i've migrated some fw code to nftables, and am cleaning up my sources -- at this point, for my own readability.
i've managed to so far miss any clear writeups on such housekeeping, so using some trial-n-error :-/
when involving marks in nat/mangle chains, what's valid, or not, is a bit fuzzy.
in this sample script
cat tmp.nft
#!/usr/sbin/nft -f
define VPN = "A"
define LAN = "B"
define SVR1 = "1.1.1.1"
define SVR2 = "2.2.2.2"
table nat {
chain prerouting {
type nat hook prerouting priority -150; policy accept;
# SET1
meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 udp dport 53
meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 tcp dport 53
meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR2 udp dport 25
meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR2 tcp dport 465
# SET2 (This seem a bit tortured, but it's fewer lines ...)
meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 meta l4proto {tcp, udp} th dport 53
meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR2 tcp dport { 25, 465 }
# SET3
meta mark set 0x02 {
24 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 meta l4proto {tcp, udp} th dport 53
25 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR2 tcp dport { 25, 465 }
26 }
27
28 }
29 }
rule group "SETs" 1, 2 & 3 are _intended_ to be functionally equivalent, but simply increasingly "grouped" for convenience/readability (yes, arguable!)
testing, SET1 & SET2 seem OK, but SET3 is clearly unhappy,
nft -c -f tmp.nft
tmp.nft:24:4-7: Error: syntax error, unexpected meta
meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 meta l4proto {tcp, udp} th dport 53
^^^^
tmp.nft:29:1-1: Error: syntax error, unexpected '}'
}
^
what's specifically DISallowed in my SET3 syntax usage?
what'd be the 'most grouped' that SET can validly be?
