#! nft -f # add table ip filter add chain ip filter output { type filter hook output priority 0 ; } add chain ip filter chain1 add rule ip filter chain1 counter add chain ip filter chain2 add rule ip filter chain2 counter # must succeed: expr { expr, ... } add rule ip filter OUTPUT tcp dport { \ 22, \ 23, \ } # must fail: expr { type1, type2, ... } add rule ip filter OUTPUT tcp dport { \ 22, \ 192.168.0.1, \ } # must succeed: expr { expr : verdict, ... } add rule ip filter OUTPUT tcp dport vmap { \ 22 : jump chain1, \ 23 : jump chain2, \ } # must fail: expr { expr : verdict, expr : expr, ... } add rule ip filter OUTPUT tcp dport vmap { \ 22 : jump chain1, \ 23 : 0x100, \ } # must fail: expr { expr : expr, ...} add rule ip filter OUTPUT tcp dport vmap { \ 22 : 0x100, \ 23 : 0x200, \ } # must succeed: expr MAP { expr : expr, ... } expr add rule ip filter OUTPUT meta mark set tcp dport map { \ 22 : 1, \ 23 : 2, \ } # must fail: expr MAP { expr : type1, expr : type2, .. } expr add rule ip filter OUTPUT meta mark set tcp dport map { \ 22 : 1, \ 23 : 192.168.0.1, \ }