Help me update my HFSC shaper scripts for fw4/nftables

Hi, I have the same error message. It looks to me like the new table is not created at all, which obviously would be needed to add chains/rules etc.
I am not sure what the exact syntax is, or whether we should have any creation line at all (i.e. it may automatically create a table if it does not exist yet), but

add table inet dscptag
or
create table inet dscptag

in *.nft neither works.

Also it looks like ip ip set dscp cs0 is not valid but ip set dscp cs0 is accepted. At least when adding manually, only the latter format is parsed successfully.

Ok, I just pushed to devel a version that puts in all the missing "define"s and also gets rid of the ip ip and ip6 ip6 errors/typos.

There are two kinds of scripts in nftables: the nftables output format I'm using and the "script" style. I don't like the script style myself, and I don't think we should mix them. So there's no "add table ..." in the nftables output style.

https://wiki.nftables.org/wiki-nftables/index.php/Scripting

@grrr2 how are you loading the file? and what are the errors with the current version I just pushed?

I followed @jow's instruction: adding your nft file to /usr/share/nftables.d/table-post. Sorry if that's not the right way.

That sounds like the right way, but it is different from what Dave was suggesting above (Help me update my HFSC shaper scripts for fw4/nftables - #6 by dave14305), so I guess it makes a difference which version of OpenWrt you have; it sounds like the /usr/share/nftables.d/table-post method is only available in relatively recent versions (snapshots etc.).

Yes, I tried on a snapshot.

I simplified your rules a bit for easier troubleshooting, for syntax checking purposes only:

define udpbulkport = {51413}
define tcpbulkport = {51413,6881-6889}
define vidconfports = {10000,3478-3479,8801-8802,19302-19309,5938,53} # port ranges use "-"
define realtime4 = {192.168.109.1} # example, just add all your game console here
define realtime6 = {fd90::129a} ## example only replace with game console
define lowpriolan4 = {192.168.109.2} # example, add your low priority lan machines here
define lowpriolan6 = {fd90::129a} ## example, add your low priority lan ipv6 PUBLIC addr here

define ackrate = 300

define downrate = 15000 # kbits/sec ... CHANGE ME
define uprate = 15000 # kbits/sec ... CHANGE ME


table inet dscptag {

    chain dscptag {
        type filter hook forward priority 0; policy accept;

        # wash all the DSCP to begin with ... you can comment this out
        ip dscp set cs0
        ip6 dscp set cs0

        udp sport $udpbulkport ip dscp set cs1
    }

}

I also tried the config include way by saving to /etc/dscptag.nft first, then service firewall restart. First of all it fails with

/etc/dscptag.nft:15:1-5: Error: syntax error, unexpected table
table inet dscptag {
^^^^^

So it does not create the table and therefore cannot add any chains/rules. But as I said, with /usr/share/nftables.d it is the same problem.

Also I think the correct rule format is as in my simplified version. If using your version there are many errors like:

./dscptag.nft:28:12-14: Error: syntax error, unexpected udp
        ip udp sport = $udpbulkport ip dscp set cs1

or

./dscptag.nft:28:31-31: Error: syntax error, unexpected '='
        ip protocol udp sport = $udpbulkport ip dscp set cs1

Can you post the output of fw4 print?

Yes, those shouldn't be there. I pushed a version removing all the = signs.

The biggest hurdle will be first to make sure the table gets created properly. I'm not sure what is causing this:


Daniel, are you sure you make table inet?

maybe

nft add chain inet dscptag ??

In my firewall nothing appears for the moment.

I'm on the latest snapshot.

Looks like it's my fault. The include option in /etc/config/firewall should be ruleset-append instead of table-append. ruleset-append will be added outside of the table inet fw4 block. table-append will be inside the table inet fw4 block, hence the errors trying to add a new table within a table. I will update my earlier post to stop others from propagating my error.

Even @jow's response earlier with an example has ruleset and table include locations swapped, and he wrote firewall4! :smile:


Thanks @dave14305 & @dlakelan, I updated the file and updated the firewall string to ruleset-append but something is still not working:

root@OpenWrt:~# service firewall restart
In file included from /dev/stdin:219:1-27:
/etc/dscptag.nft:24:12-16: Error: syntax error, unexpected string
        ip proto udp udp sport $udpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:219:1-27:
/etc/dscptag.nft:27:12-16: Error: syntax error, unexpected string
        ip proto udp udp dport $udpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:219:1-27:
/etc/dscptag.nft:30:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp sport $tcpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:219:1-27:
/etc/dscptag.nft:32:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp dport $tcpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:219:1-27:
/etc/dscptag.nft:36:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp flags & ack meta length < 100 add @vfast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 30000/second} random mod 1000 > 5 drop
           ^^^^^
In file included from /dev/stdin:219:1-27:
/etc/dscptag.nft:37:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp flags & ack meta length < 100 add @fast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 3000/second} random mod 1000 > 50 drop
           ^^^^^
In file included from /dev/stdin:219:1-27:
/etc/dscptag.nft:38:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp flags & ack meta length < 100 add @med4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 300/second} random mod 1000 > 500 drop
           ^^^^^
In file included from /dev/stdin:219:1-27:
/etc/dscptag.nft:39:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp flags & ack meta length < 100 add @slow4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 300/second} random mod 1000 > 500 drop
           ^^^^^
In file included from /dev/stdin:219:1-27:
/etc/dscptag.nft:42:12-16: Error: syntax error, unexpected string
        ip proto udp udp dport $vidconfports ip dscp set cs4
           ^^^^^
In file included from /dev/stdin:219:1-27:
/etc/dscptag.nft:45:12-16: Error: syntax error, unexpected string
        ip proto udp udp daddr $realtime4 ip dscp set cs5
           ^^^^^
root@OpenWrt:~# 

Yes, as I reported yesterday, this syntax is incorrect.
It should be: udp sport $udpbulkport ip dscp set cs1

Hint: check the default fw4 rules, e.g.
udp dport 500 counter jump accept_to_lan comment "!fw4: Allow-ISAKMP"


I just had some time and fired up a VM with the latest OpenWrt snapshot to help and do some debugging.

First of all, I'm pretty much a noob when it comes to nftables…

Got the same error messages as the others. Like @dave14305 explained, there is an issue because it wants to create a table inside of a table, but I think you don't have to create an extra table "dscptag". Just create a chain dscptag in the table fw4.

For testing purposes I removed:

table inet dscptag {

… and the error disappeared.

But I got a lot of other errors (even more afterwards):


root@OpenWrt:~# service firewall restart
In file included from /dev/stdin:20:2-33:
/etc/nftables.d/dscptagNEW.nft:23:12-16: Error: syntax error, unexpected string
        ip proto udp udp sport $udpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:20:2-33:
/etc/nftables.d/dscptagNEW.nft:26:12-16: Error: syntax error, unexpected string
        ip proto udp udp dport $udpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:20:2-33:
/etc/nftables.d/dscptagNEW.nft:29:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp sport $tcpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:20:2-33:
/etc/nftables.d/dscptagNEW.nft:31:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp dport $tcpbulkport ip dscp set cs1
           ^^^^^
In file included from /dev/stdin:20:2-33:
/etc/nftables.d/dscptagNEW.nft:35:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp flags & ack meta length < 100 add @vfast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 30000/second} random mod 1000 > 5 drop
           ^^^^^
In file included from /dev/stdin:20:2-33:
/etc/nftables.d/dscptagNEW.nft:36:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp flags & ack meta length < 100 add @fast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 3000/second} random mod 1000 > 50 drop
           ^^^^^
In file included from /dev/stdin:20:2-33:
/etc/nftables.d/dscptagNEW.nft:37:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp flags & ack meta length < 100 add @med4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 300/second} random mod 1000 > 500 drop
           ^^^^^
In file included from /dev/stdin:20:2-33:
/etc/nftables.d/dscptagNEW.nft:38:12-16: Error: syntax error, unexpected string
        ip proto tcp tcp flags & ack meta length < 100 add @slow4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 300/second} random mod 1000 > 500 drop
           ^^^^^
In file included from /dev/stdin:20:2-33:
/etc/nftables.d/dscptagNEW.nft:41:12-16: Error: syntax error, unexpected string
        ip proto udp udp dport $vidconfports ip dscp set cs4
           ^^^^^
In file included from /dev/stdin:20:2-33:
/etc/nftables.d/dscptagNEW.nft:44:12-16: Error: syntax error, unexpected string
        ip proto udp udp daddr $realtime4 ip dscp set cs5

Here are some findings:
I think "proto" has to be "protocol".

"udp udp daddr" has to be "udp ip daddr".

For port ranges you have to use "-".

…

Here is a minimalistic script with no errors that you can compare with yours:


define udpbulkport = {51413}
define tcpbulkport = {51413,6881-6889}
define vidconfports = {10000,3478-3479,8801-8802,19302-19309,5938,53}
define realtime4 = {192.168.109.1} # example, just add all your game console here
define realtime6 = {fd90::129a} ## example only replace with game console
define lowpriolan4 = {192.168.109.2} # example, add your low priority lan machines here
define lowpriolan6 = {fd90::129a} ## example, add your low priority lan ipv6 PUBLIC addr here

define ackrate = 300

define downrate = 15000 # kbits/sec ... CHANGE ME
define uprate = 15000 # kbits/sec ... CHANGE ME



    chain dscptag {
        type filter hook forward priority 0; policy accept;

        # wash all the DSCP to begin with ... you can comment this out
        ip dscp set cs0
        ip6 dscp set cs0 

        ip protocol udp udp sport $udpbulkport ip dscp set cs1
        ip6 nexthdr udp udp sport $udpbulkport ip6 dscp set cs1

        ip protocol udp udp dport $udpbulkport ip dscp set cs1
        ip6 nexthdr udp udp dport $udpbulkport ip6 dscp set cs1

        ip protocol tcp tcp sport $tcpbulkport ip dscp set cs1
        ip6 nexthdr tcp tcp sport $tcpbulkport ip6 dscp set cs1
        ip protocol tcp tcp dport $tcpbulkport ip dscp set cs1
        ip6 nexthdr tcp tcp dport $tcpbulkport ip6 dscp set cs1

        ## ack limit rate to about 150 pps by decimating the quantity of pure acks being sent
        #ip protocol tcp tcp flags & ack meta length < 100 add @vfast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 30000/second} random mod 1000 > 5 drop
        #ip protocol tcp tcp flags & ack meta length < 100 add @fast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 3000/second} random mod 1000 > 50 drop
        #ip protocol tcp tcp flags & ack meta length < 100 add @med4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 300/second} random mod 1000 > 500 drop
        #ip protocol tcp tcp flags & ack meta length < 100 add @slow4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 300/second} random mod 1000 > 500 drop
        ## for almost everyone we won't send more than 150 acks/second

        ip protocol udp udp dport $vidconfports ip dscp set cs4
        ip6 nexthdr udp udp dport $vidconfports ip6 dscp set cs4

        ip protocol udp ip daddr $realtime4 ip dscp set cs5
        ip protocol udp ip saddr $realtime4 ip dscp set cs5

        ip6 nexthdr udp ip6 daddr $realtime6 ip6 dscp set cs5
        ip6 nexthdr udp ip6 saddr $realtime6 ip6 dscp set cs5

        ip protocol udp ip daddr $lowpriolan4 ip dscp set cs2
        ip protocol udp ip saddr $lowpriolan4 ip dscp set cs2

        ip6 nexthdr udp ip6 daddr $lowpriolan6 ip6 dscp set cs2
        ip6 nexthdr udp ip6 saddr $lowpriolan6 ip6 dscp set cs2

        #downgrade udp going faster than 450 pps, probably not realtime traffic
        #ip protocol udp ip dscp > cs2 add @udp_meter4 {ip saddr . ip daddr . udp sport . udp dport limit rate over 450/second} counter ip dscp set cs2
        #ip6 nexthdr udp ip6 dscp > cs2 add @udp_meter6 {ip6 saddr . ip6 daddr . udp sport . udp dport limit rate over 450/second} counter ip dscp set cs2

        # down prioritize the first 500ms of tcp packets
        #ip protocol tcp ct bytes > $downrate * 500/8 ip dscp < cs4 ip dscp set cs2

        # downgrade tcp that has transferred more than 10 seconds worth of packets
        #ip protocol tcp ct bytes > $downrate * 10000/8 ip dscp < cs4 ip dscp set cs1

        ## tcp with less than 150 pps gets upgraded to cs4
        #ip protocol tcp add @slowtcp4 {ip saddr . ip daddr . udp sport . udp dport limit 150/second burst 150} ip dscp set cs4
        #ip6 nexthdr tcp add @slowtcp6 {ip6 saddr . ip6 daddr . udp sport . udp dport limit 150/second burst 150} ip dscp set cs4


    }


I commented out all lines where I got an error and did not find a fast answer!!

Looks good:


Dave explained this is because he had an error in where it should be included... if you put it in /usr/share/nftables.d/ruleset-post/ it should work.

Good catches! Thanks. I have updated the code on GitHub.

Can you pull my version and try it with the table definition but put the file in the directory mentioned above?


Hi @dlakelan this is the output with the updated file:

root@OpenWrt:~# service firewall restart
Automatically including '/usr/share/nftables.d/ruleset-post//dscptag.nft'
In file included from /dev/stdin:219:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:36:41-44: Error: syntax error, unexpected meta
        ip protocol tcp tcp flags & ack meta length < 100 add @vfast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 30000/second} random mod 1000 > 5 drop
                                        ^^^^
In file included from /dev/stdin:219:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:37:41-44: Error: syntax error, unexpected meta
        ip protocol tcp tcp flags & ack meta length < 100 add @fast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 3000/second} random mod 1000 > 50 drop
                                        ^^^^
In file included from /dev/stdin:219:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:38:41-44: Error: syntax error, unexpected meta
        ip protocol tcp tcp flags & ack meta length < 100 add @med4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 300/second} random mod 1000 > 500 drop
                                        ^^^^
In file included from /dev/stdin:219:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:39:41-44: Error: syntax error, unexpected meta
        ip protocol tcp tcp flags & ack meta length < 100 add @slow4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 300/second} random mod 1000 > 500 drop
                                        ^^^^
In file included from /dev/stdin:219:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:62:46-46: Error: syntax error, unexpected *, expecting newline or semicolon
        ip protocol tcp ct bytes > $downrate * 500/8 ip dscp < cs4 ip dscp set cs2
                                             ^
In file included from /dev/stdin:219:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:65:46-46: Error: syntax error, unexpected *, expecting newline or semicolon
        ip protocol tcp ct bytes > $downrate * 10000/8 ip dscp < cs4 ip dscp set cs1
                                             ^
In file included from /dev/stdin:219:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:68:90-92: Error: syntax error, unexpected number, expecting name or rate
        ip protocol tcp add @slowtcp4 {ip saddr . ip daddr . udp sport . udp dport limit 150/second burst 150} ip dscp set cs4
                                                                                         ^^^
In file included from /dev/stdin:219:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:69:92-94: Error: syntax error, unexpected number, expecting name or rate
        ip6 nexthdr tcp add @slowtcp6 {ip6 saddr . ip6 daddr . udp sport . udp dport limit 150/second burst 150} ip dscp set cs4
                                                                                           ^^^
In file included from /dev/stdin:219:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:58:43-53: Error: No such file or directory
        ip protocol udp ip dscp > cs2 add @udp_meter4 {ip saddr . ip daddr . udp sport . udp dport limit rate over 450/second} counter ip dscp set cs2
                                          ^^^^^^^^^^^

Fabulous, so now we don't have any "stupid" mistakes or issues with the table! NOW it's actual confusion on my part; not sure why that meta match doesn't work, I'll look into that on the wiki.

OK, it looks like the ack match needs to be

tcp flags & ack == ack

I've pushed a fix for that. see how it goes.


Another error:

root@OpenWrt:/usr/share/nftables.d/ruleset-post# service firewall restart
Automatically including '/usr/share/nftables.d/ruleset-post//dscptag.nft'
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:36:156-161: Error: syntax error, unexpected random, expecting newline or semicolon
        ip protocol tcp tcp flags & ack == ack meta length < 100 add @vfast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 30000/second} random mod 1000 > 5 drop
                                                                                                                                                           ^^^^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:37:154-159: Error: syntax error, unexpected random, expecting newline or semicolon
        ip protocol tcp tcp flags & ack == ack meta length < 100 add @fast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 3000/second} random mod 1000 > 50 drop
                                                                                                                                                         ^^^^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:38:152-157: Error: syntax error, unexpected random, expecting newline or semicolon
        ip protocol tcp tcp flags & ack == ack meta length < 100 add @med4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 300/second} random mod 1000 > 500 drop
                                                                                                                                                       ^^^^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:39:153-158: Error: syntax error, unexpected random, expecting newline or semicolon
        ip protocol tcp tcp flags & ack == ack meta length < 100 add @slow4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 300/second} random mod 1000 > 500 drop
                                                                                                                                                        ^^^^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:62:46-46: Error: syntax error, unexpected *, expecting newline or semicolon
        ip protocol tcp ct bytes > $downrate * 500/8 ip dscp < cs4 ip dscp set cs2
                                             ^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:65:46-46: Error: syntax error, unexpected *, expecting newline or semicolon
        ip protocol tcp ct bytes > $downrate * 10000/8 ip dscp < cs4 ip dscp set cs1
                                             ^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:68:90-92: Error: syntax error, unexpected number, expecting name or rate
        ip protocol tcp add @slowtcp4 {ip saddr . ip daddr . udp sport . udp dport limit 150/second burst 150} ip dscp set cs4
                                                                                         ^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:69:92-94: Error: syntax error, unexpected number, expecting name or rate
        ip6 nexthdr tcp add @slowtcp6 {ip6 saddr . ip6 daddr . udp sport . udp dport limit 150/second burst 150} ip dscp set cs4
                                                                                           ^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:58:43-53: Error: No such file or directory
        ip protocol udp ip dscp > cs2 add @udp_meter4 {ip saddr . ip daddr . udp sport . udp dport limit rate over 450/second} counter ip dscp set cs2
                                          ^^^^^^^^^^^
root@OpenWrt:/usr/share/nftables.d/ruleset-post#


Hmmm. I think that's because I'm doing a match but I need to be doing an action... which is a more fundamental issue... Perhaps for the moment can you comment out all the ack matching lines? I'll look into that issue later. The solution might be to jump to a chain where I can handle matching.


Correct syntax, I think:

tcp flags & ack == ack add @vfast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 30000/second} numgen random mod 1000 > 5 drop
or
tcp flags & ack == ack meta length < 100 add @vfast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 30000/second} numgen random mod 1000 > 5

I think I need:

        ip protocol tcp tcp flags & ack == ack meta length < 100 add @vfast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 30000/second} jump drop995 

with a chain defined that drops 99.5% of packets or etc... I pushed that version, can you try it?


Errors with the latest version:

root@OpenWrt:/usr/share/nftables.d/ruleset-post# service firewall restart
Automatically including '/usr/share/nftables.d/ruleset-post//dscptag.nft'
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:18:9-14: Error: syntax error, unexpected random
        random mod 1000 > 5 drop
        ^^^^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:21:9-14: Error: syntax error, unexpected random
        random mod 100 > 5 drop
        ^^^^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:24:9-14: Error: syntax error, unexpected random
        random mod 100 > 50 drop
        ^^^^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:48:159-162: Error: syntax error, unexpected drop, expecting '{'
        ip protocol tcp tcp flags & ack == ack meta length < 100 add @fast4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 3000/second} jump drop 95
                                                                                                                                                              ^^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:49:157-160: Error: syntax error, unexpected drop, expecting '{'
        ip protocol tcp tcp flags & ack == ack meta length < 100 add @med4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 300/second} jump drop 50
                                                                                                                                                            ^^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:50:158-161: Error: syntax error, unexpected drop, expecting '{'
        ip protocol tcp tcp flags & ack == ack meta length < 100 add @slow4ack {ip daddr . ip saddr . tcp dport . tcp sport limit rate over 300/second} jump drop 50
                                                                                                                                                             ^^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:73:46-46: Error: syntax error, unexpected *, expecting newline or semicolon
        ip protocol tcp ct bytes > $downrate * 500/8 ip dscp < cs4 ip dscp set cs2
                                             ^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:76:46-46: Error: syntax error, unexpected *, expecting newline or semicolon
        ip protocol tcp ct bytes > $downrate * 10000/8 ip dscp < cs4 ip dscp set cs1
                                             ^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:79:90-92: Error: syntax error, unexpected number, expecting name or rate
        ip protocol tcp add @slowtcp4 {ip saddr . ip daddr . udp sport . udp dport limit 150/second burst 150} ip dscp set cs4
                                                                                         ^^^
In file included from /dev/stdin:190:1-58:
/usr/share/nftables.d/ruleset-post//dscptag.nft:80:92-94: Error: syntax error, unexpected number, expecting name or rate
        ip6 nexthdr tcp add @slowtcp6 {ip6 saddr . ip6 daddr . udp sport . udp dport limit 150/second burst 150} ip dscp set cs4
                                                                                           ^^^
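Pulling the fixes that surfaced in this thread into one file, here is an added example of a reduced dscptag.nft (my own sketch, not the script from dlakelan's GitHub repo): the set declarations with flags dynamic, the drop995 chain body, the precomputed byte thresholds (derived from downrate = 15000 kbit/s) and the sample addresses are my assumptions, everything else is the syntax the nft errors above point at.

```nft
#!/usr/sbin/nft -f
# Added example, not the thread's script. Put it in
# /usr/share/nftables.d/ruleset-post/ so fw4 includes it outside
# "table inet fw4"; check it without loading: nft -c -f dscptag.nft

define udpbulkport = { 51413 }
define tcpbulkport = { 51413, 6881-6889 }            # ranges use "-", not ":"
define vidconfports = { 10000, 3478-3479, 8801-8802, 19302-19309, 5938, 53 }
define realtime4 = { 192.168.109.1 }                 # example host, replace

# nft rejects "$downrate * 500/8" in a rule ("unexpected *"), so the byte
# thresholds are precomputed (assumption: downrate = 15000 kbit/s):
#   15000 kbit/s * 500 ms / 8 = 937500 bytes;  15000 kbit/s * 10 s / 8 = 18750000
define bytes_500ms = 937500
define bytes_10s   = 18750000

table inet dscptag {
    # "add @name { ... }" needs a dynamic set declared up front; a missing
    # declaration is what produced "No such file or directory" for @udp_meter4
    set vfast4ack {
        type ipv4_addr . ipv4_addr . inet_service . inet_service
        flags dynamic
        timeout 5m
        size 65535
    }
    set udp_meter4 {
        type ipv4_addr . ipv4_addr . inet_service . inet_service
        flags dynamic
        timeout 5m
        size 65535
    }
    set slowtcp4 {
        type ipv4_addr . ipv4_addr . inet_service . inet_service
        flags dynamic
        timeout 5m
        size 65535
    }

    # Regular chain (no hook) entered with "jump": a rule cannot end in a
    # "random mod ..." match, so the probabilistic drop lives here as numgen
    chain drop995 {
        numgen random mod 1000 >= 5 drop   # drops 995 of every 1000 packets
    }

    chain dscptag {
        type filter hook forward priority 0; policy accept;

        # wash all DSCP first
        ip dscp set cs0
        ip6 dscp set cs0

        # "ip protocol", not "ip proto"; transport match, then the action
        ip protocol udp udp sport $udpbulkport ip dscp set cs1
        ip protocol tcp tcp dport $tcpbulkport ip dscp set cs1

        # ACK decimation: "tcp flags & ack == ack", meter in the dynamic set,
        # then jump to the dropping chain (no chain name with a space)
        ip protocol tcp tcp flags & ack == ack meta length < 100 add @vfast4ack { ip daddr . ip saddr . tcp dport . tcp sport limit rate over 30000/second } jump drop995

        ip protocol udp udp dport $vidconfports ip dscp set cs4
        ip protocol udp ip daddr $realtime4 ip dscp set cs5

        # udp flows faster than 450 pps are probably not realtime
        ip protocol udp ip dscp > cs2 add @udp_meter4 { ip saddr . ip daddr . udp sport . udp dport limit rate over 450/second } counter ip dscp set cs2

        # byte thresholds from the defines instead of inline arithmetic
        ip protocol tcp ct bytes > $bytes_500ms ip dscp < cs4 ip dscp set cs2
        ip protocol tcp ct bytes > $bytes_10s ip dscp < cs4 ip dscp set cs1

        # "limit rate" is mandatory inside the element and burst needs a unit;
        # tcp flows are keyed on tcp ports, not the udp ports of the original
        ip protocol tcp add @slowtcp4 { ip saddr . ip daddr . tcp sport . tcp dport limit rate 150/second burst 150 packets } ip dscp set cs4
    }
}
```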