OP's set definition has multiple syntax errors.
A set of elements where each element is a combination of two base types, IPv4 + Ethernet, is needed: it's not a set of simple elements, but a set of concatenations:
Concatenations
Since Linux kernel 4.1, nftables supports concatenations. This new feature allows you to put two or more selectors together to perform very fast lookups in sets, maps, vmaps and meters.
Currently, in all of nft's man page, a single occurrence of the word concatenations appears for a non-trivial use but it's not defined there. So while nftables' wiki sometimes includes outdated information, it still includes useful documentation to complement the manual.
The . character is used to concatenate multiple base values. Also, a set element doesn't use an additional pair of { } nor uses the : character, which is for maps.
This could be defined and used like below, reusing OP's information with concrete values. A host will allow only incoming traffic from matching pairs of source IPv4 address plus Ethernet source MAC address, for example as a way to enforce such an association between MAC and IP address:
table ip t {
    set authorized {
        type ipv4_addr . ether_addr
        flags constant
        elements = {
            192.168.1.1 . 02:00:00:00:00:01,
            192.168.1.2 . 02:00:00:00:00:02,
            192.168.1.3 . 02:00:00:00:00:03
        }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ip saddr . ether saddr @authorized accept
    }
}
Note: newer versions of nftables and kernel allow an easier syntax. Instead of:
type ipv4_addr . ether_addr
where figuring out ipv4_addr or ether_addr requires finding it in some additional documentation, one can use instead:
typeof ip saddr . ether saddr
reusing the same keywords used in rule syntax.
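To make the point of the answer concrete, here is an added illustration (not code from the answer above and not part of nftables itself): a small Python parser for the `elements = { ... }` block of a set whose type is the `ipv4_addr . ether_addr` concatenation, plus a simulated lookup that decides a packet the way `ip saddr . ether saddr @authorized accept` would. It also shows, for contrast, what checking two independent sets would decide, which is why the concatenated key matters: a known IP arriving with a known but wrong MAC is dropped by the pair lookup but would be accepted by two separate membership checks. The ruleset text and the sample packets are constructed here; the function names are my own.

```python
"""Simulated lookup against an nftables concatenated set (ipv4_addr . ether_addr).

Added illustration only: parses the set's element list from nft-syntax text
and evaluates sample packets as the concatenated set lookup would.
"""
import ipaddress
import re

# Constructed sample ruleset, same set as in the answer, in nft's own syntax.
RULESET = """
table ip t {
    set authorized {
        type ipv4_addr . ether_addr
        flags constant
        elements = {
            192.168.1.1 . 02:00:00:00:00:01,
            192.168.1.2 . 02:00:00:00:00:02,
            192.168.1.3 . 02:00:00:00:00:03
        }
    }
}
"""


def normalize_key(ip, mac):
    """Canonical (IPv4Address, lowercase MAC) key so lookups are exact."""
    return (ipaddress.IPv4Address(ip.strip()), mac.strip().lower())


def parse_concat_set(text, set_name):
    """Return (field types, frozenset of keys) for the named set.

    Only the 'ipv4_addr . ether_addr' concatenation is handled. Inside one
    element the fields are separated by a dot surrounded by whitespace (so the
    dots inside the IPv4 literal are left alone); elements are comma separated.
    """
    block = re.search(
        r"set\s+%s\s*\{(.*?)elements\s*=\s*\{(.*?)\}" % re.escape(set_name),
        text, re.S)
    if block is None:
        raise ValueError("set %r with an elements block not found" % set_name)
    header, elements = block.groups()
    type_line = re.search(r"\btype\s+([^\n]+)", header)
    if type_line is None:
        raise ValueError("set %r has no type line" % set_name)
    fields = [f.strip() for f in type_line.group(1).split(".")]
    if fields != ["ipv4_addr", "ether_addr"]:
        raise ValueError("unsupported set type: %s" % " . ".join(fields))
    keys = set()
    for elem in elements.split(","):
        elem = elem.strip()
        if not elem:
            continue
        parts = re.split(r"\s+\.\s+", elem)
        if len(parts) != len(fields):
            raise ValueError("element %r does not have %d fields" % (elem, len(fields)))
        keys.add(normalize_key(parts[0], parts[1]))
    return fields, frozenset(keys)


def verdict_concat(authorized, saddr, ether_saddr, policy="drop"):
    """What 'ip saddr . ether saddr @authorized accept' decides for one packet:
    the (IP, MAC) pair must appear as one element, otherwise the chain policy applies."""
    return "accept" if normalize_key(saddr, ether_saddr) in authorized else policy


def verdict_independent(authorized, saddr, ether_saddr, policy="drop"):
    """Contrast case: two separate sets consulted independently. This cannot
    detect a known IP arriving from a different, also known, MAC."""
    ips = {ip for ip, _ in authorized}
    macs = {mac for _, mac in authorized}
    ip, mac = normalize_key(saddr, ether_saddr)
    return "accept" if ip in ips and mac in macs else policy


# Constructed sample packets: (source IPv4, Ethernet source MAC).
SAMPLE_PACKETS = [
    ("192.168.1.1", "02:00:00:00:00:01"),  # authorized pair
    ("192.168.1.1", "02:00:00:00:00:02"),  # IP and MAC both known, wrong pairing
    ("192.168.1.4", "02:00:00:00:00:01"),  # unknown IP
    ("192.168.1.2", "02:00:00:00:00:02".upper()),  # MAC case differs only
]


def evaluate(ruleset=RULESET, packets=SAMPLE_PACKETS):
    """Return (ip, mac, concatenated verdict, independent verdict) per packet."""
    _, authorized = parse_concat_set(ruleset, "authorized")
    return [(ip, mac, verdict_concat(authorized, ip, mac),
             verdict_independent(authorized, ip, mac)) for ip, mac in packets]


if __name__ == "__main__":
    for ip, mac, concat, indep in evaluate():
        print("%-12s %-17s concat=%-6s independent=%s" % (ip, mac, concat, indep))
```

The second sample packet is the interesting one: both its IP and its MAC appear in the set, yet the concatenated lookup drops it because no element holds that exact pair, which is precisely the MAC-to-IP binding the answer's ruleset is meant to enforce.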