
NFTables tables, hooks and rules ordering

0 votes
0 answers
63 views
I'm new to nftables but have used iptables for quite a while now. While playing with nftables, I was thinking: "Hey, this is cool, I could have like a management table, where all the mngt stuff goes in, and is accepted, and then I could have like tenant tables, that can do whatever". So I tried to do that and failed. The nftables tables are:

```
table inet management {
	chain input {
		type filter hook input priority -1000; policy drop;
		iifname "lo" counter packets 16 bytes 996 accept
		ct state established,related counter packets 22982 bytes 1739629 accept
		tcp dport 22 counter packets 0 bytes 0 accept
		log prefix "Dropped by management: "
	}
}
table ip tenant1 {
	set web {
		type inet_service
		elements = { 80, 443 }
	}
	chain input {
		type filter hook input priority 1000; policy drop;
		tcp dport @web accept
		log prefix "Dropped by tenant1: "
	}
}
```

What I would expect to happen is to allow traffic on port 22 to reach this machine (via the management table, input chain, tcp dport 22 rule) and to also allow the traffic on ports 80 and 443 (via the tenant1 table). What actually happens is that traffic on port 22 is sent to the next table to be processed (tenant1) while everything else is dropped...?

Now, from what I understand from reading the documentation, and from what I can observe, it seems that an accepted packet is not necessarily accepted if there are other tables/chains with the same hook (input in our case) that will ultimately drop the packet.

If I'm right about my above assumption, the question is, how would one use tables in nftables? Because I expected this to work something along these lines: we've got two tables; if the packet is accepted in one of them, then it's accepted for good. If the packet's dropped in one of them, then it's dropped for good. I thought that the traffic was being evaluated in EACH of the tables, and the first table to decide what to do with that packet takes precedence.
Any help would be greatly appreciated, as I'm a bit lost on how I could use the tables in nftables. P.S. I saw that an accept action could be set to mark the packets, and subsequent tables would check for that mark, but this seems to be a hack, more than a solution. To be honest, after playing with this new and improved firewall, at least for my needs (simple NAT/filtering rules), this is way worse. I mean, in iptables, an accept is ... well, an accept, not a maybe. What the hell am I missing??? And don't get me started on the priority problem, where a smaller number means a higher priority :))
Asked by Silviu Bajenaru Marcu (1 rep)
Feb 5, 2025, 10:08 AM
Last activity: Feb 5, 2025, 10:27 AM
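The behaviour the question describes, modelled as an added Python example (this is not code from the post or from the nftables project). It mirrors the two tables above and applies the base-chain evaluation rules from the nftables documentation: base chains on one hook run in ascending priority order, `accept` ends evaluation in the current base chain only (the packet continues to the next base chain on the hook), `drop` is final, and the chain policy applies when no terminal rule matched. It also models the mark workaround the post mentions, with a hypothetical mark value of 1. Address-family differences (a `table ip` only sees IPv4) and conntrack lookup are ignored; the ct state is simply an attribute of the constructed packet.

```python
"""Model of how nftables evaluates several base chains on one hook.

Added example, not from the post.  Evaluation rules (from the nftables docs):
  * base chains on the same hook run in ascending priority order,
  * accept ends evaluation in the current base chain only,
  * drop is final: later base chains never see the packet,
  * the chain policy applies when no terminal rule matched.
Address families are ignored (table ip vs inet) and ct state is an attribute
of the constructed packet rather than a real conntrack lookup.
"""
from dataclasses import dataclass, field, replace
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    dport: int
    iif: str = "eth0"
    ct_state: str = "new"
    mark: int = 0


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    verdict: Optional[str]          # "accept", "drop" or None (log/counter only)
    desc: str
    set_mark: Optional[int] = None  # models "meta mark set N" on the rule


@dataclass
class BaseChain:
    table: str
    name: str
    priority: int
    policy: str
    rules: List[Rule] = field(default_factory=list)


def run_chain(chain: BaseChain, pkt: Packet, trace: List[str]) -> str:
    """Evaluate one base chain top to bottom and return its verdict."""
    for rule in chain.rules:
        if not rule.match(pkt):
            continue
        if rule.set_mark is not None:
            pkt.mark = rule.set_mark
        if rule.verdict is None:            # non-terminal rule: keep going
            trace.append(f"{chain.table} {chain.name}: {rule.desc}")
            continue
        trace.append(f"{chain.table} {chain.name}: {rule.desc} -> {rule.verdict}")
        return rule.verdict
    trace.append(f"{chain.table} {chain.name}: policy {chain.policy}")
    return chain.policy


def evaluate_hook(chains: List[BaseChain], pkt: Packet) -> Tuple[str, List[str]]:
    """Run every base chain on the hook in priority order; only drop is final."""
    pkt = replace(pkt)                      # do not mutate the caller's packet
    trace: List[str] = []
    for chain in sorted(chains, key=lambda c: c.priority):
        if run_chain(chain, pkt, trace) == "drop":
            return "drop", trace
    return "accept", trace


WEB = {80, 443}                             # the "web" set from the post


def is_ssh(p: Packet) -> bool:
    return p.proto == "tcp" and p.dport == 22


def asker_ruleset() -> List[BaseChain]:
    """The two tables from the question, as posted."""
    management = BaseChain("inet management", "input", -1000, "drop", [
        Rule(lambda p: p.iif == "lo", "accept", 'iifname "lo"'),
        Rule(lambda p: p.ct_state in ("established", "related"), "accept",
             "ct state established,related"),
        Rule(is_ssh, "accept", "tcp dport 22"),
        Rule(lambda p: True, None, 'log prefix "Dropped by management: "'),
    ])
    tenant1 = BaseChain("ip tenant1", "input", 1000, "drop", [
        Rule(lambda p: p.proto == "tcp" and p.dport in WEB, "accept", "tcp dport @web"),
        Rule(lambda p: True, None, 'log prefix "Dropped by tenant1: "'),
    ])
    return [management, tenant1]


def marked_ruleset() -> List[BaseChain]:
    """The mark workaround mentioned in the post (hypothetical mark value 1):
    management sets a mark before accepting, and tenant1 honours it first."""
    management, tenant1 = asker_ruleset()
    management.rules[2] = Rule(is_ssh, "accept", "tcp dport 22 meta mark set 0x1",
                               set_mark=1)
    tenant1.rules.insert(0, Rule(lambda p: p.mark == 1, "accept", "meta mark 0x1"))
    return [management, tenant1]


if __name__ == "__main__":
    samples = [Packet("tcp", 22), Packet("tcp", 443),
               Packet("tcp", 443, ct_state="established")]
    for label, chains in (("as posted", asker_ruleset()), ("with mark", marked_ruleset())):
        for pkt in samples:
            final, trace = evaluate_hook(chains, pkt)
            print(f"[{label}] tcp/{pkt.dport} ct {pkt.ct_state}: {final}")
            for line in trace:
                print("    ", line)
```

Running it shows the observation from the post: a new tcp/22 packet is accepted by `management` and then hits the `policy drop` of `tenant1`, while a new tcp/443 packet never reaches `tenant1` because `management` drops it first; only an established tcp/443 packet (accepted by the ct rule, then by `@web`) makes it through both chains. With the mark variant, tcp/22 is accepted by `tenant1` via the mark rule, but tcp/443 is still dropped by `management`, which is a consequence of that chain's `policy drop` rather than of the tenant table.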