Hello Linux firewall gurus,
I am trying to move from iptables-based firewalls to nft. I find sets/maps/concatenations quite useful, but now I am trying to use more concepts together... and it doesn't work for me as I think it should. I want to mark certain packets for later use. I have some hosts on my network, which are identified by: input interface, MAC address, IP address (or IP network). Of course I could mark them case-by-case, but maps seem to be better here.
Let me show some examples of what doesn't work for me. This is how I load a file containing some defs and dump it from the kernel (under nft list ruleset):
$ cat example.nft
flush ruleset
table ip filter {
    set s1 {
        type iface_index . ether_addr . ipv4_addr
        flags interval
        elements = {
            "lan" . aa:aa:aa:aa:aa:01 . 10.1.1.1,
            "lan" . aa:aa:aa:aa:aa:02 . 10.1.1.2,
            "lan" . aa:aa:aa:aa:aa:03 . 10.1.2.0/24
        }
    }
    map m1 {
        type ipv4_addr : mark;
        flags interval;
        elements = {
            10.1.1.1 : 1,
            10.1.1.2 : 2,
            10.1.2.0/24 : 3
        }
    }
    map m2 {
        type iface_index . ether_addr . ipv4_addr : mark;
        elements = {
            "lan" . aa:aa:aa:aa:aa:01 . 10.1.1.1 : 1,
            "lan" . aa:aa:aa:aa:aa:02 . 10.1.1.2 : 2,
            "lan" . aa:aa:aa:aa:aa:03 . 10.1.2.0/24 : 3
        }
    }
    map m3 {
        type iface_index . ether_addr . ipv4_addr : mark;
        flags interval;
        elements = {
            "lan" . aa:aa:aa:aa:aa:01 . 10.1.1.1 : 1,
            "lan" . aa:aa:aa:aa:aa:02 . 10.1.1.2 : 2,
            "lan" . aa:aa:aa:aa:aa:03 . 10.1.2.0/24 : 3
        }
    }
}
$ nft -f example.nft
$ nft list ruleset
table ip filter {
    set s1 {
        type iface_index . ether_addr . ipv4_addr
        flags interval
        elements = { "lan" . aa:aa:aa:aa:aa:01 . 10.1.1.1,
                     "lan" . aa:aa:aa:aa:aa:02 . 10.1.1.2,
                     "lan" . aa:aa:aa:aa:aa:03 . 10.1.2.0/24 }
    }
    map m1 {
        type ipv4_addr : mark
        flags interval
        elements = { 10.1.1.1 : 0x00000001, 10.1.1.2 : 0x00000002,
                     10.1.2.0/24 : 0x00000003 }
    }
    map m2 {
        type iface_index . ether_addr . ipv4_addr : mark
        elements = { "lan" . aa:aa:aa:aa:aa:01 . 10.1.1.1 : 0x00000001,
                     "lan" . aa:aa:aa:aa:aa:02 . 10.1.1.2 : 0x00000002,
                     "lan" . aa:aa:aa:aa:aa:03 . 10.1.2.0 : 0x00000003 }
    }
    map m3 {
        type iface_index . ether_addr . ipv4_addr : mark
        flags interval
        elements = { "lan" . aa:aa:aa:aa:aa:01-aa:aa:aa:aa:aa:02 . 10.1.1.1-10.1.1.2 : 0x00000002,
                     "lan" . aa:aa:aa:aa:aa:03 . 10.1.2.0 : 0x00000003 }
    }
}
Set s1 shows "host definitions" on my lan interface: 2 hosts with 1 IP address, 1 host with a whole /24 network. The dump from the kernel is just like it should be. Works great!
Map m1 shows that maps can work with intervals. Again no problem here.
Map m2 shows that maps can work with concatenations. The dumped version of m2 looks OK, but doesn't show the 3rd line correctly: 10.1.2.0 in place of 10.1.2.0/24. But that is expected, since m2 doesn't use the interval flag.
Map m3 shows what I want in the source file, but it doesn't work, as you can see in the dump. I want a map which marks each element (3-tuple: interface, MAC, IP-or-IP-net) with the respective value. But when it comes out of the kernel, it's quite different from the loaded config.
So finally my question: How do I make a map work with concatenations and intervals?
Thanks.
PS: This is on Linux 5.10.2.
User contributions licensed under CC BY-SA 3.0
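The post's m3 dump shows two things a practitioner would want to verify rather than eyeball: the two adjacent single-host elements came back as one element spanning aa:aa:aa:aa:aa:01-aa:aa:aa:aa:aa:02 and 10.1.1.1-10.1.1.2 that carries only the mark 0x2, and the 10.1.2.0/24 prefix came back as the bare address 10.1.2.0. The following script is an added example, not code from the post or from the nftables project. It parses the elements line of a map as printed by nft list ruleset, evaluates lookups the way a concatenated interval set matches (a key hits an element only when every field falls inside that field's range), and reports every intended (interface, MAC, address-or-prefix, mark) entry whose first or last address no longer resolves to exactly the intended mark. The dump text and the "as written" element list are constructed from the post; the parser assumes IPv4 addresses, MAC addresses and quoted interface names, which is all the post uses.

```python
"""Compare the marks an nft map was meant to assign against what a kernel
dump of that map actually matches.  Added example, not part of the post or
of nftables; only handles iface names, MAC addresses and IPv4 fields."""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed from the post: the entries the author loaded into m3 ...
INTENDED = [
    ("lan", "aa:aa:aa:aa:aa:01", "10.1.1.1", 1),
    ("lan", "aa:aa:aa:aa:aa:02", "10.1.1.2", 2),
    ("lan", "aa:aa:aa:aa:aa:03", "10.1.2.0/24", 3),
]

# ... the m3 elements line exactly as `nft list ruleset` printed it ...
DUMPED_M3 = """elements = { "lan" . aa:aa:aa:aa:aa:01-aa:aa:aa:aa:aa:02 . 10.1.1.1-10.1.1.2 : 0x00000002,
"lan" . aa:aa:aa:aa:aa:03 . 10.1.2.0 : 0x00000003 }"""

# ... and (constructed) how that line would look if the kernel kept the
# three elements exactly as written in example.nft.
AS_WRITTEN_M3 = """elements = { "lan" . aa:aa:aa:aa:aa:01 . 10.1.1.1 : 0x00000001,
"lan" . aa:aa:aa:aa:aa:02 . 10.1.1.2 : 0x00000002,
"lan" . aa:aa:aa:aa:aa:03 . 10.1.2.0/24 : 0x00000003 }"""


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def scalar(text):
    """One MAC or IPv4 literal as an integer so ranges compare numerically."""
    text = text.strip()
    if MAC_RE.match(text):
        return mac_to_int(text)
    return int(ipaddress.ip_address(text))


def field_range(text):
    """Turn one concatenation component from a dump into an inclusive
    (lo, hi) pair: quoted name, a-b range, CIDR prefix or single value."""
    text = text.strip()
    if text.startswith('"'):
        name = text.strip('"')
        return (name, name)
    if "-" in text:
        lo, hi = text.split("-", 1)
        return (scalar(lo), scalar(hi))
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return (int(net.network_address), int(net.broadcast_address))
    value = scalar(text)
    return (value, value)


def parse_map_elements(dump):
    """Parse `elements = { key : value, ... }` into [(field_ranges, value)]."""
    body = dump.split("{", 1)[1].rsplit("}", 1)[0]
    elements = []
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        key, value = item.rsplit(" : ", 1)      # " : " separates key and mark
        fields = tuple(field_range(f) for f in key.split(" . "))
        elements.append((fields, int(value, 0)))  # accepts 0x... and decimal
    return elements


def lookup(elements, key):
    """Values of every element whose ranges contain the key in all fields,
    which is how a concatenated interval set decides a match."""
    hits = []
    for fields, value in elements:
        if len(fields) == len(key) and all(
            lo <= k <= hi for (lo, hi), k in zip(fields, key)
        ):
            hits.append(value)
    return hits


def check(intended, dump):
    """Probe the dumped map at the first and last address of each intended
    entry; return (iface, mac, addr, wanted, got) for every probe that does
    not resolve to exactly the intended mark."""
    elements = parse_map_elements(dump)
    problems = []
    for iface, mac, ip, mark in intended:
        net = ipaddress.ip_network(ip, strict=False)
        for addr in sorted({net.network_address, net.broadcast_address}):
            got = lookup(elements, (iface, mac_to_int(mac), int(addr)))
            if got != [mark]:
                problems.append((iface, mac, str(addr), mark, got))
    return problems


if __name__ == "__main__":
    for label, dump in (("kernel dump of m3", DUMPED_M3),
                        ("elements as written", AS_WRITTEN_M3)):
        print(label, "->", check(INTENDED, dump) or "all entries match")
```

Run against the dump from the post, the checker reports that 10.1.1.1 behind aa:aa:aa:aa:aa:01 now gets mark 2 instead of 1, and that 10.1.2.255 (the last address of the intended /24) gets no mark at all; run against the elements as written it reports nothing. The same approach works on a live box by feeding it the elements line from nft list map ip filter m3, which is a cheaper way to catch a silently changed policy than sending test packets.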