diff --git a/machines/shinobu/services/router.nix b/machines/shinobu/services/router.nix
index 7013278..ecc2cef 100644
--- a/machines/shinobu/services/router.nix
+++ b/machines/shinobu/services/router.nix
@@ -66,7 +66,7 @@ in
 table inet filter {
 chain forward {
- type filter hook forward priority filter; policy drop;
+ type filter hook forward priority filter; policy drop
 # Use MSS clamping
 # to avoid too large packets from client on the lan
@@ -74,38 +74,40 @@ in
 iifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
 oifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
- iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
- iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;
+ iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept
+ iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept
 # plastic router
- iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept;
- iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $PLASTIC_ROUTER_V4 ct state established,related counter accept;
+ iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept
+ iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $PLASTIC_ROUTER_V4 ct state established,related counter accept
- iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $VUEKO_V4 udp dport $VUEKO_PORT counter accept;
- iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $VUEKO_V4 udp sport $VUEKO_PORT ct state established,related counter accept;
- iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT counter accept;
- iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip6 saddr $VUEKO_V6 udp sport $VUEKO_PORT ct state established,related counter accept;
+ iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $VUEKO_V4 udp dport $VUEKO_PORT counter accept
+ iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $VUEKO_V4 udp sport $VUEKO_PORT ct state established,related counter accept
+ iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT counter accept
+ iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip6 saddr $VUEKO_V6 udp sport $VUEKO_PORT ct state established,related counter accept
 }
 }
 table inet nat {
 chain prerouting {
- type nat hook prerouting priority filter; policy accept;
+ type nat hook prerouting priority filter; policy accept
 }
 chain postrouting {
- type nat hook postrouting priority filter; policy accept;
- oifname $MASQUERADE_IFACES masquerade;
+ type nat hook postrouting priority filter; policy accept
+ oifname $MASQUERADE_IFACES masquerade
 }
 }
 table inet mangle {
 chain output {
- type route hook output priority mangle;
+ type route hook output priority mangle
 # Add fwmark noVpnMark to packets to vueko, so it will get routed correctly
- ip daddr $VUEKO_V4 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter;
- ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter;
+ ip daddr $VUEKO_V4 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter
+ ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter
+ }
+ }
 }
 }
 '';
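Review bot: The two added `}` lines at the end of this hunk leave the new side with four consecutive closing braces before `'';`, while only `table inet mangle {` and `chain output {` are open at that point, so the ruleset looks brace-unbalanced and nft would reject it with a syntax error (the old side closed both with the two context `}` lines that are still there). Unless an opening brace outside the hunk accounts for the extra pair, the fix is to drop the two added `}` lines, leaving `counter`, `}`, `}`, `'';`. A rejected ruleset means the forward chain's `policy drop`, the masquerade rule and the fwmark rules are never installed, so the router's state after activation depends on whatever the nftables unit does on failure rather than on this file. Worth confirming with `nft -c -f` on the rendered ruleset (or the NixOS nftables module's build-time ruleset check, if the release in use has it) before deploying; the rest of the semicolon removal is fine, since newline-terminated rules and the retained `;` between `priority` and `policy` are both valid nft syntax.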