diff --git a/example.yaml b/example.yaml index 29b2615..20b074f 100644 --- a/example.yaml +++ b/example.yaml @@ -2,23 +2,23 @@ zones: - name: users-internet-allowed include: - - rules.yaml + files: [example.yaml] + - name: mgmt include: - - 10.203.0.0/16 + addrs: [10.203.0.0/16] + - name: adm include: - - 2a09:6840::/29 - - 10.128.0.0/16 + addrs: [2a09:6840::/29, 10.128.0.0/16] + - name: internet exclude: - - adm - - mgmt + zones: [adm, mgmt] blacklist: enabled: true - addr: - - 0.0.0.0 + addr: [0.0.0.0] reverse_path_filter: enabled: true @@ -27,11 +27,13 @@ filter: input: - iif: lo verdict: accept + - src: mgmt protocols: tcp: dport: [22, 240..242] verdict: accept + - src: backbone protocols: ospf: true @@ -39,27 +41,33 @@ filter: tcp: dport: [179] verdict: accept + - protocols: icmp: true verdict: accept + output: - verdict: accept + forward: - src: interco-crans verdict: accept + - src: users-internet-allowed protocols: tcp: dport: [25] verdict: drop + - src: users-internet-allowed dest: - - internet - - 10.0.0.1 + addrs: [10.0.0.1] + zones: [internet] verdict: accept nat: - - src: mgmt + - src: + zones: [mgmt] snat: addr: 45.66.108.14 persistent: true diff --git a/nftables.py b/nftables.py index 47c22f0..c7f993d 100755 --- a/nftables.py +++ b/nftables.py @@ -1,6 +1,5 @@ #!/usr/bin/env python3 -from __future__ import annotations from argparse import ArgumentParser, FileType from enum import Enum from pydantic import ( @@ -49,10 +48,16 @@ class ZoneName(str): pass +class ZoneEntries(RestrictiveBaseModel): + addrs: list[IPvAnyNetwork] | None + files: list[FilePath] | None + zones: list[ZoneName] | None + + class Zone(RestrictiveBaseModel): name: ZoneName - exclude: list[IPvAnyNetwork | ZoneName | FilePath] | None - include: list[IPvAnyNetwork | ZoneName | FilePath] | None + exclude: ZoneEntries | None + include: ZoneEntries | None @root_validator() def validate_mutually_exactly_one(cls, values): 
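Review bot: In the first example.yaml hunk the `users-internet-allowed` zone now includes `files: [example.yaml]`, i.e. the configuration file itself, where the removed entry pointed at `rules.yaml`; that reads as a placeholder rather than a real member list, and the `FilePath` type on the Python side appears to check only that the path exists, not what it contains. If the self-reference is there only to satisfy that existence check, a comment such as `# placeholder: any existing file passes FilePath validation; point this at your real address list` would stop readers from copying it verbatim. Otherwise the earlier `rules.yaml` reference looks like the intended one.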
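Review bot: `ZoneEntries` in the second nftables.py hunk accepts an instance with all three of `addrs`, `files` and `zones` unset (or empty), so `include: {}`, `exclude: {}` or a `src:`/`dest:` of `{}` passes validation; `Zone` keeps its root validator for exactly one of include/exclude, but nothing enforces that the chosen one names at least one member. How the generator (outside this diff) expands an empty entry set is not visible here, but either a zone matching nothing or a rule with no source/destination restriction is a silent misconfiguration worth rejecting at parse time. The same applies to `ForwardRule.dest` and `Nat.src` in the later hunks, which reuse the type, so a root validator on ZoneEntries mirroring the one on Zone covers all three. A docstring stating what each of `addrs`, `files` and `zones` expands to would also help, since the field names alone leave `files` ambiguous.
```python
class ZoneEntries(RestrictiveBaseModel):
    addrs: list[IPvAnyNetwork] | None
    files: list[FilePath] | None
    zones: list[ZoneName] | None

    @root_validator()
    def validate_not_empty(cls, values):
        # An entry set with no members is almost certainly a mistake;
        # reject it here rather than let the generator decide what {} means.
        if not any(values.get(key) for key in ("addrs", "files", "zones")):
            raise ValueError("at least one of addrs, files or zones must be given")
        return values
```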
@@ -110,7 +115,7 @@ class Rule(RestrictiveBaseModel):
 class ForwardRule(Rule):
- dest: ZoneName | list[IPvAnyNetwork | ZoneName | FilePath] | None
+ dest: ZoneEntries | None
 class Filter(RestrictiveBaseModel):
@@ -126,7 +131,7 @@ class SNat(RestrictiveBaseModel):
 class Nat(RestrictiveBaseModel):
- src: ZoneName | list[IPvAnyNetwork | ZoneName | FilePath] | None
+ src: ZoneEntries | None
 snat: SNat
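Review bot: The `dest` and `src` retypings in these two hunks drop the bare `ZoneName` form, so an existing configuration with `src: mgmt` or `dest: internet` now fails validation until rewritten as `src: {zones: [mgmt]}`; the example.yaml hunk shows the migration, but nothing in the code or docs says that the old shape is gone. A short README or changelog note describing the new `addrs`/`files`/`zones` mapping, or at least a comment on the two fields such as `# bare zone names are no longer accepted; use zones: [name]`, would save operators a confusing validation error on upgrade. The `Filter` and `Nat` class bodies continue outside these hunks.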