diff --git a/deploy/files/usr/local/lib/systemd/system/left4me-nft-mark.service b/deploy/files/usr/local/lib/systemd/system/left4me-nft-mark.service
new file mode 100644
index 0000000..b3de2f3
--- /dev/null
+++ b/deploy/files/usr/local/lib/systemd/system/left4me-nft-mark.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=left4me nftables packet marking (DSCP EF + priority for srcds)
+After=network-pre.target
+Before=network.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/nft -f /usr/local/lib/left4me/nft/left4me-mark.nft
+ExecStop=/usr/sbin/nft delete table inet left4me_mark
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/tests/test_deploy_artifacts.py b/deploy/tests/test_deploy_artifacts.py
index 0774c79..d88dc1b 100644
--- a/deploy/tests/test_deploy_artifacts.py
+++ b/deploy/tests/test_deploy_artifacts.py
@@ -14,6 +14,7 @@ BUILD_SLICE = DEPLOY / "files/usr/local/lib/systemd/system/l4d2-build.slice"
 SYSCTL_CONF = DEPLOY / "files/etc/sysctl.d/99-left4me.conf"
 GLOBAL_REFRESH_SERVICE = DEPLOY / "files/usr/local/lib/systemd/system/left4me-refresh-global-overlays.service"
 GLOBAL_REFRESH_TIMER = DEPLOY / "files/usr/local/lib/systemd/system/left4me-refresh-global-overlays.timer"
+NFT_MARK_UNIT = DEPLOY / "files/usr/local/lib/systemd/system/left4me-nft-mark.service"
 SANDBOX_UNIT_DIR = DEPLOY / "files/usr/local/lib/systemd/system"
 SYSTEMCTL_HELPER = DEPLOY / "files/usr/local/libexec/left4me/left4me-systemctl"
 JOURNALCTL_HELPER = DEPLOY / "files/usr/local/libexec/left4me/left4me-journalctl"
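Review bot: `ExecStop=/usr/sbin/nft delete table inet left4me_mark` exits non-zero whenever the table is already absent (ExecStart failed, or someone ran a manual `nft flush ruleset`), so a stop or restart lands the unit in a failed state for what is already the desired end state; prefixing the command so its exit status is ignored, `ExecStop=-/usr/sbin/nft delete table inet left4me_mark`, avoids that (the matching substring assertion in the new test in deploy/tests/test_deploy_artifacts.py would then need the `-` too). Because the unit only has to talk to netfilter, the [Service] section can also drop privileges it does not use — nft should only need `CapabilityBoundingSet=CAP_NET_ADMIN`, and `NoNewPrivileges=yes`, `ProtectSystem=strict`, `ProtectHome=yes` are harmless for a read-only ruleset load. Whether re-running `nft -f` against an already-loaded table duplicates rules depends on whether left4me-mark.nft itself flushes or destroys the table first, which is not visible in this commit and is worth stating in a comment on the ExecStart line.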
@@ -735,3 +736,23 @@ def test_nft_mark_file_marks_left4me_udp_with_dscp_ef_and_priority(): # skb->priority class 6:0, set inline alongside DSCP. assert "meta priority set 0006:0000" in text + + +def test_nft_mark_unit_loads_and_clears_left4me_table(): + assert NFT_MARK_UNIT.is_file() + text = NFT_MARK_UNIT.read_text() + + # Loads the rules early so the very first packet srcds emits is marked. + assert "After=network-pre.target" in text + assert "Before=network.target" in text + assert "Wants=network-pre.target" in text + + # Oneshot lifecycle: load on start, drop on stop. + assert "Type=oneshot" in text + assert "RemainAfterExit=yes" in text + assert ( + "ExecStart=/usr/sbin/nft -f /usr/local/lib/left4me/nft/left4me-mark.nft" + in text + ) + assert "ExecStop=/usr/sbin/nft delete table inet left4me_mark" in text + assert "WantedBy=multi-user.target" in text
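Review bot: The new test_nft_mark_unit_loads_and_clears_left4me_table checks every directive by plain substring, so `assert "Type=oneshot" in text` still passes when the line is commented out (`#Type=oneshot`) or sits under the wrong section, and `"After=network-pre.target" in text` would also match a longer target name; anchoring each check, e.g. `assert re.search(r"^Type=oneshot$", text, re.M)`, or parsing the unit with configparser (`strict=False`, `interpolation=None`) and asserting on `unit["Service"]["Type"]`, pins the directive as actually active. The ExecStart path is only asserted as a string; if the deploy tree mirrors install paths the way the other constants in this file do, adding `assert (DEPLOY / "files/usr/local/lib/left4me/nft/left4me-mark.nft").is_file()` would catch the unit pointing at a ruleset file that is not shipped. `NFT_MARK_UNIT.read_text()` depends on the host locale; `read_text(encoding="utf-8")` keeps the test deterministic.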