table inet filter {
    chain input {
{% for service in services %}
{% set prefixes = service | allowed_prefixes %}
{% set ports = service.ports | compact_numlist %}
{% if 'name' in service %}
        # service {{ service.name }}
{% endif %}
{% if prefixes %}
{% if prefixes | ipv4 %}
        ip saddr { {{ prefixes | ipv4 | join(', ') }} } {{ service.protocol.value }} dport { {{ ports }} } accept
{% endif %}
{% if prefixes | ipv6 %}
        ip6 saddr { {{ prefixes | ipv6 | join(', ') }} } {{ service.protocol.value }} dport { {{ ports }} } accept
{% endif %}
{% else %}
        tcp dport { {{ ports }} } accept
{% endif %}

{% endfor %}
    }
}