table inet filter {
    chain input {
        tcp dport ssh accept

{% for service in services %}
{% set prefixes = service | allowed_prefixes %}
{% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map('string') %}
{% set prefixes6 = prefixes | selectattr('family.value', '==', 6) | map('string') %}
{% set ports = service.ports | compact_numlist %}
        # service {{ service.name }}
{% if prefixes4 or prefixes6 %}
{% if prefixes4 %}
        ip saddr { {{ prefixes4 | join(', ') }} } tcp dport { {{ ports }} } accept
{% endif %}
{% if prefixes6 %}
        ip6 saddr { {{ prefixes6 | join(', ') }} } tcp dport { {{ ports }} } accept
{% endif %}
{% else %}
        tcp dport { {{ ports }} } accept
{% endif %}

{% endfor %}
    }
}