From 0a810fd38f5db21b98d9b032a2d1c3e98a6d150f Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sat, 23 Aug 2025 22:21:27 -0400
Subject: [PATCH] switch SSH IPv6 connection limit to /64
---
 etc/nftables/nftables-attestation.conf | 8 ++++----
 etc/nftables/nftables-discuss.conf | 8 ++++----
 etc/nftables/nftables-mail.conf | 8 ++++----
 etc/nftables/nftables-matrix.conf | 8 ++++----
 etc/nftables/nftables-network.conf | 8 ++++----
 etc/nftables/nftables-ns1.conf | 8 ++++----
 etc/nftables/nftables-ns2.conf | 8 ++++----
 etc/nftables/nftables-social.conf | 8 ++++----
 etc/nftables/nftables-web.conf | 8 ++++----
 9 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/etc/nftables/nftables-attestation.conf b/etc/nftables/nftables-attestation.conf
index b865562..e6278bb 100644
--- a/etc/nftables/nftables-attestation.conf
+++ b/etc/nftables/nftables-attestation.conf
@@ -60,7 +60,7 @@ table inet filter {
 ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
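Review bot: The /64 mask `ffff:ffff:ffff:ffff::` is now a bare literal in four SSH rules of this file and in the matching rules of the other eight configs, next to the identical literal already used for `@ip6-connlimit-main`; the /80-versus-/64 drift this commit corrects is exactly the kind of mismatch a single symbol prevents. These configs already use `define`d symbols such as `$ip6-allowlist-ssh`, so a `define ip6-connlimit-mask = ffff:ffff:ffff:ffff::` at the top of each file with `ip6 saddr and $ip6-connlimit-mask` in the lookup and `add` rules should keep the SSH and main limits on the same prefix by construction. The define block sits outside this hunk, so that part cannot be checked from the diff, and the same remark applies to the remaining hunks of this file and to the other eight files in the patch.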
@@ -68,7 +68,7 @@ table inet filter {
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
@@ -78,7 +78,7 @@ table inet filter {
 chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -88,7 +88,7 @@ table inet filter {
 chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
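Review bot: With the key widened to /64 while `ct count over 1` is unchanged, the rule `tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 }` in the established hunk now grants one concurrent SSH connection per /64 instead of per /80, so a second session from any host on the same site prefix is reset; the loopback hunk below and the established/loopback hunks of the other eight files carry the same change. In nftables-network.conf, nftables-ns1.conf, nftables-ns2.conf and nftables-web.conf that rule is guarded by `ip6 saddr != $ip6-allowlist-ssh`, but here and in the discuss, mail, matrix and social configs it is not, so the tighter per-site limit also applies to operator sources on those hosts, and the commit does not say whether that asymmetry is intended. Since the IPv4 rule next to it stays keyed on the full `ip saddr`, a comment recording why /64 is treated as the IPv6 counterpart would help the next reader, e.g. `# IPv6 limits are keyed per /64 (one end site), the counterpart of a single IPv4 /32`. The chain bodies continue outside these hunks.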
diff --git a/etc/nftables/nftables-discuss.conf b/etc/nftables/nftables-discuss.conf
index c9be78b..44879d0 100644
--- a/etc/nftables/nftables-discuss.conf
+++ b/etc/nftables/nftables-discuss.conf
@@ -60,7 +60,7 @@ table inet filter {
 ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
@@ -68,7 +68,7 @@ table inet filter {
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
@@ -78,7 +78,7 @@ table inet filter {
 chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -88,7 +88,7 @@ table inet filter {
 chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
diff --git a/etc/nftables/nftables-mail.conf b/etc/nftables/nftables-mail.conf
index 058cf08..be52f14 100644
--- a/etc/nftables/nftables-mail.conf
+++ b/etc/nftables/nftables-mail.conf
@@ -72,7 +72,7 @@ table inet filter {
 ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
@@ -80,7 +80,7 @@ table inet filter {
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
@@ -90,7 +90,7 @@ table inet filter {
 chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -100,7 +100,7 @@ table inet filter {
 chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip saddr != $ip-allowlist-main add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 25, 80, 443, 465, 993 } ip6 saddr != $ip6-allowlist-main add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
diff --git a/etc/nftables/nftables-matrix.conf b/etc/nftables/nftables-matrix.conf
index 3bf6223..d8d334f 100644
--- a/etc/nftables/nftables-matrix.conf
+++ b/etc/nftables/nftables-matrix.conf
@@ -60,7 +60,7 @@ table inet filter {
 ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
@@ -68,7 +68,7 @@ table inet filter {
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
@@ -78,7 +78,7 @@ table inet filter {
 chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -88,7 +88,7 @@ table inet filter {
 chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
diff --git a/etc/nftables/nftables-network.conf b/etc/nftables/nftables-network.conf
index 52cb98e..8a8fde9 100644
--- a/etc/nftables/nftables-network.conf
+++ b/etc/nftables/nftables-network.conf
@@ -70,7 +70,7 @@ table inet filter {
 ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
@@ -78,7 +78,7 @@ table inet filter {
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
@@ -88,7 +88,7 @@ table inet filter {
 chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -98,7 +98,7 @@ table inet filter {
 chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index fa4fe9c..c2ac540 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -76,7 +76,7 @@ table inet filter {
 ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
@@ -84,7 +84,7 @@ table inet filter {
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
@@ -94,7 +94,7 @@ table inet filter {
 chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -104,7 +104,7 @@ table inet filter {
 chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
 ct mark set 0x1 accept
diff --git a/etc/nftables/nftables-ns2.conf b/etc/nftables/nftables-ns2.conf
index 394d8e3..a62fa96 100644
--- a/etc/nftables/nftables-ns2.conf
+++ b/etc/nftables/nftables-ns2.conf
@@ -74,7 +74,7 @@ table inet filter {
 ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
@@ -82,7 +82,7 @@ table inet filter {
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
@@ -92,7 +92,7 @@ table inet filter {
 chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -102,7 +102,7 @@ table inet filter {
 chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
 tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
 ct mark set 0x1 accept
diff --git a/etc/nftables/nftables-social.conf b/etc/nftables/nftables-social.conf
index 9c8174f..6711a5b 100644
--- a/etc/nftables/nftables-social.conf
+++ b/etc/nftables/nftables-social.conf
@@ -60,7 +60,7 @@ table inet filter {
 ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
@@ -68,7 +68,7 @@ table inet filter {
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
@@ -78,7 +78,7 @@ table inet filter {
 chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -88,7 +88,7 @@ table inet filter {
 chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
diff --git a/etc/nftables/nftables-web.conf b/etc/nftables/nftables-web.conf
index 58fe0a3..dd65482 100644
--- a/etc/nftables/nftables-web.conf
+++ b/etc/nftables/nftables-web.conf
@@ -70,7 +70,7 @@ table inet filter {
 ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 synproxy mss 1460 wscale 7 timestamp sack-perm
@@ -78,7 +78,7 @@ table inet filter {
 chain input-tcp-service-new {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
 tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
 accept
@@ -88,7 +88,7 @@ table inet filter {
 chain input-tcp-service-established {
 ct mark 0x1 accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept
@@ -98,7 +98,7 @@ table inet filter {
 chain input-tcp-service-loopback {
 tcp flags != syn accept
 tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
- tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
 tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
 ct mark set 0x1 accept