diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index 806d357..70aab4a 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -54,14 +54,14 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } accept
 ct state vmap { established : accept, related : accept, new : goto graceful-reject }
- tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-loopback {
- tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
+ tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 accept
 }
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index b19f935..575797f 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
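Review bot: The `counter` inserted before `reject with tcp reset` in both the input chain and `input-loopback` is an anonymous per-rule counter, so its value is tied to the rule and resets every time the file is reloaded and the rule is re-created, and the v4 and v6 rules for the same limit can only be read as two separate figures. If the purpose is to watch how often the SSH (and on ns1/ns2 the DNS) connection limits fire, declare a named counter once in `table inet filter`, e.g. `counter connlimit-ssh-reject {}`, and reference it from the rules with `counter name connlimit-ssh-reject`; named counters keep their value across rule replacement (though not across a full `flush ruleset`) and can be read with `nft list counters` without parsing the rule listing. The identical edit is repeated in nftables-discuss.conf, nftables-mail.conf, nftables-matrix.conf, nftables-network.conf, nftables-ns1.conf, nftables-ns2.conf, nftables-social.conf and nftables-web.conf; since these chains are copied verbatim, moving them into a shared fragment pulled in with `include` would keep the nine copies from drifting. The enclosing `table inet filter` and the chain that opens this hunk begin outside the hunk.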
@@ -57,14 +57,14 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } accept
 ct state vmap { established : accept, related : accept, new : goto graceful-reject }
- tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-loopback {
- tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
+ tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 accept
 }
diff --git a/nftables-mail.conf b/nftables-mail.conf
index 1d1cd10..71ae92b 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -54,14 +54,14 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } accept
 ct state vmap { established : accept, related : accept, new : goto graceful-reject }
- tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-loopback {
- tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
+ tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 accept
 }
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 681729f..9724f16 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -54,14 +54,14 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } accept
 ct state vmap { established : accept, related : accept, new : goto graceful-reject }
- tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-loopback {
- tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
+ tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 accept
 }
diff --git a/nftables-network.conf b/nftables-network.conf
index c721a74..fba5eca 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -59,14 +59,14 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } accept
 ct state vmap { established : accept, related : accept, new : goto graceful-reject }
- tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-loopback {
- tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
+ tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 accept
 }
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index d4e30d5..c3c3264 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -67,19 +67,19 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } accept
 ct state vmap { established : accept, related : accept, new : goto graceful-reject }
- tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
- tcp dport { 53, 853 } ip saddr @ip-connlimit-dns reject with tcp reset
- tcp dport { 53, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-dns reject with tcp reset
+ tcp dport { 53, 853 } ip saddr @ip-connlimit-dns counter reject with tcp reset
+ tcp dport { 53, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-dns counter reject with tcp reset
 tcp dport { 53, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-loopback {
- tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
- tcp dport { 53, 853 } tcp flags syn add @ip-connlimit-dns { ip saddr ct count over 16 } reject with tcp reset
- tcp dport { 53, 853 } tcp flags syn add @ip6-connlimit-dns { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } reject with tcp reset
+ tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport { 53, 853 } tcp flags syn add @ip-connlimit-dns { ip saddr ct count over 16 } counter reject with tcp reset
+ tcp dport { 53, 853 } tcp flags syn add @ip6-connlimit-dns { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
 accept
 }
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index e0cdde7..b57e578 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -72,19 +72,19 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } accept
 ct state vmap { established : accept, related : accept, new : goto graceful-reject }
- tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
- tcp dport { 53, 853 } ip saddr @ip-connlimit-dns reject with tcp reset
- tcp dport { 53, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-dns reject with tcp reset
+ tcp dport { 53, 853 } ip saddr @ip-connlimit-dns counter reject with tcp reset
+ tcp dport { 53, 853 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-dns counter reject with tcp reset
 tcp dport { 53, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-loopback {
- tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
- tcp dport { 53, 853 } tcp flags syn add @ip-connlimit-dns { ip saddr ct count over 16 } reject with tcp reset
- tcp dport { 53, 853 } tcp flags syn add @ip6-connlimit-dns { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } reject with tcp reset
+ tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport { 53, 853 } tcp flags syn add @ip-connlimit-dns { ip saddr ct count over 16 } counter reject with tcp reset
+ tcp dport { 53, 853 } tcp flags syn add @ip6-connlimit-dns { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
 accept
 }
diff --git a/nftables-social.conf b/nftables-social.conf
index cef1659..927ddef 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -54,14 +54,14 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } accept
 ct state vmap { established : accept, related : accept, new : goto graceful-reject }
- tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-loopback {
- tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
+ tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 accept
 }
diff --git a/nftables-web.conf b/nftables-web.conf
index 290ac34..fe280c2 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -58,14 +58,14 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } accept
 ct state vmap { established : accept, related : accept, new : goto graceful-reject }
- tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-loopback {
- tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
+ tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+ tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
 accept
 }