diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index 6d57b41..09d0b45 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -50,7 +50,7 @@ table inet filter {
  policy drop
  iif lo tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr ct count over 1 } reject with tcp reset
+ iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
  iif lo accept
  tcp dport { 80, 443 } accept
@@ -58,7 +58,7 @@ table inet filter {
  ct state vmap { established : accept, related : accept, new : goto graceful-reject }
  tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
  tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
  }
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 2b5140a..9ba0120 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -53,7 +53,7 @@ table inet filter {
  policy drop
  iif lo tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr ct count over 1 } reject with tcp reset
+ iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
  iif lo accept
  tcp dport { 80, 443 } accept
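Review bot: The mask `ffff:ffff:ffff:ffff:ffff::` on the added set-add line is an unexplained literal that is repeated verbatim on the lookup line in the second hunk of this file and in the same two hunks of nftables-discuss, -mail, -matrix, -network, -ns1, -ns2, -social and -web; since these files already name their inputs with defines (`$ip6-allowlist-ssh`), the mask should be one too, e.g. `define ip6-connlimit-mask = ffff:ffff:ffff:ffff:ffff::` beside the existing defines and `ip6 saddr and $ip6-connlimit-mask` in both rules, so the add and the lookup cannot drift apart. A comment above that define should state the intent; presumably keying the dynamic set on the /80 is meant to make the one-SSH-connection limit apply to a whole prefix rather than to each of the many addresses a single host can hold, with the side effect that every non-allowlisted host inside the same /80 shares that single allowed connection — confirm that is what is wanted. /80 is not a usual allocation boundary (a /64 is what hosts and sites are commonly given), so the comment should also say why 80 bits was chosen over 64. The declaration of @ip6-connlimit-ssh and the enclosing chain are outside the hunk, so I have not checked that the set's element type and timeout still suit per-prefix keys.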
@@ -61,7 +61,7 @@ table inet filter {
  ct state vmap { established : accept, related : accept, new : goto graceful-reject }
  tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
  tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
  }
diff --git a/nftables-mail.conf b/nftables-mail.conf
index ef5c977..da43dd0 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -50,7 +50,7 @@ table inet filter {
  policy drop
  iif lo tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr ct count over 1 } reject with tcp reset
+ iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
  iif lo accept
  tcp dport { 25, 80, 443, 465, 993 } accept
@@ -58,7 +58,7 @@ table inet filter {
  ct state vmap { established : accept, related : accept, new : goto graceful-reject }
  tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
  tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
  }
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 87a7954..0120b2d 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -50,7 +50,7 @@ table inet filter {
  policy drop
  iif lo tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr ct count over 1 } reject with tcp reset
+ iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
  iif lo accept
  tcp dport { 80, 443 } accept
@@ -58,7 +58,7 @@ table inet filter {
  ct state vmap { established : accept, related : accept, new : goto graceful-reject }
  tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
  tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
  }
diff --git a/nftables-network.conf b/nftables-network.conf
index 5806e62..a80a077 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -54,7 +54,7 @@ table inet filter {
  policy drop
  iif lo tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr ct count over 1 } reject with tcp reset
+ iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
  iif lo accept
  tcp dport { 80, 443, 7275 } accept
@@ -63,7 +63,7 @@ table inet filter {
  ct state vmap { established : accept, related : accept, new : goto graceful-reject }
  tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
  tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
  }
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index 023c514..13a43d7 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -52,7 +52,7 @@ table inet filter {
  policy drop
  iif lo tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr ct count over 1 } reject with tcp reset
+ iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
  iif lo accept
  udp dport 53 accept
@@ -61,7 +61,7 @@ table inet filter {
  ct state vmap { established : accept, related : accept, new : goto graceful-reject }
  tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
  tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
  }
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 408b11f..b980e0a 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -57,7 +57,7 @@ table inet filter {
  policy drop
  iif lo tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr ct count over 1 } reject with tcp reset
+ iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
  iif lo accept
  udp dport 53 accept
@@ -66,7 +66,7 @@ table inet filter {
  ct state vmap { established : accept, related : accept, new : goto graceful-reject }
  tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
  tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
  }
diff --git a/nftables-social.conf b/nftables-social.conf
index 403794a..537227d 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -50,7 +50,7 @@ table inet filter {
  policy drop
  iif lo tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr ct count over 1 } reject with tcp reset
+ iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
  iif lo accept
  tcp dport { 80, 443 } accept
@@ -58,7 +58,7 @@ table inet filter {
  ct state vmap { established : accept, related : accept, new : goto graceful-reject }
  tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
  tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
  }
diff --git a/nftables-web.conf b/nftables-web.conf
index beaf5c1..e288f7b 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -54,7 +54,7 @@ table inet filter {
  policy drop
  iif lo tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset
- iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr ct count over 1 } reject with tcp reset
+ iif lo tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset
  iif lo accept
  tcp dport { 80, 443 } accept
@@ -62,7 +62,7 @@ table inet filter {
  ct state vmap { established : accept, related : accept, new : goto graceful-reject }
  tcp dport 22 ip saddr @ip-connlimit-ssh reject with tcp reset
- tcp dport 22 ip6 saddr @ip6-connlimit-ssh reject with tcp reset
+ tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh reject with tcp reset
  tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
  }