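{#- vim: set sw=4 ts=4 sts=4 et : #}
{#
    Egress (host-originated traffic) allow-list for the 'inet filter' table.

    Each entry of 'allow_outgoing' contributes its 'port' (a single port or,
    because the sets carry 'flags interval', a range such as 8000-8100) to
    either the TCP or the UDP set. An entry without a 'protocol' key counts
    as TCP; any other protocol value is ignored.

    The port lists are built up front so that a set's 'elements' block is
    emitted only when it is non-empty: nft rejects 'elements = { }' as a
    syntax error, which would make the whole ruleset fail to load as soon
    as, for example, no UDP ports are configured.

    NOTE(review): port values are interpolated verbatim into the ruleset, so
    'allow_outgoing' must come from operator-controlled inventory only; an
    untrusted value could inject arbitrary nft statements.
#}
{%- set _allow = allow_outgoing | d([]) %}
{%- set _tcp_ports = (_allow | selectattr('protocol', 'undefined') | list)
                   + (_allow | selectattr('protocol', 'equalto', 'tcp') | list) %}
{%- set _udp_ports = _allow | selectattr('protocol', 'equalto', 'udp') | list %}

table inet filter {
    set allow_tcp_out {
        type inet_service
        flags interval
        {% if _tcp_ports %}
        elements = {
            {% for item in _tcp_ports %}
            {{ item.port }},
            {% endfor %}
        }
        {% endif %}
    }

    set allow_udp_out {
        type inet_service
        flags interval
        {% if _udp_ports %}
        elements = {
            {% for item in _udp_ports %}
            {{ item.port }},
            {% endfor %}
        }
        {% endif %}
    }

    chain output {
        # Attach the chain to the output hook. Without this line a chain
        # named 'output' is just a regular chain that nft never evaluates,
        # so none of the rules below would take effect; 'policy drop' is what
        # turns the 'accept' rules into an actual allow-list. If this chain
        # is instead meant to be reached via 'jump' from a base chain defined
        # elsewhere, remove this line rather than keeping both.
        type filter hook output priority 0; policy drop;

        # Reply traffic for flows that were already allowed in either direction.
        ct state established,related accept
        oif lo accept
        # ICMPv6 is mandatory for IPv6 to function (neighbour discovery, PMTUD).
        ip6 nexthdr ipv6-icmp accept
        # NOTE(review): ESP is only permitted for IPv4 here; IPv6 IPsec would
        # need a matching 'ip6 nexthdr esp accept' -- confirm intent.
        ip protocol { icmp, esp } accept
        tcp dport @allow_tcp_out ct state new counter accept
        udp dport @allow_udp_out ct state new counter accept
        # Final catch-all counter so traffic dropped by the policy is visible
        # in 'nft list ruleset' when debugging an egress problem.
        counter
    }
}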