authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2017-05-31 14:54:00 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2017-05-31 21:37:09 +0300
commit06591454c536fbc7aef028f9437dabc53788f6bc (patch)
treeee9d63da5c8172527ca1cf20178d91c689100fd1
parent3293b2093502a35441fcf67234089b1898943371 (diff)
test: add basic rules
-rw-r--r--test/mandatory/filter-limit.json41
-rw-r--r--test/mandatory/filter.json10
-rw-r--r--test/mandatory/log.json13
-rw-r--r--test/output/dump1282
-rw-r--r--test/output/rules-save316
-rw-r--r--test/output/rules6-save316
6 files changed, 1978 insertions, 0 deletions
diff --git a/test/mandatory/filter-limit.json b/test/mandatory/filter-limit.json
new file mode 100644
index 0000000..a2fd1de
--- /dev/null
+++ b/test/mandatory/filter-limit.json
@@ -0,0 +1,41 @@
+{
+ "filter": [
+ { "conn-limit": 1 },
+ { "conn-limit": 1, "action": "pass" },
+ { "conn-limit": 1, "log": true },
+ { "conn-limit": 1, "log": true, "action": "pass" },
+ { "conn-limit": { "count": 1, "log": false } },
+ { "conn-limit": { "count": 1, "log": false }, "action": "pass" },
+ { "conn-limit": { "count": 1, "log": false }, "log": true },
+ {
+ "conn-limit": { "count": 1, "log": false },
+ "log": true,
+ "action": "pass"
+ },
+ { "conn-limit": 30 },
+ { "conn-limit": 30, "action": "pass" },
+ { "conn-limit": 30, "log": true },
+ { "conn-limit": { "count": 30, "log": false } },
+ { "conn-limit": { "count": 30, "log": false }, "action": "pass" },
+ { "conn-limit": { "count": 30, "log": false }, "log": true },
+
+ { "flow-limit": 1 },
+ { "flow-limit": 1, "action": "pass" },
+ { "flow-limit": 1, "log": true },
+ { "flow-limit": 1, "log": true, "action": "pass" },
+ { "flow-limit": { "count": 1, "log": false } },
+ { "flow-limit": { "count": 1, "log": false }, "action": "pass" },
+ { "flow-limit": { "count": 1, "log": false }, "log": true },
+ {
+ "flow-limit": { "count": 1, "log": false },
+ "log": true,
+ "action": "pass"
+ },
+ { "flow-limit": 30 },
+ { "flow-limit": 30, "action": "pass" },
+ { "flow-limit": 30, "log": true },
+ { "flow-limit": { "count": 30, "log": false } },
+ { "flow-limit": { "count": 30, "log": false }, "action": "pass" },
+ { "flow-limit": { "count": 30, "log": false }, "log": true }
+ ]
+}
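Review bot: The count-30 cases never combine `"log": true` with `"action": "pass"`, although the count-1 cases do for both `conn-limit` and `flow-limit`, in the shorthand and the object form. Adding `{ "conn-limit": 30, "log": true, "action": "pass" }` and its three siblings would close that gap. The expected output in test/output/dump renders count 1 with `-m recent` and count 30 with `-m hashlimit`, so the value at which the generator switches between them is not pinned; one case on each side of that switch-over would catch a regression there. Every limit object in this file sets `"log": false`, so the object form with `"log": true` is not exercised either.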
diff --git a/test/mandatory/filter.json b/test/mandatory/filter.json
new file mode 100644
index 0000000..3918b9b
--- /dev/null
+++ b/test/mandatory/filter.json
@@ -0,0 +1,10 @@
+{
+ "filter": [
+ {},
+ { "action": "accept" },
+ { "action": "drop" },
+ { "action": "pass" },
+ { "action": "reject" },
+ { "action": "tarpit" }
+ ]
+}
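Review bot: The `{ "action": "tarpit" }` entry carries no match condition, and its expected output in test/output/dump adds `-j CT --notrack` to raw PREROUTING and raw OUTPUT for every packet. That pins the rule shape, but not whether the notrack rules inherit the filter's match. A second tarpit entry with a match condition would show that connection tracking is bypassed only for the tarpitted traffic, and not for flows that the `--ctstate ESTABLISHED` accept rule in rules-save is presumably meant to keep working.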
diff --git a/test/mandatory/log.json b/test/mandatory/log.json
new file mode 100644
index 0000000..8dadc1b
--- /dev/null
+++ b/test/mandatory/log.json
@@ -0,0 +1,13 @@
+{
+ "filter": [
+ {},
+ { "action": "drop" },
+ { "action": "pass" },
+ { "log": false },
+ { "log": false, "action": "drop" },
+ { "log": false, "action": "pass" },
+ { "log": true },
+ { "log": true, "action": "drop" },
+ { "log": true, "action": "pass" }
+ ]
+}
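Review bot: `"log": false` is combined only with `drop` and `pass` here, so the unlogged path for `reject` and `tarpit` is not pinned. Both actions get a log chain by default in the expected dump (`logreject-0`, `logtarpit-0`). Adding `{ "log": false, "action": "reject" }` and `{ "log": false, "action": "tarpit" }` would confirm that they jump straight to the terminal target, as `drop` does in Filter 39.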
diff --git a/test/output/dump b/test/output/dump
index 69774bf..0b51d7d 100644
--- a/test/output/dump
+++ b/test/output/dump
@@ -1,3 +1,653 @@
+Filter 1 {}
+(filter)
+ inet/filter/FORWARD -j ACCEPT
+ inet6/filter/FORWARD -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 2 {"action":"accept"}
+(filter)
+ inet/filter/FORWARD -j ACCEPT
+ inet6/filter/FORWARD -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 3 {"action":"drop"}
+(filter)
+ inet/filter/FORWARD -j logdrop-0
+ inet6/filter/FORWARD -j logdrop-0
+ inet/filter/INPUT -j logdrop-0
+ inet6/filter/INPUT -j logdrop-0
+ inet/filter/OUTPUT -j logdrop-0
+ inet6/filter/OUTPUT -j logdrop-0
+ inet/filter/logdrop-0 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-0 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-0 -j DROP
+ inet6/filter/logdrop-0 -j DROP
+
+Filter 4 {"action":"pass"}
+(filter)
+ inet/filter/FORWARD
+ inet6/filter/FORWARD
+ inet/filter/INPUT
+ inet6/filter/INPUT
+ inet/filter/OUTPUT
+ inet6/filter/OUTPUT
+
+Filter 5 {"action":"reject"}
+(filter)
+ inet/filter/FORWARD -j logreject-0
+ inet6/filter/FORWARD -j logreject-0
+ inet/filter/INPUT -j logreject-0
+ inet6/filter/INPUT -j logreject-0
+ inet/filter/OUTPUT -j logreject-0
+ inet6/filter/OUTPUT -j logreject-0
+ inet/filter/logreject-0 -m limit --limit 1/second -j LOG
+ inet6/filter/logreject-0 -m limit --limit 1/second -j LOG
+ inet/filter/logreject-0 -j REJECT
+ inet6/filter/logreject-0 -j REJECT
+
+Filter 6 {"action":"tarpit"}
+(filter)
+ inet/filter/FORWARD -j logtarpit-0
+ inet6/filter/FORWARD -j logtarpit-0
+ inet/filter/INPUT -j logtarpit-0
+ inet6/filter/INPUT -j logtarpit-0
+ inet/filter/OUTPUT -j logtarpit-0
+ inet6/filter/OUTPUT -j logtarpit-0
+ inet/filter/logtarpit-0 -m limit --limit 1/second -j LOG
+ inet6/filter/logtarpit-0 -m limit --limit 1/second -j LOG
+ inet/filter/logtarpit-0 -j tarpit
+ inet6/filter/logtarpit-0 -j tarpit
+ inet/raw/PREROUTING -j CT --notrack
+ inet6/raw/PREROUTING -j CT --notrack
+ inet/raw/OUTPUT -j CT --notrack
+ inet6/raw/OUTPUT -j CT --notrack
+
+Filter 7 {"conn-limit":1}
+(filter-limit)
+ inet/filter/FORWARD -j limit-0
+ inet6/filter/FORWARD -j limit-0
+ inet/filter/INPUT -j limit-0
+ inet6/filter/INPUT -j limit-0
+ inet/filter/OUTPUT -j limit-0
+ inet6/filter/OUTPUT -j limit-0
+ inet/filter/limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-1
+ inet6/filter/limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-1
+ inet/filter/logdrop-1 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-1 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-1 -j DROP
+ inet6/filter/logdrop-1 -j DROP
+ inet/filter/limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --set -j ACCEPT
+ inet6/filter/limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+
+Filter 8 {"action":"pass","conn-limit":1}
+(filter-limit)
+ inet/filter/FORWARD -j limit-1
+ inet6/filter/FORWARD -j limit-1
+ inet/filter/INPUT -j limit-1
+ inet6/filter/INPUT -j limit-1
+ inet/filter/OUTPUT -j limit-1
+ inet6/filter/OUTPUT -j limit-1
+ inet/filter/limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-2
+ inet6/filter/limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-2
+ inet/filter/logdrop-2 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-2 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-2 -j DROP
+ inet6/filter/logdrop-2 -j DROP
+ inet/filter/limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --set
+ inet6/filter/limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+
+Filter 9 {"conn-limit":1,"log":true}
+(filter-limit)
+ inet/filter/FORWARD -j limit-2
+ inet6/filter/FORWARD -j limit-2
+ inet/filter/INPUT -j limit-2
+ inet6/filter/INPUT -j limit-2
+ inet/filter/OUTPUT -j limit-2
+ inet6/filter/OUTPUT -j limit-2
+ inet/filter/limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-3
+ inet6/filter/limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-3
+ inet/filter/logdrop-3 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-3 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-3 -j DROP
+ inet6/filter/logdrop-3 -j DROP
+ inet/filter/limit-2 -m limit --limit 1/second -j LOG
+ inet6/filter/limit-2 -m limit --limit 1/second -j LOG
+ inet/filter/limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --set -j ACCEPT
+ inet6/filter/limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+
+Filter 10 {"action":"pass","conn-limit":1,"log":true}
+(filter-limit)
+ inet/filter/FORWARD -j limit-3
+ inet6/filter/FORWARD -j limit-3
+ inet/filter/INPUT -j limit-3
+ inet6/filter/INPUT -j limit-3
+ inet/filter/OUTPUT -j limit-3
+ inet6/filter/OUTPUT -j limit-3
+ inet/filter/limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-4
+ inet6/filter/limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-4
+ inet/filter/logdrop-4 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-4 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-4 -j DROP
+ inet6/filter/logdrop-4 -j DROP
+ inet/filter/limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+ inet6/filter/limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+
+Filter 11 {"conn-limit":{"count":1,"log":false}}
+(filter-limit)
+ inet/filter/FORWARD -j limit-4
+ inet6/filter/FORWARD -j limit-4
+ inet/filter/INPUT -j limit-4
+ inet6/filter/INPUT -j limit-4
+ inet/filter/OUTPUT -j limit-4
+ inet6/filter/OUTPUT -j limit-4
+ inet/filter/limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+ inet6/filter/limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+ inet/filter/limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --set -j ACCEPT
+ inet6/filter/limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+
+Filter 12 {"action":"pass","conn-limit":{"count":1,"log":false}}
+(filter-limit)
+ inet/filter/FORWARD -j limit-5
+ inet6/filter/FORWARD -j limit-5
+ inet/filter/INPUT -j limit-5
+ inet6/filter/INPUT -j limit-5
+ inet/filter/OUTPUT -j limit-5
+ inet6/filter/OUTPUT -j limit-5
+ inet/filter/limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+ inet6/filter/limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+ inet/filter/limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --set
+ inet6/filter/limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+
+Filter 13 {"conn-limit":{"count":1,"log":false},"log":true}
+(filter-limit)
+ inet/filter/FORWARD -j limit-6
+ inet6/filter/FORWARD -j limit-6
+ inet/filter/INPUT -j limit-6
+ inet6/filter/INPUT -j limit-6
+ inet/filter/OUTPUT -j limit-6
+ inet6/filter/OUTPUT -j limit-6
+ inet/filter/limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+ inet6/filter/limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+ inet/filter/limit-6 -m limit --limit 1/second -j LOG
+ inet6/filter/limit-6 -m limit --limit 1/second -j LOG
+ inet/filter/limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --set -j ACCEPT
+ inet6/filter/limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+
+Filter 14 {"action":"pass","conn-limit":{"count":1,"log":false},"log":true}
+(filter-limit)
+ inet/filter/FORWARD -j limit-7
+ inet6/filter/FORWARD -j limit-7
+ inet/filter/INPUT -j limit-7
+ inet6/filter/INPUT -j limit-7
+ inet/filter/OUTPUT -j limit-7
+ inet6/filter/OUTPUT -j limit-7
+ inet/filter/limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+ inet6/filter/limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+ inet/filter/limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+ inet6/filter/limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+
+Filter 15 {"conn-limit":30}
+(filter-limit)
+ inet/filter/FORWARD -j limit-8
+ inet6/filter/FORWARD -j limit-8
+ inet/filter/INPUT -j limit-8
+ inet6/filter/INPUT -j limit-8
+ inet/filter/OUTPUT -j limit-8
+ inet6/filter/OUTPUT -j limit-8
+ inet/filter/limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-8 -j ACCEPT
+ inet6/filter/limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-8 -j ACCEPT
+ inet/filter/limit-8 -m limit --limit 1/second -j LOG
+ inet6/filter/limit-8 -m limit --limit 1/second -j LOG
+ inet/filter/limit-8 -j DROP
+ inet6/filter/limit-8 -j DROP
+
+Filter 16 {"action":"pass","conn-limit":30}
+(filter-limit)
+ inet/filter/FORWARD -j limit-9
+ inet6/filter/FORWARD -j limit-9
+ inet/filter/INPUT -j limit-9
+ inet6/filter/INPUT -j limit-9
+ inet/filter/OUTPUT -j limit-9
+ inet6/filter/OUTPUT -j limit-9
+ inet/filter/limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-9 -j RETURN
+ inet6/filter/limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-9 -j RETURN
+ inet/filter/limit-9 -m limit --limit 1/second -j LOG
+ inet6/filter/limit-9 -m limit --limit 1/second -j LOG
+ inet/filter/limit-9 -j DROP
+ inet6/filter/limit-9 -j DROP
+
+Filter 17 {"conn-limit":30,"log":true}
+(filter-limit)
+ inet/filter/FORWARD -j limit-10
+ inet6/filter/FORWARD -j limit-10
+ inet/filter/INPUT -j limit-10
+ inet6/filter/INPUT -j limit-10
+ inet/filter/OUTPUT -j limit-10
+ inet6/filter/OUTPUT -j limit-10
+ inet/filter/limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-10 -j logaccept-0
+ inet6/filter/limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-10 -j logaccept-0
+ inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
+ inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
+ inet/filter/logaccept-0 -j ACCEPT
+ inet6/filter/logaccept-0 -j ACCEPT
+ inet/filter/limit-10 -m limit --limit 1/second -j LOG
+ inet6/filter/limit-10 -m limit --limit 1/second -j LOG
+ inet/filter/limit-10 -j DROP
+ inet6/filter/limit-10 -j DROP
+
+Filter 18 {"conn-limit":{"count":30,"log":false}}
+(filter-limit)
+ inet/filter/FORWARD -j limit-11
+ inet6/filter/FORWARD -j limit-11
+ inet/filter/INPUT -j limit-11
+ inet6/filter/INPUT -j limit-11
+ inet/filter/OUTPUT -j limit-11
+ inet6/filter/OUTPUT -j limit-11
+ inet/filter/limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-11 -j ACCEPT
+ inet6/filter/limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-11 -j ACCEPT
+ inet/filter/limit-11 -j DROP
+ inet6/filter/limit-11 -j DROP
+
+Filter 19 {"action":"pass","conn-limit":{"count":30,"log":false}}
+(filter-limit)
+ inet/filter/FORWARD -j limit-12
+ inet6/filter/FORWARD -j limit-12
+ inet/filter/INPUT -j limit-12
+ inet6/filter/INPUT -j limit-12
+ inet/filter/OUTPUT -j limit-12
+ inet6/filter/OUTPUT -j limit-12
+ inet/filter/limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-12 -j RETURN
+ inet6/filter/limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-12 -j RETURN
+ inet/filter/limit-12 -j DROP
+ inet6/filter/limit-12 -j DROP
+
+Filter 20 {"conn-limit":{"count":30,"log":false},"log":true}
+(filter-limit)
+ inet/filter/FORWARD -j limit-13
+ inet6/filter/FORWARD -j limit-13
+ inet/filter/INPUT -j limit-13
+ inet6/filter/INPUT -j limit-13
+ inet/filter/OUTPUT -j limit-13
+ inet6/filter/OUTPUT -j limit-13
+ inet/filter/limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-13 -j logaccept-1
+ inet6/filter/limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-13 -j logaccept-1
+ inet/filter/logaccept-1 -m limit --limit 1/second -j LOG
+ inet6/filter/logaccept-1 -m limit --limit 1/second -j LOG
+ inet/filter/logaccept-1 -j ACCEPT
+ inet6/filter/logaccept-1 -j ACCEPT
+ inet/filter/limit-13 -j DROP
+ inet6/filter/limit-13 -j DROP
+
+Filter 21 {"flow-limit":1}
+(filter-limit)
+ inet/filter/FORWARD -j limit-14
+ inet6/filter/FORWARD -j limit-14
+ inet/filter/INPUT -j limit-14
+ inet6/filter/INPUT -j limit-14
+ inet/filter/OUTPUT -j limit-14
+ inet6/filter/OUTPUT -j limit-14
+ inet/filter/limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-5
+ inet6/filter/limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-5
+ inet/filter/logdrop-5 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-5 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-5 -j DROP
+ inet6/filter/logdrop-5 -j DROP
+ inet/filter/limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --set
+ inet6/filter/limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+ inet/filter/FORWARD -j ACCEPT
+ inet6/filter/FORWARD -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 22 {"action":"pass","flow-limit":1}
+(filter-limit)
+ inet/filter/FORWARD -j limit-15
+ inet6/filter/FORWARD -j limit-15
+ inet/filter/INPUT -j limit-15
+ inet6/filter/INPUT -j limit-15
+ inet/filter/OUTPUT -j limit-15
+ inet6/filter/OUTPUT -j limit-15
+ inet/filter/limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-6
+ inet6/filter/limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-6
+ inet/filter/logdrop-6 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-6 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-6 -j DROP
+ inet6/filter/logdrop-6 -j DROP
+ inet/filter/limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --set
+ inet6/filter/limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+
+Filter 23 {"flow-limit":1,"log":true}
+(filter-limit)
+ inet/filter/FORWARD -j limit-16
+ inet6/filter/FORWARD -j limit-16
+ inet/filter/INPUT -j limit-16
+ inet6/filter/INPUT -j limit-16
+ inet/filter/OUTPUT -j limit-16
+ inet6/filter/OUTPUT -j limit-16
+ inet/filter/limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-7
+ inet6/filter/limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-7
+ inet/filter/logdrop-7 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-7 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-7 -j DROP
+ inet6/filter/logdrop-7 -j DROP
+ inet/filter/limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --set
+ inet6/filter/limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+ inet/filter/FORWARD -j logaccept-final-0
+ inet6/filter/FORWARD -j logaccept-final-0
+ inet/filter/INPUT -j logaccept-final-0
+ inet6/filter/INPUT -j logaccept-final-0
+ inet/filter/OUTPUT -j logaccept-final-0
+ inet6/filter/OUTPUT -j logaccept-final-0
+ inet/filter/logaccept-final-0 -m limit --limit 1/second -j LOG
+ inet6/filter/logaccept-final-0 -m limit --limit 1/second -j LOG
+ inet/filter/logaccept-final-0 -j ACCEPT
+ inet6/filter/logaccept-final-0 -j ACCEPT
+
+Filter 24 {"action":"pass","flow-limit":1,"log":true}
+(filter-limit)
+ inet/filter/FORWARD -j limit-17
+ inet6/filter/FORWARD -j limit-17
+ inet/filter/INPUT -j limit-17
+ inet6/filter/INPUT -j limit-17
+ inet/filter/OUTPUT -j limit-17
+ inet6/filter/OUTPUT -j limit-17
+ inet/filter/limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-8
+ inet6/filter/limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-8
+ inet/filter/logdrop-8 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-8 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-8 -j DROP
+ inet6/filter/logdrop-8 -j DROP
+ inet/filter/limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+ inet6/filter/limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+
+Filter 25 {"flow-limit":{"count":1,"log":false}}
+(filter-limit)
+ inet/filter/FORWARD -j limit-18
+ inet6/filter/FORWARD -j limit-18
+ inet/filter/INPUT -j limit-18
+ inet6/filter/INPUT -j limit-18
+ inet/filter/OUTPUT -j limit-18
+ inet6/filter/OUTPUT -j limit-18
+ inet/filter/limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+ inet6/filter/limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+ inet/filter/limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --set
+ inet6/filter/limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+ inet/filter/FORWARD -j ACCEPT
+ inet6/filter/FORWARD -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 26 {"action":"pass","flow-limit":{"count":1,"log":false}}
+(filter-limit)
+ inet/filter/FORWARD -j limit-19
+ inet6/filter/FORWARD -j limit-19
+ inet/filter/INPUT -j limit-19
+ inet6/filter/INPUT -j limit-19
+ inet/filter/OUTPUT -j limit-19
+ inet6/filter/OUTPUT -j limit-19
+ inet/filter/limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+ inet6/filter/limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+ inet/filter/limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --set
+ inet6/filter/limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+
+Filter 27 {"flow-limit":{"count":1,"log":false},"log":true}
+(filter-limit)
+ inet/filter/FORWARD -j limit-20
+ inet6/filter/FORWARD -j limit-20
+ inet/filter/INPUT -j limit-20
+ inet6/filter/INPUT -j limit-20
+ inet/filter/OUTPUT -j limit-20
+ inet6/filter/OUTPUT -j limit-20
+ inet/filter/limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+ inet6/filter/limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+ inet/filter/limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --set
+ inet6/filter/limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+ inet/filter/FORWARD -j logaccept-final-1
+ inet6/filter/FORWARD -j logaccept-final-1
+ inet/filter/INPUT -j logaccept-final-1
+ inet6/filter/INPUT -j logaccept-final-1
+ inet/filter/OUTPUT -j logaccept-final-1
+ inet6/filter/OUTPUT -j logaccept-final-1
+ inet/filter/logaccept-final-1 -m limit --limit 1/second -j LOG
+ inet6/filter/logaccept-final-1 -m limit --limit 1/second -j LOG
+ inet/filter/logaccept-final-1 -j ACCEPT
+ inet6/filter/logaccept-final-1 -j ACCEPT
+
+Filter 28 {"action":"pass","flow-limit":{"count":1,"log":false},"log":true}
+(filter-limit)
+ inet/filter/FORWARD -j limit-21
+ inet6/filter/FORWARD -j limit-21
+ inet/filter/INPUT -j limit-21
+ inet6/filter/INPUT -j limit-21
+ inet/filter/OUTPUT -j limit-21
+ inet6/filter/OUTPUT -j limit-21
+ inet/filter/limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+ inet6/filter/limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+ inet/filter/limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+ inet6/filter/limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+
+Filter 29 {"flow-limit":30}
+(filter-limit)
+ inet/filter/FORWARD -j limit-22
+ inet6/filter/FORWARD -j limit-22
+ inet/filter/INPUT -j limit-22
+ inet6/filter/INPUT -j limit-22
+ inet/filter/OUTPUT -j limit-22
+ inet6/filter/OUTPUT -j limit-22
+ inet/filter/limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-22 -j RETURN
+ inet6/filter/limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-22 -j RETURN
+ inet/filter/limit-22 -m limit --limit 1/second -j LOG
+ inet6/filter/limit-22 -m limit --limit 1/second -j LOG
+ inet/filter/limit-22 -j DROP
+ inet6/filter/limit-22 -j DROP
+ inet/filter/FORWARD -j ACCEPT
+ inet6/filter/FORWARD -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 30 {"action":"pass","flow-limit":30}
+(filter-limit)
+ inet/filter/FORWARD -j limit-23
+ inet6/filter/FORWARD -j limit-23
+ inet/filter/INPUT -j limit-23
+ inet6/filter/INPUT -j limit-23
+ inet/filter/OUTPUT -j limit-23
+ inet6/filter/OUTPUT -j limit-23
+ inet/filter/limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-23 -j RETURN
+ inet6/filter/limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-23 -j RETURN
+ inet/filter/limit-23 -m limit --limit 1/second -j LOG
+ inet6/filter/limit-23 -m limit --limit 1/second -j LOG
+ inet/filter/limit-23 -j DROP
+ inet6/filter/limit-23 -j DROP
+
+Filter 31 {"flow-limit":30,"log":true}
+(filter-limit)
+ inet/filter/FORWARD -j limit-24
+ inet6/filter/FORWARD -j limit-24
+ inet/filter/INPUT -j limit-24
+ inet6/filter/INPUT -j limit-24
+ inet/filter/OUTPUT -j limit-24
+ inet6/filter/OUTPUT -j limit-24
+ inet/filter/limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-24 -j RETURN
+ inet6/filter/limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-24 -j RETURN
+ inet/filter/limit-24 -m limit --limit 1/second -j LOG
+ inet6/filter/limit-24 -m limit --limit 1/second -j LOG
+ inet/filter/limit-24 -j DROP
+ inet6/filter/limit-24 -j DROP
+ inet/filter/FORWARD -j logaccept-final-2
+ inet6/filter/FORWARD -j logaccept-final-2
+ inet/filter/INPUT -j logaccept-final-2
+ inet6/filter/INPUT -j logaccept-final-2
+ inet/filter/OUTPUT -j logaccept-final-2
+ inet6/filter/OUTPUT -j logaccept-final-2
+ inet/filter/logaccept-final-2 -m limit --limit 1/second -j LOG
+ inet6/filter/logaccept-final-2 -m limit --limit 1/second -j LOG
+ inet/filter/logaccept-final-2 -j ACCEPT
+ inet6/filter/logaccept-final-2 -j ACCEPT
+
+Filter 32 {"flow-limit":{"count":30,"log":false}}
+(filter-limit)
+ inet/filter/FORWARD -j limit-25
+ inet6/filter/FORWARD -j limit-25
+ inet/filter/INPUT -j limit-25
+ inet6/filter/INPUT -j limit-25
+ inet/filter/OUTPUT -j limit-25
+ inet6/filter/OUTPUT -j limit-25
+ inet/filter/limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-25 -j RETURN
+ inet6/filter/limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-25 -j RETURN
+ inet/filter/limit-25 -j DROP
+ inet6/filter/limit-25 -j DROP
+ inet/filter/FORWARD -j ACCEPT
+ inet6/filter/FORWARD -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 33 {"action":"pass","flow-limit":{"count":30,"log":false}}
+(filter-limit)
+ inet/filter/FORWARD -j limit-26
+ inet6/filter/FORWARD -j limit-26
+ inet/filter/INPUT -j limit-26
+ inet6/filter/INPUT -j limit-26
+ inet/filter/OUTPUT -j limit-26
+ inet6/filter/OUTPUT -j limit-26
+ inet/filter/limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-26 -j RETURN
+ inet6/filter/limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-26 -j RETURN
+ inet/filter/limit-26 -j DROP
+ inet6/filter/limit-26 -j DROP
+
+Filter 34 {"flow-limit":{"count":30,"log":false},"log":true}
+(filter-limit)
+ inet/filter/FORWARD -j limit-27
+ inet6/filter/FORWARD -j limit-27
+ inet/filter/INPUT -j limit-27
+ inet6/filter/INPUT -j limit-27
+ inet/filter/OUTPUT -j limit-27
+ inet6/filter/OUTPUT -j limit-27
+ inet/filter/limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-27 -j RETURN
+ inet6/filter/limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-27 -j RETURN
+ inet/filter/limit-27 -j DROP
+ inet6/filter/limit-27 -j DROP
+ inet/filter/FORWARD -j logaccept-final-3
+ inet6/filter/FORWARD -j logaccept-final-3
+ inet/filter/INPUT -j logaccept-final-3
+ inet6/filter/INPUT -j logaccept-final-3
+ inet/filter/OUTPUT -j logaccept-final-3
+ inet6/filter/OUTPUT -j logaccept-final-3
+ inet/filter/logaccept-final-3 -m limit --limit 1/second -j LOG
+ inet6/filter/logaccept-final-3 -m limit --limit 1/second -j LOG
+ inet/filter/logaccept-final-3 -j ACCEPT
+ inet6/filter/logaccept-final-3 -j ACCEPT
+
+Filter 35 {}
+(log)
+ inet/filter/FORWARD -j ACCEPT
+ inet6/filter/FORWARD -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 36 {"action":"drop"}
+(log)
+ inet/filter/FORWARD -j logdrop-9
+ inet6/filter/FORWARD -j logdrop-9
+ inet/filter/INPUT -j logdrop-9
+ inet6/filter/INPUT -j logdrop-9
+ inet/filter/OUTPUT -j logdrop-9
+ inet6/filter/OUTPUT -j logdrop-9
+ inet/filter/logdrop-9 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-9 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-9 -j DROP
+ inet6/filter/logdrop-9 -j DROP
+
+Filter 37 {"action":"pass"}
+(log)
+ inet/filter/FORWARD
+ inet6/filter/FORWARD
+ inet/filter/INPUT
+ inet6/filter/INPUT
+ inet/filter/OUTPUT
+ inet6/filter/OUTPUT
+
+Filter 38 {"log":false}
+(log)
+ inet/filter/FORWARD -j ACCEPT
+ inet6/filter/FORWARD -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 39 {"action":"drop","log":false}
+(log)
+ inet/filter/FORWARD -j DROP
+ inet6/filter/FORWARD -j DROP
+ inet/filter/INPUT -j DROP
+ inet6/filter/INPUT -j DROP
+ inet/filter/OUTPUT -j DROP
+ inet6/filter/OUTPUT -j DROP
+
+Filter 40 {"action":"pass","log":false}
+(log)
+ inet/filter/FORWARD
+ inet6/filter/FORWARD
+ inet/filter/INPUT
+ inet6/filter/INPUT
+ inet/filter/OUTPUT
+ inet6/filter/OUTPUT
+
+Filter 41 {"log":true}
+(log)
+ inet/filter/FORWARD -j logaccept-2
+ inet6/filter/FORWARD -j logaccept-2
+ inet/filter/INPUT -j logaccept-2
+ inet6/filter/INPUT -j logaccept-2
+ inet/filter/OUTPUT -j logaccept-2
+ inet6/filter/OUTPUT -j logaccept-2
+ inet/filter/logaccept-2 -m limit --limit 1/second -j LOG
+ inet6/filter/logaccept-2 -m limit --limit 1/second -j LOG
+ inet/filter/logaccept-2 -j ACCEPT
+ inet6/filter/logaccept-2 -j ACCEPT
+
+Filter 42 {"action":"drop","log":true}
+(log)
+ inet/filter/FORWARD -j logdrop-10
+ inet6/filter/FORWARD -j logdrop-10
+ inet/filter/INPUT -j logdrop-10
+ inet6/filter/INPUT -j logdrop-10
+ inet/filter/OUTPUT -j logdrop-10
+ inet6/filter/OUTPUT -j logdrop-10
+ inet/filter/logdrop-10 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-10 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-10 -j DROP
+ inet6/filter/logdrop-10 -j DROP
+
+Filter 43 {"action":"pass","log":true}
+(log)
+ inet/filter/FORWARD -j logpass-0
+ inet6/filter/FORWARD -j logpass-0
+ inet/filter/INPUT -j logpass-0
+ inet6/filter/INPUT -j logpass-0
+ inet/filter/OUTPUT -j logpass-0
+ inet6/filter/OUTPUT -j logpass-0
+ inet/filter/logpass-0 -m limit --limit 1/second -j LOG
+ inet6/filter/logpass-0 -m limit --limit 1/second -j LOG
+
+
Ipset awall-masquerade {"family":"inet","type":"hash:net"}
(masquerade)
@@ -198,17 +848,327 @@ hash:net family inet
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
+:limit-0 - [0:0]
+:limit-1 - [0:0]
+:limit-10 - [0:0]
+:limit-11 - [0:0]
+:limit-12 - [0:0]
+:limit-13 - [0:0]
+:limit-14 - [0:0]
+:limit-15 - [0:0]
+:limit-16 - [0:0]
+:limit-17 - [0:0]
+:limit-18 - [0:0]
+:limit-19 - [0:0]
+:limit-2 - [0:0]
+:limit-20 - [0:0]
+:limit-21 - [0:0]
+:limit-22 - [0:0]
+:limit-23 - [0:0]
+:limit-24 - [0:0]
+:limit-25 - [0:0]
+:limit-26 - [0:0]
+:limit-27 - [0:0]
+:limit-3 - [0:0]
+:limit-4 - [0:0]
+:limit-5 - [0:0]
+:limit-6 - [0:0]
+:limit-7 - [0:0]
+:limit-8 - [0:0]
+:limit-9 - [0:0]
+:logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
+:logaccept-2 - [0:0]
+:logaccept-final-0 - [0:0]
+:logaccept-final-1 - [0:0]
+:logaccept-final-2 - [0:0]
+:logaccept-final-3 - [0:0]
+:logdrop-0 - [0:0]
+:logdrop-1 - [0:0]
+:logdrop-10 - [0:0]
+:logdrop-2 - [0:0]
+:logdrop-3 - [0:0]
+:logdrop-4 - [0:0]
+:logdrop-5 - [0:0]
+:logdrop-6 - [0:0]
+:logdrop-7 - [0:0]
+:logdrop-8 - [0:0]
+:logdrop-9 - [0:0]
+:logpass-0 - [0:0]
+:logreject-0 - [0:0]
+:logtarpit-0 - [0:0]
+:tarpit - [0:0]
+-A FORWARD -j limit-27
+-A FORWARD -j limit-26
+-A FORWARD -j limit-25
+-A FORWARD -j limit-24
+-A FORWARD -j limit-23
+-A FORWARD -j limit-22
+-A FORWARD -j limit-21
+-A FORWARD -j limit-20
+-A FORWARD -j limit-19
+-A FORWARD -j limit-18
+-A FORWARD -j limit-17
+-A FORWARD -j limit-16
+-A FORWARD -j limit-15
+-A FORWARD -j limit-14
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A FORWARD -j ACCEPT
+-A FORWARD -j ACCEPT
+-A FORWARD -j logdrop-0
+-A FORWARD
+-A FORWARD -j logreject-0
+-A FORWARD -j logtarpit-0
+-A FORWARD -j limit-0
+-A FORWARD -j limit-1
+-A FORWARD -j limit-2
+-A FORWARD -j limit-3
+-A FORWARD -j limit-4
+-A FORWARD -j limit-5
+-A FORWARD -j limit-6
+-A FORWARD -j limit-7
+-A FORWARD -j limit-8
+-A FORWARD -j limit-9
+-A FORWARD -j limit-10
+-A FORWARD -j limit-11
+-A FORWARD -j limit-12
+-A FORWARD -j limit-13
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-0
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-1
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-2
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-3
+-A FORWARD -j ACCEPT
+-A FORWARD -j logdrop-9
+-A FORWARD
+-A FORWARD -j ACCEPT
+-A FORWARD -j DROP
+-A FORWARD
+-A FORWARD -j logaccept-2
+-A FORWARD -j logdrop-10
+-A FORWARD -j logpass-0
-A FORWARD -p icmp -j icmp-routing
+-A INPUT -j limit-27
+-A INPUT -j limit-26
+-A INPUT -j limit-25
+-A INPUT -j limit-24
+-A INPUT -j limit-23
+-A INPUT -j limit-22
+-A INPUT -j limit-21
+-A INPUT -j limit-20
+-A INPUT -j limit-19
+-A INPUT -j limit-18
+-A INPUT -j limit-17
+-A INPUT -j limit-16
+-A INPUT -j limit-15
+-A INPUT -j limit-14
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -j logdrop-0
+-A INPUT
+-A INPUT -j logreject-0
+-A INPUT -j logtarpit-0
+-A INPUT -j limit-0
+-A INPUT -j limit-1
+-A INPUT -j limit-2
+-A INPUT -j limit-3
+-A INPUT -j limit-4
+-A INPUT -j limit-5
+-A INPUT -j limit-6
+-A INPUT -j limit-7
+-A INPUT -j limit-8
+-A INPUT -j limit-9
+-A INPUT -j limit-10
+-A INPUT -j limit-11
+-A INPUT -j limit-12
+-A INPUT -j limit-13
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-0
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-1
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-2
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-3
+-A INPUT -j ACCEPT
+-A INPUT -j logdrop-9
+-A INPUT
+-A INPUT -j ACCEPT
+-A INPUT -j DROP
+-A INPUT
+-A INPUT -j logaccept-2
+-A INPUT -j logdrop-10
+-A INPUT -j logpass-0
-A INPUT -p icmp -j icmp-routing
+-A OUTPUT -j limit-27
+-A OUTPUT -j limit-26
+-A OUTPUT -j limit-25
+-A OUTPUT -j limit-24
+-A OUTPUT -j limit-23
+-A OUTPUT -j limit-22
+-A OUTPUT -j limit-21
+-A OUTPUT -j limit-20
+-A OUTPUT -j limit-19
+-A OUTPUT -j limit-18
+-A OUTPUT -j limit-17
+-A OUTPUT -j limit-16
+-A OUTPUT -j limit-15
+-A OUTPUT -j limit-14
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logdrop-0
+-A OUTPUT
+-A OUTPUT -j logreject-0
+-A OUTPUT -j logtarpit-0
+-A OUTPUT -j limit-0
+-A OUTPUT -j limit-1
+-A OUTPUT -j limit-2
+-A OUTPUT -j limit-3
+-A OUTPUT -j limit-4
+-A OUTPUT -j limit-5
+-A OUTPUT -j limit-6
+-A OUTPUT -j limit-7
+-A OUTPUT -j limit-8
+-A OUTPUT -j limit-9
+-A OUTPUT -j limit-10
+-A OUTPUT -j limit-11
+-A OUTPUT -j limit-12
+-A OUTPUT -j limit-13
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-0
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-1
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-2
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-3
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logdrop-9
+-A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j DROP
+-A OUTPUT
+-A OUTPUT -j logaccept-2
+-A OUTPUT -j logdrop-10
+-A OUTPUT -j logpass-0
-A OUTPUT -p icmp -j icmp-routing
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
+-A limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-1
+-A limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --set -j ACCEPT
+-A limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-2
+-A limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --set
+-A limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-10 -j logaccept-0
+-A limit-10 -m limit --limit 1/second -j LOG
+-A limit-10 -j DROP
+-A limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-11 -j ACCEPT
+-A limit-11 -j DROP
+-A limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-12 -j RETURN
+-A limit-12 -j DROP
+-A limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-13 -j logaccept-1
+-A limit-13 -j DROP
+-A limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-5
+-A limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --set
+-A limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-6
+-A limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --set
+-A limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-7
+-A limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --set
+-A limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-8
+-A limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+-A limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --set
+-A limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --set
+-A limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-3
+-A limit-2 -m limit --limit 1/second -j LOG
+-A limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --set -j ACCEPT
+-A limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --set
+-A limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+-A limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-22 -j RETURN
+-A limit-22 -m limit --limit 1/second -j LOG
+-A limit-22 -j DROP
+-A limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-23 -j RETURN
+-A limit-23 -m limit --limit 1/second -j LOG
+-A limit-23 -j DROP
+-A limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-24 -j RETURN
+-A limit-24 -m limit --limit 1/second -j LOG
+-A limit-24 -j DROP
+-A limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-25 -j RETURN
+-A limit-25 -j DROP
+-A limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-26 -j RETURN
+-A limit-26 -j DROP
+-A limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-27 -j RETURN
+-A limit-27 -j DROP
+-A limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-4
+-A limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+-A limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --set -j ACCEPT
+-A limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --set
+-A limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-6 -m limit --limit 1/second -j LOG
+-A limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --set -j ACCEPT
+-A limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+-A limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-8 -j ACCEPT
+-A limit-8 -m limit --limit 1/second -j LOG
+-A limit-8 -j DROP
+-A limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-9 -j RETURN
+-A limit-9 -m limit --limit 1/second -j LOG
+-A limit-9 -j DROP
+-A logaccept-0 -m limit --limit 1/second -j LOG
+-A logaccept-0 -j ACCEPT
+-A logaccept-1 -m limit --limit 1/second -j LOG
+-A logaccept-1 -j ACCEPT
+-A logaccept-2 -m limit --limit 1/second -j LOG
+-A logaccept-2 -j ACCEPT
+-A logaccept-final-0 -m limit --limit 1/second -j LOG
+-A logaccept-final-0 -j ACCEPT
+-A logaccept-final-1 -m limit --limit 1/second -j LOG
+-A logaccept-final-1 -j ACCEPT
+-A logaccept-final-2 -m limit --limit 1/second -j LOG
+-A logaccept-final-2 -j ACCEPT
+-A logaccept-final-3 -m limit --limit 1/second -j LOG
+-A logaccept-final-3 -j ACCEPT
+-A logdrop-0 -m limit --limit 1/second -j LOG
+-A logdrop-0 -j DROP
+-A logdrop-1 -m limit --limit 1/second -j LOG
+-A logdrop-1 -j DROP
+-A logdrop-10 -m limit --limit 1/second -j LOG
+-A logdrop-10 -j DROP
+-A logdrop-2 -m limit --limit 1/second -j LOG
+-A logdrop-2 -j DROP
+-A logdrop-3 -m limit --limit 1/second -j LOG
+-A logdrop-3 -j DROP
+-A logdrop-4 -m limit --limit 1/second -j LOG
+-A logdrop-4 -j DROP
+-A logdrop-5 -m limit --limit 1/second -j LOG
+-A logdrop-5 -j DROP
+-A logdrop-6 -m limit --limit 1/second -j LOG
+-A logdrop-6 -j DROP
+-A logdrop-7 -m limit --limit 1/second -j LOG
+-A logdrop-7 -j DROP
+-A logdrop-8 -m limit --limit 1/second -j LOG
+-A logdrop-8 -j DROP
+-A logdrop-9 -m limit --limit 1/second -j LOG
+-A logdrop-9 -j DROP
+-A logpass-0 -m limit --limit 1/second -j LOG
+-A logreject-0 -m limit --limit 1/second -j LOG
+-A logreject-0 -j REJECT
+-A logtarpit-0 -m limit --limit 1/second -j LOG
+-A logtarpit-0 -j tarpit
+-A tarpit -p tcp -j TARPIT
+-A tarpit -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
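Review bot: Every jump after the first match-less `-A FORWARD -j ACCEPT` (the line right after the `--ctstate ESTABLISHED` rule, and likewise in INPUT and OUTPUT) is unreachable, so this expected table pins only the text awall emits, not packet behaviour. The `logdrop-0`, `logreject-0`, `logtarpit-0` and `limit-0` to `limit-13` jumps below that line can never be evaluated. That is fine for a golden-file comparison, but it should be stated where the fixtures are described, for example `Expected outputs are compared textually; the rule sets are not usable policies and must not be loaded.` The same holds for the ip6tables filter table later in this file and for test/output/rules-save.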
@@ -216,6 +1176,12 @@ COMMIT
-A POSTROUTING -m set --match-set awall-masquerade src -j awall-masquerade
-A awall-masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
COMMIT
+*raw
+:OUTPUT ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A OUTPUT -j CT --notrack
+-A PREROUTING -j CT --notrack
+COMMIT
# rules6-save generated by awall
*filter
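Review bot: The added `*raw` table expects `-A OUTPUT -j CT --notrack` and `-A PREROUTING -j CT --notrack` with no match at all, which exempts every packet from connection tracking. With that in place, neither the `-m conntrack --ctstate ESTABLISHED -j ACCEPT` rules in the filter table nor the `MASQUERADE` rule kept as context here could work, because both depend on conntrack state. Presumably this comes from a match-less no-track rule in the test policy, which is outside this hunk. A second expected case with a narrowing match (an interface or a protocol) would show that the generator scopes `--notrack` rather than only ever emitting the catch-all form.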
@@ -223,17 +1189,333 @@ COMMIT
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
+:limit-0 - [0:0]
+:limit-1 - [0:0]
+:limit-10 - [0:0]
+:limit-11 - [0:0]
+:limit-12 - [0:0]
+:limit-13 - [0:0]
+:limit-14 - [0:0]
+:limit-15 - [0:0]
+:limit-16 - [0:0]
+:limit-17 - [0:0]
+:limit-18 - [0:0]
+:limit-19 - [0:0]
+:limit-2 - [0:0]
+:limit-20 - [0:0]
+:limit-21 - [0:0]
+:limit-22 - [0:0]
+:limit-23 - [0:0]
+:limit-24 - [0:0]
+:limit-25 - [0:0]
+:limit-26 - [0:0]
+:limit-27 - [0:0]
+:limit-3 - [0:0]
+:limit-4 - [0:0]
+:limit-5 - [0:0]
+:limit-6 - [0:0]
+:limit-7 - [0:0]
+:limit-8 - [0:0]
+:limit-9 - [0:0]
+:logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
+:logaccept-2 - [0:0]
+:logaccept-final-0 - [0:0]
+:logaccept-final-1 - [0:0]
+:logaccept-final-2 - [0:0]
+:logaccept-final-3 - [0:0]
+:logdrop-0 - [0:0]
+:logdrop-1 - [0:0]
+:logdrop-10 - [0:0]
+:logdrop-2 - [0:0]
+:logdrop-3 - [0:0]
+:logdrop-4 - [0:0]
+:logdrop-5 - [0:0]
+:logdrop-6 - [0:0]
+:logdrop-7 - [0:0]
+:logdrop-8 - [0:0]
+:logdrop-9 - [0:0]
+:logpass-0 - [0:0]
+:logreject-0 - [0:0]
+:logtarpit-0 - [0:0]
+:tarpit - [0:0]
+-A FORWARD -j limit-27
+-A FORWARD -j limit-26
+-A FORWARD -j limit-25
+-A FORWARD -j limit-24
+-A FORWARD -j limit-23
+-A FORWARD -j limit-22
+-A FORWARD -j limit-21
+-A FORWARD -j limit-20
+-A FORWARD -j limit-19
+-A FORWARD -j limit-18
+-A FORWARD -j limit-17
+-A FORWARD -j limit-16
+-A FORWARD -j limit-15
+-A FORWARD -j limit-14
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A FORWARD -j ACCEPT
+-A FORWARD -j ACCEPT
+-A FORWARD -j logdrop-0
+-A FORWARD
+-A FORWARD -j logreject-0
+-A FORWARD -j logtarpit-0
+-A FORWARD -j limit-0
+-A FORWARD -j limit-1
+-A FORWARD -j limit-2
+-A FORWARD -j limit-3
+-A FORWARD -j limit-4
+-A FORWARD -j limit-5
+-A FORWARD -j limit-6
+-A FORWARD -j limit-7
+-A FORWARD -j limit-8
+-A FORWARD -j limit-9
+-A FORWARD -j limit-10
+-A FORWARD -j limit-11
+-A FORWARD -j limit-12
+-A FORWARD -j limit-13
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-0
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-1
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-2
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-3
+-A FORWARD -j ACCEPT
+-A FORWARD -j logdrop-9
+-A FORWARD
+-A FORWARD -j ACCEPT
+-A FORWARD -j DROP
+-A FORWARD
+-A FORWARD -j logaccept-2
+-A FORWARD -j logdrop-10
+-A FORWARD -j logpass-0
-A FORWARD -p icmpv6 -j icmp-routing
+-A INPUT -j limit-27
+-A INPUT -j limit-26
+-A INPUT -j limit-25
+-A INPUT -j limit-24
+-A INPUT -j limit-23
+-A INPUT -j limit-22
+-A INPUT -j limit-21
+-A INPUT -j limit-20
+-A INPUT -j limit-19
+-A INPUT -j limit-18
+-A INPUT -j limit-17
+-A INPUT -j limit-16
+-A INPUT -j limit-15
+-A INPUT -j limit-14
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -j logdrop-0
+-A INPUT
+-A INPUT -j logreject-0
+-A INPUT -j logtarpit-0
+-A INPUT -j limit-0
+-A INPUT -j limit-1
+-A INPUT -j limit-2
+-A INPUT -j limit-3
+-A INPUT -j limit-4
+-A INPUT -j limit-5
+-A INPUT -j limit-6
+-A INPUT -j limit-7
+-A INPUT -j limit-8
+-A INPUT -j limit-9
+-A INPUT -j limit-10
+-A INPUT -j limit-11
+-A INPUT -j limit-12
+-A INPUT -j limit-13
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-0
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-1
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-2
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-3
+-A INPUT -j ACCEPT
+-A INPUT -j logdrop-9
+-A INPUT
+-A INPUT -j ACCEPT
+-A INPUT -j DROP
+-A INPUT
+-A INPUT -j logaccept-2
+-A INPUT -j logdrop-10
+-A INPUT -j logpass-0
-A INPUT -p icmpv6 -j ACCEPT
+-A OUTPUT -j limit-27
+-A OUTPUT -j limit-26
+-A OUTPUT -j limit-25
+-A OUTPUT -j limit-24
+-A OUTPUT -j limit-23
+-A OUTPUT -j limit-22
+-A OUTPUT -j limit-21
+-A OUTPUT -j limit-20
+-A OUTPUT -j limit-19
+-A OUTPUT -j limit-18
+-A OUTPUT -j limit-17
+-A OUTPUT -j limit-16
+-A OUTPUT -j limit-15
+-A OUTPUT -j limit-14
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logdrop-0
+-A OUTPUT
+-A OUTPUT -j logreject-0
+-A OUTPUT -j logtarpit-0
+-A OUTPUT -j limit-0
+-A OUTPUT -j limit-1
+-A OUTPUT -j limit-2
+-A OUTPUT -j limit-3
+-A OUTPUT -j limit-4
+-A OUTPUT -j limit-5
+-A OUTPUT -j limit-6
+-A OUTPUT -j limit-7
+-A OUTPUT -j limit-8
+-A OUTPUT -j limit-9
+-A OUTPUT -j limit-10
+-A OUTPUT -j limit-11
+-A OUTPUT -j limit-12
+-A OUTPUT -j limit-13
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-0
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-1
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-2
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-3
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logdrop-9
+-A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j DROP
+-A OUTPUT
+-A OUTPUT -j logaccept-2
+-A OUTPUT -j logdrop-10
+-A OUTPUT -j logpass-0
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
+-A limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-1
+-A limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+-A limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-2
+-A limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-10 -j logaccept-0
+-A limit-10 -m limit --limit 1/second -j LOG
+-A limit-10 -j DROP
+-A limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-11 -j ACCEPT
+-A limit-11 -j DROP
+-A limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-12 -j RETURN
+-A limit-12 -j DROP
+-A limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-13 -j logaccept-1
+-A limit-13 -j DROP
+-A limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-5
+-A limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-6
+-A limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-7
+-A limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-8
+-A limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+-A limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-3
+-A limit-2 -m limit --limit 1/second -j LOG
+-A limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+-A limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+-A limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-22 -j RETURN
+-A limit-22 -m limit --limit 1/second -j LOG
+-A limit-22 -j DROP
+-A limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-23 -j RETURN
+-A limit-23 -m limit --limit 1/second -j LOG
+-A limit-23 -j DROP
+-A limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-24 -j RETURN
+-A limit-24 -m limit --limit 1/second -j LOG
+-A limit-24 -j DROP
+-A limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-25 -j RETURN
+-A limit-25 -j DROP
+-A limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-26 -j RETURN
+-A limit-26 -j DROP
+-A limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-27 -j RETURN
+-A limit-27 -j DROP
+-A limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-4
+-A limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+-A limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+-A limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-6 -m limit --limit 1/second -j LOG
+-A limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+-A limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+-A limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-8 -j ACCEPT
+-A limit-8 -m limit --limit 1/second -j LOG
+-A limit-8 -j DROP
+-A limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-9 -j RETURN
+-A limit-9 -m limit --limit 1/second -j LOG
+-A limit-9 -j DROP
+-A logaccept-0 -m limit --limit 1/second -j LOG
+-A logaccept-0 -j ACCEPT
+-A logaccept-1 -m limit --limit 1/second -j LOG
+-A logaccept-1 -j ACCEPT
+-A logaccept-2 -m limit --limit 1/second -j LOG
+-A logaccept-2 -j ACCEPT
+-A logaccept-final-0 -m limit --limit 1/second -j LOG
+-A logaccept-final-0 -j ACCEPT
+-A logaccept-final-1 -m limit --limit 1/second -j LOG
+-A logaccept-final-1 -j ACCEPT
+-A logaccept-final-2 -m limit --limit 1/second -j LOG
+-A logaccept-final-2 -j ACCEPT
+-A logaccept-final-3 -m limit --limit 1/second -j LOG
+-A logaccept-final-3 -j ACCEPT
+-A logdrop-0 -m limit --limit 1/second -j LOG
+-A logdrop-0 -j DROP
+-A logdrop-1 -m limit --limit 1/second -j LOG
+-A logdrop-1 -j DROP
+-A logdrop-10 -m limit --limit 1/second -j LOG
+-A logdrop-10 -j DROP
+-A logdrop-2 -m limit --limit 1/second -j LOG
+-A logdrop-2 -j DROP
+-A logdrop-3 -m limit --limit 1/second -j LOG
+-A logdrop-3 -j DROP
+-A logdrop-4 -m limit --limit 1/second -j LOG
+-A logdrop-4 -j DROP
+-A logdrop-5 -m limit --limit 1/second -j LOG
+-A logdrop-5 -j DROP
+-A logdrop-6 -m limit --limit 1/second -j LOG
+-A logdrop-6 -j DROP
+-A logdrop-7 -m limit --limit 1/second -j LOG
+-A logdrop-7 -j DROP
+-A logdrop-8 -m limit --limit 1/second -j LOG
+-A logdrop-8 -j DROP
+-A logdrop-9 -m limit --limit 1/second -j LOG
+-A logdrop-9 -j DROP
+-A logpass-0 -m limit --limit 1/second -j LOG
+-A logreject-0 -m limit --limit 1/second -j LOG
+-A logreject-0 -j REJECT
+-A logtarpit-0 -m limit --limit 1/second -j LOG
+-A logtarpit-0 -j tarpit
+-A tarpit -p tcp -j TARPIT
+-A tarpit -j DROP
+COMMIT
+*raw
+:OUTPUT ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A OUTPUT -j CT --notrack
+-A PREROUTING -j CT --notrack
COMMIT
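Review bot: The IPv6 limit chains key their buckets on the full address: `--hashlimit-srcmask 128` in the hashlimit chains (`limit-8` to `limit-13`, `limit-22` to `limit-27`) and `--mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff` in the `-m recent` chains. A single IPv6 client normally has a whole /64 to draw source addresses from, so a per-/128 limit constrains it far less than the /32 limit in the IPv4 table constrains one host. If awall's limit object accepts a source mask (not visible in this commit), add an expected case that yields `--hashlimit-srcmask 64`. Otherwise, record in the test description that /128 is the pinned default and why.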
diff --git a/test/output/rules-save b/test/output/rules-save
index 06c601d..31d3efa 100644
--- a/test/output/rules-save
+++ b/test/output/rules-save
@@ -4,17 +4,327 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
+:limit-0 - [0:0]
+:limit-1 - [0:0]
+:limit-10 - [0:0]
+:limit-11 - [0:0]
+:limit-12 - [0:0]
+:limit-13 - [0:0]
+:limit-14 - [0:0]
+:limit-15 - [0:0]
+:limit-16 - [0:0]
+:limit-17 - [0:0]
+:limit-18 - [0:0]
+:limit-19 - [0:0]
+:limit-2 - [0:0]
+:limit-20 - [0:0]
+:limit-21 - [0:0]
+:limit-22 - [0:0]
+:limit-23 - [0:0]
+:limit-24 - [0:0]
+:limit-25 - [0:0]
+:limit-26 - [0:0]
+:limit-27 - [0:0]
+:limit-3 - [0:0]
+:limit-4 - [0:0]
+:limit-5 - [0:0]
+:limit-6 - [0:0]
+:limit-7 - [0:0]
+:limit-8 - [0:0]
+:limit-9 - [0:0]
+:logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
+:logaccept-2 - [0:0]
+:logaccept-final-0 - [0:0]
+:logaccept-final-1 - [0:0]
+:logaccept-final-2 - [0:0]
+:logaccept-final-3 - [0:0]
+:logdrop-0 - [0:0]
+:logdrop-1 - [0:0]
+:logdrop-10 - [0:0]
+:logdrop-2 - [0:0]
+:logdrop-3 - [0:0]
+:logdrop-4 - [0:0]
+:logdrop-5 - [0:0]
+:logdrop-6 - [0:0]
+:logdrop-7 - [0:0]
+:logdrop-8 - [0:0]
+:logdrop-9 - [0:0]
+:logpass-0 - [0:0]
+:logreject-0 - [0:0]
+:logtarpit-0 - [0:0]
+:tarpit - [0:0]
+-A FORWARD -j limit-27
+-A FORWARD -j limit-26
+-A FORWARD -j limit-25
+-A FORWARD -j limit-24
+-A FORWARD -j limit-23
+-A FORWARD -j limit-22
+-A FORWARD -j limit-21
+-A FORWARD -j limit-20
+-A FORWARD -j limit-19
+-A FORWARD -j limit-18
+-A FORWARD -j limit-17
+-A FORWARD -j limit-16
+-A FORWARD -j limit-15
+-A FORWARD -j limit-14
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A FORWARD -j ACCEPT
+-A FORWARD -j ACCEPT
+-A FORWARD -j logdrop-0
+-A FORWARD
+-A FORWARD -j logreject-0
+-A FORWARD -j logtarpit-0
+-A FORWARD -j limit-0
+-A FORWARD -j limit-1
+-A FORWARD -j limit-2
+-A FORWARD -j limit-3
+-A FORWARD -j limit-4
+-A FORWARD -j limit-5
+-A FORWARD -j limit-6
+-A FORWARD -j limit-7
+-A FORWARD -j limit-8
+-A FORWARD -j limit-9
+-A FORWARD -j limit-10
+-A FORWARD -j limit-11
+-A FORWARD -j limit-12
+-A FORWARD -j limit-13
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-0
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-1
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-2
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-3
+-A FORWARD -j ACCEPT
+-A FORWARD -j logdrop-9
+-A FORWARD
+-A FORWARD -j ACCEPT
+-A FORWARD -j DROP
+-A FORWARD
+-A FORWARD -j logaccept-2
+-A FORWARD -j logdrop-10
+-A FORWARD -j logpass-0
-A FORWARD -p icmp -j icmp-routing
+-A INPUT -j limit-27
+-A INPUT -j limit-26
+-A INPUT -j limit-25
+-A INPUT -j limit-24
+-A INPUT -j limit-23
+-A INPUT -j limit-22
+-A INPUT -j limit-21
+-A INPUT -j limit-20
+-A INPUT -j limit-19
+-A INPUT -j limit-18
+-A INPUT -j limit-17
+-A INPUT -j limit-16
+-A INPUT -j limit-15
+-A INPUT -j limit-14
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -j logdrop-0
+-A INPUT
+-A INPUT -j logreject-0
+-A INPUT -j logtarpit-0
+-A INPUT -j limit-0
+-A INPUT -j limit-1
+-A INPUT -j limit-2
+-A INPUT -j limit-3
+-A INPUT -j limit-4
+-A INPUT -j limit-5
+-A INPUT -j limit-6
+-A INPUT -j limit-7
+-A INPUT -j limit-8
+-A INPUT -j limit-9
+-A INPUT -j limit-10
+-A INPUT -j limit-11
+-A INPUT -j limit-12
+-A INPUT -j limit-13
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-0
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-1
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-2
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-3
+-A INPUT -j ACCEPT
+-A INPUT -j logdrop-9
+-A INPUT
+-A INPUT -j ACCEPT
+-A INPUT -j DROP
+-A INPUT
+-A INPUT -j logaccept-2
+-A INPUT -j logdrop-10
+-A INPUT -j logpass-0
-A INPUT -p icmp -j icmp-routing
+-A OUTPUT -j limit-27
+-A OUTPUT -j limit-26
+-A OUTPUT -j limit-25
+-A OUTPUT -j limit-24
+-A OUTPUT -j limit-23
+-A OUTPUT -j limit-22
+-A OUTPUT -j limit-21
+-A OUTPUT -j limit-20
+-A OUTPUT -j limit-19
+-A OUTPUT -j limit-18
+-A OUTPUT -j limit-17
+-A OUTPUT -j limit-16
+-A OUTPUT -j limit-15
+-A OUTPUT -j limit-14
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logdrop-0
+-A OUTPUT
+-A OUTPUT -j logreject-0
+-A OUTPUT -j logtarpit-0
+-A OUTPUT -j limit-0
+-A OUTPUT -j limit-1
+-A OUTPUT -j limit-2
+-A OUTPUT -j limit-3
+-A OUTPUT -j limit-4
+-A OUTPUT -j limit-5
+-A OUTPUT -j limit-6
+-A OUTPUT -j limit-7
+-A OUTPUT -j limit-8
+-A OUTPUT -j limit-9
+-A OUTPUT -j limit-10
+-A OUTPUT -j limit-11
+-A OUTPUT -j limit-12
+-A OUTPUT -j limit-13
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-0
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-1
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-2
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-3
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logdrop-9
+-A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j DROP
+-A OUTPUT
+-A OUTPUT -j logaccept-2
+-A OUTPUT -j logdrop-10
+-A OUTPUT -j logpass-0
-A OUTPUT -p icmp -j icmp-routing
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
+-A limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-1
+-A limit-0 -m recent --name limit-0 --rsource --mask 255.255.255.255 --set -j ACCEPT
+-A limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-2
+-A limit-1 -m recent --name limit-1 --rsource --mask 255.255.255.255 --set
+-A limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-10 -j logaccept-0
+-A limit-10 -m limit --limit 1/second -j LOG
+-A limit-10 -j DROP
+-A limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-11 -j ACCEPT
+-A limit-11 -j DROP
+-A limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-12 -j RETURN
+-A limit-12 -j DROP
+-A limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-13 -j logaccept-1
+-A limit-13 -j DROP
+-A limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-5
+-A limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --set
+-A limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-6
+-A limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --set
+-A limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-7
+-A limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --set
+-A limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-8
+-A limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+-A limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --set
+-A limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --set
+-A limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-3
+-A limit-2 -m limit --limit 1/second -j LOG
+-A limit-2 -m recent --name limit-2 --rsource --mask 255.255.255.255 --set -j ACCEPT
+-A limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --set
+-A limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+-A limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-22 -j RETURN
+-A limit-22 -m limit --limit 1/second -j LOG
+-A limit-22 -j DROP
+-A limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-23 -j RETURN
+-A limit-23 -m limit --limit 1/second -j LOG
+-A limit-23 -j DROP
+-A limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-24 -j RETURN
+-A limit-24 -m limit --limit 1/second -j LOG
+-A limit-24 -j DROP
+-A limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-25 -j RETURN
+-A limit-25 -j DROP
+-A limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-26 -j RETURN
+-A limit-26 -j DROP
+-A limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-27 -j RETURN
+-A limit-27 -j DROP
+-A limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-4
+-A limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+-A limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --set -j ACCEPT
+-A limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --set
+-A limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-6 -m limit --limit 1/second -j LOG
+-A limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --set -j ACCEPT
+-A limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+-A limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+-A limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-8 -j ACCEPT
+-A limit-8 -m limit --limit 1/second -j LOG
+-A limit-8 -j DROP
+-A limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-9 -j RETURN
+-A limit-9 -m limit --limit 1/second -j LOG
+-A limit-9 -j DROP
+-A logaccept-0 -m limit --limit 1/second -j LOG
+-A logaccept-0 -j ACCEPT
+-A logaccept-1 -m limit --limit 1/second -j LOG
+-A logaccept-1 -j ACCEPT
+-A logaccept-2 -m limit --limit 1/second -j LOG
+-A logaccept-2 -j ACCEPT
+-A logaccept-final-0 -m limit --limit 1/second -j LOG
+-A logaccept-final-0 -j ACCEPT
+-A logaccept-final-1 -m limit --limit 1/second -j LOG
+-A logaccept-final-1 -j ACCEPT
+-A logaccept-final-2 -m limit --limit 1/second -j LOG
+-A logaccept-final-2 -j ACCEPT
+-A logaccept-final-3 -m limit --limit 1/second -j LOG
+-A logaccept-final-3 -j ACCEPT
+-A logdrop-0 -m limit --limit 1/second -j LOG
+-A logdrop-0 -j DROP
+-A logdrop-1 -m limit --limit 1/second -j LOG
+-A logdrop-1 -j DROP
+-A logdrop-10 -m limit --limit 1/second -j LOG
+-A logdrop-10 -j DROP
+-A logdrop-2 -m limit --limit 1/second -j LOG
+-A logdrop-2 -j DROP
+-A logdrop-3 -m limit --limit 1/second -j LOG
+-A logdrop-3 -j DROP
+-A logdrop-4 -m limit --limit 1/second -j LOG
+-A logdrop-4 -j DROP
+-A logdrop-5 -m limit --limit 1/second -j LOG
+-A logdrop-5 -j DROP
+-A logdrop-6 -m limit --limit 1/second -j LOG
+-A logdrop-6 -j DROP
+-A logdrop-7 -m limit --limit 1/second -j LOG
+-A logdrop-7 -j DROP
+-A logdrop-8 -m limit --limit 1/second -j LOG
+-A logdrop-8 -j DROP
+-A logdrop-9 -m limit --limit 1/second -j LOG
+-A logdrop-9 -j DROP
+-A logpass-0 -m limit --limit 1/second -j LOG
+-A logreject-0 -m limit --limit 1/second -j LOG
+-A logreject-0 -j REJECT
+-A logtarpit-0 -m limit --limit 1/second -j LOG
+-A logtarpit-0 -j tarpit
+-A tarpit -p tcp -j TARPIT
+-A tarpit -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
@@ -22,3 +332,9 @@ COMMIT
-A POSTROUTING -m set --match-set awall-masquerade src -j awall-masquerade
-A awall-masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
COMMIT
+*raw
+:OUTPUT ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A OUTPUT -j CT --notrack
+-A PREROUTING -j CT --notrack
+COMMIT
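Review bot: The new `*raw` section pins `-A OUTPUT -j CT --notrack` and `-A PREROUTING -j CT --notrack` with no match criteria, while the filter table in the same file still accepts on `-m conntrack --ctstate ESTABLISHED`; once every packet is untracked, that accept rule can no longer match. This is fine as golden output for an unconditional rule, which is presumably what the test policy defines, but the fixture then covers no scoped no-track rule, the form an operator would actually deploy. I would add a policy entry with a protocol or port match so the expected output also contains a rule of the shape `-A PREROUTING -p udp --dport <port> -j CT --notrack`. The same applies to the `*raw` section added at the end of the rules6-save hunk.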
diff --git a/test/output/rules6-save b/test/output/rules6-save
index 419fd05..c8c4fc4 100644
--- a/test/output/rules6-save
+++ b/test/output/rules6-save
@@ -4,16 +4,332 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
+:limit-0 - [0:0]
+:limit-1 - [0:0]
+:limit-10 - [0:0]
+:limit-11 - [0:0]
+:limit-12 - [0:0]
+:limit-13 - [0:0]
+:limit-14 - [0:0]
+:limit-15 - [0:0]
+:limit-16 - [0:0]
+:limit-17 - [0:0]
+:limit-18 - [0:0]
+:limit-19 - [0:0]
+:limit-2 - [0:0]
+:limit-20 - [0:0]
+:limit-21 - [0:0]
+:limit-22 - [0:0]
+:limit-23 - [0:0]
+:limit-24 - [0:0]
+:limit-25 - [0:0]
+:limit-26 - [0:0]
+:limit-27 - [0:0]
+:limit-3 - [0:0]
+:limit-4 - [0:0]
+:limit-5 - [0:0]
+:limit-6 - [0:0]
+:limit-7 - [0:0]
+:limit-8 - [0:0]
+:limit-9 - [0:0]
+:logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
+:logaccept-2 - [0:0]
+:logaccept-final-0 - [0:0]
+:logaccept-final-1 - [0:0]
+:logaccept-final-2 - [0:0]
+:logaccept-final-3 - [0:0]
+:logdrop-0 - [0:0]
+:logdrop-1 - [0:0]
+:logdrop-10 - [0:0]
+:logdrop-2 - [0:0]
+:logdrop-3 - [0:0]
+:logdrop-4 - [0:0]
+:logdrop-5 - [0:0]
+:logdrop-6 - [0:0]
+:logdrop-7 - [0:0]
+:logdrop-8 - [0:0]
+:logdrop-9 - [0:0]
+:logpass-0 - [0:0]
+:logreject-0 - [0:0]
+:logtarpit-0 - [0:0]
+:tarpit - [0:0]
+-A FORWARD -j limit-27
+-A FORWARD -j limit-26
+-A FORWARD -j limit-25
+-A FORWARD -j limit-24
+-A FORWARD -j limit-23
+-A FORWARD -j limit-22
+-A FORWARD -j limit-21
+-A FORWARD -j limit-20
+-A FORWARD -j limit-19
+-A FORWARD -j limit-18
+-A FORWARD -j limit-17
+-A FORWARD -j limit-16
+-A FORWARD -j limit-15
+-A FORWARD -j limit-14
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A FORWARD -j ACCEPT
+-A FORWARD -j ACCEPT
+-A FORWARD -j logdrop-0
+-A FORWARD
+-A FORWARD -j logreject-0
+-A FORWARD -j logtarpit-0
+-A FORWARD -j limit-0
+-A FORWARD -j limit-1
+-A FORWARD -j limit-2
+-A FORWARD -j limit-3
+-A FORWARD -j limit-4
+-A FORWARD -j limit-5
+-A FORWARD -j limit-6
+-A FORWARD -j limit-7
+-A FORWARD -j limit-8
+-A FORWARD -j limit-9
+-A FORWARD -j limit-10
+-A FORWARD -j limit-11
+-A FORWARD -j limit-12
+-A FORWARD -j limit-13
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-0
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-1
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-2
+-A FORWARD -j ACCEPT
+-A FORWARD -j logaccept-final-3
+-A FORWARD -j ACCEPT
+-A FORWARD -j logdrop-9
+-A FORWARD
+-A FORWARD -j ACCEPT
+-A FORWARD -j DROP
+-A FORWARD
+-A FORWARD -j logaccept-2
+-A FORWARD -j logdrop-10
+-A FORWARD -j logpass-0
-A FORWARD -p icmpv6 -j icmp-routing
+-A INPUT -j limit-27
+-A INPUT -j limit-26
+-A INPUT -j limit-25
+-A INPUT -j limit-24
+-A INPUT -j limit-23
+-A INPUT -j limit-22
+-A INPUT -j limit-21
+-A INPUT -j limit-20
+-A INPUT -j limit-19
+-A INPUT -j limit-18
+-A INPUT -j limit-17
+-A INPUT -j limit-16
+-A INPUT -j limit-15
+-A INPUT -j limit-14
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -j ACCEPT
+-A INPUT -j logdrop-0
+-A INPUT
+-A INPUT -j logreject-0
+-A INPUT -j logtarpit-0
+-A INPUT -j limit-0
+-A INPUT -j limit-1
+-A INPUT -j limit-2
+-A INPUT -j limit-3
+-A INPUT -j limit-4
+-A INPUT -j limit-5
+-A INPUT -j limit-6
+-A INPUT -j limit-7
+-A INPUT -j limit-8
+-A INPUT -j limit-9
+-A INPUT -j limit-10
+-A INPUT -j limit-11
+-A INPUT -j limit-12
+-A INPUT -j limit-13
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-0
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-1
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-2
+-A INPUT -j ACCEPT
+-A INPUT -j logaccept-final-3
+-A INPUT -j ACCEPT
+-A INPUT -j logdrop-9
+-A INPUT
+-A INPUT -j ACCEPT
+-A INPUT -j DROP
+-A INPUT
+-A INPUT -j logaccept-2
+-A INPUT -j logdrop-10
+-A INPUT -j logpass-0
-A INPUT -p icmpv6 -j ACCEPT
+-A OUTPUT -j limit-27
+-A OUTPUT -j limit-26
+-A OUTPUT -j limit-25
+-A OUTPUT -j limit-24
+-A OUTPUT -j limit-23
+-A OUTPUT -j limit-22
+-A OUTPUT -j limit-21
+-A OUTPUT -j limit-20
+-A OUTPUT -j limit-19
+-A OUTPUT -j limit-18
+-A OUTPUT -j limit-17
+-A OUTPUT -j limit-16
+-A OUTPUT -j limit-15
+-A OUTPUT -j limit-14
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logdrop-0
+-A OUTPUT
+-A OUTPUT -j logreject-0
+-A OUTPUT -j logtarpit-0
+-A OUTPUT -j limit-0
+-A OUTPUT -j limit-1
+-A OUTPUT -j limit-2
+-A OUTPUT -j limit-3
+-A OUTPUT -j limit-4
+-A OUTPUT -j limit-5
+-A OUTPUT -j limit-6
+-A OUTPUT -j limit-7
+-A OUTPUT -j limit-8
+-A OUTPUT -j limit-9
+-A OUTPUT -j limit-10
+-A OUTPUT -j limit-11
+-A OUTPUT -j limit-12
+-A OUTPUT -j limit-13
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-0
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-1
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-2
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logaccept-final-3
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j logdrop-9
+-A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j DROP
+-A OUTPUT
+-A OUTPUT -j logaccept-2
+-A OUTPUT -j logdrop-10
+-A OUTPUT -j logpass-0
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
+-A limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-1
+-A limit-0 -m recent --name limit-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+-A limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-2
+-A limit-1 -m recent --name limit-1 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-10 -j logaccept-0
+-A limit-10 -m limit --limit 1/second -j LOG
+-A limit-10 -j DROP
+-A limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-11 -j ACCEPT
+-A limit-11 -j DROP
+-A limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-12 -j RETURN
+-A limit-12 -j DROP
+-A limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-13 -j logaccept-1
+-A limit-13 -j DROP
+-A limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-5
+-A limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-6
+-A limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-7
+-A limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-8
+-A limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+-A limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-3
+-A limit-2 -m limit --limit 1/second -j LOG
+-A limit-2 -m recent --name limit-2 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+-A limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+-A limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-22 -j RETURN
+-A limit-22 -m limit --limit 1/second -j LOG
+-A limit-22 -j DROP
+-A limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-23 -j RETURN
+-A limit-23 -m limit --limit 1/second -j LOG
+-A limit-23 -j DROP
+-A limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-24 -j RETURN
+-A limit-24 -m limit --limit 1/second -j LOG
+-A limit-24 -j DROP
+-A limit-25 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-25 -j RETURN
+-A limit-25 -j DROP
+-A limit-26 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-26 -j RETURN
+-A limit-26 -j DROP
+-A limit-27 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-27 -j RETURN
+-A limit-27 -j DROP
+-A limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-4
+-A limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+-A limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+-A limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
+-A limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-6 -m limit --limit 1/second -j LOG
+-A limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+-A limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+-A limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+-A limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-8 -j ACCEPT
+-A limit-8 -m limit --limit 1/second -j LOG
+-A limit-8 -j DROP
+-A limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-9 -j RETURN
+-A limit-9 -m limit --limit 1/second -j LOG
+-A limit-9 -j DROP
+-A logaccept-0 -m limit --limit 1/second -j LOG
+-A logaccept-0 -j ACCEPT
+-A logaccept-1 -m limit --limit 1/second -j LOG
+-A logaccept-1 -j ACCEPT
+-A logaccept-2 -m limit --limit 1/second -j LOG
+-A logaccept-2 -j ACCEPT
+-A logaccept-final-0 -m limit --limit 1/second -j LOG
+-A logaccept-final-0 -j ACCEPT
+-A logaccept-final-1 -m limit --limit 1/second -j LOG
+-A logaccept-final-1 -j ACCEPT
+-A logaccept-final-2 -m limit --limit 1/second -j LOG
+-A logaccept-final-2 -j ACCEPT
+-A logaccept-final-3 -m limit --limit 1/second -j LOG
+-A logaccept-final-3 -j ACCEPT
+-A logdrop-0 -m limit --limit 1/second -j LOG
+-A logdrop-0 -j DROP
+-A logdrop-1 -m limit --limit 1/second -j LOG
+-A logdrop-1 -j DROP
+-A logdrop-10 -m limit --limit 1/second -j LOG
+-A logdrop-10 -j DROP
+-A logdrop-2 -m limit --limit 1/second -j LOG
+-A logdrop-2 -j DROP
+-A logdrop-3 -m limit --limit 1/second -j LOG
+-A logdrop-3 -j DROP
+-A logdrop-4 -m limit --limit 1/second -j LOG
+-A logdrop-4 -j DROP
+-A logdrop-5 -m limit --limit 1/second -j LOG
+-A logdrop-5 -j DROP
+-A logdrop-6 -m limit --limit 1/second -j LOG
+-A logdrop-6 -j DROP
+-A logdrop-7 -m limit --limit 1/second -j LOG
+-A logdrop-7 -j DROP
+-A logdrop-8 -m limit --limit 1/second -j LOG
+-A logdrop-8 -j DROP
+-A logdrop-9 -m limit --limit 1/second -j LOG
+-A logdrop-9 -j DROP
+-A logpass-0 -m limit --limit 1/second -j LOG
+-A logreject-0 -m limit --limit 1/second -j LOG
+-A logreject-0 -j REJECT
+-A logtarpit-0 -m limit --limit 1/second -j LOG
+-A logtarpit-0 -j tarpit
+-A tarpit -p tcp -j TARPIT
+-A tarpit -j DROP
+COMMIT
+*raw
+:OUTPUT ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A OUTPUT -j CT --notrack
+-A PREROUTING -j CT --notrack
COMMIT
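Review bot: Every per-source limit in this expected output keys on a single IPv6 address (`--mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff` on the `recent` rules, `--hashlimit-srcmask 128` on the `hashlimit` rules). A host that is assigned a whole /64 is therefore counted as many independent sources, so the limit bounds far less than the /32 equivalent in rules-save. The fixture exercises only that full-length default. If the limit definition can take a prefix length (not visible in this hunk), a case expecting `--hashlimit-srcmask 64` would pin the coarser behaviour. Failing that, a comment in the test policy should state that the full-length mask is the default under test.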