table inet redxenfirewall {

	set blackhole4 {
		type ipv4_addr;
		flags dynamic, timeout;
	}

	set blackhole6 {
		type ipv6_addr;
		flags dynamic, timeout;
	}

	chain rxfi {
		type filter hook input priority 0;
		policy drop;
		include "inet/redxenfirewall/filter/input/blocked/*";
		include "inet/redxenfirewall/filter/input/trusted/*";
		include "inet/redxenfirewall/filter/input/stateful/*";
		include "inet/redxenfirewall/filter/input/allowed/*";
		include "inet/redxenfirewall/filter/input/established/*";
		counter reject with icmpx type admin-prohibited;
	}

	chain fwfi {
		type filter hook forward priority 0;
		policy drop;
		include "inet/redxenfirewall/filter/forward/*";
		counter reject with icmpx type no-route;
	}

	chain txfi {
		type filter hook output priority 0;
		policy accept;
		include "inet/redxenfirewall/filter/output/*";
	}

	chain prenat {
		type nat hook prerouting priority -100;
		policy accept;
		include "inet/redxenfirewall/nat/prerouting/*";
	}

	chain rxnat {
		type nat hook input priority 100;
		policy accept;
		include "inet/redxenfirewall/nat/input/*";
	}

	chain txnat {
		type nat hook output priority -100;
		policy accept;
		include "inet/redxenfirewall/nat/output/*";
	}

	chain postnat {
		type nat hook postrouting priority 100;
		policy accept;
		include "inet/redxenfirewall/nat/postrouting/*";
	}

}