# netdev-family table: everything below hangs off the ingress hook, i.e. it
# sees raw frames of one interface before the IP stack runs (no conntrack,
# no defragmentation). Matching is therefore cheap but purely per-packet.
table netdev ddos_mitigation {

    # Hosts banned at runtime by an external tool (fail2ban or similar).
    # "timeout" lets every element carry its own expiry. These sets start
    # empty and are cleared on a ruleset flush, so the populating tool is
    # responsible for re-adding entries after a reload.
    set banned_ipv4 {
        type ipv4_addr
        flags timeout
    }

    set banned_ipv6 {
        type ipv6_addr
        flags timeout
    }

    # Bogon prefixes (unallocated / reserved space). Only a seed entry is
    # present here; presumably the rest is loaded from a bogon feed - verify
    # how it is refreshed.
    # NOTE(review): 0.0.0.0/8 as a *source* also matches DHCP client
    # broadcasts (DHCPDISCOVER / DHCPREQUEST are sent from 0.0.0.0). If this
    # host answers DHCP on lan, an accept for "udp sport 68 dport 67" has to
    # come before the drop in bogon_lan.
    set bogon_ipv4 {
        type ipv4_addr
        flags interval
        elements = {
            0.0.0.0/8,
        }
    }

    # NOTE(review): ::/8 contains the unspecified address "::", which
    # neighbours use as the source of Duplicate Address Detection
    # solicitations (RFC 4862). Dropping it at ingress means those probes
    # are never answered; confirm that is acceptable on lan.
    set bogon_ipv6 {
        type ipv6_addr
        flags interval
        elements = {
            ::/8,
        }
    }

    # RFC 1918 / RFC 4193 private space. "constant" pins the contents for the
    # life of the set: elements cannot be added or removed at runtime, so a
    # change here needs a ruleset reload. Link-local (fe80::/10) is
    # deliberately NOT listed - dropping it at ingress would break IPv6
    # neighbour discovery and router advertisements.
    set private_ipv4 {
        type ipv4_addr
        flags interval, constant
        elements = {
            10.0.0.0/8,
            172.16.0.0/12,
            192.168.0.0/16,
        }
    }

    set private_ipv6 {
        type ipv6_addr
        flags interval, constant
        elements = {
            fc00::/7,
        }
    }

    # Upstream (wan) interface: discard packets whose source address cannot
    # legitimately arrive from the internet - unallocated space, private
    # ranges, and individually banned hosts. priority -500 runs ahead of
    # other ingress chains; policy accept hands everything else to the
    # later hooks. Each rule keeps its own counter so spoofing volume per
    # category is visible in "nft list ruleset".
    # CAVEAT: if wan itself sits behind an ISP-assigned private or CGNAT
    # address, the private_ipv4 drop also discards the upstream gateway.
    chain bogon_wan {
        type filter hook ingress device wan priority -500; policy accept;

        ip saddr @bogon_ipv4 counter drop
        ip saddr @private_ipv4 counter drop
        ip saddr @banned_ipv4 counter drop

        ip6 saddr @bogon_ipv6 counter drop
        ip6 saddr @private_ipv6 counter drop
        ip6 saddr @banned_ipv6 counter drop
    }

    # Inside (lan) interface: only unallocated source space is rejected here.
    # Private ranges are legitimate on lan, and the banned sets are not
    # consulted on this side (presumably intentional - confirm).
    # See the notes on bogon_ipv4 / bogon_ipv6 above for the DHCP and DAD
    # side effects of dropping 0.0.0.0/8 and ::/8 sources on this interface.
    chain bogon_lan {
        type filter hook ingress device lan priority -500; policy accept;

        ip saddr @bogon_ipv4 counter drop
        ip6 saddr @bogon_ipv6 counter drop
    }
}