class firewall::rules::in::sshd (
  Array[Stdlib::Port] $ports = [22],
  Optional[String]    $ipset = undef,
) {

  $ports.each |$port| {
    if $ipset != '' {
      $rule = "tcp dport ${port} ip saddr @${ipset} accept"
    }else{
      $rule = "tcp dport ${port} accept"
    }
    nftables::rule { "default_in-sshd_tcp_${port}":
      content => $rule,
    }
  }
}