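# @summary Accept inbound DNS traffic through nftables.
#
# Declares one nftables::rule resource per port/protocol combination.
#
# @param ports
#   Destination ports to accept.
# @param protocols
#   Transport protocols to accept on each port.
# @param ipset
#   Name of the nftables set used to restrict the source address
#   (`ip saddr @<name>`). When undef or empty, the rules accept from ANY
#   source address. The name is interpolated verbatim into the rule text;
#   it presumably must match a set defined elsewhere in the ruleset.
class firewall::rules::in::dns (
  Array[Stdlib::Port]      $ports     = [53],
  Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
  Optional[String]         $ipset     = undef,
) {
  # undef is not equal to '' in Puppet 4+, so comparing against '' alone sent
  # the default (undef) down the restricted branch and rendered the malformed
  # rule "ip saddr @ accept". Only restrict when a non-empty name is given.
  $restrict_source = ($ipset =~ String[1])

  $ports.each |$port| {
    $protocols.each |$proto| {
      if $restrict_source {
        $rule = "${proto} dport ${port} ip saddr @${ipset} accept"
      } else {
        # No source restriction: the port is reachable from any address.
        $rule = "${proto} dport ${port} accept"
      }

      nftables::rule { "default_in-dns_${proto}_${port}":
        content => $rule,
      }
    }
  }
}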