-<%- node[:networking][:firewall][:sets].each do |set| %>
- set <%= set %> {
-<%- if set.end_with?("-ip") %>
- type ipv4_addr
-<%- elsif set.end_with?("-ip6") %>
- type ipv6_addr
-<%- end %>
- flags dynamic
- size 0
+<% node[:networking][:firewall][:sets].each do |set| -%>
+ set <%= set[:name] %> {
+ type <%= set[:type] %>
+<% if set[:flags] -%>
+ flags <%= set[:flags].join(", ") %>
+<% end -%>
+<% if set[:timeout] -%>
+ timeout <%= set[:timeout] %>s
+<% end -%>
+ }
+
+<% end -%>
+
+<% node[:networking][:firewall][:helpers].each do |helper| -%>
+ ct helper <%= helper[:name] %> {
+ type "<%= helper[:helper] %>" protocol <%= helper[:protocol] %>