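{
    # SSH_Whitelist and SSH_Autoblock
    #
    # Template fragment: appends to $OUT the shell commands that rebuild the
    # SSH_Whitelist chain from the sshd ValidFrom property and refresh the
    # SSH_Autoblock rate-limit rule.
    #
    # Every sshd property used below is interpolated into a shell script that
    # runs /sbin/iptables, so each value is checked before it is emitted.
    # A malformed value must not turn into extra shell words or a broken rule.

    # Return $value when it is a plain decimal number, else $default.
    # As with the plain `||` default, an unset, empty or "0" value also
    # yields $default.
    my $numeric_or_default = sub {
        my ($name, $value, $default) = @_;
        return $default unless defined $value && $value ne '';
        unless ( $value =~ /\A[0-9]+\z/ ) {
            warn "sshd $name is not numeric; using default $default\n";
            return $default;
        }
        return $value || $default;
    };

    my $sshd_port = $numeric_or_default->( 'TCPPort', $sshd{TCPPort}, "22" );

    # Find the current SSH_Whitelist_$$ chain, and create a new one.
    # get_safe_id is not defined in this fragment -- presumably a shell
    # function supplied earlier in the generated script; confirm.
    $OUT .=<<'EOF';
    OLD_SSH_Whitelist=$(get_safe_id SSH_Whitelist filter find)
    NEW_SSH_Whitelist=$(get_safe_id SSH_Whitelist filter new)
    /sbin/iptables --new-chain $NEW_SSH_Whitelist
EOF

    # One ACCEPT rule per source listed in sshd ValidFrom (comma separated).
    foreach my $entry ( split /,/, ( $sshd{ValidFrom} || '' ) ) {
        # Tolerate "a, b" and "a,,b": trim blanks and skip empty fields,
        # which would otherwise emit "-s  -p tcp" and make iptables take
        # "-p" as the source address.
        ( my $ip = $entry ) =~ s/\A\s+|\s+\z//g;
        next if $ip eq '';

        # Accept only address-like tokens (address, address/mask, host name).
        # A leading alphanumeric rules out option injection; the character
        # set rules out shell metacharacters. Skipping fails closed: the
        # rejected source simply is not whitelisted.
        unless ( $ip =~ m{\A[0-9A-Za-z][0-9A-Za-z.:/-]*\z} ) {
            warn "skipping invalid sshd ValidFrom entry\n";
            next;
        }

        $OUT .= "    /sbin/iptables --append \$NEW_SSH_Whitelist -s $ip"
              . " -p tcp"
              . " --dport $sshd_port"
              . " -j ACCEPT\n";
    }

    # Anything not accepted above falls back to the calling chain.
    $OUT .= "    /sbin/iptables --append  \$NEW_SSH_Whitelist" .
                " -j RETURN\n";

    # Having created a new SSH_Whitelist chain, activate it and destroy the old one.
    $OUT .=<<'EOF';
    /sbin/iptables --replace SSH_Whitelist 1 \
            --jump $NEW_SSH_Whitelist
    /sbin/iptables --flush $OLD_SSH_Whitelist
    /sbin/iptables --delete-chain $OLD_SSH_Whitelist
EOF

    # SSH_Autoblock: hit count and time window of the "recent" match.
    my $abtries = $numeric_or_default->( 'AutoBlockTries', $sshd{AutoBlockTries}, "4" );
    my $abtime  = $numeric_or_default->( 'AutoBlockTime',  $sshd{AutoBlockTime},  "900" );

    # Interpolating heredoc: "\\" yields the shell line continuation.
    $OUT .=<<"EOF";

    /sbin/iptables --replace SSH_Autoblock 3 -m recent --rcheck --rttl \\
	--seconds $abtime --hitcount $abtries --name SSH -j denylog
    # Clear SSH_Autoblock site history too
    echo / > /proc/net/xt_recent/SSH
EOF
}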
