diff --git a/pkgs/firewallgen/default.nix b/pkgs/firewallgen/default.nix index 21dc0b8..1037e7d 100644 --- a/pkgs/firewallgen/default.nix +++ b/pkgs/firewallgen/default.nix @@ -13,8 +13,8 @@ let optionalString ; inherit (lib.lists) groupBy; - inherit (lib.attrsets) mapAttrsToList; - inherit (builtins) map head tail; + inherit (lib.attrsets) attrsToList mapAttrsToList; + inherit (builtins) elemAt map head tail toString; indentLines = offset: lines: @@ -68,6 +68,25 @@ let } ''; + domap = + { + name, + type, + elements ? [ ], + extraText ? null, + ... + }: + let + colonize = v: + let ty = elemAt (attrsToList v) 0; in "${ty.name}: ${ty.value}"; + in '' + map ${name} { + type ${colonize type} + ${if elements != [ ] then "elements = { ${concatStringsSep ", " (mapAttrsToList (k: v : "${k}: ${toString v}") elements)} }" else ""} + ${optionalString (extraText != null) extraText} + } + ''; + dochainorset = { kind ? "chain", @@ -76,6 +95,7 @@ let { chain = dochain; set = doset; + map = domap; } .${kind} params; diff --git a/pkgs/firewallgen/test-rules-min.nix b/pkgs/firewallgen/test-rules-min.nix index 3ba4e39..8a3da82 100644 --- a/pkgs/firewallgen/test-rules-min.nix +++ b/pkgs/firewallgen/test-rules-min.nix @@ -151,6 +151,18 @@ in "eth0" "eth1" ]; - }; + + map-intf-limits-ip6 = { + name = "intf-limits"; + kind = "map"; + family = "ip6"; + type = { ifname = "bytes"; }; + elements = { + # XXX keys need to be generated from interface outputs + ppp0 = builtins.floor (70*1000*1000 * 0.05); # 5% of 70MB fttp connection + lan = builtins.floor (1000*1000*1000 * 0.05); # GB ethernet + }; + }; + }
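Review bot: In `domap`, `elements` defaults to a list (`elements ? [ ]`) but is consumed with `mapAttrsToList`, so the check `elements != [ ]` is true for an empty attrset `{ }` and an empty `elements = {  }` line would be written into the generated ruleset. Default it to `{ }` and guard with `optionalString (elements != { })`, which also matches how `extraText` is handled on the next line. `colonize` reads only the first pair of `type` via `elemAt (attrsToList v) 0`, so an empty `type` fails with an index error and any extra attributes are dropped silently. For a firewall generator, an explicit check that `type` has exactly one attribute is safer than emitting a map that differs from what was configured. `name`, the element keys and `extraText` are interpolated unquoted and unchecked, so a comment stating that they must come from trusted configuration would help the next reader.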
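Review bot: The units in the `elements` comments of `map-intf-limits-ip6` are ambiguous. The map value type is declared as `bytes`, but the figures look derived from link speeds ("70MB fttp connection", "GB ethernet"), which are normally quoted in bits per second. If they are bit rates, the byte values are off by a factor of 8. Either way the comment should say so, e.g. `# 5% of a 70 Mbit/s FTTP link, in bytes per <period>`. The fixture also covers only a non-empty `elements`, so the empty/default path of the map generator stays untested.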