What scripts / hooks are triggered in a netvm when a network-client VM starts / shuts down?

I think I found my answer in this post: Set firewall rules for windows 10 update - #12 by icequbes1

Replace the rule with handle 14 to add logging and a counter:

nft replace rule qubes-firewall qbs-10-138-26-180 handle 14 counter log prefix \"[qubes-firewall-BLOCKED] \" reject with icmp type admin-prohibited

My remaining question is whats the best way to automate that. When qubes-firewall creates a chain, I want to run a “post hook” script that configures this chain to not reject with admin-prohibited but to log & drop.