
----------------------
1) NFTables rulesets
----------------------

# IPv4 mangle table. Both chains are empty and have no hook, so as listed this
# table changes no packets. The names look like kubelet's iptables marker
# chains (mode hint / flush canary) -- TODO confirm against the kubelet version.
table ip mangle { # handle 1
	chain KUBE-IPTABLES-HINT { # handle 1
	}

	chain KUBE-KUBELET-CANARY { # handle 2
	}
}
# IPv4 NAT table. Only POSTROUTING is hooked; the other chains are reached by
# jump or not at all. Counters are a point-in-time snapshot.
# NOTE(review): "xt match <name>" is how nft renders an iptables-compat match
# it cannot translate; the match arguments (set name, direction, ...) are NOT
# shown here. Audit those rules with iptables-save before drawing conclusions.
table ip nat { # handle 3
	# Tags a packet with mark bit 0x8000; "ip filter" KUBE-FIREWALL drops packets
	# carrying that bit. No rule in this listing jumps here.
	chain KUBE-MARK-DROP { # handle 1
		counter packets 0 bytes 0 meta mark set mark or 0x8000 # handle 2
	}

	# Tags a packet with mark bit 0x4000 (masquerade request). No rule in this
	# listing jumps here, consistent with the zero counters below.
	chain KUBE-MARK-MASQ { # handle 3
		counter packets 0 bytes 0 meta mark set mark or 0x4000 # handle 5
	}

	# Masquerades only packets that carry mark bit 0x4000.
	chain KUBE-POSTROUTING { # handle 4
		# Bit 0x4000 not set: leave the chain without NAT.
		meta mark & 0x00004000 != 0x00004000 counter packets 28945 bytes 1768568 return # handle 8
		# Clear the bit (xor on a bit known to be set) before masquerading.
		counter packets 0 bytes 0 meta mark set mark xor 0x4000 # handle 9
		 counter packets 0 bytes 0 masquerade fully-random # handle 10
	}

	# Base chain for source NAT; policy accept, so unmatched packets leave unchanged.
	chain POSTROUTING { # handle 6
		type nat hook postrouting priority srcnat; policy accept;
		 counter packets 28945 bytes 1768568 jump KUBE-POSTROUTING # handle 7
		# Three untranslated set matches decide what is masqueraded; the set names
		# are not visible in this listing, so the scope of this rule cannot be
		# verified from here.
		xt match set xt match set xt match set counter packets 5554 bytes 250274 masquerade fully-random # handle 12
		# Traffic with neither endpoint in 172.16.0.0/16 that also satisfies the
		# (untranslated) ipvs match is source-NATed to 192.168.3.5.
		ip saddr != 172.16.0.0/16 ip daddr != 172.16.0.0/16 xt match ipvs  counter packets 4 bytes 240 snat to 192.168.3.5 fully-random # handle 13
	}

	# Empty, unhooked chain; no effect on traffic as listed.
	chain KUBE-KUBELET-CANARY { # handle 11
	}
}
# IPv6 mangle table. Both chains are empty and unhooked, so as listed this
# table changes no packets.
table ip6 mangle { # handle 4
	chain KUBE-IPTABLES-HINT { # handle 1
	}

	chain KUBE-KUBELET-CANARY { # handle 2
	}
}
# IPv6 NAT table. Same chain layout as "ip nat", but POSTROUTING holds only
# the jump to KUBE-POSTROUTING (no set-based masquerade or snat rule).
table ip6 nat { # handle 5
	# Sets mark bit 0x8000; no rule in this listing jumps here.
	chain KUBE-MARK-DROP { # handle 1
		counter packets 0 bytes 0 meta mark set mark or 0x8000 # handle 2
	}

	# Sets mark bit 0x4000; no rule in this listing jumps here.
	chain KUBE-MARK-MASQ { # handle 3
		counter packets 0 bytes 0 meta mark set mark or 0x4000 # handle 5
	}

	chain KUBE-POSTROUTING { # handle 4
		# Bit 0x4000 not set: leave the chain without NAT.
		meta mark & 0x00004000 != 0x00004000 counter packets 103 bytes 5093 return # handle 8
		# Clear the bit before the final statement.
		counter packets 0 bytes 0 meta mark set mark xor 0x4000 # handle 9
		# NOTE(review): this rule lists a counter but no action. The IPv4 twin ends
		# in "masquerade fully-random", so the statement was presumably not rendered
		# by nft -- confirm with ip6tables-save.
		 counter packets 0 bytes 0  # handle 10
	}

	# Base chain for IPv6 source NAT; policy accept.
	chain POSTROUTING { # handle 6
		type nat hook postrouting priority srcnat; policy accept;
		 counter packets 103 bytes 5093 jump KUBE-POSTROUTING # handle 7
	}

	# Empty, unhooked chain; no effect on traffic as listed.
	chain KUBE-KUBELET-CANARY { # handle 11
	}
}
# IPv6 filter table.
# NOTE(review): this table has no base chain (no "type filter hook ..." line)
# and nothing jumps to KUBE-FIREWALL, so as listed no IPv6 packet is filtered
# here. In particular the tcp/6443 source restriction in "ip filter" INPUT has
# no IPv6 counterpart in this listing. If the node has routable IPv6
# addresses, verify that this is intended.
table ip6 filter { # handle 6
	# Would drop packets carrying mark bit 0x8000, but the chain is unreachable as listed.
	chain KUBE-FIREWALL { # handle 1
		 meta mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 drop # handle 2
	}

	# Empty, unhooked chain; no effect on traffic as listed.
	chain KUBE-KUBELET-CANARY { # handle 3
	}
}
# IPv4 filter table: host firewall plus per-pod chains (KUBE-ROUTER-*, KUBE-POD-FW-*).
# All three base chains use "policy accept": a packet is dropped or rejected only
# when a rule says so explicitly. Counters are a point-in-time snapshot.
# Mark bits used in this table, as established by the rules below:
#   0x8000  -> dropped in KUBE-FIREWALL
#   0x10000 -> set by KUBE-NWPLCY-DEFAULT, tested then cleared in each KUBE-POD-FW-* chain
#   0x20000 -> set at the end of each KUBE-POD-FW-* chain, accepted in KUBE-ROUTER-*
# NOTE(review): "xt match <name>" is an iptables-compat match nft cannot
# translate; its arguments are not shown. Double spaces inside a rule probably
# mark an elided iptables comment match -- confirm with iptables-save.
table ip filter { # handle 67
	# Traffic addressed to the node itself.
	# NOTE(review): rule order matters. An accept reached inside KUBE-ROUTER-INPUT
	# ends evaluation of this chain, so traffic from the local pod IPs that a
	# KUBE-POD-FW-* chain accepts never reaches the tcp/6443 rules below. The
	# 6443 allowlist constrains only packets that return from the earlier jumps.
	chain INPUT { # handle 1
		type filter hook input priority filter; policy accept;
		 counter packets 26970 bytes 5332948 jump KUBE-ROUTER-INPUT # handle 16
		 xt match set counter packets 0 bytes 0 jump KUBE-ROUTER-SERVICES # handle 17
		counter packets 24729 bytes 5018354 jump KUBE-FIREWALL # handle 18
		# tcp/6443 (presumably the Kubernetes API server -- confirm) is allowed only
		# from 192.168.3.5 and 127.0.0.1; every other source is silently dropped.
		ip saddr 192.168.3.5 tcp dport 6443  counter packets 1109 bytes 191064 accept # handle 19
		ip saddr 127.0.0.1 tcp dport 6443  counter packets 1156 bytes 170511 accept # handle 20
		tcp dport 6443  counter packets 0 bytes 0 drop # handle 21
	}

	# Routed traffic. With "policy accept", anything that returns from
	# KUBE-ROUTER-FORWARD without a drop/reject is forwarded; the three explicit
	# accepts below do not narrow that.
	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy accept;
		 counter packets 168 bytes 7560 jump KUBE-ROUTER-FORWARD # handle 22
		oifname "eno1"  counter packets 0 bytes 0 accept # handle 23
		oifname "kube-bridge"  counter packets 0 bytes 0 accept # handle 24
		iifname "kube-bridge"  counter packets 0 bytes 0 accept # handle 25
	}

	# Locally generated traffic.
	chain OUTPUT { # handle 3
		type filter hook output priority filter; policy accept;
		 counter packets 27103 bytes 5884271 jump KUBE-ROUTER-OUTPUT # handle 26
		counter packets 24417 bytes 5288674 jump KUBE-FIREWALL # handle 27
	}

	# Reached from INPUT and OUTPUT.
	chain KUBE-FIREWALL { # handle 4
		# Non-loopback source addressed to 127.0.0.0/8.
		# NOTE(review): the conntrack condition is shown as "ct status dnat"; the
		# kubelet rule this resembles is normally a negated state match, so the
		# rendering may be lossy -- verify the real condition with iptables-save.
		ip saddr != 127.0.0.0/8 ip daddr 127.0.0.0/8  ct status dnat counter packets 0 bytes 0 drop # handle 28
		# Drop anything tagged with mark bit 0x8000.
		 meta mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 drop # handle 29
	}

	# Empty, unhooked chain; no effect on traffic as listed.
	chain KUBE-KUBELET-CANARY { # handle 5
	}

	# Sets mark bit 0x10000 unconditionally. Every KUBE-POD-FW-* chain below jumps
	# here for its pod's traffic, which makes those chains default-allow as listed.
	chain KUBE-NWPLCY-DEFAULT { # handle 6
		 counter packets 168 bytes 7560 meta mark set mark or 0x10000 # handle 30
	}

	# Dispatches forwarded traffic to the per-pod chain by pod IP (172.16.0.18-22),
	# once on the plain address and once with an untranslated physdev match (bridge
	# port direction is not visible here).
	chain KUBE-ROUTER-FORWARD { # handle 7
		ip daddr 172.16.0.22  counter packets 0 bytes 0 jump KUBE-POD-FW-R6Y5V5VFBU6A7TMT # handle 44
		ip daddr 172.16.0.22 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-R6Y5V5VFBU6A7TMT # handle 46
		ip saddr 172.16.0.22  counter packets 0 bytes 0 jump KUBE-POD-FW-R6Y5V5VFBU6A7TMT # handle 47
		ip saddr 172.16.0.22 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-R6Y5V5VFBU6A7TMT # handle 50
		ip daddr 172.16.0.21  counter packets 0 bytes 0 jump KUBE-POD-FW-IFSL6I2FD2DWDKUH # handle 60
		ip daddr 172.16.0.21 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-IFSL6I2FD2DWDKUH # handle 62
		ip saddr 172.16.0.21  counter packets 168 bytes 7560 jump KUBE-POD-FW-IFSL6I2FD2DWDKUH # handle 64
		ip saddr 172.16.0.21 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-IFSL6I2FD2DWDKUH # handle 66
		ip daddr 172.16.0.19  counter packets 0 bytes 0 jump KUBE-POD-FW-S4E2P7THBKEKU2RQ # handle 76
		ip daddr 172.16.0.19 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-S4E2P7THBKEKU2RQ # handle 78
		ip saddr 172.16.0.19  counter packets 0 bytes 0 jump KUBE-POD-FW-S4E2P7THBKEKU2RQ # handle 81
		ip saddr 172.16.0.19 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-S4E2P7THBKEKU2RQ # handle 82
		ip daddr 172.16.0.18  counter packets 0 bytes 0 jump KUBE-POD-FW-GNGBDNG7EENQUHEK # handle 92
		ip daddr 172.16.0.18 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-GNGBDNG7EENQUHEK # handle 94
		ip saddr 172.16.0.18  counter packets 0 bytes 0 jump KUBE-POD-FW-GNGBDNG7EENQUHEK # handle 96
		ip saddr 172.16.0.18 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-GNGBDNG7EENQUHEK # handle 98
		ip daddr 172.16.0.20  counter packets 0 bytes 0 jump KUBE-POD-FW-E6SAAVQ2REWQKV7E # handle 108
		ip daddr 172.16.0.20 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-E6SAAVQ2REWQKV7E # handle 110
		ip saddr 172.16.0.20  counter packets 0 bytes 0 jump KUBE-POD-FW-E6SAAVQ2REWQKV7E # handle 112
		ip saddr 172.16.0.20 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-E6SAAVQ2REWQKV7E # handle 114
		# Terminal accept for packets a pod chain tagged with 0x20000.
		 meta mark & 0x00020000 == 0x00020000 counter packets 168 bytes 7560 accept # handle 120
	}

	# Node-bound traffic. Packets to 10.96.0.0/12 (presumably the service CIDR) and
	# to local tcp/udp 30000-32767 (presumably NodePorts) return to INPUT untouched;
	# packets sourced from a local pod IP go through that pod's chain.
	chain KUBE-ROUTER-INPUT { # handle 8
		ip daddr 10.96.0.0/12  counter packets 0 bytes 0 return # handle 31
		meta l4proto tcp  fib daddr type local tcp dport 30000-32767 counter packets 0 bytes 0 return # handle 32
		meta l4proto udp  fib daddr type local udp dport 30000-32767 counter packets 0 bytes 0 return # handle 33
		ip saddr 172.16.0.22  counter packets 70 bytes 5098 jump KUBE-POD-FW-R6Y5V5VFBU6A7TMT # handle 49
		ip saddr 172.16.0.21  counter packets 771 bytes 62299 jump KUBE-POD-FW-IFSL6I2FD2DWDKUH # handle 63
		ip saddr 172.16.0.19  counter packets 0 bytes 0 jump KUBE-POD-FW-S4E2P7THBKEKU2RQ # handle 80
		ip saddr 172.16.0.18  counter packets 1331 bytes 242186 jump KUBE-POD-FW-GNGBDNG7EENQUHEK # handle 95
		ip saddr 172.16.0.20  counter packets 69 bytes 5011 jump KUBE-POD-FW-E6SAAVQ2REWQKV7E # handle 111
		# Terminal accept: ends INPUT evaluation before the tcp/6443 rules.
		 meta mark & 0x00020000 == 0x00020000 counter packets 0 bytes 0 accept # handle 119
	}

	# Locally generated traffic to or from a local pod IP goes through that pod's chain.
	chain KUBE-ROUTER-OUTPUT { # handle 9
		ip daddr 172.16.0.22  counter packets 76 bytes 31307 jump KUBE-POD-FW-R6Y5V5VFBU6A7TMT # handle 45
		ip saddr 172.16.0.22  counter packets 0 bytes 0 jump KUBE-POD-FW-R6Y5V5VFBU6A7TMT # handle 48
		ip daddr 172.16.0.21  counter packets 1030 bytes 74941 jump KUBE-POD-FW-IFSL6I2FD2DWDKUH # handle 61
		ip saddr 172.16.0.21  counter packets 0 bytes 0 jump KUBE-POD-FW-IFSL6I2FD2DWDKUH # handle 65
		ip daddr 172.16.0.19  counter packets 0 bytes 0 jump KUBE-POD-FW-S4E2P7THBKEKU2RQ # handle 77
		ip saddr 172.16.0.19  counter packets 0 bytes 0 jump KUBE-POD-FW-S4E2P7THBKEKU2RQ # handle 79
		ip daddr 172.16.0.18  counter packets 1505 bytes 458093 jump KUBE-POD-FW-GNGBDNG7EENQUHEK # handle 93
		ip saddr 172.16.0.18  counter packets 0 bytes 0 jump KUBE-POD-FW-GNGBDNG7EENQUHEK # handle 97
		ip daddr 172.16.0.20  counter packets 75 bytes 31256 jump KUBE-POD-FW-E6SAAVQ2REWQKV7E # handle 109
		ip saddr 172.16.0.20  counter packets 0 bytes 0 jump KUBE-POD-FW-E6SAAVQ2REWQKV7E # handle 113
		# Terminal accept for packets a pod chain tagged with 0x20000.
		 meta mark & 0x00020000 == 0x00020000 counter packets 0 bytes 0 accept # handle 121
	}

	# Entered from INPUT on an untranslated set match. Accepts one set-matched
	# class of traffic and three ICMP types, then rejects a second set-matched
	# class. The set names are not shown, so which services this covers cannot be
	# determined from this listing.
	chain KUBE-ROUTER-SERVICES { # handle 10
		 xt match set counter packets 0 bytes 0 accept # handle 34
		meta l4proto icmp  icmp type echo-request counter packets 0 bytes 0 accept # handle 35
		meta l4proto icmp  icmp type destination-unreachable counter packets 0 bytes 0 accept # handle 36
		meta l4proto icmp  icmp type time-exceeded counter packets 0 bytes 0 accept # handle 37
		 xt match set counter packets 0 bytes 0 reject # handle 38
	}

	# Per-pod firewall for 172.16.0.22. The four chains after this one repeat the
	# same nine-rule template for the other pod IPs.
	chain KUBE-POD-FW-R6Y5V5VFBU6A7TMT { # handle 11
		# Stateful fast path, then discard packets conntrack cannot classify.
		 ct state related,established counter packets 146 bytes 36405 accept # handle 43
		 ct state invalid counter packets 0 bytes 0 drop # handle 42
		# Traffic to the pod whose source is an address local to this node is accepted.
		ip daddr 172.16.0.22  fib saddr type local counter packets 0 bytes 0 accept # handle 41
		# Both directions jump to KUBE-NWPLCY-DEFAULT, which sets 0x10000.
		ip saddr 172.16.0.22  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 40
		ip daddr 172.16.0.22  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 39
		# Packets without 0x10000 are logged (rate-limited, nflog group 100) and
		# rejected. Because the two jumps above match on the pod IP alone, these
		# rules are not reached for this pod as listed; no restricting policy is
		# visible. The log is useful only if a listener is bound to group 100.
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 51
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 52
		# Clear 0x10000, then set 0x20000 so the calling KUBE-ROUTER-* chain accepts.
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 53
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 54
	}

	# Per-pod firewall for 172.16.0.21; same template and same default-allow
	# outcome. Handles 56/69/70 show 168 new packets sourced from this pod passing
	# through the allow path.
	chain KUBE-POD-FW-IFSL6I2FD2DWDKUH { # handle 12
		 ct state related,established counter packets 1650 bytes 128180 accept # handle 59
		 ct state invalid counter packets 0 bytes 0 drop # handle 58
		ip daddr 172.16.0.21  fib saddr type local counter packets 151 bytes 9060 accept # handle 57
		ip saddr 172.16.0.21  counter packets 168 bytes 7560 jump KUBE-NWPLCY-DEFAULT # handle 56
		ip daddr 172.16.0.21  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 55
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 67
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 68
		counter packets 168 bytes 7560 meta mark set mark and 0xfffeffff # handle 69
		 counter packets 168 bytes 7560 meta mark set mark or 0x20000 # handle 70
	}

	# Per-pod firewall for 172.16.0.19; same template. All counters are zero in
	# this snapshot.
	chain KUBE-POD-FW-S4E2P7THBKEKU2RQ { # handle 13
		 ct state related,established counter packets 0 bytes 0 accept # handle 75
		 ct state invalid counter packets 0 bytes 0 drop # handle 74
		ip daddr 172.16.0.19  fib saddr type local counter packets 0 bytes 0 accept # handle 73
		ip saddr 172.16.0.19  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 72
		ip daddr 172.16.0.19  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 71
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 83
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 84
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 85
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 86
	}

	# Per-pod firewall for 172.16.0.18; same template. Only the
	# established/related fast path has matched in this snapshot.
	chain KUBE-POD-FW-GNGBDNG7EENQUHEK { # handle 14
		 ct state related,established counter packets 2836 bytes 700279 accept # handle 91
		 ct state invalid counter packets 0 bytes 0 drop # handle 90
		ip daddr 172.16.0.18  fib saddr type local counter packets 0 bytes 0 accept # handle 89
		ip saddr 172.16.0.18  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 88
		ip daddr 172.16.0.18  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 87
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 99
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 100
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 101
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 102
	}

	# Per-pod firewall for 172.16.0.20; same template. Only the
	# established/related fast path has matched in this snapshot.
	chain KUBE-POD-FW-E6SAAVQ2REWQKV7E { # handle 15
		 ct state related,established counter packets 144 bytes 36267 accept # handle 107
		 ct state invalid counter packets 0 bytes 0 drop # handle 106
		ip daddr 172.16.0.20  fib saddr type local counter packets 0 bytes 0 accept # handle 105
		ip saddr 172.16.0.20  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 104
		ip daddr 172.16.0.20  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 103
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 115
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 116
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 117
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 118
	}
}
