
----------------------
1) NFTables rulesets
----------------------

table ip mangle { # handle 1
	chain KUBE-IPTABLES-HINT { # handle 1
	}

	chain KUBE-KUBELET-CANARY { # handle 2
	}
}
table ip nat { # handle 3
	chain KUBE-MARK-DROP { # handle 1
		counter packets 0 bytes 0 meta mark set mark or 0x8000 # handle 2
	}

	chain KUBE-MARK-MASQ { # handle 3
		counter packets 0 bytes 0 meta mark set mark or 0x4000 # handle 5
	}

	chain KUBE-POSTROUTING { # handle 4
		meta mark & 0x00004000 != 0x00004000 counter packets 9453 bytes 736119 return # handle 8
		counter packets 0 bytes 0 meta mark set mark xor 0x4000 # handle 9
		 counter packets 0 bytes 0 masquerade fully-random # handle 10
	}

	chain POSTROUTING { # handle 6
		type nat hook postrouting priority srcnat; policy accept;
		 counter packets 9453 bytes 736119 jump KUBE-POSTROUTING # handle 7
		xt match set xt match set xt match set counter packets 34 bytes 2754 masquerade fully-random # handle 12
		ip saddr != 172.16.0.0/16 ip daddr != 172.16.0.0/16 xt match ipvs  counter packets 6 bytes 338 snat to 192.168.0.35 fully-random # handle 13
	}

	chain KUBE-KUBELET-CANARY { # handle 11
	}
}
table ip6 mangle { # handle 4
	chain KUBE-IPTABLES-HINT { # handle 1
	}

	chain KUBE-KUBELET-CANARY { # handle 2
	}
}
table ip6 nat { # handle 5
	chain KUBE-MARK-DROP { # handle 1
		counter packets 0 bytes 0 meta mark set mark or 0x8000 # handle 2
	}

	chain KUBE-MARK-MASQ { # handle 3
		counter packets 0 bytes 0 meta mark set mark or 0x4000 # handle 5
	}

	chain KUBE-POSTROUTING { # handle 4
		meta mark & 0x00004000 != 0x00004000 counter packets 40 bytes 13687 return # handle 8
		counter packets 0 bytes 0 meta mark set mark xor 0x4000 # handle 9
		 counter packets 0 bytes 0  # handle 10
	}

	chain POSTROUTING { # handle 6
		type nat hook postrouting priority srcnat; policy accept;
		 counter packets 40 bytes 13687 jump KUBE-POSTROUTING # handle 7
	}

	chain KUBE-KUBELET-CANARY { # handle 11
	}
}
table ip6 filter { # handle 6
	chain KUBE-FIREWALL { # handle 1
		 meta mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 drop # handle 2
	}

	chain KUBE-KUBELET-CANARY { # handle 3
	}
}
table ip filter { # handle 63
	chain INPUT { # handle 1
		type filter hook input priority filter; policy accept;
		 counter packets 12519 bytes 8458707 jump KUBE-ROUTER-INPUT # handle 19
		 xt match set counter packets 3023 bytes 474644 jump KUBE-ROUTER-SERVICES # handle 20
		counter packets 10051 bytes 7933938 jump KUBE-FIREWALL # handle 21
		ip saddr 192.168.0.35 tcp dport 6443  counter packets 497 bytes 86718 accept # handle 22
		ip saddr 127.0.0.1 tcp dport 6443  counter packets 2272 bytes 404235 accept # handle 23
		tcp dport 6443  counter packets 0 bytes 0 drop # handle 24
	}

	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy accept;
		 counter packets 5753 bytes 5674359 jump KUBE-ROUTER-FORWARD # handle 25
		oifname "br1"  counter packets 5205 bytes 5121507 accept # handle 26
		oifname "kube-bridge"  counter packets 0 bytes 0 accept # handle 27
		iifname "kube-bridge"  counter packets 0 bytes 0 accept # handle 28
	}

	chain OUTPUT { # handle 3
		type filter hook output priority filter; policy accept;
		 counter packets 12674 bytes 8675689 jump KUBE-ROUTER-OUTPUT # handle 29
		counter packets 10635 bytes 8285160 jump KUBE-FIREWALL # handle 30
	}

	chain KUBE-FIREWALL { # handle 4
		ip saddr != 127.0.0.0/8 ip daddr 127.0.0.0/8  ct status dnat counter packets 0 bytes 0 drop # handle 31
		 meta mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 drop # handle 32
	}

	chain KUBE-KUBELET-CANARY { # handle 5
	}

	chain KUBE-NWPLCY-DEFAULT { # handle 6
		 counter packets 285 bytes 23441 meta mark set mark or 0x10000 # handle 33
	}

	chain KUBE-ROUTER-FORWARD { # handle 7
		ip daddr 172.16.2.217  counter packets 0 bytes 0 jump KUBE-POD-FW-3JJMXBS5ABENWBI3 # handle 47
		ip daddr 172.16.2.217 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-3JJMXBS5ABENWBI3 # handle 49
		ip saddr 172.16.2.217  counter packets 0 bytes 0 jump KUBE-POD-FW-3JJMXBS5ABENWBI3 # handle 51
		ip saddr 172.16.2.217 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-3JJMXBS5ABENWBI3 # handle 53
		ip daddr 172.16.2.222  counter packets 495 bytes 541607 jump KUBE-POD-FW-N6GVGYQKIGG25XVD # handle 63
		ip daddr 172.16.2.222 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-N6GVGYQKIGG25XVD # handle 65
		ip saddr 172.16.2.222  counter packets 53 bytes 11245 jump KUBE-POD-FW-N6GVGYQKIGG25XVD # handle 68
		ip saddr 172.16.2.222 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-N6GVGYQKIGG25XVD # handle 69
		ip daddr 172.16.2.216  counter packets 0 bytes 0 jump KUBE-POD-FW-BF7O37MQEAHT64TM # handle 79
		ip daddr 172.16.2.216 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-BF7O37MQEAHT64TM # handle 81
		ip saddr 172.16.2.216  counter packets 0 bytes 0 jump KUBE-POD-FW-BF7O37MQEAHT64TM # handle 83
		ip saddr 172.16.2.216 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-BF7O37MQEAHT64TM # handle 85
		ip daddr 172.16.2.219  counter packets 0 bytes 0 jump KUBE-POD-FW-IAHL2776DLSUGY7M # handle 95
		ip daddr 172.16.2.219 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-IAHL2776DLSUGY7M # handle 97
		ip saddr 172.16.2.219  counter packets 0 bytes 0 jump KUBE-POD-FW-IAHL2776DLSUGY7M # handle 100
		ip saddr 172.16.2.219 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-IAHL2776DLSUGY7M # handle 101
		ip daddr 172.16.2.220  counter packets 0 bytes 0 jump KUBE-POD-FW-U536KCJS6QJ4NH6G # handle 111
		ip daddr 172.16.2.220 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-U536KCJS6QJ4NH6G # handle 113
		ip saddr 172.16.2.220  counter packets 0 bytes 0 jump KUBE-POD-FW-U536KCJS6QJ4NH6G # handle 115
		ip saddr 172.16.2.220 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-U536KCJS6QJ4NH6G # handle 117
		ip daddr 172.16.2.221  counter packets 0 bytes 0 jump KUBE-POD-FW-QWEVTP5O4OQINWVD # handle 127
		ip daddr 172.16.2.221 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-QWEVTP5O4OQINWVD # handle 129
		ip saddr 172.16.2.221  counter packets 0 bytes 0 jump KUBE-POD-FW-QWEVTP5O4OQINWVD # handle 131
		ip saddr 172.16.2.221 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-QWEVTP5O4OQINWVD # handle 133
		ip daddr 172.16.2.223  counter packets 0 bytes 0 jump KUBE-POD-FW-KPTVHAVYJZPUNRXK # handle 143
		ip daddr 172.16.2.223 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-KPTVHAVYJZPUNRXK # handle 145
		ip saddr 172.16.2.223  counter packets 0 bytes 0 jump KUBE-POD-FW-KPTVHAVYJZPUNRXK # handle 147
		ip saddr 172.16.2.223 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-KPTVHAVYJZPUNRXK # handle 149
		ip daddr 172.16.2.218  counter packets 0 bytes 0 jump KUBE-POD-FW-UE277LRYNOOFBLWV # handle 159
		ip daddr 172.16.2.218 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-UE277LRYNOOFBLWV # handle 161
		ip saddr 172.16.2.218  counter packets 0 bytes 0 jump KUBE-POD-FW-UE277LRYNOOFBLWV # handle 163
		ip saddr 172.16.2.218 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-UE277LRYNOOFBLWV # handle 165
		 meta mark & 0x00020000 == 0x00020000 counter packets 0 bytes 0 accept # handle 170
	}

	chain KUBE-ROUTER-INPUT { # handle 8
		ip daddr 10.96.0.0/12  counter packets 0 bytes 0 return # handle 34
		meta l4proto tcp  fib daddr type local tcp dport 30000-32767 counter packets 362 bytes 25279 return # handle 35
		meta l4proto udp  fib daddr type local udp dport 30000-32767 counter packets 308 bytes 15092 return # handle 36
		ip saddr 172.16.2.217  counter packets 479 bytes 84551 jump KUBE-POD-FW-3JJMXBS5ABENWBI3 # handle 50
		ip saddr 172.16.2.222  counter packets 691 bytes 119883 jump KUBE-POD-FW-N6GVGYQKIGG25XVD # handle 67
		ip saddr 172.16.2.216  counter packets 0 bytes 0 jump KUBE-POD-FW-BF7O37MQEAHT64TM # handle 82
		ip saddr 172.16.2.219  counter packets 343 bytes 27852 jump KUBE-POD-FW-IAHL2776DLSUGY7M # handle 99
		ip saddr 172.16.2.220  counter packets 153 bytes 28169 jump KUBE-POD-FW-U536KCJS6QJ4NH6G # handle 114
		ip saddr 172.16.2.221  counter packets 30 bytes 2176 jump KUBE-POD-FW-QWEVTP5O4OQINWVD # handle 130
		ip saddr 172.16.2.223  counter packets 0 bytes 0 jump KUBE-POD-FW-KPTVHAVYJZPUNRXK # handle 146
		ip saddr 172.16.2.218  counter packets 138 bytes 204884 jump KUBE-POD-FW-UE277LRYNOOFBLWV # handle 162
		 meta mark & 0x00020000 == 0x00020000 counter packets 92 bytes 7655 accept # handle 172
	}

	chain KUBE-ROUTER-OUTPUT { # handle 9
		ip daddr 172.16.2.217  counter packets 548 bytes 192903 jump KUBE-POD-FW-3JJMXBS5ABENWBI3 # handle 48
		ip saddr 172.16.2.217  counter packets 0 bytes 0 jump KUBE-POD-FW-3JJMXBS5ABENWBI3 # handle 52
		ip daddr 172.16.2.222  counter packets 181 bytes 19750 jump KUBE-POD-FW-N6GVGYQKIGG25XVD # handle 64
		ip saddr 172.16.2.222  counter packets 590 bytes 76029 jump KUBE-POD-FW-N6GVGYQKIGG25XVD # handle 66
		ip daddr 172.16.2.216  counter packets 31 bytes 1860 jump KUBE-POD-FW-BF7O37MQEAHT64TM # handle 80
		ip saddr 172.16.2.216  counter packets 0 bytes 0 jump KUBE-POD-FW-BF7O37MQEAHT64TM # handle 84
		ip daddr 172.16.2.219  counter packets 426 bytes 32898 jump KUBE-POD-FW-IAHL2776DLSUGY7M # handle 96
		ip saddr 172.16.2.219  counter packets 0 bytes 0 jump KUBE-POD-FW-IAHL2776DLSUGY7M # handle 98
		ip daddr 172.16.2.220  counter packets 177 bytes 50395 jump KUBE-POD-FW-U536KCJS6QJ4NH6G # handle 112
		ip saddr 172.16.2.220  counter packets 0 bytes 0 jump KUBE-POD-FW-U536KCJS6QJ4NH6G # handle 116
		ip daddr 172.16.2.221  counter packets 33 bytes 13957 jump KUBE-POD-FW-QWEVTP5O4OQINWVD # handle 128
		ip saddr 172.16.2.221  counter packets 0 bytes 0 jump KUBE-POD-FW-QWEVTP5O4OQINWVD # handle 132
		ip daddr 172.16.2.223  counter packets 0 bytes 0 jump KUBE-POD-FW-KPTVHAVYJZPUNRXK # handle 144
		ip saddr 172.16.2.223  counter packets 0 bytes 0 jump KUBE-POD-FW-KPTVHAVYJZPUNRXK # handle 148
		ip daddr 172.16.2.218  counter packets 145 bytes 10392 jump KUBE-POD-FW-UE277LRYNOOFBLWV # handle 160
		ip saddr 172.16.2.218  counter packets 0 bytes 0 jump KUBE-POD-FW-UE277LRYNOOFBLWV # handle 164
		 meta mark & 0x00020000 == 0x00020000 counter packets 101 bytes 8131 accept # handle 171
	}

	chain KUBE-ROUTER-SERVICES { # handle 10
		 xt match set counter packets 62 bytes 11054 accept # handle 37
		meta l4proto icmp  icmp type echo-request counter packets 0 bytes 0 accept # handle 38
		meta l4proto icmp  icmp type destination-unreachable counter packets 286 bytes 27104 accept # handle 39
		meta l4proto icmp  icmp type time-exceeded counter packets 0 bytes 0 accept # handle 40
		 xt match set counter packets 286 bytes 19096 reject # handle 41
	}

	chain KUBE-POD-FW-3JJMXBS5ABENWBI3 { # handle 11
		 ct state related,established counter packets 1027 bytes 277454 accept # handle 46
		 ct state invalid counter packets 0 bytes 0 drop # handle 45
		ip daddr 172.16.2.217  fib saddr type local counter packets 0 bytes 0 accept # handle 44
		ip saddr 172.16.2.217  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 43
		ip daddr 172.16.2.217  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 42
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 54
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 55
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 56
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 57
	}

	chain KUBE-POD-FW-N6GVGYQKIGG25XVD { # handle 12
		 ct state related,established counter packets 1795 bytes 751408 accept # handle 62
		 ct state invalid counter packets 0 bytes 0 drop # handle 61
		ip daddr 172.16.2.222  fib saddr type local counter packets 22 bytes 1320 accept # handle 60
		ip saddr 172.16.2.222  counter packets 184 bytes 15310 jump KUBE-NWPLCY-DEFAULT # handle 59
		ip daddr 172.16.2.222  counter packets 9 bytes 476 jump KUBE-NWPLCY-DEFAULT # handle 58
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 70
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 71
		counter packets 193 bytes 15786 meta mark set mark and 0xfffeffff # handle 72
		 counter packets 193 bytes 15786 meta mark set mark or 0x20000 # handle 73
	}

	chain KUBE-POD-FW-BF7O37MQEAHT64TM { # handle 13
		 ct state related,established counter packets 0 bytes 0 accept # handle 78
		 ct state invalid counter packets 0 bytes 0 drop # handle 77
		ip daddr 172.16.2.216  fib saddr type local counter packets 0 bytes 0 accept # handle 76
		ip saddr 172.16.2.216  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 75
		ip daddr 172.16.2.216  counter packets 31 bytes 1860 jump KUBE-NWPLCY-DEFAULT # handle 74
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 86
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 87
		counter packets 31 bytes 1860 meta mark set mark and 0xfffeffff # handle 88
		 counter packets 31 bytes 1860 meta mark set mark or 0x20000 # handle 89
	}

	chain KUBE-POD-FW-IAHL2776DLSUGY7M { # handle 14
		 ct state related,established counter packets 640 bytes 50875 accept # handle 94
		 ct state invalid counter packets 0 bytes 0 drop # handle 93
		ip daddr 172.16.2.219  fib saddr type local counter packets 68 bytes 4080 accept # handle 92
		ip saddr 172.16.2.219  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 91
		ip daddr 172.16.2.219  counter packets 61 bytes 5795 jump KUBE-NWPLCY-DEFAULT # handle 90
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 102
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 103
		counter packets 61 bytes 5795 meta mark set mark and 0xfffeffff # handle 104
		 counter packets 61 bytes 5795 meta mark set mark or 0x20000 # handle 105
	}

	chain KUBE-POD-FW-U536KCJS6QJ4NH6G { # handle 15
		 ct state related,established counter packets 330 bytes 78564 accept # handle 110
		 ct state invalid counter packets 0 bytes 0 drop # handle 109
		ip daddr 172.16.2.220  fib saddr type local counter packets 0 bytes 0 accept # handle 108
		ip saddr 172.16.2.220  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 107
		ip daddr 172.16.2.220  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 106
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 118
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 119
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 120
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 121
	}

	chain KUBE-POD-FW-QWEVTP5O4OQINWVD { # handle 16
		 ct state related,established counter packets 63 bytes 16133 accept # handle 126
		 ct state invalid counter packets 0 bytes 0 drop # handle 125
		ip daddr 172.16.2.221  fib saddr type local counter packets 0 bytes 0 accept # handle 124
		ip saddr 172.16.2.221  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 123
		ip daddr 172.16.2.221  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 122
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 134
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 135
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 136
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 137
	}

	chain KUBE-POD-FW-KPTVHAVYJZPUNRXK { # handle 17
		 ct state related,established counter packets 0 bytes 0 accept # handle 142
		 ct state invalid counter packets 0 bytes 0 drop # handle 141
		ip daddr 172.16.2.223  fib saddr type local counter packets 0 bytes 0 accept # handle 140
		ip saddr 172.16.2.223  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 139
		ip daddr 172.16.2.223  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 138
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 150
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 151
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 152
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 153
	}

	chain KUBE-POD-FW-UE277LRYNOOFBLWV { # handle 18
		 ct state related,established counter packets 260 bytes 213896 accept # handle 158
		 ct state invalid counter packets 0 bytes 0 drop # handle 157
		ip daddr 172.16.2.218  fib saddr type local counter packets 23 bytes 1380 accept # handle 156
		ip saddr 172.16.2.218  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 155
		ip daddr 172.16.2.218  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 154
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 166
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 167
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 168
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 169
	}
}
