
----------------------
1) NFTables rulesets
----------------------

# IPv4 mangle table. It has no base chain (no "type ... hook ..." line), so
# nothing in it is evaluated by the kernel; both chains are empty.
table ip mangle { # handle 1
	# Empty. Presumably a marker chain created by a Kubernetes component - confirm.
	chain KUBE-IPTABLES-HINT { # handle 1
	}

	# Empty. Presumably a marker chain created by the kubelet - confirm.
	chain KUBE-KUBELET-CANARY { # handle 2
	}
}
# IPv4 NAT table. POSTROUTING is the only base chain (hooked at postrouting,
# priority srcnat); the other chains run only when something jumps to them.
# Counters are a snapshot taken when the listing was produced.
table ip nat { # handle 3
	# ORs bit 0x8000 into the packet mark. KUBE-FIREWALL in table ip filter
	# drops packets carrying that bit. Nothing in this listing jumps here.
	chain KUBE-MARK-DROP { # handle 1
		counter packets 0 bytes 0 meta mark set mark or 0x8000 # handle 2
	}

	# ORs bit 0x4000 into the packet mark; KUBE-POSTROUTING masquerades packets
	# carrying that bit. Nothing in this listing jumps here.
	chain KUBE-MARK-MASQ { # handle 3
		counter packets 0 bytes 0 meta mark set mark or 0x4000 # handle 5
	}

	# Masquerades only packets that carry mark bit 0x4000.
	chain KUBE-POSTROUTING { # handle 4
		# Bit 0x4000 not set: return to the caller without NAT.
		meta mark & 0x00004000 != 0x00004000 counter packets 31516 bytes 2023494 return # handle 8
		# Bit is known to be set here, so the xor clears it before masquerading.
		counter packets 0 bytes 0 meta mark set mark xor 0x4000 # handle 9
		 counter packets 0 bytes 0 masquerade fully-random # handle 10
	}

	chain POSTROUTING { # handle 6
		type nat hook postrouting priority srcnat; policy accept;
		 counter packets 31517 bytes 2023554 jump KUBE-POSTROUTING # handle 7
		# NOTE(review): "xt match set" is an xtables ipset match that nft could not
		# translate; the set names and match flags are not rendered, so this listing
		# does not show which traffic is masqueraded. Compare with `iptables-save -t nat`
		# and `ipset list` before drawing conclusions about this rule.
		xt match set xt match set xt match set counter packets 253 bytes 21439 masquerade fully-random # handle 12
		# Source-NATs to 192.168.178.45 when neither source nor destination is in
		# 172.16.0.0/16 and the (untranslated, options not rendered) ipvs match applies.
		ip saddr != 172.16.0.0/16 ip daddr != 172.16.0.0/16 xt match ipvs  counter packets 634 bytes 38040 snat to 192.168.178.45 fully-random # handle 13
	}

	# Empty. Presumably a marker chain created by the kubelet - confirm.
	chain KUBE-KUBELET-CANARY { # handle 11
	}
}
# IPv6 mangle table. It has no base chain, so nothing in it is evaluated;
# both chains are empty.
table ip6 mangle { # handle 4
	# Empty. Presumably a marker chain created by a Kubernetes component - confirm.
	chain KUBE-IPTABLES-HINT { # handle 1
	}

	# Empty. Presumably a marker chain created by the kubelet - confirm.
	chain KUBE-KUBELET-CANARY { # handle 2
	}
}
# IPv6 NAT table. POSTROUTING is the only base chain; every counter is zero in
# this snapshot. Unlike table ip nat, POSTROUTING here has no masquerade/snat
# rules of its own, only the jump to KUBE-POSTROUTING.
table ip6 nat { # handle 5
	# ORs bit 0x8000 into the packet mark. Nothing in this listing jumps here.
	chain KUBE-MARK-DROP { # handle 1
		counter packets 0 bytes 0 meta mark set mark or 0x8000 # handle 2
	}

	# ORs bit 0x4000 into the packet mark. Nothing in this listing jumps here.
	chain KUBE-MARK-MASQ { # handle 3
		counter packets 0 bytes 0 meta mark set mark or 0x4000 # handle 5
	}

	chain KUBE-POSTROUTING { # handle 4
		# Bit 0x4000 not set: return to the caller without NAT.
		meta mark & 0x00004000 != 0x00004000 counter packets 0 bytes 0 return # handle 8
		# Bit is known to be set here, so the xor clears it.
		counter packets 0 bytes 0 meta mark set mark xor 0x4000 # handle 9
		# NOTE(review): no statement is rendered after the counter. The IPv4 chain has
		# "masquerade fully-random" at this position; presumably the same target failed
		# to render here - confirm with `ip6tables-save -t nat`.
		 counter packets 0 bytes 0  # handle 10
	}

	chain POSTROUTING { # handle 6
		type nat hook postrouting priority srcnat; policy accept;
		 counter packets 0 bytes 0 jump KUBE-POSTROUTING # handle 7
	}

	# Empty. Presumably a marker chain created by the kubelet - confirm.
	chain KUBE-KUBELET-CANARY { # handle 11
	}
}
# IPv6 filter table. It contains no base chain, so KUBE-FIREWALL is not reachable
# from any hook in this listing and no IPv6 packet is filtered by this table.
# NOTE(review): table ip filter restricts TCP 6443 to two IPv4 sources; there is
# no IPv6 counterpart here. If the host has routable IPv6 addresses, verify that
# the service on 6443 is not reachable over IPv6.
table ip6 filter { # handle 6
	chain KUBE-FIREWALL { # handle 1
		# Drops packets carrying mark bit 0x8000 (the bit KUBE-MARK-DROP sets).
		 meta mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 drop # handle 2
	}

	# Empty. Presumably a marker chain created by the kubelet - confirm.
	chain KUBE-KUBELET-CANARY { # handle 3
	}
}
# IPv4 filter table. INPUT, FORWARD and OUTPUT are base chains, all with
# policy accept: a packet is allowed unless a rule drops or rejects it.
# Mark bits used in this table, as the rules below show:
#   0x8000  - dropped by KUBE-FIREWALL
#   0x10000 - set by KUBE-NWPLCY-DEFAULT, tested in the KUBE-POD-FW-* chains
#   0x20000 - set at the end of each KUBE-POD-FW-* chain, accepted by KUBE-ROUTER-*
# "xt match set" / "xt match physdev" are xtables matches that nft could not
# translate; their arguments are not rendered, so those rules are only partly
# visible here. Use `iptables-save` and `ipset list` for the full rules.
table ip filter { # handle 2387
	chain INPUT { # handle 1
		type filter hook input priority filter; policy accept;
		# An accept verdict inside a jumped chain ends evaluation for this hook, so a
		# packet accepted in KUBE-ROUTER-INPUT or KUBE-ROUTER-SERVICES never reaches
		# the TCP 6443 rules further down.
		 counter packets 55534 bytes 898850004 jump KUBE-ROUTER-INPUT # handle 16
		 xt match set counter packets 54074 bytes 897607867 jump KUBE-ROUTER-SERVICES # handle 17
		counter packets 55535 bytes 898873224 jump KUBE-FIREWALL # handle 18
		# TCP 6443 (presumably the Kubernetes API server - confirm) is accepted only
		# from 192.168.178.45 and 127.0.0.1; any other source reaching this point is dropped.
		ip saddr 192.168.178.45 tcp dport 6443  counter packets 2 bytes 132 accept # handle 19
		ip saddr 127.0.0.1 tcp dport 6443  counter packets 681 bytes 101897 accept # handle 20
		tcp dport 6443  counter packets 0 bytes 0 drop # handle 21
	}

	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy accept;
		 counter packets 0 bytes 0 jump KUBE-ROUTER-FORWARD # handle 22
		# With policy accept these three accepts do not narrow what is forwarded;
		# only a reject/drop in KUBE-ROUTER-FORWARD and the chains it calls can block traffic.
		oifname "eno1"  counter packets 0 bytes 0 accept # handle 23
		oifname "kube-bridge"  counter packets 0 bytes 0 accept # handle 24
		iifname "kube-bridge"  counter packets 0 bytes 0 accept # handle 25
	}

	chain OUTPUT { # handle 3
		type filter hook output priority filter; policy accept;
		 counter packets 43503 bytes 6274479 jump KUBE-ROUTER-OUTPUT # handle 26
		counter packets 43503 bytes 6274479 jump KUBE-FIREWALL # handle 27
	}

	chain KUBE-FIREWALL { # handle 4
		# Drops DNATed connections (ct status dnat) to 127.0.0.0/8 whose source is
		# not itself a loopback address.
		ip saddr != 127.0.0.0/8 ip daddr 127.0.0.0/8  ct status dnat counter packets 0 bytes 0 drop # handle 28
		# Drops packets carrying mark bit 0x8000.
		 meta mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 drop # handle 29
	}

	# Empty. Presumably a marker chain created by the kubelet - confirm.
	chain KUBE-KUBELET-CANARY { # handle 5
	}

	# Sets mark bit 0x10000 on every packet, with no further match. The
	# KUBE-POD-FW-* chains reject packets that lack this bit.
	chain KUBE-NWPLCY-DEFAULT { # handle 6
		 counter packets 0 bytes 0 meta mark set mark or 0x10000 # handle 30
	}

	# Forwarded traffic: four jumps per pod IP into that pod's KUBE-POD-FW-* chain
	# (destination and source, each with and without the untranslated physdev match).
	chain KUBE-ROUTER-FORWARD { # handle 7
		ip daddr 172.16.5.109  counter packets 0 bytes 0 jump KUBE-POD-FW-SHNJSG5RGDULWYY5 # handle 44
		ip daddr 172.16.5.109 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-SHNJSG5RGDULWYY5 # handle 46
		ip saddr 172.16.5.109  counter packets 0 bytes 0 jump KUBE-POD-FW-SHNJSG5RGDULWYY5 # handle 47
		ip saddr 172.16.5.109 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-SHNJSG5RGDULWYY5 # handle 50
		ip daddr 172.16.5.110  counter packets 0 bytes 0 jump KUBE-POD-FW-WM2EQFIUSHHT26VM # handle 60
		ip daddr 172.16.5.110 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-WM2EQFIUSHHT26VM # handle 62
		ip saddr 172.16.5.110  counter packets 0 bytes 0 jump KUBE-POD-FW-WM2EQFIUSHHT26VM # handle 64
		ip saddr 172.16.5.110 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-WM2EQFIUSHHT26VM # handle 66
		ip daddr 172.16.5.106  counter packets 0 bytes 0 jump KUBE-POD-FW-ETFAT7SFSI4MIBFY # handle 76
		ip daddr 172.16.5.106 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-ETFAT7SFSI4MIBFY # handle 78
		ip saddr 172.16.5.106  counter packets 0 bytes 0 jump KUBE-POD-FW-ETFAT7SFSI4MIBFY # handle 80
		ip saddr 172.16.5.106 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-ETFAT7SFSI4MIBFY # handle 82
		ip daddr 172.16.5.108  counter packets 0 bytes 0 jump KUBE-POD-FW-X5JJKLYO7XZRPERY # handle 92
		ip daddr 172.16.5.108 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-X5JJKLYO7XZRPERY # handle 94
		ip saddr 172.16.5.108  counter packets 0 bytes 0 jump KUBE-POD-FW-X5JJKLYO7XZRPERY # handle 95
		ip saddr 172.16.5.108 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-X5JJKLYO7XZRPERY # handle 98
		ip daddr 172.16.5.107  counter packets 0 bytes 0 jump KUBE-POD-FW-GRYCBCQEA24QSY6Y # handle 108
		ip daddr 172.16.5.107 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-GRYCBCQEA24QSY6Y # handle 110
		ip saddr 172.16.5.107  counter packets 0 bytes 0 jump KUBE-POD-FW-GRYCBCQEA24QSY6Y # handle 112
		ip saddr 172.16.5.107 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-GRYCBCQEA24QSY6Y # handle 114
		# Accepts packets that a KUBE-POD-FW-* chain finished with mark bit 0x20000.
		 meta mark & 0x00020000 == 0x00020000 counter packets 0 bytes 0 accept # handle 120
	}

	chain KUBE-ROUTER-INPUT { # handle 8
		# These three returns skip the per-pod chains for traffic to 10.96.0.0/12 and
		# for TCP/UDP to a local address on ports 30000-32767.
		ip daddr 10.96.0.0/12  counter packets 0 bytes 0 return # handle 31
		meta l4proto tcp  fib daddr type local tcp dport 30000-32767 counter packets 0 bytes 0 return # handle 32
		meta l4proto udp  fib daddr type local udp dport 30000-32767 counter packets 0 bytes 0 return # handle 33
		# Only the source address is matched here: traffic from a pod to the host.
		ip saddr 172.16.5.109  counter packets 0 bytes 0 jump KUBE-POD-FW-SHNJSG5RGDULWYY5 # handle 49
		ip saddr 172.16.5.110  counter packets 0 bytes 0 jump KUBE-POD-FW-WM2EQFIUSHHT26VM # handle 63
		ip saddr 172.16.5.106  counter packets 0 bytes 0 jump KUBE-POD-FW-ETFAT7SFSI4MIBFY # handle 79
		ip saddr 172.16.5.108  counter packets 0 bytes 0 jump KUBE-POD-FW-X5JJKLYO7XZRPERY # handle 97
		ip saddr 172.16.5.107  counter packets 0 bytes 0 jump KUBE-POD-FW-GRYCBCQEA24QSY6Y # handle 111
		# This accept ends INPUT evaluation, so a pod-sourced packet that passed its
		# KUBE-POD-FW-* chain is not subject to the TCP 6443 source restriction in INPUT.
		 meta mark & 0x00020000 == 0x00020000 counter packets 0 bytes 0 accept # handle 119
	}

	# Locally generated traffic: one jump per pod IP as destination and as source.
	chain KUBE-ROUTER-OUTPUT { # handle 9
		ip daddr 172.16.5.109  counter packets 0 bytes 0 jump KUBE-POD-FW-SHNJSG5RGDULWYY5 # handle 45
		ip saddr 172.16.5.109  counter packets 0 bytes 0 jump KUBE-POD-FW-SHNJSG5RGDULWYY5 # handle 48
		ip daddr 172.16.5.110  counter packets 0 bytes 0 jump KUBE-POD-FW-WM2EQFIUSHHT26VM # handle 61
		ip saddr 172.16.5.110  counter packets 0 bytes 0 jump KUBE-POD-FW-WM2EQFIUSHHT26VM # handle 65
		ip daddr 172.16.5.106  counter packets 0 bytes 0 jump KUBE-POD-FW-ETFAT7SFSI4MIBFY # handle 77
		ip saddr 172.16.5.106  counter packets 0 bytes 0 jump KUBE-POD-FW-ETFAT7SFSI4MIBFY # handle 81
		ip daddr 172.16.5.108  counter packets 0 bytes 0 jump KUBE-POD-FW-X5JJKLYO7XZRPERY # handle 93
		ip saddr 172.16.5.108  counter packets 0 bytes 0 jump KUBE-POD-FW-X5JJKLYO7XZRPERY # handle 96
		ip daddr 172.16.5.107  counter packets 0 bytes 0 jump KUBE-POD-FW-GRYCBCQEA24QSY6Y # handle 109
		ip saddr 172.16.5.107  counter packets 0 bytes 0 jump KUBE-POD-FW-GRYCBCQEA24QSY6Y # handle 113
		 meta mark & 0x00020000 == 0x00020000 counter packets 0 bytes 0 accept # handle 121
	}

	# Entered from INPUT only when an (unrendered) ipset match applies.
	chain KUBE-ROUTER-SERVICES { # handle 10
		# NOTE(review): the set this accept depends on is not shown in the listing.
		 xt match set counter packets 0 bytes 0 accept # handle 34
		# ICMP echo-request, destination-unreachable and time-exceeded are accepted.
		meta l4proto icmp  icmp type echo-request counter packets 0 bytes 0 accept # handle 35
		meta l4proto icmp  icmp type destination-unreachable counter packets 0 bytes 0 accept # handle 36
		meta l4proto icmp  icmp type time-exceeded counter packets 0 bytes 0 accept # handle 37
		# NOTE(review): the set this reject depends on is not shown in the listing.
		 xt match set counter packets 0 bytes 0 reject # handle 38
	}

	# Per-pod chain for 172.16.5.109. The four KUBE-POD-FW-* chains that follow
	# repeat the same rule sequence for their own pod IP.
	chain KUBE-POD-FW-SHNJSG5RGDULWYY5 { # handle 11
		# Conntrack fast path: replies are accepted, invalid packets dropped.
		 ct state related,established counter packets 0 bytes 0 accept # handle 43
		 ct state invalid counter packets 0 bytes 0 drop # handle 42
		# Traffic to the pod from a source address local to this host is accepted.
		ip daddr 172.16.5.109  fib saddr type local counter packets 0 bytes 0 accept # handle 41
		# Both directions jump unconditionally to KUBE-NWPLCY-DEFAULT, which sets bit
		# 0x10000. As listed, the log/reject pair below therefore cannot match traffic
		# to or from this pod IP, i.e. the pod is effectively default-allow - presumably
		# because no NetworkPolicy selects it; confirm.
		ip saddr 172.16.5.109  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 40
		ip daddr 172.16.5.109  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 39
		# Packets without bit 0x10000 are logged to log group 100, then rejected.
		# The log rule is limited to 10/minute (burst 10), so under load the log
		# under-counts rejected packets; the reject rule's counter is the full count.
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 51
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 52
		# Clear bit 0x10000, then set bit 0x20000, which the KUBE-ROUTER-* chains accept.
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 53
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 54
	}

	# Per-pod chain for 172.16.5.110; same sequence as KUBE-POD-FW-SHNJSG5RGDULWYY5.
	chain KUBE-POD-FW-WM2EQFIUSHHT26VM { # handle 12
		 ct state related,established counter packets 0 bytes 0 accept # handle 59
		 ct state invalid counter packets 0 bytes 0 drop # handle 58
		ip daddr 172.16.5.110  fib saddr type local counter packets 0 bytes 0 accept # handle 57
		ip saddr 172.16.5.110  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 56
		ip daddr 172.16.5.110  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 55
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 67
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 68
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 69
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 70
	}

	# Per-pod chain for 172.16.5.106; same sequence as KUBE-POD-FW-SHNJSG5RGDULWYY5.
	chain KUBE-POD-FW-ETFAT7SFSI4MIBFY { # handle 13
		 ct state related,established counter packets 0 bytes 0 accept # handle 75
		 ct state invalid counter packets 0 bytes 0 drop # handle 74
		ip daddr 172.16.5.106  fib saddr type local counter packets 0 bytes 0 accept # handle 73
		ip saddr 172.16.5.106  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 72
		ip daddr 172.16.5.106  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 71
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 83
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 84
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 85
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 86
	}

	# Per-pod chain for 172.16.5.108; same sequence as KUBE-POD-FW-SHNJSG5RGDULWYY5.
	chain KUBE-POD-FW-X5JJKLYO7XZRPERY { # handle 14
		 ct state related,established counter packets 0 bytes 0 accept # handle 91
		 ct state invalid counter packets 0 bytes 0 drop # handle 90
		ip daddr 172.16.5.108  fib saddr type local counter packets 0 bytes 0 accept # handle 89
		ip saddr 172.16.5.108  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 88
		ip daddr 172.16.5.108  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 87
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 99
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 100
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 101
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 102
	}

	# Per-pod chain for 172.16.5.107; same sequence as KUBE-POD-FW-SHNJSG5RGDULWYY5.
	chain KUBE-POD-FW-GRYCBCQEA24QSY6Y { # handle 15
		 ct state related,established counter packets 0 bytes 0 accept # handle 107
		 ct state invalid counter packets 0 bytes 0 drop # handle 106
		ip daddr 172.16.5.107  fib saddr type local counter packets 0 bytes 0 accept # handle 105
		ip saddr 172.16.5.107  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 104
		ip daddr 172.16.5.107  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 103
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 115
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 116
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 117
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 118
	}
}
