Jun  7 22:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:39:29 truenas env[20630]: COMMIT
Jun  7 22:40:04 truenas systemd[1]: Starting system activity accounting tool...
Jun  7 22:40:04 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  7 22:40:04 truenas systemd[1]: Finished system activity accounting tool.
Jun  7 22:44:29 truenas env[20630]: E0607 22:44:29.748926   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 22:44:29 truenas env[20630]: Error occurred at line: 103
Jun  7 22:44:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 22:44:29 truenas env[20630]: )
Jun  7 22:44:29 truenas env[20630]: *filter
Jun  7 22:44:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 22:44:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 22:44:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 22:44:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 22:44:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 22:44:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 22:44:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 22:44:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 22:44:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 22:44:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 22:44:29 truenas env[20630]: :KUBE-POD-FW-7MEVPILSH4HCI3AF - [0:0]
Jun  7 22:44:29 truenas env[20630]: :KUBE-POD-FW-AUEYNDOK2A4WJ6VP - [0:0]
Jun  7 22:44:29 truenas env[20630]: :KUBE-POD-FW-M2COX2DEISJFUUSY - [0:0]
Jun  7 22:44:29 truenas env[20630]: :KUBE-POD-FW-KZR4VLSHYWR2RL2X - [0:0]
Jun  7 22:44:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 22:44:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 22:44:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 22:44:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 22:44:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 22:44:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 22:44:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 22:44:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 22:44:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 22:44:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-7MEVPILSH4HCI3AF 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-7MEVPILSH4HCI3AF 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-7MEVPILSH4HCI3AF 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-7MEVPILSH4HCI3AF 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-7MEVPILSH4HCI3AF 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7MEVPILSH4HCI3AF" -d 172.16.0.42 -j KUBE-POD-FW-7MEVPILSH4HCI3AF
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7MEVPILSH4HCI3AF" -d 172.16.0.42 -j KUBE-POD-FW-7MEVPILSH4HCI3AF
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7MEVPILSH4HCI3AF" -d 172.16.0.42 -j KUBE-POD-FW-7MEVPILSH4HCI3AF
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7MEVPILSH4HCI3AF" -s 172.16.0.42 -j KUBE-POD-FW-7MEVPILSH4HCI3AF
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7MEVPILSH4HCI3AF" -s 172.16.0.42 -j KUBE-POD-FW-7MEVPILSH4HCI3AF
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7MEVPILSH4HCI3AF" -s 172.16.0.42 -j KUBE-POD-FW-7MEVPILSH4HCI3AF
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7MEVPILSH4HCI3AF" -s 172.16.0.42 -j KUBE-POD-FW-7MEVPILSH4HCI3AF
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-7MEVPILSH4HCI3AF -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-7MEVPILSH4HCI3AF -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-7MEVPILSH4HCI3AF -j MARK --set-mark 0/0x10000
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-7MEVPILSH4HCI3AF -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-AUEYNDOK2A4WJ6VP 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-AUEYNDOK2A4WJ6VP 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-AUEYNDOK2A4WJ6VP 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-AUEYNDOK2A4WJ6VP 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-AUEYNDOK2A4WJ6VP 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AUEYNDOK2A4WJ6VP" -d 172.16.0.45 -j KUBE-POD-FW-AUEYNDOK2A4WJ6VP
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AUEYNDOK2A4WJ6VP" -d 172.16.0.45 -j KUBE-POD-FW-AUEYNDOK2A4WJ6VP
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AUEYNDOK2A4WJ6VP" -d 172.16.0.45 -j KUBE-POD-FW-AUEYNDOK2A4WJ6VP
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AUEYNDOK2A4WJ6VP" -s 172.16.0.45 -j KUBE-POD-FW-AUEYNDOK2A4WJ6VP
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AUEYNDOK2A4WJ6VP" -s 172.16.0.45 -j KUBE-POD-FW-AUEYNDOK2A4WJ6VP
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AUEYNDOK2A4WJ6VP" -s 172.16.0.45 -j KUBE-POD-FW-AUEYNDOK2A4WJ6VP
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AUEYNDOK2A4WJ6VP" -s 172.16.0.45 -j KUBE-POD-FW-AUEYNDOK2A4WJ6VP
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-AUEYNDOK2A4WJ6VP -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-AUEYNDOK2A4WJ6VP -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-AUEYNDOK2A4WJ6VP -j MARK --set-mark 0/0x10000
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-AUEYNDOK2A4WJ6VP -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-M2COX2DEISJFUUSY 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-M2COX2DEISJFUUSY 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-M2COX2DEISJFUUSY 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-M2COX2DEISJFUUSY 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-M2COX2DEISJFUUSY 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M2COX2DEISJFUUSY" -d 172.16.0.43 -j KUBE-POD-FW-M2COX2DEISJFUUSY
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M2COX2DEISJFUUSY" -d 172.16.0.43 -j KUBE-POD-FW-M2COX2DEISJFUUSY
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M2COX2DEISJFUUSY" -d 172.16.0.43 -j KUBE-POD-FW-M2COX2DEISJFUUSY
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M2COX2DEISJFUUSY" -s 172.16.0.43 -j KUBE-POD-FW-M2COX2DEISJFUUSY
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M2COX2DEISJFUUSY" -s 172.16.0.43 -j KUBE-POD-FW-M2COX2DEISJFUUSY
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M2COX2DEISJFUUSY" -s 172.16.0.43 -j KUBE-POD-FW-M2COX2DEISJFUUSY
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M2COX2DEISJFUUSY" -s 172.16.0.43 -j KUBE-POD-FW-M2COX2DEISJFUUSY
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-M2COX2DEISJFUUSY -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-M2COX2DEISJFUUSY -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-M2COX2DEISJFUUSY -j MARK --set-mark 0/0x10000
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-M2COX2DEISJFUUSY -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-KZR4VLSHYWR2RL2X 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-KZR4VLSHYWR2RL2X 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-KZR4VLSHYWR2RL2X 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-KZR4VLSHYWR2RL2X 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:44:29 truenas env[20630]: -I KUBE-POD-FW-KZR4VLSHYWR2RL2X 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KZR4VLSHYWR2RL2X" -d 172.16.0.46 -j KUBE-POD-FW-KZR4VLSHYWR2RL2X
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KZR4VLSHYWR2RL2X" -d 172.16.0.46 -j KUBE-POD-FW-KZR4VLSHYWR2RL2X
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KZR4VLSHYWR2RL2X" -d 172.16.0.46 -j KUBE-POD-FW-KZR4VLSHYWR2RL2X
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KZR4VLSHYWR2RL2X" -s 172.16.0.46 -j KUBE-POD-FW-KZR4VLSHYWR2RL2X
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KZR4VLSHYWR2RL2X" -s 172.16.0.46 -j KUBE-POD-FW-KZR4VLSHYWR2RL2X
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KZR4VLSHYWR2RL2X" -s 172.16.0.46 -j KUBE-POD-FW-KZR4VLSHYWR2RL2X
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KZR4VLSHYWR2RL2X" -s 172.16.0.46 -j KUBE-POD-FW-KZR4VLSHYWR2RL2X
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-KZR4VLSHYWR2RL2X -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-KZR4VLSHYWR2RL2X -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-KZR4VLSHYWR2RL2X -j MARK --set-mark 0/0x10000
Jun  7 22:44:29 truenas env[20630]: -A KUBE-POD-FW-KZR4VLSHYWR2RL2X -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:44:29 truenas env[20630]: COMMIT
Jun  7 22:49:29 truenas env[20630]: E0607 22:49:29.777369   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 22:49:29 truenas env[20630]: Error occurred at line: 103
Jun  7 22:49:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 22:49:29 truenas env[20630]: )
Jun  7 22:49:29 truenas env[20630]: *filter
Jun  7 22:49:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 22:49:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 22:49:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 22:49:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 22:49:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 22:49:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 22:49:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 22:49:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 22:49:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 22:49:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 22:49:29 truenas env[20630]: :KUBE-POD-FW-J65IRZXKSVLRY354 - [0:0]
Jun  7 22:49:29 truenas env[20630]: :KUBE-POD-FW-NWRHKSUYACQ4RV6M - [0:0]
Jun  7 22:49:29 truenas env[20630]: :KUBE-POD-FW-Q7HOKDTPNW7GKUAL - [0:0]
Jun  7 22:49:29 truenas env[20630]: :KUBE-POD-FW-6PJEU7ZZGEN2VSMZ - [0:0]
Jun  7 22:49:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 22:49:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 22:49:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 22:49:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 22:49:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 22:49:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 22:49:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 22:49:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 22:49:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 22:49:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-J65IRZXKSVLRY354 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-J65IRZXKSVLRY354 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-J65IRZXKSVLRY354 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-J65IRZXKSVLRY354 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-J65IRZXKSVLRY354 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-J65IRZXKSVLRY354" -d 172.16.0.46 -j KUBE-POD-FW-J65IRZXKSVLRY354
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-J65IRZXKSVLRY354" -d 172.16.0.46 -j KUBE-POD-FW-J65IRZXKSVLRY354
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-J65IRZXKSVLRY354" -d 172.16.0.46 -j KUBE-POD-FW-J65IRZXKSVLRY354
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-J65IRZXKSVLRY354" -s 172.16.0.46 -j KUBE-POD-FW-J65IRZXKSVLRY354
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-J65IRZXKSVLRY354" -s 172.16.0.46 -j KUBE-POD-FW-J65IRZXKSVLRY354
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-J65IRZXKSVLRY354" -s 172.16.0.46 -j KUBE-POD-FW-J65IRZXKSVLRY354
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-J65IRZXKSVLRY354" -s 172.16.0.46 -j KUBE-POD-FW-J65IRZXKSVLRY354
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-J65IRZXKSVLRY354 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-J65IRZXKSVLRY354 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-J65IRZXKSVLRY354 -j MARK --set-mark 0/0x10000
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-J65IRZXKSVLRY354 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-NWRHKSUYACQ4RV6M 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-NWRHKSUYACQ4RV6M 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-NWRHKSUYACQ4RV6M 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-NWRHKSUYACQ4RV6M 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-NWRHKSUYACQ4RV6M 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NWRHKSUYACQ4RV6M" -d 172.16.0.42 -j KUBE-POD-FW-NWRHKSUYACQ4RV6M
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NWRHKSUYACQ4RV6M" -d 172.16.0.42 -j KUBE-POD-FW-NWRHKSUYACQ4RV6M
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NWRHKSUYACQ4RV6M" -d 172.16.0.42 -j KUBE-POD-FW-NWRHKSUYACQ4RV6M
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NWRHKSUYACQ4RV6M" -s 172.16.0.42 -j KUBE-POD-FW-NWRHKSUYACQ4RV6M
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NWRHKSUYACQ4RV6M" -s 172.16.0.42 -j KUBE-POD-FW-NWRHKSUYACQ4RV6M
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NWRHKSUYACQ4RV6M" -s 172.16.0.42 -j KUBE-POD-FW-NWRHKSUYACQ4RV6M
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NWRHKSUYACQ4RV6M" -s 172.16.0.42 -j KUBE-POD-FW-NWRHKSUYACQ4RV6M
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-NWRHKSUYACQ4RV6M -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-NWRHKSUYACQ4RV6M -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-NWRHKSUYACQ4RV6M -j MARK --set-mark 0/0x10000
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-NWRHKSUYACQ4RV6M -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-Q7HOKDTPNW7GKUAL 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-Q7HOKDTPNW7GKUAL 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-Q7HOKDTPNW7GKUAL 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-Q7HOKDTPNW7GKUAL 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-Q7HOKDTPNW7GKUAL 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Q7HOKDTPNW7GKUAL" -d 172.16.0.45 -j KUBE-POD-FW-Q7HOKDTPNW7GKUAL
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Q7HOKDTPNW7GKUAL" -d 172.16.0.45 -j KUBE-POD-FW-Q7HOKDTPNW7GKUAL
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Q7HOKDTPNW7GKUAL" -d 172.16.0.45 -j KUBE-POD-FW-Q7HOKDTPNW7GKUAL
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Q7HOKDTPNW7GKUAL" -s 172.16.0.45 -j KUBE-POD-FW-Q7HOKDTPNW7GKUAL
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Q7HOKDTPNW7GKUAL" -s 172.16.0.45 -j KUBE-POD-FW-Q7HOKDTPNW7GKUAL
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Q7HOKDTPNW7GKUAL" -s 172.16.0.45 -j KUBE-POD-FW-Q7HOKDTPNW7GKUAL
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Q7HOKDTPNW7GKUAL" -s 172.16.0.45 -j KUBE-POD-FW-Q7HOKDTPNW7GKUAL
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-Q7HOKDTPNW7GKUAL -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-Q7HOKDTPNW7GKUAL -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-Q7HOKDTPNW7GKUAL -j MARK --set-mark 0/0x10000
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-Q7HOKDTPNW7GKUAL -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-6PJEU7ZZGEN2VSMZ 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-6PJEU7ZZGEN2VSMZ 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-6PJEU7ZZGEN2VSMZ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-6PJEU7ZZGEN2VSMZ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:49:29 truenas env[20630]: -I KUBE-POD-FW-6PJEU7ZZGEN2VSMZ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6PJEU7ZZGEN2VSMZ" -d 172.16.0.43 -j KUBE-POD-FW-6PJEU7ZZGEN2VSMZ
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6PJEU7ZZGEN2VSMZ" -d 172.16.0.43 -j KUBE-POD-FW-6PJEU7ZZGEN2VSMZ
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6PJEU7ZZGEN2VSMZ" -d 172.16.0.43 -j KUBE-POD-FW-6PJEU7ZZGEN2VSMZ
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6PJEU7ZZGEN2VSMZ" -s 172.16.0.43 -j KUBE-POD-FW-6PJEU7ZZGEN2VSMZ
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6PJEU7ZZGEN2VSMZ" -s 172.16.0.43 -j KUBE-POD-FW-6PJEU7ZZGEN2VSMZ
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6PJEU7ZZGEN2VSMZ" -s 172.16.0.43 -j KUBE-POD-FW-6PJEU7ZZGEN2VSMZ
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6PJEU7ZZGEN2VSMZ" -s 172.16.0.43 -j KUBE-POD-FW-6PJEU7ZZGEN2VSMZ
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-6PJEU7ZZGEN2VSMZ -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-6PJEU7ZZGEN2VSMZ -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-6PJEU7ZZGEN2VSMZ -j MARK --set-mark 0/0x10000
Jun  7 22:49:29 truenas env[20630]: -A KUBE-POD-FW-6PJEU7ZZGEN2VSMZ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:49:29 truenas env[20630]: COMMIT
Jun  7 22:50:04 truenas systemd[1]: Starting system activity accounting tool...
Jun  7 22:50:04 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  7 22:50:04 truenas systemd[1]: Finished system activity accounting tool.
Jun  7 22:51:06 truenas dhclient[3600]: DHCPREQUEST for 10.12.1.5 on enp0s31f6 to 10.12.1.1 port 67
Jun  7 22:51:06 truenas dhclient[3600]: DHCPACK of 10.12.1.5 from 10.12.1.1
Jun  7 22:51:06 truenas dhclient[3600]: bound to 10.12.1.5 -- renewal in 34419 seconds.
Jun  7 22:54:29 truenas env[20630]: E0607 22:54:29.707195   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 22:54:29 truenas env[20630]: Error occurred at line: 103
Jun  7 22:54:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 22:54:29 truenas env[20630]: )
Jun  7 22:54:29 truenas env[20630]: *filter
Jun  7 22:54:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 22:54:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 22:54:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 22:54:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 22:54:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 22:54:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 22:54:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 22:54:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 22:54:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 22:54:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 22:54:29 truenas env[20630]: :KUBE-POD-FW-QCQFUHLLEBJ3NIVP - [0:0]
Jun  7 22:54:29 truenas env[20630]: :KUBE-POD-FW-LOAOBC2KXEKPV5IT - [0:0]
Jun  7 22:54:29 truenas env[20630]: :KUBE-POD-FW-2WNOGZAR3KOX5NIC - [0:0]
Jun  7 22:54:29 truenas env[20630]: :KUBE-POD-FW-W5QB4ZHDW2ERYYP2 - [0:0]
Jun  7 22:54:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 22:54:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 22:54:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 22:54:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 22:54:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 22:54:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 22:54:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 22:54:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 22:54:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 22:54:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-QCQFUHLLEBJ3NIVP 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-QCQFUHLLEBJ3NIVP 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-QCQFUHLLEBJ3NIVP 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-QCQFUHLLEBJ3NIVP 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-QCQFUHLLEBJ3NIVP 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QCQFUHLLEBJ3NIVP" -d 172.16.0.46 -j KUBE-POD-FW-QCQFUHLLEBJ3NIVP
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QCQFUHLLEBJ3NIVP" -d 172.16.0.46 -j KUBE-POD-FW-QCQFUHLLEBJ3NIVP
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QCQFUHLLEBJ3NIVP" -d 172.16.0.46 -j KUBE-POD-FW-QCQFUHLLEBJ3NIVP
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QCQFUHLLEBJ3NIVP" -s 172.16.0.46 -j KUBE-POD-FW-QCQFUHLLEBJ3NIVP
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QCQFUHLLEBJ3NIVP" -s 172.16.0.46 -j KUBE-POD-FW-QCQFUHLLEBJ3NIVP
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QCQFUHLLEBJ3NIVP" -s 172.16.0.46 -j KUBE-POD-FW-QCQFUHLLEBJ3NIVP
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QCQFUHLLEBJ3NIVP" -s 172.16.0.46 -j KUBE-POD-FW-QCQFUHLLEBJ3NIVP
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-QCQFUHLLEBJ3NIVP -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-QCQFUHLLEBJ3NIVP -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-QCQFUHLLEBJ3NIVP -j MARK --set-mark 0/0x10000
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-QCQFUHLLEBJ3NIVP -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-LOAOBC2KXEKPV5IT 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-LOAOBC2KXEKPV5IT 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-LOAOBC2KXEKPV5IT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-LOAOBC2KXEKPV5IT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-LOAOBC2KXEKPV5IT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LOAOBC2KXEKPV5IT" -d 172.16.0.42 -j KUBE-POD-FW-LOAOBC2KXEKPV5IT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LOAOBC2KXEKPV5IT" -d 172.16.0.42 -j KUBE-POD-FW-LOAOBC2KXEKPV5IT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LOAOBC2KXEKPV5IT" -d 172.16.0.42 -j KUBE-POD-FW-LOAOBC2KXEKPV5IT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LOAOBC2KXEKPV5IT" -s 172.16.0.42 -j KUBE-POD-FW-LOAOBC2KXEKPV5IT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LOAOBC2KXEKPV5IT" -s 172.16.0.42 -j KUBE-POD-FW-LOAOBC2KXEKPV5IT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LOAOBC2KXEKPV5IT" -s 172.16.0.42 -j KUBE-POD-FW-LOAOBC2KXEKPV5IT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LOAOBC2KXEKPV5IT" -s 172.16.0.42 -j KUBE-POD-FW-LOAOBC2KXEKPV5IT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-LOAOBC2KXEKPV5IT -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-LOAOBC2KXEKPV5IT -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-LOAOBC2KXEKPV5IT -j MARK --set-mark 0/0x10000
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-LOAOBC2KXEKPV5IT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-2WNOGZAR3KOX5NIC 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-2WNOGZAR3KOX5NIC 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-2WNOGZAR3KOX5NIC 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-2WNOGZAR3KOX5NIC 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-2WNOGZAR3KOX5NIC 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-2WNOGZAR3KOX5NIC" -d 172.16.0.45 -j KUBE-POD-FW-2WNOGZAR3KOX5NIC
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-2WNOGZAR3KOX5NIC" -d 172.16.0.45 -j KUBE-POD-FW-2WNOGZAR3KOX5NIC
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-2WNOGZAR3KOX5NIC" -d 172.16.0.45 -j KUBE-POD-FW-2WNOGZAR3KOX5NIC
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-2WNOGZAR3KOX5NIC" -s 172.16.0.45 -j KUBE-POD-FW-2WNOGZAR3KOX5NIC
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-2WNOGZAR3KOX5NIC" -s 172.16.0.45 -j KUBE-POD-FW-2WNOGZAR3KOX5NIC
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-2WNOGZAR3KOX5NIC" -s 172.16.0.45 -j KUBE-POD-FW-2WNOGZAR3KOX5NIC
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-2WNOGZAR3KOX5NIC" -s 172.16.0.45 -j KUBE-POD-FW-2WNOGZAR3KOX5NIC
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-2WNOGZAR3KOX5NIC -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-2WNOGZAR3KOX5NIC -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-2WNOGZAR3KOX5NIC -j MARK --set-mark 0/0x10000
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-2WNOGZAR3KOX5NIC -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-W5QB4ZHDW2ERYYP2 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-W5QB4ZHDW2ERYYP2 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-W5QB4ZHDW2ERYYP2 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-W5QB4ZHDW2ERYYP2 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:54:29 truenas env[20630]: -I KUBE-POD-FW-W5QB4ZHDW2ERYYP2 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W5QB4ZHDW2ERYYP2" -d 172.16.0.43 -j KUBE-POD-FW-W5QB4ZHDW2ERYYP2
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W5QB4ZHDW2ERYYP2" -d 172.16.0.43 -j KUBE-POD-FW-W5QB4ZHDW2ERYYP2
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W5QB4ZHDW2ERYYP2" -d 172.16.0.43 -j KUBE-POD-FW-W5QB4ZHDW2ERYYP2
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W5QB4ZHDW2ERYYP2" -s 172.16.0.43 -j KUBE-POD-FW-W5QB4ZHDW2ERYYP2
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W5QB4ZHDW2ERYYP2" -s 172.16.0.43 -j KUBE-POD-FW-W5QB4ZHDW2ERYYP2
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W5QB4ZHDW2ERYYP2" -s 172.16.0.43 -j KUBE-POD-FW-W5QB4ZHDW2ERYYP2
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W5QB4ZHDW2ERYYP2" -s 172.16.0.43 -j KUBE-POD-FW-W5QB4ZHDW2ERYYP2
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-W5QB4ZHDW2ERYYP2 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-W5QB4ZHDW2ERYYP2 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-W5QB4ZHDW2ERYYP2 -j MARK --set-mark 0/0x10000
Jun  7 22:54:29 truenas env[20630]: -A KUBE-POD-FW-W5QB4ZHDW2ERYYP2 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:54:29 truenas env[20630]: COMMIT
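The sync above aborts every five minutes (22:44:29, 22:49:29, 22:54:29, 22:59:29) at the same place: "Error occurred at line: 103". Counting the dumped restore input from `*filter` as line 1, line 103 is the first of the three trailing rules whose comment is not quoted, `-A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies ...`. Every other `--comment` in the dump is wrapped in double quotes; without them iptables-restore splits the value on whitespace, takes `rule` as the comment, and rejects the next word, which is exactly the reported "Bad argument `to'". The consequence is that none of the per-pod KUBE-POD-FW chains in these dumps (default-policy marking, NFLOG of unmarked traffic, REJECT) are installed by these runs, so the isolation kube-router intends for those pods is not being applied while the error persists. The following is an added example, not kube-router's code and not from the original log: a small linter that reproduces the diagnosis offline by numbering a restore dump the way iptables-restore does and flagging a `--comment` value that spills into more than one token, plus a fixer that re-quotes it with double quotes as the working rules in the dump do. The sample dump embedded below is constructed from a few of the rules above; the checker only covers `--comment`, not the arity of every other iptables option.

```python
"""Reproduce iptables-restore's "Bad argument" diagnosis for an unquoted
multi-word --comment, as seen in the kube-router network policy sync above.
Added example; not part of kube-router or of the original log."""
import shlex
from typing import List, NamedTuple, Optional


class BadArgument(NamedTuple):
    line_no: int   # 1-based, counted from "*filter" like iptables-restore does
    token: str     # the stray token iptables-restore would reject
    rule: str      # the offending rule line


def _is_option(tok: str) -> bool:
    # iptables treats "-x", "--xx" and the negation "!" as option words;
    # anything else in option position is a "Bad argument".
    return tok.startswith("-") or tok == "!"


def check_rule(rule: str) -> Optional[str]:
    """Return the first stray token after a --comment value, or None if the
    rule is well-formed. Tokenizes on whitespace unless double-quoted, which
    is how the quoted comments in the dump survive iptables-restore."""
    try:
        toks = shlex.split(rule, posix=True)
    except ValueError:
        return None  # unbalanced quote: a different error, out of scope here
    for i, tok in enumerate(toks):
        if tok == "--comment" and i + 2 < len(toks) and not _is_option(toks[i + 2]):
            return toks[i + 2]
    return None


def lint_restore_input(text: str) -> List[BadArgument]:
    """Number the dump from its first line (the '*filter' table header) and
    report every rule iptables-restore would reject for an unquoted comment."""
    findings: List[BadArgument] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith(("*", ":", "#")) or line == "COMMIT":
            continue  # table header, chain declaration, comment or COMMIT
        bad = check_rule(line)
        if bad is not None:
            findings.append(BadArgument(line_no, bad, line))
    return findings


def quote_comments(rule: str) -> str:
    """Rewrite a rule so every --comment value is one double-quoted argument,
    matching the form of the rules that iptables-restore accepted."""
    toks = shlex.split(rule, posix=True)
    out: List[str] = []
    i = 0
    while i < len(toks):
        out.append(toks[i])
        if toks[i] == "--comment":
            j = i + 1
            words = []
            while j < len(toks) and not _is_option(toks[j]):
                words.append(toks[j])
                j += 1
            out.append('"' + " ".join(words).replace('"', '\\"') + '"')
            i = j
            continue
        i += 1
    return " ".join(out)


# Constructed sample: a shortened version of the dump above. Line 6 carries
# the unquoted comment; in the full dump the same rule sits at line 103.
SAMPLE_RESTORE_INPUT = """*filter
:INPUT ACCEPT [0:0]
:KUBE-ROUTER-INPUT - [0:0]
-A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
-I KUBE-POD-FW-W5QB4ZHDW2ERYYP2 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
-A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for f in lint_restore_input(SAMPLE_RESTORE_INPUT):
        print(f"line {f.line_no}: Bad argument `{f.token}'")
        print("  fixed:", quote_comments(f.rule))
```

Run against the full 22:54:29 dump (everything from `*filter` to `COMMIT`), `lint_restore_input` reports lines 103, 104 and 105, the three `rule to explicitly ACCEPT ...` rules for KUBE-ROUTER-INPUT, KUBE-ROUTER-FORWARD and KUBE-ROUTER-OUTPUT; iptables-restore stops at the first. Until the controller emits those comments quoted, treat the node as running without the network policy enforcement these syncs were meant to install.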
Jun  7 22:59:06 truenas smartd[3887]: Device: /dev/sdb [SAT], SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 72 to 73
Jun  7 22:59:06 truenas smartd[3887]: Device: /dev/sdb [SAT], SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 72 to 73
Jun  7 22:59:26 truenas nscd[381089]: 381089 monitoring file `/etc/hosts` (1)
Jun  7 22:59:26 truenas nscd[381089]: 381089 monitoring directory `/etc` (2)
Jun  7 22:59:26 truenas nscd[381089]: 381089 monitoring file `/etc/resolv.conf` (3)
Jun  7 22:59:26 truenas nscd[381089]: 381089 monitoring directory `/etc` (2)
Jun  7 22:59:26 truenas nscd[381089]: 381089 cannot create /var/cache/nscd/hosts; no persistent database used
Jun  7 22:59:29 truenas env[20630]: E0607 22:59:29.780852   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 22:59:29 truenas env[20630]: Error occurred at line: 103
Jun  7 22:59:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 22:59:29 truenas env[20630]: )
Jun  7 22:59:29 truenas env[20630]: *filter
Jun  7 22:59:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 22:59:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 22:59:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 22:59:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 22:59:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 22:59:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 22:59:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 22:59:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 22:59:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 22:59:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 22:59:29 truenas env[20630]: :KUBE-POD-FW-KQXLJAKDRREZJ5AY - [0:0]
Jun  7 22:59:29 truenas env[20630]: :KUBE-POD-FW-GBUSOXQUXJHJG2QY - [0:0]
Jun  7 22:59:29 truenas env[20630]: :KUBE-POD-FW-XTRRM6CEY3REUCTU - [0:0]
Jun  7 22:59:29 truenas env[20630]: :KUBE-POD-FW-7OVIDN62C5DVQYGA - [0:0]
Jun  7 22:59:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 22:59:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 22:59:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 22:59:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 22:59:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 22:59:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 22:59:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 22:59:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 22:59:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 22:59:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-KQXLJAKDRREZJ5AY 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-KQXLJAKDRREZJ5AY 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-KQXLJAKDRREZJ5AY 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-KQXLJAKDRREZJ5AY 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-KQXLJAKDRREZJ5AY 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KQXLJAKDRREZJ5AY" -d 172.16.0.45 -j KUBE-POD-FW-KQXLJAKDRREZJ5AY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KQXLJAKDRREZJ5AY" -d 172.16.0.45 -j KUBE-POD-FW-KQXLJAKDRREZJ5AY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KQXLJAKDRREZJ5AY" -d 172.16.0.45 -j KUBE-POD-FW-KQXLJAKDRREZJ5AY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KQXLJAKDRREZJ5AY" -s 172.16.0.45 -j KUBE-POD-FW-KQXLJAKDRREZJ5AY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KQXLJAKDRREZJ5AY" -s 172.16.0.45 -j KUBE-POD-FW-KQXLJAKDRREZJ5AY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KQXLJAKDRREZJ5AY" -s 172.16.0.45 -j KUBE-POD-FW-KQXLJAKDRREZJ5AY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KQXLJAKDRREZJ5AY" -s 172.16.0.45 -j KUBE-POD-FW-KQXLJAKDRREZJ5AY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-KQXLJAKDRREZJ5AY -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-KQXLJAKDRREZJ5AY -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-KQXLJAKDRREZJ5AY -j MARK --set-mark 0/0x10000
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-KQXLJAKDRREZJ5AY -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-GBUSOXQUXJHJG2QY 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-GBUSOXQUXJHJG2QY 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-GBUSOXQUXJHJG2QY 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-GBUSOXQUXJHJG2QY 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-GBUSOXQUXJHJG2QY 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GBUSOXQUXJHJG2QY" -d 172.16.0.43 -j KUBE-POD-FW-GBUSOXQUXJHJG2QY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GBUSOXQUXJHJG2QY" -d 172.16.0.43 -j KUBE-POD-FW-GBUSOXQUXJHJG2QY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GBUSOXQUXJHJG2QY" -d 172.16.0.43 -j KUBE-POD-FW-GBUSOXQUXJHJG2QY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GBUSOXQUXJHJG2QY" -s 172.16.0.43 -j KUBE-POD-FW-GBUSOXQUXJHJG2QY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GBUSOXQUXJHJG2QY" -s 172.16.0.43 -j KUBE-POD-FW-GBUSOXQUXJHJG2QY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GBUSOXQUXJHJG2QY" -s 172.16.0.43 -j KUBE-POD-FW-GBUSOXQUXJHJG2QY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GBUSOXQUXJHJG2QY" -s 172.16.0.43 -j KUBE-POD-FW-GBUSOXQUXJHJG2QY
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-GBUSOXQUXJHJG2QY -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-GBUSOXQUXJHJG2QY -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-GBUSOXQUXJHJG2QY -j MARK --set-mark 0/0x10000
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-GBUSOXQUXJHJG2QY -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-XTRRM6CEY3REUCTU 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-XTRRM6CEY3REUCTU 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-XTRRM6CEY3REUCTU 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-XTRRM6CEY3REUCTU 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-XTRRM6CEY3REUCTU 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XTRRM6CEY3REUCTU" -d 172.16.0.46 -j KUBE-POD-FW-XTRRM6CEY3REUCTU
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XTRRM6CEY3REUCTU" -d 172.16.0.46 -j KUBE-POD-FW-XTRRM6CEY3REUCTU
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XTRRM6CEY3REUCTU" -d 172.16.0.46 -j KUBE-POD-FW-XTRRM6CEY3REUCTU
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XTRRM6CEY3REUCTU" -s 172.16.0.46 -j KUBE-POD-FW-XTRRM6CEY3REUCTU
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XTRRM6CEY3REUCTU" -s 172.16.0.46 -j KUBE-POD-FW-XTRRM6CEY3REUCTU
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XTRRM6CEY3REUCTU" -s 172.16.0.46 -j KUBE-POD-FW-XTRRM6CEY3REUCTU
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XTRRM6CEY3REUCTU" -s 172.16.0.46 -j KUBE-POD-FW-XTRRM6CEY3REUCTU
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-XTRRM6CEY3REUCTU -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-XTRRM6CEY3REUCTU -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-XTRRM6CEY3REUCTU -j MARK --set-mark 0/0x10000
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-XTRRM6CEY3REUCTU -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-7OVIDN62C5DVQYGA 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-7OVIDN62C5DVQYGA 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-7OVIDN62C5DVQYGA 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-7OVIDN62C5DVQYGA 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 22:59:29 truenas env[20630]: -I KUBE-POD-FW-7OVIDN62C5DVQYGA 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7OVIDN62C5DVQYGA" -d 172.16.0.42 -j KUBE-POD-FW-7OVIDN62C5DVQYGA
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7OVIDN62C5DVQYGA" -d 172.16.0.42 -j KUBE-POD-FW-7OVIDN62C5DVQYGA
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7OVIDN62C5DVQYGA" -d 172.16.0.42 -j KUBE-POD-FW-7OVIDN62C5DVQYGA
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7OVIDN62C5DVQYGA" -s 172.16.0.42 -j KUBE-POD-FW-7OVIDN62C5DVQYGA
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7OVIDN62C5DVQYGA" -s 172.16.0.42 -j KUBE-POD-FW-7OVIDN62C5DVQYGA
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7OVIDN62C5DVQYGA" -s 172.16.0.42 -j KUBE-POD-FW-7OVIDN62C5DVQYGA
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7OVIDN62C5DVQYGA" -s 172.16.0.42 -j KUBE-POD-FW-7OVIDN62C5DVQYGA
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-7OVIDN62C5DVQYGA -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-7OVIDN62C5DVQYGA -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-7OVIDN62C5DVQYGA -j MARK --set-mark 0/0x10000
Jun  7 22:59:29 truenas env[20630]: -A KUBE-POD-FW-7OVIDN62C5DVQYGA -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: COMMIT
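The failure above is reproducible from the dump itself. Counting the restore stanza from `*filter` as line 1, line 103 is the first of the three `KUBE-ROUTER-{OUTPUT,INPUT,FORWARD}` rules whose `--comment` value is not quoted (`--comment rule to explicitly ACCEPT traffic ...`). iptables-restore tokenises that line like a shell, takes `rule` as the comment, and then fails on the next word, which is exactly the `Bad argument `to'` it reports. Because a restore is applied atomically per table, the abort means none of this stanza reached the kernel; the `KUBE-POD-FW-*` chain names are regenerated on every sync (they differ between the 22:59 and 23:04 dumps), so while the error persists the kernel keeps whatever ruleset was last loaded successfully rather than the policy kube-router intends. The following script is an added example, not kube-router's or iX's code: it strips the journal prefix, finds the rule lines a shell-style tokeniser would break on, reports the stray token and 1-based line number, and shows the quoted form that restores cleanly. The journal excerpt embedded in it is a constructed, shortened stanza in the same shape as the one logged above.

```python
"""Locate the unquoted --comment that makes iptables-restore abort on a kube-router stanza.

Added example: parses journal lines like the ones above, reproduces the
"Bad argument" tokenisation, and prints the quoted rewrite of the bad rule.
"""
import re
import shlex

# Journal prefix used by the lines above, e.g. "Jun  7 22:59:29 truenas env[20630]: ".
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ")

# Constructed sample (shortened, same shape as the logged stanza; not the real dump).
SAMPLE_JOURNAL = """\
Jun  7 22:59:29 truenas env[20630]: *filter
Jun  7 22:59:29 truenas env[20630]: :INPUT ACCEPT [0:0]
Jun  7 22:59:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0]
Jun  7 22:59:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 22:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 22:59:29 truenas env[20630]: COMMIT
"""


def extract_restore_input(journal_text):
    """Strip the journal prefix and return the iptables-restore payload as a list of lines."""
    return [SYSLOG_PREFIX.sub("", ln) for ln in journal_text.splitlines()]


def stray_args_after_comment(rule):
    """Return the words iptables-restore would treat as stray arguments after --comment.

    iptables-restore splits a rule line like a shell: an unquoted comment becomes a
    single token, and every following word that is not an option is parsed as a new
    argument, which fails with "Bad argument `<word>'".
    """
    tokens = shlex.split(rule)
    stray = []
    for i, tok in enumerate(tokens):
        if tok == "--comment" and i + 2 < len(tokens):
            j = i + 2  # skip the option and its (first-word) value
            while j < len(tokens) and not tokens[j].startswith(("-", "!")):
                stray.append(tokens[j])
                j += 1
    return stray


def find_bad_rules(restore_lines):
    """Return [(1-based line number, first stray token, line)] for every rule that would abort."""
    hits = []
    for n, line in enumerate(restore_lines, start=1):
        if not line.startswith(("-A", "-I")):
            continue  # chain declarations, *table and COMMIT are not rules
        stray = stray_args_after_comment(line)
        if stray:
            hits.append((n, stray[0], line))
    return hits


# Matches an unquoted --comment value up to the next option (" -x") or negation (" !").
UNQUOTED_COMMENT = re.compile(r'--comment (?!")(.*?)(?= -[A-Za-z]| !|$)')


def quote_comment(rule):
    """Rewrite an unquoted --comment value into the double-quoted form iptables-restore accepts."""
    return UNQUOTED_COMMENT.sub(lambda m: '--comment "%s"' % m.group(1), rule)


if __name__ == "__main__":
    lines = extract_restore_input(SAMPLE_JOURNAL)
    for lineno, bad_word, rule in find_bad_rules(lines):
        print("line %d: Bad argument `%s'" % (lineno, bad_word))
        print("  broken:", rule)
        print("  fixed: ", quote_comment(rule))
```

Run it against the full dump by replacing `SAMPLE_JOURNAL` with the journal lines from `*filter` through `COMMIT`; the first reported line number should be 103, matching the error message, and the quoted rewrite is the form the `"kube-router netpol - ..."` rules in the same stanza already use.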
Jun  7 23:00:04 truenas systemd[1]: Starting system activity accounting tool...
Jun  7 23:00:04 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  7 23:00:04 truenas systemd[1]: Finished system activity accounting tool.
Jun  7 23:04:29 truenas env[20630]: E0607 23:04:29.760591   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:04:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:04:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:04:29 truenas env[20630]: )
Jun  7 23:04:29 truenas env[20630]: *filter
Jun  7 23:04:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:04:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 23:04:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 23:04:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 23:04:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 23:04:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 23:04:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 23:04:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 23:04:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:04:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 23:04:29 truenas env[20630]: :KUBE-POD-FW-7WOZHEGXCB773RFA - [0:0]
Jun  7 23:04:29 truenas env[20630]: :KUBE-POD-FW-N3BZS2F2NWODJTUX - [0:0]
Jun  7 23:04:29 truenas env[20630]: :KUBE-POD-FW-HWFCXUKQA62BBZG4 - [0:0]
Jun  7 23:04:29 truenas env[20630]: :KUBE-POD-FW-5KFRAGJP6VP7QSAM - [0:0]
Jun  7 23:04:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:04:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 23:04:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 23:04:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 23:04:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 23:04:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 23:04:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 23:04:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 23:04:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 23:04:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-7WOZHEGXCB773RFA 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-7WOZHEGXCB773RFA 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-7WOZHEGXCB773RFA 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-7WOZHEGXCB773RFA 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-7WOZHEGXCB773RFA 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7WOZHEGXCB773RFA" -d 172.16.0.42 -j KUBE-POD-FW-7WOZHEGXCB773RFA
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7WOZHEGXCB773RFA" -d 172.16.0.42 -j KUBE-POD-FW-7WOZHEGXCB773RFA
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7WOZHEGXCB773RFA" -d 172.16.0.42 -j KUBE-POD-FW-7WOZHEGXCB773RFA
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7WOZHEGXCB773RFA" -s 172.16.0.42 -j KUBE-POD-FW-7WOZHEGXCB773RFA
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7WOZHEGXCB773RFA" -s 172.16.0.42 -j KUBE-POD-FW-7WOZHEGXCB773RFA
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7WOZHEGXCB773RFA" -s 172.16.0.42 -j KUBE-POD-FW-7WOZHEGXCB773RFA
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-7WOZHEGXCB773RFA" -s 172.16.0.42 -j KUBE-POD-FW-7WOZHEGXCB773RFA
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-7WOZHEGXCB773RFA -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-7WOZHEGXCB773RFA -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-7WOZHEGXCB773RFA -j MARK --set-mark 0/0x10000
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-7WOZHEGXCB773RFA -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-N3BZS2F2NWODJTUX 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-N3BZS2F2NWODJTUX 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-N3BZS2F2NWODJTUX 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-N3BZS2F2NWODJTUX 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-N3BZS2F2NWODJTUX 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-N3BZS2F2NWODJTUX" -d 172.16.0.45 -j KUBE-POD-FW-N3BZS2F2NWODJTUX
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-N3BZS2F2NWODJTUX" -d 172.16.0.45 -j KUBE-POD-FW-N3BZS2F2NWODJTUX
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-N3BZS2F2NWODJTUX" -d 172.16.0.45 -j KUBE-POD-FW-N3BZS2F2NWODJTUX
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-N3BZS2F2NWODJTUX" -s 172.16.0.45 -j KUBE-POD-FW-N3BZS2F2NWODJTUX
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-N3BZS2F2NWODJTUX" -s 172.16.0.45 -j KUBE-POD-FW-N3BZS2F2NWODJTUX
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-N3BZS2F2NWODJTUX" -s 172.16.0.45 -j KUBE-POD-FW-N3BZS2F2NWODJTUX
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-N3BZS2F2NWODJTUX" -s 172.16.0.45 -j KUBE-POD-FW-N3BZS2F2NWODJTUX
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-N3BZS2F2NWODJTUX -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-N3BZS2F2NWODJTUX -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-N3BZS2F2NWODJTUX -j MARK --set-mark 0/0x10000
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-N3BZS2F2NWODJTUX -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-HWFCXUKQA62BBZG4 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-HWFCXUKQA62BBZG4 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-HWFCXUKQA62BBZG4 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-HWFCXUKQA62BBZG4 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-HWFCXUKQA62BBZG4 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HWFCXUKQA62BBZG4" -d 172.16.0.43 -j KUBE-POD-FW-HWFCXUKQA62BBZG4
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HWFCXUKQA62BBZG4" -d 172.16.0.43 -j KUBE-POD-FW-HWFCXUKQA62BBZG4
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HWFCXUKQA62BBZG4" -d 172.16.0.43 -j KUBE-POD-FW-HWFCXUKQA62BBZG4
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HWFCXUKQA62BBZG4" -s 172.16.0.43 -j KUBE-POD-FW-HWFCXUKQA62BBZG4
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HWFCXUKQA62BBZG4" -s 172.16.0.43 -j KUBE-POD-FW-HWFCXUKQA62BBZG4
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HWFCXUKQA62BBZG4" -s 172.16.0.43 -j KUBE-POD-FW-HWFCXUKQA62BBZG4
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HWFCXUKQA62BBZG4" -s 172.16.0.43 -j KUBE-POD-FW-HWFCXUKQA62BBZG4
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-HWFCXUKQA62BBZG4 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-HWFCXUKQA62BBZG4 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-HWFCXUKQA62BBZG4 -j MARK --set-mark 0/0x10000
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-HWFCXUKQA62BBZG4 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-5KFRAGJP6VP7QSAM 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-5KFRAGJP6VP7QSAM 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-5KFRAGJP6VP7QSAM 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-5KFRAGJP6VP7QSAM 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:04:29 truenas env[20630]: -I KUBE-POD-FW-5KFRAGJP6VP7QSAM 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5KFRAGJP6VP7QSAM" -d 172.16.0.46 -j KUBE-POD-FW-5KFRAGJP6VP7QSAM
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5KFRAGJP6VP7QSAM" -d 172.16.0.46 -j KUBE-POD-FW-5KFRAGJP6VP7QSAM
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5KFRAGJP6VP7QSAM" -d 172.16.0.46 -j KUBE-POD-FW-5KFRAGJP6VP7QSAM
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5KFRAGJP6VP7QSAM" -s 172.16.0.46 -j KUBE-POD-FW-5KFRAGJP6VP7QSAM
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5KFRAGJP6VP7QSAM" -s 172.16.0.46 -j KUBE-POD-FW-5KFRAGJP6VP7QSAM
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5KFRAGJP6VP7QSAM" -s 172.16.0.46 -j KUBE-POD-FW-5KFRAGJP6VP7QSAM
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5KFRAGJP6VP7QSAM" -s 172.16.0.46 -j KUBE-POD-FW-5KFRAGJP6VP7QSAM
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-5KFRAGJP6VP7QSAM -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-5KFRAGJP6VP7QSAM -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-5KFRAGJP6VP7QSAM -j MARK --set-mark 0/0x10000
Jun  7 23:04:29 truenas env[20630]: -A KUBE-POD-FW-5KFRAGJP6VP7QSAM -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:04:29 truenas env[20630]: COMMIT
Jun  7 23:09:29 truenas env[20630]: E0607 23:09:29.755867   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:09:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:09:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:09:29 truenas env[20630]: )
Jun  7 23:09:29 truenas env[20630]: *filter
Jun  7 23:09:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:09:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 23:09:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 23:09:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 23:09:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 23:09:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 23:09:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 23:09:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 23:09:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:09:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 23:09:29 truenas env[20630]: :KUBE-POD-FW-LLDABQFCFJP63OGB - [0:0]
Jun  7 23:09:29 truenas env[20630]: :KUBE-POD-FW-YL4UHBJX2TLNG7VH - [0:0]
Jun  7 23:09:29 truenas env[20630]: :KUBE-POD-FW-DBQ2DFDKUMDVWBEF - [0:0]
Jun  7 23:09:29 truenas env[20630]: :KUBE-POD-FW-MFDUAK2WAAMISMWN - [0:0]
Jun  7 23:09:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:09:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 23:09:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 23:09:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 23:09:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 23:09:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 23:09:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 23:09:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 23:09:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 23:09:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-LLDABQFCFJP63OGB 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-LLDABQFCFJP63OGB 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-LLDABQFCFJP63OGB 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-LLDABQFCFJP63OGB 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-LLDABQFCFJP63OGB 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LLDABQFCFJP63OGB" -d 172.16.0.46 -j KUBE-POD-FW-LLDABQFCFJP63OGB
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LLDABQFCFJP63OGB" -d 172.16.0.46 -j KUBE-POD-FW-LLDABQFCFJP63OGB
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LLDABQFCFJP63OGB" -d 172.16.0.46 -j KUBE-POD-FW-LLDABQFCFJP63OGB
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LLDABQFCFJP63OGB" -s 172.16.0.46 -j KUBE-POD-FW-LLDABQFCFJP63OGB
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LLDABQFCFJP63OGB" -s 172.16.0.46 -j KUBE-POD-FW-LLDABQFCFJP63OGB
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LLDABQFCFJP63OGB" -s 172.16.0.46 -j KUBE-POD-FW-LLDABQFCFJP63OGB
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LLDABQFCFJP63OGB" -s 172.16.0.46 -j KUBE-POD-FW-LLDABQFCFJP63OGB
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-LLDABQFCFJP63OGB -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-LLDABQFCFJP63OGB -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-LLDABQFCFJP63OGB -j MARK --set-mark 0/0x10000
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-LLDABQFCFJP63OGB -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-YL4UHBJX2TLNG7VH 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-YL4UHBJX2TLNG7VH 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-YL4UHBJX2TLNG7VH 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-YL4UHBJX2TLNG7VH 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-YL4UHBJX2TLNG7VH 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YL4UHBJX2TLNG7VH" -d 172.16.0.42 -j KUBE-POD-FW-YL4UHBJX2TLNG7VH
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YL4UHBJX2TLNG7VH" -d 172.16.0.42 -j KUBE-POD-FW-YL4UHBJX2TLNG7VH
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YL4UHBJX2TLNG7VH" -d 172.16.0.42 -j KUBE-POD-FW-YL4UHBJX2TLNG7VH
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YL4UHBJX2TLNG7VH" -s 172.16.0.42 -j KUBE-POD-FW-YL4UHBJX2TLNG7VH
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YL4UHBJX2TLNG7VH" -s 172.16.0.42 -j KUBE-POD-FW-YL4UHBJX2TLNG7VH
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YL4UHBJX2TLNG7VH" -s 172.16.0.42 -j KUBE-POD-FW-YL4UHBJX2TLNG7VH
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YL4UHBJX2TLNG7VH" -s 172.16.0.42 -j KUBE-POD-FW-YL4UHBJX2TLNG7VH
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-YL4UHBJX2TLNG7VH -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-YL4UHBJX2TLNG7VH -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-YL4UHBJX2TLNG7VH -j MARK --set-mark 0/0x10000
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-YL4UHBJX2TLNG7VH -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-DBQ2DFDKUMDVWBEF 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-DBQ2DFDKUMDVWBEF 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-DBQ2DFDKUMDVWBEF 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-DBQ2DFDKUMDVWBEF 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-DBQ2DFDKUMDVWBEF 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DBQ2DFDKUMDVWBEF" -d 172.16.0.45 -j KUBE-POD-FW-DBQ2DFDKUMDVWBEF
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DBQ2DFDKUMDVWBEF" -d 172.16.0.45 -j KUBE-POD-FW-DBQ2DFDKUMDVWBEF
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DBQ2DFDKUMDVWBEF" -d 172.16.0.45 -j KUBE-POD-FW-DBQ2DFDKUMDVWBEF
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DBQ2DFDKUMDVWBEF" -s 172.16.0.45 -j KUBE-POD-FW-DBQ2DFDKUMDVWBEF
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DBQ2DFDKUMDVWBEF" -s 172.16.0.45 -j KUBE-POD-FW-DBQ2DFDKUMDVWBEF
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DBQ2DFDKUMDVWBEF" -s 172.16.0.45 -j KUBE-POD-FW-DBQ2DFDKUMDVWBEF
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DBQ2DFDKUMDVWBEF" -s 172.16.0.45 -j KUBE-POD-FW-DBQ2DFDKUMDVWBEF
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-DBQ2DFDKUMDVWBEF -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-DBQ2DFDKUMDVWBEF -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-DBQ2DFDKUMDVWBEF -j MARK --set-mark 0/0x10000
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-DBQ2DFDKUMDVWBEF -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-MFDUAK2WAAMISMWN 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-MFDUAK2WAAMISMWN 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-MFDUAK2WAAMISMWN 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-MFDUAK2WAAMISMWN 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:09:29 truenas env[20630]: -I KUBE-POD-FW-MFDUAK2WAAMISMWN 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MFDUAK2WAAMISMWN" -d 172.16.0.43 -j KUBE-POD-FW-MFDUAK2WAAMISMWN
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MFDUAK2WAAMISMWN" -d 172.16.0.43 -j KUBE-POD-FW-MFDUAK2WAAMISMWN
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MFDUAK2WAAMISMWN" -d 172.16.0.43 -j KUBE-POD-FW-MFDUAK2WAAMISMWN
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MFDUAK2WAAMISMWN" -s 172.16.0.43 -j KUBE-POD-FW-MFDUAK2WAAMISMWN
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MFDUAK2WAAMISMWN" -s 172.16.0.43 -j KUBE-POD-FW-MFDUAK2WAAMISMWN
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MFDUAK2WAAMISMWN" -s 172.16.0.43 -j KUBE-POD-FW-MFDUAK2WAAMISMWN
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MFDUAK2WAAMISMWN" -s 172.16.0.43 -j KUBE-POD-FW-MFDUAK2WAAMISMWN
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-MFDUAK2WAAMISMWN -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-MFDUAK2WAAMISMWN -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-MFDUAK2WAAMISMWN -j MARK --set-mark 0/0x10000
Jun  7 23:09:29 truenas env[20630]: -A KUBE-POD-FW-MFDUAK2WAAMISMWN -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: COMMIT
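The dumps above all fail the same way, and the failing line can be identified from the log itself: iptables-restore numbers its input from the `*filter` line as line 1, and in the 23:09:29 payload line 103 is the `-A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies ...` rule. Its `--comment` value is not quoted (compare the `"kube-router netpol - ..."` comments earlier in the same payload), so iptables-restore takes `rule` as the comment and chokes on the leftover word `to`, which is exactly the `Bad argument `to'` it reports. The same three unquoted rules close every payload in the log, which is why the sync aborts on every run. Because a restore is applied atomically per table, an aborted restore means none of the per-pod `KUBE-POD-FW-*` chains in that payload take effect, so the network-policy state on the node is whatever the last successful restore left behind. The script below is an added example, not kube-router or TrueNAS code: it strips the journal prefix, extracts the restore payload, reproduces iptables' "Bad argument" check for `--comment`, reports the payload line number, and shows the quoted form of the rule that would have parsed. The excerpt it runs on is a constructed, shortened copy of the 23:09:29 dump.

```python
"""Locate the rule that makes iptables-restore abort with "Bad argument `to'".

Added example (not kube-router or TrueNAS code). It models only the part of
iptables-restore's argument handling that matters here: a `--comment` value
that was not quoted leaves its second word behind as a stray positional
argument, which iptables reports as "Bad argument `<word>'".
"""
import re
import shlex

# Constructed excerpt of the journal output above: the syslog prefix is kept so
# the parser has to strip it, and the chain-header block is shortened.
SAMPLE_LOG = """\
Jun  7 23:09:29 truenas env[20630]: E0607 23:09:29.755867   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:09:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:09:29 truenas env[20630]: )
Jun  7 23:09:29 truenas env[20630]: *filter
Jun  7 23:09:29 truenas env[20630]: :INPUT ACCEPT [0:0]
Jun  7 23:09:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0]
Jun  7 23:09:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:09:29 truenas env[20630]: COMMIT
"""

# "Jun  7 23:09:29 truenas env[20630]: " -- journald/syslog line prefix
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ")
MAX_COMMENT_BYTES = 256  # xt_comment's limit on a comment string


def restore_payload(log_text):
    """Return the iptables-restore input embedded in the journal, from the
    `*table` line to COMMIT, so index+1 matches iptables-restore's numbering."""
    lines, capturing = [], False
    for raw in log_text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw)
        if line.startswith("*"):
            capturing = True
        if capturing:
            lines.append(line)
        if line == "COMMIT":
            capturing = False
    return lines


def check_rule(rule):
    """None if every --comment in the rule parses cleanly, else an
    iptables-style error string."""
    try:
        tokens = shlex.split(rule)
    except ValueError as exc:
        return f"unbalanced quoting: {exc}"
    for i, tok in enumerate(tokens):
        if tok != "--comment":
            continue
        if i + 1 >= len(tokens):
            return "option `--comment' requires an argument"
        if len(tokens[i + 1].encode()) > MAX_COMMENT_BYTES:
            return f"COMMENT must be shorter than {MAX_COMMENT_BYTES} characters"
        # The token after the comment value must be another option (or nothing);
        # a bare word here is the tell-tale of an unquoted multi-word comment.
        if i + 2 < len(tokens) and not tokens[i + 2].startswith(("-", "!")):
            return f"Bad argument `{tokens[i + 2]}'"
    return None


def find_bad_lines(log_text):
    """(payload line number, rule, error) for every rule that would abort the restore."""
    bad = []
    for n, line in enumerate(restore_payload(log_text), start=1):
        if line.startswith(("-A ", "-I ")):
            err = check_rule(line)
            if err:
                bad.append((n, line, err))
    return bad


def _dq(text):
    """Double-quote a comment the way iptables-restore's tokenizer expects."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def quote_comment(rule):
    """Return the rule with every --comment value quoted up to the next option."""
    tokens, out, i = shlex.split(rule), [], 0
    while i < len(tokens):
        out.append(tokens[i])
        if tokens[i] == "--comment":
            j = i + 1
            while j < len(tokens) and not tokens[j].startswith(("-", "!")):
                j += 1
            out.append(_dq(" ".join(tokens[i + 1:j])))
            i = j
            continue
        i += 1
    return " ".join(out)


if __name__ == "__main__":
    for n, rule, err in find_bad_lines(SAMPLE_LOG):
        print(f"line {n}: {err}\n  got:   {rule}\n  fixed: {quote_comment(rule)}")
```

Run against the full journal instead of the excerpt, `find_bad_lines` reports line 103 for the 23:09:29 payload, matching the `Error occurred at line: 103` in the log. The fix belongs in kube-router (quoting the comment string it emits), not in the node's iptables; until the controller is updated, treat the network-policy state on this node as not being refreshed.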
Jun  7 23:10:04 truenas systemd[1]: Starting system activity accounting tool...
Jun  7 23:10:04 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  7 23:10:04 truenas systemd[1]: Finished system activity accounting tool.
Jun  7 23:14:29 truenas env[20630]: E0607 23:14:29.748615   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:14:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:14:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:14:29 truenas env[20630]: )
Jun  7 23:14:29 truenas env[20630]: *filter
Jun  7 23:14:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:14:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 23:14:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 23:14:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 23:14:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 23:14:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 23:14:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 23:14:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 23:14:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:14:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 23:14:29 truenas env[20630]: :KUBE-POD-FW-M7UPGX5L2ETTFF6I - [0:0]
Jun  7 23:14:29 truenas env[20630]: :KUBE-POD-FW-BBVHHK3A5HBOTXQ4 - [0:0]
Jun  7 23:14:29 truenas env[20630]: :KUBE-POD-FW-NEQ6J5VWJCFXN7WO - [0:0]
Jun  7 23:14:29 truenas env[20630]: :KUBE-POD-FW-766EOL7OEQ7EAWDX - [0:0]
Jun  7 23:14:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:14:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 23:14:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 23:14:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 23:14:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 23:14:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 23:14:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 23:14:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 23:14:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 23:14:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-M7UPGX5L2ETTFF6I 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-M7UPGX5L2ETTFF6I 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-M7UPGX5L2ETTFF6I 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-M7UPGX5L2ETTFF6I 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-M7UPGX5L2ETTFF6I 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M7UPGX5L2ETTFF6I" -d 172.16.0.46 -j KUBE-POD-FW-M7UPGX5L2ETTFF6I
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M7UPGX5L2ETTFF6I" -d 172.16.0.46 -j KUBE-POD-FW-M7UPGX5L2ETTFF6I
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M7UPGX5L2ETTFF6I" -d 172.16.0.46 -j KUBE-POD-FW-M7UPGX5L2ETTFF6I
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M7UPGX5L2ETTFF6I" -s 172.16.0.46 -j KUBE-POD-FW-M7UPGX5L2ETTFF6I
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M7UPGX5L2ETTFF6I" -s 172.16.0.46 -j KUBE-POD-FW-M7UPGX5L2ETTFF6I
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M7UPGX5L2ETTFF6I" -s 172.16.0.46 -j KUBE-POD-FW-M7UPGX5L2ETTFF6I
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M7UPGX5L2ETTFF6I" -s 172.16.0.46 -j KUBE-POD-FW-M7UPGX5L2ETTFF6I
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-M7UPGX5L2ETTFF6I -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-M7UPGX5L2ETTFF6I -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-M7UPGX5L2ETTFF6I -j MARK --set-mark 0/0x10000
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-M7UPGX5L2ETTFF6I -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-BBVHHK3A5HBOTXQ4 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-BBVHHK3A5HBOTXQ4 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-BBVHHK3A5HBOTXQ4 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-BBVHHK3A5HBOTXQ4 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-BBVHHK3A5HBOTXQ4 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BBVHHK3A5HBOTXQ4" -d 172.16.0.42 -j KUBE-POD-FW-BBVHHK3A5HBOTXQ4
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BBVHHK3A5HBOTXQ4" -d 172.16.0.42 -j KUBE-POD-FW-BBVHHK3A5HBOTXQ4
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BBVHHK3A5HBOTXQ4" -d 172.16.0.42 -j KUBE-POD-FW-BBVHHK3A5HBOTXQ4
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BBVHHK3A5HBOTXQ4" -s 172.16.0.42 -j KUBE-POD-FW-BBVHHK3A5HBOTXQ4
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BBVHHK3A5HBOTXQ4" -s 172.16.0.42 -j KUBE-POD-FW-BBVHHK3A5HBOTXQ4
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BBVHHK3A5HBOTXQ4" -s 172.16.0.42 -j KUBE-POD-FW-BBVHHK3A5HBOTXQ4
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BBVHHK3A5HBOTXQ4" -s 172.16.0.42 -j KUBE-POD-FW-BBVHHK3A5HBOTXQ4
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-BBVHHK3A5HBOTXQ4 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-BBVHHK3A5HBOTXQ4 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-BBVHHK3A5HBOTXQ4 -j MARK --set-mark 0/0x10000
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-BBVHHK3A5HBOTXQ4 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-NEQ6J5VWJCFXN7WO 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-NEQ6J5VWJCFXN7WO 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-NEQ6J5VWJCFXN7WO 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-NEQ6J5VWJCFXN7WO 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-NEQ6J5VWJCFXN7WO 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-NEQ6J5VWJCFXN7WO" -d 172.16.0.45 -j KUBE-POD-FW-NEQ6J5VWJCFXN7WO
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-NEQ6J5VWJCFXN7WO" -d 172.16.0.45 -j KUBE-POD-FW-NEQ6J5VWJCFXN7WO
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-NEQ6J5VWJCFXN7WO" -d 172.16.0.45 -j KUBE-POD-FW-NEQ6J5VWJCFXN7WO
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-NEQ6J5VWJCFXN7WO" -s 172.16.0.45 -j KUBE-POD-FW-NEQ6J5VWJCFXN7WO
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-NEQ6J5VWJCFXN7WO" -s 172.16.0.45 -j KUBE-POD-FW-NEQ6J5VWJCFXN7WO
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-NEQ6J5VWJCFXN7WO" -s 172.16.0.45 -j KUBE-POD-FW-NEQ6J5VWJCFXN7WO
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-NEQ6J5VWJCFXN7WO" -s 172.16.0.45 -j KUBE-POD-FW-NEQ6J5VWJCFXN7WO
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-NEQ6J5VWJCFXN7WO -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-NEQ6J5VWJCFXN7WO -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-NEQ6J5VWJCFXN7WO -j MARK --set-mark 0/0x10000
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-NEQ6J5VWJCFXN7WO -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-766EOL7OEQ7EAWDX 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-766EOL7OEQ7EAWDX 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-766EOL7OEQ7EAWDX 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-766EOL7OEQ7EAWDX 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:14:29 truenas env[20630]: -I KUBE-POD-FW-766EOL7OEQ7EAWDX 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-766EOL7OEQ7EAWDX" -d 172.16.0.43 -j KUBE-POD-FW-766EOL7OEQ7EAWDX
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-766EOL7OEQ7EAWDX" -d 172.16.0.43 -j KUBE-POD-FW-766EOL7OEQ7EAWDX
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-766EOL7OEQ7EAWDX" -d 172.16.0.43 -j KUBE-POD-FW-766EOL7OEQ7EAWDX
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-766EOL7OEQ7EAWDX" -s 172.16.0.43 -j KUBE-POD-FW-766EOL7OEQ7EAWDX
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-766EOL7OEQ7EAWDX" -s 172.16.0.43 -j KUBE-POD-FW-766EOL7OEQ7EAWDX
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-766EOL7OEQ7EAWDX" -s 172.16.0.43 -j KUBE-POD-FW-766EOL7OEQ7EAWDX
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-766EOL7OEQ7EAWDX" -s 172.16.0.43 -j KUBE-POD-FW-766EOL7OEQ7EAWDX
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-766EOL7OEQ7EAWDX -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-766EOL7OEQ7EAWDX -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-766EOL7OEQ7EAWDX -j MARK --set-mark 0/0x10000
Jun  7 23:14:29 truenas env[20630]: -A KUBE-POD-FW-766EOL7OEQ7EAWDX -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:14:29 truenas env[20630]: COMMIT
Jun  7 23:17:01 truenas CRON[401031]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jun  7 23:19:29 truenas env[20630]: E0607 23:19:29.756581   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:19:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:19:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:19:29 truenas env[20630]: )
Jun  7 23:19:29 truenas env[20630]: *filter
Jun  7 23:19:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:19:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 23:19:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 23:19:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 23:19:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 23:19:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 23:19:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 23:19:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 23:19:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:19:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 23:19:29 truenas env[20630]: :KUBE-POD-FW-XRMGIYAWWJD3GQ5P - [0:0]
Jun  7 23:19:29 truenas env[20630]: :KUBE-POD-FW-B2TOAEHDHIDE2NAX - [0:0]
Jun  7 23:19:29 truenas env[20630]: :KUBE-POD-FW-UJFKDFHRMKJDL4BC - [0:0]
Jun  7 23:19:29 truenas env[20630]: :KUBE-POD-FW-CARTUS76W3QCVQV7 - [0:0]
Jun  7 23:19:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:19:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 23:19:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 23:19:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 23:19:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 23:19:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 23:19:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 23:19:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 23:19:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 23:19:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-XRMGIYAWWJD3GQ5P 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-XRMGIYAWWJD3GQ5P 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-XRMGIYAWWJD3GQ5P 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-XRMGIYAWWJD3GQ5P 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-XRMGIYAWWJD3GQ5P 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XRMGIYAWWJD3GQ5P" -d 172.16.0.42 -j KUBE-POD-FW-XRMGIYAWWJD3GQ5P
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XRMGIYAWWJD3GQ5P" -d 172.16.0.42 -j KUBE-POD-FW-XRMGIYAWWJD3GQ5P
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XRMGIYAWWJD3GQ5P" -d 172.16.0.42 -j KUBE-POD-FW-XRMGIYAWWJD3GQ5P
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XRMGIYAWWJD3GQ5P" -s 172.16.0.42 -j KUBE-POD-FW-XRMGIYAWWJD3GQ5P
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XRMGIYAWWJD3GQ5P" -s 172.16.0.42 -j KUBE-POD-FW-XRMGIYAWWJD3GQ5P
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XRMGIYAWWJD3GQ5P" -s 172.16.0.42 -j KUBE-POD-FW-XRMGIYAWWJD3GQ5P
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XRMGIYAWWJD3GQ5P" -s 172.16.0.42 -j KUBE-POD-FW-XRMGIYAWWJD3GQ5P
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-XRMGIYAWWJD3GQ5P -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-XRMGIYAWWJD3GQ5P -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-XRMGIYAWWJD3GQ5P -j MARK --set-mark 0/0x10000
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-XRMGIYAWWJD3GQ5P -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-B2TOAEHDHIDE2NAX 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-B2TOAEHDHIDE2NAX 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-B2TOAEHDHIDE2NAX 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-B2TOAEHDHIDE2NAX 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-B2TOAEHDHIDE2NAX 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-B2TOAEHDHIDE2NAX" -d 172.16.0.45 -j KUBE-POD-FW-B2TOAEHDHIDE2NAX
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-B2TOAEHDHIDE2NAX" -d 172.16.0.45 -j KUBE-POD-FW-B2TOAEHDHIDE2NAX
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-B2TOAEHDHIDE2NAX" -d 172.16.0.45 -j KUBE-POD-FW-B2TOAEHDHIDE2NAX
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-B2TOAEHDHIDE2NAX" -s 172.16.0.45 -j KUBE-POD-FW-B2TOAEHDHIDE2NAX
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-B2TOAEHDHIDE2NAX" -s 172.16.0.45 -j KUBE-POD-FW-B2TOAEHDHIDE2NAX
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-B2TOAEHDHIDE2NAX" -s 172.16.0.45 -j KUBE-POD-FW-B2TOAEHDHIDE2NAX
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-B2TOAEHDHIDE2NAX" -s 172.16.0.45 -j KUBE-POD-FW-B2TOAEHDHIDE2NAX
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-B2TOAEHDHIDE2NAX -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-B2TOAEHDHIDE2NAX -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-B2TOAEHDHIDE2NAX -j MARK --set-mark 0/0x10000
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-B2TOAEHDHIDE2NAX -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-UJFKDFHRMKJDL4BC 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-UJFKDFHRMKJDL4BC 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-UJFKDFHRMKJDL4BC 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-UJFKDFHRMKJDL4BC 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-UJFKDFHRMKJDL4BC 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UJFKDFHRMKJDL4BC" -d 172.16.0.43 -j KUBE-POD-FW-UJFKDFHRMKJDL4BC
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UJFKDFHRMKJDL4BC" -d 172.16.0.43 -j KUBE-POD-FW-UJFKDFHRMKJDL4BC
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UJFKDFHRMKJDL4BC" -d 172.16.0.43 -j KUBE-POD-FW-UJFKDFHRMKJDL4BC
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UJFKDFHRMKJDL4BC" -s 172.16.0.43 -j KUBE-POD-FW-UJFKDFHRMKJDL4BC
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UJFKDFHRMKJDL4BC" -s 172.16.0.43 -j KUBE-POD-FW-UJFKDFHRMKJDL4BC
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UJFKDFHRMKJDL4BC" -s 172.16.0.43 -j KUBE-POD-FW-UJFKDFHRMKJDL4BC
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UJFKDFHRMKJDL4BC" -s 172.16.0.43 -j KUBE-POD-FW-UJFKDFHRMKJDL4BC
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-UJFKDFHRMKJDL4BC -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-UJFKDFHRMKJDL4BC -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-UJFKDFHRMKJDL4BC -j MARK --set-mark 0/0x10000
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-UJFKDFHRMKJDL4BC -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-CARTUS76W3QCVQV7 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-CARTUS76W3QCVQV7 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-CARTUS76W3QCVQV7 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-CARTUS76W3QCVQV7 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:19:29 truenas env[20630]: -I KUBE-POD-FW-CARTUS76W3QCVQV7 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CARTUS76W3QCVQV7" -d 172.16.0.46 -j KUBE-POD-FW-CARTUS76W3QCVQV7
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CARTUS76W3QCVQV7" -d 172.16.0.46 -j KUBE-POD-FW-CARTUS76W3QCVQV7
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CARTUS76W3QCVQV7" -d 172.16.0.46 -j KUBE-POD-FW-CARTUS76W3QCVQV7
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CARTUS76W3QCVQV7" -s 172.16.0.46 -j KUBE-POD-FW-CARTUS76W3QCVQV7
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CARTUS76W3QCVQV7" -s 172.16.0.46 -j KUBE-POD-FW-CARTUS76W3QCVQV7
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CARTUS76W3QCVQV7" -s 172.16.0.46 -j KUBE-POD-FW-CARTUS76W3QCVQV7
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CARTUS76W3QCVQV7" -s 172.16.0.46 -j KUBE-POD-FW-CARTUS76W3QCVQV7
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-CARTUS76W3QCVQV7 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-CARTUS76W3QCVQV7 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-CARTUS76W3QCVQV7 -j MARK --set-mark 0/0x10000
Jun  7 23:19:29 truenas env[20630]: -A KUBE-POD-FW-CARTUS76W3QCVQV7 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:19:29 truenas env[20630]: COMMIT
Jun  7 23:20:02 truenas systemd[1]: Starting system activity accounting tool...
Jun  7 23:20:02 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  7 23:20:02 truenas systemd[1]: Finished system activity accounting tool.
Jun  7 23:24:29 truenas env[20630]: E0607 23:24:29.748640   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:24:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:24:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:24:29 truenas env[20630]: )
Jun  7 23:24:29 truenas env[20630]: *filter
Jun  7 23:24:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:24:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 23:24:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 23:24:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 23:24:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 23:24:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 23:24:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 23:24:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 23:24:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:24:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 23:24:29 truenas env[20630]: :KUBE-POD-FW-4HGIWGRMMPVAH3SI - [0:0]
Jun  7 23:24:29 truenas env[20630]: :KUBE-POD-FW-7CFM2RSX2UIK3L6Q - [0:0]
Jun  7 23:24:29 truenas env[20630]: :KUBE-POD-FW-3RXSM2ANYJO564DV - [0:0]
Jun  7 23:24:29 truenas env[20630]: :KUBE-POD-FW-C2KRPT2QSYNLKE6S - [0:0]
Jun  7 23:24:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:24:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 23:24:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 23:24:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 23:24:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 23:24:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 23:24:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 23:24:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 23:24:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 23:24:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-4HGIWGRMMPVAH3SI 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-4HGIWGRMMPVAH3SI 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-4HGIWGRMMPVAH3SI 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-4HGIWGRMMPVAH3SI 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-4HGIWGRMMPVAH3SI 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4HGIWGRMMPVAH3SI" -d 172.16.0.42 -j KUBE-POD-FW-4HGIWGRMMPVAH3SI
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4HGIWGRMMPVAH3SI" -d 172.16.0.42 -j KUBE-POD-FW-4HGIWGRMMPVAH3SI
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4HGIWGRMMPVAH3SI" -d 172.16.0.42 -j KUBE-POD-FW-4HGIWGRMMPVAH3SI
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4HGIWGRMMPVAH3SI" -s 172.16.0.42 -j KUBE-POD-FW-4HGIWGRMMPVAH3SI
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4HGIWGRMMPVAH3SI" -s 172.16.0.42 -j KUBE-POD-FW-4HGIWGRMMPVAH3SI
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4HGIWGRMMPVAH3SI" -s 172.16.0.42 -j KUBE-POD-FW-4HGIWGRMMPVAH3SI
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4HGIWGRMMPVAH3SI" -s 172.16.0.42 -j KUBE-POD-FW-4HGIWGRMMPVAH3SI
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-4HGIWGRMMPVAH3SI -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-4HGIWGRMMPVAH3SI -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-4HGIWGRMMPVAH3SI -j MARK --set-mark 0/0x10000
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-4HGIWGRMMPVAH3SI -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-7CFM2RSX2UIK3L6Q 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-7CFM2RSX2UIK3L6Q 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-7CFM2RSX2UIK3L6Q 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-7CFM2RSX2UIK3L6Q 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-7CFM2RSX2UIK3L6Q 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7CFM2RSX2UIK3L6Q" -d 172.16.0.45 -j KUBE-POD-FW-7CFM2RSX2UIK3L6Q
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7CFM2RSX2UIK3L6Q" -d 172.16.0.45 -j KUBE-POD-FW-7CFM2RSX2UIK3L6Q
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7CFM2RSX2UIK3L6Q" -d 172.16.0.45 -j KUBE-POD-FW-7CFM2RSX2UIK3L6Q
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7CFM2RSX2UIK3L6Q" -s 172.16.0.45 -j KUBE-POD-FW-7CFM2RSX2UIK3L6Q
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7CFM2RSX2UIK3L6Q" -s 172.16.0.45 -j KUBE-POD-FW-7CFM2RSX2UIK3L6Q
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7CFM2RSX2UIK3L6Q" -s 172.16.0.45 -j KUBE-POD-FW-7CFM2RSX2UIK3L6Q
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7CFM2RSX2UIK3L6Q" -s 172.16.0.45 -j KUBE-POD-FW-7CFM2RSX2UIK3L6Q
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-7CFM2RSX2UIK3L6Q -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-7CFM2RSX2UIK3L6Q -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-7CFM2RSX2UIK3L6Q -j MARK --set-mark 0/0x10000
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-7CFM2RSX2UIK3L6Q -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-3RXSM2ANYJO564DV 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-3RXSM2ANYJO564DV 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-3RXSM2ANYJO564DV 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-3RXSM2ANYJO564DV 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-3RXSM2ANYJO564DV 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3RXSM2ANYJO564DV" -d 172.16.0.43 -j KUBE-POD-FW-3RXSM2ANYJO564DV
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3RXSM2ANYJO564DV" -d 172.16.0.43 -j KUBE-POD-FW-3RXSM2ANYJO564DV
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3RXSM2ANYJO564DV" -d 172.16.0.43 -j KUBE-POD-FW-3RXSM2ANYJO564DV
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3RXSM2ANYJO564DV" -s 172.16.0.43 -j KUBE-POD-FW-3RXSM2ANYJO564DV
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3RXSM2ANYJO564DV" -s 172.16.0.43 -j KUBE-POD-FW-3RXSM2ANYJO564DV
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3RXSM2ANYJO564DV" -s 172.16.0.43 -j KUBE-POD-FW-3RXSM2ANYJO564DV
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3RXSM2ANYJO564DV" -s 172.16.0.43 -j KUBE-POD-FW-3RXSM2ANYJO564DV
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-3RXSM2ANYJO564DV -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-3RXSM2ANYJO564DV -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-3RXSM2ANYJO564DV -j MARK --set-mark 0/0x10000
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-3RXSM2ANYJO564DV -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-C2KRPT2QSYNLKE6S 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-C2KRPT2QSYNLKE6S 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-C2KRPT2QSYNLKE6S 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-C2KRPT2QSYNLKE6S 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:24:29 truenas env[20630]: -I KUBE-POD-FW-C2KRPT2QSYNLKE6S 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-C2KRPT2QSYNLKE6S" -d 172.16.0.46 -j KUBE-POD-FW-C2KRPT2QSYNLKE6S
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-C2KRPT2QSYNLKE6S" -d 172.16.0.46 -j KUBE-POD-FW-C2KRPT2QSYNLKE6S
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-C2KRPT2QSYNLKE6S" -d 172.16.0.46 -j KUBE-POD-FW-C2KRPT2QSYNLKE6S
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-C2KRPT2QSYNLKE6S" -s 172.16.0.46 -j KUBE-POD-FW-C2KRPT2QSYNLKE6S
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-C2KRPT2QSYNLKE6S" -s 172.16.0.46 -j KUBE-POD-FW-C2KRPT2QSYNLKE6S
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-C2KRPT2QSYNLKE6S" -s 172.16.0.46 -j KUBE-POD-FW-C2KRPT2QSYNLKE6S
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-C2KRPT2QSYNLKE6S" -s 172.16.0.46 -j KUBE-POD-FW-C2KRPT2QSYNLKE6S
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-C2KRPT2QSYNLKE6S -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-C2KRPT2QSYNLKE6S -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-C2KRPT2QSYNLKE6S -j MARK --set-mark 0/0x10000
Jun  7 23:24:29 truenas env[20630]: -A KUBE-POD-FW-C2KRPT2QSYNLKE6S -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:24:29 truenas env[20630]: COMMIT
Jun  7 23:29:06 truenas smartd[3887]: Device: /dev/sdb [SAT], SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 73 to 74
Jun  7 23:29:06 truenas smartd[3887]: Device: /dev/sdb [SAT], SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 73 to 74
Jun  7 23:29:07 truenas smartd[3887]: Device: /dev/sdc [SAT], SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 80 to 81
Jun  7 23:29:07 truenas smartd[3887]: Device: /dev/sdc [SAT], SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 80 to 81
Jun  7 23:29:29 truenas env[20630]: E0607 23:29:29.756616   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:29:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:29:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:29:29 truenas env[20630]: )
Jun  7 23:29:29 truenas env[20630]: *filter
Jun  7 23:29:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:29:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 23:29:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 23:29:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 23:29:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 23:29:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 23:29:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 23:29:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 23:29:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:29:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 23:29:29 truenas env[20630]: :KUBE-POD-FW-Y7OYF4MCQOFQEKB4 - [0:0]
Jun  7 23:29:29 truenas env[20630]: :KUBE-POD-FW-QWEI7ZHNP7YJKQPQ - [0:0]
Jun  7 23:29:29 truenas env[20630]: :KUBE-POD-FW-BMLICIA6TPRYXXKT - [0:0]
Jun  7 23:29:29 truenas env[20630]: :KUBE-POD-FW-XCTHJDRI6VJ5RWRP - [0:0]
Jun  7 23:29:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:29:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 23:29:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 23:29:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 23:29:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 23:29:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 23:29:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 23:29:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 23:29:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 23:29:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-Y7OYF4MCQOFQEKB4 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-Y7OYF4MCQOFQEKB4 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-Y7OYF4MCQOFQEKB4 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-Y7OYF4MCQOFQEKB4 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-Y7OYF4MCQOFQEKB4 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y7OYF4MCQOFQEKB4" -d 172.16.0.42 -j KUBE-POD-FW-Y7OYF4MCQOFQEKB4
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y7OYF4MCQOFQEKB4" -d 172.16.0.42 -j KUBE-POD-FW-Y7OYF4MCQOFQEKB4
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y7OYF4MCQOFQEKB4" -d 172.16.0.42 -j KUBE-POD-FW-Y7OYF4MCQOFQEKB4
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y7OYF4MCQOFQEKB4" -s 172.16.0.42 -j KUBE-POD-FW-Y7OYF4MCQOFQEKB4
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y7OYF4MCQOFQEKB4" -s 172.16.0.42 -j KUBE-POD-FW-Y7OYF4MCQOFQEKB4
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y7OYF4MCQOFQEKB4" -s 172.16.0.42 -j KUBE-POD-FW-Y7OYF4MCQOFQEKB4
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y7OYF4MCQOFQEKB4" -s 172.16.0.42 -j KUBE-POD-FW-Y7OYF4MCQOFQEKB4
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-Y7OYF4MCQOFQEKB4 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-Y7OYF4MCQOFQEKB4 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-Y7OYF4MCQOFQEKB4 -j MARK --set-mark 0/0x10000
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-Y7OYF4MCQOFQEKB4 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-QWEI7ZHNP7YJKQPQ 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-QWEI7ZHNP7YJKQPQ 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-QWEI7ZHNP7YJKQPQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-QWEI7ZHNP7YJKQPQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-QWEI7ZHNP7YJKQPQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QWEI7ZHNP7YJKQPQ" -d 172.16.0.45 -j KUBE-POD-FW-QWEI7ZHNP7YJKQPQ
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QWEI7ZHNP7YJKQPQ" -d 172.16.0.45 -j KUBE-POD-FW-QWEI7ZHNP7YJKQPQ
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QWEI7ZHNP7YJKQPQ" -d 172.16.0.45 -j KUBE-POD-FW-QWEI7ZHNP7YJKQPQ
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QWEI7ZHNP7YJKQPQ" -s 172.16.0.45 -j KUBE-POD-FW-QWEI7ZHNP7YJKQPQ
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QWEI7ZHNP7YJKQPQ" -s 172.16.0.45 -j KUBE-POD-FW-QWEI7ZHNP7YJKQPQ
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QWEI7ZHNP7YJKQPQ" -s 172.16.0.45 -j KUBE-POD-FW-QWEI7ZHNP7YJKQPQ
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QWEI7ZHNP7YJKQPQ" -s 172.16.0.45 -j KUBE-POD-FW-QWEI7ZHNP7YJKQPQ
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-QWEI7ZHNP7YJKQPQ -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-QWEI7ZHNP7YJKQPQ -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-QWEI7ZHNP7YJKQPQ -j MARK --set-mark 0/0x10000
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-QWEI7ZHNP7YJKQPQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-BMLICIA6TPRYXXKT 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-BMLICIA6TPRYXXKT 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-BMLICIA6TPRYXXKT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-BMLICIA6TPRYXXKT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-BMLICIA6TPRYXXKT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BMLICIA6TPRYXXKT" -d 172.16.0.43 -j KUBE-POD-FW-BMLICIA6TPRYXXKT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BMLICIA6TPRYXXKT" -d 172.16.0.43 -j KUBE-POD-FW-BMLICIA6TPRYXXKT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BMLICIA6TPRYXXKT" -d 172.16.0.43 -j KUBE-POD-FW-BMLICIA6TPRYXXKT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BMLICIA6TPRYXXKT" -s 172.16.0.43 -j KUBE-POD-FW-BMLICIA6TPRYXXKT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BMLICIA6TPRYXXKT" -s 172.16.0.43 -j KUBE-POD-FW-BMLICIA6TPRYXXKT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BMLICIA6TPRYXXKT" -s 172.16.0.43 -j KUBE-POD-FW-BMLICIA6TPRYXXKT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BMLICIA6TPRYXXKT" -s 172.16.0.43 -j KUBE-POD-FW-BMLICIA6TPRYXXKT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-BMLICIA6TPRYXXKT -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-BMLICIA6TPRYXXKT -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-BMLICIA6TPRYXXKT -j MARK --set-mark 0/0x10000
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-BMLICIA6TPRYXXKT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-XCTHJDRI6VJ5RWRP 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-XCTHJDRI6VJ5RWRP 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-XCTHJDRI6VJ5RWRP 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-XCTHJDRI6VJ5RWRP 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:29:29 truenas env[20630]: -I KUBE-POD-FW-XCTHJDRI6VJ5RWRP 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XCTHJDRI6VJ5RWRP" -d 172.16.0.46 -j KUBE-POD-FW-XCTHJDRI6VJ5RWRP
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XCTHJDRI6VJ5RWRP" -d 172.16.0.46 -j KUBE-POD-FW-XCTHJDRI6VJ5RWRP
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XCTHJDRI6VJ5RWRP" -d 172.16.0.46 -j KUBE-POD-FW-XCTHJDRI6VJ5RWRP
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XCTHJDRI6VJ5RWRP" -s 172.16.0.46 -j KUBE-POD-FW-XCTHJDRI6VJ5RWRP
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XCTHJDRI6VJ5RWRP" -s 172.16.0.46 -j KUBE-POD-FW-XCTHJDRI6VJ5RWRP
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XCTHJDRI6VJ5RWRP" -s 172.16.0.46 -j KUBE-POD-FW-XCTHJDRI6VJ5RWRP
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XCTHJDRI6VJ5RWRP" -s 172.16.0.46 -j KUBE-POD-FW-XCTHJDRI6VJ5RWRP
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-XCTHJDRI6VJ5RWRP -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-XCTHJDRI6VJ5RWRP -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-XCTHJDRI6VJ5RWRP -j MARK --set-mark 0/0x10000
Jun  7 23:29:29 truenas env[20630]: -A KUBE-POD-FW-XCTHJDRI6VJ5RWRP -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:29:29 truenas env[20630]: COMMIT
Jun  7 23:30:04 truenas systemd[1]: Starting system activity accounting tool...
Jun  7 23:30:04 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  7 23:30:04 truenas systemd[1]: Finished system activity accounting tool.
Jun  7 23:34:29 truenas env[20630]: E0607 23:34:29.768617   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:34:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:34:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:34:29 truenas env[20630]: )
Jun  7 23:34:29 truenas env[20630]: *filter
Jun  7 23:34:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:34:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 23:34:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 23:34:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 23:34:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 23:34:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 23:34:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 23:34:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 23:34:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:34:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 23:34:29 truenas env[20630]: :KUBE-POD-FW-MVXU5YIPFX4U5NIN - [0:0]
Jun  7 23:34:29 truenas env[20630]: :KUBE-POD-FW-57TTEVVYFUYPMATN - [0:0]
Jun  7 23:34:29 truenas env[20630]: :KUBE-POD-FW-3ALUZEP6IOZCDZSF - [0:0]
Jun  7 23:34:29 truenas env[20630]: :KUBE-POD-FW-SUERCICYMFUZQUZJ - [0:0]
Jun  7 23:34:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:34:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 23:34:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 23:34:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 23:34:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 23:34:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 23:34:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 23:34:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 23:34:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 23:34:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-MVXU5YIPFX4U5NIN 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-MVXU5YIPFX4U5NIN 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-MVXU5YIPFX4U5NIN 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-MVXU5YIPFX4U5NIN 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-MVXU5YIPFX4U5NIN 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MVXU5YIPFX4U5NIN" -d 172.16.0.43 -j KUBE-POD-FW-MVXU5YIPFX4U5NIN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MVXU5YIPFX4U5NIN" -d 172.16.0.43 -j KUBE-POD-FW-MVXU5YIPFX4U5NIN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MVXU5YIPFX4U5NIN" -d 172.16.0.43 -j KUBE-POD-FW-MVXU5YIPFX4U5NIN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MVXU5YIPFX4U5NIN" -s 172.16.0.43 -j KUBE-POD-FW-MVXU5YIPFX4U5NIN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MVXU5YIPFX4U5NIN" -s 172.16.0.43 -j KUBE-POD-FW-MVXU5YIPFX4U5NIN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MVXU5YIPFX4U5NIN" -s 172.16.0.43 -j KUBE-POD-FW-MVXU5YIPFX4U5NIN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MVXU5YIPFX4U5NIN" -s 172.16.0.43 -j KUBE-POD-FW-MVXU5YIPFX4U5NIN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-MVXU5YIPFX4U5NIN -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-MVXU5YIPFX4U5NIN -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-MVXU5YIPFX4U5NIN -j MARK --set-mark 0/0x10000
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-MVXU5YIPFX4U5NIN -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-57TTEVVYFUYPMATN 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-57TTEVVYFUYPMATN 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-57TTEVVYFUYPMATN 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-57TTEVVYFUYPMATN 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-57TTEVVYFUYPMATN 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-57TTEVVYFUYPMATN" -d 172.16.0.46 -j KUBE-POD-FW-57TTEVVYFUYPMATN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-57TTEVVYFUYPMATN" -d 172.16.0.46 -j KUBE-POD-FW-57TTEVVYFUYPMATN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-57TTEVVYFUYPMATN" -d 172.16.0.46 -j KUBE-POD-FW-57TTEVVYFUYPMATN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-57TTEVVYFUYPMATN" -s 172.16.0.46 -j KUBE-POD-FW-57TTEVVYFUYPMATN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-57TTEVVYFUYPMATN" -s 172.16.0.46 -j KUBE-POD-FW-57TTEVVYFUYPMATN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-57TTEVVYFUYPMATN" -s 172.16.0.46 -j KUBE-POD-FW-57TTEVVYFUYPMATN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-57TTEVVYFUYPMATN" -s 172.16.0.46 -j KUBE-POD-FW-57TTEVVYFUYPMATN
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-57TTEVVYFUYPMATN -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-57TTEVVYFUYPMATN -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-57TTEVVYFUYPMATN -j MARK --set-mark 0/0x10000
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-57TTEVVYFUYPMATN -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-3ALUZEP6IOZCDZSF 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-3ALUZEP6IOZCDZSF 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-3ALUZEP6IOZCDZSF 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-3ALUZEP6IOZCDZSF 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-3ALUZEP6IOZCDZSF 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3ALUZEP6IOZCDZSF" -d 172.16.0.42 -j KUBE-POD-FW-3ALUZEP6IOZCDZSF
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3ALUZEP6IOZCDZSF" -d 172.16.0.42 -j KUBE-POD-FW-3ALUZEP6IOZCDZSF
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3ALUZEP6IOZCDZSF" -d 172.16.0.42 -j KUBE-POD-FW-3ALUZEP6IOZCDZSF
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3ALUZEP6IOZCDZSF" -s 172.16.0.42 -j KUBE-POD-FW-3ALUZEP6IOZCDZSF
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3ALUZEP6IOZCDZSF" -s 172.16.0.42 -j KUBE-POD-FW-3ALUZEP6IOZCDZSF
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3ALUZEP6IOZCDZSF" -s 172.16.0.42 -j KUBE-POD-FW-3ALUZEP6IOZCDZSF
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3ALUZEP6IOZCDZSF" -s 172.16.0.42 -j KUBE-POD-FW-3ALUZEP6IOZCDZSF
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-3ALUZEP6IOZCDZSF -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-3ALUZEP6IOZCDZSF -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-3ALUZEP6IOZCDZSF -j MARK --set-mark 0/0x10000
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-3ALUZEP6IOZCDZSF -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-SUERCICYMFUZQUZJ 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-SUERCICYMFUZQUZJ 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-SUERCICYMFUZQUZJ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-SUERCICYMFUZQUZJ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:34:29 truenas env[20630]: -I KUBE-POD-FW-SUERCICYMFUZQUZJ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SUERCICYMFUZQUZJ" -d 172.16.0.45 -j KUBE-POD-FW-SUERCICYMFUZQUZJ
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SUERCICYMFUZQUZJ" -d 172.16.0.45 -j KUBE-POD-FW-SUERCICYMFUZQUZJ
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SUERCICYMFUZQUZJ" -d 172.16.0.45 -j KUBE-POD-FW-SUERCICYMFUZQUZJ
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SUERCICYMFUZQUZJ" -s 172.16.0.45 -j KUBE-POD-FW-SUERCICYMFUZQUZJ
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SUERCICYMFUZQUZJ" -s 172.16.0.45 -j KUBE-POD-FW-SUERCICYMFUZQUZJ
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SUERCICYMFUZQUZJ" -s 172.16.0.45 -j KUBE-POD-FW-SUERCICYMFUZQUZJ
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SUERCICYMFUZQUZJ" -s 172.16.0.45 -j KUBE-POD-FW-SUERCICYMFUZQUZJ
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-SUERCICYMFUZQUZJ -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-SUERCICYMFUZQUZJ -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-SUERCICYMFUZQUZJ -j MARK --set-mark 0/0x10000
Jun  7 23:34:29 truenas env[20630]: -A KUBE-POD-FW-SUERCICYMFUZQUZJ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:34:29 truenas env[20630]: COMMIT
Jun  7 23:39:29 truenas env[20630]: E0607 23:39:29.736806   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:39:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:39:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:39:29 truenas env[20630]: )
Jun  7 23:39:29 truenas env[20630]: *filter
Jun  7 23:39:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:39:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 23:39:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 23:39:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 23:39:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 23:39:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 23:39:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 23:39:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 23:39:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:39:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 23:39:29 truenas env[20630]: :KUBE-POD-FW-O5IGYSDKXV4BNTPO - [0:0]
Jun  7 23:39:29 truenas env[20630]: :KUBE-POD-FW-6KBHPZNW4UDMJI3X - [0:0]
Jun  7 23:39:29 truenas env[20630]: :KUBE-POD-FW-VHRUPAUAYKIFMAU6 - [0:0]
Jun  7 23:39:29 truenas env[20630]: :KUBE-POD-FW-XNCVUCMAAUMZKHSB - [0:0]
Jun  7 23:39:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:39:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 23:39:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 23:39:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 23:39:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 23:39:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 23:39:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 23:39:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 23:39:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 23:39:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-O5IGYSDKXV4BNTPO 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-O5IGYSDKXV4BNTPO 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-O5IGYSDKXV4BNTPO 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-O5IGYSDKXV4BNTPO 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-O5IGYSDKXV4BNTPO 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-O5IGYSDKXV4BNTPO" -d 172.16.0.42 -j KUBE-POD-FW-O5IGYSDKXV4BNTPO
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-O5IGYSDKXV4BNTPO" -d 172.16.0.42 -j KUBE-POD-FW-O5IGYSDKXV4BNTPO
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-O5IGYSDKXV4BNTPO" -d 172.16.0.42 -j KUBE-POD-FW-O5IGYSDKXV4BNTPO
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-O5IGYSDKXV4BNTPO" -s 172.16.0.42 -j KUBE-POD-FW-O5IGYSDKXV4BNTPO
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-O5IGYSDKXV4BNTPO" -s 172.16.0.42 -j KUBE-POD-FW-O5IGYSDKXV4BNTPO
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-O5IGYSDKXV4BNTPO" -s 172.16.0.42 -j KUBE-POD-FW-O5IGYSDKXV4BNTPO
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-O5IGYSDKXV4BNTPO" -s 172.16.0.42 -j KUBE-POD-FW-O5IGYSDKXV4BNTPO
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-O5IGYSDKXV4BNTPO -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-O5IGYSDKXV4BNTPO -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-O5IGYSDKXV4BNTPO -j MARK --set-mark 0/0x10000
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-O5IGYSDKXV4BNTPO -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-6KBHPZNW4UDMJI3X 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-6KBHPZNW4UDMJI3X 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-6KBHPZNW4UDMJI3X 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-6KBHPZNW4UDMJI3X 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-6KBHPZNW4UDMJI3X 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6KBHPZNW4UDMJI3X" -d 172.16.0.45 -j KUBE-POD-FW-6KBHPZNW4UDMJI3X
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6KBHPZNW4UDMJI3X" -d 172.16.0.45 -j KUBE-POD-FW-6KBHPZNW4UDMJI3X
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6KBHPZNW4UDMJI3X" -d 172.16.0.45 -j KUBE-POD-FW-6KBHPZNW4UDMJI3X
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6KBHPZNW4UDMJI3X" -s 172.16.0.45 -j KUBE-POD-FW-6KBHPZNW4UDMJI3X
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6KBHPZNW4UDMJI3X" -s 172.16.0.45 -j KUBE-POD-FW-6KBHPZNW4UDMJI3X
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6KBHPZNW4UDMJI3X" -s 172.16.0.45 -j KUBE-POD-FW-6KBHPZNW4UDMJI3X
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6KBHPZNW4UDMJI3X" -s 172.16.0.45 -j KUBE-POD-FW-6KBHPZNW4UDMJI3X
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-6KBHPZNW4UDMJI3X -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-6KBHPZNW4UDMJI3X -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-6KBHPZNW4UDMJI3X -j MARK --set-mark 0/0x10000
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-6KBHPZNW4UDMJI3X -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-VHRUPAUAYKIFMAU6 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-VHRUPAUAYKIFMAU6 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-VHRUPAUAYKIFMAU6 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-VHRUPAUAYKIFMAU6 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-VHRUPAUAYKIFMAU6 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VHRUPAUAYKIFMAU6" -d 172.16.0.43 -j KUBE-POD-FW-VHRUPAUAYKIFMAU6
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VHRUPAUAYKIFMAU6" -d 172.16.0.43 -j KUBE-POD-FW-VHRUPAUAYKIFMAU6
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VHRUPAUAYKIFMAU6" -d 172.16.0.43 -j KUBE-POD-FW-VHRUPAUAYKIFMAU6
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VHRUPAUAYKIFMAU6" -s 172.16.0.43 -j KUBE-POD-FW-VHRUPAUAYKIFMAU6
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VHRUPAUAYKIFMAU6" -s 172.16.0.43 -j KUBE-POD-FW-VHRUPAUAYKIFMAU6
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VHRUPAUAYKIFMAU6" -s 172.16.0.43 -j KUBE-POD-FW-VHRUPAUAYKIFMAU6
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VHRUPAUAYKIFMAU6" -s 172.16.0.43 -j KUBE-POD-FW-VHRUPAUAYKIFMAU6
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-VHRUPAUAYKIFMAU6 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-VHRUPAUAYKIFMAU6 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-VHRUPAUAYKIFMAU6 -j MARK --set-mark 0/0x10000
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-VHRUPAUAYKIFMAU6 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-XNCVUCMAAUMZKHSB 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-XNCVUCMAAUMZKHSB 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-XNCVUCMAAUMZKHSB 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-XNCVUCMAAUMZKHSB 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:39:29 truenas env[20630]: -I KUBE-POD-FW-XNCVUCMAAUMZKHSB 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XNCVUCMAAUMZKHSB" -d 172.16.0.46 -j KUBE-POD-FW-XNCVUCMAAUMZKHSB
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XNCVUCMAAUMZKHSB" -d 172.16.0.46 -j KUBE-POD-FW-XNCVUCMAAUMZKHSB
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XNCVUCMAAUMZKHSB" -d 172.16.0.46 -j KUBE-POD-FW-XNCVUCMAAUMZKHSB
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XNCVUCMAAUMZKHSB" -s 172.16.0.46 -j KUBE-POD-FW-XNCVUCMAAUMZKHSB
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XNCVUCMAAUMZKHSB" -s 172.16.0.46 -j KUBE-POD-FW-XNCVUCMAAUMZKHSB
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XNCVUCMAAUMZKHSB" -s 172.16.0.46 -j KUBE-POD-FW-XNCVUCMAAUMZKHSB
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XNCVUCMAAUMZKHSB" -s 172.16.0.46 -j KUBE-POD-FW-XNCVUCMAAUMZKHSB
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-XNCVUCMAAUMZKHSB -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-XNCVUCMAAUMZKHSB -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-XNCVUCMAAUMZKHSB -j MARK --set-mark 0/0x10000
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-XNCVUCMAAUMZKHSB -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: COMMIT
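The line number in the error is relative to the payload kube-router echoes after it: counting "*filter" as line 1, line 103 of the dump above is "-A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies ...". Unlike every other rule in the dump, that comment is not wrapped in double quotes, so iptables-restore takes "rule" as the comment value and rejects the next word, which is exactly the "Bad argument `to'" it reports. Every sync regenerates the same rule, which is why the failure recurs at line 103 each time. The Python script below is an added example, not part of this log or of kube-router; it runs over a constructed, abbreviated journal excerpt (a handful of the rules above, so the bad line lands at 6 rather than 103), finds the reported line, flags any --comment whose value is not a single token, and re-emits the rule with the comment quoted. The journal prefix pattern and the helper names are assumptions for the example.

```python
from __future__ import annotations

import re
import shlex

# Constructed sample in the journal format above, shortened to a few rules.
# The unquoted comment is deliberately on payload line 6 here.
SAMPLE_LOG = """\
Jun  7 23:39:29 truenas env[20630]: E0607 23:39:29.736806   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:39:29 truenas env[20630]: Error occurred at line: 6
Jun  7 23:39:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:39:29 truenas env[20630]: )
Jun  7 23:39:29 truenas env[20630]: *filter
Jun  7 23:39:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:39:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:39:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:39:29 truenas env[20630]: -A KUBE-POD-FW-O5IGYSDKXV4BNTPO -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:39:29 truenas env[20630]: COMMIT
"""

# Assumed syslog-style prefix: "Mon DD HH:MM:SS host unit[pid]: " (assumption).
JOURNAL_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ")


def extract_restore_payload(log_text: str) -> tuple[int | None, list[str]]:
    """Return (line number iptables-restore reported, echoed payload lines).

    The payload runs from the '*<table>' header through 'COMMIT', with the
    journal prefix stripped; numbering is 1-based, as iptables-restore counts.
    """
    reported = None
    payload: list[str] = []
    in_payload = False
    for raw in log_text.splitlines():
        line = JOURNAL_PREFIX.sub("", raw, count=1)
        m = re.search(r"Error occurred at line: (\d+)", line)
        if m:
            reported = int(m.group(1))
        if line.startswith("*"):
            in_payload = True
        if in_payload:
            payload.append(line)
            if line == "COMMIT":
                in_payload = False
    return reported, payload


def _is_option(tok: str) -> bool:
    # iptables treats a leading '-' or a bare '!' as the start of the next match/target.
    return tok.startswith("-") or tok == "!"


def find_unquoted_comments(payload: list[str]) -> list[tuple[int, str]]:
    """Flag rule lines whose --comment value spills into extra tokens.

    shlex splits on whitespace while honouring double quotes, like iptables.
    After '--comment <value>' the next token must be an option or nothing;
    any other word is what iptables-restore reports as Bad argument `<word>'.
    """
    findings = []
    for lineno, line in enumerate(payload, start=1):
        if not line.startswith(("-A", "-I")):
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens):
            if tok == "--comment" and i + 2 < len(tokens) and not _is_option(tokens[i + 2]):
                findings.append((lineno, tokens[i + 2]))
    return findings


def quote_comment(line: str) -> str:
    """Re-emit a rule with everything up to the next option folded into a quoted comment."""
    tokens = shlex.split(line)
    out: list[str] = []
    i = 0
    while i < len(tokens):
        out.append(tokens[i])
        if tokens[i] == "--comment":
            j = i + 1
            words = []
            while j < len(tokens) and not _is_option(tokens[j]):
                words.append(tokens[j])
                j += 1
            out.append('"' + " ".join(words) + '"')
            i = j
            continue
        i += 1
    return " ".join(out)


def diagnose(log_text: str) -> dict:
    """Tie the reported line number to the rule that actually sits there."""
    reported, payload = extract_restore_payload(log_text)
    findings = find_unquoted_comments(payload)
    offending = payload[reported - 1] if reported and reported <= len(payload) else None
    return {
        "reported_line": reported,
        "flagged": findings,
        "matches_report": any(n == reported for n, _ in findings),
        "offending_rule": offending,
        "fixed_rule": quote_comment(offending) if offending else None,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it against the full journal excerpt instead of the sample gives reported_line 103 and flags the same KUBE-ROUTER-OUTPUT rule; the quoted form it prints is the rule as every other comment in the dump is already written. Until the generated rule is fixed, each failed sync leaves the previous rule set in place, so new pods do not get their KUBE-POD-FW chains applied.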
Jun  7 23:40:04 truenas systemd[1]: Starting system activity accounting tool...
Jun  7 23:40:04 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  7 23:40:04 truenas systemd[1]: Finished system activity accounting tool.
Jun  7 23:44:29 truenas env[20630]: E0607 23:44:29.756897   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:44:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:44:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:44:29 truenas env[20630]: )
Jun  7 23:44:29 truenas env[20630]: *filter
Jun  7 23:44:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:44:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 23:44:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 23:44:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 23:44:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 23:44:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 23:44:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 23:44:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 23:44:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:44:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 23:44:29 truenas env[20630]: :KUBE-POD-FW-IBLYTXMXDBINHFRO - [0:0]
Jun  7 23:44:29 truenas env[20630]: :KUBE-POD-FW-UNIDOGJHK7O6TT52 - [0:0]
Jun  7 23:44:29 truenas env[20630]: :KUBE-POD-FW-EPPPFSBQBPAUY4JE - [0:0]
Jun  7 23:44:29 truenas env[20630]: :KUBE-POD-FW-GTNLBENG7VG5JDXD - [0:0]
Jun  7 23:44:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:44:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 23:44:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 23:44:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 23:44:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 23:44:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 23:44:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 23:44:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 23:44:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 23:44:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-IBLYTXMXDBINHFRO 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-IBLYTXMXDBINHFRO 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-IBLYTXMXDBINHFRO 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-IBLYTXMXDBINHFRO 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-IBLYTXMXDBINHFRO 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IBLYTXMXDBINHFRO" -d 172.16.0.42 -j KUBE-POD-FW-IBLYTXMXDBINHFRO
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IBLYTXMXDBINHFRO" -d 172.16.0.42 -j KUBE-POD-FW-IBLYTXMXDBINHFRO
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IBLYTXMXDBINHFRO" -d 172.16.0.42 -j KUBE-POD-FW-IBLYTXMXDBINHFRO
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IBLYTXMXDBINHFRO" -s 172.16.0.42 -j KUBE-POD-FW-IBLYTXMXDBINHFRO
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IBLYTXMXDBINHFRO" -s 172.16.0.42 -j KUBE-POD-FW-IBLYTXMXDBINHFRO
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IBLYTXMXDBINHFRO" -s 172.16.0.42 -j KUBE-POD-FW-IBLYTXMXDBINHFRO
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IBLYTXMXDBINHFRO" -s 172.16.0.42 -j KUBE-POD-FW-IBLYTXMXDBINHFRO
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-IBLYTXMXDBINHFRO -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-IBLYTXMXDBINHFRO -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-IBLYTXMXDBINHFRO -j MARK --set-mark 0/0x10000
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-IBLYTXMXDBINHFRO -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-UNIDOGJHK7O6TT52 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-UNIDOGJHK7O6TT52 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-UNIDOGJHK7O6TT52 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-UNIDOGJHK7O6TT52 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-UNIDOGJHK7O6TT52 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-UNIDOGJHK7O6TT52" -d 172.16.0.45 -j KUBE-POD-FW-UNIDOGJHK7O6TT52
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-UNIDOGJHK7O6TT52" -d 172.16.0.45 -j KUBE-POD-FW-UNIDOGJHK7O6TT52
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-UNIDOGJHK7O6TT52" -d 172.16.0.45 -j KUBE-POD-FW-UNIDOGJHK7O6TT52
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-UNIDOGJHK7O6TT52" -s 172.16.0.45 -j KUBE-POD-FW-UNIDOGJHK7O6TT52
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-UNIDOGJHK7O6TT52" -s 172.16.0.45 -j KUBE-POD-FW-UNIDOGJHK7O6TT52
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-UNIDOGJHK7O6TT52" -s 172.16.0.45 -j KUBE-POD-FW-UNIDOGJHK7O6TT52
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-UNIDOGJHK7O6TT52" -s 172.16.0.45 -j KUBE-POD-FW-UNIDOGJHK7O6TT52
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-UNIDOGJHK7O6TT52 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-UNIDOGJHK7O6TT52 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-UNIDOGJHK7O6TT52 -j MARK --set-mark 0/0x10000
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-UNIDOGJHK7O6TT52 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-EPPPFSBQBPAUY4JE 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-EPPPFSBQBPAUY4JE 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-EPPPFSBQBPAUY4JE 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-EPPPFSBQBPAUY4JE 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-EPPPFSBQBPAUY4JE 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EPPPFSBQBPAUY4JE" -d 172.16.0.43 -j KUBE-POD-FW-EPPPFSBQBPAUY4JE
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EPPPFSBQBPAUY4JE" -d 172.16.0.43 -j KUBE-POD-FW-EPPPFSBQBPAUY4JE
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EPPPFSBQBPAUY4JE" -d 172.16.0.43 -j KUBE-POD-FW-EPPPFSBQBPAUY4JE
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EPPPFSBQBPAUY4JE" -s 172.16.0.43 -j KUBE-POD-FW-EPPPFSBQBPAUY4JE
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EPPPFSBQBPAUY4JE" -s 172.16.0.43 -j KUBE-POD-FW-EPPPFSBQBPAUY4JE
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EPPPFSBQBPAUY4JE" -s 172.16.0.43 -j KUBE-POD-FW-EPPPFSBQBPAUY4JE
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EPPPFSBQBPAUY4JE" -s 172.16.0.43 -j KUBE-POD-FW-EPPPFSBQBPAUY4JE
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-EPPPFSBQBPAUY4JE -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-EPPPFSBQBPAUY4JE -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-EPPPFSBQBPAUY4JE -j MARK --set-mark 0/0x10000
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-EPPPFSBQBPAUY4JE -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-GTNLBENG7VG5JDXD 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-GTNLBENG7VG5JDXD 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-GTNLBENG7VG5JDXD 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-GTNLBENG7VG5JDXD 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:44:29 truenas env[20630]: -I KUBE-POD-FW-GTNLBENG7VG5JDXD 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GTNLBENG7VG5JDXD" -d 172.16.0.46 -j KUBE-POD-FW-GTNLBENG7VG5JDXD
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GTNLBENG7VG5JDXD" -d 172.16.0.46 -j KUBE-POD-FW-GTNLBENG7VG5JDXD
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GTNLBENG7VG5JDXD" -d 172.16.0.46 -j KUBE-POD-FW-GTNLBENG7VG5JDXD
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GTNLBENG7VG5JDXD" -s 172.16.0.46 -j KUBE-POD-FW-GTNLBENG7VG5JDXD
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GTNLBENG7VG5JDXD" -s 172.16.0.46 -j KUBE-POD-FW-GTNLBENG7VG5JDXD
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GTNLBENG7VG5JDXD" -s 172.16.0.46 -j KUBE-POD-FW-GTNLBENG7VG5JDXD
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GTNLBENG7VG5JDXD" -s 172.16.0.46 -j KUBE-POD-FW-GTNLBENG7VG5JDXD
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-GTNLBENG7VG5JDXD -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-GTNLBENG7VG5JDXD -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-GTNLBENG7VG5JDXD -j MARK --set-mark 0/0x10000
Jun  7 23:44:29 truenas env[20630]: -A KUBE-POD-FW-GTNLBENG7VG5JDXD -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:44:29 truenas env[20630]: COMMIT
Jun  7 23:49:29 truenas env[20630]: E0607 23:49:29.797098   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:49:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:49:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:49:29 truenas env[20630]: )
Jun  7 23:49:29 truenas env[20630]: *filter
Jun  7 23:49:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:49:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 23:49:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 23:49:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 23:49:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 23:49:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 23:49:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 23:49:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 23:49:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:49:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 23:49:29 truenas env[20630]: :KUBE-POD-FW-P5Y4KY63JJUEQ2XF - [0:0]
Jun  7 23:49:29 truenas env[20630]: :KUBE-POD-FW-KAWUIQOVOOEGCMW4 - [0:0]
Jun  7 23:49:29 truenas env[20630]: :KUBE-POD-FW-BFLNLDZ7MCWKEZPZ - [0:0]
Jun  7 23:49:29 truenas env[20630]: :KUBE-POD-FW-ABKBHXLOXKRX7JXH - [0:0]
Jun  7 23:49:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:49:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 23:49:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 23:49:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 23:49:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 23:49:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 23:49:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 23:49:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 23:49:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 23:49:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-P5Y4KY63JJUEQ2XF 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-P5Y4KY63JJUEQ2XF 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-P5Y4KY63JJUEQ2XF 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-P5Y4KY63JJUEQ2XF 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-P5Y4KY63JJUEQ2XF 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-P5Y4KY63JJUEQ2XF" -d 172.16.0.43 -j KUBE-POD-FW-P5Y4KY63JJUEQ2XF
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-P5Y4KY63JJUEQ2XF" -d 172.16.0.43 -j KUBE-POD-FW-P5Y4KY63JJUEQ2XF
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-P5Y4KY63JJUEQ2XF" -d 172.16.0.43 -j KUBE-POD-FW-P5Y4KY63JJUEQ2XF
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-P5Y4KY63JJUEQ2XF" -s 172.16.0.43 -j KUBE-POD-FW-P5Y4KY63JJUEQ2XF
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-P5Y4KY63JJUEQ2XF" -s 172.16.0.43 -j KUBE-POD-FW-P5Y4KY63JJUEQ2XF
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-P5Y4KY63JJUEQ2XF" -s 172.16.0.43 -j KUBE-POD-FW-P5Y4KY63JJUEQ2XF
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-P5Y4KY63JJUEQ2XF" -s 172.16.0.43 -j KUBE-POD-FW-P5Y4KY63JJUEQ2XF
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-P5Y4KY63JJUEQ2XF -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-P5Y4KY63JJUEQ2XF -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-P5Y4KY63JJUEQ2XF -j MARK --set-mark 0/0x10000
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-P5Y4KY63JJUEQ2XF -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-KAWUIQOVOOEGCMW4 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-KAWUIQOVOOEGCMW4 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-KAWUIQOVOOEGCMW4 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-KAWUIQOVOOEGCMW4 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-KAWUIQOVOOEGCMW4 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KAWUIQOVOOEGCMW4" -d 172.16.0.46 -j KUBE-POD-FW-KAWUIQOVOOEGCMW4
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KAWUIQOVOOEGCMW4" -d 172.16.0.46 -j KUBE-POD-FW-KAWUIQOVOOEGCMW4
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KAWUIQOVOOEGCMW4" -d 172.16.0.46 -j KUBE-POD-FW-KAWUIQOVOOEGCMW4
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KAWUIQOVOOEGCMW4" -s 172.16.0.46 -j KUBE-POD-FW-KAWUIQOVOOEGCMW4
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KAWUIQOVOOEGCMW4" -s 172.16.0.46 -j KUBE-POD-FW-KAWUIQOVOOEGCMW4
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KAWUIQOVOOEGCMW4" -s 172.16.0.46 -j KUBE-POD-FW-KAWUIQOVOOEGCMW4
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-KAWUIQOVOOEGCMW4" -s 172.16.0.46 -j KUBE-POD-FW-KAWUIQOVOOEGCMW4
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-KAWUIQOVOOEGCMW4 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-KAWUIQOVOOEGCMW4 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-KAWUIQOVOOEGCMW4 -j MARK --set-mark 0/0x10000
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-KAWUIQOVOOEGCMW4 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-BFLNLDZ7MCWKEZPZ 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-BFLNLDZ7MCWKEZPZ 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-BFLNLDZ7MCWKEZPZ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-BFLNLDZ7MCWKEZPZ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-BFLNLDZ7MCWKEZPZ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BFLNLDZ7MCWKEZPZ" -d 172.16.0.42 -j KUBE-POD-FW-BFLNLDZ7MCWKEZPZ
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BFLNLDZ7MCWKEZPZ" -d 172.16.0.42 -j KUBE-POD-FW-BFLNLDZ7MCWKEZPZ
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BFLNLDZ7MCWKEZPZ" -d 172.16.0.42 -j KUBE-POD-FW-BFLNLDZ7MCWKEZPZ
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BFLNLDZ7MCWKEZPZ" -s 172.16.0.42 -j KUBE-POD-FW-BFLNLDZ7MCWKEZPZ
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BFLNLDZ7MCWKEZPZ" -s 172.16.0.42 -j KUBE-POD-FW-BFLNLDZ7MCWKEZPZ
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BFLNLDZ7MCWKEZPZ" -s 172.16.0.42 -j KUBE-POD-FW-BFLNLDZ7MCWKEZPZ
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BFLNLDZ7MCWKEZPZ" -s 172.16.0.42 -j KUBE-POD-FW-BFLNLDZ7MCWKEZPZ
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-BFLNLDZ7MCWKEZPZ -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-BFLNLDZ7MCWKEZPZ -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-BFLNLDZ7MCWKEZPZ -j MARK --set-mark 0/0x10000
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-BFLNLDZ7MCWKEZPZ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-ABKBHXLOXKRX7JXH 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-ABKBHXLOXKRX7JXH 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-ABKBHXLOXKRX7JXH 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-ABKBHXLOXKRX7JXH 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:49:29 truenas env[20630]: -I KUBE-POD-FW-ABKBHXLOXKRX7JXH 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ABKBHXLOXKRX7JXH" -d 172.16.0.45 -j KUBE-POD-FW-ABKBHXLOXKRX7JXH
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ABKBHXLOXKRX7JXH" -d 172.16.0.45 -j KUBE-POD-FW-ABKBHXLOXKRX7JXH
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ABKBHXLOXKRX7JXH" -d 172.16.0.45 -j KUBE-POD-FW-ABKBHXLOXKRX7JXH
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ABKBHXLOXKRX7JXH" -s 172.16.0.45 -j KUBE-POD-FW-ABKBHXLOXKRX7JXH
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ABKBHXLOXKRX7JXH" -s 172.16.0.45 -j KUBE-POD-FW-ABKBHXLOXKRX7JXH
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ABKBHXLOXKRX7JXH" -s 172.16.0.45 -j KUBE-POD-FW-ABKBHXLOXKRX7JXH
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ABKBHXLOXKRX7JXH" -s 172.16.0.45 -j KUBE-POD-FW-ABKBHXLOXKRX7JXH
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-ABKBHXLOXKRX7JXH -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-ABKBHXLOXKRX7JXH -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-ABKBHXLOXKRX7JXH -j MARK --set-mark 0/0x10000
Jun  7 23:49:29 truenas env[20630]: -A KUBE-POD-FW-ABKBHXLOXKRX7JXH -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:49:29 truenas env[20630]: COMMIT
Jun  7 23:50:04 truenas systemd[1]: Starting system activity accounting tool...
Jun  7 23:50:04 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  7 23:50:04 truenas systemd[1]: Finished system activity accounting tool.
Jun  7 23:54:29 truenas env[20630]: E0607 23:54:29.760580   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:54:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:54:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:54:29 truenas env[20630]: )
Jun  7 23:54:29 truenas env[20630]: *filter
Jun  7 23:54:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:54:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 23:54:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 23:54:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 23:54:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 23:54:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 23:54:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 23:54:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 23:54:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:54:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 23:54:29 truenas env[20630]: :KUBE-POD-FW-ORLR3PK57OAV3NCW - [0:0]
Jun  7 23:54:29 truenas env[20630]: :KUBE-POD-FW-LXXGHRRAKA6I2NH2 - [0:0]
Jun  7 23:54:29 truenas env[20630]: :KUBE-POD-FW-4WAAXEB6G7PDGXOR - [0:0]
Jun  7 23:54:29 truenas env[20630]: :KUBE-POD-FW-XXWB6AJDKXBQ4IYP - [0:0]
Jun  7 23:54:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:54:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 23:54:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 23:54:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 23:54:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 23:54:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 23:54:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 23:54:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 23:54:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 23:54:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-ORLR3PK57OAV3NCW 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-ORLR3PK57OAV3NCW 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-ORLR3PK57OAV3NCW 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-ORLR3PK57OAV3NCW 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-ORLR3PK57OAV3NCW 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ORLR3PK57OAV3NCW" -d 172.16.0.43 -j KUBE-POD-FW-ORLR3PK57OAV3NCW
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ORLR3PK57OAV3NCW" -d 172.16.0.43 -j KUBE-POD-FW-ORLR3PK57OAV3NCW
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ORLR3PK57OAV3NCW" -d 172.16.0.43 -j KUBE-POD-FW-ORLR3PK57OAV3NCW
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ORLR3PK57OAV3NCW" -s 172.16.0.43 -j KUBE-POD-FW-ORLR3PK57OAV3NCW
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ORLR3PK57OAV3NCW" -s 172.16.0.43 -j KUBE-POD-FW-ORLR3PK57OAV3NCW
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ORLR3PK57OAV3NCW" -s 172.16.0.43 -j KUBE-POD-FW-ORLR3PK57OAV3NCW
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ORLR3PK57OAV3NCW" -s 172.16.0.43 -j KUBE-POD-FW-ORLR3PK57OAV3NCW
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-ORLR3PK57OAV3NCW -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-ORLR3PK57OAV3NCW -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-ORLR3PK57OAV3NCW -j MARK --set-mark 0/0x10000
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-ORLR3PK57OAV3NCW -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-LXXGHRRAKA6I2NH2 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-LXXGHRRAKA6I2NH2 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-LXXGHRRAKA6I2NH2 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-LXXGHRRAKA6I2NH2 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-LXXGHRRAKA6I2NH2 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LXXGHRRAKA6I2NH2" -d 172.16.0.46 -j KUBE-POD-FW-LXXGHRRAKA6I2NH2
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LXXGHRRAKA6I2NH2" -d 172.16.0.46 -j KUBE-POD-FW-LXXGHRRAKA6I2NH2
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LXXGHRRAKA6I2NH2" -d 172.16.0.46 -j KUBE-POD-FW-LXXGHRRAKA6I2NH2
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LXXGHRRAKA6I2NH2" -s 172.16.0.46 -j KUBE-POD-FW-LXXGHRRAKA6I2NH2
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LXXGHRRAKA6I2NH2" -s 172.16.0.46 -j KUBE-POD-FW-LXXGHRRAKA6I2NH2
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LXXGHRRAKA6I2NH2" -s 172.16.0.46 -j KUBE-POD-FW-LXXGHRRAKA6I2NH2
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-LXXGHRRAKA6I2NH2" -s 172.16.0.46 -j KUBE-POD-FW-LXXGHRRAKA6I2NH2
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-LXXGHRRAKA6I2NH2 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-LXXGHRRAKA6I2NH2 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-LXXGHRRAKA6I2NH2 -j MARK --set-mark 0/0x10000
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-LXXGHRRAKA6I2NH2 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-4WAAXEB6G7PDGXOR 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-4WAAXEB6G7PDGXOR 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-4WAAXEB6G7PDGXOR 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-4WAAXEB6G7PDGXOR 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-4WAAXEB6G7PDGXOR 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4WAAXEB6G7PDGXOR" -d 172.16.0.42 -j KUBE-POD-FW-4WAAXEB6G7PDGXOR
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4WAAXEB6G7PDGXOR" -d 172.16.0.42 -j KUBE-POD-FW-4WAAXEB6G7PDGXOR
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4WAAXEB6G7PDGXOR" -d 172.16.0.42 -j KUBE-POD-FW-4WAAXEB6G7PDGXOR
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4WAAXEB6G7PDGXOR" -s 172.16.0.42 -j KUBE-POD-FW-4WAAXEB6G7PDGXOR
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4WAAXEB6G7PDGXOR" -s 172.16.0.42 -j KUBE-POD-FW-4WAAXEB6G7PDGXOR
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4WAAXEB6G7PDGXOR" -s 172.16.0.42 -j KUBE-POD-FW-4WAAXEB6G7PDGXOR
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4WAAXEB6G7PDGXOR" -s 172.16.0.42 -j KUBE-POD-FW-4WAAXEB6G7PDGXOR
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-4WAAXEB6G7PDGXOR -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-4WAAXEB6G7PDGXOR -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-4WAAXEB6G7PDGXOR -j MARK --set-mark 0/0x10000
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-4WAAXEB6G7PDGXOR -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-XXWB6AJDKXBQ4IYP 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-XXWB6AJDKXBQ4IYP 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-XXWB6AJDKXBQ4IYP 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-XXWB6AJDKXBQ4IYP 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:54:29 truenas env[20630]: -I KUBE-POD-FW-XXWB6AJDKXBQ4IYP 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XXWB6AJDKXBQ4IYP" -d 172.16.0.45 -j KUBE-POD-FW-XXWB6AJDKXBQ4IYP
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XXWB6AJDKXBQ4IYP" -d 172.16.0.45 -j KUBE-POD-FW-XXWB6AJDKXBQ4IYP
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XXWB6AJDKXBQ4IYP" -d 172.16.0.45 -j KUBE-POD-FW-XXWB6AJDKXBQ4IYP
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XXWB6AJDKXBQ4IYP" -s 172.16.0.45 -j KUBE-POD-FW-XXWB6AJDKXBQ4IYP
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XXWB6AJDKXBQ4IYP" -s 172.16.0.45 -j KUBE-POD-FW-XXWB6AJDKXBQ4IYP
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XXWB6AJDKXBQ4IYP" -s 172.16.0.45 -j KUBE-POD-FW-XXWB6AJDKXBQ4IYP
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XXWB6AJDKXBQ4IYP" -s 172.16.0.45 -j KUBE-POD-FW-XXWB6AJDKXBQ4IYP
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-XXWB6AJDKXBQ4IYP -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-XXWB6AJDKXBQ4IYP -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-XXWB6AJDKXBQ4IYP -j MARK --set-mark 0/0x10000
Jun  7 23:54:29 truenas env[20630]: -A KUBE-POD-FW-XXWB6AJDKXBQ4IYP -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:54:29 truenas env[20630]: COMMIT
Jun  7 23:59:26 truenas nscd[446590]: 446590 monitoring file `/etc/hosts` (1)
Jun  7 23:59:26 truenas nscd[446590]: 446590 monitoring directory `/etc` (2)
Jun  7 23:59:26 truenas nscd[446590]: 446590 monitoring file `/etc/resolv.conf` (3)
Jun  7 23:59:26 truenas nscd[446590]: 446590 monitoring directory `/etc` (2)
Jun  7 23:59:26 truenas nscd[446590]: 446590 cannot create /var/cache/nscd/hosts; no persistent database used
Jun  7 23:59:29 truenas env[20630]: E0607 23:59:29.753084   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  7 23:59:29 truenas env[20630]: Error occurred at line: 103
Jun  7 23:59:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  7 23:59:29 truenas env[20630]: )
Jun  7 23:59:29 truenas env[20630]: *filter
Jun  7 23:59:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  7 23:59:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  7 23:59:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  7 23:59:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  7 23:59:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  7 23:59:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  7 23:59:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  7 23:59:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  7 23:59:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  7 23:59:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  7 23:59:29 truenas env[20630]: :KUBE-POD-FW-CTY3SWO3HJM2AKMT - [0:0]
Jun  7 23:59:29 truenas env[20630]: :KUBE-POD-FW-DUTXLZBJQXNHH6F5 - [0:0]
Jun  7 23:59:29 truenas env[20630]: :KUBE-POD-FW-4PYKO6W5ZXE5HPCF - [0:0]
Jun  7 23:59:29 truenas env[20630]: :KUBE-POD-FW-XUJ5A4MHQEX34OKR - [0:0]
Jun  7 23:59:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  7 23:59:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  7 23:59:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  7 23:59:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  7 23:59:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  7 23:59:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  7 23:59:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  7 23:59:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  7 23:59:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  7 23:59:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-CTY3SWO3HJM2AKMT 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-CTY3SWO3HJM2AKMT 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-CTY3SWO3HJM2AKMT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-CTY3SWO3HJM2AKMT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-CTY3SWO3HJM2AKMT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-CTY3SWO3HJM2AKMT" -d 172.16.0.42 -j KUBE-POD-FW-CTY3SWO3HJM2AKMT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-CTY3SWO3HJM2AKMT" -d 172.16.0.42 -j KUBE-POD-FW-CTY3SWO3HJM2AKMT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-CTY3SWO3HJM2AKMT" -d 172.16.0.42 -j KUBE-POD-FW-CTY3SWO3HJM2AKMT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-CTY3SWO3HJM2AKMT" -s 172.16.0.42 -j KUBE-POD-FW-CTY3SWO3HJM2AKMT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-CTY3SWO3HJM2AKMT" -s 172.16.0.42 -j KUBE-POD-FW-CTY3SWO3HJM2AKMT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-CTY3SWO3HJM2AKMT" -s 172.16.0.42 -j KUBE-POD-FW-CTY3SWO3HJM2AKMT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-CTY3SWO3HJM2AKMT" -s 172.16.0.42 -j KUBE-POD-FW-CTY3SWO3HJM2AKMT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-CTY3SWO3HJM2AKMT -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-CTY3SWO3HJM2AKMT -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-CTY3SWO3HJM2AKMT -j MARK --set-mark 0/0x10000
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-CTY3SWO3HJM2AKMT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-DUTXLZBJQXNHH6F5 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-DUTXLZBJQXNHH6F5 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-DUTXLZBJQXNHH6F5 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-DUTXLZBJQXNHH6F5 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-DUTXLZBJQXNHH6F5 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DUTXLZBJQXNHH6F5" -d 172.16.0.45 -j KUBE-POD-FW-DUTXLZBJQXNHH6F5
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DUTXLZBJQXNHH6F5" -d 172.16.0.45 -j KUBE-POD-FW-DUTXLZBJQXNHH6F5
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DUTXLZBJQXNHH6F5" -d 172.16.0.45 -j KUBE-POD-FW-DUTXLZBJQXNHH6F5
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DUTXLZBJQXNHH6F5" -s 172.16.0.45 -j KUBE-POD-FW-DUTXLZBJQXNHH6F5
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DUTXLZBJQXNHH6F5" -s 172.16.0.45 -j KUBE-POD-FW-DUTXLZBJQXNHH6F5
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DUTXLZBJQXNHH6F5" -s 172.16.0.45 -j KUBE-POD-FW-DUTXLZBJQXNHH6F5
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DUTXLZBJQXNHH6F5" -s 172.16.0.45 -j KUBE-POD-FW-DUTXLZBJQXNHH6F5
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-DUTXLZBJQXNHH6F5 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-DUTXLZBJQXNHH6F5 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-DUTXLZBJQXNHH6F5 -j MARK --set-mark 0/0x10000
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-DUTXLZBJQXNHH6F5 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-4PYKO6W5ZXE5HPCF 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-4PYKO6W5ZXE5HPCF 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-4PYKO6W5ZXE5HPCF 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-4PYKO6W5ZXE5HPCF 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-4PYKO6W5ZXE5HPCF 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4PYKO6W5ZXE5HPCF" -d 172.16.0.43 -j KUBE-POD-FW-4PYKO6W5ZXE5HPCF
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4PYKO6W5ZXE5HPCF" -d 172.16.0.43 -j KUBE-POD-FW-4PYKO6W5ZXE5HPCF
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4PYKO6W5ZXE5HPCF" -d 172.16.0.43 -j KUBE-POD-FW-4PYKO6W5ZXE5HPCF
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4PYKO6W5ZXE5HPCF" -s 172.16.0.43 -j KUBE-POD-FW-4PYKO6W5ZXE5HPCF
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4PYKO6W5ZXE5HPCF" -s 172.16.0.43 -j KUBE-POD-FW-4PYKO6W5ZXE5HPCF
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4PYKO6W5ZXE5HPCF" -s 172.16.0.43 -j KUBE-POD-FW-4PYKO6W5ZXE5HPCF
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4PYKO6W5ZXE5HPCF" -s 172.16.0.43 -j KUBE-POD-FW-4PYKO6W5ZXE5HPCF
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-4PYKO6W5ZXE5HPCF -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-4PYKO6W5ZXE5HPCF -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-4PYKO6W5ZXE5HPCF -j MARK --set-mark 0/0x10000
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-4PYKO6W5ZXE5HPCF -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-XUJ5A4MHQEX34OKR 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-XUJ5A4MHQEX34OKR 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-XUJ5A4MHQEX34OKR 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-XUJ5A4MHQEX34OKR 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  7 23:59:29 truenas env[20630]: -I KUBE-POD-FW-XUJ5A4MHQEX34OKR 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XUJ5A4MHQEX34OKR" -d 172.16.0.46 -j KUBE-POD-FW-XUJ5A4MHQEX34OKR
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XUJ5A4MHQEX34OKR" -d 172.16.0.46 -j KUBE-POD-FW-XUJ5A4MHQEX34OKR
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XUJ5A4MHQEX34OKR" -d 172.16.0.46 -j KUBE-POD-FW-XUJ5A4MHQEX34OKR
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XUJ5A4MHQEX34OKR" -s 172.16.0.46 -j KUBE-POD-FW-XUJ5A4MHQEX34OKR
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XUJ5A4MHQEX34OKR" -s 172.16.0.46 -j KUBE-POD-FW-XUJ5A4MHQEX34OKR
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XUJ5A4MHQEX34OKR" -s 172.16.0.46 -j KUBE-POD-FW-XUJ5A4MHQEX34OKR
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-XUJ5A4MHQEX34OKR" -s 172.16.0.46 -j KUBE-POD-FW-XUJ5A4MHQEX34OKR
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-XUJ5A4MHQEX34OKR -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-XUJ5A4MHQEX34OKR -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-XUJ5A4MHQEX34OKR -j MARK --set-mark 0/0x10000
Jun  7 23:59:29 truenas env[20630]: -A KUBE-POD-FW-XUJ5A4MHQEX34OKR -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  7 23:59:29 truenas env[20630]: COMMIT
Jun  8 00:00:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 00:00:05 truenas systemd[1]: Starting exim4-base housekeeping...
Jun  8 00:00:05 truenas systemd[447319]: exim4-base.service: Failed to locate executable /etc/cron.daily/exim4-base: No such file or directory
Jun  8 00:00:05 truenas systemd[447319]: exim4-base.service: Failed at step EXEC spawning /etc/cron.daily/exim4-base: No such file or directory
Jun  8 00:00:05 truenas systemd[1]: Starting Daily man-db regeneration...
Jun  8 00:00:05 truenas systemd[1]: exim4-base.service: Main process exited, code=exited, status=203/EXEC
Jun  8 00:00:05 truenas systemd[1]: exim4-base.service: Failed with result 'exit-code'.
Jun  8 00:00:05 truenas systemd[1]: Failed to start exim4-base housekeeping.
Jun  8 00:00:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 00:00:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 00:00:05 truenas systemd[1]: Starting Rotate log files...
Jun  8 00:00:05 truenas systemd[1]: logrotate.service: Succeeded.
Jun  8 00:00:05 truenas systemd[1]: Finished Rotate log files.
Jun  8 00:00:05 truenas systemd[1]: man-db.service: Succeeded.
Jun  8 00:00:05 truenas systemd[1]: Finished Daily man-db regeneration.
Jun  8 00:04:29 truenas env[20630]: E0608 00:04:29.744711   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:04:29 truenas env[20630]: Error occurred at line: 103
Jun  8 00:04:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:04:29 truenas env[20630]: )
Jun  8 00:04:29 truenas env[20630]: *filter
Jun  8 00:04:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:04:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 00:04:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 00:04:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 00:04:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 00:04:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 00:04:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 00:04:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:04:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:04:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 00:04:29 truenas env[20630]: :KUBE-POD-FW-YCUD5SMUDVFQBJVI - [0:0]
Jun  8 00:04:29 truenas env[20630]: :KUBE-POD-FW-66756QZTMNII6DOT - [0:0]
Jun  8 00:04:29 truenas env[20630]: :KUBE-POD-FW-W42RI7QNLRWEDF6J - [0:0]
Jun  8 00:04:29 truenas env[20630]: :KUBE-POD-FW-ZZYZA37UX7ZMVC7G - [0:0]
Jun  8 00:04:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 00:04:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 00:04:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 00:04:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 00:04:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 00:04:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:04:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 00:04:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 00:04:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 00:04:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-YCUD5SMUDVFQBJVI 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-YCUD5SMUDVFQBJVI 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-YCUD5SMUDVFQBJVI 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-YCUD5SMUDVFQBJVI 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-YCUD5SMUDVFQBJVI 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YCUD5SMUDVFQBJVI" -d 172.16.0.42 -j KUBE-POD-FW-YCUD5SMUDVFQBJVI
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YCUD5SMUDVFQBJVI" -d 172.16.0.42 -j KUBE-POD-FW-YCUD5SMUDVFQBJVI
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YCUD5SMUDVFQBJVI" -d 172.16.0.42 -j KUBE-POD-FW-YCUD5SMUDVFQBJVI
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YCUD5SMUDVFQBJVI" -s 172.16.0.42 -j KUBE-POD-FW-YCUD5SMUDVFQBJVI
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YCUD5SMUDVFQBJVI" -s 172.16.0.42 -j KUBE-POD-FW-YCUD5SMUDVFQBJVI
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YCUD5SMUDVFQBJVI" -s 172.16.0.42 -j KUBE-POD-FW-YCUD5SMUDVFQBJVI
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YCUD5SMUDVFQBJVI" -s 172.16.0.42 -j KUBE-POD-FW-YCUD5SMUDVFQBJVI
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-YCUD5SMUDVFQBJVI -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-YCUD5SMUDVFQBJVI -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-YCUD5SMUDVFQBJVI -j MARK --set-mark 0/0x10000
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-YCUD5SMUDVFQBJVI -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-66756QZTMNII6DOT 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-66756QZTMNII6DOT 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-66756QZTMNII6DOT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-66756QZTMNII6DOT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-66756QZTMNII6DOT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-66756QZTMNII6DOT" -d 172.16.0.45 -j KUBE-POD-FW-66756QZTMNII6DOT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-66756QZTMNII6DOT" -d 172.16.0.45 -j KUBE-POD-FW-66756QZTMNII6DOT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-66756QZTMNII6DOT" -d 172.16.0.45 -j KUBE-POD-FW-66756QZTMNII6DOT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-66756QZTMNII6DOT" -s 172.16.0.45 -j KUBE-POD-FW-66756QZTMNII6DOT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-66756QZTMNII6DOT" -s 172.16.0.45 -j KUBE-POD-FW-66756QZTMNII6DOT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-66756QZTMNII6DOT" -s 172.16.0.45 -j KUBE-POD-FW-66756QZTMNII6DOT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-66756QZTMNII6DOT" -s 172.16.0.45 -j KUBE-POD-FW-66756QZTMNII6DOT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-66756QZTMNII6DOT -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-66756QZTMNII6DOT -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-66756QZTMNII6DOT -j MARK --set-mark 0/0x10000
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-66756QZTMNII6DOT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-W42RI7QNLRWEDF6J 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-W42RI7QNLRWEDF6J 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-W42RI7QNLRWEDF6J 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-W42RI7QNLRWEDF6J 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-W42RI7QNLRWEDF6J 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W42RI7QNLRWEDF6J" -d 172.16.0.43 -j KUBE-POD-FW-W42RI7QNLRWEDF6J
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W42RI7QNLRWEDF6J" -d 172.16.0.43 -j KUBE-POD-FW-W42RI7QNLRWEDF6J
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W42RI7QNLRWEDF6J" -d 172.16.0.43 -j KUBE-POD-FW-W42RI7QNLRWEDF6J
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W42RI7QNLRWEDF6J" -s 172.16.0.43 -j KUBE-POD-FW-W42RI7QNLRWEDF6J
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W42RI7QNLRWEDF6J" -s 172.16.0.43 -j KUBE-POD-FW-W42RI7QNLRWEDF6J
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W42RI7QNLRWEDF6J" -s 172.16.0.43 -j KUBE-POD-FW-W42RI7QNLRWEDF6J
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-W42RI7QNLRWEDF6J" -s 172.16.0.43 -j KUBE-POD-FW-W42RI7QNLRWEDF6J
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-W42RI7QNLRWEDF6J -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-W42RI7QNLRWEDF6J -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-W42RI7QNLRWEDF6J -j MARK --set-mark 0/0x10000
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-W42RI7QNLRWEDF6J -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-ZZYZA37UX7ZMVC7G 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-ZZYZA37UX7ZMVC7G 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-ZZYZA37UX7ZMVC7G 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-ZZYZA37UX7ZMVC7G 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:04:29 truenas env[20630]: -I KUBE-POD-FW-ZZYZA37UX7ZMVC7G 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZZYZA37UX7ZMVC7G" -d 172.16.0.46 -j KUBE-POD-FW-ZZYZA37UX7ZMVC7G
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZZYZA37UX7ZMVC7G" -d 172.16.0.46 -j KUBE-POD-FW-ZZYZA37UX7ZMVC7G
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZZYZA37UX7ZMVC7G" -d 172.16.0.46 -j KUBE-POD-FW-ZZYZA37UX7ZMVC7G
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZZYZA37UX7ZMVC7G" -s 172.16.0.46 -j KUBE-POD-FW-ZZYZA37UX7ZMVC7G
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZZYZA37UX7ZMVC7G" -s 172.16.0.46 -j KUBE-POD-FW-ZZYZA37UX7ZMVC7G
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZZYZA37UX7ZMVC7G" -s 172.16.0.46 -j KUBE-POD-FW-ZZYZA37UX7ZMVC7G
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZZYZA37UX7ZMVC7G" -s 172.16.0.46 -j KUBE-POD-FW-ZZYZA37UX7ZMVC7G
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-ZZYZA37UX7ZMVC7G -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-ZZYZA37UX7ZMVC7G -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-ZZYZA37UX7ZMVC7G -j MARK --set-mark 0/0x10000
Jun  8 00:04:29 truenas env[20630]: -A KUBE-POD-FW-ZZYZA37UX7ZMVC7G -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:04:29 truenas env[20630]: COMMIT
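Added note and check, not part of the logged output and not code from kube-router or TrueNAS. Every sync in this log fails the same way, five minutes apart: iptables-restore exits 2 with "Bad argument `to'" at line 103, and the controller logs "Aborting sync", so the ruleset it was trying to install never lands. Counting the `*filter` line of the 00:04:29 dump above as line 1, line 103 is the `-A KUBE-ROUTER-INPUT ... --comment rule to explicitly ACCEPT traffic that comply to network policies ...` rule: the first of the three trailing rules whose comment text is not wrapped in double quotes, unlike every other `--comment` in the dump. iptables-restore takes exactly one value for `--comment`, so it reads `rule` as the comment and the next word, `to`, as an unexpected argument, which is the error string in the log. The script below reproduces that diagnosis on a constructed sample dump (a few lines modelled on the log, so the offending rule lands at line 7 rather than 103), shows what the parser sees, and rewrites the flagged line into the quoted form the other rules already use. The generating side, which the log attributes to `network_policy_controller.go`, is where a real fix belongs; hand-patching the restore input is only useful to confirm the diagnosis.

```python
"""Locate unquoted multi-word --comment arguments in an iptables-restore dump.

Added example, not part of the log above. Line numbers are counted the way
iptables-restore reports them: the first line of the dump ("*filter") is 1.
"""
import shlex
from typing import List, Optional, Tuple

# Constructed sample modelled on the dump in the log: quoted comments on the
# rules that restore fine, and one trailing rule whose comment is unquoted.
SAMPLE_DUMP = "\n".join([
    "*filter",
    ":INPUT ACCEPT [0:0]",
    ":KUBE-ROUTER-INPUT - [0:0]",
    ":KUBE-NWPLCY-DEFAULT - [0:0]",
    '-A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT',
    '-A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000',
    "-A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT",
    "COMMIT",
])


def find_unquoted_comments(dump: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for each rule whose --comment value is
    unquoted and followed by more comment words, i.e. exactly the shape that
    makes iptables-restore stop with 'Bad argument'."""
    bad = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        if not line.startswith(("-A", "-I")):
            continue
        tokens = line.split()  # raw whitespace split: quoting is what we check
        for i, tok in enumerate(tokens):
            if tok != "--comment" or i + 1 >= len(tokens):
                continue
            if tokens[i + 1].startswith('"'):
                break  # quoted comment, restores fine
            # Unquoted: if the token after the first comment word is not an
            # option or negation, the comment text has spilled into arguments.
            if i + 2 < len(tokens) and not tokens[i + 2].startswith(("-", "!")):
                bad.append((lineno, line))
            break
    return bad


def stray_argument(line: str) -> Optional[str]:
    """Mimic how iptables-restore consumes the rule: one shell-style token for
    --comment, then the next non-option token is the 'Bad argument' it reports.
    Returns None for a well-formed rule."""
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens):
        if tok == "--comment" and i + 2 < len(tokens):
            nxt = tokens[i + 2]
            if not nxt.startswith(("-", "!")):
                return nxt
    return None


def quote_comments(dump: str) -> str:
    """Return the dump with each flagged --comment value wrapped in double
    quotes; unflagged lines pass through verbatim. Assumes, as in the log, that
    comment words never start with '-' or '!', which is what delimits the end
    of the unquoted text."""
    flagged = {n for n, _ in find_unquoted_comments(dump)}
    out = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        if lineno not in flagged:
            out.append(line)
            continue
        tokens = line.split()
        i = tokens.index("--comment") + 1
        j = i
        while j < len(tokens) and not tokens[j].startswith(("-", "!")):
            j += 1
        quoted = '"' + " ".join(tokens[i:j]) + '"'
        out.append(" ".join(tokens[:i] + [quoted] + tokens[j:]))
    return "\n".join(out)


if __name__ == "__main__":
    for n, line in find_unquoted_comments(SAMPLE_DUMP):
        print(f"line {n}: unquoted comment; iptables-restore would report "
              f"Bad argument `{stray_argument(line)}'")
    assert find_unquoted_comments(quote_comments(SAMPLE_DUMP)) == []
```

To run the same check against the real dump, paste the lines from `*filter` through `COMMIT` (without the syslog prefix) into a file and feed its contents to `find_unquoted_comments`; it will report line 103, matching the error, and lines 104 and 105 for the two remaining unquoted rules that iptables-restore never reached.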
Jun  8 00:07:05 truenas systemd[1]: Starting Generate a daily summary of process accounting...
Jun  8 00:07:31 truenas systemd[1]: sysstat-summary.service: Succeeded.
Jun  8 00:07:31 truenas systemd[1]: Finished Generate a daily summary of process accounting.
Jun  8 00:09:29 truenas env[20630]: E0608 00:09:29.768863   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:09:29 truenas env[20630]: Error occurred at line: 103
Jun  8 00:09:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:09:29 truenas env[20630]: )
Jun  8 00:09:29 truenas env[20630]: *filter
Jun  8 00:09:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:09:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 00:09:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 00:09:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 00:09:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 00:09:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 00:09:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 00:09:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:09:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:09:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 00:09:29 truenas env[20630]: :KUBE-POD-FW-ZQMF7X6H2UTPBRDM - [0:0]
Jun  8 00:09:29 truenas env[20630]: :KUBE-POD-FW-EXZ6VBAHINILDT37 - [0:0]
Jun  8 00:09:29 truenas env[20630]: :KUBE-POD-FW-SRRPHSM52QRKFOM3 - [0:0]
Jun  8 00:09:29 truenas env[20630]: :KUBE-POD-FW-W3GVS5KFZ5PT4D3Z - [0:0]
Jun  8 00:09:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 00:09:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 00:09:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 00:09:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 00:09:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 00:09:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:09:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 00:09:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 00:09:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 00:09:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-ZQMF7X6H2UTPBRDM 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-ZQMF7X6H2UTPBRDM 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-ZQMF7X6H2UTPBRDM 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-ZQMF7X6H2UTPBRDM 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-ZQMF7X6H2UTPBRDM 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZQMF7X6H2UTPBRDM" -d 172.16.0.43 -j KUBE-POD-FW-ZQMF7X6H2UTPBRDM
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZQMF7X6H2UTPBRDM" -d 172.16.0.43 -j KUBE-POD-FW-ZQMF7X6H2UTPBRDM
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZQMF7X6H2UTPBRDM" -d 172.16.0.43 -j KUBE-POD-FW-ZQMF7X6H2UTPBRDM
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZQMF7X6H2UTPBRDM" -s 172.16.0.43 -j KUBE-POD-FW-ZQMF7X6H2UTPBRDM
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZQMF7X6H2UTPBRDM" -s 172.16.0.43 -j KUBE-POD-FW-ZQMF7X6H2UTPBRDM
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZQMF7X6H2UTPBRDM" -s 172.16.0.43 -j KUBE-POD-FW-ZQMF7X6H2UTPBRDM
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZQMF7X6H2UTPBRDM" -s 172.16.0.43 -j KUBE-POD-FW-ZQMF7X6H2UTPBRDM
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-ZQMF7X6H2UTPBRDM -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-ZQMF7X6H2UTPBRDM -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-ZQMF7X6H2UTPBRDM -j MARK --set-mark 0/0x10000
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-ZQMF7X6H2UTPBRDM -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-EXZ6VBAHINILDT37 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-EXZ6VBAHINILDT37 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-EXZ6VBAHINILDT37 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-EXZ6VBAHINILDT37 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-EXZ6VBAHINILDT37 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXZ6VBAHINILDT37" -d 172.16.0.46 -j KUBE-POD-FW-EXZ6VBAHINILDT37
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXZ6VBAHINILDT37" -d 172.16.0.46 -j KUBE-POD-FW-EXZ6VBAHINILDT37
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXZ6VBAHINILDT37" -d 172.16.0.46 -j KUBE-POD-FW-EXZ6VBAHINILDT37
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXZ6VBAHINILDT37" -s 172.16.0.46 -j KUBE-POD-FW-EXZ6VBAHINILDT37
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXZ6VBAHINILDT37" -s 172.16.0.46 -j KUBE-POD-FW-EXZ6VBAHINILDT37
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXZ6VBAHINILDT37" -s 172.16.0.46 -j KUBE-POD-FW-EXZ6VBAHINILDT37
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXZ6VBAHINILDT37" -s 172.16.0.46 -j KUBE-POD-FW-EXZ6VBAHINILDT37
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-EXZ6VBAHINILDT37 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-EXZ6VBAHINILDT37 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-EXZ6VBAHINILDT37 -j MARK --set-mark 0/0x10000
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-EXZ6VBAHINILDT37 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-SRRPHSM52QRKFOM3 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-SRRPHSM52QRKFOM3 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-SRRPHSM52QRKFOM3 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-SRRPHSM52QRKFOM3 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-SRRPHSM52QRKFOM3 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SRRPHSM52QRKFOM3" -d 172.16.0.42 -j KUBE-POD-FW-SRRPHSM52QRKFOM3
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SRRPHSM52QRKFOM3" -d 172.16.0.42 -j KUBE-POD-FW-SRRPHSM52QRKFOM3
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SRRPHSM52QRKFOM3" -d 172.16.0.42 -j KUBE-POD-FW-SRRPHSM52QRKFOM3
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SRRPHSM52QRKFOM3" -s 172.16.0.42 -j KUBE-POD-FW-SRRPHSM52QRKFOM3
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SRRPHSM52QRKFOM3" -s 172.16.0.42 -j KUBE-POD-FW-SRRPHSM52QRKFOM3
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SRRPHSM52QRKFOM3" -s 172.16.0.42 -j KUBE-POD-FW-SRRPHSM52QRKFOM3
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SRRPHSM52QRKFOM3" -s 172.16.0.42 -j KUBE-POD-FW-SRRPHSM52QRKFOM3
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-SRRPHSM52QRKFOM3 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-SRRPHSM52QRKFOM3 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-SRRPHSM52QRKFOM3 -j MARK --set-mark 0/0x10000
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-SRRPHSM52QRKFOM3 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-W3GVS5KFZ5PT4D3Z 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-W3GVS5KFZ5PT4D3Z 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-W3GVS5KFZ5PT4D3Z 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-W3GVS5KFZ5PT4D3Z 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:09:29 truenas env[20630]: -I KUBE-POD-FW-W3GVS5KFZ5PT4D3Z 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-W3GVS5KFZ5PT4D3Z" -d 172.16.0.45 -j KUBE-POD-FW-W3GVS5KFZ5PT4D3Z
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-W3GVS5KFZ5PT4D3Z" -d 172.16.0.45 -j KUBE-POD-FW-W3GVS5KFZ5PT4D3Z
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-W3GVS5KFZ5PT4D3Z" -d 172.16.0.45 -j KUBE-POD-FW-W3GVS5KFZ5PT4D3Z
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-W3GVS5KFZ5PT4D3Z" -s 172.16.0.45 -j KUBE-POD-FW-W3GVS5KFZ5PT4D3Z
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-W3GVS5KFZ5PT4D3Z" -s 172.16.0.45 -j KUBE-POD-FW-W3GVS5KFZ5PT4D3Z
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-W3GVS5KFZ5PT4D3Z" -s 172.16.0.45 -j KUBE-POD-FW-W3GVS5KFZ5PT4D3Z
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-W3GVS5KFZ5PT4D3Z" -s 172.16.0.45 -j KUBE-POD-FW-W3GVS5KFZ5PT4D3Z
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-W3GVS5KFZ5PT4D3Z -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-W3GVS5KFZ5PT4D3Z -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-W3GVS5KFZ5PT4D3Z -j MARK --set-mark 0/0x10000
Jun  8 00:09:29 truenas env[20630]: -A KUBE-POD-FW-W3GVS5KFZ5PT4D3Z -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:09:29 truenas env[20630]: COMMIT
Jun  8 00:10:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 00:10:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 00:10:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 00:14:29 truenas env[20630]: E0608 00:14:29.748571   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:14:29 truenas env[20630]: Error occurred at line: 103
Jun  8 00:14:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:14:29 truenas env[20630]: )
Jun  8 00:14:29 truenas env[20630]: *filter
Jun  8 00:14:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:14:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 00:14:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 00:14:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 00:14:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 00:14:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 00:14:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 00:14:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:14:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:14:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 00:14:29 truenas env[20630]: :KUBE-POD-FW-IZJSWVJQNQOL4FHG - [0:0]
Jun  8 00:14:29 truenas env[20630]: :KUBE-POD-FW-ZSQCPE64Q6IRKQ76 - [0:0]
Jun  8 00:14:29 truenas env[20630]: :KUBE-POD-FW-ATJNAPTYL63VHGR2 - [0:0]
Jun  8 00:14:29 truenas env[20630]: :KUBE-POD-FW-YUA662RKB6XZPFU7 - [0:0]
Jun  8 00:14:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 00:14:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 00:14:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 00:14:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 00:14:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 00:14:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:14:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 00:14:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 00:14:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 00:14:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-IZJSWVJQNQOL4FHG 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-IZJSWVJQNQOL4FHG 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-IZJSWVJQNQOL4FHG 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-IZJSWVJQNQOL4FHG 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-IZJSWVJQNQOL4FHG 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IZJSWVJQNQOL4FHG" -d 172.16.0.42 -j KUBE-POD-FW-IZJSWVJQNQOL4FHG
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IZJSWVJQNQOL4FHG" -d 172.16.0.42 -j KUBE-POD-FW-IZJSWVJQNQOL4FHG
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IZJSWVJQNQOL4FHG" -d 172.16.0.42 -j KUBE-POD-FW-IZJSWVJQNQOL4FHG
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IZJSWVJQNQOL4FHG" -s 172.16.0.42 -j KUBE-POD-FW-IZJSWVJQNQOL4FHG
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IZJSWVJQNQOL4FHG" -s 172.16.0.42 -j KUBE-POD-FW-IZJSWVJQNQOL4FHG
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IZJSWVJQNQOL4FHG" -s 172.16.0.42 -j KUBE-POD-FW-IZJSWVJQNQOL4FHG
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IZJSWVJQNQOL4FHG" -s 172.16.0.42 -j KUBE-POD-FW-IZJSWVJQNQOL4FHG
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-IZJSWVJQNQOL4FHG -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-IZJSWVJQNQOL4FHG -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-IZJSWVJQNQOL4FHG -j MARK --set-mark 0/0x10000
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-IZJSWVJQNQOL4FHG -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-ZSQCPE64Q6IRKQ76 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-ZSQCPE64Q6IRKQ76 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-ZSQCPE64Q6IRKQ76 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-ZSQCPE64Q6IRKQ76 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-ZSQCPE64Q6IRKQ76 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZSQCPE64Q6IRKQ76" -d 172.16.0.45 -j KUBE-POD-FW-ZSQCPE64Q6IRKQ76
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZSQCPE64Q6IRKQ76" -d 172.16.0.45 -j KUBE-POD-FW-ZSQCPE64Q6IRKQ76
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZSQCPE64Q6IRKQ76" -d 172.16.0.45 -j KUBE-POD-FW-ZSQCPE64Q6IRKQ76
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZSQCPE64Q6IRKQ76" -s 172.16.0.45 -j KUBE-POD-FW-ZSQCPE64Q6IRKQ76
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZSQCPE64Q6IRKQ76" -s 172.16.0.45 -j KUBE-POD-FW-ZSQCPE64Q6IRKQ76
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZSQCPE64Q6IRKQ76" -s 172.16.0.45 -j KUBE-POD-FW-ZSQCPE64Q6IRKQ76
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZSQCPE64Q6IRKQ76" -s 172.16.0.45 -j KUBE-POD-FW-ZSQCPE64Q6IRKQ76
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-ZSQCPE64Q6IRKQ76 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-ZSQCPE64Q6IRKQ76 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-ZSQCPE64Q6IRKQ76 -j MARK --set-mark 0/0x10000
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-ZSQCPE64Q6IRKQ76 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-ATJNAPTYL63VHGR2 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-ATJNAPTYL63VHGR2 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-ATJNAPTYL63VHGR2 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-ATJNAPTYL63VHGR2 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-ATJNAPTYL63VHGR2 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ATJNAPTYL63VHGR2" -d 172.16.0.43 -j KUBE-POD-FW-ATJNAPTYL63VHGR2
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ATJNAPTYL63VHGR2" -d 172.16.0.43 -j KUBE-POD-FW-ATJNAPTYL63VHGR2
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ATJNAPTYL63VHGR2" -d 172.16.0.43 -j KUBE-POD-FW-ATJNAPTYL63VHGR2
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ATJNAPTYL63VHGR2" -s 172.16.0.43 -j KUBE-POD-FW-ATJNAPTYL63VHGR2
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ATJNAPTYL63VHGR2" -s 172.16.0.43 -j KUBE-POD-FW-ATJNAPTYL63VHGR2
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ATJNAPTYL63VHGR2" -s 172.16.0.43 -j KUBE-POD-FW-ATJNAPTYL63VHGR2
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ATJNAPTYL63VHGR2" -s 172.16.0.43 -j KUBE-POD-FW-ATJNAPTYL63VHGR2
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-ATJNAPTYL63VHGR2 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-ATJNAPTYL63VHGR2 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-ATJNAPTYL63VHGR2 -j MARK --set-mark 0/0x10000
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-ATJNAPTYL63VHGR2 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-YUA662RKB6XZPFU7 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-YUA662RKB6XZPFU7 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-YUA662RKB6XZPFU7 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-YUA662RKB6XZPFU7 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:14:29 truenas env[20630]: -I KUBE-POD-FW-YUA662RKB6XZPFU7 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YUA662RKB6XZPFU7" -d 172.16.0.46 -j KUBE-POD-FW-YUA662RKB6XZPFU7
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YUA662RKB6XZPFU7" -d 172.16.0.46 -j KUBE-POD-FW-YUA662RKB6XZPFU7
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YUA662RKB6XZPFU7" -d 172.16.0.46 -j KUBE-POD-FW-YUA662RKB6XZPFU7
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YUA662RKB6XZPFU7" -s 172.16.0.46 -j KUBE-POD-FW-YUA662RKB6XZPFU7
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YUA662RKB6XZPFU7" -s 172.16.0.46 -j KUBE-POD-FW-YUA662RKB6XZPFU7
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YUA662RKB6XZPFU7" -s 172.16.0.46 -j KUBE-POD-FW-YUA662RKB6XZPFU7
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YUA662RKB6XZPFU7" -s 172.16.0.46 -j KUBE-POD-FW-YUA662RKB6XZPFU7
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-YUA662RKB6XZPFU7 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-YUA662RKB6XZPFU7 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-YUA662RKB6XZPFU7 -j MARK --set-mark 0/0x10000
Jun  8 00:14:29 truenas env[20630]: -A KUBE-POD-FW-YUA662RKB6XZPFU7 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:14:29 truenas env[20630]: COMMIT
Jun  8 00:17:01 truenas CRON[466313]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jun  8 00:19:29 truenas env[20630]: E0608 00:19:29.748781   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:19:29 truenas env[20630]: Error occurred at line: 103
Jun  8 00:19:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:19:29 truenas env[20630]: )
Jun  8 00:19:29 truenas env[20630]: *filter
Jun  8 00:19:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:19:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 00:19:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 00:19:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 00:19:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 00:19:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 00:19:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 00:19:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:19:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:19:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 00:19:29 truenas env[20630]: :KUBE-POD-FW-C7JP3IIQJ6SRA2PB - [0:0]
Jun  8 00:19:29 truenas env[20630]: :KUBE-POD-FW-ZWAVL7D4YGWYRSWX - [0:0]
Jun  8 00:19:29 truenas env[20630]: :KUBE-POD-FW-JULYMWSKQCLKFCAS - [0:0]
Jun  8 00:19:29 truenas env[20630]: :KUBE-POD-FW-SA7ZLRMVE5QUOD7Y - [0:0]
Jun  8 00:19:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 00:19:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 00:19:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 00:19:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 00:19:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 00:19:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:19:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 00:19:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 00:19:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 00:19:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-C7JP3IIQJ6SRA2PB 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-C7JP3IIQJ6SRA2PB 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-C7JP3IIQJ6SRA2PB 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-C7JP3IIQJ6SRA2PB 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-C7JP3IIQJ6SRA2PB 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C7JP3IIQJ6SRA2PB" -d 172.16.0.45 -j KUBE-POD-FW-C7JP3IIQJ6SRA2PB
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C7JP3IIQJ6SRA2PB" -d 172.16.0.45 -j KUBE-POD-FW-C7JP3IIQJ6SRA2PB
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C7JP3IIQJ6SRA2PB" -d 172.16.0.45 -j KUBE-POD-FW-C7JP3IIQJ6SRA2PB
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C7JP3IIQJ6SRA2PB" -s 172.16.0.45 -j KUBE-POD-FW-C7JP3IIQJ6SRA2PB
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C7JP3IIQJ6SRA2PB" -s 172.16.0.45 -j KUBE-POD-FW-C7JP3IIQJ6SRA2PB
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C7JP3IIQJ6SRA2PB" -s 172.16.0.45 -j KUBE-POD-FW-C7JP3IIQJ6SRA2PB
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C7JP3IIQJ6SRA2PB" -s 172.16.0.45 -j KUBE-POD-FW-C7JP3IIQJ6SRA2PB
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-C7JP3IIQJ6SRA2PB -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-C7JP3IIQJ6SRA2PB -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-C7JP3IIQJ6SRA2PB -j MARK --set-mark 0/0x10000
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-C7JP3IIQJ6SRA2PB -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-ZWAVL7D4YGWYRSWX 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-ZWAVL7D4YGWYRSWX 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-ZWAVL7D4YGWYRSWX 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-ZWAVL7D4YGWYRSWX 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-ZWAVL7D4YGWYRSWX 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZWAVL7D4YGWYRSWX" -d 172.16.0.43 -j KUBE-POD-FW-ZWAVL7D4YGWYRSWX
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZWAVL7D4YGWYRSWX" -d 172.16.0.43 -j KUBE-POD-FW-ZWAVL7D4YGWYRSWX
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZWAVL7D4YGWYRSWX" -d 172.16.0.43 -j KUBE-POD-FW-ZWAVL7D4YGWYRSWX
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZWAVL7D4YGWYRSWX" -s 172.16.0.43 -j KUBE-POD-FW-ZWAVL7D4YGWYRSWX
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZWAVL7D4YGWYRSWX" -s 172.16.0.43 -j KUBE-POD-FW-ZWAVL7D4YGWYRSWX
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZWAVL7D4YGWYRSWX" -s 172.16.0.43 -j KUBE-POD-FW-ZWAVL7D4YGWYRSWX
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZWAVL7D4YGWYRSWX" -s 172.16.0.43 -j KUBE-POD-FW-ZWAVL7D4YGWYRSWX
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-ZWAVL7D4YGWYRSWX -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-ZWAVL7D4YGWYRSWX -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-ZWAVL7D4YGWYRSWX -j MARK --set-mark 0/0x10000
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-ZWAVL7D4YGWYRSWX -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-JULYMWSKQCLKFCAS 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-JULYMWSKQCLKFCAS 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-JULYMWSKQCLKFCAS 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-JULYMWSKQCLKFCAS 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-JULYMWSKQCLKFCAS 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JULYMWSKQCLKFCAS" -d 172.16.0.46 -j KUBE-POD-FW-JULYMWSKQCLKFCAS
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JULYMWSKQCLKFCAS" -d 172.16.0.46 -j KUBE-POD-FW-JULYMWSKQCLKFCAS
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JULYMWSKQCLKFCAS" -d 172.16.0.46 -j KUBE-POD-FW-JULYMWSKQCLKFCAS
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JULYMWSKQCLKFCAS" -s 172.16.0.46 -j KUBE-POD-FW-JULYMWSKQCLKFCAS
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JULYMWSKQCLKFCAS" -s 172.16.0.46 -j KUBE-POD-FW-JULYMWSKQCLKFCAS
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JULYMWSKQCLKFCAS" -s 172.16.0.46 -j KUBE-POD-FW-JULYMWSKQCLKFCAS
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JULYMWSKQCLKFCAS" -s 172.16.0.46 -j KUBE-POD-FW-JULYMWSKQCLKFCAS
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-JULYMWSKQCLKFCAS -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-JULYMWSKQCLKFCAS -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-JULYMWSKQCLKFCAS -j MARK --set-mark 0/0x10000
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-JULYMWSKQCLKFCAS -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-SA7ZLRMVE5QUOD7Y 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-SA7ZLRMVE5QUOD7Y 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-SA7ZLRMVE5QUOD7Y 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-SA7ZLRMVE5QUOD7Y 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:19:29 truenas env[20630]: -I KUBE-POD-FW-SA7ZLRMVE5QUOD7Y 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SA7ZLRMVE5QUOD7Y" -d 172.16.0.42 -j KUBE-POD-FW-SA7ZLRMVE5QUOD7Y
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SA7ZLRMVE5QUOD7Y" -d 172.16.0.42 -j KUBE-POD-FW-SA7ZLRMVE5QUOD7Y
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SA7ZLRMVE5QUOD7Y" -d 172.16.0.42 -j KUBE-POD-FW-SA7ZLRMVE5QUOD7Y
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SA7ZLRMVE5QUOD7Y" -s 172.16.0.42 -j KUBE-POD-FW-SA7ZLRMVE5QUOD7Y
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SA7ZLRMVE5QUOD7Y" -s 172.16.0.42 -j KUBE-POD-FW-SA7ZLRMVE5QUOD7Y
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SA7ZLRMVE5QUOD7Y" -s 172.16.0.42 -j KUBE-POD-FW-SA7ZLRMVE5QUOD7Y
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SA7ZLRMVE5QUOD7Y" -s 172.16.0.42 -j KUBE-POD-FW-SA7ZLRMVE5QUOD7Y
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-SA7ZLRMVE5QUOD7Y -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-SA7ZLRMVE5QUOD7Y -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-SA7ZLRMVE5QUOD7Y -j MARK --set-mark 0/0x10000
Jun  8 00:19:29 truenas env[20630]: -A KUBE-POD-FW-SA7ZLRMVE5QUOD7Y -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:19:29 truenas env[20630]: COMMIT
Jun  8 00:20:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 00:20:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 00:20:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 00:24:29 truenas env[20630]: E0608 00:24:29.752649   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:24:29 truenas env[20630]: Error occurred at line: 103
Jun  8 00:24:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:24:29 truenas env[20630]: )
Jun  8 00:24:29 truenas env[20630]: *filter
Jun  8 00:24:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:24:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 00:24:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 00:24:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 00:24:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 00:24:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 00:24:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 00:24:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:24:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:24:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 00:24:29 truenas env[20630]: :KUBE-POD-FW-3VVL4JXDG6SDXHKQ - [0:0]
Jun  8 00:24:29 truenas env[20630]: :KUBE-POD-FW-LV7IB7LBYNIP2TEI - [0:0]
Jun  8 00:24:29 truenas env[20630]: :KUBE-POD-FW-QTCEXU6SZIILNVQ7 - [0:0]
Jun  8 00:24:29 truenas env[20630]: :KUBE-POD-FW-Q4DXIEN4FLTC5XNK - [0:0]
Jun  8 00:24:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 00:24:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 00:24:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 00:24:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 00:24:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 00:24:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:24:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 00:24:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 00:24:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 00:24:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-3VVL4JXDG6SDXHKQ 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-3VVL4JXDG6SDXHKQ 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-3VVL4JXDG6SDXHKQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-3VVL4JXDG6SDXHKQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-3VVL4JXDG6SDXHKQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3VVL4JXDG6SDXHKQ" -d 172.16.0.45 -j KUBE-POD-FW-3VVL4JXDG6SDXHKQ
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3VVL4JXDG6SDXHKQ" -d 172.16.0.45 -j KUBE-POD-FW-3VVL4JXDG6SDXHKQ
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3VVL4JXDG6SDXHKQ" -d 172.16.0.45 -j KUBE-POD-FW-3VVL4JXDG6SDXHKQ
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3VVL4JXDG6SDXHKQ" -s 172.16.0.45 -j KUBE-POD-FW-3VVL4JXDG6SDXHKQ
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3VVL4JXDG6SDXHKQ" -s 172.16.0.45 -j KUBE-POD-FW-3VVL4JXDG6SDXHKQ
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3VVL4JXDG6SDXHKQ" -s 172.16.0.45 -j KUBE-POD-FW-3VVL4JXDG6SDXHKQ
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3VVL4JXDG6SDXHKQ" -s 172.16.0.45 -j KUBE-POD-FW-3VVL4JXDG6SDXHKQ
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-3VVL4JXDG6SDXHKQ -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-3VVL4JXDG6SDXHKQ -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-3VVL4JXDG6SDXHKQ -j MARK --set-mark 0/0x10000
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-3VVL4JXDG6SDXHKQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-LV7IB7LBYNIP2TEI 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-LV7IB7LBYNIP2TEI 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-LV7IB7LBYNIP2TEI 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-LV7IB7LBYNIP2TEI 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-LV7IB7LBYNIP2TEI 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LV7IB7LBYNIP2TEI" -d 172.16.0.43 -j KUBE-POD-FW-LV7IB7LBYNIP2TEI
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LV7IB7LBYNIP2TEI" -d 172.16.0.43 -j KUBE-POD-FW-LV7IB7LBYNIP2TEI
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LV7IB7LBYNIP2TEI" -d 172.16.0.43 -j KUBE-POD-FW-LV7IB7LBYNIP2TEI
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LV7IB7LBYNIP2TEI" -s 172.16.0.43 -j KUBE-POD-FW-LV7IB7LBYNIP2TEI
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LV7IB7LBYNIP2TEI" -s 172.16.0.43 -j KUBE-POD-FW-LV7IB7LBYNIP2TEI
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LV7IB7LBYNIP2TEI" -s 172.16.0.43 -j KUBE-POD-FW-LV7IB7LBYNIP2TEI
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LV7IB7LBYNIP2TEI" -s 172.16.0.43 -j KUBE-POD-FW-LV7IB7LBYNIP2TEI
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-LV7IB7LBYNIP2TEI -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-LV7IB7LBYNIP2TEI -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-LV7IB7LBYNIP2TEI -j MARK --set-mark 0/0x10000
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-LV7IB7LBYNIP2TEI -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-QTCEXU6SZIILNVQ7 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-QTCEXU6SZIILNVQ7 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-QTCEXU6SZIILNVQ7 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-QTCEXU6SZIILNVQ7 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-QTCEXU6SZIILNVQ7 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QTCEXU6SZIILNVQ7" -d 172.16.0.46 -j KUBE-POD-FW-QTCEXU6SZIILNVQ7
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QTCEXU6SZIILNVQ7" -d 172.16.0.46 -j KUBE-POD-FW-QTCEXU6SZIILNVQ7
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QTCEXU6SZIILNVQ7" -d 172.16.0.46 -j KUBE-POD-FW-QTCEXU6SZIILNVQ7
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QTCEXU6SZIILNVQ7" -s 172.16.0.46 -j KUBE-POD-FW-QTCEXU6SZIILNVQ7
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QTCEXU6SZIILNVQ7" -s 172.16.0.46 -j KUBE-POD-FW-QTCEXU6SZIILNVQ7
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QTCEXU6SZIILNVQ7" -s 172.16.0.46 -j KUBE-POD-FW-QTCEXU6SZIILNVQ7
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QTCEXU6SZIILNVQ7" -s 172.16.0.46 -j KUBE-POD-FW-QTCEXU6SZIILNVQ7
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-QTCEXU6SZIILNVQ7 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-QTCEXU6SZIILNVQ7 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-QTCEXU6SZIILNVQ7 -j MARK --set-mark 0/0x10000
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-QTCEXU6SZIILNVQ7 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-Q4DXIEN4FLTC5XNK 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-Q4DXIEN4FLTC5XNK 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-Q4DXIEN4FLTC5XNK 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-Q4DXIEN4FLTC5XNK 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:24:29 truenas env[20630]: -I KUBE-POD-FW-Q4DXIEN4FLTC5XNK 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q4DXIEN4FLTC5XNK" -d 172.16.0.42 -j KUBE-POD-FW-Q4DXIEN4FLTC5XNK
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q4DXIEN4FLTC5XNK" -d 172.16.0.42 -j KUBE-POD-FW-Q4DXIEN4FLTC5XNK
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q4DXIEN4FLTC5XNK" -d 172.16.0.42 -j KUBE-POD-FW-Q4DXIEN4FLTC5XNK
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q4DXIEN4FLTC5XNK" -s 172.16.0.42 -j KUBE-POD-FW-Q4DXIEN4FLTC5XNK
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q4DXIEN4FLTC5XNK" -s 172.16.0.42 -j KUBE-POD-FW-Q4DXIEN4FLTC5XNK
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q4DXIEN4FLTC5XNK" -s 172.16.0.42 -j KUBE-POD-FW-Q4DXIEN4FLTC5XNK
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q4DXIEN4FLTC5XNK" -s 172.16.0.42 -j KUBE-POD-FW-Q4DXIEN4FLTC5XNK
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-Q4DXIEN4FLTC5XNK -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-Q4DXIEN4FLTC5XNK -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-Q4DXIEN4FLTC5XNK -j MARK --set-mark 0/0x10000
Jun  8 00:24:29 truenas env[20630]: -A KUBE-POD-FW-Q4DXIEN4FLTC5XNK -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:24:29 truenas env[20630]: COMMIT
Jun  8 00:29:06 truenas smartd[3887]: Device: /dev/sda [SAT], SMART Usage Attribute: 190 Airflow_Temperature_Cel changed from 68 to 69
Jun  8 00:29:06 truenas smartd[3887]: Device: /dev/sdb [SAT], SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 74 to 75
Jun  8 00:29:06 truenas smartd[3887]: Device: /dev/sdb [SAT], SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 74 to 75
Jun  8 00:29:29 truenas env[20630]: E0608 00:29:29.736558   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:29:29 truenas env[20630]: Error occurred at line: 103
Jun  8 00:29:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:29:29 truenas env[20630]: )
Jun  8 00:29:29 truenas env[20630]: *filter
Jun  8 00:29:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:29:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 00:29:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 00:29:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 00:29:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 00:29:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 00:29:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 00:29:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:29:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:29:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 00:29:29 truenas env[20630]: :KUBE-POD-FW-EXERZTMPKPUJEBJR - [0:0]
Jun  8 00:29:29 truenas env[20630]: :KUBE-POD-FW-VUYMQESWHGHGGL6Q - [0:0]
Jun  8 00:29:29 truenas env[20630]: :KUBE-POD-FW-6ZM5TSEWYVTKPNYV - [0:0]
Jun  8 00:29:29 truenas env[20630]: :KUBE-POD-FW-ZYCZPP2XQKX43GXH - [0:0]
Jun  8 00:29:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 00:29:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 00:29:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 00:29:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 00:29:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 00:29:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:29:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 00:29:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 00:29:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 00:29:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-EXERZTMPKPUJEBJR 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-EXERZTMPKPUJEBJR 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-EXERZTMPKPUJEBJR 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-EXERZTMPKPUJEBJR 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-EXERZTMPKPUJEBJR 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXERZTMPKPUJEBJR" -d 172.16.0.46 -j KUBE-POD-FW-EXERZTMPKPUJEBJR
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXERZTMPKPUJEBJR" -d 172.16.0.46 -j KUBE-POD-FW-EXERZTMPKPUJEBJR
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXERZTMPKPUJEBJR" -d 172.16.0.46 -j KUBE-POD-FW-EXERZTMPKPUJEBJR
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXERZTMPKPUJEBJR" -s 172.16.0.46 -j KUBE-POD-FW-EXERZTMPKPUJEBJR
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXERZTMPKPUJEBJR" -s 172.16.0.46 -j KUBE-POD-FW-EXERZTMPKPUJEBJR
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXERZTMPKPUJEBJR" -s 172.16.0.46 -j KUBE-POD-FW-EXERZTMPKPUJEBJR
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EXERZTMPKPUJEBJR" -s 172.16.0.46 -j KUBE-POD-FW-EXERZTMPKPUJEBJR
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-EXERZTMPKPUJEBJR -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-EXERZTMPKPUJEBJR -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-EXERZTMPKPUJEBJR -j MARK --set-mark 0/0x10000
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-EXERZTMPKPUJEBJR -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-VUYMQESWHGHGGL6Q 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-VUYMQESWHGHGGL6Q 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-VUYMQESWHGHGGL6Q 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-VUYMQESWHGHGGL6Q 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-VUYMQESWHGHGGL6Q 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VUYMQESWHGHGGL6Q" -d 172.16.0.42 -j KUBE-POD-FW-VUYMQESWHGHGGL6Q
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VUYMQESWHGHGGL6Q" -d 172.16.0.42 -j KUBE-POD-FW-VUYMQESWHGHGGL6Q
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VUYMQESWHGHGGL6Q" -d 172.16.0.42 -j KUBE-POD-FW-VUYMQESWHGHGGL6Q
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VUYMQESWHGHGGL6Q" -s 172.16.0.42 -j KUBE-POD-FW-VUYMQESWHGHGGL6Q
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VUYMQESWHGHGGL6Q" -s 172.16.0.42 -j KUBE-POD-FW-VUYMQESWHGHGGL6Q
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VUYMQESWHGHGGL6Q" -s 172.16.0.42 -j KUBE-POD-FW-VUYMQESWHGHGGL6Q
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VUYMQESWHGHGGL6Q" -s 172.16.0.42 -j KUBE-POD-FW-VUYMQESWHGHGGL6Q
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-VUYMQESWHGHGGL6Q -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-VUYMQESWHGHGGL6Q -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-VUYMQESWHGHGGL6Q -j MARK --set-mark 0/0x10000
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-VUYMQESWHGHGGL6Q -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-6ZM5TSEWYVTKPNYV 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-6ZM5TSEWYVTKPNYV 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-6ZM5TSEWYVTKPNYV 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-6ZM5TSEWYVTKPNYV 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-6ZM5TSEWYVTKPNYV 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6ZM5TSEWYVTKPNYV" -d 172.16.0.45 -j KUBE-POD-FW-6ZM5TSEWYVTKPNYV
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6ZM5TSEWYVTKPNYV" -d 172.16.0.45 -j KUBE-POD-FW-6ZM5TSEWYVTKPNYV
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6ZM5TSEWYVTKPNYV" -d 172.16.0.45 -j KUBE-POD-FW-6ZM5TSEWYVTKPNYV
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6ZM5TSEWYVTKPNYV" -s 172.16.0.45 -j KUBE-POD-FW-6ZM5TSEWYVTKPNYV
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6ZM5TSEWYVTKPNYV" -s 172.16.0.45 -j KUBE-POD-FW-6ZM5TSEWYVTKPNYV
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6ZM5TSEWYVTKPNYV" -s 172.16.0.45 -j KUBE-POD-FW-6ZM5TSEWYVTKPNYV
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-6ZM5TSEWYVTKPNYV" -s 172.16.0.45 -j KUBE-POD-FW-6ZM5TSEWYVTKPNYV
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-6ZM5TSEWYVTKPNYV -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-6ZM5TSEWYVTKPNYV -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-6ZM5TSEWYVTKPNYV -j MARK --set-mark 0/0x10000
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-6ZM5TSEWYVTKPNYV -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-ZYCZPP2XQKX43GXH 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-ZYCZPP2XQKX43GXH 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-ZYCZPP2XQKX43GXH 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-ZYCZPP2XQKX43GXH 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:29:29 truenas env[20630]: -I KUBE-POD-FW-ZYCZPP2XQKX43GXH 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZYCZPP2XQKX43GXH" -d 172.16.0.43 -j KUBE-POD-FW-ZYCZPP2XQKX43GXH
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZYCZPP2XQKX43GXH" -d 172.16.0.43 -j KUBE-POD-FW-ZYCZPP2XQKX43GXH
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZYCZPP2XQKX43GXH" -d 172.16.0.43 -j KUBE-POD-FW-ZYCZPP2XQKX43GXH
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZYCZPP2XQKX43GXH" -s 172.16.0.43 -j KUBE-POD-FW-ZYCZPP2XQKX43GXH
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZYCZPP2XQKX43GXH" -s 172.16.0.43 -j KUBE-POD-FW-ZYCZPP2XQKX43GXH
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZYCZPP2XQKX43GXH" -s 172.16.0.43 -j KUBE-POD-FW-ZYCZPP2XQKX43GXH
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZYCZPP2XQKX43GXH" -s 172.16.0.43 -j KUBE-POD-FW-ZYCZPP2XQKX43GXH
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-ZYCZPP2XQKX43GXH -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-ZYCZPP2XQKX43GXH -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-ZYCZPP2XQKX43GXH -j MARK --set-mark 0/0x10000
Jun  8 00:29:29 truenas env[20630]: -A KUBE-POD-FW-ZYCZPP2XQKX43GXH -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:29:29 truenas env[20630]: COMMIT
Jun  8 00:30:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 00:30:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 00:30:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 00:34:29 truenas env[20630]: E0608 00:34:29.756662   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:34:29 truenas env[20630]: Error occurred at line: 103
Jun  8 00:34:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:34:29 truenas env[20630]: )
Jun  8 00:34:29 truenas env[20630]: *filter
Jun  8 00:34:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-POD-FW-VETTQFO4R56H5GG6 - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-POD-FW-262ZYFDPPDMCHOZA - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-POD-FW-IGRWEYJ425OGHZQU - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-POD-FW-OGOWYI7AEQZKVJ2S - [0:0]
Jun  8 00:34:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 00:34:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 00:34:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 00:34:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 00:34:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 00:34:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:34:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 00:34:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 00:34:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 00:34:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-VETTQFO4R56H5GG6 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-VETTQFO4R56H5GG6 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-VETTQFO4R56H5GG6 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-VETTQFO4R56H5GG6 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-VETTQFO4R56H5GG6 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VETTQFO4R56H5GG6" -d 172.16.0.42 -j KUBE-POD-FW-VETTQFO4R56H5GG6
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VETTQFO4R56H5GG6" -d 172.16.0.42 -j KUBE-POD-FW-VETTQFO4R56H5GG6
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VETTQFO4R56H5GG6" -d 172.16.0.42 -j KUBE-POD-FW-VETTQFO4R56H5GG6
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VETTQFO4R56H5GG6" -s 172.16.0.42 -j KUBE-POD-FW-VETTQFO4R56H5GG6
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VETTQFO4R56H5GG6" -s 172.16.0.42 -j KUBE-POD-FW-VETTQFO4R56H5GG6
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VETTQFO4R56H5GG6" -s 172.16.0.42 -j KUBE-POD-FW-VETTQFO4R56H5GG6
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-VETTQFO4R56H5GG6" -s 172.16.0.42 -j KUBE-POD-FW-VETTQFO4R56H5GG6
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-VETTQFO4R56H5GG6 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-VETTQFO4R56H5GG6 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-VETTQFO4R56H5GG6 -j MARK --set-mark 0/0x10000
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-VETTQFO4R56H5GG6 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-262ZYFDPPDMCHOZA 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-262ZYFDPPDMCHOZA 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-262ZYFDPPDMCHOZA 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-262ZYFDPPDMCHOZA 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-262ZYFDPPDMCHOZA 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-262ZYFDPPDMCHOZA" -d 172.16.0.45 -j KUBE-POD-FW-262ZYFDPPDMCHOZA
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-262ZYFDPPDMCHOZA" -d 172.16.0.45 -j KUBE-POD-FW-262ZYFDPPDMCHOZA
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-262ZYFDPPDMCHOZA" -d 172.16.0.45 -j KUBE-POD-FW-262ZYFDPPDMCHOZA
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-262ZYFDPPDMCHOZA" -s 172.16.0.45 -j KUBE-POD-FW-262ZYFDPPDMCHOZA
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-262ZYFDPPDMCHOZA" -s 172.16.0.45 -j KUBE-POD-FW-262ZYFDPPDMCHOZA
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-262ZYFDPPDMCHOZA" -s 172.16.0.45 -j KUBE-POD-FW-262ZYFDPPDMCHOZA
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-262ZYFDPPDMCHOZA" -s 172.16.0.45 -j KUBE-POD-FW-262ZYFDPPDMCHOZA
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-262ZYFDPPDMCHOZA -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-262ZYFDPPDMCHOZA -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-262ZYFDPPDMCHOZA -j MARK --set-mark 0/0x10000
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-262ZYFDPPDMCHOZA -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-IGRWEYJ425OGHZQU 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-IGRWEYJ425OGHZQU 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-IGRWEYJ425OGHZQU 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-IGRWEYJ425OGHZQU 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-IGRWEYJ425OGHZQU 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-IGRWEYJ425OGHZQU" -d 172.16.0.43 -j KUBE-POD-FW-IGRWEYJ425OGHZQU
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-IGRWEYJ425OGHZQU" -d 172.16.0.43 -j KUBE-POD-FW-IGRWEYJ425OGHZQU
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-IGRWEYJ425OGHZQU" -d 172.16.0.43 -j KUBE-POD-FW-IGRWEYJ425OGHZQU
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-IGRWEYJ425OGHZQU" -s 172.16.0.43 -j KUBE-POD-FW-IGRWEYJ425OGHZQU
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-IGRWEYJ425OGHZQU" -s 172.16.0.43 -j KUBE-POD-FW-IGRWEYJ425OGHZQU
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-IGRWEYJ425OGHZQU" -s 172.16.0.43 -j KUBE-POD-FW-IGRWEYJ425OGHZQU
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-IGRWEYJ425OGHZQU" -s 172.16.0.43 -j KUBE-POD-FW-IGRWEYJ425OGHZQU
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-IGRWEYJ425OGHZQU -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-IGRWEYJ425OGHZQU -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-IGRWEYJ425OGHZQU -j MARK --set-mark 0/0x10000
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-IGRWEYJ425OGHZQU -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-OGOWYI7AEQZKVJ2S 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-OGOWYI7AEQZKVJ2S 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-OGOWYI7AEQZKVJ2S 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-OGOWYI7AEQZKVJ2S 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:34:29 truenas env[20630]: -I KUBE-POD-FW-OGOWYI7AEQZKVJ2S 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-OGOWYI7AEQZKVJ2S" -d 172.16.0.46 -j KUBE-POD-FW-OGOWYI7AEQZKVJ2S
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-OGOWYI7AEQZKVJ2S" -d 172.16.0.46 -j KUBE-POD-FW-OGOWYI7AEQZKVJ2S
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-OGOWYI7AEQZKVJ2S" -d 172.16.0.46 -j KUBE-POD-FW-OGOWYI7AEQZKVJ2S
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-OGOWYI7AEQZKVJ2S" -s 172.16.0.46 -j KUBE-POD-FW-OGOWYI7AEQZKVJ2S
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-OGOWYI7AEQZKVJ2S" -s 172.16.0.46 -j KUBE-POD-FW-OGOWYI7AEQZKVJ2S
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-OGOWYI7AEQZKVJ2S" -s 172.16.0.46 -j KUBE-POD-FW-OGOWYI7AEQZKVJ2S
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-OGOWYI7AEQZKVJ2S" -s 172.16.0.46 -j KUBE-POD-FW-OGOWYI7AEQZKVJ2S
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-OGOWYI7AEQZKVJ2S -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-OGOWYI7AEQZKVJ2S -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-OGOWYI7AEQZKVJ2S -j MARK --set-mark 0/0x10000
Jun  8 00:34:29 truenas env[20630]: -A KUBE-POD-FW-OGOWYI7AEQZKVJ2S -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: COMMIT
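Counting the dumped ruleset from its "*filter" line, the "Error occurred at line: 103" that kube-router reports lands on the first "-A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies ..." rule: the only rules in the dump whose --comment value is not wrapped in double quotes. iptables-restore splits arguments on whitespace, so it takes "rule" as the comment and then trips over "to", which is exactly the "Bad argument `to'" in the log. Because the restore aborts, the previously loaded ruleset stays in the kernel and the KUBE-POD-FW chains stop following pod IP changes, which is what a sync failure repeating every five minutes means for policy enforcement. The script below is an added example, not part of the original log or of kube-router; it reproduces that diagnosis over a constructed, shortened syslog excerpt (SAMPLE_LOG) with the same shape as the dump above, locates the reported line, names the token iptables-restore will reject, lists every rule with the same defect (the error only reports the first one), and shows the rule with the comment quoted.

```python
"""Diagnose a failed kube-router iptables-restore sync from a syslog excerpt.

Added example, not part of the original log or of kube-router. Tokenises
rules the way iptables-restore does (whitespace-separated, double quotes
group a single argument) to explain a "Bad argument" failure.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: a shortened excerpt with the same structure as the real
# dump. The restore payload starts at "*filter" (line 1) and ends at "COMMIT".
SAMPLE_LOG = """\
Jun  8 00:34:29 truenas env[20630]: E0608 00:34:29.756662   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:34:29 truenas env[20630]: Error occurred at line: 7
Jun  8 00:34:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:34:29 truenas env[20630]: )
Jun  8 00:34:29 truenas env[20630]: *filter
Jun  8 00:34:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:34:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-IGRWEYJ425OGHZQU" -d 172.16.0.43 -j KUBE-POD-FW-IGRWEYJ425OGHZQU
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:34:29 truenas env[20630]: COMMIT
"""

SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+: ")
ERROR_LINE = re.compile(r"Error occurred at line: (\d+)")
# A token is either a double-quoted string or a run of non-whitespace.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def strip_prefix(line: str) -> str:
    """Remove the 'Mon dd hh:mm:ss host prog[pid]: ' syslog prefix."""
    return SYSLOG_PREFIX.sub("", line, count=1)


def extract_restore_payload(log_text: str) -> Tuple[Optional[int], List[str]]:
    """Return (line number reported by iptables-restore, payload lines).

    The payload is the text kube-router dumps after the error, from the
    first '*table' line through 'COMMIT', numbered the way iptables-restore
    numbers it (the '*filter' line is line 1).
    """
    reported: Optional[int] = None
    payload: List[str] = []
    for raw in log_text.splitlines():
        msg = strip_prefix(raw)
        if reported is None:
            m = ERROR_LINE.search(msg)
            if m:
                reported = int(m.group(1))
            continue
        if not payload and not msg.startswith("*"):
            continue  # skip the "Try ..." and ")" lines before the dump
        payload.append(msg)
        if msg == "COMMIT":
            break
    return reported, payload


def tokenize(rule: str) -> List[Tuple[str, bool]]:
    """Split a rule into (value, was_quoted) pairs, as iptables-restore does."""
    return [
        (m.group(2), False) if m.group(2) is not None else (m.group(1), True)
        for m in TOKEN.finditer(rule)
    ]


def first_bad_argument(rule: str) -> Optional[str]:
    """Return the stray word that follows an unquoted multi-word --comment.

    After '--comment X', the next token must be an option ('-...'); any other
    token is what iptables-restore reports as a bad argument.
    """
    toks = [v for v, _ in tokenize(rule)]
    for i, tok in enumerate(toks):
        if tok == "--comment" and i + 2 < len(toks) and not toks[i + 2].startswith("-"):
            return toks[i + 2]
    return None


def unquoted_comment_rules(payload: List[str]) -> List[int]:
    """1-based payload line numbers of every rule with an unquoted comment."""
    return [n for n, line in enumerate(payload, 1) if first_bad_argument(line)]


def quote_comment(rule: str) -> str:
    """Rebuild the rule with an unquoted --comment value wrapped in quotes."""
    toks = tokenize(rule)
    out: List[str] = []
    i = 0
    while i < len(toks):
        val, quoted = toks[i]
        if val == "--comment" and i + 1 < len(toks) and not toks[i + 1][1]:
            j = i + 1
            words: List[str] = []
            while j < len(toks) and not toks[j][0].startswith("-"):
                words.append(toks[j][0])
                j += 1
            out.extend(["--comment", '"' + " ".join(words) + '"'])
            i = j
            continue
        out.append('"' + val + '"' if quoted else val)
        i += 1
    return " ".join(out)


def diagnose(log_text: str) -> dict:
    """Tie the reported line number to the offending rule and its fix."""
    reported, payload = extract_restore_payload(log_text)
    if reported is None or reported > len(payload):
        return {"reported_line": reported, "rule": None, "bad_argument": None, "fixed_rule": None}
    rule = payload[reported - 1]
    bad = first_bad_argument(rule)
    return {
        "reported_line": reported,
        "rule": rule,
        "bad_argument": bad,
        "fixed_rule": quote_comment(rule) if bad else None,
        "all_unquoted": unquoted_comment_rules(payload),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real journal text the result is the same, with line 103 resolving to the KUBE-ROUTER-OUTPUT rule and lines 104 and 105 (the KUBE-ROUTER-INPUT and KUBE-ROUTER-FORWARD copies) flagged as well; a quoted candidate ruleset can be parsed without committing it with iptables-restore --test. Quoting the dumped text is only a way to confirm the diagnosis: the comment is generated by kube-router, so the fix has to land in the kube-router build TrueNAS ships, and until it does the live KUBE-POD-FW chains should be compared against the current pod IPs before trusting that network policies are being enforced.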
Jun  8 00:39:29 truenas env[20630]: E0608 00:39:29.740922   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:39:29 truenas env[20630]: Error occurred at line: 103
Jun  8 00:39:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:39:29 truenas env[20630]: )
Jun  8 00:39:29 truenas env[20630]: *filter
Jun  8 00:39:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:39:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 00:39:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 00:39:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 00:39:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 00:39:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 00:39:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 00:39:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:39:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:39:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 00:39:29 truenas env[20630]: :KUBE-POD-FW-DY7M74HHATUVZZ34 - [0:0]
Jun  8 00:39:29 truenas env[20630]: :KUBE-POD-FW-4233724HIPUXFIOT - [0:0]
Jun  8 00:39:29 truenas env[20630]: :KUBE-POD-FW-VD7V6T7REQ7EZDFS - [0:0]
Jun  8 00:39:29 truenas env[20630]: :KUBE-POD-FW-DOV3XXJVHVXTFG7C - [0:0]
Jun  8 00:39:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 00:39:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 00:39:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 00:39:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 00:39:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 00:39:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:39:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 00:39:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 00:39:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 00:39:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-DY7M74HHATUVZZ34 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-DY7M74HHATUVZZ34 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-DY7M74HHATUVZZ34 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-DY7M74HHATUVZZ34 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-DY7M74HHATUVZZ34 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY7M74HHATUVZZ34" -d 172.16.0.42 -j KUBE-POD-FW-DY7M74HHATUVZZ34
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY7M74HHATUVZZ34" -d 172.16.0.42 -j KUBE-POD-FW-DY7M74HHATUVZZ34
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY7M74HHATUVZZ34" -d 172.16.0.42 -j KUBE-POD-FW-DY7M74HHATUVZZ34
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY7M74HHATUVZZ34" -s 172.16.0.42 -j KUBE-POD-FW-DY7M74HHATUVZZ34
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY7M74HHATUVZZ34" -s 172.16.0.42 -j KUBE-POD-FW-DY7M74HHATUVZZ34
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY7M74HHATUVZZ34" -s 172.16.0.42 -j KUBE-POD-FW-DY7M74HHATUVZZ34
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY7M74HHATUVZZ34" -s 172.16.0.42 -j KUBE-POD-FW-DY7M74HHATUVZZ34
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-DY7M74HHATUVZZ34 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-DY7M74HHATUVZZ34 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-DY7M74HHATUVZZ34 -j MARK --set-mark 0/0x10000
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-DY7M74HHATUVZZ34 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-4233724HIPUXFIOT 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-4233724HIPUXFIOT 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-4233724HIPUXFIOT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-4233724HIPUXFIOT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-4233724HIPUXFIOT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4233724HIPUXFIOT" -d 172.16.0.45 -j KUBE-POD-FW-4233724HIPUXFIOT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4233724HIPUXFIOT" -d 172.16.0.45 -j KUBE-POD-FW-4233724HIPUXFIOT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4233724HIPUXFIOT" -d 172.16.0.45 -j KUBE-POD-FW-4233724HIPUXFIOT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4233724HIPUXFIOT" -s 172.16.0.45 -j KUBE-POD-FW-4233724HIPUXFIOT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4233724HIPUXFIOT" -s 172.16.0.45 -j KUBE-POD-FW-4233724HIPUXFIOT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4233724HIPUXFIOT" -s 172.16.0.45 -j KUBE-POD-FW-4233724HIPUXFIOT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4233724HIPUXFIOT" -s 172.16.0.45 -j KUBE-POD-FW-4233724HIPUXFIOT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-4233724HIPUXFIOT -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-4233724HIPUXFIOT -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-4233724HIPUXFIOT -j MARK --set-mark 0/0x10000
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-4233724HIPUXFIOT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-VD7V6T7REQ7EZDFS 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-VD7V6T7REQ7EZDFS 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-VD7V6T7REQ7EZDFS 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-VD7V6T7REQ7EZDFS 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-VD7V6T7REQ7EZDFS 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VD7V6T7REQ7EZDFS" -d 172.16.0.43 -j KUBE-POD-FW-VD7V6T7REQ7EZDFS
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VD7V6T7REQ7EZDFS" -d 172.16.0.43 -j KUBE-POD-FW-VD7V6T7REQ7EZDFS
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VD7V6T7REQ7EZDFS" -d 172.16.0.43 -j KUBE-POD-FW-VD7V6T7REQ7EZDFS
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VD7V6T7REQ7EZDFS" -s 172.16.0.43 -j KUBE-POD-FW-VD7V6T7REQ7EZDFS
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VD7V6T7REQ7EZDFS" -s 172.16.0.43 -j KUBE-POD-FW-VD7V6T7REQ7EZDFS
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VD7V6T7REQ7EZDFS" -s 172.16.0.43 -j KUBE-POD-FW-VD7V6T7REQ7EZDFS
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VD7V6T7REQ7EZDFS" -s 172.16.0.43 -j KUBE-POD-FW-VD7V6T7REQ7EZDFS
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-VD7V6T7REQ7EZDFS -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-VD7V6T7REQ7EZDFS -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-VD7V6T7REQ7EZDFS -j MARK --set-mark 0/0x10000
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-VD7V6T7REQ7EZDFS -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-DOV3XXJVHVXTFG7C 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-DOV3XXJVHVXTFG7C 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-DOV3XXJVHVXTFG7C 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-DOV3XXJVHVXTFG7C 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:39:29 truenas env[20630]: -I KUBE-POD-FW-DOV3XXJVHVXTFG7C 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DOV3XXJVHVXTFG7C" -d 172.16.0.46 -j KUBE-POD-FW-DOV3XXJVHVXTFG7C
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DOV3XXJVHVXTFG7C" -d 172.16.0.46 -j KUBE-POD-FW-DOV3XXJVHVXTFG7C
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DOV3XXJVHVXTFG7C" -d 172.16.0.46 -j KUBE-POD-FW-DOV3XXJVHVXTFG7C
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DOV3XXJVHVXTFG7C" -s 172.16.0.46 -j KUBE-POD-FW-DOV3XXJVHVXTFG7C
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DOV3XXJVHVXTFG7C" -s 172.16.0.46 -j KUBE-POD-FW-DOV3XXJVHVXTFG7C
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DOV3XXJVHVXTFG7C" -s 172.16.0.46 -j KUBE-POD-FW-DOV3XXJVHVXTFG7C
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DOV3XXJVHVXTFG7C" -s 172.16.0.46 -j KUBE-POD-FW-DOV3XXJVHVXTFG7C
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-DOV3XXJVHVXTFG7C -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-DOV3XXJVHVXTFG7C -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-DOV3XXJVHVXTFG7C -j MARK --set-mark 0/0x10000
Jun  8 00:39:29 truenas env[20630]: -A KUBE-POD-FW-DOV3XXJVHVXTFG7C -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:39:29 truenas env[20630]: COMMIT
Jun  8 00:40:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 00:40:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 00:40:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 00:44:29 truenas env[20630]: E0608 00:44:29.736831   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:44:29 truenas env[20630]: Error occurred at line: 103
Jun  8 00:44:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:44:29 truenas env[20630]: )
Jun  8 00:44:29 truenas env[20630]: *filter
Jun  8 00:44:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:44:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 00:44:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 00:44:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 00:44:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 00:44:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 00:44:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 00:44:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:44:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:44:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 00:44:29 truenas env[20630]: :KUBE-POD-FW-RARXBOD65XLU4733 - [0:0]
Jun  8 00:44:29 truenas env[20630]: :KUBE-POD-FW-AX6ZMRDFPGOTGVZC - [0:0]
Jun  8 00:44:29 truenas env[20630]: :KUBE-POD-FW-WBS24OSVGTFBWMDG - [0:0]
Jun  8 00:44:29 truenas env[20630]: :KUBE-POD-FW-2FMR5VWDVHU3652D - [0:0]
Jun  8 00:44:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 00:44:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 00:44:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 00:44:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 00:44:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 00:44:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:44:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 00:44:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 00:44:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 00:44:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-RARXBOD65XLU4733 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-RARXBOD65XLU4733 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-RARXBOD65XLU4733 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-RARXBOD65XLU4733 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-RARXBOD65XLU4733 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RARXBOD65XLU4733" -d 172.16.0.45 -j KUBE-POD-FW-RARXBOD65XLU4733
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RARXBOD65XLU4733" -d 172.16.0.45 -j KUBE-POD-FW-RARXBOD65XLU4733
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RARXBOD65XLU4733" -d 172.16.0.45 -j KUBE-POD-FW-RARXBOD65XLU4733
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RARXBOD65XLU4733" -s 172.16.0.45 -j KUBE-POD-FW-RARXBOD65XLU4733
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RARXBOD65XLU4733" -s 172.16.0.45 -j KUBE-POD-FW-RARXBOD65XLU4733
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RARXBOD65XLU4733" -s 172.16.0.45 -j KUBE-POD-FW-RARXBOD65XLU4733
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RARXBOD65XLU4733" -s 172.16.0.45 -j KUBE-POD-FW-RARXBOD65XLU4733
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-RARXBOD65XLU4733 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-RARXBOD65XLU4733 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-RARXBOD65XLU4733 -j MARK --set-mark 0/0x10000
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-RARXBOD65XLU4733 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-AX6ZMRDFPGOTGVZC 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-AX6ZMRDFPGOTGVZC 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-AX6ZMRDFPGOTGVZC 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-AX6ZMRDFPGOTGVZC 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-AX6ZMRDFPGOTGVZC 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AX6ZMRDFPGOTGVZC" -d 172.16.0.43 -j KUBE-POD-FW-AX6ZMRDFPGOTGVZC
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AX6ZMRDFPGOTGVZC" -d 172.16.0.43 -j KUBE-POD-FW-AX6ZMRDFPGOTGVZC
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AX6ZMRDFPGOTGVZC" -d 172.16.0.43 -j KUBE-POD-FW-AX6ZMRDFPGOTGVZC
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AX6ZMRDFPGOTGVZC" -s 172.16.0.43 -j KUBE-POD-FW-AX6ZMRDFPGOTGVZC
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AX6ZMRDFPGOTGVZC" -s 172.16.0.43 -j KUBE-POD-FW-AX6ZMRDFPGOTGVZC
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AX6ZMRDFPGOTGVZC" -s 172.16.0.43 -j KUBE-POD-FW-AX6ZMRDFPGOTGVZC
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AX6ZMRDFPGOTGVZC" -s 172.16.0.43 -j KUBE-POD-FW-AX6ZMRDFPGOTGVZC
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-AX6ZMRDFPGOTGVZC -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-AX6ZMRDFPGOTGVZC -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-AX6ZMRDFPGOTGVZC -j MARK --set-mark 0/0x10000
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-AX6ZMRDFPGOTGVZC -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-WBS24OSVGTFBWMDG 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-WBS24OSVGTFBWMDG 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-WBS24OSVGTFBWMDG 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-WBS24OSVGTFBWMDG 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-WBS24OSVGTFBWMDG 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WBS24OSVGTFBWMDG" -d 172.16.0.46 -j KUBE-POD-FW-WBS24OSVGTFBWMDG
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WBS24OSVGTFBWMDG" -d 172.16.0.46 -j KUBE-POD-FW-WBS24OSVGTFBWMDG
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WBS24OSVGTFBWMDG" -d 172.16.0.46 -j KUBE-POD-FW-WBS24OSVGTFBWMDG
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WBS24OSVGTFBWMDG" -s 172.16.0.46 -j KUBE-POD-FW-WBS24OSVGTFBWMDG
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WBS24OSVGTFBWMDG" -s 172.16.0.46 -j KUBE-POD-FW-WBS24OSVGTFBWMDG
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WBS24OSVGTFBWMDG" -s 172.16.0.46 -j KUBE-POD-FW-WBS24OSVGTFBWMDG
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WBS24OSVGTFBWMDG" -s 172.16.0.46 -j KUBE-POD-FW-WBS24OSVGTFBWMDG
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-WBS24OSVGTFBWMDG -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-WBS24OSVGTFBWMDG -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-WBS24OSVGTFBWMDG -j MARK --set-mark 0/0x10000
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-WBS24OSVGTFBWMDG -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-2FMR5VWDVHU3652D 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-2FMR5VWDVHU3652D 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-2FMR5VWDVHU3652D 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-2FMR5VWDVHU3652D 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:44:29 truenas env[20630]: -I KUBE-POD-FW-2FMR5VWDVHU3652D 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2FMR5VWDVHU3652D" -d 172.16.0.42 -j KUBE-POD-FW-2FMR5VWDVHU3652D
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2FMR5VWDVHU3652D" -d 172.16.0.42 -j KUBE-POD-FW-2FMR5VWDVHU3652D
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2FMR5VWDVHU3652D" -d 172.16.0.42 -j KUBE-POD-FW-2FMR5VWDVHU3652D
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2FMR5VWDVHU3652D" -s 172.16.0.42 -j KUBE-POD-FW-2FMR5VWDVHU3652D
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2FMR5VWDVHU3652D" -s 172.16.0.42 -j KUBE-POD-FW-2FMR5VWDVHU3652D
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2FMR5VWDVHU3652D" -s 172.16.0.42 -j KUBE-POD-FW-2FMR5VWDVHU3652D
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2FMR5VWDVHU3652D" -s 172.16.0.42 -j KUBE-POD-FW-2FMR5VWDVHU3652D
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-2FMR5VWDVHU3652D -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-2FMR5VWDVHU3652D -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-2FMR5VWDVHU3652D -j MARK --set-mark 0/0x10000
Jun  8 00:44:29 truenas env[20630]: -A KUBE-POD-FW-2FMR5VWDVHU3652D -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:44:29 truenas env[20630]: COMMIT
Jun  8 00:49:29 truenas env[20630]: E0608 00:49:29.776813   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:49:29 truenas env[20630]: Error occurred at line: 103
Jun  8 00:49:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:49:29 truenas env[20630]: )
Jun  8 00:49:29 truenas env[20630]: *filter
Jun  8 00:49:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:49:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 00:49:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 00:49:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 00:49:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 00:49:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 00:49:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 00:49:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:49:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:49:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 00:49:29 truenas env[20630]: :KUBE-POD-FW-47MO7CWEFDHXOZJV - [0:0]
Jun  8 00:49:29 truenas env[20630]: :KUBE-POD-FW-XDVW3WHJ3Y763NU6 - [0:0]
Jun  8 00:49:29 truenas env[20630]: :KUBE-POD-FW-65SLQAYSP3SWWRVJ - [0:0]
Jun  8 00:49:29 truenas env[20630]: :KUBE-POD-FW-PV75XNAFFZLJQU62 - [0:0]
Jun  8 00:49:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 00:49:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 00:49:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 00:49:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 00:49:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 00:49:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:49:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 00:49:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 00:49:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 00:49:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-47MO7CWEFDHXOZJV 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-47MO7CWEFDHXOZJV 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-47MO7CWEFDHXOZJV 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-47MO7CWEFDHXOZJV 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-47MO7CWEFDHXOZJV 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-47MO7CWEFDHXOZJV" -d 172.16.0.46 -j KUBE-POD-FW-47MO7CWEFDHXOZJV
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-47MO7CWEFDHXOZJV" -d 172.16.0.46 -j KUBE-POD-FW-47MO7CWEFDHXOZJV
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-47MO7CWEFDHXOZJV" -d 172.16.0.46 -j KUBE-POD-FW-47MO7CWEFDHXOZJV
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-47MO7CWEFDHXOZJV" -s 172.16.0.46 -j KUBE-POD-FW-47MO7CWEFDHXOZJV
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-47MO7CWEFDHXOZJV" -s 172.16.0.46 -j KUBE-POD-FW-47MO7CWEFDHXOZJV
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-47MO7CWEFDHXOZJV" -s 172.16.0.46 -j KUBE-POD-FW-47MO7CWEFDHXOZJV
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-47MO7CWEFDHXOZJV" -s 172.16.0.46 -j KUBE-POD-FW-47MO7CWEFDHXOZJV
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-47MO7CWEFDHXOZJV -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-47MO7CWEFDHXOZJV -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-47MO7CWEFDHXOZJV -j MARK --set-mark 0/0x10000
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-47MO7CWEFDHXOZJV -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-XDVW3WHJ3Y763NU6 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-XDVW3WHJ3Y763NU6 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-XDVW3WHJ3Y763NU6 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-XDVW3WHJ3Y763NU6 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-XDVW3WHJ3Y763NU6 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XDVW3WHJ3Y763NU6" -d 172.16.0.42 -j KUBE-POD-FW-XDVW3WHJ3Y763NU6
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XDVW3WHJ3Y763NU6" -d 172.16.0.42 -j KUBE-POD-FW-XDVW3WHJ3Y763NU6
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XDVW3WHJ3Y763NU6" -d 172.16.0.42 -j KUBE-POD-FW-XDVW3WHJ3Y763NU6
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XDVW3WHJ3Y763NU6" -s 172.16.0.42 -j KUBE-POD-FW-XDVW3WHJ3Y763NU6
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XDVW3WHJ3Y763NU6" -s 172.16.0.42 -j KUBE-POD-FW-XDVW3WHJ3Y763NU6
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XDVW3WHJ3Y763NU6" -s 172.16.0.42 -j KUBE-POD-FW-XDVW3WHJ3Y763NU6
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XDVW3WHJ3Y763NU6" -s 172.16.0.42 -j KUBE-POD-FW-XDVW3WHJ3Y763NU6
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-XDVW3WHJ3Y763NU6 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-XDVW3WHJ3Y763NU6 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-XDVW3WHJ3Y763NU6 -j MARK --set-mark 0/0x10000
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-XDVW3WHJ3Y763NU6 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-65SLQAYSP3SWWRVJ 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-65SLQAYSP3SWWRVJ 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-65SLQAYSP3SWWRVJ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-65SLQAYSP3SWWRVJ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-65SLQAYSP3SWWRVJ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-65SLQAYSP3SWWRVJ" -d 172.16.0.45 -j KUBE-POD-FW-65SLQAYSP3SWWRVJ
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-65SLQAYSP3SWWRVJ" -d 172.16.0.45 -j KUBE-POD-FW-65SLQAYSP3SWWRVJ
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-65SLQAYSP3SWWRVJ" -d 172.16.0.45 -j KUBE-POD-FW-65SLQAYSP3SWWRVJ
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-65SLQAYSP3SWWRVJ" -s 172.16.0.45 -j KUBE-POD-FW-65SLQAYSP3SWWRVJ
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-65SLQAYSP3SWWRVJ" -s 172.16.0.45 -j KUBE-POD-FW-65SLQAYSP3SWWRVJ
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-65SLQAYSP3SWWRVJ" -s 172.16.0.45 -j KUBE-POD-FW-65SLQAYSP3SWWRVJ
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-65SLQAYSP3SWWRVJ" -s 172.16.0.45 -j KUBE-POD-FW-65SLQAYSP3SWWRVJ
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-65SLQAYSP3SWWRVJ -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-65SLQAYSP3SWWRVJ -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-65SLQAYSP3SWWRVJ -j MARK --set-mark 0/0x10000
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-65SLQAYSP3SWWRVJ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-PV75XNAFFZLJQU62 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-PV75XNAFFZLJQU62 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-PV75XNAFFZLJQU62 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-PV75XNAFFZLJQU62 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:49:29 truenas env[20630]: -I KUBE-POD-FW-PV75XNAFFZLJQU62 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PV75XNAFFZLJQU62" -d 172.16.0.43 -j KUBE-POD-FW-PV75XNAFFZLJQU62
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PV75XNAFFZLJQU62" -d 172.16.0.43 -j KUBE-POD-FW-PV75XNAFFZLJQU62
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PV75XNAFFZLJQU62" -d 172.16.0.43 -j KUBE-POD-FW-PV75XNAFFZLJQU62
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PV75XNAFFZLJQU62" -s 172.16.0.43 -j KUBE-POD-FW-PV75XNAFFZLJQU62
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PV75XNAFFZLJQU62" -s 172.16.0.43 -j KUBE-POD-FW-PV75XNAFFZLJQU62
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PV75XNAFFZLJQU62" -s 172.16.0.43 -j KUBE-POD-FW-PV75XNAFFZLJQU62
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PV75XNAFFZLJQU62" -s 172.16.0.43 -j KUBE-POD-FW-PV75XNAFFZLJQU62
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-PV75XNAFFZLJQU62 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-PV75XNAFFZLJQU62 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-PV75XNAFFZLJQU62 -j MARK --set-mark 0/0x10000
Jun  8 00:49:29 truenas env[20630]: -A KUBE-POD-FW-PV75XNAFFZLJQU62 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:49:29 truenas env[20630]: COMMIT
Jun  8 00:50:01 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 00:50:01 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 00:50:01 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 00:54:29 truenas env[20630]: E0608 00:54:29.748492   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:54:29 truenas env[20630]: Error occurred at line: 103
Jun  8 00:54:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:54:29 truenas env[20630]: )
Jun  8 00:54:29 truenas env[20630]: *filter
Jun  8 00:54:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:54:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 00:54:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 00:54:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 00:54:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 00:54:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 00:54:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 00:54:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:54:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:54:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 00:54:29 truenas env[20630]: :KUBE-POD-FW-VANFG2XPBBGDB3F4 - [0:0]
Jun  8 00:54:29 truenas env[20630]: :KUBE-POD-FW-ZZPZ37VYQT5ZPJYV - [0:0]
Jun  8 00:54:29 truenas env[20630]: :KUBE-POD-FW-FKP44ZOGMHZIFYYZ - [0:0]
Jun  8 00:54:29 truenas env[20630]: :KUBE-POD-FW-FY4MJSCGF2WCQNMC - [0:0]
Jun  8 00:54:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 00:54:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 00:54:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 00:54:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 00:54:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 00:54:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:54:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 00:54:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 00:54:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 00:54:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-VANFG2XPBBGDB3F4 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-VANFG2XPBBGDB3F4 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-VANFG2XPBBGDB3F4 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-VANFG2XPBBGDB3F4 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-VANFG2XPBBGDB3F4 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VANFG2XPBBGDB3F4" -d 172.16.0.45 -j KUBE-POD-FW-VANFG2XPBBGDB3F4
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VANFG2XPBBGDB3F4" -d 172.16.0.45 -j KUBE-POD-FW-VANFG2XPBBGDB3F4
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VANFG2XPBBGDB3F4" -d 172.16.0.45 -j KUBE-POD-FW-VANFG2XPBBGDB3F4
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VANFG2XPBBGDB3F4" -s 172.16.0.45 -j KUBE-POD-FW-VANFG2XPBBGDB3F4
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VANFG2XPBBGDB3F4" -s 172.16.0.45 -j KUBE-POD-FW-VANFG2XPBBGDB3F4
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VANFG2XPBBGDB3F4" -s 172.16.0.45 -j KUBE-POD-FW-VANFG2XPBBGDB3F4
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VANFG2XPBBGDB3F4" -s 172.16.0.45 -j KUBE-POD-FW-VANFG2XPBBGDB3F4
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-VANFG2XPBBGDB3F4 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-VANFG2XPBBGDB3F4 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-VANFG2XPBBGDB3F4 -j MARK --set-mark 0/0x10000
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-VANFG2XPBBGDB3F4 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-ZZPZ37VYQT5ZPJYV 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-ZZPZ37VYQT5ZPJYV 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-ZZPZ37VYQT5ZPJYV 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-ZZPZ37VYQT5ZPJYV 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-ZZPZ37VYQT5ZPJYV 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZZPZ37VYQT5ZPJYV" -d 172.16.0.43 -j KUBE-POD-FW-ZZPZ37VYQT5ZPJYV
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZZPZ37VYQT5ZPJYV" -d 172.16.0.43 -j KUBE-POD-FW-ZZPZ37VYQT5ZPJYV
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZZPZ37VYQT5ZPJYV" -d 172.16.0.43 -j KUBE-POD-FW-ZZPZ37VYQT5ZPJYV
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZZPZ37VYQT5ZPJYV" -s 172.16.0.43 -j KUBE-POD-FW-ZZPZ37VYQT5ZPJYV
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZZPZ37VYQT5ZPJYV" -s 172.16.0.43 -j KUBE-POD-FW-ZZPZ37VYQT5ZPJYV
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZZPZ37VYQT5ZPJYV" -s 172.16.0.43 -j KUBE-POD-FW-ZZPZ37VYQT5ZPJYV
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZZPZ37VYQT5ZPJYV" -s 172.16.0.43 -j KUBE-POD-FW-ZZPZ37VYQT5ZPJYV
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-ZZPZ37VYQT5ZPJYV -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-ZZPZ37VYQT5ZPJYV -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-ZZPZ37VYQT5ZPJYV -j MARK --set-mark 0/0x10000
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-ZZPZ37VYQT5ZPJYV -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-FKP44ZOGMHZIFYYZ 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-FKP44ZOGMHZIFYYZ 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-FKP44ZOGMHZIFYYZ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-FKP44ZOGMHZIFYYZ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-FKP44ZOGMHZIFYYZ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FKP44ZOGMHZIFYYZ" -d 172.16.0.46 -j KUBE-POD-FW-FKP44ZOGMHZIFYYZ
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FKP44ZOGMHZIFYYZ" -d 172.16.0.46 -j KUBE-POD-FW-FKP44ZOGMHZIFYYZ
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FKP44ZOGMHZIFYYZ" -d 172.16.0.46 -j KUBE-POD-FW-FKP44ZOGMHZIFYYZ
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FKP44ZOGMHZIFYYZ" -s 172.16.0.46 -j KUBE-POD-FW-FKP44ZOGMHZIFYYZ
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FKP44ZOGMHZIFYYZ" -s 172.16.0.46 -j KUBE-POD-FW-FKP44ZOGMHZIFYYZ
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FKP44ZOGMHZIFYYZ" -s 172.16.0.46 -j KUBE-POD-FW-FKP44ZOGMHZIFYYZ
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FKP44ZOGMHZIFYYZ" -s 172.16.0.46 -j KUBE-POD-FW-FKP44ZOGMHZIFYYZ
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-FKP44ZOGMHZIFYYZ -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-FKP44ZOGMHZIFYYZ -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-FKP44ZOGMHZIFYYZ -j MARK --set-mark 0/0x10000
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-FKP44ZOGMHZIFYYZ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-FY4MJSCGF2WCQNMC 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-FY4MJSCGF2WCQNMC 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-FY4MJSCGF2WCQNMC 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-FY4MJSCGF2WCQNMC 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:54:29 truenas env[20630]: -I KUBE-POD-FW-FY4MJSCGF2WCQNMC 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FY4MJSCGF2WCQNMC" -d 172.16.0.42 -j KUBE-POD-FW-FY4MJSCGF2WCQNMC
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FY4MJSCGF2WCQNMC" -d 172.16.0.42 -j KUBE-POD-FW-FY4MJSCGF2WCQNMC
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FY4MJSCGF2WCQNMC" -d 172.16.0.42 -j KUBE-POD-FW-FY4MJSCGF2WCQNMC
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FY4MJSCGF2WCQNMC" -s 172.16.0.42 -j KUBE-POD-FW-FY4MJSCGF2WCQNMC
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FY4MJSCGF2WCQNMC" -s 172.16.0.42 -j KUBE-POD-FW-FY4MJSCGF2WCQNMC
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FY4MJSCGF2WCQNMC" -s 172.16.0.42 -j KUBE-POD-FW-FY4MJSCGF2WCQNMC
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FY4MJSCGF2WCQNMC" -s 172.16.0.42 -j KUBE-POD-FW-FY4MJSCGF2WCQNMC
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-FY4MJSCGF2WCQNMC -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-FY4MJSCGF2WCQNMC -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-FY4MJSCGF2WCQNMC -j MARK --set-mark 0/0x10000
Jun  8 00:54:29 truenas env[20630]: -A KUBE-POD-FW-FY4MJSCGF2WCQNMC -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:54:29 truenas env[20630]: COMMIT
Jun  8 00:59:06 truenas smartd[3887]: Device: /dev/sda [SAT], SMART Usage Attribute: 190 Airflow_Temperature_Cel changed from 69 to 68
Jun  8 00:59:26 truenas nscd[512197]: 512197 monitoring file `/etc/hosts` (1)
Jun  8 00:59:26 truenas nscd[512197]: 512197 monitoring directory `/etc` (2)
Jun  8 00:59:26 truenas nscd[512197]: 512197 monitoring file `/etc/resolv.conf` (3)
Jun  8 00:59:26 truenas nscd[512197]: 512197 monitoring directory `/etc` (2)
Jun  8 00:59:26 truenas nscd[512197]: 512197 cannot create /var/cache/nscd/hosts; no persistent database used
Jun  8 00:59:29 truenas env[20630]: E0608 00:59:29.728904   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 00:59:29 truenas env[20630]: Error occurred at line: 103
Jun  8 00:59:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 00:59:29 truenas env[20630]: )
Jun  8 00:59:29 truenas env[20630]: *filter
Jun  8 00:59:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 00:59:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 00:59:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 00:59:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 00:59:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 00:59:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 00:59:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 00:59:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 00:59:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 00:59:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 00:59:29 truenas env[20630]: :KUBE-POD-FW-7INKJDXIQBT3SF32 - [0:0]
Jun  8 00:59:29 truenas env[20630]: :KUBE-POD-FW-GXPX37XBIBBFUDZO - [0:0]
Jun  8 00:59:29 truenas env[20630]: :KUBE-POD-FW-CXX3IRVJVYGQKJJA - [0:0]
Jun  8 00:59:29 truenas env[20630]: :KUBE-POD-FW-AIHLEDXSCINCBCBZ - [0:0]
Jun  8 00:59:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 00:59:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 00:59:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 00:59:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 00:59:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 00:59:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 00:59:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 00:59:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 00:59:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 00:59:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-7INKJDXIQBT3SF32 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-7INKJDXIQBT3SF32 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-7INKJDXIQBT3SF32 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-7INKJDXIQBT3SF32 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-7INKJDXIQBT3SF32 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7INKJDXIQBT3SF32" -d 172.16.0.45 -j KUBE-POD-FW-7INKJDXIQBT3SF32
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7INKJDXIQBT3SF32" -d 172.16.0.45 -j KUBE-POD-FW-7INKJDXIQBT3SF32
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7INKJDXIQBT3SF32" -d 172.16.0.45 -j KUBE-POD-FW-7INKJDXIQBT3SF32
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7INKJDXIQBT3SF32" -s 172.16.0.45 -j KUBE-POD-FW-7INKJDXIQBT3SF32
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7INKJDXIQBT3SF32" -s 172.16.0.45 -j KUBE-POD-FW-7INKJDXIQBT3SF32
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7INKJDXIQBT3SF32" -s 172.16.0.45 -j KUBE-POD-FW-7INKJDXIQBT3SF32
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7INKJDXIQBT3SF32" -s 172.16.0.45 -j KUBE-POD-FW-7INKJDXIQBT3SF32
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-7INKJDXIQBT3SF32 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-7INKJDXIQBT3SF32 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-7INKJDXIQBT3SF32 -j MARK --set-mark 0/0x10000
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-7INKJDXIQBT3SF32 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-GXPX37XBIBBFUDZO 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-GXPX37XBIBBFUDZO 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-GXPX37XBIBBFUDZO 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-GXPX37XBIBBFUDZO 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-GXPX37XBIBBFUDZO 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GXPX37XBIBBFUDZO" -d 172.16.0.43 -j KUBE-POD-FW-GXPX37XBIBBFUDZO
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GXPX37XBIBBFUDZO" -d 172.16.0.43 -j KUBE-POD-FW-GXPX37XBIBBFUDZO
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GXPX37XBIBBFUDZO" -d 172.16.0.43 -j KUBE-POD-FW-GXPX37XBIBBFUDZO
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GXPX37XBIBBFUDZO" -s 172.16.0.43 -j KUBE-POD-FW-GXPX37XBIBBFUDZO
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GXPX37XBIBBFUDZO" -s 172.16.0.43 -j KUBE-POD-FW-GXPX37XBIBBFUDZO
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GXPX37XBIBBFUDZO" -s 172.16.0.43 -j KUBE-POD-FW-GXPX37XBIBBFUDZO
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GXPX37XBIBBFUDZO" -s 172.16.0.43 -j KUBE-POD-FW-GXPX37XBIBBFUDZO
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-GXPX37XBIBBFUDZO -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-GXPX37XBIBBFUDZO -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-GXPX37XBIBBFUDZO -j MARK --set-mark 0/0x10000
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-GXPX37XBIBBFUDZO -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-CXX3IRVJVYGQKJJA 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-CXX3IRVJVYGQKJJA 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-CXX3IRVJVYGQKJJA 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-CXX3IRVJVYGQKJJA 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-CXX3IRVJVYGQKJJA 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CXX3IRVJVYGQKJJA" -d 172.16.0.46 -j KUBE-POD-FW-CXX3IRVJVYGQKJJA
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CXX3IRVJVYGQKJJA" -d 172.16.0.46 -j KUBE-POD-FW-CXX3IRVJVYGQKJJA
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CXX3IRVJVYGQKJJA" -d 172.16.0.46 -j KUBE-POD-FW-CXX3IRVJVYGQKJJA
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CXX3IRVJVYGQKJJA" -s 172.16.0.46 -j KUBE-POD-FW-CXX3IRVJVYGQKJJA
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CXX3IRVJVYGQKJJA" -s 172.16.0.46 -j KUBE-POD-FW-CXX3IRVJVYGQKJJA
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CXX3IRVJVYGQKJJA" -s 172.16.0.46 -j KUBE-POD-FW-CXX3IRVJVYGQKJJA
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CXX3IRVJVYGQKJJA" -s 172.16.0.46 -j KUBE-POD-FW-CXX3IRVJVYGQKJJA
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-CXX3IRVJVYGQKJJA -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-CXX3IRVJVYGQKJJA -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-CXX3IRVJVYGQKJJA -j MARK --set-mark 0/0x10000
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-CXX3IRVJVYGQKJJA -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-AIHLEDXSCINCBCBZ 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-AIHLEDXSCINCBCBZ 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-AIHLEDXSCINCBCBZ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-AIHLEDXSCINCBCBZ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 00:59:29 truenas env[20630]: -I KUBE-POD-FW-AIHLEDXSCINCBCBZ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AIHLEDXSCINCBCBZ" -d 172.16.0.42 -j KUBE-POD-FW-AIHLEDXSCINCBCBZ
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AIHLEDXSCINCBCBZ" -d 172.16.0.42 -j KUBE-POD-FW-AIHLEDXSCINCBCBZ
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AIHLEDXSCINCBCBZ" -d 172.16.0.42 -j KUBE-POD-FW-AIHLEDXSCINCBCBZ
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AIHLEDXSCINCBCBZ" -s 172.16.0.42 -j KUBE-POD-FW-AIHLEDXSCINCBCBZ
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AIHLEDXSCINCBCBZ" -s 172.16.0.42 -j KUBE-POD-FW-AIHLEDXSCINCBCBZ
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AIHLEDXSCINCBCBZ" -s 172.16.0.42 -j KUBE-POD-FW-AIHLEDXSCINCBCBZ
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AIHLEDXSCINCBCBZ" -s 172.16.0.42 -j KUBE-POD-FW-AIHLEDXSCINCBCBZ
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-AIHLEDXSCINCBCBZ -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-AIHLEDXSCINCBCBZ -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-AIHLEDXSCINCBCBZ -j MARK --set-mark 0/0x10000
Jun  8 00:59:29 truenas env[20630]: -A KUBE-POD-FW-AIHLEDXSCINCBCBZ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 00:59:29 truenas env[20630]: COMMIT
Jun  8 01:00:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 01:00:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 01:00:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 01:04:29 truenas env[20630]: E0608 01:04:29.752873   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:04:29 truenas env[20630]: Error occurred at line: 103
Jun  8 01:04:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:04:29 truenas env[20630]: )
Jun  8 01:04:29 truenas env[20630]: *filter
Jun  8 01:04:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:04:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 01:04:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 01:04:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 01:04:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 01:04:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 01:04:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 01:04:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:04:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 01:04:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 01:04:29 truenas env[20630]: :KUBE-POD-FW-PXMACCKVLKNCL3NF - [0:0]
Jun  8 01:04:29 truenas env[20630]: :KUBE-POD-FW-KCUEPW7FKSXA37YZ - [0:0]
Jun  8 01:04:29 truenas env[20630]: :KUBE-POD-FW-RJXMLH2KPJ4UBLHV - [0:0]
Jun  8 01:04:29 truenas env[20630]: :KUBE-POD-FW-W5323XWM35BT7NLC - [0:0]
Jun  8 01:04:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:04:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 01:04:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 01:04:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 01:04:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 01:04:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:04:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 01:04:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 01:04:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 01:04:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-PXMACCKVLKNCL3NF 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-PXMACCKVLKNCL3NF 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-PXMACCKVLKNCL3NF 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-PXMACCKVLKNCL3NF 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-PXMACCKVLKNCL3NF 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-PXMACCKVLKNCL3NF" -d 172.16.0.42 -j KUBE-POD-FW-PXMACCKVLKNCL3NF
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-PXMACCKVLKNCL3NF" -d 172.16.0.42 -j KUBE-POD-FW-PXMACCKVLKNCL3NF
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-PXMACCKVLKNCL3NF" -d 172.16.0.42 -j KUBE-POD-FW-PXMACCKVLKNCL3NF
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-PXMACCKVLKNCL3NF" -s 172.16.0.42 -j KUBE-POD-FW-PXMACCKVLKNCL3NF
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-PXMACCKVLKNCL3NF" -s 172.16.0.42 -j KUBE-POD-FW-PXMACCKVLKNCL3NF
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-PXMACCKVLKNCL3NF" -s 172.16.0.42 -j KUBE-POD-FW-PXMACCKVLKNCL3NF
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-PXMACCKVLKNCL3NF" -s 172.16.0.42 -j KUBE-POD-FW-PXMACCKVLKNCL3NF
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-PXMACCKVLKNCL3NF -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-PXMACCKVLKNCL3NF -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-PXMACCKVLKNCL3NF -j MARK --set-mark 0/0x10000
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-PXMACCKVLKNCL3NF -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-KCUEPW7FKSXA37YZ 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-KCUEPW7FKSXA37YZ 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-KCUEPW7FKSXA37YZ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-KCUEPW7FKSXA37YZ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-KCUEPW7FKSXA37YZ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KCUEPW7FKSXA37YZ" -d 172.16.0.45 -j KUBE-POD-FW-KCUEPW7FKSXA37YZ
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KCUEPW7FKSXA37YZ" -d 172.16.0.45 -j KUBE-POD-FW-KCUEPW7FKSXA37YZ
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KCUEPW7FKSXA37YZ" -d 172.16.0.45 -j KUBE-POD-FW-KCUEPW7FKSXA37YZ
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KCUEPW7FKSXA37YZ" -s 172.16.0.45 -j KUBE-POD-FW-KCUEPW7FKSXA37YZ
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KCUEPW7FKSXA37YZ" -s 172.16.0.45 -j KUBE-POD-FW-KCUEPW7FKSXA37YZ
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KCUEPW7FKSXA37YZ" -s 172.16.0.45 -j KUBE-POD-FW-KCUEPW7FKSXA37YZ
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KCUEPW7FKSXA37YZ" -s 172.16.0.45 -j KUBE-POD-FW-KCUEPW7FKSXA37YZ
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-KCUEPW7FKSXA37YZ -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-KCUEPW7FKSXA37YZ -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-KCUEPW7FKSXA37YZ -j MARK --set-mark 0/0x10000
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-KCUEPW7FKSXA37YZ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-RJXMLH2KPJ4UBLHV 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-RJXMLH2KPJ4UBLHV 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-RJXMLH2KPJ4UBLHV 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-RJXMLH2KPJ4UBLHV 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-RJXMLH2KPJ4UBLHV 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-RJXMLH2KPJ4UBLHV" -d 172.16.0.43 -j KUBE-POD-FW-RJXMLH2KPJ4UBLHV
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-RJXMLH2KPJ4UBLHV" -d 172.16.0.43 -j KUBE-POD-FW-RJXMLH2KPJ4UBLHV
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-RJXMLH2KPJ4UBLHV" -d 172.16.0.43 -j KUBE-POD-FW-RJXMLH2KPJ4UBLHV
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-RJXMLH2KPJ4UBLHV" -s 172.16.0.43 -j KUBE-POD-FW-RJXMLH2KPJ4UBLHV
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-RJXMLH2KPJ4UBLHV" -s 172.16.0.43 -j KUBE-POD-FW-RJXMLH2KPJ4UBLHV
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-RJXMLH2KPJ4UBLHV" -s 172.16.0.43 -j KUBE-POD-FW-RJXMLH2KPJ4UBLHV
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-RJXMLH2KPJ4UBLHV" -s 172.16.0.43 -j KUBE-POD-FW-RJXMLH2KPJ4UBLHV
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-RJXMLH2KPJ4UBLHV -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-RJXMLH2KPJ4UBLHV -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-RJXMLH2KPJ4UBLHV -j MARK --set-mark 0/0x10000
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-RJXMLH2KPJ4UBLHV -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-W5323XWM35BT7NLC 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-W5323XWM35BT7NLC 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-W5323XWM35BT7NLC 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-W5323XWM35BT7NLC 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:04:29 truenas env[20630]: -I KUBE-POD-FW-W5323XWM35BT7NLC 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W5323XWM35BT7NLC" -d 172.16.0.46 -j KUBE-POD-FW-W5323XWM35BT7NLC
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W5323XWM35BT7NLC" -d 172.16.0.46 -j KUBE-POD-FW-W5323XWM35BT7NLC
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W5323XWM35BT7NLC" -d 172.16.0.46 -j KUBE-POD-FW-W5323XWM35BT7NLC
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W5323XWM35BT7NLC" -s 172.16.0.46 -j KUBE-POD-FW-W5323XWM35BT7NLC
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W5323XWM35BT7NLC" -s 172.16.0.46 -j KUBE-POD-FW-W5323XWM35BT7NLC
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W5323XWM35BT7NLC" -s 172.16.0.46 -j KUBE-POD-FW-W5323XWM35BT7NLC
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W5323XWM35BT7NLC" -s 172.16.0.46 -j KUBE-POD-FW-W5323XWM35BT7NLC
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-W5323XWM35BT7NLC -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-W5323XWM35BT7NLC -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-W5323XWM35BT7NLC -j MARK --set-mark 0/0x10000
Jun  8 01:04:29 truenas env[20630]: -A KUBE-POD-FW-W5323XWM35BT7NLC -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:04:29 truenas env[20630]: COMMIT
Jun  8 01:09:29 truenas env[20630]: E0608 01:09:29.736739   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:09:29 truenas env[20630]: Error occurred at line: 103
Jun  8 01:09:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:09:29 truenas env[20630]: )
Jun  8 01:09:29 truenas env[20630]: *filter
Jun  8 01:09:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:09:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 01:09:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 01:09:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 01:09:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 01:09:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 01:09:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 01:09:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:09:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 01:09:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 01:09:29 truenas env[20630]: :KUBE-POD-FW-3H6HHBZWWPMCB4DK - [0:0]
Jun  8 01:09:29 truenas env[20630]: :KUBE-POD-FW-ZJG4K732SSHPRR7G - [0:0]
Jun  8 01:09:29 truenas env[20630]: :KUBE-POD-FW-54YFBXNF54LFWWOU - [0:0]
Jun  8 01:09:29 truenas env[20630]: :KUBE-POD-FW-HA6D5U75OVLWYNHD - [0:0]
Jun  8 01:09:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:09:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 01:09:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 01:09:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 01:09:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 01:09:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:09:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 01:09:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 01:09:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 01:09:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-3H6HHBZWWPMCB4DK 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-3H6HHBZWWPMCB4DK 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-3H6HHBZWWPMCB4DK 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-3H6HHBZWWPMCB4DK 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-3H6HHBZWWPMCB4DK 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3H6HHBZWWPMCB4DK" -d 172.16.0.45 -j KUBE-POD-FW-3H6HHBZWWPMCB4DK
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3H6HHBZWWPMCB4DK" -d 172.16.0.45 -j KUBE-POD-FW-3H6HHBZWWPMCB4DK
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3H6HHBZWWPMCB4DK" -d 172.16.0.45 -j KUBE-POD-FW-3H6HHBZWWPMCB4DK
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3H6HHBZWWPMCB4DK" -s 172.16.0.45 -j KUBE-POD-FW-3H6HHBZWWPMCB4DK
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3H6HHBZWWPMCB4DK" -s 172.16.0.45 -j KUBE-POD-FW-3H6HHBZWWPMCB4DK
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3H6HHBZWWPMCB4DK" -s 172.16.0.45 -j KUBE-POD-FW-3H6HHBZWWPMCB4DK
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3H6HHBZWWPMCB4DK" -s 172.16.0.45 -j KUBE-POD-FW-3H6HHBZWWPMCB4DK
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-3H6HHBZWWPMCB4DK -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-3H6HHBZWWPMCB4DK -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-3H6HHBZWWPMCB4DK -j MARK --set-mark 0/0x10000
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-3H6HHBZWWPMCB4DK -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-ZJG4K732SSHPRR7G 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-ZJG4K732SSHPRR7G 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-ZJG4K732SSHPRR7G 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-ZJG4K732SSHPRR7G 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-ZJG4K732SSHPRR7G 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZJG4K732SSHPRR7G" -d 172.16.0.43 -j KUBE-POD-FW-ZJG4K732SSHPRR7G
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZJG4K732SSHPRR7G" -d 172.16.0.43 -j KUBE-POD-FW-ZJG4K732SSHPRR7G
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZJG4K732SSHPRR7G" -d 172.16.0.43 -j KUBE-POD-FW-ZJG4K732SSHPRR7G
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZJG4K732SSHPRR7G" -s 172.16.0.43 -j KUBE-POD-FW-ZJG4K732SSHPRR7G
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZJG4K732SSHPRR7G" -s 172.16.0.43 -j KUBE-POD-FW-ZJG4K732SSHPRR7G
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZJG4K732SSHPRR7G" -s 172.16.0.43 -j KUBE-POD-FW-ZJG4K732SSHPRR7G
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ZJG4K732SSHPRR7G" -s 172.16.0.43 -j KUBE-POD-FW-ZJG4K732SSHPRR7G
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-ZJG4K732SSHPRR7G -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-ZJG4K732SSHPRR7G -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-ZJG4K732SSHPRR7G -j MARK --set-mark 0/0x10000
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-ZJG4K732SSHPRR7G -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-54YFBXNF54LFWWOU 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-54YFBXNF54LFWWOU 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-54YFBXNF54LFWWOU 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-54YFBXNF54LFWWOU 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-54YFBXNF54LFWWOU 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-54YFBXNF54LFWWOU" -d 172.16.0.46 -j KUBE-POD-FW-54YFBXNF54LFWWOU
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-54YFBXNF54LFWWOU" -d 172.16.0.46 -j KUBE-POD-FW-54YFBXNF54LFWWOU
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-54YFBXNF54LFWWOU" -d 172.16.0.46 -j KUBE-POD-FW-54YFBXNF54LFWWOU
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-54YFBXNF54LFWWOU" -s 172.16.0.46 -j KUBE-POD-FW-54YFBXNF54LFWWOU
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-54YFBXNF54LFWWOU" -s 172.16.0.46 -j KUBE-POD-FW-54YFBXNF54LFWWOU
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-54YFBXNF54LFWWOU" -s 172.16.0.46 -j KUBE-POD-FW-54YFBXNF54LFWWOU
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-54YFBXNF54LFWWOU" -s 172.16.0.46 -j KUBE-POD-FW-54YFBXNF54LFWWOU
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-54YFBXNF54LFWWOU -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-54YFBXNF54LFWWOU -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-54YFBXNF54LFWWOU -j MARK --set-mark 0/0x10000
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-54YFBXNF54LFWWOU -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-HA6D5U75OVLWYNHD 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-HA6D5U75OVLWYNHD 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-HA6D5U75OVLWYNHD 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-HA6D5U75OVLWYNHD 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:09:29 truenas env[20630]: -I KUBE-POD-FW-HA6D5U75OVLWYNHD 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HA6D5U75OVLWYNHD" -d 172.16.0.42 -j KUBE-POD-FW-HA6D5U75OVLWYNHD
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HA6D5U75OVLWYNHD" -d 172.16.0.42 -j KUBE-POD-FW-HA6D5U75OVLWYNHD
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HA6D5U75OVLWYNHD" -d 172.16.0.42 -j KUBE-POD-FW-HA6D5U75OVLWYNHD
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HA6D5U75OVLWYNHD" -s 172.16.0.42 -j KUBE-POD-FW-HA6D5U75OVLWYNHD
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HA6D5U75OVLWYNHD" -s 172.16.0.42 -j KUBE-POD-FW-HA6D5U75OVLWYNHD
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HA6D5U75OVLWYNHD" -s 172.16.0.42 -j KUBE-POD-FW-HA6D5U75OVLWYNHD
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HA6D5U75OVLWYNHD" -s 172.16.0.42 -j KUBE-POD-FW-HA6D5U75OVLWYNHD
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-HA6D5U75OVLWYNHD -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-HA6D5U75OVLWYNHD -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-HA6D5U75OVLWYNHD -j MARK --set-mark 0/0x10000
Jun  8 01:09:29 truenas env[20630]: -A KUBE-POD-FW-HA6D5U75OVLWYNHD -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:09:29 truenas env[20630]: COMMIT
Jun  8 01:10:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 01:10:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 01:10:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 01:14:29 truenas env[20630]: E0608 01:14:29.756306   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:14:29 truenas env[20630]: Error occurred at line: 103
Jun  8 01:14:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:14:29 truenas env[20630]: )
Jun  8 01:14:29 truenas env[20630]: *filter
Jun  8 01:14:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:14:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 01:14:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-POD-FW-Z7WEFYTUDT6XOCHJ - [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-POD-FW-IPDWUGR53L3GRMFQ - [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-POD-FW-U4OS6MXHKOUC5M57 - [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-POD-FW-AYKAAL5D4CDANNU2 - [0:0]
Jun  8 01:14:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:14:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 01:14:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 01:14:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 01:14:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 01:14:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:14:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 01:14:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 01:14:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 01:14:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-Z7WEFYTUDT6XOCHJ 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-Z7WEFYTUDT6XOCHJ 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-Z7WEFYTUDT6XOCHJ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-Z7WEFYTUDT6XOCHJ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-Z7WEFYTUDT6XOCHJ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-Z7WEFYTUDT6XOCHJ" -d 172.16.0.43 -j KUBE-POD-FW-Z7WEFYTUDT6XOCHJ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-Z7WEFYTUDT6XOCHJ" -d 172.16.0.43 -j KUBE-POD-FW-Z7WEFYTUDT6XOCHJ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-Z7WEFYTUDT6XOCHJ" -d 172.16.0.43 -j KUBE-POD-FW-Z7WEFYTUDT6XOCHJ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-Z7WEFYTUDT6XOCHJ" -s 172.16.0.43 -j KUBE-POD-FW-Z7WEFYTUDT6XOCHJ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-Z7WEFYTUDT6XOCHJ" -s 172.16.0.43 -j KUBE-POD-FW-Z7WEFYTUDT6XOCHJ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-Z7WEFYTUDT6XOCHJ" -s 172.16.0.43 -j KUBE-POD-FW-Z7WEFYTUDT6XOCHJ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-Z7WEFYTUDT6XOCHJ" -s 172.16.0.43 -j KUBE-POD-FW-Z7WEFYTUDT6XOCHJ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-Z7WEFYTUDT6XOCHJ -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-Z7WEFYTUDT6XOCHJ -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-Z7WEFYTUDT6XOCHJ -j MARK --set-mark 0/0x10000
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-Z7WEFYTUDT6XOCHJ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-IPDWUGR53L3GRMFQ 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-IPDWUGR53L3GRMFQ 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-IPDWUGR53L3GRMFQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-IPDWUGR53L3GRMFQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-IPDWUGR53L3GRMFQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-IPDWUGR53L3GRMFQ" -d 172.16.0.46 -j KUBE-POD-FW-IPDWUGR53L3GRMFQ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-IPDWUGR53L3GRMFQ" -d 172.16.0.46 -j KUBE-POD-FW-IPDWUGR53L3GRMFQ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-IPDWUGR53L3GRMFQ" -d 172.16.0.46 -j KUBE-POD-FW-IPDWUGR53L3GRMFQ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-IPDWUGR53L3GRMFQ" -s 172.16.0.46 -j KUBE-POD-FW-IPDWUGR53L3GRMFQ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-IPDWUGR53L3GRMFQ" -s 172.16.0.46 -j KUBE-POD-FW-IPDWUGR53L3GRMFQ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-IPDWUGR53L3GRMFQ" -s 172.16.0.46 -j KUBE-POD-FW-IPDWUGR53L3GRMFQ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-IPDWUGR53L3GRMFQ" -s 172.16.0.46 -j KUBE-POD-FW-IPDWUGR53L3GRMFQ
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-IPDWUGR53L3GRMFQ -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-IPDWUGR53L3GRMFQ -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-IPDWUGR53L3GRMFQ -j MARK --set-mark 0/0x10000
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-IPDWUGR53L3GRMFQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-U4OS6MXHKOUC5M57 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-U4OS6MXHKOUC5M57 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-U4OS6MXHKOUC5M57 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-U4OS6MXHKOUC5M57 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-U4OS6MXHKOUC5M57 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U4OS6MXHKOUC5M57" -d 172.16.0.42 -j KUBE-POD-FW-U4OS6MXHKOUC5M57
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U4OS6MXHKOUC5M57" -d 172.16.0.42 -j KUBE-POD-FW-U4OS6MXHKOUC5M57
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U4OS6MXHKOUC5M57" -d 172.16.0.42 -j KUBE-POD-FW-U4OS6MXHKOUC5M57
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U4OS6MXHKOUC5M57" -s 172.16.0.42 -j KUBE-POD-FW-U4OS6MXHKOUC5M57
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U4OS6MXHKOUC5M57" -s 172.16.0.42 -j KUBE-POD-FW-U4OS6MXHKOUC5M57
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U4OS6MXHKOUC5M57" -s 172.16.0.42 -j KUBE-POD-FW-U4OS6MXHKOUC5M57
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U4OS6MXHKOUC5M57" -s 172.16.0.42 -j KUBE-POD-FW-U4OS6MXHKOUC5M57
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-U4OS6MXHKOUC5M57 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-U4OS6MXHKOUC5M57 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-U4OS6MXHKOUC5M57 -j MARK --set-mark 0/0x10000
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-U4OS6MXHKOUC5M57 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-AYKAAL5D4CDANNU2 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-AYKAAL5D4CDANNU2 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-AYKAAL5D4CDANNU2 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-AYKAAL5D4CDANNU2 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-AYKAAL5D4CDANNU2 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AYKAAL5D4CDANNU2" -d 172.16.0.45 -j KUBE-POD-FW-AYKAAL5D4CDANNU2
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AYKAAL5D4CDANNU2" -d 172.16.0.45 -j KUBE-POD-FW-AYKAAL5D4CDANNU2
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AYKAAL5D4CDANNU2" -d 172.16.0.45 -j KUBE-POD-FW-AYKAAL5D4CDANNU2
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AYKAAL5D4CDANNU2" -s 172.16.0.45 -j KUBE-POD-FW-AYKAAL5D4CDANNU2
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AYKAAL5D4CDANNU2" -s 172.16.0.45 -j KUBE-POD-FW-AYKAAL5D4CDANNU2
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AYKAAL5D4CDANNU2" -s 172.16.0.45 -j KUBE-POD-FW-AYKAAL5D4CDANNU2
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AYKAAL5D4CDANNU2" -s 172.16.0.45 -j KUBE-POD-FW-AYKAAL5D4CDANNU2
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-AYKAAL5D4CDANNU2 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-AYKAAL5D4CDANNU2 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-AYKAAL5D4CDANNU2 -j MARK --set-mark 0/0x10000
Jun  8 01:14:29 truenas env[20630]: -A KUBE-POD-FW-AYKAAL5D4CDANNU2 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: COMMIT
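The failure repeating every five minutes in this log is visible in the dump itself: counting from `*filter` as line 1, line 103 of the 01:14:29 payload is the `-A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies ...` rule. Its comment is not quoted, so iptables-restore takes `rule` as the comment and trips over `to` as a stray positional argument, which is exactly the "Bad argument `to'" it reports. Because iptables-restore applies a table atomically, an aborted sync leaves whatever ruleset was last loaded in place, so every per-pod KUBE-POD-FW chain in this dump goes unapplied until the offending line is fixed. The following checker is an added example, not kube-router or TrueNAS code: it strips the syslog prefix, extracts the `*filter` ... `COMMIT` payload, tokenises each rule with shlex (which honours the double quotes kube-router puts around its other comments), reports the first unquoted multi-word `--comment` with the same line number and stray token iptables-restore would, and rewrites the rule with the comment quoted. The sample payload is constructed to mirror the rule shapes above with only eight lines; the regex for the syslog prefix is an assumption about this log's format.

```python
import re
import shlex

# Constructed sample modelled on the kube-router dump in this log: same syslog
# prefix and rule shapes, shortened to eight payload lines. Line 7 (counting
# from "*filter") carries the unquoted multi-word comment.
SAMPLE_SYSLOG = """\
Jun  8 01:14:29 truenas env[20630]: *filter
Jun  8 01:14:29 truenas env[20630]: :INPUT ACCEPT [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0]
Jun  8 01:14:29 truenas env[20630]: :KUBE-POD-FW-Z7WEFYTUDT6XOCHJ - [0:0]
Jun  8 01:14:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:14:29 truenas env[20630]: -I KUBE-POD-FW-Z7WEFYTUDT6XOCHJ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:14:29 truenas env[20630]: COMMIT
"""

# Assumed shape of the syslog prefix in this log: "Mon  D HH:MM:SS host prog[pid]: ".
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ")


def payload_from_syslog(text):
    """Strip the syslog prefix and return the iptables-restore payload from the
    '*<table>' line through 'COMMIT' inclusive. iptables-restore numbers
    'Error occurred at line' from the '*<table>' line as line 1."""
    lines = [SYSLOG_PREFIX.sub("", ln) for ln in text.splitlines()]
    start = next(i for i, ln in enumerate(lines) if ln.startswith("*"))
    end = next(i for i, ln in enumerate(lines) if i > start and ln == "COMMIT")
    return lines[start:end + 1]


def check_comment_quoting(rule):
    """Return None when every --comment value in the rule is a single word
    (quoted or not); otherwise return the first stray token that follows an
    unquoted multi-word comment, which is the token iptables-restore rejects."""
    tokens = shlex.split(rule)
    for i, tok in enumerate(tokens):
        if tok == "--comment" and i + 2 < len(tokens):
            following = tokens[i + 2]
            if not following.startswith(("-", "!")):
                return following
    return None


def find_bad_rule(payload):
    """Return (line_number, stray_token, rule) for the first rule that would
    make iptables-restore fail, or None when the payload is clean."""
    for n, line in enumerate(payload, start=1):
        if line.startswith(("-A", "-I")) and (bad := check_comment_quoting(line)):
            return n, bad, line
    return None


def _word(tok):
    # Re-quote any token shlex unquoted; iptables-restore only understands double quotes.
    return '"' + tok + '"' if " " in tok else tok


def quote_comment(rule):
    """Rewrite an unquoted multi-word --comment as one double-quoted word, the
    form kube-router already uses for its other comments. Rules that are
    already well-formed come back unchanged."""
    tokens = shlex.split(rule)
    out, i = [], 0
    while i < len(tokens):
        out.append(_word(tokens[i]))
        if tokens[i] == "--comment" and i + 1 < len(tokens):
            j = i + 1
            words = [tokens[j]]  # the first token is always the comment value
            j += 1
            while j < len(tokens) and not tokens[j].startswith(("-", "!")):
                words.append(tokens[j])  # swallow stray words up to the next option
                j += 1
            out.append('"' + " ".join(words) + '"')
            i = j
            continue
        i += 1
    return " ".join(out)


def fix_payload(payload):
    """Apply quote_comment to every rule line; chain and table lines pass through."""
    return [quote_comment(ln) if ln.startswith(("-A", "-I")) else ln for ln in payload]


if __name__ == "__main__":
    payload = payload_from_syslog(SAMPLE_SYSLOG)
    hit = find_bad_rule(payload)
    if hit:
        n, tok, rule = hit
        print(f"Error occurred at line: {n} (Bad argument `{tok}')")
        print("fixed:", quote_comment(rule))
    assert find_bad_rule(fix_payload(payload)) is None
```

Run against a full dump from this log (the lines between `*filter` and `COMMIT` for one sync), `find_bad_rule` returns line 103 and the token `to`, matching what iptables-restore printed. The rewrite is only a diagnostic aid: the real fix is in whatever emits those three `rule to explicitly ACCEPT` rules, since kube-router regenerates the payload on every sync and the mark-based ACCEPT rules are what let policy-compliant pod traffic through.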
Jun  8 01:16:05 truenas systemd[1]: Starting Daily apt download activities...
Jun  8 01:16:05 truenas apt.systemd.daily[530591]: /usr/lib/apt/apt.systemd.daily: 319: apt-config: Permission denied
Jun  8 01:16:05 truenas systemd[1]: apt-daily.service: Succeeded.
Jun  8 01:16:05 truenas systemd[1]: Finished Daily apt download activities.
Jun  8 01:17:01 truenas CRON[531627]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jun  8 01:19:29 truenas env[20630]: E0608 01:19:29.792665   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:19:29 truenas env[20630]: Error occurred at line: 103
Jun  8 01:19:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:19:29 truenas env[20630]: )
Jun  8 01:19:29 truenas env[20630]: *filter
Jun  8 01:19:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:19:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 01:19:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 01:19:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 01:19:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 01:19:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 01:19:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 01:19:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:19:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 01:19:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 01:19:29 truenas env[20630]: :KUBE-POD-FW-BTQUIW6SG4KMZNHI - [0:0]
Jun  8 01:19:29 truenas env[20630]: :KUBE-POD-FW-SAS6RM763EDLIVXC - [0:0]
Jun  8 01:19:29 truenas env[20630]: :KUBE-POD-FW-JXXCO527FQ7HGXH4 - [0:0]
Jun  8 01:19:29 truenas env[20630]: :KUBE-POD-FW-IHDCQGUKTLJY6RTH - [0:0]
Jun  8 01:19:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:19:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 01:19:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 01:19:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 01:19:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 01:19:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:19:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 01:19:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 01:19:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 01:19:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-BTQUIW6SG4KMZNHI 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-BTQUIW6SG4KMZNHI 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-BTQUIW6SG4KMZNHI 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-BTQUIW6SG4KMZNHI 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-BTQUIW6SG4KMZNHI 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BTQUIW6SG4KMZNHI" -d 172.16.0.43 -j KUBE-POD-FW-BTQUIW6SG4KMZNHI
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BTQUIW6SG4KMZNHI" -d 172.16.0.43 -j KUBE-POD-FW-BTQUIW6SG4KMZNHI
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BTQUIW6SG4KMZNHI" -d 172.16.0.43 -j KUBE-POD-FW-BTQUIW6SG4KMZNHI
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BTQUIW6SG4KMZNHI" -s 172.16.0.43 -j KUBE-POD-FW-BTQUIW6SG4KMZNHI
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BTQUIW6SG4KMZNHI" -s 172.16.0.43 -j KUBE-POD-FW-BTQUIW6SG4KMZNHI
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BTQUIW6SG4KMZNHI" -s 172.16.0.43 -j KUBE-POD-FW-BTQUIW6SG4KMZNHI
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-BTQUIW6SG4KMZNHI" -s 172.16.0.43 -j KUBE-POD-FW-BTQUIW6SG4KMZNHI
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-BTQUIW6SG4KMZNHI -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-BTQUIW6SG4KMZNHI -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-BTQUIW6SG4KMZNHI -j MARK --set-mark 0/0x10000
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-BTQUIW6SG4KMZNHI -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-SAS6RM763EDLIVXC 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-SAS6RM763EDLIVXC 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-SAS6RM763EDLIVXC 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-SAS6RM763EDLIVXC 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-SAS6RM763EDLIVXC 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SAS6RM763EDLIVXC" -d 172.16.0.46 -j KUBE-POD-FW-SAS6RM763EDLIVXC
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SAS6RM763EDLIVXC" -d 172.16.0.46 -j KUBE-POD-FW-SAS6RM763EDLIVXC
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SAS6RM763EDLIVXC" -d 172.16.0.46 -j KUBE-POD-FW-SAS6RM763EDLIVXC
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SAS6RM763EDLIVXC" -s 172.16.0.46 -j KUBE-POD-FW-SAS6RM763EDLIVXC
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SAS6RM763EDLIVXC" -s 172.16.0.46 -j KUBE-POD-FW-SAS6RM763EDLIVXC
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SAS6RM763EDLIVXC" -s 172.16.0.46 -j KUBE-POD-FW-SAS6RM763EDLIVXC
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SAS6RM763EDLIVXC" -s 172.16.0.46 -j KUBE-POD-FW-SAS6RM763EDLIVXC
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-SAS6RM763EDLIVXC -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-SAS6RM763EDLIVXC -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-SAS6RM763EDLIVXC -j MARK --set-mark 0/0x10000
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-SAS6RM763EDLIVXC -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-JXXCO527FQ7HGXH4 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-JXXCO527FQ7HGXH4 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-JXXCO527FQ7HGXH4 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-JXXCO527FQ7HGXH4 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-JXXCO527FQ7HGXH4 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JXXCO527FQ7HGXH4" -d 172.16.0.42 -j KUBE-POD-FW-JXXCO527FQ7HGXH4
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JXXCO527FQ7HGXH4" -d 172.16.0.42 -j KUBE-POD-FW-JXXCO527FQ7HGXH4
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JXXCO527FQ7HGXH4" -d 172.16.0.42 -j KUBE-POD-FW-JXXCO527FQ7HGXH4
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JXXCO527FQ7HGXH4" -s 172.16.0.42 -j KUBE-POD-FW-JXXCO527FQ7HGXH4
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JXXCO527FQ7HGXH4" -s 172.16.0.42 -j KUBE-POD-FW-JXXCO527FQ7HGXH4
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JXXCO527FQ7HGXH4" -s 172.16.0.42 -j KUBE-POD-FW-JXXCO527FQ7HGXH4
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JXXCO527FQ7HGXH4" -s 172.16.0.42 -j KUBE-POD-FW-JXXCO527FQ7HGXH4
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-JXXCO527FQ7HGXH4 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-JXXCO527FQ7HGXH4 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-JXXCO527FQ7HGXH4 -j MARK --set-mark 0/0x10000
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-JXXCO527FQ7HGXH4 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-IHDCQGUKTLJY6RTH 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-IHDCQGUKTLJY6RTH 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-IHDCQGUKTLJY6RTH 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-IHDCQGUKTLJY6RTH 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:19:29 truenas env[20630]: -I KUBE-POD-FW-IHDCQGUKTLJY6RTH 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-IHDCQGUKTLJY6RTH" -d 172.16.0.45 -j KUBE-POD-FW-IHDCQGUKTLJY6RTH
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-IHDCQGUKTLJY6RTH" -d 172.16.0.45 -j KUBE-POD-FW-IHDCQGUKTLJY6RTH
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-IHDCQGUKTLJY6RTH" -d 172.16.0.45 -j KUBE-POD-FW-IHDCQGUKTLJY6RTH
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-IHDCQGUKTLJY6RTH" -s 172.16.0.45 -j KUBE-POD-FW-IHDCQGUKTLJY6RTH
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-IHDCQGUKTLJY6RTH" -s 172.16.0.45 -j KUBE-POD-FW-IHDCQGUKTLJY6RTH
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-IHDCQGUKTLJY6RTH" -s 172.16.0.45 -j KUBE-POD-FW-IHDCQGUKTLJY6RTH
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-IHDCQGUKTLJY6RTH" -s 172.16.0.45 -j KUBE-POD-FW-IHDCQGUKTLJY6RTH
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-IHDCQGUKTLJY6RTH -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-IHDCQGUKTLJY6RTH -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-IHDCQGUKTLJY6RTH -j MARK --set-mark 0/0x10000
Jun  8 01:19:29 truenas env[20630]: -A KUBE-POD-FW-IHDCQGUKTLJY6RTH -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:19:29 truenas env[20630]: COMMIT
Jun  8 01:20:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 01:20:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 01:20:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 01:24:29 truenas env[20630]: E0608 01:24:29.768597   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:24:29 truenas env[20630]: Error occurred at line: 103
Jun  8 01:24:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:24:29 truenas env[20630]: )
Jun  8 01:24:29 truenas env[20630]: *filter
Jun  8 01:24:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:24:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 01:24:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 01:24:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 01:24:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 01:24:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 01:24:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 01:24:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:24:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 01:24:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 01:24:29 truenas env[20630]: :KUBE-POD-FW-3QHDIRBI2GZJ37SW - [0:0]
Jun  8 01:24:29 truenas env[20630]: :KUBE-POD-FW-JG6GTG355IUGMZ3L - [0:0]
Jun  8 01:24:29 truenas env[20630]: :KUBE-POD-FW-G6SKMOZGF4PHNGQQ - [0:0]
Jun  8 01:24:29 truenas env[20630]: :KUBE-POD-FW-DY4RWZXD4W5EEX6O - [0:0]
Jun  8 01:24:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:24:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 01:24:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 01:24:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 01:24:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 01:24:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:24:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 01:24:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 01:24:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 01:24:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-3QHDIRBI2GZJ37SW 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-3QHDIRBI2GZJ37SW 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-3QHDIRBI2GZJ37SW 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-3QHDIRBI2GZJ37SW 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-3QHDIRBI2GZJ37SW 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3QHDIRBI2GZJ37SW" -d 172.16.0.45 -j KUBE-POD-FW-3QHDIRBI2GZJ37SW
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3QHDIRBI2GZJ37SW" -d 172.16.0.45 -j KUBE-POD-FW-3QHDIRBI2GZJ37SW
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3QHDIRBI2GZJ37SW" -d 172.16.0.45 -j KUBE-POD-FW-3QHDIRBI2GZJ37SW
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3QHDIRBI2GZJ37SW" -s 172.16.0.45 -j KUBE-POD-FW-3QHDIRBI2GZJ37SW
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3QHDIRBI2GZJ37SW" -s 172.16.0.45 -j KUBE-POD-FW-3QHDIRBI2GZJ37SW
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3QHDIRBI2GZJ37SW" -s 172.16.0.45 -j KUBE-POD-FW-3QHDIRBI2GZJ37SW
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3QHDIRBI2GZJ37SW" -s 172.16.0.45 -j KUBE-POD-FW-3QHDIRBI2GZJ37SW
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-3QHDIRBI2GZJ37SW -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-3QHDIRBI2GZJ37SW -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-3QHDIRBI2GZJ37SW -j MARK --set-mark 0/0x10000
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-3QHDIRBI2GZJ37SW -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-JG6GTG355IUGMZ3L 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-JG6GTG355IUGMZ3L 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-JG6GTG355IUGMZ3L 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-JG6GTG355IUGMZ3L 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-JG6GTG355IUGMZ3L 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JG6GTG355IUGMZ3L" -d 172.16.0.43 -j KUBE-POD-FW-JG6GTG355IUGMZ3L
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JG6GTG355IUGMZ3L" -d 172.16.0.43 -j KUBE-POD-FW-JG6GTG355IUGMZ3L
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JG6GTG355IUGMZ3L" -d 172.16.0.43 -j KUBE-POD-FW-JG6GTG355IUGMZ3L
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JG6GTG355IUGMZ3L" -s 172.16.0.43 -j KUBE-POD-FW-JG6GTG355IUGMZ3L
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JG6GTG355IUGMZ3L" -s 172.16.0.43 -j KUBE-POD-FW-JG6GTG355IUGMZ3L
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JG6GTG355IUGMZ3L" -s 172.16.0.43 -j KUBE-POD-FW-JG6GTG355IUGMZ3L
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JG6GTG355IUGMZ3L" -s 172.16.0.43 -j KUBE-POD-FW-JG6GTG355IUGMZ3L
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-JG6GTG355IUGMZ3L -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-JG6GTG355IUGMZ3L -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-JG6GTG355IUGMZ3L -j MARK --set-mark 0/0x10000
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-JG6GTG355IUGMZ3L -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-G6SKMOZGF4PHNGQQ 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-G6SKMOZGF4PHNGQQ 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-G6SKMOZGF4PHNGQQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-G6SKMOZGF4PHNGQQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-G6SKMOZGF4PHNGQQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6SKMOZGF4PHNGQQ" -d 172.16.0.46 -j KUBE-POD-FW-G6SKMOZGF4PHNGQQ
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6SKMOZGF4PHNGQQ" -d 172.16.0.46 -j KUBE-POD-FW-G6SKMOZGF4PHNGQQ
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6SKMOZGF4PHNGQQ" -d 172.16.0.46 -j KUBE-POD-FW-G6SKMOZGF4PHNGQQ
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6SKMOZGF4PHNGQQ" -s 172.16.0.46 -j KUBE-POD-FW-G6SKMOZGF4PHNGQQ
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6SKMOZGF4PHNGQQ" -s 172.16.0.46 -j KUBE-POD-FW-G6SKMOZGF4PHNGQQ
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6SKMOZGF4PHNGQQ" -s 172.16.0.46 -j KUBE-POD-FW-G6SKMOZGF4PHNGQQ
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6SKMOZGF4PHNGQQ" -s 172.16.0.46 -j KUBE-POD-FW-G6SKMOZGF4PHNGQQ
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-G6SKMOZGF4PHNGQQ -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-G6SKMOZGF4PHNGQQ -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-G6SKMOZGF4PHNGQQ -j MARK --set-mark 0/0x10000
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-G6SKMOZGF4PHNGQQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-DY4RWZXD4W5EEX6O 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-DY4RWZXD4W5EEX6O 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-DY4RWZXD4W5EEX6O 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-DY4RWZXD4W5EEX6O 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:24:29 truenas env[20630]: -I KUBE-POD-FW-DY4RWZXD4W5EEX6O 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY4RWZXD4W5EEX6O" -d 172.16.0.42 -j KUBE-POD-FW-DY4RWZXD4W5EEX6O
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY4RWZXD4W5EEX6O" -d 172.16.0.42 -j KUBE-POD-FW-DY4RWZXD4W5EEX6O
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY4RWZXD4W5EEX6O" -d 172.16.0.42 -j KUBE-POD-FW-DY4RWZXD4W5EEX6O
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY4RWZXD4W5EEX6O" -s 172.16.0.42 -j KUBE-POD-FW-DY4RWZXD4W5EEX6O
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY4RWZXD4W5EEX6O" -s 172.16.0.42 -j KUBE-POD-FW-DY4RWZXD4W5EEX6O
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY4RWZXD4W5EEX6O" -s 172.16.0.42 -j KUBE-POD-FW-DY4RWZXD4W5EEX6O
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DY4RWZXD4W5EEX6O" -s 172.16.0.42 -j KUBE-POD-FW-DY4RWZXD4W5EEX6O
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-DY4RWZXD4W5EEX6O -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-DY4RWZXD4W5EEX6O -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-DY4RWZXD4W5EEX6O -j MARK --set-mark 0/0x10000
Jun  8 01:24:29 truenas env[20630]: -A KUBE-POD-FW-DY4RWZXD4W5EEX6O -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:24:29 truenas env[20630]: COMMIT
Jun  8 01:29:07 truenas smartd[3887]: Device: /dev/sdb [SAT], SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 75 to 76
Jun  8 01:29:07 truenas smartd[3887]: Device: /dev/sdb [SAT], SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 75 to 76
Jun  8 01:29:29 truenas env[20630]: E0608 01:29:29.732535   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:29:29 truenas env[20630]: Error occurred at line: 103
Jun  8 01:29:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:29:29 truenas env[20630]: )
Jun  8 01:29:29 truenas env[20630]: *filter
Jun  8 01:29:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:29:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 01:29:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-POD-FW-VAM75ZT4GVI2TJBQ - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-POD-FW-SER6X6QF26JVP5C2 - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-POD-FW-EDGNDGI3KEVACBFB - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-POD-FW-A67Y6Q5K7WQOE2NT - [0:0]
Jun  8 01:29:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:29:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 01:29:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 01:29:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 01:29:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 01:29:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:29:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 01:29:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 01:29:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 01:29:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-VAM75ZT4GVI2TJBQ 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-VAM75ZT4GVI2TJBQ 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-VAM75ZT4GVI2TJBQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-VAM75ZT4GVI2TJBQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-VAM75ZT4GVI2TJBQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VAM75ZT4GVI2TJBQ" -d 172.16.0.43 -j KUBE-POD-FW-VAM75ZT4GVI2TJBQ
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VAM75ZT4GVI2TJBQ" -d 172.16.0.43 -j KUBE-POD-FW-VAM75ZT4GVI2TJBQ
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VAM75ZT4GVI2TJBQ" -d 172.16.0.43 -j KUBE-POD-FW-VAM75ZT4GVI2TJBQ
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VAM75ZT4GVI2TJBQ" -s 172.16.0.43 -j KUBE-POD-FW-VAM75ZT4GVI2TJBQ
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VAM75ZT4GVI2TJBQ" -s 172.16.0.43 -j KUBE-POD-FW-VAM75ZT4GVI2TJBQ
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VAM75ZT4GVI2TJBQ" -s 172.16.0.43 -j KUBE-POD-FW-VAM75ZT4GVI2TJBQ
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-VAM75ZT4GVI2TJBQ" -s 172.16.0.43 -j KUBE-POD-FW-VAM75ZT4GVI2TJBQ
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-VAM75ZT4GVI2TJBQ -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-VAM75ZT4GVI2TJBQ -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-VAM75ZT4GVI2TJBQ -j MARK --set-mark 0/0x10000
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-VAM75ZT4GVI2TJBQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-SER6X6QF26JVP5C2 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-SER6X6QF26JVP5C2 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-SER6X6QF26JVP5C2 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-SER6X6QF26JVP5C2 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-SER6X6QF26JVP5C2 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SER6X6QF26JVP5C2" -d 172.16.0.46 -j KUBE-POD-FW-SER6X6QF26JVP5C2
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SER6X6QF26JVP5C2" -d 172.16.0.46 -j KUBE-POD-FW-SER6X6QF26JVP5C2
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SER6X6QF26JVP5C2" -d 172.16.0.46 -j KUBE-POD-FW-SER6X6QF26JVP5C2
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SER6X6QF26JVP5C2" -s 172.16.0.46 -j KUBE-POD-FW-SER6X6QF26JVP5C2
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SER6X6QF26JVP5C2" -s 172.16.0.46 -j KUBE-POD-FW-SER6X6QF26JVP5C2
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SER6X6QF26JVP5C2" -s 172.16.0.46 -j KUBE-POD-FW-SER6X6QF26JVP5C2
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SER6X6QF26JVP5C2" -s 172.16.0.46 -j KUBE-POD-FW-SER6X6QF26JVP5C2
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-SER6X6QF26JVP5C2 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-SER6X6QF26JVP5C2 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-SER6X6QF26JVP5C2 -j MARK --set-mark 0/0x10000
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-SER6X6QF26JVP5C2 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-EDGNDGI3KEVACBFB 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-EDGNDGI3KEVACBFB 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-EDGNDGI3KEVACBFB 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-EDGNDGI3KEVACBFB 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-EDGNDGI3KEVACBFB 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EDGNDGI3KEVACBFB" -d 172.16.0.42 -j KUBE-POD-FW-EDGNDGI3KEVACBFB
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EDGNDGI3KEVACBFB" -d 172.16.0.42 -j KUBE-POD-FW-EDGNDGI3KEVACBFB
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EDGNDGI3KEVACBFB" -d 172.16.0.42 -j KUBE-POD-FW-EDGNDGI3KEVACBFB
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EDGNDGI3KEVACBFB" -s 172.16.0.42 -j KUBE-POD-FW-EDGNDGI3KEVACBFB
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EDGNDGI3KEVACBFB" -s 172.16.0.42 -j KUBE-POD-FW-EDGNDGI3KEVACBFB
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EDGNDGI3KEVACBFB" -s 172.16.0.42 -j KUBE-POD-FW-EDGNDGI3KEVACBFB
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EDGNDGI3KEVACBFB" -s 172.16.0.42 -j KUBE-POD-FW-EDGNDGI3KEVACBFB
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-EDGNDGI3KEVACBFB -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-EDGNDGI3KEVACBFB -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-EDGNDGI3KEVACBFB -j MARK --set-mark 0/0x10000
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-EDGNDGI3KEVACBFB -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-A67Y6Q5K7WQOE2NT 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-A67Y6Q5K7WQOE2NT 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-A67Y6Q5K7WQOE2NT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-A67Y6Q5K7WQOE2NT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-A67Y6Q5K7WQOE2NT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-A67Y6Q5K7WQOE2NT" -d 172.16.0.45 -j KUBE-POD-FW-A67Y6Q5K7WQOE2NT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-A67Y6Q5K7WQOE2NT" -d 172.16.0.45 -j KUBE-POD-FW-A67Y6Q5K7WQOE2NT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-A67Y6Q5K7WQOE2NT" -d 172.16.0.45 -j KUBE-POD-FW-A67Y6Q5K7WQOE2NT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-A67Y6Q5K7WQOE2NT" -s 172.16.0.45 -j KUBE-POD-FW-A67Y6Q5K7WQOE2NT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-A67Y6Q5K7WQOE2NT" -s 172.16.0.45 -j KUBE-POD-FW-A67Y6Q5K7WQOE2NT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-A67Y6Q5K7WQOE2NT" -s 172.16.0.45 -j KUBE-POD-FW-A67Y6Q5K7WQOE2NT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-A67Y6Q5K7WQOE2NT" -s 172.16.0.45 -j KUBE-POD-FW-A67Y6Q5K7WQOE2NT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-A67Y6Q5K7WQOE2NT -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-A67Y6Q5K7WQOE2NT -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-A67Y6Q5K7WQOE2NT -j MARK --set-mark 0/0x10000
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-A67Y6Q5K7WQOE2NT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: COMMIT
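What the entries above are recording: every five minutes kube-router (PID 20630) hands its generated filter table to iptables-restore, iptables-restore rejects it with "Bad argument `to'" at line 103, and the controller aborts the sync and dumps the ruleset it tried to load. Counting from the `*filter` line at the top of a dump, line 103 is the first of the three trailing rules whose `--comment` value is not quoted (`-m comment --comment rule to explicitly ACCEPT traffic that comply to network policies ...`): iptables-restore takes `rule` as the comment and then trips over `to` as an unexpected argument. Because a restore that fails to parse is not committed, none of the per-pod `KUBE-POD-FW-*` chains in these dumps reach the kernel on that attempt, so NetworkPolicy enforcement on this node is whatever an earlier successful sync left behind; `iptables-save -t filter | grep -c KUBE-POD-FW` on the host shows whether any are actually loaded.

The script below is an added example, not part of the captured log and not kube-router's own code. It replays the diagnosis offline over journal text: it finds each "Aborting sync" event, reads the line number iptables-restore reported, collects the `*filter` .. `COMMIT` dump that follows, pulls out the rule at that line, and flags it when its comment is unquoted and followed by further words. The sample log is constructed, abbreviated from the dump above, with the offending rule moved to line 8 so the sample stays short; the "unquoted comment" heuristic and the quoting fix are this example's, not a check kube-router performs.

```python
import re
from dataclasses import dataclass

# Constructed sample, cut down from the journal above so the unquoted rule
# lands on ruleset line 8 instead of line 103.
SAMPLE_LOG = """\
Jun  8 01:29:29 truenas env[20630]: E0608 01:29:29.748926   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:29:29 truenas env[20630]: Error occurred at line: 8
Jun  8 01:29:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:29:29 truenas env[20630]: )
Jun  8 01:29:29 truenas env[20630]: *filter
Jun  8 01:29:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:29:29 truenas env[20630]: :KUBE-POD-FW-VAM75ZT4GVI2TJBQ - [0:0]
Jun  8 01:29:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:29:29 truenas env[20630]: -I KUBE-POD-FW-VAM75ZT4GVI2TJBQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: -A KUBE-POD-FW-VAM75ZT4GVI2TJBQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:29:29 truenas env[20630]: COMMIT
Jun  8 01:30:05 truenas systemd[1]: Starting system activity accounting tool...
"""

# "Mon dd HH:MM:SS host unit[pid]: message" syslog prefix
SYSLOG_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+\S+\[(\d+)\]: (.*)$")
ERR_RE = re.compile(r"Aborting sync\. Failed to run iptables-restore: exit status (\d+) \(Bad argument `([^']*)'")
LINE_RE = re.compile(r"Error occurred at line: (\d+)")
# --comment followed by either a quoted string or a single bare token
COMMENT_RE = re.compile(r'--comment\s+(?:"([^"]*)"|(\S+))')


@dataclass
class SyncFailure:
    pid: str
    bad_arg: str          # the token iptables-restore rejected
    line_no: int          # 1-based line in the dumped ruleset
    offending_rule: str   # that line of the dump, "" if it could not be paired
    unquoted_comment: bool


def split_syslog(line):
    """(pid, message) for a journal line; pid is "" when the prefix is absent."""
    m = SYSLOG_RE.match(line)
    return (m.group(1), m.group(2).rstrip()) if m else ("", line.rstrip())


def has_unquoted_comment(rule):
    """True when --comment takes a bare word and more non-option words follow it,
    which is exactly what makes iptables-restore see a stray argument."""
    m = COMMENT_RE.search(rule)
    if not m or m.group(1) is not None:   # no comment, or properly quoted
        return False
    rest = rule[m.end():].strip()
    return bool(rest) and not rest.startswith("-")


def quote_comment(rule):
    """Wrap a bare multi-word comment in double quotes, up to the next option."""
    toks = rule.split()
    if "--comment" not in toks:
        return rule
    k = toks.index("--comment")
    if k + 1 >= len(toks) or toks[k + 1].startswith('"'):
        return rule
    end = k + 1
    while end < len(toks) and not toks[end].startswith("-"):
        end += 1
    comment = " ".join(toks[k + 1:end])
    return " ".join(toks[:k + 1] + [f'"{comment}"'] + toks[end:])


def find_sync_failures(log_text):
    """One SyncFailure per 'Aborting sync' event, each paired with the rule at
    the reported line of the *table .. COMMIT dump that follows it."""
    entries = [split_syslog(line) for line in log_text.splitlines()]
    failures, i = [], 0
    while i < len(entries):
        pid, msg = entries[i]
        err = ERR_RE.search(msg)
        if not err:
            i += 1
            continue
        line_no, j = 0, i + 1
        while j < len(entries) and not line_no:      # "Error occurred at line: N"
            hit = LINE_RE.search(entries[j][1])
            if hit:
                line_no = int(hit.group(1))
            j += 1
        while j < len(entries) and not entries[j][1].startswith("*"):
            j += 1                                    # skip to the '*filter' header
        ruleset = []
        while j < len(entries):
            ruleset.append(entries[j][1])
            j += 1
            if ruleset[-1] == "COMMIT":
                break
        rule = ruleset[line_no - 1] if 0 < line_no <= len(ruleset) else ""
        failures.append(SyncFailure(pid, err.group(2), line_no, rule, has_unquoted_comment(rule)))
        i = j
    return failures


if __name__ == "__main__":
    for f in find_sync_failures(SAMPLE_LOG):
        print(f"pid {f.pid}: iptables-restore rejected `{f.bad_arg}' at ruleset line {f.line_no}")
        print("  offending rule:", f.offending_rule)
        if f.unquoted_comment:
            print("  quoted rewrite:", quote_comment(f.offending_rule))
```

Run against the real journal (`journalctl -u k3s -o short` or the syslog file itself, pasted into `find_sync_failures`) and line 103 of each dump resolves to the same three-rule family every time, which is what tells you this is a generator bug that repeats on every sync rather than a transient restore race; the same script turning up a failure that is not an unquoted comment would point at a different cause entirely.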
Jun  8 01:30:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 01:30:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 01:30:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 01:34:29 truenas env[20630]: E0608 01:34:29.755816   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:34:29 truenas env[20630]: Error occurred at line: 103
Jun  8 01:34:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:34:29 truenas env[20630]: )
Jun  8 01:34:29 truenas env[20630]: *filter
Jun  8 01:34:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:34:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 01:34:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 01:34:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 01:34:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 01:34:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 01:34:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 01:34:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:34:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 01:34:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 01:34:29 truenas env[20630]: :KUBE-POD-FW-ODXS73QCKHRT2VIZ - [0:0]
Jun  8 01:34:29 truenas env[20630]: :KUBE-POD-FW-FUIGSWE62QAESGCJ - [0:0]
Jun  8 01:34:29 truenas env[20630]: :KUBE-POD-FW-JAUDGBHTOTGT3G2B - [0:0]
Jun  8 01:34:29 truenas env[20630]: :KUBE-POD-FW-CSTQJHKHEH42JHQC - [0:0]
Jun  8 01:34:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:34:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 01:34:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 01:34:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 01:34:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 01:34:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:34:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 01:34:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 01:34:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 01:34:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-ODXS73QCKHRT2VIZ 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-ODXS73QCKHRT2VIZ 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-ODXS73QCKHRT2VIZ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-ODXS73QCKHRT2VIZ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-ODXS73QCKHRT2VIZ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ODXS73QCKHRT2VIZ" -d 172.16.0.43 -j KUBE-POD-FW-ODXS73QCKHRT2VIZ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ODXS73QCKHRT2VIZ" -d 172.16.0.43 -j KUBE-POD-FW-ODXS73QCKHRT2VIZ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ODXS73QCKHRT2VIZ" -d 172.16.0.43 -j KUBE-POD-FW-ODXS73QCKHRT2VIZ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ODXS73QCKHRT2VIZ" -s 172.16.0.43 -j KUBE-POD-FW-ODXS73QCKHRT2VIZ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ODXS73QCKHRT2VIZ" -s 172.16.0.43 -j KUBE-POD-FW-ODXS73QCKHRT2VIZ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ODXS73QCKHRT2VIZ" -s 172.16.0.43 -j KUBE-POD-FW-ODXS73QCKHRT2VIZ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ODXS73QCKHRT2VIZ" -s 172.16.0.43 -j KUBE-POD-FW-ODXS73QCKHRT2VIZ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-ODXS73QCKHRT2VIZ -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-ODXS73QCKHRT2VIZ -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-ODXS73QCKHRT2VIZ -j MARK --set-mark 0/0x10000
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-ODXS73QCKHRT2VIZ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-FUIGSWE62QAESGCJ 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-FUIGSWE62QAESGCJ 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-FUIGSWE62QAESGCJ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-FUIGSWE62QAESGCJ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-FUIGSWE62QAESGCJ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FUIGSWE62QAESGCJ" -d 172.16.0.46 -j KUBE-POD-FW-FUIGSWE62QAESGCJ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FUIGSWE62QAESGCJ" -d 172.16.0.46 -j KUBE-POD-FW-FUIGSWE62QAESGCJ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FUIGSWE62QAESGCJ" -d 172.16.0.46 -j KUBE-POD-FW-FUIGSWE62QAESGCJ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FUIGSWE62QAESGCJ" -s 172.16.0.46 -j KUBE-POD-FW-FUIGSWE62QAESGCJ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FUIGSWE62QAESGCJ" -s 172.16.0.46 -j KUBE-POD-FW-FUIGSWE62QAESGCJ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FUIGSWE62QAESGCJ" -s 172.16.0.46 -j KUBE-POD-FW-FUIGSWE62QAESGCJ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FUIGSWE62QAESGCJ" -s 172.16.0.46 -j KUBE-POD-FW-FUIGSWE62QAESGCJ
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-FUIGSWE62QAESGCJ -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-FUIGSWE62QAESGCJ -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-FUIGSWE62QAESGCJ -j MARK --set-mark 0/0x10000
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-FUIGSWE62QAESGCJ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-JAUDGBHTOTGT3G2B 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-JAUDGBHTOTGT3G2B 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-JAUDGBHTOTGT3G2B 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-JAUDGBHTOTGT3G2B 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-JAUDGBHTOTGT3G2B 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JAUDGBHTOTGT3G2B" -d 172.16.0.42 -j KUBE-POD-FW-JAUDGBHTOTGT3G2B
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JAUDGBHTOTGT3G2B" -d 172.16.0.42 -j KUBE-POD-FW-JAUDGBHTOTGT3G2B
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JAUDGBHTOTGT3G2B" -d 172.16.0.42 -j KUBE-POD-FW-JAUDGBHTOTGT3G2B
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JAUDGBHTOTGT3G2B" -s 172.16.0.42 -j KUBE-POD-FW-JAUDGBHTOTGT3G2B
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JAUDGBHTOTGT3G2B" -s 172.16.0.42 -j KUBE-POD-FW-JAUDGBHTOTGT3G2B
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JAUDGBHTOTGT3G2B" -s 172.16.0.42 -j KUBE-POD-FW-JAUDGBHTOTGT3G2B
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-JAUDGBHTOTGT3G2B" -s 172.16.0.42 -j KUBE-POD-FW-JAUDGBHTOTGT3G2B
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-JAUDGBHTOTGT3G2B -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-JAUDGBHTOTGT3G2B -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-JAUDGBHTOTGT3G2B -j MARK --set-mark 0/0x10000
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-JAUDGBHTOTGT3G2B -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-CSTQJHKHEH42JHQC 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-CSTQJHKHEH42JHQC 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-CSTQJHKHEH42JHQC 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-CSTQJHKHEH42JHQC 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:34:29 truenas env[20630]: -I KUBE-POD-FW-CSTQJHKHEH42JHQC 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-CSTQJHKHEH42JHQC" -d 172.16.0.45 -j KUBE-POD-FW-CSTQJHKHEH42JHQC
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-CSTQJHKHEH42JHQC" -d 172.16.0.45 -j KUBE-POD-FW-CSTQJHKHEH42JHQC
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-CSTQJHKHEH42JHQC" -d 172.16.0.45 -j KUBE-POD-FW-CSTQJHKHEH42JHQC
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-CSTQJHKHEH42JHQC" -s 172.16.0.45 -j KUBE-POD-FW-CSTQJHKHEH42JHQC
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-CSTQJHKHEH42JHQC" -s 172.16.0.45 -j KUBE-POD-FW-CSTQJHKHEH42JHQC
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-CSTQJHKHEH42JHQC" -s 172.16.0.45 -j KUBE-POD-FW-CSTQJHKHEH42JHQC
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-CSTQJHKHEH42JHQC" -s 172.16.0.45 -j KUBE-POD-FW-CSTQJHKHEH42JHQC
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-CSTQJHKHEH42JHQC -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-CSTQJHKHEH42JHQC -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-CSTQJHKHEH42JHQC -j MARK --set-mark 0/0x10000
Jun  8 01:34:29 truenas env[20630]: -A KUBE-POD-FW-CSTQJHKHEH42JHQC -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:34:29 truenas env[20630]: COMMIT
Jun  8 01:39:29 truenas env[20630]: E0608 01:39:29.752610   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:39:29 truenas env[20630]: Error occurred at line: 103
Jun  8 01:39:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:39:29 truenas env[20630]: )
Jun  8 01:39:29 truenas env[20630]: *filter
Jun  8 01:39:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:39:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 01:39:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 01:39:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 01:39:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 01:39:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 01:39:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 01:39:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:39:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 01:39:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 01:39:29 truenas env[20630]: :KUBE-POD-FW-2DOU6ZW4E2XNNVHT - [0:0]
Jun  8 01:39:29 truenas env[20630]: :KUBE-POD-FW-O5U5V4XPQJ54UFGG - [0:0]
Jun  8 01:39:29 truenas env[20630]: :KUBE-POD-FW-J5OGGDSRGGT67V26 - [0:0]
Jun  8 01:39:29 truenas env[20630]: :KUBE-POD-FW-QXBTO5Z5IBJQSEQP - [0:0]
Jun  8 01:39:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:39:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 01:39:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 01:39:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 01:39:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 01:39:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:39:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 01:39:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 01:39:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 01:39:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-2DOU6ZW4E2XNNVHT 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-2DOU6ZW4E2XNNVHT 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-2DOU6ZW4E2XNNVHT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-2DOU6ZW4E2XNNVHT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-2DOU6ZW4E2XNNVHT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOU6ZW4E2XNNVHT" -d 172.16.0.42 -j KUBE-POD-FW-2DOU6ZW4E2XNNVHT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOU6ZW4E2XNNVHT" -d 172.16.0.42 -j KUBE-POD-FW-2DOU6ZW4E2XNNVHT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOU6ZW4E2XNNVHT" -d 172.16.0.42 -j KUBE-POD-FW-2DOU6ZW4E2XNNVHT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOU6ZW4E2XNNVHT" -s 172.16.0.42 -j KUBE-POD-FW-2DOU6ZW4E2XNNVHT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOU6ZW4E2XNNVHT" -s 172.16.0.42 -j KUBE-POD-FW-2DOU6ZW4E2XNNVHT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOU6ZW4E2XNNVHT" -s 172.16.0.42 -j KUBE-POD-FW-2DOU6ZW4E2XNNVHT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOU6ZW4E2XNNVHT" -s 172.16.0.42 -j KUBE-POD-FW-2DOU6ZW4E2XNNVHT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-2DOU6ZW4E2XNNVHT -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-2DOU6ZW4E2XNNVHT -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-2DOU6ZW4E2XNNVHT -j MARK --set-mark 0/0x10000
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-2DOU6ZW4E2XNNVHT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-O5U5V4XPQJ54UFGG 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-O5U5V4XPQJ54UFGG 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-O5U5V4XPQJ54UFGG 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-O5U5V4XPQJ54UFGG 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-O5U5V4XPQJ54UFGG 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O5U5V4XPQJ54UFGG" -d 172.16.0.45 -j KUBE-POD-FW-O5U5V4XPQJ54UFGG
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O5U5V4XPQJ54UFGG" -d 172.16.0.45 -j KUBE-POD-FW-O5U5V4XPQJ54UFGG
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O5U5V4XPQJ54UFGG" -d 172.16.0.45 -j KUBE-POD-FW-O5U5V4XPQJ54UFGG
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O5U5V4XPQJ54UFGG" -s 172.16.0.45 -j KUBE-POD-FW-O5U5V4XPQJ54UFGG
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O5U5V4XPQJ54UFGG" -s 172.16.0.45 -j KUBE-POD-FW-O5U5V4XPQJ54UFGG
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O5U5V4XPQJ54UFGG" -s 172.16.0.45 -j KUBE-POD-FW-O5U5V4XPQJ54UFGG
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O5U5V4XPQJ54UFGG" -s 172.16.0.45 -j KUBE-POD-FW-O5U5V4XPQJ54UFGG
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-O5U5V4XPQJ54UFGG -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-O5U5V4XPQJ54UFGG -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-O5U5V4XPQJ54UFGG -j MARK --set-mark 0/0x10000
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-O5U5V4XPQJ54UFGG -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-J5OGGDSRGGT67V26 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-J5OGGDSRGGT67V26 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-J5OGGDSRGGT67V26 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-J5OGGDSRGGT67V26 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-J5OGGDSRGGT67V26 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J5OGGDSRGGT67V26" -d 172.16.0.43 -j KUBE-POD-FW-J5OGGDSRGGT67V26
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J5OGGDSRGGT67V26" -d 172.16.0.43 -j KUBE-POD-FW-J5OGGDSRGGT67V26
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J5OGGDSRGGT67V26" -d 172.16.0.43 -j KUBE-POD-FW-J5OGGDSRGGT67V26
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J5OGGDSRGGT67V26" -s 172.16.0.43 -j KUBE-POD-FW-J5OGGDSRGGT67V26
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J5OGGDSRGGT67V26" -s 172.16.0.43 -j KUBE-POD-FW-J5OGGDSRGGT67V26
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J5OGGDSRGGT67V26" -s 172.16.0.43 -j KUBE-POD-FW-J5OGGDSRGGT67V26
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J5OGGDSRGGT67V26" -s 172.16.0.43 -j KUBE-POD-FW-J5OGGDSRGGT67V26
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-J5OGGDSRGGT67V26 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-J5OGGDSRGGT67V26 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-J5OGGDSRGGT67V26 -j MARK --set-mark 0/0x10000
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-J5OGGDSRGGT67V26 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-QXBTO5Z5IBJQSEQP 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-QXBTO5Z5IBJQSEQP 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-QXBTO5Z5IBJQSEQP 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-QXBTO5Z5IBJQSEQP 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:39:29 truenas env[20630]: -I KUBE-POD-FW-QXBTO5Z5IBJQSEQP 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QXBTO5Z5IBJQSEQP" -d 172.16.0.46 -j KUBE-POD-FW-QXBTO5Z5IBJQSEQP
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QXBTO5Z5IBJQSEQP" -d 172.16.0.46 -j KUBE-POD-FW-QXBTO5Z5IBJQSEQP
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QXBTO5Z5IBJQSEQP" -d 172.16.0.46 -j KUBE-POD-FW-QXBTO5Z5IBJQSEQP
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QXBTO5Z5IBJQSEQP" -s 172.16.0.46 -j KUBE-POD-FW-QXBTO5Z5IBJQSEQP
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QXBTO5Z5IBJQSEQP" -s 172.16.0.46 -j KUBE-POD-FW-QXBTO5Z5IBJQSEQP
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QXBTO5Z5IBJQSEQP" -s 172.16.0.46 -j KUBE-POD-FW-QXBTO5Z5IBJQSEQP
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QXBTO5Z5IBJQSEQP" -s 172.16.0.46 -j KUBE-POD-FW-QXBTO5Z5IBJQSEQP
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-QXBTO5Z5IBJQSEQP -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-QXBTO5Z5IBJQSEQP -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-QXBTO5Z5IBJQSEQP -j MARK --set-mark 0/0x10000
Jun  8 01:39:29 truenas env[20630]: -A KUBE-POD-FW-QXBTO5Z5IBJQSEQP -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: COMMIT
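Added diagnostic, not kube-router's or TrueNAS's own code. Every five minutes the same failure repeats: iptables-restore exits 2 with "Bad argument `to'" at ruleset line 103, and kube-router then echoes the whole payload it tried to load. Counting "*filter" as line 1, line 103 of the 01:39:29 payload is the rule "-A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies ...": the comment text is not quoted, so the restore parser takes "rule" as the comment and "to" as an unknown argument (every other comment in the dump is quoted). Because iptables-restore commits a table atomically, the rejected payload installs nothing, including the per-pod KUBE-POD-FW chains and the NFLOG/REJECT rules in it; the filter table stays at whatever the last successful restore left, so policy for pods created since then is not being enforced and the controller keeps aborting. The script below extracts the payload from syslog-prefixed lines, reproduces the "line N / bad argument" diagnosis, and shows the quoted form of the rule. The SYSLOG_PREFIX_RE, the cut-down SAMPLE_SYSLOG (so its failing line number is 5, not 103) and all function names are constructed for this example.

```python
"""Find the unquoted --comment that makes kube-router's iptables-restore fail.

Added example, not code from kube-router or TrueNAS. SAMPLE_SYSLOG is a
constructed, cut-down copy of the payload shape seen in the log above.
"""
import re

# TrueNAS syslog prefix, e.g. "Jun  8 01:39:29 truenas env[20630]: " (assumed format).
SYSLOG_PREFIX_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ?")

# A --comment value is either one double-quoted string or one bare token.
COMMENT_RE = re.compile(r'--comment\s+(?P<val>"[^"]*"|\S+)(?P<rest>.*)$')

# Bare run of tokens (none starting with '-') after an unquoted --comment.
UNQUOTED_COMMENT_RE = re.compile(r'--comment\s+(?!")([^\s-]\S*(?:\s+[^\s-]\S*)*)')

SAMPLE_SYSLOG = """\
Jun  8 01:39:29 truenas env[20630]: E0608 01:39:29.752610   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:39:29 truenas env[20630]: Error occurred at line: 5
Jun  8 01:39:29 truenas env[20630]: *filter
Jun  8 01:39:29 truenas env[20630]: :OUTPUT ACCEPT [0:0]
Jun  8 01:39:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0]
Jun  8 01:39:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:39:29 truenas env[20630]: COMMIT
""".splitlines()


def extract_ruleset(syslog_lines):
    """Return the iptables-restore payload (table header through COMMIT) that
    kube-router echoed into syslog. Index 0 is "*filter", so the line number
    iptables-restore reports is index + 1."""
    payload, inside = [], False
    for raw in syslog_lines:
        msg = SYSLOG_PREFIX_RE.sub("", raw.rstrip("\n"))
        if msg.startswith("*"):          # "*filter" starts a new payload
            payload, inside = [msg], True
        elif inside:
            payload.append(msg)
            if msg == "COMMIT":
                inside = False
    return payload


def stray_comment_args(rule):
    """Tokens iptables-restore sees as stray arguments after an unquoted
    multi-word --comment; [] when the rule parses cleanly."""
    m = COMMENT_RE.search(rule)
    if not m or m.group("val").startswith('"'):
        return []
    stray = []
    for tok in m.group("rest").split():
        if tok.startswith("-"):          # next option ends the bare comment
            break
        stray.append(tok)
    return stray


def find_bad_comments(ruleset):
    """(line number, first stray token) for each rule iptables-restore rejects."""
    hits = []
    for lineno, rule in enumerate(ruleset, start=1):
        stray = stray_comment_args(rule)
        if stray:
            hits.append((lineno, stray[0]))
    return hits


def quote_comment(rule):
    """Wrap a bare --comment in double quotes; already-quoted rules are unchanged."""
    return UNQUOTED_COMMENT_RE.sub(lambda m: '--comment "%s"' % m.group(1), rule)


def diagnose(syslog_lines):
    """Mirror the controller's error: first failing line, the offending token,
    and the corrected rule. None when the payload would load."""
    ruleset = extract_ruleset(syslog_lines)
    bad = find_bad_comments(ruleset)
    if not bad:
        return None
    lineno, tok = bad[0]
    rule = ruleset[lineno - 1]
    return {"line": lineno, "bad_argument": tok, "rule": rule,
            "fixed": quote_comment(rule)}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_SYSLOG).items():
        print("%s: %s" % (key, value))
```

To confirm the diagnosis on the node without touching the live table, feed the extracted payload to `iptables-restore --test`, which parses the ruleset but does not commit it and prints the same "Bad argument"/"Error occurred at line" pair; once the controller's comment is quoted, the same command exits 0. Until that happens, treat the node's network policy enforcement as stale: the KUBE-POD-FW chains that this payload would have created for the pods listed in the log are not installed by it.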
Jun  8 01:40:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 01:40:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 01:40:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 01:44:29 truenas env[20630]: E0608 01:44:29.748941   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:44:29 truenas env[20630]: Error occurred at line: 103
Jun  8 01:44:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:44:29 truenas env[20630]: )
Jun  8 01:44:29 truenas env[20630]: *filter
Jun  8 01:44:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:44:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 01:44:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 01:44:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 01:44:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 01:44:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 01:44:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 01:44:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:44:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 01:44:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 01:44:29 truenas env[20630]: :KUBE-POD-FW-XA32MSF7HUFDY62L - [0:0]
Jun  8 01:44:29 truenas env[20630]: :KUBE-POD-FW-QRCMQVSBI7XKLOBZ - [0:0]
Jun  8 01:44:29 truenas env[20630]: :KUBE-POD-FW-K3JCHSH6BYJTVDCN - [0:0]
Jun  8 01:44:29 truenas env[20630]: :KUBE-POD-FW-HQH4PUXFSP65T3EL - [0:0]
Jun  8 01:44:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:44:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 01:44:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 01:44:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 01:44:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 01:44:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:44:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 01:44:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 01:44:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 01:44:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-XA32MSF7HUFDY62L 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-XA32MSF7HUFDY62L 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-XA32MSF7HUFDY62L 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-XA32MSF7HUFDY62L 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-XA32MSF7HUFDY62L 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XA32MSF7HUFDY62L" -d 172.16.0.43 -j KUBE-POD-FW-XA32MSF7HUFDY62L
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XA32MSF7HUFDY62L" -d 172.16.0.43 -j KUBE-POD-FW-XA32MSF7HUFDY62L
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XA32MSF7HUFDY62L" -d 172.16.0.43 -j KUBE-POD-FW-XA32MSF7HUFDY62L
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XA32MSF7HUFDY62L" -s 172.16.0.43 -j KUBE-POD-FW-XA32MSF7HUFDY62L
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XA32MSF7HUFDY62L" -s 172.16.0.43 -j KUBE-POD-FW-XA32MSF7HUFDY62L
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XA32MSF7HUFDY62L" -s 172.16.0.43 -j KUBE-POD-FW-XA32MSF7HUFDY62L
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XA32MSF7HUFDY62L" -s 172.16.0.43 -j KUBE-POD-FW-XA32MSF7HUFDY62L
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-XA32MSF7HUFDY62L -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-XA32MSF7HUFDY62L -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-XA32MSF7HUFDY62L -j MARK --set-mark 0/0x10000
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-XA32MSF7HUFDY62L -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-QRCMQVSBI7XKLOBZ 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-QRCMQVSBI7XKLOBZ 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-QRCMQVSBI7XKLOBZ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-QRCMQVSBI7XKLOBZ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-QRCMQVSBI7XKLOBZ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QRCMQVSBI7XKLOBZ" -d 172.16.0.46 -j KUBE-POD-FW-QRCMQVSBI7XKLOBZ
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QRCMQVSBI7XKLOBZ" -d 172.16.0.46 -j KUBE-POD-FW-QRCMQVSBI7XKLOBZ
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QRCMQVSBI7XKLOBZ" -d 172.16.0.46 -j KUBE-POD-FW-QRCMQVSBI7XKLOBZ
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QRCMQVSBI7XKLOBZ" -s 172.16.0.46 -j KUBE-POD-FW-QRCMQVSBI7XKLOBZ
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QRCMQVSBI7XKLOBZ" -s 172.16.0.46 -j KUBE-POD-FW-QRCMQVSBI7XKLOBZ
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QRCMQVSBI7XKLOBZ" -s 172.16.0.46 -j KUBE-POD-FW-QRCMQVSBI7XKLOBZ
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QRCMQVSBI7XKLOBZ" -s 172.16.0.46 -j KUBE-POD-FW-QRCMQVSBI7XKLOBZ
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-QRCMQVSBI7XKLOBZ -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-QRCMQVSBI7XKLOBZ -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-QRCMQVSBI7XKLOBZ -j MARK --set-mark 0/0x10000
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-QRCMQVSBI7XKLOBZ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-K3JCHSH6BYJTVDCN 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-K3JCHSH6BYJTVDCN 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-K3JCHSH6BYJTVDCN 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-K3JCHSH6BYJTVDCN 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-K3JCHSH6BYJTVDCN 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K3JCHSH6BYJTVDCN" -d 172.16.0.42 -j KUBE-POD-FW-K3JCHSH6BYJTVDCN
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K3JCHSH6BYJTVDCN" -d 172.16.0.42 -j KUBE-POD-FW-K3JCHSH6BYJTVDCN
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K3JCHSH6BYJTVDCN" -d 172.16.0.42 -j KUBE-POD-FW-K3JCHSH6BYJTVDCN
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K3JCHSH6BYJTVDCN" -s 172.16.0.42 -j KUBE-POD-FW-K3JCHSH6BYJTVDCN
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K3JCHSH6BYJTVDCN" -s 172.16.0.42 -j KUBE-POD-FW-K3JCHSH6BYJTVDCN
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K3JCHSH6BYJTVDCN" -s 172.16.0.42 -j KUBE-POD-FW-K3JCHSH6BYJTVDCN
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K3JCHSH6BYJTVDCN" -s 172.16.0.42 -j KUBE-POD-FW-K3JCHSH6BYJTVDCN
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-K3JCHSH6BYJTVDCN -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-K3JCHSH6BYJTVDCN -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-K3JCHSH6BYJTVDCN -j MARK --set-mark 0/0x10000
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-K3JCHSH6BYJTVDCN -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-HQH4PUXFSP65T3EL 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-HQH4PUXFSP65T3EL 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-HQH4PUXFSP65T3EL 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-HQH4PUXFSP65T3EL 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:44:29 truenas env[20630]: -I KUBE-POD-FW-HQH4PUXFSP65T3EL 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-HQH4PUXFSP65T3EL" -d 172.16.0.45 -j KUBE-POD-FW-HQH4PUXFSP65T3EL
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-HQH4PUXFSP65T3EL" -d 172.16.0.45 -j KUBE-POD-FW-HQH4PUXFSP65T3EL
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-HQH4PUXFSP65T3EL" -d 172.16.0.45 -j KUBE-POD-FW-HQH4PUXFSP65T3EL
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-HQH4PUXFSP65T3EL" -s 172.16.0.45 -j KUBE-POD-FW-HQH4PUXFSP65T3EL
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-HQH4PUXFSP65T3EL" -s 172.16.0.45 -j KUBE-POD-FW-HQH4PUXFSP65T3EL
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-HQH4PUXFSP65T3EL" -s 172.16.0.45 -j KUBE-POD-FW-HQH4PUXFSP65T3EL
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-HQH4PUXFSP65T3EL" -s 172.16.0.45 -j KUBE-POD-FW-HQH4PUXFSP65T3EL
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-HQH4PUXFSP65T3EL -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-HQH4PUXFSP65T3EL -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-HQH4PUXFSP65T3EL -j MARK --set-mark 0/0x10000
Jun  8 01:44:29 truenas env[20630]: -A KUBE-POD-FW-HQH4PUXFSP65T3EL -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:44:29 truenas env[20630]: COMMIT
Jun  8 01:49:29 truenas env[20630]: E0608 01:49:29.728585   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:49:29 truenas env[20630]: Error occurred at line: 103
Jun  8 01:49:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:49:29 truenas env[20630]: )
Jun  8 01:49:29 truenas env[20630]: *filter
Jun  8 01:49:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:49:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 01:49:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 01:49:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 01:49:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 01:49:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 01:49:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 01:49:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:49:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 01:49:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 01:49:29 truenas env[20630]: :KUBE-POD-FW-SSRSVTCZLWRYT2DS - [0:0]
Jun  8 01:49:29 truenas env[20630]: :KUBE-POD-FW-F2N7DYYHENHLXRTY - [0:0]
Jun  8 01:49:29 truenas env[20630]: :KUBE-POD-FW-OTSHLFJDBF7EWAWW - [0:0]
Jun  8 01:49:29 truenas env[20630]: :KUBE-POD-FW-A6W2WGVM4FPL4QTQ - [0:0]
Jun  8 01:49:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:49:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 01:49:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 01:49:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 01:49:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 01:49:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:49:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 01:49:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 01:49:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 01:49:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-SSRSVTCZLWRYT2DS 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-SSRSVTCZLWRYT2DS 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-SSRSVTCZLWRYT2DS 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-SSRSVTCZLWRYT2DS 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-SSRSVTCZLWRYT2DS 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SSRSVTCZLWRYT2DS" -d 172.16.0.46 -j KUBE-POD-FW-SSRSVTCZLWRYT2DS
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SSRSVTCZLWRYT2DS" -d 172.16.0.46 -j KUBE-POD-FW-SSRSVTCZLWRYT2DS
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SSRSVTCZLWRYT2DS" -d 172.16.0.46 -j KUBE-POD-FW-SSRSVTCZLWRYT2DS
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SSRSVTCZLWRYT2DS" -s 172.16.0.46 -j KUBE-POD-FW-SSRSVTCZLWRYT2DS
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SSRSVTCZLWRYT2DS" -s 172.16.0.46 -j KUBE-POD-FW-SSRSVTCZLWRYT2DS
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SSRSVTCZLWRYT2DS" -s 172.16.0.46 -j KUBE-POD-FW-SSRSVTCZLWRYT2DS
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-SSRSVTCZLWRYT2DS" -s 172.16.0.46 -j KUBE-POD-FW-SSRSVTCZLWRYT2DS
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-SSRSVTCZLWRYT2DS -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-SSRSVTCZLWRYT2DS -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-SSRSVTCZLWRYT2DS -j MARK --set-mark 0/0x10000
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-SSRSVTCZLWRYT2DS -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-F2N7DYYHENHLXRTY 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-F2N7DYYHENHLXRTY 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-F2N7DYYHENHLXRTY 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-F2N7DYYHENHLXRTY 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-F2N7DYYHENHLXRTY 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-F2N7DYYHENHLXRTY" -d 172.16.0.42 -j KUBE-POD-FW-F2N7DYYHENHLXRTY
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-F2N7DYYHENHLXRTY" -d 172.16.0.42 -j KUBE-POD-FW-F2N7DYYHENHLXRTY
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-F2N7DYYHENHLXRTY" -d 172.16.0.42 -j KUBE-POD-FW-F2N7DYYHENHLXRTY
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-F2N7DYYHENHLXRTY" -s 172.16.0.42 -j KUBE-POD-FW-F2N7DYYHENHLXRTY
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-F2N7DYYHENHLXRTY" -s 172.16.0.42 -j KUBE-POD-FW-F2N7DYYHENHLXRTY
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-F2N7DYYHENHLXRTY" -s 172.16.0.42 -j KUBE-POD-FW-F2N7DYYHENHLXRTY
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-F2N7DYYHENHLXRTY" -s 172.16.0.42 -j KUBE-POD-FW-F2N7DYYHENHLXRTY
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-F2N7DYYHENHLXRTY -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-F2N7DYYHENHLXRTY -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-F2N7DYYHENHLXRTY -j MARK --set-mark 0/0x10000
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-F2N7DYYHENHLXRTY -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-OTSHLFJDBF7EWAWW 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-OTSHLFJDBF7EWAWW 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-OTSHLFJDBF7EWAWW 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-OTSHLFJDBF7EWAWW 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-OTSHLFJDBF7EWAWW 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OTSHLFJDBF7EWAWW" -d 172.16.0.45 -j KUBE-POD-FW-OTSHLFJDBF7EWAWW
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OTSHLFJDBF7EWAWW" -d 172.16.0.45 -j KUBE-POD-FW-OTSHLFJDBF7EWAWW
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OTSHLFJDBF7EWAWW" -d 172.16.0.45 -j KUBE-POD-FW-OTSHLFJDBF7EWAWW
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OTSHLFJDBF7EWAWW" -s 172.16.0.45 -j KUBE-POD-FW-OTSHLFJDBF7EWAWW
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OTSHLFJDBF7EWAWW" -s 172.16.0.45 -j KUBE-POD-FW-OTSHLFJDBF7EWAWW
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OTSHLFJDBF7EWAWW" -s 172.16.0.45 -j KUBE-POD-FW-OTSHLFJDBF7EWAWW
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OTSHLFJDBF7EWAWW" -s 172.16.0.45 -j KUBE-POD-FW-OTSHLFJDBF7EWAWW
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-OTSHLFJDBF7EWAWW -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-OTSHLFJDBF7EWAWW -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-OTSHLFJDBF7EWAWW -j MARK --set-mark 0/0x10000
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-OTSHLFJDBF7EWAWW -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-A6W2WGVM4FPL4QTQ 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-A6W2WGVM4FPL4QTQ 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-A6W2WGVM4FPL4QTQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-A6W2WGVM4FPL4QTQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:49:29 truenas env[20630]: -I KUBE-POD-FW-A6W2WGVM4FPL4QTQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-A6W2WGVM4FPL4QTQ" -d 172.16.0.43 -j KUBE-POD-FW-A6W2WGVM4FPL4QTQ
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-A6W2WGVM4FPL4QTQ" -d 172.16.0.43 -j KUBE-POD-FW-A6W2WGVM4FPL4QTQ
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-A6W2WGVM4FPL4QTQ" -d 172.16.0.43 -j KUBE-POD-FW-A6W2WGVM4FPL4QTQ
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-A6W2WGVM4FPL4QTQ" -s 172.16.0.43 -j KUBE-POD-FW-A6W2WGVM4FPL4QTQ
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-A6W2WGVM4FPL4QTQ" -s 172.16.0.43 -j KUBE-POD-FW-A6W2WGVM4FPL4QTQ
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-A6W2WGVM4FPL4QTQ" -s 172.16.0.43 -j KUBE-POD-FW-A6W2WGVM4FPL4QTQ
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-A6W2WGVM4FPL4QTQ" -s 172.16.0.43 -j KUBE-POD-FW-A6W2WGVM4FPL4QTQ
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-A6W2WGVM4FPL4QTQ -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-A6W2WGVM4FPL4QTQ -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-A6W2WGVM4FPL4QTQ -j MARK --set-mark 0/0x10000
Jun  8 01:49:29 truenas env[20630]: -A KUBE-POD-FW-A6W2WGVM4FPL4QTQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:49:29 truenas env[20630]: COMMIT
Jun  8 01:50:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 01:50:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 01:50:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 01:52:01 truenas CRON[569769]: (root) CMD (midclt call update.download > /dev/null 2>&1)
Jun  8 01:54:29 truenas env[20630]: E0608 01:54:29.764919   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:54:29 truenas env[20630]: Error occurred at line: 103
Jun  8 01:54:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:54:29 truenas env[20630]: )
Jun  8 01:54:29 truenas env[20630]: *filter
Jun  8 01:54:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:54:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 01:54:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 01:54:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 01:54:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 01:54:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 01:54:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 01:54:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:54:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 01:54:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 01:54:29 truenas env[20630]: :KUBE-POD-FW-Q3G4GQUYRDVALFV6 - [0:0]
Jun  8 01:54:29 truenas env[20630]: :KUBE-POD-FW-AKRWBR73W7MJP6XK - [0:0]
Jun  8 01:54:29 truenas env[20630]: :KUBE-POD-FW-D77ES5B753QNTJKP - [0:0]
Jun  8 01:54:29 truenas env[20630]: :KUBE-POD-FW-VC7ADKHNC6OASWMH - [0:0]
Jun  8 01:54:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:54:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 01:54:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 01:54:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 01:54:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 01:54:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:54:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 01:54:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 01:54:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 01:54:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-Q3G4GQUYRDVALFV6 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-Q3G4GQUYRDVALFV6 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-Q3G4GQUYRDVALFV6 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-Q3G4GQUYRDVALFV6 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-Q3G4GQUYRDVALFV6 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q3G4GQUYRDVALFV6" -d 172.16.0.42 -j KUBE-POD-FW-Q3G4GQUYRDVALFV6
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q3G4GQUYRDVALFV6" -d 172.16.0.42 -j KUBE-POD-FW-Q3G4GQUYRDVALFV6
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q3G4GQUYRDVALFV6" -d 172.16.0.42 -j KUBE-POD-FW-Q3G4GQUYRDVALFV6
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q3G4GQUYRDVALFV6" -s 172.16.0.42 -j KUBE-POD-FW-Q3G4GQUYRDVALFV6
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q3G4GQUYRDVALFV6" -s 172.16.0.42 -j KUBE-POD-FW-Q3G4GQUYRDVALFV6
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q3G4GQUYRDVALFV6" -s 172.16.0.42 -j KUBE-POD-FW-Q3G4GQUYRDVALFV6
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Q3G4GQUYRDVALFV6" -s 172.16.0.42 -j KUBE-POD-FW-Q3G4GQUYRDVALFV6
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-Q3G4GQUYRDVALFV6 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-Q3G4GQUYRDVALFV6 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-Q3G4GQUYRDVALFV6 -j MARK --set-mark 0/0x10000
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-Q3G4GQUYRDVALFV6 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-AKRWBR73W7MJP6XK 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-AKRWBR73W7MJP6XK 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-AKRWBR73W7MJP6XK 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-AKRWBR73W7MJP6XK 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-AKRWBR73W7MJP6XK 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AKRWBR73W7MJP6XK" -d 172.16.0.45 -j KUBE-POD-FW-AKRWBR73W7MJP6XK
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AKRWBR73W7MJP6XK" -d 172.16.0.45 -j KUBE-POD-FW-AKRWBR73W7MJP6XK
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AKRWBR73W7MJP6XK" -d 172.16.0.45 -j KUBE-POD-FW-AKRWBR73W7MJP6XK
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AKRWBR73W7MJP6XK" -s 172.16.0.45 -j KUBE-POD-FW-AKRWBR73W7MJP6XK
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AKRWBR73W7MJP6XK" -s 172.16.0.45 -j KUBE-POD-FW-AKRWBR73W7MJP6XK
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AKRWBR73W7MJP6XK" -s 172.16.0.45 -j KUBE-POD-FW-AKRWBR73W7MJP6XK
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-AKRWBR73W7MJP6XK" -s 172.16.0.45 -j KUBE-POD-FW-AKRWBR73W7MJP6XK
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-AKRWBR73W7MJP6XK -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-AKRWBR73W7MJP6XK -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-AKRWBR73W7MJP6XK -j MARK --set-mark 0/0x10000
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-AKRWBR73W7MJP6XK -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-D77ES5B753QNTJKP 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-D77ES5B753QNTJKP 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-D77ES5B753QNTJKP 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-D77ES5B753QNTJKP 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-D77ES5B753QNTJKP 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-D77ES5B753QNTJKP" -d 172.16.0.43 -j KUBE-POD-FW-D77ES5B753QNTJKP
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-D77ES5B753QNTJKP" -d 172.16.0.43 -j KUBE-POD-FW-D77ES5B753QNTJKP
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-D77ES5B753QNTJKP" -d 172.16.0.43 -j KUBE-POD-FW-D77ES5B753QNTJKP
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-D77ES5B753QNTJKP" -s 172.16.0.43 -j KUBE-POD-FW-D77ES5B753QNTJKP
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-D77ES5B753QNTJKP" -s 172.16.0.43 -j KUBE-POD-FW-D77ES5B753QNTJKP
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-D77ES5B753QNTJKP" -s 172.16.0.43 -j KUBE-POD-FW-D77ES5B753QNTJKP
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-D77ES5B753QNTJKP" -s 172.16.0.43 -j KUBE-POD-FW-D77ES5B753QNTJKP
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-D77ES5B753QNTJKP -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-D77ES5B753QNTJKP -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-D77ES5B753QNTJKP -j MARK --set-mark 0/0x10000
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-D77ES5B753QNTJKP -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-VC7ADKHNC6OASWMH 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-VC7ADKHNC6OASWMH 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-VC7ADKHNC6OASWMH 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-VC7ADKHNC6OASWMH 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:54:29 truenas env[20630]: -I KUBE-POD-FW-VC7ADKHNC6OASWMH 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VC7ADKHNC6OASWMH" -d 172.16.0.46 -j KUBE-POD-FW-VC7ADKHNC6OASWMH
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VC7ADKHNC6OASWMH" -d 172.16.0.46 -j KUBE-POD-FW-VC7ADKHNC6OASWMH
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VC7ADKHNC6OASWMH" -d 172.16.0.46 -j KUBE-POD-FW-VC7ADKHNC6OASWMH
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VC7ADKHNC6OASWMH" -s 172.16.0.46 -j KUBE-POD-FW-VC7ADKHNC6OASWMH
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VC7ADKHNC6OASWMH" -s 172.16.0.46 -j KUBE-POD-FW-VC7ADKHNC6OASWMH
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VC7ADKHNC6OASWMH" -s 172.16.0.46 -j KUBE-POD-FW-VC7ADKHNC6OASWMH
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VC7ADKHNC6OASWMH" -s 172.16.0.46 -j KUBE-POD-FW-VC7ADKHNC6OASWMH
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-VC7ADKHNC6OASWMH -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-VC7ADKHNC6OASWMH -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-VC7ADKHNC6OASWMH -j MARK --set-mark 0/0x10000
Jun  8 01:54:29 truenas env[20630]: -A KUBE-POD-FW-VC7ADKHNC6OASWMH -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:54:29 truenas env[20630]: COMMIT
Jun  8 01:59:26 truenas nscd[577893]: 577893 monitoring file `/etc/hosts` (1)
Jun  8 01:59:26 truenas nscd[577893]: 577893 monitoring directory `/etc` (2)
Jun  8 01:59:26 truenas nscd[577893]: 577893 monitoring file `/etc/resolv.conf` (3)
Jun  8 01:59:26 truenas nscd[577893]: 577893 monitoring directory `/etc` (2)
Jun  8 01:59:26 truenas nscd[577893]: 577893 cannot create /var/cache/nscd/hosts; no persistent database used
Jun  8 01:59:29 truenas env[20630]: E0608 01:59:29.748569   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 01:59:29 truenas env[20630]: Error occurred at line: 103
Jun  8 01:59:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 01:59:29 truenas env[20630]: )
Jun  8 01:59:29 truenas env[20630]: *filter
Jun  8 01:59:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 01:59:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 01:59:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 01:59:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 01:59:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 01:59:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 01:59:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 01:59:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 01:59:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 01:59:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 01:59:29 truenas env[20630]: :KUBE-POD-FW-MGDF53EVNLVED2IV - [0:0]
Jun  8 01:59:29 truenas env[20630]: :KUBE-POD-FW-2DOCLXEWLPBLPFLI - [0:0]
Jun  8 01:59:29 truenas env[20630]: :KUBE-POD-FW-DKAFJ4FPMYMD36K6 - [0:0]
Jun  8 01:59:29 truenas env[20630]: :KUBE-POD-FW-EZXAFFUOQQN24WLO - [0:0]
Jun  8 01:59:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 01:59:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 01:59:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 01:59:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 01:59:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 01:59:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 01:59:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 01:59:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 01:59:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 01:59:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-MGDF53EVNLVED2IV 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-MGDF53EVNLVED2IV 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-MGDF53EVNLVED2IV 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-MGDF53EVNLVED2IV 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-MGDF53EVNLVED2IV 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MGDF53EVNLVED2IV" -d 172.16.0.46 -j KUBE-POD-FW-MGDF53EVNLVED2IV
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MGDF53EVNLVED2IV" -d 172.16.0.46 -j KUBE-POD-FW-MGDF53EVNLVED2IV
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MGDF53EVNLVED2IV" -d 172.16.0.46 -j KUBE-POD-FW-MGDF53EVNLVED2IV
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MGDF53EVNLVED2IV" -s 172.16.0.46 -j KUBE-POD-FW-MGDF53EVNLVED2IV
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MGDF53EVNLVED2IV" -s 172.16.0.46 -j KUBE-POD-FW-MGDF53EVNLVED2IV
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MGDF53EVNLVED2IV" -s 172.16.0.46 -j KUBE-POD-FW-MGDF53EVNLVED2IV
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MGDF53EVNLVED2IV" -s 172.16.0.46 -j KUBE-POD-FW-MGDF53EVNLVED2IV
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-MGDF53EVNLVED2IV -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-MGDF53EVNLVED2IV -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-MGDF53EVNLVED2IV -j MARK --set-mark 0/0x10000
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-MGDF53EVNLVED2IV -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-2DOCLXEWLPBLPFLI 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-2DOCLXEWLPBLPFLI 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-2DOCLXEWLPBLPFLI 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-2DOCLXEWLPBLPFLI 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-2DOCLXEWLPBLPFLI 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOCLXEWLPBLPFLI" -d 172.16.0.42 -j KUBE-POD-FW-2DOCLXEWLPBLPFLI
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOCLXEWLPBLPFLI" -d 172.16.0.42 -j KUBE-POD-FW-2DOCLXEWLPBLPFLI
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOCLXEWLPBLPFLI" -d 172.16.0.42 -j KUBE-POD-FW-2DOCLXEWLPBLPFLI
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOCLXEWLPBLPFLI" -s 172.16.0.42 -j KUBE-POD-FW-2DOCLXEWLPBLPFLI
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOCLXEWLPBLPFLI" -s 172.16.0.42 -j KUBE-POD-FW-2DOCLXEWLPBLPFLI
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOCLXEWLPBLPFLI" -s 172.16.0.42 -j KUBE-POD-FW-2DOCLXEWLPBLPFLI
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2DOCLXEWLPBLPFLI" -s 172.16.0.42 -j KUBE-POD-FW-2DOCLXEWLPBLPFLI
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-2DOCLXEWLPBLPFLI -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-2DOCLXEWLPBLPFLI -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-2DOCLXEWLPBLPFLI -j MARK --set-mark 0/0x10000
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-2DOCLXEWLPBLPFLI -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-DKAFJ4FPMYMD36K6 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-DKAFJ4FPMYMD36K6 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-DKAFJ4FPMYMD36K6 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-DKAFJ4FPMYMD36K6 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-DKAFJ4FPMYMD36K6 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DKAFJ4FPMYMD36K6" -d 172.16.0.45 -j KUBE-POD-FW-DKAFJ4FPMYMD36K6
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DKAFJ4FPMYMD36K6" -d 172.16.0.45 -j KUBE-POD-FW-DKAFJ4FPMYMD36K6
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DKAFJ4FPMYMD36K6" -d 172.16.0.45 -j KUBE-POD-FW-DKAFJ4FPMYMD36K6
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DKAFJ4FPMYMD36K6" -s 172.16.0.45 -j KUBE-POD-FW-DKAFJ4FPMYMD36K6
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DKAFJ4FPMYMD36K6" -s 172.16.0.45 -j KUBE-POD-FW-DKAFJ4FPMYMD36K6
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DKAFJ4FPMYMD36K6" -s 172.16.0.45 -j KUBE-POD-FW-DKAFJ4FPMYMD36K6
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DKAFJ4FPMYMD36K6" -s 172.16.0.45 -j KUBE-POD-FW-DKAFJ4FPMYMD36K6
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-DKAFJ4FPMYMD36K6 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-DKAFJ4FPMYMD36K6 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-DKAFJ4FPMYMD36K6 -j MARK --set-mark 0/0x10000
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-DKAFJ4FPMYMD36K6 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-EZXAFFUOQQN24WLO 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-EZXAFFUOQQN24WLO 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-EZXAFFUOQQN24WLO 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-EZXAFFUOQQN24WLO 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 01:59:29 truenas env[20630]: -I KUBE-POD-FW-EZXAFFUOQQN24WLO 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EZXAFFUOQQN24WLO" -d 172.16.0.43 -j KUBE-POD-FW-EZXAFFUOQQN24WLO
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EZXAFFUOQQN24WLO" -d 172.16.0.43 -j KUBE-POD-FW-EZXAFFUOQQN24WLO
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EZXAFFUOQQN24WLO" -d 172.16.0.43 -j KUBE-POD-FW-EZXAFFUOQQN24WLO
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EZXAFFUOQQN24WLO" -s 172.16.0.43 -j KUBE-POD-FW-EZXAFFUOQQN24WLO
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EZXAFFUOQQN24WLO" -s 172.16.0.43 -j KUBE-POD-FW-EZXAFFUOQQN24WLO
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EZXAFFUOQQN24WLO" -s 172.16.0.43 -j KUBE-POD-FW-EZXAFFUOQQN24WLO
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EZXAFFUOQQN24WLO" -s 172.16.0.43 -j KUBE-POD-FW-EZXAFFUOQQN24WLO
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-EZXAFFUOQQN24WLO -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-EZXAFFUOQQN24WLO -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-EZXAFFUOQQN24WLO -j MARK --set-mark 0/0x10000
Jun  8 01:59:29 truenas env[20630]: -A KUBE-POD-FW-EZXAFFUOQQN24WLO -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 01:59:29 truenas env[20630]: COMMIT
Jun  8 02:00:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 02:00:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 02:00:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 02:04:29 truenas env[20630]: E0608 02:04:29.728642   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 02:04:29 truenas env[20630]: Error occurred at line: 103
Jun  8 02:04:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 02:04:29 truenas env[20630]: )
Jun  8 02:04:29 truenas env[20630]: *filter
Jun  8 02:04:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 02:04:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 02:04:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 02:04:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 02:04:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 02:04:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 02:04:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 02:04:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 02:04:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 02:04:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 02:04:29 truenas env[20630]: :KUBE-POD-FW-KGW5PSJTSSKLSRPX - [0:0]
Jun  8 02:04:29 truenas env[20630]: :KUBE-POD-FW-5ZXFYCLGNIVUUWCF - [0:0]
Jun  8 02:04:29 truenas env[20630]: :KUBE-POD-FW-G6727Q3YB5COGDR5 - [0:0]
Jun  8 02:04:29 truenas env[20630]: :KUBE-POD-FW-FKYLXZWFAZYN3WVC - [0:0]
Jun  8 02:04:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 02:04:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 02:04:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 02:04:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 02:04:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 02:04:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 02:04:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 02:04:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 02:04:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 02:04:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-KGW5PSJTSSKLSRPX 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-KGW5PSJTSSKLSRPX 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-KGW5PSJTSSKLSRPX 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-KGW5PSJTSSKLSRPX 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-KGW5PSJTSSKLSRPX 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KGW5PSJTSSKLSRPX" -d 172.16.0.45 -j KUBE-POD-FW-KGW5PSJTSSKLSRPX
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KGW5PSJTSSKLSRPX" -d 172.16.0.45 -j KUBE-POD-FW-KGW5PSJTSSKLSRPX
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KGW5PSJTSSKLSRPX" -d 172.16.0.45 -j KUBE-POD-FW-KGW5PSJTSSKLSRPX
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KGW5PSJTSSKLSRPX" -s 172.16.0.45 -j KUBE-POD-FW-KGW5PSJTSSKLSRPX
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KGW5PSJTSSKLSRPX" -s 172.16.0.45 -j KUBE-POD-FW-KGW5PSJTSSKLSRPX
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KGW5PSJTSSKLSRPX" -s 172.16.0.45 -j KUBE-POD-FW-KGW5PSJTSSKLSRPX
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-KGW5PSJTSSKLSRPX" -s 172.16.0.45 -j KUBE-POD-FW-KGW5PSJTSSKLSRPX
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-KGW5PSJTSSKLSRPX -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-KGW5PSJTSSKLSRPX -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-KGW5PSJTSSKLSRPX -j MARK --set-mark 0/0x10000
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-KGW5PSJTSSKLSRPX -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-5ZXFYCLGNIVUUWCF 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-5ZXFYCLGNIVUUWCF 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-5ZXFYCLGNIVUUWCF 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-5ZXFYCLGNIVUUWCF 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-5ZXFYCLGNIVUUWCF 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5ZXFYCLGNIVUUWCF" -d 172.16.0.43 -j KUBE-POD-FW-5ZXFYCLGNIVUUWCF
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5ZXFYCLGNIVUUWCF" -d 172.16.0.43 -j KUBE-POD-FW-5ZXFYCLGNIVUUWCF
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5ZXFYCLGNIVUUWCF" -d 172.16.0.43 -j KUBE-POD-FW-5ZXFYCLGNIVUUWCF
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5ZXFYCLGNIVUUWCF" -s 172.16.0.43 -j KUBE-POD-FW-5ZXFYCLGNIVUUWCF
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5ZXFYCLGNIVUUWCF" -s 172.16.0.43 -j KUBE-POD-FW-5ZXFYCLGNIVUUWCF
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5ZXFYCLGNIVUUWCF" -s 172.16.0.43 -j KUBE-POD-FW-5ZXFYCLGNIVUUWCF
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5ZXFYCLGNIVUUWCF" -s 172.16.0.43 -j KUBE-POD-FW-5ZXFYCLGNIVUUWCF
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-5ZXFYCLGNIVUUWCF -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-5ZXFYCLGNIVUUWCF -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-5ZXFYCLGNIVUUWCF -j MARK --set-mark 0/0x10000
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-5ZXFYCLGNIVUUWCF -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-G6727Q3YB5COGDR5 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-G6727Q3YB5COGDR5 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-G6727Q3YB5COGDR5 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-G6727Q3YB5COGDR5 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-G6727Q3YB5COGDR5 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6727Q3YB5COGDR5" -d 172.16.0.46 -j KUBE-POD-FW-G6727Q3YB5COGDR5
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6727Q3YB5COGDR5" -d 172.16.0.46 -j KUBE-POD-FW-G6727Q3YB5COGDR5
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6727Q3YB5COGDR5" -d 172.16.0.46 -j KUBE-POD-FW-G6727Q3YB5COGDR5
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6727Q3YB5COGDR5" -s 172.16.0.46 -j KUBE-POD-FW-G6727Q3YB5COGDR5
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6727Q3YB5COGDR5" -s 172.16.0.46 -j KUBE-POD-FW-G6727Q3YB5COGDR5
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6727Q3YB5COGDR5" -s 172.16.0.46 -j KUBE-POD-FW-G6727Q3YB5COGDR5
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-G6727Q3YB5COGDR5" -s 172.16.0.46 -j KUBE-POD-FW-G6727Q3YB5COGDR5
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-G6727Q3YB5COGDR5 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-G6727Q3YB5COGDR5 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-G6727Q3YB5COGDR5 -j MARK --set-mark 0/0x10000
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-G6727Q3YB5COGDR5 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-FKYLXZWFAZYN3WVC 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-FKYLXZWFAZYN3WVC 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-FKYLXZWFAZYN3WVC 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-FKYLXZWFAZYN3WVC 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:04:29 truenas env[20630]: -I KUBE-POD-FW-FKYLXZWFAZYN3WVC 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FKYLXZWFAZYN3WVC" -d 172.16.0.42 -j KUBE-POD-FW-FKYLXZWFAZYN3WVC
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FKYLXZWFAZYN3WVC" -d 172.16.0.42 -j KUBE-POD-FW-FKYLXZWFAZYN3WVC
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FKYLXZWFAZYN3WVC" -d 172.16.0.42 -j KUBE-POD-FW-FKYLXZWFAZYN3WVC
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FKYLXZWFAZYN3WVC" -s 172.16.0.42 -j KUBE-POD-FW-FKYLXZWFAZYN3WVC
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FKYLXZWFAZYN3WVC" -s 172.16.0.42 -j KUBE-POD-FW-FKYLXZWFAZYN3WVC
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FKYLXZWFAZYN3WVC" -s 172.16.0.42 -j KUBE-POD-FW-FKYLXZWFAZYN3WVC
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FKYLXZWFAZYN3WVC" -s 172.16.0.42 -j KUBE-POD-FW-FKYLXZWFAZYN3WVC
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-FKYLXZWFAZYN3WVC -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-FKYLXZWFAZYN3WVC -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-FKYLXZWFAZYN3WVC -j MARK --set-mark 0/0x10000
Jun  8 02:04:29 truenas env[20630]: -A KUBE-POD-FW-FKYLXZWFAZYN3WVC -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:04:29 truenas env[20630]: COMMIT
Jun  8 02:09:29 truenas env[20630]: E0608 02:09:29.716754   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 02:09:29 truenas env[20630]: Error occurred at line: 103
Jun  8 02:09:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 02:09:29 truenas env[20630]: )
Jun  8 02:09:29 truenas env[20630]: *filter
Jun  8 02:09:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 02:09:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 02:09:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 02:09:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 02:09:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 02:09:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 02:09:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 02:09:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 02:09:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 02:09:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 02:09:29 truenas env[20630]: :KUBE-POD-FW-FMEZRMFNWN4F7DNU - [0:0]
Jun  8 02:09:29 truenas env[20630]: :KUBE-POD-FW-6GBLB24H3CATEXEW - [0:0]
Jun  8 02:09:29 truenas env[20630]: :KUBE-POD-FW-RRDEADDENQVOOEY3 - [0:0]
Jun  8 02:09:29 truenas env[20630]: :KUBE-POD-FW-PZUZQN6ZI5HKUVAQ - [0:0]
Jun  8 02:09:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 02:09:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 02:09:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 02:09:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 02:09:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 02:09:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 02:09:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 02:09:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 02:09:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 02:09:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-FMEZRMFNWN4F7DNU 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-FMEZRMFNWN4F7DNU 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-FMEZRMFNWN4F7DNU 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-FMEZRMFNWN4F7DNU 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-FMEZRMFNWN4F7DNU 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-FMEZRMFNWN4F7DNU" -d 172.16.0.43 -j KUBE-POD-FW-FMEZRMFNWN4F7DNU
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-FMEZRMFNWN4F7DNU" -d 172.16.0.43 -j KUBE-POD-FW-FMEZRMFNWN4F7DNU
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-FMEZRMFNWN4F7DNU" -d 172.16.0.43 -j KUBE-POD-FW-FMEZRMFNWN4F7DNU
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-FMEZRMFNWN4F7DNU" -s 172.16.0.43 -j KUBE-POD-FW-FMEZRMFNWN4F7DNU
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-FMEZRMFNWN4F7DNU" -s 172.16.0.43 -j KUBE-POD-FW-FMEZRMFNWN4F7DNU
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-FMEZRMFNWN4F7DNU" -s 172.16.0.43 -j KUBE-POD-FW-FMEZRMFNWN4F7DNU
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-FMEZRMFNWN4F7DNU" -s 172.16.0.43 -j KUBE-POD-FW-FMEZRMFNWN4F7DNU
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-FMEZRMFNWN4F7DNU -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-FMEZRMFNWN4F7DNU -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-FMEZRMFNWN4F7DNU -j MARK --set-mark 0/0x10000
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-FMEZRMFNWN4F7DNU -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-6GBLB24H3CATEXEW 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-6GBLB24H3CATEXEW 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-6GBLB24H3CATEXEW 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-6GBLB24H3CATEXEW 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-6GBLB24H3CATEXEW 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-6GBLB24H3CATEXEW" -d 172.16.0.46 -j KUBE-POD-FW-6GBLB24H3CATEXEW
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-6GBLB24H3CATEXEW" -d 172.16.0.46 -j KUBE-POD-FW-6GBLB24H3CATEXEW
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-6GBLB24H3CATEXEW" -d 172.16.0.46 -j KUBE-POD-FW-6GBLB24H3CATEXEW
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-6GBLB24H3CATEXEW" -s 172.16.0.46 -j KUBE-POD-FW-6GBLB24H3CATEXEW
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-6GBLB24H3CATEXEW" -s 172.16.0.46 -j KUBE-POD-FW-6GBLB24H3CATEXEW
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-6GBLB24H3CATEXEW" -s 172.16.0.46 -j KUBE-POD-FW-6GBLB24H3CATEXEW
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-6GBLB24H3CATEXEW" -s 172.16.0.46 -j KUBE-POD-FW-6GBLB24H3CATEXEW
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-6GBLB24H3CATEXEW -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-6GBLB24H3CATEXEW -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-6GBLB24H3CATEXEW -j MARK --set-mark 0/0x10000
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-6GBLB24H3CATEXEW -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-RRDEADDENQVOOEY3 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-RRDEADDENQVOOEY3 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-RRDEADDENQVOOEY3 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-RRDEADDENQVOOEY3 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-RRDEADDENQVOOEY3 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RRDEADDENQVOOEY3" -d 172.16.0.42 -j KUBE-POD-FW-RRDEADDENQVOOEY3
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RRDEADDENQVOOEY3" -d 172.16.0.42 -j KUBE-POD-FW-RRDEADDENQVOOEY3
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RRDEADDENQVOOEY3" -d 172.16.0.42 -j KUBE-POD-FW-RRDEADDENQVOOEY3
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RRDEADDENQVOOEY3" -s 172.16.0.42 -j KUBE-POD-FW-RRDEADDENQVOOEY3
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RRDEADDENQVOOEY3" -s 172.16.0.42 -j KUBE-POD-FW-RRDEADDENQVOOEY3
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RRDEADDENQVOOEY3" -s 172.16.0.42 -j KUBE-POD-FW-RRDEADDENQVOOEY3
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RRDEADDENQVOOEY3" -s 172.16.0.42 -j KUBE-POD-FW-RRDEADDENQVOOEY3
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-RRDEADDENQVOOEY3 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-RRDEADDENQVOOEY3 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-RRDEADDENQVOOEY3 -j MARK --set-mark 0/0x10000
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-RRDEADDENQVOOEY3 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-PZUZQN6ZI5HKUVAQ 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-PZUZQN6ZI5HKUVAQ 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-PZUZQN6ZI5HKUVAQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-PZUZQN6ZI5HKUVAQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:09:29 truenas env[20630]: -I KUBE-POD-FW-PZUZQN6ZI5HKUVAQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PZUZQN6ZI5HKUVAQ" -d 172.16.0.45 -j KUBE-POD-FW-PZUZQN6ZI5HKUVAQ
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PZUZQN6ZI5HKUVAQ" -d 172.16.0.45 -j KUBE-POD-FW-PZUZQN6ZI5HKUVAQ
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PZUZQN6ZI5HKUVAQ" -d 172.16.0.45 -j KUBE-POD-FW-PZUZQN6ZI5HKUVAQ
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PZUZQN6ZI5HKUVAQ" -s 172.16.0.45 -j KUBE-POD-FW-PZUZQN6ZI5HKUVAQ
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PZUZQN6ZI5HKUVAQ" -s 172.16.0.45 -j KUBE-POD-FW-PZUZQN6ZI5HKUVAQ
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PZUZQN6ZI5HKUVAQ" -s 172.16.0.45 -j KUBE-POD-FW-PZUZQN6ZI5HKUVAQ
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PZUZQN6ZI5HKUVAQ" -s 172.16.0.45 -j KUBE-POD-FW-PZUZQN6ZI5HKUVAQ
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-PZUZQN6ZI5HKUVAQ -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-PZUZQN6ZI5HKUVAQ -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-PZUZQN6ZI5HKUVAQ -j MARK --set-mark 0/0x10000
Jun  8 02:09:29 truenas env[20630]: -A KUBE-POD-FW-PZUZQN6ZI5HKUVAQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:09:29 truenas env[20630]: COMMIT
Jun  8 02:10:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 02:10:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 02:10:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 02:14:29 truenas env[20630]: E0608 02:14:29.748581   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 02:14:29 truenas env[20630]: Error occurred at line: 103
Jun  8 02:14:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 02:14:29 truenas env[20630]: )
Jun  8 02:14:29 truenas env[20630]: *filter
Jun  8 02:14:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 02:14:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 02:14:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 02:14:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 02:14:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 02:14:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 02:14:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 02:14:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 02:14:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 02:14:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 02:14:29 truenas env[20630]: :KUBE-POD-FW-RVDF7HLJSJS35EOU - [0:0]
Jun  8 02:14:29 truenas env[20630]: :KUBE-POD-FW-3TZ42QR4X2E6F4MQ - [0:0]
Jun  8 02:14:29 truenas env[20630]: :KUBE-POD-FW-PK7QKGXBKH2WGVXE - [0:0]
Jun  8 02:14:29 truenas env[20630]: :KUBE-POD-FW-26WIP5PIYQKDLDW3 - [0:0]
Jun  8 02:14:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 02:14:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 02:14:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 02:14:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 02:14:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 02:14:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 02:14:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 02:14:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 02:14:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 02:14:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-RVDF7HLJSJS35EOU 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-RVDF7HLJSJS35EOU 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-RVDF7HLJSJS35EOU 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-RVDF7HLJSJS35EOU 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-RVDF7HLJSJS35EOU 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RVDF7HLJSJS35EOU" -d 172.16.0.42 -j KUBE-POD-FW-RVDF7HLJSJS35EOU
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RVDF7HLJSJS35EOU" -d 172.16.0.42 -j KUBE-POD-FW-RVDF7HLJSJS35EOU
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RVDF7HLJSJS35EOU" -d 172.16.0.42 -j KUBE-POD-FW-RVDF7HLJSJS35EOU
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RVDF7HLJSJS35EOU" -s 172.16.0.42 -j KUBE-POD-FW-RVDF7HLJSJS35EOU
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RVDF7HLJSJS35EOU" -s 172.16.0.42 -j KUBE-POD-FW-RVDF7HLJSJS35EOU
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RVDF7HLJSJS35EOU" -s 172.16.0.42 -j KUBE-POD-FW-RVDF7HLJSJS35EOU
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-RVDF7HLJSJS35EOU" -s 172.16.0.42 -j KUBE-POD-FW-RVDF7HLJSJS35EOU
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-RVDF7HLJSJS35EOU -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-RVDF7HLJSJS35EOU -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-RVDF7HLJSJS35EOU -j MARK --set-mark 0/0x10000
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-RVDF7HLJSJS35EOU -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-3TZ42QR4X2E6F4MQ 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-3TZ42QR4X2E6F4MQ 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-3TZ42QR4X2E6F4MQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-3TZ42QR4X2E6F4MQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-3TZ42QR4X2E6F4MQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3TZ42QR4X2E6F4MQ" -d 172.16.0.45 -j KUBE-POD-FW-3TZ42QR4X2E6F4MQ
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3TZ42QR4X2E6F4MQ" -d 172.16.0.45 -j KUBE-POD-FW-3TZ42QR4X2E6F4MQ
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3TZ42QR4X2E6F4MQ" -d 172.16.0.45 -j KUBE-POD-FW-3TZ42QR4X2E6F4MQ
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3TZ42QR4X2E6F4MQ" -s 172.16.0.45 -j KUBE-POD-FW-3TZ42QR4X2E6F4MQ
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3TZ42QR4X2E6F4MQ" -s 172.16.0.45 -j KUBE-POD-FW-3TZ42QR4X2E6F4MQ
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3TZ42QR4X2E6F4MQ" -s 172.16.0.45 -j KUBE-POD-FW-3TZ42QR4X2E6F4MQ
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3TZ42QR4X2E6F4MQ" -s 172.16.0.45 -j KUBE-POD-FW-3TZ42QR4X2E6F4MQ
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-3TZ42QR4X2E6F4MQ -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-3TZ42QR4X2E6F4MQ -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-3TZ42QR4X2E6F4MQ -j MARK --set-mark 0/0x10000
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-3TZ42QR4X2E6F4MQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-PK7QKGXBKH2WGVXE 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-PK7QKGXBKH2WGVXE 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-PK7QKGXBKH2WGVXE 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-PK7QKGXBKH2WGVXE 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-PK7QKGXBKH2WGVXE 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PK7QKGXBKH2WGVXE" -d 172.16.0.43 -j KUBE-POD-FW-PK7QKGXBKH2WGVXE
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PK7QKGXBKH2WGVXE" -d 172.16.0.43 -j KUBE-POD-FW-PK7QKGXBKH2WGVXE
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PK7QKGXBKH2WGVXE" -d 172.16.0.43 -j KUBE-POD-FW-PK7QKGXBKH2WGVXE
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PK7QKGXBKH2WGVXE" -s 172.16.0.43 -j KUBE-POD-FW-PK7QKGXBKH2WGVXE
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PK7QKGXBKH2WGVXE" -s 172.16.0.43 -j KUBE-POD-FW-PK7QKGXBKH2WGVXE
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PK7QKGXBKH2WGVXE" -s 172.16.0.43 -j KUBE-POD-FW-PK7QKGXBKH2WGVXE
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PK7QKGXBKH2WGVXE" -s 172.16.0.43 -j KUBE-POD-FW-PK7QKGXBKH2WGVXE
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-PK7QKGXBKH2WGVXE -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-PK7QKGXBKH2WGVXE -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-PK7QKGXBKH2WGVXE -j MARK --set-mark 0/0x10000
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-PK7QKGXBKH2WGVXE -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-26WIP5PIYQKDLDW3 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-26WIP5PIYQKDLDW3 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-26WIP5PIYQKDLDW3 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-26WIP5PIYQKDLDW3 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:14:29 truenas env[20630]: -I KUBE-POD-FW-26WIP5PIYQKDLDW3 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-26WIP5PIYQKDLDW3" -d 172.16.0.46 -j KUBE-POD-FW-26WIP5PIYQKDLDW3
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-26WIP5PIYQKDLDW3" -d 172.16.0.46 -j KUBE-POD-FW-26WIP5PIYQKDLDW3
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-26WIP5PIYQKDLDW3" -d 172.16.0.46 -j KUBE-POD-FW-26WIP5PIYQKDLDW3
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-26WIP5PIYQKDLDW3" -s 172.16.0.46 -j KUBE-POD-FW-26WIP5PIYQKDLDW3
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-26WIP5PIYQKDLDW3" -s 172.16.0.46 -j KUBE-POD-FW-26WIP5PIYQKDLDW3
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-26WIP5PIYQKDLDW3" -s 172.16.0.46 -j KUBE-POD-FW-26WIP5PIYQKDLDW3
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-26WIP5PIYQKDLDW3" -s 172.16.0.46 -j KUBE-POD-FW-26WIP5PIYQKDLDW3
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-26WIP5PIYQKDLDW3 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-26WIP5PIYQKDLDW3 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-26WIP5PIYQKDLDW3 -j MARK --set-mark 0/0x10000
Jun  8 02:14:29 truenas env[20630]: -A KUBE-POD-FW-26WIP5PIYQKDLDW3 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:14:29 truenas env[20630]: COMMIT
Jun  8 02:17:01 truenas CRON[597169]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jun  8 02:19:29 truenas env[20630]: E0608 02:19:29.740561   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 02:19:29 truenas env[20630]: Error occurred at line: 103
Jun  8 02:19:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 02:19:29 truenas env[20630]: )
Jun  8 02:19:29 truenas env[20630]: *filter
Jun  8 02:19:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 02:19:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 02:19:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 02:19:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 02:19:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 02:19:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 02:19:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 02:19:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 02:19:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 02:19:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 02:19:29 truenas env[20630]: :KUBE-POD-FW-SAMDYDQGGE3MI734 - [0:0]
Jun  8 02:19:29 truenas env[20630]: :KUBE-POD-FW-EFX7A4FN2USTWJUA - [0:0]
Jun  8 02:19:29 truenas env[20630]: :KUBE-POD-FW-3FR6MU36QB2QVRCX - [0:0]
Jun  8 02:19:29 truenas env[20630]: :KUBE-POD-FW-4E5NDAGMKL7ZKTYQ - [0:0]
Jun  8 02:19:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 02:19:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 02:19:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 02:19:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 02:19:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 02:19:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 02:19:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 02:19:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 02:19:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 02:19:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-SAMDYDQGGE3MI734 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-SAMDYDQGGE3MI734 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-SAMDYDQGGE3MI734 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-SAMDYDQGGE3MI734 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-SAMDYDQGGE3MI734 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SAMDYDQGGE3MI734" -d 172.16.0.42 -j KUBE-POD-FW-SAMDYDQGGE3MI734
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SAMDYDQGGE3MI734" -d 172.16.0.42 -j KUBE-POD-FW-SAMDYDQGGE3MI734
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SAMDYDQGGE3MI734" -d 172.16.0.42 -j KUBE-POD-FW-SAMDYDQGGE3MI734
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SAMDYDQGGE3MI734" -s 172.16.0.42 -j KUBE-POD-FW-SAMDYDQGGE3MI734
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SAMDYDQGGE3MI734" -s 172.16.0.42 -j KUBE-POD-FW-SAMDYDQGGE3MI734
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SAMDYDQGGE3MI734" -s 172.16.0.42 -j KUBE-POD-FW-SAMDYDQGGE3MI734
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SAMDYDQGGE3MI734" -s 172.16.0.42 -j KUBE-POD-FW-SAMDYDQGGE3MI734
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-SAMDYDQGGE3MI734 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-SAMDYDQGGE3MI734 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-SAMDYDQGGE3MI734 -j MARK --set-mark 0/0x10000
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-SAMDYDQGGE3MI734 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-EFX7A4FN2USTWJUA 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-EFX7A4FN2USTWJUA 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-EFX7A4FN2USTWJUA 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-EFX7A4FN2USTWJUA 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-EFX7A4FN2USTWJUA 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-EFX7A4FN2USTWJUA" -d 172.16.0.45 -j KUBE-POD-FW-EFX7A4FN2USTWJUA
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-EFX7A4FN2USTWJUA" -d 172.16.0.45 -j KUBE-POD-FW-EFX7A4FN2USTWJUA
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-EFX7A4FN2USTWJUA" -d 172.16.0.45 -j KUBE-POD-FW-EFX7A4FN2USTWJUA
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-EFX7A4FN2USTWJUA" -s 172.16.0.45 -j KUBE-POD-FW-EFX7A4FN2USTWJUA
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-EFX7A4FN2USTWJUA" -s 172.16.0.45 -j KUBE-POD-FW-EFX7A4FN2USTWJUA
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-EFX7A4FN2USTWJUA" -s 172.16.0.45 -j KUBE-POD-FW-EFX7A4FN2USTWJUA
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-EFX7A4FN2USTWJUA" -s 172.16.0.45 -j KUBE-POD-FW-EFX7A4FN2USTWJUA
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-EFX7A4FN2USTWJUA -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-EFX7A4FN2USTWJUA -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-EFX7A4FN2USTWJUA -j MARK --set-mark 0/0x10000
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-EFX7A4FN2USTWJUA -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-3FR6MU36QB2QVRCX 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-3FR6MU36QB2QVRCX 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-3FR6MU36QB2QVRCX 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-3FR6MU36QB2QVRCX 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-3FR6MU36QB2QVRCX 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3FR6MU36QB2QVRCX" -d 172.16.0.43 -j KUBE-POD-FW-3FR6MU36QB2QVRCX
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3FR6MU36QB2QVRCX" -d 172.16.0.43 -j KUBE-POD-FW-3FR6MU36QB2QVRCX
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3FR6MU36QB2QVRCX" -d 172.16.0.43 -j KUBE-POD-FW-3FR6MU36QB2QVRCX
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3FR6MU36QB2QVRCX" -s 172.16.0.43 -j KUBE-POD-FW-3FR6MU36QB2QVRCX
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3FR6MU36QB2QVRCX" -s 172.16.0.43 -j KUBE-POD-FW-3FR6MU36QB2QVRCX
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3FR6MU36QB2QVRCX" -s 172.16.0.43 -j KUBE-POD-FW-3FR6MU36QB2QVRCX
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-3FR6MU36QB2QVRCX" -s 172.16.0.43 -j KUBE-POD-FW-3FR6MU36QB2QVRCX
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-3FR6MU36QB2QVRCX -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-3FR6MU36QB2QVRCX -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-3FR6MU36QB2QVRCX -j MARK --set-mark 0/0x10000
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-3FR6MU36QB2QVRCX -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-4E5NDAGMKL7ZKTYQ 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-4E5NDAGMKL7ZKTYQ 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-4E5NDAGMKL7ZKTYQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-4E5NDAGMKL7ZKTYQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:19:29 truenas env[20630]: -I KUBE-POD-FW-4E5NDAGMKL7ZKTYQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4E5NDAGMKL7ZKTYQ" -d 172.16.0.46 -j KUBE-POD-FW-4E5NDAGMKL7ZKTYQ
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4E5NDAGMKL7ZKTYQ" -d 172.16.0.46 -j KUBE-POD-FW-4E5NDAGMKL7ZKTYQ
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4E5NDAGMKL7ZKTYQ" -d 172.16.0.46 -j KUBE-POD-FW-4E5NDAGMKL7ZKTYQ
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4E5NDAGMKL7ZKTYQ" -s 172.16.0.46 -j KUBE-POD-FW-4E5NDAGMKL7ZKTYQ
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4E5NDAGMKL7ZKTYQ" -s 172.16.0.46 -j KUBE-POD-FW-4E5NDAGMKL7ZKTYQ
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4E5NDAGMKL7ZKTYQ" -s 172.16.0.46 -j KUBE-POD-FW-4E5NDAGMKL7ZKTYQ
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4E5NDAGMKL7ZKTYQ" -s 172.16.0.46 -j KUBE-POD-FW-4E5NDAGMKL7ZKTYQ
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-4E5NDAGMKL7ZKTYQ -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-4E5NDAGMKL7ZKTYQ -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-4E5NDAGMKL7ZKTYQ -j MARK --set-mark 0/0x10000
Jun  8 02:19:29 truenas env[20630]: -A KUBE-POD-FW-4E5NDAGMKL7ZKTYQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:19:29 truenas env[20630]: COMMIT
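The block kube-router prints after each "Aborting sync" error is the iptables-restore input it tried to apply. Counting from the `*filter` line, line 103 is the `-A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies ...` rule, and unlike every other comment in the dump its value is not quoted. iptables takes `rule` as the whole comment, then meets the stray word `to` as a positional argument, which is exactly the `Bad argument 'to'` it reports. A restore that fails to parse commits nothing, so the node keeps whatever filter table was last loaded successfully: the `KUBE-POD-FW-*` chains in the dump describe intended policy, not enforced policy, and pods created since the first failure have no per-pod chain at all while the plain `FORWARD -o kube-bridge ACCEPT` rules still pass traffic. The checker below is an added example written for this page, not kube-router or TrueNAS code. It runs the same diagnosis over a short constructed sample instead of the full 106-line dump, reports the line number and offending word the way iptables-restore does, and shows the quoted form the rule needs.

```python
"""Added diagnostic for the kube-router 'Bad argument `to'' restore failure.

This is example code written for this page, not part of kube-router or
TrueNAS. It scans an iptables-restore input for `--comment` values that were
emitted without quotes (so iptables sees one comment word plus stray
positional words) and re-emits such rules with the comment quoted.
"""
import shlex

# Constructed sample modelled on the logged dump: line 4 has a correctly
# quoted comment, line 5 has the unquoted multi-word comment that sits at
# line 103 of the real restore input.
SAMPLE_RESTORE = """*filter
:INPUT ACCEPT [0:0]
:KUBE-ROUTER-INPUT - [0:0]
-A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
-A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
COMMIT
"""

RULE_PREFIXES = ("-A ", "-I ", "-D ", "-R ")


def _is_option(tok):
    """True for tokens iptables treats as options or negation, not values."""
    return tok == "!" or tok.startswith("-")


def find_unquoted_comments(restore_text):
    """Return [(lineno, bad_token, rule), ...] for rules whose --comment value
    spills into extra positional words.

    lineno is 1-based over the whole restore input, the same numbering
    iptables-restore uses in 'Error occurred at line: N'. bad_token is the
    word iptables would name in 'Bad argument `...''. Rules with unbalanced
    quotes are reported with bad_token set to 'unbalanced quote'.
    """
    findings = []
    for lineno, line in enumerate(restore_text.splitlines(), start=1):
        if not line.startswith(RULE_PREFIXES):
            continue  # table header, chain declarations, COMMIT
        try:
            tokens = shlex.split(line)
        except ValueError:
            findings.append((lineno, "unbalanced quote", line))
            continue
        for idx, tok in enumerate(tokens):
            # --comment consumes exactly one token; whatever follows must be
            # another option (or '!'), otherwise getopt rejects it.
            if tok == "--comment" and idx + 2 < len(tokens):
                following = tokens[idx + 2]
                if not _is_option(following):
                    findings.append((lineno, following, line))
                    break
    return findings


def quote_comment(rule):
    """Re-emit one rule with every --comment value quoted as a single argument.

    Words after --comment up to the next option token are folded into the
    comment. xt_comment stores at most 256 bytes including the terminator,
    so longer comments are rejected instead of being silently truncated.
    """
    tokens = shlex.split(rule)
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "--comment":
            j = i + 1
            while j < len(tokens) and not _is_option(tokens[j]):
                j += 1
            comment = " ".join(tokens[i + 1:j])
            if len(comment.encode("utf-8")) > 255:
                raise ValueError("comment exceeds xt_comment's 256-byte limit")
            out += ["--comment", '"' + comment.replace('"', '\\"') + '"']
            i = j
        else:
            tok = tokens[i]
            # iptables-restore only understands double-quoted values.
            out.append('"' + tok + '"' if any(c.isspace() for c in tok) else tok)
            i += 1
    return " ".join(out)


def fix_restore(restore_text):
    """Quote every fixable offending comment in a whole restore input."""
    bad_lines = {lineno for lineno, bad, _ in find_unquoted_comments(restore_text)
                 if bad != "unbalanced quote"}
    fixed = []
    for lineno, line in enumerate(restore_text.splitlines(), start=1):
        fixed.append(quote_comment(line) if lineno in bad_lines else line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for lineno, bad, rule in find_unquoted_comments(SAMPLE_RESTORE):
        print(f"line {lineno}: Bad argument `{bad}'")
        print("  fixed:", quote_comment(rule))
```

To run it against the real dump, paste the lines from `*filter` through `COMMIT` (with the syslog prefix stripped) into `find_unquoted_comments`; it should report line 103 with bad token `to`, and lines 104 and 105 carry the same unquoted comment for the FORWARD and OUTPUT chains. The durable fix belongs in kube-router, which has to quote that comment when it renders the restore buffer; on the node, `iptables-save -t filter` shows which ruleset is actually loaded, and the absence of a `KUBE-POD-FW-*` chain for a running pod is the concrete sign that policy for it is not being enforced.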
Jun  8 02:20:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 02:20:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 02:20:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 02:24:29 truenas env[20630]: E0608 02:24:29.780643   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 02:24:29 truenas env[20630]: Error occurred at line: 103
Jun  8 02:24:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 02:24:29 truenas env[20630]: )
Jun  8 02:24:29 truenas env[20630]: *filter
Jun  8 02:24:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 02:24:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 02:24:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 02:24:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 02:24:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 02:24:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 02:24:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 02:24:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 02:24:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 02:24:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 02:24:29 truenas env[20630]: :KUBE-POD-FW-U3DXXFJABYO7XVUE - [0:0]
Jun  8 02:24:29 truenas env[20630]: :KUBE-POD-FW-G3IKO25AYZOKXGPL - [0:0]
Jun  8 02:24:29 truenas env[20630]: :KUBE-POD-FW-NS5GGP67TBJYSBUK - [0:0]
Jun  8 02:24:29 truenas env[20630]: :KUBE-POD-FW-RSGN47FOI5OFGYD7 - [0:0]
Jun  8 02:24:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 02:24:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 02:24:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 02:24:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 02:24:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 02:24:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 02:24:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 02:24:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 02:24:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 02:24:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-U3DXXFJABYO7XVUE 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-U3DXXFJABYO7XVUE 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-U3DXXFJABYO7XVUE 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-U3DXXFJABYO7XVUE 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-U3DXXFJABYO7XVUE 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U3DXXFJABYO7XVUE" -d 172.16.0.42 -j KUBE-POD-FW-U3DXXFJABYO7XVUE
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U3DXXFJABYO7XVUE" -d 172.16.0.42 -j KUBE-POD-FW-U3DXXFJABYO7XVUE
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U3DXXFJABYO7XVUE" -d 172.16.0.42 -j KUBE-POD-FW-U3DXXFJABYO7XVUE
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U3DXXFJABYO7XVUE" -s 172.16.0.42 -j KUBE-POD-FW-U3DXXFJABYO7XVUE
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U3DXXFJABYO7XVUE" -s 172.16.0.42 -j KUBE-POD-FW-U3DXXFJABYO7XVUE
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U3DXXFJABYO7XVUE" -s 172.16.0.42 -j KUBE-POD-FW-U3DXXFJABYO7XVUE
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-U3DXXFJABYO7XVUE" -s 172.16.0.42 -j KUBE-POD-FW-U3DXXFJABYO7XVUE
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-U3DXXFJABYO7XVUE -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-U3DXXFJABYO7XVUE -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-U3DXXFJABYO7XVUE -j MARK --set-mark 0/0x10000
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-U3DXXFJABYO7XVUE -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-G3IKO25AYZOKXGPL 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-G3IKO25AYZOKXGPL 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-G3IKO25AYZOKXGPL 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-G3IKO25AYZOKXGPL 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-G3IKO25AYZOKXGPL 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-G3IKO25AYZOKXGPL" -d 172.16.0.45 -j KUBE-POD-FW-G3IKO25AYZOKXGPL
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-G3IKO25AYZOKXGPL" -d 172.16.0.45 -j KUBE-POD-FW-G3IKO25AYZOKXGPL
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-G3IKO25AYZOKXGPL" -d 172.16.0.45 -j KUBE-POD-FW-G3IKO25AYZOKXGPL
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-G3IKO25AYZOKXGPL" -s 172.16.0.45 -j KUBE-POD-FW-G3IKO25AYZOKXGPL
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-G3IKO25AYZOKXGPL" -s 172.16.0.45 -j KUBE-POD-FW-G3IKO25AYZOKXGPL
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-G3IKO25AYZOKXGPL" -s 172.16.0.45 -j KUBE-POD-FW-G3IKO25AYZOKXGPL
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-G3IKO25AYZOKXGPL" -s 172.16.0.45 -j KUBE-POD-FW-G3IKO25AYZOKXGPL
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-G3IKO25AYZOKXGPL -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-G3IKO25AYZOKXGPL -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-G3IKO25AYZOKXGPL -j MARK --set-mark 0/0x10000
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-G3IKO25AYZOKXGPL -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-NS5GGP67TBJYSBUK 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-NS5GGP67TBJYSBUK 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-NS5GGP67TBJYSBUK 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-NS5GGP67TBJYSBUK 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-NS5GGP67TBJYSBUK 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NS5GGP67TBJYSBUK" -d 172.16.0.43 -j KUBE-POD-FW-NS5GGP67TBJYSBUK
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NS5GGP67TBJYSBUK" -d 172.16.0.43 -j KUBE-POD-FW-NS5GGP67TBJYSBUK
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NS5GGP67TBJYSBUK" -d 172.16.0.43 -j KUBE-POD-FW-NS5GGP67TBJYSBUK
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NS5GGP67TBJYSBUK" -s 172.16.0.43 -j KUBE-POD-FW-NS5GGP67TBJYSBUK
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NS5GGP67TBJYSBUK" -s 172.16.0.43 -j KUBE-POD-FW-NS5GGP67TBJYSBUK
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NS5GGP67TBJYSBUK" -s 172.16.0.43 -j KUBE-POD-FW-NS5GGP67TBJYSBUK
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NS5GGP67TBJYSBUK" -s 172.16.0.43 -j KUBE-POD-FW-NS5GGP67TBJYSBUK
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-NS5GGP67TBJYSBUK -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-NS5GGP67TBJYSBUK -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-NS5GGP67TBJYSBUK -j MARK --set-mark 0/0x10000
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-NS5GGP67TBJYSBUK -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-RSGN47FOI5OFGYD7 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-RSGN47FOI5OFGYD7 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-RSGN47FOI5OFGYD7 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-RSGN47FOI5OFGYD7 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:24:29 truenas env[20630]: -I KUBE-POD-FW-RSGN47FOI5OFGYD7 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-RSGN47FOI5OFGYD7" -d 172.16.0.46 -j KUBE-POD-FW-RSGN47FOI5OFGYD7
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-RSGN47FOI5OFGYD7" -d 172.16.0.46 -j KUBE-POD-FW-RSGN47FOI5OFGYD7
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-RSGN47FOI5OFGYD7" -d 172.16.0.46 -j KUBE-POD-FW-RSGN47FOI5OFGYD7
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-RSGN47FOI5OFGYD7" -s 172.16.0.46 -j KUBE-POD-FW-RSGN47FOI5OFGYD7
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-RSGN47FOI5OFGYD7" -s 172.16.0.46 -j KUBE-POD-FW-RSGN47FOI5OFGYD7
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-RSGN47FOI5OFGYD7" -s 172.16.0.46 -j KUBE-POD-FW-RSGN47FOI5OFGYD7
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-RSGN47FOI5OFGYD7" -s 172.16.0.46 -j KUBE-POD-FW-RSGN47FOI5OFGYD7
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-RSGN47FOI5OFGYD7 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-RSGN47FOI5OFGYD7 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-RSGN47FOI5OFGYD7 -j MARK --set-mark 0/0x10000
Jun  8 02:24:29 truenas env[20630]: -A KUBE-POD-FW-RSGN47FOI5OFGYD7 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:24:29 truenas env[20630]: COMMIT
Jun  8 02:29:29 truenas env[20630]: E0608 02:29:29.788851   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 02:29:29 truenas env[20630]: Error occurred at line: 103
Jun  8 02:29:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 02:29:29 truenas env[20630]: )
Jun  8 02:29:29 truenas env[20630]: *filter
Jun  8 02:29:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 02:29:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 02:29:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 02:29:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 02:29:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 02:29:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 02:29:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 02:29:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 02:29:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 02:29:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 02:29:29 truenas env[20630]: :KUBE-POD-FW-4VYQPCGF7VPS44KF - [0:0]
Jun  8 02:29:29 truenas env[20630]: :KUBE-POD-FW-O6BDJ55RR56EHQBP - [0:0]
Jun  8 02:29:29 truenas env[20630]: :KUBE-POD-FW-MWWTSGNIIYG3V2QO - [0:0]
Jun  8 02:29:29 truenas env[20630]: :KUBE-POD-FW-K4GVMXYY33R5GSQH - [0:0]
Jun  8 02:29:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 02:29:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 02:29:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 02:29:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 02:29:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 02:29:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 02:29:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 02:29:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 02:29:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 02:29:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-4VYQPCGF7VPS44KF 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-4VYQPCGF7VPS44KF 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-4VYQPCGF7VPS44KF 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-4VYQPCGF7VPS44KF 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-4VYQPCGF7VPS44KF 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4VYQPCGF7VPS44KF" -d 172.16.0.42 -j KUBE-POD-FW-4VYQPCGF7VPS44KF
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4VYQPCGF7VPS44KF" -d 172.16.0.42 -j KUBE-POD-FW-4VYQPCGF7VPS44KF
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4VYQPCGF7VPS44KF" -d 172.16.0.42 -j KUBE-POD-FW-4VYQPCGF7VPS44KF
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4VYQPCGF7VPS44KF" -s 172.16.0.42 -j KUBE-POD-FW-4VYQPCGF7VPS44KF
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4VYQPCGF7VPS44KF" -s 172.16.0.42 -j KUBE-POD-FW-4VYQPCGF7VPS44KF
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4VYQPCGF7VPS44KF" -s 172.16.0.42 -j KUBE-POD-FW-4VYQPCGF7VPS44KF
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-4VYQPCGF7VPS44KF" -s 172.16.0.42 -j KUBE-POD-FW-4VYQPCGF7VPS44KF
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-4VYQPCGF7VPS44KF -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-4VYQPCGF7VPS44KF -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-4VYQPCGF7VPS44KF -j MARK --set-mark 0/0x10000
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-4VYQPCGF7VPS44KF -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-O6BDJ55RR56EHQBP 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-O6BDJ55RR56EHQBP 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-O6BDJ55RR56EHQBP 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-O6BDJ55RR56EHQBP 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-O6BDJ55RR56EHQBP 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O6BDJ55RR56EHQBP" -d 172.16.0.45 -j KUBE-POD-FW-O6BDJ55RR56EHQBP
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O6BDJ55RR56EHQBP" -d 172.16.0.45 -j KUBE-POD-FW-O6BDJ55RR56EHQBP
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O6BDJ55RR56EHQBP" -d 172.16.0.45 -j KUBE-POD-FW-O6BDJ55RR56EHQBP
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O6BDJ55RR56EHQBP" -s 172.16.0.45 -j KUBE-POD-FW-O6BDJ55RR56EHQBP
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O6BDJ55RR56EHQBP" -s 172.16.0.45 -j KUBE-POD-FW-O6BDJ55RR56EHQBP
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O6BDJ55RR56EHQBP" -s 172.16.0.45 -j KUBE-POD-FW-O6BDJ55RR56EHQBP
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-O6BDJ55RR56EHQBP" -s 172.16.0.45 -j KUBE-POD-FW-O6BDJ55RR56EHQBP
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-O6BDJ55RR56EHQBP -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-O6BDJ55RR56EHQBP -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-O6BDJ55RR56EHQBP -j MARK --set-mark 0/0x10000
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-O6BDJ55RR56EHQBP -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-MWWTSGNIIYG3V2QO 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-MWWTSGNIIYG3V2QO 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-MWWTSGNIIYG3V2QO 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-MWWTSGNIIYG3V2QO 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-MWWTSGNIIYG3V2QO 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MWWTSGNIIYG3V2QO" -d 172.16.0.43 -j KUBE-POD-FW-MWWTSGNIIYG3V2QO
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MWWTSGNIIYG3V2QO" -d 172.16.0.43 -j KUBE-POD-FW-MWWTSGNIIYG3V2QO
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MWWTSGNIIYG3V2QO" -d 172.16.0.43 -j KUBE-POD-FW-MWWTSGNIIYG3V2QO
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MWWTSGNIIYG3V2QO" -s 172.16.0.43 -j KUBE-POD-FW-MWWTSGNIIYG3V2QO
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MWWTSGNIIYG3V2QO" -s 172.16.0.43 -j KUBE-POD-FW-MWWTSGNIIYG3V2QO
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MWWTSGNIIYG3V2QO" -s 172.16.0.43 -j KUBE-POD-FW-MWWTSGNIIYG3V2QO
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MWWTSGNIIYG3V2QO" -s 172.16.0.43 -j KUBE-POD-FW-MWWTSGNIIYG3V2QO
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-MWWTSGNIIYG3V2QO -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-MWWTSGNIIYG3V2QO -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-MWWTSGNIIYG3V2QO -j MARK --set-mark 0/0x10000
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-MWWTSGNIIYG3V2QO -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-K4GVMXYY33R5GSQH 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-K4GVMXYY33R5GSQH 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-K4GVMXYY33R5GSQH 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-K4GVMXYY33R5GSQH 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:29:29 truenas env[20630]: -I KUBE-POD-FW-K4GVMXYY33R5GSQH 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-K4GVMXYY33R5GSQH" -d 172.16.0.46 -j KUBE-POD-FW-K4GVMXYY33R5GSQH
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-K4GVMXYY33R5GSQH" -d 172.16.0.46 -j KUBE-POD-FW-K4GVMXYY33R5GSQH
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-K4GVMXYY33R5GSQH" -d 172.16.0.46 -j KUBE-POD-FW-K4GVMXYY33R5GSQH
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-K4GVMXYY33R5GSQH" -s 172.16.0.46 -j KUBE-POD-FW-K4GVMXYY33R5GSQH
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-K4GVMXYY33R5GSQH" -s 172.16.0.46 -j KUBE-POD-FW-K4GVMXYY33R5GSQH
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-K4GVMXYY33R5GSQH" -s 172.16.0.46 -j KUBE-POD-FW-K4GVMXYY33R5GSQH
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-K4GVMXYY33R5GSQH" -s 172.16.0.46 -j KUBE-POD-FW-K4GVMXYY33R5GSQH
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-K4GVMXYY33R5GSQH -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-K4GVMXYY33R5GSQH -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-K4GVMXYY33R5GSQH -j MARK --set-mark 0/0x10000
Jun  8 02:29:29 truenas env[20630]: -A KUBE-POD-FW-K4GVMXYY33R5GSQH -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:29:29 truenas env[20630]: COMMIT
Jun  8 02:30:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 02:30:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 02:30:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 02:34:29 truenas env[20630]: E0608 02:34:29.764868   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 02:34:29 truenas env[20630]: Error occurred at line: 103
Jun  8 02:34:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 02:34:29 truenas env[20630]: )
Jun  8 02:34:29 truenas env[20630]: *filter
Jun  8 02:34:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 02:34:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 02:34:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 02:34:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 02:34:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 02:34:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 02:34:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 02:34:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 02:34:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 02:34:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 02:34:29 truenas env[20630]: :KUBE-POD-FW-ZAW4OLMPX5FLG6KP - [0:0]
Jun  8 02:34:29 truenas env[20630]: :KUBE-POD-FW-ECR2DHIGYPBBU23Y - [0:0]
Jun  8 02:34:29 truenas env[20630]: :KUBE-POD-FW-W6XE4GJ25SEE6W37 - [0:0]
Jun  8 02:34:29 truenas env[20630]: :KUBE-POD-FW-3L7DOMNWKKJXCTLF - [0:0]
Jun  8 02:34:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 02:34:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 02:34:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 02:34:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 02:34:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 02:34:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 02:34:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 02:34:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 02:34:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 02:34:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-ZAW4OLMPX5FLG6KP 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-ZAW4OLMPX5FLG6KP 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-ZAW4OLMPX5FLG6KP 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-ZAW4OLMPX5FLG6KP 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-ZAW4OLMPX5FLG6KP 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZAW4OLMPX5FLG6KP" -d 172.16.0.45 -j KUBE-POD-FW-ZAW4OLMPX5FLG6KP
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZAW4OLMPX5FLG6KP" -d 172.16.0.45 -j KUBE-POD-FW-ZAW4OLMPX5FLG6KP
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZAW4OLMPX5FLG6KP" -d 172.16.0.45 -j KUBE-POD-FW-ZAW4OLMPX5FLG6KP
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZAW4OLMPX5FLG6KP" -s 172.16.0.45 -j KUBE-POD-FW-ZAW4OLMPX5FLG6KP
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZAW4OLMPX5FLG6KP" -s 172.16.0.45 -j KUBE-POD-FW-ZAW4OLMPX5FLG6KP
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZAW4OLMPX5FLG6KP" -s 172.16.0.45 -j KUBE-POD-FW-ZAW4OLMPX5FLG6KP
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ZAW4OLMPX5FLG6KP" -s 172.16.0.45 -j KUBE-POD-FW-ZAW4OLMPX5FLG6KP
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-ZAW4OLMPX5FLG6KP -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-ZAW4OLMPX5FLG6KP -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-ZAW4OLMPX5FLG6KP -j MARK --set-mark 0/0x10000
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-ZAW4OLMPX5FLG6KP -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-ECR2DHIGYPBBU23Y 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-ECR2DHIGYPBBU23Y 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-ECR2DHIGYPBBU23Y 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-ECR2DHIGYPBBU23Y 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-ECR2DHIGYPBBU23Y 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ECR2DHIGYPBBU23Y" -d 172.16.0.43 -j KUBE-POD-FW-ECR2DHIGYPBBU23Y
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ECR2DHIGYPBBU23Y" -d 172.16.0.43 -j KUBE-POD-FW-ECR2DHIGYPBBU23Y
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ECR2DHIGYPBBU23Y" -d 172.16.0.43 -j KUBE-POD-FW-ECR2DHIGYPBBU23Y
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ECR2DHIGYPBBU23Y" -s 172.16.0.43 -j KUBE-POD-FW-ECR2DHIGYPBBU23Y
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ECR2DHIGYPBBU23Y" -s 172.16.0.43 -j KUBE-POD-FW-ECR2DHIGYPBBU23Y
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ECR2DHIGYPBBU23Y" -s 172.16.0.43 -j KUBE-POD-FW-ECR2DHIGYPBBU23Y
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-ECR2DHIGYPBBU23Y" -s 172.16.0.43 -j KUBE-POD-FW-ECR2DHIGYPBBU23Y
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-ECR2DHIGYPBBU23Y -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-ECR2DHIGYPBBU23Y -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-ECR2DHIGYPBBU23Y -j MARK --set-mark 0/0x10000
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-ECR2DHIGYPBBU23Y -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-W6XE4GJ25SEE6W37 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-W6XE4GJ25SEE6W37 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-W6XE4GJ25SEE6W37 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-W6XE4GJ25SEE6W37 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-W6XE4GJ25SEE6W37 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W6XE4GJ25SEE6W37" -d 172.16.0.46 -j KUBE-POD-FW-W6XE4GJ25SEE6W37
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W6XE4GJ25SEE6W37" -d 172.16.0.46 -j KUBE-POD-FW-W6XE4GJ25SEE6W37
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W6XE4GJ25SEE6W37" -d 172.16.0.46 -j KUBE-POD-FW-W6XE4GJ25SEE6W37
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W6XE4GJ25SEE6W37" -s 172.16.0.46 -j KUBE-POD-FW-W6XE4GJ25SEE6W37
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W6XE4GJ25SEE6W37" -s 172.16.0.46 -j KUBE-POD-FW-W6XE4GJ25SEE6W37
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W6XE4GJ25SEE6W37" -s 172.16.0.46 -j KUBE-POD-FW-W6XE4GJ25SEE6W37
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-W6XE4GJ25SEE6W37" -s 172.16.0.46 -j KUBE-POD-FW-W6XE4GJ25SEE6W37
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-W6XE4GJ25SEE6W37 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-W6XE4GJ25SEE6W37 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-W6XE4GJ25SEE6W37 -j MARK --set-mark 0/0x10000
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-W6XE4GJ25SEE6W37 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-3L7DOMNWKKJXCTLF 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-3L7DOMNWKKJXCTLF 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-3L7DOMNWKKJXCTLF 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-3L7DOMNWKKJXCTLF 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:34:29 truenas env[20630]: -I KUBE-POD-FW-3L7DOMNWKKJXCTLF 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3L7DOMNWKKJXCTLF" -d 172.16.0.42 -j KUBE-POD-FW-3L7DOMNWKKJXCTLF
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3L7DOMNWKKJXCTLF" -d 172.16.0.42 -j KUBE-POD-FW-3L7DOMNWKKJXCTLF
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3L7DOMNWKKJXCTLF" -d 172.16.0.42 -j KUBE-POD-FW-3L7DOMNWKKJXCTLF
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3L7DOMNWKKJXCTLF" -s 172.16.0.42 -j KUBE-POD-FW-3L7DOMNWKKJXCTLF
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3L7DOMNWKKJXCTLF" -s 172.16.0.42 -j KUBE-POD-FW-3L7DOMNWKKJXCTLF
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3L7DOMNWKKJXCTLF" -s 172.16.0.42 -j KUBE-POD-FW-3L7DOMNWKKJXCTLF
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3L7DOMNWKKJXCTLF" -s 172.16.0.42 -j KUBE-POD-FW-3L7DOMNWKKJXCTLF
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-3L7DOMNWKKJXCTLF -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-3L7DOMNWKKJXCTLF -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-3L7DOMNWKKJXCTLF -j MARK --set-mark 0/0x10000
Jun  8 02:34:29 truenas env[20630]: -A KUBE-POD-FW-3L7DOMNWKKJXCTLF -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:34:29 truenas env[20630]: COMMIT
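The dump above is the complete iptables-restore input that kube-router's network policy controller tried to load at 02:34:29, and it contains its own diagnosis. Counting "*filter" as line 1, the way iptables-restore numbers its input, line 103 is the rule "-A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies ...": the comment value is not quoted, so iptables-restore takes "rule" as the comment and the next word "to" as a stray positional argument, which is exactly the "Bad argument `to'" in the error header. Every other comment in the dump is double-quoted. Because a restore is committed atomically, a failed parse leaves the previously loaded ruleset in place, so while this recurs every five minutes the per-pod KUBE-POD-FW chains are never refreshed. The script below is an added example, not code from this log or from kube-router or TrueNAS: it strips the syslog prefix, extracts each echoed restore input, flags rules whose --comment spills into extra tokens, cross-checks the hit against the "Error occurred at line: N" value, and re-quotes the comment (double quotes, which iptables-restore's tokenizer understands). The journal and dump embedded in it are a constructed, trimmed copy of the real one, with the offending rule on line 8 instead of 103.

```python
"""Locate the rule behind "Bad argument `to'" in a kube-router journal dump.

Added example (not from the log, kube-router or TrueNAS). Lines are numbered
as iptables-restore numbers them: "*filter" is line 1.
"""
import re
import shlex

JOURNAL_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ env\[\d+\]: ")
ERROR_LINE = re.compile(r"Error occurred at line: (\d+)")

# Constructed sample: line 7 has a quoted comment, line 8 the unquoted one.
SAMPLE_RESTORE_INPUT = """*filter
:INPUT ACCEPT [0:0]
:KUBE-ROUTER-INPUT - [0:0]
:KUBE-NWPLCY-DEFAULT - [0:0]
-A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
-A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
-A KUBE-ROUTER-INPUT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
-A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
COMMIT
"""

# Constructed journal: the controller's error header, then the echoed dump.
SAMPLE_JOURNAL = "\n".join(
    ["Jun  8 02:34:29 truenas env[20630]: E0608 02:34:29.764868   20630 "
     "network_policy_controller.go:276] Aborting sync. Failed to run "
     "iptables-restore: exit status 2 (Bad argument `to'",
     "Jun  8 02:34:29 truenas env[20630]: Error occurred at line: 8",
     "Jun  8 02:34:29 truenas env[20630]: )"]
    + ["Jun  8 02:34:29 truenas env[20630]: " + l
       for l in SAMPLE_RESTORE_INPUT.splitlines()]
) + "\n"


def reported_error_line(journal_text):
    """Line number iptables-restore reported, or None if no error header."""
    m = ERROR_LINE.search(journal_text)
    return int(m.group(1)) if m else None


def extract_restore_inputs(journal_text):
    """Yield each restore input (from a '*table' line to COMMIT) found in the
    journal, with the syslog prefix removed and one rule per line."""
    current = None
    for raw in journal_text.splitlines():
        m = JOURNAL_PREFIX.match(raw)
        if not m:
            continue
        body = raw[m.end():]
        if body.startswith("*"):
            current = [body]
        elif current is not None:
            current.append(body)
            if body == "COMMIT":
                yield "\n".join(current) + "\n"
                current = None


def find_unquoted_comments(restore_input):
    """Return [(lineno, stray_token, line)] for rules whose --comment value
    is followed by a token that is not an option: that token is what
    iptables rejects as "Bad argument `X'"."""
    findings = []
    for lineno, line in enumerate(restore_input.splitlines(), start=1):
        if not line.startswith(("-A", "-I")):
            continue
        tokens = shlex.split(line)  # honours the double quotes in the dump
        for i, tok in enumerate(tokens):
            if tok == "--comment" and i + 2 < len(tokens) \
                    and not tokens[i + 2].startswith("-"):
                findings.append((lineno, tokens[i + 2], line))
    return findings


def quote_comment(line):
    """Rebuild the rule with the comment words joined and double-quoted
    (comment text here contains no quote characters; the comment match
    also caps the value at 256 characters)."""
    tokens, out, i = shlex.split(line), [], 0
    while i < len(tokens):
        out.append(tokens[i])
        if tokens[i] == "--comment" and i + 1 < len(tokens):
            words, j = [tokens[i + 1]], i + 2
            while j < len(tokens) and not tokens[j].startswith("-"):
                words.append(tokens[j])
                j += 1
            out.append('"' + " ".join(words) + '"')
            i = j
            continue
        i += 1
    return " ".join(out)


if __name__ == "__main__":
    reported = reported_error_line(SAMPLE_JOURNAL)
    for dump in extract_restore_inputs(SAMPLE_JOURNAL):
        for lineno, stray, line in find_unquoted_comments(dump):
            match = "matches" if lineno == reported else "differs from"
            print(f"line {lineno} ({match} reported line {reported}): "
                  f"stray argument {stray!r}")
            print("  fixed:", quote_comment(line))
```

Pointed at the real journal, the same scan returns line 103 of the 02:34:29 dump, matching the controller's error header. To reproduce without touching the kernel, write an extracted dump to a file and run "iptables-restore --test" on it, then again on the re-quoted version; the second run should parse cleanly. The fix itself belongs in the component that emits the unquoted rule, not in the dump.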
Jun  8 02:39:29 truenas env[20630]: E0608 02:39:29.752823   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 02:39:29 truenas env[20630]: Error occurred at line: 103
Jun  8 02:39:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 02:39:29 truenas env[20630]: )
Jun  8 02:39:29 truenas env[20630]: *filter
Jun  8 02:39:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 02:39:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 02:39:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 02:39:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 02:39:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 02:39:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 02:39:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 02:39:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 02:39:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 02:39:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 02:39:29 truenas env[20630]: :KUBE-POD-FW-HT4EC3MBYHTSC46C - [0:0]
Jun  8 02:39:29 truenas env[20630]: :KUBE-POD-FW-3LC75J7LNZJDFUJ6 - [0:0]
Jun  8 02:39:29 truenas env[20630]: :KUBE-POD-FW-X43OT4X5F4ZOJ6MH - [0:0]
Jun  8 02:39:29 truenas env[20630]: :KUBE-POD-FW-WJZIEYUFKRSTYOFV - [0:0]
Jun  8 02:39:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 02:39:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 02:39:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 02:39:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 02:39:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 02:39:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 02:39:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 02:39:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 02:39:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 02:39:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-HT4EC3MBYHTSC46C 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-HT4EC3MBYHTSC46C 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-HT4EC3MBYHTSC46C 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-HT4EC3MBYHTSC46C 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-HT4EC3MBYHTSC46C 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HT4EC3MBYHTSC46C" -d 172.16.0.42 -j KUBE-POD-FW-HT4EC3MBYHTSC46C
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HT4EC3MBYHTSC46C" -d 172.16.0.42 -j KUBE-POD-FW-HT4EC3MBYHTSC46C
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HT4EC3MBYHTSC46C" -d 172.16.0.42 -j KUBE-POD-FW-HT4EC3MBYHTSC46C
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HT4EC3MBYHTSC46C" -s 172.16.0.42 -j KUBE-POD-FW-HT4EC3MBYHTSC46C
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HT4EC3MBYHTSC46C" -s 172.16.0.42 -j KUBE-POD-FW-HT4EC3MBYHTSC46C
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HT4EC3MBYHTSC46C" -s 172.16.0.42 -j KUBE-POD-FW-HT4EC3MBYHTSC46C
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-HT4EC3MBYHTSC46C" -s 172.16.0.42 -j KUBE-POD-FW-HT4EC3MBYHTSC46C
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-HT4EC3MBYHTSC46C -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-HT4EC3MBYHTSC46C -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-HT4EC3MBYHTSC46C -j MARK --set-mark 0/0x10000
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-HT4EC3MBYHTSC46C -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-3LC75J7LNZJDFUJ6 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-3LC75J7LNZJDFUJ6 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-3LC75J7LNZJDFUJ6 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-3LC75J7LNZJDFUJ6 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-3LC75J7LNZJDFUJ6 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3LC75J7LNZJDFUJ6" -d 172.16.0.45 -j KUBE-POD-FW-3LC75J7LNZJDFUJ6
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3LC75J7LNZJDFUJ6" -d 172.16.0.45 -j KUBE-POD-FW-3LC75J7LNZJDFUJ6
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3LC75J7LNZJDFUJ6" -d 172.16.0.45 -j KUBE-POD-FW-3LC75J7LNZJDFUJ6
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3LC75J7LNZJDFUJ6" -s 172.16.0.45 -j KUBE-POD-FW-3LC75J7LNZJDFUJ6
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3LC75J7LNZJDFUJ6" -s 172.16.0.45 -j KUBE-POD-FW-3LC75J7LNZJDFUJ6
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3LC75J7LNZJDFUJ6" -s 172.16.0.45 -j KUBE-POD-FW-3LC75J7LNZJDFUJ6
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3LC75J7LNZJDFUJ6" -s 172.16.0.45 -j KUBE-POD-FW-3LC75J7LNZJDFUJ6
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-3LC75J7LNZJDFUJ6 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-3LC75J7LNZJDFUJ6 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-3LC75J7LNZJDFUJ6 -j MARK --set-mark 0/0x10000
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-3LC75J7LNZJDFUJ6 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-X43OT4X5F4ZOJ6MH 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-X43OT4X5F4ZOJ6MH 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-X43OT4X5F4ZOJ6MH 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-X43OT4X5F4ZOJ6MH 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-X43OT4X5F4ZOJ6MH 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-X43OT4X5F4ZOJ6MH" -d 172.16.0.43 -j KUBE-POD-FW-X43OT4X5F4ZOJ6MH
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-X43OT4X5F4ZOJ6MH" -d 172.16.0.43 -j KUBE-POD-FW-X43OT4X5F4ZOJ6MH
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-X43OT4X5F4ZOJ6MH" -d 172.16.0.43 -j KUBE-POD-FW-X43OT4X5F4ZOJ6MH
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-X43OT4X5F4ZOJ6MH" -s 172.16.0.43 -j KUBE-POD-FW-X43OT4X5F4ZOJ6MH
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-X43OT4X5F4ZOJ6MH" -s 172.16.0.43 -j KUBE-POD-FW-X43OT4X5F4ZOJ6MH
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-X43OT4X5F4ZOJ6MH" -s 172.16.0.43 -j KUBE-POD-FW-X43OT4X5F4ZOJ6MH
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-X43OT4X5F4ZOJ6MH" -s 172.16.0.43 -j KUBE-POD-FW-X43OT4X5F4ZOJ6MH
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-X43OT4X5F4ZOJ6MH -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-X43OT4X5F4ZOJ6MH -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-X43OT4X5F4ZOJ6MH -j MARK --set-mark 0/0x10000
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-X43OT4X5F4ZOJ6MH -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-WJZIEYUFKRSTYOFV 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-WJZIEYUFKRSTYOFV 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-WJZIEYUFKRSTYOFV 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-WJZIEYUFKRSTYOFV 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:39:29 truenas env[20630]: -I KUBE-POD-FW-WJZIEYUFKRSTYOFV 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WJZIEYUFKRSTYOFV" -d 172.16.0.46 -j KUBE-POD-FW-WJZIEYUFKRSTYOFV
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WJZIEYUFKRSTYOFV" -d 172.16.0.46 -j KUBE-POD-FW-WJZIEYUFKRSTYOFV
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WJZIEYUFKRSTYOFV" -d 172.16.0.46 -j KUBE-POD-FW-WJZIEYUFKRSTYOFV
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WJZIEYUFKRSTYOFV" -s 172.16.0.46 -j KUBE-POD-FW-WJZIEYUFKRSTYOFV
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WJZIEYUFKRSTYOFV" -s 172.16.0.46 -j KUBE-POD-FW-WJZIEYUFKRSTYOFV
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WJZIEYUFKRSTYOFV" -s 172.16.0.46 -j KUBE-POD-FW-WJZIEYUFKRSTYOFV
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WJZIEYUFKRSTYOFV" -s 172.16.0.46 -j KUBE-POD-FW-WJZIEYUFKRSTYOFV
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-WJZIEYUFKRSTYOFV -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-WJZIEYUFKRSTYOFV -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-WJZIEYUFKRSTYOFV -j MARK --set-mark 0/0x10000
Jun  8 02:39:29 truenas env[20630]: -A KUBE-POD-FW-WJZIEYUFKRSTYOFV -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:39:29 truenas env[20630]: COMMIT
Jun  8 02:40:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 02:40:06 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 02:40:06 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 02:44:29 truenas env[20630]: E0608 02:44:29.728365   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 02:44:29 truenas env[20630]: Error occurred at line: 103
Jun  8 02:44:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 02:44:29 truenas env[20630]: )
Jun  8 02:44:29 truenas env[20630]: *filter
Jun  8 02:44:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 02:44:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 02:44:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 02:44:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 02:44:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 02:44:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 02:44:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 02:44:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 02:44:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 02:44:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 02:44:29 truenas env[20630]: :KUBE-POD-FW-VO43J4ZYHWYGG6XX - [0:0]
Jun  8 02:44:29 truenas env[20630]: :KUBE-POD-FW-MY5HVHGZE4SPLUTT - [0:0]
Jun  8 02:44:29 truenas env[20630]: :KUBE-POD-FW-UC765P6E62B56S52 - [0:0]
Jun  8 02:44:29 truenas env[20630]: :KUBE-POD-FW-EHX6NRZXPV7GVJ5E - [0:0]
Jun  8 02:44:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 02:44:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 02:44:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 02:44:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 02:44:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 02:44:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 02:44:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 02:44:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 02:44:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 02:44:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-VO43J4ZYHWYGG6XX 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-VO43J4ZYHWYGG6XX 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-VO43J4ZYHWYGG6XX 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-VO43J4ZYHWYGG6XX 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-VO43J4ZYHWYGG6XX 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VO43J4ZYHWYGG6XX" -d 172.16.0.45 -j KUBE-POD-FW-VO43J4ZYHWYGG6XX
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VO43J4ZYHWYGG6XX" -d 172.16.0.45 -j KUBE-POD-FW-VO43J4ZYHWYGG6XX
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VO43J4ZYHWYGG6XX" -d 172.16.0.45 -j KUBE-POD-FW-VO43J4ZYHWYGG6XX
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VO43J4ZYHWYGG6XX" -s 172.16.0.45 -j KUBE-POD-FW-VO43J4ZYHWYGG6XX
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VO43J4ZYHWYGG6XX" -s 172.16.0.45 -j KUBE-POD-FW-VO43J4ZYHWYGG6XX
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VO43J4ZYHWYGG6XX" -s 172.16.0.45 -j KUBE-POD-FW-VO43J4ZYHWYGG6XX
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-VO43J4ZYHWYGG6XX" -s 172.16.0.45 -j KUBE-POD-FW-VO43J4ZYHWYGG6XX
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-VO43J4ZYHWYGG6XX -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-VO43J4ZYHWYGG6XX -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-VO43J4ZYHWYGG6XX -j MARK --set-mark 0/0x10000
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-VO43J4ZYHWYGG6XX -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-MY5HVHGZE4SPLUTT 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-MY5HVHGZE4SPLUTT 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-MY5HVHGZE4SPLUTT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-MY5HVHGZE4SPLUTT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-MY5HVHGZE4SPLUTT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MY5HVHGZE4SPLUTT" -d 172.16.0.43 -j KUBE-POD-FW-MY5HVHGZE4SPLUTT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MY5HVHGZE4SPLUTT" -d 172.16.0.43 -j KUBE-POD-FW-MY5HVHGZE4SPLUTT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MY5HVHGZE4SPLUTT" -d 172.16.0.43 -j KUBE-POD-FW-MY5HVHGZE4SPLUTT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MY5HVHGZE4SPLUTT" -s 172.16.0.43 -j KUBE-POD-FW-MY5HVHGZE4SPLUTT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MY5HVHGZE4SPLUTT" -s 172.16.0.43 -j KUBE-POD-FW-MY5HVHGZE4SPLUTT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MY5HVHGZE4SPLUTT" -s 172.16.0.43 -j KUBE-POD-FW-MY5HVHGZE4SPLUTT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-MY5HVHGZE4SPLUTT" -s 172.16.0.43 -j KUBE-POD-FW-MY5HVHGZE4SPLUTT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-MY5HVHGZE4SPLUTT -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-MY5HVHGZE4SPLUTT -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-MY5HVHGZE4SPLUTT -j MARK --set-mark 0/0x10000
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-MY5HVHGZE4SPLUTT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-UC765P6E62B56S52 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-UC765P6E62B56S52 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-UC765P6E62B56S52 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-UC765P6E62B56S52 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-UC765P6E62B56S52 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UC765P6E62B56S52" -d 172.16.0.46 -j KUBE-POD-FW-UC765P6E62B56S52
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UC765P6E62B56S52" -d 172.16.0.46 -j KUBE-POD-FW-UC765P6E62B56S52
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UC765P6E62B56S52" -d 172.16.0.46 -j KUBE-POD-FW-UC765P6E62B56S52
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UC765P6E62B56S52" -s 172.16.0.46 -j KUBE-POD-FW-UC765P6E62B56S52
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UC765P6E62B56S52" -s 172.16.0.46 -j KUBE-POD-FW-UC765P6E62B56S52
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UC765P6E62B56S52" -s 172.16.0.46 -j KUBE-POD-FW-UC765P6E62B56S52
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UC765P6E62B56S52" -s 172.16.0.46 -j KUBE-POD-FW-UC765P6E62B56S52
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-UC765P6E62B56S52 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-UC765P6E62B56S52 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-UC765P6E62B56S52 -j MARK --set-mark 0/0x10000
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-UC765P6E62B56S52 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-EHX6NRZXPV7GVJ5E 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-EHX6NRZXPV7GVJ5E 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-EHX6NRZXPV7GVJ5E 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-EHX6NRZXPV7GVJ5E 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:44:29 truenas env[20630]: -I KUBE-POD-FW-EHX6NRZXPV7GVJ5E 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EHX6NRZXPV7GVJ5E" -d 172.16.0.42 -j KUBE-POD-FW-EHX6NRZXPV7GVJ5E
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EHX6NRZXPV7GVJ5E" -d 172.16.0.42 -j KUBE-POD-FW-EHX6NRZXPV7GVJ5E
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EHX6NRZXPV7GVJ5E" -d 172.16.0.42 -j KUBE-POD-FW-EHX6NRZXPV7GVJ5E
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EHX6NRZXPV7GVJ5E" -s 172.16.0.42 -j KUBE-POD-FW-EHX6NRZXPV7GVJ5E
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EHX6NRZXPV7GVJ5E" -s 172.16.0.42 -j KUBE-POD-FW-EHX6NRZXPV7GVJ5E
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EHX6NRZXPV7GVJ5E" -s 172.16.0.42 -j KUBE-POD-FW-EHX6NRZXPV7GVJ5E
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-EHX6NRZXPV7GVJ5E" -s 172.16.0.42 -j KUBE-POD-FW-EHX6NRZXPV7GVJ5E
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-EHX6NRZXPV7GVJ5E -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-EHX6NRZXPV7GVJ5E -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-EHX6NRZXPV7GVJ5E -j MARK --set-mark 0/0x10000
Jun  8 02:44:29 truenas env[20630]: -A KUBE-POD-FW-EHX6NRZXPV7GVJ5E -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:44:29 truenas env[20630]: COMMIT
Jun  8 02:50:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 02:50:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 02:50:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 02:54:29 truenas env[20630]: E0608 02:54:29.804094   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 02:54:29 truenas env[20630]: Error occurred at line: 103
Jun  8 02:54:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 02:54:29 truenas env[20630]: )
Jun  8 02:54:29 truenas env[20630]: *filter
Jun  8 02:54:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 02:54:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 02:54:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 02:54:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 02:54:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 02:54:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 02:54:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 02:54:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 02:54:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 02:54:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 02:54:29 truenas env[20630]: :KUBE-POD-FW-GLYPBDCUOH7S6Q3C - [0:0]
Jun  8 02:54:29 truenas env[20630]: :KUBE-POD-FW-SDXJS43ZVLK74HSY - [0:0]
Jun  8 02:54:29 truenas env[20630]: :KUBE-POD-FW-O53QSCMOYPB7JITW - [0:0]
Jun  8 02:54:29 truenas env[20630]: :KUBE-POD-FW-YGBU2XPFXQZPAUG6 - [0:0]
Jun  8 02:54:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 02:54:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 02:54:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 02:54:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 02:54:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 02:54:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 02:54:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 02:54:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 02:54:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 02:54:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-GLYPBDCUOH7S6Q3C 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-GLYPBDCUOH7S6Q3C 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-GLYPBDCUOH7S6Q3C 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-GLYPBDCUOH7S6Q3C 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-GLYPBDCUOH7S6Q3C 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-GLYPBDCUOH7S6Q3C" -d 172.16.0.45 -j KUBE-POD-FW-GLYPBDCUOH7S6Q3C
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-GLYPBDCUOH7S6Q3C" -d 172.16.0.45 -j KUBE-POD-FW-GLYPBDCUOH7S6Q3C
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-GLYPBDCUOH7S6Q3C" -d 172.16.0.45 -j KUBE-POD-FW-GLYPBDCUOH7S6Q3C
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-GLYPBDCUOH7S6Q3C" -s 172.16.0.45 -j KUBE-POD-FW-GLYPBDCUOH7S6Q3C
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-GLYPBDCUOH7S6Q3C" -s 172.16.0.45 -j KUBE-POD-FW-GLYPBDCUOH7S6Q3C
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-GLYPBDCUOH7S6Q3C" -s 172.16.0.45 -j KUBE-POD-FW-GLYPBDCUOH7S6Q3C
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-GLYPBDCUOH7S6Q3C" -s 172.16.0.45 -j KUBE-POD-FW-GLYPBDCUOH7S6Q3C
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-GLYPBDCUOH7S6Q3C -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-GLYPBDCUOH7S6Q3C -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-GLYPBDCUOH7S6Q3C -j MARK --set-mark 0/0x10000
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-GLYPBDCUOH7S6Q3C -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-SDXJS43ZVLK74HSY 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-SDXJS43ZVLK74HSY 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-SDXJS43ZVLK74HSY 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-SDXJS43ZVLK74HSY 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-SDXJS43ZVLK74HSY 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDXJS43ZVLK74HSY" -d 172.16.0.43 -j KUBE-POD-FW-SDXJS43ZVLK74HSY
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDXJS43ZVLK74HSY" -d 172.16.0.43 -j KUBE-POD-FW-SDXJS43ZVLK74HSY
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDXJS43ZVLK74HSY" -d 172.16.0.43 -j KUBE-POD-FW-SDXJS43ZVLK74HSY
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDXJS43ZVLK74HSY" -s 172.16.0.43 -j KUBE-POD-FW-SDXJS43ZVLK74HSY
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDXJS43ZVLK74HSY" -s 172.16.0.43 -j KUBE-POD-FW-SDXJS43ZVLK74HSY
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDXJS43ZVLK74HSY" -s 172.16.0.43 -j KUBE-POD-FW-SDXJS43ZVLK74HSY
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDXJS43ZVLK74HSY" -s 172.16.0.43 -j KUBE-POD-FW-SDXJS43ZVLK74HSY
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-SDXJS43ZVLK74HSY -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-SDXJS43ZVLK74HSY -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-SDXJS43ZVLK74HSY -j MARK --set-mark 0/0x10000
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-SDXJS43ZVLK74HSY -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-O53QSCMOYPB7JITW 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-O53QSCMOYPB7JITW 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-O53QSCMOYPB7JITW 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-O53QSCMOYPB7JITW 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-O53QSCMOYPB7JITW 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-O53QSCMOYPB7JITW" -d 172.16.0.46 -j KUBE-POD-FW-O53QSCMOYPB7JITW
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-O53QSCMOYPB7JITW" -d 172.16.0.46 -j KUBE-POD-FW-O53QSCMOYPB7JITW
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-O53QSCMOYPB7JITW" -d 172.16.0.46 -j KUBE-POD-FW-O53QSCMOYPB7JITW
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-O53QSCMOYPB7JITW" -s 172.16.0.46 -j KUBE-POD-FW-O53QSCMOYPB7JITW
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-O53QSCMOYPB7JITW" -s 172.16.0.46 -j KUBE-POD-FW-O53QSCMOYPB7JITW
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-O53QSCMOYPB7JITW" -s 172.16.0.46 -j KUBE-POD-FW-O53QSCMOYPB7JITW
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-O53QSCMOYPB7JITW" -s 172.16.0.46 -j KUBE-POD-FW-O53QSCMOYPB7JITW
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-O53QSCMOYPB7JITW -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-O53QSCMOYPB7JITW -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-O53QSCMOYPB7JITW -j MARK --set-mark 0/0x10000
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-O53QSCMOYPB7JITW -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-YGBU2XPFXQZPAUG6 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-YGBU2XPFXQZPAUG6 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-YGBU2XPFXQZPAUG6 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-YGBU2XPFXQZPAUG6 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:54:29 truenas env[20630]: -I KUBE-POD-FW-YGBU2XPFXQZPAUG6 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YGBU2XPFXQZPAUG6" -d 172.16.0.42 -j KUBE-POD-FW-YGBU2XPFXQZPAUG6
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YGBU2XPFXQZPAUG6" -d 172.16.0.42 -j KUBE-POD-FW-YGBU2XPFXQZPAUG6
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YGBU2XPFXQZPAUG6" -d 172.16.0.42 -j KUBE-POD-FW-YGBU2XPFXQZPAUG6
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YGBU2XPFXQZPAUG6" -s 172.16.0.42 -j KUBE-POD-FW-YGBU2XPFXQZPAUG6
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YGBU2XPFXQZPAUG6" -s 172.16.0.42 -j KUBE-POD-FW-YGBU2XPFXQZPAUG6
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YGBU2XPFXQZPAUG6" -s 172.16.0.42 -j KUBE-POD-FW-YGBU2XPFXQZPAUG6
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YGBU2XPFXQZPAUG6" -s 172.16.0.42 -j KUBE-POD-FW-YGBU2XPFXQZPAUG6
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-YGBU2XPFXQZPAUG6 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-YGBU2XPFXQZPAUG6 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-YGBU2XPFXQZPAUG6 -j MARK --set-mark 0/0x10000
Jun  8 02:54:29 truenas env[20630]: -A KUBE-POD-FW-YGBU2XPFXQZPAUG6 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:54:29 truenas env[20630]: COMMIT
Jun  8 02:59:06 truenas smartd[3887]: Device: /dev/sdb [SAT], SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 76 to 77
Jun  8 02:59:06 truenas smartd[3887]: Device: /dev/sdb [SAT], SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 76 to 77
Jun  8 02:59:26 truenas nscd[643743]: 643743 monitoring file `/etc/hosts` (1)
Jun  8 02:59:26 truenas nscd[643743]: 643743 monitoring directory `/etc` (2)
Jun  8 02:59:26 truenas nscd[643743]: 643743 monitoring file `/etc/resolv.conf` (3)
Jun  8 02:59:26 truenas nscd[643743]: 643743 monitoring directory `/etc` (2)
Jun  8 02:59:26 truenas nscd[643743]: 643743 cannot create /var/cache/nscd/hosts; no persistent database used
Jun  8 02:59:29 truenas env[20630]: E0608 02:59:29.748619   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 02:59:29 truenas env[20630]: Error occurred at line: 103
Jun  8 02:59:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 02:59:29 truenas env[20630]: )
Jun  8 02:59:29 truenas env[20630]: *filter
Jun  8 02:59:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 02:59:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 02:59:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 02:59:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 02:59:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 02:59:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 02:59:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 02:59:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 02:59:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 02:59:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 02:59:29 truenas env[20630]: :KUBE-POD-FW-NAMBRK5RYXJBBFGE - [0:0]
Jun  8 02:59:29 truenas env[20630]: :KUBE-POD-FW-MYRKFVYCIMVQQ54H - [0:0]
Jun  8 02:59:29 truenas env[20630]: :KUBE-POD-FW-LAPGPLEEO4POCXVR - [0:0]
Jun  8 02:59:29 truenas env[20630]: :KUBE-POD-FW-B36GHNOSKPTJFICB - [0:0]
Jun  8 02:59:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 02:59:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 02:59:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 02:59:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 02:59:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 02:59:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 02:59:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 02:59:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 02:59:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 02:59:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-NAMBRK5RYXJBBFGE 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-NAMBRK5RYXJBBFGE 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-NAMBRK5RYXJBBFGE 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-NAMBRK5RYXJBBFGE 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-NAMBRK5RYXJBBFGE 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-NAMBRK5RYXJBBFGE" -d 172.16.0.46 -j KUBE-POD-FW-NAMBRK5RYXJBBFGE
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-NAMBRK5RYXJBBFGE" -d 172.16.0.46 -j KUBE-POD-FW-NAMBRK5RYXJBBFGE
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-NAMBRK5RYXJBBFGE" -d 172.16.0.46 -j KUBE-POD-FW-NAMBRK5RYXJBBFGE
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-NAMBRK5RYXJBBFGE" -s 172.16.0.46 -j KUBE-POD-FW-NAMBRK5RYXJBBFGE
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-NAMBRK5RYXJBBFGE" -s 172.16.0.46 -j KUBE-POD-FW-NAMBRK5RYXJBBFGE
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-NAMBRK5RYXJBBFGE" -s 172.16.0.46 -j KUBE-POD-FW-NAMBRK5RYXJBBFGE
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-NAMBRK5RYXJBBFGE" -s 172.16.0.46 -j KUBE-POD-FW-NAMBRK5RYXJBBFGE
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-NAMBRK5RYXJBBFGE -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-NAMBRK5RYXJBBFGE -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-NAMBRK5RYXJBBFGE -j MARK --set-mark 0/0x10000
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-NAMBRK5RYXJBBFGE -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-MYRKFVYCIMVQQ54H 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-MYRKFVYCIMVQQ54H 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-MYRKFVYCIMVQQ54H 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-MYRKFVYCIMVQQ54H 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-MYRKFVYCIMVQQ54H 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-MYRKFVYCIMVQQ54H" -d 172.16.0.42 -j KUBE-POD-FW-MYRKFVYCIMVQQ54H
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-MYRKFVYCIMVQQ54H" -d 172.16.0.42 -j KUBE-POD-FW-MYRKFVYCIMVQQ54H
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-MYRKFVYCIMVQQ54H" -d 172.16.0.42 -j KUBE-POD-FW-MYRKFVYCIMVQQ54H
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-MYRKFVYCIMVQQ54H" -s 172.16.0.42 -j KUBE-POD-FW-MYRKFVYCIMVQQ54H
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-MYRKFVYCIMVQQ54H" -s 172.16.0.42 -j KUBE-POD-FW-MYRKFVYCIMVQQ54H
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-MYRKFVYCIMVQQ54H" -s 172.16.0.42 -j KUBE-POD-FW-MYRKFVYCIMVQQ54H
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-MYRKFVYCIMVQQ54H" -s 172.16.0.42 -j KUBE-POD-FW-MYRKFVYCIMVQQ54H
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-MYRKFVYCIMVQQ54H -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-MYRKFVYCIMVQQ54H -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-MYRKFVYCIMVQQ54H -j MARK --set-mark 0/0x10000
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-MYRKFVYCIMVQQ54H -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-LAPGPLEEO4POCXVR 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-LAPGPLEEO4POCXVR 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-LAPGPLEEO4POCXVR 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-LAPGPLEEO4POCXVR 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-LAPGPLEEO4POCXVR 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-LAPGPLEEO4POCXVR" -d 172.16.0.45 -j KUBE-POD-FW-LAPGPLEEO4POCXVR
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-LAPGPLEEO4POCXVR" -d 172.16.0.45 -j KUBE-POD-FW-LAPGPLEEO4POCXVR
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-LAPGPLEEO4POCXVR" -d 172.16.0.45 -j KUBE-POD-FW-LAPGPLEEO4POCXVR
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-LAPGPLEEO4POCXVR" -s 172.16.0.45 -j KUBE-POD-FW-LAPGPLEEO4POCXVR
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-LAPGPLEEO4POCXVR" -s 172.16.0.45 -j KUBE-POD-FW-LAPGPLEEO4POCXVR
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-LAPGPLEEO4POCXVR" -s 172.16.0.45 -j KUBE-POD-FW-LAPGPLEEO4POCXVR
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-LAPGPLEEO4POCXVR" -s 172.16.0.45 -j KUBE-POD-FW-LAPGPLEEO4POCXVR
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-LAPGPLEEO4POCXVR -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-LAPGPLEEO4POCXVR -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-LAPGPLEEO4POCXVR -j MARK --set-mark 0/0x10000
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-LAPGPLEEO4POCXVR -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-B36GHNOSKPTJFICB 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-B36GHNOSKPTJFICB 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-B36GHNOSKPTJFICB 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-B36GHNOSKPTJFICB 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 02:59:29 truenas env[20630]: -I KUBE-POD-FW-B36GHNOSKPTJFICB 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-B36GHNOSKPTJFICB" -d 172.16.0.43 -j KUBE-POD-FW-B36GHNOSKPTJFICB
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-B36GHNOSKPTJFICB" -d 172.16.0.43 -j KUBE-POD-FW-B36GHNOSKPTJFICB
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-B36GHNOSKPTJFICB" -d 172.16.0.43 -j KUBE-POD-FW-B36GHNOSKPTJFICB
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-B36GHNOSKPTJFICB" -s 172.16.0.43 -j KUBE-POD-FW-B36GHNOSKPTJFICB
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-B36GHNOSKPTJFICB" -s 172.16.0.43 -j KUBE-POD-FW-B36GHNOSKPTJFICB
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-B36GHNOSKPTJFICB" -s 172.16.0.43 -j KUBE-POD-FW-B36GHNOSKPTJFICB
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-B36GHNOSKPTJFICB" -s 172.16.0.43 -j KUBE-POD-FW-B36GHNOSKPTJFICB
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-B36GHNOSKPTJFICB -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-B36GHNOSKPTJFICB -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-B36GHNOSKPTJFICB -j MARK --set-mark 0/0x10000
Jun  8 02:59:29 truenas env[20630]: -A KUBE-POD-FW-B36GHNOSKPTJFICB -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 02:59:29 truenas env[20630]: COMMIT
Jun  8 03:00:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 03:00:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 03:00:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 03:04:29 truenas env[20630]: E0608 03:04:29.800509   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:04:29 truenas env[20630]: Error occurred at line: 103
Jun  8 03:04:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:04:29 truenas env[20630]: )
Jun  8 03:04:29 truenas env[20630]: *filter
Jun  8 03:04:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:04:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:04:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:04:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 03:04:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 03:04:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 03:04:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 03:04:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:04:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:04:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 03:04:29 truenas env[20630]: :KUBE-POD-FW-J4YSHW3PUZF6GQRN - [0:0]
Jun  8 03:04:29 truenas env[20630]: :KUBE-POD-FW-BFYTDSNPFAGFZRAZ - [0:0]
Jun  8 03:04:29 truenas env[20630]: :KUBE-POD-FW-5KVEPXUOTSCSBCQ3 - [0:0]
Jun  8 03:04:29 truenas env[20630]: :KUBE-POD-FW-RNARO5JW3QNJN65P - [0:0]
Jun  8 03:04:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:04:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 03:04:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 03:04:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 03:04:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 03:04:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:04:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 03:04:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 03:04:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 03:04:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-J4YSHW3PUZF6GQRN 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-J4YSHW3PUZF6GQRN 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-J4YSHW3PUZF6GQRN 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-J4YSHW3PUZF6GQRN 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-J4YSHW3PUZF6GQRN 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J4YSHW3PUZF6GQRN" -d 172.16.0.43 -j KUBE-POD-FW-J4YSHW3PUZF6GQRN
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J4YSHW3PUZF6GQRN" -d 172.16.0.43 -j KUBE-POD-FW-J4YSHW3PUZF6GQRN
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J4YSHW3PUZF6GQRN" -d 172.16.0.43 -j KUBE-POD-FW-J4YSHW3PUZF6GQRN
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J4YSHW3PUZF6GQRN" -s 172.16.0.43 -j KUBE-POD-FW-J4YSHW3PUZF6GQRN
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J4YSHW3PUZF6GQRN" -s 172.16.0.43 -j KUBE-POD-FW-J4YSHW3PUZF6GQRN
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J4YSHW3PUZF6GQRN" -s 172.16.0.43 -j KUBE-POD-FW-J4YSHW3PUZF6GQRN
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J4YSHW3PUZF6GQRN" -s 172.16.0.43 -j KUBE-POD-FW-J4YSHW3PUZF6GQRN
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-J4YSHW3PUZF6GQRN -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-J4YSHW3PUZF6GQRN -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-J4YSHW3PUZF6GQRN -j MARK --set-mark 0/0x10000
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-J4YSHW3PUZF6GQRN -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-BFYTDSNPFAGFZRAZ 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-BFYTDSNPFAGFZRAZ 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-BFYTDSNPFAGFZRAZ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-BFYTDSNPFAGFZRAZ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-BFYTDSNPFAGFZRAZ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-BFYTDSNPFAGFZRAZ" -d 172.16.0.46 -j KUBE-POD-FW-BFYTDSNPFAGFZRAZ
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-BFYTDSNPFAGFZRAZ" -d 172.16.0.46 -j KUBE-POD-FW-BFYTDSNPFAGFZRAZ
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-BFYTDSNPFAGFZRAZ" -d 172.16.0.46 -j KUBE-POD-FW-BFYTDSNPFAGFZRAZ
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-BFYTDSNPFAGFZRAZ" -s 172.16.0.46 -j KUBE-POD-FW-BFYTDSNPFAGFZRAZ
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-BFYTDSNPFAGFZRAZ" -s 172.16.0.46 -j KUBE-POD-FW-BFYTDSNPFAGFZRAZ
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-BFYTDSNPFAGFZRAZ" -s 172.16.0.46 -j KUBE-POD-FW-BFYTDSNPFAGFZRAZ
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-BFYTDSNPFAGFZRAZ" -s 172.16.0.46 -j KUBE-POD-FW-BFYTDSNPFAGFZRAZ
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-BFYTDSNPFAGFZRAZ -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-BFYTDSNPFAGFZRAZ -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-BFYTDSNPFAGFZRAZ -j MARK --set-mark 0/0x10000
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-BFYTDSNPFAGFZRAZ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-5KVEPXUOTSCSBCQ3 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-5KVEPXUOTSCSBCQ3 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-5KVEPXUOTSCSBCQ3 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-5KVEPXUOTSCSBCQ3 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-5KVEPXUOTSCSBCQ3 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KVEPXUOTSCSBCQ3" -d 172.16.0.42 -j KUBE-POD-FW-5KVEPXUOTSCSBCQ3
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KVEPXUOTSCSBCQ3" -d 172.16.0.42 -j KUBE-POD-FW-5KVEPXUOTSCSBCQ3
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KVEPXUOTSCSBCQ3" -d 172.16.0.42 -j KUBE-POD-FW-5KVEPXUOTSCSBCQ3
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KVEPXUOTSCSBCQ3" -s 172.16.0.42 -j KUBE-POD-FW-5KVEPXUOTSCSBCQ3
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KVEPXUOTSCSBCQ3" -s 172.16.0.42 -j KUBE-POD-FW-5KVEPXUOTSCSBCQ3
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KVEPXUOTSCSBCQ3" -s 172.16.0.42 -j KUBE-POD-FW-5KVEPXUOTSCSBCQ3
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KVEPXUOTSCSBCQ3" -s 172.16.0.42 -j KUBE-POD-FW-5KVEPXUOTSCSBCQ3
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-5KVEPXUOTSCSBCQ3 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-5KVEPXUOTSCSBCQ3 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-5KVEPXUOTSCSBCQ3 -j MARK --set-mark 0/0x10000
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-5KVEPXUOTSCSBCQ3 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-RNARO5JW3QNJN65P 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-RNARO5JW3QNJN65P 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-RNARO5JW3QNJN65P 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-RNARO5JW3QNJN65P 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:04:29 truenas env[20630]: -I KUBE-POD-FW-RNARO5JW3QNJN65P 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RNARO5JW3QNJN65P" -d 172.16.0.45 -j KUBE-POD-FW-RNARO5JW3QNJN65P
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RNARO5JW3QNJN65P" -d 172.16.0.45 -j KUBE-POD-FW-RNARO5JW3QNJN65P
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RNARO5JW3QNJN65P" -d 172.16.0.45 -j KUBE-POD-FW-RNARO5JW3QNJN65P
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RNARO5JW3QNJN65P" -s 172.16.0.45 -j KUBE-POD-FW-RNARO5JW3QNJN65P
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RNARO5JW3QNJN65P" -s 172.16.0.45 -j KUBE-POD-FW-RNARO5JW3QNJN65P
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RNARO5JW3QNJN65P" -s 172.16.0.45 -j KUBE-POD-FW-RNARO5JW3QNJN65P
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RNARO5JW3QNJN65P" -s 172.16.0.45 -j KUBE-POD-FW-RNARO5JW3QNJN65P
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-RNARO5JW3QNJN65P -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-RNARO5JW3QNJN65P -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-RNARO5JW3QNJN65P -j MARK --set-mark 0/0x10000
Jun  8 03:04:29 truenas env[20630]: -A KUBE-POD-FW-RNARO5JW3QNJN65P -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:04:29 truenas env[20630]: COMMIT
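What the repeated "Aborting sync" entries show: kube-router logs the whole iptables-restore payload after the error, one payload line per syslog line, and iptables-restore's "Error occurred at line: 103" counts from "*filter" as line 1. Counting the dump above that way, line 103 is the "-A KUBE-ROUTER-OUTPUT ... --comment rule to explicitly ACCEPT traffic that comply to network policies ..." rule, the first of the three rules at the end of the payload whose --comment text is not double-quoted, unlike every other --comment in the dump. iptables-restore therefore takes "rule" as the comment and "to" as an unexpected positional argument, which is exactly the "Bad argument `to'" it reports, and the sync aborts before COMMIT. Because every five-minute sync aborts at the same point (with freshly generated KUBE-POD-FW chain names each time), none of the per-pod firewall chains logged here are ever installed; whatever ruleset was last loaded successfully is what is actually enforcing traffic to the pods, and the log does not show what that state is. Note also that iptables-restore stops at the first bad line, so quoting only line 103 would just move the error to the next unquoted rule.

The script below is an added example written for this page, not part of kube-router or TrueNAS. It rebuilds the restore payload from syslog lines, picks the reported line, confirms the unquoted-comment cause against the reported bad argument, lists every line with the same defect, and shows the quoted form of the rule. The embedded log excerpt is constructed and abridged from the dump above (chain declarations and most pod rules omitted), so the failing rule lands on payload line 10 rather than 103.

```python
"""Locate the rule iptables-restore rejected in a kube-router "Aborting sync" dump.

After "Failed to run iptables-restore", kube-router logs the restore payload,
one payload line per syslog line, from "*filter" (payload line 1) to "COMMIT".
"Error occurred at line: N" counts lines in that payload. The usual cause of
"Bad argument `to'" is a --comment value with spaces that is not double-quoted:
only the first word becomes the comment and the second word is a stray argument.
"""
import re

SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ")
ERROR_LINE = re.compile(r"Error occurred at line: (\d+)")
BAD_ARG = re.compile(r"Bad argument `([^']+)'")
# --comment followed by an unquoted word and a second word that is not an option flag.
UNQUOTED_COMMENT = re.compile(r'--comment\s+(?!")(\S+)\s+(?!-)(\S+)')
# Same defect, capturing every word up to the next option flag (used for quoting).
UNQUOTED_COMMENT_WORDS = re.compile(r'--comment\s+(?!")((?:[^\s-]\S*)(?:\s+(?!-)\S+)*)')

# Constructed, abridged sample in the format of the dump above (assumption: the
# real dump has 87 more rule lines before the first unquoted comment).
SAMPLE_LOG = """\
Jun  8 03:09:29 truenas env[20630]: E0608 03:09:29.776477   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:09:29 truenas env[20630]: Error occurred at line: 10
Jun  8 03:09:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:09:29 truenas env[20630]: )
Jun  8 03:09:29 truenas env[20630]: *filter
Jun  8 03:09:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:09:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: COMMIT
"""


def strip_prefix(line: str) -> str:
    """Drop the 'Mon DD HH:MM:SS host prog[pid]: ' syslog prefix, if present."""
    return SYSLOG_PREFIX.sub("", line, count=1)


def parse_abort_dump(log_text: str):
    """Return (reported_line, bad_argument, payload_lines) for the first dump found."""
    reported = bad_arg = None
    payload, in_payload = [], False
    for raw in log_text.splitlines():
        line = strip_prefix(raw)
        if (m := ERROR_LINE.search(line)):
            reported = int(m.group(1))
        elif (m := BAD_ARG.search(line)):
            bad_arg = m.group(1)
        if line.startswith("*"):        # table header such as *filter: payload line 1
            in_payload = True
        if in_payload:
            payload.append(line)
            if line == "COMMIT":        # end of the iptables-restore payload
                break
    if reported is None or not payload:
        raise ValueError("no iptables-restore error with payload found")
    return reported, bad_arg, payload


def find_stray_argument(rule: str):
    """Word iptables-restore sees as a stray argument after an unquoted
    multi-word --comment, or None if the rule's comment is fine."""
    m = UNQUOTED_COMMENT.search(rule)
    return m.group(2) if m else None


def quote_comment(rule: str) -> str:
    """Wrap an unquoted multi-word --comment value in double quotes.

    Words up to the next token starting with '-' are taken as the comment, so a
    comment word that itself starts with '-' is not handled; already-quoted
    comments are returned unchanged.
    """
    return UNQUOTED_COMMENT_WORDS.sub(lambda m: f'--comment "{m.group(1)}"', rule, count=1)


def unquoted_comment_lines(payload):
    """Every payload line with the defect: iptables-restore only reports the
    first, so fixing that line alone just moves the error to the next one."""
    return [n for n, rule in enumerate(payload, start=1) if find_stray_argument(rule)]


def diagnose(log_text: str) -> dict:
    """Tie the reported line number back to the offending rule and its fix."""
    reported, bad_arg, payload = parse_abort_dump(log_text)
    if not 1 <= reported <= len(payload):
        raise ValueError(f"reported line {reported} outside payload of {len(payload)} lines")
    rule = payload[reported - 1]
    stray = find_stray_argument(rule)
    return {
        "line": reported,
        "bad_argument": bad_arg,
        "rule": rule,
        "stray_argument": stray,
        "cause_confirmed": stray is not None and stray == bad_arg,
        "fixed_rule": quote_comment(rule) if stray else None,
        "all_defective_lines": unquoted_comment_lines(payload),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real journal with `journalctl -u k3s -o cat | python3 thisfile.py` after swapping SAMPLE_LOG for stdin; on the dump above the reported line and the first entry of all_defective_lines both come out as 103, and the three unquoted rules are the only ones flagged. The check only recognises double quotes, which is the quoting every other --comment in this dump uses.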
Jun  8 03:09:29 truenas env[20630]: E0608 03:09:29.776477   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:09:29 truenas env[20630]: Error occurred at line: 103
Jun  8 03:09:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:09:29 truenas env[20630]: )
Jun  8 03:09:29 truenas env[20630]: *filter
Jun  8 03:09:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-POD-FW-SDALH6GBZYNK7SLB - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-POD-FW-TBOQTUWLB43UFXXL - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-POD-FW-DPATAS5JSRUDHOCJ - [0:0]
Jun  8 03:09:29 truenas env[20630]: :KUBE-POD-FW-DYWCQ6CTQWE7IQA3 - [0:0]
Jun  8 03:09:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:09:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 03:09:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 03:09:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 03:09:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 03:09:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:09:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 03:09:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 03:09:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 03:09:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-SDALH6GBZYNK7SLB 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-SDALH6GBZYNK7SLB 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-SDALH6GBZYNK7SLB 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-SDALH6GBZYNK7SLB 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-SDALH6GBZYNK7SLB 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDALH6GBZYNK7SLB" -d 172.16.0.43 -j KUBE-POD-FW-SDALH6GBZYNK7SLB
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDALH6GBZYNK7SLB" -d 172.16.0.43 -j KUBE-POD-FW-SDALH6GBZYNK7SLB
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDALH6GBZYNK7SLB" -d 172.16.0.43 -j KUBE-POD-FW-SDALH6GBZYNK7SLB
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDALH6GBZYNK7SLB" -s 172.16.0.43 -j KUBE-POD-FW-SDALH6GBZYNK7SLB
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDALH6GBZYNK7SLB" -s 172.16.0.43 -j KUBE-POD-FW-SDALH6GBZYNK7SLB
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDALH6GBZYNK7SLB" -s 172.16.0.43 -j KUBE-POD-FW-SDALH6GBZYNK7SLB
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SDALH6GBZYNK7SLB" -s 172.16.0.43 -j KUBE-POD-FW-SDALH6GBZYNK7SLB
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-SDALH6GBZYNK7SLB -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-SDALH6GBZYNK7SLB -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-SDALH6GBZYNK7SLB -j MARK --set-mark 0/0x10000
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-SDALH6GBZYNK7SLB -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-TBOQTUWLB43UFXXL 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-TBOQTUWLB43UFXXL 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-TBOQTUWLB43UFXXL 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-TBOQTUWLB43UFXXL 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-TBOQTUWLB43UFXXL 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-TBOQTUWLB43UFXXL" -d 172.16.0.46 -j KUBE-POD-FW-TBOQTUWLB43UFXXL
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-TBOQTUWLB43UFXXL" -d 172.16.0.46 -j KUBE-POD-FW-TBOQTUWLB43UFXXL
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-TBOQTUWLB43UFXXL" -d 172.16.0.46 -j KUBE-POD-FW-TBOQTUWLB43UFXXL
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-TBOQTUWLB43UFXXL" -s 172.16.0.46 -j KUBE-POD-FW-TBOQTUWLB43UFXXL
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-TBOQTUWLB43UFXXL" -s 172.16.0.46 -j KUBE-POD-FW-TBOQTUWLB43UFXXL
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-TBOQTUWLB43UFXXL" -s 172.16.0.46 -j KUBE-POD-FW-TBOQTUWLB43UFXXL
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-TBOQTUWLB43UFXXL" -s 172.16.0.46 -j KUBE-POD-FW-TBOQTUWLB43UFXXL
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-TBOQTUWLB43UFXXL -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-TBOQTUWLB43UFXXL -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-TBOQTUWLB43UFXXL -j MARK --set-mark 0/0x10000
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-TBOQTUWLB43UFXXL -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-DPATAS5JSRUDHOCJ 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-DPATAS5JSRUDHOCJ 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-DPATAS5JSRUDHOCJ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-DPATAS5JSRUDHOCJ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-DPATAS5JSRUDHOCJ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DPATAS5JSRUDHOCJ" -d 172.16.0.42 -j KUBE-POD-FW-DPATAS5JSRUDHOCJ
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DPATAS5JSRUDHOCJ" -d 172.16.0.42 -j KUBE-POD-FW-DPATAS5JSRUDHOCJ
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DPATAS5JSRUDHOCJ" -d 172.16.0.42 -j KUBE-POD-FW-DPATAS5JSRUDHOCJ
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DPATAS5JSRUDHOCJ" -s 172.16.0.42 -j KUBE-POD-FW-DPATAS5JSRUDHOCJ
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DPATAS5JSRUDHOCJ" -s 172.16.0.42 -j KUBE-POD-FW-DPATAS5JSRUDHOCJ
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DPATAS5JSRUDHOCJ" -s 172.16.0.42 -j KUBE-POD-FW-DPATAS5JSRUDHOCJ
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DPATAS5JSRUDHOCJ" -s 172.16.0.42 -j KUBE-POD-FW-DPATAS5JSRUDHOCJ
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-DPATAS5JSRUDHOCJ -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-DPATAS5JSRUDHOCJ -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-DPATAS5JSRUDHOCJ -j MARK --set-mark 0/0x10000
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-DPATAS5JSRUDHOCJ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-DYWCQ6CTQWE7IQA3 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-DYWCQ6CTQWE7IQA3 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-DYWCQ6CTQWE7IQA3 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-DYWCQ6CTQWE7IQA3 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:09:29 truenas env[20630]: -I KUBE-POD-FW-DYWCQ6CTQWE7IQA3 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DYWCQ6CTQWE7IQA3" -d 172.16.0.45 -j KUBE-POD-FW-DYWCQ6CTQWE7IQA3
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DYWCQ6CTQWE7IQA3" -d 172.16.0.45 -j KUBE-POD-FW-DYWCQ6CTQWE7IQA3
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DYWCQ6CTQWE7IQA3" -d 172.16.0.45 -j KUBE-POD-FW-DYWCQ6CTQWE7IQA3
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DYWCQ6CTQWE7IQA3" -s 172.16.0.45 -j KUBE-POD-FW-DYWCQ6CTQWE7IQA3
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DYWCQ6CTQWE7IQA3" -s 172.16.0.45 -j KUBE-POD-FW-DYWCQ6CTQWE7IQA3
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DYWCQ6CTQWE7IQA3" -s 172.16.0.45 -j KUBE-POD-FW-DYWCQ6CTQWE7IQA3
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DYWCQ6CTQWE7IQA3" -s 172.16.0.45 -j KUBE-POD-FW-DYWCQ6CTQWE7IQA3
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-DYWCQ6CTQWE7IQA3 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-DYWCQ6CTQWE7IQA3 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-DYWCQ6CTQWE7IQA3 -j MARK --set-mark 0/0x10000
Jun  8 03:09:29 truenas env[20630]: -A KUBE-POD-FW-DYWCQ6CTQWE7IQA3 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:09:29 truenas env[20630]: COMMIT
Jun  8 03:10:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 03:10:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 03:10:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 03:14:29 truenas env[20630]: E0608 03:14:29.764641   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:14:29 truenas env[20630]: Error occurred at line: 103
Jun  8 03:14:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:14:29 truenas env[20630]: )
Jun  8 03:14:29 truenas env[20630]: *filter
Jun  8 03:14:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:14:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:14:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-POD-FW-P6KBU4XXF5FPG3ZQ - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-POD-FW-LYQOMX4TUYMV5PKM - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-POD-FW-PPDRGPLVFULXSJF3 - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-POD-FW-HDBVS7ZGIZWTPDP2 - [0:0]
Jun  8 03:14:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:14:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 03:14:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 03:14:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 03:14:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 03:14:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:14:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 03:14:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 03:14:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 03:14:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-P6KBU4XXF5FPG3ZQ 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-P6KBU4XXF5FPG3ZQ 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-P6KBU4XXF5FPG3ZQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-P6KBU4XXF5FPG3ZQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-P6KBU4XXF5FPG3ZQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-P6KBU4XXF5FPG3ZQ" -d 172.16.0.46 -j KUBE-POD-FW-P6KBU4XXF5FPG3ZQ
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-P6KBU4XXF5FPG3ZQ" -d 172.16.0.46 -j KUBE-POD-FW-P6KBU4XXF5FPG3ZQ
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-P6KBU4XXF5FPG3ZQ" -d 172.16.0.46 -j KUBE-POD-FW-P6KBU4XXF5FPG3ZQ
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-P6KBU4XXF5FPG3ZQ" -s 172.16.0.46 -j KUBE-POD-FW-P6KBU4XXF5FPG3ZQ
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-P6KBU4XXF5FPG3ZQ" -s 172.16.0.46 -j KUBE-POD-FW-P6KBU4XXF5FPG3ZQ
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-P6KBU4XXF5FPG3ZQ" -s 172.16.0.46 -j KUBE-POD-FW-P6KBU4XXF5FPG3ZQ
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-P6KBU4XXF5FPG3ZQ" -s 172.16.0.46 -j KUBE-POD-FW-P6KBU4XXF5FPG3ZQ
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-P6KBU4XXF5FPG3ZQ -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-P6KBU4XXF5FPG3ZQ -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-P6KBU4XXF5FPG3ZQ -j MARK --set-mark 0/0x10000
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-P6KBU4XXF5FPG3ZQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-LYQOMX4TUYMV5PKM 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-LYQOMX4TUYMV5PKM 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-LYQOMX4TUYMV5PKM 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-LYQOMX4TUYMV5PKM 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-LYQOMX4TUYMV5PKM 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LYQOMX4TUYMV5PKM" -d 172.16.0.42 -j KUBE-POD-FW-LYQOMX4TUYMV5PKM
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LYQOMX4TUYMV5PKM" -d 172.16.0.42 -j KUBE-POD-FW-LYQOMX4TUYMV5PKM
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LYQOMX4TUYMV5PKM" -d 172.16.0.42 -j KUBE-POD-FW-LYQOMX4TUYMV5PKM
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LYQOMX4TUYMV5PKM" -s 172.16.0.42 -j KUBE-POD-FW-LYQOMX4TUYMV5PKM
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LYQOMX4TUYMV5PKM" -s 172.16.0.42 -j KUBE-POD-FW-LYQOMX4TUYMV5PKM
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LYQOMX4TUYMV5PKM" -s 172.16.0.42 -j KUBE-POD-FW-LYQOMX4TUYMV5PKM
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LYQOMX4TUYMV5PKM" -s 172.16.0.42 -j KUBE-POD-FW-LYQOMX4TUYMV5PKM
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-LYQOMX4TUYMV5PKM -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-LYQOMX4TUYMV5PKM -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-LYQOMX4TUYMV5PKM -j MARK --set-mark 0/0x10000
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-LYQOMX4TUYMV5PKM -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-PPDRGPLVFULXSJF3 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-PPDRGPLVFULXSJF3 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-PPDRGPLVFULXSJF3 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-PPDRGPLVFULXSJF3 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-PPDRGPLVFULXSJF3 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PPDRGPLVFULXSJF3" -d 172.16.0.45 -j KUBE-POD-FW-PPDRGPLVFULXSJF3
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PPDRGPLVFULXSJF3" -d 172.16.0.45 -j KUBE-POD-FW-PPDRGPLVFULXSJF3
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PPDRGPLVFULXSJF3" -d 172.16.0.45 -j KUBE-POD-FW-PPDRGPLVFULXSJF3
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PPDRGPLVFULXSJF3" -s 172.16.0.45 -j KUBE-POD-FW-PPDRGPLVFULXSJF3
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PPDRGPLVFULXSJF3" -s 172.16.0.45 -j KUBE-POD-FW-PPDRGPLVFULXSJF3
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PPDRGPLVFULXSJF3" -s 172.16.0.45 -j KUBE-POD-FW-PPDRGPLVFULXSJF3
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PPDRGPLVFULXSJF3" -s 172.16.0.45 -j KUBE-POD-FW-PPDRGPLVFULXSJF3
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-PPDRGPLVFULXSJF3 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-PPDRGPLVFULXSJF3 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-PPDRGPLVFULXSJF3 -j MARK --set-mark 0/0x10000
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-PPDRGPLVFULXSJF3 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-HDBVS7ZGIZWTPDP2 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-HDBVS7ZGIZWTPDP2 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-HDBVS7ZGIZWTPDP2 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-HDBVS7ZGIZWTPDP2 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:14:29 truenas env[20630]: -I KUBE-POD-FW-HDBVS7ZGIZWTPDP2 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HDBVS7ZGIZWTPDP2" -d 172.16.0.43 -j KUBE-POD-FW-HDBVS7ZGIZWTPDP2
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HDBVS7ZGIZWTPDP2" -d 172.16.0.43 -j KUBE-POD-FW-HDBVS7ZGIZWTPDP2
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HDBVS7ZGIZWTPDP2" -d 172.16.0.43 -j KUBE-POD-FW-HDBVS7ZGIZWTPDP2
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HDBVS7ZGIZWTPDP2" -s 172.16.0.43 -j KUBE-POD-FW-HDBVS7ZGIZWTPDP2
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HDBVS7ZGIZWTPDP2" -s 172.16.0.43 -j KUBE-POD-FW-HDBVS7ZGIZWTPDP2
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HDBVS7ZGIZWTPDP2" -s 172.16.0.43 -j KUBE-POD-FW-HDBVS7ZGIZWTPDP2
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HDBVS7ZGIZWTPDP2" -s 172.16.0.43 -j KUBE-POD-FW-HDBVS7ZGIZWTPDP2
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-HDBVS7ZGIZWTPDP2 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-HDBVS7ZGIZWTPDP2 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-HDBVS7ZGIZWTPDP2 -j MARK --set-mark 0/0x10000
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-HDBVS7ZGIZWTPDP2 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: COMMIT
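Editor's note on the burst above, with an added example that is not part of the captured log or of kube-router's own code. Counting from `*filter` as line 1, line 103 of the restore input that kube-router prints after "Error occurred at line: 103" is the first `-A KUBE-ROUTER-INPUT ... --comment rule to explicitly ACCEPT traffic that comply to network policies ...` rule, and the two rules that follow it for KUBE-ROUTER-FORWARD and KUBE-ROUTER-OUTPUT have the same shape. Every other `--comment` in the dump is double-quoted; these three are not. iptables' `comment` match takes exactly one argument, so iptables-restore reads `rule` as the comment and the next word, `to`, as a stray positional argument, which is precisely the `Bad argument `to'` it reports. Because iptables-restore applies a table atomically, the whole batch is refused, the controller logs "Aborting sync", and the same failure recurs on every pass visible here (22:44, 03:14, 03:19), so no NetworkPolicy change made on this node reaches the kernel until the comment is quoted. The script below, assuming only the syslog prefix format seen on this host and a constructed, shortened copy of the dump, pulls the rejected restore input out of the log, reports which rule the line number points at, reproduces iptables' view of why it fails, and emits the quoted form of each offending rule.

```python
"""Added example, not part of the captured log or of kube-router's code: find the
rule that iptables-restore rejected in a kube-router "Aborting sync" burst and
lint the restore input for the defect behind "Bad argument `to'": a multi-word
--comment value written without quotes. All names below are the example's own."""
import re
import shlex

# syslog prefix as seen on this host: "Jun  8 03:14:29 truenas env[20630]: "
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ?")
ABORT = re.compile(r"Aborting sync\. Failed to run iptables-restore: exit status \d+ \((.*)$")
ERROR_AT = re.compile(r"Error occurred at line: (\d+)")
# an unquoted --comment value: one or more words, none of which starts with '-'
UNQUOTED_COMMENT = re.compile(r'--comment (?!")((?:(?!-)\S+)(?: (?!-)\S+)*)')

# Constructed sample in the shape of the log above (shortened: the real dump has
# 106 restore lines and the rejected rule is line 103; here it is line 7).
SAMPLE_LOG = """\
Jun  8 03:14:29 truenas env[20630]: E0608 03:14:29.764641   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:14:29 truenas env[20630]: Error occurred at line: 7
Jun  8 03:14:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:14:29 truenas env[20630]: )
Jun  8 03:14:29 truenas env[20630]: *filter
Jun  8 03:14:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:14:29 truenas env[20630]: :KUBE-POD-FW-HDBVS7ZGIZWTPDP2 - [0:0]
Jun  8 03:14:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:14:29 truenas env[20630]: -A KUBE-POD-FW-HDBVS7ZGIZWTPDP2 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:14:29 truenas env[20630]: COMMIT
"""


def strip_prefix(line):
    """Drop the syslog timestamp/host/process prefix, leaving kube-router's text."""
    return SYSLOG_PREFIX.sub("", line, count=1)


def extract_restore_dumps(log_text):
    """Return (error_message, reported_line, restore_lines) per aborted sync.
    kube-router prints the rejected restore input right after the error; it runs
    from the first '*<table>' line to 'COMMIT', and the number in
    'Error occurred at line: N' is 1-based within that input."""
    lines = [strip_prefix(l) for l in log_text.splitlines()]
    dumps, i = [], 0
    while i < len(lines):
        m = ABORT.search(lines[i])
        if not m:
            i += 1
            continue
        reported, j = None, i + 1
        while j < len(lines) and not lines[j].startswith("*"):
            at = ERROR_AT.search(lines[j])
            if at:
                reported = int(at.group(1))
            j += 1
        table = []
        while j < len(lines):
            table.append(lines[j])
            j += 1
            if table[-1] == "COMMIT":
                break
        dumps.append((m.group(1), reported, table))
        i = j
    return dumps


def bad_argument(rule):
    """Reproduce iptables' parse: the comment match takes exactly one argument, so
    a second unquoted word becomes a stray positional and iptables-restore aborts
    with "Bad argument `<word>'". Returns that word, or None for a sound rule."""
    try:
        tokens = shlex.split(rule)
    except ValueError:  # unbalanced quotes would break the restore as well
        return "<unbalanced quotes>"
    for k, tok in enumerate(tokens):
        if tok == "--comment" and k + 2 < len(tokens) and not tokens[k + 2].startswith("-"):
            return tokens[k + 2]
    return None


def unquoted_comments(restore_lines):
    """(1-based line, rule) for every rule iptables-restore would reject."""
    return [(n, r) for n, r in enumerate(restore_lines, 1) if bad_argument(r)]


def quote_comment(rule):
    """Wrap an unquoted multi-word comment in double quotes. Assumes comment words
    never start with '-'; iptables' 256-character comment limit is not checked."""
    return UNQUOTED_COMMENT.sub(lambda m: '--comment "%s"' % m.group(1), rule, count=1)


def analyse(log_text):
    """One report per aborted sync: the error, the rule the line number points at,
    the stray token iptables tripped on, and every rule with the same defect."""
    reports = []
    for err, reported, table in extract_restore_dumps(log_text):
        culprit = table[reported - 1] if reported and reported <= len(table) else None
        reports.append({
            "error": err,
            "reported_line": reported,
            "culprit": culprit,
            "bad_argument": bad_argument(culprit) if culprit else None,
            "unquoted": unquoted_comments(table),
        })
    return reports


if __name__ == "__main__":
    for rep in analyse(SAMPLE_LOG):
        print("iptables-restore said:", rep["error"])
        print("line %s: %s" % (rep["reported_line"], rep["culprit"]))
        for n, rule in rep["unquoted"]:
            print("fix line %d -> %s" % (n, quote_comment(rule)))
```

Run it against the real journal (`journalctl -u k3s` or the file this page was taken from, piped into `analyse`) and it will point at line 103 and list the three unquoted KUBE-ROUTER-{INPUT,FORWARD,OUTPUT} rules. The fix belongs in the kube-router binary that generates these rules, not in a hand-patched ruleset: the controller rewrites the whole table on each sync, so anything applied by hand is overwritten on the next pass. Until the sync succeeds, treat the policy state on this node as stale and check it directly with `iptables -S KUBE-ROUTER-FORWARD` rather than trusting what `kubectl get networkpolicy` shows.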
Jun  8 03:17:01 truenas CRON[663449]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jun  8 03:19:29 truenas env[20630]: E0608 03:19:29.776528   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:19:29 truenas env[20630]: Error occurred at line: 103
Jun  8 03:19:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:19:29 truenas env[20630]: )
Jun  8 03:19:29 truenas env[20630]: *filter
Jun  8 03:19:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:19:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:19:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:19:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 03:19:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 03:19:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 03:19:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 03:19:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:19:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:19:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 03:19:29 truenas env[20630]: :KUBE-POD-FW-IR7JL3K6IEMRZI6Y - [0:0]
Jun  8 03:19:29 truenas env[20630]: :KUBE-POD-FW-JDGNIRVB76BOEF5L - [0:0]
Jun  8 03:19:29 truenas env[20630]: :KUBE-POD-FW-GECOYB3MQJAVLBP3 - [0:0]
Jun  8 03:19:29 truenas env[20630]: :KUBE-POD-FW-4OWCHJPIZHTWUXLQ - [0:0]
Jun  8 03:19:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:19:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 03:19:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 03:19:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 03:19:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 03:19:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:19:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 03:19:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 03:19:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 03:19:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-IR7JL3K6IEMRZI6Y 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-IR7JL3K6IEMRZI6Y 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-IR7JL3K6IEMRZI6Y 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-IR7JL3K6IEMRZI6Y 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-IR7JL3K6IEMRZI6Y 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IR7JL3K6IEMRZI6Y" -d 172.16.0.42 -j KUBE-POD-FW-IR7JL3K6IEMRZI6Y
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IR7JL3K6IEMRZI6Y" -d 172.16.0.42 -j KUBE-POD-FW-IR7JL3K6IEMRZI6Y
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IR7JL3K6IEMRZI6Y" -d 172.16.0.42 -j KUBE-POD-FW-IR7JL3K6IEMRZI6Y
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IR7JL3K6IEMRZI6Y" -s 172.16.0.42 -j KUBE-POD-FW-IR7JL3K6IEMRZI6Y
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IR7JL3K6IEMRZI6Y" -s 172.16.0.42 -j KUBE-POD-FW-IR7JL3K6IEMRZI6Y
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IR7JL3K6IEMRZI6Y" -s 172.16.0.42 -j KUBE-POD-FW-IR7JL3K6IEMRZI6Y
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-IR7JL3K6IEMRZI6Y" -s 172.16.0.42 -j KUBE-POD-FW-IR7JL3K6IEMRZI6Y
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-IR7JL3K6IEMRZI6Y -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-IR7JL3K6IEMRZI6Y -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-IR7JL3K6IEMRZI6Y -j MARK --set-mark 0/0x10000
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-IR7JL3K6IEMRZI6Y -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-JDGNIRVB76BOEF5L 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-JDGNIRVB76BOEF5L 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-JDGNIRVB76BOEF5L 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-JDGNIRVB76BOEF5L 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-JDGNIRVB76BOEF5L 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JDGNIRVB76BOEF5L" -d 172.16.0.45 -j KUBE-POD-FW-JDGNIRVB76BOEF5L
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JDGNIRVB76BOEF5L" -d 172.16.0.45 -j KUBE-POD-FW-JDGNIRVB76BOEF5L
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JDGNIRVB76BOEF5L" -d 172.16.0.45 -j KUBE-POD-FW-JDGNIRVB76BOEF5L
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JDGNIRVB76BOEF5L" -s 172.16.0.45 -j KUBE-POD-FW-JDGNIRVB76BOEF5L
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JDGNIRVB76BOEF5L" -s 172.16.0.45 -j KUBE-POD-FW-JDGNIRVB76BOEF5L
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JDGNIRVB76BOEF5L" -s 172.16.0.45 -j KUBE-POD-FW-JDGNIRVB76BOEF5L
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JDGNIRVB76BOEF5L" -s 172.16.0.45 -j KUBE-POD-FW-JDGNIRVB76BOEF5L
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-JDGNIRVB76BOEF5L -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-JDGNIRVB76BOEF5L -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-JDGNIRVB76BOEF5L -j MARK --set-mark 0/0x10000
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-JDGNIRVB76BOEF5L -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-GECOYB3MQJAVLBP3 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-GECOYB3MQJAVLBP3 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-GECOYB3MQJAVLBP3 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-GECOYB3MQJAVLBP3 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-GECOYB3MQJAVLBP3 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GECOYB3MQJAVLBP3" -d 172.16.0.43 -j KUBE-POD-FW-GECOYB3MQJAVLBP3
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GECOYB3MQJAVLBP3" -d 172.16.0.43 -j KUBE-POD-FW-GECOYB3MQJAVLBP3
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GECOYB3MQJAVLBP3" -d 172.16.0.43 -j KUBE-POD-FW-GECOYB3MQJAVLBP3
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GECOYB3MQJAVLBP3" -s 172.16.0.43 -j KUBE-POD-FW-GECOYB3MQJAVLBP3
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GECOYB3MQJAVLBP3" -s 172.16.0.43 -j KUBE-POD-FW-GECOYB3MQJAVLBP3
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GECOYB3MQJAVLBP3" -s 172.16.0.43 -j KUBE-POD-FW-GECOYB3MQJAVLBP3
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-GECOYB3MQJAVLBP3" -s 172.16.0.43 -j KUBE-POD-FW-GECOYB3MQJAVLBP3
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-GECOYB3MQJAVLBP3 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-GECOYB3MQJAVLBP3 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-GECOYB3MQJAVLBP3 -j MARK --set-mark 0/0x10000
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-GECOYB3MQJAVLBP3 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-4OWCHJPIZHTWUXLQ 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-4OWCHJPIZHTWUXLQ 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-4OWCHJPIZHTWUXLQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-4OWCHJPIZHTWUXLQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:19:29 truenas env[20630]: -I KUBE-POD-FW-4OWCHJPIZHTWUXLQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4OWCHJPIZHTWUXLQ" -d 172.16.0.46 -j KUBE-POD-FW-4OWCHJPIZHTWUXLQ
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4OWCHJPIZHTWUXLQ" -d 172.16.0.46 -j KUBE-POD-FW-4OWCHJPIZHTWUXLQ
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4OWCHJPIZHTWUXLQ" -d 172.16.0.46 -j KUBE-POD-FW-4OWCHJPIZHTWUXLQ
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4OWCHJPIZHTWUXLQ" -s 172.16.0.46 -j KUBE-POD-FW-4OWCHJPIZHTWUXLQ
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4OWCHJPIZHTWUXLQ" -s 172.16.0.46 -j KUBE-POD-FW-4OWCHJPIZHTWUXLQ
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4OWCHJPIZHTWUXLQ" -s 172.16.0.46 -j KUBE-POD-FW-4OWCHJPIZHTWUXLQ
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-4OWCHJPIZHTWUXLQ" -s 172.16.0.46 -j KUBE-POD-FW-4OWCHJPIZHTWUXLQ
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-4OWCHJPIZHTWUXLQ -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-4OWCHJPIZHTWUXLQ -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-4OWCHJPIZHTWUXLQ -j MARK --set-mark 0/0x10000
Jun  8 03:19:29 truenas env[20630]: -A KUBE-POD-FW-4OWCHJPIZHTWUXLQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:19:29 truenas env[20630]: COMMIT
Jun  8 03:20:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 03:20:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 03:20:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 03:24:29 truenas env[20630]: E0608 03:24:29.740520   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:24:29 truenas env[20630]: Error occurred at line: 103
Jun  8 03:24:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:24:29 truenas env[20630]: )
Jun  8 03:24:29 truenas env[20630]: *filter
Jun  8 03:24:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:24:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:24:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:24:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 03:24:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 03:24:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 03:24:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 03:24:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:24:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:24:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 03:24:29 truenas env[20630]: :KUBE-POD-FW-77CKM5GRPQIZQ5S2 - [0:0]
Jun  8 03:24:29 truenas env[20630]: :KUBE-POD-FW-NQ42GQL236WNVOTA - [0:0]
Jun  8 03:24:29 truenas env[20630]: :KUBE-POD-FW-BMMLTVWBQZRVJT25 - [0:0]
Jun  8 03:24:29 truenas env[20630]: :KUBE-POD-FW-XXLCH7CMQEDVSF7E - [0:0]
Jun  8 03:24:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:24:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 03:24:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 03:24:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 03:24:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 03:24:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:24:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 03:24:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 03:24:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 03:24:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-77CKM5GRPQIZQ5S2 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-77CKM5GRPQIZQ5S2 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-77CKM5GRPQIZQ5S2 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-77CKM5GRPQIZQ5S2 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-77CKM5GRPQIZQ5S2 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-77CKM5GRPQIZQ5S2" -d 172.16.0.46 -j KUBE-POD-FW-77CKM5GRPQIZQ5S2
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-77CKM5GRPQIZQ5S2" -d 172.16.0.46 -j KUBE-POD-FW-77CKM5GRPQIZQ5S2
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-77CKM5GRPQIZQ5S2" -d 172.16.0.46 -j KUBE-POD-FW-77CKM5GRPQIZQ5S2
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-77CKM5GRPQIZQ5S2" -s 172.16.0.46 -j KUBE-POD-FW-77CKM5GRPQIZQ5S2
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-77CKM5GRPQIZQ5S2" -s 172.16.0.46 -j KUBE-POD-FW-77CKM5GRPQIZQ5S2
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-77CKM5GRPQIZQ5S2" -s 172.16.0.46 -j KUBE-POD-FW-77CKM5GRPQIZQ5S2
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-77CKM5GRPQIZQ5S2" -s 172.16.0.46 -j KUBE-POD-FW-77CKM5GRPQIZQ5S2
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-77CKM5GRPQIZQ5S2 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-77CKM5GRPQIZQ5S2 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-77CKM5GRPQIZQ5S2 -j MARK --set-mark 0/0x10000
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-77CKM5GRPQIZQ5S2 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-NQ42GQL236WNVOTA 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-NQ42GQL236WNVOTA 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-NQ42GQL236WNVOTA 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-NQ42GQL236WNVOTA 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-NQ42GQL236WNVOTA 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NQ42GQL236WNVOTA" -d 172.16.0.42 -j KUBE-POD-FW-NQ42GQL236WNVOTA
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NQ42GQL236WNVOTA" -d 172.16.0.42 -j KUBE-POD-FW-NQ42GQL236WNVOTA
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NQ42GQL236WNVOTA" -d 172.16.0.42 -j KUBE-POD-FW-NQ42GQL236WNVOTA
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NQ42GQL236WNVOTA" -s 172.16.0.42 -j KUBE-POD-FW-NQ42GQL236WNVOTA
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NQ42GQL236WNVOTA" -s 172.16.0.42 -j KUBE-POD-FW-NQ42GQL236WNVOTA
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NQ42GQL236WNVOTA" -s 172.16.0.42 -j KUBE-POD-FW-NQ42GQL236WNVOTA
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-NQ42GQL236WNVOTA" -s 172.16.0.42 -j KUBE-POD-FW-NQ42GQL236WNVOTA
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-NQ42GQL236WNVOTA -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-NQ42GQL236WNVOTA -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-NQ42GQL236WNVOTA -j MARK --set-mark 0/0x10000
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-NQ42GQL236WNVOTA -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-BMMLTVWBQZRVJT25 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-BMMLTVWBQZRVJT25 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-BMMLTVWBQZRVJT25 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-BMMLTVWBQZRVJT25 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-BMMLTVWBQZRVJT25 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-BMMLTVWBQZRVJT25" -d 172.16.0.45 -j KUBE-POD-FW-BMMLTVWBQZRVJT25
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-BMMLTVWBQZRVJT25" -d 172.16.0.45 -j KUBE-POD-FW-BMMLTVWBQZRVJT25
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-BMMLTVWBQZRVJT25" -d 172.16.0.45 -j KUBE-POD-FW-BMMLTVWBQZRVJT25
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-BMMLTVWBQZRVJT25" -s 172.16.0.45 -j KUBE-POD-FW-BMMLTVWBQZRVJT25
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-BMMLTVWBQZRVJT25" -s 172.16.0.45 -j KUBE-POD-FW-BMMLTVWBQZRVJT25
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-BMMLTVWBQZRVJT25" -s 172.16.0.45 -j KUBE-POD-FW-BMMLTVWBQZRVJT25
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-BMMLTVWBQZRVJT25" -s 172.16.0.45 -j KUBE-POD-FW-BMMLTVWBQZRVJT25
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-BMMLTVWBQZRVJT25 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-BMMLTVWBQZRVJT25 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-BMMLTVWBQZRVJT25 -j MARK --set-mark 0/0x10000
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-BMMLTVWBQZRVJT25 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-XXLCH7CMQEDVSF7E 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-XXLCH7CMQEDVSF7E 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-XXLCH7CMQEDVSF7E 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-XXLCH7CMQEDVSF7E 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:24:29 truenas env[20630]: -I KUBE-POD-FW-XXLCH7CMQEDVSF7E 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XXLCH7CMQEDVSF7E" -d 172.16.0.43 -j KUBE-POD-FW-XXLCH7CMQEDVSF7E
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XXLCH7CMQEDVSF7E" -d 172.16.0.43 -j KUBE-POD-FW-XXLCH7CMQEDVSF7E
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XXLCH7CMQEDVSF7E" -d 172.16.0.43 -j KUBE-POD-FW-XXLCH7CMQEDVSF7E
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XXLCH7CMQEDVSF7E" -s 172.16.0.43 -j KUBE-POD-FW-XXLCH7CMQEDVSF7E
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XXLCH7CMQEDVSF7E" -s 172.16.0.43 -j KUBE-POD-FW-XXLCH7CMQEDVSF7E
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XXLCH7CMQEDVSF7E" -s 172.16.0.43 -j KUBE-POD-FW-XXLCH7CMQEDVSF7E
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-XXLCH7CMQEDVSF7E" -s 172.16.0.43 -j KUBE-POD-FW-XXLCH7CMQEDVSF7E
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-XXLCH7CMQEDVSF7E -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-XXLCH7CMQEDVSF7E -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-XXLCH7CMQEDVSF7E -j MARK --set-mark 0/0x10000
Jun  8 03:24:29 truenas env[20630]: -A KUBE-POD-FW-XXLCH7CMQEDVSF7E -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:24:29 truenas env[20630]: COMMIT
Jun  8 03:29:29 truenas env[20630]: E0608 03:29:29.700476   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:29:29 truenas env[20630]: Error occurred at line: 103
Jun  8 03:29:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:29:29 truenas env[20630]: )
Jun  8 03:29:29 truenas env[20630]: *filter
Jun  8 03:29:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:29:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:29:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:29:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 03:29:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 03:29:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 03:29:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 03:29:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:29:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:29:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 03:29:29 truenas env[20630]: :KUBE-POD-FW-LB2R6DPRLKIN7LDX - [0:0]
Jun  8 03:29:29 truenas env[20630]: :KUBE-POD-FW-Y3QAZVMU6DVZTUSQ - [0:0]
Jun  8 03:29:29 truenas env[20630]: :KUBE-POD-FW-L7HACRFBMND56CBQ - [0:0]
Jun  8 03:29:29 truenas env[20630]: :KUBE-POD-FW-E736XG7P2VMUUMRG - [0:0]
Jun  8 03:29:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:29:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 03:29:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 03:29:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 03:29:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 03:29:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:29:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 03:29:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 03:29:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 03:29:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-LB2R6DPRLKIN7LDX 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-LB2R6DPRLKIN7LDX 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-LB2R6DPRLKIN7LDX 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-LB2R6DPRLKIN7LDX 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-LB2R6DPRLKIN7LDX 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LB2R6DPRLKIN7LDX" -d 172.16.0.42 -j KUBE-POD-FW-LB2R6DPRLKIN7LDX
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LB2R6DPRLKIN7LDX" -d 172.16.0.42 -j KUBE-POD-FW-LB2R6DPRLKIN7LDX
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LB2R6DPRLKIN7LDX" -d 172.16.0.42 -j KUBE-POD-FW-LB2R6DPRLKIN7LDX
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LB2R6DPRLKIN7LDX" -s 172.16.0.42 -j KUBE-POD-FW-LB2R6DPRLKIN7LDX
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LB2R6DPRLKIN7LDX" -s 172.16.0.42 -j KUBE-POD-FW-LB2R6DPRLKIN7LDX
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LB2R6DPRLKIN7LDX" -s 172.16.0.42 -j KUBE-POD-FW-LB2R6DPRLKIN7LDX
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LB2R6DPRLKIN7LDX" -s 172.16.0.42 -j KUBE-POD-FW-LB2R6DPRLKIN7LDX
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-LB2R6DPRLKIN7LDX -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-LB2R6DPRLKIN7LDX -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-LB2R6DPRLKIN7LDX -j MARK --set-mark 0/0x10000
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-LB2R6DPRLKIN7LDX -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-Y3QAZVMU6DVZTUSQ 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-Y3QAZVMU6DVZTUSQ 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-Y3QAZVMU6DVZTUSQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-Y3QAZVMU6DVZTUSQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-Y3QAZVMU6DVZTUSQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Y3QAZVMU6DVZTUSQ" -d 172.16.0.45 -j KUBE-POD-FW-Y3QAZVMU6DVZTUSQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Y3QAZVMU6DVZTUSQ" -d 172.16.0.45 -j KUBE-POD-FW-Y3QAZVMU6DVZTUSQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Y3QAZVMU6DVZTUSQ" -d 172.16.0.45 -j KUBE-POD-FW-Y3QAZVMU6DVZTUSQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Y3QAZVMU6DVZTUSQ" -s 172.16.0.45 -j KUBE-POD-FW-Y3QAZVMU6DVZTUSQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Y3QAZVMU6DVZTUSQ" -s 172.16.0.45 -j KUBE-POD-FW-Y3QAZVMU6DVZTUSQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Y3QAZVMU6DVZTUSQ" -s 172.16.0.45 -j KUBE-POD-FW-Y3QAZVMU6DVZTUSQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-Y3QAZVMU6DVZTUSQ" -s 172.16.0.45 -j KUBE-POD-FW-Y3QAZVMU6DVZTUSQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-Y3QAZVMU6DVZTUSQ -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-Y3QAZVMU6DVZTUSQ -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-Y3QAZVMU6DVZTUSQ -j MARK --set-mark 0/0x10000
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-Y3QAZVMU6DVZTUSQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-L7HACRFBMND56CBQ 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-L7HACRFBMND56CBQ 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-L7HACRFBMND56CBQ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-L7HACRFBMND56CBQ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-L7HACRFBMND56CBQ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-L7HACRFBMND56CBQ" -d 172.16.0.43 -j KUBE-POD-FW-L7HACRFBMND56CBQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-L7HACRFBMND56CBQ" -d 172.16.0.43 -j KUBE-POD-FW-L7HACRFBMND56CBQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-L7HACRFBMND56CBQ" -d 172.16.0.43 -j KUBE-POD-FW-L7HACRFBMND56CBQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-L7HACRFBMND56CBQ" -s 172.16.0.43 -j KUBE-POD-FW-L7HACRFBMND56CBQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-L7HACRFBMND56CBQ" -s 172.16.0.43 -j KUBE-POD-FW-L7HACRFBMND56CBQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-L7HACRFBMND56CBQ" -s 172.16.0.43 -j KUBE-POD-FW-L7HACRFBMND56CBQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-L7HACRFBMND56CBQ" -s 172.16.0.43 -j KUBE-POD-FW-L7HACRFBMND56CBQ
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-L7HACRFBMND56CBQ -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-L7HACRFBMND56CBQ -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-L7HACRFBMND56CBQ -j MARK --set-mark 0/0x10000
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-L7HACRFBMND56CBQ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-E736XG7P2VMUUMRG 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-E736XG7P2VMUUMRG 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-E736XG7P2VMUUMRG 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-E736XG7P2VMUUMRG 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:29:29 truenas env[20630]: -I KUBE-POD-FW-E736XG7P2VMUUMRG 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-E736XG7P2VMUUMRG" -d 172.16.0.46 -j KUBE-POD-FW-E736XG7P2VMUUMRG
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-E736XG7P2VMUUMRG" -d 172.16.0.46 -j KUBE-POD-FW-E736XG7P2VMUUMRG
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-E736XG7P2VMUUMRG" -d 172.16.0.46 -j KUBE-POD-FW-E736XG7P2VMUUMRG
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-E736XG7P2VMUUMRG" -s 172.16.0.46 -j KUBE-POD-FW-E736XG7P2VMUUMRG
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-E736XG7P2VMUUMRG" -s 172.16.0.46 -j KUBE-POD-FW-E736XG7P2VMUUMRG
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-E736XG7P2VMUUMRG" -s 172.16.0.46 -j KUBE-POD-FW-E736XG7P2VMUUMRG
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-E736XG7P2VMUUMRG" -s 172.16.0.46 -j KUBE-POD-FW-E736XG7P2VMUUMRG
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-E736XG7P2VMUUMRG -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-E736XG7P2VMUUMRG -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-E736XG7P2VMUUMRG -j MARK --set-mark 0/0x10000
Jun  8 03:29:29 truenas env[20630]: -A KUBE-POD-FW-E736XG7P2VMUUMRG -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:29:29 truenas env[20630]: COMMIT
Jun  8 03:30:01 truenas CRON[677653]: (root) CMD (midclt call dscache.refresh > /dev/null 2>&1)
Jun  8 03:30:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 03:30:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 03:30:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 03:34:29 truenas env[20630]: E0608 03:34:29.748927   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:34:29 truenas env[20630]: Error occurred at line: 103
Jun  8 03:34:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:34:29 truenas env[20630]: )
Jun  8 03:34:29 truenas env[20630]: *filter
Jun  8 03:34:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:34:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:34:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:34:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 03:34:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 03:34:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 03:34:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 03:34:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:34:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:34:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 03:34:29 truenas env[20630]: :KUBE-POD-FW-WTHD2KXOF2WQKCP4 - [0:0]
Jun  8 03:34:29 truenas env[20630]: :KUBE-POD-FW-JIOJCSM4YSCBD5RU - [0:0]
Jun  8 03:34:29 truenas env[20630]: :KUBE-POD-FW-K5H2MNPZTPMAF3PW - [0:0]
Jun  8 03:34:29 truenas env[20630]: :KUBE-POD-FW-PSTG426NHK3HAOUJ - [0:0]
Jun  8 03:34:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:34:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 03:34:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 03:34:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 03:34:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 03:34:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:34:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 03:34:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 03:34:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 03:34:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-WTHD2KXOF2WQKCP4 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-WTHD2KXOF2WQKCP4 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-WTHD2KXOF2WQKCP4 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-WTHD2KXOF2WQKCP4 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-WTHD2KXOF2WQKCP4 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-WTHD2KXOF2WQKCP4" -d 172.16.0.43 -j KUBE-POD-FW-WTHD2KXOF2WQKCP4
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-WTHD2KXOF2WQKCP4" -d 172.16.0.43 -j KUBE-POD-FW-WTHD2KXOF2WQKCP4
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-WTHD2KXOF2WQKCP4" -d 172.16.0.43 -j KUBE-POD-FW-WTHD2KXOF2WQKCP4
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-WTHD2KXOF2WQKCP4" -s 172.16.0.43 -j KUBE-POD-FW-WTHD2KXOF2WQKCP4
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-WTHD2KXOF2WQKCP4" -s 172.16.0.43 -j KUBE-POD-FW-WTHD2KXOF2WQKCP4
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-WTHD2KXOF2WQKCP4" -s 172.16.0.43 -j KUBE-POD-FW-WTHD2KXOF2WQKCP4
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-WTHD2KXOF2WQKCP4" -s 172.16.0.43 -j KUBE-POD-FW-WTHD2KXOF2WQKCP4
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-WTHD2KXOF2WQKCP4 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-WTHD2KXOF2WQKCP4 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-WTHD2KXOF2WQKCP4 -j MARK --set-mark 0/0x10000
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-WTHD2KXOF2WQKCP4 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-JIOJCSM4YSCBD5RU 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-JIOJCSM4YSCBD5RU 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-JIOJCSM4YSCBD5RU 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-JIOJCSM4YSCBD5RU 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-JIOJCSM4YSCBD5RU 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JIOJCSM4YSCBD5RU" -d 172.16.0.46 -j KUBE-POD-FW-JIOJCSM4YSCBD5RU
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JIOJCSM4YSCBD5RU" -d 172.16.0.46 -j KUBE-POD-FW-JIOJCSM4YSCBD5RU
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JIOJCSM4YSCBD5RU" -d 172.16.0.46 -j KUBE-POD-FW-JIOJCSM4YSCBD5RU
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JIOJCSM4YSCBD5RU" -s 172.16.0.46 -j KUBE-POD-FW-JIOJCSM4YSCBD5RU
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JIOJCSM4YSCBD5RU" -s 172.16.0.46 -j KUBE-POD-FW-JIOJCSM4YSCBD5RU
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JIOJCSM4YSCBD5RU" -s 172.16.0.46 -j KUBE-POD-FW-JIOJCSM4YSCBD5RU
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JIOJCSM4YSCBD5RU" -s 172.16.0.46 -j KUBE-POD-FW-JIOJCSM4YSCBD5RU
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-JIOJCSM4YSCBD5RU -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-JIOJCSM4YSCBD5RU -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-JIOJCSM4YSCBD5RU -j MARK --set-mark 0/0x10000
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-JIOJCSM4YSCBD5RU -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-K5H2MNPZTPMAF3PW 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-K5H2MNPZTPMAF3PW 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-K5H2MNPZTPMAF3PW 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-K5H2MNPZTPMAF3PW 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-K5H2MNPZTPMAF3PW 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K5H2MNPZTPMAF3PW" -d 172.16.0.42 -j KUBE-POD-FW-K5H2MNPZTPMAF3PW
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K5H2MNPZTPMAF3PW" -d 172.16.0.42 -j KUBE-POD-FW-K5H2MNPZTPMAF3PW
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K5H2MNPZTPMAF3PW" -d 172.16.0.42 -j KUBE-POD-FW-K5H2MNPZTPMAF3PW
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K5H2MNPZTPMAF3PW" -s 172.16.0.42 -j KUBE-POD-FW-K5H2MNPZTPMAF3PW
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K5H2MNPZTPMAF3PW" -s 172.16.0.42 -j KUBE-POD-FW-K5H2MNPZTPMAF3PW
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K5H2MNPZTPMAF3PW" -s 172.16.0.42 -j KUBE-POD-FW-K5H2MNPZTPMAF3PW
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-K5H2MNPZTPMAF3PW" -s 172.16.0.42 -j KUBE-POD-FW-K5H2MNPZTPMAF3PW
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-K5H2MNPZTPMAF3PW -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-K5H2MNPZTPMAF3PW -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-K5H2MNPZTPMAF3PW -j MARK --set-mark 0/0x10000
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-K5H2MNPZTPMAF3PW -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-PSTG426NHK3HAOUJ 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-PSTG426NHK3HAOUJ 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-PSTG426NHK3HAOUJ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-PSTG426NHK3HAOUJ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:34:29 truenas env[20630]: -I KUBE-POD-FW-PSTG426NHK3HAOUJ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PSTG426NHK3HAOUJ" -d 172.16.0.45 -j KUBE-POD-FW-PSTG426NHK3HAOUJ
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PSTG426NHK3HAOUJ" -d 172.16.0.45 -j KUBE-POD-FW-PSTG426NHK3HAOUJ
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PSTG426NHK3HAOUJ" -d 172.16.0.45 -j KUBE-POD-FW-PSTG426NHK3HAOUJ
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PSTG426NHK3HAOUJ" -s 172.16.0.45 -j KUBE-POD-FW-PSTG426NHK3HAOUJ
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PSTG426NHK3HAOUJ" -s 172.16.0.45 -j KUBE-POD-FW-PSTG426NHK3HAOUJ
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PSTG426NHK3HAOUJ" -s 172.16.0.45 -j KUBE-POD-FW-PSTG426NHK3HAOUJ
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-PSTG426NHK3HAOUJ" -s 172.16.0.45 -j KUBE-POD-FW-PSTG426NHK3HAOUJ
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-PSTG426NHK3HAOUJ -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-PSTG426NHK3HAOUJ -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-PSTG426NHK3HAOUJ -j MARK --set-mark 0/0x10000
Jun  8 03:34:29 truenas env[20630]: -A KUBE-POD-FW-PSTG426NHK3HAOUJ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:34:29 truenas env[20630]: COMMIT
Jun  8 03:39:29 truenas env[20630]: E0608 03:39:29.772600   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:39:29 truenas env[20630]: Error occurred at line: 103
Jun  8 03:39:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:39:29 truenas env[20630]: )
Jun  8 03:39:29 truenas env[20630]: *filter
Jun  8 03:39:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:39:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:39:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:39:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 03:39:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 03:39:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 03:39:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 03:39:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:39:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:39:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 03:39:29 truenas env[20630]: :KUBE-POD-FW-EYXBFB7QPYHOPWFD - [0:0]
Jun  8 03:39:29 truenas env[20630]: :KUBE-POD-FW-TC5MLGA7HEKXK4NN - [0:0]
Jun  8 03:39:29 truenas env[20630]: :KUBE-POD-FW-ISTOEFB5LQ4C3IQB - [0:0]
Jun  8 03:39:29 truenas env[20630]: :KUBE-POD-FW-PZQUTVCJOTGIG4ES - [0:0]
Jun  8 03:39:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:39:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 03:39:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 03:39:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 03:39:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 03:39:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:39:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 03:39:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 03:39:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 03:39:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-EYXBFB7QPYHOPWFD 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-EYXBFB7QPYHOPWFD 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-EYXBFB7QPYHOPWFD 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-EYXBFB7QPYHOPWFD 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-EYXBFB7QPYHOPWFD 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EYXBFB7QPYHOPWFD" -d 172.16.0.46 -j KUBE-POD-FW-EYXBFB7QPYHOPWFD
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EYXBFB7QPYHOPWFD" -d 172.16.0.46 -j KUBE-POD-FW-EYXBFB7QPYHOPWFD
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EYXBFB7QPYHOPWFD" -d 172.16.0.46 -j KUBE-POD-FW-EYXBFB7QPYHOPWFD
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EYXBFB7QPYHOPWFD" -s 172.16.0.46 -j KUBE-POD-FW-EYXBFB7QPYHOPWFD
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EYXBFB7QPYHOPWFD" -s 172.16.0.46 -j KUBE-POD-FW-EYXBFB7QPYHOPWFD
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EYXBFB7QPYHOPWFD" -s 172.16.0.46 -j KUBE-POD-FW-EYXBFB7QPYHOPWFD
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EYXBFB7QPYHOPWFD" -s 172.16.0.46 -j KUBE-POD-FW-EYXBFB7QPYHOPWFD
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-EYXBFB7QPYHOPWFD -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-EYXBFB7QPYHOPWFD -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-EYXBFB7QPYHOPWFD -j MARK --set-mark 0/0x10000
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-EYXBFB7QPYHOPWFD -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-TC5MLGA7HEKXK4NN 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-TC5MLGA7HEKXK4NN 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-TC5MLGA7HEKXK4NN 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-TC5MLGA7HEKXK4NN 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-TC5MLGA7HEKXK4NN 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TC5MLGA7HEKXK4NN" -d 172.16.0.42 -j KUBE-POD-FW-TC5MLGA7HEKXK4NN
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TC5MLGA7HEKXK4NN" -d 172.16.0.42 -j KUBE-POD-FW-TC5MLGA7HEKXK4NN
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TC5MLGA7HEKXK4NN" -d 172.16.0.42 -j KUBE-POD-FW-TC5MLGA7HEKXK4NN
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TC5MLGA7HEKXK4NN" -s 172.16.0.42 -j KUBE-POD-FW-TC5MLGA7HEKXK4NN
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TC5MLGA7HEKXK4NN" -s 172.16.0.42 -j KUBE-POD-FW-TC5MLGA7HEKXK4NN
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TC5MLGA7HEKXK4NN" -s 172.16.0.42 -j KUBE-POD-FW-TC5MLGA7HEKXK4NN
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TC5MLGA7HEKXK4NN" -s 172.16.0.42 -j KUBE-POD-FW-TC5MLGA7HEKXK4NN
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-TC5MLGA7HEKXK4NN -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-TC5MLGA7HEKXK4NN -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-TC5MLGA7HEKXK4NN -j MARK --set-mark 0/0x10000
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-TC5MLGA7HEKXK4NN -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-ISTOEFB5LQ4C3IQB 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-ISTOEFB5LQ4C3IQB 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-ISTOEFB5LQ4C3IQB 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-ISTOEFB5LQ4C3IQB 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-ISTOEFB5LQ4C3IQB 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ISTOEFB5LQ4C3IQB" -d 172.16.0.45 -j KUBE-POD-FW-ISTOEFB5LQ4C3IQB
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ISTOEFB5LQ4C3IQB" -d 172.16.0.45 -j KUBE-POD-FW-ISTOEFB5LQ4C3IQB
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ISTOEFB5LQ4C3IQB" -d 172.16.0.45 -j KUBE-POD-FW-ISTOEFB5LQ4C3IQB
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ISTOEFB5LQ4C3IQB" -s 172.16.0.45 -j KUBE-POD-FW-ISTOEFB5LQ4C3IQB
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ISTOEFB5LQ4C3IQB" -s 172.16.0.45 -j KUBE-POD-FW-ISTOEFB5LQ4C3IQB
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ISTOEFB5LQ4C3IQB" -s 172.16.0.45 -j KUBE-POD-FW-ISTOEFB5LQ4C3IQB
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-ISTOEFB5LQ4C3IQB" -s 172.16.0.45 -j KUBE-POD-FW-ISTOEFB5LQ4C3IQB
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-ISTOEFB5LQ4C3IQB -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-ISTOEFB5LQ4C3IQB -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-ISTOEFB5LQ4C3IQB -j MARK --set-mark 0/0x10000
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-ISTOEFB5LQ4C3IQB -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-PZQUTVCJOTGIG4ES 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-PZQUTVCJOTGIG4ES 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-PZQUTVCJOTGIG4ES 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-PZQUTVCJOTGIG4ES 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:39:29 truenas env[20630]: -I KUBE-POD-FW-PZQUTVCJOTGIG4ES 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PZQUTVCJOTGIG4ES" -d 172.16.0.43 -j KUBE-POD-FW-PZQUTVCJOTGIG4ES
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PZQUTVCJOTGIG4ES" -d 172.16.0.43 -j KUBE-POD-FW-PZQUTVCJOTGIG4ES
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PZQUTVCJOTGIG4ES" -d 172.16.0.43 -j KUBE-POD-FW-PZQUTVCJOTGIG4ES
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PZQUTVCJOTGIG4ES" -s 172.16.0.43 -j KUBE-POD-FW-PZQUTVCJOTGIG4ES
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PZQUTVCJOTGIG4ES" -s 172.16.0.43 -j KUBE-POD-FW-PZQUTVCJOTGIG4ES
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PZQUTVCJOTGIG4ES" -s 172.16.0.43 -j KUBE-POD-FW-PZQUTVCJOTGIG4ES
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PZQUTVCJOTGIG4ES" -s 172.16.0.43 -j KUBE-POD-FW-PZQUTVCJOTGIG4ES
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-PZQUTVCJOTGIG4ES -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-PZQUTVCJOTGIG4ES -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-PZQUTVCJOTGIG4ES -j MARK --set-mark 0/0x10000
Jun  8 03:39:29 truenas env[20630]: -A KUBE-POD-FW-PZQUTVCJOTGIG4ES -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:39:29 truenas env[20630]: COMMIT
Jun  8 03:40:05 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 03:40:05 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 03:40:05 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 03:44:29 truenas env[20630]: E0608 03:44:29.744707   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:44:29 truenas env[20630]: Error occurred at line: 103
Jun  8 03:44:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:44:29 truenas env[20630]: )
Jun  8 03:44:29 truenas env[20630]: *filter
Jun  8 03:44:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:44:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:44:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:44:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 03:44:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 03:44:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 03:44:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 03:44:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:44:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:44:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 03:44:29 truenas env[20630]: :KUBE-POD-FW-X2UMCOQJMSSEIUMI - [0:0]
Jun  8 03:44:29 truenas env[20630]: :KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ - [0:0]
Jun  8 03:44:29 truenas env[20630]: :KUBE-POD-FW-UOQ6RDE2NBGLKT4E - [0:0]
Jun  8 03:44:29 truenas env[20630]: :KUBE-POD-FW-UJBUTWQVBHY5BMH6 - [0:0]
Jun  8 03:44:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:44:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 03:44:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 03:44:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 03:44:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 03:44:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:44:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 03:44:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 03:44:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 03:44:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-X2UMCOQJMSSEIUMI 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-X2UMCOQJMSSEIUMI 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-X2UMCOQJMSSEIUMI 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-X2UMCOQJMSSEIUMI 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-X2UMCOQJMSSEIUMI 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X2UMCOQJMSSEIUMI" -d 172.16.0.42 -j KUBE-POD-FW-X2UMCOQJMSSEIUMI
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X2UMCOQJMSSEIUMI" -d 172.16.0.42 -j KUBE-POD-FW-X2UMCOQJMSSEIUMI
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X2UMCOQJMSSEIUMI" -d 172.16.0.42 -j KUBE-POD-FW-X2UMCOQJMSSEIUMI
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X2UMCOQJMSSEIUMI" -s 172.16.0.42 -j KUBE-POD-FW-X2UMCOQJMSSEIUMI
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X2UMCOQJMSSEIUMI" -s 172.16.0.42 -j KUBE-POD-FW-X2UMCOQJMSSEIUMI
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X2UMCOQJMSSEIUMI" -s 172.16.0.42 -j KUBE-POD-FW-X2UMCOQJMSSEIUMI
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X2UMCOQJMSSEIUMI" -s 172.16.0.42 -j KUBE-POD-FW-X2UMCOQJMSSEIUMI
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-X2UMCOQJMSSEIUMI -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-X2UMCOQJMSSEIUMI -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-X2UMCOQJMSSEIUMI -j MARK --set-mark 0/0x10000
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-X2UMCOQJMSSEIUMI -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ" -d 172.16.0.45 -j KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ" -d 172.16.0.45 -j KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ" -d 172.16.0.45 -j KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ" -s 172.16.0.45 -j KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ" -s 172.16.0.45 -j KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ" -s 172.16.0.45 -j KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ" -s 172.16.0.45 -j KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ -j MARK --set-mark 0/0x10000
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-OBXOWL7ZHY4ZF7XJ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-UOQ6RDE2NBGLKT4E 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-UOQ6RDE2NBGLKT4E 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-UOQ6RDE2NBGLKT4E 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-UOQ6RDE2NBGLKT4E 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-UOQ6RDE2NBGLKT4E 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UOQ6RDE2NBGLKT4E" -d 172.16.0.43 -j KUBE-POD-FW-UOQ6RDE2NBGLKT4E
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UOQ6RDE2NBGLKT4E" -d 172.16.0.43 -j KUBE-POD-FW-UOQ6RDE2NBGLKT4E
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UOQ6RDE2NBGLKT4E" -d 172.16.0.43 -j KUBE-POD-FW-UOQ6RDE2NBGLKT4E
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UOQ6RDE2NBGLKT4E" -s 172.16.0.43 -j KUBE-POD-FW-UOQ6RDE2NBGLKT4E
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UOQ6RDE2NBGLKT4E" -s 172.16.0.43 -j KUBE-POD-FW-UOQ6RDE2NBGLKT4E
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UOQ6RDE2NBGLKT4E" -s 172.16.0.43 -j KUBE-POD-FW-UOQ6RDE2NBGLKT4E
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-UOQ6RDE2NBGLKT4E" -s 172.16.0.43 -j KUBE-POD-FW-UOQ6RDE2NBGLKT4E
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-UOQ6RDE2NBGLKT4E -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-UOQ6RDE2NBGLKT4E -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-UOQ6RDE2NBGLKT4E -j MARK --set-mark 0/0x10000
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-UOQ6RDE2NBGLKT4E -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-UJBUTWQVBHY5BMH6 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-UJBUTWQVBHY5BMH6 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-UJBUTWQVBHY5BMH6 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-UJBUTWQVBHY5BMH6 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:44:29 truenas env[20630]: -I KUBE-POD-FW-UJBUTWQVBHY5BMH6 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UJBUTWQVBHY5BMH6" -d 172.16.0.46 -j KUBE-POD-FW-UJBUTWQVBHY5BMH6
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UJBUTWQVBHY5BMH6" -d 172.16.0.46 -j KUBE-POD-FW-UJBUTWQVBHY5BMH6
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UJBUTWQVBHY5BMH6" -d 172.16.0.46 -j KUBE-POD-FW-UJBUTWQVBHY5BMH6
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UJBUTWQVBHY5BMH6" -s 172.16.0.46 -j KUBE-POD-FW-UJBUTWQVBHY5BMH6
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UJBUTWQVBHY5BMH6" -s 172.16.0.46 -j KUBE-POD-FW-UJBUTWQVBHY5BMH6
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UJBUTWQVBHY5BMH6" -s 172.16.0.46 -j KUBE-POD-FW-UJBUTWQVBHY5BMH6
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-UJBUTWQVBHY5BMH6" -s 172.16.0.46 -j KUBE-POD-FW-UJBUTWQVBHY5BMH6
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-UJBUTWQVBHY5BMH6 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-UJBUTWQVBHY5BMH6 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-UJBUTWQVBHY5BMH6 -j MARK --set-mark 0/0x10000
Jun  8 03:44:29 truenas env[20630]: -A KUBE-POD-FW-UJBUTWQVBHY5BMH6 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: COMMIT
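What the dump above records, and a check for it (an added example for this page, not code from TrueNAS or kube-router): the rule set echoed after "Error occurred at line: 103" is the exact text kube-router piped into iptables-restore. Counting "*filter" as line 1, line 103 of that payload is the first "-A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT ..." rule, whose multi-word comment is not quoted; iptables-restore takes "rule" as the comment and then fails on the next word, which is the "Bad argument `to'" in the error line. Every other comment in the payload is double-quoted. Because iptables-restore parses a whole table before committing it, a parse error applies nothing, so the filter table keeps whatever rule set was loaded last and the per-pod KUBE-POD-FW chains are not refreshed; the retries five minutes apart in this log fail the same way each time. The script below strips the syslog prefix, pulls the payload between "*filter" and "COMMIT", maps the reported line number onto it, flags every unquoted multi-word --comment, and emits the quoted form. The journal excerpt it runs on is constructed: a trimmed copy of the real dump with the line number adjusted to the shorter payload.

```python
import re

# Constructed sample journal: the same syslog prefix, error header and rule syntax as the
# dump above, but with the payload cut down to a few lines (so the reported line is 6, not 103).
SAMPLE_JOURNAL = """\
Jun  8 03:44:29 truenas env[20630]: E0608 03:44:29.748926   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:44:29 truenas env[20630]: Error occurred at line: 6
Jun  8 03:44:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:44:29 truenas env[20630]: )
Jun  8 03:44:29 truenas env[20630]: *filter
Jun  8 03:44:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:44:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:44:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:44:29 truenas env[20630]: COMMIT
"""

# "Jun  8 03:44:29 truenas env[20630]: " -> month, day, time, host, unit[pid]:
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ")

# An unquoted --comment followed by at least one more word that is not an option.
# iptables-restore accepts only the first word as the comment; the second one is the
# "Bad argument" it reports. A single unquoted word, or a "..." comment, is fine.
UNQUOTED_COMMENT = re.compile(r'--comment (?!")(\S+(?: (?!-)\S+)+)')


def strip_prefix(line):
    """Return the message part of one syslog line."""
    return SYSLOG_PREFIX.sub("", line, count=1)


def extract_restore_payload(journal_text):
    """Return (reported_line, payload): the line number iptables-restore reported and the
    echoed rule set from '*filter' to 'COMMIT' inclusive, '*filter' being line 1."""
    reported, payload, inside = None, [], False
    for raw in journal_text.splitlines():
        msg = strip_prefix(raw)
        m = re.match(r"Error occurred at line: (\d+)$", msg)
        if m:
            reported = int(m.group(1))
            continue
        if msg == "*filter":
            inside = True
        if inside:
            payload.append(msg)
        if msg == "COMMIT":
            inside = False
    return reported, payload


def find_unquoted_comment(rule):
    """Return the offending multi-word comment text, or None if the rule is well formed."""
    m = UNQUOTED_COMMENT.search(rule)
    return m.group(1) if m else None


def quote_comment(rule):
    """Return the rule with the multi-word comment wrapped in double quotes, which is the
    form iptables-restore expects (the rest of the line is left untouched)."""
    return UNQUOTED_COMMENT.sub(lambda m: '--comment "%s"' % m.group(1), rule)


def diagnose(journal_text):
    """Return (reported_line, rule_at_that_line, findings) where findings is a list of
    (payload_line_number, unquoted_comment_text) for every malformed rule in the payload."""
    reported, payload = extract_restore_payload(journal_text)
    findings = [(n, c) for n, line in enumerate(payload, start=1)
                if (c := find_unquoted_comment(line))]
    at_reported = payload[reported - 1] if reported and reported <= len(payload) else None
    return reported, at_reported, findings


if __name__ == "__main__":
    reported, rule, findings = diagnose(SAMPLE_JOURNAL)
    print("iptables-restore reported line", reported, "->", rule)
    for n, comment in findings:
        print("line %d: unquoted comment %r" % (n, comment))
        print("  fixed:", quote_comment(rule))
```

Running the script on the full dump above (the payload from "*filter" to "COMMIT", with the syslog prefix present) reports line 103 and flags the three "rule to explicitly ACCEPT" rules at the tail of the payload, nothing else. The same check can be done offline against a saved rule file with iptables-restore --test, which parses the file without committing it; until the comments are quoted, that test fails on the same line and the node keeps running the stale filter table.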
Jun  8 03:45:01 truenas CRON[694027]: (root) CMD (midclt call config.backup >/dev/null 2>&1)
Jun  8 03:45:01 truenas CRON[694028]: (root) CMD (midclt call pool.scrub.run boot-pool 7 > /dev/null 2>&1)
Jun  8 03:49:29 truenas env[20630]: E0608 03:49:29.776985   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:49:29 truenas env[20630]: Error occurred at line: 103
Jun  8 03:49:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:49:29 truenas env[20630]: )
Jun  8 03:49:29 truenas env[20630]: *filter
Jun  8 03:49:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:49:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:49:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:49:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 03:49:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 03:49:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 03:49:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 03:49:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:49:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:49:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 03:49:29 truenas env[20630]: :KUBE-POD-FW-7J22QKZ7CD6XYNAB - [0:0]
Jun  8 03:49:29 truenas env[20630]: :KUBE-POD-FW-DLKRXJGOAHKA26YK - [0:0]
Jun  8 03:49:29 truenas env[20630]: :KUBE-POD-FW-SYMQ2WWLNHABPODL - [0:0]
Jun  8 03:49:29 truenas env[20630]: :KUBE-POD-FW-634RGXAGNKUIX2HB - [0:0]
Jun  8 03:49:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:49:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 03:49:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 03:49:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 03:49:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 03:49:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:49:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 03:49:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 03:49:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 03:49:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-7J22QKZ7CD6XYNAB 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-7J22QKZ7CD6XYNAB 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-7J22QKZ7CD6XYNAB 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-7J22QKZ7CD6XYNAB 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-7J22QKZ7CD6XYNAB 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-7J22QKZ7CD6XYNAB" -d 172.16.0.46 -j KUBE-POD-FW-7J22QKZ7CD6XYNAB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-7J22QKZ7CD6XYNAB" -d 172.16.0.46 -j KUBE-POD-FW-7J22QKZ7CD6XYNAB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-7J22QKZ7CD6XYNAB" -d 172.16.0.46 -j KUBE-POD-FW-7J22QKZ7CD6XYNAB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-7J22QKZ7CD6XYNAB" -s 172.16.0.46 -j KUBE-POD-FW-7J22QKZ7CD6XYNAB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-7J22QKZ7CD6XYNAB" -s 172.16.0.46 -j KUBE-POD-FW-7J22QKZ7CD6XYNAB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-7J22QKZ7CD6XYNAB" -s 172.16.0.46 -j KUBE-POD-FW-7J22QKZ7CD6XYNAB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-7J22QKZ7CD6XYNAB" -s 172.16.0.46 -j KUBE-POD-FW-7J22QKZ7CD6XYNAB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-7J22QKZ7CD6XYNAB -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-7J22QKZ7CD6XYNAB -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-7J22QKZ7CD6XYNAB -j MARK --set-mark 0/0x10000
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-7J22QKZ7CD6XYNAB -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-DLKRXJGOAHKA26YK 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-DLKRXJGOAHKA26YK 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-DLKRXJGOAHKA26YK 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-DLKRXJGOAHKA26YK 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-DLKRXJGOAHKA26YK 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DLKRXJGOAHKA26YK" -d 172.16.0.42 -j KUBE-POD-FW-DLKRXJGOAHKA26YK
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DLKRXJGOAHKA26YK" -d 172.16.0.42 -j KUBE-POD-FW-DLKRXJGOAHKA26YK
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DLKRXJGOAHKA26YK" -d 172.16.0.42 -j KUBE-POD-FW-DLKRXJGOAHKA26YK
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DLKRXJGOAHKA26YK" -s 172.16.0.42 -j KUBE-POD-FW-DLKRXJGOAHKA26YK
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DLKRXJGOAHKA26YK" -s 172.16.0.42 -j KUBE-POD-FW-DLKRXJGOAHKA26YK
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DLKRXJGOAHKA26YK" -s 172.16.0.42 -j KUBE-POD-FW-DLKRXJGOAHKA26YK
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DLKRXJGOAHKA26YK" -s 172.16.0.42 -j KUBE-POD-FW-DLKRXJGOAHKA26YK
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-DLKRXJGOAHKA26YK -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-DLKRXJGOAHKA26YK -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-DLKRXJGOAHKA26YK -j MARK --set-mark 0/0x10000
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-DLKRXJGOAHKA26YK -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-SYMQ2WWLNHABPODL 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-SYMQ2WWLNHABPODL 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-SYMQ2WWLNHABPODL 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-SYMQ2WWLNHABPODL 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-SYMQ2WWLNHABPODL 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SYMQ2WWLNHABPODL" -d 172.16.0.45 -j KUBE-POD-FW-SYMQ2WWLNHABPODL
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SYMQ2WWLNHABPODL" -d 172.16.0.45 -j KUBE-POD-FW-SYMQ2WWLNHABPODL
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SYMQ2WWLNHABPODL" -d 172.16.0.45 -j KUBE-POD-FW-SYMQ2WWLNHABPODL
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SYMQ2WWLNHABPODL" -s 172.16.0.45 -j KUBE-POD-FW-SYMQ2WWLNHABPODL
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SYMQ2WWLNHABPODL" -s 172.16.0.45 -j KUBE-POD-FW-SYMQ2WWLNHABPODL
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SYMQ2WWLNHABPODL" -s 172.16.0.45 -j KUBE-POD-FW-SYMQ2WWLNHABPODL
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-SYMQ2WWLNHABPODL" -s 172.16.0.45 -j KUBE-POD-FW-SYMQ2WWLNHABPODL
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-SYMQ2WWLNHABPODL -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-SYMQ2WWLNHABPODL -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-SYMQ2WWLNHABPODL -j MARK --set-mark 0/0x10000
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-SYMQ2WWLNHABPODL -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-634RGXAGNKUIX2HB 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-634RGXAGNKUIX2HB 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-634RGXAGNKUIX2HB 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-634RGXAGNKUIX2HB 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:49:29 truenas env[20630]: -I KUBE-POD-FW-634RGXAGNKUIX2HB 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-634RGXAGNKUIX2HB" -d 172.16.0.43 -j KUBE-POD-FW-634RGXAGNKUIX2HB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-634RGXAGNKUIX2HB" -d 172.16.0.43 -j KUBE-POD-FW-634RGXAGNKUIX2HB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-634RGXAGNKUIX2HB" -d 172.16.0.43 -j KUBE-POD-FW-634RGXAGNKUIX2HB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-634RGXAGNKUIX2HB" -s 172.16.0.43 -j KUBE-POD-FW-634RGXAGNKUIX2HB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-634RGXAGNKUIX2HB" -s 172.16.0.43 -j KUBE-POD-FW-634RGXAGNKUIX2HB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-634RGXAGNKUIX2HB" -s 172.16.0.43 -j KUBE-POD-FW-634RGXAGNKUIX2HB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-634RGXAGNKUIX2HB" -s 172.16.0.43 -j KUBE-POD-FW-634RGXAGNKUIX2HB
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-634RGXAGNKUIX2HB -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-634RGXAGNKUIX2HB -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-634RGXAGNKUIX2HB -j MARK --set-mark 0/0x10000
Jun  8 03:49:29 truenas env[20630]: -A KUBE-POD-FW-634RGXAGNKUIX2HB -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:49:29 truenas env[20630]: COMMIT
Jun  8 03:50:06 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 03:50:06 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 03:50:06 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 03:54:29 truenas env[20630]: E0608 03:54:29.756857   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:54:29 truenas env[20630]: Error occurred at line: 103
Jun  8 03:54:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:54:29 truenas env[20630]: )
Jun  8 03:54:29 truenas env[20630]: *filter
Jun  8 03:54:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:54:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:54:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:54:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 03:54:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 03:54:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 03:54:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 03:54:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:54:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:54:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 03:54:29 truenas env[20630]: :KUBE-POD-FW-JZQR5ENAOW37RWIK - [0:0]
Jun  8 03:54:29 truenas env[20630]: :KUBE-POD-FW-M2ID4ICOC4VG5OG3 - [0:0]
Jun  8 03:54:29 truenas env[20630]: :KUBE-POD-FW-E4PGYCYSVHEJCMOL - [0:0]
Jun  8 03:54:29 truenas env[20630]: :KUBE-POD-FW-YKH72YAPTMOA4U3K - [0:0]
Jun  8 03:54:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:54:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 03:54:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 03:54:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 03:54:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 03:54:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:54:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 03:54:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 03:54:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 03:54:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-JZQR5ENAOW37RWIK 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-JZQR5ENAOW37RWIK 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-JZQR5ENAOW37RWIK 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-JZQR5ENAOW37RWIK 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-JZQR5ENAOW37RWIK 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JZQR5ENAOW37RWIK" -d 172.16.0.43 -j KUBE-POD-FW-JZQR5ENAOW37RWIK
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JZQR5ENAOW37RWIK" -d 172.16.0.43 -j KUBE-POD-FW-JZQR5ENAOW37RWIK
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JZQR5ENAOW37RWIK" -d 172.16.0.43 -j KUBE-POD-FW-JZQR5ENAOW37RWIK
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JZQR5ENAOW37RWIK" -s 172.16.0.43 -j KUBE-POD-FW-JZQR5ENAOW37RWIK
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JZQR5ENAOW37RWIK" -s 172.16.0.43 -j KUBE-POD-FW-JZQR5ENAOW37RWIK
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JZQR5ENAOW37RWIK" -s 172.16.0.43 -j KUBE-POD-FW-JZQR5ENAOW37RWIK
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-JZQR5ENAOW37RWIK" -s 172.16.0.43 -j KUBE-POD-FW-JZQR5ENAOW37RWIK
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-JZQR5ENAOW37RWIK -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-JZQR5ENAOW37RWIK -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-JZQR5ENAOW37RWIK -j MARK --set-mark 0/0x10000
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-JZQR5ENAOW37RWIK -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-M2ID4ICOC4VG5OG3 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-M2ID4ICOC4VG5OG3 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-M2ID4ICOC4VG5OG3 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-M2ID4ICOC4VG5OG3 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-M2ID4ICOC4VG5OG3 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M2ID4ICOC4VG5OG3" -d 172.16.0.46 -j KUBE-POD-FW-M2ID4ICOC4VG5OG3
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M2ID4ICOC4VG5OG3" -d 172.16.0.46 -j KUBE-POD-FW-M2ID4ICOC4VG5OG3
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M2ID4ICOC4VG5OG3" -d 172.16.0.46 -j KUBE-POD-FW-M2ID4ICOC4VG5OG3
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M2ID4ICOC4VG5OG3" -s 172.16.0.46 -j KUBE-POD-FW-M2ID4ICOC4VG5OG3
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M2ID4ICOC4VG5OG3" -s 172.16.0.46 -j KUBE-POD-FW-M2ID4ICOC4VG5OG3
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M2ID4ICOC4VG5OG3" -s 172.16.0.46 -j KUBE-POD-FW-M2ID4ICOC4VG5OG3
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-M2ID4ICOC4VG5OG3" -s 172.16.0.46 -j KUBE-POD-FW-M2ID4ICOC4VG5OG3
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-M2ID4ICOC4VG5OG3 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-M2ID4ICOC4VG5OG3 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-M2ID4ICOC4VG5OG3 -j MARK --set-mark 0/0x10000
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-M2ID4ICOC4VG5OG3 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-E4PGYCYSVHEJCMOL 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-E4PGYCYSVHEJCMOL 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-E4PGYCYSVHEJCMOL 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-E4PGYCYSVHEJCMOL 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-E4PGYCYSVHEJCMOL 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E4PGYCYSVHEJCMOL" -d 172.16.0.42 -j KUBE-POD-FW-E4PGYCYSVHEJCMOL
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E4PGYCYSVHEJCMOL" -d 172.16.0.42 -j KUBE-POD-FW-E4PGYCYSVHEJCMOL
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E4PGYCYSVHEJCMOL" -d 172.16.0.42 -j KUBE-POD-FW-E4PGYCYSVHEJCMOL
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E4PGYCYSVHEJCMOL" -s 172.16.0.42 -j KUBE-POD-FW-E4PGYCYSVHEJCMOL
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E4PGYCYSVHEJCMOL" -s 172.16.0.42 -j KUBE-POD-FW-E4PGYCYSVHEJCMOL
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E4PGYCYSVHEJCMOL" -s 172.16.0.42 -j KUBE-POD-FW-E4PGYCYSVHEJCMOL
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E4PGYCYSVHEJCMOL" -s 172.16.0.42 -j KUBE-POD-FW-E4PGYCYSVHEJCMOL
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-E4PGYCYSVHEJCMOL -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-E4PGYCYSVHEJCMOL -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-E4PGYCYSVHEJCMOL -j MARK --set-mark 0/0x10000
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-E4PGYCYSVHEJCMOL -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-YKH72YAPTMOA4U3K 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-YKH72YAPTMOA4U3K 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-YKH72YAPTMOA4U3K 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-YKH72YAPTMOA4U3K 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:54:29 truenas env[20630]: -I KUBE-POD-FW-YKH72YAPTMOA4U3K 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YKH72YAPTMOA4U3K" -d 172.16.0.45 -j KUBE-POD-FW-YKH72YAPTMOA4U3K
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YKH72YAPTMOA4U3K" -d 172.16.0.45 -j KUBE-POD-FW-YKH72YAPTMOA4U3K
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YKH72YAPTMOA4U3K" -d 172.16.0.45 -j KUBE-POD-FW-YKH72YAPTMOA4U3K
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YKH72YAPTMOA4U3K" -s 172.16.0.45 -j KUBE-POD-FW-YKH72YAPTMOA4U3K
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YKH72YAPTMOA4U3K" -s 172.16.0.45 -j KUBE-POD-FW-YKH72YAPTMOA4U3K
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YKH72YAPTMOA4U3K" -s 172.16.0.45 -j KUBE-POD-FW-YKH72YAPTMOA4U3K
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YKH72YAPTMOA4U3K" -s 172.16.0.45 -j KUBE-POD-FW-YKH72YAPTMOA4U3K
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-YKH72YAPTMOA4U3K -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-YKH72YAPTMOA4U3K -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-YKH72YAPTMOA4U3K -j MARK --set-mark 0/0x10000
Jun  8 03:54:29 truenas env[20630]: -A KUBE-POD-FW-YKH72YAPTMOA4U3K -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:54:29 truenas env[20630]: COMMIT
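The failure above is diagnosable from the dump itself. kube-router prints the exact input it handed to iptables-restore, starting at `*filter`; counting that as line 1, line 103 of the 03:54:29 dump is the `-A KUBE-ROUTER-INPUT ... --comment rule to explicitly ACCEPT traffic that comply to network policies ...` rule. It is the only kind of rule in the dump whose comment is not wrapped in double quotes, so iptables-restore takes `rule` as the comment and trips on the next word, which is exactly the reported `Bad argument `to'`. Because iptables-restore applies a table atomically at COMMIT, a parse error changes nothing: the node keeps whatever ruleset the last successful sync installed, and every NetworkPolicy or pod-IP change since then goes unenforced on this node, with the same error repeating on each sync (five minutes apart here). The script below is an added example, not part of this log and not kube-router code. It parses the syslog lines, pairs each "Aborting sync" with the dumped ruleset that follows, pulls out the rule at the reported line number, predicts the bad argument from the unquoted comment, and shows the quoted form that the other rules on the page already use. The log excerpt inside it is constructed from the shape of these entries with a shortened ruleset so the reported line is 5 rather than 103.

```python
import re
from dataclasses import dataclass, field

# Syslog prefix as on this page: "Jun  8 03:54:29 truenas env[20630]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ABORT_RE = re.compile(r"Aborting sync\. Failed to run iptables-restore: exit status (\d+)")
ERRLINE_RE = re.compile(r"^Error occurred at line: (\d+)$")
# "--comment <word> <next>": if <word> is not quoted, iptables-restore treats <next>
# as a stray positional argument and reports "Bad argument `<next>'".
COMMENT_RE = re.compile(r"-m comment --comment (\S+)(?:\s+(\S+))?")
# An unquoted comment runs from the first word after --comment up to the next "-" token.
UNQUOTED_RE = re.compile(r'(-m comment --comment )([^"\s-]\S*(?: (?!-)\S+)*)')


@dataclass
class RestoreFailure:
    timestamp: str
    pid: str
    error_line: int                               # 1-based line inside the restore input
    ruleset: list = field(default_factory=list)   # dumped input, "*filter" .. "COMMIT"

    @property
    def offending_rule(self):
        if 1 <= self.error_line <= len(self.ruleset):
            return self.ruleset[self.error_line - 1]
        return None


def unquoted_comment(rule: str):
    """Return (first_word, next_word) for an unquoted --comment value, else None."""
    m = COMMENT_RE.search(rule)
    if m and not m.group(1).startswith('"'):
        return m.group(1), m.group(2)
    return None


def quote_comment(rule: str) -> str:
    """Wrap an unquoted --comment value in double quotes; quoted rules are returned unchanged."""
    return UNQUOTED_RE.sub(r'\1"\2"', rule, count=1)


def parse_restore_failures(log_text: str):
    """Pair each 'Aborting sync' entry with the ruleset dump that follows it."""
    failures, current = [], None
    for raw in log_text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if ABORT_RE.search(msg):
            current = RestoreFailure(m.group("ts"), m.group("pid"), error_line=0)
            failures.append(current)
            continue
        if current is None:
            continue
        e = ERRLINE_RE.match(msg)
        if e:
            current.error_line = int(e.group(1))
        elif msg.startswith("*") or current.ruleset:   # dump runs from "*<table>" to "COMMIT"
            current.ruleset.append(msg)
            if msg == "COMMIT":
                current = None
    return failures


def diagnose(log_text: str):
    """For each aborted sync, the rule at the reported line and the argument it breaks on."""
    findings = []
    for f in parse_restore_failures(log_text):
        rule = f.offending_rule
        bad = unquoted_comment(rule) if rule else None
        findings.append({
            "timestamp": f.timestamp, "error_line": f.error_line, "rule": rule,
            "unquoted_comment_word": bad[0] if bad else None,
            "predicted_bad_argument": bad[1] if bad else None,
            "fixed_rule": quote_comment(rule) if bad else None,
        })
    return findings


def _kube_router_dump(ts: str) -> str:
    """Constructed excerpt in the shape of this page's entries (not a real capture)."""
    prefix = f"{ts} truenas env[20630]: "
    lines = [
        "E0608 " + ts.split()[-1] + ".756857   20630 network_policy_controller.go:276] "
        "Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'",
        "Error occurred at line: 5",
        "Try `iptables-restore -h' or 'iptables-restore --help' for more information.",
        ")",
        "*filter",
        ":KUBE-ROUTER-INPUT - [0:0]",
        '-A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN',
        '-A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000',
        "-A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT",
        "COMMIT",
    ]
    return "".join(prefix + line + "\n" for line in lines)


SAMPLE_LOG = (
    _kube_router_dump("Jun  8 03:54:29")
    + "Jun  8 03:59:06 truenas smartd[3887]: Device: /dev/sdc [SAT], SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 81 to 82\n"
    + _kube_router_dump("Jun  8 03:59:29")
)

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding["timestamp"], "line", finding["error_line"], "->", finding["rule"])
        print("  bad argument:", finding["predicted_bad_argument"], "| fixed:", finding["fixed_rule"])
```

Run against the real journal (`journalctl -o short -u k3s` or the syslog file this page came from) instead of `SAMPLE_LOG` and the same function points at line 103. The fix itself belongs in the controller that generates the rule, not in the node: the comment has to be emitted quoted, as every other comment in the dump is; until then, `iptables-save -t filter` on the node shows the stale ruleset that is actually in force.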
Jun  8 03:59:06 truenas smartd[3887]: Device: /dev/sdc [SAT], SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 81 to 82
Jun  8 03:59:06 truenas smartd[3887]: Device: /dev/sdc [SAT], SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 81 to 82
Jun  8 03:59:26 truenas nscd[710139]: 710139 monitoring file `/etc/hosts` (1)
Jun  8 03:59:26 truenas nscd[710139]: 710139 monitoring directory `/etc` (2)
Jun  8 03:59:26 truenas nscd[710139]: 710139 monitoring file `/etc/resolv.conf` (3)
Jun  8 03:59:26 truenas nscd[710139]: 710139 monitoring directory `/etc` (2)
Jun  8 03:59:26 truenas nscd[710139]: 710139 cannot create /var/cache/nscd/hosts; no persistent database used
Jun  8 03:59:29 truenas env[20630]: E0608 03:59:29.768529   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 03:59:29 truenas env[20630]: Error occurred at line: 103
Jun  8 03:59:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 03:59:29 truenas env[20630]: )
Jun  8 03:59:29 truenas env[20630]: *filter
Jun  8 03:59:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 03:59:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 03:59:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 03:59:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 03:59:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 03:59:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 03:59:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 03:59:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 03:59:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 03:59:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 03:59:29 truenas env[20630]: :KUBE-POD-FW-3Z4HJBHIUAUQCJIF - [0:0]
Jun  8 03:59:29 truenas env[20630]: :KUBE-POD-FW-SZALPQUNMOYICSLH - [0:0]
Jun  8 03:59:29 truenas env[20630]: :KUBE-POD-FW-C6F3EL3ET4AILG4Q - [0:0]
Jun  8 03:59:29 truenas env[20630]: :KUBE-POD-FW-2WMB5HJINAEO5A63 - [0:0]
Jun  8 03:59:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 03:59:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 03:59:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 03:59:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 03:59:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 03:59:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 03:59:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 03:59:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 03:59:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 03:59:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-3Z4HJBHIUAUQCJIF 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-3Z4HJBHIUAUQCJIF 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-3Z4HJBHIUAUQCJIF 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-3Z4HJBHIUAUQCJIF 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-3Z4HJBHIUAUQCJIF 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-3Z4HJBHIUAUQCJIF" -d 172.16.0.46 -j KUBE-POD-FW-3Z4HJBHIUAUQCJIF
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-3Z4HJBHIUAUQCJIF" -d 172.16.0.46 -j KUBE-POD-FW-3Z4HJBHIUAUQCJIF
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-3Z4HJBHIUAUQCJIF" -d 172.16.0.46 -j KUBE-POD-FW-3Z4HJBHIUAUQCJIF
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-3Z4HJBHIUAUQCJIF" -s 172.16.0.46 -j KUBE-POD-FW-3Z4HJBHIUAUQCJIF
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-3Z4HJBHIUAUQCJIF" -s 172.16.0.46 -j KUBE-POD-FW-3Z4HJBHIUAUQCJIF
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-3Z4HJBHIUAUQCJIF" -s 172.16.0.46 -j KUBE-POD-FW-3Z4HJBHIUAUQCJIF
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-3Z4HJBHIUAUQCJIF" -s 172.16.0.46 -j KUBE-POD-FW-3Z4HJBHIUAUQCJIF
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-3Z4HJBHIUAUQCJIF -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-3Z4HJBHIUAUQCJIF -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-3Z4HJBHIUAUQCJIF -j MARK --set-mark 0/0x10000
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-3Z4HJBHIUAUQCJIF -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-SZALPQUNMOYICSLH 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-SZALPQUNMOYICSLH 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-SZALPQUNMOYICSLH 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-SZALPQUNMOYICSLH 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-SZALPQUNMOYICSLH 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SZALPQUNMOYICSLH" -d 172.16.0.42 -j KUBE-POD-FW-SZALPQUNMOYICSLH
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SZALPQUNMOYICSLH" -d 172.16.0.42 -j KUBE-POD-FW-SZALPQUNMOYICSLH
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SZALPQUNMOYICSLH" -d 172.16.0.42 -j KUBE-POD-FW-SZALPQUNMOYICSLH
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SZALPQUNMOYICSLH" -s 172.16.0.42 -j KUBE-POD-FW-SZALPQUNMOYICSLH
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SZALPQUNMOYICSLH" -s 172.16.0.42 -j KUBE-POD-FW-SZALPQUNMOYICSLH
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SZALPQUNMOYICSLH" -s 172.16.0.42 -j KUBE-POD-FW-SZALPQUNMOYICSLH
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-SZALPQUNMOYICSLH" -s 172.16.0.42 -j KUBE-POD-FW-SZALPQUNMOYICSLH
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-SZALPQUNMOYICSLH -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-SZALPQUNMOYICSLH -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-SZALPQUNMOYICSLH -j MARK --set-mark 0/0x10000
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-SZALPQUNMOYICSLH -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-C6F3EL3ET4AILG4Q 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-C6F3EL3ET4AILG4Q 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-C6F3EL3ET4AILG4Q 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-C6F3EL3ET4AILG4Q 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-C6F3EL3ET4AILG4Q 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C6F3EL3ET4AILG4Q" -d 172.16.0.45 -j KUBE-POD-FW-C6F3EL3ET4AILG4Q
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C6F3EL3ET4AILG4Q" -d 172.16.0.45 -j KUBE-POD-FW-C6F3EL3ET4AILG4Q
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C6F3EL3ET4AILG4Q" -d 172.16.0.45 -j KUBE-POD-FW-C6F3EL3ET4AILG4Q
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C6F3EL3ET4AILG4Q" -s 172.16.0.45 -j KUBE-POD-FW-C6F3EL3ET4AILG4Q
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C6F3EL3ET4AILG4Q" -s 172.16.0.45 -j KUBE-POD-FW-C6F3EL3ET4AILG4Q
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C6F3EL3ET4AILG4Q" -s 172.16.0.45 -j KUBE-POD-FW-C6F3EL3ET4AILG4Q
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-C6F3EL3ET4AILG4Q" -s 172.16.0.45 -j KUBE-POD-FW-C6F3EL3ET4AILG4Q
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-C6F3EL3ET4AILG4Q -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-C6F3EL3ET4AILG4Q -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-C6F3EL3ET4AILG4Q -j MARK --set-mark 0/0x10000
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-C6F3EL3ET4AILG4Q -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-2WMB5HJINAEO5A63 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-2WMB5HJINAEO5A63 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-2WMB5HJINAEO5A63 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-2WMB5HJINAEO5A63 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 03:59:29 truenas env[20630]: -I KUBE-POD-FW-2WMB5HJINAEO5A63 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-2WMB5HJINAEO5A63" -d 172.16.0.43 -j KUBE-POD-FW-2WMB5HJINAEO5A63
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-2WMB5HJINAEO5A63" -d 172.16.0.43 -j KUBE-POD-FW-2WMB5HJINAEO5A63
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-2WMB5HJINAEO5A63" -d 172.16.0.43 -j KUBE-POD-FW-2WMB5HJINAEO5A63
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-2WMB5HJINAEO5A63" -s 172.16.0.43 -j KUBE-POD-FW-2WMB5HJINAEO5A63
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-2WMB5HJINAEO5A63" -s 172.16.0.43 -j KUBE-POD-FW-2WMB5HJINAEO5A63
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-2WMB5HJINAEO5A63" -s 172.16.0.43 -j KUBE-POD-FW-2WMB5HJINAEO5A63
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-2WMB5HJINAEO5A63" -s 172.16.0.43 -j KUBE-POD-FW-2WMB5HJINAEO5A63
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-2WMB5HJINAEO5A63 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-2WMB5HJINAEO5A63 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-2WMB5HJINAEO5A63 -j MARK --set-mark 0/0x10000
Jun  8 03:59:29 truenas env[20630]: -A KUBE-POD-FW-2WMB5HJINAEO5A63 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 03:59:29 truenas env[20630]: COMMIT
Jun  8 04:00:06 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 04:00:06 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 04:00:06 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 04:04:29 truenas env[20630]: E0608 04:04:29.732797   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:04:29 truenas env[20630]: Error occurred at line: 103
Jun  8 04:04:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:04:29 truenas env[20630]: )
Jun  8 04:04:29 truenas env[20630]: *filter
Jun  8 04:04:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:04:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:04:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:04:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:04:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:04:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:04:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:04:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:04:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:04:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:04:29 truenas env[20630]: :KUBE-POD-FW-PCFY6WD73RZPVO3V - [0:0]
Jun  8 04:04:29 truenas env[20630]: :KUBE-POD-FW-GBJWYH75VMSW5IWG - [0:0]
Jun  8 04:04:29 truenas env[20630]: :KUBE-POD-FW-I7HNTNQQPQHX4NM6 - [0:0]
Jun  8 04:04:29 truenas env[20630]: :KUBE-POD-FW-CN2PJ4HMT67ZR4T7 - [0:0]
Jun  8 04:04:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:04:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:04:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:04:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:04:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:04:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:04:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:04:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:04:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:04:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-PCFY6WD73RZPVO3V 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-PCFY6WD73RZPVO3V 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-PCFY6WD73RZPVO3V 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-PCFY6WD73RZPVO3V 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-PCFY6WD73RZPVO3V 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PCFY6WD73RZPVO3V" -d 172.16.0.46 -j KUBE-POD-FW-PCFY6WD73RZPVO3V
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PCFY6WD73RZPVO3V" -d 172.16.0.46 -j KUBE-POD-FW-PCFY6WD73RZPVO3V
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PCFY6WD73RZPVO3V" -d 172.16.0.46 -j KUBE-POD-FW-PCFY6WD73RZPVO3V
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PCFY6WD73RZPVO3V" -s 172.16.0.46 -j KUBE-POD-FW-PCFY6WD73RZPVO3V
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PCFY6WD73RZPVO3V" -s 172.16.0.46 -j KUBE-POD-FW-PCFY6WD73RZPVO3V
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PCFY6WD73RZPVO3V" -s 172.16.0.46 -j KUBE-POD-FW-PCFY6WD73RZPVO3V
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PCFY6WD73RZPVO3V" -s 172.16.0.46 -j KUBE-POD-FW-PCFY6WD73RZPVO3V
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-PCFY6WD73RZPVO3V -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-PCFY6WD73RZPVO3V -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-PCFY6WD73RZPVO3V -j MARK --set-mark 0/0x10000
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-PCFY6WD73RZPVO3V -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-GBJWYH75VMSW5IWG 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-GBJWYH75VMSW5IWG 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-GBJWYH75VMSW5IWG 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-GBJWYH75VMSW5IWG 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-GBJWYH75VMSW5IWG 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-GBJWYH75VMSW5IWG" -d 172.16.0.42 -j KUBE-POD-FW-GBJWYH75VMSW5IWG
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-GBJWYH75VMSW5IWG" -d 172.16.0.42 -j KUBE-POD-FW-GBJWYH75VMSW5IWG
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-GBJWYH75VMSW5IWG" -d 172.16.0.42 -j KUBE-POD-FW-GBJWYH75VMSW5IWG
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-GBJWYH75VMSW5IWG" -s 172.16.0.42 -j KUBE-POD-FW-GBJWYH75VMSW5IWG
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-GBJWYH75VMSW5IWG" -s 172.16.0.42 -j KUBE-POD-FW-GBJWYH75VMSW5IWG
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-GBJWYH75VMSW5IWG" -s 172.16.0.42 -j KUBE-POD-FW-GBJWYH75VMSW5IWG
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-GBJWYH75VMSW5IWG" -s 172.16.0.42 -j KUBE-POD-FW-GBJWYH75VMSW5IWG
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-GBJWYH75VMSW5IWG -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-GBJWYH75VMSW5IWG -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-GBJWYH75VMSW5IWG -j MARK --set-mark 0/0x10000
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-GBJWYH75VMSW5IWG -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-I7HNTNQQPQHX4NM6 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-I7HNTNQQPQHX4NM6 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-I7HNTNQQPQHX4NM6 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-I7HNTNQQPQHX4NM6 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-I7HNTNQQPQHX4NM6 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-I7HNTNQQPQHX4NM6" -d 172.16.0.45 -j KUBE-POD-FW-I7HNTNQQPQHX4NM6
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-I7HNTNQQPQHX4NM6" -d 172.16.0.45 -j KUBE-POD-FW-I7HNTNQQPQHX4NM6
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-I7HNTNQQPQHX4NM6" -d 172.16.0.45 -j KUBE-POD-FW-I7HNTNQQPQHX4NM6
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-I7HNTNQQPQHX4NM6" -s 172.16.0.45 -j KUBE-POD-FW-I7HNTNQQPQHX4NM6
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-I7HNTNQQPQHX4NM6" -s 172.16.0.45 -j KUBE-POD-FW-I7HNTNQQPQHX4NM6
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-I7HNTNQQPQHX4NM6" -s 172.16.0.45 -j KUBE-POD-FW-I7HNTNQQPQHX4NM6
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-I7HNTNQQPQHX4NM6" -s 172.16.0.45 -j KUBE-POD-FW-I7HNTNQQPQHX4NM6
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-I7HNTNQQPQHX4NM6 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-I7HNTNQQPQHX4NM6 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-I7HNTNQQPQHX4NM6 -j MARK --set-mark 0/0x10000
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-I7HNTNQQPQHX4NM6 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-CN2PJ4HMT67ZR4T7 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-CN2PJ4HMT67ZR4T7 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-CN2PJ4HMT67ZR4T7 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-CN2PJ4HMT67ZR4T7 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:04:29 truenas env[20630]: -I KUBE-POD-FW-CN2PJ4HMT67ZR4T7 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CN2PJ4HMT67ZR4T7" -d 172.16.0.43 -j KUBE-POD-FW-CN2PJ4HMT67ZR4T7
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CN2PJ4HMT67ZR4T7" -d 172.16.0.43 -j KUBE-POD-FW-CN2PJ4HMT67ZR4T7
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CN2PJ4HMT67ZR4T7" -d 172.16.0.43 -j KUBE-POD-FW-CN2PJ4HMT67ZR4T7
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CN2PJ4HMT67ZR4T7" -s 172.16.0.43 -j KUBE-POD-FW-CN2PJ4HMT67ZR4T7
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CN2PJ4HMT67ZR4T7" -s 172.16.0.43 -j KUBE-POD-FW-CN2PJ4HMT67ZR4T7
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CN2PJ4HMT67ZR4T7" -s 172.16.0.43 -j KUBE-POD-FW-CN2PJ4HMT67ZR4T7
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CN2PJ4HMT67ZR4T7" -s 172.16.0.43 -j KUBE-POD-FW-CN2PJ4HMT67ZR4T7
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-CN2PJ4HMT67ZR4T7 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-CN2PJ4HMT67ZR4T7 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-CN2PJ4HMT67ZR4T7 -j MARK --set-mark 0/0x10000
Jun  8 04:04:29 truenas env[20630]: -A KUBE-POD-FW-CN2PJ4HMT67ZR4T7 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:04:29 truenas env[20630]: COMMIT
Jun  8 04:09:29 truenas env[20630]: E0608 04:09:29.764874   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:09:29 truenas env[20630]: Error occurred at line: 103
Jun  8 04:09:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:09:29 truenas env[20630]: )
Jun  8 04:09:29 truenas env[20630]: *filter
Jun  8 04:09:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:09:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:09:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:09:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:09:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:09:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:09:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:09:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:09:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:09:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:09:29 truenas env[20630]: :KUBE-POD-FW-OM5PFI3CWXDBB4OR - [0:0]
Jun  8 04:09:29 truenas env[20630]: :KUBE-POD-FW-7PWMJP537C4IB5QJ - [0:0]
Jun  8 04:09:29 truenas env[20630]: :KUBE-POD-FW-ABELCPVLPQ7XURZC - [0:0]
Jun  8 04:09:29 truenas env[20630]: :KUBE-POD-FW-AXMEZZQBZUO6AK5F - [0:0]
Jun  8 04:09:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:09:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:09:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:09:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:09:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:09:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:09:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:09:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:09:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:09:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-OM5PFI3CWXDBB4OR 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-OM5PFI3CWXDBB4OR 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-OM5PFI3CWXDBB4OR 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-OM5PFI3CWXDBB4OR 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-OM5PFI3CWXDBB4OR 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OM5PFI3CWXDBB4OR" -d 172.16.0.45 -j KUBE-POD-FW-OM5PFI3CWXDBB4OR
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OM5PFI3CWXDBB4OR" -d 172.16.0.45 -j KUBE-POD-FW-OM5PFI3CWXDBB4OR
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OM5PFI3CWXDBB4OR" -d 172.16.0.45 -j KUBE-POD-FW-OM5PFI3CWXDBB4OR
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OM5PFI3CWXDBB4OR" -s 172.16.0.45 -j KUBE-POD-FW-OM5PFI3CWXDBB4OR
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OM5PFI3CWXDBB4OR" -s 172.16.0.45 -j KUBE-POD-FW-OM5PFI3CWXDBB4OR
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OM5PFI3CWXDBB4OR" -s 172.16.0.45 -j KUBE-POD-FW-OM5PFI3CWXDBB4OR
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-OM5PFI3CWXDBB4OR" -s 172.16.0.45 -j KUBE-POD-FW-OM5PFI3CWXDBB4OR
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-OM5PFI3CWXDBB4OR -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-OM5PFI3CWXDBB4OR -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-OM5PFI3CWXDBB4OR -j MARK --set-mark 0/0x10000
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-OM5PFI3CWXDBB4OR -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-7PWMJP537C4IB5QJ 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-7PWMJP537C4IB5QJ 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-7PWMJP537C4IB5QJ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-7PWMJP537C4IB5QJ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-7PWMJP537C4IB5QJ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-7PWMJP537C4IB5QJ" -d 172.16.0.43 -j KUBE-POD-FW-7PWMJP537C4IB5QJ
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-7PWMJP537C4IB5QJ" -d 172.16.0.43 -j KUBE-POD-FW-7PWMJP537C4IB5QJ
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-7PWMJP537C4IB5QJ" -d 172.16.0.43 -j KUBE-POD-FW-7PWMJP537C4IB5QJ
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-7PWMJP537C4IB5QJ" -s 172.16.0.43 -j KUBE-POD-FW-7PWMJP537C4IB5QJ
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-7PWMJP537C4IB5QJ" -s 172.16.0.43 -j KUBE-POD-FW-7PWMJP537C4IB5QJ
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-7PWMJP537C4IB5QJ" -s 172.16.0.43 -j KUBE-POD-FW-7PWMJP537C4IB5QJ
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-7PWMJP537C4IB5QJ" -s 172.16.0.43 -j KUBE-POD-FW-7PWMJP537C4IB5QJ
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-7PWMJP537C4IB5QJ -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-7PWMJP537C4IB5QJ -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-7PWMJP537C4IB5QJ -j MARK --set-mark 0/0x10000
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-7PWMJP537C4IB5QJ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-ABELCPVLPQ7XURZC 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-ABELCPVLPQ7XURZC 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-ABELCPVLPQ7XURZC 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-ABELCPVLPQ7XURZC 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-ABELCPVLPQ7XURZC 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ABELCPVLPQ7XURZC" -d 172.16.0.46 -j KUBE-POD-FW-ABELCPVLPQ7XURZC
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ABELCPVLPQ7XURZC" -d 172.16.0.46 -j KUBE-POD-FW-ABELCPVLPQ7XURZC
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ABELCPVLPQ7XURZC" -d 172.16.0.46 -j KUBE-POD-FW-ABELCPVLPQ7XURZC
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ABELCPVLPQ7XURZC" -s 172.16.0.46 -j KUBE-POD-FW-ABELCPVLPQ7XURZC
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ABELCPVLPQ7XURZC" -s 172.16.0.46 -j KUBE-POD-FW-ABELCPVLPQ7XURZC
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ABELCPVLPQ7XURZC" -s 172.16.0.46 -j KUBE-POD-FW-ABELCPVLPQ7XURZC
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ABELCPVLPQ7XURZC" -s 172.16.0.46 -j KUBE-POD-FW-ABELCPVLPQ7XURZC
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-ABELCPVLPQ7XURZC -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-ABELCPVLPQ7XURZC -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-ABELCPVLPQ7XURZC -j MARK --set-mark 0/0x10000
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-ABELCPVLPQ7XURZC -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-AXMEZZQBZUO6AK5F 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-AXMEZZQBZUO6AK5F 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-AXMEZZQBZUO6AK5F 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-AXMEZZQBZUO6AK5F 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:09:29 truenas env[20630]: -I KUBE-POD-FW-AXMEZZQBZUO6AK5F 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AXMEZZQBZUO6AK5F" -d 172.16.0.42 -j KUBE-POD-FW-AXMEZZQBZUO6AK5F
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AXMEZZQBZUO6AK5F" -d 172.16.0.42 -j KUBE-POD-FW-AXMEZZQBZUO6AK5F
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AXMEZZQBZUO6AK5F" -d 172.16.0.42 -j KUBE-POD-FW-AXMEZZQBZUO6AK5F
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AXMEZZQBZUO6AK5F" -s 172.16.0.42 -j KUBE-POD-FW-AXMEZZQBZUO6AK5F
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AXMEZZQBZUO6AK5F" -s 172.16.0.42 -j KUBE-POD-FW-AXMEZZQBZUO6AK5F
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AXMEZZQBZUO6AK5F" -s 172.16.0.42 -j KUBE-POD-FW-AXMEZZQBZUO6AK5F
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-AXMEZZQBZUO6AK5F" -s 172.16.0.42 -j KUBE-POD-FW-AXMEZZQBZUO6AK5F
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-AXMEZZQBZUO6AK5F -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-AXMEZZQBZUO6AK5F -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-AXMEZZQBZUO6AK5F -j MARK --set-mark 0/0x10000
Jun  8 04:09:29 truenas env[20630]: -A KUBE-POD-FW-AXMEZZQBZUO6AK5F -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: COMMIT
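The dump above is the buffer kube-router handed to iptables-restore when the sync at 04:09:29 aborted. Counting from `*filter` as line 1, the "Error occurred at line: 103" points at `-A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies ...`: the `--comment` value is not quoted, so the option parser takes `rule` as the comment and rejects the next word, which is exactly the "Bad argument `to'" in the error. Every other rule in the dump quotes its comment. Because iptables-restore only replaces a table at `COMMIT`, a parse error before that line means none of the dumped rules were installed; the kernel keeps whatever ruleset was last applied successfully, so per-pod firewall chains and any NetworkPolicy change since then stay stale for as long as this repeats every five minutes. The script below is an added diagnostic, not part of kube-router, TrueNAS or iptables: it strips the syslog prefix, rebuilds the restore buffer, maps the reported line number onto it, tokenises the rule the way a quote-aware option parser does to expose the stray word, and shows the quoted form of the comment. The prefix regex and the quoting fix are this script's own assumptions, and the embedded log excerpt is a constructed, shortened copy of the real one (so its error is at line 5 rather than 103).

```python
"""Diagnose kube-router's "Failed to run iptables-restore ... Bad argument `to'" aborts.

Added diagnostic, not part of kube-router, TrueNAS or iptables. kube-router's
network_policy_controller logs the error, the 1-based line iptables-restore
rejected, and then the whole restore buffer (line 1 is "*filter"). We rebuild
that buffer from syslog, look up the rejected line and tokenise it.
"""
import re
import shlex

# Syslog prefix as seen in the excerpt: "Jun  8 04:09:29 truenas env[20630]: " (assumed shape)
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ env\[\d+\]: ?")
ERROR_LINE = re.compile(r"Error occurred at line: (\d+)")

# Constructed excerpt: same shape as the real dump, reduced to a handful of rules.
SAMPLE_SYSLOG = """\
Jun  8 04:09:29 truenas env[20630]: E0608 04:09:29.764874   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:09:29 truenas env[20630]: Error occurred at line: 5
Jun  8 04:09:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:09:29 truenas env[20630]: )
Jun  8 04:09:29 truenas env[20630]: *filter
Jun  8 04:09:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:09:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:09:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:09:29 truenas env[20630]: COMMIT
"""


def strip_prefix(log_text: str) -> list[str]:
    """Return the message part of every syslog line, prefix removed."""
    return [SYSLOG_PREFIX.sub("", line) for line in log_text.splitlines()]


def restore_buffer(messages: list[str]) -> list[str]:
    """Return the restore buffer kube-router logged after the error: '*filter' .. 'COMMIT'."""
    start = messages.index("*filter")
    end = messages.index("COMMIT", start)
    return messages[start:end + 1]


def tokens(rule: str) -> list[str]:
    """Split a rule like a quote-aware option parser does (double quotes group words)."""
    try:
        return shlex.split(rule)
    except ValueError:  # unbalanced quote: fall back to a plain whitespace split
        return rule.split()


def stray_argument(rule: str):
    """Return the word iptables rejects after --comment, or None if the rule is sound.

    --comment takes exactly one argument. If the token after that argument is not
    an option (does not start with '-'), the comment was not quoted and iptables
    reports that token as "Bad argument `...'".
    """
    toks = tokens(rule)
    for i, tok in enumerate(toks):
        if tok == "--comment" and i + 2 < len(toks) and not toks[i + 2].startswith("-"):
            return toks[i + 2]
    return None


def quote_comment(rule: str) -> str:
    """Wrap an unquoted --comment value in double quotes; quoted comments are left alone."""
    return re.sub(r'--comment (?!")(.+?)(?= -\S|$)', r'--comment "\1"', rule)


def diagnose(log_text: str) -> dict:
    """Map the reported line number onto the logged buffer and name the stray word."""
    messages = strip_prefix(log_text)
    reported = None
    for msg in messages:
        m = ERROR_LINE.search(msg)
        if m:
            reported = int(m.group(1))
            break
    if reported is None:
        raise ValueError("no 'Error occurred at line' message found")
    buf = restore_buffer(messages)
    rule = buf[reported - 1]  # iptables-restore counts from 1 = "*filter"
    return {
        "reported_line": reported,
        "rule": rule,
        "stray_argument": stray_argument(rule),
        "fixed_rule": quote_comment(rule),
        "all_unquoted": [i + 1 for i, r in enumerate(buf) if stray_argument(r)],
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_SYSLOG)
    print(f"iptables-restore rejected buffer line {report['reported_line']}:")
    print("  " + report["rule"])
    print(f"  stray word seen by the option parser: {report['stray_argument']!r}")
    print("  quoted form: " + report["fixed_rule"])
```

Run it against the real journal with the full 04:09:29 block pasted into `SAMPLE_SYSLOG` and `reported_line` comes out as 103 with the same `-A KUBE-ROUTER-OUTPUT ... --comment rule to explicitly ACCEPT ...` rule. The quoting shown by `quote_comment` is what the rule needs to look like; the operational fix is to run a kube-router build that emits the comment quoted, since the controller regenerates this buffer on every sync and nothing edited by hand on the node survives the next attempt.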
Jun  8 04:10:06 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 04:10:06 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 04:10:06 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 04:14:29 truenas env[20630]: E0608 04:14:29.748811   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:14:29 truenas env[20630]: Error occurred at line: 103
Jun  8 04:14:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:14:29 truenas env[20630]: )
Jun  8 04:14:29 truenas env[20630]: *filter
Jun  8 04:14:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:14:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:14:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:14:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:14:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:14:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:14:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:14:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:14:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:14:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:14:29 truenas env[20630]: :KUBE-POD-FW-GO26UE344TZCOWVW - [0:0]
Jun  8 04:14:29 truenas env[20630]: :KUBE-POD-FW-DR27CK6ENC7IEB3M - [0:0]
Jun  8 04:14:29 truenas env[20630]: :KUBE-POD-FW-4CJ3KPL7LP52VWCT - [0:0]
Jun  8 04:14:29 truenas env[20630]: :KUBE-POD-FW-YQD74PGQQV6OXULC - [0:0]
Jun  8 04:14:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:14:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:14:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:14:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:14:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:14:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:14:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:14:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:14:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:14:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-GO26UE344TZCOWVW 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-GO26UE344TZCOWVW 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-GO26UE344TZCOWVW 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-GO26UE344TZCOWVW 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-GO26UE344TZCOWVW 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GO26UE344TZCOWVW" -d 172.16.0.46 -j KUBE-POD-FW-GO26UE344TZCOWVW
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GO26UE344TZCOWVW" -d 172.16.0.46 -j KUBE-POD-FW-GO26UE344TZCOWVW
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GO26UE344TZCOWVW" -d 172.16.0.46 -j KUBE-POD-FW-GO26UE344TZCOWVW
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GO26UE344TZCOWVW" -s 172.16.0.46 -j KUBE-POD-FW-GO26UE344TZCOWVW
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GO26UE344TZCOWVW" -s 172.16.0.46 -j KUBE-POD-FW-GO26UE344TZCOWVW
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GO26UE344TZCOWVW" -s 172.16.0.46 -j KUBE-POD-FW-GO26UE344TZCOWVW
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-GO26UE344TZCOWVW" -s 172.16.0.46 -j KUBE-POD-FW-GO26UE344TZCOWVW
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-GO26UE344TZCOWVW -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-GO26UE344TZCOWVW -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-GO26UE344TZCOWVW -j MARK --set-mark 0/0x10000
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-GO26UE344TZCOWVW -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-DR27CK6ENC7IEB3M 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-DR27CK6ENC7IEB3M 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-DR27CK6ENC7IEB3M 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-DR27CK6ENC7IEB3M 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-DR27CK6ENC7IEB3M 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DR27CK6ENC7IEB3M" -d 172.16.0.42 -j KUBE-POD-FW-DR27CK6ENC7IEB3M
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DR27CK6ENC7IEB3M" -d 172.16.0.42 -j KUBE-POD-FW-DR27CK6ENC7IEB3M
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DR27CK6ENC7IEB3M" -d 172.16.0.42 -j KUBE-POD-FW-DR27CK6ENC7IEB3M
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DR27CK6ENC7IEB3M" -s 172.16.0.42 -j KUBE-POD-FW-DR27CK6ENC7IEB3M
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DR27CK6ENC7IEB3M" -s 172.16.0.42 -j KUBE-POD-FW-DR27CK6ENC7IEB3M
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DR27CK6ENC7IEB3M" -s 172.16.0.42 -j KUBE-POD-FW-DR27CK6ENC7IEB3M
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-DR27CK6ENC7IEB3M" -s 172.16.0.42 -j KUBE-POD-FW-DR27CK6ENC7IEB3M
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-DR27CK6ENC7IEB3M -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-DR27CK6ENC7IEB3M -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-DR27CK6ENC7IEB3M -j MARK --set-mark 0/0x10000
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-DR27CK6ENC7IEB3M -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-4CJ3KPL7LP52VWCT 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-4CJ3KPL7LP52VWCT 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-4CJ3KPL7LP52VWCT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-4CJ3KPL7LP52VWCT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-4CJ3KPL7LP52VWCT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4CJ3KPL7LP52VWCT" -d 172.16.0.45 -j KUBE-POD-FW-4CJ3KPL7LP52VWCT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4CJ3KPL7LP52VWCT" -d 172.16.0.45 -j KUBE-POD-FW-4CJ3KPL7LP52VWCT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4CJ3KPL7LP52VWCT" -d 172.16.0.45 -j KUBE-POD-FW-4CJ3KPL7LP52VWCT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4CJ3KPL7LP52VWCT" -s 172.16.0.45 -j KUBE-POD-FW-4CJ3KPL7LP52VWCT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4CJ3KPL7LP52VWCT" -s 172.16.0.45 -j KUBE-POD-FW-4CJ3KPL7LP52VWCT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4CJ3KPL7LP52VWCT" -s 172.16.0.45 -j KUBE-POD-FW-4CJ3KPL7LP52VWCT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-4CJ3KPL7LP52VWCT" -s 172.16.0.45 -j KUBE-POD-FW-4CJ3KPL7LP52VWCT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-4CJ3KPL7LP52VWCT -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-4CJ3KPL7LP52VWCT -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-4CJ3KPL7LP52VWCT -j MARK --set-mark 0/0x10000
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-4CJ3KPL7LP52VWCT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-YQD74PGQQV6OXULC 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-YQD74PGQQV6OXULC 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-YQD74PGQQV6OXULC 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-YQD74PGQQV6OXULC 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:14:29 truenas env[20630]: -I KUBE-POD-FW-YQD74PGQQV6OXULC 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-YQD74PGQQV6OXULC" -d 172.16.0.43 -j KUBE-POD-FW-YQD74PGQQV6OXULC
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-YQD74PGQQV6OXULC" -d 172.16.0.43 -j KUBE-POD-FW-YQD74PGQQV6OXULC
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-YQD74PGQQV6OXULC" -d 172.16.0.43 -j KUBE-POD-FW-YQD74PGQQV6OXULC
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-YQD74PGQQV6OXULC" -s 172.16.0.43 -j KUBE-POD-FW-YQD74PGQQV6OXULC
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-YQD74PGQQV6OXULC" -s 172.16.0.43 -j KUBE-POD-FW-YQD74PGQQV6OXULC
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-YQD74PGQQV6OXULC" -s 172.16.0.43 -j KUBE-POD-FW-YQD74PGQQV6OXULC
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-YQD74PGQQV6OXULC" -s 172.16.0.43 -j KUBE-POD-FW-YQD74PGQQV6OXULC
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-YQD74PGQQV6OXULC -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-YQD74PGQQV6OXULC -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-YQD74PGQQV6OXULC -j MARK --set-mark 0/0x10000
Jun  8 04:14:29 truenas env[20630]: -A KUBE-POD-FW-YQD74PGQQV6OXULC -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:14:29 truenas env[20630]: COMMIT
Jun  8 04:17:01 truenas CRON[729505]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jun  8 04:19:29 truenas env[20630]: E0608 04:19:29.792732   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:19:29 truenas env[20630]: Error occurred at line: 103
Jun  8 04:19:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:19:29 truenas env[20630]: )
Jun  8 04:19:29 truenas env[20630]: *filter
Jun  8 04:19:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:19:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:19:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:19:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:19:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:19:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:19:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:19:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:19:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:19:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:19:29 truenas env[20630]: :KUBE-POD-FW-FQPKKQB37FHIGKUY - [0:0]
Jun  8 04:19:29 truenas env[20630]: :KUBE-POD-FW-YELLQXWTDXQ7PATU - [0:0]
Jun  8 04:19:29 truenas env[20630]: :KUBE-POD-FW-4DWJ2RF7VXSVL64L - [0:0]
Jun  8 04:19:29 truenas env[20630]: :KUBE-POD-FW-ZCSVWV3XMZ34I6RT - [0:0]
Jun  8 04:19:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:19:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:19:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:19:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:19:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:19:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:19:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:19:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:19:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:19:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-FQPKKQB37FHIGKUY 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-FQPKKQB37FHIGKUY 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-FQPKKQB37FHIGKUY 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-FQPKKQB37FHIGKUY 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-FQPKKQB37FHIGKUY 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FQPKKQB37FHIGKUY" -d 172.16.0.42 -j KUBE-POD-FW-FQPKKQB37FHIGKUY
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FQPKKQB37FHIGKUY" -d 172.16.0.42 -j KUBE-POD-FW-FQPKKQB37FHIGKUY
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FQPKKQB37FHIGKUY" -d 172.16.0.42 -j KUBE-POD-FW-FQPKKQB37FHIGKUY
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FQPKKQB37FHIGKUY" -s 172.16.0.42 -j KUBE-POD-FW-FQPKKQB37FHIGKUY
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FQPKKQB37FHIGKUY" -s 172.16.0.42 -j KUBE-POD-FW-FQPKKQB37FHIGKUY
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FQPKKQB37FHIGKUY" -s 172.16.0.42 -j KUBE-POD-FW-FQPKKQB37FHIGKUY
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-FQPKKQB37FHIGKUY" -s 172.16.0.42 -j KUBE-POD-FW-FQPKKQB37FHIGKUY
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-FQPKKQB37FHIGKUY -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-FQPKKQB37FHIGKUY -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-FQPKKQB37FHIGKUY -j MARK --set-mark 0/0x10000
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-FQPKKQB37FHIGKUY -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-YELLQXWTDXQ7PATU 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-YELLQXWTDXQ7PATU 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-YELLQXWTDXQ7PATU 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-YELLQXWTDXQ7PATU 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-YELLQXWTDXQ7PATU 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YELLQXWTDXQ7PATU" -d 172.16.0.45 -j KUBE-POD-FW-YELLQXWTDXQ7PATU
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YELLQXWTDXQ7PATU" -d 172.16.0.45 -j KUBE-POD-FW-YELLQXWTDXQ7PATU
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YELLQXWTDXQ7PATU" -d 172.16.0.45 -j KUBE-POD-FW-YELLQXWTDXQ7PATU
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YELLQXWTDXQ7PATU" -s 172.16.0.45 -j KUBE-POD-FW-YELLQXWTDXQ7PATU
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YELLQXWTDXQ7PATU" -s 172.16.0.45 -j KUBE-POD-FW-YELLQXWTDXQ7PATU
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YELLQXWTDXQ7PATU" -s 172.16.0.45 -j KUBE-POD-FW-YELLQXWTDXQ7PATU
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-YELLQXWTDXQ7PATU" -s 172.16.0.45 -j KUBE-POD-FW-YELLQXWTDXQ7PATU
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-YELLQXWTDXQ7PATU -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-YELLQXWTDXQ7PATU -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-YELLQXWTDXQ7PATU -j MARK --set-mark 0/0x10000
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-YELLQXWTDXQ7PATU -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-4DWJ2RF7VXSVL64L 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-4DWJ2RF7VXSVL64L 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-4DWJ2RF7VXSVL64L 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-4DWJ2RF7VXSVL64L 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-4DWJ2RF7VXSVL64L 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4DWJ2RF7VXSVL64L" -d 172.16.0.43 -j KUBE-POD-FW-4DWJ2RF7VXSVL64L
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4DWJ2RF7VXSVL64L" -d 172.16.0.43 -j KUBE-POD-FW-4DWJ2RF7VXSVL64L
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4DWJ2RF7VXSVL64L" -d 172.16.0.43 -j KUBE-POD-FW-4DWJ2RF7VXSVL64L
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4DWJ2RF7VXSVL64L" -s 172.16.0.43 -j KUBE-POD-FW-4DWJ2RF7VXSVL64L
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4DWJ2RF7VXSVL64L" -s 172.16.0.43 -j KUBE-POD-FW-4DWJ2RF7VXSVL64L
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4DWJ2RF7VXSVL64L" -s 172.16.0.43 -j KUBE-POD-FW-4DWJ2RF7VXSVL64L
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-4DWJ2RF7VXSVL64L" -s 172.16.0.43 -j KUBE-POD-FW-4DWJ2RF7VXSVL64L
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-4DWJ2RF7VXSVL64L -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-4DWJ2RF7VXSVL64L -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-4DWJ2RF7VXSVL64L -j MARK --set-mark 0/0x10000
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-4DWJ2RF7VXSVL64L -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-ZCSVWV3XMZ34I6RT 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-ZCSVWV3XMZ34I6RT 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-ZCSVWV3XMZ34I6RT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-ZCSVWV3XMZ34I6RT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:19:29 truenas env[20630]: -I KUBE-POD-FW-ZCSVWV3XMZ34I6RT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZCSVWV3XMZ34I6RT" -d 172.16.0.46 -j KUBE-POD-FW-ZCSVWV3XMZ34I6RT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZCSVWV3XMZ34I6RT" -d 172.16.0.46 -j KUBE-POD-FW-ZCSVWV3XMZ34I6RT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZCSVWV3XMZ34I6RT" -d 172.16.0.46 -j KUBE-POD-FW-ZCSVWV3XMZ34I6RT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZCSVWV3XMZ34I6RT" -s 172.16.0.46 -j KUBE-POD-FW-ZCSVWV3XMZ34I6RT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZCSVWV3XMZ34I6RT" -s 172.16.0.46 -j KUBE-POD-FW-ZCSVWV3XMZ34I6RT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZCSVWV3XMZ34I6RT" -s 172.16.0.46 -j KUBE-POD-FW-ZCSVWV3XMZ34I6RT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-ZCSVWV3XMZ34I6RT" -s 172.16.0.46 -j KUBE-POD-FW-ZCSVWV3XMZ34I6RT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-ZCSVWV3XMZ34I6RT -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-ZCSVWV3XMZ34I6RT -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-ZCSVWV3XMZ34I6RT -j MARK --set-mark 0/0x10000
Jun  8 04:19:29 truenas env[20630]: -A KUBE-POD-FW-ZCSVWV3XMZ34I6RT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: COMMIT
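Editor's note on the block above (added analysis, not part of the journal). Counting the echoed payload from `*filter` as line 1, line 103 is the `-A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies ...` entry, the first of the three trailing rules whose comment text is not quoted, unlike every other `--comment` in the dump. iptables-restore tokenises the rule on whitespace, takes `rule` as the comment and rejects the next bare word, which is exactly the reported "Bad argument `to'". Because the parse fails before `COMMIT`, none of this table is applied: the `KUBE-POD-FW-*` chains listed are the intended state, not the running one, and whatever filter ruleset was last committed successfully stays in force until the comment is quoted (`--comment "rule to explicitly ACCEPT traffic that comply to network policies"`) and a sync succeeds. The script below is an added diagnostic, not kube-router or TrueNAS code; it recovers the payload from journal lines of this shape, numbers it as iptables-restore does, flags unquoted multi-word comments, cross-checks against the reported line, and emits the quoted form of the offending rule. The embedded sample journal is constructed and cut down to a short payload.

```python
"""Editor-added diagnostic for the "Bad argument `to'" failures logged above.

Not code from kube-router, TrueNAS or the journal's author. It extracts the
iptables-restore payload that kube-router echoes after the error ("*filter"
through "COMMIT"), numbers it the way iptables-restore does, and reports any
rule whose --comment text is unquoted, so its second word becomes a stray
argument. The sample journal is constructed and abbreviated.
"""
import re

# Syslog prefix as in the journal above: "Jun  8 04:19:29 truenas env[20630]: "
_SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ \S+?\[\d+\]: ")
_REPORTED_LINE = re.compile(r"Error occurred at line: (\d+)")

# Constructed sample: same shape as the real entries, payload cut to 7 lines.
SAMPLE_JOURNAL = """\
Jun  8 04:19:29 truenas env[20630]: E0608 04:19:29.792732   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:19:29 truenas env[20630]: Error occurred at line: 6
Jun  8 04:19:29 truenas env[20630]: )
Jun  8 04:19:29 truenas env[20630]: *filter
Jun  8 04:19:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:19:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:19:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:19:29 truenas env[20630]: COMMIT
""".splitlines()


def strip_prefix(journal_line):
    """Remove the syslog prefix, leaving what the process actually wrote."""
    return _SYSLOG_PREFIX.sub("", journal_line.rstrip("\n"))


def restore_payload(journal_lines):
    """Return the iptables-restore input embedded in the journal: everything
    from the first '*<table>' line through the next 'COMMIT', one entry each."""
    payload, inside = [], False
    for raw in journal_lines:
        body = strip_prefix(raw)
        if not inside and body.startswith("*"):
            inside = True
        if inside:
            payload.append(body)
            if body == "COMMIT":
                break
    return payload


def unquoted_comment_errors(payload):
    """Return (line_no, stray_word, rule) for every rule whose --comment text is
    unquoted. line_no counts '*filter' as 1, matching iptables-restore's report.
    A quoted comment is one argument; an unquoted one leaves bare words before
    the next option, and iptables rejects the first of them as a bad argument."""
    errors = []
    for line_no, rule in enumerate(payload, start=1):
        tokens = rule.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok != "--comment" or tokens[i + 1][0] in "\"'":
                continue
            following = []
            for t in tokens[i + 2:]:
                if t.startswith("-"):  # next option ends the comment words
                    break
                following.append(t)
            if following:
                errors.append((line_no, following[0], rule))
    return errors


def quote_comment(rule):
    """Wrap an unquoted --comment argument in double quotes (the fix)."""
    return re.sub(r'--comment (?!["\'])(.*?)(?= -[A-Za-z]|\s*$)',
                  r'--comment "\1"', rule)


def diagnose(journal_lines):
    """Cross-check the line iptables-restore reported against what we find."""
    reported = None
    for raw in journal_lines:
        m = _REPORTED_LINE.search(strip_prefix(raw))
        if m:
            reported = int(m.group(1))
            break
    found = unquoted_comment_errors(restore_payload(journal_lines))
    return {
        "reported_line": reported,
        "found": found,
        "matches": bool(found) and found[0][0] == reported,
        "fixed_rules": [quote_comment(rule) for _, _, rule in found],
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_JOURNAL).items():
        print(key, value)
```

To run it against the real entries, feed the lines of one failed sync (from the `E0608 ... Aborting sync` line through its `COMMIT`) into `diagnose()` instead of `SAMPLE_JOURNAL`; the reported line and the first flagged rule should both be 103. To confirm what is actually enforced, compare the chains in the dump with `iptables-save -t filter` on the host; `iptables-restore --test < payload` parses a saved payload without committing it.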
Jun  8 04:20:06 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 04:20:06 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 04:20:06 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 04:24:29 truenas env[20630]: E0608 04:24:29.756803   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:24:29 truenas env[20630]: Error occurred at line: 103
Jun  8 04:24:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:24:29 truenas env[20630]: )
Jun  8 04:24:29 truenas env[20630]: *filter
Jun  8 04:24:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:24:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:24:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:24:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:24:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:24:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:24:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:24:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:24:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:24:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:24:29 truenas env[20630]: :KUBE-POD-FW-LX6SUZRH6FWQJ3TL - [0:0]
Jun  8 04:24:29 truenas env[20630]: :KUBE-POD-FW-URK7RRTBC6PBN6DF - [0:0]
Jun  8 04:24:29 truenas env[20630]: :KUBE-POD-FW-Y2BDEAJMTTXQG2EZ - [0:0]
Jun  8 04:24:29 truenas env[20630]: :KUBE-POD-FW-7GKC7RTNKVWGNGB3 - [0:0]
Jun  8 04:24:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:24:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:24:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:24:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:24:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:24:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:24:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:24:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:24:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:24:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-LX6SUZRH6FWQJ3TL 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-LX6SUZRH6FWQJ3TL 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-LX6SUZRH6FWQJ3TL 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-LX6SUZRH6FWQJ3TL 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-LX6SUZRH6FWQJ3TL 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LX6SUZRH6FWQJ3TL" -d 172.16.0.43 -j KUBE-POD-FW-LX6SUZRH6FWQJ3TL
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LX6SUZRH6FWQJ3TL" -d 172.16.0.43 -j KUBE-POD-FW-LX6SUZRH6FWQJ3TL
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LX6SUZRH6FWQJ3TL" -d 172.16.0.43 -j KUBE-POD-FW-LX6SUZRH6FWQJ3TL
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LX6SUZRH6FWQJ3TL" -s 172.16.0.43 -j KUBE-POD-FW-LX6SUZRH6FWQJ3TL
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LX6SUZRH6FWQJ3TL" -s 172.16.0.43 -j KUBE-POD-FW-LX6SUZRH6FWQJ3TL
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LX6SUZRH6FWQJ3TL" -s 172.16.0.43 -j KUBE-POD-FW-LX6SUZRH6FWQJ3TL
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-LX6SUZRH6FWQJ3TL" -s 172.16.0.43 -j KUBE-POD-FW-LX6SUZRH6FWQJ3TL
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-LX6SUZRH6FWQJ3TL -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-LX6SUZRH6FWQJ3TL -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-LX6SUZRH6FWQJ3TL -j MARK --set-mark 0/0x10000
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-LX6SUZRH6FWQJ3TL -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-URK7RRTBC6PBN6DF 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-URK7RRTBC6PBN6DF 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-URK7RRTBC6PBN6DF 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-URK7RRTBC6PBN6DF 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-URK7RRTBC6PBN6DF 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-URK7RRTBC6PBN6DF" -d 172.16.0.46 -j KUBE-POD-FW-URK7RRTBC6PBN6DF
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-URK7RRTBC6PBN6DF" -d 172.16.0.46 -j KUBE-POD-FW-URK7RRTBC6PBN6DF
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-URK7RRTBC6PBN6DF" -d 172.16.0.46 -j KUBE-POD-FW-URK7RRTBC6PBN6DF
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-URK7RRTBC6PBN6DF" -s 172.16.0.46 -j KUBE-POD-FW-URK7RRTBC6PBN6DF
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-URK7RRTBC6PBN6DF" -s 172.16.0.46 -j KUBE-POD-FW-URK7RRTBC6PBN6DF
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-URK7RRTBC6PBN6DF" -s 172.16.0.46 -j KUBE-POD-FW-URK7RRTBC6PBN6DF
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-URK7RRTBC6PBN6DF" -s 172.16.0.46 -j KUBE-POD-FW-URK7RRTBC6PBN6DF
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-URK7RRTBC6PBN6DF -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-URK7RRTBC6PBN6DF -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-URK7RRTBC6PBN6DF -j MARK --set-mark 0/0x10000
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-URK7RRTBC6PBN6DF -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-Y2BDEAJMTTXQG2EZ 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-Y2BDEAJMTTXQG2EZ 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-Y2BDEAJMTTXQG2EZ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-Y2BDEAJMTTXQG2EZ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-Y2BDEAJMTTXQG2EZ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y2BDEAJMTTXQG2EZ" -d 172.16.0.42 -j KUBE-POD-FW-Y2BDEAJMTTXQG2EZ
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y2BDEAJMTTXQG2EZ" -d 172.16.0.42 -j KUBE-POD-FW-Y2BDEAJMTTXQG2EZ
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y2BDEAJMTTXQG2EZ" -d 172.16.0.42 -j KUBE-POD-FW-Y2BDEAJMTTXQG2EZ
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y2BDEAJMTTXQG2EZ" -s 172.16.0.42 -j KUBE-POD-FW-Y2BDEAJMTTXQG2EZ
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y2BDEAJMTTXQG2EZ" -s 172.16.0.42 -j KUBE-POD-FW-Y2BDEAJMTTXQG2EZ
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y2BDEAJMTTXQG2EZ" -s 172.16.0.42 -j KUBE-POD-FW-Y2BDEAJMTTXQG2EZ
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y2BDEAJMTTXQG2EZ" -s 172.16.0.42 -j KUBE-POD-FW-Y2BDEAJMTTXQG2EZ
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-Y2BDEAJMTTXQG2EZ -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-Y2BDEAJMTTXQG2EZ -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-Y2BDEAJMTTXQG2EZ -j MARK --set-mark 0/0x10000
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-Y2BDEAJMTTXQG2EZ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-7GKC7RTNKVWGNGB3 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-7GKC7RTNKVWGNGB3 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-7GKC7RTNKVWGNGB3 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-7GKC7RTNKVWGNGB3 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:24:29 truenas env[20630]: -I KUBE-POD-FW-7GKC7RTNKVWGNGB3 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7GKC7RTNKVWGNGB3" -d 172.16.0.45 -j KUBE-POD-FW-7GKC7RTNKVWGNGB3
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7GKC7RTNKVWGNGB3" -d 172.16.0.45 -j KUBE-POD-FW-7GKC7RTNKVWGNGB3
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7GKC7RTNKVWGNGB3" -d 172.16.0.45 -j KUBE-POD-FW-7GKC7RTNKVWGNGB3
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7GKC7RTNKVWGNGB3" -s 172.16.0.45 -j KUBE-POD-FW-7GKC7RTNKVWGNGB3
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7GKC7RTNKVWGNGB3" -s 172.16.0.45 -j KUBE-POD-FW-7GKC7RTNKVWGNGB3
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7GKC7RTNKVWGNGB3" -s 172.16.0.45 -j KUBE-POD-FW-7GKC7RTNKVWGNGB3
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7GKC7RTNKVWGNGB3" -s 172.16.0.45 -j KUBE-POD-FW-7GKC7RTNKVWGNGB3
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-7GKC7RTNKVWGNGB3 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-7GKC7RTNKVWGNGB3 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-7GKC7RTNKVWGNGB3 -j MARK --set-mark 0/0x10000
Jun  8 04:24:29 truenas env[20630]: -A KUBE-POD-FW-7GKC7RTNKVWGNGB3 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:24:29 truenas env[20630]: COMMIT
Jun  8 04:29:29 truenas env[20630]: E0608 04:29:29.781267   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:29:29 truenas env[20630]: Error occurred at line: 103
Jun  8 04:29:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:29:29 truenas env[20630]: )
Jun  8 04:29:29 truenas env[20630]: *filter
Jun  8 04:29:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:29:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:29:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:29:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:29:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:29:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:29:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:29:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:29:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:29:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:29:29 truenas env[20630]: :KUBE-POD-FW-R7EMO7SGXZDZZEFH - [0:0]
Jun  8 04:29:29 truenas env[20630]: :KUBE-POD-FW-5BER37I422KEWI57 - [0:0]
Jun  8 04:29:29 truenas env[20630]: :KUBE-POD-FW-MUM6BCN753DIAZJT - [0:0]
Jun  8 04:29:29 truenas env[20630]: :KUBE-POD-FW-NZZBTJ6N4GBCDLMP - [0:0]
Jun  8 04:29:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:29:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:29:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:29:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:29:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:29:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:29:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:29:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:29:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:29:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-R7EMO7SGXZDZZEFH 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-R7EMO7SGXZDZZEFH 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-R7EMO7SGXZDZZEFH 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-R7EMO7SGXZDZZEFH 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-R7EMO7SGXZDZZEFH 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-R7EMO7SGXZDZZEFH" -d 172.16.0.46 -j KUBE-POD-FW-R7EMO7SGXZDZZEFH
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-R7EMO7SGXZDZZEFH" -d 172.16.0.46 -j KUBE-POD-FW-R7EMO7SGXZDZZEFH
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-R7EMO7SGXZDZZEFH" -d 172.16.0.46 -j KUBE-POD-FW-R7EMO7SGXZDZZEFH
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-R7EMO7SGXZDZZEFH" -s 172.16.0.46 -j KUBE-POD-FW-R7EMO7SGXZDZZEFH
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-R7EMO7SGXZDZZEFH" -s 172.16.0.46 -j KUBE-POD-FW-R7EMO7SGXZDZZEFH
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-R7EMO7SGXZDZZEFH" -s 172.16.0.46 -j KUBE-POD-FW-R7EMO7SGXZDZZEFH
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-R7EMO7SGXZDZZEFH" -s 172.16.0.46 -j KUBE-POD-FW-R7EMO7SGXZDZZEFH
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-R7EMO7SGXZDZZEFH -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-R7EMO7SGXZDZZEFH -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-R7EMO7SGXZDZZEFH -j MARK --set-mark 0/0x10000
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-R7EMO7SGXZDZZEFH -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-5BER37I422KEWI57 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-5BER37I422KEWI57 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-5BER37I422KEWI57 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-5BER37I422KEWI57 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-5BER37I422KEWI57 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5BER37I422KEWI57" -d 172.16.0.42 -j KUBE-POD-FW-5BER37I422KEWI57
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5BER37I422KEWI57" -d 172.16.0.42 -j KUBE-POD-FW-5BER37I422KEWI57
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5BER37I422KEWI57" -d 172.16.0.42 -j KUBE-POD-FW-5BER37I422KEWI57
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5BER37I422KEWI57" -s 172.16.0.42 -j KUBE-POD-FW-5BER37I422KEWI57
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5BER37I422KEWI57" -s 172.16.0.42 -j KUBE-POD-FW-5BER37I422KEWI57
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5BER37I422KEWI57" -s 172.16.0.42 -j KUBE-POD-FW-5BER37I422KEWI57
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5BER37I422KEWI57" -s 172.16.0.42 -j KUBE-POD-FW-5BER37I422KEWI57
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-5BER37I422KEWI57 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-5BER37I422KEWI57 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-5BER37I422KEWI57 -j MARK --set-mark 0/0x10000
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-5BER37I422KEWI57 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-MUM6BCN753DIAZJT 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-MUM6BCN753DIAZJT 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-MUM6BCN753DIAZJT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-MUM6BCN753DIAZJT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-MUM6BCN753DIAZJT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MUM6BCN753DIAZJT" -d 172.16.0.45 -j KUBE-POD-FW-MUM6BCN753DIAZJT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MUM6BCN753DIAZJT" -d 172.16.0.45 -j KUBE-POD-FW-MUM6BCN753DIAZJT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MUM6BCN753DIAZJT" -d 172.16.0.45 -j KUBE-POD-FW-MUM6BCN753DIAZJT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MUM6BCN753DIAZJT" -s 172.16.0.45 -j KUBE-POD-FW-MUM6BCN753DIAZJT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MUM6BCN753DIAZJT" -s 172.16.0.45 -j KUBE-POD-FW-MUM6BCN753DIAZJT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MUM6BCN753DIAZJT" -s 172.16.0.45 -j KUBE-POD-FW-MUM6BCN753DIAZJT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MUM6BCN753DIAZJT" -s 172.16.0.45 -j KUBE-POD-FW-MUM6BCN753DIAZJT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-MUM6BCN753DIAZJT -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-MUM6BCN753DIAZJT -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-MUM6BCN753DIAZJT -j MARK --set-mark 0/0x10000
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-MUM6BCN753DIAZJT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-NZZBTJ6N4GBCDLMP 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-NZZBTJ6N4GBCDLMP 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-NZZBTJ6N4GBCDLMP 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-NZZBTJ6N4GBCDLMP 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:29:29 truenas env[20630]: -I KUBE-POD-FW-NZZBTJ6N4GBCDLMP 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NZZBTJ6N4GBCDLMP" -d 172.16.0.43 -j KUBE-POD-FW-NZZBTJ6N4GBCDLMP
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NZZBTJ6N4GBCDLMP" -d 172.16.0.43 -j KUBE-POD-FW-NZZBTJ6N4GBCDLMP
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NZZBTJ6N4GBCDLMP" -d 172.16.0.43 -j KUBE-POD-FW-NZZBTJ6N4GBCDLMP
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NZZBTJ6N4GBCDLMP" -s 172.16.0.43 -j KUBE-POD-FW-NZZBTJ6N4GBCDLMP
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NZZBTJ6N4GBCDLMP" -s 172.16.0.43 -j KUBE-POD-FW-NZZBTJ6N4GBCDLMP
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NZZBTJ6N4GBCDLMP" -s 172.16.0.43 -j KUBE-POD-FW-NZZBTJ6N4GBCDLMP
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NZZBTJ6N4GBCDLMP" -s 172.16.0.43 -j KUBE-POD-FW-NZZBTJ6N4GBCDLMP
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-NZZBTJ6N4GBCDLMP -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-NZZBTJ6N4GBCDLMP -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-NZZBTJ6N4GBCDLMP -j MARK --set-mark 0/0x10000
Jun  8 04:29:29 truenas env[20630]: -A KUBE-POD-FW-NZZBTJ6N4GBCDLMP -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:29:29 truenas env[20630]: COMMIT
Jun  8 04:30:06 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 04:30:06 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 04:30:06 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 04:34:29 truenas env[20630]: E0608 04:34:29.768848   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:34:29 truenas env[20630]: Error occurred at line: 103
Jun  8 04:34:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:34:29 truenas env[20630]: )
Jun  8 04:34:29 truenas env[20630]: *filter
Jun  8 04:34:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:34:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:34:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:34:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:34:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:34:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:34:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:34:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:34:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:34:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:34:29 truenas env[20630]: :KUBE-POD-FW-FWMOWULXTM66TCZK - [0:0]
Jun  8 04:34:29 truenas env[20630]: :KUBE-POD-FW-2NWICSJFPFQK7TE2 - [0:0]
Jun  8 04:34:29 truenas env[20630]: :KUBE-POD-FW-DAVX474FOHRDOX7E - [0:0]
Jun  8 04:34:29 truenas env[20630]: :KUBE-POD-FW-EJN5YMYZA636GKKH - [0:0]
Jun  8 04:34:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:34:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:34:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:34:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:34:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:34:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:34:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:34:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:34:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:34:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-FWMOWULXTM66TCZK 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-FWMOWULXTM66TCZK 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-FWMOWULXTM66TCZK 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-FWMOWULXTM66TCZK 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-FWMOWULXTM66TCZK 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FWMOWULXTM66TCZK" -d 172.16.0.46 -j KUBE-POD-FW-FWMOWULXTM66TCZK
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FWMOWULXTM66TCZK" -d 172.16.0.46 -j KUBE-POD-FW-FWMOWULXTM66TCZK
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FWMOWULXTM66TCZK" -d 172.16.0.46 -j KUBE-POD-FW-FWMOWULXTM66TCZK
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FWMOWULXTM66TCZK" -s 172.16.0.46 -j KUBE-POD-FW-FWMOWULXTM66TCZK
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FWMOWULXTM66TCZK" -s 172.16.0.46 -j KUBE-POD-FW-FWMOWULXTM66TCZK
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FWMOWULXTM66TCZK" -s 172.16.0.46 -j KUBE-POD-FW-FWMOWULXTM66TCZK
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FWMOWULXTM66TCZK" -s 172.16.0.46 -j KUBE-POD-FW-FWMOWULXTM66TCZK
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-FWMOWULXTM66TCZK -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-FWMOWULXTM66TCZK -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-FWMOWULXTM66TCZK -j MARK --set-mark 0/0x10000
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-FWMOWULXTM66TCZK -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-2NWICSJFPFQK7TE2 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-2NWICSJFPFQK7TE2 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-2NWICSJFPFQK7TE2 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-2NWICSJFPFQK7TE2 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-2NWICSJFPFQK7TE2 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2NWICSJFPFQK7TE2" -d 172.16.0.42 -j KUBE-POD-FW-2NWICSJFPFQK7TE2
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2NWICSJFPFQK7TE2" -d 172.16.0.42 -j KUBE-POD-FW-2NWICSJFPFQK7TE2
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2NWICSJFPFQK7TE2" -d 172.16.0.42 -j KUBE-POD-FW-2NWICSJFPFQK7TE2
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2NWICSJFPFQK7TE2" -s 172.16.0.42 -j KUBE-POD-FW-2NWICSJFPFQK7TE2
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2NWICSJFPFQK7TE2" -s 172.16.0.42 -j KUBE-POD-FW-2NWICSJFPFQK7TE2
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2NWICSJFPFQK7TE2" -s 172.16.0.42 -j KUBE-POD-FW-2NWICSJFPFQK7TE2
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-2NWICSJFPFQK7TE2" -s 172.16.0.42 -j KUBE-POD-FW-2NWICSJFPFQK7TE2
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-2NWICSJFPFQK7TE2 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-2NWICSJFPFQK7TE2 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-2NWICSJFPFQK7TE2 -j MARK --set-mark 0/0x10000
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-2NWICSJFPFQK7TE2 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-DAVX474FOHRDOX7E 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-DAVX474FOHRDOX7E 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-DAVX474FOHRDOX7E 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-DAVX474FOHRDOX7E 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-DAVX474FOHRDOX7E 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DAVX474FOHRDOX7E" -d 172.16.0.45 -j KUBE-POD-FW-DAVX474FOHRDOX7E
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DAVX474FOHRDOX7E" -d 172.16.0.45 -j KUBE-POD-FW-DAVX474FOHRDOX7E
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DAVX474FOHRDOX7E" -d 172.16.0.45 -j KUBE-POD-FW-DAVX474FOHRDOX7E
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DAVX474FOHRDOX7E" -s 172.16.0.45 -j KUBE-POD-FW-DAVX474FOHRDOX7E
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DAVX474FOHRDOX7E" -s 172.16.0.45 -j KUBE-POD-FW-DAVX474FOHRDOX7E
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DAVX474FOHRDOX7E" -s 172.16.0.45 -j KUBE-POD-FW-DAVX474FOHRDOX7E
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DAVX474FOHRDOX7E" -s 172.16.0.45 -j KUBE-POD-FW-DAVX474FOHRDOX7E
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-DAVX474FOHRDOX7E -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-DAVX474FOHRDOX7E -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-DAVX474FOHRDOX7E -j MARK --set-mark 0/0x10000
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-DAVX474FOHRDOX7E -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-EJN5YMYZA636GKKH 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-EJN5YMYZA636GKKH 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-EJN5YMYZA636GKKH 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-EJN5YMYZA636GKKH 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:34:29 truenas env[20630]: -I KUBE-POD-FW-EJN5YMYZA636GKKH 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EJN5YMYZA636GKKH" -d 172.16.0.43 -j KUBE-POD-FW-EJN5YMYZA636GKKH
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EJN5YMYZA636GKKH" -d 172.16.0.43 -j KUBE-POD-FW-EJN5YMYZA636GKKH
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EJN5YMYZA636GKKH" -d 172.16.0.43 -j KUBE-POD-FW-EJN5YMYZA636GKKH
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EJN5YMYZA636GKKH" -s 172.16.0.43 -j KUBE-POD-FW-EJN5YMYZA636GKKH
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EJN5YMYZA636GKKH" -s 172.16.0.43 -j KUBE-POD-FW-EJN5YMYZA636GKKH
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EJN5YMYZA636GKKH" -s 172.16.0.43 -j KUBE-POD-FW-EJN5YMYZA636GKKH
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-EJN5YMYZA636GKKH" -s 172.16.0.43 -j KUBE-POD-FW-EJN5YMYZA636GKKH
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-EJN5YMYZA636GKKH -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-EJN5YMYZA636GKKH -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-EJN5YMYZA636GKKH -j MARK --set-mark 0/0x10000
Jun  8 04:34:29 truenas env[20630]: -A KUBE-POD-FW-EJN5YMYZA636GKKH -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:34:29 truenas env[20630]: COMMIT
Jun  8 04:39:29 truenas env[20630]: E0608 04:39:29.800996   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:39:29 truenas env[20630]: Error occurred at line: 103
Jun  8 04:39:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:39:29 truenas env[20630]: )
Jun  8 04:39:29 truenas env[20630]: *filter
Jun  8 04:39:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:39:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:39:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:39:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:39:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:39:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:39:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:39:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:39:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:39:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:39:29 truenas env[20630]: :KUBE-POD-FW-5QPOYUFW24OI4ZMB - [0:0]
Jun  8 04:39:29 truenas env[20630]: :KUBE-POD-FW-7LX7MJCN2Y24PNII - [0:0]
Jun  8 04:39:29 truenas env[20630]: :KUBE-POD-FW-5BYFVX3LGCNBCOP5 - [0:0]
Jun  8 04:39:29 truenas env[20630]: :KUBE-POD-FW-WOHWZRYXJAV6RHHW - [0:0]
Jun  8 04:39:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:39:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:39:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:39:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:39:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:39:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:39:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:39:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:39:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:39:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-5QPOYUFW24OI4ZMB 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-5QPOYUFW24OI4ZMB 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-5QPOYUFW24OI4ZMB 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-5QPOYUFW24OI4ZMB 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-5QPOYUFW24OI4ZMB 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5QPOYUFW24OI4ZMB" -d 172.16.0.42 -j KUBE-POD-FW-5QPOYUFW24OI4ZMB
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5QPOYUFW24OI4ZMB" -d 172.16.0.42 -j KUBE-POD-FW-5QPOYUFW24OI4ZMB
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5QPOYUFW24OI4ZMB" -d 172.16.0.42 -j KUBE-POD-FW-5QPOYUFW24OI4ZMB
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5QPOYUFW24OI4ZMB" -s 172.16.0.42 -j KUBE-POD-FW-5QPOYUFW24OI4ZMB
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5QPOYUFW24OI4ZMB" -s 172.16.0.42 -j KUBE-POD-FW-5QPOYUFW24OI4ZMB
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5QPOYUFW24OI4ZMB" -s 172.16.0.42 -j KUBE-POD-FW-5QPOYUFW24OI4ZMB
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5QPOYUFW24OI4ZMB" -s 172.16.0.42 -j KUBE-POD-FW-5QPOYUFW24OI4ZMB
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-5QPOYUFW24OI4ZMB -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-5QPOYUFW24OI4ZMB -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-5QPOYUFW24OI4ZMB -j MARK --set-mark 0/0x10000
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-5QPOYUFW24OI4ZMB -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-7LX7MJCN2Y24PNII 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-7LX7MJCN2Y24PNII 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-7LX7MJCN2Y24PNII 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-7LX7MJCN2Y24PNII 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-7LX7MJCN2Y24PNII 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7LX7MJCN2Y24PNII" -d 172.16.0.45 -j KUBE-POD-FW-7LX7MJCN2Y24PNII
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7LX7MJCN2Y24PNII" -d 172.16.0.45 -j KUBE-POD-FW-7LX7MJCN2Y24PNII
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7LX7MJCN2Y24PNII" -d 172.16.0.45 -j KUBE-POD-FW-7LX7MJCN2Y24PNII
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7LX7MJCN2Y24PNII" -s 172.16.0.45 -j KUBE-POD-FW-7LX7MJCN2Y24PNII
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7LX7MJCN2Y24PNII" -s 172.16.0.45 -j KUBE-POD-FW-7LX7MJCN2Y24PNII
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7LX7MJCN2Y24PNII" -s 172.16.0.45 -j KUBE-POD-FW-7LX7MJCN2Y24PNII
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7LX7MJCN2Y24PNII" -s 172.16.0.45 -j KUBE-POD-FW-7LX7MJCN2Y24PNII
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-7LX7MJCN2Y24PNII -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-7LX7MJCN2Y24PNII -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-7LX7MJCN2Y24PNII -j MARK --set-mark 0/0x10000
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-7LX7MJCN2Y24PNII -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-5BYFVX3LGCNBCOP5 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-5BYFVX3LGCNBCOP5 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-5BYFVX3LGCNBCOP5 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-5BYFVX3LGCNBCOP5 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-5BYFVX3LGCNBCOP5 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5BYFVX3LGCNBCOP5" -d 172.16.0.43 -j KUBE-POD-FW-5BYFVX3LGCNBCOP5
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5BYFVX3LGCNBCOP5" -d 172.16.0.43 -j KUBE-POD-FW-5BYFVX3LGCNBCOP5
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5BYFVX3LGCNBCOP5" -d 172.16.0.43 -j KUBE-POD-FW-5BYFVX3LGCNBCOP5
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5BYFVX3LGCNBCOP5" -s 172.16.0.43 -j KUBE-POD-FW-5BYFVX3LGCNBCOP5
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5BYFVX3LGCNBCOP5" -s 172.16.0.43 -j KUBE-POD-FW-5BYFVX3LGCNBCOP5
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5BYFVX3LGCNBCOP5" -s 172.16.0.43 -j KUBE-POD-FW-5BYFVX3LGCNBCOP5
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-5BYFVX3LGCNBCOP5" -s 172.16.0.43 -j KUBE-POD-FW-5BYFVX3LGCNBCOP5
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-5BYFVX3LGCNBCOP5 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-5BYFVX3LGCNBCOP5 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-5BYFVX3LGCNBCOP5 -j MARK --set-mark 0/0x10000
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-5BYFVX3LGCNBCOP5 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-WOHWZRYXJAV6RHHW 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-WOHWZRYXJAV6RHHW 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-WOHWZRYXJAV6RHHW 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-WOHWZRYXJAV6RHHW 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:39:29 truenas env[20630]: -I KUBE-POD-FW-WOHWZRYXJAV6RHHW 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WOHWZRYXJAV6RHHW" -d 172.16.0.46 -j KUBE-POD-FW-WOHWZRYXJAV6RHHW
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WOHWZRYXJAV6RHHW" -d 172.16.0.46 -j KUBE-POD-FW-WOHWZRYXJAV6RHHW
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WOHWZRYXJAV6RHHW" -d 172.16.0.46 -j KUBE-POD-FW-WOHWZRYXJAV6RHHW
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WOHWZRYXJAV6RHHW" -s 172.16.0.46 -j KUBE-POD-FW-WOHWZRYXJAV6RHHW
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WOHWZRYXJAV6RHHW" -s 172.16.0.46 -j KUBE-POD-FW-WOHWZRYXJAV6RHHW
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WOHWZRYXJAV6RHHW" -s 172.16.0.46 -j KUBE-POD-FW-WOHWZRYXJAV6RHHW
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WOHWZRYXJAV6RHHW" -s 172.16.0.46 -j KUBE-POD-FW-WOHWZRYXJAV6RHHW
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-WOHWZRYXJAV6RHHW -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-WOHWZRYXJAV6RHHW -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-WOHWZRYXJAV6RHHW -j MARK --set-mark 0/0x10000
Jun  8 04:39:29 truenas env[20630]: -A KUBE-POD-FW-WOHWZRYXJAV6RHHW -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:39:29 truenas env[20630]: COMMIT
Jun  8 04:40:06 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 04:40:06 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 04:40:06 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 04:44:29 truenas env[20630]: E0608 04:44:29.764696   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:44:29 truenas env[20630]: Error occurred at line: 103
Jun  8 04:44:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:44:29 truenas env[20630]: )
Jun  8 04:44:29 truenas env[20630]: *filter
Jun  8 04:44:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:44:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:44:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:44:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:44:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:44:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:44:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:44:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:44:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:44:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:44:29 truenas env[20630]: :KUBE-POD-FW-X7B5B2HIZ2V3MVNA - [0:0]
Jun  8 04:44:29 truenas env[20630]: :KUBE-POD-FW-XJY4VWFWYK7QIPQD - [0:0]
Jun  8 04:44:29 truenas env[20630]: :KUBE-POD-FW-DZZKWFLSQ6ZP2ABG - [0:0]
Jun  8 04:44:29 truenas env[20630]: :KUBE-POD-FW-VR57UX72O47KZBSV - [0:0]
Jun  8 04:44:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:44:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:44:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:44:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:44:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:44:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:44:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:44:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:44:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:44:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-X7B5B2HIZ2V3MVNA 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-X7B5B2HIZ2V3MVNA 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-X7B5B2HIZ2V3MVNA 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-X7B5B2HIZ2V3MVNA 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-X7B5B2HIZ2V3MVNA 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X7B5B2HIZ2V3MVNA" -d 172.16.0.42 -j KUBE-POD-FW-X7B5B2HIZ2V3MVNA
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X7B5B2HIZ2V3MVNA" -d 172.16.0.42 -j KUBE-POD-FW-X7B5B2HIZ2V3MVNA
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X7B5B2HIZ2V3MVNA" -d 172.16.0.42 -j KUBE-POD-FW-X7B5B2HIZ2V3MVNA
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X7B5B2HIZ2V3MVNA" -s 172.16.0.42 -j KUBE-POD-FW-X7B5B2HIZ2V3MVNA
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X7B5B2HIZ2V3MVNA" -s 172.16.0.42 -j KUBE-POD-FW-X7B5B2HIZ2V3MVNA
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X7B5B2HIZ2V3MVNA" -s 172.16.0.42 -j KUBE-POD-FW-X7B5B2HIZ2V3MVNA
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-X7B5B2HIZ2V3MVNA" -s 172.16.0.42 -j KUBE-POD-FW-X7B5B2HIZ2V3MVNA
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-X7B5B2HIZ2V3MVNA -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-X7B5B2HIZ2V3MVNA -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-X7B5B2HIZ2V3MVNA -j MARK --set-mark 0/0x10000
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-X7B5B2HIZ2V3MVNA -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-XJY4VWFWYK7QIPQD 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-XJY4VWFWYK7QIPQD 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-XJY4VWFWYK7QIPQD 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-XJY4VWFWYK7QIPQD 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-XJY4VWFWYK7QIPQD 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJY4VWFWYK7QIPQD" -d 172.16.0.45 -j KUBE-POD-FW-XJY4VWFWYK7QIPQD
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJY4VWFWYK7QIPQD" -d 172.16.0.45 -j KUBE-POD-FW-XJY4VWFWYK7QIPQD
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJY4VWFWYK7QIPQD" -d 172.16.0.45 -j KUBE-POD-FW-XJY4VWFWYK7QIPQD
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJY4VWFWYK7QIPQD" -s 172.16.0.45 -j KUBE-POD-FW-XJY4VWFWYK7QIPQD
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJY4VWFWYK7QIPQD" -s 172.16.0.45 -j KUBE-POD-FW-XJY4VWFWYK7QIPQD
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJY4VWFWYK7QIPQD" -s 172.16.0.45 -j KUBE-POD-FW-XJY4VWFWYK7QIPQD
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJY4VWFWYK7QIPQD" -s 172.16.0.45 -j KUBE-POD-FW-XJY4VWFWYK7QIPQD
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-XJY4VWFWYK7QIPQD -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-XJY4VWFWYK7QIPQD -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-XJY4VWFWYK7QIPQD -j MARK --set-mark 0/0x10000
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-XJY4VWFWYK7QIPQD -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-DZZKWFLSQ6ZP2ABG 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-DZZKWFLSQ6ZP2ABG 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-DZZKWFLSQ6ZP2ABG 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-DZZKWFLSQ6ZP2ABG 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-DZZKWFLSQ6ZP2ABG 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-DZZKWFLSQ6ZP2ABG" -d 172.16.0.43 -j KUBE-POD-FW-DZZKWFLSQ6ZP2ABG
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-DZZKWFLSQ6ZP2ABG" -d 172.16.0.43 -j KUBE-POD-FW-DZZKWFLSQ6ZP2ABG
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-DZZKWFLSQ6ZP2ABG" -d 172.16.0.43 -j KUBE-POD-FW-DZZKWFLSQ6ZP2ABG
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-DZZKWFLSQ6ZP2ABG" -s 172.16.0.43 -j KUBE-POD-FW-DZZKWFLSQ6ZP2ABG
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-DZZKWFLSQ6ZP2ABG" -s 172.16.0.43 -j KUBE-POD-FW-DZZKWFLSQ6ZP2ABG
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-DZZKWFLSQ6ZP2ABG" -s 172.16.0.43 -j KUBE-POD-FW-DZZKWFLSQ6ZP2ABG
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-DZZKWFLSQ6ZP2ABG" -s 172.16.0.43 -j KUBE-POD-FW-DZZKWFLSQ6ZP2ABG
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-DZZKWFLSQ6ZP2ABG -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-DZZKWFLSQ6ZP2ABG -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-DZZKWFLSQ6ZP2ABG -j MARK --set-mark 0/0x10000
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-DZZKWFLSQ6ZP2ABG -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-VR57UX72O47KZBSV 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-VR57UX72O47KZBSV 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-VR57UX72O47KZBSV 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-VR57UX72O47KZBSV 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:44:29 truenas env[20630]: -I KUBE-POD-FW-VR57UX72O47KZBSV 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VR57UX72O47KZBSV" -d 172.16.0.46 -j KUBE-POD-FW-VR57UX72O47KZBSV
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VR57UX72O47KZBSV" -d 172.16.0.46 -j KUBE-POD-FW-VR57UX72O47KZBSV
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VR57UX72O47KZBSV" -d 172.16.0.46 -j KUBE-POD-FW-VR57UX72O47KZBSV
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VR57UX72O47KZBSV" -s 172.16.0.46 -j KUBE-POD-FW-VR57UX72O47KZBSV
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VR57UX72O47KZBSV" -s 172.16.0.46 -j KUBE-POD-FW-VR57UX72O47KZBSV
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VR57UX72O47KZBSV" -s 172.16.0.46 -j KUBE-POD-FW-VR57UX72O47KZBSV
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-VR57UX72O47KZBSV" -s 172.16.0.46 -j KUBE-POD-FW-VR57UX72O47KZBSV
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-VR57UX72O47KZBSV -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-VR57UX72O47KZBSV -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-VR57UX72O47KZBSV -j MARK --set-mark 0/0x10000
Jun  8 04:44:29 truenas env[20630]: -A KUBE-POD-FW-VR57UX72O47KZBSV -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:44:29 truenas env[20630]: COMMIT
Jun  8 04:47:39 truenas systemd[1]: mnt-Master\x20Pool-ix\x2dapplications-releases-hass\x2dinstance-volumes-ix_volumes-ix\x2dpostgres_backups.mount: Succeeded.
Jun  8 04:47:39 truenas systemd[1]: mnt-Master\x20Pool-ix\x2dapplications-releases-hass\x2dinstance-volumes-ix_volumes-ix\x2dpostgres_data.mount: Succeeded.
Jun  8 04:47:39 truenas systemd[1]: mnt-Master\x20Pool-ix\x2dapplications-releases-hass\x2dinstance-volumes-ix_volumes.mount: Succeeded.
Jun  8 04:47:40 truenas systemd[1]: mnt-Master\x20Pool-ix\x2dapplications-releases-hass\x2dinstance-volumes.mount: Succeeded.
Jun  8 04:47:40 truenas systemd[1]: mnt-Master\x20Pool-ix\x2dapplications-releases-hass\x2dinstance-charts.mount: Succeeded.
Jun  8 04:47:40 truenas ntpd[4092]: Deleting interface #34 kube-dummy-if, 172.17.113.67#123, interface stats: received=0, sent=0, dropped=0, active_time=687226 secs
Jun  8 04:47:40 truenas ntpd[4092]: Deleting interface #35 kube-dummy-if, 172.17.13.160#123, interface stats: received=0, sent=0, dropped=0, active_time=687226 secs
Jun  8 04:47:40 truenas systemd[1]: mnt-Master\x20Pool-ix\x2dapplications-releases-hass\x2dinstance.mount: Succeeded.
Jun  8 04:47:46 truenas env[20630]: E0608 04:47:46.884844   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:47:46 truenas env[20630]: Error occurred at line: 103
Jun  8 04:47:46 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:47:46 truenas env[20630]: )
Jun  8 04:47:46 truenas env[20630]: *filter
Jun  8 04:47:46 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:47:46 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:47:46 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:47:46 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:47:46 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:47:46 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:47:46 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:47:46 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:47:46 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:47:46 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:47:46 truenas env[20630]: :KUBE-POD-FW-G7YXRJ6HWGGPIP7T - [0:0]
Jun  8 04:47:46 truenas env[20630]: :KUBE-POD-FW-7XAZJVWSPWEH2B4Z - [0:0]
Jun  8 04:47:46 truenas env[20630]: :KUBE-POD-FW-AC76WUM3LY6OBCLI - [0:0]
Jun  8 04:47:46 truenas env[20630]: :KUBE-POD-FW-MLCFSZEE23W34DOC - [0:0]
Jun  8 04:47:46 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:47:46 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:47:46 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:47:46 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:47:46 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:47:46 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:47:46 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:47:46 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:47:46 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:47:46 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-G7YXRJ6HWGGPIP7T 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-G7YXRJ6HWGGPIP7T 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-G7YXRJ6HWGGPIP7T 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-G7YXRJ6HWGGPIP7T 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-G7YXRJ6HWGGPIP7T 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-G7YXRJ6HWGGPIP7T" -d 172.16.0.42 -j KUBE-POD-FW-G7YXRJ6HWGGPIP7T
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-G7YXRJ6HWGGPIP7T" -d 172.16.0.42 -j KUBE-POD-FW-G7YXRJ6HWGGPIP7T
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-G7YXRJ6HWGGPIP7T" -d 172.16.0.42 -j KUBE-POD-FW-G7YXRJ6HWGGPIP7T
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-G7YXRJ6HWGGPIP7T" -s 172.16.0.42 -j KUBE-POD-FW-G7YXRJ6HWGGPIP7T
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-G7YXRJ6HWGGPIP7T" -s 172.16.0.42 -j KUBE-POD-FW-G7YXRJ6HWGGPIP7T
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-G7YXRJ6HWGGPIP7T" -s 172.16.0.42 -j KUBE-POD-FW-G7YXRJ6HWGGPIP7T
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-G7YXRJ6HWGGPIP7T" -s 172.16.0.42 -j KUBE-POD-FW-G7YXRJ6HWGGPIP7T
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-G7YXRJ6HWGGPIP7T -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-G7YXRJ6HWGGPIP7T -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-G7YXRJ6HWGGPIP7T -j MARK --set-mark 0/0x10000
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-G7YXRJ6HWGGPIP7T -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-7XAZJVWSPWEH2B4Z 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-7XAZJVWSPWEH2B4Z 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-7XAZJVWSPWEH2B4Z 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-7XAZJVWSPWEH2B4Z 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-7XAZJVWSPWEH2B4Z 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7XAZJVWSPWEH2B4Z" -d 172.16.0.45 -j KUBE-POD-FW-7XAZJVWSPWEH2B4Z
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7XAZJVWSPWEH2B4Z" -d 172.16.0.45 -j KUBE-POD-FW-7XAZJVWSPWEH2B4Z
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7XAZJVWSPWEH2B4Z" -d 172.16.0.45 -j KUBE-POD-FW-7XAZJVWSPWEH2B4Z
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7XAZJVWSPWEH2B4Z" -s 172.16.0.45 -j KUBE-POD-FW-7XAZJVWSPWEH2B4Z
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7XAZJVWSPWEH2B4Z" -s 172.16.0.45 -j KUBE-POD-FW-7XAZJVWSPWEH2B4Z
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7XAZJVWSPWEH2B4Z" -s 172.16.0.45 -j KUBE-POD-FW-7XAZJVWSPWEH2B4Z
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7XAZJVWSPWEH2B4Z" -s 172.16.0.45 -j KUBE-POD-FW-7XAZJVWSPWEH2B4Z
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-7XAZJVWSPWEH2B4Z -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-7XAZJVWSPWEH2B4Z -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-7XAZJVWSPWEH2B4Z -j MARK --set-mark 0/0x10000
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-7XAZJVWSPWEH2B4Z -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-AC76WUM3LY6OBCLI 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-AC76WUM3LY6OBCLI 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-AC76WUM3LY6OBCLI 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-AC76WUM3LY6OBCLI 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-AC76WUM3LY6OBCLI 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AC76WUM3LY6OBCLI" -d 172.16.0.43 -j KUBE-POD-FW-AC76WUM3LY6OBCLI
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AC76WUM3LY6OBCLI" -d 172.16.0.43 -j KUBE-POD-FW-AC76WUM3LY6OBCLI
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AC76WUM3LY6OBCLI" -d 172.16.0.43 -j KUBE-POD-FW-AC76WUM3LY6OBCLI
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AC76WUM3LY6OBCLI" -s 172.16.0.43 -j KUBE-POD-FW-AC76WUM3LY6OBCLI
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AC76WUM3LY6OBCLI" -s 172.16.0.43 -j KUBE-POD-FW-AC76WUM3LY6OBCLI
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AC76WUM3LY6OBCLI" -s 172.16.0.43 -j KUBE-POD-FW-AC76WUM3LY6OBCLI
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-AC76WUM3LY6OBCLI" -s 172.16.0.43 -j KUBE-POD-FW-AC76WUM3LY6OBCLI
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-AC76WUM3LY6OBCLI -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-AC76WUM3LY6OBCLI -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-AC76WUM3LY6OBCLI -j MARK --set-mark 0/0x10000
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-AC76WUM3LY6OBCLI -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-MLCFSZEE23W34DOC 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-MLCFSZEE23W34DOC 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-MLCFSZEE23W34DOC 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-MLCFSZEE23W34DOC 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:47:46 truenas env[20630]: -I KUBE-POD-FW-MLCFSZEE23W34DOC 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MLCFSZEE23W34DOC" -d 172.16.0.46 -j KUBE-POD-FW-MLCFSZEE23W34DOC
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MLCFSZEE23W34DOC" -d 172.16.0.46 -j KUBE-POD-FW-MLCFSZEE23W34DOC
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MLCFSZEE23W34DOC" -d 172.16.0.46 -j KUBE-POD-FW-MLCFSZEE23W34DOC
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MLCFSZEE23W34DOC" -s 172.16.0.46 -j KUBE-POD-FW-MLCFSZEE23W34DOC
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MLCFSZEE23W34DOC" -s 172.16.0.46 -j KUBE-POD-FW-MLCFSZEE23W34DOC
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MLCFSZEE23W34DOC" -s 172.16.0.46 -j KUBE-POD-FW-MLCFSZEE23W34DOC
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-MLCFSZEE23W34DOC" -s 172.16.0.46 -j KUBE-POD-FW-MLCFSZEE23W34DOC
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-MLCFSZEE23W34DOC -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-MLCFSZEE23W34DOC -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-MLCFSZEE23W34DOC -j MARK --set-mark 0/0x10000
Jun  8 04:47:46 truenas env[20630]: -A KUBE-POD-FW-MLCFSZEE23W34DOC -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:47:46 truenas env[20630]: COMMIT
Jun  8 04:49:29 truenas env[20630]: E0608 04:49:29.719133   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:49:29 truenas env[20630]: Error occurred at line: 103
Jun  8 04:49:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:49:29 truenas env[20630]: )
Jun  8 04:49:29 truenas env[20630]: *filter
Jun  8 04:49:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:49:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:49:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:49:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:49:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:49:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:49:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:49:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:49:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:49:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:49:29 truenas env[20630]: :KUBE-POD-FW-DINWPYRRRFV6K4OF - [0:0]
Jun  8 04:49:29 truenas env[20630]: :KUBE-POD-FW-YYUCCLXDINQYMENT - [0:0]
Jun  8 04:49:29 truenas env[20630]: :KUBE-POD-FW-36PEXZLI6IHP3DH3 - [0:0]
Jun  8 04:49:29 truenas env[20630]: :KUBE-POD-FW-CXCN4TFVMMCHYU77 - [0:0]
Jun  8 04:49:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:49:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:49:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:49:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:49:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:49:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:49:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:49:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:49:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:49:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-DINWPYRRRFV6K4OF 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-DINWPYRRRFV6K4OF 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-DINWPYRRRFV6K4OF 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-DINWPYRRRFV6K4OF 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-DINWPYRRRFV6K4OF 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DINWPYRRRFV6K4OF" -d 172.16.0.46 -j KUBE-POD-FW-DINWPYRRRFV6K4OF
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DINWPYRRRFV6K4OF" -d 172.16.0.46 -j KUBE-POD-FW-DINWPYRRRFV6K4OF
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DINWPYRRRFV6K4OF" -d 172.16.0.46 -j KUBE-POD-FW-DINWPYRRRFV6K4OF
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DINWPYRRRFV6K4OF" -s 172.16.0.46 -j KUBE-POD-FW-DINWPYRRRFV6K4OF
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DINWPYRRRFV6K4OF" -s 172.16.0.46 -j KUBE-POD-FW-DINWPYRRRFV6K4OF
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DINWPYRRRFV6K4OF" -s 172.16.0.46 -j KUBE-POD-FW-DINWPYRRRFV6K4OF
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DINWPYRRRFV6K4OF" -s 172.16.0.46 -j KUBE-POD-FW-DINWPYRRRFV6K4OF
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-DINWPYRRRFV6K4OF -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-DINWPYRRRFV6K4OF -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-DINWPYRRRFV6K4OF -j MARK --set-mark 0/0x10000
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-DINWPYRRRFV6K4OF -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-YYUCCLXDINQYMENT 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-YYUCCLXDINQYMENT 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-YYUCCLXDINQYMENT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-YYUCCLXDINQYMENT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-YYUCCLXDINQYMENT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YYUCCLXDINQYMENT" -d 172.16.0.42 -j KUBE-POD-FW-YYUCCLXDINQYMENT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YYUCCLXDINQYMENT" -d 172.16.0.42 -j KUBE-POD-FW-YYUCCLXDINQYMENT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YYUCCLXDINQYMENT" -d 172.16.0.42 -j KUBE-POD-FW-YYUCCLXDINQYMENT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YYUCCLXDINQYMENT" -s 172.16.0.42 -j KUBE-POD-FW-YYUCCLXDINQYMENT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YYUCCLXDINQYMENT" -s 172.16.0.42 -j KUBE-POD-FW-YYUCCLXDINQYMENT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YYUCCLXDINQYMENT" -s 172.16.0.42 -j KUBE-POD-FW-YYUCCLXDINQYMENT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-YYUCCLXDINQYMENT" -s 172.16.0.42 -j KUBE-POD-FW-YYUCCLXDINQYMENT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-YYUCCLXDINQYMENT -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-YYUCCLXDINQYMENT -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-YYUCCLXDINQYMENT -j MARK --set-mark 0/0x10000
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-YYUCCLXDINQYMENT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-36PEXZLI6IHP3DH3 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-36PEXZLI6IHP3DH3 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-36PEXZLI6IHP3DH3 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-36PEXZLI6IHP3DH3 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-36PEXZLI6IHP3DH3 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-36PEXZLI6IHP3DH3" -d 172.16.0.45 -j KUBE-POD-FW-36PEXZLI6IHP3DH3
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-36PEXZLI6IHP3DH3" -d 172.16.0.45 -j KUBE-POD-FW-36PEXZLI6IHP3DH3
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-36PEXZLI6IHP3DH3" -d 172.16.0.45 -j KUBE-POD-FW-36PEXZLI6IHP3DH3
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-36PEXZLI6IHP3DH3" -s 172.16.0.45 -j KUBE-POD-FW-36PEXZLI6IHP3DH3
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-36PEXZLI6IHP3DH3" -s 172.16.0.45 -j KUBE-POD-FW-36PEXZLI6IHP3DH3
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-36PEXZLI6IHP3DH3" -s 172.16.0.45 -j KUBE-POD-FW-36PEXZLI6IHP3DH3
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-36PEXZLI6IHP3DH3" -s 172.16.0.45 -j KUBE-POD-FW-36PEXZLI6IHP3DH3
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-36PEXZLI6IHP3DH3 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-36PEXZLI6IHP3DH3 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-36PEXZLI6IHP3DH3 -j MARK --set-mark 0/0x10000
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-36PEXZLI6IHP3DH3 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-CXCN4TFVMMCHYU77 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-CXCN4TFVMMCHYU77 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-CXCN4TFVMMCHYU77 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-CXCN4TFVMMCHYU77 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:49:29 truenas env[20630]: -I KUBE-POD-FW-CXCN4TFVMMCHYU77 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CXCN4TFVMMCHYU77" -d 172.16.0.43 -j KUBE-POD-FW-CXCN4TFVMMCHYU77
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CXCN4TFVMMCHYU77" -d 172.16.0.43 -j KUBE-POD-FW-CXCN4TFVMMCHYU77
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CXCN4TFVMMCHYU77" -d 172.16.0.43 -j KUBE-POD-FW-CXCN4TFVMMCHYU77
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CXCN4TFVMMCHYU77" -s 172.16.0.43 -j KUBE-POD-FW-CXCN4TFVMMCHYU77
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CXCN4TFVMMCHYU77" -s 172.16.0.43 -j KUBE-POD-FW-CXCN4TFVMMCHYU77
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CXCN4TFVMMCHYU77" -s 172.16.0.43 -j KUBE-POD-FW-CXCN4TFVMMCHYU77
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-CXCN4TFVMMCHYU77" -s 172.16.0.43 -j KUBE-POD-FW-CXCN4TFVMMCHYU77
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-CXCN4TFVMMCHYU77 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-CXCN4TFVMMCHYU77 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-CXCN4TFVMMCHYU77 -j MARK --set-mark 0/0x10000
Jun  8 04:49:29 truenas env[20630]: -A KUBE-POD-FW-CXCN4TFVMMCHYU77 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:49:29 truenas env[20630]: COMMIT
Jun  8 04:50:06 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 04:50:06 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 04:50:06 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 04:51:37 truenas systemd[1]: Created slice User Slice of UID 0.
Jun  8 04:51:37 truenas systemd[1]: Starting User Runtime Directory /run/user/0...
Jun  8 04:51:37 truenas systemd[1]: Finished User Runtime Directory /run/user/0.
Jun  8 04:51:37 truenas systemd[1]: Starting User Manager for UID 0...
Jun  8 04:51:38 truenas systemd[768737]: gpgconf: error running '/usr/lib/gnupg/scdaemon': probably not installed
Jun  8 04:51:38 truenas systemd-xdg-autostart-generator[768750]: Exec binary '/usr/libexec/at-spi-bus-launcher' does not exist: No such file or directory
Jun  8 04:51:38 truenas systemd-xdg-autostart-generator[768750]: Not generating service for XDG autostart app-at\x2dspi\x2ddbus\x2dbus-autostart.service, error parsing Exec= line: No such file or directory
Jun  8 04:51:38 truenas systemd[768731]: Queued start job for default target Main User Target.
Jun  8 04:51:38 truenas systemd[768731]: Created slice User Application Slice.
Jun  8 04:51:38 truenas systemd[768731]: Reached target Paths.
Jun  8 04:51:38 truenas systemd[768731]: Reached target Timers.
Jun  8 04:51:38 truenas systemd[768731]: Starting D-Bus User Message Bus Socket.
Jun  8 04:51:38 truenas systemd[768731]: Listening on GnuPG network certificate management daemon.
Jun  8 04:51:38 truenas systemd[768731]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
Jun  8 04:51:38 truenas systemd[768731]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
Jun  8 04:51:38 truenas systemd[768731]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Jun  8 04:51:38 truenas systemd[768731]: Listening on GnuPG cryptographic agent and passphrase cache.
Jun  8 04:51:38 truenas systemd[768731]: Listening on D-Bus User Message Bus Socket.
Jun  8 04:51:38 truenas systemd[768731]: Reached target Sockets.
Jun  8 04:51:38 truenas systemd[768731]: Reached target Basic System.
Jun  8 04:51:38 truenas systemd[768731]: Reached target Main User Target.
Jun  8 04:51:38 truenas systemd[768731]: Startup finished in 106ms.
Jun  8 04:51:38 truenas systemd[1]: Started User Manager for UID 0.
Jun  8 04:51:38 truenas systemd[1]: Started Session 267 of user root.
Jun  8 04:54:00 truenas env[20630]: E0608 04:54:00.971202   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:54:00 truenas env[20630]: Error occurred at line: 103
Jun  8 04:54:00 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:54:00 truenas env[20630]: )
Jun  8 04:54:00 truenas env[20630]: *filter
Jun  8 04:54:00 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:00 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:54:00 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:00 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:54:00 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:54:00 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:54:00 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:54:00 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:54:00 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:54:00 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:54:00 truenas env[20630]: :KUBE-POD-FW-7BN5NUWCU7PVHYVK - [0:0]
Jun  8 04:54:00 truenas env[20630]: :KUBE-POD-FW-NQI2DPMP63BWJO3A - [0:0]
Jun  8 04:54:00 truenas env[20630]: :KUBE-POD-FW-WW75WMOHODXE6PF2 - [0:0]
Jun  8 04:54:00 truenas env[20630]: :KUBE-POD-FW-ZTBYTLEKRUFBIAAI - [0:0]
Jun  8 04:54:00 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:54:00 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:54:00 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:54:00 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:54:00 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:54:00 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:54:00 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:54:00 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:54:00 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:54:00 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-7BN5NUWCU7PVHYVK 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-7BN5NUWCU7PVHYVK 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-7BN5NUWCU7PVHYVK 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-7BN5NUWCU7PVHYVK 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-7BN5NUWCU7PVHYVK 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7BN5NUWCU7PVHYVK" -d 172.16.0.45 -j KUBE-POD-FW-7BN5NUWCU7PVHYVK
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7BN5NUWCU7PVHYVK" -d 172.16.0.45 -j KUBE-POD-FW-7BN5NUWCU7PVHYVK
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7BN5NUWCU7PVHYVK" -d 172.16.0.45 -j KUBE-POD-FW-7BN5NUWCU7PVHYVK
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7BN5NUWCU7PVHYVK" -s 172.16.0.45 -j KUBE-POD-FW-7BN5NUWCU7PVHYVK
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7BN5NUWCU7PVHYVK" -s 172.16.0.45 -j KUBE-POD-FW-7BN5NUWCU7PVHYVK
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7BN5NUWCU7PVHYVK" -s 172.16.0.45 -j KUBE-POD-FW-7BN5NUWCU7PVHYVK
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-7BN5NUWCU7PVHYVK" -s 172.16.0.45 -j KUBE-POD-FW-7BN5NUWCU7PVHYVK
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-7BN5NUWCU7PVHYVK -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-7BN5NUWCU7PVHYVK -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-7BN5NUWCU7PVHYVK -j MARK --set-mark 0/0x10000
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-7BN5NUWCU7PVHYVK -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-NQI2DPMP63BWJO3A 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-NQI2DPMP63BWJO3A 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-NQI2DPMP63BWJO3A 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-NQI2DPMP63BWJO3A 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-NQI2DPMP63BWJO3A 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NQI2DPMP63BWJO3A" -d 172.16.0.43 -j KUBE-POD-FW-NQI2DPMP63BWJO3A
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NQI2DPMP63BWJO3A" -d 172.16.0.43 -j KUBE-POD-FW-NQI2DPMP63BWJO3A
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NQI2DPMP63BWJO3A" -d 172.16.0.43 -j KUBE-POD-FW-NQI2DPMP63BWJO3A
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NQI2DPMP63BWJO3A" -s 172.16.0.43 -j KUBE-POD-FW-NQI2DPMP63BWJO3A
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NQI2DPMP63BWJO3A" -s 172.16.0.43 -j KUBE-POD-FW-NQI2DPMP63BWJO3A
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NQI2DPMP63BWJO3A" -s 172.16.0.43 -j KUBE-POD-FW-NQI2DPMP63BWJO3A
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-NQI2DPMP63BWJO3A" -s 172.16.0.43 -j KUBE-POD-FW-NQI2DPMP63BWJO3A
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-NQI2DPMP63BWJO3A -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-NQI2DPMP63BWJO3A -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-NQI2DPMP63BWJO3A -j MARK --set-mark 0/0x10000
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-NQI2DPMP63BWJO3A -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-WW75WMOHODXE6PF2 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-WW75WMOHODXE6PF2 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-WW75WMOHODXE6PF2 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-WW75WMOHODXE6PF2 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-WW75WMOHODXE6PF2 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WW75WMOHODXE6PF2" -d 172.16.0.46 -j KUBE-POD-FW-WW75WMOHODXE6PF2
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WW75WMOHODXE6PF2" -d 172.16.0.46 -j KUBE-POD-FW-WW75WMOHODXE6PF2
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WW75WMOHODXE6PF2" -d 172.16.0.46 -j KUBE-POD-FW-WW75WMOHODXE6PF2
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WW75WMOHODXE6PF2" -s 172.16.0.46 -j KUBE-POD-FW-WW75WMOHODXE6PF2
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WW75WMOHODXE6PF2" -s 172.16.0.46 -j KUBE-POD-FW-WW75WMOHODXE6PF2
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WW75WMOHODXE6PF2" -s 172.16.0.46 -j KUBE-POD-FW-WW75WMOHODXE6PF2
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-WW75WMOHODXE6PF2" -s 172.16.0.46 -j KUBE-POD-FW-WW75WMOHODXE6PF2
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-WW75WMOHODXE6PF2 -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-WW75WMOHODXE6PF2 -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-WW75WMOHODXE6PF2 -j MARK --set-mark 0/0x10000
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-WW75WMOHODXE6PF2 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-ZTBYTLEKRUFBIAAI 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-ZTBYTLEKRUFBIAAI 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-ZTBYTLEKRUFBIAAI 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-ZTBYTLEKRUFBIAAI 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:00 truenas env[20630]: -I KUBE-POD-FW-ZTBYTLEKRUFBIAAI 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-ZTBYTLEKRUFBIAAI" -d 172.16.0.42 -j KUBE-POD-FW-ZTBYTLEKRUFBIAAI
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-ZTBYTLEKRUFBIAAI" -d 172.16.0.42 -j KUBE-POD-FW-ZTBYTLEKRUFBIAAI
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-ZTBYTLEKRUFBIAAI" -d 172.16.0.42 -j KUBE-POD-FW-ZTBYTLEKRUFBIAAI
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-ZTBYTLEKRUFBIAAI" -s 172.16.0.42 -j KUBE-POD-FW-ZTBYTLEKRUFBIAAI
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-ZTBYTLEKRUFBIAAI" -s 172.16.0.42 -j KUBE-POD-FW-ZTBYTLEKRUFBIAAI
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-ZTBYTLEKRUFBIAAI" -s 172.16.0.42 -j KUBE-POD-FW-ZTBYTLEKRUFBIAAI
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-ZTBYTLEKRUFBIAAI" -s 172.16.0.42 -j KUBE-POD-FW-ZTBYTLEKRUFBIAAI
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-ZTBYTLEKRUFBIAAI -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-ZTBYTLEKRUFBIAAI -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-ZTBYTLEKRUFBIAAI -j MARK --set-mark 0/0x10000
Jun  8 04:54:00 truenas env[20630]: -A KUBE-POD-FW-ZTBYTLEKRUFBIAAI -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:00 truenas env[20630]: COMMIT
Jun  8 04:54:01 truenas env[20630]: E0608 04:54:01.553286   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:54:01 truenas env[20630]: Error occurred at line: 103
Jun  8 04:54:01 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:54:01 truenas env[20630]: )
Jun  8 04:54:01 truenas env[20630]: *filter
Jun  8 04:54:01 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:01 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:54:01 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:01 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:54:01 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:54:01 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:54:01 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:54:01 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:54:01 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:54:01 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:54:01 truenas env[20630]: :KUBE-POD-FW-6PBUCZQYB2GYVIEY - [0:0]
Jun  8 04:54:01 truenas env[20630]: :KUBE-POD-FW-JTIDGOATXTHMAKLB - [0:0]
Jun  8 04:54:01 truenas env[20630]: :KUBE-POD-FW-43JM6OZ5I2DBP4VH - [0:0]
Jun  8 04:54:01 truenas env[20630]: :KUBE-POD-FW-DDXUE4Q4UXZWX3KI - [0:0]
Jun  8 04:54:01 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:54:01 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:54:01 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:54:01 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:54:01 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:54:01 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:54:01 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:54:01 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:54:01 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:54:01 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-6PBUCZQYB2GYVIEY 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-6PBUCZQYB2GYVIEY 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-6PBUCZQYB2GYVIEY 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-6PBUCZQYB2GYVIEY 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-6PBUCZQYB2GYVIEY 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6PBUCZQYB2GYVIEY" -d 172.16.0.42 -j KUBE-POD-FW-6PBUCZQYB2GYVIEY
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6PBUCZQYB2GYVIEY" -d 172.16.0.42 -j KUBE-POD-FW-6PBUCZQYB2GYVIEY
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6PBUCZQYB2GYVIEY" -d 172.16.0.42 -j KUBE-POD-FW-6PBUCZQYB2GYVIEY
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6PBUCZQYB2GYVIEY" -s 172.16.0.42 -j KUBE-POD-FW-6PBUCZQYB2GYVIEY
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6PBUCZQYB2GYVIEY" -s 172.16.0.42 -j KUBE-POD-FW-6PBUCZQYB2GYVIEY
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6PBUCZQYB2GYVIEY" -s 172.16.0.42 -j KUBE-POD-FW-6PBUCZQYB2GYVIEY
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6PBUCZQYB2GYVIEY" -s 172.16.0.42 -j KUBE-POD-FW-6PBUCZQYB2GYVIEY
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-6PBUCZQYB2GYVIEY -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-6PBUCZQYB2GYVIEY -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-6PBUCZQYB2GYVIEY -j MARK --set-mark 0/0x10000
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-6PBUCZQYB2GYVIEY -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-JTIDGOATXTHMAKLB 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-JTIDGOATXTHMAKLB 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-JTIDGOATXTHMAKLB 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-JTIDGOATXTHMAKLB 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-JTIDGOATXTHMAKLB 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JTIDGOATXTHMAKLB" -d 172.16.0.45 -j KUBE-POD-FW-JTIDGOATXTHMAKLB
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JTIDGOATXTHMAKLB" -d 172.16.0.45 -j KUBE-POD-FW-JTIDGOATXTHMAKLB
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JTIDGOATXTHMAKLB" -d 172.16.0.45 -j KUBE-POD-FW-JTIDGOATXTHMAKLB
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JTIDGOATXTHMAKLB" -s 172.16.0.45 -j KUBE-POD-FW-JTIDGOATXTHMAKLB
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JTIDGOATXTHMAKLB" -s 172.16.0.45 -j KUBE-POD-FW-JTIDGOATXTHMAKLB
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JTIDGOATXTHMAKLB" -s 172.16.0.45 -j KUBE-POD-FW-JTIDGOATXTHMAKLB
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-JTIDGOATXTHMAKLB" -s 172.16.0.45 -j KUBE-POD-FW-JTIDGOATXTHMAKLB
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-JTIDGOATXTHMAKLB -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-JTIDGOATXTHMAKLB -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-JTIDGOATXTHMAKLB -j MARK --set-mark 0/0x10000
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-JTIDGOATXTHMAKLB -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-43JM6OZ5I2DBP4VH 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-43JM6OZ5I2DBP4VH 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-43JM6OZ5I2DBP4VH 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-43JM6OZ5I2DBP4VH 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-43JM6OZ5I2DBP4VH 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-43JM6OZ5I2DBP4VH" -d 172.16.0.43 -j KUBE-POD-FW-43JM6OZ5I2DBP4VH
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-43JM6OZ5I2DBP4VH" -d 172.16.0.43 -j KUBE-POD-FW-43JM6OZ5I2DBP4VH
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-43JM6OZ5I2DBP4VH" -d 172.16.0.43 -j KUBE-POD-FW-43JM6OZ5I2DBP4VH
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-43JM6OZ5I2DBP4VH" -s 172.16.0.43 -j KUBE-POD-FW-43JM6OZ5I2DBP4VH
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-43JM6OZ5I2DBP4VH" -s 172.16.0.43 -j KUBE-POD-FW-43JM6OZ5I2DBP4VH
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-43JM6OZ5I2DBP4VH" -s 172.16.0.43 -j KUBE-POD-FW-43JM6OZ5I2DBP4VH
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-43JM6OZ5I2DBP4VH" -s 172.16.0.43 -j KUBE-POD-FW-43JM6OZ5I2DBP4VH
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-43JM6OZ5I2DBP4VH -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-43JM6OZ5I2DBP4VH -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-43JM6OZ5I2DBP4VH -j MARK --set-mark 0/0x10000
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-43JM6OZ5I2DBP4VH -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-DDXUE4Q4UXZWX3KI 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-DDXUE4Q4UXZWX3KI 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-DDXUE4Q4UXZWX3KI 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-DDXUE4Q4UXZWX3KI 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:01 truenas env[20630]: -I KUBE-POD-FW-DDXUE4Q4UXZWX3KI 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DDXUE4Q4UXZWX3KI" -d 172.16.0.46 -j KUBE-POD-FW-DDXUE4Q4UXZWX3KI
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DDXUE4Q4UXZWX3KI" -d 172.16.0.46 -j KUBE-POD-FW-DDXUE4Q4UXZWX3KI
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DDXUE4Q4UXZWX3KI" -d 172.16.0.46 -j KUBE-POD-FW-DDXUE4Q4UXZWX3KI
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DDXUE4Q4UXZWX3KI" -s 172.16.0.46 -j KUBE-POD-FW-DDXUE4Q4UXZWX3KI
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DDXUE4Q4UXZWX3KI" -s 172.16.0.46 -j KUBE-POD-FW-DDXUE4Q4UXZWX3KI
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DDXUE4Q4UXZWX3KI" -s 172.16.0.46 -j KUBE-POD-FW-DDXUE4Q4UXZWX3KI
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-DDXUE4Q4UXZWX3KI" -s 172.16.0.46 -j KUBE-POD-FW-DDXUE4Q4UXZWX3KI
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-DDXUE4Q4UXZWX3KI -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-DDXUE4Q4UXZWX3KI -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-DDXUE4Q4UXZWX3KI -j MARK --set-mark 0/0x10000
Jun  8 04:54:01 truenas env[20630]: -A KUBE-POD-FW-DDXUE4Q4UXZWX3KI -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:01 truenas env[20630]: COMMIT
Jun  8 04:54:01 truenas systemd[768731]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-f6185cd29a893020af402b944d9ed38df5ce1cb187c1c37369b636ff35923419\x2dinit.mount: Succeeded.
Jun  8 04:54:02 truenas kernel: IPv6: ADDRCONF(NETDEV_CHANGE): vethc392e3e3: link becomes ready
Jun  8 04:54:02 truenas kernel: kube-bridge: port 5(vethc392e3e3) entered blocking state
Jun  8 04:54:02 truenas kernel: kube-bridge: port 5(vethc392e3e3) entered disabled state
Jun  8 04:54:02 truenas kernel: device vethc392e3e3 entered promiscuous mode
Jun  8 04:54:02 truenas kernel: kube-bridge: port 5(vethc392e3e3) entered blocking state
Jun  8 04:54:02 truenas kernel: kube-bridge: port 5(vethc392e3e3) entered forwarding state
Jun  8 04:54:02 truenas systemd-udevd[771416]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun  8 04:54:02 truenas systemd-udevd[771416]: Using default interface naming scheme 'v247'.
Jun  8 04:54:02 truenas systemd-udevd[771416]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun  8 04:54:04 truenas systemd[1]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-3778cdbbd64bfb86b79476ee70a07e19b438444cc71d76ca68271c83444a2a81\x2dinit.mount: Succeeded.
Jun  8 04:54:04 truenas systemd[768731]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-3778cdbbd64bfb86b79476ee70a07e19b438444cc71d76ca68271c83444a2a81\x2dinit.mount: Succeeded.
Jun  8 04:54:04 truenas ntpd[4092]: Listen normally on 42 vethc392e3e3 [fe80::282a:16ff:fe1a:26c6%22]:123
Jun  8 04:54:04 truenas systemd[768731]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-3778cdbbd64bfb86b79476ee70a07e19b438444cc71d76ca68271c83444a2a81.mount: Succeeded.
Jun  8 04:54:04 truenas systemd[1]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-3778cdbbd64bfb86b79476ee70a07e19b438444cc71d76ca68271c83444a2a81.mount: Succeeded.
Jun  8 04:54:05 truenas kernel: kube-bridge: port 5(vethc392e3e3) entered disabled state
Jun  8 04:54:05 truenas kernel: device vethc392e3e3 left promiscuous mode
Jun  8 04:54:05 truenas kernel: kube-bridge: port 5(vethc392e3e3) entered disabled state
Jun  8 04:54:05 truenas env[20630]: E0608 04:54:05.381277   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:54:05 truenas env[20630]: Error occurred at line: 103
Jun  8 04:54:05 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:54:05 truenas env[20630]: )
Jun  8 04:54:05 truenas env[20630]: *filter
Jun  8 04:54:05 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-POD-FW-XQ5F46S25MRGRKUH - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-POD-FW-QAZOJPARB2QH77N2 - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-POD-FW-HLPLVIDA2OHLJWN5 - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-POD-FW-YPZZ66GTFHYIV2ZO - [0:0]
Jun  8 04:54:05 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:54:05 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:54:05 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:54:05 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:54:05 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:54:05 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:54:05 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:54:05 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-XQ5F46S25MRGRKUH 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-XQ5F46S25MRGRKUH 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-XQ5F46S25MRGRKUH 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-XQ5F46S25MRGRKUH 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-XQ5F46S25MRGRKUH 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XQ5F46S25MRGRKUH" -d 172.16.0.42 -j KUBE-POD-FW-XQ5F46S25MRGRKUH
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XQ5F46S25MRGRKUH" -d 172.16.0.42 -j KUBE-POD-FW-XQ5F46S25MRGRKUH
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XQ5F46S25MRGRKUH" -d 172.16.0.42 -j KUBE-POD-FW-XQ5F46S25MRGRKUH
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XQ5F46S25MRGRKUH" -s 172.16.0.42 -j KUBE-POD-FW-XQ5F46S25MRGRKUH
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XQ5F46S25MRGRKUH" -s 172.16.0.42 -j KUBE-POD-FW-XQ5F46S25MRGRKUH
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XQ5F46S25MRGRKUH" -s 172.16.0.42 -j KUBE-POD-FW-XQ5F46S25MRGRKUH
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-XQ5F46S25MRGRKUH" -s 172.16.0.42 -j KUBE-POD-FW-XQ5F46S25MRGRKUH
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-XQ5F46S25MRGRKUH -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-XQ5F46S25MRGRKUH -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-XQ5F46S25MRGRKUH -j MARK --set-mark 0/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-XQ5F46S25MRGRKUH -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-QAZOJPARB2QH77N2 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-QAZOJPARB2QH77N2 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-QAZOJPARB2QH77N2 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-QAZOJPARB2QH77N2 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-QAZOJPARB2QH77N2 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QAZOJPARB2QH77N2" -d 172.16.0.45 -j KUBE-POD-FW-QAZOJPARB2QH77N2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QAZOJPARB2QH77N2" -d 172.16.0.45 -j KUBE-POD-FW-QAZOJPARB2QH77N2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QAZOJPARB2QH77N2" -d 172.16.0.45 -j KUBE-POD-FW-QAZOJPARB2QH77N2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QAZOJPARB2QH77N2" -s 172.16.0.45 -j KUBE-POD-FW-QAZOJPARB2QH77N2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QAZOJPARB2QH77N2" -s 172.16.0.45 -j KUBE-POD-FW-QAZOJPARB2QH77N2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QAZOJPARB2QH77N2" -s 172.16.0.45 -j KUBE-POD-FW-QAZOJPARB2QH77N2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QAZOJPARB2QH77N2" -s 172.16.0.45 -j KUBE-POD-FW-QAZOJPARB2QH77N2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-QAZOJPARB2QH77N2 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-QAZOJPARB2QH77N2 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-QAZOJPARB2QH77N2 -j MARK --set-mark 0/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-QAZOJPARB2QH77N2 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-HLPLVIDA2OHLJWN5 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-HLPLVIDA2OHLJWN5 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-HLPLVIDA2OHLJWN5 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-HLPLVIDA2OHLJWN5 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-HLPLVIDA2OHLJWN5 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HLPLVIDA2OHLJWN5" -d 172.16.0.43 -j KUBE-POD-FW-HLPLVIDA2OHLJWN5
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HLPLVIDA2OHLJWN5" -d 172.16.0.43 -j KUBE-POD-FW-HLPLVIDA2OHLJWN5
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HLPLVIDA2OHLJWN5" -d 172.16.0.43 -j KUBE-POD-FW-HLPLVIDA2OHLJWN5
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HLPLVIDA2OHLJWN5" -s 172.16.0.43 -j KUBE-POD-FW-HLPLVIDA2OHLJWN5
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HLPLVIDA2OHLJWN5" -s 172.16.0.43 -j KUBE-POD-FW-HLPLVIDA2OHLJWN5
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HLPLVIDA2OHLJWN5" -s 172.16.0.43 -j KUBE-POD-FW-HLPLVIDA2OHLJWN5
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-HLPLVIDA2OHLJWN5" -s 172.16.0.43 -j KUBE-POD-FW-HLPLVIDA2OHLJWN5
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-HLPLVIDA2OHLJWN5 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-HLPLVIDA2OHLJWN5 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-HLPLVIDA2OHLJWN5 -j MARK --set-mark 0/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-HLPLVIDA2OHLJWN5 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-YPZZ66GTFHYIV2ZO 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-YPZZ66GTFHYIV2ZO 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-YPZZ66GTFHYIV2ZO 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-YPZZ66GTFHYIV2ZO 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-YPZZ66GTFHYIV2ZO 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YPZZ66GTFHYIV2ZO" -d 172.16.0.46 -j KUBE-POD-FW-YPZZ66GTFHYIV2ZO
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YPZZ66GTFHYIV2ZO" -d 172.16.0.46 -j KUBE-POD-FW-YPZZ66GTFHYIV2ZO
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YPZZ66GTFHYIV2ZO" -d 172.16.0.46 -j KUBE-POD-FW-YPZZ66GTFHYIV2ZO
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YPZZ66GTFHYIV2ZO" -s 172.16.0.46 -j KUBE-POD-FW-YPZZ66GTFHYIV2ZO
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YPZZ66GTFHYIV2ZO" -s 172.16.0.46 -j KUBE-POD-FW-YPZZ66GTFHYIV2ZO
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YPZZ66GTFHYIV2ZO" -s 172.16.0.46 -j KUBE-POD-FW-YPZZ66GTFHYIV2ZO
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-YPZZ66GTFHYIV2ZO" -s 172.16.0.46 -j KUBE-POD-FW-YPZZ66GTFHYIV2ZO
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-YPZZ66GTFHYIV2ZO -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-YPZZ66GTFHYIV2ZO -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-YPZZ66GTFHYIV2ZO -j MARK --set-mark 0/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-YPZZ66GTFHYIV2ZO -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: COMMIT
Jun  8 04:54:05 truenas systemd[768731]: run-docker-netns-869c7fcd7f91.mount: Succeeded.
Jun  8 04:54:05 truenas systemd[1]: run-docker-netns-869c7fcd7f91.mount: Succeeded.
Jun  8 04:54:05 truenas systemd[768731]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-containers-672c9d871956817632ba3ae73f4ef4110d80c6897118fc5fbbb9ae8c3459adfe-mounts-shm.mount: Succeeded.
Jun  8 04:54:05 truenas systemd[1]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-containers-672c9d871956817632ba3ae73f4ef4110d80c6897118fc5fbbb9ae8c3459adfe-mounts-shm.mount: Succeeded.
Jun  8 04:54:05 truenas systemd[768731]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-f6185cd29a893020af402b944d9ed38df5ce1cb187c1c37369b636ff35923419.mount: Succeeded.
Jun  8 04:54:05 truenas systemd[1]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-f6185cd29a893020af402b944d9ed38df5ce1cb187c1c37369b636ff35923419.mount: Succeeded.
Jun  8 04:54:05 truenas env[20630]: E0608 04:54:05.707736   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:54:05 truenas env[20630]: Error occurred at line: 103
Jun  8 04:54:05 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:54:05 truenas env[20630]: )
Jun  8 04:54:05 truenas env[20630]: *filter
Jun  8 04:54:05 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-POD-FW-FGSORLNHHV75EXMM - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-POD-FW-5KXBIPOI44E7TVD7 - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-POD-FW-DXM6ABYLGEQUVCQM - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-POD-FW-PT5LFRTXVT2VURVP - [0:0]
Jun  8 04:54:05 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:54:05 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:54:05 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:54:05 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:54:05 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:54:05 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:54:05 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:54:05 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-FGSORLNHHV75EXMM 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-FGSORLNHHV75EXMM 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-FGSORLNHHV75EXMM 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-FGSORLNHHV75EXMM 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-FGSORLNHHV75EXMM 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FGSORLNHHV75EXMM" -d 172.16.0.46 -j KUBE-POD-FW-FGSORLNHHV75EXMM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FGSORLNHHV75EXMM" -d 172.16.0.46 -j KUBE-POD-FW-FGSORLNHHV75EXMM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FGSORLNHHV75EXMM" -d 172.16.0.46 -j KUBE-POD-FW-FGSORLNHHV75EXMM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FGSORLNHHV75EXMM" -s 172.16.0.46 -j KUBE-POD-FW-FGSORLNHHV75EXMM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FGSORLNHHV75EXMM" -s 172.16.0.46 -j KUBE-POD-FW-FGSORLNHHV75EXMM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FGSORLNHHV75EXMM" -s 172.16.0.46 -j KUBE-POD-FW-FGSORLNHHV75EXMM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-FGSORLNHHV75EXMM" -s 172.16.0.46 -j KUBE-POD-FW-FGSORLNHHV75EXMM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-FGSORLNHHV75EXMM -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-FGSORLNHHV75EXMM -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-FGSORLNHHV75EXMM -j MARK --set-mark 0/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-FGSORLNHHV75EXMM -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-5KXBIPOI44E7TVD7 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-5KXBIPOI44E7TVD7 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-5KXBIPOI44E7TVD7 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-5KXBIPOI44E7TVD7 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-5KXBIPOI44E7TVD7 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KXBIPOI44E7TVD7" -d 172.16.0.42 -j KUBE-POD-FW-5KXBIPOI44E7TVD7
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KXBIPOI44E7TVD7" -d 172.16.0.42 -j KUBE-POD-FW-5KXBIPOI44E7TVD7
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KXBIPOI44E7TVD7" -d 172.16.0.42 -j KUBE-POD-FW-5KXBIPOI44E7TVD7
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KXBIPOI44E7TVD7" -s 172.16.0.42 -j KUBE-POD-FW-5KXBIPOI44E7TVD7
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KXBIPOI44E7TVD7" -s 172.16.0.42 -j KUBE-POD-FW-5KXBIPOI44E7TVD7
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KXBIPOI44E7TVD7" -s 172.16.0.42 -j KUBE-POD-FW-5KXBIPOI44E7TVD7
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-5KXBIPOI44E7TVD7" -s 172.16.0.42 -j KUBE-POD-FW-5KXBIPOI44E7TVD7
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-5KXBIPOI44E7TVD7 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-5KXBIPOI44E7TVD7 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-5KXBIPOI44E7TVD7 -j MARK --set-mark 0/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-5KXBIPOI44E7TVD7 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-DXM6ABYLGEQUVCQM 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-DXM6ABYLGEQUVCQM 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-DXM6ABYLGEQUVCQM 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-DXM6ABYLGEQUVCQM 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-DXM6ABYLGEQUVCQM 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DXM6ABYLGEQUVCQM" -d 172.16.0.45 -j KUBE-POD-FW-DXM6ABYLGEQUVCQM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DXM6ABYLGEQUVCQM" -d 172.16.0.45 -j KUBE-POD-FW-DXM6ABYLGEQUVCQM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DXM6ABYLGEQUVCQM" -d 172.16.0.45 -j KUBE-POD-FW-DXM6ABYLGEQUVCQM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DXM6ABYLGEQUVCQM" -s 172.16.0.45 -j KUBE-POD-FW-DXM6ABYLGEQUVCQM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DXM6ABYLGEQUVCQM" -s 172.16.0.45 -j KUBE-POD-FW-DXM6ABYLGEQUVCQM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DXM6ABYLGEQUVCQM" -s 172.16.0.45 -j KUBE-POD-FW-DXM6ABYLGEQUVCQM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-DXM6ABYLGEQUVCQM" -s 172.16.0.45 -j KUBE-POD-FW-DXM6ABYLGEQUVCQM
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-DXM6ABYLGEQUVCQM -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-DXM6ABYLGEQUVCQM -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-DXM6ABYLGEQUVCQM -j MARK --set-mark 0/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-DXM6ABYLGEQUVCQM -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-PT5LFRTXVT2VURVP 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-PT5LFRTXVT2VURVP 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-PT5LFRTXVT2VURVP 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-PT5LFRTXVT2VURVP 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-PT5LFRTXVT2VURVP 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PT5LFRTXVT2VURVP" -d 172.16.0.43 -j KUBE-POD-FW-PT5LFRTXVT2VURVP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PT5LFRTXVT2VURVP" -d 172.16.0.43 -j KUBE-POD-FW-PT5LFRTXVT2VURVP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PT5LFRTXVT2VURVP" -d 172.16.0.43 -j KUBE-POD-FW-PT5LFRTXVT2VURVP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PT5LFRTXVT2VURVP" -s 172.16.0.43 -j KUBE-POD-FW-PT5LFRTXVT2VURVP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PT5LFRTXVT2VURVP" -s 172.16.0.43 -j KUBE-POD-FW-PT5LFRTXVT2VURVP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PT5LFRTXVT2VURVP" -s 172.16.0.43 -j KUBE-POD-FW-PT5LFRTXVT2VURVP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PT5LFRTXVT2VURVP" -s 172.16.0.43 -j KUBE-POD-FW-PT5LFRTXVT2VURVP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-PT5LFRTXVT2VURVP -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-PT5LFRTXVT2VURVP -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-PT5LFRTXVT2VURVP -j MARK --set-mark 0/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-PT5LFRTXVT2VURVP -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: COMMIT
Jun  8 04:54:05 truenas env[20630]: E0608 04:54:05.988492   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:54:05 truenas env[20630]: Error occurred at line: 103
Jun  8 04:54:05 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:54:05 truenas env[20630]: )
Jun  8 04:54:05 truenas env[20630]: *filter
Jun  8 04:54:05 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-POD-FW-I223IJEGJQ7NS5PL - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-POD-FW-3DAS7RGRJZBQJXP6 - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-POD-FW-QMK4UHTLCD7JIE3U - [0:0]
Jun  8 04:54:05 truenas env[20630]: :KUBE-POD-FW-PB3X3A3LPP6LH3Z2 - [0:0]
Jun  8 04:54:05 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:54:05 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:54:05 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:54:05 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:54:05 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:54:05 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:54:05 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:54:05 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:54:05 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-I223IJEGJQ7NS5PL 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-I223IJEGJQ7NS5PL 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-I223IJEGJQ7NS5PL 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-I223IJEGJQ7NS5PL 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-I223IJEGJQ7NS5PL 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-I223IJEGJQ7NS5PL" -d 172.16.0.46 -j KUBE-POD-FW-I223IJEGJQ7NS5PL
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-I223IJEGJQ7NS5PL" -d 172.16.0.46 -j KUBE-POD-FW-I223IJEGJQ7NS5PL
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-I223IJEGJQ7NS5PL" -d 172.16.0.46 -j KUBE-POD-FW-I223IJEGJQ7NS5PL
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-I223IJEGJQ7NS5PL" -s 172.16.0.46 -j KUBE-POD-FW-I223IJEGJQ7NS5PL
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-I223IJEGJQ7NS5PL" -s 172.16.0.46 -j KUBE-POD-FW-I223IJEGJQ7NS5PL
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-I223IJEGJQ7NS5PL" -s 172.16.0.46 -j KUBE-POD-FW-I223IJEGJQ7NS5PL
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-I223IJEGJQ7NS5PL" -s 172.16.0.46 -j KUBE-POD-FW-I223IJEGJQ7NS5PL
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-I223IJEGJQ7NS5PL -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-I223IJEGJQ7NS5PL -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-I223IJEGJQ7NS5PL -j MARK --set-mark 0/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-I223IJEGJQ7NS5PL -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-3DAS7RGRJZBQJXP6 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-3DAS7RGRJZBQJXP6 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-3DAS7RGRJZBQJXP6 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-3DAS7RGRJZBQJXP6 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-3DAS7RGRJZBQJXP6 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3DAS7RGRJZBQJXP6" -d 172.16.0.42 -j KUBE-POD-FW-3DAS7RGRJZBQJXP6
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3DAS7RGRJZBQJXP6" -d 172.16.0.42 -j KUBE-POD-FW-3DAS7RGRJZBQJXP6
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3DAS7RGRJZBQJXP6" -d 172.16.0.42 -j KUBE-POD-FW-3DAS7RGRJZBQJXP6
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3DAS7RGRJZBQJXP6" -s 172.16.0.42 -j KUBE-POD-FW-3DAS7RGRJZBQJXP6
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3DAS7RGRJZBQJXP6" -s 172.16.0.42 -j KUBE-POD-FW-3DAS7RGRJZBQJXP6
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3DAS7RGRJZBQJXP6" -s 172.16.0.42 -j KUBE-POD-FW-3DAS7RGRJZBQJXP6
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-3DAS7RGRJZBQJXP6" -s 172.16.0.42 -j KUBE-POD-FW-3DAS7RGRJZBQJXP6
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-3DAS7RGRJZBQJXP6 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-3DAS7RGRJZBQJXP6 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-3DAS7RGRJZBQJXP6 -j MARK --set-mark 0/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-3DAS7RGRJZBQJXP6 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-QMK4UHTLCD7JIE3U 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-QMK4UHTLCD7JIE3U 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-QMK4UHTLCD7JIE3U 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-QMK4UHTLCD7JIE3U 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-QMK4UHTLCD7JIE3U 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QMK4UHTLCD7JIE3U" -d 172.16.0.45 -j KUBE-POD-FW-QMK4UHTLCD7JIE3U
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QMK4UHTLCD7JIE3U" -d 172.16.0.45 -j KUBE-POD-FW-QMK4UHTLCD7JIE3U
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QMK4UHTLCD7JIE3U" -d 172.16.0.45 -j KUBE-POD-FW-QMK4UHTLCD7JIE3U
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QMK4UHTLCD7JIE3U" -s 172.16.0.45 -j KUBE-POD-FW-QMK4UHTLCD7JIE3U
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QMK4UHTLCD7JIE3U" -s 172.16.0.45 -j KUBE-POD-FW-QMK4UHTLCD7JIE3U
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QMK4UHTLCD7JIE3U" -s 172.16.0.45 -j KUBE-POD-FW-QMK4UHTLCD7JIE3U
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QMK4UHTLCD7JIE3U" -s 172.16.0.45 -j KUBE-POD-FW-QMK4UHTLCD7JIE3U
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-QMK4UHTLCD7JIE3U -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-QMK4UHTLCD7JIE3U -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-QMK4UHTLCD7JIE3U -j MARK --set-mark 0/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-QMK4UHTLCD7JIE3U -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-PB3X3A3LPP6LH3Z2 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-PB3X3A3LPP6LH3Z2 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-PB3X3A3LPP6LH3Z2 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-PB3X3A3LPP6LH3Z2 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:05 truenas env[20630]: -I KUBE-POD-FW-PB3X3A3LPP6LH3Z2 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PB3X3A3LPP6LH3Z2" -d 172.16.0.43 -j KUBE-POD-FW-PB3X3A3LPP6LH3Z2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PB3X3A3LPP6LH3Z2" -d 172.16.0.43 -j KUBE-POD-FW-PB3X3A3LPP6LH3Z2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PB3X3A3LPP6LH3Z2" -d 172.16.0.43 -j KUBE-POD-FW-PB3X3A3LPP6LH3Z2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PB3X3A3LPP6LH3Z2" -s 172.16.0.43 -j KUBE-POD-FW-PB3X3A3LPP6LH3Z2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PB3X3A3LPP6LH3Z2" -s 172.16.0.43 -j KUBE-POD-FW-PB3X3A3LPP6LH3Z2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PB3X3A3LPP6LH3Z2" -s 172.16.0.43 -j KUBE-POD-FW-PB3X3A3LPP6LH3Z2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PB3X3A3LPP6LH3Z2" -s 172.16.0.43 -j KUBE-POD-FW-PB3X3A3LPP6LH3Z2
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-PB3X3A3LPP6LH3Z2 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-PB3X3A3LPP6LH3Z2 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-PB3X3A3LPP6LH3Z2 -j MARK --set-mark 0/0x10000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-POD-FW-PB3X3A3LPP6LH3Z2 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:05 truenas env[20630]: COMMIT
Jun  8 04:54:06 truenas systemd[768731]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-34d5ab9d7d2ff4df02d3d2506cab2b1e7758dbdd364d67552103da2057667de8\x2dinit.mount: Succeeded.
Jun  8 04:54:06 truenas systemd[1]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-34d5ab9d7d2ff4df02d3d2506cab2b1e7758dbdd364d67552103da2057667de8\x2dinit.mount: Succeeded.
Jun  8 04:54:06 truenas systemd[1]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-5a092aaed1dea788d32d1567d1a235f5ddbef884a941ea18d310118fab14afdc\x2dinit.mount: Succeeded.
Jun  8 04:54:06 truenas env[20630]: E0608 04:54:06.159413   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:54:06 truenas env[20630]: Error occurred at line: 103
Jun  8 04:54:06 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:54:06 truenas env[20630]: )
Jun  8 04:54:06 truenas env[20630]: *filter
Jun  8 04:54:06 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:06 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:54:06 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:06 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:54:06 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:54:06 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:54:06 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:54:06 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:54:06 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:54:06 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:54:06 truenas env[20630]: :KUBE-POD-FW-OI4D5ATRDGFK5MDL - [0:0]
Jun  8 04:54:06 truenas env[20630]: :KUBE-POD-FW-JHZCBUMOHCYFMGYY - [0:0]
Jun  8 04:54:06 truenas env[20630]: :KUBE-POD-FW-BQELZCUDTCVWBICW - [0:0]
Jun  8 04:54:06 truenas env[20630]: :KUBE-POD-FW-E6U3LABMJ2LBHOUP - [0:0]
Jun  8 04:54:06 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:54:06 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:54:06 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:54:06 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:54:06 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:54:06 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:54:06 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:54:06 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:54:06 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:54:06 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-OI4D5ATRDGFK5MDL 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-OI4D5ATRDGFK5MDL 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-OI4D5ATRDGFK5MDL 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-OI4D5ATRDGFK5MDL 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-OI4D5ATRDGFK5MDL 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-OI4D5ATRDGFK5MDL" -d 172.16.0.43 -j KUBE-POD-FW-OI4D5ATRDGFK5MDL
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-OI4D5ATRDGFK5MDL" -d 172.16.0.43 -j KUBE-POD-FW-OI4D5ATRDGFK5MDL
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-OI4D5ATRDGFK5MDL" -d 172.16.0.43 -j KUBE-POD-FW-OI4D5ATRDGFK5MDL
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-OI4D5ATRDGFK5MDL" -s 172.16.0.43 -j KUBE-POD-FW-OI4D5ATRDGFK5MDL
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-OI4D5ATRDGFK5MDL" -s 172.16.0.43 -j KUBE-POD-FW-OI4D5ATRDGFK5MDL
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-OI4D5ATRDGFK5MDL" -s 172.16.0.43 -j KUBE-POD-FW-OI4D5ATRDGFK5MDL
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-OI4D5ATRDGFK5MDL" -s 172.16.0.43 -j KUBE-POD-FW-OI4D5ATRDGFK5MDL
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-OI4D5ATRDGFK5MDL -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-OI4D5ATRDGFK5MDL -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-OI4D5ATRDGFK5MDL -j MARK --set-mark 0/0x10000
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-OI4D5ATRDGFK5MDL -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-JHZCBUMOHCYFMGYY 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-JHZCBUMOHCYFMGYY 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-JHZCBUMOHCYFMGYY 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-JHZCBUMOHCYFMGYY 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-JHZCBUMOHCYFMGYY 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JHZCBUMOHCYFMGYY" -d 172.16.0.46 -j KUBE-POD-FW-JHZCBUMOHCYFMGYY
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JHZCBUMOHCYFMGYY" -d 172.16.0.46 -j KUBE-POD-FW-JHZCBUMOHCYFMGYY
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JHZCBUMOHCYFMGYY" -d 172.16.0.46 -j KUBE-POD-FW-JHZCBUMOHCYFMGYY
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JHZCBUMOHCYFMGYY" -s 172.16.0.46 -j KUBE-POD-FW-JHZCBUMOHCYFMGYY
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JHZCBUMOHCYFMGYY" -s 172.16.0.46 -j KUBE-POD-FW-JHZCBUMOHCYFMGYY
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JHZCBUMOHCYFMGYY" -s 172.16.0.46 -j KUBE-POD-FW-JHZCBUMOHCYFMGYY
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-JHZCBUMOHCYFMGYY" -s 172.16.0.46 -j KUBE-POD-FW-JHZCBUMOHCYFMGYY
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-JHZCBUMOHCYFMGYY -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-JHZCBUMOHCYFMGYY -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-JHZCBUMOHCYFMGYY -j MARK --set-mark 0/0x10000
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-JHZCBUMOHCYFMGYY -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-BQELZCUDTCVWBICW 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-BQELZCUDTCVWBICW 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-BQELZCUDTCVWBICW 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-BQELZCUDTCVWBICW 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-BQELZCUDTCVWBICW 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BQELZCUDTCVWBICW" -d 172.16.0.42 -j KUBE-POD-FW-BQELZCUDTCVWBICW
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BQELZCUDTCVWBICW" -d 172.16.0.42 -j KUBE-POD-FW-BQELZCUDTCVWBICW
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BQELZCUDTCVWBICW" -d 172.16.0.42 -j KUBE-POD-FW-BQELZCUDTCVWBICW
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BQELZCUDTCVWBICW" -s 172.16.0.42 -j KUBE-POD-FW-BQELZCUDTCVWBICW
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BQELZCUDTCVWBICW" -s 172.16.0.42 -j KUBE-POD-FW-BQELZCUDTCVWBICW
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BQELZCUDTCVWBICW" -s 172.16.0.42 -j KUBE-POD-FW-BQELZCUDTCVWBICW
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-BQELZCUDTCVWBICW" -s 172.16.0.42 -j KUBE-POD-FW-BQELZCUDTCVWBICW
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-BQELZCUDTCVWBICW -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-BQELZCUDTCVWBICW -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-BQELZCUDTCVWBICW -j MARK --set-mark 0/0x10000
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-BQELZCUDTCVWBICW -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-E6U3LABMJ2LBHOUP 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-E6U3LABMJ2LBHOUP 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-E6U3LABMJ2LBHOUP 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-E6U3LABMJ2LBHOUP 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:06 truenas env[20630]: -I KUBE-POD-FW-E6U3LABMJ2LBHOUP 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-E6U3LABMJ2LBHOUP" -d 172.16.0.45 -j KUBE-POD-FW-E6U3LABMJ2LBHOUP
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-E6U3LABMJ2LBHOUP" -d 172.16.0.45 -j KUBE-POD-FW-E6U3LABMJ2LBHOUP
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-E6U3LABMJ2LBHOUP" -d 172.16.0.45 -j KUBE-POD-FW-E6U3LABMJ2LBHOUP
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-E6U3LABMJ2LBHOUP" -s 172.16.0.45 -j KUBE-POD-FW-E6U3LABMJ2LBHOUP
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-E6U3LABMJ2LBHOUP" -s 172.16.0.45 -j KUBE-POD-FW-E6U3LABMJ2LBHOUP
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-E6U3LABMJ2LBHOUP" -s 172.16.0.45 -j KUBE-POD-FW-E6U3LABMJ2LBHOUP
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-E6U3LABMJ2LBHOUP" -s 172.16.0.45 -j KUBE-POD-FW-E6U3LABMJ2LBHOUP
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-E6U3LABMJ2LBHOUP -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-E6U3LABMJ2LBHOUP -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-E6U3LABMJ2LBHOUP -j MARK --set-mark 0/0x10000
Jun  8 04:54:06 truenas env[20630]: -A KUBE-POD-FW-E6U3LABMJ2LBHOUP -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:06 truenas env[20630]: COMMIT
Jun  8 04:54:06 truenas systemd[768731]: var-lib-kubelet-pods-11243742\x2dc209\x2d4a0d\x2dae94\x2db609082c9cc1-volumes-kubernetes.io\x7eprojected-kube\x2dapi\x2daccess\x2dhgwjf.mount: Succeeded.
Jun  8 04:54:06 truenas systemd[1]: var-lib-kubelet-pods-11243742\x2dc209\x2d4a0d\x2dae94\x2db609082c9cc1-volumes-kubernetes.io\x7eprojected-kube\x2dapi\x2daccess\x2dhgwjf.mount: Succeeded.
Jun  8 04:54:06 truenas systemd[1]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-5a092aaed1dea788d32d1567d1a235f5ddbef884a941ea18d310118fab14afdc.mount: Succeeded.
Jun  8 04:54:06 truenas systemd[768731]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-5a092aaed1dea788d32d1567d1a235f5ddbef884a941ea18d310118fab14afdc.mount: Succeeded.
Jun  8 04:54:06 truenas ntpd[4092]: Listen normally on 43 kube-dummy-if 172.17.61.151:123
Jun  8 04:54:06 truenas ntpd[4092]: Listen normally on 44 kube-dummy-if 172.17.253.246:123
Jun  8 04:54:06 truenas ntpd[4092]: Deleting interface #42 vethc392e3e3, fe80::282a:16ff:fe1a:26c6%22#123, interface stats: received=0, sent=0, dropped=0, active_time=2 secs
Jun  8 04:54:06 truenas systemd[768731]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-a4f3190ef0351a45db767be93be13f848c616888bf8ea52fe8a2c5b720c71c96\x2dinit.mount: Succeeded.
Jun  8 04:54:06 truenas systemd[1]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-a4f3190ef0351a45db767be93be13f848c616888bf8ea52fe8a2c5b720c71c96\x2dinit.mount: Succeeded.
Jun  8 04:54:06 truenas systemd[1]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-3b0f9cebaaa84355741cf4a77f61fc87e60368a50576517884b150aee35ff623\x2dinit.mount: Succeeded.
Jun  8 04:54:06 truenas systemd[768731]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-3b0f9cebaaa84355741cf4a77f61fc87e60368a50576517884b150aee35ff623\x2dinit.mount: Succeeded.
Jun  8 04:54:07 truenas systemd[1]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-a4f3190ef0351a45db767be93be13f848c616888bf8ea52fe8a2c5b720c71c96.mount: Succeeded.
Jun  8 04:54:07 truenas systemd[768731]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-a4f3190ef0351a45db767be93be13f848c616888bf8ea52fe8a2c5b720c71c96.mount: Succeeded.
Jun  8 04:54:07 truenas systemd[768731]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-3b0f9cebaaa84355741cf4a77f61fc87e60368a50576517884b150aee35ff623.mount: Succeeded.
Jun  8 04:54:07 truenas systemd[1]: mnt-Master\x5c\x20Pool-ix\x2dapplications-docker-zfs-graph-3b0f9cebaaa84355741cf4a77f61fc87e60368a50576517884b150aee35ff623.mount: Succeeded.
Jun  8 04:54:07 truenas systemd[1]: run-docker-runtime\x2drunc-moby-a519013b4176a3e083a478053a54c685c4bfaae064a82187130fcc11f4554b74-runc.LrTKUb.mount: Succeeded.
Jun  8 04:54:07 truenas systemd[768731]: run-docker-runtime\x2drunc-moby-a519013b4176a3e083a478053a54c685c4bfaae064a82187130fcc11f4554b74-runc.LrTKUb.mount: Succeeded.
Jun  8 04:54:08 truenas env[20630]: E0608 04:54:08.586449   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:54:08 truenas env[20630]: Error occurred at line: 103
Jun  8 04:54:08 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:54:08 truenas env[20630]: )
Jun  8 04:54:08 truenas env[20630]: *filter
Jun  8 04:54:08 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:08 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:54:08 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:08 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:54:08 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:54:08 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:54:08 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:54:08 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:54:08 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:54:08 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:54:08 truenas env[20630]: :KUBE-POD-FW-QH5OB3NJO2IYW725 - [0:0]
Jun  8 04:54:08 truenas env[20630]: :KUBE-POD-FW-MZY4UP6LDEOEO5BT - [0:0]
Jun  8 04:54:08 truenas env[20630]: :KUBE-POD-FW-SGD5ZGG74CA4MHJT - [0:0]
Jun  8 04:54:08 truenas env[20630]: :KUBE-POD-FW-PDYQ6Y3VCQMA4HVI - [0:0]
Jun  8 04:54:08 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:54:08 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:54:08 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:54:08 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:54:08 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:54:08 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:54:08 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:54:08 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:54:08 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:54:08 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-QH5OB3NJO2IYW725 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-QH5OB3NJO2IYW725 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-QH5OB3NJO2IYW725 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-QH5OB3NJO2IYW725 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-QH5OB3NJO2IYW725 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-QH5OB3NJO2IYW725" -d 172.16.0.42 -j KUBE-POD-FW-QH5OB3NJO2IYW725
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-QH5OB3NJO2IYW725" -d 172.16.0.42 -j KUBE-POD-FW-QH5OB3NJO2IYW725
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-QH5OB3NJO2IYW725" -d 172.16.0.42 -j KUBE-POD-FW-QH5OB3NJO2IYW725
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-QH5OB3NJO2IYW725" -s 172.16.0.42 -j KUBE-POD-FW-QH5OB3NJO2IYW725
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-QH5OB3NJO2IYW725" -s 172.16.0.42 -j KUBE-POD-FW-QH5OB3NJO2IYW725
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-QH5OB3NJO2IYW725" -s 172.16.0.42 -j KUBE-POD-FW-QH5OB3NJO2IYW725
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-QH5OB3NJO2IYW725" -s 172.16.0.42 -j KUBE-POD-FW-QH5OB3NJO2IYW725
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-QH5OB3NJO2IYW725 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-QH5OB3NJO2IYW725 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-QH5OB3NJO2IYW725 -j MARK --set-mark 0/0x10000
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-QH5OB3NJO2IYW725 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-MZY4UP6LDEOEO5BT 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-MZY4UP6LDEOEO5BT 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-MZY4UP6LDEOEO5BT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-MZY4UP6LDEOEO5BT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-MZY4UP6LDEOEO5BT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MZY4UP6LDEOEO5BT" -d 172.16.0.45 -j KUBE-POD-FW-MZY4UP6LDEOEO5BT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MZY4UP6LDEOEO5BT" -d 172.16.0.45 -j KUBE-POD-FW-MZY4UP6LDEOEO5BT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MZY4UP6LDEOEO5BT" -d 172.16.0.45 -j KUBE-POD-FW-MZY4UP6LDEOEO5BT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MZY4UP6LDEOEO5BT" -s 172.16.0.45 -j KUBE-POD-FW-MZY4UP6LDEOEO5BT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MZY4UP6LDEOEO5BT" -s 172.16.0.45 -j KUBE-POD-FW-MZY4UP6LDEOEO5BT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MZY4UP6LDEOEO5BT" -s 172.16.0.45 -j KUBE-POD-FW-MZY4UP6LDEOEO5BT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-MZY4UP6LDEOEO5BT" -s 172.16.0.45 -j KUBE-POD-FW-MZY4UP6LDEOEO5BT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-MZY4UP6LDEOEO5BT -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-MZY4UP6LDEOEO5BT -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-MZY4UP6LDEOEO5BT -j MARK --set-mark 0/0x10000
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-MZY4UP6LDEOEO5BT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-SGD5ZGG74CA4MHJT 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-SGD5ZGG74CA4MHJT 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-SGD5ZGG74CA4MHJT 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-SGD5ZGG74CA4MHJT 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-SGD5ZGG74CA4MHJT 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SGD5ZGG74CA4MHJT" -d 172.16.0.43 -j KUBE-POD-FW-SGD5ZGG74CA4MHJT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SGD5ZGG74CA4MHJT" -d 172.16.0.43 -j KUBE-POD-FW-SGD5ZGG74CA4MHJT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SGD5ZGG74CA4MHJT" -d 172.16.0.43 -j KUBE-POD-FW-SGD5ZGG74CA4MHJT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SGD5ZGG74CA4MHJT" -s 172.16.0.43 -j KUBE-POD-FW-SGD5ZGG74CA4MHJT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SGD5ZGG74CA4MHJT" -s 172.16.0.43 -j KUBE-POD-FW-SGD5ZGG74CA4MHJT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SGD5ZGG74CA4MHJT" -s 172.16.0.43 -j KUBE-POD-FW-SGD5ZGG74CA4MHJT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-SGD5ZGG74CA4MHJT" -s 172.16.0.43 -j KUBE-POD-FW-SGD5ZGG74CA4MHJT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-SGD5ZGG74CA4MHJT -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-SGD5ZGG74CA4MHJT -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-SGD5ZGG74CA4MHJT -j MARK --set-mark 0/0x10000
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-SGD5ZGG74CA4MHJT -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-PDYQ6Y3VCQMA4HVI 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-PDYQ6Y3VCQMA4HVI 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-PDYQ6Y3VCQMA4HVI 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-PDYQ6Y3VCQMA4HVI 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:08 truenas env[20630]: -I KUBE-POD-FW-PDYQ6Y3VCQMA4HVI 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PDYQ6Y3VCQMA4HVI" -d 172.16.0.46 -j KUBE-POD-FW-PDYQ6Y3VCQMA4HVI
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PDYQ6Y3VCQMA4HVI" -d 172.16.0.46 -j KUBE-POD-FW-PDYQ6Y3VCQMA4HVI
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PDYQ6Y3VCQMA4HVI" -d 172.16.0.46 -j KUBE-POD-FW-PDYQ6Y3VCQMA4HVI
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PDYQ6Y3VCQMA4HVI" -s 172.16.0.46 -j KUBE-POD-FW-PDYQ6Y3VCQMA4HVI
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PDYQ6Y3VCQMA4HVI" -s 172.16.0.46 -j KUBE-POD-FW-PDYQ6Y3VCQMA4HVI
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PDYQ6Y3VCQMA4HVI" -s 172.16.0.46 -j KUBE-POD-FW-PDYQ6Y3VCQMA4HVI
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-PDYQ6Y3VCQMA4HVI" -s 172.16.0.46 -j KUBE-POD-FW-PDYQ6Y3VCQMA4HVI
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-PDYQ6Y3VCQMA4HVI -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-PDYQ6Y3VCQMA4HVI -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-PDYQ6Y3VCQMA4HVI -j MARK --set-mark 0/0x10000
Jun  8 04:54:08 truenas env[20630]: -A KUBE-POD-FW-PDYQ6Y3VCQMA4HVI -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:08 truenas env[20630]: COMMIT
Jun  8 04:54:29 truenas env[20630]: E0608 04:54:29.768343   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:54:29 truenas env[20630]: Error occurred at line: 103
Jun  8 04:54:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:54:29 truenas env[20630]: )
Jun  8 04:54:29 truenas env[20630]: *filter
Jun  8 04:54:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:54:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:54:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:54:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:54:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:54:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:54:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:54:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:54:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:54:29 truenas env[20630]: :KUBE-POD-FW-Y3Z22K3ARUONZ7W5 - [0:0]
Jun  8 04:54:29 truenas env[20630]: :KUBE-POD-FW-3PQ5ELKBH3PHLAQ7 - [0:0]
Jun  8 04:54:29 truenas env[20630]: :KUBE-POD-FW-6ES32QU44QUTYA34 - [0:0]
Jun  8 04:54:29 truenas env[20630]: :KUBE-POD-FW-EKPQH4UKPHZIPYSO - [0:0]
Jun  8 04:54:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:54:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:54:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:54:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:54:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:54:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:54:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:54:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:54:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:54:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-Y3Z22K3ARUONZ7W5 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-Y3Z22K3ARUONZ7W5 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-Y3Z22K3ARUONZ7W5 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-Y3Z22K3ARUONZ7W5 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-Y3Z22K3ARUONZ7W5 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y3Z22K3ARUONZ7W5" -d 172.16.0.42 -j KUBE-POD-FW-Y3Z22K3ARUONZ7W5
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y3Z22K3ARUONZ7W5" -d 172.16.0.42 -j KUBE-POD-FW-Y3Z22K3ARUONZ7W5
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y3Z22K3ARUONZ7W5" -d 172.16.0.42 -j KUBE-POD-FW-Y3Z22K3ARUONZ7W5
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y3Z22K3ARUONZ7W5" -s 172.16.0.42 -j KUBE-POD-FW-Y3Z22K3ARUONZ7W5
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y3Z22K3ARUONZ7W5" -s 172.16.0.42 -j KUBE-POD-FW-Y3Z22K3ARUONZ7W5
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y3Z22K3ARUONZ7W5" -s 172.16.0.42 -j KUBE-POD-FW-Y3Z22K3ARUONZ7W5
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-Y3Z22K3ARUONZ7W5" -s 172.16.0.42 -j KUBE-POD-FW-Y3Z22K3ARUONZ7W5
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-Y3Z22K3ARUONZ7W5 -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-Y3Z22K3ARUONZ7W5 -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-Y3Z22K3ARUONZ7W5 -j MARK --set-mark 0/0x10000
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-Y3Z22K3ARUONZ7W5 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-3PQ5ELKBH3PHLAQ7 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-3PQ5ELKBH3PHLAQ7 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-3PQ5ELKBH3PHLAQ7 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-3PQ5ELKBH3PHLAQ7 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-3PQ5ELKBH3PHLAQ7 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3PQ5ELKBH3PHLAQ7" -d 172.16.0.45 -j KUBE-POD-FW-3PQ5ELKBH3PHLAQ7
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3PQ5ELKBH3PHLAQ7" -d 172.16.0.45 -j KUBE-POD-FW-3PQ5ELKBH3PHLAQ7
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3PQ5ELKBH3PHLAQ7" -d 172.16.0.45 -j KUBE-POD-FW-3PQ5ELKBH3PHLAQ7
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3PQ5ELKBH3PHLAQ7" -s 172.16.0.45 -j KUBE-POD-FW-3PQ5ELKBH3PHLAQ7
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3PQ5ELKBH3PHLAQ7" -s 172.16.0.45 -j KUBE-POD-FW-3PQ5ELKBH3PHLAQ7
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3PQ5ELKBH3PHLAQ7" -s 172.16.0.45 -j KUBE-POD-FW-3PQ5ELKBH3PHLAQ7
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-3PQ5ELKBH3PHLAQ7" -s 172.16.0.45 -j KUBE-POD-FW-3PQ5ELKBH3PHLAQ7
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-3PQ5ELKBH3PHLAQ7 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-3PQ5ELKBH3PHLAQ7 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-3PQ5ELKBH3PHLAQ7 -j MARK --set-mark 0/0x10000
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-3PQ5ELKBH3PHLAQ7 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-6ES32QU44QUTYA34 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-6ES32QU44QUTYA34 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-6ES32QU44QUTYA34 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-6ES32QU44QUTYA34 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-6ES32QU44QUTYA34 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6ES32QU44QUTYA34" -d 172.16.0.43 -j KUBE-POD-FW-6ES32QU44QUTYA34
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6ES32QU44QUTYA34" -d 172.16.0.43 -j KUBE-POD-FW-6ES32QU44QUTYA34
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6ES32QU44QUTYA34" -d 172.16.0.43 -j KUBE-POD-FW-6ES32QU44QUTYA34
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6ES32QU44QUTYA34" -s 172.16.0.43 -j KUBE-POD-FW-6ES32QU44QUTYA34
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6ES32QU44QUTYA34" -s 172.16.0.43 -j KUBE-POD-FW-6ES32QU44QUTYA34
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6ES32QU44QUTYA34" -s 172.16.0.43 -j KUBE-POD-FW-6ES32QU44QUTYA34
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-6ES32QU44QUTYA34" -s 172.16.0.43 -j KUBE-POD-FW-6ES32QU44QUTYA34
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-6ES32QU44QUTYA34 -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-6ES32QU44QUTYA34 -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-6ES32QU44QUTYA34 -j MARK --set-mark 0/0x10000
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-6ES32QU44QUTYA34 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-EKPQH4UKPHZIPYSO 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-EKPQH4UKPHZIPYSO 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-EKPQH4UKPHZIPYSO 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-EKPQH4UKPHZIPYSO 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:54:29 truenas env[20630]: -I KUBE-POD-FW-EKPQH4UKPHZIPYSO 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EKPQH4UKPHZIPYSO" -d 172.16.0.46 -j KUBE-POD-FW-EKPQH4UKPHZIPYSO
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EKPQH4UKPHZIPYSO" -d 172.16.0.46 -j KUBE-POD-FW-EKPQH4UKPHZIPYSO
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EKPQH4UKPHZIPYSO" -d 172.16.0.46 -j KUBE-POD-FW-EKPQH4UKPHZIPYSO
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EKPQH4UKPHZIPYSO" -s 172.16.0.46 -j KUBE-POD-FW-EKPQH4UKPHZIPYSO
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EKPQH4UKPHZIPYSO" -s 172.16.0.46 -j KUBE-POD-FW-EKPQH4UKPHZIPYSO
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EKPQH4UKPHZIPYSO" -s 172.16.0.46 -j KUBE-POD-FW-EKPQH4UKPHZIPYSO
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-EKPQH4UKPHZIPYSO" -s 172.16.0.46 -j KUBE-POD-FW-EKPQH4UKPHZIPYSO
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-EKPQH4UKPHZIPYSO -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-EKPQH4UKPHZIPYSO -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-EKPQH4UKPHZIPYSO -j MARK --set-mark 0/0x10000
Jun  8 04:54:29 truenas env[20630]: -A KUBE-POD-FW-EKPQH4UKPHZIPYSO -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:54:29 truenas env[20630]: COMMIT
Jun  8 04:59:06 truenas smartd[3887]: Device: /dev/sda [SAT], SMART Usage Attribute: 190 Airflow_Temperature_Cel changed from 68 to 67
Jun  8 04:59:06 truenas smartd[3887]: Device: /dev/sdb [SAT], SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 77 to 78
Jun  8 04:59:06 truenas smartd[3887]: Device: /dev/sdb [SAT], SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 77 to 78
Jun  8 04:59:26 truenas nscd[781055]: 781055 monitoring file `/etc/hosts` (1)
Jun  8 04:59:26 truenas nscd[781055]: 781055 monitoring directory `/etc` (2)
Jun  8 04:59:26 truenas nscd[781055]: 781055 monitoring file `/etc/resolv.conf` (3)
Jun  8 04:59:26 truenas nscd[781055]: 781055 monitoring directory `/etc` (2)
Jun  8 04:59:26 truenas nscd[781055]: 781055 cannot create /var/cache/nscd/hosts; no persistent database used
Jun  8 04:59:29 truenas env[20630]: E0608 04:59:29.756742   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 04:59:29 truenas env[20630]: Error occurred at line: 103
Jun  8 04:59:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 04:59:29 truenas env[20630]: )
Jun  8 04:59:29 truenas env[20630]: *filter
Jun  8 04:59:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 04:59:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 04:59:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 04:59:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 04:59:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 04:59:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 04:59:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 04:59:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 04:59:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 04:59:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 04:59:29 truenas env[20630]: :KUBE-POD-FW-CWXNFR2CUS4NCRHP - [0:0]
Jun  8 04:59:29 truenas env[20630]: :KUBE-POD-FW-E3QT2WOAG5Y3BHLU - [0:0]
Jun  8 04:59:29 truenas env[20630]: :KUBE-POD-FW-XJEYGDKRB2YAOGQA - [0:0]
Jun  8 04:59:29 truenas env[20630]: :KUBE-POD-FW-PHZO2IMHQQXZE75J - [0:0]
Jun  8 04:59:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 04:59:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 04:59:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 04:59:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 04:59:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 04:59:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 04:59:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 04:59:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 04:59:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 04:59:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-CWXNFR2CUS4NCRHP 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-CWXNFR2CUS4NCRHP 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-CWXNFR2CUS4NCRHP 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-CWXNFR2CUS4NCRHP 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-CWXNFR2CUS4NCRHP 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CWXNFR2CUS4NCRHP" -d 172.16.0.46 -j KUBE-POD-FW-CWXNFR2CUS4NCRHP
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CWXNFR2CUS4NCRHP" -d 172.16.0.46 -j KUBE-POD-FW-CWXNFR2CUS4NCRHP
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CWXNFR2CUS4NCRHP" -d 172.16.0.46 -j KUBE-POD-FW-CWXNFR2CUS4NCRHP
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CWXNFR2CUS4NCRHP" -s 172.16.0.46 -j KUBE-POD-FW-CWXNFR2CUS4NCRHP
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CWXNFR2CUS4NCRHP" -s 172.16.0.46 -j KUBE-POD-FW-CWXNFR2CUS4NCRHP
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CWXNFR2CUS4NCRHP" -s 172.16.0.46 -j KUBE-POD-FW-CWXNFR2CUS4NCRHP
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-CWXNFR2CUS4NCRHP" -s 172.16.0.46 -j KUBE-POD-FW-CWXNFR2CUS4NCRHP
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-CWXNFR2CUS4NCRHP -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-CWXNFR2CUS4NCRHP -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-CWXNFR2CUS4NCRHP -j MARK --set-mark 0/0x10000
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-CWXNFR2CUS4NCRHP -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-E3QT2WOAG5Y3BHLU 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-E3QT2WOAG5Y3BHLU 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-E3QT2WOAG5Y3BHLU 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-E3QT2WOAG5Y3BHLU 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-E3QT2WOAG5Y3BHLU 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E3QT2WOAG5Y3BHLU" -d 172.16.0.42 -j KUBE-POD-FW-E3QT2WOAG5Y3BHLU
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E3QT2WOAG5Y3BHLU" -d 172.16.0.42 -j KUBE-POD-FW-E3QT2WOAG5Y3BHLU
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E3QT2WOAG5Y3BHLU" -d 172.16.0.42 -j KUBE-POD-FW-E3QT2WOAG5Y3BHLU
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E3QT2WOAG5Y3BHLU" -s 172.16.0.42 -j KUBE-POD-FW-E3QT2WOAG5Y3BHLU
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E3QT2WOAG5Y3BHLU" -s 172.16.0.42 -j KUBE-POD-FW-E3QT2WOAG5Y3BHLU
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E3QT2WOAG5Y3BHLU" -s 172.16.0.42 -j KUBE-POD-FW-E3QT2WOAG5Y3BHLU
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-E3QT2WOAG5Y3BHLU" -s 172.16.0.42 -j KUBE-POD-FW-E3QT2WOAG5Y3BHLU
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-E3QT2WOAG5Y3BHLU -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-E3QT2WOAG5Y3BHLU -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-E3QT2WOAG5Y3BHLU -j MARK --set-mark 0/0x10000
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-E3QT2WOAG5Y3BHLU -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-XJEYGDKRB2YAOGQA 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-XJEYGDKRB2YAOGQA 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-XJEYGDKRB2YAOGQA 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-XJEYGDKRB2YAOGQA 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-XJEYGDKRB2YAOGQA 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJEYGDKRB2YAOGQA" -d 172.16.0.45 -j KUBE-POD-FW-XJEYGDKRB2YAOGQA
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJEYGDKRB2YAOGQA" -d 172.16.0.45 -j KUBE-POD-FW-XJEYGDKRB2YAOGQA
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJEYGDKRB2YAOGQA" -d 172.16.0.45 -j KUBE-POD-FW-XJEYGDKRB2YAOGQA
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJEYGDKRB2YAOGQA" -s 172.16.0.45 -j KUBE-POD-FW-XJEYGDKRB2YAOGQA
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJEYGDKRB2YAOGQA" -s 172.16.0.45 -j KUBE-POD-FW-XJEYGDKRB2YAOGQA
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJEYGDKRB2YAOGQA" -s 172.16.0.45 -j KUBE-POD-FW-XJEYGDKRB2YAOGQA
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-XJEYGDKRB2YAOGQA" -s 172.16.0.45 -j KUBE-POD-FW-XJEYGDKRB2YAOGQA
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-XJEYGDKRB2YAOGQA -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-XJEYGDKRB2YAOGQA -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-XJEYGDKRB2YAOGQA -j MARK --set-mark 0/0x10000
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-XJEYGDKRB2YAOGQA -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-PHZO2IMHQQXZE75J 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-PHZO2IMHQQXZE75J 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-PHZO2IMHQQXZE75J 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-PHZO2IMHQQXZE75J 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 04:59:29 truenas env[20630]: -I KUBE-POD-FW-PHZO2IMHQQXZE75J 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PHZO2IMHQQXZE75J" -d 172.16.0.43 -j KUBE-POD-FW-PHZO2IMHQQXZE75J
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PHZO2IMHQQXZE75J" -d 172.16.0.43 -j KUBE-POD-FW-PHZO2IMHQQXZE75J
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PHZO2IMHQQXZE75J" -d 172.16.0.43 -j KUBE-POD-FW-PHZO2IMHQQXZE75J
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PHZO2IMHQQXZE75J" -s 172.16.0.43 -j KUBE-POD-FW-PHZO2IMHQQXZE75J
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PHZO2IMHQQXZE75J" -s 172.16.0.43 -j KUBE-POD-FW-PHZO2IMHQQXZE75J
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PHZO2IMHQQXZE75J" -s 172.16.0.43 -j KUBE-POD-FW-PHZO2IMHQQXZE75J
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PHZO2IMHQQXZE75J" -s 172.16.0.43 -j KUBE-POD-FW-PHZO2IMHQQXZE75J
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-PHZO2IMHQQXZE75J -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-PHZO2IMHQQXZE75J -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-PHZO2IMHQQXZE75J -j MARK --set-mark 0/0x10000
Jun  8 04:59:29 truenas env[20630]: -A KUBE-POD-FW-PHZO2IMHQQXZE75J -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 04:59:29 truenas env[20630]: COMMIT
Jun  8 05:00:06 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 05:00:06 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 05:00:06 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 05:04:29 truenas env[20630]: E0608 05:04:29.740758   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 05:04:29 truenas env[20630]: Error occurred at line: 103
Jun  8 05:04:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 05:04:29 truenas env[20630]: )
Jun  8 05:04:29 truenas env[20630]: *filter
Jun  8 05:04:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 05:04:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 05:04:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 05:04:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 05:04:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 05:04:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 05:04:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 05:04:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 05:04:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 05:04:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 05:04:29 truenas env[20630]: :KUBE-POD-FW-HXBOBL4MYNGQWNSD - [0:0]
Jun  8 05:04:29 truenas env[20630]: :KUBE-POD-FW-LRTJKQOSWQZJPF5K - [0:0]
Jun  8 05:04:29 truenas env[20630]: :KUBE-POD-FW-RJTLHGMCC6LSNOOZ - [0:0]
Jun  8 05:04:29 truenas env[20630]: :KUBE-POD-FW-J2H4BWBA44UUER4F - [0:0]
Jun  8 05:04:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 05:04:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 05:04:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 05:04:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 05:04:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 05:04:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 05:04:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 05:04:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 05:04:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 05:04:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-HXBOBL4MYNGQWNSD 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-HXBOBL4MYNGQWNSD 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-HXBOBL4MYNGQWNSD 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-HXBOBL4MYNGQWNSD 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-HXBOBL4MYNGQWNSD 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-HXBOBL4MYNGQWNSD" -d 172.16.0.46 -j KUBE-POD-FW-HXBOBL4MYNGQWNSD
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-HXBOBL4MYNGQWNSD" -d 172.16.0.46 -j KUBE-POD-FW-HXBOBL4MYNGQWNSD
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-HXBOBL4MYNGQWNSD" -d 172.16.0.46 -j KUBE-POD-FW-HXBOBL4MYNGQWNSD
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-HXBOBL4MYNGQWNSD" -s 172.16.0.46 -j KUBE-POD-FW-HXBOBL4MYNGQWNSD
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-HXBOBL4MYNGQWNSD" -s 172.16.0.46 -j KUBE-POD-FW-HXBOBL4MYNGQWNSD
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-HXBOBL4MYNGQWNSD" -s 172.16.0.46 -j KUBE-POD-FW-HXBOBL4MYNGQWNSD
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-HXBOBL4MYNGQWNSD" -s 172.16.0.46 -j KUBE-POD-FW-HXBOBL4MYNGQWNSD
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-HXBOBL4MYNGQWNSD -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-HXBOBL4MYNGQWNSD -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-HXBOBL4MYNGQWNSD -j MARK --set-mark 0/0x10000
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-HXBOBL4MYNGQWNSD -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-LRTJKQOSWQZJPF5K 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-LRTJKQOSWQZJPF5K 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-LRTJKQOSWQZJPF5K 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-LRTJKQOSWQZJPF5K 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-LRTJKQOSWQZJPF5K 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LRTJKQOSWQZJPF5K" -d 172.16.0.42 -j KUBE-POD-FW-LRTJKQOSWQZJPF5K
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LRTJKQOSWQZJPF5K" -d 172.16.0.42 -j KUBE-POD-FW-LRTJKQOSWQZJPF5K
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LRTJKQOSWQZJPF5K" -d 172.16.0.42 -j KUBE-POD-FW-LRTJKQOSWQZJPF5K
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LRTJKQOSWQZJPF5K" -s 172.16.0.42 -j KUBE-POD-FW-LRTJKQOSWQZJPF5K
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LRTJKQOSWQZJPF5K" -s 172.16.0.42 -j KUBE-POD-FW-LRTJKQOSWQZJPF5K
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LRTJKQOSWQZJPF5K" -s 172.16.0.42 -j KUBE-POD-FW-LRTJKQOSWQZJPF5K
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-LRTJKQOSWQZJPF5K" -s 172.16.0.42 -j KUBE-POD-FW-LRTJKQOSWQZJPF5K
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-LRTJKQOSWQZJPF5K -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-LRTJKQOSWQZJPF5K -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-LRTJKQOSWQZJPF5K -j MARK --set-mark 0/0x10000
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-LRTJKQOSWQZJPF5K -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-RJTLHGMCC6LSNOOZ 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-RJTLHGMCC6LSNOOZ 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-RJTLHGMCC6LSNOOZ 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-RJTLHGMCC6LSNOOZ 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-RJTLHGMCC6LSNOOZ 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RJTLHGMCC6LSNOOZ" -d 172.16.0.45 -j KUBE-POD-FW-RJTLHGMCC6LSNOOZ
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RJTLHGMCC6LSNOOZ" -d 172.16.0.45 -j KUBE-POD-FW-RJTLHGMCC6LSNOOZ
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RJTLHGMCC6LSNOOZ" -d 172.16.0.45 -j KUBE-POD-FW-RJTLHGMCC6LSNOOZ
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RJTLHGMCC6LSNOOZ" -s 172.16.0.45 -j KUBE-POD-FW-RJTLHGMCC6LSNOOZ
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RJTLHGMCC6LSNOOZ" -s 172.16.0.45 -j KUBE-POD-FW-RJTLHGMCC6LSNOOZ
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RJTLHGMCC6LSNOOZ" -s 172.16.0.45 -j KUBE-POD-FW-RJTLHGMCC6LSNOOZ
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-RJTLHGMCC6LSNOOZ" -s 172.16.0.45 -j KUBE-POD-FW-RJTLHGMCC6LSNOOZ
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-RJTLHGMCC6LSNOOZ -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-RJTLHGMCC6LSNOOZ -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-RJTLHGMCC6LSNOOZ -j MARK --set-mark 0/0x10000
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-RJTLHGMCC6LSNOOZ -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-J2H4BWBA44UUER4F 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-J2H4BWBA44UUER4F 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-J2H4BWBA44UUER4F 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-J2H4BWBA44UUER4F 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:04:29 truenas env[20630]: -I KUBE-POD-FW-J2H4BWBA44UUER4F 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J2H4BWBA44UUER4F" -d 172.16.0.43 -j KUBE-POD-FW-J2H4BWBA44UUER4F
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J2H4BWBA44UUER4F" -d 172.16.0.43 -j KUBE-POD-FW-J2H4BWBA44UUER4F
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J2H4BWBA44UUER4F" -d 172.16.0.43 -j KUBE-POD-FW-J2H4BWBA44UUER4F
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J2H4BWBA44UUER4F" -s 172.16.0.43 -j KUBE-POD-FW-J2H4BWBA44UUER4F
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J2H4BWBA44UUER4F" -s 172.16.0.43 -j KUBE-POD-FW-J2H4BWBA44UUER4F
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J2H4BWBA44UUER4F" -s 172.16.0.43 -j KUBE-POD-FW-J2H4BWBA44UUER4F
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-J2H4BWBA44UUER4F" -s 172.16.0.43 -j KUBE-POD-FW-J2H4BWBA44UUER4F
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-J2H4BWBA44UUER4F -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-J2H4BWBA44UUER4F -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-J2H4BWBA44UUER4F -j MARK --set-mark 0/0x10000
Jun  8 05:04:29 truenas env[20630]: -A KUBE-POD-FW-J2H4BWBA44UUER4F -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 05:04:29 truenas env[20630]: COMMIT
Jun  8 05:09:29 truenas env[20630]: E0608 05:09:29.772420   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 05:09:29 truenas env[20630]: Error occurred at line: 103
Jun  8 05:09:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 05:09:29 truenas env[20630]: )
Jun  8 05:09:29 truenas env[20630]: *filter
Jun  8 05:09:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 05:09:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 05:09:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 05:09:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 05:09:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 05:09:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 05:09:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 05:09:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 05:09:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 05:09:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 05:09:29 truenas env[20630]: :KUBE-POD-FW-I32GAU2X4SIMZFOV - [0:0]
Jun  8 05:09:29 truenas env[20630]: :KUBE-POD-FW-X4WPRBNH6LOLLBAA - [0:0]
Jun  8 05:09:29 truenas env[20630]: :KUBE-POD-FW-TWPUBMUI4PTOTJSE - [0:0]
Jun  8 05:09:29 truenas env[20630]: :KUBE-POD-FW-TA7INHQAUZIEA624 - [0:0]
Jun  8 05:09:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 05:09:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 05:09:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 05:09:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 05:09:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 05:09:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 05:09:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 05:09:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 05:09:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 05:09:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-I32GAU2X4SIMZFOV 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-I32GAU2X4SIMZFOV 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-I32GAU2X4SIMZFOV 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-I32GAU2X4SIMZFOV 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-I32GAU2X4SIMZFOV 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-I32GAU2X4SIMZFOV" -d 172.16.0.43 -j KUBE-POD-FW-I32GAU2X4SIMZFOV
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-I32GAU2X4SIMZFOV" -d 172.16.0.43 -j KUBE-POD-FW-I32GAU2X4SIMZFOV
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-I32GAU2X4SIMZFOV" -d 172.16.0.43 -j KUBE-POD-FW-I32GAU2X4SIMZFOV
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-I32GAU2X4SIMZFOV" -s 172.16.0.43 -j KUBE-POD-FW-I32GAU2X4SIMZFOV
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-I32GAU2X4SIMZFOV" -s 172.16.0.43 -j KUBE-POD-FW-I32GAU2X4SIMZFOV
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-I32GAU2X4SIMZFOV" -s 172.16.0.43 -j KUBE-POD-FW-I32GAU2X4SIMZFOV
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-I32GAU2X4SIMZFOV" -s 172.16.0.43 -j KUBE-POD-FW-I32GAU2X4SIMZFOV
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-I32GAU2X4SIMZFOV -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-I32GAU2X4SIMZFOV -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-I32GAU2X4SIMZFOV -j MARK --set-mark 0/0x10000
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-I32GAU2X4SIMZFOV -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-X4WPRBNH6LOLLBAA 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-X4WPRBNH6LOLLBAA 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-X4WPRBNH6LOLLBAA 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-X4WPRBNH6LOLLBAA 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-X4WPRBNH6LOLLBAA 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-X4WPRBNH6LOLLBAA" -d 172.16.0.46 -j KUBE-POD-FW-X4WPRBNH6LOLLBAA
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-X4WPRBNH6LOLLBAA" -d 172.16.0.46 -j KUBE-POD-FW-X4WPRBNH6LOLLBAA
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-X4WPRBNH6LOLLBAA" -d 172.16.0.46 -j KUBE-POD-FW-X4WPRBNH6LOLLBAA
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-X4WPRBNH6LOLLBAA" -s 172.16.0.46 -j KUBE-POD-FW-X4WPRBNH6LOLLBAA
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-X4WPRBNH6LOLLBAA" -s 172.16.0.46 -j KUBE-POD-FW-X4WPRBNH6LOLLBAA
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-X4WPRBNH6LOLLBAA" -s 172.16.0.46 -j KUBE-POD-FW-X4WPRBNH6LOLLBAA
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-X4WPRBNH6LOLLBAA" -s 172.16.0.46 -j KUBE-POD-FW-X4WPRBNH6LOLLBAA
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-X4WPRBNH6LOLLBAA -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-X4WPRBNH6LOLLBAA -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-X4WPRBNH6LOLLBAA -j MARK --set-mark 0/0x10000
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-X4WPRBNH6LOLLBAA -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-TWPUBMUI4PTOTJSE 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-TWPUBMUI4PTOTJSE 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-TWPUBMUI4PTOTJSE 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-TWPUBMUI4PTOTJSE 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-TWPUBMUI4PTOTJSE 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TWPUBMUI4PTOTJSE" -d 172.16.0.42 -j KUBE-POD-FW-TWPUBMUI4PTOTJSE
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TWPUBMUI4PTOTJSE" -d 172.16.0.42 -j KUBE-POD-FW-TWPUBMUI4PTOTJSE
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TWPUBMUI4PTOTJSE" -d 172.16.0.42 -j KUBE-POD-FW-TWPUBMUI4PTOTJSE
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TWPUBMUI4PTOTJSE" -s 172.16.0.42 -j KUBE-POD-FW-TWPUBMUI4PTOTJSE
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TWPUBMUI4PTOTJSE" -s 172.16.0.42 -j KUBE-POD-FW-TWPUBMUI4PTOTJSE
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TWPUBMUI4PTOTJSE" -s 172.16.0.42 -j KUBE-POD-FW-TWPUBMUI4PTOTJSE
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-TWPUBMUI4PTOTJSE" -s 172.16.0.42 -j KUBE-POD-FW-TWPUBMUI4PTOTJSE
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-TWPUBMUI4PTOTJSE -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-TWPUBMUI4PTOTJSE -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-TWPUBMUI4PTOTJSE -j MARK --set-mark 0/0x10000
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-TWPUBMUI4PTOTJSE -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-TA7INHQAUZIEA624 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-TA7INHQAUZIEA624 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-TA7INHQAUZIEA624 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-TA7INHQAUZIEA624 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:09:29 truenas env[20630]: -I KUBE-POD-FW-TA7INHQAUZIEA624 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-TA7INHQAUZIEA624" -d 172.16.0.45 -j KUBE-POD-FW-TA7INHQAUZIEA624
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-TA7INHQAUZIEA624" -d 172.16.0.45 -j KUBE-POD-FW-TA7INHQAUZIEA624
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-TA7INHQAUZIEA624" -d 172.16.0.45 -j KUBE-POD-FW-TA7INHQAUZIEA624
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-TA7INHQAUZIEA624" -s 172.16.0.45 -j KUBE-POD-FW-TA7INHQAUZIEA624
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-TA7INHQAUZIEA624" -s 172.16.0.45 -j KUBE-POD-FW-TA7INHQAUZIEA624
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-TA7INHQAUZIEA624" -s 172.16.0.45 -j KUBE-POD-FW-TA7INHQAUZIEA624
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-TA7INHQAUZIEA624" -s 172.16.0.45 -j KUBE-POD-FW-TA7INHQAUZIEA624
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-TA7INHQAUZIEA624 -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-TA7INHQAUZIEA624 -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-TA7INHQAUZIEA624 -j MARK --set-mark 0/0x10000
Jun  8 05:09:29 truenas env[20630]: -A KUBE-POD-FW-TA7INHQAUZIEA624 -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 05:09:29 truenas env[20630]: COMMIT
Jun  8 05:10:06 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 05:10:06 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 05:10:06 truenas systemd[1]: Finished system activity accounting tool.
Jun  8 05:14:29 truenas env[20630]: E0608 05:14:29.728276   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 05:14:29 truenas env[20630]: Error occurred at line: 103
Jun  8 05:14:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 05:14:29 truenas env[20630]: )
Jun  8 05:14:29 truenas env[20630]: *filter
Jun  8 05:14:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 05:14:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 05:14:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 05:14:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 05:14:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 05:14:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 05:14:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 05:14:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 05:14:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 05:14:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 05:14:29 truenas env[20630]: :KUBE-POD-FW-6OZBA4PPEUOGJH6J - [0:0]
Jun  8 05:14:29 truenas env[20630]: :KUBE-POD-FW-QNLLJKAAM7RXZJ7Z - [0:0]
Jun  8 05:14:29 truenas env[20630]: :KUBE-POD-FW-M27JX356DVHVHQ3P - [0:0]
Jun  8 05:14:29 truenas env[20630]: :KUBE-POD-FW-QEFX6SUSYMPVKWUS - [0:0]
Jun  8 05:14:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 05:14:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 05:14:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 05:14:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 05:14:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 05:14:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 05:14:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 05:14:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 05:14:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 05:14:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-6OZBA4PPEUOGJH6J 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-6OZBA4PPEUOGJH6J 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-6OZBA4PPEUOGJH6J 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-6OZBA4PPEUOGJH6J 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-6OZBA4PPEUOGJH6J 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6OZBA4PPEUOGJH6J" -d 172.16.0.42 -j KUBE-POD-FW-6OZBA4PPEUOGJH6J
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6OZBA4PPEUOGJH6J" -d 172.16.0.42 -j KUBE-POD-FW-6OZBA4PPEUOGJH6J
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6OZBA4PPEUOGJH6J" -d 172.16.0.42 -j KUBE-POD-FW-6OZBA4PPEUOGJH6J
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6OZBA4PPEUOGJH6J" -s 172.16.0.42 -j KUBE-POD-FW-6OZBA4PPEUOGJH6J
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6OZBA4PPEUOGJH6J" -s 172.16.0.42 -j KUBE-POD-FW-6OZBA4PPEUOGJH6J
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6OZBA4PPEUOGJH6J" -s 172.16.0.42 -j KUBE-POD-FW-6OZBA4PPEUOGJH6J
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-6OZBA4PPEUOGJH6J" -s 172.16.0.42 -j KUBE-POD-FW-6OZBA4PPEUOGJH6J
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-6OZBA4PPEUOGJH6J -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-6OZBA4PPEUOGJH6J -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-6OZBA4PPEUOGJH6J -j MARK --set-mark 0/0x10000
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-6OZBA4PPEUOGJH6J -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-QNLLJKAAM7RXZJ7Z 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-QNLLJKAAM7RXZJ7Z 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-QNLLJKAAM7RXZJ7Z 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-QNLLJKAAM7RXZJ7Z 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-QNLLJKAAM7RXZJ7Z 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QNLLJKAAM7RXZJ7Z" -d 172.16.0.45 -j KUBE-POD-FW-QNLLJKAAM7RXZJ7Z
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QNLLJKAAM7RXZJ7Z" -d 172.16.0.45 -j KUBE-POD-FW-QNLLJKAAM7RXZJ7Z
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QNLLJKAAM7RXZJ7Z" -d 172.16.0.45 -j KUBE-POD-FW-QNLLJKAAM7RXZJ7Z
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QNLLJKAAM7RXZJ7Z" -s 172.16.0.45 -j KUBE-POD-FW-QNLLJKAAM7RXZJ7Z
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QNLLJKAAM7RXZJ7Z" -s 172.16.0.45 -j KUBE-POD-FW-QNLLJKAAM7RXZJ7Z
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QNLLJKAAM7RXZJ7Z" -s 172.16.0.45 -j KUBE-POD-FW-QNLLJKAAM7RXZJ7Z
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QNLLJKAAM7RXZJ7Z" -s 172.16.0.45 -j KUBE-POD-FW-QNLLJKAAM7RXZJ7Z
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-QNLLJKAAM7RXZJ7Z -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-QNLLJKAAM7RXZJ7Z -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-QNLLJKAAM7RXZJ7Z -j MARK --set-mark 0/0x10000
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-QNLLJKAAM7RXZJ7Z -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-M27JX356DVHVHQ3P 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-M27JX356DVHVHQ3P 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-M27JX356DVHVHQ3P 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-M27JX356DVHVHQ3P 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-M27JX356DVHVHQ3P 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M27JX356DVHVHQ3P" -d 172.16.0.43 -j KUBE-POD-FW-M27JX356DVHVHQ3P
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M27JX356DVHVHQ3P" -d 172.16.0.43 -j KUBE-POD-FW-M27JX356DVHVHQ3P
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M27JX356DVHVHQ3P" -d 172.16.0.43 -j KUBE-POD-FW-M27JX356DVHVHQ3P
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M27JX356DVHVHQ3P" -s 172.16.0.43 -j KUBE-POD-FW-M27JX356DVHVHQ3P
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M27JX356DVHVHQ3P" -s 172.16.0.43 -j KUBE-POD-FW-M27JX356DVHVHQ3P
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M27JX356DVHVHQ3P" -s 172.16.0.43 -j KUBE-POD-FW-M27JX356DVHVHQ3P
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-M27JX356DVHVHQ3P" -s 172.16.0.43 -j KUBE-POD-FW-M27JX356DVHVHQ3P
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-M27JX356DVHVHQ3P -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-M27JX356DVHVHQ3P -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-M27JX356DVHVHQ3P -j MARK --set-mark 0/0x10000
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-M27JX356DVHVHQ3P -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-QEFX6SUSYMPVKWUS 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-QEFX6SUSYMPVKWUS 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-QEFX6SUSYMPVKWUS 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-QEFX6SUSYMPVKWUS 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:14:29 truenas env[20630]: -I KUBE-POD-FW-QEFX6SUSYMPVKWUS 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QEFX6SUSYMPVKWUS" -d 172.16.0.46 -j KUBE-POD-FW-QEFX6SUSYMPVKWUS
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QEFX6SUSYMPVKWUS" -d 172.16.0.46 -j KUBE-POD-FW-QEFX6SUSYMPVKWUS
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QEFX6SUSYMPVKWUS" -d 172.16.0.46 -j KUBE-POD-FW-QEFX6SUSYMPVKWUS
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QEFX6SUSYMPVKWUS" -s 172.16.0.46 -j KUBE-POD-FW-QEFX6SUSYMPVKWUS
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QEFX6SUSYMPVKWUS" -s 172.16.0.46 -j KUBE-POD-FW-QEFX6SUSYMPVKWUS
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QEFX6SUSYMPVKWUS" -s 172.16.0.46 -j KUBE-POD-FW-QEFX6SUSYMPVKWUS
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-QEFX6SUSYMPVKWUS" -s 172.16.0.46 -j KUBE-POD-FW-QEFX6SUSYMPVKWUS
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-QEFX6SUSYMPVKWUS -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-QEFX6SUSYMPVKWUS -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-QEFX6SUSYMPVKWUS -j MARK --set-mark 0/0x10000
Jun  8 05:14:29 truenas env[20630]: -A KUBE-POD-FW-QEFX6SUSYMPVKWUS -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 05:14:29 truenas env[20630]: COMMIT
Jun  8 05:17:01 truenas CRON[801084]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jun  8 05:19:11 truenas systemd[1]: session-267.scope: Succeeded.
Jun  8 05:19:21 truenas systemd[1]: Stopping User Manager for UID 0...
Jun  8 05:19:21 truenas systemd[768731]: Stopped target Main User Target.
Jun  8 05:19:21 truenas systemd[768731]: Stopped target Basic System.
Jun  8 05:19:21 truenas systemd[768731]: Stopped target Paths.
Jun  8 05:19:21 truenas systemd[768731]: Stopped target Sockets.
Jun  8 05:19:21 truenas systemd[768731]: Stopped target Timers.
Jun  8 05:19:21 truenas systemd[768731]: dbus.socket: Succeeded.
Jun  8 05:19:21 truenas systemd[768731]: Closed D-Bus User Message Bus Socket.
Jun  8 05:19:21 truenas systemd[768731]: dirmngr.socket: Succeeded.
Jun  8 05:19:21 truenas systemd[768731]: Closed GnuPG network certificate management daemon.
Jun  8 05:19:21 truenas systemd[768731]: gpg-agent-browser.socket: Succeeded.
Jun  8 05:19:21 truenas systemd[768731]: Closed GnuPG cryptographic agent and passphrase cache (access for web browsers).
Jun  8 05:19:21 truenas systemd[768731]: gpg-agent-extra.socket: Succeeded.
Jun  8 05:19:21 truenas systemd[768731]: Closed GnuPG cryptographic agent and passphrase cache (restricted).
Jun  8 05:19:21 truenas systemd[768731]: gpg-agent-ssh.socket: Succeeded.
Jun  8 05:19:21 truenas systemd[768731]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Jun  8 05:19:21 truenas systemd[768731]: gpg-agent.socket: Succeeded.
Jun  8 05:19:21 truenas systemd[768731]: Closed GnuPG cryptographic agent and passphrase cache.
Jun  8 05:19:21 truenas systemd[768731]: Removed slice User Application Slice.
Jun  8 05:19:21 truenas systemd[768731]: Reached target Shutdown.
Jun  8 05:19:21 truenas systemd[768731]: systemd-exit.service: Succeeded.
Jun  8 05:19:21 truenas systemd[768731]: Finished Exit the Session.
Jun  8 05:19:21 truenas systemd[768731]: Reached target Exit the Session.
Jun  8 05:19:21 truenas systemd[1]: user@0.service: Succeeded.
Jun  8 05:19:21 truenas systemd[1]: Stopped User Manager for UID 0.
Jun  8 05:19:21 truenas systemd[1]: Stopping User Runtime Directory /run/user/0...
Jun  8 05:19:21 truenas systemd[1]: run-user-0.mount: Succeeded.
Jun  8 05:19:21 truenas systemd[1]: user-runtime-dir@0.service: Succeeded.
Jun  8 05:19:21 truenas systemd[1]: Stopped User Runtime Directory /run/user/0.
Jun  8 05:19:21 truenas systemd[1]: Removed slice User Slice of UID 0.
Jun  8 05:19:29 truenas env[20630]: E0608 05:19:29.752785   20630 network_policy_controller.go:276] Aborting sync. Failed to run iptables-restore: exit status 2 (Bad argument `to'
Jun  8 05:19:29 truenas env[20630]: Error occurred at line: 103
Jun  8 05:19:29 truenas env[20630]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jun  8 05:19:29 truenas env[20630]: )
Jun  8 05:19:29 truenas env[20630]: *filter
Jun  8 05:19:29 truenas env[20630]: :INPUT ACCEPT [0:0] - [0:0]
Jun  8 05:19:29 truenas env[20630]: :FORWARD ACCEPT [0:0] - [0:0]
Jun  8 05:19:29 truenas env[20630]: :OUTPUT ACCEPT [0:0] - [0:0]
Jun  8 05:19:29 truenas env[20630]: :KUBE-FIREWALL - [0:0] - [0:0]
Jun  8 05:19:29 truenas env[20630]: :KUBE-KUBELET-CANARY - [0:0] - [0:0]
Jun  8 05:19:29 truenas env[20630]: :KUBE-NWPLCY-DEFAULT - [0:0] - [0:0]
Jun  8 05:19:29 truenas env[20630]: :KUBE-ROUTER-FORWARD - [0:0] - [0:0]
Jun  8 05:19:29 truenas env[20630]: :KUBE-ROUTER-INPUT - [0:0] - [0:0]
Jun  8 05:19:29 truenas env[20630]: :KUBE-ROUTER-OUTPUT - [0:0] - [0:0]
Jun  8 05:19:29 truenas env[20630]: :KUBE-ROUTER-SERVICES - [0:0] - [0:0]
Jun  8 05:19:29 truenas env[20630]: :KUBE-POD-FW-QQE25OPN2HH3ZUDL - [0:0]
Jun  8 05:19:29 truenas env[20630]: :KUBE-POD-FW-PFZXSEYNOZC35MBC - [0:0]
Jun  8 05:19:29 truenas env[20630]: :KUBE-POD-FW-5GCWHBCGP7SDUQBO - [0:0]
Jun  8 05:19:29 truenas env[20630]: :KUBE-POD-FW-V66UEHHSBRXKBQMY - [0:0]
Jun  8 05:19:29 truenas env[20630]: -A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
Jun  8 05:19:29 truenas env[20630]: -A INPUT -m comment --comment "handle traffic to IPVS service IPs in custom chain" -m set --match-set kube-router-service-ips dst -j KUBE-ROUTER-SERVICES
Jun  8 05:19:29 truenas env[20630]: -A INPUT -j KUBE-FIREWALL
Jun  8 05:19:29 truenas env[20630]: -A INPUT -s 10.12.1.5/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections" -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A INPUT -p tcp -m tcp --dport 6443 -m comment --comment "iX Custom Rule to drop connection requests to k8s cluster from external sources" -j DROP
Jun  8 05:19:29 truenas env[20630]: -A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
Jun  8 05:19:29 truenas env[20630]: -A FORWARD -o enp0s31f6 -m comment --comment "allow outbound node port traffic on node interface with which node ip is associated" -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A FORWARD -o kube-bridge -m comment --comment "allow inbound traffic to pods" -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A FORWARD -i kube-bridge -m comment --comment "allow outbound traffic from pods" -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
Jun  8 05:19:29 truenas env[20630]: -A OUTPUT -j KUBE-FIREWALL
Jun  8 05:19:29 truenas env[20630]: -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
Jun  8 05:19:29 truenas env[20630]: -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
Jun  8 05:19:29 truenas env[20630]: -A KUBE-NWPLCY-DEFAULT -m comment --comment "rule to mark traffic matching a network policy" -j MARK --set-xmark 0x10000/0x10000
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -d 10.96.0.0/12 -m comment --comment "allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ" -j RETURN
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "allow input traffic to ipvs services" -m set --match-set kube-router-ipvs-services dst,dst -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp echo requests to service IPs" -m icmp --icmp-type 8 -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp destination unreachable messages to service IPs" -m icmp --icmp-type 3 -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -p icmp -m comment --comment "allow icmp ttl exceeded messages to service IPs" -m icmp --icmp-type 11 -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-SERVICES -m comment --comment "reject all unexpected traffic to service IPs" -m set ! --match-set kube-router-local-ips dst -j REJECT --reject-with icmp-port-unreachable
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-QQE25OPN2HH3ZUDL 1 -d 172.16.0.45 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-QQE25OPN2HH3ZUDL 1 -s 172.16.0.45 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-QQE25OPN2HH3ZUDL 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.45 -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-QQE25OPN2HH3ZUDL 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-QQE25OPN2HH3ZUDL 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QQE25OPN2HH3ZUDL" -d 172.16.0.45 -j KUBE-POD-FW-QQE25OPN2HH3ZUDL
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QQE25OPN2HH3ZUDL" -d 172.16.0.45 -j KUBE-POD-FW-QQE25OPN2HH3ZUDL
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QQE25OPN2HH3ZUDL" -d 172.16.0.45 -j KUBE-POD-FW-QQE25OPN2HH3ZUDL
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QQE25OPN2HH3ZUDL" -s 172.16.0.45 -j KUBE-POD-FW-QQE25OPN2HH3ZUDL
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QQE25OPN2HH3ZUDL" -s 172.16.0.45 -j KUBE-POD-FW-QQE25OPN2HH3ZUDL
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QQE25OPN2HH3ZUDL" -s 172.16.0.45 -j KUBE-POD-FW-QQE25OPN2HH3ZUDL
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:openebs-zfs-controller-0 namespace: kube-system to chain KUBE-POD-FW-QQE25OPN2HH3ZUDL" -s 172.16.0.45 -j KUBE-POD-FW-QQE25OPN2HH3ZUDL
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-QQE25OPN2HH3ZUDL -m comment --comment "rule to log dropped traffic POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-QQE25OPN2HH3ZUDL -m comment --comment "rule to REJECT traffic destined for POD name:openebs-zfs-controller-0 namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-QQE25OPN2HH3ZUDL -j MARK --set-mark 0/0x10000
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-QQE25OPN2HH3ZUDL -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-PFZXSEYNOZC35MBC 1 -d 172.16.0.43 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-PFZXSEYNOZC35MBC 1 -s 172.16.0.43 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-PFZXSEYNOZC35MBC 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.43 -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-PFZXSEYNOZC35MBC 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-PFZXSEYNOZC35MBC 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PFZXSEYNOZC35MBC" -d 172.16.0.43 -j KUBE-POD-FW-PFZXSEYNOZC35MBC
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PFZXSEYNOZC35MBC" -d 172.16.0.43 -j KUBE-POD-FW-PFZXSEYNOZC35MBC
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PFZXSEYNOZC35MBC" -d 172.16.0.43 -j KUBE-POD-FW-PFZXSEYNOZC35MBC
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PFZXSEYNOZC35MBC" -s 172.16.0.43 -j KUBE-POD-FW-PFZXSEYNOZC35MBC
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PFZXSEYNOZC35MBC" -s 172.16.0.43 -j KUBE-POD-FW-PFZXSEYNOZC35MBC
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PFZXSEYNOZC35MBC" -s 172.16.0.43 -j KUBE-POD-FW-PFZXSEYNOZC35MBC
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:coredns-d76bd69b-zh8xt namespace: kube-system to chain KUBE-POD-FW-PFZXSEYNOZC35MBC" -s 172.16.0.43 -j KUBE-POD-FW-PFZXSEYNOZC35MBC
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-PFZXSEYNOZC35MBC -m comment --comment "rule to log dropped traffic POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-PFZXSEYNOZC35MBC -m comment --comment "rule to REJECT traffic destined for POD name:coredns-d76bd69b-zh8xt namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-PFZXSEYNOZC35MBC -j MARK --set-mark 0/0x10000
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-PFZXSEYNOZC35MBC -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-5GCWHBCGP7SDUQBO 1 -d 172.16.0.46 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-5GCWHBCGP7SDUQBO 1 -s 172.16.0.46 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-5GCWHBCGP7SDUQBO 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.46 -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-5GCWHBCGP7SDUQBO 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-5GCWHBCGP7SDUQBO 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5GCWHBCGP7SDUQBO" -d 172.16.0.46 -j KUBE-POD-FW-5GCWHBCGP7SDUQBO
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5GCWHBCGP7SDUQBO" -d 172.16.0.46 -j KUBE-POD-FW-5GCWHBCGP7SDUQBO
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5GCWHBCGP7SDUQBO" -d 172.16.0.46 -j KUBE-POD-FW-5GCWHBCGP7SDUQBO
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5GCWHBCGP7SDUQBO" -s 172.16.0.46 -j KUBE-POD-FW-5GCWHBCGP7SDUQBO
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5GCWHBCGP7SDUQBO" -s 172.16.0.46 -j KUBE-POD-FW-5GCWHBCGP7SDUQBO
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5GCWHBCGP7SDUQBO" -s 172.16.0.46 -j KUBE-POD-FW-5GCWHBCGP7SDUQBO
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server to chain KUBE-POD-FW-5GCWHBCGP7SDUQBO" -s 172.16.0.46 -j KUBE-POD-FW-5GCWHBCGP7SDUQBO
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-5GCWHBCGP7SDUQBO -m comment --comment "rule to log dropped traffic POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-5GCWHBCGP7SDUQBO -m comment --comment "rule to REJECT traffic destined for POD name:media-server-emby-74d544f4c-dmp2j namespace: ix-media-server" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-5GCWHBCGP7SDUQBO -j MARK --set-mark 0/0x10000
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-5GCWHBCGP7SDUQBO -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-V66UEHHSBRXKBQMY 1 -d 172.16.0.42 -m comment --comment "run through default ingress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-V66UEHHSBRXKBQMY 1 -s 172.16.0.42 -m comment --comment "run through default egress network policy  chain" -j KUBE-NWPLCY-DEFAULT
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-V66UEHHSBRXKBQMY 1 -m comment --comment "rule to permit the traffic to pods when source is the pod's local node" -m addrtype --src-type LOCAL -d 172.16.0.42 -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-V66UEHHSBRXKBQMY 1 -m comment --comment "rule to drop invalid state for pod" -m conntrack --ctstate INVALID -j DROP
Jun  8 05:19:29 truenas env[20630]: -I KUBE-POD-FW-V66UEHHSBRXKBQMY 1 -m comment --comment "rule for stateful firewall for pod" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-V66UEHHSBRXKBQMY" -d 172.16.0.42 -j KUBE-POD-FW-V66UEHHSBRXKBQMY
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-V66UEHHSBRXKBQMY" -d 172.16.0.42 -j KUBE-POD-FW-V66UEHHSBRXKBQMY
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic destined to POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-V66UEHHSBRXKBQMY" -d 172.16.0.42 -j KUBE-POD-FW-V66UEHHSBRXKBQMY
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-V66UEHHSBRXKBQMY" -s 172.16.0.42 -j KUBE-POD-FW-V66UEHHSBRXKBQMY
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-V66UEHHSBRXKBQMY" -s 172.16.0.42 -j KUBE-POD-FW-V66UEHHSBRXKBQMY
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-V66UEHHSBRXKBQMY" -s 172.16.0.42 -j KUBE-POD-FW-V66UEHHSBRXKBQMY
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m physdev --physdev-is-bridged -m comment --comment "rule to jump traffic from POD name:intel-gpu-plugin-mksln namespace: kube-system to chain KUBE-POD-FW-V66UEHHSBRXKBQMY" -s 172.16.0.42 -j KUBE-POD-FW-V66UEHHSBRXKBQMY
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-V66UEHHSBRXKBQMY -m comment --comment "rule to log dropped traffic POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j NFLOG --nflog-group 100 -m limit --limit 10/minute --limit-burst 10
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-V66UEHHSBRXKBQMY -m comment --comment "rule to REJECT traffic destined for POD name:intel-gpu-plugin-mksln namespace: kube-system" -m mark ! --mark 0x10000/0x10000 -j REJECT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-V66UEHHSBRXKBQMY -j MARK --set-mark 0/0x10000
Jun  8 05:19:29 truenas env[20630]: -A KUBE-POD-FW-V66UEHHSBRXKBQMY -m comment --comment "set mark to ACCEPT traffic that comply to network policies" -j MARK --set-mark 0x20000/0x20000
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-INPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-FORWARD -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: -A KUBE-ROUTER-OUTPUT -m comment --comment rule to explicitly ACCEPT traffic that comply to network policies -m mark --mark 0x20000/0x20000 -j ACCEPT
Jun  8 05:19:29 truenas env[20630]: COMMIT
Jun  8 05:20:06 truenas systemd[1]: Starting system activity accounting tool...
Jun  8 05:20:06 truenas systemd[1]: sysstat-collect.service: Succeeded.
Jun  8 05:20:06 truenas systemd[1]: Finished system activity accounting tool.
