
----------------------
1) NFTables rulesets
----------------------

# IPv4 mangle table. Both chains are empty and neither declares a hook, so
# nothing in this table acts on packets.
# NOTE(review): presumably kubelet-managed placeholder chains — confirm.
table ip mangle { # handle 1
	chain KUBE-IPTABLES-HINT { # handle 1
	}

	chain KUBE-KUBELET-CANARY { # handle 2
	}
}
# IPv4 NAT table. POSTROUTING is the only base chain (hook postrouting,
# priority srcnat); the other chains run only when jumped to.
# Rules printed as `xt match set` / `xt match ipvs` are iptables-compat matches
# whose arguments (e.g. the ipset name) are not shown here. Audit them with
# `iptables-save -t nat` and `ipset list`, not from this listing alone.
table ip nat { # handle 3
	# Sets mark bit 0x8000. KUBE-FIREWALL in the filter tables drops packets
	# that carry this bit. Zero hits, and no jump to this chain is visible.
	chain KUBE-MARK-DROP { # handle 1
		counter packets 0 bytes 0 meta mark set mark or 0x8000 # handle 2
	}

	# Sets mark bit 0x4000, the "masquerade me" flag tested in KUBE-POSTROUTING.
	chain KUBE-MARK-MASQ { # handle 3
		counter packets 0 bytes 0 meta mark set mark or 0x4000 # handle 5
	}

	# Returns immediately unless bit 0x4000 is set; otherwise clears the bit
	# (xor) and masquerades. Every packet so far took the return (handle 8).
	chain KUBE-POSTROUTING { # handle 4
		meta mark & 0x00004000 != 0x00004000 counter packets 818757 bytes 54138681 return # handle 8
		counter packets 0 bytes 0 meta mark set mark xor 0x4000 # handle 9
		 counter packets 0 bytes 0 masquerade fully-random # handle 10
	}

	chain POSTROUTING { # handle 6
		type nat hook postrouting priority srcnat; policy accept;
		 counter packets 818757 bytes 54138681 jump KUBE-POSTROUTING # handle 7
		# Handle 12 carries most of the masquerade traffic (600844 packets), but
		# its three `xt match set` conditions are opaque here: which sources and
		# destinations get masqueraded cannot be determined from this listing.
		xt match set xt match set xt match set counter packets 600844 bytes 39395822 masquerade fully-random # handle 12
		# SNAT to 192.168.2.161 when neither source nor destination is inside
		# 172.16.0.0/16 and the opaque `xt match ipvs` condition holds.
		ip saddr != 172.16.0.0/16 ip daddr != 172.16.0.0/16 xt match ipvs  counter packets 7 bytes 420 snat to 192.168.2.161 fully-random # handle 13
	}

	chain KUBE-KUBELET-CANARY { # handle 11
	}
}
# IPv6 mangle table. Both chains are empty and neither declares a hook, so
# nothing in this table acts on packets.
# NOTE(review): presumably kubelet-managed placeholder chains — confirm.
table ip6 mangle { # handle 4
	chain KUBE-IPTABLES-HINT { # handle 1
	}

	chain KUBE-KUBELET-CANARY { # handle 2
	}
}
# IPv6 NAT table. POSTROUTING is the only base chain; it only jumps to
# KUBE-POSTROUTING. Unlike `table ip nat`, there are no extra masquerade/snat
# rules in POSTROUTING.
table ip6 nat { # handle 5
	# Sets mark bit 0x8000, the bit tested by KUBE-FIREWALL in `table ip6 filter`.
	chain KUBE-MARK-DROP { # handle 1
		counter packets 0 bytes 0 meta mark set mark or 0x8000 # handle 2
	}

	# Sets mark bit 0x4000, the flag tested in KUBE-POSTROUTING.
	chain KUBE-MARK-MASQ { # handle 3
		counter packets 0 bytes 0 meta mark set mark or 0x4000 # handle 5
	}

	chain KUBE-POSTROUTING { # handle 4
		meta mark & 0x00004000 != 0x00004000 counter packets 5180 bytes 1401327 return # handle 8
		counter packets 0 bytes 0 meta mark set mark xor 0x4000 # handle 9
		# NOTE(review): handle 10 prints a counter but no statement. The IPv4
		# counterpart at this position is `masquerade fully-random`; presumably
		# the statement was not rendered. Confirm with `ip6tables-save -t nat`.
		 counter packets 0 bytes 0  # handle 10
	}

	chain POSTROUTING { # handle 6
		type nat hook postrouting priority srcnat; policy accept;
		 counter packets 5180 bytes 1401327 jump KUBE-POSTROUTING # handle 7
	}

	chain KUBE-KUBELET-CANARY { # handle 11
	}
}
# IPv6 filter table. No chain here declares a hook, so nothing in this table
# is reached by traffic: KUBE-FIREWALL is defined but never jumped to from a
# base chain in this listing.
# NOTE(review): the tcp/6443 allow-list and the per-pod chains in
# `table ip filter` have no IPv6 counterpart here. If the node has routable
# IPv6 addresses, verify that IPv6 is filtered elsewhere or add matching rules.
table ip6 filter { # handle 6
	# Drops packets carrying mark bit 0x8000 (set by KUBE-MARK-DROP).
	chain KUBE-FIREWALL { # handle 1
		 meta mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 drop # handle 2
	}

	chain KUBE-KUBELET-CANARY { # handle 3
	}
}
# IPv4 filter table. All three base chains (INPUT, FORWARD, OUTPUT) use
# `policy accept`, so anything not explicitly dropped or rejected is allowed.
# Rules printed as `xt match set` / `xt match physdev` are iptables-compat
# matches whose arguments (ipset name, physdev options) are not shown here.
# Audit them with `iptables-save` and `ipset list`, not from this listing alone.
#
# Packet-mark bits used in this table, as visible in the rules:
#   0x8000  - drop request, dropped in KUBE-FIREWALL
#   0x10000 - set by KUBE-NWPLCY-DEFAULT, tested then cleared in KUBE-POD-FW-*
#   0x20000 - set at the end of KUBE-POD-FW-*, accepted in KUBE-ROUTER-*
table ip filter { # handle 496
	# Rule order matters: KUBE-ROUTER-INPUT and KUBE-ROUTER-SERVICES run first,
	# and an `accept` issued inside them ends evaluation of this chain. The
	# tcp/6443 allow-list (handles 22-24) therefore only sees packets that were
	# not already accepted. Traced against the chains below, a new connection
	# from a listed pod IP is marked 0x20000 in its KUBE-POD-FW-* chain and
	# accepted at handle 170, before it can reach the drop at handle 24.
	# NOTE(review): confirm that pod-sourced traffic to tcp/6443 on the node is
	# meant to bypass the allow-list. The drop counter is 0, so this listing
	# gives no evidence that the rule has ever fired.
	chain INPUT { # handle 1
		type filter hook input priority filter; policy accept;
		 counter packets 1896 bytes 1580455 jump KUBE-ROUTER-INPUT # handle 19
		 xt match set counter packets 141 bytes 25038 jump KUBE-ROUTER-SERVICES # handle 20
		counter packets 1784 bytes 1559702 jump KUBE-FIREWALL # handle 21
		# tcp/6443 is allowed only from 192.168.2.161 and 127.0.0.1; all other
		# sources that get this far are dropped.
		ip saddr 192.168.2.161 tcp dport 6443  counter packets 35 bytes 6138 accept # handle 22
		ip saddr 127.0.0.1 tcp dport 6443  counter packets 733 bytes 103923 accept # handle 23
		tcp dport 6443  counter packets 0 bytes 0 drop # handle 24
	}

	# Under `policy accept` the three interface accepts (handles 26-28) do not
	# change the outcome for packets that return from KUBE-ROUTER-FORWARD; all
	# have zero hits. They would only matter if the policy were changed to drop.
	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy accept;
		 counter packets 6007 bytes 15376591 jump KUBE-ROUTER-FORWARD # handle 25
		oifname "enp5s0"  counter packets 0 bytes 0 accept # handle 26
		oifname "kube-bridge"  counter packets 0 bytes 0 accept # handle 27
		iifname "kube-bridge"  counter packets 0 bytes 0 accept # handle 28
	}

	chain OUTPUT { # handle 3
		type filter hook output priority filter; policy accept;
		 counter packets 1880 bytes 1544353 jump KUBE-ROUTER-OUTPUT # handle 29
		counter packets 1769 bytes 1523058 jump KUBE-FIREWALL # handle 30
	}

	# Handle 31 targets packets addressed to 127.0.0.0/8 from a source outside
	# 127.0.0.0/8. NOTE(review): the printed conntrack condition may be an
	# incomplete rendering — verify the exact match with `iptables-save`.
	# Handle 32 drops anything carrying mark bit 0x8000.
	chain KUBE-FIREWALL { # handle 4
		ip saddr != 127.0.0.0/8 ip daddr 127.0.0.0/8  ct status dnat counter packets 0 bytes 0 drop # handle 31
		 meta mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 drop # handle 32
	}

	chain KUBE-KUBELET-CANARY { # handle 5
	}

	# Sets mark bit 0x10000 unconditionally. The KUBE-POD-FW-* chains reject
	# packets that lack this bit, so reaching this chain means "allowed".
	# It is the only policy chain referenced in this table: every listed pod is
	# effectively default-allow for ingress and egress in this listing.
	chain KUBE-NWPLCY-DEFAULT { # handle 6
		 counter packets 52 bytes 4437 meta mark set mark or 0x10000 # handle 33
	}

	# Forwarded traffic. For each pod IP there are four jumps into that pod's
	# firewall chain: destination, destination + physdev, source, and
	# source + physdev. The last rule accepts packets marked 0x20000.
	chain KUBE-ROUTER-FORWARD { # handle 7
		ip daddr 172.16.0.243  counter packets 0 bytes 0 jump KUBE-POD-FW-R5OTVCDWFUUS7X7D # handle 47
		ip daddr 172.16.0.243 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-R5OTVCDWFUUS7X7D # handle 49
		ip saddr 172.16.0.243  counter packets 0 bytes 0 jump KUBE-POD-FW-R5OTVCDWFUUS7X7D # handle 52
		ip saddr 172.16.0.243 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-R5OTVCDWFUUS7X7D # handle 53
		ip daddr 172.16.0.244  counter packets 431 bytes 43141 jump KUBE-POD-FW-DKNGSBNDJLFRRWGD # handle 63
		ip daddr 172.16.0.244 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-DKNGSBNDJLFRRWGD # handle 65
		ip saddr 172.16.0.244  counter packets 5546 bytes 15331680 jump KUBE-POD-FW-DKNGSBNDJLFRRWGD # handle 67
		ip saddr 172.16.0.244 xt match physdev  counter packets 7 bytes 1155 jump KUBE-POD-FW-DKNGSBNDJLFRRWGD # handle 69
		ip daddr 172.16.0.247  counter packets 0 bytes 0 jump KUBE-POD-FW-L6BETOJTOKUMUIRE # handle 79
		ip daddr 172.16.0.247 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-L6BETOJTOKUMUIRE # handle 81
		ip saddr 172.16.0.247  counter packets 0 bytes 0 jump KUBE-POD-FW-L6BETOJTOKUMUIRE # handle 83
		ip saddr 172.16.0.247 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-L6BETOJTOKUMUIRE # handle 85
		ip daddr 172.16.0.248  counter packets 0 bytes 0 jump KUBE-POD-FW-CSU7CZ7QCM77KF3O # handle 95
		ip daddr 172.16.0.248 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-CSU7CZ7QCM77KF3O # handle 97
		ip saddr 172.16.0.248  counter packets 0 bytes 0 jump KUBE-POD-FW-CSU7CZ7QCM77KF3O # handle 99
		ip saddr 172.16.0.248 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-CSU7CZ7QCM77KF3O # handle 101
		ip daddr 172.16.0.249  counter packets 0 bytes 0 jump KUBE-POD-FW-SXMQSPKBKACYM4W6 # handle 111
		ip daddr 172.16.0.249 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-SXMQSPKBKACYM4W6 # handle 113
		ip saddr 172.16.0.249  counter packets 0 bytes 0 jump KUBE-POD-FW-SXMQSPKBKACYM4W6 # handle 115
		ip saddr 172.16.0.249 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-SXMQSPKBKACYM4W6 # handle 117
		ip daddr 172.16.0.250  counter packets 0 bytes 0 jump KUBE-POD-FW-JZ3IWCEO54I3X4FP # handle 127
		ip daddr 172.16.0.250 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-JZ3IWCEO54I3X4FP # handle 129
		ip saddr 172.16.0.250  counter packets 0 bytes 0 jump KUBE-POD-FW-JZ3IWCEO54I3X4FP # handle 132
		ip saddr 172.16.0.250 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-JZ3IWCEO54I3X4FP # handle 133
		ip daddr 172.16.0.246  counter packets 0 bytes 0 jump KUBE-POD-FW-3TGQAMQFWREC2XKZ # handle 143
		ip daddr 172.16.0.246 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-3TGQAMQFWREC2XKZ # handle 145
		ip saddr 172.16.0.246  counter packets 0 bytes 0 jump KUBE-POD-FW-3TGQAMQFWREC2XKZ # handle 147
		ip saddr 172.16.0.246 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-3TGQAMQFWREC2XKZ # handle 149
		ip daddr 172.16.0.245  counter packets 15 bytes 1095 jump KUBE-POD-FW-BANIJMZVL3PGSPBU # handle 159
		ip daddr 172.16.0.245 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-BANIJMZVL3PGSPBU # handle 161
		ip saddr 172.16.0.245  counter packets 15 bytes 675 jump KUBE-POD-FW-BANIJMZVL3PGSPBU # handle 163
		ip saddr 172.16.0.245 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-BANIJMZVL3PGSPBU # handle 165
		 meta mark & 0x00020000 == 0x00020000 counter packets 45 bytes 3282 accept # handle 171
	}

	# Traffic addressed to the node. The first three rules `return` to INPUT
	# early for 10.96.0.0/12 and for locally addressed TCP/UDP ports 30000-32767,
	# skipping the per-pod chains. Pod-sourced packets are then sent through
	# their KUBE-POD-FW-* chain. The final rule accepts packets marked 0x20000;
	# that accept ends INPUT evaluation, so later INPUT rules are not consulted.
	chain KUBE-ROUTER-INPUT { # handle 8
		ip daddr 10.96.0.0/12  counter packets 0 bytes 0 return # handle 34
		meta l4proto tcp  fib daddr type local tcp dport 30000-32767 counter packets 14 bytes 4407 return # handle 35
		meta l4proto udp  fib daddr type local udp dport 30000-32767 counter packets 0 bytes 0 return # handle 36
		ip saddr 172.16.0.243  counter packets 5 bytes 492 jump KUBE-POD-FW-R5OTVCDWFUUS7X7D # handle 51
		ip saddr 172.16.0.244  counter packets 8 bytes 4764 jump KUBE-POD-FW-DKNGSBNDJLFRRWGD # handle 66
		ip saddr 172.16.0.247  counter packets 10 bytes 1482 jump KUBE-POD-FW-L6BETOJTOKUMUIRE # handle 82
		ip saddr 172.16.0.248  counter packets 30 bytes 5027 jump KUBE-POD-FW-CSU7CZ7QCM77KF3O # handle 98
		ip saddr 172.16.0.249  counter packets 0 bytes 0 jump KUBE-POD-FW-SXMQSPKBKACYM4W6 # handle 114
		ip saddr 172.16.0.250  counter packets 0 bytes 0 jump KUBE-POD-FW-JZ3IWCEO54I3X4FP # handle 131
		ip saddr 172.16.0.246  counter packets 7 bytes 1255 jump KUBE-POD-FW-3TGQAMQFWREC2XKZ # handle 146
		ip saddr 172.16.0.245  counter packets 25 bytes 2064 jump KUBE-POD-FW-BANIJMZVL3PGSPBU # handle 162
		 meta mark & 0x00020000 == 0x00020000 counter packets 0 bytes 0 accept # handle 170
	}

	# Traffic originated by the node. Each pod IP is matched as destination and
	# as source and sent to that pod's firewall chain. The final rule accepts
	# packets marked 0x20000.
	chain KUBE-ROUTER-OUTPUT { # handle 9
		ip daddr 172.16.0.243  counter packets 5 bytes 379 jump KUBE-POD-FW-R5OTVCDWFUUS7X7D # handle 48
		ip saddr 172.16.0.243  counter packets 0 bytes 0 jump KUBE-POD-FW-R5OTVCDWFUUS7X7D # handle 50
		ip daddr 172.16.0.244  counter packets 26 bytes 5257 jump KUBE-POD-FW-DKNGSBNDJLFRRWGD # handle 64
		ip saddr 172.16.0.244  counter packets 0 bytes 0 jump KUBE-POD-FW-DKNGSBNDJLFRRWGD # handle 68
		ip daddr 172.16.0.247  counter packets 10 bytes 780 jump KUBE-POD-FW-L6BETOJTOKUMUIRE # handle 80
		ip saddr 172.16.0.247  counter packets 0 bytes 0 jump KUBE-POD-FW-L6BETOJTOKUMUIRE # handle 84
		ip daddr 172.16.0.248  counter packets 32 bytes 10499 jump KUBE-POD-FW-CSU7CZ7QCM77KF3O # handle 96
		ip saddr 172.16.0.248  counter packets 0 bytes 0 jump KUBE-POD-FW-CSU7CZ7QCM77KF3O # handle 100
		ip daddr 172.16.0.249  counter packets 0 bytes 0 jump KUBE-POD-FW-SXMQSPKBKACYM4W6 # handle 112
		ip saddr 172.16.0.249  counter packets 0 bytes 0 jump KUBE-POD-FW-SXMQSPKBKACYM4W6 # handle 116
		ip daddr 172.16.0.250  counter packets 0 bytes 0 jump KUBE-POD-FW-JZ3IWCEO54I3X4FP # handle 128
		ip saddr 172.16.0.250  counter packets 0 bytes 0 jump KUBE-POD-FW-JZ3IWCEO54I3X4FP # handle 130
		ip daddr 172.16.0.246  counter packets 8 bytes 2195 jump KUBE-POD-FW-3TGQAMQFWREC2XKZ # handle 144
		ip saddr 172.16.0.246  counter packets 0 bytes 0 jump KUBE-POD-FW-3TGQAMQFWREC2XKZ # handle 148
		ip daddr 172.16.0.245  counter packets 30 bytes 2185 jump KUBE-POD-FW-BANIJMZVL3PGSPBU # handle 160
		ip saddr 172.16.0.245  counter packets 0 bytes 0 jump KUBE-POD-FW-BANIJMZVL3PGSPBU # handle 164
		 meta mark & 0x00020000 == 0x00020000 counter packets 0 bytes 0 accept # handle 172
	}

	# Reached from INPUT only for packets matching an opaque `xt match set`.
	# The first rule accepts and the last rule rejects, each on another opaque
	# set match, so what is exposed and what is refused cannot be read from this
	# listing. In between, three ICMP types are accepted.
	chain KUBE-ROUTER-SERVICES { # handle 10
		 xt match set counter packets 14 bytes 4407 accept # handle 37
		meta l4proto icmp  icmp type echo-request counter packets 0 bytes 0 accept # handle 38
		meta l4proto icmp  icmp type destination-unreachable counter packets 13 bytes 1262 accept # handle 39
		meta l4proto icmp  icmp type time-exceeded counter packets 0 bytes 0 accept # handle 40
		 xt match set counter packets 0 bytes 0 reject # handle 41
	}

	# Per-pod firewall chain for 172.16.0.243. All KUBE-POD-FW-* chains below
	# share this sequence:
	#   1. accept established/related, drop invalid
	#   2. accept traffic to the pod whose source address is local to the node
	#   3. jump to KUBE-NWPLCY-DEFAULT for pod egress (saddr) and ingress (daddr)
	#   4. if bit 0x10000 is still unset: log to group 100 (rate-limited to
	#      10/minute) and reject
	#   5. clear 0x10000 and set 0x20000 for the accept rules in KUBE-ROUTER-*
	# Every jump into this chain matches the pod IP as source or destination,
	# and KUBE-NWPLCY-DEFAULT always sets 0x10000, so step 4 should not match.
	chain KUBE-POD-FW-R5OTVCDWFUUS7X7D { # handle 11
		 ct state related,established counter packets 9 bytes 811 accept # handle 46
		 ct state invalid counter packets 0 bytes 0 drop # handle 45
		ip daddr 172.16.0.243  fib saddr type local counter packets 1 bytes 60 accept # handle 44
		ip saddr 172.16.0.243  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 43
		ip daddr 172.16.0.243  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 42
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 54
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 55
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 56
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 57
	}

	# Per-pod firewall chain for 172.16.0.244; same rule sequence as the other
	# KUBE-POD-FW-* chains. This pod carries most of the observed traffic.
	chain KUBE-POD-FW-DKNGSBNDJLFRRWGD { # handle 12
		 ct state related,established counter packets 5979 bytes 15382115 accept # handle 62
		 ct state invalid counter packets 0 bytes 0 drop # handle 61
		ip daddr 172.16.0.244  fib saddr type local counter packets 2 bytes 120 accept # handle 60
		ip saddr 172.16.0.244  counter packets 37 bytes 3762 jump KUBE-NWPLCY-DEFAULT # handle 59
		ip daddr 172.16.0.244  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 58
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 70
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 71
		counter packets 37 bytes 3762 meta mark set mark and 0xfffeffff # handle 72
		 counter packets 37 bytes 3762 meta mark set mark or 0x20000 # handle 73
	}

	# Per-pod firewall chain for 172.16.0.247; same rule sequence as the other
	# KUBE-POD-FW-* chains.
	chain KUBE-POD-FW-L6BETOJTOKUMUIRE { # handle 13
		 ct state related,established counter packets 18 bytes 2142 accept # handle 78
		 ct state invalid counter packets 0 bytes 0 drop # handle 77
		ip daddr 172.16.0.247  fib saddr type local counter packets 2 bytes 120 accept # handle 76
		ip saddr 172.16.0.247  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 75
		ip daddr 172.16.0.247  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 74
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 86
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 87
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 88
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 89
	}

	# Per-pod firewall chain for 172.16.0.248; same rule sequence as the other
	# KUBE-POD-FW-* chains.
	chain KUBE-POD-FW-CSU7CZ7QCM77KF3O { # handle 14
		 ct state related,established counter packets 62 bytes 15526 accept # handle 94
		 ct state invalid counter packets 0 bytes 0 drop # handle 93
		ip daddr 172.16.0.248  fib saddr type local counter packets 0 bytes 0 accept # handle 92
		ip saddr 172.16.0.248  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 91
		ip daddr 172.16.0.248  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 90
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 102
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 103
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 104
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 105
	}

	# Per-pod firewall chain for 172.16.0.249; same rule sequence as the other
	# KUBE-POD-FW-* chains. No traffic has hit any rule here.
	chain KUBE-POD-FW-SXMQSPKBKACYM4W6 { # handle 15
		 ct state related,established counter packets 0 bytes 0 accept # handle 110
		 ct state invalid counter packets 0 bytes 0 drop # handle 109
		ip daddr 172.16.0.249  fib saddr type local counter packets 0 bytes 0 accept # handle 108
		ip saddr 172.16.0.249  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 107
		ip daddr 172.16.0.249  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 106
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 118
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 119
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 120
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 121
	}

	# Per-pod firewall chain for 172.16.0.250; same rule sequence as the other
	# KUBE-POD-FW-* chains. No traffic has hit any rule here.
	chain KUBE-POD-FW-JZ3IWCEO54I3X4FP { # handle 16
		 ct state related,established counter packets 0 bytes 0 accept # handle 126
		 ct state invalid counter packets 0 bytes 0 drop # handle 125
		ip daddr 172.16.0.250  fib saddr type local counter packets 0 bytes 0 accept # handle 124
		ip saddr 172.16.0.250  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 123
		ip daddr 172.16.0.250  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 122
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 134
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 135
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 136
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 137
	}

	# Per-pod firewall chain for 172.16.0.246; same rule sequence as the other
	# KUBE-POD-FW-* chains.
	chain KUBE-POD-FW-3TGQAMQFWREC2XKZ { # handle 17
		 ct state related,established counter packets 15 bytes 3450 accept # handle 142
		 ct state invalid counter packets 0 bytes 0 drop # handle 141
		ip daddr 172.16.0.246  fib saddr type local counter packets 0 bytes 0 accept # handle 140
		ip saddr 172.16.0.246  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 139
		ip daddr 172.16.0.246  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 138
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 150
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 151
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 152
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 153
	}

	# Per-pod firewall chain for 172.16.0.245; same rule sequence as the other
	# KUBE-POD-FW-* chains.
	chain KUBE-POD-FW-BANIJMZVL3PGSPBU { # handle 18
		 ct state related,established counter packets 65 bytes 5044 accept # handle 158
		 ct state invalid counter packets 0 bytes 0 drop # handle 157
		ip daddr 172.16.0.245  fib saddr type local counter packets 5 bytes 300 accept # handle 156
		ip saddr 172.16.0.245  counter packets 15 bytes 675 jump KUBE-NWPLCY-DEFAULT # handle 155
		ip daddr 172.16.0.245  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 154
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 166
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 167
		counter packets 15 bytes 675 meta mark set mark and 0xfffeffff # handle 168
		 counter packets 15 bytes 675 meta mark set mark or 0x20000 # handle 169
	}
}
