
----------------------
1) NFTables rulesets
----------------------

# IPv4 mangle table. Both chains are empty and neither has a "type ... hook"
# line, so no packet is processed by this table in this listing.
# NOTE(review): the KUBE-* names suggest they were created by kubelet/kube-proxy
# as marker chains — confirm against the components running on the node.
table ip mangle { # handle 1
	chain KUBE-IPTABLES-HINT { # handle 1
	}

	chain KUBE-KUBELET-CANARY { # handle 2
	}
}
# IPv4 NAT table. Counter values are a snapshot taken when the ruleset was
# listed. POSTROUTING is the only chain with a hook; the others are reached
# only by an explicit jump.
table ip nat { # handle 3
	# Sets mark bit 0x8000. KUBE-FIREWALL in the filter tables drops packets
	# carrying that bit. No rule in this listing jumps here (counter is 0).
	chain KUBE-MARK-DROP { # handle 1
		counter packets 0 bytes 0 meta mark set mark or 0x8000 # handle 2
	}

	# Sets mark bit 0x4000, the bit KUBE-POSTROUTING tests before masquerading.
	# No rule in this listing jumps here (counter is 0).
	chain KUBE-MARK-MASQ { # handle 3
		counter packets 0 bytes 0 meta mark set mark or 0x4000 # handle 5
	}

	chain KUBE-POSTROUTING { # handle 4
		# Packets without mark bit 0x4000 return to the caller untouched. The
		# counter equals the jump counter in POSTROUTING, so every packet seen
		# so far returned here.
		meta mark & 0x00004000 != 0x00004000 counter packets 13770 bytes 895462 return # handle 8
		# Clear the 0x4000 bit (it is known to be set at this point), then
		# source-NAT the packet with randomised port mapping.
		counter packets 0 bytes 0 meta mark set mark xor 0x4000 # handle 9
		 counter packets 0 bytes 0 masquerade fully-random # handle 10
	}

	# Base chain: hooked at postrouting with source-NAT priority, default accept.
	chain POSTROUTING { # handle 6
		type nat hook postrouting priority srcnat; policy accept;
		 counter packets 13770 bytes 895462 jump KUBE-POSTROUTING # handle 7
		# "xt match set" is an iptables-compat ipset match that nft prints
		# without its set name or direction flags, so the three conditions on
		# this masquerade rule cannot be read from this dump.
		# NOTE(review): audit this rule with iptables-save and ipset list.
		xt match set xt match set xt match set counter packets 13 bytes 811 masquerade fully-random # handle 12
		# Traffic neither from nor to 172.16.0.0/16 that also satisfies an ipvs
		# match (criteria not rendered) is source-NATed to 192.168.0.132.
		ip saddr != 172.16.0.0/16 ip daddr != 172.16.0.0/16 xt match ipvs  counter packets 4 bytes 240 snat to 192.168.0.132 fully-random # handle 13
	}

	# Empty chain, not referenced by any rule in this table.
	chain KUBE-KUBELET-CANARY { # handle 11
	}
}
# IPv6 mangle table. Same layout as the IPv4 mangle table in this dump: two
# empty chains, no hook line, so no IPv6 packet is processed here.
table ip6 mangle { # handle 4
	chain KUBE-IPTABLES-HINT { # handle 1
	}

	chain KUBE-KUBELET-CANARY { # handle 2
	}
}
# IPv6 NAT table. All counters are zero in this snapshot, i.e. no IPv6 packet
# had traversed the postrouting hook when the ruleset was listed.
table ip6 nat { # handle 5
	# Sets mark bit 0x8000 (tested by KUBE-FIREWALL in table ip6 filter).
	# No rule in this listing jumps here.
	chain KUBE-MARK-DROP { # handle 1
		counter packets 0 bytes 0 meta mark set mark or 0x8000 # handle 2
	}

	# Sets mark bit 0x4000 (tested by KUBE-POSTROUTING below).
	# No rule in this listing jumps here.
	chain KUBE-MARK-MASQ { # handle 3
		counter packets 0 bytes 0 meta mark set mark or 0x4000 # handle 5
	}

	chain KUBE-POSTROUTING { # handle 4
		# Return unless mark bit 0x4000 is set; otherwise clear the bit.
		meta mark & 0x00004000 != 0x00004000 counter packets 0 bytes 0 return # handle 8
		counter packets 0 bytes 0 meta mark set mark xor 0x4000 # handle 9
		# The listing shows only a counter here, with no statement or verdict.
		# NOTE(review): the rule at the same position in table ip nat is
		# "masquerade fully-random"; presumably the target was not rendered for
		# ip6 — confirm with ip6tables-save before assuming this rule is a no-op.
		 counter packets 0 bytes 0  # handle 10
	}

	# Base chain: hooked at postrouting with source-NAT priority, default accept.
	chain POSTROUTING { # handle 6
		type nat hook postrouting priority srcnat; policy accept;
		 counter packets 0 bytes 0 jump KUBE-POSTROUTING # handle 7
	}

	# Empty chain, not referenced by any rule in this table.
	chain KUBE-KUBELET-CANARY { # handle 11
	}
}
# IPv6 filter table. No chain here has a "type ... hook" line and no rule jumps
# to KUBE-FIREWALL, so as listed this table filters no IPv6 traffic. The IPv4
# filter table in this dump has no IPv6 counterpart for its INPUT/FORWARD/OUTPUT
# and pod-firewall chains.
# NOTE(review): if the node has IPv6 connectivity, check whether another
# ruleset or component is expected to filter it.
table ip6 filter { # handle 6
	chain KUBE-FIREWALL { # handle 1
		# Drops packets carrying mark bit 0x8000 (the bit KUBE-MARK-DROP sets).
		 meta mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 drop # handle 2
	}

	chain KUBE-KUBELET-CANARY { # handle 3
	}
}
# IPv4 filter table. INPUT, FORWARD and OUTPUT are the base chains and all
# three have "policy accept": a packet is blocked only when a rule in one of
# the jumped-to KUBE-* chains drops or rejects it. Counter values are a
# snapshot taken when the ruleset was listed.
#
# Mark bits used in this table, as established by the rules below:
#   0x8000  - dropped by KUBE-FIREWALL
#   0x10000 - set by KUBE-NWPLCY-DEFAULT; a pod chain rejects when it is absent
#   0x20000 - set at the end of a pod chain; KUBE-ROUTER-* accept when present
#
# Several lines contain "xt match ..." or a double space: these are
# iptables-compat expressions that nft prints without their arguments (or not
# at all), so the exact match criteria are not recoverable from this dump.
# NOTE(review): use iptables-save and ipset list for an authoritative audit.
table ip filter { # handle 64
	chain INPUT { # handle 1
		type filter hook input priority filter; policy accept;
		 counter packets 11158 bytes 3925186 jump KUBE-ROUTER-INPUT # handle 17
		# Only packets matching an ipset (name not rendered) go on to the
		# service-access chain.
		 xt match set counter packets 2919 bytes 545470 jump KUBE-ROUTER-SERVICES # handle 18
		counter packets 9123 bytes 3645721 jump KUBE-FIREWALL # handle 19
	}

	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy accept;
		 counter packets 0 bytes 0 jump KUBE-ROUTER-FORWARD # handle 20
		# Explicit accepts by interface; with policy accept they do not change
		# the outcome for packets that reach the end of the chain.
		oifname "enp34s0"  counter packets 0 bytes 0 accept # handle 21
		oifname "kube-bridge"  counter packets 0 bytes 0 accept # handle 22
		iifname "kube-bridge"  counter packets 0 bytes 0 accept # handle 23
	}

	chain OUTPUT { # handle 3
		type filter hook output priority filter; policy accept;
		 counter packets 11022 bytes 4465155 jump KUBE-ROUTER-OUTPUT # handle 24
		counter packets 8742 bytes 3981419 jump KUBE-FIREWALL # handle 25
	}

	# Reached from INPUT and OUTPUT only; FORWARD does not jump here.
	chain KUBE-FIREWALL { # handle 4
		# As printed: drop traffic to 127.0.0.0/8 from a non-loopback source
		# when the conntrack status is dnat.
		# NOTE(review): the double space before "ct" suggests an expression
		# that was not rendered; confirm the exact condition with iptables-save.
		ip saddr != 127.0.0.0/8 ip daddr 127.0.0.0/8  ct status dnat counter packets 0 bytes 0 drop # handle 26
		# Drop anything carrying mark bit 0x8000.
		 meta mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 drop # handle 27
	}

	chain KUBE-KUBELET-CANARY { # handle 5
	}

	# Unconditionally sets mark bit 0x10000. Every KUBE-POD-FW-* chain jumps
	# here for traffic from or to its pod address, so in this snapshot all such
	# traffic passes the 0x10000 check and the pod chains' log/reject rules
	# show zero hits. No per-policy chain appears in this listing.
	chain KUBE-NWPLCY-DEFAULT { # handle 6
		 counter packets 0 bytes 0 meta mark set mark or 0x10000 # handle 28
	}

	# Forwarded traffic: each pod address gets four jumps into its pod chain
	# (daddr, daddr + physdev match, saddr, saddr + physdev match). The physdev
	# match arguments are not rendered. Forwarded packets whose source and
	# destination match none of the listed addresses skip the pod chains and
	# are accepted by FORWARD.
	chain KUBE-ROUTER-FORWARD { # handle 7
		ip daddr 172.16.0.12  counter packets 0 bytes 0 jump KUBE-POD-FW-XDYLRHB2TBU2LJ57 # handle 42
		ip daddr 172.16.0.12 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-XDYLRHB2TBU2LJ57 # handle 44
		ip saddr 172.16.0.12  counter packets 0 bytes 0 jump KUBE-POD-FW-XDYLRHB2TBU2LJ57 # handle 45
		ip saddr 172.16.0.12 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-XDYLRHB2TBU2LJ57 # handle 48
		ip daddr 172.16.0.11  counter packets 0 bytes 0 jump KUBE-POD-FW-PKA2SWMKJSCOHV3D # handle 58
		ip daddr 172.16.0.11 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-PKA2SWMKJSCOHV3D # handle 60
		ip saddr 172.16.0.11  counter packets 0 bytes 0 jump KUBE-POD-FW-PKA2SWMKJSCOHV3D # handle 62
		ip saddr 172.16.0.11 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-PKA2SWMKJSCOHV3D # handle 64
		ip daddr 172.16.0.18  counter packets 0 bytes 0 jump KUBE-POD-FW-PGKYL47ADMLNCQAJ # handle 74
		ip daddr 172.16.0.18 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-PGKYL47ADMLNCQAJ # handle 76
		ip saddr 172.16.0.18  counter packets 0 bytes 0 jump KUBE-POD-FW-PGKYL47ADMLNCQAJ # handle 78
		ip saddr 172.16.0.18 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-PGKYL47ADMLNCQAJ # handle 80
		ip daddr 172.16.0.13  counter packets 0 bytes 0 jump KUBE-POD-FW-QW6FZYHTSLAVIMTJ # handle 90
		ip daddr 172.16.0.13 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-QW6FZYHTSLAVIMTJ # handle 92
		ip saddr 172.16.0.13  counter packets 0 bytes 0 jump KUBE-POD-FW-QW6FZYHTSLAVIMTJ # handle 95
		ip saddr 172.16.0.13 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-QW6FZYHTSLAVIMTJ # handle 96
		ip daddr 172.16.0.15  counter packets 0 bytes 0 jump KUBE-POD-FW-OTP2FSSPNLMAKG2Z # handle 106
		ip daddr 172.16.0.15 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-OTP2FSSPNLMAKG2Z # handle 108
		ip saddr 172.16.0.15  counter packets 0 bytes 0 jump KUBE-POD-FW-OTP2FSSPNLMAKG2Z # handle 110
		ip saddr 172.16.0.15 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-OTP2FSSPNLMAKG2Z # handle 112
		ip daddr 172.16.0.14  counter packets 0 bytes 0 jump KUBE-POD-FW-PI2KIWRWTDWPISRJ # handle 122
		ip daddr 172.16.0.14 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-PI2KIWRWTDWPISRJ # handle 124
		ip saddr 172.16.0.14  counter packets 0 bytes 0 jump KUBE-POD-FW-PI2KIWRWTDWPISRJ # handle 126
		ip saddr 172.16.0.14 xt match physdev  counter packets 0 bytes 0 jump KUBE-POD-FW-PI2KIWRWTDWPISRJ # handle 128
		# Accept once a pod chain has set the 0x20000 bit.
		 meta mark & 0x00020000 == 0x00020000 counter packets 0 bytes 0 accept # handle 134
	}

	# Traffic addressed to the node itself.
	chain KUBE-ROUTER-INPUT { # handle 8
		# The first three rules return before any pod chain is consulted:
		# destinations in 10.96.0.0/12, and locally-addressed TCP/UDP ports
		# 30000-32767.
		# NOTE(review): these look like the cluster service range and the
		# default NodePort range — confirm against the cluster configuration.
		ip daddr 10.96.0.0/12  counter packets 0 bytes 0 return # handle 29
		meta l4proto tcp  fib daddr type local tcp dport 30000-32767 counter packets 0 bytes 0 return # handle 30
		meta l4proto udp  fib daddr type local udp dport 30000-32767 counter packets 0 bytes 0 return # handle 31
		# Packets sourced from a listed pod address go through that pod's chain.
		ip saddr 172.16.0.12  counter packets 880 bytes 154320 jump KUBE-POD-FW-XDYLRHB2TBU2LJ57 # handle 47
		ip saddr 172.16.0.11  counter packets 269 bytes 50401 jump KUBE-POD-FW-PKA2SWMKJSCOHV3D # handle 61
		ip saddr 172.16.0.18  counter packets 200 bytes 19680 jump KUBE-POD-FW-PGKYL47ADMLNCQAJ # handle 77
		ip saddr 172.16.0.13  counter packets 0 bytes 0 jump KUBE-POD-FW-QW6FZYHTSLAVIMTJ # handle 94
		ip saddr 172.16.0.15  counter packets 57 bytes 4153 jump KUBE-POD-FW-OTP2FSSPNLMAKG2Z # handle 109
		ip saddr 172.16.0.14  counter packets 629 bytes 50911 jump KUBE-POD-FW-PI2KIWRWTDWPISRJ # handle 125
		 meta mark & 0x00020000 == 0x00020000 counter packets 0 bytes 0 accept # handle 133
	}

	# Traffic generated by the node itself: one daddr and one saddr jump per
	# pod address. Only the daddr rules show hits in this snapshot.
	chain KUBE-ROUTER-OUTPUT { # handle 9
		ip daddr 172.16.0.12  counter packets 1003 bytes 300638 jump KUBE-POD-FW-XDYLRHB2TBU2LJ57 # handle 43
		ip saddr 172.16.0.12  counter packets 0 bytes 0 jump KUBE-POD-FW-XDYLRHB2TBU2LJ57 # handle 46
		ip daddr 172.16.0.11  counter packets 324 bytes 91634 jump KUBE-POD-FW-PKA2SWMKJSCOHV3D # handle 59
		ip saddr 172.16.0.11  counter packets 0 bytes 0 jump KUBE-POD-FW-PKA2SWMKJSCOHV3D # handle 63
		ip daddr 172.16.0.18  counter packets 214 bytes 15848 jump KUBE-POD-FW-PGKYL47ADMLNCQAJ # handle 75
		ip saddr 172.16.0.18  counter packets 0 bytes 0 jump KUBE-POD-FW-PGKYL47ADMLNCQAJ # handle 79
		ip daddr 172.16.0.13  counter packets 0 bytes 0 jump KUBE-POD-FW-QW6FZYHTSLAVIMTJ # handle 91
		ip saddr 172.16.0.13  counter packets 0 bytes 0 jump KUBE-POD-FW-QW6FZYHTSLAVIMTJ # handle 93
		ip daddr 172.16.0.15  counter packets 62 bytes 25769 jump KUBE-POD-FW-OTP2FSSPNLMAKG2Z # handle 107
		ip saddr 172.16.0.15  counter packets 0 bytes 0 jump KUBE-POD-FW-OTP2FSSPNLMAKG2Z # handle 111
		ip daddr 172.16.0.14  counter packets 677 bytes 49847 jump KUBE-POD-FW-PI2KIWRWTDWPISRJ # handle 123
		ip saddr 172.16.0.14  counter packets 0 bytes 0 jump KUBE-POD-FW-PI2KIWRWTDWPISRJ # handle 127
		 meta mark & 0x00020000 == 0x00020000 counter packets 0 bytes 0 accept # handle 135
	}

	# Reached from INPUT for packets matching an ipset. The first rule accepts
	# and the last rule rejects on ipset matches whose set names are not
	# rendered; in between, three ICMP types are accepted.
	chain KUBE-ROUTER-SERVICES { # handle 10
		 xt match set counter packets 0 bytes 0 accept # handle 32
		meta l4proto icmp  icmp type echo-request counter packets 0 bytes 0 accept # handle 33
		meta l4proto icmp  icmp type destination-unreachable counter packets 0 bytes 0 accept # handle 34
		meta l4proto icmp  icmp type time-exceeded counter packets 0 bytes 0 accept # handle 35
		 xt match set counter packets 0 bytes 0 reject # handle 36
	}

	# Per-pod chain for 172.16.0.12. Rule order as listed:
	#   1. accept packets of established/related connections
	#   2. drop packets conntrack considers invalid
	#   3. accept traffic to the pod whose source address is local to this node
	#   4. jump to KUBE-NWPLCY-DEFAULT for traffic from or to the pod
	#   5. if mark bit 0x10000 is still unset: log to group 100 (at most
	#      10/minute, burst 10, so bursts of rejections are under-reported in
	#      the log) and reject
	#   6. otherwise clear 0x10000 and set 0x20000 for the calling chain
	chain KUBE-POD-FW-XDYLRHB2TBU2LJ57 { # handle 11
		 ct state related,established counter packets 1883 bytes 454958 accept # handle 41
		 ct state invalid counter packets 0 bytes 0 drop # handle 40
		ip daddr 172.16.0.12  fib saddr type local counter packets 0 bytes 0 accept # handle 39
		ip saddr 172.16.0.12  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 38
		ip daddr 172.16.0.12  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 37
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 49
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 50
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 51
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 52
	}

	# Per-pod chain for 172.16.0.11; same rule sequence as the chain for
	# 172.16.0.12.
	chain KUBE-POD-FW-PKA2SWMKJSCOHV3D { # handle 12
		 ct state related,established counter packets 593 bytes 142035 accept # handle 57
		 ct state invalid counter packets 0 bytes 0 drop # handle 56
		ip daddr 172.16.0.11  fib saddr type local counter packets 0 bytes 0 accept # handle 55
		ip saddr 172.16.0.11  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 54
		ip daddr 172.16.0.11  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 53
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 65
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 66
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 67
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 68
	}

	# Per-pod chain for 172.16.0.18; same rule sequence. The local-source
	# accept rule shows 40 hits in this snapshot.
	chain KUBE-POD-FW-PGKYL47ADMLNCQAJ { # handle 13
		 ct state related,established counter packets 374 bytes 33128 accept # handle 73
		 ct state invalid counter packets 0 bytes 0 drop # handle 72
		ip daddr 172.16.0.18  fib saddr type local counter packets 40 bytes 2400 accept # handle 71
		ip saddr 172.16.0.18  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 70
		ip daddr 172.16.0.18  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 69
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 81
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 82
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 83
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 84
	}

	# Per-pod chain for 172.16.0.13; same rule sequence. Every counter is zero:
	# no traffic for this address had been seen when the ruleset was listed.
	chain KUBE-POD-FW-QW6FZYHTSLAVIMTJ { # handle 14
		 ct state related,established counter packets 0 bytes 0 accept # handle 89
		 ct state invalid counter packets 0 bytes 0 drop # handle 88
		ip daddr 172.16.0.13  fib saddr type local counter packets 0 bytes 0 accept # handle 87
		ip saddr 172.16.0.13  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 86
		ip daddr 172.16.0.13  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 85
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 97
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 98
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 99
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 100
	}

	# Per-pod chain for 172.16.0.15; same rule sequence.
	chain KUBE-POD-FW-OTP2FSSPNLMAKG2Z { # handle 15
		 ct state related,established counter packets 119 bytes 29922 accept # handle 105
		 ct state invalid counter packets 0 bytes 0 drop # handle 104
		ip daddr 172.16.0.15  fib saddr type local counter packets 0 bytes 0 accept # handle 103
		ip saddr 172.16.0.15  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 102
		ip daddr 172.16.0.15  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 101
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 113
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 114
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 115
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 116
	}

	# Per-pod chain for 172.16.0.14; same rule sequence. The local-source
	# accept rule shows 123 hits in this snapshot.
	chain KUBE-POD-FW-PI2KIWRWTDWPISRJ { # handle 16
		 ct state related,established counter packets 1183 bytes 93378 accept # handle 121
		 ct state invalid counter packets 0 bytes 0 drop # handle 120
		ip daddr 172.16.0.14  fib saddr type local counter packets 123 bytes 7380 accept # handle 119
		ip saddr 172.16.0.14  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 118
		ip daddr 172.16.0.14  counter packets 0 bytes 0 jump KUBE-NWPLCY-DEFAULT # handle 117
		 meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 0 bytes 0 log group 100 # handle 129
		 meta mark & 0x00010000 != 0x00010000 counter packets 0 bytes 0 reject # handle 130
		counter packets 0 bytes 0 meta mark set mark and 0xfffeffff # handle 131
		 counter packets 0 bytes 0 meta mark set mark or 0x20000 # handle 132
	}
}
