Created
June 15, 2022 11:46
--- a 2022-06-13 00:33:03.094617241 +0200 | |
+++ b 2022-06-13 00:33:06.160439506 +0200 | |
@@ -1,1028 +1,1028 @@ | |
table inet firewalld { | |
chain mangle_PREROUTING { | |
type filter hook prerouting priority mangle + 10; policy accept; | |
jump mangle_PREROUTING_ZONES | |
} | |
chain mangle_PREROUTING_POLICIES_pre { | |
jump mangle_PRE_policy_allow-host-ipv6 | |
} | |
chain mangle_PREROUTING_ZONES { | |
ip saddr 10.42.0.0/16 goto mangle_PRE_trusted | |
iifname "enp0s5" goto mangle_PRE_FedoraServer | |
iifname "eth0" goto mangle_PRE_public | |
goto mangle_PRE_FedoraServer | |
} | |
chain mangle_PREROUTING_POLICIES_post { | |
} | |
chain nat_PREROUTING { | |
type nat hook prerouting priority dstnat + 10; policy accept; | |
jump nat_PREROUTING_ZONES | |
} | |
chain nat_PREROUTING_POLICIES_pre { | |
jump nat_PRE_policy_allow-host-ipv6 | |
} | |
chain nat_PREROUTING_ZONES { | |
ip saddr 10.42.0.0/16 goto nat_PRE_trusted | |
iifname "enp0s5" goto nat_PRE_FedoraServer | |
iifname "eth0" goto nat_PRE_public | |
goto nat_PRE_FedoraServer | |
} | |
chain nat_PREROUTING_POLICIES_post { | |
} | |
chain nat_POSTROUTING { | |
type nat hook postrouting priority srcnat + 10; policy accept; | |
jump nat_POSTROUTING_ZONES | |
} | |
chain nat_POSTROUTING_POLICIES_pre { | |
} | |
chain nat_POSTROUTING_ZONES { | |
ip daddr 10.42.0.0/16 goto nat_POST_trusted | |
oifname "enp0s5" goto nat_POST_FedoraServer | |
oifname "eth0" goto nat_POST_public | |
goto nat_POST_FedoraServer | |
} | |
chain nat_POSTROUTING_POLICIES_post { | |
} | |
chain filter_PREROUTING { | |
type filter hook prerouting priority filter + 10; policy accept; | |
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept | |
meta nfproto ipv6 fib saddr . mark . iif oif missing drop | |
} | |
chain filter_INPUT { | |
type filter hook input priority filter + 10; policy accept; | |
ct state { established, related } accept | |
ct status dnat accept | |
iifname "lo" accept | |
jump filter_INPUT_ZONES | |
ct state invalid drop | |
reject with icmpx admin-prohibited | |
} | |
chain filter_FORWARD { | |
type filter hook forward priority filter + 10; policy accept; | |
ct state { established, related } accept | |
ct status dnat accept | |
iifname "lo" accept | |
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable | |
jump filter_FORWARD_ZONES | |
ct state invalid drop | |
reject with icmpx admin-prohibited | |
} | |
chain filter_OUTPUT { | |
type filter hook output priority filter + 10; policy accept; | |
ct state { established, related } accept | |
oifname "lo" accept | |
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable | |
jump filter_OUTPUT_POLICIES_pre | |
jump filter_OUTPUT_POLICIES_post | |
} | |
chain filter_INPUT_POLICIES_pre { | |
jump filter_IN_policy_allow-host-ipv6 | |
} | |
chain filter_INPUT_ZONES { | |
ip saddr 10.42.0.0/16 goto filter_IN_trusted | |
iifname "enp0s5" goto filter_IN_FedoraServer | |
iifname "eth0" goto filter_IN_public | |
goto filter_IN_FedoraServer | |
} | |
chain filter_INPUT_POLICIES_post { | |
} | |
chain filter_FORWARD_POLICIES_pre { | |
} | |
chain filter_FORWARD_ZONES { | |
ip saddr 10.42.0.0/16 goto filter_FWD_trusted | |
iifname "enp0s5" goto filter_FWD_FedoraServer | |
iifname "eth0" goto filter_FWD_public | |
goto filter_FWD_FedoraServer | |
} | |
chain filter_FORWARD_POLICIES_post { | |
} | |
chain filter_OUTPUT_POLICIES_pre { | |
} | |
chain filter_OUTPUT_POLICIES_post { | |
} | |
chain filter_IN_public { | |
jump filter_INPUT_POLICIES_pre | |
jump filter_IN_public_pre | |
jump filter_IN_public_log | |
jump filter_IN_public_deny | |
jump filter_IN_public_allow | |
jump filter_IN_public_post | |
jump filter_INPUT_POLICIES_post | |
meta l4proto { icmp, ipv6-icmp } accept | |
reject with icmpx admin-prohibited | |
} | |
chain filter_IN_public_pre { | |
} | |
chain filter_IN_public_log { | |
} | |
chain filter_IN_public_deny { | |
} | |
chain filter_IN_public_allow { | |
tcp dport 22 ct state { new, untracked } accept | |
ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept | |
ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept | |
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept | |
tcp dport 6443 ct state { new, untracked } accept | |
tcp dport 30000-32767 ct state { new, untracked } accept | |
tcp dport 2379-2380 ct state { new, untracked } accept | |
tcp dport 80 ct state { new, untracked } accept | |
tcp dport 443 ct state { new, untracked } accept | |
tcp dport 10250 ct state { new, untracked } accept | |
tcp dport 10251 ct state { new, untracked } accept | |
} | |
chain filter_IN_public_post { | |
} | |
chain nat_POST_public { | |
jump nat_POSTROUTING_POLICIES_pre | |
jump nat_POST_public_pre | |
jump nat_POST_public_log | |
jump nat_POST_public_deny | |
jump nat_POST_public_allow | |
jump nat_POST_public_post | |
jump nat_POSTROUTING_POLICIES_post | |
} | |
chain nat_POST_public_pre { | |
} | |
chain nat_POST_public_log { | |
} | |
chain nat_POST_public_deny { | |
} | |
chain nat_POST_public_allow { | |
meta nfproto ipv4 oifname != "lo" masquerade | |
} | |
chain nat_POST_public_post { | |
} | |
chain filter_FWD_public { | |
jump filter_FORWARD_POLICIES_pre | |
jump filter_FWD_public_pre | |
jump filter_FWD_public_log | |
jump filter_FWD_public_deny | |
jump filter_FWD_public_allow | |
jump filter_FWD_public_post | |
jump filter_FORWARD_POLICIES_post | |
reject with icmpx admin-prohibited | |
} | |
chain filter_FWD_public_pre { | |
} | |
chain filter_FWD_public_log { | |
} | |
chain filter_FWD_public_deny { | |
} | |
chain filter_FWD_public_allow { | |
oifname "eth0" accept | |
} | |
chain filter_FWD_public_post { | |
} | |
chain nat_PRE_public { | |
jump nat_PREROUTING_POLICIES_pre | |
jump nat_PRE_public_pre | |
jump nat_PRE_public_log | |
jump nat_PRE_public_deny | |
jump nat_PRE_public_allow | |
jump nat_PRE_public_post | |
jump nat_PREROUTING_POLICIES_post | |
} | |
chain nat_PRE_public_pre { | |
} | |
chain nat_PRE_public_log { | |
} | |
chain nat_PRE_public_deny { | |
} | |
chain nat_PRE_public_allow { | |
} | |
chain nat_PRE_public_post { | |
} | |
chain mangle_PRE_public { | |
jump mangle_PREROUTING_POLICIES_pre | |
jump mangle_PRE_public_pre | |
jump mangle_PRE_public_log | |
jump mangle_PRE_public_deny | |
jump mangle_PRE_public_allow | |
jump mangle_PRE_public_post | |
jump mangle_PREROUTING_POLICIES_post | |
} | |
chain mangle_PRE_public_pre { | |
} | |
chain mangle_PRE_public_log { | |
} | |
chain mangle_PRE_public_deny { | |
} | |
chain mangle_PRE_public_allow { | |
} | |
chain mangle_PRE_public_post { | |
} | |
chain filter_IN_trusted { | |
jump filter_INPUT_POLICIES_pre | |
jump filter_IN_trusted_pre | |
jump filter_IN_trusted_log | |
jump filter_IN_trusted_deny | |
jump filter_IN_trusted_allow | |
jump filter_IN_trusted_post | |
jump filter_INPUT_POLICIES_post | |
accept | |
} | |
chain filter_IN_trusted_pre { | |
} | |
chain filter_IN_trusted_log { | |
} | |
chain filter_IN_trusted_deny { | |
} | |
chain filter_IN_trusted_allow { | |
} | |
chain filter_IN_trusted_post { | |
} | |
chain nat_POST_trusted { | |
jump nat_POSTROUTING_POLICIES_pre | |
jump nat_POST_trusted_pre | |
jump nat_POST_trusted_log | |
jump nat_POST_trusted_deny | |
jump nat_POST_trusted_allow | |
jump nat_POST_trusted_post | |
jump nat_POSTROUTING_POLICIES_post | |
} | |
chain nat_POST_trusted_pre { | |
} | |
chain nat_POST_trusted_log { | |
} | |
chain nat_POST_trusted_deny { | |
} | |
chain nat_POST_trusted_allow { | |
} | |
chain nat_POST_trusted_post { | |
} | |
chain filter_FWD_trusted { | |
jump filter_FORWARD_POLICIES_pre | |
jump filter_FWD_trusted_pre | |
jump filter_FWD_trusted_log | |
jump filter_FWD_trusted_deny | |
jump filter_FWD_trusted_allow | |
jump filter_FWD_trusted_post | |
jump filter_FORWARD_POLICIES_post | |
accept | |
} | |
chain filter_FWD_trusted_pre { | |
} | |
chain filter_FWD_trusted_log { | |
} | |
chain filter_FWD_trusted_deny { | |
} | |
chain filter_FWD_trusted_allow { | |
ip daddr 10.42.0.0/16 accept | |
} | |
chain filter_FWD_trusted_post { | |
} | |
chain nat_PRE_trusted { | |
jump nat_PREROUTING_POLICIES_pre | |
jump nat_PRE_trusted_pre | |
jump nat_PRE_trusted_log | |
jump nat_PRE_trusted_deny | |
jump nat_PRE_trusted_allow | |
jump nat_PRE_trusted_post | |
jump nat_PREROUTING_POLICIES_post | |
} | |
chain nat_PRE_trusted_pre { | |
} | |
chain nat_PRE_trusted_log { | |
} | |
chain nat_PRE_trusted_deny { | |
} | |
chain nat_PRE_trusted_allow { | |
} | |
chain nat_PRE_trusted_post { | |
} | |
chain mangle_PRE_trusted { | |
jump mangle_PREROUTING_POLICIES_pre | |
jump mangle_PRE_trusted_pre | |
jump mangle_PRE_trusted_log | |
jump mangle_PRE_trusted_deny | |
jump mangle_PRE_trusted_allow | |
jump mangle_PRE_trusted_post | |
jump mangle_PREROUTING_POLICIES_post | |
} | |
chain mangle_PRE_trusted_pre { | |
} | |
chain mangle_PRE_trusted_log { | |
} | |
chain mangle_PRE_trusted_deny { | |
} | |
chain mangle_PRE_trusted_allow { | |
} | |
chain mangle_PRE_trusted_post { | |
} | |
chain filter_IN_FedoraServer { | |
jump filter_INPUT_POLICIES_pre | |
jump filter_IN_FedoraServer_pre | |
jump filter_IN_FedoraServer_log | |
jump filter_IN_FedoraServer_deny | |
jump filter_IN_FedoraServer_allow | |
jump filter_IN_FedoraServer_post | |
jump filter_INPUT_POLICIES_post | |
meta l4proto { icmp, ipv6-icmp } accept | |
reject with icmpx admin-prohibited | |
} | |
chain filter_IN_FedoraServer_pre { | |
} | |
chain filter_IN_FedoraServer_log { | |
} | |
chain filter_IN_FedoraServer_deny { | |
} | |
chain filter_IN_FedoraServer_allow { | |
tcp dport 22 ct state { new, untracked } accept | |
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept | |
tcp dport 9090 ct state { new, untracked } accept | |
} | |
chain filter_IN_FedoraServer_post { | |
} | |
chain nat_POST_FedoraServer { | |
jump nat_POSTROUTING_POLICIES_pre | |
jump nat_POST_FedoraServer_pre | |
jump nat_POST_FedoraServer_log | |
jump nat_POST_FedoraServer_deny | |
jump nat_POST_FedoraServer_allow | |
jump nat_POST_FedoraServer_post | |
jump nat_POSTROUTING_POLICIES_post | |
} | |
chain nat_POST_FedoraServer_pre { | |
} | |
chain nat_POST_FedoraServer_log { | |
} | |
chain nat_POST_FedoraServer_deny { | |
} | |
chain nat_POST_FedoraServer_allow { | |
} | |
chain nat_POST_FedoraServer_post { | |
} | |
chain filter_FWD_FedoraServer { | |
jump filter_FORWARD_POLICIES_pre | |
jump filter_FWD_FedoraServer_pre | |
jump filter_FWD_FedoraServer_log | |
jump filter_FWD_FedoraServer_deny | |
jump filter_FWD_FedoraServer_allow | |
jump filter_FWD_FedoraServer_post | |
jump filter_FORWARD_POLICIES_post | |
reject with icmpx admin-prohibited | |
} | |
chain filter_FWD_FedoraServer_pre { | |
} | |
chain filter_FWD_FedoraServer_log { | |
} | |
chain filter_FWD_FedoraServer_deny { | |
} | |
chain filter_FWD_FedoraServer_allow { | |
} | |
chain filter_FWD_FedoraServer_post { | |
} | |
chain nat_PRE_FedoraServer { | |
jump nat_PREROUTING_POLICIES_pre | |
jump nat_PRE_FedoraServer_pre | |
jump nat_PRE_FedoraServer_log | |
jump nat_PRE_FedoraServer_deny | |
jump nat_PRE_FedoraServer_allow | |
jump nat_PRE_FedoraServer_post | |
jump nat_PREROUTING_POLICIES_post | |
} | |
chain nat_PRE_FedoraServer_pre { | |
} | |
chain nat_PRE_FedoraServer_log { | |
} | |
chain nat_PRE_FedoraServer_deny { | |
} | |
chain nat_PRE_FedoraServer_allow { | |
} | |
chain nat_PRE_FedoraServer_post { | |
} | |
chain mangle_PRE_FedoraServer { | |
jump mangle_PREROUTING_POLICIES_pre | |
jump mangle_PRE_FedoraServer_pre | |
jump mangle_PRE_FedoraServer_log | |
jump mangle_PRE_FedoraServer_deny | |
jump mangle_PRE_FedoraServer_allow | |
jump mangle_PRE_FedoraServer_post | |
jump mangle_PREROUTING_POLICIES_post | |
} | |
chain mangle_PRE_FedoraServer_pre { | |
} | |
chain mangle_PRE_FedoraServer_log { | |
} | |
chain mangle_PRE_FedoraServer_deny { | |
} | |
chain mangle_PRE_FedoraServer_allow { | |
} | |
chain mangle_PRE_FedoraServer_post { | |
} | |
chain filter_IN_policy_allow-host-ipv6 { | |
jump filter_IN_policy_allow-host-ipv6_pre | |
jump filter_IN_policy_allow-host-ipv6_log | |
jump filter_IN_policy_allow-host-ipv6_deny | |
jump filter_IN_policy_allow-host-ipv6_allow | |
jump filter_IN_policy_allow-host-ipv6_post | |
} | |
chain filter_IN_policy_allow-host-ipv6_pre { | |
} | |
chain filter_IN_policy_allow-host-ipv6_log { | |
} | |
chain filter_IN_policy_allow-host-ipv6_deny { | |
} | |
chain filter_IN_policy_allow-host-ipv6_allow { | |
icmpv6 type nd-neighbor-advert accept | |
icmpv6 type nd-neighbor-solicit accept | |
icmpv6 type nd-router-advert accept | |
icmpv6 type nd-redirect accept | |
} | |
chain filter_IN_policy_allow-host-ipv6_post { | |
} | |
chain nat_PRE_policy_allow-host-ipv6 { | |
jump nat_PRE_policy_allow-host-ipv6_pre | |
jump nat_PRE_policy_allow-host-ipv6_log | |
jump nat_PRE_policy_allow-host-ipv6_deny | |
jump nat_PRE_policy_allow-host-ipv6_allow | |
jump nat_PRE_policy_allow-host-ipv6_post | |
} | |
chain nat_PRE_policy_allow-host-ipv6_pre { | |
} | |
chain nat_PRE_policy_allow-host-ipv6_log { | |
} | |
chain nat_PRE_policy_allow-host-ipv6_deny { | |
} | |
chain nat_PRE_policy_allow-host-ipv6_allow { | |
} | |
chain nat_PRE_policy_allow-host-ipv6_post { | |
} | |
chain mangle_PRE_policy_allow-host-ipv6 { | |
jump mangle_PRE_policy_allow-host-ipv6_pre | |
jump mangle_PRE_policy_allow-host-ipv6_log | |
jump mangle_PRE_policy_allow-host-ipv6_deny | |
jump mangle_PRE_policy_allow-host-ipv6_allow | |
jump mangle_PRE_policy_allow-host-ipv6_post | |
} | |
chain mangle_PRE_policy_allow-host-ipv6_pre { | |
} | |
chain mangle_PRE_policy_allow-host-ipv6_log { | |
} | |
chain mangle_PRE_policy_allow-host-ipv6_deny { | |
} | |
chain mangle_PRE_policy_allow-host-ipv6_allow { | |
} | |
chain mangle_PRE_policy_allow-host-ipv6_post { | |
} | |
} | |
table ip nat { | |
chain KUBE-MARK-MASQ { | |
- counter packets 57702 bytes 3469380 meta mark set mark or 0x4000 | |
+ counter packets 58331 bytes 3507120 meta mark set mark or 0x4000 | |
} | |
chain KUBE-PROXY-CANARY { | |
} | |
chain KUBE-SERVICES { | |
meta l4proto tcp ip daddr 10.43.227.132 tcp dport 80 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.227.132 tcp dport 80 counter packets 0 bytes 0 jump KUBE-SVC-G7SE62USL23TYJ2M | |
meta l4proto tcp ip daddr 10.43.19.128 tcp dport 5672 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.19.128 tcp dport 5672 counter packets 0 bytes 0 jump KUBE-SVC-GIKJNZAAI45WUYBH | |
meta l4proto tcp ip daddr 10.43.211.129 tcp dport 8161 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.211.129 tcp dport 8161 counter packets 0 bytes 0 jump KUBE-SVC-LIOOHFJYYW3ZABPU | |
meta l4proto tcp ip daddr 10.43.17.229 tcp dport 8080 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.17.229 tcp dport 8080 counter packets 0 bytes 0 jump KUBE-SVC-C3MFIKRRKIIKRMI5 | |
meta l4proto tcp ip daddr 10.43.24.66 tcp dport 8080 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.24.66 tcp dport 8080 counter packets 0 bytes 0 jump KUBE-SVC-3RLFT6EFUQAF2XVN | |
meta l4proto tcp ip daddr 10.43.0.10 tcp dport 53 counter packets 110 bytes 6600 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.0.10 tcp dport 53 counter packets 110 bytes 6600 jump KUBE-SVC-6BRQXW4I6ZZ3LHZH | |
meta l4proto tcp ip daddr 10.43.255.102 tcp dport 1936 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.255.102 tcp dport 1936 counter packets 0 bytes 0 jump KUBE-SVC-LMGCLHC2KUY6NS4N | |
meta l4proto tcp ip daddr 10.43.0.1 tcp dport 443 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.0.1 tcp dport 443 counter packets 0 bytes 0 jump KUBE-SVC-NPX46M4PTMTKRN6Y | |
- meta l4proto tcp ip daddr 10.43.0.33 tcp dport 8080 counter packets 57482 bytes 3448920 jump KUBE-MARK-MASQ | |
- meta l4proto tcp ip daddr 10.43.0.33 tcp dport 8080 counter packets 57482 bytes 3448920 jump KUBE-SVC-2BVHRYMGYCU2HG4Z | |
+ meta l4proto tcp ip daddr 10.43.0.33 tcp dport 8080 counter packets 58111 bytes 3486660 jump KUBE-MARK-MASQ | |
+ meta l4proto tcp ip daddr 10.43.0.33 tcp dport 8080 counter packets 58111 bytes 3486660 jump KUBE-SVC-2BVHRYMGYCU2HG4Z | |
meta l4proto tcp ip daddr 10.43.255.102 tcp dport 443 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.255.102 tcp dport 443 counter packets 0 bytes 0 jump KUBE-SVC-PIUKAOOLWSYDMVAC | |
meta l4proto tcp ip daddr 10.43.23.66 tcp dport 1883 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.23.66 tcp dport 1883 counter packets 0 bytes 0 jump KUBE-SVC-P2XKEW5RYSAHZBCZ | |
meta l4proto udp ip daddr 10.43.0.10 udp dport 53 counter packets 110 bytes 13860 jump KUBE-MARK-MASQ | |
meta l4proto udp ip daddr 10.43.0.10 udp dport 53 counter packets 110 bytes 13860 jump KUBE-SVC-BGNS3J6UB7MMLVDO | |
meta l4proto tcp ip daddr 10.43.0.10 tcp dport 9154 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.0.10 tcp dport 9154 counter packets 0 bytes 0 jump KUBE-SVC-P2RWE722QPZ5K3VW | |
meta l4proto tcp ip daddr 10.43.255.102 tcp dport 80 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.255.102 tcp dport 80 counter packets 0 bytes 0 jump KUBE-SVC-U3LVBEEPLKGG5GBK | |
meta l4proto tcp ip daddr 10.43.227.132 tcp dport 443 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp ip daddr 10.43.227.132 tcp dport 443 counter packets 0 bytes 0 jump KUBE-SVC-SPETZ3VUXX5SVBRP | |
- fib daddr type local counter packets 1573 bytes 81706 jump KUBE-NODEPORTS | |
+ fib daddr type local counter packets 1574 bytes 81766 jump KUBE-NODEPORTS | |
} | |
chain OUTPUT { | |
type nat hook output priority -100; policy accept; | |
- counter packets 162793 bytes 10041336 jump KUBE-SERVICES | |
+ counter packets 162796 bytes 10041516 jump KUBE-SERVICES | |
} | |
chain PREROUTING { | |
type nat hook prerouting priority dstnat; policy accept; | |
- counter packets 275528 bytes 36322706 jump KUBE-SERVICES | |
+ counter packets 276158 bytes 36360553 jump KUBE-SERVICES | |
} | |
chain KUBE-POSTROUTING { | |
- mark and 0x4000 != 0x4000 counter packets 2443 bytes 143362 return | |
- counter packets 57702 bytes 3469380 meta mark set mark xor 0x4000 | |
- counter packets 57702 bytes 3469380 masquerade | |
+ mark and 0x4000 != 0x4000 counter packets 2446 bytes 143542 return | |
+ counter packets 58331 bytes 3507120 meta mark set mark xor 0x4000 | |
+ counter packets 58331 bytes 3507120 masquerade | |
} | |
chain POSTROUTING { | |
type nat hook postrouting priority srcnat; policy accept; | |
- counter packets 220578 bytes 13513016 jump KUBE-POSTROUTING | |
+ counter packets 221210 bytes 13550936 jump KUBE-POSTROUTING | |
ip saddr 10.42.0.14 counter packets 0 bytes 0 jump CNI-b359b0134e21fbe839200228 | |
ip saddr 10.42.0.13 counter packets 0 bytes 0 jump CNI-6a017f66ca1c8132af15d5c6 | |
ip saddr 10.42.0.17 counter packets 0 bytes 0 jump CNI-e32c9a7ca3143f1b67582f85 | |
ip saddr 10.42.0.19 counter packets 0 bytes 0 jump CNI-af0909ded6cccad365764eb5 | |
ip saddr 10.42.0.20 counter packets 0 bytes 0 jump CNI-1b4a229293ad1d3e3cd6e30b | |
ip saddr 10.42.0.33 counter packets 24 bytes 1940 jump CNI-e5fc7af0dde0985be86c1041 | |
ip saddr 10.42.0.108 counter packets 0 bytes 0 jump CNI-a441a63d2015ec36f3fbc358 | |
ip saddr 10.42.0.109 counter packets 3 bytes 180 jump CNI-9fa638e77c9d3a8c373e4a2f | |
ip saddr 10.42.0.110 counter packets 0 bytes 0 jump CNI-30bbdfa36b5194c4ed0dd0ee | |
} | |
chain KUBE-MARK-DROP { | |
counter packets 0 bytes 0 meta mark set mark or 0x8000 | |
} | |
chain KUBE-NODEPORTS { | |
meta l4proto tcp tcp dport 30001 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp tcp dport 30001 counter packets 0 bytes 0 jump KUBE-SVC-G7SE62USL23TYJ2M | |
meta l4proto tcp tcp dport 30880 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp tcp dport 30880 counter packets 0 bytes 0 jump KUBE-SVC-GIKJNZAAI45WUYBH | |
meta l4proto tcp tcp dport 32400 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp tcp dport 32400 counter packets 0 bytes 0 jump KUBE-SVC-P2XKEW5RYSAHZBCZ | |
meta l4proto tcp tcp dport 30002 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp tcp dport 30002 counter packets 0 bytes 0 jump KUBE-SVC-SPETZ3VUXX5SVBRP | |
} | |
chain KUBE-SVC-NPX46M4PTMTKRN6Y { | |
counter packets 0 bytes 0 jump KUBE-SEP-NU5YS2QG5G6SFNS3 | |
} | |
chain KUBE-SEP-NU5YS2QG5G6SFNS3 { | |
ip saddr 192.168.1.143 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 0 bytes 0 dnat to 192.168.1.143:6443 | |
} | |
chain KUBE-KUBELET-CANARY { | |
} | |
chain KUBE-SVC-SPETZ3VUXX5SVBRP { | |
counter packets 0 bytes 0 jump KUBE-SEP-YVZYPLPEZG6ICUPI | |
} | |
chain KUBE-SEP-YVZYPLPEZG6ICUPI { | |
ip saddr 192.168.1.143 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 0 bytes 0 dnat to 192.168.1.143:443 | |
} | |
chain KUBE-SVC-G7SE62USL23TYJ2M { | |
counter packets 0 bytes 0 jump KUBE-SEP-JTIZZVBXHJN4U2LS | |
} | |
chain KUBE-SEP-JTIZZVBXHJN4U2LS { | |
ip saddr 192.168.1.143 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 0 bytes 0 dnat to 192.168.1.143:80 | |
} | |
chain KUBE-SVC-LMGCLHC2KUY6NS4N { | |
counter packets 0 bytes 0 jump KUBE-SEP-HSDIEGJHWCV7I2PL | |
} | |
chain KUBE-SEP-HSDIEGJHWCV7I2PL { | |
ip saddr 192.168.1.143 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 0 bytes 0 dnat to 192.168.1.143:1936 | |
} | |
chain KUBE-SVC-PIUKAOOLWSYDMVAC { | |
counter packets 0 bytes 0 jump KUBE-SEP-UD3PE6BLFTW7HIJ6 | |
} | |
chain KUBE-SEP-UD3PE6BLFTW7HIJ6 { | |
ip saddr 192.168.1.143 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 0 bytes 0 dnat to 192.168.1.143:443 | |
} | |
chain KUBE-SVC-U3LVBEEPLKGG5GBK { | |
counter packets 0 bytes 0 jump KUBE-SEP-C53PRW3DWHYT4Z7R | |
} | |
chain KUBE-SEP-C53PRW3DWHYT4Z7R { | |
ip saddr 192.168.1.143 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 0 bytes 0 dnat to 192.168.1.143:80 | |
} | |
chain CNI-b359b0134e21fbe839200228 { | |
ip daddr 10.42.0.0/24 counter packets 0 bytes 0 accept | |
ip daddr != 224.0.0.0/4 counter packets 0 bytes 0 masquerade | |
} | |
chain CNI-6a017f66ca1c8132af15d5c6 { | |
ip daddr 10.42.0.0/24 counter packets 0 bytes 0 accept | |
ip daddr != 224.0.0.0/4 counter packets 0 bytes 0 masquerade | |
} | |
chain CNI-e32c9a7ca3143f1b67582f85 { | |
ip daddr 10.42.0.0/24 counter packets 0 bytes 0 accept | |
ip daddr != 224.0.0.0/4 counter packets 0 bytes 0 masquerade | |
} | |
chain KUBE-SVC-C3MFIKRRKIIKRMI5 { | |
counter packets 0 bytes 0 jump KUBE-SEP-WIIPAY2ARHIT5FU5 | |
} | |
chain KUBE-SEP-WIIPAY2ARHIT5FU5 { | |
ip saddr 10.42.0.13 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 0 bytes 0 dnat to 10.42.0.13:8080 | |
} | |
chain CNI-af0909ded6cccad365764eb5 { | |
ip daddr 10.42.0.0/24 counter packets 0 bytes 0 accept | |
ip daddr != 224.0.0.0/4 counter packets 0 bytes 0 masquerade | |
} | |
chain CNI-1b4a229293ad1d3e3cd6e30b { | |
ip daddr 10.42.0.0/24 counter packets 0 bytes 0 accept | |
ip daddr != 224.0.0.0/4 counter packets 0 bytes 0 masquerade | |
} | |
chain CNI-e5fc7af0dde0985be86c1041 { | |
ip daddr 10.42.0.0/24 counter packets 0 bytes 0 accept | |
ip daddr != 224.0.0.0/4 counter packets 24 bytes 1940 masquerade | |
} | |
chain KUBE-SVC-6BRQXW4I6ZZ3LHZH { | |
counter packets 110 bytes 6600 jump KUBE-SEP-M7UY7PVPP6JCSB4X | |
} | |
chain KUBE-SEP-M7UY7PVPP6JCSB4X { | |
ip saddr 10.42.0.33 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 110 bytes 6600 dnat to 10.42.0.33:5353 | |
} | |
chain KUBE-SVC-BGNS3J6UB7MMLVDO { | |
counter packets 110 bytes 13860 jump KUBE-SEP-HSCJNKQ4QRMV4IFJ | |
} | |
chain KUBE-SEP-HSCJNKQ4QRMV4IFJ { | |
ip saddr 10.42.0.33 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto udp counter packets 110 bytes 13860 dnat to 10.42.0.33:5353 | |
} | |
chain KUBE-SVC-P2RWE722QPZ5K3VW { | |
counter packets 0 bytes 0 jump KUBE-SEP-YPM3MAM3FHEWCDML | |
} | |
chain KUBE-SEP-YPM3MAM3FHEWCDML { | |
ip saddr 10.42.0.33 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 0 bytes 0 dnat to 10.42.0.33:9154 | |
} | |
chain CNI-a441a63d2015ec36f3fbc358 { | |
ip daddr 10.42.0.0/24 counter packets 0 bytes 0 accept | |
ip daddr != 224.0.0.0/4 counter packets 0 bytes 0 masquerade | |
} | |
chain CNI-9fa638e77c9d3a8c373e4a2f { | |
ip daddr 10.42.0.0/24 counter packets 0 bytes 0 accept | |
ip daddr != 224.0.0.0/4 counter packets 3 bytes 180 masquerade | |
} | |
chain KUBE-SVC-2BVHRYMGYCU2HG4Z { | |
- counter packets 57482 bytes 3448920 jump KUBE-SEP-2U6K5B7TH6AHRTTQ | |
+ counter packets 58111 bytes 3486660 jump KUBE-SEP-2U6K5B7TH6AHRTTQ | |
} | |
chain CNI-30bbdfa36b5194c4ed0dd0ee { | |
ip daddr 10.42.0.0/24 counter packets 0 bytes 0 accept | |
ip daddr != 224.0.0.0/4 counter packets 0 bytes 0 masquerade | |
} | |
chain KUBE-SEP-2U6K5B7TH6AHRTTQ { | |
ip saddr 10.42.0.110 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
- meta l4proto tcp counter packets 57482 bytes 3448920 dnat to 10.42.0.110:8080 | |
+ meta l4proto tcp counter packets 58111 bytes 3486660 dnat to 10.42.0.110:8080 | |
} | |
chain KUBE-SVC-LIOOHFJYYW3ZABPU { | |
counter packets 0 bytes 0 jump KUBE-SEP-XDF4WTSOAK4ADJ7F | |
} | |
chain KUBE-SEP-XDF4WTSOAK4ADJ7F { | |
ip saddr 10.42.0.20 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 0 bytes 0 dnat to 10.42.0.20:8161 | |
} | |
chain KUBE-SVC-GIKJNZAAI45WUYBH { | |
counter packets 0 bytes 0 jump KUBE-SEP-CS5NYMJC2IGVVT3B | |
} | |
chain KUBE-SEP-CS5NYMJC2IGVVT3B { | |
ip saddr 10.42.0.20 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 0 bytes 0 dnat to 10.42.0.20:5672 | |
} | |
chain KUBE-SVC-P2XKEW5RYSAHZBCZ { | |
counter packets 0 bytes 0 jump KUBE-SEP-GI6LF5OD7EXYXXMB | |
} | |
chain KUBE-SEP-GI6LF5OD7EXYXXMB { | |
ip saddr 10.42.0.20 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 0 bytes 0 dnat to 10.42.0.20:1883 | |
} | |
chain KUBE-SVC-3RLFT6EFUQAF2XVN { | |
counter packets 0 bytes 0 jump KUBE-SEP-42GF2HMPY756HIKQ | |
} | |
chain KUBE-SEP-42GF2HMPY756HIKQ { | |
ip saddr 10.42.0.109 counter packets 0 bytes 0 jump KUBE-MARK-MASQ | |
meta l4proto tcp counter packets 0 bytes 0 dnat to 10.42.0.109:8080 | |
} | |
} | |
table ip6 nat { | |
chain KUBE-MARK-MASQ { | |
counter packets 0 bytes 0 meta mark set mark or 0x4000 | |
} | |
chain KUBE-PROXY-CANARY { | |
} | |
chain KUBE-SERVICES { | |
- fib daddr type local counter packets 0 bytes 0 jump KUBE-NODEPORTS | |
+ fib daddr type local counter packets 2 bytes 160 jump KUBE-NODEPORTS | |
} | |
chain OUTPUT { | |
type nat hook output priority -100; policy accept; | |
- counter packets 87576 bytes 6798486 jump KUBE-SERVICES | |
+ counter packets 87578 bytes 6798646 jump KUBE-SERVICES | |
} | |
chain PREROUTING { | |
type nat hook prerouting priority dstnat; policy accept; | |
counter packets 40324 bytes 12212633 jump KUBE-SERVICES | |
} | |
chain KUBE-POSTROUTING { | |
- mark and 0x4000 != 0x4000 counter packets 0 bytes 0 return | |
+ mark and 0x4000 != 0x4000 counter packets 2 bytes 160 return | |
counter packets 0 bytes 0 meta mark set mark xor 0x4000 | |
counter packets 0 bytes 0 masquerade random-fully | |
} | |
chain POSTROUTING { | |
type nat hook postrouting priority srcnat; policy accept; | |
- counter packets 87576 bytes 6798486 jump KUBE-POSTROUTING | |
+ counter packets 87578 bytes 6798646 jump KUBE-POSTROUTING | |
} | |
chain KUBE-MARK-DROP { | |
counter packets 0 bytes 0 meta mark set mark or 0x8000 | |
} | |
chain KUBE-NODEPORTS { | |
} | |
chain KUBE-KUBELET-CANARY { | |
} | |
} | |
table ip6 mangle { | |
chain KUBE-PROXY-CANARY { | |
} | |
chain KUBE-KUBELET-CANARY { | |
} | |
} | |
table ip mangle { | |
chain KUBE-PROXY-CANARY { | |
} | |
chain KUBE-KUBELET-CANARY { | |
} | |
chain OUTPUT { | |
type route hook output priority mangle; policy accept; | |
skuid 2000 counter packets 0 bytes 0 drop | |
skuid 2000 counter packets 0 bytes 0 drop | |
} | |
} | |
table ip filter { | |
chain KUBE-PROXY-CANARY { | |
} | |
chain KUBE-EXTERNAL-SERVICES { | |
} | |
chain INPUT { | |
type filter hook input priority filter; policy accept; | |
- counter packets 19204636 bytes 3242082992 jump KUBE-FIREWALL | |
- counter packets 19204971 bytes 3242159314 jump KUBE-NODEPORTS | |
- ct state new counter packets 230913 bytes 23853927 jump KUBE-EXTERNAL-SERVICES | |
+ counter packets 19210298 bytes 3244468684 jump KUBE-FIREWALL | |
+ counter packets 19210633 bytes 3244545006 jump KUBE-NODEPORTS | |
+ ct state new counter packets 230915 bytes 23854094 jump KUBE-EXTERNAL-SERVICES | |
} | |
chain FORWARD { | |
type filter hook forward priority filter; policy accept; | |
- counter packets 708834 bytes 213839225 jump KUBE-FORWARD | |
+ counter packets 716384 bytes 215033800 jump KUBE-FORWARD | |
ct state new counter packets 314 bytes 24212 jump KUBE-SERVICES | |
ct state new counter packets 314 bytes 24212 jump KUBE-EXTERNAL-SERVICES | |
} | |
chain KUBE-NODEPORTS { | |
} | |
chain KUBE-SERVICES { | |
} | |
chain OUTPUT { | |
type filter hook output priority filter; policy accept; | |
skuid 2000 counter packets 0 bytes 0 drop | |
- counter packets 18878480 bytes 3196941996 jump KUBE-FIREWALL | |
- ct state new counter packets 162800 bytes 10041664 jump KUBE-SERVICES | |
+ counter packets 18884113 bytes 3199932930 jump KUBE-FIREWALL | |
+ ct state new counter packets 162803 bytes 10041844 jump KUBE-SERVICES | |
} | |
chain KUBE-FORWARD { | |
ct state invalid counter packets 0 bytes 0 drop | |
- mark and 0x4000 == 0x4000 counter packets 57482 bytes 3448920 accept | |
- ct state related,established counter packets 632567 bytes 105723178 accept | |
+ mark and 0x4000 == 0x4000 counter packets 58111 bytes 3486660 accept | |
+ ct state related,established counter packets 639488 bytes 106880013 accept | |
ct state related,established counter packets 0 bytes 0 accept | |
} | |
chain KUBE-FIREWALL { | |
mark and 0x8000 == 0x8000 counter packets 0 bytes 0 drop | |
ip saddr != 127.0.0.0/8 ip daddr 127.0.0.0/8 ct status dnat counter packets 0 bytes 0 drop | |
} | |
chain KUBE-KUBELET-CANARY { | |
} | |
} | |
table ip6 filter { | |
chain KUBE-PROXY-CANARY { | |
} | |
chain KUBE-EXTERNAL-SERVICES { | |
} | |
chain INPUT { | |
type filter hook input priority filter; policy accept; | |
- counter packets 1506585 bytes 341277708 jump KUBE-FIREWALL | |
- counter packets 1506586 bytes 341277784 jump KUBE-NODEPORTS | |
- ct state new counter packets 127673 bytes 18992543 jump KUBE-EXTERNAL-SERVICES | |
+ counter packets 1506710 bytes 341321964 jump KUBE-FIREWALL | |
+ counter packets 1506711 bytes 341322040 jump KUBE-NODEPORTS | |
+ ct state new counter packets 127675 bytes 18992703 jump KUBE-EXTERNAL-SERVICES | |
} | |
chain FORWARD { | |
type filter hook forward priority filter; policy accept; | |
counter packets 0 bytes 0 jump KUBE-FORWARD | |
ct state new counter packets 0 bytes 0 jump KUBE-SERVICES | |
ct state new counter packets 0 bytes 0 jump KUBE-EXTERNAL-SERVICES | |
} | |
chain KUBE-NODEPORTS { | |
} | |
chain KUBE-SERVICES { | |
} | |
chain OUTPUT { | |
type filter hook output priority filter; policy accept; | |
- counter packets 1463746 bytes 328908611 jump KUBE-FIREWALL | |
- ct state new counter packets 87578 bytes 6798646 jump KUBE-SERVICES | |
+ counter packets 1463871 bytes 328952867 jump KUBE-FIREWALL | |
+ ct state new counter packets 87580 bytes 6798806 jump KUBE-SERVICES | |
} | |
chain KUBE-FORWARD { | |
ct state invalid counter packets 0 bytes 0 drop | |
mark and 0x4000 == 0x4000 counter packets 0 bytes 0 accept | |
ct state related,established counter packets 0 bytes 0 accept | |
ct state related,established counter packets 0 bytes 0 accept | |
} | |
chain KUBE-FIREWALL { | |
mark and 0x8000 == 0x8000 counter packets 0 bytes 0 drop | |
} | |
chain KUBE-KUBELET-CANARY { | |
} | |
} |
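Review bot: `filter_IN_public_allow` accepts `tcp dport 2379-2380`, `tcp dport 10250`, `tcp dport 10251` and `tcp dport 30000-32767` on `eth0` with no source match, so the ports conventionally used by etcd, the kubelet and NodePort services are open to every host that can reach that interface. These are unchanged context lines; the two snapshots differ only in counter values, so the exposure is present in both. If `eth0` is not a closed node network (not visible here), the rules should be scoped by source, for example `ip saddr <NODE_CIDR> tcp dport 2379-2380 ct state { new, untracked } accept`, which firewalld would generate from a source-bound zone or a rich rule. The `inet firewalld` rules also carry no `counter`, so this diff cannot show whether its `reject with icmpx admin-prohibited` rules matched any of the traffic counted in the `ip nat` and `ip filter` tables.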