Created
September 16, 2025 14:08
-
-
Save fmuyassarov/7ff6558e77e33b82417b9a3c5c2cac67 to your computer and use it in GitHub Desktop.
before anything
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Chain INPUT (policy ACCEPT 952M packets, 309G bytes) | |
| pkts bytes target prot opt in out source destination | |
| 130M 40G cali-INPUT all -- any any anywhere anywhere /* cali:Cz_u1IQiXIMmKD4c */ | |
| 126M 39G KUBE-IPVS-FILTER all -- any any anywhere anywhere /* kubernetes ipvs access filter */ | |
| 126M 39G KUBE-PROXY-FIREWALL all -- any any anywhere anywhere /* kube-proxy firewall rules */ | |
| 126M 39G KUBE-NODE-PORT all -- any any anywhere anywhere /* kubernetes health check rules */ | |
| 14M 833M KUBE-PROXY-FIREWALL all -- any any anywhere anywhere ctstate NEW /* kubernetes load balancer firewall */ | |
| 952M 308G KUBE-NODEPORTS all -- any any anywhere anywhere /* kubernetes health check service ports */ | |
| 14M 833M KUBE-EXTERNAL-SERVICES all -- any any anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */ | |
| 952M 308G KUBE-FIREWALL all -- any any anywhere anywhere | |
| Chain FORWARD (policy ACCEPT 2 packets, 181 bytes) | |
| pkts bytes target prot opt in out source destination | |
| 46 5885 cali-FORWARD all -- any any anywhere anywhere /* cali:wUHhoiAYhphO9Mso */ | |
| 16057 82M DOCKER-USER all -- any any anywhere anywhere | |
| 16057 82M DOCKER-FORWARD all -- any any anywhere anywhere | |
| 83 6844 KUBE-PROXY-FIREWALL all -- any any anywhere anywhere /* kube-proxy firewall rules */ | |
| 817K 87M KUBE-PROXY-FIREWALL all -- any any anywhere anywhere ctstate NEW /* kubernetes load balancer firewall */ | |
| 1164K 1940M KUBE-FORWARD all -- any any anywhere anywhere /* kubernetes forwarding rules */ | |
| 817K 87M KUBE-SERVICES all -- any any anywhere anywhere ctstate NEW /* kubernetes service portals */ | |
| 817K 87M KUBE-EXTERNAL-SERVICES all -- any any anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */ | |
| 20 1634 ACCEPT all -- any any anywhere anywhere /* cali:S93hcgKJrXEqnTfs */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000 | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:mp77cMpurHhyjLrM */ MARK or 0x10000 | |
| Chain OUTPUT (policy ACCEPT 1011M packets, 331G bytes) | |
| pkts bytes target prot opt in out source destination | |
| 130M 38G cali-OUTPUT all -- any any anywhere anywhere /* cali:tVnHkvAo15HuiPy0 */ | |
| 130M 38G KUBE-IPVS-OUT-FILTER all -- any any anywhere anywhere /* kubernetes ipvs access filter */ | |
| 17M 1016M KUBE-PROXY-FIREWALL all -- any any anywhere anywhere ctstate NEW /* kubernetes load balancer firewall */ | |
| 17M 1016M KUBE-SERVICES all -- any any anywhere anywhere ctstate NEW /* kubernetes service portals */ | |
| 1011M 331G KUBE-FIREWALL all -- any any anywhere anywhere | |
| Chain DOCKER (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 DROP all -- !br-bc18ce9c999c br-bc18ce9c999c anywhere anywhere | |
| 0 0 DROP all -- !docker0 docker0 anywhere anywhere | |
| Chain DOCKER-BRIDGE (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 DOCKER all -- any br-bc18ce9c999c anywhere anywhere | |
| 0 0 DOCKER all -- any docker0 anywhere anywhere | |
| Chain DOCKER-CT (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 ACCEPT all -- any br-bc18ce9c999c anywhere anywhere ctstate RELATED,ESTABLISHED | |
| 10330 81M ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED | |
| Chain DOCKER-FORWARD (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 16057 82M DOCKER-CT all -- any any anywhere anywhere | |
| 5727 517K DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere | |
| 5727 517K DOCKER-BRIDGE all -- any any anywhere anywhere | |
| 0 0 ACCEPT all -- br-bc18ce9c999c any anywhere anywhere | |
| 5707 516K ACCEPT all -- docker0 any anywhere anywhere | |
| Chain DOCKER-ISOLATION-STAGE-1 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 DOCKER-ISOLATION-STAGE-2 all -- br-bc18ce9c999c !br-bc18ce9c999c anywhere anywhere | |
| 5707 516K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere | |
| Chain DOCKER-ISOLATION-STAGE-2 (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 DROP all -- any docker0 anywhere anywhere | |
| 0 0 DROP all -- any br-bc18ce9c999c anywhere anywhere | |
| Chain DOCKER-USER (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 833K 169M RETURN all -- any any anywhere anywhere | |
| Chain KUBE-EXTERNAL-SERVICES (2 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain KUBE-FIREWALL (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 DROP all -- any any !localhost/8 localhost/8 /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT | |
| Chain KUBE-FORWARD (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* kubernetes forwarding rules */ mark match 0x4000/0x4000 | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* kubernetes forwarding conntrack rule */ ctstate RELATED,ESTABLISHED | |
| Chain KUBE-IPVS-FILTER (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 RETURN all -- any any anywhere anywhere match-set KUBE-LOAD-BALANCER dst,dst | |
| 0 0 RETURN all -- any any anywhere anywhere match-set KUBE-CLUSTER-IP dst,dst | |
| 0 0 RETURN all -- any any anywhere anywhere match-set KUBE-EXTERNAL-IP dst,dst | |
| 0 0 RETURN all -- any any anywhere anywhere match-set KUBE-EXTERNAL-IP-LOCAL dst,dst | |
| 0 0 RETURN all -- any any anywhere anywhere match-set KUBE-HEALTH-CHECK-NODE-PORT dst | |
| 0 0 REJECT all -- any any anywhere anywhere ctstate NEW match-set KUBE-IPVS-IPS dst reject-with icmp-port-unreachable | |
| Chain KUBE-IPVS-OUT-FILTER (1 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain KUBE-KUBELET-CANARY (0 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain KUBE-NODE-PORT (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* Kubernetes health check node port */ match-set KUBE-HEALTH-CHECK-NODE-PORT dst | |
| Chain KUBE-NODEPORTS (1 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain KUBE-PROXY-CANARY (0 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain KUBE-PROXY-FIREWALL (5 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain KUBE-SERVICES (2 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain KUBE-SOURCE-RANGES-FIREWALL (0 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 DROP all -- any any anywhere anywhere | |
| Chain cali-FORWARD (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 12 1638 MARK all -- any any anywhere anywhere /* cali:vjrMJCRpqwy5oRoX */ MARK and 0xfff1ffff | |
| 12 1638 cali-from-hep-forward all -- any any anywhere anywhere /* cali:A_sPAO0mcxbT9mOV */ mark match 0x0/0x10000 | |
| 6 390 cali-from-wl-dispatch all -- cali+ any anywhere anywhere /* cali:8ZoYfO5HKXWbB3pk */ | |
| 6 1248 cali-to-wl-dispatch all -- any cali+ anywhere anywhere /* cali:jdEuaPBe14V2hutn */ | |
| 5 305 cali-to-hep-forward all -- any any anywhere anywhere /* cali:12bc6HljsMKsmfr- */ | |
| 5 305 cali-cidr-block all -- any any anywhere anywhere /* cali:NOSxoaGx8OIstr1z */ | |
| Chain cali-INPUT (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 ACCEPT udp -- any any anywhere anywhere /* cali:J76FwxInZIsk7uKY */ /* Allow IPv4 VXLAN packets from allowed hosts */ multiport dports 4789 match-set cali40all-vxlan-net src ADDRTYPE match dst-type LOCAL | |
| 0 0 DROP udp -- any any anywhere anywhere /* cali:EDCNTTxYfggApx8C */ /* Drop IPv4 VXLAN packets from non-allowed hosts */ multiport dports 4789 ADDRTYPE match dst-type LOCAL | |
| 94807 129M MARK all -- any any anywhere anywhere /* cali:B_8fGLpLlTQcXZgh */ MARK and 0xfffff | |
| 94807 129M cali-forward-check all -- any any anywhere anywhere /* cali:AD1HGbXEph59_YyS */ | |
| 45 4014 RETURN all -- any any anywhere anywhere /* cali:NmYAbfrd1o63cxNo */ mark match ! 0x0/0xfff00000 | |
| 1877 569K cali-wl-to-host all -- cali+ any anywhere anywhere [goto] /* cali:O-dDeZL8fOcsUtUD */ | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* cali:ZI1yfOrOsD5YjTbe */ mark match 0x10000/0x10000 | |
| 92885 129M MARK all -- any any anywhere anywhere /* cali:XxqbC-iTL5WaS8eO */ MARK and 0xfff0ffff | |
| 92885 129M cali-from-host-endpoint all -- any any anywhere anywhere /* cali:IZ5RzzpDkgrPBLwh */ | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* cali:jUXk5Q3mXlNarOhs */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000 | |
| Chain cali-OUTPUT (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* cali:Mq1_rAdXXH3YkrzW */ mark match 0x10000/0x10000 | |
| 0 0 cali-forward-endpoint-mark all -- any any anywhere anywhere [goto] /* cali:5Z67OUUpTOM7Xa1a */ mark match ! 0x0/0xfff00000 | |
| 1893 1075K RETURN all -- any cali+ anywhere anywhere /* cali:M2Wf0OehNdig8MHR */ | |
| 0 0 ACCEPT udp -- any any anywhere anywhere /* cali:ClE20y3NCwgoEuMI */ /* Allow IPv4 VXLAN packets to other allowed hosts */ multiport dports 4789 ADDRTYPE match src-type LOCAL match-set cali40all-vxlan-net dst | |
| 88647 37M MARK all -- any any anywhere anywhere /* cali:aMcwcA5f79hQPBgR */ MARK and 0xfff0ffff | |
| 88647 37M cali-to-host-endpoint all -- any any anywhere anywhere /* cali:n_vqcKl8u9NdpYmx */ ! ctstate DNAT | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* cali:979hsn7wL9UDIMMj */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000 | |
| Chain cali-cidr-block (1 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain cali-forward-check (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 128M 39G RETURN all -- any any anywhere anywhere /* cali:Pbldlb4FaULvpdD8 */ ctstate RELATED,ESTABLISHED | |
| 0 0 cali-set-endpoint-mark tcp -- any any anywhere anywhere [goto] /* cali:ZD-6UxuUtGW-xtzg */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst | |
| 0 0 cali-set-endpoint-mark udp -- any any anywhere anywhere [goto] /* cali:CbPfUajQ2bFVnDq4 */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst | |
| 15153 1757K cali-set-endpoint-mark all -- any any anywhere anywhere /* cali:jmhU0ODogX-Zfe5g */ /* To kubernetes service */ ! match-set cali40this-host dst | |
| Chain cali-forward-endpoint-mark (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 cali-from-endpoint-mark all -- any any anywhere anywhere /* cali:O0SmFDrnm7KggWqW */ mark match ! 0x100000/0xfff00000 | |
| 0 0 cali-to-wl-dispatch all -- any cali+ anywhere anywhere /* cali:aFl0WFKRxDqj8oA6 */ | |
| 0 0 cali-to-hep-forward all -- any any anywhere anywhere /* cali:AZKVrO3i_8cLai5f */ | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:96HaP1sFtb-NYoYA */ MARK and 0xfffff | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* cali:VxO6hyNWz62YEtul */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000 | |
| Chain cali-from-endpoint-mark (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 cali-fw-cali299f39e782d all -- any any anywhere anywhere [goto] /* cali:r_lOY1H9D7CJcX2m */ mark match 0x73400000/0xfff00000 | |
| 0 0 cali-fw-cali3862ba2b954 all -- any any anywhere anywhere [goto] /* cali:owYaEWIGSYQ7xLMu */ mark match 0x1a400000/0xfff00000 | |
| 0 0 cali-fw-cali4b00c59f252 all -- any any anywhere anywhere [goto] /* cali:0FllKG9VJSsjqQtX */ mark match 0x40a00000/0xfff00000 | |
| 0 0 cali-fw-cali557158cd734 all -- any any anywhere anywhere [goto] /* cali:Lvi31_abgvFArTGI */ mark match 0x3ba00000/0xfff00000 | |
| 0 0 cali-fw-cali590c7f9f7ee all -- any any anywhere anywhere [goto] /* cali:SLhsdfXJWHr4UvTk */ mark match 0x5d400000/0xfff00000 | |
| 0 0 cali-fw-calic8e3b733162 all -- any any anywhere anywhere [goto] /* cali:pUQcpjvhB87_vtWA */ mark match 0x2700000/0xfff00000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:-5LrAABBWU5eE7iV */ /* Unknown interface */ | |
| Chain cali-from-hep-forward (1 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain cali-from-host-endpoint (1 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain cali-from-wl-dispatch (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 cali-fw-cali299f39e782d all -- cali299f39e782d any anywhere anywhere [goto] /* cali:EI7BARWoCeFBEMNw */ | |
| 140 11057 cali-fw-cali3862ba2b954 all -- cali3862ba2b954 any anywhere anywhere [goto] /* cali:wcxtNrAMtrGWgjY7 */ | |
| 235 33576 cali-fw-cali4b00c59f252 all -- cali4b00c59f252 any anywhere anywhere [goto] /* cali:cRAcqoTJGWAxRcPi */ | |
| 452 64002 cali-from-wl-dispatch-5 all -- cali5+ any anywhere anywhere [goto] /* cali:cdL35QUpMMxalFBI */ | |
| 287 193K cali-fw-calic8e3b733162 all -- calic8e3b733162 any anywhere anywhere [goto] /* cali:s6H4_iZsgg_p0umZ */ | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:d81YvsooFEkQkz0T */ /* Unknown interface */ | |
| Chain cali-from-wl-dispatch-5 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 133 10509 cali-fw-cali557158cd734 all -- cali557158cd734 any anywhere anywhere [goto] /* cali:wdgYrDG0c9j6NG6g */ | |
| 319 53493 cali-fw-cali590c7f9f7ee all -- cali590c7f9f7ee any anywhere anywhere [goto] /* cali:tp9gbCyFcyH-_g7p */ | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:1lALwmXy1GhGVwR1 */ /* Unknown interface */ | |
| Chain cali-fw-cali299f39e782d (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* cali:GfJ_KkcBcCmrig7M */ ctstate RELATED,ESTABLISHED | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:Lcfjx8EgU9U5lpzg */ ctstate INVALID | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:Qq-yrWJMnL-NJ6yg */ MARK and 0xfffcffff | |
| 0 0 DROP udp -- any any anywhere anywhere /* cali:VN6zjU4qYBWKXAIJ */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789 | |
| 0 0 DROP ipencap -- any any anywhere anywhere /* cali:ExS2b1c_UikuDiJS */ /* Drop IPinIP encapped packets originating in workloads */ | |
| 0 0 cali-pro-kns.calico-system all -- any any anywhere anywhere /* cali:StbcuTHOWLJJuLji */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:NJ94Hz3y4R86fNdu */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 cali-pro-_ymJUz7yzI6NOKJhG2- all -- any any anywhere anywhere /* cali:mL5q2cB16W9VMRWa */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:oA0rdzTCalEu-itf */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:CKOgE-ZFwlguJqfh */ /* Drop if no profiles matched */ | |
| Chain cali-fw-cali3862ba2b954 (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 195 17243 ACCEPT all -- any any anywhere anywhere /* cali:TsTF6nqXJRbVW-s8 */ ctstate RELATED,ESTABLISHED | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:4J4FJdJo5RVpuKoS */ ctstate INVALID | |
| 3 175 MARK all -- any any anywhere anywhere /* cali:qbxl-G3KLoj2CD9n */ MARK and 0xfffcffff | |
| 0 0 DROP udp -- any any anywhere anywhere /* cali:6b-pdaf5LEctV92_ */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789 | |
| 0 0 DROP ipencap -- any any anywhere anywhere /* cali:6dL1RnBv4DluifEG */ /* Drop IPinIP encapped packets originating in workloads */ | |
| 3 175 cali-pro-kns.kube-system all -- any any anywhere anywhere /* cali:b89dS4Rf06STbmFh */ | |
| 3 175 RETURN all -- any any anywhere anywhere /* cali:OQ461jeZDyj5jyhJ */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 cali-pro-_u2Tn2rSoAPffvE7JO6 all -- any any anywhere anywhere /* cali:3SNgmuFoaEYFPvl7 */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:JNqIX6z5dhoZ5rqe */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:yX1fYxhkrSZpEhnK */ /* Drop if no profiles matched */ | |
| Chain cali-fw-cali4b00c59f252 (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 235 33576 ACCEPT all -- any any anywhere anywhere /* cali:A-nz0HbDBF-uA9n1 */ ctstate RELATED,ESTABLISHED | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:DjBAL8K61DHXhWmv */ ctstate INVALID | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:2DQe6ZlTVRUuxzr6 */ MARK and 0xfffcffff | |
| 0 0 DROP udp -- any any anywhere anywhere /* cali:XWbOs53I4rW0-xee */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789 | |
| 0 0 DROP ipencap -- any any anywhere anywhere /* cali:7W_JErkX4tfXugdw */ /* Drop IPinIP encapped packets originating in workloads */ | |
| 0 0 cali-pro-kns.calico-system all -- any any anywhere anywhere /* cali:Ec6rQQvqevXEPaC4 */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:MUa19jR0uZ5I_UyD */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 cali-pro-_nzzjLvInId1gPHmQz_ all -- any any anywhere anywhere /* cali:vk3d7rETLit-dDaK */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:0cH1q8LXBwJDoLzm */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:m0btgE0_BAckFQB0 */ /* Drop if no profiles matched */ | |
| Chain cali-fw-cali557158cd734 (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 187 16592 ACCEPT all -- any any anywhere anywhere /* cali:d05E0SArDhDNKYOc */ ctstate RELATED,ESTABLISHED | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:ufc3YceD-Tig1Kf1 */ ctstate INVALID | |
| 2 130 MARK all -- any any anywhere anywhere /* cali:t8hMNupRetn6neG2 */ MARK and 0xfffcffff | |
| 0 0 DROP udp -- any any anywhere anywhere /* cali:vNjGJhQxeZ2KPcdE */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789 | |
| 0 0 DROP ipencap -- any any anywhere anywhere /* cali:reWI3-s1qSutdfTJ */ /* Drop IPinIP encapped packets originating in workloads */ | |
| 2 130 cali-pro-kns.kube-system all -- any any anywhere anywhere /* cali:t2K6_DDfHKWfs0rL */ | |
| 2 130 RETURN all -- any any anywhere anywhere /* cali:zMFwpfABxm6v-Eim */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 cali-pro-_u2Tn2rSoAPffvE7JO6 all -- any any anywhere anywhere /* cali:CJW54OeeOqMfvif6 */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:fUITJWI6asK7jzEJ */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:IYOI4IoVI1Hli1cW */ /* Drop if no profiles matched */ | |
| Chain cali-fw-cali590c7f9f7ee (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 319 53493 ACCEPT all -- any any anywhere anywhere /* cali:MFqVPM8C3ypwA3RX */ ctstate RELATED,ESTABLISHED | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:7Ld_KLrH7rlyVw91 */ ctstate INVALID | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:VJEOQU3Q1SKld6L_ */ MARK and 0xfffcffff | |
| 0 0 DROP udp -- any any anywhere anywhere /* cali:v1xD9be2TjwGpAFU */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789 | |
| 0 0 DROP ipencap -- any any anywhere anywhere /* cali:-cJtl1b0cTibF4kq */ /* Drop IPinIP encapped packets originating in workloads */ | |
| 0 0 cali-pro-_kJqfZpgUe7r2t4A-14 all -- any any anywhere anywhere /* cali:6pN2edXf6_GGldeC */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:ieV3z86lsOHE2byW */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 cali-pro-_4yi5_iSUAwsU8zMHTk all -- any any anywhere anywhere /* cali:PB2fBxL3VGZ5CpcX */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:1v-2tGYDhvVtgMaY */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:K5v6BhtDdJvooGsx */ /* Drop if no profiles matched */ | |
| Chain cali-fw-calic8e3b733162 (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 942 448K ACCEPT all -- any any anywhere anywhere /* cali:ATespSLDLFkQhDxV */ ctstate RELATED,ESTABLISHED | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:seYdOTcy3wTBSxyP */ ctstate INVALID | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:NKpEzfSGpZUloUsq */ MARK and 0xfffcffff | |
| 0 0 DROP udp -- any any anywhere anywhere /* cali:AqK81lewk0N1xnDc */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789 | |
| 0 0 DROP ipencap -- any any anywhere anywhere /* cali:3knxeG6vwfHb73EB */ /* Drop IPinIP encapped packets originating in workloads */ | |
| 0 0 cali-pro-_kJqfZpgUe7r2t4A-14 all -- any any anywhere anywhere /* cali:hsA2c70b8dPq8Gu2 */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:kdal5vR0ElgSdW1X */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 cali-pro-_4yi5_iSUAwsU8zMHTk all -- any any anywhere anywhere /* cali:qMK34UC7D5bg6n05 */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:Z8Q-AkWd7OEVYatf */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:PqYtBhx3I_QLUFV9 */ /* Drop if no profiles matched */ | |
| Chain cali-pi-_FDiLImilezd09cpg5ci (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 MARK tcp -- any any anywhere anywhere /* cali:wH4Z-YLtazvrkIUi */ /* Policy calico-apiserver/knp.default.allow-apiserver ingress */ multiport dports 5443 MARK or 0x10000 | |
| Chain cali-pri-_4yi5_iSUAwsU8zMHTk (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 all -- any any anywhere anywhere /* cali:ZYnaZZFwsSjfXO4C */ /* Profile ksa.calico-apiserver.calico-apiserver ingress */ | |
| Chain cali-pri-_kJqfZpgUe7r2t4A-14 (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:IQx0SzlDGn6BPv0A */ /* Profile kns.calico-apiserver ingress */ MARK or 0x10000 | |
| Chain cali-pri-_nzzjLvInId1gPHmQz_ (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 all -- any any anywhere anywhere /* cali:UQoEf2WCdU0bPTCb */ /* Profile ksa.calico-system.calico-kube-controllers ingress */ | |
| Chain cali-pri-_u2Tn2rSoAPffvE7JO6 (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 all -- any any anywhere anywhere /* cali:WqgznqAQ-uYV0oBx */ /* Profile ksa.kube-system.coredns ingress */ | |
| Chain cali-pri-_ymJUz7yzI6NOKJhG2- (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 all -- any any anywhere anywhere /* cali:52zm9tLYY65R0fSD */ /* Profile ksa.calico-system.csi-node-driver ingress */ | |
| Chain cali-pri-kns.calico-system (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:hLANj-OVIyT53h_j */ /* Profile kns.calico-system ingress */ MARK or 0x10000 | |
| Chain cali-pri-kns.kube-system (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:J1TyxtHWd0qaBGK- */ /* Profile kns.kube-system ingress */ MARK or 0x10000 | |
| Chain cali-pro-_4yi5_iSUAwsU8zMHTk (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 all -- any any anywhere anywhere /* cali:Pp_dQp2FeNabRhyi */ /* Profile ksa.calico-apiserver.calico-apiserver egress */ | |
| Chain cali-pro-_kJqfZpgUe7r2t4A-14 (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:_cFTxC141wwWRzyZ */ /* Profile kns.calico-apiserver egress */ MARK or 0x10000 | |
| Chain cali-pro-_nzzjLvInId1gPHmQz_ (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 all -- any any anywhere anywhere /* cali:5bHxBXLMkJKgC6dk */ /* Profile ksa.calico-system.calico-kube-controllers egress */ | |
| Chain cali-pro-_u2Tn2rSoAPffvE7JO6 (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 all -- any any anywhere anywhere /* cali:0-_UPh39dt5XfhmJ */ /* Profile ksa.kube-system.coredns egress */ | |
| Chain cali-pro-_ymJUz7yzI6NOKJhG2- (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 all -- any any anywhere anywhere /* cali:yuJvAdyU1LYltt-O */ /* Profile ksa.calico-system.csi-node-driver egress */ | |
| Chain cali-pro-kns.calico-system (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:gWxJzCZXxl31NR0P */ /* Profile kns.calico-system egress */ MARK or 0x10000 | |
| Chain cali-pro-kns.kube-system (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 5 305 MARK all -- any any anywhere anywhere /* cali:tgOR2S8DVHZW3F1M */ /* Profile kns.kube-system egress */ MARK or 0x10000 | |
| Chain cali-set-endpoint-mark (3 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 cali-sm-cali299f39e782d all -- cali299f39e782d any anywhere anywhere [goto] /* cali:BOFSKT1arlaTChMJ */ | |
| 0 0 cali-sm-cali3862ba2b954 all -- cali3862ba2b954 any anywhere anywhere [goto] /* cali:NnDO8FmNq91JTVLT */ | |
| 1 60 cali-sm-cali4b00c59f252 all -- cali4b00c59f252 any anywhere anywhere [goto] /* cali:GjxhAwbAO6wts5vA */ | |
| 1 60 cali-set-endpoint-mark-5 all -- cali5+ any anywhere anywhere [goto] /* cali:q38ugJW7drHRY_7Y */ | |
| 0 0 cali-sm-calic8e3b733162 all -- calic8e3b733162 any anywhere anywhere [goto] /* cali:PxH9uyy1KBvKE5tb */ | |
| 0 0 DROP all -- cali+ any anywhere anywhere /* cali:kpfAcPbDEiOYKi96 */ /* Unknown endpoint */ | |
| 3 927 MARK all -- any any anywhere anywhere /* cali:LI8pSo_XPWygSExm */ /* Non-Cali endpoint mark */ MARK xset 0x100000/0xfff00000 | |
| Chain cali-set-endpoint-mark-5 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 cali-sm-cali557158cd734 all -- cali557158cd734 any anywhere anywhere [goto] /* cali:pmp27P2XGfYP-6dD */ | |
| 1 60 cali-sm-cali590c7f9f7ee all -- cali590c7f9f7ee any anywhere anywhere [goto] /* cali:6roykgbJvRqnmFDX */ | |
| Chain cali-sm-cali299f39e782d (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:PID4fSxyLV4-qgTS */ MARK xset 0x73400000/0xfff00000 | |
| Chain cali-sm-cali3862ba2b954 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 3 180 MARK all -- any any anywhere anywhere /* cali:FaySE6VnBbZaT2UA */ MARK xset 0x1a400000/0xfff00000 | |
| Chain cali-sm-cali4b00c59f252 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 1 60 MARK all -- any any anywhere anywhere /* cali:rhqVrKf8kXeamF_x */ MARK xset 0x40a00000/0xfff00000 | |
| Chain cali-sm-cali557158cd734 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 3 180 MARK all -- any any anywhere anywhere /* cali:jilUkdvIPYhEutVo */ MARK xset 0x3ba00000/0xfff00000 | |
| Chain cali-sm-cali590c7f9f7ee (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 1 60 MARK all -- any any anywhere anywhere /* cali:zcwx_xe5WeGO0IYU */ MARK xset 0x5d400000/0xfff00000 | |
| Chain cali-sm-calic8e3b733162 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 1 60 MARK all -- any any anywhere anywhere /* cali:El_otMJwE6PAEin5 */ MARK xset 0x2700000/0xfff00000 | |
| Chain cali-to-hep-forward (2 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain cali-to-host-endpoint (1 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain cali-to-wl-dispatch (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 cali-tw-cali299f39e782d all -- any cali299f39e782d anywhere anywhere [goto] /* cali:_e9sCp_tjm6Ks_zC */ | |
| 0 0 cali-tw-cali3862ba2b954 all -- any cali3862ba2b954 anywhere anywhere [goto] /* cali:shOyFmJCSpU2nD6w */ | |
| 0 0 cali-tw-cali4b00c59f252 all -- any cali4b00c59f252 anywhere anywhere [goto] /* cali:Sf_4KFA3olPFRDWZ */ | |
| 0 0 cali-to-wl-dispatch-5 all -- any cali5+ anywhere anywhere [goto] /* cali:VzbpX3qLvCTsP5Ut */ | |
| 0 0 cali-tw-calic8e3b733162 all -- any calic8e3b733162 anywhere anywhere [goto] /* cali:3_4jRIOea5Vl00fK */ | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:MJeF0Tr1ywA9nPu1 */ /* Unknown interface */ | |
| Chain cali-to-wl-dispatch-5 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 cali-tw-cali557158cd734 all -- any cali557158cd734 anywhere anywhere [goto] /* cali:FSY5K5hW1t3zYWl6 */ | |
| 0 0 cali-tw-cali590c7f9f7ee all -- any cali590c7f9f7ee anywhere anywhere [goto] /* cali:C4Cxg_oY2_124jbv */ | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:w927Uz4YFpYGfC94 */ /* Unknown interface */ | |
| Chain cali-tw-cali299f39e782d (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* cali:MlZBT1jcIWQg-WOP */ ctstate RELATED,ESTABLISHED | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:MCwOdNjVUVPirdeH */ ctstate INVALID | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:SeOL57QCIYl1H0FA */ MARK and 0xfffcffff | |
| 0 0 cali-pri-kns.calico-system all -- any any anywhere anywhere /* cali:ZguooveXn9k3Ezew */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:tUwtnXySqcwXeN0n */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 cali-pri-_ymJUz7yzI6NOKJhG2- all -- any any anywhere anywhere /* cali:C_esheQxiohzP7hB */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:d_V878F70rjugU4F */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:Blkr1nswMgOl4ls6 */ /* Drop if no profiles matched */ | |
| Chain cali-tw-cali3862ba2b954 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 4 832 ACCEPT all -- any any anywhere anywhere /* cali:S9Qu3IYaL6QfBTqQ */ ctstate RELATED,ESTABLISHED | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:PSyApruPbOXUy5pN */ ctstate INVALID | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:f3wdOuwhk29zvRwY */ MARK and 0xfffcffff | |
| 0 0 cali-pri-kns.kube-system all -- any any anywhere anywhere /* cali:Q0WBaqWhhEumQzJh */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:c-IGv_J0mzHUG1dg */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 cali-pri-_u2Tn2rSoAPffvE7JO6 all -- any any anywhere anywhere /* cali:zrnCGVV-PVl4O7fc */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:-Qw8iKxdbpr3tNP4 */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:8JnupwPiwJeFlLmB */ /* Drop if no profiles matched */ | |
| Chain cali-tw-cali4b00c59f252 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* cali:p7GOoWN6z5d47d_N */ ctstate RELATED,ESTABLISHED | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:I4VQOLN3QI3rsMki */ ctstate INVALID | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:06cvzxeLIpwmaRnT */ MARK and 0xfffcffff | |
| 0 0 cali-pri-kns.calico-system all -- any any anywhere anywhere /* cali:FDB2t7DCyAeOebA9 */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:ihmtjsGdNjZZ_fl3 */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 cali-pri-_nzzjLvInId1gPHmQz_ all -- any any anywhere anywhere /* cali:oKXGXMq7hZ94artF */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:ChWcwIgauNJnZKv_ */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:iNsTFn_Z0abg5X-h */ /* Drop if no profiles matched */ | |
| Chain cali-tw-cali557158cd734 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 2 416 ACCEPT all -- any any anywhere anywhere /* cali:GdfmultSGHNY9xWA */ ctstate RELATED,ESTABLISHED | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:gv-WV-8GrNk3FKl0 */ ctstate INVALID | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:Dmwoe0XU8FmPP7Wi */ MARK and 0xfffcffff | |
| 0 0 cali-pri-kns.kube-system all -- any any anywhere anywhere /* cali:WaTEQdjwHmRfLumJ */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:HCRsQ4WaA20aYo5q */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 cali-pri-_u2Tn2rSoAPffvE7JO6 all -- any any anywhere anywhere /* cali:VbOcE_mgOYSUBmSM */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:JdBYx3gM0tCrpzsn */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:hnrGjAoxzOfWRgy4 */ /* Drop if no profiles matched */ | |
| Chain cali-tw-cali590c7f9f7ee (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* cali:ZYzd4NhO9xLKTePq */ ctstate RELATED,ESTABLISHED | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:hLIKD0TX8Y4k4UE- */ ctstate INVALID | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:_msXNeEoajV9GfnK */ MARK and 0xfffcffff | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:NC1O5uA1f4NOQPWz */ /* Start of tier default */ MARK and 0xfffdffff | |
| 0 0 cali-pi-_FDiLImilezd09cpg5ci all -- any any anywhere anywhere /* cali:ko9P4yQKpCd3cWum */ mark match 0x0/0x20000 | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:zbbOfr3rgSdWpjCt */ /* Return if policy accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:wMqu4oxS7AIHHXXE */ /* Drop if no policies passed packet */ mark match 0x0/0x20000 | |
| 0 0 cali-pri-_kJqfZpgUe7r2t4A-14 all -- any any anywhere anywhere /* cali:78qJJ00-GBTij9S0 */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:HOJDzloY0-PN0-vy */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 cali-pri-_4yi5_iSUAwsU8zMHTk all -- any any anywhere anywhere /* cali:c3aEsUqKJc-cOXBu */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:fVso_3LnhDgBRjag */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:lGopEvlEr8eMqz2l */ /* Drop if no profiles matched */ | |
| Chain cali-tw-calic8e3b733162 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 ACCEPT all -- any any anywhere anywhere /* cali:O7On6neBXBwtSg11 */ ctstate RELATED,ESTABLISHED | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:wxCgP1EyodTRoctp */ ctstate INVALID | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:0RkFflYtv-Xu1FfU */ MARK and 0xfffcffff | |
| 0 0 MARK all -- any any anywhere anywhere /* cali:dTCkyXwWpOVk5n4O */ /* Start of tier default */ MARK and 0xfffdffff | |
| 0 0 cali-pi-_FDiLImilezd09cpg5ci all -- any any anywhere anywhere /* cali:SZTZsTsLWHcD_EXw */ mark match 0x0/0x20000 | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:pPF4Ch5I1Iiut0tB */ /* Return if policy accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:5dnCWHNYoh1FmWFd */ /* Drop if no policies passed packet */ mark match 0x0/0x20000 | |
| 0 0 cali-pri-_kJqfZpgUe7r2t4A-14 all -- any any anywhere anywhere /* cali:A8CGiMntiSNPkdvO */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:iXdKpvgSC9wlJSSN */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 cali-pri-_4yi5_iSUAwsU8zMHTk all -- any any anywhere anywhere /* cali:cRN6CYlBiWbMXul2 */ | |
| 0 0 RETURN all -- any any anywhere anywhere /* cali:HHHv0UXys13ILXBj */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
| 0 0 DROP all -- any any anywhere anywhere /* cali:8Bj5Fsp_kmThZ5Ot */ /* Drop if no profiles matched */ | |
| Chain cali-wl-to-host (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 58M 10G cali-from-wl-dispatch all -- any any anywhere anywhere /* cali:Ee9Sbo10IpVujdIY */ | |
| 32008 1920K ACCEPT all -- any any anywhere anywhere /* cali:nSZbcOoG1xPONxb8 */ /* Configured DefaultEndpointToHostAction */ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment