# IPv4 NAT table, taken from a ruleset listing that includes rule handles and live counters.
# NOTE(review): the NETAVARK-* chain names suggest rules managed by a container network
# backend; that is inferred from the names only — confirm which component owns them.
table ip nat { # handle 1
	# Entered from POSTROUTING only for packets whose source is in 10.88.0.0/16.
	chain NETAVARK-1D8721804F16F { # handle 1
		# Traffic that stays inside 10.88.0.0/16 is accepted here, so the masquerade rule below never sees it.
		ip daddr 10.88.0.0/16 counter packets 3621 bytes 259493 accept # handle 4
		# Any other destination except multicast (224.0.0.0/4) is masqueraded on the way out.
		ip daddr != 224.0.0.0/4 counter packets 494 bytes 43493 masquerade  # handle 5
	}

	# Source-NAT hook. Every packet visits NETAVARK-HOSTPORT-MASQ first; packets sourced from
	# 10.88.0.0/16 then go on to the per-network chain above.
	chain POSTROUTING { # handle 6
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 45621 bytes 2797585 jump NETAVARK-HOSTPORT-MASQ # handle 13
		ip saddr 10.88.0.0/16 counter packets 4116 bytes 303026 jump NETAVARK-1D8721804F16F # handle 7
	}

	# Sets bit 0x2000 in the packet mark. No rule in this table jumps here, and the counter is zero.
	chain NETAVARK-HOSTPORT-SETMARK { # handle 8
		counter packets 0 bytes 0 meta mark set mark or 0x2000  # handle 11
	}

	# Masquerades packets that carry mark bit 0x2000; zero hits, consistent with nothing setting that bit.
	chain NETAVARK-HOSTPORT-MASQ { # handle 9
		 meta mark & 0x00002000 == 0x00002000 counter packets 0 bytes 0 masquerade  # handle 12
	}

	# Empty: this listing contains no destination-NAT (port forwarding) rules.
	chain NETAVARK-HOSTPORT-DNAT { # handle 10
	}

	# Only packets addressed to one of the host's own addresses (fib daddr type local) are
	# handed to the DNAT chain, which is currently empty.
	chain PREROUTING { # handle 14
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter packets 2308 bytes 137826 jump NETAVARK-HOSTPORT-DNAT # handle 15
	}

	# Same selection as PREROUTING, applied to locally generated packets.
	chain OUTPUT { # handle 16
		type nat hook output priority -100; policy accept;
		fib daddr type local counter packets 39236 bytes 2353474 jump NETAVARK-HOSTPORT-DNAT # handle 17
	}

	# Base chain with no rules.
	chain INPUT { # handle 18
		type nat hook input priority 100; policy accept;
	}
}
# IPv4 filter table. All three base chains have policy accept, so nothing is dropped here;
# a packet is still subject to every other base chain registered on the same hook.
table ip filter { # handle 2
	# Accepts replies going to 10.88.0.0/16 and any packet coming from it.
	# NOTE(review): because FORWARD below has policy accept, packets that match neither rule
	# (for example new connections from other networks toward 10.88.0.0/16) are accepted too.
	# The FORWARD chains in table inet filter and table ip6 filter are also policy accept with
	# no rules, so this listing shows no restriction on forwarded traffic — confirm that is intended.
	chain NETAVARK_FORWARD { # handle 1
		ip daddr 10.88.0.0/16 ct state related,established counter packets 501 bytes 173729 accept # handle 4
		ip saddr 10.88.0.0/16 counter packets 506 bytes 44234 accept # handle 5
	}

	# Sends every forwarded IPv4 packet through NETAVARK_FORWARD, then falls back to policy accept.
	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy accept;
		 counter packets 1007 bytes 217963 jump NETAVARK_FORWARD # handle 3
	}

	# No rules, policy accept. This does not open the host: the input hook is also served by
	# INPUT in table inet filter, whose policy is drop, and a drop in any base chain is final.
	chain INPUT { # handle 6
		type filter hook input priority filter; policy accept;
	}

	# No rules, policy accept.
	chain OUTPUT { # handle 7
		type filter hook output priority filter; policy accept;
	}
}
table inet filter { # handle 3
	# Host inbound filter for IPv4 and IPv6 (inet family), default drop. A packet is accepted
	# only if a rule in EDPM_INPUT, TRIPLEO_INPUT or the two trailing rules accepts it.
	chain INPUT { # handle 1
		type filter hook input priority filter; policy drop;
		# Four identical jumps (handles 913, 880, 855, 836): a packet that EDPM_INPUT does not
		# accept walks that chain four times before reaching TRIPLEO_INPUT.
		# NOTE(review): looks like the jump was re-added without removing earlier copies —
		# confirm and keep a single jump.
		jump EDPM_INPUT # handle 913
		jump EDPM_INPUT # handle 880
		jump EDPM_INPUT # handle 855
		jump EDPM_INPUT # handle 836
		jump TRIPLEO_INPUT # handle 808
		# These two rules run after TRIPLEO_INPUT has returned. TRIPLEO_INPUT ends with a
		# rate-limited log rule using prefix "DROPPING: ", so packets accepted here may already
		# have been logged under that prefix even though they are not dropped.
		ip saddr 172.17.1.0/24 tcp dport 6641 ct state new counter packets 0 bytes 0 accept # handle 810
		ip saddr 172.17.1.0/24 tcp dport 6642 ct state new counter packets 0 bytes 0 accept # handle 811
	}

	# No rules and policy accept: this table does not filter forwarded (routed) traffic.
	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy accept;
	}

	# Outbound traffic is not restricted: policy is accept, and TRIPLEO_OUTPUT contains only
	# accept rules, so every locally generated packet passes this chain either way.
	chain OUTPUT { # handle 3
		type filter hook output priority filter; policy accept;
		jump TRIPLEO_OUTPUT # handle 809
	}

	# Inbound allow-list, called from INPUT after EDPM_INPUT. Most rules match on destination
	# port only: they carry no source address or interface condition, so the port is accepted
	# from any peer that can reach the host. Only handles 716, 768, 769, 782, 784 and 788 are
	# limited to a source subnet.
	# NOTE(review): database, message-bus, cache and cluster ports below are accepted from any
	# source by this chain — confirm that exposure is bounded elsewhere (listener bind address,
	# upstream filtering) or add source restrictions.
	chain TRIPLEO_INPUT { # handle 709
		# Baseline: return traffic, ICMP/ICMPv6 and loopback.
		ct state established,related counter packets 2861546 bytes 16211121601 accept comment "000 accept related established rules" # handle 711
		meta l4proto icmp ct state new counter packets 11 bytes 388 accept comment "001 accept all icmp" # handle 712
		meta l4proto ipv6-icmp counter packets 37 bytes 2664 accept comment "001 accept all ipv6-icmp" # handle 713
		iifname "lo" counter packets 40144 bytes 2440684 accept comment "002 accept all to lo interface" # handle 714
		# SSH is accepted from any source by handle 715; every packet that would match the
		# subnet-scoped rule in handle 716 is already accepted there, so 716 has no effect.
		tcp dport 22 ct state new counter packets 271 bytes 16072 accept comment "003 accept ssh from all" # handle 715
		ip saddr 192.168.122.0/24 tcp dport 22 ct state new counter packets 0 bytes 0 accept comment "003 accept ssh from ctlplane subnet 192.168.122.0/24" # handle 716
		ip6 daddr fe80::/64 udp dport 546 ct state new counter packets 0 bytes 0 accept comment "004 accept ipv6 dhcpv6" # handle 717
		# "100 ..." rules: front-end ports, named after haproxy frontends in the rule comments.
		# None is limited by source address.
		tcp dport 8042 ct state new counter packets 0 bytes 0 accept comment "100 aodh_haproxy_frontend" # handle 718
		tcp dport 13042 ct state new counter packets 0 bytes 0 accept comment "100 aodh_haproxy_frontend_ssl" # handle 719
		tcp dport 8776 ct state new counter packets 0 bytes 0 accept comment "100 cinder_haproxy_frontend" # handle 720
		tcp dport 13776 ct state new counter packets 0 bytes 0 accept comment "100 cinder_haproxy_frontend_ssl" # handle 721
		tcp dport 8787 ct state new counter packets 0 bytes 0 accept comment "100 docker_registry_haproxy_frontend" # handle 722
		tcp dport 13787 ct state new counter packets 0 bytes 0 accept comment "100 docker_registry_haproxy_frontend_ssl" # handle 723
		tcp dport 9292 ct state new counter packets 0 bytes 0 accept comment "100 glance_api_haproxy_frontend" # handle 724
		tcp dport 13292 ct state new counter packets 0 bytes 0 accept comment "100 glance_api_haproxy_frontend_ssl" # handle 725
		tcp dport 9293 ct state new counter packets 0 bytes 0 accept comment "100 glance_api_internal_haproxy_frontend" # handle 726
		tcp dport 8041 ct state new counter packets 0 bytes 0 accept comment "100 gnocchi_haproxy_frontend" # handle 727
		tcp dport 13041 ct state new counter packets 0 bytes 0 accept comment "100 gnocchi_haproxy_frontend_ssl" # handle 728
		tcp dport 8000 ct state new counter packets 0 bytes 0 accept comment "100 heat_api_cfn_haproxy_frontend" # handle 729
		tcp dport 13005 ct state new counter packets 0 bytes 0 accept comment "100 heat_api_cfn_haproxy_frontend_ssl" # handle 730
		tcp dport 8004 ct state new counter packets 0 bytes 0 accept comment "100 heat_api_haproxy_frontend" # handle 731
		tcp dport 13004 ct state new counter packets 0 bytes 0 accept comment "100 heat_api_haproxy_frontend_ssl" # handle 732
		tcp dport 80 ct state new counter packets 0 bytes 0 accept comment "100 horizon_haproxy_frontend" # handle 733
		tcp dport 443 ct state new counter packets 0 bytes 0 accept comment "100 horizon_haproxy_frontend_ssl" # handle 734
		tcp dport 35357 ct state new counter packets 0 bytes 0 accept comment "100 keystone_admin_haproxy_frontend" # handle 735
		tcp dport 5000 ct state new counter packets 0 bytes 0 accept comment "100 keystone_public_haproxy_frontend" # handle 736
		tcp dport 13000 ct state new counter packets 0 bytes 0 accept comment "100 keystone_public_haproxy_frontend_ssl" # handle 737
		tcp dport 8786 ct state new counter packets 0 bytes 0 accept comment "100 manila_haproxy_frontend" # handle 738
		tcp dport 13786 ct state new counter packets 0 bytes 0 accept comment "100 manila_haproxy_frontend_ssl" # handle 739
		# TCP 3306 is accepted from any source, and the counter shows new connections arriving.
		tcp dport 3306 ct state new counter packets 22 bytes 1320 accept comment "100 mysql_haproxy" # handle 740
		tcp dport 9696 ct state new counter packets 0 bytes 0 accept comment "100 neutron_haproxy_frontend" # handle 741
		tcp dport 13696 ct state new counter packets 0 bytes 0 accept comment "100 neutron_haproxy_frontend_ssl" # handle 742
		tcp dport 8775 ct state new counter packets 0 bytes 0 accept comment "100 nova_metadatahaproxy_frontend" # handle 743
		tcp dport 13775 ct state new counter packets 0 bytes 0 accept comment "100 nova_metadatahaproxy_frontend_ssl" # handle 744
		tcp dport 8774 ct state new counter packets 0 bytes 0 accept comment "100 nova_osapi_haproxy_frontend" # handle 745
		tcp dport 13774 ct state new counter packets 0 bytes 0 accept comment "100 nova_osapi_haproxy_frontend_ssl" # handle 746
		tcp dport 6080 ct state new counter packets 0 bytes 0 accept comment "100 nova_vncproxy_haproxy_frontend" # handle 747
		tcp dport 13080 ct state new counter packets 0 bytes 0 accept comment "100 nova_vncproxy_haproxy_frontend_ssl" # handle 748
		tcp dport 9876 ct state new counter packets 0 bytes 0 accept comment "100 octavia_haproxy_frontend" # handle 749
		tcp dport 13876 ct state new counter packets 0 bytes 0 accept comment "100 octavia_haproxy_frontend_ssl" # handle 750
		tcp dport 8778 ct state new counter packets 0 bytes 0 accept comment "100 placement_haproxy_frontend" # handle 751
		tcp dport 13778 ct state new counter packets 0 bytes 0 accept comment "100 placement_haproxy_frontend_ssl" # handle 752
		tcp dport 8080 ct state new counter packets 0 bytes 0 accept comment "100 swift_proxy_server_haproxy_frontend" # handle 753
		tcp dport 13808 ct state new counter packets 0 bytes 0 accept comment "100 swift_proxy_server_haproxy_frontend_ssl" # handle 754
		# Per-service rules. Many ports repeat ones already accepted above (for example 3306,
		# 5000, 35357, 9292, 8774, 9696), so the later rule never sees those packets.
		# Database replication, Redis, RabbitMQ and haproxy stats are accepted from any source.
		tcp dport { 873, 3123, 3306, 4444, 4567, 4568, 9200 } ct state new counter packets 0 bytes 0 accept comment "104 mysql galera-bundle" # handle 756
		udp dport 123 ct state new counter packets 0 bytes 0 accept comment "105 ntp" # handle 757
		tcp dport 1993 ct state new counter packets 0 bytes 0 accept comment "107 haproxy stats" # handle 758
		tcp dport { 3124, 6379, 26379 } ct state new counter packets 0 bytes 0 accept comment "108 redis-bundle" # handle 760
		tcp dport { 3122, 4369, 5672, 25672-25683 } ct state new counter packets 0 bytes 0 accept comment "109 rabbitmq-bundle" # handle 762
		tcp dport { 5000, 35357 } ct state new counter packets 0 bytes 0 accept comment "111 keystone" # handle 764
		tcp dport 9292 ct state new counter packets 0 bytes 0 accept comment "112 glance_api" # handle 765
		tcp dport 9293 ct state new counter packets 0 bytes 0 accept comment "112 glance_api_internal" # handle 766
		tcp dport 8774 ct state new counter packets 0 bytes 0 accept comment "113 nova_api" # handle 767
		# Handles 768 and 769 have the same match (172.17.0.0/24, TCP 2022); only the comment differs.
		ip saddr 172.17.0.0/24 tcp dport 2022 ct state new counter packets 0 bytes 0 accept comment "113 nova_migration_target accept api subnet 172.17.0.0/24" # handle 768
		ip saddr 172.17.0.0/24 tcp dport 2022 ct state new counter packets 0 bytes 0 accept comment "113 nova_migration_target accept libvirt subnet 172.17.0.0/24" # handle 769
		tcp dport 9696 ct state new counter packets 0 bytes 0 accept comment "114 neutron api" # handle 770
		udp dport 67 ct state new counter packets 0 bytes 0 accept comment "115 neutron dhcp input" # handle 771
		udp dport 547 ct state new counter packets 0 bytes 0 accept comment "115 neutron dhcpv6 input" # handle 772
		# Overlay tunnel ports: handles 776 and 778 have no ct state condition, so every UDP
		# packet to 4789 or 6081 is accepted regardless of connection state or source.
		udp dport 4789 counter packets 0 bytes 0 accept comment "118 neutron vxlan networks" # handle 776
		tcp dport 8776 ct state new counter packets 0 bytes 0 accept comment "119 cinder" # handle 777
		udp dport 6081 counter packets 38 bytes 3876 accept comment "119 neutron geneve networks" # handle 778
		tcp dport 3260 ct state new counter packets 0 bytes 0 accept comment "120 iscsi initiator" # handle 779
		tcp dport 9876 ct state new counter packets 0 bytes 0 accept comment "120 octavia api" # handle 780
		# Source-restricted examples: memcached and the OVN DB ports are limited to 172.17.0.0/24.
		ip saddr 172.17.0.0/24 tcp dport { 11211, 11212 } ct state new counter packets 0 bytes 0 accept comment "121 memcached 172.17.0.0/24" # handle 782
		ip saddr 172.17.0.0/24 tcp dport { 6641, 6642, 6643, 6644 } ct state new counter packets 0 bytes 0 accept comment "121 OVN DB server and cluster ports for 172.17.0.0/24" # handle 784
		tcp dport 8080 ct state new counter packets 0 bytes 0 accept comment "122 swift proxy" # handle 785
		tcp dport { 873, 6000, 6001, 6002 } ct state new counter packets 52 bytes 3120 accept comment "123 swift storage" # handle 787
		ip saddr 192.168.122.0/24 udp dport 161 ct state new counter packets 0 bytes 0 accept comment "124 snmp 192.168.122.0/24" # handle 788
		tcp dport 8004 ct state new counter packets 0 bytes 0 accept comment "125 heat_api" # handle 789
		tcp dport 8000 ct state new counter packets 0 bytes 0 accept comment "125 heat_cfn" # handle 790
		tcp dport 443 ct state new counter packets 0 bytes 0 accept comment "126 horizon" # handle 791
		tcp dport 8042 ct state new counter packets 0 bytes 0 accept comment "128 aodh-api" # handle 792
		tcp dport 8041 ct state new counter packets 0 bytes 0 accept comment "129 gnocchi-api" # handle 793
		# Cluster-manager ports, accepted from any source.
		tcp dport { 2224, 3121, 21064 } ct state new counter packets 0 bytes 0 accept comment "130 pacemaker tcp" # handle 795
		udp dport 5405 ct state new counter packets 0 bytes 0 accept comment "131 pacemaker udp" # handle 796
		tcp dport 6080 ct state new counter packets 0 bytes 0 accept comment "137 nova_vnc_proxy" # handle 797
		tcp dport 8778 ct state new counter packets 0 bytes 0 accept comment "138 placement" # handle 798
		tcp dport 8775 ct state new counter packets 0 bytes 0 accept comment "139 nova_metadata" # handle 799
		udp dport 8125 ct state new counter packets 0 bytes 0 accept comment "140 gnocchi-statsd" # handle 800
		tcp dport 8786 ct state new counter packets 0 bytes 0 accept comment "150 manila" # handle 801
		tcp dport 8787 ct state new counter packets 0 bytes 0 accept comment "155 docker-registry" # handle 802
		# Wide ranges (5900-6923, 61152-61215) plus 16514, accepted from any source.
		tcp dport { 5900-6923, 16514, 61152-61215 } ct state new counter packets 2 bytes 120 accept comment "200 nova_libvirt" # handle 804
		udp dport 5555 ct state new counter packets 0 bytes 0 accept comment "200 octavia health manager interface" # handle 805
		udp dport 514 ct state new counter packets 0 bytes 0 accept comment "210 octavia lb-mgmt-net offload rsyslog" # handle 806
		# Log-only rule with no verdict: unmatched packets are logged with prefix "DROPPING: "
		# at no more than 20 per minute (burst 15), so the log is a sample rather than a full
		# record. Evaluation then returns to INPUT, where the drop actually happens (two more
		# accept rules, then policy drop).
		limit rate 20/minute burst 15 packets counter packets 1028 bytes 61640 log prefix "DROPPING: " flags all comment "999 log all" # handle 807
	}

	# Explicit accepts for outbound DHCP/DHCPv6 (UDP 68, 546, 547). The only caller in this
	# table is OUTPUT, whose policy is accept, so these rules do not change the verdict; they
	# only provide per-rule counters.
	chain TRIPLEO_OUTPUT { # handle 710
		udp dport 68 ct state new counter packets 0 bytes 0 accept comment "116 neutron dhcp output" # handle 773
		udp dport 546 ct state new counter packets 0 bytes 0 accept comment "116 neutron dhcpv6 output" # handle 774
		udp dport 547 ct state new counter packets 0 bytes 0 accept comment "116 neutron dhcpv6 relay output" # handle 775
	}

	# Inbound allow-list evaluated first from INPUT (before TRIPLEO_INPUT). No rule here
	# restricts the source to a management subnet.
	chain EDPM_INPUT { # handle 829
		# Metrics exporter ports (9101, 9100, 9882 and, further down, 9105) are accepted from any source.
		# NOTE(review): confirm these endpoints are meant to be reachable beyond the monitoring network.
		tcp dport 9101 ct state new counter packets 53 bytes 3180 accept comment "000 Allow ceilometer_compute_prom_exporter traffic" # handle 898
		tcp dport 9100 ct state new counter packets 1 bytes 60 accept comment "000 Allow node_exporter traffic" # handle 899
		tcp dport 9882 ct state new counter packets 46 bytes 2760 accept comment "000 Allow podman_exporter traffic" # handle 900
		ct state established,related counter packets 54376 bytes 50353386 accept comment "000 accept related established rules" # handle 901
		tcp dport 9105 ct state new counter packets 1 bytes 60 accept comment "001 Allow openstack_network_exporter traffic" # handle 902
		meta l4proto icmp ct state new counter packets 2 bytes 70 accept comment "001 accept all icmp" # handle 903
		meta l4proto ipv6-icmp counter packets 3 bytes 216 accept comment "001 accept all ipv6-icmp" # handle 904
		iifname "lo" counter packets 473 bytes 28380 accept comment "002 accept all to lo interface" # handle 905
		# `ip saddr` is an IPv4 match, so this rule covers IPv4 only; 0.0.0.0/0 places no limit
		# on the IPv4 source address.
		ip saddr 0.0.0.0/0 tcp dport 22 ct state new counter packets 60 bytes 3592 accept comment "003 Allow ssh from 0.0.0.0/0" # handle 906
		ip6 daddr fe80::/64 udp dport 546 ct state new counter packets 0 bytes 0 accept comment "004 accept ipv6 dhcpv6" # handle 907
		# Console (5900-6923), live-migration (61152-61215) and libvirt TLS (16514) ports are
		# accepted from any source; the 5900-6923 counter shows new connections arriving.
		# NOTE(review): confirm these should not be limited to the relevant internal networks.
		tcp dport 5900-6923 ct state new counter packets 30 bytes 1800 accept comment "005 Allow vnc access on all networks." # handle 908
		tcp dport 61152-61215 ct state new counter packets 0 bytes 0 accept comment "006 Allow libvirt live migration traffic" # handle 909
		tcp dport 16514 ct state new counter packets 0 bytes 0 accept comment "007 Allow libvirt tls" # handle 910
		udp dport 4789 ct state new counter packets 0 bytes 0 accept comment "118 neutron vxlan networks" # handle 911
		# Matches only untracked packets; table inet raw marks UDP 6081 as notrack, which is
		# what puts packets into that state.
		udp dport 6081 ct state untracked counter packets 0 bytes 0 accept comment "119 neutron geneve networks" # handle 912
	}
}
# Raw-priority table whose only action is `notrack` for UDP destination port 6081, so those
# packets bypass connection tracking. Filter rules that require ct state new or
# established will not match such packets; they have to be accepted by a rule with no ct
# condition or one matching ct state untracked.
table inet raw { # handle 4
	# Three identical jumps to EDPM_PREROUTING (handles 80, 70, 60) before TRIPLEO_PREROUTING.
	# NOTE(review): looks like the jump was re-added without removing earlier copies — confirm and dedupe.
	chain PREROUTING { # handle 1
		type filter hook prerouting priority raw; policy accept;
		jump EDPM_PREROUTING # handle 80
		jump EDPM_PREROUTING # handle 70
		jump EDPM_PREROUTING # handle 60
		jump TRIPLEO_PREROUTING # handle 46
	}

	# Same pattern for locally generated packets: three identical jumps to EDPM_OUTPUT.
	chain OUTPUT { # handle 2
		type filter hook output priority raw; policy accept;
		jump EDPM_OUTPUT # handle 79
		jump EDPM_OUTPUT # handle 69
		jump EDPM_OUTPUT # handle 59
		jump TRIPLEO_OUTPUT # handle 45
	}

	# NOTE(review): this rule and the one in TRIPLEO_PREROUTING test `ct state invalid` at raw
	# priority, presumably before connection tracking has classified the packet; the non-zero
	# counter on handle 44 shows the match does fire. The EDPM_* rules below carry no ct
	# condition — confirm which form is intended.
	chain TRIPLEO_OUTPUT { # handle 41
		udp dport 6081 ct state invalid counter packets 0 bytes 0 notrack comment "120 neutron geneve networks no conntrack" # handle 43
	}

	chain TRIPLEO_PREROUTING { # handle 42
		udp dport 6081 ct state invalid counter packets 38 bytes 3876 notrack comment "121 neutron geneve networks no conntrack" # handle 44
	}

	# Unconditional notrack for outbound UDP 6081.
	chain EDPM_OUTPUT { # handle 55
		udp dport 6081 counter packets 0 bytes 0 notrack comment "120 neutron geneve networks no conntrack" # handle 77
	}

	# Unconditional notrack for inbound UDP 6081.
	chain EDPM_PREROUTING { # handle 56
		udp dport 6081 counter packets 0 bytes 0 notrack comment "121 neutron geneve networks no conntrack" # handle 78
	}
}
# Dual-stack NAT table with four base chains and no rules: it performs no address translation.
table inet nat { # handle 5
	chain PREROUTING { # handle 1
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain INPUT { # handle 2
		type nat hook input priority 100; policy accept;
	}

	chain OUTPUT { # handle 3
		type nat hook output priority -100; policy accept;
	}

	chain POSTROUTING { # handle 4
		type nat hook postrouting priority srcnat; policy accept;
	}
}
# IPv4 raw table with empty base chains; it has no effect on traffic in this listing.
table ip raw { # handle 6
	chain PREROUTING { # handle 1
		type filter hook prerouting priority raw; policy accept;
	}

	chain OUTPUT { # handle 2
		type filter hook output priority raw; policy accept;
	}
}
# IPv6 raw table with empty base chains; it has no effect on traffic in this listing.
table ip6 raw { # handle 7
	chain PREROUTING { # handle 1
		type filter hook prerouting priority raw; policy accept;
	}

	chain OUTPUT { # handle 2
		type filter hook output priority raw; policy accept;
	}
}
# IPv6 filter table with empty, policy-accept base chains. Inbound IPv6 is still filtered:
# INPUT in table inet filter covers both address families and has policy drop. Forwarded
# IPv6 traffic has no restricting rule anywhere in this listing.
table ip6 filter { # handle 8
	chain INPUT { # handle 1
		type filter hook input priority filter; policy accept;
	}

	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy accept;
	}

	chain OUTPUT { # handle 3
		type filter hook output priority filter; policy accept;
	}
}
