# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter { # handle 3
	# Compatibility table written by iptables-nft (see the warning above). All three base
	# chains use policy accept, so only the explicit reject/drop rules below restrict traffic.
	# NOTE(review): table inet ovn-kubernetes also hooks output at priority filter; the
	# relative order of equal-priority base chains is not fixed by the priority value alone.
	chain OUTPUT { # handle 1
		type filter hook output priority filter; policy accept;
		# Locally originated connection attempts (SYN only) to TCP 22624/22623 are rejected;
		# the same pair is rejected in FORWARD below. Presumably cluster control-plane ports
		# that neither host processes nor pods should reach - confirm with the component
		# that installs these rules.
		tcp flags syn / fin,syn,rst,ack tcp dport 22624 counter packets 0 bytes 0 reject # handle 20
		tcp flags syn / fin,syn,rst,ack tcp dport 22623 counter packets 0 bytes 0 reject # handle 19
		# Everything else is passed through KUBE-FIREWALL (loopback DNAT protection) first.
		counter packets 7189449 bytes 7130504745 jump KUBE-FIREWALL # handle 11
		# Outbound DNS (UDP 53 via ens3) is filtered by eight xt "string" payload matches.
		# The string match is an iptables extension that nft cannot render, so the actual
		# match criteria are NOT visible in this listing and the eight rules only look
		# identical here; audit them with iptables-save. All eight show zero hits.
		oifname "ens3" udp dport 53 xt match "string" counter packets 0 bytes 0 drop # handle 2
		oifname "ens3" udp dport 53 xt match "string" counter packets 0 bytes 0 drop # handle 3
		oifname "ens3" udp dport 53 xt match "string" counter packets 0 bytes 0 drop # handle 4
		oifname "ens3" udp dport 53 xt match "string" counter packets 0 bytes 0 drop # handle 5
		oifname "ens3" udp dport 53 xt match "string" counter packets 0 bytes 0 drop # handle 6
		oifname "ens3" udp dport 53 xt match "string" counter packets 0 bytes 0 drop # handle 7
		oifname "ens3" udp dport 53 xt match "string" counter packets 0 bytes 0 drop # handle 8
		oifname "ens3" udp dport 53 xt match "string" counter packets 0 bytes 0 drop # handle 9
	}

	chain KUBE-FIREWALL { # handle 10
		# Drops packets that were DNATed to a loopback destination but did not originate
		# from loopback, so traffic from outside cannot be redirected onto 127.0.0.0/8
		# services. Reached from both OUTPUT and INPUT; zero hits so far.
		ip saddr != 127.0.0.0/8 ip daddr 127.0.0.0/8  ct status dnat counter packets 0 bytes 0 drop # handle 14
	}

	chain INPUT { # handle 12
		type filter hook input priority filter; policy accept;
		# Anything arriving on the OVN management port is accepted on interface name alone
		# (no source-address check), before the KUBE-FIREWALL check is reached.
		iifname "ovn-k8s-mp0"  counter packets 1973393 bytes 1865832716 accept # handle 29
		counter packets 5557777 bytes 11217553693 jump KUBE-FIREWALL # handle 13
	}

	# Empty marker chain; presumably used by kubelet to detect that its rules were flushed.
	chain KUBE-KUBELET-CANARY { # handle 15
	}

	chain FORWARD { # handle 16
		type filter hook forward priority filter; policy accept;
		# NOTE(review): the two management-port accepts precede the 22624/22623 rejects, so
		# forwarded traffic entering or leaving via ovn-k8s-mp0 is accepted before those
		# rejects are evaluated. The accept rules carry higher handles, i.e. were added
		# after the rejects - confirm that this ordering is intended.
		iifname "ovn-k8s-mp0" counter packets 7507 bytes 773538 accept # handle 28
		oifname "ovn-k8s-mp0" counter packets 6545 bytes 19530502 accept # handle 27
		tcp flags syn / fin,syn,rst,ack tcp dport 22624 counter packets 0 bytes 0 reject # handle 18
		tcp flags syn / fin,syn,rst,ack tcp dport 22623 counter packets 0 bytes 0 reject # handle 17
	}
}
# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle { # handle 4
	# Compatibility table written by iptables-nft (see the warning above).
	# Placeholder chains, both empty; presumably created by kubelet/kube-proxy to signal the
	# iptables backend in use and to detect rule flushes.
	chain KUBE-IPTABLES-HINT { # handle 1
	}

	chain KUBE-KUBELET-CANARY { # handle 2
	}

	# Empty at dump time; OUTPUT still jumps into it, so every locally generated packet
	# traverses it (7M+ packets counted) without effect.
	chain OVN-KUBE-ITP { # handle 3
	}

	chain OUTPUT { # handle 4
		type route hook output priority mangle; policy accept;
		counter packets 7072100 bytes 7013758340 jump OVN-KUBE-ITP # handle 5
	}

	chain PREROUTING { # handle 6
		type filter hook prerouting priority mangle; policy accept;
		# Persist packet mark 0x3f0 into the conntrack entry. The same value is treated as
		# "DoNotSNAT" by the egress-services chain in table inet ovn-kubernetes.
		meta mark 0x000003f0 counter packets 0 bytes 0 ct mark set mark # handle 8
		# Unmarked packets inherit whatever mark was previously saved on their connection.
		meta mark 0x00000000 counter packets 6800917 bytes 10127002102 meta mark set ct mark # handle 7
	}
}
table ip6 mangle { # handle 5
	# IPv6 counterpart of table ip mangle; holds only the two empty placeholder chains,
	# so no IPv6 mangle rules are installed on this node.
	chain KUBE-IPTABLES-HINT { # handle 1
	}

	chain KUBE-KUBELET-CANARY { # handle 2
	}
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat { # handle 6
	# Compatibility table written by iptables-nft (see the warning above): service DNAT
	# (NodePort / External IP) to 10.217.x.x cluster endpoints, plus source masquerading.
	chain KUBE-KUBELET-CANARY { # handle 1
	}

	# Empty at dump time; still jumped to from OUTPUT.
	chain OVN-KUBE-ITP { # handle 7
	}

	chain OVN-KUBE-NODEPORT { # handle 8
		# NodePort DNAT: only packets addressed to one of this host's own addresses
		# (fib daddr type local) are rewritten, each to a single backend:port. Port 32051 is
		# mapped for both TCP and UDP (a DNS endpoint on :53). Every rule shows zero hits.
		ip protocol tcp fib daddr type local tcp dport 31304 counter packets 0 bytes 0 dnat to 10.217.5.79:15691 # handle 252
		ip protocol tcp fib daddr type local tcp dport 30814 counter packets 0 bytes 0 dnat to 10.217.5.79:15671 # handle 250
		ip protocol tcp fib daddr type local tcp dport 30957 counter packets 0 bytes 0 dnat to 10.217.5.79:5671 # handle 248
		ip protocol tcp fib daddr type local tcp dport 31728 counter packets 0 bytes 0 dnat to 10.217.5.29:15691 # handle 246
		ip protocol tcp fib daddr type local tcp dport 30351 counter packets 0 bytes 0 dnat to 10.217.5.29:15671 # handle 244
		ip protocol tcp fib daddr type local tcp dport 31824 counter packets 0 bytes 0 dnat to 10.217.5.29:5671 # handle 242
		ip protocol tcp fib daddr type local tcp dport 32051 counter packets 0 bytes 0 dnat to 10.217.5.249:53 # handle 240
		ip protocol udp fib daddr type local udp dport 32051 counter packets 0 bytes 0 dnat to 10.217.5.249:53 # handle 238
		ip protocol tcp fib daddr type local tcp dport 32278 counter packets 0 bytes 0 dnat to 10.217.4.212:8775 # handle 212
		ip protocol tcp fib daddr type local tcp dport 30410 counter packets 0 bytes 0 dnat to 10.217.5.148:8774 # handle 210
		ip protocol tcp fib daddr type local tcp dport 31917 counter packets 0 bytes 0 dnat to 10.217.4.136:9292 # handle 180
		ip protocol tcp fib daddr type local tcp dport 30497 counter packets 0 bytes 0 dnat to 10.217.5.3:9696 # handle 178
		ip protocol tcp fib daddr type local tcp dport 32249 counter packets 0 bytes 0 dnat to 10.217.4.112:8080 # handle 172
		ip protocol tcp fib daddr type local tcp dport 30799 counter packets 0 bytes 0 dnat to 10.217.5.118:8004 # handle 170
		ip protocol tcp fib daddr type local tcp dport 31338 counter packets 0 bytes 0 dnat to 10.217.5.31:8776 # handle 158
		ip protocol tcp fib daddr type local tcp dport 30226 counter packets 0 bytes 0 dnat to 10.217.4.165:5000 # handle 153
		ip protocol tcp fib daddr type local tcp dport 32419 counter packets 0 bytes 0 dnat to 10.217.4.109:8778 # handle 151
		ip protocol tcp fib daddr type local tcp dport 31593 counter packets 0 bytes 0 dnat to 10.217.4.56:9311 # handle 143
	}

	chain OVN-KUBE-EXTERNALIP { # handle 9
		# External-IP DNAT keyed on destination address and port only (no iifname or saddr
		# restriction). The only rules with traffic are UDP 53 on 192.168.122.80 (212 pkts),
		# TCP 5671 on 172.17.0.86 (6), and TCP 5000 / 8778 on 172.17.0.80 (2 / 29).
		ip daddr 172.17.0.86 tcp dport 15691 counter packets 0 bytes 0 dnat to 10.217.5.79:15691 # handle 253
		ip daddr 172.17.0.86 tcp dport 15671 counter packets 0 bytes 0 dnat to 10.217.5.79:15671 # handle 251
		ip daddr 172.17.0.86 tcp dport 5671 counter packets 6 bytes 360 dnat to 10.217.5.79:5671 # handle 249
		ip daddr 172.17.0.85 tcp dport 15691 counter packets 0 bytes 0 dnat to 10.217.5.29:15691 # handle 247
		ip daddr 172.17.0.85 tcp dport 15671 counter packets 0 bytes 0 dnat to 10.217.5.29:15671 # handle 245
		ip daddr 172.17.0.85 tcp dport 5671 counter packets 0 bytes 0 dnat to 10.217.5.29:5671 # handle 243
		ip daddr 192.168.122.80 tcp dport 53 counter packets 0 bytes 0 dnat to 10.217.5.249:53 # handle 241
		ip daddr 192.168.122.80 udp dport 53 counter packets 212 bytes 15535 dnat to 10.217.5.249:53 # handle 239
		ip daddr 172.17.0.80 tcp dport 8775 counter packets 0 bytes 0 dnat to 10.217.4.212:8775 # handle 213
		ip daddr 172.17.0.80 tcp dport 8774 counter packets 0 bytes 0 dnat to 10.217.5.148:8774 # handle 211
		ip daddr 172.17.0.80 tcp dport 9292 counter packets 0 bytes 0 dnat to 10.217.4.136:9292 # handle 181
		ip daddr 172.17.0.80 tcp dport 9696 counter packets 0 bytes 0 dnat to 10.217.5.3:9696 # handle 179
		ip daddr 172.17.0.80 tcp dport 8080 counter packets 0 bytes 0 dnat to 10.217.4.112:8080 # handle 173
		ip daddr 172.17.0.80 tcp dport 8004 counter packets 0 bytes 0 dnat to 10.217.5.118:8004 # handle 171
		ip daddr 172.17.0.80 tcp dport 8776 counter packets 0 bytes 0 dnat to 10.217.5.31:8776 # handle 159
		ip daddr 172.17.0.80 tcp dport 5000 counter packets 2 bytes 120 dnat to 10.217.4.165:5000 # handle 154
		ip daddr 172.17.0.80 tcp dport 8778 counter packets 29 bytes 1740 dnat to 10.217.4.109:8778 # handle 152
		ip daddr 172.17.0.80 tcp dport 9311 counter packets 0 bytes 0 dnat to 10.217.4.56:9311 # handle 144
	}

	# Empty at dump time; still jumped to first from PREROUTING.
	chain OVN-KUBE-ETP { # handle 10
	}

	chain OUTPUT { # handle 11
		type nat hook output priority dstnat; policy accept;
		# All three jumps carry identical counters, so no locally originated packet has been
		# DNATed by EXTERNALIP or NODEPORT (a dnat hit ends chain traversal for that packet).
		counter packets 76688 bytes 4606803 jump OVN-KUBE-EXTERNALIP # handle 17
		counter packets 76688 bytes 4606803 jump OVN-KUBE-NODEPORT # handle 15
		counter packets 76688 bytes 4606803 jump OVN-KUBE-ITP # handle 12
	}

	chain PREROUTING { # handle 13
		type nat hook prerouting priority dstnat; policy accept;
		# ETP (empty) is tried first, then EXTERNALIP, then NODEPORT. The 249-packet gap
		# between the EXTERNALIP and NODEPORT counters equals the EXTERNALIP hit total
		# (6 + 212 + 2 + 29), consistent with dnat ending traversal for matched packets.
		counter packets 7044 bytes 455065 jump OVN-KUBE-ETP # handle 18
		counter packets 7044 bytes 455065 jump OVN-KUBE-EXTERNALIP # handle 16
		counter packets 6795 bytes 437310 jump OVN-KUBE-NODEPORT # handle 14
	}

	# Empty at dump time; still jumped to first from POSTROUTING.
	chain OVN-KUBE-EGRESS-IP-MULTI-NIC { # handle 19
	}

	chain POSTROUTING { # handle 20
		type nat hook postrouting priority srcnat; policy accept;
		# NOTE(review): two further base chains hook postrouting at srcnat priority
		# (mgmtport-snat and egress-services in table inet ovn-kubernetes). Evaluation order
		# among equal-priority base chains is not fixed by the priority value alone, and only
		# the first SNAT mapping assigned to a connection takes effect - confirm the intended
		# interaction between the three.
		counter packets 77488 bytes 4657618 jump OVN-KUBE-EGRESS-IP-MULTI-NIC # handle 21
		# Masquerade sources 169.254.0.1 and 10.217.0.0/23 (the latter presumably this node's
		# pod subnet; it carries nearly all of the masqueraded traffic).
		ip saddr 169.254.0.1 counter packets 0 bytes 0 masquerade # handle 24
		ip saddr 10.217.0.0/23 counter packets 59294 bytes 3557640 masquerade # handle 25
		counter packets 13976 bytes 845172 jump OVN-KUBE-UDN-MASQUERADE # handle 26
	}

	chain OVN-KUBE-UDN-MASQUERADE { # handle 23
		# Masquerade 169.254.0.0/17 sources (chain name suggests user-defined-network
		# traffic) except the first /29 of that range and traffic destined to 10.217.4.0/23.
		# 169.254.0.1 is already masqueraded by POSTROUTING before this chain is reached, so
		# the /29 exemption only covers the remaining addresses of that block.
		ip saddr 169.254.0.0/29 counter packets 82 bytes 9012 return # handle 27
		ip daddr 10.217.4.0/23 counter packets 249 bytes 17755 return # handle 28
		ip saddr 169.254.0.0/17 counter packets 0 bytes 0 masquerade # handle 29
	}
}
table ip6 nat { # handle 7
	# IPv6 NAT table holds only the empty kubelet placeholder chain; no IPv6 NAT is configured.
	chain KUBE-KUBELET-CANARY { # handle 1
	}
}
table ip6 filter { # handle 8
	# IPv6 filter table holds only the empty kubelet placeholder chain: none of the
	# IPv4 rejects/drops from table ip filter have an IPv6 counterpart on this node.
	chain KUBE-KUBELET-CANARY { # handle 1
	}
}
# Warning: table ip raw is managed by iptables-nft, do not touch!
table ip raw { # handle 9
	# Compatibility table written by iptables-nft (see the warning above). Connection
	# tracking is disabled for UDP 6081 (the IANA-registered Geneve port, i.e. presumably
	# OVN tunnel traffic) in both directions; such packets are therefore invisible to every
	# stateful (ct) rule elsewhere in this ruleset.
	chain PREROUTING { # handle 1
		type filter hook prerouting priority raw; policy accept;
		# NOTE(review): the same rule appears six times with distinct handles; the five
		# repeats are redundant. Repeated identical inserts usually mean the installing
		# component re-adds the rule without checking for an existing one - confirm.
		# All counters are zero.
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 2
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 5
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 7
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 9
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 11
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 13
	}

	chain OUTPUT { # handle 3
		type filter hook output priority raw; policy accept;
		# Same six-fold duplication as PREROUTING; all counters are zero.
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 4
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 6
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 8
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 10
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 12
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 14
	}
}
# Warning: table ip6 raw is managed by iptables-nft, do not touch!
table ip6 raw { # handle 10
	# IPv6 counterpart of table ip raw: connection tracking is disabled for UDP 6081
	# (the IANA-registered Geneve port, presumably OVN tunnel traffic) in both directions,
	# so such packets bypass every stateful (ct) rule elsewhere in this ruleset.
	chain PREROUTING { # handle 1
		type filter hook prerouting priority raw; policy accept;
		# NOTE(review): the same rule appears six times with distinct handles; the five
		# repeats are redundant and suggest the installer re-adds the rule on each run
		# without checking for an existing one - confirm. All counters are zero.
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 2
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 5
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 7
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 9
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 11
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 13
	}

	chain OUTPUT { # handle 3
		type filter hook output priority raw; policy accept;
		# Same six-fold duplication as PREROUTING; all counters are zero.
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 4
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 6
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 8
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 10
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 12
		udp dport 6081 counter packets 0 bytes 0 notrack # handle 14
	}
}
table inet ovn-kubernetes { # handle 12
	# Native nftables rules installed by ovn-kubernetes (not via iptables-nft). None of the
	# sets or maps below list any elements, so at dump time they appear to be empty and the
	# rules that consult them are no-ops until the controller populates them.
	# NOTE(review): no rule in this table carries a `counter` statement, so unlike the
	# iptables-nft tables their hit rates cannot be read from this listing.
	set udn-open-ports-v4 { # handle 22
		type ipv4_addr . inet_proto . inet_service
		comment "default network open ports of pods in user defined networks (IPv4)"
	}

	# Declared, but no rule in this table references it (udn-isolation is IPv4 only).
	set udn-open-ports-v6 { # handle 23
		type ipv6_addr . inet_proto . inet_service
		comment "default network open ports of pods in user defined networks (IPv6)"
	}

	set udn-open-ports-icmp-v4 { # handle 24
		type ipv4_addr
		comment "default network IPs of pods in user defined networks that allow ICMP (IPv4)"
	}

	# Declared, but no rule in this table references it.
	set udn-open-ports-icmp-v6 { # handle 25
		type ipv6_addr
		comment "default network IPs of pods in user defined networks that allow ICMP (IPv6)"
	}

	set udn-pod-default-ips-v4 { # handle 26
		type ipv4_addr
		comment "default network IPs of pods in user defined networks (IPv4)"
	}

	# Declared, but no rule in this table references it.
	set udn-pod-default-ips-v6 { # handle 27
		type ipv6_addr
		comment "default network IPs of pods in user defined networks (IPv6)"
	}

	set mgmtport-no-snat-nodeports { # handle 51
		type inet_proto . inet_service
		comment "NodePorts not subject to management port SNAT"
	}

	set mgmtport-no-snat-services-v4 { # handle 52
		type ipv4_addr . inet_proto . inet_service
		comment "eTP:Local short-circuit not subject to management port SNAT (IPv4)"
	}

	# Declared, but no rule in this table references it (mgmtport-snat is IPv4 only).
	set mgmtport-no-snat-services-v6 { # handle 53
		type ipv6_addr . inet_proto . inet_service
		comment "eTP:Local short-circuit not subject to management port SNAT (IPv6)"
	}

	# Verdict maps consulted by udn-service-mark: the chain's behaviour is entirely
	# data-driven by their contents.
	map udn-mark-nodeports { # handle 109
		type inet_proto . inet_service : verdict
		comment "UDN services NodePorts mark"
	}

	map udn-mark-external-ips-v4 { # handle 110
		type ipv4_addr . inet_proto . inet_service : verdict
		comment "UDN services External IPs mark (IPv4)"
	}

	map udn-mark-external-ips-v6 { # handle 111
		type ipv6_addr . inet_proto . inet_service : verdict
		comment "UDN services External IPs mark (IPv6)"
	}

	# Original source -> SNAT source, used by egress-services. No comment, unlike the
	# other sets and maps here.
	map egress-service-snat-v4 { # handle 117
		type ipv4_addr : ipv4_addr
	}

	chain udn-isolation { # handle 21
		comment "Host isolation for user defined networks"
		type filter hook output priority filter; policy accept;
		# Host -> UDN-pod traffic on the default network is allowed only for explicitly
		# opened (ip, proto, port) tuples, for ICMP to IPs in the icmp set, and for sockets
		# owned by processes in the kubelet.service cgroup (cgroup v2 path at level 2).
		# Everything else addressed to a UDN pod default-network IP is dropped; traffic to
		# any other destination falls through to policy accept.
		# NOTE(review): IPv4 only - there are no ip6 daddr rules although the -v6 sets are
		# declared. If this node is dual-stack, IPv6 addresses of UDN pods are not isolated.
		ip daddr . meta l4proto . th dport @udn-open-ports-v4 accept # handle 199
		ip daddr @udn-open-ports-icmp-v4 meta l4proto icmp accept # handle 200
		socket cgroupv2 level 2 "system.slice/kubelet.service" ip daddr @udn-pod-default-ips-v4 accept # handle 201
		ip daddr @udn-pod-default-ips-v4 drop # handle 202
	}

	chain mgmtport-snat { # handle 50
		comment "OVN SNAT to Management Port"
		type nat hook postrouting priority srcnat; policy accept;
		# Traffic leaving via the management port is SNATed to 10.217.0.2 unless it targets
		# a listed NodePort, is already sourced from 10.217.0.2, or targets a listed
		# eTP:Local service. IPv4 only: mgmtport-no-snat-services-v6 is never consulted.
		# NOTE(review): one of three base chains on postrouting at srcnat priority (with
		# egress-services below and POSTROUTING in table ip nat). Evaluation order among
		# equal-priority base chains is not fixed by the priority value alone, and only the
		# first SNAT mapping assigned to a connection takes effect - confirm the intended
		# interaction.
		oifname != "ovn-k8s-mp0" return # handle 830
		meta l4proto . th dport @mgmtport-no-snat-nodeports return # handle 831
		ip saddr 10.217.0.2 return # handle 832
		ip daddr . meta l4proto . th dport @mgmtport-no-snat-services-v4 return # handle 833
		snat ip to 10.217.0.2 # handle 834
	}

	chain udn-service-mark { # handle 104
		comment "UDN services packet mark"
		# Regular (non-base) chain entered from udn-service-prerouting and udn-service-output.
		# Each packet's verdict is looked up in the maps (vmap); with the maps empty nothing
		# is marked. Covers NodePorts (local destinations) and both IPv4 and IPv6 external IPs.
		fib daddr type local meta l4proto . th dport vmap @udn-mark-nodeports # handle 210
		ip daddr . meta l4proto . th dport vmap @udn-mark-external-ips-v4 # handle 211
		ip6 daddr . meta l4proto . th dport vmap @udn-mark-external-ips-v6 # handle 212
	}

	chain udn-service-prerouting { # handle 105
		comment "UDN services packet mark - Prerouting"
		type filter hook prerouting priority mangle; policy accept;
		# Packets arriving on the management port are excluded from marking.
		iifname != "ovn-k8s-mp0" jump udn-service-mark # handle 208
	}

	chain udn-service-output { # handle 107
		comment "UDN services packet mark - Output"
		type filter hook output priority mangle; policy accept;
		# Every locally generated packet is passed through udn-service-mark.
		jump udn-service-mark # handle 209
	}

	chain egress-services { # handle 115
		# No chain comment, unlike the other chains in this table.
		type nat hook postrouting priority srcnat; policy accept;
		# Mark 0x3f0 is the value that table ip mangle PREROUTING saves into and restores
		# from conntrack; connections carrying it are exempted from egress-service SNAT.
		meta mark 0x000003f0 return comment "DoNotSNAT" # handle 213
		# Rewrite the source to the address mapped from the original source; packets whose
		# source has no entry in the map do not match this rule and are left unchanged.
		snat ip to ip saddr map @egress-service-snat-v4 # handle 214
	}
}
