# Host firewall for IPv4 and IPv6 (inet family), listed with rule handles and live counters.
# Only INPUT is default-drop; FORWARD and OUTPUT accept everything.
# INPUT jumps to both EDPM_INPUT and TRIPLEO_INPUT, so the effective allow-list is the
# union of the two chains: a source restriction present in only one of them has no effect.
table inet filter { # handle 4
	chain INPUT { # handle 1
		type filter hook input priority filter; policy drop;
		# NOTE(review): the jump to EDPM_INPUT is present four times (handles 379, 348, 325, 306).
		# An accept inside the chain ends evaluation on the first pass, so the extra jumps only
		# re-walk the chain for unmatched packets. Looks like the jump was appended on repeated
		# deployment runs instead of being replaced; confirm and deduplicate.
		jump EDPM_INPUT # handle 379
		jump EDPM_INPUT # handle 348
		jump EDPM_INPUT # handle 325
		jump EDPM_INPUT # handle 306
		jump TRIPLEO_INPUT # handle 279
		# Reached only by packets that fell through TRIPLEO_INPUT, whose last rule logs but gives
		# no verdict. These two rules carry no comment; presumably the OVN database ports.
		# TODO confirm. They are the only service rules here scoped to 172.17.1.0/24.
		ip saddr 172.17.1.0/24 tcp dport 6641 ct state new counter packets 0 bytes 0 accept # handle 280
		ip saddr 172.17.1.0/24 tcp dport 6642 ct state new counter packets 0 bytes 0 accept # handle 281
		# Anything not accepted above is dropped by the chain policy.
	}

	# NOTE(review): no forward filtering in this table. If the host forwards packets,
	# confirm that forwarding is restricted somewhere else.
	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy accept;
	}

	# Egress is unfiltered.
	chain OUTPUT { # handle 3
		type filter hook output priority filter; policy accept;
	}

	# Allow-list named after TripleO. Most service rules below have no "ip saddr" or "iifname"
	# match, so the port is reachable from any source on any interface.
	# NOTE(review): confirm that database, message-bus, cluster-manager and VNC/libvirt ports
	# are meant to be open this widely rather than scoped to the internal networks.
	chain TRIPLEO_INPUT { # handle 246
		ct state established,related counter packets 336314 bytes 2314512948 accept comment "000 accept related established rules" # handle 247
		meta l4proto icmp ct state new counter packets 6 bytes 248 accept comment "001 accept all icmp" # handle 248
		meta l4proto ipv6-icmp counter packets 55 bytes 3960 accept comment "001 accept all ipv6-icmp" # handle 249
		iifname "lo" counter packets 9805 bytes 588300 accept comment "002 accept all to lo interface" # handle 250
		# SSH is accepted from every source (IPv4 and IPv6). The ctlplane-scoped rule that follows
		# (handle 252) can never match because this broader rule accepts first; its counter is 0.
		tcp dport 22 ct state new counter packets 293 bytes 17520 accept comment "003 accept ssh from all" # handle 251
		ip saddr 192.168.122.0/24 tcp dport 22 ct state new counter packets 0 bytes 0 accept comment "003 accept ssh from ctlplane subnet 192.168.122.0/24" # handle 252
		ip6 daddr fe80::/64 udp dport 546 ct state new counter packets 0 bytes 0 accept comment "004 accept ipv6 dhcpv6" # handle 253
		# Port 3306 is accepted from any source; the counter shows new connections have arrived.
		tcp dport 3306 ct state new counter packets 26 bytes 1560 accept comment "100 mysql_haproxy" # handle 254
		tcp dport 8775 ct state new counter packets 0 bytes 0 accept comment "100 nova_metadatahaproxy_frontend" # handle 255
		tcp dport 6080 ct state new counter packets 0 bytes 0 accept comment "100 nova_vncproxy_haproxy_frontend" # handle 256
		# 3306 is listed again in this set; handle 254 already accepts it.
		tcp dport { 873, 3123, 3306, 4444, 4567, 4568, 9200 } ct state new counter packets 0 bytes 0 accept comment "104 mysql galera-bundle" # handle 258
		udp dport 123 ct state new counter packets 0 bytes 0 accept comment "105 ntp" # handle 259
		tcp dport 1993 ct state new counter packets 0 bytes 0 accept comment "107 haproxy stats" # handle 260
		# NOTE(review): the comment names the ctlplane subnet, but the rule has no "ip saddr" match,
		# so the restriction the comment describes is not enforced.
		tcp dport { 5667, 5668 } ct state new counter packets 0 bytes 0 accept comment "109 accept internal metrics qdr ctlplane subnet 192.168.122.0/24" # handle 262
		tcp dport 5666 ct state new counter packets 0 bytes 0 accept comment "109 metrics qdr" # handle 263
		tcp dport { 3122, 4369, 5672, 25672-25683 } ct state new counter packets 0 bytes 0 accept comment "109 rabbitmq-bundle" # handle 265
		# Handles 266 and 267 have the same match and differ only in the comment; the second
		# never matches. These two are source-scoped to 172.17.0.0/24.
		ip saddr 172.17.0.0/24 tcp dport 2022 ct state new counter packets 0 bytes 0 accept comment "113 nova_migration_target accept api subnet 172.17.0.0/24" # handle 266
		ip saddr 172.17.0.0/24 tcp dport 2022 ct state new counter packets 0 bytes 0 accept comment "113 nova_migration_target accept libvirt subnet 172.17.0.0/24" # handle 267
		# The two tunnel rules have no "ct state" match and no source match: UDP 4789 and 6081
		# are accepted from any address regardless of conntrack state, including packets the
		# raw table has marked notrack.
		udp dport 4789 counter packets 0 bytes 0 accept comment "118 neutron vxlan networks" # handle 268
		udp dport 6081 counter packets 6260 bytes 638520 accept comment "119 neutron geneve networks" # handle 269
		ip saddr 192.168.122.0/24 udp dport 161 ct state new counter packets 0 bytes 0 accept comment "124 snmp 192.168.122.0/24" # handle 270
		tcp dport { 2224, 3121, 21064 } ct state new counter packets 0 bytes 0 accept comment "130 pacemaker tcp" # handle 272
		udp dport 5405 ct state new counter packets 0 bytes 0 accept comment "131 pacemaker udp" # handle 273
		# Ports 6080 and 8775 repeat handles 256 and 255; these two rules never match.
		tcp dport 6080 ct state new counter packets 0 bytes 0 accept comment "137 nova_vnc_proxy" # handle 274
		tcp dport 8775 ct state new counter packets 0 bytes 0 accept comment "139 nova_metadata" # handle 275
		tcp dport { 5900-6923, 16514, 61152-61215 } ct state new counter packets 0 bytes 0 accept comment "200 nova_libvirt" # handle 277
		# Log only, no verdict: the packet returns to INPUT, where handles 280/281 may still accept
		# it, so a "DROPPING: " line does not prove the packet was dropped. The rate limit
		# (20/minute, burst 15) makes this log a sample, not a complete record of denied traffic.
		# Packets already accepted in EDPM_INPUT never reach this rule.
		limit rate 20/minute burst 15 packets counter packets 953 bytes 57180 log prefix "DROPPING: " flags all comment "999 log all" # handle 278
	}

	# Allow-list named after EDPM; evaluated before TRIPLEO_INPUT. No rule here restricts the
	# source address (0.0.0.0/0 on handle 373 is every IPv4 source), and there is no log rule.
	chain EDPM_INPUT { # handle 299
		# NOTE(review): the exporter ports (9100, 9101, 9105, 9882) are accepted from any source
		# and their counters show traffic. Confirm whether they should be limited to the
		# monitoring network.
		tcp dport 9101 ct state new counter packets 48 bytes 2880 accept comment "000 Allow ceilometer_compute_prom_exporter traffic" # handle 365
		tcp dport 9100 ct state new counter packets 2 bytes 120 accept comment "000 Allow node_exporter traffic" # handle 366
		tcp dport 9882 ct state new counter packets 11 bytes 660 accept comment "000 Allow podman_exporter traffic" # handle 367
		ct state established,related counter packets 92643 bytes 79166192 accept comment "000 accept related established rules" # handle 368
		tcp dport 9105 ct state new counter packets 3 bytes 180 accept comment "001 Allow openstack_network_exporter traffic" # handle 369
		meta l4proto icmp ct state new counter packets 3 bytes 116 accept comment "001 accept all icmp" # handle 370
		meta l4proto ipv6-icmp counter packets 6 bytes 432 accept comment "001 accept all ipv6-icmp" # handle 371
		iifname "lo" counter packets 3757 bytes 225420 accept comment "002 accept all to lo interface" # handle 372
		# "ip saddr" limits this rule to IPv4, but 0.0.0.0/0 excludes no IPv4 source.
		# NOTE(review): SSH is open to all IPv4 sources; confirm the intended management range.
		ip saddr 0.0.0.0/0 tcp dport 22 ct state new counter packets 41 bytes 2424 accept comment "003 Allow ssh from 0.0.0.0/0" # handle 373
		ip6 daddr fe80::/64 udp dport 546 ct state new counter packets 0 bytes 0 accept comment "004 accept ipv6 dhcpv6" # handle 374
		# NOTE(review): the VNC console and live-migration ranges are open on every network, as
		# the rule comment itself says. Confirm they should not be scoped to internal networks.
		tcp dport 5900-6923 ct state new counter packets 0 bytes 0 accept comment "005 Allow vnc access on all networks." # handle 375
		tcp dport 61152-61215 ct state new counter packets 0 bytes 0 accept comment "006 Allow libvirt live migration traffic" # handle 376
		udp dport 4789 ct state new counter packets 0 bytes 0 accept comment "118 neutron vxlan networks" # handle 377
		# Matches packets exempted from connection tracking; pairs with the notrack rules for
		# UDP 6081 in table inet raw. No source match: any sender of UDP 6081 is accepted.
		udp dport 6081 ct state untracked counter packets 1566 bytes 159732 accept comment "119 neutron geneve networks" # handle 378
	}
}
# Raw-priority chains: every rule below applies "notrack" to UDP port 6081 ("neutron geneve
# networks" in the rule comments), exempting that traffic from connection tracking.
# Untracked packets get no stateful filtering: table inet filter accepts them by port alone
# (handles 269 and 378 there), with no source or interface match.
# NOTE(review): confirm the tunnel network is isolated, or scope these rules with
# "ip saddr" / "iifname".
table inet raw { # handle 5
	chain PREROUTING { # handle 1
		type filter hook prerouting priority raw; policy accept;
		# NOTE(review): the same jump is listed three times (handles 84, 74, 64), the same
		# pattern as the repeated EDPM_INPUT jump in table inet filter. Redundant; deduplicate.
		jump EDPM_PREROUTING # handle 84
		jump EDPM_PREROUTING # handle 74
		jump EDPM_PREROUTING # handle 64
		jump TRIPLEO_PREROUTING # handle 50
	}

	chain OUTPUT { # handle 2
		type filter hook output priority raw; policy accept;
		# NOTE(review): triplicated jump (handles 83, 73, 63); see PREROUTING.
		jump EDPM_OUTPUT # handle 83
		jump EDPM_OUTPUT # handle 73
		jump EDPM_OUTPUT # handle 63
		jump TRIPLEO_OUTPUT # handle 49
	}

	# The TRIPLEO_* variants add a "ct state invalid" match before notrack.
	# NOTE(review): the non-zero counters show the match fires at raw priority, presumably
	# because a packet with no conntrack entry yet is reported as invalid. Confirm.
	chain TRIPLEO_OUTPUT { # handle 45
		udp dport 6081 ct state invalid counter packets 6266 bytes 639132 notrack comment "120 neutron geneve networks no conntrack" # handle 47
	}

	chain TRIPLEO_PREROUTING { # handle 46
		udp dport 6081 ct state invalid counter packets 6260 bytes 638520 notrack comment "121 neutron geneve networks no conntrack" # handle 48
	}

	# The EDPM_* variants match on the port alone. notrack is a statement, not a verdict, so
	# evaluation continues after it.
	chain EDPM_OUTPUT { # handle 59
		udp dport 6081 counter packets 0 bytes 0 notrack comment "120 neutron geneve networks no conntrack" # handle 81
	}

	chain EDPM_PREROUTING { # handle 60
		udp dport 6081 counter packets 4698 bytes 479196 notrack comment "121 neutron geneve networks no conntrack" # handle 82
	}
}
# NAT base chains for the inet family. All four chains are empty with policy accept:
# this table performs no address translation.
table inet nat { # handle 6
	chain PREROUTING { # handle 1
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain INPUT { # handle 2
		type nat hook input priority 100; policy accept;
	}

	chain OUTPUT { # handle 3
		type nat hook output priority -100; policy accept;
	}

	chain POSTROUTING { # handle 4
		type nat hook postrouting priority srcnat; policy accept;
	}
}
# IPv4-only filter table: empty base chains with policy accept, no rules.
# This does not open the host. A packet must pass every base chain attached to a hook, so the
# drop policy of INPUT in table inet filter still applies to IPv4 traffic.
table ip filter { # handle 7
	chain INPUT { # handle 1
		type filter hook input priority filter; policy accept;
	}

	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy accept;
	}

	chain OUTPUT { # handle 3
		type filter hook output priority filter; policy accept;
	}
}
# IPv4-only raw table: empty base chains with policy accept. The notrack rules live in
# table inet raw, not here.
table ip raw { # handle 8
	chain PREROUTING { # handle 1
		type filter hook prerouting priority raw; policy accept;
	}

	chain OUTPUT { # handle 2
		type filter hook output priority raw; policy accept;
	}
}
# IPv4-only NAT table: all four base chains are empty with policy accept, so no IPv4
# address translation is configured.
table ip nat { # handle 9
	chain PREROUTING { # handle 1
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain INPUT { # handle 2
		type nat hook input priority 100; policy accept;
	}

	chain OUTPUT { # handle 3
		type nat hook output priority -100; policy accept;
	}

	chain POSTROUTING { # handle 4
		type nat hook postrouting priority srcnat; policy accept;
	}
}
# IPv6-only raw table: empty base chains with policy accept, no rules.
table ip6 raw { # handle 10
	chain PREROUTING { # handle 1
		type filter hook prerouting priority raw; policy accept;
	}

	chain OUTPUT { # handle 2
		type filter hook output priority raw; policy accept;
	}
}
# IPv6-only filter table: empty base chains with policy accept, no rules.
# IPv6 input filtering is done by table inet filter, whose INPUT policy is drop. A packet
# must pass every base chain on the hook, so the accept policy here does not override it.
table ip6 filter { # handle 11
	chain INPUT { # handle 1
		type filter hook input priority filter; policy accept;
	}

	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy accept;
	}

	chain OUTPUT { # handle 3
		type filter hook output priority filter; policy accept;
	}
}
