Calico updates to v3.0, add auto-scaler, add typha #34

Merged
merged 1 commit into from
Mar 30, 2018


tmjd
Contributor

@tmjd tmjd commented Feb 15, 2018

A prior installation is not upgradable from the previous version. It would be necessary to first update Calico to v2.6.6+, and then upgrading to this version should be possible.

@liwenwu-amazon
Contributor

@tmjd
Can you specify what kind of tests you have done for this change?
thanks
LIwen--

@tmjd
Contributor Author

tmjd commented Feb 23, 2018

The testing I did was to bring up a small 3 node cluster (1 master, 2 nodes), deploy with the manifest and then run through the Simple Policy Demo, which deploys pods and a service, then uses another pod to test that network policy will block traffic and then that traffic can be allowed. I also verified that the traffic worked across hosts.
I initially had issue #35 but modified my setup and was able to test successfully.

@liwenwu-amazon
Contributor

liwenwu-amazon commented Feb 23, 2018

I am getting the following error:

kubectl -s liwen-c4-WesleyMa-112LBCGNGOXC5-85649114.us-west-2.elb.amazonaws.com apply -f aws-k8s-cni-calico.yaml 
daemonset "aws-node" created
daemonset "calico-node" created
customresourcedefinition "felixconfigurations.crd.projectcalico.org" created
customresourcedefinition "bgpconfigurations.crd.projectcalico.org" created
customresourcedefinition "ippools.crd.projectcalico.org" created
customresourcedefinition "hostendpoints.crd.projectcalico.org" created
customresourcedefinition "clusterinformations.crd.projectcalico.org" created
customresourcedefinition "globalnetworkpolicies.crd.projectcalico.org" created
customresourcedefinition "globalnetworksets.crd.projectcalico.org" created
customresourcedefinition "networkpolicies.crd.projectcalico.org" created
serviceaccount "calico-node" created
clusterrole "calico-node" created
clusterrolebinding "calico-node" created
deployment "calico-typha" created
configmap "calico-typha-horizontal-autoscaler" created
deployment "calico-typha-horizontal-autoscaler" created
serviceaccount "typha-cpha" created
service "calico-typha" created
Error from server (BadRequest): error when creating "aws-k8s-cni-calico.yaml": ClusterRoleBinding in version "v1" cannot be handled as a ClusterRoleBinding: no kind "ClusterRoleBinding" is registered for version "rbac.authorization.k8s.io/v1"
Error from server (BadRequest): error when creating "aws-k8s-cni-calico.yaml": ClusterRole in version "v1" cannot be handled as a ClusterRole: no kind "ClusterRole" is registered for version "rbac.authorization.k8s.io/v1"
Error from server (BadRequest): error when creating "aws-k8s-cni-calico.yaml": Role in version "v1" cannot be handled as a Role: no kind "Role" is registered for version "rbac.authorization.k8s.io/v1"
Error from server (BadRequest): error when creating "aws-k8s-cni-calico.yaml": RoleBinding in version "v1" cannot be handled as a RoleBinding: no kind "RoleBinding" is registered for version "rbac.authorization.k8s.io/v1"

kubectl -s liwen-c4-WesleyMa-112LBCGNGOXC5-85649114.us-west-2.elb.amazonaws.com version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be3d0864b52323b", GitTreeState:"clean", BuildDate:"2018-02-07T12:22:21Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.4", GitCommit:"793658f2d7ca7f064d2bdf606519f9fe1229c381", GitTreeState:"clean", BuildDate:"2017-08-17T08:30:51Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

@caseydavenport
Contributor

Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.4", GitCommit:"793658f2d7ca7f064d2bdf606519f9fe1229c381", GitTreeState:"clean", BuildDate:"2017-08-17T08:30:51Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

I think it's because you're running an older version of Kubernetes.

@tmjd we may need to use the v1beta1 apiVersion in order to support earlier k8s versions.

@tmjd
Contributor Author

tmjd commented Feb 23, 2018

@liwenwu-amazon I've pushed changes so they all use the v1beta1 apiVersion, I've verified it still works with my v1.9.3 cluster.
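A pre-flight check for the apiVersion mismatch discussed above, as an added example (not code from this PR or the project): it compares each document's `apiVersion` in a manifest against the group/versions a server reports through `kubectl api-versions`. The manifest, the served list and the function names are constructed for illustration.

```python
import re

# Constructed sample manifest: RBAC objects using the apiVersion from the
# error output above, plus a core/v1 object.
SAMPLE_MANIFEST = """\
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-node
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-node
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-node
  namespace: kube-system
"""

# Constructed sample of `kubectl api-versions` output (one group/version per line).
SAMPLE_SERVED = """\
apps/v1beta1
extensions/v1beta1
rbac.authorization.k8s.io/v1alpha1
rbac.authorization.k8s.io/v1beta1
v1
"""


def parse_docs(manifest):
    """Extract apiVersion, kind and metadata.name from each YAML document.

    Deliberately minimal: reads top-level keys and the direct children of
    `metadata:` only, which is enough for this check without a YAML library.
    """
    docs = []
    for raw in re.split(r"(?m)^---[ \t]*$", manifest):
        fields, in_metadata, meta_indent = {}, False, None
        for line in raw.splitlines():
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            key, sep, value = stripped.partition(":")
            if not sep:
                continue
            value = value.strip().strip("\"'")
            indent = len(line) - len(line.lstrip())
            if indent == 0:
                in_metadata, meta_indent = (key == "metadata"), None
                if key in ("apiVersion", "kind"):
                    fields[key] = value
            elif in_metadata:
                if meta_indent is None:
                    meta_indent = indent
                if indent == meta_indent and key == "name":
                    fields["name"] = value
        if "apiVersion" in fields and "kind" in fields:
            docs.append(fields)
    return docs


def group_of(api_version):
    """'rbac.authorization.k8s.io/v1' -> 'rbac.authorization.k8s.io'; 'v1' -> ''."""
    return api_version.rpartition("/")[0]


def unserved_objects(manifest, api_versions_output):
    """Return (kind, name, apiVersion, served versions of the same group)
    for every document whose apiVersion the server does not serve."""
    served = {l.strip() for l in api_versions_output.splitlines() if l.strip()}
    report = []
    for doc in parse_docs(manifest):
        wanted = doc["apiVersion"]
        if wanted in served:
            continue
        same_group = sorted(v for v in served if group_of(v) == group_of(wanted))
        report.append((doc["kind"], doc.get("name", "?"), wanted, same_group))
    return report


if __name__ == "__main__":
    for kind, name, wanted, options in unserved_objects(SAMPLE_MANIFEST, SAMPLE_SERVED):
        print(f"{kind}/{name}: {wanted} not served; same group offers {options}")
```
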

@liwenwu-amazon
Contributor

@tmjd thanks Eric. I no longer see any errors when applying aws-k8s-cni-calico.yaml. But I can NOT get simple policy demo working.

Is it due to the fact my cluster is 1.7.4? thanks

@tmjd
Contributor Author

tmjd commented Feb 27, 2018

Off the top of my head I think that should work. Which step specifically is not working?

If it is the isolation that is not working try using the following from a previous version of the demo (notice it doesn't have matchLabels: {} like the latest version does).

kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: default-deny
  namespace: policy-demo
spec:
  podSelector:
EOF

If the part that is not working is Allow Access using a NetworkPolicy then I wonder if you may be hitting the same problem which I submitted as #35. That only seemed to be a problem when going cross host though.

@liwenwu-amazon
Contributor

Issue-1: With version 1.7.4, I am NOT seeing Isolation policy being enforced.

Issue-2: With version 1.93, "allow Access using NetworkPolicy" ONLY affects the new Pods created after the Network Policy configuration. It does NOT work for the existing running Pods.

@caseydavenport
Contributor

Issue-2: With version 1.93, "allow Access using NetworkPolicy" ONLY affects the new Pods created after the Network Policy configuration. It does NOT work for the existing running Pods.

For clarification, do you mean pods created before applying the policy? Or pods created before installing Calico?

@liwenwu-amazon
Contributor

Pods created before applying the policy.

@tmjd
Contributor Author

tmjd commented Mar 2, 2018

Issue-1: With version 1.7.4, I am NOT seeing Isolation policy being enforced.

I just deployed a K8s v1.7.4 cluster and the Simple Policy demo (the Calico v3.0 version) worked as expected. (Though my kubectl client was v1.7.11.) When you had that deployed did you take a look at the logs from calico-node? My instinct is that calico-node was unable to connect to the kubernetes api or policy/pod configuration wasn't correct like they were in different namespaces, is there any way it could have been that?

Issue-2: That's new behavior. Did you have to re-create all pods before the policy worked, both the nginx and access pods or just the access pod?

@tmjd tmjd force-pushed the calico-updates branch from 92fae25 to 4612666 Compare March 7, 2018 17:50
@tmjd
Contributor Author

tmjd commented Mar 7, 2018

I've rebased the changes on latest master.

@liwenwu-amazon
Contributor

I am seeing the following on my 1.9 cluster, it looks like the policy is NOT working.

ubuntu@ip-20-0-1-4:~/learning$ kubectl get NetworkPolicy -n policy-demo
NAME           POD-SELECTOR   AGE
access-nginx   run=nginx      3m
default-deny   <none>         4m
ubuntu@ip-20-0-1-4:~/learning$ kubectl describe NetworkPolicy access-nginx -n policy-demo
Name:         access-nginx
Namespace:    policy-demo
Created on:   2018-03-08 03:33:32 +0000 UTC
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     run=nginx
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From PodSelector: run=access
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress
ubuntu@ip-20-0-1-4:~/learning$ kubectl describe NetworkPolicy default-deny -n policy-demo
Name:         default-deny
Namespace:    policy-demo
Created on:   2018-03-08 03:32:46 +0000 UTC
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress
ubuntu@ip-20-0-1-4:~/learning$ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ # 
/ #  wget -q --timeout=5 nginx -O -
wget: download timed out

If I delete all policy, I can see it works again

ubuntu@ip-20-0-1-4:~/learning$ kubectl delete NetworkPolicy access-nginx -n policy-demo
networkpolicy "access-nginx" deleted
ubuntu@ip-20-0-1-4:~/learning$ kubectl delete NetworkPolicy default-deny -n policy-demo
networkpolicy "default-deny" deleted
ubuntu@ip-20-0-1-4:~/learning$ kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ #  wget -q --timeout=5 nginx -O -
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
/ # 

Here is kubectl and cluster version

ubuntu@ip-20-0-1-4:~/learning$ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be3d0864b52323b", GitTreeState:"clean", BuildDate:"2018-02-07T12:22:21Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be3d0864b52323b", GitTreeState:"clean", BuildDate:"2018-02-07T11:55:20Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}

@tmjd
Contributor Author

tmjd commented Mar 8, 2018

This problem sounds like what you would see if you were having an issue like #35. There are a couple things you can check:

  • Ensure your access pod and nginx pod are on the same host (you can guarantee the access pod is accessing a specific pod by using a specific pod's IP address). In that case, does the policy work as expected?
  • With the access pod connecting to an nginx pod on a different host, run tcpdump to monitor the traffic on the destination host. Does the traffic source IP have the IP of the access pod or the access pod's host?
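One way to answer the second check above from a saved capture, as an added example (not part of the original comment or the project's code): it reads one-line `tcpdump -n` output taken on the destination host and labels the source of each new connection to the nginx pod as a pod address or a node address. The capture lines, all addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# One-line `tcpdump -n` TCP/IPv4 output has the shape:
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
PACKET = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed capture on the destination host. 10.0.2.50 stands in for the
# nginx pod, 10.0.1.23 for the access pod, 10.0.1.4 for the access pod's host.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.1.23.41000 > 10.0.2.50.80: Flags [S], seq 100, win 26883, length 0
12:00:02.000001 IP 10.0.1.23.41000 > 10.0.2.50.80: Flags [S], seq 100, win 26883, length 0
12:00:09.000001 IP 10.0.1.4.52011 > 10.0.2.50.80: Flags [S], seq 200, win 26883, length 0
12:00:09.000200 IP 10.0.2.50.80 > 10.0.1.4.52011: Flags [S.], seq 300, ack 201, win 26883, length 0
12:00:15.000001 IP 10.0.9.9.33000 > 10.0.2.50.80: Flags [S], seq 400, win 26883, length 0
"""


def syn_sources(capture, dst_ip, dst_port, pod_ips, node_ips):
    """Count initial SYNs sent to dst_ip:dst_port, keyed by (source IP, label).

    Only pure SYNs are counted so that replies and established traffic do not
    hide where a connection attempt appeared to come from.
    """
    seen = Counter()
    for line in capture.splitlines():
        m = PACKET.match(line.strip())
        if not m or m.group("flags") != "S":
            continue
        if m.group("dst") != dst_ip or int(m.group("dport")) != dst_port:
            continue
        src = m.group("src")
        if src in pod_ips:
            label = "pod"
        elif src in node_ips:
            label = "node"
        else:
            label = "other"
        seen[(src, label)] += 1
    return seen


def verdict(seen, expected_pod_ip):
    """Summarise what the destination host saw.

    "pod-source"        every SYN carried the access pod's own address
    "node-source"       at least one SYN carried a node address, so the pod
                        address was rewritten before arrival and a rule that
                        selects the access pod would not see that pod's IP
    "unexpected-source" SYNs came from addresses that are neither
    "no-syn-seen"       nothing reached the destination at all
    """
    if not seen:
        return "no-syn-seen"
    if any(label == "node" for _, label in seen):
        return "node-source"
    if all(src == expected_pod_ip for src, _ in seen):
        return "pod-source"
    return "unexpected-source"


if __name__ == "__main__":
    counts = syn_sources(SAMPLE_CAPTURE, "10.0.2.50", 80,
                         pod_ips={"10.0.1.23"}, node_ips={"10.0.1.4"})
    for (src, label), n in sorted(counts.items()):
        print(f"{src:<12} {label:<6} SYNs={n}")
    print(verdict(counts, "10.0.1.23"))
```
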

@liwenwu-amazon
Contributor

@tmjd @caseydavenport, my setup is different than issue #35, where VPC ONLY has 1 CIDR.
I am seeing something quite wrong when I enable NetworkPolicy:

  • For Pod outgoing traffic, if a Pod gets an IP address from e.g. eth1, its outgoing traffic MUST be sent out through eth1; today amazon-vpc-cni-k8s CNI sets this up using policy routing
  • Before I enable NetworkPolicy, I can see all Pods' outgoing traffic is sent out on the correct interface
  • After I enable NetworkPolicy, I see the Pod's traffic going out on the eth0 interface, where it is supposed to go out on the eth1 interface.

Here is the iptable dump after enabling NetworkPolicy

root@ip-20-0-33-42:/home/admin# ls
iptable.out
root@ip-20-0-33-42:/home/admin# vi iptable.out 
root@ip-20-0-33-42:/home/admin# 
root@ip-20-0-33-42:/home/admin# 
root@ip-20-0-33-42:/home/admin# 
root@ip-20-0-33-42:/home/admin# 
root@ip-20-0-33-42:/home/admin# 
root@ip-20-0-33-42:/home/admin# cat iptable.out 
# Generated by iptables-save v1.4.21 on Fri Mar  9 17:08:39 2018
*mangle
:PREROUTING ACCEPT [651:39060]
:INPUT ACCEPT [21648:16565637]
:FORWARD ACCEPT [4359:1015677]
:OUTPUT ACCEPT [20358:20408233]
:POSTROUTING ACCEPT [24716:21423870]
:cali-PREROUTING - [0:0]
:cali-failsafe-in - [0:0]
:cali-from-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:nE3PUa5RSRqBBvwx" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-PREROUTING -i cali+ -m comment --comment "cali:qgFofvzQe6yJPouQ" -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:o178eO5vvpj8e65z" -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:5TQcm-i_T8rVGEEa" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
-A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:ywE9WYUBEpve70WT" -m multiport --dports 6666 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:l-WQSVBf_lygPR0J" -m multiport --dports 6667 -j ACCEPT
COMMIT
# Completed on Fri Mar  9 17:08:39 2018
# Generated by iptables-save v1.4.21 on Fri Mar  9 17:08:39 2018
*raw
:PREROUTING ACCEPT [26010:17581470]
:OUTPUT ACCEPT [20358:20408233]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-failsafe-in - [0:0]
:cali-failsafe-out - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A cali-OUTPUT -m comment --comment "cali:WX1xZBEtmbS0Rhjs" -j MARK --set-xmark 0x0/0xf000000
-A cali-OUTPUT -m comment --comment "cali:iE00ZyllJNXfrlg_" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:Asois4hxp1rUxwJS" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:zatSDPVUhhPCk6Iy" -j MARK --set-xmark 0x0/0xf000000
-A cali-PREROUTING -i cali+ -m comment --comment "cali:-ES4EW0vxFmM81t8" -j MARK --set-xmark 0x4000000/0x4000000
-A cali-PREROUTING -m comment --comment "cali:VE1J3S_1t9q8GAsm" -m mark --mark 0x0/0x4000000 -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:VX8l4jKL9w89GXz5" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
-A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:ywE9WYUBEpve70WT" -m multiport --dports 6666 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:l-WQSVBf_lygPR0J" -m multiport --dports 6667 -j ACCEPT
-A cali-failsafe-out -p udp -m comment --comment "cali:82hjfji-wChFhAqL" -m multiport --dports 53 -j ACCEPT
-A cali-failsafe-out -p udp -m comment --comment "cali:TNM3RfEjbNr72hgH" -m multiport --dports 67 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:ycxKitIl4u3dK0HR" -m multiport --dports 179 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:hxjEWyxdkXXkdvut" -m multiport --dports 2379 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:cA_GLtruuvG88KiO" -m multiport --dports 2380 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:Sb1hkLYFMrKS6r01" -m multiport --dports 6666 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:UwLSebGONJUG4yG-" -m multiport --dports 6667 -j ACCEPT
COMMIT
# Completed on Fri Mar  9 17:08:39 2018
# Generated by iptables-save v1.4.21 on Fri Mar  9 17:08:39 2018
*nat
:PREROUTING ACCEPT [4:240]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [13:780]
:POSTROUTING ACCEPT [9:540]
:DOCKER - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-47ZTQF2OO4P3K6AQ - [0:0]
:KUBE-SEP-AHCI3VXZR7DYPSOG - [0:0]
:KUBE-SEP-DZMXYIBKHSHUGCPJ - [0:0]
:KUBE-SEP-FUDZJ44UO76TXVI3 - [0:0]
:KUBE-SEP-IVUVAZBJ6TW42LP3 - [0:0]
:KUBE-SEP-J2UK65G3RT4SPOAQ - [0:0]
:KUBE-SEP-KMPWJOXQVDLCQAXT - [0:0]
:KUBE-SEP-KPIWEBNG5LEFP7IB - [0:0]
:KUBE-SEP-LJFYOLTXVETASVUQ - [0:0]
:KUBE-SEP-N5XBNBOBH7TYMR2K - [0:0]
:KUBE-SEP-NVVCPL6U2NLBR73G - [0:0]
:KUBE-SEP-PYND2LDCU6BE4QTS - [0:0]
:KUBE-SEP-RTAFHQS73VG7CGRG - [0:0]
:KUBE-SEP-SFOREAE27WLCJZTM - [0:0]
:KUBE-SEP-TDERACZEFUGBM3NW - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-3VXIGVIYYFN7DHDA - [0:0]
:KUBE-SVC-B6SSVPZTT5VLALG3 - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-IFO32E4YIRUTZPGJ - [0:0]
:KUBE-SVC-NAZP4SD6XLP35COK - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-TLAQXR2JYFLX6OG2 - [0:0]
:KUBE-SVC-VUMZCXJHDF5H4EWS - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING ! -d 20.0.0.0/16 -m comment --comment "AWS, SNAT" -m addrtype ! --dst-type LOCAL -j SNAT --to-source 20.0.33.42
-A DOCKER -i docker0 -j RETURN
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "monitoring/grafana:" -m tcp --dport 30902 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "monitoring/grafana:" -m tcp --dport 30902 -j KUBE-SVC-TLAQXR2JYFLX6OG2
-A KUBE-NODEPORTS -p tcp -m comment --comment "monitoring/alertmanager-main:web" -m tcp --dport 30903 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "monitoring/alertmanager-main:web" -m tcp --dport 30903 -j KUBE-SVC-NAZP4SD6XLP35COK
-A KUBE-NODEPORTS -p tcp -m comment --comment "monitoring/prometheus-k8s:web" -m tcp --dport 30900 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "monitoring/prometheus-k8s:web" -m tcp --dport 30900 -j KUBE-SVC-IFO32E4YIRUTZPGJ
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-47ZTQF2OO4P3K6AQ -s 20.0.37.59/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-47ZTQF2OO4P3K6AQ -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 20.0.37.59:53
-A KUBE-SEP-AHCI3VXZR7DYPSOG -s 20.0.53.180/32 -m comment --comment "monitoring/prometheus-k8s:web" -j KUBE-MARK-MASQ
-A KUBE-SEP-AHCI3VXZR7DYPSOG -p tcp -m comment --comment "monitoring/prometheus-k8s:web" -m tcp -j DNAT --to-destination 20.0.53.180:9090
-A KUBE-SEP-DZMXYIBKHSHUGCPJ -s 20.0.51.213/32 -m comment --comment "monitoring/grafana:" -j KUBE-MARK-MASQ
-A KUBE-SEP-DZMXYIBKHSHUGCPJ -p tcp -m comment --comment "monitoring/grafana:" -m tcp -j DNAT --to-destination 20.0.51.213:3000
-A KUBE-SEP-FUDZJ44UO76TXVI3 -s 20.0.37.59/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-FUDZJ44UO76TXVI3 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 20.0.37.59:53
-A KUBE-SEP-IVUVAZBJ6TW42LP3 -s 20.0.39.66/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-IVUVAZBJ6TW42LP3 -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-IVUVAZBJ6TW42LP3 --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 20.0.39.66:443
-A KUBE-SEP-J2UK65G3RT4SPOAQ -s 20.0.63.68/32 -m comment --comment "policy-demo/nginx:" -j KUBE-MARK-MASQ
-A KUBE-SEP-J2UK65G3RT4SPOAQ -p tcp -m comment --comment "policy-demo/nginx:" -m tcp -j DNAT --to-destination 20.0.63.68:80
-A KUBE-SEP-KMPWJOXQVDLCQAXT -s 20.0.87.5/32 -m comment --comment "kube-system/calico-typha:calico-typha" -j KUBE-MARK-MASQ
-A KUBE-SEP-KMPWJOXQVDLCQAXT -p tcp -m comment --comment "kube-system/calico-typha:calico-typha" -m tcp -j DNAT --to-destination 20.0.87.5:5473
-A KUBE-SEP-KPIWEBNG5LEFP7IB -s 20.0.59.12/32 -m comment --comment "monitoring/alertmanager-main:web" -j KUBE-MARK-MASQ
-A KUBE-SEP-KPIWEBNG5LEFP7IB -p tcp -m comment --comment "monitoring/alertmanager-main:web" -m tcp -j DNAT --to-destination 20.0.59.12:9093
-A KUBE-SEP-LJFYOLTXVETASVUQ -s 20.0.94.246/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-LJFYOLTXVETASVUQ -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 20.0.94.246:53
-A KUBE-SEP-N5XBNBOBH7TYMR2K -s 20.0.94.246/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-N5XBNBOBH7TYMR2K -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 20.0.94.246:53
-A KUBE-SEP-NVVCPL6U2NLBR73G -s 20.0.70.248/32 -m comment --comment "monitoring/alertmanager-main:web" -j KUBE-MARK-MASQ
-A KUBE-SEP-NVVCPL6U2NLBR73G -p tcp -m comment --comment "monitoring/alertmanager-main:web" -m tcp -j DNAT --to-destination 20.0.70.248:9093
-A KUBE-SEP-PYND2LDCU6BE4QTS -s 20.0.69.101/32 -m comment --comment "monitoring/prometheus-k8s:web" -j KUBE-MARK-MASQ
-A KUBE-SEP-PYND2LDCU6BE4QTS -p tcp -m comment --comment "monitoring/prometheus-k8s:web" -m tcp -j DNAT --to-destination 20.0.69.101:9090
-A KUBE-SEP-RTAFHQS73VG7CGRG -s 20.0.51.13/32 -m comment --comment "monitoring/prometheus-operator:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-RTAFHQS73VG7CGRG -p tcp -m comment --comment "monitoring/prometheus-operator:http" -m tcp -j DNAT --to-destination 20.0.51.13:8080
-A KUBE-SEP-SFOREAE27WLCJZTM -s 20.0.71.133/32 -m comment --comment "policy-demo/nginx:" -j KUBE-MARK-MASQ
-A KUBE-SEP-SFOREAE27WLCJZTM -p tcp -m comment --comment "policy-demo/nginx:" -m tcp -j DNAT --to-destination 20.0.71.133:80
-A KUBE-SEP-TDERACZEFUGBM3NW -s 20.0.52.228/32 -m comment --comment "monitoring/alertmanager-main:web" -j KUBE-MARK-MASQ
-A KUBE-SEP-TDERACZEFUGBM3NW -p tcp -m comment --comment "monitoring/alertmanager-main:web" -m tcp -j DNAT --to-destination 20.0.52.228:9093
-A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.68.169.244/32 -p tcp -m comment --comment "monitoring/grafana: cluster IP" -m tcp --dport 3000 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 100.68.169.244/32 -p tcp -m comment --comment "monitoring/grafana: cluster IP" -m tcp --dport 3000 -j KUBE-SVC-TLAQXR2JYFLX6OG2
-A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.65.40.214/32 -p tcp -m comment --comment "monitoring/alertmanager-main:web cluster IP" -m tcp --dport 9093 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 100.65.40.214/32 -p tcp -m comment --comment "monitoring/alertmanager-main:web cluster IP" -m tcp --dport 9093 -j KUBE-SVC-NAZP4SD6XLP35COK
-A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.64.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 100.64.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.71.250.15/32 -p tcp -m comment --comment "kube-system/calico-typha:calico-typha cluster IP" -m tcp --dport 5473 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 100.71.250.15/32 -p tcp -m comment --comment "kube-system/calico-typha:calico-typha cluster IP" -m tcp --dport 5473 -j KUBE-SVC-VUMZCXJHDF5H4EWS
-A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.71.121.243/32 -p tcp -m comment --comment "monitoring/prometheus-operator:http cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 100.71.121.243/32 -p tcp -m comment --comment "monitoring/prometheus-operator:http cluster IP" -m tcp --dport 8080 -j KUBE-SVC-B6SSVPZTT5VLALG3
-A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.69.158.42/32 -p tcp -m comment --comment "monitoring/prometheus-k8s:web cluster IP" -m tcp --dport 9090 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 100.69.158.42/32 -p tcp -m comment --comment "monitoring/prometheus-k8s:web cluster IP" -m tcp --dport 9090 -j KUBE-SVC-IFO32E4YIRUTZPGJ
-A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.64.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 100.64.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.64.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 100.64.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.66.60.222/32 -p tcp -m comment --comment "policy-demo/nginx: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 100.66.60.222/32 -p tcp -m comment --comment "policy-demo/nginx: cluster IP" -m tcp --dport 80 -j KUBE-SVC-3VXIGVIYYFN7DHDA
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-3VXIGVIYYFN7DHDA -m comment --comment "policy-demo/nginx:" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-J2UK65G3RT4SPOAQ
-A KUBE-SVC-3VXIGVIYYFN7DHDA -m comment --comment "policy-demo/nginx:" -j KUBE-SEP-SFOREAE27WLCJZTM
-A KUBE-SVC-B6SSVPZTT5VLALG3 -m comment --comment "monitoring/prometheus-operator:http" -j KUBE-SEP-RTAFHQS73VG7CGRG
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-FUDZJ44UO76TXVI3
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-N5XBNBOBH7TYMR2K
-A KUBE-SVC-IFO32E4YIRUTZPGJ -m comment --comment "monitoring/prometheus-k8s:web" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-AHCI3VXZR7DYPSOG
-A KUBE-SVC-IFO32E4YIRUTZPGJ -m comment --comment "monitoring/prometheus-k8s:web" -j KUBE-SEP-PYND2LDCU6BE4QTS
-A KUBE-SVC-NAZP4SD6XLP35COK -m comment --comment "monitoring/alertmanager-main:web" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-TDERACZEFUGBM3NW
-A KUBE-SVC-NAZP4SD6XLP35COK -m comment --comment "monitoring/alertmanager-main:web" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-KPIWEBNG5LEFP7IB
-A KUBE-SVC-NAZP4SD6XLP35COK -m comment --comment "monitoring/alertmanager-main:web" -j KUBE-SEP-NVVCPL6U2NLBR73G
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-IVUVAZBJ6TW42LP3 --mask 255.255.255.255 --rsource -j KUBE-SEP-IVUVAZBJ6TW42LP3
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-IVUVAZBJ6TW42LP3
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-47ZTQF2OO4P3K6AQ
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-LJFYOLTXVETASVUQ
-A KUBE-SVC-TLAQXR2JYFLX6OG2 -m comment --comment "monitoring/grafana:" -j KUBE-SEP-DZMXYIBKHSHUGCPJ
-A KUBE-SVC-VUMZCXJHDF5H4EWS -m comment --comment "kube-system/calico-typha:calico-typha" -j KUBE-SEP-KMPWJOXQVDLCQAXT
-A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
-A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
-A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
-A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
COMMIT
# Completed on Fri Mar  9 17:08:39 2018
# Generated by iptables-save v1.4.21 on Fri Mar  9 17:08:39 2018
*filter
:INPUT ACCEPT [336:527937]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [309:230735]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-failsafe-in - [0:0]
:cali-failsafe-out - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-from-wl-dispatch-0 - [0:0]
:cali-from-wl-dispatch-1 - [0:0]
:cali-from-wl-dispatch-2 - [0:0]
:cali-from-wl-dispatch-5 - [0:0]
:cali-from-wl-dispatch-7 - [0:0]
:cali-from-wl-dispatch-8 - [0:0]
:cali-from-wl-dispatch-9 - [0:0]
:cali-from-wl-dispatch-a - [0:0]
:cali-from-wl-dispatch-b - [0:0]
:cali-fw-cali071740d01ce - [0:0]
:cali-fw-cali0f90fa3ec58 - [0:0]
:cali-fw-cali11239f98883 - [0:0]
:cali-fw-cali1f3ee5e103f - [0:0]
:cali-fw-cali21b57f50c1a - [0:0]
:cali-fw-cali25b9a1b0d15 - [0:0]
:cali-fw-cali40d3624cf34 - [0:0]
:cali-fw-cali5039a0227d9 - [0:0]
:cali-fw-cali535a4e1eaef - [0:0]
:cali-fw-cali6309ad0d4e3 - [0:0]
:cali-fw-cali764314fcdea - [0:0]
:cali-fw-cali77cb96a0922 - [0:0]
:cali-fw-cali79578072159 - [0:0]
:cali-fw-cali7d6effdbcf0 - [0:0]
:cali-fw-cali8224bf4c0aa - [0:0]
:cali-fw-cali88c9d56734d - [0:0]
:cali-fw-cali9448e85cbcf - [0:0]
:cali-fw-cali978b69e8fe9 - [0:0]
:cali-fw-cali9d631d3c0ca - [0:0]
:cali-fw-calia4e9baced41 - [0:0]
:cali-fw-calia85d85d4f5c - [0:0]
:cali-fw-caliab276a425c1 - [0:0]
:cali-fw-calib5c22879e61 - [0:0]
:cali-fw-calibb84390bbdf - [0:0]
:cali-fw-caliecc56958316 - [0:0]
:cali-fw-califda98f676cf - [0:0]
:cali-pri-kns.default - [0:0]
:cali-pri-kns.monitoring - [0:0]
:cali-pro-kns.default - [0:0]
:cali-pro-kns.monitoring - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-to-wl-dispatch-0 - [0:0]
:cali-to-wl-dispatch-1 - [0:0]
:cali-to-wl-dispatch-2 - [0:0]
:cali-to-wl-dispatch-5 - [0:0]
:cali-to-wl-dispatch-7 - [0:0]
:cali-to-wl-dispatch-8 - [0:0]
:cali-to-wl-dispatch-9 - [0:0]
:cali-to-wl-dispatch-a - [0:0]
:cali-to-wl-dispatch-b - [0:0]
:cali-tw-cali071740d01ce - [0:0]
:cali-tw-cali0f90fa3ec58 - [0:0]
:cali-tw-cali11239f98883 - [0:0]
:cali-tw-cali1f3ee5e103f - [0:0]
:cali-tw-cali21b57f50c1a - [0:0]
:cali-tw-cali25b9a1b0d15 - [0:0]
:cali-tw-cali40d3624cf34 - [0:0]
:cali-tw-cali5039a0227d9 - [0:0]
:cali-tw-cali535a4e1eaef - [0:0]
:cali-tw-cali6309ad0d4e3 - [0:0]
:cali-tw-cali764314fcdea - [0:0]
:cali-tw-cali77cb96a0922 - [0:0]
:cali-tw-cali79578072159 - [0:0]
:cali-tw-cali7d6effdbcf0 - [0:0]
:cali-tw-cali8224bf4c0aa - [0:0]
:cali-tw-cali88c9d56734d - [0:0]
:cali-tw-cali9448e85cbcf - [0:0]
:cali-tw-cali978b69e8fe9 - [0:0]
:cali-tw-cali9d631d3c0ca - [0:0]
:cali-tw-calia4e9baced41 - [0:0]
:cali-tw-calia85d85d4f5c - [0:0]
:cali-tw-caliab276a425c1 - [0:0]
:cali-tw-calib5c22879e61 - [0:0]
:cali-tw-calibb84390bbdf - [0:0]
:cali-tw-caliecc56958316 - [0:0]
:cali-tw-califda98f676cf - [0:0]
:cali-wl-to-host - [0:0]
-A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
-A INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -j KUBE-FIREWALL
-A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
-A FORWARD -m comment --comment "kubernetes forward rules" -j KUBE-FORWARD
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -p tcp -j ACCEPT
-A FORWARD -p udp -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A DOCKER-ISOLATION -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -s 100.96.0.0/11 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -d 100.96.0.0/11 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-FORWARD -m comment --comment "cali:JV9-BRWxjz8He5Ib" -j MARK --set-xmark 0x0/0xe000000
-A cali-FORWARD -m comment --comment "cali:p3dIAeGsCabF0CUT" -m mark --mark 0x0/0x1000000 -j cali-from-hep-forward
-A cali-FORWARD -i cali+ -m comment --comment "cali:DeNlxb0sUevj_Plt" -j cali-from-wl-dispatch
-A cali-FORWARD -o cali+ -m comment --comment "cali:B81FOaQNZymbX9H8" -j cali-to-wl-dispatch
-A cali-FORWARD -m comment --comment "cali:bB-I9T0YRAYMASx0" -j cali-to-hep-forward
-A cali-FORWARD -m comment --comment "cali:I1Ki7aNgQsJFzEpG" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-INPUT -m comment --comment "cali:i7okJZpS8VxaJB3n" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-INPUT -i cali+ -m comment --comment "cali:JaoDb6CLdcGw8g0Y" -g cali-wl-to-host
-A cali-INPUT -m comment --comment "cali:c5eKVW2VdKQ_LiSM" -j MARK --set-xmark 0x0/0xf000000
-A cali-INPUT -m comment --comment "cali:hwQKYSlSCkpE_9uN" -j cali-from-host-endpoint
-A cali-INPUT -m comment --comment "cali:ttp8-serzKCP-bKZ" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:YQSSJIsRcHjFbXaI" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-OUTPUT -o cali+ -m comment --comment "cali:N882DxHZfedrB21M" -m ipvs --ipvs -j cali-to-wl-dispatch
-A cali-OUTPUT -o cali+ -m comment --comment "cali:3DMcCmSodO9PvZSQ" -j RETURN
-A cali-OUTPUT -m comment --comment "cali:1rtQdJWFgiAjnYNa" -j MARK --set-xmark 0x0/0xf000000
-A cali-OUTPUT -m comment --comment "cali:ow9xXZQeAjSutSN2" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:PJxR9tvY62ypP44i" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
-A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:ywE9WYUBEpve70WT" -m multiport --dports 6666 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:l-WQSVBf_lygPR0J" -m multiport --dports 6667 -j ACCEPT
-A cali-failsafe-out -p udp -m comment --comment "cali:82hjfji-wChFhAqL" -m multiport --dports 53 -j ACCEPT
-A cali-failsafe-out -p udp -m comment --comment "cali:TNM3RfEjbNr72hgH" -m multiport --dports 67 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:ycxKitIl4u3dK0HR" -m multiport --dports 179 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:hxjEWyxdkXXkdvut" -m multiport --dports 2379 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:cA_GLtruuvG88KiO" -m multiport --dports 2380 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:Sb1hkLYFMrKS6r01" -m multiport --dports 6666 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:UwLSebGONJUG4yG-" -m multiport --dports 6667 -j ACCEPT
-A cali-from-wl-dispatch -i cali0+ -m comment --comment "cali:eBnVcASLTvMFg9XV" -g cali-from-wl-dispatch-0
-A cali-from-wl-dispatch -i cali1+ -m comment --comment "cali:MldUGW-Du40orI9-" -g cali-from-wl-dispatch-1
-A cali-from-wl-dispatch -i cali2+ -m comment --comment "cali:kTdzpLxGrgPwdaCE" -g cali-from-wl-dispatch-2
-A cali-from-wl-dispatch -i cali40d3624cf34 -m comment --comment "cali:QeQP2t-qnFrI8BuY" -g cali-fw-cali40d3624cf34
-A cali-from-wl-dispatch -i cali5+ -m comment --comment "cali:MuBQFwG93xgPMC2m" -g cali-from-wl-dispatch-5
-A cali-from-wl-dispatch -i cali6309ad0d4e3 -m comment --comment "cali:EptWMvqf98aGPxyN" -g cali-fw-cali6309ad0d4e3
-A cali-from-wl-dispatch -i cali7+ -m comment --comment "cali:QS9R9gq_c9ghFHPf" -g cali-from-wl-dispatch-7
-A cali-from-wl-dispatch -i cali8+ -m comment --comment "cali:xJ3TXQocZsrZt7uE" -g cali-from-wl-dispatch-8
-A cali-from-wl-dispatch -i cali9+ -m comment --comment "cali:mFbmgHyQnRK2vhS8" -g cali-from-wl-dispatch-9
-A cali-from-wl-dispatch -i calia+ -m comment --comment "cali:6H9TS7A-dcOmQp2m" -g cali-from-wl-dispatch-a
-A cali-from-wl-dispatch -i calib+ -m comment --comment "cali:K63-vWi169HLcJEa" -g cali-from-wl-dispatch-b
-A cali-from-wl-dispatch -i caliecc56958316 -m comment --comment "cali:nfvT8wnMubN-ZMI-" -g cali-fw-caliecc56958316
-A cali-from-wl-dispatch -i califda98f676cf -m comment --comment "cali:ay7hsutXYVT5Q7Vv" -g cali-fw-califda98f676cf
-A cali-from-wl-dispatch -m comment --comment "cali:ztpydPjXSsYLwFAM" -m comment --comment "Unknown interface" -j DROP
-A cali-from-wl-dispatch-0 -i cali071740d01ce -m comment --comment "cali:EadBA5x9-HwzLTFb" -g cali-fw-cali071740d01ce
-A cali-from-wl-dispatch-0 -i cali0f90fa3ec58 -m comment --comment "cali:0rtBiNjZbYfiGpgF" -g cali-fw-cali0f90fa3ec58
-A cali-from-wl-dispatch-0 -m comment --comment "cali:gl-c9ioOmWQJgG1c" -m comment --comment "Unknown interface" -j DROP
-A cali-from-wl-dispatch-1 -i cali11239f98883 -m comment --comment "cali:BTQHK0qAVYhZVjWd" -g cali-fw-cali11239f98883
-A cali-from-wl-dispatch-1 -i cali1f3ee5e103f -m comment --comment "cali:qRlGrGwaQzp5VNjm" -g cali-fw-cali1f3ee5e103f
-A cali-from-wl-dispatch-1 -m comment --comment "cali:BUD_-0y6hdXRqVTG" -m comment --comment "Unknown interface" -j DROP
-A cali-from-wl-dispatch-2 -i cali21b57f50c1a -m comment --comment "cali:lFd9EbzwVYfcdQwP" -g cali-fw-cali21b57f50c1a
-A cali-from-wl-dispatch-2 -i cali25b9a1b0d15 -m comment --comment "cali:LT3lFAMJ4yHJChys" -g cali-fw-cali25b9a1b0d15
-A cali-from-wl-dispatch-2 -m comment --comment "cali:UdsFXDiIe7sNnNmB" -m comment --comment "Unknown interface" -j DROP
-A cali-from-wl-dispatch-5 -i cali5039a0227d9 -m comment --comment "cali:TwnCLNb1QrfJInJ-" -g cali-fw-cali5039a0227d9
-A cali-from-wl-dispatch-5 -i cali535a4e1eaef -m comment --comment "cali:HOsWoXdm2MBStOTV" -g cali-fw-cali535a4e1eaef
-A cali-from-wl-dispatch-5 -m comment --comment "cali:kp-ldlBZV8EgtpKe" -m comment --comment "Unknown interface" -j DROP
-A cali-from-wl-dispatch-7 -i cali764314fcdea -m comment --comment "cali:8RWqMPsuDjy5-G3G" -g cali-fw-cali764314fcdea
-A cali-from-wl-dispatch-7 -i cali77cb96a0922 -m comment --comment "cali:_LLvamP2SRrKKSsi" -g cali-fw-cali77cb96a0922
-A cali-from-wl-dispatch-7 -i cali79578072159 -m comment --comment "cali:HwdlhQdoerRL8tD2" -g cali-fw-cali79578072159
-A cali-from-wl-dispatch-7 -i cali7d6effdbcf0 -m comment --comment "cali:-SXPg5sZB64HOYqe" -g cali-fw-cali7d6effdbcf0
-A cali-from-wl-dispatch-7 -m comment --comment "cali:kGHUtkSXXK_DS3Gf" -m comment --comment "Unknown interface" -j DROP
-A cali-from-wl-dispatch-8 -i cali8224bf4c0aa -m comment --comment "cali:wUQIHP-y8xcXy1ti" -g cali-fw-cali8224bf4c0aa
-A cali-from-wl-dispatch-8 -i cali88c9d56734d -m comment --comment "cali:9H_V7QaVQgIX5box" -g cali-fw-cali88c9d56734d
-A cali-from-wl-dispatch-8 -m comment --comment "cali:5zQXpFDy24wI8jnF" -m comment --comment "Unknown interface" -j DROP
-A cali-from-wl-dispatch-9 -i cali9448e85cbcf -m comment --comment "cali:darNGUYswdvoDrBJ" -g cali-fw-cali9448e85cbcf
-A cali-from-wl-dispatch-9 -i cali978b69e8fe9 -m comment --comment "cali:OtVUTIi_V8pi_4Y9" -g cali-fw-cali978b69e8fe9
-A cali-from-wl-dispatch-9 -i cali9d631d3c0ca -m comment --comment "cali:foPBXgOicapgQFO2" -g cali-fw-cali9d631d3c0ca
-A cali-from-wl-dispatch-9 -m comment --comment "cali:eBkGyyX6nk-vWcE4" -m comment --comment "Unknown interface" -j DROP
-A cali-from-wl-dispatch-a -i calia4e9baced41 -m comment --comment "cali:F07fAGXzRbJnKIJm" -g cali-fw-calia4e9baced41
-A cali-from-wl-dispatch-a -i calia85d85d4f5c -m comment --comment "cali:srJokE7JCHSICR2j" -g cali-fw-calia85d85d4f5c
-A cali-from-wl-dispatch-a -i caliab276a425c1 -m comment --comment "cali:fl0IPEs9mdUVAs2x" -g cali-fw-caliab276a425c1
-A cali-from-wl-dispatch-a -m comment --comment "cali:KJZfKRBaI42wNMlz" -m comment --comment "Unknown interface" -j DROP
-A cali-from-wl-dispatch-b -i calib5c22879e61 -m comment --comment "cali:CQ-wENFr0yyqFKc-" -g cali-fw-calib5c22879e61
-A cali-from-wl-dispatch-b -i calibb84390bbdf -m comment --comment "cali:WtOrRRnAvuZ8Rg_Z" -g cali-fw-calibb84390bbdf
-A cali-from-wl-dispatch-b -m comment --comment "cali:BD5_lAV2MzgY2GKB" -m comment --comment "Unknown interface" -j DROP
-A cali-fw-cali071740d01ce -m comment --comment "cali:fQzj4B5O9GncVG_l" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali071740d01ce -m comment --comment "cali:RdqYNKkfmyIIDyct" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali071740d01ce -m comment --comment "cali:vhIZ1gzuP1cuju65" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali071740d01ce -m comment --comment "cali:g-twoQRqAXc-ijJB" -j cali-pro-kns.default
-A cali-fw-cali071740d01ce -m comment --comment "cali:Mm8LuQAZsdOOA8GT" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali071740d01ce -m comment --comment "cali:483-aZe8nvf6GkR0" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali0f90fa3ec58 -m comment --comment "cali:CBrOqm6xFpdRzt9E" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali0f90fa3ec58 -m comment --comment "cali:43MmXlEZnqPbdjLj" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali0f90fa3ec58 -m comment --comment "cali:Xt-bYnk93tcyTd6F" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali0f90fa3ec58 -m comment --comment "cali:MblPY750EZTS1xgT" -j cali-pro-kns.default
-A cali-fw-cali0f90fa3ec58 -m comment --comment "cali:otCxM6fY_HI9u9yI" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali0f90fa3ec58 -m comment --comment "cali:Yh_ViP6sKwI2bKDU" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali11239f98883 -m comment --comment "cali:UWHyKfzmT4oWoNDe" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali11239f98883 -m comment --comment "cali:HQPHvGI41AYi87rq" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali11239f98883 -m comment --comment "cali:2L39BEmQ2YDiqDLu" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali11239f98883 -m comment --comment "cali:7UJ3d8LVn0tKpJDt" -j cali-pro-kns.monitoring
-A cali-fw-cali11239f98883 -m comment --comment "cali:YFwci7lbkpCUt2MV" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali11239f98883 -m comment --comment "cali:22K3hWq58fwQFQj0" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali1f3ee5e103f -m comment --comment "cali:1JS-NfANwS0skxMc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali1f3ee5e103f -m comment --comment "cali:f8Nt_Iu3DjxdBbWO" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali1f3ee5e103f -m comment --comment "cali:oTdTsSKIOKcSB1AI" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali1f3ee5e103f -m comment --comment "cali:9v-r3vIDON3vl5m9" -j cali-pro-kns.default
-A cali-fw-cali1f3ee5e103f -m comment --comment "cali:5B4iOTOZSgmTltGM" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali1f3ee5e103f -m comment --comment "cali:4yni85cClKHBfFru" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali21b57f50c1a -m comment --comment "cali:2QZ-PXfEUn9fitYB" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali21b57f50c1a -m comment --comment "cali:ECsKSUmuaOwncXAp" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali21b57f50c1a -m comment --comment "cali:anVcxzIISIsWtaqQ" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali21b57f50c1a -m comment --comment "cali:4Dl-1RGj_G-v6N5P" -j cali-pro-kns.default
-A cali-fw-cali21b57f50c1a -m comment --comment "cali:kO7MZNbXcbdon_go" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali21b57f50c1a -m comment --comment "cali:F2xmWXvLHnIew2sZ" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali25b9a1b0d15 -m comment --comment "cali:pEfgQounQwLsBw5W" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali25b9a1b0d15 -m comment --comment "cali:SLpep0Bvu--dHAaO" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali25b9a1b0d15 -m comment --comment "cali:3NB4kWfibd2vTJMB" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali25b9a1b0d15 -m comment --comment "cali:Tvrk-2q21feUWMag" -j cali-pro-kns.default
-A cali-fw-cali25b9a1b0d15 -m comment --comment "cali:z3RiNSvoIx9pAeo8" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali25b9a1b0d15 -m comment --comment "cali:AdxfrLg5-8EHvksw" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali40d3624cf34 -m comment --comment "cali:dlsJciAtMH45Xn2W" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali40d3624cf34 -m comment --comment "cali:oJZN8msctWarMT13" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali40d3624cf34 -m comment --comment "cali:O9a-yoxbuUOkRmX_" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali40d3624cf34 -m comment --comment "cali:37MagJREYflIzZn0" -j cali-pro-kns.default
-A cali-fw-cali40d3624cf34 -m comment --comment "cali:d7dmUdv0xU61VABU" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali40d3624cf34 -m comment --comment "cali:r_mPkHSR2GwPLVmH" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali5039a0227d9 -m comment --comment "cali:80C1RB409W6CS6FA" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali5039a0227d9 -m comment --comment "cali:1M_VJVehP5ZBRZJc" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali5039a0227d9 -m comment --comment "cali:jhpwtuFL52T2Ndtj" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali5039a0227d9 -m comment --comment "cali:oar4SKZchraMw3ym" -j cali-pro-kns.monitoring
-A cali-fw-cali5039a0227d9 -m comment --comment "cali:fvnLB7GUUcSOKl7G" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali5039a0227d9 -m comment --comment "cali:qpOplgrwMLFwFgqw" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali535a4e1eaef -m comment --comment "cali:GoEJfFosnWnGWPFs" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali535a4e1eaef -m comment --comment "cali:Sp83MfdaRCjeK1yn" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali535a4e1eaef -m comment --comment "cali:Mtx2plgJ4bc0WGqY" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali535a4e1eaef -m comment --comment "cali:HmZDO2XkgECJcb6S" -j cali-pro-kns.default
-A cali-fw-cali535a4e1eaef -m comment --comment "cali:ihWekgHcqFJ4kN2B" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali535a4e1eaef -m comment --comment "cali:yBoyEeCoQCS9ZCOk" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali6309ad0d4e3 -m comment --comment "cali:g-2PeE6YN3XcfiKT" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali6309ad0d4e3 -m comment --comment "cali:URbrvV8jfxXvQpB6" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali6309ad0d4e3 -m comment --comment "cali:XLMCvI2UYqW699rj" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali6309ad0d4e3 -m comment --comment "cali:J3aE7nS4WAU7RstP" -j cali-pro-kns.default
-A cali-fw-cali6309ad0d4e3 -m comment --comment "cali:cnx5-Ew5emhz5qSl" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali6309ad0d4e3 -m comment --comment "cali:Uo0lwm70DfDLKVs6" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali764314fcdea -m comment --comment "cali:Nhwa8iiS5TmzBFpZ" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali764314fcdea -m comment --comment "cali:BTPvvYUXHEuxlhlL" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali764314fcdea -m comment --comment "cali:f_OQJSuN5LVvitK6" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali764314fcdea -m comment --comment "cali:Rxs5IGY3vJQ13eDO" -j cali-pro-kns.default
-A cali-fw-cali764314fcdea -m comment --comment "cali:JYkU6g4sJrrlu4MR" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali764314fcdea -m comment --comment "cali:Z4FvQl7umuZsFUkE" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali77cb96a0922 -m comment --comment "cali:WZa87w-DkIfS7V_Y" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali77cb96a0922 -m comment --comment "cali:ED7XHNGiup3MgTCD" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali77cb96a0922 -m comment --comment "cali:NipJx86l19-touMU" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali77cb96a0922 -m comment --comment "cali:GX2siA_ZbOWt0aOE" -j cali-pro-kns.default
-A cali-fw-cali77cb96a0922 -m comment --comment "cali:R9vi65omFLzuxmEv" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali77cb96a0922 -m comment --comment "cali:dCY0YVUXeunJcd6T" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali79578072159 -m comment --comment "cali:AfN5xhjsKfB_dMyP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali79578072159 -m comment --comment "cali:6Puiu_sDGvOSUsz2" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali79578072159 -m comment --comment "cali:qRk8EwkFCv7jXpVm" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali79578072159 -m comment --comment "cali:YiJEhSmRswaK516b" -j cali-pro-kns.default
-A cali-fw-cali79578072159 -m comment --comment "cali:k5HQ1TntQTMLVGR4" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali79578072159 -m comment --comment "cali:H9KlUwwITFeAUN40" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali7d6effdbcf0 -m comment --comment "cali:4_yH3_xUvwys3Gvw" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali7d6effdbcf0 -m comment --comment "cali:QCe4rXuvespwVtqa" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali7d6effdbcf0 -m comment --comment "cali:qDp1zEQeHBuiWi9T" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali7d6effdbcf0 -m comment --comment "cali:kQXkiOYmpbyh6d-t" -j cali-pro-kns.default
-A cali-fw-cali7d6effdbcf0 -m comment --comment "cali:VQ_SJNosuJqgIlJj" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali7d6effdbcf0 -m comment --comment "cali:8OgoLu6jAJeYwVPC" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali8224bf4c0aa -m comment --comment "cali:Dpe4avhM1TDNqT4G" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali8224bf4c0aa -m comment --comment "cali:vRzsgRlhJkdETuHS" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali8224bf4c0aa -m comment --comment "cali:kh3bckqe4jr9GmLe" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali8224bf4c0aa -m comment --comment "cali:JTLqpfskzbneQM7L" -j cali-pro-kns.default
-A cali-fw-cali8224bf4c0aa -m comment --comment "cali:mBaMH_X3KBnc0MhG" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali8224bf4c0aa -m comment --comment "cali:cDza8eSIicEip9UD" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali88c9d56734d -m comment --comment "cali:V0Aa7h7RRy8gzuKi" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali88c9d56734d -m comment --comment "cali:geZDYhszRYE2f3NA" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali88c9d56734d -m comment --comment "cali:LR0x2isGufIAmfAQ" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali88c9d56734d -m comment --comment "cali:ACWbcch13ENdAJ6f" -j cali-pro-kns.default
-A cali-fw-cali88c9d56734d -m comment --comment "cali:vF2DOoZRomTVlJFF" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali88c9d56734d -m comment --comment "cali:rMcbnCWgjbjbeRr-" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali9448e85cbcf -m comment --comment "cali:RgQBKUxee0_3GbH9" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali9448e85cbcf -m comment --comment "cali:qq7iUrRbPTUVDjxi" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali9448e85cbcf -m comment --comment "cali:lgS4Ag9wV2CvTzAZ" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali9448e85cbcf -m comment --comment "cali:H7FlcM36vDX12jC3" -j cali-pro-kns.default
-A cali-fw-cali9448e85cbcf -m comment --comment "cali:zgyVmoLN_MS3aQfe" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali9448e85cbcf -m comment --comment "cali:dWnnZ5Brj7S1NpwQ" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali978b69e8fe9 -m comment --comment "cali:l5SEfz9ImeEJuOjc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali978b69e8fe9 -m comment --comment "cali:6bKbmyxKTWqAdPVQ" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali978b69e8fe9 -m comment --comment "cali:Txw42l_-_3voEfD1" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali978b69e8fe9 -m comment --comment "cali:nSswGoNSQz21kTtB" -j cali-pro-kns.default
-A cali-fw-cali978b69e8fe9 -m comment --comment "cali:MuR7K_UG5KXJkG0L" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali978b69e8fe9 -m comment --comment "cali:HUaLXU0IjuRWDudE" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali9d631d3c0ca -m comment --comment "cali:eizvMy4sLRrkF0pl" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali9d631d3c0ca -m comment --comment "cali:ZCzIwhGFbrgPY3XZ" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali9d631d3c0ca -m comment --comment "cali:TMKGPUFiZUTaB8MR" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali9d631d3c0ca -m comment --comment "cali:0NGfoDxubDTZ-TZv" -j cali-pro-kns.default
-A cali-fw-cali9d631d3c0ca -m comment --comment "cali:JUqxaTMObQbafi8V" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali9d631d3c0ca -m comment --comment "cali:JQNyWoDMiD2HuoBl" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-calia4e9baced41 -m comment --comment "cali:zgP4aoX2BzIcvYzd" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-calia4e9baced41 -m comment --comment "cali:0mliiRWTWu0kbOsa" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-calia4e9baced41 -m comment --comment "cali:xbjzpJRYMXBt7Q9n" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-calia4e9baced41 -m comment --comment "cali:uogTO7WhXMGQJBZj" -j cali-pro-kns.default
-A cali-fw-calia4e9baced41 -m comment --comment "cali:P0veJTRU4GfkY75V" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-calia4e9baced41 -m comment --comment "cali:vdPKQYzml_LKB1BZ" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-calia85d85d4f5c -m comment --comment "cali:RacZwUxnfgxpqVU7" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-calia85d85d4f5c -m comment --comment "cali:ErUxu_JzaDkKwYi6" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-calia85d85d4f5c -m comment --comment "cali:CfbMjtZBmQ0I17yr" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-calia85d85d4f5c -m comment --comment "cali:Zlmxf-uIlOktvnmA" -j cali-pro-kns.default
-A cali-fw-calia85d85d4f5c -m comment --comment "cali:2zYWgb-PmnPJCzhA" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-calia85d85d4f5c -m comment --comment "cali:6a8-7V3BHhh09_hK" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-caliab276a425c1 -m comment --comment "cali:4zzXxwPdRmnVXhmr" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-caliab276a425c1 -m comment --comment "cali:UTnIbpkkyT8j1yvQ" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-caliab276a425c1 -m comment --comment "cali:ys2Q9ze0Tjn7LvFP" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-caliab276a425c1 -m comment --comment "cali:oNi2YNbkgj2HEY9Z" -j cali-pro-kns.default
-A cali-fw-caliab276a425c1 -m comment --comment "cali:Vp-iOpxKb-aUaiPu" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-caliab276a425c1 -m comment --comment "cali:XlyPOqwpdr_fu9rN" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-calib5c22879e61 -m comment --comment "cali:FnChPIibIHq7ERUq" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-calib5c22879e61 -m comment --comment "cali:Xu5OxbRDWq4SiiGt" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-calib5c22879e61 -m comment --comment "cali:76LGueUcWEJNSK8J" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-calib5c22879e61 -m comment --comment "cali:ebvbFduOlhePEyQm" -j cali-pro-kns.default
-A cali-fw-calib5c22879e61 -m comment --comment "cali:UkGKzS338Tavir-X" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-calib5c22879e61 -m comment --comment "cali:R0VY0LMTlbehUFmd" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-calibb84390bbdf -m comment --comment "cali:ECmPSe3L1fYYQfZF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-calibb84390bbdf -m comment --comment "cali:LVmntCUz623WqrxM" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-calibb84390bbdf -m comment --comment "cali:AdFxU_J9TWTTB066" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-calibb84390bbdf -m comment --comment "cali:W18WceDU9nVB5EyL" -j cali-pro-kns.default
-A cali-fw-calibb84390bbdf -m comment --comment "cali:nZHABdD14Njy_9UF" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-calibb84390bbdf -m comment --comment "cali:qz-uXbcSFxwGTqVx" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-caliecc56958316 -m comment --comment "cali:hq-RIIHXhNGSgI-b" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-caliecc56958316 -m comment --comment "cali:Lbgi5o4ngyn1p6X5" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-caliecc56958316 -m comment --comment "cali:1yeTZFJeSlgZSR6_" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-caliecc56958316 -m comment --comment "cali:5hMJwvGDEGZvFm5j" -j cali-pro-kns.default
-A cali-fw-caliecc56958316 -m comment --comment "cali:gxkBL3a648prJuWS" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-caliecc56958316 -m comment --comment "cali:7b0xlKDSODfVypUH" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-califda98f676cf -m comment --comment "cali:tNdg_oeijH6guNXB" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-califda98f676cf -m comment --comment "cali:FGF8BCjLVIiWwt95" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-califda98f676cf -m comment --comment "cali:q99sXWE-1lS3LBJC" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-califda98f676cf -m comment --comment "cali:pfcjFK8ymvEPYEkw" -j cali-pro-kns.default
-A cali-fw-califda98f676cf -m comment --comment "cali:bONRZries_JUIYpg" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-califda98f676cf -m comment --comment "cali:iOHX7p6VFFqN70FL" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-pri-kns.default -m comment --comment "cali:5yVkkQ7pBcxxkSaE" -j MARK --set-xmark 0x1000000/0x1000000
-A cali-pri-kns.default -m comment --comment "cali:pZi5w5MrTl3DghSD" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-pri-kns.monitoring -m comment --comment "cali:oPMCXSERxOyy2rZf" -j MARK --set-xmark 0x1000000/0x1000000
-A cali-pri-kns.monitoring -m comment --comment "cali:mmcSrb1DDc4pJWRy" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-pro-kns.default -m comment --comment "cali:gbqtfAKh_VXndzz6" -j MARK --set-xmark 0x1000000/0x1000000
-A cali-pro-kns.default -m comment --comment "cali:JMure-l4CiemFMIB" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-pro-kns.monitoring -m comment --comment "cali:fxoIMhDrZqEZQnMm" -j MARK --set-xmark 0x1000000/0x1000000
-A cali-pro-kns.monitoring -m comment --comment "cali:GAgtexm48uQCx9qM" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-to-wl-dispatch -o cali0+ -m comment --comment "cali:dIkHjFD9PelLx7cm" -g cali-to-wl-dispatch-0
-A cali-to-wl-dispatch -o cali1+ -m comment --comment "cali:cOtVr_jX21sbMubK" -g cali-to-wl-dispatch-1
-A cali-to-wl-dispatch -o cali2+ -m comment --comment "cali:DzxtnY8HbTKkqBjq" -g cali-to-wl-dispatch-2
-A cali-to-wl-dispatch -o cali40d3624cf34 -m comment --comment "cali:dmyHD_NBR4RbajFX" -g cali-tw-cali40d3624cf34
-A cali-to-wl-dispatch -o cali5+ -m comment --comment "cali:VVnWoMJdDCyaT5Al" -g cali-to-wl-dispatch-5
-A cali-to-wl-dispatch -o cali6309ad0d4e3 -m comment --comment "cali:8KyIBxyXwPMCp6p6" -g cali-tw-cali6309ad0d4e3
-A cali-to-wl-dispatch -o cali7+ -m comment --comment "cali:yCIyP7HFJ_I84NW_" -g cali-to-wl-dispatch-7
-A cali-to-wl-dispatch -o cali8+ -m comment --comment "cali:vG-ddDGt36t8wzO3" -g cali-to-wl-dispatch-8
-A cali-to-wl-dispatch -o cali9+ -m comment --comment "cali:3qFt9V3wIKRPuUD8" -g cali-to-wl-dispatch-9
-A cali-to-wl-dispatch -o calia+ -m comment --comment "cali:lZCwXYv3V_owTIAE" -g cali-to-wl-dispatch-a
-A cali-to-wl-dispatch -o calib+ -m comment --comment "cali:D0rAw8f-LFiQooXq" -g cali-to-wl-dispatch-b
-A cali-to-wl-dispatch -o caliecc56958316 -m comment --comment "cali:X0rzPIoIfnKt65sH" -g cali-tw-caliecc56958316
-A cali-to-wl-dispatch -o califda98f676cf -m comment --comment "cali:CuL-HHQJ76gl-nUT" -g cali-tw-califda98f676cf
-A cali-to-wl-dispatch -m comment --comment "cali:7vFmRT8si0VTwA9I" -m comment --comment "Unknown interface" -j DROP
-A cali-to-wl-dispatch-0 -o cali071740d01ce -m comment --comment "cali:Oxh8BprIMgEaNpFx" -g cali-tw-cali071740d01ce
-A cali-to-wl-dispatch-0 -o cali0f90fa3ec58 -m comment --comment "cali:94F-6yIForeFK_gT" -g cali-tw-cali0f90fa3ec58
-A cali-to-wl-dispatch-0 -m comment --comment "cali:TBGYjZdVC4Yybajv" -m comment --comment "Unknown interface" -j DROP
-A cali-to-wl-dispatch-1 -o cali11239f98883 -m comment --comment "cali:CtrEnFL0nneci_8V" -g cali-tw-cali11239f98883
-A cali-to-wl-dispatch-1 -o cali1f3ee5e103f -m comment --comment "cali:7w7kLu0fzCGprUfY" -g cali-tw-cali1f3ee5e103f
-A cali-to-wl-dispatch-1 -m comment --comment "cali:QAlB9cjtfEsK2F6Q" -m comment --comment "Unknown interface" -j DROP
-A cali-to-wl-dispatch-2 -o cali21b57f50c1a -m comment --comment "cali:p3Zhxvpv6suPYODd" -g cali-tw-cali21b57f50c1a
-A cali-to-wl-dispatch-2 -o cali25b9a1b0d15 -m comment --comment "cali:ZRAd38yjIcgwzAZb" -g cali-tw-cali25b9a1b0d15
-A cali-to-wl-dispatch-2 -m comment --comment "cali:hyvH4UD0XvWXSoja" -m comment --comment "Unknown interface" -j DROP
-A cali-to-wl-dispatch-5 -o cali5039a0227d9 -m comment --comment "cali:p73dxXWqvKD3PKd5" -g cali-tw-cali5039a0227d9
-A cali-to-wl-dispatch-5 -o cali535a4e1eaef -m comment --comment "cali:zrUrUNXu9sryrJn6" -g cali-tw-cali535a4e1eaef
-A cali-to-wl-dispatch-5 -m comment --comment "cali:7m0PqaBKNR0WuL4n" -m comment --comment "Unknown interface" -j DROP
-A cali-to-wl-dispatch-7 -o cali764314fcdea -m comment --comment "cali:yAw4IevkSgCpFxsb" -g cali-tw-cali764314fcdea
-A cali-to-wl-dispatch-7 -o cali77cb96a0922 -m comment --comment "cali:5w-EDDWQ9vscvanL" -g cali-tw-cali77cb96a0922
-A cali-to-wl-dispatch-7 -o cali79578072159 -m comment --comment "cali:KPgz8B0SOg0_kXSP" -g cali-tw-cali79578072159
-A cali-to-wl-dispatch-7 -o cali7d6effdbcf0 -m comment --comment "cali:ZEllk2D3woBa9whe" -g cali-tw-cali7d6effdbcf0
-A cali-to-wl-dispatch-7 -m comment --comment "cali:kSAnHYGxW36y5KL6" -m comment --comment "Unknown interface" -j DROP
-A cali-to-wl-dispatch-8 -o cali8224bf4c0aa -m comment --comment "cali:tNSDIzpdag7-xvYs" -g cali-tw-cali8224bf4c0aa
-A cali-to-wl-dispatch-8 -o cali88c9d56734d -m comment --comment "cali:3K5gdC2w2kquRu_9" -g cali-tw-cali88c9d56734d
-A cali-to-wl-dispatch-8 -m comment --comment "cali:KprnWSulVcOrLU68" -m comment --comment "Unknown interface" -j DROP
-A cali-to-wl-dispatch-9 -o cali9448e85cbcf -m comment --comment "cali:H1Lkcm7fCMhUzrhv" -g cali-tw-cali9448e85cbcf
-A cali-to-wl-dispatch-9 -o cali978b69e8fe9 -m comment --comment "cali:fKrwCzzlS2dMOtWi" -g cali-tw-cali978b69e8fe9
-A cali-to-wl-dispatch-9 -o cali9d631d3c0ca -m comment --comment "cali:mayu459MrAIkT-kn" -g cali-tw-cali9d631d3c0ca
-A cali-to-wl-dispatch-9 -m comment --comment "cali:VphQIRZ_qmZTJZwf" -m comment --comment "Unknown interface" -j DROP
-A cali-to-wl-dispatch-a -o calia4e9baced41 -m comment --comment "cali:R2NojdYSOIMnpVOq" -g cali-tw-calia4e9baced41
-A cali-to-wl-dispatch-a -o calia85d85d4f5c -m comment --comment "cali:yKHpNPZrsBl9P1eA" -g cali-tw-calia85d85d4f5c
-A cali-to-wl-dispatch-a -o caliab276a425c1 -m comment --comment "cali:o-xFY2wTJw33PBhJ" -g cali-tw-caliab276a425c1
-A cali-to-wl-dispatch-a -m comment --comment "cali:IcaJ68VCOIidyj3w" -m comment --comment "Unknown interface" -j DROP
-A cali-to-wl-dispatch-b -o calib5c22879e61 -m comment --comment "cali:00QzuY7oTPrSBDwQ" -g cali-tw-calib5c22879e61
-A cali-to-wl-dispatch-b -o calibb84390bbdf -m comment --comment "cali:WPe7_3zdVi2oO6P4" -g cali-tw-calibb84390bbdf
-A cali-to-wl-dispatch-b -m comment --comment "cali:a1FG3O13_eqr8pXV" -m comment --comment "Unknown interface" -j DROP
-A cali-tw-cali071740d01ce -m comment --comment "cali:I6grCyTWrpsFjd4K" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali071740d01ce -m comment --comment "cali:S29W-t7QjbUAjnPn" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali071740d01ce -m comment --comment "cali:eTncSwrgsOBH_fcp" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali071740d01ce -m comment --comment "cali:vNc7WwQ6IaOFUn1q" -j cali-pri-kns.default
-A cali-tw-cali071740d01ce -m comment --comment "cali:LIT-2Os3TNQl3_YN" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali071740d01ce -m comment --comment "cali:h28QONHmwlXhdmTW" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali0f90fa3ec58 -m comment --comment "cali:zOQ5UOcnwLs8zVpJ" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali0f90fa3ec58 -m comment --comment "cali:EJwqGpDPryutqd3s" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali0f90fa3ec58 -m comment --comment "cali:Z7eLtBfnmOlun9MP" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali0f90fa3ec58 -m comment --comment "cali:bhY5u8LyxoRfzq2x" -j cali-pri-kns.default
-A cali-tw-cali0f90fa3ec58 -m comment --comment "cali:DoyODP8Lw2naXg7Q" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali0f90fa3ec58 -m comment --comment "cali:rBLRpdtISyH4ViG-" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali11239f98883 -m comment --comment "cali:63AiEhcKlL4J9x0W" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali11239f98883 -m comment --comment "cali:U_uF6VQoKAohXmTC" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali11239f98883 -m comment --comment "cali:iIK_YKafg85j07gs" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali11239f98883 -m comment --comment "cali:mm9oS8-cy3jfjoYt" -j cali-pri-kns.monitoring
-A cali-tw-cali11239f98883 -m comment --comment "cali:gydP89j_2cgXaE_G" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali11239f98883 -m comment --comment "cali:bePUhbnFEJxTqXxE" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali1f3ee5e103f -m comment --comment "cali:bvXOBbaiCe-pQF11" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali1f3ee5e103f -m comment --comment "cali:YRrRDTsWaorivUNx" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali1f3ee5e103f -m comment --comment "cali:TTkNo5xU-2DbQ4i8" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali1f3ee5e103f -m comment --comment "cali:OtyakaFcEJoPaoAD" -j cali-pri-kns.default
-A cali-tw-cali1f3ee5e103f -m comment --comment "cali:Dj0zLhfqEu6tG9lK" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali1f3ee5e103f -m comment --comment "cali:NfquxkJLUS2IwsnI" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali21b57f50c1a -m comment --comment "cali:6ciBEB5ocicLWkzM" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali21b57f50c1a -m comment --comment "cali:-JcTF3SCjaECutpE" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali21b57f50c1a -m comment --comment "cali:AWSJrwAnlgF2Fpza" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali21b57f50c1a -m comment --comment "cali:pYtRNUreu7c4cm3i" -j cali-pri-kns.default
-A cali-tw-cali21b57f50c1a -m comment --comment "cali:ohXiZwsxWatyVOr8" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali21b57f50c1a -m comment --comment "cali:VhftkeUQlvNeO5kH" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali25b9a1b0d15 -m comment --comment "cali:C6cOmKVrvlwpT5X8" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali25b9a1b0d15 -m comment --comment "cali:y1jPY26zJzOM8Kr_" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali25b9a1b0d15 -m comment --comment "cali:OcUyxnN2E29loib6" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali25b9a1b0d15 -m comment --comment "cali:oS4ZlehkRzJA3pzx" -j cali-pri-kns.default
-A cali-tw-cali25b9a1b0d15 -m comment --comment "cali:gCP-Z5mpPlR5V1Rf" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali25b9a1b0d15 -m comment --comment "cali:NR8iiAvaoA2IELsj" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali40d3624cf34 -m comment --comment "cali:b2iqPLUd5cAxa766" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali40d3624cf34 -m comment --comment "cali:6FKJMc4D_4vtyyLS" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali40d3624cf34 -m comment --comment "cali:hQ52W8AMj_WKKW95" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali40d3624cf34 -m comment --comment "cali:-es39YWiWAuBImHl" -j cali-pri-kns.default
-A cali-tw-cali40d3624cf34 -m comment --comment "cali:QBqN1N9IZVvCq-h7" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali40d3624cf34 -m comment --comment "cali:4QTK_SLVRnkQVL7g" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali5039a0227d9 -m comment --comment "cali:_BWIow4MBSmkRktr" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali5039a0227d9 -m comment --comment "cali:bkZc6IWCVGjtZxDL" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali5039a0227d9 -m comment --comment "cali:6i1fjBPOq1Dfdqik" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali5039a0227d9 -m comment --comment "cali:qhbh2-5vJJvoCQMF" -j cali-pri-kns.monitoring
-A cali-tw-cali5039a0227d9 -m comment --comment "cali:DKyzBFK-6dIqF6Or" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali5039a0227d9 -m comment --comment "cali:jqYf32GicA6GlMvi" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali535a4e1eaef -m comment --comment "cali:yZy4T1qnlU9yjXkd" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali535a4e1eaef -m comment --comment "cali:sgPs6xjVG3rlSggq" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali535a4e1eaef -m comment --comment "cali:K9ReePGkOhIDRtXE" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali535a4e1eaef -m comment --comment "cali:sGY12w0HTsGdZQ81" -j cali-pri-kns.default
-A cali-tw-cali535a4e1eaef -m comment --comment "cali:2WnXRtwnkOvC8rqd" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali535a4e1eaef -m comment --comment "cali:FYsVLf5OIA8W423H" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali6309ad0d4e3 -m comment --comment "cali:YpWa_eEs7a9PFiad" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali6309ad0d4e3 -m comment --comment "cali:GtOkx-dF3ZPKkzPf" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali6309ad0d4e3 -m comment --comment "cali:oamvnvjvtkMawkWC" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali6309ad0d4e3 -m comment --comment "cali:j_Zmeok4uy2DzrmY" -j cali-pri-kns.default
-A cali-tw-cali6309ad0d4e3 -m comment --comment "cali:_fjv44I7hdK2mHFW" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali6309ad0d4e3 -m comment --comment "cali:aD2yHI5NjyKOCmA7" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali764314fcdea -m comment --comment "cali:qksF2v_kw3tnMZW8" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali764314fcdea -m comment --comment "cali:Hu3n5EPZcE4BTgIr" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali764314fcdea -m comment --comment "cali:wEqsbADYjZdzWRZB" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali764314fcdea -m comment --comment "cali:ZSarCi0SOtmP5d-I" -j cali-pri-kns.default
-A cali-tw-cali764314fcdea -m comment --comment "cali:LY15qRT-RlTdPnDY" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali764314fcdea -m comment --comment "cali:hvAZs-hSCqT8ZBbA" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali77cb96a0922 -m comment --comment "cali:mC6ZbTPIK4oIKq9H" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali77cb96a0922 -m comment --comment "cali:Tj1-x3mwGnH5Nly8" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali77cb96a0922 -m comment --comment "cali:okRYA3FkTnE902IR" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali77cb96a0922 -m comment --comment "cali:t_oDJS3L8kWI2RXQ" -j cali-pri-kns.default
-A cali-tw-cali77cb96a0922 -m comment --comment "cali:YBmK2CnS9cQvUdCb" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali77cb96a0922 -m comment --comment "cali:dulC-U756mfO7XtO" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali79578072159 -m comment --comment "cali:onSLjKGa9Gd4Zt7P" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali79578072159 -m comment --comment "cali:BShWwL6CwI4xcV4t" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali79578072159 -m comment --comment "cali:xwD3CPxTSWXJ2lnN" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali79578072159 -m comment --comment "cali:r-ccSCbymMFraBRP" -j cali-pri-kns.default
-A cali-tw-cali79578072159 -m comment --comment "cali:NYZqETD6-ipTOVKJ" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali79578072159 -m comment --comment "cali:BBPqnFoj-PlONDLc" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali7d6effdbcf0 -m comment --comment "cali:HJ3amOiBqhbmY8PP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali7d6effdbcf0 -m comment --comment "cali:b3aN0DI0-61eS9qU" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali7d6effdbcf0 -m comment --comment "cali:O8zhZg5kNJZ-XTTp" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali7d6effdbcf0 -m comment --comment "cali:BBlJMEywEhl2V2Im" -j cali-pri-kns.default
-A cali-tw-cali7d6effdbcf0 -m comment --comment "cali:nERGtxLG63nRddIp" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali7d6effdbcf0 -m comment --comment "cali:PMGvNn1NegZtuEMt" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali8224bf4c0aa -m comment --comment "cali:G003gsJfRLmqC1Zu" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali8224bf4c0aa -m comment --comment "cali:1ParTgGQbZG18gku" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali8224bf4c0aa -m comment --comment "cali:sKgakcuCaUUVnwlD" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali8224bf4c0aa -m comment --comment "cali:FtocbTCw0XFWguZu" -j cali-pri-kns.default
-A cali-tw-cali8224bf4c0aa -m comment --comment "cali:kl2G-SfJqxwskVe8" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali8224bf4c0aa -m comment --comment "cali:BerdtxtPT8tvD95g" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali88c9d56734d -m comment --comment "cali:GuJkVobXaAu84EGt" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali88c9d56734d -m comment --comment "cali:3AlJEzqdo_7lAipE" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali88c9d56734d -m comment --comment "cali:_BdgSf683EU0hPV2" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali88c9d56734d -m comment --comment "cali:IRdysO3MpFurZSaP" -j cali-pri-kns.default
-A cali-tw-cali88c9d56734d -m comment --comment "cali:ScR2NE9CS8WbMNsm" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali88c9d56734d -m comment --comment "cali:5dVoDeS0FDbUdZGW" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali9448e85cbcf -m comment --comment "cali:wtfPA7i1UZ4L1u3k" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali9448e85cbcf -m comment --comment "cali:E0cjFJ5qVOkZjJ-A" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali9448e85cbcf -m comment --comment "cali:QoBO64QaUnY9r8oh" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali9448e85cbcf -m comment --comment "cali:mCDdYopVRZCfRi7g" -j cali-pri-kns.default
-A cali-tw-cali9448e85cbcf -m comment --comment "cali:Gal8llL13aSy3nMf" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali9448e85cbcf -m comment --comment "cali:o2f9n0gxviSIqcL_" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali978b69e8fe9 -m comment --comment "cali:L-tBQOXXZ1dKLUE8" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali978b69e8fe9 -m comment --comment "cali:JkAapx82kTODEGQL" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali978b69e8fe9 -m comment --comment "cali:RN6eDFLj-B7gvSha" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali978b69e8fe9 -m comment --comment "cali:MbFhfgM9UbBKpxHu" -j cali-pri-kns.default
-A cali-tw-cali978b69e8fe9 -m comment --comment "cali:RIQbQFcEfXSgzjwi" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali978b69e8fe9 -m comment --comment "cali:P_vfhQ4CaW7WUiLW" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali9d631d3c0ca -m comment --comment "cali:SM8J8kfXHCBJ8jJC" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali9d631d3c0ca -m comment --comment "cali:wZzdAZC0MlmjzHB_" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali9d631d3c0ca -m comment --comment "cali:dFZ0MUXCacEmiZy8" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali9d631d3c0ca -m comment --comment "cali:UDEX3h1Zuzgud6ZZ" -j cali-pri-kns.default
-A cali-tw-cali9d631d3c0ca -m comment --comment "cali:9Xz1XvYeldPrDenx" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali9d631d3c0ca -m comment --comment "cali:NarBPvDakowcsYhF" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-calia4e9baced41 -m comment --comment "cali:NafhjOzOvXx3rwjm" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-calia4e9baced41 -m comment --comment "cali:t58ggT5MmWGThuok" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-calia4e9baced41 -m comment --comment "cali:jCHnqnqtfS_oW05S" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-calia4e9baced41 -m comment --comment "cali:idTVv6YWeRan_HAM" -j cali-pri-kns.default
-A cali-tw-calia4e9baced41 -m comment --comment "cali:xrMjZWZhLdvEMVX7" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-calia4e9baced41 -m comment --comment "cali:4YIvvOx4ITdPzXfK" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-calia85d85d4f5c -m comment --comment "cali:9MSjBLVmGnZAF8zo" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-calia85d85d4f5c -m comment --comment "cali:QqffMYqBAi1GA0WL" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-calia85d85d4f5c -m comment --comment "cali:KiqFsKnZxG7DK5OY" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-calia85d85d4f5c -m comment --comment "cali:2nZvHf2oaALsPJEJ" -j cali-pri-kns.default
-A cali-tw-calia85d85d4f5c -m comment --comment "cali:MzgQLNFBmAp6aa9U" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-calia85d85d4f5c -m comment --comment "cali:Zb89W1xd3oHJo27J" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-caliab276a425c1 -m comment --comment "cali:zIukMtr12AnPq2TX" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-caliab276a425c1 -m comment --comment "cali:YK8o8sYh493O8q20" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-caliab276a425c1 -m comment --comment "cali:OTsIqYEbnwDFXVeO" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-caliab276a425c1 -m comment --comment "cali:bPj7teNAUhxFFWl_" -j cali-pri-kns.default
-A cali-tw-caliab276a425c1 -m comment --comment "cali:iaAX02ON3bp6bqQ9" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-caliab276a425c1 -m comment --comment "cali:21L3DAttI7PsF7SZ" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-calib5c22879e61 -m comment --comment "cali:xCHB6_fNrRLXJlVr" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-calib5c22879e61 -m comment --comment "cali:o4I8kayYragiZRVf" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-calib5c22879e61 -m comment --comment "cali:H6Lxerlw3sEM-Pds" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-calib5c22879e61 -m comment --comment "cali:JgcA31koegU5GE0m" -j cali-pri-kns.default
-A cali-tw-calib5c22879e61 -m comment --comment "cali:dTfIRR2vl0wVn4rP" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-calib5c22879e61 -m comment --comment "cali:N9buMmn1BrTZW_Qq" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-calibb84390bbdf -m comment --comment "cali:-ZBMT_yj9MJk1jA2" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-calibb84390bbdf -m comment --comment "cali:-ph_ZagKnr33oFS0" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-calibb84390bbdf -m comment --comment "cali:JLJkcKqQm1dXoznD" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-calibb84390bbdf -m comment --comment "cali:pZWMMUykyM7RF5il" -j cali-pri-kns.default
-A cali-tw-calibb84390bbdf -m comment --comment "cali:E7GaNN8egpAPg1h4" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-calibb84390bbdf -m comment --comment "cali:-vqcoiFrmam_O7MJ" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-caliecc56958316 -m comment --comment "cali:xUzhMaDZEG8Zm0Ox" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-caliecc56958316 -m comment --comment "cali:2fcuYgdrphJlJep0" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-caliecc56958316 -m comment --comment "cali:SGiIdyYTzT75FrbH" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-caliecc56958316 -m comment --comment "cali:QjE_5E2W8hVBGe4C" -j cali-pri-kns.default
-A cali-tw-caliecc56958316 -m comment --comment "cali:tS6REF1rlKK49XVa" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-caliecc56958316 -m comment --comment "cali:PfB3wrSu_ttjaNT3" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-califda98f676cf -m comment --comment "cali:rsgcS1NuNguGgEVJ" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-califda98f676cf -m comment --comment "cali:kPw4PYGth4HFhUgm" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-califda98f676cf -m comment --comment "cali:m4p9E8xJtt1ntk5U" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-califda98f676cf -m comment --comment "cali:292jXyHEQlxFaOOh" -j cali-pri-kns.default
-A cali-tw-califda98f676cf -m comment --comment "cali:aiqWaoAUpF3bAJ5p" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-califda98f676cf -m comment --comment "cali:E4mHs610p3kNBoBk" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-wl-to-host -m comment --comment "cali:Ee9Sbo10IpVujdIY" -j cali-from-wl-dispatch
-A cali-wl-to-host -m comment --comment "cali:nSZbcOoG1xPONxb8" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
COMMIT
# Completed on Fri Mar  9 17:08:39 2018

@tmjd
Contributor Author

tmjd commented Mar 29, 2018

Rebased onto master

@liwenwu-amazon liwenwu-amazon merged commit bd3297a into aws:master Mar 30, 2018