Here you go:
sbezverk@kube-4:~$ sudo nft --debug=netlink list ruleset
ip kube-nfproxy-v4 filter-input 23
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ immediate reg 0 jump -> k8s-filter-services ]
userdata = {
ip kube-nfproxy-v4 filter-input 24 23
[ immediate reg 0 jump -> k8s-filter-firewall ]
userdata = {
ip kube-nfproxy-v4 filter-output 27
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ immediate reg 0 jump -> k8s-filter-services ]
userdata = {
ip kube-nfproxy-v4 filter-output 28 27
[ immediate reg 0 jump -> k8s-filter-firewall ]
userdata = {
ip kube-nfproxy-v4 filter-forward 25
[ immediate reg 0 jump -> k8s-filter-forward ]
userdata = {
ip kube-nfproxy-v4 filter-forward 26 25
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ immediate reg 0 jump -> k8s-filter-services ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-firewall 29
[ meta load mark => reg 1 ]
[ cmp eq reg 1 0x00008000 ]
[ immediate reg 0 drop ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-services 35
[ payload load 1b @ network header + 9 => reg 1 ]
[ payload load 4b @ network header + 16 => reg 9 ]
[ payload load 2b @ transport header + 2 => reg 10 ]
[ lookup reg 1 set no-endpoints dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-forward 30
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000001 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ immediate reg 0 drop ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-forward 31 30
[ meta load mark => reg 1 ]
[ cmp eq reg 1 0x00004000 ]
[ immediate reg 0 accept ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-forward 32 31
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000f0ff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00007039 ]
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000006 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ immediate reg 0 accept ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-forward 33 32
[ payload load 4b @ network header + 16 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000f0ff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00007039 ]
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000006 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ immediate reg 0 accept ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-do-reject 34
[ reject type 0 code 1 ]
userdata = {
ip kube-nfproxy-v4 nat-preroutin 36
[ immediate reg 0 jump -> k8s-nat-services ]
userdata = {
ip kube-nfproxy-v4 nat-output 37
[ immediate reg 0 jump -> k8s-nat-services ]
userdata = {
ip kube-nfproxy-v4 nat-postrouting 38
[ immediate reg 0 jump -> k8s-nat-postrouting ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-mark-drop 39
[ immediate reg 1 0x00008000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-do-mark-masq 47
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
[ immediate reg 0 return ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-mark-masq 48
[ payload load 1b @ network header + 9 => reg 1 ]
[ payload load 4b @ network header + 16 => reg 9 ]
[ payload load 2b @ transport header + 2 => reg 10 ]
[ lookup reg 1 set do-mark-masq dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-mark-masq 49 48
[ immediate reg 0 return ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-services 41
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000f0ff ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00007039 ]
[ immediate reg 0 jump -> k8s-nat-mark-masq ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-services 42 41
[ payload load 1b @ network header + 9 => reg 1 ]
[ payload load 4b @ network header + 16 => reg 9 ]
[ payload load 2b @ transport header + 2 => reg 10 ]
[ lookup reg 1 set cluster-ip dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-services 43 42
[ payload load 1b @ network header + 9 => reg 1 ]
[ payload load 4b @ network header + 16 => reg 9 ]
[ payload load 2b @ transport header + 2 => reg 10 ]
[ lookup reg 1 set external-ip dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-services 44 43
[ payload load 1b @ network header + 9 => reg 1 ]
[ payload load 4b @ network header + 16 => reg 9 ]
[ payload load 2b @ transport header + 2 => reg 10 ]
[ lookup reg 1 set loadbalancer-ip dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-services 45 44
[ fib daddr type => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ immediate reg 0 jump -> k8s-nat-nodeports ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-nodeports 46
[ payload load 1b @ network header + 9 => reg 1 ]
[ payload load 2b @ transport header + 2 => reg 9 ]
[ lookup reg 1 set nodeports dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-postrouting 40
[ meta load mark => reg 1 ]
[ cmp eq reg 1 0x00004000 ]
[ masq flags 0xc ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-Z2V2H34MNX3I6O2G 112
[ numgen reg 1 = inc mod 2 ]
[ lookup reg 1 set __map2 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-Z2V2H34MNX3I6O2G 59 112
[ counter pkts 1 bytes 60 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-WTQR35QT3M6PVG5X 54
[ counter pkts 3 bytes 180 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-WTQR35QT3M6PVG5X 55 54
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x6850a8c0 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-WTQR35QT3M6PVG5X 56 55
[ immediate reg 1 0x6850a8c0 ]
[ immediate reg 2 0x00002b19 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-WTQR35QT3M6PVG5X 108 56
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-WTQR35QT3M6PVG5X 109 108
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x6850a8c0 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-WTQR35QT3M6PVG5X 110 109
[ immediate reg 1 0x6850a8c0 ]
[ immediate reg 2 0x00002b19 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-M53CN2XYVUHRQ7UB 170
[ numgen reg 1 = inc mod 3 ]
[ lookup reg 1 set __map5 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-M53CN2XYVUHRQ7UB 76 170
[ counter pkts 4 bytes 240 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-PL4AZP3AKMRCVEEV 101
[ numgen reg 1 = inc mod 2 ]
[ lookup reg 1 set __map1 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-PL4AZP3AKMRCVEEV 83 101
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-F3FYSUNEU5GRF2PR 67
[ counter pkts 156 bytes 9360 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-F3FYSUNEU5GRF2PR 68 67
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x27007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-F3FYSUNEU5GRF2PR 69 68
[ immediate reg 1 0x27007039 ]
[ immediate reg 2 0x0000911f ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-TMVEFT7EX55F4T62 71
[ counter pkts 3 bytes 180 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-TMVEFT7EX55F4T62 72 71
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x29007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-TMVEFT7EX55F4T62 73 72
[ immediate reg 1 0x29007039 ]
[ immediate reg 2 0x0000901f ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-UOK7V3LF34NNNXJK 78
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-UOK7V3LF34NNNXJK 79 78
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x29007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-UOK7V3LF34NNNXJK 80 79
[ immediate reg 1 0x29007039 ]
[ immediate reg 2 0x00009a1f ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-ZQKXCYOBISQCSH6Q 124
[ numgen reg 1 = inc mod 1 ]
[ lookup reg 1 set __map4 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-ZQKXCYOBISQCSH6Q 125 124
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5 88
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5 89 88
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x34007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5 90 89
[ immediate reg 1 0x34007039 ]
[ immediate reg 2 0x00001d23 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-MLOFX2HRWDMEIJ2C 138
[ numgen reg 1 = inc mod 2 ]
[ lookup reg 1 set __map6 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-MLOFX2HRWDMEIJ2C 132 138
[ counter pkts 1597 bytes 126466 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-AB4FZJCEEYJGUR7G 97
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-AB4FZJCEEYJGUR7G 98 97
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x34007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-AB4FZJCEEYJGUR7G 99 98
[ immediate reg 1 0x34007039 ]
[ immediate reg 2 0x00002623 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-BKEZZE5BBBAFLJMD 151
[ numgen reg 1 = inc mod 2 ]
[ lookup reg 1 set __map7 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-BKEZZE5BBBAFLJMD 145 151
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-XZFCNG333PM4X5VI 164
[ numgen reg 1 = inc mod 2 ]
[ lookup reg 1 set __map8 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-XZFCNG333PM4X5VI 158 164
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-ALEQQYFAJOE576GL 117
[ numgen reg 1 = inc mod 1 ]
[ lookup reg 1 set __map0 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-ALEQQYFAJOE576GL 118 117
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-5CXJFIVYWUOH4QP5 120
[ counter pkts 1 bytes 60 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-5CXJFIVYWUOH4QP5 121 120
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2f007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-5CXJFIVYWUOH4QP5 122 121
[ immediate reg 1 0x2f007039 ]
[ immediate reg 2 0x0000bb01 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-ZLBUKWY4CZE4VBQ6 127
[ counter pkts 1597 bytes 127401 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-ZLBUKWY4CZE4VBQ6 128 127
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2a007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-ZLBUKWY4CZE4VBQ6 129 128
[ immediate reg 1 0x2a007039 ]
[ immediate reg 2 0x00003500 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-L7QM2ZN4KU2U3Y7S 134
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-L7QM2ZN4KU2U3Y7S 135 134
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2b007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-L7QM2ZN4KU2U3Y7S 136 135
[ immediate reg 1 0x2b007039 ]
[ immediate reg 2 0x00003500 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-47JQSZ5IZC6OSGGT 140
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-47JQSZ5IZC6OSGGT 141 140
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2a007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-47JQSZ5IZC6OSGGT 142 141
[ immediate reg 1 0x2a007039 ]
[ immediate reg 2 0x00003500 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-SLRAZLUBLWQJXVD6 147
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-SLRAZLUBLWQJXVD6 148 147
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2b007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-SLRAZLUBLWQJXVD6 149 148
[ immediate reg 1 0x2b007039 ]
[ immediate reg 2 0x00003500 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-MDXSOI4QEYHXQ5TE 153
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-MDXSOI4QEYHXQ5TE 154 153
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2a007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-MDXSOI4QEYHXQ5TE 155 154
[ immediate reg 1 0x2a007039 ]
[ immediate reg 2 0x0000c123 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-MQDIJAQHMGQYQDQC 160
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-MQDIJAQHMGQYQDQC 161 160
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2b007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-MQDIJAQHMGQYQDQC 162 161
[ immediate reg 1 0x2b007039 ]
[ immediate reg 2 0x0000c123 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-23NTSA2UXPPQIPK4 166
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-23NTSA2UXPPQIPK4 167 166
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x35007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-23NTSA2UXPPQIPK4 168 167
[ immediate reg 1 0x35007039 ]
[ immediate reg 2 0x00005322 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
}
chain forward {
type filter hook forward priority filter; policy accept;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
table ip kube-nfproxy-v4 {
map no-endpoints {
type inet_proto . ipv4_addr . inet_service : verdict
}
map do-mark-masq {
type inet_proto . ipv4_addr . inet_service : verdict
elements = { tcp . 57.128.0.1 . 443 : jump k8s-nat-do-mark-masq,
tcp . 57.128.0.10 . 53 : jump k8s-nat-do-mark-masq,
tcp . 57.128.0.10 . 9153 : jump k8s-nat-do-mark-masq,
tcp . 57.139.80.125 . 8081 : jump k8s-nat-do-mark-masq,
tcp . 57.141.10.218 . 443 : jump k8s-nat-do-mark-masq,
tcp . 57.141.53.140 . 808 : jump k8s-nat-do-mark-masq,
tcp . 192.168.80.104 . 808 : jump k8s-nat-do-mark-masq,
udp . 57.128.0.10 . 53 : jump k8s-nat-do-mark-masq,
udp . 57.141.53.140 . 809 : jump k8s-nat-do-mark-masq,
udp . 192.168.80.104 . 809 : jump k8s-nat-do-mark-masq }
}
map cluster-ip {
type inet_proto . ipv4_addr . inet_service : verdict
elements = { tcp . 57.128.0.1 . 443 : jump k8s-nfproxy-svc-Z2V2H34MNX3I6O2G,
tcp . 57.128.0.10 . 53 : jump k8s-nfproxy-svc-BKEZZE5BBBAFLJMD,
tcp . 57.128.0.10 . 9153 : jump k8s-nfproxy-svc-XZFCNG333PM4X5VI,
tcp . 57.139.80.125 . 8081 : jump k8s-nfproxy-svc-ALEQQYFAJOE576GL,
tcp . 57.141.10.218 . 443 : jump k8s-nfproxy-svc-ZQKXCYOBISQCSH6Q,
tcp . 57.141.53.140 . 808 : jump k8s-nfproxy-svc-M53CN2XYVUHRQ7UB,
udp . 57.128.0.10 . 53 : jump k8s-nfproxy-svc-MLOFX2HRWDMEIJ2C,
udp . 57.141.53.140 . 809 : jump k8s-nfproxy-svc-PL4AZP3AKMRCVEEV }
}
map external-ip {
type inet_proto . ipv4_addr . inet_service : verdict
elements = { tcp . 192.168.80.104 . 808 : jump k8s-nfproxy-svc-M53CN2XYVUHRQ7UB,
udp . 192.168.80.104 . 809 : jump k8s-nfproxy-svc-PL4AZP3AKMRCVEEV }
}
map loadbalancer-ip {
type inet_proto . ipv4_addr . inet_service : verdict
}
map nodeports {
type inet_proto . inet_service : verdict
elements = { tcp . 30283 : jump k8s-nfproxy-svc-ALEQQYFAJOE576GL }
}
chain filter-input {
type filter hook input priority filter; policy accept;
ct state new jump k8s-filter-services comment " jump k8s-filter-firewall comment "}
chain filter-output {
type filter hook output priority filter; policy accept;
ct state new jump k8s-filter-services
jump k8s-filter-firewall comment "}
chain filter-forward {
type filter hook forward priority filter; policy accept;
jump k8s-filter-forward
ct state new jump k8s-filter-services comment "}
chain k8s-filter-firewall {
meta mark 0x00008000 drop
}
chain k8s-filter-services {
ip protocol . ip daddr . @th,16,16 vmap @no-endpoints
}
chain k8s-filter-forward {
ct state invalid drop
meta mark 0x00004000 accept comment " ip saddr 57.112.0.0/12 ct state established,related accept
ip daddr 57.112.0.0/12 ct state established,related accept
}
chain k8s-filter-do-reject {
reject with icmp type host-unreachable
}
chain nat-preroutin {
type nat hook prerouting priority filter; policy accept;
jump k8s-nat-services
}
chain nat-output {
type nat hook output priority filter; policy accept;
jump k8s-nat-services
}
chain nat-postrouting {
type nat hook postrouting priority filter; policy accept;
jump k8s-nat-postrouting comment "}
chain k8s-nat-mark-drop {
meta mark set 0x00008000
}
chain k8s-nat-do-mark-masq {
meta mark set 0x00004000 return
}
chain k8s-nat-mark-masq {
ip protocol . ip daddr . @th,16,16 vmap @do-mark-masq
return comment ""
}
chain k8s-nat-services {
ip saddr != 57.112.0.0/12 jump k8s-nat-mark-masq
ip protocol . ip daddr . @th,16,16 vmap @cluster-ip comment " ip protocol . ip daddr . @th,16,16 vmap @external-ip
ip protocol . ip daddr . @th,16,16 vmap @loadbalancer-ip
fib daddr type local jump k8s-nat-nodeports comment "2"
}
chain k8s-nat-nodeports {
ip protocol . @th,16,16 vmap @nodeports comment ""
}
chain k8s-nat-postrouting {
meta mark 0x00004000 masquerade random,persistent comment ""
}
chain k8s-nfproxy-svc-Z2V2H34MNX3I6O2G {
numgen inc mod 2 vmap { 0 : goto k8s-nfproxy-sep-WTQR35QT3M6PVG5X, 1 : goto k8s-nfproxy-sep-WTQR35QT3M6PVG5X }
counter packets 1 bytes 60 comment ""
}
chain k8s-nfproxy-fw-Z2V2H34MNX3I6O2G {
}
chain k8s-nfproxy-xlb-Z2V2H34MNX3I6O2G {
}
chain k8s-nfproxy-sep-WTQR35QT3M6PVG5X {
counter packets 3 bytes 180 comment ""
ip saddr 192.168.80.104 meta mark set 0x00004000 comment ""
dnat to 192.168.80.104:6443 fully-random
counter packets 0 bytes 0
ip saddr 192.168.80.104 meta mark set 0x00004000 comment ""
dnat to 192.168.80.104:6443 fully-random comment ""
}
chain k8s-nfproxy-svc-M53CN2XYVUHRQ7UB {
numgen inc mod 3 vmap { 0 : goto k8s-nfproxy-sep-TMVEFT7EX55F4T62, 1 : goto k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5, 2 : goto k8s-nfproxy-sep-23NTSA2UXPPQIPK4 }
counter packets 4 bytes 240 comment ""
}
chain k8s-nfproxy-fw-M53CN2XYVUHRQ7UB {
}
chain k8s-nfproxy-xlb-M53CN2XYVUHRQ7UB {
}
chain k8s-nfproxy-svc-PL4AZP3AKMRCVEEV {
numgen inc mod 2 vmap { 0 : goto k8s-nfproxy-sep-UOK7V3LF34NNNXJK, 1 : goto k8s-nfproxy-sep-AB4FZJCEEYJGUR7G }
counter packets 0 bytes 0 comment ""
}
chain k8s-nfproxy-fw-PL4AZP3AKMRCVEEV {
}
chain k8s-nfproxy-xlb-PL4AZP3AKMRCVEEV {
}
chain k8s-nfproxy-sep-F3FYSUNEU5GRF2PR {
counter packets 156 bytes 9360 comment ""
ip saddr 57.112.0.39 meta mark set 0x00004000 comment ""
dnat to 57.112.0.39:8081 fully-random
}
chain k8s-nfproxy-sep-TMVEFT7EX55F4T62 {
counter packets 3 bytes 180 comment ""
ip saddr 57.112.0.41 meta mark set 0x00004000 comment ""
dnat to 57.112.0.41:8080 fully-random
}
chain k8s-nfproxy-sep-UOK7V3LF34NNNXJK {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.41 meta mark set 0x00004000 comment ""
dnat to 57.112.0.41:8090 fully-random
}
chain k8s-nfproxy-svc-ZQKXCYOBISQCSH6Q {
numgen inc mod 1 vmap { 0 : goto k8s-nfproxy-sep-5CXJFIVYWUOH4QP5 } comment ""
counter packets 0 bytes 0 comment ""
}
chain k8s-nfproxy-fw-ZQKXCYOBISQCSH6Q {
}
chain k8s-nfproxy-xlb-ZQKXCYOBISQCSH6Q {
}
chain k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5 {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.52 meta mark set 0x00004000 comment ""
dnat to 57.112.0.52:8989 fully-random
}
chain k8s-nfproxy-svc-MLOFX2HRWDMEIJ2C {
numgen inc mod 2 vmap { 0 : goto k8s-nfproxy-sep-ZLBUKWY4CZE4VBQ6, 1 : goto k8s-nfproxy-sep-L7QM2ZN4KU2U3Y7S }
counter packets 1597 bytes 126466 comment ""
}
chain k8s-nfproxy-fw-MLOFX2HRWDMEIJ2C {
}
chain k8s-nfproxy-xlb-MLOFX2HRWDMEIJ2C {
}
chain k8s-nfproxy-sep-AB4FZJCEEYJGUR7G {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.52 meta mark set 0x00004000 comment ""
dnat to 57.112.0.52:8998 fully-random
}
chain k8s-nfproxy-svc-BKEZZE5BBBAFLJMD {
numgen inc mod 2 vmap { 0 : goto k8s-nfproxy-sep-47JQSZ5IZC6OSGGT, 1 : goto k8s-nfproxy-sep-SLRAZLUBLWQJXVD6 }
counter packets 0 bytes 0 comment ""
}
chain k8s-nfproxy-fw-BKEZZE5BBBAFLJMD {
}
chain k8s-nfproxy-xlb-BKEZZE5BBBAFLJMD {
}
chain k8s-nfproxy-svc-XZFCNG333PM4X5VI {
numgen inc mod 2 vmap { 0 : goto k8s-nfproxy-sep-MDXSOI4QEYHXQ5TE, 1 : goto k8s-nfproxy-sep-MQDIJAQHMGQYQDQC }
counter packets 0 bytes 0 comment ""
}
chain k8s-nfproxy-fw-XZFCNG333PM4X5VI {
}
chain k8s-nfproxy-xlb-XZFCNG333PM4X5VI {
}
chain k8s-nfproxy-svc-ALEQQYFAJOE576GL {
numgen inc mod 1 vmap { 0 : goto k8s-nfproxy-sep-F3FYSUNEU5GRF2PR } comment ""
counter packets 0 bytes 0 comment ""
}
chain k8s-nfproxy-fw-ALEQQYFAJOE576GL {
}
chain k8s-nfproxy-xlb-ALEQQYFAJOE576GL {
}
chain k8s-nfproxy-sep-5CXJFIVYWUOH4QP5 {
counter packets 1 bytes 60 comment ""
ip saddr 57.112.0.47 meta mark set 0x00004000 comment ""
dnat to 57.112.0.47:443 fully-random
}
chain k8s-nfproxy-sep-ZLBUKWY4CZE4VBQ6 {
counter packets 1597 bytes 127401 comment ""
ip saddr 57.112.0.42 meta mark set 0x00004000 comment ""
dnat to 57.112.0.42:53 fully-random
}
chain k8s-nfproxy-sep-L7QM2ZN4KU2U3Y7S {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.43 meta mark set 0x00004000 comment ""
dnat to 57.112.0.43:53 fully-random
}
chain k8s-nfproxy-sep-47JQSZ5IZC6OSGGT {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.42 meta mark set 0x00004000 comment ""
dnat to 57.112.0.42:53 fully-random
}
chain k8s-nfproxy-sep-SLRAZLUBLWQJXVD6 {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.43 meta mark set 0x00004000 comment ""
dnat to 57.112.0.43:53 fully-random
}
chain k8s-nfproxy-sep-MDXSOI4QEYHXQ5TE {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.42 meta mark set 0x00004000 comment ""
dnat to 57.112.0.42:9153 fully-random
}
chain k8s-nfproxy-sep-MQDIJAQHMGQYQDQC {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.43 meta mark set 0x00004000 comment ""
dnat to 57.112.0.43:9153 fully-random
}
chain k8s-nfproxy-sep-23NTSA2UXPPQIPK4 {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.53 meta mark set 0x00004000 comment ""
dnat to 57.112.0.53:8787 fully-random
}
}
table ip6 kube-nfproxy-v6 {
}
sbezverk@kube-4:~$
On 2020-01-20, 5:00 PM, "Florian Westphal" <fw@xxxxxxxxx> wrote:
sbezverk <sbezverk@xxxxxxxxx> wrote:
> Numgen has GOTO directive and not Jump (Phil asked to change it), I thought it means after hitting any chains in numgen the processing will go back to service chain, no?
>
> It is Ubuntu 18.04
>
> sbezverk@kube-4:~$ uname -a
> Linux kube-4 5.4.10-050410-generic #202001091038 SMP Thu Jan 9 10:41:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> sbezverk@kube-4:~$ sudo nft --version
> nftables v0.9.1 (Headless Horseman)
> sbezverk@kube-4:~$
>
> I also want to remind you that I do NOT use nft cli to program rules, I use nft cli just to see resulting rules.
In that case, please include "nft --debug=netlink list ruleset".
It would also be good to check if things work when you add it via nft
tool.
> >
> > chain k8s-nfproxy-svc-M53CN2XYVUHRQ7UB {
> > numgen inc mod 2 vmap { 0 : goto k8s-nfproxy-sep-TMVEFT7EX55F4T62, 1 : goto k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5 }
> > counter packets 1 bytes 60 comment ""
> > }
Just to clarify, the "goto" means that the "counter" should NEVER
increment here because nft interpreter returns to the chain that had
"jump k8s-nfproxy-svc-M53CN2XYVUHRQ7UB".
jump and goto do the same thing except that goto doesn't record the
location/chain to return to.
