12 diagrams to help you easily understand how iptables rule chains are traversed in 6 Calico host/pod access scenarios (Part 2)

See also: 12 diagrams to help you easily understand how iptables rule chains are traversed in 6 Calico host/pod access scenarios (Part 1)



Scenario 5: access between different containers on the same node

# master node
tcpdump -nn -i cali8b980351434 -w 5-master-cali.cap
tcpdump -nn -i tunl0 -w 5-master-tunl0.cap
tcpdump -nn -i ens33 -w 5-master-ens33.cap
# worker node ("node")
tcpdump -nn -i ens33 -w 5-node-ens33.cap
tcpdump -nn -i tunl0 -w 5-node-tunl0.cap
tcpdump -nn -i cali3494337d77e -w 5-node-cali.cap


cat /var/log/iptables.log 

request

Jan 13 20:23:03 master kernel: device cali8b980351434 entered promiscuous mode
Jan 13 20:23:09 master kernel: device tunl0 entered promiscuous mode
Jan 13 20:23:14 master kernel: device ens33 entered promiscuous mode
Jan 13 20:23:17 master kernel: device cali3582606acef entered promiscuous mode
Jan 13 20:23:58 master kernel: IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: raw:PREROUTING:policy:4 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: mangle:PREROUTING:rule:1 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: mangle:PREROUTING:policy:2 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: nat:PREROUTING:rule:1 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: nat:cali-fip-dnat:return:1 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: nat:cali-PREROUTING:return:2 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: nat:PREROUTING:rule:2 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: nat:KUBE-SERVICES:return:4 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: nat:PREROUTING:policy:4 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: mangle:FORWARD:policy:1 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: filter:FORWARD:rule:1 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-FORWARD:rule:1 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-FORWARD:rule:2 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-FORWARD:rule:3 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-from-wl-dispatch:rule:3 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-fw-cali8b980351434:rule:3 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-fw-cali8b980351434:rule:6 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-pro-kns.test:rule:1 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-pro-kns.test:rule:2 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-fw-cali8b980351434:rule:7 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-FORWARD:rule:4 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-to-wl-dispatch:rule:1 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-tw-cali3582606acef:rule:3 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-tw-cali3582606acef:rule:4 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-pri-kns.test:rule:1 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-pri-kns.test:rule:2 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-tw-cali3582606acef:rule:5 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-FORWARD:rule:5 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-FORWARD:rule:6 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-cidr-block:return:1 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-FORWARD:return:7 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:FORWARD:rule:2 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:KUBE-FORWARD:return:4 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:FORWARD:rule:3 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:DOCKER-USER:return:1 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:FORWARD:rule:4 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:DOCKER-ISOLATION-STAGE-1:return:2 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: filter:FORWARD:rule:9 IN=cali8b980351434 OUT=cali3582606acef MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=cali3582606acef SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: mangle:cali-POSTROUTING:rule:1 IN= OUT=cali3582606acef SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=cali3582606acef SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=cali3582606acef SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: nat:cali-POSTROUTING:rule:1 IN= OUT=cali3582606acef SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: nat:cali-fip-snat:return:1 IN= OUT=cali3582606acef SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: nat:cali-POSTROUTING:rule:2 IN= OUT=cali3582606acef SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: nat:cali-nat-outgoing:return:2 IN= OUT=cali3582606acef SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: nat:cali-POSTROUTING:return:4 IN= OUT=cali3582606acef SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: nat:POSTROUTING:rule:2 IN= OUT=cali3582606acef SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: nat:KUBE-POSTROUTING:rule:1 IN= OUT=cali3582606acef SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000
Jan 13 20:23:58 master kernel: TRACE: nat:POSTROUTING:policy:4 IN= OUT=cali3582606acef SRC=172.248.219.111 DST=172.248.219.110 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0 MARK=0x10000


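The tunl0 and ens33 captures are empty: the packet is forwarded directly from one cali interface to the other, as the IN= and OUT= fields in the trace show.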


reply

Jan 13 20:23:58 master kernel: IN=cali3582606acef OUT= MAC=ee:ee:ee:ee:ee:ee:62:fa:66:e2:88:ec:08:00 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: raw:PREROUTING:policy:4 IN=cali3582606acef OUT= MAC=ee:ee:ee:ee:ee:ee:62:fa:66:e2:88:ec:08:00 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: mangle:PREROUTING:rule:1 IN=cali3582606acef OUT= MAC=ee:ee:ee:ee:ee:ee:62:fa:66:e2:88:ec:08:00 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=cali3582606acef OUT= MAC=ee:ee:ee:ee:ee:ee:62:fa:66:e2:88:ec:08:00 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: mangle:FORWARD:policy:1 IN=cali3582606acef OUT=cali8b980351434 MAC=ee:ee:ee:ee:ee:ee:62:fa:66:e2:88:ec:08:00 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: filter:FORWARD:rule:1 IN=cali3582606acef OUT=cali8b980351434 MAC=ee:ee:ee:ee:ee:ee:62:fa:66:e2:88:ec:08:00 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-FORWARD:rule:1 IN=cali3582606acef OUT=cali8b980351434 MAC=ee:ee:ee:ee:ee:ee:62:fa:66:e2:88:ec:08:00 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0 MARK=0x40000
Jan 13 20:23:58 master kernel: TRACE: filter:cali-FORWARD:rule:2 IN=cali3582606acef OUT=cali8b980351434 MAC=ee:ee:ee:ee:ee:ee:62:fa:66:e2:88:ec:08:00 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=cali3582606acef OUT=cali8b980351434 MAC=ee:ee:ee:ee:ee:ee:62:fa:66:e2:88:ec:08:00 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-FORWARD:rule:3 IN=cali3582606acef OUT=cali8b980351434 MAC=ee:ee:ee:ee:ee:ee:62:fa:66:e2:88:ec:08:00 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-from-wl-dispatch:rule:1 IN=cali3582606acef OUT=cali8b980351434 MAC=ee:ee:ee:ee:ee:ee:62:fa:66:e2:88:ec:08:00 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: filter:cali-fw-cali3582606acef:rule:1 IN=cali3582606acef OUT=cali8b980351434 MAC=ee:ee:ee:ee:ee:ee:62:fa:66:e2:88:ec:08:00 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=cali8b980351434 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=cali8b980351434 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=cali8b980351434 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0
Jan 13 20:23:58 master kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=cali8b980351434 SRC=172.248.219.110 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0
Jan 13 20:24:02 master kernel: device cali8b980351434 left promiscuous mode
Jan 13 20:24:02 master kernel: device tunl0 left promiscuous mode
Jan 13 20:24:02 master kernel: device ens33 left promiscuous mode
Jan 13 20:24:02 master kernel: device cali3582606acef left promiscuous mode
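
The following added example (not code from the original post) parses `TRACE:` lines such as those in the scenario 5 request and reply logs above and reports, per packet, the table:hook stages entered, the last rule hit in each stage, where the logged MARK changes, and the egress interface. The function names and the `SAMPLE` list are assumptions of this example; `SAMPLE` is an abridged copy of lines from the log above (MAC/LEN/TOS/PREC/TTL fields dropped, most hops omitted).

```python
"""Reconstruct iptables rule-chain traversal from kernel TRACE log lines."""
import re
from collections import OrderedDict

# TRACE: <table>:<chain>:<rule|return|policy>:<rulenum> <packet fields>
TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>[^:\s]+):"
    r"(?P<kind>rule|return|policy):(?P<num>\d+) (?P<pkt>.*)$"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

# Abridged sample built from the scenario 5 log (not a verbatim copy).
IF_A, IF_B = "cali8b980351434", "cali3582606acef"
PFX = "Jan 13 20:23:58 master kernel: TRACE: "
REQ = "SRC=172.248.219.111 DST=172.248.219.110 ID=47109 DF PROTO=ICMP TYPE=8 CODE=0 ID=6656 SEQ=0"
REP = "SRC=172.248.219.110 DST=172.248.219.111 ID=11449 PROTO=ICMP TYPE=0 CODE=0 ID=6656 SEQ=0"
SAMPLE = [
    f"Jan 13 20:23:03 master kernel: device {IF_A} entered promiscuous mode",
    f"{PFX}raw:PREROUTING:policy:4 IN={IF_A} OUT= {REQ} MARK=0x40000",
    f"{PFX}nat:PREROUTING:policy:4 IN={IF_A} OUT= {REQ} MARK=0x40000",
    f"{PFX}filter:FORWARD:rule:1 IN={IF_A} OUT={IF_B} {REQ} MARK=0x40000",
    f"{PFX}filter:cali-FORWARD:rule:1 IN={IF_A} OUT={IF_B} {REQ} MARK=0x40000",
    f"{PFX}filter:cali-FORWARD:rule:2 IN={IF_A} OUT={IF_B} {REQ}",
    f"{PFX}filter:cali-pro-kns.test:rule:1 IN={IF_A} OUT={IF_B} {REQ}",
    f"{PFX}filter:cali-pro-kns.test:rule:2 IN={IF_A} OUT={IF_B} {REQ} MARK=0x10000",
    f"{PFX}filter:FORWARD:rule:9 IN={IF_A} OUT={IF_B} {REQ} MARK=0x10000",
    f"{PFX}nat:POSTROUTING:policy:4 IN= OUT={IF_B} {REQ} MARK=0x10000",
    f"{PFX}raw:PREROUTING:policy:4 IN={IF_B} OUT= {REP} MARK=0x40000",
    f"{PFX}mangle:PREROUTING:rule:1 IN={IF_B} OUT= {REP} MARK=0x40000",
    f"{PFX}mangle:cali-PREROUTING:rule:1 IN={IF_B} OUT= {REP} MARK=0x40000",
    f"{PFX}filter:FORWARD:rule:1 IN={IF_B} OUT={IF_A} {REP} MARK=0x40000",
    f"{PFX}filter:cali-FORWARD:rule:2 IN={IF_B} OUT={IF_A} {REP}",
    f"{PFX}filter:cali-fw-{IF_B}:rule:1 IN={IF_B} OUT={IF_A} {REP}",
    f"{PFX}mangle:POSTROUTING:policy:2 IN= OUT={IF_A} {REP}",
]


def parse_trace(line):
    """Return one hop as a dict, or None for non-TRACE lines."""
    m = TRACE_RE.search(line)
    if not m:
        return None  # promiscuous-mode notices, plain LOG lines, etc.
    fields = {}
    for key, val in FIELD_RE.findall(m["pkt"]):
        fields.setdefault(key, val)  # first ID= is the IP ID, second is the ICMP id
    return {
        "table": m["table"], "chain": m["chain"],
        "kind": m["kind"], "num": int(m["num"]),
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        "flow": (fields.get("SRC"), fields.get("DST"), fields.get("ID")),
        "mark": fields.get("MARK"),  # None when the line carries no MARK=
    }


def group_by_packet(lines):
    """Group hops per packet, keyed by (SRC, DST, IP ID), in log order."""
    flows = OrderedDict()
    for line in lines:
        hop = parse_trace(line)
        if hop:
            flows.setdefault(hop["flow"], []).append(hop)
    return flows


def summarize(hops):
    """Summarize one packet's walk through the tables."""
    stages = OrderedDict()      # "table:HOOK" -> last hop logged in that stage
    marks, prev = [], object()  # (hop, MARK) each time the logged MARK changes
    stage = None
    for h in hops:
        label = f'{h["table"]}:{h["chain"]}:{h["kind"]}:{h["num"]}'
        if h["chain"] in BUILTIN:
            stage = f'{h["table"]}:{h["chain"]}'
        elif stage is None or stage.split(":")[0] != h["table"]:
            stage = f'{h["table"]}:?'  # log starts mid-traversal; hook unknown
        stages[stage] = label
        # TRACE logs the packet when a rule matches, before that rule's target
        # runs, so a changed MARK was set by an earlier hop.
        if h["mark"] != prev:
            marks.append((label, h["mark"]))
            prev = h["mark"]
    return {"stages": list(stages), "last_hop": dict(stages),
            "marks": marks, "egress": hops[-1]["out"]}


if __name__ == "__main__":
    for flow, hops in group_by_packet(SAMPLE).items():
        s = summarize(hops)
        print(flow, "->", s["egress"])
        print("  stages:", " > ".join(s["stages"]))
        print("  marks: ", s["marks"])
```

On the sample, the reply packet never enters the nat table and leaves the filter table at `cali-fw-cali3582606acef` rule 1, while the request is traced through nat in both PREROUTING and POSTROUTING.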


Scenario 6: containers accessing each other across nodes

# master node
tcpdump -nn -i cali8b980351434 -w 6-master-cali.cap
tcpdump -nn -i tunl0 -w 6-master-tunl0.cap
tcpdump -nn -i ens33 -w 6-master-ens33.cap
# worker node ("node")
tcpdump -nn -i ens33 -w 6-node-ens33.cap
tcpdump -nn -i tunl0 -w 6-node-tunl0.cap
tcpdump -nn -i cali3494337d77e -w 6-node-cali.cap


cat /var/log/iptables.log 


master request

Jan 13 20:26:27 master kernel: device cali8b980351434 entered promiscuous mode
Jan 13 20:26:33 master kernel: device tunl0 entered promiscuous mode
Jan 13 20:26:37 master kernel: device ens33 entered promiscuous mode
Jan 13 20:27:10 master kernel: IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: raw:PREROUTING:policy:4 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: mangle:PREROUTING:rule:1 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: mangle:PREROUTING:policy:2 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: nat:PREROUTING:rule:1 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: nat:cali-fip-dnat:return:1 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: nat:cali-PREROUTING:return:2 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: nat:PREROUTING:rule:2 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: nat:KUBE-SERVICES:return:4 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: nat:PREROUTING:policy:4 IN=cali8b980351434 OUT= MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: mangle:FORWARD:policy:1 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: filter:FORWARD:rule:1 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: filter:cali-FORWARD:rule:1 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 master kernel: TRACE: filter:cali-FORWARD:rule:2 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-FORWARD:rule:3 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-from-wl-dispatch:rule:3 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-fw-cali8b980351434:rule:3 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-fw-cali8b980351434:rule:6 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-pro-kns.test:rule:1 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-pro-kns.test:rule:2 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:cali-fw-cali8b980351434:rule:7 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:cali-FORWARD:rule:5 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:cali-FORWARD:rule:6 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:cali-cidr-block:return:1 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:cali-FORWARD:return:7 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:FORWARD:rule:2 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:KUBE-FORWARD:return:4 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:FORWARD:rule:3 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:DOCKER-USER:return:1 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:FORWARD:rule:4 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:DOCKER-ISOLATION-STAGE-1:return:2 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: filter:FORWARD:rule:9 IN=cali8b980351434 OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:b2:9d:08:c0:a8:85:08:00 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: mangle:cali-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: nat:cali-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: nat:cali-fip-snat:return:1 IN= OUT=tunl0 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: nat:cali-POSTROUTING:rule:2 IN= OUT=tunl0 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: nat:cali-nat-outgoing:return:2 IN= OUT=tunl0 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: nat:cali-POSTROUTING:return:4 IN= OUT=tunl0 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: nat:POSTROUTING:rule:2 IN= OUT=tunl0 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: nat:KUBE-POSTROUTING:rule:1 IN= OUT=tunl0 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 master kernel: TRACE: nat:POSTROUTING:policy:4 IN= OUT=tunl0 SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000

node request

Jan 13 20:26:44 node1 kernel: device ens33 entered promiscuous mode
Jan 13 20:26:47 node1 kernel: device tunl0 entered promiscuous mode
Jan 13 20:26:50 node1 kernel: device cali3494337d77e entered promiscuous mode
Jan 13 20:27:10 node1 kernel: IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: raw:PREROUTING:policy:4 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: mangle:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: mangle:cali-PREROUTING:rule:3 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: mangle:cali-from-host-endpoint:return:1 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: mangle:cali-PREROUTING:return:5 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: mangle:PREROUTING:policy:2 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: nat:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: nat:cali-PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: nat:cali-fip-dnat:return:1 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: nat:cali-PREROUTING:return:2 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: nat:PREROUTING:rule:2 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: nat:KUBE-SERVICES:return:4 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: nat:PREROUTING:policy:4 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: mangle:FORWARD:policy:1 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:FORWARD:rule:1 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-FORWARD:rule:4 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-to-wl-dispatch:rule:2 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-tw-cali3494337d77e:rule:3 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-tw-cali3494337d77e:rule:4 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-pri-kns.test:rule:1 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-pri-kns.test:rule:2 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-tw-cali3494337d77e:rule:5 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-FORWARD:rule:5 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-to-hep-forward:return:1 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-FORWARD:rule:6 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-cidr-block:return:1 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-FORWARD:return:7 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:FORWARD:rule:2 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:KUBE-FORWARD:return:4 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:FORWARD:rule:3 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:DOCKER-USER:return:1 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:FORWARD:rule:4 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:DOCKER-ISOLATION-STAGE-1:return:2 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:FORWARD:rule:9 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=cali3494337d77e SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: mangle:cali-POSTROUTING:rule:1 IN= OUT=cali3494337d77e SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=cali3494337d77e SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=cali3494337d77e SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: nat:cali-POSTROUTING:rule:1 IN= OUT=cali3494337d77e SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: nat:cali-fip-snat:return:1 IN= OUT=cali3494337d77e SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: nat:cali-POSTROUTING:rule:2 IN= OUT=cali3494337d77e SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: nat:cali-nat-outgoing:return:2 IN= OUT=cali3494337d77e SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: nat:cali-POSTROUTING:return:4 IN= OUT=cali3494337d77e SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: nat:POSTROUTING:rule:2 IN= OUT=cali3494337d77e SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: nat:KUBE-POSTROUTING:rule:1 IN= OUT=cali3494337d77e SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: nat:POSTROUTING:policy:4 IN= OUT=cali3494337d77e SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000

node reply

Jan 13 20:27:10 node1 kernel: IN=cali3494337d77e OUT= MAC=ee:ee:ee:ee:ee:ee:da:ac:74:e9:7b:c0:08:00 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 node1 kernel: TRACE: raw:PREROUTING:policy:4 IN=cali3494337d77e OUT= MAC=ee:ee:ee:ee:ee:ee:da:ac:74:e9:7b:c0:08:00 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 node1 kernel: TRACE: mangle:PREROUTING:rule:1 IN=cali3494337d77e OUT= MAC=ee:ee:ee:ee:ee:ee:da:ac:74:e9:7b:c0:08:00 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 node1 kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=cali3494337d77e OUT= MAC=ee:ee:ee:ee:ee:ee:da:ac:74:e9:7b:c0:08:00 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 node1 kernel: TRACE: mangle:FORWARD:policy:1 IN=cali3494337d77e OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:da:ac:74:e9:7b:c0:08:00 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 node1 kernel: TRACE: filter:FORWARD:rule:1 IN=cali3494337d77e OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:da:ac:74:e9:7b:c0:08:00 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-FORWARD:rule:1 IN=cali3494337d77e OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:da:ac:74:e9:7b:c0:08:00 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0 MARK=0x40000
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-FORWARD:rule:2 IN=cali3494337d77e OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:da:ac:74:e9:7b:c0:08:00 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=cali3494337d77e OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:da:ac:74:e9:7b:c0:08:00 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-FORWARD:rule:3 IN=cali3494337d77e OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:da:ac:74:e9:7b:c0:08:00 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-from-wl-dispatch:rule:2 IN=cali3494337d77e OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:da:ac:74:e9:7b:c0:08:00 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-fw-cali3494337d77e:rule:1 IN=cali3494337d77e OUT=tunl0 MAC=ee:ee:ee:ee:ee:ee:da:ac:74:e9:7b:c0:08:00 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=tunl0 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=tunl0 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=tunl0 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=tunl0 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:14 node1 kernel: device tunl0 left promiscuous mode
Jan 13 20:27:14 node1 kernel: device cali3494337d77e left promiscuous mode
Jan 13 20:27:14 node1 kernel: device ens33 left promiscuous mode

master reply

Jan 13 20:27:10 master kernel: IN=tunl0 OUT= MAC= SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: raw:PREROUTING:policy:4 IN=tunl0 OUT= MAC= SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: mangle:PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: mangle:cali-PREROUTING:rule:1 IN=tunl0 OUT= MAC= SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: mangle:FORWARD:policy:1 IN=tunl0 OUT=cali8b980351434 MAC= SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:FORWARD:rule:1 IN=tunl0 OUT=cali8b980351434 MAC= SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-FORWARD:rule:1 IN=tunl0 OUT=cali8b980351434 MAC= SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-FORWARD:rule:2 IN=tunl0 OUT=cali8b980351434 MAC= SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-from-hep-forward:return:1 IN=tunl0 OUT=cali8b980351434 MAC= SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-FORWARD:rule:4 IN=tunl0 OUT=cali8b980351434 MAC= SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-to-wl-dispatch:rule:3 IN=tunl0 OUT=cali8b980351434 MAC= SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: filter:cali-tw-cali8b980351434:rule:1 IN=tunl0 OUT=cali8b980351434 MAC= SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=cali8b980351434 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: mangle:cali-POSTROUTING:rule:3 IN= OUT=cali8b980351434 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: mangle:cali-POSTROUTING:return:6 IN= OUT=cali8b980351434 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 master kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=cali8b980351434 SRC=172.248.166.157 DST=172.248.219.111 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=47293 PROTO=ICMP TYPE=0 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:14 master kernel: device tunl0 left promiscuous mode
Jan 13 20:27:14 master kernel: device cali8b980351434 left promiscuous mode
Jan 13 20:27:14 master kernel: device ens33 left promiscuous mode
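
The traces above are easier to audit once they are reduced to a rule path per packet. The following is an added example, not code from the original post: it parses TRACE lines copied from the node1 request trace, rebuilds the traversal, and reports which rule was traced just before the 0x10000 mark appeared and where the TTL dropped. The function names are hypothetical, and attributing a mark change to the preceding traced rule is an assumption that matches the trace shown here.

```python
import re

# The filter table on this page matches this bit with the comment
# "Policy explicitly accepted packet." (mark match 0x10000/0x10000).
ACCEPT_BIT = 0x10000

# Lines copied from the node1 request trace above, plus two non-TRACE
# lines from the same log that the parser must skip.
SAMPLE = """\
Jan 13 20:26:47 node1 kernel: device tunl0 entered promiscuous mode
Jan 13 20:27:10 node1 kernel: IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: nat:PREROUTING:policy:4 IN=tunl0 OUT= MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: mangle:FORWARD:policy:1 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-tw-cali3494337d77e:rule:4 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-pri-kns.test:rule:1 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-pri-kns.test:rule:2 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:cali-tw-cali3494337d77e:rule:5 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
Jan 13 20:27:10 node1 kernel: TRACE: filter:FORWARD:rule:9 IN=tunl0 OUT=cali3494337d77e MAC= SRC=172.248.219.111 DST=172.248.166.157 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=50045 DF PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=0 MARK=0x10000
"""

# "<date> <host> kernel: TRACE: table:chain:kind:num <key=value ...>"
TRACE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s(?P<host>\S+)\skernel:\sTRACE:\s"
    r"(?P<table>\w+):(?P<chain>[^:\s]+):(?P<kind>rule|return|policy):"
    r"(?P<num>\d+)\s(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_trace(line):
    """Parse one TRACE line into a dict; return None for any other line."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m["rest"]):
        # ID= occurs twice for ICMP (IP id, then ICMP id): keep the first.
        fields.setdefault(key, value)
    return {
        "host": m["host"], "table": m["table"], "chain": m["chain"],
        "kind": m["kind"], "num": int(m["num"]),
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "ttl": int(fields.get("TTL", 0)), "ip_id": fields.get("ID"),
        "mark": int(fields.get("MARK", "0x0"), 16),  # no MARK= means 0
    }


def group_packets(lines):
    """Group hops per (host, src, dst, IP id), preserving log order."""
    packets = {}
    for line in lines:
        hop = parse_trace(line)
        if hop:
            key = (hop["host"], hop["src"], hop["dst"], hop["ip_id"])
            packets.setdefault(key, []).append(hop)
    return packets


def rule_id(hop):
    return f'{hop["table"]}:{hop["chain"]}:{hop["kind"]}:{hop["num"]}'


def mark_changes(hops):
    """List (rule, old_mark, new_mark) for every change of the packet mark.

    Assumption: a TRACE line shows the packet as it was when the rule
    matched, so a change is attributed to the preceding traced rule.
    """
    return [(rule_id(prev), prev["mark"], cur["mark"])
            for prev, cur in zip(hops, hops[1:])
            if prev["mark"] != cur["mark"]]


def accepted_by(hops):
    """Rule traced just before ACCEPT_BIT first appears, or None."""
    for where, old, new in mark_changes(hops):
        if (new & ACCEPT_BIT) and not (old & ACCEPT_BIT):
            return where
    return None


def routing_point(hops):
    """Pair of rules between which the TTL dropped (packet was forwarded)."""
    for prev, cur in zip(hops, hops[1:]):
        if cur["ttl"] < prev["ttl"]:
            return rule_id(prev), rule_id(cur)
    return None


if __name__ == "__main__":
    for key, hops in group_packets(SAMPLE.splitlines()).items():
        print(key)
        for hop in hops:
            print(f'  {rule_id(hop):42} in={hop["in"] or "-"} '
                  f'out={hop["out"] or "-"} ttl={hop["ttl"]} '
                  f'mark={hop["mark"]:#x}')
        print("  accept mark set after:", accepted_by(hops))
        print("  routed between:", routing_point(hops))
```

Feeding it the whole of /var/log/iptables.log instead of SAMPLE gives one path per host and packet, which makes it quick to see a packet that never picks up the accept mark.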

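Appendix

The 12 diagrams

Scenario 1: From the host to a container

Scenario 2: From a container to the host

Scenario 3: From a container to a node in the Calico cluster other than its own host

Scenario 4: From a node in the Calico cluster other than the container's host to the container

Scenario 5: Access between different containers on the same node

Scenario 6: Cross-node access between containers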

busybox YAML files

[root@master files]# cat busybox1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox1
  namespace: test
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - image: busybox:1.28.4
        args:
          - /bin/sh
          - -c
          - sleep 1000;
        imagePullPolicy: Always
        name: busybox1
        resources: {}

[root@master files]#
[root@master files]#
[root@master files]# cat busybox2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox2
  namespace: test
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - image: busybox:1.28.4
        args:
          - /bin/sh
          - -c
          - sleep 1000;
        imagePullPolicy: Always
        name: busybox2
        resources: {}

[root@master files]#
[root@master files]#
[root@master files]#
[root@master files]# cat busybox3.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox3
  namespace: test
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - image: busybox:1.28.4
        args:
          - /bin/sh
          - -c
          - sleep 1000;
        imagePullPolicy: Always
        name: busybox3
        resources: {}

[root@master files]#

iptables filter table on master

[root@master files]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 931 packets, 158K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      16M 3067M cali-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Cz_u1IQiXIMmKD4c */
2      16M 3002M KUBE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       34  2856 cali-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:wUHhoiAYhphO9Mso */
2       17  1428 KUBE-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */
3       17  1428 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4       17  1428 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
6        0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
8        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
9       17  1428 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:S93hcgKJrXEqnTfs */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000
10       0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:mp77cMpurHhyjLrM */ MARK or 0x10000

Chain OUTPUT (policy ACCEPT 998 packets, 162K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      17M 3117M cali-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:tVnHkvAo15HuiPy0 */
2      17M 3130M KUBE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2       17  1428 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       17  1428 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain KUBE-FIREWALL (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
2        0     0 DROP       all  --  *      *      !127.0.0.0/8          127.0.0.0/8          /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */ mark match 0x4000/0x4000
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED

Chain KUBE-KUBELET-CANARY (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       34  2856 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:vjrMJCRpqwy5oRoX */ MARK and 0xfff1ffff
2       34  2856 cali-from-hep-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:A_sPAO0mcxbT9mOV */ mark match 0x0/0x10000
3       20  1680 cali-from-wl-dispatch  all  --  cali+  *       0.0.0.0/0            0.0.0.0/0            /* cali:8ZoYfO5HKXWbB3pk */
4       17  1428 cali-to-wl-dispatch  all  --  *      cali+   0.0.0.0/0            0.0.0.0/0            /* cali:jdEuaPBe14V2hutn */
5       17  1428 cali-to-hep-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:12bc6HljsMKsmfr- */
6       17  1428 cali-cidr-block  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:NOSxoaGx8OIstr1z */

Chain cali-INPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    22040   18M ACCEPT     4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:PajejrV4aFdkZojI */ /* Allow IPIP packets from Calico hosts */ match-set cali40all-hosts-net src ADDRTYPE match dst-type LOCAL
2        0     0 DROP       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:_wjq-Yrma8Ly1Svo */ /* Drop IPIP packets from non-Calico hosts */
3      16M 3049M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:ss8lEMQsXi-s6qYT */ MARK and 0xfffff
4      16M 3049M cali-forward-check  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:PgIW-V0nEjwPhF_8 */
5      901 63805 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:QMJlDwlS0OjHyfMN */ mark match ! 0x0/0xfff00000
6     232K   62M cali-wl-to-host  all  --  cali+  *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:nDRe73txrna-aZjG */
7        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:iX2AYvqGXaVqwkro */ mark match 0x10000/0x10000
8      16M 2987M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:bhpnxD5IRtBP8KW0 */ MARK and 0xfff0ffff
9      16M 2987M cali-from-host-endpoint  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:H5_bccAbHV0sooVy */
10       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:inBL01YlfurT0dbI */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000

Chain cali-OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Mq1_rAdXXH3YkrzW */ mark match 0x10000/0x10000
2        0     0 cali-forward-endpoint-mark  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:5Z67OUUpTOM7Xa1a */ mark match ! 0x0/0xfff00000
3     227K   65M RETURN     all  --  *      cali+   0.0.0.0/0            0.0.0.0/0            /* cali:M2Wf0OehNdig8MHR */
4    25569 3001K ACCEPT     4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:AJBkLho_0Qd8LNr3 */ /* Allow IPIP packets to other Calico hosts */ match-set cali40all-hosts-net dst ADDRTYPE match src-type LOCAL
5      17M 3049M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:iz2RWXlXJDUfsLpe */ MARK and 0xfff0ffff
6      17M 3049M cali-to-host-endpoint  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:xQqLi8S0sxbiyvjR */ ! ctstate DNAT
7        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:aSnsxZdmhxm_ilRZ */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000

Chain cali-cidr-block (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-forward-check (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      16M 3046M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Pbldlb4FaULvpdD8 */ ctstate RELATED,ESTABLISHED
2        0     0 cali-set-endpoint-mark  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:ZD-6UxuUtGW-xtzg */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst
3        0     0 cali-set-endpoint-mark  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:CbPfUajQ2bFVnDq4 */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst
4      901 63805 cali-set-endpoint-mark  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:jmhU0ODogX-Zfe5g */ /* To kubernetes service */ ! match-set cali40this-host dst

Chain cali-forward-endpoint-mark (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 cali-from-endpoint-mark  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:O0SmFDrnm7KggWqW */ mark match ! 0x100000/0xfff00000
2        0     0 cali-to-wl-dispatch  all  --  *      cali+   0.0.0.0/0            0.0.0.0/0            /* cali:aFl0WFKRxDqj8oA6 */
3        0     0 cali-to-hep-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:AZKVrO3i_8cLai5f */
4        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:96HaP1sFtb-NYoYA */ MARK and 0xfffff
5        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:VxO6hyNWz62YEtul */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000

Chain cali-from-endpoint-mark (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 cali-fw-cali3582606acef  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:x-B3sN8Vfq0mfX9Y */ mark match 0x7f300000/0xfff00000
2        0     0 cali-fw-cali41b697fb6a5  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:K5Uw9BAymgWQAxl3 */ mark match 0xd8300000/0xfff00000
3        0     0 cali-fw-cali46a0761a9ee  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:Tig6ds0eNVrCnnHB */ mark match 0xa8700000/0xfff00000
4        0     0 cali-fw-cali8b980351434  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:17Gvtt6vL-bNfarh */ mark match 0xad500000/0xfff00000
5        0     0 cali-fw-calied26b64c64e  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:0ULT3imdMMhkgf7q */ mark match 0x28300000/0xfff00000
6        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:pCk4paFBcLGuGpuw */ /* Unknown interface */

Chain cali-from-hep-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-from-host-endpoint (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-from-wl-dispatch (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        3   252 cali-fw-cali3582606acef  all  --  cali3582606acef *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:zpftyxoIwzrR0Nuf */
2    43934 3297K cali-from-wl-dispatch-4  all  --  cali4+ *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:aWsOuulUmWohzmTJ */
3       23  1932 cali-fw-cali8b980351434  all  --  cali8b980351434 *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:aTWTjdNkz06lusKE */
4     188K   58M cali-fw-calied26b64c64e  all  --  calied26b64c64e *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:XCCsWF-iCgpdi4eg */
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:-JTYGiLLLnAPJlK8 */ /* Unknown interface */

Chain cali-from-wl-dispatch-4 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    43934 3297K cali-fw-cali41b697fb6a5  all  --  cali41b697fb6a5 *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:BTPWxiTtxZMAGPFw */
2        0     0 cali-fw-cali46a0761a9ee  all  --  cali46a0761a9ee *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:On0xozaLDQaBpwYe */
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:hrovBmjX7GS9R1tF */ /* Unknown interface */

Chain cali-fw-cali3582606acef (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:zx9Un1Np5_q0Wbvk */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:PmQcFfNtx6c51SOO */ ctstate INVALID
3        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:txBEfNzQCCZ_G40K */ MARK and 0xfffeffff
4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Kr_SLkiOVDA7IuIG */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789
5        0     0 DROP       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:tEA8PE-_LVLoDB-c */ /* Drop IPinIP encapped packets originating in workloads */
6        0     0 cali-pro-kns.test  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:oN3FA2cnhgBXTtVU */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:b7pPZSeK2YAtE4ry */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 cali-pro-ksa.test.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:tSdUtfTwRAXSVtb7 */
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:QGBMwKkX5AFMPhDR */ /* Return if profile accepted */ mark match 0x10000/0x10000
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:wdSxttLv-rUNIHcP */ /* Drop if no profiles matched */

Chain cali-fw-cali41b697fb6a5 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1    44113 3313K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:6MjuXrRtD3qYLBRK */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:7mWhV-_jcdj7ZOCI */ ctstate INVALID
3        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Ijj9WGZjkOGyFyvj */ MARK and 0xfffeffff
4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:elHnzondjXLK65_V */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789
5        0     0 DROP       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:3C1Yu_ucMQi-LkOS */ /* Drop IPinIP encapped packets originating in workloads */
6        0     0 cali-pro-kns.calico-system  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:159uJebRLs9FXo3y */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:7LVOmAYY__ej3Jeb */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 cali-pro-_nzzjLvInId1gPHmQz_  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:WfOcFivAeosGhcV6 */
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:VfKHl6eiUS5em54t */ /* Return if profile accepted */ mark match 0x10000/0x10000
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:pg9XEWH9iEsr-Wgo */ /* Drop if no profiles matched */

Chain cali-fw-cali46a0761a9ee (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:N6OlNbC9mZXEXIx4 */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:_nCeTnSG-L-irUoU */ ctstate INVALID
3        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:htHJoDW9BMnJ4wN8 */ MARK and 0xfffeffff
4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:IWf1QzT1tOamB3bT */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789
5        0     0 DROP       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:MQiGnoX-bCpXuvAB */ /* Drop IPinIP encapped packets originating in workloads */
6        0     0 cali-pro-kns.kelu  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:O_fqu5_TSOGTL-9t */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:HnOAJ-4DSkgt2KZz */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 cali-pro-ksa.kelu.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:uwAXwB5ggrENW5q6 */
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:w1Nl1BFPGFtDM9ko */ /* Return if profile accepted */ mark match 0x10000/0x10000
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:6O23erELJesHYLK3 */ /* Drop if no profiles matched */

Chain cali-fw-cali8b980351434 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       10   840 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:iQF2LntHHw2mIP7I */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:_vUF7Q9Kb7pacQ-W */ ctstate INVALID
3       13  1092 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:ur6TfjYdXX_jhQ33 */ MARK and 0xfffeffff
4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:RzMsuLYGAXQdpEri */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789
5        0     0 DROP       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:xRBV3vGtzB2OvLH4 */ /* Drop IPinIP encapped packets originating in workloads */
6       13  1092 cali-pro-kns.test  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:X5xzSazVM1jMc7gy */
7       13  1092 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:VG5kBKlWsg_QZQP9 */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 cali-pro-ksa.test.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Xq76c5ACKp8vUEQa */
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:QY73IvbRdz6hyigL */ /* Return if profile accepted */ mark match 0x10000/0x10000
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Bnikk2T5xDyjBmHV */ /* Drop if no profiles matched */

Chain cali-fw-calied26b64c64e (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1     188K   58M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:22U9OSB_9spgBC4u */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:8QAYfV-ac1hRuubr */ ctstate INVALID
3        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:8_ZM_iyU2bHTGgIS */ MARK and 0xfffeffff
4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:ynzJ9j_zvM7rhJci */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789
5        0     0 DROP       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:n-hyr1swI2SWNkTx */ /* Drop IPinIP encapped packets originating in workloads */
6        0     0 cali-pro-_kJqfZpgUe7r2t4A-14  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:8FuVDKPH5ckjtwdD */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:QVtmLyG01ERoVdAx */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 cali-pro-_4yi5_iSUAwsU8zMHTk  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:NPn2q2kePh0juhQ3 */
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:PoezhWlI14COoa7a */ /* Return if profile accepted */ mark match 0x10000/0x10000
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:wgRkAjO48Ort63Sz */ /* Drop if no profiles matched */

Chain cali-pi-_3CJ_GmvE9pcCktVJ2ep (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:yqCHbQuMNpd4Tyud */ multiport dports 5443 MARK or 0x10000
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:r7K-R2NZ8MDhg56E */ mark match 0x10000/0x10000

Chain cali-pri-_4yi5_iSUAwsU8zMHTk (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-pri-_kJqfZpgUe7r2t4A-14 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:NtEAHjNnsVBDEfXK */ MARK or 0x10000
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:9VH2M_nLwiyE-4SU */ mark match 0x10000/0x10000

Chain cali-pri-_nzzjLvInId1gPHmQz_ (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-pri-kns.calico-system (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:lA1GbGF0y5VU72nH */ MARK or 0x10000
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:E1m1FietzlJfN7WE */ mark match 0x10000/0x10000

Chain cali-pri-kns.kelu (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:jl2zoP3SzZB2TuCr */ MARK or 0x10000
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:wkjFs16C3dJwr39t */ mark match 0x10000/0x10000

Chain cali-pri-kns.test (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        9   756 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Sc2MJ8Z8lZUNZycB */ MARK or 0x10000
2        9   756 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:KEqIbBH5rmYpA3ul */ mark match 0x10000/0x10000

Chain cali-pri-ksa.kelu.default (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-pri-ksa.test.default (2 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-pro-_4yi5_iSUAwsU8zMHTk (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-pro-_kJqfZpgUe7r2t4A-14 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:D2nLcTxR7J5qLYcI */ MARK or 0x10000
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:7wfaz_mRDJOI_9mB */ mark match 0x10000/0x10000

Chain cali-pro-_nzzjLvInId1gPHmQz_ (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-pro-kns.calico-system (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:bTgyjfwHbUZu3xg3 */ MARK or 0x10000
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:YRkGp3QlDi9-gZhH */ mark match 0x10000/0x10000

Chain cali-pro-kns.kelu (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Rxl_-Cz81LLiYGcp */ MARK or 0x10000
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:YDtyGStT8zsPjybx */ mark match 0x10000/0x10000

Chain cali-pro-kns.test (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       13  1092 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:DyDQFBj8Z6Hj6Q6M */ MARK or 0x10000
2       13  1092 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:E5xwh9bf1g8ZUM0i */ mark match 0x10000/0x10000

Chain cali-pro-ksa.kelu.default (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-pro-ksa.test.default (2 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-set-endpoint-mark (3 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 cali-sm-cali3582606acef  all  --  cali3582606acef *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:aRBYFKrJWjOoN5-B */
2      172 10320 cali-set-endpoint-mark-4  all  --  cali4+ *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:WZveofYZnWtmWWSK */
3        0     0 cali-sm-cali8b980351434  all  --  cali8b980351434 *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:Ozhag8MucWcfxl5c */
4      216 12960 cali-sm-calied26b64c64e  all  --  calied26b64c64e *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:B15zcfopjYcsTnRv */
5        0     0 DROP       all  --  cali+  *       0.0.0.0/0            0.0.0.0/0            /* cali:yx96mf105eZAheAa */ /* Unknown endpoint */
6      509 40249 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:74HppCv-3Faj9UIw */ /* Non-Cali endpoint mark */ MARK xset 0x100000/0xfff00000

Chain cali-set-endpoint-mark-4 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      172 10320 cali-sm-cali41b697fb6a5  all  --  cali41b697fb6a5 *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:itcAe5oRNRn3FDLO */
2        0     0 cali-sm-cali46a0761a9ee  all  --  cali46a0761a9ee *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:_ewqx-xbYiTMgzFP */

Chain cali-sm-cali3582606acef (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:CRn1HTRaxiXvFFj3 */ MARK xset 0x7f300000/0xfff00000

Chain cali-sm-cali41b697fb6a5 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      173 10380 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:o0jNz6xnfPw6PBAB */ MARK xset 0xd8300000/0xfff00000

Chain cali-sm-cali46a0761a9ee (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:X4PBySfS3RPjJCnN */ MARK xset 0xa8700000/0xfff00000

Chain cali-sm-cali8b980351434 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:H5MZn7-ejghVOZOE */ MARK xset 0xad500000/0xfff00000

Chain cali-sm-calied26b64c64e (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      217 13020 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:23bPuGfiLXZXvpr0 */ MARK xset 0x28300000/0xfff00000

Chain cali-to-hep-forward (2 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-to-host-endpoint (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-to-wl-dispatch (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        3   252 cali-tw-cali3582606acef  all  --  *      cali3582606acef  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:sGUIG9dxDc_EOXCI */
2        0     0 cali-to-wl-dispatch-4  all  --  *      cali4+  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:fgoLkOQq9i_vqliQ */
3       14  1176 cali-tw-cali8b980351434  all  --  *      cali8b980351434  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:rX09ute-GFeCtsgD */
4        0     0 cali-tw-calied26b64c64e  all  --  *      calied26b64c64e  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:Rm8d1b3hjuPujZ0F */
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:AufwYh-m4sF8uOn9 */ /* Unknown interface */

Chain cali-to-wl-dispatch-4 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 cali-tw-cali41b697fb6a5  all  --  *      cali41b697fb6a5  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:CDsgGPxLgQke9C6X */
2        0     0 cali-tw-cali46a0761a9ee  all  --  *      cali46a0761a9ee  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:R4cxdFJ46y0Ht1XM */
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:E01mlXstw_lvWST1 */ /* Unknown interface */

Chain cali-tw-cali3582606acef (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:BeSpzYNSTvHhmlvY */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:rJzFKdSeXFlVtsFU */ ctstate INVALID
3        3   252 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Xjk4YtTWvBtl4zZ1 */ MARK and 0xfffeffff
4        3   252 cali-pri-kns.test  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:csFdIWDGW6sOmkkj */
5        3   252 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:UqeZGuo8zdA-9Q1K */ /* Return if profile accepted */ mark match 0x10000/0x10000
6        0     0 cali-pri-ksa.test.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:L3_OFD9Iqk8e6CTe */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:h44eJAY_Ubm9y_mN */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:GDKjjgWdzLwGE-iZ */ /* Drop if no profiles matched */

Chain cali-tw-cali41b697fb6a5 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:nQZyVMYfTAvDDOZs */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:pVkzmgWAnY7GSEBa */ ctstate INVALID
3        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:v-5iruzK6kYwB0_l */ MARK and 0xfffeffff
4        0     0 cali-pri-kns.calico-system  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:XC2-UtGhn6W7Y-06 */
5        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:q2HnDCDeys8DI_cE */ /* Return if profile accepted */ mark match 0x10000/0x10000
6        0     0 cali-pri-_nzzjLvInId1gPHmQz_  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:coOxrFtYtyRq12JI */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:EqeMAGXI8Rt4onxO */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:wP-FpWUPVrvc6v6_ */ /* Drop if no profiles matched */

Chain cali-tw-cali46a0761a9ee (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:-UvYRg3RFUj4YPF3 */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:9m8SwJycTpf9AWgW */ ctstate INVALID
3        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:b-EtrHmGyTtQQLbG */ MARK and 0xfffeffff
4        0     0 cali-pri-kns.kelu  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:IX9V3nDdJk8Nduca */
5        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:JbNtXPcwoLuwNdrI */ /* Return if profile accepted */ mark match 0x10000/0x10000
6        0     0 cali-pri-ksa.kelu.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:dRxwJl57RJawBZvz */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:rcGbZN_AjjgDdJMf */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Hnkq4eIYeQ3Ejanr */ /* Drop if no profiles matched */

Chain cali-tw-cali8b980351434 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        8   672 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:eveuGwIaNUJ73xEw */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:YsK_j51CfedLAgds */ ctstate INVALID
3        6   504 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:NH4umg1IfPSCl3Dq */ MARK and 0xfffeffff
4        6   504 cali-pri-kns.test  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:cjVpPHdrPdaLCstZ */
5        6   504 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:UjplSenlfwW0u8Bx */ /* Return if profile accepted */ mark match 0x10000/0x10000
6        0     0 cali-pri-ksa.test.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:el_i4YJmldnY69Ov */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:DlcM3lGN0W24ggHU */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:IYTpISzvr_e_6EuR */ /* Drop if no profiles matched */

Chain cali-tw-calied26b64c64e (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:pN37T1ppOoHzX0z_ */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:qlKU0odHbESQlH3y */ ctstate INVALID
3        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:DNkqHeLvVtAosRS2 */ MARK and 0xfffeffff
4        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Utssqh3HPUCABhVX */ /* Start of policies */ MARK and 0xfffdffff
5        0     0 cali-pi-_3CJ_GmvE9pcCktVJ2ep  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:B8x5sUgz-Oavp-hc */ mark match 0x0/0x20000
6        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:L1mhd1brsqwd681P */ /* Return if policy accepted */ mark match 0x10000/0x10000
7        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:H8QUzhFt-pGA1Us- */ /* Drop if no policies passed packet */ mark match 0x0/0x20000
8        0     0 cali-pri-_kJqfZpgUe7r2t4A-14  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:4TufVbaWkJHPL9nX */
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:chxg2etLQUFgkkcz */ /* Return if profile accepted */ mark match 0x10000/0x10000
10       0     0 cali-pri-_4yi5_iSUAwsU8zMHTk  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:_-RKxWZ6mxYOUijs */
11       0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:9P6FMsVecLQ9ZWlY */ /* Return if profile accepted */ mark match 0x10000/0x10000
12       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:PQ1y6xBNMSBZ2bAg */ /* Drop if no profiles matched */

Chain cali-wl-to-host (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     232K   62M cali-from-wl-dispatch  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Ee9Sbo10IpVujdIY */
2        2   168 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:nSZbcOoG1xPONxb8 */ /* Configured DefaultEndpointToHostAction */
[root@master files]#
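The listing above is easier to read once the mark arithmetic is executed rather than eyeballed. The following is an added example, not part of the original post: it parses three chains copied from the master listing and replays a packet through `cali-tw-cali8b980351434`, showing where bit `0x10000` is cleared, set and tested, and that the chain ends in a default DROP when no profile sets it. The function names, the starting mark `0x40000` and the conntrack states are assumptions chosen for illustration; only the match and target options that occur in the excerpt are supported.

```python
import re

# Constructed input: rule lines copied from the master listing above, trimmed to
# the chains a packet delivered to cali8b980351434 walks through.
LISTING = """\
Chain cali-tw-cali8b980351434 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        8   672 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:eveuGwIaNUJ73xEw */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:YsK_j51CfedLAgds */ ctstate INVALID
3        6   504 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:NH4umg1IfPSCl3Dq */ MARK and 0xfffeffff
4        6   504 cali-pri-kns.test  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:cjVpPHdrPdaLCstZ */
5        6   504 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:UjplSenlfwW0u8Bx */ /* Return if profile accepted */ mark match 0x10000/0x10000
6        0     0 cali-pri-ksa.test.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:el_i4YJmldnY69Ov */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:DlcM3lGN0W24ggHU */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:IYTpISzvr_e_6EuR */ /* Drop if no profiles matched */

Chain cali-pri-kns.test (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        9   756 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Sc2MJ8Z8lZUNZycB */ MARK or 0x10000
2        9   756 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:KEqIbBH5rmYpA3ul */ mark match 0x10000/0x10000

Chain cali-pri-ksa.test.default (2 references)
num   pkts bytes target     prot opt in     out     source               destination
"""

# Columns: num pkts bytes target prot opt in out source destination [options]
RULE = re.compile(r"^(\d+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
WILDCARD = ("all", "*", "*", "0.0.0.0/0", "0.0.0.0/0")
TERMINAL = {"ACCEPT", "DROP"}


def parse(listing):
    """Turn `iptables -nvL --line-numbers` text into {chain: [(num, target, goto, tokens)]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = chains.setdefault(line.split()[1], [])
            continue
        m = RULE.match(line)
        if m and current is not None:
            num, target, *selectors, rest = m.groups()
            if tuple(selectors) != WILDCARD:
                raise ValueError(f"rule {num}: protocol/interface/address matches not modelled")
            rest = re.sub(r"/\*.*?\*/", " ", rest)  # drop the rule comments
            current.append((int(num), target, "[goto]" in rest, rest.replace("[goto]", " ").split()))
    return chains


def parse_vm(text):
    """'0xV/0xM' -> (value, mask); a bare value gets a full 32-bit mask."""
    value, _, mask = text.partition("/")
    return int(value, 16), int(mask, 16) if mask else 0xFFFFFFFF


def step(tokens, mark, ctstate):
    """Evaluate one rule's options; return (matched, mark the MARK target would produce)."""
    matched, new_mark, i = True, mark, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!" and tokens[i + 1] == "ctstate":
            matched &= ctstate not in tokens[i + 2].split(",")
            i += 3
        elif tok == "ctstate":
            matched &= ctstate in tokens[i + 1].split(",")
            i += 2
        elif tok == "mark" and tokens[i + 1] == "match":
            neg = tokens[i + 2] == "!"
            value, mask = parse_vm(tokens[i + 2 + neg])
            matched &= ((mark & mask) == value) != neg
            i += 3 + neg
        elif tok == "MARK":
            value, mask = parse_vm(tokens[i + 2])
            new_mark = {"and": mark & value, "or": mark | value,
                        "xset": (mark & ~mask & 0xFFFFFFFF) ^ value}[tokens[i + 1]]
            i += 3
        else:
            raise ValueError(f"unsupported option: {tok}")
    return matched, new_mark


def walk(chains, chain, mark, ctstate, path):
    """Traverse one chain; 'RETURN' also covers falling off the end of a user chain."""
    for num, target, goto, tokens in chains[chain]:
        matched, new_mark = step(tokens, mark, ctstate)
        if not matched:
            continue
        path.append(f"{chain}:{num}")
        if target in TERMINAL or target == "RETURN":
            return target, mark
        if target == "MARK":  # non-terminating target: update mark, keep going
            mark = new_mark
            continue
        verdict, mark = walk(chains, target, mark, ctstate, path)
        if verdict in TERMINAL or goto:  # after [goto], RETURN skips the rest of this chain
            return verdict, mark
    return "RETURN", mark


def trace(chains, chain, mark, ctstate):
    """Return (verdict, final mark, list of matched 'chain:rule' steps)."""
    path = []
    verdict, mark = walk(chains, chain, mark, ctstate, path)
    return verdict, mark, path


if __name__ == "__main__":
    parsed = parse(LISTING)
    for state in ("NEW", "ESTABLISHED", "INVALID"):
        verdict, mark, path = trace(parsed, "cali-tw-cali8b980351434", 0x40000, state)
        print(f"{state:12}{verdict:8}mark={mark:#x}  {' -> '.join(path)}")
```

For a NEW packet the verdict is `RETURN` with `0x10000` set, which is the bit the `Policy explicitly accepted packet.` ACCEPT rule in `cali-forward-endpoint-mark` tests.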

iptables filter table on the node

[root@node1 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 1085 packets, 151K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    6306K  892M cali-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Cz_u1IQiXIMmKD4c */
2    6140K  861M KUBE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     141K   44M cali-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:wUHhoiAYhphO9Mso */
2      584 35191 KUBE-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */
3      584 35191 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4      584 35191 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
6        0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
8        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
9      584 35191 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:S93hcgKJrXEqnTfs */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000
10       0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:mp77cMpurHhyjLrM */ MARK or 0x10000

Chain OUTPUT (policy ACCEPT 1069 packets, 137K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    6068K  990M cali-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:tVnHkvAo15HuiPy0 */
2    6059K  974M KUBE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2      584 35191 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      584 35191 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain KUBE-FIREWALL (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
2        0     0 DROP       all  --  *      *      !127.0.0.0/8          127.0.0.0/8          /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */ mark match 0x4000/0x4000
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED

Chain KUBE-KUBELET-CANARY (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     141K   44M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:vjrMJCRpqwy5oRoX */ MARK and 0xfff1ffff
2     141K   44M cali-from-hep-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:A_sPAO0mcxbT9mOV */ mark match 0x0/0x10000
3    32239   26M cali-from-wl-dispatch  all  --  cali+  *       0.0.0.0/0            0.0.0.0/0            /* cali:8ZoYfO5HKXWbB3pk */
4     109K   18M cali-to-wl-dispatch  all  --  *      cali+   0.0.0.0/0            0.0.0.0/0            /* cali:jdEuaPBe14V2hutn */
5      584 35191 cali-to-hep-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:12bc6HljsMKsmfr- */
6      584 35191 cali-cidr-block  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:NOSxoaGx8OIstr1z */

Chain cali-INPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    25592 2999K ACCEPT     4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:PajejrV4aFdkZojI */ /* Allow IPIP packets from Calico hosts */ match-set cali40all-hosts-net src ADDRTYPE match dst-type LOCAL
2        0     0 DROP       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:_wjq-Yrma8Ly1Svo */ /* Drop IPIP packets from non-Calico hosts */
3    6281K  889M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:ss8lEMQsXi-s6qYT */ MARK and 0xfffff
4    6281K  889M cali-forward-check  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:PgIW-V0nEjwPhF_8 */
5      605 46009 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:QMJlDwlS0OjHyfMN */ mark match ! 0x0/0xfff00000
6     155K   33M cali-wl-to-host  all  --  cali+  *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:nDRe73txrna-aZjG */
7        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:iX2AYvqGXaVqwkro */ mark match 0x10000/0x10000
8    6125K  856M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:bhpnxD5IRtBP8KW0 */ MARK and 0xfff0ffff
9    6125K  856M cali-from-host-endpoint  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:H5_bccAbHV0sooVy */
10       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:inBL01YlfurT0dbI */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000

Chain cali-OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Mq1_rAdXXH3YkrzW */ mark match 0x10000/0x10000
2       96  5760 cali-forward-endpoint-mark  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:5Z67OUUpTOM7Xa1a */ mark match ! 0x0/0xfff00000
3    67468 6493K RETURN     all  --  *      cali+   0.0.0.0/0            0.0.0.0/0            /* cali:M2Wf0OehNdig8MHR */
4    22754   18M ACCEPT     4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:AJBkLho_0Qd8LNr3 */ /* Allow IPIP packets to other Calico hosts */ match-set cali40all-hosts-net dst ADDRTYPE match src-type LOCAL
5    5978K  965M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:iz2RWXlXJDUfsLpe */ MARK and 0xfff0ffff
6    5978K  965M cali-to-host-endpoint  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:xQqLi8S0sxbiyvjR */ ! ctstate DNAT
7        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:aSnsxZdmhxm_ilRZ */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000

Chain cali-cidr-block (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-forward-check (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    6225K  886M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Pbldlb4FaULvpdD8 */ ctstate RELATED,ESTABLISHED
2        0     0 cali-set-endpoint-mark  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:ZD-6UxuUtGW-xtzg */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst
3        0     0 cali-set-endpoint-mark  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:CbPfUajQ2bFVnDq4 */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst
4      605 46009 cali-set-endpoint-mark  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:jmhU0ODogX-Zfe5g */ /* To kubernetes service */ ! match-set cali40this-host dst

Chain cali-forward-endpoint-mark (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       96  5760 cali-from-endpoint-mark  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:O0SmFDrnm7KggWqW */ mark match ! 0x100000/0xfff00000
2        0     0 cali-to-wl-dispatch  all  --  *      cali+   0.0.0.0/0            0.0.0.0/0            /* cali:aFl0WFKRxDqj8oA6 */
3       96  5760 cali-to-hep-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:AZKVrO3i_8cLai5f */
4       96  5760 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:96HaP1sFtb-NYoYA */ MARK and 0xfffff
5       96  5760 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:VxO6hyNWz62YEtul */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000

Chain cali-from-endpoint-mark (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 cali-fw-cali29b44b8716f  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:cct1lFxv-4nAP5dh */ mark match 0x62100000/0xfff00000
2        0     0 cali-fw-cali3494337d77e  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:utL3If-JG6vPn9LY */ mark match 0x4bc00000/0xfff00000
3       96  5760 cali-fw-cali5932d6c609f  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:7XkQ9HVo_0ncKLmZ */ mark match 0x5e500000/0xfff00000
4        0     0 cali-fw-cali80612bce243  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:aWCXf-MHdjBl8JRl */ mark match 0xf3c00000/0xfff00000
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:QmsvvjDRYS9sHMuJ */ /* Unknown interface */

Chain cali-from-hep-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-from-host-endpoint (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-from-wl-dispatch (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 cali-fw-cali29b44b8716f  all  --  cali29b44b8716f *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:9rnLBXZn8xgmz9A2 */
2        6   504 cali-fw-cali3494337d77e  all  --  cali3494337d77e *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:sRhQsfq6vMKK_q07 */
3     187K   59M cali-fw-cali5932d6c609f  all  --  cali5932d6c609f *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:dlwEgwIoJ3MRacKs */
4        0     0 cali-fw-cali80612bce243  all  --  cali80612bce243 *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:rXDHb9FyKTxhVyil */
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:rhcM49hxPRcfDXh- */ /* Unknown interface */

Chain cali-fw-cali29b44b8716f (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:EfBx2W5d9YHVkB8P */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:SOrp_4ErQb_kjinb */ ctstate INVALID
3        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:5eTs_mZoYr-v0o5p */ MARK and 0xfffeffff
4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:xLFZw97934ovYfQy */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789
5        0     0 DROP       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:S0zeDHFVw6lXmzLW */ /* Drop IPinIP encapped packets originating in workloads */
6        0     0 cali-pro-kns.kelu  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:CQLIpnYzAPqiwu0x */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:48_IP9no7YrEKNb2 */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 cali-pro-ksa.kelu.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Oi5Dj--87N_P7bXq */
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:2SuJUkrDz8Qpmybj */ /* Return if profile accepted */ mark match 0x10000/0x10000
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:dPdvwznD9sqxztQA */ /* Drop if no profiles matched */

Chain cali-fw-cali3494337d77e (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        6   504 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Y8jRqXV7XuKgZpih */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:PXvy8gdqPH3ItRUQ */ ctstate INVALID
3        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Nve53RKfQd_7Trk6 */ MARK and 0xfffeffff
4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:ni683fwDW6HlV6QG */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789
5        0     0 DROP       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Jq9Y--18JkLZA-3R */ /* Drop IPinIP encapped packets originating in workloads */
6        0     0 cali-pro-kns.test  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:_coUZ9k66QXutCJ7 */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:EkX-s4uXlE3EKdgb */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 cali-pro-ksa.test.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:zGNOqPnIrszoQQEm */
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:TlA9oahjU4iliTR- */ /* Return if profile accepted */ mark match 0x10000/0x10000
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:NLABEutx14RpBiZp */ /* Drop if no profiles matched */

Chain cali-fw-cali5932d6c609f (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1     187K   59M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:cRvtRQBfjH4fqq0t */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:eiNtxKgHzpMAHRPg */ ctstate INVALID
3       99  5947 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:UWnasP21RwAyPOpG */ MARK and 0xfffeffff
4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:eHnGcoBV2bGxVvey */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789
5        0     0 DROP       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:YWYDm1vMd_31weC6 */ /* Drop IPinIP encapped packets originating in workloads */
6       99  5947 cali-pro-_kJqfZpgUe7r2t4A-14  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Z9V80LHzw4L_9-DL */
7       99  5947 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:S7h5j_vVWOL-kd3u */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 cali-pro-_4yi5_iSUAwsU8zMHTk  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:4AyldhKwid-tT1eZ */
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:LNro_p8yHI8vfhPf */ /* Return if profile accepted */ mark match 0x10000/0x10000
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:8Ov6pad4UEOkoEMY */ /* Drop if no profiles matched */

Chain cali-fw-cali80612bce243 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:sJZmF6IVdwJFoV84 */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:W-Bi6nHIX9fQmXyp */ ctstate INVALID
3        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:VDchcnSmxpnSUmVp */ MARK and 0xfffeffff
4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Ehhrpb_hb_w5Y2ci */ /* Drop VXLAN encapped packets originating in workloads */ multiport dports 4789
5        0     0 DROP       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:ITXD3pDlMzb11MLr */ /* Drop IPinIP encapped packets originating in workloads */
6        0     0 cali-pro-kns.kelu  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:KHo-AAYbSSswfqiC */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Kw2x-v6I2q3V7dZA */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 cali-pro-ksa.kelu.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:2tDa1tjBxXqonSHz */
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:NyV0pp_hQlvVh7eE */ /* Return if profile accepted */ mark match 0x10000/0x10000
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:yhe2QKjskMUuH6KR */ /* Drop if no profiles matched */

Chain cali-pi-_3CJ_GmvE9pcCktVJ2ep (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      575 34500 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:yqCHbQuMNpd4Tyud */ multiport dports 5443 MARK or 0x10000
2      575 34500 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:r7K-R2NZ8MDhg56E */ mark match 0x10000/0x10000

Chain cali-pi-default.deny-cka (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:M5GNaQI8_reBW8yT */ match-set cali40s:GlI58GcsnUVriq8nY4DTDbA src multiport dports 80 MARK or 0x10000
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Eny0orU4YZcF_V1M */ mark match 0x10000/0x10000

Chain cali-pri-_4yi5_iSUAwsU8zMHTk (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-pri-_kJqfZpgUe7r2t4A-14 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:NtEAHjNnsVBDEfXK */ MARK or 0x10000
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:9VH2M_nLwiyE-4SU */ mark match 0x10000/0x10000

Chain cali-pri-kns.kelu (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:jl2zoP3SzZB2TuCr */ MARK or 0x10000
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:wkjFs16C3dJwr39t */ mark match 0x10000/0x10000

Chain cali-pri-kns.test (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        6   504 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Sc2MJ8Z8lZUNZycB */ MARK or 0x10000
2        6   504 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:KEqIbBH5rmYpA3ul */ mark match 0x10000/0x10000

Chain cali-pri-ksa.kelu.default (2 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-pri-ksa.test.default (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-pro-_4yi5_iSUAwsU8zMHTk (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-pro-_kJqfZpgUe7r2t4A-14 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       99  5947 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:D2nLcTxR7J5qLYcI */ MARK or 0x10000
2       99  5947 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:7wfaz_mRDJOI_9mB */ mark match 0x10000/0x10000

Chain cali-pro-kns.kelu (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Rxl_-Cz81LLiYGcp */ MARK or 0x10000
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:YDtyGStT8zsPjybx */ mark match 0x10000/0x10000

Chain cali-pro-kns.test (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:DyDQFBj8Z6Hj6Q6M */ MARK or 0x10000
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:E5xwh9bf1g8ZUM0i */ mark match 0x10000/0x10000

Chain cali-pro-ksa.kelu.default (2 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-pro-ksa.test.default (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-set-endpoint-mark (3 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 cali-sm-cali29b44b8716f  all  --  cali29b44b8716f *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:ZQQJN-I1HXALDyWN */
2        0     0 cali-sm-cali3494337d77e  all  --  cali3494337d77e *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:OkgJlEuT83ArBLnD */
3       96  5760 cali-sm-cali5932d6c609f  all  --  cali5932d6c609f *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:eQvPLoAxV6qvAWvf */
4        0     0 cali-sm-cali80612bce243  all  --  cali80612bce243 *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:T4wtgvZkh99eIknH */
5        0     0 DROP       all  --  cali+  *       0.0.0.0/0            0.0.0.0/0            /* cali:zrWvQ9cha_w6BYvg */ /* Unknown endpoint */
6      509 40249 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:r55Lx1l4j6CFjWt8 */ /* Non-Cali endpoint mark */ MARK xset 0x100000/0xfff00000

Chain cali-sm-cali29b44b8716f (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:zP6cxq9h7uN3ZzaE */ MARK xset 0x62100000/0xfff00000

Chain cali-sm-cali3494337d77e (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:pdI0SiLUn44fjI4g */ MARK xset 0x4bc00000/0xfff00000

Chain cali-sm-cali5932d6c609f (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       96  5760 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:F6GxwmLrxLk9m7UJ */ MARK xset 0x5e500000/0xfff00000

Chain cali-sm-cali80612bce243 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:izD3Ux--NKzwWtwx */ MARK xset 0xf3c00000/0xfff00000

Chain cali-to-hep-forward (2 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-to-host-endpoint (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain cali-to-wl-dispatch (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 cali-tw-cali29b44b8716f  all  --  *      cali29b44b8716f  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:X_XkL5iihUBoKodJ */
2        6   504 cali-tw-cali3494337d77e  all  --  *      cali3494337d77e  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:8_djfouWt1kOFmuL */
3     109K   18M cali-tw-cali5932d6c609f  all  --  *      cali5932d6c609f  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:RyZQMpoODu4znCFX */
4        0     0 cali-tw-cali80612bce243  all  --  *      cali80612bce243  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:hGFVAeEGmp6xup7J */
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:n00vz8wJi9KEK0lq */ /* Unknown interface */

Chain cali-tw-cali29b44b8716f (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:qNbKaqq73N6VuOtt */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:FBbnatUhhjZoBl0z */ ctstate INVALID
3        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:HVkjC5rdMBXRJooN */ MARK and 0xfffeffff
4        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:COdYPHM2TZ8_cMkZ */ /* Start of policies */ MARK and 0xfffdffff
5        0     0 cali-pi-default.deny-cka  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:rztTO_HW-LPNymBU */ mark match 0x0/0x20000
6        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:63etJAeqt35CdI4E */ /* Return if policy accepted */ mark match 0x10000/0x10000
7        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:8HcJ2Op669hLMSZw */ /* Drop if no policies passed packet */ mark match 0x0/0x20000
8        0     0 cali-pri-kns.kelu  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:qIF8pl_yOBoZ4ZSQ */
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:BmofsHjen05MpPPS */ /* Return if profile accepted */ mark match 0x10000/0x10000
10       0     0 cali-pri-ksa.kelu.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:lLKl6m4s1ST4pr4h */
11       0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:AEsxBjqCdKci3DW7 */ /* Return if profile accepted */ mark match 0x10000/0x10000
12       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:D2vrMQG_HkqY7om1 */ /* Drop if no profiles matched */

Chain cali-tw-cali3494337d77e (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:HYjKGP987KjMGL3y */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:a_eLZ_J536O2iBCL */ ctstate INVALID
3        6   504 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:AdNA1pKs-1txdAeV */ MARK and 0xfffeffff
4        6   504 cali-pri-kns.test  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:3OAiE1Ce2eGorhfT */
5        6   504 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:oNXfDjP4hy73LXk0 */ /* Return if profile accepted */ mark match 0x10000/0x10000
6        0     0 cali-pri-ksa.test.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:q5zmaGViDMLc7I-m */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:cJUNfSawRW0zZ9LT */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:U4YYzzngdIzvH8s4 */ /* Drop if no profiles matched */

Chain cali-tw-cali5932d6c609f (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     108K   18M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:94mTsGmxY9JihlrZ */ ctstate RELATED,ESTABLISHED
2       12   480 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:3rcsEdCsJnUOJEXp */ ctstate INVALID
3      575 34500 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:azhuEnvOgAHKkh_0 */ MARK and 0xfffeffff
4      575 34500 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:cUoEKDOZ7HIZmaXx */ /* Start of policies */ MARK and 0xfffdffff
5      575 34500 cali-pi-_3CJ_GmvE9pcCktVJ2ep  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:jXMObaDS_Jq6BoJ6 */ mark match 0x0/0x20000
6      575 34500 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:5GzVKaWHygOW1Oz8 */ /* Return if policy accepted */ mark match 0x10000/0x10000
7        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:TFdgNx3qn4XU5n95 */ /* Drop if no policies passed packet */ mark match 0x0/0x20000
8        0     0 cali-pri-_kJqfZpgUe7r2t4A-14  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:poT8sJfvjekMQVTx */
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:5N_rI_r_hg2FiRfS */ /* Return if profile accepted */ mark match 0x10000/0x10000
10       0     0 cali-pri-_4yi5_iSUAwsU8zMHTk  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:MjysK7DyZ4XGvFBP */
11       0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:WULR1keemRa1p9s1 */ /* Return if profile accepted */ mark match 0x10000/0x10000
12       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:tUpxBsxxsuqN34r3 */ /* Drop if no profiles matched */

Chain cali-tw-cali80612bce243 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:LERDskugFfZG04md */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Ct70QCd8hWBhhhKj */ ctstate INVALID
3        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:XEAB6NIVUjehvWZ7 */ MARK and 0xfffeffff
4        0     0 cali-pri-kns.kelu  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:MK9NfhdhXOqXYacc */
5        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:I1zzOPN3nGfrSdr1 */ /* Return if profile accepted */ mark match 0x10000/0x10000
6        0     0 cali-pri-ksa.kelu.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:6MzPuv_SK-8jFJni */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:r7pToUeHhCjBge8f */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:0RzXJppcVMClLyug */ /* Drop if no profiles matched */

Chain cali-wl-to-host (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     155K   33M cali-from-wl-dispatch  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Ee9Sbo10IpVujdIY */
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:nSZbcOoG1xPONxb8 */ /* Configured DefaultEndpointToHostAction */
[root@node1 ~]#
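
The packet counters in the listing above show which rules have matched traffic. The following added example (not part of the original post) parses `iptables -nvL --line-numbers` output and lists, in order, the rules with non-zero counters that apply to one workload interface, following jumps into Calico's per-endpoint chains. The sample is excerpted from the node1 listing above; the function names and the ingress interface `tunl0` are assumptions, and because counters are cumulative the result shows rules that have seen traffic, not one packet's exact path.

```python
from collections import namedtuple

# Excerpt of the node1 filter-table listing above (rules copied verbatim).
SAMPLE = """\
Chain cali-to-wl-dispatch (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 cali-tw-cali29b44b8716f  all  --  *      cali29b44b8716f  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:X_XkL5iihUBoKodJ */
2        6   504 cali-tw-cali3494337d77e  all  --  *      cali3494337d77e  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:8_djfouWt1kOFmuL */
3     109K   18M cali-tw-cali5932d6c609f  all  --  *      cali5932d6c609f  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:RyZQMpoODu4znCFX */
4        0     0 cali-tw-cali80612bce243  all  --  *      cali80612bce243  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:hGFVAeEGmp6xup7J */
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:n00vz8wJi9KEK0lq */ /* Unknown interface */

Chain cali-tw-cali3494337d77e (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:HYjKGP987KjMGL3y */ ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:a_eLZ_J536O2iBCL */ ctstate INVALID
3        6   504 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:AdNA1pKs-1txdAeV */ MARK and 0xfffeffff
4        6   504 cali-pri-kns.test  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:3OAiE1Ce2eGorhfT */
5        6   504 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:oNXfDjP4hy73LXk0 */ /* Return if profile accepted */ mark match 0x10000/0x10000
6        0     0 cali-pri-ksa.test.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:q5zmaGViDMLc7I-m */
7        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:cJUNfSawRW0zZ9LT */ /* Return if profile accepted */ mark match 0x10000/0x10000
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:U4YYzzngdIzvH8s4 */ /* Drop if no profiles matched */

Chain cali-pri-kns.test (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        6   504 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Sc2MJ8Z8lZUNZycB */ MARK or 0x10000
2        6   504 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:KEqIbBH5rmYpA3ul */ mark match 0x10000/0x10000

Chain cali-pri-ksa.test.default (1 references)
num   pkts bytes target     prot opt in     out     source               destination
"""

Rule = namedtuple("Rule", "num pkts target in_if out_if goto")


def parse_count(text):
    """Convert an iptables counter such as '109K' or '18M' to an integer."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
    if text[-1] in mult:
        return int(text[:-1]) * mult[text[-1]]
    return int(text)


def parse_listing(text):
    """Parse `iptables -nvL --line-numbers` output into {chain: [Rule, ...]}.

    Assumes every rule has a target, as in the listing above (a rule without
    one would leave the target column blank and shift the fields).
    """
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        f = line.split(None, 10)
        if current is None or len(f) < 10 or not f[0].isdigit():
            continue  # column header, blank line or shell prompt
        rest = f[10] if len(f) > 10 else ""
        chains[current].append(
            Rule(int(f[0]), parse_count(f[1]), f[3], f[6], f[7], "[goto]" in rest))
    return chains


def iface_match(pattern, iface):
    """Match an iptables interface column: '*', 'name', 'prefix+' or '!pattern'."""
    if pattern == "*":
        return True
    if pattern.startswith("!"):
        return not iface_match(pattern[1:], iface)
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def hit_path(chains, start, in_if, out_if, _stack=()):
    """List (chain, rule number, target, packets) for rules that have counted
    packets and whose interface columns fit in_if/out_if, descending into
    user-defined chains in rule order."""
    stack = _stack + (start,)
    path = []
    for r in chains.get(start, []):
        if r.pkts == 0:
            continue
        if not (iface_match(r.in_if, in_if) and iface_match(r.out_if, out_if)):
            continue
        path.append((start, r.num, r.target, r.pkts))
        if r.target in chains and r.target not in stack:  # guard against loops
            path += hit_path(chains, r.target, in_if, out_if, stack)
    return path


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    # tunl0 as the ingress interface is an assumption; every sampled rule has in=*.
    for chain, num, target, pkts in hit_path(
            parsed, "cali-to-wl-dispatch", "tunl0", "cali3494337d77e"):
        print(f"{chain}:{num} -> {target} ({pkts} pkts)")
```
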
