From 3416fcbb3df7d8dc16ab54a59ae7f81be49881a9 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Fri, 3 Nov 2023 09:27:36 +0800
Subject: [PATCH 01/25] Update iptables-graph

support k8s rules
---
 iptables-graph | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/iptables-graph b/iptables-graph
index 34bb844..f8c9fa8 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -33,6 +33,10 @@ for line in line_list:
         else:
             rule_body = ' '.join(token_list[2:])
 
+        rule_body = rule_body.replace('&', '&amp;')
+        rule_body = rule_body.replace('"', '&quot;')
+        rule_body = rule_body.replace('>', '&gt;')
+        rule_body = rule_body.replace('<', '&lt;')
         all_chains[current_table][current_chain].append({'rule_body':rule_body, 'target':target})
         continue
     else:

From 942b829099c9e4d649ce77df079ecc9bb6e0a671 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Thu, 21 Dec 2023 09:55:48 +0800
Subject: [PATCH 02/25] Update targets

---
 iptables-graph | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iptables-graph b/iptables-graph
index f8c9fa8..a45fc26 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -25,7 +25,7 @@ for line in line_list:
 
         rule_body = ''
         target = ''
-        if token_list[-2] == '-j' and token_list[-1] not in ['RETURN', 'ACCEPT', 'DROP']:
+        if token_list[-2] == '-j' and token_list[-1] not in ['ACCEPT','REJECT','DROP','REDIRECT','MASQUERADE','LOG','DNAT','SNAT','MIRROR','QUEUE','RETURN','MARK']:
             target = token_list[-1]
             if target not in all_chains[current_table]:
                 all_chains[current_table][target] = list()

From bdeb6cef53197bad510eda4eb73dbd402ca6b06b Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Thu, 21 Dec 2023 11:12:41 +0800
Subject: [PATCH 03/25] add color to final rule

---
 iptables-graph | 48 ++++++++++++++++++++++++------------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index a45fc26..76d1ab6 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -18,30 +18,29 @@ for line in line_list:
     if token_list[0][1:] in all_chains.keys():
         current_table = token_list[0][1:]
         continue
-    if token_list[0] == '-A':
-        current_chain = token_list[1]
-        if current_chain not in all_chains[current_table]:
-            all_chains[current_table][current_chain] = list()
-
-        rule_body = ''
-        target = ''
-        if token_list[-2] == '-j' and token_list[-1] not in ['ACCEPT','REJECT','DROP','REDIRECT','MASQUERADE','LOG','DNAT','SNAT','MIRROR','QUEUE','RETURN','MARK']:
-            target = token_list[-1]
-            if target not in all_chains[current_table]:
-                all_chains[current_table][target] = list()
-            rule_body = ' '.join(token_list[2:])
-        else:
-            rule_body = ' '.join(token_list[2:])
-
-        rule_body = rule_body.replace('&', '&amp;')
-        rule_body = rule_body.replace('"', '&quot;')
-        rule_body = rule_body.replace('>', '&gt;')
-        rule_body = rule_body.replace('<', '&lt;')
-        all_chains[current_table][current_chain].append({'rule_body':rule_body, 'target':target})
-        continue
-    else:
+    if token_list[0] != '-A':
         continue
+    current_chain = token_list[1]
+    if current_chain not in all_chains[current_table]:
+        all_chains[current_table][current_chain] = list()
 
+    target = ''
+    final_rule = False
+    i = token_list.index('-j')
+    if i != -1:
+        target = token_list[i+1]
+        if target in ['ACCEPT','REJECT','DROP','REDIRECT','MASQUERADE','LOG','DNAT','SNAT','MIRROR','QUEUE','RETURN','MARK']:
+            final_rule = target not in ['LOG', 'MARK', 'RETURN']
+            target = ''
+        elif target not in all_chains[current_table]:
+            all_chains[current_table][target] = list()
+    rule_body = ' '.join(token_list[2:])
+    rule_body = rule_body.replace('&', '&amp;')
+    rule_body = rule_body.replace('"', '&quot;')
+    rule_body = rule_body.replace('>', '&gt;')
+    rule_body = rule_body.replace('<', '&lt;')
+    all_chains[current_table][current_chain].append({'rule_body':rule_body, 'target':target, 'final_rule':final_rule})
+    continue
 
 def get_node_name(table_name, chain_name):
     return re.sub('[^a-zA-Z0-9]', '', table_name) + '_' + re.sub('[^a-zA-Z0-9]', '', chain_name)
@@ -51,7 +50,7 @@ def get_port_name(rule_index):
 
 output="""digraph {
     graph [pad="0.5", nodesep="0.5", ranksep="2"];
-    node [shape=plain]
+    node [shape=box3d]
     rankdir=LR;
 
 """
@@ -72,8 +71,9 @@ for table in all_chains:
             tmp_body += """
   <tr><td port="""
             tmp_body += "\"" + get_port_name(i) + "\""
+            if rule["final_rule"]:
+                tmp_body += " bgcolor=\"lightgrey\""
             tmp_body += """>""" + rule["rule_body"] + """</td></tr>"""
-            #tmp_body += """></td></tr>"""
         tmp_body += """
   <tr><td port="end">end</td></tr>
 </table>>];

From 056464a054b18d07e18f6aa88588b10cbac34087 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Thu, 21 Dec 2023 17:03:12 +0800
Subject: [PATCH 04/25] Update iptables-graph

---
 iptables-graph | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/iptables-graph b/iptables-graph
index 76d1ab6..28da4fd 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -29,7 +29,9 @@ for line in line_list:
     i = token_list.index('-j')
     if i != -1:
         target = token_list[i+1]
-        if target in ['ACCEPT','REJECT','DROP','REDIRECT','MASQUERADE','LOG','DNAT','SNAT','MIRROR','QUEUE','RETURN','MARK']:
+        if target in ['ACCEPT','REJECT','DROP','RETURN',\
+            'REDIRECT','MASQUERADE','DNAT','SNAT','DNPT','SNPT',\
+            'LOG','QUEUE','MARK']:
             final_rule = target not in ['LOG', 'MARK', 'RETURN']
             target = ''
         elif target not in all_chains[current_table]:

From d67035ca79b9c489cfdfb95ece0f70a2fbb6b5ea Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Wed, 10 Jan 2024 10:53:41 +0800
Subject: [PATCH 05/25] Update iptables-graph

---
 iptables-graph | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index 28da4fd..7d3fcb0 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -25,10 +25,13 @@ for line in line_list:
         all_chains[current_table][current_chain] = list()
 
     target = ''
+    if '-j' in token_list:
+        target = token_list[token_list.index('-j') + 1]
+    elif '-g' in token_list:
+        target = token_list[token_list.index('-g') + 1]
+
     final_rule = False
-    i = token_list.index('-j')
-    if i != -1:
-        target = token_list[i+1]
+    if target != '':
         if target in ['ACCEPT','REJECT','DROP','RETURN',\
             'REDIRECT','MASQUERADE','DNAT','SNAT','DNPT','SNPT',\
             'LOG','QUEUE','MARK']:
@@ -36,6 +39,7 @@ for line in line_list:
             target = ''
         elif target not in all_chains[current_table]:
             all_chains[current_table][target] = list()
+
     rule_body = ' '.join(token_list[2:])
     rule_body = rule_body.replace('&', '&amp;')
     rule_body = rule_body.replace('"', '&quot;')

From a6c53ad718602b003d5ba8e620aa98cea7e2230d Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Wed, 10 Jan 2024 11:03:23 +0800
Subject: [PATCH 06/25] Update iptables-graph

---
 iptables-graph | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index 7d3fcb0..fa5096b 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -24,11 +24,14 @@ for line in line_list:
     if current_chain not in all_chains[current_table]:
         all_chains[current_table][current_chain] = list()
 
+    i = -1
     target = ''
     if '-j' in token_list:
-        target = token_list[token_list.index('-j') + 1]
+        i = token_list.index('-j') + 1
     elif '-g' in token_list:
-        target = token_list[token_list.index('-g') + 1]
+        i = token_list.index('-g') + 1
+    if i > 0 and i < len(token_list):
+        target = token_list[i]
 
     final_rule = False
     if target != '':

From 579446fb1f0c6dd1153ba63af815f7f7a2ab92c7 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Wed, 10 Jan 2024 11:16:40 +0800
Subject: [PATCH 07/25] Update iptables-graph

---
 iptables-graph | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index fa5096b..c1de9b3 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -40,8 +40,10 @@ for line in line_list:
             'LOG','QUEUE','MARK']:
             final_rule = target not in ['LOG', 'MARK', 'RETURN']
             target = ''
-        elif target not in all_chains[current_table]:
-            all_chains[current_table][target] = list()
+        else:
+            token_list[i] = "[" + current_table + ":" + token_list[i] + "]"
+            if target not in all_chains[current_table]:
+                all_chains[current_table][target] = list()
 
     rule_body = ' '.join(token_list[2:])
     rule_body = rule_body.replace('&', '&amp;')

From 8b2def92f97ab6d0578ad4a8e6825cf67906658b Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Wed, 10 Jan 2024 14:39:03 +0800
Subject: [PATCH 08/25] Update iptables-graph

---
 iptables-graph | 74 ++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 60 insertions(+), 14 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index c1de9b3..a40dc40 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -3,19 +3,52 @@ import sys
 import re
 import string
 
-all_chains = {	'raw':	    {'PREROUTING':list(), 'OUTPUT':list()},
-        'filter':   {'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list()},
-        'nat':	    {'PREROUTING':list(), 'OUTPUT':list(), 'POSTROUTING':list()},
-        'mangle':   {'PREROUTING':list(), 'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list(), 'POSTROUTING':list()}}
+all_chains = {	
+    'raw':{'PREROUTING':list(), 'OUTPUT':list()},
+    'filter':{'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list()},
+    'nat':{'PREROUTING':list(), 'OUTPUT':list(), 'POSTROUTING':list()},
+    'mangle':{'PREROUTING':list(), 'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list(), 'POSTROUTING':list()}
+}
 
 defualt_chain_list = ['PREROUTING', 'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING']
+tables_comment = {};
+
+def get_escape(text):
+    text = text.replace('&', '&amp;')
+    text = text.replace('"', '&quot;')
+    text = text.replace('>', '&gt;')
+    text = text.replace('<', '&lt;')
+    return text
 
 input_string = sys.stdin.read()
 line_list = input_string.splitlines()
 current_table = None
 for line in line_list:
-    token_list = line.split()
-    if token_list[0][1:] in all_chains.keys():
+    if line[0] == '#':
+        continue
+    buf = []
+    token_list = []
+    qoute = False
+    for i, c in enumerate(line):
+        if qoute:
+            buf.append(c)
+            if c == '"' and line[i-1] != '\\':
+                qoute = False
+                token_list.append(''.join(buf))
+                buf = []
+        else:
+            if c == ' ':
+                if len(buf) > 0:
+                    token_list.append(''.join(buf))
+                    buf = []
+                continue
+            if c == '"':
+                qoute = True
+            buf.append(c)
+    if not qoute and len(buf) > 0:
+        token_list.append(''.join(buf))
+
+    if token_list[0][0] == '*' and token_list[0][1:] in all_chains.keys():
         current_table = token_list[0][1:]
         continue
     if token_list[0] != '-A':
@@ -41,15 +74,24 @@ for line in line_list:
             final_rule = target not in ['LOG', 'MARK', 'RETURN']
             target = ''
         else:
-            token_list[i] = "[" + current_table + ":" + token_list[i] + "]"
+            # remove JUMP
+            del token_list[i-1]
+            del token_list[i-1]
+            if '--comment' in token_list:
+                i = token_list.index('--comment') + 1
+                if i < len(token_list):
+                    comment = token_list[i].replace("\\", "")
+                    name = current_table + ':' + target
+                    if name not in tables_comment:
+                        tables_comment[name] = []
+                    if len(comment) > 0:
+                        comment = get_escape(comment[1:len(comment)-1])
+                        if comment not in tables_comment[name]:
+                            tables_comment[name].append(comment)
             if target not in all_chains[current_table]:
                 all_chains[current_table][target] = list()
 
-    rule_body = ' '.join(token_list[2:])
-    rule_body = rule_body.replace('&', '&amp;')
-    rule_body = rule_body.replace('"', '&quot;')
-    rule_body = rule_body.replace('>', '&gt;')
-    rule_body = rule_body.replace('<', '&lt;')
+    rule_body = get_escape(' '.join(token_list[2:]))
     all_chains[current_table][current_chain].append({'rule_body':rule_body, 'target':target, 'final_rule':final_rule})
     continue
 
@@ -74,9 +116,13 @@ for table in all_chains:
   <tr><td bgcolor="red"><i>""" + chain + """</i></td></tr>
   <tr><td port="begin" bgcolor="tomato"><i>""" + table + """</i></td></tr>"""
         else:
+            name = table + ":" + chain
+            if name in tables_comment:
+                for comment in tables_comment[name]:
+                    tmp_body +="""
+<tr><td bgcolor="grey"><b><i>""" + comment + """</i></b></td></tr>"""
             tmp_body +="""
-  <tr><td><i>""" + chain + """</i></td></tr>
-  <tr><td port="begin"><i>""" + table + """</i></td></tr>"""
+  <tr><td port="begin"><i>[""" + name + """]</i></td></tr>"""
         for i in range(len(all_chains[table][chain])):
             rule = all_chains[table][chain][i]
             tmp_body += """

From 5151e3104b9c3168be22b9c464a176fe90f51643 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Wed, 10 Jan 2024 21:33:07 +0800
Subject: [PATCH 09/25] Update iptables-graph

add security table & correct nat table
---
 iptables-graph | 346 +++++++++++++++++++++++++------------------------
 1 file changed, 178 insertions(+), 168 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index 45ee9a7..b348e13 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -1,172 +1,182 @@
-    #!/usr/bin/env python3
-    import sys
-    import re
-    import string
-
-    all_chains = {	
-        'raw':{'PREROUTING':list(), 'OUTPUT':list()},
-        'filter':{'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list()},
-        'nat':{'PREROUTING':list(), 'OUTPUT':list(), 'POSTROUTING':list()},
-        'mangle':{'PREROUTING':list(), 'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list(), 'POSTROUTING':list()}
-    }
-
-    defualt_chain_list = ['PREROUTING', 'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING']
-    tables_comment = {};
-
-    def get_escape(text):
-        text = text.replace('&', '&amp;')
-        text = text.replace('"', '&quot;')
-        text = text.replace('>', '&gt;')
-        text = text.replace('<', '&lt;')
-        return text
-
-    input_string = sys.stdin.read()
-    line_list = input_string.splitlines()
-    current_table = None
-    for line in line_list:
-        if line[0] == '#':
-            continue
-        buf = []
-        token_list = []
-        qoute = False
-        for i, c in enumerate(line):
-            if qoute:
-                buf.append(c)
-                if c == '"' and line[i-1] != '\\':
-                    qoute = False
+#!/usr/bin/env python3
+import sys
+import re
+import string
+
+all_chains = {  
+    'raw':{'PREROUTING':list(), 'OUTPUT':list()},
+    'filter':{'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list()},
+    'security':{'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list()},
+    'nat':{'PREROUTING':list(), 'INPUT':list(), 'OUTPUT':list(), 'POSTROUTING':list()},
+    'mangle':{'PREROUTING':list(), 'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list(), 'POSTROUTING':list()}
+}
+
+defualt_chain_list = ['PREROUTING', 'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING']
+tables_comment = {};
+
+def get_escape(text):
+    text = text.replace('&', '&amp;')
+    text = text.replace('"', '&quot;')
+    text = text.replace('>', '&gt;')
+    text = text.replace('<', '&lt;')
+    return text
+
+input_string = sys.stdin.read()
+line_list = input_string.splitlines()
+current_table = None
+for line in line_list:
+    if line[0] == '#':
+        continue
+    buf = []
+    token_list = []
+    qoute = False
+    for i, c in enumerate(line):
+        if qoute:
+            buf.append(c)
+            if c == '"' and line[i-1] != '\\':
+                qoute = False
+                token_list.append(''.join(buf))
+                buf = []
+        else:
+            if c == ' ':
+                if len(buf) > 0:
                     token_list.append(''.join(buf))
                     buf = []
-            else:
-                if c == ' ':
-                    if len(buf) > 0:
-                        token_list.append(''.join(buf))
-                        buf = []
-                    continue
-                if c == '"':
-                    qoute = True
-                buf.append(c)
-        if not qoute and len(buf) > 0:
-            token_list.append(''.join(buf))
-
-        if token_list[0][0] == '*' and token_list[0][1:] in all_chains.keys():
-            current_table = token_list[0][1:]
-            continue
-        if token_list[0] != '-A':
-            continue
-        current_chain = token_list[1]
-        if current_chain not in all_chains[current_table]:
-            all_chains[current_table][current_chain] = list()
-
-        i = -1
-        target = ''
-        if '-j' in token_list:
-            i = token_list.index('-j') + 1
-        elif '-g' in token_list:
-            i = token_list.index('-g') + 1
-        if i > 0 and i < len(token_list):
-            target = token_list[i]
-
-        final_rule = False
-        if target != '':
-            if target in ['ACCEPT','REJECT','DROP','RETURN',\
-                'REDIRECT','MASQUERADE','DNAT','SNAT','DNPT','SNPT',\
-                'LOG','QUEUE','MARK']:
-                final_rule = target not in ['LOG', 'MARK', 'RETURN']
-                target = ''
-            else:
-                # remove JUMP
-                del token_list[i-1]
-                del token_list[i-1]
-                if '--comment' in token_list:
-                    i = token_list.index('--comment') + 1
-                    if i < len(token_list):
-                        comment = token_list[i].replace("\\", "")
-                        name = current_table + ':' + target
-                        if name not in tables_comment:
-                            tables_comment[name] = []
-                        if len(comment) > 0:
-                            comment = get_escape(comment[1:len(comment)-1])
-                            if comment not in tables_comment[name]:
-                                tables_comment[name].append(comment)
-                if target not in all_chains[current_table]:
-                    all_chains[current_table][target] = list()
-
-        rule_body = get_escape(' '.join(token_list[2:]))
-        all_chains[current_table][current_chain].append({'rule_body':rule_body, 'target':target, 'final_rule':final_rule})
+                continue
+            if c == '"':
+                qoute = True
+            buf.append(c)
+    if not qoute and len(buf) > 0:
+        token_list.append(''.join(buf))
+
+    if token_list[0][0] == '*' and token_list[0][1:] in all_chains.keys():
+        current_table = token_list[0][1:]
         continue
-
-    def get_node_name(table_name, chain_name):
-        return re.sub('[^a-zA-Z0-9]', '', table_name) + '_' + re.sub('[^a-zA-Z0-9]', '', chain_name)
-
-    def get_port_name(rule_index):
-        return "rule_" + str(rule_index)
-
-    output="""digraph {
-        graph [pad="0.5", nodesep="0.5", ranksep="2"];
-        node [shape=box3d]
-        rankdir=LR;
-
-    """
-    for table in all_chains:
-        for chain in all_chains[table]:
-            node_name = get_node_name(table, chain)
-            tmp_body = node_name + """ [label=<<table border="0" cellborder="1" cellspacing="0">"""
-            if chain in defualt_chain_list:
-                tmp_body +="""
-      <tr><td bgcolor="red"><i>""" + chain + """</i></td></tr>
-      <tr><td port="begin" bgcolor="tomato"><i>""" + table + """</i></td></tr>"""
-            else:
-                name = table + ":" + chain
-                if name in tables_comment:
-                    for comment in tables_comment[name]:
-                        tmp_body +="""
-    <tr><td bgcolor="grey"><b><i>""" + comment + """</i></b></td></tr>"""
-                tmp_body +="""
-      <tr><td port="begin"><i>[""" + name + """]</i></td></tr>"""
-            for i in range(len(all_chains[table][chain])):
-                rule = all_chains[table][chain][i]
-                tmp_body += """
-      <tr><td port="""
-                tmp_body += "\"" + get_port_name(i) + "\""
-                if rule["final_rule"]:
-                    tmp_body += " bgcolor=\"lightgrey\""
-                tmp_body += """>""" + rule["rule_body"] + """</td></tr>"""
+    if token_list[0] != '-A':
+        continue
+    current_chain = token_list[1]
+    if current_chain not in all_chains[current_table]:
+        all_chains[current_table][current_chain] = list()
+
+    i = -1
+    target = ''
+    if '-j' in token_list:
+        i = token_list.index('-j') + 1
+    elif '-g' in token_list:
+        i = token_list.index('-g') + 1
+    if i > 0 and i < len(token_list):
+        target = token_list[i]
+
+    final_rule = False
+    if target != '':
+        if target in ['ACCEPT','REJECT','DROP','RETURN',\
+            'REDIRECT','MASQUERADE','DNAT','SNAT','DNPT','SNPT',\
+            'LOG','QUEUE','MARK', \
+            'SECMARK', 'CONNSECMARK']:
+            final_rule = target not in ['LOG', 'MARK', 'RETURN']
+            target = ''
+        else:
+            # remove JUMP
+            del token_list[i-1]
+            del token_list[i-1]
+            if '--comment' in token_list:
+                i = token_list.index('--comment') + 1
+                if i < len(token_list):
+                    comment = token_list[i].replace("\\", "")
+                    name = current_table + ':' + target
+                    if name not in tables_comment:
+                        tables_comment[name] = []
+                    if len(comment) > 0:
+                        comment = get_escape(comment[1:len(comment)-1])
+                        if comment not in tables_comment[name]:
+                            tables_comment[name].append(comment)
+            if target not in all_chains[current_table]:
+                all_chains[current_table][target] = list()
+
+    rule_body = get_escape(' '.join(token_list[2:]))
+    all_chains[current_table][current_chain].append({'rule_body':rule_body, 'target':target, 'final_rule':final_rule})
+    continue
+
+def get_node_name(table_name, chain_name):
+    return re.sub('[^a-zA-Z0-9]', '', table_name) + '_' + re.sub('[^a-zA-Z0-9]', '', chain_name)
+
+def get_port_name(rule_index):
+    return "rule_" + str(rule_index)
+
+output="""digraph {
+    graph [pad="0.5", nodesep="0.5", ranksep="2"];
+    node [shape=box3d]
+    rankdir=LR;
+
+"""
+for table in all_chains:
+    for chain in all_chains[table]:
+        node_name = get_node_name(table, chain)
+        tmp_body = node_name + """ [label=<<table border="0" cellborder="1" cellspacing="0">"""
+        if chain in defualt_chain_list:
+            tmp_body +="""
+  <tr><td bgcolor="red"><i>""" + chain + """</i></td></tr>
+  <tr><td port="begin" bgcolor="tomato"><i>""" + table + """</i></td></tr>"""
+        else:
+            name = table + ":" + chain
+            if name in tables_comment:
+                for comment in tables_comment[name]:
+                    tmp_body +="""
+<tr><td bgcolor="grey"><b><i>""" + comment + """</i></b></td></tr>"""
+            tmp_body +="""
+  <tr><td port="begin"><i>[""" + name + """]</i></td></tr>"""
+        for i in range(len(all_chains[table][chain])):
+            rule = all_chains[table][chain][i]
             tmp_body += """
-      <tr><td port="end">end</td></tr>
-    </table>>];
-    """
-            output += tmp_body
-
-    for table in all_chains:
-        for chain in all_chains[table]:
-            for i in range(len(all_chains[table][chain])):
-                rule = all_chains[table][chain][i]
-                if rule['target']:
-                    source_node = get_node_name(table, chain) + ':' + get_port_name(i)
-                    target_node = get_node_name(table, rule['target']) + ':begin'
-                    output += source_node + """ -> """ + target_node + """;
-    """
-
-    def default_chain_link(src_table_name, src_chain_name, dst_table_name, dst_chain_name):
-        source_node = get_node_name(src_table_name, src_chain_name) + ':end'
-        target_node = get_node_name(dst_table_name, dst_chain_name) + ':begin'
-        return source_node + """ -> """ + target_node + """ [color=red];
-    """
-
-    output += default_chain_link('raw',	'PREROUTING',	'mangle',   'PREROUTING')
-    output += default_chain_link('mangle',	'PREROUTING',	'nat',	    'PREROUTING')
-    output += default_chain_link('nat',	'PREROUTING',	'mangle',   'INPUT')
-    output += default_chain_link('mangle',	'INPUT',	'filter',   'INPUT')
-    output += default_chain_link('filter',	'INPUT',	'raw',	    'OUTPUT')
-    output += default_chain_link('raw',	'OUTPUT',	'mangle',   'OUTPUT')
-    output += default_chain_link('mangle',	'OUTPUT',	'nat',	    'OUTPUT')
-    output += default_chain_link('nat',	'OUTPUT',	'filter',   'OUTPUT')
-    output += default_chain_link('filter',	'OUTPUT',	'mangle',   'POSTROUTING')
-    output += default_chain_link('mangle',	'POSTROUTING',	'nat',	    'POSTROUTING')
-    output += default_chain_link('nat',	'PREROUTING',	'mangle',   'FORWARD')
-    output += default_chain_link('mangle',	'FORWARD',	'filter',   'FORWARD')
-    output += default_chain_link('filter',	'FORWARD',	'mangle',   'POSTROUTING')
-
-    output += """
-    }"""
-    print(output)
+  <tr><td port="""
+            tmp_body += "\"" + get_port_name(i) + "\""
+            if rule["final_rule"]:
+                tmp_body += " bgcolor=\"lightgrey\""
+            tmp_body += """>""" + rule["rule_body"] + """</td></tr>"""
+        tmp_body += """
+  <tr><td port="end">end</td></tr>
+</table>>];
+"""
+        output += tmp_body
+
+for table in all_chains:
+    for chain in all_chains[table]:
+        for i in range(len(all_chains[table][chain])):
+            rule = all_chains[table][chain][i]
+            if rule['target']:
+                source_node = get_node_name(table, chain) + ':' + get_port_name(i)
+                target_node = get_node_name(table, rule['target']) + ':begin'
+                output += source_node + """ -> """ + target_node + """;
+"""
+
+def default_chain_link(src_table_name, src_chain_name, dst_table_name, dst_chain_name):
+    source_node = get_node_name(src_table_name, src_chain_name) + ':end'
+    target_node = get_node_name(dst_table_name, dst_chain_name) + ':begin'
+    return source_node + """ -> """ + target_node + """ [color=red];
+"""
+
+output += default_chain_link('raw', 'PREROUTING',   'mangle',   'PREROUTING')
+output += default_chain_link('mangle',  'PREROUTING',   'nat',      'PREROUTING')
+
+output += default_chain_link('nat', 'PREROUTING',   'mangle',   'INPUT')
+output += default_chain_link('mangle',   'INPUT',   'filter',   'INPUT')
+output += default_chain_link('filter',   'INPUT',   'security',   'INPUT')
+output += default_chain_link('security',   'INPUT',   'nat',   'INPUT')
+
+output += default_chain_link('nat', 'PREROUTING',   'mangle',   'FORWARD')
+output += default_chain_link('mangle', 'FORWARD',   'filter',   'FORWARD')
+output += default_chain_link('filter',   'FORWARD',   'security',   'FORWARD')
+
+output += default_chain_link('nat',   'INPUT',   'raw',   'OUTPUT')
+output += default_chain_link('raw',   'OUTPUT',   'mangle',   'OUTPUT')
+output += default_chain_link('mangle',   'OUTPUT',   'nat',   'OUTPUT')
+output += default_chain_link('nat',   'OUTPUT',   'filter',   'OUTPUT')
+output += default_chain_link('filter',   'OUTPUT',   'security',   'OUTPUT')
+
+output += default_chain_link('security',   'OUTPUT',   'mangle',   'POSTROUTING')
+output += default_chain_link('security',   'FORWARD',   'mangle',   'POSTROUTING')
+output += default_chain_link('mangle',   'POSTROUTING',   'nat',   'POSTROUTING')
+
+output += """
+}"""
+print(output)

From e2708d84efc9b2fa0d1bcbadabcfa66272f3a1db Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Wed, 10 Jan 2024 22:15:12 +0800
Subject: [PATCH 10/25] Update iptables-graph

---
 iptables-graph | 35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index b348e13..1f84033 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -11,8 +11,17 @@ all_chains = {
     'mangle':{'PREROUTING':list(), 'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list(), 'POSTROUTING':list()}
 }
 
+def get_node_name(table_name, chain_name):
+    return re.sub('[^a-zA-Z0-9]', '', table_name) + '_' + re.sub('[^a-zA-Z0-9]', '', chain_name)
+
 defualt_chain_list = ['PREROUTING', 'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING']
-tables_comment = {};
+endness_chain = [
+    get_node_name('raw', 'PREROUTING'), 
+    get_node_name('nat', ':POSTROUTING'), 
+    get_node_name('nat', 'INPUT'), 
+    get_node_name('raw', 'OUTPUT')
+]
+tables_comment = {}
 
 def get_escape(text):
     text = text.replace('&', '&amp;')
@@ -83,13 +92,13 @@ for line in line_list:
                 i = token_list.index('--comment') + 1
                 if i < len(token_list):
                     comment = token_list[i].replace("\\", "")
-                    name = current_table + ':' + target
-                    if name not in tables_comment:
-                        tables_comment[name] = []
+                    node_name = get_node_name(current_table, target)
+                    if node_name not in tables_comment:
+                        tables_comment[node_name] = []
                     if len(comment) > 0:
                         comment = get_escape(comment[1:len(comment)-1])
-                        if comment not in tables_comment[name]:
-                            tables_comment[name].append(comment)
+                        if comment not in tables_comment[node_name]:
+                            tables_comment[node_name].append(comment)
             if target not in all_chains[current_table]:
                 all_chains[current_table][target] = list()
 
@@ -97,8 +106,6 @@ for line in line_list:
     all_chains[current_table][current_chain].append({'rule_body':rule_body, 'target':target, 'final_rule':final_rule})
     continue
 
-def get_node_name(table_name, chain_name):
-    return re.sub('[^a-zA-Z0-9]', '', table_name) + '_' + re.sub('[^a-zA-Z0-9]', '', chain_name)
 
 def get_port_name(rule_index):
     return "rule_" + str(rule_index)
@@ -114,17 +121,19 @@ for table in all_chains:
         node_name = get_node_name(table, chain)
         tmp_body = node_name + """ [label=<<table border="0" cellborder="1" cellspacing="0">"""
         if chain in defualt_chain_list:
+            bgcolor ="red"
+            if node_name in endness_chain:
+                bgcolor = "lightblue"
             tmp_body +="""
-  <tr><td bgcolor="red"><i>""" + chain + """</i></td></tr>
+  <tr><td bgcolor=\"""" + bgcolor + """\"><i>""" + chain + """</i></td></tr>
   <tr><td port="begin" bgcolor="tomato"><i>""" + table + """</i></td></tr>"""
         else:
-            name = table + ":" + chain
-            if name in tables_comment:
-                for comment in tables_comment[name]:
+            if node_name in tables_comment:
+                for comment in tables_comment[node_name]:
                     tmp_body +="""
 <tr><td bgcolor="grey"><b><i>""" + comment + """</i></b></td></tr>"""
             tmp_body +="""
-  <tr><td port="begin"><i>[""" + name + """]</i></td></tr>"""
+  <tr><td port="begin"><i>[""" + node_name.replace("_",  ":")  + """]</i></td></tr>"""
         for i in range(len(all_chains[table][chain])):
             rule = all_chains[table][chain][i]
             tmp_body += """

From 0662565e04cb0de901189f3b586923357cb7e691 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Wed, 10 Jan 2024 23:19:43 +0800
Subject: [PATCH 11/25] Update iptables-graph

---
 iptables-graph | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index 1f84033..91df4eb 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -15,12 +15,19 @@ def get_node_name(table_name, chain_name):
     return re.sub('[^a-zA-Z0-9]', '', table_name) + '_' + re.sub('[^a-zA-Z0-9]', '', chain_name)
 
 defualt_chain_list = ['PREROUTING', 'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING']
+
+default_chain_policy={}
+for table in all_chains:
+    for chain in defualt_chain_list:
+        default_chain_policy[get_node_name(table, chain)] = 'ACCEPT'
+
 endness_chain = [
     get_node_name('raw', 'PREROUTING'), 
     get_node_name('nat', ':POSTROUTING'), 
     get_node_name('nat', 'INPUT'), 
     get_node_name('raw', 'OUTPUT')
 ]
+
 tables_comment = {}
 
 def get_escape(text):
@@ -58,8 +65,14 @@ for line in line_list:
     if not qoute and len(buf) > 0:
         token_list.append(''.join(buf))
 
-    if token_list[0][0] == '*' and token_list[0][1:] in all_chains.keys():
-        current_table = token_list[0][1:]
+    if token_list[0][0] == '*':
+        if token_list[0][1:] in all_chains.keys():
+            current_table = token_list[0][1:]
+        continue
+    if token_list[0][0] == ':':
+        node_name = get_node_name(current_table, token_list[0][1:])
+        if node_name in default_chain_policy:
+            default_chain_policy[node_name] = token_list[1]
         continue
     if token_list[0] != '-A':
         continue
@@ -124,9 +137,12 @@ for table in all_chains:
             bgcolor ="red"
             if node_name in endness_chain:
                 bgcolor = "lightblue"
+            policy = ""
+            if node_name in default_chain_policy:
+                policy = ":" + default_chain_policy[node_name]
             tmp_body +="""
   <tr><td bgcolor=\"""" + bgcolor + """\"><i>""" + chain + """</i></td></tr>
-  <tr><td port="begin" bgcolor="tomato"><i>""" + table + """</i></td></tr>"""
+  <tr><td port="begin" bgcolor="tomato"><i>""" + table + policy + """</i></td></tr>"""
         else:
             if node_name in tables_comment:
                 for comment in tables_comment[node_name]:
@@ -167,6 +183,7 @@ def default_chain_link(src_table_name, src_chain_name, dst_table_name, dst_chain
 output += default_chain_link('raw', 'PREROUTING',   'mangle',   'PREROUTING')
 output += default_chain_link('mangle',  'PREROUTING',   'nat',      'PREROUTING')
 
+output += default_chain_link('mangle',  'PREROUTING',   'mangle',      'INPUT')
 output += default_chain_link('nat', 'PREROUTING',   'mangle',   'INPUT')
 output += default_chain_link('mangle',   'INPUT',   'filter',   'INPUT')
 output += default_chain_link('filter',   'INPUT',   'security',   'INPUT')

From e5652e9dffc1dad876f5b8331cebbf0f3af58359 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Thu, 11 Jan 2024 11:03:51 +0800
Subject: [PATCH 12/25] Update iptables-graph

---
 iptables-graph | 273 ++++++++++++++++++++++++++++++++-----------------
 1 file changed, 178 insertions(+), 95 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index 91df4eb..212fb94 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -3,45 +3,64 @@ import sys
 import re
 import string
 
-all_chains = {  
-    'raw':{'PREROUTING':list(), 'OUTPUT':list()},
-    'filter':{'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list()},
-    'security':{'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list()},
-    'nat':{'PREROUTING':list(), 'INPUT':list(), 'OUTPUT':list(), 'POSTROUTING':list()},
-    'mangle':{'PREROUTING':list(), 'INPUT':list(), 'OUTPUT':list(), 'FORWARD':list(), 'POSTROUTING':list()}
+all_chains = {
+    "raw": {"PREROUTING": list(), "OUTPUT": list()},
+    "filter": {"INPUT": list(), "OUTPUT": list(), "FORWARD": list()},
+    "security": {"INPUT": list(), "OUTPUT": list(), "FORWARD": list()},
+    "nat": {
+        "PREROUTING": list(),
+        "INPUT": list(),
+        "OUTPUT": list(),
+        "POSTROUTING": list(),
+    },
+    "mangle": {
+        "PREROUTING": list(),
+        "INPUT": list(),
+        "OUTPUT": list(),
+        "FORWARD": list(),
+        "POSTROUTING": list(),
+    },
 }
 
+
 def get_node_name(table_name, chain_name):
-    return re.sub('[^a-zA-Z0-9]', '', table_name) + '_' + re.sub('[^a-zA-Z0-9]', '', chain_name)
+    return (
+        re.sub("[^a-zA-Z0-9]", "", table_name)
+        + "_"
+        + re.sub("[^a-zA-Z0-9]", "", chain_name)
+    )
+
 
-defualt_chain_list = ['PREROUTING', 'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING']
+defualt_chain_list = ["PREROUTING", "FORWARD", "INPUT", "OUTPUT", "POSTROUTING"]
 
-default_chain_policy={}
+default_chain_policy = {}
 for table in all_chains:
     for chain in defualt_chain_list:
-        default_chain_policy[get_node_name(table, chain)] = 'ACCEPT'
+        default_chain_policy[get_node_name(table, chain)] = "ACCEPT"
 
 endness_chain = [
-    get_node_name('raw', 'PREROUTING'), 
-    get_node_name('nat', ':POSTROUTING'), 
-    get_node_name('nat', 'INPUT'), 
-    get_node_name('raw', 'OUTPUT')
+    get_node_name("raw", "PREROUTING"),
+    get_node_name("nat", ":POSTROUTING"),
+    get_node_name("nat", "INPUT"),
+    get_node_name("raw", "OUTPUT"),
 ]
 
 tables_comment = {}
 
+
 def get_escape(text):
-    text = text.replace('&', '&amp;')
-    text = text.replace('"', '&quot;')
-    text = text.replace('>', '&gt;')
-    text = text.replace('<', '&lt;')
+    text = text.replace("&", "&amp;")
+    text = text.replace('"', "&quot;")
+    text = text.replace(">", "&gt;")
+    text = text.replace("<", "&lt;")
     return text
 
+
 input_string = sys.stdin.read()
 line_list = input_string.splitlines()
 current_table = None
 for line in line_list:
-    if line[0] == '#':
+    if line[0] == "#":
         continue
     buf = []
     token_list = []
@@ -49,159 +68,223 @@ for line in line_list:
     for i, c in enumerate(line):
         if qoute:
             buf.append(c)
-            if c == '"' and line[i-1] != '\\':
+            if c == '"' and line[i - 1] != "\\":
                 qoute = False
-                token_list.append(''.join(buf))
+                token_list.append("".join(buf))
                 buf = []
         else:
-            if c == ' ':
+            if c == " ":
                 if len(buf) > 0:
-                    token_list.append(''.join(buf))
+                    token_list.append("".join(buf))
                     buf = []
                 continue
             if c == '"':
                 qoute = True
             buf.append(c)
     if not qoute and len(buf) > 0:
-        token_list.append(''.join(buf))
+        token_list.append("".join(buf))
 
-    if token_list[0][0] == '*':
+    if token_list[0][0] == "*":
         if token_list[0][1:] in all_chains.keys():
             current_table = token_list[0][1:]
         continue
-    if token_list[0][0] == ':':
+    if token_list[0][0] == ":":
         node_name = get_node_name(current_table, token_list[0][1:])
         if node_name in default_chain_policy:
             default_chain_policy[node_name] = token_list[1]
         continue
-    if token_list[0] != '-A':
+    if token_list[0] != "-A":
         continue
     current_chain = token_list[1]
     if current_chain not in all_chains[current_table]:
         all_chains[current_table][current_chain] = list()
 
     i = -1
-    target = ''
-    if '-j' in token_list:
-        i = token_list.index('-j') + 1
-    elif '-g' in token_list:
-        i = token_list.index('-g') + 1
+    target = ""
+    if "-j" in token_list:
+        i = token_list.index("-j") + 1
+    elif "-g" in token_list:
+        i = token_list.index("-g") + 1
     if i > 0 and i < len(token_list):
         target = token_list[i]
 
     final_rule = False
-    if target != '':
-        if target in ['ACCEPT','REJECT','DROP','RETURN',\
-            'REDIRECT','MASQUERADE','DNAT','SNAT','DNPT','SNPT',\
-            'LOG','QUEUE','MARK', \
-            'SECMARK', 'CONNSECMARK']:
-            final_rule = target not in ['LOG', 'MARK', 'RETURN']
-            target = ''
+    if target != "":
+        if target in [
+            "ACCEPT",
+            "REJECT",
+            "DROP",
+            "RETURN",
+            "REDIRECT",
+            "MASQUERADE",
+            "DNAT",
+            "SNAT",
+            "DNPT",
+            "SNPT",
+            "LOG",
+            "QUEUE",
+            "MARK",
+            "SECMARK",
+            "CONNSECMARK",
+        ]:
+            final_rule = target not in ["LOG", "MARK", "RETURN"]
+            target = ""
         else:
             # remove JUMP
-            del token_list[i-1]
-            del token_list[i-1]
-            if '--comment' in token_list:
-                i = token_list.index('--comment') + 1
+            del token_list[i - 1]
+            del token_list[i - 1]
+            if "--comment" in token_list:
+                i = token_list.index("--comment") + 1
                 if i < len(token_list):
                     comment = token_list[i].replace("\\", "")
                     node_name = get_node_name(current_table, target)
                     if node_name not in tables_comment:
                         tables_comment[node_name] = []
                     if len(comment) > 0:
-                        comment = get_escape(comment[1:len(comment)-1])
+                        comment = get_escape(comment[1 : len(comment) - 1])
                         if comment not in tables_comment[node_name]:
                             tables_comment[node_name].append(comment)
             if target not in all_chains[current_table]:
                 all_chains[current_table][target] = list()
 
-    rule_body = get_escape(' '.join(token_list[2:]))
-    all_chains[current_table][current_chain].append({'rule_body':rule_body, 'target':target, 'final_rule':final_rule})
+    rule_body = get_escape(" ".join(token_list[2:]))
+    all_chains[current_table][current_chain].append(
+        {"rule_body": rule_body, "target": target, "final_rule": final_rule}
+    )
     continue
 
 
 def get_port_name(rule_index):
     return "rule_" + str(rule_index)
 
-output="""digraph {
+
+output = """digraph {
     graph [pad="0.5", nodesep="0.5", ranksep="2"];
     node [shape=box3d]
     rankdir=LR;
-
 """
 for table in all_chains:
     for chain in all_chains[table]:
         node_name = get_node_name(table, chain)
-        tmp_body = node_name + """ [label=<<table border="0" cellborder="1" cellspacing="0">"""
+        tmp_body = (
+            """
+    """
+            + node_name
+            + """ [label=<<table border="0" cellborder="1" cellspacing="0">"""
+        )
         if chain in defualt_chain_list:
-            bgcolor ="red"
+            bgcolor = "tomato"
             if node_name in endness_chain:
                 bgcolor = "lightblue"
-            policy = ""
-            if node_name in default_chain_policy:
-                policy = ":" + default_chain_policy[node_name]
-            tmp_body +="""
-  <tr><td bgcolor=\"""" + bgcolor + """\"><i>""" + chain + """</i></td></tr>
-  <tr><td port="begin" bgcolor="tomato"><i>""" + table + policy + """</i></td></tr>"""
+            tmp_body += (
+                """
+      <tr><td bgcolor=\""""
+                + bgcolor
+                + """\"><i>"""
+                + node_name.replace("_", ":")
+                + """</i></td></tr>
+      <tr><td port="begin"></td></tr>"""
+            )
         else:
-            if node_name in tables_comment:
-                for comment in tables_comment[node_name]:
-                    tmp_body +="""
-<tr><td bgcolor="grey"><b><i>""" + comment + """</i></b></td></tr>"""
-            tmp_body +="""
-  <tr><td port="begin"><i>[""" + node_name.replace("_",  ":")  + """]</i></td></tr>"""
+            if not node_name in tables_comment:
+                tables_comment[node_name] = [node_name.replace("_", ":")]
+            for comment in sorted(tables_comment[node_name]):
+                tmp_body += (
+                    """
+      <tr><td bgcolor="grey"><b><i>"""
+                    + comment
+                    + """</i></b></td></tr>"""
+                )
+            tmp_body += """
+      <tr><td port="begin"></td></tr>"""
         for i in range(len(all_chains[table][chain])):
             rule = all_chains[table][chain][i]
             tmp_body += """
-  <tr><td port="""
-            tmp_body += "\"" + get_port_name(i) + "\""
+      <tr><td port="""
+            tmp_body += '"' + get_port_name(i) + '"'
             if rule["final_rule"]:
-                tmp_body += " bgcolor=\"lightgrey\""
+                tmp_body += ' bgcolor="lightgrey"'
             tmp_body += """>""" + rule["rule_body"] + """</td></tr>"""
-        tmp_body += """
-  <tr><td port="end">end</td></tr>
-</table>>];
+        policy = "-j RETURN"
+        if node_name in default_chain_policy:
+            policy = "-j " + default_chain_policy[node_name]
+        tmp_body += (
+            """
+      <tr><td port="end">"""
+            + policy
+            + """</td></tr>
+    </table>>];
 """
+        )
         output += tmp_body
 
 for table in all_chains:
     for chain in all_chains[table]:
         for i in range(len(all_chains[table][chain])):
             rule = all_chains[table][chain][i]
-            if rule['target']:
-                source_node = get_node_name(table, chain) + ':' + get_port_name(i)
-                target_node = get_node_name(table, rule['target']) + ':begin'
-                output += source_node + """ -> """ + target_node + """;
-"""
+            if rule["target"]:
+                source_node = get_node_name(table, chain) + ":" + get_port_name(i)
+                target_node = get_node_name(table, rule["target"]) + ":begin"
+                output += (
+                    """
+    """
+                    + source_node
+                    + """ -> """
+                    + target_node
+                    + """;"""
+                )
+
 
 def default_chain_link(src_table_name, src_chain_name, dst_table_name, dst_chain_name):
-    source_node = get_node_name(src_table_name, src_chain_name) + ':end'
-    target_node = get_node_name(dst_table_name, dst_chain_name) + ':begin'
-    return source_node + """ -> """ + target_node + """ [color=red];
-"""
+    source_node = get_node_name(src_table_name, src_chain_name)
+    color = "red"
+    if (
+        source_node in default_chain_policy
+        and default_chain_policy[source_node] != "ACCEPT"
+    ):
+        color = "grey"
+    target_node = get_node_name(dst_table_name, dst_chain_name)
+    return (
+        """
+    """
+        + source_node
+        + """:end -> """
+        + target_node
+        + """:begin [color="""
+        + color
+        + """];"""
+    )
+
+output += "INGRESS[shape=circle fillcolor=lightblue style=filled];"
+output += "EGRESS[shape=circle fillcolor=lightblue style=filled];"
+output += "APPLICATION[shape=circle style=filled];"
+
+output += "INGRESS->" + get_node_name("raw", "PREROUTING") + ":begin[color=blue];"
+output += get_node_name("nat", "INPUT") + ":end-> APPLICATION[color=blue];"
+output += "APPLICATION->" + get_node_name("raw", "OUTPUT") + ":begin[color=blue];"
+output += get_node_name("nat", "POSTROUTING") + ":end-> EGRESS[color=blue];"
 
-output += default_chain_link('raw', 'PREROUTING',   'mangle',   'PREROUTING')
-output += default_chain_link('mangle',  'PREROUTING',   'nat',      'PREROUTING')
+output += default_chain_link("raw", "PREROUTING", "mangle", "PREROUTING")
+output += default_chain_link("mangle", "PREROUTING", "nat", "PREROUTING")
 
-output += default_chain_link('mangle',  'PREROUTING',   'mangle',      'INPUT')
-output += default_chain_link('nat', 'PREROUTING',   'mangle',   'INPUT')
-output += default_chain_link('mangle',   'INPUT',   'filter',   'INPUT')
-output += default_chain_link('filter',   'INPUT',   'security',   'INPUT')
-output += default_chain_link('security',   'INPUT',   'nat',   'INPUT')
+output += default_chain_link("nat", "PREROUTING", "mangle", "INPUT")
+output += default_chain_link("mangle", "INPUT", "filter", "INPUT")
+output += default_chain_link("filter", "INPUT", "security", "INPUT")
+output += default_chain_link("security", "INPUT", "nat", "INPUT")
 
-output += default_chain_link('nat', 'PREROUTING',   'mangle',   'FORWARD')
-output += default_chain_link('mangle', 'FORWARD',   'filter',   'FORWARD')
-output += default_chain_link('filter',   'FORWARD',   'security',   'FORWARD')
+output += default_chain_link("nat", "PREROUTING", "mangle", "FORWARD")
+output += default_chain_link("mangle", "FORWARD", "filter", "FORWARD")
+output += default_chain_link("filter", "FORWARD", "security", "FORWARD")
 
-output += default_chain_link('nat',   'INPUT',   'raw',   'OUTPUT')
-output += default_chain_link('raw',   'OUTPUT',   'mangle',   'OUTPUT')
-output += default_chain_link('mangle',   'OUTPUT',   'nat',   'OUTPUT')
-output += default_chain_link('nat',   'OUTPUT',   'filter',   'OUTPUT')
-output += default_chain_link('filter',   'OUTPUT',   'security',   'OUTPUT')
+# output += default_chain_link("nat", "INPUT", "raw", "OUTPUT")
+output += default_chain_link("raw", "OUTPUT", "mangle", "OUTPUT")
+output += default_chain_link("mangle", "OUTPUT", "nat", "OUTPUT")
+output += default_chain_link("nat", "OUTPUT", "filter", "OUTPUT")
+output += default_chain_link("filter", "OUTPUT", "security", "OUTPUT")
 
-output += default_chain_link('security',   'OUTPUT',   'mangle',   'POSTROUTING')
-output += default_chain_link('security',   'FORWARD',   'mangle',   'POSTROUTING')
-output += default_chain_link('mangle',   'POSTROUTING',   'nat',   'POSTROUTING')
+output += default_chain_link("security", "OUTPUT", "mangle", "POSTROUTING")
+output += default_chain_link("security", "FORWARD", "mangle", "POSTROUTING")
+output += default_chain_link("mangle", "POSTROUTING", "nat", "POSTROUTING")
 
 output += """
 }"""

From 4e915535fbbbc5a920d7961dbcf82c809ab1fc39 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Fri, 12 Jan 2024 15:11:41 +0800
Subject: [PATCH 13/25] remove empty chain

---
 iptables-graph | 49 ++++++++++++++++++++++++++++++++++---------------
 1 file changed, 34 insertions(+), 15 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index 212fb94..d3e032e 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -2,6 +2,11 @@
 import sys
 import re
 import string
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--eliminate", help="eliminate empty/unused chain", action=argparse.BooleanOptionalAction)
+argv = parser.parse_args()
 
 all_chains = {
     "raw": {"PREROUTING": list(), "OUTPUT": list()},
@@ -46,7 +51,7 @@ endness_chain = [
 ]
 
 tables_comment = {}
-
+tables_target = []
 
 def get_escape(text):
     text = text.replace("&", "&amp;")
@@ -130,6 +135,8 @@ for line in line_list:
             final_rule = target not in ["LOG", "MARK", "RETURN"]
             target = ""
         else:
+            if tables_target not in tables_target:
+                tables_target.append(target)
             # remove JUMP
             del token_list[i - 1]
             del token_list[i - 1]
@@ -153,7 +160,6 @@ for line in line_list:
     )
     continue
 
-
 def get_port_name(rule_index):
     return "rule_" + str(rule_index)
 
@@ -165,6 +171,10 @@ output = """digraph {
 """
 for table in all_chains:
     for chain in all_chains[table]:
+        if argv.eliminate and not chain in defualt_chain_list:
+            if chain not in tables_target or len(all_chains[table][chain]) == 0:
+                continue
+
         node_name = get_node_name(table, chain)
         tmp_body = (
             """
@@ -202,7 +212,10 @@ for table in all_chains:
             tmp_body += """
       <tr><td port="""
             tmp_body += '"' + get_port_name(i) + '"'
-            if rule["final_rule"]:
+            if argv.eliminate and rule["target"] and rule["target"] \
+                not in defualt_chain_list and len(all_chains[table][rule["target"]]) == 0:
+                tmp_body += ' bgcolor="yellow"'
+            elif rule["final_rule"]:
                 tmp_body += ' bgcolor="lightgrey"'
             tmp_body += """>""" + rule["rule_body"] + """</td></tr>"""
         policy = "-j RETURN"
@@ -221,10 +234,14 @@ for table in all_chains:
 for table in all_chains:
     for chain in all_chains[table]:
         for i in range(len(all_chains[table][chain])):
-            rule = all_chains[table][chain][i]
-            if rule["target"]:
+            target = all_chains[table][chain][i]["target"]
+            if target:
+                if argv.eliminate and target not in defualt_chain_list:
+                    if target not in tables_target or len(all_chains[table][target]) == 0:
+                        continue
+
                 source_node = get_node_name(table, chain) + ":" + get_port_name(i)
-                target_node = get_node_name(table, rule["target"]) + ":begin"
+                target_node = get_node_name(table, target) + ":begin"
                 output += (
                     """
     """
@@ -255,14 +272,17 @@ def default_chain_link(src_table_name, src_chain_name, dst_table_name, dst_chain
         + """];"""
     )
 
-output += "INGRESS[shape=circle fillcolor=lightblue style=filled];"
-output += "EGRESS[shape=circle fillcolor=lightblue style=filled];"
-output += "APPLICATION[shape=circle style=filled];"
-
-output += "INGRESS->" + get_node_name("raw", "PREROUTING") + ":begin[color=blue];"
-output += get_node_name("nat", "INPUT") + ":end-> APPLICATION[color=blue];"
-output += "APPLICATION->" + get_node_name("raw", "OUTPUT") + ":begin[color=blue];"
-output += get_node_name("nat", "POSTROUTING") + ":end-> EGRESS[color=blue];"
+def default_link():
+    return """
+    INGRESS[shape=circle fillcolor=lightblue style=filled];
+    EGRESS[shape=circle fillcolor=lightblue style=filled];
+    APPLICATION[shape=circle fillcolor=lightblue style=filled];
+    INGRESS->""" + get_node_name("raw", "PREROUTING") + """:begin[color=blue];
+    """ + get_node_name("nat", "INPUT") + """:end-> APPLICATION[color=blue];
+    APPLICATION->""" + get_node_name("raw", "OUTPUT") + """:begin[color=blue];
+    """ + get_node_name("nat", "POSTROUTING") + """:end-> EGRESS[color=blue];"""
+    
+output += default_link()
 
 output += default_chain_link("raw", "PREROUTING", "mangle", "PREROUTING")
 output += default_chain_link("mangle", "PREROUTING", "nat", "PREROUTING")
@@ -276,7 +296,6 @@ output += default_chain_link("nat", "PREROUTING", "mangle", "FORWARD")
 output += default_chain_link("mangle", "FORWARD", "filter", "FORWARD")
 output += default_chain_link("filter", "FORWARD", "security", "FORWARD")
 
-# output += default_chain_link("nat", "INPUT", "raw", "OUTPUT")
 output += default_chain_link("raw", "OUTPUT", "mangle", "OUTPUT")
 output += default_chain_link("mangle", "OUTPUT", "nat", "OUTPUT")
 output += default_chain_link("nat", "OUTPUT", "filter", "OUTPUT")

From f45d36bf6879223b8080c849b9acd9f90ca195d3 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Fri, 12 Jan 2024 15:57:50 +0800
Subject: [PATCH 14/25] remove rules after absolute RETURN

---
 iptables-graph | 44 ++++++++++++++++++++++++++++++++------------
 1 file changed, 32 insertions(+), 12 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index d3e032e..888f47d 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -51,7 +51,7 @@ endness_chain = [
 ]
 
 tables_comment = {}
-tables_target = []
+tables_target = {}
 
 def get_escape(text):
     text = text.replace("&", "&amp;")
@@ -135,8 +135,10 @@ for line in line_list:
             final_rule = target not in ["LOG", "MARK", "RETURN"]
             target = ""
         else:
-            if tables_target not in tables_target:
-                tables_target.append(target)
+            node_name = get_node_name(current_table, target)
+            if node_name not in tables_target:
+                tables_target[node_name] = 0
+            tables_target[node_name] += 1
             # remove JUMP
             del token_list[i - 1]
             del token_list[i - 1]
@@ -144,7 +146,6 @@ for line in line_list:
                 i = token_list.index("--comment") + 1
                 if i < len(token_list):
                     comment = token_list[i].replace("\\", "")
-                    node_name = get_node_name(current_table, target)
                     if node_name not in tables_comment:
                         tables_comment[node_name] = []
                     if len(comment) > 0:
@@ -160,10 +161,27 @@ for line in line_list:
     )
     continue
 
+if argv.eliminate:
+    for table in all_chains:
+        for chain in all_chains[table]:
+            rules = all_chains[table][chain]
+            for i in range(len(rules)):
+                if rules[i]["rule_body"] == "-j RETURN":
+                    while i != len(rules)-1:
+                        del rules[i]
+                    break
+                target = rules[i]["target"]
+                if target and target not in defualt_chain_list and len(all_chains[table][target]) == 1:
+                    rule = all_chains[table][target][0]
+                    if rule["rule_body"] == "" and rule["target"]:
+                        node_name = get_node_name(table, rule["target"])
+                        tables_target[node_name] -= 1
+                        rules[i]["target"] = rule["target"]
+                        del all_chains[table][target][0]
+
 def get_port_name(rule_index):
     return "rule_" + str(rule_index)
 
-
 output = """digraph {
     graph [pad="0.5", nodesep="0.5", ranksep="2"];
     node [shape=box3d]
@@ -172,7 +190,8 @@ output = """digraph {
 for table in all_chains:
     for chain in all_chains[table]:
         if argv.eliminate and not chain in defualt_chain_list:
-            if chain not in tables_target or len(all_chains[table][chain]) == 0:
+            node_name = get_node_name(table, chain)
+            if node_name not in tables_target or tables_target[node_name] < 1 or len(all_chains[table][chain]) == 0:
                 continue
 
         node_name = get_node_name(table, chain)
@@ -209,13 +228,13 @@ for table in all_chains:
       <tr><td port="begin"></td></tr>"""
         for i in range(len(all_chains[table][chain])):
             rule = all_chains[table][chain][i]
+            if argv.eliminate and rule["target"] and rule["target"] \
+                not in defualt_chain_list and len(all_chains[table][rule["target"]]) == 0:
+                continue
             tmp_body += """
       <tr><td port="""
             tmp_body += '"' + get_port_name(i) + '"'
-            if argv.eliminate and rule["target"] and rule["target"] \
-                not in defualt_chain_list and len(all_chains[table][rule["target"]]) == 0:
-                tmp_body += ' bgcolor="yellow"'
-            elif rule["final_rule"]:
+            if rule["final_rule"]:
                 tmp_body += ' bgcolor="lightgrey"'
             tmp_body += """>""" + rule["rule_body"] + """</td></tr>"""
         policy = "-j RETURN"
@@ -237,7 +256,8 @@ for table in all_chains:
             target = all_chains[table][chain][i]["target"]
             if target:
                 if argv.eliminate and target not in defualt_chain_list:
-                    if target not in tables_target or len(all_chains[table][target]) == 0:
+                    node_name = get_node_name(table, target)
+                    if node_name not in tables_target or tables_target[node_name] < 1 or len(all_chains[table][target]) == 0:
                         continue
 
                 source_node = get_node_name(table, chain) + ":" + get_port_name(i)
@@ -281,7 +301,7 @@ def default_link():
     """ + get_node_name("nat", "INPUT") + """:end-> APPLICATION[color=blue];
     APPLICATION->""" + get_node_name("raw", "OUTPUT") + """:begin[color=blue];
     """ + get_node_name("nat", "POSTROUTING") + """:end-> EGRESS[color=blue];"""
-    
+
 output += default_link()
 
 output += default_chain_link("raw", "PREROUTING", "mangle", "PREROUTING")

From d5ef6ece16a45cead6ff7164b0526d7c84d22072 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Fri, 12 Jan 2024 16:02:22 +0800
Subject: [PATCH 15/25] Update iptables-graph

---
 iptables-graph | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/iptables-graph b/iptables-graph
index 888f47d..bcfa674 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -167,7 +167,9 @@ if argv.eliminate:
             rules = all_chains[table][chain]
             for i in range(len(rules)):
                 if rules[i]["rule_body"] == "-j RETURN":
-                    while i != len(rules)-1:
+                    if chain in defualt_chain_list:
+                        i += 1
+                    while i < len(rules):
                         del rules[i]
                     break
                 target = rules[i]["target"]

From c0af981dda64eb7f629a2e9a07df1df95997fed2 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Fri, 12 Jan 2024 17:30:45 +0800
Subject: [PATCH 16/25] Update iptables-graph

---
 iptables-graph | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index bcfa674..27e647b 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -105,7 +105,7 @@ for line in line_list:
         all_chains[current_table][current_chain] = list()
 
     i = -1
-    target = ""
+    target = None
     if "-j" in token_list:
         i = token_list.index("-j") + 1
     elif "-g" in token_list:
@@ -114,7 +114,7 @@ for line in line_list:
         target = token_list[i]
 
     final_rule = False
-    if target != "":
+    if target:
         if target in [
             "ACCEPT",
             "REJECT",
@@ -133,7 +133,7 @@ for line in line_list:
             "CONNSECMARK",
         ]:
             final_rule = target not in ["LOG", "MARK", "RETURN"]
-            target = ""
+            target = None
         else:
             node_name = get_node_name(current_table, target)
             if node_name not in tables_target:
@@ -161,6 +161,17 @@ for line in line_list:
     )
     continue
 
+def get_next_chain(table_name, chain_name):
+    rules=all_chains[table_name][chain_name]
+    if len(rules) == 1:
+        target = rules[0]["target"]
+        rule = rules[0]["rule_body"]
+        if target and rule == "":
+            del rules[0]
+            tables_target[get_node_name(table_name, chain_name)] -= 1
+            return get_next_chain(table_name, target)
+    return chain_name
+
 if argv.eliminate:
     for table in all_chains:
         for chain in all_chains[table]:
@@ -173,13 +184,8 @@ if argv.eliminate:
                         del rules[i]
                     break
                 target = rules[i]["target"]
-                if target and target not in defualt_chain_list and len(all_chains[table][target]) == 1:
-                    rule = all_chains[table][target][0]
-                    if rule["rule_body"] == "" and rule["target"]:
-                        node_name = get_node_name(table, rule["target"])
-                        tables_target[node_name] -= 1
-                        rules[i]["target"] = rule["target"]
-                        del all_chains[table][target][0]
+                if target and target not in defualt_chain_list:
+                    rules[i]["target"] = get_next_chain(table, target)
 
 def get_port_name(rule_index):
     return "rule_" + str(rule_index)
@@ -230,13 +236,18 @@ for table in all_chains:
       <tr><td port="begin"></td></tr>"""
         for i in range(len(all_chains[table][chain])):
             rule = all_chains[table][chain][i]
+            empty_target = False
             if argv.eliminate and rule["target"] and rule["target"] \
                 not in defualt_chain_list and len(all_chains[table][rule["target"]]) == 0:
-                continue
+                if rule["rule_body"] == "":
+                    continue
+                empty_target = True
             tmp_body += """
       <tr><td port="""
             tmp_body += '"' + get_port_name(i) + '"'
-            if rule["final_rule"]:
+            if empty_target:
+                tmp_body += ' bgcolor="yellow"'
+            elif rule["final_rule"]:
                 tmp_body += ' bgcolor="lightgrey"'
             tmp_body += """>""" + rule["rule_body"] + """</td></tr>"""
         policy = "-j RETURN"

From 6f538cbecbf781e70453360d3c2f0966668743e9 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Sat, 13 Jan 2024 13:51:48 +0800
Subject: [PATCH 17/25] Update iptables-graph

---
 iptables-graph | 117 ++++++++++++++++++++++++++++---------------------
 1 file changed, 68 insertions(+), 49 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index 27e647b..8bbefda 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -60,15 +60,13 @@ def get_escape(text):
     text = text.replace("<", "&lt;")
     return text
 
-
-input_string = sys.stdin.read()
-line_list = input_string.splitlines()
-current_table = None
-for line in line_list:
-    if line[0] == "#":
-        continue
-    buf = []
+def parse_line(line):
     token_list = []
+    if line[0] == '#':
+        token_list.append('#')
+        token_list.append(line[1:])
+        return token_list
+    buf = []
     qoute = False
     for i, c in enumerate(line):
         if qoute:
@@ -88,30 +86,44 @@ for line in line_list:
             buf.append(c)
     if not qoute and len(buf) > 0:
         token_list.append("".join(buf))
+    if len(token_list ) > 0:
+        first = token_list[0][0]
+        if first == "*" or  first == ':':
+            token_list.insert(0, first)
+            token_list[1] =  token_list[1][1:]
+    return token_list
 
-    if token_list[0][0] == "*":
-        if token_list[0][1:] in all_chains.keys():
-            current_table = token_list[0][1:]
+input_string = sys.stdin.read()
+line_list = input_string.splitlines()
+current_table = None
+for line in line_list:
+    args = parse_line(line)
+    if len(args) < 1  or args[0] == "#":
+        continue
+    if args[0] == "*":
+        if args[1] in all_chains.keys():
+            current_table = args[1]
         continue
-    if token_list[0][0] == ":":
-        node_name = get_node_name(current_table, token_list[0][1:])
-        if node_name in default_chain_policy:
-            default_chain_policy[node_name] = token_list[1]
+    if args[0] == ":":
+        node_name = get_node_name(current_table, args[1])
+        if args[2] == '-':
+            args[2] = "RETURN"
+        default_chain_policy[node_name] = args[2]
         continue
-    if token_list[0] != "-A":
+    if args[0] != "-A":
         continue
-    current_chain = token_list[1]
+    current_chain = args[1]
     if current_chain not in all_chains[current_table]:
         all_chains[current_table][current_chain] = list()
 
     i = -1
     target = None
-    if "-j" in token_list:
-        i = token_list.index("-j") + 1
-    elif "-g" in token_list:
-        i = token_list.index("-g") + 1
-    if i > 0 and i < len(token_list):
-        target = token_list[i]
+    if "-j" in args:
+        i = args.index("-j") + 1
+    elif "-g" in args:
+        i = args.index("-g") + 1
+    if i > 0 and i < len(args):
+        target = args[i]
 
     final_rule = False
     if target:
@@ -130,9 +142,9 @@ for line in line_list:
             "QUEUE",
             "MARK",
             "SECMARK",
-            "CONNSECMARK",
+            "CONNSECMARK"
         ]:
-            final_rule = target not in ["LOG", "MARK", "RETURN"]
+            final_rule = target not in ["LOG", "MARK", "SECMARK", "CONNSECMARK"]
             target = None
         else:
             node_name = get_node_name(current_table, target)
@@ -140,12 +152,12 @@ for line in line_list:
                 tables_target[node_name] = 0
             tables_target[node_name] += 1
             # remove JUMP
-            del token_list[i - 1]
-            del token_list[i - 1]
-            if "--comment" in token_list:
-                i = token_list.index("--comment") + 1
-                if i < len(token_list):
-                    comment = token_list[i].replace("\\", "")
+            del args[i - 1]
+            del args[i - 1]
+            if "--comment" in args:
+                i = args.index("--comment") + 1
+                if i < len(args):
+                    comment = args[i].replace("\\", "")
                     if node_name not in tables_comment:
                         tables_comment[node_name] = []
                     if len(comment) > 0:
@@ -155,9 +167,8 @@ for line in line_list:
             if target not in all_chains[current_table]:
                 all_chains[current_table][target] = list()
 
-    rule_body = get_escape(" ".join(token_list[2:]))
     all_chains[current_table][current_chain].append(
-        {"rule_body": rule_body, "target": target, "final_rule": final_rule}
+        {"rule": args[2:], "target": target, "final": final_rule}
     )
     continue
 
@@ -165,8 +176,8 @@ def get_next_chain(table_name, chain_name):
     rules=all_chains[table_name][chain_name]
     if len(rules) == 1:
         target = rules[0]["target"]
-        rule = rules[0]["rule_body"]
-        if target and rule == "":
+        rule = rules[0]["rule"]
+        if target and len(rule) == 0:
             del rules[0]
             tables_target[get_node_name(table_name, chain_name)] -= 1
             return get_next_chain(table_name, target)
@@ -177,7 +188,8 @@ if argv.eliminate:
         for chain in all_chains[table]:
             rules = all_chains[table][chain]
             for i in range(len(rules)):
-                if rules[i]["rule_body"] == "-j RETURN":
+                rule = rules[i]["rule"]
+                if len(rule) == 2  and rule[0] == "-j":
                     if chain in defualt_chain_list:
                         i += 1
                     while i < len(rules):
@@ -239,7 +251,7 @@ for table in all_chains:
             empty_target = False
             if argv.eliminate and rule["target"] and rule["target"] \
                 not in defualt_chain_list and len(all_chains[table][rule["target"]]) == 0:
-                if rule["rule_body"] == "":
+                if len(rule["rule"]) == 0:
                     continue
                 empty_target = True
             tmp_body += """
@@ -247,15 +259,22 @@ for table in all_chains:
             tmp_body += '"' + get_port_name(i) + '"'
             if empty_target:
                 tmp_body += ' bgcolor="yellow"'
-            elif rule["final_rule"]:
-                tmp_body += ' bgcolor="lightgrey"'
-            tmp_body += """>""" + rule["rule_body"] + """</td></tr>"""
-        policy = "-j RETURN"
-        if node_name in default_chain_policy:
-            policy = "-j " + default_chain_policy[node_name]
+            elif rule["final"]:
+                target = rule['rule'][rule['rule'].index('-j') + 1]
+                if target == 'DROP' or target == 'REJECT':
+                    tmp_body += ' bgcolor="coral"'
+                elif target == 'RETURN':
+                    tmp_body += ' bgcolor="moccasin"'
+                else:
+                    tmp_body += ' bgcolor="lightgreen"'
+            tmp_body += """>""" + get_escape(" ".join(rule["rule"])) + """</td></tr>"""
+        policy = "-j " + default_chain_policy[node_name]
+        bgcolor = "white"
+        if default_chain_policy[node_name] != 'RETURN':
+            bgcolor = "lightgreen"
         tmp_body += (
             """
-      <tr><td port="end">"""
+      <tr><td port="end" bgcolor=\"""" + bgcolor + """\">"""
             + policy
             + """</td></tr>
     </table>>];
@@ -307,13 +326,13 @@ def default_chain_link(src_table_name, src_chain_name, dst_table_name, dst_chain
 
 def default_link():
     return """
-    INGRESS[shape=circle fillcolor=lightblue style=filled];
-    EGRESS[shape=circle fillcolor=lightblue style=filled];
-    APPLICATION[shape=circle fillcolor=lightblue style=filled];
-    INGRESS->""" + get_node_name("raw", "PREROUTING") + """:begin[color=blue];
+    START[shape=circle fillcolor=black fontcolor=white style=filled];
+    END[shape=circle fillcolor=black fontcolor=white style=filled];
+    APPLICATION[shape=circle fillcolor=black fontcolor=white style=filled];
+    START->""" + get_node_name("raw", "PREROUTING") + """:begin[color=blue];
     """ + get_node_name("nat", "INPUT") + """:end-> APPLICATION[color=blue];
     APPLICATION->""" + get_node_name("raw", "OUTPUT") + """:begin[color=blue];
-    """ + get_node_name("nat", "POSTROUTING") + """:end-> EGRESS[color=blue];"""
+    """ + get_node_name("nat", "POSTROUTING") + """:end-> END[color=blue];"""
 
 output += default_link()
 

From 59bef5898719f4b645578df07ce03b446e3f3806 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Mon, 15 Jan 2024 08:56:08 +0800
Subject: [PATCH 18/25] Update iptables-graph

---
 iptables-graph | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index 8bbefda..0b0a4c4 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -268,18 +268,19 @@ for table in all_chains:
                 else:
                     tmp_body += ' bgcolor="lightgreen"'
             tmp_body += """>""" + get_escape(" ".join(rule["rule"])) + """</td></tr>"""
-        policy = "-j " + default_chain_policy[node_name]
-        bgcolor = "white"
-        if default_chain_policy[node_name] != 'RETURN':
-            bgcolor = "lightgreen"
+        tmp_body += """
+      <tr><td port="end\""""
+        policy = default_chain_policy[node_name]
+        if policy == 'DROP':
+            tmp_body += ' bgcolor="coral"'
+        elif policy == 'ACCEPT':
+            tmp_body += ' bgcolor="lightgreen"'
         tmp_body += (
-            """
-      <tr><td port="end" bgcolor=\"""" + bgcolor + """\">"""
+            """>-j """
             + policy
             + """</td></tr>
     </table>>];
-"""
-        )
+""")
         output += tmp_body
 
 for table in all_chains:

From ae7c8f0c5805a65245552ecc6269dc39fcb4e134 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Mon, 15 Jan 2024 09:13:43 +0800
Subject: [PATCH 19/25] support libvirt

---
 iptables-graph | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index 0b0a4c4..7eb42b6 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -142,9 +142,10 @@ for line in line_list:
             "QUEUE",
             "MARK",
             "SECMARK",
-            "CONNSECMARK"
+            "CONNSECMARK",
+            "CHECKSUM"
         ]:
-            final_rule = target not in ["LOG", "MARK", "SECMARK", "CONNSECMARK"]
+            final_rule = target not in ["LOG", "MARK", "SECMARK", "CONNSECMARK", "CHECKSUM"]
             target = None
         else:
             node_name = get_node_name(current_table, target)

From ffa081390b25f1b14bcbc7c5b58eccf7ad2def83 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Mon, 15 Jan 2024 10:12:55 +0800
Subject: [PATCH 20/25] support user final target

---
 iptables-graph | 147 +++++++++++++++++++++++++++++++++----------------
 1 file changed, 100 insertions(+), 47 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index 7eb42b6..e67747e 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -5,7 +5,14 @@ import string
 import argparse
 
 parser = argparse.ArgumentParser()
-parser.add_argument("--eliminate", help="eliminate empty/unused chain", action=argparse.BooleanOptionalAction)
+parser.add_argument(
+    "-e",
+    "--eliminate",
+    help="eliminate empty/unused chain",
+    action=argparse.BooleanOptionalAction,
+)
+parser.add_argument("-f", "--final-targets", help="final targets")
+parser.add_argument("-m", "--middle-targets", help="middle targets")
 argv = parser.parse_args()
 
 all_chains = {
@@ -50,9 +57,25 @@ endness_chain = [
     get_node_name("raw", "OUTPUT"),
 ]
 
+default_middle_targets = ["LOG", "MARK", "SECMARK", "CONNSECMARK", "CHECKSUM"]
+default_final_targets = [
+    "ACCEPT",
+    "REJECT",
+    "DROP",
+    "RETURN",
+    "REDIRECT",
+    "MASQUERADE",
+    "DNAT",
+    "SNAT",
+    "DNPT",
+    "SNPT",
+    "QUEUE",
+]
+
 tables_comment = {}
 tables_target = {}
 
+
 def get_escape(text):
     text = text.replace("&", "&amp;")
     text = text.replace('"', "&quot;")
@@ -60,10 +83,13 @@ def get_escape(text):
     text = text.replace("<", "&lt;")
     return text
 
-def parse_line(line):
+
+def parse_line(line, separators):
     token_list = []
-    if line[0] == '#':
-        token_list.append('#')
+    if not line:
+        return token_list
+    if line[0] == "#":
+        token_list.append("#")
         token_list.append(line[1:])
         return token_list
     buf = []
@@ -76,7 +102,7 @@ def parse_line(line):
                 token_list.append("".join(buf))
                 buf = []
         else:
-            if c == " ":
+            if c in separators:
                 if len(buf) > 0:
                     token_list.append("".join(buf))
                     buf = []
@@ -86,19 +112,32 @@ def parse_line(line):
             buf.append(c)
     if not qoute and len(buf) > 0:
         token_list.append("".join(buf))
-    if len(token_list ) > 0:
+    if len(token_list) > 0:
         first = token_list[0][0]
-        if first == "*" or  first == ':':
+        if first == "*" or first == ":":
             token_list.insert(0, first)
-            token_list[1] =  token_list[1][1:]
+            token_list[1] = token_list[1][1:]
     return token_list
 
+
+def set_targets(args, targets):
+    if not args:
+        return
+    for target in parse_line(args, ","):
+        target = target.strip()
+        if len(target) > 0:
+            targets.append(target)
+
+
+set_targets(argv.final_targets, default_final_targets)
+set_targets(argv.middle_targets, default_middle_targets)
+
 input_string = sys.stdin.read()
 line_list = input_string.splitlines()
 current_table = None
 for line in line_list:
-    args = parse_line(line)
-    if len(args) < 1  or args[0] == "#":
+    args = parse_line(line, [" "])
+    if len(args) < 1 or args[0] == "#":
         continue
     if args[0] == "*":
         if args[1] in all_chains.keys():
@@ -106,7 +145,7 @@ for line in line_list:
         continue
     if args[0] == ":":
         node_name = get_node_name(current_table, args[1])
-        if args[2] == '-':
+        if args[2] == "-":
             args[2] = "RETURN"
         default_chain_policy[node_name] = args[2]
         continue
@@ -127,25 +166,10 @@ for line in line_list:
 
     final_rule = False
     if target:
-        if target in [
-            "ACCEPT",
-            "REJECT",
-            "DROP",
-            "RETURN",
-            "REDIRECT",
-            "MASQUERADE",
-            "DNAT",
-            "SNAT",
-            "DNPT",
-            "SNPT",
-            "LOG",
-            "QUEUE",
-            "MARK",
-            "SECMARK",
-            "CONNSECMARK",
-            "CHECKSUM"
-        ]:
-            final_rule = target not in ["LOG", "MARK", "SECMARK", "CONNSECMARK", "CHECKSUM"]
+        if target in default_middle_targets:
+            target = None
+        elif target in default_final_targets:
+            final_rule = True
             target = None
         else:
             node_name = get_node_name(current_table, target)
@@ -173,8 +197,9 @@ for line in line_list:
     )
     continue
 
+
 def get_next_chain(table_name, chain_name):
-    rules=all_chains[table_name][chain_name]
+    rules = all_chains[table_name][chain_name]
     if len(rules) == 1:
         target = rules[0]["target"]
         rule = rules[0]["rule"]
@@ -184,13 +209,14 @@ def get_next_chain(table_name, chain_name):
             return get_next_chain(table_name, target)
     return chain_name
 
+
 if argv.eliminate:
     for table in all_chains:
         for chain in all_chains[table]:
             rules = all_chains[table][chain]
             for i in range(len(rules)):
                 rule = rules[i]["rule"]
-                if len(rule) == 2  and rule[0] == "-j":
+                if len(rule) == 2 and rule[0] == "-j":
                     if chain in defualt_chain_list:
                         i += 1
                     while i < len(rules):
@@ -200,9 +226,11 @@ if argv.eliminate:
                 if target and target not in defualt_chain_list:
                     rules[i]["target"] = get_next_chain(table, target)
 
+
 def get_port_name(rule_index):
     return "rule_" + str(rule_index)
 
+
 output = """digraph {
     graph [pad="0.5", nodesep="0.5", ranksep="2"];
     node [shape=box3d]
@@ -212,7 +240,11 @@ for table in all_chains:
     for chain in all_chains[table]:
         if argv.eliminate and not chain in defualt_chain_list:
             node_name = get_node_name(table, chain)
-            if node_name not in tables_target or tables_target[node_name] < 1 or len(all_chains[table][chain]) == 0:
+            if (
+                node_name not in tables_target
+                or tables_target[node_name] < 1
+                or len(all_chains[table][chain]) == 0
+            ):
                 continue
 
         node_name = get_node_name(table, chain)
@@ -250,8 +282,12 @@ for table in all_chains:
         for i in range(len(all_chains[table][chain])):
             rule = all_chains[table][chain][i]
             empty_target = False
-            if argv.eliminate and rule["target"] and rule["target"] \
-                not in defualt_chain_list and len(all_chains[table][rule["target"]]) == 0:
+            if (
+                argv.eliminate
+                and rule["target"]
+                and rule["target"] not in defualt_chain_list
+                and len(all_chains[table][rule["target"]]) == 0
+            ):
                 if len(rule["rule"]) == 0:
                     continue
                 empty_target = True
@@ -261,10 +297,10 @@ for table in all_chains:
             if empty_target:
                 tmp_body += ' bgcolor="yellow"'
             elif rule["final"]:
-                target = rule['rule'][rule['rule'].index('-j') + 1]
-                if target == 'DROP' or target == 'REJECT':
+                target = rule["rule"][rule["rule"].index("-j") + 1]
+                if target == "DROP" or target == "REJECT":
                     tmp_body += ' bgcolor="coral"'
-                elif target == 'RETURN':
+                elif target == "RETURN":
                     tmp_body += ' bgcolor="moccasin"'
                 else:
                     tmp_body += ' bgcolor="lightgreen"'
@@ -272,16 +308,17 @@ for table in all_chains:
         tmp_body += """
       <tr><td port="end\""""
         policy = default_chain_policy[node_name]
-        if policy == 'DROP':
+        if policy == "DROP":
             tmp_body += ' bgcolor="coral"'
-        elif policy == 'ACCEPT':
+        elif policy == "ACCEPT":
             tmp_body += ' bgcolor="lightgreen"'
         tmp_body += (
             """>-j """
             + policy
             + """</td></tr>
     </table>>];
-""")
+"""
+        )
         output += tmp_body
 
 for table in all_chains:
@@ -291,7 +328,11 @@ for table in all_chains:
             if target:
                 if argv.eliminate and target not in defualt_chain_list:
                     node_name = get_node_name(table, target)
-                    if node_name not in tables_target or tables_target[node_name] < 1 or len(all_chains[table][target]) == 0:
+                    if (
+                        node_name not in tables_target
+                        or tables_target[node_name] < 1
+                        or len(all_chains[table][target]) == 0
+                    ):
                         continue
 
                 source_node = get_node_name(table, chain) + ":" + get_port_name(i)
@@ -326,15 +367,27 @@ def default_chain_link(src_table_name, src_chain_name, dst_table_name, dst_chain
         + """];"""
     )
 
+
 def default_link():
-    return """
+    return (
+        """
     START[shape=circle fillcolor=black fontcolor=white style=filled];
     END[shape=circle fillcolor=black fontcolor=white style=filled];
     APPLICATION[shape=circle fillcolor=black fontcolor=white style=filled];
-    START->""" + get_node_name("raw", "PREROUTING") + """:begin[color=blue];
-    """ + get_node_name("nat", "INPUT") + """:end-> APPLICATION[color=blue];
-    APPLICATION->""" + get_node_name("raw", "OUTPUT") + """:begin[color=blue];
-    """ + get_node_name("nat", "POSTROUTING") + """:end-> END[color=blue];"""
+    START->"""
+        + get_node_name("raw", "PREROUTING")
+        + """:begin[color=blue];
+    """
+        + get_node_name("nat", "INPUT")
+        + """:end-> APPLICATION[color=blue];
+    APPLICATION->"""
+        + get_node_name("raw", "OUTPUT")
+        + """:begin[color=blue];
+    """
+        + get_node_name("nat", "POSTROUTING")
+        + """:end-> END[color=blue];"""
+    )
+
 
 output += default_link()
 

From 1c0c691f60980ce348b91e19fa63f2becb5c88ba Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Mon, 15 Jan 2024 10:17:42 +0800
Subject: [PATCH 21/25] Update iptables-graph

---
 iptables-graph | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iptables-graph b/iptables-graph
index e67747e..bac932d 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -124,7 +124,7 @@ def set_targets(args, targets):
     if not args:
         return
     for target in parse_line(args, ","):
-        target = target.strip()
+        target = target.strip().upper()
         if len(target) > 0:
             targets.append(target)
 

From 1b3de200dad1bdac2921008d4bf395851c2a91b2 Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Mon, 15 Jan 2024 11:19:57 +0800
Subject: [PATCH 22/25] Update iptables-graph

---
 iptables-graph | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index bac932d..671953f 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -204,7 +204,6 @@ def get_next_chain(table_name, chain_name):
         target = rules[0]["target"]
         rule = rules[0]["rule"]
         if target and len(rule) == 0:
-            del rules[0]
             tables_target[get_node_name(table_name, chain_name)] -= 1
             return get_next_chain(table_name, target)
     return chain_name
@@ -326,17 +325,27 @@ for table in all_chains:
         for i in range(len(all_chains[table][chain])):
             target = all_chains[table][chain][i]["target"]
             if target:
-                if argv.eliminate and target not in defualt_chain_list:
-                    node_name = get_node_name(table, target)
+                node_name1 = get_node_name(table, chain)
+                node_name2 = get_node_name(table, target)
+                if argv.eliminate:
                     if (
-                        node_name not in tables_target
-                        or tables_target[node_name] < 1
-                        or len(all_chains[table][target]) == 0
+                        chain not in defualt_chain_list
+                        and (
+                            node_name1 not in tables_target
+                            or tables_target[node_name1] < 1
+                            or len(all_chains[table][chain]) == 0
+                        )
+                        or target not in defualt_chain_list
+                        and (
+                            node_name2 not in tables_target
+                            or tables_target[node_name2] < 1
+                            or len(all_chains[table][target]) == 0
+                        )
                     ):
                         continue
 
-                source_node = get_node_name(table, chain) + ":" + get_port_name(i)
-                target_node = get_node_name(table, target) + ":begin"
+                source_node = node_name1 + ":" + get_port_name(i)
+                target_node = node_name2 + ":begin"
                 output += (
                     """
     """

From c7018e99e59101ecdc8f2517eba8f94f157046ed Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Tue, 23 Jan 2024 11:23:56 +0800
Subject: [PATCH 23/25] Update iptables-graph

---
 iptables-graph | 37 +++++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/iptables-graph b/iptables-graph
index 671953f..e8e84de 100755
--- a/iptables-graph
+++ b/iptables-graph
@@ -100,12 +100,12 @@ def parse_line(line, separators):
             if c == '"' and line[i - 1] != "\\":
                 qoute = False
                 token_list.append("".join(buf))
-                buf = []
+                buf.clear()
         else:
             if c in separators:
                 if len(buf) > 0:
                     token_list.append("".join(buf))
-                    buf = []
+                    buf.clear()
                 continue
             if c == '"':
                 qoute = True
@@ -172,25 +172,34 @@ for line in line_list:
             final_rule = True
             target = None
         else:
+            if target not in all_chains[current_table]:
+                all_chains[current_table][target] = list()
+            # remove JUMP
+            if argv.eliminate:
+                del args[i-1]
+                del args[i-1]
             node_name = get_node_name(current_table, target)
             if node_name not in tables_target:
                 tables_target[node_name] = 0
             tables_target[node_name] += 1
-            # remove JUMP
-            del args[i - 1]
-            del args[i - 1]
+            if node_name not in tables_comment:
+                tables_comment[node_name] = list()
+            comment = current_table + ":" + target
             if "--comment" in args:
                 i = args.index("--comment") + 1
                 if i < len(args):
-                    comment = args[i].replace("\\", "")
-                    if node_name not in tables_comment:
-                        tables_comment[node_name] = []
-                    if len(comment) > 0:
-                        comment = get_escape(comment[1 : len(comment) - 1])
-                        if comment not in tables_comment[node_name]:
-                            tables_comment[node_name].append(comment)
-            if target not in all_chains[current_table]:
-                all_chains[current_table][target] = list()
+                    tmp = args[i].replace("\\", "")
+                    i = len(tmp)
+                    if i > 0 and tmp[0] == '"' and tmp[i-1] == '"':
+                        tmp = get_escape(tmp[1 : i-1])
+                        i = len(tmp)
+                    if i > 0:
+                        if comment in tables_comment[node_name]:
+                            i = tables_comment[node_name].index(comment)
+                            del tables_comment[node_name][i]
+                        comment = tmp
+            if comment not in tables_comment[node_name]:
+                tables_comment[node_name].append(comment)
 
     all_chains[current_table][current_chain].append(
         {"rule": args[2:], "target": target, "final": final_rule}

From 0b79d0af0ac70a60699464a11f1d35a1969f316b Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Tue, 23 Jan 2024 11:25:19 +0800
Subject: [PATCH 24/25] Update example.txt

---
 example.txt | 125 ++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 93 insertions(+), 32 deletions(-)

diff --git a/example.txt b/example.txt
index 8b6c7b7..238731f 100644
--- a/example.txt
+++ b/example.txt
@@ -1,35 +1,96 @@
-# Generated by iptables-save v1.6.0 on Thu Apr  8 16:44:20 2021
-*nat
-:PREROUTING ACCEPT [1:44]
-:INPUT ACCEPT [1:44]
-:OUTPUT ACCEPT [108934:8322365]
-:POSTROUTING ACCEPT [108934:8322365]
-:DOCKER - [0:0]
--A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
--A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A POSTROUTING -s 172.18.0.0/24 ! -o docker0 -j MASQUERADE
--A DOCKER -i docker0 -j RETURN
+# Generated by iptables-save v1.8.7 on Tue Jan 23 02:39:22 2024
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:KUBE-IPTABLES-HINT - [0:0]
+:KUBE-KUBELET-CANARY - [0:0]
 COMMIT
-# Completed on Thu Apr  8 16:44:20 2021
-# Generated by iptables-save v1.6.0 on Thu Apr  8 16:44:20 2021
+# Completed on Tue Jan 23 02:39:22 2024
+# Generated by iptables-save v1.8.7 on Tue Jan 23 02:39:22 2024
 *filter
-:INPUT ACCEPT [5732373:3510919135]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [3381411:259078259]
-:DOCKER - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
-:DOCKER-USER - [0:0]
--A FORWARD -j DOCKER-USER
--A FORWARD -j DOCKER-ISOLATION-STAGE-1
--A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A FORWARD -o docker0 -j DOCKER
--A FORWARD -i docker0 ! -o docker0 -j ACCEPT
--A FORWARD -i docker0 -o docker0 -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-1 -j RETURN
--A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
--A DOCKER-ISOLATION-STAGE-2 -j RETURN
--A DOCKER-USER -j RETURN
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:FLANNEL-FWD - [0:0]
+:KUBE-FIREWALL - [0:0]
+:KUBE-FORWARD - [0:0]
+:KUBE-IPVS-FILTER - [0:0]
+:KUBE-IPVS-OUT-FILTER - [0:0]
+:KUBE-KUBELET-CANARY - [0:0]
+:KUBE-NODE-PORT - [0:0]
+:KUBE-PROXY-FIREWALL - [0:0]
+:KUBE-SOURCE-RANGES-FIREWALL - [0:0]
+-A INPUT -m comment --comment "kubernetes ipvs access filter" -j KUBE-IPVS-FILTER
+-A INPUT -m comment --comment "kube-proxy firewall rules" -j KUBE-PROXY-FIREWALL
+-A INPUT -m comment --comment "kubernetes health check rules" -j KUBE-NODE-PORT
+-A INPUT -j KUBE-FIREWALL
+-A FORWARD -m comment --comment "kube-proxy firewall rules" -j KUBE-PROXY-FIREWALL
+-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
+-A FORWARD -m comment --comment "flanneld forward" -j FLANNEL-FWD
+-A OUTPUT -m comment --comment "kubernetes ipvs access filter" -j KUBE-IPVS-OUT-FILTER
+-A OUTPUT -j KUBE-FIREWALL
+-A FLANNEL-FWD -s 10.244.0.0/16 -m comment --comment "flanneld forward" -j ACCEPT
+-A FLANNEL-FWD -d 10.244.0.0/16 -m comment --comment "flanneld forward" -j ACCEPT
+-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
+-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -j ACCEPT
+-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A KUBE-IPVS-FILTER -m set --match-set KUBE-LOAD-BALANCER dst,dst -j RETURN
+-A KUBE-IPVS-FILTER -m set --match-set KUBE-CLUSTER-IP dst,dst -j RETURN
+-A KUBE-IPVS-FILTER -m set --match-set KUBE-EXTERNAL-IP dst,dst -j RETURN
+-A KUBE-IPVS-FILTER -m set --match-set KUBE-EXTERNAL-IP-LOCAL dst,dst -j RETURN
+-A KUBE-IPVS-FILTER -m set --match-set KUBE-HEALTH-CHECK-NODE-PORT dst -j RETURN
+-A KUBE-IPVS-FILTER -m conntrack --ctstate NEW -m set --match-set KUBE-IPVS-IPS dst -j REJECT --reject-with icmp-port-unreachable
+-A KUBE-NODE-PORT -m comment --comment "Kubernetes health check node port" -m set --match-set KUBE-HEALTH-CHECK-NODE-PORT dst -j ACCEPT
+-A KUBE-SOURCE-RANGES-FIREWALL -j DROP
+COMMIT
+# Completed on Tue Jan 23 02:39:22 2024
+# Generated by iptables-save v1.8.7 on Tue Jan 23 02:39:22 2024
+*nat
+:PREROUTING ACCEPT [15036:904858]
+:INPUT ACCEPT [14908:894762]
+:OUTPUT ACCEPT [724068:43444067]
+:POSTROUTING ACCEPT [244344:14660705]
+:DOCKER_OUTPUT - [0:0]
+:DOCKER_POSTROUTING - [0:0]
+:FLANNEL-POSTRTG - [0:0]
+:KUBE-KUBELET-CANARY - [0:0]
+:KUBE-LOAD-BALANCER - [0:0]
+:KUBE-MARK-MASQ - [0:0]
+:KUBE-NODE-PORT - [0:0]
+:KUBE-POSTROUTING - [0:0]
+:KUBE-SERVICES - [0:0]
+-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
+-A PREROUTING -d 172.18.0.1/32 -j DOCKER_OUTPUT
+-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
+-A OUTPUT -d 172.18.0.1/32 -j DOCKER_OUTPUT
+-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
+-A POSTROUTING -d 172.18.0.1/32 -j DOCKER_POSTROUTING
+-A POSTROUTING -m comment --comment "flanneld masq" -j FLANNEL-POSTRTG
+-A DOCKER_OUTPUT -d 172.18.0.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:33955
+-A DOCKER_OUTPUT -d 172.18.0.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:39855
+-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -j SNAT --to-source 172.18.0.1:53
+-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -j SNAT --to-source 172.18.0.1:53
+-A FLANNEL-POSTRTG -m comment --comment "flanneld masq" -j RETURN
+-A FLANNEL-POSTRTG -s 10.244.0.0/24 -d 10.244.0.0/16 -m comment --comment "flanneld masq" -j RETURN
+-A FLANNEL-POSTRTG -s 10.244.0.0/16 -d 10.244.0.0/24 -m comment --comment "flanneld masq" -j RETURN
+-A FLANNEL-POSTRTG ! -s 10.244.0.0/16 -d 10.244.0.0/24 -m comment --comment "flanneld masq" -j RETURN
+-A FLANNEL-POSTRTG -s 10.244.0.0/16 ! -d 224.0.0.0/4 -m comment --comment "flanneld masq" -j MASQUERADE --random-fully
+-A FLANNEL-POSTRTG ! -s 10.244.0.0/16 -d 10.244.0.0/16 -m comment --comment "flanneld masq" -j MASQUERADE --random-fully
+-A KUBE-LOAD-BALANCER -j KUBE-MARK-MASQ
+-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
+-A KUBE-NODE-PORT -p tcp -m comment --comment "Kubernetes nodeport TCP port for masquerade purpose" -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-MARK-MASQ
+-A KUBE-POSTROUTING -m comment --comment "Kubernetes endpoints dst ip:port, source ip for solving hairpin purpose" -m set --match-set KUBE-LOOP-BACK dst,dst,src -j MASQUERADE
+-A KUBE-POSTROUTING -j RETURN
+-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
+-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully
+-A KUBE-SERVICES -s 127.0.0.0/8 -j RETURN
+-A KUBE-SERVICES -m comment --comment "Kubernetes service lb portal" -m set --match-set KUBE-LOAD-BALANCER dst,dst -j KUBE-LOAD-BALANCER
+-A KUBE-SERVICES ! -s 10.244.0.0/16 -m comment --comment "Kubernetes service cluster ip + port for masquerade purpose" -m set --match-set KUBE-CLUSTER-IP dst,dst -j KUBE-MARK-MASQ
+-A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODE-PORT
+-A KUBE-SERVICES -m set --match-set KUBE-CLUSTER-IP dst,dst -j ACCEPT
+-A KUBE-SERVICES -m set --match-set KUBE-LOAD-BALANCER dst,dst -j ACCEPT
 COMMIT
-# Completed on Thu Apr  8 16:44:20 2021
+# Completed on Tue Jan 23 02:39:22 2024

From 8bf035a55d47a28afc14e2ff1d6654305f490b6c Mon Sep 17 00:00:00 2001
From: Jacky WU <hongzhi.wu@139.com>
Date: Tue, 23 Jan 2024 11:26:28 +0800
Subject: [PATCH 25/25] Update example.svg

---
 example.svg | 1181 +++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 857 insertions(+), 324 deletions(-)

diff --git a/example.svg b/example.svg
index 14ca587..783f548 100644
--- a/example.svg
+++ b/example.svg
@@ -1,359 +1,892 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.38.0 (20140413.2041)
+<!-- Generated by graphviz version 2.43.0 (0)
  -->
 <!-- Title: %3 Pages: 1 -->
-<svg width="4235pt" height="784pt"
- viewBox="0.00 0.00 4235.00 783.50" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(36 747.5)">
+<svg width="9879pt" height="1239pt"
+ viewBox="0.00 0.00 9879.19 1239.10" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(36 1203.1)">
 <title>%3</title>
-<polygon fill="white" stroke="none" points="-36,36 -36,-747.5 4199,-747.5 4199,36 -36,36"/>
-<!-- filter_DOCKERUSER -->
-<g id="node1" class="node"><title>filter_DOCKERUSER</title>
-<polygon fill="none" stroke="black" points="1952,-711.5 1838,-711.5 1838,-619.5 1952,-619.5 1952,-711.5"/>
-<polygon fill="none" stroke="black" points="1846,-686.5 1846,-707.5 1944,-707.5 1944,-686.5 1846,-686.5"/>
-<text text-anchor="start" x="1849" y="-694.3" font-family="Times,serif" font-style="italic" font-size="14.00">DOCKER&#45;USER</text>
-<polygon fill="none" stroke="black" points="1846,-665.5 1846,-686.5 1944,-686.5 1944,-665.5 1846,-665.5"/>
-<text text-anchor="start" x="1881.5" y="-673.3" font-family="Times,serif" font-style="italic" font-size="14.00">filter</text>
-<polygon fill="none" stroke="black" points="1846,-644.5 1846,-665.5 1944,-665.5 1944,-644.5 1846,-644.5"/>
-<text text-anchor="start" x="1861.5" y="-651.3" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
-<polygon fill="none" stroke="black" points="1846,-623.5 1846,-644.5 1944,-644.5 1944,-623.5 1846,-623.5"/>
-<text text-anchor="start" x="1885" y="-630.3" font-family="Times,serif" font-size="14.00">end</text>
-</g>
-<!-- filter_DOCKERISOLATIONSTAGE1 -->
-<g id="node2" class="node"><title>filter_DOCKERISOLATIONSTAGE1</title>
-<polygon fill="none" stroke="black" points="2073,-583 1717,-583 1717,-470 2073,-470 2073,-583"/>
-<polygon fill="none" stroke="black" points="1725,-557.5 1725,-578.5 2065,-578.5 2065,-557.5 1725,-557.5"/>
-<text text-anchor="start" x="1803.5" y="-565.3" font-family="Times,serif" font-style="italic" font-size="14.00">DOCKER&#45;ISOLATION&#45;STAGE&#45;1</text>
-<polygon fill="none" stroke="black" points="1725,-536.5 1725,-557.5 2065,-557.5 2065,-536.5 1725,-536.5"/>
-<text text-anchor="start" x="1881.5" y="-544.3" font-family="Times,serif" font-style="italic" font-size="14.00">filter</text>
-<polygon fill="none" stroke="black" points="1725,-515.5 1725,-536.5 2065,-536.5 2065,-515.5 1725,-515.5"/>
-<text text-anchor="start" x="1728" y="-522.3" font-family="Times,serif" font-size="14.00">&#45;i docker0 ! &#45;o docker0 &#45;j DOCKER&#45;ISOLATION&#45;STAGE&#45;2</text>
-<polygon fill="none" stroke="black" points="1725,-494.5 1725,-515.5 2065,-515.5 2065,-494.5 1725,-494.5"/>
-<text text-anchor="start" x="1861.5" y="-501.3" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
-<polygon fill="none" stroke="black" points="1725,-473.5 1725,-494.5 2065,-494.5 2065,-473.5 1725,-473.5"/>
-<text text-anchor="start" x="1885" y="-480.3" font-family="Times,serif" font-size="14.00">end</text>
-</g>
-<!-- filter_DOCKERISOLATIONSTAGE2 -->
-<g id="node3" class="node"><title>filter_DOCKERISOLATIONSTAGE2</title>
-<polygon fill="none" stroke="black" points="2422,-561 2217,-561 2217,-448 2422,-448 2422,-561"/>
-<polygon fill="none" stroke="black" points="2225.5,-535.5 2225.5,-556.5 2414.5,-556.5 2414.5,-535.5 2225.5,-535.5"/>
-<text text-anchor="start" x="2228.5" y="-543.3" font-family="Times,serif" font-style="italic" font-size="14.00">DOCKER&#45;ISOLATION&#45;STAGE&#45;2</text>
-<polygon fill="none" stroke="black" points="2225.5,-514.5 2225.5,-535.5 2414.5,-535.5 2414.5,-514.5 2225.5,-514.5"/>
-<text text-anchor="start" x="2306.5" y="-522.3" font-family="Times,serif" font-style="italic" font-size="14.00">filter</text>
-<polygon fill="none" stroke="black" points="2225.5,-493.5 2225.5,-514.5 2414.5,-514.5 2414.5,-493.5 2225.5,-493.5"/>
-<text text-anchor="start" x="2264.5" y="-500.3" font-family="Times,serif" font-size="14.00">&#45;o docker0 &#45;j DROP</text>
-<polygon fill="none" stroke="black" points="2225.5,-472.5 2225.5,-493.5 2414.5,-493.5 2414.5,-472.5 2225.5,-472.5"/>
-<text text-anchor="start" x="2286.5" y="-479.3" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
-<polygon fill="none" stroke="black" points="2225.5,-451.5 2225.5,-472.5 2414.5,-472.5 2414.5,-451.5 2225.5,-451.5"/>
-<text text-anchor="start" x="2310" y="-458.3" font-family="Times,serif" font-size="14.00">end</text>
-</g>
-<!-- filter_DOCKERISOLATIONSTAGE1&#45;&gt;filter_DOCKERISOLATIONSTAGE2 -->
-<g id="edge1" class="edge"><title>filter_DOCKERISOLATIONSTAGE1:rule_0&#45;&gt;filter_DOCKERISOLATIONSTAGE2:begin</title>
-<path fill="none" stroke="black" d="M2066,-525.5C2132.87,-525.5 2152.13,-525.5 2214.16,-525.5"/>
-<polygon fill="black" stroke="black" points="2214.5,-529 2224.5,-525.5 2214.5,-522 2214.5,-529"/>
-</g>
-<!-- filter_OUTPUT -->
-<g id="node4" class="node"><title>filter_OUTPUT</title>
-<polygon fill="none" stroke="black" points="3176.5,-124 3101.5,-124 3101.5,-53 3176.5,-53 3176.5,-124"/>
-<polygon fill="red" stroke="none" points="3110,-98.5 3110,-119.5 3169,-119.5 3169,-98.5 3110,-98.5"/>
-<polygon fill="none" stroke="black" points="3110,-98.5 3110,-119.5 3169,-119.5 3169,-98.5 3110,-98.5"/>
-<text text-anchor="start" x="3113" y="-106.3" font-family="Times,serif" font-style="italic" font-size="14.00">OUTPUT</text>
-<polygon fill="tomato" stroke="none" points="3110,-77.5 3110,-98.5 3169,-98.5 3169,-77.5 3110,-77.5"/>
-<polygon fill="none" stroke="black" points="3110,-77.5 3110,-98.5 3169,-98.5 3169,-77.5 3110,-77.5"/>
-<text text-anchor="start" x="3126" y="-85.3" font-family="Times,serif" font-style="italic" font-size="14.00">filter</text>
-<polygon fill="none" stroke="black" points="3110,-56.5 3110,-77.5 3169,-77.5 3169,-56.5 3110,-56.5"/>
-<text text-anchor="start" x="3129.5" y="-63.3" font-family="Times,serif" font-size="14.00">end</text>
-</g>
-<!-- mangle_POSTROUTING -->
-<g id="node12" class="node"><title>mangle_POSTROUTING</title>
-<polygon fill="none" stroke="black" points="3470,-223 3357,-223 3357,-152 3470,-152 3470,-223"/>
-<polygon fill="red" stroke="none" points="3365.5,-197.5 3365.5,-218.5 3462.5,-218.5 3462.5,-197.5 3365.5,-197.5"/>
-<polygon fill="none" stroke="black" points="3365.5,-197.5 3365.5,-218.5 3462.5,-218.5 3462.5,-197.5 3365.5,-197.5"/>
-<text text-anchor="start" x="3368.5" y="-205.3" font-family="Times,serif" font-style="italic" font-size="14.00">POSTROUTING</text>
-<polygon fill="tomato" stroke="none" points="3365.5,-176.5 3365.5,-197.5 3462.5,-197.5 3462.5,-176.5 3365.5,-176.5"/>
-<polygon fill="none" stroke="black" points="3365.5,-176.5 3365.5,-197.5 3462.5,-197.5 3462.5,-176.5 3365.5,-176.5"/>
-<text text-anchor="start" x="3394" y="-184.3" font-family="Times,serif" font-style="italic" font-size="14.00">mangle</text>
-<polygon fill="none" stroke="black" points="3365.5,-155.5 3365.5,-176.5 3462.5,-176.5 3462.5,-155.5 3365.5,-155.5"/>
-<text text-anchor="start" x="3404" y="-162.3" font-family="Times,serif" font-size="14.00">end</text>
-</g>
-<!-- filter_OUTPUT&#45;&gt;mangle_POSTROUTING -->
-<g id="edge16" class="edge"><title>filter_OUTPUT:end&#45;&gt;mangle_POSTROUTING:begin</title>
-<path fill="none" stroke="red" d="M3170,-66.5C3268.1,-66.5 3263.39,-178.437 3354.46,-186.089"/>
-<polygon fill="red" stroke="red" points="3354.37,-189.588 3364.5,-186.5 3354.65,-182.594 3354.37,-189.588"/>
+<polygon fill="white" stroke="transparent" points="-36,36 -36,-1203.1 9843.19,-1203.1 9843.19,36 -36,36"/>
+<!-- raw_PREROUTING -->
+<g id="node1" class="node">
+<title>raw_PREROUTING</title>
+<polygon fill="none" stroke="black" points="556,-1043.6 423,-1043.6 419,-1039.6 419,-987.6 552,-987.6 556,-991.6 556,-1043.6"/>
+<polyline fill="none" stroke="black" points="552,-1039.6 419,-1039.6 "/>
+<polyline fill="none" stroke="black" points="552,-1039.6 552,-987.6 "/>
+<polyline fill="none" stroke="black" points="552,-1039.6 556,-1043.6 "/>
+<polygon fill="lightblue" stroke="transparent" points="427.5,-1018.6 427.5,-1039.6 548.5,-1039.6 548.5,-1018.6 427.5,-1018.6"/>
+<polygon fill="none" stroke="black" points="427.5,-1018.6 427.5,-1039.6 548.5,-1039.6 548.5,-1018.6 427.5,-1018.6"/>
+<text text-anchor="start" x="430.5" y="-1026.4" font-family="Times,serif" font-style="italic" font-size="14.00">raw:PREROUTING</text>
+<polygon fill="none" stroke="black" points="427.5,-1012.6 427.5,-1018.6 548.5,-1018.6 548.5,-1012.6 427.5,-1012.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="427.5,-991.6 427.5,-1012.6 548.5,-1012.6 548.5,-991.6 427.5,-991.6"/>
+<polygon fill="none" stroke="black" points="427.5,-991.6 427.5,-1012.6 548.5,-1012.6 548.5,-991.6 427.5,-991.6"/>
+<text text-anchor="start" x="456" y="-998.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
 </g>
-<!-- filter_FORWARD -->
-<g id="node5" class="node"><title>filter_FORWARD</title>
-<polygon fill="none" stroke="black" points="1573,-518 1141,-518 1141,-321 1573,-321 1573,-518"/>
-<polygon fill="red" stroke="none" points="1149,-492.5 1149,-513.5 1565,-513.5 1565,-492.5 1149,-492.5"/>
-<polygon fill="none" stroke="black" points="1149,-492.5 1149,-513.5 1565,-513.5 1565,-492.5 1149,-492.5"/>
-<text text-anchor="start" x="1324.5" y="-500.3" font-family="Times,serif" font-style="italic" font-size="14.00">FORWARD</text>
-<polygon fill="tomato" stroke="none" points="1149,-471.5 1149,-492.5 1565,-492.5 1565,-471.5 1149,-471.5"/>
-<polygon fill="none" stroke="black" points="1149,-471.5 1149,-492.5 1565,-492.5 1565,-471.5 1149,-471.5"/>
-<text text-anchor="start" x="1343.5" y="-479.3" font-family="Times,serif" font-style="italic" font-size="14.00">filter</text>
-<polygon fill="none" stroke="black" points="1149,-450.5 1149,-471.5 1565,-471.5 1565,-450.5 1149,-450.5"/>
-<text text-anchor="start" x="1303.5" y="-457.3" font-family="Times,serif" font-size="14.00">&#45;j DOCKER&#45;USER</text>
-<polygon fill="none" stroke="black" points="1149,-429.5 1149,-450.5 1565,-450.5 1565,-429.5 1149,-429.5"/>
-<text text-anchor="start" x="1255" y="-436.3" font-family="Times,serif" font-size="14.00">&#45;j DOCKER&#45;ISOLATION&#45;STAGE&#45;1</text>
-<polygon fill="none" stroke="black" points="1149,-408.5 1149,-429.5 1565,-429.5 1565,-408.5 1149,-408.5"/>
-<text text-anchor="start" x="1152" y="-415.3" font-family="Times,serif" font-size="14.00">&#45;o docker0 &#45;m conntrack &#45;&#45;ctstate RELATED,ESTABLISHED &#45;j ACCEPT</text>
-<polygon fill="none" stroke="black" points="1149,-387.5 1149,-408.5 1565,-408.5 1565,-387.5 1149,-387.5"/>
-<text text-anchor="start" x="1292" y="-394.3" font-family="Times,serif" font-size="14.00">&#45;o docker0 &#45;j DOCKER</text>
-<polygon fill="none" stroke="black" points="1149,-366.5 1149,-387.5 1565,-387.5 1565,-366.5 1149,-366.5"/>
-<text text-anchor="start" x="1260" y="-373.3" font-family="Times,serif" font-size="14.00">&#45;i docker0 ! &#45;o docker0 &#45;j ACCEPT</text>
-<polygon fill="none" stroke="black" points="1149,-345.5 1149,-366.5 1565,-366.5 1565,-345.5 1149,-345.5"/>
-<text text-anchor="start" x="1264" y="-352.3" font-family="Times,serif" font-size="14.00">&#45;i docker0 &#45;o docker0 &#45;j ACCEPT</text>
-<polygon fill="none" stroke="black" points="1149,-324.5 1149,-345.5 1565,-345.5 1565,-324.5 1149,-324.5"/>
-<text text-anchor="start" x="1347" y="-331.3" font-family="Times,serif" font-size="14.00">end</text>
-</g>
-<!-- filter_FORWARD&#45;&gt;filter_DOCKERUSER -->
-<g id="edge2" class="edge"><title>filter_FORWARD:rule_0&#45;&gt;filter_DOCKERUSER:begin</title>
-<path fill="none" stroke="black" d="M1566,-461.5C1657.52,-461.5 1643.53,-546.933 1717,-601.5 1767.04,-638.664 1777.93,-672.586 1834.68,-676.185"/>
-<polygon fill="black" stroke="black" points="1834.9,-679.693 1845,-676.5 1835.11,-672.697 1834.9,-679.693"/>
-</g>
-<!-- filter_FORWARD&#45;&gt;filter_DOCKERISOLATIONSTAGE1 -->
-<g id="edge3" class="edge"><title>filter_FORWARD:rule_1&#45;&gt;filter_DOCKERISOLATIONSTAGE1:begin</title>
-<path fill="none" stroke="black" d="M1566,-440.5C1647.17,-440.5 1640.01,-538.502 1713.59,-546.924"/>
-<polygon fill="black" stroke="black" points="1713.82,-550.443 1724,-547.5 1714.21,-543.453 1713.82,-550.443"/>
-</g>
-<!-- filter_DOCKER -->
-<g id="node7" class="node"><title>filter_DOCKER</title>
-<polygon fill="none" stroke="black" points="1933.5,-434 1856.5,-434 1856.5,-363 1933.5,-363 1933.5,-434"/>
-<polygon fill="none" stroke="black" points="1865,-408.5 1865,-429.5 1926,-429.5 1926,-408.5 1865,-408.5"/>
-<text text-anchor="start" x="1868" y="-416.3" font-family="Times,serif" font-style="italic" font-size="14.00">DOCKER</text>
-<polygon fill="none" stroke="black" points="1865,-387.5 1865,-408.5 1926,-408.5 1926,-387.5 1865,-387.5"/>
-<text text-anchor="start" x="1882" y="-395.3" font-family="Times,serif" font-style="italic" font-size="14.00">filter</text>
-<polygon fill="none" stroke="black" points="1865,-366.5 1865,-387.5 1926,-387.5 1926,-366.5 1865,-366.5"/>
-<text text-anchor="start" x="1885.5" y="-373.3" font-family="Times,serif" font-size="14.00">end</text>
-</g>
-<!-- filter_FORWARD&#45;&gt;filter_DOCKER -->
-<g id="edge4" class="edge"><title>filter_FORWARD:rule_3&#45;&gt;filter_DOCKER:begin</title>
-<path fill="none" stroke="black" d="M1566,-397.5C1694.95,-397.5 1729.74,-397.5 1853.73,-397.5"/>
-<polygon fill="black" stroke="black" points="1854,-401 1864,-397.5 1854,-394 1854,-401"/>
-</g>
-<!-- filter_FORWARD&#45;&gt;mangle_POSTROUTING -->
-<g id="edge20" class="edge"><title>filter_FORWARD:end&#45;&gt;mangle_POSTROUTING:begin</title>
-<path fill="none" stroke="red" d="M1566,-334.5C1900.66,-334.5 1983.84,-307.5 2318.5,-307.5 2318.5,-307.5 2318.5,-307.5 2744.5,-307.5 2953.37,-307.5 3013,-330.734 3213,-270.5 3283.26,-249.338 3287.28,-192.207 3354.16,-186.897"/>
-<polygon fill="red" stroke="red" points="3354.64,-190.381 3364.5,-186.5 3354.37,-183.386 3354.64,-190.381"/>
+<!-- mangle_PREROUTING -->
+<g id="node29" class="node">
+<title>mangle_PREROUTING</title>
+<polygon fill="none" stroke="black" points="858,-1029.6 704,-1029.6 700,-1025.6 700,-973.6 854,-973.6 858,-977.6 858,-1029.6"/>
+<polyline fill="none" stroke="black" points="854,-1025.6 700,-1025.6 "/>
+<polyline fill="none" stroke="black" points="854,-1025.6 854,-973.6 "/>
+<polyline fill="none" stroke="black" points="854,-1025.6 858,-1029.6 "/>
+<polygon fill="tomato" stroke="transparent" points="708,-1004.6 708,-1025.6 850,-1025.6 850,-1004.6 708,-1004.6"/>
+<polygon fill="none" stroke="black" points="708,-1004.6 708,-1025.6 850,-1025.6 850,-1004.6 708,-1004.6"/>
+<text text-anchor="start" x="711" y="-1012.4" font-family="Times,serif" font-style="italic" font-size="14.00">mangle:PREROUTING</text>
+<polygon fill="none" stroke="black" points="708,-998.6 708,-1004.6 850,-1004.6 850,-998.6 708,-998.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="708,-977.6 708,-998.6 850,-998.6 850,-977.6 708,-977.6"/>
+<polygon fill="none" stroke="black" points="708,-977.6 708,-998.6 850,-998.6 850,-977.6 708,-977.6"/>
+<text text-anchor="start" x="747" y="-984.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
 </g>
-<!-- filter_INPUT -->
-<g id="node6" class="node"><title>filter_INPUT</title>
-<polygon fill="none" stroke="black" points="1388,-114 1326,-114 1326,-43 1388,-43 1388,-114"/>
-<polygon fill="red" stroke="none" points="1334,-88.5 1334,-109.5 1380,-109.5 1380,-88.5 1334,-88.5"/>
-<polygon fill="none" stroke="black" points="1334,-88.5 1334,-109.5 1380,-109.5 1380,-88.5 1334,-88.5"/>
-<text text-anchor="start" x="1337" y="-96.3" font-family="Times,serif" font-style="italic" font-size="14.00">INPUT</text>
-<polygon fill="tomato" stroke="none" points="1334,-67.5 1334,-88.5 1380,-88.5 1380,-67.5 1334,-67.5"/>
-<polygon fill="none" stroke="black" points="1334,-67.5 1334,-88.5 1380,-88.5 1380,-67.5 1334,-67.5"/>
-<text text-anchor="start" x="1343.5" y="-75.3" font-family="Times,serif" font-style="italic" font-size="14.00">filter</text>
-<polygon fill="none" stroke="black" points="1334,-46.5 1334,-67.5 1380,-67.5 1380,-46.5 1334,-46.5"/>
-<text text-anchor="start" x="1347" y="-53.3" font-family="Times,serif" font-size="14.00">end</text>
+<!-- raw_PREROUTING&#45;&gt;mangle_PREROUTING -->
+<g id="edge26" class="edge">
+<title>raw_PREROUTING:end&#45;&gt;mangle_PREROUTING:begin</title>
+<path fill="none" stroke="red" d="M549.5,-1001.6C615.95,-1001.6 635.09,-1001.6 696.73,-1001.6"/>
+<polygon fill="red" stroke="red" points="697,-1005.1 707,-1001.6 697,-998.1 697,-1005.1"/>
 </g>
 <!-- raw_OUTPUT -->
-<g id="node8" class="node"><title>raw_OUTPUT</title>
-<polygon fill="none" stroke="black" points="1932.5,-136 1857.5,-136 1857.5,-65 1932.5,-65 1932.5,-136"/>
-<polygon fill="red" stroke="none" points="1866,-110.5 1866,-131.5 1925,-131.5 1925,-110.5 1866,-110.5"/>
-<polygon fill="none" stroke="black" points="1866,-110.5 1866,-131.5 1925,-131.5 1925,-110.5 1866,-110.5"/>
-<text text-anchor="start" x="1869" y="-118.3" font-family="Times,serif" font-style="italic" font-size="14.00">OUTPUT</text>
-<polygon fill="tomato" stroke="none" points="1866,-89.5 1866,-110.5 1925,-110.5 1925,-89.5 1866,-89.5"/>
-<polygon fill="none" stroke="black" points="1866,-89.5 1866,-110.5 1925,-110.5 1925,-89.5 1866,-89.5"/>
-<text text-anchor="start" x="1884.5" y="-97.3" font-family="Times,serif" font-style="italic" font-size="14.00">raw</text>
-<polygon fill="none" stroke="black" points="1866,-68.5 1866,-89.5 1925,-89.5 1925,-68.5 1866,-68.5"/>
-<text text-anchor="start" x="1885.5" y="-75.3" font-family="Times,serif" font-size="14.00">end</text>
-</g>
-<!-- filter_INPUT&#45;&gt;raw_OUTPUT -->
-<g id="edge12" class="edge"><title>filter_INPUT:end&#45;&gt;raw_OUTPUT:begin</title>
-<path fill="none" stroke="red" d="M1381,-56.5C1593.58,-56.5 1647.37,-98.1667 1855,-99.4688"/>
-<polygon fill="red" stroke="red" points="1854.99,-102.969 1865,-99.5 1855.01,-95.9688 1854.99,-102.969"/>
+<g id="node2" class="node">
+<title>raw_OUTPUT</title>
+<polygon fill="none" stroke="black" points="4203.19,-425.6 4103.19,-425.6 4099.19,-421.6 4099.19,-369.6 4199.19,-369.6 4203.19,-373.6 4203.19,-425.6"/>
+<polyline fill="none" stroke="black" points="4199.19,-421.6 4099.19,-421.6 "/>
+<polyline fill="none" stroke="black" points="4199.19,-421.6 4199.19,-369.6 "/>
+<polyline fill="none" stroke="black" points="4199.19,-421.6 4203.19,-425.6 "/>
+<polygon fill="lightblue" stroke="transparent" points="4107.19,-400.6 4107.19,-421.6 4195.19,-421.6 4195.19,-400.6 4107.19,-400.6"/>
+<polygon fill="none" stroke="black" points="4107.19,-400.6 4107.19,-421.6 4195.19,-421.6 4195.19,-400.6 4107.19,-400.6"/>
+<text text-anchor="start" x="4110.19" y="-408.4" font-family="Times,serif" font-style="italic" font-size="14.00">raw:OUTPUT</text>
+<polygon fill="none" stroke="black" points="4107.19,-394.6 4107.19,-400.6 4195.19,-400.6 4195.19,-394.6 4107.19,-394.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="4107.19,-373.6 4107.19,-394.6 4195.19,-394.6 4195.19,-373.6 4107.19,-373.6"/>
+<polygon fill="none" stroke="black" points="4107.19,-373.6 4107.19,-394.6 4195.19,-394.6 4195.19,-373.6 4107.19,-373.6"/>
+<text text-anchor="start" x="4119.19" y="-380.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
 </g>
 <!-- mangle_OUTPUT -->
-<g id="node14" class="node"><title>mangle_OUTPUT</title>
-<polygon fill="none" stroke="black" points="2357,-147 2282,-147 2282,-76 2357,-76 2357,-147"/>
-<polygon fill="red" stroke="none" points="2290.5,-121.5 2290.5,-142.5 2349.5,-142.5 2349.5,-121.5 2290.5,-121.5"/>
-<polygon fill="none" stroke="black" points="2290.5,-121.5 2290.5,-142.5 2349.5,-142.5 2349.5,-121.5 2290.5,-121.5"/>
-<text text-anchor="start" x="2293.5" y="-129.3" font-family="Times,serif" font-style="italic" font-size="14.00">OUTPUT</text>
-<polygon fill="tomato" stroke="none" points="2290.5,-100.5 2290.5,-121.5 2349.5,-121.5 2349.5,-100.5 2290.5,-100.5"/>
-<polygon fill="none" stroke="black" points="2290.5,-100.5 2290.5,-121.5 2349.5,-121.5 2349.5,-100.5 2290.5,-100.5"/>
-<text text-anchor="start" x="2300" y="-108.3" font-family="Times,serif" font-style="italic" font-size="14.00">mangle</text>
-<polygon fill="none" stroke="black" points="2290.5,-79.5 2290.5,-100.5 2349.5,-100.5 2349.5,-79.5 2290.5,-79.5"/>
-<text text-anchor="start" x="2310" y="-86.3" font-family="Times,serif" font-size="14.00">end</text>
+<g id="node31" class="node">
+<title>mangle_OUTPUT</title>
+<polygon fill="none" stroke="black" points="4472.19,-425.6 4351.19,-425.6 4347.19,-421.6 4347.19,-369.6 4468.19,-369.6 4472.19,-373.6 4472.19,-425.6"/>
+<polyline fill="none" stroke="black" points="4468.19,-421.6 4347.19,-421.6 "/>
+<polyline fill="none" stroke="black" points="4468.19,-421.6 4468.19,-369.6 "/>
+<polyline fill="none" stroke="black" points="4468.19,-421.6 4472.19,-425.6 "/>
+<polygon fill="tomato" stroke="transparent" points="4355.69,-400.6 4355.69,-421.6 4464.69,-421.6 4464.69,-400.6 4355.69,-400.6"/>
+<polygon fill="none" stroke="black" points="4355.69,-400.6 4355.69,-421.6 4464.69,-421.6 4464.69,-400.6 4355.69,-400.6"/>
+<text text-anchor="start" x="4358.69" y="-408.4" font-family="Times,serif" font-style="italic" font-size="14.00">mangle:OUTPUT</text>
+<polygon fill="none" stroke="black" points="4355.69,-394.6 4355.69,-400.6 4464.69,-400.6 4464.69,-394.6 4355.69,-394.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="4355.69,-373.6 4355.69,-394.6 4464.69,-394.6 4464.69,-373.6 4355.69,-373.6"/>
+<polygon fill="none" stroke="black" points="4355.69,-373.6 4355.69,-394.6 4464.69,-394.6 4464.69,-373.6 4355.69,-373.6"/>
+<text text-anchor="start" x="4378.19" y="-380.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
 </g>
 <!-- raw_OUTPUT&#45;&gt;mangle_OUTPUT -->
-<g id="edge13" class="edge"><title>raw_OUTPUT:end&#45;&gt;mangle_OUTPUT:begin</title>
-<path fill="none" stroke="red" d="M1926,-78.5C2084.7,-78.5 2125.58,-109.14 2279.21,-110.456"/>
-<polygon fill="red" stroke="red" points="2279.49,-113.957 2289.5,-110.5 2279.51,-106.957 2279.49,-113.957"/>
+<g id="edge35" class="edge">
+<title>raw_OUTPUT:end&#45;&gt;mangle_OUTPUT:begin</title>
+<path fill="none" stroke="red" d="M4196.19,-383.6C4263.32,-383.6 4282.1,-396.21 4344.32,-397.49"/>
+<polygon fill="red" stroke="red" points="4344.65,-401 4354.69,-397.6 4344.72,-394 4344.65,-401"/>
 </g>
-<!-- raw_PREROUTING -->
-<g id="node9" class="node"><title>raw_PREROUTING</title>
-<polygon fill="none" stroke="black" points="106,-263 7.10543e-15,-263 7.10543e-15,-192 106,-192 106,-263"/>
-<polygon fill="red" stroke="none" points="8,-237.5 8,-258.5 98,-258.5 98,-237.5 8,-237.5"/>
-<polygon fill="none" stroke="black" points="8,-237.5 8,-258.5 98,-258.5 98,-237.5 8,-237.5"/>
-<text text-anchor="start" x="11" y="-245.3" font-family="Times,serif" font-style="italic" font-size="14.00">PREROUTING</text>
-<polygon fill="tomato" stroke="none" points="8,-216.5 8,-237.5 98,-237.5 98,-216.5 8,-216.5"/>
-<polygon fill="none" stroke="black" points="8,-216.5 8,-237.5 98,-237.5 98,-216.5 8,-216.5"/>
-<text text-anchor="start" x="42" y="-224.3" font-family="Times,serif" font-style="italic" font-size="14.00">raw</text>
-<polygon fill="none" stroke="black" points="8,-195.5 8,-216.5 98,-216.5 98,-195.5 8,-195.5"/>
-<text text-anchor="start" x="43" y="-202.3" font-family="Times,serif" font-size="14.00">end</text>
+<!-- filter_INPUT -->
+<g id="node3" class="node">
+<title>filter_INPUT</title>
+<polygon fill="none" stroke="black" points="2408,-719.6 1897,-719.6 1893,-715.6 1893,-579.6 2404,-579.6 2408,-583.6 2408,-719.6"/>
+<polyline fill="none" stroke="black" points="2404,-715.6 1893,-715.6 "/>
+<polyline fill="none" stroke="black" points="2404,-715.6 2404,-579.6 "/>
+<polyline fill="none" stroke="black" points="2404,-715.6 2408,-719.6 "/>
+<polygon fill="tomato" stroke="transparent" points="1901.5,-694.6 1901.5,-715.6 2400.5,-715.6 2400.5,-694.6 1901.5,-694.6"/>
+<polygon fill="none" stroke="black" points="1901.5,-694.6 1901.5,-715.6 2400.5,-715.6 2400.5,-694.6 1901.5,-694.6"/>
+<text text-anchor="start" x="2110.5" y="-702.4" font-family="Times,serif" font-style="italic" font-size="14.00">filter:INPUT</text>
+<polygon fill="none" stroke="black" points="1901.5,-688.6 1901.5,-694.6 2400.5,-694.6 2400.5,-688.6 1901.5,-688.6"/>
+<polygon fill="none" stroke="black" points="1901.5,-667.6 1901.5,-688.6 2400.5,-688.6 2400.5,-667.6 1901.5,-667.6"/>
+<text text-anchor="start" x="1916" y="-674.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;kubernetes ipvs access filter&quot; &#45;j KUBE&#45;IPVS&#45;FILTER</text>
+<polygon fill="none" stroke="black" points="1901.5,-646.6 1901.5,-667.6 2400.5,-667.6 2400.5,-646.6 1901.5,-646.6"/>
+<text text-anchor="start" x="1904.5" y="-653.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;kube&#45;proxy firewall rules&quot; &#45;j KUBE&#45;PROXY&#45;FIREWALL</text>
+<polygon fill="none" stroke="black" points="1901.5,-625.6 1901.5,-646.6 2400.5,-646.6 2400.5,-625.6 1901.5,-625.6"/>
+<text text-anchor="start" x="1909" y="-632.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;kubernetes health check rules&quot; &#45;j KUBE&#45;NODE&#45;PORT</text>
+<polygon fill="none" stroke="black" points="1901.5,-604.6 1901.5,-625.6 2400.5,-625.6 2400.5,-604.6 1901.5,-604.6"/>
+<text text-anchor="start" x="2090" y="-611.4" font-family="Times,serif" font-size="14.00">&#45;j KUBE&#45;FIREWALL</text>
+<polygon fill="lightgreen" stroke="transparent" points="1901.5,-583.6 1901.5,-604.6 2400.5,-604.6 2400.5,-583.6 1901.5,-583.6"/>
+<polygon fill="none" stroke="black" points="1901.5,-583.6 1901.5,-604.6 2400.5,-604.6 2400.5,-583.6 1901.5,-583.6"/>
+<text text-anchor="start" x="2119" y="-590.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
+</g>
+<!-- filter_KUBEIPVSFILTER -->
+<g id="node6" class="node">
+<title>filter_KUBEIPVSFILTER</title>
+<polygon fill="none" stroke="black" points="3335.5,-950.6 2608.5,-950.6 2604.5,-946.6 2604.5,-768.6 3331.5,-768.6 3335.5,-772.6 3335.5,-950.6"/>
+<polyline fill="none" stroke="black" points="3331.5,-946.6 2604.5,-946.6 "/>
+<polyline fill="none" stroke="black" points="3331.5,-946.6 3331.5,-768.6 "/>
+<polyline fill="none" stroke="black" points="3331.5,-946.6 3335.5,-950.6 "/>
+<polygon fill="grey" stroke="transparent" points="2613,-925.6 2613,-946.6 3328,-946.6 3328,-925.6 2613,-925.6"/>
+<polygon fill="none" stroke="black" points="2613,-925.6 2613,-946.6 3328,-946.6 3328,-925.6 2613,-925.6"/>
+<text text-anchor="start" x="2881" y="-933.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">kubernetes ipvs access filter</text>
+<polygon fill="none" stroke="black" points="2613,-919.6 2613,-925.6 3328,-925.6 3328,-919.6 2613,-919.6"/>
+<polygon fill="moccasin" stroke="transparent" points="2613,-898.6 2613,-919.6 3328,-919.6 3328,-898.6 2613,-898.6"/>
+<polygon fill="none" stroke="black" points="2613,-898.6 2613,-919.6 3328,-919.6 3328,-898.6 2613,-898.6"/>
+<text text-anchor="start" x="2777" y="-905.4" font-family="Times,serif" font-size="14.00">&#45;m set &#45;&#45;match&#45;set KUBE&#45;LOAD&#45;BALANCER dst,dst &#45;j RETURN</text>
+<polygon fill="moccasin" stroke="transparent" points="2613,-877.6 2613,-898.6 3328,-898.6 3328,-877.6 2613,-877.6"/>
+<polygon fill="none" stroke="black" points="2613,-877.6 2613,-898.6 3328,-898.6 3328,-877.6 2613,-877.6"/>
+<text text-anchor="start" x="2796" y="-884.4" font-family="Times,serif" font-size="14.00">&#45;m set &#45;&#45;match&#45;set KUBE&#45;CLUSTER&#45;IP dst,dst &#45;j RETURN</text>
+<polygon fill="moccasin" stroke="transparent" points="2613,-856.6 2613,-877.6 3328,-877.6 3328,-856.6 2613,-856.6"/>
+<polygon fill="none" stroke="black" points="2613,-856.6 2613,-877.6 3328,-877.6 3328,-856.6 2613,-856.6"/>
+<text text-anchor="start" x="2790.5" y="-863.4" font-family="Times,serif" font-size="14.00">&#45;m set &#45;&#45;match&#45;set KUBE&#45;EXTERNAL&#45;IP dst,dst &#45;j RETURN</text>
+<polygon fill="moccasin" stroke="transparent" points="2613,-835.6 2613,-856.6 3328,-856.6 3328,-835.6 2613,-835.6"/>
+<polygon fill="none" stroke="black" points="2613,-835.6 2613,-856.6 3328,-856.6 3328,-835.6 2613,-835.6"/>
+<text text-anchor="start" x="2766" y="-842.4" font-family="Times,serif" font-size="14.00">&#45;m set &#45;&#45;match&#45;set KUBE&#45;EXTERNAL&#45;IP&#45;LOCAL dst,dst &#45;j RETURN</text>
+<polygon fill="moccasin" stroke="transparent" points="2613,-814.6 2613,-835.6 3328,-835.6 3328,-814.6 2613,-814.6"/>
+<polygon fill="none" stroke="black" points="2613,-814.6 2613,-835.6 3328,-835.6 3328,-814.6 2613,-814.6"/>
+<text text-anchor="start" x="2753" y="-821.4" font-family="Times,serif" font-size="14.00">&#45;m set &#45;&#45;match&#45;set KUBE&#45;HEALTH&#45;CHECK&#45;NODE&#45;PORT dst &#45;j RETURN</text>
+<polygon fill="coral" stroke="transparent" points="2613,-793.6 2613,-814.6 3328,-814.6 3328,-793.6 2613,-793.6"/>
+<polygon fill="none" stroke="black" points="2613,-793.6 2613,-814.6 3328,-814.6 3328,-793.6 2613,-793.6"/>
+<text text-anchor="start" x="2616" y="-800.4" font-family="Times,serif" font-size="14.00">&#45;m conntrack &#45;&#45;ctstate NEW &#45;m set &#45;&#45;match&#45;set KUBE&#45;IPVS&#45;IPS dst &#45;j REJECT &#45;&#45;reject&#45;with icmp&#45;port&#45;unreachable</text>
+<polygon fill="none" stroke="black" points="2613,-772.6 2613,-793.6 3328,-793.6 3328,-772.6 2613,-772.6"/>
+<text text-anchor="start" x="2937" y="-779.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- filter_INPUT&#45;&gt;filter_KUBEIPVSFILTER -->
+<g id="edge1" class="edge">
+<title>filter_INPUT:rule_0&#45;&gt;filter_KUBEIPVSFILTER:begin</title>
+<path fill="none" stroke="black" d="M2401.5,-678.6C2541.23,-678.6 2472.35,-910.83 2601.9,-922.17"/>
+<polygon fill="black" stroke="black" points="2601.86,-925.67 2612,-922.6 2602.16,-918.68 2601.86,-925.67"/>
+</g>
+<!-- filter_KUBEPROXYFIREWALL -->
+<g id="node7" class="node">
+<title>filter_KUBEPROXYFIREWALL</title>
+<polygon fill="none" stroke="black" points="3064,-618.6 2880,-618.6 2876,-614.6 2876,-562.6 3060,-562.6 3064,-566.6 3064,-618.6"/>
+<polyline fill="none" stroke="black" points="3060,-614.6 2876,-614.6 "/>
+<polyline fill="none" stroke="black" points="3060,-614.6 3060,-562.6 "/>
+<polyline fill="none" stroke="black" points="3060,-614.6 3064,-618.6 "/>
+<polygon fill="grey" stroke="transparent" points="2884,-593.6 2884,-614.6 3056,-614.6 3056,-593.6 2884,-593.6"/>
+<polygon fill="none" stroke="black" points="2884,-593.6 2884,-614.6 3056,-614.6 3056,-593.6 2884,-593.6"/>
+<text text-anchor="start" x="2887" y="-601.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">kube&#45;proxy firewall rules</text>
+<polygon fill="none" stroke="black" points="2884,-587.6 2884,-593.6 3056,-593.6 3056,-587.6 2884,-587.6"/>
+<polygon fill="none" stroke="black" points="2884,-566.6 2884,-587.6 3056,-587.6 3056,-566.6 2884,-566.6"/>
+<text text-anchor="start" x="2936.5" y="-573.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- filter_INPUT&#45;&gt;filter_KUBEPROXYFIREWALL -->
+<g id="edge2" class="edge">
+<title>filter_INPUT:rule_1&#45;&gt;filter_KUBEPROXYFIREWALL:begin</title>
+<path fill="none" stroke="black" d="M2401.5,-657.6C2469.04,-657.6 2485.11,-645.91 2552,-636.6 2695.66,-616.59 2732.76,-591.79 2872.74,-590.64"/>
+<polygon fill="black" stroke="black" points="2873.01,-594.14 2883,-590.6 2872.99,-587.14 2873.01,-594.14"/>
+</g>
+<!-- filter_KUBENODEPORT -->
+<g id="node8" class="node">
+<title>filter_KUBENODEPORT</title>
+<polygon fill="none" stroke="black" points="3388,-732.1 2556,-732.1 2552,-728.1 2552,-655.1 3384,-655.1 3388,-659.1 3388,-732.1"/>
+<polyline fill="none" stroke="black" points="3384,-728.1 2552,-728.1 "/>
+<polyline fill="none" stroke="black" points="3384,-728.1 3384,-655.1 "/>
+<polyline fill="none" stroke="black" points="3384,-728.1 3388,-732.1 "/>
+<polygon fill="grey" stroke="transparent" points="2560,-706.6 2560,-727.6 3380,-727.6 3380,-706.6 2560,-706.6"/>
+<polygon fill="none" stroke="black" points="2560,-706.6 2560,-727.6 3380,-727.6 3380,-706.6 2560,-706.6"/>
+<text text-anchor="start" x="2872" y="-714.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">kubernetes health check rules</text>
+<polygon fill="none" stroke="black" points="2560,-700.6 2560,-706.6 3380,-706.6 3380,-700.6 2560,-700.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="2560,-679.6 2560,-700.6 3380,-700.6 3380,-679.6 2560,-679.6"/>
+<polygon fill="none" stroke="black" points="2560,-679.6 2560,-700.6 3380,-700.6 3380,-679.6 2560,-679.6"/>
+<text text-anchor="start" x="2563" y="-686.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;Kubernetes health check node port&quot; &#45;m set &#45;&#45;match&#45;set KUBE&#45;HEALTH&#45;CHECK&#45;NODE&#45;PORT dst &#45;j ACCEPT</text>
+<polygon fill="none" stroke="black" points="2560,-658.6 2560,-679.6 3380,-679.6 3380,-658.6 2560,-658.6"/>
+<text text-anchor="start" x="2936.5" y="-665.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- filter_INPUT&#45;&gt;filter_KUBENODEPORT -->
+<g id="edge3" class="edge">
+<title>filter_INPUT:rule_2&#45;&gt;filter_KUBENODEPORT:begin</title>
+<path fill="none" stroke="black" d="M2401.5,-635.6C2474.17,-635.6 2482.13,-697.37 2548.73,-703.16"/>
+<polygon fill="black" stroke="black" points="2548.86,-706.67 2559,-703.6 2549.16,-699.68 2548.86,-706.67"/>
+</g>
+<!-- filter_KUBEFIREWALL -->
+<g id="node9" class="node">
+<title>filter_KUBEFIREWALL</title>
+<polygon fill="none" stroke="black" points="7433.69,-536.1 6452.69,-536.1 6448.69,-532.1 6448.69,-459.1 7429.69,-459.1 7433.69,-463.1 7433.69,-536.1"/>
+<polyline fill="none" stroke="black" points="7429.69,-532.1 6448.69,-532.1 "/>
+<polyline fill="none" stroke="black" points="7429.69,-532.1 7429.69,-459.1 "/>
+<polyline fill="none" stroke="black" points="7429.69,-532.1 7433.69,-536.1 "/>
+<polygon fill="grey" stroke="transparent" points="6457.19,-510.6 6457.19,-531.6 7426.19,-531.6 7426.19,-510.6 6457.19,-510.6"/>
+<polygon fill="none" stroke="black" points="6457.19,-510.6 6457.19,-531.6 7426.19,-531.6 7426.19,-510.6 6457.19,-510.6"/>
+<text text-anchor="start" x="6866.69" y="-518.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">filter:KUBE&#45;FIREWALL</text>
+<polygon fill="none" stroke="black" points="6457.19,-504.6 6457.19,-510.6 7426.19,-510.6 7426.19,-504.6 6457.19,-504.6"/>
+<polygon fill="coral" stroke="transparent" points="6457.19,-483.6 6457.19,-504.6 7426.19,-504.6 7426.19,-483.6 6457.19,-483.6"/>
+<polygon fill="none" stroke="black" points="6457.19,-483.6 6457.19,-504.6 7426.19,-504.6 7426.19,-483.6 6457.19,-483.6"/>
+<text text-anchor="start" x="6460.19" y="-490.4" font-family="Times,serif" font-size="14.00">! &#45;s 127.0.0.0/8 &#45;d 127.0.0.0/8 &#45;m comment &#45;&#45;comment &quot;block incoming localnet connections&quot; &#45;m conntrack ! &#45;&#45;ctstate RELATED,ESTABLISHED,DNAT &#45;j DROP</text>
+<polygon fill="none" stroke="black" points="6457.19,-462.6 6457.19,-483.6 7426.19,-483.6 7426.19,-462.6 6457.19,-462.6"/>
+<text text-anchor="start" x="6908.19" y="-469.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- filter_INPUT&#45;&gt;filter_KUBEFIREWALL -->
+<g id="edge4" class="edge">
+<title>filter_INPUT:rule_3&#45;&gt;filter_KUBEFIREWALL:begin</title>
+<path fill="none" stroke="black" d="M2401.5,-614.6C2475.27,-614.6 2480.26,-561.79 2552,-544.6 3006.52,-435.64 3135.6,-507.6 3603,-507.6 3603,-507.6 3603,-507.6 4849.69,-507.6 5560.29,-507.6 5740.48,-507.6 6446.03,-507.6"/>
+<polygon fill="black" stroke="black" points="6446.19,-511.1 6456.19,-507.6 6446.19,-504.1 6446.19,-511.1"/>
+</g>
+<!-- security_INPUT -->
+<g id="node14" class="node">
+<title>security_INPUT</title>
+<polygon fill="none" stroke="black" points="3029,-452.6 2915,-452.6 2911,-448.6 2911,-396.6 3025,-396.6 3029,-400.6 3029,-452.6"/>
+<polyline fill="none" stroke="black" points="3025,-448.6 2911,-448.6 "/>
+<polyline fill="none" stroke="black" points="3025,-448.6 3025,-396.6 "/>
+<polyline fill="none" stroke="black" points="3025,-448.6 3029,-452.6 "/>
+<polygon fill="tomato" stroke="transparent" points="2919,-427.6 2919,-448.6 3021,-448.6 3021,-427.6 2919,-427.6"/>
+<polygon fill="none" stroke="black" points="2919,-427.6 2919,-448.6 3021,-448.6 3021,-427.6 2919,-427.6"/>
+<text text-anchor="start" x="2922" y="-435.4" font-family="Times,serif" font-style="italic" font-size="14.00">security:INPUT</text>
+<polygon fill="none" stroke="black" points="2919,-421.6 2919,-427.6 3021,-427.6 3021,-421.6 2919,-421.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="2919,-400.6 2919,-421.6 3021,-421.6 3021,-400.6 2919,-400.6"/>
+<polygon fill="none" stroke="black" points="2919,-400.6 2919,-421.6 3021,-421.6 3021,-400.6 2919,-400.6"/>
+<text text-anchor="start" x="2938" y="-407.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
+</g>
+<!-- filter_INPUT&#45;&gt;security_INPUT -->
+<g id="edge30" class="edge">
+<title>filter_INPUT:end&#45;&gt;security_INPUT:begin</title>
+<path fill="none" stroke="red" d="M2401.5,-593.6C2485.41,-593.6 2474.67,-512.17 2552,-479.6 2700.33,-417.11 2751.32,-424.25 2907.55,-424.59"/>
+<polygon fill="red" stroke="red" points="2908,-428.09 2918,-424.6 2908,-421.09 2908,-428.09"/>
 </g>
-<!-- mangle_PREROUTING -->
-<g id="node13" class="node"><title>mangle_PREROUTING</title>
-<polygon fill="none" stroke="black" points="356,-242 250,-242 250,-171 356,-171 356,-242"/>
-<polygon fill="red" stroke="none" points="258,-216.5 258,-237.5 348,-237.5 348,-216.5 258,-216.5"/>
-<polygon fill="none" stroke="black" points="258,-216.5 258,-237.5 348,-237.5 348,-216.5 258,-216.5"/>
-<text text-anchor="start" x="261" y="-224.3" font-family="Times,serif" font-style="italic" font-size="14.00">PREROUTING</text>
-<polygon fill="tomato" stroke="none" points="258,-195.5 258,-216.5 348,-216.5 348,-195.5 258,-195.5"/>
-<polygon fill="none" stroke="black" points="258,-195.5 258,-216.5 348,-216.5 348,-195.5 258,-195.5"/>
-<text text-anchor="start" x="283" y="-203.3" font-family="Times,serif" font-style="italic" font-size="14.00">mangle</text>
-<polygon fill="none" stroke="black" points="258,-174.5 258,-195.5 348,-195.5 348,-174.5 258,-174.5"/>
-<text text-anchor="start" x="293" y="-181.3" font-family="Times,serif" font-size="14.00">end</text>
+<!-- filter_OUTPUT -->
+<g id="node4" class="node">
+<title>filter_OUTPUT</title>
+<polygon fill="none" stroke="black" points="6026.69,-693.6 5506.69,-693.6 5502.69,-689.6 5502.69,-595.6 6022.69,-595.6 6026.69,-599.6 6026.69,-693.6"/>
+<polyline fill="none" stroke="black" points="6022.69,-689.6 5502.69,-689.6 "/>
+<polyline fill="none" stroke="black" points="6022.69,-689.6 6022.69,-595.6 "/>
+<polyline fill="none" stroke="black" points="6022.69,-689.6 6026.69,-693.6 "/>
+<polygon fill="tomato" stroke="transparent" points="5510.69,-668.6 5510.69,-689.6 6018.69,-689.6 6018.69,-668.6 5510.69,-668.6"/>
+<polygon fill="none" stroke="black" points="5510.69,-668.6 5510.69,-689.6 6018.69,-689.6 6018.69,-668.6 5510.69,-668.6"/>
+<text text-anchor="start" x="5717.69" y="-676.4" font-family="Times,serif" font-style="italic" font-size="14.00">filter:OUTPUT</text>
+<polygon fill="none" stroke="black" points="5510.69,-662.6 5510.69,-668.6 6018.69,-668.6 6018.69,-662.6 5510.69,-662.6"/>
+<polygon fill="none" stroke="black" points="5510.69,-641.6 5510.69,-662.6 6018.69,-662.6 6018.69,-641.6 5510.69,-641.6"/>
+<text text-anchor="start" x="5513.69" y="-648.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;kubernetes ipvs access filter&quot; &#45;j KUBE&#45;IPVS&#45;OUT&#45;FILTER</text>
+<polygon fill="none" stroke="black" points="5510.69,-620.6 5510.69,-641.6 6018.69,-641.6 6018.69,-620.6 5510.69,-620.6"/>
+<text text-anchor="start" x="5703.69" y="-627.4" font-family="Times,serif" font-size="14.00">&#45;j KUBE&#45;FIREWALL</text>
+<polygon fill="lightgreen" stroke="transparent" points="5510.69,-599.6 5510.69,-620.6 6018.69,-620.6 6018.69,-599.6 5510.69,-599.6"/>
+<polygon fill="none" stroke="black" points="5510.69,-599.6 5510.69,-620.6 6018.69,-620.6 6018.69,-599.6 5510.69,-599.6"/>
+<text text-anchor="start" x="5732.69" y="-606.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
+</g>
+<!-- filter_OUTPUT&#45;&gt;filter_KUBEFIREWALL -->
+<g id="edge6" class="edge">
+<title>filter_OUTPUT:rule_1&#45;&gt;filter_KUBEFIREWALL:begin</title>
+<path fill="none" stroke="black" d="M6019.69,-630.6C6217.8,-630.6 6253.44,-511.77 6446,-507.7"/>
+<polygon fill="black" stroke="black" points="6446.23,-511.2 6456.19,-507.6 6446.15,-504.2 6446.23,-511.2"/>
+</g>
+<!-- filter_KUBEIPVSOUTFILTER -->
+<g id="node12" class="node">
+<title>filter_KUBEIPVSOUTFILTER</title>
+<polygon fill="none" stroke="black" points="7041.69,-720.6 6844.69,-720.6 6840.69,-716.6 6840.69,-664.6 7037.69,-664.6 7041.69,-668.6 7041.69,-720.6"/>
+<polyline fill="none" stroke="black" points="7037.69,-716.6 6840.69,-716.6 "/>
+<polyline fill="none" stroke="black" points="7037.69,-716.6 7037.69,-664.6 "/>
+<polyline fill="none" stroke="black" points="7037.69,-716.6 7041.69,-720.6 "/>
+<polygon fill="grey" stroke="transparent" points="6849.19,-695.6 6849.19,-716.6 7034.19,-716.6 7034.19,-695.6 6849.19,-695.6"/>
+<polygon fill="none" stroke="black" points="6849.19,-695.6 6849.19,-716.6 7034.19,-716.6 7034.19,-695.6 6849.19,-695.6"/>
+<text text-anchor="start" x="6852.19" y="-703.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">kubernetes ipvs access filter</text>
+<polygon fill="none" stroke="black" points="6849.19,-689.6 6849.19,-695.6 7034.19,-695.6 7034.19,-689.6 6849.19,-689.6"/>
+<polygon fill="none" stroke="black" points="6849.19,-668.6 6849.19,-689.6 7034.19,-689.6 7034.19,-668.6 6849.19,-668.6"/>
+<text text-anchor="start" x="6908.19" y="-675.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- filter_OUTPUT&#45;&gt;filter_KUBEIPVSOUTFILTER -->
+<g id="edge5" class="edge">
+<title>filter_OUTPUT:rule_0&#45;&gt;filter_KUBEIPVSOUTFILTER:begin</title>
+<path fill="none" stroke="black" d="M6019.69,-652.6C6384.92,-652.6 6477.82,-691.86 6838,-692.59"/>
+<polygon fill="black" stroke="black" points="6838.18,-696.09 6848.19,-692.6 6838.19,-689.09 6838.18,-696.09"/>
+</g>
+<!-- security_OUTPUT -->
+<g id="node15" class="node">
+<title>security_OUTPUT</title>
+<polygon fill="none" stroke="black" points="7006.69,-628.6 6879.69,-628.6 6875.69,-624.6 6875.69,-572.6 7002.69,-572.6 7006.69,-576.6 7006.69,-628.6"/>
+<polyline fill="none" stroke="black" points="7002.69,-624.6 6875.69,-624.6 "/>
+<polyline fill="none" stroke="black" points="7002.69,-624.6 7002.69,-572.6 "/>
+<polyline fill="none" stroke="black" points="7002.69,-624.6 7006.69,-628.6 "/>
+<polygon fill="tomato" stroke="transparent" points="6884.19,-603.6 6884.19,-624.6 6999.19,-624.6 6999.19,-603.6 6884.19,-603.6"/>
+<polygon fill="none" stroke="black" points="6884.19,-603.6 6884.19,-624.6 6999.19,-624.6 6999.19,-603.6 6884.19,-603.6"/>
+<text text-anchor="start" x="6887.19" y="-611.4" font-family="Times,serif" font-style="italic" font-size="14.00">security:OUTPUT</text>
+<polygon fill="none" stroke="black" points="6884.19,-597.6 6884.19,-603.6 6999.19,-603.6 6999.19,-597.6 6884.19,-597.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="6884.19,-576.6 6884.19,-597.6 6999.19,-597.6 6999.19,-576.6 6884.19,-576.6"/>
+<polygon fill="none" stroke="black" points="6884.19,-576.6 6884.19,-597.6 6999.19,-597.6 6999.19,-576.6 6884.19,-576.6"/>
+<text text-anchor="start" x="6909.69" y="-583.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
+</g>
+<!-- filter_OUTPUT&#45;&gt;security_OUTPUT -->
+<g id="edge38" class="edge">
+<title>filter_OUTPUT:end&#45;&gt;security_OUTPUT:begin</title>
+<path fill="none" stroke="red" d="M6019.69,-609.6C6400.11,-609.6 6497.68,-600.75 6873.13,-600.6"/>
+<polygon fill="red" stroke="red" points="6873.19,-604.1 6883.19,-600.6 6873.19,-597.1 6873.19,-604.1"/>
 </g>
-<!-- raw_PREROUTING&#45;&gt;mangle_PREROUTING -->
-<g id="edge8" class="edge"><title>raw_PREROUTING:end&#45;&gt;mangle_PREROUTING:begin</title>
-<path fill="none" stroke="red" d="M99,-205.5C165.656,-205.5 184.859,-205.5 246.696,-205.5"/>
-<polygon fill="red" stroke="red" points="247,-209 257,-205.5 247,-202 247,-209"/>
+<!-- filter_FORWARD -->
+<g id="node5" class="node">
+<title>filter_FORWARD</title>
+<polygon fill="none" stroke="black" points="2408,-396.1 1897,-396.1 1893,-392.1 1893,-277.1 2404,-277.1 2408,-281.1 2408,-396.1"/>
+<polyline fill="none" stroke="black" points="2404,-392.1 1893,-392.1 "/>
+<polyline fill="none" stroke="black" points="2404,-392.1 2404,-277.1 "/>
+<polyline fill="none" stroke="black" points="2404,-392.1 2408,-396.1 "/>
+<polygon fill="tomato" stroke="transparent" points="1901.5,-370.6 1901.5,-391.6 2400.5,-391.6 2400.5,-370.6 1901.5,-370.6"/>
+<polygon fill="none" stroke="black" points="1901.5,-370.6 1901.5,-391.6 2400.5,-391.6 2400.5,-370.6 1901.5,-370.6"/>
+<text text-anchor="start" x="2097.5" y="-378.4" font-family="Times,serif" font-style="italic" font-size="14.00">filter:FORWARD</text>
+<polygon fill="none" stroke="black" points="1901.5,-364.6 1901.5,-370.6 2400.5,-370.6 2400.5,-364.6 1901.5,-364.6"/>
+<polygon fill="none" stroke="black" points="1901.5,-343.6 1901.5,-364.6 2400.5,-364.6 2400.5,-343.6 1901.5,-343.6"/>
+<text text-anchor="start" x="1904.5" y="-350.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;kube&#45;proxy firewall rules&quot; &#45;j KUBE&#45;PROXY&#45;FIREWALL</text>
+<polygon fill="none" stroke="black" points="1901.5,-322.6 1901.5,-343.6 2400.5,-343.6 2400.5,-322.6 1901.5,-322.6"/>
+<text text-anchor="start" x="1920.5" y="-329.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;kubernetes forwarding rules&quot; &#45;j KUBE&#45;FORWARD</text>
+<polygon fill="none" stroke="black" points="1901.5,-301.6 1901.5,-322.6 2400.5,-322.6 2400.5,-301.6 1901.5,-301.6"/>
+<text text-anchor="start" x="1960" y="-308.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;flanneld forward&quot; &#45;j FLANNEL&#45;FWD</text>
+<polygon fill="lightgreen" stroke="transparent" points="1901.5,-280.6 1901.5,-301.6 2400.5,-301.6 2400.5,-280.6 1901.5,-280.6"/>
+<polygon fill="none" stroke="black" points="1901.5,-280.6 1901.5,-301.6 2400.5,-301.6 2400.5,-280.6 1901.5,-280.6"/>
+<text text-anchor="start" x="2119" y="-287.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
+</g>
+<!-- filter_FORWARD&#45;&gt;filter_KUBEPROXYFIREWALL -->
+<g id="edge7" class="edge">
+<title>filter_FORWARD:rule_0&#45;&gt;filter_KUBEPROXYFIREWALL:begin</title>
+<path fill="none" stroke="black" d="M2401.5,-354.6C2485.95,-354.6 2477.98,-429.94 2552,-470.6 2686.08,-544.23 2724.79,-588.58 2872.63,-590.53"/>
+<polygon fill="black" stroke="black" points="2872.98,-594.03 2883,-590.6 2873.02,-587.03 2872.98,-594.03"/>
+</g>
+<!-- filter_KUBEFORWARD -->
+<g id="node10" class="node">
+<title>filter_KUBEFORWARD</title>
+<polygon fill="none" stroke="black" points="3368,-360.6 2576,-360.6 2572,-356.6 2572,-262.6 3364,-262.6 3368,-266.6 3368,-360.6"/>
+<polyline fill="none" stroke="black" points="3364,-356.6 2572,-356.6 "/>
+<polyline fill="none" stroke="black" points="3364,-356.6 3364,-262.6 "/>
+<polyline fill="none" stroke="black" points="3364,-356.6 3368,-360.6 "/>
+<polygon fill="grey" stroke="transparent" points="2580,-335.6 2580,-356.6 3360,-356.6 3360,-335.6 2580,-335.6"/>
+<polygon fill="none" stroke="black" points="2580,-335.6 2580,-356.6 3360,-356.6 3360,-335.6 2580,-335.6"/>
+<text text-anchor="start" x="2878" y="-343.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">kubernetes forwarding rules</text>
+<polygon fill="none" stroke="black" points="2580,-329.6 2580,-335.6 3360,-335.6 3360,-329.6 2580,-329.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="2580,-308.6 2580,-329.6 3360,-329.6 3360,-308.6 2580,-308.6"/>
+<polygon fill="none" stroke="black" points="2580,-308.6 2580,-329.6 3360,-329.6 3360,-308.6 2580,-308.6"/>
+<text text-anchor="start" x="2767.5" y="-315.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;kubernetes forwarding rules&quot; &#45;j ACCEPT</text>
+<polygon fill="lightgreen" stroke="transparent" points="2580,-287.6 2580,-308.6 3360,-308.6 3360,-287.6 2580,-287.6"/>
+<polygon fill="none" stroke="black" points="2580,-287.6 2580,-308.6 3360,-308.6 3360,-287.6 2580,-287.6"/>
+<text text-anchor="start" x="2583" y="-294.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;kubernetes forwarding conntrack rule&quot; &#45;m conntrack &#45;&#45;ctstate RELATED,ESTABLISHED &#45;j ACCEPT</text>
+<polygon fill="none" stroke="black" points="2580,-266.6 2580,-287.6 3360,-287.6 3360,-266.6 2580,-266.6"/>
+<text text-anchor="start" x="2936.5" y="-273.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- filter_FORWARD&#45;&gt;filter_KUBEFORWARD -->
+<g id="edge8" class="edge">
+<title>filter_FORWARD:rule_1&#45;&gt;filter_KUBEFORWARD:begin</title>
+<path fill="none" stroke="black" d="M2401.5,-332.6C2476.85,-332.6 2498.22,-332.6 2568.72,-332.6"/>
+<polygon fill="black" stroke="black" points="2569,-336.1 2579,-332.6 2569,-329.1 2569,-336.1"/>
+</g>
+<!-- filter_FLANNELFWD -->
+<g id="node11" class="node">
+<title>filter_FLANNELFWD</title>
+<polygon fill="none" stroke="black" points="3196.5,-226.6 2747.5,-226.6 2743.5,-222.6 2743.5,-128.6 3192.5,-128.6 3196.5,-132.6 3196.5,-226.6"/>
+<polyline fill="none" stroke="black" points="3192.5,-222.6 2743.5,-222.6 "/>
+<polyline fill="none" stroke="black" points="3192.5,-222.6 3192.5,-128.6 "/>
+<polyline fill="none" stroke="black" points="3192.5,-222.6 3196.5,-226.6 "/>
+<polygon fill="grey" stroke="transparent" points="2752,-201.6 2752,-222.6 3189,-222.6 3189,-201.6 2752,-201.6"/>
+<polygon fill="none" stroke="black" points="2752,-201.6 2752,-222.6 3189,-222.6 3189,-201.6 2752,-201.6"/>
+<text text-anchor="start" x="2913" y="-209.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">flanneld forward</text>
+<polygon fill="none" stroke="black" points="2752,-195.6 2752,-201.6 3189,-201.6 3189,-195.6 2752,-195.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="2752,-174.6 2752,-195.6 3189,-195.6 3189,-174.6 2752,-174.6"/>
+<polygon fill="none" stroke="black" points="2752,-174.6 2752,-195.6 3189,-195.6 3189,-174.6 2752,-174.6"/>
+<text text-anchor="start" x="2756" y="-181.4" font-family="Times,serif" font-size="14.00">&#45;s 10.244.0.0/16 &#45;m comment &#45;&#45;comment &quot;flanneld forward&quot; &#45;j ACCEPT</text>
+<polygon fill="lightgreen" stroke="transparent" points="2752,-153.6 2752,-174.6 3189,-174.6 3189,-153.6 2752,-153.6"/>
+<polygon fill="none" stroke="black" points="2752,-153.6 2752,-174.6 3189,-174.6 3189,-153.6 2752,-153.6"/>
+<text text-anchor="start" x="2755" y="-160.4" font-family="Times,serif" font-size="14.00">&#45;d 10.244.0.0/16 &#45;m comment &#45;&#45;comment &quot;flanneld forward&quot; &#45;j ACCEPT</text>
+<polygon fill="none" stroke="black" points="2752,-132.6 2752,-153.6 3189,-153.6 3189,-132.6 2752,-132.6"/>
+<text text-anchor="start" x="2937" y="-139.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- filter_FORWARD&#45;&gt;filter_FLANNELFWD -->
+<g id="edge9" class="edge">
+<title>filter_FORWARD:rule_2&#45;&gt;filter_FLANNELFWD:begin</title>
+<path fill="none" stroke="black" d="M2401.5,-311.6C2474.72,-311.6 2482.57,-267.84 2552,-244.6 2634.8,-216.88 2658.44,-199.92 2740.92,-198.67"/>
+<polygon fill="black" stroke="black" points="2741.03,-202.17 2751,-198.6 2740.97,-195.17 2741.03,-202.17"/>
+</g>
+<!-- security_FORWARD -->
+<g id="node16" class="node">
+<title>security_FORWARD</title>
+<polygon fill="none" stroke="black" points="3676,-151.6 3536,-151.6 3532,-147.6 3532,-95.6 3672,-95.6 3676,-99.6 3676,-151.6"/>
+<polyline fill="none" stroke="black" points="3672,-147.6 3532,-147.6 "/>
+<polyline fill="none" stroke="black" points="3672,-147.6 3672,-95.6 "/>
+<polyline fill="none" stroke="black" points="3672,-147.6 3676,-151.6 "/>
+<polygon fill="tomato" stroke="transparent" points="3540,-126.6 3540,-147.6 3668,-147.6 3668,-126.6 3540,-126.6"/>
+<polygon fill="none" stroke="black" points="3540,-126.6 3540,-147.6 3668,-147.6 3668,-126.6 3540,-126.6"/>
+<text text-anchor="start" x="3543" y="-134.4" font-family="Times,serif" font-style="italic" font-size="14.00">security:FORWARD</text>
+<polygon fill="none" stroke="black" points="3540,-120.6 3540,-126.6 3668,-126.6 3668,-120.6 3540,-120.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="3540,-99.6 3540,-120.6 3668,-120.6 3668,-99.6 3540,-99.6"/>
+<polygon fill="none" stroke="black" points="3540,-99.6 3540,-120.6 3668,-120.6 3668,-99.6 3540,-99.6"/>
+<text text-anchor="start" x="3572" y="-106.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
+</g>
+<!-- filter_FORWARD&#45;&gt;security_FORWARD -->
+<g id="edge34" class="edge">
+<title>filter_FORWARD:end&#45;&gt;security_FORWARD:begin</title>
+<path fill="none" stroke="red" d="M2401.5,-290.6C2505.78,-290.6 2457.53,-154.75 2552,-110.6 2888.61,46.72 3016.79,-94.65 3388,-110.6 3451.75,-113.34 3469.78,-122.55 3528.75,-123.52"/>
+<polygon fill="red" stroke="red" points="3528.97,-127.02 3539,-123.6 3529.03,-120.02 3528.97,-127.02"/>
+</g>
+<!-- filter_KUBESOURCERANGESFIREWALL -->
+<g id="node13" class="node">
+<title>filter_KUBESOURCERANGESFIREWALL</title>
+<polygon fill="none" stroke="black" points="275,-1167.1 4,-1167.1 0,-1163.1 0,-1090.1 271,-1090.1 275,-1094.1 275,-1167.1"/>
+<polyline fill="none" stroke="black" points="271,-1163.1 0,-1163.1 "/>
+<polyline fill="none" stroke="black" points="271,-1163.1 271,-1090.1 "/>
+<polyline fill="none" stroke="black" points="271,-1163.1 275,-1167.1 "/>
+<polygon fill="grey" stroke="transparent" points="8.5,-1141.6 8.5,-1162.6 267.5,-1162.6 267.5,-1141.6 8.5,-1141.6"/>
+<polygon fill="none" stroke="black" points="8.5,-1141.6 8.5,-1162.6 267.5,-1162.6 267.5,-1141.6 8.5,-1141.6"/>
+<text text-anchor="start" x="11.5" y="-1149.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">filter:KUBESOURCERANGESFIREWALL</text>
+<polygon fill="none" stroke="black" points="8.5,-1135.6 8.5,-1141.6 267.5,-1141.6 267.5,-1135.6 8.5,-1135.6"/>
+<polygon fill="coral" stroke="transparent" points="8.5,-1114.6 8.5,-1135.6 267.5,-1135.6 267.5,-1114.6 8.5,-1114.6"/>
+<polygon fill="none" stroke="black" points="8.5,-1114.6 8.5,-1135.6 267.5,-1135.6 267.5,-1114.6 8.5,-1114.6"/>
+<text text-anchor="start" x="113.5" y="-1121.4" font-family="Times,serif" font-size="14.00">&#45;j DROP</text>
+<polygon fill="none" stroke="black" points="8.5,-1093.6 8.5,-1114.6 267.5,-1114.6 267.5,-1093.6 8.5,-1093.6"/>
+<text text-anchor="start" x="104.5" y="-1100.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- nat_INPUT -->
+<g id="node18" class="node">
+<title>nat_INPUT</title>
+<polygon fill="none" stroke="black" points="3648.5,-432.6 3563.5,-432.6 3559.5,-428.6 3559.5,-376.6 3644.5,-376.6 3648.5,-380.6 3648.5,-432.6"/>
+<polyline fill="none" stroke="black" points="3644.5,-428.6 3559.5,-428.6 "/>
+<polyline fill="none" stroke="black" points="3644.5,-428.6 3644.5,-376.6 "/>
+<polyline fill="none" stroke="black" points="3644.5,-428.6 3648.5,-432.6 "/>
+<polygon fill="lightblue" stroke="transparent" points="3568,-407.6 3568,-428.6 3641,-428.6 3641,-407.6 3568,-407.6"/>
+<polygon fill="none" stroke="black" points="3568,-407.6 3568,-428.6 3641,-428.6 3641,-407.6 3568,-407.6"/>
+<text text-anchor="start" x="3571" y="-415.4" font-family="Times,serif" font-style="italic" font-size="14.00">nat:INPUT</text>
+<polygon fill="none" stroke="black" points="3568,-401.6 3568,-407.6 3641,-407.6 3641,-401.6 3568,-401.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="3568,-380.6 3568,-401.6 3641,-401.6 3641,-380.6 3568,-380.6"/>
+<polygon fill="none" stroke="black" points="3568,-380.6 3568,-401.6 3641,-401.6 3641,-380.6 3568,-380.6"/>
+<text text-anchor="start" x="3572.5" y="-387.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
+</g>
+<!-- security_INPUT&#45;&gt;nat_INPUT -->
+<g id="edge31" class="edge">
+<title>security_INPUT:end&#45;&gt;nat_INPUT:begin</title>
+<path fill="none" stroke="red" d="M3022,-410.6C3260.81,-410.6 3323.01,-404.77 3556.82,-404.6"/>
+<polygon fill="red" stroke="red" points="3557,-408.1 3567,-404.6 3557,-401.1 3557,-408.1"/>
 </g>
-<!-- mangle_FORWARD -->
-<g id="node10" class="node"><title>mangle_FORWARD</title>
-<polygon fill="none" stroke="black" points="997,-178 910,-178 910,-107 997,-107 997,-178"/>
-<polygon fill="red" stroke="none" points="918.5,-152.5 918.5,-173.5 989.5,-173.5 989.5,-152.5 918.5,-152.5"/>
-<polygon fill="none" stroke="black" points="918.5,-152.5 918.5,-173.5 989.5,-173.5 989.5,-152.5 918.5,-152.5"/>
-<text text-anchor="start" x="921.5" y="-160.3" font-family="Times,serif" font-style="italic" font-size="14.00">FORWARD</text>
-<polygon fill="tomato" stroke="none" points="918.5,-131.5 918.5,-152.5 989.5,-152.5 989.5,-131.5 918.5,-131.5"/>
-<polygon fill="none" stroke="black" points="918.5,-131.5 918.5,-152.5 989.5,-152.5 989.5,-131.5 918.5,-131.5"/>
-<text text-anchor="start" x="934" y="-139.3" font-family="Times,serif" font-style="italic" font-size="14.00">mangle</text>
-<polygon fill="none" stroke="black" points="918.5,-110.5 918.5,-131.5 989.5,-131.5 989.5,-110.5 918.5,-110.5"/>
-<text text-anchor="start" x="944" y="-117.3" font-family="Times,serif" font-size="14.00">end</text>
+<!-- mangle_POSTROUTING -->
+<g id="node33" class="node">
+<title>mangle_POSTROUTING</title>
+<polygon fill="none" stroke="black" points="7861.19,-401.6 7699.19,-401.6 7695.19,-397.6 7695.19,-345.6 7857.19,-345.6 7861.19,-349.6 7861.19,-401.6"/>
+<polyline fill="none" stroke="black" points="7857.19,-397.6 7695.19,-397.6 "/>
+<polyline fill="none" stroke="black" points="7857.19,-397.6 7857.19,-345.6 "/>
+<polyline fill="none" stroke="black" points="7857.19,-397.6 7861.19,-401.6 "/>
+<polygon fill="tomato" stroke="transparent" points="7703.19,-376.6 7703.19,-397.6 7853.19,-397.6 7853.19,-376.6 7703.19,-376.6"/>
+<polygon fill="none" stroke="black" points="7703.19,-376.6 7703.19,-397.6 7853.19,-397.6 7853.19,-376.6 7703.19,-376.6"/>
+<text text-anchor="start" x="7706.19" y="-384.4" font-family="Times,serif" font-style="italic" font-size="14.00">mangle:POSTROUTING</text>
+<polygon fill="none" stroke="black" points="7703.19,-370.6 7703.19,-376.6 7853.19,-376.6 7853.19,-370.6 7703.19,-370.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="7703.19,-349.6 7703.19,-370.6 7853.19,-370.6 7853.19,-349.6 7703.19,-349.6"/>
+<polygon fill="none" stroke="black" points="7703.19,-349.6 7703.19,-370.6 7853.19,-370.6 7853.19,-349.6 7703.19,-349.6"/>
+<text text-anchor="start" x="7746.19" y="-356.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
+</g>
+<!-- security_OUTPUT&#45;&gt;mangle_POSTROUTING -->
+<g id="edge39" class="edge">
+<title>security_OUTPUT:end&#45;&gt;mangle_POSTROUTING:begin</title>
+<path fill="none" stroke="red" d="M7000.19,-586.6C7193.63,-586.6 7251.41,-616.95 7434.19,-553.6 7566.45,-507.75 7559.16,-380.04 7691.95,-373.83"/>
+<polygon fill="red" stroke="red" points="7692.27,-377.33 7702.19,-373.6 7692.11,-370.33 7692.27,-377.33"/>
+</g>
+<!-- security_FORWARD&#45;&gt;mangle_POSTROUTING -->
+<g id="edge40" class="edge">
+<title>security_FORWARD:end&#45;&gt;mangle_POSTROUTING:begin</title>
+<path fill="none" stroke="red" d="M3669,-109.6C3884.06,-109.6 3935.13,-160.6 4150.19,-160.6 4150.19,-160.6 4150.19,-160.6 5765.69,-160.6 6628.16,-160.6 6834.72,-371.94 7692.07,-373.59"/>
+<polygon fill="red" stroke="red" points="7692.18,-377.09 7702.19,-373.6 7692.19,-370.09 7692.18,-377.09"/>
 </g>
-<!-- mangle_FORWARD&#45;&gt;filter_FORWARD -->
-<g id="edge19" class="edge"><title>mangle_FORWARD:end&#45;&gt;filter_FORWARD:begin</title>
-<path fill="none" stroke="red" d="M990.5,-120.5C1162.36,-120.5 980.321,-467.805 1137.66,-482.05"/>
-<polygon fill="red" stroke="red" points="1137.86,-485.561 1148,-482.5 1138.16,-478.568 1137.86,-485.561"/>
+<!-- nat_PREROUTING -->
+<g id="node17" class="node">
+<title>nat_PREROUTING</title>
+<polygon fill="none" stroke="black" points="1467,-1015.6 1006,-1015.6 1002,-1011.6 1002,-917.6 1463,-917.6 1467,-921.6 1467,-1015.6"/>
+<polyline fill="none" stroke="black" points="1463,-1011.6 1002,-1011.6 "/>
+<polyline fill="none" stroke="black" points="1463,-1011.6 1463,-917.6 "/>
+<polyline fill="none" stroke="black" points="1463,-1011.6 1467,-1015.6 "/>
+<polygon fill="tomato" stroke="transparent" points="1010.5,-990.6 1010.5,-1011.6 1459.5,-1011.6 1459.5,-990.6 1010.5,-990.6"/>
+<polygon fill="none" stroke="black" points="1010.5,-990.6 1010.5,-1011.6 1459.5,-1011.6 1459.5,-990.6 1010.5,-990.6"/>
+<text text-anchor="start" x="1179" y="-998.4" font-family="Times,serif" font-style="italic" font-size="14.00">nat:PREROUTING</text>
+<polygon fill="none" stroke="black" points="1010.5,-984.6 1010.5,-990.6 1459.5,-990.6 1459.5,-984.6 1010.5,-984.6"/>
+<polygon fill="none" stroke="black" points="1010.5,-963.6 1010.5,-984.6 1459.5,-984.6 1459.5,-963.6 1010.5,-963.6"/>
+<text text-anchor="start" x="1013.5" y="-970.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;kubernetes service portals&quot; &#45;j KUBE&#45;SERVICES</text>
+<polygon fill="none" stroke="black" points="1010.5,-942.6 1010.5,-963.6 1459.5,-963.6 1459.5,-942.6 1010.5,-942.6"/>
+<text text-anchor="start" x="1123" y="-949.4" font-family="Times,serif" font-size="14.00">&#45;d 172.18.0.1/32 &#45;j DOCKER_OUTPUT</text>
+<polygon fill="lightgreen" stroke="transparent" points="1010.5,-921.6 1010.5,-942.6 1459.5,-942.6 1459.5,-921.6 1010.5,-921.6"/>
+<polygon fill="none" stroke="black" points="1010.5,-921.6 1010.5,-942.6 1459.5,-942.6 1459.5,-921.6 1010.5,-921.6"/>
+<text text-anchor="start" x="1203" y="-928.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
+</g>
+<!-- nat_KUBESERVICES -->
+<g id="node21" class="node">
+<title>nat_KUBESERVICES</title>
+<polygon fill="none" stroke="black" points="6304.19,-1098.6 5229.19,-1098.6 5225.19,-1094.6 5225.19,-916.6 6300.19,-916.6 6304.19,-920.6 6304.19,-1098.6"/>
+<polyline fill="none" stroke="black" points="6300.19,-1094.6 5225.19,-1094.6 "/>
+<polyline fill="none" stroke="black" points="6300.19,-1094.6 6300.19,-916.6 "/>
+<polyline fill="none" stroke="black" points="6300.19,-1094.6 6304.19,-1098.6 "/>
+<polygon fill="grey" stroke="transparent" points="5233.69,-1073.6 5233.69,-1094.6 6296.69,-1094.6 6296.69,-1073.6 5233.69,-1073.6"/>
+<polygon fill="none" stroke="black" points="5233.69,-1073.6 5233.69,-1094.6 6296.69,-1094.6 6296.69,-1073.6 5233.69,-1073.6"/>
+<text text-anchor="start" x="5681.19" y="-1081.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">kubernetes service portals</text>
+<polygon fill="none" stroke="black" points="5233.69,-1067.6 5233.69,-1073.6 6296.69,-1073.6 6296.69,-1067.6 5233.69,-1067.6"/>
+<polygon fill="moccasin" stroke="transparent" points="5233.69,-1046.6 5233.69,-1067.6 6296.69,-1067.6 6296.69,-1046.6 5233.69,-1046.6"/>
+<polygon fill="none" stroke="black" points="5233.69,-1046.6 5233.69,-1067.6 6296.69,-1067.6 6296.69,-1046.6 5233.69,-1046.6"/>
+<text text-anchor="start" x="5691.69" y="-1053.4" font-family="Times,serif" font-size="14.00">&#45;s 127.0.0.0/8 &#45;j RETURN</text>
+<polygon fill="none" stroke="black" points="5233.69,-1025.6 5233.69,-1046.6 6296.69,-1046.6 6296.69,-1025.6 5233.69,-1025.6"/>
+<text text-anchor="start" x="5351.19" y="-1032.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;Kubernetes service lb portal&quot; &#45;m set &#45;&#45;match&#45;set KUBE&#45;LOAD&#45;BALANCER dst,dst &#45;j KUBE&#45;LOAD&#45;BALANCER</text>
+<polygon fill="none" stroke="black" points="5233.69,-1004.6 5233.69,-1025.6 6296.69,-1025.6 6296.69,-1004.6 5233.69,-1004.6"/>
+<text text-anchor="start" x="5236.69" y="-1011.4" font-family="Times,serif" font-size="14.00">! &#45;s 10.244.0.0/16 &#45;m comment &#45;&#45;comment &quot;Kubernetes service cluster ip + port for masquerade purpose&quot; &#45;m set &#45;&#45;match&#45;set KUBE&#45;CLUSTER&#45;IP dst,dst &#45;j KUBE&#45;MARK&#45;MASQ</text>
+<polygon fill="none" stroke="black" points="5233.69,-983.6 5233.69,-1004.6 6296.69,-1004.6 6296.69,-983.6 5233.69,-983.6"/>
+<text text-anchor="start" x="5604.69" y="-990.4" font-family="Times,serif" font-size="14.00">&#45;m addrtype &#45;&#45;dst&#45;type LOCAL &#45;j KUBE&#45;NODE&#45;PORT</text>
+<polygon fill="lightgreen" stroke="transparent" points="5233.69,-962.6 5233.69,-983.6 6296.69,-983.6 6296.69,-962.6 5233.69,-962.6"/>
+<polygon fill="none" stroke="black" points="5233.69,-962.6 5233.69,-983.6 6296.69,-983.6 6296.69,-962.6 5233.69,-962.6"/>
+<text text-anchor="start" x="5592.19" y="-969.4" font-family="Times,serif" font-size="14.00">&#45;m set &#45;&#45;match&#45;set KUBE&#45;CLUSTER&#45;IP dst,dst &#45;j ACCEPT</text>
+<polygon fill="lightgreen" stroke="transparent" points="5233.69,-941.6 5233.69,-962.6 6296.69,-962.6 6296.69,-941.6 5233.69,-941.6"/>
+<polygon fill="none" stroke="black" points="5233.69,-941.6 5233.69,-962.6 6296.69,-962.6 6296.69,-941.6 5233.69,-941.6"/>
+<text text-anchor="start" x="5573.19" y="-948.4" font-family="Times,serif" font-size="14.00">&#45;m set &#45;&#45;match&#45;set KUBE&#45;LOAD&#45;BALANCER dst,dst &#45;j ACCEPT</text>
+<polygon fill="none" stroke="black" points="5233.69,-920.6 5233.69,-941.6 6296.69,-941.6 6296.69,-920.6 5233.69,-920.6"/>
+<text text-anchor="start" x="5731.69" y="-927.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- nat_PREROUTING&#45;&gt;nat_KUBESERVICES -->
+<g id="edge10" class="edge">
+<title>nat_PREROUTING:rule_0&#45;&gt;nat_KUBESERVICES:begin</title>
+<path fill="none" stroke="black" d="M1460.5,-974.6C1532.35,-974.6 1541.04,-1017.26 1611,-1033.6 1844.91,-1088.22 1909.3,-1079.6 2149.5,-1079.6 2149.5,-1079.6 2149.5,-1079.6 4410.69,-1079.6 4772.65,-1079.6 4865.62,-1070.76 5222.59,-1070.6"/>
+<polygon fill="black" stroke="black" points="5222.69,-1074.1 5232.69,-1070.6 5222.69,-1067.1 5222.69,-1074.1"/>
+</g>
+<!-- nat_DOCKEROUTPUT -->
+<g id="node22" class="node">
+<title>nat_DOCKEROUTPUT</title>
+<polygon fill="none" stroke="black" points="6023.19,-862.6 5510.19,-862.6 5506.19,-858.6 5506.19,-764.6 6019.19,-764.6 6023.19,-768.6 6023.19,-862.6"/>
+<polyline fill="none" stroke="black" points="6019.19,-858.6 5506.19,-858.6 "/>
+<polyline fill="none" stroke="black" points="6019.19,-858.6 6019.19,-764.6 "/>
+<polyline fill="none" stroke="black" points="6019.19,-858.6 6023.19,-862.6 "/>
+<polygon fill="grey" stroke="transparent" points="5514.69,-837.6 5514.69,-858.6 6015.69,-858.6 6015.69,-837.6 5514.69,-837.6"/>
+<polygon fill="none" stroke="black" points="5514.69,-837.6 5514.69,-858.6 6015.69,-858.6 6015.69,-837.6 5514.69,-837.6"/>
+<text text-anchor="start" x="5694.19" y="-845.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">nat:DOCKER_OUTPUT</text>
+<polygon fill="none" stroke="black" points="5514.69,-831.6 5514.69,-837.6 6015.69,-837.6 6015.69,-831.6 5514.69,-831.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="5514.69,-810.6 5514.69,-831.6 6015.69,-831.6 6015.69,-810.6 5514.69,-810.6"/>
+<polygon fill="none" stroke="black" points="5514.69,-810.6 5514.69,-831.6 6015.69,-831.6 6015.69,-810.6 5514.69,-810.6"/>
+<text text-anchor="start" x="5520.19" y="-817.4" font-family="Times,serif" font-size="14.00">&#45;d 172.18.0.1/32 &#45;p tcp &#45;m tcp &#45;&#45;dport 53 &#45;j DNAT &#45;&#45;to&#45;destination 127.0.0.11:33955</text>
+<polygon fill="lightgreen" stroke="transparent" points="5514.69,-789.6 5514.69,-810.6 6015.69,-810.6 6015.69,-789.6 5514.69,-789.6"/>
+<polygon fill="none" stroke="black" points="5514.69,-789.6 5514.69,-810.6 6015.69,-810.6 6015.69,-789.6 5514.69,-789.6"/>
+<text text-anchor="start" x="5517.69" y="-796.4" font-family="Times,serif" font-size="14.00">&#45;d 172.18.0.1/32 &#45;p udp &#45;m udp &#45;&#45;dport 53 &#45;j DNAT &#45;&#45;to&#45;destination 127.0.0.11:39855</text>
+<polygon fill="none" stroke="black" points="5514.69,-768.6 5514.69,-789.6 6015.69,-789.6 6015.69,-768.6 5514.69,-768.6"/>
+<text text-anchor="start" x="5731.69" y="-775.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- nat_PREROUTING&#45;&gt;nat_DOCKEROUTPUT -->
+<g id="edge11" class="edge">
+<title>nat_PREROUTING:rule_1&#45;&gt;nat_DOCKEROUTPUT:begin</title>
+<path fill="none" stroke="black" d="M1460.5,-952.6C1767.63,-952.6 1842.37,-1005.6 2149.5,-1005.6 2149.5,-1005.6 2149.5,-1005.6 4410.69,-1005.6 4903.38,-1005.6 5016.08,-836.93 5503.57,-834.62"/>
+<polygon fill="black" stroke="black" points="5503.7,-838.12 5513.69,-834.6 5503.68,-831.12 5503.7,-838.12"/>
 </g>
 <!-- mangle_INPUT -->
-<g id="node11" class="node"><title>mangle_INPUT</title>
-<polygon fill="none" stroke="black" points="984.5,-71 922.5,-71 922.5,-0 984.5,-0 984.5,-71"/>
-<polygon fill="red" stroke="none" points="930.5,-45.5 930.5,-66.5 976.5,-66.5 976.5,-45.5 930.5,-45.5"/>
-<polygon fill="none" stroke="black" points="930.5,-45.5 930.5,-66.5 976.5,-66.5 976.5,-45.5 930.5,-45.5"/>
-<text text-anchor="start" x="933.5" y="-53.3" font-family="Times,serif" font-style="italic" font-size="14.00">INPUT</text>
-<polygon fill="tomato" stroke="none" points="930.5,-24.5 930.5,-45.5 976.5,-45.5 976.5,-24.5 930.5,-24.5"/>
-<polygon fill="none" stroke="black" points="930.5,-24.5 930.5,-45.5 976.5,-45.5 976.5,-24.5 930.5,-24.5"/>
-<text text-anchor="start" x="933.5" y="-32.3" font-family="Times,serif" font-style="italic" font-size="14.00">mangle</text>
-<polygon fill="none" stroke="black" points="930.5,-3.5 930.5,-24.5 976.5,-24.5 976.5,-3.5 930.5,-3.5"/>
-<text text-anchor="start" x="943.5" y="-10.3" font-family="Times,serif" font-size="14.00">end</text>
+<g id="node30" class="node">
+<title>mangle_INPUT</title>
+<polygon fill="none" stroke="black" points="1736,-786.6 1628,-786.6 1624,-782.6 1624,-730.6 1732,-730.6 1736,-734.6 1736,-786.6"/>
+<polyline fill="none" stroke="black" points="1732,-782.6 1624,-782.6 "/>
+<polyline fill="none" stroke="black" points="1732,-782.6 1732,-730.6 "/>
+<polyline fill="none" stroke="black" points="1732,-782.6 1736,-786.6 "/>
+<polygon fill="tomato" stroke="transparent" points="1632,-761.6 1632,-782.6 1728,-782.6 1728,-761.6 1632,-761.6"/>
+<polygon fill="none" stroke="black" points="1632,-761.6 1632,-782.6 1728,-782.6 1728,-761.6 1632,-761.6"/>
+<text text-anchor="start" x="1635" y="-769.4" font-family="Times,serif" font-style="italic" font-size="14.00">mangle:INPUT</text>
+<polygon fill="none" stroke="black" points="1632,-755.6 1632,-761.6 1728,-761.6 1728,-755.6 1632,-755.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="1632,-734.6 1632,-755.6 1728,-755.6 1728,-734.6 1632,-734.6"/>
+<polygon fill="none" stroke="black" points="1632,-734.6 1632,-755.6 1728,-755.6 1728,-734.6 1632,-734.6"/>
+<text text-anchor="start" x="1648" y="-741.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
 </g>
-<!-- mangle_INPUT&#45;&gt;filter_INPUT -->
-<g id="edge11" class="edge"><title>mangle_INPUT:end&#45;&gt;filter_INPUT:begin</title>
-<path fill="none" stroke="red" d="M977.5,-13.5C1134.59,-13.5 1170.92,-74.7795 1322.82,-77.4126"/>
-<polygon fill="red" stroke="red" points="1322.97,-80.9139 1333,-77.5 1323.03,-73.9142 1322.97,-80.9139"/>
+<!-- nat_PREROUTING&#45;&gt;mangle_INPUT -->
+<g id="edge28" class="edge">
+<title>nat_PREROUTING:end&#45;&gt;mangle_INPUT:begin</title>
+<path fill="none" stroke="red" d="M1460.5,-931.6C1564.87,-931.6 1525.89,-769.9 1620.74,-759.16"/>
+<polygon fill="red" stroke="red" points="1621.21,-762.64 1631,-758.6 1620.82,-755.65 1621.21,-762.64"/>
 </g>
-<!-- nat_POSTROUTING -->
-<g id="node19" class="node"><title>nat_POSTROUTING</title>
-<polygon fill="none" stroke="black" points="3907,-200.5 3614,-200.5 3614,-108.5 3907,-108.5 3907,-200.5"/>
-<polygon fill="red" stroke="none" points="3622.5,-175.5 3622.5,-196.5 3899.5,-196.5 3899.5,-175.5 3622.5,-175.5"/>
-<polygon fill="none" stroke="black" points="3622.5,-175.5 3622.5,-196.5 3899.5,-196.5 3899.5,-175.5 3622.5,-175.5"/>
-<text text-anchor="start" x="3715.5" y="-183.3" font-family="Times,serif" font-style="italic" font-size="14.00">POSTROUTING</text>
-<polygon fill="tomato" stroke="none" points="3622.5,-154.5 3622.5,-175.5 3899.5,-175.5 3899.5,-154.5 3622.5,-154.5"/>
-<polygon fill="none" stroke="black" points="3622.5,-154.5 3622.5,-175.5 3899.5,-175.5 3899.5,-154.5 3622.5,-154.5"/>
-<text text-anchor="start" x="3752" y="-162.3" font-family="Times,serif" font-style="italic" font-size="14.00">nat</text>
-<polygon fill="none" stroke="black" points="3622.5,-133.5 3622.5,-154.5 3899.5,-154.5 3899.5,-133.5 3622.5,-133.5"/>
-<text text-anchor="start" x="3625.5" y="-140.3" font-family="Times,serif" font-size="14.00">&#45;s 172.18.0.0/24 ! &#45;o docker0 &#45;j MASQUERADE</text>
-<polygon fill="none" stroke="black" points="3622.5,-112.5 3622.5,-133.5 3899.5,-133.5 3899.5,-112.5 3622.5,-112.5"/>
-<text text-anchor="start" x="3751" y="-119.3" font-family="Times,serif" font-size="14.00">end</text>
+<!-- mangle_FORWARD -->
+<g id="node32" class="node">
+<title>mangle_FORWARD</title>
+<polygon fill="none" stroke="black" points="1749,-612.6 1615,-612.6 1611,-608.6 1611,-556.6 1745,-556.6 1749,-560.6 1749,-612.6"/>
+<polyline fill="none" stroke="black" points="1745,-608.6 1611,-608.6 "/>
+<polyline fill="none" stroke="black" points="1745,-608.6 1745,-556.6 "/>
+<polyline fill="none" stroke="black" points="1745,-608.6 1749,-612.6 "/>
+<polygon fill="tomato" stroke="transparent" points="1619,-587.6 1619,-608.6 1741,-608.6 1741,-587.6 1619,-587.6"/>
+<polygon fill="none" stroke="black" points="1619,-587.6 1619,-608.6 1741,-608.6 1741,-587.6 1619,-587.6"/>
+<text text-anchor="start" x="1622" y="-595.4" font-family="Times,serif" font-style="italic" font-size="14.00">mangle:FORWARD</text>
+<polygon fill="none" stroke="black" points="1619,-581.6 1619,-587.6 1741,-587.6 1741,-581.6 1619,-581.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="1619,-560.6 1619,-581.6 1741,-581.6 1741,-560.6 1619,-560.6"/>
+<polygon fill="none" stroke="black" points="1619,-560.6 1619,-581.6 1741,-581.6 1741,-560.6 1619,-560.6"/>
+<text text-anchor="start" x="1648" y="-567.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
 </g>
-<!-- mangle_POSTROUTING&#45;&gt;nat_POSTROUTING -->
-<g id="edge17" class="edge"><title>mangle_POSTROUTING:end&#45;&gt;nat_POSTROUTING:begin</title>
-<path fill="none" stroke="red" d="M3463.5,-165.5C3530.16,-165.5 3549.36,-165.5 3611.2,-165.5"/>
-<polygon fill="red" stroke="red" points="3611.5,-169 3621.5,-165.5 3611.5,-162 3611.5,-169"/>
+<!-- nat_PREROUTING&#45;&gt;mangle_FORWARD -->
+<g id="edge32" class="edge">
+<title>nat_PREROUTING:end&#45;&gt;mangle_FORWARD:begin</title>
+<path fill="none" stroke="red" d="M1460.5,-931.6C1626.23,-931.6 1456.26,-599.35 1607.56,-585.07"/>
+<polygon fill="red" stroke="red" points="1608.17,-588.55 1618,-584.6 1607.85,-581.55 1608.17,-588.55"/>
+</g>
+<!-- APPLICATION -->
+<g id="node36" class="node">
+<title>APPLICATION</title>
+<ellipse fill="black" stroke="black" cx="3887.59" cy="-384.6" rx="67.69" ry="67.69"/>
+<text text-anchor="middle" x="3887.59" y="-380.9" font-family="Times,serif" font-size="14.00" fill="white">APPLICATION</text>
+</g>
+<!-- nat_INPUT&#45;&gt;APPLICATION -->
+<g id="edge23" class="edge">
+<title>nat_INPUT:end&#45;&gt;APPLICATION</title>
+<path fill="none" stroke="blue" d="M3642,-390.6C3698.21,-390.6 3761.67,-388.99 3809.86,-387.45"/>
+<polygon fill="blue" stroke="blue" points="3810.02,-390.94 3819.9,-387.12 3809.8,-383.95 3810.02,-390.94"/>
 </g>
-<!-- nat_PREROUTING -->
-<g id="node18" class="node"><title>nat_PREROUTING</title>
-<polygon fill="none" stroke="black" points="766,-219.5 500,-219.5 500,-127.5 766,-127.5 766,-219.5"/>
-<polygon fill="red" stroke="none" points="508,-194.5 508,-215.5 758,-215.5 758,-194.5 508,-194.5"/>
-<polygon fill="none" stroke="black" points="508,-194.5 508,-215.5 758,-215.5 758,-194.5 508,-194.5"/>
-<text text-anchor="start" x="591" y="-202.3" font-family="Times,serif" font-style="italic" font-size="14.00">PREROUTING</text>
-<polygon fill="tomato" stroke="none" points="508,-173.5 508,-194.5 758,-194.5 758,-173.5 508,-173.5"/>
-<polygon fill="none" stroke="black" points="508,-173.5 508,-194.5 758,-194.5 758,-173.5 508,-173.5"/>
-<text text-anchor="start" x="624" y="-181.3" font-family="Times,serif" font-style="italic" font-size="14.00">nat</text>
-<polygon fill="none" stroke="black" points="508,-152.5 508,-173.5 758,-173.5 758,-152.5 508,-152.5"/>
-<text text-anchor="start" x="511" y="-159.3" font-family="Times,serif" font-size="14.00">&#45;m addrtype &#45;&#45;dst&#45;type LOCAL &#45;j DOCKER</text>
-<polygon fill="none" stroke="black" points="508,-131.5 508,-152.5 758,-152.5 758,-131.5 508,-131.5"/>
-<text text-anchor="start" x="623" y="-138.3" font-family="Times,serif" font-size="14.00">end</text>
+<!-- nat_OUTPUT -->
+<g id="node19" class="node">
+<title>nat_OUTPUT</title>
+<polygon fill="none" stroke="black" points="5081.19,-823.6 4620.19,-823.6 4616.19,-819.6 4616.19,-725.6 5077.19,-725.6 5081.19,-729.6 5081.19,-823.6"/>
+<polyline fill="none" stroke="black" points="5077.19,-819.6 4616.19,-819.6 "/>
+<polyline fill="none" stroke="black" points="5077.19,-819.6 5077.19,-725.6 "/>
+<polyline fill="none" stroke="black" points="5077.19,-819.6 5081.19,-823.6 "/>
+<polygon fill="tomato" stroke="transparent" points="4624.69,-798.6 4624.69,-819.6 5073.69,-819.6 5073.69,-798.6 4624.69,-798.6"/>
+<polygon fill="none" stroke="black" points="4624.69,-798.6 4624.69,-819.6 5073.69,-819.6 5073.69,-798.6 4624.69,-798.6"/>
+<text text-anchor="start" x="4809.19" y="-806.4" font-family="Times,serif" font-style="italic" font-size="14.00">nat:OUTPUT</text>
+<polygon fill="none" stroke="black" points="4624.69,-792.6 4624.69,-798.6 5073.69,-798.6 5073.69,-792.6 4624.69,-792.6"/>
+<polygon fill="none" stroke="black" points="4624.69,-771.6 4624.69,-792.6 5073.69,-792.6 5073.69,-771.6 4624.69,-771.6"/>
+<text text-anchor="start" x="4627.69" y="-778.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;kubernetes service portals&quot; &#45;j KUBE&#45;SERVICES</text>
+<polygon fill="none" stroke="black" points="4624.69,-750.6 4624.69,-771.6 5073.69,-771.6 5073.69,-750.6 4624.69,-750.6"/>
+<text text-anchor="start" x="4737.19" y="-757.4" font-family="Times,serif" font-size="14.00">&#45;d 172.18.0.1/32 &#45;j DOCKER_OUTPUT</text>
+<polygon fill="lightgreen" stroke="transparent" points="4624.69,-729.6 4624.69,-750.6 5073.69,-750.6 5073.69,-729.6 4624.69,-729.6"/>
+<polygon fill="none" stroke="black" points="4624.69,-729.6 4624.69,-750.6 5073.69,-750.6 5073.69,-729.6 4624.69,-729.6"/>
+<text text-anchor="start" x="4817.19" y="-736.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
+</g>
+<!-- nat_OUTPUT&#45;&gt;filter_OUTPUT -->
+<g id="edge37" class="edge">
+<title>nat_OUTPUT:end&#45;&gt;filter_OUTPUT:begin</title>
+<path fill="none" stroke="red" d="M5074.69,-739.6C5267.35,-739.6 5312.03,-668.18 5499.49,-665.67"/>
+<polygon fill="red" stroke="red" points="5499.71,-669.16 5509.69,-665.6 5499.66,-662.16 5499.71,-669.16"/>
+</g>
+<!-- nat_OUTPUT&#45;&gt;nat_KUBESERVICES -->
+<g id="edge12" class="edge">
+<title>nat_OUTPUT:rule_0&#45;&gt;nat_KUBESERVICES:begin</title>
+<path fill="none" stroke="black" d="M5074.69,-782.6C5217.12,-782.6 5093.07,-1056.71 5222.49,-1070.09"/>
+<polygon fill="black" stroke="black" points="5222.53,-1073.6 5232.69,-1070.6 5222.87,-1066.61 5222.53,-1073.6"/>
+</g>
+<!-- nat_OUTPUT&#45;&gt;nat_DOCKEROUTPUT -->
+<g id="edge13" class="edge">
+<title>nat_OUTPUT:rule_1&#45;&gt;nat_DOCKEROUTPUT:begin</title>
+<path fill="none" stroke="black" d="M5074.69,-760.6C5269.17,-760.6 5314.3,-832.09 5503.68,-834.53"/>
+<polygon fill="black" stroke="black" points="5503.67,-838.03 5513.69,-834.6 5503.71,-831.03 5503.67,-838.03"/>
+</g>
+<!-- nat_POSTROUTING -->
+<g id="node20" class="node">
+<title>nat_POSTROUTING</title>
+<polygon fill="none" stroke="black" points="8635.19,-388.1 8126.19,-388.1 8122.19,-384.1 8122.19,-269.1 8631.19,-269.1 8635.19,-273.1 8635.19,-388.1"/>
+<polyline fill="none" stroke="black" points="8631.19,-384.1 8122.19,-384.1 "/>
+<polyline fill="none" stroke="black" points="8631.19,-384.1 8631.19,-269.1 "/>
+<polyline fill="none" stroke="black" points="8631.19,-384.1 8635.19,-388.1 "/>
+<polygon fill="lightblue" stroke="transparent" points="8130.69,-362.6 8130.69,-383.6 8627.69,-383.6 8627.69,-362.6 8130.69,-362.6"/>
+<polygon fill="none" stroke="black" points="8130.69,-362.6 8130.69,-383.6 8627.69,-383.6 8627.69,-362.6 8130.69,-362.6"/>
+<text text-anchor="start" x="8318.69" y="-370.4" font-family="Times,serif" font-style="italic" font-size="14.00">nat:POSTROUTING</text>
+<polygon fill="none" stroke="black" points="8130.69,-356.6 8130.69,-362.6 8627.69,-362.6 8627.69,-356.6 8130.69,-356.6"/>
+<polygon fill="none" stroke="black" points="8130.69,-335.6 8130.69,-356.6 8627.69,-356.6 8627.69,-335.6 8130.69,-335.6"/>
+<text text-anchor="start" x="8133.69" y="-342.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;kubernetes postrouting rules&quot; &#45;j KUBE&#45;POSTROUTING</text>
+<polygon fill="none" stroke="black" points="8130.69,-314.6 8130.69,-335.6 8627.69,-335.6 8627.69,-314.6 8130.69,-314.6"/>
+<text text-anchor="start" x="8246.69" y="-321.4" font-family="Times,serif" font-size="14.00">&#45;d 172.18.0.1/32 &#45;j DOCKER_POSTROUTING</text>
+<polygon fill="none" stroke="black" points="8130.69,-293.6 8130.69,-314.6 8627.69,-314.6 8627.69,-293.6 8130.69,-293.6"/>
+<text text-anchor="start" x="8185.19" y="-300.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;flanneld masq&quot; &#45;j FLANNEL&#45;POSTRTG</text>
+<polygon fill="lightgreen" stroke="transparent" points="8130.69,-272.6 8130.69,-293.6 8627.69,-293.6 8627.69,-272.6 8130.69,-272.6"/>
+<polygon fill="none" stroke="black" points="8130.69,-272.6 8130.69,-293.6 8627.69,-293.6 8627.69,-272.6 8130.69,-272.6"/>
+<text text-anchor="start" x="8347.19" y="-279.4" font-family="Times,serif" font-size="14.00">&#45;j ACCEPT</text>
+</g>
+<!-- nat_KUBEPOSTROUTING -->
+<g id="node23" class="node">
+<title>nat_KUBEPOSTROUTING</title>
+<polygon fill="none" stroke="black" points="9807.19,-585.6 8783.19,-585.6 8779.19,-581.6 8779.19,-445.6 9803.19,-445.6 9807.19,-449.6 9807.19,-585.6"/>
+<polyline fill="none" stroke="black" points="9803.19,-581.6 8779.19,-581.6 "/>
+<polyline fill="none" stroke="black" points="9803.19,-581.6 9803.19,-445.6 "/>
+<polyline fill="none" stroke="black" points="9803.19,-581.6 9807.19,-585.6 "/>
+<polygon fill="grey" stroke="transparent" points="8787.19,-560.6 8787.19,-581.6 9799.19,-581.6 9799.19,-560.6 8787.19,-560.6"/>
+<polygon fill="none" stroke="black" points="8787.19,-560.6 8787.19,-581.6 9799.19,-581.6 9799.19,-560.6 8787.19,-560.6"/>
+<text text-anchor="start" x="9200.19" y="-568.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">kubernetes postrouting rules</text>
+<polygon fill="none" stroke="black" points="8787.19,-554.6 8787.19,-560.6 9799.19,-560.6 9799.19,-554.6 8787.19,-554.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="8787.19,-533.6 8787.19,-554.6 9799.19,-554.6 9799.19,-533.6 8787.19,-533.6"/>
+<polygon fill="none" stroke="black" points="8787.19,-533.6 8787.19,-554.6 9799.19,-554.6 9799.19,-533.6 8787.19,-533.6"/>
+<text text-anchor="start" x="8790.19" y="-540.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;Kubernetes endpoints dst ip:port, source ip for solving hairpin purpose&quot; &#45;m set &#45;&#45;match&#45;set KUBE&#45;LOOP&#45;BACK dst,dst,src &#45;j MASQUERADE</text>
+<polygon fill="moccasin" stroke="transparent" points="8787.19,-512.6 8787.19,-533.6 9799.19,-533.6 9799.19,-512.6 8787.19,-512.6"/>
+<polygon fill="none" stroke="black" points="8787.19,-512.6 8787.19,-533.6 9799.19,-533.6 9799.19,-512.6 8787.19,-512.6"/>
+<text text-anchor="start" x="9259.69" y="-519.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+<polygon fill="none" stroke="black" points="8787.19,-491.6 8787.19,-512.6 9799.19,-512.6 9799.19,-491.6 8787.19,-491.6"/>
+<text text-anchor="start" x="9193.69" y="-498.4" font-family="Times,serif" font-size="14.00">&#45;j MARK &#45;&#45;set&#45;xmark 0x4000/0x0</text>
+<polygon fill="lightgreen" stroke="transparent" points="8787.19,-470.6 8787.19,-491.6 9799.19,-491.6 9799.19,-470.6 8787.19,-470.6"/>
+<polygon fill="none" stroke="black" points="8787.19,-470.6 8787.19,-491.6 9799.19,-491.6 9799.19,-470.6 8787.19,-470.6"/>
+<text text-anchor="start" x="8978.69" y="-477.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;kubernetes service traffic requiring SNAT&quot; &#45;j MASQUERADE &#45;&#45;random&#45;fully</text>
+<polygon fill="none" stroke="black" points="8787.19,-449.6 8787.19,-470.6 9799.19,-470.6 9799.19,-449.6 8787.19,-449.6"/>
+<text text-anchor="start" x="9259.69" y="-456.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- nat_POSTROUTING&#45;&gt;nat_KUBEPOSTROUTING -->
+<g id="edge14" class="edge">
+<title>nat_POSTROUTING:rule_0&#45;&gt;nat_KUBEPOSTROUTING:begin</title>
+<path fill="none" stroke="black" d="M8628.69,-346.6C8742.17,-346.6 8673.62,-545.02 8776.08,-557.03"/>
+<polygon fill="black" stroke="black" points="8776.01,-560.53 8786.19,-557.6 8776.4,-553.54 8776.01,-560.53"/>
+</g>
+<!-- nat_DOCKERPOSTROUTING -->
+<g id="node24" class="node">
+<title>nat_DOCKERPOSTROUTING</title>
+<polygon fill="none" stroke="black" points="9470.19,-409.6 9120.19,-409.6 9116.19,-405.6 9116.19,-311.6 9466.19,-311.6 9470.19,-315.6 9470.19,-409.6"/>
+<polyline fill="none" stroke="black" points="9466.19,-405.6 9116.19,-405.6 "/>
+<polyline fill="none" stroke="black" points="9466.19,-405.6 9466.19,-311.6 "/>
+<polyline fill="none" stroke="black" points="9466.19,-405.6 9470.19,-409.6 "/>
+<polygon fill="grey" stroke="transparent" points="9124.19,-384.6 9124.19,-405.6 9462.19,-405.6 9462.19,-384.6 9124.19,-384.6"/>
+<polygon fill="none" stroke="black" points="9124.19,-384.6 9124.19,-405.6 9462.19,-405.6 9462.19,-384.6 9124.19,-384.6"/>
+<text text-anchor="start" x="9201.69" y="-392.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">nat:DOCKER_POSTROUTING</text>
+<polygon fill="none" stroke="black" points="9124.19,-378.6 9124.19,-384.6 9462.19,-384.6 9462.19,-378.6 9124.19,-378.6"/>
+<polygon fill="lightgreen" stroke="transparent" points="9124.19,-357.6 9124.19,-378.6 9462.19,-378.6 9462.19,-357.6 9124.19,-357.6"/>
+<polygon fill="none" stroke="black" points="9124.19,-357.6 9124.19,-378.6 9462.19,-378.6 9462.19,-357.6 9124.19,-357.6"/>
+<text text-anchor="start" x="9128.19" y="-364.4" font-family="Times,serif" font-size="14.00">&#45;s 127.0.0.11/32 &#45;p tcp &#45;j SNAT &#45;&#45;to&#45;source 172.18.0.1:53</text>
+<polygon fill="lightgreen" stroke="transparent" points="9124.19,-336.6 9124.19,-357.6 9462.19,-357.6 9462.19,-336.6 9124.19,-336.6"/>
+<polygon fill="none" stroke="black" points="9124.19,-336.6 9124.19,-357.6 9462.19,-357.6 9462.19,-336.6 9124.19,-336.6"/>
+<text text-anchor="start" x="9127.19" y="-343.4" font-family="Times,serif" font-size="14.00">&#45;s 127.0.0.11/32 &#45;p udp &#45;j SNAT &#45;&#45;to&#45;source 172.18.0.1:53</text>
+<polygon fill="none" stroke="black" points="9124.19,-315.6 9124.19,-336.6 9462.19,-336.6 9462.19,-315.6 9124.19,-315.6"/>
+<text text-anchor="start" x="9259.69" y="-322.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- nat_POSTROUTING&#45;&gt;nat_DOCKERPOSTROUTING -->
+<g id="edge15" class="edge">
+<title>nat_POSTROUTING:rule_1&#45;&gt;nat_DOCKERPOSTROUTING:begin</title>
+<path fill="none" stroke="black" d="M8628.69,-324.6C8846.46,-324.6 8900.29,-379.83 9112.94,-381.56"/>
+<polygon fill="black" stroke="black" points="9113.17,-385.06 9123.19,-381.6 9113.2,-378.06 9113.17,-385.06"/>
+</g>
+<!-- nat_FLANNELPOSTRTG -->
+<g id="node25" class="node">
+<title>nat_FLANNELPOSTRTG</title>
+<polygon fill="none" stroke="black" points="9630.19,-275.6 8960.19,-275.6 8956.19,-271.6 8956.19,-93.6 9626.19,-93.6 9630.19,-97.6 9630.19,-275.6"/>
+<polyline fill="none" stroke="black" points="9626.19,-271.6 8956.19,-271.6 "/>
+<polyline fill="none" stroke="black" points="9626.19,-271.6 9626.19,-93.6 "/>
+<polyline fill="none" stroke="black" points="9626.19,-271.6 9630.19,-275.6 "/>
+<polygon fill="grey" stroke="transparent" points="8964.19,-250.6 8964.19,-271.6 9622.19,-271.6 9622.19,-250.6 8964.19,-250.6"/>
+<polygon fill="none" stroke="black" points="8964.19,-250.6 8964.19,-271.6 9622.19,-271.6 9622.19,-250.6 8964.19,-250.6"/>
+<text text-anchor="start" x="9247.69" y="-258.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">flanneld masq</text>
+<polygon fill="none" stroke="black" points="8964.19,-244.6 8964.19,-250.6 9622.19,-250.6 9622.19,-244.6 8964.19,-244.6"/>
+<polygon fill="moccasin" stroke="transparent" points="8964.19,-223.6 8964.19,-244.6 9622.19,-244.6 9622.19,-223.6 8964.19,-223.6"/>
+<polygon fill="none" stroke="black" points="8964.19,-223.6 8964.19,-244.6 9622.19,-244.6 9622.19,-223.6 8964.19,-223.6"/>
+<text text-anchor="start" x="9135.19" y="-230.4" font-family="Times,serif" font-size="14.00">&#45;m comment &#45;&#45;comment &quot;flanneld masq&quot; &#45;j RETURN</text>
+<polygon fill="moccasin" stroke="transparent" points="8964.19,-202.6 8964.19,-223.6 9622.19,-223.6 9622.19,-202.6 8964.19,-202.6"/>
+<polygon fill="none" stroke="black" points="8964.19,-202.6 8964.19,-223.6 9622.19,-223.6 9622.19,-202.6 8964.19,-202.6"/>
+<text text-anchor="start" x="9041.19" y="-209.4" font-family="Times,serif" font-size="14.00">&#45;s 10.244.0.0/24 &#45;d 10.244.0.0/16 &#45;m comment &#45;&#45;comment &quot;flanneld masq&quot; &#45;j RETURN</text>
+<polygon fill="moccasin" stroke="transparent" points="8964.19,-181.6 8964.19,-202.6 9622.19,-202.6 9622.19,-181.6 8964.19,-181.6"/>
+<polygon fill="none" stroke="black" points="8964.19,-181.6 8964.19,-202.6 9622.19,-202.6 9622.19,-181.6 8964.19,-181.6"/>
+<text text-anchor="start" x="9041.19" y="-188.4" font-family="Times,serif" font-size="14.00">&#45;s 10.244.0.0/16 &#45;d 10.244.0.0/24 &#45;m comment &#45;&#45;comment &quot;flanneld masq&quot; &#45;j RETURN</text>
+<polygon fill="moccasin" stroke="transparent" points="8964.19,-160.6 8964.19,-181.6 9622.19,-181.6 9622.19,-160.6 8964.19,-160.6"/>
+<polygon fill="none" stroke="black" points="8964.19,-160.6 8964.19,-181.6 9622.19,-181.6 9622.19,-160.6 8964.19,-160.6"/>
+<text text-anchor="start" x="9037.19" y="-167.4" font-family="Times,serif" font-size="14.00">! &#45;s 10.244.0.0/16 &#45;d 10.244.0.0/24 &#45;m comment &#45;&#45;comment &quot;flanneld masq&quot; &#45;j RETURN</text>
+<polygon fill="lightgreen" stroke="transparent" points="8964.19,-139.6 8964.19,-160.6 9622.19,-160.6 9622.19,-139.6 8964.19,-139.6"/>
+<polygon fill="none" stroke="black" points="8964.19,-139.6 8964.19,-160.6 9622.19,-160.6 9622.19,-139.6 8964.19,-139.6"/>
+<text text-anchor="start" x="8974.19" y="-146.4" font-family="Times,serif" font-size="14.00">&#45;s 10.244.0.0/16 ! &#45;d 224.0.0.0/4 &#45;m comment &#45;&#45;comment &quot;flanneld masq&quot; &#45;j MASQUERADE &#45;&#45;random&#45;fully</text>
+<polygon fill="lightgreen" stroke="transparent" points="8964.19,-118.6 8964.19,-139.6 9622.19,-139.6 9622.19,-118.6 8964.19,-118.6"/>
+<polygon fill="none" stroke="black" points="8964.19,-118.6 8964.19,-139.6 9622.19,-139.6 9622.19,-118.6 8964.19,-118.6"/>
+<text text-anchor="start" x="8967.19" y="-125.4" font-family="Times,serif" font-size="14.00">! &#45;s 10.244.0.0/16 &#45;d 10.244.0.0/16 &#45;m comment &#45;&#45;comment &quot;flanneld masq&quot; &#45;j MASQUERADE &#45;&#45;random&#45;fully</text>
+<polygon fill="none" stroke="black" points="8964.19,-97.6 8964.19,-118.6 9622.19,-118.6 9622.19,-97.6 8964.19,-97.6"/>
+<text text-anchor="start" x="9259.69" y="-104.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- nat_POSTROUTING&#45;&gt;nat_FLANNELPOSTRTG -->
+<g id="edge16" class="edge">
+<title>nat_POSTROUTING:rule_2&#45;&gt;nat_FLANNELPOSTRTG:begin</title>
+<path fill="none" stroke="black" d="M8628.69,-303.6C8775.89,-303.6 8810.84,-250.19 8952.78,-247.69"/>
+<polygon fill="black" stroke="black" points="8953.22,-251.18 8963.19,-247.6 8953.16,-244.18 8953.22,-251.18"/>
+</g>
+<!-- END -->
+<g id="node35" class="node">
+<title>END</title>
+<ellipse fill="black" stroke="black" cx="9293.19" cy="-28.6" rx="28.7" ry="28.7"/>
+<text text-anchor="middle" x="9293.19" y="-24.9" font-family="Times,serif" font-size="14.00" fill="white">END</text>
+</g>
+<!-- nat_POSTROUTING&#45;&gt;END -->
+<g id="edge25" class="edge">
+<title>nat_POSTROUTING:end&#45;&gt;END</title>
+<path fill="none" stroke="blue" d="M8628.69,-282.6C8742.43,-282.6 8680.29,-131.79 8779.19,-75.6 8936.63,13.87 9165.95,-8.79 9254.95,-22.17"/>
+<polygon fill="blue" stroke="blue" points="9254.43,-25.63 9264.84,-23.71 9255.5,-18.71 9254.43,-25.63"/>
+</g>
+<!-- nat_KUBELOADBALANCER -->
+<g id="node26" class="node">
+<title>nat_KUBELOADBALANCER</title>
+<polygon fill="none" stroke="black" points="7043.19,-1148.1 6843.19,-1148.1 6839.19,-1144.1 6839.19,-1071.1 7039.19,-1071.1 7043.19,-1075.1 7043.19,-1148.1"/>
+<polyline fill="none" stroke="black" points="7039.19,-1144.1 6839.19,-1144.1 "/>
+<polyline fill="none" stroke="black" points="7039.19,-1144.1 7039.19,-1071.1 "/>
+<polyline fill="none" stroke="black" points="7039.19,-1144.1 7043.19,-1148.1 "/>
+<polygon fill="grey" stroke="transparent" points="6847.19,-1122.6 6847.19,-1143.6 7035.19,-1143.6 7035.19,-1122.6 6847.19,-1122.6"/>
+<polygon fill="none" stroke="black" points="6847.19,-1122.6 6847.19,-1143.6 7035.19,-1143.6 7035.19,-1122.6 6847.19,-1122.6"/>
+<text text-anchor="start" x="6850.19" y="-1130.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">Kubernetes service lb portal</text>
+<polygon fill="none" stroke="black" points="6847.19,-1116.6 6847.19,-1122.6 7035.19,-1122.6 7035.19,-1116.6 6847.19,-1116.6"/>
+<polygon fill="none" stroke="black" points="6847.19,-1095.6 6847.19,-1116.6 7035.19,-1116.6 7035.19,-1095.6 6847.19,-1095.6"/>
+<text text-anchor="start" x="6871.19" y="-1102.4" font-family="Times,serif" font-size="14.00">&#45;j KUBE&#45;MARK&#45;MASQ</text>
+<polygon fill="none" stroke="black" points="6847.19,-1074.6 6847.19,-1095.6 7035.19,-1095.6 7035.19,-1074.6 6847.19,-1074.6"/>
+<text text-anchor="start" x="6907.69" y="-1081.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- nat_KUBESERVICES&#45;&gt;nat_KUBELOADBALANCER -->
+<g id="edge17" class="edge">
+<title>nat_KUBESERVICES:rule_1&#45;&gt;nat_KUBELOADBALANCER:begin</title>
+<path fill="none" stroke="black" d="M6297.69,-1036.6C6540.87,-1036.6 6598.08,-1117.34 6836.18,-1119.55"/>
+<polygon fill="black" stroke="black" points="6836.17,-1123.05 6846.19,-1119.6 6836.2,-1116.05 6836.17,-1123.05"/>
+</g>
+<!-- nat_KUBEMARKMASQ -->
+<g id="node27" class="node">
+<title>nat_KUBEMARKMASQ</title>
+<polygon fill="none" stroke="black" points="7978.19,-1064.6 7582.19,-1064.6 7578.19,-1060.6 7578.19,-966.6 7974.19,-966.6 7978.19,-970.6 7978.19,-1064.6"/>
+<polyline fill="none" stroke="black" points="7974.19,-1060.6 7578.19,-1060.6 "/>
+<polyline fill="none" stroke="black" points="7974.19,-1060.6 7974.19,-966.6 "/>
+<polyline fill="none" stroke="black" points="7974.19,-1060.6 7978.19,-1064.6 "/>
+<polygon fill="grey" stroke="transparent" points="7586.19,-1039.6 7586.19,-1060.6 7970.19,-1060.6 7970.19,-1039.6 7586.19,-1039.6"/>
+<polygon fill="none" stroke="black" points="7586.19,-1039.6 7586.19,-1060.6 7970.19,-1060.6 7970.19,-1039.6 7586.19,-1039.6"/>
+<text text-anchor="start" x="7606.69" y="-1047.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">Kubernetes nodeport TCP port for masquerade purpose</text>
+<polygon fill="grey" stroke="transparent" points="7586.19,-1018.6 7586.19,-1039.6 7970.19,-1039.6 7970.19,-1018.6 7586.19,-1018.6"/>
+<polygon fill="none" stroke="black" points="7586.19,-1018.6 7586.19,-1039.6 7970.19,-1039.6 7970.19,-1018.6 7586.19,-1018.6"/>
+<text text-anchor="start" x="7589.19" y="-1026.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">Kubernetes service cluster ip + port for masquerade purpose</text>
+<polygon fill="none" stroke="black" points="7586.19,-1012.6 7586.19,-1018.6 7970.19,-1018.6 7970.19,-1012.6 7586.19,-1012.6"/>
+<polygon fill="none" stroke="black" points="7586.19,-991.6 7586.19,-1012.6 7970.19,-1012.6 7970.19,-991.6 7586.19,-991.6"/>
+<text text-anchor="start" x="7668.69" y="-998.4" font-family="Times,serif" font-size="14.00">&#45;j MARK &#45;&#45;set&#45;xmark 0x4000/0x4000</text>
+<polygon fill="none" stroke="black" points="7586.19,-970.6 7586.19,-991.6 7970.19,-991.6 7970.19,-970.6 7586.19,-970.6"/>
+<text text-anchor="start" x="7744.69" y="-977.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- nat_KUBESERVICES&#45;&gt;nat_KUBEMARKMASQ -->
+<g id="edge18" class="edge">
+<title>nat_KUBESERVICES:rule_2&#45;&gt;nat_KUBEMARKMASQ:begin</title>
+<path fill="none" stroke="black" d="M6297.69,-1015.6C6866.56,-1015.6 7011.27,-1015.6 7575.17,-1015.6"/>
+<polygon fill="black" stroke="black" points="7575.19,-1019.1 7585.19,-1015.6 7575.19,-1012.1 7575.19,-1019.1"/>
+</g>
+<!-- nat_KUBENODEPORT -->
+<g id="node28" class="node">
+<title>nat_KUBENODEPORT</title>
+<polygon fill="none" stroke="black" points="7434.19,-960.1 6452.19,-960.1 6448.19,-956.1 6448.19,-883.1 7430.19,-883.1 7434.19,-887.1 7434.19,-960.1"/>
+<polyline fill="none" stroke="black" points="7430.19,-956.1 6448.19,-956.1 "/>
+<polyline fill="none" stroke="black" points="7430.19,-956.1 7430.19,-883.1 "/>
+<polyline fill="none" stroke="black" points="7430.19,-956.1 7434.19,-960.1 "/>
+<polygon fill="grey" stroke="transparent" points="6456.19,-934.6 6456.19,-955.6 7426.19,-955.6 7426.19,-934.6 6456.19,-934.6"/>
+<polygon fill="none" stroke="black" points="6456.19,-934.6 6456.19,-955.6 7426.19,-955.6 7426.19,-934.6 6456.19,-934.6"/>
+<text text-anchor="start" x="6868.69" y="-942.4" font-family="Times,serif" font-weight="bold" font-style="italic" font-size="14.00">nat:KUBE&#45;NODE&#45;PORT</text>
+<polygon fill="none" stroke="black" points="6456.19,-928.6 6456.19,-934.6 7426.19,-934.6 7426.19,-928.6 6456.19,-928.6"/>
+<polygon fill="none" stroke="black" points="6456.19,-907.6 6456.19,-928.6 7426.19,-928.6 7426.19,-907.6 6456.19,-907.6"/>
+<text text-anchor="start" x="6459.19" y="-914.4" font-family="Times,serif" font-size="14.00">&#45;p tcp &#45;m comment &#45;&#45;comment &quot;Kubernetes nodeport TCP port for masquerade purpose&quot; &#45;m set &#45;&#45;match&#45;set KUBE&#45;NODE&#45;PORT&#45;TCP dst &#45;j KUBE&#45;MARK&#45;MASQ</text>
+<polygon fill="none" stroke="black" points="6456.19,-886.6 6456.19,-907.6 7426.19,-907.6 7426.19,-886.6 6456.19,-886.6"/>
+<text text-anchor="start" x="6907.69" y="-893.4" font-family="Times,serif" font-size="14.00">&#45;j RETURN</text>
+</g>
+<!-- nat_KUBESERVICES&#45;&gt;nat_KUBENODEPORT -->
+<g id="edge19" class="edge">
+<title>nat_KUBESERVICES:rule_3&#45;&gt;nat_KUBENODEPORT:begin</title>
+<path fill="none" stroke="black" d="M6297.69,-993.6C6369.39,-993.6 6379.15,-937.27 6445.04,-931.99"/>
+<polygon fill="black" stroke="black" points="6445.33,-935.48 6455.19,-931.6 6445.06,-928.49 6445.33,-935.48"/>
+</g>
+<!-- nat_KUBELOADBALANCER&#45;&gt;nat_KUBEMARKMASQ -->
+<g id="edge20" class="edge">
+<title>nat_KUBELOADBALANCER:rule_0&#45;&gt;nat_KUBEMARKMASQ:begin</title>
+<path fill="none" stroke="black" d="M7036.19,-1105.6C7215.21,-1105.6 7257.71,-1073.7 7434.19,-1043.6 7498.05,-1032.7 7515.23,-1017.26 7575.18,-1015.72"/>
+<polygon fill="black" stroke="black" points="7575.23,-1019.22 7585.19,-1015.6 7575.15,-1012.22 7575.23,-1019.22"/>
+</g>
+<!-- nat_KUBENODEPORT&#45;&gt;nat_KUBEMARKMASQ -->
+<g id="edge21" class="edge">
+<title>nat_KUBENODEPORT:rule_0&#45;&gt;nat_KUBEMARKMASQ:begin</title>
+<path fill="none" stroke="black" d="M7427.19,-917.6C7506.27,-917.6 7503.01,-1007.36 7575.02,-1015.07"/>
+<polygon fill="black" stroke="black" points="7575.02,-1018.57 7585.19,-1015.6 7575.38,-1011.58 7575.02,-1018.57"/>
 </g>
 <!-- mangle_PREROUTING&#45;&gt;nat_PREROUTING -->
-<g id="edge9" class="edge"><title>mangle_PREROUTING:end&#45;&gt;nat_PREROUTING:begin</title>
-<path fill="none" stroke="red" d="M349,-184.5C415.656,-184.5 434.859,-184.5 496.696,-184.5"/>
-<polygon fill="red" stroke="red" points="497,-188 507,-184.5 497,-181 497,-188"/>
+<g id="edge27" class="edge">
+<title>mangle_PREROUTING:end&#45;&gt;nat_PREROUTING:begin</title>
+<path fill="none" stroke="red" d="M851,-987.6C917.87,-987.6 937.13,-987.6 999.16,-987.6"/>
+<polygon fill="red" stroke="red" points="999.5,-991.1 1009.5,-987.6 999.5,-984.1 999.5,-991.1"/>
 </g>
-<!-- nat_OUTPUT -->
-<g id="node16" class="node"><title>nat_OUTPUT</title>
-<polygon fill="none" stroke="black" points="2921,-165.5 2566,-165.5 2566,-73.5 2921,-73.5 2921,-165.5"/>
-<polygon fill="red" stroke="none" points="2574.5,-140.5 2574.5,-161.5 2913.5,-161.5 2913.5,-140.5 2574.5,-140.5"/>
-<polygon fill="none" stroke="black" points="2574.5,-140.5 2574.5,-161.5 2913.5,-161.5 2913.5,-140.5 2574.5,-140.5"/>
-<text text-anchor="start" x="2717.5" y="-148.3" font-family="Times,serif" font-style="italic" font-size="14.00">OUTPUT</text>
-<polygon fill="tomato" stroke="none" points="2574.5,-119.5 2574.5,-140.5 2913.5,-140.5 2913.5,-119.5 2574.5,-119.5"/>
-<polygon fill="none" stroke="black" points="2574.5,-119.5 2574.5,-140.5 2913.5,-140.5 2913.5,-119.5 2574.5,-119.5"/>
-<text text-anchor="start" x="2735" y="-127.3" font-family="Times,serif" font-style="italic" font-size="14.00">nat</text>
-<polygon fill="none" stroke="black" points="2574.5,-98.5 2574.5,-119.5 2913.5,-119.5 2913.5,-98.5 2574.5,-98.5"/>
-<text text-anchor="start" x="2577.5" y="-105.3" font-family="Times,serif" font-size="14.00">! &#45;d 127.0.0.0/8 &#45;m addrtype &#45;&#45;dst&#45;type LOCAL &#45;j DOCKER</text>
-<polygon fill="none" stroke="black" points="2574.5,-77.5 2574.5,-98.5 2913.5,-98.5 2913.5,-77.5 2574.5,-77.5"/>
-<text text-anchor="start" x="2734" y="-84.3" font-family="Times,serif" font-size="14.00">end</text>
+<!-- mangle_INPUT&#45;&gt;filter_INPUT -->
+<g id="edge29" class="edge">
+<title>mangle_INPUT:end&#45;&gt;filter_INPUT:begin</title>
+<path fill="none" stroke="red" d="M1729,-744.6C1805.2,-744.6 1819.51,-696.25 1890.15,-691.91"/>
+<polygon fill="red" stroke="red" points="1890.61,-695.4 1900.5,-691.6 1890.4,-688.4 1890.61,-695.4"/>
 </g>
 <!-- mangle_OUTPUT&#45;&gt;nat_OUTPUT -->
-<g id="edge14" class="edge"><title>mangle_OUTPUT:end&#45;&gt;nat_OUTPUT:begin</title>
-<path fill="none" stroke="red" d="M2350.5,-89.5C2447.83,-89.5 2471.17,-127.745 2563.44,-130.36"/>
-<polygon fill="red" stroke="red" points="2563.45,-133.86 2573.5,-130.5 2563.55,-126.861 2563.45,-133.86"/>
-</g>
-<!-- nat_MASQUERADE -->
-<g id="node15" class="node"><title>nat_MASQUERADE</title>
-<polygon fill="none" stroke="black" points="4163,-180 4051,-180 4051,-109 4163,-109 4163,-180"/>
-<polygon fill="none" stroke="black" points="4059,-154.5 4059,-175.5 4155,-175.5 4155,-154.5 4059,-154.5"/>
-<text text-anchor="start" x="4062" y="-162.3" font-family="Times,serif" font-style="italic" font-size="14.00">MASQUERADE</text>
-<polygon fill="none" stroke="black" points="4059,-133.5 4059,-154.5 4155,-154.5 4155,-133.5 4059,-133.5"/>
-<text text-anchor="start" x="4098" y="-141.3" font-family="Times,serif" font-style="italic" font-size="14.00">nat</text>
-<polygon fill="none" stroke="black" points="4059,-112.5 4059,-133.5 4155,-133.5 4155,-112.5 4059,-112.5"/>
-<text text-anchor="start" x="4097" y="-119.3" font-family="Times,serif" font-size="14.00">end</text>
-</g>
-<!-- nat_OUTPUT&#45;&gt;filter_OUTPUT -->
-<g id="edge15" class="edge"><title>nat_OUTPUT:end&#45;&gt;filter_OUTPUT:begin</title>
-<path fill="none" stroke="red" d="M2914.5,-87.5C2997.4,-87.5 3020.67,-87.5 3098.68,-87.5"/>
-<polygon fill="red" stroke="red" points="3099,-91.0001 3109,-87.5 3099,-84.0001 3099,-91.0001"/>
-</g>
-<!-- nat_DOCKER -->
-<g id="node17" class="node"><title>nat_DOCKER</title>
-<polygon fill="none" stroke="black" points="3213,-252.5 3065,-252.5 3065,-160.5 3213,-160.5 3213,-252.5"/>
-<polygon fill="none" stroke="black" points="3073,-227.5 3073,-248.5 3205,-248.5 3205,-227.5 3073,-227.5"/>
-<text text-anchor="start" x="3111.5" y="-235.3" font-family="Times,serif" font-style="italic" font-size="14.00">DOCKER</text>
-<polygon fill="none" stroke="black" points="3073,-206.5 3073,-227.5 3205,-227.5 3205,-206.5 3073,-206.5"/>
-<text text-anchor="start" x="3130" y="-214.3" font-family="Times,serif" font-style="italic" font-size="14.00">nat</text>
-<polygon fill="none" stroke="black" points="3073,-185.5 3073,-206.5 3205,-206.5 3205,-185.5 3073,-185.5"/>
-<text text-anchor="start" x="3076" y="-192.3" font-family="Times,serif" font-size="14.00">&#45;i docker0 &#45;j RETURN</text>
-<polygon fill="none" stroke="black" points="3073,-164.5 3073,-185.5 3205,-185.5 3205,-164.5 3073,-164.5"/>
-<text text-anchor="start" x="3129" y="-171.3" font-family="Times,serif" font-size="14.00">end</text>
-</g>
-<!-- nat_OUTPUT&#45;&gt;nat_DOCKER -->
-<g id="edge5" class="edge"><title>nat_OUTPUT:rule_0&#45;&gt;nat_DOCKER:begin</title>
-<path fill="none" stroke="black" d="M2914.5,-108.5C2996.14,-108.5 2987.75,-208.742 3062.01,-216.965"/>
-<polygon fill="black" stroke="black" points="3061.83,-220.46 3072,-217.5 3062.2,-213.47 3061.83,-220.46"/>
+<g id="edge36" class="edge">
+<title>mangle_OUTPUT:end&#45;&gt;nat_OUTPUT:begin</title>
+<path fill="none" stroke="red" d="M4465.69,-383.6C4658.26,-383.6 4435.9,-780.85 4613.48,-795.2"/>
+<polygon fill="red" stroke="red" points="4613.56,-798.7 4623.69,-795.6 4613.83,-791.71 4613.56,-798.7"/>
 </g>
-<!-- nat_PREROUTING&#45;&gt;mangle_FORWARD -->
-<g id="edge18" class="edge"><title>nat_PREROUTING:end&#45;&gt;mangle_FORWARD:begin</title>
-<path fill="none" stroke="red" d="M759,-141.5C825.867,-141.5 845.131,-141.5 907.163,-141.5"/>
-<polygon fill="red" stroke="red" points="907.5,-145 917.5,-141.5 907.5,-138 907.5,-145"/>
+<!-- mangle_FORWARD&#45;&gt;filter_FORWARD -->
+<g id="edge33" class="edge">
+<title>mangle_FORWARD:end&#45;&gt;filter_FORWARD:begin</title>
+<path fill="none" stroke="red" d="M1742,-570.6C1852.89,-570.6 1790.26,-380.09 1890.3,-368.18"/>
+<polygon fill="red" stroke="red" points="1890.72,-371.66 1900.5,-367.6 1890.32,-364.67 1890.72,-371.66"/>
 </g>
-<!-- nat_PREROUTING&#45;&gt;mangle_INPUT -->
-<g id="edge10" class="edge"><title>nat_PREROUTING:end&#45;&gt;mangle_INPUT:begin</title>
-<path fill="none" stroke="red" d="M759,-141.5C844.969,-141.5 840.545,-42.6961 919.452,-34.9771"/>
-<polygon fill="red" stroke="red" points="919.677,-38.4704 929.5,-34.5 919.345,-31.4783 919.677,-38.4704"/>
-</g>
-<!-- nat_PREROUTING&#45;&gt;nat_DOCKER -->
-<g id="edge6" class="edge"><title>nat_PREROUTING:rule_0&#45;&gt;nat_DOCKER:begin</title>
-<path fill="none" stroke="black" d="M759,-162.5C827.695,-162.5 842.077,-185.229 910,-195.5 1106.7,-225.245 1157.06,-233.5 1356,-233.5 1356,-233.5 1356,-233.5 2320.5,-233.5 2651.15,-233.5 2736.19,-217.826 3061.8,-217.505"/>
-<polygon fill="black" stroke="black" points="3062,-221.005 3072,-217.5 3062,-214.005 3062,-221.005"/>
-</g>
-<!-- nat_POSTROUTING&#45;&gt;nat_MASQUERADE -->
-<g id="edge7" class="edge"><title>nat_POSTROUTING:rule_0&#45;&gt;nat_MASQUERADE:begin</title>
-<path fill="none" stroke="black" d="M3900.5,-143.5C3966.95,-143.5 3986.09,-143.5 4047.73,-143.5"/>
-<polygon fill="black" stroke="black" points="4048,-147 4058,-143.5 4048,-140 4048,-147"/>
+<!-- mangle_POSTROUTING&#45;&gt;nat_POSTROUTING -->
+<g id="edge41" class="edge">
+<title>mangle_POSTROUTING:end&#45;&gt;nat_POSTROUTING:begin</title>
+<path fill="none" stroke="red" d="M7854.19,-359.6C7973.16,-359.6 8005.44,-359.6 8119.5,-359.6"/>
+<polygon fill="red" stroke="red" points="8119.69,-363.1 8129.69,-359.6 8119.69,-356.1 8119.69,-363.1"/>
+</g>
+<!-- START -->
+<g id="node34" class="node">
+<title>START</title>
+<ellipse fill="black" stroke="black" cx="137.5" cy="-1015.6" rx="38.19" ry="38.19"/>
+<text text-anchor="middle" x="137.5" y="-1011.9" font-family="Times,serif" font-size="14.00" fill="white">START</text>
+</g>
+<!-- START&#45;&gt;raw_PREROUTING -->
+<g id="edge22" class="edge">
+<title>START&#45;&gt;raw_PREROUTING:begin</title>
+<path fill="none" stroke="blue" d="M176.24,-1015.6C229.23,-1015.6 328.99,-1015.6 416.45,-1015.6"/>
+<polygon fill="blue" stroke="blue" points="416.5,-1019.1 426.5,-1015.6 416.5,-1012.1 416.5,-1019.1"/>
+</g>
+<!-- APPLICATION&#45;&gt;raw_OUTPUT -->
+<g id="edge24" class="edge">
+<title>APPLICATION&#45;&gt;raw_OUTPUT:begin</title>
+<path fill="none" stroke="blue" d="M3955.2,-390.64C3995.38,-393.81 4047.94,-397.13 4096.01,-397.55"/>
+<polygon fill="blue" stroke="blue" points="4096.17,-401.05 4106.19,-397.6 4096.2,-394.05 4096.17,-401.05"/>
 </g>
 </g>
 </svg>