calico
Cluster I/O timeout when using Calico CNI.
Expected Behavior
Sonobuoy Pod should be able to run multiple instances of the E2E test in an IPV6 Kubernetes Cluster Environment.
Current Behavior
When sonobuoy is run for the first time, sonobuoy is able to start the e2e test. When run the second time (or if the sonobuoy pod is scheduled on THE SAME node as the previous successful instance), it produces an i/o timeout when connecting to the service IP from the sonobuoy pod.
Possible Solution
None
Steps to Reproduce (for bugs)
- Configure Cluster and Calico for IPV6.
- Copy $HOME/.kube/config file from the master node to a client machine (a machine that is outside of the cluster but is able to communicate with the cluster)
- Download sonobuoy (v0.17.2) on client machine.
- Push sonobuoy images to private repository.
- Execute sonobuoy run with the --kubeconfig flag and using the config file that was copied from the master node to the client machine.
Context
We are currently trying to build an air-gapped ipv6 kubernetes cluster environment. We are using sonobuoy to do end-to-end testing on our clusters.
Your Environment
- Calico version - 0.3.14
- Orchestrator version (e.g. kubernetes, mesos, rkt): kubernetes 1.16.3
- Operating System and version: Centos 7
We have set up an air-gapped IPV6 cluster environment composed of 3 nodes (1 master, 2 workers) and also a private repository and a client machine. The private repository holds the images used for the cluster and the client machine executes the sonobuoy test remotely outside the cluster. All of the machines are connected in the same network and are not connected to the internet. We have downloaded the images on an online machine and transferred them to the cluster and the private repository.
We already escalated this issue with sonobuoy and we have already dismissed the idea that the issue is with the executable or the deployment. We have tried a CNI called KindNet and it was able to run sonobuoy multiple instances with no issues. We have also tried an IPv4 setup and we have confirmed that it is working as expected.
I hope the community would be able to help us with this issue.
Hm, this is interesting. I'm not aware of any reason that this would be Sonobuoy specific. Are you seeing issues with any other pods in the cluster connecting to services?
could you share the manifest you're using to run sonobuoy?
Hello, @caseydavenport. I will be replying on behalf of @johnray21216.
The i/o timeout issue when connecting to the Kubernetes service IP is not encountered by other pods in the cluster. As stated by @johnray21216 , there is no timeout issue in the sonobuoy pod when the test is executed for the first time. It only appears in the succeeding executions of the test.
Shown below is the sonobuoy manifest used,
---
apiVersion: v1
kind: Namespace
metadata:
  name: sonobuoy
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    component: sonobuoy
  name: sonobuoy-serviceaccount
  namespace: sonobuoy
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    component: sonobuoy
    namespace: sonobuoy
  name: sonobuoy-serviceaccount-sonobuoy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sonobuoy-serviceaccount-sonobuoy
subjects:
- kind: ServiceAccount
  name: sonobuoy-serviceaccount
  namespace: sonobuoy
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    component: sonobuoy
    namespace: sonobuoy
  name: sonobuoy-serviceaccount-sonobuoy
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '/metrics'
  - '/logs'
  - '/logs/*'
  verbs:
  - 'get'
---
apiVersion: v1
data:
  config.json: |
    {"Description":"DEFAULT","UUID":"5235698a-3c3f-46bd-934c-7a57a7a9547c","Version":"v0.17.2","ResultsDir":"/tmp/sonobuoy","Resources":["apiservices","certificatesigningrequests","clusterrolebindings","clusterroles","componentstatuses","configmaps","controllerrevisions","cronjobs","customresourcedefinitions","daemonsets","deployments","endpoints","ingresses","jobs","leases","limitranges","mutatingwebhookconfigurations","namespaces","networkpolicies","nodes","persistentvolumeclaims","persistentvolumes","poddisruptionbudgets","pods","podlogs","podsecuritypolicies","podtemplates","priorityclasses","replicasets","replicationcontrollers","resourcequotas","rolebindings","roles","servergroups","serverversion","serviceaccounts","services","statefulsets","storageclasses","validatingwebhookconfigurations","volumeattachments"],"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null,"LimitSize":"","LimitTime":""}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":10800},"Plugins":[{"name":"e2e"},{"name":"systemd-logs"}],"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"abk-opm:5000/sonobuoy:v0.17.2","Always":"IfNotPresent","ImagePullSecrets":"","ProgressUpdatesPort":"8099"}
kind: ConfigMap
metadata:
  labels:
    component: sonobuoy
  name: sonobuoy-config-cm
  namespace: sonobuoy
---
apiVersion: v1
data:
  plugin-0.yaml: |
    sonobuoy-config:
      driver: Job
      plugin-name: e2e
      result-format: junit
    spec:
      command:
      - /run_e2e.sh
      env:
      - name: E2E_FOCUS
        value: \[Conformance\]
      - name: E2E_SKIP
        value: \[Disruptive\]|NoExecuteTaintManager
      - name: E2E_PARALLEL
        value: "1"
      - name: E2E_USE_GO_RUNNER
        value: "true"
      - name: E2E_EXTRA_ARGS
        value: --progress-report-url=http://localhost:8099/progress
      image: abk-opm:5000/conformance:v1.16.3
      imagePullPolicy: Always
      name: e2e
      resources: {}
      volumeMounts:
      - mountPath: /tmp/results
        name: results
  plugin-1.yaml: |
    sonobuoy-config:
      driver: DaemonSet
      plugin-name: systemd-logs
      result-format: raw
    spec:
      command:
      - /bin/sh
      - -c
      - /get_systemd_logs.sh && while true; do echo "Sleeping for 1h to avoid daemonset
        restart"; sleep 3600; done
      env:
      - name: CHROOT_DIR
        value: /node
      - name: RESULTS_DIR
        value: /tmp/results
      - name: NODE_NAME
        valueFrom:
          fieldRef:
            fieldPath: spec.nodeName
      image: abk-opm:5000/systemd-logs:v0.3
      imagePullPolicy: Always
      name: systemd-logs
      resources: {}
      securityContext:
        privileged: true
      volumeMounts:
      - mountPath: /tmp/results
        name: results
      - mountPath: /node
        name: root
kind: ConfigMap
metadata:
  labels:
    component: sonobuoy
  name: sonobuoy-plugins-cm
  namespace: sonobuoy
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    component: sonobuoy
    run: sonobuoy-master
    tier: analysis
  name: sonobuoy
  namespace: sonobuoy
spec:
  containers:
  - env:
    - name: SONOBUOY_ADVERTISE_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    image: abk-opm:5000/sonobuoy:v0.17.2
    imagePullPolicy: Always
    name: kube-sonobuoy
    command: ["/sonobuoy"]
    args: ["aggregator", "--no-exit", "--logtostderr", "-v", "8"]
    volumeMounts:
    - mountPath: /etc/sonobuoy
      name: sonobuoy-config-volume
    - mountPath: /plugins.d
      name: sonobuoy-plugins-volume
    - mountPath: /tmp/sonobuoy
      name: output-volume
  restartPolicy: Never
  serviceAccountName: sonobuoy-serviceaccount
  tolerations:
  - key: "kubernetes.io/e2e-evict-taint-key"
    operator: "Exists"
  volumes:
  - configMap:
      name: sonobuoy-config-cm
    name: sonobuoy-config-volume
  - configMap:
      name: sonobuoy-plugins-cm
    name: sonobuoy-plugins-volume
  - emptyDir: {}
    name: output-volume
---
apiVersion: v1
kind: Service
metadata:
  labels:
    component: sonobuoy
    run: sonobuoy-master
  name: sonobuoy-master
  namespace: sonobuoy
spec:
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    run: sonobuoy-master
  type: ClusterIP
Hi :wave: I'm one of the maintainers of Sonobuoy who was trying to help @johnray21216 debug this issue.
Some other users were seeing this same problem and provided some logs from the Calico pods.
For these users, the first run of Sonobuoy succeeded, but when they deleted the workload (using sonobuoy delete, which deletes the sonobuoy namespace and all resources within it), the following log messages were observed:
2020-07-06 06:12:49.159 [INFO][116] int_dataplane.go 836: Received *proto.ServiceAccountUpdate update from calculation graph msg=id:<namespace:"sonobuoy" name:"sonobuoy-serviceaccount" > labels:<key:"component" value:"sonobuoy" >
2020-07-06 06:12:49.209 [WARNING][116] active_rules_calculator.go 326: Profile not known or invalid, generating dummy profile that drops all traffic. profileID="ksa.sonobuoy.sonobuoy-serviceaccount"
2020-07-06 06:12:49.209 [INFO][116] int_dataplane.go 836: Received *proto.ActiveProfileUpdate update from calculation graph msg=id:<name:"ksa.sonobuoy.sonobuoy-serviceaccount" > profile:<inbound_rules:<action:"deny" rule_id:"72K0GtWSqVmg3zna" > outbound_rules:<action:"deny" rule_id:"g4ouJCo7BiI1jZ0N" > >
2020-07-06 06:12:49.209 [INFO][116] int_dataplane.go 836: Received *proto.ServiceAccountRemove update from calculation graph msg=id:<namespace:"sonobuoy" name:"sonobuoy-serviceaccount" >
2020-07-06 06:12:49.222 [INFO][116] calc_graph.go 392: Local endpoint updated id=WorkloadEndpoint(node=allot-k8s-worker02, orchestrator=k8s, workload=sonobuoy/sonobuoy, name=eth0)
2020-07-06 06:12:49.222 [INFO][116] int_dataplane.go 836: Received *proto.WorkloadEndpointUpdate update from calculation graph msg=id:<orchestrator_id:"k8s" workload_id:"sonobuoy/sonobuoy" endpoint_id:"eth0" > endpoint:<state:"active" name:"cali41a3cc79a18" profile_ids:"kns.sonobuoy" profile_ids:"ksa.sonobuoy.sonobuoy-serviceaccount" ipv6_nets:"fd00:10:101:1111::1c26/128" tiers:<name:"default" ingress_policies:"default.allow-all-upgrade" egress_policies:"default.allow-all-upgrade" > >
2020-07-06 06:12:49.222 [INFO][116] endpoint_mgr.go 497: Updating per-endpoint chains. id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:12:49.222 [INFO][116] endpoint_mgr.go 524: Updating endpoint routes. id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:12:49.223 [INFO][116] endpoint_mgr.go 432: Re-evaluated workload endpoint status adminUp=true failed=false known=true operUp=true status="up" workloadEndpointID=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:12:49.223 [INFO][116] status_combiner.go 58: Storing endpoint status update ipVersion=0x4 status="up" workload=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:12:49.223 [INFO][116] endpoint_mgr.go 497: Updating per-endpoint chains. id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:12:49.223 [INFO][116] endpoint_mgr.go 524: Updating endpoint routes. id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:12:49.223 [INFO][116] endpoint_mgr.go 432: Re-evaluated workload endpoint status adminUp=true failed=false known=true operUp=true status="up" workloadEndpointID=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:12:49.223 [INFO][116] status_combiner.go 58: Storing endpoint status update ipVersion=0x6 status="up" workload=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:12:49.231 [INFO][116] status_combiner.go 81: Endpoint up for at least one IP version id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"} ipVersion=0x4 status="up"
2020-07-06 06:12:49.231 [INFO][116] status_combiner.go 98: Reporting combined status. id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"} status="up"
2020-07-06 06:13:19.415 [INFO][116] endpoint_mgr.go 432: Re-evaluated workload endpoint status adminUp=true failed=false known=true operUp=false status="down" workloadEndpointID=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:13:19.415 [INFO][116] status_combiner.go 58: Storing endpoint status update ipVersion=0x4 status="down" workload=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:13:19.415 [INFO][116] endpoint_mgr.go 432: Re-evaluated workload endpoint status adminUp=true failed=false known=true operUp=false status="down" workloadEndpointID=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:13:19.415 [INFO][116] status_combiner.go 58: Storing endpoint status update ipVersion=0x6 status="down" workload=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:13:19.415 [INFO][116] status_combiner.go 78: Endpoint down for at least one IP version id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"} ipVersion=0x6 status="down"
2020-07-06 06:13:19.415 [INFO][116] status_combiner.go 78: Endpoint down for at least one IP version id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"} ipVersion=0x4 status="down"
2020-07-06 06:13:19.416 [INFO][116] status_combiner.go 98: Reporting combined status. id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"} status="down"
2020-07-06 06:13:19.913 [INFO][116] calc_graph.go 390: Local endpoint deleted id=WorkloadEndpoint(node=allot-k8s-worker02, orchestrator=k8s, workload=sonobuoy/sonobuoy, name=eth0)
2020-07-06 06:13:19.913 [INFO][116] int_dataplane.go 836: Received *proto.WorkloadEndpointRemove update from calculation graph msg=id:<orchestrator_id:"k8s" workload_id:"sonobuoy/sonobuoy" endpoint_id:"eth0" >
2020-07-06 06:13:19.913 [INFO][116] int_dataplane.go 836: Received *proto.ActiveProfileRemove update from calculation graph msg=id:<name:"kns.sonobuoy" >
2020-07-06 06:13:19.913 [INFO][116] table.go 499: Queing deletion of chain. chainName="cali-pri-kns.sonobuoy" ipVersion=0x4 table="filter"
2020-07-06 06:13:19.913 [INFO][116] table.go 499: Queing deletion of chain. chainName="cali-pro-kns.sonobuoy" ipVersion=0x4 table="filter"
2020-07-06 06:13:19.913 [INFO][116] table.go 499: Queing deletion of chain. chainName="cali-pri-kns.sonobuoy" ipVersion=0x6 table="filter"
2020-07-06 06:13:19.913 [INFO][116] table.go 499: Queing deletion of chain. chainName="cali-pro-kns.sonobuoy" ipVersion=0x6 table="filter"
2020-07-06 06:13:19.913 [INFO][116] int_dataplane.go 836: Received *proto.ActiveProfileRemove update from calculation graph msg=id:<name:"ksa.sonobuoy.sonobuoy-serviceaccount" >
2020-07-06 06:13:19.913 [INFO][116] endpoint_mgr.go 577: Workload removed, deleting its chains. id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:13:19.913 [INFO][116] endpoint_mgr.go 586: Workload removed, deleting old state. id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:13:19.914 [INFO][116] endpoint_mgr.go 432: Re-evaluated workload endpoint status adminUp=false failed=false known=false operUp=false status="" workloadEndpointID=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:13:19.914 [INFO][116] status_combiner.go 58: Storing endpoint status update ipVersion=0x4 status="" workload=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:13:19.914 [INFO][116] endpoint_mgr.go 577: Workload removed, deleting its chains. id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:13:19.914 [INFO][116] endpoint_mgr.go 586: Workload removed, deleting old state. id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:13:19.914 [INFO][116] endpoint_mgr.go 432: Re-evaluated workload endpoint status adminUp=false failed=false known=false operUp=false status="" workloadEndpointID=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:13:19.914 [INFO][116] status_combiner.go 58: Storing endpoint status update ipVersion=0x6 status="" workload=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
2020-07-06 06:13:19.926 [INFO][116] status_combiner.go 86: Reporting endpoint removed. id=proto.WorkloadEndpointID{OrchestratorId:"k8s", WorkloadId:"sonobuoy/sonobuoy", EndpointId:"eth0"}
This warning from Felix stood out to me: active_rules_calculator.go 326: Profile not known or invalid, generating dummy profile that drops all traffic. profileID="ksa.sonobuoy.sonobuoy-serviceaccount". My guess was that when trying to re-run sonobuoy (which would use the same namespace and service account name), it was reusing the same deny-all policy which prevented the sonobuoy pod from connecting to the API server, although I'm not familiar enough with the project to know if this warning is expected. It seems like it was also being generated for other workloads that were deleted during the course of running the Kubernetes E2E tests.
Hopefully these logs are useful! If you need any more information about Sonobuoy, I'd be happy to help.
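One way to test the guess above against a Felix log is to measure, per profile, how long a dummy deny-all profile stayed active and which workload endpoints referenced it. This is an added example, not code from the thread or from Calico: the message patterns are taken from the log lines quoted above, the sample is abridged from that log, and treating `ActiveProfileRemove` as the end of the deny window is an assumption.

```python
import re
from datetime import datetime

# Abridged from the Felix log quoted above (endpoint message shortened).
SAMPLE_LOG = """\
2020-07-06 06:12:49.209 [WARNING][116] active_rules_calculator.go 326: Profile not known or invalid, generating dummy profile that drops all traffic. profileID="ksa.sonobuoy.sonobuoy-serviceaccount"
2020-07-06 06:12:49.222 [INFO][116] int_dataplane.go 836: Received *proto.WorkloadEndpointUpdate update from calculation graph msg=id:<orchestrator_id:"k8s" workload_id:"sonobuoy/sonobuoy" endpoint_id:"eth0" > endpoint:<state:"active" name:"cali41a3cc79a18" profile_ids:"kns.sonobuoy" profile_ids:"ksa.sonobuoy.sonobuoy-serviceaccount" >
2020-07-06 06:13:19.913 [INFO][116] int_dataplane.go 836: Received *proto.WorkloadEndpointRemove update from calculation graph msg=id:<orchestrator_id:"k8s" workload_id:"sonobuoy/sonobuoy" endpoint_id:"eth0" >
2020-07-06 06:13:19.913 [INFO][116] int_dataplane.go 836: Received *proto.ActiveProfileRemove update from calculation graph msg=id:<name:"kns.sonobuoy" >
2020-07-06 06:13:19.913 [INFO][116] int_dataplane.go 836: Received *proto.ActiveProfileRemove update from calculation graph msg=id:<name:"ksa.sonobuoy.sonobuoy-serviceaccount" >
"""

TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) ")
DUMMY = re.compile(r'generating dummy profile that drops all traffic\. profileID="([^"]+)"')
PROFILE_REMOVE = re.compile(r'\*proto\.ActiveProfileRemove .*?name:"([^"]+)"')
WEP_UPDATE = re.compile(r'\*proto\.WorkloadEndpointUpdate .*?workload_id:"([^"]+)"')
WEP_REMOVE = re.compile(r'\*proto\.WorkloadEndpointRemove .*?workload_id:"([^"]+)"')
PROFILE_IDS = re.compile(r'profile_ids:"([^"]+)"')


def dummy_profile_windows(log_text):
    """Return one record per dummy deny-all profile seen in a Felix log.

    Each record has the profile id, when the dummy profile was generated,
    when the profile was removed (None if never), and the workload
    endpoints that referenced the profile while the dummy was in place.
    """
    open_windows = {}    # profile id -> record still awaiting removal
    live_endpoints = {}  # workload id -> profile ids from its last update
    finished = []
    for line in log_text.splitlines():
        m = TS.match(line)
        if not m:
            continue  # continuation line or unrelated output
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")

        m = DUMMY.search(line)
        if m:
            pid = m.group(1)
            rec = open_windows.setdefault(
                pid, {"profile": pid, "opened": ts, "closed": None, "workloads": set()})
            # Endpoints already programmed with this profile are hit at once.
            rec["workloads"].update(
                wl for wl, pids in live_endpoints.items() if pid in pids)
            continue
        m = WEP_UPDATE.search(line)
        if m:
            pids = set(PROFILE_IDS.findall(line))
            live_endpoints[m.group(1)] = pids
            for pid in pids.intersection(open_windows):
                open_windows[pid]["workloads"].add(m.group(1))
            continue
        m = WEP_REMOVE.search(line)
        if m:
            live_endpoints.pop(m.group(1), None)
            continue
        m = PROFILE_REMOVE.search(line)
        if m and m.group(1) in open_windows:
            rec = open_windows.pop(m.group(1))
            rec["closed"] = ts
            finished.append(rec)
    return finished + list(open_windows.values())


def unresolved(windows):
    """Dummy profiles never removed while an endpoint referenced them."""
    return [w for w in windows if w["closed"] is None and w["workloads"]]


if __name__ == "__main__":
    for w in dummy_profile_windows(SAMPLE_LOG):
        held = (w["closed"] - w["opened"]).total_seconds() if w["closed"] else None
        print(w["profile"], sorted(w["workloads"]), "deny window (s):", held)
```

A record returned by `unresolved()` on the log of a failing second run would support the guess; an empty result points the search elsewhere.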
active_rules_calculator.go 326: Profile not known or invalid, generating dummy profile that drops all traffic. profileID="ksa.sonobuoy.sonobuoy-serviceaccount"
I believe that this message is likely just a transient state, as it's possible we learn about pods / service accounts / namespaces deletion out of order (in this case, the serviceaccount being deleted before the pod that references it). However, I wouldn't expect that to be steady-state (e.g., while sonobuoy is running rather than being torn down).
It does sound like there is likely something getting left over from the previous run that is interfering, but it's not obvious what it is. I think ideally to diagnose this we'd be able to track where the packets from the sonobuoy pod are being dropped (e.g., via tcpdump, iptables-save -c, etc) and then work our way back from there.
If I can find some time I will try to reproduce this myself, but in the meantime it would be very helpful if you could try to trace the traffic coming from the sonobuoy pod and identify where they are getting dropped. e.g.,
- Are they making it out of the pod at all?
- Are they getting dropped in iptables on the sending node? If so, which rule?
- Are they getting dropped in the network?
- Dropped on the receiving node in iptables?
- The return traffic?
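For the iptables question in the list above, two `ip6tables-save -c` snapshots taken on the same node before and after a failing run can be compared to see which DROP or REJECT rule (or chain policy) counted packets in between. This is an added example, not code from the thread or from Calico; the snapshots are constructed, and the chain name `cali-from-EXAMPLE` and the rule comment are placeholders.

```python
import re

RULE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")   # [pkts:bytes] -A CHAIN spec
POLICY = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")  # :CHAIN POLICY [pkts:bytes]
TARGET = re.compile(r"(?:^| )-j (\S+)")
DROPPING = {"DROP", "REJECT"}

# Constructed snapshots in `ip6tables-save -c` format.
BEFORE = """\
*filter
:INPUT ACCEPT [120:9600]
:FORWARD DROP [0:0]
:cali-from-EXAMPLE - [0:0]
[40:3200] -A FORWARD -j cali-from-EXAMPLE
[40:3200] -A cali-from-EXAMPLE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-from-EXAMPLE -m comment --comment "constructed: no profile matched" -j DROP
COMMIT
"""
AFTER = """\
*filter
:INPUT ACCEPT [150:12000]
:FORWARD DROP [2:160]
:cali-from-EXAMPLE - [0:0]
[49:3920] -A FORWARD -j cali-from-EXAMPLE
[40:3200] -A cali-from-EXAMPLE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[7:560] -A cali-from-EXAMPLE -m comment --comment "constructed: no profile matched" -j DROP
COMMIT
"""


def parse_counters(save_text):
    """Return {(table, chain, spec): (target, packets)} for every rule and chain policy."""
    table, counters = None, {}
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
            continue
        m = POLICY.match(line)
        if m:                             # built-in chains can drop by policy
            chain, policy, pkts, _ = m.groups()
            counters[(table, chain, "<chain policy>")] = (policy, int(pkts))
            continue
        m = RULE.match(line)
        if m:
            pkts, _, chain, spec = m.groups()
            targets = TARGET.findall(spec)
            key = (table, chain, spec)
            seen = counters.get(key, (None, 0))[1]  # identical rules are summed
            counters[key] = (targets[-1] if targets else None, seen + int(pkts))
    return counters


def drops_between(before_text, after_text):
    """List (packets, table, chain, spec) for dropping rules that counted new packets."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    hits = []
    for key, (target, pkts) in after.items():
        if target not in DROPPING:
            continue
        prev = before.get(key, (target, 0))[1]   # rule may be new in `after`
        # A lower count than before means the rule was re-created and its
        # counter restarted, so everything it shows was counted since then.
        delta = pkts - prev if pkts >= prev else pkts
        if delta > 0:
            hits.append((delta,) + key)
    return sorted(hits, key=lambda h: h[0], reverse=True)


if __name__ == "__main__":
    for pkts, table, chain, spec in drops_between(BEFORE, AFTER):
        print(f"{pkts:>6} pkts  {table}/{chain}  {spec}")
```

Run against the sending and the receiving node separately; a node with no hits leaves the pod itself or the network between nodes as the remaining candidates.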
Hello, @caseydavenport and @zubron. Thank you very much for your support. Sorry for the late response.
Here is the information we've gathered.
NOTE: You may see the file 20200812-logs.zip most of the time in this comment:
Here are the contents inside the 20200812-logs.zip file:
[root@b-ipv6-k8s-ms1 ~]# ls -lh 20200812-logs
total 8.7M
-rw-r--r--. 1 root root 2.9M Aug 12 16:51 calico-node-wk1-1.log
-rw-r--r--. 1 root root 469K Aug 12 17:00 calico-node-wk1-2.log
-rw-r--r--. 1 root root 3.8M Aug 12 16:51 calico-node-wk2-1.log
-rw-r--r--. 1 root root 1.3M Aug 12 17:00 calico-node-wk2-2.log
-rw-r--r--. 1 root root 27K Aug 12 17:01 ip6tables-after-fail.txt
-rw-r--r--. 1 root root 27K Aug 12 16:51 ip6tables-after-success.txt
-rw-r--r--. 1 root root 26K Aug 12 16:59 ip6tables-before-fail.txt
-rw-r--r--. 1 root root 26K Aug 12 16:43 ip6tables-before-success.txt
-rw-r--r--. 1 root root 240K Aug 12 16:51 tcpdump-1st-run.txt
-rw-r--r--. 1 root root 0 Aug 12 16:59 tcpdump-2nd-run.txt
Please also note that IP addresses are censored for security reasons. Thank you for understanding.
First execution (SUCCESS)
We ran the "sonobuoy run" command in the sonobuoy client to execute the test. Here are the pods created by the test:
[root@b-ipv6-k8s-ms1 ~]# kubectl get pods -n sonobuoy -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
sonobuoy 1/1 Running 0 23s xxxx:xxx:xxx:x:3000::5583 b-ipv6-k8s-wk2 <none> <none>
sonobuoy-e2e-job-797d7866e77b4c0f 0/2 ContainerCreating 0 17s <none> b-ipv6-k8s-wk2 <none> <none>
[root@b-ipv6-k8s-ms1 ~]# kubectl get pods -n sonobuoy -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
sonobuoy 1/1 Running 0 36s xxxx:xxx:xxx:x:3000::5583 b-ipv6-k8s-wk2 <none> <none>
sonobuoy-e2e-job-797d7866e77b4c0f 2/2 Running 0 30s xxxx:xxx:xxx:x:3000::5584 b-ipv6-k8s-wk2 <none> <none>
[root@b-ipv6-k8s-ms1 ~]# kubectl get pods -n sonobuoy -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
sonobuoy 1/1 Running 0 67s xxxx:xxx:xxx:x:3000::5583 b-ipv6-k8s-wk2 <none> <none>
While the test was ongoing, we had tcpdump running in another terminal. We filtered the output by only displaying traffic from the pod CIDR. tcpdump-1st-run.txt file can be found in 20200812-logs.zip.
[root@b-ipv6-k8s-ms1 ~]# tcpdump -nn dst port 6443 -vv | grep "xxxx:xxx:xxx:x:3000" > tcpdump-1st-run.txt
tcpdump-1st-run.txt: (Some lines were omitted.)
16:50:06.676273 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1f (incorrect -> 0xf42a), seq 284113945:284113991, ack 2673926172, win 1367, options [nop,nop,TS val 3513720789 ecr 3513703360], length 46
16:50:06.679238 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x25b3), seq 46, ack 695, win 1367, options [nop,nop,TS val 3513720792 ecr 3513713323], length 0
16:50:06.679639 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1f (incorrect -> 0x257a), seq 46:92, ack 695, win 1367, options [nop,nop,TS val 3513720793 ecr 3513713323], length 46
16:50:06.681746 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x252c), seq 92, ack 779, win 1367, options [nop,nop,TS val 3513720795 ecr 3513713325], length 0
16:50:06.681851 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1b (incorrect -> 0xa5e8), seq 92:134, ack 779, win 1367, options [nop,nop,TS val 3513720795 ecr 3513713325], length 42
16:50:13.446016 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0xdfc9), seq 134, ack 4971, win 1367, options [nop,nop,TS val 3513727559 ecr 3513720089], length 0
16:50:13.446169 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1b (incorrect -> 0x8545), seq 134:176, ack 4971, win 1367, options [nop,nop,TS val 3513727559 ecr 3513720089], length 42
16:50:13.446753 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0xcf3d), seq 176, ack 9163, win 1367, options [nop,nop,TS val 3513727560 ecr 3513720090], length 0
16:50:13.447389 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1b (incorrect -> 0x3ea0), seq 176:218, ack 9163, win 1367, options [nop,nop,TS val 3513727560 ecr 3513720090], length 42
16:50:13.981953 IP6 (hlim 63, next-header TCP (6) payload length: 40) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [S], cksum 0xfb7c (incorrect -> 0x8864), seq 4204707917, win 27600, options [mss 1380,sackOK,TS val 3513714725 ecr 0,nop,wscale 7], length 0
16:50:13.982197 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x43a7), seq 4204707918, ack 1727104653, win 216, options [nop,nop,TS val 3513714726 ecr 3513720626], length 0
16:50:13.982654 IP6 (hlim 63, next-header TCP (6) payload length: 293) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfc79 (incorrect -> 0x18da), seq 0:261, ack 1, win 216, options [nop,nop,TS val 3513714726 ecr 3513720626], length 261
16:50:13.986360 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x3d29), seq 261, ack 1372, win 238, options [nop,nop,TS val 3513714730 ecr 3513720630], length 0
16:50:13.987280 IP6 (hlim 63, next-header TCP (6) payload length: 137) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfbdd (incorrect -> 0xb2bd), seq 261:366, ack 1372, win 238, options [nop,nop,TS val 3513714731 ecr 3513720630], length 105
16:50:13.987908 IP6 (hlim 63, next-header TCP (6) payload length: 125) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfbd1 (incorrect -> 0x5e7d), seq 366:459, ack 1485, win 238, options [nop,nop,TS val 3513714731 ecr 3513720631], length 93
16:50:13.988091 IP6 (hlim 63, next-header TCP (6) payload length: 955) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xff0f (incorrect -> 0x2f83), seq 459:1382, ack 1485, win 238, options [nop,nop,TS val 3513714732 ecr 3513720631], length 923
16:50:13.988183 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x3803), seq 1382, ack 1565, win 238, options [nop,nop,TS val 3513714732 ecr 3513720632], length 0
16:50:13.988236 IP6 (hlim 63, next-header TCP (6) payload length: 70) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9a (incorrect -> 0x4e91), seq 1382:1420, ack 1565, win 238, options [nop,nop,TS val 3513714732 ecr 3513720632], length 38
16:50:13.989326 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x36b1), seq 1420, ack 1842, win 259, options [nop,nop,TS val 3513714733 ecr 3513720633], length 0
16:50:13.990365 IP6 (hlim 63, next-header TCP (6) payload length: 91) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfbaf (incorrect -> 0x1cd2), seq 1420:1479, ack 1842, win 259, options [nop,nop,TS val 3513714734 ecr 3513720633], length 59
...
16:50:16.682241 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1f (incorrect -> 0x4ca8), seq 218:264, ack 9163, win 1367, options [nop,nop,TS val 3513730795 ecr 3513720091], length 46
16:50:16.684952 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0xb2e3), seq 264, ack 9857, win 1367, options [nop,nop,TS val 3513730798 ecr 3513723328], length 0
16:50:16.685403 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1f (incorrect -> 0xd95b), seq 264:310, ack 9857, win 1367, options [nop,nop,TS val 3513730798 ecr 3513723328], length 46
16:50:16.686677 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0xb25d), seq 310, ack 9941, win 1367, options [nop,nop,TS val 3513730800 ecr 3513723330], length 0
16:50:17.582787 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x9b0f), seq 310, ack 14115, win 1367, options [nop,nop,TS val 3513731696 ecr 3513724226], length 0
16:50:17.582911 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x8ac1), seq 310, ack 18289, win 1367, options [nop,nop,TS val 3513731696 ecr 3513724226], length 0
16:50:17.583002 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1b (incorrect -> 0x80b5), seq 310:352, ack 18289, win 1367, options [nop,nop,TS val 3513731696 ecr 3513724226], length 42
16:50:17.583179 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1b (incorrect -> 0x4ae9), seq 352:394, ack 18289, win 1367, options [nop,nop,TS val 3513731696 ecr 3513724226], length 42
16:50:22.714521 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfba2 (incorrect -> 0x589c), seq 11004:11050, ack 73763, win 1375, options [nop,nop,TS val 3513723458 ecr 3513720746], length 46
16:50:22.718274 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0xa178), seq 11050, ack 77373, win 1375, options [nop,nop,TS val 3513723462 ecr 3513729362], length 0
16:50:22.718747 IP6 (hlim 63, next-header TCP (6) payload length: 80) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfba4 (incorrect -> 0x7580), seq 11050:11098, ack 77373, win 1375, options [nop,nop,TS val 3513723462 ecr 3513729362], length 48
16:50:22.718811 IP6 (hlim 63, next-header TCP (6) payload length: 370) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfcc6 (incorrect -> 0x1a3f), seq 11098:11436, ack 77373, win 1375, options [nop,nop,TS val 3513723462 ecr 3513729362], length 338
16:50:22.718833 IP6 (hlim 63, next-header TCP (6) payload length: 70) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9a (incorrect -> 0x57b7), seq 11436:11474, ack 77373, win 1375, options [nop,nop,TS val 3513723462 ecr 3513729362], length 38
16:50:22.722047 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x9206), seq 11474, ack 80899, win 1375, options [nop,nop,TS val 3513723465 ecr 3513729363], length 0
16:50:23.403683 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x5b67), seq 394, ack 18724, win 1367, options [nop,nop,TS val 3513737517 ecr 3513730008], length 0
16:50:24.103400 IP6 (hlim 63, next-header TCP (6) payload length: 135) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfbdb (incorrect -> 0xf1be), seq 11474:11577, ack 80899, win 1375, options [nop,nop,TS val 3513724847 ecr 3513729363], length 103
16:50:24.106088 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x715b), seq 11577, ack 86388, win 1375, options [nop,nop,TS val 3513724850 ecr 3513730749], length 0
16:50:24.106290 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9e (incorrect -> 0x0815), seq 11577:11619, ack 86426, win 1375, options [nop,nop,TS val 3513724850 ecr 3513730750], length 42
16:50:25.685238 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x4947), seq 394, ack 18762, win 1367, options [nop,nop,TS val 3513739798 ecr 3513732329], length 0
16:50:25.685909 IP6 (hlim 63, next-header TCP (6) payload length: 146) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda63 (incorrect -> 0x7fd0), seq 394:508, ack 18762, win 1367, options [nop,nop,TS val 3513739799 ecr 3513732329], length 114
16:50:25.726615 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x4869), seq 508, ack 18827, win 1367, options [nop,nop,TS val 3513739840 ecr 3513732330], length 0
16:50:26.687173 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1f (incorrect -> 0xc0b3), seq 508:554, ack 18827, win 1367, options [nop,nop,TS val 3513740800 ecr 3513732330], length 46
16:50:26.689975 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x404b), seq 554, ack 18893, win 1367, options [nop,nop,TS val 3513740803 ecr 3513733333], length 0
16:50:26.689999 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x3ddb), seq 554, ack 19521, win 1363, options [nop,nop,TS val 3513740803 ecr 3513733333], length 0
16:50:26.694070 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1f (incorrect -> 0xb7a0), seq 554:600, ack 19521, win 1367, options [nop,nop,TS val 3513740807 ecr 3513733333], length 46
16:50:26.695478 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x3d4a), seq 600, ack 19605, win 1367, options [nop,nop,TS val 3513740808 ecr 3513733339], length 0
16:50:33.366092 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfba2 (incorrect -> 0x1a07), seq 11619:11665, ack 86426, win 1375, options [nop,nop,TS val 3513734109 ecr 3513730790], length 46
16:50:33.371814 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x1a66), seq 11665, ack 90032, win 1375, options [nop,nop,TS val 3513734115 ecr 3513740013], length 0
16:50:33.373458 IP6 (hlim 63, next-header TCP (6) payload length: 80) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfba4 (incorrect -> 0x092d), seq 11665:11713, ack 90032, win 1375, options [nop,nop,TS val 3513734117 ecr 3513740013], length 48
16:50:33.373506 IP6 (hlim 63, next-header TCP (6) payload length: 370) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfcc6 (incorrect -> 0xc882), seq 11713:12051, ack 90032, win 1375, options [nop,nop,TS val 3513734117 ecr 3513740013], length 338
16:50:33.373536 IP6 (hlim 63, next-header TCP (6) payload length: 70) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9a (incorrect -> 0x55c6), seq 12051:12089, ack 90032, win 1375, options [nop,nop,TS val 3513734117 ecr 3513740013], length 38
16:50:33.376492 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x0af2), seq 12089, ack 93554, win 1375, options [nop,nop,TS val 3513734120 ecr 3513740018], length 0
16:50:34.107315 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfba2 (incorrect -> 0x6ba4), seq 12089:12135, ack 93554, win 1375, options [nop,nop,TS val 3513734851 ecr 3513740018], length 46
16:50:35.215367 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0xe6cd), seq 12135, ack 99081, win 1375, options [nop,nop,TS val 3513735959 ecr 3513741858], length 0
16:50:35.215657 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9e (incorrect -> 0x3cf3), seq 12135:12177, ack 99081, win 1375, options [nop,nop,TS val 3513735959 ecr 3513741858], length 42
16:50:35.613803 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0xe362), seq 600, ack 24783, win 1367, options [nop,nop,TS val 3513749727 ecr 3513742257], length 0
16:50:35.613883 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0xcf28), seq 600, ack 29961, win 1367, options [nop,nop,TS val 3513749727 ecr 3513742257], length 0
16:50:35.613973 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1b (incorrect -> 0x6cea), seq 600:642, ack 29961, win 1367, options [nop,nop,TS val 3513749727 ecr 3513742257], length 42
16:50:35.614400 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1b (incorrect -> 0xa516), seq 642:684, ack 29961, win 1367, options [nop,nop,TS val 3513749727 ecr 3513742257], length 42
16:50:36.698750 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1f (incorrect -> 0xabf4), seq 684:730, ack 29961, win 1367, options [nop,nop,TS val 3513750812 ecr 3513742258], length 46
16:50:36.702618 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0xc36f), seq 730, ack 30655, win 1367, options [nop,nop,TS val 3513750816 ecr 3513743345], length 0
16:50:36.703369 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1f (incorrect -> 0xa46b), seq 730:776, ack 30655, win 1367, options [nop,nop,TS val 3513750816 ecr 3513743345], length 46
16:50:36.704683 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0xc2e8), seq 776, ack 30739, win 1367, options [nop,nop,TS val 3513750818 ecr 3513743348], length 0
16:50:42.365700 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfba2 (incorrect -> 0x521c), seq 12177:12223, ack 99081, win 1375, options [nop,nop,TS val 3513743109 ecr 3513741859], length 46
16:50:42.369046 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0xa07c), seq 12223, ack 102687, win 1375, options [nop,nop,TS val 3513743112 ecr 3513749012], length 0
16:50:42.369896 IP6 (hlim 63, next-header TCP (6) payload length: 80) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfba4 (incorrect -> 0x777f), seq 12223:12271, ack 102687, win 1375, options [nop,nop,TS val 3513743113 ecr 3513749012], length 48
16:50:42.369917 IP6 (hlim 63, next-header TCP (6) payload length: 370) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfcc6 (incorrect -> 0x6b62), seq 12271:12609, ack 102687, win 1375, options [nop,nop,TS val 3513743113 ecr 3513749012], length 338
16:50:42.369954 IP6 (hlim 63, next-header TCP (6) payload length: 70) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9a (incorrect -> 0xeaf4), seq 12609:12647, ack 102687, win 1375, options [nop,nop,TS val 3513743113 ecr 3513749012], length 38
16:50:42.372984 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x9e79), seq 12647, ack 102772, win 1375, options [nop,nop,TS val 3513743116 ecr 3513749014], length 0
16:50:42.373065 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x9108), seq 12647, ack 106209, win 1375, options [nop,nop,TS val 3513743117 ecr 3513749017], length 0
16:50:42.527069 IP6 (hlim 63, next-header TCP (6) payload length: 40) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [S], cksum 0xfb7d (incorrect -> 0x5a99), seq 1329528224, win 27600, options [mss 1380,sackOK,TS val 3513743270 ecr 0,nop,wscale 7], length 0
16:50:42.527318 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0x77b4), seq 1329528225, ack 3123405305, win 216, options [nop,nop,TS val 3513743271 ecr 3513749171], length 0
16:50:42.527701 IP6 (hlim 63, next-header TCP (6) payload length: 241) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfc46 (incorrect -> 0x12ac), seq 0:209, ack 1, win 216, options [nop,nop,TS val 3513743271 ecr 3513749171], length 209
16:50:42.531224 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0x716a), seq 209, ack 1372, win 238, options [nop,nop,TS val 3513743275 ecr 3513749175], length 0
16:50:42.532714 IP6 (hlim 63, next-header TCP (6) payload length: 137) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfbde (incorrect -> 0x5478), seq 209:314, ack 1372, win 238, options [nop,nop,TS val 3513743276 ecr 3513749175], length 105
16:50:42.533265 IP6 (hlim 63, next-header TCP (6) payload length: 125) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfbd2 (incorrect -> 0xd224), seq 314:407, ack 1485, win 238, options [nop,nop,TS val 3513743277 ecr 3513749177], length 93
16:50:42.533592 IP6 (hlim 63, next-header TCP (6) payload length: 993) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xff36 (incorrect -> 0x4f03), seq 407:1368, ack 1565, win 238, options [nop,nop,TS val 3513743277 ecr 3513749177], length 961
16:50:42.533647 IP6 (hlim 63, next-header TCP (6) payload length: 70) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9b (incorrect -> 0x5878), seq 1368:1406, ack 1565, win 238, options [nop,nop,TS val 3513743277 ecr 3513749177], length 38
16:50:42.535491 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0x541a), seq 1406, ack 7579, win 330, options [nop,nop,TS val 3513743279 ecr 3513749179], length 0
16:50:42.535530 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0x3e64), seq 1406, ack 13051, win 416, options [nop,nop,TS val 3513743279 ecr 3513749179], length 0
16:50:42.535634 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0x360f), seq 1406, ack 15152, win 448, options [nop,nop,TS val 3513743279 ecr 3513749179], length 0
...
16:50:45.217107 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfba2 (incorrect -> 0x1fac), seq 12647:12693, ack 106209, win 1375, options [nop,nop,TS val 3513745960 ecr 3513749017], length 46
16:50:45.221211 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x63d6), seq 12693, ack 112037, win 1375, options [nop,nop,TS val 3513745965 ecr 3513751865], length 0
16:50:45.221452 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9e (incorrect -> 0x6f23), seq 12693:12735, ack 112037, win 1375, options [nop,nop,TS val 3513745965 ecr 3513751865], length 42
16:50:46.078429 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0x4932), seq 4226, ack 130064, win 1801, options [nop,nop,TS val 3513746822 ecr 3513752722], length 0
16:50:46.078648 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9f (incorrect -> 0x264e), seq 4226:4268, ack 130064, win 1801, options [nop,nop,TS val 3513746822 ecr 3513752722], length 42
16:50:46.687823 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfba3 (incorrect -> 0x82dd), seq 4268:4314, ack 130064, win 1801, options [nop,nop,TS val 3513747431 ecr 3513752762], length 46
16:50:46.689914 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0x3e43), seq 4314, ack 131532, win 1822, options [nop,nop,TS val 3513747433 ecr 3513753333], length 0
16:50:46.690388 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfba3 (incorrect -> 0x4409), seq 4314:4360, ack 131532, win 1822, options [nop,nop,TS val 3513747434 ecr 3513753333], length 46
16:50:46.691982 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0x385a), seq 4360, ack 132973, win 1844, options [nop,nop,TS val 3513747435 ecr 3513753335], length 0
16:50:46.693553 IP6 (hlim 63, next-header TCP (6) payload length: 90) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfbaf (incorrect -> 0xb63d), seq 4360:4418, ack 132973, win 1844, options [nop,nop,TS val 3513747437 ecr 3513753335], length 58
16:50:46.693575 IP6 (hlim 63, next-header TCP (6) payload length: 103) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfbbc (incorrect -> 0x3478), seq 4418:4489, ack 132973, win 1844, options [nop,nop,TS val 3513747437 ecr 3513753335], length 71
16:50:46.693650 IP6 (hlim 63, next-header TCP (6) payload length: 70) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9b (incorrect -> 0xb27c), seq 4489:4527, ack 132973, win 1844, options [nop,nop,TS val 3513747437 ecr 3513753335], length 38
16:50:46.697341 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0x31d3), seq 4527, ack 134445, win 1867, options [nop,nop,TS val 3513747441 ecr 3513753338], length 0
16:50:46.702484 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0x2bff), seq 4527, ack 135902, win 1889, options [nop,nop,TS val 3513747446 ecr 3513753346], length 0
16:50:46.705157 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1f (incorrect -> 0x0867), seq 776:822, ack 30739, win 1367, options [nop,nop,TS val 3513760818 ecr 3513743348], length 46
16:50:46.711401 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x71db), seq 822, ack 31433, win 1367, options [nop,nop,TS val 3513760824 ecr 3513753351], length 0
16:50:46.711837 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1f (incorrect -> 0x1e9e), seq 822:868, ack 31433, win 1367, options [nop,nop,TS val 3513760825 ecr 3513753351], length 46
16:50:46.715492 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x714e), seq 868, ack 31517, win 1367, options [nop,nop,TS val 3513760828 ecr 3513753358], length 0
16:50:47.605640 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x5962), seq 868, ack 35859, win 1367, options [nop,nop,TS val 3513761719 ecr 3513754249], length 0
16:50:47.605784 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1b (incorrect -> 0xf075), seq 868:910, ack 35859, win 1367, options [nop,nop,TS val 3513761719 ecr 3513754249], length 42
16:50:47.605956 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xd9f1 (incorrect -> 0x4842), seq 910, ack 40201, win 1367, options [nop,nop,TS val 3513761719 ecr 3513754249], length 0
16:50:47.606044 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::3400.50160 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xda1b (incorrect -> 0x324e), seq 910:952, ack 40201, win 1367, options [nop,nop,TS val 3513761719 ecr 3513754249], length 42
16:50:49.104519 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0x12b2), seq 4527, ack 137550, win 1914, options [nop,nop,TS val 3513749848 ecr 3513755748], length 0
16:50:50.000756 IP6 (hlim 63, next-header TCP (6) payload length: 78) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfba2 (incorrect -> 0x1f71), seq 12735:12781, ack 112037, win 1375, options [nop,nop,TS val 3513750744 ecr 3513751905], length 46
16:50:50.004496 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x300a), seq 12781, ack 115643, win 1375, options [nop,nop,TS val 3513750748 ecr 3513756648], length 0
16:50:50.005532 IP6 (hlim 63, next-header TCP (6) payload length: 80) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfba4 (incorrect -> 0x7f93), seq 12781:12829, ack 115643, win 1375, options [nop,nop,TS val 3513750749 ecr 3513756648], length 48
16:50:50.005580 IP6 (hlim 63, next-header TCP (6) payload length: 370) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfcc6 (incorrect -> 0xff7c), seq 12829:13167, ack 115643, win 1375, options [nop,nop,TS val 3513750749 ecr 3513756648], length 338
16:50:50.005604 IP6 (hlim 63, next-header TCP (6) payload length: 70) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9a (incorrect -> 0x2805), seq 13167:13205, ack 115643, win 1375, options [nop,nop,TS val 3513750749 ecr 3513756648], length 38
16:50:50.009013 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5583.43808 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb74 (incorrect -> 0x209a), seq 13205, ack 119165, win 1375, options [nop,nop,TS val 3513750752 ecr 3513756650], length 0
16:50:50.126671 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0x042c), seq 4527, ack 139198, win 1940, options [nop,nop,TS val 3513750870 ecr 3513756770], length 0
16:50:50.126855 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9f (incorrect -> 0x87dd), seq 4527:4569, ack 139198, win 1940, options [nop,nop,TS val 3513750870 ecr 3513756770], length 42
16:50:50.131906 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0xfd6e), seq 4569, ack 140845, win 1966, options [nop,nop,TS val 3513750875 ecr 3513756775], length 0
16:50:51.703387 IP6 (hlim 63, next-header TCP (6) payload length: 112) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfbc5 (incorrect -> 0x2373), seq 4569:4649, ack 140845, win 1966, options [nop,nop,TS val 3513752447 ecr 3513756775], length 80
16:50:51.716588 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0xd591), seq 4649, ack 147750, win 2016, options [nop,nop,TS val 3513752460 ecr 3513758360], length 0
16:50:51.716649 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0xc031), seq 4649, ack 153222, win 2016, options [nop,nop,TS val 3513752460 ecr 3513758360], length 0
16:50:51.716769 IP6 (hlim 63, next-header TCP (6) payload length: 32) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [.], cksum 0xfb75 (incorrect -> 0xaa45), seq 4649, ack 158834, win 2016, options [nop,nop,TS val 3513752460 ecr 3513758360], length 0
16:50:51.716921 IP6 (hlim 63, next-header TCP (6) payload length: 74) xxxx:xxx:xxx:x:3000::5584.55158 > xxxx:xxx:xxx:x::111.6443: Flags [P.], cksum 0xfb9f (incorrect -> 0x5d64), seq 4649:4691, ack 158872, win 2016, options [nop,nop,TS val 3513752460 ecr 3513758360], length 42
...
Before we executed the sonobuoy run command, we tail-ed the logs of the calico-node pod of each node and redirected them to a file.
[root@b-ipv6-k8s-ms1 ~]# kubectl get pods -n kube-system -o wide | grep node
calico-node-jzpgz 1/1 Running 0 2m36s xxxx:xxx:xxx:x::111 b-ipv6-k8s-ms1 <none> <none>
calico-node-k7mxr 1/1 Running 0 2m9s xxxx:xxx:xxx:x::122 b-ipv6-k8s-wk2 <none> <none>
calico-node-q2n66 1/1 Running 0 2m19s xxxx:xxx:xxx:x::121 b-ipv6-k8s-wk1 <none> <none>
## In another terminal:
[root@b-ipv6-k8s-ms1 ~]# kubectl logs -n kube-system --follow --since=1s calico-node-q2n66 >> calico-node-wk1-1.log
## Yet in another terminal:
[root@b-ipv6-k8s-ms1 ~]# kubectl logs -n kube-system --follow --since=1s calico-node-k7mxr >> calico-node-wk2-1.log
The calico-node-wk[1-2]-1.log files can be found in 20200812-logs.zip.
We have set FELIX_LOGSEVERITYSCREEN to debug, so the size of the files went up to 18k+ lines.
Also, since the sonobuoy pod was scheduled in the b-ipv6-k8s-wk2 node, the file to check is calico-node-wk2-1.log.
We have also gathered the rules generated by ip6tables-save -c before and after the sonobuoy run command. However, they were only gathered on the master node side. Is that okay?
Before sonobuoy run command / ip6tables-before-success.txt:
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 16:43:32 2020
*mangle
:PREROUTING ACCEPT [3670489:299933554]
:INPUT ACCEPT [254209386:96476755856]
:FORWARD ACCEPT [523:62476]
:OUTPUT ACCEPT [253251660:110265695632]
:POSTROUTING ACCEPT [253252183:110265758108]
:cali-PREROUTING - [0:0]
:cali-failsafe-in - [0:0]
:cali-from-host-endpoint - [0:0]
[254211121:96476917027] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
[250540632:96176983473] -A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-PREROUTING -m comment --comment "cali:KX7AGNd6rMcDUai6" -m mark --mark 0x10000/0x10000 -j ACCEPT
[3670489:299933554] -A cali-PREROUTING -m comment --comment "cali:wNH7KsA3ILKJBsY9" -j cali-from-host-endpoint
[0:0] -A cali-PREROUTING -m comment --comment "cali:Cg96MgVuoPm7UMRo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:mPbJtAVtggkxHxc5" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:fO5oL6ZgWfrcySer" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:LaZshaEfmfK7yZxJ" -m multiport --dports 6667 -j ACCEPT
COMMIT
# Completed on Wed Aug 12 16:43:32 2020
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 16:43:32 2020
*raw
:PREROUTING ACCEPT [254211118:96476916811]
:OUTPUT ACCEPT [253251658:110265695488]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-failsafe-in - [0:0]
:cali-failsafe-out - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
[254211254:96476927651] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
[253251658:110265695488] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
[253251658:110265695488] -A cali-OUTPUT -m comment --comment "cali:njdnLwYeGqBJyMxW" -j MARK --set-xmark 0x0/0xf0000
[253251658:110265695488] -A cali-OUTPUT -m comment --comment "cali:rz86uTUcEZAfFsh7" -j cali-to-host-endpoint
[0:0] -A cali-OUTPUT -m comment --comment "cali:pN0F5zD0b8yf9W1Z" -m mark --mark 0x10000/0x10000 -j ACCEPT
[254211254:96476927651] -A cali-PREROUTING -m comment --comment "cali:XFX5xbM8B9qR10JG" -j MARK --set-xmark 0x0/0xf0000
[25741106:3594122061] -A cali-PREROUTING -i cali+ -m comment --comment "cali:EWMPb0zVROM-woQp" -j MARK --set-xmark 0x40000/0x40000
[136:10840] -A cali-PREROUTING -m comment --comment "cali:V6ooGP15glg7wm91" -m mark --mark 0x40000/0x40000 -m rpfilter --invert -j DROP
[228470148:92882805590] -A cali-PREROUTING -m comment --comment "cali:RMTzKqp0j735XfY4" -m mark --mark 0x0/0x40000 -j cali-from-host-endpoint
[0:0] -A cali-PREROUTING -m comment --comment "cali:T8-Zfumo2dKygI73" -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:mPbJtAVtggkxHxc5" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:fO5oL6ZgWfrcySer" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:LaZshaEfmfK7yZxJ" -m multiport --dports 6667 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:fbYikSrS3FDgSouR" -m multiport --sports 53 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:8UOIQCAJz-_58Uh5" -m multiport --sports 67 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:GyksmUvvbhmM211m" -m multiport --sports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:SkYSmU5eonWqL-1u" -m multiport --sports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:lHgbr-PUyt1svFgh" -m multiport --sports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:FILVxC04GR2ken1t" -m multiport --sports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:xlr_BWr0CBZ3xOMa" -m multiport --sports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:hYM8-jR-CdKF7cWt" -m multiport --sports 6667 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:82hjfji-wChFhAqL" -m multiport --dports 53 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:TNM3RfEjbNr72hgH" -m multiport --dports 67 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:ycxKitIl4u3dK0HR" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:hxjEWyxdkXXkdvut" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:cA_GLtruuvG88KiO" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:8SAxPXDH-KtRtgCC" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:9WSIxuMDm1HHMb92" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:VKKssDqC9SjhUz5c" -m multiport --dports 6667 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:XvT4hmhByQ4TNO7Z" -m multiport --sports 22 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:tRSUx3a-0xrrHH0q" -m multiport --sports 68 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:VNOCkjWk1hxsHwxW" -m multiport --sports 179 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:IhBxXyKym3wOjnyY" -m multiport --sports 2379 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:mtQtSz8udwrYsX9y" -m multiport --sports 2380 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:tZg4sFv0MwsSGo9t" -m multiport --sports 6443 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:t81Srej36zNbRD9A" -m multiport --sports 6666 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:uCIgU-IZNI2XonDU" -m multiport --sports 6667 -j ACCEPT
COMMIT
# Completed on Wed Aug 12 16:43:32 2020
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 16:43:32 2020
*filter
:INPUT ACCEPT [867:211368]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [946:303936]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-failsafe-in - [0:0]
:cali-failsafe-out - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-fw-cali30b9bf9a537 - [0:0]
:cali-fw-calice01ffe2489 - [0:0]
:cali-pri-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pri-kns.kube-system - [0:0]
:cali-pro-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pro-kns.kube-system - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-tw-cali30b9bf9a537 - [0:0]
:cali-tw-calice01ffe2489 - [0:0]
:cali-wl-to-host - [0:0]
[102339579:24963959021] -A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
[4:320] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[3615302:289234548] -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[3615302:289234548] -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
[523:62476] -A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
[254:29281] -A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
[192:19968] -A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[253251660:110265695632] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
[4865319:389238978] -A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[0:0] -A KUBE-EXTERNAL-SERVICES -p tcp -m comment --comment "default/nginx:80-80 has no endpoints" -m addrtype --dst-type LOCAL -m tcp --dport 30027 -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
[0:0] -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
[0:0] -A KUBE-FORWARD -s xxxx:xxx:xxx:x:3000::/112 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A KUBE-FORWARD -d xxxx:xxx:xxx:x:3000::/112 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::c834/128 -p tcp -m comment --comment "default/nginx:80-80 has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp6-port-unreachable
[523:62476] -A cali-FORWARD -m comment --comment "cali:vjrMJCRpqwy5oRoX" -j MARK --set-xmark 0x0/0xe0000
[523:62476] -A cali-FORWARD -m comment --comment "cali:A_sPAO0mcxbT9mOV" -m mark --mark 0x0/0x10000 -j cali-from-hep-forward
[134:19918] -A cali-FORWARD -i cali+ -m comment --comment "cali:8ZoYfO5HKXWbB3pk" -j cali-from-wl-dispatch
[135:13277] -A cali-FORWARD -o cali+ -m comment --comment "cali:jdEuaPBe14V2hutn" -j cali-to-wl-dispatch
[375:41095] -A cali-FORWARD -m comment --comment "cali:12bc6HljsMKsmfr-" -j cali-to-hep-forward
[121:11814] -A cali-FORWARD -m comment --comment "cali:MH9kMp5aNICL-Olv" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[25740757:3594084567] -A cali-INPUT -i cali+ -m comment --comment "cali:FewJpBykm9iJ-YNH" -g cali-wl-to-host
[0:0] -A cali-INPUT -m comment --comment "cali:hder3ARWznqqv8Va" -m mark --mark 0x10000/0x10000 -j ACCEPT
[228468629:92882671289] -A cali-INPUT -m comment --comment "cali:xgOu2uJft6H9oDGF" -j MARK --set-xmark 0x0/0xf0000
[228468629:92882671289] -A cali-INPUT -m comment --comment "cali:_-d-qojMfHM6NwBo" -j cali-from-host-endpoint
[0:0] -A cali-INPUT -m comment --comment "cali:LqmE76MP94lZTGhA" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-OUTPUT -m comment --comment "cali:Mq1_rAdXXH3YkrzW" -m mark --mark 0x10000/0x10000 -j ACCEPT
[26651449:7826696709] -A cali-OUTPUT -o cali+ -m comment --comment "cali:69FkRTJDvD5Vu6Vl" -j RETURN
[226600211:102438998923] -A cali-OUTPUT -m comment --comment "cali:Fskumj4SGQtDV6GC" -j MARK --set-xmark 0x0/0xf0000
[226600211:102438998923] -A cali-OUTPUT -m comment --comment "cali:8rXMdo5sNesjJxGc" -j cali-to-host-endpoint
[0:0] -A cali-OUTPUT -m comment --comment "cali:Ja-pnrHi-PrNKxgd" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:mPbJtAVtggkxHxc5" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:fO5oL6ZgWfrcySer" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:LaZshaEfmfK7yZxJ" -m multiport --dports 6667 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:82hjfji-wChFhAqL" -m multiport --dports 53 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:TNM3RfEjbNr72hgH" -m multiport --dports 67 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:ycxKitIl4u3dK0HR" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:hxjEWyxdkXXkdvut" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:cA_GLtruuvG88KiO" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:8SAxPXDH-KtRtgCC" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:9WSIxuMDm1HHMb92" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:VKKssDqC9SjhUz5c" -m multiport --dports 6667 -j ACCEPT
[4945780:436138792] -A cali-from-wl-dispatch -i cali30b9bf9a537 -m comment --comment "cali:TdkUO3g2bmtPBzT2" -g cali-fw-cali30b9bf9a537
[1664407:146806818] -A cali-from-wl-dispatch -i calice01ffe2489 -m comment --comment "cali:qZtqeqL0_4Qh9GSl" -g cali-fw-calice01ffe2489
[0:0] -A cali-from-wl-dispatch -m comment --comment "cali:WMRy35io39Nv01Hy" -m comment --comment "Unknown interface" -j DROP
[4945777:436138552] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:_kRSnZbQHQcu3znT" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:h3_y1VVa-AeSxYZh" -m conntrack --ctstate INVALID -j DROP
[3:240] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:whAvY_pnCW2iotQC" -j MARK --set-xmark 0x0/0x10000
[0:0] -A cali-fw-cali30b9bf9a537 -p udp -m comment --comment "cali:1kKNxPgeLM5SZ2YH" -m comment --comment "Drop VXLAN encapped packets originating in pods" -m multiport --dports 4789 -j DROP
[0:0] -A cali-fw-cali30b9bf9a537 -p ipv4 -m comment --comment "cali:l-iND7FoAfGB8Y9y" -m comment --comment "Drop IPinIP encapped packets originating in pods" -j DROP
[3:240] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:8Myt6biblGcgMGri" -j cali-pro-kns.kube-system
[3:240] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:AWrwzwXhvm39hdGT" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:4maW0RA5gdKyBjGZ" -j cali-pro-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:bVSwbnML1hdeF8rP" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:ZMNXlx-shVA2lOFu" -m comment --comment "Drop if no profiles matched" -j DROP
[4946241:436171944] -A cali-fw-calice01ffe2489 -m comment --comment "cali:SElIeFT_TuDlXqwG" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:hLIGQ7Yq-h6QiMAU" -m conntrack --ctstate INVALID -j DROP
[3:240] -A cali-fw-calice01ffe2489 -m comment --comment "cali:f-oplNjx0zZFhKEE" -j MARK --set-xmark 0x0/0x10000
[0:0] -A cali-fw-calice01ffe2489 -p udp -m comment --comment "cali:GTb-M1r1oyT35RCX" -m comment --comment "Drop VXLAN encapped packets originating in pods" -m multiport --dports 4789 -j DROP
[0:0] -A cali-fw-calice01ffe2489 -p ipv4 -m comment --comment "cali:FOM2BQGwKtQgJnD-" -m comment --comment "Drop IPinIP encapped packets originating in pods" -j DROP
[3:240] -A cali-fw-calice01ffe2489 -m comment --comment "cali:7w3JCfcr7z6zn8fG" -j cali-pro-kns.kube-system
[3:240] -A cali-fw-calice01ffe2489 -m comment --comment "cali:9Raus9F8bAWFsGTH" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:8ebHx-RG5s1GS9xy" -j cali-pro-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:V3M9bhftjmI9XJJp" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:ptKo9gdgteT0iymb" -m comment --comment "Drop if no profiles matched" -j DROP
[121:11814] -A cali-pri-kns.kube-system -m comment --comment "cali:zoH5gU6U55FKZxEo" -j MARK --set-xmark 0x10000/0x10000
[121:11814] -A cali-pri-kns.kube-system -m comment --comment "cali:bcGRIJcyOS9dgBiB" -m mark --mark 0x10000/0x10000 -j RETURN
[7:560] -A cali-pro-kns.kube-system -m comment --comment "cali:-50oJuMfLVO3LkBk" -j MARK --set-xmark 0x10000/0x10000
[7:560] -A cali-pro-kns.kube-system -m comment --comment "cali:ztVPKv1UYejNzm1g" -m mark --mark 0x10000/0x10000 -j RETURN
[78:7815] -A cali-to-wl-dispatch -o cali30b9bf9a537 -m comment --comment "cali:PRmMjbBkzhhGb8cM" -g cali-tw-cali30b9bf9a537
[0:0] -A cali-to-wl-dispatch -o calice01ffe2489 -m comment --comment "cali:qeRfW5mCBi1pF2PZ" -g cali-tw-calice01ffe2489
[0:0] -A cali-to-wl-dispatch -m comment --comment "cali:Gj7sBQkFSZeSGmsH" -m comment --comment "Unknown interface" -j DROP
[12:1283] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:-CoCh3ZUa7b1RPI6" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:k6bxa2bOjxZZ2vQ1" -m conntrack --ctstate INVALID -j DROP
[66:6532] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:Ug7BQ-QLkNwkNAxC" -j MARK --set-xmark 0x0/0x10000
[66:6532] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:S2sadggM5ckEWxzv" -j cali-pri-kns.kube-system
[66:6532] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:74v0PKh0InLzbtF2" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:TKKNotNJ67L58YJH" -j cali-pri-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:b-IgDIfWh1nZOl2p" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:3WRrggKrMW9CxAF-" -m comment --comment "Drop if no profiles matched" -j DROP
[2:180] -A cali-tw-calice01ffe2489 -m comment --comment "cali:EOncPVWzTONIWYRF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:8rX1rZeYRHVKDKg7" -m conntrack --ctstate INVALID -j DROP
[55:5282] -A cali-tw-calice01ffe2489 -m comment --comment "cali:xPumpNvsEAo8G1oj" -j MARK --set-xmark 0x0/0x10000
[55:5282] -A cali-tw-calice01ffe2489 -m comment --comment "cali:gmc8p-JdtN479jqa" -j cali-pri-kns.kube-system
[55:5282] -A cali-tw-calice01ffe2489 -m comment --comment "cali:DiquB76f6PYstd2p" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:nKureDF-uMd7R7Fd" -j cali-pri-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:gjLQ9ONkBs5nwG0J" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:hOh5mtuRyo9xQWzk" -m comment --comment "Drop if no profiles matched" -j DROP
[0:0] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:TYeA_BqDrPHaAt6E" -m icmp6 --icmpv6-type 130 -j ACCEPT
[0:0] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:5ugan8LfmJg_BiJc" -m icmp6 --icmpv6-type 131 -j ACCEPT
[0:0] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:Fl5LHxdlOnUNgCc4" -m icmp6 --icmpv6-type 132 -j ACCEPT
[45:2520] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:tNvzCkGVISJ3ZXdS" -m icmp6 --icmpv6-type 133 -j ACCEPT
[20:1440] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:86e1wB5w3SEOMrZb" -m icmp6 --icmpv6-type 135 -j ACCEPT
[28:1896] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:kCq3XXx0yCb5mSXt" -m icmp6 --icmpv6-type 136 -j ACCEPT
[25740664:3594078711] -A cali-wl-to-host -m comment --comment "cali:qQJuyC_KUUNb16sA" -j cali-from-wl-dispatch
[35:2800] -A cali-wl-to-host -m comment --comment "cali:TEAa8oLTO9cQ8kDr" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
COMMIT
# Completed on Wed Aug 12 16:43:32 2020
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 16:43:32 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [16:1280]
:POSTROUTING ACCEPT [16:1280]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-6B5SP7D5ASD3CW5Y - [0:0]
:KUBE-SEP-BGROXOK5IGCUJXP3 - [0:0]
:KUBE-SEP-BZXS7E4L6UMNVEC6 - [0:0]
:KUBE-SEP-HV7FJCKRVMU7FEF3 - [0:0]
:KUBE-SEP-K3TOD5ZA2L5A3YZL - [0:0]
:KUBE-SEP-OGBCM5DU7623OXI6 - [0:0]
:KUBE-SEP-PNNLZDMSTYYB55XI - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
[122433:9796908] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
[122433:9796908] -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[4865134:389220102] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
[4865206:389225854] -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[1157061:92565284] -A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
[0:0] -A POSTROUTING ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::1/128 -p tcp -m tcp --dport 443 -j MASQUERADE
[4864679:389185570] -A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
[0:0] -A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
[0:0] -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
[0:0] -A KUBE-SEP-6B5SP7D5ASD3CW5Y -s xxxx:xxx:xxx:x::111/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-6B5SP7D5ASD3CW5Y -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x::111]:6443
[0:0] -A KUBE-SEP-BGROXOK5IGCUJXP3 -s xxxx:xxx:xxx:x:3000::c6c2/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-BGROXOK5IGCUJXP3 -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c2]:53
[0:0] -A KUBE-SEP-BZXS7E4L6UMNVEC6 -s xxxx:xxx:xxx:x:3000::c6c0/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-BZXS7E4L6UMNVEC6 -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c0]:9153
[0:0] -A KUBE-SEP-HV7FJCKRVMU7FEF3 -s xxxx:xxx:xxx:x:3000::c6c0/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-HV7FJCKRVMU7FEF3 -p udp -m udp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c0]:53
[0:0] -A KUBE-SEP-K3TOD5ZA2L5A3YZL -s xxxx:xxx:xxx:x:3000::c6c0/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-K3TOD5ZA2L5A3YZL -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c0]:53
[0:0] -A KUBE-SEP-OGBCM5DU7623OXI6 -s xxxx:xxx:xxx:x:3000::c6c2/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-OGBCM5DU7623OXI6 -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c2]:9153
[0:0] -A KUBE-SEP-PNNLZDMSTYYB55XI -s xxxx:xxx:xxx:x:3000::c6c2/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-PNNLZDMSTYYB55XI -p udp -m udp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c2]:53
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::a/128 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::a/128 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::1/128 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::1/128 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
[7:560] -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
[0:0] -A KUBE-SVC-ERIFXISQEP7F7OF4 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-K3TOD5ZA2L5A3YZL
[0:0] -A KUBE-SVC-ERIFXISQEP7F7OF4 -j KUBE-SEP-BGROXOK5IGCUJXP3
[0:0] -A KUBE-SVC-JD5MR3NA4I4DYORP -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BZXS7E4L6UMNVEC6
[0:0] -A KUBE-SVC-JD5MR3NA4I4DYORP -j KUBE-SEP-OGBCM5DU7623OXI6
[0:0] -A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-6B5SP7D5ASD3CW5Y
[0:0] -A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-HV7FJCKRVMU7FEF3
[0:0] -A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-PNNLZDMSTYYB55XI
[4865134:389220102] -A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
[4864945:389206858] -A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
[4864945:389206858] -A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
[122433:9796908] -A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
COMMIT
# Completed on Wed Aug 12 16:43:32 2020
After sonobuoy run command / ip6tables-after-success.txt:
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 16:51:33 2020
*mangle
:PREROUTING ACCEPT [3670681:299959018]
:INPUT ACCEPT [254307977:96505166021]
:FORWARD ACCEPT [523:62476]
:OUTPUT ACCEPT [253328482:110287616361]
:POSTROUTING ACCEPT [253329005:110287678837]
:cali-PREROUTING - [0:0]
:cali-failsafe-in - [0:0]
:cali-from-host-endpoint - [0:0]
[254309712:96505327192] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
[250639031:96205368174] -A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-PREROUTING -m comment --comment "cali:KX7AGNd6rMcDUai6" -m mark --mark 0x10000/0x10000 -j ACCEPT
[3670681:299959018] -A cali-PREROUTING -m comment --comment "cali:wNH7KsA3ILKJBsY9" -j cali-from-host-endpoint
[0:0] -A cali-PREROUTING -m comment --comment "cali:Cg96MgVuoPm7UMRo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:mPbJtAVtggkxHxc5" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:fO5oL6ZgWfrcySer" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:LaZshaEfmfK7yZxJ" -m multiport --dports 6667 -j ACCEPT
COMMIT
# Completed on Wed Aug 12 16:51:33 2020
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 16:51:33 2020
*raw
:PREROUTING ACCEPT [254309716:96505328546]
:OUTPUT ACCEPT [253328487:110287617787]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-failsafe-in - [0:0]
:cali-failsafe-out - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
[254309852:96505339386] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
[253328487:110287617787] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
[253328487:110287617787] -A cali-OUTPUT -m comment --comment "cali:njdnLwYeGqBJyMxW" -j MARK --set-xmark 0x0/0xf0000
[253328487:110287617787] -A cali-OUTPUT -m comment --comment "cali:rz86uTUcEZAfFsh7" -j cali-to-host-endpoint
[0:0] -A cali-OUTPUT -m comment --comment "cali:pN0F5zD0b8yf9W1Z" -m mark --mark 0x10000/0x10000 -j ACCEPT
[254309852:96505339386] -A cali-PREROUTING -m comment --comment "cali:XFX5xbM8B9qR10JG" -j MARK --set-xmark 0x0/0xf0000
[25743149:3594301665] -A cali-PREROUTING -i cali+ -m comment --comment "cali:EWMPb0zVROM-woQp" -j MARK --set-xmark 0x40000/0x40000
[136:10840] -A cali-PREROUTING -m comment --comment "cali:V6ooGP15glg7wm91" -m mark --mark 0x40000/0x40000 -m rpfilter --invert -j DROP
[228566703:92911037721] -A cali-PREROUTING -m comment --comment "cali:RMTzKqp0j735XfY4" -m mark --mark 0x0/0x40000 -j cali-from-host-endpoint
[0:0] -A cali-PREROUTING -m comment --comment "cali:T8-Zfumo2dKygI73" -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:mPbJtAVtggkxHxc5" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:fO5oL6ZgWfrcySer" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:LaZshaEfmfK7yZxJ" -m multiport --dports 6667 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:fbYikSrS3FDgSouR" -m multiport --sports 53 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:8UOIQCAJz-_58Uh5" -m multiport --sports 67 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:GyksmUvvbhmM211m" -m multiport --sports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:SkYSmU5eonWqL-1u" -m multiport --sports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:lHgbr-PUyt1svFgh" -m multiport --sports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:FILVxC04GR2ken1t" -m multiport --sports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:xlr_BWr0CBZ3xOMa" -m multiport --sports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:hYM8-jR-CdKF7cWt" -m multiport --sports 6667 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:82hjfji-wChFhAqL" -m multiport --dports 53 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:TNM3RfEjbNr72hgH" -m multiport --dports 67 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:ycxKitIl4u3dK0HR" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:hxjEWyxdkXXkdvut" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:cA_GLtruuvG88KiO" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:8SAxPXDH-KtRtgCC" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:9WSIxuMDm1HHMb92" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:VKKssDqC9SjhUz5c" -m multiport --dports 6667 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:XvT4hmhByQ4TNO7Z" -m multiport --sports 22 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:tRSUx3a-0xrrHH0q" -m multiport --sports 68 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:VNOCkjWk1hxsHwxW" -m multiport --sports 179 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:IhBxXyKym3wOjnyY" -m multiport --sports 2379 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:mtQtSz8udwrYsX9y" -m multiport --sports 2380 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:tZg4sFv0MwsSGo9t" -m multiport --sports 6443 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:t81Srej36zNbRD9A" -m multiport --sports 6666 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:uCIgU-IZNI2XonDU" -m multiport --sports 6667 -j ACCEPT
COMMIT
# Completed on Wed Aug 12 16:51:33 2020
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 16:51:33 2020
*filter
:INPUT ACCEPT [6685:1764222]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4878:1099335]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-failsafe-in - [0:0]
:cali-failsafe-out - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-fw-cali30b9bf9a537 - [0:0]
:cali-fw-calice01ffe2489 - [0:0]
:cali-pri-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pri-kns.kube-system - [0:0]
:cali-pro-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pro-kns.kube-system - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-tw-cali30b9bf9a537 - [0:0]
:cali-tw-calice01ffe2489 - [0:0]
:cali-wl-to-host - [0:0]
[102438178:24992370870] -A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
[4:320] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[3615471:289248068] -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[3615471:289248068] -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
[523:62476] -A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
[254:29281] -A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
[192:19968] -A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[253328490:110287618045] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
[4865673:389267298] -A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[0:0] -A KUBE-EXTERNAL-SERVICES -p tcp -m comment --comment "default/nginx:80-80 has no endpoints" -m addrtype --dst-type LOCAL -m tcp --dport 30027 -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
[0:0] -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
[0:0] -A KUBE-FORWARD -s xxxx:xxx:xxx:x:3000::/112 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A KUBE-FORWARD -d xxxx:xxx:xxx:x:3000::/112 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::c834/128 -p tcp -m comment --comment "default/nginx:80-80 has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp6-port-unreachable
[523:62476] -A cali-FORWARD -m comment --comment "cali:vjrMJCRpqwy5oRoX" -j MARK --set-xmark 0x0/0xe0000
[523:62476] -A cali-FORWARD -m comment --comment "cali:A_sPAO0mcxbT9mOV" -m mark --mark 0x0/0x10000 -j cali-from-hep-forward
[134:19918] -A cali-FORWARD -i cali+ -m comment --comment "cali:8ZoYfO5HKXWbB3pk" -j cali-from-wl-dispatch
[135:13277] -A cali-FORWARD -o cali+ -m comment --comment "cali:jdEuaPBe14V2hutn" -j cali-to-wl-dispatch
[375:41095] -A cali-FORWARD -m comment --comment "cali:12bc6HljsMKsmfr-" -j cali-to-hep-forward
[121:11814] -A cali-FORWARD -m comment --comment "cali:MH9kMp5aNICL-Olv" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[25742800:3594264171] -A cali-INPUT -i cali+ -m comment --comment "cali:FewJpBykm9iJ-YNH" -g cali-wl-to-host
[0:0] -A cali-INPUT -m comment --comment "cali:hder3ARWznqqv8Va" -m mark --mark 0x10000/0x10000 -j ACCEPT
[228565185:92910903534] -A cali-INPUT -m comment --comment "cali:xgOu2uJft6H9oDGF" -j MARK --set-xmark 0x0/0xf0000
[228565185:92910903534] -A cali-INPUT -m comment --comment "cali:_-d-qojMfHM6NwBo" -j cali-from-host-endpoint
[0:0] -A cali-INPUT -m comment --comment "cali:LqmE76MP94lZTGhA" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-OUTPUT -m comment --comment "cali:Mq1_rAdXXH3YkrzW" -m mark --mark 0x10000/0x10000 -j ACCEPT
[26653508:7827346173] -A cali-OUTPUT -o cali+ -m comment --comment "cali:69FkRTJDvD5Vu6Vl" -j RETURN
[226674982:102460271872] -A cali-OUTPUT -m comment --comment "cali:Fskumj4SGQtDV6GC" -j MARK --set-xmark 0x0/0xf0000
[226674982:102460271872] -A cali-OUTPUT -m comment --comment "cali:8rXMdo5sNesjJxGc" -j cali-to-host-endpoint
[0:0] -A cali-OUTPUT -m comment --comment "cali:Ja-pnrHi-PrNKxgd" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:mPbJtAVtggkxHxc5" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:fO5oL6ZgWfrcySer" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:LaZshaEfmfK7yZxJ" -m multiport --dports 6667 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:82hjfji-wChFhAqL" -m multiport --dports 53 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:TNM3RfEjbNr72hgH" -m multiport --dports 67 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:ycxKitIl4u3dK0HR" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:hxjEWyxdkXXkdvut" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:cA_GLtruuvG88KiO" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:8SAxPXDH-KtRtgCC" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:9WSIxuMDm1HHMb92" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:VKKssDqC9SjhUz5c" -m multiport --dports 6667 -j ACCEPT
[4946802:436228666] -A cali-from-wl-dispatch -i cali30b9bf9a537 -m comment --comment "cali:TdkUO3g2bmtPBzT2" -g cali-fw-cali30b9bf9a537
[1665428:146896548] -A cali-from-wl-dispatch -i calice01ffe2489 -m comment --comment "cali:qZtqeqL0_4Qh9GSl" -g cali-fw-calice01ffe2489
[0:0] -A cali-from-wl-dispatch -m comment --comment "cali:WMRy35io39Nv01Hy" -m comment --comment "Unknown interface" -j DROP
[4946799:436228426] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:_kRSnZbQHQcu3znT" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:h3_y1VVa-AeSxYZh" -m conntrack --ctstate INVALID -j DROP
[3:240] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:whAvY_pnCW2iotQC" -j MARK --set-xmark 0x0/0x10000
[0:0] -A cali-fw-cali30b9bf9a537 -p udp -m comment --comment "cali:1kKNxPgeLM5SZ2YH" -m comment --comment "Drop VXLAN encapped packets originating in pods" -m multiport --dports 4789 -j DROP
[0:0] -A cali-fw-cali30b9bf9a537 -p ipv4 -m comment --comment "cali:l-iND7FoAfGB8Y9y" -m comment --comment "Drop IPinIP encapped packets originating in pods" -j DROP
[3:240] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:8Myt6biblGcgMGri" -j cali-pro-kns.kube-system
[3:240] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:AWrwzwXhvm39hdGT" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:4maW0RA5gdKyBjGZ" -j cali-pro-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:bVSwbnML1hdeF8rP" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:ZMNXlx-shVA2lOFu" -m comment --comment "Drop if no profiles matched" -j DROP
[4947262:436261674] -A cali-fw-calice01ffe2489 -m comment --comment "cali:SElIeFT_TuDlXqwG" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:hLIGQ7Yq-h6QiMAU" -m conntrack --ctstate INVALID -j DROP
[3:240] -A cali-fw-calice01ffe2489 -m comment --comment "cali:f-oplNjx0zZFhKEE" -j MARK --set-xmark 0x0/0x10000
[0:0] -A cali-fw-calice01ffe2489 -p udp -m comment --comment "cali:GTb-M1r1oyT35RCX" -m comment --comment "Drop VXLAN encapped packets originating in pods" -m multiport --dports 4789 -j DROP
[0:0] -A cali-fw-calice01ffe2489 -p ipv4 -m comment --comment "cali:FOM2BQGwKtQgJnD-" -m comment --comment "Drop IPinIP encapped packets originating in pods" -j DROP
[3:240] -A cali-fw-calice01ffe2489 -m comment --comment "cali:7w3JCfcr7z6zn8fG" -j cali-pro-kns.kube-system
[3:240] -A cali-fw-calice01ffe2489 -m comment --comment "cali:9Raus9F8bAWFsGTH" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:8ebHx-RG5s1GS9xy" -j cali-pro-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:V3M9bhftjmI9XJJp" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:ptKo9gdgteT0iymb" -m comment --comment "Drop if no profiles matched" -j DROP
[121:11814] -A cali-pri-kns.kube-system -m comment --comment "cali:zoH5gU6U55FKZxEo" -j MARK --set-xmark 0x10000/0x10000
[121:11814] -A cali-pri-kns.kube-system -m comment --comment "cali:bcGRIJcyOS9dgBiB" -m mark --mark 0x10000/0x10000 -j RETURN
[7:560] -A cali-pro-kns.kube-system -m comment --comment "cali:-50oJuMfLVO3LkBk" -j MARK --set-xmark 0x10000/0x10000
[7:560] -A cali-pro-kns.kube-system -m comment --comment "cali:ztVPKv1UYejNzm1g" -m mark --mark 0x10000/0x10000 -j RETURN
[78:7815] -A cali-to-wl-dispatch -o cali30b9bf9a537 -m comment --comment "cali:PRmMjbBkzhhGb8cM" -g cali-tw-cali30b9bf9a537
[0:0] -A cali-to-wl-dispatch -o calice01ffe2489 -m comment --comment "cali:qeRfW5mCBi1pF2PZ" -g cali-tw-calice01ffe2489
[0:0] -A cali-to-wl-dispatch -m comment --comment "cali:Gj7sBQkFSZeSGmsH" -m comment --comment "Unknown interface" -j DROP
[12:1283] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:-CoCh3ZUa7b1RPI6" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:k6bxa2bOjxZZ2vQ1" -m conntrack --ctstate INVALID -j DROP
[66:6532] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:Ug7BQ-QLkNwkNAxC" -j MARK --set-xmark 0x0/0x10000
[66:6532] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:S2sadggM5ckEWxzv" -j cali-pri-kns.kube-system
[66:6532] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:74v0PKh0InLzbtF2" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:TKKNotNJ67L58YJH" -j cali-pri-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:b-IgDIfWh1nZOl2p" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:3WRrggKrMW9CxAF-" -m comment --comment "Drop if no profiles matched" -j DROP
[2:180] -A cali-tw-calice01ffe2489 -m comment --comment "cali:EOncPVWzTONIWYRF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:8rX1rZeYRHVKDKg7" -m conntrack --ctstate INVALID -j DROP
[55:5282] -A cali-tw-calice01ffe2489 -m comment --comment "cali:xPumpNvsEAo8G1oj" -j MARK --set-xmark 0x0/0x10000
[55:5282] -A cali-tw-calice01ffe2489 -m comment --comment "cali:gmc8p-JdtN479jqa" -j cali-pri-kns.kube-system
[55:5282] -A cali-tw-calice01ffe2489 -m comment --comment "cali:DiquB76f6PYstd2p" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:nKureDF-uMd7R7Fd" -j cali-pri-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:gjLQ9ONkBs5nwG0J" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:hOh5mtuRyo9xQWzk" -m comment --comment "Drop if no profiles matched" -j DROP
[0:0] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:TYeA_BqDrPHaAt6E" -m icmp6 --icmpv6-type 130 -j ACCEPT
[0:0] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:5ugan8LfmJg_BiJc" -m icmp6 --icmpv6-type 131 -j ACCEPT
[0:0] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:Fl5LHxdlOnUNgCc4" -m icmp6 --icmpv6-type 132 -j ACCEPT
[45:2520] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:tNvzCkGVISJ3ZXdS" -m icmp6 --icmpv6-type 133 -j ACCEPT
[20:1440] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:86e1wB5w3SEOMrZb" -m icmp6 --icmpv6-type 135 -j ACCEPT
[28:1896] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:kCq3XXx0yCb5mSXt" -m icmp6 --icmpv6-type 136 -j ACCEPT
[25742707:3594258315] -A cali-wl-to-host -m comment --comment "cali:qQJuyC_KUUNb16sA" -j cali-from-wl-dispatch
[35:2800] -A cali-wl-to-host -m comment --comment "cali:TEAa8oLTO9cQ8kDr" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
COMMIT
# Completed on Wed Aug 12 16:51:33 2020
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 16:51:33 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [15:1200]
:POSTROUTING ACCEPT [15:1200]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-6B5SP7D5ASD3CW5Y - [0:0]
:KUBE-SEP-BGROXOK5IGCUJXP3 - [0:0]
:KUBE-SEP-BZXS7E4L6UMNVEC6 - [0:0]
:KUBE-SEP-HV7FJCKRVMU7FEF3 - [0:0]
:KUBE-SEP-K3TOD5ZA2L5A3YZL - [0:0]
:KUBE-SEP-OGBCM5DU7623OXI6 - [0:0]
:KUBE-SEP-PNNLZDMSTYYB55XI - [0:0]
:KUBE-SEP-V3SQHT4VN75PHYKP - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-45SAB6SQZMFLFICK - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
[122446:9797948] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
[122446:9797948] -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[4865488:389248422] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
[4865560:389254174] -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[1157415:92593604] -A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
[0:0] -A POSTROUTING ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::1/128 -p tcp -m tcp --dport 443 -j MASQUERADE
[4865033:389213890] -A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
[0:0] -A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
[0:0] -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
[0:0] -A KUBE-SEP-6B5SP7D5ASD3CW5Y -s xxxx:xxx:xxx:x::111/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-6B5SP7D5ASD3CW5Y -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x::111]:6443
[0:0] -A KUBE-SEP-BGROXOK5IGCUJXP3 -s xxxx:xxx:xxx:x:3000::c6c2/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-BGROXOK5IGCUJXP3 -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c2]:53
[0:0] -A KUBE-SEP-BZXS7E4L6UMNVEC6 -s xxxx:xxx:xxx:x:3000::c6c0/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-BZXS7E4L6UMNVEC6 -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c0]:9153
[0:0] -A KUBE-SEP-HV7FJCKRVMU7FEF3 -s xxxx:xxx:xxx:x:3000::c6c0/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-HV7FJCKRVMU7FEF3 -p udp -m udp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c0]:53
[0:0] -A KUBE-SEP-K3TOD5ZA2L5A3YZL -s xxxx:xxx:xxx:x:3000::c6c0/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-K3TOD5ZA2L5A3YZL -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c0]:53
[0:0] -A KUBE-SEP-OGBCM5DU7623OXI6 -s xxxx:xxx:xxx:x:3000::c6c2/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-OGBCM5DU7623OXI6 -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c2]:9153
[0:0] -A KUBE-SEP-PNNLZDMSTYYB55XI -s xxxx:xxx:xxx:x:3000::c6c2/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-PNNLZDMSTYYB55XI -p udp -m udp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c2]:53
[0:0] -A KUBE-SEP-V3SQHT4VN75PHYKP -s xxxx:xxx:xxx:x:3000::5583/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-V3SQHT4VN75PHYKP -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::5583]:8080
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::1/128 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::1/128 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::a/128 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::a/128 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::b90c/128 -p tcp -m comment --comment "sonobuoy/sonobuoy-master: cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::b90c/128 -p tcp -m comment --comment "sonobuoy/sonobuoy-master: cluster IP" -m tcp --dport 8080 -j KUBE-SVC-45SAB6SQZMFLFICK
[7:560] -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
[0:0] -A KUBE-SVC-45SAB6SQZMFLFICK -j KUBE-SEP-V3SQHT4VN75PHYKP
[0:0] -A KUBE-SVC-ERIFXISQEP7F7OF4 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-K3TOD5ZA2L5A3YZL
[0:0] -A KUBE-SVC-ERIFXISQEP7F7OF4 -j KUBE-SEP-BGROXOK5IGCUJXP3
[0:0] -A KUBE-SVC-JD5MR3NA4I4DYORP -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BZXS7E4L6UMNVEC6
[0:0] -A KUBE-SVC-JD5MR3NA4I4DYORP -j KUBE-SEP-OGBCM5DU7623OXI6
[0:0] -A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-6B5SP7D5ASD3CW5Y
[0:0] -A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-HV7FJCKRVMU7FEF3
[0:0] -A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-PNNLZDMSTYYB55XI
[4865488:389248422] -A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
[4865299:389235178] -A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
[4865299:389235178] -A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
[122446:9797948] -A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
COMMIT
# Completed on Wed Aug 12 16:51:33 2020
Second execution (FAILED)
Shown below is the only pod created after executing the sonobuoy run command for the 2nd time:
[root@b-ipv6-k8s-ms1 ~]# kubectl get pods -n sonobuoy -o wide
No resources found in sonobuoy namespace.
[root@b-ipv6-k8s-ms1 ~]# kubectl get pods -n sonobuoy -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
sonobuoy 1/1 Running 0 16s xxxx:xxx:xxx:x:3000::5585 b-ipv6-k8s-wk2 <none> <none>
[root@b-ipv6-k8s-ms1 ~]# kubectl get pods -n sonobuoy -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
sonobuoy 1/1 Running 0 23s xxxx:xxx:xxx:x:3000::5585 b-ipv6-k8s-wk2 <none> <none>
[root@b-ipv6-k8s-ms1 ~]# kubectl get pods -n sonobuoy -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
sonobuoy 1/1 Running 0 35s xxxx:xxx:xxx:x:3000::5585 b-ipv6-k8s-wk2 <none> <none>
[root@b-ipv6-k8s-ms1 ~]# kubectl logs -n kube-systemsonobuoy sonobuoy
time="2020-08-12T07:59:38Z" level=info msg="Scanning plugins in ./plugins.d (pwd: /)"
time="2020-08-12T07:59:38Z" level=info msg="Scanning plugins in /etc/sonobuoy/plugins.d (pwd: /)"
time="2020-08-12T07:59:38Z" level=info msg="Directory (/etc/sonobuoy/plugins.d) does not exist"
time="2020-08-12T07:59:38Z" level=info msg="Scanning plugins in ~/sonobuoy/plugins.d (pwd: /)"
time="2020-08-12T07:59:38Z" level=info msg="Directory (~/sonobuoy/plugins.d) does not exist"
time="2020-08-12T08:00:08Z" level=error msg="could not get api group resources: Get https://[xxxx:xxx:xxx:x:4000::1]:443/api?timeout=32s: dial tcp [xxxx:xxx:xxx:x:4000::1]:443: i/o timeout"
time="2020-08-12T08:00:08Z" level=info msg="no-exit was specified, sonobuoy is now blocking"
[root@b-ipv6-k8s-ms1 ~]#
We have also saved the calico-node logs generated in this execution, namely calico-node-wk[1-2]-2.log.
The calico-node-wk[1-2]-2.log files can be found in 20200812-logs.zip.
Also, since the sonobuoy pod was scheduled on the b-ipv6-k8s-wk2 node, the file to check is calico-node-wk2-2.log.
During this execution, the tcpdump command we used earlier did not show any output at all. It could be possible that the traffic did not get outside the sonobuoy pod. In this execution, the sonobuoy pod can't connect to the Kubernetes service API endpoint, but it can ping other pods in the cluster.
And similar to the 1st execution, we gathered the rules generated by ip6tables-save -c before and after the sonobuoy run command. Do note that these rules were only taken from the master node.
Before sonobuoy run command / ip6tables-before-fail.txt:
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 16:59:10 2020
*mangle
:PREROUTING ACCEPT [3670853:299984706]
:INPUT ACCEPT [254333103:96511244391]
:FORWARD ACCEPT [523:62476]
:OUTPUT ACCEPT [253353310:110295743720]
:POSTROUTING ACCEPT [253353833:110295806196]
:cali-PREROUTING - [0:0]
:cali-failsafe-in - [0:0]
:cali-from-host-endpoint - [0:0]
[254334838:96511405562] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
[250663985:96211420856] -A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-PREROUTING -m comment --comment "cali:KX7AGNd6rMcDUai6" -m mark --mark 0x10000/0x10000 -j ACCEPT
[3670853:299984706] -A cali-PREROUTING -m comment --comment "cali:wNH7KsA3ILKJBsY9" -j cali-from-host-endpoint
[0:0] -A cali-PREROUTING -m comment --comment "cali:Cg96MgVuoPm7UMRo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:mPbJtAVtggkxHxc5" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:fO5oL6ZgWfrcySer" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:LaZshaEfmfK7yZxJ" -m multiport --dports 6667 -j ACCEPT
COMMIT
# Completed on Wed Aug 12 16:59:10 2020
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 16:59:10 2020
*raw
:PREROUTING ACCEPT [254334835:96511405346]
:OUTPUT ACCEPT [253353308:110295743576]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-failsafe-in - [0:0]
:cali-failsafe-out - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
[254334971:96511416186] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
[253353308:110295743576] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
[253353308:110295743576] -A cali-OUTPUT -m comment --comment "cali:njdnLwYeGqBJyMxW" -j MARK --set-xmark 0x0/0xf0000
[253353308:110295743576] -A cali-OUTPUT -m comment --comment "cali:rz86uTUcEZAfFsh7" -j cali-to-host-endpoint
[0:0] -A cali-OUTPUT -m comment --comment "cali:pN0F5zD0b8yf9W1Z" -m mark --mark 0x10000/0x10000 -j ACCEPT
[254334971:96511416186] -A cali-PREROUTING -m comment --comment "cali:XFX5xbM8B9qR10JG" -j MARK --set-xmark 0x0/0xf0000
[25745096:3594473062] -A cali-PREROUTING -i cali+ -m comment --comment "cali:EWMPb0zVROM-woQp" -j MARK --set-xmark 0x40000/0x40000
[136:10840] -A cali-PREROUTING -m comment --comment "cali:V6ooGP15glg7wm91" -m mark --mark 0x40000/0x40000 -m rpfilter --invert -j DROP
[228589875:92916943124] -A cali-PREROUTING -m comment --comment "cali:RMTzKqp0j735XfY4" -m mark --mark 0x0/0x40000 -j cali-from-host-endpoint
[0:0] -A cali-PREROUTING -m comment --comment "cali:T8-Zfumo2dKygI73" -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:mPbJtAVtggkxHxc5" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:fO5oL6ZgWfrcySer" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:LaZshaEfmfK7yZxJ" -m multiport --dports 6667 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:fbYikSrS3FDgSouR" -m multiport --sports 53 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:8UOIQCAJz-_58Uh5" -m multiport --sports 67 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:GyksmUvvbhmM211m" -m multiport --sports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:SkYSmU5eonWqL-1u" -m multiport --sports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:lHgbr-PUyt1svFgh" -m multiport --sports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:FILVxC04GR2ken1t" -m multiport --sports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:xlr_BWr0CBZ3xOMa" -m multiport --sports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:hYM8-jR-CdKF7cWt" -m multiport --sports 6667 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:82hjfji-wChFhAqL" -m multiport --dports 53 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:TNM3RfEjbNr72hgH" -m multiport --dports 67 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:ycxKitIl4u3dK0HR" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:hxjEWyxdkXXkdvut" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:cA_GLtruuvG88KiO" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:8SAxPXDH-KtRtgCC" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:9WSIxuMDm1HHMb92" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:VKKssDqC9SjhUz5c" -m multiport --dports 6667 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:XvT4hmhByQ4TNO7Z" -m multiport --sports 22 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:tRSUx3a-0xrrHH0q" -m multiport --sports 68 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:VNOCkjWk1hxsHwxW" -m multiport --sports 179 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:IhBxXyKym3wOjnyY" -m multiport --sports 2379 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:mtQtSz8udwrYsX9y" -m multiport --sports 2380 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:tZg4sFv0MwsSGo9t" -m multiport --sports 6443 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:t81Srej36zNbRD9A" -m multiport --sports 6666 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:uCIgU-IZNI2XonDU" -m multiport --sports 6667 -j ACCEPT
COMMIT
# Completed on Wed Aug 12 16:59:10 2020
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 16:59:10 2020
*filter
:INPUT ACCEPT [372:103807]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [401:160931]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-failsafe-in - [0:0]
:cali-failsafe-out - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-fw-cali30b9bf9a537 - [0:0]
:cali-fw-calice01ffe2489 - [0:0]
:cali-pri-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pri-kns.kube-system - [0:0]
:cali-pro-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pro-kns.kube-system - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-tw-cali30b9bf9a537 - [0:0]
:cali-tw-calice01ffe2489 - [0:0]
:cali-wl-to-host - [0:0]
[102463296:24998447556] -A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
[4:320] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[3615612:289259348] -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[3615612:289259348] -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
[523:62476] -A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
[254:29281] -A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
[192:19968] -A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[253353310:110295743720] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
[4865995:389293058] -A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[0:0] -A KUBE-EXTERNAL-SERVICES -p tcp -m comment --comment "default/nginx:80-80 has no endpoints" -m addrtype --dst-type LOCAL -m tcp --dport 30027 -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
[0:0] -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
[0:0] -A KUBE-FORWARD -s xxxx:xxx:xxx:x:3000::/112 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A KUBE-FORWARD -d xxxx:xxx:xxx:x:3000::/112 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::c834/128 -p tcp -m comment --comment "default/nginx:80-80 has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp6-port-unreachable
[523:62476] -A cali-FORWARD -m comment --comment "cali:vjrMJCRpqwy5oRoX" -j MARK --set-xmark 0x0/0xe0000
[523:62476] -A cali-FORWARD -m comment --comment "cali:A_sPAO0mcxbT9mOV" -m mark --mark 0x0/0x10000 -j cali-from-hep-forward
[134:19918] -A cali-FORWARD -i cali+ -m comment --comment "cali:8ZoYfO5HKXWbB3pk" -j cali-from-wl-dispatch
[135:13277] -A cali-FORWARD -o cali+ -m comment --comment "cali:jdEuaPBe14V2hutn" -j cali-to-wl-dispatch
[375:41095] -A cali-FORWARD -m comment --comment "cali:12bc6HljsMKsmfr-" -j cali-to-hep-forward
[121:11814] -A cali-FORWARD -m comment --comment "cali:MH9kMp5aNICL-Olv" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[25744747:3594435568] -A cali-INPUT -i cali+ -m comment --comment "cali:FewJpBykm9iJ-YNH" -g cali-wl-to-host
[0:0] -A cali-INPUT -m comment --comment "cali:hder3ARWznqqv8Va" -m mark --mark 0x10000/0x10000 -j ACCEPT
[228588356:92916808823] -A cali-INPUT -m comment --comment "cali:xgOu2uJft6H9oDGF" -j MARK --set-xmark 0x0/0xf0000
[228588356:92916808823] -A cali-INPUT -m comment --comment "cali:_-d-qojMfHM6NwBo" -j cali-from-host-endpoint
[0:0] -A cali-INPUT -m comment --comment "cali:LqmE76MP94lZTGhA" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-OUTPUT -m comment --comment "cali:Mq1_rAdXXH3YkrzW" -m mark --mark 0x10000/0x10000 -j ACCEPT
[26655474:7827963330] -A cali-OUTPUT -o cali+ -m comment --comment "cali:69FkRTJDvD5Vu6Vl" -j RETURN
[226697836:102467780390] -A cali-OUTPUT -m comment --comment "cali:Fskumj4SGQtDV6GC" -j MARK --set-xmark 0x0/0xf0000
[226697836:102467780390] -A cali-OUTPUT -m comment --comment "cali:8rXMdo5sNesjJxGc" -j cali-to-host-endpoint
[0:0] -A cali-OUTPUT -m comment --comment "cali:Ja-pnrHi-PrNKxgd" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:mPbJtAVtggkxHxc5" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:fO5oL6ZgWfrcySer" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:LaZshaEfmfK7yZxJ" -m multiport --dports 6667 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:82hjfji-wChFhAqL" -m multiport --dports 53 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:TNM3RfEjbNr72hgH" -m multiport --dports 67 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:ycxKitIl4u3dK0HR" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:hxjEWyxdkXXkdvut" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:cA_GLtruuvG88KiO" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:8SAxPXDH-KtRtgCC" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:9WSIxuMDm1HHMb92" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:VKKssDqC9SjhUz5c" -m multiport --dports 6667 -j ACCEPT
[4947774:436314202] -A cali-from-wl-dispatch -i cali30b9bf9a537 -m comment --comment "cali:TdkUO3g2bmtPBzT2" -g cali-fw-cali30b9bf9a537
[1666403:146982409] -A cali-from-wl-dispatch -i calice01ffe2489 -m comment --comment "cali:qZtqeqL0_4Qh9GSl" -g cali-fw-calice01ffe2489
[0:0] -A cali-from-wl-dispatch -m comment --comment "cali:WMRy35io39Nv01Hy" -m comment --comment "Unknown interface" -j DROP
[4947771:436313962] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:_kRSnZbQHQcu3znT" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:h3_y1VVa-AeSxYZh" -m conntrack --ctstate INVALID -j DROP
[3:240] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:whAvY_pnCW2iotQC" -j MARK --set-xmark 0x0/0x10000
[0:0] -A cali-fw-cali30b9bf9a537 -p udp -m comment --comment "cali:1kKNxPgeLM5SZ2YH" -m comment --comment "Drop VXLAN encapped packets originating in pods" -m multiport --dports 4789 -j DROP
[0:0] -A cali-fw-cali30b9bf9a537 -p ipv4 -m comment --comment "cali:l-iND7FoAfGB8Y9y" -m comment --comment "Drop IPinIP encapped packets originating in pods" -j DROP
[3:240] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:8Myt6biblGcgMGri" -j cali-pro-kns.kube-system
[3:240] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:AWrwzwXhvm39hdGT" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:4maW0RA5gdKyBjGZ" -j cali-pro-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:bVSwbnML1hdeF8rP" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:ZMNXlx-shVA2lOFu" -m comment --comment "Drop if no profiles matched" -j DROP
[4948237:436347535] -A cali-fw-calice01ffe2489 -m comment --comment "cali:SElIeFT_TuDlXqwG" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:hLIGQ7Yq-h6QiMAU" -m conntrack --ctstate INVALID -j DROP
[3:240] -A cali-fw-calice01ffe2489 -m comment --comment "cali:f-oplNjx0zZFhKEE" -j MARK --set-xmark 0x0/0x10000
[0:0] -A cali-fw-calice01ffe2489 -p udp -m comment --comment "cali:GTb-M1r1oyT35RCX" -m comment --comment "Drop VXLAN encapped packets originating in pods" -m multiport --dports 4789 -j DROP
[0:0] -A cali-fw-calice01ffe2489 -p ipv4 -m comment --comment "cali:FOM2BQGwKtQgJnD-" -m comment --comment "Drop IPinIP encapped packets originating in pods" -j DROP
[3:240] -A cali-fw-calice01ffe2489 -m comment --comment "cali:7w3JCfcr7z6zn8fG" -j cali-pro-kns.kube-system
[3:240] -A cali-fw-calice01ffe2489 -m comment --comment "cali:9Raus9F8bAWFsGTH" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:8ebHx-RG5s1GS9xy" -j cali-pro-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:V3M9bhftjmI9XJJp" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:ptKo9gdgteT0iymb" -m comment --comment "Drop if no profiles matched" -j DROP
[121:11814] -A cali-pri-kns.kube-system -m comment --comment "cali:zoH5gU6U55FKZxEo" -j MARK --set-xmark 0x10000/0x10000
[121:11814] -A cali-pri-kns.kube-system -m comment --comment "cali:bcGRIJcyOS9dgBiB" -m mark --mark 0x10000/0x10000 -j RETURN
[7:560] -A cali-pro-kns.kube-system -m comment --comment "cali:-50oJuMfLVO3LkBk" -j MARK --set-xmark 0x10000/0x10000
[7:560] -A cali-pro-kns.kube-system -m comment --comment "cali:ztVPKv1UYejNzm1g" -m mark --mark 0x10000/0x10000 -j RETURN
[78:7815] -A cali-to-wl-dispatch -o cali30b9bf9a537 -m comment --comment "cali:PRmMjbBkzhhGb8cM" -g cali-tw-cali30b9bf9a537
[0:0] -A cali-to-wl-dispatch -o calice01ffe2489 -m comment --comment "cali:qeRfW5mCBi1pF2PZ" -g cali-tw-calice01ffe2489
[0:0] -A cali-to-wl-dispatch -m comment --comment "cali:Gj7sBQkFSZeSGmsH" -m comment --comment "Unknown interface" -j DROP
[12:1283] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:-CoCh3ZUa7b1RPI6" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:k6bxa2bOjxZZ2vQ1" -m conntrack --ctstate INVALID -j DROP
[66:6532] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:Ug7BQ-QLkNwkNAxC" -j MARK --set-xmark 0x0/0x10000
[66:6532] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:S2sadggM5ckEWxzv" -j cali-pri-kns.kube-system
[66:6532] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:74v0PKh0InLzbtF2" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:TKKNotNJ67L58YJH" -j cali-pri-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:b-IgDIfWh1nZOl2p" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:3WRrggKrMW9CxAF-" -m comment --comment "Drop if no profiles matched" -j DROP
[2:180] -A cali-tw-calice01ffe2489 -m comment --comment "cali:EOncPVWzTONIWYRF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:8rX1rZeYRHVKDKg7" -m conntrack --ctstate INVALID -j DROP
[55:5282] -A cali-tw-calice01ffe2489 -m comment --comment "cali:xPumpNvsEAo8G1oj" -j MARK --set-xmark 0x0/0x10000
[55:5282] -A cali-tw-calice01ffe2489 -m comment --comment "cali:gmc8p-JdtN479jqa" -j cali-pri-kns.kube-system
[55:5282] -A cali-tw-calice01ffe2489 -m comment --comment "cali:DiquB76f6PYstd2p" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:nKureDF-uMd7R7Fd" -j cali-pri-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:gjLQ9ONkBs5nwG0J" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:hOh5mtuRyo9xQWzk" -m comment --comment "Drop if no profiles matched" -j DROP
[0:0] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:TYeA_BqDrPHaAt6E" -m icmp6 --icmpv6-type 130 -j ACCEPT
[0:0] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:5ugan8LfmJg_BiJc" -m icmp6 --icmpv6-type 131 -j ACCEPT
[0:0] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:Fl5LHxdlOnUNgCc4" -m icmp6 --icmpv6-type 132 -j ACCEPT
[45:2520] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:tNvzCkGVISJ3ZXdS" -m icmp6 --icmpv6-type 133 -j ACCEPT
[20:1440] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:86e1wB5w3SEOMrZb" -m icmp6 --icmpv6-type 135 -j ACCEPT
[28:1896] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:kCq3XXx0yCb5mSXt" -m icmp6 --icmpv6-type 136 -j ACCEPT
[25744654:3594429712] -A cali-wl-to-host -m comment --comment "cali:qQJuyC_KUUNb16sA" -j cali-from-wl-dispatch
[35:2800] -A cali-wl-to-host -m comment --comment "cali:TEAa8oLTO9cQ8kDr" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
COMMIT
# Completed on Wed Aug 12 16:59:10 2020
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 16:59:10 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [6:480]
:POSTROUTING ACCEPT [6:480]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-6B5SP7D5ASD3CW5Y - [0:0]
:KUBE-SEP-BGROXOK5IGCUJXP3 - [0:0]
:KUBE-SEP-BZXS7E4L6UMNVEC6 - [0:0]
:KUBE-SEP-HV7FJCKRVMU7FEF3 - [0:0]
:KUBE-SEP-K3TOD5ZA2L5A3YZL - [0:0]
:KUBE-SEP-OGBCM5DU7623OXI6 - [0:0]
:KUBE-SEP-PNNLZDMSTYYB55XI - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
[122449:9798188] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
[122449:9798188] -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[4865810:389274182] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
[4865882:389279934] -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[1157737:92619364] -A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
[0:0] -A POSTROUTING ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::1/128 -p tcp -m tcp --dport 443 -j MASQUERADE
[4865355:389239650] -A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
[0:0] -A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
[0:0] -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
[0:0] -A KUBE-SEP-6B5SP7D5ASD3CW5Y -s xxxx:xxx:xxx:x::111/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-6B5SP7D5ASD3CW5Y -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x::111]:6443
[0:0] -A KUBE-SEP-BGROXOK5IGCUJXP3 -s xxxx:xxx:xxx:x:3000::c6c2/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-BGROXOK5IGCUJXP3 -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c2]:53
[0:0] -A KUBE-SEP-BZXS7E4L6UMNVEC6 -s xxxx:xxx:xxx:x:3000::c6c0/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-BZXS7E4L6UMNVEC6 -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c0]:9153
[0:0] -A KUBE-SEP-HV7FJCKRVMU7FEF3 -s xxxx:xxx:xxx:x:3000::c6c0/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-HV7FJCKRVMU7FEF3 -p udp -m udp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c0]:53
[0:0] -A KUBE-SEP-K3TOD5ZA2L5A3YZL -s xxxx:xxx:xxx:x:3000::c6c0/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-K3TOD5ZA2L5A3YZL -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c0]:53
[0:0] -A KUBE-SEP-OGBCM5DU7623OXI6 -s xxxx:xxx:xxx:x:3000::c6c2/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-OGBCM5DU7623OXI6 -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c2]:9153
[0:0] -A KUBE-SEP-PNNLZDMSTYYB55XI -s xxxx:xxx:xxx:x:3000::c6c2/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-PNNLZDMSTYYB55XI -p udp -m udp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c2]:53
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::1/128 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::1/128 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::a/128 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::a/128 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
[2:160] -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
[0:0] -A KUBE-SVC-ERIFXISQEP7F7OF4 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-K3TOD5ZA2L5A3YZL
[0:0] -A KUBE-SVC-ERIFXISQEP7F7OF4 -j KUBE-SEP-BGROXOK5IGCUJXP3
[0:0] -A KUBE-SVC-JD5MR3NA4I4DYORP -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BZXS7E4L6UMNVEC6
[0:0] -A KUBE-SVC-JD5MR3NA4I4DYORP -j KUBE-SEP-OGBCM5DU7623OXI6
[0:0] -A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-6B5SP7D5ASD3CW5Y
[0:0] -A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-HV7FJCKRVMU7FEF3
[0:0] -A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-PNNLZDMSTYYB55XI
[4865810:389274182] -A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
[4865621:389260938] -A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
[4865621:389260938] -A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
[122449:9798188] -A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
COMMIT
# Completed on Wed Aug 12 16:59:10 2020
After sonobuoy run command / ip6tables-after-fail.txt:
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 17:01:19 2020
*mangle
:PREROUTING ACCEPT [3670927:300002210]
:INPUT ACCEPT [254359267:96518587934]
:FORWARD ACCEPT [523:62476]
:OUTPUT ACCEPT [253374031:110301294557]
:POSTROUTING ACCEPT [253374554:110301357033]
:cali-PREROUTING - [0:0]
:cali-failsafe-in - [0:0]
:cali-from-host-endpoint - [0:0]
[254361002:96518749105] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
[250690075:96218746895] -A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-PREROUTING -m comment --comment "cali:KX7AGNd6rMcDUai6" -m mark --mark 0x10000/0x10000 -j ACCEPT
[3670927:300002210] -A cali-PREROUTING -m comment --comment "cali:wNH7KsA3ILKJBsY9" -j cali-from-host-endpoint
[0:0] -A cali-PREROUTING -m comment --comment "cali:Cg96MgVuoPm7UMRo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:mPbJtAVtggkxHxc5" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:fO5oL6ZgWfrcySer" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:LaZshaEfmfK7yZxJ" -m multiport --dports 6667 -j ACCEPT
COMMIT
# Completed on Wed Aug 12 17:01:19 2020
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 17:01:19 2020
*raw
:PREROUTING ACCEPT [254360999:96518748889]
:OUTPUT ACCEPT [253374029:110301294413]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-failsafe-in - [0:0]
:cali-failsafe-out - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
[254361135:96518759729] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
[253374029:110301294413] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
[253374029:110301294413] -A cali-OUTPUT -m comment --comment "cali:njdnLwYeGqBJyMxW" -j MARK --set-xmark 0x0/0xf0000
[253374029:110301294413] -A cali-OUTPUT -m comment --comment "cali:rz86uTUcEZAfFsh7" -j cali-to-host-endpoint
[0:0] -A cali-OUTPUT -m comment --comment "cali:pN0F5zD0b8yf9W1Z" -m mark --mark 0x10000/0x10000 -j ACCEPT
[254361135:96518759729] -A cali-PREROUTING -m comment --comment "cali:XFX5xbM8B9qR10JG" -j MARK --set-xmark 0x0/0xf0000
[25745646:3594521256] -A cali-PREROUTING -i cali+ -m comment --comment "cali:EWMPb0zVROM-woQp" -j MARK --set-xmark 0x40000/0x40000
[136:10840] -A cali-PREROUTING -m comment --comment "cali:V6ooGP15glg7wm91" -m mark --mark 0x40000/0x40000 -m rpfilter --invert -j DROP
[228615489:92924238473] -A cali-PREROUTING -m comment --comment "cali:RMTzKqp0j735XfY4" -m mark --mark 0x0/0x40000 -j cali-from-host-endpoint
[0:0] -A cali-PREROUTING -m comment --comment "cali:T8-Zfumo2dKygI73" -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:mPbJtAVtggkxHxc5" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:fO5oL6ZgWfrcySer" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:LaZshaEfmfK7yZxJ" -m multiport --dports 6667 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:fbYikSrS3FDgSouR" -m multiport --sports 53 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:8UOIQCAJz-_58Uh5" -m multiport --sports 67 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:GyksmUvvbhmM211m" -m multiport --sports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:SkYSmU5eonWqL-1u" -m multiport --sports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:lHgbr-PUyt1svFgh" -m multiport --sports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:FILVxC04GR2ken1t" -m multiport --sports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:xlr_BWr0CBZ3xOMa" -m multiport --sports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:hYM8-jR-CdKF7cWt" -m multiport --sports 6667 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:82hjfji-wChFhAqL" -m multiport --dports 53 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:TNM3RfEjbNr72hgH" -m multiport --dports 67 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:ycxKitIl4u3dK0HR" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:hxjEWyxdkXXkdvut" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:cA_GLtruuvG88KiO" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:8SAxPXDH-KtRtgCC" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:9WSIxuMDm1HHMb92" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:VKKssDqC9SjhUz5c" -m multiport --dports 6667 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:XvT4hmhByQ4TNO7Z" -m multiport --sports 22 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:tRSUx3a-0xrrHH0q" -m multiport --sports 68 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:VNOCkjWk1hxsHwxW" -m multiport --sports 179 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:IhBxXyKym3wOjnyY" -m multiport --sports 2379 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:mtQtSz8udwrYsX9y" -m multiport --sports 2380 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:tZg4sFv0MwsSGo9t" -m multiport --sports 6443 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:t81Srej36zNbRD9A" -m multiport --sports 6666 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:uCIgU-IZNI2XonDU" -m multiport --sports 6667 -j ACCEPT
COMMIT
# Completed on Wed Aug 12 17:01:19 2020
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 17:01:19 2020
*filter
:INPUT ACCEPT [632:153018]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [665:184241]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-failsafe-in - [0:0]
:cali-failsafe-out - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-fw-cali30b9bf9a537 - [0:0]
:cali-fw-calice01ffe2489 - [0:0]
:cali-pri-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pri-kns.kube-system - [0:0]
:cali-pro-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pro-kns.kube-system - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-tw-cali30b9bf9a537 - [0:0]
:cali-tw-calice01ffe2489 - [0:0]
:cali-wl-to-host - [0:0]
[102489460:25005791099] -A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
[4:320] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[3615660:289263188] -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[3615660:289263188] -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
[523:62476] -A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
[254:29281] -A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
[192:19968] -A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[253374031:110301294557] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
[4866094:389300978] -A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[0:0] -A KUBE-EXTERNAL-SERVICES -p tcp -m comment --comment "default/nginx:80-80 has no endpoints" -m addrtype --dst-type LOCAL -m tcp --dport 30027 -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
[0:0] -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
[0:0] -A KUBE-FORWARD -s xxxx:xxx:xxx:x:3000::/112 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A KUBE-FORWARD -d xxxx:xxx:xxx:x:3000::/112 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::c834/128 -p tcp -m comment --comment "default/nginx:80-80 has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp6-port-unreachable
[523:62476] -A cali-FORWARD -m comment --comment "cali:vjrMJCRpqwy5oRoX" -j MARK --set-xmark 0x0/0xe0000
[523:62476] -A cali-FORWARD -m comment --comment "cali:A_sPAO0mcxbT9mOV" -m mark --mark 0x0/0x10000 -j cali-from-hep-forward
[134:19918] -A cali-FORWARD -i cali+ -m comment --comment "cali:8ZoYfO5HKXWbB3pk" -j cali-from-wl-dispatch
[135:13277] -A cali-FORWARD -o cali+ -m comment --comment "cali:jdEuaPBe14V2hutn" -j cali-to-wl-dispatch
[375:41095] -A cali-FORWARD -m comment --comment "cali:12bc6HljsMKsmfr-" -j cali-to-hep-forward
[121:11814] -A cali-FORWARD -m comment --comment "cali:MH9kMp5aNICL-Olv" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[25745297:3594483762] -A cali-INPUT -i cali+ -m comment --comment "cali:FewJpBykm9iJ-YNH" -g cali-wl-to-host
[0:0] -A cali-INPUT -m comment --comment "cali:hder3ARWznqqv8Va" -m mark --mark 0x10000/0x10000 -j ACCEPT
[228613970:92924104172] -A cali-INPUT -m comment --comment "cali:xgOu2uJft6H9oDGF" -j MARK --set-xmark 0x0/0xf0000
[228613970:92924104172] -A cali-INPUT -m comment --comment "cali:_-d-qojMfHM6NwBo" -j cali-from-host-endpoint
[0:0] -A cali-INPUT -m comment --comment "cali:LqmE76MP94lZTGhA" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-OUTPUT -m comment --comment "cali:Mq1_rAdXXH3YkrzW" -m mark --mark 0x10000/0x10000 -j ACCEPT
[26656026:7828138956] -A cali-OUTPUT -o cali+ -m comment --comment "cali:69FkRTJDvD5Vu6Vl" -j RETURN
[226718005:102473155601] -A cali-OUTPUT -m comment --comment "cali:Fskumj4SGQtDV6GC" -j MARK --set-xmark 0x0/0xf0000
[226718005:102473155601] -A cali-OUTPUT -m comment --comment "cali:8rXMdo5sNesjJxGc" -j cali-to-host-endpoint
[0:0] -A cali-OUTPUT -m comment --comment "cali:Ja-pnrHi-PrNKxgd" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
[0:0] -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:mPbJtAVtggkxHxc5" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:fO5oL6ZgWfrcySer" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-in -p tcp -m comment --comment "cali:LaZshaEfmfK7yZxJ" -m multiport --dports 6667 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:82hjfji-wChFhAqL" -m multiport --dports 53 -j ACCEPT
[0:0] -A cali-failsafe-out -p udp -m comment --comment "cali:TNM3RfEjbNr72hgH" -m multiport --dports 67 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:ycxKitIl4u3dK0HR" -m multiport --dports 179 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:hxjEWyxdkXXkdvut" -m multiport --dports 2379 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:cA_GLtruuvG88KiO" -m multiport --dports 2380 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:8SAxPXDH-KtRtgCC" -m multiport --dports 6443 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:9WSIxuMDm1HHMb92" -m multiport --dports 6666 -j ACCEPT
[0:0] -A cali-failsafe-out -p tcp -m comment --comment "cali:VKKssDqC9SjhUz5c" -m multiport --dports 6667 -j ACCEPT
[4948053:436338713] -A cali-from-wl-dispatch -i cali30b9bf9a537 -m comment --comment "cali:TdkUO3g2bmtPBzT2" -g cali-fw-cali30b9bf9a537
[1666674:147006092] -A cali-from-wl-dispatch -i calice01ffe2489 -m comment --comment "cali:qZtqeqL0_4Qh9GSl" -g cali-fw-calice01ffe2489
[0:0] -A cali-from-wl-dispatch -m comment --comment "cali:WMRy35io39Nv01Hy" -m comment --comment "Unknown interface" -j DROP
[4948050:436338473] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:_kRSnZbQHQcu3znT" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:h3_y1VVa-AeSxYZh" -m conntrack --ctstate INVALID -j DROP
[3:240] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:whAvY_pnCW2iotQC" -j MARK --set-xmark 0x0/0x10000
[0:0] -A cali-fw-cali30b9bf9a537 -p udp -m comment --comment "cali:1kKNxPgeLM5SZ2YH" -m comment --comment "Drop VXLAN encapped packets originating in pods" -m multiport --dports 4789 -j DROP
[0:0] -A cali-fw-cali30b9bf9a537 -p ipv4 -m comment --comment "cali:l-iND7FoAfGB8Y9y" -m comment --comment "Drop IPinIP encapped packets originating in pods" -j DROP
[3:240] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:8Myt6biblGcgMGri" -j cali-pro-kns.kube-system
[3:240] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:AWrwzwXhvm39hdGT" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:4maW0RA5gdKyBjGZ" -j cali-pro-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:bVSwbnML1hdeF8rP" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-cali30b9bf9a537 -m comment --comment "cali:ZMNXlx-shVA2lOFu" -m comment --comment "Drop if no profiles matched" -j DROP
[4948508:436371218] -A cali-fw-calice01ffe2489 -m comment --comment "cali:SElIeFT_TuDlXqwG" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:hLIGQ7Yq-h6QiMAU" -m conntrack --ctstate INVALID -j DROP
[3:240] -A cali-fw-calice01ffe2489 -m comment --comment "cali:f-oplNjx0zZFhKEE" -j MARK --set-xmark 0x0/0x10000
[0:0] -A cali-fw-calice01ffe2489 -p udp -m comment --comment "cali:GTb-M1r1oyT35RCX" -m comment --comment "Drop VXLAN encapped packets originating in pods" -m multiport --dports 4789 -j DROP
[0:0] -A cali-fw-calice01ffe2489 -p ipv4 -m comment --comment "cali:FOM2BQGwKtQgJnD-" -m comment --comment "Drop IPinIP encapped packets originating in pods" -j DROP
[3:240] -A cali-fw-calice01ffe2489 -m comment --comment "cali:7w3JCfcr7z6zn8fG" -j cali-pro-kns.kube-system
[3:240] -A cali-fw-calice01ffe2489 -m comment --comment "cali:9Raus9F8bAWFsGTH" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:8ebHx-RG5s1GS9xy" -j cali-pro-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:V3M9bhftjmI9XJJp" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-fw-calice01ffe2489 -m comment --comment "cali:ptKo9gdgteT0iymb" -m comment --comment "Drop if no profiles matched" -j DROP
[121:11814] -A cali-pri-kns.kube-system -m comment --comment "cali:zoH5gU6U55FKZxEo" -j MARK --set-xmark 0x10000/0x10000
[121:11814] -A cali-pri-kns.kube-system -m comment --comment "cali:bcGRIJcyOS9dgBiB" -m mark --mark 0x10000/0x10000 -j RETURN
[7:560] -A cali-pro-kns.kube-system -m comment --comment "cali:-50oJuMfLVO3LkBk" -j MARK --set-xmark 0x10000/0x10000
[7:560] -A cali-pro-kns.kube-system -m comment --comment "cali:ztVPKv1UYejNzm1g" -m mark --mark 0x10000/0x10000 -j RETURN
[78:7815] -A cali-to-wl-dispatch -o cali30b9bf9a537 -m comment --comment "cali:PRmMjbBkzhhGb8cM" -g cali-tw-cali30b9bf9a537
[0:0] -A cali-to-wl-dispatch -o calice01ffe2489 -m comment --comment "cali:qeRfW5mCBi1pF2PZ" -g cali-tw-calice01ffe2489
[0:0] -A cali-to-wl-dispatch -m comment --comment "cali:Gj7sBQkFSZeSGmsH" -m comment --comment "Unknown interface" -j DROP
[12:1283] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:-CoCh3ZUa7b1RPI6" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:k6bxa2bOjxZZ2vQ1" -m conntrack --ctstate INVALID -j DROP
[66:6532] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:Ug7BQ-QLkNwkNAxC" -j MARK --set-xmark 0x0/0x10000
[66:6532] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:S2sadggM5ckEWxzv" -j cali-pri-kns.kube-system
[66:6532] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:74v0PKh0InLzbtF2" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:TKKNotNJ67L58YJH" -j cali-pri-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:b-IgDIfWh1nZOl2p" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-cali30b9bf9a537 -m comment --comment "cali:3WRrggKrMW9CxAF-" -m comment --comment "Drop if no profiles matched" -j DROP
[2:180] -A cali-tw-calice01ffe2489 -m comment --comment "cali:EOncPVWzTONIWYRF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:8rX1rZeYRHVKDKg7" -m conntrack --ctstate INVALID -j DROP
[55:5282] -A cali-tw-calice01ffe2489 -m comment --comment "cali:xPumpNvsEAo8G1oj" -j MARK --set-xmark 0x0/0x10000
[55:5282] -A cali-tw-calice01ffe2489 -m comment --comment "cali:gmc8p-JdtN479jqa" -j cali-pri-kns.kube-system
[55:5282] -A cali-tw-calice01ffe2489 -m comment --comment "cali:DiquB76f6PYstd2p" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:nKureDF-uMd7R7Fd" -j cali-pri-_u2Tn2rSoAPffvE7JO6
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:gjLQ9ONkBs5nwG0J" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
[0:0] -A cali-tw-calice01ffe2489 -m comment --comment "cali:hOh5mtuRyo9xQWzk" -m comment --comment "Drop if no profiles matched" -j DROP
[0:0] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:TYeA_BqDrPHaAt6E" -m icmp6 --icmpv6-type 130 -j ACCEPT
[0:0] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:5ugan8LfmJg_BiJc" -m icmp6 --icmpv6-type 131 -j ACCEPT
[0:0] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:Fl5LHxdlOnUNgCc4" -m icmp6 --icmpv6-type 132 -j ACCEPT
[45:2520] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:tNvzCkGVISJ3ZXdS" -m icmp6 --icmpv6-type 133 -j ACCEPT
[20:1440] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:86e1wB5w3SEOMrZb" -m icmp6 --icmpv6-type 135 -j ACCEPT
[28:1896] -A cali-wl-to-host -p ipv6-icmp -m comment --comment "cali:kCq3XXx0yCb5mSXt" -m icmp6 --icmpv6-type 136 -j ACCEPT
[25745204:3594477906] -A cali-wl-to-host -m comment --comment "cali:qQJuyC_KUUNb16sA" -j cali-from-wl-dispatch
[35:2800] -A cali-wl-to-host -m comment --comment "cali:TEAa8oLTO9cQ8kDr" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
COMMIT
# Completed on Wed Aug 12 17:01:19 2020
# Generated by ip6tables-save v1.4.21 on Wed Aug 12 17:01:19 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [8:640]
:POSTROUTING ACCEPT [8:640]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-6B5SP7D5ASD3CW5Y - [0:0]
:KUBE-SEP-BGROXOK5IGCUJXP3 - [0:0]
:KUBE-SEP-BZXS7E4L6UMNVEC6 - [0:0]
:KUBE-SEP-HV7FJCKRVMU7FEF3 - [0:0]
:KUBE-SEP-IDVTQPJAC5ZE5NGR - [0:0]
:KUBE-SEP-K3TOD5ZA2L5A3YZL - [0:0]
:KUBE-SEP-OGBCM5DU7623OXI6 - [0:0]
:KUBE-SEP-PNNLZDMSTYYB55XI - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-45SAB6SQZMFLFICK - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
[122452:9798428] -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
[122452:9798428] -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[4865909:389282102] -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
[4865981:389287854] -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
[1157836:92627284] -A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
[0:0] -A POSTROUTING ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::1/128 -p tcp -m tcp --dport 443 -j MASQUERADE
[4865454:389247570] -A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
[0:0] -A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
[0:0] -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
[0:0] -A KUBE-SEP-6B5SP7D5ASD3CW5Y -s xxxx:xxx:xxx:x::111/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-6B5SP7D5ASD3CW5Y -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x::111]:6443
[0:0] -A KUBE-SEP-BGROXOK5IGCUJXP3 -s xxxx:xxx:xxx:x:3000::c6c2/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-BGROXOK5IGCUJXP3 -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c2]:53
[0:0] -A KUBE-SEP-BZXS7E4L6UMNVEC6 -s xxxx:xxx:xxx:x:3000::c6c0/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-BZXS7E4L6UMNVEC6 -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c0]:9153
[0:0] -A KUBE-SEP-HV7FJCKRVMU7FEF3 -s xxxx:xxx:xxx:x:3000::c6c0/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-HV7FJCKRVMU7FEF3 -p udp -m udp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c0]:53
[0:0] -A KUBE-SEP-IDVTQPJAC5ZE5NGR -s xxxx:xxx:xxx:x:3000::5585/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-IDVTQPJAC5ZE5NGR -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::5585]:8080
[0:0] -A KUBE-SEP-K3TOD5ZA2L5A3YZL -s xxxx:xxx:xxx:x:3000::c6c0/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-K3TOD5ZA2L5A3YZL -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c0]:53
[0:0] -A KUBE-SEP-OGBCM5DU7623OXI6 -s xxxx:xxx:xxx:x:3000::c6c2/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-OGBCM5DU7623OXI6 -p tcp -m tcp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c2]:9153
[0:0] -A KUBE-SEP-PNNLZDMSTYYB55XI -s xxxx:xxx:xxx:x:3000::c6c2/128 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SEP-PNNLZDMSTYYB55XI -p udp -m udp -j DNAT --to-destination [xxxx:xxx:xxx:x:3000::c6c2]:53
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::af5d/128 -p tcp -m comment --comment "sonobuoy/sonobuoy-master: cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::af5d/128 -p tcp -m comment --comment "sonobuoy/sonobuoy-master: cluster IP" -m tcp --dport 8080 -j KUBE-SVC-45SAB6SQZMFLFICK
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::1/128 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::1/128 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::a/128 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::a/128 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
[0:0] -A KUBE-SERVICES ! -s xxxx:xxx:xxx:x:3000::/112 -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
[0:0] -A KUBE-SERVICES -d xxxx:xxx:xxx:x:4000::a/128 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
[3:240] -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
[0:0] -A KUBE-SVC-45SAB6SQZMFLFICK -j KUBE-SEP-IDVTQPJAC5ZE5NGR
[0:0] -A KUBE-SVC-ERIFXISQEP7F7OF4 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-K3TOD5ZA2L5A3YZL
[0:0] -A KUBE-SVC-ERIFXISQEP7F7OF4 -j KUBE-SEP-BGROXOK5IGCUJXP3
[0:0] -A KUBE-SVC-JD5MR3NA4I4DYORP -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BZXS7E4L6UMNVEC6
[0:0] -A KUBE-SVC-JD5MR3NA4I4DYORP -j KUBE-SEP-OGBCM5DU7623OXI6
[0:0] -A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-6B5SP7D5ASD3CW5Y
[0:0] -A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-HV7FJCKRVMU7FEF3
[0:0] -A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-PNNLZDMSTYYB55XI
[4865909:389282102] -A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
[4865720:389268858] -A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
[4865720:389268858] -A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
[122452:9798428] -A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
COMMIT
# Completed on Wed Aug 12 17:01:19 2020
We hope that this information is of help in determining the cause of the issue.
Should you need more information, please do inform us.
Again, thank you very much for your support.
Forgive me if I'm completely off - I haven't read the entire thread/traces thoroughly enough to be certain, but it sounds like some of the same symptoms I just experienced in a cluster with similar properties. CentOS 7, K8S 1.16.13, IPv6-only cluster, Calico 3.11 in L3/BGP mode.
Are you by any chance using IPVS mode for kube-proxy/Service IPs?
I experienced, for a longer period, that occasionally packets to Service IPs would go to a random pod/IP (probably on the same node as the correct pod) that had nothing to do with the Service/correct pod (not in endpoints or anything - completely unrelated), resulting in different kinds of connection issues/timeouts.
Only discovered it a few days ago with a lot of tcpdumps.
I tried disabling IPVS-mode back to iptables, and haven't experienced it since. I don't know if IPVS + IPv6 is not that rock solid in the kernel yet, or if I misconfigured something, but that was my experience after all.
Hello, @DennisGlindhart! Thank you very much for your input. We are using iptables mode.
We've also tried to set the KUBERNETES_SERVICE_IP and KUBERNETES_SERVICE_PORT variables in the env section of the pod to use <kubernetes-api-server-ip>:6443 instead of <kubernetes-svc-cluster-ip>:443.
We can confirm that during 1st run, the execution was OK.
In the 2nd run, i/o timeout error occurs again, but this time, the error message would be:
"https://<kubernetes-api-server-ip>:6443/api?timeout=32s: dial tcp <kubernetes-api-server-ip>:6443: i/o timeout"
In conclusion, regardless of what endpoint we use to access the Kubernetes API, the 1st run would be OK and the succeeding runs will be NG.
That is all. Again, thank you very much!
Sorry for the delay, have been on PTO for a week. This is in my queue, will get back to it soon!
Sorry for the late response, @caseydavenport. This is noted. Thank you very much for the support! :+1:
Any update on this issue? I started hitting the same issue with sonobuoy version 0.52.0 and kubernetes v1.20.1.
Out of curiosity, I'm running into a similar problem that I could have sworn I've seen another issue for but I can't find it.... but @soloabejo, what is your kubelet QPS setting set to? If you raise it to ~50 and run this test again, does it solve the problem?
I have an issue where when I try to push too many pods through a single node all at once, I start getting these timeouts all over the place. It happens because the kubelet doesn't update the k8s api fast enough for calico to set up the iptables before the pod starts. So the pod starts without any networking. If it makes a call too early in its life (to the k8s api frequently, but it could be anywhere), it times out. Just curious if this is the same issue.
@wreed4 What kubelet QPS setting are you referring to? Also, what problems existed and were solved by this configuration?
I know that this might be off-topic, but Google brings me here when I am searching for the i/o timeouts. And since this isn't closed yet, theoretically might be a solution for your case too.
I've had plenty of i/o timeouts between K8s services, etcd.. causing them to restart often.
I am using IPVS and Calico/VXLAN, latest HWE Linux kernel 6.5.0-18-generic, Ubuntu 22.04 LTS.
K8s kubespray'ed with kubespray v2.24.0 (updated to v2.24.1 today), so K8s v1.28.6, Calico v3.26.4.
Figured HW checksum offloading must be disabled on NICs as when they are enabled (default) one may observe multiple networking issues:
- etcd: multiple "connection timed out"-errors;
- k8s services: multiple "i/o timeout"-errors between the services;
- k8s kube-system services keep restarting frequently;
- TCP Spurious Retransmissions in tcpdump/wireshark logs when receiving data over ssh connection to the server;
- the data stream (over SSH connection) appeared to be intermittent/abrupt and eventually stalls;
- sometimes initial connection to the server (to its public IP over internet) fails due to tcp i/o timeout / TLS handshake timeout: Users might see errors such as:
$ kubectl get pods -A --sort-by='{.metadata.creationTimestamp}'
Unable to connect to the server: dial tcp REDACTED:6443: i/o timeout
$ kubectl run app2-node2 --rm -ti --image=nicolaka/netshoot --overrides='{"apiVersion":"v1", "spec":{"nodeSelector":{"kubernetes.io/hostname":"node2"}}}' -- /bin/bash
Unable to connect to the server: net/http: TLS handshake timeout
$ kubectl -n akash-services delete pod akash-provider-0
Error from server: etcdserver: request timed out, possibly due to connection lost
$ kubectl -n akash-services delete pod akash-provider-0
Unable to connect to the server: net/http: TLS handshake timeout
These are the HW checksum offloading settings that I've disabled (netplan config example) for both NICs:
NIC driver i40e
receive-checksum-offload: false
transmit-checksum-offload: false
ethtool equivalent is:
ethtool -K eth0 rx off tx off
Hope that helps someone.
Additionally, a major confirmation that you need to disable HW checksum offloading is if you also see the vxlan.calico: hw csum failure kernel message in dmesg / kern.log. However, it can take quite some time until you get it; in my case I haven't even seen that on the other servers, yet they had the same symptoms (i/o timeouts).
Note on Calico's ChecksumOffloadBroken=true
Also, Calico v3.26.4 is supposed to be setting ChecksumOffloadBroken to true by default:
https://github.com/projectcalico/calico/blob/v3.26.4/felix/environment/feature_detect_common.go#L11-L14
https://github.com/projectcalico/calico/blob/v3.26.4/felix/environment/feature_detect_linux.go#L131
According to Kubespray v2.24.1, it should let Calico use the default setting (which is ChecksumOffloadBroken=true):
https://github.com/kubernetes-sigs/kubespray/blob/v2.24.1/roles/network_plugin/calico_defaults/defaults/main.yml#L172
https://github.com/kubernetes-sigs/kubespray/blob/v2.24.1/roles/network_plugin/calico/tasks/install.yml#L189
https://github.com/kubernetes-sigs/kubespray/blob/v2.24.1/docs/calico.md#optional--configure-vxlan-hardware-offload
Additional info https://github.com/kubernetes-sigs/kubespray/pull/9261#issuecomment-1248844913
One would think that this (Calico's ChecksumOffloadBroken=true) should fix the issue, and perhaps it does in specific cases, but it appears to be just for tx-udp_tnl-segmentation & tx-udp_tnl-csum-segmentation for VXLAN offload (kernels >= 5.7, the VXLAN offload default is on.) which is still enabled for me, yet rx off tx off (HW checksum offloading) were the only switches that solved the issue in my case.
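The two checks described in the comments above (the rx/tx checksum offload state that `ethtool -K eth0 rx off tx off` changes, and the `vxlan.calico: hw csum failure` kernel message), combined into one audit script. This is an added example, not code from the thread or from Calico; the function names and the sample `ethtool -k` and kernel log text are constructed.

```shell
#!/bin/sh
# Added example; function names and all sample data are constructed.

# offload_state FEATURE: read `ethtool -k <nic>` text on stdin and print
# the feature's state: "on", "off", or "unknown" if it is not listed.
offload_state() {
    awk -v f="$1" '
        { sub(/^[ \t]+/, "") }
        index($0, f ":") == 1 { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# csum_failures IFACE: read kernel log text on stdin and print how many
# lines contain "<IFACE>: hw csum failure" (0 when there are none).
csum_failures() {
    grep -c -F "$1: hw csum failure" || true
}

# verdict ETHTOOL_TEXT KLOG_TEXT IFACE: classify the NIC.
verdict() {
    rx=$(printf '%s\n' "$1" | offload_state rx-checksumming)
    tx=$(printf '%s\n' "$1" | offload_state tx-checksumming)
    fails=$(printf '%s\n' "$2" | csum_failures "$3")
    if [ "$rx" = unknown ] || [ "$tx" = unknown ]; then
        echo "unknown"
    elif [ "$rx" = off ] && [ "$tx" = off ]; then
        echo "offload-disabled"
    elif [ "$fails" -gt 0 ]; then
        echo "offload-on+csum-failures"   # the dmesg confirmation case
    else
        echo "offload-on"                 # symptoms possible, not yet logged
    fi
}

# Constructed samples shaped like `ethtool -k eth0` and `dmesg` output.
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ipv4: on
tx-udp_tnl-segmentation: on
tx-udp_tnl-csum-segmentation: on'
SAMPLE_KLOG='[ 5021.113] vxlan.calico: hw csum failure
[ 5021.114] unrelated kernel line'

# On a live node: verdict "$(ethtool -k eth0)" "$(dmesg)" vxlan.calico
verdict "$SAMPLE_ETHTOOL" "$SAMPLE_KLOG" vxlan.calico
```

`offload_state` can also be pointed at `tx-udp_tnl-segmentation` and `tx-udp_tnl-csum-segmentation` to see whether the VXLAN tunnel offloads are still on independently of the rx/tx switches.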