schuerg · June 15, 2025 15:54 · Jun 15, 2025
diff --git a/ruleset.nft b/ruleset.nft
@@ -0,0 +1,993 @@
+table ip nat {
+	chain DOCKER {
+		iifname "docker0" counter packets 0 bytes 0 return
+	}
+
+	chain PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 170 bytes 31777 jump DOCKER
+	}
+
+	chain OUTPUT {
+		type nat hook output priority dstnat; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
+	}
+
+	chain POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		ip saddr 172.17.0.0/16 oifname != "docker0" counter packets 0 bytes 0 masquerade
+		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 1 bytes 67 masquerade
+	}
+}
+table ip filter {
+	chain DOCKER {
+		iifname != "docker0" oifname "docker0" counter packets 0 bytes 0 drop
+	}
+
+	chain DOCKER-FORWARD {
+		counter packets 0 bytes 0 jump DOCKER-CT
+		counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
+		counter packets 0 bytes 0 jump DOCKER-BRIDGE
+		iifname "docker0" counter packets 0 bytes 0 accept
+	}
+
+	chain DOCKER-BRIDGE {
+		oifname "docker0" counter packets 0 bytes 0 jump DOCKER
+	}
+
+	chain DOCKER-CT {
+		oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
+	}
+
+	chain DOCKER-ISOLATION-STAGE-1 {
+		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
+	}
+
+	chain DOCKER-ISOLATION-STAGE-2 {
+		oifname "docker0" counter packets 0 bytes 0 drop
+	}
+
+	chain FORWARD {
+		type filter hook forward priority filter; policy drop;
+		counter packets 0 bytes 0 jump DOCKER-USER
+		counter packets 0 bytes 0 jump DOCKER-FORWARD
+	}
+
+	chain DOCKER-USER {
+	}
+}
+table ip6 nat {
+	chain DOCKER {
+	}
+
+	chain PREROUTING {
+		type nat hook prerouting priority dstnat; policy accept;
+		fib daddr type local counter packets 0 bytes 0 jump DOCKER
+	}
+
+	chain OUTPUT {
+		type nat hook output priority dstnat; policy accept;
+		ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump DOCKER
+	}
+}
+table ip6 filter {
+	chain DOCKER {
+	}
+
+	chain DOCKER-FORWARD {
+		counter packets 0 bytes 0 jump DOCKER-CT
+		counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
+		counter packets 0 bytes 0 jump DOCKER-BRIDGE
+	}
+
+	chain DOCKER-BRIDGE {
+	}
+
+	chain DOCKER-CT {
+	}
+
+	chain DOCKER-ISOLATION-STAGE-1 {
+	}
+
+	chain DOCKER-ISOLATION-STAGE-2 {
+	}
+
+	chain FORWARD {
+		type filter hook forward priority filter; policy accept;
+		counter packets 0 bytes 0 jump DOCKER-USER
+		counter packets 0 bytes 0 jump DOCKER-FORWARD
+	}
+
+	chain DOCKER-USER {
+	}
+}
+table ip libvirt_network {
+	chain forward {
+		type filter hook forward priority filter; policy accept;
+		counter packets 1731 bytes 107548 jump guest_cross
+		counter packets 1731 bytes 107548 jump guest_input
+		counter packets 1731 bytes 107548 jump guest_output
+	}
+
+	chain guest_output {
+		ip saddr 192.168.122.0/24 iif "virbr0" counter packets 0 bytes 0 accept
+		iif "virbr0" counter packets 0 bytes 0 reject
+	}
+
+	chain guest_input {
+		oif "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept
+		oif "virbr0" counter packets 0 bytes 0 reject
+	}
+
+	chain guest_cross {
+		iif "virbr0" oif "virbr0" counter packets 0 bytes 0 accept
+	}
+
+	chain guest_nat {
+		type nat hook postrouting priority srcnat; policy accept;
+		ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
+		ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
+		meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
+		meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
+		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
+	}
+}
+table ip6 libvirt_network {
+	chain forward {
+		type filter hook forward priority filter; policy accept;
+		counter packets 0 bytes 0 jump guest_cross
+		counter packets 0 bytes 0 jump guest_input
+		counter packets 0 bytes 0 jump guest_output
+	}
+
+	chain guest_output {
+	}
+
+	chain guest_input {
+	}
+
+	chain guest_cross {
+	}
+
+	chain guest_nat {
+		type nat hook postrouting priority srcnat; policy accept;
+	}
+}
+table inet firewalld {
+	ct helper helper-netbios-ns-udp {
+		type "netbios-ns" protocol udp
+		l3proto ip
+	}
+
+	ct helper helper-tftp-udp {
+		type "tftp" protocol udp
+		l3proto inet
+	}
+
+	chain mangle_PREROUTING {
+		type filter hook prerouting priority mangle + 10; policy accept;
+		jump mangle_PREROUTING_POLICIES
+	}
+
+	chain mangle_PREROUTING_POLICIES {
+		iifname "wlp0s20f3" jump mangle_PRE_policy_allow-host-ipv6
+		iifname "wlp0s20f3" jump mangle_PRE_FedoraWorkstation
+		iifname "wlp0s20f3" return
+		iifname "docker0" jump mangle_PRE_policy_allow-host-ipv6
+		iifname "docker0" jump mangle_PRE_docker
+		iifname "docker0" return
+		iifname "virbr0" jump mangle_PRE_policy_allow-host-ipv6
+		iifname "virbr0" jump mangle_PRE_libvirt
+		iifname "virbr0" return
+		jump mangle_PRE_policy_allow-host-ipv6
+		jump mangle_PRE_FedoraWorkstation
+		return
+	}
+
+	chain nat_PREROUTING {
+		type nat hook prerouting priority dstnat + 10; policy accept;
+		jump nat_PREROUTING_POLICIES
+	}
+
+	chain nat_PREROUTING_POLICIES {
+		iifname "wlp0s20f3" jump nat_PRE_policy_allow-host-ipv6
+		iifname "wlp0s20f3" jump nat_PRE_FedoraWorkstation
+		iifname "wlp0s20f3" return
+		iifname "docker0" jump nat_PRE_policy_allow-host-ipv6
+		iifname "docker0" jump nat_PRE_docker
+		iifname "docker0" return
+		iifname "virbr0" jump nat_PRE_policy_allow-host-ipv6
+		iifname "virbr0" jump nat_PRE_libvirt
+		iifname "virbr0" return
+		jump nat_PRE_policy_allow-host-ipv6
+		jump nat_PRE_FedoraWorkstation
+		return
+	}
+
+	chain nat_POSTROUTING {
+		type nat hook postrouting priority srcnat + 10; policy accept;
+		jump nat_POSTROUTING_POLICIES
+	}
+
+	chain nat_POSTROUTING_POLICIES {
+		iifname "wlp0s20f3" oifname "wlp0s20f3" jump nat_POST_FedoraWorkstation
+		iifname "wlp0s20f3" oifname "wlp0s20f3" return
+		iifname "docker0" oifname "wlp0s20f3" jump nat_POST_FedoraWorkstation
+		iifname "docker0" oifname "wlp0s20f3" return
+		iifname "virbr0" oifname "wlp0s20f3" jump nat_POST_FedoraWorkstation
+		iifname "virbr0" oifname "wlp0s20f3" return
+		oifname "wlp0s20f3" jump nat_POST_FedoraWorkstation
+		oifname "wlp0s20f3" return
+		iifname "wlp0s20f3" oifname "docker0" jump nat_POST_policy_docker-forwarding
+		iifname "wlp0s20f3" oifname "docker0" jump nat_POST_docker
+		iifname "wlp0s20f3" oifname "docker0" return
+		iifname "docker0" oifname "docker0" jump nat_POST_policy_docker-forwarding
+		iifname "docker0" oifname "docker0" jump nat_POST_docker
+		iifname "docker0" oifname "docker0" return
+		iifname "virbr0" oifname "docker0" jump nat_POST_policy_docker-forwarding
+		iifname "virbr0" oifname "docker0" jump nat_POST_docker
+		iifname "virbr0" oifname "docker0" return
+		oifname "docker0" jump nat_POST_policy_docker-forwarding
+		oifname "docker0" jump nat_POST_docker
+		oifname "docker0" return
+		iifname "wlp0s20f3" oifname "virbr0" jump nat_POST_libvirt
+		iifname "wlp0s20f3" oifname "virbr0" return
+		iifname "docker0" oifname "virbr0" jump nat_POST_libvirt
+		iifname "docker0" oifname "virbr0" return
+		iifname "virbr0" oifname "virbr0" jump nat_POST_libvirt
+		iifname "virbr0" oifname "virbr0" return
+		oifname "virbr0" jump nat_POST_libvirt
+		oifname "virbr0" return
+		iifname "wlp0s20f3" jump nat_POST_FedoraWorkstation
+		iifname "wlp0s20f3" return
+		iifname "docker0" jump nat_POST_FedoraWorkstation
+		iifname "docker0" return
+		iifname "virbr0" jump nat_POST_FedoraWorkstation
+		iifname "virbr0" return
+		jump nat_POST_FedoraWorkstation
+		return
+	}
+
+	chain nat_OUTPUT {
+		type nat hook output priority dstnat + 10; policy accept;
+		jump nat_OUTPUT_POLICIES
+	}
+
+	chain nat_OUTPUT_POLICIES {
+		oifname "wlp0s20f3" jump nat_OUT_FedoraWorkstation
+		oifname "wlp0s20f3" return
+		oifname "docker0" jump nat_OUT_docker
+		oifname "docker0" return
+		oifname "virbr0" jump nat_OUT_libvirt
+		oifname "virbr0" return
+		jump nat_OUT_FedoraWorkstation
+		return
+	}
+
+	chain filter_PREROUTING {
+		type filter hook prerouting priority filter + 10; policy accept;
+		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+		meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+	}
+
+	chain filter_INPUT {
+		type filter hook input priority filter + 10; policy accept;
+		ct state { established, related } accept
+		ct status dnat accept
+		iifname "lo" accept
+		ct state invalid drop
+		jump filter_INPUT_POLICIES
+		reject with icmpx admin-prohibited
+	}
+
+	chain filter_FORWARD {
+		type filter hook forward priority filter + 10; policy accept;
+		ct state { established, related } accept
+		ct status dnat accept
+		iifname "lo" accept
+		ct state invalid drop
+		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
+		jump filter_FORWARD_POLICIES
+		reject with icmpx admin-prohibited
+	}
+
+	chain filter_OUTPUT {
+		type filter hook output priority filter + 10; policy accept;
+		ct state { established, related } accept
+		oifname "lo" accept
+		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
+		jump filter_OUTPUT_POLICIES
+	}
+
+	chain filter_INPUT_POLICIES {
+		iifname "wlp0s20f3" jump filter_IN_policy_allow-host-ipv6
+		iifname "wlp0s20f3" jump filter_IN_FedoraWorkstation
+		iifname "wlp0s20f3" reject with icmpx admin-prohibited
+		iifname "docker0" jump filter_IN_policy_allow-host-ipv6
+		iifname "docker0" jump filter_IN_docker
+		iifname "docker0" accept
+		iifname "virbr0" jump filter_IN_policy_allow-host-ipv6
+		iifname "virbr0" jump filter_IN_libvirt
+		iifname "virbr0" accept
+		jump filter_IN_policy_allow-host-ipv6
+		jump filter_IN_FedoraWorkstation
+		reject with icmpx admin-prohibited
+	}
+
+	chain filter_FORWARD_POLICIES {
+		iifname "wlp0s20f3" oifname "wlp0s20f3" jump filter_FWD_FedoraWorkstation
+		iifname "wlp0s20f3" oifname "wlp0s20f3" reject with icmpx admin-prohibited
+		iifname "wlp0s20f3" oifname "docker0" jump filter_FWD_policy_docker-forwarding
+		iifname "wlp0s20f3" oifname "docker0" jump filter_FWD_FedoraWorkstation
+		iifname "wlp0s20f3" oifname "docker0" reject with icmpx admin-prohibited
+		iifname "wlp0s20f3" oifname "virbr0" jump filter_FWD_FedoraWorkstation
+		iifname "wlp0s20f3" oifname "virbr0" reject with icmpx admin-prohibited
+		iifname "wlp0s20f3" jump filter_FWD_FedoraWorkstation
+		iifname "wlp0s20f3" reject with icmpx admin-prohibited
+		iifname "docker0" oifname "wlp0s20f3" jump filter_FWD_docker
+		iifname "docker0" oifname "wlp0s20f3" accept
+		iifname "docker0" oifname "docker0" jump filter_FWD_policy_docker-forwarding
+		iifname "docker0" oifname "docker0" jump filter_FWD_docker
+		iifname "docker0" oifname "docker0" accept
+		iifname "docker0" oifname "virbr0" jump filter_FWD_docker
+		iifname "docker0" oifname "virbr0" accept
+		iifname "docker0" jump filter_FWD_docker
+		iifname "docker0" accept
+		iifname "virbr0" oifname "wlp0s20f3" jump filter_FWD_libvirt
+		iifname "virbr0" oifname "wlp0s20f3" accept
+		iifname "virbr0" oifname "docker0" jump filter_FWD_policy_docker-forwarding
+		iifname "virbr0" oifname "docker0" jump filter_FWD_libvirt
+		iifname "virbr0" oifname "docker0" accept
+		iifname "virbr0" oifname "virbr0" jump filter_FWD_libvirt
+		iifname "virbr0" oifname "virbr0" accept
+		iifname "virbr0" jump filter_FWD_libvirt
+		iifname "virbr0" accept
+		oifname "wlp0s20f3" jump filter_FWD_FedoraWorkstation
+		oifname "wlp0s20f3" reject with icmpx admin-prohibited
+		oifname "docker0" jump filter_FWD_policy_docker-forwarding
+		oifname "docker0" jump filter_FWD_FedoraWorkstation
+		oifname "docker0" reject with icmpx admin-prohibited
+		oifname "virbr0" jump filter_FWD_FedoraWorkstation
+		oifname "virbr0" reject with icmpx admin-prohibited
+		jump filter_FWD_FedoraWorkstation
+		reject with icmpx admin-prohibited
+	}
+
+	chain filter_OUTPUT_POLICIES {
+		oifname "wlp0s20f3" jump filter_OUT_FedoraWorkstation
+		oifname "wlp0s20f3" return
+		oifname "docker0" jump filter_OUT_docker
+		oifname "docker0" return
+		oifname "virbr0" jump filter_OUT_libvirt
+		oifname "virbr0" return
+		jump filter_OUT_FedoraWorkstation
+		return
+	}
+
+	chain filter_IN_FedoraWorkstation {
+		jump filter_IN_FedoraWorkstation_pre
+		jump filter_IN_FedoraWorkstation_log
+		jump filter_IN_FedoraWorkstation_deny
+		jump filter_IN_FedoraWorkstation_allow
+		jump filter_IN_FedoraWorkstation_post
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_IN_FedoraWorkstation_pre {
+	}
+
+	chain filter_IN_FedoraWorkstation_log {
+	}
+
+	chain filter_IN_FedoraWorkstation_deny {
+	}
+
+	chain filter_IN_FedoraWorkstation_allow {
+		ip6 daddr fe80::/64 udp dport 546 accept
+		tcp dport 22 accept
+		udp dport 137 ct helper set "helper-netbios-ns-udp"
+		udp dport 137 accept
+		udp dport 138 accept
+		ip daddr 224.0.0.251 udp dport 5353 accept
+		ip6 daddr ff02::fb udp dport 5353 accept
+		udp dport 1025-65535 accept
+		tcp dport 1025-65535 accept
+	}
+
+	chain filter_IN_FedoraWorkstation_post {
+	}
+
+	chain filter_OUT_FedoraWorkstation {
+		jump filter_OUT_FedoraWorkstation_pre
+		jump filter_OUT_FedoraWorkstation_log
+		jump filter_OUT_FedoraWorkstation_deny
+		jump filter_OUT_FedoraWorkstation_allow
+		jump filter_OUT_FedoraWorkstation_post
+	}
+
+	chain filter_OUT_FedoraWorkstation_pre {
+	}
+
+	chain filter_OUT_FedoraWorkstation_log {
+	}
+
+	chain filter_OUT_FedoraWorkstation_deny {
+	}
+
+	chain filter_OUT_FedoraWorkstation_allow {
+	}
+
+	chain filter_OUT_FedoraWorkstation_post {
+	}
+
+	chain nat_OUT_FedoraWorkstation {
+		jump nat_OUT_FedoraWorkstation_pre
+		jump nat_OUT_FedoraWorkstation_log
+		jump nat_OUT_FedoraWorkstation_deny
+		jump nat_OUT_FedoraWorkstation_allow
+		jump nat_OUT_FedoraWorkstation_post
+	}
+
+	chain nat_OUT_FedoraWorkstation_pre {
+	}
+
+	chain nat_OUT_FedoraWorkstation_log {
+	}
+
+	chain nat_OUT_FedoraWorkstation_deny {
+	}
+
+	chain nat_OUT_FedoraWorkstation_allow {
+	}
+
+	chain nat_OUT_FedoraWorkstation_post {
+	}
+
+	chain nat_POST_FedoraWorkstation {
+		jump nat_POST_FedoraWorkstation_pre
+		jump nat_POST_FedoraWorkstation_log
+		jump nat_POST_FedoraWorkstation_deny
+		jump nat_POST_FedoraWorkstation_allow
+		jump nat_POST_FedoraWorkstation_post
+	}
+
+	chain nat_POST_FedoraWorkstation_pre {
+	}
+
+	chain nat_POST_FedoraWorkstation_log {
+	}
+
+	chain nat_POST_FedoraWorkstation_deny {
+	}
+
+	chain nat_POST_FedoraWorkstation_allow {
+	}
+
+	chain nat_POST_FedoraWorkstation_post {
+	}
+
+	chain filter_FWD_FedoraWorkstation {
+		jump filter_FWD_FedoraWorkstation_pre
+		jump filter_FWD_FedoraWorkstation_log
+		jump filter_FWD_FedoraWorkstation_deny
+		jump filter_FWD_FedoraWorkstation_allow
+		jump filter_FWD_FedoraWorkstation_post
+	}
+
+	chain filter_FWD_FedoraWorkstation_pre {
+	}
+
+	chain filter_FWD_FedoraWorkstation_log {
+	}
+
+	chain filter_FWD_FedoraWorkstation_deny {
+	}
+
+	chain filter_FWD_FedoraWorkstation_allow {
+		oifname "wlp0s20f3" accept
+	}
+
+	chain filter_FWD_FedoraWorkstation_post {
+	}
+
+	chain nat_PRE_FedoraWorkstation {
+		jump nat_PRE_FedoraWorkstation_pre
+		jump nat_PRE_FedoraWorkstation_log
+		jump nat_PRE_FedoraWorkstation_deny
+		jump nat_PRE_FedoraWorkstation_allow
+		jump nat_PRE_FedoraWorkstation_post
+	}
+
+	chain nat_PRE_FedoraWorkstation_pre {
+	}
+
+	chain nat_PRE_FedoraWorkstation_log {
+	}
+
+	chain nat_PRE_FedoraWorkstation_deny {
+	}
+
+	chain nat_PRE_FedoraWorkstation_allow {
+	}
+
+	chain nat_PRE_FedoraWorkstation_post {
+	}
+
+	chain mangle_PRE_FedoraWorkstation {
+		jump mangle_PRE_FedoraWorkstation_pre
+		jump mangle_PRE_FedoraWorkstation_log
+		jump mangle_PRE_FedoraWorkstation_deny
+		jump mangle_PRE_FedoraWorkstation_allow
+		jump mangle_PRE_FedoraWorkstation_post
+	}
+
+	chain mangle_PRE_FedoraWorkstation_pre {
+	}
+
+	chain mangle_PRE_FedoraWorkstation_log {
+	}
+
+	chain mangle_PRE_FedoraWorkstation_deny {
+	}
+
+	chain mangle_PRE_FedoraWorkstation_allow {
+	}
+
+	chain mangle_PRE_FedoraWorkstation_post {
+	}
+
+	chain filter_IN_policy_allow-host-ipv6 {
+		jump filter_IN_policy_allow-host-ipv6_pre
+		jump filter_IN_policy_allow-host-ipv6_log
+		jump filter_IN_policy_allow-host-ipv6_deny
+		jump filter_IN_policy_allow-host-ipv6_allow
+		jump filter_IN_policy_allow-host-ipv6_post
+	}
+
+	chain filter_IN_policy_allow-host-ipv6_pre {
+	}
+
+	chain filter_IN_policy_allow-host-ipv6_log {
+	}
+
+	chain filter_IN_policy_allow-host-ipv6_deny {
+	}
+
+	chain filter_IN_policy_allow-host-ipv6_allow {
+		icmpv6 type nd-neighbor-advert accept
+		icmpv6 type nd-neighbor-solicit accept
+		icmpv6 type nd-router-advert accept
+		icmpv6 type nd-redirect accept
+	}
+
+	chain filter_IN_policy_allow-host-ipv6_post {
+	}
+
+	chain nat_PRE_policy_allow-host-ipv6 {
+		jump nat_PRE_policy_allow-host-ipv6_pre
+		jump nat_PRE_policy_allow-host-ipv6_log
+		jump nat_PRE_policy_allow-host-ipv6_deny
+		jump nat_PRE_policy_allow-host-ipv6_allow
+		jump nat_PRE_policy_allow-host-ipv6_post
+	}
+
+	chain nat_PRE_policy_allow-host-ipv6_pre {
+	}
+
+	chain nat_PRE_policy_allow-host-ipv6_log {
+	}
+
+	chain nat_PRE_policy_allow-host-ipv6_deny {
+	}
+
+	chain nat_PRE_policy_allow-host-ipv6_allow {
+	}
+
+	chain nat_PRE_policy_allow-host-ipv6_post {
+	}
+
+	chain mangle_PRE_policy_allow-host-ipv6 {
+		jump mangle_PRE_policy_allow-host-ipv6_pre
+		jump mangle_PRE_policy_allow-host-ipv6_log
+		jump mangle_PRE_policy_allow-host-ipv6_deny
+		jump mangle_PRE_policy_allow-host-ipv6_allow
+		jump mangle_PRE_policy_allow-host-ipv6_post
+	}
+
+	chain mangle_PRE_policy_allow-host-ipv6_pre {
+	}
+
+	chain mangle_PRE_policy_allow-host-ipv6_log {
+	}
+
+	chain mangle_PRE_policy_allow-host-ipv6_deny {
+	}
+
+	chain mangle_PRE_policy_allow-host-ipv6_allow {
+	}
+
+	chain mangle_PRE_policy_allow-host-ipv6_post {
+	}
+
+	chain filter_IN_libvirt {
+		jump filter_IN_libvirt_pre
+		jump filter_IN_libvirt_log
+		jump filter_IN_libvirt_deny
+		jump filter_IN_libvirt_allow
+		jump filter_IN_libvirt_post
+	}
+
+	chain filter_IN_libvirt_pre {
+	}
+
+	chain filter_IN_libvirt_log {
+	}
+
+	chain filter_IN_libvirt_deny {
+	}
+
+	chain filter_IN_libvirt_allow {
+		udp dport 67 accept
+		udp dport 547 accept
+		tcp dport 53 accept
+		udp dport 53 accept
+		tcp dport 22 accept
+		udp dport 69 ct helper set "helper-tftp-udp"
+		udp dport 69 accept
+		meta l4proto icmp accept
+		meta l4proto ipv6-icmp accept
+	}
+
+	chain filter_IN_libvirt_post {
+		reject
+	}
+
+	chain filter_OUT_libvirt {
+		jump filter_OUT_libvirt_pre
+		jump filter_OUT_libvirt_log
+		jump filter_OUT_libvirt_deny
+		jump filter_OUT_libvirt_allow
+		jump filter_OUT_libvirt_post
+	}
+
+	chain filter_OUT_libvirt_pre {
+	}
+
+	chain filter_OUT_libvirt_log {
+	}
+
+	chain filter_OUT_libvirt_deny {
+	}
+
+	chain filter_OUT_libvirt_allow {
+	}
+
+	chain filter_OUT_libvirt_post {
+	}
+
+	chain nat_OUT_libvirt {
+		jump nat_OUT_libvirt_pre
+		jump nat_OUT_libvirt_log
+		jump nat_OUT_libvirt_deny
+		jump nat_OUT_libvirt_allow
+		jump nat_OUT_libvirt_post
+	}
+
+	chain nat_OUT_libvirt_pre {
+	}
+
+	chain nat_OUT_libvirt_log {
+	}
+
+	chain nat_OUT_libvirt_deny {
+	}
+
+	chain nat_OUT_libvirt_allow {
+	}
+
+	chain nat_OUT_libvirt_post {
+	}
+
+	chain nat_POST_libvirt {
+		jump nat_POST_libvirt_pre
+		jump nat_POST_libvirt_log
+		jump nat_POST_libvirt_deny
+		jump nat_POST_libvirt_allow
+		jump nat_POST_libvirt_post
+	}
+
+	chain nat_POST_libvirt_pre {
+	}
+
+	chain nat_POST_libvirt_log {
+	}
+
+	chain nat_POST_libvirt_deny {
+	}
+
+	chain nat_POST_libvirt_allow {
+		meta nfproto ipv4 oifname != "lo" masquerade
+	}
+
+	chain nat_POST_libvirt_post {
+	}
+
+	chain filter_FWD_libvirt {
+		jump filter_FWD_libvirt_pre
+		jump filter_FWD_libvirt_log
+		jump filter_FWD_libvirt_deny
+		jump filter_FWD_libvirt_allow
+		jump filter_FWD_libvirt_post
+	}
+
+	chain filter_FWD_libvirt_pre {
+	}
+
+	chain filter_FWD_libvirt_log {
+	}
+
+	chain filter_FWD_libvirt_deny {
+	}
+
+	chain filter_FWD_libvirt_allow {
+		oifname "virbr0" accept
+	}
+
+	chain filter_FWD_libvirt_post {
+	}
+
+	chain nat_PRE_libvirt {
+		jump nat_PRE_libvirt_pre
+		jump nat_PRE_libvirt_log
+		jump nat_PRE_libvirt_deny
+		jump nat_PRE_libvirt_allow
+		jump nat_PRE_libvirt_post
+	}
+
+	chain nat_PRE_libvirt_pre {
+	}
+
+	chain nat_PRE_libvirt_log {
+	}
+
+	chain nat_PRE_libvirt_deny {
+	}
+
+	chain nat_PRE_libvirt_allow {
+	}
+
+	chain nat_PRE_libvirt_post {
+	}
+
+	chain mangle_PRE_libvirt {
+		jump mangle_PRE_libvirt_pre
+		jump mangle_PRE_libvirt_log
+		jump mangle_PRE_libvirt_deny
+		jump mangle_PRE_libvirt_allow
+		jump mangle_PRE_libvirt_post
+	}
+
+	chain mangle_PRE_libvirt_pre {
+	}
+
+	chain mangle_PRE_libvirt_log {
+	}
+
+	chain mangle_PRE_libvirt_deny {
+	}
+
+	chain mangle_PRE_libvirt_allow {
+	}
+
+	chain mangle_PRE_libvirt_post {
+	}
+
+	chain filter_IN_docker {
+		jump filter_IN_docker_pre
+		jump filter_IN_docker_log
+		jump filter_IN_docker_deny
+		jump filter_IN_docker_allow
+		jump filter_IN_docker_post
+	}
+
+	chain filter_IN_docker_pre {
+	}
+
+	chain filter_IN_docker_log {
+	}
+
+	chain filter_IN_docker_deny {
+	}
+
+	chain filter_IN_docker_allow {
+	}
+
+	chain filter_IN_docker_post {
+	}
+
+	chain filter_OUT_docker {
+		jump filter_OUT_docker_pre
+		jump filter_OUT_docker_log
+		jump filter_OUT_docker_deny
+		jump filter_OUT_docker_allow
+		jump filter_OUT_docker_post
+	}
+
+	chain filter_OUT_docker_pre {
+	}
+
+	chain filter_OUT_docker_log {
+	}
+
+	chain filter_OUT_docker_deny {
+	}
+
+	chain filter_OUT_docker_allow {
+	}
+
+	chain filter_OUT_docker_post {
+	}
+
+	chain nat_OUT_docker {
+		jump nat_OUT_docker_pre
+		jump nat_OUT_docker_log
+		jump nat_OUT_docker_deny
+		jump nat_OUT_docker_allow
+		jump nat_OUT_docker_post
+	}
+
+	chain nat_OUT_docker_pre {
+	}
+
+	chain nat_OUT_docker_log {
+	}
+
+	chain nat_OUT_docker_deny {
+	}
+
+	chain nat_OUT_docker_allow {
+	}
+
+	chain nat_OUT_docker_post {
+	}
+
+	chain nat_POST_docker {
+		jump nat_POST_docker_pre
+		jump nat_POST_docker_log
+		jump nat_POST_docker_deny
+		jump nat_POST_docker_allow
+		jump nat_POST_docker_post
+	}
+
+	chain nat_POST_docker_pre {
+	}
+
+	chain nat_POST_docker_log {
+	}
+
+	chain nat_POST_docker_deny {
+	}
+
+	chain nat_POST_docker_allow {
+	}
+
+	chain nat_POST_docker_post {
+	}
+
+	chain filter_FWD_docker {
+		jump filter_FWD_docker_pre
+		jump filter_FWD_docker_log
+		jump filter_FWD_docker_deny
+		jump filter_FWD_docker_allow
+		jump filter_FWD_docker_post
+	}
+
+	chain filter_FWD_docker_pre {
+	}
+
+	chain filter_FWD_docker_log {
+	}
+
+	chain filter_FWD_docker_deny {
+	}
+
+	chain filter_FWD_docker_allow {
+		oifname "docker0" accept
+	}
+
+	chain filter_FWD_docker_post {
+	}
+
+	chain nat_PRE_docker {
+		jump nat_PRE_docker_pre
+		jump nat_PRE_docker_log
+		jump nat_PRE_docker_deny
+		jump nat_PRE_docker_allow
+		jump nat_PRE_docker_post
+	}
+
+	chain nat_PRE_docker_pre {
+	}
+
+	chain nat_PRE_docker_log {
+	}
+
+	chain nat_PRE_docker_deny {
+	}
+
+	chain nat_PRE_docker_allow {
+	}
+
+	chain nat_PRE_docker_post {
+	}
+
+	chain mangle_PRE_docker {
+		jump mangle_PRE_docker_pre
+		jump mangle_PRE_docker_log
+		jump mangle_PRE_docker_deny
+		jump mangle_PRE_docker_allow
+		jump mangle_PRE_docker_post
+	}
+
+	chain mangle_PRE_docker_pre {
+	}
+
+	chain mangle_PRE_docker_log {
+	}
+
+	chain mangle_PRE_docker_deny {
+	}
+
+	chain mangle_PRE_docker_allow {
+	}
+
+	chain mangle_PRE_docker_post {
+	}
+
+	chain filter_FWD_policy_docker-forwarding {
+		jump filter_FWD_policy_docker-forwarding_pre
+		jump filter_FWD_policy_docker-forwarding_log
+		jump filter_FWD_policy_docker-forwarding_deny
+		jump filter_FWD_policy_docker-forwarding_allow
+		jump filter_FWD_policy_docker-forwarding_post
+		accept
+	}
+
+	chain filter_FWD_policy_docker-forwarding_pre {
+	}
+
+	chain filter_FWD_policy_docker-forwarding_log {
+	}
+
+	chain filter_FWD_policy_docker-forwarding_deny {
+	}
+
+	chain filter_FWD_policy_docker-forwarding_allow {
+	}
+
+	chain filter_FWD_policy_docker-forwarding_post {
+	}
+
+	chain nat_POST_policy_docker-forwarding {
+		jump nat_POST_policy_docker-forwarding_pre
+		jump nat_POST_policy_docker-forwarding_log
+		jump nat_POST_policy_docker-forwarding_deny
+		jump nat_POST_policy_docker-forwarding_allow
+		jump nat_POST_policy_docker-forwarding_post
+	}
+
+	chain nat_POST_policy_docker-forwarding_pre {
+	}
+
+	chain nat_POST_policy_docker-forwarding_log {
+	}
+
+	chain nat_POST_policy_docker-forwarding_deny {
+	}
+
+	chain nat_POST_policy_docker-forwarding_allow {
+	}
+
+	chain nat_POST_policy_docker-forwarding_post {
+	}
+}
No results found