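# Host firewall, dual-stack (inet): default-deny on input and forward, output
# left open. This is the table that actually enforces policy; table ip filter
# (CNI-generated, all chains policy accept) only ever adds accepts.
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		# Replies to connections the host opened or already accepted.
		ct state { established, related } counter packets 899 bytes 66109 accept
		ct state invalid counter packets 0 bytes 0 drop
		iif "lo" accept
		# Anti-spoofing: packets for a loopback address may only arrive on lo.
		iifname != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
		iifname != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
		# ICMPv6 error reporting / PMTU discovery plus neighbour discovery. echo-request is
		# deliberately absent (host does not answer ping). Note "ip6 nexthdr" only matches when
		# ICMPv6 is the first header after the fixed IPv6 header; ICMPv6 carried behind extension
		# headers is not matched ("meta l4proto ipv6-icmp" would cover that as well).
		ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } counter packets 0 bytes 0 accept
		ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } counter packets 0 bytes 0 accept
		# SSH is reachable from any source; no source restriction or connection
		# rate limit is applied at this layer.
		tcp dport ssh accept comment "accept SSH"
		# Port 80 on every local IPv4 address is DNAT'd to the podman1 container in
		# table ip nat (prerouting, priority -100) before this chain is reached, so for
		# IPv4 this rule effectively only admits 443; IPv6 80/443 still terminate on the host.
		tcp dport { http, https } accept comment "accept HTTP(S)"
		counter packets 308 bytes 15791 comment "count dropped packets"
	}

	chain forward {
		type filter hook forward priority 50; policy drop;
		# This chain runs AFTER table ip filter's FORWARD (priority 0), so an accept
		# there does not override the default drop here. With no accept rules at all,
		# every packet the nat table DNATs to the podman1 container was dropped here
		# (the 60 packets / ~60 bytes each counted in CNI-HOSTPORT-DNAT are consistent
		# with unanswered SYNs). The rules below admit exactly that traffic and nothing else.
		ct state { established, related } counter accept
		ct state invalid counter drop
		# Inbound: only new flows the nat table explicitly DNAT'd (the CNI port mapping).
		ct state new ct status dnat counter accept comment "accept port-mapped container traffic"
		# Outbound from the podman1 network (172.17.0.0/24 per table ip nat), masqueraded
		# in postrouting. TODO(review): also match the podman bridge with iifname once its
		# name is known, so spoofed 172.17.0.0/24 sources on external interfaces are not forwarded.
		ip saddr 172.17.0.0/24 ct state new counter accept comment "accept outbound from podman1 network"
		counter comment "count dropped forwarded packets"
	}

	chain output {
		type filter hook output priority 0; policy accept;
		counter packets 783 bytes 94524 comment "count accepted packets"
	}
}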
# IPv4 NAT for the podman1 CNI network (chain names follow iptables
# conventions; presumably written by the CNI bridge/portmap plugins via
# iptables-nft, so manual edits here may be overwritten on network restart).
# IPv4 only: nothing in this file NATs IPv6.
table ip nat {
	# Inbound port mapping: only packets addressed to one of the host's own
	# IPs (fib daddr type local) are considered for DNAT.
	chain PREROUTING {
		type nat hook prerouting priority -100; policy accept;
		fib daddr type local counter packets 381 bytes 20151 jump CNI-HOSTPORT-DNAT
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority 100; policy accept;
		# Hairpin flows marked in CNI-HOSTPORT-SETMARK are masqueraded here.
		counter packets 1 bytes 60 jump CNI-HOSTPORT-MASQ comment "CNI portfwd requiring masquerade"
		# Egress NAT for the single podman1 container at 172.17.0.18.
		# NOTE(review): the nested quotes in this comment are printed unescaped by
		# this nft version; they will likely need escaping (\") before this dump can
		# be fed back with `nft -f`.
		ip saddr 172.17.0.18 counter packets 0 bytes 0 jump CNI-fe69141f566e79646b5e75ea comment "name: "podman1" id: "1561a1eea5d7cf6073a2c0ff9d4457fa1f52ca44316bda5595a34e6e2dd53a1b""
	}

	# Locally generated traffic to a local address goes through the same
	# port-mapping DNAT, so the host itself can reach the mapped port.
	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		fib daddr type local counter packets 0 bytes 0 jump CNI-HOSTPORT-DNAT
	}

	# Per-network egress chain: traffic staying inside 172.17.0.0/24 is left
	# untouched; everything else except multicast is masqueraded behind the host.
	chain CNI-fe69141f566e79646b5e75ea {
		ip daddr 172.17.0.0/24 counter packets 0 bytes 0 accept comment "name: "podman1" id: "1561a1eea5d7cf6073a2c0ff9d4457fa1f52ca44316bda5595a34e6e2dd53a1b""
		ip daddr != 224.0.0.0/4 counter packets 0 bytes 0 masquerade  comment "name: "podman1" id: "1561a1eea5d7cf6073a2c0ff9d4457fa1f52ca44316bda5595a34e6e2dd53a1b""
	}

	# Sets mark bit 0x2000; POSTROUTING then masquerades the packet (see
	# CNI-HOSTPORT-MASQ). Used for hairpin connections to the mapped port that
	# originate from the container subnet or from 127.0.0.1.
	chain CNI-HOSTPORT-SETMARK {
		counter packets 0 bytes 0 meta mark set mark or 0x2000  comment "CNI portfwd masquerade mark"
	}

	chain CNI-HOSTPORT-MASQ {
		mark and 0x2000 == 0x2000 counter packets 0 bytes 0 masquerade 
	}

	# Port-map dispatch. TCP/80 is the only mapping. It is not bound to a
	# particular host IP: combined with "fib daddr type local" above, the
	# container's port 80 is exposed on every address the host owns,
	# including 127.0.0.1.
	chain CNI-HOSTPORT-DNAT {
		meta l4proto tcp tcp dport 80 counter packets 60 bytes 3560 jump CNI-DN-fe69141f566e79646b5e7 comment "dnat name: "podman1" id: "1561a1eea5d7cf6073a2c0ff9d4457fa1f52ca44316bda5595a34e6e2dd53a1b""
	}

	chain CNI-DN-fe69141f566e79646b5e7 {
		# Hairpin sources (container subnet, localhost) get the masquerade mark
		# before the DNAT below so replies route back through the host.
		meta l4proto tcp ip saddr 172.17.0.0/24 tcp dport 80 counter packets 0 bytes 0 jump CNI-HOSTPORT-SETMARK
		meta l4proto tcp ip saddr 127.0.0.1 tcp dport 80 counter packets 0 bytes 0 jump CNI-HOSTPORT-SETMARK
		# Forwarded traffic then has to pass both forward chains (table ip filter
		# FORWARD and table inet filter forward); the latter is default-drop.
		meta l4proto tcp tcp dport 80 counter packets 60 bytes 3560 dnat to 172.17.0.18:80
	}
}
# IPv4 filter table installed by the CNI "firewall" plugin (iptables-nft
# naming). All three base chains are policy accept, so this table can only
# add accepts; the host's default-drop policy lives in table inet filter,
# whose forward chain (priority 50) runs after FORWARD here (priority 0) and
# still gets the final say.
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
		counter packets 60 bytes 3560 jump CNI-FORWARD comment "CNI firewall plugin rules"
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}

	chain CNI-FORWARD {
		# CNI-ADMIN is consulted first; it is empty in this ruleset.
		counter packets 60 bytes 3560 jump CNI-ADMIN comment "CNI firewall plugin rules"
		# Replies back into the container. New inbound connections to the
		# container are NOT accepted here; they fall through to FORWARD's
		# policy accept (and then to table inet filter's forward chain).
		ip daddr 172.17.0.18 ct state related,established counter packets 0 bytes 0 accept
		# Everything the container sends is accepted with no destination
		# restriction: no egress filtering for the container at this layer.
		ip saddr 172.17.0.18 counter packets 0 bytes 0 accept
	}

	# Jumped to before the plugin's own rules; presumably the hook for
	# operator-added rules (nothing in this ruleset populates it).
	chain CNI-ADMIN {
	}
}