@gunnarniels
Last active September 8, 2020 10:09
docker run registry.access.redhat.com/ubi8-minimal curl --location https://dl.yarnpkg.com/rpm/yarn.repo
Unable to find image 'registry.access.redhat.com/ubi8-minimal:latest' locally
latest: Pulling from ubi8-minimal
41ae95b593e0: Already exists
f20f68829d13: Already exists
Digest: sha256:372622021a90893d9e25c298e045c804388c7666f3e756cd48f75d20172d9e55
Status: Downloaded newer image for registry.access.redhat.com/ubi8-minimal:latest
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0
curl: (6) Could not resolve host: dl.yarnpkg.com
# docker run registry.access.redhat.com/ubi8-minimal curl --location https://dl.yarnpkg.com/rpm/yarn.repo
Unable to find image 'registry.access.redhat.com/ubi8-minimal:latest' locally
latest: Pulling from ubi8-minimal
41ae95b593e0: Already exists
f20f68829d13: Already exists
Digest: sha256:372622021a90893d9e25c298e045c804388c7666f3e756cd48f75d20172d9e55
Status: Downloaded newer image for registry.access.redhat.com/ubi8-minimal:latest
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 130 100 130 0 0 628 0 --:--:-- --:--:-- --:--:-- 628
[yarn]
name=Yarn Repository
baseurl=https://dl.yarnpkg.com/rpm/
enabled=1
gpgcheck=1
gpgkey=https://dl.yarnpkg.com/rpm/pubkey.gpg
Sep 08 06:07:22 baldur kernel: TRACE: filter:DOCKER-ISOLATION-STAGE-2:return:2 IN=docker0 OUT=exbr PHYSIN=vethd4543cb MAC=02:42:dd:21:67:40:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=192.168.2.1 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=30516 DF PROTO=UDP SPT=47923 DPT=53 LEN=51
Sep 08 06:07:22 baldur kernel: TRACE: filter:DOCKER-ISOLATION-STAGE-1:return:2 IN=docker0 OUT=exbr PHYSIN=vethd4543cb MAC=02:42:dd:21:67:40:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=192.168.2.1 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=30516 DF PROTO=UDP SPT=47923 DPT=53 LEN=51
Sep 08 06:07:22 baldur kernel: TRACE: filter:FORWARD:rule:5 IN=docker0 OUT=exbr PHYSIN=vethd4543cb MAC=02:42:dd:21:67:40:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=192.168.2.1 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=30516 DF PROTO=UDP SPT=47923 DPT=53 LEN=51
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 DOCKER-USER all -- anywhere anywhere
2 DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
4 DOCKER all -- anywhere anywhere
5 ACCEPT all -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain DOCKER (1 references)
num target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num target prot opt source destination
1 DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 172.17.0.0/16 anywhere
Chain DOCKER (2 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 DOCKER-USER all -- anywhere anywhere
2 DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
4 DOCKER all -- anywhere anywhere
5 ACCEPT all -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain DOCKER (1 references)
num target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num target prot opt source destination
1 DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 172.17.0.0/16 anywhere
Chain DOCKER (2 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
table inet firewalld {
ct helper helper-tftp-udp {
type "tftp" protocol udp
l3proto inet
}
chain raw_PREROUTING {
type filter hook prerouting priority raw + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . iif oif missing drop
jump raw_PREROUTING_ZONES
}
chain raw_PREROUTING_ZONES {
iifname "enp0s25" goto raw_PRE_public
iifname "exbr" goto raw_PRE_public
iifname "docker0" goto raw_PRE_public
iifname "virbr0" goto raw_PRE_libvirt
goto raw_PRE_public
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_ZONES {
iifname "enp0s25" goto mangle_PRE_public
iifname "exbr" goto mangle_PRE_public
iifname "docker0" goto mangle_PRE_public
iifname "virbr0" goto mangle_PRE_libvirt
goto mangle_PRE_public
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
jump filter_FORWARD_IN_ZONES
jump filter_FORWARD_OUT_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
}
chain filter_INPUT_ZONES {
iifname "enp0s25" goto filter_IN_public
iifname "exbr" goto filter_IN_public
iifname "docker0" goto filter_IN_public
iifname "virbr0" goto filter_IN_libvirt
goto filter_IN_public
}
chain filter_FORWARD_IN_ZONES {
iifname "enp0s25" goto filter_FWDI_public
iifname "exbr" goto filter_FWDI_public
iifname "docker0" goto filter_FWDI_public
iifname "virbr0" goto filter_FWDI_libvirt
goto filter_FWDI_public
}
chain filter_FORWARD_OUT_ZONES {
oifname "enp0s25" goto filter_FWDO_public
oifname "exbr" goto filter_FWDO_public
oifname "docker0" goto filter_FWDO_public
oifname "virbr0" goto filter_FWDO_libvirt
goto filter_FWDO_public
}
chain raw_PRE_libvirt {
jump raw_PRE_libvirt_pre
jump raw_PRE_libvirt_log
jump raw_PRE_libvirt_deny
jump raw_PRE_libvirt_allow
jump raw_PRE_libvirt_post
}
chain raw_PRE_libvirt_pre {
}
chain raw_PRE_libvirt_log {
}
chain raw_PRE_libvirt_deny {
}
chain raw_PRE_libvirt_allow {
}
chain raw_PRE_libvirt_post {
}
chain filter_IN_libvirt {
jump filter_IN_libvirt_pre
jump filter_IN_libvirt_log
jump filter_IN_libvirt_deny
jump filter_IN_libvirt_allow
jump filter_IN_libvirt_post
accept
}
chain filter_IN_libvirt_pre {
}
chain filter_IN_libvirt_log {
}
chain filter_IN_libvirt_deny {
}
chain filter_IN_libvirt_allow {
udp dport 67 ct state { new, untracked } accept
udp dport 547 ct state { new, untracked } accept
tcp dport 53 ct state { new, untracked } accept
udp dport 53 ct state { new, untracked } accept
tcp dport 22 ct state { new, untracked } accept
udp dport 69 ct helper set "helper-tftp-udp"
udp dport 69 ct state { new, untracked } accept
}
chain filter_IN_libvirt_post {
reject
}
chain mangle_PRE_libvirt {
jump mangle_PRE_libvirt_pre
jump mangle_PRE_libvirt_log
jump mangle_PRE_libvirt_deny
jump mangle_PRE_libvirt_allow
jump mangle_PRE_libvirt_post
}
chain mangle_PRE_libvirt_pre {
}
chain mangle_PRE_libvirt_log {
}
chain mangle_PRE_libvirt_deny {
}
chain mangle_PRE_libvirt_allow {
}
chain mangle_PRE_libvirt_post {
}
chain filter_FWDI_libvirt {
jump filter_FWDI_libvirt_pre
jump filter_FWDI_libvirt_log
jump filter_FWDI_libvirt_deny
jump filter_FWDI_libvirt_allow
jump filter_FWDI_libvirt_post
accept
}
chain filter_FWDI_libvirt_pre {
}
chain filter_FWDI_libvirt_log {
}
chain filter_FWDI_libvirt_deny {
}
chain filter_FWDI_libvirt_allow {
}
chain filter_FWDI_libvirt_post {
}
chain filter_FWDO_libvirt {
jump filter_FWDO_libvirt_pre
jump filter_FWDO_libvirt_log
jump filter_FWDO_libvirt_deny
jump filter_FWDO_libvirt_allow
jump filter_FWDO_libvirt_post
accept
}
chain filter_FWDO_libvirt_pre {
}
chain filter_FWDO_libvirt_log {
}
chain filter_FWDO_libvirt_deny {
}
chain filter_FWDO_libvirt_allow {
}
chain filter_FWDO_libvirt_post {
}
chain raw_PRE_public {
jump raw_PRE_public_pre
jump raw_PRE_public_log
jump raw_PRE_public_deny
jump raw_PRE_public_allow
jump raw_PRE_public_post
}
chain raw_PRE_public_pre {
}
chain raw_PRE_public_log {
}
chain raw_PRE_public_deny {
}
chain raw_PRE_public_allow {
}
chain raw_PRE_public_post {
}
chain filter_IN_public {
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
tcp dport 22 ct state { new, untracked } accept
udp dport 60000-61000 ct state { new, untracked } accept
udp dport 5353 ct state { new, untracked } accept
}
chain filter_IN_public_post {
}
chain filter_FWDI_public {
jump filter_FWDI_public_pre
jump filter_FWDI_public_log
jump filter_FWDI_public_deny
jump filter_FWDI_public_allow
jump filter_FWDI_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_FWDI_public_pre {
}
chain filter_FWDI_public_log {
}
chain filter_FWDI_public_deny {
}
chain filter_FWDI_public_allow {
}
chain filter_FWDI_public_post {
}
chain mangle_PRE_public {
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_FWDO_public {
jump filter_FWDO_public_pre
jump filter_FWDO_public_log
jump filter_FWDO_public_deny
jump filter_FWDO_public_allow
jump filter_FWDO_public_post
}
chain filter_FWDO_public_pre {
}
chain filter_FWDO_public_log {
}
chain filter_FWDO_public_deny {
}
chain filter_FWDO_public_allow {
}
chain filter_FWDO_public_post {
}
}
table ip firewalld {
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_ZONES {
iifname "enp0s25" goto nat_PRE_public
iifname "exbr" goto nat_PRE_public
iifname "docker0" goto nat_PRE_public
iifname "virbr0" goto nat_PRE_libvirt
goto nat_PRE_public
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_ZONES {
oifname "enp0s25" goto nat_POST_public
oifname "exbr" goto nat_POST_public
oifname "docker0" goto nat_POST_public
oifname "virbr0" goto nat_POST_libvirt
goto nat_POST_public
}
chain nat_PRE_libvirt {
jump nat_PRE_libvirt_pre
jump nat_PRE_libvirt_log
jump nat_PRE_libvirt_deny
jump nat_PRE_libvirt_allow
jump nat_PRE_libvirt_post
}
chain nat_PRE_libvirt_pre {
}
chain nat_PRE_libvirt_log {
}
chain nat_PRE_libvirt_deny {
}
chain nat_PRE_libvirt_allow {
}
chain nat_PRE_libvirt_post {
}
chain nat_POST_libvirt {
jump nat_POST_libvirt_pre
jump nat_POST_libvirt_log
jump nat_POST_libvirt_deny
jump nat_POST_libvirt_allow
jump nat_POST_libvirt_post
}
chain nat_POST_libvirt_pre {
}
chain nat_POST_libvirt_log {
}
chain nat_POST_libvirt_deny {
}
chain nat_POST_libvirt_allow {
}
chain nat_POST_libvirt_post {
}
chain nat_PRE_public {
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
}
chain nat_PRE_public_post {
}
chain nat_POST_public {
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
}
chain nat_POST_public_post {
}
}
Sep 08 06:08:49 baldur kernel: TRACE: filter:DOCKER-ISOLATION-STAGE-1:return:2 IN=docker0 OUT=exbr PHYSIN=veth7880ce1 MAC=02:42:dd:21:67:40:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45314 DF PROTO=UDP SPT=45834 DPT=53 LEN=40
Sep 08 06:08:49 baldur kernel: TRACE: filter:FORWARD:rule:5 IN=docker0 OUT=exbr PHYSIN=veth7880ce1 MAC=02:42:dd:21:67:40:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45314 DF PROTO=UDP SPT=45834 DPT=53 LEN=40
Sep 08 06:08:49 baldur kernel: TRACE: mangle:POSTROUTING:policy:1 IN=docker0 OUT=exbr PHYSIN=veth7880ce1 MAC=02:42:dd:21:67:40:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45314 DF PROTO=UDP SPT=45834 DPT=53 LEN=40