@spikecurtis
Created July 14, 2015 00:47
iptables-save for profile sjc
sjc@sjc-dev:~/repos/calico-docker/dist$ ./calicoctl profile sjc rule show
Inbound rules:
1 allow
Outbound rules:
1 allow
sjc@sjc-dev:~/repos/calico-docker/dist$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Mon Jul 13 17:43:35 2015
# nat table: Docker's port-publishing / masquerade hooks plus a felix hook chain.
*nat
# Built-in chains with their policies; the bracketed values are packet:byte counters.
:PREROUTING ACCEPT [5:420]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [77:4660]
:POSTROUTING ACCEPT [77:4660]
# Docker's DNAT chain; it holds no rules in this snapshot.
:DOCKER - [0:0]
# Declared by felix but empty here, so the jump into it below is currently a no-op.
:felix-PREROUTING - [0:0]
-A PREROUTING -j felix-PREROUTING
# Docker: packets addressed to a local address are offered to the DOCKER chain
# (from the network in PREROUTING, from local processes in OUTPUT, loopback excluded).
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# Docker: SNAT traffic from the docker0 bridge subnet that leaves via any other interface.
# Only 172.17.0.0/16 is masqueraded; the Calico workload addresses seen in the filter
# table (192.168.100.x) are not covered by this rule.
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 13 17:43:35 2015
# Generated by iptables-save v1.4.21 on Mon Jul 13 17:43:35 2015
# filter table: Docker bridge forwarding plus Calico/felix per-endpoint policy.
# Policy model visible in this dump: each felix-from-*/felix-to-* chain clears the
# packet mark, runs the profile chain(s), and treats a still-clear mark as "accepted".
*filter
# Built-in chains; note all three policies are ACCEPT, so anything that RETURNs out of
# the felix chains without being dropped is ultimately accepted.
:INPUT ACCEPT [590:33047]
:FORWARD ACCEPT [134:11256]
:OUTPUT ACCEPT [599:33876]
# Docker's chain; no rules in it in this snapshot.
:DOCKER - [0:0]
# felix top-level hooks and per-direction dispatch chains.
:felix-FORWARD - [0:0]
:felix-FROM-ENDPOINT - [0:0]
:felix-INPUT - [0:0]
:felix-TO-ENDPOINT - [0:0]
# One from-/to- chain per workload endpoint, named after its cali* interface.
:felix-from-13c19ef229b - [0:0]
:felix-from-2eda3af029b - [0:0]
# Profile "sjc": -i = inbound (towards the endpoint), -o = outbound (from the endpoint).
:felix-p-sjc-i - [0:0]
:felix-p-sjc-o - [0:0]
:felix-to-13c19ef229b - [0:0]
:felix-to-2eda3af029b - [0:0]
-A INPUT -j felix-INPUT
-A FORWARD -j felix-FORWARD
# Docker bridge (docker0) forwarding; these do not touch the cali* workload interfaces.
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# felix-FORWARD: conntrack handling for workload traffic, then per-direction policy.
-A felix-FORWARD -i cali+ -m conntrack --ctstate INVALID -j DROP
-A felix-FORWARD -o cali+ -m conntrack --ctstate INVALID -j DROP
# Established/related flows skip policy: RETURN to FORWARD, which continues with the
# docker0 rules above and otherwise ends in its ACCEPT policy.
-A felix-FORWARD -i cali+ -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A felix-FORWARD -o cali+ -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
# New flows: a packet that comes back from the dispatch chains is ACCEPTed by the two
# trailing rules, so the only DROP opportunities are inside the felix-from-*/felix-to-* chains.
-A felix-FORWARD -i cali+ -j felix-FROM-ENDPOINT
-A felix-FORWARD -o cali+ -j felix-TO-ENDPOINT
-A felix-FORWARD -i cali+ -j ACCEPT
-A felix-FORWARD -o cali+ -j ACCEPT
# Dispatch on the incoming interface. -g (goto) rather than -j means a RETURN from the
# endpoint chain goes back to felix-FORWARD, not here, so the trailing DROP is reached
# only by cali* interfaces that have no endpoint chain of their own.
-A felix-FROM-ENDPOINT -i cali13c19ef229b -g felix-from-13c19ef229b
-A felix-FROM-ENDPOINT -i cali2eda3af029b -g felix-from-2eda3af029b
-A felix-FROM-ENDPOINT -j DROP
# felix-INPUT: traffic destined for the host itself.
# IP-in-IP ("ipencap") is accepted only from sources in the felix-calico-hosts-4 ipset.
-A felix-INPUT -p ipencap -m set ! --match-set felix-calico-hosts-4 src -j DROP
# Traffic not arriving from a workload interface is left to the host's own INPUT rules/policy.
-A felix-INPUT ! -i cali+ -j RETURN
-A felix-INPUT -m conntrack --ctstate INVALID -j DROP
-A felix-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Workload -> host: only DHCP (client port 68 -> server port 67) and UDP DNS are allowed.
# NOTE(review): TCP/53 is not matched and falls through to the DROP; confirm that is intended.
-A felix-INPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A felix-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A felix-INPUT -j DROP
# Same dispatch pattern as felix-FROM-ENDPOINT, keyed on the outgoing interface.
-A felix-TO-ENDPOINT -o cali13c19ef229b -g felix-to-13c19ef229b
-A felix-TO-ENDPOINT -o cali2eda3af029b -g felix-to-2eda3af029b
-A felix-TO-ENDPOINT -j DROP
# Outbound from endpoint 13c19ef229b: clear the whole mark, then run the outbound profile
# only for packets carrying this endpoint's own IP and MAC (a source-address check).
-A felix-from-13c19ef229b -j MARK --set-xmark 0x0/0xffffffff
-A felix-from-13c19ef229b -s 192.168.100.1/32 -m mac --mac-source FE:A7:95:79:C6:24 -j felix-p-sjc-o
# NOTE(review): a packet that fails the IP/MAC match above never enters a profile chain,
# so its mark is still 0x0 and this rule RETURNs it as "accepted" (felix-FORWARD then
# ACCEPTs it). Confirm whether packets with a non-matching source are meant to pass
# or to reach the DROP below. The DROP itself is reachable only if a profile chain set
# bit 0x1, which profile sjc never does in this snapshot.
-A felix-from-13c19ef229b -m mark ! --mark 0x1/0x1 -m comment --comment "No mark means profile accepted packet" -j RETURN
-A felix-from-13c19ef229b -m comment --comment "Default DROP if no match (endpoint 13c19ef229b611e5947908002737b14f):" -j DROP
# Endpoint 2eda3af029b: same structure as the chain above (same review note applies).
-A felix-from-2eda3af029b -j MARK --set-xmark 0x0/0xffffffff
-A felix-from-2eda3af029b -s 192.168.100.2/32 -m mac --mac-source F6:FF:BB:00:99:EF -j felix-p-sjc-o
-A felix-from-2eda3af029b -m mark ! --mark 0x1/0x1 -m comment --comment "No mark means profile accepted packet" -j RETURN
-A felix-from-2eda3af029b -m comment --comment "Default DROP if no match (endpoint 2eda3af029b611e5947908002737b14f):" -j DROP
# Profile sjc, inbound: the profile's single "allow" rule is an unconditional RETURN,
# so the "Mark as not matched" rule after it is unreachable in this snapshot.
-A felix-p-sjc-i -j RETURN
-A felix-p-sjc-i -m comment --comment "Mark as not matched" -j MARK --set-xmark 0x1/0xffffffff
# Profile sjc, outbound: same shape, same unreachable second rule.
-A felix-p-sjc-o -j RETURN
-A felix-p-sjc-o -m comment --comment "Mark as not matched" -j MARK --set-xmark 0x1/0xffffffff
# Inbound to endpoint 13c19ef229b: clear the mark, run the inbound profile unconditionally,
# RETURN (accept) while bit 0x1 is still clear, otherwise DROP.
-A felix-to-13c19ef229b -j MARK --set-xmark 0x0/0xffffffff
-A felix-to-13c19ef229b -j felix-p-sjc-i
-A felix-to-13c19ef229b -m mark ! --mark 0x1/0x1 -m comment --comment "No mark means profile accepted packet" -j RETURN
-A felix-to-13c19ef229b -m comment --comment "Endpoint 13c19ef229b611e5947908002737b14f:" -j DROP
# Inbound to endpoint 2eda3af029b: identical to the chain above.
-A felix-to-2eda3af029b -j MARK --set-xmark 0x0/0xffffffff
-A felix-to-2eda3af029b -j felix-p-sjc-i
-A felix-to-2eda3af029b -m mark ! --mark 0x1/0x1 -m comment --comment "No mark means profile accepted packet" -j RETURN
-A felix-to-2eda3af029b -m comment --comment "Endpoint 2eda3af029b611e5947908002737b14f:" -j DROP
COMMIT
# Completed on Mon Jul 13 17:43:35 2015