ERROR: got unexpected token: <EOF> #8

Open
tekumara opened this issue Feb 6, 2022 · 2 comments
Labels
bug Something isn't working

tekumara commented Feb 6, 2022

iptables -v -L > iptables.txt
awk -f iptables-vis.awk < iptables.txt > iptables.dia
blockdiag3 iptables.dia -T svg -o iptables.svg
ERROR: got unexpected token: <EOF>

iptables.txt:

Chain INPUT (policy ACCEPT 588 packets, 226K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1792  515K KUBE-ROUTER-INPUT  all  --  any    any     anywhere             anywhere             /* kube-router netpol - 4IA2OSFRMVNDXBVV */
  588  226K KUBE-NODEPORTS  all  --  any    any     anywhere             anywhere             /* kubernetes health check service ports */
  123 16578 KUBE-EXTERNAL-SERVICES  all  --  any    any     anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */
  588  226K KUBE-FIREWALL  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  635  206K KUBE-ROUTER-FORWARD  all  --  any    any     anywhere             anywhere             /* kube-router netpol - TEMCG2JMHZYE7H7T */
    0     0 KUBE-FORWARD  all  --  any    any     anywhere             anywhere             /* kubernetes forwarding rules */
    0     0 KUBE-SERVICES  all  --  any    any     anywhere             anywhere             ctstate NEW /* kubernetes service portals */
    0     0 KUBE-EXTERNAL-SERVICES  all  --  any    any     anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */
    0     0 ACCEPT     all  --  any    any     ip-10-42-0-0.ec2.internal/16  anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             ip-10-42-0-0.ec2.internal/16 

Chain OUTPUT (policy ACCEPT 652 packets, 172K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2011  343K KUBE-ROUTER-OUTPUT  all  --  any    any     anywhere             anywhere             /* kube-router netpol - VEAAIY32XVBHCSCY */
  127 24622 KUBE-SERVICES  all  --  any    any     anywhere             anywhere             ctstate NEW /* kubernetes service portals */
  652  172K KUBE-FIREWALL  all  --  any    any     anywhere             anywhere            

Chain KUBE-EXTERNAL-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-FIREWALL (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
    0     0 DROP       all  --  any    any    !ip-127-0-0-0.ec2.internal/8  ip-127-0-0-0.ec2.internal/8  /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             /* kubernetes forwarding rules */ mark match 0x4000/0x4000
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             /* kubernetes forwarding conntrack rule */ ctstate RELATED,ESTABLISHED

Chain KUBE-KUBELET-CANARY (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-NODEPORTS (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-NWPLCY-DEFAULT (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             /* rule to mark traffic matching a network policy */ MARK or 0x10000

Chain KUBE-POD-FW-L3CCKNL42X3PDDA3 (7 references)
 pkts bytes target     prot opt in     out     source               destination         
 3073  658K ACCEPT     all  --  any    any     anywhere             anywhere             /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
   87  5220 ACCEPT     all  --  any    any     anywhere             ip-10-42-2-2.ec2.internal  /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
    0     0 KUBE-NWPLCY-DEFAULT  all  --  any    any     ip-10-42-2-2.ec2.internal  anywhere             /* run through default egress network policy  chain */
    0     0 KUBE-NWPLCY-DEFAULT  all  --  any    any     anywhere             ip-10-42-2-2.ec2.internal  /* run through default ingress network policy  chain */
    0     0 NFLOG      all  --  any    any     anywhere             anywhere             /* rule to log dropped traffic POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
    0     0 REJECT     all  --  any    any     anywhere             anywhere             /* rule to REJECT traffic destined for POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK and 0xfffeffff
    0     0 MARK       all  --  any    any     anywhere             anywhere             /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-POD-FW-OIM3DLDDVNYGTNCC (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    any     anywhere             ip-10-42-2-4.ec2.internal  /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
    0     0 KUBE-NWPLCY-DEFAULT  all  --  any    any     ip-10-42-2-4.ec2.internal  anywhere             /* run through default egress network policy  chain */
    0     0 KUBE-NWPLCY-DEFAULT  all  --  any    any     anywhere             ip-10-42-2-4.ec2.internal  /* run through default ingress network policy  chain */
    0     0 NFLOG      all  --  any    any     anywhere             anywhere             /* rule to log dropped traffic POD name:svclb-traefik-8fjlg namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
    0     0 REJECT     all  --  any    any     anywhere             anywhere             /* rule to REJECT traffic destined for POD name:svclb-traefik-8fjlg namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK and 0xfffeffff
    0     0 MARK       all  --  any    any     anywhere             anywhere             /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-POD-FW-PCWK32JIKVMMAWJH (7 references)
 pkts bytes target     prot opt in     out     source               destination         
   38  3845 ACCEPT     all  --  any    any     anywhere             anywhere             /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    any     anywhere             ip-10-42-2-3.ec2.internal  /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
    0     0 KUBE-NWPLCY-DEFAULT  all  --  any    any     ip-10-42-2-3.ec2.internal  anywhere             /* run through default egress network policy  chain */
    0     0 KUBE-NWPLCY-DEFAULT  all  --  any    any     anywhere             ip-10-42-2-3.ec2.internal  /* run through default ingress network policy  chain */
    0     0 NFLOG      all  --  any    any     anywhere             anywhere             /* rule to log dropped traffic POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
    0     0 REJECT     all  --  any    any     anywhere             anywhere             /* rule to REJECT traffic destined for POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK and 0xfffeffff
    0     0 MARK       all  --  any    any     anywhere             anywhere             /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-PROXY-CANARY (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-ROUTER-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     ip-10-42-2-4.ec2.internal  anywhere             PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     ip-10-42-2-4.ec2.internal  anywhere             /* rule to jump traffic from POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     anywhere             ip-10-42-2-4.ec2.internal  PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     anywhere             ip-10-42-2-4.ec2.internal  /* rule to jump traffic destined to POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     ip-10-42-2-3.ec2.internal  anywhere             PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
   19  2467 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     ip-10-42-2-3.ec2.internal  anywhere             /* rule to jump traffic from POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
    0     0 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     anywhere             ip-10-42-2-3.ec2.internal  PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
   19  1378 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     anywhere             ip-10-42-2-3.ec2.internal  /* rule to jump traffic destined to POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
    0     0 KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     ip-10-42-2-2.ec2.internal  anywhere             PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
  300 54101 KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     ip-10-42-2-2.ec2.internal  anywhere             /* rule to jump traffic from POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
    0     0 KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     anywhere             ip-10-42-2-2.ec2.internal  PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
  297  148K KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     anywhere             ip-10-42-2-2.ec2.internal  /* rule to jump traffic destined to POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain KUBE-ROUTER-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     ip-10-42-2-4.ec2.internal  anywhere             /* rule to jump traffic from POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     ip-10-42-2-3.ec2.internal  anywhere             /* rule to jump traffic from POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
 1204  289K KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     ip-10-42-2-2.ec2.internal  anywhere             /* rule to jump traffic from POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
    0     0 RETURN     all  --  any    any     anywhere             ip-10-43-0-0.ec2.internal/16  /* allow traffic to cluster IP - M66LPN4N3KB5HTJR */
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             /* allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
    0     0 RETURN     udp  --  any    any     anywhere             anywhere             /* allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain KUBE-ROUTER-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     ip-10-42-2-4.ec2.internal  anywhere             /* rule to jump traffic from POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     anywhere             ip-10-42-2-4.ec2.internal  /* rule to jump traffic destined to POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     ip-10-42-2-3.ec2.internal  anywhere             /* rule to jump traffic from POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
    0     0 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     anywhere             ip-10-42-2-3.ec2.internal  /* rule to jump traffic destined to POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
    0     0 KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     ip-10-42-2-2.ec2.internal  anywhere             /* rule to jump traffic from POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
 1359  171K KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     anywhere             ip-10-42-2-2.ec2.internal  /* rule to jump traffic destined to POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain KUBE-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Nudin added the bug label Nov 9, 2022

@alan-wint

It seems to be failing on the blank lines between chains. Removing them allowed awk -f iptables-vis.awk < iptables.txt > iptables.dia to succeed.

Owner

Nudin commented Mar 3, 2023

I cannot reproduce this with the content you posted. 🤔
