Sterling Greene <******@****.***> 1700166003 -0500

    public void addChain(final AuthenticationChain chain) {
        chains = ArrayUtils.addAll(chains, chain);
    }

    protected StreamOf<AuthenticationChain> chains() {
        return stream(chains);
    }

	// Flush and delete the istio chains from NAT table.
	chains := []string{constants.ISTIOOUTPUT, constants.ISTIOINBOUND}
	flushAndDeleteChains(ext, iptV, constants.NAT, chains)
	// Flush and delete the istio chains from MANGLE table.
	chains = []string{constants.ISTIOINBOUND, constants.ISTIODIVERT, constants.ISTIOTPROXY}
	flushAndDeleteChains(ext, iptV, constants.MANGLE, chains)

	if cfg.InboundInterceptionMode == constants.TPROXY {

	if c, _ := f.Dump.GetChain(table, chain); c != nil {
		c.Rules = nil
	}
	return nil
}

// DeleteChain is part of iptables.Interface
func (f *FakeIPTables) DeleteChain(table iptables.Table, chain iptables.Chain) error {
	t, err := f.Dump.GetTable(table)
	if err != nil {
		return err
	}
	for i := range t.Chains {
		if t.Chains[i].Name == chain {

upgradeNotes:
  - title: PeerAuthentication per-port-level configuration will now also apply to pass through filter chains.
    content: |
      Previously the PeerAuthentication per-port-level configuration is ignored if the port number is not defined in a
      service and the traffic will be handled by a pass through filter chain. Now the per-port-level setting will be

		}
		// Build the actual chain
		chains := lb.inboundChainForOpts(cc, mtls, opts)

		if cc.bindToPort {
			// If this config is for bindToPort, we want to actually create a real Listener.
			listeners = append(listeners, lb.inboundCustomListener(cc, chains))
		} else {
			// Otherwise, just append the filter chain to the virtual inbound chains.

		return nil, fmt.Errorf("unsupported auth type: %q", authType)
	}

	tlsInfo := peer.AuthInfo.(credentials.TLSInfo)
	chains := tlsInfo.State.VerifiedChains
	if len(chains) == 0 || len(chains[0]) == 0 {
		return nil, fmt.Errorf("no verified chain is found")
	}

	ids, err := util.ExtractIDs(chains[0][0].Extensions)
	if err != nil {
		return nil, err
	}

	return &security.Caller{

// not match. This means an empty match (`{}`) may not match if another chain
// matches one criteria but not another.
func (sim *Simulation) matchFilterChain(chains []*listener.FilterChain, defaultChain *listener.FilterChain,
	input Call, hasTLSInspector bool,
) (*listener.FilterChain, error) {
	chains = filter("DestinationPort", chains, func(fc *listener.FilterChainMatch) bool {
		return fc.GetDestinationPort() == nil

	expected := sets.New(
		ChainPrerouting,
		Chain("INPUT"),
		Chain("OUTPUT"),
		ChainPostrouting,
		Chain("DOCKER"),
		Chain("KUBE-NODEPORT-CONTAINER"),
		Chain("KUBE-NODEPORT-HOST"),
		Chain("KUBE-PORTALS-CONTAINER"),
		Chain("KUBE-PORTALS-HOST"),
		Chain("KUBE-SVC-1111111111111111"),
		Chain("KUBE-SVC-2222222222222222"),
		Chain("KUBE-SVC-3333333333333333"),
		Chain("KUBE-SVC-4444444444444444"),

	chain, topErr := verifyChain(c, topCtx, opts)
	if topErr == nil {
		chains = append(chains, chain)
	}

	if lqCtxCount := topCtx.LowerQualityChainCount; lqCtxCount > 0 {
		lqCtxs := unsafe.Slice(topCtx.LowerQualityChains, lqCtxCount)
		for _, ctx := range lqCtxs {
			chain, err := verifyChain(c, ctx, opts)
			if err == nil {
				chains = append(chains, chain)
			}
		}
	}