# iptables-save dump of one host, reflowed to one rule per line (the capture had collapsed it).
# It holds four tables: mangle, raw, nat and filter.
# Chains prefixed "neutron-linuxbri-" and "DOCKER" sit side by side in this ruleset.
# Rule order is significant inside every chain, so the rules are kept in dump order.
# Counters in [packets:bytes] are as captured.

# Generated by iptables-save v1.8.4 on Sat May 20 21:37:44 2023
*mangle
:PREROUTING ACCEPT [19967620:44620266490]
:INPUT ACCEPT [10643523:40881713639]
:FORWARD ACCEPT [9150984:3736347051]
:OUTPUT ACCEPT [11021494:88702484245]
:POSTROUTING ACCEPT [20101074:92430322053]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-INPUT - [0:0]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-POSTROUTING - [0:0]
:neutron-linuxbri-PREROUTING - [0:0]
:neutron-linuxbri-mark - [0:0]
# Each built-in chain only hands off to its neutron wrapper chain.
# The wrapper chains and neutron-linuxbri-mark hold no marking rules in this dump.
-A PREROUTING -j neutron-linuxbri-PREROUTING
-A INPUT -j neutron-linuxbri-INPUT
-A FORWARD -j neutron-linuxbri-FORWARD
-A OUTPUT -j neutron-linuxbri-OUTPUT
-A POSTROUTING -j neutron-linuxbri-POSTROUTING
-A neutron-linuxbri-PREROUTING -j neutron-linuxbri-mark
COMMIT
# Completed on Sat May 20 21:37:44 2023

# Generated by iptables-save v1.8.4 on Sat May 20 21:37:44 2023
*raw
:PREROUTING ACCEPT [10179:226651643]
:OUTPUT ACCEPT [12510:5399903]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-PREROUTING - [0:0]
-A PREROUTING -j neutron-linuxbri-PREROUTING
-A OUTPUT -j neutron-linuxbri-OUTPUT
# Per-port conntrack setup. Each port gets three rules: bridge as physdev-in, bridge as -i, tap as physdev-in.
# Ports 76a0ad0-20, 841aea6-02 and 8efa1f6-58 are assigned conntrack zones 4099, 4106 and 4098.
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
-A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap076a0ad0-20 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
# Port 2a2d12d-0e is exempted from connection tracking (--notrack) instead of being given a zone.
# NOTE(review): the zone-4099 rules above and the --notrack rules below both match traffic
# arriving via bridge brq959cb64a-b4. Which CT action applies to that bridge-level traffic
# depends on rule order and CT target semantics; confirm on the host.
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Make 2a2d12d-0e stateless" -j CT --notrack
-A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Make 2a2d12d-0e stateless" -j CT --notrack
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap12a2d12d-0e -m comment --comment "Make 2a2d12d-0e stateless" -j CT --notrack
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in brqff8444eb-9b -m comment --comment "Set zone for 841aea6-02" -j CT --zone 4106
-A neutron-linuxbri-PREROUTING -i brqff8444eb-9b -m comment --comment "Set zone for 841aea6-02" -j CT --zone 4106
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in tapa841aea6-02 -m comment --comment "Set zone for 841aea6-02" -j CT --zone 4106
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in brqc84bc384-41 -m comment --comment "Set zone for 8efa1f6-58" -j CT --zone 4098
-A neutron-linuxbri-PREROUTING -i brqc84bc384-41 -m comment --comment "Set zone for 8efa1f6-58" -j CT --zone 4098
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in tapd8efa1f6-58 -m comment --comment "Set zone for 8efa1f6-58" -j CT --zone 4098
COMMIT
# Completed on Sat May 20 21:37:44 2023

# Generated by iptables-save v1.8.4 on Sat May 20 21:37:44 2023
*nat
:PREROUTING ACCEPT [847348:114237129]
:INPUT ACCEPT [4593:857526]
:OUTPUT ACCEPT [201499:12989193]
:POSTROUTING ACCEPT [836840:115936767]
:DOCKER - [0:0]
# Locally-destined traffic is passed through the DOCKER chain.
# That chain holds no DNAT rule in this dump, only the docker0 RETURN below.
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# Source-NAT for 172.17.0.0/16 when the packet leaves through any interface other than docker0.
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sat May 20 21:37:44 2023

# Generated by iptables-save v1.8.4 on Sat May 20 21:37:44 2023
*filter
# INPUT and OUTPUT default to ACCEPT; FORWARD defaults to DROP.
# The only INPUT rule jumps to neutron-linuxbri-INPUT, which matches bridged tap traffic only.
# Nothing in this dump restricts traffic addressed to the host itself.
# NOTE(review): confirm host-level filtering is enforced elsewhere.
:INPUT ACCEPT [10130:226649177]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12511:5400294]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:neutron-filter-top - [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-INPUT - [0:0]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-i076a0ad0-2 - [0:0]
:neutron-linuxbri-i12a2d12d-0 - [0:0]
:neutron-linuxbri-ia841aea6-0 - [0:0]
:neutron-linuxbri-id8efa1f6-5 - [0:0]
:neutron-linuxbri-local - [0:0]
:neutron-linuxbri-o076a0ad0-2 - [0:0]
:neutron-linuxbri-o12a2d12d-0 - [0:0]
:neutron-linuxbri-oa841aea6-0 - [0:0]
:neutron-linuxbri-od8efa1f6-5 - [0:0]
:neutron-linuxbri-s076a0ad0-2 - [0:0]
:neutron-linuxbri-s12a2d12d-0 - [0:0]
:neutron-linuxbri-sa841aea6-0 - [0:0]
:neutron-linuxbri-sd8efa1f6-5 - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
-A INPUT -j neutron-linuxbri-INPUT
# FORWARD evaluates the neutron chains first, then DOCKER-USER and Docker isolation, then the docker0 rules.
# A packet accepted inside neutron-linuxbri-FORWARD never reaches DOCKER-USER.
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-linuxbri-FORWARD
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-linuxbri-OUTPUT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
# DOCKER-USER holds no operator rules here; it returns immediately.
-A DOCKER-USER -j RETURN
-A neutron-filter-top -j neutron-linuxbri-local
# Bridged traffic to or from the four security-group-managed tap devices goes to neutron-linuxbri-sg-chain.
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap076a0ad0-20 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap076a0ad0-20 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap12a2d12d-0e --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap12a2d12d-0e --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tapa841aea6-02 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tapa841aea6-02 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tapd8efa1f6-58 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tapd8efa1f6-58 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
# Trusted ports tap2b07717a-b5 and tapac1c7015-ac are accepted in both directions with no per-port rules.
# NOTE(review): confirm these are infrastructure ports that are meant to bypass security groups.
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap2b07717a-b5 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap2b07717a-b5 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tapac1c7015-ac --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tapac1c7015-ac --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
# Traffic from a VM tap that reaches INPUT goes through that port's egress (o*) chain.
-A neutron-linuxbri-INPUT -m physdev --physdev-in tap076a0ad0-20 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-linuxbri-o076a0ad0-2
-A neutron-linuxbri-INPUT -m physdev --physdev-in tap12a2d12d-0e --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-linuxbri-o12a2d12d-0
-A neutron-linuxbri-INPUT -m physdev --physdev-in tapa841aea6-02 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-linuxbri-oa841aea6-0
-A neutron-linuxbri-INPUT -m physdev --physdev-in tapd8efa1f6-58 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-linuxbri-od8efa1f6-5
# Ingress (i*) chains hold the rules for traffic delivered to a VM.
# RETURN means "allowed": control goes back to neutron-linuxbri-sg-chain, which ends in ACCEPT.
# Port 076a0ad0-2: every TCP, ICMP and UDP packet from any source is allowed.
# The ipset rule, the INVALID drop and the fallback therefore only see other protocols.
-A neutron-linuxbri-i076a0ad0-2 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-i076a0ad0-2 -d 172.26.9.97/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-i076a0ad0-2 -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-i076a0ad0-2 -p tcp -j RETURN
-A neutron-linuxbri-i076a0ad0-2 -p icmp -j RETURN
-A neutron-linuxbri-i076a0ad0-2 -p udp -j RETURN
-A neutron-linuxbri-i076a0ad0-2 -m set --match-set NIPv41baae057-3f91-4125-95f2- src -j RETURN
-A neutron-linuxbri-i076a0ad0-2 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-linuxbri-i076a0ad0-2 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
# Port 12a2d12d-0: ingress is limited to DHCP replies, TCP/22, TCP/80 and ICMP.
# This is the port set to --notrack in the raw table.
# NOTE(review): untracked packets are not expected to match the RELATED,ESTABLISHED or INVALID
# state rules, so the explicit protocol rules would be what decides; confirm.
-A neutron-linuxbri-i12a2d12d-0 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-i12a2d12d-0 -d 172.26.9.95/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-i12a2d12d-0 -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-i12a2d12d-0 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-linuxbri-i12a2d12d-0 -p icmp -j RETURN
-A neutron-linuxbri-i12a2d12d-0 -p tcp -m tcp --dport 80 -j RETURN
-A neutron-linuxbri-i12a2d12d-0 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-linuxbri-i12a2d12d-0 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
# Port a841aea6-0: ipset members, then all TCP, UDP and ICMP from any source, are allowed.
-A neutron-linuxbri-ia841aea6-0 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-ia841aea6-0 -d 172.16.1.18/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-ia841aea6-0 -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-ia841aea6-0 -m set --match-set NIPv4399b03ef-4d78-4419-b9be- src -j RETURN
-A neutron-linuxbri-ia841aea6-0 -p tcp -j RETURN
-A neutron-linuxbri-ia841aea6-0 -p udp -j RETURN
-A neutron-linuxbri-ia841aea6-0 -p icmp -j RETURN
-A neutron-linuxbri-ia841aea6-0 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-linuxbri-ia841aea6-0 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
# Port d8efa1f6-5: all TCP, ICMP and UDP from any source is allowed.
# It references the same ipset name as port 076a0ad0-2.
-A neutron-linuxbri-id8efa1f6-5 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-id8efa1f6-5 -d 10.10.116.16/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-id8efa1f6-5 -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-id8efa1f6-5 -p tcp -j RETURN
-A neutron-linuxbri-id8efa1f6-5 -p icmp -j RETURN
-A neutron-linuxbri-id8efa1f6-5 -p udp -j RETURN
-A neutron-linuxbri-id8efa1f6-5 -m set --match-set NIPv41baae057-3f91-4125-95f2- src -j RETURN
-A neutron-linuxbri-id8efa1f6-5 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-linuxbri-id8efa1f6-5 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
# Egress (o*) chains hold the rules for traffic sent by a VM. Each one runs in this order:
#   1. allow the initial DHCP request from 0.0.0.0 to broadcast;
#   2. jump to the port's s* chain (IP/MAC anti-spoofing);
#   3. allow DHCP client traffic and drop DHCP server replies coming from the VM;
#   4. an unconditional "-j RETURN" that allows all remaining egress.
# Because of step 4, the INVALID drop and the fallback jump after it are never reached in any o* chain.
-A neutron-linuxbri-o076a0ad0-2 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-o076a0ad0-2 -j neutron-linuxbri-s076a0ad0-2
-A neutron-linuxbri-o076a0ad0-2 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-o076a0ad0-2 -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-linuxbri-o076a0ad0-2 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-o076a0ad0-2 -j RETURN
-A neutron-linuxbri-o076a0ad0-2 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-linuxbri-o076a0ad0-2 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
# Port 12a2d12d-0 also carries an explicit ICMP allow ahead of the unconditional RETURN.
-A neutron-linuxbri-o12a2d12d-0 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-o12a2d12d-0 -j neutron-linuxbri-s12a2d12d-0
-A neutron-linuxbri-o12a2d12d-0 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-o12a2d12d-0 -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-linuxbri-o12a2d12d-0 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-o12a2d12d-0 -p icmp -j RETURN
-A neutron-linuxbri-o12a2d12d-0 -j RETURN
-A neutron-linuxbri-o12a2d12d-0 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-linuxbri-o12a2d12d-0 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-oa841aea6-0 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-oa841aea6-0 -j neutron-linuxbri-sa841aea6-0
-A neutron-linuxbri-oa841aea6-0 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-oa841aea6-0 -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-linuxbri-oa841aea6-0 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-oa841aea6-0 -j RETURN
-A neutron-linuxbri-oa841aea6-0 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-linuxbri-oa841aea6-0 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-od8efa1f6-5 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-od8efa1f6-5 -j neutron-linuxbri-sd8efa1f6-5
-A neutron-linuxbri-od8efa1f6-5 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-od8efa1f6-5 -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-linuxbri-od8efa1f6-5 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-od8efa1f6-5 -j RETURN
-A neutron-linuxbri-od8efa1f6-5 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-linuxbri-od8efa1f6-5 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
# Source-validation (s*) chains: only the port's single IP/MAC pair may send; anything else is dropped.
-A neutron-linuxbri-s076a0ad0-2 -s 172.26.9.97/32 -m mac --mac-source FA:16:3E:C0:30:06 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-linuxbri-s076a0ad0-2 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-linuxbri-s12a2d12d-0 -s 172.26.9.95/32 -m mac --mac-source FA:16:3E:96:44:0E -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-linuxbri-s12a2d12d-0 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-linuxbri-sa841aea6-0 -s 172.16.1.18/32 -m mac --mac-source FA:16:3E:69:52:13 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-linuxbri-sa841aea6-0 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-linuxbri-sd8efa1f6-5 -s 10.10.116.16/32 -m mac --mac-source FA:16:3E:BD:EE:51 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-linuxbri-sd8efa1f6-5 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
# Dispatcher: physdev-out on a tap selects the port's ingress (i*) chain, physdev-in its egress (o*) chain.
# Whatever returns from a per-port chain is accepted by the final rule.
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap076a0ad0-20 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-i076a0ad0-2
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap076a0ad0-20 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-o076a0ad0-2
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap12a2d12d-0e --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-i12a2d12d-0
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap12a2d12d-0e --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-o12a2d12d-0
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tapa841aea6-02 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-ia841aea6-0
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tapa841aea6-02 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-oa841aea6-0
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tapd8efa1f6-58 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-id8efa1f6-5
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tapd8efa1f6-58 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-od8efa1f6-5
-A neutron-linuxbri-sg-chain -j ACCEPT
# Final drop for traffic that no per-port rule matched.
-A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
COMMIT
# Completed on Sat May 20 21:37:44 2023