# Generated by iptables-save v1.6.0 on Mon Jan 16 15:52:04 2017
#
# iptables-save snapshot of a host running OpenStack Neutron (openvswitch
# agent, hybrid bridge port 9908c160-43) alongside an lxd bridge (lxdbr0).
# Layout restored to one entry per line, which is what iptables-restore
# expects. The [pkts:bytes] counters are informational only.
#
# ---- nat ----------------------------------------------------------------
# Neutron hooks its own chains into PREROUTING/OUTPUT/POSTROUTING. In this
# snapshot the chain neutron-openvswi-snat only jumps to
# neutron-openvswi-float-snat, which holds no rules in this table, so no SNAT
# is actually performed here.
*nat
:PREROUTING ACCEPT [302:26190]
:INPUT ACCEPT [17:3811]
:OUTPUT ACCEPT [2780:264135]
:POSTROUTING ACCEPT [3065:286514]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-POSTROUTING - [0:0]
:neutron-openvswi-PREROUTING - [0:0]
:neutron-openvswi-float-snat - [0:0]
:neutron-openvswi-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A OUTPUT -j neutron-openvswi-OUTPUT
-A POSTROUTING -j neutron-openvswi-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-openvswi-snat -j neutron-openvswi-float-snat
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-openvswi-snat
COMMIT
# Completed on Mon Jan 16 15:52:04 2017
# Generated by iptables-save v1.6.0 on Mon Jan 16 15:52:04 2017
#
# ---- raw ----------------------------------------------------------------
# Both interfaces of port 9908c160-43 (qvb... and tap...) are assigned
# conntrack zone 3, so connection tracking state for this port is kept
# separate from other zones on the host.
*raw
:PREROUTING ACCEPT [9372:1691646]
:OUTPUT ACCEPT [10013:2227635]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-PREROUTING - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-openvswi-PREROUTING -m physdev --physdev-in qvb9908c160-43 -j CT --zone 3
-A neutron-openvswi-PREROUTING -m physdev --physdev-in tap9908c160-43 -j CT --zone 3
COMMIT
# Completed on Mon Jan 16 15:52:04 2017
# Generated by iptables-save v1.6.0 on Mon Jan 16 15:52:04 2017
#
# ---- mangle -------------------------------------------------------------
# Connection-mark handling for Neutron: the upper 16 bits of the conntrack
# mark are restored into the packet mark for already-marked connections, and
# saved from the packet mark for connections that do not carry one yet.
# neutron-openvswi-mark, -scope and -floatingip are declared but hold no
# rules in this snapshot.
*mangle
:PREROUTING ACCEPT [47488:155704673]
:INPUT ACCEPT [45398:155492017]
:FORWARD ACCEPT [2117:221512]
:OUTPUT ACCEPT [38592:7192524]
:POSTROUTING ACCEPT [40709:7414036]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-POSTROUTING - [0:0]
:neutron-openvswi-PREROUTING - [0:0]
:neutron-openvswi-float-snat - [0:0]
:neutron-openvswi-floatingip - [0:0]
:neutron-openvswi-mark - [0:0]
:neutron-openvswi-scope - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A INPUT -j neutron-openvswi-INPUT
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-openvswi-OUTPUT
-A POSTROUTING -j neutron-openvswi-POSTROUTING
# lxd-bridge: fill in UDP checksums on DHCP replies (dport 68) leaving via lxdbr0.
-A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment "managed by lxd-bridge" -j CHECKSUM --checksum-fill
-A neutron-openvswi-PREROUTING -j neutron-openvswi-mark
-A neutron-openvswi-PREROUTING -j neutron-openvswi-scope
# Connections whose ctmark upper 16 bits are non-zero get that value copied
# into the packet mark.
-A neutron-openvswi-PREROUTING -m connmark ! --mark 0x0/0xffff0000 -j CONNMARK --restore-mark --nfmask 0xffff0000 --ctmask 0xffff0000
-A neutron-openvswi-PREROUTING -j neutron-openvswi-floatingip
# Connections not yet marked get the packet mark saved into the ctmark.
-A neutron-openvswi-float-snat -m connmark --mark 0x0/0xffff0000 -j CONNMARK --save-mark --nfmask 0xffff0000 --ctmask 0xffff0000
COMMIT
# Completed on Mon Jan 16 15:52:04 2017
# Generated by iptables-save v1.6.0 on Mon Jan 16 15:52:04 2017
#
# ---- filter -------------------------------------------------------------
# Built-in policies are ACCEPT. Per-port enforcement comes from the Neutron
# security-group chains (sg-chain -> i/o per-port chains -> sg-fallback),
# not from the chain policies. neutron-openvswi-OUTPUT, -local and -scope are
# declared but hold no rules in this snapshot.
*filter
:INPUT ACCEPT [8954:1640702]
:FORWARD ACCEPT [424:52912]
:OUTPUT ACCEPT [10013:2227635]
:neutron-filter-top - [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-i9908c160-4 - [0:0]
:neutron-openvswi-local - [0:0]
:neutron-openvswi-o9908c160-4 - [0:0]
:neutron-openvswi-s9908c160-4 - [0:0]
:neutron-openvswi-scope - [0:0]
:neutron-openvswi-sg-chain - [0:0]
:neutron-openvswi-sg-fallback - [0:0]
-A INPUT -j neutron-openvswi-INPUT
# lxd-bridge: host-side DNS (53) and DHCP (67) listeners are reachable from lxdbr0.
-A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment "managed by lxd-bridge" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "managed by lxd-bridge" -j ACCEPT
-A INPUT -i lxdbr0 -p tcp -m tcp --dport 67 -m comment --comment "managed by lxd-bridge" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "managed by lxd-bridge" -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
# lxd-bridge: any forwarded traffic to or from lxdbr0 is accepted. These sit
# after the Neutron jumps, so they only see packets the Neutron chains
# returned without a verdict.
-A FORWARD -o lxdbr0 -m comment --comment "managed by lxd-bridge" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "managed by lxd-bridge" -j ACCEPT
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -j neutron-openvswi-scope
# Bridged traffic towards (physdev-out) or from (physdev-in) the port's tap
# goes through the security-group chain.
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap9908c160-43 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap9908c160-43 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
# Traffic from the VM addressed to the host itself is run through the same
# egress (o-) chain as forwarded traffic.
-A neutron-openvswi-INPUT -m physdev --physdev-in tap9908c160-43 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o9908c160-4
#
# Ingress to the VM (i-chain). A RETURN here lands on the unconditional
# ACCEPT at the end of sg-chain; anything not matched falls through to
# sg-fallback and is dropped.
-A neutron-openvswi-i9908c160-4 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
# DHCP server replies (sport 67 -> dport 68) are only allowed from 192.168.21.2.
-A neutron-openvswi-i9908c160-4 -s 192.168.21.2/32 -p udp -m udp --sport 67 -m udp --dport 68 -j RETURN
# New inbound connections are allowed only from sources in this ipset.
# NOTE(review): the set name ends in '-' and looks truncated; confirm the set
# exists under exactly this name on the host, since a missing set makes the
# rule (and the restore) fail.
-A neutron-openvswi-i9908c160-4 -m set --match-set NIPv43aa8de8c-386a-42d7-a12a- src -j RETURN
-A neutron-openvswi-i9908c160-4 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-i9908c160-4 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
#
# Egress from the VM (o-chain). Order matters: DHCP client traffic is allowed
# before the anti-spoof check (a client has no IP yet), then the s-chain
# enforces the IP/MAC pair, then DHCP server traffic from the VM is dropped.
-A neutron-openvswi-o9908c160-4 -p udp -m udp --sport 68 -m udp --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-o9908c160-4 -j neutron-openvswi-s9908c160-4
-A neutron-openvswi-o9908c160-4 -p udp -m udp --sport 67 -m udp --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-openvswi-o9908c160-4 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
# Unconditional RETURN: all remaining egress from this port is allowed. The
# INVALID drop and the fallback jump that follow are therefore unreachable
# for this port; egress control here is effectively the anti-spoof chain
# plus the DHCP-server drop above.
-A neutron-openvswi-o9908c160-4 -j RETURN
-A neutron-openvswi-o9908c160-4 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-o9908c160-4 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
#
# Anti-spoof (s-chain): egress must carry the port's fixed IP and MAC;
# anything else is dropped before it reaches the allow-all RETURN above.
-A neutron-openvswi-s9908c160-4 -s 192.168.21.9/32 -m mac --mac-source FA:16:3E:90:6C:67 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s9908c160-4 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
#
# Dispatch to the per-port chains, then ACCEPT whatever RETURNed from them.
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap9908c160-43 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i9908c160-4
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap9908c160-43 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-o9908c160-4
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
COMMIT
# Completed on Mon Jan 16 15:52:04 2017