### ### os-pike-controller ### --- Knobs ----------------------------------------------------------------------------- /proc/sys/net/bridge/bridge-nf-call-arptables 0 /proc/sys/net/bridge/bridge-nf-call-ip6tables 1 /proc/sys/net/bridge/bridge-nf-call-iptables 1 /proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged 0 /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged 0 /proc/sys/net/bridge/bridge-nf-pass-vlan-input-dev 0 --- iptables-save --------------------------------------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *nat :PREROUTING ACCEPT [2399717:158003031] :INPUT ACCEPT [2119167:127951021] :OUTPUT ACCEPT [1247497:74886415] :POSTROUTING ACCEPT [1247577:74889091] :OUTPUT_direct - [0:0] :POSTROUTING_ZONES - [0:0] :POSTROUTING_ZONES_SOURCE - [0:0] :POSTROUTING_direct - [0:0] :POST_internal - [0:0] :POST_internal_allow - [0:0] :POST_internal_deny - [0:0] :POST_internal_log - [0:0] :POST_public - [0:0] :POST_public_allow - [0:0] :POST_public_deny - [0:0] :POST_public_log - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_internal - [0:0] :PRE_internal_allow - [0:0] :PRE_internal_deny - [0:0] :PRE_internal_log - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j POSTROUTING_direct -A POSTROUTING -j POSTROUTING_ZONES_SOURCE -A POSTROUTING -j POSTROUTING_ZONES -A POSTROUTING_ZONES -o em1 -g POST_public -A POSTROUTING_ZONES -o em3 -g POST_internal -A POSTROUTING_ZONES -o em2 -g POST_internal -A POSTROUTING_ZONES -g POST_public -A POST_internal -j POST_internal_log -A POST_internal -j POST_internal_deny -A POST_internal -j POST_internal_allow -A POST_public -j POST_public_log -A POST_public -j POST_public_deny -A POST_public -j POST_public_allow -A PREROUTING_ZONES -i em1 -g PRE_public -A PREROUTING_ZONES -i em3 -g PRE_internal -A PREROUTING_ZONES -i em2 -g PRE_internal -A PREROUTING_ZONES -g PRE_public -A PRE_internal -j PRE_internal_log -A PRE_internal -j PRE_internal_deny -A PRE_internal -j PRE_internal_allow -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *mangle :PREROUTING ACCEPT [35602313:7241395638] :INPUT ACCEPT [35334088:7216849998] :FORWARD ACCEPT [531456:52775128] :OUTPUT ACCEPT [31116154:7394564666] :POSTROUTING ACCEPT [31116411:7394578939] :FORWARD_direct - [0:0] :INPUT_direct - [0:0] :OUTPUT_direct - [0:0] :POSTROUTING_direct - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_internal - [0:0] :PRE_internal_allow - [0:0] :PRE_internal_deny - [0:0] :PRE_internal_log - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j POSTROUTING_direct -A PREROUTING_ZONES -i em1 -g PRE_public -A PREROUTING_ZONES -i em3 -g PRE_internal -A PREROUTING_ZONES -i em2 -g PRE_internal -A PREROUTING_ZONES -g PRE_public -A PRE_internal -j PRE_internal_log -A PRE_internal -j PRE_internal_deny -A PRE_internal -j PRE_internal_allow -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *security :INPUT ACCEPT [35320570:7211280904] :FORWARD ACCEPT [257:14273] :OUTPUT ACCEPT [31116154:7394564666] :FORWARD_direct - [0:0] :INPUT_direct - [0:0] :OUTPUT_direct - [0:0] -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *raw :PREROUTING ACCEPT [35376775:7055105749] :OUTPUT ACCEPT [30900981:7286277384] :OUTPUT_direct - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_internal - [0:0] :PRE_internal_allow - [0:0] :PRE_internal_deny - [0:0] :PRE_internal_log - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-PREROUTING - [0:0] -A PREROUTING -j neutron-linuxbri-PREROUTING -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -j OUTPUT_direct -A PREROUTING_ZONES -i em1 -g PRE_public -A PREROUTING_ZONES -i em3 -g PRE_internal -A PREROUTING_ZONES -i em2 -g PRE_internal -A PREROUTING_ZONES -g PRE_public -A PRE_internal -j PRE_internal_log -A PRE_internal -j PRE_internal_deny -A PRE_internal -j PRE_internal_allow -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [30894651:7285234536] :FORWARD_IN_ZONES - [0:0] :FORWARD_IN_ZONES_SOURCE - [0:0] :FORWARD_OUT_ZONES - [0:0] :FORWARD_OUT_ZONES_SOURCE - [0:0] :FORWARD_direct - [0:0] :FWDI_internal - [0:0] :FWDI_internal_allow - [0:0] :FWDI_internal_deny - [0:0] :FWDI_internal_log - [0:0] :FWDI_public - [0:0] :FWDI_public_allow - [0:0] :FWDI_public_deny - [0:0] :FWDI_public_log - [0:0] :FWDO_internal - [0:0] :FWDO_internal_allow - [0:0] :FWDO_internal_deny - [0:0] :FWDO_internal_log - [0:0] :FWDO_public - [0:0] :FWDO_public_allow - [0:0] :FWDO_public_deny - [0:0] :FWDO_public_log - [0:0] :INPUT_ZONES - [0:0] :INPUT_ZONES_SOURCE - [0:0] :INPUT_direct - [0:0] :IN_internal - [0:0] :IN_internal_allow - [0:0] :IN_internal_deny - [0:0] :IN_internal_log - [0:0] :IN_public - [0:0] :IN_public_allow - [0:0] :IN_public_deny - [0:0] :IN_public_log - [0:0] :OUTPUT_direct - [0:0] :neutron-filter-top - [0:0] :neutron-linuxbri-FORWARD - [0:0] :neutron-linuxbri-INPUT - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-local - [0:0] :neutron-linuxbri-sg-chain - [0:0] :neutron-linuxbri-sg-fallback - [0:0] -A INPUT -j neutron-linuxbri-INPUT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j INPUT_direct -A INPUT -j INPUT_ZONES_SOURCE -A INPUT -j INPUT_ZONES -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-linuxbri-FORWARD -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lo -j ACCEPT -A FORWARD -j FORWARD_direct -A FORWARD -j FORWARD_IN_ZONES_SOURCE -A FORWARD -j FORWARD_IN_ZONES -A FORWARD -j FORWARD_OUT_ZONES_SOURCE -A FORWARD -j FORWARD_OUT_ZONES -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -j OUTPUT_direct -A FORWARD_IN_ZONES -i em1 -g FWDI_public -A FORWARD_IN_ZONES -i em3 -g FWDI_internal -A FORWARD_IN_ZONES -i em2 -g FWDI_internal -A FORWARD_IN_ZONES -g FWDI_public -A FORWARD_OUT_ZONES -o em1 -g FWDO_public -A FORWARD_OUT_ZONES -o em3 -g FWDO_internal -A FORWARD_OUT_ZONES -o em2 -g FWDO_internal -A FORWARD_OUT_ZONES -g FWDO_public -A FWDI_internal -j FWDI_internal_log -A FWDI_internal -j FWDI_internal_deny -A FWDI_internal -j FWDI_internal_allow -A FWDI_internal -p icmp -j ACCEPT -A FWDI_public -j FWDI_public_log -A FWDI_public -j FWDI_public_deny -A FWDI_public -j FWDI_public_allow -A FWDI_public -p icmp -j ACCEPT -A FWDO_internal -j FWDO_internal_log -A FWDO_internal -j FWDO_internal_deny -A FWDO_internal -j FWDO_internal_allow -A FWDO_public -j FWDO_public_log -A FWDO_public -j FWDO_public_deny -A FWDO_public -j FWDO_public_allow -A INPUT_ZONES -i em1 -g IN_public -A INPUT_ZONES -i em3 -g IN_internal -A INPUT_ZONES -i em2 -g IN_internal -A INPUT_ZONES -g IN_public -A IN_internal -j IN_internal_log -A IN_internal -j IN_internal_deny -A IN_internal -j IN_internal_allow -A IN_internal -p icmp -j ACCEPT -A IN_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p tcp -m tcp -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp -m conntrack --ctstate NEW -j ACCEPT -A IN_public -j IN_public_log -A IN_public -j IN_public_deny -A IN_public -j IN_public_allow -A IN_public -p icmp -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 3121 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 15000 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 19292 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 18774 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 18778 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 16080 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 19696 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT -A neutron-filter-top -j neutron-linuxbri-local -A neutron-linuxbri-sg-chain -j ACCEPT -A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP COMMIT # Completed on Mon Jan 8 11:30:14 2018 --- ip netns exec qrouter-91776680-3d3d-4c21-8c38-2b0ac8aae5f4 iptables-save ------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-POSTROUTING - [0:0] :neutron-l3-agent-PREROUTING - [0:0] :neutron-l3-agent-float-snat - [0:0] :neutron-l3-agent-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A OUTPUT -j neutron-l3-agent-OUTPUT -A POSTROUTING -j neutron-l3-agent-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-l3-agent-POSTROUTING ! -i qg-8f108323-da ! -o qg-8f108323-da -m conntrack ! --ctstate DNAT -j ACCEPT -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697 -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat -A neutron-l3-agent-snat -o qg-8f108323-da -j SNAT --to-source 206.12.154.44 -A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 206.12.154.44 -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :neutron-l3-agent-FORWARD - [0:0] :neutron-l3-agent-INPUT - [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-POSTROUTING - [0:0] :neutron-l3-agent-PREROUTING - [0:0] :neutron-l3-agent-float-snat - [0:0] :neutron-l3-agent-floatingip - [0:0] :neutron-l3-agent-mark - [0:0] :neutron-l3-agent-scope - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A INPUT -j neutron-l3-agent-INPUT -A FORWARD -j neutron-l3-agent-FORWARD -A OUTPUT -j neutron-l3-agent-OUTPUT -A POSTROUTING -j neutron-l3-agent-POSTROUTING -A neutron-l3-agent-POSTROUTING -o qg-8f108323-da -m connmark --mark 0x0/0xffff0000 -j CONNMARK --save-mark --nfmask 0xffff0000 --ctmask 0xffff0000 -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-mark -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-scope -A neutron-l3-agent-PREROUTING -m connmark ! --mark 0x0/0xffff0000 -j CONNMARK --restore-mark --nfmask 0xffff0000 --ctmask 0xffff0000 -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-floatingip -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffff -A neutron-l3-agent-float-snat -m connmark --mark 0x0/0xffff0000 -j CONNMARK --save-mark --nfmask 0xffff0000 --ctmask 0xffff0000 -A neutron-l3-agent-mark -i qg-8f108323-da -j MARK --set-xmark 0x2/0xffff -A neutron-l3-agent-scope -i qg-8f108323-da -j MARK --set-xmark 0x4000000/0xffff0000 -A neutron-l3-agent-scope -i qr-2ca89b52-63 -j MARK --set-xmark 0x4000000/0xffff0000 COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *security :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *raw :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-PREROUTING - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A OUTPUT -j neutron-l3-agent-OUTPUT COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :neutron-filter-top - [0:0] :neutron-l3-agent-FORWARD - [0:0] :neutron-l3-agent-INPUT - [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-local - [0:0] :neutron-l3-agent-scope - [0:0] -A INPUT -j neutron-l3-agent-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-l3-agent-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-l3-agent-OUTPUT -A neutron-filter-top -j neutron-l3-agent-local -A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP -A neutron-l3-agent-scope -o qr-2ca89b52-63 -m mark ! --mark 0x4000000/0xffff0000 -j DROP COMMIT # Completed on Mon Jan 8 11:30:14 2018 --- ip netns exec qdhcp-ab3e7c30-b8ee-4308-8c9f-8231dd91de2c iptables-save ------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-float-snat - [0:0] :neutron-dhcp-age-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-dhcp-age-snat -j neutron-dhcp-age-float-snat -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-dhcp-age-snat COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-mark - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A neutron-dhcp-age-POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -A neutron-dhcp-age-PREROUTING -j neutron-dhcp-age-mark COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *security :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *raw :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-local - [0:0] :neutron-filter-top - [0:0] -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-dhcp-age-OUTPUT -A neutron-filter-top -j neutron-dhcp-age-local COMMIT # Completed on Mon Jan 8 11:30:14 2018 --- ip netns exec qrouter-53301e03-c4c8-46b6-9e65-2ab6a2e46b41 iptables-save ------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *nat :PREROUTING ACCEPT [49:4816] :INPUT ACCEPT [1:324] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-POSTROUTING - [0:0] :neutron-l3-agent-PREROUTING - [0:0] :neutron-l3-agent-float-snat - [0:0] :neutron-l3-agent-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A OUTPUT -j neutron-l3-agent-OUTPUT -A POSTROUTING -j neutron-l3-agent-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697 -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *mangle :PREROUTING ACCEPT [100:10162] :INPUT ACCEPT [6:1962] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [2:132] :POSTROUTING ACCEPT [2:132] :neutron-l3-agent-FORWARD - [0:0] :neutron-l3-agent-INPUT - [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-POSTROUTING - [0:0] :neutron-l3-agent-PREROUTING - [0:0] :neutron-l3-agent-float-snat - [0:0] :neutron-l3-agent-floatingip - [0:0] :neutron-l3-agent-mark - [0:0] :neutron-l3-agent-scope - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A INPUT -j neutron-l3-agent-INPUT -A FORWARD -j neutron-l3-agent-FORWARD -A OUTPUT -j neutron-l3-agent-OUTPUT -A POSTROUTING -j neutron-l3-agent-POSTROUTING -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-mark -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-scope -A neutron-l3-agent-PREROUTING -m connmark ! --mark 0x0/0xffff0000 -j CONNMARK --restore-mark --nfmask 0xffff0000 --ctmask 0xffff0000 -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-floatingip -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffff -A neutron-l3-agent-float-snat -m connmark --mark 0x0/0xffff0000 -j CONNMARK --save-mark --nfmask 0xffff0000 --ctmask 0xffff0000 -A neutron-l3-agent-scope -i qr-65e6263a-50 -j MARK --set-xmark 0x4000000/0xffff0000 -A neutron-l3-agent-scope -i qr-d535e624-b8 -j MARK --set-xmark 0x4000000/0xffff0000 COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *security :INPUT ACCEPT [12:3906] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [5:560] COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *raw :PREROUTING ACCEPT [378:38241] :OUTPUT ACCEPT [5:560] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-PREROUTING - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A OUTPUT -j neutron-l3-agent-OUTPUT COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *filter :INPUT ACCEPT [6:1962] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [2:132] :neutron-filter-top - [0:0] :neutron-l3-agent-FORWARD - [0:0] :neutron-l3-agent-INPUT - [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-local - [0:0] :neutron-l3-agent-scope - [0:0] -A INPUT -j neutron-l3-agent-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-l3-agent-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-l3-agent-OUTPUT -A neutron-filter-top -j neutron-l3-agent-local -A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP -A neutron-l3-agent-scope -o qr-65e6263a-50 -m mark ! --mark 0x4000000/0xffff0000 -j DROP -A neutron-l3-agent-scope -o qr-d535e624-b8 -m mark ! --mark 0x4000000/0xffff0000 -j DROP COMMIT # Completed on Mon Jan 8 11:30:14 2018 --- ip netns exec qdhcp-759ebc61-6678-489c-b15d-c03c0a04a32a iptables-save ------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *nat :PREROUTING ACCEPT [4:1278] :INPUT ACCEPT [4:1278] :OUTPUT ACCEPT [4:1424] :POSTROUTING ACCEPT [4:1424] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-float-snat - [0:0] :neutron-dhcp-age-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-dhcp-age-snat -j neutron-dhcp-age-float-snat -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-dhcp-age-snat COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *mangle :PREROUTING ACCEPT [16:5472] :INPUT ACCEPT [16:5472] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [12:4362] :POSTROUTING ACCEPT [12:4362] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-mark - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A neutron-dhcp-age-POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -A neutron-dhcp-age-PREROUTING -j neutron-dhcp-age-mark COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *security :INPUT ACCEPT [16:5472] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [12:4362] COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *raw :PREROUTING ACCEPT [16:5472] :OUTPUT ACCEPT [12:4362] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *filter :INPUT ACCEPT [16:5472] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [12:4362] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-local - [0:0] :neutron-filter-top - [0:0] -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-dhcp-age-OUTPUT -A neutron-filter-top -j neutron-dhcp-age-local COMMIT # Completed on Mon Jan 8 11:30:14 2018 --- ip netns exec qdhcp-e30da05a-f7c1-4c1f-843a-93dfde044a86 iptables-save ------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *nat :PREROUTING ACCEPT [339:27000] :INPUT ACCEPT [80:2676] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-float-snat - [0:0] :neutron-dhcp-age-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-dhcp-age-snat -j neutron-dhcp-age-float-snat -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-dhcp-age-snat COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *mangle :PREROUTING ACCEPT [348:27609] :INPUT ACCEPT [89:3285] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [80:2676] :POSTROUTING ACCEPT [80:2676] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-mark - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A neutron-dhcp-age-POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -A neutron-dhcp-age-PREROUTING -j neutron-dhcp-age-mark COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *security :INPUT ACCEPT [89:3285] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [80:2676] COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *raw :PREROUTING ACCEPT [348:27609] :OUTPUT ACCEPT [80:2676] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT COMMIT # Completed on Mon Jan 8 11:30:14 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:30:14 2018 *filter :INPUT ACCEPT [89:3285] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [80:2676] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-local - [0:0] :neutron-filter-top - [0:0] -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-dhcp-age-OUTPUT -A neutron-filter-top -j neutron-dhcp-age-local COMMIT # Completed on Mon Jan 8 11:30:14 2018 ### ### os-pike-compute ### --- Knobs ----------------------------------------------------------------------------- /proc/sys/net/bridge/bridge-nf-call-arptables 1 /proc/sys/net/bridge/bridge-nf-call-ip6tables 1 /proc/sys/net/bridge/bridge-nf-call-iptables 1 /proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged 0 /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged 0 /proc/sys/net/bridge/bridge-nf-pass-vlan-input-dev 0 --- iptables-save --------------------------------------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:29:13 2018 *nat :PREROUTING ACCEPT [27490:2711051] :INPUT ACCEPT [23699:1845512] :OUTPUT ACCEPT [10306:1453599] :POSTROUTING ACCEPT [12807:2263839] :OUTPUT_direct - [0:0] :POSTROUTING_ZONES - [0:0] :POSTROUTING_ZONES_SOURCE - [0:0] :POSTROUTING_direct - [0:0] :POST_internal - [0:0] :POST_internal_allow - [0:0] :POST_internal_deny - [0:0] :POST_internal_log - [0:0] :POST_public - [0:0] :POST_public_allow - [0:0] :POST_public_deny - [0:0] :POST_public_log - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_internal - [0:0] :PRE_internal_allow - [0:0] :PRE_internal_deny - [0:0] :PRE_internal_log - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j POSTROUTING_direct -A POSTROUTING -j POSTROUTING_ZONES_SOURCE -A POSTROUTING -j POSTROUTING_ZONES -A POSTROUTING_ZONES -o p3p1 -g POST_public -A POSTROUTING_ZONES -o em1 -g POST_internal -A POSTROUTING_ZONES -g POST_public -A POST_internal -j POST_internal_log -A POST_internal -j POST_internal_deny -A POST_internal -j POST_internal_allow -A POST_public -j POST_public_log -A POST_public -j POST_public_deny -A POST_public -j POST_public_allow -A PREROUTING_ZONES -i p3p1 -g PRE_public -A PREROUTING_ZONES -i em1 -g PRE_internal -A PREROUTING_ZONES -g PRE_public -A PRE_internal -j PRE_internal_log -A PRE_internal -j PRE_internal_deny -A PRE_internal -j PRE_internal_allow -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow COMMIT # Completed on Mon Jan 8 11:29:13 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:29:13 2018 *mangle :PREROUTING ACCEPT [3275912:347427858] :INPUT ACCEPT [3275882:347418318] :FORWARD ACCEPT [7515:2434554] :OUTPUT ACCEPT [3206175:424054324] :POSTROUTING ACCEPT [3213690:426488878] :FORWARD_direct - [0:0] :INPUT_direct - [0:0] :OUTPUT_direct - [0:0] :POSTROUTING_direct - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_internal - [0:0] :PRE_internal_allow - [0:0] :PRE_internal_deny - [0:0] :PRE_internal_log - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j POSTROUTING_direct -A PREROUTING_ZONES -i p3p1 -g PRE_public -A PREROUTING_ZONES -i em1 -g PRE_internal -A PREROUTING_ZONES -g PRE_public -A PRE_internal -j PRE_internal_log -A PRE_internal -j PRE_internal_deny -A PRE_internal -j PRE_internal_allow -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow COMMIT # Completed on Mon Jan 8 11:29:13 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:29:13 2018 *security :INPUT ACCEPT [3266941:344930885] :FORWARD ACCEPT [7515:2434554] :OUTPUT ACCEPT [3206175:424054324] :FORWARD_direct - [0:0] :INPUT_direct - [0:0] :OUTPUT_direct - [0:0] -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct COMMIT # Completed on Mon Jan 8 11:29:13 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:29:13 2018 *raw :PREROUTING ACCEPT [15989:1865727] :OUTPUT ACCEPT [15460:2112838] :OUTPUT_direct - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_internal - [0:0] :PRE_internal_allow - [0:0] :PRE_internal_deny - [0:0] :PRE_internal_log - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-PREROUTING - [0:0] -A PREROUTING -j neutron-linuxbri-PREROUTING -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -j OUTPUT_direct -A PREROUTING_ZONES -i p3p1 -g PRE_public -A PREROUTING_ZONES -i em1 -g PRE_internal -A PREROUTING_ZONES -g PRE_public -A PRE_internal -j PRE_internal_log -A PRE_internal -j PRE_internal_deny -A PRE_internal -j PRE_internal_allow -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow -A neutron-linuxbri-PREROUTING -m physdev --physdev-in brqab3e7c30-b8 -m comment --comment "Set zone for 5709c53-77" -j CT --zone 2 -A neutron-linuxbri-PREROUTING -i brqab3e7c30-b8 -m comment --comment "Set zone for 5709c53-77" -j CT --zone 2 -A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap25709c53-77 -m comment --comment "Set zone for 5709c53-77" -j CT --zone 2 -A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq759ebc61-66 -m comment --comment "Set zone for 25a24c9-7d" -j CT --zone 1 -A neutron-linuxbri-PREROUTING -i brq759ebc61-66 -m comment --comment "Set zone for 25a24c9-7d" -j CT --zone 1 -A neutron-linuxbri-PREROUTING -m physdev --physdev-in tapf25a24c9-7d -m comment --comment "Set zone for 25a24c9-7d" -j CT --zone 1 COMMIT # Completed on Mon Jan 8 11:29:13 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:29:13 2018 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [15460:2112838] :FORWARD_IN_ZONES - [0:0] :FORWARD_IN_ZONES_SOURCE - [0:0] :FORWARD_OUT_ZONES - [0:0] :FORWARD_OUT_ZONES_SOURCE - [0:0] :FORWARD_direct - [0:0] :FWDI_internal - [0:0] :FWDI_internal_allow - [0:0] :FWDI_internal_deny - [0:0] :FWDI_internal_log - [0:0] :FWDI_public - [0:0] :FWDI_public_allow - [0:0] :FWDI_public_deny - [0:0] :FWDI_public_log - [0:0] :FWDO_internal - [0:0] :FWDO_internal_allow - [0:0] :FWDO_internal_deny - [0:0] :FWDO_internal_log - [0:0] :FWDO_public - [0:0] :FWDO_public_allow - [0:0] :FWDO_public_deny - [0:0] :FWDO_public_log - [0:0] :INPUT_ZONES - [0:0] :INPUT_ZONES_SOURCE - [0:0] :INPUT_direct - [0:0] :IN_internal - [0:0] :IN_internal_allow - [0:0] :IN_internal_deny - [0:0] :IN_internal_log - [0:0] :IN_public - [0:0] :IN_public_allow - [0:0] :IN_public_deny - [0:0] :IN_public_log - [0:0] :OUTPUT_direct - [0:0] :neutron-filter-top - [0:0] :neutron-linuxbri-FORWARD - [0:0] :neutron-linuxbri-INPUT - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-i25709c53-7 - [0:0] :neutron-linuxbri-if25a24c9-7 - [0:0] :neutron-linuxbri-local - [0:0] :neutron-linuxbri-o25709c53-7 - [0:0] :neutron-linuxbri-of25a24c9-7 - [0:0] :neutron-linuxbri-s25709c53-7 - [0:0] :neutron-linuxbri-sf25a24c9-7 - [0:0] :neutron-linuxbri-sg-chain - [0:0] :neutron-linuxbri-sg-fallback - [0:0] -A INPUT -j neutron-linuxbri-INPUT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j INPUT_direct -A INPUT -j INPUT_ZONES_SOURCE -A INPUT -j INPUT_ZONES -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-linuxbri-FORWARD -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lo -j ACCEPT -A FORWARD -j FORWARD_direct -A FORWARD -j FORWARD_IN_ZONES_SOURCE -A FORWARD -j FORWARD_IN_ZONES -A FORWARD -j FORWARD_OUT_ZONES_SOURCE -A FORWARD -j FORWARD_OUT_ZONES -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -j OUTPUT_direct -A FORWARD_IN_ZONES -i p3p1 -g FWDI_public -A FORWARD_IN_ZONES -i em1 -g FWDI_internal -A FORWARD_IN_ZONES -g FWDI_public -A FORWARD_OUT_ZONES -o p3p1 -g FWDO_public -A FORWARD_OUT_ZONES -o em1 -g FWDO_internal -A FORWARD_OUT_ZONES -g FWDO_public -A FWDI_internal -j FWDI_internal_log -A FWDI_internal -j FWDI_internal_deny -A FWDI_internal -j FWDI_internal_allow -A FWDI_internal -p icmp -j ACCEPT -A FWDI_public -j FWDI_public_log -A FWDI_public -j FWDI_public_deny -A FWDI_public -j FWDI_public_allow -A FWDI_public -p icmp -j ACCEPT -A FWDO_internal -j FWDO_internal_log -A FWDO_internal -j FWDO_internal_deny -A FWDO_internal -j FWDO_internal_allow -A FWDO_public -j FWDO_public_log -A FWDO_public -j FWDO_public_deny -A FWDO_public -j FWDO_public_allow -A INPUT_ZONES -i p3p1 -g IN_public -A INPUT_ZONES -i em1 -g IN_internal -A INPUT_ZONES -g IN_public -A IN_internal -j IN_internal_log -A IN_internal -j IN_internal_deny -A IN_internal -j IN_internal_allow -A IN_internal -p icmp -j ACCEPT -A IN_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p tcp -m tcp -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp -m conntrack --ctstate NEW -j ACCEPT -A IN_public -j IN_public_log -A IN_public -j IN_public_deny -A IN_public -j IN_public_allow -A IN_public -p icmp -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 3121 -m conntrack --ctstate NEW -j ACCEPT -A neutron-filter-top -j neutron-linuxbri-local -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap25709c53-77 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap25709c53-77 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapf25a24c9-7d --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-FORWARD -m physdev --physdev-in tapf25a24c9-7d --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-INPUT -m physdev --physdev-in tap25709c53-77 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-linuxbri-o25709c53-7 -A neutron-linuxbri-INPUT -m physdev --physdev-in tapf25a24c9-7d --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-linuxbri-of25a24c9-7 -A neutron-linuxbri-i25709c53-7 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-i25709c53-7 -d 10.0.0.12/32 -p udp -m udp --sport 67 --dport 68 -j RETURN -A neutron-linuxbri-i25709c53-7 -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN -A neutron-linuxbri-i25709c53-7 -m set --match-set NIPv434252589-8603-4df2-9e31- src -j RETURN -A neutron-linuxbri-i25709c53-7 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-i25709c53-7 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-if25a24c9-7 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-if25a24c9-7 -d 10.0.0.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN -A neutron-linuxbri-if25a24c9-7 -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN -A neutron-linuxbri-if25a24c9-7 -m set --match-set NIPv400728236-e0ec-4bc7-a783- src -j RETURN -A neutron-linuxbri-if25a24c9-7 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-if25a24c9-7 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-o25709c53-7 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN -A neutron-linuxbri-o25709c53-7 -j neutron-linuxbri-s25709c53-7 -A neutron-linuxbri-o25709c53-7 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN -A neutron-linuxbri-o25709c53-7 -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP -A neutron-linuxbri-o25709c53-7 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-o25709c53-7 -j RETURN -A neutron-linuxbri-o25709c53-7 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-o25709c53-7 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-of25a24c9-7 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN -A neutron-linuxbri-of25a24c9-7 -j neutron-linuxbri-sf25a24c9-7 -A neutron-linuxbri-of25a24c9-7 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN -A neutron-linuxbri-of25a24c9-7 -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP -A neutron-linuxbri-of25a24c9-7 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-of25a24c9-7 -j RETURN -A neutron-linuxbri-of25a24c9-7 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-of25a24c9-7 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-s25709c53-7 -s 10.0.0.12/32 -m mac --mac-source FA:16:3E:BF:40:01 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN -A neutron-linuxbri-s25709c53-7 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP -A neutron-linuxbri-sf25a24c9-7 -s 10.0.0.3/32 -m mac --mac-source FA:16:3E:48:2A:90 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN -A neutron-linuxbri-sf25a24c9-7 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP -A neutron-linuxbri-sg-chain -m physdev --physdev-out tap25709c53-77 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-i25709c53-7 -A neutron-linuxbri-sg-chain -m physdev --physdev-in tap25709c53-77 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-o25709c53-7 -A neutron-linuxbri-sg-chain -m physdev --physdev-out tapf25a24c9-7d --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-if25a24c9-7 -A neutron-linuxbri-sg-chain -m physdev --physdev-in tapf25a24c9-7d --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-of25a24c9-7 -A neutron-linuxbri-sg-chain -j ACCEPT -A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP COMMIT # Completed on Mon Jan 8 11:29:13 2018 ### ### os-liberty-controller ### --- Knobs ----------------------------------------------------------------------------- /proc/sys/net/bridge/bridge-nf-call-arptables 0 /proc/sys/net/bridge/bridge-nf-call-ip6tables 0 /proc/sys/net/bridge/bridge-nf-call-iptables 0 /proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged 0 /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged 0 /proc/sys/net/bridge/bridge-nf-pass-vlan-input-dev 0 --- iptables-save --------------------------------------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *security :INPUT ACCEPT [72021114356:29749572204244] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [262939153731:436224688260714] :FORWARD_direct - [0:0] :INPUT_direct - [0:0] :OUTPUT_direct - [0:0] -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *nat :PREROUTING ACCEPT [61089693:11483135306] :INPUT ACCEPT [60054749:11365244739] :OUTPUT ACCEPT [76183542:8903221064] :POSTROUTING ACCEPT [76183542:8903221064] :OUTPUT_direct - [0:0] :POSTROUTING_ZONES - [0:0] :POSTROUTING_ZONES_SOURCE - [0:0] :POSTROUTING_direct - [0:0] :POST_internal - [0:0] :POST_internal_allow - [0:0] :POST_internal_deny - [0:0] :POST_internal_log - [0:0] :POST_public - [0:0] :POST_public_allow - [0:0] :POST_public_deny - [0:0] :POST_public_log - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_internal - [0:0] :PRE_internal_allow - [0:0] :PRE_internal_deny - [0:0] :PRE_internal_log - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-POSTROUTING - [0:0] :neutron-linuxbri-PREROUTING - [0:0] :neutron-linuxbri-float-snat - [0:0] :neutron-linuxbri-snat - [0:0] :neutron-postrouting-bottom - [0:0] :nova-api-OUTPUT - [0:0] :nova-api-POSTROUTING - [0:0] :nova-api-PREROUTING - [0:0] :nova-api-float-snat - [0:0] :nova-api-snat - [0:0] :nova-postrouting-bottom - [0:0] -A PREROUTING -j neutron-linuxbri-PREROUTING -A PREROUTING -j nova-api-PREROUTING -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -j nova-api-OUTPUT -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j neutron-linuxbri-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A POSTROUTING -j nova-api-POSTROUTING -A POSTROUTING -j nova-postrouting-bottom -A POSTROUTING -j POSTROUTING_direct -A POSTROUTING -j POSTROUTING_ZONES_SOURCE -A POSTROUTING -j POSTROUTING_ZONES -A POSTROUTING_ZONES -o em1 -g POST_internal -A POSTROUTING_ZONES -o p3p1 -g POST_public -A POSTROUTING_ZONES -g POST_public -A POST_internal -j POST_internal_log -A POST_internal -j POST_internal_deny -A POST_internal -j POST_internal_allow -A POST_public -j POST_public_log -A POST_public -j POST_public_deny -A POST_public -j POST_public_allow -A PREROUTING_ZONES -i em1 -g PRE_internal -A PREROUTING_ZONES -i p3p1 -g PRE_public -A PREROUTING_ZONES -g PRE_public -A PRE_internal -j PRE_internal_log -A PRE_internal -j PRE_internal_deny -A PRE_internal -j PRE_internal_allow -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow -A neutron-linuxbri-snat -j neutron-linuxbri-float-snat -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-linuxbri-snat -A nova-api-snat -j nova-api-float-snat -A nova-postrouting-bottom -j nova-api-snat COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *mangle :PREROUTING ACCEPT [29972215728:7884018389926] :INPUT ACCEPT [29971253831:7883905021012] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [127066758055:212611572824629] :POSTROUTING ACCEPT [127066758055:212611572824629] :FORWARD_direct - [0:0] :INPUT_direct - [0:0] :OUTPUT_direct - [0:0] :POSTROUTING_direct - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_internal - [0:0] :PRE_internal_allow - [0:0] :PRE_internal_deny - [0:0] :PRE_internal_log - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] :neutron-linuxbri-FORWARD - [0:0] :neutron-linuxbri-INPUT - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-POSTROUTING - [0:0] :neutron-linuxbri-PREROUTING - [0:0] :neutron-linuxbri-mark - [0:0] :nova-api-POSTROUTING - [0:0] -A PREROUTING -j neutron-linuxbri-PREROUTING -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A INPUT -j neutron-linuxbri-INPUT -A INPUT -j INPUT_direct -A FORWARD -j neutron-linuxbri-FORWARD -A FORWARD -j FORWARD_direct -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j neutron-linuxbri-POSTROUTING -A POSTROUTING -j nova-api-POSTROUTING -A POSTROUTING -j POSTROUTING_direct -A PREROUTING_ZONES -i em1 -g PRE_internal -A PREROUTING_ZONES -i p3p1 -g PRE_public -A PREROUTING_ZONES -g PRE_public -A PRE_internal -j PRE_internal_log -A PRE_internal -j PRE_internal_deny -A PRE_internal -j PRE_internal_allow -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow -A neutron-linuxbri-PREROUTING -j neutron-linuxbri-mark COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *raw :PREROUTING ACCEPT [29972215725:7884018389571] :OUTPUT ACCEPT [127066758052:212611572824034] :OUTPUT_direct - [0:0] :PREROUTING_direct - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-PREROUTING - [0:0] -A PREROUTING -j neutron-linuxbri-PREROUTING -A PREROUTING -j PREROUTING_direct -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -j OUTPUT_direct COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [127066758057:212611572825058] :FORWARD_IN_ZONES - [0:0] :FORWARD_IN_ZONES_SOURCE - [0:0] :FORWARD_OUT_ZONES - [0:0] :FORWARD_OUT_ZONES_SOURCE - [0:0] :FORWARD_direct - [0:0] :FWDI_internal - [0:0] :FWDI_internal_allow - [0:0] :FWDI_internal_deny - [0:0] :FWDI_internal_log - [0:0] :FWDI_public - [0:0] :FWDI_public_allow - [0:0] :FWDI_public_deny - [0:0] :FWDI_public_log - [0:0] :FWDO_internal - [0:0] :FWDO_internal_allow - [0:0] :FWDO_internal_deny - [0:0] :FWDO_internal_log - [0:0] :FWDO_public - [0:0] :FWDO_public_allow - [0:0] :FWDO_public_deny - [0:0] :FWDO_public_log - [0:0] :INPUT_ZONES - [0:0] :INPUT_ZONES_SOURCE - [0:0] :INPUT_direct - [0:0] :IN_internal - [0:0] :IN_internal_allow - [0:0] :IN_internal_deny - [0:0] :IN_internal_log - [0:0] :IN_public - [0:0] :IN_public_allow - [0:0] :IN_public_deny - [0:0] :IN_public_log - [0:0] :OUTPUT_direct - [0:0] :neutron-filter-top - [0:0] :neutron-linuxbri-FORWARD - [0:0] :neutron-linuxbri-INPUT - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-local - [0:0] :neutron-linuxbri-sg-chain - [0:0] :neutron-linuxbri-sg-fallback - [0:0] :nova-api-FORWARD - [0:0] :nova-api-INPUT - [0:0] :nova-api-OUTPUT - [0:0] :nova-api-local - [0:0] :nova-filter-top - [0:0] -A INPUT -j neutron-linuxbri-INPUT -A INPUT -j nova-api-INPUT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j INPUT_direct -A INPUT -j INPUT_ZONES_SOURCE -A INPUT -j INPUT_ZONES -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-linuxbri-FORWARD -A FORWARD -j nova-filter-top -A FORWARD -j nova-api-FORWARD -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lo -j ACCEPT -A FORWARD -j FORWARD_direct -A FORWARD -j FORWARD_IN_ZONES_SOURCE -A FORWARD -j FORWARD_IN_ZONES -A FORWARD -j FORWARD_OUT_ZONES_SOURCE -A FORWARD -j FORWARD_OUT_ZONES -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -j nova-filter-top -A OUTPUT -j nova-api-OUTPUT -A OUTPUT -j OUTPUT_direct -A FORWARD_IN_ZONES -i em1 -g FWDI_internal -A FORWARD_IN_ZONES -i p3p1 -g FWDI_public -A FORWARD_IN_ZONES -g FWDI_public -A FORWARD_OUT_ZONES -o em1 -g FWDO_internal -A FORWARD_OUT_ZONES -o p3p1 -g FWDO_public -A FORWARD_OUT_ZONES -g FWDO_public -A FWDI_internal -j FWDI_internal_log -A FWDI_internal -j FWDI_internal_deny -A FWDI_internal -j FWDI_internal_allow -A FWDI_internal -p icmp -j ACCEPT -A FWDI_public -j FWDI_public_log -A FWDI_public -j FWDI_public_deny -A FWDI_public -j FWDI_public_allow -A FWDI_public -p icmp -j ACCEPT -A FWDO_internal -j FWDO_internal_log -A FWDO_internal -j FWDO_internal_deny -A FWDO_internal -j FWDO_internal_allow -A FWDO_public -j FWDO_public_log -A FWDO_public -j FWDO_public_deny -A FWDO_public -j FWDO_public_allow -A INPUT_ZONES -i em1 -g IN_internal -A INPUT_ZONES -i p3p1 -g IN_public -A INPUT_ZONES -g IN_public -A IN_internal -j IN_internal_log -A IN_internal -j IN_internal_deny -A IN_internal -j IN_internal_allow -A IN_internal -p icmp -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p tcp -m tcp -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp -m conntrack --ctstate NEW -j ACCEPT -A IN_public -j IN_public_log -A IN_public -j IN_public_deny -A IN_public -j IN_public_allow -A IN_public -p icmp -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 16080 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 18776 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 19292 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 15000 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 3121 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 18774 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 19696 -m conntrack --ctstate NEW -j ACCEPT -A neutron-filter-top -j neutron-linuxbri-local -A neutron-linuxbri-sg-chain -j ACCEPT -A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP -A nova-api-INPUT -d 10.200.200.3/32 -p tcp -m tcp --dport 8775 -j ACCEPT -A nova-filter-top -j nova-api-local COMMIT # Completed on Mon Jan 8 11:33:42 2018 --- ip netns exec qdhcp-a8367dd4-c34d-4716-8c43-de0dd95916be iptables-save ------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *security :INPUT ACCEPT [562714:35791734] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [536741:35191279] COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *nat :PREROUTING ACCEPT [3675510:399165518] :INPUT ACCEPT [454965:25427408] :OUTPUT ACCEPT [857:381627] :POSTROUTING ACCEPT [857:381627] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-float-snat - [0:0] :neutron-dhcp-age-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-dhcp-age-snat -j neutron-dhcp-age-float-snat -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-dhcp-age-snat COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *mangle :PREROUTING ACCEPT [3962622:419733019] :INPUT ACCEPT [742077:45994909] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [708645:45719241] :POSTROUTING ACCEPT [708645:45719241] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-mark - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A neutron-dhcp-age-POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -A neutron-dhcp-age-PREROUTING -j neutron-dhcp-age-mark COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *raw :PREROUTING ACCEPT [3962622:419733019] :OUTPUT ACCEPT [708645:45719241] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *filter :INPUT ACCEPT [742077:45994909] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [708645:45719241] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-local - [0:0] :neutron-filter-top - [0:0] -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-dhcp-age-OUTPUT -A neutron-filter-top -j neutron-dhcp-age-local COMMIT # Completed on Mon Jan 8 11:33:42 2018 --- ip netns exec qdhcp-b87a9b70-1fbf-47d6-aa35-d9e92ae406e5 iptables-save ------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *security :INPUT ACCEPT [11547:3782108] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [11547:4273411] COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *nat :PREROUTING ACCEPT [31362:8302697] :INPUT ACCEPT [15172:4673040] :OUTPUT ACCEPT [3824:1716788] :POSTROUTING ACCEPT [3824:1716788] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-float-snat - [0:0] :neutron-dhcp-age-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-dhcp-age-snat -j neutron-dhcp-age-float-snat -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-dhcp-age-snat COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *mangle :PREROUTING ACCEPT [40518:11650089] :INPUT ACCEPT [24328:8020432] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [24328:9054476] :POSTROUTING ACCEPT [24328:9054476] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-mark - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A neutron-dhcp-age-POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -A neutron-dhcp-age-PREROUTING -j neutron-dhcp-age-mark COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *raw :PREROUTING ACCEPT [40518:11650089] :OUTPUT ACCEPT [24328:9054476] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *filter :INPUT ACCEPT [24328:8020432] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [24328:9054476] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-local - [0:0] :neutron-filter-top - [0:0] -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-dhcp-age-OUTPUT -A neutron-filter-top -j neutron-dhcp-age-local COMMIT # Completed on Mon Jan 8 11:33:42 2018 --- ip netns exec qdhcp-ab78812a-194a-48f7-bb0b-157c39ff6be4 iptables-save ------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *security :INPUT ACCEPT [4734:1377833] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [4721:1491299] COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *nat :PREROUTING ACCEPT [10118:2273230] :INPUT ACCEPT [2932:646950] :OUTPUT ACCEPT [1632:723688] :POSTROUTING ACCEPT [1632:723688] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-float-snat - [0:0] :neutron-dhcp-age-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-dhcp-age-snat -j neutron-dhcp-age-float-snat -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-dhcp-age-snat COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *mangle :PREROUTING ACCEPT [11994:3025414] :INPUT ACCEPT [4808:1399134] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [4795:1514019] :POSTROUTING ACCEPT [4795:1514019] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-mark - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A neutron-dhcp-age-POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -A neutron-dhcp-age-PREROUTING -j neutron-dhcp-age-mark COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *raw :PREROUTING ACCEPT [11994:3025414] :OUTPUT ACCEPT [4795:1514019] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *filter :INPUT ACCEPT [4808:1399134] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [4795:1514019] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-local - [0:0] :neutron-filter-top - [0:0] -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-dhcp-age-OUTPUT -A neutron-filter-top -j neutron-dhcp-age-local COMMIT # Completed on Mon Jan 8 11:33:42 2018 --- ip netns exec qdhcp-b7876321-1318-4b3c-b6c6-7ae9789141ec iptables-save ------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *security :INPUT ACCEPT [12501:4068061] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [12501:4514337] COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *nat :PREROUTING ACCEPT [29191:6999104] :INPUT ACCEPT [8172:2287679] :OUTPUT ACCEPT [4707:2103830] :POSTROUTING ACCEPT [4707:2103830] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-float-snat - [0:0] :neutron-dhcp-age-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-dhcp-age-snat -j neutron-dhcp-age-float-snat -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-dhcp-age-snat COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *mangle :PREROUTING ACCEPT [38699:10529698] :INPUT ACCEPT [17680:5818273] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [17680:6494393] :POSTROUTING ACCEPT [17680:6494393] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-POSTROUTING - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] :neutron-dhcp-age-mark - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-dhcp-age-OUTPUT -A POSTROUTING -j neutron-dhcp-age-POSTROUTING -A neutron-dhcp-age-POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -A neutron-dhcp-age-PREROUTING -j neutron-dhcp-age-mark COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *raw :PREROUTING ACCEPT [38699:10529698] :OUTPUT ACCEPT [17680:6494393] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-PREROUTING - [0:0] -A PREROUTING -j neutron-dhcp-age-PREROUTING -A OUTPUT -j neutron-dhcp-age-OUTPUT COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *filter :INPUT ACCEPT [17680:5818273] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [17680:6494393] :neutron-dhcp-age-FORWARD - [0:0] :neutron-dhcp-age-INPUT - [0:0] :neutron-dhcp-age-OUTPUT - [0:0] :neutron-dhcp-age-local - [0:0] :neutron-filter-top - [0:0] -A INPUT -j neutron-dhcp-age-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-dhcp-age-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-dhcp-age-OUTPUT -A neutron-filter-top -j neutron-dhcp-age-local COMMIT # Completed on Mon Jan 8 11:33:42 2018 --- ip netns exec qrouter-fda7ea8f-2e1e-477f-b366-72f129476f15 iptables-save ------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *security :INPUT ACCEPT [316890:17203414] :FORWARD ACCEPT [28341033:50769233366] :OUTPUT ACCEPT [866709:199522339] COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *nat :PREROUTING ACCEPT [171520:19261350] :INPUT ACCEPT [8847:397356] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-POSTROUTING - [0:0] :neutron-l3-agent-PREROUTING - [0:0] :neutron-l3-agent-float-snat - [0:0] :neutron-l3-agent-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A OUTPUT -j neutron-l3-agent-OUTPUT -A POSTROUTING -j neutron-l3-agent-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-l3-agent-POSTROUTING ! -i qg-4d94aa9d-7f ! -o qg-4d94aa9d-7f -m conntrack ! --ctstate DNAT -j ACCEPT -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat -A neutron-l3-agent-snat -o qg-4d94aa9d-7f -j SNAT --to-source 206.12.154.36 -A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 206.12.154.36 -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *mangle :PREROUTING ACCEPT [8705655:20562327416] :INPUT ACCEPT [138987:6799551] :FORWARD ACCEPT [7616200:20444704276] :OUTPUT ACCEPT [195033:10945809] :POSTROUTING ACCEPT [7811233:20455650085] :neutron-l3-agent-FORWARD - [0:0] :neutron-l3-agent-INPUT - [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-POSTROUTING - [0:0] :neutron-l3-agent-PREROUTING - [0:0] :neutron-l3-agent-mark - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A INPUT -j neutron-l3-agent-INPUT -A FORWARD -j neutron-l3-agent-FORWARD -A OUTPUT -j neutron-l3-agent-OUTPUT -A POSTROUTING -j neutron-l3-agent-POSTROUTING -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-mark -A neutron-l3-agent-mark -i qg-4d94aa9d-7f -j MARK --set-xmark 0x2/0xffff COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *raw :PREROUTING ACCEPT [32994089:54087670084] :OUTPUT ACCEPT [1010973:205961763] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-PREROUTING - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A OUTPUT -j neutron-l3-agent-OUTPUT COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *filter :INPUT ACCEPT [138987:6799551] :FORWARD ACCEPT [7616200:20444704276] :OUTPUT ACCEPT [195033:10945809] :neutron-filter-top - [0:0] :neutron-l3-agent-FORWARD - [0:0] :neutron-l3-agent-INPUT - [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-local - [0:0] -A INPUT -j neutron-l3-agent-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-l3-agent-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-l3-agent-OUTPUT -A neutron-filter-top -j neutron-l3-agent-local COMMIT # Completed on Mon Jan 8 11:33:42 2018 --- ip netns exec qrouter-d7fb750b-b06b-4e90-873d-5f344b9a1f86 iptables-save ------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *security :INPUT ACCEPT [3702921:169602878] :FORWARD ACCEPT [33261218009:188018564501452] :OUTPUT ACCEPT [8331983:1962664418] COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *nat :PREROUTING ACCEPT [3611881:255160759] :INPUT ACCEPT [15735:863179] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [60339:6292261] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-POSTROUTING - [0:0] :neutron-l3-agent-PREROUTING - [0:0] :neutron-l3-agent-float-snat - [0:0] :neutron-l3-agent-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A OUTPUT -j neutron-l3-agent-OUTPUT -A POSTROUTING -j neutron-l3-agent-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-l3-agent-OUTPUT -d 206.12.154.169/32 -j DNAT --to-destination 10.0.0.187 -A neutron-l3-agent-OUTPUT -d 206.12.154.40/32 -j DNAT --to-destination 10.0.0.176 -A neutron-l3-agent-POSTROUTING ! -i qg-a39ad524-73 ! -o qg-a39ad524-73 -m conntrack ! --ctstate DNAT -j ACCEPT -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697 -A neutron-l3-agent-PREROUTING -d 206.12.154.169/32 -j DNAT --to-destination 10.0.0.187 -A neutron-l3-agent-PREROUTING -d 206.12.154.40/32 -j DNAT --to-destination 10.0.0.176 -A neutron-l3-agent-float-snat -s 10.0.0.187/32 -j SNAT --to-source 206.12.154.169 -A neutron-l3-agent-float-snat -s 10.0.0.176/32 -j SNAT --to-source 206.12.154.40 -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat -A neutron-l3-agent-snat -o qg-a39ad524-73 -j SNAT --to-source 206.12.154.34 -A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 206.12.154.34 -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *mangle :PREROUTING ACCEPT [29204377344:176119971131179] :INPUT ACCEPT [3308436:142339648] :FORWARD ACCEPT [29200098818:176119695964045] :OUTPUT ACCEPT [278117:55652114] :POSTROUTING ACCEPT [29200376828:176119751601783] :neutron-l3-agent-FORWARD - [0:0] :neutron-l3-agent-INPUT - [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-POSTROUTING - [0:0] :neutron-l3-agent-PREROUTING - [0:0] :neutron-l3-agent-mark - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A INPUT -j neutron-l3-agent-INPUT -A FORWARD -j neutron-l3-agent-FORWARD -A OUTPUT -j neutron-l3-agent-OUTPUT -A POSTROUTING -j neutron-l3-agent-POSTROUTING -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-mark -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffff -A neutron-l3-agent-mark -i qg-a39ad524-73 -j MARK --set-xmark 0x2/0xffff COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *raw :PREROUTING ACCEPT [33588027215:189212507669253] :OUTPUT ACCEPT [10640010:2493518747] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-PREROUTING - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A OUTPUT -j neutron-l3-agent-OUTPUT COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *filter :INPUT ACCEPT [3142882:129501168] :FORWARD ACCEPT [29200098818:176119695964045] :OUTPUT ACCEPT [278010:55637738] :neutron-filter-top - [0:0] :neutron-l3-agent-FORWARD - [0:0] :neutron-l3-agent-INPUT - [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-local - [0:0] -A INPUT -j neutron-l3-agent-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-l3-agent-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-l3-agent-OUTPUT -A neutron-filter-top -j neutron-l3-agent-local -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP COMMIT # Completed on Mon Jan 8 11:33:42 2018 --- ip netns exec qrouter-be56f6e2-c0cd-44a4-97d0-945eee4135f9 iptables-save ------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *security :INPUT ACCEPT [418677:37374201] :FORWARD ACCEPT [46790864933:239737316406173] :OUTPUT ACCEPT [526719:63310985] COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *nat :PREROUTING ACCEPT [3399857:266143327] :INPUT ACCEPT [90945:13373087] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-POSTROUTING - [0:0] :neutron-l3-agent-PREROUTING - [0:0] :neutron-l3-agent-float-snat - [0:0] :neutron-l3-agent-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A OUTPUT -j neutron-l3-agent-OUTPUT -A POSTROUTING -j neutron-l3-agent-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-l3-agent-POSTROUTING ! -i qg-cb769b88-65 ! -o qg-cb769b88-65 -m conntrack ! --ctstate DNAT -j ACCEPT -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697 -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat -A neutron-l3-agent-snat -o qg-cb769b88-65 -j SNAT --to-source 206.12.154.35 -A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 206.12.154.35 -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *mangle :PREROUTING ACCEPT [4849150287:27021945853595] :INPUT ACCEPT [125032:15865395] :FORWARD ACCEPT [4848078113:27021819926439] :OUTPUT ACCEPT [123561:11247580] :POSTROUTING ACCEPT [4848201670:27021831173699] :neutron-l3-agent-FORWARD - [0:0] :neutron-l3-agent-INPUT - [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-POSTROUTING - [0:0] :neutron-l3-agent-PREROUTING - [0:0] :neutron-l3-agent-mark - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A INPUT -j neutron-l3-agent-INPUT -A FORWARD -j neutron-l3-agent-FORWARD -A OUTPUT -j neutron-l3-agent-OUTPUT -A POSTROUTING -j neutron-l3-agent-POSTROUTING -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-mark -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffff -A neutron-l3-agent-mark -i qg-cb769b88-65 -j MARK --set-xmark 0x2/0xffff COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *raw :PREROUTING ACCEPT [58582914675:296183274510055] :OUTPUT ACCEPT [770142:103302273] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-PREROUTING - [0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING -A OUTPUT -j neutron-l3-agent-OUTPUT COMMIT # Completed on Mon Jan 8 11:33:42 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:33:42 2018 *filter :INPUT ACCEPT [102350:14132254] :FORWARD ACCEPT [4848078113:27021819926439] :OUTPUT ACCEPT [123557:11247260] :neutron-filter-top - [0:0] :neutron-l3-agent-FORWARD - [0:0] :neutron-l3-agent-INPUT - [0:0] :neutron-l3-agent-OUTPUT - [0:0] :neutron-l3-agent-local - [0:0] -A INPUT -j neutron-l3-agent-INPUT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-l3-agent-FORWARD -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-l3-agent-OUTPUT -A neutron-filter-top -j neutron-l3-agent-local -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP COMMIT # Completed on Mon Jan 8 11:33:42 2018 ### ### os-liberty-compute ### --- Knobs ----------------------------------------------------------------------------- /proc/sys/net/bridge/bridge-nf-call-arptables 1 /proc/sys/net/bridge/bridge-nf-call-ip6tables 1 /proc/sys/net/bridge/bridge-nf-call-iptables 1 /proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged 0 /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged 0 /proc/sys/net/bridge/bridge-nf-pass-vlan-input-dev 0 --- iptables-save --------------------------------------------------------------------- # Generated by iptables-save v1.4.21 on Mon Jan 8 11:36:09 2018 *nat :PREROUTING ACCEPT [1949491:540891986] :INPUT ACCEPT [370572:57761500] :OUTPUT ACCEPT [4186422:703190770] :POSTROUTING ACCEPT [5611208:1179448813] :OUTPUT_direct - [0:0] :POSTROUTING_ZONES - [0:0] :POSTROUTING_ZONES_SOURCE - [0:0] :POSTROUTING_direct - [0:0] :POST_internal - [0:0] :POST_internal_allow - [0:0] :POST_internal_deny - [0:0] :POST_internal_log - [0:0] :POST_public - [0:0] :POST_public_allow - [0:0] :POST_public_deny - [0:0] :POST_public_log - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_internal - [0:0] :PRE_internal_allow - [0:0] :PRE_internal_deny - [0:0] :PRE_internal_log - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-POSTROUTING - [0:0] :neutron-linuxbri-PREROUTING - [0:0] :neutron-linuxbri-float-snat - [0:0] :neutron-linuxbri-snat - [0:0] :neutron-postrouting-bottom - [0:0] -A PREROUTING -j neutron-linuxbri-PREROUTING -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j neutron-linuxbri-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A POSTROUTING -j POSTROUTING_direct -A POSTROUTING -j POSTROUTING_ZONES_SOURCE -A POSTROUTING -j POSTROUTING_ZONES -A POSTROUTING_ZONES -o tapa36aef11-81 -g POST_public -A POSTROUTING_ZONES -o em1 -g POST_internal -A POSTROUTING_ZONES -o p3p1 -g POST_public -A POSTROUTING_ZONES -g POST_public -A POST_internal -j POST_internal_log -A POST_internal -j POST_internal_deny -A POST_internal -j POST_internal_allow -A POST_public -j POST_public_log -A POST_public -j POST_public_deny -A POST_public -j POST_public_allow -A PREROUTING_ZONES -i tapa36aef11-81 -g PRE_public -A PREROUTING_ZONES -i em1 -g PRE_internal -A PREROUTING_ZONES -i p3p1 -g PRE_public -A PREROUTING_ZONES -g PRE_public -A PRE_internal -j PRE_internal_log -A PRE_internal -j PRE_internal_deny -A PRE_internal -j PRE_internal_allow -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow -A neutron-linuxbri-snat -j neutron-linuxbri-float-snat -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-linuxbri-snat COMMIT # Completed on Mon Jan 8 11:36:09 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:36:09 2018 *mangle :PREROUTING ACCEPT [2935990126:49410335055210] :INPUT ACCEPT [117047879:65164430975] :FORWARD ACCEPT [2828128283:49345996948303] :OUTPUT ACCEPT [107325622:27185559213] :POSTROUTING ACCEPT [2932320386:49372910185434] :FORWARD_direct - [0:0] :INPUT_direct - [0:0] :OUTPUT_direct - [0:0] :POSTROUTING_direct - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_internal - [0:0] :PRE_internal_allow - [0:0] :PRE_internal_deny - [0:0] :PRE_internal_log - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] :neutron-linuxbri-FORWARD - [0:0] :neutron-linuxbri-INPUT - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-POSTROUTING - [0:0] :neutron-linuxbri-PREROUTING - [0:0] :neutron-linuxbri-mark - [0:0] -A PREROUTING -j neutron-linuxbri-PREROUTING -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A INPUT -j neutron-linuxbri-INPUT -A INPUT -j INPUT_direct -A FORWARD -j neutron-linuxbri-FORWARD -A FORWARD -j FORWARD_direct -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j neutron-linuxbri-POSTROUTING -A POSTROUTING -j POSTROUTING_direct -A PREROUTING_ZONES -i tapa36aef11-81 -g PRE_public -A PREROUTING_ZONES -i em1 -g PRE_internal -A PREROUTING_ZONES -i p3p1 -g PRE_public -A PREROUTING_ZONES -g PRE_public -A PRE_internal -j PRE_internal_log -A PRE_internal -j PRE_internal_deny -A PRE_internal -j PRE_internal_allow -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow -A neutron-linuxbri-PREROUTING -j neutron-linuxbri-mark COMMIT # Completed on Mon Jan 8 11:36:09 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:36:09 2018 *security :INPUT ACCEPT [2318648449:495689424929] :FORWARD ACCEPT [7781524492:55558061381108] :OUTPUT ACCEPT [947086216:11824619329532] :FORWARD_direct - [0:0] :INPUT_direct - [0:0] :OUTPUT_direct - [0:0] -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct COMMIT # Completed on Mon Jan 8 11:36:09 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:36:09 2018 *raw :PREROUTING ACCEPT [10094551639:56053066081825] :OUTPUT ACCEPT [946546725:11824560031906] :OUTPUT_direct - [0:0] :PREROUTING_direct - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-PREROUTING - [0:0] -A PREROUTING -j neutron-linuxbri-PREROUTING -A PREROUTING -j PREROUTING_direct -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -j OUTPUT_direct COMMIT # Completed on Mon Jan 8 11:36:09 2018 # Generated by iptables-save v1.4.21 on Mon Jan 8 11:36:09 2018 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [3107858:919039971] :FORWARD_IN_ZONES - [0:0] :FORWARD_IN_ZONES_SOURCE - [0:0] :FORWARD_OUT_ZONES - [0:0] :FORWARD_OUT_ZONES_SOURCE - [0:0] :FORWARD_direct - [0:0] :FWDI_internal - [0:0] :FWDI_internal_allow - [0:0] :FWDI_internal_deny - [0:0] :FWDI_internal_log - [0:0] :FWDI_public - [0:0] :FWDI_public_allow - [0:0] :FWDI_public_deny - [0:0] :FWDI_public_log - [0:0] :FWDO_internal - [0:0] :FWDO_internal_allow - [0:0] :FWDO_internal_deny - [0:0] :FWDO_internal_log - [0:0] :FWDO_public - [0:0] :FWDO_public_allow - [0:0] :FWDO_public_deny - [0:0] :FWDO_public_log - [0:0] :INPUT_ZONES - [0:0] :INPUT_ZONES_SOURCE - [0:0] :INPUT_direct - [0:0] :IN_internal - [0:0] :IN_internal_allow - [0:0] :IN_internal_deny - [0:0] :IN_internal_log - [0:0] :IN_public - [0:0] :IN_public_allow - [0:0] :IN_public_deny - [0:0] :IN_public_log - [0:0] :OUTPUT_direct - [0:0] :neutron-filter-top - [0:0] :neutron-linuxbri-FORWARD - [0:0] :neutron-linuxbri-INPUT - [0:0] :neutron-linuxbri-OUTPUT - [0:0] :neutron-linuxbri-i067966e8-9 - [0:0] :neutron-linuxbri-i53b0443d-e - [0:0] :neutron-linuxbri-ia79710be-1 - [0:0] :neutron-linuxbri-local - [0:0] :neutron-linuxbri-o067966e8-9 - [0:0] :neutron-linuxbri-o53b0443d-e - [0:0] :neutron-linuxbri-oa79710be-1 - [0:0] :neutron-linuxbri-s067966e8-9 - [0:0] :neutron-linuxbri-s53b0443d-e - [0:0] :neutron-linuxbri-sa79710be-1 - [0:0] :neutron-linuxbri-sg-chain - [0:0] :neutron-linuxbri-sg-fallback - [0:0] -A INPUT -j neutron-linuxbri-INPUT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j INPUT_direct -A INPUT -j INPUT_ZONES_SOURCE -A INPUT -j INPUT_ZONES -A INPUT -p icmp -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-linuxbri-FORWARD -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lo -j ACCEPT -A FORWARD -j FORWARD_direct -A FORWARD -j FORWARD_IN_ZONES_SOURCE -A FORWARD -j FORWARD_IN_ZONES -A FORWARD -j FORWARD_OUT_ZONES_SOURCE -A FORWARD -j FORWARD_OUT_ZONES -A FORWARD -p icmp -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-linuxbri-OUTPUT -A OUTPUT -j OUTPUT_direct -A FORWARD_IN_ZONES -i tapa36aef11-81 -g FWDI_public -A FORWARD_IN_ZONES -i em1 -g FWDI_internal -A FORWARD_IN_ZONES -i p3p1 -g FWDI_public -A FORWARD_IN_ZONES -g FWDI_public -A FORWARD_OUT_ZONES -o tapa36aef11-81 -g FWDO_public -A FORWARD_OUT_ZONES -o em1 -g FWDO_internal -A FORWARD_OUT_ZONES -o p3p1 -g FWDO_public -A FORWARD_OUT_ZONES -g FWDO_public -A FWDI_internal -j FWDI_internal_log -A FWDI_internal -j FWDI_internal_deny -A FWDI_internal -j FWDI_internal_allow -A FWDI_public -j FWDI_public_log -A FWDI_public -j FWDI_public_deny -A FWDI_public -j FWDI_public_allow -A FWDO_internal -j FWDO_internal_log -A FWDO_internal -j FWDO_internal_deny -A FWDO_internal -j FWDO_internal_allow -A FWDO_public -j FWDO_public_log -A FWDO_public -j FWDO_public_deny -A FWDO_public -j FWDO_public_allow -A INPUT_ZONES -i tapa36aef11-81 -g IN_public -A INPUT_ZONES -i em1 -g IN_internal -A INPUT_ZONES -i p3p1 -g IN_public -A INPUT_ZONES -g IN_public -A IN_internal -j IN_internal_log -A IN_internal -j IN_internal_deny -A IN_internal -j IN_internal_allow -A IN_internal_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p tcp -m tcp -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp -m conntrack --ctstate NEW -j ACCEPT -A IN_public -j IN_public_log -A IN_public -j IN_public_deny -A IN_public -j IN_public_allow -A IN_public_allow -p tcp -m tcp --dport 3121 -m conntrack --ctstate NEW -j ACCEPT -A neutron-filter-top -j neutron-linuxbri-local -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap067966e8-9e --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap067966e8-9e --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap53b0443d-ec --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap53b0443d-ec --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapa79710be-18 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-FORWARD -m physdev --physdev-in tapa79710be-18 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain -A neutron-linuxbri-INPUT -m physdev --physdev-in tap067966e8-9e --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-linuxbri-o067966e8-9 -A neutron-linuxbri-INPUT -m physdev --physdev-in tap53b0443d-ec --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-linuxbri-o53b0443d-e -A neutron-linuxbri-INPUT -m physdev --physdev-in tapa79710be-18 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-linuxbri-oa79710be-1 -A neutron-linuxbri-i067966e8-9 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-i067966e8-9 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp --dport 68 -j RETURN -A neutron-linuxbri-i067966e8-9 -m set --match-set NIPv4f1cd0f3d-e09f-4e7c-b287- src -j RETURN -A neutron-linuxbri-i067966e8-9 -p tcp -m tcp --dport 22 -j RETURN -A neutron-linuxbri-i067966e8-9 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-i067966e8-9 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-i53b0443d-e -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-i53b0443d-e -s 206.12.154.32/32 -p udp -m udp --sport 67 -m udp --dport 68 -j RETURN -A neutron-linuxbri-i53b0443d-e -p tcp -m tcp --dport 80 -j RETURN -A neutron-linuxbri-i53b0443d-e -p tcp -m tcp --dport 9614 -j RETURN -A neutron-linuxbri-i53b0443d-e -p tcp -m tcp --dport 443 -j RETURN -A neutron-linuxbri-i53b0443d-e -p udp -m udp -m multiport --dports 0:65535 -j RETURN -A neutron-linuxbri-i53b0443d-e -p tcp -m tcp --dport 9618 -j RETURN -A neutron-linuxbri-i53b0443d-e -p tcp -m tcp --dport 22 -j RETURN -A neutron-linuxbri-i53b0443d-e -p tcp -m tcp --dport 9135 -j RETURN -A neutron-linuxbri-i53b0443d-e -p tcp -m tcp -m multiport --dports 0:65535 -j RETURN -A neutron-linuxbri-i53b0443d-e -p tcp -m tcp -m multiport --dports 40000:50000 -j RETURN -A neutron-linuxbri-i53b0443d-e -p tcp -m tcp -m multiport --dports 20000:25000 -j RETURN -A neutron-linuxbri-i53b0443d-e -m set --match-set NIPv40b54ff29-23d2-4eb4-9acd- src -j RETURN -A neutron-linuxbri-i53b0443d-e -p tcp -m tcp --dport 9162 -j RETURN -A neutron-linuxbri-i53b0443d-e -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-i53b0443d-e -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-ia79710be-1 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-ia79710be-1 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp --dport 68 -j RETURN -A neutron-linuxbri-ia79710be-1 -p tcp -m tcp --dport 80 -j RETURN -A neutron-linuxbri-ia79710be-1 -p tcp -m tcp --dport 9614 -j RETURN -A neutron-linuxbri-ia79710be-1 -p tcp -m tcp --dport 443 -j RETURN -A neutron-linuxbri-ia79710be-1 -p udp -m udp -m multiport --dports 0:65535 -j RETURN -A neutron-linuxbri-ia79710be-1 -p tcp -m tcp --dport 9618 -j RETURN -A neutron-linuxbri-ia79710be-1 -p tcp -m tcp --dport 22 -j RETURN -A neutron-linuxbri-ia79710be-1 -p tcp -m tcp --dport 9135 -j RETURN -A neutron-linuxbri-ia79710be-1 -p tcp -m tcp -m multiport --dports 0:65535 -j RETURN -A neutron-linuxbri-ia79710be-1 -p tcp -m tcp -m multiport --dports 40000:50000 -j RETURN -A neutron-linuxbri-ia79710be-1 -p tcp -m tcp -m multiport --dports 20000:25000 -j RETURN -A neutron-linuxbri-ia79710be-1 -m set --match-set NIPv40b54ff29-23d2-4eb4-9acd- src -j RETURN -A neutron-linuxbri-ia79710be-1 -p tcp -m tcp --dport 9162 -j RETURN -A neutron-linuxbri-ia79710be-1 -s 206.12.154.0/24 -p tcp -m tcp --dport 22 -j RETURN -A neutron-linuxbri-ia79710be-1 -p tcp -m tcp --dport 8649 -j RETURN -A neutron-linuxbri-ia79710be-1 -p tcp -m tcp --dport 8651 -j RETURN -A neutron-linuxbri-ia79710be-1 -s 142.104.60.0/24 -p tcp -m tcp --dport 22 -j RETURN -A neutron-linuxbri-ia79710be-1 -s 142.104.60.0/24 -p tcp -m tcp --dport 80 -j RETURN -A neutron-linuxbri-ia79710be-1 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-ia79710be-1 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-o067966e8-9 -p udp -m udp --sport 68 -m udp --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN -A neutron-linuxbri-o067966e8-9 -j neutron-linuxbri-s067966e8-9 -A neutron-linuxbri-o067966e8-9 -p udp -m udp --sport 67 -m udp --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP -A neutron-linuxbri-o067966e8-9 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-o067966e8-9 -j RETURN -A neutron-linuxbri-o067966e8-9 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-o067966e8-9 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-o53b0443d-e -p udp -m udp --sport 68 -m udp --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN -A neutron-linuxbri-o53b0443d-e -j neutron-linuxbri-s53b0443d-e -A neutron-linuxbri-o53b0443d-e -p udp -m udp --sport 67 -m udp --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP -A neutron-linuxbri-o53b0443d-e -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-o53b0443d-e -j RETURN -A neutron-linuxbri-o53b0443d-e -p tcp -m tcp -m multiport --dports 0:65535 -j RETURN -A neutron-linuxbri-o53b0443d-e -p udp -m udp -m multiport --dports 0:65535 -j RETURN -A neutron-linuxbri-o53b0443d-e -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-o53b0443d-e -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-oa79710be-1 -p udp -m udp --sport 68 -m udp --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN -A neutron-linuxbri-oa79710be-1 -j neutron-linuxbri-sa79710be-1 -A neutron-linuxbri-oa79710be-1 -p udp -m udp --sport 67 -m udp --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP -A neutron-linuxbri-oa79710be-1 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-linuxbri-oa79710be-1 -p tcp -m tcp -m multiport --dports 0:65535 -j RETURN -A neutron-linuxbri-oa79710be-1 -p udp -m udp -m multiport --dports 0:65535 -j RETURN -A neutron-linuxbri-oa79710be-1 -j RETURN -A neutron-linuxbri-oa79710be-1 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-linuxbri-oa79710be-1 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback -A neutron-linuxbri-s067966e8-9 -s 10.0.0.68/32 -m mac --mac-source FA:16:3E:68:37:FB -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN -A neutron-linuxbri-s067966e8-9 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP -A neutron-linuxbri-s53b0443d-e -s 206.12.154.152/32 -m mac --mac-source FA:16:3E:C7:CD:B3 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN -A neutron-linuxbri-s53b0443d-e -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP -A neutron-linuxbri-sa79710be-1 -s 10.0.0.187/32 -m mac --mac-source FA:16:3E:02:B8:9B -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN -A neutron-linuxbri-sa79710be-1 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP -A neutron-linuxbri-sg-chain -m physdev --physdev-out tap067966e8-9e --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-i067966e8-9 -A neutron-linuxbri-sg-chain -m physdev --physdev-in tap067966e8-9e --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-o067966e8-9 -A neutron-linuxbri-sg-chain -m physdev --physdev-out tap53b0443d-ec --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-i53b0443d-e -A neutron-linuxbri-sg-chain -m physdev --physdev-in tap53b0443d-ec --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-o53b0443d-e -A neutron-linuxbri-sg-chain -m physdev --physdev-out tapa79710be-18 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-ia79710be-1 -A neutron-linuxbri-sg-chain -m physdev --physdev-in tapa79710be-18 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-oa79710be-1 -A neutron-linuxbri-sg-chain -j ACCEPT -A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP COMMIT # Completed on Mon Jan 8 11:36:09 2018