dhcp renew failure- recreated

My DHCP server config:
subnet 172.16.2.0 netmask 255.255.255.0 {
 range 172.16.2.2 172.16.2.2;
 option routers 172.16.2.3;
 default-lease-time 300;
 max-lease-time 600;
}


packet capture in my EDGE:(DHCP client)
edge:b2-edge1:~# tcpdump udp port '(67 or 68)' -nnpe -i eth4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
15:49:00.177897 02:42:ac:10:02:02 > 02:42:ac:10:02:03, ethertype IPv4 (0x0800), length 342: 172.16.2.2.68 > 172.16.2.3.67: BOOTP/DHCP, Request from 02:42:ac:10:02:02, length 300
15:49:00.181304 02:42:ac:10:02:03 > 02:42:ac:10:02:02, ethertype IPv4 (0x0800), length 342: 172.16.2.3.67 > 172.16.2.2.68: BOOTP/DHCP, Reply, length 300
15:50:15.253255 02:42:ac:10:02:02 > 02:42:ac:10:02:03, ethertype IPv4 (0x0800), length 342: 172.16.2.2.68 > 172.16.2.3.67: BOOTP/DHCP, Request from 02:42:ac:10:02:02, length 300
15:50:15.253687 02:42:ac:10:02:03 > 02:42:ac:10:02:02, ethertype IPv4 (0x0800), length 342: 172.16.2.3.67 > 172.16.2.2.68: BOOTP/DHCP, Reply, length 300
15:50:52.329879 02:42:ac:10:02:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 172.16.2.2.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:42:ac:10:02:02, length 300
15:50:52.332624 02:42:ac:10:02:03 > 02:42:ac:10:02:02, ethertype IPv4 (0x0800), length 342: 172.16.2.3.67 > 172.16.2.2.68: BOOTP/DHCP, Reply, length 300
15:53:22.473984 02:42:ac:10:02:02 > 02:42:ac:10:02:03, ethertype IPv4 (0x0800), length 342: 172.16.2.2.68 > 172.16.2.3.67: BOOTP/DHCP, Request from 02:42:ac:10:02:02, length 300
15:53:22.475907 02:42:ac:10:02:03 > 02:42:ac:10:02:02, ethertype IPv4 (0x0800), length 342: 172.16.2.3.67 > 172.16.2.2.68: BOOTP/DHCP, Reply, length 300
15:54:37.549189 02:42:ac:10:02:02 > 02:42:ac:10:02:03, ethertype IPv4 (0x0800), length 342: 172.16.2.2.68 > 172.16.2.3.67: BOOTP/DHCP, Request from 02:42:ac:10:02:02, length 300
15:54:37.549619 02:42:ac:10:02:03 > 02:42:ac:10:02:02, ethertype IPv4 (0x0800), length 342: 172.16.2.3.67 > 172.16.2.2.68: BOOTP/DHCP, Reply, length 300
15:55:14.621785 02:42:ac:10:02:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 172.16.2.2.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:42:ac:10:02:02, length 300
15:55:14.624184 02:42:ac:10:02:03 > 02:42:ac:10:02:02, ethertype IPv4 (0x0800), length 342: 172.16.2.3.67 > 172.16.2.2.68: BOOTP/DHCP, Reply, length 300
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel


UDHCP log messages in my device:
edge:b2-edge1:~# tail -f /var/log/messages | grep -i dhcp
2020-08-26T15:49:00.178 NOTICE daemon netifd: GE5 (11668): udhcpc: sending renew to 172.16.2.3
2020-08-26T15:50:15.253 NOTICE daemon netifd: GE5 (11668): udhcpc: sending renew to 172.16.2.3
2020-08-26T15:50:52.310 NOTICE daemon netifd: GE5 (11668): udhcpc: sending renew to 0.0.0.0
2020-08-26T15:50:52.346 NOTICE daemon netifd: GE5 (11668): udhcpc: lease of 172.16.2.2 obtained, lease time 300
2020-08-26T15:53:22.473 NOTICE daemon netifd: GE5 (11668): udhcpc: sending renew to 172.16.2.3
2020-08-26T15:54:37.549 NOTICE daemon netifd: GE5 (11668): udhcpc: sending renew to 172.16.2.3
2020-08-26T15:55:14.605 NOTICE daemon netifd: GE5 (11668): udhcpc: sending renew to 0.0.0.0
2020-08-26T15:55:14.637 NOTICE daemon netifd: GE5 (11668): udhcpc: lease of 172.16.2.2 obtained, lease time 300


Interface in which DHCP is configured:
edge:b2-edge1:~# ifconfig eth4
eth4      Link encap:Ethernet  HWaddr 02:42:AC:10:02:02
          inet addr:172.16.2.2  Bcast:172.16.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2782418 errors:0 dropped:0 overruns:0 frame:0
          TX packets:406817 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10000
          RX bytes:185307570 (176.7 Mb)  TX bytes:18115794 (17.2 Mb)
--
Server side interface config:
root@b2-l3switch1:~# ifconfig eth2
eth2      Link encap:Ethernet  HWaddr 02:42:ac:10:02:03
          inet addr:172.16.2.3  Bcast:172.16.2.7  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:406855 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2801381 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:17161070 (17.1 MB)  TX bytes:186134516 (186.1 MB)

root@b2-l3switch1:~#


Requested logs:
edge:b2-edge1:~#
edge:b2-edge1:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "4.15.0-1057-aws",
	"hostname": "vc-edge",
	"system": "Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz",
	"release": {
		"distribution": "OpenWrt",
		"version": "cc-remerge-618-g0acfaf8",
		"revision": "r0+2278-0acfaf8",
		"codename": "masked_vc-xen-aws",
		"target": "x64/vc-xen-aws",
		"description": "OpenWrt masked vc-xen-aws cc-remerge-618-g0acfaf8"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option ipv6 '0'

config interface 'management'
	option ifname 'management'
	option type 'bridge'
	option bridge_empty '1'
	option force_link '1'
	option proto 'static'
	list ipaddr '10.0.2.2'
	option netmask '255.255.255.255'
	option ipv6 '0'

config interface 'segmgmt'
	option ifname 'segmgmt'
	option type 'bridge'
	option bridge_empty '1'
	option force_link '1'
	option proto 'static'
	list ipaddr '169.254.3.1'
	list ipaddr '169.254.3.2'
	list ipaddr '169.254.3.3'
	option netmask '255.255.255.255'
	option ipv6 '0'

config interface 'network1'
	option ifname 'eth0 eth1'
	option proto 'static'
	option type 'bridge'
	list ipaddr '10.0.2.1/24'
	option ipv6 '0'
	option mtu '1500'

config interface 'network100'
	option ifname 'eth1.100'
	option proto 'static'
	option type 'bridge'
	list ipaddr '10.100.2.1/24'
	option ipv6 '0'
	option mtu '1500'

config interface 'network101'
	option ifname 'eth1.101'
	option proto 'static'
	option type 'bridge'
	list ipaddr '10.101.2.1/24'
	option ipv6 '0'
	option mtu '1500'

config interface 'GE3'
	option ifname 'eth2'
	option proto 'static'
	option ipaddr '169.254.6.45'
	option netmask '255.255.255.248'
	option ipv6 '0'
	option mtu '1500'

config route 'GE3_DEFAULT_ROUTE'
	option interface 'GE3'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '169.254.6.41'
	option metric '5'

config interface 'GE4'
	option ifname 'eth3'
	option proto 'static'
	option ipaddr '169.254.7.2'
	option netmask '255.255.255.248'
	option ipv6 '0'
	option mtu '1500'

config route 'GE4_DEFAULT_ROUTE'
	option interface 'GE4'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '169.254.7.1'
	option metric '6'

config interface 'GE5'
	option ifname 'eth4'
	option hostname 'vc-ge5'
	option proto 'dhcp'
	option ipv6 '0'
	option mtu '1500'
	option metric '7'

config interface 'GE5_100'
	option ifname 'eth4.100'
	option proto 'static'
	option ipaddr '172.17.2.2'
	option netmask '255.255.255.248'
	option ipv6 '0'
	option mtu '1500'
	option macaddr '02:42:ac:10:02:02'

config interface 'GE5_101'
	option ifname 'eth4.101'
	option proto 'static'
	option ipaddr '172.18.2.2'
	option netmask '255.255.255.248'
	option ipv6 '0'
	option mtu '1500'
	option macaddr '02:42:ac:10:02:02'

config interface 'GE6'
	option ifname 'eth5'
	option hostname 'vc-ge6'
	option proto 'dhcp'
	option ipv6 '0'
	option mtu '1500'
	option metric '8'

config interface 'GE7'
	option ifname 'eth6'
	option hostname 'vc-ge7'
	option proto 'dhcp'
	option ipv6 '0'
	option mtu '1500'
	option metric '9'

config interface 'GE8'
	option ifname 'eth7'
	option hostname 'vc-ge8'
	option proto 'dhcp'
	option ipv6 '0'
	option mtu '1500'
	option metric '10'

uci: Entry not found
package dhcp

config dnsmasq 'secure'
	option bind_dynamic '1'
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option noresolv '1'
	option nonegcache '1'
	option authoritative '1'
	option readethers '1'
	option dnsforwardmax '500'
	option dhcpleasemax '5000'
	option dhcpnooverride '1'
	option leasefile '/tmp/dhcp.leases.secure'
	list server '208.67.222.222@10.0.2.2'
	list server '208.67.220.220@10.0.2.2'
	list server '/masked.net/8.8.8.8@10.0.2.2'
	list server '/masked.net/8.8.4.4@10.0.2.2'
	list interface 'network1'
	list interface 'network100'
	list interface 'network101'
	list interface 'vce1'
	list interface 'lo'

config dhcp 'network1'
	option interface 'network1'
	option dnsmasq_config 'secure'
	option start '13'
	option limit '242'
	option leasetime '86400'
	option force '1'
	list dhcp_option '119,masked.net'

config host
	option ip '10.0.2.25'
	option mac '02:42:0a:00:02:19'
	option dnsmasq_config 'secure'

config dhcp 'network100'
	option interface 'network100'
	option dnsmasq_config 'secure'
	option start '13'
	option limit '242'
	option leasetime '86400'
	option force '1'
	list dhcp_option '119,masked.net'

config host
	option ip '10.100.2.100'
	option mac '02:42:0a:00:02:19'
	option dnsmasq_config 'secure'

config dhcp 'network101'
	option interface 'network101'
	option dnsmasq_config 'secure'
	option start '13'
	option limit '242'
	option leasetime '86400'
	option force '1'
	list dhcp_option '119,masked.net'

config host
	option ip '10.101.2.100'
	option mac '02:42:0a:00:02:19'
	option dnsmasq_config 'secure'

config host
	option ip '10.0.2.2'
	option mac 'ff:ff:ff:ff:ff:ff'
	option dnsmasq_config 'secure'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option disable_ipv6 '1'

config zone
	option name 'GE3'
	option network 'GE3'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'GE3'
	option proto 'udp'
	option dest_port '68'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src 'GE3'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'GE4'
	option network 'GE4'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'GE4'
	option proto 'udp'
	option dest_port '68'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src 'GE4'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'GE5'
	option network 'GE5'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'GE5'
	option proto 'udp'
	option dest_port '68'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src 'GE5'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'GE6'
	option network 'GE6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'GE6'
	option proto 'udp'
	option dest_port '68'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src 'GE6'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'GE7'
	option network 'GE7'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'GE7'
	option proto 'udp'
	option dest_port '68'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src 'GE7'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'GE8'
	option network 'GE8'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'GE8'
	option proto 'udp'
	option dest_port '68'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src 'GE8'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'network1'
	option network 'network1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'network1'
	option dest 'GE3'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network1'
	option dest 'GE4'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network1'
	option dest 'GE5'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network1'
	option dest 'GE6'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network1'
	option dest 'GE7'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network1'
	option dest 'GE8'
	option proto 'all'
	option target 'ACCEPT'

config rule
	option src 'network1'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'

config rule
	option src 'network1'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option src 'network1'
	option dest_port '2607'
	option proto 'tcp'
	option target 'REJECT'

config zone
	option name 'network100'
	option network 'network100'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'network100'
	option dest 'GE3'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network100'
	option dest 'GE4'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network100'
	option dest 'GE5'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network100'
	option dest 'GE6'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network100'
	option dest 'GE7'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network100'
	option dest 'GE8'
	option proto 'all'
	option target 'ACCEPT'

config rule
	option src 'network100'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'

config rule
	option src 'network100'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option src 'network100'
	option dest_port '2607'
	option proto 'tcp'
	option target 'REJECT'

config zone
	option name 'network101'
	option network 'network101'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'network101'
	option dest 'GE3'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network101'
	option dest 'GE4'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network101'
	option dest 'GE5'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network101'
	option dest 'GE6'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network101'
	option dest 'GE7'
	option proto 'all'
	option target 'ACCEPT'

config forwarding
	option src 'network101'
	option dest 'GE8'
	option proto 'all'
	option target 'ACCEPT'

config rule
	option src 'network101'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'

config rule
	option src 'network101'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option src 'network101'
	option dest_port '2607'
	option proto 'tcp'
	option target 'REJECT'

#!/bin/sh
iptables -t mangle -N LOGGING
iptables -t mangle -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
# Generated by iptables-save v1.4.21 on Wed Aug 26 15:56:11 2020
*mangle
:PREROUTING ACCEPT [20598:2694195]
:INPUT ACCEPT [10821:1354977]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:1312]
:POSTROUTING ACCEPT [3564:571851]
:LOGGING - [0:0]
:MODEM_CHAIN - [0:0]
:SEG_LAN_ROUTING_INPUT - [0:0]
:SEG_LAN_ROUTING_OUTPUT - [0:0]
:TUN_CHAIN - [0:0]
:VCMP_MARK_ACL - [0:0]
[20991:2753444] -A PREROUTING -j SEG_LAN_ROUTING_INPUT
[20992:2753493] -A PREROUTING -j VCMP_MARK_ACL
[0:0] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
[3948:612468] -A OUTPUT -j SEG_LAN_ROUTING_OUTPUT
[3949:612545] -A OUTPUT -j TUN_CHAIN
[0:0] -A SEG_LAN_ROUTING_INPUT -i br-network101 -m state --state NEW -j CONNMARK --set-xmark 0xd5/0xffffffff
[0:0] -A SEG_LAN_ROUTING_INPUT -i br-network101 -m state --state NEW -j CONNMARK --set-xmark 0xd5/0xffffffff
[0:0] -A SEG_LAN_ROUTING_INPUT -i br-network100 -m state --state NEW -j CONNMARK --set-xmark 0xd4/0xffffffff
[0:0] -A SEG_LAN_ROUTING_INPUT -i br-network100 -m state --state NEW -j CONNMARK --set-xmark 0xd4/0xffffffff
[2:128] -A SEG_LAN_ROUTING_INPUT -i br-network1 -m state --state NEW -j CONNMARK --set-xmark 0xd3/0xffffffff
[2:128] -A SEG_LAN_ROUTING_INPUT -i br-network1 -m state --state NEW -j CONNMARK --set-xmark 0xd3/0xffffffff
[0:0] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd5 -j MARK --set-xmark 0xd5/0xffffffff
[0:0] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd4 -j MARK --set-xmark 0xd4/0xffffffff
[484:37982] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd3 -j MARK --set-xmark 0xd3/0xffffffff
[2507:478692] -A TUN_CHAIN -p tcp -j MODEM_CHAIN
[0:0] -A TUN_CHAIN -m connmark --mark 0xd8 -j MARK --set-xmark 0xd8/0xffffffff
[0:0] -A TUN_CHAIN -m connmark --mark 0xd8 -j ACCEPT
[0:0] -A TUN_CHAIN -m connmark --mark 0xd7 -j MARK --set-xmark 0xd7/0xffffffff
[0:0] -A TUN_CHAIN -m connmark --mark 0xd7 -j ACCEPT
[0:0] -A TUN_CHAIN -m connmark --mark 0xda -j MARK --set-xmark 0xda/0xffffffff
[0:0] -A TUN_CHAIN -m connmark --mark 0xda -j ACCEPT
[0:0] -A TUN_CHAIN -m connmark --mark 0xd9 -j MARK --set-xmark 0xd9/0xffffffff
[0:0] -A TUN_CHAIN -m connmark --mark 0xd9 -j ACCEPT
[0:0] -A TUN_CHAIN -m connmark --mark 0xd6 -j MARK --set-xmark 0xd6/0xffffffff
[0:0] -A TUN_CHAIN -m connmark --mark 0xd6 -j ACCEPT
[699:63961] -A TUN_CHAIN -d 127.0.0.1/32 -j ACCEPT
[512:36992] -A TUN_CHAIN -o lo -j ACCEPT
[0:0] -A TUN_CHAIN -s 169.254.3.0/24 -j MARK --set-xmark 0xc8/0xffffffff
[0:0] -A TUN_CHAIN -s 169.254.3.0/24 -j ACCEPT
[484:37982] -A TUN_CHAIN -o br-network1 -j ACCEPT
[0:0] -A TUN_CHAIN -o br-network100 -j ACCEPT
[0:0] -A TUN_CHAIN -o br-network101 -j ACCEPT
[1776:423978] -A TUN_CHAIN -s 10.0.2.2/32 -j MARK --set-xmark 0xc8/0xffffffff
[1776:423978] -A TUN_CHAIN -s 10.0.2.2/32 -j ACCEPT
[0:0] -A TUN_CHAIN -p tcp -m multiport --sports 179 -j MARK --set-xmark 0xc8/0xffffffff
[0:0] -A TUN_CHAIN -p tcp -m multiport --sports 179 -j ACCEPT
[92:7746] -A TUN_CHAIN -p tcp -m multiport --dports 22,53,80,123,443,61000,179 -j MARK --set-xmark 0xc8/0xffffffff
[92:7746] -A TUN_CHAIN -p tcp -m multiport --dports 22,53,80,123,443,61000,179 -j ACCEPT
[0:0] -A TUN_CHAIN -p udp -m multiport --dports 53,123 -j MARK --set-xmark 0xc8/0xffffffff
[0:0] -A TUN_CHAIN -p udp -m multiport --dports 53,123 -j ACCEPT
[0:0] -A TUN_CHAIN -p icmp -m icmp --icmp-type 8/0 -j MARK --set-xmark 0xc8/0xffffffff
[0:0] -A TUN_CHAIN -p icmp -j ACCEPT
[747:39744] -A VCMP_MARK_ACL -i eth4 -m state --state NEW -j CONNMARK --set-xmark 0xd6/0xffffffff
[673:35268] -A VCMP_MARK_ACL -i eth4.100 -m state --state NEW -j CONNMARK --set-xmark 0xd9/0xffffffff
[671:35164] -A VCMP_MARK_ACL -i eth4.101 -m state --state NEW -j CONNMARK --set-xmark 0xda/0xffffffff
[5480:359173] -A VCMP_MARK_ACL -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0xd7/0xffffffff
[9704:1335666] -A VCMP_MARK_ACL -i eth3 -m state --state NEW -j CONNMARK --set-xmark 0xd8/0xffffffff
COMMIT
# Completed on Wed Aug 26 15:56:11 2020
# Generated by iptables-save v1.4.21 on Wed Aug 26 15:56:11 2020
*filter
:INPUT ACCEPT [9:8040]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PORTAL_INPUT - [0:0]
:SEG_MGMT - [0:0]
:VCMP_FWD_ACL - [0:0]
:VCMP_IN_ACL - [0:0]
:VCMP_IN_ACL_PERSIST - [0:0]
:VCMP_IN_ACL_SEGMENT - [0:0]
:VCMP_OUT_ACL - [0:0]
:forwarding_GE3_rule - [0:0]
:forwarding_GE4_rule - [0:0]
:forwarding_GE5_rule - [0:0]
:forwarding_GE6_rule - [0:0]
:forwarding_GE7_rule - [0:0]
:forwarding_GE8_rule - [0:0]
:forwarding_network0_rule - [0:0]
:forwarding_network1_rule - [0:0]
:forwarding_rule - [0:0]
:input_GE3_rule - [0:0]
:input_GE4_rule - [0:0]
:input_GE5_rule - [0:0]
:input_GE6_rule - [0:0]
:input_GE7_rule - [0:0]
:input_GE8_rule - [0:0]
:input_network0_rule - [0:0]
:input_network1_rule - [0:0]
:input_rule - [0:0]
:output_GE3_rule - [0:0]
:output_GE4_rule - [0:0]
:output_GE5_rule - [0:0]
:output_GE6_rule - [0:0]
:output_GE7_rule - [0:0]
:output_GE8_rule - [0:0]
:output_network0_rule - [0:0]
:output_network1_rule - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_GE3_dest_ACCEPT - [0:0]
:zone_GE3_dest_REJECT - [0:0]
:zone_GE3_forward - [0:0]
:zone_GE3_input - [0:0]
:zone_GE3_output - [0:0]
:zone_GE3_src_REJECT - [0:0]
:zone_GE4_dest_ACCEPT - [0:0]
:zone_GE4_dest_REJECT - [0:0]
:zone_GE4_forward - [0:0]
:zone_GE4_input - [0:0]
:zone_GE4_output - [0:0]
:zone_GE4_src_REJECT - [0:0]
:zone_GE5_dest_ACCEPT - [0:0]
:zone_GE5_dest_REJECT - [0:0]
:zone_GE5_forward - [0:0]
:zone_GE5_input - [0:0]
:zone_GE5_output - [0:0]
:zone_GE5_src_REJECT - [0:0]
:zone_GE6_dest_ACCEPT - [0:0]
:zone_GE6_dest_REJECT - [0:0]
:zone_GE6_forward - [0:0]
:zone_GE6_input - [0:0]
:zone_GE6_output - [0:0]
:zone_GE6_src_REJECT - [0:0]
:zone_GE7_dest_ACCEPT - [0:0]
:zone_GE7_dest_REJECT - [0:0]
:zone_GE7_forward - [0:0]
:zone_GE7_input - [0:0]
:zone_GE7_output - [0:0]
:zone_GE7_src_REJECT - [0:0]
:zone_GE8_dest_ACCEPT - [0:0]
:zone_GE8_dest_REJECT - [0:0]
:zone_GE8_forward - [0:0]
:zone_GE8_input - [0:0]
:zone_GE8_output - [0:0]
:zone_GE8_src_REJECT - [0:0]
:zone_network0_forward - [0:0]
:zone_network0_input - [0:0]
:zone_network0_output - [0:0]
:zone_network100_dest_ACCEPT - [0:0]
:zone_network100_dest_REJECT - [0:0]
:zone_network100_forward - [0:0]
:zone_network100_input - [0:0]
:zone_network100_output - [0:0]
:zone_network100_src_ACCEPT - [0:0]
:zone_network101_dest_ACCEPT - [0:0]
:zone_network101_dest_REJECT - [0:0]
:zone_network101_forward - [0:0]
:zone_network101_input - [0:0]
:zone_network101_output - [0:0]
:zone_network101_src_ACCEPT - [0:0]
:zone_network1_dest_ACCEPT - [0:0]
:zone_network1_dest_REJECT - [0:0]
:zone_network1_forward - [0:0]
:zone_network1_input - [0:0]
:zone_network1_output - [0:0]
:zone_network1_src_ACCEPT - [0:0]
[0:0] -A INPUT -s 192.168.32.2/32 -i vce1 -p tcp -m tcp --sport 80 -j DROP
[528:52872] -A INPUT -p icmp -j SEG_MGMT
[10981:1391408] -A INPUT -j VCMP_IN_ACL_PERSIST
[10636:1379371] -A INPUT -j VCMP_IN_ACL_SEGMENT
[10636:1379371] -A INPUT -j VCMP_IN_ACL
[0:0] -A INPUT -s 192.168.32.2/32 -i vce1 -p tcp -m tcp --sport 80 -j DROP
[2054:172113] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1653:789055] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1602:778764] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[12:672] -A INPUT -i eth2 -m comment --comment "!fw3" -j zone_GE3_input
[0:0] -A INPUT -i eth3 -m comment --comment "!fw3" -j zone_GE4_input
[10:520] -A INPUT -i eth4 -m comment --comment "!fw3" -j zone_GE5_input
[0:0] -A INPUT -i eth5 -m comment --comment "!fw3" -j zone_GE6_input
[0:0] -A INPUT -i eth6 -m comment --comment "!fw3" -j zone_GE7_input
[0:0] -A INPUT -i eth7 -m comment --comment "!fw3" -j zone_GE8_input
[0:0] -A INPUT -i br-network1 -m comment --comment "!fw3" -j zone_network1_input
[0:0] -A INPUT -i br-network100 -m comment --comment "!fw3" -j zone_network100_input
[0:0] -A INPUT -i br-network101 -m comment --comment "!fw3" -j zone_network101_input
[0:0] -A FORWARD -o vce1 -j ACCEPT
[0:0] -A FORWARD -i vce1 -j ACCEPT
[0:0] -A FORWARD -j VCMP_FWD_ACL
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_GE3_forward
[0:0] -A FORWARD -i eth3 -m comment --comment "!fw3" -j zone_GE4_forward
[0:0] -A FORWARD -i eth4 -m comment --comment "!fw3" -j zone_GE5_forward
[0:0] -A FORWARD -i eth5 -m comment --comment "!fw3" -j zone_GE6_forward
[0:0] -A FORWARD -i eth6 -m comment --comment "!fw3" -j zone_GE7_forward
[0:0] -A FORWARD -i eth7 -m comment --comment "!fw3" -j zone_GE8_forward
[0:0] -A FORWARD -i br-network1 -m comment --comment "!fw3" -j zone_network1_forward
[0:0] -A FORWARD -i br-network100 -m comment --comment "!fw3" -j zone_network100_forward
[0:0] -A FORWARD -i br-network101 -m comment --comment "!fw3" -j zone_network101_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[3949:612545] -A OUTPUT -j VCMP_OUT_ACL
[2054:172113] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2477:489314] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2300:480578] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[176:8408] -A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_GE3_output
[0:0] -A OUTPUT -o eth3 -m comment --comment "!fw3" -j zone_GE4_output
[1:328] -A OUTPUT -o eth4 -m comment --comment "!fw3" -j zone_GE5_output
[0:0] -A OUTPUT -o eth5 -m comment --comment "!fw3" -j zone_GE6_output
[0:0] -A OUTPUT -o eth6 -m comment --comment "!fw3" -j zone_GE7_output
[0:0] -A OUTPUT -o eth7 -m comment --comment "!fw3" -j zone_GE8_output
[0:0] -A OUTPUT -o br-network1 -m comment --comment "!fw3" -j zone_network1_output
[0:0] -A OUTPUT -o br-network100 -m comment --comment "!fw3" -j zone_network100_output
[0:0] -A OUTPUT -o br-network101 -m comment --comment "!fw3" -j zone_network101_output
[0:0] -A SEG_MGMT ! -s 10.101.2.0/24 -d 10.101.2.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A SEG_MGMT ! -s 10.101.2.0/24 -d 10.101.2.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A SEG_MGMT ! -s 10.100.2.0/24 -d 10.100.2.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A SEG_MGMT ! -s 10.100.2.0/24 -d 10.100.2.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A SEG_MGMT ! -s 10.0.2.0/24 -d 10.0.2.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A SEG_MGMT ! -s 10.0.2.0/24 -d 10.0.2.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A VCMP_FWD_ACL -i br-network1 -o br-network100 -j DROP
[0:0] -A VCMP_FWD_ACL -i br-network1 -o br-network101 -j DROP
[0:0] -A VCMP_FWD_ACL -i br-network100 -o br-network1 -j DROP
[0:0] -A VCMP_FWD_ACL -i br-network100 -o br-network101 -j DROP
[0:0] -A VCMP_FWD_ACL -i br-network101 -o br-network1 -j DROP
[0:0] -A VCMP_FWD_ACL -i br-network101 -o br-network100 -j DROP
[0:0] -A VCMP_FWD_ACL -j DROP
[0:0] -A VCMP_IN_ACL -s 192.168.14.1/32 -j ACCEPT
[0:0] -A VCMP_IN_ACL -s 192.168.32.2/32 -j ACCEPT
[0:0] -A VCMP_IN_ACL -i eth4 -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A VCMP_IN_ACL -i eth4 -p icmp -m icmp --icmp-type 3 -j ACCEPT
[679:37156] -A VCMP_IN_ACL -i eth4 -j DROP
[0:0] -A VCMP_IN_ACL -i eth4.100 -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A VCMP_IN_ACL -i eth4.100 -p icmp -m icmp --icmp-type 3 -j ACCEPT
[673:35268] -A VCMP_IN_ACL -i eth4.100 -j DROP
[0:0] -A VCMP_IN_ACL -i eth4.101 -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A VCMP_IN_ACL -i eth4.101 -p icmp -m icmp --icmp-type 3 -j ACCEPT
[671:35164] -A VCMP_IN_ACL -i eth4.101 -j DROP
[0:0] -A VCMP_IN_ACL -i eth2 -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A VCMP_IN_ACL -i eth2 -p icmp -m icmp --icmp-type 3 -j ACCEPT
[5482:359269] -A VCMP_IN_ACL -i eth2 -j DROP
[0:0] -A VCMP_IN_ACL -i eth3 -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A VCMP_IN_ACL -i eth3 -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A VCMP_IN_ACL -i eth3 -j DROP
[0:0] -A VCMP_IN_ACL -i br-network1 -p tcp -m tcp --dport 179 -j DROP
[0:0] -A VCMP_IN_ACL -i br-network1 -p tcp -m tcp --sport 179 -j DROP
[0:0] -A VCMP_IN_ACL -i br-network100 -p tcp -m tcp --dport 179 -j DROP
[0:0] -A VCMP_IN_ACL -i br-network100 -p tcp -m tcp --sport 179 -j DROP
[0:0] -A VCMP_IN_ACL -i br-network101 -p tcp -m tcp --dport 179 -j DROP
[0:0] -A VCMP_IN_ACL -i br-network101 -p tcp -m tcp --sport 179 -j DROP
[0:0] -A VCMP_IN_ACL_PERSIST -s 169.254.6.41/32 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A VCMP_IN_ACL_PERSIST -s 169.254.7.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A VCMP_IN_ACL_PERSIST -s 172.16.2.3/32 -p tcp -m tcp --dport 22 -j ACCEPT
[562:32550] -A VCMP_IN_ACL_PERSIST -s 10.0.2.25/32 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A VCMP_IN_ACL_PERSIST -p tcp -m tcp --dport 22 -j DROP
[0:0] -A VCMP_IN_ACL_PERSIST -p udp -m udp --dport 161 -j DROP
[0:0] -A VCMP_IN_ACL_PERSIST -p tcp -m tcp --dport 80 -j DROP
[0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.2.1/32 -i br-network101 -j DROP
[0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.2.1/32 -i br-network101 -j DROP
[0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.2.2/32 -i br-network101 -j DROP
[0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.2.1/32 -i br-network100 -j DROP
[0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.2.1/32 -i br-network100 -j DROP
[0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.2.2/32 -i br-network100 -j DROP
[0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.2.1/32 -i br-network1 -j DROP
[0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.2.1/32 -i br-network1 -j DROP
[0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.2.1/32 -i br-management -j DROP
[0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.2.1/32 -i br-management -j DROP
[0:0] -A VCMP_OUT_ACL -p icmp -m icmp --icmp-type 11/0 -j DROP
[0:0] -A VCMP_OUT_ACL -o eth4 -p icmp -m icmp --icmp-type 5 -j DROP
[0:0] -A VCMP_OUT_ACL -o eth4.100 -p icmp -m icmp --icmp-type 5 -j DROP
[0:0] -A VCMP_OUT_ACL -o eth4.101 -p icmp -m icmp --icmp-type 5 -j DROP
[0:0] -A VCMP_OUT_ACL -o eth2 -p icmp -m icmp --icmp-type 5 -j DROP
[0:0] -A VCMP_OUT_ACL -o eth3 -p icmp -m icmp --icmp-type 5 -j DROP
[2:96] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[20:1096] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[5:200] -A zone_GE3_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[171:8208] -A zone_GE3_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_GE3_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_GE3_forward -m comment --comment "!fw3: Custom GE3 forwarding rule chain" -j forwarding_GE3_rule
[0:0] -A zone_GE3_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_GE3_forward -m comment --comment "!fw3" -j zone_GE3_dest_REJECT
[12:672] -A zone_GE3_input -m comment --comment "!fw3: Custom GE3 input rule chain" -j input_GE3_rule
[0:0] -A zone_GE3_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_GE3_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_GE3_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[12:672] -A zone_GE3_input -m comment --comment "!fw3" -j zone_GE3_src_REJECT
[176:8408] -A zone_GE3_output -m comment --comment "!fw3: Custom GE3 output rule chain" -j output_GE3_rule
[176:8408] -A zone_GE3_output -m comment --comment "!fw3" -j zone_GE3_dest_ACCEPT
[12:672] -A zone_GE3_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_GE4_dest_ACCEPT -o eth3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_GE4_dest_ACCEPT -o eth3 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_GE4_dest_REJECT -o eth3 -m comment --comment "!fw3" -j reject
[0:0] -A zone_GE4_forward -m comment --comment "!fw3: Custom GE4 forwarding rule chain" -j forwarding_GE4_rule
[0:0] -A zone_GE4_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_GE4_forward -m comment --comment "!fw3" -j zone_GE4_dest_REJECT
[0:0] -A zone_GE4_input -m comment --comment "!fw3: Custom GE4 input rule chain" -j input_GE4_rule
[0:0] -A zone_GE4_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_GE4_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_GE4_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_GE4_input -m comment --comment "!fw3" -j zone_GE4_src_REJECT
[0:0] -A zone_GE4_output -m comment --comment "!fw3: Custom GE4 output rule chain" -j output_GE4_rule
[0:0] -A zone_GE4_output -m comment --comment "!fw3" -j zone_GE4_dest_ACCEPT
[0:0] -A zone_GE4_src_REJECT -i eth3 -m comment --comment "!fw3" -j reject
[0:0] -A zone_GE5_dest_ACCEPT -o eth4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1:328] -A zone_GE5_dest_ACCEPT -o eth4 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_GE5_dest_REJECT -o eth4 -m comment --comment "!fw3" -j reject
[0:0] -A zone_GE5_forward -m comment --comment "!fw3: Custom GE5 forwarding rule chain" -j forwarding_GE5_rule
[0:0] -A zone_GE5_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_GE5_forward -m comment --comment "!fw3" -j zone_GE5_dest_REJECT
[10:520] -A zone_GE5_input -m comment --comment "!fw3: Custom GE5 input rule chain" -j input_GE5_rule
[0:0] -A zone_GE5_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_GE5_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_GE5_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[10:520] -A zone_GE5_input -m comment --comment "!fw3" -j zone_GE5_src_REJECT
[1:328] -A zone_GE5_output -m comment --comment "!fw3: Custom GE5 output rule chain" -j output_GE5_rule
[1:328] -A zone_GE5_output -m comment --comment "!fw3" -j zone_GE5_dest_ACCEPT
[10:520] -A zone_GE5_src_REJECT -i eth4 -m comment --comment "!fw3" -j reject
[0:0] -A zone_GE6_dest_ACCEPT -o eth5 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_GE6_dest_ACCEPT -o eth5 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_GE6_dest_REJECT -o eth5 -m comment --comment "!fw3" -j reject
[0:0] -A zone_GE6_forward -m comment --comment "!fw3: Custom GE6 forwarding rule chain" -j forwarding_GE6_rule
[0:0] -A zone_GE6_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_GE6_forward -m comment --comment "!fw3" -j zone_GE6_dest_REJECT
[0:0] -A zone_GE6_input -m comment --comment "!fw3: Custom GE6 input rule chain" -j input_GE6_rule
[0:0] -A zone_GE6_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_GE6_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_GE6_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_GE6_input -m comment --comment "!fw3" -j zone_GE6_src_REJECT
[0:0] -A zone_GE6_output -m comment --comment "!fw3: Custom GE6 output rule chain" -j output_GE6_rule
[0:0] -A zone_GE6_output -m comment --comment "!fw3" -j zone_GE6_dest_ACCEPT
[0:0] -A zone_GE6_src_REJECT -i eth5 -m comment --comment "!fw3" -j reject
[0:0] -A zone_GE7_dest_ACCEPT -o eth6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_GE7_dest_ACCEPT -o eth6 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_GE7_dest_REJECT -o eth6 -m comment --comment "!fw3" -j reject
[0:0] -A zone_GE7_forward -m comment --comment "!fw3: Custom GE7 forwarding rule chain" -j forwarding_GE7_rule
[0:0] -A zone_GE7_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_GE7_forward -m comment --comment "!fw3" -j zone_GE7_dest_REJECT
[0:0] -A zone_GE7_input -m comment --comment "!fw3: Custom GE7 input rule chain" -j input_GE7_rule
[0:0] -A zone_GE7_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_GE7_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_GE7_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_GE7_input -m comment --comment "!fw3" -j zone_GE7_src_REJECT
[0:0] -A zone_GE7_output -m comment --comment "!fw3: Custom GE7 output rule chain" -j output_GE7_rule
[0:0] -A zone_GE7_output -m comment --comment "!fw3" -j zone_GE7_dest_ACCEPT
[0:0] -A zone_GE7_src_REJECT -i eth6 -m comment --comment "!fw3" -j reject
[0:0] -A zone_GE8_dest_ACCEPT -o eth7 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_GE8_dest_ACCEPT -o eth7 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_GE8_dest_REJECT -o eth7 -m comment --comment "!fw3" -j reject
[0:0] -A zone_GE8_forward -m comment --comment "!fw3: Custom GE8 forwarding rule chain" -j forwarding_GE8_rule
[0:0] -A zone_GE8_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_GE8_forward -m comment --comment "!fw3" -j zone_GE8_dest_REJECT
[0:0] -A zone_GE8_input -m comment --comment "!fw3: Custom GE8 input rule chain" -j input_GE8_rule
[0:0] -A zone_GE8_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_GE8_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_GE8_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_GE8_input -m comment --comment "!fw3" -j zone_GE8_src_REJECT
[0:0] -A zone_GE8_output -m comment --comment "!fw3: Custom GE8 output rule chain" -j output_GE8_rule
[0:0] -A zone_GE8_output -m comment --comment "!fw3" -j zone_GE8_dest_ACCEPT
[0:0] -A zone_GE8_src_REJECT -i eth7 -m comment --comment "!fw3" -j reject
[0:0] -A zone_network100_dest_ACCEPT -o br-network100 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_network100_dest_REJECT -o br-network100 -m comment --comment "!fw3" -j reject
[0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
[0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
[0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
[0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
[0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
[0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
[0:0] -A zone_network100_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_network100_forward -m comment --comment "!fw3" -j zone_network100_dest_REJECT
[0:0] -A zone_network100_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[15]" -j ACCEPT
[0:0] -A zone_network100_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[15]" -j ACCEPT
[0:0] -A zone_network100_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[16]" -j ACCEPT
[0:0] -A zone_network100_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[17]" -j reject
[0:0] -A zone_network100_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_network100_input -m comment --comment "!fw3" -j zone_network100_src_ACCEPT
[0:0] -A zone_network100_output -m comment --comment "!fw3" -j zone_network100_dest_ACCEPT
[0:0] -A zone_network100_src_ACCEPT -i br-network100 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_network101_dest_ACCEPT -o br-network101 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_network101_dest_REJECT -o br-network101 -m comment --comment "!fw3" -j reject
[0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
[0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
[0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
[0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
[0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
[0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
[0:0] -A zone_network101_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_network101_forward -m comment --comment "!fw3" -j zone_network101_dest_REJECT
[0:0] -A zone_network101_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[18]" -j ACCEPT
[0:0] -A zone_network101_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[18]" -j ACCEPT
[0:0] -A zone_network101_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[19]" -j ACCEPT
[0:0] -A zone_network101_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[20]" -j reject
[0:0] -A zone_network101_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_network101_input -m comment --comment "!fw3" -j zone_network101_src_ACCEPT
[0:0] -A zone_network101_output -m comment --comment "!fw3" -j zone_network101_dest_ACCEPT
[0:0] -A zone_network101_src_ACCEPT -i br-network101 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_network1_dest_ACCEPT -o br-network1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_network1_dest_REJECT -o br-network1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_network1_forward -m comment --comment "!fw3: Custom network1 forwarding rule chain" -j forwarding_network1_rule
[0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
[0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
[0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
[0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
[0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
[0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
[0:0] -A zone_network1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_network1_forward -m comment --comment "!fw3" -j zone_network1_dest_REJECT
[0:0] -A zone_network1_input -m comment --comment "!fw3: Custom network1 input rule chain" -j input_network1_rule
[0:0] -A zone_network1_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[0:0] -A zone_network1_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[0:0] -A zone_network1_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[13]" -j ACCEPT
[0:0] -A zone_network1_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[14]" -j reject
[0:0] -A zone_network1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_network1_input -m comment --comment "!fw3" -j zone_network1_src_ACCEPT
[0:0] -A zone_network1_output -m comment --comment "!fw3: Custom network1 output rule chain" -j output_network1_rule
[0:0] -A zone_network1_output -m comment --comment "!fw3" -j zone_network1_dest_ACCEPT
[0:0] -A zone_network1_src_ACCEPT -i br-network1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Wed Aug 26 15:56:11 2020
# Generated by iptables-save v1.4.21 on Wed Aug 26 15:56:11 2020
*nat
:PREROUTING ACCEPT [16035:1748821]
:INPUT ACCEPT [10:8152]
:OUTPUT ACCEPT [594:38244]
:POSTROUTING ACCEPT [586:37580]
:VCMP_DNAT_ACL - [0:0]
:VCMP_SNAT_ACL - [0:0]
:postrouting_GE3_rule - [0:0]
:postrouting_GE4_rule - [0:0]
:postrouting_GE5_rule - [0:0]
:postrouting_GE6_rule - [0:0]
:postrouting_GE7_rule - [0:0]
:postrouting_GE8_rule - [0:0]
:postrouting_network0_rule - [0:0]
:postrouting_network1_rule - [0:0]
:postrouting_rule - [0:0]
:prerouting_GE3_rule - [0:0]
:prerouting_GE4_rule - [0:0]
:prerouting_GE5_rule - [0:0]
:prerouting_GE6_rule - [0:0]
:prerouting_GE7_rule - [0:0]
:prerouting_GE8_rule - [0:0]
:prerouting_network0_rule - [0:0]
:prerouting_network1_rule - [0:0]
:prerouting_rule - [0:0]
:zone_GE3_postrouting - [0:0]
:zone_GE3_prerouting - [0:0]
:zone_GE4_postrouting - [0:0]
:zone_GE4_prerouting - [0:0]
:zone_GE5_postrouting - [0:0]
:zone_GE5_prerouting - [0:0]
:zone_GE6_postrouting - [0:0]
:zone_GE6_prerouting - [0:0]
:zone_GE7_postrouting - [0:0]
:zone_GE7_prerouting - [0:0]
:zone_GE8_postrouting - [0:0]
:zone_GE8_prerouting - [0:0]
:zone_network100_postrouting - [0:0]
:zone_network100_prerouting - [0:0]
:zone_network101_postrouting - [0:0]
:zone_network101_prerouting - [0:0]
:zone_network1_postrouting - [0:0]
:zone_network1_prerouting - [0:0]
[16035:1748821] -A PREROUTING -j VCMP_DNAT_ACL
[16336:1772700] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[5678:374899] -A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_GE3_prerouting
[9771:1342556] -A PREROUTING -i eth3 -m comment --comment "!fw3" -j zone_GE4_prerouting
[776:41278] -A PREROUTING -i eth4 -m comment --comment "!fw3" -j zone_GE5_prerouting
[0:0] -A PREROUTING -i eth5 -m comment --comment "!fw3" -j zone_GE6_prerouting
[0:0] -A PREROUTING -i eth6 -m comment --comment "!fw3" -j zone_GE7_prerouting
[0:0] -A PREROUTING -i eth7 -m comment --comment "!fw3" -j zone_GE8_prerouting
[2:128] -A PREROUTING -i br-network1 -m comment --comment "!fw3" -j zone_network1_prerouting
[0:0] -A PREROUTING -i br-network100 -m comment --comment "!fw3" -j zone_network100_prerouting
[0:0] -A PREROUTING -i br-network101 -m comment --comment "!fw3" -j zone_network101_prerouting
[594:38244] -A POSTROUTING -j VCMP_SNAT_ACL
[779:51237] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[8:384] -A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_GE3_postrouting
[0:0] -A POSTROUTING -o eth3 -m comment --comment "!fw3" -j zone_GE4_postrouting
[1:328] -A POSTROUTING -o eth4 -m comment --comment "!fw3" -j zone_GE5_postrouting
[0:0] -A POSTROUTING -o eth5 -m comment --comment "!fw3" -j zone_GE6_postrouting
[0:0] -A POSTROUTING -o eth6 -m comment --comment "!fw3" -j zone_GE7_postrouting
[0:0] -A POSTROUTING -o eth7 -m comment --comment "!fw3" -j zone_GE8_postrouting
[0:0] -A POSTROUTING -o br-network1 -m comment --comment "!fw3" -j zone_network1_postrouting
[0:0] -A POSTROUTING -o br-network100 -m comment --comment "!fw3" -j zone_network100_postrouting
[0:0] -A POSTROUTING -o br-network101 -m comment --comment "!fw3" -j zone_network101_postrouting
[8:384] -A zone_GE3_postrouting -m comment --comment "!fw3: Custom GE3 postrouting rule chain" -j postrouting_GE3_rule
[8:384] -A zone_GE3_postrouting -m comment --comment "!fw3" -j MASQUERADE
[5678:374899] -A zone_GE3_prerouting -m comment --comment "!fw3: Custom GE3 prerouting rule chain" -j prerouting_GE3_rule
[0:0] -A zone_GE4_postrouting -m comment --comment "!fw3: Custom GE4 postrouting rule chain" -j postrouting_GE4_rule
[0:0] -A zone_GE4_postrouting -m comment --comment "!fw3" -j MASQUERADE
[9771:1342556] -A zone_GE4_prerouting -m comment --comment "!fw3: Custom GE4 prerouting rule chain" -j prerouting_GE4_rule
[1:328] -A zone_GE5_postrouting -m comment --comment "!fw3: Custom GE5 postrouting rule chain" -j postrouting_GE5_rule
[1:328] -A zone_GE5_postrouting -m comment --comment "!fw3" -j MASQUERADE
[776:41278] -A zone_GE5_prerouting -m comment --comment "!fw3: Custom GE5 prerouting rule chain" -j prerouting_GE5_rule
[0:0] -A zone_GE6_postrouting -m comment --comment "!fw3: Custom GE6 postrouting rule chain" -j postrouting_GE6_rule
[0:0] -A zone_GE6_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_GE6_prerouting -m comment --comment "!fw3: Custom GE6 prerouting rule chain" -j prerouting_GE6_rule
[0:0] -A zone_GE7_postrouting -m comment --comment "!fw3: Custom GE7 postrouting rule chain" -j postrouting_GE7_rule
[0:0] -A zone_GE7_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_GE7_prerouting -m comment --comment "!fw3: Custom GE7 prerouting rule chain" -j prerouting_GE7_rule
[0:0] -A zone_GE8_postrouting -m comment --comment "!fw3: Custom GE8 postrouting rule chain" -j postrouting_GE8_rule
[0:0] -A zone_GE8_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_GE8_prerouting -m comment --comment "!fw3: Custom GE8 prerouting rule chain" -j prerouting_GE8_rule
[0:0] -A zone_network1_postrouting -m comment --comment "!fw3: Custom network1 postrouting rule chain" -j postrouting_network1_rule
[2:128] -A zone_network1_prerouting -m comment --comment "!fw3: Custom network1 prerouting rule chain" -j prerouting_network1_rule
COMMIT
# Completed on Wed Aug 26 15:56:11 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
24: br-management: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    inet 10.0.2.2/32 brd 255.255.255.255 scope global br-management
       valid_lft forever preferred_lft forever
25: br-network1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.2.1/24 brd 10.0.2.255 scope global br-network1
       valid_lft forever preferred_lft forever
26: br-network100: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.100.2.1/24 brd 10.100.2.255 scope global br-network100
       valid_lft forever preferred_lft forever
28: br-network101: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.101.2.1/24 brd 10.101.2.255 scope global br-network101
       valid_lft forever preferred_lft forever
30: br-segmgmt: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    inet 169.254.3.1/32 brd 255.255.255.255 scope global br-segmgmt
       valid_lft forever preferred_lft forever
    inet 169.254.3.2/32 brd 255.255.255.255 scope global br-segmgmt
       valid_lft forever preferred_lft forever
    inet 169.254.3.3/32 brd 255.255.255.255 scope global br-segmgmt
       valid_lft forever preferred_lft forever
31: eth4.100@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.17.2.2/29 brd 172.17.2.7 scope global eth4.100
       valid_lft forever preferred_lft forever
32: eth4.101@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.18.2.2/29 brd 172.18.2.7 scope global eth4.101
       valid_lft forever preferred_lft forever
33: vce1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 4096
    inet 169.254.129.3 peer 169.254.129.1/32 scope global vce1
       valid_lft forever preferred_lft forever
95: eth4@if96: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 10000 link-netnsid 0
    inet 172.16.2.2/24 brd 172.16.2.255 scope global eth4
       valid_lft forever preferred_lft forever
203: eth2@if204: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 10000 link-netnsid 0
    inet 169.254.6.45/29 brd 169.254.6.47 scope global eth2
       valid_lft forever preferred_lft forever
209: eth3@if210: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 10000 link-netnsid 0
    inet 169.254.7.2/29 brd 169.254.7.7 scope global eth3
       valid_lft forever preferred_lft forever
default dev vce1  table 200  scope link
default dev br-network1  table 211  scope link
default dev br-network100  table 212  scope link
default dev br-network101  table 213  scope link
default via 172.16.2.3 dev eth4  table 214
default via 169.254.6.41 dev eth2  table 215
default via 169.254.7.1 dev eth3  table 216
default via 172.17.2.3 dev eth4.100  table 217
172.17.2.0/29 dev eth4.100  table 217  scope link
default via 172.18.2.3 dev eth4.101  table 218
172.18.2.0/29 dev eth4.101  table 218  scope link
default via 169.254.6.41 dev eth2  proto static  metric 5
default via 169.254.7.1 dev eth3  proto static  metric 6
default via 172.16.2.3 dev eth4  proto static  src 172.16.2.2  metric 7
10.0.2.0/24 dev br-network1  proto kernel  scope link  src 10.0.2.1
10.100.2.0/24 dev br-network100  proto kernel  scope link  src 10.100.2.1
10.101.2.0/24 dev br-network101  proto kernel  scope link  src 10.101.2.1
169.254.6.40/29 dev eth2  proto kernel  scope link  src 169.254.6.45
169.254.7.0/29 dev eth3  proto kernel  scope link  src 169.254.7.2
169.254.129.1 dev vce1  proto kernel  scope link  src 169.254.129.3
172.16.2.0/24 dev eth4  proto static  scope link  metric 7
172.16.2.3 dev eth4  proto static  scope link  src 172.16.2.2  metric 7
172.17.2.0/29 dev eth4.100  proto kernel  scope link  src 172.17.2.2
172.18.2.0/29 dev eth4.101  proto kernel  scope link  src 172.18.2.2
broadcast 10.0.2.0 dev br-network1  table local  proto kernel  scope link  src 10.0.2.1
local 10.0.2.1 dev br-network1  table local  proto kernel  scope host  src 10.0.2.1
local 10.0.2.2 dev br-management  table local  proto kernel  scope host  src 10.0.2.2
broadcast 10.0.2.255 dev br-network1  table local  proto kernel  scope link  src 10.0.2.1
broadcast 10.100.2.0 dev br-network100  table local  proto kernel  scope link  src 10.100.2.1
local 10.100.2.1 dev br-network100  table local  proto kernel  scope host  src 10.100.2.1
broadcast 10.100.2.255 dev br-network100  table local  proto kernel  scope link  src 10.100.2.1
broadcast 10.101.2.0 dev br-network101  table local  proto kernel  scope link  src 10.101.2.1
local 10.101.2.1 dev br-network101  table local  proto kernel  scope host  src 10.101.2.1
broadcast 10.101.2.255 dev br-network101  table local  proto kernel  scope link  src 10.101.2.1
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 169.254.3.1 dev br-segmgmt  table local  proto kernel  scope host  src 169.254.3.1
local 169.254.3.2 dev br-segmgmt  table local  proto kernel  scope host  src 169.254.3.2
local 169.254.3.3 dev br-segmgmt  table local  proto kernel  scope host  src 169.254.3.3
broadcast 169.254.6.40 dev eth2  table local  proto kernel  scope link  src 169.254.6.45
local 169.254.6.45 dev eth2  table local  proto kernel  scope host  src 169.254.6.45
broadcast 169.254.6.47 dev eth2  table local  proto kernel  scope link  src 169.254.6.45
broadcast 169.254.7.0 dev eth3  table local  proto kernel  scope link  src 169.254.7.2
local 169.254.7.2 dev eth3  table local  proto kernel  scope host  src 169.254.7.2
broadcast 169.254.7.7 dev eth3  table local  proto kernel  scope link  src 169.254.7.2
local 169.254.129.3 dev vce1  table local  proto kernel  scope host  src 169.254.129.3
broadcast 172.16.2.0 dev eth4  table local  proto kernel  scope link  src 172.16.2.2
local 172.16.2.2 dev eth4  table local  proto kernel  scope host  src 172.16.2.2
broadcast 172.16.2.255 dev eth4  table local  proto kernel  scope link  src 172.16.2.2
broadcast 172.17.2.0 dev eth4.100  table local  proto kernel  scope link  src 172.17.2.2
local 172.17.2.2 dev eth4.100  table local  proto kernel  scope host  src 172.17.2.2
broadcast 172.17.2.7 dev eth4.100  table local  proto kernel  scope link  src 172.17.2.2
broadcast 172.18.2.0 dev eth4.101  table local  proto kernel  scope link  src 172.18.2.2
local 172.18.2.2 dev eth4.101  table local  proto kernel  scope host  src 172.18.2.2
broadcast 172.18.2.7 dev eth4.101  table local  proto kernel  scope link  src 172.18.2.2
0:	from all lookup local
32756:	from all fwmark 0xc8 lookup 200
32757:	from all fwmark 0xd5 lookup 213
32758:	from all fwmark 0xd4 lookup 212
32759:	from all fwmark 0xd3 lookup 211
32761:	from all fwmark 0xd8 lookup 216
32762:	from all fwmark 0xd7 lookup 215
32763:	from all fwmark 0xda lookup 218
32764:	from all fwmark 0xd9 lookup 217
32765:	from all fwmark 0xd6 lookup 214
32766:	from all lookup main
32767:	from all lookup default
edge:b2-edge1:~#