dhcp renew failure

1. edge:b3-edge1:~# ubus call system board; \
2. > uci export network; uci export wireless; \
3. > uci export dhcp; uci export firewall; \
4. > head -n -0 /etc/firewall.user; \
5. > iptables-save -c; \
6. > ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
7. {
8. "kernel": "4.15.0-1057-aws",
9. "hostname": "vc-edge",
10. "system": "Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz",
11. "release": {
12. "distribution": "OpenWrt",
13. "version": "cc-remerge-618-g0acfaf8",
14. "revision": "r0+2278-0acfaf8",
15. "codename": "example_vc-xen-aws",
16. "target": "x64/vc-xen-aws",
17. "description": "OpenWrt example vc-xen-aws cc-remerge-618-g0acfaf8"
18. }
19. }
20. package network
21.  
22. config interface 'loopback'
23. option ifname 'lo'
24. option proto 'static'
25. option ipaddr '127.0.0.1'
26. option netmask '255.0.0.0'
27. option ipv6 '0'
28.  
29. config interface 'management'
30. option ifname 'management'
31. option type 'bridge'
32. option bridge_empty '1'
33. option force_link '1'
34. option proto 'static'
35. list ipaddr '10.0.3.2'
36. option netmask '255.255.255.255'
37. option ipv6 '0'
38.  
39. config interface 'segmgmt'
40. option ifname 'segmgmt'
41. option type 'bridge'
42. option bridge_empty '1'
43. option force_link '1'
44. option proto 'static'
45. list ipaddr '169.254.3.1'
46. list ipaddr '169.254.3.2'
47. list ipaddr '169.254.3.3'
48. option netmask '255.255.255.255'
49. option ipv6 '0'
50.  
51. config interface 'network1'
52. option ifname 'eth0 eth1'
53. option proto 'static'
54. option type 'bridge'
55. list ipaddr '10.0.3.1/24'
56. option ipv6 '0'
57. option mtu '1500'
58.  
59. config interface 'network100'
60. option ifname 'eth1.100'
61. option proto 'static'
62. option type 'bridge'
63. list ipaddr '10.100.3.1/24'
64. option ipv6 '0'
65. option mtu '1500'
66.  
67. config interface 'network101'
68. option ifname 'eth1.101'
69. option proto 'static'
70. option type 'bridge'
71. list ipaddr '10.101.3.1/24'
72. option ipv6 '0'
73. option mtu '1500'
74.  
75. config interface 'GE3'
76. option ifname 'eth2'
77. option proto 'static'
78. option ipaddr '169.254.9.2'
79. option netmask '255.255.255.248'
80. option ipv6 '0'
81. option mtu '1500'
82.  
83. config route 'GE3_DEFAULT_ROUTE'
84. option interface 'GE3'
85. option target '0.0.0.0'
86. option netmask '0.0.0.0'
87. option gateway '169.254.9.1'
88. option metric '5'
89.  
90. config interface 'GE4'
91. option ifname 'eth3'
92. option hostname 'vc-ge4'
93. option proto 'dhcp'
94. option ipv6 '0'
95. option mtu '1500'
96. option metric '6'
97.  
98. config interface 'GE4_100'
99. option ifname 'eth3.100'
100. option proto 'static'
101. option ipaddr '172.17.3.2'
102. option netmask '255.255.255.248'
103. option ipv6 '0'
104. option mtu '1500'
105. option macaddr '02:42:ac:10:03:05'
106.  
107. config interface 'GE4_101'
108. option ifname 'eth3.101'
109. option proto 'static'
110. option ipaddr '172.18.3.2'
111. option netmask '255.255.255.248'
112. option ipv6 '0'
113. option mtu '1500'
114. option macaddr '02:42:ac:10:03:05'
115.  
116. config interface 'GE5'
117. option ifname 'eth4'
118. option hostname 'vc-ge5'
119. option proto 'dhcp'
120. option ipv6 '0'
121. option mtu '1500'
122. option metric '7'
123.  
124. config interface 'GE6'
125. option ifname 'eth5'
126. option hostname 'vc-ge6'
127. option proto 'dhcp'
128. option ipv6 '0'
129. option mtu '1500'
130. option metric '8'
131.  
132. config interface 'GE7'
133. option ifname 'eth6'
134. option hostname 'vc-ge7'
135. option proto 'dhcp'
136. option ipv6 '0'
137. option mtu '1500'
138. option metric '9'
139.  
140. config interface 'GE8'
141. option ifname 'eth7'
142. option hostname 'vc-ge8'
143. option proto 'dhcp'
144. option ipv6 '0'
145. option mtu '1500'
146. option metric '10'
147.  
148. uci: Entry not found
149. package dhcp
150.  
151. config dnsmasq 'secure'
152. option bind_dynamic '1'
153. option domainneeded '1'
154. option boguspriv '1'
155. option filterwin2k '0'
156. option localise_queries '1'
157. option rebind_protection '0'
158. option rebind_localhost '1'
159. option local '/lan/'
160. option domain 'lan'
161. option expandhosts '1'
162. option noresolv '1'
163. option nonegcache '1'
164. option authoritative '1'
165. option readethers '1'
166. option dnsforwardmax '500'
167. option dhcpleasemax '5000'
168. option dhcpnooverride '1'
169. option logdhcp '1'
170. option leasefile '/tmp/dhcp.leases.secure'
171. list server '208.67.222.222@10.0.3.2'
172. list server '208.67.220.220@10.0.3.2'
173. list server '/example.net/8.8.8.8@10.0.3.2'
174. list server '/example.net/8.8.4.4@10.0.3.2'
175. list interface 'network1'
176. list interface 'network100'
177. list interface 'network101'
178. list interface 'vce1'
179. list interface 'lo'
180.  
181. config dhcp 'network1'
182. option interface 'network1'
183. option dnsmasq_config 'secure'
184. option start '13'
185. option limit '242'
186. option leasetime '86400'
187. option force '1'
188. list dhcp_option '119,example.net'
189.  
190. config host
191. option ip '10.0.3.25'
192. option mac '02:42:0a:00:03:19'
193. option dnsmasq_config 'secure'
194.  
195. config dhcp 'network100'
196. option interface 'network100'
197. option dnsmasq_config 'secure'
198. option start '13'
199. option limit '242'
200. option leasetime '86400'
201. option force '1'
202. list dhcp_option '119,example.net'
203.  
204. config host
205. option ip '10.100.3.100'
206. option mac '02:42:0a:00:03:19'
207. option dnsmasq_config 'secure'
208.  
209. config dhcp 'network101'
210. option interface 'network101'
211. option dnsmasq_config 'secure'
212. option start '13'
213. option limit '242'
214. option leasetime '86400'
215. option force '1'
216. list dhcp_option '119,example.net'
217.  
218. config host
219. option ip '10.101.3.100'
220. option mac '02:42:0a:00:03:19'
221. option dnsmasq_config 'secure'
222.  
223. config host
224. option ip '10.0.3.2'
225. option mac 'ff:ff:ff:ff:ff:ff'
226. option dnsmasq_config 'secure'
227.  
228. package firewall
229.  
230. config defaults
231. option syn_flood '1'
232. option input 'ACCEPT'
233. option output 'ACCEPT'
234. option forward 'REJECT'
235. option disable_ipv6 '1'
236.  
237. config zone
238. option name 'GE3'
239. option network 'GE3'
240. option input 'REJECT'
241. option output 'ACCEPT'
242. option forward 'REJECT'
243. option masq '1'
244.  
245. config rule
246. option name 'Allow-DHCP-Renew'
247. option src 'GE3'
248. option proto 'udp'
249. option dest_port '68'
250. option family 'ipv4'
251. option target 'ACCEPT'
252.  
253. config rule
254. option name 'Allow-Ping'
255. option src 'GE3'
256. option proto 'icmp'
257. option icmp_type 'echo-request'
258. option family 'ipv4'
259. option target 'ACCEPT'
260.  
261. config zone
262. option name 'GE4'
263. option network 'GE4'
264. option input 'REJECT'
265. option output 'ACCEPT'
266. option forward 'REJECT'
267. option masq '1'
268.  
269. config rule
270. option name 'Allow-DHCP-Renew'
271. option src 'GE4'
272. option proto 'udp'
273. option dest_port '68'
274. option family 'ipv4'
275. option target 'ACCEPT'
276.  
277. config rule
278. option name 'Allow-Ping'
279. option src 'GE4'
280. option proto 'icmp'
281. option icmp_type 'echo-request'
282. option family 'ipv4'
283. option target 'ACCEPT'
284.  
285. config zone
286. option name 'GE5'
287. option network 'GE5'
288. option input 'REJECT'
289. option output 'ACCEPT'
290. option forward 'REJECT'
291. option masq '1'
292.  
293. config rule
294. option name 'Allow-DHCP-Renew'
295. option src 'GE5'
296. option proto 'udp'
297. option dest_port '68'
298. option family 'ipv4'
299. option target 'ACCEPT'
300.  
301. config rule
302. option name 'Allow-Ping'
303. option src 'GE5'
304. option proto 'icmp'
305. option icmp_type 'echo-request'
306. option family 'ipv4'
307. option target 'ACCEPT'
308.  
309. config zone
310. option name 'GE6'
311. option network 'GE6'
312. option input 'REJECT'
313. option output 'ACCEPT'
314. option forward 'REJECT'
315. option masq '1'
316.  
317. config rule
318. option name 'Allow-DHCP-Renew'
319. option src 'GE6'
320. option proto 'udp'
321. option dest_port '68'
322. option family 'ipv4'
323. option target 'ACCEPT'
324.  
325. config rule
326. option name 'Allow-Ping'
327. option src 'GE6'
328. option proto 'icmp'
329. option icmp_type 'echo-request'
330. option family 'ipv4'
331. option target 'ACCEPT'
332.  
333. config zone
334. option name 'GE7'
335. option network 'GE7'
336. option input 'REJECT'
337. option output 'ACCEPT'
338. option forward 'REJECT'
339. option masq '1'
340.  
341. config rule
342. option name 'Allow-DHCP-Renew'
343. option src 'GE7'
344. option proto 'udp'
345. option dest_port '68'
346. option family 'ipv4'
347. option target 'ACCEPT'
348.  
349. config rule
350. option name 'Allow-Ping'
351. option src 'GE7'
352. option proto 'icmp'
353. option icmp_type 'echo-request'
354. option family 'ipv4'
355. option target 'ACCEPT'
356.  
357. config zone
358. option name 'GE8'
359. option network 'GE8'
360. option input 'REJECT'
361. option output 'ACCEPT'
362. option forward 'REJECT'
363. option masq '1'
364.  
365. config rule
366. option name 'Allow-DHCP-Renew'
367. option src 'GE8'
368. option proto 'udp'
369. option dest_port '68'
370. option family 'ipv4'
371. option target 'ACCEPT'
372.  
373. config rule
374. option name 'Allow-Ping'
375. option src 'GE8'
376. option proto 'icmp'
377. option icmp_type 'echo-request'
378. option family 'ipv4'
379. option target 'ACCEPT'
380.  
381. config include
382. option path '/etc/firewall.user'
383.  
384. config zone
385. option name 'network1'
386. option network 'network1'
387. option input 'ACCEPT'
388. option output 'ACCEPT'
389. option forward 'REJECT'
390.  
391. config forwarding
392. option src 'network1'
393. option dest 'GE3'
394. option proto 'all'
395. option target 'ACCEPT'
396.  
397. config forwarding
398. option src 'network1'
399. option dest 'GE4'
400. option proto 'all'
401. option target 'ACCEPT'
402.  
403. config forwarding
404. option src 'network1'
405. option dest 'GE5'
406. option proto 'all'
407. option target 'ACCEPT'
408.  
409. config forwarding
410. option src 'network1'
411. option dest 'GE6'
412. option proto 'all'
413. option target 'ACCEPT'
414.  
415. config forwarding
416. option src 'network1'
417. option dest 'GE7'
418. option proto 'all'
419. option target 'ACCEPT'
420.  
421. config forwarding
422. option src 'network1'
423. option dest 'GE8'
424. option proto 'all'
425. option target 'ACCEPT'
426.  
427. config rule
428. option src 'network1'
429. option dest_port '53'
430. option proto 'tcpudp'
431. option target 'ACCEPT'
432.  
433. config rule
434. option src 'network1'
435. option src_port '67-68'
436. option dest_port '67-68'
437. option proto 'udp'
438. option target 'ACCEPT'
439.  
440. config rule
441. option src 'network1'
442. option dest_port '2607'
443. option proto 'tcp'
444. option target 'REJECT'
445.  
446. config zone
447. option name 'network100'
448. option network 'network100'
449. option input 'ACCEPT'
450. option output 'ACCEPT'
451. option forward 'REJECT'
452.  
453. config forwarding
454. option src 'network100'
455. option dest 'GE3'
456. option proto 'all'
457. option target 'ACCEPT'
458.  
459. config forwarding
460. option src 'network100'
461. option dest 'GE4'
462. option proto 'all'
463. option target 'ACCEPT'
464.  
465. config forwarding
466. option src 'network100'
467. option dest 'GE5'
468. option proto 'all'
469. option target 'ACCEPT'
470.  
471. config forwarding
472. option src 'network100'
473. option dest 'GE6'
474. option proto 'all'
475. option target 'ACCEPT'
476.  
477. config forwarding
478. option src 'network100'
479. option dest 'GE7'
480. option proto 'all'
481. option target 'ACCEPT'
482.  
483. config forwarding
484. option src 'network100'
485. option dest 'GE8'
486. option proto 'all'
487. option target 'ACCEPT'
488.  
489. config rule
490. option src 'network100'
491. option dest_port '53'
492. option proto 'tcpudp'
493. option target 'ACCEPT'
494.  
495. config rule
496. option src 'network100'
497. option src_port '67-68'
498. option dest_port '67-68'
499. option proto 'udp'
500. option target 'ACCEPT'
501.  
502. config rule
503. option src 'network100'
504. option dest_port '2607'
505. option proto 'tcp'
506. option target 'REJECT'
507.  
508. config zone
509. option name 'network101'
510. option network 'network101'
511. option input 'ACCEPT'
512. option output 'ACCEPT'
513. option forward 'REJECT'
514.  
515. config forwarding
516. option src 'network101'
517. option dest 'GE3'
518. option proto 'all'
519. option target 'ACCEPT'
520.  
521. config forwarding
522. option src 'network101'
523. option dest 'GE4'
524. option proto 'all'
525. option target 'ACCEPT'
526.  
527. config forwarding
528. option src 'network101'
529. option dest 'GE5'
530. option proto 'all'
531. option target 'ACCEPT'
532.  
533. config forwarding
534. option src 'network101'
535. option dest 'GE6'
536. option proto 'all'
537. option target 'ACCEPT'
538.  
539. config forwarding
540. option src 'network101'
541. option dest 'GE7'
542. option proto 'all'
543. option target 'ACCEPT'
544.  
545. config forwarding
546. option src 'network101'
547. option dest 'GE8'
548. option proto 'all'
549. option target 'ACCEPT'
550.  
551. config rule
552. option src 'network101'
553. option dest_port '53'
554. option proto 'tcpudp'
555. option target 'ACCEPT'
556.  
557. config rule
558. option src 'network101'
559. option src_port '67-68'
560. option dest_port '67-68'
561. option proto 'udp'
562. option target 'ACCEPT'
563.  
564. config rule
565. option src 'network101'
566. option dest_port '2607'
567. option proto 'tcp'
568. option target 'REJECT'
569.  
570. #!/bin/sh
571. iptables -t mangle -N LOGGING
572. iptables -t mangle -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
573. # Generated by iptables-save v1.4.21 on Tue Aug 25 09:22:41 2020
574. *mangle
575. :PREROUTING ACCEPT [3373329:616839538]
576. :INPUT ACCEPT [3338494:614025214]
577. :FORWARD ACCEPT [0:0]
578. :OUTPUT ACCEPT [1144:375232]
579. :POSTROUTING ACCEPT [686907:138297669]
580. :LOGGING - [0:0]
581. :MODEM_CHAIN - [0:0]
582. :SEG_LAN_ROUTING_INPUT - [0:0]
583. :SEG_LAN_ROUTING_OUTPUT - [0:0]
584. :TUN_CHAIN - [0:0]
585. :VCMP_MARK_ACL - [0:0]
586. [3373722:616897812] -A PREROUTING -j SEG_LAN_ROUTING_INPUT
587. [3373723:616897864] -A PREROUTING -j VCMP_MARK_ACL
588. [0:0] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
589. [687310:138341500] -A OUTPUT -j SEG_LAN_ROUTING_OUTPUT
590. [687310:138341500] -A OUTPUT -j TUN_CHAIN
591. [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network101 -m state --state NEW -j CONNMARK --set-xmark 0xd7/0xffffffff
592. [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network101 -m state --state NEW -j CONNMARK --set-xmark 0xd7/0xffffffff
593. [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network100 -m state --state NEW -j CONNMARK --set-xmark 0xd6/0xffffffff
594. [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network100 -m state --state NEW -j CONNMARK --set-xmark 0xd6/0xffffffff
595. [15:960] -A SEG_LAN_ROUTING_INPUT -i br-network1 -m state --state NEW -j CONNMARK --set-xmark 0xd5/0xffffffff
596. [15:960] -A SEG_LAN_ROUTING_INPUT -i br-network1 -m state --state NEW -j CONNMARK --set-xmark 0xd5/0xffffffff
597. [0:0] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd7 -j MARK --set-xmark 0xd7/0xffffffff
598. [0:0] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd6 -j MARK --set-xmark 0xd6/0xffffffff
599. [7612:1248199] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd5 -j MARK --set-xmark 0xd5/0xffffffff
600. [522959:123679713] -A TUN_CHAIN -p tcp -j MODEM_CHAIN
601. [0:0] -A TUN_CHAIN -m connmark --mark 0xd9 -j MARK --set-xmark 0xd9/0xffffffff
602. [0:0] -A TUN_CHAIN -m connmark --mark 0xd9 -j ACCEPT
603. [0:0] -A TUN_CHAIN -m connmark --mark 0xd8 -j MARK --set-xmark 0xd8/0xffffffff
604. [0:0] -A TUN_CHAIN -m connmark --mark 0xd8 -j ACCEPT
605. [0:0] -A TUN_CHAIN -m connmark --mark 0xd3 -j MARK --set-xmark 0xd3/0xffffffff
606. [0:0] -A TUN_CHAIN -m connmark --mark 0xd3 -j ACCEPT
607. [0:0] -A TUN_CHAIN -m connmark --mark 0xd2 -j MARK --set-xmark 0xd2/0xffffffff
608. [0:0] -A TUN_CHAIN -m connmark --mark 0xd2 -j ACCEPT
609. [92696:8977738] -A TUN_CHAIN -d 127.0.0.1/32 -j ACCEPT
610. [81408:5982888] -A TUN_CHAIN -o lo -j ACCEPT
611. [0:0] -A TUN_CHAIN -s 169.254.3.0/24 -j MARK --set-xmark 0xc8/0xffffffff
612. [0:0] -A TUN_CHAIN -s 169.254.3.0/24 -j ACCEPT
613. [7682:1254823] -A TUN_CHAIN -o br-network1 -j ACCEPT
614. [0:0] -A TUN_CHAIN -o br-network100 -j ACCEPT
615. [0:0] -A TUN_CHAIN -o br-network101 -j ACCEPT
616. [482385:120455663] -A TUN_CHAIN -s 10.0.3.2/32 -j MARK --set-xmark 0xc8/0xffffffff
617. [482385:120455663] -A TUN_CHAIN -s 10.0.3.2/32 -j ACCEPT
618. [0:0] -A TUN_CHAIN -p tcp -m multiport --sports 179 -j MARK --set-xmark 0xc8/0xffffffff
619. [0:0] -A TUN_CHAIN -p tcp -m multiport --sports 179 -j ACCEPT
620. [21634:1257213] -A TUN_CHAIN -p tcp -m multiport --dports 22,53,80,123,443,61000,179 -j MARK --set-xmark 0xc8/0xffffffff
621. [21634:1257213] -A TUN_CHAIN -p tcp -m multiport --dports 22,53,80,123,443,61000,179 -j ACCEPT
622. [0:0] -A TUN_CHAIN -p udp -m multiport --dports 53,123 -j MARK --set-xmark 0xc8/0xffffffff
623. [0:0] -A TUN_CHAIN -p udp -m multiport --dports 53,123 -j ACCEPT
624. [0:0] -A TUN_CHAIN -p icmp -m icmp --icmp-type 8/0 -j MARK --set-xmark 0xc8/0xffffffff
625. [0:0] -A TUN_CHAIN -p icmp -j ACCEPT
626. [2507118:371475719] -A VCMP_MARK_ACL -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0xd2/0xffffffff
627. [263515:28657744] -A VCMP_MARK_ACL -i eth3 -m state --state NEW -j CONNMARK --set-xmark 0xd3/0xffffffff
628. [0:0] -A VCMP_MARK_ACL -i eth3.100 -m state --state NEW -j CONNMARK --set-xmark 0xd8/0xffffffff
629. [0:0] -A VCMP_MARK_ACL -i eth3.101 -m state --state NEW -j CONNMARK --set-xmark 0xd9/0xffffffff
630. COMMIT
631. # Completed on Tue Aug 25 09:22:41 2020
632. # Generated by iptables-save v1.4.21 on Tue Aug 25 09:22:41 2020
633. *filter
634. :INPUT ACCEPT [0:0]
635. :FORWARD DROP [0:0]
636. :OUTPUT ACCEPT [0:0]
637. :PORTAL_INPUT - [0:0]
638. :SEG_MGMT - [0:0]
639. :VCMP_FWD_ACL - [0:0]
640. :VCMP_IN_ACL - [0:0]
641. :VCMP_IN_ACL_PERSIST - [0:0]
642. :VCMP_IN_ACL_SEGMENT - [0:0]
643. :VCMP_OUT_ACL - [0:0]
644. :forwarding_GE3_rule - [0:0]
645. :forwarding_GE4_rule - [0:0]
646. :forwarding_GE5_rule - [0:0]
647. :forwarding_GE6_rule - [0:0]
648. :forwarding_GE7_rule - [0:0]
649. :forwarding_GE8_rule - [0:0]
650. :forwarding_network0_rule - [0:0]
651. :forwarding_network1_rule - [0:0]
652. :forwarding_rule - [0:0]
653. :input_GE3_rule - [0:0]
654. :input_GE4_rule - [0:0]
655. :input_GE5_rule - [0:0]
656. :input_GE6_rule - [0:0]
657. :input_GE7_rule - [0:0]
658. :input_GE8_rule - [0:0]
659. :input_network0_rule - [0:0]
660. :input_network1_rule - [0:0]
661. :input_rule - [0:0]
662. :output_GE3_rule - [0:0]
663. :output_GE4_rule - [0:0]
664. :output_GE5_rule - [0:0]
665. :output_GE6_rule - [0:0]
666. :output_GE7_rule - [0:0]
667. :output_GE8_rule - [0:0]
668. :output_network0_rule - [0:0]
669. :output_network1_rule - [0:0]
670. :output_rule - [0:0]
671. :reject - [0:0]
672. :syn_flood - [0:0]
673. :zone_GE3_dest_ACCEPT - [0:0]
674. :zone_GE3_dest_REJECT - [0:0]
675. :zone_GE3_forward - [0:0]
676. :zone_GE3_input - [0:0]
677. :zone_GE3_output - [0:0]
678. :zone_GE3_src_REJECT - [0:0]
679. :zone_GE4_dest_ACCEPT - [0:0]
680. :zone_GE4_dest_REJECT - [0:0]
681. :zone_GE4_forward - [0:0]
682. :zone_GE4_input - [0:0]
683. :zone_GE4_output - [0:0]
684. :zone_GE4_src_REJECT - [0:0]
685. :zone_GE5_dest_ACCEPT - [0:0]
686. :zone_GE5_dest_REJECT - [0:0]
687. :zone_GE5_forward - [0:0]
688. :zone_GE5_input - [0:0]
689. :zone_GE5_output - [0:0]
690. :zone_GE5_src_REJECT - [0:0]
691. :zone_GE6_dest_ACCEPT - [0:0]
692. :zone_GE6_dest_REJECT - [0:0]
693. :zone_GE6_forward - [0:0]
694. :zone_GE6_input - [0:0]
695. :zone_GE6_output - [0:0]
696. :zone_GE6_src_REJECT - [0:0]
697. :zone_GE7_dest_ACCEPT - [0:0]
698. :zone_GE7_dest_REJECT - [0:0]
699. :zone_GE7_forward - [0:0]
700. :zone_GE7_input - [0:0]
701. :zone_GE7_output - [0:0]
702. :zone_GE7_src_REJECT - [0:0]
703. :zone_GE8_dest_ACCEPT - [0:0]
704. :zone_GE8_dest_REJECT - [0:0]
705. :zone_GE8_forward - [0:0]
706. :zone_GE8_input - [0:0]
707. :zone_GE8_output - [0:0]
708. :zone_GE8_src_REJECT - [0:0]
709. :zone_network0_forward - [0:0]
710. :zone_network0_input - [0:0]
711. :zone_network0_output - [0:0]
712. :zone_network100_dest_ACCEPT - [0:0]
713. :zone_network100_dest_REJECT - [0:0]
714. :zone_network100_forward - [0:0]
715. :zone_network100_input - [0:0]
716. :zone_network100_output - [0:0]
717. :zone_network100_src_ACCEPT - [0:0]
718. :zone_network101_dest_ACCEPT - [0:0]
719. :zone_network101_dest_REJECT - [0:0]
720. :zone_network101_forward - [0:0]
721. :zone_network101_input - [0:0]
722. :zone_network101_output - [0:0]
723. :zone_network101_src_ACCEPT - [0:0]
724. :zone_network1_dest_ACCEPT - [0:0]
725. :zone_network1_dest_REJECT - [0:0]
726. :zone_network1_forward - [0:0]
727. :zone_network1_input - [0:0]
728. :zone_network1_output - [0:0]
729. :zone_network1_src_ACCEPT - [0:0]
730. [81040:8225520] -A INPUT -p icmp -j SEG_MGMT
731. [0:0] -A INPUT -s 192.168.32.2/32 -i vce1 -p tcp -m tcp --sport 80 -j DROP
732. [3338663:614061319] -A INPUT -j VCMP_IN_ACL_PERSIST
733. [3329472:613572334] -A INPUT -j VCMP_IN_ACL_SEGMENT
734. [3329472:613572334] -A INPUT -j VCMP_IN_ACL
735. [0:0] -A INPUT -s 192.168.32.2/32 -i vce1 -p tcp -m tcp --sport 80 -j DROP
736. [10176:890400] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
737. [26282:12613151] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
738. [26282:12613151] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
739. [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
740. [0:0] -A INPUT -i eth2 -m comment --comment "!fw3" -j zone_GE3_input
741. [0:0] -A INPUT -i eth3 -m comment --comment "!fw3" -j zone_GE4_input
742. [0:0] -A INPUT -i eth4 -m comment --comment "!fw3" -j zone_GE5_input
743. [0:0] -A INPUT -i eth5 -m comment --comment "!fw3" -j zone_GE6_input
744. [0:0] -A INPUT -i eth6 -m comment --comment "!fw3" -j zone_GE7_input
745. [0:0] -A INPUT -i eth7 -m comment --comment "!fw3" -j zone_GE8_input
746. [0:0] -A INPUT -i br-network1 -m comment --comment "!fw3" -j zone_network1_input
747. [0:0] -A INPUT -i br-network100 -m comment --comment "!fw3" -j zone_network100_input
748. [0:0] -A INPUT -i br-network101 -m comment --comment "!fw3" -j zone_network101_input
749. [0:0] -A FORWARD -o vce1 -j ACCEPT
750. [0:0] -A FORWARD -i vce1 -j ACCEPT
751. [0:0] -A FORWARD -j VCMP_FWD_ACL
752. [0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
753. [0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
754. [0:0] -A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_GE3_forward
755. [0:0] -A FORWARD -i eth3 -m comment --comment "!fw3" -j zone_GE4_forward
756. [0:0] -A FORWARD -i eth4 -m comment --comment "!fw3" -j zone_GE5_forward
757. [0:0] -A FORWARD -i eth5 -m comment --comment "!fw3" -j zone_GE6_forward
758. [0:0] -A FORWARD -i eth6 -m comment --comment "!fw3" -j zone_GE7_forward
759. [0:0] -A FORWARD -i eth7 -m comment --comment "!fw3" -j zone_GE8_forward
760. [0:0] -A FORWARD -i br-network1 -m comment --comment "!fw3" -j zone_network1_forward
761. [0:0] -A FORWARD -i br-network100 -m comment --comment "!fw3" -j zone_network100_forward
762. [0:0] -A FORWARD -i br-network101 -m comment --comment "!fw3" -j zone_network101_forward
763. [0:0] -A FORWARD -m comment --comment "!fw3" -j reject
764. [687317:138342013] -A OUTPUT -j VCMP_OUT_ACL
765. [10176:890400] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
766. [32727:7157482] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
767. [29934:7023418] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
768. [2793:134064] -A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_GE3_output
769. [0:0] -A OUTPUT -o eth3 -m comment --comment "!fw3" -j zone_GE4_output
770. [0:0] -A OUTPUT -o eth4 -m comment --comment "!fw3" -j zone_GE5_output
771. [0:0] -A OUTPUT -o eth5 -m comment --comment "!fw3" -j zone_GE6_output
772. [0:0] -A OUTPUT -o eth6 -m comment --comment "!fw3" -j zone_GE7_output
773. [0:0] -A OUTPUT -o eth7 -m comment --comment "!fw3" -j zone_GE8_output
774. [0:0] -A OUTPUT -o br-network1 -m comment --comment "!fw3" -j zone_network1_output
775. [0:0] -A OUTPUT -o br-network100 -m comment --comment "!fw3" -j zone_network100_output
776. [0:0] -A OUTPUT -o br-network101 -m comment --comment "!fw3" -j zone_network101_output
777. [0:0] -A SEG_MGMT ! -s 10.101.3.0/24 -d 10.101.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
778. [0:0] -A SEG_MGMT ! -s 10.101.3.0/24 -d 10.101.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
779. [0:0] -A SEG_MGMT ! -s 10.100.3.0/24 -d 10.100.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
780. [0:0] -A SEG_MGMT ! -s 10.100.3.0/24 -d 10.100.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
781. [0:0] -A SEG_MGMT ! -s 10.0.3.0/24 -d 10.0.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
782. [0:0] -A SEG_MGMT ! -s 10.0.3.0/24 -d 10.0.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
783. [0:0] -A VCMP_FWD_ACL -i br-network1 -o br-network100 -j DROP
784. [0:0] -A VCMP_FWD_ACL -i br-network1 -o br-network101 -j DROP
785. [0:0] -A VCMP_FWD_ACL -i br-network100 -o br-network1 -j DROP
786. [0:0] -A VCMP_FWD_ACL -i br-network100 -o br-network101 -j DROP
787. [0:0] -A VCMP_FWD_ACL -i br-network101 -o br-network1 -j DROP
788. [0:0] -A VCMP_FWD_ACL -i br-network101 -o br-network100 -j DROP
789. [0:0] -A VCMP_FWD_ACL -j DROP
790. [0:0] -A VCMP_IN_ACL -s 192.168.14.1/32 -j ACCEPT
791. [0:0] -A VCMP_IN_ACL -s 192.168.32.2/32 -j ACCEPT
792. [0:0] -A VCMP_IN_ACL -i eth2 -p icmp -m icmp --icmp-type 11 -j ACCEPT
793. [0:0] -A VCMP_IN_ACL -i eth2 -p icmp -m icmp --icmp-type 3 -j ACCEPT
794. [2507126:371479988] -A VCMP_IN_ACL -i eth2 -j DROP
795. [0:0] -A VCMP_IN_ACL -i eth3 -p icmp -m icmp --icmp-type 11 -j ACCEPT
796. [0:0] -A VCMP_IN_ACL -i eth3 -p icmp -m icmp --icmp-type 3 -j ACCEPT
797. [230292:26372432] -A VCMP_IN_ACL -i eth3 -j DROP
798. [0:0] -A VCMP_IN_ACL -i eth3.100 -p icmp -m icmp --icmp-type 11 -j ACCEPT
799. [0:0] -A VCMP_IN_ACL -i eth3.100 -p icmp -m icmp --icmp-type 3 -j ACCEPT
800. [0:0] -A VCMP_IN_ACL -i eth3.100 -j DROP
801. [0:0] -A VCMP_IN_ACL -i eth3.101 -p icmp -m icmp --icmp-type 11 -j ACCEPT
802. [0:0] -A VCMP_IN_ACL -i eth3.101 -p icmp -m icmp --icmp-type 3 -j ACCEPT
803. [0:0] -A VCMP_IN_ACL -i eth3.101 -j DROP
804. [0:0] -A VCMP_IN_ACL -i br-network1 -p tcp -m tcp --dport 179 -j DROP
805. [0:0] -A VCMP_IN_ACL -i br-network1 -p tcp -m tcp --sport 179 -j DROP
806. [0:0] -A VCMP_IN_ACL -i br-network100 -p tcp -m tcp --dport 179 -j DROP
807. [0:0] -A VCMP_IN_ACL -i br-network100 -p tcp -m tcp --sport 179 -j DROP
808. [0:0] -A VCMP_IN_ACL -i br-network101 -p tcp -m tcp --dport 179 -j DROP
809. [0:0] -A VCMP_IN_ACL -i br-network101 -p tcp -m tcp --sport 179 -j DROP
810. [0:0] -A VCMP_IN_ACL_PERSIST -s 172.16.5.3/32 -p tcp -m tcp --dport 22 -j ACCEPT
811. [0:0] -A VCMP_IN_ACL_PERSIST -s 169.254.9.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
812. [9406:510711] -A VCMP_IN_ACL_PERSIST -s 10.0.3.25/32 -p tcp -m tcp --dport 22 -j ACCEPT
813. [0:0] -A VCMP_IN_ACL_PERSIST -p tcp -m tcp --dport 22 -j DROP
814. [0:0] -A VCMP_IN_ACL_PERSIST -p udp -m udp --dport 161 -j DROP
815. [0:0] -A VCMP_IN_ACL_PERSIST -p tcp -m tcp --dport 80 -j DROP
816. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.3.1/32 -i vce1 -j DROP
817. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.3.1/32 -i vce1 -j DROP
818. [0:0] -A VCMP_IN_ACL_SEGMENT -d 169.254.129.4/32 -i br-network101 -j DROP
819. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.3.1/32 -i br-network101 -j DROP
820. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.3.1/32 -i br-network101 -j DROP
821. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.3.2/32 -i br-network101 -j DROP
822. [0:0] -A VCMP_IN_ACL_SEGMENT -d 169.254.129.4/32 -i br-network100 -j DROP
823. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.3.1/32 -i br-network100 -j DROP
824. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.3.1/32 -i br-network100 -j DROP
825. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.3.2/32 -i br-network100 -j DROP
826. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.3.1/32 -i br-network1 -j DROP
827. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.3.1/32 -i br-network1 -j DROP
828. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.3.1/32 -i br-management -j DROP
829. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.3.1/32 -i br-management -j DROP
830. [0:0] -A VCMP_OUT_ACL -p icmp -m icmp --icmp-type 11/0 -j DROP
831. [0:0] -A VCMP_OUT_ACL -o eth2 -p icmp -m icmp --icmp-type 5 -j DROP
832. [0:0] -A VCMP_OUT_ACL -o eth3 -p icmp -m icmp --icmp-type 5 -j DROP
833. [0:0] -A VCMP_OUT_ACL -o eth3.100 -p icmp -m icmp --icmp-type 5 -j DROP
834. [0:0] -A VCMP_OUT_ACL -o eth3.101 -p icmp -m icmp --icmp-type 5 -j DROP
835. [0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
836. [0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
837. [0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
838. [0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
839. [0:0] -A zone_GE3_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
840. [2793:134064] -A zone_GE3_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
841. [0:0] -A zone_GE3_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
842. [0:0] -A zone_GE3_forward -m comment --comment "!fw3: Custom GE3 forwarding rule chain" -j forwarding_GE3_rule
843. [0:0] -A zone_GE3_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
844. [0:0] -A zone_GE3_forward -m comment --comment "!fw3" -j zone_GE3_dest_REJECT
845. [0:0] -A zone_GE3_input -m comment --comment "!fw3: Custom GE3 input rule chain" -j input_GE3_rule
846. [0:0] -A zone_GE3_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
847. [0:0] -A zone_GE3_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
848. [0:0] -A zone_GE3_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
849. [0:0] -A zone_GE3_input -m comment --comment "!fw3" -j zone_GE3_src_REJECT
850. [2793:134064] -A zone_GE3_output -m comment --comment "!fw3: Custom GE3 output rule chain" -j output_GE3_rule
851. [2793:134064] -A zone_GE3_output -m comment --comment "!fw3" -j zone_GE3_dest_ACCEPT
852. [0:0] -A zone_GE3_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
853. [0:0] -A zone_GE4_dest_ACCEPT -o eth3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
854. [0:0] -A zone_GE4_dest_ACCEPT -o eth3 -m comment --comment "!fw3" -j ACCEPT
855. [0:0] -A zone_GE4_dest_REJECT -o eth3 -m comment --comment "!fw3" -j reject
856. [0:0] -A zone_GE4_forward -m comment --comment "!fw3: Custom GE4 forwarding rule chain" -j forwarding_GE4_rule
857. [0:0] -A zone_GE4_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
858. [0:0] -A zone_GE4_forward -m comment --comment "!fw3" -j zone_GE4_dest_REJECT
859. [0:0] -A zone_GE4_input -m comment --comment "!fw3: Custom GE4 input rule chain" -j input_GE4_rule
860. [0:0] -A zone_GE4_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
861. [0:0] -A zone_GE4_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
862. [0:0] -A zone_GE4_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
863. [0:0] -A zone_GE4_input -m comment --comment "!fw3" -j zone_GE4_src_REJECT
864. [0:0] -A zone_GE4_output -m comment --comment "!fw3: Custom GE4 output rule chain" -j output_GE4_rule
865. [0:0] -A zone_GE4_output -m comment --comment "!fw3" -j zone_GE4_dest_ACCEPT
866. [0:0] -A zone_GE4_src_REJECT -i eth3 -m comment --comment "!fw3" -j reject
867. [0:0] -A zone_GE5_dest_ACCEPT -o eth4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
868. [0:0] -A zone_GE5_dest_ACCEPT -o eth4 -m comment --comment "!fw3" -j ACCEPT
869. [0:0] -A zone_GE5_dest_REJECT -o eth4 -m comment --comment "!fw3" -j reject
870. [0:0] -A zone_GE5_forward -m comment --comment "!fw3: Custom GE5 forwarding rule chain" -j forwarding_GE5_rule
871. [0:0] -A zone_GE5_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
872. [0:0] -A zone_GE5_forward -m comment --comment "!fw3" -j zone_GE5_dest_REJECT
873. [0:0] -A zone_GE5_input -m comment --comment "!fw3: Custom GE5 input rule chain" -j input_GE5_rule
874. [0:0] -A zone_GE5_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
875. [0:0] -A zone_GE5_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
876. [0:0] -A zone_GE5_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
877. [0:0] -A zone_GE5_input -m comment --comment "!fw3" -j zone_GE5_src_REJECT
878. [0:0] -A zone_GE5_output -m comment --comment "!fw3: Custom GE5 output rule chain" -j output_GE5_rule
879. [0:0] -A zone_GE5_output -m comment --comment "!fw3" -j zone_GE5_dest_ACCEPT
880. [0:0] -A zone_GE5_src_REJECT -i eth4 -m comment --comment "!fw3" -j reject
881. [0:0] -A zone_GE6_dest_ACCEPT -o eth5 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
882. [0:0] -A zone_GE6_dest_ACCEPT -o eth5 -m comment --comment "!fw3" -j ACCEPT
883. [0:0] -A zone_GE6_dest_REJECT -o eth5 -m comment --comment "!fw3" -j reject
884. [0:0] -A zone_GE6_forward -m comment --comment "!fw3: Custom GE6 forwarding rule chain" -j forwarding_GE6_rule
885. [0:0] -A zone_GE6_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
886. [0:0] -A zone_GE6_forward -m comment --comment "!fw3" -j zone_GE6_dest_REJECT
887. [0:0] -A zone_GE6_input -m comment --comment "!fw3: Custom GE6 input rule chain" -j input_GE6_rule
888. [0:0] -A zone_GE6_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
889. [0:0] -A zone_GE6_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
890. [0:0] -A zone_GE6_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
891. [0:0] -A zone_GE6_input -m comment --comment "!fw3" -j zone_GE6_src_REJECT
892. [0:0] -A zone_GE6_output -m comment --comment "!fw3: Custom GE6 output rule chain" -j output_GE6_rule
893. [0:0] -A zone_GE6_output -m comment --comment "!fw3" -j zone_GE6_dest_ACCEPT
894. [0:0] -A zone_GE6_src_REJECT -i eth5 -m comment --comment "!fw3" -j reject
895. [0:0] -A zone_GE7_dest_ACCEPT -o eth6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
896. [0:0] -A zone_GE7_dest_ACCEPT -o eth6 -m comment --comment "!fw3" -j ACCEPT
897. [0:0] -A zone_GE7_dest_REJECT -o eth6 -m comment --comment "!fw3" -j reject
898. [0:0] -A zone_GE7_forward -m comment --comment "!fw3: Custom GE7 forwarding rule chain" -j forwarding_GE7_rule
899. [0:0] -A zone_GE7_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
900. [0:0] -A zone_GE7_forward -m comment --comment "!fw3" -j zone_GE7_dest_REJECT
901. [0:0] -A zone_GE7_input -m comment --comment "!fw3: Custom GE7 input rule chain" -j input_GE7_rule
902. [0:0] -A zone_GE7_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
903. [0:0] -A zone_GE7_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
904. [0:0] -A zone_GE7_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
905. [0:0] -A zone_GE7_input -m comment --comment "!fw3" -j zone_GE7_src_REJECT
906. [0:0] -A zone_GE7_output -m comment --comment "!fw3: Custom GE7 output rule chain" -j output_GE7_rule
907. [0:0] -A zone_GE7_output -m comment --comment "!fw3" -j zone_GE7_dest_ACCEPT
908. [0:0] -A zone_GE7_src_REJECT -i eth6 -m comment --comment "!fw3" -j reject
909. [0:0] -A zone_GE8_dest_ACCEPT -o eth7 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
910. [0:0] -A zone_GE8_dest_ACCEPT -o eth7 -m comment --comment "!fw3" -j ACCEPT
911. [0:0] -A zone_GE8_dest_REJECT -o eth7 -m comment --comment "!fw3" -j reject
912. [0:0] -A zone_GE8_forward -m comment --comment "!fw3: Custom GE8 forwarding rule chain" -j forwarding_GE8_rule
913. [0:0] -A zone_GE8_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
914. [0:0] -A zone_GE8_forward -m comment --comment "!fw3" -j zone_GE8_dest_REJECT
915. [0:0] -A zone_GE8_input -m comment --comment "!fw3: Custom GE8 input rule chain" -j input_GE8_rule
916. [0:0] -A zone_GE8_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
917. [0:0] -A zone_GE8_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
918. [0:0] -A zone_GE8_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
919. [0:0] -A zone_GE8_input -m comment --comment "!fw3" -j zone_GE8_src_REJECT
920. [0:0] -A zone_GE8_output -m comment --comment "!fw3: Custom GE8 output rule chain" -j output_GE8_rule
921. [0:0] -A zone_GE8_output -m comment --comment "!fw3" -j zone_GE8_dest_ACCEPT
922. [0:0] -A zone_GE8_src_REJECT -i eth7 -m comment --comment "!fw3" -j reject
923. [0:0] -A zone_network100_dest_ACCEPT -o br-network100 -m comment --comment "!fw3" -j ACCEPT
924. [0:0] -A zone_network100_dest_REJECT -o br-network100 -m comment --comment "!fw3" -j reject
925. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
926. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
927. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
928. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
929. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
930. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
931. [0:0] -A zone_network100_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
932. [0:0] -A zone_network100_forward -m comment --comment "!fw3" -j zone_network100_dest_REJECT
933. [0:0] -A zone_network100_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[15]" -j ACCEPT
934. [0:0] -A zone_network100_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[15]" -j ACCEPT
935. [0:0] -A zone_network100_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[16]" -j ACCEPT
936. [0:0] -A zone_network100_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[17]" -j reject
937. [0:0] -A zone_network100_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
938. [0:0] -A zone_network100_input -m comment --comment "!fw3" -j zone_network100_src_ACCEPT
939. [0:0] -A zone_network100_output -m comment --comment "!fw3" -j zone_network100_dest_ACCEPT
940. [0:0] -A zone_network100_src_ACCEPT -i br-network100 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
941. [0:0] -A zone_network101_dest_ACCEPT -o br-network101 -m comment --comment "!fw3" -j ACCEPT
942. [0:0] -A zone_network101_dest_REJECT -o br-network101 -m comment --comment "!fw3" -j reject
943. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
944. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
945. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
946. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
947. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
948. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
949. [0:0] -A zone_network101_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
950. [0:0] -A zone_network101_forward -m comment --comment "!fw3" -j zone_network101_dest_REJECT
951. [0:0] -A zone_network101_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[18]" -j ACCEPT
952. [0:0] -A zone_network101_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[18]" -j ACCEPT
953. [0:0] -A zone_network101_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[19]" -j ACCEPT
954. [0:0] -A zone_network101_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[20]" -j reject
955. [0:0] -A zone_network101_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
956. [0:0] -A zone_network101_input -m comment --comment "!fw3" -j zone_network101_src_ACCEPT
957. [0:0] -A zone_network101_output -m comment --comment "!fw3" -j zone_network101_dest_ACCEPT
958. [0:0] -A zone_network101_src_ACCEPT -i br-network101 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
959. [0:0] -A zone_network1_dest_ACCEPT -o br-network1 -m comment --comment "!fw3" -j ACCEPT
960. [0:0] -A zone_network1_dest_REJECT -o br-network1 -m comment --comment "!fw3" -j reject
961. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Custom network1 forwarding rule chain" -j forwarding_network1_rule
962. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
963. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
964. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
965. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
966. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
967. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
968. [0:0] -A zone_network1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
969. [0:0] -A zone_network1_forward -m comment --comment "!fw3" -j zone_network1_dest_REJECT
970. [0:0] -A zone_network1_input -m comment --comment "!fw3: Custom network1 input rule chain" -j input_network1_rule
971. [0:0] -A zone_network1_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
972. [0:0] -A zone_network1_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
973. [0:0] -A zone_network1_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[13]" -j ACCEPT
974. [0:0] -A zone_network1_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[14]" -j reject
975. [0:0] -A zone_network1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
976. [0:0] -A zone_network1_input -m comment --comment "!fw3" -j zone_network1_src_ACCEPT
977. [0:0] -A zone_network1_output -m comment --comment "!fw3: Custom network1 output rule chain" -j output_network1_rule
978. [0:0] -A zone_network1_output -m comment --comment "!fw3" -j zone_network1_dest_ACCEPT
979. [0:0] -A zone_network1_src_ACCEPT -i br-network1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
980. COMMIT
981. # Completed on Tue Aug 25 09:22:41 2020
982. # Generated by iptables-save v1.4.21 on Tue Aug 25 09:22:41 2020
983. *nat
984. :PREROUTING ACCEPT [170945:24378274]
985. :INPUT ACCEPT [3:192]
986. :OUTPUT ACCEPT [5333:320754]
987. :POSTROUTING ACCEPT [5333:320754]
988. :VCMP_DNAT_ACL - [0:0]
989. :VCMP_SNAT_ACL - [0:0]
990. :postrouting_GE3_rule - [0:0]
991. :postrouting_GE4_rule - [0:0]
992. :postrouting_GE5_rule - [0:0]
993. :postrouting_GE6_rule - [0:0]
994. :postrouting_GE7_rule - [0:0]
995. :postrouting_GE8_rule - [0:0]
996. :postrouting_network0_rule - [0:0]
997. :postrouting_network1_rule - [0:0]
998. :postrouting_rule - [0:0]
999. :prerouting_GE3_rule - [0:0]
1000. :prerouting_GE4_rule - [0:0]
1001. :prerouting_GE5_rule - [0:0]
1002. :prerouting_GE6_rule - [0:0]
1003. :prerouting_GE7_rule - [0:0]
1004. :prerouting_GE8_rule - [0:0]
1005. :prerouting_network0_rule - [0:0]
1006. :prerouting_network1_rule - [0:0]
1007. :prerouting_rule - [0:0]
1008. :zone_GE3_postrouting - [0:0]
1009. :zone_GE3_prerouting - [0:0]
1010. :zone_GE4_postrouting - [0:0]
1011. :zone_GE4_prerouting - [0:0]
1012. :zone_GE5_postrouting - [0:0]
1013. :zone_GE5_prerouting - [0:0]
1014. :zone_GE6_postrouting - [0:0]
1015. :zone_GE6_prerouting - [0:0]
1016. :zone_GE7_postrouting - [0:0]
1017. :zone_GE7_prerouting - [0:0]
1018. :zone_GE8_postrouting - [0:0]
1019. :zone_GE8_prerouting - [0:0]
1020. :zone_network100_postrouting - [0:0]
1021. :zone_network100_prerouting - [0:0]
1022. :zone_network101_postrouting - [0:0]
1023. :zone_network101_prerouting - [0:0]
1024. :zone_network1_postrouting - [0:0]
1025. :zone_network1_prerouting - [0:0]
1026. [2770681:400137463] -A PREROUTING -j VCMP_DNAT_ACL
1027. [170945:24378274] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
1028. [156734:23313218] -A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_GE3_prerouting
1029. [14208:1064864] -A PREROUTING -i eth3 -m comment --comment "!fw3" -j zone_GE4_prerouting
1030. [0:0] -A PREROUTING -i eth4 -m comment --comment "!fw3" -j zone_GE5_prerouting
1031. [0:0] -A PREROUTING -i eth5 -m comment --comment "!fw3" -j zone_GE6_prerouting
1032. [0:0] -A PREROUTING -i eth6 -m comment --comment "!fw3" -j zone_GE7_prerouting
1033. [0:0] -A PREROUTING -i eth7 -m comment --comment "!fw3" -j zone_GE8_prerouting
1034. [3:192] -A PREROUTING -i br-network1 -m comment --comment "!fw3" -j zone_network1_prerouting
1035. [0:0] -A PREROUTING -i br-network100 -m comment --comment "!fw3" -j zone_network100_prerouting
1036. [0:0] -A PREROUTING -i br-network101 -m comment --comment "!fw3" -j zone_network101_prerouting
1037. [85521:5206872] -A POSTROUTING -j VCMP_SNAT_ACL
1038. [5333:320754] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
1039. [0:0] -A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_GE3_postrouting
1040. [0:0] -A POSTROUTING -o eth3 -m comment --comment "!fw3" -j zone_GE4_postrouting
1041. [0:0] -A POSTROUTING -o eth4 -m comment --comment "!fw3" -j zone_GE5_postrouting
1042. [0:0] -A POSTROUTING -o eth5 -m comment --comment "!fw3" -j zone_GE6_postrouting
1043. [0:0] -A POSTROUTING -o eth6 -m comment --comment "!fw3" -j zone_GE7_postrouting
1044. [0:0] -A POSTROUTING -o eth7 -m comment --comment "!fw3" -j zone_GE8_postrouting
1045. [0:0] -A POSTROUTING -o br-network1 -m comment --comment "!fw3" -j zone_network1_postrouting
1046. [0:0] -A POSTROUTING -o br-network100 -m comment --comment "!fw3" -j zone_network100_postrouting
1047. [0:0] -A POSTROUTING -o br-network101 -m comment --comment "!fw3" -j zone_network101_postrouting
1048. [0:0] -A zone_GE3_postrouting -m comment --comment "!fw3: Custom GE3 postrouting rule chain" -j postrouting_GE3_rule
1049. [0:0] -A zone_GE3_postrouting -m comment --comment "!fw3" -j MASQUERADE
1050. [156734:23313218] -A zone_GE3_prerouting -m comment --comment "!fw3: Custom GE3 prerouting rule chain" -j prerouting_GE3_rule
1051. [0:0] -A zone_GE4_postrouting -m comment --comment "!fw3: Custom GE4 postrouting rule chain" -j postrouting_GE4_rule
1052. [0:0] -A zone_GE4_postrouting -m comment --comment "!fw3" -j MASQUERADE
1053. [14208:1064864] -A zone_GE4_prerouting -m comment --comment "!fw3: Custom GE4 prerouting rule chain" -j prerouting_GE4_rule
1054. [0:0] -A zone_GE5_postrouting -m comment --comment "!fw3: Custom GE5 postrouting rule chain" -j postrouting_GE5_rule
1055. [0:0] -A zone_GE5_postrouting -m comment --comment "!fw3" -j MASQUERADE
1056. [0:0] -A zone_GE5_prerouting -m comment --comment "!fw3: Custom GE5 prerouting rule chain" -j prerouting_GE5_rule
1057. [0:0] -A zone_GE6_postrouting -m comment --comment "!fw3: Custom GE6 postrouting rule chain" -j postrouting_GE6_rule
1058. [0:0] -A zone_GE6_postrouting -m comment --comment "!fw3" -j MASQUERADE
1059. [0:0] -A zone_GE6_prerouting -m comment --comment "!fw3: Custom GE6 prerouting rule chain" -j prerouting_GE6_rule
1060. [0:0] -A zone_GE7_postrouting -m comment --comment "!fw3: Custom GE7 postrouting rule chain" -j postrouting_GE7_rule
1061. [0:0] -A zone_GE7_postrouting -m comment --comment "!fw3" -j MASQUERADE
1062. [0:0] -A zone_GE7_prerouting -m comment --comment "!fw3: Custom GE7 prerouting rule chain" -j prerouting_GE7_rule
1063. [0:0] -A zone_GE8_postrouting -m comment --comment "!fw3: Custom GE8 postrouting rule chain" -j postrouting_GE8_rule
1064. [0:0] -A zone_GE8_postrouting -m comment --comment "!fw3" -j MASQUERADE
1065. [0:0] -A zone_GE8_prerouting -m comment --comment "!fw3: Custom GE8 prerouting rule chain" -j prerouting_GE8_rule
1066. [0:0] -A zone_network1_postrouting -m comment --comment "!fw3: Custom network1 postrouting rule chain" -j postrouting_network1_rule
1067. [3:192] -A zone_network1_prerouting -m comment --comment "!fw3: Custom network1 prerouting rule chain" -j prerouting_network1_rule
1068. COMMIT
1069. # Completed on Tue Aug 25 09:22:41 2020
1070. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
1071. inet 127.0.0.1/8 scope host lo
1072. valid_lft forever preferred_lft forever
1073. 271: eth2@if272: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 10000 link-netnsid 0
1074. inet 169.254.9.2/29 brd 169.254.9.7 scope global eth2
1075. valid_lft forever preferred_lft forever
1076. 21: br-management: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
1077. inet 10.0.3.2/32 brd 255.255.255.255 scope global br-management
1078. valid_lft forever preferred_lft forever
1079. 22: br-network1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
1080. inet 10.0.3.1/24 brd 10.0.3.255 scope global br-network1
1081. valid_lft forever preferred_lft forever
1082. 23: br-network100: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
1083. inet 10.100.3.1/24 brd 10.100.3.255 scope global br-network100
1084. valid_lft forever preferred_lft forever
1085. 25: br-network101: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
1086. inet 10.101.3.1/24 brd 10.101.3.255 scope global br-network101
1087. valid_lft forever preferred_lft forever
1088. 27: br-segmgmt: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
1089. inet 169.254.3.1/32 brd 255.255.255.255 scope global br-segmgmt
1090. valid_lft forever preferred_lft forever
1091. inet 169.254.3.2/32 brd 255.255.255.255 scope global br-segmgmt
1092. valid_lft forever preferred_lft forever
1093. inet 169.254.3.3/32 brd 255.255.255.255 scope global br-segmgmt
1094. valid_lft forever preferred_lft forever
1095. 28: eth3.100@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
1096. inet 172.17.3.2/29 brd 172.17.3.7 scope global eth3.100
1097. valid_lft forever preferred_lft forever
1098. 29: eth3.101@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
1099. inet 172.18.3.2/29 brd 172.18.3.7 scope global eth3.101
1100. valid_lft forever preferred_lft forever
1101. 30: vce1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 4096
1102. inet 169.254.129.4 peer 169.254.129.1/32 scope global vce1
1103. valid_lft forever preferred_lft forever
1104. default dev vce1 table 200 scope link
1105. default via 169.254.9.1 dev eth2 table 210
1106. default dev br-network1 table 213 scope link
1107. default dev br-network100 table 214 scope link
1108. default dev br-network101 table 215 scope link
1109. default via 172.17.3.3 dev eth3.100 table 216
1110. 172.17.3.0/29 dev eth3.100 table 216 scope link
1111. default via 172.18.3.3 dev eth3.101 table 217
1112. 172.18.3.0/29 dev eth3.101 table 217 scope link
1113. default via 169.254.9.1 dev eth2 proto static metric 5
1114. 10.0.3.0/24 dev br-network1 proto kernel scope link src 10.0.3.1
1115. 10.100.3.0/24 dev br-network100 proto kernel scope link src 10.100.3.1
1116. 10.101.3.0/24 dev br-network101 proto kernel scope link src 10.101.3.1
1117. 169.254.9.0/29 dev eth2 proto kernel scope link src 169.254.9.2
1118. 169.254.129.1 dev vce1 proto kernel scope link src 169.254.129.4
1119. 172.17.3.0/29 dev eth3.100 proto kernel scope link src 172.17.3.2
1120. 172.18.3.0/29 dev eth3.101 proto kernel scope link src 172.18.3.2
1121. broadcast 10.0.3.0 dev br-network1 table local proto kernel scope link src 10.0.3.1
1122. local 10.0.3.1 dev br-network1 table local proto kernel scope host src 10.0.3.1
1123. local 10.0.3.2 dev br-management table local proto kernel scope host src 10.0.3.2
1124. broadcast 10.0.3.255 dev br-network1 table local proto kernel scope link src 10.0.3.1
1125. broadcast 10.100.3.0 dev br-network100 table local proto kernel scope link src 10.100.3.1
1126. local 10.100.3.1 dev br-network100 table local proto kernel scope host src 10.100.3.1
1127. broadcast 10.100.3.255 dev br-network100 table local proto kernel scope link src 10.100.3.1
1128. broadcast 10.101.3.0 dev br-network101 table local proto kernel scope link src 10.101.3.1
1129. local 10.101.3.1 dev br-network101 table local proto kernel scope host src 10.101.3.1
1130. broadcast 10.101.3.255 dev br-network101 table local proto kernel scope link src 10.101.3.1
1131. broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
1132. local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
1133. local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
1134. broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
1135. local 169.254.3.1 dev br-segmgmt table local proto kernel scope host src 169.254.3.1
1136. local 169.254.3.2 dev br-segmgmt table local proto kernel scope host src 169.254.3.2
1137. local 169.254.3.3 dev br-segmgmt table local proto kernel scope host src 169.254.3.3
1138. broadcast 169.254.9.0 dev eth2 table local proto kernel scope link src 169.254.9.2
1139. local 169.254.9.2 dev eth2 table local proto kernel scope host src 169.254.9.2
1140. broadcast 169.254.9.7 dev eth2 table local proto kernel scope link src 169.254.9.2
1141. local 169.254.129.4 dev vce1 table local proto kernel scope host src 169.254.129.4
1142. broadcast 172.17.3.0 dev eth3.100 table local proto kernel scope link src 172.17.3.2
1143. local 172.17.3.2 dev eth3.100 table local proto kernel scope host src 172.17.3.2
1144. broadcast 172.17.3.7 dev eth3.100 table local proto kernel scope link src 172.17.3.2
1145. broadcast 172.18.3.0 dev eth3.101 table local proto kernel scope link src 172.18.3.2
1146. local 172.18.3.2 dev eth3.101 table local proto kernel scope host src 172.18.3.2
1147. broadcast 172.18.3.7 dev eth3.101 table local proto kernel scope link src 172.18.3.2
1148. 0: from all lookup local
1149. 32755: from all fwmark 0xc8 lookup 200
1150. 32756: from all fwmark 0xd7 lookup 215
1151. 32757: from all fwmark 0xd6 lookup 214
1152. 32758: from all fwmark 0xd5 lookup 213
1153. 32760: from all fwmark 0xd9 lookup 217
1154. 32761: from all fwmark 0xd8 lookup 216
1155. 32762: from all fwmark 0xd3 lookup 211
1156. 32763: from all fwmark 0xd2 lookup 210
1157. 32766: from all lookup main
1158. 32767: from all lookup default
1159. edge:b3-edge1:~#
1160.