Advertisement
Guest User

dhcp renew failure

a guest
Aug 25th, 2020
37
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. edge:b3-edge1:~# ubus call system board; \
  2. > uci export network; uci export wireless; \
  3. > uci export dhcp; uci export firewall; \
  4. > head -n -0 /etc/firewall.user; \
  5. > iptables-save -c; \
  6. > ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
  7. {
  8. "kernel": "4.15.0-1057-aws",
  9. "hostname": "vc-edge",
  10. "system": "Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz",
  11. "release": {
  12. "distribution": "OpenWrt",
  13. "version": "cc-remerge-618-g0acfaf8",
  14. "revision": "r0+2278-0acfaf8",
  15. "codename": "example_vc-xen-aws",
  16. "target": "x64/vc-xen-aws",
  17. "description": "OpenWrt example vc-xen-aws cc-remerge-618-g0acfaf8"
  18. }
  19. }
  20. package network
  21.  
  22. config interface 'loopback'
  23. option ifname 'lo'
  24. option proto 'static'
  25. option ipaddr '127.0.0.1'
  26. option netmask '255.0.0.0'
  27. option ipv6 '0'
  28.  
  29. config interface 'management'
  30. option ifname 'management'
  31. option type 'bridge'
  32. option bridge_empty '1'
  33. option force_link '1'
  34. option proto 'static'
  35. list ipaddr '10.0.3.2'
  36. option netmask '255.255.255.255'
  37. option ipv6 '0'
  38.  
  39. config interface 'segmgmt'
  40. option ifname 'segmgmt'
  41. option type 'bridge'
  42. option bridge_empty '1'
  43. option force_link '1'
  44. option proto 'static'
  45. list ipaddr '169.254.3.1'
  46. list ipaddr '169.254.3.2'
  47. list ipaddr '169.254.3.3'
  48. option netmask '255.255.255.255'
  49. option ipv6 '0'
  50.  
  51. config interface 'network1'
  52. option ifname 'eth0 eth1'
  53. option proto 'static'
  54. option type 'bridge'
  55. list ipaddr '10.0.3.1/24'
  56. option ipv6 '0'
  57. option mtu '1500'
  58.  
  59. config interface 'network100'
  60. option ifname 'eth1.100'
  61. option proto 'static'
  62. option type 'bridge'
  63. list ipaddr '10.100.3.1/24'
  64. option ipv6 '0'
  65. option mtu '1500'
  66.  
  67. config interface 'network101'
  68. option ifname 'eth1.101'
  69. option proto 'static'
  70. option type 'bridge'
  71. list ipaddr '10.101.3.1/24'
  72. option ipv6 '0'
  73. option mtu '1500'
  74.  
  75. config interface 'GE3'
  76. option ifname 'eth2'
  77. option proto 'static'
  78. option ipaddr '169.254.9.2'
  79. option netmask '255.255.255.248'
  80. option ipv6 '0'
  81. option mtu '1500'
  82.  
  83. config route 'GE3_DEFAULT_ROUTE'
  84. option interface 'GE3'
  85. option target '0.0.0.0'
  86. option netmask '0.0.0.0'
  87. option gateway '169.254.9.1'
  88. option metric '5'
  89.  
  90. config interface 'GE4'
  91. option ifname 'eth3'
  92. option hostname 'vc-ge4'
  93. option proto 'dhcp'
  94. option ipv6 '0'
  95. option mtu '1500'
  96. option metric '6'
  97.  
  98. config interface 'GE4_100'
  99. option ifname 'eth3.100'
  100. option proto 'static'
  101. option ipaddr '172.17.3.2'
  102. option netmask '255.255.255.248'
  103. option ipv6 '0'
  104. option mtu '1500'
  105. option macaddr '02:42:ac:10:03:05'
  106.  
  107. config interface 'GE4_101'
  108. option ifname 'eth3.101'
  109. option proto 'static'
  110. option ipaddr '172.18.3.2'
  111. option netmask '255.255.255.248'
  112. option ipv6 '0'
  113. option mtu '1500'
  114. option macaddr '02:42:ac:10:03:05'
  115.  
  116. config interface 'GE5'
  117. option ifname 'eth4'
  118. option hostname 'vc-ge5'
  119. option proto 'dhcp'
  120. option ipv6 '0'
  121. option mtu '1500'
  122. option metric '7'
  123.  
  124. config interface 'GE6'
  125. option ifname 'eth5'
  126. option hostname 'vc-ge6'
  127. option proto 'dhcp'
  128. option ipv6 '0'
  129. option mtu '1500'
  130. option metric '8'
  131.  
  132. config interface 'GE7'
  133. option ifname 'eth6'
  134. option hostname 'vc-ge7'
  135. option proto 'dhcp'
  136. option ipv6 '0'
  137. option mtu '1500'
  138. option metric '9'
  139.  
  140. config interface 'GE8'
  141. option ifname 'eth7'
  142. option hostname 'vc-ge8'
  143. option proto 'dhcp'
  144. option ipv6 '0'
  145. option mtu '1500'
  146. option metric '10'
  147.  
  148. uci: Entry not found
  149. package dhcp
  150.  
  151. config dnsmasq 'secure'
  152. option bind_dynamic '1'
  153. option domainneeded '1'
  154. option boguspriv '1'
  155. option filterwin2k '0'
  156. option localise_queries '1'
  157. option rebind_protection '0'
  158. option rebind_localhost '1'
  159. option local '/lan/'
  160. option domain 'lan'
  161. option expandhosts '1'
  162. option noresolv '1'
  163. option nonegcache '1'
  164. option authoritative '1'
  165. option readethers '1'
  166. option dnsforwardmax '500'
  167. option dhcpleasemax '5000'
  168. option dhcpnooverride '1'
  169. option logdhcp '1'
  170. option leasefile '/tmp/dhcp.leases.secure'
  171. list server '208.67.222.222@10.0.3.2'
  172. list server '208.67.220.220@10.0.3.2'
  173. list server '/example.net/8.8.8.8@10.0.3.2'
  174. list server '/example.net/8.8.4.4@10.0.3.2'
  175. list interface 'network1'
  176. list interface 'network100'
  177. list interface 'network101'
  178. list interface 'vce1'
  179. list interface 'lo'
  180.  
  181. config dhcp 'network1'
  182. option interface 'network1'
  183. option dnsmasq_config 'secure'
  184. option start '13'
  185. option limit '242'
  186. option leasetime '86400'
  187. option force '1'
  188. list dhcp_option '119,example.net'
  189.  
  190. config host
  191. option ip '10.0.3.25'
  192. option mac '02:42:0a:00:03:19'
  193. option dnsmasq_config 'secure'
  194.  
  195. config dhcp 'network100'
  196. option interface 'network100'
  197. option dnsmasq_config 'secure'
  198. option start '13'
  199. option limit '242'
  200. option leasetime '86400'
  201. option force '1'
  202. list dhcp_option '119,example.net'
  203.  
  204. config host
  205. option ip '10.100.3.100'
  206. option mac '02:42:0a:00:03:19'
  207. option dnsmasq_config 'secure'
  208.  
  209. config dhcp 'network101'
  210. option interface 'network101'
  211. option dnsmasq_config 'secure'
  212. option start '13'
  213. option limit '242'
  214. option leasetime '86400'
  215. option force '1'
  216. list dhcp_option '119,example.net'
  217.  
  218. config host
  219. option ip '10.101.3.100'
  220. option mac '02:42:0a:00:03:19'
  221. option dnsmasq_config 'secure'
  222.  
  223. config host
  224. option ip '10.0.3.2'
  225. option mac 'ff:ff:ff:ff:ff:ff'
  226. option dnsmasq_config 'secure'
  227.  
  228. package firewall
  229.  
  230. config defaults
  231. option syn_flood '1'
  232. option input 'ACCEPT'
  233. option output 'ACCEPT'
  234. option forward 'REJECT'
  235. option disable_ipv6 '1'
  236.  
  237. config zone
  238. option name 'GE3'
  239. option network 'GE3'
  240. option input 'REJECT'
  241. option output 'ACCEPT'
  242. option forward 'REJECT'
  243. option masq '1'
  244.  
  245. config rule
  246. option name 'Allow-DHCP-Renew'
  247. option src 'GE3'
  248. option proto 'udp'
  249. option dest_port '68'
  250. option family 'ipv4'
  251. option target 'ACCEPT'
  252.  
  253. config rule
  254. option name 'Allow-Ping'
  255. option src 'GE3'
  256. option proto 'icmp'
  257. option icmp_type 'echo-request'
  258. option family 'ipv4'
  259. option target 'ACCEPT'
  260.  
  261. config zone
  262. option name 'GE4'
  263. option network 'GE4'
  264. option input 'REJECT'
  265. option output 'ACCEPT'
  266. option forward 'REJECT'
  267. option masq '1'
  268.  
  269. config rule
  270. option name 'Allow-DHCP-Renew'
  271. option src 'GE4'
  272. option proto 'udp'
  273. option dest_port '68'
  274. option family 'ipv4'
  275. option target 'ACCEPT'
  276.  
  277. config rule
  278. option name 'Allow-Ping'
  279. option src 'GE4'
  280. option proto 'icmp'
  281. option icmp_type 'echo-request'
  282. option family 'ipv4'
  283. option target 'ACCEPT'
  284.  
  285. config zone
  286. option name 'GE5'
  287. option network 'GE5'
  288. option input 'REJECT'
  289. option output 'ACCEPT'
  290. option forward 'REJECT'
  291. option masq '1'
  292.  
  293. config rule
  294. option name 'Allow-DHCP-Renew'
  295. option src 'GE5'
  296. option proto 'udp'
  297. option dest_port '68'
  298. option family 'ipv4'
  299. option target 'ACCEPT'
  300.  
  301. config rule
  302. option name 'Allow-Ping'
  303. option src 'GE5'
  304. option proto 'icmp'
  305. option icmp_type 'echo-request'
  306. option family 'ipv4'
  307. option target 'ACCEPT'
  308.  
  309. config zone
  310. option name 'GE6'
  311. option network 'GE6'
  312. option input 'REJECT'
  313. option output 'ACCEPT'
  314. option forward 'REJECT'
  315. option masq '1'
  316.  
  317. config rule
  318. option name 'Allow-DHCP-Renew'
  319. option src 'GE6'
  320. option proto 'udp'
  321. option dest_port '68'
  322. option family 'ipv4'
  323. option target 'ACCEPT'
  324.  
  325. config rule
  326. option name 'Allow-Ping'
  327. option src 'GE6'
  328. option proto 'icmp'
  329. option icmp_type 'echo-request'
  330. option family 'ipv4'
  331. option target 'ACCEPT'
  332.  
  333. config zone
  334. option name 'GE7'
  335. option network 'GE7'
  336. option input 'REJECT'
  337. option output 'ACCEPT'
  338. option forward 'REJECT'
  339. option masq '1'
  340.  
  341. config rule
  342. option name 'Allow-DHCP-Renew'
  343. option src 'GE7'
  344. option proto 'udp'
  345. option dest_port '68'
  346. option family 'ipv4'
  347. option target 'ACCEPT'
  348.  
  349. config rule
  350. option name 'Allow-Ping'
  351. option src 'GE7'
  352. option proto 'icmp'
  353. option icmp_type 'echo-request'
  354. option family 'ipv4'
  355. option target 'ACCEPT'
  356.  
  357. config zone
  358. option name 'GE8'
  359. option network 'GE8'
  360. option input 'REJECT'
  361. option output 'ACCEPT'
  362. option forward 'REJECT'
  363. option masq '1'
  364.  
  365. config rule
  366. option name 'Allow-DHCP-Renew'
  367. option src 'GE8'
  368. option proto 'udp'
  369. option dest_port '68'
  370. option family 'ipv4'
  371. option target 'ACCEPT'
  372.  
  373. config rule
  374. option name 'Allow-Ping'
  375. option src 'GE8'
  376. option proto 'icmp'
  377. option icmp_type 'echo-request'
  378. option family 'ipv4'
  379. option target 'ACCEPT'
  380.  
  381. config include
  382. option path '/etc/firewall.user'
  383.  
  384. config zone
  385. option name 'network1'
  386. option network 'network1'
  387. option input 'ACCEPT'
  388. option output 'ACCEPT'
  389. option forward 'REJECT'
  390.  
  391. config forwarding
  392. option src 'network1'
  393. option dest 'GE3'
  394. option proto 'all'
  395. option target 'ACCEPT'
  396.  
  397. config forwarding
  398. option src 'network1'
  399. option dest 'GE4'
  400. option proto 'all'
  401. option target 'ACCEPT'
  402.  
  403. config forwarding
  404. option src 'network1'
  405. option dest 'GE5'
  406. option proto 'all'
  407. option target 'ACCEPT'
  408.  
  409. config forwarding
  410. option src 'network1'
  411. option dest 'GE6'
  412. option proto 'all'
  413. option target 'ACCEPT'
  414.  
  415. config forwarding
  416. option src 'network1'
  417. option dest 'GE7'
  418. option proto 'all'
  419. option target 'ACCEPT'
  420.  
  421. config forwarding
  422. option src 'network1'
  423. option dest 'GE8'
  424. option proto 'all'
  425. option target 'ACCEPT'
  426.  
  427. config rule
  428. option src 'network1'
  429. option dest_port '53'
  430. option proto 'tcpudp'
  431. option target 'ACCEPT'
  432.  
  433. config rule
  434. option src 'network1'
  435. option src_port '67-68'
  436. option dest_port '67-68'
  437. option proto 'udp'
  438. option target 'ACCEPT'
  439.  
  440. config rule
  441. option src 'network1'
  442. option dest_port '2607'
  443. option proto 'tcp'
  444. option target 'REJECT'
  445.  
  446. config zone
  447. option name 'network100'
  448. option network 'network100'
  449. option input 'ACCEPT'
  450. option output 'ACCEPT'
  451. option forward 'REJECT'
  452.  
  453. config forwarding
  454. option src 'network100'
  455. option dest 'GE3'
  456. option proto 'all'
  457. option target 'ACCEPT'
  458.  
  459. config forwarding
  460. option src 'network100'
  461. option dest 'GE4'
  462. option proto 'all'
  463. option target 'ACCEPT'
  464.  
  465. config forwarding
  466. option src 'network100'
  467. option dest 'GE5'
  468. option proto 'all'
  469. option target 'ACCEPT'
  470.  
  471. config forwarding
  472. option src 'network100'
  473. option dest 'GE6'
  474. option proto 'all'
  475. option target 'ACCEPT'
  476.  
  477. config forwarding
  478. option src 'network100'
  479. option dest 'GE7'
  480. option proto 'all'
  481. option target 'ACCEPT'
  482.  
  483. config forwarding
  484. option src 'network100'
  485. option dest 'GE8'
  486. option proto 'all'
  487. option target 'ACCEPT'
  488.  
  489. config rule
  490. option src 'network100'
  491. option dest_port '53'
  492. option proto 'tcpudp'
  493. option target 'ACCEPT'
  494.  
  495. config rule
  496. option src 'network100'
  497. option src_port '67-68'
  498. option dest_port '67-68'
  499. option proto 'udp'
  500. option target 'ACCEPT'
  501.  
  502. config rule
  503. option src 'network100'
  504. option dest_port '2607'
  505. option proto 'tcp'
  506. option target 'REJECT'
  507.  
  508. config zone
  509. option name 'network101'
  510. option network 'network101'
  511. option input 'ACCEPT'
  512. option output 'ACCEPT'
  513. option forward 'REJECT'
  514.  
  515. config forwarding
  516. option src 'network101'
  517. option dest 'GE3'
  518. option proto 'all'
  519. option target 'ACCEPT'
  520.  
  521. config forwarding
  522. option src 'network101'
  523. option dest 'GE4'
  524. option proto 'all'
  525. option target 'ACCEPT'
  526.  
  527. config forwarding
  528. option src 'network101'
  529. option dest 'GE5'
  530. option proto 'all'
  531. option target 'ACCEPT'
  532.  
  533. config forwarding
  534. option src 'network101'
  535. option dest 'GE6'
  536. option proto 'all'
  537. option target 'ACCEPT'
  538.  
  539. config forwarding
  540. option src 'network101'
  541. option dest 'GE7'
  542. option proto 'all'
  543. option target 'ACCEPT'
  544.  
  545. config forwarding
  546. option src 'network101'
  547. option dest 'GE8'
  548. option proto 'all'
  549. option target 'ACCEPT'
  550.  
  551. config rule
  552. option src 'network101'
  553. option dest_port '53'
  554. option proto 'tcpudp'
  555. option target 'ACCEPT'
  556.  
  557. config rule
  558. option src 'network101'
  559. option src_port '67-68'
  560. option dest_port '67-68'
  561. option proto 'udp'
  562. option target 'ACCEPT'
  563.  
  564. config rule
  565. option src 'network101'
  566. option dest_port '2607'
  567. option proto 'tcp'
  568. option target 'REJECT'
  569.  
  570. #!/bin/sh
  571. iptables -t mangle -N LOGGING
  572. iptables -t mangle -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
  573. # Generated by iptables-save v1.4.21 on Tue Aug 25 09:22:41 2020
  574. *mangle
  575. :PREROUTING ACCEPT [3373329:616839538]
  576. :INPUT ACCEPT [3338494:614025214]
  577. :FORWARD ACCEPT [0:0]
  578. :OUTPUT ACCEPT [1144:375232]
  579. :POSTROUTING ACCEPT [686907:138297669]
  580. :LOGGING - [0:0]
  581. :MODEM_CHAIN - [0:0]
  582. :SEG_LAN_ROUTING_INPUT - [0:0]
  583. :SEG_LAN_ROUTING_OUTPUT - [0:0]
  584. :TUN_CHAIN - [0:0]
  585. :VCMP_MARK_ACL - [0:0]
  586. [3373722:616897812] -A PREROUTING -j SEG_LAN_ROUTING_INPUT
  587. [3373723:616897864] -A PREROUTING -j VCMP_MARK_ACL
  588. [0:0] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
  589. [687310:138341500] -A OUTPUT -j SEG_LAN_ROUTING_OUTPUT
  590. [687310:138341500] -A OUTPUT -j TUN_CHAIN
  591. [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network101 -m state --state NEW -j CONNMARK --set-xmark 0xd7/0xffffffff
  592. [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network101 -m state --state NEW -j CONNMARK --set-xmark 0xd7/0xffffffff
  593. [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network100 -m state --state NEW -j CONNMARK --set-xmark 0xd6/0xffffffff
  594. [0:0] -A SEG_LAN_ROUTING_INPUT -i br-network100 -m state --state NEW -j CONNMARK --set-xmark 0xd6/0xffffffff
  595. [15:960] -A SEG_LAN_ROUTING_INPUT -i br-network1 -m state --state NEW -j CONNMARK --set-xmark 0xd5/0xffffffff
  596. [15:960] -A SEG_LAN_ROUTING_INPUT -i br-network1 -m state --state NEW -j CONNMARK --set-xmark 0xd5/0xffffffff
  597. [0:0] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd7 -j MARK --set-xmark 0xd7/0xffffffff
  598. [0:0] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd6 -j MARK --set-xmark 0xd6/0xffffffff
  599. [7612:1248199] -A SEG_LAN_ROUTING_OUTPUT -m connmark --mark 0xd5 -j MARK --set-xmark 0xd5/0xffffffff
  600. [522959:123679713] -A TUN_CHAIN -p tcp -j MODEM_CHAIN
  601. [0:0] -A TUN_CHAIN -m connmark --mark 0xd9 -j MARK --set-xmark 0xd9/0xffffffff
  602. [0:0] -A TUN_CHAIN -m connmark --mark 0xd9 -j ACCEPT
  603. [0:0] -A TUN_CHAIN -m connmark --mark 0xd8 -j MARK --set-xmark 0xd8/0xffffffff
  604. [0:0] -A TUN_CHAIN -m connmark --mark 0xd8 -j ACCEPT
  605. [0:0] -A TUN_CHAIN -m connmark --mark 0xd3 -j MARK --set-xmark 0xd3/0xffffffff
  606. [0:0] -A TUN_CHAIN -m connmark --mark 0xd3 -j ACCEPT
  607. [0:0] -A TUN_CHAIN -m connmark --mark 0xd2 -j MARK --set-xmark 0xd2/0xffffffff
  608. [0:0] -A TUN_CHAIN -m connmark --mark 0xd2 -j ACCEPT
  609. [92696:8977738] -A TUN_CHAIN -d 127.0.0.1/32 -j ACCEPT
  610. [81408:5982888] -A TUN_CHAIN -o lo -j ACCEPT
  611. [0:0] -A TUN_CHAIN -s 169.254.3.0/24 -j MARK --set-xmark 0xc8/0xffffffff
  612. [0:0] -A TUN_CHAIN -s 169.254.3.0/24 -j ACCEPT
  613. [7682:1254823] -A TUN_CHAIN -o br-network1 -j ACCEPT
  614. [0:0] -A TUN_CHAIN -o br-network100 -j ACCEPT
  615. [0:0] -A TUN_CHAIN -o br-network101 -j ACCEPT
  616. [482385:120455663] -A TUN_CHAIN -s 10.0.3.2/32 -j MARK --set-xmark 0xc8/0xffffffff
  617. [482385:120455663] -A TUN_CHAIN -s 10.0.3.2/32 -j ACCEPT
  618. [0:0] -A TUN_CHAIN -p tcp -m multiport --sports 179 -j MARK --set-xmark 0xc8/0xffffffff
  619. [0:0] -A TUN_CHAIN -p tcp -m multiport --sports 179 -j ACCEPT
  620. [21634:1257213] -A TUN_CHAIN -p tcp -m multiport --dports 22,53,80,123,443,61000,179 -j MARK --set-xmark 0xc8/0xffffffff
  621. [21634:1257213] -A TUN_CHAIN -p tcp -m multiport --dports 22,53,80,123,443,61000,179 -j ACCEPT
  622. [0:0] -A TUN_CHAIN -p udp -m multiport --dports 53,123 -j MARK --set-xmark 0xc8/0xffffffff
  623. [0:0] -A TUN_CHAIN -p udp -m multiport --dports 53,123 -j ACCEPT
  624. [0:0] -A TUN_CHAIN -p icmp -m icmp --icmp-type 8/0 -j MARK --set-xmark 0xc8/0xffffffff
  625. [0:0] -A TUN_CHAIN -p icmp -j ACCEPT
  626. [2507118:371475719] -A VCMP_MARK_ACL -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0xd2/0xffffffff
  627. [263515:28657744] -A VCMP_MARK_ACL -i eth3 -m state --state NEW -j CONNMARK --set-xmark 0xd3/0xffffffff
  628. [0:0] -A VCMP_MARK_ACL -i eth3.100 -m state --state NEW -j CONNMARK --set-xmark 0xd8/0xffffffff
  629. [0:0] -A VCMP_MARK_ACL -i eth3.101 -m state --state NEW -j CONNMARK --set-xmark 0xd9/0xffffffff
  630. COMMIT
  631. # Completed on Tue Aug 25 09:22:41 2020
  632. # Generated by iptables-save v1.4.21 on Tue Aug 25 09:22:41 2020
  633. *filter
  634. :INPUT ACCEPT [0:0]
  635. :FORWARD DROP [0:0]
  636. :OUTPUT ACCEPT [0:0]
  637. :PORTAL_INPUT - [0:0]
  638. :SEG_MGMT - [0:0]
  639. :VCMP_FWD_ACL - [0:0]
  640. :VCMP_IN_ACL - [0:0]
  641. :VCMP_IN_ACL_PERSIST - [0:0]
  642. :VCMP_IN_ACL_SEGMENT - [0:0]
  643. :VCMP_OUT_ACL - [0:0]
  644. :forwarding_GE3_rule - [0:0]
  645. :forwarding_GE4_rule - [0:0]
  646. :forwarding_GE5_rule - [0:0]
  647. :forwarding_GE6_rule - [0:0]
  648. :forwarding_GE7_rule - [0:0]
  649. :forwarding_GE8_rule - [0:0]
  650. :forwarding_network0_rule - [0:0]
  651. :forwarding_network1_rule - [0:0]
  652. :forwarding_rule - [0:0]
  653. :input_GE3_rule - [0:0]
  654. :input_GE4_rule - [0:0]
  655. :input_GE5_rule - [0:0]
  656. :input_GE6_rule - [0:0]
  657. :input_GE7_rule - [0:0]
  658. :input_GE8_rule - [0:0]
  659. :input_network0_rule - [0:0]
  660. :input_network1_rule - [0:0]
  661. :input_rule - [0:0]
  662. :output_GE3_rule - [0:0]
  663. :output_GE4_rule - [0:0]
  664. :output_GE5_rule - [0:0]
  665. :output_GE6_rule - [0:0]
  666. :output_GE7_rule - [0:0]
  667. :output_GE8_rule - [0:0]
  668. :output_network0_rule - [0:0]
  669. :output_network1_rule - [0:0]
  670. :output_rule - [0:0]
  671. :reject - [0:0]
  672. :syn_flood - [0:0]
  673. :zone_GE3_dest_ACCEPT - [0:0]
  674. :zone_GE3_dest_REJECT - [0:0]
  675. :zone_GE3_forward - [0:0]
  676. :zone_GE3_input - [0:0]
  677. :zone_GE3_output - [0:0]
  678. :zone_GE3_src_REJECT - [0:0]
  679. :zone_GE4_dest_ACCEPT - [0:0]
  680. :zone_GE4_dest_REJECT - [0:0]
  681. :zone_GE4_forward - [0:0]
  682. :zone_GE4_input - [0:0]
  683. :zone_GE4_output - [0:0]
  684. :zone_GE4_src_REJECT - [0:0]
  685. :zone_GE5_dest_ACCEPT - [0:0]
  686. :zone_GE5_dest_REJECT - [0:0]
  687. :zone_GE5_forward - [0:0]
  688. :zone_GE5_input - [0:0]
  689. :zone_GE5_output - [0:0]
  690. :zone_GE5_src_REJECT - [0:0]
  691. :zone_GE6_dest_ACCEPT - [0:0]
  692. :zone_GE6_dest_REJECT - [0:0]
  693. :zone_GE6_forward - [0:0]
  694. :zone_GE6_input - [0:0]
  695. :zone_GE6_output - [0:0]
  696. :zone_GE6_src_REJECT - [0:0]
  697. :zone_GE7_dest_ACCEPT - [0:0]
  698. :zone_GE7_dest_REJECT - [0:0]
  699. :zone_GE7_forward - [0:0]
  700. :zone_GE7_input - [0:0]
  701. :zone_GE7_output - [0:0]
  702. :zone_GE7_src_REJECT - [0:0]
  703. :zone_GE8_dest_ACCEPT - [0:0]
  704. :zone_GE8_dest_REJECT - [0:0]
  705. :zone_GE8_forward - [0:0]
  706. :zone_GE8_input - [0:0]
  707. :zone_GE8_output - [0:0]
  708. :zone_GE8_src_REJECT - [0:0]
  709. :zone_network0_forward - [0:0]
  710. :zone_network0_input - [0:0]
  711. :zone_network0_output - [0:0]
  712. :zone_network100_dest_ACCEPT - [0:0]
  713. :zone_network100_dest_REJECT - [0:0]
  714. :zone_network100_forward - [0:0]
  715. :zone_network100_input - [0:0]
  716. :zone_network100_output - [0:0]
  717. :zone_network100_src_ACCEPT - [0:0]
  718. :zone_network101_dest_ACCEPT - [0:0]
  719. :zone_network101_dest_REJECT - [0:0]
  720. :zone_network101_forward - [0:0]
  721. :zone_network101_input - [0:0]
  722. :zone_network101_output - [0:0]
  723. :zone_network101_src_ACCEPT - [0:0]
  724. :zone_network1_dest_ACCEPT - [0:0]
  725. :zone_network1_dest_REJECT - [0:0]
  726. :zone_network1_forward - [0:0]
  727. :zone_network1_input - [0:0]
  728. :zone_network1_output - [0:0]
  729. :zone_network1_src_ACCEPT - [0:0]
  730. [81040:8225520] -A INPUT -p icmp -j SEG_MGMT
  731. [0:0] -A INPUT -s 192.168.32.2/32 -i vce1 -p tcp -m tcp --sport 80 -j DROP
  732. [3338663:614061319] -A INPUT -j VCMP_IN_ACL_PERSIST
  733. [3329472:613572334] -A INPUT -j VCMP_IN_ACL_SEGMENT
  734. [3329472:613572334] -A INPUT -j VCMP_IN_ACL
  735. [0:0] -A INPUT -s 192.168.32.2/32 -i vce1 -p tcp -m tcp --sport 80 -j DROP
  736. [10176:890400] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
  737. [26282:12613151] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
  738. [26282:12613151] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  739. [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
  740. [0:0] -A INPUT -i eth2 -m comment --comment "!fw3" -j zone_GE3_input
  741. [0:0] -A INPUT -i eth3 -m comment --comment "!fw3" -j zone_GE4_input
  742. [0:0] -A INPUT -i eth4 -m comment --comment "!fw3" -j zone_GE5_input
  743. [0:0] -A INPUT -i eth5 -m comment --comment "!fw3" -j zone_GE6_input
  744. [0:0] -A INPUT -i eth6 -m comment --comment "!fw3" -j zone_GE7_input
  745. [0:0] -A INPUT -i eth7 -m comment --comment "!fw3" -j zone_GE8_input
  746. [0:0] -A INPUT -i br-network1 -m comment --comment "!fw3" -j zone_network1_input
  747. [0:0] -A INPUT -i br-network100 -m comment --comment "!fw3" -j zone_network100_input
  748. [0:0] -A INPUT -i br-network101 -m comment --comment "!fw3" -j zone_network101_input
  749. [0:0] -A FORWARD -o vce1 -j ACCEPT
  750. [0:0] -A FORWARD -i vce1 -j ACCEPT
  751. [0:0] -A FORWARD -j VCMP_FWD_ACL
  752. [0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
  753. [0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  754. [0:0] -A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_GE3_forward
  755. [0:0] -A FORWARD -i eth3 -m comment --comment "!fw3" -j zone_GE4_forward
  756. [0:0] -A FORWARD -i eth4 -m comment --comment "!fw3" -j zone_GE5_forward
  757. [0:0] -A FORWARD -i eth5 -m comment --comment "!fw3" -j zone_GE6_forward
  758. [0:0] -A FORWARD -i eth6 -m comment --comment "!fw3" -j zone_GE7_forward
  759. [0:0] -A FORWARD -i eth7 -m comment --comment "!fw3" -j zone_GE8_forward
  760. [0:0] -A FORWARD -i br-network1 -m comment --comment "!fw3" -j zone_network1_forward
  761. [0:0] -A FORWARD -i br-network100 -m comment --comment "!fw3" -j zone_network100_forward
  762. [0:0] -A FORWARD -i br-network101 -m comment --comment "!fw3" -j zone_network101_forward
  763. [0:0] -A FORWARD -m comment --comment "!fw3" -j reject
  764. [687317:138342013] -A OUTPUT -j VCMP_OUT_ACL
  765. [10176:890400] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
  766. [32727:7157482] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
  767. [29934:7023418] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  768. [2793:134064] -A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_GE3_output
  769. [0:0] -A OUTPUT -o eth3 -m comment --comment "!fw3" -j zone_GE4_output
  770. [0:0] -A OUTPUT -o eth4 -m comment --comment "!fw3" -j zone_GE5_output
  771. [0:0] -A OUTPUT -o eth5 -m comment --comment "!fw3" -j zone_GE6_output
  772. [0:0] -A OUTPUT -o eth6 -m comment --comment "!fw3" -j zone_GE7_output
  773. [0:0] -A OUTPUT -o eth7 -m comment --comment "!fw3" -j zone_GE8_output
  774. [0:0] -A OUTPUT -o br-network1 -m comment --comment "!fw3" -j zone_network1_output
  775. [0:0] -A OUTPUT -o br-network100 -m comment --comment "!fw3" -j zone_network100_output
  776. [0:0] -A OUTPUT -o br-network101 -m comment --comment "!fw3" -j zone_network101_output
  777. [0:0] -A SEG_MGMT ! -s 10.101.3.0/24 -d 10.101.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
  778. [0:0] -A SEG_MGMT ! -s 10.101.3.0/24 -d 10.101.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
  779. [0:0] -A SEG_MGMT ! -s 10.100.3.0/24 -d 10.100.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
  780. [0:0] -A SEG_MGMT ! -s 10.100.3.0/24 -d 10.100.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
  781. [0:0] -A SEG_MGMT ! -s 10.0.3.0/24 -d 10.0.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
  782. [0:0] -A SEG_MGMT ! -s 10.0.3.0/24 -d 10.0.3.1/32 -p icmp -m icmp --icmp-type 8 -j DROP
  783. [0:0] -A VCMP_FWD_ACL -i br-network1 -o br-network100 -j DROP
  784. [0:0] -A VCMP_FWD_ACL -i br-network1 -o br-network101 -j DROP
  785. [0:0] -A VCMP_FWD_ACL -i br-network100 -o br-network1 -j DROP
  786. [0:0] -A VCMP_FWD_ACL -i br-network100 -o br-network101 -j DROP
  787. [0:0] -A VCMP_FWD_ACL -i br-network101 -o br-network1 -j DROP
  788. [0:0] -A VCMP_FWD_ACL -i br-network101 -o br-network100 -j DROP
  789. [0:0] -A VCMP_FWD_ACL -j DROP
  790. [0:0] -A VCMP_IN_ACL -s 192.168.14.1/32 -j ACCEPT
  791. [0:0] -A VCMP_IN_ACL -s 192.168.32.2/32 -j ACCEPT
  792. [0:0] -A VCMP_IN_ACL -i eth2 -p icmp -m icmp --icmp-type 11 -j ACCEPT
  793. [0:0] -A VCMP_IN_ACL -i eth2 -p icmp -m icmp --icmp-type 3 -j ACCEPT
  794. [2507126:371479988] -A VCMP_IN_ACL -i eth2 -j DROP
  795. [0:0] -A VCMP_IN_ACL -i eth3 -p icmp -m icmp --icmp-type 11 -j ACCEPT
  796. [0:0] -A VCMP_IN_ACL -i eth3 -p icmp -m icmp --icmp-type 3 -j ACCEPT
  797. [230292:26372432] -A VCMP_IN_ACL -i eth3 -j DROP
  798. [0:0] -A VCMP_IN_ACL -i eth3.100 -p icmp -m icmp --icmp-type 11 -j ACCEPT
  799. [0:0] -A VCMP_IN_ACL -i eth3.100 -p icmp -m icmp --icmp-type 3 -j ACCEPT
  800. [0:0] -A VCMP_IN_ACL -i eth3.100 -j DROP
  801. [0:0] -A VCMP_IN_ACL -i eth3.101 -p icmp -m icmp --icmp-type 11 -j ACCEPT
  802. [0:0] -A VCMP_IN_ACL -i eth3.101 -p icmp -m icmp --icmp-type 3 -j ACCEPT
  803. [0:0] -A VCMP_IN_ACL -i eth3.101 -j DROP
  804. [0:0] -A VCMP_IN_ACL -i br-network1 -p tcp -m tcp --dport 179 -j DROP
  805. [0:0] -A VCMP_IN_ACL -i br-network1 -p tcp -m tcp --sport 179 -j DROP
  806. [0:0] -A VCMP_IN_ACL -i br-network100 -p tcp -m tcp --dport 179 -j DROP
  807. [0:0] -A VCMP_IN_ACL -i br-network100 -p tcp -m tcp --sport 179 -j DROP
  808. [0:0] -A VCMP_IN_ACL -i br-network101 -p tcp -m tcp --dport 179 -j DROP
  809. [0:0] -A VCMP_IN_ACL -i br-network101 -p tcp -m tcp --sport 179 -j DROP
  810. [0:0] -A VCMP_IN_ACL_PERSIST -s 172.16.5.3/32 -p tcp -m tcp --dport 22 -j ACCEPT
  811. [0:0] -A VCMP_IN_ACL_PERSIST -s 169.254.9.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
  812. [9406:510711] -A VCMP_IN_ACL_PERSIST -s 10.0.3.25/32 -p tcp -m tcp --dport 22 -j ACCEPT
  813. [0:0] -A VCMP_IN_ACL_PERSIST -p tcp -m tcp --dport 22 -j DROP
  814. [0:0] -A VCMP_IN_ACL_PERSIST -p udp -m udp --dport 161 -j DROP
  815. [0:0] -A VCMP_IN_ACL_PERSIST -p tcp -m tcp --dport 80 -j DROP
  816. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.3.1/32 -i vce1 -j DROP
  817. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.3.1/32 -i vce1 -j DROP
  818. [0:0] -A VCMP_IN_ACL_SEGMENT -d 169.254.129.4/32 -i br-network101 -j DROP
  819. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.3.1/32 -i br-network101 -j DROP
  820. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.3.1/32 -i br-network101 -j DROP
  821. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.3.2/32 -i br-network101 -j DROP
  822. [0:0] -A VCMP_IN_ACL_SEGMENT -d 169.254.129.4/32 -i br-network100 -j DROP
  823. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.3.1/32 -i br-network100 -j DROP
  824. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.3.1/32 -i br-network100 -j DROP
  825. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.0.3.2/32 -i br-network100 -j DROP
  826. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.3.1/32 -i br-network1 -j DROP
  827. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.3.1/32 -i br-network1 -j DROP
  828. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.101.3.1/32 -i br-management -j DROP
  829. [0:0] -A VCMP_IN_ACL_SEGMENT -d 10.100.3.1/32 -i br-management -j DROP
  830. [0:0] -A VCMP_OUT_ACL -p icmp -m icmp --icmp-type 11/0 -j DROP
  831. [0:0] -A VCMP_OUT_ACL -o eth2 -p icmp -m icmp --icmp-type 5 -j DROP
  832. [0:0] -A VCMP_OUT_ACL -o eth3 -p icmp -m icmp --icmp-type 5 -j DROP
  833. [0:0] -A VCMP_OUT_ACL -o eth3.100 -p icmp -m icmp --icmp-type 5 -j DROP
  834. [0:0] -A VCMP_OUT_ACL -o eth3.101 -p icmp -m icmp --icmp-type 5 -j DROP
  835. [0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
  836. [0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
  837. [0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
  838. [0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
  839. [0:0] -A zone_GE3_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  840. [2793:134064] -A zone_GE3_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
  841. [0:0] -A zone_GE3_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
  842. [0:0] -A zone_GE3_forward -m comment --comment "!fw3: Custom GE3 forwarding rule chain" -j forwarding_GE3_rule
  843. [0:0] -A zone_GE3_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  844. [0:0] -A zone_GE3_forward -m comment --comment "!fw3" -j zone_GE3_dest_REJECT
  845. [0:0] -A zone_GE3_input -m comment --comment "!fw3: Custom GE3 input rule chain" -j input_GE3_rule
  846. [0:0] -A zone_GE3_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  847. [0:0] -A zone_GE3_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  848. [0:0] -A zone_GE3_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  849. [0:0] -A zone_GE3_input -m comment --comment "!fw3" -j zone_GE3_src_REJECT
  850. [2793:134064] -A zone_GE3_output -m comment --comment "!fw3: Custom GE3 output rule chain" -j output_GE3_rule
  851. [2793:134064] -A zone_GE3_output -m comment --comment "!fw3" -j zone_GE3_dest_ACCEPT
  852. [0:0] -A zone_GE3_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
  853. [0:0] -A zone_GE4_dest_ACCEPT -o eth3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  854. [0:0] -A zone_GE4_dest_ACCEPT -o eth3 -m comment --comment "!fw3" -j ACCEPT
  855. [0:0] -A zone_GE4_dest_REJECT -o eth3 -m comment --comment "!fw3" -j reject
  856. [0:0] -A zone_GE4_forward -m comment --comment "!fw3: Custom GE4 forwarding rule chain" -j forwarding_GE4_rule
  857. [0:0] -A zone_GE4_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  858. [0:0] -A zone_GE4_forward -m comment --comment "!fw3" -j zone_GE4_dest_REJECT
  859. [0:0] -A zone_GE4_input -m comment --comment "!fw3: Custom GE4 input rule chain" -j input_GE4_rule
  860. [0:0] -A zone_GE4_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  861. [0:0] -A zone_GE4_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  862. [0:0] -A zone_GE4_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  863. [0:0] -A zone_GE4_input -m comment --comment "!fw3" -j zone_GE4_src_REJECT
  864. [0:0] -A zone_GE4_output -m comment --comment "!fw3: Custom GE4 output rule chain" -j output_GE4_rule
  865. [0:0] -A zone_GE4_output -m comment --comment "!fw3" -j zone_GE4_dest_ACCEPT
  866. [0:0] -A zone_GE4_src_REJECT -i eth3 -m comment --comment "!fw3" -j reject
  867. [0:0] -A zone_GE5_dest_ACCEPT -o eth4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  868. [0:0] -A zone_GE5_dest_ACCEPT -o eth4 -m comment --comment "!fw3" -j ACCEPT
  869. [0:0] -A zone_GE5_dest_REJECT -o eth4 -m comment --comment "!fw3" -j reject
  870. [0:0] -A zone_GE5_forward -m comment --comment "!fw3: Custom GE5 forwarding rule chain" -j forwarding_GE5_rule
  871. [0:0] -A zone_GE5_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  872. [0:0] -A zone_GE5_forward -m comment --comment "!fw3" -j zone_GE5_dest_REJECT
  873. [0:0] -A zone_GE5_input -m comment --comment "!fw3: Custom GE5 input rule chain" -j input_GE5_rule
  874. [0:0] -A zone_GE5_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  875. [0:0] -A zone_GE5_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  876. [0:0] -A zone_GE5_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  877. [0:0] -A zone_GE5_input -m comment --comment "!fw3" -j zone_GE5_src_REJECT
  878. [0:0] -A zone_GE5_output -m comment --comment "!fw3: Custom GE5 output rule chain" -j output_GE5_rule
  879. [0:0] -A zone_GE5_output -m comment --comment "!fw3" -j zone_GE5_dest_ACCEPT
  880. [0:0] -A zone_GE5_src_REJECT -i eth4 -m comment --comment "!fw3" -j reject
  881. [0:0] -A zone_GE6_dest_ACCEPT -o eth5 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  882. [0:0] -A zone_GE6_dest_ACCEPT -o eth5 -m comment --comment "!fw3" -j ACCEPT
  883. [0:0] -A zone_GE6_dest_REJECT -o eth5 -m comment --comment "!fw3" -j reject
  884. [0:0] -A zone_GE6_forward -m comment --comment "!fw3: Custom GE6 forwarding rule chain" -j forwarding_GE6_rule
  885. [0:0] -A zone_GE6_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  886. [0:0] -A zone_GE6_forward -m comment --comment "!fw3" -j zone_GE6_dest_REJECT
  887. [0:0] -A zone_GE6_input -m comment --comment "!fw3: Custom GE6 input rule chain" -j input_GE6_rule
  888. [0:0] -A zone_GE6_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  889. [0:0] -A zone_GE6_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  890. [0:0] -A zone_GE6_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  891. [0:0] -A zone_GE6_input -m comment --comment "!fw3" -j zone_GE6_src_REJECT
  892. [0:0] -A zone_GE6_output -m comment --comment "!fw3: Custom GE6 output rule chain" -j output_GE6_rule
  893. [0:0] -A zone_GE6_output -m comment --comment "!fw3" -j zone_GE6_dest_ACCEPT
  894. [0:0] -A zone_GE6_src_REJECT -i eth5 -m comment --comment "!fw3" -j reject
  895. [0:0] -A zone_GE7_dest_ACCEPT -o eth6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  896. [0:0] -A zone_GE7_dest_ACCEPT -o eth6 -m comment --comment "!fw3" -j ACCEPT
  897. [0:0] -A zone_GE7_dest_REJECT -o eth6 -m comment --comment "!fw3" -j reject
  898. [0:0] -A zone_GE7_forward -m comment --comment "!fw3: Custom GE7 forwarding rule chain" -j forwarding_GE7_rule
  899. [0:0] -A zone_GE7_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  900. [0:0] -A zone_GE7_forward -m comment --comment "!fw3" -j zone_GE7_dest_REJECT
  901. [0:0] -A zone_GE7_input -m comment --comment "!fw3: Custom GE7 input rule chain" -j input_GE7_rule
  902. [0:0] -A zone_GE7_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  903. [0:0] -A zone_GE7_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  904. [0:0] -A zone_GE7_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  905. [0:0] -A zone_GE7_input -m comment --comment "!fw3" -j zone_GE7_src_REJECT
  906. [0:0] -A zone_GE7_output -m comment --comment "!fw3: Custom GE7 output rule chain" -j output_GE7_rule
  907. [0:0] -A zone_GE7_output -m comment --comment "!fw3" -j zone_GE7_dest_ACCEPT
  908. [0:0] -A zone_GE7_src_REJECT -i eth6 -m comment --comment "!fw3" -j reject
  909. [0:0] -A zone_GE8_dest_ACCEPT -o eth7 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  910. [0:0] -A zone_GE8_dest_ACCEPT -o eth7 -m comment --comment "!fw3" -j ACCEPT
  911. [0:0] -A zone_GE8_dest_REJECT -o eth7 -m comment --comment "!fw3" -j reject
  912. [0:0] -A zone_GE8_forward -m comment --comment "!fw3: Custom GE8 forwarding rule chain" -j forwarding_GE8_rule
  913. [0:0] -A zone_GE8_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  914. [0:0] -A zone_GE8_forward -m comment --comment "!fw3" -j zone_GE8_dest_REJECT
  915. [0:0] -A zone_GE8_input -m comment --comment "!fw3: Custom GE8 input rule chain" -j input_GE8_rule
  916. [0:0] -A zone_GE8_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  917. [0:0] -A zone_GE8_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  918. [0:0] -A zone_GE8_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  919. [0:0] -A zone_GE8_input -m comment --comment "!fw3" -j zone_GE8_src_REJECT
  920. [0:0] -A zone_GE8_output -m comment --comment "!fw3: Custom GE8 output rule chain" -j output_GE8_rule
  921. [0:0] -A zone_GE8_output -m comment --comment "!fw3" -j zone_GE8_dest_ACCEPT
  922. [0:0] -A zone_GE8_src_REJECT -i eth7 -m comment --comment "!fw3" -j reject
  923. [0:0] -A zone_network100_dest_ACCEPT -o br-network100 -m comment --comment "!fw3" -j ACCEPT
  924. [0:0] -A zone_network100_dest_REJECT -o br-network100 -m comment --comment "!fw3" -j reject
  925. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
  926. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
  927. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
  928. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
  929. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
  930. [0:0] -A zone_network100_forward -m comment --comment "!fw3: Zone network100 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
  931. [0:0] -A zone_network100_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  932. [0:0] -A zone_network100_forward -m comment --comment "!fw3" -j zone_network100_dest_REJECT
  933. [0:0] -A zone_network100_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[15]" -j ACCEPT
  934. [0:0] -A zone_network100_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[15]" -j ACCEPT
  935. [0:0] -A zone_network100_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[16]" -j ACCEPT
  936. [0:0] -A zone_network100_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[17]" -j reject
  937. [0:0] -A zone_network100_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  938. [0:0] -A zone_network100_input -m comment --comment "!fw3" -j zone_network100_src_ACCEPT
  939. [0:0] -A zone_network100_output -m comment --comment "!fw3" -j zone_network100_dest_ACCEPT
  940. [0:0] -A zone_network100_src_ACCEPT -i br-network100 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  941. [0:0] -A zone_network101_dest_ACCEPT -o br-network101 -m comment --comment "!fw3" -j ACCEPT
  942. [0:0] -A zone_network101_dest_REJECT -o br-network101 -m comment --comment "!fw3" -j reject
  943. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
  944. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
  945. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
  946. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
  947. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
  948. [0:0] -A zone_network101_forward -m comment --comment "!fw3: Zone network101 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
  949. [0:0] -A zone_network101_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  950. [0:0] -A zone_network101_forward -m comment --comment "!fw3" -j zone_network101_dest_REJECT
  951. [0:0] -A zone_network101_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[18]" -j ACCEPT
  952. [0:0] -A zone_network101_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[18]" -j ACCEPT
  953. [0:0] -A zone_network101_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[19]" -j ACCEPT
  954. [0:0] -A zone_network101_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[20]" -j reject
  955. [0:0] -A zone_network101_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  956. [0:0] -A zone_network101_input -m comment --comment "!fw3" -j zone_network101_src_ACCEPT
  957. [0:0] -A zone_network101_output -m comment --comment "!fw3" -j zone_network101_dest_ACCEPT
  958. [0:0] -A zone_network101_src_ACCEPT -i br-network101 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  959. [0:0] -A zone_network1_dest_ACCEPT -o br-network1 -m comment --comment "!fw3" -j ACCEPT
  960. [0:0] -A zone_network1_dest_REJECT -o br-network1 -m comment --comment "!fw3" -j reject
  961. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Custom network1 forwarding rule chain" -j forwarding_network1_rule
  962. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE3 forwarding policy" -j zone_GE3_dest_ACCEPT
  963. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE4 forwarding policy" -j zone_GE4_dest_ACCEPT
  964. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE5 forwarding policy" -j zone_GE5_dest_ACCEPT
  965. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE6 forwarding policy" -j zone_GE6_dest_ACCEPT
  966. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE7 forwarding policy" -j zone_GE7_dest_ACCEPT
  967. [0:0] -A zone_network1_forward -m comment --comment "!fw3: Zone network1 to GE8 forwarding policy" -j zone_GE8_dest_ACCEPT
  968. [0:0] -A zone_network1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  969. [0:0] -A zone_network1_forward -m comment --comment "!fw3" -j zone_network1_dest_REJECT
  970. [0:0] -A zone_network1_input -m comment --comment "!fw3: Custom network1 input rule chain" -j input_network1_rule
  971. [0:0] -A zone_network1_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
  972. [0:0] -A zone_network1_input -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
  973. [0:0] -A zone_network1_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: @rule[13]" -j ACCEPT
  974. [0:0] -A zone_network1_input -p tcp -m tcp --dport 2607 -m comment --comment "!fw3: @rule[14]" -j reject
  975. [0:0] -A zone_network1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  976. [0:0] -A zone_network1_input -m comment --comment "!fw3" -j zone_network1_src_ACCEPT
  977. [0:0] -A zone_network1_output -m comment --comment "!fw3: Custom network1 output rule chain" -j output_network1_rule
  978. [0:0] -A zone_network1_output -m comment --comment "!fw3" -j zone_network1_dest_ACCEPT
  979. [0:0] -A zone_network1_src_ACCEPT -i br-network1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  980. COMMIT
  981. # Completed on Tue Aug 25 09:22:41 2020
  982. # Generated by iptables-save v1.4.21 on Tue Aug 25 09:22:41 2020
  983. *nat
  984. :PREROUTING ACCEPT [170945:24378274]
  985. :INPUT ACCEPT [3:192]
  986. :OUTPUT ACCEPT [5333:320754]
  987. :POSTROUTING ACCEPT [5333:320754]
  988. :VCMP_DNAT_ACL - [0:0]
  989. :VCMP_SNAT_ACL - [0:0]
  990. :postrouting_GE3_rule - [0:0]
  991. :postrouting_GE4_rule - [0:0]
  992. :postrouting_GE5_rule - [0:0]
  993. :postrouting_GE6_rule - [0:0]
  994. :postrouting_GE7_rule - [0:0]
  995. :postrouting_GE8_rule - [0:0]
  996. :postrouting_network0_rule - [0:0]
  997. :postrouting_network1_rule - [0:0]
  998. :postrouting_rule - [0:0]
  999. :prerouting_GE3_rule - [0:0]
  1000. :prerouting_GE4_rule - [0:0]
  1001. :prerouting_GE5_rule - [0:0]
  1002. :prerouting_GE6_rule - [0:0]
  1003. :prerouting_GE7_rule - [0:0]
  1004. :prerouting_GE8_rule - [0:0]
  1005. :prerouting_network0_rule - [0:0]
  1006. :prerouting_network1_rule - [0:0]
  1007. :prerouting_rule - [0:0]
  1008. :zone_GE3_postrouting - [0:0]
  1009. :zone_GE3_prerouting - [0:0]
  1010. :zone_GE4_postrouting - [0:0]
  1011. :zone_GE4_prerouting - [0:0]
  1012. :zone_GE5_postrouting - [0:0]
  1013. :zone_GE5_prerouting - [0:0]
  1014. :zone_GE6_postrouting - [0:0]
  1015. :zone_GE6_prerouting - [0:0]
  1016. :zone_GE7_postrouting - [0:0]
  1017. :zone_GE7_prerouting - [0:0]
  1018. :zone_GE8_postrouting - [0:0]
  1019. :zone_GE8_prerouting - [0:0]
  1020. :zone_network100_postrouting - [0:0]
  1021. :zone_network100_prerouting - [0:0]
  1022. :zone_network101_postrouting - [0:0]
  1023. :zone_network101_prerouting - [0:0]
  1024. :zone_network1_postrouting - [0:0]
  1025. :zone_network1_prerouting - [0:0]
  1026. [2770681:400137463] -A PREROUTING -j VCMP_DNAT_ACL
  1027. [170945:24378274] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
  1028. [156734:23313218] -A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_GE3_prerouting
  1029. [14208:1064864] -A PREROUTING -i eth3 -m comment --comment "!fw3" -j zone_GE4_prerouting
  1030. [0:0] -A PREROUTING -i eth4 -m comment --comment "!fw3" -j zone_GE5_prerouting
  1031. [0:0] -A PREROUTING -i eth5 -m comment --comment "!fw3" -j zone_GE6_prerouting
  1032. [0:0] -A PREROUTING -i eth6 -m comment --comment "!fw3" -j zone_GE7_prerouting
  1033. [0:0] -A PREROUTING -i eth7 -m comment --comment "!fw3" -j zone_GE8_prerouting
  1034. [3:192] -A PREROUTING -i br-network1 -m comment --comment "!fw3" -j zone_network1_prerouting
  1035. [0:0] -A PREROUTING -i br-network100 -m comment --comment "!fw3" -j zone_network100_prerouting
  1036. [0:0] -A PREROUTING -i br-network101 -m comment --comment "!fw3" -j zone_network101_prerouting
  1037. [85521:5206872] -A POSTROUTING -j VCMP_SNAT_ACL
  1038. [5333:320754] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
  1039. [0:0] -A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_GE3_postrouting
  1040. [0:0] -A POSTROUTING -o eth3 -m comment --comment "!fw3" -j zone_GE4_postrouting
  1041. [0:0] -A POSTROUTING -o eth4 -m comment --comment "!fw3" -j zone_GE5_postrouting
  1042. [0:0] -A POSTROUTING -o eth5 -m comment --comment "!fw3" -j zone_GE6_postrouting
  1043. [0:0] -A POSTROUTING -o eth6 -m comment --comment "!fw3" -j zone_GE7_postrouting
  1044. [0:0] -A POSTROUTING -o eth7 -m comment --comment "!fw3" -j zone_GE8_postrouting
  1045. [0:0] -A POSTROUTING -o br-network1 -m comment --comment "!fw3" -j zone_network1_postrouting
  1046. [0:0] -A POSTROUTING -o br-network100 -m comment --comment "!fw3" -j zone_network100_postrouting
  1047. [0:0] -A POSTROUTING -o br-network101 -m comment --comment "!fw3" -j zone_network101_postrouting
  1048. [0:0] -A zone_GE3_postrouting -m comment --comment "!fw3: Custom GE3 postrouting rule chain" -j postrouting_GE3_rule
  1049. [0:0] -A zone_GE3_postrouting -m comment --comment "!fw3" -j MASQUERADE
  1050. [156734:23313218] -A zone_GE3_prerouting -m comment --comment "!fw3: Custom GE3 prerouting rule chain" -j prerouting_GE3_rule
  1051. [0:0] -A zone_GE4_postrouting -m comment --comment "!fw3: Custom GE4 postrouting rule chain" -j postrouting_GE4_rule
  1052. [0:0] -A zone_GE4_postrouting -m comment --comment "!fw3" -j MASQUERADE
  1053. [14208:1064864] -A zone_GE4_prerouting -m comment --comment "!fw3: Custom GE4 prerouting rule chain" -j prerouting_GE4_rule
  1054. [0:0] -A zone_GE5_postrouting -m comment --comment "!fw3: Custom GE5 postrouting rule chain" -j postrouting_GE5_rule
  1055. [0:0] -A zone_GE5_postrouting -m comment --comment "!fw3" -j MASQUERADE
  1056. [0:0] -A zone_GE5_prerouting -m comment --comment "!fw3: Custom GE5 prerouting rule chain" -j prerouting_GE5_rule
  1057. [0:0] -A zone_GE6_postrouting -m comment --comment "!fw3: Custom GE6 postrouting rule chain" -j postrouting_GE6_rule
  1058. [0:0] -A zone_GE6_postrouting -m comment --comment "!fw3" -j MASQUERADE
  1059. [0:0] -A zone_GE6_prerouting -m comment --comment "!fw3: Custom GE6 prerouting rule chain" -j prerouting_GE6_rule
  1060. [0:0] -A zone_GE7_postrouting -m comment --comment "!fw3: Custom GE7 postrouting rule chain" -j postrouting_GE7_rule
  1061. [0:0] -A zone_GE7_postrouting -m comment --comment "!fw3" -j MASQUERADE
  1062. [0:0] -A zone_GE7_prerouting -m comment --comment "!fw3: Custom GE7 prerouting rule chain" -j prerouting_GE7_rule
  1063. [0:0] -A zone_GE8_postrouting -m comment --comment "!fw3: Custom GE8 postrouting rule chain" -j postrouting_GE8_rule
  1064. [0:0] -A zone_GE8_postrouting -m comment --comment "!fw3" -j MASQUERADE
  1065. [0:0] -A zone_GE8_prerouting -m comment --comment "!fw3: Custom GE8 prerouting rule chain" -j prerouting_GE8_rule
  1066. [0:0] -A zone_network1_postrouting -m comment --comment "!fw3: Custom network1 postrouting rule chain" -j postrouting_network1_rule
  1067. [3:192] -A zone_network1_prerouting -m comment --comment "!fw3: Custom network1 prerouting rule chain" -j prerouting_network1_rule
  1068. COMMIT
  1069. # Completed on Tue Aug 25 09:22:41 2020
  1070. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
  1071. inet 127.0.0.1/8 scope host lo
  1072. valid_lft forever preferred_lft forever
  1073. 271: eth2@if272: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 10000 link-netnsid 0
  1074. inet 169.254.9.2/29 brd 169.254.9.7 scope global eth2
  1075. valid_lft forever preferred_lft forever
  1076. 21: br-management: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
  1077. inet 10.0.3.2/32 brd 255.255.255.255 scope global br-management
  1078. valid_lft forever preferred_lft forever
  1079. 22: br-network1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  1080. inet 10.0.3.1/24 brd 10.0.3.255 scope global br-network1
  1081. valid_lft forever preferred_lft forever
  1082. 23: br-network100: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  1083. inet 10.100.3.1/24 brd 10.100.3.255 scope global br-network100
  1084. valid_lft forever preferred_lft forever
  1085. 25: br-network101: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  1086. inet 10.101.3.1/24 brd 10.101.3.255 scope global br-network101
  1087. valid_lft forever preferred_lft forever
  1088. 27: br-segmgmt: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
  1089. inet 169.254.3.1/32 brd 255.255.255.255 scope global br-segmgmt
  1090. valid_lft forever preferred_lft forever
  1091. inet 169.254.3.2/32 brd 255.255.255.255 scope global br-segmgmt
  1092. valid_lft forever preferred_lft forever
  1093. inet 169.254.3.3/32 brd 255.255.255.255 scope global br-segmgmt
  1094. valid_lft forever preferred_lft forever
  1095. 28: eth3.100@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  1096. inet 172.17.3.2/29 brd 172.17.3.7 scope global eth3.100
  1097. valid_lft forever preferred_lft forever
  1098. 29: eth3.101@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  1099. inet 172.18.3.2/29 brd 172.18.3.7 scope global eth3.101
  1100. valid_lft forever preferred_lft forever
  1101. 30: vce1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 4096
  1102. inet 169.254.129.4 peer 169.254.129.1/32 scope global vce1
  1103. valid_lft forever preferred_lft forever
  1104. default dev vce1 table 200 scope link
  1105. default via 169.254.9.1 dev eth2 table 210
  1106. default dev br-network1 table 213 scope link
  1107. default dev br-network100 table 214 scope link
  1108. default dev br-network101 table 215 scope link
  1109. default via 172.17.3.3 dev eth3.100 table 216
  1110. 172.17.3.0/29 dev eth3.100 table 216 scope link
  1111. default via 172.18.3.3 dev eth3.101 table 217
  1112. 172.18.3.0/29 dev eth3.101 table 217 scope link
  1113. default via 169.254.9.1 dev eth2 proto static metric 5
  1114. 10.0.3.0/24 dev br-network1 proto kernel scope link src 10.0.3.1
  1115. 10.100.3.0/24 dev br-network100 proto kernel scope link src 10.100.3.1
  1116. 10.101.3.0/24 dev br-network101 proto kernel scope link src 10.101.3.1
  1117. 169.254.9.0/29 dev eth2 proto kernel scope link src 169.254.9.2
  1118. 169.254.129.1 dev vce1 proto kernel scope link src 169.254.129.4
  1119. 172.17.3.0/29 dev eth3.100 proto kernel scope link src 172.17.3.2
  1120. 172.18.3.0/29 dev eth3.101 proto kernel scope link src 172.18.3.2
  1121. broadcast 10.0.3.0 dev br-network1 table local proto kernel scope link src 10.0.3.1
  1122. local 10.0.3.1 dev br-network1 table local proto kernel scope host src 10.0.3.1
  1123. local 10.0.3.2 dev br-management table local proto kernel scope host src 10.0.3.2
  1124. broadcast 10.0.3.255 dev br-network1 table local proto kernel scope link src 10.0.3.1
  1125. broadcast 10.100.3.0 dev br-network100 table local proto kernel scope link src 10.100.3.1
  1126. local 10.100.3.1 dev br-network100 table local proto kernel scope host src 10.100.3.1
  1127. broadcast 10.100.3.255 dev br-network100 table local proto kernel scope link src 10.100.3.1
  1128. broadcast 10.101.3.0 dev br-network101 table local proto kernel scope link src 10.101.3.1
  1129. local 10.101.3.1 dev br-network101 table local proto kernel scope host src 10.101.3.1
  1130. broadcast 10.101.3.255 dev br-network101 table local proto kernel scope link src 10.101.3.1
  1131. broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
  1132. local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
  1133. local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
  1134. broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
  1135. local 169.254.3.1 dev br-segmgmt table local proto kernel scope host src 169.254.3.1
  1136. local 169.254.3.2 dev br-segmgmt table local proto kernel scope host src 169.254.3.2
  1137. local 169.254.3.3 dev br-segmgmt table local proto kernel scope host src 169.254.3.3
  1138. broadcast 169.254.9.0 dev eth2 table local proto kernel scope link src 169.254.9.2
  1139. local 169.254.9.2 dev eth2 table local proto kernel scope host src 169.254.9.2
  1140. broadcast 169.254.9.7 dev eth2 table local proto kernel scope link src 169.254.9.2
  1141. local 169.254.129.4 dev vce1 table local proto kernel scope host src 169.254.129.4
  1142. broadcast 172.17.3.0 dev eth3.100 table local proto kernel scope link src 172.17.3.2
  1143. local 172.17.3.2 dev eth3.100 table local proto kernel scope host src 172.17.3.2
  1144. broadcast 172.17.3.7 dev eth3.100 table local proto kernel scope link src 172.17.3.2
  1145. broadcast 172.18.3.0 dev eth3.101 table local proto kernel scope link src 172.18.3.2
  1146. local 172.18.3.2 dev eth3.101 table local proto kernel scope host src 172.18.3.2
  1147. broadcast 172.18.3.7 dev eth3.101 table local proto kernel scope link src 172.18.3.2
  1148. 0: from all lookup local
  1149. 32755: from all fwmark 0xc8 lookup 200
  1150. 32756: from all fwmark 0xd7 lookup 215
  1151. 32757: from all fwmark 0xd6 lookup 214
  1152. 32758: from all fwmark 0xd5 lookup 213
  1153. 32760: from all fwmark 0xd9 lookup 217
  1154. 32761: from all fwmark 0xd8 lookup 216
  1155. 32762: from all fwmark 0xd3 lookup 211
  1156. 32763: from all fwmark 0xd2 lookup 210
  1157. 32766: from all lookup main
  1158. 32767: from all lookup default
  1159. edge:b3-edge1:~#
  1160.  
Advertisement
RAW Paste Data Copied
Advertisement