Chain INPUT (policy ACCEPT 1383245 packets, 1457716917 bytes) pkts bytes target prot opt in out source destination 1382672 1457619222 neutron-openvswi-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 1385 137454 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0 1385 137454 neutron-openvswi-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 1207659 packets, 199091317 bytes) pkts bytes target prot opt in out source destination 1207012 199009211 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0 1207012 199009211 neutron-openvswi-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain neutron-filter-top (2 references) pkts bytes target prot opt in out source destination 1208397 199146665 neutron-openvswi-local all -- * * 0.0.0.0/0 0.0.0.0/0 Chain neutron-openvswi-FORWARD (1 references) pkts bytes target prot opt in out source destination 3 1005 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap803c3d55-c7 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */ 1 317 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap803c3d55-c7 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */ 3 783 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap17009447-c5 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */ 3 730 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap17009447-c5 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */ 3 1005 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap5ac1b14e-1b --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */ 1 317 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap5ac1b14e-1b --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */ Chain neutron-openvswi-INPUT (1 references) pkts bytes target prot opt in out source destination 0 0 neutron-openvswi-o803c3d55-c all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap803c3d55-c7 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */ 0 0 neutron-openvswi-o17009447-c all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap17009447-c5 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */ 0 0 neutron-openvswi-o5ac1b14e-1 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap5ac1b14e-1b --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */ Chain neutron-openvswi-OUTPUT (1 references) pkts bytes target prot opt in out source destination Chain neutron-openvswi-i17009447-c (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */ 1 84 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */ 2 699 RETURN udp -- * * 192.168.1.2 0.0.0.0/0 udp spt:67 dpt:68 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set NETIPv497942cda-39b7-4374-8 src 0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */ Chain neutron-openvswi-i5ac1b14e-1 (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */ 1 359 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */ 0 0 RETURN udp -- * * 192.168.1.2 0.0.0.0/0 udp spt:67 dpt:68 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set NETIPv497942cda-39b7-4374-8 src 2 646 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */ Chain neutron-openvswi-i803c3d55-c (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */ 1 359 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */ 0 0 RETURN udp -- * * 192.168.1.2 0.0.0.0/0 udp spt:67 dpt:68 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set NETIPv497942cda-39b7-4374-8 src 2 646 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */ Chain neutron-openvswi-local (1 references) pkts bytes target prot opt in out source destination Chain neutron-openvswi-o17009447-c (2 references) pkts bytes target prot opt in out source destination 2 646 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 /* Allow DHCP client traffic. */ 1 84 neutron-openvswi-s17009447-c all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */ 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */ 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */ 1 84 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */ Chain neutron-openvswi-o5ac1b14e-1 (2 references) pkts bytes target prot opt in out source destination 1 317 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 /* Allow DHCP client traffic. */ 91 7544 neutron-openvswi-s5ac1b14e-1 all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */ 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */ 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */ 16 984 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */ Chain neutron-openvswi-o803c3d55-c (2 references) pkts bytes target prot opt in out source destination 1 317 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 /* Allow DHCP client traffic. */ 194 16022 neutron-openvswi-s803c3d55-c all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */ 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */ 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */ 39 2454 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */ Chain neutron-openvswi-s17009447-c (1 references) pkts bytes target prot opt in out source destination 1 84 RETURN all -- * * 192.168.1.33 0.0.0.0/0 MAC FA:16:3E:A3:61:A1 /* Allow traffic from defined IP/MAC pairs. */ 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* Drop traffic without an IP/MAC allow rule. */ Chain neutron-openvswi-s5ac1b14e-1 (1 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 192.168.1.31 0.0.0.0/0 MAC FA:16:3E:36:4D:EC /* Allow traffic from defined IP/MAC pairs. */ 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* Drop traffic without an IP/MAC allow rule. */ Chain neutron-openvswi-s803c3d55-c (1 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 192.168.1.35 0.0.0.0/0 MAC FA:16:3E:D9:86:7E /* Allow traffic from defined IP/MAC pairs. */ 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* Drop traffic without an IP/MAC allow rule. */ Chain neutron-openvswi-sg-chain (6 references) pkts bytes target prot opt in out source destination 3 1005 neutron-openvswi-i803c3d55-c all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap803c3d55-c7 --physdev-is-bridged /* Jump to the VM specific chain. */ 1 317 neutron-openvswi-o803c3d55-c all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap803c3d55-c7 --physdev-is-bridged /* Jump to the VM specific chain. */ 3 783 neutron-openvswi-i17009447-c all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap17009447-c5 --physdev-is-bridged /* Jump to the VM specific chain. */ 3 730 neutron-openvswi-o17009447-c all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap17009447-c5 --physdev-is-bridged /* Jump to the VM specific chain. */ 3 1005 neutron-openvswi-i5ac1b14e-1 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap5ac1b14e-1b --physdev-is-bridged /* Jump to the VM specific chain. */ 1 317 neutron-openvswi-o5ac1b14e-1 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap5ac1b14e-1b --physdev-is-bridged /* Jump to the VM specific chain. */ 1357 128396 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain neutron-openvswi-sg-fallback (6 references) pkts bytes target prot opt in out source destination 4 1292 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* Default drop rule for unmatched traffic. */