[ https://issues.apache.org/jira/browse/CLOUDSTACK-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16049102#comment-16049102 ]
Jayapal Reddy edited comment on CLOUDSTACK-9934 at 6/14/17 12:04 PM:
---------------------------------------------------------------------

Moved ACL_OUTBOUND_eth3 to last to correct the behaviour.

{noformat}
root@r-138-QA:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:02:b3 brd ff:ff:ff:ff:ff:ff
    inet 169.254.2.179/16 brd 169.254.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:b5:00:00:14 brd ff:ff:ff:ff:ff:ff
    inet 10.147.46.108/24 brd 10.147.46.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:0d:61:00:08 brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.1/24 brd 10.1.2.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:50:fe:00:10 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth3
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:21:00:00:34 brd ff:ff:ff:ff:ff:ff
    inet 10.147.52.101/24 brd 10.147.52.255 scope global eth4
root@r-138-QA:~# iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 303 packets, 16393 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   168 CONNMARK   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
    0     0 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
    0     0 ACL_OUTBOUND_eth2  all  --  eth2   *       10.1.2.0/24         !10.1.2.1             state NEW
    0     0 CONNMARK   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x1
    0     0 CONNMARK   all  --  eth4   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x4
    3   213 MARK       all  --  *      *       10.1.1.68            0.0.0.0/0            state NEW MARK set 0x4
    3   213 CONNMARK   all  --  *      *       10.1.1.68            0.0.0.0/0            state NEW CONNMARK save
    1    84 ACL_OUTBOUND_eth3  all  --  eth3   *       10.1.1.0/24         !10.1.1.1             state NEW

Chain INPUT (policy ACCEPT 298 packets, 15973 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       10.2.0.0/16          10.1.0.0/16          MARK set 0x524

Chain FORWARD (policy ACCEPT 6 packets, 504 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   504 VPN_STATS_eth4  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 MARK       all  --  *      *       10.2.0.0/16          10.1.0.0/16          MARK set 0x524
    0     0 MARK       all  --  *      *       10.1.0.0/16          10.2.0.0/16          MARK set 0x525
    6   504 VPN_STATS_eth1  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 295 packets, 36038 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 CHECKSUM fill
    0     0 MARK       all  --  *      *       10.1.0.0/16          10.2.0.0/16          MARK set 0x525

Chain POSTROUTING (policy ACCEPT 301 packets, 36542 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 CHECKSUM fill

Chain ACL_OUTBOUND_eth2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ACL_OUTBOUND_eth3 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
    1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VPN_STATS_eth1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            mark match 0x525
    0     0            all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            mark match 0x524

Chain VPN_STATS_eth4 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      eth4    0.0.0.0/0            0.0.0.0/0            mark match 0x525
    0     0            all  --  eth4   *       0.0.0.0/0            0.0.0.0/0            mark match 0x524
root@r-138-QA:~# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 26 packets, 1875 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  eth0   *       0.0.0.0/0            10.147.52.101        to:10.1.1.68
    0     0 DNAT       all  --  *      *       0.0.0.0/0            10.147.52.101        to:10.1.1.68

Chain INPUT (policy ACCEPT 22 packets, 1539 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 129 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            10.147.52.101        to:10.1.1.68

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth0    10.1.1.0/24          10.1.1.68            to:10.1.2.1
    4   336 SNAT       all  --  *      eth4    10.1.1.68            0.0.0.0/0            to:10.147.52.101
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            mark match 0x525
    0     0 SNAT       all  --  *      eth3    10.1.1.0/24          0.0.0.0/0            to:10.1.1.1
    0     0 SNAT       all  --  *      eth2    10.1.2.0/24          0.0.0.0/0            to:10.1.2.1
    9  1986 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:10.147.46.108
    0     0 SNAT       all  --  *      eth4    0.0.0.0/0            0.0.0.0/0            to:10.147.52.101
root@r-138-QA:~#
{noformat}

> Traffic is not routed correctly on additional public interface from static nat enabled vm
> ----------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-9934
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9934
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Network Devices
> Reporter: Jayapal Reddy
> Fix For: 4.10.0.0
>
>
> 1. Configure static nat on additional public subnet ip in VPC.
> 2. Now ping google.com from the static nat enabled vm.
> 3. The traffic is supposed to leave from the additional public ip interface (static nat enabled ip).
> Bug: The traffic is leaving via default source nat interface (eth1).
> Reason:
> In the iptables mangle table, the ACL_OUTBOUND_ethX chain is accepting the traffic before the connmark rule hits the packet.
> Please look at the below logs.
> {noformat}
> root@r-135-QA:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 0e:00:a9:fe:01:13 brd ff:ff:ff:ff:ff:ff
>     inet 169.254.1.19/16 brd 169.254.255.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 1e:00:f9:00:00:14 brd ff:ff:ff:ff:ff:ff
>     inet 10.147.46.108/24 brd 10.147.46.255 scope global eth1
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 02:00:29:c5:00:05 brd ff:ff:ff:ff:ff:ff
>     inet 10.1.2.1/24 brd 10.1.2.255 scope global eth3
> 6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 02:00:45:73:00:06 brd ff:ff:ff:ff:ff:ff
>     inet 10.1.1.1/24 brd 10.1.1.255 scope global eth4
> 8: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 1e:00:2a:00:00:34 brd ff:ff:ff:ff:ff:ff
>     inet 10.147.52.101/24 brd 10.147.52.255 scope global eth2
> root@r-135-QA:~#
> root@r-135-QA:~# iptables -t mangle -L -nv
> Chain PREROUTING (policy ACCEPT 328 packets, 19964 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    77  6453 CONNMARK   all  --  eth4   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
>     7   541 CONNMARK   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
>     2   144 ACL_OUTBOUND_eth3  all  --  eth3   *       10.1.2.0/24         !10.1.2.1             state NEW
>     0     0 CONNMARK   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x1
>    34  2832 ACL_OUTBOUND_eth4  all  --  eth4   *       10.1.1.0/24         !10.1.1.1             state NEW
>    12   801 CONNMARK   all  --  *      *       10.1.1.68            0.0.0.0/0            state NEW CONNMARK save
>     0     0 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x2
>     2   129 MARK       all  --  *      *       10.1.2.128           0.0.0.0/0            state NEW MARK set 0x2
>     2   129 CONNMARK   all  --  *      *       10.1.2.128           0.0.0.0/0            state NEW CONNMARK save
>
> Chain INPUT (policy ACCEPT 325 packets, 19712 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 4 packets, 336 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     4   336 VPN_STATS_eth2  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>   209 17520 VPN_STATS_eth1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 291 packets, 35814 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 CHECKSUM fill
>
> Chain POSTROUTING (policy ACCEPT 295 packets, 36150 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 CHECKSUM fill
>
> Chain ACL_OUTBOUND_eth3 (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
>     2   144 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain ACL_OUTBOUND_eth4 (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
>    33  2748 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain ACL_OUTBOUND_eth5 (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain VPN_STATS_eth1 (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0            all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            mark match 0x525
>     0     0            all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            mark match 0x524
>
> Chain VPN_STATS_eth2 (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0            all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            mark match 0x525
>     0     0            all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            mark match 0x524
> root@r-135-QA:~#
> root@r-135-QA:~# tcpdump -i eth1 -nq
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 06:19:44.981751 IP 10.147.46.108 > 216.58.203.142: ICMP echo request, id 23906, seq 3, length 64
> 06:19:45.000805 IP 216.58.203.142 > 10.147.46.108: ICMP echo reply, id 23906, seq 3, length 64
> 06:19:46.312487 STP 802.1d, Config, Flags [none], bridge-id 802e.f0:b2:e5:81:12:00.8027, length 42
> 06:19:48.316566 STP 802.1d, Config, Flags [none], bridge-id 802e.f0:b2:e5:81:12:00.8027, length 42
> 06:19:49.103007 ARP, Request who-has 10.147.46.108 (1e:00:f9:00:00:14) tell 0.0.0.0, length 46
> 06:19:49.103025 ARP, Reply 10.147.46.108 is-at 1e:00:f9:00:00:14, length 28
> 06:19:50.159695 ARP, Request who-has 10.147.46.1 tell 10.147.46.104, length 28
> 06:19:50.315802 STP 802.1d, Config, Flags [none], bridge-id 802e.f0:b2:e5:81:12:00.8027, length 42
> 06:19:52.316119 STP 802.1d, Config, Flags [none], bridge-id 802e.f0:b2:e5:81:12:00.8027, length 42
> ^C
> 9 packets captured
> 9 packets received by filter
> 0 packets dropped by kernel
> root@r-135-QA:~#
> root@r-135-QA:~# iptables -t nat -L -nv
> Chain PREROUTING (policy ACCEPT 10 packets, 714 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       all  --  eth0   *       0.0.0.0/0            10.147.52.101        to:10.1.2.128
>     0     0 DNAT       all  --  *      *       0.0.0.0/0            10.147.52.101        to:10.1.2.128
>
> Chain INPUT (policy ACCEPT 8 packets, 546 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 2 packets, 129 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       all  --  *      *       0.0.0.0/0            10.147.52.101        to:10.1.2.128
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 SNAT       all  --  *      eth0    10.1.2.0/24          10.1.2.128           to:10.147.44.100
>     0     0 SNAT       all  --  *      eth2    10.1.2.128           0.0.0.0/0            to:10.147.52.101
>     0     0 SNAT       all  --  *      eth4    10.1.1.0/24          0.0.0.0/0            to:10.1.1.1
>     0     0 SNAT       all  --  *      eth3    10.1.2.0/24          0.0.0.0/0            to:10.1.2.1
>    26  1841 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:10.147.46.108
>     0     0 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.52.101
> root@r-135-QA:~#
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
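
The rule-ordering problem described in this issue can be checked mechanically. The following is an added example, not part of the original message or of CloudStack's code: it parses `iptables -t mangle -L -nv` output and reports NEW-state MARK/CONNMARK rules that sit after a jump to a chain ending in an unconditional ACCEPT for the same source. The function names and the trimmed sample listing are assumptions made for illustration.

```python
import ipaddress

# Added example; names are illustrative, not CloudStack code.
# Constructed sample: rows trimmed from the r-135-QA mangle listing in this issue.
BUGGY = """\
Chain PREROUTING (policy ACCEPT 328 packets, 19964 bytes)
    2   144 ACL_OUTBOUND_eth3 all -- eth3 * 10.1.2.0/24 !10.1.2.1 state NEW
   34  2832 ACL_OUTBOUND_eth4 all -- eth4 * 10.1.1.0/24 !10.1.1.1 state NEW
   12   801 CONNMARK all -- * * 10.1.1.68 0.0.0.0/0 state NEW CONNMARK save
    2   129 MARK all -- * * 10.1.2.128 0.0.0.0/0 state NEW MARK set 0x2
    2   129 CONNMARK all -- * * 10.1.2.128 0.0.0.0/0 state NEW CONNMARK save
Chain ACL_OUTBOUND_eth3 (1 references)
    2   144 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ACL_OUTBOUND_eth4 (1 references)
   33  2748 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
"""

def parse_chains(listing):
    """Parse `iptables -L -nv` text into {chain name: [rule dict, ...]}."""
    chains, current = {}, None
    for parts in (line.split() for line in listing.splitlines()):
        if parts[:1] == ["Chain"]:
            current = chains.setdefault(parts[1], [])
        elif len(parts) >= 8 and parts[0][0].isdigit() and current is not None:
            if parts[3] == "--":              # row without a target (counter only)
                parts.insert(2, "")
            current.append({"target": parts[2], "in": parts[5], "src": parts[7],
                            "dst": parts[8], "extra": " ".join(parts[9:])})
    return chains

def accepts_all(rules):
    """True when a chain ends traversal for every packet (unconditional ACCEPT)."""
    return any(r["target"] == "ACCEPT" and r["src"] == r["dst"] == "0.0.0.0/0"
               and not r["extra"] for r in rules)

def shadowed_marks(listing, hook="PREROUTING"):
    """Return (position, source, chain) for mark rules placed after an accept-all jump."""
    chains = parse_chains(listing)
    jumps, found = [], []
    for pos, r in enumerate(chains.get(hook, []), start=1):
        if r["src"].startswith("!"):
            continue                          # negated sources are out of scope here
        net = ipaddress.ip_network(r["src"])
        if accepts_all(chains.get(r["target"], [])):
            jumps.append((r["target"], r["in"], net))
        elif r["target"] in ("MARK", "CONNMARK") and "state NEW" in r["extra"]:
            found += [(pos, r["src"], name) for name, dev, jnet in jumps
                      if net.subnet_of(jnet) and (dev == "*" or r["in"] in ("*", dev))]
    return found
```

`shadowed_marks(BUGGY)` flags the three mark rules for 10.1.1.68 and 10.1.2.128; with the jump moved to the end, as in the r-138-QA listing, it returns an empty list. The jump rules exclude the gateway address as destination, so traffic addressed to the router itself still reaches the later rules.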