Here at the WMF, we use a lot of Netfilter software, mostly iptables through the ferm wrapper (ops/puppet). Other software stacks, like Kubernetes and OpenStack, also use iptables to manage networking.
However, iptables is being replaced by nftables.
This new framework (well, not that new) brings some interesting features for us, which can drastically improve some of our use cases and remove our need for wrappers like ferm:
- native dual stack support for IPv4 & IPv6
- native support for performance structures, like sets, maps, dictionaries and concatenations
- improved debugging and reporting options
- native support for all classic families in a single tool (vs the split: iptables, ip6tables, arptables, ebtables)
- ingress hook support for improved performance
- flexible ruleset layout, vs the classical static layout of iptables (i.e. filter/INPUT, nat/PREROUTING, etc)
- optional counters and multiple actions in a single rule (i.e., you can increment a counter, log and NAT in the same rule)
- improved ruleset management options, fully atomic and incremental ruleset updates, improved error reporting, etc
- all the ecosystem and tooling is supported (conntrack-tools, sysctl keys, libs, etc)
In our case (WMF), an eventual migration from iptables (ferm) to nftables would require:
- a puppet rewrite of the affected modules (base::firewall and friends)
- integration of external software stacks with nftables (i.e., k8s and openstack generating nftables rulesets vs iptables)
External software projects should address the migration by themselves; I don't plan to send patches unless we determine it's crucial or key for our business.
There is also a Netfilter upstream compat/translation effort in place to help in migrations, but I don't think we need those (well, we could trick k8s or openstack so they generate nftables rules without a single change in their codebase).
I maintain the Debian nftables packages; they are in good shape and up to date, ready to use.
This is, for example, an iptables ruleset generated by openstack in our WMCS infra, which could be rewritten natively in nftables using 2 or 3 rules with sets and maps.
-j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.X/XX -d XX.XX.XX.X/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.X/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A 
nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A 
nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s 
XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.X/XX -d XX.XX.XX.X/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.X/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT 
--to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source 
XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.X/XX -d XX.XX.XX.X/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.X/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A 
nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.X/XX -d XX.XX.XX.X/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s 
XX.XX.XX.X/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -d XX.XX.XX.XX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX 
-j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -d XX.XX.XX.XXX/XX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-float-snat -s XX.XX.XX.XXX/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-network-snat -j nova-network-float-snat -A nova-network-snat -s XX.XX.XX.X/XX -o ethX -j SNAT --to-source XXX.XX.XXX.XXX -A nova-postrouting-bottom -j nova-network-snat -A nova-postrouting-bottom -j nova-api-snat COMMIT # Completed on Mon Feb XX XX:XX:XX XXXX
I'm opening this ticket to collect comments and questions across teams which may have different points of view, use cases, tradeoffs and requirements for an eventual migration.
More info at http://wiki.nftables.org/ (plenty of docs and examples).
For those who may know nothing about nftables, this is what a ruleset on my laptop looks like:
```
⏚ arturo@endurance:~$ sudo nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
		iif "lo" accept
		ct state established,related accept
		icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
		counter packets 4990 bytes 472427 drop
	}
}
```
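To make concrete the claim that the nova-network dump above collapses into 2 or 3 nftables rules with sets and maps, here is an added example (not part of the original ticket, and not OpenStack or nftables project code): a small Python converter that folds the per-instance DNAT/SNAT rules into two maps, one concatenation set and three rules. The addresses are constructed documentation-range values; the /32 masks, `eth0`, and the table, map and set names are assumptions, since the page redacts or omits them, and the SNAT side assumes every fixed IP has both rule forms, as in the dump.

```python
import ipaddress
import re

# Constructed sample shaped like the redacted dump (documentation addresses;
# the /32 masks and "eth0" are assumptions, the page only shows /XX and ethX).
SAMPLE = """\
-A nova-network-PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
-A nova-network-PREROUTING -d 203.0.113.11/32 -j DNAT --to-destination 10.0.0.6
-A nova-network-float-snat -s 10.0.0.5/32 -d 10.0.0.5/32 -j SNAT --to-source 203.0.113.10
-A nova-network-float-snat -s 10.0.0.5/32 -o eth0 -j SNAT --to-source 203.0.113.10
-A nova-network-float-snat -s 10.0.0.6/32 -d 10.0.0.6/32 -j SNAT --to-source 203.0.113.11
-A nova-network-float-snat -s 10.0.0.6/32 -o eth0 -j SNAT --to-source 203.0.113.11
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 203.0.113.1
"""

DNAT_RE = re.compile(r"^-A \S+ -d (\S+) -j DNAT --to-destination (\S+)$")
SNAT_RE = re.compile(r"^-A \S+ -s (\S+) (?:-d (\S+)|-o (\S+)) -j SNAT --to-source (\S+)$")

def host(cidr):
    """Address of an IPv4 /32, or None for anything wider or unparsable."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return None
    return str(net.network_address) if (net.version, net.prefixlen) == (4, 32) else None

def parse(rules_text):
    """Split iptables-save NAT rules into map/set contents; keep the rest aside."""
    dnat, snat, hairpin, oifs, skipped = {}, {}, set(), set(), []
    for line in map(str.strip, rules_text.splitlines()):
        m = DNAT_RE.match(line)
        if m and host(m.group(1)):
            dnat[host(m.group(1))] = m.group(2)
            continue
        m = SNAT_RE.match(line)
        src = host(m.group(1)) if m else None
        if src and (m.group(3) or host(m.group(2)) == src):
            snat[src] = m.group(4)
            # "-s X -o ethX" records the interface, "-s X -d X" the hairpin pair
            (oifs if m.group(3) else hairpin).add(m.group(3) or src)
        elif " -j DNAT " in line or " -j SNAT " in line:
            skipped.append(line)  # e.g. subnet-wide SNAT: translate by hand
    return dnat, snat, hairpin, oifs, skipped

def block(kind, name, typ, items):
    """One nft map/set declaration; 'elements' is omitted when empty."""
    elems = f"\t\telements = {{ {', '.join(items)} }}\n" if items else ""
    return f"\t{kind} {name} {{\n\t\ttype {typ}\n{elems}\t}}\n"

def render(dnat, snat, hairpin, oifs):
    """Emit a table (hypothetical name nova_nat) with three NAT rules in total."""
    pairs = lambda d: [f"{k} : {v}" for k, v in sorted(d.items())]
    oif = ", ".join(f'"{o}"' for o in sorted(oifs))
    return (
        "table ip nova_nat {\n"
        + block("map", "float_dnat", "ipv4_addr : ipv4_addr", pairs(dnat))
        + block("map", "float_snat", "ipv4_addr : ipv4_addr", pairs(snat))
        + block("set", "hairpin", "ipv4_addr . ipv4_addr", [f"{a} . {a}" for a in sorted(hairpin)])
        + "\tchain prerouting {\n\t\ttype nat hook prerouting priority -100; policy accept;\n"
        "\t\tdnat to ip daddr map @float_dnat\n\t}\n"
        "\tchain postrouting {\n\t\ttype nat hook postrouting priority 100; policy accept;\n"
        "\t\tip saddr . ip daddr @hairpin snat to ip saddr map @float_snat\n"
        f"\t\toifname {{ {oif} }} snat to ip saddr map @float_snat\n\t}}\n}}\n"
    )

if __name__ == "__main__":
    print(render(*parse(SAMPLE)[:4]))
```

Generated output can be validated without loading it using `nft -c -f <file>`; lines returned in `skipped` (here the subnet-wide SNAT) are not covered by the maps and need their own rule.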