Protocol vrrp在iptables和firewalld中的记录

来自三线的随记

前几天接触到了防火墙环境下的 keepalived脑 裂问题

做一个小小的后续mark


firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface dmac-vc01v2058 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
[root@centos7 ~]# nslookup vrrp.mcast.net
Server:		223.5.5.5
Address:	223.5.5.5#53

Non-authoritative answer:
Name:	vrrp.mcast.net
Address: 224.0.0.18

ps: [这个解析结果就很有意思]

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    11840   18M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        1    29 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3       67  7216 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
4       67  7216 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
5       67  7216 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
6        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7       61  6736 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain INPUT_direct (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     112  --  dmac-vc01v2058 *       0.0.0.0/0            224.0.0.18          


- just a mark waiting for the 鸽子