Before creating the Onload firewall, run onload_iptables with the -v option
to identify which rules will be adopted by the firewall and which will be rejected (a reason is given for each rejection):
# onload_iptables -v
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5201
=> if=None protocol=tcp local_ip=0.0.0.0/0 local_port=5201-5201 remote_ip=0.0.0.0/0 remote_port=0-65535 action=DECELERATE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5201
=> if=None protocol=tcp local_ip=0.0.0.0/0 local_port=5201-5201 remote_ip=0.0.0.0/0 remote_port=0-65535 action=DECELERATE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:80:88
=> if=None protocol=tcp local_ip=0.0.0.0/0 local_port=80-88 remote_ip=0.0.0.0/0 remote_port=0-65535 action=
tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:800
=> Error parsing: Insuffcient arguments in rule.
The last rule is rejected because the action is missing.
Note: The -v option does not create firewall rules for any Solarflare interface, but
allows the user to preview which Linux iptables rules will be accepted and which will be
rejected by Onload.
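
The preview can be checked automatically before the firewall is created. The following is an added example, not part of the Onload distribution: it pairs each rule in the -v output with its "=>" result line and lists the rules Onload would reject. The function names, the script name check_preview.py and the rule that a result line without an action= field counts as a rejection are assumptions based on the output format shown above.

```python
import sys

# Constructed sample, in the format of the onload_iptables -v output shown above.
SAMPLE = """\
# onload_iptables -v
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5201
=> if=None protocol=tcp local_ip=0.0.0.0/0 local_port=5201-5201 remote_ip=0.0.0.0/0 remote_port=0-65535 action=DECELERATE
tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:800
=> Error parsing: Insuffcient arguments in rule.
"""


def parse_preview(text):
    """Pair each iptables rule line with the '=>' result line that follows it."""
    entries, rule = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or shell prompt
            continue
        if not line.startswith("=>"):
            rule = line  # an iptables rule as listed by the tool
            continue
        if rule is None:
            raise ValueError("result line without a preceding rule: " + line)
        body = line[2:].strip()
        # Assumption: an accepted rule is rendered as key=value fields that
        # include action=...; anything else is treated as a rejection reason.
        fields = dict(tok.split("=", 1) for tok in body.split() if "=" in tok)
        accepted = "action" in fields
        entries.append({"rule": rule, "accepted": accepted,
                        "fields": fields if accepted else {},
                        "reason": None if accepted else body})
        rule = None
    return entries


def rejected_rules(text):
    """Return (rule, reason) for every rule the preview reports as rejected."""
    return [(e["rule"], e["reason"]) for e in parse_preview(text) if not e["accepted"]]


if __name__ == "__main__":
    # Usage (hypothetical script name): onload_iptables -v | python3 check_preview.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    bad = rejected_rules(text)
    for rule, reason in bad:
        print("REJECTED: %s\n  reason: %s" % (rule, reason))
    sys.exit(1 if bad else 0)
```

The non-zero exit status lets a deployment script stop before creating the firewall while any Linux iptables rule is still rejected in the preview.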