FortiGate
Sachin_Alex_Cherian_
Article Id 205959

Description

This article describes how to define a policy route based on MAC address.

Scope

The FortiGate must be able to see the source MAC address of the host itself. If a Layer 3 device sits between the host and the FortiGate, this configuration is not applicable, because the source MAC address the FortiGate sees is that of the L3 device, not the host.

Solution

Below is the CLI configuration for the policy route and the MAC-type address object it references as the source:


# config router policy
    edit 1
        set input-device "port10"
        set srcaddr "PC1"
        set gateway 10.5.63.254
        set output-device "port3"
    next
end

# config firewall address
    edit "PC1"
        set type mac
        set associated-interface "port10"
        set macaddr "00:78:65:6e:25:01"
    next
end

Validation

Use the command '# diag firewall proute list' to check the policy route.


Below is a sample entry:


id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=12 dport=0-65535 path(1) oif=5(port3) gwy=10.5.63.254
destination wildcard(1): 0.0.0.0/0.0.0.0
source mac(1): 00:78:65:6e:25:01-00:78:65:6e:25:01
hit_count=71 last_used=2022-01-31 06:47:23


The debug flow trace shows how the traffic is processed: the policy route (id=1) is matched before the routing table lookup, and the packet is forwarded to 10.5.63.254 via port3:


2022-01-31 06:47:23 id=20085 trace_id=9 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=1, 192.168.10.10:1->8.8.8.8:2048) from port10. type=8, code=0, id=1, seq=13."
2022-01-31 06:47:23 id=20085 trace_id=9 func=init_ip_session_common line=5955 msg="allocate a new session-005c1464"
2022-01-31 06:47:23 id=20085 trace_id=9 func=rpdb_srv_match_input line=1030 msg="Match policy routing id=1: to 10.5.63.254 via ifindex-5"
2022-01-31 06:47:23 id=20085 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.5.63.254 via port3"
2022-01-31 06:47:23 id=20085 trace_id=9 func=get_new_addr line=1230 msg="find SNAT: IP-10.5.55.40(from IPPOOL), port-60417"
2022-01-31 06:47:23 id=20085 trace_id=9 func=fw_forward_handler line=869 msg="Allowed by Policy-6: SNAT"
2022-01-31 06:47:23 id=20085 trace_id=9 func=__ip_session_run_tuple line=3492 msg="SNAT 192.168.10.10->10.5.55.40:60417"


The routing table is shown below for comparison:


Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.31.254, port1
C 10.5.16.0/20 is directly connected, port1
C 10.5.48.0/20 is directly connected, port3
S 10.100.69.65/32 [10/0] via 10.5.63.254, port3
O E2 192.168.2.0/24 [110/10] via 192.168.10.100, port10, 4d22h16m
C 192.168.10.0/24 is directly connected, port10


The packet is routed out of port3 even though the default route points to port1, because the policy route is evaluated before the routing table.
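As an added example, not part of the original article, the following Python script automates the three checks an operator performs by hand above: it parses the 'diag firewall proute list' output to find the policy route covering a given source MAC, confirms the debug flow trace matched that route toward the same gateway and output interface, and checks in the routing table that the gateway sits in a connected subnet of the output interface. The embedded sample text is copied from the article's output; the parsing regexes and the validate() result keys are this example's own assumptions about the output format, not a FortiOS API.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed samples: the outputs shown in the article, embedded so the
# script runs offline. On a real unit these would come from the CLI session.
PROUTE_OUTPUT = """\
id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=12 dport=0-65535 path(1) oif=5(port3) gwy=10.5.63.254
destination wildcard(1): 0.0.0.0/0.0.0.0
source mac(1): 00:78:65:6e:25:01-00:78:65:6e:25:01
hit_count=71 last_used=2022-01-31 06:47:23
"""

FLOW_TRACE = """\
2022-01-31 06:47:23 id=20085 trace_id=9 func=rpdb_srv_match_input line=1030 msg="Match policy routing id=1: to 10.5.63.254 via ifindex-5"
2022-01-31 06:47:23 id=20085 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.5.63.254 via port3"
"""

ROUTING_TABLE = """\
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.31.254, port1
C 10.5.16.0/20 is directly connected, port1
C 10.5.48.0/20 is directly connected, port3
S 10.100.69.65/32 [10/0] via 10.5.63.254, port3
C 192.168.10.0/24 is directly connected, port10
"""


@dataclass
class PolicyRoute:
    id: int
    iif: int
    oif: int
    oif_name: str
    gateway: str
    mac_ranges: list  # (low, high) pairs as integers
    hit_count: int = 0


# Regexes are assumptions about the proute/flow output format seen above.
HEADER_RE = re.compile(r"^id=(\d+) .*?iif=(\d+) .*?oif=(\d+)\((\w+)\) gwy=(\S+)")
MAC_RANGE_RE = re.compile(r"^source mac\(\d+\): (\S+)-(\S+)")
HIT_RE = re.compile(r"^hit_count=(\d+)")
MATCH_RE = re.compile(r'msg="Match policy routing id=(\d+): to (\S+) via ifindex-(\d+)"')
CONNECTED_RE = re.compile(r"^C\s+(\S+) is directly connected, (\S+)")


def mac_to_int(mac):
    """Turn 'aa:bb:cc:dd:ee:ff' into an integer so ranges can be compared."""
    return int(mac.replace(":", ""), 16)


def parse_proute_list(text):
    """Parse one or more entries of 'diag firewall proute list'."""
    routes, current = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = PolicyRoute(int(m[1]), int(m[2]), int(m[3]), m[4], m[5], [])
            routes.append(current)
        elif current and (m := MAC_RANGE_RE.match(line)):
            current.mac_ranges.append((mac_to_int(m[1]), mac_to_int(m[2])))
        elif current and (m := HIT_RE.match(line)):
            current.hit_count = int(m[1])
    return routes


def route_for_mac(routes, mac):
    """First policy route whose source-MAC range covers `mac`, or None."""
    value = mac_to_int(mac)
    return next((r for r in routes if any(lo <= value <= hi for lo, hi in r.mac_ranges)), None)


def trace_confirms_route(trace, route):
    """True if the flow trace shows `route` matched toward its own gateway and oif."""
    for line in trace.splitlines():
        m = MATCH_RE.search(line)
        if m and int(m[1]) == route.id:
            return m[2] == route.gateway and int(m[3]) == route.oif
    return False


def gateway_on_interface(routing_table, gateway, ifname):
    """True if `gateway` lies in a directly connected subnet of `ifname`."""
    gw = ipaddress.ip_address(gateway)
    for line in routing_table.splitlines():
        m = CONNECTED_RE.match(line)
        if m and m[2] == ifname and gw in ipaddress.ip_network(m[1], strict=False):
            return True
    return False


def validate(proute_text, trace, routing_table, mac, expected_oif):
    """Run all checks for one source MAC and report the results as a dict."""
    route = route_for_mac(parse_proute_list(proute_text), mac)
    if route is None:
        return {"route_found": False}
    return {
        "route_found": True,
        "route_id": route.id,
        "oif_name": route.oif_name,
        "oif_is_expected": route.oif_name == expected_oif,
        "gateway_reachable": gateway_on_interface(routing_table, route.gateway, route.oif_name),
        "trace_confirms": trace_confirms_route(trace, route),
        "hit_count": route.hit_count,
    }


if __name__ == "__main__":
    print(validate(PROUTE_OUTPUT, FLOW_TRACE, ROUTING_TABLE, "00:78:65:6e:25:01", "port3"))
```

A MAC outside the configured range returns route_found=False, which is the quickest way to spot the Scope caveat in practice: when an L3 device sits in front of the hosts, the MAC the FortiGate sees is the intermediate device's, and the address object never matches.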