Merge "Iptables firewall driver adds forward rules for trusted ports"

neutron/agent/linux/iptables_comments.py

@@ -33,5 +33,6 @@ INVALID_DROP = ("Drop packets that appear related to an existing connection "
 ALLOW_ASSOC = ('Direct packets associated with a known session to the RETURN '
                'chain.')
 PORT_SEC_ACCEPT = 'Accept all packets when port security is disabled.'
+TRUSTED_ACCEPT = 'Accept all packets when port is trusted.'
 IPV6_RA_DROP = 'Drop IPv6 Router Advts from VM Instance.'
 IPV6_ICMP_ALLOW = 'Allow IPv6 ICMP traffic.'

neutron/agent/linux/iptables_firewall.py

@@ -108,6 +108,33 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
             else:
                 self._update_remote_security_group_members(sec_group_ids)
 
+    def process_trusted_ports(self, port_ids):
+        """Process ports that are trusted and shouldn't be filtered."""
+        for port in port_ids:
+            self._add_trusted_port_rules(port)
+
+    def remove_trusted_ports(self, port_ids):
+        for port in port_ids:
+            self._remove_trusted_port_rules(port)
+
+    def _add_trusted_port_rules(self, port):
+        device = self._get_device_name(port)
+        jump_rule = [
+            '-m physdev --%s %s --physdev-is-bridged -j ACCEPT' % (
+                self.IPTABLES_DIRECTION[constants.INGRESS_DIRECTION],
+                device)]
+        self._add_rules_to_chain_v4v6(
+            'FORWARD', jump_rule, jump_rule, comment=ic.TRUSTED_ACCEPT)
+
+    def _remove_trusted_port_rules(self, port):
+        device = self._get_device_name(port)
+
+        jump_rule = [
+            '-m physdev --%s %s --physdev-is-bridged -j ACCEPT' % (
+                self.IPTABLES_DIRECTION[constants.INGRESS_DIRECTION],
+                device)]
+        self._remove_rule_from_chain_v4v6('FORWARD', jump_rule, jump_rule)
+
     def update_security_group_rules(self, sg_id, sg_rules):
         LOG.debug("Update rules of security group (%s)", sg_id)
         self.sg_rules[sg_id] = sg_rules
@@ -266,6 +293,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
                                                   comment=comment)
 
     def _get_device_name(self, port):
+        if not isinstance(port, dict):
+            return port
         return port['device']
 
     def _update_port_sec_rules(self, port, direction, add=False):
@@ -871,4 +900,6 @@ class OVSHybridIptablesFirewallDriver(IptablesFirewallDriver):
         return ('qvb' + port['device'])[:n_const.LINUX_DEV_LEN]
 
     def _get_device_name(self, port):
-        return get_hybrid_port_name(port['device'])
+        device_name = super(
+            OVSHybridIptablesFirewallDriver, self)._get_device_name(port)
+        return get_hybrid_port_name(device_name)

neutron/agent/securitygroups_rpc.py

@@ -56,6 +56,20 @@ class SecurityGroupAgentRpc(object):
         self.plugin_rpc = plugin_rpc
         self.init_firewall(defer_refresh_firewall, integration_bridge)
 
+    def _get_trusted_devices(self, device_ids, devices):
+        trusted_devices = []
+        # Devices which are already added in firewall ports should
+        # not be treated as trusted devices but as regular ports
+        all_devices = devices.copy()
+        all_devices.update(self.firewall.ports)
+        device_names = [
+            dev['device'] for dev in all_devices.values()]
+        for device_id in device_ids:
+            if (device_id not in all_devices.keys() and
+                    device_id not in device_names):
+                trusted_devices.append(device_id)
+        return trusted_devices
+
     def init_firewall(self, defer_refresh_firewall=False,
                       integration_bridge=None):
         firewall_driver = cfg.CONF.SECURITYGROUP.firewall_driver or 'noop'
@@ -125,7 +139,7 @@ class SecurityGroupAgentRpc(object):
         else:
             devices = self.plugin_rpc.security_group_rules_for_devices(
                 self.context, list(device_ids))
-        trusted_devices = list(set(device_ids) - set(devices.keys()))
+        trusted_devices = self._get_trusted_devices(device_ids, devices)
 
         with self.firewall.defer_apply():
             if self.use_enhanced_rpc:

neutron/tests/unit/agent/test_securitygroups_rpc.py

@@ -775,6 +775,18 @@ class SecurityGroupAgentRpcTestCaseForNoneDriver(base.BaseTestCase):
         self.assertEqual(agent.firewall.__class__.__name__,
                          'NoopFirewallDriver')
 
+    def test_get_trusted_devices(self):
+        agent = sg_rpc.SecurityGroupAgentRpc(
+                context=None, plugin_rpc=mock.Mock())
+        device_ids = ['port_1_id', 'tap_2', 'tap_3', 'port_4_id']
+        devices = {
+            'port_1_id': {'device': 'tap_1'},
+            'port_3_id': {'device': 'tap_3'},
+        }
+        trusted_devices = agent._get_trusted_devices(
+            device_ids, devices)
+        self.assertEqual(['tap_2', 'port_4_id'], trusted_devices)
+
 
 class BaseSecurityGroupAgentRpcTestCase(base.BaseTestCase):
     def setUp(self, defer_refresh_firewall=False):
@@ -1371,6 +1383,7 @@ CHAINS_NAT = 'OUTPUT|POSTROUTING|PREROUTING|float-snat|snat'
 
 IPTABLES_ARG['port1'] = 'port1'
 IPTABLES_ARG['port2'] = 'port2'
+IPTABLES_ARG['port3'] = 'port3'
 IPTABLES_ARG['mac1'] = '12:34:56:78:9A:BC'
 IPTABLES_ARG['mac2'] = '12:34:56:78:9A:BD'
 IPTABLES_ARG['ip1'] = '10.0.0.3/32'
@@ -1751,7 +1764,7 @@ COMMIT
 # Completed by iptables_manager
 """ % IPTABLES_ARG
 
-IPSET_FILTER_2_3 = """# Generated by iptables_manager
+IPSET_FILTER_2_TRUSTED = """# Generated by iptables_manager
 *filter
 :FORWARD - [0:0]
 :INPUT - [0:0]
@@ -1775,13 +1788,103 @@ IPSET_FILTER_2_3 = """# Generated by iptables_manager
 -I OUTPUT 1 -j neutron-filter-top
 -I OUTPUT 2 -j %(bn)s-OUTPUT
 -I neutron-filter-top 1 -j %(bn)s-local
--I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \
+%(physdev_is_bridged)s -j ACCEPT
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
--I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
--I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
--I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -m set --match-set NIPv4security_group1 src -j RETURN
+-I %(bn)s-i_%(port1)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -m set --match-set NIPv4security_group1 src -j RETURN
+-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
+--sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
+-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP
+-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 6 -j RETURN
+-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
+--sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
+-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP
+-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 6 -j RETURN
+-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
+-I %(bn)s-s_%(port1)s 2 -j DROP
+-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
+-I %(bn)s-s_%(port2)s 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+
+IPSET_FILTER_2_3_TRUSTED = """# Generated by iptables_manager
+*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
+:neutron-filter-top - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \
+%(physdev_is_bridged)s -j ACCEPT
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
 -I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
@@ -1925,6 +2028,94 @@ COMMIT
 # Completed by iptables_manager
 """ % IPTABLES_ARG
 
+IPTABLES_FILTER_2_TRUSTED = """# Generated by iptables_manager
+*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
+:neutron-filter-top - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \
+%(physdev_is_bridged)s -j ACCEPT
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -s %(ip2)s -j RETURN
+-I %(bn)s-i_%(port1)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN
+-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
+--sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
+-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP
+-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 6 -j RETURN
+-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
+--sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
+-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP
+-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 6 -j RETURN
+-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
+-I %(bn)s-s_%(port1)s 2 -j DROP
+-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
+-I %(bn)s-s_%(port2)s 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+
 IPTABLES_FILTER_2_2 = """# Generated by iptables_manager
 *filter
 :FORWARD - [0:0]
@@ -2098,6 +2289,95 @@ COMMIT
 # Completed by iptables_manager
 """ % IPTABLES_ARG
 
+IPTABLES_FILTER_2_3_TRUSTED = """# Generated by iptables_manager
+*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
+:neutron-filter-top - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \
+%(physdev_is_bridged)s -j ACCEPT
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -s %(ip2)s -j RETURN
+-I %(bn)s-i_%(port1)s 5 -p icmp -j RETURN
+-I %(bn)s-i_%(port1)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN
+-I %(bn)s-i_%(port2)s 5 -p icmp -j RETURN
+-I %(bn)s-i_%(port2)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
+--sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
+-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP
+-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 6 -j RETURN
+-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
+--sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
+-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP
+-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 6 -j RETURN
+-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
+-I %(bn)s-s_%(port1)s 2 -j DROP
+-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
+-I %(bn)s-s_%(port2)s 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
 
 IPTABLES_ARG['chains'] = CHAINS_EMPTY
 IPTABLES_FILTER_EMPTY = """# Generated by iptables_manager
@@ -2269,6 +2549,94 @@ COMMIT
 # Completed by iptables_manager
 """ % IPTABLES_ARG
 
+IPTABLES_FILTER_V6_2_TRUSTED = """# Generated by iptables_manager
+*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
+:neutron-filter-top - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \
+%(physdev_is_bridged)s -j ACCEPT
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-i_%(port1)s 1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+-I %(bn)s-i_%(port1)s 2 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+-I %(bn)s-i_%(port2)s 2 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
+--icmpv6-type 131 -j RETURN
+-I %(bn)s-o_%(port1)s 2 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
+--icmpv6-type 135 -j RETURN
+-I %(bn)s-o_%(port1)s 3 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
+--icmpv6-type 143 -j RETURN
+-I %(bn)s-o_%(port1)s 4 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+-I %(bn)s-o_%(port1)s 5 -p ipv6-icmp -j RETURN
+-I %(bn)s-o_%(port1)s 6 -p udp -m udp --sport 546 --dport 547 -j RETURN
+-I %(bn)s-o_%(port1)s 7 -p udp -m udp --sport 547 --dport 546 -j DROP
+-I %(bn)s-o_%(port1)s 8 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 9 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 10 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
+--icmpv6-type 131 -j RETURN
+-I %(bn)s-o_%(port2)s 2 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
+--icmpv6-type 135 -j RETURN
+-I %(bn)s-o_%(port2)s 3 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
+--icmpv6-type 143 -j RETURN
+-I %(bn)s-o_%(port2)s 4 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+-I %(bn)s-o_%(port2)s 5 -p ipv6-icmp -j RETURN
+-I %(bn)s-o_%(port2)s 6 -p udp -m udp --sport 546 --dport 547 -j RETURN
+-I %(bn)s-o_%(port2)s 7 -p udp -m udp --sport 547 --dport 546 -j DROP
+-I %(bn)s-o_%(port2)s 8 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 9 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 10 -j %(bn)s-sg-fallback
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+
 IPTABLES_ARG['chains'] = CHAINS_EMPTY
 IPTABLES_FILTER_V6_EMPTY = """# Generated by iptables_manager
 *filter
@@ -2518,10 +2886,12 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):
 
     def test_security_group_rule_updated(self):
         self.rpc.security_group_rules_for_devices.return_value = self.devices2
-        self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
-        self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+                IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+                IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_BRIDGE_NET_2)
 
         self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
         self.rpc.security_group_rules_for_devices.return_value = self.devices3
@@ -2635,10 +3005,12 @@ class TestSecurityGroupAgentEnhancedRpcWithIptables(
 
     def test_security_group_rule_updated(self):
         self.sg_info.return_value = self.devices_info2
-        self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
-        self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+                IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+                IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_BRIDGE_NET_2)
 
         self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
         self.sg_info.return_value = self.devices_info3
@@ -2706,10 +3078,12 @@ class TestSecurityGroupAgentEnhancedIpsetWithIptables(
         self.ipset._get_new_set_ips = mock.Mock(return_value=['10.0.0.3'])
         self.ipset._get_deleted_set_ips = mock.Mock(return_value=[])
         self.sg_info.return_value = self.devices_info2
-        self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
-        self._replay_iptables(IPSET_FILTER_2_3, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+                IPSET_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+                IPSET_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_BRIDGE_NET_2)
 
         self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
         self.sg_info.return_value = self.devices_info3
@@ -2829,10 +3203,12 @@ class TestSecurityGroupAgentWithOVSIptables(
     def test_security_group_rule_updated(self):
         self.ipconntrack._device_zone_map = {}
         self.rpc.security_group_rules_for_devices.return_value = self.devices2
-        self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_DEVICE_2)
-        self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_DEVICE_2)
+        self._replay_iptables(
+                IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_DEVICE_2)
+        self._replay_iptables(
+                IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_DEVICE_2)
 
         self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
         self.rpc.security_group_rules_for_devices.return_value = self.devices3