diff --git a/etc/neutron/rootwrap.d/iptables-firewall.filters b/etc/neutron/rootwrap.d/iptables-firewall.filters
index b8a6ab5b3ba..29c78dae3f0 100644
--- a/etc/neutron/rootwrap.d/iptables-firewall.filters
+++ b/etc/neutron/rootwrap.d/iptables-firewall.filters
@@ -19,3 +19,10 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
 #   "iptables", "-A", ...
 iptables: CommandFilter, iptables, root
 ip6tables: CommandFilter, ip6tables, root
+
+# neutron/agent/linux/iptables_manager.py
+#   "sysctl", "-w", ...
+sysctl: CommandFilter, sysctl, root
+
+# neutron/agent/linux/ip_conntrack.py
+conntrack: CommandFilter, conntrack, root
\ No newline at end of file