diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index f8431c7cb82..a686e0e82cc 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -23,6 +23,7 @@ from neutron.agent import firewall
 from neutron.agent.linux import ipset_manager
 from neutron.agent.linux import iptables_comments as ic
 from neutron.agent.linux import iptables_manager
+from neutron.agent.linux import utils
 from neutron.common import constants
 from neutron.common import ipv6_utils
 from neutron.extensions import portsecurity as psec
@@ -72,6 +73,32 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
             lambda: collections.defaultdict(list))
         self.pre_sg_members = None
         self.enable_ipset = cfg.CONF.SECURITYGROUP.enable_ipset
+        self._enabled_netfilter_for_bridges = False
+
+    def _enable_netfilter_for_bridges(self):
+        # we only need to set these values once, but it has to be when
+        # we create a bridge; before that the bridge module might not
+        # be loaded and the proc values aren't there.
+        if self._enabled_netfilter_for_bridges:
+            return
+        else:
+            self._enabled_netfilter_for_bridges = True
+
+        # These proc values ensure that netfilter is enabled on
+        # bridges; essential for enforcing security groups rules with
+        # OVS Hybrid.  Distributions can differ on whether this is
+        # enabled by default or not (Ubuntu - yes, Redhat - no, for
+        # example).
+        LOG.debug("Enabling netfilter for bridges")
+        utils.execute(['sysctl', '-w',
+                       'net.bridge.bridge-nf-call-arptables=1'],
+                      run_as_root=True)
+        utils.execute(['sysctl', '-w',
+                       'net.bridge.bridge-nf-call-ip6tables=1'],
+                      run_as_root=True)
+        utils.execute(['sysctl', '-w',
+                       'net.bridge.bridge-nf-call-iptables=1'],
+                      run_as_root=True)
 
     @property
     def ports(self):
@@ -104,7 +131,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
         LOG.debug("Preparing device (%s) filter", port['device'])
         self._remove_chains()
         self._set_ports(port)
-
+        self._enable_netfilter_for_bridges()
         # each security group has it own chains
         self._setup_chains()
         self.iptables.apply()
diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py
index a5dea8fd6c8..0953043b2dd 100644
--- a/neutron/tests/unit/agent/test_securitygroups_rpc.py
+++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py
@@ -2488,6 +2488,9 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):
         cfg.CONF.set_override('enable_ipset', False, group='SECURITYGROUP')
         cfg.CONF.set_override('comment_iptables_rules', False, group='AGENT')
 
+        self.utils_exec = mock.patch(
+            'neutron.agent.linux.utils.execute').start()
+
         self.rpc = mock.Mock()
         self._init_agent(defer_refresh_firewall)
 
@@ -2612,6 +2615,13 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):
             self.assertThat(kwargs['process_input'],
                             matchers.MatchesRegex(expected_regex))
 
+        expected = ['net.bridge.bridge-nf-call-arptables=1',
+                    'net.bridge.bridge-nf-call-ip6tables=1',
+                    'net.bridge.bridge-nf-call-iptables=1']
+        for e in expected:
+            self.utils_exec.assert_any_call(['sysctl', '-w', e],
+                                            run_as_root=True)
+
     def _replay_iptables(self, v4_filter, v6_filter, raw):
         self._register_mock_call(
             ['iptables-save', '-c'],