Iptables firewall driver adds forward rules for trusted ports

Iptables firewall driver can now add process trusted ports and adds rules for them to FORWARD chain. Change-Id: I67d0f17b4b56671fc2e2dd6e2fc4518dc42cd131 Closes-Bug: #1720205
2017-12-05 14:37:50 +01:00 · 2017-12-05 14:37:50 +01:00 · 97b30494a9
parent 20760bcdf5
commit 97b30494a9
4 changed files with 445 additions and 23 deletions
--- a/neutron/agent/linux/iptables_comments.py
+++ b/neutron/agent/linux/iptables_comments.py
@ -33,5 +33,6 @@ INVALID_DROP = ("Drop packets that appear related to an existing connection "
 ALLOW_ASSOC = ('Direct packets associated with a known session to the RETURN '
               'chain.')
 PORT_SEC_ACCEPT = 'Accept all packets when port security is disabled.'
+TRUSTED_ACCEPT = 'Accept all packets when port is trusted.'
 IPV6_RA_DROP = 'Drop IPv6 Router Advts from VM Instance.'
 IPV6_ICMP_ALLOW = 'Allow IPv6 ICMP traffic.'
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@ -108,6 +108,33 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
            else:
                self._update_remote_security_group_members(sec_group_ids)

+    def process_trusted_ports(self, port_ids):
+        """Process ports that are trusted and shouldn't be filtered."""
+        for port in port_ids:
+            self._add_trusted_port_rules(port)
+
+    def remove_trusted_ports(self, port_ids):
+        for port in port_ids:
+            self._remove_trusted_port_rules(port)
+
+    def _add_trusted_port_rules(self, port):
+        device = self._get_device_name(port)
+        jump_rule = [
+            '-m physdev --%s %s --physdev-is-bridged -j ACCEPT' % (
+                self.IPTABLES_DIRECTION[constants.INGRESS_DIRECTION],
+                device)]
+        self._add_rules_to_chain_v4v6(
+            'FORWARD', jump_rule, jump_rule, comment=ic.TRUSTED_ACCEPT)
+
+    def _remove_trusted_port_rules(self, port):
+        device = self._get_device_name(port)
+
+        jump_rule = [
+            '-m physdev --%s %s --physdev-is-bridged -j ACCEPT' % (
+                self.IPTABLES_DIRECTION[constants.INGRESS_DIRECTION],
+                device)]
+        self._remove_rule_from_chain_v4v6('FORWARD', jump_rule, jump_rule)
+
    def update_security_group_rules(self, sg_id, sg_rules):
        LOG.debug("Update rules of security group (%s)", sg_id)
        self.sg_rules[sg_id] = sg_rules
@ -266,6 +293,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
                                                  comment=comment)

    def _get_device_name(self, port):
+        if not isinstance(port, dict):
+            return port
        return port['device']

    def _update_port_sec_rules(self, port, direction, add=False):
@ -871,4 +900,6 @@ class OVSHybridIptablesFirewallDriver(IptablesFirewallDriver):
        return ('qvb' + port['device'])[:n_const.LINUX_DEV_LEN]

    def _get_device_name(self, port):
-        return get_hybrid_port_name(port['device'])
+        device_name = super(
+            OVSHybridIptablesFirewallDriver, self)._get_device_name(port)
+        return get_hybrid_port_name(device_name)
--- a/neutron/agent/securitygroups_rpc.py
+++ b/neutron/agent/securitygroups_rpc.py
@ -58,6 +58,20 @@ class SecurityGroupAgentRpc(object):
        self.plugin_rpc = plugin_rpc
        self.init_firewall(defer_refresh_firewall, integration_bridge)

+    def _get_trusted_devices(self, device_ids, devices):
+        trusted_devices = []
+        # Devices which are already added in firewall ports should
+        # not be treated as trusted devices but as regular ports
+        all_devices = devices.copy()
+        all_devices.update(self.firewall.ports)
+        device_names = [
+            dev['device'] for dev in all_devices.values()]
+        for device_id in device_ids:
+            if (device_id not in all_devices.keys() and
+                    device_id not in device_names):
+                trusted_devices.append(device_id)
+        return trusted_devices
+
    def init_firewall(self, defer_refresh_firewall=False,
                      integration_bridge=None):
        firewall_driver = cfg.CONF.SECURITYGROUP.firewall_driver or 'noop'
@ -127,7 +141,7 @@ class SecurityGroupAgentRpc(object):
        else:
            devices = self.plugin_rpc.security_group_rules_for_devices(
                self.context, list(device_ids))
-        trusted_devices = list(set(device_ids) - set(devices.keys()))
+        trusted_devices = self._get_trusted_devices(device_ids, devices)

        with self.firewall.defer_apply():
            if self.use_enhanced_rpc:
--- a/neutron/tests/unit/agent/test_securitygroups_rpc.py
+++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py
@ -775,6 +775,18 @@ class SecurityGroupAgentRpcTestCaseForNoneDriver(base.BaseTestCase):
        self.assertEqual(agent.firewall.__class__.__name__,
                         'NoopFirewallDriver')

+    def test_get_trusted_devices(self):
+        agent = sg_rpc.SecurityGroupAgentRpc(
+                context=None, plugin_rpc=mock.Mock())
+        device_ids = ['port_1_id', 'tap_2', 'tap_3', 'port_4_id']
+        devices = {
+            'port_1_id': {'device': 'tap_1'},
+            'port_3_id': {'device': 'tap_3'},
+        }
+        trusted_devices = agent._get_trusted_devices(
+            device_ids, devices)
+        self.assertEqual(['tap_2', 'port_4_id'], trusted_devices)
+

 class BaseSecurityGroupAgentRpcTestCase(base.BaseTestCase):
    def setUp(self, defer_refresh_firewall=False):
@ -1371,6 +1383,7 @@ CHAINS_NAT = 'OUTPUT|POSTROUTING|PREROUTING|float-snat|snat'

 IPTABLES_ARG['port1'] = 'port1'
 IPTABLES_ARG['port2'] = 'port2'
+IPTABLES_ARG['port3'] = 'port3'
 IPTABLES_ARG['mac1'] = '12:34:56:78:9A:BC'
 IPTABLES_ARG['mac2'] = '12:34:56:78:9A:BD'
 IPTABLES_ARG['ip1'] = '10.0.0.3/32'
@ -1751,7 +1764,7 @@ COMMIT
 # Completed by iptables_manager
 """ % IPTABLES_ARG

-IPSET_FILTER_2_3 = """# Generated by iptables_manager
+IPSET_FILTER_2_TRUSTED = """# Generated by iptables_manager
 *filter
 :FORWARD - [0:0]
 :INPUT - [0:0]
@ -1775,13 +1788,103 @@ IPSET_FILTER_2_3 = """# Generated by iptables_manager
 -I OUTPUT 1 -j neutron-filter-top
 -I OUTPUT 2 -j %(bn)s-OUTPUT
 -I neutron-filter-top 1 -j %(bn)s-local
-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \
+%(physdev_is_bridged)s -j ACCEPT
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -m set --match-set NIPv4security_group1 src -j RETURN
+-I %(bn)s-i_%(port1)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -m set --match-set NIPv4security_group1 src -j RETURN
+-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
+--sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
+-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP
+-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 6 -j RETURN
+-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
+--sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
+-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP
+-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 6 -j RETURN
+-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
+-I %(bn)s-s_%(port1)s 2 -j DROP
+-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
+-I %(bn)s-s_%(port2)s 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+
+IPSET_FILTER_2_3_TRUSTED = """# Generated by iptables_manager
+*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
+:neutron-filter-top - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \
+%(physdev_is_bridged)s -j ACCEPT
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
 -I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
@ -1925,6 +2028,94 @@ COMMIT
 # Completed by iptables_manager
 """ % IPTABLES_ARG

+IPTABLES_FILTER_2_TRUSTED = """# Generated by iptables_manager
+*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
+:neutron-filter-top - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \
+%(physdev_is_bridged)s -j ACCEPT
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -s %(ip2)s -j RETURN
+-I %(bn)s-i_%(port1)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN
+-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
+--sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
+-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP
+-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 6 -j RETURN
+-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
+--sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
+-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP
+-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 6 -j RETURN
+-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
+-I %(bn)s-s_%(port1)s 2 -j DROP
+-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
+-I %(bn)s-s_%(port2)s 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+
 IPTABLES_FILTER_2_2 = """# Generated by iptables_manager
 *filter
 :FORWARD - [0:0]
@ -2098,6 +2289,95 @@ COMMIT
 # Completed by iptables_manager
 """ % IPTABLES_ARG

+IPTABLES_FILTER_2_3_TRUSTED = """# Generated by iptables_manager
+*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
+:neutron-filter-top - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \
+%(physdev_is_bridged)s -j ACCEPT
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -s %(ip2)s -j RETURN
+-I %(bn)s-i_%(port1)s 5 -p icmp -j RETURN
+-I %(bn)s-i_%(port1)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN
+-I %(bn)s-i_%(port2)s 5 -p icmp -j RETURN
+-I %(bn)s-i_%(port2)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
+--sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
+-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP
+-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 6 -j RETURN
+-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
+--sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
+-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP
+-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 6 -j RETURN
+-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
+-I %(bn)s-s_%(port1)s 2 -j DROP
+-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
+-I %(bn)s-s_%(port2)s 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG

 IPTABLES_ARG['chains'] = CHAINS_EMPTY
 IPTABLES_FILTER_EMPTY = """# Generated by iptables_manager
@ -2269,6 +2549,94 @@ COMMIT
 # Completed by iptables_manager
 """ % IPTABLES_ARG

+IPTABLES_FILTER_V6_2_TRUSTED = """# Generated by iptables_manager
+*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
+:neutron-filter-top - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+:%(bn)s-(%(chains)s) - [0:0]
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \
+%(physdev_is_bridged)s -j ACCEPT
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-sg-chain
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-i_%(port1)s 1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+-I %(bn)s-i_%(port1)s 2 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+-I %(bn)s-i_%(port2)s 2 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
+--icmpv6-type 131 -j RETURN
+-I %(bn)s-o_%(port1)s 2 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
+--icmpv6-type 135 -j RETURN
+-I %(bn)s-o_%(port1)s 3 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
+--icmpv6-type 143 -j RETURN
+-I %(bn)s-o_%(port1)s 4 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+-I %(bn)s-o_%(port1)s 5 -p ipv6-icmp -j RETURN
+-I %(bn)s-o_%(port1)s 6 -p udp -m udp --sport 546 --dport 547 -j RETURN
+-I %(bn)s-o_%(port1)s 7 -p udp -m udp --sport 547 --dport 546 -j DROP
+-I %(bn)s-o_%(port1)s 8 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 9 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 10 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
+--icmpv6-type 131 -j RETURN
+-I %(bn)s-o_%(port2)s 2 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
+--icmpv6-type 135 -j RETURN
+-I %(bn)s-o_%(port2)s 3 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
+--icmpv6-type 143 -j RETURN
+-I %(bn)s-o_%(port2)s 4 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+-I %(bn)s-o_%(port2)s 5 -p ipv6-icmp -j RETURN
+-I %(bn)s-o_%(port2)s 6 -p udp -m udp --sport 546 --dport 547 -j RETURN
+-I %(bn)s-o_%(port2)s 7 -p udp -m udp --sport 547 --dport 546 -j DROP
+-I %(bn)s-o_%(port2)s 8 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 9 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 10 -j %(bn)s-sg-fallback
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+
 IPTABLES_ARG['chains'] = CHAINS_EMPTY
 IPTABLES_FILTER_V6_EMPTY = """# Generated by iptables_manager
 *filter
@ -2518,10 +2886,12 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):

    def test_security_group_rule_updated(self):
        self.rpc.security_group_rules_for_devices.return_value = self.devices2
-        self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
-        self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+                IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+                IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_BRIDGE_NET_2)

        self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
        self.rpc.security_group_rules_for_devices.return_value = self.devices3
@ -2635,10 +3005,12 @@ class TestSecurityGroupAgentEnhancedRpcWithIptables(

    def test_security_group_rule_updated(self):
        self.sg_info.return_value = self.devices_info2
-        self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
-        self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+                IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+                IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_BRIDGE_NET_2)

        self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
        self.sg_info.return_value = self.devices_info3
@ -2706,10 +3078,12 @@ class TestSecurityGroupAgentEnhancedIpsetWithIptables(
        self.ipset._get_new_set_ips = mock.Mock(return_value=['10.0.0.3'])
        self.ipset._get_deleted_set_ips = mock.Mock(return_value=[])
        self.sg_info.return_value = self.devices_info2
-        self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
-        self._replay_iptables(IPSET_FILTER_2_3, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+                IPSET_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+                IPSET_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_BRIDGE_NET_2)

        self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
        self.sg_info.return_value = self.devices_info3
@ -2829,10 +3203,12 @@ class TestSecurityGroupAgentWithOVSIptables(
    def test_security_group_rule_updated(self):
        self.ipconntrack._device_zone_map = {}
        self.rpc.security_group_rules_for_devices.return_value = self.devices2
-        self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_DEVICE_2)
-        self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_DEVICE_2)
+        self._replay_iptables(
+                IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_DEVICE_2)
+        self._replay_iptables(
+                IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+                IPTABLES_RAW_DEVICE_2)

        self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
        self.rpc.security_group_rules_for_devices.return_value = self.devices3