diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index 66156914c53a..9aafc50a1fca 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -831,7 +831,8 @@ def restart_dhcp(context, dev, network_ref):
         else:
             LOG.debug(_('Pid %d is stale, relaunching dnsmasq'), pid)
 
-    cmd = ['FLAGFILE=%s' % FLAGS.dhcpbridge_flagfile,
+    cmd = ['env',
+           'FLAGFILE=%s' % FLAGS.dhcpbridge_flagfile,
            'NETWORK_ID=%s' % str(network_ref['id']),
            'dnsmasq',
            '--strict-order',
diff --git a/nova/rootwrap/filters.py b/nova/rootwrap/filters.py
index fc130139f736..52808d9ecbc9 100644
--- a/nova/rootwrap/filters.py
+++ b/nova/rootwrap/filters.py
@@ -73,19 +73,21 @@ class DnsmasqFilter(CommandFilter):
     """Specific filter for the dnsmasq call (which includes env)"""
 
     def match(self, userargs):
-        if (userargs[0].startswith("FLAGFILE=") and
-            userargs[1].startswith("NETWORK_ID=") and
-            userargs[2] == "dnsmasq"):
+        if (userargs[0] == 'env' and
+            userargs[1].startswith('FLAGFILE=') and
+            userargs[2].startswith('NETWORK_ID=') and
+            userargs[3] == 'dnsmasq'):
             return True
         return False
 
     def get_command(self, userargs):
-        return [self.exec_path] + userargs[3:]
+        dnsmasq_pos = userargs.index('dnsmasq')
+        return [self.exec_path] + userargs[dnsmasq_pos + 1:]
 
     def get_environment(self, userargs):
         env = os.environ.copy()
-        env['FLAGFILE'] = userargs[0].split('=')[-1]
-        env['NETWORK_ID'] = userargs[1].split('=')[-1]
+        env['FLAGFILE'] = userargs[1].split('=')[-1]
+        env['NETWORK_ID'] = userargs[2].split('=')[-1]
         return env
 
 
diff --git a/nova/tests/test_nova_rootwrap.py b/nova/tests/test_nova_rootwrap.py
index f67f2f56cd7c..dc615bf5d438 100644
--- a/nova/tests/test_nova_rootwrap.py
+++ b/nova/tests/test_nova_rootwrap.py
@@ -55,7 +55,7 @@ class RootwrapTestCase(test.TestCase):
         self.assertTrue(filtermatch is None)
 
     def test_DnsmasqFilter(self):
-        usercmd = ['FLAGFILE=A', 'NETWORK_ID=foobar', 'dnsmasq', 'foo']
+        usercmd = ['env', 'FLAGFILE=A', 'NETWORK_ID=foobar', 'dnsmasq', 'foo']
         f = filters.DnsmasqFilter("/usr/bin/dnsmasq", "root")
         self.assertTrue(f.match(usercmd))
         self.assertEqual(f.get_command(usercmd), ['/usr/bin/dnsmasq', 'foo'])