diff --git a/files/rootwrap.d/l3.filters b/files/rootwrap.d/l3.filters
index a0a86e60..ea18b1ca 100644
--- a/files/rootwrap.d/l3.filters
+++ b/files/rootwrap.d/l3.filters
@@ -34,6 +34,15 @@ ip: IpFilter, ip, root
 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
 ip_exec: IpNetnsExecFilter, ip, root
 
+# l3_tc_lib
+l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
+l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
+l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
+l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
+l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
+l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
+l3_tc_add_filter_egress:  RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1
+
 # For ip monitor
 kill_ip_monitor: KillFilter, root, ip, -9
 
diff --git a/files/rootwrap.d/linuxbridge-plugin.filters b/files/rootwrap.d/linuxbridge-plugin.filters
index f0934357..298b8077 100644
--- a/files/rootwrap.d/linuxbridge-plugin.filters
+++ b/files/rootwrap.d/linuxbridge-plugin.filters
@@ -13,6 +13,7 @@
 # from the old mechanism
 brctl: CommandFilter, brctl, root
 bridge: CommandFilter, bridge, root
+sysctl: CommandFilter, sysctl, root
 
 # ip_lib
 ip: IpFilter, ip, root
diff --git a/files/rootwrap.d/openvswitch-plugin.filters b/files/rootwrap.d/openvswitch-plugin.filters
index 89c44dd4..e5290243 100644
--- a/files/rootwrap.d/openvswitch-plugin.filters
+++ b/files/rootwrap.d/openvswitch-plugin.filters
@@ -21,3 +21,6 @@ ovsdb-client: CommandFilter, ovsdb-client, root
 ip: IpFilter, ip, root
 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
 ip_exec: IpNetnsExecFilter, ip, root
+
+# needed for FDB extension
+bridge: CommandFilter, bridge, root
diff --git a/templates/api-paste.ini.j2 b/templates/api-paste.ini.j2
index 1c98cfe3..f79088c3 100644
--- a/templates/api-paste.ini.j2
+++ b/templates/api-paste.ini.j2
@@ -36,7 +36,7 @@ paste.filter_factory = keystonemiddleware.auth_token:filter_factory
 paste.filter_factory = neutron.api.extensions:plugin_aware_extension_middleware_factory
 
 [app:neutronversions]
-paste.app_factory = neutron.api.versions:Versions.factory
+paste.app_factory = neutron.pecan_wsgi.app:versions_factory
 
 [app:neutronapiapp_v2_0]
 paste.app_factory = neutron.api.v2.router:APIRouter.factory