ipv4_sg_rules.append(rule)
elif rule.get('ethertype') == constants.IPv6:
if rule.get('protocol') == 'icmp':
- rule['protocol'] = 'icmpv6'
+ rule['protocol'] = 'ipv6-icmp'
ipv6_sg_rules.append(rule)
return ipv4_sg_rules, ipv6_sg_rules
def _spoofing_rule(self, port, ipv4_rules, ipv6_rules):
# Allow dhcp client packets
- ipv4_rules += [comment_rule('-p udp -m udp --sport 68 --dport 67 '
+ ipv4_rules += [comment_rule('-p udp -m udp --sport 68 '
+ '-m udp --dport 67 '
'-j RETURN', comment=ic.DHCP_CLIENT)]
# Drop Router Advts from the port.
- ipv6_rules += [comment_rule('-p icmpv6 --icmpv6-type %s '
+ ipv6_rules += [comment_rule('-p ipv6-icmp -m icmp6 --icmpv6-type %s '
'-j DROP' % constants.ICMPV6_TYPE_RA,
comment=ic.IPV6_RA_DROP)]
- ipv6_rules += [comment_rule('-p icmpv6 -j RETURN',
+ ipv6_rules += [comment_rule('-p ipv6-icmp -j RETURN',
comment=ic.IPV6_ICMP_ALLOW)]
- ipv6_rules += [comment_rule('-p udp -m udp --sport 546 --dport 547 '
+ ipv6_rules += [comment_rule('-p udp -m udp --sport 546 '
+ '-m udp --dport 547 '
'-j RETURN', comment=ic.DHCP_CLIENT)]
mac_ipv4_pairs = []
mac_ipv6_pairs = []
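Review bot: The DHCP client literals in `_spoofing_rule` (and the mirror ones in `_drop_dhcp_rule` further down) now repeat the udp match, `-m udp --sport 68 -m udp --dport 67`, which reads like a copy-paste slip because nothing in the hunk says why. The iptables-save fixtures later on this page suggest the literal is meant to equal the form iptables itself reports, so the comparison with live rules does not spuriously differ, but that is inferred and should be confirmed. A why-comment above the first such rule would stop a future cleanup from collapsing it back, e.g. `# NOTE: keep one '-m udp' per port option; the rule must match the form iptables reports it in (see the iptables-save fixtures in the tests).` `_spoofing_rule`'s body continues past the end of the hunk.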
def _drop_dhcp_rule(self, ipv4_rules, ipv6_rules):
#Note(nati) Drop dhcp packet from VM
- ipv4_rules += [comment_rule('-p udp -m udp --sport 67 --dport 68 '
+ ipv4_rules += [comment_rule('-p udp -m udp --sport 67 '
+ '-m udp --dport 68 '
'-j DROP', comment=ic.DHCP_SPOOF)]
- ipv6_rules += [comment_rule('-p udp -m udp --sport 547 --dport 546 '
+ ipv6_rules += [comment_rule('-p udp -m udp --sport 547 '
+ '-m udp --dport 546 '
'-j DROP', comment=ic.DHCP_SPOOF)]
def _accept_inbound_icmpv6(self):
# neighbor advertisement into the instance
icmpv6_rules = []
for icmp6_type in constants.ICMPV6_ALLOWED_TYPES:
- icmpv6_rules += ['-p icmpv6 --icmpv6-type %s -j RETURN' %
- icmp6_type]
+ icmpv6_rules += ['-p ipv6-icmp -m icmp6 --icmpv6-type %s '
+ '-j RETURN' % icmp6_type]
return icmpv6_rules
def _select_sg_rules_for_port(self, port, direction):
def _protocol_arg(self, protocol):
if not protocol:
return []
-
+ if protocol == 'icmpv6':
+ protocol = 'ipv6-icmp'
iptables_rule = ['-p', protocol]
- # iptables always adds '-m protocol' for udp and tcp
- if protocol in ['udp', 'tcp']:
- iptables_rule += ['-m', protocol]
return iptables_rule
def _port_arg(self, direction, protocol, port_range_min, port_range_max):
- if (protocol not in ['udp', 'tcp', 'icmp', 'icmpv6']
+ if (protocol not in ['udp', 'tcp', 'icmp', 'ipv6-icmp']
or port_range_min is None):
return []
- if protocol in ['icmp', 'icmpv6']:
+ protocol_modules = {'udp': 'udp', 'tcp': 'tcp',
+ 'icmp': 'icmp', 'ipv6-icmp': 'icmp6'}
+ # iptables adds '-m protocol' when the port number is specified
+ args = ['-m', protocol_modules[protocol]]
+
+ if protocol in ['icmp', 'ipv6-icmp']:
+ protocol_type = 'icmpv6' if protocol == 'ipv6-icmp' else 'icmp'
# Note(xuhanp): port_range_min/port_range_max represent
# icmp type/code when protocol is icmp or icmpv6
+ args += ['--%s-type' % protocol_type, '%s' % port_range_min]
# icmp code can be 0 so we cannot use "if port_range_max" here
if port_range_max is not None:
- return ['--%s-type' % protocol,
- '%s/%s' % (port_range_min, port_range_max)]
- return ['--%s-type' % protocol, '%s' % port_range_min]
+ args[-1] += '/%s' % port_range_max
elif port_range_min == port_range_max:
- return ['--%s' % direction, '%s' % (port_range_min,)]
+ args += ['--%s' % direction, '%s' % (port_range_min,)]
else:
- return ['-m', 'multiport',
- '--%ss' % direction,
- '%s:%s' % (port_range_min, port_range_max)]
+ args += ['-m', 'multiport', '--%ss' % direction,
+ '%s:%s' % (port_range_min, port_range_max)]
+ return args
def _ip_prefix_arg(self, direction, ip_prefix):
#NOTE (nati) : source_group_id is converted to list of source_
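Review bot: `_port_arg` now rejects the protocol name `'icmpv6'` in its first-line whitelist (only `'ipv6-icmp'` is accepted), while `_protocol_arg` in the preceding lines still accepts `'icmpv6'` and rewrites it to `'ipv6-icmp'`. If the same raw protocol value is fed to both, which the visible code suggests but the caller is outside the hunk, a rule carrying `'icmpv6'` plus a type/code would be emitted as a bare `-p ipv6-icmp` match with the type restriction silently dropped, i.e. a wider match than the security group rule describes. Apply the same normalisation at the top of `_port_arg`, `if protocol == 'icmpv6': protocol = 'ipv6-icmp'`, or better, factor the alias into one helper both methods call so the two lists cannot drift again. `protocol_modules` could also be a class-level constant instead of a dict rebuilt on every call.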
comment=ic.PAIR_DROP),
mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 68 --dport 67 -j RETURN',
+ '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN',
comment=None),
mock.call.add_rule('ofake_dev', '-j $sfake_dev',
comment=None),
mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 67 --dport 68 -j DROP',
+ '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP',
comment=None),
mock.call.add_rule(
'ofake_dev',
'direction': 'ingress',
'protocol': 'tcp'}
ingress = mock.call.add_rule(
- 'ifake_dev', '-p tcp -m tcp -j RETURN', comment=None)
+ 'ifake_dev', '-p tcp -j RETURN', comment=None)
egress = None
self._test_prepare_port_filter(rule, ingress, egress)
'protocol': 'tcp',
'source_ip_prefix': prefix}
ingress = mock.call.add_rule('ifake_dev',
- '-s %s -p tcp -m tcp -j RETURN' % prefix,
+ '-s %s -p tcp -j RETURN' % prefix,
comment=None)
egress = None
self._test_prepare_port_filter(rule, ingress, egress)
'direction': 'ingress',
'protocol': 'udp'}
ingress = mock.call.add_rule(
- 'ifake_dev', '-p udp -m udp -j RETURN', comment=None)
+ 'ifake_dev', '-p udp -j RETURN', comment=None)
egress = None
self._test_prepare_port_filter(rule, ingress, egress)
'protocol': 'udp',
'source_ip_prefix': prefix}
ingress = mock.call.add_rule('ifake_dev',
- '-s %s -p udp -m udp -j RETURN' % prefix,
+ '-s %s -p udp -j RETURN' % prefix,
comment=None)
egress = None
self._test_prepare_port_filter(rule, ingress, egress)
'direction': 'egress',
'protocol': 'tcp'}
egress = mock.call.add_rule(
- 'ofake_dev', '-p tcp -m tcp -j RETURN', comment=None)
+ 'ofake_dev', '-p tcp -j RETURN', comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'protocol': 'tcp',
'source_ip_prefix': prefix}
egress = mock.call.add_rule('ofake_dev',
- '-s %s -p tcp -m tcp -j RETURN' % prefix,
+ '-s %s -p tcp -j RETURN' % prefix,
comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'source_ip_prefix': prefix}
egress = mock.call.add_rule(
'ofake_dev',
- '-s %s -p icmp --icmp-type 8 -j RETURN' % prefix,
+ '-s %s -p icmp -m icmp --icmp-type 8 -j RETURN' % prefix,
comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'source_ip_prefix': prefix}
egress = mock.call.add_rule(
'ofake_dev',
- '-s %s -p icmp --icmp-type echo-request -j RETURN' % prefix,
+ '-s %s -p icmp -m icmp --icmp-type echo-request '
+ '-j RETURN' % prefix,
comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'source_ip_prefix': prefix}
egress = mock.call.add_rule(
'ofake_dev',
- '-s %s -p icmp --icmp-type 8/0 -j RETURN' % prefix,
+ '-s %s -p icmp -m icmp --icmp-type 8/0 -j RETURN' % prefix,
comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'direction': 'egress',
'protocol': 'udp'}
egress = mock.call.add_rule(
- 'ofake_dev', '-p udp -m udp -j RETURN', comment=None)
+ 'ofake_dev', '-p udp -j RETURN', comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'protocol': 'udp',
'source_ip_prefix': prefix}
egress = mock.call.add_rule('ofake_dev',
- '-s %s -p udp -m udp -j RETURN' % prefix,
+ '-s %s -p udp -j RETURN' % prefix,
comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'direction': 'ingress',
'protocol': 'tcp'}
ingress = mock.call.add_rule(
- 'ifake_dev', '-p tcp -m tcp -j RETURN', comment=None)
+ 'ifake_dev', '-p tcp -j RETURN', comment=None)
egress = None
self._test_prepare_port_filter(rule, ingress, egress)
'protocol': 'tcp',
'source_ip_prefix': prefix}
ingress = mock.call.add_rule('ifake_dev',
- '-s %s -p tcp -m tcp -j RETURN' % prefix,
+ '-s %s -p tcp -j RETURN' % prefix,
comment=None)
egress = None
self._test_prepare_port_filter(rule, ingress, egress)
'direction': 'ingress',
'protocol': 'icmp'}
ingress = mock.call.add_rule(
- 'ifake_dev', '-p icmpv6 -j RETURN', comment=None)
+ 'ifake_dev', '-p ipv6-icmp -j RETURN', comment=None)
egress = None
self._test_prepare_port_filter(rule, ingress, egress)
'protocol': 'icmp',
'source_ip_prefix': prefix}
ingress = mock.call.add_rule(
- 'ifake_dev', '-s %s -p icmpv6 -j RETURN' % prefix,
+ 'ifake_dev', '-s %s -p ipv6-icmp -j RETURN' % prefix,
comment=None)
egress = None
self._test_prepare_port_filter(rule, ingress, egress)
'direction': 'ingress',
'protocol': 'udp'}
ingress = mock.call.add_rule(
- 'ifake_dev', '-p udp -m udp -j RETURN', comment=None)
+ 'ifake_dev', '-p udp -j RETURN', comment=None)
egress = None
self._test_prepare_port_filter(rule, ingress, egress)
'protocol': 'udp',
'source_ip_prefix': prefix}
ingress = mock.call.add_rule('ifake_dev',
- '-s %s -p udp -m udp -j RETURN' % prefix,
+ '-s %s -p udp -j RETURN' % prefix,
comment=None)
egress = None
self._test_prepare_port_filter(rule, ingress, egress)
'direction': 'egress',
'protocol': 'tcp'}
egress = mock.call.add_rule(
- 'ofake_dev', '-p tcp -m tcp -j RETURN', comment=None)
+ 'ofake_dev', '-p tcp -j RETURN', comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'protocol': 'tcp',
'source_ip_prefix': prefix}
egress = mock.call.add_rule('ofake_dev',
- '-s %s -p tcp -m tcp -j RETURN' % prefix,
+ '-s %s -p tcp -j RETURN' % prefix,
comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'direction': 'egress',
'protocol': 'icmp'}
egress = mock.call.add_rule(
- 'ofake_dev', '-p icmpv6 -j RETURN', comment=None)
+ 'ofake_dev', '-p ipv6-icmp -j RETURN', comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'protocol': 'icmp',
'source_ip_prefix': prefix}
egress = mock.call.add_rule(
- 'ofake_dev', '-s %s -p icmpv6 -j RETURN' % prefix,
+ 'ofake_dev', '-s %s -p ipv6-icmp -j RETURN' % prefix,
comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'source_ip_prefix': prefix}
egress = mock.call.add_rule(
'ofake_dev',
- '-s %s -p icmpv6 --icmpv6-type 8 -j RETURN' % prefix,
+ '-s %s -p ipv6-icmp -m icmp6 --icmpv6-type 8 -j RETURN' % prefix,
comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'source_ip_prefix': prefix}
egress = mock.call.add_rule(
'ofake_dev',
- '-s %s -p icmpv6 --icmpv6-type echo-request -j RETURN' % prefix,
+ '-s %s -p ipv6-icmp -m icmp6 --icmpv6-type echo-request '
+ '-j RETURN' % prefix,
comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'source_ip_prefix': prefix}
egress = mock.call.add_rule(
'ofake_dev',
- '-s %s -p icmpv6 --icmpv6-type 8/0 -j RETURN' % prefix,
+ '-s %s -p ipv6-icmp -m icmp6 --icmpv6-type 8/0 -j RETURN' % prefix,
comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'direction': 'egress',
'protocol': 'udp'}
egress = mock.call.add_rule(
- 'ofake_dev', '-p udp -m udp -j RETURN', comment=None)
+ 'ofake_dev', '-p udp -j RETURN', comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
'protocol': 'udp',
'source_ip_prefix': prefix}
egress = mock.call.add_rule('ofake_dev',
- '-s %s -p udp -m udp -j RETURN' % prefix,
+ '-s %s -p udp -j RETURN' % prefix,
comment=None)
ingress = None
self._test_prepare_port_filter(rule, ingress, egress)
filter_inst = self.v4filter_inst
dhcp_rule = [mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 68 --dport 67 -j RETURN',
+ '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN',
comment=None)]
if ethertype == 'IPv6':
filter_inst = self.v6filter_inst
- dhcp_rule = [mock.call.add_rule('ofake_dev', '-p icmpv6 '
+ dhcp_rule = [mock.call.add_rule('ofake_dev', '-p ipv6-icmp '
+ '-m icmp6 '
'--icmpv6-type %s -j DROP'
% constants.ICMPV6_TYPE_RA,
comment=None),
mock.call.add_rule('ofake_dev',
- '-p icmpv6 -j RETURN',
+ '-p ipv6-icmp -j RETURN',
comment=None),
mock.call.add_rule('ofake_dev', '-p udp -m udp '
- '--sport 546 --dport 547 '
+ '--sport 546 -m udp --dport 547 '
'-j RETURN', comment=None)]
sg = [rule]
port['security_group_rules'] = sg
for icmp6_type in constants.ICMPV6_ALLOWED_TYPES:
calls.append(
mock.call.add_rule('ifake_dev',
- '-p icmpv6 --icmpv6-type %s -j RETURN' %
+ '-p ipv6-icmp -m icmp6 --icmpv6-type '
+ '%s -j RETURN' %
icmp6_type, comment=None))
calls += [
mock.call.add_rule(
if ethertype == 'IPv4':
calls.append(mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 67 --dport 68 -j DROP',
+ '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP',
comment=None))
if ethertype == 'IPv6':
calls.append(mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 547 --dport 546 -j DROP',
+ '-p udp -m udp --sport 547 -m udp --dport 546 -j DROP',
comment=None))
calls += [
mock.call.add_rule('ofake_dev',
'-j $sg-fallback', comment=None),
mock.call.add_rule('sg-chain', '-j ACCEPT')]
-
+ comb = zip(calls, filter_inst.mock_calls)
+ for (l, r) in comb:
+ self.assertEqual(l, r)
filter_inst.assert_has_calls(calls)
def _test_remove_conntrack_entries(self, ethertype, protocol,
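Review bot: The added `zip(calls, filter_inst.mock_calls)` loop before `assert_has_calls` compares the two sequences pairwise but stops silently at the shorter one, so it is not a full equality check; presumably it exists only to surface the first differing call in a readable failure message, and a comment should say so. The loop variable `l` is also easy to misread as `1`. If the two sequences are expected to be identical, `self.assertEqual(calls, filter_inst.mock_calls)` gives the same diagnostic in one line; otherwise rename it, `for expected, actual in zip(calls, filter_inst.mock_calls): self.assertEqual(expected, actual)`, under a comment such as `# pairwise compare first so a mismatch reports the first differing call`.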
comment=ic.PAIR_DROP),
mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 68 --dport 67 -j RETURN',
+ '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN',
comment=None),
mock.call.add_rule('ofake_dev', '-j $sfake_dev',
comment=None),
mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 67 --dport 68 -j DROP',
+ '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP',
comment=None),
mock.call.add_rule(
'ofake_dev',
comment=ic.PAIR_DROP),
mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 68 --dport 67 -j RETURN',
+ '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN',
comment=None),
mock.call.add_rule('ofake_dev', '-j $sfake_dev',
comment=None),
mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 67 --dport 68 -j DROP',
+ '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP',
comment=None),
mock.call.add_rule(
'ofake_dev',
comment=ic.PAIR_DROP),
mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 68 --dport 67 -j RETURN',
+ '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN',
comment=None),
mock.call.add_rule('ofake_dev', '-j $sfake_dev',
comment=None),
mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 67 --dport 68 -j DROP',
+ '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP',
comment=None),
mock.call.add_rule(
'ofake_dev',
comment=ic.PAIR_DROP),
mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 68 --dport 67 -j RETURN',
+ '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN',
comment=None),
mock.call.add_rule('ofake_dev', '-j $sfake_dev',
comment=None),
mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 67 --dport 68 -j DROP',
+ '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP',
comment=None),
mock.call.add_rule(
'ofake_dev',
[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-i_port1
[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \
--j RETURN
+[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp \
+--dport 68 -j RETURN
[0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A %(bn)s-i_port1 -m set --match-set NIPv4security_group1 src -j \
RETURN
[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
[0:0] -A %(bn)s-s_port1 -j DROP
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_port1 -j RETURN
[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-i_port1
[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \
--j RETURN
+[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp \
+--dport 68 -j RETURN
[0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
[0:0] -A %(bn)s-s_port1 -j DROP
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_port1 -j RETURN
[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-i_port1
[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \
--j RETURN
+[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp \
+--dport 68 -j RETURN
[0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A %(bn)s-i_port1 -s 10.0.0.4/32 -j RETURN
[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
[0:0] -A %(bn)s-s_port1 -j DROP
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_port1 -j RETURN
[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
---dport 68 -j RETURN
+-m udp --dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -m set --match-set NIPv4security_group1 src -j \
RETURN
[0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \
-j RETURN
[0:0] -A %(bn)s-s_%(port1)s -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_%(port1)s -j RETURN
[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
---dport 68 -j RETURN
+-m udp --dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -m set --match-set NIPv4security_group1 src -j \
RETURN
[0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \
-j RETURN
[0:0] -A %(bn)s-s_%(port2)s -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_%(port2)s -j RETURN
[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
---dport 68 -j RETURN
+-m udp --dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -m set --match-set NIPv4security_group1 src -j \
RETURN
[0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \
-j RETURN
[0:0] -A %(bn)s-s_%(port1)s -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_%(port1)s -j RETURN
[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
---dport 68 -j RETURN
+-m udp --dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -m set --match-set NIPv4security_group1 src -j \
RETURN
[0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \
-j RETURN
[0:0] -A %(bn)s-s_%(port2)s -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_%(port2)s -j RETURN
[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
---dport 68 -j RETURN
+-m udp --dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP
[0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \
-j RETURN
[0:0] -A %(bn)s-s_%(port1)s -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_%(port1)s -j RETURN
[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
---dport 68 -j RETURN
+-m udp --dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP
[0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \
-j RETURN
[0:0] -A %(bn)s-s_%(port2)s -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_%(port2)s -j RETURN
[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
---dport 68 -j RETURN
+-m udp --dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP
""" % IPTABLES_ARG
[0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \
-j RETURN
[0:0] -A %(bn)s-s_%(port1)s -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_%(port1)s -j RETURN
[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
---dport 68 -j RETURN
+-m udp --dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
""" % IPTABLES_ARG
IPTABLES_FILTER_2_2 += ("[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s "
[0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \
-j RETURN
[0:0] -A %(bn)s-s_%(port2)s -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_%(port2)s -j RETURN
[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
---dport 68 -j RETURN
+-m udp --dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -p icmp -j RETURN
[0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \
-j RETURN
[0:0] -A %(bn)s-s_%(port1)s -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_%(port1)s -j RETURN
[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
---dport 68 -j RETURN
+-m udp --dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -p icmp -j RETURN
[0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \
-j RETURN
[0:0] -A %(bn)s-s_%(port2)s -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_%(port2)s -j RETURN
[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
%(physdev_is_bridged)s -j %(bn)s-sg-chain
[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-i_port1
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 130 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 131 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 132 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 135 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 136 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-o_port1 -p icmpv6 --icmpv6-type 134 -j DROP
-[0:0] -A %(bn)s-o_port1 -p icmpv6 -j RETURN
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 --dport 547 -j RETURN
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 --dport 546 -j DROP
+[0:0] -A %(bn)s-o_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+[0:0] -A %(bn)s-o_port1 -p ipv6-icmp -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 -m udp --dport 547 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 -m udp --dport 546 -j DROP
[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback
%(physdev_is_bridged)s -j %(bn)s-sg-chain
[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
-[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 130 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 131 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 132 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 135 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 136 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP
[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p icmpv6 --icmpv6-type 134 -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p icmpv6 -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 546 --dport 547 -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 547 --dport 546 -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -p ipv6-icmp -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 546 -m udp --dport 547 \
+-j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 547 -m udp --dport 546 \
+-j DROP
[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback
%(physdev_is_bridged)s -j %(bn)s-sg-chain
[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
-[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 130 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 131 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 132 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 135 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 136 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP
[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p icmpv6 --icmpv6-type 134 -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p icmpv6 -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 546 --dport 547 -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 547 --dport 546 -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -p ipv6-icmp -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 546 -m udp --dport 547 \
+-j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 547 -m udp --dport 546 \
+-j DROP
[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback