import collections
import contextlib
+import difflib
import os
import re
import sys
self.remove_chains.add(name)
# first, add rules to remove that have a matching chain name
- self.remove_rules += [r for r in self.rules if r.chain == name]
+ self.remove_rules += [str(r) for r in self.rules
+ if r.chain == name]
# next, remove rules from list that have a matching chain name
self.rules = [r for r in self.rules if r.chain != name]
if not wrap:
jump_snippet = '-j %s' % name
# next, add rules to remove that have a matching jump chain
- self.remove_rules += [r for r in self.rules
+ self.remove_rules += [str(r) for r in self.rules
if jump_snippet in r.rule]
else:
jump_snippet = '-j %s-%s' % (self.wrap_name, name)
self.wrap_name,
comment=comment))
if not wrap:
- self.remove_rules.append(IptablesRule(chain, rule, wrap, top,
- self.wrap_name,
- comment=comment))
+ self.remove_rules.append(str(IptablesRule(chain, rule, wrap,
+ top, self.wrap_name,
+ comment=comment)))
except ValueError:
LOG.warn(_LW('Tried to remove rule that was not there:'
' %(chain)r %(rule)r %(wrap)r %(top)r'),
if self.iptables_apply_deferred:
return
- self._apply()
+ return self._apply()
def _apply(self):
lock_name = 'iptables'
def _apply_synchronized(self):
"""Apply the current in-memory set of iptables rules.
- This will blow away any rules left over from previous runs of the
- same component of Nova, and replace them with our current set of
- rules. This happens atomically, thanks to iptables-restore.
+ This will create a diff between the rules from the previous runs
+ and replace them with the current set of rules.
+ This happens atomically, thanks to iptables-restore.
+ Returns a list of the changes that were sent to iptables-save.
"""
s = [('iptables', self.ipv4)]
if self.use_ipv6:
s += [('ip6tables', self.ipv6)]
-
+ all_commands = [] # variable to keep track all commands for return val
for cmd, tables in s:
- args = ['%s-save' % (cmd,), '-c']
+ args = ['%s-save' % (cmd,)]
if self.namespace:
args = ['ip', 'netns', 'exec', self.namespace] + args
- all_tables = self.execute(args, run_as_root=True)
- all_lines = all_tables.split('\n')
+ save_output = self.execute(args, run_as_root=True)
+ all_lines = save_output.split('\n')
+ commands = []
# Traverse tables in sorted order for predictable dump output
for table_name in sorted(tables):
table = tables[table_name]
+ # isolate the lines of the table we are modifying
start, end = self._find_table(all_lines, table_name)
- all_lines[start:end] = self._modify_rules(
- all_lines[start:end], table, table_name)
-
- args = ['%s-restore' % (cmd,), '-c']
+ old_rules = all_lines[start:end]
+ # generate the new table state we want
+ new_rules = self._modify_rules(old_rules, table, table_name)
+ # generate the iptables commands to get between the old state
+ # and the new state
+ changes = _generate_path_between_rules(old_rules, new_rules)
+ if changes:
+ # if there are changes to the table, we put on the header
+ # and footer that iptables-save needs
+ commands += (['# Generated by iptables_manager'] +
+ ['*%s' % table_name] + changes +
+ ['COMMIT', '# Completed by iptables_manager'])
+ if not commands:
+ continue
+ all_commands += commands
+ args = ['%s-restore' % (cmd,), '-n']
if self.namespace:
args = ['ip', 'netns', 'exec', self.namespace] + args
try:
- self.execute(args, process_input='\n'.join(all_lines),
+ # always end with a new line
+ commands.append('')
+ self.execute(args, process_input='\n'.join(commands),
run_as_root=True)
except RuntimeError as r_error:
with excutils.save_and_reraise_exception():
except AttributeError:
# line error wasn't found, print all lines instead
log_start = 0
- log_end = len(all_lines)
+ log_end = len(commands)
log_lines = ('%7d. %s' % (idx, l)
for idx, l in enumerate(
- all_lines[log_start:log_end],
+ commands[log_start:log_end],
log_start + 1)
)
LOG.error(_LE("IPTablesManager.apply failed to apply the "
"following set of iptables rules:\n%s"),
'\n'.join(log_lines))
- LOG.debug("IPTablesManager.apply completed with success")
+ LOG.debug("IPTablesManager.apply completed with success. %d iptables "
+ "commands were issued", len(all_commands))
+ return all_commands
def _find_table(self, lines, table_name):
if len(lines) < 3:
# length only <2 when fake iptables
return (0, 0)
try:
- start = lines.index('*%s' % table_name) - 1
+ start = lines.index('*%s' % table_name)
except ValueError:
# Couldn't find table_name
LOG.debug('Unable to find table %s', table_name)
return (0, 0)
- end = lines[start:].index('COMMIT') + start + 2
+ end = lines[start:].index('COMMIT') + start + 1
return (start, end)
def _find_rules_index(self, lines):
return rules_index
- def _find_last_entry(self, filter_map, match_str):
- # find last matching entry
- try:
- return filter_map[match_str][-1]
- except KeyError:
- pass
-
def _modify_rules(self, current_lines, table, table_name):
# Chains are stored as sets to avoid duplicates.
# Sort the output chains here to make their order predictable.
unwrapped_chains = sorted(table.unwrapped_chains)
chains = sorted(table.chains)
- remove_chains = table.remove_chains
- rules = table.rules
- remove_rules = table.remove_rules
-
- if not current_lines:
- fake_table = ['# Generated by iptables_manager',
- '*' + table_name, 'COMMIT',
- '# Completed by iptables_manager']
- current_lines = fake_table
-
- # Fill old_filter with any chains or rules we might have added,
- # they could have a [packet:byte] count we want to preserve.
- # Fill new_filter with any chains or rules without our name in them.
- old_filter, new_filter = [], []
- for line in current_lines:
- (old_filter if self.wrap_name in line else
- new_filter).append(line.strip())
-
- old_filter_map = make_filter_map(old_filter)
- new_filter_map = make_filter_map(new_filter)
-
- rules_index = self._find_rules_index(new_filter)
- all_chains = [':%s' % name for name in unwrapped_chains]
- all_chains += [':%s-%s' % (self.wrap_name, name) for name in chains]
-
- # Iterate through all the chains, trying to find an existing
- # match.
- our_chains = []
- for chain in all_chains:
- chain_str = str(chain).strip()
-
- old = self._find_last_entry(old_filter_map, chain_str)
- if not old:
- dup = self._find_last_entry(new_filter_map, chain_str)
- new_filter = [s for s in new_filter if chain_str not in s.strip()]
-
- # if no old or duplicates, use original chain
- if old or dup:
- chain_str = str(old or dup)
- else:
- # add-on the [packet:bytes]
- chain_str += ' - [0:0]'
-
- our_chains += [chain_str]
-
- # Iterate through all the rules, trying to find an existing
- # match.
- our_rules = []
- bot_rules = []
- for rule in rules:
- rule_str = str(rule).strip()
- # Further down, we weed out duplicates from the bottom of the
- # list, so here we remove the dupes ahead of time.
-
- old = self._find_last_entry(old_filter_map, rule_str)
- if not old:
- dup = self._find_last_entry(new_filter_map, rule_str)
- new_filter = [s for s in new_filter if rule_str not in s.strip()]
-
- # if no old or duplicates, use original rule
- if old or dup:
- rule_str = str(old or dup)
- # backup one index so we write the array correctly
- if not old:
- rules_index -= 1
- else:
- # add-on the [packet:bytes]
- rule_str = '[0:0] ' + rule_str
+ # we don't want to change any rules that don't belong to us so we start
+ # the new_filter with these rules
+ new_filter = [line.strip() for line in current_lines
+ if self.wrap_name not in line]
+
+ # generate our list of chain names
+ our_chains = [':%s-%s' % (self.wrap_name, name) for name in chains]
+
+ # the unwrapped chains (e.g. neutron-filter-top) may already exist in
+ # the new_filter since they aren't marked by the wrap_name so we only
+ # want to add them if they arent' already there
+ our_chains += [':%s' % name for name in unwrapped_chains
+ if not any(':%s' % name in s for s in new_filter)]
+
+ our_top_rules = []
+ our_bottom_rules = []
+ for rule in table.rules:
+ rule_str = str(rule)
+ # similar to the unwrapped chains, there are some rules that belong
+ # to us but they don't have the wrap name. we want to remove them
+ # from the new_filter and then add them in the right location in
+ # case our new rules changed the order.
+ # (e.g. '-A FORWARD -j neutron-filter-top')
+ new_filter = [s for s in new_filter if rule_str not in s]
if rule.top:
# rule.top == True means we want this rule to be at the top.
- our_rules += [rule_str]
+ our_top_rules += [rule_str]
else:
- bot_rules += [rule_str]
+ our_bottom_rules += [rule_str]
- our_rules += bot_rules
+ our_chains_and_rules = our_chains + our_top_rules + our_bottom_rules
- new_filter[rules_index:rules_index] = our_rules
- new_filter[rules_index:rules_index] = our_chains
+ # locate the position immediately after the existing chains to insert
+ # our chains and rules
+ rules_index = self._find_rules_index(new_filter)
+ new_filter[rules_index:rules_index] = our_chains_and_rules
- def _strip_packets_bytes(line):
- # strip any [packet:byte] counts at start or end of lines
- if line.startswith(':'):
- # it's a chain, for example, ":neutron-billing - [0:0]"
- line = line.split(':')[1]
- line = line.split(' - [', 1)[0]
- elif line.startswith('['):
- # it's a rule, for example, "[0:0] -A neutron-billing..."
- line = line.split('] ', 1)[1]
- line = line.strip()
- return line
-
- seen_chains = set()
-
- def _weed_out_duplicate_chains(line):
- # ignore [packet:byte] counts at end of lines
+ def _weed_out_removes(line):
+ # remove any rules or chains from the filter that were slated
+ # for removal
if line.startswith(':'):
- line = _strip_packets_bytes(line)
- if line in seen_chains:
+ chain = line[1:]
+ if chain in table.remove_chains:
+ table.remove_chains.remove(chain)
return False
- else:
- seen_chains.add(line)
-
- # Leave it alone
- return True
-
- seen_rules = set()
-
- def _weed_out_duplicate_rules(line):
- if line.startswith('['):
- line = _strip_packets_bytes(line)
- if line in seen_rules:
+ else:
+ if line in table.remove_rules:
+ table.remove_rules.remove(line)
return False
- else:
- seen_rules.add(line)
-
# Leave it alone
return True
- def _weed_out_removes(line):
- # We need to find exact matches here
- if line.startswith(':'):
- line = _strip_packets_bytes(line)
- for chain in remove_chains:
- if chain == line:
- remove_chains.remove(chain)
- return False
- elif line.startswith('['):
- line = _strip_packets_bytes(line)
- for rule in remove_rules:
- rule_str = _strip_packets_bytes(str(rule))
- if rule_str == line:
- remove_rules.remove(rule)
- return False
-
+ seen_lines = set()
+
+ # TODO(kevinbenton): remove this function and the next one. They are
+ # just oversized brooms to sweep bugs under the rug!!! We generate the
+ # rules and we shouldn't be generating duplicates.
+ def _weed_out_duplicates(line):
+ if line in seen_lines:
+ thing = 'chain' if line.startswith(':') else 'rule'
+ LOG.warning(_LW("Duplicate iptables %(thing)s detected. This "
+ "may indicate a bug in the the iptables "
+ "%(thing)s generation code. Line: %(line)s"),
+ {'thing': thing, 'line': line})
+ return False
+ seen_lines.add(line)
# Leave it alone
return True
- # We filter duplicates. Go through the chains and rules, letting
- # the *last* occurrence take precedence since it could have a
- # non-zero [packet:byte] count we want to preserve. We also filter
- # out anything in the "remove" list.
new_filter.reverse()
new_filter = [line for line in new_filter
- if _weed_out_duplicate_chains(line) and
- _weed_out_duplicate_rules(line) and
+ if _weed_out_duplicates(line) and
_weed_out_removes(line)]
new_filter.reverse()
- # flush lists, just in case we didn't find something
- remove_chains.clear()
- for rule in remove_rules:
- remove_rules.remove(rule)
+ # flush lists, just in case a rule or chain marked for removal
+ # was already gone. (chains is a set, rules is a list)
+ table.remove_chains.clear()
+ table.remove_rules = []
return new_filter
return acc
-def make_filter_map(filter_list):
- filter_map = collections.defaultdict(list)
- for data in filter_list:
- # strip any [packet:byte] counts at start or end of lines,
- # for example, chains look like ":neutron-foo - [0:0]"
- # and rules look like "[0:0] -A neutron-foo..."
- if data.startswith('['):
- key = data.rpartition('] ')[2]
- elif data.endswith(']'):
- key = data.rsplit(' [', 1)[0]
- if key.endswith(' -'):
- key = key[:-2]
+def _generate_path_between_rules(old_rules, new_rules):
+ """Generates iptables commands to get from old_rules to new_rules.
+
+ This function diffs the two rule sets and then calculates the iptables
+ commands necessary to get from the old rules to the new rules using
+ insert and delete commands.
+ """
+ old_by_chain = _get_rules_by_chain(old_rules)
+ new_by_chain = _get_rules_by_chain(new_rules)
+ old_chains, new_chains = set(old_by_chain.keys()), set(new_by_chain.keys())
+ # all referenced chains should be declared at the top before rules.
+
+ # NOTE(kevinbenton): sorting and grouping chains is for determinism in
+ # tests. iptables doesn't care about the order here
+ statements = [':%s - [0:0]' % c for c in sorted(new_chains - old_chains)]
+ sg_chains = []
+ other_chains = []
+ for chain in sorted(old_chains | new_chains):
+ if '-sg-' in chain:
+ sg_chains.append(chain)
else:
- # things like COMMIT, *filter, and *nat land here
+ other_chains.append(chain)
+
+ for chain in other_chains + sg_chains:
+ statements += _generate_chain_diff_iptables_commands(
+ chain, old_by_chain[chain], new_by_chain[chain])
+ # unreferenced chains get the axe
+ for chain in sorted(old_chains - new_chains):
+ statements += ['-X %s' % chain]
+ return statements
+
+
+def _get_rules_by_chain(rules):
+ by_chain = collections.defaultdict(list)
+ for line in rules:
+ if line.startswith(':'):
+ chain = line[1:].split(' ', 1)[0]
+ # even though this is a default dict, we need to manually add
+ # chains to ensure that ones without rules are included because
+ # they might be a jump reference
+ if chain not in by_chain:
+ by_chain[chain] = []
+ elif line.startswith('-A'):
+ chain = line[3:].split(' ', 1)[0]
+ by_chain[chain].append(line)
+ return by_chain
+
+
+def _generate_chain_diff_iptables_commands(chain, old_chain_rules,
+ new_chain_rules):
+ # keep track of the old index because we have to insert rules
+ # in the right position
+ old_index = 1
+ statements = []
+ for line in difflib.ndiff(old_chain_rules, new_chain_rules):
+ if line.startswith('?'):
+ # skip ? because that's a guide string for intraline differences
continue
- filter_map[key].append(data)
- # regular IP(v6) entries are translated into /32s or /128s so we
- # include a lookup without the CIDR here to match as well
- for cidr in ('/32', '/128'):
- if cidr in key:
- alt_key = key.replace(cidr, '')
- filter_map[alt_key].append(data)
- # return a regular dict so readers don't accidentally add entries
- return dict(filter_map)
+ elif line.startswith('-'): # line deleted
+ statements.append('-D %s %d' % (chain, old_index))
+ # since we are removing a line from the old rules, we
+ # backup the index by 1
+ old_index -= 1
+ elif line.startswith('+'): # line added
+ # strip the chain name since we have to add it before the index
+ rule = line[5:].split(' ', 1)[-1]
+ # rule inserted at this position
+ statements.append('-I %s %d %s' % (chain, old_index, rule))
+ old_index += 1
+ return statements
NAT_TEMPLATE = ('# Generated by iptables_manager\n'
'*nat\n'
+ ':OUTPUT - [0:0]\n'
+ ':POSTROUTING - [0:0]\n'
+ ':PREROUTING - [0:0]\n'
':neutron-postrouting-bottom - [0:0]\n'
':%(bn)s-OUTPUT - [0:0]\n'
':%(bn)s-POSTROUTING - [0:0]\n'
':%(bn)s-PREROUTING - [0:0]\n'
':%(bn)s-float-snat - [0:0]\n'
':%(bn)s-snat - [0:0]\n'
- '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING\n'
- '[0:0] -A POSTROUTING -j neutron-postrouting-bottom\n'
- '[0:0] -A neutron-postrouting-bottom -j %(bn)s-snat\n'
- '[0:0] -A %(bn)s-snat -j '
+ '-I OUTPUT 1 -j %(bn)s-OUTPUT\n'
+ '-I POSTROUTING 1 -j %(bn)s-POSTROUTING\n'
+ '-I POSTROUTING 2 -j neutron-postrouting-bottom\n'
+ '-I PREROUTING 1 -j %(bn)s-PREROUTING\n'
+ '-I neutron-postrouting-bottom 1 -j %(bn)s-snat\n'
+ '-I %(bn)s-snat 1 -j '
'%(bn)s-float-snat\n'
'COMMIT\n'
'# Completed by iptables_manager\n')
FILTER_TEMPLATE = ('# Generated by iptables_manager\n'
'*filter\n'
+ ':FORWARD - [0:0]\n'
+ ':INPUT - [0:0]\n'
+ ':OUTPUT - [0:0]\n'
':neutron-filter-top - [0:0]\n'
':%(bn)s-FORWARD - [0:0]\n'
':%(bn)s-INPUT - [0:0]\n'
':%(bn)s-OUTPUT - [0:0]\n'
':%(bn)s-local - [0:0]\n'
- '[0:0] -A FORWARD -j neutron-filter-top\n'
- '[0:0] -A OUTPUT -j neutron-filter-top\n'
- '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
+ '-I FORWARD 1 -j neutron-filter-top\n'
+ '-I FORWARD 2 -j %(bn)s-FORWARD\n'
+ '-I INPUT 1 -j %(bn)s-INPUT\n'
+ '-I OUTPUT 1 -j neutron-filter-top\n'
+ '-I OUTPUT 2 -j %(bn)s-OUTPUT\n'
+ '-I neutron-filter-top 1 -j %(bn)s-local\n'
'COMMIT\n'
'# Completed by iptables_manager\n')
FILTER_WITH_RULES_TEMPLATE = (
'# Generated by iptables_manager\n'
'*filter\n'
+ ':FORWARD - [0:0]\n'
+ ':INPUT - [0:0]\n'
+ ':OUTPUT - [0:0]\n'
':neutron-filter-top - [0:0]\n'
':%(bn)s-FORWARD - [0:0]\n'
':%(bn)s-INPUT - [0:0]\n'
':%(bn)s-OUTPUT - [0:0]\n'
':%(bn)s-filter - [0:0]\n'
':%(bn)s-local - [0:0]\n'
- '[0:0] -A FORWARD -j neutron-filter-top\n'
- '[0:0] -A OUTPUT -j neutron-filter-top\n'
- '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
+ '-I FORWARD 1 -j neutron-filter-top\n'
+ '-I FORWARD 2 -j %(bn)s-FORWARD\n'
+ '-I INPUT 1 -j %(bn)s-INPUT\n'
+ '-I OUTPUT 1 -j neutron-filter-top\n'
+ '-I OUTPUT 2 -j %(bn)s-OUTPUT\n'
+ '-I neutron-filter-top 1 -j %(bn)s-local\n'
'%(filter_rules)s'
'COMMIT\n'
'# Completed by iptables_manager\n')
COMMENTED_NAT_DUMP = (
'# Generated by iptables_manager\n'
'*nat\n'
+ ':OUTPUT - [0:0]\n'
+ ':POSTROUTING - [0:0]\n'
+ ':PREROUTING - [0:0]\n'
':neutron-postrouting-bottom - [0:0]\n'
':%(bn)s-OUTPUT - [0:0]\n'
':%(bn)s-POSTROUTING - [0:0]\n'
':%(bn)s-PREROUTING - [0:0]\n'
':%(bn)s-float-snat - [0:0]\n'
':%(bn)s-snat - [0:0]\n'
- '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING\n'
- '[0:0] -A POSTROUTING -j neutron-postrouting-bottom\n'
- '[0:0] -A neutron-postrouting-bottom '
+ '-I OUTPUT 1 -j %(bn)s-OUTPUT\n'
+ '-I POSTROUTING 1 -j %(bn)s-POSTROUTING\n'
+ '-I POSTROUTING 2 -j neutron-postrouting-bottom\n'
+ '-I PREROUTING 1 -j %(bn)s-PREROUTING\n'
+ '-I neutron-postrouting-bottom 1 '
'-m comment --comment "%(snat_out_comment)s" -j %(bn)s-snat\n'
- '[0:0] -A %(bn)s-snat -j '
+ '-I %(bn)s-snat 1 -j '
'%(bn)s-float-snat\n'
'COMMIT\n'
'# Completed by iptables_manager\n' % IPTABLES_ARG)
def test_add_filter_rule(self):
iptables_args = {}
iptables_args.update(IPTABLES_ARG)
- filter_rules = ('[0:0] -A %(bn)s-filter -j DROP\n'
- '[0:0] -A %(bn)s-INPUT -s 0/0 -d 192.168.0.2 -j '
- '%(bn)s-filter\n' % iptables_args)
+ filter_rules = ('-I %(bn)s-INPUT 1 -s 0/0 -d 192.168.0.2 -j '
+ '%(bn)s-filter\n-I %(bn)s-filter 1 -j DROP\n'
+ % iptables_args)
iptables_args['filter_rules'] = filter_rules
filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % iptables_args
mangle_dump = _generate_mangle_dump(IPTABLES_ARG)
expected_calls_and_values = [
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(raw_dump + COMMENTED_NAT_DUMP +
- mangle_dump + filter_dump_mod),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(filter_dump_mod + mangle_dump +
+ COMMENTED_NAT_DUMP + raw_dump),
run_as_root=True),
None),
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(raw_dump + COMMENTED_NAT_DUMP +
- mangle_dump + FILTER_DUMP),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(FILTER_DUMP + mangle_dump +
+ COMMENTED_NAT_DUMP + raw_dump),
run_as_root=True
),
None),
def _generate_mangle_dump(iptables_args):
return ('# Generated by iptables_manager\n'
'*mangle\n'
+ ':FORWARD - [0:0]\n'
+ ':INPUT - [0:0]\n'
+ ':OUTPUT - [0:0]\n'
+ ':POSTROUTING - [0:0]\n'
+ ':PREROUTING - [0:0]\n'
':%(bn)s-FORWARD - [0:0]\n'
':%(bn)s-INPUT - [0:0]\n'
':%(bn)s-OUTPUT - [0:0]\n'
':%(bn)s-POSTROUTING - [0:0]\n'
':%(bn)s-PREROUTING - [0:0]\n'
':%(bn)s-mark - [0:0]\n'
- '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING\n'
- '[0:0] -A %(bn)s-PREROUTING -j %(bn)s-mark\n'
+ '-I FORWARD 1 -j %(bn)s-FORWARD\n'
+ '-I INPUT 1 -j %(bn)s-INPUT\n'
+ '-I OUTPUT 1 -j %(bn)s-OUTPUT\n'
+ '-I POSTROUTING 1 -j %(bn)s-POSTROUTING\n'
+ '-I PREROUTING 1 -j %(bn)s-PREROUTING\n'
+ '-I %(bn)s-PREROUTING 1 -j %(bn)s-mark\n'
'COMMIT\n'
'# Completed by iptables_manager\n' % iptables_args)
def _generate_raw_dump(iptables_args):
return ('# Generated by iptables_manager\n'
'*raw\n'
+ ':OUTPUT - [0:0]\n'
+ ':PREROUTING - [0:0]\n'
':%(bn)s-OUTPUT - [0:0]\n'
':%(bn)s-PREROUTING - [0:0]\n'
- '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
+ '-I OUTPUT 1 -j %(bn)s-OUTPUT\n'
+ '-I PREROUTING 1 -j %(bn)s-PREROUTING\n'
'COMMIT\n'
'# Completed by iptables_manager\n' % iptables_args)
+
MANGLE_DUMP = _generate_mangle_dump(IPTABLES_ARG)
RAW_DUMP = _generate_raw_dump(IPTABLES_ARG)
def _extend_with_ip6tables_filter(self, expected_calls, filter_dump):
expected_calls.insert(2, (
- mock.call(['ip6tables-save', '-c'],
+ mock.call(['ip6tables-save'],
run_as_root=True),
''))
expected_calls.insert(3, (
- mock.call(['ip6tables-restore', '-c'],
+ mock.call(['ip6tables-restore', '-n'],
process_input=filter_dump,
run_as_root=True),
None))
expected_calls.extend([
- (mock.call(['ip6tables-save', '-c'],
+ (mock.call(['ip6tables-save'],
run_as_root=True),
''),
- (mock.call(['ip6tables-restore', '-c'],
+ (mock.call(['ip6tables-restore', '-n'],
process_input=filter_dump,
run_as_root=True),
None)])
def _test_add_and_remove_chain_custom_binary_name_helper(self, use_ipv6):
- bn = ("abcdef" * 5)
+ bn = ("xbcdef" * 5)
self.iptables = iptables_manager.IptablesManager(
binary_name=bn,
mangle_dump = _generate_mangle_dump(iptables_args)
expected_calls_and_values = [
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(raw_dump + nat_dump + mangle_dump +
- filter_dump_mod),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(filter_dump_mod + mangle_dump +
+ nat_dump + raw_dump),
run_as_root=True),
None),
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(raw_dump + nat_dump + mangle_dump +
- filter_dump),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(filter_dump + mangle_dump +
+ nat_dump + raw_dump),
run_as_root=True),
None),
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- raw_dump + filter_dump_ipv6)
+ filter_dump_ipv6 + raw_dump)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
self._test_add_and_remove_chain_custom_binary_name_helper(True)
def _test_empty_chain_custom_binary_name_helper(self, use_ipv6):
- bn = ("abcdef" * 5)[:16]
+ bn = ("xbcdef" * 5)[:16]
self.iptables = iptables_manager.IptablesManager(
binary_name=bn,
filter_dump = FILTER_TEMPLATE % iptables_args
- filter_rules = ('[0:0] -A %(bn)s-filter -s 0/0 -d 192.168.0.2\n'
+ filter_rules = ('-I %(bn)s-filter 1 -s 0/0 -d 192.168.0.2\n'
% iptables_args)
iptables_args['filter_rules'] = filter_rules
filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % iptables_args
mangle_dump = _generate_mangle_dump(iptables_args)
expected_calls_and_values = [
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(raw_dump + nat_dump + mangle_dump +
- filter_dump_mod),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(filter_dump_mod + mangle_dump +
+ nat_dump + raw_dump),
run_as_root=True),
None),
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(raw_dump + nat_dump + mangle_dump +
- filter_dump),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(filter_dump + mangle_dump +
+ nat_dump + raw_dump),
run_as_root=True),
None),
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- raw_dump + filter_dump)
+ filter_dump + raw_dump)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % IPTABLES_ARG
expected_calls_and_values = [
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP +
- filter_dump_mod),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(filter_dump_mod + MANGLE_DUMP +
+ NAT_DUMP + RAW_DUMP),
run_as_root=True),
None),
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP +
- FILTER_DUMP),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
+ RAW_DUMP),
run_as_root=True),
None),
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- RAW_DUMP + FILTER_DUMP)
+ FILTER_DUMP + RAW_DUMP)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
iptables_args = {}
iptables_args.update(IPTABLES_ARG)
- filter_rules = ('[0:0] -A %(bn)s-filter -j DROP\n'
- '[0:0] -A %(bn)s-INPUT -s 0/0 -d 192.168.0.2 -j '
- '%(bn)s-filter\n' % iptables_args)
+ filter_rules = ('-I %(bn)s-INPUT 1 -s 0/0 -d 192.168.0.2 -j '
+ '%(bn)s-filter\n-I %(bn)s-filter 1 -j DROP\n'
+ % iptables_args)
iptables_args['filter_rules'] = filter_rules
filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % iptables_args
raw_dump = RAW_DUMP % IPTABLES_ARG
expected_calls_and_values = [
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP +
- filter_dump_mod),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(filter_dump_mod + MANGLE_DUMP +
+ NAT_DUMP + RAW_DUMP),
run_as_root=True),
None),
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP +
- FILTER_DUMP),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
+ RAW_DUMP),
run_as_root=True
),
None),
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- raw_dump + FILTER_DUMP)
+ FILTER_DUMP + raw_dump)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
filter_dump_mod = ('# Generated by iptables_manager\n'
'*filter\n'
+ ':FORWARD - [0:0]\n'
+ ':INPUT - [0:0]\n'
+ ':OUTPUT - [0:0]\n'
':neutron-filter-top - [0:0]\n'
':%(wrap)s - [0:0]\n'
':%(bn)s-FORWARD - [0:0]\n'
':%(bn)s-INPUT - [0:0]\n'
':%(bn)s-OUTPUT - [0:0]\n'
':%(bn)s-local - [0:0]\n'
- '[0:0] -A FORWARD -j neutron-filter-top\n'
- '[0:0] -A OUTPUT -j neutron-filter-top\n'
- '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
- '[0:0] -A %(bn)s-INPUT -s 0/0 -d 192.168.0.2 -j '
+ '-I FORWARD 1 -j neutron-filter-top\n'
+ '-I FORWARD 2 -j %(bn)s-FORWARD\n'
+ '-I INPUT 1 -j %(bn)s-INPUT\n'
+ '-I OUTPUT 1 -j neutron-filter-top\n'
+ '-I OUTPUT 2 -j %(bn)s-OUTPUT\n'
+ '-I neutron-filter-top 1 -j %(bn)s-local\n'
+ '-I %(bn)s-INPUT 1 -s 0/0 -d 192.168.0.2 -j '
'%(wrap)s\n'
'COMMIT\n'
'# Completed by iptables_manager\n'
raw_dump = RAW_DUMP % IPTABLES_ARG
expected_calls_and_values = [
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP +
- filter_dump_mod),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(filter_dump_mod + MANGLE_DUMP +
+ NAT_DUMP + RAW_DUMP),
run_as_root=True),
None),
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP +
- FILTER_DUMP),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(FILTER_DUMP + MANGLE_DUMP +
+ NAT_DUMP + RAW_DUMP),
run_as_root=True),
None),
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- raw_dump + FILTER_DUMP)
+ FILTER_DUMP + raw_dump)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
mangle_dump_mod = (
'# Generated by iptables_manager\n'
'*mangle\n'
+ ':FORWARD - [0:0]\n'
+ ':INPUT - [0:0]\n'
+ ':OUTPUT - [0:0]\n'
+ ':POSTROUTING - [0:0]\n'
+ ':PREROUTING - [0:0]\n'
':%(bn)s-FORWARD - [0:0]\n'
':%(bn)s-INPUT - [0:0]\n'
':%(bn)s-OUTPUT - [0:0]\n'
':%(bn)s-PREROUTING - [0:0]\n'
':%(bn)s-mangle - [0:0]\n'
':%(bn)s-mark - [0:0]\n'
- '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING\n'
- '[0:0] -A %(bn)s-PREROUTING -j %(bn)s-mark\n'
- '[0:0] -A %(bn)s-PREROUTING -j MARK --set-xmark 0x1/%(mark)s\n'
+ '-I FORWARD 1 -j %(bn)s-FORWARD\n'
+ '-I INPUT 1 -j %(bn)s-INPUT\n'
+ '-I OUTPUT 1 -j %(bn)s-OUTPUT\n'
+ '-I POSTROUTING 1 -j %(bn)s-POSTROUTING\n'
+ '-I PREROUTING 1 -j %(bn)s-PREROUTING\n'
+ '-I %(bn)s-PREROUTING 1 -j %(bn)s-mark\n'
+ '-I %(bn)s-PREROUTING 2 -j MARK --set-xmark 0x1/%(mark)s\n'
'COMMIT\n'
'# Completed by iptables_manager\n' % IPTABLES_ARG)
expected_calls_and_values = [
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(RAW_DUMP + NAT_DUMP + mangle_dump_mod +
- FILTER_DUMP),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(FILTER_DUMP + mangle_dump_mod +
+ NAT_DUMP + RAW_DUMP),
run_as_root=True),
None),
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP +
- FILTER_DUMP),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(FILTER_DUMP + MANGLE_DUMP +
+ NAT_DUMP + RAW_DUMP),
run_as_root=True),
None),
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- RAW_DUMP + FILTER_DUMP)
+ FILTER_DUMP + RAW_DUMP)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
nat_dump_mod = ('# Generated by iptables_manager\n'
'*nat\n'
+ ':OUTPUT - [0:0]\n'
+ ':POSTROUTING - [0:0]\n'
+ ':PREROUTING - [0:0]\n'
':neutron-postrouting-bottom - [0:0]\n'
':%(bn)s-OUTPUT - [0:0]\n'
':%(bn)s-POSTROUTING - [0:0]\n'
':%(bn)s-float-snat - [0:0]\n'
':%(bn)s-nat - [0:0]\n'
':%(bn)s-snat - [0:0]\n'
- '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING\n'
- '[0:0] -A POSTROUTING -j neutron-postrouting-bottom\n'
- '[0:0] -A neutron-postrouting-bottom -j %(bn)s-snat\n'
- '[0:0] -A %(bn)s-snat -j %(bn)s-float-snat\n'
- '[0:0] -A %(bn)s-PREROUTING -d 192.168.0.3 -j '
+ '-I OUTPUT 1 -j %(bn)s-OUTPUT\n'
+ '-I POSTROUTING 1 -j %(bn)s-POSTROUTING\n'
+ '-I POSTROUTING 2 -j neutron-postrouting-bottom\n'
+ '-I PREROUTING 1 -j %(bn)s-PREROUTING\n'
+ '-I neutron-postrouting-bottom 1 -j %(bn)s-snat\n'
+ '-I %(bn)s-PREROUTING 1 -d 192.168.0.3 -j '
'%(bn)s-nat\n'
- '[0:0] -A %(bn)s-nat -p tcp --dport 8080 -j '
+ '-I %(bn)s-nat 1 -p tcp --dport 8080 -j '
'REDIRECT --to-port 80\n'
+ '-I %(bn)s-snat 1 -j %(bn)s-float-snat\n'
'COMMIT\n'
- '# Completed by iptables_manager\n'
- % IPTABLES_ARG)
+ '# Completed by iptables_manager\n' % IPTABLES_ARG)
raw_dump = RAW_DUMP % IPTABLES_ARG
expected_calls_and_values = [
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(RAW_DUMP + nat_dump_mod + MANGLE_DUMP +
- FILTER_DUMP),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(FILTER_DUMP + MANGLE_DUMP +
+ nat_dump_mod + RAW_DUMP),
run_as_root=True),
None),
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(RAW_DUMP + nat_dump + MANGLE_DUMP +
- FILTER_DUMP),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(FILTER_DUMP + MANGLE_DUMP + nat_dump +
+ RAW_DUMP),
run_as_root=True),
None),
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- raw_dump + FILTER_DUMP)
+ FILTER_DUMP + raw_dump)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
raw_dump_mod = ('# Generated by iptables_manager\n'
'*raw\n'
+ ':OUTPUT - [0:0]\n'
+ ':PREROUTING - [0:0]\n'
':%(bn)s-OUTPUT - [0:0]\n'
':%(bn)s-PREROUTING - [0:0]\n'
':%(bn)s-raw - [0:0]\n'
- '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A %(bn)s-PREROUTING -j CT --notrack\n'
+ '-I OUTPUT 1 -j %(bn)s-OUTPUT\n'
+ '-I PREROUTING 1 -j %(bn)s-PREROUTING\n'
+ '-I %(bn)s-PREROUTING 1 -j CT --notrack\n'
'COMMIT\n'
'# Completed by iptables_manager\n'
% IPTABLES_ARG)
expected_calls_and_values = [
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(raw_dump_mod + NAT_DUMP + MANGLE_DUMP +
- FILTER_DUMP),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
+ raw_dump_mod),
run_as_root=True),
None),
- (mock.call(['iptables-save', '-c'],
+ (mock.call(['iptables-save'],
run_as_root=True),
''),
- (mock.call(['iptables-restore', '-c'],
- process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP +
- FILTER_DUMP),
+ (mock.call(['iptables-restore', '-n'],
+ process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
+ RAW_DUMP),
run_as_root=True),
None),
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- RAW_DUMP + FILTER_DUMP)
+ FILTER_DUMP + RAW_DUMP)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
def test_get_traffic_counters_with_zero_with_ipv6(self):
self._test_get_traffic_counters_with_zero_helper(True)
- def _test_find_last_entry(self, find_str):
- filter_list = [':neutron-filter-top - [0:0]',
- ':%(bn)s-FORWARD - [0:0]',
- ':%(bn)s-INPUT - [0:0]',
- ':%(bn)s-local - [0:0]',
- ':%(wrap)s - [0:0]',
- ':%(bn)s-OUTPUT - [0:0]',
- '[0:0] -A FORWARD -j neutron-filter-top',
- '[0:0] -A OUTPUT -j neutron-filter-top'
- % IPTABLES_ARG]
- filter_map = iptables_manager.make_filter_map(filter_list)
- return self.iptables._find_last_entry(filter_map, find_str)
-
- def test_find_last_entry_old_dup(self):
- find_str = '-A OUTPUT -j neutron-filter-top'
- match_str = '[0:0] -A OUTPUT -j neutron-filter-top'
- ret_str = self._test_find_last_entry(find_str)
- self.assertEqual(ret_str, match_str)
-
- def test_find_last_entry_none(self):
- find_str = 'neutron-filter-NOTFOUND'
- ret_str = self._test_find_last_entry(find_str)
- self.assertIsNone(ret_str)
-
- def test_make_filter_map_cidr_stripping(self):
- filter_rules = ('[0:0] -A OUTPUT -j DROP',
- '[0:0] -A INPUT -d 192.168.0.2/32 -j DROP',
- '[0:0] -A INPUT -d 1234:31::001F/128 -j DROP',
- 'OUTPUT - [0:0]')
- filter_map = iptables_manager.make_filter_map(filter_rules)
- # make sure /128 works without CIDR
- self.assertEqual(filter_rules[2],
- filter_map['-A INPUT -d 1234:31::001F -j DROP'][0])
- # make sure /32 works without CIDR
- self.assertEqual(filter_rules[1],
- filter_map['-A INPUT -d 192.168.0.2 -j DROP'][0])
-
class IptablesManagerStateLessTestCase(base.BaseTestCase):
IPTABLES_MANGLE = """# Generated by iptables_manager
*mangle
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
+:POSTROUTING - [0:0]
+:PREROUTING - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A PREROUTING -j %(bn)s-PREROUTING
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING
-[0:0] -A %(bn)s-PREROUTING -j %(bn)s-mark
+-I FORWARD 1 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j %(bn)s-OUTPUT
+-I POSTROUTING 1 -j %(bn)s-POSTROUTING
+-I PREROUTING 1 -j %(bn)s-PREROUTING
+-I %(bn)s-PREROUTING 1 -j %(bn)s-mark
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_RAW_DEFAULT = """# Generated by iptables_manager
*raw
+:OUTPUT - [0:0]
+:PREROUTING - [0:0]
:%(bn)s-OUTPUT - [0:0]
:%(bn)s-PREROUTING - [0:0]
-[0:0] -A PREROUTING -j %(bn)s-PREROUTING
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
+-I OUTPUT 1 -j %(bn)s-OUTPUT
+-I PREROUTING 1 -j %(bn)s-PREROUTING
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_RAW_DEVICE_1 = """# Generated by iptables_manager
*raw
+:OUTPUT - [0:0]
+:PREROUTING - [0:0]
:%(bn)s-OUTPUT - [0:0]
:%(bn)s-PREROUTING - [0:0]
-[0:0] -A PREROUTING -j %(bn)s-PREROUTING
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A %(bn)s-PREROUTING -m physdev --physdev-in qvbtap_port1 -j CT --zone 1
-[0:0] -A %(bn)s-PREROUTING -m physdev --physdev-in tap_port1 -j CT --zone 1
+-I OUTPUT 1 -j %(bn)s-OUTPUT
+-I PREROUTING 1 -j %(bn)s-PREROUTING
+-I %(bn)s-PREROUTING 1 -m physdev --physdev-in qvbtap_port1 -j CT --zone 1
+-I %(bn)s-PREROUTING 2 -m physdev --physdev-in tap_port1 -j CT --zone 1
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_RAW_DEVICE_2 = """# Generated by iptables_manager
*raw
+:OUTPUT - [0:0]
+:PREROUTING - [0:0]
:%(bn)s-OUTPUT - [0:0]
:%(bn)s-PREROUTING - [0:0]
-[0:0] -A PREROUTING -j %(bn)s-PREROUTING
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A %(bn)s-PREROUTING -m physdev --physdev-in qvbtap_%(port1)s \
+-I OUTPUT 1 -j %(bn)s-OUTPUT
+-I PREROUTING 1 -j %(bn)s-PREROUTING
+-I %(bn)s-PREROUTING 1 -m physdev --physdev-in qvbtap_%(port1)s \
-j CT --zone 1
-[0:0] -A %(bn)s-PREROUTING -m physdev --physdev-in tap_%(port1)s -j CT --zone 1
-[0:0] -A %(bn)s-PREROUTING -m physdev --physdev-in qvbtap_%(port2)s \
+-I %(bn)s-PREROUTING 2 -m physdev --physdev-in tap_%(port1)s -j CT --zone 1
+-I %(bn)s-PREROUTING 3 -m physdev --physdev-in qvbtap_%(port2)s \
-j CT --zone 2
-[0:0] -A %(bn)s-PREROUTING -m physdev --physdev-in tap_%(port2)s -j CT --zone 2
+-I %(bn)s-PREROUTING 4 -m physdev --physdev-in tap_%(port2)s -j CT --zone 2
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_NAT = """# Generated by iptables_manager
*nat
+:OUTPUT - [0:0]
+:POSTROUTING - [0:0]
+:PREROUTING - [0:0]
:neutron-postrouting-bottom - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A PREROUTING -j %(bn)s-PREROUTING
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING
-[0:0] -A POSTROUTING -j neutron-postrouting-bottom
-[0:0] -A neutron-postrouting-bottom -j %(bn)s-snat
-[0:0] -A %(bn)s-snat -j %(bn)s-float-snat
+-I OUTPUT 1 -j %(bn)s-OUTPUT
+-I POSTROUTING 1 -j %(bn)s-POSTROUTING
+-I POSTROUTING 2 -j neutron-postrouting-bottom
+-I PREROUTING 1 -j %(bn)s-PREROUTING
+-I neutron-postrouting-bottom 1 -j %(bn)s-snat
+-I %(bn)s-snat 1 -j %(bn)s-float-snat
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_RAW = """# Generated by iptables_manager
*raw
+:OUTPUT - [0:0]
+:PREROUTING - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A PREROUTING -j %(bn)s-PREROUTING
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
+-I OUTPUT 1 -j %(bn)s-OUTPUT
+-I PREROUTING 1 -j %(bn)s-PREROUTING
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPSET_FILTER_1 = """# Generated by iptables_manager
*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
:neutron-filter-top - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A FORWARD -j neutron-filter-top
-[0:0] -A OUTPUT -j neutron-filter-top
-[0:0] -A neutron-filter-top -j %(bn)s-local
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port1 \
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-i_port1
-[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp \
---dport 68 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_port1 -m set --match-set NIPv4security_group1 src -j \
-RETURN
-[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
+-I %(bn)s-i_port1 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_port1 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp \
+--dport 68 -j RETURN
+-I %(bn)s-i_port1 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_port1 4 -m set --match-set NIPv4security_group1 src -j \
+RETURN
+-I %(bn)s-i_port1 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_port1 6 -j %(bn)s-sg-fallback
+-I %(bn)s-o_port1 1 -p udp -m udp --sport 68 -m udp --dport 67 \
-j RETURN
-[0:0] -A %(bn)s-s_port1 -j DROP
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 -m udp --dport 67 \
+-I %(bn)s-o_port1 2 -j %(bn)s-s_port1
+-I %(bn)s-o_port1 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_port1 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_port1 5 -j RETURN
+-I %(bn)s-o_port1 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_port1 7 -j %(bn)s-sg-fallback
+-I %(bn)s-s_port1 1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
-[0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_port1 -j RETURN
-[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-sg-chain -j ACCEPT
+-I %(bn)s-s_port1 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_port1 \
+%(physdev_is_bridged)s -j %(bn)s-i_port1
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_port1 \
+%(physdev_is_bridged)s -j %(bn)s-o_port1
+-I %(bn)s-sg-chain 3 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_FILTER_1 = """# Generated by iptables_manager
*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
:neutron-filter-top - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A FORWARD -j neutron-filter-top
-[0:0] -A OUTPUT -j neutron-filter-top
-[0:0] -A neutron-filter-top -j %(bn)s-local
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port1 \
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-i_port1
-[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp \
---dport 68 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port1 \
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
+-I %(bn)s-i_port1 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_port1 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp \
+--dport 68 -j RETURN
+-I %(bn)s-i_port1 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_port1 4 -m state --state INVALID -j DROP
+-I %(bn)s-i_port1 5 -j %(bn)s-sg-fallback
+-I %(bn)s-o_port1 1 -p udp -m udp --sport 68 -m udp --dport 67 \
-j RETURN
-[0:0] -A %(bn)s-s_port1 -j DROP
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 -m udp --dport 67 \
+-I %(bn)s-o_port1 2 -j %(bn)s-s_port1
+-I %(bn)s-o_port1 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_port1 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_port1 5 -j RETURN
+-I %(bn)s-o_port1 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_port1 7 -j %(bn)s-sg-fallback
+-I %(bn)s-s_port1 1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
-[0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_port1 -j RETURN
-[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-sg-chain -j ACCEPT
+-I %(bn)s-s_port1 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_port1 \
+%(physdev_is_bridged)s -j %(bn)s-i_port1
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_port1 \
+%(physdev_is_bridged)s -j %(bn)s-o_port1
+-I %(bn)s-sg-chain 3 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_FILTER_1_2 = """# Generated by iptables_manager
*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
:neutron-filter-top - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A FORWARD -j neutron-filter-top
-[0:0] -A OUTPUT -j neutron-filter-top
-[0:0] -A neutron-filter-top -j %(bn)s-local
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port1 \
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-i_port1
-[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp \
---dport 68 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_port1 -s 10.0.0.4/32 -j RETURN
-[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
+-I %(bn)s-i_port1 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_port1 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp \
+--dport 68 -j RETURN
+-I %(bn)s-i_port1 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_port1 4 -s 10.0.0.4/32 -j RETURN
+-I %(bn)s-i_port1 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_port1 6 -j %(bn)s-sg-fallback
+-I %(bn)s-o_port1 1 -p udp -m udp --sport 68 -m udp --dport 67 \
-j RETURN
-[0:0] -A %(bn)s-s_port1 -j DROP
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 -m udp --dport 67 \
+-I %(bn)s-o_port1 2 -j %(bn)s-s_port1
+-I %(bn)s-o_port1 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_port1 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_port1 5 -j RETURN
+-I %(bn)s-o_port1 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_port1 7 -j %(bn)s-sg-fallback
+-I %(bn)s-s_port1 1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
-[0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_port1 -j RETURN
-[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-sg-chain -j ACCEPT
+-I %(bn)s-s_port1 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_port1 \
+%(physdev_is_bridged)s -j %(bn)s-i_port1
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_port1 \
+%(physdev_is_bridged)s -j %(bn)s-o_port1
+-I %(bn)s-sg-chain 3 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPSET_FILTER_2 = """# Generated by iptables_manager
*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
:neutron-filter-top - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A FORWARD -j neutron-filter-top
-[0:0] -A OUTPUT -j neutron-filter-top
-[0:0] -A neutron-filter-top -j %(bn)s-local
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
-[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
--m udp --dport 68 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -m set --match-set NIPv4security_group1 src -j \
-RETURN
-[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \
--j RETURN
-[0:0] -A %(bn)s-s_%(port1)s -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \
--j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
-%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
-[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
--m udp --dport 68 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -m set --match-set NIPv4security_group1 src -j \
-RETURN
-[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+-m udp --dport 68 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -m set --match-set NIPv4security_group1 src -j RETURN
+-I %(bn)s-i_%(port1)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+-m udp --dport 68 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -m set --match-set NIPv4security_group1 src -j RETURN
+-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
+-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 5 -j RETURN
+-I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
+-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 5 -j RETURN
+-I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
+-I %(bn)s-s_%(port1)s 2 -j DROP
+-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
+-I %(bn)s-s_%(port2)s 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \
--j RETURN
-[0:0] -A %(bn)s-s_%(port2)s -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \
--j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-sg-chain -j ACCEPT
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPSET_FILTER_2_3 = """# Generated by iptables_manager
*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
:neutron-filter-top - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A FORWARD -j neutron-filter-top
-[0:0] -A OUTPUT -j neutron-filter-top
-[0:0] -A neutron-filter-top -j %(bn)s-local
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
-[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
--m udp --dport 68 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -m set --match-set NIPv4security_group1 src -j \
-RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p icmp -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \
--j RETURN
-[0:0] -A %(bn)s-s_%(port1)s -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \
--j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
-%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
-[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
--m udp --dport 68 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -m set --match-set NIPv4security_group1 src -j \
-RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p icmp -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+-m udp --dport 68 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -m set --match-set NIPv4security_group1 src -j RETURN
+-I %(bn)s-i_%(port1)s 5 -p icmp -j RETURN
+-I %(bn)s-i_%(port1)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+-m udp --dport 68 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -m set --match-set NIPv4security_group1 src -j RETURN
+-I %(bn)s-i_%(port2)s 5 -p icmp -j RETURN
+-I %(bn)s-i_%(port2)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
+-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 5 -j RETURN
+-I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
+-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 5 -j RETURN
+-I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
+-I %(bn)s-s_%(port1)s 2 -j DROP
+-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
+-I %(bn)s-s_%(port2)s 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \
--j RETURN
-[0:0] -A %(bn)s-s_%(port2)s -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \
--j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-sg-chain -j ACCEPT
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_FILTER_2 = """# Generated by iptables_manager
*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
:neutron-filter-top - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A FORWARD -j neutron-filter-top
-[0:0] -A OUTPUT -j neutron-filter-top
-[0:0] -A neutron-filter-top -j %(bn)s-local
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
-[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
--m udp --dport 68 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \
--j RETURN
-[0:0] -A %(bn)s-s_%(port1)s -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \
--j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
-%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
-[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
--m udp --dport 68 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \
+-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+-m udp --dport 68 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -s %(ip2)s -j RETURN
+-I %(bn)s-i_%(port1)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+-m udp --dport 68 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN
+-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 \
-j RETURN
-[0:0] -A %(bn)s-s_%(port2)s -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
+-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 5 -j RETURN
+-I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 \
-j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-sg-chain -j ACCEPT
+-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
+-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 5 -j RETURN
+-I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
+-I %(bn)s-s_%(port1)s 2 -j DROP
+-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
+-I %(bn)s-s_%(port2)s 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_FILTER_2_2 = """# Generated by iptables_manager
*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
:neutron-filter-top - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A FORWARD -j neutron-filter-top
-[0:0] -A OUTPUT -j neutron-filter-top
-[0:0] -A neutron-filter-top -j %(bn)s-local
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
-[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
--m udp --dport 68 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP
-""" % IPTABLES_ARG
-IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \
--j RETURN
-[0:0] -A %(bn)s-s_%(port1)s -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \
--j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
-%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
-[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
--m udp --dport 68 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
-""" % IPTABLES_ARG
-IPTABLES_FILTER_2_2 += ("[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s "
- "-j RETURN\n"
- % IPTABLES_ARG)
-IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port2)s -m state --state \
-INVALID -j DROP
-[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+-m udp --dport 68 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 5 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+-m udp --dport 68 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN
+-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
+-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 5 -j RETURN
+-I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
+-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 5 -j RETURN
+-I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
+-I %(bn)s-s_%(port1)s 2 -j DROP
+-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
+-I %(bn)s-s_%(port2)s 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \
--j RETURN
-[0:0] -A %(bn)s-s_%(port2)s -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \
--j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-sg-chain -j ACCEPT
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_FILTER_2_3 = """# Generated by iptables_manager
*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
:neutron-filter-top - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A FORWARD -j neutron-filter-top
-[0:0] -A OUTPUT -j neutron-filter-top
-[0:0] -A neutron-filter-top -j %(bn)s-local
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
-[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
--m udp --dport 68 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p icmp -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \
--j RETURN
-[0:0] -A %(bn)s-s_%(port1)s -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \
--j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
-%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
-[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
--m udp --dport 68 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p icmp -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+-m udp --dport 68 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -s %(ip2)s -j RETURN
+-I %(bn)s-i_%(port1)s 5 -p icmp -j RETURN
+-I %(bn)s-i_%(port1)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+-m udp --dport 68 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN
+-I %(bn)s-i_%(port2)s 5 -p icmp -j RETURN
+-I %(bn)s-i_%(port2)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
+-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
+-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 5 -j RETURN
+-I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
+-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
+-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
+-I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 5 -j RETURN
+-I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
+-I %(bn)s-s_%(port1)s 2 -j DROP
+-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
+-I %(bn)s-s_%(port2)s 2 -j DROP
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \
--j RETURN
-[0:0] -A %(bn)s-s_%(port2)s -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \
--j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-sg-chain -j ACCEPT
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_ARG['chains'] = CHAINS_EMPTY
IPTABLES_FILTER_EMPTY = """# Generated by iptables_manager
*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
:neutron-filter-top - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A FORWARD -j neutron-filter-top
-[0:0] -A OUTPUT -j neutron-filter-top
-[0:0] -A neutron-filter-top -j %(bn)s-local
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-sg-chain -j ACCEPT
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-sg-chain 1 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_ARG['chains'] = CHAINS_1
IPTABLES_FILTER_V6_1 = """# Generated by iptables_manager
*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
:neutron-filter-top - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A FORWARD -j neutron-filter-top
-[0:0] -A OUTPUT -j neutron-filter-top
-[0:0] -A neutron-filter-top -j %(bn)s-local
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port1 \
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-i_port1
-[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
-[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port1 \
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
+-I %(bn)s-i_port1 1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+-I %(bn)s-i_port1 2 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
+-I %(bn)s-i_port1 3 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j RETURN
+-I %(bn)s-i_port1 4 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+-I %(bn)s-i_port1 5 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
+-I %(bn)s-i_port1 6 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_port1 7 -m state --state INVALID -j DROP
+-I %(bn)s-i_port1 8 -j %(bn)s-sg-fallback
+-I %(bn)s-o_port1 1 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+-I %(bn)s-o_port1 2 -p ipv6-icmp -j RETURN
+-I %(bn)s-o_port1 3 -p udp -m udp --sport 546 -m udp --dport 547 -j RETURN
+-I %(bn)s-o_port1 4 -p udp -m udp --sport 547 -m udp --dport 546 -j DROP
+-I %(bn)s-o_port1 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_port1 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_port1 7 -j %(bn)s-sg-fallback
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_port1 \
+%(physdev_is_bridged)s -j %(bn)s-i_port1
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-o_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
-[0:0] -A %(bn)s-o_port1 -p ipv6-icmp -j RETURN
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 -m udp --dport 547 -j RETURN
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 -m udp --dport 546 -j DROP
-[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-sg-chain -j ACCEPT
+-I %(bn)s-sg-chain 3 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
:neutron-filter-top - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A FORWARD -j neutron-filter-top
-[0:0] -A OUTPUT -j neutron-filter-top
-[0:0] -A neutron-filter-top -j %(bn)s-local
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
-[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
-%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p ipv6-icmp -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 546 -m udp --dport 547 \
--j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 547 -m udp --dport 546 \
--j DROP
-[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
-%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
-[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+-I %(bn)s-i_%(port1)s 1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+-I %(bn)s-i_%(port1)s 2 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+-I %(bn)s-i_%(port1)s 5 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
+-I %(bn)s-i_%(port1)s 6 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+-I %(bn)s-i_%(port2)s 2 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+-I %(bn)s-i_%(port2)s 5 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
+-I %(bn)s-i_%(port2)s 6 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 7 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 8 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port1)s 1 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+-I %(bn)s-o_%(port1)s 2 -p ipv6-icmp -j RETURN
+-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 546 -m udp --dport 547 -j RETURN
+-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 547 -m udp --dport 546 -j DROP
+-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-o_%(port2)s 1 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+-I %(bn)s-o_%(port2)s 2 -p ipv6-icmp -j RETURN
+-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 546 -m udp --dport 547 -j RETURN
+-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 547 -m udp --dport 546 -j DROP
+-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP
+-I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p ipv6-icmp -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 546 -m udp --dport 547 \
--j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 547 -m udp --dport 546 \
--j DROP
-[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-sg-chain -j ACCEPT
+-I %(bn)s-sg-chain 5 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
IPTABLES_ARG['chains'] = CHAINS_EMPTY
IPTABLES_FILTER_V6_EMPTY = """# Generated by iptables_manager
*filter
+:FORWARD - [0:0]
+:INPUT - [0:0]
+:OUTPUT - [0:0]
:neutron-filter-top - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
:%(bn)s-(%(chains)s) - [0:0]
-[0:0] -A FORWARD -j neutron-filter-top
-[0:0] -A OUTPUT -j neutron-filter-top
-[0:0] -A neutron-filter-top -j %(bn)s-local
-[0:0] -A INPUT -j %(bn)s-INPUT
-[0:0] -A OUTPUT -j %(bn)s-OUTPUT
-[0:0] -A FORWARD -j %(bn)s-FORWARD
-[0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-sg-chain -j ACCEPT
+-I FORWARD 1 -j neutron-filter-top
+-I FORWARD 2 -j %(bn)s-FORWARD
+-I INPUT 1 -j %(bn)s-INPUT
+-I OUTPUT 1 -j neutron-filter-top
+-I OUTPUT 2 -j %(bn)s-OUTPUT
+-I neutron-filter-top 1 -j %(bn)s-local
+-I %(bn)s-sg-chain 1 -j ACCEPT
+-I %(bn)s-sg-fallback 1 -j DROP
COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
def _replay_iptables(self, v4_filter, v6_filter, raw):
self._register_mock_call(
- ['iptables-save', '-c'],
+ ['iptables-save'],
run_as_root=True,
return_value='')
self._register_mock_call(
- ['iptables-restore', '-c'],
- process_input=self._regex(raw + IPTABLES_NAT +
- IPTABLES_MANGLE + v4_filter),
+ ['iptables-restore', '-n'],
+ process_input=self._regex(v4_filter + IPTABLES_MANGLE +
+ IPTABLES_NAT + raw),
run_as_root=True,
return_value='')
self._register_mock_call(
- ['ip6tables-save', '-c'],
+ ['ip6tables-save'],
run_as_root=True,
return_value='')
self._register_mock_call(
- ['ip6tables-restore', '-c'],
- process_input=self._regex(raw + v6_filter),
+ ['ip6tables-restore', '-n'],
+ process_input=self._regex(v6_filter + raw),
run_as_root=True,
return_value='')
Code Review / openstack-build / neutron-build.git / commitdiff