From: Kevin Benton Date: Fri, 28 Aug 2015 07:50:59 +0000 (-0700) Subject: Process user iptables rules before INVALID X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=0a258afc7ee3c03974dffa2c0dd0b7b367034cc7;p=openstack-build%2Fneutron-build.git Process user iptables rules before INVALID Process user-defined iptables rules before the INVALID DROP rule. This is to allow scenarios where the VMs need to legitimately receive packets that conntrack doesn't have an entry for (e.g. SYN-ACK where the SYN wasn't sent by the VM). A user can accomplish this by adding an allow rule that matches the headers of these INVALID packets so they get permitted before they hit the INVALID DROP rule. Closes-Bug: #1460741 Change-Id: Ie6ce5f3fa688f1bf25b77db5955211922d9fe85b --- diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py index 0a7ef4b4a..b0ac0f793 100644 --- a/neutron/agent/linux/iptables_firewall.py +++ b/neutron/agent/linux/iptables_firewall.py @@ -559,13 +559,13 @@ class IptablesFirewallDriver(firewall.FirewallDriver): def _convert_sgr_to_iptables_rules(self, security_group_rules): iptables_rules = [] - self._drop_invalid_packets(iptables_rules) self._allow_established(iptables_rules) for rule in security_group_rules: args = self._convert_sg_rule_to_iptables_args(rule) if args: iptables_rules += [' '.join(args)] + self._drop_invalid_packets(iptables_rules) iptables_rules += [comment_rule('-j $sg-fallback', comment=ic.UNMATCHED)] return iptables_rules diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py index adfa2a5c8..24c1b5d8b 100644 --- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py +++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py 
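Review bot: The reordering in `_convert_sgr_to_iptables_rules` changes what the INVALID DROP rule protects, but the method carries no comment saying so: once `self._drop_invalid_packets(iptables_rules)` runs after the `for rule in security_group_rules` loop, any security-group rule that matches a packet sends it to RETURN before the conntrack INVALID check, so INVALID-state packets are now accepted wherever a user rule matches and are dropped only when no rule matched. The updated test expectations show the consequence directly: in the egress chains an unconditional `-j RETURN` now precedes `-m state --state INVALID -j DROP`, making the DROP unreachable for that port. That is the intent of the change, but a future reader is likely to move the call back to the top of the list as a "hardening" fix unless the ordering is explained in place. I would add, above the moved call, `# Must come after the user rules: INVALID is dropped only for traffic no security group rule matched, so a VM can allow packets conntrack has no entry for (bug 1460741).` and mention the same in the docstring of `_drop_invalid_packets` (outside this hunk) so both sides of the contract are visible.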
@@ -124,11 +124,11 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=ic.SG_TO_VM_SG), mock.call.add_rule( 'ifake_dev', - '-m state --state INVALID -j DROP', + '-m state --state RELATED,ESTABLISHED -j RETURN', comment=None), mock.call.add_rule( 'ifake_dev', - '-m state --state RELATED,ESTABLISHED -j RETURN', + '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule( 'ifake_dev', @@ -165,13 +165,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'ofake_dev', '-p udp -m udp --sport 67 --dport 68 -j DROP', comment=None), - mock.call.add_rule( - 'ofake_dev', - '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule( 'ofake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN', comment=None), + mock.call.add_rule( + 'ofake_dev', + '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule( 'ofake_dev', '-j $sg-fallback', @@ -981,10 +981,6 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): '-p icmpv6 --icmpv6-type %s -j RETURN' % icmp6_type, comment=None)) calls += [ - mock.call.add_rule( - 'ifake_dev', - '-m state --state INVALID -j DROP', comment=None - ), mock.call.add_rule( 'ifake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN', @@ -995,7 +991,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): if ingress_expected_call: calls.append(ingress_expected_call) - calls += [mock.call.add_rule('ifake_dev', + calls += [mock.call.add_rule( + 'ifake_dev', + '-m state --state INVALID -j DROP', comment=None), + mock.call.add_rule('ifake_dev', '-j $sg-fallback', comment=None), mock.call.add_chain('ofake_dev'), mock.call.add_rule('FORWARD', @@ -1034,9 +1033,6 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=None)) calls += [ - mock.call.add_rule( - 'ofake_dev', - '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule( 'ofake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN', 
@@ -1046,7 +1042,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): if egress_expected_call: calls.append(egress_expected_call) - calls += [mock.call.add_rule('ofake_dev', + calls += [mock.call.add_rule( + 'ofake_dev', + '-m state --state INVALID -j DROP', comment=None), + mock.call.add_rule('ofake_dev', '-j $sg-fallback', comment=None), mock.call.add_rule('sg-chain', '-j ACCEPT')] @@ -1150,15 +1149,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): '-m physdev --physdev-out tapfake_dev ' '--physdev-is-bridged -j $ifake_dev', comment=ic.SG_TO_VM_SG), - mock.call.add_rule( - 'ifake_dev', - '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule( 'ifake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN', comment=None), mock.call.add_rule('ifake_dev', '-j RETURN', comment=None), + mock.call.add_rule( + 'ifake_dev', + '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule( 'ifake_dev', '-j $sg-fallback', comment=None), @@ -1197,13 +1196,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'ofake_dev', '-p udp -m udp --sport 67 --dport 68 -j DROP', comment=None), - mock.call.add_rule( - 'ofake_dev', '-m state --state INVALID -j DROP', - comment=None), mock.call.add_rule( 'ofake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN', comment=None), + mock.call.add_rule( + 'ofake_dev', '-m state --state INVALID -j DROP', + comment=None), mock.call.add_rule( 'ofake_dev', '-j $sg-fallback', comment=None), 
@@ -1224,13 +1223,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): '-m physdev --physdev-out tapfake_dev ' '--physdev-is-bridged -j $ifake_dev', comment=ic.SG_TO_VM_SG), - mock.call.add_rule( - 'ifake_dev', - '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule( 'ifake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN', comment=None), + mock.call.add_rule( + 'ifake_dev', + '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule( 'ifake_dev', '-j $sg-fallback', comment=None), @@ -1269,15 +1268,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'ofake_dev', '-p udp -m udp --sport 67 --dport 68 -j DROP', comment=None), - mock.call.add_rule( - 'ofake_dev', - '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule( 'ofake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN', comment=None), mock.call.add_rule('ofake_dev', '-j RETURN', comment=None), + mock.call.add_rule( + 'ofake_dev', + '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule('ofake_dev', '-j $sg-fallback', comment=None), @@ -1398,13 +1397,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): '--physdev-is-bridged ' '-j $ifake_dev', comment=ic.SG_TO_VM_SG), - mock.call.add_rule( - 'ifake_dev', - '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule( 'ifake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN', comment=None), + mock.call.add_rule( + 'ifake_dev', + '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule('ifake_dev', '-j $sg-fallback', comment=None), mock.call.add_chain('ofake_dev'), 
@@ -1444,13 +1443,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'ofake_dev', '-p udp -m udp --sport 67 --dport 68 -j DROP', comment=None), - mock.call.add_rule( - 'ofake_dev', - '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule( 'ofake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN', comment=None), + mock.call.add_rule( + 'ofake_dev', + '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule('ofake_dev', '-j $sg-fallback', comment=None), mock.call.add_rule('sg-chain', '-j ACCEPT')] @@ -1478,13 +1477,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): '--physdev-is-bridged ' '-j $ifake_dev', comment=ic.SG_TO_VM_SG), - mock.call.add_rule( - 'ifake_dev', - '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule( 'ifake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN', comment=None), + mock.call.add_rule( + 'ifake_dev', + '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule('ifake_dev', '-j $sg-fallback', comment=None), mock.call.add_chain('ofake_dev'), @@ -1520,11 +1519,11 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=None), mock.call.add_rule( 'ofake_dev', - '-m state --state INVALID -j DROP', + '-m state --state RELATED,ESTABLISHED -j RETURN', comment=None), mock.call.add_rule( 'ofake_dev', - '-m state --state RELATED,ESTABLISHED -j RETURN', + '-m state --state INVALID -j DROP', comment=None), mock.call.add_rule('ofake_dev', '-j $sg-fallback', comment=None), diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py index 3b34ab0e0..7bf968388 100644 --- a/neutron/tests/unit/agent/test_securitygroups_rpc.py +++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py 
@@ -1772,13 +1772,13 @@ IPSET_FILTER_1 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_port1 -m set --match-set NIPv4security_group1 src -j \ RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -1792,9 +1792,9 @@ RETURN [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT 
@@ -1824,11 +1824,11 @@ IPTABLES_FILTER_1 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -1842,9 +1842,9 @@ IPTABLES_FILTER_1 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT 
@@ -1875,12 +1875,12 @@ IPTABLES_FILTER_1_2 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.4/32 -j RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -1894,9 +1894,9 @@ IPTABLES_FILTER_1_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT 
@@ -1931,13 +1931,13 @@ IPSET_FILTER_2 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-i_%(port1)s -[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -m set --match-set NIPv4security_group1 src -j \ RETURN +[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain 
@@ -1951,21 +1951,21 @@ RETURN [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-i_%(port2)s -[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -m set --match-set NIPv4security_group1 src -j \ RETURN +[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -1979,9 +1979,9 @@ RETURN [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT 
@@ -2014,7 +2014,6 @@ IPSET_FILTER_2_3 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-i_%(port1)s -[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ --dport 68 -j RETURN @@ -2022,6 +2021,7 @@ IPSET_FILTER_2_3 = """# Generated by iptables_manager [0:0] -A %(bn)s-i_%(port1)s -m set --match-set NIPv4security_group1 src -j \ RETURN [0:0] -A %(bn)s-i_%(port1)s -p icmp -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2035,15 +2035,14 @@ RETURN [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-i_%(port2)s -[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ --dport 68 -j RETURN 
@@ -2051,6 +2050,7 @@ RETURN [0:0] -A %(bn)s-i_%(port2)s -m set --match-set NIPv4security_group1 src -j \ RETURN [0:0] -A %(bn)s-i_%(port2)s -p icmp -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2064,9 +2064,9 @@ RETURN [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT @@ -2099,12 +2099,12 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-i_%(port1)s -[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain 
@@ -2118,20 +2118,20 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-i_%(port2)s -[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2145,9 +2145,9 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT 
@@ -2180,11 +2180,11 @@ IPTABLES_FILTER_2_2 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-i_%(port1)s -[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP """ % IPTABLES_ARG IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ @@ -2199,15 +2199,14 @@ IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-i_%(port2)s -[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ --dport 68 -j RETURN 
@@ -2216,7 +2215,9 @@ IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback IPTABLES_FILTER_2_2 += ("[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s " "-j RETURN\n" % IPTABLES_ARG) -IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback +IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port2)s -m state --state \ +INVALID -j DROP +[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ @@ -2229,9 +2230,9 @@ IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT 
@@ -2264,13 +2265,13 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-i_%(port1)s -[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p icmp -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain 
@@ -2284,21 +2285,21 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-i_%(port2)s -[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s -j RETURN [0:0] -A %(bn)s-i_%(port2)s -p icmp -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain 
@@ -2312,9 +2313,9 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT @@ -2371,8 +2372,8 @@ IPTABLES_FILTER_V6_1 = """# Generated by iptables_manager [0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 132 -j RETURN [0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 135 -j RETURN [0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 136 -j RETURN -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2384,8 +2385,8 @@ IPTABLES_FILTER_V6_1 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port1 -p icmpv6 -j RETURN [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 --dport 547 -j RETURN [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 --dport 546 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT 
@@ -2424,8 +2425,8 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 132 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 135 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 136 -j RETURN -[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2437,8 +2438,8 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_%(port1)s -p icmpv6 -j RETURN [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 546 --dport 547 -j RETURN [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 547 --dport 546 -j DROP -[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2449,8 +2450,8 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 132 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 135 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 136 -j RETURN -[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain 
@@ -2462,8 +2463,8 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_%(port2)s -p icmpv6 -j RETURN [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 546 --dport 547 -j RETURN [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 547 --dport 546 -j DROP -[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT