From: Kevin Benton Date: Mon, 5 Oct 2015 14:36:39 +0000 (-0700) Subject: Fix iptables modules references in rule generation X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=292bdff78b91320ea40739e1ceb01c3cb1a31cc8;p=openstack-build%2Fneutron-build.git Fix iptables modules references in rule generation The way we were generating rules with module references for TCP, UDP, and ICMP was not matching the output of iptables-save so all of the counters for those rules were being destroyed on each iptables reload. This patch corrects the generation so it's in line with iptables-save output. It uses the matching module name only when a specific port number or port range is specified. It also uses the full 'ipv6-icmp' protocol name that shows up in the output rather than 'icmpv6'. Closes-Bug: #1502924 Change-Id: I1bf9a85cd299a7618d29c72991612898c5437442 --- diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py index f6cc18987..02661b969 100644 --- a/neutron/agent/linux/iptables_firewall.py +++ b/neutron/agent/linux/iptables_firewall.py @@ -345,7 +345,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver): ipv4_sg_rules.append(rule) elif rule.get('ethertype') == constants.IPv6: if rule.get('protocol') == 'icmp': - rule['protocol'] = 'icmpv6' + rule['protocol'] = 'ipv6-icmp' ipv6_sg_rules.append(rule) return ipv4_sg_rules, ipv6_sg_rules 
@@ -384,15 +384,17 @@ class IptablesFirewallDriver(firewall.FirewallDriver): def _spoofing_rule(self, port, ipv4_rules, ipv6_rules): # Allow dhcp client packets - ipv4_rules += [comment_rule('-p udp -m udp --sport 68 --dport 67 ' + ipv4_rules += [comment_rule('-p udp -m udp --sport 68 ' + '-m udp --dport 67 ' '-j RETURN', comment=ic.DHCP_CLIENT)] # Drop Router Advts from the port. - ipv6_rules += [comment_rule('-p icmpv6 --icmpv6-type %s ' + ipv6_rules += [comment_rule('-p ipv6-icmp -m icmp6 --icmpv6-type %s ' '-j DROP' % constants.ICMPV6_TYPE_RA, comment=ic.IPV6_RA_DROP)] - ipv6_rules += [comment_rule('-p icmpv6 -j RETURN', + ipv6_rules += [comment_rule('-p ipv6-icmp -j RETURN', comment=ic.IPV6_ICMP_ALLOW)] - ipv6_rules += [comment_rule('-p udp -m udp --sport 546 --dport 547 ' + ipv6_rules += [comment_rule('-p udp -m udp --sport 546 ' + '-m udp --dport 547 ' '-j RETURN', comment=ic.DHCP_CLIENT)] mac_ipv4_pairs = [] mac_ipv6_pairs = [] @@ -418,9 +420,11 @@ class IptablesFirewallDriver(firewall.FirewallDriver): def _drop_dhcp_rule(self, ipv4_rules, ipv6_rules): #Note(nati) Drop dhcp packet from VM - ipv4_rules += [comment_rule('-p udp -m udp --sport 67 --dport 68 ' + ipv4_rules += [comment_rule('-p udp -m udp --sport 67 ' + '-m udp --dport 68 ' '-j DROP', comment=ic.DHCP_SPOOF)] - ipv6_rules += [comment_rule('-p udp -m udp --sport 547 --dport 546 ' + ipv6_rules += [comment_rule('-p udp -m udp --sport 547 ' + '-m udp --dport 546 ' '-j DROP', comment=ic.DHCP_SPOOF)] def _accept_inbound_icmpv6(self): @@ -428,8 +432,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver): # neighbor advertisement into the instance icmpv6_rules = [] for icmp6_type in constants.ICMPV6_ALLOWED_TYPES: - icmpv6_rules += ['-p icmpv6 --icmpv6-type %s -j RETURN' % - icmp6_type] + icmpv6_rules += ['-p ipv6-icmp -m icmp6 --icmpv6-type %s ' + '-j RETURN' % icmp6_type] return icmpv6_rules def _select_sg_rules_for_port(self, port, direction): 
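Review bot: The second `-m udp` in each of the four DHCP rules in `_spoofing_rule` and `_drop_dhcp_rule` reads as a redundant match, and nothing in the source says why it is there; only the commit message explains that the text must be identical to what iptables-save prints so counters survive a reload, and a later cleanup collapsing it back to one match would silently reintroduce the bug. Add a comment above the first rule in `_spoofing_rule`, e.g. `# keep one '-m udp' per port option: this is the form iptables-save` / `# prints, and a mismatch resets the rule counters on every reload`, and a one-line pointer to it in `_drop_dhcp_rule`. The `-m icmp6` added in `_accept_inbound_icmpv6` deserves the same remark. `_spoofing_rule` continues past the end of this hunk.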
@@ -594,32 +598,35 @@ class IptablesFirewallDriver(firewall.FirewallDriver): def _protocol_arg(self, protocol): if not protocol: return [] - + if protocol == 'icmpv6': + protocol = 'ipv6-icmp' iptables_rule = ['-p', protocol] - # iptables always adds '-m protocol' for udp and tcp - if protocol in ['udp', 'tcp']: - iptables_rule += ['-m', protocol] return iptables_rule def _port_arg(self, direction, protocol, port_range_min, port_range_max): - if (protocol not in ['udp', 'tcp', 'icmp', 'icmpv6'] + if (protocol not in ['udp', 'tcp', 'icmp', 'ipv6-icmp'] or port_range_min is None): return [] - if protocol in ['icmp', 'icmpv6']: + protocol_modules = {'udp': 'udp', 'tcp': 'tcp', + 'icmp': 'icmp', 'ipv6-icmp': 'icmp6'} + # iptables adds '-m protocol' when the port number is specified + args = ['-m', protocol_modules[protocol]] + + if protocol in ['icmp', 'ipv6-icmp']: + protocol_type = 'icmpv6' if protocol == 'ipv6-icmp' else 'icmp' # Note(xuhanp): port_range_min/port_range_max represent # icmp type/code when protocol is icmp or icmpv6 + args += ['--%s-type' % protocol_type, '%s' % port_range_min] # icmp code can be 0 so we cannot use "if port_range_max" here if port_range_max is not None: - return ['--%s-type' % protocol, - '%s/%s' % (port_range_min, port_range_max)] - return ['--%s-type' % protocol, '%s' % port_range_min] + args[-1] += '/%s' % port_range_max elif port_range_min == port_range_max: - return ['--%s' % direction, '%s' % (port_range_min,)] + args += ['--%s' % direction, '%s' % (port_range_min,)] else: - return ['-m', 'multiport', - '--%ss' % direction, - '%s:%s' % (port_range_min, port_range_max)] + args += ['-m', 'multiport', '--%ss' % direction, + '%s:%s' % (port_range_min, port_range_max)] + return args def _ip_prefix_arg(self, direction, ip_prefix): #NOTE (nati) : source_group_id is converted to list of source_ 
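Review bot: `_port_arg` drops the `'icmpv6'` spelling from its accepted list, so a rule that still carries it now takes the early `return []` and loses its `--icmpv6-type` restriction, while `_protocol_arg` in the same hunk explicitly maps `'icmpv6'` to `'ipv6-icmp'`, which implies callers can pass that spelling; the earlier hunk in this file only rewrites `'icmp'` for IPv6 rules. The effect is a widening rather than a failure: the generated rule would match every ICMPv6 type instead of the one the security group specified. Unless a caller normalizes the name before reaching here (not visible in this diff), apply the same mapping at the top of `_port_arg`, `if protocol == 'icmpv6':` / `    protocol = 'ipv6-icmp'`, or do the rename once where IPv6 rules are split out and remove it from `_protocol_arg` so the two helpers cannot drift apart again. As a style point, `protocol_modules` is rebuilt on every call and reads better as a module-level constant.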
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py index 3a857c9fb..a7d422b84 100644 --- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py +++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py @@ -158,13 +158,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=ic.PAIR_DROP), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 68 --dport 67 -j RETURN', + '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN', comment=None), mock.call.add_rule('ofake_dev', '-j $sfake_dev', comment=None), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 67 --dport 68 -j DROP', + '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP', comment=None), mock.call.add_rule( 'ofake_dev', @@ -204,7 +204,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'direction': 'ingress', 'protocol': 'tcp'} ingress = mock.call.add_rule( - 'ifake_dev', '-p tcp -m tcp -j RETURN', comment=None) + 'ifake_dev', '-p tcp -j RETURN', comment=None) egress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -215,7 +215,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'protocol': 'tcp', 'source_ip_prefix': prefix} ingress = mock.call.add_rule('ifake_dev', - '-s %s -p tcp -m tcp -j RETURN' % prefix, + '-s %s -p tcp -j RETURN' % prefix, comment=None) egress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -286,7 +286,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'direction': 'ingress', 'protocol': 'udp'} ingress = mock.call.add_rule( - 'ifake_dev', '-p udp -m udp -j RETURN', comment=None) + 'ifake_dev', '-p udp -j RETURN', comment=None) egress = None self._test_prepare_port_filter(rule, ingress, egress) 
@@ -297,7 +297,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'protocol': 'udp', 'source_ip_prefix': prefix} ingress = mock.call.add_rule('ifake_dev', - '-s %s -p udp -m udp -j RETURN' % prefix, + '-s %s -p udp -j RETURN' % prefix, comment=None) egress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -364,7 +364,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'direction': 'egress', 'protocol': 'tcp'} egress = mock.call.add_rule( - 'ofake_dev', '-p tcp -m tcp -j RETURN', comment=None) + 'ofake_dev', '-p tcp -j RETURN', comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -375,7 +375,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'protocol': 'tcp', 'source_ip_prefix': prefix} egress = mock.call.add_rule('ofake_dev', - '-s %s -p tcp -m tcp -j RETURN' % prefix, + '-s %s -p tcp -j RETURN' % prefix, comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -410,7 +410,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'source_ip_prefix': prefix} egress = mock.call.add_rule( 'ofake_dev', - '-s %s -p icmp --icmp-type 8 -j RETURN' % prefix, + '-s %s -p icmp -m icmp --icmp-type 8 -j RETURN' % prefix, comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -424,7 +424,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'source_ip_prefix': prefix} egress = mock.call.add_rule( 'ofake_dev', - '-s %s -p icmp --icmp-type echo-request -j RETURN' % prefix, + '-s %s -p icmp -m icmp --icmp-type echo-request ' + '-j RETURN' % prefix, comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) 
@@ -439,7 +440,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'source_ip_prefix': prefix} egress = mock.call.add_rule( 'ofake_dev', - '-s %s -p icmp --icmp-type 8/0 -j RETURN' % prefix, + '-s %s -p icmp -m icmp --icmp-type 8/0 -j RETURN' % prefix, comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -489,7 +490,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'direction': 'egress', 'protocol': 'udp'} egress = mock.call.add_rule( - 'ofake_dev', '-p udp -m udp -j RETURN', comment=None) + 'ofake_dev', '-p udp -j RETURN', comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -500,7 +501,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'protocol': 'udp', 'source_ip_prefix': prefix} egress = mock.call.add_rule('ofake_dev', - '-s %s -p udp -m udp -j RETURN' % prefix, + '-s %s -p udp -j RETURN' % prefix, comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -568,7 +569,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'direction': 'ingress', 'protocol': 'tcp'} ingress = mock.call.add_rule( - 'ifake_dev', '-p tcp -m tcp -j RETURN', comment=None) + 'ifake_dev', '-p tcp -j RETURN', comment=None) egress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -579,7 +580,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'protocol': 'tcp', 'source_ip_prefix': prefix} ingress = mock.call.add_rule('ifake_dev', - '-s %s -p tcp -m tcp -j RETURN' % prefix, + '-s %s -p tcp -j RETURN' % prefix, comment=None) egress = None self._test_prepare_port_filter(rule, ingress, egress) 
@@ -601,7 +602,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'direction': 'ingress', 'protocol': 'icmp'} ingress = mock.call.add_rule( - 'ifake_dev', '-p icmpv6 -j RETURN', comment=None) + 'ifake_dev', '-p ipv6-icmp -j RETURN', comment=None) egress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -612,7 +613,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'protocol': 'icmp', 'source_ip_prefix': prefix} ingress = mock.call.add_rule( - 'ifake_dev', '-s %s -p icmpv6 -j RETURN' % prefix, + 'ifake_dev', '-s %s -p ipv6-icmp -j RETURN' % prefix, comment=None) egress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -669,7 +670,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'direction': 'ingress', 'protocol': 'udp'} ingress = mock.call.add_rule( - 'ifake_dev', '-p udp -m udp -j RETURN', comment=None) + 'ifake_dev', '-p udp -j RETURN', comment=None) egress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -680,7 +681,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'protocol': 'udp', 'source_ip_prefix': prefix} ingress = mock.call.add_rule('ifake_dev', - '-s %s -p udp -m udp -j RETURN' % prefix, + '-s %s -p udp -j RETURN' % prefix, comment=None) egress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -747,7 +748,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'direction': 'egress', 'protocol': 'tcp'} egress = mock.call.add_rule( - 'ofake_dev', '-p tcp -m tcp -j RETURN', comment=None) + 'ofake_dev', '-p tcp -j RETURN', comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) 
@@ -758,7 +759,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'protocol': 'tcp', 'source_ip_prefix': prefix} egress = mock.call.add_rule('ofake_dev', - '-s %s -p tcp -m tcp -j RETURN' % prefix, + '-s %s -p tcp -j RETURN' % prefix, comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -768,7 +769,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'direction': 'egress', 'protocol': 'icmp'} egress = mock.call.add_rule( - 'ofake_dev', '-p icmpv6 -j RETURN', comment=None) + 'ofake_dev', '-p ipv6-icmp -j RETURN', comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -779,7 +780,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'protocol': 'icmp', 'source_ip_prefix': prefix} egress = mock.call.add_rule( - 'ofake_dev', '-s %s -p icmpv6 -j RETURN' % prefix, + 'ofake_dev', '-s %s -p ipv6-icmp -j RETURN' % prefix, comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -793,7 +794,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'source_ip_prefix': prefix} egress = mock.call.add_rule( 'ofake_dev', - '-s %s -p icmpv6 --icmpv6-type 8 -j RETURN' % prefix, + '-s %s -p ipv6-icmp -m icmp6 --icmpv6-type 8 -j RETURN' % prefix, comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -807,7 +808,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'source_ip_prefix': prefix} egress = mock.call.add_rule( 'ofake_dev', - '-s %s -p icmpv6 --icmpv6-type echo-request -j RETURN' % prefix, + '-s %s -p ipv6-icmp -m icmp6 --icmpv6-type echo-request ' + '-j RETURN' % prefix, comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) 
@@ -822,7 +824,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'source_ip_prefix': prefix} egress = mock.call.add_rule( 'ofake_dev', - '-s %s -p icmpv6 --icmpv6-type 8/0 -j RETURN' % prefix, + '-s %s -p ipv6-icmp -m icmp6 --icmpv6-type 8/0 -j RETURN' % prefix, comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -872,7 +874,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'direction': 'egress', 'protocol': 'udp'} egress = mock.call.add_rule( - 'ofake_dev', '-p udp -m udp -j RETURN', comment=None) + 'ofake_dev', '-p udp -j RETURN', comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -883,7 +885,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'protocol': 'udp', 'source_ip_prefix': prefix} egress = mock.call.add_rule('ofake_dev', - '-s %s -p udp -m udp -j RETURN' % prefix, + '-s %s -p udp -j RETURN' % prefix, comment=None) ingress = None self._test_prepare_port_filter(rule, ingress, egress) @@ -938,21 +940,22 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): filter_inst = self.v4filter_inst dhcp_rule = [mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 68 --dport 67 -j RETURN', + '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN', comment=None)] if ethertype == 'IPv6': filter_inst = self.v6filter_inst - dhcp_rule = [mock.call.add_rule('ofake_dev', '-p icmpv6 ' + dhcp_rule = [mock.call.add_rule('ofake_dev', '-p ipv6-icmp ' + '-m icmp6 ' '--icmpv6-type %s -j DROP' % constants.ICMPV6_TYPE_RA, comment=None), mock.call.add_rule('ofake_dev', - '-p icmpv6 -j RETURN', + '-p ipv6-icmp -j RETURN', comment=None), mock.call.add_rule('ofake_dev', '-p udp -m udp ' - '--sport 546 --dport 547 ' + '--sport 546 -m udp --dport 547 ' '-j RETURN', comment=None)] sg = [rule] port['security_group_rules'] = sg 
@@ -979,7 +982,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): for icmp6_type in constants.ICMPV6_ALLOWED_TYPES: calls.append( mock.call.add_rule('ifake_dev', - '-p icmpv6 --icmpv6-type %s -j RETURN' % + '-p ipv6-icmp -m icmp6 --icmpv6-type ' + '%s -j RETURN' % icmp6_type, comment=None)) calls += [ mock.call.add_rule( @@ -1025,12 +1029,12 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): if ethertype == 'IPv4': calls.append(mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 67 --dport 68 -j DROP', + '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP', comment=None)) if ethertype == 'IPv6': calls.append(mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 547 --dport 546 -j DROP', + '-p udp -m udp --sport 547 -m udp --dport 546 -j DROP', comment=None)) calls += [ @@ -1049,7 +1053,9 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): mock.call.add_rule('ofake_dev', '-j $sg-fallback', comment=None), mock.call.add_rule('sg-chain', '-j ACCEPT')] - + comb = zip(calls, filter_inst.mock_calls) + for (l, r) in comb: + self.assertEqual(l, r) filter_inst.assert_has_calls(calls) def _test_remove_conntrack_entries(self, ethertype, protocol, @@ -1189,13 +1195,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=ic.PAIR_DROP), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 68 --dport 67 -j RETURN', + '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN', comment=None), mock.call.add_rule('ofake_dev', '-j $sfake_dev', comment=None), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 67 --dport 68 -j DROP', + '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP', comment=None), mock.call.add_rule( 'ofake_dev', 
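Review bot: The `comb = zip(calls, filter_inst.mock_calls)` loop added ahead of `assert_has_calls` looks like a debugging aid that stayed in: `zip` stops at the shorter sequence, so a missing trailing call is never reported by it, and it compares from index 0, which is stricter than `assert_has_calls` (a contiguous subsequence anywhere) whenever the mock has recorded leading calls. If the goal is a clearer failure message and exact equality is what the helper expects, `self.assertEqual(calls, filter_inst.mock_calls)` states that directly and also catches length mismatches; otherwise the three lines should go. The enclosing test helper begins before this hunk.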
@@ -1261,13 +1267,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=ic.PAIR_DROP), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 68 --dport 67 -j RETURN', + '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN', comment=None), mock.call.add_rule('ofake_dev', '-j $sfake_dev', comment=None), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 67 --dport 68 -j DROP', + '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP', comment=None), mock.call.add_rule( 'ofake_dev', @@ -1436,13 +1442,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=ic.PAIR_DROP), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 68 --dport 67 -j RETURN', + '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN', comment=None), mock.call.add_rule('ofake_dev', '-j $sfake_dev', comment=None), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 67 --dport 68 -j DROP', + '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP', comment=None), mock.call.add_rule( 'ofake_dev', @@ -1510,13 +1516,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=ic.PAIR_DROP), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 68 --dport 67 -j RETURN', + '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN', comment=None), mock.call.add_rule('ofake_dev', '-j $sfake_dev', comment=None), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 67 --dport 68 -j DROP', + '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP', comment=None), mock.call.add_rule( 'ofake_dev', diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py index 668071c8e..a5a5de405 100644 --- a/neutron/tests/unit/agent/test_securitygroups_rpc.py +++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py 
@@ -1773,8 +1773,8 @@ IPSET_FILTER_1 = """# Generated by iptables_manager
 [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
 %(physdev_is_bridged)s -j %(bn)s-i_port1
 [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \
--j RETURN
+[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp \
+--dport 68 -j RETURN
 [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN
 [0:0] -A %(bn)s-i_port1 -m set --match-set NIPv4security_group1 src -j \
 RETURN
@@ -1789,9 +1789,10 @@ RETURN
 [0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
 -j RETURN
 [0:0] -A %(bn)s-s_port1 -j DROP
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
 [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
 [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-o_port1 -j RETURN
 [0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
@@ -1825,8 +1826,8 @@ IPTABLES_FILTER_1 = """# Generated by iptables_manager
 [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
 %(physdev_is_bridged)s -j %(bn)s-i_port1
 [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \
--j RETURN
+[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp \
+--dport 68 -j RETURN
 [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN
 [0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
@@ -1839,9 +1840,10 @@ IPTABLES_FILTER_1 = """# Generated by iptables_manager [0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \ -j RETURN [0:0] -A %(bn)s-s_port1 -j DROP -[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 -m udp --dport 67 \ +-j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 -[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN [0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP @@ -1876,8 +1878,8 @@ IPTABLES_FILTER_1_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-i_port1 [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ --j RETURN +[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 -m udp \ +--dport 68 -j RETURN [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.4/32 -j RETURN [0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP 
@@ -1891,9 +1893,10 @@ IPTABLES_FILTER_1_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \ -j RETURN [0:0] -A %(bn)s-s_port1 -j DROP -[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 -m udp --dport 67 \ +-j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 -[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN [0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP @@ -1933,7 +1936,7 @@ IPSET_FILTER_2 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-i_%(port1)s [0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ ---dport 68 -j RETURN +-m udp --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -m set --match-set NIPv4security_group1 src -j \ RETURN @@ -1948,9 +1951,10 @@ RETURN [0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \ -j RETURN [0:0] -A %(bn)s-s_%(port1)s -j DROP -[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \ +-j RETURN [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s -[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP [0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j RETURN [0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP 
@@ -1961,7 +1965,7 @@ RETURN %(physdev_is_bridged)s -j %(bn)s-i_%(port2)s [0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ ---dport 68 -j RETURN +-m udp --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -m set --match-set NIPv4security_group1 src -j \ RETURN @@ -1976,9 +1980,10 @@ RETURN [0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \ -j RETURN [0:0] -A %(bn)s-s_%(port2)s -j DROP -[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \ +-j RETURN [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s -[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP [0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j RETURN [0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP @@ -2016,7 +2021,7 @@ IPSET_FILTER_2_3 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-i_%(port1)s [0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ ---dport 68 -j RETURN +-m udp --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -m set --match-set NIPv4security_group1 src -j \ RETURN 
@@ -2032,9 +2037,10 @@ RETURN [0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \ -j RETURN [0:0] -A %(bn)s-s_%(port1)s -j DROP -[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \ +-j RETURN [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s -[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP [0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j RETURN [0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP @@ -2045,7 +2051,7 @@ RETURN %(physdev_is_bridged)s -j %(bn)s-i_%(port2)s [0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ ---dport 68 -j RETURN +-m udp --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -m set --match-set NIPv4security_group1 src -j \ RETURN @@ -2061,9 +2067,10 @@ RETURN [0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \ -j RETURN [0:0] -A %(bn)s-s_%(port2)s -j DROP -[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \ +-j RETURN [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s -[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP [0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j RETURN [0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP 
@@ -2101,7 +2108,7 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-i_%(port1)s [0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ ---dport 68 -j RETURN +-m udp --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s -j RETURN [0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP @@ -2115,9 +2122,10 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \ -j RETURN [0:0] -A %(bn)s-s_%(port1)s -j DROP -[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \ +-j RETURN [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s -[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP [0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j RETURN [0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP @@ -2128,7 +2136,7 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-i_%(port2)s [0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ ---dport 68 -j RETURN +-m udp --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s -j RETURN [0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP 
@@ -2142,9 +2150,10 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \ -j RETURN [0:0] -A %(bn)s-s_%(port2)s -j DROP -[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \ +-j RETURN [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s -[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP [0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j RETURN [0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP @@ -2182,7 +2191,7 @@ IPTABLES_FILTER_2_2 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-i_%(port1)s [0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ ---dport 68 -j RETURN +-m udp --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP """ % IPTABLES_ARG @@ -2196,9 +2205,10 @@ IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \ -j RETURN [0:0] -A %(bn)s-s_%(port1)s -j DROP -[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \ +-j RETURN [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s -[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP [0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port1)s -j RETURN [0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP 
@@ -2209,7 +2219,7 @@ IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback %(physdev_is_bridged)s -j %(bn)s-i_%(port2)s [0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ ---dport 68 -j RETURN +-m udp --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN """ % IPTABLES_ARG IPTABLES_FILTER_2_2 += ("[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s " @@ -2227,9 +2237,10 @@ INVALID -j DROP [0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \ -j RETURN [0:0] -A %(bn)s-s_%(port2)s -j DROP -[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \ +-j RETURN [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s -[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP [0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_%(port2)s -j RETURN [0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP @@ -2267,7 +2278,7 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-i_%(port1)s [0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ ---dport 68 -j RETURN +-m udp --dport 68 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s -j RETURN [0:0] -A %(bn)s-i_%(port1)s -p icmp -j RETURN 
@@ -2282,9 +2293,10 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager
 [0:0] -A %(bn)s-s_%(port1)s -s %(ip1)s -m mac --mac-source %(mac1)s \
 -j RETURN
 [0:0] -A %(bn)s-s_%(port1)s -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
 [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
 [0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-o_%(port1)s -j RETURN
 [0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
@@ -2295,7 +2307,7 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager
 %(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
 [0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
---dport 68 -j RETURN
+-m udp --dport 68 -j RETURN
 [0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
 [0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s -j RETURN
 [0:0] -A %(bn)s-i_%(port2)s -p icmp -j RETURN
@@ -2310,9 +2322,10 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager
 [0:0] -A %(bn)s-s_%(port2)s -s %(ip2)s -m mac --mac-source %(mac2)s \
 -j RETURN
 [0:0] -A %(bn)s-s_%(port2)s -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 -m udp --dport 67 \
+-j RETURN
 [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
 [0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-o_%(port2)s -j RETURN
 [0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
@@ -2368,11 +2381,11 @@ IPTABLES_FILTER_V6_1 = """# Generated by iptables_manager
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
 [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
 %(physdev_is_bridged)s -j %(bn)s-i_port1
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 130 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 131 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 132 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 135 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 136 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
 [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
@@ -2382,10 +2395,10 @@ IPTABLES_FILTER_V6_1 = """# Generated by iptables_manager
 %(physdev_is_bridged)s -j %(bn)s-o_port1
 [0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
 %(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-o_port1 -p icmpv6 --icmpv6-type 134 -j DROP
-[0:0] -A %(bn)s-o_port1 -p icmpv6 -j RETURN
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 --dport 547 -j RETURN
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 --dport 546 -j DROP
+[0:0] -A %(bn)s-o_port1 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+[0:0] -A %(bn)s-o_port1 -p ipv6-icmp -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 -m udp --dport 547 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 -m udp --dport 546 -j DROP
 [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback
@@ -2421,11 +2434,11 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
 [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
-[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 130 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 131 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 132 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 135 -j RETURN
-[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 136 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
 [0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
@@ -2435,10 +2448,12 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
 %(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
 [0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
-[0:0] -A %(bn)s-o_%(port1)s -p icmpv6 --icmpv6-type 134 -j DROP
-[0:0] -A %(bn)s-o_%(port1)s -p icmpv6 -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 546 --dport 547 -j RETURN
-[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 547 --dport 546 -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -p ipv6-icmp -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 546 -m udp --dport 547 \
+-j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 547 -m udp --dport 546 \
+-j DROP
 [0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback
@@ -2446,11 +2461,11 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
 [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
 %(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
-[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 130 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 131 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 132 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 135 -j RETURN
-[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 136 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
 [0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
@@ -2460,10 +2475,12 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
 %(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
 [0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
 %(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
-[0:0] -A %(bn)s-o_%(port2)s -p icmpv6 --icmpv6-type 134 -j DROP
-[0:0] -A %(bn)s-o_%(port2)s -p icmpv6 -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 546 --dport 547 -j RETURN
-[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 547 --dport 546 -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -p ipv6-icmp -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 546 -m udp --dport 547 \
+-j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 547 -m udp --dport 546 \
+-j DROP
 [0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback