From d8ee3055eeffb8779caf2fb355ab4b84d5b280db Mon Sep 17 00:00:00 2001
From: John Davidge
Date: Wed, 22 Oct 2014 02:28:52 -0700
Subject: [PATCH] Fix PYTHONHASHSEED bugs in test_security_groups_rpc

This fixes the test_security_groups_rpc unit test that breaks with a randomized PYTHONHASHSEED (see the bug report). The test assumed that several Dicts had elements in a particular order. Found with PYTHONHASHSEED=2701526934.

The fix refactors the test case by using an OrderedDict instead of a Dict. Or in the case of the regex strings, injecting different values depending on the order of the devices2 and devices3 Dicts.

An upstream spelling mistake is also addressed in this patch.

Partial-bug: #1348818

Note: There are several other unrelated unit tests that also break with a randomized PYTHONHASHSEED, but they are not addressed here. They will be addressed in separate patches.

Change-Id: I744117edfc5869b0750349a89f2792f622e4285d
---
 .../tests/unit/test_security_groups_rpc.py | 620 +++++++++---------
 1 file changed, 327 insertions(+), 293 deletions(-)

diff --git a/neutron/tests/unit/test_security_groups_rpc.py b/neutron/tests/unit/test_security_groups_rpc.py
index 1c0041537..90e1987b2 100644
--- a/neutron/tests/unit/test_security_groups_rpc.py
+++ b/neutron/tests/unit/test_security_groups_rpc.py
@@ -15,6 +15,7 @@ import contextlib
+import collections
 import mock
 from oslo.config import cfg
 from oslo import messaging
@@ -38,6 +39,11 @@ from neutron import manager
 from neutron.tests import base
 from neutron.tests.unit import test_extension_security_group as test_sg
+try:
+    OrderedDict = collections.OrderedDict
+except AttributeError:
+    import ordereddict
+    OrderedDict = ordereddict.OrderedDict
 FAKE_PREFIX = {const.IPv4: '10.0.0.0/24',
                const.IPv6: '2001:db8::/64'}
@@ -47,7 +53,6 @@ FAKE_IP = {const.IPv4: '10.0.0.1',
            'IPv6_LLA': 'fe80::123',
            'IPv6_DHCP': '2001:db8::3'}
-
 TEST_PLUGIN_CLASS = ('neutron.tests.unit.test_security_groups_rpc.'
                      'SecurityGroupRpcTestPlugin')
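Review bot: `import collections` is added after `import contextlib`, which leaves the stdlib import group out of alphabetical order (`collections` sorts before `contextlib`) and will likely be flagged by the project's hacking import-order check (H306); move it up one line so the group reads `import collections` / `import contextlib`. The `try`/`except AttributeError` fallback to the `ordereddict` backport only matters if Python 2.6 is still a test target: if it is, `ordereddict` has to be listed in test-requirements, and if it is not, the fallback is dead code and a plain `from collections import OrderedDict` is clearer. Either way a one-line comment above the `try` naming the interpreter the fallback exists for, e.g. `# collections.OrderedDict is 2.7+; fall back to the backport on 2.6`, would save the next reader the same question.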
@@ -226,7 +231,7 @@ class SGServerRpcCallBackTestCase(test_sg.SecurityGroupDBTestCase):
         plugin_obj = manager.NeutronManager.get_plugin()
         if ('allowed-address-pairs'
             not in plugin_obj.supported_extension_aliases):
-            self.skipTest("Test depeneds on allowed-address-pairs extension")
+            self.skipTest("Test depends on allowed-address-pairs extension")
         fake_prefix = FAKE_PREFIX['IPv4']
         with self.network() as n:
             with contextlib.nested(self.subnet(n),
@@ -1160,9 +1165,10 @@ class SecurityGroupAgentEnhancedRpcTestCase(
         super(SecurityGroupAgentEnhancedRpcTestCase, self).setUp(
             defer_refresh_firewall=defer_refresh_firewall)
         fake_sg_info = {
-            'security_groups': {
-                'fake_sgid1': [
-                    {'remote_group_id': 'fake_sgid2'}], 'fake_sgid2': []},
+            'security_groups':
+            OrderedDict([
+                ('fake_sgid2', []),
+                ('fake_sgid1', [{'remote_group_id': 'fake_sgid2'}])]),
             'sg_member_ips': {'fake_sgid2': {'IPv4': [], 'IPv6': []}},
             'devices': self.firewall.ports}
         self.agent.plugin_rpc.security_group_info_for_devices.return_value = (
@@ -1171,7 +1177,7 @@ class SecurityGroupAgentEnhancedRpcTestCase(
     def test_prepare_and_remove_devices_filter_enhanced_rpc(self):
         self.agent.prepare_devices_filter(['fake_device'])
         self.agent.remove_devices_filter(['fake_device'])
-        # these two mock are too log, just use tmp_mock to replace them
+        # these two mocks are too long, just use tmp_mock to replace them
         tmp_mock1 = mock.call.update_security_group_rules(
             'fake_sgid1', [{'remote_group_id': 'fake_sgid2'}])
         tmp_mock2 = mock.call.update_security_group_members(
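Review bot: The `OrderedDict` in `fake_sg_info` pins `fake_sgid2` ahead of `fake_sgid1`, so the test now asserts a specific order of `update_security_group_rules` / `update_security_group_members` calls that is a by-product of how the agent iterates the `security_groups` mapping, not part of the RPC contract. The assertion itself lies outside this hunk, but if it is an `assert_has_calls`, passing `any_order=True` would make the test seed-independent without having to fix the mapping order at all. If the order is meant to be asserted, say so at the literal, e.g. `# OrderedDict: test_prepare_and_remove_devices_filter_enhanced_rpc asserts the call order derived from this mapping`, so nobody "simplifies" it back to a dict. `setUp` continues past the end of this hunk.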
@@ -1550,6 +1556,20 @@ IPTABLES_ARG = {'bn': iptables_manager.binary_name,
                 'physdev_is_bridged': PHYSDEV_IS_BRIDGED}
 CHAINS_NAT = 'OUTPUT|POSTROUTING|PREROUTING|float-snat|snat'
+
+# These Dicts use the same keys as devices2 and devices3 in
+# TestSecurityGroupAgentWithIptables() to ensure that the ordering
+# is consistent regardless of hashseed value
+PORTS = {'tap_port1': 'port1', 'tap_port2': 'port2'}
+MACS = {'tap_port1': '12:34:56:78:9a:bc', 'tap_port2': '12:34:56:78:9a:bd'}
+IPS = {'tap_port1': '10.0.0.3/32', 'tap_port2': '10.0.0.4/32'}
+
+IPTABLES_ARG['port1'] = PORTS.values()[0]
+IPTABLES_ARG['port2'] = PORTS.values()[1]
+IPTABLES_ARG['mac1'] = MACS.values()[0]
+IPTABLES_ARG['mac2'] = MACS.values()[1]
+IPTABLES_ARG['ip1'] = IPS.values()[0]
+IPTABLES_ARG['ip2'] = IPS.values()[1]
 IPTABLES_ARG['chains'] = CHAINS_NAT
 IPTABLES_NAT = """# Generated by iptables_manager
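Review bot: The `port1`/`mac1`/`ip1` trio that feeds the anti-spoofing rule `-m mac --mac-source %(mac1)s -s %(ip1)s` in the expected tables is assembled from three separate dicts by position (`PORTS.values()[0]`, `MACS.values()[0]`, `IPS.values()[0]`), so the MAC/IP pairing is right only because CPython happens to iterate distinct dicts with the same two keys in the same order under one seed; the comment asserts the ordering but does not name that assumption. `dict.values()[0]` is also Python 2-only, since a values view is not subscriptable on Python 3. Taking the key order once and indexing the other dicts by tap name makes the pairing explicit and keeps one assumption (that `devices2`/`devices3` iterate like `PORTS`) instead of three; rewritten lines below.
```python
# Take the device order from one dict so port/mac/ip "1" always describe
# the same tap device; this still relies on the devices2/devices3 dicts in
# TestSecurityGroupAgentWithIptables iterating in the same order as PORTS.
_DEVICE_ORDER = list(PORTS)
for _idx, _tap in enumerate(_DEVICE_ORDER, 1):
    IPTABLES_ARG['port%d' % _idx] = PORTS[_tap]
    IPTABLES_ARG['mac%d' % _idx] = MACS[_tap]
    IPTABLES_ARG['ip%d' % _idx] = IPS[_tap]
IPTABLES_ARG['chains'] = CHAINS_NAT
```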
@@ -1764,62 +1784,62 @@ IPSET_FILTER_2 = """# Generated by iptables_manager [0:0] -A OUTPUT -j %(bn)s-OUTPUT [0:0] -A FORWARD -j %(bn)s-FORWARD [0:0] -A %(bn)s-sg-fallback -j DROP -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port1 \ +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ -%(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ --j RETURN -[0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN -[0:0] -A %(bn)s-i_port1 -m set --match-set IPv4security_group1 src -j \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s +[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -m set --match-set IPv4security_group1 src -j \ RETURN -[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ +[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port1 \ -%(physdev_is_bridged)s -j %(bn)s-o_port1 -[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \ -%(physdev_is_bridged)s -j %(bn)s-o_port1 -[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 10.0.0.3/32 \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ 
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +[0:0] -A %(bn)s-s_%(port1)s -m mac --mac-source %(mac1)s -s %(ip1)s \ -j RETURN -[0:0] -A %(bn)s-s_port1 -j DROP -[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN -[0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 -[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-o_port1 -j RETURN -[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port2 \ +[0:0] -A %(bn)s-s_%(port1)s -j DROP +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \ -%(physdev_is_bridged)s -j %(bn)s-i_port2 -[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-i_port2 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ --j RETURN -[0:0] -A %(bn)s-i_port2 -p tcp -m tcp --dport 22 -j RETURN -[0:0] -A %(bn)s-i_port2 -m set --match-set IPv4security_group1 src -j \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s +[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP +[0:0] -A 
%(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -m set --match-set IPv4security_group1 src -j \ RETURN -[0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port2 \ +[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port2 \ -%(physdev_is_bridged)s -j %(bn)s-o_port2 -[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \ -%(physdev_is_bridged)s -j %(bn)s-o_port2 -[0:0] -A %(bn)s-s_port2 -m mac --mac-source 12:34:56:78:9a:bd -s 10.0.0.4/32 \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +[0:0] -A %(bn)s-s_%(port2)s -m mac --mac-source %(mac2)s -s %(ip2)s \ -j RETURN -[0:0] -A %(bn)s-s_port2 -j DROP -[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN -[0:0] -A %(bn)s-o_port2 -j %(bn)s-s_port2 -[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-o_port2 -j RETURN -[0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-s_%(port2)s -j DROP +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-o_%(port2)s -m state --state 
RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT # Completed by iptables_manager 
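Review bot: The per-port block (the FORWARD/sg-chain jumps and the `i_`, `s_` and `o_` chains) is written out twice in this table with only `port`, `mac` and `ip` swapped, and the same pair recurs in every other expected table in this file, so a future change to the rule layout has to be applied in about ten places by hand. Now that the literals are already routed through `IPTABLES_ARG`, a small helper that renders one port's block from `(port, mac, ip)` plus the per-table extra rules (`-s <other ip> -j RETURN`, `-p icmp -j RETURN`) would leave a single copy of the layout; if the maintainers prefer verbatim iptables-save style tables, a one-line comment at the top of each table naming what differs from the previous one would at least help reviewers. The `IPSET_FILTER_2` assignment begins before this hunk.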
@@ -1847,64 +1867,64 @@ IPSET_FILTER_2_3 = """# Generated by iptables_manager [0:0] -A OUTPUT -j %(bn)s-OUTPUT [0:0] -A FORWARD -j %(bn)s-FORWARD [0:0] -A %(bn)s-sg-fallback -j DROP -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port1 \ +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ -%(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ --j RETURN -[0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN -[0:0] -A %(bn)s-i_port1 -m set --match-set IPv4security_group1 src -j \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s +[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -m set --match-set IPv4security_group1 src -j \ RETURN -[0:0] -A %(bn)s-i_port1 -p icmp -j RETURN -[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ +[0:0] -A %(bn)s-i_%(port1)s -p icmp -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port1 \ -%(physdev_is_bridged)s -j %(bn)s-o_port1 -[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \ -%(physdev_is_bridged)s -j %(bn)s-o_port1 -[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 
10.0.0.3/32 \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +[0:0] -A %(bn)s-s_%(port1)s -m mac --mac-source %(mac1)s -s %(ip1)s \ -j RETURN -[0:0] -A %(bn)s-s_port1 -j DROP -[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN -[0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 -[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-o_port1 -j RETURN -[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port2 \ +[0:0] -A %(bn)s-s_%(port1)s -j DROP +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \ -%(physdev_is_bridged)s -j %(bn)s-i_port2 -[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-i_port2 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ --j RETURN -[0:0] -A %(bn)s-i_port2 -p tcp -m tcp --dport 22 -j RETURN -[0:0] -A %(bn)s-i_port2 -m set --match-set IPv4security_group1 src -j \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j 
%(bn)s-i_%(port2)s +[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -m set --match-set IPv4security_group1 src -j \ RETURN -[0:0] -A %(bn)s-i_port2 -p icmp -j RETURN -[0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port2 \ +[0:0] -A %(bn)s-i_%(port2)s -p icmp -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port2 \ -%(physdev_is_bridged)s -j %(bn)s-o_port2 -[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \ -%(physdev_is_bridged)s -j %(bn)s-o_port2 -[0:0] -A %(bn)s-s_port2 -m mac --mac-source 12:34:56:78:9a:bd -s 10.0.0.4/32 \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +[0:0] -A %(bn)s-s_%(port2)s -m mac --mac-source %(mac2)s -s %(ip2)s \ -j RETURN -[0:0] -A %(bn)s-s_port2 -j DROP -[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN -[0:0] -A %(bn)s-o_port2 -j %(bn)s-s_port2 -[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-o_port2 -j RETURN -[0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-s_%(port2)s -j DROP +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s +[0:0] -A 
%(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT # Completed by iptables_manager 
@@ -1932,65 +1952,70 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager [0:0] -A OUTPUT -j %(bn)s-OUTPUT [0:0] -A FORWARD -j %(bn)s-FORWARD [0:0] -A %(bn)s-sg-fallback -j DROP -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port1 \ +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ -%(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ --j RETURN -[0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN -[0:0] -A %(bn)s-i_port1 -s 10.0.0.4/32 -j RETURN -[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s +[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port1 \ -%(physdev_is_bridged)s -j %(bn)s-o_port1 -[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \ -%(physdev_is_bridged)s -j %(bn)s-o_port1 -[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 10.0.0.3/32 \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +[0:0] -A 
%(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +[0:0] -A %(bn)s-s_%(port1)s -m mac --mac-source %(mac1)s -s %(ip1)s \ -j RETURN -[0:0] -A %(bn)s-s_port1 -j DROP -[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN -[0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 -[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-o_port1 -j RETURN -[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port2 \ +[0:0] -A %(bn)s-s_%(port1)s -j DROP +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \ -%(physdev_is_bridged)s -j %(bn)s-i_port2 -[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-i_port2 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ --j RETURN -[0:0] -A %(bn)s-i_port2 -p tcp -m tcp --dport 22 -j RETURN -[0:0] -A %(bn)s-i_port2 -s 10.0.0.3/32 -j RETURN -[0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port2 \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s +[0:0] -A %(bn)s-i_%(port2)s -m state --state 
INVALID -j DROP +[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port2 \ -%(physdev_is_bridged)s -j %(bn)s-o_port2 -[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \ -%(physdev_is_bridged)s -j %(bn)s-o_port2 -[0:0] -A %(bn)s-s_port2 -m mac --mac-source 12:34:56:78:9a:bd -s 10.0.0.4/32 \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +[0:0] -A %(bn)s-s_%(port2)s -m mac --mac-source %(mac2)s -s %(ip2)s \ -j RETURN -[0:0] -A %(bn)s-s_port2 -j DROP -[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN -[0:0] -A %(bn)s-o_port2 -j %(bn)s-s_port2 -[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-o_port2 -j RETURN -[0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-s_%(port2)s -j DROP +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback [0:0] -A 
%(bn)s-sg-chain -j ACCEPT COMMIT # Completed by iptables_manager """ % IPTABLES_ARG +# These Dicts use the same keys as devices2 and devices3 in +# TestSecurityGroupAgentWithIptables() to ensure that the ordering +# is consistent regardless of hashseed value +REVERSE_PORT_ORDER = {'tap_port1': False, 'tap_port2': True} + IPTABLES_FILTER_2_2 = """# Generated by iptables_manager *filter :neutron-filter-top - [0:0] 
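Review bot: `REVERSE_PORT_ORDER` is a third dict whose iteration order must also agree with `devices2`/`devices3`, and neither the copied comment (`These Dicts` above a single dict) nor the name says what `True` on `tap_port2` means; from its later use it flags that `tap_port2` is the first device visited. Deriving the flag from the one dict already used for ordering removes the extra assumption and documents it: `# True when the devices dicts iterate tap_port2 before tap_port1 under this hash seed` / `PORT2_FIRST = list(PORTS)[0] == 'tap_port2'`. The `IPTABLES_FILTER_2_2` assignment that consumes the flag starts at the end of this hunk and continues beyond it.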
@@ -2013,59 +2038,68 @@ IPTABLES_FILTER_2_2 = """# Generated by iptables_manager [0:0] -A OUTPUT -j %(bn)s-OUTPUT [0:0] -A FORWARD -j %(bn)s-FORWARD [0:0] -A %(bn)s-sg-fallback -j DROP -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port1 \ +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ -%(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ --j RETURN -[0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN -[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s +[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN +""" % IPTABLES_ARG +if (REVERSE_PORT_ORDER.values()[0] is True): + IPTABLES_FILTER_2_2 += ("[0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s " + "-j RETURN\n" + % IPTABLES_ARG) +IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port1 \ -%(physdev_is_bridged)s -j %(bn)s-o_port1 -[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \ -%(physdev_is_bridged)s -j %(bn)s-o_port1 -[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 10.0.0.3/32 \ +[0:0] -A %(bn)s-sg-chain 
%(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +[0:0] -A %(bn)s-s_%(port1)s -m mac --mac-source %(mac1)s -s %(ip1)s \ -j RETURN -[0:0] -A %(bn)s-s_port1 -j DROP -[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN -[0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 -[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-o_port1 -j RETURN -[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port2 \ +[0:0] -A %(bn)s-s_%(port1)s -j DROP +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s +[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP +[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -j RETURN +[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \ -%(physdev_is_bridged)s -j %(bn)s-i_port2 -[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-i_port2 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ --j RETURN -[0:0] -A %(bn)s-i_port2 -p tcp -m tcp --dport 22 -j RETURN -[0:0] -A %(bn)s-i_port2 -s 10.0.0.3/32 -j RETURN -[0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback -[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port2 \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS 
tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s +[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN +""" % IPTABLES_ARG +if (REVERSE_PORT_ORDER.values()[0] is False): + IPTABLES_FILTER_2_2 += ("[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s " + "-j RETURN\n" + % IPTABLES_ARG) +IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port2 \ -%(physdev_is_bridged)s -j %(bn)s-o_port2 -[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \ -%(physdev_is_bridged)s -j %(bn)s-o_port2 -[0:0] -A %(bn)s-s_port2 -m mac --mac-source 12:34:56:78:9a:bd -s 10.0.0.4/32 \ +[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +[0:0] -A %(bn)s-s_%(port2)s -m mac --mac-source %(mac2)s -s %(ip2)s \ -j RETURN -[0:0] -A %(bn)s-s_port2 -j DROP -[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN -[0:0] -A %(bn)s-o_port2 -j %(bn)s-s_port2 -[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN -[0:0] -A %(bn)s-o_port2 -j RETURN -[0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback +[0:0] -A %(bn)s-s_%(port2)s -j DROP +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s +[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 
-j DROP +[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP +[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -j RETURN +[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT # Completed by iptables_manager 
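Review bot: Building `IPTABLES_FILTER_2_2` conditionally means that under any one hash seed only one placement of the `-s <peer ip> -j RETURN` rule is ever compared, so a regression that drops or misplaces that rule in the branch not taken stays invisible until CI happens to land on the other seed; that rule is the one that lets the peer port's address through (RETURN ahead of the `sg-fallback` DROP), i.e. the security-relevant part of the table. A more robust fix is to make the iteration order of `devices2`/`devices3` (defined outside this hunk, in `TestSecurityGroupAgentWithIptables`) deterministic, e.g. with `OrderedDict`, and keep a single fixed expected string. Failing that, the two `if (REVERSE_PORT_ORDER.values()[0] is True):` / `is False` tests should use plain truthiness (`if REVERSE_PORT_ORDER.values()[0]:` / `if not REVERSE_PORT_ORDER.values()[0]:`) and carry a comment such as `# the peer-IP rule lands on whichever port the firewall processes second`. The `IPTABLES_FILTER_2_2` assignment begins before this hunk.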
@@ -2093,62 +2127,62 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager
 [0:0] -A OUTPUT -j %(bn)s-OUTPUT
 [0:0] -A FORWARD -j %(bn)s-FORWARD
 [0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port1 \
+[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-i_port1
-[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \
--j RETURN
-[0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_port1 -s 10.0.0.4/32 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmp -j RETURN
-[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \
+[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP
+[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p icmp -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
+[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 10.0.0.3/32 \
+[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+[0:0] -A %(bn)s-s_%(port1)s -m mac --mac-source %(mac1)s -s %(ip1)s \
 -j RETURN
-[0:0] -A %(bn)s-s_port1 -j DROP
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
-[0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP
-[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_port1 -j RETURN
-[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port2 \
+[0:0] -A %(bn)s-s_%(port1)s -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-s_%(port1)s
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback
+[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \
-%(physdev_is_bridged)s -j %(bn)s-i_port2
-[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port2 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \
--j RETURN
-[0:0] -A %(bn)s-i_port2 -p tcp -m tcp --dport 22 -j RETURN
-[0:0] -A %(bn)s-i_port2 -s 10.0.0.3/32 -j RETURN
-[0:0] -A %(bn)s-i_port2 -p icmp -j RETURN
-[0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port2 \
+[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP
+[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
+--dport 68 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p icmp -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
+[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port2 \
-%(physdev_is_bridged)s -j %(bn)s-o_port2
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \
-%(physdev_is_bridged)s -j %(bn)s-o_port2
-[0:0] -A %(bn)s-s_port2 -m mac --mac-source 12:34:56:78:9a:bd -s 10.0.0.4/32 \
+[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+[0:0] -A %(bn)s-s_%(port2)s -m mac --mac-source %(mac2)s -s %(ip2)s \
 -j RETURN
-[0:0] -A %(bn)s-s_port2 -j DROP
-[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN
-[0:0] -A %(bn)s-o_port2 -j %(bn)s-s_port2
-[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 67 --dport 68 -j DROP
-[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_port2 -j RETURN
-[0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback
+[0:0] -A %(bn)s-s_%(port2)s -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 68 --dport 67 -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-s_%(port2)s
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 67 --dport 68 -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback
 [0:0] -A %(bn)s-sg-chain -j ACCEPT
 COMMIT
 # Completed by iptables_manager
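Review bot: The new template parameterizes the per-device values as `%(ip1)s`/`%(ip2)s` and `%(mac1)s`/`%(mac2)s` but leaves `10.0.0.2/32` literal in the two `--sport 67 --dport 68` rules, so a reader cannot tell from the template which addresses are meant to follow device order and which are fixed fixture data; the `IPTABLES_FILTER_2_3 = """` assignment itself starts outside this hunk. A short comment above that assignment would settle it, e.g. `# port1/ip1/mac1 and port2/ip2/mac2 are filled from IPTABLES_ARG; 10.0.0.2 is the DHCP server address and does not depend on device order` — the DHCP-address part is my inference from the `--sport 67` match, so confirm it against the fixture before writing it. The same comment should say that the `-s_%(port1)s -m mac --mac-source %(mac1)s -s %(ip1)s` rule is still pinned to a concrete per-port MAC/IP pair by IPTABLES_ARG, because that rule is the assertion guarding the egress anti-spoofing behaviour of the security-group firewall and IPTABLES_ARG is not visible in this hunk.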
@@ -2247,54 +2281,54 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
 [0:0] -A OUTPUT -j %(bn)s-OUTPUT
 [0:0] -A FORWARD -j %(bn)s-FORWARD
 [0:0] -A %(bn)s-sg-fallback -j DROP
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port1 \
+[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-i_port1
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 130 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 131 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 132 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 135 -j RETURN
-[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 136 -j RETURN
-[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \
+[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s
+[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 130 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 131 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 132 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 135 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -p icmpv6 --icmpv6-type 136 -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -m state --state INVALID -j DROP
+[0:0] -A %(bn)s-i_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
+[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
+[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
-%(physdev_is_bridged)s -j %(bn)s-o_port1
-[0:0] -A %(bn)s-o_port1 -p icmpv6 -j RETURN
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 --dport 547 -j RETURN
-[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 --dport 546 -j DROP
-[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port2 \
+[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+[0:0] -A %(bn)s-o_%(port1)s -p icmpv6 -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 546 --dport 547 -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 547 --dport 546 -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -m state --state INVALID -j DROP
+[0:0] -A %(bn)s-o_%(port1)s -m state --state RELATED,ESTABLISHED -j RETURN
+[0:0] -A %(bn)s-o_%(port1)s -j %(bn)s-sg-fallback
+[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \
-%(physdev_is_bridged)s -j %(bn)s-i_port2
-[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 130 -j RETURN
-[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 131 -j RETURN
-[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 132 -j RETURN
-[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 135 -j RETURN
-[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 136 -j RETURN
-[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback
-[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port2 \
+[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s
+[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 130 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 131 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 132 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 135 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -p icmpv6 --icmpv6-type 136 -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -m state --state INVALID -j DROP
+[0:0] -A %(bn)s-i_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
+[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
+[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
-[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_port2 \
-%(physdev_is_bridged)s -j %(bn)s-o_port2
-[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \
-%(physdev_is_bridged)s -j %(bn)s-o_port2
-[0:0] -A %(bn)s-o_port2 -p icmpv6 -j RETURN
-[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 546 --dport 547 -j RETURN
-[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 547 --dport 546 -j DROP
-[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP
-[0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN
-[0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback
+[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+[0:0] -A %(bn)s-o_%(port2)s -p icmpv6 -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 546 --dport 547 -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 547 --dport 546 -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -m state --state INVALID -j DROP
+[0:0] -A %(bn)s-o_%(port2)s -m state --state RELATED,ESTABLISHED -j RETURN
+[0:0] -A %(bn)s-o_%(port2)s -j %(bn)s-sg-fallback
 [0:0] -A %(bn)s-sg-chain -j ACCEPT
 COMMIT
 # Completed by iptables_manager
-- 2.45.2
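Review bot: Nothing in this IPv6 template records why it needs no ordering guard, while IPTABLES_FILTER_2_2 earlier in the patch gets a `REVERSE_PORT_ORDER` conditional; here the two per-port blocks are identical apart from `%(port1)s`/`%(port2)s` (no per-device `-s` or `--mac-source` rule), so the expected text is the same whichever device IPTABLES_ARG labels port1. That reasoning is not visible in the hunk and the next person chasing a hash-seed failure will have to rederive it. A one-line comment above the `IPTABLES_FILTER_V6_2 = """` assignment, which starts outside this hunk, would do: `# No port-order guard needed: the v6 rules carry no per-device IP/MAC, so port1/port2 are interchangeable here`. Whether IPTABLES_ARG actually swaps port1/port2 together with ip/mac is something I cannot confirm from this hunk, so word the comment accordingly.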