wakame-vdc-agents 10.12.0 → 11.06.0

data/lib/dcmgr/models/tag.rb

@@ -160,5 +160,10 @@ module Dcmgr::Models
     def to_api_document
       to_hash.merge({:type_id=>self.class.to_s.split('::').last})
     end
+
+    def self.declare(account_id, tag_class_name, name)
+      Dcmgr::Tags.const_get(tag_class_name).find_or_create(:account_id=>account_id,
+                                                           :name=>name)
+    end
   end
 end

data/lib/dcmgr/models/vlan_lease.rb

@@ -13,5 +13,13 @@ module Dcmgr::Models
     with_timestamps
 
     one_to_many :networks
+
+    def validate
+
+      unless 1 <= self.tag_id.to_i && self.tag_id.to_i <= 4095
+        errors.add(:tag_id, "Tag ID is out of range (1-4095)")
+      end
+      
+    end
   end
 end

data/lib/dcmgr/models/volume.rb

@@ -32,13 +32,16 @@ module Dcmgr::Models
       String :host_device_name
       String :guest_device_name
       String :export_path, :null=>false
+#      String :intermediate_path, :null=>false
       Text :transport_information
       Time :deleted_at
       Time :attached_at
       Time :detached_at
+
       index :storage_pool_id
       index :instance_id
       index :snapshot_id
+      index :deleted_at
     end
     with_timestamps
 
@@ -47,6 +50,15 @@ module Dcmgr::Models
 
     plugin ArchiveChangedColumn, :histories
     
+    subset(:lives, {:deleted_at => nil})
+
+    RECENT_TERMED_PERIOD=(60 * 15)
+    # lists the volumes are available and deleted within
+    # RECENT_TERMED_PERIOD sec.
+    def_dataset_method(:alives_and_recent_termed) {
+      filter("deleted_at IS NULL OR deleted_at >= ?", (Time.now.utc - RECENT_TERMED_PERIOD))
+    }
+    
     # serialization plugin must be defined at the bottom of all class
     # method calls.
     # Possible column data:
@@ -58,19 +70,20 @@ module Dcmgr::Models
     class RequestError < RuntimeError; end
 
     def before_create
-      # check the volume size
       sp = self.storage_pool
-      volume_size = Volume.dataset.where(:storage_pool_id=> self.storage_pool_id).get{sum(:size)}
-      total_size = sp.offerring_disk_space - volume_size.to_i
+      volume_size = sp.volumes_dataset.lives.sum(:size).to_i
+      # check if the sum of available volume and new volume is under
+      # the limit of offering capacity.
+      total_size = sp.offering_disk_space - volume_size.to_i
       if self.size > total_size
         raise DiskError, "out of disk space"
       end
 
-      super
-    end
-
-    def before_save
-      self.updated_at = Time.now
+      # TODO: Here may not be the right place for capacity validation.
+      per_account_totoal = self.class.filter(:account_id=>self.account_id).lives.sum(:size).to_i
+      if self.account.quota.volume_total_size < per_account_totoal + self.size.to_i
+        raise DiskError, "Out of account quota: #{self.account.quota.volume_total_size}, #{self.size.to_i}, #{per_account_totoal}"
+      end
       super
     end
 
@@ -134,8 +147,13 @@ module Dcmgr::Models
         :state => self.state,
         :instance_id => (self.instance && self.instance.canonical_uuid),
         :deleted_at => self.deleted_at,
+        :detached_at => self.detached_at,
       }
     end
+    
+    def ready_to_take_snapshot?
+      %w(available attached).member?(self.state)
+    end
 
     def create_snapshot(account_id)
       vs = VolumeSnapshot.create(:account_id=>account_id,

data/lib/dcmgr/models/volume_snapshot.rb

@@ -17,13 +17,23 @@ module Dcmgr::Models
       Fixnum :size, :null=>false
       Fixnum :status, :null=>false, :default=>0
       String :state, :null=>false, :default=>STATE_TYPE_REGISTERING
+      String :destination_key, :null=>false 
+      Time   :deleted_at
       index :storage_pool_id
+      index  :deleted_at
     end
     with_timestamps
 
     many_to_one :storage_pool
     plugin ArchiveChangedColumn, :histories
 
+    RECENT_TERMED_PERIOD=(60 * 15)
+    # lists the volumes are available and deleted within
+    # RECENT_TERMED_PERIOD sec.
+    def_dataset_method(:alives_and_recent_termed) {
+      filter("deleted_at IS NULL OR deleted_at >= ?", (Time.now.utc - RECENT_TERMED_PERIOD))
+    }
+
     class RequestError < RuntimeError; end
 
     # Hash data for API response.
@@ -34,7 +44,10 @@ module Dcmgr::Models
         :state => self.state,
         :size => self.size,
         :origin_volume_id => self.origin_volume_id,
+        :destination_id => self.destination,
+        :destination_name => self.display_name, 
         :created_at => self.created_at,
+        :deleted_at => self.deleted_at,
       }
     end
 
@@ -44,9 +57,23 @@ module Dcmgr::Models
       storage_pool.create_volume(account_id, self.size, self.canonical_uuid)
     end
 
+    def display_name
+      repository_config = Dcmgr::StorageService.snapshot_repository_config
+      repository = repository_config[self.destination]
+      repository['display_name']
+    end
+
     def origin_volume
       Volume[origin_volume_id]
     end
+    
+    def snapshot_filename
+      "#{self.canonical_uuid}.zsnap"
+    end
+    
+    def destination
+      self.destination_key.split('@')[0]
+    end
 
     def self.delete_snapshot(account_id, uuid)
       vs = self.dataset.where(:account_id => account_id).where(:uuid => uuid.split('-').last).first
@@ -56,5 +83,15 @@ module Dcmgr::Models
       vs.state = :deleting
       vs.save_changes
     end
+    
+    def update_destination_key(account_id, destination_key)
+      self.destination_key = destination_key
+      self.save_changes
+    end
+
+    def self.store_local?(destination)
+      destination.nil?
+    end 
+
   end
 end

data/lib/dcmgr/node_modules/hva_collector.rb

@@ -6,6 +6,7 @@ module Dcmgr
   module NodeModules
     class HvaCollector < Isono::NodeModules::Base
       include Isono::NodeModules
+      include Dcmgr::Logger
 
       initialize_hook do
         rpc = RpcChannel.new(node)
@@ -23,7 +24,6 @@ module Dcmgr
       end
 
       def get_instance(instance_id)
-        Models::Instance.lock!
         inst = Models::Instance[instance_id]
         raise "UnknownInstanceID" if inst.nil?
 
@@ -32,7 +32,6 @@ module Dcmgr
       end
 
       def update_instance(instance_id, data)
-        Models::Instance.lock!
         inst = Models::Instance[instance_id]
         raise "UnknownInstanceID" if inst.nil?
         if data[:state] == :terminated
@@ -48,54 +47,76 @@ module Dcmgr
       end
 
       def get_netfilter_groups_of_instance(instance_id)
-        Models::Instance.lock!
         inst = Models::Instance[instance_id]
         raise "UnknownInstanceID" if inst.nil?
 
         inst.netfilter_groups.map { |g| g.to_hash }
       end
 
-      def get_group_instance_ipv4s(instance_id)
-        Models::Instance.lock!
+      #Returns an array containing the ip addresses of all instances in the same security group.
+      # _set_ determines which ip addresses are returned. There are 3 possible values
+      # :inside is the default value. This returns all inside ip addresses
+      # :outside returns all the outside addresses for instances that are natted.
+      # :all returns all ip addresses regardless of whether they're natted or not
+      def get_group_instance_ipv4s(instance_id,set = :inside)
         inst = Models::Instance[instance_id]
         raise "UnknownInstanceID" if inst.nil?
-
-        ipv4s = inst.netfilter_groups.map { |netfilter_group|
-          next if netfilter_group.nil?
-          netfilter_group.instance_netfilter_groups.map { |instance_netfilter_group|
-            next if instance_netfilter_group.nil?
-            instance_netfilter_group.instance_dataset.lives.all.map { |instance|
-              next if instance.nil?
-              instance.ips.map { |ip|
-                next if ip.nil?
-                ip.ipv4
+        raise "Unknown ip set." unless [:inside,:all,:outside].member?(set)
+
+        inst.netfilter_groups.compact.map { |netfilter_group|
+          netfilter_group.instances_dataset.lives.all.compact.map { |instance|
+              instance.ips.compact.map { |ip|
+                case set
+                when :all
+                  ip
+                when :inside
+                  ip.map {|i| unless i.is_natted? then i.ipv4 else nil end}.compact
+                when :outside
+                  ip.map {|i| if i.is_natted? then i.ipv4 else nil end}.compact
+                end
               }
             }
-          }
-        }.flatten.uniq.compact
-        ipv4s
+          }.flatten.uniq.compact
       end
 
 #      def get_instances_of_account_netfilter_group(account_id, netfilter_group_id)
       def get_instances_of_account_netfilter_group(account_id, netfilter_group_name)
-        Models::NetfilterGroup.lock!
         ng_map = Models::NetfilterGroup.find(:account_id => account_id, :name => netfilter_group_name)
         raise "UnknownNetfilterGroupID" if ng_map.nil?
-        inst_maps = ng_map.instance_netfilter_groups.map { |instance_netfilter_group|
-          instance_netfilter_group.instance_dataset.lives.all.map { |inst| inst.to_hash }
-        }.flatten.uniq.compact
+        inst_maps = ng_map.instances_dataset.lives.all.map { |inst| inst.to_hash }.flatten.uniq.compact
         inst_maps
       end
 
       def get_network(network_id)
-        Models::Network.lock!
         network = Models::Network[network_id]
         raise "UnknownNetworkID" if network.nil?
         network.to_hash
       end
 
+      #Returns the current iplease for nic with uuid _nic_uuid_
+      def get_iplease_for_nic(nic_uuid)
+        nic = Models::Taggable.find(nic_uuid)
+        Models::IpLease.find(:instance_nic_id => nic[:id])[:ipv4]
+      end
+
+      def get_nat_leases(nic_uuid)
+        #TODO: get this to work with non canonical uuid
+        nic = Models::Taggable.find(nic_uuid)
+        
+        leases = Models::IpLease.filter({:instance_nic_id => nic[:id]} & ~{:network_id => nic[:network_id]})
+        leases.map {|l| l[:ipv4]}
+      end
+
+      def is_natted_ip?(ip)
+        lease = Models::IpLease.find(:ipv4 => ip)
+        
+        return false if lease.nil?
+            
+        #lease.instance_nic.network_id != lease.network_id  
+        lease.is_natted?
+      end
+
       def get_networks
-        Models::Network.lock!
         networks = Models::Network.all
         networks.map { |network|
           network.to_hash
@@ -103,8 +124,6 @@ module Dcmgr
       end
 
       def get_dhcp_conf(network_name)
-        Models::Network.lock!
-
         build_network_segment = proc { |network|
           gwaddr = network.ipaddress
           h = {
@@ -121,7 +140,7 @@ module Dcmgr
             :addr2host=> [],
           }
           
-          network.ip_lease_dataset.filter(:type=>Models::IpLease::TYPE_AUTO).each { |ip|
+          network.ip_lease_dataset.filter(:alloc_type=>Models::IpLease::TYPE_AUTO).each { |ip|
             # ignore IPs unbound to vnic.
             next if ip.instance_nic.nil? || ip.instance_nic.instance.nil?
             
@@ -131,7 +150,7 @@ module Dcmgr
             }
             h[:addr2host] << {
               :hostname => ip.instance_nic.instance.fqdn_hostname,
-              :ipaddr   => ip.ipv4
+              :ipaddr   => network.nat_network.nil? ? ip.ipv4 : ip.nat_outside_lease.ipv4 
             }
           }
           
@@ -157,23 +176,24 @@ module Dcmgr
       end
 
       def get_instances_of_netfilter_group(netfilter_group_id)
-        Models::NetfilterGroup.lock!
         g = Models::NetfilterGroup[netfilter_group_id]
         raise "UnknownNetfilterGroupID" if g.nil?
-        inst_maps = g.instance_netfilter_groups.map { |instance_netfilter_group|
-          instance_netfilter_group.instance_dataset.lives.all.map { |inst| inst.to_hash }
-        }.flatten.uniq.compact
-        inst_maps
+        g.instances.map {|i| i.to_hash }.flatten.uniq.compact
       end
 
       def get_alive_instances(node_id)
-        Models::HostPool.lock!
         hp = Models::HostPool.find(:node_id => node_id)
-        raise "UnknownNodeID", node_id if hp.nil?
+        if hp.nil?
+          logger.error("The node ID is not bound to HostPool yet: #{node_id}")
+          return []
+        end
         hps = Models::HostPool.where(:account_id => hp.account_id).all
         inst_on_hp = hps.map { |hp|
           inst_on_hp = hp.instances_dataset.lives.all.map { |inst|
-            inst.to_hash
+            inst_map = inst.to_hash
+            # Does the hva have instance?
+            next unless inst_map[:host_pool][:node_id] == node_id
+            inst_map
           }
         }.flatten.uniq.compact
         inst_on_hp

data/lib/dcmgr/node_modules/instance_ha.rb

@@ -7,7 +7,7 @@ module Dcmgr
       include Dcmgr::Logger
       
       initialize_hook do
-        @thread_pool = Isono::ThreadPool.new
+        @thread_pool = Isono::ThreadPool.new(1, 'InstanceHA')
         event = Isono::NodeModules::EventChannel.new(node)
         event.subscribe('hva/fault_instance', '#') { |args|
           @thread_pool.pass {

data/lib/dcmgr/node_modules/instance_monitor.rb

@@ -0,0 +1,70 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module NodeModules
+    class InstanceMonitor < Isono::NodeModules::Base
+      include Dcmgr::Rpc::KvmHelper
+      include Dcmgr::Logger
+
+      initialize_hook do
+        @thread_pool = Isono::ThreadPool.new(1, 'InstanceMonitor')
+        @monitor = EventMachine::PeriodicTimer.new(5) {
+          next if @thread_pool.queue.size > 0
+          @thread_pool.pass {
+            myinstance.check_instance
+          }
+        }
+      end
+
+      terminate_hook do
+        @monitor.cancel
+        @thread_pool.shutdown
+      end
+
+      def check_instance()
+        instlst = rpc.request('hva-collector', 'get_alive_instances', manifest.node_id)
+        instlst.find_all{|i| i[:state] == 'running' }.each { |i|
+          begin
+            check_kvm_process(i)
+          rescue Exception => e
+            if i[:status] == 'online'
+              logger.error("#{e.class}, #{e.message}")
+
+              rpc.request('hva-collector', 'update_instance', i[:uuid], {:status=>:offline}) { |req|
+                req.oneshot = true
+              }
+              event.publish('hva/fault_instance', :args=>[i[:uuid]])
+            end
+            next
+          end
+
+          if i[:status] != 'online'
+            rpc.request('hva-collector', 'update_instance', i[:uuid], {:status=>:online}) { |req|
+              req.oneshot = true
+            }
+          end
+        }
+      end
+
+      private
+      def check_kvm_process(i)
+        kvm_pid_path = File.expand_path("#{i[:uuid]}/kvm.pid", node.manifest.config.vm_data_dir)
+        unless File.exists?(kvm_pid_path)
+          raise "Unable to find the kvm.pid file: #{i[:uuid]}"
+        end
+        pid = File.read(kvm_pid_path).to_i
+        unless File.exists?(File.expand_path(pid.to_s, '/proc'))
+          raise "Unable to find the pid of kvm process: #{pid}"
+        end
+      end
+
+      def rpc
+        @rpc ||= Isono::NodeModules::RpcChannel.new(@node)
+      end
+
+      def event
+        @event ||= Isono::NodeModules::EventChannel.new(@node)
+      end
+    end
+
+  end
+end

data/lib/dcmgr/node_modules/service_netfilter.rb

@@ -0,0 +1,914 @@
+# -*- coding: utf-8 -*-
+require 'isono'
+require 'ipaddress'
+
+module Dcmgr
+  module NodeModules
+
+    module Bandwidth
+      include Dcmgr::Helpers::NicHelper
+      include Dcmgr::Logger
+      
+      def clear_bandwidth_limits
+        logger.debug "Removing all bandwidth limits"
+        "tc qdisc del dev #{find_nic(@node.manifest.config.hv_ifindex)} root"
+      end
+    
+      def limit_bandwidth(networks)
+        bandwidth_cmd = []
+        #raise ArgumentError unless inst_maps.is_a?(Hash)
+        nic = find_nic(@node.manifest.config.hv_ifindex)
+        
+        #Determine the physical nic's peed in Mbit/s
+        speed = %x{ethtool #{nic} | grep Speed | cut -d ' ' -f2}.chomp.to_i
+        
+        #Set up root disc
+        bandwidth_cmd << "tc qdisc add dev #{nic} root handle 1: htb"
+        bandwidth_cmd << "tc class add dev #{nic} parent 1: classid 1:1 htb rate #{speed}mbit ceil #{speed}mbit"
+        
+        networks.each { |nw|
+          next if nw[:bandwidth].nil?
+          
+          logger.debug "Limiting bandwidth to #{nw[:bandwidth]}Mbit/s for #{nw[:uuid]}."
+          
+          #Set up the bandwidth limit for this network
+          bandwidth_cmd << "tc class add dev #{nic} parent 1:1 classid 1:1#{nw[:bandwidth_mark]} htb rate #{nw[:bandwidth]}mbit ceil #{nw[:bandwidth]}mbit prio 1"
+          bandwidth_cmd << "tc qdisc add dev #{nic} parent 1:1#{nw[:bandwidth_mark]} handle 1#{nw[:bandwidth_mark]}: sfq perturb 10"
+          bandwidth_cmd << "tc filter add dev #{nic} protocol ip parent 1: prio 1 handle #{nw[:bandwidth_mark]} fw classid 1:1#{nw[:bandwidth_mark]}"
+
+          #Mark the packets passing through this network
+          ["s","d"].each { |x| bandwidth_cmd << "iptables -A FORWARD -#{x} #{nw[:ipv4_gw]}/#{nw[:prefix]} -j MARK --set-mark 0x#{nw[:bandwidth_mark]}" }
+        }
+        
+        bandwidth_cmd
+      end
+    end
+
+    module Nat
+      include Dcmgr::Helpers::NicHelper
+      include Dcmgr::Logger
+      
+      # Takes an instance and nats it.
+      # If the instance is in a network that has a nat_network mapped to it,
+      # it will receive a second ip lease for that network. This lease will then be
+      # natted to the ip the instance already had in its own network.
+      # For example if 192.168.0.0/24 is natted to 172.16.0.0/16, then
+      # an instance with ip 192.168.0.10 might be natted to ip 172.16.46.23.
+      def nat_instance(inst_map)
+        nat_cmd = []
+        raise ArgumentError unless inst_map.is_a?(Hash)
+        
+        inst_map[:instance_nics].each {
+          |nic|       
+          nat_ips = rpc.request('hva-collector', 'get_nat_leases', nic[:uuid]).map {|ip| IPAddress(ip)}
+          
+          #Get the internal ip for this nic
+          internal_ip = IPAddress rpc.request('hva-collector', 'get_iplease_for_nic', nic[:uuid])
+          inside_exception_ips = rpc.request('hva-collector','get_group_instance_ipv4s',inst_map[:uuid]).map {|ip| IPAddress(ip)}
+          outside_exception_ips = rpc.request('hva-collector','get_group_instance_ipv4s',inst_map[:uuid],:outside).map {|ip| IPAddress(ip)}
+          
+          #output the commands to nat this nic and answer arp requests for its outside ip
+          friend_ipset  = inst_map[:uuid] + "_friend_ips"
+          nat_ips.each { |external_ip|
+            if @node.manifest.config.use_ipset
+              
+              nat_cmd << "ipset -N #{friend_ipset} iphash"
+              
+              inside_exception_ips.each { |ex_ip|
+                nat_cmd << "ipset -A #{friend_ipset} #{ex_ip.address}"
+              }
+              
+              # The good rules that use ipset
+              postrouting_command = "iptables -t nat -A POSTROUTING -s #{internal_ip.address} -m set ! --match-set #{friend_ipset} dst"
+              prerouting_command = "iptables -t nat -A PREROUTING -d #{external_ip.address} -m set ! --match-set #{friend_ipset} src"
+            else
+              # The ugly rules to use in case ipset is not installed
+              postrouting_command = "iptables -t nat -A POSTROUTING -s #{internal_ip.address}"
+              prerouting_command = "iptables -t nat -A PREROUTING -d #{external_ip.address}"
+            end
+            
+            # Build the final nat rules and log any packets that traverse them
+            nat_cmd << postrouting_command  + " -j LOG --log-prefix 'Snat '"
+            nat_cmd << postrouting_command  + " -j SNAT --to #{external_ip.address}"
+            
+            nat_cmd << prerouting_command + " -j LOG --log-prefix 'Dnat '"
+            nat_cmd << prerouting_command + " -j DNAT --to #{internal_ip.address}"
+            
+            logger.debug "Natting #{internal_ip.address} to #{external_ip.address}"
+            
+            nat_cmd << arp_respond(external_ip)
+          }
+        }
+        
+        nat_cmd
+      end
+      
+      def nat_exceptions(inst_map)
+        inside_exception_ips = rpc.request('hva-collector','get_group_instance_ipv4s',inst_map[:uuid]).map {|ip| IPAddress(ip)}
+        outside_exception_ips = rpc.request('hva-collector','get_group_instance_ipv4s',inst_map[:uuid],:outside).map {|ip| IPAddress(ip)}
+        
+        cmds = []
+        inst_map[:instance_nics].each { |nic|
+          internal_ip = IPAddress(rpc.request('hva-collector', 'get_iplease_for_nic', nic[:uuid]))
+          inside_exception_ips.each { |ex_ip|
+            cmds << "iptables -t nat -A POSTROUTING -s #{internal_ip.address} -d #{ex_ip.address}/#{ex_ip.prefix} -j ACCEPT"
+          }
+          outside_exception_ips.each { |ex_ip|
+            cmds << "iptables -t nat -A PREROUTING -s #{internal_ip.address} -d #{ex_ip.address}/#{ex_ip.prefix} -j ACCEPT"
+          }
+        }
+        
+        cmds
+      end
+      
+      # Returns ebtables command to respond to ARP requests for the address _ip_.
+      def arp_respond(ip)
+        ip = IPAddress(ip) if ip.is_a?(String)    
+        raise "Invalid IP address: #{ip}" unless ip.is_a?(IPAddress)
+        
+        #Get the mac address for our physical nic
+        nic = find_nic(@node.manifest.config.hv_ifindex)
+        #TODO: Find a prettier way to get the mac address
+        mac_addr = %x{ifconfig | grep '#{nic}' | tr -s ' ' | cut -d ' ' -f5}.chomp
+        
+        logger.debug "Replying ARP requests for address: #{ip.address}"
+        
+        "ebtables -t nat -A PREROUTING -p arp --arp-ip-dst #{ip.address} --arp-opcode REQUEST -j arpreply --arpreply-mac #{mac_addr}"
+      end
+      
+      def is_natted_ip?(ip)
+        ip = IPAddress(ip) if ip.is_a?(String)
+        #TODO: put in a proper argumenterror here
+        raise "Invalid IP address: #{ip}" unless ip.is_a?(IPAddress)
+        
+        rpc.request('hva-collector', 'is_natted_ip?', ip.address) 
+      end
+    end
+
+    class ServiceNetfilter < Isono::NodeModules::Base
+      include Dcmgr::Logger
+      include Dcmgr::Helpers::NicHelper
+      include Nat
+      include Bandwidth
+
+      initialize_hook do
+        @worker_thread = Isono::ThreadPool.new(1, 'Netfilter')
+
+        @worker_thread.pass {
+          myinstance.init_netfilter
+        }
+
+        event = Isono::NodeModules::EventChannel.new(node)
+
+        event.subscribe('hva/instance_started', '#') do |args|
+          @worker_thread.pass {
+            logger.info("refresh on instance_started: #{args.inspect}")
+            inst_id = args[0]
+            logger.info("refresh_netfilter_by_friend_instance_id: #{inst_id}")
+            myinstance.refresh_netfilter_by_friend_instance_id(inst_id)
+          }
+        end
+
+        event.subscribe('hva/instance_terminated', '#') do |args|
+          @worker_thread.pass {
+            logger.info("refresh on instance_terminated: #{args.inspect}")
+            inst_id = args[0]
+            logger.info("refresh_netfilter_by_friend_instance_id: #{inst_id}")
+            myinstance.refresh_netfilter_by_friend_instance_id(inst_id)
+          }
+        end
+
+        event.subscribe('hva/netfilter_updated', '#') do |args|
+          @worker_thread.pass {
+            logger.info("refresh on netfilter_updated: #{args.inspect}")
+            netfilter_group_id = args[0]
+            myinstance.refresh_netfilter_by_joined_netfilter_group_id(netfilter_group_id)
+          }
+        end
+      end
+
+      def init_netfilter
+        begin
+          inst_maps = rpc.request('hva-collector', 'get_alive_instances', node.node_id)
+
+          viftable_map = {}
+          inst_maps = inst_maps.map { |inst_map|
+            viftable_map[ inst_map[:ips].first ] = inst_map[:instance_nics].first[:uuid]
+
+            # Does the hva have instance?
+            unless inst_map[:host_pool][:node_id] == node.node_id
+              logger.warn("no match for the instance: #{inst_map[:uuid]}")
+              next
+            end
+            # Does host have vif?
+            next unless valid_nic?(inst_map[:instance_nics].first[:uuid])
+            inst_maps
+          }.flatten.uniq.compact
+
+          init_iptables(inst_maps) if @node.manifest.config.enable_iptables
+          init_ebtables(inst_maps, viftable_map) if @node.manifest.config.enable_ebtables
+          init_static_nat(inst_maps) if @node.manifest.config.enable_iptables && @node.manifest.config.enable_ebtables
+          init_bandwidth_limit(networks = rpc.request('hva-collector', 'get_networks')) if @node.manifest.config.enable_iptables
+          sleep 1
+
+          logger.info("initialized netfilter")
+        rescue Exception => e
+          p e
+        end
+      end
+
+      # from event_subscriber
+      def refresh_netfilter_by_friend_instance_id(inst_id)
+        raise "UnknownInstanceID" if inst_id.nil?
+
+        begin
+          ng_maps = rpc.request('hva-collector', 'get_netfilter_groups_of_instance', inst_id)
+          # get friend instance(s)
+          friend_inst_maps = ng_maps.map { |ng_map|
+            rpc.request('hva-collector', 'get_instances_of_netfilter_group', ng_map[:id])
+          }.flatten.uniq
+          guest_inst_maps = rpc.request('hva-collector', 'get_alive_instances', node.node_id)
+
+          uuids = friend_inst_maps.map { |inst_map| inst_map[:uuid] } & guest_inst_maps.map  { |inst_map| inst_map[:uuid] }
+          logger.info("my guest instance(s)?: #{uuids.inspect}")
+
+          if uuids.flatten.uniq.size > 0
+            init_netfilter
+          else
+            # group_instance: 1->0
+            inst_map = rpc.request('hva-collector', 'get_instance', inst_id)
+            init_netfilter if inst_map[:host_pool][:node_id] == node.node_id
+          end
+        rescue Exception => e
+          p e
+        end
+      end
+
+      # from event_subscriber
+      def refresh_netfilter_by_joined_netfilter_group_id(netfilter_group_id)
+        raise "UnknownNetfilterGroupID" if netfilter_group_id.nil?
+
+        begin
+          inst_maps = rpc.request('hva-collector', 'get_instances_of_netfilter_group', netfilter_group_id)
+          init_netfilter if inst_maps.size > 0
+        rescue Exception => e
+          p e
+        end
+      end
+
+      def build_vif_map(inst_map = {})
+        vif_map = {
+          :uuid  => inst_map[:instance_nics].first[:uuid],
+          :mac   => inst_map[:instance_nics].first[:mac_addr].unpack('A2'*6).join(':'),
+          :ipv4  => inst_map[:ips].first,
+        }
+      end
+
+      def protocol_map(type)
+        case type
+        when :iptables
+          {
+            'tcp'  => 'tcp',
+            'udp'  => 'udp',
+            'icmp' => 'icmp',
+          }
+        when :ebtables
+          {
+            'ip4'  => 'ip4',
+            'arp'  => 'arp',
+            #'ip6'  => 'ip6',
+            #'rarp' => '0x8035',
+          }
+        end
+      end
+
+      def do_exec(cmds)
+        recmds = []
+
+        eos = "__EOS_#{Isono::Util.gen_id}___"
+        recmds << "/bin/cat <<'#{eos}' | /bin/bash"
+        cmds.flatten.uniq.each { |cmd|
+          puts cmd if @node.manifest.config.verbose_netfilter == true
+          recmds << cmd
+        }
+        recmds << "#{eos}"
+
+        logger.debug("applying rule line(s): #{recmds.size - 2}")
+        system(recmds.join("\n"))
+        logger.debug("applied rule line(s): #{recmds.size - 2}")
+      end
+
+      def init_ebtables(inst_maps = [], viftable_map = {})
+        init_cmds  = []
+        basic_cmds = []
+        group_cmds = []
+        nat_cmds   = []
+        final_cmds = []
+
+        init_cmds << "ebtables --init-table"
+        #Clear the nat table. This table is only used in build_ebtables_nat_part
+        init_cmds << "ebtables -t nat --init-table"
+
+        inst_maps.each { |inst_map|
+          vif_map = build_vif_map(inst_map)
+
+          basic_cmds << build_ebtables_basic_part(vif_map, inst_map)            
+          group_cmds << build_ebtables_group_part(vif_map, inst_map, viftable_map)
+          final_cmds << build_ebtables_final_part(vif_map)
+        }
+
+        viftable_map.each { |k,v|
+          logger.debug("viftable: #{v} <=> #{k}")
+        }
+
+        do_exec([init_cmds, basic_cmds, group_cmds, final_cmds])
+      end
+
+      def init_iptables(inst_maps = [])
+        init_cmds  = []
+        basic_cmds = []
+        group_cmds = []
+        nat_cmds   = []
+        final_cmds = []
+
+        [ 'raw', 'nat', 'filter' ].each { |table|
+          [ 'F', 'Z', 'X' ].each { |xcmd|
+            init_cmds << "iptables -t #{table} -#{xcmd}"
+          }
+        }
+        
+        #TODO: Make an option in the config file to use ipset
+        use_ipset = true
+        if use_ipset
+          ['F','X'].each { |xcmd|
+            init_cmds << "ipset -#{xcmd}"
+          }
+        end
+
+        # via http://backreference.org/2010/06/11/iptables-debugging/
+        # To debug ipv4 packets.
+        # $ sudo tail -F /var/log/kern.log | grep TRACE:
+        if @node.manifest.config.debug_iptables
+          init_cmds << "iptables -t raw -A OUTPUT -p icmp -j TRACE"
+          init_cmds << "iptables -t raw -A PREROUTING -p icmp -j TRACE"
+        end
+
+        inst_maps.each { |inst_map|
+          vif_map = build_vif_map(inst_map)
+
+          basic_cmds << build_iptables_basic_part(vif_map, inst_map)
+          group_cmds << build_iptables_group_part(vif_map, inst_map)
+          final_cmds << build_iptables_final_part(vif_map)
+        }
+
+        do_exec([init_cmds, basic_cmds, group_cmds, final_cmds])
+      end
+
+      def init_static_nat(inst_maps = [])
+        accept_cmds = []
+        nat_cmds    = []
+        
+        inst_maps.each { |inst_map|
+          accept_cmds << nat_exceptions(inst_map) unless @node.manifest.config.use_ipset
+          nat_cmds    << nat_instance(inst_map)
+        }
+        
+        do_exec([accept_cmds,nat_cmds])
+      end
+
+      def init_bandwidth_limit(network_maps)
+        do_exec([clear_bandwidth_limits,limit_bandwidth(network_maps)])
+      end
+
+      def build_ebtables_basic_part(vif_map, inst_map)
+        basic_cmds = []
+        hva_ipv4 = Isono::Util.default_gw_ipaddr
+
+        ################################
+        ## 0. chain name
+        ################################
+
+        # support IP protocol
+        protocol_map = protocol_map(:ebtables)
+
+        # make chain names.
+        chains = []
+        chains << "s_#{vif_map[:uuid]}"
+        chains << "d_#{vif_map[:uuid]}"
+        chains << "s_#{vif_map[:uuid]}_d_hst"
+        chains << "d_#{vif_map[:uuid]}_s_hst"
+        protocol_map.each { |k,v|
+          chains << "s_#{vif_map[:uuid]}_#{k}"
+          chains << "d_#{vif_map[:uuid]}_#{k}"
+          chains << "s_#{vif_map[:uuid]}_d_hst_#{k}"
+          chains << "d_#{vif_map[:uuid]}_s_hst_#{k}"
+        }
+
+        ################################
+        ## 1. basic part
+        ################################
+
+        # create user defined chains.
+        [ 'N' ].each { |xcmd|
+          chains.each { |chain|
+            basic_cmds << "ebtables -#{xcmd} #{chain}"
+          }
+        }
+
+        # jumt to user defined chains
+        basic_cmds << "ebtables -A FORWARD -i #{vif_map[:uuid]} -j s_#{vif_map[:uuid]}"
+        basic_cmds << "ebtables -A FORWARD -o #{vif_map[:uuid]} -j d_#{vif_map[:uuid]}"
+        basic_cmds << "ebtables -A INPUT   -i #{vif_map[:uuid]} -j s_#{vif_map[:uuid]}_d_hst"
+        basic_cmds << "ebtables -A OUTPUT  -o #{vif_map[:uuid]} -j d_#{vif_map[:uuid]}_s_hst"
+
+        # IP protocol routing
+        protocol_map.each { |k,v|
+          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}       -p #{v} -j s_#{vif_map[:uuid]}_#{k}"
+          basic_cmds << "ebtables -A d_#{vif_map[:uuid]}       -p #{v} -j d_#{vif_map[:uuid]}_#{k}"
+          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst -p #{v} -j s_#{vif_map[:uuid]}_d_hst_#{k}"
+          basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst -p #{v} -j d_#{vif_map[:uuid]}_s_hst_#{k}"
+        }
+
+        if @node.manifest.config.packet_drop_log
+          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}       --log-level 4 --log-ip --log-arp --log-prefix 'D s_#{vif_map[:uuid]}:'       -j CONTINUE"
+          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst --log-level 4 --log-ip --log-arp --log-prefix 'D s_#{vif_map[:uuid]}_d_hst:' -j CONTINUE"
+        end
+        basic_cmds << "ebtables -A s_#{vif_map[:uuid]}       -j DROP"
+        basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst -j DROP"
+        # anti spoof: mac    # guest -> *
+        basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_arp       --protocol arp --arp-mac-src ! #{vif_map[:mac]} --log-ip --log-arp --log-prefix 'Dmc s_#{vif_map[:uuid]}_arp:'       -j CONTINUE"
+        basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-mac-src ! #{vif_map[:mac]} --log-ip --log-arp --log-prefix 'Dmc s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE"
+        basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_arp       --protocol arp --arp-mac-src ! #{vif_map[:mac]} -j DROP"
+        basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-mac-src ! #{vif_map[:mac]} -j DROP"
+        # guest <- * (broadcast)
+        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp                          --arp-mac-dst 00:00:00:00:00:00 --log-ip --log-arp --log-prefix 'Amc d_#{vif_map[:uuid]}_arp:'     -j CONTINUE"
+        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-ip-src=#{hva_ipv4} --arp-mac-dst 00:00:00:00:00:00 --log-ip --log-arp --log-prefix 'Amc d_#{vif_map[:uuid]}_hst_arp:' -j CONTINUE"
+        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp                          --arp-mac-dst 00:00:00:00:00:00 -j ACCEPT"
+        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-ip-src=#{hva_ipv4} --arp-mac-dst 00:00:00:00:00:00 -j ACCEPT"
+
+        # guest <- *
+        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp --arp-mac-dst ! #{vif_map[:mac]} --log-ip --log-arp --log-prefix 'Dmc d_#{vif_map[:uuid]}_arp:'       -j CONTINUE"
+        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-mac-dst ! #{vif_map[:mac]} --log-ip --log-arp --log-prefix 'Dmc d_#{vif_map[:uuid]}_s_hst_arp:' -j CONTINUE"
+        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp --arp-mac-dst ! #{vif_map[:mac]} -j DROP"
+        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-mac-dst ! #{vif_map[:mac]} -j DROP"
+
+        # anti spoof: ipv4
+        inst_map[:ips].each { |ipv4|
+          #next if is_natted_ip? ipv4
+          # guest -> *
+          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-src ! #{ipv4} --log-ip --log-arp --log-prefix 'Dip s_#{vif_map[:uuid]}_arp:'       -j CONTINUE"
+          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src ! #{ipv4} --log-ip --log-arp --log-prefix 'Dip s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE"
+          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-src ! #{ipv4} -j DROP"
+          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src ! #{ipv4} -j DROP"
+          # guest <- *
+          basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-dst ! #{ipv4} --log-ip --log-arp --log-prefix 'Dip d_#{vif_map[:uuid]}_arp:'       -j CONTINUE"
+          basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-ip-dst ! #{ipv4} --log-ip --log-arp --log-prefix 'Dip d_#{vif_map[:uuid]}_s_hst_arp:' -j CONTINUE"
+          basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-dst ! #{ipv4} -j DROP"
+          basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-ip-dst ! #{ipv4} -j DROP"
+        }
+
+        basic_cmds
+      end
+
+      def build_ebtables_group_part(vif_map, inst_map, viftable_map)
+        group_cmds = []
+        hva_ipv4 = Isono::Util.default_gw_ipaddr
+
+        ################################
+        ## 2. group part
+        ################################
+        same_subnet_ipv4s = rpc.request('hva-collector', 'get_group_instance_ipv4s', inst_map[:uuid])
+
+        network_map = rpc.request('hva-collector', 'get_network', inst_map[:instance_nics].first[:network_id])
+        raise "UnknownNetworkId" if network_map.nil?
+        joined_network = IPAddress("#{network_map[:ipv4_gw]}/#{network_map[:prefix]}")
+        
+        [ network_map[:dns_server], network_map[:dhcp_server] ].each { |ipv4|
+          next unless joined_network.include? IPAddress(ipv4)      
+          same_subnet_ipv4s << ipv4
+        }       
+
+        # network resource node(s)
+        ng_maps = rpc.request('hva-collector', 'get_netfilter_groups_of_instance', inst_map[:uuid])
+        rules = ng_maps.map { |ng_map|
+          ng_map[:rules].map { |rule| rule[:permission] }
+        }.flatten
+        build_rule(rules).each do |rule|
+          begin
+            # <ArgumentError: Invalid IP "0.0.0.0">
+            next unless joined_network.include? IPAddress(rule[:ip_source])
+            same_subnet_ipv4s << rule[:ip_source]
+          rescue Exception => e
+            p e
+          end
+        end
+        same_subnet_ipv4s << network_map[:ipv4_gw]
+
+        # guest node(s) in HyperVisor.
+        alive_inst_maps = rpc.request('hva-collector', 'get_alive_instances', node.node_id)
+        guest_ipv4s = alive_inst_maps.map { |alive_inst_map|
+          alive_inst_map[:ips]
+        }.flatten.uniq.compact
+
+        same_subnet_ipv4s.uniq.reverse_each do |ipv4|
+          next if vif_map[:ipv4] == ipv4
+
+          # get_macaddr_by_ipv4, ipv4
+          if ipv4 == hva_ipv4
+            #p "#{vif_map[:uuid]}(#{vif_map[:ipv4]}) -> [host] ***-****** (#{ipv4})"
+            group_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} --log-ip --log-arp --log-prefix 'Afw s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE"
+            group_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} -j ACCEPT"
+          elsif guest_ipv4s.include?(ipv4)
+            #p "#{vif_map[:uuid]}(#{vif_map[:ipv4]}) -> [guest] #{viftable_map[ipv4]}(#{ipv4})"
+
+            # guest->guest
+            group_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} --log-ip --log-arp --log-prefix 'Afw d_#{vif_map[:uuid]}_arp:'       -j CONTINUE"
+            group_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} -j ACCEPT"
+            # guest->host
+            group_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} --log-ip --log-arp --log-prefix 'Afw s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE"
+            group_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} -j ACCEPT"
+            
+            unless viftable_map[ipv4].nil?
+              # guest->guest
+              group_cmds << "ebtables -A d_#{viftable_map[ipv4]}_arp       --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} --log-ip --log-arp --log-prefix 'Arv d_#{viftable_map[ipv4]}_arp:' -j CONTINUE"
+              group_cmds << "ebtables -A d_#{viftable_map[ipv4]}_arp       --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} -j ACCEPT"
+
+              # guest->host
+              group_cmds << "ebtables -A s_#{viftable_map[ipv4]}_d_hst_arp --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} --log-ip --log-arp --log-prefix 'Arv s_#{viftable_map[ipv4]}_d_hst_arp:' -j CONTINUE"
+              group_cmds << "ebtables -A s_#{viftable_map[ipv4]}_d_hst_arp --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} -j ACCEPT"
+            end
+          else
+            #p "#{vif_map[:uuid]}(#{vif_map[:ipv4]}) -> [other] ***-******** (#{ipv4})"
+            group_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} --log-ip --log-arp --log-prefix 'Afw :d_#{vif_map[:uuid]}_arp' -j CONTINUE"
+            group_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} -j ACCEPT"
+          end
+        end
+
+        group_cmds
+      end
+      def build_ebtables_final_part(vif_map)
+        final_cmds = []
+
+        ################################
+        ## 3. final part
+        ################################
+        # deny,allow
+        final_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --log-level 4 --log-ip --log-arp --log-prefix 'D d_#{vif_map[:uuid]}_arp:'       -j CONTINUE"
+        final_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --log-level 4 --log-ip --log-arp --log-prefix 'D s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE"
+        final_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       -j DROP"
+        final_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp -j DROP"
+
+        final_cmds
+      end
+
+      def build_iptables_basic_part(vif_map, inst_map)
+        basic_cmds = []
+
+        network_map = rpc.request('hva-collector', 'get_network', inst_map[:instance_nics].first[:network_id])
+        raise "UnknownNetworkId" if network_map.nil?
+
+        ################################
+        ## 0. chain name
+        ################################
+
+        # support IP protocol
+        protocol_map = protocol_map(:iptables)
+
+        # make chain names.
+        chains = []
+        protocol_map.each { |k,v|
+          chains << "s_#{vif_map[:uuid]}_#{k}"
+          chains << "d_#{vif_map[:uuid]}_#{k}"
+        }
+        chains << "s_#{vif_map[:uuid]}"
+        chains << "d_#{vif_map[:uuid]}"
+
+        ################################
+        ## 1. basic part
+        ################################
+
+        # metadata-server
+        port = network_map[:metadata_server_port] || 80
+        [ 'A' ].each { |xcmd|
+          basic_cmds << "iptables -t nat -#{xcmd} PREROUTING -m physdev --physdev-in #{vif_map[:uuid]} -d 169.254.169.254 -p tcp --dport 80 -j DNAT --to-destination #{network_map[:metadata_server]}:#{port}"
+        }
+        # create user defined chains.
+        [ 'N' ].each { |xcmd|
+          chains.each { |chain|
+            basic_cmds << "iptables -#{xcmd} #{chain}"
+
+            # logger & drop
+            basic_cmds << "iptables -N #{chain}_drop"
+            if @node.manifest.config.packet_drop_log
+              basic_cmds << "iptables -A #{chain}_drop -j LOG --log-level 4 --log-prefix 'D #{chain}:'"
+            end
+            basic_cmds << "iptables -A #{chain}_drop -j DROP"
+          }
+        }
+
+        # DHCP Server
+        basic_cmds << "iptables -A d_#{vif_map[:uuid]}_udp -p udp ! -s #{network_map[:dhcp_server]} --sport 67 -j d_#{vif_map[:uuid]}_udp_drop"
+        basic_cmds << "iptables -A d_#{vif_map[:uuid]}_udp -p udp ! -s #{network_map[:dhcp_server]} --sport 68 -j d_#{vif_map[:uuid]}_udp_drop"
+
+        # group nodes
+        # group node IPv4 addresses.
+        ipv4s = rpc.request('hva-collector', 'get_group_instance_ipv4s', inst_map[:uuid])
+        ipv4s << network_map[:ipv4_gw]
+        ipv4s.uniq.reverse_each { |addr|
+          basic_cmds << "iptables -A d_#{vif_map[:uuid]} -s #{addr} -j ACCEPT"
+        }
+
+        # IP protocol routing
+        [ 's', 'd' ].each do |bound|
+          protocol_map.each { |k,v|
+            basic_cmds << "iptables -N #{bound}_#{vif_map[:uuid]}_#{k}"
+
+            case k
+            when 'tcp'
+              case bound
+              when 's'
+                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -m state --state NEW,ESTABLISHED -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
+              when 'd'
+                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -m state --state RELATED,ESTABLISHED -p #{k} -j ACCEPT"
+                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
+              end
+            when 'udp'
+              case bound
+              when 's'
+                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -m state --state NEW,ESTABLISHED -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
+              when 'd'
+                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -m state --state ESTABLISHED -p #{k} -j ACCEPT"
+                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
+              end
+            when 'icmp'
+              case bound
+              when 's'
+                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -m state --state NEW,ESTABLISHED,RELATED -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
+              when 'd'
+                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -m state --state ESTABLISHED,RELATED -p #{k} -j ACCEPT"
+                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
+              end
+            end
+          }
+        end
+
+        basic_cmds << "iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in  #{vif_map[:uuid]} -j s_#{vif_map[:uuid]}"
+        basic_cmds << "iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out #{vif_map[:uuid]} -j d_#{vif_map[:uuid]}"
+
+        ##
+        ## ACCEPT
+        ##
+        # DHCP Server
+        basic_cmds << "iptables -A d_#{vif_map[:uuid]}_udp -p udp -s #{network_map[:dhcp_server]} --sport 67 -j ACCEPT"
+        basic_cmds << "iptables -A d_#{vif_map[:uuid]}_udp -p udp -s #{network_map[:dhcp_server]} --sport 68 -j ACCEPT"
+
+        # DNS Server
+        basic_cmds << "iptables -A s_#{vif_map[:uuid]}_udp -p udp -d #{network_map[:dns_server]} --dport 53 -j ACCEPT"
+
+        ##
+        ## DROP
+        ##
+        protocol_map.each { |k,v|
+          # DHCP
+          basic_cmds << "iptables -A s_#{vif_map[:uuid]} -d #{network_map[:dhcp_server]} -p #{k} -j s_#{vif_map[:uuid]}_#{k}_drop"
+          # DNS
+          basic_cmds << "iptables -A s_#{vif_map[:uuid]} -d #{network_map[:dns_server]} -p #{k} -j s_#{vif_map[:uuid]}_#{k}_drop"
+        }
+
+        basic_cmds
+      end
+
+      def build_iptables_group_part(vif_map, inst_map)
+        group_cmds = []
+
+        ################################
+        ## 2. group part
+        ################################
+        ng_maps = rpc.request('hva-collector', 'get_netfilter_groups_of_instance', inst_map[:uuid])
+        rules = ng_maps.map { |ng_map|
+          ng_map[:rules].map { |rule| rule[:permission] }
+        }.flatten
+
+        # security group
+        build_rule(rules).each do |rule|
+          case rule[:ip_protocol]
+          when 'tcp', 'udp'
+            if rule[:ip_fport] == rule[:ip_tport]
+              group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --dport #{rule[:ip_fport]} -j ACCEPT"
+            else
+              group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --dport #{rule[:ip_fport]}:#{rule[:ip_tport]} -j ACCEPT"
+            end
+          when 'icmp'
+            # icmp
+            #   This extension can be used if `--protocol icmp' is specified. It provides the following option:
+            #   [!] --icmp-type {type[/code]|typename}
+            #     This allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or one of the ICMP type names shown by the command
+            #      iptables -p icmp -h
+            if rule[:icmp_type] == -1 && rule[:icmp_code] == -1
+              group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} -j ACCEPT"
+            else
+              group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --icmp-type #{rule[:icmp_type]}/#{rule[:icmp_code]} -j ACCEPT"
+            end
+          end
+        end
+
+        group_cmds
+      end
+
+      def build_iptables_final_part(vif_map)
+        final_cmds = []
+
+        # support IP protocol
+        protocol_map = protocol_map(:iptables)
+
+        ################################
+        ## 3. final part
+        ################################
+
+        # drop other routings
+        protocol_map.each { |k,v|
+          final_cmds << "iptables -A d_#{vif_map[:uuid]}_#{k} -p #{k} -j d_#{vif_map[:uuid]}_#{k}_drop"
+        }
+
+        # IP protocol routing
+        [ 'd' ].each do |bound|
+          protocol_map.each { |k,v|
+            final_cmds << "iptables -A #{bound}_#{vif_map[:uuid]}_#{k} -j #{bound}_#{vif_map[:uuid]}_#{k}_drop"
+          }
+        end
+
+        final_cmds
+      end
+
+      def build_rule(rules = [])
+        rule_maps = []
+
+        rules.each do |rule|
+          rule = rule.strip.gsub(/[\s\t]+/, '')
+          from_group = false
+          ipv4s = []
+
+          # ex.
+          # "tcp:22,22,ip4:0.0.0.0"
+          # "udp:53,53,ip4:0.0.0.0"
+          # "icmp:-1,-1,ip4:0.0.0.0"
+
+          # 1st phase
+          # ip_tport    : tcp,udp? 1 - 16bit, icmp: -1
+          # id_port has been separeted in first phase.
+          from_pair, ip_tport, source_pair = rule.split(',')
+
+          next if from_pair.nil?
+          next if ip_tport.nil?
+          next if source_pair.nil?
+
+          # 2nd phase
+          # ip_protocol : [ tcp | udp | icmp ]
+          # ip_fport    : tcp,udp? 1 - 16bit, icmp: -1
+          ip_protocol, ip_fport = from_pair.split(':')
+
+          # protocol    : [ ip4 | ip6 | #{account_id} ]
+          # ip_source   : ip4? xxx.xxx.xxx.xxx./[0-32], ip6? (not yet supprted), #{netfilter_group_id}
+          protocol, ip_source = source_pair.split(':')
+
+          begin
+            s = StringScanner.new(protocol)
+            until s.eos?
+              case
+              when s.scan(/ip6/)
+                # TODO#FUTURE: support IPv6 address format
+                next
+              when s.scan(/ip4/)
+                # IPAddress doesn't support prefix '0'.
+                ip_addr, prefix = ip_source.split('/', 2)
+                if prefix.to_i == 0
+                  ip_source = ip_addr
+                end
+              when s.scan(/a-\w{8}/)
+                from_group = true
+                inst_maps = rpc.request('hva-collector', 'get_instances_of_account_netfilter_group', protocol, ip_source)
+                inst_maps.each { |inst_map|
+                  ipv4s << inst_map[:ips]
+                }
+              else
+                raise "unexpected protocol '#{s.peep(20)}'"
+              end
+            end
+          rescue Exception => e
+            p e
+            next
+          end
+
+          begin
+            if from_group == false
+              #p "from_group:(#{from_group}) ip_source -> #{ip_source}"
+              ip = IPAddress(ip_source)
+              ip_source = case ip.u32
+                          when 0
+                            "#{ip.address}/0"
+                          else
+                            "#{ip.address}/#{ip.prefix}"
+                          end
+            else
+              ipv4s = ipv4s.flatten.uniq
+            end
+          rescue Exception => e
+            p e
+            next
+          end
+
+          case ip_protocol
+          when 'tcp', 'udp'
+            ip_fport = ip_fport.to_i
+            ip_tport = ip_tport.to_i
+
+            # validate port range
+            [ ip_fport, ip_tport ].each do |port|
+              next unless port >= 1 && port <= 65535
+            end
+
+            if ip_fport <= ip_tport
+              if from_group == false
+                rule_maps << {
+                  :ip_protocol => ip_protocol,
+                  :ip_fport    => ip_fport,
+                  :ip_tport    => ip_tport,
+                  :protocol    => protocol,
+                  :ip_source   => ip_source,
+                }
+              else
+                ipv4s.each { |ip|
+                  rule_maps << {
+                    :ip_protocol => ip_protocol,
+                    :ip_fport    => ip_fport,
+                    :ip_tport    => ip_tport,
+                    :protocol    => 'ip4',
+                    :ip_source   => ip,
+                  }
+                }
+              end
+            end
+          when 'icmp'
+            # via http://docs.amazonwebservices.com/AWSEC2/latest/CommandLineReference/
+            #
+            # For the ICMP protocol, the ICMP type and code must be specified.
+            # This must be specified in the format type:code where both are integers.
+            # Type, code, or both can be specified as -1, which is a wildcard.
+
+            icmp_type = ip_fport.to_i
+            icmp_code = ip_tport.to_i
+
+            # icmp_type
+            case icmp_type
+            when -1
+            when 0, 3, 5, 8, 11, 12, 13, 14, 15, 16, 17, 18
+            else
+              next
+            end
+
+            # icmp_code
+            case icmp_code
+            when -1
+            when 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
+              # when icmp_type equals -1 icmp_code must equal -1.
+              next if icmp_type == -1
+            else
+              next
+            end
+
+            if from_group == false
+              rule_maps << {
+                :ip_protocol => ip_protocol,
+                :icmp_type   => ip_tport.to_i, # ip_tport.to_i, # -1 or 0,       3,    5,       8,        11, 12, 13, 14, 15, 16, 17, 18
+                :icmp_code   => ip_fport.to_i, # ip_fport.to_i, # -1 or 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
+                :protocol    => protocol,
+                :ip_source   => ip_source,
+              }
+            else
+              ipv4s.each { |ip|
+                rule_maps << {
+                  :ip_protocol => ip_protocol,
+                  :icmp_type   => ip_tport.to_i, # ip_tport.to_i, # -1 or 0,       3,    5,       8,        11, 12, 13, 14, 15, 16, 17, 18
+                  :icmp_code   => ip_fport.to_i, # ip_fport.to_i, # -1 or 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
+                  :protocol    => 'ip4',
+                  :ip_source   => ip,
+                }
+              }
+            end
+          end
+        end
+
+        rule_maps
+      end
+
+      def rpc
+        @rpc ||= Isono::NodeModules::RpcChannel.new(@node)
+      end
+
+      def event
+        @event ||= Isono::NodeModules::EventChannel.new(@node)
+      end
+
+    end
+  end
+end