wakame-vdc-dcmgr 11.06.0 → 11.12.0

data/lib/dcmgr/node_modules/scheduler.rb

@@ -0,0 +1,189 @@
+# -*- coding: utf-8 -*-
+require 'isono'
+
+module Dcmgr
+  module NodeModules
+    class Scheduler < Isono::NodeModules::Base
+      include Dcmgr::Logger
+
+      # module_module: bin/collector
+      initialize_hook do
+        app = Isono::Rack::ObjectMethod.new(myinstance)
+        job = Isono::NodeModules::JobChannel.new(node)
+        job.register_endpoint('scheduler', Isono::Rack.build do
+                                use Isono::Rack::DataStore
+                                run proc { |req, res|
+                                  Thread.current[Models::BaseNew::LOCK_TABLES_KEY] = {}
+                                  app.call(req, res)
+                                }
+                              end)
+      end
+
+      terminate_hook do
+      end
+
+      def schedule_instance(instance_id)
+        instance = Models::Instance[instance_id]
+        vol = Models::Volume.find(:instance_id=>instance.id, :boot_dev=>1)
+        
+        Dcmgr::Scheduler.host_node.schedule(instance)
+        Dcmgr::Scheduler.network.schedule(instance)
+        lease_ip_address_to_instance(instance)
+        instance.save
+        
+        instance.state = :pending
+        instance.save
+
+
+        case instance.image.boot_dev_type
+        when Models::Image::BOOT_DEV_SAN
+          Dcmgr::Scheduler.storage_node.schedule(vol)
+          vol.state = :pending
+          vol.save
+          
+          commit_transaction
+          
+          repository_address = Dcmgr::StorageService.repository_address(vol.snapshot.destination_key)
+          self.job.submit("sta-handle.#{vol.storage_node.node_id}",
+                          'create_volume_and_run_instance', vol.canonical_uuid, instance.canonical_uuid, repository_address)
+        when Models::Image::BOOT_DEV_LOCAL
+          commit_transaction
+          self.job.submit("hva-handle.#{instance.host_node.node_id}",
+                          'run_local_store', instance.canonical_uuid)
+        else
+          raise "Unknown boot type"
+        end
+        event.publish('instance.scheduled', :args=>[instance.canonical_uuid])
+        
+      rescue ::Exception => e
+        rollback_transaction rescue nil
+        
+        logger.error(e)
+        instance.destroy if instance
+        vol.destroy if vol
+        return
+      end
+
+      def schedule_instance_ha(instance_id, vol)
+        instance = Models::Instance[instance_id]
+        
+        Dcmgr::Scheduler.host_node_ha.schedule(instance)
+        # Don't re-schedule network here.
+        # The IP address, MAC address and NIC must be assigned with same address.
+        instance.save
+        
+        instance.state = :pending
+        instance.save
+
+        commit_transaction
+        case instance.image.boot_dev_type
+        when Models::Image::BOOT_DEV_SAN
+          self.job.submit("hva-handle.#{instance.host_node.node_id}", 'run_vol_store', instance.canonical_uuid, vol.canonical_uuid)
+        when Models::Image::BOOT_DEV_LOCAL
+          self.job.submit("hva-handle.#{instance.host_node.node_id}", 'run_local_store', instance.canonical_uuid)
+        else
+          raise "Unknown boot type"
+        end
+        event.publish('instance.scheduled', :args=>[instance.canonical_uuid])
+        
+      rescue ::Exception => e
+        rollback_transaction rescue nil
+        
+        logger.error(e)
+        instance.destroy if instance
+        vol.destroy if vol
+        return
+      end
+
+      def schedule_start_instance(instance_id)
+        instance = Models::Instance[instance_id]
+        vol = Models::Volume.find(:instance_id=>instance.id, :boot_dev=>1)
+        
+        Dcmgr::Scheduler.host_node.schedule(instance)
+        lease_ip_address_to_instance(instance)
+        instance.save
+        
+        instance.state = :pending
+        instance.save
+
+        commit_transaction
+        case instance.image.boot_dev_type
+        when Models::Image::BOOT_DEV_SAN
+          self.job.submit("hva-handle.#{instance.host_node.node_id}", 'run_vol_store', instance.canonical_uuid, vol.canonical_uuid)
+        when Models::Image::BOOT_DEV_LOCAL
+          self.job.submit("hva-handle.#{instance.host_node.node_id}", 'run_local_store', instance.canonical_uuid)
+        else
+          raise "Unknown boot type"
+        end
+        event.publish('instance.scheduled', :args=>[instance.canonical_uuid])
+        
+      rescue ::Exception => e
+        rollback_transaction rescue nil
+        
+        logger.error(e)
+        instance.destroy if instance
+        vol.destroy if vol
+        return
+      end
+
+      def schedule_volume(volume_id)
+        volume = Models::Volume[volume_id]
+        
+        Dcmgr::Scheduler.storage_node.schedule(volume)
+        volume.save
+
+        volume.state = :pending
+        volume.save
+        
+        commit_transaction
+        
+        repository_address = nil
+        if volume.snapshot
+          repository_address = Dcmgr::StorageService.repository_address(volume.snapshot.destination_key)
+        end
+              
+        self.job.submit("sta-handle.#{volume.storage_node.node_id}",
+                        'create_volume', volume.canonical_uuid, repository_address)
+      rescue ::Exception => e
+        rollback_transaction rescue nil
+
+        logger.error(e)
+        volume.destroy
+      end
+
+      protected
+      # commit manually before return from the request block
+      def commit_transaction
+        db = Sequel::DATABASES.first
+        db << db.__send__(:commit_transaction_sql)
+      end
+
+      def rollback_transaction
+        db = Sequel::DATABASES.first
+        db << db.__send__(:rollback_transaction_sql)
+      end
+      
+      def job()
+        Isono::NodeModules::JobChannel.new(self.node)
+      end
+
+      def event()
+        Isono::NodeModules::EventChannel.new(self.node)
+      end
+
+      def lease_ip_address_to_instance(instance)
+        instance.nic.each { |nic|
+          network = nic.network
+          if network && nic.direct_ip_lease.empty?
+            Models::IpLease.lease(nic, network)
+          end
+          nat_network = nic.nat_network 
+          if nat_network && nic.nat_ip_lease.empty?
+            Models::IpLease.lease(nic, nat_network)
+          end
+        }
+      end
+      
+    end
+  end
+end

data/lib/dcmgr/node_modules/service_netfilter.rb

@@ -8,29 +8,34 @@ module Dcmgr
     module Bandwidth
       include Dcmgr::Helpers::NicHelper
       include Dcmgr::Logger
-      
+
       def clear_bandwidth_limits
         logger.debug "Removing all bandwidth limits"
         "tc qdisc del dev #{find_nic(@node.manifest.config.hv_ifindex)} root"
       end
-    
+
+
+      # Enforces the bandwidth limits set for the networks.
+      # This uses the tc command to do so.
+      # _networks_ is an array containing the networks to set
+      # the bandwidth limits for.
       def limit_bandwidth(networks)
         bandwidth_cmd = []
         #raise ArgumentError unless inst_maps.is_a?(Hash)
         nic = find_nic(@node.manifest.config.hv_ifindex)
-        
+
         #Determine the physical nic's peed in Mbit/s
         speed = %x{ethtool #{nic} | grep Speed | cut -d ' ' -f2}.chomp.to_i
-        
+
         #Set up root disc
         bandwidth_cmd << "tc qdisc add dev #{nic} root handle 1: htb"
         bandwidth_cmd << "tc class add dev #{nic} parent 1: classid 1:1 htb rate #{speed}mbit ceil #{speed}mbit"
-        
+
         networks.each { |nw|
           next if nw[:bandwidth].nil?
-          
+
           logger.debug "Limiting bandwidth to #{nw[:bandwidth]}Mbit/s for #{nw[:uuid]}."
-          
+
           #Set up the bandwidth limit for this network
           bandwidth_cmd << "tc class add dev #{nic} parent 1:1 classid 1:1#{nw[:bandwidth_mark]} htb rate #{nw[:bandwidth]}mbit ceil #{nw[:bandwidth]}mbit prio 1"
           bandwidth_cmd << "tc qdisc add dev #{nic} parent 1:1#{nw[:bandwidth_mark]} handle 1#{nw[:bandwidth_mark]}: sfq perturb 10"
@@ -39,7 +44,7 @@ module Dcmgr
           #Mark the packets passing through this network
           ["s","d"].each { |x| bandwidth_cmd << "iptables -A FORWARD -#{x} #{nw[:ipv4_gw]}/#{nw[:prefix]} -j MARK --set-mark 0x#{nw[:bandwidth_mark]}" }
         }
-        
+
         bandwidth_cmd
       end
     end
@@ -48,6 +53,69 @@ module Dcmgr
       include Dcmgr::Helpers::NicHelper
       include Dcmgr::Logger
       
+      # Quick and dirty hack to unlink the nat chains before deleting them.
+      # It would be cleaner to recall the creation method with a :delete action
+      # but NAT rules are based on IP leases and those are deleted on instance termination
+      # Therefore we use grep to get the referring rules based on vnic uuid and then delete them.
+      # Run build_nat_chains(inst_map, :delete) afterwards to delete the chains themselves
+      def unlink_nat_chains(inst_map)
+        raise ArgumentError, "inst_map must be a Hash." unless inst_map.is_a?(Hash)
+
+        del_cmds = []
+        inst_map[:instance_nics].each { |nic|
+          post = %x{iptables -t nat -L POSTROUTING --line-numbers | grep s_#{nic[:uuid]} | tr -s ' ' | cut -d ' ' -f1}.chomp
+          pre = %x{iptables -t nat -L PREROUTING --line-numbers | grep d_#{nic[:uuid]} | tr -s ' ' | cut -d ' ' -f1}.chomp
+
+          del_cmds << "iptables -t nat -D POSTROUTING #{post}" unless post.empty?
+          del_cmds << "iptables -t nat -D PREROUTING #{pre}" unless pre.empty?
+        }
+
+        del_cmds
+      end
+      
+      # Similar hack to unlink_nat_chains. Once an instance is terminated,
+      # we no longer know which IP it had so we grep the rules by mac address
+      # and delete them by rule numer
+      def stop_arp_reply(inst_map)
+        raise ArgumentError, "inst_map must be a Hash." unless inst_map.is_a?(Hash)
+
+        del_cmds = []
+
+        inst_map[:instance_nics].each { |nic|
+          mac = clean_mac(nic[:mac_addr])
+          rule_number = %x{ebtables -t nat -L --Ln --Lmac2 | grep #{mac} | cut -d '.' -f1}
+          del_cmds << "ebtables -t nat -D PREROUTING #{rule_number}" unless rule_number.empty?
+        }
+
+        del_cmds
+      end
+      
+      # Builds or deletes the chains for each vnic in an instance.
+      # We use different chains for incoming and outgoing packets per vnic
+      # This way every packet only needs to be checked against chains that
+      # are specifically intended for it.
+      # _inst_map_ is a map of the instance to build or delte chains for.
+      # _action_ decides wether we will create or delete the rules. It can be
+      # either of the following:
+      # * :create is the default value and creates chains for _inst_map_
+      # * :delete deletes the chains for _inst_map_
+      def build_nat_chains(inst_map, action = :create)
+        actions = { :create => ['N'], :delete => ['F', 'X'] }
+        raise ArgumentError, "#{action} is not a valid action. Valid actions are #{actions.keys.join(',')}." unless actions.keys.member?(action)
+        raise ArgumentError, "inst_map must be a Hash." unless inst_map.is_a?(Hash)
+
+        chain_cmds = []
+        inst_map[:instance_nics].each { |nic|
+          ['s','d'].each { |bound|
+            actions[action].each { |a|
+              chain_cmds << "iptables -t nat -#{a} #{bound}_#{nic[:uuid]}"
+            }
+          }
+        }
+
+        chain_cmds
+      end
+
       # Takes an instance and nats it.
       # If the instance is in a network that has a nat_network mapped to it,
       # it will receive a second ip lease for that network. This lease will then be
@@ -55,93 +123,108 @@ module Dcmgr
       # For example if 192.168.0.0/24 is natted to 172.16.0.0/16, then
       # an instance with ip 192.168.0.10 might be natted to ip 172.16.46.23.
       def nat_instance(inst_map)
+        raise ArgumentError, "inst_map must be a Hash." unless inst_map.is_a?(Hash)
+
         nat_cmd = []
-        raise ArgumentError unless inst_map.is_a?(Hash)
-        
-        inst_map[:instance_nics].each {
-          |nic|       
+
+        inst_map[:instance_nics].each { |nic|
+          # strict check
+          next unless valid_nic?(nic[:uuid])
+
           nat_ips = rpc.request('hva-collector', 'get_nat_leases', nic[:uuid]).map {|ip| IPAddress(ip)}
-          
+
           #Get the internal ip for this nic
           internal_ip = IPAddress rpc.request('hva-collector', 'get_iplease_for_nic', nic[:uuid])
           inside_exception_ips = rpc.request('hva-collector','get_group_instance_ipv4s',inst_map[:uuid]).map {|ip| IPAddress(ip)}
           outside_exception_ips = rpc.request('hva-collector','get_group_instance_ipv4s',inst_map[:uuid],:outside).map {|ip| IPAddress(ip)}
-          
+
           #output the commands to nat this nic and answer arp requests for its outside ip
-          friend_ipset  = inst_map[:uuid] + "_friend_ips"
+          friend_ipset  = nic[:uuid] + "_friend_ips"
           nat_ips.each { |external_ip|
             if @node.manifest.config.use_ipset
-              
+
               nat_cmd << "ipset -N #{friend_ipset} iphash"
-              
+
               inside_exception_ips.each { |ex_ip|
                 nat_cmd << "ipset -A #{friend_ipset} #{ex_ip.address}"
               }
-              
-              # The good rules that use ipset
-              postrouting_command = "iptables -t nat -A POSTROUTING -s #{internal_ip.address} -m set ! --match-set #{friend_ipset} dst"
-              prerouting_command = "iptables -t nat -A PREROUTING -d #{external_ip.address} -m set ! --match-set #{friend_ipset} src"
+
+              # The good rules that use ipset              
+              postrouting_command = "iptables -t nat -A s_#{nic[:uuid]} -s #{internal_ip.address} -m set ! --match-set #{friend_ipset} dst"
+              prerouting_command = "iptables -t nat -A d_#{nic[:uuid]} -d #{external_ip.address} -m set ! --match-set #{friend_ipset} src"
             else
               # The ugly rules to use in case ipset is not installed
-              postrouting_command = "iptables -t nat -A POSTROUTING -s #{internal_ip.address}"
-              prerouting_command = "iptables -t nat -A PREROUTING -d #{external_ip.address}"
+              postrouting_command = "iptables -t nat -A s_#{nic[:uuid]} -s #{internal_ip.address}"
+              prerouting_command = "iptables -t nat -A d_#{nic[:uuid]} -d #{external_ip.address}"
             end
-            
+
+            # Set up the proper chain jumps
+            nat_cmd << "iptables -t nat -A PREROUTING -d #{external_ip.address} -j d_#{nic[:uuid]}"
+            nat_cmd << "iptables -t nat -A POSTROUTING -s #{internal_ip.address} -j s_#{nic[:uuid]}"
+
             # Build the final nat rules and log any packets that traverse them
-            nat_cmd << postrouting_command  + " -j LOG --log-prefix 'Snat '"
+            nat_cmd << postrouting_command  + " -j LOG --log-prefix 'Snat '" if @node.manifest.config.packet_drop_log
             nat_cmd << postrouting_command  + " -j SNAT --to #{external_ip.address}"
-            
-            nat_cmd << prerouting_command + " -j LOG --log-prefix 'Dnat '"
+
+            nat_cmd << prerouting_command + " -j LOG --log-prefix 'Dnat '" if @node.manifest.config.packet_drop_log
             nat_cmd << prerouting_command + " -j DNAT --to #{internal_ip.address}"
-            
+
             logger.debug "Natting #{internal_ip.address} to #{external_ip.address}"
-            
-            nat_cmd << arp_respond(external_ip)
+
+            mac = clean_mac(nic[:mac_addr])
+            nat_cmd << arp_respond(external_ip,mac)
           }
         }
-        
+
         nat_cmd
       end
-      
+
+      # Returns the netfilter rules for destination IP addresses that
+      # will not use static nat. These are the IP addresses of other instances
+      # in the same security group.
+      # _inst_map_ is a map of the instance that the rules will be defined for.
       def nat_exceptions(inst_map)
         inside_exception_ips = rpc.request('hva-collector','get_group_instance_ipv4s',inst_map[:uuid]).map {|ip| IPAddress(ip)}
         outside_exception_ips = rpc.request('hva-collector','get_group_instance_ipv4s',inst_map[:uuid],:outside).map {|ip| IPAddress(ip)}
-        
+
         cmds = []
         inst_map[:instance_nics].each { |nic|
+          # strict check
+          next unless valid_nic?(nic[:uuid])
+
           internal_ip = IPAddress(rpc.request('hva-collector', 'get_iplease_for_nic', nic[:uuid]))
           inside_exception_ips.each { |ex_ip|
-            cmds << "iptables -t nat -A POSTROUTING -s #{internal_ip.address} -d #{ex_ip.address}/#{ex_ip.prefix} -j ACCEPT"
+            cmds << "iptables -t nat -A s_#{nic[:uuid]} -s #{internal_ip.address} -d #{ex_ip.address}/#{ex_ip.prefix} -j ACCEPT"
           }
           outside_exception_ips.each { |ex_ip|
-            cmds << "iptables -t nat -A PREROUTING -s #{internal_ip.address} -d #{ex_ip.address}/#{ex_ip.prefix} -j ACCEPT"
+            cmds << "iptables -t nat -A d_#{nic[:uuid]} -s #{internal_ip.address} -d #{ex_ip.address}/#{ex_ip.prefix} -j ACCEPT"
           }
         }
-        
+
         cmds
       end
-      
+
       # Returns ebtables command to respond to ARP requests for the address _ip_.
-      def arp_respond(ip)
-        ip = IPAddress(ip) if ip.is_a?(String)    
+      # _mac_addr_ is the mac address that we will reply with.
+      def arp_respond(ip,mac_addr)
+        ip = IPAddress(ip) if ip.is_a?(String)
         raise "Invalid IP address: #{ip}" unless ip.is_a?(IPAddress)
-        
+
         #Get the mac address for our physical nic
-        nic = find_nic(@node.manifest.config.hv_ifindex)
+        #nic = find_nic(@node.manifest.config.hv_ifindex)
         #TODO: Find a prettier way to get the mac address
-        mac_addr = %x{ifconfig | grep '#{nic}' | tr -s ' ' | cut -d ' ' -f5}.chomp
-        
+        #mac_addr = %x{ifconfig | grep '#{nic}' | tr -s ' ' | cut -d ' ' -f5}.chomp
+
         logger.debug "Replying ARP requests for address: #{ip.address}"
-        
+
         "ebtables -t nat -A PREROUTING -p arp --arp-ip-dst #{ip.address} --arp-opcode REQUEST -j arpreply --arpreply-mac #{mac_addr}"
       end
-      
+
       def is_natted_ip?(ip)
         ip = IPAddress(ip) if ip.is_a?(String)
-        #TODO: put in a proper argumenterror here
-        raise "Invalid IP address: #{ip}" unless ip.is_a?(IPAddress)
-        
-        rpc.request('hva-collector', 'is_natted_ip?', ip.address) 
+        raise ArgumentError, "Invalid IP address: #{ip}" unless ip.is_a?(IPAddress)
+
+        rpc.request('hva-collector', 'is_natted_ip?', ip.address)
       end
     end
 
@@ -150,12 +233,20 @@ module Dcmgr
       include Dcmgr::Helpers::NicHelper
       include Nat
       include Bandwidth
+      
+      attr_accessor :controller
 
       initialize_hook do
         @worker_thread = Isono::ThreadPool.new(1, 'Netfilter')
 
         @worker_thread.pass {
-          myinstance.init_netfilter
+          unless myinstance.node.manifest.config.edge_networking == 'legacy_netfilter'
+            sleep 1
+            # Initializing the controller will also apply netfilter rules for every alive instance
+            myinstance.controller = VNet::ControllerFactory.create_controller(myinstance.node)
+          else
+            myinstance.init_netfilter
+          end
         }
 
         event = Isono::NodeModules::EventChannel.new(node)
@@ -164,8 +255,12 @@ module Dcmgr
           @worker_thread.pass {
             logger.info("refresh on instance_started: #{args.inspect}")
             inst_id = args[0]
-            logger.info("refresh_netfilter_by_friend_instance_id: #{inst_id}")
-            myinstance.refresh_netfilter_by_friend_instance_id(inst_id)
+            unless myinstance.node.manifest.config.edge_networking == 'legacy_netfilter'
+              myinstance.controller.apply_instance(inst_id)
+            else
+              logger.info("add_netfilter_by_instance_id: #{inst_id}")
+              myinstance.add_netfilter_by_instance_id(inst_id)
+            end
           }
         end
 
@@ -173,16 +268,24 @@ module Dcmgr
           @worker_thread.pass {
             logger.info("refresh on instance_terminated: #{args.inspect}")
             inst_id = args[0]
-            logger.info("refresh_netfilter_by_friend_instance_id: #{inst_id}")
-            myinstance.refresh_netfilter_by_friend_instance_id(inst_id)
+            unless myinstance.node.manifest.config.edge_networking == 'legacy_netfilter'
+              myinstance.controller.remove_instance(inst_id)
+            else
+              logger.info("delete_netfilter_by_instance_id: #{inst_id}")
+              myinstance.delete_netfilter_by_instance_id(inst_id)
+            end
           }
         end
 
-        event.subscribe('hva/netfilter_updated', '#') do |args|
+        event.subscribe('hva/security_group_updated', '#') do |args|
           @worker_thread.pass {
             logger.info("refresh on netfilter_updated: #{args.inspect}")
-            netfilter_group_id = args[0]
-            myinstance.refresh_netfilter_by_joined_netfilter_group_id(netfilter_group_id)
+            security_group_id = args[0]
+            unless myinstance.node.manifest.config.edge_networking == 'legacy_netfilter'
+              myinstance.controller.update_security_group(security_group_id)
+            else
+              myinstance.refresh_netfilter_by_joined_security_group_id(security_group_id)
+            end
           }
         end
       end
@@ -196,7 +299,7 @@ module Dcmgr
             viftable_map[ inst_map[:ips].first ] = inst_map[:instance_nics].first[:uuid]
 
             # Does the hva have instance?
-            unless inst_map[:host_pool][:node_id] == node.node_id
+            unless inst_map[:host_node][:node_id] == node.node_id
               logger.warn("no match for the instance: #{inst_map[:uuid]}")
               next
             end
@@ -217,15 +320,81 @@ module Dcmgr
         end
       end
 
+      # This method created all netfilter rules for one instance.
+      # It is called when starting a new instances
+      # _inst_id_ is the canonical uuid of the instance whose netfilter rule are to be created.
+      def add_netfilter_by_instance_id(inst_id)
+        raise ArgumentError, "Unknown Instance ID: #{inst_id}" if inst_id.nil?
+        inst_map = rpc.request('hva-collector', 'get_instance', inst_id)
+        raise ArgumentError, "Unknown Instance ID: #{inst_id}" if inst_map.nil?
+
+        cmds = []
+        vif_map = build_vif_map(inst_map)
+        viftable_map = {}
+        viftable_map[ inst_map[:ips].first ] = inst_map[:instance_nics].first[:uuid]
+
+        if @node.manifest.config.enable_ebtables
+          cmds << build_ebtables_chains(vif_map,:create)
+          cmds << build_ebtables_basic_part(vif_map, inst_map, :create)
+          cmds << build_ebtables_group_part(vif_map, inst_map, viftable_map, :create)
+          cmds << build_ebtables_final_part(vif_map, :create)
+        end
+
+        if @node.manifest.config.enable_iptables
+          cmds << build_iptables_chains(protocol_map(:iptables), vif_map, :create)
+          cmds << build_iptables_basic_part(vif_map, inst_map, :create)
+          cmds << build_iptables_group_part(vif_map, inst_map, :create)
+          cmds << build_iptables_final_part(vif_map, :create)
+        end
+
+        if @node.manifest.config.enable_ebtables && @node.manifest.config.enable_iptables
+          cmds << build_nat_chains(inst_map)
+          cmds << nat_exceptions(inst_map) unless @node.manifest.config.use_ipset
+          cmds << nat_instance(inst_map)
+        end
+        
+        do_exec(cmds)
+      end
+
+      # This method deletes all netfilter rules for one instance.
+      # It is called when terminating an instance.
+      # _inst_id_ The canonical uuid of the instance whose netfilter rules are to be deleted.
+      def delete_netfilter_by_instance_id(inst_id)
+        raise ArgumentError, "Unknown Instance ID: #{inst_id}" if inst_id.nil?
+        inst_map = rpc.request('hva-collector', 'get_instance', inst_id)
+        raise ArgumentError, "Unknown Instance ID: #{inst_id}" if inst_map.nil?
+
+        #Create vnic map
+        vif_map = build_vif_map(inst_map)
+
+        #Delete ebtables chains
+        cmds = []
+
+        #Calling build_ebtables_basic_part with the :delete flag will delete all jumps to this instance's chains and then delete the chains themselves
+        cmds << build_ebtables_basic_part(vif_map, inst_map, :delete) if @node.manifest.config.enable_ebtables
+
+        #Delete nat chains
+        if @node.manifest.config.enable_ebtables && @node.manifest.config.enable_iptables
+          cmds << unlink_nat_chains(inst_map)
+          cmds << stop_arp_reply(inst_map)
+          cmds << build_nat_chains(inst_map, :delete)
+        end
+
+        #Delete iptables chains
+        cmds << build_iptables_basic_part(vif_map, inst_map, :delete) if @node.manifest.config.enable_iptables
+
+        do_exec(cmds)
+      end
+
       # from event_subscriber
       def refresh_netfilter_by_friend_instance_id(inst_id)
         raise "UnknownInstanceID" if inst_id.nil?
 
         begin
-          ng_maps = rpc.request('hva-collector', 'get_netfilter_groups_of_instance', inst_id)
+          ng_maps = rpc.request('hva-collector', 'get_security_groups_of_instance', inst_id)
           # get friend instance(s)
           friend_inst_maps = ng_maps.map { |ng_map|
-            rpc.request('hva-collector', 'get_instances_of_netfilter_group', ng_map[:id])
+            rpc.request('hva-collector', 'get_instances_of_security_group', ng_map[:id])
           }.flatten.uniq
           guest_inst_maps = rpc.request('hva-collector', 'get_alive_instances', node.node_id)
 
@@ -237,7 +406,7 @@ module Dcmgr
           else
             # group_instance: 1->0
             inst_map = rpc.request('hva-collector', 'get_instance', inst_id)
-            init_netfilter if inst_map[:host_pool][:node_id] == node.node_id
+            init_netfilter if inst_map[:host_node][:node_id] == node.node_id
           end
         rescue Exception => e
           p e
@@ -245,11 +414,11 @@ module Dcmgr
       end
 
       # from event_subscriber
-      def refresh_netfilter_by_joined_netfilter_group_id(netfilter_group_id)
-        raise "UnknownNetfilterGroupID" if netfilter_group_id.nil?
+      def refresh_netfilter_by_joined_security_group_id(security_group_id)
+        raise "Unknown security group ID: #{security_group_id}" if security_group_id.nil?
 
         begin
-          inst_maps = rpc.request('hva-collector', 'get_instances_of_netfilter_group', netfilter_group_id)
+          inst_maps = rpc.request('hva-collector', 'get_instances_of_security_group', security_group_id)
           init_netfilter if inst_maps.size > 0
         rescue Exception => e
           p e
@@ -259,7 +428,7 @@ module Dcmgr
       def build_vif_map(inst_map = {})
         vif_map = {
           :uuid  => inst_map[:instance_nics].first[:uuid],
-          :mac   => inst_map[:instance_nics].first[:mac_addr].unpack('A2'*6).join(':'),
+          :mac   => clean_mac(inst_map[:instance_nics].first[:mac_addr]),
           :ipv4  => inst_map[:ips].first,
         }
       end
@@ -312,7 +481,7 @@ module Dcmgr
         inst_maps.each { |inst_map|
           vif_map = build_vif_map(inst_map)
 
-          basic_cmds << build_ebtables_basic_part(vif_map, inst_map)            
+          basic_cmds << build_ebtables_basic_part(vif_map, inst_map)
           group_cmds << build_ebtables_group_part(vif_map, inst_map, viftable_map)
           final_cmds << build_ebtables_final_part(vif_map)
         }
@@ -331,15 +500,17 @@ module Dcmgr
         nat_cmds   = []
         final_cmds = []
 
+        #Drop all packets that aren't explicitely allowed
+        #init_cmds << "iptables -P FORWARD DROP"
+        init_cmds << "iptables -P FORWARD ACCEPT"
+
         [ 'raw', 'nat', 'filter' ].each { |table|
           [ 'F', 'Z', 'X' ].each { |xcmd|
             init_cmds << "iptables -t #{table} -#{xcmd}"
           }
         }
-        
-        #TODO: Make an option in the config file to use ipset
-        use_ipset = true
-        if use_ipset
+
+        if @node.manifest.config.use_ipset
           ['F','X'].each { |xcmd|
             init_cmds << "ipset -#{xcmd}"
           }
@@ -365,25 +536,28 @@ module Dcmgr
       end
 
       def init_static_nat(inst_maps = [])
+        chain_cmds  = []
+        #ref_cmds    = []
         accept_cmds = []
         nat_cmds    = []
-        
+
         inst_maps.each { |inst_map|
+          chain_cmds  << build_nat_chains(inst_map)
+          #ref_cmds    = ref_nat_chains(inst_map)
           accept_cmds << nat_exceptions(inst_map) unless @node.manifest.config.use_ipset
           nat_cmds    << nat_instance(inst_map)
         }
-        
-        do_exec([accept_cmds,nat_cmds])
+
+        do_exec([chain_cmds,accept_cmds,nat_cmds])
       end
 
       def init_bandwidth_limit(network_maps)
         do_exec([clear_bandwidth_limits,limit_bandwidth(network_maps)])
       end
 
-      def build_ebtables_basic_part(vif_map, inst_map)
-        basic_cmds = []
-        hva_ipv4 = Isono::Util.default_gw_ipaddr
-
+      def build_ebtables_chains(vif_map,action = :create)
+        actions = { :create => 'N' , :delete => 'X' }
+        raise ArgumentError, "#{action} is not a valid action. Valid actions are #{actions.keys.join(',')}" unless actions.keys.member?(action)
         ################################
         ## 0. chain name
         ################################
@@ -404,75 +578,90 @@ module Dcmgr
           chains << "d_#{vif_map[:uuid]}_s_hst_#{k}"
         }
 
+        # create user defined chains.
+        cmds = chains.map { |chain|
+          "ebtables -#{actions[action]} #{chain}"
+        }
+
+        cmds
+      end
+
+      def build_ebtables_basic_part(vif_map, inst_map, action = :create)
+        basic_cmds = []
+
+        actions = { :create => 'A' , :delete => 'D' }
+        raise ArgumentError, "#{action} is not a valid action. Valid actions are #{actions.keys.join(',')}" unless actions.keys.member?(action)
+
+        hva_ipv4 = Isono::Util.default_gw_ipaddr
+
         ################################
         ## 1. basic part
         ################################
+        
+        protocol_map = protocol_map(:ebtables)
 
-        # create user defined chains.
-        [ 'N' ].each { |xcmd|
-          chains.each { |chain|
-            basic_cmds << "ebtables -#{xcmd} #{chain}"
-          }
-        }
+        basic_cmds << build_ebtables_chains(vif_map,action) if action == :create
 
         # jumt to user defined chains
-        basic_cmds << "ebtables -A FORWARD -i #{vif_map[:uuid]} -j s_#{vif_map[:uuid]}"
-        basic_cmds << "ebtables -A FORWARD -o #{vif_map[:uuid]} -j d_#{vif_map[:uuid]}"
-        basic_cmds << "ebtables -A INPUT   -i #{vif_map[:uuid]} -j s_#{vif_map[:uuid]}_d_hst"
-        basic_cmds << "ebtables -A OUTPUT  -o #{vif_map[:uuid]} -j d_#{vif_map[:uuid]}_s_hst"
+        basic_cmds << "ebtables -#{actions[action]} FORWARD -i #{vif_map[:uuid]} -j s_#{vif_map[:uuid]}"
+        basic_cmds << "ebtables -#{actions[action]} FORWARD -o #{vif_map[:uuid]} -j d_#{vif_map[:uuid]}"
+        basic_cmds << "ebtables -#{actions[action]} INPUT   -i #{vif_map[:uuid]} -j s_#{vif_map[:uuid]}_d_hst"
+        basic_cmds << "ebtables -#{actions[action]} OUTPUT  -o #{vif_map[:uuid]} -j d_#{vif_map[:uuid]}_s_hst"
 
         # IP protocol routing
         protocol_map.each { |k,v|
-          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}       -p #{v} -j s_#{vif_map[:uuid]}_#{k}"
-          basic_cmds << "ebtables -A d_#{vif_map[:uuid]}       -p #{v} -j d_#{vif_map[:uuid]}_#{k}"
-          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst -p #{v} -j s_#{vif_map[:uuid]}_d_hst_#{k}"
-          basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst -p #{v} -j d_#{vif_map[:uuid]}_s_hst_#{k}"
+          basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}       -p #{v} -j s_#{vif_map[:uuid]}_#{k}"
+          basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}       -p #{v} -j d_#{vif_map[:uuid]}_#{k}"
+          basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst -p #{v} -j s_#{vif_map[:uuid]}_d_hst_#{k}"
+          basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_s_hst -p #{v} -j d_#{vif_map[:uuid]}_s_hst_#{k}"
         }
 
         if @node.manifest.config.packet_drop_log
-          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}       --log-level 4 --log-ip --log-arp --log-prefix 'D s_#{vif_map[:uuid]}:'       -j CONTINUE"
-          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst --log-level 4 --log-ip --log-arp --log-prefix 'D s_#{vif_map[:uuid]}_d_hst:' -j CONTINUE"
+          basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}       --log-level 4 --log-ip --log-arp --log-prefix 'D s_#{vif_map[:uuid]}:'       -j CONTINUE" if @node.manifest.config.packet_drop_log
+          basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst --log-level 4 --log-ip --log-arp --log-prefix 'D s_#{vif_map[:uuid]}_d_hst:' -j CONTINUE" if @node.manifest.config.packet_drop_log
         end
-        basic_cmds << "ebtables -A s_#{vif_map[:uuid]}       -j DROP"
-        basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst -j DROP"
+        basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}       -j DROP"
+        basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst -j DROP"
         # anti spoof: mac    # guest -> *
-        basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_arp       --protocol arp --arp-mac-src ! #{vif_map[:mac]} --log-ip --log-arp --log-prefix 'Dmc s_#{vif_map[:uuid]}_arp:'       -j CONTINUE"
-        basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-mac-src ! #{vif_map[:mac]} --log-ip --log-arp --log-prefix 'Dmc s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE"
-        basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_arp       --protocol arp --arp-mac-src ! #{vif_map[:mac]} -j DROP"
-        basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-mac-src ! #{vif_map[:mac]} -j DROP"
+        basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_arp       --protocol arp --arp-mac-src ! #{vif_map[:mac]} --log-ip --log-arp --log-prefix 'Dmc s_#{vif_map[:uuid]}_arp:'       -j CONTINUE" if @node.manifest.config.packet_drop_log
+        basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-mac-src ! #{vif_map[:mac]} --log-ip --log-arp --log-prefix 'Dmc s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE" if @node.manifest.config.packet_drop_log
+        basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_arp       --protocol arp --arp-mac-src ! #{vif_map[:mac]} -j DROP"
+        basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-mac-src ! #{vif_map[:mac]} -j DROP"
         # guest <- * (broadcast)
-        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp                          --arp-mac-dst 00:00:00:00:00:00 --log-ip --log-arp --log-prefix 'Amc d_#{vif_map[:uuid]}_arp:'     -j CONTINUE"
-        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-ip-src=#{hva_ipv4} --arp-mac-dst 00:00:00:00:00:00 --log-ip --log-arp --log-prefix 'Amc d_#{vif_map[:uuid]}_hst_arp:' -j CONTINUE"
-        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp                          --arp-mac-dst 00:00:00:00:00:00 -j ACCEPT"
-        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-ip-src=#{hva_ipv4} --arp-mac-dst 00:00:00:00:00:00 -j ACCEPT"
+        basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_arp       --protocol arp                          --arp-mac-dst 00:00:00:00:00:00 --log-ip --log-arp --log-prefix 'Amc d_#{vif_map[:uuid]}_arp:'     -j CONTINUE" if @node.manifest.config.packet_drop_log
+        basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-ip-src=#{hva_ipv4} --arp-mac-dst 00:00:00:00:00:00 --log-ip --log-arp --log-prefix 'Amc d_#{vif_map[:uuid]}_hst_arp:' -j CONTINUE" if @node.manifest.config.packet_drop_log
+        basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_arp       --protocol arp                          --arp-mac-dst 00:00:00:00:00:00 -j ACCEPT"
+        basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-ip-src=#{hva_ipv4} --arp-mac-dst 00:00:00:00:00:00 -j ACCEPT"
 
         # guest <- *
-        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp --arp-mac-dst ! #{vif_map[:mac]} --log-ip --log-arp --log-prefix 'Dmc d_#{vif_map[:uuid]}_arp:'       -j CONTINUE"
-        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-mac-dst ! #{vif_map[:mac]} --log-ip --log-arp --log-prefix 'Dmc d_#{vif_map[:uuid]}_s_hst_arp:' -j CONTINUE"
-        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp --arp-mac-dst ! #{vif_map[:mac]} -j DROP"
-        basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-mac-dst ! #{vif_map[:mac]} -j DROP"
+        basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_arp       --protocol arp --arp-mac-dst ! #{vif_map[:mac]} --log-ip --log-arp --log-prefix 'Dmc d_#{vif_map[:uuid]}_arp:'       -j CONTINUE" if @node.manifest.config.packet_drop_log
+        basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-mac-dst ! #{vif_map[:mac]} --log-ip --log-arp --log-prefix 'Dmc d_#{vif_map[:uuid]}_s_hst_arp:' -j CONTINUE" if @node.manifest.config.packet_drop_log
+        basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_arp       --protocol arp --arp-mac-dst ! #{vif_map[:mac]} -j DROP"
+        basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-mac-dst ! #{vif_map[:mac]} -j DROP"
 
         # anti spoof: ipv4
         inst_map[:ips].each { |ipv4|
-          #next if is_natted_ip? ipv4
           # guest -> *
-          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-src ! #{ipv4} --log-ip --log-arp --log-prefix 'Dip s_#{vif_map[:uuid]}_arp:'       -j CONTINUE"
-          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src ! #{ipv4} --log-ip --log-arp --log-prefix 'Dip s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE"
-          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-src ! #{ipv4} -j DROP"
-          basic_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src ! #{ipv4} -j DROP"
+          basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-src ! #{ipv4} --log-ip --log-arp --log-prefix 'Dip s_#{vif_map[:uuid]}_arp:'       -j CONTINUE" if @node.manifest.config.packet_drop_log
+          basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src ! #{ipv4} --log-ip --log-arp --log-prefix 'Dip s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE" if @node.manifest.config.packet_drop_log
+          basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-src ! #{ipv4} -j DROP"
+          basic_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src ! #{ipv4} -j DROP"
           # guest <- *
-          basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-dst ! #{ipv4} --log-ip --log-arp --log-prefix 'Dip d_#{vif_map[:uuid]}_arp:'       -j CONTINUE"
-          basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-ip-dst ! #{ipv4} --log-ip --log-arp --log-prefix 'Dip d_#{vif_map[:uuid]}_s_hst_arp:' -j CONTINUE"
-          basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-dst ! #{ipv4} -j DROP"
-          basic_cmds << "ebtables -A d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-ip-dst ! #{ipv4} -j DROP"
+          basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-dst ! #{ipv4} --log-ip --log-arp --log-prefix 'Dip d_#{vif_map[:uuid]}_arp:'       -j CONTINUE" if @node.manifest.config.packet_drop_log
+          basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-ip-dst ! #{ipv4} --log-ip --log-arp --log-prefix 'Dip d_#{vif_map[:uuid]}_s_hst_arp:' -j CONTINUE" if @node.manifest.config.packet_drop_log
+          basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-dst ! #{ipv4} -j DROP"
+          basic_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_s_hst_arp --protocol arp --arp-ip-dst ! #{ipv4} -j DROP"
         }
 
+        basic_cmds << build_ebtables_chains(vif_map,action) if action == :delete
         basic_cmds
       end
 
-      def build_ebtables_group_part(vif_map, inst_map, viftable_map)
+      def build_ebtables_group_part(vif_map, inst_map, viftable_map, action = :create)
         group_cmds = []
         hva_ipv4 = Isono::Util.default_gw_ipaddr
+        actions = { :create => 'A' , :delete => 'D' }
+        raise ArgumentError, "#{action} is not a valid action. Valid actions are #{actions.keys.join(',')}" unless actions.keys.member?(action)
 
         ################################
         ## 2. group part
@@ -482,23 +671,26 @@ module Dcmgr
         network_map = rpc.request('hva-collector', 'get_network', inst_map[:instance_nics].first[:network_id])
         raise "UnknownNetworkId" if network_map.nil?
         joined_network = IPAddress("#{network_map[:ipv4_gw]}/#{network_map[:prefix]}")
-        
-        [ network_map[:dns_server], network_map[:dhcp_server] ].each { |ipv4|
-          next unless joined_network.include? IPAddress(ipv4)      
+
+        [ network_map[:dns_server], network_map[:dhcp_server], network_map[:metadata_server] ].each { |ipv4|
+          next if ipv4.nil? or not joined_network.include? IPAddress(ipv4)
           same_subnet_ipv4s << ipv4
-        }       
+        }
 
         # network resource node(s)
-        ng_maps = rpc.request('hva-collector', 'get_netfilter_groups_of_instance', inst_map[:uuid])
+        ng_maps = rpc.request('hva-collector', 'get_security_groups_of_instance', inst_map[:uuid])
         rules = ng_maps.map { |ng_map|
           ng_map[:rules].map { |rule| rule[:permission] }
         }.flatten
         build_rule(rules).each do |rule|
+          # <ArgumentError: Invalid IP "0.0.0.0">
+          next if rule[:ip_source] == "0.0.0.0/0"
+
           begin
-            # <ArgumentError: Invalid IP "0.0.0.0">
             next unless joined_network.include? IPAddress(rule[:ip_source])
             same_subnet_ipv4s << rule[:ip_source]
           rescue Exception => e
+            #raise unless e.is_a? ArgumentError
             p e
           end
         end
@@ -516,72 +708,93 @@ module Dcmgr
           # get_macaddr_by_ipv4, ipv4
           if ipv4 == hva_ipv4
             #p "#{vif_map[:uuid]}(#{vif_map[:ipv4]}) -> [host] ***-****** (#{ipv4})"
-            group_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} --log-ip --log-arp --log-prefix 'Afw s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE"
-            group_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} -j ACCEPT"
+            group_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} --log-ip --log-arp --log-prefix 'Afw s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE" if @node.manifest.config.packet_drop_log
+            group_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} -j ACCEPT"
           elsif guest_ipv4s.include?(ipv4)
             #p "#{vif_map[:uuid]}(#{vif_map[:ipv4]}) -> [guest] #{viftable_map[ipv4]}(#{ipv4})"
 
             # guest->guest
-            group_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} --log-ip --log-arp --log-prefix 'Afw d_#{vif_map[:uuid]}_arp:'       -j CONTINUE"
-            group_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} -j ACCEPT"
+            group_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} --log-ip --log-arp --log-prefix 'Afw d_#{vif_map[:uuid]}_arp:'       -j CONTINUE" if @node.manifest.config.packet_drop_log
+            group_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_arp       --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} -j ACCEPT"
             # guest->host
-            group_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} --log-ip --log-arp --log-prefix 'Afw s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE"
-            group_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} -j ACCEPT"
-            
+            group_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} --log-ip --log-arp --log-prefix 'Afw s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE" if @node.manifest.config.packet_drop_log
+            group_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst_arp --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} -j ACCEPT"
+
             unless viftable_map[ipv4].nil?
               # guest->guest
-              group_cmds << "ebtables -A d_#{viftable_map[ipv4]}_arp       --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} --log-ip --log-arp --log-prefix 'Arv d_#{viftable_map[ipv4]}_arp:' -j CONTINUE"
-              group_cmds << "ebtables -A d_#{viftable_map[ipv4]}_arp       --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} -j ACCEPT"
+              group_cmds << "ebtables -#{actions[action]} d_#{viftable_map[ipv4]}_arp       --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} --log-ip --log-arp --log-prefix 'Arv d_#{viftable_map[ipv4]}_arp:' -j CONTINUE" if @node.manifest.config.packet_drop_log
+              group_cmds << "ebtables -#{actions[action]} d_#{viftable_map[ipv4]}_arp       --protocol arp --arp-ip-src #{vif_map[:ipv4]} --arp-ip-dst #{ipv4} -j ACCEPT"
 
               # guest->host
-              group_cmds << "ebtables -A s_#{viftable_map[ipv4]}_d_hst_arp --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} --log-ip --log-arp --log-prefix 'Arv s_#{viftable_map[ipv4]}_d_hst_arp:' -j CONTINUE"
-              group_cmds << "ebtables -A s_#{viftable_map[ipv4]}_d_hst_arp --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} -j ACCEPT"
+              group_cmds << "ebtables -#{actions[action]} s_#{viftable_map[ipv4]}_d_hst_arp --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} --log-ip --log-arp --log-prefix 'Arv s_#{viftable_map[ipv4]}_d_hst_arp:' -j CONTINUE" if @node.manifest.config.packet_drop_log
+              group_cmds << "ebtables -#{actions[action]} s_#{viftable_map[ipv4]}_d_hst_arp --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} -j ACCEPT"
             end
           else
             #p "#{vif_map[:uuid]}(#{vif_map[:ipv4]}) -> [other] ***-******** (#{ipv4})"
-            group_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} --log-ip --log-arp --log-prefix 'Afw :d_#{vif_map[:uuid]}_arp' -j CONTINUE"
-            group_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} -j ACCEPT"
+            group_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_arp --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} --log-ip --log-arp --log-prefix 'Afw :d_#{vif_map[:uuid]}_arp' -j CONTINUE" if @node.manifest.config.packet_drop_log
+            group_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_arp --protocol arp --arp-ip-src #{ipv4} --arp-ip-dst #{vif_map[:ipv4]} -j ACCEPT"
           end
         end
 
         group_cmds
       end
-      def build_ebtables_final_part(vif_map)
+
+      def build_ebtables_final_part(vif_map, action = :create)
         final_cmds = []
+        actions = { :create => 'A' , :delete => 'D' }
+        raise ArgumentError, "#{action} is not a valid action. Valid actions are #{actions.keys.join(',')}" unless actions.keys.member?(action)
 
         ################################
         ## 3. final part
         ################################
         # deny,allow
-        final_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       --log-level 4 --log-ip --log-arp --log-prefix 'D d_#{vif_map[:uuid]}_arp:'       -j CONTINUE"
-        final_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp --log-level 4 --log-ip --log-arp --log-prefix 'D s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE"
-        final_cmds << "ebtables -A d_#{vif_map[:uuid]}_arp       -j DROP"
-        final_cmds << "ebtables -A s_#{vif_map[:uuid]}_d_hst_arp -j DROP"
+        final_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_arp       --log-level 4 --log-ip --log-arp --log-prefix 'D d_#{vif_map[:uuid]}_arp:'       -j CONTINUE" if @node.manifest.config.packet_drop_log
+        final_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst_arp --log-level 4 --log-ip --log-arp --log-prefix 'D s_#{vif_map[:uuid]}_d_hst_arp:' -j CONTINUE" if @node.manifest.config.packet_drop_log
+        final_cmds << "ebtables -#{actions[action]} d_#{vif_map[:uuid]}_arp       -j DROP"
+        final_cmds << "ebtables -#{actions[action]} s_#{vif_map[:uuid]}_d_hst_arp -j DROP"
 
         final_cmds
       end
 
-      def build_iptables_basic_part(vif_map, inst_map)
-        basic_cmds = []
+      def build_iptables_chains(protocol_map, vif_map, action = :create)
+        actions = { :create => ['N'] , :delete => ['F','X'] }
+        raise ArgumentError, "#{action} is not a valid action. Valid actions are #{actions.keys.join(',')}" unless actions.keys.member?(action)
 
-        network_map = rpc.request('hva-collector', 'get_network', inst_map[:instance_nics].first[:network_id])
-        raise "UnknownNetworkId" if network_map.nil?
+        chain_cmds = []
 
         ################################
         ## 0. chain name
         ################################
 
+        [ 's', 'd' ].each do |bound|
+          protocol_map.each { |k,v|
+            actions[action].each do |act|
+              chain_cmds << "iptables -#{act} #{bound}_#{vif_map[:uuid]}"
+              chain_cmds << "iptables -#{act} #{bound}_#{vif_map[:uuid]}_#{k}"
+
+              chain_cmds << "iptables -#{act} #{bound}_#{vif_map[:uuid]}_drop"
+              chain_cmds << "iptables -#{act} #{bound}_#{vif_map[:uuid]}_#{k}_drop"
+            end
+          }
+        end
+
+        chain_cmds
+      end
+
+      def build_iptables_basic_part(vif_map, inst_map, action = :create)
+        basic_cmds = []
+
+        actions = { :create => 'A' , :delete => 'D' }
+        raise ArgumentError, "#{action} is not a valid action. Valid actions are #{actions.keys.join(',')}" unless actions.keys.member?(action)
+
+        network_map = rpc.request('hva-collector', 'get_network', inst_map[:instance_nics].first[:network_id])
+        raise "UnknownNetworkId" if network_map.nil?
+
         # support IP protocol
         protocol_map = protocol_map(:iptables)
 
         # make chain names.
-        chains = []
-        protocol_map.each { |k,v|
-          chains << "s_#{vif_map[:uuid]}_#{k}"
-          chains << "d_#{vif_map[:uuid]}_#{k}"
-        }
-        chains << "s_#{vif_map[:uuid]}"
-        chains << "d_#{vif_map[:uuid]}"
+        basic_cmds << build_iptables_chains(protocol_map, vif_map, :create) if action == :create
 
         ################################
         ## 1. basic part
@@ -589,133 +802,141 @@ module Dcmgr
 
         # metadata-server
         port = network_map[:metadata_server_port] || 80
-        [ 'A' ].each { |xcmd|
-          basic_cmds << "iptables -t nat -#{xcmd} PREROUTING -m physdev --physdev-in #{vif_map[:uuid]} -d 169.254.169.254 -p tcp --dport 80 -j DNAT --to-destination #{network_map[:metadata_server]}:#{port}"
-        }
-        # create user defined chains.
-        [ 'N' ].each { |xcmd|
-          chains.each { |chain|
-            basic_cmds << "iptables -#{xcmd} #{chain}"
-
-            # logger & drop
-            basic_cmds << "iptables -N #{chain}_drop"
-            if @node.manifest.config.packet_drop_log
-              basic_cmds << "iptables -A #{chain}_drop -j LOG --log-level 4 --log-prefix 'D #{chain}:'"
-            end
-            basic_cmds << "iptables -A #{chain}_drop -j DROP"
-          }
-        }
+        basic_cmds << "iptables -t nat -#{actions[action]} PREROUTING -m physdev --physdev-in #{vif_map[:uuid]} -d 169.254.169.254 -p tcp --dport 80 -j DNAT --to-destination #{network_map[:metadata_server]}:#{port}"
 
         # DHCP Server
-        basic_cmds << "iptables -A d_#{vif_map[:uuid]}_udp -p udp ! -s #{network_map[:dhcp_server]} --sport 67 -j d_#{vif_map[:uuid]}_udp_drop"
-        basic_cmds << "iptables -A d_#{vif_map[:uuid]}_udp -p udp ! -s #{network_map[:dhcp_server]} --sport 68 -j d_#{vif_map[:uuid]}_udp_drop"
+        basic_cmds << "iptables -#{actions[action]} d_#{vif_map[:uuid]} -p udp ! -s #{network_map[:dhcp_server]} --sport 67 -j d_#{vif_map[:uuid]}_udp_drop"
+        basic_cmds << "iptables -#{actions[action]} d_#{vif_map[:uuid]} -p udp ! -s #{network_map[:dhcp_server]} --sport 68 -j d_#{vif_map[:uuid]}_udp_drop"
 
         # group nodes
         # group node IPv4 addresses.
         ipv4s = rpc.request('hva-collector', 'get_group_instance_ipv4s', inst_map[:uuid])
         ipv4s << network_map[:ipv4_gw]
         ipv4s.uniq.reverse_each { |addr|
-          basic_cmds << "iptables -A d_#{vif_map[:uuid]} -s #{addr} -j ACCEPT"
+          basic_cmds << "iptables -#{actions[action]} d_#{vif_map[:uuid]} -s #{addr} -j ACCEPT"
         }
 
         # IP protocol routing
         [ 's', 'd' ].each do |bound|
           protocol_map.each { |k,v|
-            basic_cmds << "iptables -N #{bound}_#{vif_map[:uuid]}_#{k}"
+            #basic_cmds << "iptables -#{chain_actions[action]} #{bound}_#{vif_map[:uuid]}_#{k}"
+            # Log dropped packets
+            ["#{bound}_#{vif_map[:uuid]}", "#{bound}_#{vif_map[:uuid]}_#{k}"].each { |chain|
+              basic_cmds << "iptables -#{actions[action]} #{chain}_drop -j LOG --log-level 4 --log-prefix 'D #{chain}:'" if @node.manifest.config.packet_drop_log
+              basic_cmds << "iptables -#{actions[action]} #{chain}_drop -j DROP"
+            }
 
             case k
             when 'tcp'
               case bound
               when 's'
-                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -m state --state NEW,ESTABLISHED -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
+                basic_cmds << "iptables -#{actions[action]} #{bound}_#{vif_map[:uuid]} -m state --state NEW,ESTABLISHED -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
               when 'd'
-                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -m state --state RELATED,ESTABLISHED -p #{k} -j ACCEPT"
-                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
+                basic_cmds << "iptables -#{actions[action]} #{bound}_#{vif_map[:uuid]} -m state --state RELATED,ESTABLISHED -p #{k} -j ACCEPT"
+                basic_cmds << "iptables -#{actions[action]} #{bound}_#{vif_map[:uuid]} -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
               end
             when 'udp'
               case bound
               when 's'
-                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -m state --state NEW,ESTABLISHED -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
+                basic_cmds << "iptables -#{actions[action]} #{bound}_#{vif_map[:uuid]} -m state --state NEW,ESTABLISHED -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
               when 'd'
-                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -m state --state ESTABLISHED -p #{k} -j ACCEPT"
-                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
+                basic_cmds << "iptables -#{actions[action]} #{bound}_#{vif_map[:uuid]} -m state --state ESTABLISHED -p #{k} -j ACCEPT"
+                basic_cmds << "iptables -#{actions[action]} #{bound}_#{vif_map[:uuid]} -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
               end
             when 'icmp'
               case bound
               when 's'
-                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -m state --state NEW,ESTABLISHED,RELATED -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
+                basic_cmds << "iptables -#{actions[action]} #{bound}_#{vif_map[:uuid]} -m state --state NEW,ESTABLISHED,RELATED -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
               when 'd'
-                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -m state --state ESTABLISHED,RELATED -p #{k} -j ACCEPT"
-                basic_cmds << "iptables -A #{bound}_#{vif_map[:uuid]} -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
+                basic_cmds << "iptables -#{actions[action]} #{bound}_#{vif_map[:uuid]} -m state --state ESTABLISHED,RELATED -p #{k} -j ACCEPT"
+                basic_cmds << "iptables -#{actions[action]} #{bound}_#{vif_map[:uuid]} -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}"
               end
             end
           }
         end
 
-        basic_cmds << "iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in  #{vif_map[:uuid]} -j s_#{vif_map[:uuid]}"
-        basic_cmds << "iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out #{vif_map[:uuid]} -j d_#{vif_map[:uuid]}"
+        basic_cmds << "iptables -#{actions[action]} FORWARD -m physdev --physdev-is-bridged --physdev-in  #{vif_map[:uuid]} -j s_#{vif_map[:uuid]}"
+        basic_cmds << "iptables -#{actions[action]} FORWARD -m physdev --physdev-is-bridged --physdev-out #{vif_map[:uuid]} -j d_#{vif_map[:uuid]}"
 
         ##
         ## ACCEPT
         ##
         # DHCP Server
-        basic_cmds << "iptables -A d_#{vif_map[:uuid]}_udp -p udp -s #{network_map[:dhcp_server]} --sport 67 -j ACCEPT"
-        basic_cmds << "iptables -A d_#{vif_map[:uuid]}_udp -p udp -s #{network_map[:dhcp_server]} --sport 68 -j ACCEPT"
+        basic_cmds << "iptables -#{actions[action]} d_#{vif_map[:uuid]}_udp -p udp -s #{network_map[:dhcp_server]} --sport 67 -j ACCEPT"
+        basic_cmds << "iptables -#{actions[action]} d_#{vif_map[:uuid]}_udp -p udp -s #{network_map[:dhcp_server]} --sport 68 -j ACCEPT"
 
         # DNS Server
-        basic_cmds << "iptables -A s_#{vif_map[:uuid]}_udp -p udp -d #{network_map[:dns_server]} --dport 53 -j ACCEPT"
+        basic_cmds << "iptables -#{actions[action]} s_#{vif_map[:uuid]}_udp -p udp -d #{network_map[:dns_server]} --dport 53 -j ACCEPT"
+
+        # MetaData Server
+        basic_cmds << "iptables -#{actions[action]} s_#{vif_map[:uuid]}_tcp -p tcp -d #{network_map[:metadata_server]} --dport #{network_map[:metadata_server_port]} -j ACCEPT"
 
         ##
         ## DROP
         ##
         protocol_map.each { |k,v|
           # DHCP
-          basic_cmds << "iptables -A s_#{vif_map[:uuid]} -d #{network_map[:dhcp_server]} -p #{k} -j s_#{vif_map[:uuid]}_#{k}_drop"
+          basic_cmds << "iptables -#{actions[action]} s_#{vif_map[:uuid]} -d #{network_map[:dhcp_server]} -p #{k} -j s_#{vif_map[:uuid]}_#{k}_drop"
           # DNS
-          basic_cmds << "iptables -A s_#{vif_map[:uuid]} -d #{network_map[:dns_server]} -p #{k} -j s_#{vif_map[:uuid]}_#{k}_drop"
+          basic_cmds << "iptables -#{actions[action]} s_#{vif_map[:uuid]} -d #{network_map[:dns_server]} -p #{k} -j s_#{vif_map[:uuid]}_#{k}_drop"
         }
 
+        basic_cmds << build_iptables_chains(protocol_map, vif_map, :delete) if action == :delete
+
         basic_cmds
       end
 
-      def build_iptables_group_part(vif_map, inst_map)
+      def build_iptables_group_part(vif_map, inst_map, action = :create)
         group_cmds = []
 
         ################################
         ## 2. group part
         ################################
-        ng_maps = rpc.request('hva-collector', 'get_netfilter_groups_of_instance', inst_map[:uuid])
-        rules = ng_maps.map { |ng_map|
-          ng_map[:rules].map { |rule| rule[:permission] }
-        }.flatten
-
-        # security group
-        build_rule(rules).each do |rule|
-          case rule[:ip_protocol]
-          when 'tcp', 'udp'
-            if rule[:ip_fport] == rule[:ip_tport]
-              group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --dport #{rule[:ip_fport]} -j ACCEPT"
-            else
-              group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --dport #{rule[:ip_fport]}:#{rule[:ip_tport]} -j ACCEPT"
-            end
-          when 'icmp'
-            # icmp
-            #   This extension can be used if `--protocol icmp' is specified. It provides the following option:
-            #   [!] --icmp-type {type[/code]|typename}
-            #     This allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or one of the ICMP type names shown by the command
-            #      iptables -p icmp -h
-            if rule[:icmp_type] == -1 && rule[:icmp_code] == -1
-              group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} -j ACCEPT"
-            else
-              group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --icmp-type #{rule[:icmp_type]}/#{rule[:icmp_code]} -j ACCEPT"
+        
+        case action
+          when :delete
+            protocol_map(:iptables).each { |k,v|
+              # Fluch all security group chains
+              group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{k} -F"
+            }
+          when :create
+            ng_maps = rpc.request('hva-collector', 'get_security_groups_of_instance', inst_map[:uuid])
+            rules = ng_maps.map { |ng_map|
+              ng_map[:rules].map { |rule| rule[:permission] }
+            }.flatten
+
+            # security group
+            build_rule(rules).each do |rule|
+              case rule[:ip_protocol]
+              when 'tcp', 'udp'
+                if rule[:ip_fport] == rule[:ip_tport]
+                  group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --dport #{rule[:ip_fport]} -j ACCEPT"
+                else
+                  group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --dport #{rule[:ip_fport]}:#{rule[:ip_tport]} -j ACCEPT"
+                end
+              when 'icmp'
+                # icmp
+                #   This extension can be used if `--protocol icmp' is specified. It provides the following option:
+                #   [!] --icmp-type {type[/code]|typename}
+                #     This allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or one of the ICMP type names shown by the command
+                #      iptables -p icmp -h
+                if rule[:icmp_type] == -1 && rule[:icmp_code] == -1
+                  group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} -j ACCEPT"
+                else
+                  group_cmds << "iptables -A d_#{vif_map[:uuid]}_#{rule[:ip_protocol]} -p #{rule[:ip_protocol]} -s #{rule[:ip_source]} --icmp-type #{rule[:icmp_type]}/#{rule[:icmp_code]} -j ACCEPT"
+                end
+              end
             end
-          end
+          else
+            raise ArgumentError, "#{action} is not a valid action."
         end
-
         group_cmds
       end
 
-      def build_iptables_final_part(vif_map)
+      def build_iptables_final_part(vif_map, action = :create)
+        actions = { :create => 'A' , :delete => 'D' }
+        raise ArgumentError, "#{action} is not a valid action. Valid actions are #{actions.keys.join(',')}" unless actions.keys.member?(action)
+
         final_cmds = []
 
         # support IP protocol
@@ -725,15 +946,19 @@ module Dcmgr
         ## 3. final part
         ################################
 
-        # drop other routings
-        protocol_map.each { |k,v|
-          final_cmds << "iptables -A d_#{vif_map[:uuid]}_#{k} -p #{k} -j d_#{vif_map[:uuid]}_#{k}_drop"
-        }
-
-        # IP protocol routing
+        # Send dropped ip packets to their respective drop chains, based on their protocol
         [ 'd' ].each do |bound|
           protocol_map.each { |k,v|
-            final_cmds << "iptables -A #{bound}_#{vif_map[:uuid]}_#{k} -j #{bound}_#{vif_map[:uuid]}_#{k}_drop"
+            # Any packets that travel the protocol specific chains and don't get accepted are directed to drop chains
+            # where logging can take place before the packets are dropped by the FORWARD chain policy
+            final_cmds << "iptables -#{actions[action]} #{bound}_#{vif_map[:uuid]} -p #{k} -j #{bound}_#{vif_map[:uuid]}_#{k}_drop"
+          }
+        end
+
+        # Allow outgoing traffic from the instance
+        [ 's' ].each do |bound|
+          protocol_map.each { |k,v|
+            final_cmds << "iptables -#{actions[action]} #{bound}_#{vif_map[:uuid]}_#{k} -p #{k} -j ACCEPT"
           }
         end
 
@@ -767,8 +992,8 @@ module Dcmgr
           # ip_fport    : tcp,udp? 1 - 16bit, icmp: -1
           ip_protocol, ip_fport = from_pair.split(':')
 
-          # protocol    : [ ip4 | ip6 | #{account_id} ]
-          # ip_source   : ip4? xxx.xxx.xxx.xxx./[0-32], ip6? (not yet supprted), #{netfilter_group_id}
+          # protocol    : [ ip4 | ip6 | security_group_uuid ]
+          # ip_source   : ip4? xxx.xxx.xxx.xxx./[0-32], ip6? (not yet supprted)
           protocol, ip_source = source_pair.split(':')
 
           begin
@@ -784,9 +1009,9 @@ module Dcmgr
                 if prefix.to_i == 0
                   ip_source = ip_addr
                 end
-              when s.scan(/a-\w{8}/)
+              when s.scan(/ng-\w+/)
                 from_group = true
-                inst_maps = rpc.request('hva-collector', 'get_instances_of_account_netfilter_group', protocol, ip_source)
+                inst_maps = rpc.request('hva-collector', 'get_instances_of_security_group', protocol)
                 inst_maps.each { |inst_map|
                   ipv4s << inst_map[:ips]
                 }