cookbook-openstack-network/files/default/etc/quantum/rootwrap.d/openvswitch-plugin.filters

# quantum-rootwrap command filters for nodes on which quantum is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user

# format seems to be
# cmd-name: filter-name, raw-command, user, args

[Filters]

# openvswitch-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
ovs-ofctl: CommandFilter, /bin/ovs-ofctl, root
ovs-ofctl_usr: CommandFilter, /usr/bin/ovs-ofctl, root
ovs-ofctl_sbin: CommandFilter, /sbin/ovs-ofctl, root
ovs-ofctl_sbin_usr: CommandFilter, /usr/sbin/ovs-ofctl, root
xe: CommandFilter, /sbin/xe, root
xe_usr: CommandFilter, /usr/sbin/xe, root

# ip_lib
ip: IpFilter, /sbin/ip, root
ip_usr: IpFilter, /usr/sbin/ip, root
ip_exec: IpNetnsExecFilter, /sbin/ip, root
ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root