diff --git a/defaults/main.yml b/defaults/main.yml
index 0fa14094..b9a69fcf 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,10 +38,14 @@ neutron_db_plugin: /etc/neutron/plugins/ml2/ml2_conf.ini
 ## Plugins
 neutron_plugin_core: neutron.plugins.ml2.plugin.Ml2Plugin
+# Other plugins can be added to the system by simply extending the list `neutron_plugin_base`.
+# neutron_plugin_base:
+# - neutron.services.l3_router.l3_router_plugin.L3RouterPlugin
+# - neutron.services.metering.metering_plugin.MeteringPlugin
+# - neutron.services.loadbalancer.plugin.LoadBalancerPlugin
+# - neutron.services.vpn.plugin.VPNDriverPlugin
 neutron_plugin_base:
 - neutron.services.l3_router.l3_router_plugin.L3RouterPlugin
- - neutron.services.loadbalancer.plugin.LoadBalancerPlugin
- - neutron.services.vpn.plugin.VPNDriverPlugin
 - neutron.services.metering.metering_plugin.MeteringPlugin
 neutron_plugin_loaded_base: "{% for plugin in neutron_plugin_base %}{{ plugin }}{% if not loop.last %},{% endif %}{% endfor %}"
diff --git a/files/api-paste.ini b/files/api-paste.ini
index bbcd4152..780853da 100644
--- a/files/api-paste.ini
+++ b/files/api-paste.ini
@@ -9,10 +9,10 @@ noauth = request_id catch_errors extensions neutronapiapp_v2_0
 keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
 [filter:request_id]
-paste.filter_factory = neutron.openstack.common.middleware.request_id:RequestIdMiddleware.factory
+paste.filter_factory = oslo.middleware:RequestId.factory
 [filter:catch_errors]
-paste.filter_factory = neutron.openstack.common.middleware.catch_errors:CatchErrorsMiddleware.factory
+paste.filter_factory = oslo.middleware:CatchErrors.factory
 [filter:keystonecontext]
 paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
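Review bot: Dropping LoadBalancerPlugin and VPNDriverPlugin from `neutron_plugin_base` leaves the `[service_providers]` lines for `LOADBALANCER:Haproxy:...` and `VPN:openswan:...` in templates/neutron.conf.j2 (visible as context in that file's last hunk) pointing at service types no loaded plugin serves; confirm neutron-server tolerates providers for unloaded plugins, or gate those two lines on the list. The new comment block lists the same two plugins as examples without saying they are now off by default, so a reader may assume they are loaded. Suggested addition under the example list: `# LBaaS and VPNaaS are not loaded by default; if you add them here, keep the matching service_provider line in neutron.conf`.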
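Review bot: The `request_id` and `catch_errors` factories now resolve from `oslo.middleware`, which becomes a runtime dependency of the API process that nothing in this diff installs or pins; if the role's package requirements live elsewhere, confirm `oslo.middleware` is present, because a missing factory makes paste fail at startup before the pipeline is built. The `noauth` pipeline shown in the hunk header is untouched and is only selected by `auth_strategy`, which the neutron.conf.j2 hunk keeps at `keystone`. A one-line comment above `[filter:request_id]` would record the move: `# request_id/catch_errors moved from neutron.openstack.common to oslo.middleware (package must be installed on API nodes)`.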
@@ -27,4 +27,4 @@ paste.filter_factory = neutron.api.extensions:plugin_aware_extension_middleware_
 paste.app_factory = neutron.api.versions:Versions.factory
 [app:neutronapiapp_v2_0]
-paste.app_factory = neutron.api.v2.router:APIRouter.factory
+paste.app_factory = neutron.api.v2.router:APIRouter.factory
\ No newline at end of file
diff --git a/files/policy.json b/files/policy.json
index e7db4357..ae46bc2c 100644
--- a/files/policy.json
+++ b/files/policy.json
@@ -1,11 +1,14 @@
 {
 "context_is_admin": "role:admin",
 "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
+ "context_is_advsvc": "role:advsvc",
 "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
 "admin_only": "rule:context_is_admin",
 "regular_user": "",
 "shared": "field:networks:shared=True",
 "shared_firewalls": "field:firewalls:shared=True",
+ "shared_firewall_policies": "field:firewall_policies:shared=True",
+ "shared_subnetpools": "field:subnetpools:shared=True",
 "external": "field:networks:router:external=True",
 "default": "rule:admin_or_owner",
@@ -14,8 +17,14 @@
 "update_subnet": "rule:admin_or_network_owner",
 "delete_subnet": "rule:admin_or_network_owner",
+ "create_subnetpool": "",
+ "create_subnetpool:shared": "rule:admin_only",
+ "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
+ "update_subnetpool": "rule:admin_or_owner",
+ "delete_subnetpool": "rule:admin_or_owner",
+
 "create_network": "",
- "get_network": "rule:admin_or_owner or rule:shared or rule:external",
+ "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
 "get_network:router:external": "rule:regular_user",
 "get_network:segments": "rule:admin_only",
 "get_network:provider:network_type": "rule:admin_only",
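Review bot: The new `"context_is_advsvc": "role:advsvc"` rule is or'ed into `get_network` in the next hunk and into every `create_port`, `get_port`, `update_port` and `delete_port` rule in the hunk after that, so any principal holding the `advsvc` role can read and modify ports in every tenant, including `mac_address` and `fixed_ips`. policy.json cannot carry comments, so this cross-tenant grant should be recorded where a deployer will see it (the role's README or next to the policy file variables in defaults/main.yml): which service accounts are meant to receive `advsvc`, and that it must never be assigned to ordinary users. It would also help to have the new `update_port:mac_address` rule in the port hunk called out there, since it is the one entry without a `-` counterpart.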
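Review bot: `create_subnetpool:shared` is restricted to `rule:admin_only`, but `update_subnetpool` carries only the coarse `rule:admin_or_owner` and no `update_subnetpool:shared` counterpart, so if the API accepts `shared` on update an owner could flip a pool to shared after creation; the firewall entries in this file follow the same create-only pattern, so this may be inherited as-is, but it is worth checking. If the attribute is updatable, add `"update_subnetpool:shared": "rule:admin_only",` directly under the update rule. The added blank `+` line before `create_network` is fine but note `create_subnetpool` is `""`, i.e. open to any authenticated user, matching `create_network`.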
@@ -38,25 +47,26 @@
 "delete_network": "rule:admin_or_owner",
 "create_port": "",
- "create_port:mac_address": "rule:admin_or_network_owner",
- "create_port:fixed_ips": "rule:admin_or_network_owner",
- "create_port:port_security_enabled": "rule:admin_or_network_owner",
+ "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
 "create_port:binding:host_id": "rule:admin_only",
 "create_port:binding:profile": "rule:admin_only",
- "create_port:mac_learning_enabled": "rule:admin_or_network_owner",
- "get_port": "rule:admin_or_owner",
+ "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
 "get_port:queue_id": "rule:admin_only",
 "get_port:binding:vif_type": "rule:admin_only",
 "get_port:binding:vif_details": "rule:admin_only",
 "get_port:binding:host_id": "rule:admin_only",
 "get_port:binding:profile": "rule:admin_only",
- "update_port": "rule:admin_or_owner",
- "update_port:fixed_ips": "rule:admin_or_network_owner",
- "update_port:port_security_enabled": "rule:admin_or_network_owner",
+ "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
+ "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
+ "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
 "update_port:binding:host_id": "rule:admin_only",
 "update_port:binding:profile": "rule:admin_only",
- "update_port:mac_learning_enabled": "rule:admin_or_network_owner",
- "delete_port": "rule:admin_or_owner",
+ "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
"get_router:ha": "rule:admin_only", "create_router": "rule:regular_user", @@ -73,6 +83,9 @@ "add_router_interface": "rule:admin_or_owner", "remove_router_interface": "rule:admin_or_owner", + "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only", + "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only", + "create_firewall": "", "get_firewall": "rule:admin_or_owner", "create_firewall:shared": "rule:admin_only", @@ -82,7 +95,7 @@ "delete_firewall": "rule:admin_or_owner", "create_firewall_policy": "", - "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls", + "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies", "create_firewall_policy:shared": "rule:admin_or_owner", "update_firewall_policy": "rule:admin_or_owner", "delete_firewall_policy": "rule:admin_or_owner", @@ -109,8 +122,11 @@ "get_l3-agents": "rule:admin_only", "get_loadbalancer-agent": "rule:admin_only", "get_loadbalancer-pools": "rule:admin_only", + "get_agent-loadbalancers": "rule:admin_only", + "get_loadbalancer-hosting-agent": "rule:admin_only", "create_floatingip": "rule:regular_user", + "create_floatingip:floating_ip_address": "rule:admin_only", "update_floatingip": "rule:admin_or_owner", "delete_floatingip": "rule:admin_or_owner", "get_floatingip": "rule:admin_or_owner", diff --git a/files/rootwrap.d/dhcp.filters b/files/rootwrap.d/dhcp.filters index 26c2ffa8..20d28001 100644 --- a/files/rootwrap.d/dhcp.filters +++ b/files/rootwrap.d/dhcp.filters @@ -9,7 +9,7 @@ [Filters] # dhcp-agent -dnsmasq: EnvFilter, dnsmasq, root, NEUTRON_NETWORK_ID= +dnsmasq: CommandFilter, dnsmasq, root # dhcp-agent uses kill as well, that's handled by the generic KillFilter # it looks like these are the only signals needed, per # neutron/agent/linux/dhcp.py 
@@ -23,16 +23,14 @@ dhcp_release: CommandFilter, dhcp_release, root
 # metadata proxy
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
-metadata_proxy_quantum: CommandFilter, quantum-ns-metadata-proxy, root
 # If installed from source (say, by devstack), the prefix will be
 # /usr/local instead of /usr/bin.
 metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
-metadata_proxy_local_quantum: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
 kill_metadata: KillFilter, root, python, -9
 kill_metadata7: KillFilter, root, python2.7, -9
-kill_metadata6: KillFilter, root, python2.6, -9
 # ip_lib
 ip: IpFilter, ip, root
+find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
 ip_exec: IpNetnsExecFilter, ip, root
diff --git a/files/rootwrap.d/l3.filters b/files/rootwrap.d/l3.filters
index 9a303182..27c78742 100644
--- a/files/rootwrap.d/l3.filters
+++ b/files/rootwrap.d/l3.filters
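Review bot: The new `find` RegExpFilter pins every argument except the last, whose pattern `%.*` accepts any `-printf` format string; `find -printf` only formats output, so the exposure is limited to listing names under `/sys/class/net` as root, but RegExpFilter lines are easy to misread as allow-anything and deserve a note. Suggested comment above it: `# interface listing for ip_lib; only the -printf format argument is free-form, all other args are fixed`. The identical line is added to files/rootwrap.d/l3.filters in the next hunk and should get the same comment. The removal of the quantum-era proxy names and the python2.6 kill filter in this hunk is plain cleanup.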
@@ -18,22 +18,23 @@ radvd: CommandFilter, radvd, root
 # metadata proxy
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
-metadata_proxy_quantum: CommandFilter, quantum-ns-metadata-proxy, root
 # If installed from source (say, by devstack), the prefix will be
 # /usr/local instead of /usr/bin.
 metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
-metadata_proxy_local_quantum: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
 kill_metadata: KillFilter, root, python, -9
 kill_metadata7: KillFilter, root, python2.7, -9
-kill_metadata6: KillFilter, root, python2.6, -9
 kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -9, -HUP
 kill_radvd: KillFilter, root, /sbin/radvd, -9, -HUP
 # ip_lib
 ip: IpFilter, ip, root
+find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
 ip_exec: IpNetnsExecFilter, ip, root
+# For ip monitor
+kill_ip_monitor: KillFilter, root, ip, -9
+
 # ovs_lib (if OVSInterfaceDriver is used)
 ovs-vsctl: CommandFilter, ovs-vsctl, root
@@ -49,3 +50,6 @@ kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
 # l3 agent to delete floatingip's conntrack state
 conntrack: CommandFilter, conntrack, root
+
+ # keepalived state change monitor
+keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
diff --git a/templates/neutron.conf.j2 b/templates/neutron.conf.j2
index 4ec732fb..f7cfceb5 100644
--- a/templates/neutron.conf.j2
+++ b/templates/neutron.conf.j2
@@ -12,7 +12,6 @@ use_syslog = False
 log_file = /var/log/neutron/neutron.log
 auth_strategy = keystone
-lock_path = /var/lock/neutron
 network_device_mtu = {{ neutron_network_device_mtu }}
 allow_overlapping_ips = True
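Review bot: `kill_ip_monitor: KillFilter, root, ip, -9` names its target by bare name rather than an absolute path; if I read KillFilter correctly, a relative name is compared against the basename of the target's executable, so the agent is allowed to SIGKILL any process whose binary is called `ip`, not only the `ip monitor` children it spawned. That is probably acceptable on an agent host and is consistent with the bare `python` used by the `kill_metadata` entries above, but the new `# For ip monitor` comment should say so: `# For ip monitor (matches any process whose executable basename is "ip")`. The `find` RegExpFilter added here is the same line as in dhcp.filters and the comment suggested there applies.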
@@ -62,13 +61,6 @@ dhcp_delete_namespaces = True
 dhcp_lease_duration = 86400
-## RabbitMQ
-rabbit_port = {{ rabbitmq_port }}
-rabbit_userid = {{ rabbitmq_userid }}
-rabbit_password = {{ rabbitmq_password }}
-rabbit_hosts = {{ rabbitmq_servers }}
-
-
 ## Notifications
 notify_nova_on_port_status_changes = True
 notify_nova_on_port_data_changes = True
@@ -119,6 +111,17 @@ check_revocations_for_cached = False
 connection = mysql://{{ neutron_galera_user }}:{{ neutron_container_mysql_password }}@{{ galera_address }}/{{ neutron_galera_database }}?charset=utf8
+[oslo_messaging_rabbit]
+rabbit_port = {{ rabbitmq_port }}
+rabbit_userid = {{ rabbitmq_userid }}
+rabbit_password = {{ rabbitmq_password }}
+rabbit_hosts = {{ rabbitmq_servers }}
+
+ [oslo_concurrency]
+lock_path = /var/lock/neutron
+
+
 [service_providers]
 service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
 service_provider = VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
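Review bot: The broker credentials are re-homed under `[oslo_messaging_rabbit]` with `rabbit_password = {{ rabbitmq_password }}` but no transport-security option, so unless TLS is configured elsewhere the password travels in clear text to every host in `rabbit_hosts`; if the broker offers TLS, `rabbit_use_ssl = True` belongs next to these lines, and in any case the rendered file's mode (not visible here) should be restricted to the neutron user. Moving these keys and `lock_path` out of `[DEFAULT]` (the two deletion hunks above) also assumes the deployed neutron reads the `[oslo_messaging_rabbit]` and `[oslo_concurrency]` sections; an older build may ignore them and fall back to library defaults. A short template comment would make the requirement explicit, e.g. `{# broker and lock settings live in the oslo sections; the pre-oslo [DEFAULT] keys are no longer rendered #}`.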