Fixing this in OSP10 would require a large number of backports since the concept of the iptables protocol map was introduced in Ocata. For that reason I am closing this as a cherry-pick isn't feasible.