when restart the vpn and l3 agent, the firewall rule apply to all tenants' router.

Hi all:
   when restart the vpn and l3 agent, the firewall rule apply to all tenants' router.
   step:
   1. Create network and router in A and B tenant.
   2. Create a firewall in A tenant.
   3. Restart vpn and l3 agent serivce.
   4. ip netns exec qrouter-B_router_uuid iptables -L -t filter -vn

Then I find the firewall rule in chain neutron-l3-agent-FORWARD and neutron-vpn-agen-FORWARD.

So I debug the code,and add some code in neutron/services/firewall/agents/l3reference/firewall_l3_agent.py :

     def _process_router_add(self, ri):
        """On router add, get fw with rules from plugin and update driver."""
        LOG.debug(_("Process router add, router_id: '%s'"), ri.router['id'])
        routers = []
        routers.append(ri.router)
        router_info_list = self._get_router_info_list_for_tenant(
            routers,
            ri.router['tenant_id'])
        if router_info_list:
            # Get the firewall with rules
            # for the tenant the router is on.
            ctx = context.Context('', ri.router['tenant_id'])
            fw_list = self.fwplugin_rpc.get_firewalls_for_tenant(ctx)
            LOG.debug(_("Process router add, fw_list: '%s'"),
                      [fw['id'] for fw in fw_list])
            for fw in fw_list:
+++++++++++++++++if fw['tenant_id'] == ri.router['tenant_id']:
                       self._invoke_driver_for_sync_from_plugin(
                        ctx,
                        router_info_list,
                         fw)

My neutron version is icehouse.