diff --git a/etc/neutron/rootwrap.d/ofagent.filters b/etc/neutron/rootwrap.d/ofagent.filters
new file mode 100644
index 00000000000..11e42564831
--- /dev/null
+++ b/etc/neutron/rootwrap.d/ofagent.filters
@@ -0,0 +1,16 @@
+# neutron-rootwrap command filters for nodes on which
+# neutron-ofagent-agent is expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# ovs_lib
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/setup.cfg b/setup.cfg
index a021a4ee030..321aeb5cf94 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -43,6 +43,7 @@ data_files =
         etc/neutron/rootwrap.d/lbaas-haproxy.filters
         etc/neutron/rootwrap.d/linuxbridge-plugin.filters
         etc/neutron/rootwrap.d/nec-plugin.filters
+        etc/neutron/rootwrap.d/ofagent.filters
         etc/neutron/rootwrap.d/openvswitch-plugin.filters
         etc/neutron/rootwrap.d/ryu-plugin.filters
         etc/neutron/rootwrap.d/vpnaas.filters