diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2
index 8eb5dbf9ab..82126a8a9f 100644
--- a/docker/base/Dockerfile.j2
+++ b/docker/base/Dockerfile.j2
@@ -326,6 +326,7 @@ COPY apt_preferences /etc/apt/preferences.d/kolla-custom
 {'name': 'mariadb', 'url': 'https://downloads.mariadb.com/MariaDB/mariadb-keyring-2019.gpg', 'type': 'gpg'},
 {'name': 'opensearch', 'url': 'https://artifacts.opensearch.org/publickeys/opensearch.pgp'},
 {'name': 'proxysql', 'url': 'https://repo.proxysql.com/ProxySQL/proxysql-2.7.x/repo_pub_key'},
+ {'name': 'proxysql-3', 'url': 'https://repo.proxysql.com/ProxySQL/proxysql-3.0.x/repo_pub_key'},
 {'name': 'treasuredata', 'url': 'https://packages.treasuredata.com/GPG-KEY-td-agent'},
 ] %}
diff --git a/docker/base/proxysql.repo b/docker/base/proxysql.repo
index 1d45963e05..ae9ca800a4 100644
--- a/docker/base/proxysql.repo
+++ b/docker/base/proxysql.repo
@@ -1,5 +1,5 @@
 [proxysql]
-name = ProxySQL
+name = ProxySQL 2.7.x
 # NOTE(mnasiadka): use 9 for both 9 and 10
 baseurl = https://repo.proxysql.com/ProxySQL/proxysql-2.7.x/almalinux/9
 gpgkey = https://repo.proxysql.com/ProxySQL/proxysql-2.7.x/repo_pub_key
diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2
index 1224a2b495..04547a5c6b 100644
--- a/docker/neutron/neutron-base/Dockerfile.j2
+++ b/docker/neutron/neutron-base/Dockerfile.j2
@@ -7,11 +7,15 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {% import "macros.j2" as macros with context %}
-{{ macros.enable_extra_repos(['docker-ce', 'openvswitch']) }}
+{{ macros.enable_extra_repos(['docker-ce', 'openvswitch', 'epel']) }}
 {{ macros.configure_user(name='neutron') }}
 {% if base_package_type == 'rpm' %}
+ # FIXME(wszumski): iptables-nft is deprecated. We need to advise users
+ # to migrate to some other firewall driver as we cannot rely on this
+ # package forever, see: https://access.redhat.com/solutions/6739041.
+ # iptables-legacy is not available from EPEL 10.
 {% set neutron_base_packages = [
 'conntrack-tools',
 'dnsmasq',
@@ -21,6 +25,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 'iproute-tc',
 'ipset',
 'iptables',
+'iptables-nft',
 'iputils',
 'keepalived',
 'net-tools',
@@ -33,9 +38,13 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 'python3-openvswitch3.5'
 ] %}
 {% else %}
+ # NOTE(wszumski): iptables-legacy lets us check and clear out legacy
+ # iptables rules due to LP#2144562. This package is installed from the
+ # EPEL repository.
 {% set neutron_base_packages = neutron_base_packages + [
 'openvswitch',
-'python3-openvswitch'
+'python3-openvswitch',
+'iptables-legacy',
 ] %}
 {% endif %}
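Review bot: `enable_extra_repos` now enables 'epel' for every neutron-base build (first hunk), yet the only package the commit takes from EPEL is `iptables-legacy`, which is added only in the `{% else %}` branch of the third hunk on this line. With EPEL enabled image-wide, any later package resolution in this image and in the images built on top of it can pick an EPEL build over the base repository's, which widens package provenance for the whole neutron family rather than for one package. If the macro can be called inside a template conditional, it would be tighter to enable epel only alongside the iptables-legacy install, and to extend the NOTE with `# EPEL is enabled only for this package.`. The `{% if base_package_type == 'rpm' %}` block and the inner conditional that the `{% else %}` closes start and end outside these hunks, so which distro tags reach the else branch is inferred, not visible.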
@@ -64,6 +73,18 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {{ macros.install_packages(neutron_base_packages | customizable("packages")) }}
+{% if base_distro_tag.startswith('9') or base_distro_tag.startswith('stream9') %}
+# NOTE(wszumski): Without this iptables-legacy is selected as default. This
+# increases the priority from 10 to 200.
+RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 200 \
+ --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft \
+ --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore \
+ --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save \
+ --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore \
+ --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save \
+ && update-alternatives --auto iptables
+{% endif %}
+
 ADD neutron-base-archive /neutron-base-source
 ADD plugins-archive /
diff --git a/docker/proxysql/proxysql-3/Dockerfile.j2 b/docker/proxysql/proxysql-3/Dockerfile.j2
new file mode 100644
index 0000000000..c58bcd444e
--- /dev/null
+++ b/docker/proxysql/proxysql-3/Dockerfile.j2
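Review bot: The RUN line registers iptables-nft at priority 200 and switches the group to auto mode, but nothing in the build confirms that the switch took effect, so an image in which the selection did not stick would still build successfully with legacy iptables active — the very condition LP#2144562 describes. Appending a check to the same RUN, e.g. `&& iptables -V | grep -q nf_tables`, turns that into a build failure instead of a silently mixed-backend neutron agent. The NOTE could also say where the priority 10 comes from (the distro's own iptables-legacy registration, presumably) so a reader knows 200 is chosen to outrank it rather than being arbitrary.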
@@ -0,0 +1,47 @@
+FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
+{% block labels %}
+LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
+{% endblock %}
+
+{% block proxysql_header %}{% endblock %}
+
+{% if base_package_type == 'rpm' %}
+COPY proxysql-3.repo /etc/yum.repos.d/proxysql-3.repo
+{% endif %}
+
+{% import "macros.j2" as macros with context %}
+
+{{ macros.enable_extra_repos(['proxysql-3']) }}
+
+{% set proxysql_packages = [
+ 'proxysql',
+] %}
+
+{% if base_package_type == 'rpm' %}
+ {% set proxysql_packages = proxysql_packages + [
+ 'python3-PyYAML',
+ ] %}
+{% elif base_package_type == 'deb' %}
+ {% set proxysql_packages = proxysql_packages + [
+ 'python3-yaml',
+ ] %}
+{% endif %}
+
+{{ macros.configure_user(name='proxysql') }}
+{{ macros.install_packages(proxysql_packages | customizable("packages")) }}
+
+COPY kolla_proxysql_config_sync kolla_extend_start /usr/local/bin/
+RUN chmod 755 /usr/local/bin/kolla_proxysql_config_sync \
+ && chmod 644 /usr/local/bin/kolla_extend_start
+
+RUN install -g proxysql -o proxysql -m 770 -d /var/lib/kolla/proxysql \
+ && touch /etc/proxysql.cnf \
+ && chown proxysql:proxysql /etc/proxysql.cnf \
+ && chmod 600 /etc/proxysql.cnf
+
+{{ macros.kolla_patch_sources() }}
+
+{% block proxysql_footer %}{% endblock %}
+{% block footer %}{% endblock %}
+
+USER proxysql
diff --git a/docker/proxysql/proxysql-3/kolla_extend_start b/docker/proxysql/proxysql-3/kolla_extend_start
new file mode 120000
index 0000000000..928d198f01
--- /dev/null
+++ b/docker/proxysql/proxysql-3/kolla_extend_start
@@ -0,0 +1 @@
+../proxysql/kolla_extend_start
\ No newline at end of file
diff --git a/docker/proxysql/proxysql-3/kolla_proxysql_config_sync b/docker/proxysql/proxysql-3/kolla_proxysql_config_sync
new file mode 120000
index 0000000000..6313088e13
--- /dev/null
+++ b/docker/proxysql/proxysql-3/kolla_proxysql_config_sync
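Review bot: Nothing in the new Dockerfile records why a second ProxySQL image exists or how it relates to docker/proxysql/proxysql/Dockerfile.j2, which this commit renames and which this file appears to mirror apart from the repository name; the rationale (2.7.x stays the default for 2025.1, 3.0.x is offered for the certificate-chain fix) lives only in the release note. A header comment after the LABEL block, such as `# NOTE: ProxySQL 3.0.x variant of the proxysql image; keep in sync with docker/proxysql/proxysql/Dockerfile.j2.`, would tell a maintainer that a fix to one file must be applied to the other. The two helper scripts are symlinks into ../proxysql, so the Dockerfile is the only part that can drift.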
@@ -0,0 +1 @@
+../proxysql/kolla_proxysql_config_sync
\ No newline at end of file
diff --git a/docker/proxysql/proxysql-3/proxysql-3.repo b/docker/proxysql/proxysql-3/proxysql-3.repo
new file mode 100644
index 0000000000..1afc71c364
--- /dev/null
+++ b/docker/proxysql/proxysql-3/proxysql-3.repo
@@ -0,0 +1,8 @@
+
+[proxysql-3]
+name = ProxySQL 3.0.x
+# NOTE(mnasiadka): use 9 for both 9 and 10
+baseurl = https://repo.proxysql.com/ProxySQL/proxysql-3.0.x/almalinux/9
+gpgkey = https://repo.proxysql.com/ProxySQL/proxysql-3.0.x/repo_pub_key
+gpgcheck = 1
+enabled = 0
diff --git a/docker/proxysql/Dockerfile.j2 b/docker/proxysql/proxysql/Dockerfile.j2
similarity index 100%
rename from docker/proxysql/Dockerfile.j2
rename to docker/proxysql/proxysql/Dockerfile.j2
diff --git a/docker/proxysql/kolla_extend_start b/docker/proxysql/proxysql/kolla_extend_start
similarity index 100%
rename from docker/proxysql/kolla_extend_start
rename to docker/proxysql/proxysql/kolla_extend_start
diff --git a/docker/proxysql/kolla_proxysql_config_sync b/docker/proxysql/proxysql/kolla_proxysql_config_sync
similarity index 100%
rename from docker/proxysql/kolla_proxysql_config_sync
rename to docker/proxysql/proxysql/kolla_proxysql_config_sync
diff --git a/kolla/template/repos-el10.yaml b/kolla/template/repos-el10.yaml
index ff1993f11f..708f623724 100644
--- a/kolla/template/repos-el10.yaml
+++ b/kolla/template/repos-el10.yaml
@@ -16,6 +16,7 @@ centos:
 openvswitch: "centos-nfv-openvswitch"
 opstools: "centos-opstools"
 proxysql: "proxysql"
+ proxysql-3: "proxysql-3"
 rabbitmq: "rabbitmq_rabbitmq-server"
 centos-aarch64:
 ceph: "centos-ceph-squid"
@@ -36,6 +37,7 @@ centos-aarch64:
 openvswitch: "centos-nfv-openvswitch"
 opstools: "centos-opstools"
 proxysql: "proxysql"
+ proxysql-3: "proxysql-3"
 rabbitmq: "rabbitmq_rabbitmq-server"
 rocky:
 ceph: "centos-ceph-squid"
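Review bot: proxysql-3.repo begins with an empty line (the first added line of its hunk) whereas docker/base/proxysql.repo, shown earlier on this page, starts directly with its section header; dnf tolerates it, but it reads as accidental and makes the two repo files needlessly different. Drop the blank so the file starts with `[proxysql-3]`. The rest of the file keeps `gpgcheck = 1` with a pinned gpgkey URL and `enabled = 0`, which matches the 2.7.x definition.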
@@ -55,6 +57,7 @@ rocky:
 openvswitch: "centos-nfv-openvswitch"
 opstools: "centos-opstools"
 proxysql: "proxysql"
+ proxysql-3: "proxysql-3"
 rabbitmq: "rabbitmq_rabbitmq-server"
 rocky-aarch64:
 ceph: "centos-ceph-squid"
@@ -75,4 +78,5 @@ rocky-aarch64:
 openvswitch: "centos-nfv-openvswitch"
 opstools: "centos-opstools"
 proxysql: "proxysql"
+ proxysql-3: "proxysql-3"
 rabbitmq: "rabbitmq_rabbitmq-server"
diff --git a/kolla/template/repos.yaml b/kolla/template/repos.yaml
index 607396edf4..437b67a138 100644
--- a/kolla/template/repos.yaml
+++ b/kolla/template/repos.yaml
@@ -16,6 +16,7 @@ centos:
 openvswitch: "centos-nfv-openvswitch"
 opstools: "centos-opstools"
 proxysql: "proxysql"
+ proxysql-3: "proxysql-3"
 rabbitmq: "rabbitmq_rabbitmq-server"
 centos-aarch64:
@@ -36,6 +37,7 @@ centos-aarch64:
 openvswitch: "centos-nfv-openvswitch"
 opstools: "centos-opstools"
 proxysql: "proxysql"
+ proxysql-3: "proxysql-3"
 rabbitmq: "rabbitmq_rabbitmq-server"
 # NOTE(mnasiadka): For RabbitMQ Debuntu suite names is following:
@@ -92,6 +94,11 @@ debian:
 suite: "./"
 component: ""
 gpg_key: "proxysql.asc"
+ proxysql-3:
+ url: "https://repo.proxysql.com/ProxySQL/proxysql-3.0.x/bookworm/"
+ suite: "./"
+ component: ""
+ gpg_key: "proxysql.asc"
 rabbitmq:
 url: "https://deb1.rabbitmq.com/rabbitmq-server/debian/bookworm"
 suite: "bookworm"
@@ -149,6 +156,11 @@ debian-aarch64:
 suite: "./"
 component: ""
 gpg_key: "proxysql.asc"
+ proxysql-3:
+ url: "https://repo.proxysql.com/ProxySQL/proxysql-3.0.x/bookworm/"
+ suite: "./"
+ component: ""
+ gpg_key: "proxysql.asc"
 rabbitmq:
 url: "https://deb1.rabbitmq.com/rabbitmq-server/debian/bookworm"
 suite: "bookworm"
@@ -175,6 +187,7 @@ rocky:
 openvswitch: "centos-nfv-openvswitch"
 opstools: "centos-opstools"
 proxysql: "proxysql"
+ proxysql-3: "proxysql-3"
 rabbitmq: "rabbitmq_rabbitmq-server"
 rocky-aarch64:
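Review bot: The debian `proxysql-3` entry reuses `gpg_key: "proxysql.asc"`, the key file that belongs to the 2.7.x repository, while the docker/base hunk on this page adds a separate `proxysql-3` download of the 3.0.x `repo_pub_key`. If both repositories are signed with the same key the extra download is dead weight; if they are not, apt will refuse the 3.0.x repository at build time, and either way the entry does not point at the key that matches its own URL. Assuming the base image stores fetched keys under their list name, the line should read `gpg_key: "proxysql-3.asc"` — confirm against macros.j2 — and the same correction applies to the debian-aarch64 entry later in this line and to the ubuntu and ubuntu-aarch64 entries in the next hunks.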
@@ -195,6 +208,7 @@ rocky-aarch64:
 openvswitch: "centos-nfv-openvswitch"
 opstools: "centos-opstools"
 proxysql: "proxysql"
+ proxysql-3: "proxysql-3"
 rabbitmq: "rabbitmq_rabbitmq-server"
 ubuntu:
@@ -249,6 +263,11 @@ ubuntu:
 suite: "./"
 component: ""
 gpg_key: "proxysql.asc"
+ proxysql-3:
+ url: "https://repo.proxysql.com/ProxySQL/proxysql-3.0.x/noble/"
+ suite: "./"
+ component: ""
+ gpg_key: "proxysql.asc"
 rabbitmq:
 url: "https://deb1.rabbitmq.com/rabbitmq-server/ubuntu/noble"
 suite: "noble"
@@ -307,6 +326,11 @@ ubuntu-aarch64:
 suite: "./"
 component: ""
 gpg_key: "proxysql.asc"
+ proxysql-3:
+ url: "https://repo.proxysql.com/ProxySQL/proxysql-3.0.x/noble/"
+ suite: "./"
+ component: ""
+ gpg_key: "proxysql.asc"
 rabbitmq:
 url: "https://deb1.rabbitmq.com/rabbitmq-server/ubuntu/noble"
 suite: "noble"
diff --git a/releasenotes/notes/add-proxysql-3-on-epoxy-f37a06b21274db26.yaml b/releasenotes/notes/add-proxysql-3-on-epoxy-f37a06b21274db26.yaml
new file mode 100644
index 0000000000..09f7093cb1
--- /dev/null
+++ b/releasenotes/notes/add-proxysql-3-on-epoxy-f37a06b21274db26.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Add ProxySQL 3.0.x image to 2025.1 release.
+ Currently ProxySQL 2.7.x, which is the default version of ProxySQL of
+ 2025.1, has a bug that `SSL handshake does not send full certificate
+ chain `__.
+ This causes database TLS verification failure when users use intermediate
+ certificate.
+ This bug was only fixed on ProxySQL 3.0.x release.
diff --git a/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml
new file mode 100644
index 0000000000..b4c5bc88a3
--- /dev/null
+++ b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml
@@ -0,0 +1,37 @@
+upgrade:
+ - |
+ On Rocky9 or CentOS Stream 9 based installations, VMs may be using legacy
+ iptables rules if you installed or upgraded before this release. You can
+ check by running ``iptables-legacy-save`` inside of the
+ ``neutron_openvswitch_agent`` container and looking for neutron rules.
+
+ After upgrading you will need to clear out the old iptables rules to
+ prevent conflicts::
+
+ iptables-legacy -P INPUT ACCEPT
+ iptables-legacy -P FORWARD ACCEPT
+ iptables-legacy -P OUTPUT ACCEPT
+ iptables-legacy -t nat -F
+ iptables-legacy -t nat -X
+ iptables-legacy -t mangle -F
+ iptables-legacy -t mangle -X
+ iptables-legacy -t raw -F
+ iptables-legacy -t raw -X
+ iptables-legacy -t filter -F
+ iptables-legacy -t filter -X
+ iptables-legacy -F
+ iptables-legacy -X
+
+ If you are updating to this release or newer, no action is required.
+
+ For more information, please see
+ `LP#2144562 `__.
+
+fixes:
+ - |
+ Fixes an issue where firewall rules were being implemented via legacy
+ iptables rules. This differed from the behaviour in previous releases,
+ where iptables-nft was used to create these as nftables rules. On upgrade,
+ this could lead to mixture of iptables and nftables rules based on whether
+ the VM was booted before or after the upgrade. For more information, please
+ see `LP#2144562 `__.