DHCP responses coming from instances are prohibited and dropped, but there is no mention about that in the official documentation. Users planning to use netbooting need to be informed, since netbooting relies on DHCP.
Here are 2 citations from the web explaining that.
"Rule 3 will prevent a VM from acting as a DHCP server since it will drop any packets coming from UDP source port 67 going to UDP port 68 (usually a response to a DHCP request)" from https://developer.rackspace.com/blog/software-defined-networks-in-the-havana-release-of-openstack-part-2/
"The security groups implementation automatically adds iptables rules to prevent instances running DHCP servers on a Quantum network." from https://ask.openstack.org/en/question/6967/how-to-allow-vm-to-manage-dhcp-itself/?answer=28135#post-id-28135
The code implementing that is in /usr/lib/python2.6/site-packages/neutron/agent/linux/iptables_firewall.py
Look for
def _drop_dhcp_rule(self):
#Note(nati) Drop dhcp packet from VM
return ['-p udp -m udp --sport 67 --dport 68 -j DROP']
One could say that it is a feature of the security groups, since _drop_dhcp_rule is called by _add_rule_by_security_group.
One could also say that prohibiting "Bring your own DHCP server" is a more high level design detail.
This should be added to an appropriate point in the networking guide