When you remove a security group from a port, the chains remain but appear to limit traffic to DHCP requests/responses and established connections only. All other ingress/egress traffic through the port is dropped by the neutron-*-sg-fallback chain. Same goes for ports that are created without a security group that are later applied to instances.
You might be interested in the ML2 port security feature in Kilo, which allows you to disable filtering and anti-spoofing on the port altogether.
When you remove a security group from a port, the chains remain but appear to limit traffic to DHCP requests/responses and established connections only. All other ingress/egress traffic through the port is dropped by the neutron- *-sg-fallback chain. Same goes for ports that are created without a security group that are later applied to instances.
You might be interested in the ML2 port security feature in Kilo, which allows you to disable filtering and anti-spoofing on the port altogether.
I don't know much about it, but there are some details here: specs.openstack .org/openstack/ neutron- specs/specs/ kilo/ml2- ovs-portsecurit y.html
http://
and here: blog.otherwiseg uy.com/ trying- out-the- ml2-port- security- extension/
http://