The anti-IP spoofing rules, anti-MAC spoofing rules, and anti-DHCP spoofing rules can be bypassed by changing the device_owner field of a compute node's port to something that starts with 'network:'.
Steps to reproduce:
Create a port on the target network:
neutron port-create some_network
Start a repeated update of the device_owner field to immediately change it back after nova sets it to 'compute:<whatever>' on VM attachment. (This has to be done quickly because the owner has to be set to 'network:something' before the L2 agent wires up the security group rules.)
watch neutron port-update <port-uuid-from-above> --device-owner network:hello
Then boot the VM with the port UUID:
nova boot test --nic port-id=<port-uuid-from-above> --flavor m1.tiny --image cirros-0.3.4-x86_64-uec
This VM will now have no iptables rules applied, because the L2 agent treats its port as a network-owned port (e.g. a router interface or DHCP interface) rather than a compute port.
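An added audit check, not part of the original report, that scans port records for the symptom described above: a port whose device_owner starts with 'network:' but which is bound to a hypervisor or carries an owner string the deployment does not recognise. The port-record field names, the owner allowlist and the compute host list are assumptions; the sample records are constructed.

```python
# Added audit script (not from the original report): flag Neutron port records
# whose device_owner starts with 'network:' although they look like VM ports.

# Owner strings this deployment expects on real network-service ports
# (assumed allowlist; Neutron also uses HA/DVR variants not listed here).
KNOWN_NETWORK_OWNERS = {
    "network:dhcp",
    "network:router_interface",
    "network:router_gateway",
    "network:floatingip",
}


def suspicious_ports(ports, compute_hosts):
    """Return [(port_id, [reasons])] for 'network:'-owned ports that look
    like compute ports.  `ports` is a list of dicts with the fields a
    `neutron port-list`/`port-show` would return (assumed shape);
    `compute_hosts` is the set of hypervisor hostnames."""
    findings = []
    for port in ports:
        owner = port.get("device_owner", "")
        if not owner.startswith("network:"):
            continue  # ordinary compute:* ports keep their iptables rules
        reasons = []
        if owner not in KNOWN_NETWORK_OWNERS:
            reasons.append("unrecognised owner %r" % owner)
        host = port.get("binding:host_id")
        if host in compute_hosts:
            reasons.append("network-owned port bound to hypervisor %r" % host)
        if reasons:
            findings.append((port["id"], reasons))
    return findings


# Constructed sample records: a legitimate DHCP port, a normal VM port and
# a port whose owner was flipped to 'network:hello' as in the report.
SAMPLE_PORTS = [
    {"id": "p-dhcp", "device_owner": "network:dhcp",
     "binding:host_id": "net-node-1"},
    {"id": "p-vm", "device_owner": "compute:nova",
     "binding:host_id": "compute-1"},
    {"id": "p-flip", "device_owner": "network:hello",
     "binding:host_id": "compute-1"},
]
COMPUTE_HOSTS = {"compute-1", "compute-2"}

if __name__ == "__main__":
    for port_id, reasons in suspicious_ports(SAMPLE_PORTS, COMPUTE_HOSTS):
        print(port_id, "->", "; ".join(reasons))
```

Feed it the output of a real port listing and the hypervisor list from nova to find ports that have lost their security group wiring.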