Comment 39 for bug 1558658

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/kilo)

Reviewed: https://review.openstack.org/303617
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b0f6984de3985b80c728dd282fe6148b28f01fe4
Submitter: Jenkins
Branch: stable/kilo

commit b0f6984de3985b80c728dd282fe6148b28f01fe4
Author: Dustin Lundquist <email address hidden>
Date: Thu Mar 31 12:04:31 2016 -0700

    Iptables firewall prevent IP spoofed DHCP requests

    The DHCP rules in the fixed iptables firewall rules were too permissive.
    They permitted any UDP traffic with a source port of 68 and destination
    port of 67. Care must be taken since these rules return before the IP
    spoofing prevention rules. This patch splits the fixed DHCP rules into
    two, one for the discovery and request messages which take place before
    the instance has bound an IP address and a second to permit DHCP
    renewals.

    Conflicts:
     neutron/agent/linux/iptables_firewall.py
     neutron/tests/functional/agent/test_firewall.py
     neutron/tests/unit/agent/linux/test_iptables_firewall.py
     neutron/tests/unit/agent/test_securitygroups_rpc.py

    Change-Id: Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5
    Partial-Bug: #1558658
    (cherry picked from commit 6a93ee8ac1a901c255e3475a24f1afc11d8bf80f)
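
The rule-ordering problem described in the commit message, as an added example. This is a simplified first-match model, not neutron's code or its actual iptables rules. The addresses, the `Packet` type, the chain names and the choice to express "before the instance has bound an IP address" as 0.0.0.0 to 255.255.255.255 are assumptions made for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")

FIXED_IP = "10.0.0.5"  # constructed: the only address this port may use

def dhcp_client_ports(p):
    # The original, permissive match: any UDP 68 -> 67.
    return p.proto == "udp" and p.sport == 68 and p.dport == 67

def dhcp_before_bind(p):
    # Assumed form of the discovery/request rule: no address bound yet.
    return (dhcp_client_ports(p) and p.src == "0.0.0.0"
            and p.dst == "255.255.255.255")

def spoofed_source(p):
    return p.src != FIXED_IP

# (match, verdict) pairs; the first matching rule decides, as in an iptables chain.
BEFORE_FIX = [(dhcp_client_ports, "RETURN"), (spoofed_source, "DROP")]
AFTER_FIX = [(dhcp_before_bind, "RETURN"), (spoofed_source, "DROP"),
             (dhcp_client_ports, "RETURN")]

def evaluate(chain, packet):
    for match, verdict in chain:
        if match(packet):
            return verdict
    return "CONTINUE"  # falls through to the rest of the port's rules

# Constructed sample packets.
SAMPLES = {
    "discover": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "renewal": Packet(FIXED_IP, "10.0.0.2", "udp", 68, 67),
    "spoofed": Packet("192.0.2.7", "198.51.100.1", "udp", 68, 67),
    "web": Packet(FIXED_IP, "198.51.100.1", "tcp", 40000, 443),
}

def compare():
    # Verdict for each sample under the old and the split rule ordering.
    return {name: (evaluate(BEFORE_FIX, p), evaluate(AFTER_FIX, p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:9} before={old:8} after={new}")
```

Only the packet with a source address other than the fixed IP changes verdict between the two orderings. Discovery and renewal traffic is still returned in both.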