port security rules only applied at port binding/creation time

Bug #1694965 reported by Eduardo Gonzalez
Affects: neutron
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Quick Overview
==============

OpenStack is already running with networks and instances created.
Port security extension is not enabled.
When enabling port_security, instances in old networks do not get DHCP.
Instances in new networks work fine.

Bug Description
===============

As suggested in bug https://bugs.launchpad.net/neutron/+bug/1694420, I decided to verify how port_security behaves regarding upgrade or reconfiguration of existing environments without port_security to port_security, as this is a blocker to enabling it by default.

During my verification/tests with source code from the master branch (Pike ATM), I found that instances do not get DHCP in old networks, while instances in new networks after enabling port_security worked fine.

In an IRC discussion, one suggestion was to disable and re-enable DHCP in old subnets. After that, DHCP worked fine and the issue was fixed.

How to reproduce
================

- Deploy OpenStack without port_security
- Create 1 network, subnet and attach to a router
    - <Optionally deploy one instance> -> Not really needed.
- Enable port_security extension in ml2_conf.ini
- Restart all neutron services.
- Create 1 instance in the old network.
- Instance does not get a DHCP lease.
- Create 1 new network, subnet, attach to router.
- Spawn new instance in new network
- Instance gets DHCP lease.

Expected behaviour
==================

Instance in old network gets a DHCP lease.

Actual Results
==============

Instance in old network does not get a DHCP lease.

Environment configuration
=========================

- CentOS 7.
- Neutron master source code. Latest commit: https://github.com/openstack/neutron/commit/0f218aae7ed666f3f13ac0560a57f1eeed45cee7
- OpenStack deployed with Kolla, all defaults.

Logs
====

Attached logs with:
 - network/ports information
 - iptables-save in qdhcp

Let me know if you need something else.
I'm available in Kolla's IRC channel as egonzalez.

Regards

Eduardo Gonzalez (egonzalez90) wrote :
Kevin Benton (kevinbenton) wrote :

I see a lot of DOWN ports in that output. All ports should be going to ACTIVE before you can expect them to work.

Are you seeing any errors in the l2 agent logs or the dhcp agent logs?

Eduardo Gonzalez (egonzalez90) wrote :

Hi Kevin,
I just checked the deployment today and it works.
Might be some race condition; at the moment of opening this bug we had some other issues caused by different services, probably due to this: https://bugs.launchpad.net/neutron/+bug/1694420.

Tried today in a fresh deploy and all ports were up and new instances get DHCP from the old network after and before enabling the port security extension.

Guess we can mark this bug as invalid.

Added new logs for history record.

Thanks
