Well, I've looked around and I must agree, it does not have an easy solution. Maybe adding logic to dnsmasq... But otherwise iptables seems to be the single option.
But I have a concern: should we apply them on the compute host? I think it should be limited only to outgoing traffic from neutron-dhcp-agent. Reason: any additional iptables rules on compute will slow down neutron near the 'fast path' with tenant traffic.
As far as I understand the fix, it is applied to tenant ports, not to dhcp-agent ports.