The core issue here is that the L2 agent trusts any devices whose owner field starts with 'network:'. This is necessary because the DHCP port and the router ports can't have DHCP spoofing and IP spoofing rules (respectively).
Here is the logic that skips 'network:' owned ports for security groups.
https://github.com/openstack/neutron/blob/d66f0e27919a29682d7c65e4f9ce1f9c7b278542/neutron/api/rpc/handlers/securitygroups_rpc.py#L83
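
As an added example (not part of the original comment and not Neutron's code), the following simplified model applies the 'network:' prefix test described above and audits a port list for ports that receive the trusted treatment without an owner the deployment expects. The port records, the `EXPECTED_OWNERS` set and the function names are assumptions made for illustration.

```python
# Added illustration; a simplified model, not Neutron code.
TRUSTED_PREFIX = "network:"  # prefix the comment above says the L2 agent trusts

# Assumption: device_owner values this deployment expects Neutron itself
# to assign (DHCP, router interface/gateway, floating IP ports).
EXPECTED_OWNERS = {
    "network:dhcp",
    "network:router_interface",
    "network:router_gateway",
    "network:floatingip",
}


def skips_security_groups(port):
    """Prefix test as described above: True means the port is trusted."""
    return (port.get("device_owner") or "").startswith(TRUSTED_PREFIX)


def audit_ports(ports, expected=EXPECTED_OWNERS):
    """Return trusted ports whose device_owner is not an expected value."""
    findings = []
    for port in ports:
        owner = port.get("device_owner") or ""
        if skips_security_groups(port) and owner not in expected:
            findings.append({
                "id": port["id"],
                "device_owner": owner,
                "project_id": port.get("project_id"),
            })
    return findings


# Constructed sample data, shaped like a subset of a port listing.
SAMPLE_PORTS = [
    {"id": "port-dhcp", "device_owner": "network:dhcp", "project_id": "svc"},
    {"id": "port-rtr", "device_owner": "network:router_interface", "project_id": "svc"},
    {"id": "port-vm", "device_owner": "compute:nova", "project_id": "tenant-a"},
    {"id": "port-odd", "device_owner": "network:custom", "project_id": "tenant-b"},
    {"id": "port-none", "device_owner": None, "project_id": "tenant-c"},
]

if __name__ == "__main__":
    for finding in audit_ports(SAMPLE_PORTS):
        print(finding)
```

Any port this reports bypasses the spoofing rules on the strength of its owner string alone, so each one is worth checking against the project that owns it.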