Tested on Kilo, Juno and Liberty. This breaks creating instances in Horizon - on Liberty anyway, maybe older too.
People usually want to do this because the anti-spoofing rules drop packets that a Nova instance transmits with a source MAC or IP address other than the one allocated to it. Note: the allowed-address-pairs or port-security extension can fix that. There is also a performance drop when using the hybrid plugging strategy (veth+linuxbridge+iptables).
But Nova needs a security groups API or it will refuse to start instances. It needs to be configured to use its own or Neutron's. Here we configure it to use the Nova security groups API, but disable nova-compute (and the Neutron L2 agent - just to be sure) from applying any iptables rules.
# /etc/neutron/plugins/ml2/ml2_conf.ini
[securitygroup]
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
To stop nova-compute from creating the iptables rules, configure it to use its Noop driver:
# /etc/nova/nova.conf
[DEFAULT]
security_group_api = nova
firewall_driver = nova.virt.firewall.NoopFirewallDriver
Restart all neutron-server, neutron-openvswitch-agent, nova-api and nova-compute services.
Now Neutron creates ports with:
# neutron port-show 2a771f08-8758-43c5-b30c-71ec5a141ce0 | grep binding:vif_details
| binding:vif_details | {"port_filter": false, "ovs_hybrid_plug": false}
When using the OVS agent, that should also stop Nova from using the hybrid VIF plugging strategy, where it places a Linux Bridge in-line between the instance's tap and br-int. Instead, it should plug the VIF straight into br-int.
<interface type='bridge'>
<mac address='fa:16:3e:15:93:85'/>
<source bridge='br-int'/>
<virtualport type='openvswitch'>
<parameters interfaceid='7fda07e4-de58-44da-a71f-d137a68d6c60'/>
</virtualport>
<target dev='tap7fda07e4-de'/>
<model type='virtio'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
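Because the steps above leave nothing in the data path enforcing security groups, it is worth being able to audit a compute node for exactly this state. The following is an added example, not code from the page or from the OpenStack projects: it parses the two config fragments shown above (reproduced here as constructed strings rather than read from /etc) and the port-show row, and reports which component, if any, still applies filtering. The driver class names are the ones on the page plus Neutron's OVSHybridIptablesFirewallDriver used as the "filtering enabled" comparison; the helper names are this example's own.

```python
import configparser
import json
import re

# Constructed sample: the ml2_conf.ini settings from the page (filtering off).
ML2_CONF_NOOP = """
[ml2]
type_drivers = flat,vlan,vxlan

[securitygroup]
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
"""

# Constructed sample: the same file with Neutron enforcing security groups.
ML2_CONF_FILTERING = """
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

# Constructed sample: the nova.conf settings from the page (filtering off).
NOVA_CONF_NOOP = """
[DEFAULT]
security_group_api = nova
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""

# One row of `neutron port-show <id> | grep binding:vif_details`, as on the page.
PORT_SHOW_ROW = '| binding:vif_details | {"port_filter": false, "ovs_hybrid_plug": false}'

# Drivers that apply no rules at all.
NOOP_DRIVERS = {
    "neutron.agent.firewall.NoopFirewallDriver",
    "nova.virt.firewall.NoopFirewallDriver",
}


def _load(text):
    # interpolation=None so '%' in option values does not trip the parser
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def audit_security_groups(ml2_text, nova_text):
    """Return which component still filters instance traffic, with findings."""
    ml2 = _load(ml2_text)
    nova = _load(nova_text)

    neutron_enabled = ml2.getboolean("securitygroup", "enable_security_group", fallback=True)
    neutron_driver = ml2.get("securitygroup", "firewall_driver", fallback="")
    nova_api = nova.get("DEFAULT", "security_group_api", fallback="")
    nova_driver = nova.get("DEFAULT", "firewall_driver", fallback="")

    findings = []
    if not neutron_enabled:
        findings.append("neutron: enable_security_group = False")
    if neutron_driver in NOOP_DRIVERS:
        findings.append("neutron: firewall_driver is a Noop driver")
    if nova_driver in NOOP_DRIVERS:
        findings.append("nova: firewall_driver is a Noop driver")

    # A component filters only if it is enabled and its driver is not a Noop one.
    neutron_filters = neutron_enabled and bool(neutron_driver) and neutron_driver not in NOOP_DRIVERS
    nova_filters = bool(nova_driver) and nova_driver not in NOOP_DRIVERS

    return {
        "nova_security_group_api": nova_api,
        "neutron_filters": neutron_filters,
        "nova_filters": nova_filters,
        "any_filtering": neutron_filters or nova_filters,
        "findings": findings,
    }


def parse_vif_details(port_show_row):
    """Extract the JSON dict from a `neutron port-show` binding:vif_details row."""
    match = re.search(r"\{.*\}", port_show_row)
    if not match:
        raise ValueError("no vif_details JSON found in row")
    return json.loads(match.group(0))


def port_is_filtered(port_show_row):
    """True only when the port binding advertises port_filter = true."""
    return bool(parse_vif_details(port_show_row).get("port_filter", False))


if __name__ == "__main__":
    for label, ml2 in (("noop", ML2_CONF_NOOP), ("filtering", ML2_CONF_FILTERING)):
        result = audit_security_groups(ml2, NOVA_CONF_NOOP)
        print(label, result["any_filtering"], result["findings"])
    print("port filtered:", port_is_filtered(PORT_SHOW_ROW))
```

On a real node you would feed the script the contents of /etc/neutron/plugins/ml2/ml2_conf.ini and /etc/nova/nova.conf and the output of the port-show command; an `any_filtering` of False together with `port_filter: false` confirms the configuration described above is in effect, which is also the state a reviewer would want flagged on any node that was not meant to run that way.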
In Mitaka the anti-spoofing rules are no longer set in iptables; instead they are implemented in OVS flows.
If you want to disable the anti-spoofing rules you should set prevent_arp_spoofing = false in the Neutron ML2 configuration.