Neutron/ML2PortSecurityExtensionDriver

Neutron ML2 Extension Driver
ML2 Extension Driver manages extended attributes on the neutron core resources implemented by the ML2 plugin: network, subnet and port.

Port Security Extension Driver
Neutron's security groups always apply anti-spoofing rules to a VM's port. Traffic may originate at or terminate at the VM as expected, but traffic cannot pass through the VM, because packets with a source address that does not belong to the port are dropped. Some VMs must forward traffic (for example, a VM acting as a router), and for them this filtering has to be switched off. The port security extension adds a flag that makes it possible to enable or disable this packet filtering per network and per port.

Port Security Extension setup
The /etc/neutron/plugins/ml2/ml2_conf.ini file needs to be modified so that the port security extension driver is loaded; in the [ml2] section set:

extension_drivers = port_security

By default a network is created with port_security_enabled=True, so every network is secure by default.

localadmin@GG26devstack:~/devstack$ neutron net-show net1
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 725ebfa1-c3c3-43fa-b8c2-cac99f1f88fb |
| mtu                       | 0                                    |
| name                      | net1                                 |
| port_security_enabled     | True                                 |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 1001                                 |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 1d58d120-4990-41d8-b1f2-2354df54328a |
| tenant_id                 | ba328cf9aa72429aad0535ec4adcd882     |
| vlan_transparent          | False                                |
+---------------------------+--------------------------------------+

When a port is created it picks up the port_security_enabled flag of the network it belongs to.

When a particular VM needs port security disabled, update the port the VM is attached to:

neutron port-update c080dbeb-491e-46e2-ab7e-192e7627d050 --port-security-enabled=False

Or the equivalent command using the openstack CLI:

openstack port set --disable-port-security c080dbeb-491e-46e2-ab7e-192e7627d050

This VM will now be able to route traffic through it.
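The workflow above (driver loaded in ml2_conf.ini, network default inherited by new ports, flag overridden per port) as a small audit model. This is an added example, not Neutron code: the config text and the network/port records are constructed, and the names port_security_driver_loaded, create_port, update_port and unfiltered_ports are assumptions. Neutron refuses to disable port security while security groups remain on the port, so update_port enforces that too.

```python
"""Audit helpers for the ML2 port_security extension (added example, not Neutron code)."""
import configparser

# Constructed sample of the [ml2] section; extension_drivers is comma-separated.
ML2_CONF = """
[ml2]
type_drivers = flat,vlan,vxlan
extension_drivers = port_security
"""


def port_security_driver_loaded(conf_text):
    """True if 'port_security' is listed in [ml2] extension_drivers."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    drivers = cp.get("ml2", "extension_drivers", fallback="")
    return "port_security" in [d.strip() for d in drivers.split(",") if d.strip()]


def create_port(port_id, network, security_groups=(), port_security_enabled=None):
    """New port: copies the network's flag unless one is given explicitly."""
    flag = network.get("port_security_enabled", True)  # networks default to True
    if port_security_enabled is not None:
        flag = port_security_enabled
    return {"id": port_id, "network_id": network["id"],
            "security_groups": list(security_groups),
            "port_security_enabled": flag}


def update_port(port, port_security_enabled):
    """Equivalent of 'port set --disable-port-security' / --enable-port-security.
    Disabling is refused while security groups are still attached to the port."""
    if not port_security_enabled and port["security_groups"]:
        raise ValueError("remove security groups before disabling port security")
    port["port_security_enabled"] = port_security_enabled
    return port


def unfiltered_ports(ports):
    """IDs of ports without anti-spoof filtering: these VMs can forward traffic."""
    return sorted(p["id"] for p in ports if not p["port_security_enabled"])


# Constructed records mirroring the page's net1 and the router VM's port.
NET1 = {"id": "725ebfa1-c3c3-43fa-b8c2-cac99f1f88fb", "name": "net1",
        "port_security_enabled": True}
ROUTER_PORT = create_port("c080dbeb-491e-46e2-ab7e-192e7627d050", NET1)
WEB_PORT = create_port("web-port", NET1, security_groups=["default"])

if __name__ == "__main__":
    print("driver loaded:", port_security_driver_loaded(ML2_CONF))
    update_port(ROUTER_PORT, False)
    print("ports without anti-spoof filtering:", unfiltered_ports([ROUTER_PORT, WEB_PORT]))
```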