There is abandoned blueprint to implement security groups via OVS: https://review.openstack.org/#/c/89712/
OVS supports ARP filtering. It is rather elegant, because it accepts nw_src/nw_dst (IPs) for arp rules and check them against ARP payload (TPA/SPA).
Etables brings more dependencies on neutron ovs agent. May be sticking to OVS only is better idea?
There is abandoned blueprint to implement security groups via OVS: https:/ /review. openstack. org/#/c/ 89712/
OVS supports ARP filtering. It is rather elegant, because it accepts nw_src/nw_dst (IPs) for arp rules and check them against ARP payload (TPA/SPA).
Etables brings more dependencies on neutron ovs agent. May be sticking to OVS only is better idea?