Comment 12 for bug 1316271

David Hill (david-hill-ubisoft) wrote :

This one needs to be tested:

--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -76,6 +76,28 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
                   </filter>'''

     @staticmethod
+ def nova_dhcp_isolate_filter():
+ """This filter will disallow all traffic toward the gateway of the guests.
+ """
+
+ return '''<filter name='nova-isolate-dhcp-server' chain='ipv4'>
+ <uuid>891e4787-e5c0-d59b-cda6-41bc3c6b36fc</uuid>
+ <rule action='allow' direction='in'
+ priority='100'>
+ <tcp dstipaddr='$DHCPSERVER'
+ dstportstart='8776'/>
+ </rule>
+ <rule action='drop' direction='in'
+ priority='100'>
+ <tcp dstipaddr='$DHCPSERVER' />
+ </rule>
+ <rule action='drop' direction='in'
+ priority='100'>
+ <udp dstipaddr='$DHCPSERVER' />
+ </rule>
+ </filter>'''
+
+ @staticmethod
     def nova_dhcp_filter():
         """The standard allow-dhcp-server filter is an <ip> one, so it uses
            ebtables to allow traffic through. Without a corresponding rule in
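Review bot: `action='allow'` on the first rule of `nova_dhcp_isolate_filter` is not a libvirt nwfilter action — the schema accepts `drop`, `reject`, `accept`, `return` and `continue` — so libvirt will refuse to define the whole filter; it should read `action='accept'`. All three rules use `direction='in'`, which in nwfilter means traffic arriving at the guest, while the docstring says the filter blocks traffic *toward* the gateway (guest-originated), so they should be `direction='out'` with `dstipaddr='$DHCPSERVER'`, and the accept rule should carry a numerically lower priority than the two drops so its evaluation order does not depend on same-priority ordering. The `<uuid>` must be unique per filter; if it was copied from `nova_dhcp_filter` (whose body lies outside this hunk), libvirt will reject a second filter with the same UUID under a different name, so generate a fresh one. Port 8776 is the default cinder-api port rather than the nova metadata port (8775) — confirm which service this exception is meant to admit, since a wrong exception either leaves the isolation hole open or breaks metadata access. Defining the filter (the second hunk) does not by itself attach `nova-isolate-dhcp-server` to any instance's filter chain; that wiring is not in this patch.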
@@ -221,6 +243,7 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
         self._define_filter(self._filter_container('nova-vpn',
                                                    ['allow-dhcp-server']))
         self._define_filter(self.nova_dhcp_filter)
+ self._define_filter(self.nova_dhcp_isolate_filter)

         self.static_filters_configured = True