Comment 9 for bug 1316271

David Hill (david-hill-ubisoft) wrote :

The full patch would look like this:

--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -1631,10 +1631,14 @@ def remove_ebtables_rules(rules, table='filter'):
 def isolate_dhcp_address(interface, address):
     # block arp traffic to address across the interface
     rules = []
+ rules.append('INPUT -p TCP -i %s --dst %s --ip-destination-port 8776 -j ALLOW'
+ % (interface, address))
     rules.append('INPUT -p ARP -i %s --arp-ip-dst %s -j DROP'
                  % (interface, address))
     rules.append('OUTPUT -p ARP -o %s --arp-ip-src %s -j DROP'
                  % (interface, address))
+ rules.append('INPUT -i %s --dst %s -j DROP'
+ % (interface, address))
     # NOTE(vish): the above is not possible with iptables/arptables
     ensure_ebtables_rules(rules)
     # block dhcp broadcast traffic across the interface
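Review bot: The two rules appended on lines 14–15 and 20–21 do not look like valid ebtables syntax, so the `ensure_ebtables_rules(rules)` call on line 23 would likely fail at runtime: in ebtables `-p` selects the Ethernet protocol (`IPv4`, `ARP`) rather than TCP, `--dst` is not an option (the IP destination match is `--ip-dst`, and a port match needs `--ip-proto tcp` first), and `ALLOW` is not a target (`ACCEPT` is). Closer forms would be `'INPUT -p IPv4 -i %s --ip-dst %s --ip-proto tcp --ip-dport 8776 -j ACCEPT'` and `'INPUT -p IPv4 -i %s --ip-dst %s -j DROP'`, to be verified against the ebtables version the deployment ships. The catch-all DROP also widens this function from isolating ARP/DHCP to blocking all IPv4 traffic to the address except the one allowed port, which the comment on line 12 should say, e.g. `# block arp and all IPv4 traffic to address across the interface, except the allowed port`. The same two rules appear in the remove_isolate_dhcp_address hunk below and need the identical correction, otherwise removal will not match what was installed. The added lines have also lost their indentation (`+ rules.append` at column 1), probably a paste artifact, but the patch will not apply as shown; isolate_dhcp_address continues past the end of this hunk.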
@@ -1663,10 +1667,14 @@ def isolate_dhcp_address(interface, address):
 def remove_isolate_dhcp_address(interface, address):
     # block arp traffic to address across the interface
     rules = []
+ rules.append('INPUT -p TCP -i %s --dst %s --ip-destination-port 8776 -j ALLOW'
+ % (interface, address))
     rules.append('INPUT -p ARP -i %s --arp-ip-dst %s -j DROP'
                  % (interface, address))
     rules.append('OUTPUT -p ARP -o %s --arp-ip-src %s -j DROP'
                  % (interface, address))
+ rules.append('INPUT -i %s --dst %s -j DROP'
+ % (interface, address))
     remove_ebtables_rules(rules)
     # NOTE(vish): the above is not possible with iptables/arptables
     # block dhcp broadcast traffic across the interface
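Review bot: remove_isolate_dhcp_address rebuilds the same four rule strings by hand on lines 29–36 instead of sharing them with isolate_dhcp_address, and removal only works while the two copies stay byte-identical — a single edit to one list leaves stale ebtables rules behind after the other runs. A small module-level helper that returns the rule list for an (interface, address) pair, called from both functions before `ensure_ebtables_rules`/`remove_ebtables_rules`, would make that invariant structural rather than a matter of discipline. The function body continues past the end of this hunk, so the dhcp-broadcast rules that follow may have the same duplication.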