This has been fixed by https://review.openstack.org/#/c/385085
I tested the described scenario and I couldn't see ICMP traffic on the port of the private machine. I reverted the mentioned patch and I'm able to see:

  [root@compute ~]# tcpdump -s0 -e -nnvvi tap59d5b819-88
  tcpdump: listening on tap59d5b819-88, link-type EN10MB (Ethernet), capture size 262144 bytes
  10:41:49.917436 fa:16:3e:55:0a:07 > fa:16:3e:e9:f2:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58955, offset 0, flags [DF], proto ICMP (1), length 84)
      192.168.134.7 > 10.0.0.9: ICMP echo request, id 34305, seq 1751, length 64
  10:41:49.917713 fa:16:3e:e9:f2:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.9, length 28
  10:41:50.917342 fa:16:3e:e9:f2:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.9, length 28
  10:41:50.917799 fa:16:3e:55:0a:07 > fa:16:3e:e9:f2:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 59088, offset 0, flags [DF], proto ICMP (1), length 84)
      192.168.134.7 > 10.0.0.9: ICMP echo request, id 34305, seq 1752, length 64
  10:41:51.917444 fa:16:3e:e9:f2:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.9, length 28
  10:41:51.918230 fa:16:3e:55:0a:07 > fa:16:3e:e9:f2:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 59106, offset 0, flags [DF], proto ICMP (1), length 84)
      192.168.134.7 > 10.0.0.9: ICMP echo request, id 34305, seq 1753, length 64

** Changed in: neutron
       Status: New => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1736739

Title:
  Machines attached to isolated network are able to reach VMs attached to other networks

Status in neutron:
  Fix Released

Bug description:
  Machines attached to isolated network are able to reach VMs attached to other networks.
  This behavior was observed using Symnet - the symbolic network analysis engine.

  Pre-conditions:
  devstack latest version (at the time of writing) + all services latest versions on Ubuntu 16.04

  Steps to reproduce:

  Contents of local.conf:

  [[local|localrc]]
  ADMIN_PASSWORD=stack
  DATABASE_PASSWORD=stack
  RABBIT_PASSWORD=stack
  RABBIT_HOST=localhost
  SERVICE_PASSWORD=$ADMIN_PASSWORD
  HOST_IP=192.168.154.23
  IP_VERSION=4
  LOGFILE=$DEST/logs/stack.sh.log
  LOGDAYS=2
  MYSQL_PASSWORD=stack
  DATABASE_TYPE=mysql

  [[post-config|$NEUTRON_CONF]]
  [DEFAULT]
  service_plugins = router,trunk

  [[post-config|/$Q_PLUGIN_CONF_FILE]]
  [securitygroup]
  firewall_driver = openvswitch

  After stack.sh finishes operation (note that devstack creates networks public and private and a router to connect them).

  source openrc admin demo
  openstack server create --network private --image cirros-0.3.5-x86_64-disk --flavor m1.nano private
  openstack network create isolated
  openstack subnet create --network isolated --subnet-range 192.168.134.0/24 isolated
  openstack server create --network isolated --image cirros-0.3.5-x86_64-disk --flavor m1.nano isolated
  openstack port list --server private   # get MAC and IP of private server
  openstack port list --server isolated  # get MAC and IP of isolated server

  Log into isolated and create an ARP entry for private machine:

  sudo ip route add 10.0.0.0/26 dev eth0 src <isolated_ip>
  arp -s <private_ip> <private_mac>
  ping <private_ip>

  Back to the devstack machine:

  sudo tcpdump -e -vv -i tap<private_port_id>  # notice the ICMP traffic originating from isolated towards private

  Expected output:
  No traffic can get from the isolated VM to the private VM.

  Actual output:
  Traffic from the isolated machine reaches the private virtual machine even though they are not connected via any router.
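Added example (not part of the bug report or of neutron): a check over `tcpdump -e` output from the private port's tap that flags frames delivered to the VM with a source IP outside its subnet and a source MAC that is not a router port, which is the symptom in the capture above. The port MAC and 10.0.0.0/26 are taken from the report; the router MAC fa:16:3e:00:00:01 and the third sample frame are constructed assumptions.

```python
import ipaddress
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d+(?:\.\d+){3}"
# One IPv4 frame as printed by `tcpdump -e`: Ethernet header, then the IP
# address pair on the same line or on the indented continuation line.
FRAME = re.compile(
    rf"(?P<smac>{MAC}) > (?P<dmac>{MAC}), ethertype IPv4 \(0x0800\)"
    rf"[^\n]*?\n?[ \t]*(?<![\d.])(?P<sip>{IP})(?:\.\d+)? > (?P<dip>{IP})(?:\.\d+)?:",
    re.I,
)


def leaked_frames(capture, port_mac, port_cidr, router_macs):
    """Return (src_mac, src_ip, dst_ip) for frames delivered to port_mac whose
    source IP is outside port_cidr and whose source MAC is not a router port."""
    net = ipaddress.ip_network(port_cidr)
    routers = {m.lower() for m in router_macs}
    hits = []
    for f in FRAME.finditer(capture):
        if f["dmac"].lower() != port_mac.lower():
            continue  # not ingress to the VM behind this tap
        if ipaddress.ip_address(f["sip"]) in net:
            continue  # same-subnet neighbour: direct L2 delivery is expected
        if f["smac"].lower() in routers:
            continue  # off-subnet source is legitimate when a router forwarded it
        hits.append((f["smac"].lower(), f["sip"], f["dip"]))
    return hits


# Frames 1 and 2 are copied from the capture in the report; frame 3 is a
# constructed routed packet arriving from the (constructed) router MAC.
SAMPLE = """\
10:41:49.917436 fa:16:3e:55:0a:07 > fa:16:3e:e9:f2:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58955, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.134.7 > 10.0.0.9: ICMP echo request, id 34305, seq 1751, length 64
10:41:49.917713 fa:16:3e:e9:f2:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.9, length 28
10:41:52.000000 fa:16:3e:00:00:01 > fa:16:3e:e9:f2:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 1, offset 0, flags [DF], proto ICMP (1), length 84)
    172.24.4.10 > 10.0.0.9: ICMP echo request, id 1, seq 1, length 64
"""

if __name__ == "__main__":
    for hit in leaked_frames(SAMPLE, "fa:16:3e:e9:f2:03", "10.0.0.0/26",
                             ["fa:16:3e:00:00:01"]):
        print("cross-network frame without a router hop:", hit)
```

An empty result on a capture taken while the reproduction steps are running is what a deployment with the fix should show.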