diff --git a/nova/tests/unit/virt/libvirt/test_vif.py b/nova/tests/unit/virt/libvirt/test_vif.py
index f8a84627b9d1..5412ddaf4a6e 100644
--- a/nova/tests/unit/virt/libvirt/test_vif.py
+++ b/nova/tests/unit/virt/libvirt/test_vif.py
@@ -406,8 +406,7 @@ class LibvirtVifTestCase(test.NoDBTestCase):
 def setUp(self):
 super(LibvirtVifTestCase, self).setUp()
 self.useFixture(fakelibvirt.FakeLibvirtFixture(stub_os_vif=False))
- self.flags(allow_same_net_traffic=True,
- firewall_driver=None)
+ self.flags(firewall_driver=None)
 # os_vif.initialize is typically done in nova-compute startup
 os_vif.initialize()
 self.setup_os_vif_objects()
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index dcc6f4a25b00..3c234a315cbc 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -156,24 +156,21 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
 if dhcp_server:
 parameters.append(format_parameter('DHCPSERVER', dhcp_server))
+ ipv4_cidr = subnet['cidr']
+ net, mask = netutils.get_net_and_mask(ipv4_cidr)
+ parameters.append(format_parameter('PROJNET', net))
+ parameters.append(format_parameter('PROJMASK', mask))
+
 for subnet in v6_subnets:
 gateway = subnet.get('gateway')
 if gateway:
 ra_server = gateway['address'] + "/128"
 parameters.append(format_parameter('RASERVER', ra_server))
- if CONF.allow_same_net_traffic:
- for subnet in v4_subnets:
- ipv4_cidr = subnet['cidr']
- net, mask = netutils.get_net_and_mask(ipv4_cidr)
- parameters.append(format_parameter('PROJNET', net))
- parameters.append(format_parameter('PROJMASK', mask))
-
- for subnet in v6_subnets:
- ipv6_cidr = subnet['cidr']
- net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr)
- parameters.append(format_parameter('PROJNET6', net))
- parameters.append(format_parameter('PROJMASK6', prefix))
+ ipv6_cidr = subnet['cidr']
+ net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr)
+ parameters.append(format_parameter('PROJNET6', net))
+ parameters.append(format_parameter('PROJMASK6', prefix))
 return parameters
diff --git a/releasenotes/notes/libvirt-ignore-allow_same_net_traffic-fd88bb2801b81561.yaml b/releasenotes/notes/libvirt-ignore-allow_same_net_traffic-fd88bb2801b81561.yaml
new file mode 100644
index 000000000000..7c1e3a15b27b
--- /dev/null
+++ b/releasenotes/notes/libvirt-ignore-allow_same_net_traffic-fd88bb2801b81561.yaml
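Review bot: The `CONF.allow_same_net_traffic` check is dropped from the NWFilterFirewall parameter builder, but nothing in this diff touches the option's definition, so if it stays registered an operator who set it to `False` expecting the nwfilter template to withhold PROJNET/PROJMASK gets neither an error nor the old behaviour; unless that is handled in a separate change, the option should be marked deprecated for removal in the same commit so that the release note's statement that the functionality "has been removed" matches what the config loader actually accepts. The now-unconditional PROJNET/PROJMASK and PROJNET6/PROJMASK6 lines also deserve a one-line comment recording the security decision, e.g. `# Always pass the subnet to the nwfilter template; same-network isolation is left to neutron port filtering or security groups.` The `for subnet in v4_subnets:` loop that `subnet` on the first added line belongs to starts before the hunk, as does the enclosing method, so the indentation of the added block cannot be confirmed from here.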
@@ -0,0 +1,26 @@
+---
+upgrade:
+ - |
+ The libvirt driver provides port filtering capability. This capability is
+ enabled when the following is true:
+
+ - The `nova.virt.libvirt.firewall.IptablesFirewallDriver` firewall driver
+ is enabled
+ - Security groups are disabled
+ - Neutron port filtering is disabled
+ - An IPTables-compatible interface is used, e.g. hybrid mode, where the
+ VIF is a tap device
+
+ When enabled, libvirt applies IPTables rules that provide MAC, IP, and
+ ARP spoofing protection.
+
+ Previously, setting the `allow_same_net_traffic` config option to `True`
+ allowed for same network traffic when using these port filters. This was
+ the default case and was the only case tested. Setting this to `False`
+ disabled same network traffic *when using the libvirt driver port filtering
+ functionality only*, however, this was neither tested nor documented.
+
+ Given that there are other better documented and better tested ways to
+ approach this, such as through use of neutron's native port filtering or
+ security groups, this functionality has been removed. Users should instead
+ rely on one of these alternatives.