[openstack-dev] Hairpinning in libvirt

Ian Wells ijw.ubuntu at cack.org.uk
Thu Jun 13 11:18:03 UTC 2013


Hey,

I'm trying to work out why hairpinning is turned on on switch VM ports
in libvirt.  I thought this was for reflecting snat packets back to
the machine when (in nova-network) we need snat translations in
vif-local rules.  (If it has another purpose, please tell me, but I
can't see why else you'd be doing it.)

But if so:

- I think it should be in IpTablesFirewall and not embedded directly
in the driver (where it makes assumptions about the fact that a
libvirt port is attached to a bridge, and that this is necessary at
all)
- reflecting back every single packet is just overkill if it is just
NATting packets that matter
- When you're running Quantum, SNAT is done in the L3 namespace and
not at the port level any more.

Reason I ask is that it causes some odd behaviour when you're using
ipv6 - with some VMs (not Linux, as it happens) reflecting the
neighbor discovery packet back screws up the ipv6 neighbor discovery
sequence.


Cheers,
-- 
Ian.
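The reflection Ian describes is the per-port hairpin flag on the Linux bridge. As an added example (not code from the mail, nova or libvirt), here is a small shell audit that lists which ports of a bridge currently have hairpin mode on, reading the sysfs flag `/sys/class/net/<bridge>/brif/<port>/hairpin_mode`; the bridge name `br100` and port names `vnet0..2` in the sample tree are constructed.

```shell
#!/bin/sh
# Added example: audit which ports of a Linux bridge have hairpin mode enabled.
# The per-port flag lives at /sys/class/net/<bridge>/brif/<port>/hairpin_mode;
# 1 means frames are reflected back out the ingress port (the behaviour the
# mail describes), 0 means normal bridging.
# Usage: hairpin_ports <bridge> [sysfs_net_root]  -> one port name per line
hairpin_ports() {
    bridge="$1"
    root="${2:-/sys/class/net}"
    brif="$root/$bridge/brif"
    [ -d "$brif" ] || { echo "no such bridge: $bridge" >&2; return 1; }
    for f in "$brif"/*/hairpin_mode; do
        [ -e "$f" ] || continue            # bridge has no ports attached yet
        if [ "$(cat "$f")" = "1" ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Constructed sysfs tree (sample input only) so the audit can be tried offline.
make_sample_sysfs() {
    root="$1"
    for port in vnet0 vnet1 vnet2; do
        mkdir -p "$root/br100/brif/$port"
    done
    echo 1 > "$root/br100/brif/vnet0/hairpin_mode"
    echo 0 > "$root/br100/brif/vnet1/hairpin_mode"
    echo 1 > "$root/br100/brif/vnet2/hairpin_mode"
}

# To clear the flag on a real port (root required), either
#   bridge link set dev vnet0 hairpin off
# or, on hosts without iproute2's bridge(8),
#   echo 0 > /sys/class/net/br100/brif/vnet0/hairpin_mode
```

Run against a live host with `hairpin_ports br100` to see which VIFs would reflect neighbor discovery traffic back to the guest.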
