[openstack-dev] Hairpinning in libvirt
Ian Wells
ijw.ubuntu at cack.org.uk
Thu Jun 13 11:18:03 UTC 2013
Hey,

I'm trying to work out why hairpinning is turned on on switch VM ports
in libvirt. I thought this was for reflecting snat packets back to
the machine when (in nova-network) we need snat translations in
vif-local rules. (If it has another purpose, please tell me, but I
can't see why else you'd be doing it.)

But if so:

- I think it should be in IpTablesFirewall and not embedded directly
in the driver (where it makes assumptions about the fact that a
libvirt port is attached to a bridge, and that this is necessary at
all)
- reflecting back every single packet is just overkill if it is just
NATting packets that matter
- When you're running Quantum, SNAT is done in the L3 namespace and
not at the port level any more.

Reason I ask is that it causes some odd behaviour when you're using
ipv6 - with some VMs (not Linux, as it happens) reflecting the
neighbor discovery packet back screws up the ipv6 neighbor discovery
sequence.

Cheers,
--
Ian.
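As an added example (not part of the original mail or of nova's code): a small audit script that reads the per-port `hairpin_mode` sysfs attribute that nova's libvirt driver writes, so you can see which bridge ports actually reflect traffic back at the VM. The `/sys/class/net/<bridge>/brif/<port>/hairpin_mode` path is the kernel's real bridge attribute; the `br100`/`vnet0` names in `demo()` are constructed sample data.

```python
import os
import sys
import tempfile

SYSFS_NET = "/sys/class/net"


def hairpin_ports(sysfs_net=SYSFS_NET):
    """Return {bridge: {port: True/False}} for every bridge port found."""
    result = {}
    if not os.path.isdir(sysfs_net):
        return result
    for bridge in sorted(os.listdir(sysfs_net)):
        brif = os.path.join(sysfs_net, bridge, "brif")
        if not os.path.isdir(brif):
            continue  # plain interface, not a bridge
        ports = {}
        for port in sorted(os.listdir(brif)):
            try:
                with open(os.path.join(brif, port, "hairpin_mode")) as f:
                    ports[port] = f.read().strip() == "1"
            except OSError:
                continue  # port vanished or attribute unreadable
        result[bridge] = ports
    return result


def report(sysfs_net=SYSFS_NET):
    """Human-readable lines, one per bridge port."""
    return ["%s/%s hairpin=%s" % (b, p, "on" if on else "off")
            for b, ports in hairpin_ports(sysfs_net).items()
            for p, on in ports.items()]


def demo():
    """Run the audit against a constructed sysfs tree (no real bridges needed)."""
    root = tempfile.mkdtemp()
    # constructed layout: br100 with two VM taps, eth0 is not a bridge
    for port, value in (("vnet0", "1"), ("vnet1", "0")):
        d = os.path.join(root, "br100", "brif", port)
        os.makedirs(d)
        with open(os.path.join(d, "hairpin_mode"), "w") as f:
            f.write(value + "\n")
    os.makedirs(os.path.join(root, "eth0"))
    return hairpin_ports(root)


if __name__ == "__main__":
    for line in report(sys.argv[1] if len(sys.argv) > 1 else SYSFS_NET):
        print(line)
```

Run it on a compute node to list which VM taps have hairpinning on; a port reported `on` is one whose neighbor discovery packets will be reflected as described above.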