Comment 15 for bug 1316271

Brian Haley (brian-haley) wrote :

I'm not working on nova-network currently, but did in a previous life, so I'll add a comment.

One of the better ways to do this is to add a rule to the libvirt xml file to drop all inbound packets to the compute host, something like this in nova/virt/libvirt/firewall.py:

+ def nova_no_my_ip_address(self):
+ # Drop all IPv4 packets going to CONF.my_ip, since the network
+ # stack will loop them back.
+ retval = "<filter name='nova-no-my-ip-address' chain='ipv4'>"
+ retval += """<rule action='drop' direction='out'>
+ <ip dstipaddr='%s' />
+ </rule>""" % CONF.my_ip
+ retval += '</filter>'
+ return retval
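Review bot: the filter is IPv4-only (chain='ipv4' with an `<ip>` rule), so a compute host that guests can also reach over IPv6 is left uncovered; a companion filter with chain='ipv6' and an `<ipv6 dstipaddr='...' />` rule, or an address-family check on the value fed in, is needed. Two smaller points: direction='out' is from the guest's side (traffic leaving the vNIC), which is what "inbound to the compute host" means here, and a one-line comment saying so would spare the next reader a trip to the nwfilter docs; and CONF.my_ip is interpolated into the XML with no validation, which is fine for a well-formed address but turns a bad config value into a failed filter definition instead of a clear error.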

Then just put some code in _ensure_static_filters() to define and append that to the existing filter set.

That's untested and based on older code; I see there is a get_host_ip_addr() method now that might be a better choice.

My $.02
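The approach sketched in the comment above, worked through as a stand-alone example that is not part of the bug report or of nova's own code: build libvirt nwfilter definitions that drop guest-originated packets addressed to the compute host, covering both IPv4 and IPv6 (the comment's snippet handles IPv4 only), validating the addresses with the standard `ipaddress` module, and parsing the result back to confirm the XML is well-formed and says what was intended. The IPv6 filter name, the `dropped_destinations` helper and the sample addresses are assumptions made for this example; the host addresses would come from CONF.my_ip or get_host_ip_addr() in real code.

```python
import ipaddress
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Filter names are assumptions: the IPv4 one reuses the name from the
# comment above, the IPv6 one is invented for this example.
FILTER_NAMES = {4: "nova-no-my-ip-address", 6: "nova-no-my-ip6-address"}
# libvirt nwfilter protocol elements per address family.
PROTO_ELEMENT = {4: "ip", 6: "ipv6"}


def build_no_host_ip_filters(host_ips):
    """Return {filter_name: nwfilter XML} that drops guest-originated
    packets whose destination is one of the compute host's addresses.

    One filter per address family, because a filter's ``chain`` attribute
    selects a single protocol chain (ipv4 or ipv6).  direction='out' is
    from the guest's point of view: traffic leaving the vNIC.
    """
    # ipaddress.ip_address raises ValueError on anything that is not an
    # address, so a bad config value fails here, not at virsh define time.
    addrs = [ipaddress.ip_address(a) for a in host_ips]
    filters = {}
    for version in (4, 6):
        family = [a for a in addrs if a.version == version]
        if not family:
            continue
        rules = "".join(
            "<rule action='drop' direction='out'>"
            "<%s dstipaddr=%s/>"
            "</rule>" % (PROTO_ELEMENT[version], quoteattr(str(a)))
            for a in family)
        filters[FILTER_NAMES[version]] = (
            "<filter name='%s' chain='ipv%d'>%s</filter>"
            % (FILTER_NAMES[version], version, rules))
    return filters


def dropped_destinations(filter_xml):
    """Parse a filter definition back and list the destinations its
    outbound drop rules cover.  Raises ET.ParseError on malformed XML,
    which is the check worth running before handing the text to libvirt.
    """
    root = ET.fromstring(filter_xml)
    covered = []
    for rule in root.findall("rule"):
        if rule.get("action") != "drop" or rule.get("direction") != "out":
            continue
        for proto in rule:
            if proto.tag in ("ip", "ipv6") and proto.get("dstipaddr"):
                covered.append(proto.get("dstipaddr"))
    return covered


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses standing in for
    # the compute host's real CONF.my_ip / get_host_ip_addr() values.
    sample_host_ips = ["192.0.2.10", "2001:db8::10"]
    for name, xml in build_no_host_ip_filters(sample_host_ips).items():
        print(name, "drops guest traffic to", dropped_destinations(xml))
        print(xml)
```

The generated text is what you would feed to `virsh nwfilter-define` (or, in nova's case, append to the static filter set it already defines); parsing it back with ElementTree before doing so catches quoting mistakes without touching libvirt.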