Comment 2 for bug 1053819

dan wendlandt (danwent) wrote :

So there are two high-level approaches to this.

1) try to patch nova security groups to handle overlapping IPs.
2) just focus on finishing the existing design of security groups within quantum, which implicitly will handle overlapping IPs.

Some quick thoughts based on how we might perform #1 in a non-invasive way:
- add an ensure namespace method to linux-net
- add a delete namespace method to linux-net
- for LibvirtHybridOVSBridgeDriver in nova/virt/libvirt/vif.py, plug() creates the bridge and bridge-side veth device and places them into an instance-specific (or vif-specific) namespace. We could do something similar for the BridgeDriver to support the Linux Bridge plugin.
- modify nova/virt/firewall.py, and create a NamespaceIPtablesFirewallDriver. This driver would be a "meta driver", creating a separate instance of the normal IPtablesFirewallDriver for each namespace.
- when an instance is destroyed, destroy the instance of IPtablesFirewallDriver for that instance/vif.
- when a vif is unplugged(), destroy the corresponding namespace.
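The layout sketched in the comment above (ensure/delete namespace helpers, one iptables driver instance per namespace, teardown on destroy), written out as an added illustration. This is not nova code and not code from the commenter: the class names `IptablesFirewallDriver` and `NamespaceIptablesFirewallDriver`, the `ensure_namespace`/`delete_namespace` helpers, the chain naming and the rule shapes are assumptions made for the example, and commands are recorded instead of executed so the generated rule set can be inspected offline. The point it shows is why the meta driver helps: with a single flat driver, two instances that share the fixed IP 10.0.0.5 (constructed values) produce FORWARD rules that match the same destination, whereas with one driver per namespace each instance's rules live in their own table.

```python
from typing import Dict, List, Optional, Tuple

# Stand-in for a command runner (nova's real one executes processes);
# here every command is recorded so the example runs offline.
class CommandRecorder:
    def __init__(self) -> None:
        self.commands: List[List[str]] = []

    def __call__(self, *cmd: str) -> None:
        self.commands.append(list(cmd))

# Hypothetical linux-net additions named in the comment.
def ensure_namespace(name: str, execute) -> None:
    execute('ip', 'netns', 'add', name)

def delete_namespace(name: str, execute) -> None:
    execute('ip', 'netns', 'delete', name)

class IptablesFirewallDriver:
    """Minimal stand-in for the per-instance iptables driver.

    One chain per instance; traffic is steered into the chain by a FORWARD
    rule keyed on the instance's fixed IP (the key that collides when IPs overlap).
    When a namespace is given, every iptables call is wrapped in 'ip netns exec'.
    """
    def __init__(self, execute, namespace: Optional[str] = None) -> None:
        self.execute = execute
        self.namespace = namespace
        self.chains: Dict[str, str] = {}  # instance_id -> chain name

    def _iptables(self, *args: str) -> None:
        prefix = ('ip', 'netns', 'exec', self.namespace) if self.namespace else ()
        self.execute(*prefix, 'iptables', *args)

    def prepare_instance_filter(self, instance_id: str, fixed_ip: str,
                                allowed: List[Tuple[str, int]]) -> None:
        chain = 'inst-%s' % instance_id
        self._iptables('-N', chain)
        self._iptables('-A', 'FORWARD', '-d', fixed_ip, '-j', chain)
        for proto, port in allowed:  # security-group style allow list
            self._iptables('-A', chain, '-p', proto, '--dport', str(port), '-j', 'ACCEPT')
        self._iptables('-A', chain, '-j', 'DROP')
        self.chains[instance_id] = chain

    def unfilter_instance(self, instance_id: str, fixed_ip: str) -> None:
        chain = self.chains.pop(instance_id)
        self._iptables('-D', 'FORWARD', '-d', fixed_ip, '-j', chain)
        self._iptables('-F', chain)
        self._iptables('-X', chain)

class NamespaceIptablesFirewallDriver:
    """Meta driver from the comment: a separate IptablesFirewallDriver per namespace."""
    def __init__(self, execute) -> None:
        self.execute = execute
        self.drivers: Dict[str, IptablesFirewallDriver] = {}

    @staticmethod
    def namespace_for(instance_id: str) -> str:
        return 'inst-ns-%s' % instance_id  # assumed naming scheme

    def prepare_instance_filter(self, instance_id, fixed_ip, allowed) -> None:
        ns = self.namespace_for(instance_id)
        ensure_namespace(ns, self.execute)
        drv = self.drivers.setdefault(ns, IptablesFirewallDriver(self.execute, namespace=ns))
        drv.prepare_instance_filter(instance_id, fixed_ip, allowed)

    def unfilter_instance(self, instance_id, fixed_ip) -> None:
        # Instance destroyed: drop its driver instance, then the namespace itself.
        ns = self.namespace_for(instance_id)
        self.drivers.pop(ns).unfilter_instance(instance_id, fixed_ip)
        delete_namespace(ns, self.execute)

def forward_rules_by_namespace(commands: List[List[str]]) -> Dict[Optional[str], List[str]]:
    """Group recorded '-A FORWARD' rules by the namespace they were issued in."""
    grouped: Dict[Optional[str], List[str]] = {}
    for cmd in commands:
        in_ns = cmd[:3] == ['ip', 'netns', 'exec']
        ns = cmd[3] if in_ns else None
        body = cmd[5:] if in_ns else cmd[1:]
        if body[:2] == ['-A', 'FORWARD']:
            grouped.setdefault(ns, []).append(' '.join(body))
    return grouped

def flat_demo() -> List[List[str]]:
    """Single host-wide driver: both instances key their steering rule on 10.0.0.5."""
    rec = CommandRecorder()
    drv = IptablesFirewallDriver(rec)
    drv.prepare_instance_filter('a1', '10.0.0.5', [('tcp', 22)])  # tenant A (constructed)
    drv.prepare_instance_filter('b2', '10.0.0.5', [('tcp', 80)])  # tenant B (constructed)
    return rec.commands

def namespaced_demo() -> List[List[str]]:
    """Meta driver: same overlapping IPs, but each instance's rules sit in its own namespace."""
    rec = CommandRecorder()
    drv = NamespaceIptablesFirewallDriver(rec)
    drv.prepare_instance_filter('a1', '10.0.0.5', [('tcp', 22)])
    drv.prepare_instance_filter('b2', '10.0.0.5', [('tcp', 80)])
    drv.unfilter_instance('a1', '10.0.0.5')  # instance a1 destroyed
    return rec.commands

if __name__ == '__main__':
    for name, cmds in (('flat', flat_demo()), ('namespaced', namespaced_demo())):
        print(name, forward_rules_by_namespace(cmds))
```

Recording commands rather than running them is also a convenient way to review what a firewall driver would apply to a host before trusting it with real traffic: the grouped output from `forward_rules_by_namespace` makes the IP collision in the flat case visible as two rules with the same `-d` in one table.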