[openstack-dev] [neutron] Why neutron-openvswitch-agent use linux-bridge?

Lorin Hochstein lorin at nimbisservices.com
Wed Nov 27 18:53:33 UTC 2013

Hi George:

On Wed, Nov 27, 2013 at 1:45 PM, George Shuklin <george.shuklin at gmail.com> wrote:

> Good day.
> I am looking at the internals of the bridge layout of the openvswitch agent at
> http://docs.openstack.org/network-admin/admin/content/figures/2/figures/under-the-hood-scenario-1-ovs-compute.png
> and wondering why this scheme is so complicated and why it uses linux
> bridge and veths with openvswitch together? Why not just plug the tap device
> directly into the openvswitch bridge without an intermediate brctl bridge?
> I guess that was caused by some important consideration, but I am unable to
> find any documents about this.
> If someone knows the reasons for that complex construction with different
> bridges, please respond.

If you look a little further down on the page with that figure, the
documentation reads:

Ideally, the TAP device vnet0 would be connected directly to the
integration bridge, br-int. Unfortunately, this isn't possible because of
how OpenStack security groups are currently implemented. OpenStack uses
iptables rules on the TAP devices such as vnet0 to implement security
groups, and Open vSwitch is not compatible with iptables rules that are
applied directly on TAP devices that are connected to an Open vSwitch port.

Take care,


Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
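
The constraint quoted above can be checked on a compute host. The following is an added example, not part of the original message or of OpenStack's code: it reports whether a TAP device such as vnet0 sits on a Linux bridge where iptables rules can apply. The `tap*` name prefix, the function names and the `bridge-nf-call-iptables` sysctl check are assumptions that go beyond what the message states.

```shell
#!/bin/sh
# Added example: audit whether iptables-based security groups can see a TAP
# device's traffic. The sysfs/procfs roots are parameters so the check can
# also run against a constructed directory tree.

# tap_filter_status DEV [SYS_ROOT] [PROC_ROOT]
# Prints one of:
#   filtered        - DEV is a Linux bridge port and bridged frames traverse iptables
#   no-bridge-nf    - DEV is a Linux bridge port but bridge-nf-call-iptables is not 1
#   not-bridge-port - DEV is not on a Linux bridge (e.g. plugged straight into OVS)
#   missing         - DEV does not exist
tap_filter_status() {
    dev=$1
    sys=${2:-/sys}
    proc=${3:-/proc}
    [ -d "$sys/class/net/$dev" ] || { echo missing; return 0; }
    # The kernel creates brport/ only for interfaces enslaved to a Linux bridge.
    [ -d "$sys/class/net/$dev/brport" ] || { echo not-bridge-port; return 0; }
    nf="$proc/sys/net/bridge/bridge-nf-call-iptables"
    if [ -r "$nf" ] && [ "$(cat "$nf")" = "1" ]; then
        echo filtered
    else
        echo no-bridge-nf
    fi
}

# audit_taps [SYS_ROOT] [PROC_ROOT]
# Prints "<interface> <status>" for every tap*/vnet* interface found.
audit_taps() {
    sys=${1:-/sys}
    proc=${2:-/proc}
    for path in "$sys"/class/net/tap* "$sys"/class/net/vnet*; do
        [ -d "$path" ] || continue   # unmatched glob stays literal; skip it
        name=${path##*/}
        printf '%s %s\n' "$name" "$(tap_filter_status "$name" "$sys" "$proc")"
    done
}
```

Calling `audit_taps` with no arguments inspects the live `/sys` and `/proc`; any instance interface reported as `not-bridge-port` or `no-bridge-nf` is one whose iptables security group rules would not be filtering its traffic.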