>> There's no real reason as far as I'm aware, just an implementation decision.
>>
>> This is inaccurate. There is a reason(s), and this has been asked before:
>>
>> http://lists.openstack.org/pipermail/openstack/2014-March/005950.html
>
> This link is to a thread asking why do we connect a Linux bridge between a tap
> device and br-int (For security groups).
>
>> http://lists.openstack.org/pipermail/openstack/2014-April/006865.html
>
> This link is to this thread itself.
>
>>
>> In a nutshell, the design decision that led to the existing architecture is
>> due to the way OVS handles packets and interacts with netfilter.
>
> I think you're talking about the bridge between a tap device and br-int and
> not about br-tun.

Sure, these are separate topics.
FYI, ofagent uses a single OpenFlow bridge (i.e. no br-tun) but for SGs
still needs LBs as ovs-agent does.

YAMAMOTO Takashi