[Openstack] br-tun and br-int bridges in Neutron OVS
Jay Pipes
jaypipes at gmail.com
Thu Apr 24 15:43:57 UTC 2014
On Thu, 2014-04-24 at 11:19 -0400, HS wrote:
> Hi,
>
> When OVS plugin is used with GRE option in Neutron, I see that each
> compute node has br-tun and br-int bridges created.
>
> I'm trying to understand why we need the additional br-tun bridge
> here. Can't we create tunneling ports in br-int bridge, and have
> br-int relay traffic between VM ports and tunneling ports directly?
> Why do we have to introduce another br-tun bridge in between?
It has to do with an OVS limitation in applying iptables rules directly
on VIF ports.
See Darragh's article here:
http://techbackground.blogspot.com/2013/05/debugging-quantum-dhcp-and-open-vswitch.html
and the Limitations section at the end of this document:
http://openvswitch.org/openstack/documentation/
Specifically:
OVS is not compatible with iptables + ebtables rules that are applied
directly on VIF ports. Thus, the existing implementations of Nova
security groups and spoof-prevention aren’t compatible.
Best,
-jay