On Thu, 2014-04-24 at 11:19 -0400, HS wrote:
> Hi,
>
> When OVS plugin is used with GRE option in Neutron, I see that each
> compute node has br-tun and br-int bridges created.
>
> I'm trying to understand why we need the additional br-tun bridge
> here. Can't we create tunneling ports in br-int bridge, and have
> br-int relay traffic between VM ports and tunneling ports directly?
> Why do we have to introduce another br-tun bridge in between?

It has to do with an OVS limitation in applying iptables rules directly
on VIF ports. See Darragh's article here:

http://techbackground.blogspot.com/2013/05/debugging-quantum-dhcp-and-open-vswitch.html

and the Limitations section at the end of this document:

http://openvswitch.org/openstack/documentation/

Specifically:

OVS is not compatible with iptables + ebtables rules that are applied
directly on VIF ports. Thus, the existing implementations of Nova
security groups and spoof-prevention aren’t compatible.

Best,
-jay