Return traffic

Return traffic from the instances through the integration bridge br-int may be processed by various flow rules that are used to inhibit ARP and MAC spoofing from instances. If the traffic is allowed, it is forwarded to Table 60 for additional processing and out to the provider bridge:

Once traffic hits the provider bridge br-eth2, it is processed by the flow rules as follows:

If these rules look familiar, it's because they are the same flow rules on the provider bridge that we showed you earlier. This time, however, traffic from the integration bridge connected to port phy-br-eth2 is processed by these rules.

The first flow rule on the provider bridge checks the VLAN ID in the Ethernet header, and if it is 1, modifies it to 42 before forwarding the traffic to the physical interface. The second rule modifies the VLAN tag of the frame from 2 to 40 before it exits the bridge. All other traffic from the integration bridge not tagged as VLAN 1 or 2 is dropped.
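The VLAN translations and the default drop described above can be checked against a saved `ovs-ofctl dump-flows br-eth2` listing. The following Python is an added example, not part of the original text; the sample dump, its priorities and counters, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of `ovs-ofctl dump-flows br-eth2` (not from the original page).
SAMPLE_DUMP = """\
 cookie=0x0, duration=100.1s, table=0, n_packets=10, n_bytes=800, priority=4,in_port="phy-br-eth2",dl_vlan=1 actions=mod_vlan_vid:42,NORMAL
 cookie=0x0, duration=100.1s, table=0, n_packets=4, n_bytes=320, priority=4,in_port="phy-br-eth2",dl_vlan=2 actions=mod_vlan_vid:40,NORMAL
 cookie=0x0, duration=200.5s, table=0, n_packets=7, n_bytes=560, priority=2,in_port="phy-br-eth2" actions=drop
 cookie=0x0, duration=200.9s, table=0, n_packets=90, n_bytes=7200, priority=0 actions=NORMAL
"""

def parse_flows(dump):
    """Return a list of (priority, match_fields, actions) tuples, one per flow line."""
    flows = []
    for line in dump.splitlines():
        if " actions=" not in line:
            continue  # skip reply headers and blank lines
        head, actions = line.strip().rsplit(" actions=", 1)
        fields = {}
        # The last space-separated token of the head holds priority and match fields.
        for item in head.split(" ")[-1].split(","):
            key, _, value = item.partition("=")
            fields[key] = value.strip('"')
        # ovs-ofctl omits priority when it is the OpenFlow default, 32768.
        priority = int(fields.pop("priority", 32768))
        flows.append((priority, fields, actions))
    return flows

def audit_provider_bridge(dump, int_port="phy-br-eth2"):
    """Return (vlan_map, findings) for flows matching in_port=int_port (name, or number as a string)."""
    vlan_map, xlate_prios, drop_prio, findings = {}, [], None, []
    flows = parse_flows(dump)
    for priority, fields, actions in flows:
        if fields.get("in_port") != int_port:
            continue
        rewrite = re.search(r"mod_vlan_vid:(\d+)", actions)
        if "dl_vlan" in fields and rewrite:
            vlan_map[int(fields["dl_vlan"])] = int(rewrite.group(1))
            xlate_prios.append(priority)
        elif set(fields) == {"in_port"} and actions == "drop":
            drop_prio = priority
    if drop_prio is None:
        findings.append("no catch-all drop for " + int_port)
    else:
        if any(p <= drop_prio for p in xlate_prios):
            findings.append("drop rule shadows a VLAN translation")
        if any("in_port" not in f and a != "drop" and p >= drop_prio for p, f, a in flows):
            findings.append("wildcard forwarding rule outranks the drop")
    return vlan_map, findings
```

An empty findings list means every frame from the integration bridge is either translated to a provider VLAN or dropped; a missing or outranked drop rule means untranslated local VLAN tags could reach the physical interface.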

Flow rules for a particular network will not exist on a bridge if there are no instances or resources in that network scheduled to that node. The Neutron Open vSwitch agent on each node is responsible for creating the appropriate flow rules for virtual switches on the respective node.