Return traffic from the instances through the integration bridge br-int may be processed by various flow rules that are used to inhibit ARP and MAC spoofing from instances. If the traffic is allowed, it is forwarded to Table 60 for additional processing and out to the provider bridge:
Once traffic hits the provider bridge br-eth2, it is processed by the flow rules as follows:
If these rules look familiar, it's because they are the same flow rules on the provider bridge that we showed you earlier. This time, however, traffic from the integration bridge connected to port phy-br-eth2 is processed by these rules.
The first flow rule on the provider bridge checks the VLAN ID in the Ethernet header, and if it is 1, modifies it to 42 before forwarding the traffic to the physical interface. The second rule modifies the VLAN tag of the frame from 2 to 40 before it exits the bridge. All other traffic from the integration bridge not tagged as VLAN 1 or 2 is dropped.