Linux bridge mechanism driver

The Linux bridge mechanism driver uses only Linux bridges and veth pairs as interconnection devices. A layer-2 agent manages Linux bridges on each compute node and any other node that provides layer-3 (routing), DHCP, metadata, or other network services.

Compatibility with nftables

nftables replaces iptables, ip6tables, arptables and ebtables, in order to provide a single API for all Netfilter operations. nftables provides a backwards compatibility set of tools for those replaced binaries that present the legacy API to the user while using the new packet classification framework. As reported in LP#1915341 and LP#1922892, the tool ebtables-nft is not totally compatible with the legacy API and returns some errors. To use Linux Bridge mechanism driver in newer operating systems that use nftables by default, it is needed to switch back to the legacy tool.

# /usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy

Since LP#1922127 and LP#1922892 were fixed, Neutron Linux Bridge mechanism driver is compatible with the nftables binaries using the legacy API.

Note

Just to unravel the possible terminology confusion, these are the three Netfilter available framework alternatives:

• The legacy binaries (iptables, ip6tables, arptables and ebtables) that use the legacy API.

• The new nftables binaries that use the legacy API, to help in the transition to this new framework. Those binaries replicate the same commands as the legacy one but using the new framework. The binaries have the same name ended in -nft.

• The new nftables framework using the new API. All Netfilter operations are executed using this new API and one single binary, nft.

Currently we support the first two options. The migration (total or partial) to the new API is tracked in LP#1508155.

In order to use the nftables binaries with the legacy API, it is needed to execute the following commands.

# /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-nft
# /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# /usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-nft
# /usr/bin/update-alternatives --set arptables /usr/sbin/arptables-nft

The ipset tool is not compatible with nftables. To disable it, enable_ipset must be set to False in the ML2 plugin configuration file /etc/neutron/plugins/ml2/ml2_conf.ini.

[securitygroup]
# ...
enable_ipset = False

• Linux bridge: Provider networks
  • Prerequisites
  • Architecture
  • Example configuration
  • Network traffic flow
• Linux bridge: Self-service networks
  • Prerequisites
  • Architecture
  • Example configuration
  • Network traffic flow
• Linux bridge: High availability using VRRP
  • Prerequisites
  • Architecture
  • Example configuration
  • Network traffic flow