Comment 2 for bug 1720205

Nikita Gerasimov (nikita-gerasimov) wrote:

The problem is not inside the namespaces; they look fine.

In the example above tapb48c914e-20 is the nova port, and tap5015bfe4-c5 and tapa6d0f381-b7 are the dhcp and router ports.
The default security rule "-A FORWARD -j REJECT --reject-with icmp-host-prohibited" prevents non-local traffic. So by default traffic is localized inside brq76f218a0-55 and does not go through vxlan-1006.
The nova port bridges this by rules in the neutron-linuxbri-FORWARD chain:
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT

In the current state, servers behind vxlan-1006 can't reach the tap5015bfe4-c5 and tapa6d0f381-b7 agents, and the tapb48c914e-20 VM doesn't receive answers from remote agents, which are isolated on their hosts.

I believe that agent ports connected to the bridge have to have the same security rules as nova ports with respect to brq76f218a0-55.

I think it worked in ocata thanks to the legacy nova net chains, and the issue was applicable only for the router HA net (see 1717927), but in pike all agent traffic is locked in the host bridges.
Unfortunately I have no ocata setup to check it more closely for now.
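The check below is an added example, not code from the bug report or from Neutron. It parses an iptables-save style dump (here a constructed sample made of the two physdev ACCEPT rules quoted in the comment plus the default REJECT), and reports which ports attached to the bridge lack a `--physdev-in` or `--physdev-out` ACCEPT in `neutron-linuxbri-FORWARD`. The bridge name, the three tap names and the chain name are taken from the comment; `generate_rules` renders candidate iptables commands in the same shape as the nova-port rules and is an assumed illustration of the remedy the comment argues for, not an upstream change.

```python
import re
from typing import Dict, Iterable, List, Set

CHAIN = "neutron-linuxbri-FORWARD"
BRIDGE = "brq76f218a0-55"

# Constructed sample dump: the default REJECT plus the two nova-port rules
# quoted in the comment. A real run would feed `iptables-save` output instead.
SAMPLE_RULES = """\
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
"""

# Ports attached to the bridge per the comment: nova port, dhcp port, router port.
BRIDGE_PORTS = ["tapb48c914e-20", "tap5015bfe4-c5", "tapa6d0f381-b7"]

# One rule line in iptables-save form: chain, physdev direction, device, ACCEPT target.
# "--physdev-is-bridged" does not match because "is" is neither "in" nor "out".
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) .*--physdev-(?P<direction>in|out) (?P<dev>\S+) .*-j ACCEPT\s*$"
)


def accepted_directions(rules_text: str, chain: str = CHAIN) -> Dict[str, Set[str]]:
    """Map each tap device to the physdev directions ({"in", "out"}) the chain ACCEPTs."""
    accepted: Dict[str, Set[str]] = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("chain") == chain:
            accepted.setdefault(m.group("dev"), set()).add(m.group("direction"))
    return accepted


def missing_physdev_accepts(
    rules_text: str, ports: Iterable[str], chain: str = CHAIN
) -> Dict[str, List[str]]:
    """Return {port: [missing directions]} for ports lacking an in or out ACCEPT."""
    accepted = accepted_directions(rules_text, chain)
    missing: Dict[str, List[str]] = {}
    for port in ports:
        gaps = [d for d in ("in", "out") if d not in accepted.get(port, set())]
        if gaps:
            missing[port] = gaps
    return missing


def generate_rules(missing: Dict[str, List[str]], chain: str = CHAIN) -> List[str]:
    """Render iptables commands that would add the missing physdev ACCEPT rules.

    Assumed remedy for illustration only: it mirrors the nova-port rule shape
    quoted in the comment and is not Neutron's own logic.
    """
    cmds: List[str] = []
    for port, dirs in sorted(missing.items()):
        for d in dirs:
            cmds.append(
                f"iptables -A {chain} -m physdev --physdev-{d} {port} --physdev-is-bridged "
                f'-m comment --comment "Accept agent port traffic (added example)" -j ACCEPT'
            )
    return cmds


if __name__ == "__main__":
    gaps = missing_physdev_accepts(SAMPLE_RULES, BRIDGE_PORTS)
    for port, dirs in gaps.items():
        print(f"{port} on {BRIDGE} has no ACCEPT for: {', '.join(dirs)}")
    print("\n".join(generate_rules(gaps)))
```

On the constructed sample the nova port passes and both agent ports are reported as missing ACCEPT in both directions, which is the asymmetry the comment describes. To run it against a live host, replace `SAMPLE_RULES` with the output of `iptables-save` and `BRIDGE_PORTS` with the tap interfaces listed by `brctl show` (or `bridge link`) for the bridge in question.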