Network Troubleshooting OVS diagram doesn't account for qbr bridges needed for security groups

I can do the grunt work of updating the diagram if someone can provide the information. Even uploading a hand drawn diagram here is fine.

I still have dreams of actually fixing this but if some one can get there before me the misisng bridge is a linux-bridge device between the eth0 in the VM (#1 in the diagram) and integration bridge (#3). The tap device (#2) is on this bridge and then connected to the integration bridge by another veth pair

root@pulsar-2:/etc/nova# brctl show
bridge name bridge id STP enabled interfaces
qbr36edc375-17 8000.e61a7141009e no qvb36edc375-17
                                                        tap36edc375-17

so in this case:

tap36edc375-17 is item #2 in the diagram
qbr36edc375-17 is the missing bridge
qvb36edc375-17 is the veth on the linux-bridge qbr36edc375-17
qvo36edc375-17 is the other side of the veth pair which is on br-int (#3)

I'm not 100% sure why this is necessary as all the iptables rules specify the tap device (#2) as the physical interface:
(this is 'default' security group on a system with instance fixed IP 10.0.171.132)

root@pulsar-2:~# iptables -S |grep 36edc375-1
-N neutron-openvswi-i36edc375-1
-N neutron-openvswi-o36edc375-1
-N neutron-openvswi-s36edc375-1
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-o36edc375-1
-A neutron-openvswi-i36edc375-1 -m state --state INVALID -j DROP
-A neutron-openvswi-i36edc375-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i36edc375-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i36edc375-1 -p icmp -j RETURN
-A neutron-openvswi-i36edc375-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o36edc375-1 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o36edc375-1 -j neutron-openvswi-s36edc375-1
-A neutron-openvswi-o36edc375-1 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o36edc375-1 -m state --state INVALID -j DROP
-A neutron-openvswi-o36edc375-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o36edc375-1 -j RETURN
-A neutron-openvswi-o36edc375-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s36edc375-1 -s 10.0.171.132/32 -m mac --mac-source FA:16:3E:40:3A:5E -j RETURN
-A neutron-openvswi-s36edc375-1 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-i36edc375-1
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-o36edc375-1

clarification that iptables output is a modified "default" which adds an ingess rule for ssh and ICMP so the following lines should be removed for a true default listing:

-A neutron-openvswi-i36edc375-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i36edc375-1 -p icmp -j RETURN

Fix proposed to branch: master
Review: https://review.openstack.org/222434

Change abandoned by Andreas Jaeger (<email address hidden>) on branch: master
Review: https://review.openstack.org/222434
Reason: Content has moved to openstack-manuals repository, this repo is now frozen. Please propose your change again for openstack-manuals.

Can I assign this to myself and try to push it?

Be my guest, thank you for asking.

The diagrams that Darren created in this patch: https://review.openstack.org/#/c/222434/ appear to be the same ones used in the current Ops Guide. Marking this as complete.