The procfs files /proc/sys/net/bridge/bridge-nf-call-* control whether iptables sees packets being forwarded by Linux bridges. Since neither Compute nor Network nodes in an OpenStack setup contain any arptables rules, it is not necessary to pass ARP packets to arptables. Here's the relevant kernel code:

    static unsigned int br_nf_forward_arp(void *priv, struct sk_buff *skb,
                                          const struct nf_hook_state *state)
    {
        struct net_bridge_port *p;
        struct net_bridge *br;
        struct net_device **d = (struct net_device **)(skb->cb);

        p = br_port_get_rcu(state->out);
        if (p == NULL)
            return NF_ACCEPT;
        br = p->br;

        /* skip the hook unless the global sysctl or the per-bridge flag is set */
        if (!brnf_call_arptables && !br->nf_call_arptables)
            return NF_ACCEPT;

        if (!IS_ARP(skb)) {
            if (!IS_VLAN_ARP(skb))
                return NF_ACCEPT;
            nf_bridge_pull_encap_header(skb);
        }

        /* only IPv4 ARP (4-byte protocol addresses) is handed to arptables */
        if (arp_hdr(skb)->ar_pln != 4) {
            if (IS_VLAN_ARP(skb))
                nf_bridge_push_encap_header(skb);
            return NF_ACCEPT;
        }

        *d = state->in;
        NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, state->net, state->sk, skb,
                state->in, state->out, br_nf_forward_finish);
        return NF_STOLEN;
    }

The value of /proc/sys/net/bridge/bridge-nf-call-arptables is reflected in the brnf_call_arptables variable. So unless the setting is enabled on a per-bridge basis (br->nf_call_arptables), setting it to zero eliminates the IS_ARP() check for every packet passing the bridge, and a few more checks, including the NF_HOOK() call, for every ARP packet passing by. Per packet, I expect a very small performance improvement here. On a larger scale, thinking of ARP broadcasts, this might reduce the system's base load considerably. Also, it's a very simple change and guaranteed to be safe, since OSP doesn't even require arptables to be present on any of the systems it is deployed on.
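An added example, not part of the bug report: a POSIX shell helper that audits the global knob together with the per-bridge sysfs override the kernel code checks (br->nf_call_arptables), and applies the change. ROOT and the function names are my own; with ROOT empty the functions run against the live system and the write step needs root.

```shell
#!/bin/sh
# Added example: audit/disable the bridge-netfilter arptables hook on an
# OpenStack Compute or Network node. ROOT is a hypothetical prefix so the
# same functions can be exercised against a fake /proc and /sys tree.
ROOT="${ROOT:-}"
GLOBAL_KNOB="/proc/sys/net/bridge/bridge-nf-call-arptables"

# Global knob (mirrors brnf_call_arptables); "absent" means br_netfilter
# is not loaded, so the hook cannot run at all.
global_arptables() {
    f="$ROOT$GLOBAL_KNOB"
    [ -r "$f" ] && cat "$f" || echo absent
}

# Bridges whose per-bridge nf_call_arptables is non-zero: these still pass
# ARP to arptables even when the global knob is 0.
bridges_forcing_arptables() {
    for f in "$ROOT"/sys/class/net/*/bridge/nf_call_arptables; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != 0 ]; then
            basename "$(dirname "$(dirname "$f")")"
        fi
    done
}

# True (exit 0) when no ARP packet will reach the NF_ARP_FORWARD hook.
arp_hook_disabled() {
    [ "$(global_arptables)" = 0 ] && [ -z "$(bridges_forcing_arptables)" ]
}

# Disable the hook now and persist it across reboots (needs root on a
# real system; the sysctl.d file name is my own choice).
disable_arptables_hook() {
    echo 0 > "$ROOT$GLOBAL_KNOB"
    for br in $(bridges_forcing_arptables); do
        echo 0 > "$ROOT/sys/class/net/$br/bridge/nf_call_arptables"
    done
    mkdir -p "$ROOT/etc/sysctl.d"
    printf 'net.bridge.bridge-nf-call-arptables = 0\n' \
        > "$ROOT/etc/sysctl.d/90-bridge-nf-arptables.conf"
}
```

Run `arp_hook_disabled && echo ok` before and after `disable_arptables_hook` to confirm the per-bridge flag is not silently keeping the hook alive.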
I've checked that the installers don't set that currently, so it's only on the neutron side :)
The fix is available upstream in stable/ocata and master.