Hi,

You have to consider your needs for selection.

For example the hybrid driver has the extra iptables/nftables in the traffic loop, and for that you need an extra linuxbrdge between the instance port and the firewall (nftables or in the past iptables).

The extra components give performance and scalability cost (see [0])

The OVS driver installs flows to br-int and that will do the filtering based on the security group rules defined on the API, so everything is done on OVS ports/bridges. No extra component in the traffic no extra cost.

The bad things is that for first debugging and understanding ovs flows based rules not easy at first.

[0]: https://docs.openstack.org/neutron/latest/admin/config-ovsfwdriver.html

Best wishes

Lajos Katona

ETP <erkki@peurat.net> ezt írta (időpont: 2022. szept. 7., Sze, 16:28):

Hi,

what is the recommended openvswich agent driver for security groups?

Two options on my table are now OVS native firewall driver vs. OVSHybridIptablesFirewall driver

Br,

- Eki -