Hi,

Dnia czwartek, 8 września 2022 09:05:33 CEST Lajos Katona pisze:

Hi, You have to consider your needs for selection. For example the hybrid driver has the extra iptables/nftables in the traffic loop, and for that you need an extra linuxbrdge between the instance port and the firewall (nftables or in the past iptables). The extra components give performance and scalability cost (see [0]) The OVS driver installs flows to br-int and that will do the filtering based on the security group rules defined on the API, so everything is done on OVS ports/bridges. No extra component in the traffic no extra cost. The bad things is that for first debugging and understanding ovs flows based rules not easy at first.

Additionally, there are some differences in the behavior of those 2 drivers - they are documented in [0]. Also, please note that e.g. security groups for the trunk ports and subports are only supported with openvswitch fw driver so if You want to use trunks with security groups, You have to choose openvswitch fw driver.

Best wishes Lajos Katona

ETP erkki@peurat.net ezt írta (időpont: 2022. szept. 7., Sze, 16:28):

...

Hi,

what is the recommended openvswich agent driver for security groups?

Two options on my table are now OVS native firewall driver vs. OVSHybridIptablesFirewall driver

Br,

- Eki -