[neutron] [openvswitch-agent] Driver for security groups
Hi,

what is the recommended openvswitch agent driver for security groups?
Two options on my table are now OVS native firewall driver vs. OVSHybridIptablesFirewall driver

Br,
- Eki -
Hi,

You have to consider your needs for the selection. For example, the hybrid driver has the extra iptables/nftables in the traffic loop, and for that you need an extra linuxbridge between the instance port and the firewall (nftables, or in the past iptables). The extra components come at a performance and scalability cost (see [0]).

The OVS driver installs flows on br-int, and those do the filtering based on the security group rules defined in the API, so everything is done on OVS ports/bridges. No extra component in the traffic path, no extra cost. The bad thing is that, at first, debugging and understanding the OVS flow-based rules is not easy.

[0]: https://docs.openstack.org/neutron/latest/admin/config-ovsfwdriver.html

Best wishes
Lajos Katona

ETP <erkki@peurat.net> wrote (on 2022 Sept 7, Wed, 16:28):
> Hi,
>
> what is the recommended openvswitch agent driver for security groups?
> Two options on my table are now OVS native firewall driver vs. OVSHybridIptablesFirewall driver
>
> Br,
> - Eki -
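The two settings Lajos compares, side by side, plus the checks an operator would run on a compute node to confirm which datapath is really in place. This is an added example for this thread, not code from the thread or from Neutron. The `firewall_driver` aliases `openvswitch` and `iptables_hybrid`, the `qbr`/`qvb`/`qvo` device naming, the `neutron-openvswi-*` chain prefix and the br-int table numbers are Neutron's; the config path, the port id, the interface names and every piece of command output below are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread, and not Neutron's own code): the two
# [securitygroup] settings being compared, plus checks for which datapath a
# compute node is really using. The config path and every interface name,
# port id and command output below are constructed for illustration.
set -eu

# Settings as they would appear in /etc/neutron/plugins/ml2/openvswitch_agent.ini
# (path assumed for a typical ML2/OVS node). Both values are Neutron driver aliases.
native_conf() {
  cat <<'EOF'
[securitygroup]
enable_security_group = true
# OpenFlow rules on br-int do the filtering: no qbr bridge, no veth pair, no iptables.
firewall_driver = openvswitch
EOF
}

hybrid_conf() {
  cat <<'EOF'
[securitygroup]
enable_security_group = true
# Legacy path: tap -> qbr linuxbridge (iptables/nftables) -> qvb/qvo veth -> br-int.
firewall_driver = iptables_hybrid
EOF
}

# Print the firewall_driver value from the [securitygroup] section of an ini
# file read on stdin, or "unset" if that section has no such key.
read_firewall_driver() {
  awk -F'=' '
    /^[[:space:]]*\[/ { sect = $0; gsub(/[^A-Za-z0-9_]/, "", sect); next }
    sect == "securitygroup" && $1 ~ /^[[:space:]]*firewall_driver[[:space:]]*$/ {
      v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; found = 1; exit
    }
    END { if (!found) print "unset" }'
}

# Classify instance-port plumbing from `ip -o link show` output read on stdin.
# The hybrid driver leaves qbr*/qvb*/qvo* devices behind; with the OVS driver
# the tap* device is plugged straight into br-int (master ovs-system).
classify_plumbing() {
  awk '{ name = $2; sub(/:$/, "", name); sub(/@.*/, "", name);
         if (name ~ /^(qbr|qvb|qvo)/) hybrid++; else if (name ~ /^tap/) taps++ }
       END { if (hybrid) print "iptables_hybrid"; else if (taps) print "openvswitch"; else print "no-instance-ports" }'
}

# Count the agent's security-group chains in `iptables -S` output read on stdin.
# Only the hybrid driver creates the neutron-openvswi-* chains.
count_sg_chains() {
  grep -c '^-N neutron-openvswi-' || true
}

# Constructed samples. The port id prefix 2d9a1b3c-4e is made up.
SAMPLE_LINKS_HYBRID='5: qbr2d9a1b3c-4e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP
6: qvo2d9a1b3c-4e@qvb2d9a1b3c-4e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 master ovs-system state UP
7: qvb2d9a1b3c-4e@qvo2d9a1b3c-4e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 master qbr2d9a1b3c-4e state UP
8: tap2d9a1b3c-4e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 master qbr2d9a1b3c-4e state UNKNOWN'
SAMPLE_LINKS_NATIVE='8: tap2d9a1b3c-4e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 master ovs-system state UNKNOWN'
SAMPLE_IPTABLES_HYBRID='-P INPUT ACCEPT
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-N neutron-openvswi-i2d9a1b3c-4
-N neutron-openvswi-o2d9a1b3c-4
-A neutron-openvswi-sg-chain -j ACCEPT'

# On a real compute node (as root): compare the configured driver with the live
# plumbing. A mismatch usually means ports were plugged under the previous
# driver or the agent has not been restarted since the setting changed.
live_check() {
  printf 'configured:   %s\n' "$(read_firewall_driver < /etc/neutron/plugins/ml2/openvswitch_agent.ini)"
  printf 'plumbing:     %s\n' "$(ip -o link show | classify_plumbing)"
  printf 'sg chains:    %s\n' "$(iptables -S | count_sg_chains)"
  # The OVS driver keeps its security-group rules in br-int tables 71-73 and 81-82.
  printf 'ovs fw flows: %s\n' "$(ovs-ofctl dump-flows br-int | grep -cE 'table=(7[123]|8[12]),' || true)"
}

# Offline demonstration on the constructed samples.
printf 'native conf -> %s\n' "$(native_conf | read_firewall_driver)"
printf 'hybrid node -> %s, %s sg chains\n' \
  "$(printf '%s\n' "$SAMPLE_LINKS_HYBRID" | classify_plumbing)" \
  "$(printf '%s\n' "$SAMPLE_IPTABLES_HYBRID" | count_sg_chains)"
printf 'native node -> %s\n' "$(printf '%s\n' "$SAMPLE_LINKS_NATIVE" | classify_plumbing)"
```

The three checks deliberately look at three different layers (the agent config, the kernel interfaces, the iptables ruleset), because they can disagree: the config says what newly plugged ports will get, while the qbr/qvo devices and the neutron-openvswi-* chains show what existing ports actually traverse. When the OVS driver is in use, `ovs-ofctl dump-flows br-int` is where the security group rules live, which is the debugging cost Lajos mentions.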
Hi,

On Thursday, 8 September 2022 at 09:05:33 CEST, Lajos Katona wrote:

> Hi,
>
> You have to consider your needs for the selection. For example, the hybrid driver has the extra iptables/nftables in the traffic loop, and for that you need an extra linuxbridge between the instance port and the firewall (nftables, or in the past iptables). The extra components come at a performance and scalability cost (see [0]).
>
> The OVS driver installs flows on br-int, and those do the filtering based on the security group rules defined in the API, so everything is done on OVS ports/bridges. No extra component in the traffic path, no extra cost. The bad thing is that, at first, debugging and understanding the OVS flow-based rules is not easy.
Additionally, there are some differences in the behavior of those 2 drivers; they are documented in [0]. Also, please note that e.g. security groups for trunk ports and subports are only supported with the openvswitch fw driver, so if you want to use trunks with security groups, you have to choose the openvswitch fw driver.
> [0]: https://docs.openstack.org/neutron/latest/admin/config-ovsfwdriver.html
>
> Best wishes
> Lajos Katona
> ETP <erkki@peurat.net> wrote (on 2022 Sept 7, Wed, 16:28):
>
>> Hi,
>>
>> what is the recommended openvswitch agent driver for security groups?
>> Two options on my table are now OVS native firewall driver vs. OVSHybridIptablesFirewall driver
>>
>> Br,
>> - Eki -
--
Slawek Kaplonski
Principal Software Engineer
Red Hat