[neutron] [openvswitch-agent] Driver for security groups

Lajos Katona katonalala at gmail.com
Thu Sep 8 07:05:33 UTC 2022


Hi,
You have to consider your needs when selecting.
For example, the hybrid driver has the extra iptables/nftables in the
traffic loop, and for that you need an extra linuxbridge between the
instance port and the firewall (nftables or, in the past, iptables).
The extra components have a performance and scalability cost (see [0]).
The OVS driver installs flows to br-int and that will do the filtering
based on the security group rules defined on the API, so everything is done
on OVS ports/bridges. No extra component in the traffic, no extra cost.
The bad thing is that debugging and understanding OVS flow-based
rules is not easy at first.

[0]: https://docs.openstack.org/neutron/latest/admin/config-ovsfwdriver.html

Best wishes
Lajos Katona

ETP <erkki at peurat.net> wrote (on Wed, Sep 7, 2022, 16:28):

> Hi,
>
> what is the recommended openvswitch agent driver for security groups?
>
> Two options on my table are now OVS native firewall driver vs.
> OVSHybridIptablesFirewall driver
>
> Br,
>
>     - Eki -
>
>
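
An added example, not part of the original thread or of Neutron's code: a small audit that reports which security group driver each OVS agent is configured with, so hosts still on the hybrid path (extra linuxbridge plus iptables/nftables) can be told apart from hosts filtering on br-int. It assumes the `firewall_driver` option in the `[securitygroup]` section with the aliases `openvswitch` and `iptables_hybrid` as in the guide linked at [0], uses Python's `configparser` as a stand-in for oslo.config, and runs on constructed host names and config contents.

```python
import configparser

# Aliases accepted by [securitygroup]/firewall_driver; notes paraphrase the thread.
DRIVERS = {
    "openvswitch": "OpenFlow rules on br-int, no extra component in the path",
    "iptables_hybrid": "extra linuxbridge per port, filtering in iptables/nftables",
}


def effective_driver(ini_texts):
    """Merge config texts in order (later wins) and return firewall_driver or None."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    for text in ini_texts:
        cp.read_string(text)
    value = cp.get("securitygroup", "firewall_driver", fallback=None)
    return value.strip() if value else None


def audit(hosts):
    """Map host -> (driver, note) for a dict of host -> list of config texts."""
    report = {}
    for host, texts in sorted(hosts.items()):
        driver = effective_driver(texts)
        if driver is None:
            note = "firewall_driver not set in [securitygroup]"
        else:
            note = DRIVERS.get(driver, "unrecognised value, check for a typo")
        report[host] = (driver, note)
    return report


# Constructed sample input: three hypothetical compute hosts.
SAMPLE = {
    "compute-1": ["[securitygroup]\nfirewall_driver = iptables_hybrid\n"],
    # A second config file overrides the first, as with repeated --config-file.
    "compute-2": ["[securitygroup]\nfirewall_driver = iptables_hybrid\n",
                  "[securitygroup]\nfirewall_driver = openvswitch\n"],
    "compute-3": ["[ovs]\nbridge_mappings = physnet1:br-ex\n"],
}

if __name__ == "__main__":
    for host, (driver, note) in audit(SAMPLE).items():
        print(f"{host}: {driver or '-'} ({note})")
```
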