[neutron] [openvswitch-agent] Driver for security groups

Slawek Kaplonski skaplons at redhat.com
Thu Sep 8 07:27:46 UTC 2022


Hi,

On Thursday, 8 September 2022 09:05:33 CEST Lajos Katona wrote:
> Hi,
> You have to consider your needs for selection.
> For example the hybrid driver has the extra iptables/nftables in the
> traffic loop, and for that you need an extra linuxbridge between the
> instance port and the firewall (nftables or in the past iptables).
> The extra components come with a performance and scalability cost (see [0]).
> The OVS driver installs flows to br-int and that will do the filtering
> based on the security group rules defined on the API, so everything is done
> on OVS ports/bridges. No extra component in the traffic, no extra cost.
> The bad thing is that debugging and understanding OVS flow-based rules
> is not easy at first.

Additionally, there are some differences in the behavior of those 2 drivers - they are documented in [0].
Also, please note that e.g. security groups for the trunk ports and subports are only supported with
the openvswitch fw driver, so if you want to use trunks with security groups, you have to choose the openvswitch fw driver.

> 
> [0]: https://docs.openstack.org/neutron/latest/admin/config-ovsfwdriver.html
> 
> Best wishes
> Lajos Katona
> 
> ETP <erkki at peurat.net> wrote (on Wed, 7 Sept 2022, 16:28):
> 
> > Hi,
> >
> > what is the recommended openvswitch agent driver for security groups?
> >
> > Two options on my table are now OVS native firewall driver vs.
> > OVSHybridIptablesFirewall driver
> >
> > Br,
> >
> >     - Eki -
> >
> >
> 


-- 
Slawek Kaplonski
Principal Software Engineer
Red Hat