From 5dddaa2cfa29422ecab4bf329c22bc5a511982c9 Mon Sep 17 00:00:00 2001
From: Erik Berg
Date: Wed, 23 Dec 2020 09:36:48 +0100
Subject: [PATCH] Allow overriding firewall_driver for ovs
By setting neutron_firewall_driver in user_variables.yml you can set it to openvswitch even if not using dpdk.
Change-Id: I9301ba7f962a644631a300337b626d7652e43f63
---
 ...-ovs-firewall-driver-0ba4dee50aff725c.yaml | 24 +++++++++++++++++++
 vars/main.yml | 4 ++--
 2 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/override-ovs-firewall-driver-0ba4dee50aff725c.yaml
diff --git a/releasenotes/notes/override-ovs-firewall-driver-0ba4dee50aff725c.yaml b/releasenotes/notes/override-ovs-firewall-driver-0ba4dee50aff725c.yaml
new file mode 100644
index 00000000..80ca8a7d
--- /dev/null
+++ b/releasenotes/notes/override-ovs-firewall-driver-0ba4dee50aff725c.yaml
@@ -0,0 +1,24 @@
+---
+prelude: >
+ Historically, Open vSwitch (OVS) could not interact directly with iptables
+ to implement security groups. Thus, the OVS agent and Compute service use a
+ Linux bridge between each instance (VM) and the OVS integration bridge
+ br-int to implement security groups. Now the OVS agent includes an optional
+ firewall driver that natively implements security groups as flows in OVS
+ rather than the Linux bridge device and iptables. This increases
+ scalability and performance.
+features:
+ - |
+ You can override the default ``iptables_hybrid`` firewall driver for Open
+ vSwitch by setting ``neutron_firewall_driver: openvswitch``
+upgrade:
+ - |
+ Introduce this feature to empty compute nodes, and migrate VMs over once
+ the agents have been restarted.
+critical:
+ - |
+ This feature requires kernel and user space support for conntrack, thus
+ requiring minimum versions of the Linux kernel and Open vSwitch. All cases
+ require Open vSwitch version 2.5 or newer. Kernel version 4.3 or newer
+ includes conntrack support. Kernel version 3.3, but less than 4.3, does not
+ include conntrack support and requires building the OVS modules.
diff --git a/vars/main.yml b/vars/main.yml
index 66b3f82a..01342737 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -161,7 +161,7 @@ neutron_plugins:
 plugin_core: ml2
 plugin_ini: plugins/ml2/ml2_conf.ini
 ml2.ovs:
- driver_firewall: iptables_hybrid
+ driver_firewall: "{{ neutron_firewall_driver | default('iptables_hybrid') }}"
 driver_interface: openvswitch
 drivers_type: "{{ neutron_ml2_drivers_type }}"
 l2_population: "{{ neutron_l2_population }}"
@@ -171,7 +171,7 @@ neutron_plugins:
 plugin_core: ml2
 plugin_ini: plugins/ml2/ml2_conf.ini
 ml2.ovs.dvr:
- driver_firewall: iptables_hybrid
+ driver_firewall: "{{ neutron_firewall_driver | default('iptables_hybrid') }}"
 driver_interface: openvswitch
 drivers_type: "{{ neutron_ml2_drivers_type }}"
 l2_population: "{{ neutron_l2_population }}"
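Review bot: The new `driver_firewall` value in the `ml2.ovs` hunk is passed straight through from `neutron_firewall_driver` with no validation, and this setting decides how security groups are enforced on every OVS compute node, so a misspelled value or the `noop` driver would silently turn off security-group filtering instead of failing the deploy. The `| default('iptables_hybrid')` also hides the new knob in vars/main.yml, where operators do not look for tunables; the usual Ansible role convention is to declare `neutron_firewall_driver: iptables_hybrid` in defaults/main.yml with a comment listing the accepted values (`iptables_hybrid`, `openvswitch`) and to reference it here as `driver_firewall: "{{ neutron_firewall_driver }}"`. The same applies to the `ml2.ovs.dvr` hunk that follows. The commit message refers to an existing DPDK path that is not in this patch; if that path sets the driver from another variable, confirm the two sources cannot disagree. Both hunks sit inside the `neutron_plugins` mapping, whose start and end lie outside the hunks.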