Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1671176

Summary: [doc] NFV documentation lack of recommendation with OVS firewall usage
Product: Red Hat OpenStack
Component: documentation
Version: 10.0 (Newton)
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Reporter: Andreas Karis <akaris>
Assignee: RHOS Documentation Team <rhos-docs>
QA Contact: RHOS Documentation Team <rhos-docs>
CC: amuller, cfontain, chrisw, fbaudin, rheslop, yrachman
Keywords: Documentation, Triaged, ZStream
Doc Type: If docs needed, set a value
Clone Of: 1656420
Bug Depends On: 1656420
Last Closed: 2019-04-03 18:21:42 UTC

Comment 1 Andreas Karis 2019-01-31 00:22:41 UTC
Hi,

~~~
Note

Use OpenvSwitch firewall driver for guest management interfaces only. It is not intended to be used as a telecom firewall. For best performance and scalability, avoid the OpenvSwitch firewall driver for dataplane interfaces.

For a telco grade stateful firewall, consider deploying a VNF. 
~~~

That's still misleading.

The openvswitch firewall driver is tech preview. It has serious shortcomings such as:
Issues with SCTP: https://access.redhat.com/solutions/3298031
Issues with fragmentation: https://access.redhat.com/solutions/3662811

As tech preview, it is not supported without a support exception. And with the above shortcomings in OSP 10, it shouldn't be supported at all, IMO.

That message above still makes customers believe that this is supported, when it's clearly tech preview and not supported. It's also still in the example.

The example is listed first, then the warning. People read top to bottom, and the first thing they see will be stuck in their heads. Also, the example is in a dark background and attracts more attention than the warning message. At the very least, we should:

a) change the note to
~~~
Note

The OpenvSwitch firewall driver is tech preview and therefore not supported by Red Hat without a support exception.

Use OpenvSwitch firewall driver for guest management interfaces only. It is not intended to be used as a telecom firewall. For best performance and scalability, avoid the OpenvSwitch firewall driver for dataplane interfaces.

For a telco grade stateful firewall, consider deploying a VNF. 
~~~

b) change the example line to:
~~~
  # Configure the classname of the firewall driver to use for implementing security groups.
  NeutronOVSFirewallDriver: openvswitch # the openvswitch firewall driver is *not* supported by Red Hat
~~~
>> I don't understand why our templates contain this misleading line. Why can't we just drop it?

Comment 3 Franck Baudin 2019-02-22 10:56:14 UTC
For RHOSP10, the firewall driver is not supported, with OVS or OVS-DPDK. In the NFV template, however, we do activate it on the VM management interfaces, and this is misleading for customers as it works fine in our case but we know that this cannot work in all supported configurations. For instance, the openvswitch firewall doesn't work with VLAN Aware VMs in RHOSP10. Since RHOSP13, this is different as openvswitch firewall is GA.

For RHOSP10, we should mention that the feature is not supported but is working in basic scenarios like the one provided as an example.

For RHOSP10 and RHOSP13 we should mention that the firewall is intended to be used on non-data-plane interfaces, as the performance of OVS-DPDK would then be severely degraded. Non-data-plane interfaces are typically the VM management interfaces. A dataplane interface carries user traffic. More insights in https://www.slideshare.net/LF_OpenvSwitch/lfovs17ovsdpdk-for-nfv-go-live-feedback and https://www.youtube.com/watch?v=YzD91dgyBgo&index=7&list=PLaJlRa-xItwD7ikTsrZOhju5xbE-QP9U1

Comment 7 Yariv 2019-06-30 07:42:14 UTC
(In reply to Roger Heslop from comment #6)
> Published:
> https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html-single/network_functions_virtualization_configuration_guide/index#proc-ovsdpdk-firewall

See my comment https://bugzilla.redhat.com/show_bug.cgi?id=1665711#c4
Thanks