FWaaS Drivers Comparison

FWaaS Drivers Comparison¶

Neutron FWaaS supports multiple backend drivers. This document describes the differences between the OVN driver and the agent-based drivers (L3 and L2).

Overview¶

Feature	OVN Driver	L3 Agent Driver	L2 Agent Driver
Backend	OVN ACLs (Port Groups)	iptables	OpenFlow (OVS)
Architecture	Service driver (no agent)	Agent-based (RPC)	Agent-based (RPC)
Supported port types	L3 (router ports)	L3 (router ports)	L2 (VM/compute ports)
Logging API support	No	Yes (iptables-based)	No
Rule type	Stateless	Stateful	Stateful

Supported Actions¶

Action	OVN Driver	L3 Agent Driver	L2 Agent Driver
Allow	Yes	Yes	Yes
Deny (drop)	Yes	Yes	Yes
Reject (ICMP error)	Yes	Yes	No

For more details about the internals of each driver, see the Drivers Internals section in the Contributor Guide.

this page last updated: 2026-03-09 14:38:10

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.