Nowadays, when using openvswitch-agent with security groups we must use hybrid bridging, i.e. per instance we have both an openvswitch bridge and a linux bridge. The rationale behind this approach is to set filtering rules matching on a given linux bridge.
We can get rid of the linux bridge if filtering is done directly in openvswitch via openflow rules. The benefits of this approach are better throughput in the data plane due to removal of the linux bridge and faster rule filtering due to not using the physdev extension in iptables. Another improvement is in the control plane, because currently setting rules via the iptables firewall driver doesn't scale well.
This RFE requests a new firewall driver that is capable of filtering packets based on specified security groups using openvswitch only. The requirement for OVS is to have conntrack support, which is planned to be released with OVS 2.4.
UPDATE (2015-06-02 jlibosva): What we want to achieve with this RFE is to use security groups with openvswitch-agent without needing a linux bridge. The reasons for this include performance and easier debugging.
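As an added, illustrative example (not the Neutron driver this RFE asks for, and not code from the report): a small Python script that turns security-group rules into the kind of OpenFlow conntrack flows the description has in mind, i.e. filtering done by OVS alone with no linux bridge or iptables physdev matches. It assumes a two-table layout on the integration bridge (table 0 sends untracked IP traffic through ct() into table 1, table 1 does the stateful filtering), a known OpenFlow port number and IPv4 address per VM port, and OVS 2.4+ conntrack support (ct_state matching and the ct(commit) action). The table numbers, priorities and the rule dict layout are assumptions made for this example; port ranges are emitted as masked tp_dst matches so a range never explodes into one flow per port.

```python
"""Security-group rules -> OpenFlow conntrack flows (illustrative example).

Hypothetical code written for this RFE discussion, not the Neutron OVS
firewall driver. Assumptions: a single integration bridge, table 0 for
classification, table 1 for stateful filtering, IPv4 only, OVS >= 2.4
conntrack (ct_state, ct(table=N), ct(commit)).
"""

FILTER_TABLE = 1          # assumed table number for stateful filtering
SG_PRIORITY = 50          # assumed priority of per-rule "allow new" flows


def base_flows():
    """Flows every port needs regardless of which security groups it has."""
    return [
        # Untracked IP traffic is run through conntrack and re-enters table 1
        # with ct_state populated.
        f"table=0,priority=10,ip,ct_state=-trk,actions=ct(table={FILTER_TABLE})",
        # Non-IP traffic (ARP etc.) is forwarded unfiltered by this example.
        "table=0,priority=5,actions=NORMAL",
        # Established/related connections pass without re-evaluating SG rules:
        # this is what the iptables-based driver gets from the state module.
        f"table={FILTER_TABLE},priority=100,ct_state=+trk+est,actions=NORMAL",
        f"table={FILTER_TABLE},priority=100,ct_state=+trk+rel,actions=NORMAL",
        # Packets conntrack cannot classify are dropped.
        f"table={FILTER_TABLE},priority=100,ct_state=+trk+inv,actions=drop",
        # Default deny for new connections no SG rule allowed.
        f"table={FILTER_TABLE},priority=1,ct_state=+trk+new,actions=drop",
    ]


def port_range_masks(lo, hi):
    """Decompose the inclusive port range [lo, hi] into (value, mask) pairs.

    Each pair is an aligned power-of-two block, so tp_dst=value/mask matches
    exactly the ports in that block; the union of all pairs is the range.
    """
    out = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned at lo and within hi.
        while (lo & (size * 2 - 1)) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        mask = 0xFFFF & ~(size - 1)
        out.append((lo, mask))
        lo += size
    return out


def sg_rule_to_flows(rule, port_ip, ofport, priority=SG_PRIORITY):
    """Translate one security-group rule dict into OpenFlow flow strings.

    rule keys (assumed layout): direction ("ingress"/"egress"), protocol
    ("tcp"/"udp"/"icmp"/None), port_range_min, port_range_max,
    remote_ip_prefix. Each emitted flow matches NEW tracked connections only,
    commits them to conntrack and forwards them; replies are then handled by
    the +est flow in base_flows().
    """
    proto = rule.get("protocol") or "ip"
    match = [f"table={FILTER_TABLE}", f"priority={priority}", proto,
             "ct_state=+trk+new"]
    if rule["direction"] == "ingress":
        # Traffic towards the VM: identify it by destination address.
        match.append(f"nw_dst={port_ip}")
        remote_key = "nw_src"
    else:
        # Traffic from the VM: identify it by the OVS port it entered on.
        match.append(f"in_port={ofport}")
        remote_key = "nw_dst"
    if rule.get("remote_ip_prefix"):
        match.append(f"{remote_key}={rule['remote_ip_prefix']}")

    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    actions = "actions=ct(commit),NORMAL"
    if proto in ("tcp", "udp") and lo is not None:
        # One flow per aligned block of the port range.
        return [",".join(match + [f"tp_dst={val:#06x}/{mask:#06x}", actions])
                for val, mask in port_range_masks(lo, hi if hi is not None else lo)]
    if proto == "icmp" and lo is not None:
        # For ICMP the SG rule's "min port" carries the ICMP type.
        match.append(f"icmp_type={lo}")
    return [",".join(match + [actions])]


if __name__ == "__main__":
    # Constructed sample: allow SSH from 10.0.0.0/24 and all egress.
    rules = [
        {"direction": "ingress", "protocol": "tcp", "port_range_min": 22,
         "port_range_max": 22, "remote_ip_prefix": "10.0.0.0/24"},
        {"direction": "egress", "protocol": None},
    ]
    for flow in base_flows():
        print(f"ovs-ofctl add-flow br-int '{flow}'")
    for r in rules:
        for flow in sg_rule_to_flows(r, port_ip="10.0.0.5", ofport=3):
            print(f"ovs-ofctl add-flow br-int '{flow}'")
```

The part worth noticing is that the per-rule flows only ever see packets with ct_state=+trk+new; everything stateful (return traffic, related ICMP, invalid segments) is decided once in the base flows, which is the same split the iptables driver gets from the conntrack state match, now expressed in OpenFlow with no bridge hop in between.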
This is describing the "how" and not the "what". The what, if I read between the lines, is that you'd like to be able to use security groups on OVS without the need for a Linuxbridge. The reasons for this include performance and easier debugging.
Regardless, this is a good thing, and I believe we should move forward with this. I expect once we get to the Neutron patches and devref we'll hit the "connection tracking support isn't in a released OVS version yet" issue, but let's deal with it there.