[RFE][fwaas][OVN]support l3 firewall for ovn driver

Bug #1971958 reported by Liu Xie
Affects: neutron
Status: Triaged
Importance: Undecided
Assigned to: Liu Xie
Milestone: (none)

Bug Description

As the neutron-fwaas project is being maintained again, and OVN has become one of the main drivers for the neutron project,
maybe we could implement an L3 firewall for the OVN driver.

Liu Xie (liushy)
tags: added: fwaas
tags: added: rfe
Revision history for this message
Lajos Katona (lajos-katona) wrote :

We discussed this RFE during the drivers meeting (see [1]) and agreed that this is a good idea, but we would like you to add some extra details and the exact goals to have clear direction and see if it is possible with OVN.

[1]: https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-05-13-14.01.log.html#l-14

tags: added: rfe-approved
Revision history for this message
Lajos Katona (lajos-katona) wrote :

I created a blueprint for this RFE:
https://blueprints.launchpad.net/neutron/+spec/support-l3-firewall-for-ovn-driver

Please reference the blueprint also in your commit messages, not only this RFE, example:
Partially-Implements: blueprint support-l3-firewall-for-ovn-driver

Changed in neutron:
status: New → Triaged
Revision history for this message
Liu Xie (liushy) wrote :

I have tested L3 ACLs with the OVN backend. It works fine when putting any stateless ACLs on the lrp which is the gateway of the subnet.
So we could implement one driver with the OVN backend by transforming firewall rules into stateless ACLs for the lrp.
Does anyone have other opinions?

Revision history for this message
ZhouHeng (zhouhenglc) wrote :

Is it only effective in the gateway subnet? What about the internal subnet interface?

Revision history for this message
Liu Xie (liushy) wrote :

@ZhouHeng
We tested it using the gateway port of the internal subnet.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-fwaas (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-fwaas/+/845756

Liu Xie (liushy)
Changed in neutron:
assignee: nobody → Liu Xie (liushy)
Revision history for this message
Liu Xie (liushy) wrote (last edit ):

This patch [1] uses stateless ACLs, but the drop action in the OVN implementation is also stateful, which will cause a problem when we use the drop action.
We are trying to implement a new action that supports stateless drop in OVN, which could solve this problem.
Currently, it only works well with stateless security if you use this patch.

[1]https://review.opendev.org/c/openstack/neutron-fwaas/+/845756
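To make the "firewall rules to stateless ACLs" idea from the two comments above concrete, here is a constructed translator that is not neutron-fwaas or neutron code: it turns an ordered FWaaS v2 policy into OVN ACL rows, using `allow-stateless` for allow and keeping `drop` for deny (with the stateful-drop caveat noted above). The mapping of FWaaS ingress/egress onto OVN `to-lport`/`from-lport`, the router switch-port name and the trailing default-deny ACL are assumptions made here.

```python
# Constructed illustration of the "firewall rules -> stateless OVN ACLs" idea
# from this RFE; not neutron-fwaas code. Rule dicts use FWaaS v2 API field names.
# Assumed here: FWaaS 'ingress' is traffic delivered to the router's logical switch
# port (OVN 'to-lport'), 'egress' is traffic leaving it ('from-lport'), and
# unmatched traffic is dropped by a trailing low-priority ACL.

OVN_ACTION = {
    "allow": "allow-stateless",  # the stateless action tested in the RFE
    "deny": "drop",              # caveat from the RFE: OVN handles drop statefully
    "reject": "reject",
}
# FWaaS direction -> (OVN ACL direction, port column to match on)
OVN_DIRECTION = {"ingress": ("to-lport", "outport"),
                 "egress": ("from-lport", "inport")}

def _port_terms(proto, column, port_range):
    """Expand a FWaaS port value ('22' or '8000:8080') into OVN match terms."""
    if not port_range:
        return []
    lo, _, hi = str(port_range).partition(":")
    if not hi or hi == lo:
        return [f"{proto}.{column} == {lo}"]
    return [f"{proto}.{column} >= {lo}", f"{proto}.{column} <= {hi}"]

def rule_to_match(rule, port_column, lsp_name):
    """Build the OVN match string for one rule on the router's switch port."""
    ipv = "ip6" if rule.get("ip_version") == 6 else "ip4"
    terms = [f'{port_column} == "{lsp_name}"', ipv]
    proto = rule.get("protocol")
    if proto:
        terms.append(proto)
    for side, col in (("source", "src"), ("destination", "dst")):
        addr = rule.get(f"{side}_ip_address")
        if addr:
            terms.append(f"{ipv}.{col} == {addr}")
        if proto in ("tcp", "udp", "sctp"):
            terms += _port_terms(proto, col, rule.get(f"{side}_port"))
    return " && ".join(terms)

def policy_to_acls(rules, fw_direction, lsp_name, top_priority=2000):
    """Return OVN ACL rows (dicts of column values), preserving policy order:
    earlier rules get higher priority, disabled rules are skipped, and a final
    drop implements the policy's default deny (assumed here)."""
    direction, port_column = OVN_DIRECTION[fw_direction]
    enabled = [r for r in rules if r.get("enabled", True)]
    acls = [{"priority": top_priority - i, "direction": direction,
             "match": rule_to_match(r, port_column, lsp_name),
             "action": OVN_ACTION[r["action"]]} for i, r in enumerate(enabled)]
    acls.append({"priority": 1, "direction": direction,
                 "match": f'{port_column} == "{lsp_name}" && ip', "action": "drop"})
    return acls
```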

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/905416

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/905421

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/905416
Committed: https://opendev.org/openstack/neutron/commit/5dfb742d715c161c0c7e39d559b126e13022c789
Submitter: "Zuul (22348)"
Branch: master

commit 5dfb742d715c161c0c7e39d559b126e13022c789
Author: liushy <liuxie_11@163.com>
Date: Fri Jan 12 16:32:07 2024 +0800

    Add firewall_v2 to extensions supported by ovn

    This addition is required to run a devstack setup with ovn
    that includes firewall_v2 from the proposed patch [1]

    [1]https://review.opendev.org/c/openstack/neutron-fwaas/+/845756

    Related-Bug: #1971958
    Change-Id: Id370e86e470c160c38cfb5126bbfa0f0babe4485

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-tempest-plugin (master)

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/905421
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
