neutron: Use openvswitch firewall driver by default

The openvswitch firewall has been in the Neutron tree since Newton and has
gone through lots of improvements since then, including a simple upgrade
path from the iptables hybrid driver.

We have a tempest job running in Neutron tree with openvswitch firewall
that's been voting and stable for a while. For neutron_tempest_plugin,
we have had the openvswitch firewall in use since the beginning.

This patch proposes openvswitch firewall driver to become a default
driver for openvswitch agent deployments.

Change-Id: If26d0180e459210511f25f1faa83dd8ccea25ff4
Jakub Libosvar
2018-05-14 16:12:52 +02:00
parent 827f6c1a4a
commit a99ab7002c
2 changed files with 3 additions and 3 deletions


@@ -220,8 +220,8 @@ function configure_neutron_new {
if [[ $NEUTRON_AGENT == "linuxbridge" ]]; then if [[ $NEUTRON_AGENT == "linuxbridge" ]]; then
iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup firewall_driver iptables iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup firewall_driver iptables
iniset $NEUTRON_CORE_PLUGIN_CONF vxlan local_ip $HOST_IP iniset $NEUTRON_CORE_PLUGIN_CONF vxlan local_ip $HOST_IP
else elif [[ $NEUTRON_AGENT == "openvswitch" ]]; then
iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup firewall_driver iptables_hybrid iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup firewall_driver openvswitch
iniset $NEUTRON_CORE_PLUGIN_CONF ovs local_ip $HOST_IP iniset $NEUTRON_CORE_PLUGIN_CONF ovs local_ip $HOST_IP
if [[ "$NEUTRON_DISTRIBUTED_ROUTING" = "True" ]]; then if [[ "$NEUTRON_DISTRIBUTED_ROUTING" = "True" ]]; then
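Review bot: Narrowing the bare `else` to `elif [[ $NEUTRON_AGENT == "openvswitch" ]]` means any other NEUTRON_AGENT value no longer gets a `securitygroup firewall_driver` (or `ovs local_ip`) written, where the old branch always set one. If such values can reach configure_neutron_new, the agent would run with whatever Neutron falls back to when the option is unset, which may mean security group rules are not enforced. A closing `else` that fails loudly, e.g. `die $LINENO "Unsupported NEUTRON_AGENT: $NEUTRON_AGENT"`, or at least a comment stating the fall-through is intended, would make this explicit. The conditional continues past the end of this hunk, so a later branch may already cover it.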


@@ -86,7 +86,7 @@ function _neutron_ovs_base_install_agent_packages {
function _neutron_ovs_base_configure_firewall_driver { function _neutron_ovs_base_configure_firewall_driver {
if [[ "$Q_USE_SECGROUP" == "True" ]]; then if [[ "$Q_USE_SECGROUP" == "True" ]]; then
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver iptables_hybrid iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver openvswitch
if ! running_in_container; then if ! running_in_container; then
enable_kernel_bridge_firewall enable_kernel_bridge_firewall
fi fi
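Review bot: `enable_kernel_bridge_firewall` is still called after the driver becomes `openvswitch`, and nothing here says whether the native driver needs it or whether it is a leftover from `iptables_hybrid`. A short comment above the call would settle that, for example `# still required for ports that remain on hybrid plugging; not used by the openvswitch driver itself`, if that is indeed the reason. The driver value is also hard-coded, so a host whose OVS datapath lacks the connection-tracking support this driver presumably relies on has no way to stay on the previous driver. A one-line comment naming that prerequisite would help whoever debugs unenforced rules later. The function body continues outside this hunk.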