[openstack-dev] [nova][neutron] NoopFirewallDriver lead nova boot/show/list failure.

Bence Romsics rubasov at gmail.com
Tue Oct 22 17:21:20 UTC 2013


Hi,

> When firewall_driver is set to NoopFirewallDriver in Neutron agent,
> users can create security group and its rules, but no packet filtering
> is enforced.
> If neutron security group is enabled, users should expect packet
> filtering is enabled.
> I think this behavior is confusing from Neutron API perspective,
> and if no packet filtering is enforced, we cannot say security group
> feature is provided.
> This is the background of the change.

In my thoughts there are three players here, the developer, the
administrator and the users (close to what is the API perspective in
your terms).

If the administrator decides to use the noop implementation of an API
and he does not tell his users this is the case, that's definitely
confusing for the users. If the administrator wants to use the noop
implementation and, instead of getting a noop behaviour, the whole
extension disappears, that's also confusing, but for the administrator.

I also get that an API user typically does not know the configuration
against which his code will run.

The noop implementation cannot be turned on accidentally. The
administrator has to do it for whatever reason - likely debugging as
you mentioned. I believe it's not the developer's responsibility to
protect the users from the administrator's intentional configuration
decision.

Anyway I can live with the other proposed alternatives too. I just
wanted to point out that for me the current behavior was the
surprising one. And also wanted to connect the discussion to its
origins.

Thanks,
Bence


