Comment 13 for bug 1112912

dan wendlandt (danwent) wrote : Re: get_firewall_required should use VIF parameter from quantum

Ok, now I understand where you are coming from better. Well, at least we've gotten to the essence of the question :)

My understanding of your main goal was to eliminate the need for configuration variables in nova + quantum to be manually in sync, which to me implies that one entity would have to decide the desired state, and push it to the others. Since we are talking about aspects of network filtering, my thinking is that the network service would own the decision, pushing this information to Nova.

A key question here is which service "owns" network filtering policy, given that it is technically possible to implement filtering in both systems. Having it owned in two places doesn't make sense to me, since the policies could conflict unless manually synced. The reality is that Nova was originally designed in the absence of a network service, and thus took on certain network capabilities initially. We've moved functionality like security groups, floating IPs, etc. to Quantum, though we will not yet remove these capabilities from Nova for obvious backward compat reasons. As a result, it seems reasonable that when quantum is in use, the user has decided that quantum owns the definition of network behavior.