Since the ML2 plugin can concurrently support different L2 agents (or other mechanisms) with different configuration files,
the actual firewall_driver value in the ml2_conf.ini file does not matter in the server, but
firewall_driver must be set to a non-default value in the ml2 configuration to enable the securitygroup extension.
To enable securitygroup API, edit the ml2_conf.ini file:
[securitygroup] firewall_driver = dummy
Each L2 agent configuration file (such as ovs_neutron_plugin.ini or linuxbridge_conf.ini) should contain the appropriate firewall_driver value for that agent.
To disable securitygroup API, edit the ml2_conf.ini file:
[securitygroup] firewall_driver = neutron.agent.firewall.NoopFirewallDriver
Also, each L2 agent configuration file (such as ovs_neutron_plugin.ini or linuxbridge_conf.ini) should contain this value in firewall_driver parameter for that agent.
