djoreilly / disable_OS_firewalls.md
Last active December 29, 2023 07:07
Howto disable OpenStack firewalls

Tested on Kilo, Juno and Liberty. This breaks creating instances in Horizon (on Liberty anyway, maybe on older releases too).

People usually want to do this because the anti-spoofing rules drop packets sent by Nova instances whose source MAC or IP address is not the one allocated to the instance. Note: the allowed-address-pairs or port-security extensions can fix that. There is also a performance drop when using the hybrid plugging strategy (veth + linuxbridge + iptables).
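A simplified model of that anti-spoofing decision, as an added example (not Neutron's or the gist author's code; the real check is enforced with iptables rules on the compute node). It shows how an allowed-address-pairs entry or a per-port port-security switch lets a legitimate extra address through without disabling the firewall everywhere. The `Port` class, `egress_allowed` and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Port:
    """Simplified stand-in for a Neutron port (hypothetical, not the Neutron object)."""
    mac: str
    fixed_ips: list
    # Each entry: {"ip_address": <IP or CIDR>, optional "mac_address": <MAC>}
    allowed_address_pairs: list = field(default_factory=list)
    port_security_enabled: bool = True


def egress_allowed(port, src_mac, src_ip):
    """Return True if a frame sent by the instance passes the anti-spoofing check."""
    if not port.port_security_enabled:
        return True  # port-security extension: filtering is off for this port only
    ip = ipaddress.ip_address(src_ip)
    # Addresses allocated to the instance: the port MAC with each fixed IP.
    pairs = [(port.mac, fixed) for fixed in port.fixed_ips]
    # allowed-address-pairs: ip_address may be a CIDR; mac_address defaults to the port MAC.
    for entry in port.allowed_address_pairs:
        pairs.append((entry.get("mac_address", port.mac), entry["ip_address"]))
    return any(
        src_mac.lower() == mac.lower()
        and ip in ipaddress.ip_network(net, strict=False)
        for mac, net in pairs
    )


def demo():
    """Constructed scenario: an instance that must also send from a shared virtual IP."""
    mac, vip = "fa:16:3e:00:00:01", "10.0.0.100"
    plain = Port(mac=mac, fixed_ips=["10.0.0.5"])
    paired = Port(mac=mac, fixed_ips=["10.0.0.5"],
                  allowed_address_pairs=[{"ip_address": vip}])
    unfiltered = Port(mac=mac, fixed_ips=["10.0.0.5"], port_security_enabled=False)
    return {
        "own_address": egress_allowed(plain, mac, "10.0.0.5"),
        "vip_without_pair": egress_allowed(plain, mac, vip),
        "vip_with_pair": egress_allowed(paired, mac, vip),
        "foreign_mac_with_pair": egress_allowed(paired, "fa:16:3e:00:00:99", vip),
        "vip_port_security_off": egress_allowed(unfiltered, mac, vip),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'pass' if allowed else 'drop'}")
```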

However, Nova needs a security groups API or it will refuse to start instances. It must be configured to use either its own or Neutron's. Here we configure it to use the Nova security groups API, but prevent nova-compute (and the Neutron L2 agent, just to be sure) from applying any iptables rules.

On each controller and compute node, change: