All egress traffic allowed by default should be implied
authorAaron Rosen <arosen@nicira.com>
Wed, 14 Nov 2012 22:52:06 +0000 (14:52 -0800)
committerAkihiro MOTOKI <motoki@da.jp.nec.com>
Mon, 19 Nov 2012 14:30:09 +0000 (23:30 +0900)
This commit removes the egress rules that were created by default,
to align with the way security groups work in Amazon VPC.
"By default, all egress is allowed from the security
group until you add outbound rules to the group (then only the egress you
specified is allowed)."

Change-Id: I63936fbf76ea9a2828c8923be6ec14aac46b21bd

quantum/db/securitygroups_db.py
quantum/tests/unit/test_extension_security_group.py

index b61f1dcb33f2df91e56f44cd5fd9426f38444ffd..6e2eb5d29632a4e44997d8fc58c71eaccd344cc8 100644 (file)
@@ -127,20 +127,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
             context.session.add(security_group_db)
             if s.get('name') == 'default':
                 for ethertype in self.sg_supported_ethertypes:
-                    # Allow all egress traffic
-                    db = SecurityGroupRule(
-                        id=utils.str_uuid(), tenant_id=tenant_id,
-                        security_group=security_group_db,
-                        direction='egress',
-                        ethertype=ethertype)
-                    context.session.add(db)
                     # Allow intercommunication
                     db = SecurityGroupRule(
                         id=utils.str_uuid(), tenant_id=tenant_id,
                         security_group=security_group_db,
                         direction='ingress',
-                        source_group=security_group_db,
-                        ethertype=ethertype)
+                        ethertype=ethertype,
+                        source_group=security_group_db)
                     context.session.add(db)
 
         return self._make_security_group_dict(security_group_db)
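Review bot: After this change the loop creates only the ingress intra-group rule per ethertype, and nothing in the code records that the absence of an egress rule is intentional, so a reader of the database state will take the default group for deny-all-egress. A comment above `# Allow intercommunication` should state the contract, e.g. `# No explicit egress rule is stored: egress is implied-allowed until the tenant adds an egress rule (Amazon VPC semantics).` The implied allow itself is not implemented in this hunk; it has to live wherever stored rules are translated into enforcement, and if a backend enforces only the stored rows the default group would block all outbound traffic, so that path is worth checking alongside this commit. The enclosing method starts before the hunk.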
index efda1c7d5cc45d868188136a421c2a9d7b5b618b..83c17713d381d0faa2cdd965560ca7a7a6eb93b9 100644 (file)
@@ -367,7 +367,7 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
             self.assertEquals(len(groups['security_groups']), 1)
             res = self.new_list_request('security-group-rules')
             rules = self.deserialize('json', res.get_response(self.ext_api))
-            self.assertEquals(len(rules['security_group_rules']), 4)
+            self.assertEquals(len(rules['security_group_rules']), 2)
             # just generic rules to allow default egress and
             # intergroup communicartion
             for rule in rules['security_group_rules']:
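Review bot: The comment `# just generic rules to allow default egress and` / `# intergroup communicartion` is now stale: with this commit no default egress rule exists, which is exactly why the expected count drops from 4 to 2, and "communicartion" is misspelt. Replace the two lines with `# only the generic intra-group ingress rules are created by default`. The `for rule in ...` loop that this comment introduces continues outside the hunk.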