From: Aaron Rosen
Date: Wed, 14 Nov 2012 22:52:06 +0000 (-0800)
Subject: All egress traffic allowed by default should be implied
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=495909de281f6749262fcfad00d110351c1f3f02;p=openstack-build%2Fneutron-build.git

All egress traffic allowed by default should be implied

This commit removes the egress rules that were created by default to align with the way security groups work in amazon VPC.

"By default, all egress is allowed from the security group until you add outbound rules to the group (then only the egress you specified is allowed)."

Change-Id: I63936fbf76ea9a2828c8923be6ec14aac46b21bd
---

diff --git a/quantum/db/securitygroups_db.py b/quantum/db/securitygroups_db.py
index b61f1dcb3..6e2eb5d29 100644
--- a/quantum/db/securitygroups_db.py
+++ b/quantum/db/securitygroups_db.py
@@ -127,20 +127,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
             context.session.add(security_group_db)
             if s.get('name') == 'default':
                 for ethertype in self.sg_supported_ethertypes:
-                    # Allow all egress traffic
-                    db = SecurityGroupRule(
-                        id=utils.str_uuid(), tenant_id=tenant_id,
-                        security_group=security_group_db,
-                        direction='egress',
-                        ethertype=ethertype)
-                    context.session.add(db)
                     # Allow intercommunication
                     db = SecurityGroupRule(
                         id=utils.str_uuid(), tenant_id=tenant_id,
                         security_group=security_group_db,
                         direction='ingress',
-                        source_group=security_group_db,
-                        ethertype=ethertype)
+                        ethertype=ethertype,
+                        source_group=security_group_db)
                     context.session.add(db)
 
         return self._make_security_group_dict(security_group_db)
diff --git a/quantum/tests/unit/test_extension_security_group.py b/quantum/tests/unit/test_extension_security_group.py
index efda1c7d5..83c17713d 100644
--- a/quantum/tests/unit/test_extension_security_group.py
+++ b/quantum/tests/unit/test_extension_security_group.py
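Review bot: With the `# Allow all egress traffic` rule deleted, nothing left in create_security_group records that the default group is meant to permit all outbound traffic implicitly, so a reader of this DB layer sees only the self-referencing ingress rule and will conclude the default group allows no egress at all. I would keep the contract next to the surviving rule: `# No egress rule is stored: egress is implicitly allowed until an explicit egress rule is added to the group (AWS VPC semantics).` That implied allow-all, and its flip to "only the listed egress" once one egress rule exists, is a permissive default that has to be enforced outside this hunk (presumably in the agent/firewall driver), so that side should be verified in the same change rather than assumed. The swap of the `ethertype`/`source_group` keyword arguments on the ingress rule is a no-op. The enclosing method and its session block start before the hunk.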
@@ -367,7 +367,7 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
         self.assertEquals(len(groups['security_groups']), 1)
         res = self.new_list_request('security-group-rules')
         rules = self.deserialize('json', res.get_response(self.ext_api))
-        self.assertEquals(len(rules['security_group_rules']), 4)
+        self.assertEquals(len(rules['security_group_rules']), 2)
         # just generic rules to allow default egress and
         # intergroup communicartion
         for rule in rules['security_group_rules']:
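Review bot: The context comment `# just generic rules to allow default egress and` / `# intergroup communicartion` is now wrong as well as misspelled: after this change the two remaining rules are the per-ethertype self-referencing ingress rules and no default egress rule exists. I would change it to `# only the per-ethertype intergroup (self-referencing ingress) rules; egress is implied`. Asserting only the count does not pin the new behaviour, since a regression that re-adds an egress rule for one ethertype and drops another would still total 2; inside the `for rule in rules['security_group_rules']:` loop, whose body continues past the hunk, add `self.assertEquals(rule['direction'], 'ingress')` so the absence of egress rules is checked explicitly.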