From 495909de281f6749262fcfad00d110351c1f3f02 Mon Sep 17 00:00:00 2001
From: Aaron Rosen
Date: Wed, 14 Nov 2012 14:52:06 -0800
Subject: [PATCH] All egress traffic allowed by default should be implied

This commit removes the egress rules that were created by default to align with the way security groups work in amazon VPC.

"By default, all egress is allowed from the security group until you add outbound rules to the group (then only the egress you specified is allowed)."

Change-Id: I63936fbf76ea9a2828c8923be6ec14aac46b21bd
---
 quantum/db/securitygroups_db.py | 11 ++---------
 quantum/tests/unit/test_extension_security_group.py | 2 +-
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/quantum/db/securitygroups_db.py b/quantum/db/securitygroups_db.py
index b61f1dcb33f..6e2eb5d2963 100644
--- a/quantum/db/securitygroups_db.py
+++ b/quantum/db/securitygroups_db.py
@@ -127,20 +127,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
             context.session.add(security_group_db)
             if s.get('name') == 'default':
                 for ethertype in self.sg_supported_ethertypes:
-                    # Allow all egress traffic
-                    db = SecurityGroupRule(
-                        id=utils.str_uuid(), tenant_id=tenant_id,
-                        security_group=security_group_db,
-                        direction='egress',
-                        ethertype=ethertype)
-                    context.session.add(db)
                     # Allow intercommunication
                     db = SecurityGroupRule(
                         id=utils.str_uuid(), tenant_id=tenant_id,
                         security_group=security_group_db,
                         direction='ingress',
-                        source_group=security_group_db,
-                        ethertype=ethertype)
+                        ethertype=ethertype,
+                        source_group=security_group_db)
                     context.session.add(db)
 
         return self._make_security_group_dict(security_group_db)
diff --git a/quantum/tests/unit/test_extension_security_group.py b/quantum/tests/unit/test_extension_security_group.py
index efda1c7d5cc..83c17713d38 100644
--- a/quantum/tests/unit/test_extension_security_group.py
+++ b/quantum/tests/unit/test_extension_security_group.py
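Review bot: With the explicit egress rules removed, nothing left in create_security_group records that egress is allow-all only until a tenant adds an egress rule, so the policy the commit message describes now lives entirely in whatever enforces the rules; a comment at the creation site should state it, e.g. `# No egress rule is created: egress is implicitly allow-all until the tenant adds one, after which only the listed egress is permitted (the enforcing driver must honour this)`. The reordering of the `ethertype`/`source_group` keyword arguments at the end of the hunk changes nothing and only adds noise to the diff. The removed rules were only ever added for the group named 'default', and this commit touches no existing rows, so default groups already in the database presumably keep an explicit allow-all egress rule while new ones have none — the effective policy is the same under the new semantics, but that should be confirmed against the enforcing driver and any migration. create_security_group starts before the hunk.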
@@ -367,7 +367,7 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
             self.assertEquals(len(groups['security_groups']), 1)
             res = self.new_list_request('security-group-rules')
             rules = self.deserialize('json', res.get_response(self.ext_api))
-            self.assertEquals(len(rules['security_group_rules']), 4)
+            self.assertEquals(len(rules['security_group_rules']), 2)
             # just generic rules to allow default egress and
             # intergroup communicartion
             for rule in rules['security_group_rules']:
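Review bot: The comment kept below the changed assertion still says the rules exist `to allow default egress`, but after this commit the two remaining rules are the per-ethertype ingress intra-group rules and no egress rule is created; it should read `# only the per-ethertype ingress rules allowing traffic within the group; egress is implicit`, which also fixes the `communicartion` typo. The count assertion alone does not prove the egress rules are gone, so the loop that follows — its body is outside the hunk — should also assert `self.assertEquals(rule['direction'], 'ingress')` for each rule. Which ethertypes make up the expected count of 2 depends on sg_supported_ethertypes, which is not visible here.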