From ad742e1a51360b09763adb5b88df6f958bdb644c Mon Sep 17 00:00:00 2001
From: Aaron Rosen
Date: Wed, 14 Nov 2012 14:52:06 -0800
Subject: [PATCH] All egress traffic allowed by default should be implied

This commit removes the egress rules that were created by default to align with the way security groups work in amazon VPC. "By default, all egress is allowed from the security group until you add outbound rules to the group (then only the egress you specified is allowed)."

Change-Id: I63936fbf76ea9a2828c8923be6ec14aac46b21bd
---
 quantum/db/securitygroups_db.py | 11 ++---------
 quantum/tests/unit/test_extension_security_group.py | 2 +-
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/quantum/db/securitygroups_db.py b/quantum/db/securitygroups_db.py
index b61f1dcb33..6e2eb5d296 100644
--- a/quantum/db/securitygroups_db.py
+++ b/quantum/db/securitygroups_db.py
@@ -127,20 +127,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
 context.session.add(security_group_db)
 if s.get('name') == 'default':
 for ethertype in self.sg_supported_ethertypes:
- # Allow all egress traffic
- db = SecurityGroupRule(
- id=utils.str_uuid(), tenant_id=tenant_id,
- security_group=security_group_db,
- direction='egress',
- ethertype=ethertype)
- context.session.add(db)
 # Allow intercommunication
 db = SecurityGroupRule(
 id=utils.str_uuid(), tenant_id=tenant_id,
 security_group=security_group_db,
 direction='ingress',
- source_group=security_group_db,
- ethertype=ethertype)
+ ethertype=ethertype,
+ source_group=security_group_db)
 context.session.add(db)
 return self._make_security_group_dict(security_group_db)
diff --git a/quantum/tests/unit/test_extension_security_group.py b/quantum/tests/unit/test_extension_security_group.py
index efda1c7d5c..83c17713d3 100644
--- a/quantum/tests/unit/test_extension_security_group.py
+++ b/quantum/tests/unit/test_extension_security_group.py
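Review bot: With the explicit egress rows gone, the default group's egress policy is now encoded only by the absence of rules, and nothing in the default-group branch of this method says so; the surviving `# Allow intercommunication` comment should carry the invariant, e.g. `# No egress rules are created on purpose: egress is implied-allow while a` / `# group has no egress rules and becomes allow-listed once the first one is added.` That cliff (adding a single egress rule silently switches the group from allow-all to deny-all-but-listed egress) is what the enforcement driver must implement, and this is the one place where the default group is built, so it is worth stating here. The swap of the `ethertype=` and `source_group=` keyword order on the remaining ingress rule is unrelated churn with no behavioural effect and would be cleaner left out of this patch. The enclosing method (presumably the security-group create path) starts before the hunk.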
@@ -367,7 +367,7 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
 self.assertEquals(len(groups['security_groups']), 1)
 res = self.new_list_request('security-group-rules')
 rules = self.deserialize('json', res.get_response(self.ext_api))
- self.assertEquals(len(rules['security_group_rules']), 4)
+ self.assertEquals(len(rules['security_group_rules']), 2)
 # just generic rules to allow default egress and
 # intergroup communicartion
 for rule in rules['security_group_rules']:
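Review bot: The two comment lines after the changed assertion still describe the rules as allowing "default egress", which is exactly what this commit stops creating, so the comment is now stale (and "communicartion" is a typo); change them to `# just the generic ingress rules allowing intergroup communication`. A bare count of 2 cannot distinguish two ingress rules from one ingress plus one leftover egress rule, so the `for rule in ...` loop that follows is the right place to pin the new invariant, e.g. `self.assertEquals(rule['direction'], 'ingress')`, if it does not already check direction. That loop's body lies outside the hunk.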