feature #3175: Add a default SG rule to allow outbound connections for every protocol

2025-03-21 14:50:08 +03:00 · 2014-11-13 17:45:52 +01:00 · 2014-11-13 17:45:52 +01:00 · b57ccf38ed
commit b57ccf38ed
parent 3f2ad72cb0
2 changed files with 44 additions and 1 deletions
--- a/src/nebula/Nebula.cc
+++ b/src/nebula/Nebula.cc
@ -473,7 +473,6 @@ void Nebula::start(bool bootstrap_only)
        clpool  = new ClusterPool(db);
        docpool = new DocumentPool(db);
        zonepool= new ZonePool(db, is_federation_slave());
-        secgrouppool = new SecurityGroupPool(db);

        nebula_configuration->get("VM_HOOK", vm_hooks);
        nebula_configuration->get("HOST_HOOK",  host_hooks);
@ -548,6 +547,8 @@ void Nebula::start(bool bootstrap_only)

        default_user_quota.select();
        default_group_quota.select();
+
+        secgrouppool = new SecurityGroupPool(db);
    }
    catch (exception&)
    {
--- a/src/secgroup/SecurityGroupPool.cc
+++ b/src/secgroup/SecurityGroupPool.cc
@ -15,6 +15,9 @@
 /* -------------------------------------------------------------------------- */

 #include "SecurityGroupPool.h"
+#include "User.h"
+#include "Nebula.h"
+#include "NebulaLog.h"

 /* -------------------------------------------------------------------------- */

@ -24,6 +27,45 @@ SecurityGroupPool::SecurityGroupPool(SqlDB * db)
    //lastOID is set in PoolSQL::init_cb
    if (get_lastOID() == -1)
    {
+        // Build the default default security group
+        string default_sg =
+            "NAME=default\n"
+            "DESCRIPTION=\"The default security group is added to every "
+            "network. Use it to add default filter rules for your networks. "
+            "You may remove this security group from any network by "
+            "updating its properties.\"\n"
+            "RULE=[RULE_TYPE=OUTBOUND,PROTOCOL=ALL]";
+
+        Nebula& nd         = Nebula::instance();
+        UserPool * upool   = nd.get_upool();
+        User *    oneadmin = upool->get(0, false);
+
+        string error;
+
+        Template * default_tmpl = new Template;
+        char * error_parse;
+
+        default_tmpl->parse(default_sg, &error_parse);
+
+        SecurityGroup * secgroup = new SecurityGroup(
+                oneadmin->get_uid(),
+                oneadmin->get_gid(),
+                oneadmin->get_uname(),
+                oneadmin->get_gname(),
+                oneadmin->get_umask(),
+                default_tmpl);
+
+        secgroup->set_permissions(1,1,1,1,0,0,1,0,0,error);
+
+        if (PoolSQL::allocate(secgroup, error) < 0)
+        {
+            ostringstream oss;
+            oss << "Error trying to create default security group: " << error;
+            NebulaLog::log("SGROUP", Log::ERROR, oss);
+
+            throw runtime_error(oss.str());
+        }
+
        // The first 100 IDs are reserved for system Security Groups.
        // Regular ones start from ID 100