From b57ccf38edd1a22ce7c85a0d204bf6791ad57c07 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero"
Date: Thu, 13 Nov 2014 17:45:52 +0100
Subject: [PATCH] feature #3175: Add a default SG rule to allow outbound connections for every protocol

---
 src/nebula/Nebula.cc | 3 ++-
 src/secgroup/SecurityGroupPool.cc | 42 +++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/src/nebula/Nebula.cc b/src/nebula/Nebula.cc
index 70915bbf67..796daa7537 100644
--- a/src/nebula/Nebula.cc
+++ b/src/nebula/Nebula.cc
@@ -473,7 +473,6 @@ void Nebula::start(bool bootstrap_only)
     clpool = new ClusterPool(db);
     docpool = new DocumentPool(db);
     zonepool= new ZonePool(db, is_federation_slave());
-    secgrouppool = new SecurityGroupPool(db);
     nebula_configuration->get("VM_HOOK", vm_hooks);
     nebula_configuration->get("HOST_HOOK", host_hooks);
@@ -548,6 +547,8 @@ void Nebula::start(bool bootstrap_only)
         default_user_quota.select();
         default_group_quota.select();
+
+        secgrouppool = new SecurityGroupPool(db);
     }
     catch (exception&)
     {
diff --git a/src/secgroup/SecurityGroupPool.cc b/src/secgroup/SecurityGroupPool.cc
index 4d20eef7f7..7a9aeedb6b 100644
--- a/src/secgroup/SecurityGroupPool.cc
+++ b/src/secgroup/SecurityGroupPool.cc
@@ -15,6 +15,9 @@
 /* -------------------------------------------------------------------------- */
 #include "SecurityGroupPool.h"
+#include "User.h"
+#include "Nebula.h"
+#include "NebulaLog.h"
 /* -------------------------------------------------------------------------- */
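Review bot: The relocated `secgrouppool = new SecurityGroupPool(db);` in the second Nebula.cc hunk now carries an initialization-order dependency that the hunk does not state: the pool constructor in the other file of this patch calls `Nebula::instance().get_upool()` and dereferences the user returned by `upool->get(0, false)` without a null check, so the line must stay after the user pool is built and, on a fresh bootstrap, after oneadmin exists in the database. A comment on the new line would keep the constraint from being lost in a future reordering, e.g. `// SecurityGroupPool bootstraps the default SG as oneadmin: keep after UserPool setup and bootstrap`. Moving the call inside the try block also appears to be what lets the `runtime_error` thrown by that constructor reach the existing `catch (exception&)` below; if that is the intent, a sentence in the commit description would help. Nebula::start continues outside the hunk.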
@@ -24,6 +27,45 @@ SecurityGroupPool::SecurityGroupPool(SqlDB * db)
     //lastOID is set in PoolSQL::init_cb
     if (get_lastOID() == -1)
     {
+        // Build the default default security group
+        string default_sg =
+            "NAME=default\n"
+            "DESCRIPTION=\"The default security group is added to every "
+            "network. Use it to add default filter rules for your networks. "
+            "You may remove this security group from any network by "
+            "updating its properties.\"\n"
+            "RULE=[RULE_TYPE=OUTBOUND,PROTOCOL=ALL]";
+
+        Nebula& nd = Nebula::instance();
+        UserPool * upool = nd.get_upool();
+        User * oneadmin = upool->get(0, false);
+
+        string error;
+
+        Template * default_tmpl = new Template;
+        char * error_parse;
+
+        default_tmpl->parse(default_sg, &error_parse);
+
+        SecurityGroup * secgroup = new SecurityGroup(
+            oneadmin->get_uid(),
+            oneadmin->get_gid(),
+            oneadmin->get_uname(),
+            oneadmin->get_gname(),
+            oneadmin->get_umask(),
+            default_tmpl);
+
+        secgroup->set_permissions(1,1,1,1,0,0,1,0,0,error);
+
+        if (PoolSQL::allocate(secgroup, error) < 0)
+        {
+            ostringstream oss;
+            oss << "Error trying to create default security group: " << error;
+            NebulaLog::log("SGROUP", Log::ERROR, oss);
+
+            throw runtime_error(oss.str());
+        }
+
         // The first 100 IDs are reserved for system Security Groups.
         // Regular ones start from ID 100