Examples with SetFirewallRulesCommand com.cloud.agent.api.routing.SetFirewallRulesCommand used on opensource projects

Example 6 with SetFirewallRulesCommand

use of com.cloud.agent.api.routing.SetFirewallRulesCommand in project cloudstack by apache.

the class CiscoVnmcElement method applyFWRules.

@Override
public boolean applyFWRules(Network network, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
    if (!_networkModel.isProviderSupportServiceInNetwork(network.getId(), Service.Firewall, Provider.CiscoVnmc)) {
        s_logger.error("Firewall service is not provided by Cisco Vnmc device on network " + network.getName());
        return false;
    }
    // Find VNMC host for physical network
    List<CiscoVnmcControllerVO> devices = _ciscoVnmcDao.listByPhysicalNetwork(network.getPhysicalNetworkId());
    if (devices.isEmpty()) {
        s_logger.error("No Cisco Vnmc device on network " + network.getName());
        return true;
    }
    // Find if ASA 1000v is associated with network
    NetworkAsa1000vMapVO asaForNetwork = _networkAsa1000vMapDao.findByNetworkId(network.getId());
    if (asaForNetwork == null) {
        s_logger.debug("Cisco ASA 1000v device is not associated with network " + network.getName());
        return true;
    }
    if (network.getState() == Network.State.Allocated) {
        s_logger.debug("External firewall was asked to apply firewall rules for network with ID " + network.getId() + "; this network is not implemented. Skipping backend commands.");
        return true;
    }
    CiscoVnmcControllerVO ciscoVnmcDevice = devices.get(0);
    HostVO ciscoVnmcHost = _hostDao.findById(ciscoVnmcDevice.getHostId());
    List<FirewallRuleTO> rulesTO = new ArrayList<FirewallRuleTO>();
    for (FirewallRule rule : rules) {
        String address = "0.0.0.0";
        if (rule.getTrafficType() == TrafficType.Ingress) {
            IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
            address = sourceIp.getAddress().addr();
        }
        FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, address, rule.getPurpose(), rule.getTrafficType());
        rulesTO.add(ruleTO);
    }
    if (!rulesTO.isEmpty()) {
        SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
        cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, BroadcastDomainType.getValue(network.getBroadcastUri()));
        cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, network.getCidr());
        Answer answer = _agentMgr.easySend(ciscoVnmcHost.getId(), cmd);
        if (answer == null || !answer.getResult()) {
            String details = (answer != null) ? answer.getDetails() : "details unavailable";
            String msg = "Unable to apply firewall rules to Cisco ASA 1000v appliance due to: " + details + ".";
            s_logger.error(msg);
            throw new ResourceUnavailableException(msg, DataCenter.class, network.getDataCenterId());
        }
    }
    return true;
}

Example 7 with SetFirewallRulesCommand

use of com.cloud.agent.api.routing.SetFirewallRulesCommand in project cloudstack by apache.

the class CommandSetupHelper method createFirewallRulesCommands.

public void createFirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) {
    final List<FirewallRuleTO> rulesTO = new ArrayList<FirewallRuleTO>();
    String systemRule = null;
    Boolean defaultEgressPolicy = false;
    if (rules != null) {
        if (rules.size() > 0) {
            if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) {
                systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
            }
        }
        for (final FirewallRule rule : rules) {
            _rulesDao.loadSourceCidrs((FirewallRuleVO) rule);
            final FirewallRule.TrafficType traffictype = rule.getTrafficType();
            if (traffictype == FirewallRule.TrafficType.Ingress) {
                final IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
                final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(), Purpose.Firewall, traffictype);
                rulesTO.add(ruleTO);
            } else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) {
                final NetworkVO network = _networkDao.findById(guestNetworkId);
                final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
                defaultEgressPolicy = offering.getEgressDefaultPolicy();
                assert rule.getSourceIpAddressId() == null : "ipAddressId should be null for egress firewall rule. ";
                final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, "", Purpose.Firewall, traffictype, defaultEgressPolicy);
                rulesTO.add(ruleTO);
            }
        }
    }
    final SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
    cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId()));
    cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, _routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId()));
    cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());
    final DataCenterVO dcVo = _dcDao.findById(router.getDataCenterId());
    cmd.setAccessDetail(NetworkElementCommand.ZONE_NETWORK_TYPE, dcVo.getNetworkType().toString());
    if (systemRule != null) {
        cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, systemRule);
    } else {
        cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, String.valueOf(defaultEgressPolicy));
    }
    cmds.addCommand(cmd);
}

Example 8 with SetFirewallRulesCommand

use of com.cloud.agent.api.routing.SetFirewallRulesCommand in project cloudstack by apache.

the class SetFirewallRulesConfigItem method generateConfig.

@Override
public List<ConfigItem> generateConfig(final NetworkElementCommand cmd) {
    final SetFirewallRulesCommand command = (SetFirewallRulesCommand) cmd;
    final List<FirewallRule> rules = new ArrayList<FirewallRule>();
    for (final FirewallRuleTO rule : command.getRules()) {
        final FirewallRule fwRule = new FirewallRule(rule.getId(), rule.getSrcVlanTag(), rule.getSrcIp(), rule.getProtocol(), rule.getSrcPortRange(), rule.revoked(), rule.isAlreadyAdded(), rule.getSourceCidrList(), rule.getPurpose().toString(), rule.getIcmpType(), rule.getIcmpCode(), rule.getTrafficType().toString(), rule.getGuestCidr(), rule.isDefaultEgressPolicy());
        rules.add(fwRule);
    }
    final FirewallRules ruleSet = new FirewallRules(rules.toArray(new FirewallRule[rules.size()]));
    return generateConfigItems(ruleSet);
}

Example 9 with SetFirewallRulesCommand

use of com.cloud.agent.api.routing.SetFirewallRulesCommand in project cloudstack by apache.

the class ExternalFirewallDeviceManagerImpl method sendFirewallRules.

protected void sendFirewallRules(List<FirewallRuleTO> firewallRules, DataCenter zone, long externalFirewallId) throws ResourceUnavailableException {
    if (!firewallRules.isEmpty()) {
        SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(firewallRules);
        Answer answer = _agentMgr.easySend(externalFirewallId, cmd);
        if (answer == null || !answer.getResult()) {
            String details = (answer != null) ? answer.getDetails() : "details unavailable";
            String msg = "External firewall was unable to apply static nat rules to the SRX appliance in zone " + zone.getName() + " due to: " + details + ".";
            s_logger.error(msg);
            throw new ResourceUnavailableException(msg, DataCenter.class, zone.getId());
        }
    }
}

Example 10 with SetFirewallRulesCommand

use of com.cloud.agent.api.routing.SetFirewallRulesCommand in project cloudstack by apache.

the class PaloAltoResourceTest method removeIngressFirewallRule.

@Test
public void removeIngressFirewallRule() throws ConfigurationException, Exception {
    if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
        System.out.println("\nTEST: removeIngressFirewallRule");
        System.out.println("---------------------------------------------------");
    }
    _context.put("has_public_interface", "true");
    _context.put("has_private_interface", "true");
    _context.put("has_src_nat_rule", "true");
    _context.put("has_isolation_fw_rule", "true");
    _context.put("has_service_tcp_80", "true");
    _context.put("has_ingress_fw_rule", "true");
    _resource.setMockContext(_context);
    _resource.configure("PaloAltoResource", _resourceParams);
    long vlanId = 3954;
    List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
    FirewallRuleTO revoked = new FirewallRuleTO(8, null, "192.168.80.103", "tcp", 80, 80, true, false, FirewallRule.Purpose.Firewall, null, null, null);
    rules.add(revoked);
    SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rules);
    cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
    cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
    Answer answer = _resource.executeRequest(cmd);
    assertTrue(answer.getResult());
}