use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.
the class HypervDirectConnectResource method execute.
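/**
 * Applies the firewall rules carried by {@code cmd} on the domain router by running one of two
 * scripts over SSH ({@code /root/firewallRule_egress.sh} for egress rules, {@code /root/firewall_rule.sh}
 * otherwise). All rules are sent in a single invocation, so the outcome is reported for every rule at once.
 *
 * @param cmd the command; the script is selected from the traffic type of its first rule
 * @return an answer whose per-rule result array is {@code "Failed"} for every rule when the script
 *         fails or cannot be run, and untouched ({@code null} entries) on success
 */
protected SetFirewallRulesAnswer execute(final SetFirewallRulesCommand cmd) {
    final FirewallRuleTO[] allrules = cmd.getRules();
    final String[] results = new String[allrules.length];
    if (allrules.length == 0) {
        // The script to run is chosen from the first rule's traffic type, so an empty rule set cannot be
        // dispatched; report it instead of indexing allrules[0] and throwing.
        s_logger.error("SetFirewallRulesCommand received with no rules; nothing to apply");
        return new SetFirewallRulesAnswer(cmd, false, results);
    }
    final String controlIp = getRouterSshControlIp(cmd);
    final FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
    final boolean egress = trafficType == FirewallRule.TrafficType.Egress;
    final String egressDefault = cmd.getAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT);
    final String[][] rules = cmd.generateFwRules();

    // Script arguments: -F always; for egress also -E plus -P <n> derived from FIREWALL_EGRESS_DEFAULT
    // ("true" -> 1, "System" -> 2, anything else including a missing detail -> 0).
    final StringBuilder args = new StringBuilder(" -F ");
    if (egress) {
        args.append(" -E ");
        // Constant-first comparisons: the access detail may be absent (null).
        if ("true".equals(egressDefault)) {
            args.append(" -P 1 ");
        } else if ("System".equals(egressDefault)) {
            args.append(" -P 2 ");
        } else {
            args.append(" -P 0 ");
        }
    }
    // -a <rule,rule,...,> : comma-terminated list of the rule strings produced by generateFwRules().
    // NOTE(review): these strings are placed on a remote shell command line without quoting; they are
    // generated on the management-server side, not taken from the rule's user-supplied fields directly —
    // confirm if the rule format ever changes.
    final String[] fwRules = rules[0];
    if (fwRules.length > 0) {
        final StringBuilder ruleList = new StringBuilder();
        for (final String fwRule : fwRules) {
            ruleList.append(fwRule).append(',');
        }
        args.append(" -a ").append(ruleList);
    }

    final String script = egress ? "/root/firewallRule_egress.sh " : "/root/firewall_rule.sh ";
    final String command = script + args;
    try {
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Executing script on domain router " + controlIp + ": " + command);
        }
        final Pair<Boolean, String> result =
            SshHelper.sshExecute(controlIp, DEFAULT_DOMR_SSHPORT, "root", getSystemVMKeyFile(), null, command);
        if (!result.first()) {
            s_logger.error("SetFirewallRulesCommand failure on setting one rule. args: " + args);
            return failAllRules(cmd, results);
        }
    } catch (final Throwable e) {
        // Throwable is kept deliberately: any failure to reach or run the script must be reported as an
        // answer rather than propagate out of the agent dispatch.
        s_logger.error("SetFirewallRulesCommand(args: " + args + ") failed on setting one rule due to ", e);
        return failAllRules(cmd, results);
    }
    return new SetFirewallRulesAnswer(cmd, true, results);
}

/**
 * Builds the failure answer for {@code cmd}, marking every rule as {@code "Failed"}.
 * FIXME - in the future we have to process each rule separately; now we temporarily set every rule to be
 * false if a single rule fails, because the script applies the whole list in one go.
 */
private static SetFirewallRulesAnswer failAllRules(final SetFirewallRulesCommand cmd, final String[] results) {
    java.util.Arrays.fill(results, "Failed");
    return new SetFirewallRulesAnswer(cmd, false, results);
}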
use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.
the class JuniperSrxResource method execute.
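/**
 * Applies the static NAT rules in {@code cmd} to the SRX: for every public/private IP pair the existing
 * static NAT rule is removed and, if the pair still has active rules, re-added with those rules.
 * On an {@link ExecutionException} the open configuration is closed and the command is retried up to
 * {@code numRetries} times, provided the SRX connection can be refreshed.
 *
 * @param cmd        the static NAT rules to apply
 * @param numRetries remaining retry budget for this command
 * @return a successful {@link Answer}, or one wrapping the last exception when retries are exhausted
 */
private Answer execute(SetStaticNatRulesCommand cmd, int numRetries) {
    StaticNatRuleTO[] allRules = cmd.getRules();
    Map<String, ArrayList<FirewallRuleTO>> activeRules = getActiveRules(allRules);
    Map<String, String> vlanTagMap = getVlanTagMap(allRules);
    try {
        openConfiguration();
        for (Map.Entry<String, ArrayList<FirewallRuleTO>> entry : activeRules.entrySet()) {
            // Keys are built by getActiveRules() as "<publicIp>-<privateIp>" (presumably; see that method).
            String[] ipPairComponents = entry.getKey().split("-");
            String publicIp = ipPairComponents[0];
            String privateIp = ipPairComponents[1];
            List<FirewallRuleTO> activeRulesForIpPair = entry.getValue();
            Long publicVlanTag = getVlanTag(vlanTagMap.get(publicIp));
            // Delete the existing static NAT rule for this IP pair
            removeStaticNatRule(publicVlanTag, publicIp, privateIp);
            if (!activeRulesForIpPair.isEmpty()) {
                // If there are active FirewallRules for this IP pair, add the static NAT rule and open the specified port ranges
                addStaticNatRule(publicVlanTag, publicIp, privateIp, activeRulesForIpPair);
            }
        }
        commitConfiguration();
        return new Answer(cmd);
    } catch (ExecutionException e) {
        // Log with the exception as cause so the stack trace is kept, then discard the half-built config.
        s_logger.error("SetStaticNatRulesCommand failed", e);
        closeConfiguration();
        if (numRetries > 0 && refreshSrxConnection()) {
            int numRetriesRemaining = numRetries - 1;
            // Was "Retrying SetPortForwardingRulesCommand" - copy/paste from the port-forwarding handler.
            s_logger.debug("Retrying SetStaticNatRulesCommand. Number of retries remaining: " + numRetriesRemaining);
            return execute(cmd, numRetriesRemaining);
        }
        return new Answer(cmd, e);
    }
}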
use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.
the class JuniperSrxResource method extractApplications.
/**
 * Maps each rule to a three-slot "application" tuple {@code {protocol, lower, upper}} for the SRX config:
 * ICMP rules carry type and code (a rule value of -1 becomes 255), TCP/UDP rules carry the source port
 * range (defaulting to 0-65535 when the rule has none), and {@code Protocol.all} gets 0-65535.
 * Any other protocol value leaves the last two slots {@code null}.
 *
 * @param rules the rules to convert
 * @return one tuple per rule, in input order
 * @throws ExecutionException propagated from {@link #getProtocol}
 */
private List<Object[]> extractApplications(List<FirewallRuleTO> rules) throws ExecutionException {
    List<Object[]> applications = new ArrayList<Object[]>();
    for (FirewallRuleTO rule : rules) {
        Object protocol = getProtocol(rule.getProtocol());
        Object[] application;
        if (protocol == Protocol.icmp) {
            // -1 (no specific type/code) is handed to the config builder as 255
            application = new Object[] {
                protocol,
                rule.getIcmpType() == -1 ? 255 : rule.getIcmpType(),
                rule.getIcmpCode() == -1 ? 255 : rule.getIcmpCode()};
        } else if (protocol == Protocol.tcp || protocol == Protocol.udp) {
            if (rule.getSrcPortRange() != null) {
                application = new Object[] {protocol, rule.getSrcPortRange()[0], rule.getSrcPortRange()[1]};
            } else {
                application = new Object[] {protocol, 0, 65535};
            }
        } else if (protocol == Protocol.all) {
            application = new Object[] {protocol, 0, 65535};
        } else {
            application = new Object[] {protocol, null, null};
        }
        applications.add(application);
    }
    return applications;
}
use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.
the class JuniperSrxResource method execute.
/**
 * Applies the port forwarding rules in {@code cmd} to the SRX. For each public/private IP pair every
 * existing destination NAT rule (with its pools and policies) is removed, then one destination NAT rule
 * is added back per rule still active for that pair. On an {@link ExecutionException} the open
 * configuration is closed and the command retried while {@code numRetries} allows and the SRX
 * connection can be refreshed.
 *
 * @param cmd        the port forwarding rules to apply
 * @param numRetries remaining retry budget for this command
 * @return a successful {@link Answer}, or one wrapping the last exception when retries are exhausted
 */
private Answer execute(SetPortForwardingRulesCommand cmd, int numRetries) {
    PortForwardingRuleTO[] allRules = cmd.getRules();
    Map<String, ArrayList<FirewallRuleTO>> activeRules = getActiveRules(allRules);
    try {
        openConfiguration();
        for (Map.Entry<String, ArrayList<FirewallRuleTO>> entry : activeRules.entrySet()) {
            // Keys are "<publicIp>-<privateIp>" (presumably built that way by getActiveRules()).
            String[] ipPairComponents = entry.getKey().split("-");
            String publicIp = ipPairComponents[0];
            String privateIp = ipPairComponents[1];
            List<FirewallRuleTO> activeRulesForIpPair = entry.getValue();
            // All destination NAT rules currently configured for this IP pair ...
            List<String[]> destNatRules = getDestNatRules(RuleMatchCondition.PUBLIC_PRIVATE_IPS, publicIp, privateIp, null, null);
            Map<String, Long> publicVlanTags = getPublicVlanTagsForNatRules(destNatRules);
            // ... are dropped together with the pools and security policies they use ...
            removeDestinationNatRules(null, publicVlanTags, destNatRules);
            // ... and the still-active rules are recreated from scratch.
            for (FirewallRuleTO rule : activeRulesForIpPair) {
                Long publicVlanTag = getVlanTag(rule.getSrcVlanTag());
                // activeRules was built from PortForwardingRuleTO[], so the cast is expected to hold.
                PortForwardingRuleTO pfRule = (PortForwardingRuleTO) rule;
                addDestinationNatRule(getProtocol(rule.getProtocol()), publicVlanTag,
                    pfRule.getSrcIp(), pfRule.getDstIp(),
                    pfRule.getSrcPortRange()[0], pfRule.getSrcPortRange()[1],
                    pfRule.getDstPortRange()[0], pfRule.getDstPortRange()[1]);
            }
        }
        commitConfiguration();
        return new Answer(cmd);
    } catch (ExecutionException e) {
        s_logger.error(e);
        closeConfiguration();
        boolean canRetry = numRetries > 0 && refreshSrxConnection();
        if (!canRetry) {
            return new Answer(cmd, e);
        }
        int numRetriesRemaining = numRetries - 1;
        s_logger.debug("Retrying SetPortForwardingRulesCommand. Number of retries remaining: " + numRetriesRemaining);
        return execute(cmd, numRetriesRemaining);
    }
}
use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.
the class CiscoVnmcElement method applyFWRules.
/**
 * Pushes the given firewall rules to the Cisco ASA 1000v appliance backing {@code network} via the
 * VNMC host. Returns {@code false} only when the Firewall service is not provided by Cisco VNMC on the
 * network; the "nothing to do" cases (no VNMC device, no ASA 1000v association, network still
 * Allocated, no rules) return {@code true} without contacting the backend.
 *
 * @param network the guest network the rules belong to
 * @param rules   the rules to apply; ingress rules are tagged with their source IP, egress rules with 0.0.0.0
 * @return whether the rules are considered applied
 * @throws ResourceUnavailableException when the agent reports failure or does not answer
 */
@Override
public boolean applyFWRules(Network network, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
    if (!_networkModel.isProviderSupportServiceInNetwork(network.getId(), Service.Firewall, Provider.CiscoVnmc)) {
        s_logger.error("Firewall service is not provided by Cisco Vnmc device on network " + network.getName());
        return false;
    }
    // VNMC host for the physical network
    List<CiscoVnmcControllerVO> devices = _ciscoVnmcDao.listByPhysicalNetwork(network.getPhysicalNetworkId());
    if (devices.isEmpty()) {
        s_logger.error("No Cisco Vnmc device on network " + network.getName());
        return true;
    }
    // ASA 1000v association for the network
    NetworkAsa1000vMapVO asaForNetwork = _networkAsa1000vMapDao.findByNetworkId(network.getId());
    if (asaForNetwork == null) {
        s_logger.debug("Cisco ASA 1000v device is not associated with network " + network.getName());
        return true;
    }
    if (network.getState() == Network.State.Allocated) {
        s_logger.debug("External firewall was asked to apply firewall rules for network with ID " + network.getId() + "; this network is not implemented. Skipping backend commands.");
        return true;
    }
    // Only the first VNMC device is used; NOTE(review): findById may return null, which would fail below - confirm.
    HostVO ciscoVnmcHost = _hostDao.findById(devices.get(0).getHostId());
    List<FirewallRuleTO> rulesTO = toFirewallRuleTOs(rules);
    if (rulesTO.isEmpty()) {
        return true;
    }
    SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
    cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, BroadcastDomainType.getValue(network.getBroadcastUri()));
    cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, network.getCidr());
    Answer answer = _agentMgr.easySend(ciscoVnmcHost.getId(), cmd);
    if (answer != null && answer.getResult()) {
        return true;
    }
    String details = (answer == null) ? "details unavailable" : answer.getDetails();
    String msg = "Unable to apply firewall rules to Cisco ASA 1000v appliance due to: " + details + ".";
    s_logger.error(msg);
    throw new ResourceUnavailableException(msg, DataCenter.class, network.getDataCenterId());
}

/**
 * Converts rules to transfer objects. Ingress rules are given the address of their source IP
 * (looked up through the network model); every other rule gets "0.0.0.0".
 */
private List<FirewallRuleTO> toFirewallRuleTOs(List<? extends FirewallRule> rules) {
    List<FirewallRuleTO> rulesTO = new ArrayList<FirewallRuleTO>();
    for (FirewallRule rule : rules) {
        String address = "0.0.0.0";
        if (rule.getTrafficType() == TrafficType.Ingress) {
            IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
            address = sourceIp.getAddress().addr();
        }
        rulesTO.add(new FirewallRuleTO(rule, null, address, rule.getPurpose(), rule.getTrafficType()));
    }
    return rulesTO;
}