
Example 16 with FirewallRuleTO

use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.

the class PaloAltoResourceTest method addEgressFirewallRule.

@Test
public void addEgressFirewallRule() throws ConfigurationException, Exception {
    // Per-test console banner, opted into through the shared mock context.
    final boolean printBanner = _context.containsKey("enable_console_output")
            && _context.get("enable_console_output").equals("true");
    if (printBanner) {
        System.out.println("\nTEST: addEgressFirewallRule");
        System.out.println("---------------------------------------------------");
    }

    // Device state the mocked Palo Alto resource must report as already present
    // before an egress rule can be added on top of it.
    for (String precondition : new String[] {"has_public_interface", "has_private_interface",
            "has_src_nat_rule", "has_isolation_fw_rule", "has_service_tcp_80"}) {
        _context.put(precondition, "true");
    }
    _resource.setMockContext(_context);
    _resource.configure("PaloAltoResource", _resourceParams);

    final long vlanId = 3954;
    final String vlanTag = Long.toString(vlanId);
    final String guestCidr = "10.3.96.1/20";

    // One egress rule for TCP/80 with the CIDR list 0.0.0.0/0.
    List<String> cidrList = new ArrayList<String>();
    cidrList.add("0.0.0.0/0");
    FirewallRuleVO activeVO = new FirewallRuleVO(null, null, 80, 80, "tcp", 1, 1, 1, Purpose.Firewall, cidrList, null, null, null, FirewallRule.TrafficType.Egress);
    FirewallRuleTO active = new FirewallRuleTO(activeVO, vlanTag, null, Purpose.Firewall, FirewallRule.TrafficType.Egress);

    List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
    rules.add(active);
    SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rules);
    cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, vlanTag);
    cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, guestCidr);

    // The command must be accepted by the mocked device.
    Answer answer = _resource.executeRequest(cmd);
    assertTrue(answer.getResult());
}

Example 17 with FirewallRuleTO

use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.

the class PaloAltoResourceTest method removeIngressFirewallRule.

@Test
public void removeIngressFirewallRule() throws ConfigurationException, Exception {
    // Per-test console banner, opted into through the shared mock context.
    final boolean printBanner = _context.containsKey("enable_console_output")
            && _context.get("enable_console_output").equals("true");
    if (printBanner) {
        System.out.println("\nTEST: removeIngressFirewallRule");
        System.out.println("---------------------------------------------------");
    }

    // Device state the mocked Palo Alto resource must report as already present;
    // an existing ingress rule is required so that there is something to revoke.
    for (String precondition : new String[] {"has_public_interface", "has_private_interface",
            "has_src_nat_rule", "has_isolation_fw_rule", "has_service_tcp_80", "has_ingress_fw_rule"}) {
        _context.put(precondition, "true");
    }
    _resource.setMockContext(_context);
    _resource.configure("PaloAltoResource", _resourceParams);

    final long vlanId = 3954;
    final String vlanTag = Long.toString(vlanId);
    final String guestCidr = "10.3.96.1/20";

    // A revoked TCP/80 ingress rule for the public IP 192.168.80.103.
    FirewallRuleTO revoked = new FirewallRuleTO(8, null, "192.168.80.103", "tcp", 80, 80, true, false, FirewallRule.Purpose.Firewall, null, null, null);
    List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
    rules.add(revoked);

    SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rules);
    cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, vlanTag);
    cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, guestCidr);

    // The revocation must be accepted by the mocked device.
    Answer answer = _resource.executeRequest(cmd);
    assertTrue(answer.getResult());
}

Example 18 with FirewallRuleTO

use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.

the class SetFirewallRulesConfigItem method generateConfig.

@Override
public List<ConfigItem> generateConfig(final NetworkElementCommand cmd) {
    final SetFirewallRulesCommand command = (SetFirewallRulesCommand) cmd;
    final FirewallRuleTO[] ruleTOs = command.getRules();

    // Translate every wire-level rule into the virtual-router model, keeping order.
    final List<FirewallRule> rules = new ArrayList<FirewallRule>(ruleTOs.length);
    for (int i = 0; i < ruleTOs.length; i++) {
        rules.add(toModelRule(ruleTOs[i]));
    }

    final FirewallRules ruleSet = new FirewallRules(rules.toArray(new FirewallRule[0]));
    return generateConfigItems(ruleSet);
}

/**
 * Copies one {@link FirewallRuleTO} into the router-side {@link FirewallRule} model.
 * Purpose and traffic type are carried as their enum names.
 */
private static FirewallRule toModelRule(final FirewallRuleTO rule) {
    return new FirewallRule(rule.getId(), rule.getSrcVlanTag(), rule.getSrcIp(), rule.getProtocol(),
            rule.getSrcPortRange(), rule.revoked(), rule.isAlreadyAdded(), rule.getSourceCidrList(),
            rule.getDestCidrList(), rule.getPurpose().toString(), rule.getIcmpType(), rule.getIcmpCode(),
            rule.getTrafficType().toString(), rule.getGuestCidr(), rule.isDefaultEgressPolicy());
}

Example 19 with FirewallRuleTO

use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.

the class CommandSetupHelper method createApplyFirewallRulesCommands.

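/**
 * Builds a {@link SetFirewallRulesCommand} for {@code router} from {@code rules} and appends it
 * to {@code cmds}.
 * <p>
 * Ingress rules are resolved to the public IP they protect; egress rules carry the guest
 * network offering's default egress policy instead. The {@code FIREWALL_EGRESS_DEFAULT} access
 * detail tells the router what to do with egress traffic no rule matches: when the first rule
 * is a system egress rule it is sent as the {@code System} marker, otherwise as the offering's
 * policy flag (which stays {@code false} when no egress rule was seen).
 *
 * @param rules          the rules to apply; {@code null} or empty yields a command with no rules
 * @param router         the virtual router that will receive the command
 * @param cmds           the batch the new command is appended to
 * @param guestNetworkId the guest network whose offering supplies the egress default policy
 * @throws IllegalStateException if an ingress rule references a public IP that cannot be found
 */
public void createApplyFirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) {
    final List<FirewallRuleTO> rulesTO = new ArrayList<FirewallRuleTO>();
    String systemRule = null;
    Boolean defaultEgressPolicy = false;

    if (rules != null && !rules.isEmpty()) {
        final FirewallRule first = rules.get(0);
        if (first.getTrafficType() == FirewallRule.TrafficType.Egress && first.getType() == FirewallRule.FirewallRuleType.System) {
            systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
        }

        // The egress default policy belongs to the guest network's offering, so the
        // network/offering lookup is done at most once instead of per egress rule.
        NetworkOfferingVO offering = null;

        for (final FirewallRule rule : rules) {
            _rulesDao.loadSourceCidrs((FirewallRuleVO) rule);
            final FirewallRule.TrafficType traffictype = rule.getTrafficType();

            if (traffictype == FirewallRule.TrafficType.Ingress) {
                final IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
                if (sourceIp == null) {
                    // Fail loudly rather than with a bare NPE: an ingress rule without a
                    // resolvable public IP cannot be expressed to the router.
                    throw new IllegalStateException("No public IP found for ingress firewall rule (ipAddressId="
                            + rule.getSourceIpAddressId() + ")");
                }
                final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(), Purpose.Firewall, traffictype);
                rulesTO.add(ruleTO);
            } else if (traffictype == FirewallRule.TrafficType.Egress) {
                if (offering == null) {
                    final NetworkVO network = _networkDao.findById(guestNetworkId);
                    offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
                }
                defaultEgressPolicy = offering.isEgressDefaultPolicy();
                // Only checked when the JVM runs with -ea; egress rules are not bound to a public IP.
                assert rule.getSourceIpAddressId() == null : "ipAddressId should be null for egress firewall rule. ";
                final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, "", Purpose.Firewall, traffictype, defaultEgressPolicy);
                rulesTO.add(ruleTO);
            }
            // Any other traffic type is deliberately skipped, as before.
        }
    }

    final SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
    cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId()));
    cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, _routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId()));
    cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());
    final DataCenterVO dcVo = _dcDao.findById(router.getDataCenterId());
    cmd.setAccessDetail(NetworkElementCommand.ZONE_NETWORK_TYPE, dcVo.getNetworkType().toString());

    // A leading system egress rule overrides the offering flag as the router's default.
    if (systemRule != null) {
        cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, systemRule);
    } else {
        cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, String.valueOf(defaultEgressPolicy));
    }
    cmds.addCommand(cmd);
}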

Example 20 with FirewallRuleTO

use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.

the class JuniperSrxResource method execute.

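/**
 * Applies the firewall rules carried by {@code cmd} to the SRX.
 * <p>
 * The first rule's traffic type selects the path: egress rules rewrite the per-guest-VLAN
 * security policies, anything else manages public-zone input filter terms. On an
 * {@link ExecutionException} the open configuration session is closed and, while
 * {@code numRetries} allows and the device connection can be refreshed, the whole command
 * is retried.
 *
 * @param cmd        the rule set to apply; an empty set is a no-op and answers success
 * @param numRetries how many further attempts are allowed after a failed execution
 * @return a successful {@link Answer}, or one carrying the last failure
 */
private Answer execute(SetFirewallRulesCommand cmd, int numRetries) {
    FirewallRuleTO[] rules = cmd.getRules();
    // Decide before opening a session: with no rules the rules[0] reads below would fail with
    // an unchecked exception that the catch does not handle, leaving the session open.
    if (rules == null || rules.length == 0) {
        s_logger.debug("SetFirewallRulesCommand carries no rules; nothing to apply");
        return new Answer(cmd);
    }
    try {
        openConfiguration();
        if (rules[0].getTrafficType() == FirewallRule.TrafficType.Egress) {
            applyEgressRuleSet(rules);
        } else {
            applyIngressRuleSet(rules);
        }
        commitConfiguration();
        return new Answer(cmd);
    } catch (ExecutionException e) {
        s_logger.error("Failed to apply SetFirewallRulesCommand on SRX", e);
        closeConfiguration();
        if (numRetries > 0 && refreshSrxConnection()) {
            int numRetriesRemaining = numRetries - 1;
            s_logger.debug("Retrying SetFirewallRulesCommand. Number of retries remaining: " + numRetriesRemaining);
            return execute(cmd, numRetriesRemaining);
        }
        return new Answer(cmd, e);
    }
}

/**
 * Rewrites the egress security policies of every guest VLAN present in {@code rules}.
 * <p>
 * The device evaluates policies in order, so the user policy for a network is installed
 * before its default-policy entry is re-added behind it. Must be called inside an open
 * configuration session; the caller commits.
 *
 * @param rules non-empty egress rule set; the first rule supplies policy, type and guest CIDR
 */
private void applyEgressRuleSet(FirewallRuleTO[] rules) throws ExecutionException {
    Map<String, ArrayList<FirewallRuleTO>> activeRules = getActiveFirewallEgressRules(rules);
    Set<String> guestVlans = activeRules.keySet();
    boolean defaultEgressPolicy = rules[0].isDefaultEgressPolicy();
    FirewallRule.FirewallRuleType type = rules[0].getType();

    // The default-policy entry covers the whole guest CIDR for every protocol and port.
    List<String> cidrs = new ArrayList<String>();
    cidrs.add(rules[0].getGuestCidr());
    List<Object[]> applications = new ArrayList<Object[]>();
    applications.add(new Object[] {Protocol.all, NetUtils.PORT_RANGE_MIN, NetUtils.PORT_RANGE_MAX});

    for (String guestVlan : guestVlans) {
        List<FirewallRuleTO> activeRulesForGuestNw = activeRules.get(guestVlan);
        removeEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS, guestVlan, extractCidrs(activeRulesForGuestNw), defaultEgressPolicy);
        if (activeRulesForGuestNw.size() > 0 && type == FirewallRule.FirewallRuleType.User) {
            addEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS, guestVlan, extractApplications(activeRulesForGuestNw), extractCidrs(activeRulesForGuestNw), defaultEgressPolicy);
            // Re-add the default policy after the user policy: the order of the two entries
            // decides whether unmatched traffic is accepted or dropped.
            removeEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT, guestVlan, cidrs, defaultEgressPolicy);
            addEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT, guestVlan, applications, cidrs, defaultEgressPolicy);
        }
        // Removed without regard to the current default policy: after a network offering
        // upgrade the previously installed default entry may be of the other kind.
        removeEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT, guestVlan, cidrs, false);
        if (defaultEgressPolicy && type == FirewallRule.FirewallRuleType.System) {
            removeEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT, guestVlan, cidrs, defaultEgressPolicy);
            if (activeRulesForGuestNw.size() > 0) {
                // Add the default egress security policy for this guest network.
                addEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT, guestVlan, applications, cidrs, defaultEgressPolicy);
            }
        }
    }
}

/**
 * Adds or deletes one public-zone input filter term, plus the matching proxy-ARP entry, per
 * rule. A rule without a source port range covers the full port range. Must be called inside
 * an open configuration session; the caller commits.
 *
 * @param rules the ingress rule set; revoked rules are deleted, others added
 */
private void applyIngressRuleSet(FirewallRuleTO[] rules) throws ExecutionException {
    for (FirewallRuleTO rule : rules) {
        int startPort = NetUtils.PORT_RANGE_MIN;
        int endPort = NetUtils.PORT_RANGE_MAX;
        if (rule.getSrcPortRange() != null) {
            startPort = rule.getSrcPortRange()[0];
            endPort = rule.getSrcPortRange()[1];
        }
        // Same identifier feeds both the term name and the usage counter name.
        String ipIdentifier = genIpIdentifier(rule.getSrcIp());
        FirewallFilterTerm term = new FirewallFilterTerm(ipIdentifier + "-" + String.valueOf(rule.getId()), rule.getSourceCidrList(), rule.getSrcIp(), rule.getProtocol(), startPort, endPort, rule.getIcmpType(), rule.getIcmpCode(), ipIdentifier + _usageFilterIPInput.getCounterIdentifier());
        if (!rule.revoked()) {
            manageProxyArp(SrxCommand.ADD, getVlanTag(rule.getSrcVlanTag()), rule.getSrcIp());
            manageFirewallFilter(SrxCommand.ADD, term, _publicZoneInputFilterName);
        } else {
            // Tear down in reverse order of installation.
            manageFirewallFilter(SrxCommand.DELETE, term, _publicZoneInputFilterName);
            manageProxyArp(SrxCommand.DELETE, getVlanTag(rule.getSrcVlanTag()), rule.getSrcIp());
        }
    }
}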
