
Example 21 with FirewallRuleTO

use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.

the class JuniperSrxResource method getActiveFirewallEgressRules.

/**
 * Groups the given rules by their source VLAN tag, keeping only the ones that still have to be
 * present on the device: rules that are not revoked, plus revoked rules flagged as already added.
 *
 * A VLAN whose rules were all dropped still gets an entry with an empty list, so callers can tell
 * "network seen, nothing active" apart from "network not in the batch".
 *
 * @param allRules the rules of the command, in the order they should be evaluated
 * @return a mutable map from VLAN tag to the active rules of that VLAN
 */
private Map<String, ArrayList<FirewallRuleTO>> getActiveFirewallEgressRules(FirewallRuleTO[] allRules) {
    Map<String, ArrayList<FirewallRuleTO>> rulesByVlan = new HashMap<String, ArrayList<FirewallRuleTO>>();
    for (FirewallRuleTO rule : allRules) {
        String vlanTag = rule.getSrcVlanTag();
        if (!rulesByVlan.containsKey(vlanTag)) {
            rulesByVlan.put(vlanTag, new ArrayList<FirewallRuleTO>());
        }
        boolean stillActive = !rule.revoked() || rule.isAlreadyAdded();
        if (stillActive) {
            rulesByVlan.get(vlanTag).add(rule);
        }
    }
    return rulesByVlan;
}

Example 22 with FirewallRuleTO

use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.

the class JuniperSrxResource method extractCidrs.

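/**
 * Collects the distinct source CIDRs of the given rules, in the order they are first seen.
 *
 * @param rules the firewall rules whose source CIDR lists are merged
 * @return the de-duplicated CIDRs in first-seen order; empty when no rule carries a CIDR
 * @throws ExecutionException kept on the signature for source compatibility with callers;
 *         nothing visible in this method throws it
 */
private List<String> extractCidrs(List<FirewallRuleTO> rules) throws ExecutionException {
    List<String> allCidrs = new ArrayList<String>();
    // O(1) membership check instead of List.contains() per CIDR, which made this quadratic in the
    // total number of CIDRs. Fully qualified because the file's import block is not in view here.
    java.util.Set<String> seen = new java.util.HashSet<String>();
    for (FirewallRuleTO rule : rules) {
        for (String cidr : rule.getSourceCidrList()) {
            // Set.add() reports whether the element was new, so order of first appearance is kept.
            if (seen.add(cidr)) {
                allCidrs.add(cidr);
            }
        }
    }
    return allCidrs;
}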

Example 23 with FirewallRuleTO

use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.

the class JuniperSrxResource method getActiveRules.

/**
 * Groups static-NAT and port-forwarding rules by their "srcIp-dstIp" pair; rules of any other
 * purpose are skipped.
 *
 * Per pair, only rules that are not revoked, or that are revoked but already added, are kept.
 * A pair whose rules were all dropped still appears with an empty list.
 *
 * @param allRules the rules of the command
 * @return a mutable map from "srcIp-dstIp" to the active rules for that pair
 */
private Map<String, ArrayList<FirewallRuleTO>> getActiveRules(FirewallRuleTO[] allRules) {
    Map<String, ArrayList<FirewallRuleTO>> rulesByIpPair = new HashMap<String, ArrayList<FirewallRuleTO>>();
    for (FirewallRuleTO rule : allRules) {
        String ipPair = ipPairOf(rule);
        if (ipPair == null) {
            // Neither static NAT nor port forwarding: not handled by this grouping.
            continue;
        }
        ArrayList<FirewallRuleTO> bucket = rulesByIpPair.get(ipPair);
        if (bucket == null) {
            bucket = new ArrayList<FirewallRuleTO>();
            rulesByIpPair.put(ipPair, bucket);
        }
        if (!rule.revoked() || rule.isAlreadyAdded()) {
            bucket.add(rule);
        }
    }
    return rulesByIpPair;
}

/**
 * Builds the "srcIp-dstIp" key for a static-NAT or port-forwarding rule.
 *
 * @return the key, or null when the rule's purpose is neither of the two
 */
private static String ipPairOf(FirewallRuleTO rule) {
    if (rule.getPurpose().equals(Purpose.StaticNat)) {
        StaticNatRuleTO nat = (StaticNatRuleTO) rule;
        return nat.getSrcIp() + "-" + nat.getDstIp();
    }
    if (rule.getPurpose().equals(Purpose.PortForwarding)) {
        PortForwardingRuleTO forwarding = (PortForwardingRuleTO) rule;
        return forwarding.getSrcIp() + "-" + forwarding.getDstIp();
    }
    return null;
}

Example 24 with FirewallRuleTO

use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.

the class CiscoVnmcResource method execute.

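/**
 * Programs the rules of a {@link SetFirewallRulesCommand} into the VNMC as ACL policies.
 *
 * Rules are grouped by their public (source) IP. Each group becomes one ACL policy, named after the
 * IP with dots replaced by dashes, referenced from both the ingress and the egress policy set of the
 * tenant {@code "vlan-<guest vlan tag>"}. Revoked rules are deleted from the device, every other rule
 * is created (see {@link #createVnmcAclRule}). Finally the policy set is associated with the tenant.
 *
 * @param cmd        the command carrying the rules and the guest VLAN tag context parameter
 * @param numRetries not used by this overload; kept for signature parity with the other execute methods
 * @return a successful {@link Answer}, or a failed one carrying the error message when any VNMC call
 *         fails or a rule cannot be expressed on the device
 */
private Answer execute(SetFirewallRulesCommand cmd, int numRetries) {
    String vlanId = cmd.getContextParam(NetworkElementCommand.GUEST_VLAN_TAG);
    String tenant = "vlan-" + vlanId;
    Map<String, List<FirewallRuleTO>> publicIpRulesMap = groupRulesByPublicIp(cmd.getRules());
    try {
        if (!_connection.createTenantVDCAclPolicySet(tenant, true)) {
            throw new ExecutionException("Failed to create ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
        }
        if (!_connection.createTenantVDCAclPolicySet(tenant, false)) {
            throw new ExecutionException("Failed to create ACL egress policy set in VNMC for guest network with vlan " + vlanId);
        }
        for (Map.Entry<String, List<FirewallRuleTO>> entry : publicIpRulesMap.entrySet()) {
            String publicIp = entry.getKey();
            // One ACL policy per public IP; the identifier is the IP with dots turned into dashes.
            String policyIdentifier = publicIp.replace('.', '-');
            if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier)) {
                throw new ExecutionException("Failed to create ACL policy in VNMC for guest network with vlan " + vlanId);
            }
            if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, true)) {
                throw new ExecutionException("Failed to associate ACL policy with ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
            }
            if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, false)) {
                throw new ExecutionException("Failed to associate ACL policy with ACL egress policy set in VNMC for guest network with vlan " + vlanId);
            }
            for (FirewallRuleTO rule : entry.getValue()) {
                if (rule.revoked()) {
                    if (!_connection.deleteTenantVDCAclRule(tenant, rule.getId(), policyIdentifier)) {
                        throw new ExecutionException("Failed to delete ACL rule in VNMC for guest network with vlan " + vlanId);
                    }
                } else {
                    createVnmcAclRule(tenant, vlanId, policyIdentifier, rule);
                }
            }
        }
        if (!_connection.associateAclPolicySet(tenant)) {
            throw new ExecutionException("Failed to associate ACL policy set with edge security profile in VNMC for guest network with vlan " + vlanId);
        }
    } catch (ExecutionException e) {
        String msg = "SetFirewallRulesCommand failed due to " + e.getMessage();
        s_logger.error(msg, e);
        return new Answer(cmd, false, msg);
    }
    return new Answer(cmd, true, "Success");
}

/**
 * Groups the rules by their source IP, preserving the rule order within each group.
 *
 * @param rules the rules of the command
 * @return a mutable map from public IP to its rules; never contains an empty list
 */
private static Map<String, List<FirewallRuleTO>> groupRulesByPublicIp(FirewallRuleTO[] rules) {
    Map<String, List<FirewallRuleTO>> rulesByIp = new HashMap<String, List<FirewallRuleTO>>();
    for (FirewallRuleTO rule : rules) {
        String publicIp = rule.getSrcIp();
        List<FirewallRuleTO> bucket = rulesByIp.get(publicIp);
        if (bucket == null) {
            bucket = new ArrayList<FirewallRuleTO>();
            rulesByIp.put(publicIp, bucket);
        }
        bucket.add(rule);
    }
    return rulesByIp;
}

/**
 * Creates the VNMC ACL rule for one non-revoked firewall rule.
 *
 * The source port range is sent for ingress rules of any protocol except ICMP, and for egress rules
 * of TCP or UDP; every other rule is created without ports. Only the FIRST source CIDR of the rule is
 * programmed: the rule id is the ACL rule name on the device, so additional CIDRs on the same rule are
 * not applied. Callers that rely on multi-CIDR rules should be aware the device only sees the first one.
 *
 * @param tenant           the VNMC tenant of the guest network
 * @param vlanId           the guest VLAN tag, used in error messages only
 * @param policyIdentifier the ACL policy the rule belongs to
 * @param rule             the rule to program; must not be revoked
 * @throws ExecutionException when the rule has no source CIDR, or the VNMC rejects the rule
 */
private void createVnmcAclRule(String tenant, String vlanId, String policyIdentifier, FirewallRuleTO rule) throws ExecutionException {
    List<String> sourceCidrs = rule.getSourceCidrList();
    if (sourceCidrs == null || sourceCidrs.isEmpty()) {
        // Reported like every other failure (failed Answer) instead of letting get(0) throw an
        // unchecked IndexOutOfBoundsException out of the command handler.
        throw new ExecutionException("Firewall rule " + rule.getId() + " has no source CIDR; cannot create ACL rule in VNMC for guest network with vlan " + vlanId);
    }
    String[] externalIpRange = getIpRangeFromCidr(sourceCidrs.get(0));
    String protocol = rule.getProtocol();
    String vnmcProtocol = protocol.toUpperCase();
    boolean created;
    if (rule.getTrafficType() == TrafficType.Ingress) {
        if (!protocol.equalsIgnoreCase("icmp") && rule.getSrcPortRange() != null) {
            created = _connection.createTenantVDCIngressAclRule(tenant, rule.getId(), policyIdentifier, vnmcProtocol, externalIpRange[0], externalIpRange[1], Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]));
        } else {
            created = _connection.createTenantVDCIngressAclRule(tenant, rule.getId(), policyIdentifier, vnmcProtocol, externalIpRange[0], externalIpRange[1]);
        }
        if (!created) {
            throw new ExecutionException("Failed to create ACL ingress rule in VNMC for guest network with vlan " + vlanId);
        }
    } else {
        if ((protocol.equalsIgnoreCase("tcp") || protocol.equalsIgnoreCase("udp")) && rule.getSrcPortRange() != null) {
            created = _connection.createTenantVDCEgressAclRule(tenant, rule.getId(), policyIdentifier, vnmcProtocol, externalIpRange[0], externalIpRange[1], Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]));
        } else {
            created = _connection.createTenantVDCEgressAclRule(tenant, rule.getId(), policyIdentifier, vnmcProtocol, externalIpRange[0], externalIpRange[1]);
        }
        if (!created) {
            throw new ExecutionException("Failed to create ACL egress rule in VNMC for guest network with vlan " + vlanId);
        }
    }
}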

Example 25 with FirewallRuleTO

use of com.cloud.agent.api.to.FirewallRuleTO in project cosmic by MissionCriticalCloud.

the class CommandSetupHelper method createFirewallRulesCommands.

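/**
 * Builds a {@link SetFirewallRulesCommand} for the given rules and appends it to {@code cmds}.
 *
 * Ingress rules are converted with their source (public) IP; egress rules are converted with an
 * empty source IP and the network offering's default egress policy. The FIREWALL_EGRESS_DEFAULT
 * access detail is "System" when the first rule is an egress rule of type System, otherwise the
 * offering's default egress policy as resolved while converting egress rules ("false" when no egress
 * rule was present).
 *
 * @param rules          the rules to send; null or empty yields a command with no rules
 * @param router         the virtual router that receives the command
 * @param cmds           the batch the new command is appended to
 * @param guestNetworkId the guest network whose offering decides the default egress policy
 */
public void createFirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) {
    final List<FirewallRuleTO> rulesTO = new ArrayList<>();
    String systemRule = null;
    // Left boxed as declared: String.valueOf(Object) renders a null policy as "null" instead of throwing.
    Boolean defaultEgressPolicy = false;
    // The offering is a property of the network, not of the rule, so it is looked up once, on the
    // first egress rule, instead of twice per egress rule as before.
    boolean egressPolicyResolved = false;
    if (rules != null) {
        if (!rules.isEmpty()) {
            final FirewallRule first = rules.get(0);
            if (first.getTrafficType() == FirewallRule.TrafficType.Egress && first.getType() == FirewallRule.FirewallRuleType.System) {
                systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
            }
        }
        for (final FirewallRule rule : rules) {
            _rulesDao.loadSourceCidrs((FirewallRuleVO) rule);
            final FirewallRule.TrafficType traffictype = rule.getTrafficType();
            if (traffictype == FirewallRule.TrafficType.Ingress) {
                final IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
                rulesTO.add(new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(), Purpose.Firewall, traffictype));
            } else if (traffictype == FirewallRule.TrafficType.Egress) {
                if (!egressPolicyResolved) {
                    final NetworkVO network = _networkDao.findById(guestNetworkId);
                    final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
                    defaultEgressPolicy = offering.getEgressDefaultPolicy();
                    egressPolicyResolved = true;
                }
                // Development-time check only: assert is a no-op unless the JVM runs with -ea.
                assert rule.getSourceIpAddressId() == null : "ipAddressId should be null for egress firewall rule. ";
                rulesTO.add(new FirewallRuleTO(rule, null, "", Purpose.Firewall, traffictype, defaultEgressPolicy));
            }
        }
    }
    final SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
    cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId()));
    cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());
    final Zone zone = zoneRepository.findOne(router.getDataCenterId());
    cmd.setAccessDetail(NetworkElementCommand.ZONE_NETWORK_TYPE, zone.getNetworkType().toString());
    if (systemRule != null) {
        cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, systemRule);
    } else {
        cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, String.valueOf(defaultEgressPolicy));
    }
    cmds.addCommand(cmd);
}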
