use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.
the class JuniperSrxResource method getActiveFirewallEgressRules.
private Map<String, ArrayList<FirewallRuleTO>> getActiveFirewallEgressRules(FirewallRuleTO[] allRules) {
Map<String, ArrayList<FirewallRuleTO>> activeRules = new HashMap<String, ArrayList<FirewallRuleTO>>();
for (FirewallRuleTO rule : allRules) {
String guestVlan;
guestVlan = rule.getSrcVlanTag();
ArrayList<FirewallRuleTO> activeRulesForNetwork = activeRules.get(guestVlan);
if (activeRulesForNetwork == null) {
activeRulesForNetwork = new ArrayList<FirewallRuleTO>();
}
if (!rule.revoked() || rule.isAlreadyAdded()) {
activeRulesForNetwork.add(rule);
}
activeRules.put(guestVlan, activeRulesForNetwork);
}
return activeRules;
}
use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.
the class JuniperSrxResource method extractCidrs.
private List<String> extractCidrs(List<FirewallRuleTO> rules) throws ExecutionException {
List<String> allCidrs = new ArrayList<String>();
List<String> cidrs = new ArrayList<String>();
for (FirewallRuleTO rule : rules) {
cidrs = (rule.getSourceCidrList());
for (String cidr : cidrs) {
if (!allCidrs.contains(cidr)) {
allCidrs.add(cidr);
}
}
}
return allCidrs;
}
use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.
the class JuniperSrxResource method getActiveRules.
private Map<String, ArrayList<FirewallRuleTO>> getActiveRules(FirewallRuleTO[] allRules) {
Map<String, ArrayList<FirewallRuleTO>> activeRules = new HashMap<String, ArrayList<FirewallRuleTO>>();
for (FirewallRuleTO rule : allRules) {
String ipPair;
if (rule.getPurpose().equals(Purpose.StaticNat)) {
StaticNatRuleTO staticNatRule = (StaticNatRuleTO) rule;
ipPair = staticNatRule.getSrcIp() + "-" + staticNatRule.getDstIp();
} else if (rule.getPurpose().equals(Purpose.PortForwarding)) {
PortForwardingRuleTO portForwardingRule = (PortForwardingRuleTO) rule;
ipPair = portForwardingRule.getSrcIp() + "-" + portForwardingRule.getDstIp();
} else {
continue;
}
ArrayList<FirewallRuleTO> activeRulesForIpPair = activeRules.get(ipPair);
if (activeRulesForIpPair == null) {
activeRulesForIpPair = new ArrayList<FirewallRuleTO>();
}
if (!rule.revoked() || rule.isAlreadyAdded()) {
activeRulesForIpPair.add(rule);
}
activeRules.put(ipPair, activeRulesForIpPair);
}
return activeRules;
}
use of com.cloud.agent.api.to.FirewallRuleTO in project cloudstack by apache.
the class CiscoVnmcResource method execute.
private Answer execute(SetFirewallRulesCommand cmd, int numRetries) {
String vlanId = cmd.getContextParam(NetworkElementCommand.GUEST_VLAN_TAG);
String tenant = "vlan-" + vlanId;
FirewallRuleTO[] rules = cmd.getRules();
Map<String, List<FirewallRuleTO>> publicIpRulesMap = new HashMap<String, List<FirewallRuleTO>>();
for (FirewallRuleTO rule : rules) {
String publicIp = rule.getSrcIp();
if (!publicIpRulesMap.containsKey(publicIp)) {
List<FirewallRuleTO> publicIpRulesList = new ArrayList<FirewallRuleTO>();
publicIpRulesMap.put(publicIp, publicIpRulesList);
}
publicIpRulesMap.get(publicIp).add(rule);
}
try {
if (!_connection.createTenantVDCAclPolicySet(tenant, true)) {
throw new ExecutionException("Failed to create ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
}
if (!_connection.createTenantVDCAclPolicySet(tenant, false)) {
throw new ExecutionException("Failed to create ACL egress policy set in VNMC for guest network with vlan " + vlanId);
}
for (String publicIp : publicIpRulesMap.keySet()) {
String policyIdentifier = publicIp.replace('.', '-');
if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier)) {
throw new ExecutionException("Failed to create ACL policy in VNMC for guest network with vlan " + vlanId);
}
if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, true)) {
throw new ExecutionException("Failed to associate ACL policy with ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
}
if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, false)) {
throw new ExecutionException("Failed to associate ACL policy with ACL egress policy set in VNMC for guest network with vlan " + vlanId);
}
for (FirewallRuleTO rule : publicIpRulesMap.get(publicIp)) {
if (rule.revoked()) {
if (!_connection.deleteTenantVDCAclRule(tenant, rule.getId(), policyIdentifier)) {
throw new ExecutionException("Failed to delete ACL rule in VNMC for guest network with vlan " + vlanId);
}
} else {
String[] externalIpRange = getIpRangeFromCidr(rule.getSourceCidrList().get(0));
if (rule.getTrafficType() == TrafficType.Ingress) {
if (!rule.getProtocol().equalsIgnoreCase("icmp") && rule.getSrcPortRange() != null) {
if (!_connection.createTenantVDCIngressAclRule(tenant, rule.getId(), policyIdentifier, rule.getProtocol().toUpperCase(), externalIpRange[0], externalIpRange[1], Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]))) {
throw new ExecutionException("Failed to create ACL ingress rule in VNMC for guest network with vlan " + vlanId);
}
} else {
if (!_connection.createTenantVDCIngressAclRule(tenant, rule.getId(), policyIdentifier, rule.getProtocol().toUpperCase(), externalIpRange[0], externalIpRange[1])) {
throw new ExecutionException("Failed to create ACL ingress rule in VNMC for guest network with vlan " + vlanId);
}
}
} else {
if ((rule.getProtocol().equalsIgnoreCase("tcp") || rule.getProtocol().equalsIgnoreCase("udp")) && rule.getSrcPortRange() != null) {
if (!_connection.createTenantVDCEgressAclRule(tenant, rule.getId(), policyIdentifier, rule.getProtocol().toUpperCase(), externalIpRange[0], externalIpRange[1], Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]))) {
throw new ExecutionException("Failed to create ACL egress rule in VNMC for guest network with vlan " + vlanId);
}
} else {
if (!_connection.createTenantVDCEgressAclRule(tenant, rule.getId(), policyIdentifier, rule.getProtocol().toUpperCase(), externalIpRange[0], externalIpRange[1])) {
throw new ExecutionException("Failed to create ACL egress rule in VNMC for guest network with vlan " + vlanId);
}
}
}
}
}
}
if (!_connection.associateAclPolicySet(tenant)) {
throw new ExecutionException("Failed to associate ACL policy set with edge security profile in VNMC for guest network with vlan " + vlanId);
}
} catch (ExecutionException e) {
String msg = "SetFirewallRulesCommand failed due to " + e.getMessage();
s_logger.error(msg, e);
return new Answer(cmd, false, msg);
}
return new Answer(cmd, true, "Success");
}
use of com.cloud.agent.api.to.FirewallRuleTO in project cosmic by MissionCriticalCloud.
the class CommandSetupHelper method createFirewallRulesCommands.
public void createFirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) {
final List<FirewallRuleTO> rulesTO = new ArrayList<>();
String systemRule = null;
Boolean defaultEgressPolicy = false;
if (rules != null) {
if (rules.size() > 0) {
if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) {
systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
}
}
for (final FirewallRule rule : rules) {
_rulesDao.loadSourceCidrs((FirewallRuleVO) rule);
final FirewallRule.TrafficType traffictype = rule.getTrafficType();
if (traffictype == FirewallRule.TrafficType.Ingress) {
final IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(), Purpose.Firewall, traffictype);
rulesTO.add(ruleTO);
} else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) {
final NetworkVO network = _networkDao.findById(guestNetworkId);
final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
defaultEgressPolicy = offering.getEgressDefaultPolicy();
assert rule.getSourceIpAddressId() == null : "ipAddressId should be null for egress firewall rule. ";
final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, "", Purpose.Firewall, traffictype, defaultEgressPolicy);
rulesTO.add(ruleTO);
}
}
}
final SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId()));
cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());
final Zone zone = zoneRepository.findOne(router.getDataCenterId());
cmd.setAccessDetail(NetworkElementCommand.ZONE_NETWORK_TYPE, zone.getNetworkType().toString());
if (systemRule != null) {
cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, systemRule);
} else {
cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, String.valueOf(defaultEgressPolicy));
}
cmds.addCommand(cmd);
}
Aggregations