
Example 21 with PortForwardingRuleTO

use of com.cloud.agent.api.to.PortForwardingRuleTO in project cloudstack by apache.

the class MockNetworkManagerImpl method setVpcPortForwards.

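/**
 * Mock implementation of the VPC port-forwarding call: nothing is pushed to
 * any backend. One result string per rule is produced, in rule order, and
 * the answer always reports success.
 *
 * @param cmd the command carrying the rules to "apply"
 * @return a successful answer whose results array has one entry per rule
 */
@Override
public SetPortForwardingRulesAnswer setVpcPortForwards(SetPortForwardingRulesVpcCommand cmd) {
    PortForwardingRuleTO[] rules = cmd.getRules();
    String[] results = new String[rules.length];
    for (int i = 0; i < rules.length; i++) {
        PortForwardingRuleTO rule = rules[i];
        // Previously this text was accumulated in a StringBuilder that was
        // never read, leaving every element of results null.
        results[i] = "src:" + rule.getStringSrcPortRange() + "dst:" + rule.getStringDstPortRange();
    }
    return new SetPortForwardingRulesAnswer(cmd, results, true);
}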
Also used : SetPortForwardingRulesAnswer(com.cloud.agent.api.routing.SetPortForwardingRulesAnswer) PortForwardingRuleTO(com.cloud.agent.api.to.PortForwardingRuleTO)

Example 22 with PortForwardingRuleTO

use of com.cloud.agent.api.to.PortForwardingRuleTO in project cloudstack by apache.

the class NiciraNvpConfigurePortForwardingRulesCommandWrapper method execute.

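/**
 * Applies the port-forwarding rules in {@code command} to the NVP logical
 * router, creating or deleting NAT rule pairs as needed.
 *
 * <p>Each rule is translated into an incoming/outgoing NAT rule pair and
 * matched (ignoring UUIDs) against the rules already present on the router.
 * Revoked rules are deleted when both halves are found; rules not yet
 * present are created, and a failed second create rolls back the first.
 * Rules that are already added and not revoked are skipped.
 *
 * @param command the rules to apply plus the UUID of the target logical router
 * @param niciraNvpResource resource providing the API client and the retry utility
 * @return a success answer once every rule has been processed; a failure
 *         answer if a rule uses a port range (NVP does not support ranges
 *         for port forwarding); or the retry utility's answer when the API
 *         throws
 */
@Override
public Answer execute(final ConfigurePortForwardingRulesOnLogicalRouterCommand command, final NiciraNvpResource niciraNvpResource) {
    final NiciraNvpApi niciraNvpApi = niciraNvpResource.getNiciraNvpApi();
    final String routerUuid = command.getLogicalRouterUuid();
    try {
        final List<NatRule> existingRules = niciraNvpApi.findNatRulesByLogicalRouterUuid(routerUuid);
        for (final PortForwardingRuleTO rule : command.getRules()) {
            if (rule.isAlreadyAdded() && !rule.revoked()) {
                // Already on the router and not being removed: nothing to do
                continue;
            }
            final int[] dstPorts = rule.getDstPortRange();
            final int[] srcPorts = rule.getSrcPortRange();
            if (dstPorts[0] != dstPorts[1] || srcPorts[0] != srcPorts[1]) {
                return new ConfigurePortForwardingRulesOnLogicalRouterAnswer(command, false, "Nicira NVP doesn't support port ranges for port forwarding");
            }
            // rulepair[0] is the incoming rule, rulepair[1] the outgoing one
            final NatRule[] rulepair = niciraNvpResource.generatePortForwardingRulePair(rule.getDstIp(), dstPorts, rule.getSrcIp(), srcPorts, rule.getProtocol());
            NatRule incoming = null;
            NatRule outgoing = null;
            for (final NatRule storedRule : existingRules) {
                if (storedRule.equalsIgnoreUuid(rulepair[1])) {
                    outgoing = storedRule;
                    s_logger.debug("Found matching outgoing rule " + outgoing.getUuid());
                    if (incoming != null) {
                        break;
                    }
                } else if (storedRule.equalsIgnoreUuid(rulepair[0])) {
                    incoming = storedRule;
                    s_logger.debug("Found matching incoming rule " + incoming.getUuid());
                    if (outgoing != null) {
                        break;
                    }
                }
            }
            if (incoming != null && outgoing != null) {
                if (rule.revoked()) {
                    s_logger.debug("Deleting incoming rule " + incoming.getUuid());
                    niciraNvpApi.deleteLogicalRouterNatRule(routerUuid, incoming.getUuid());
                    s_logger.debug("Deleting outgoing rule " + outgoing.getUuid());
                    niciraNvpApi.deleteLogicalRouterNatRule(routerUuid, outgoing.getUuid());
                }
            } else {
                if (rule.revoked()) {
                    s_logger.warn("Tried deleting a rule that does not exist, " + rule.getSrcIp() + " -> " + rule.getDstIp());
                    // This used to 'break', which silently skipped every remaining
                    // rule in the command while the answer still reported all of
                    // them as applied. A missing rule only affects this rule.
                    continue;
                }
                rulepair[0] = niciraNvpApi.createLogicalRouterNatRule(routerUuid, rulepair[0]);
                s_logger.debug("Created " + niciraNvpResource.natRuleToString(rulepair[0]));
                try {
                    rulepair[1] = niciraNvpApi.createLogicalRouterNatRule(routerUuid, rulepair[1]);
                    s_logger.debug("Created " + niciraNvpResource.natRuleToString(rulepair[1]));
                } catch (final NiciraNvpApiException ex) {
                    // Never leave a half-installed pair behind: undo the first create
                    s_logger.warn("NiciraNvpApiException during create call, rolling back previous create");
                    niciraNvpApi.deleteLogicalRouterNatRule(routerUuid, rulepair[0].getUuid());
                    // Rethrow the original exception so the retry path below handles it
                    throw ex;
                }
            }
        }
        return new ConfigurePortForwardingRulesOnLogicalRouterAnswer(command, true, command.getRules().size() + " PortForwarding rules applied");
    } catch (final NiciraNvpApiException e) {
        final CommandRetryUtility retryUtility = niciraNvpResource.getRetryUtility();
        retryUtility.addRetry(command, NUM_RETRIES);
        return retryUtility.retry(command, ConfigurePortForwardingRulesOnLogicalRouterAnswer.class, e);
    }
}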
Also used : PortForwardingRuleTO(com.cloud.agent.api.to.PortForwardingRuleTO) NiciraNvpApi(com.cloud.network.nicira.NiciraNvpApi) NatRule(com.cloud.network.nicira.NatRule) CommandRetryUtility(com.cloud.network.utils.CommandRetryUtility) NiciraNvpApiException(com.cloud.network.nicira.NiciraNvpApiException) ConfigurePortForwardingRulesOnLogicalRouterAnswer(com.cloud.agent.api.ConfigurePortForwardingRulesOnLogicalRouterAnswer)

Example 23 with PortForwardingRuleTO

use of com.cloud.agent.api.to.PortForwardingRuleTO in project cloudstack by apache.

the class JuniperSrxResource method getActiveRules.

/**
 * Groups the rules that should be present on the device by the
 * "srcIp-dstIp" pair they belong to.
 *
 * <p>Only static NAT and port-forwarding rules are considered; rules with
 * any other purpose are skipped. A rule counts as active when it is not
 * revoked, or when it was already added. An IP pair is registered in the
 * result as soon as one of its rules is seen, so the mapped list may be
 * empty when none of that pair's rules is active.
 *
 * @param allRules every rule carried by the command
 * @return map from IP pair key to the active rules for that pair
 */
private Map<String, ArrayList<FirewallRuleTO>> getActiveRules(FirewallRuleTO[] allRules) {
    Map<String, ArrayList<FirewallRuleTO>> byIpPair = new HashMap<String, ArrayList<FirewallRuleTO>>();
    for (FirewallRuleTO rule : allRules) {
        String pairKey = ipPairKeyOf(rule);
        if (pairKey == null) {
            continue;
        }
        ArrayList<FirewallRuleTO> bucket = byIpPair.get(pairKey);
        if (bucket == null) {
            bucket = new ArrayList<FirewallRuleTO>();
            byIpPair.put(pairKey, bucket);
        }
        boolean active = !rule.revoked() || rule.isAlreadyAdded();
        if (active) {
            bucket.add(rule);
        }
    }
    return byIpPair;
}

/**
 * Builds the "srcIp-dstIp" grouping key for a static NAT or port-forwarding
 * rule.
 *
 * @param rule the rule to key
 * @return the key, or {@code null} when the rule's purpose is neither
 *         static NAT nor port forwarding
 */
private static String ipPairKeyOf(FirewallRuleTO rule) {
    if (rule.getPurpose().equals(Purpose.StaticNat)) {
        StaticNatRuleTO staticNat = (StaticNatRuleTO) rule;
        return staticNat.getSrcIp() + "-" + staticNat.getDstIp();
    }
    if (rule.getPurpose().equals(Purpose.PortForwarding)) {
        PortForwardingRuleTO portForwarding = (PortForwardingRuleTO) rule;
        return portForwarding.getSrcIp() + "-" + portForwarding.getDstIp();
    }
    return null;
}
Also used : StaticNatRuleTO(com.cloud.agent.api.to.StaticNatRuleTO) PortForwardingRuleTO(com.cloud.agent.api.to.PortForwardingRuleTO) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) FirewallRuleTO(com.cloud.agent.api.to.FirewallRuleTO)

Example 24 with PortForwardingRuleTO

use of com.cloud.agent.api.to.PortForwardingRuleTO in project cloudstack by apache.

the class MidoNetElement method applyPFRules.

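/**
 * Applies (adds or revokes) the given port-forwarding rules on the MidoNet
 * chains backing {@code network}.
 *
 * <p>Existing DNAT rules with a destination port in the pre-NAT chain are
 * indexed by their string form so each incoming rule can be matched. Per
 * public IP the method also tracks how many /32 pre-NAT rules exist and the
 * matching /32 route on the provider router, so the route is removed when
 * the last rule for that IP is revoked and created when the first one is
 * added. When the firewall service is handled for this network, adding a
 * rule also installs a default drop rule for the public IP in the
 * pre-filter chain unless one already exists.
 *
 * @param network the guest network whose rules are being applied
 * @param rules the rules to add or revoke, as indicated by their state
 * @return {@code false} when the network is not a MidoNet network or this
 *         element cannot handle port forwarding for it; {@code true} otherwise
 * @throws ResourceUnavailableException as declared by the overridden method;
 *         nothing in this body throws it directly
 */
@Override
public boolean applyPFRules(Network network, List<PortForwardingRule> rules) throws ResourceUnavailableException {
    s_logger.debug("applyPFRules called with network " + network.toString());
    if (!midoInNetwork(network)) {
        return false;
    }
    if (!canHandle(network, Service.PortForwarding)) {
        return false;
    }
    String accountIdStr = getAccountUuid(network);
    String networkUUIDStr = String.valueOf(network.getId());
    RuleChain preNat = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_PRENAT);
    // NOTE(review): postNat is never read below; the lookup is kept in case
    // getChain creates the chain as a side effect -- confirm and drop if not.
    RuleChain postNat = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_POST);
    RuleChain preFilter = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_PREFILTER);
    Router providerRouter = api.getRouter(_providerRouterId);
    Router tenantRouter = getOrCreateGuestNetworkRouter(network);
    RouterPort[] ports = getOrCreateProviderRouterPorts(tenantRouter, providerRouter);
    RouterPort providerDownlink = ports[1];
    // Existing "port forwarding" rules: DNAT rules with a destination port, keyed by string form
    Map<String, Rule> existingPreNatRules = new HashMap<String, Rule>();
    /*
     * Number of /32 pre-NAT rules per destination IP. When the count for
     * an IP drops to 0 the route associated with it can be deleted.
     */
    Map<String, Integer> ipRuleCounts = new HashMap<String, Integer>();
    // Single pass over the chain; the original fetched preNat.getRules() twice
    for (Rule existingRule : preNat.getRules()) {
        if (existingRule.getType().equals(DtoRule.DNAT) && existingRule.getTpDst() != null) {
            String ruleString = new SimpleFirewallRule(existingRule).toStringArray()[0];
            existingPreNatRules.put(ruleString, existingRule);
        }
        String ip = existingRule.getNwDstAddress();
        if (ip != null && existingRule.getNwDstLength() == 32) {
            Integer current = ipRuleCounts.get(ip);
            ipRuleCounts.put(ip, current == null ? 1 : current + 1);
        }
    }
    /*
     * /32 routes on the provider router keyed by destination IP. When all
     * rules for an IP are gone, its route is deleted as well.
     */
    Map<String, Route> routes = new HashMap<String, Route>();
    for (Route route : providerRouter.getRoutes(new MultivaluedMapImpl())) {
        String ip = route.getDstNetworkAddr();
        if (ip != null && route.getDstNetworkLength() == 32) {
            routes.put(ip, route);
        }
    }
    for (PortForwardingRule rule : rules) {
        IpAddress dstIp = _networkModel.getIp(rule.getSourceIpAddressId());
        PortForwardingRuleTO ruleTO = new PortForwardingRuleTO(rule, null, dstIp.getAddress().addr());
        SimpleFirewallRule fwRule = new SimpleFirewallRule(ruleTO);
        String[] ruleStrings = fwRule.toStringArray();
        if (rule.getState() == FirewallRule.State.Revoke) {
            // NOTE(review): the original comment said the rule must be deleted from
            // both the pre-NAT and post-NAT tables, but only the pre-NAT rule is
            // deleted here -- confirm whether a post-NAT counterpart exists.
            for (String revokeRuleString : ruleStrings) {
                Rule foundPreNatRule = existingPreNatRules.get(revokeRuleString);
                if (foundPreNatRule == null) {
                    continue;
                }
                String ip = foundPreNatRule.getNwDstAddress();
                Integer cnt = ipRuleCounts.get(ip);
                if (cnt != null) {
                    if (cnt == 1) {
                        ipRuleCounts.remove(ip);
                        // Last rule for this IP: drop its /32 route as well. The route
                        // map may have no entry for it, which used to surface as a
                        // NullPointerException on route.delete().
                        Route route = routes.remove(ip);
                        if (route != null) {
                            route.delete();
                        } else {
                            s_logger.warn("No /32 route found for " + ip + " while revoking its last port forwarding rule");
                        }
                    } else {
                        ipRuleCounts.put(ip, cnt - 1);
                    }
                }
                foundPreNatRule.delete();
            }
        } else if (rule.getState() == FirewallRule.State.Add) {
            for (String ruleString : ruleStrings) {
                if (existingPreNatRules.get(ruleString) != null) {
                    // Already present in the pre-NAT chain
                    continue;
                }
                String vmIp = ruleTO.getDstIp();
                String publicIp = dstIp.getAddress().addr();
                int privPortStart = ruleTO.getDstPortRange()[0];
                int privPortEnd = ruleTO.getDstPortRange()[1];
                int pubPortStart = ruleTO.getSrcPortRange()[0];
                int pubPortEnd = ruleTO.getSrcPortRange()[1];
                DtoRule.DtoNatTarget[] preTargets = new DtoRule.DtoNatTarget[] { new DtoRule.DtoNatTarget(vmIp, vmIp, privPortStart, privPortEnd) };
                Rule preNatRule = preNat.addRule().type(DtoRule.DNAT).flowAction(DtoRule.Accept).nwDstAddress(publicIp).nwDstLength(32).tpDst(new DtoRange(pubPortStart, pubPortEnd)).natTargets(preTargets).nwProto(SimpleFirewallRule.stringToProtocolNumber(rule.getProtocol())).position(1);
                Integer cnt = ipRuleCounts.get(publicIp);
                ipRuleCounts.put(publicIp, cnt == null ? 1 : cnt + 1);
                // Index the new rule so a duplicate later in this batch is not re-created
                String preNatRuleStr = new SimpleFirewallRule(preNatRule).toStringArray()[0];
                existingPreNatRules.put(preNatRuleStr, preNatRule);
                preNatRule.create();
                if (routes.get(publicIp) == null) {
                    Route route = providerRouter.addRoute().type("Normal").weight(100).srcNetworkAddr("0.0.0.0").srcNetworkLength(0).dstNetworkAddr(publicIp).dstNetworkLength(32).nextHopPort(providerDownlink.getId());
                    route.create();
                    routes.put(publicIp, route);
                }
                // Default firewall rule: drop traffic to the public IP unless a rule for it already exists
                if (canHandle(network, Service.Firewall)) {
                    boolean defaultBlock = false;
                    for (Rule filterRule : preFilter.getRules()) {
                        String pfDstIp = filterRule.getNwDstAddress();
                        if (pfDstIp != null && pfDstIp.equals(publicIp)) {
                            defaultBlock = true;
                            break;
                        }
                    }
                    if (!defaultBlock) {
                        preFilter.addRule().type(DtoRule.Drop).nwDstAddress(publicIp).nwDstLength(32).create();
                    }
                }
            }
        }
    }
    return true;
}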
Also used : DtoRange(org.midonet.client.dto.DtoRule.DtoRange) PortForwardingRuleTO(com.cloud.agent.api.to.PortForwardingRuleTO) HashMap(java.util.HashMap) DtoRule(org.midonet.client.dto.DtoRule) Router(org.midonet.client.resource.Router) MultivaluedMapImpl(com.sun.jersey.core.util.MultivaluedMapImpl) PortForwardingRule(com.cloud.network.rules.PortForwardingRule) RuleChain(org.midonet.client.resource.RuleChain) IpAddress(com.cloud.network.IpAddress) PublicIpAddress(com.cloud.network.PublicIpAddress) Rule(org.midonet.client.resource.Rule) PortForwardingRule(com.cloud.network.rules.PortForwardingRule) FirewallRule(com.cloud.network.rules.FirewallRule) DtoRule(org.midonet.client.dto.DtoRule) RouterPort(org.midonet.client.resource.RouterPort) Route(org.midonet.client.resource.Route)

Example 25 with PortForwardingRuleTO

use of com.cloud.agent.api.to.PortForwardingRuleTO in project cloudstack by apache.

the class ExternalFirewallDeviceManagerImpl method applyPortForwardingRules.

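/**
 * Pushes the given port-forwarding rules to the external firewall device
 * serving {@code network}.
 *
 * <p>Networks still in the {@code Allocated} state are not implemented on
 * the backend, so nothing is sent for them. Otherwise each rule is converted
 * to a {@link PortForwardingRuleTO} carrying the source IP's VLAN tag and
 * address, and the batch is sent to the firewall host.
 *
 * @param network the network the rules belong to
 * @param rules the rules to apply
 * @return {@code true} once the rules have been handed to the device, or
 *         when the network is not implemented and the call is skipped
 * @throws ResourceUnavailableException as declared by the overridden method
 * @throws IllegalStateException if no host is registered for the network's firewall device
 */
@Override
public boolean applyPortForwardingRules(Network network, List<? extends PortForwardingRule> rules) throws ResourceUnavailableException {
    // Find the external firewall in this zone
    long zoneId = network.getDataCenterId();
    DataCenterVO zone = _dcDao.findById(zoneId);
    ExternalFirewallDeviceVO fwDeviceVO = getExternalFirewallForNetwork(network);
    HostVO externalFirewall = _hostDao.findById(fwDeviceVO.getHostId());
    // This used to be an 'assert', which is a no-op unless the JVM runs with -ea;
    // a missing host would then only surface as a NullPointerException on
    // externalFirewall.getId() below. Fail explicitly instead.
    if (externalFirewall == null) {
        throw new IllegalStateException("No external firewall host found for device host id " + fwDeviceVO.getHostId() + " in zone " + zoneId);
    }
    if (network.getState() == Network.State.Allocated) {
        s_logger.debug("External firewall was asked to apply firewall rules for network with ID " + network.getId() + "; this network is not implemented. Skipping backend commands.");
        return true;
    }
    List<PortForwardingRuleTO> pfRules = new ArrayList<PortForwardingRuleTO>(rules.size());
    for (PortForwardingRule rule : rules) {
        IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
        Vlan vlan = _vlanDao.findById(sourceIp.getVlanId());
        PortForwardingRuleTO ruleTO = new PortForwardingRuleTO(rule, vlan.getVlanTag(), sourceIp.getAddress().addr());
        pfRules.add(ruleTO);
    }
    sendPortForwardingRules(pfRules, zone, externalFirewall.getId());
    return true;
}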
Also used : DataCenterVO(com.cloud.dc.DataCenterVO) ExternalFirewallDeviceVO(com.cloud.network.dao.ExternalFirewallDeviceVO) PortForwardingRuleTO(com.cloud.agent.api.to.PortForwardingRuleTO) ArrayList(java.util.ArrayList) Vlan(com.cloud.dc.Vlan) PortForwardingRule(com.cloud.network.rules.PortForwardingRule) HostVO(com.cloud.host.HostVO)
