use of com.cloud.exception.NetworkRuleConflictException in project CloudStack-archive by CloudStack-extras.
the class CreateLoadBalancerRuleCmd method create.
/**
 * Creates the load balancer rule described by this command and records the new rule's id
 * as the command's entity id.
 *
 * @throws InvalidParameterValueException if the deprecated {@code cidrlist} parameter was supplied
 * @throws ServerApiException with NETWORK_RULE_CONFLICT_ERROR when the rule conflicts with an
 *         existing one, or INSUFFICIENT_CAPACITY_ERROR when no address capacity is available;
 *         the underlying exception message is passed through as the API error text
 */
@Override
public void create() {
    // cidrList is no longer accepted here; callers are pointed at createFirewallRule instead.
    if (cidrlist != null) {
        throw new InvalidParameterValueException("Parameter cidrList is deprecated; if you need to open firewall rule for the specific cidr, please refer to createFirewallRule command");
    }
    try {
        LoadBalancer created = _lbService.createLoadBalancerRule(this, getOpenFirewall());
        setEntityId(created.getId());
    } catch (NetworkRuleConflictException conflict) {
        s_logger.warn("Exception: ", conflict);
        throw new ServerApiException(BaseCmd.NETWORK_RULE_CONFLICT_ERROR, conflict.getMessage());
    } catch (InsufficientAddressCapacityException noCapacity) {
        s_logger.warn("Exception: ", noCapacity);
        throw new ServerApiException(BaseCmd.INSUFFICIENT_CAPACITY_ERROR, noCapacity.getMessage());
    }
}
use of com.cloud.exception.NetworkRuleConflictException in project CloudStack-archive by CloudStack-extras.
the class CreateFirewallRuleCmd method create.
/**
 * Validates every source CIDR supplied to the command, then creates the firewall rule and
 * records the new rule's id as the command's entity id.
 *
 * @throws ServerApiException with PARAM_ERROR on the first malformed source CIDR, or with
 *         NETWORK_RULE_CONFLICT_ERROR when the rule conflicts with an existing one (the
 *         conflict message is passed through as the API error text)
 */
@Override
public void create() {
    if (getSourceCidrList() != null) {
        for (String cidr : getSourceCidrList()) {
            if (NetUtils.isValidCIDR(cidr)) {
                continue;
            }
            // Fail the whole request on the first CIDR that does not parse.
            throw new ServerApiException(BaseCmd.PARAM_ERROR, "Source cidrs formatting error " + cidr);
        }
    }
    try {
        FirewallRule created = _firewallService.createFirewallRule(this);
        setEntityId(created.getId());
    } catch (NetworkRuleConflictException conflict) {
        // A conflict is a client-side error: message at info, full stack trace only at trace level.
        s_logger.info("Network rule conflict: " + conflict.getMessage());
        s_logger.trace("Network Rule Conflict: ", conflict);
        throw new ServerApiException(BaseCmd.NETWORK_RULE_CONFLICT_ERROR, conflict.getMessage());
    }
}
use of com.cloud.exception.NetworkRuleConflictException in project CloudStack-archive by CloudStack-extras.
the class CreateIpForwardingRuleCmd method create.
/**
 * Creates the static NAT (IP forwarding) rule described by this command and records the new
 * rule's id as the command's entity id.
 *
 * @throws InvalidParameterValueException if the deprecated {@code cidrlist} parameter was supplied
 * @throws ServerApiException with NETWORK_RULE_CONFLICT_ERROR when the rule conflicts with an
 *         existing one; the conflict message is passed through as the API error text
 */
@Override
public void create() {
    // cidrList is no longer accepted here; callers are pointed at createFirewallRule instead.
    if (cidrlist != null) {
        throw new InvalidParameterValueException("Parameter cidrList is deprecated; if you need to open firewall rule for the specific cidr, please refer to createFirewallRule command");
    }
    try {
        StaticNatRule created = _rulesService.createStaticNatRule(this, getOpenFirewall());
        setEntityId(created.getId());
    } catch (NetworkRuleConflictException conflict) {
        s_logger.info("Unable to create Static Nat Rule due to ", conflict);
        throw new ServerApiException(BaseCmd.NETWORK_RULE_CONFLICT_ERROR, conflict.getMessage());
    }
}
use of com.cloud.exception.NetworkRuleConflictException in project CloudStack-archive by CloudStack-extras.
the class EnableStaticNatCmd method execute.
/**
 * Enables static NAT between the command's public IP and virtual machine and sets a
 * success response on the command.
 *
 * @throws ResourceUnavailableException propagated from the rules service
 * @throws ServerApiException with INTERNAL_ERROR if the service reports failure, or with
 *         NETWORK_RULE_CONFLICT_ERROR when an existing rule conflicts (the conflict message
 *         is passed through as the API error text)
 */
@Override
public void execute() throws ResourceUnavailableException {
    try {
        boolean enabled = _rulesService.enableStaticNat(ipAddressId, virtualMachineId, false);
        if (!enabled) {
            throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to enable static nat");
        }
        setResponseObject(new SuccessResponse(getCommandName()));
    } catch (NetworkRuleConflictException conflict) {
        // A conflict is a client-side error: message at info, full stack trace only at trace level.
        s_logger.info("Network rule conflict: " + conflict.getMessage());
        s_logger.trace("Network Rule Conflict: ", conflict);
        throw new ServerApiException(BaseCmd.NETWORK_RULE_CONFLICT_ERROR, conflict.getMessage());
    }
}
use of com.cloud.exception.NetworkRuleConflictException in project cloudstack by apache.
the class FirewallManagerImpl method detectRulesConflict.
/**
 * Checks {@code newRule} against the other non-revoked rules in its scope and throws on a
 * conflict. The scope is every rule on the same source IP when the rule has one, otherwise
 * the firewall egress rules of the same network and traffic type. {@code newRule} is
 * expected to be persisted already (it is skipped by id while iterating). When both rules
 * are firewall rules, {@code newRule} is cast to {@link FirewallRuleVO} so its CIDR lists
 * can be loaded.
 *
 * @param newRule the rule to validate against its neighbours
 * @throws NetworkRuleConflictException on a purpose, network, protocol or port-range conflict
 * @throws InvalidParameterValueException on an ICMP type/code conflict (note the different type)
 */
@Override
public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflictException {
    List<FirewallRuleVO> rules;
    if (newRule.getSourceIpAddressId() != null) {
        // Rule bound to a public IP: compare with all non-revoked rules on that IP
        // (purpose passed as null, presumably meaning "any purpose" — verify in the DAO).
        rules = _firewallDao.listByIpAndPurposeAndNotRevoked(newRule.getSourceIpAddressId(), null);
        // Only enforced when the JVM runs with -ea.
        assert (rules.size() >= 1) : "For network rules, we now always first persist the rule and then check for " + "network conflicts so we should at least have one rule at this point.";
    } else {
        // fetches only firewall egress rules.
        rules = _firewallDao.listByNetworkPurposeTrafficTypeAndNotRevoked(newRule.getNetworkId(), Purpose.Firewall, newRule.getTrafficType());
        assert (rules.size() >= 1);
    }
    for (FirewallRuleVO rule : rules) {
        if (rule.getId() == newRule.getId()) {
            // Skips my own rule.
            continue;
        }
        // True when at least one of the pair is a firewall rule and the two differ in purpose
        // or protocol; such pairs are exempt from the purpose and port-range checks below.
        boolean oneOfRulesIsFirewall = ((rule.getPurpose() == Purpose.Firewall || newRule.getPurpose() == Purpose.Firewall) && ((newRule.getPurpose() != rule.getPurpose()) || (!newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()))));
        // if both rules are firewall and their cidrs are different, we can skip port ranges verification
        boolean bothRulesFirewall = (rule.getPurpose() == newRule.getPurpose() && rule.getPurpose() == Purpose.Firewall);
        boolean duplicatedCidrs = false;
        if (bothRulesFirewall) {
            _firewallDao.loadSourceCidrs(rule);
            _firewallDao.loadSourceCidrs((FirewallRuleVO) newRule);
            _firewallDao.loadDestinationCidrs(rule);
            _firewallDao.loadDestinationCidrs((FirewallRuleVO) newRule);
            // NOTE(review): a missing source CIDR list on either side skips every remaining check
            // for this pair, including the network and port-range checks — confirm that is intended.
            if (rule.getSourceCidrList() == null || newRule.getSourceCidrList() == null) {
                continue;
            }
            // Destination lists are not null-checked here; presumably detectConflictingCidrs
            // tolerates null — verify.
            duplicatedCidrs = (detectConflictingCidrs(rule.getSourceCidrList(), newRule.getSourceCidrList()) && detectConflictingCidrs(rule.getDestinationCidrList(), newRule.getDestinationCidrList()));
        }
        if (!oneOfRulesIsFirewall) {
            // A static NAT rule is exclusive with any other non-firewall rule on the same IP.
            if (rule.getPurpose() == Purpose.StaticNat && newRule.getPurpose() != Purpose.StaticNat) {
                throw new NetworkRuleConflictException("There is 1 to 1 Nat rule specified for the ip address id=" + newRule.getSourceIpAddressId());
            } else if (rule.getPurpose() != Purpose.StaticNat && newRule.getPurpose() == Purpose.StaticNat) {
                throw new NetworkRuleConflictException("There is already firewall rule specified for the ip address id=" + newRule.getSourceIpAddressId());
            }
        }
        // Checking if the rule applied is to the same network that is passed in the rule.
        // Uses != on the ids; assumes getNetworkId() returns a primitive long — TODO confirm.
        if (rule.getNetworkId() != newRule.getNetworkId() && rule.getState() != State.Revoke) {
            throw new NetworkRuleConflictException("New rule is for a different network than what's specified in rule " + rule.getXid());
        }
        // Check for the ICMP protocol. This has to be done separately from other protocols as we need to check the ICMP codes and ICMP type also.
        if (newRule.getProtocol().equalsIgnoreCase(NetUtils.ICMP_PROTO) && newRule.getProtocol().equalsIgnoreCase(rule.getProtocol())) {
            // NOTE(review): this branch throws InvalidParameterValueException while every other
            // conflict throws NetworkRuleConflictException, so callers catching the latter miss it.
            // It also calls longValue() on getIcmpCode()/getIcmpType(); a null value would NPE.
            if (newRule.getIcmpCode().longValue() == rule.getIcmpCode().longValue() && newRule.getIcmpType().longValue() == rule.getIcmpType().longValue() && newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()) && duplicatedCidrs) {
                throw new InvalidParameterValueException("New rule conflicts with existing rule id=" + rule.getId());
            }
        }
        // Both rules carry a complete port range / neither rule carries any port at all.
        boolean notNullPorts = (newRule.getSourcePortStart() != null && newRule.getSourcePortEnd() != null && rule.getSourcePortStart() != null && rule.getSourcePortEnd() != null);
        boolean nullPorts = (newRule.getSourcePortStart() == null && newRule.getSourcePortEnd() == null && rule.getSourcePortStart() == null && rule.getSourcePortEnd() == null);
        // If ports are not specified and cidrs are same and protocol is also same(NOT ICMP as it is separately checked above)
        if (nullPorts && duplicatedCidrs && (rule.getProtocol().equalsIgnoreCase(newRule.getProtocol())) && !newRule.getProtocol().equalsIgnoreCase(NetUtils.ICMP_PROTO)) {
            throw new NetworkRuleConflictException("There is already a firewall rule specified with protocol = " + newRule.getProtocol() + " and no ports");
        }
        if (!notNullPorts) {
            // Nothing to compare when either side leaves part of its port range unset.
            continue;
        } else if (!oneOfRulesIsFirewall && !(bothRulesFirewall && !duplicatedCidrs) && ((rule.getSourcePortStart().intValue() <= newRule.getSourcePortStart().intValue() && rule.getSourcePortEnd().intValue() >= newRule.getSourcePortStart().intValue()) || (rule.getSourcePortStart().intValue() <= newRule.getSourcePortEnd().intValue() && rule.getSourcePortEnd().intValue() >= newRule.getSourcePortEnd().intValue()) || (newRule.getSourcePortStart().intValue() <= rule.getSourcePortStart().intValue() && newRule.getSourcePortEnd().intValue() >= rule.getSourcePortStart().intValue()) || (newRule.getSourcePortStart().intValue() <= rule.getSourcePortEnd().intValue() && newRule.getSourcePortEnd().intValue() >= rule.getSourcePortEnd().intValue()))) {
            // Above else if conditions checks for the conflicting port ranges.
            // Each of the four disjuncts tests one endpoint of one range lying inside the other range.
            // we allow port forwarding rules with the same parameters but different protocols
            boolean allowPf = (rule.getPurpose() == Purpose.PortForwarding && newRule.getPurpose() == Purpose.PortForwarding && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol())) || (rule.getPurpose() == Purpose.Vpn && newRule.getPurpose() == Purpose.PortForwarding && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));
            // Same exemption for two static NAT rules on different protocols.
            boolean allowStaticNat = (rule.getPurpose() == Purpose.StaticNat && newRule.getPurpose() == Purpose.StaticNat && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));
            // A VPN rule may overlap a port-forwarding or load-balancing rule on a different protocol.
            boolean allowVpnPf = (rule.getPurpose() == Purpose.PortForwarding && newRule.getPurpose() == Purpose.Vpn && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));
            boolean allowVpnLb = (rule.getPurpose() == Purpose.LoadBalancing && newRule.getPurpose() == Purpose.Vpn && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));
            if (!(allowPf || allowStaticNat || oneOfRulesIsFirewall || allowVpnPf || allowVpnLb)) {
                throw new NetworkRuleConflictException("The range specified, " + newRule.getSourcePortStart() + "-" + newRule.getSourcePortEnd() + ", conflicts with rule " + rule.getId() + " which has " + rule.getSourcePortStart() + "-" + rule.getSourcePortEnd());
            }
        }
    }
    if (s_logger.isDebugEnabled()) {
        // rules includes newRule itself, hence the "- 1".
        s_logger.debug("No network rule conflicts detected for " + newRule + " against " + (rules.size() - 1) + " existing rules");
    }
}