Search in sources :

Example 6 with NetworkRuleConflictException

use of com.cloud.exception.NetworkRuleConflictException in project cloudstack by apache.

the class FirewallManagerImpl method detectRulesConflict.

@Override
public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflictException {
    List<FirewallRuleVO> rules;
    if (newRule.getSourceIpAddressId() != null) {
        rules = _firewallDao.listByIpAndPurposeAndNotRevoked(newRule.getSourceIpAddressId(), null);
        assert (rules.size() >= 1) : "For network rules, we now always first persist the rule and then check for " + "network conflicts so we should at least have one rule at this point.";
    } else {
        // fetches only firewall egress rules.
        rules = _firewallDao.listByNetworkPurposeTrafficTypeAndNotRevoked(newRule.getNetworkId(), Purpose.Firewall, newRule.getTrafficType());
        assert (rules.size() >= 1);
    }
    for (FirewallRuleVO rule : rules) {
        if (rule.getId() == newRule.getId()) {
            // Skips my own rule.
            continue;
        }
        boolean oneOfRulesIsFirewall = ((rule.getPurpose() == Purpose.Firewall || newRule.getPurpose() == Purpose.Firewall) && ((newRule.getPurpose() != rule.getPurpose()) || (!newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()))));
        // if both rules are firewall and their cidrs are different, we can skip port ranges verification
        boolean bothRulesFirewall = (rule.getPurpose() == newRule.getPurpose() && rule.getPurpose() == Purpose.Firewall);
        boolean duplicatedCidrs = false;
        if (bothRulesFirewall) {
            // Verify that the rules have different cidrs
            _firewallDao.loadSourceCidrs(rule);
            _firewallDao.loadSourceCidrs((FirewallRuleVO) newRule);
            List<String> ruleCidrList = rule.getSourceCidrList();
            List<String> newRuleCidrList = newRule.getSourceCidrList();
            if (ruleCidrList == null || newRuleCidrList == null) {
                continue;
            }
            Collection<String> similar = new HashSet<String>(ruleCidrList);
            similar.retainAll(newRuleCidrList);
            if (similar.size() > 0) {
                duplicatedCidrs = true;
            }
        }
        if (!oneOfRulesIsFirewall) {
            if (rule.getPurpose() == Purpose.StaticNat && newRule.getPurpose() != Purpose.StaticNat) {
                throw new NetworkRuleConflictException("There is 1 to 1 Nat rule specified for the ip address id=" + newRule.getSourceIpAddressId());
            } else if (rule.getPurpose() != Purpose.StaticNat && newRule.getPurpose() == Purpose.StaticNat) {
                throw new NetworkRuleConflictException("There is already firewall rule specified for the ip address id=" + newRule.getSourceIpAddressId());
            }
        }
        if (rule.getNetworkId() != newRule.getNetworkId() && rule.getState() != State.Revoke) {
            throw new NetworkRuleConflictException("New rule is for a different network than what's specified in rule " + rule.getXid());
        }
        if (newRule.getProtocol().equalsIgnoreCase(NetUtils.ICMP_PROTO) && newRule.getProtocol().equalsIgnoreCase(rule.getProtocol())) {
            if (newRule.getIcmpCode().longValue() == rule.getIcmpCode().longValue() && newRule.getIcmpType().longValue() == rule.getIcmpType().longValue() && newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()) && duplicatedCidrs) {
                throw new InvalidParameterValueException("New rule conflicts with existing rule id=" + rule.getId());
            }
        }
        boolean notNullPorts = (newRule.getSourcePortStart() != null && newRule.getSourcePortEnd() != null && rule.getSourcePortStart() != null && rule.getSourcePortEnd() != null);
        boolean nullPorts = (newRule.getSourcePortStart() == null && newRule.getSourcePortEnd() == null && rule.getSourcePortStart() == null && rule.getSourcePortEnd() == null);
        if (nullPorts && duplicatedCidrs && (rule.getProtocol().equalsIgnoreCase(newRule.getProtocol())) && !newRule.getProtocol().equalsIgnoreCase(NetUtils.ICMP_PROTO)) {
            throw new NetworkRuleConflictException("There is already a firewall rule specified with protocol = " + newRule.getProtocol() + " and no ports");
        }
        if (!notNullPorts) {
            continue;
        } else if (!oneOfRulesIsFirewall && !(bothRulesFirewall && !duplicatedCidrs) && ((rule.getSourcePortStart().intValue() <= newRule.getSourcePortStart().intValue() && rule.getSourcePortEnd().intValue() >= newRule.getSourcePortStart().intValue()) || (rule.getSourcePortStart().intValue() <= newRule.getSourcePortEnd().intValue() && rule.getSourcePortEnd().intValue() >= newRule.getSourcePortEnd().intValue()) || (newRule.getSourcePortStart().intValue() <= rule.getSourcePortStart().intValue() && newRule.getSourcePortEnd().intValue() >= rule.getSourcePortStart().intValue()) || (newRule.getSourcePortStart().intValue() <= rule.getSourcePortEnd().intValue() && newRule.getSourcePortEnd().intValue() >= rule.getSourcePortEnd().intValue()))) {
            // we allow port forwarding rules with the same parameters but different protocols
            boolean allowPf = (rule.getPurpose() == Purpose.PortForwarding && newRule.getPurpose() == Purpose.PortForwarding && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol())) || (rule.getPurpose() == Purpose.Vpn && newRule.getPurpose() == Purpose.PortForwarding && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));
            boolean allowStaticNat = (rule.getPurpose() == Purpose.StaticNat && newRule.getPurpose() == Purpose.StaticNat && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));
            boolean allowVpnPf = (rule.getPurpose() == Purpose.PortForwarding && newRule.getPurpose() == Purpose.Vpn && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));
            boolean allowVpnLb = (rule.getPurpose() == Purpose.LoadBalancing && newRule.getPurpose() == Purpose.Vpn && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));
            if (!(allowPf || allowStaticNat || oneOfRulesIsFirewall || allowVpnPf || allowVpnLb)) {
                throw new NetworkRuleConflictException("The range specified, " + newRule.getSourcePortStart() + "-" + newRule.getSourcePortEnd() + ", conflicts with rule " + rule.getId() + " which has " + rule.getSourcePortStart() + "-" + rule.getSourcePortEnd());
            }
        }
    }
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("No network rule conflicts detected for " + newRule + " against " + (rules.size() - 1) + " existing rules");
    }
}
Also used : InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException) NetworkRuleConflictException(com.cloud.exception.NetworkRuleConflictException) FirewallRuleVO(com.cloud.network.rules.FirewallRuleVO) HashSet(java.util.HashSet)

Example 7 with NetworkRuleConflictException

use of com.cloud.exception.NetworkRuleConflictException in project cloudstack by apache.

the class CreateIpForwardingRuleCmd method create.

@Override
public void create() {
    //cidr list parameter is deprecated
    if (cidrlist != null) {
        throw new InvalidParameterValueException("Parameter cidrList is deprecated; if you need to open firewall rule for the specific CIDR, please refer to createFirewallRule command");
    }
    try {
        StaticNatRule rule = _rulesService.createStaticNatRule(this, getOpenFirewall());
        setEntityId(rule.getId());
        setEntityUuid(rule.getUuid());
    } catch (NetworkRuleConflictException e) {
        s_logger.info("Unable to create static NAT rule due to ", e);
        throw new ServerApiException(ApiErrorCode.NETWORK_RULE_CONFLICT_ERROR, e.getMessage());
    }
}
Also used : ServerApiException(org.apache.cloudstack.api.ServerApiException) InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException) StaticNatRule(com.cloud.network.rules.StaticNatRule) NetworkRuleConflictException(com.cloud.exception.NetworkRuleConflictException)

Example 8 with NetworkRuleConflictException

use of com.cloud.exception.NetworkRuleConflictException in project cloudstack by apache.

the class UploadSslCertCmd method execute.

/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException, NetworkRuleConflictException {
    try {
        SslCertResponse response = _certService.uploadSslCert(this);
        setResponseObject(response);
        response.setResponseName(getCommandName());
    } catch (Exception e) {
        throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, e.getMessage());
    }
}
Also used : ServerApiException(org.apache.cloudstack.api.ServerApiException) SslCertResponse(org.apache.cloudstack.api.response.SslCertResponse) ServerApiException(org.apache.cloudstack.api.ServerApiException) NetworkRuleConflictException(com.cloud.exception.NetworkRuleConflictException) ResourceUnavailableException(com.cloud.exception.ResourceUnavailableException) ResourceAllocationException(com.cloud.exception.ResourceAllocationException) ConcurrentOperationException(com.cloud.exception.ConcurrentOperationException) InsufficientCapacityException(com.cloud.exception.InsufficientCapacityException)

Example 9 with NetworkRuleConflictException

use of com.cloud.exception.NetworkRuleConflictException in project cloudstack by apache.

the class AddBaremetalPxeCmd method execute.

@Override
public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException, NetworkRuleConflictException {
    try {
        BaremetalPxeVO vo = pxeMgr.addPxeServer(this);
        BaremetalPxeResponse rsp = pxeMgr.getApiResponse(vo);
        rsp.setResponseName(getCommandName());
        this.setResponseObject(rsp);
    } catch (Exception e) {
        s_logger.warn("Unable to add external pxe server with url: " + getUrl(), e);
        throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, e.getMessage());
    }
}
Also used : BaremetalPxeResponse(com.cloud.baremetal.networkservice.BaremetalPxeResponse) NetworkRuleConflictException(com.cloud.exception.NetworkRuleConflictException) ResourceUnavailableException(com.cloud.exception.ResourceUnavailableException) ResourceAllocationException(com.cloud.exception.ResourceAllocationException) ConcurrentOperationException(com.cloud.exception.ConcurrentOperationException) InsufficientCapacityException(com.cloud.exception.InsufficientCapacityException) BaremetalPxeVO(com.cloud.baremetal.database.BaremetalPxeVO)

Example 10 with NetworkRuleConflictException

use of com.cloud.exception.NetworkRuleConflictException in project cloudstack by apache.

the class AddBaremetalRctCmd method execute.

@Override
public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException, NetworkRuleConflictException {
    try {
        BaremetalRctResponse rsp = vlanMgr.addRct(this);
        this.setResponseObject(rsp);
    } catch (Exception e) {
        s_logger.warn(String.format("unable to add baremetal RCT[%s]", getRctUrl()), e);
        throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, e.getMessage());
    }
}
Also used : BaremetalRctResponse(com.cloud.baremetal.networkservice.BaremetalRctResponse) ResourceAllocationException(com.cloud.exception.ResourceAllocationException) ConcurrentOperationException(com.cloud.exception.ConcurrentOperationException) InsufficientCapacityException(com.cloud.exception.InsufficientCapacityException) NetworkRuleConflictException(com.cloud.exception.NetworkRuleConflictException) ResourceUnavailableException(com.cloud.exception.ResourceUnavailableException)

Aggregations

NetworkRuleConflictException (com.cloud.exception.NetworkRuleConflictException)44 InvalidParameterValueException (com.cloud.exception.InvalidParameterValueException)19 ResourceUnavailableException (com.cloud.exception.ResourceUnavailableException)18 ServerApiException (org.apache.cloudstack.api.ServerApiException)14 ConcurrentOperationException (com.cloud.exception.ConcurrentOperationException)12 InsufficientCapacityException (com.cloud.exception.InsufficientCapacityException)12 ResourceAllocationException (com.cloud.exception.ResourceAllocationException)12 CloudRuntimeException (com.cloud.utils.exception.CloudRuntimeException)12 Network (com.cloud.network.Network)10 InsufficientAddressCapacityException (com.cloud.exception.InsufficientAddressCapacityException)9 IPAddressVO (com.cloud.network.dao.IPAddressVO)9 DB (com.cloud.utils.db.DB)8 TransactionStatus (com.cloud.utils.db.TransactionStatus)8 ServerApiException (com.cloud.api.ServerApiException)6 Account (com.cloud.user.Account)6 TransactionCallbackWithException (com.cloud.utils.db.TransactionCallbackWithException)6 SuccessResponse (org.apache.cloudstack.api.response.SuccessResponse)5 ActionEvent (com.cloud.event.ActionEvent)4 IpAddress (com.cloud.network.IpAddress)4 FirewallRule (com.cloud.network.rules.FirewallRule)4