Example 11 with FirewallRule

use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.

the class UpdateFirewallRuleCmd method execute.

@Override
public void execute() throws ResourceUnavailableException {
    CallContext.current().setEventDetails("Rule ID: " + id);
    // Only the custom ID and the display flag are passed to the service; protocol, ports and CIDRs are not touched by this command.
    final FirewallRule rule = _firewallService.updateIngressFirewallRule(id, this.getCustomId(), getDisplay());
    FirewallResponse fwResponse = new FirewallResponse();
    if (rule != null) {
        fwResponse = _responseGenerator.createFirewallResponse(rule);
        setResponseObject(fwResponse);
    }
    // When the service returns null no response object is attached; the name is then set on the unused placeholder instance.
    fwResponse.setResponseName(getCommandName());
}
Also used : FirewallRule(com.cloud.legacymodel.network.FirewallRule) FirewallResponse(com.cloud.api.response.FirewallResponse)

Example 12 with FirewallRule

use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.

the class ApiResponseHelper method createFirewallResponse.

@Override
public FirewallResponse createFirewallResponse(final FirewallRule fwRule) {
    final FirewallResponse response = new FirewallResponse();
    response.setId(fwRule.getUuid());
    response.setProtocol(fwRule.getProtocol());
    if (fwRule.getSourcePortStart() != null) {
        response.setStartPort(fwRule.getSourcePortStart());
    }
    if (fwRule.getSourcePortEnd() != null) {
        response.setEndPort(fwRule.getSourcePortEnd());
    }
    // Source CIDRs are stored separately from the rule and returned to the API as one comma-separated string.
    final List<String> cidrs = ApiDBUtils.findFirewallSourceCidrs(fwRule.getId());
    response.setCidrList(StringUtils.join(cidrs, ","));
    if (fwRule.getTrafficType() == FirewallRule.TrafficType.Ingress) {
        // Ingress rules are bound to a public IP; the lookup result is dereferenced without a null check.
        final IpAddress ip = ApiDBUtils.findIpAddressById(fwRule.getSourceIpAddressId());
        response.setPublicIpAddressId(ip.getUuid());
        response.setPublicIpAddress(ip.getAddress().addr());
    }
    final Network network = ApiDBUtils.findNetworkById(fwRule.getNetworkId());
    response.setNetworkId(network.getUuid());
    final FirewallRule.State state = fwRule.getState();
    String stateToSet = state.toString();
    // A rule whose state is Revoke is reported to API clients as "Deleting".
    if (state.equals(FirewallRule.State.Revoke)) {
        stateToSet = "Deleting";
    }
    response.setIcmpCode(fwRule.getIcmpCode());
    response.setIcmpType(fwRule.getIcmpType());
    response.setForDisplay(fwRule.isDisplay());
    // set tag information
    final List<? extends ResourceTag> tags = ApiDBUtils.listByResourceTypeAndId(ResourceObjectType.FirewallRule, fwRule.getId());
    final List<ResourceTagResponse> tagResponses = new ArrayList<>();
    for (final ResourceTag tag : tags) {
        final ResourceTagResponse tagResponse = createResourceTagResponse(tag, true);
        if (tagResponse != null) {
            tagResponses.add(tagResponse);
        }
    }
    response.setTags(tagResponses);
    response.setState(stateToSet);
    response.setObjectName("firewallrule");
    return response;
}
Also used : ResourceTag(com.cloud.server.ResourceTag) PhysicalNetwork(com.cloud.network.PhysicalNetwork) Network(com.cloud.legacymodel.network.Network) ResourceTagResponse(com.cloud.api.response.ResourceTagResponse) ArrayList(java.util.ArrayList) IpAddress(com.cloud.network.IpAddress) FirewallRule(com.cloud.legacymodel.network.FirewallRule) FirewallResponse(com.cloud.api.response.FirewallResponse)

Example 13 with FirewallRule

use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.

the class VirtualNetworkApplianceManagerImpl method createDefaultEgressFirewallRule.

private void createDefaultEgressFirewallRule(final List<FirewallRule> rules, final long networkId) {
    final NetworkVO network = _networkDao.findById(networkId);
    final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
    // getEgressDefaultPolicy() returns a Boolean; the if below auto-unboxes it, so a null value would throw a NullPointerException here.
    final Boolean defaultEgressPolicy = offering.getEgressDefaultPolicy();
    // The default on the router is set to Deny all. So, if the default configuration in the offering is set to true (Allow), we change the Egress here
    if (defaultEgressPolicy) {
        final List<String> sourceCidr = new ArrayList<>();
        sourceCidr.add(NetUtils.ALL_IP4_CIDRS);
        // Protocol "all" from 0.0.0.0/0, typed as a System rule so it can be told apart from user-created rules.
        final FirewallRule rule = new FirewallRuleVO(null, null, null, null, "all", networkId, network.getAccountId(), network.getDomainId(), Purpose.Firewall, sourceCidr, null, null, null, FirewallRule.TrafficType.Egress, FirewallRule.FirewallRuleType.System);
        rules.add(rule);
    } else {
        s_logger.debug("Egress policy for the Network " + networkId + " is already defined as Deny. So, no need to default the rule to Allow. ");
    }
}
Also used : NetworkVO(com.cloud.network.dao.NetworkVO) ArrayList(java.util.ArrayList) NetworkOfferingVO(com.cloud.offerings.NetworkOfferingVO) FirewallRule(com.cloud.legacymodel.network.FirewallRule) FirewallRuleVO(com.cloud.network.rules.FirewallRuleVO)

Example 14 with FirewallRule

use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.

the class VirtualNetworkApplianceManagerImpl method finalizeNetworkRulesForNetwork.

protected void finalizeNetworkRulesForNetwork(final Commands cmds, final DomainRouterVO router, final Provider provider, final Long guestNetworkId) {
    s_logger.debug("Resending ipAssoc, port forwarding, load balancing rules as a part of Virtual router start");
    final ArrayList<? extends PublicIpAddress> publicIps = getPublicIpsToApply(router, provider, guestNetworkId);
    final List<FirewallRule> firewallRulesEgress = new ArrayList<>();
    // Fetch firewall Egress rules.
    if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall, provider)) {
        firewallRulesEgress.addAll(_rulesDao.listByNetworkPurposeTrafficType(guestNetworkId, Purpose.Firewall, FirewallRule.TrafficType.Egress));
        if (firewallRulesEgress.isEmpty()) {
            // create egress default rule for VR: the System allow-all rule is generated only when the network has no egress rules of its own
            createDefaultEgressFirewallRule(firewallRulesEgress, guestNetworkId);
        }
    }
    // Re-apply firewall Egress rules
    s_logger.debug("Found " + firewallRulesEgress.size() + " firewall Egress rule(s) to apply as a part of domR " + router + " start.");
    if (!firewallRulesEgress.isEmpty()) {
        _commandSetupHelper.createFirewallRulesCommands(firewallRulesEgress, router, cmds, guestNetworkId);
    }
    if (publicIps != null && !publicIps.isEmpty()) {
        final List<PortForwardingRule> pfRules = new ArrayList<>();
        final List<FirewallRule> staticNatFirewallRules = new ArrayList<>();
        final List<StaticNat> staticNats = new ArrayList<>();
        final List<FirewallRule> firewallRulesIngress = new ArrayList<>();
        // StaticNatRules; PFVPN to reapply on domR start)
        for (final PublicIpAddress ip : publicIps) {
            if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.PortForwarding, provider)) {
                pfRules.addAll(_pfRulesDao.listForApplication(ip.getId()));
            }
            if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.StaticNat, provider)) {
                staticNatFirewallRules.addAll(_rulesDao.listByIpAndPurpose(ip.getId(), Purpose.StaticNat));
            }
            if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall, provider)) {
                firewallRulesIngress.addAll(_rulesDao.listByIpAndPurpose(ip.getId(), Purpose.Firewall));
            }
            if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.StaticNat, provider)) {
                if (ip.isOneToOneNat()) {
                    final StaticNatImpl staticNat = new StaticNatImpl(ip.getAccountId(), ip.getDomainId(), guestNetworkId, ip.getId(), ip.getVmIp(), false);
                    staticNats.add(staticNat);
                }
            }
        }
        // Re-apply static nats
        s_logger.debug("Found " + staticNats.size() + " static nat(s) to apply as a part of domR " + router + " start.");
        if (!staticNats.isEmpty()) {
            _commandSetupHelper.createApplyStaticNatCommands(staticNats, router, cmds);
        }
        // Re-apply firewall Ingress rules
        s_logger.debug("Found " + firewallRulesIngress.size() + " firewall Ingress rule(s) to apply as a part of domR " + router + " start.");
        if (!firewallRulesIngress.isEmpty()) {
            _commandSetupHelper.createFirewallRulesCommands(firewallRulesIngress, router, cmds, guestNetworkId);
        }
        // Re-apply port forwarding rules
        s_logger.debug("Found " + pfRules.size() + " port forwarding rule(s) to apply as a part of domR " + router + " start.");
        if (!pfRules.isEmpty()) {
            _commandSetupHelper.createApplyPortForwardingRulesCommands(pfRules, router, cmds, guestNetworkId);
        }
        // Re-apply static nat rules
        s_logger.debug("Found " + staticNatFirewallRules.size() + " static nat rule(s) to apply as a part of domR " + router + " start.");
        if (!staticNatFirewallRules.isEmpty()) {
            final List<StaticNatRule> staticNatRules = new ArrayList<>();
            for (final FirewallRule rule : staticNatFirewallRules) {
                staticNatRules.add(_rulesMgr.buildStaticNatRule(rule, false));
            }
            _commandSetupHelper.createApplyStaticNatRulesCommands(staticNatRules, router, cmds, guestNetworkId);
        }
        final List<LoadBalancerVO> lbs = _loadBalancerDao.listByNetworkIdAndScheme(guestNetworkId, Scheme.Public);
        final List<LoadBalancingRule> lbRules = new ArrayList<>();
        if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.Lb, provider)) {
            // Re-apply load balancing rules
            for (final LoadBalancerVO lb : lbs) {
                final List<LbDestination> dstList = _lbMgr.getExistingDestinations(lb.getId());
                final List<LbStickinessPolicy> policyList = _lbMgr.getStickinessPolicies(lb.getId());
                final List<LbHealthCheckPolicy> hcPolicyList = _lbMgr.getHealthCheckPolicies(lb.getId());
                final Ip sourceIp = _networkModel.getPublicIpAddress(lb.getSourceIpAddressId()).getAddress();
                final LbSslCert sslCert = _lbMgr.getLbSslCert(lb.getId());
                final LoadBalancingRule loadBalancing = new LoadBalancingRule(lb, dstList, policyList, hcPolicyList, sourceIp, sslCert, lb.getLbProtocol());
                lbRules.add(loadBalancing);
            }
        }
        s_logger.debug("Found " + lbRules.size() + " load balancing rule(s) to apply as a part of domR " + router + " start.");
        if (!lbRules.isEmpty()) {
            _commandSetupHelper.createApplyLoadBalancingRulesCommands(lbRules, router, cmds, guestNetworkId);
        }
    }
}
Also used : LbSslCert(com.cloud.legacymodel.network.LoadBalancingRule.LbSslCert) LoadBalancingRule(com.cloud.legacymodel.network.LoadBalancingRule) Ip(com.cloud.legacymodel.network.Ip) PublicIp(com.cloud.network.addr.PublicIp) ArrayList(java.util.ArrayList) LoadBalancerVO(com.cloud.network.dao.LoadBalancerVO) LbStickinessPolicy(com.cloud.legacymodel.network.LoadBalancingRule.LbStickinessPolicy) StaticNatRule(com.cloud.legacymodel.network.StaticNatRule) PortForwardingRule(com.cloud.legacymodel.network.PortForwardingRule) StaticNat(com.cloud.network.rules.StaticNat) LbDestination(com.cloud.legacymodel.network.LoadBalancingRule.LbDestination) PublicIpAddress(com.cloud.network.PublicIpAddress) StaticNatImpl(com.cloud.network.rules.StaticNatImpl) LbHealthCheckPolicy(com.cloud.legacymodel.network.LoadBalancingRule.LbHealthCheckPolicy) FirewallRule(com.cloud.legacymodel.network.FirewallRule)
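The two snippets above decide what egress policy the virtual router ends up with on start: createDefaultEgressFirewallRule only ever adds a System allow-all rule, and finalizeNetworkRulesForNetwork only calls it when the network has no egress rules of its own. The following Python model is an added example, not code from cosmic; EgressRule is a hypothetical stand-in for the FirewallRule fields the snippets use, and egress_permitted is a simplified matcher that assumes the router denies egress unless an applied rule matches (the page only states that the router defaults to deny-all).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ALL_IP4_CIDRS = "0.0.0.0/0"  # NetUtils.ALL_IP4_CIDRS
ALL_PROTO = "all"            # NetUtils.ALL_PROTO


@dataclass
class EgressRule:
    """Hypothetical stand-in for the FirewallRule fields the snippets use."""
    protocol: str                      # "all", "tcp", "udp", ...
    source_cidrs: List[str]            # guest-side CIDRs the rule applies to
    start_port: Optional[int] = None
    end_port: Optional[int] = None
    rule_type: str = "User"            # FirewallRuleType.User or System


def default_egress_rules(egress_default_policy: Optional[bool]) -> List[EgressRule]:
    """Mirror of createDefaultEgressFirewallRule.

    The router starts from deny-all on egress, so an offering whose
    egressDefaultPolicy is true needs an explicit System allow-all rule;
    a false policy needs nothing extra.
    """
    if egress_default_policy is None:
        # The Java code auto-unboxes a Boolean here; a null would raise NPE.
        raise ValueError("network offering has no egress default policy")
    if egress_default_policy:
        return [EgressRule(ALL_PROTO, [ALL_IP4_CIDRS], rule_type="System")]
    return []


def egress_rules_to_apply(user_rules: List[EgressRule],
                          egress_default_policy: Optional[bool],
                          firewall_supported: bool = True) -> List[EgressRule]:
    """Mirror of the egress branch of finalizeNetworkRulesForNetwork:
    the System rule is generated only when the network has no egress rules."""
    if not firewall_supported:
        return []
    rules = list(user_rules)
    if not rules:
        rules = default_egress_rules(egress_default_policy)
    return rules


def egress_permitted(rules: List[EgressRule], src_ip: str,
                     protocol: str, port: Optional[int] = None) -> bool:
    """Simplified router model (assumption, not from the page): egress is
    denied unless some applied rule matches protocol, port range and source."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.protocol != ALL_PROTO and rule.protocol != protocol:
            continue
        if rule.start_port is not None and rule.end_port is not None:
            if port is None or not rule.start_port <= port <= rule.end_port:
                continue
        for cidr in rule.source_cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip.version == net.version and ip in net:
                return True
    return False


if __name__ == "__main__":
    # Constructed scenario: allow-by-default offering, then one user rule added.
    web_only = [EgressRule("tcp", ["10.1.1.0/24"], 443, 443)]
    print(egress_permitted(egress_rules_to_apply([], True), "10.1.1.5", "udp", 53))       # True
    print(egress_permitted(egress_rules_to_apply(web_only, True), "10.1.1.5", "udp", 53))  # False
```

The point the model makes explicit: on an allow-by-default offering, DNS egress is permitted while the rule list is empty, but as soon as one user egress rule exists this code path no longer generates the System allow-all rule, so anything the user rule does not cover falls back to the router's deny-all default.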

Example 15 with FirewallRule

use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.

the class CreateEgressFirewallRuleCmd method create.

@Override
public void create() {
    if (getSourceCidrList() != null) {
        final String guestCidr = _networkService.getNetwork(getNetworkId()).getCidr();
        for (final String cidr : getSourceCidrList()) {
            // Each entry must parse as an IPv4 or IPv6 CIDR
            if (!NetUtils.isValidIp4Cidr(cidr) && !NetUtils.isValidIp6Cidr(cidr)) {
                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Source cidrs formatting error " + cidr);
            }
            // 0.0.0.0/0 is accepted as-is and skips the containment check below
            if (cidr.equals(NetUtils.ALL_IP4_CIDRS)) {
                continue;
            }
            // Egress source CIDRs must lie inside the guest network's own CIDR
            if (!NetUtils.isNetworkAWithinNetworkB(cidr, guestCidr)) {
                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, cidr + " is not within the guest cidr " + guestCidr);
            }
        }
    }
    if (getProtocol().equalsIgnoreCase(NetUtils.ALL_PROTO)) {
        // Note the &&: a request with protocol ALL and only one of the two ports set passes this check
        if (getSourcePortStart() != null && getSourcePortEnd() != null) {
            throw new InvalidParameterValueException("Do not pass ports to protocol ALL, protocol ALL do not require ports. Unable to create " + "firewall rule for the network id=" + networkId);
        }
    }
    // Egress firewall rules can only be created on non-VPC networks
    if (getVpcId() != null) {
        throw new InvalidParameterValueException("Unable to create firewall rule for the network id=" + networkId + " as firewall egress rule can be created only for non vpc networks.");
    }
    try {
        final FirewallRule result = _firewallService.createEgressFirewallRule(this);
        if (result != null) {
            setEntityId(result.getId());
            setEntityUuid(result.getUuid());
        }
    } catch (final NetworkRuleConflictException ex) {
        s_logger.info("Network rule conflict: " + ex.getMessage());
        s_logger.trace("Network Rule Conflict: ", ex);
        throw new ServerApiException(ApiErrorCode.NETWORK_RULE_CONFLICT_ERROR, ex.getMessage());
    }
}
Also used : ServerApiException(com.cloud.api.ServerApiException) InvalidParameterValueException(com.cloud.legacymodel.exceptions.InvalidParameterValueException) FirewallRule(com.cloud.legacymodel.network.FirewallRule) NetworkRuleConflictException(com.cloud.legacymodel.exceptions.NetworkRuleConflictException)
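The validation in create() above is the only thing standing between an API caller and an egress rule whose source CIDR reaches outside the guest network. The following Python function is an added example, not cosmic code: it reproduces the same sequence of checks with the standard ipaddress module standing in for NetUtils (isValidIp4Cidr/isValidIp6Cidr and isNetworkAWithinNetworkB are approximated, not called), returns the first rejection message instead of throwing, and keeps the && quirk of the protocol-ALL port check so the behaviour matches the page.

```python
import ipaddress
from typing import List, Optional

ALL_IP4_CIDRS = "0.0.0.0/0"  # NetUtils.ALL_IP4_CIDRS
ALL_PROTO = "all"            # NetUtils.ALL_PROTO


def _parse_cidr(cidr: str):
    """Stand-in for NetUtils.isValidIp4Cidr / isValidIp6Cidr (assumption):
    accept any string the ipaddress module parses as a v4 or v6 network."""
    try:
        return ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return None


def egress_rule_error(source_cidrs: Optional[List[str]], guest_cidr: str,
                      protocol: str, start_port: Optional[int] = None,
                      end_port: Optional[int] = None,
                      vpc_id: Optional[int] = None) -> Optional[str]:
    """Return the first rejection message, or None when the request would
    pass the checks made by CreateEgressFirewallRuleCmd.create()."""
    guest = ipaddress.ip_network(guest_cidr, strict=False)
    for cidr in source_cidrs or []:
        net = _parse_cidr(cidr)
        if net is None:
            return f"Source cidrs formatting error {cidr}"
        if cidr == ALL_IP4_CIDRS:
            continue  # the any-address CIDR bypasses the containment check
        # subnet_of() raises on mixed address families, so compare versions first
        if net.version != guest.version or not net.subnet_of(guest):
            return f"{cidr} is not within the guest cidr {guest_cidr}"
    # Same 'and' as the Java code: protocol ALL with only one port set is not rejected
    if protocol.lower() == ALL_PROTO and start_port is not None and end_port is not None:
        return "Do not pass ports to protocol ALL, protocol ALL do not require ports"
    if vpc_id is not None:
        return "firewall egress rule can be created only for non vpc networks"
    return None


if __name__ == "__main__":
    # Constructed requests against a guest network of 10.1.1.0/24
    print(egress_rule_error(["10.1.1.0/25"], "10.1.1.0/24", "tcp", 443, 443))  # None
    print(egress_rule_error(["10.1.2.0/24"], "10.1.1.0/24", "tcp"))            # rejected
```

Two behaviours worth knowing when reviewing rules created through this API: a literal 0.0.0.0/0 is never checked against the guest CIDR, and a protocol ALL rule with a single port parameter is accepted rather than rejected.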

Aggregations

FirewallRule (com.cloud.legacymodel.network.FirewallRule) 23
ArrayList (java.util.ArrayList) 14
FirewallResponse (com.cloud.api.response.FirewallResponse) 7
FirewallRuleVO (com.cloud.network.rules.FirewallRuleVO) 7
ServerApiException (com.cloud.api.ServerApiException) 5
NetworkRuleConflictException (com.cloud.legacymodel.exceptions.NetworkRuleConflictException) 4
StaticNatRule (com.cloud.legacymodel.network.StaticNatRule) 4
IpAddress (com.cloud.network.IpAddress) 4
List (java.util.List) 4
ListResponse (com.cloud.api.response.ListResponse) 3
ActionEvent (com.cloud.event.ActionEvent) 3
InvalidParameterValueException (com.cloud.legacymodel.exceptions.InvalidParameterValueException) 3
PublicIpAddress (com.cloud.network.PublicIpAddress) 3
NetworkVO (com.cloud.network.dao.NetworkVO) 3
NetworkOfferingVO (com.cloud.offerings.NetworkOfferingVO) 3
IpForwardingRuleResponse (com.cloud.api.response.IpForwardingRuleResponse) 2
CallContext (com.cloud.context.CallContext) 2
Zone (com.cloud.db.model.Zone) 2
SetFirewallRulesCommand (com.cloud.legacymodel.communication.command.SetFirewallRulesCommand) 2
ResourceUnavailableException (com.cloud.legacymodel.exceptions.ResourceUnavailableException) 2