use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.
the class UpdateFirewallRuleCmd method execute.
@Override
public void execute() throws ResourceUnavailableException {
    // Record the rule being touched so the audit/event trail carries the target id.
    CallContext.current().setEventDetails("Rule ID: " + id);

    final FirewallRule updated = _firewallService.updateIngressFirewallRule(id, this.getCustomId(), getDisplay());

    // NOTE(review): when the service returns null no response object is attached at all,
    // so the caller receives an empty result rather than an explicit error — same as before.
    if (updated == null) {
        return;
    }

    final FirewallResponse body = _responseGenerator.createFirewallResponse(updated);
    body.setResponseName(getCommandName());
    setResponseObject(body);
}
use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.
the class ApiResponseHelper method createFirewallResponse.
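/**
 * Builds the API view of a firewall rule: ports, protocol, source CIDRs, the bound public IP
 * (ingress rules only), owning network, ICMP fields, display flag, tags and a user-facing state.
 *
 * @param fwRule the rule to render; must not be {@code null}
 * @return a populated {@link FirewallResponse} with object name {@code "firewallrule"}
 */
@Override
public FirewallResponse createFirewallResponse(final FirewallRule fwRule) {
    final FirewallResponse response = new FirewallResponse();
    response.setId(fwRule.getUuid());
    response.setProtocol(fwRule.getProtocol());
    if (fwRule.getSourcePortStart() != null) {
        response.setStartPort(fwRule.getSourcePortStart());
    }
    if (fwRule.getSourcePortEnd() != null) {
        response.setEndPort(fwRule.getSourcePortEnd());
    }

    final List<String> cidrs = ApiDBUtils.findFirewallSourceCidrs(fwRule.getId());
    response.setCidrList(StringUtils.join(cidrs, ","));

    // Only ingress rules are bound to a public IP; egress rules carry no source IP id.
    if (fwRule.getTrafficType() == FirewallRule.TrafficType.Ingress) {
        final IpAddress ip = ApiDBUtils.findIpAddressById(fwRule.getSourceIpAddressId());
        // A dangling source-IP reference previously turned the whole list call into a
        // NullPointerException; render the rule without the IP fields instead.
        if (ip != null) {
            response.setPublicIpAddressId(ip.getUuid());
            response.setPublicIpAddress(ip.getAddress().addr());
        }
    }

    // Same defensive treatment for the owning network lookup.
    final Network network = ApiDBUtils.findNetworkById(fwRule.getNetworkId());
    if (network != null) {
        response.setNetworkId(network.getUuid());
    }

    // Enum constants are singletons, so identity comparison is the idiomatic (and null-safe) check.
    // A rule in Revoke state is reported as "Deleting"; every other state is reported verbatim.
    final FirewallRule.State state = fwRule.getState();
    final String stateToSet = state == FirewallRule.State.Revoke ? "Deleting" : state.toString();

    response.setIcmpCode(fwRule.getIcmpCode());
    response.setIcmpType(fwRule.getIcmpType());
    response.setForDisplay(fwRule.isDisplay());

    // Tag information; createResourceTagResponse may return null for tags that must not be shown.
    final List<? extends ResourceTag> tags = ApiDBUtils.listByResourceTypeAndId(ResourceObjectType.FirewallRule, fwRule.getId());
    final List<ResourceTagResponse> tagResponses = new ArrayList<>(tags.size());
    for (final ResourceTag tag : tags) {
        final ResourceTagResponse tagResponse = createResourceTagResponse(tag, true);
        if (tagResponse != null) {
            tagResponses.add(tagResponse);
        }
    }
    response.setTags(tagResponses);

    response.setState(stateToSet);
    response.setObjectName("firewallrule");
    return response;
}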
use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.
the class VirtualNetworkApplianceManagerImpl method createDefaultEgressFirewallRule.
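/**
 * Appends the implicit "allow all egress" system rule to {@code rules} when the network offering's
 * default egress policy is Allow. The router itself defaults to Deny, so a Deny offering needs no rule.
 *
 * @param rules     the list the default rule is added to (mutated in place)
 * @param networkId id of the guest network whose offering decides the policy
 */
private void createDefaultEgressFirewallRule(final List<FirewallRule> rules, final long networkId) {
    final NetworkVO network = _networkDao.findById(networkId);
    if (network == null) {
        // Without the network we cannot resolve the offering; leaving no rule keeps the router at Deny.
        s_logger.warn("Network " + networkId + " not found; leaving the router egress policy at its default (Deny).");
        return;
    }
    final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());

    // Unboxing a null Boolean would throw. An unset (or missing) offering policy is treated as Deny,
    // which matches the router's built-in default and therefore needs no rule.
    final boolean allowEgressByDefault = offering != null && Boolean.TRUE.equals(offering.getEgressDefaultPolicy());

    // The default on the router is set to Deny all. So, if the default configuration in the offering
    // is set to true (Allow), we change the Egress here.
    if (allowEgressByDefault) {
        final List<String> sourceCidr = new ArrayList<>();
        sourceCidr.add(NetUtils.ALL_IP4_CIDRS);
        // Protocol "all", no ports, from every guest address: this is the permissive system rule.
        final FirewallRule rule = new FirewallRuleVO(null, null, null, null, "all", networkId, network.getAccountId(), network.getDomainId(), Purpose.Firewall, sourceCidr, null, null, null, FirewallRule.TrafficType.Egress, FirewallRule.FirewallRuleType.System);
        rules.add(rule);
    } else {
        s_logger.debug("Egress policy for the Network " + networkId + " is already defined as Deny. So, no need to default the rule to Allow. ");
    }
}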
use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.
the class VirtualNetworkApplianceManagerImpl method finalizeNetworkRulesForNetwork.
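/**
 * Re-queues, on router start, every network rule that should already be present on the router:
 * egress firewall rules (or the offering's default), static NATs, ingress firewall rules, port
 * forwarding rules, static NAT rules and public load balancing rules.
 *
 * @param cmds           command batch the re-apply commands are appended to
 * @param router         the virtual router being started
 * @param provider       the provider implementing the services in this network
 * @param guestNetworkId the guest network whose rules are re-applied
 */
protected void finalizeNetworkRulesForNetwork(final Commands cmds, final DomainRouterVO router, final Provider provider, final Long guestNetworkId) {
    s_logger.debug("Resending ipAssoc, port forwarding, load balancing rules as a part of Virtual router start");

    final ArrayList<? extends PublicIpAddress> publicIps = getPublicIpsToApply(router, provider, guestNetworkId);

    // Whether the provider implements a service in this network does not vary per IP, so resolve
    // each answer once instead of repeating the network-model query inside the per-IP loop.
    final boolean firewallSupported = _networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall, provider);
    final boolean portForwardingSupported = _networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.PortForwarding, provider);
    final boolean staticNatSupported = _networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.StaticNat, provider);
    final boolean lbSupported = _networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.Lb, provider);

    // Fetch firewall Egress rules.
    final List<FirewallRule> firewallRulesEgress = new ArrayList<>();
    if (firewallSupported) {
        firewallRulesEgress.addAll(_rulesDao.listByNetworkPurposeTrafficType(guestNetworkId, Purpose.Firewall, FirewallRule.TrafficType.Egress));
        if (firewallRulesEgress.isEmpty()) {
            // No explicit egress rules: fall back to the offering's default egress policy for the VR.
            createDefaultEgressFirewallRule(firewallRulesEgress, guestNetworkId);
        }
    }

    // Re-apply firewall Egress rules
    s_logger.debug("Found " + firewallRulesEgress.size() + " firewall Egress rule(s) to apply as a part of domR " + router + " start.");
    if (!firewallRulesEgress.isEmpty()) {
        _commandSetupHelper.createFirewallRulesCommands(firewallRulesEgress, router, cmds, guestNetworkId);
    }

    // Everything below is keyed on public IPs; without any there is nothing further to re-apply.
    if (publicIps == null || publicIps.isEmpty()) {
        return;
    }

    final List<PortForwardingRule> pfRules = new ArrayList<>();
    final List<FirewallRule> staticNatFirewallRules = new ArrayList<>();
    final List<StaticNat> staticNats = new ArrayList<>();
    final List<FirewallRule> firewallRulesIngress = new ArrayList<>();

    // Collect StaticNatRules, PF and ingress firewall rules per public IP (all re-applied on domR start).
    for (final PublicIpAddress ip : publicIps) {
        if (portForwardingSupported) {
            pfRules.addAll(_pfRulesDao.listForApplication(ip.getId()));
        }
        if (staticNatSupported) {
            staticNatFirewallRules.addAll(_rulesDao.listByIpAndPurpose(ip.getId(), Purpose.StaticNat));
        }
        if (firewallSupported) {
            firewallRulesIngress.addAll(_rulesDao.listByIpAndPurpose(ip.getId(), Purpose.Firewall));
        }
        if (staticNatSupported && ip.isOneToOneNat()) {
            staticNats.add(new StaticNatImpl(ip.getAccountId(), ip.getDomainId(), guestNetworkId, ip.getId(), ip.getVmIp(), false));
        }
    }

    // Re-apply static nats
    s_logger.debug("Found " + staticNats.size() + " static nat(s) to apply as a part of domR " + router + " start.");
    if (!staticNats.isEmpty()) {
        _commandSetupHelper.createApplyStaticNatCommands(staticNats, router, cmds);
    }

    // Re-apply firewall Ingress rules
    s_logger.debug("Found " + firewallRulesIngress.size() + " firewall Ingress rule(s) to apply as a part of domR " + router + " start.");
    if (!firewallRulesIngress.isEmpty()) {
        _commandSetupHelper.createFirewallRulesCommands(firewallRulesIngress, router, cmds, guestNetworkId);
    }

    // Re-apply port forwarding rules
    s_logger.debug("Found " + pfRules.size() + " port forwarding rule(s) to apply as a part of domR " + router + " start.");
    if (!pfRules.isEmpty()) {
        _commandSetupHelper.createApplyPortForwardingRulesCommands(pfRules, router, cmds, guestNetworkId);
    }

    // Re-apply static nat rules
    s_logger.debug("Found " + staticNatFirewallRules.size() + " static nat rule(s) to apply as a part of domR " + router + " start.");
    if (!staticNatFirewallRules.isEmpty()) {
        final List<StaticNatRule> staticNatRules = new ArrayList<>(staticNatFirewallRules.size());
        for (final FirewallRule rule : staticNatFirewallRules) {
            staticNatRules.add(_rulesMgr.buildStaticNatRule(rule, false));
        }
        _commandSetupHelper.createApplyStaticNatRulesCommands(staticNatRules, router, cmds, guestNetworkId);
    }

    // Re-apply load balancing rules; only query the load balancers when the provider can apply them.
    final List<LoadBalancingRule> lbRules = new ArrayList<>();
    if (lbSupported) {
        final List<LoadBalancerVO> lbs = _loadBalancerDao.listByNetworkIdAndScheme(guestNetworkId, Scheme.Public);
        for (final LoadBalancerVO lb : lbs) {
            final List<LbDestination> dstList = _lbMgr.getExistingDestinations(lb.getId());
            final List<LbStickinessPolicy> policyList = _lbMgr.getStickinessPolicies(lb.getId());
            final List<LbHealthCheckPolicy> hcPolicyList = _lbMgr.getHealthCheckPolicies(lb.getId());
            // NOTE(review): getPublicIpAddress is dereferenced unguarded; a load balancer whose source
            // IP cannot be resolved aborts the whole router start here, as it did before.
            final Ip sourceIp = _networkModel.getPublicIpAddress(lb.getSourceIpAddressId()).getAddress();
            final LbSslCert sslCert = _lbMgr.getLbSslCert(lb.getId());
            lbRules.add(new LoadBalancingRule(lb, dstList, policyList, hcPolicyList, sourceIp, sslCert, lb.getLbProtocol()));
        }
    }
    s_logger.debug("Found " + lbRules.size() + " load balancing rule(s) to apply as a part of domR " + router + " start.");
    if (!lbRules.isEmpty()) {
        _commandSetupHelper.createApplyLoadBalancingRulesCommands(lbRules, router, cmds, guestNetworkId);
    }
}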
use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.
the class CreateEgressFirewallRuleCmd method create.
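/**
 * Validates the egress rule parameters and asks the firewall service to persist the rule.
 * Validation: every source CIDR must be well-formed and (unless it is the all-IPv4 CIDR) lie within
 * the guest CIDR; protocol ALL must not carry ports; egress rules are not allowed on VPC networks.
 *
 * @throws ServerApiException             for malformed or out-of-range CIDRs, or a rule conflict
 * @throws InvalidParameterValueException for ports with protocol ALL or a VPC network
 */
@Override
public void create() {
    final List<String> sourceCidrs = getSourceCidrList();
    if (sourceCidrs != null) {
        final String guestCidr = _networkService.getNetwork(getNetworkId()).getCidr();
        for (final String cidr : sourceCidrs) {
            if (!NetUtils.isValidIp4Cidr(cidr) && !NetUtils.isValidIp6Cidr(cidr)) {
                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Source cidrs formatting error " + cidr);
            }
            // The all-IPv4 wildcard is the one source that is deliberately allowed to exceed the guest CIDR.
            if (cidr.equals(NetUtils.ALL_IP4_CIDRS)) {
                continue;
            }
            if (!NetUtils.isNetworkAWithinNetworkB(cidr, guestCidr)) {
                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, cidr + " is not within the guest cidr " + guestCidr);
            }
        }
    }

    // Constant-first comparison is null-safe should the protocol parameter be absent.
    // Either port is enough to reject: the original required both, which let a lone start or end
    // port slip through despite the message saying ports must not be passed at all.
    if (NetUtils.ALL_PROTO.equalsIgnoreCase(getProtocol()) && (getSourcePortStart() != null || getSourcePortEnd() != null)) {
        throw new InvalidParameterValueException("Do not pass ports to protocol ALL, protocol ALL do not require ports. Unable to create " + "firewall rule for the network id=" + networkId);
    }

    if (getVpcId() != null) {
        throw new InvalidParameterValueException("Unable to create firewall rule for the network id=" + networkId + " as firewall egress rule can be created only for non vpc networks.");
    }

    try {
        final FirewallRule result = _firewallService.createEgressFirewallRule(this);
        if (result != null) {
            setEntityId(result.getId());
            setEntityUuid(result.getUuid());
        }
    } catch (final NetworkRuleConflictException ex) {
        // Full stack only at trace level; the conflict itself is an expected, user-facing outcome.
        s_logger.info("Network rule conflict: " + ex.getMessage());
        s_logger.trace("Network Rule Conflict: ", ex);
        throw new ServerApiException(ApiErrorCode.NETWORK_RULE_CONFLICT_ERROR, ex.getMessage());
    }
}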