
Example 16 with FirewallRule

use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.

From class CommandSetupHelper, method createApplyFirewallRulesCommands:

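/**
 * Builds a {@link SetFirewallRulesCommand} for {@code rules} and appends it to {@code cmds}.
 *
 * Ingress rules are transferred with the public IP they are bound to; egress rules carry the
 * network offering's default egress policy instead. The {@code FIREWALL_EGRESS_DEFAULT} access
 * detail tells the router what to do with outbound traffic that matches no rule (this is the
 * fail-open / fail-closed switch for egress): when the batch starts with a system egress rule the
 * literal "System" is sent, otherwise the offering's default policy. Only the first rule in the
 * batch is inspected for that decision, so callers must pass a batch whose first rule is
 * representative.
 *
 * The network offering lookup depends only on {@code guestNetworkId}, so it is resolved once, on
 * the first egress rule, instead of once per egress rule.
 *
 * @param rules          firewall rules to push; {@code null} or empty yields a command with no rules
 * @param router         virtual router that will receive the command
 * @param cmds           command batch the new command is appended to
 * @param guestNetworkId guest network whose offering supplies the default egress policy
 * @throws IllegalStateException if the router's zone cannot be found
 */
public void createApplyFirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) {
    final List<FirewallRuleTO> rulesTO = new ArrayList<>();
    String systemRule = null;
    Boolean defaultEgressPolicy = false;
    if (rules != null) {
        // Only the first rule decides whether this is a "system" egress batch.
        if (!rules.isEmpty()) {
            final FirewallRule first = rules.get(0);
            if (first.getTrafficType() == FirewallRule.TrafficType.Egress && first.getType() == FirewallRule.FirewallRuleType.System) {
                systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
            }
        }
        // Resolved lazily on the first egress rule; a batch without egress rules never hits the DB for it.
        NetworkOfferingVO offering = null;
        for (final FirewallRule rule : rules) {
            // NOTE(review): assumes every rule in the batch is a FirewallRuleVO (the cast is unchanged from the original).
            _rulesDao.loadSourceCidrs((FirewallRuleVO) rule);
            final FirewallRule.TrafficType traffictype = rule.getTrafficType();
            if (traffictype == FirewallRule.TrafficType.Ingress) {
                // NOTE(review): getIp() is assumed to return a non-null address for an ingress rule — verify against the model.
                final IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
                rulesTO.add(new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(), Purpose.Firewall, traffictype));
            } else if (traffictype == FirewallRule.TrafficType.Egress) {
                if (offering == null) {
                    final NetworkVO network = _networkDao.findById(guestNetworkId);
                    offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
                }
                defaultEgressPolicy = offering.getEgressDefaultPolicy();
                // Assertions are disabled on a production JVM: this is a developer check, not input validation.
                assert rule.getSourceIpAddressId() == null : "ipAddressId should be null for egress firewall rule. ";
                rulesTO.add(new FirewallRuleTO(rule, null, "", Purpose.Firewall, traffictype, defaultEgressPolicy));
            }
            // Any other traffic type is silently dropped from the command (unchanged behaviour).
        }
    }
    final SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
    cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId()));
    cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());
    // Fail with a descriptive error rather than a NullPointerException on a missing zone.
    final Zone zone = zoneRepository.findById(router.getDataCenterId())
            .orElseThrow(() -> new IllegalStateException("Zone id=" + router.getDataCenterId() + " for router " + router.getInstanceName() + " not found"));
    cmd.setAccessDetail(NetworkElementCommand.ZONE_NETWORK_TYPE, zone.getNetworkType().toString());
    if (systemRule != null) {
        cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, systemRule);
    } else {
        cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, String.valueOf(defaultEgressPolicy));
    }
    cmds.addCommand(cmd);
}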
Also used : NetworkVO(com.cloud.network.dao.NetworkVO) Zone(com.cloud.db.model.Zone) ArrayList(java.util.ArrayList) NetworkOfferingVO(com.cloud.offerings.NetworkOfferingVO) IpAddress(com.cloud.network.IpAddress) PublicIpAddress(com.cloud.network.PublicIpAddress) FirewallRuleTO(com.cloud.legacymodel.to.FirewallRuleTO) FirewallRule(com.cloud.legacymodel.network.FirewallRule) SetFirewallRulesCommand(com.cloud.legacymodel.communication.command.SetFirewallRulesCommand)

Example 17 with FirewallRule

use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.

From class CommandSetupHelper, method createFirewallRulesCommands:

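/**
 * Builds a {@link SetFirewallRulesCommand} for {@code rules} and appends it to {@code cmds}.
 *
 * This method is line-for-line the same as {@code createApplyFirewallRulesCommands}; it is kept
 * for callers that use this name and should eventually delegate to a single implementation.
 *
 * Ingress rules are transferred with the public IP they are bound to; egress rules carry the
 * network offering's default egress policy instead. The {@code FIREWALL_EGRESS_DEFAULT} access
 * detail tells the router what to do with outbound traffic that matches no rule (this is the
 * fail-open / fail-closed switch for egress): when the batch starts with a system egress rule the
 * literal "System" is sent, otherwise the offering's default policy. Only the first rule in the
 * batch is inspected for that decision, so callers must pass a batch whose first rule is
 * representative.
 *
 * The network offering lookup depends only on {@code guestNetworkId}, so it is resolved once, on
 * the first egress rule, instead of once per egress rule.
 *
 * @param rules          firewall rules to push; {@code null} or empty yields a command with no rules
 * @param router         virtual router that will receive the command
 * @param cmds           command batch the new command is appended to
 * @param guestNetworkId guest network whose offering supplies the default egress policy
 * @throws IllegalStateException if the router's zone cannot be found
 */
public void createFirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) {
    final List<FirewallRuleTO> rulesTO = new ArrayList<>();
    String systemRule = null;
    Boolean defaultEgressPolicy = false;
    if (rules != null) {
        // Only the first rule decides whether this is a "system" egress batch.
        if (!rules.isEmpty()) {
            final FirewallRule first = rules.get(0);
            if (first.getTrafficType() == FirewallRule.TrafficType.Egress && first.getType() == FirewallRule.FirewallRuleType.System) {
                systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
            }
        }
        // Resolved lazily on the first egress rule; a batch without egress rules never hits the DB for it.
        NetworkOfferingVO offering = null;
        for (final FirewallRule rule : rules) {
            // NOTE(review): assumes every rule in the batch is a FirewallRuleVO (the cast is unchanged from the original).
            _rulesDao.loadSourceCidrs((FirewallRuleVO) rule);
            final FirewallRule.TrafficType traffictype = rule.getTrafficType();
            if (traffictype == FirewallRule.TrafficType.Ingress) {
                // NOTE(review): getIp() is assumed to return a non-null address for an ingress rule — verify against the model.
                final IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
                rulesTO.add(new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(), Purpose.Firewall, traffictype));
            } else if (traffictype == FirewallRule.TrafficType.Egress) {
                if (offering == null) {
                    final NetworkVO network = _networkDao.findById(guestNetworkId);
                    offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
                }
                defaultEgressPolicy = offering.getEgressDefaultPolicy();
                // Assertions are disabled on a production JVM: this is a developer check, not input validation.
                assert rule.getSourceIpAddressId() == null : "ipAddressId should be null for egress firewall rule. ";
                rulesTO.add(new FirewallRuleTO(rule, null, "", Purpose.Firewall, traffictype, defaultEgressPolicy));
            }
            // Any other traffic type is silently dropped from the command (unchanged behaviour).
        }
    }
    final SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
    cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId()));
    cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());
    // Fail with a descriptive error rather than a NullPointerException on a missing zone.
    final Zone zone = zoneRepository.findById(router.getDataCenterId())
            .orElseThrow(() -> new IllegalStateException("Zone id=" + router.getDataCenterId() + " for router " + router.getInstanceName() + " not found"));
    cmd.setAccessDetail(NetworkElementCommand.ZONE_NETWORK_TYPE, zone.getNetworkType().toString());
    if (systemRule != null) {
        cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, systemRule);
    } else {
        cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, String.valueOf(defaultEgressPolicy));
    }
    cmds.addCommand(cmd);
}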
Also used : NetworkVO(com.cloud.network.dao.NetworkVO) Zone(com.cloud.db.model.Zone) ArrayList(java.util.ArrayList) NetworkOfferingVO(com.cloud.offerings.NetworkOfferingVO) IpAddress(com.cloud.network.IpAddress) PublicIpAddress(com.cloud.network.PublicIpAddress) FirewallRuleTO(com.cloud.legacymodel.to.FirewallRuleTO) FirewallRule(com.cloud.legacymodel.network.FirewallRule) SetFirewallRulesCommand(com.cloud.legacymodel.communication.command.SetFirewallRulesCommand)

Example 18 with FirewallRule

use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.

From class FirewallManagerTest, method testDetectRulesConflict:

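/**
 * Verifies that new TCP port-forwarding rules on ports 500, 1701 and 4500 do not conflict with
 * existing UDP VPN rules on the same ports and the same IP (id 3).
 *
 * The existing rules differ from the new ones in both protocol (UDP vs TCP) and purpose (Vpn vs
 * PortForwarding), so {@code detectRulesConflict} must accept all three; a thrown
 * {@link NetworkRuleConflictException} fails the test with the conflict message attached, so a
 * regression names the offending rule instead of failing silently.
 */
@Test
public void testDetectRulesConflict() {
    final List<FirewallRuleVO> ruleList = new ArrayList<>();
    final FirewallRuleVO rule1 = spy(new FirewallRuleVO("rule1", 3, 500, "UDP", 1, 2, 1, Purpose.Vpn, null, null, null, null));
    final FirewallRuleVO rule2 = spy(new FirewallRuleVO("rule2", 3, 1701, "UDP", 1, 2, 1, Purpose.Vpn, null, null, null, null));
    final FirewallRuleVO rule3 = spy(new FirewallRuleVO("rule3", 3, 4500, "UDP", 1, 2, 1, Purpose.Vpn, null, null, null, null));
    ruleList.add(rule1);
    ruleList.add(rule2);
    ruleList.add(rule3);
    final FirewallManagerImpl firewallMgr = (FirewallManagerImpl) _firewallMgr;
    // The DAO is stubbed to return the existing UDP rules for ip id 3 regardless of purpose.
    when(firewallMgr._firewallDao.listByIpAndPurposeAndNotRevoked(3, null)).thenReturn(ruleList);
    // Spied VOs need stable ids so the conflict check can tell the rules apart.
    when(rule1.getId()).thenReturn(1L);
    when(rule2.getId()).thenReturn(2L);
    when(rule3.getId()).thenReturn(3L);
    final FirewallRule newRule1 = new FirewallRuleVO("newRule1", 3, 500, "TCP", 1, 2, 1, Purpose.PortForwarding, null, null, null, null);
    final FirewallRule newRule2 = new FirewallRuleVO("newRule2", 3, 1701, "TCP", 1, 2, 1, Purpose.PortForwarding, null, null, null, null);
    final FirewallRule newRule3 = new FirewallRuleVO("newRule3", 3, 4500, "TCP", 1, 2, 1, Purpose.PortForwarding, null, null, null, null);
    try {
        firewallMgr.detectRulesConflict(newRule1);
        firewallMgr.detectRulesConflict(newRule2);
        firewallMgr.detectRulesConflict(newRule3);
    } catch (final NetworkRuleConflictException ex) {
        // Keep the conflict detail; a bare fail() hides which rule was rejected.
        Assert.fail("TCP port-forwarding rules must not conflict with UDP VPN rules on the same ports: " + ex.getMessage());
    }
}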
Also used : ArrayList(java.util.ArrayList) FirewallRule(com.cloud.legacymodel.network.FirewallRule) NetworkRuleConflictException(com.cloud.legacymodel.exceptions.NetworkRuleConflictException) FirewallRuleVO(com.cloud.network.rules.FirewallRuleVO) Test(org.junit.Test)

Example 19 with FirewallRule

use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.

From class RulesManagerImpl, method applyStaticNatRulesForIp:

/**
 * Applies (or revokes) every static NAT rule bound to the given public IP.
 *
 * The access check runs only when {@code caller} is non-null: a {@code null} caller bypasses
 * authorization entirely and is therefore only appropriate for trusted, system-initiated paths —
 * never pass {@code null} on behalf of an API request.
 *
 * @param sourceIpId      id of the public IP whose static NAT rules are applied
 * @param continueOnError whether the firewall manager should keep going after a failed rule
 * @param caller          account to authorize against the rules, or {@code null} to skip the check
 * @param forRevoke       {@code true} to build the rules in revoke form
 * @return {@code true} when there was nothing to do or all rules were applied; {@code false} if
 *         the firewall manager reported a partial failure or the resource was unavailable
 */
protected boolean applyStaticNatRulesForIp(final long sourceIpId, final boolean continueOnError, final Account caller, final boolean forRevoke) {
    final List<? extends FirewallRule> natRules = _firewallDao.listByIpAndPurpose(sourceIpId, Purpose.StaticNat);
    if (natRules.isEmpty()) {
        s_logger.debug("There are no static nat rules to apply for ip id=" + sourceIpId);
        return true;
    }
    final List<StaticNatRule> toApply = new ArrayList<>(natRules.size());
    for (final FirewallRule natRule : natRules) {
        toApply.add(buildStaticNatRule(natRule, forRevoke));
    }
    // Authorization is skipped for a null caller (trusted internal path).
    if (caller != null) {
        _accountMgr.checkAccess(caller, null, true, toApply.toArray(new StaticNatRule[0]));
    }
    try {
        return _firewallMgr.applyRules(toApply, continueOnError, true);
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to apply static nat rules for ip due to ", ex);
        return false;
    }
}
Also used : ArrayList(java.util.ArrayList) ResourceUnavailableException(com.cloud.legacymodel.exceptions.ResourceUnavailableException) StaticNatRule(com.cloud.legacymodel.network.StaticNatRule) FirewallRule(com.cloud.legacymodel.network.FirewallRule)

Example 20 with FirewallRule

use of com.cloud.legacymodel.network.FirewallRule in project cosmic by MissionCriticalCloud.

From class FirewallManagerImpl, method applyRules:

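/**
 * Pushes a batch of rules to the network elements and, when requested, reconciles their DB state.
 *
 * The whole batch is applied under the purpose of its first rule, so callers must not mix
 * purposes in one call. After a successful push, rules in {@code Revoke} state are deleted
 * (unless another rule still references them) and rules in {@code Add} state are marked
 * {@code Active}. A missing DB row is logged and the method reports {@code false} instead of
 * throwing, so the remaining rules in the batch are still reconciled rather than left in an
 * out-of-sync state while the network elements already carry them.
 *
 * @param rules           rules to apply; {@code null} or empty is a no-op that returns {@code true}
 * @param continueOnError passed through to the IP address manager
 * @param updateRulesInDB whether to update rule state in the DB after a successful push
 * @return {@code true} if the rules were pushed and every DB update succeeded
 * @throws ResourceUnavailableException propagated from the IP address manager
 */
@Override
public boolean applyRules(final List<? extends FirewallRule> rules, final boolean continueOnError, final boolean updateRulesInDB) throws ResourceUnavailableException {
    if (rules == null || rules.isEmpty()) {
        s_logger.debug("There are no rules to forward to the network elements");
        return true;
    }
    // Only the first rule's purpose is consulted for the entire batch.
    final Purpose purpose = rules.get(0).getPurpose();
    if (!_ipAddrMgr.applyRules(rules, purpose, this, continueOnError)) {
        s_logger.warn("Rules are not completely applied");
        return false;
    }
    if (!updateRulesInDB) {
        return true;
    }
    boolean success = true;
    for (final FirewallRule rule : rules) {
        if (rule.getState() == FirewallRule.State.Revoke) {
            final FirewallRuleVO relatedRule = _firewallDao.findByRelatedId(rule.getId());
            if (relatedRule != null) {
                s_logger.warn("Can't remove the firewall rule id=" + rule.getId() + " as it has related firewall rule id=" + relatedRule.getId() + "; leaving it in Revoke state");
                success = false;
                continue;
            }
            removeRule(rule);
            if (rule.getSourceIpAddressId() != null) {
                // if the rule is the last one for the ip address assigned to VPC, unassign it from the network
                final IpAddress ip = _ipAddressDao.findById(rule.getSourceIpAddressId());
                if (ip == null) {
                    // Nothing left to unassign; the rule itself is already removed, so this is not a failure.
                    s_logger.warn("Ip address id=" + rule.getSourceIpAddressId() + " of revoked rule id=" + rule.getId() + " no longer exists; skipping VPC unassignment");
                } else {
                    _vpcMgr.unassignIPFromVpcNetwork(ip.getId(), rule.getNetworkId());
                }
            }
        } else if (rule.getState() == FirewallRule.State.Add) {
            final FirewallRuleVO ruleVO = _firewallDao.findById(rule.getId());
            if (ruleVO == null) {
                // The rule is live on the network elements but has no DB row to mark Active.
                s_logger.warn("Firewall rule id=" + rule.getId() + " was applied but no longer exists in the DB; cannot mark it Active");
                success = false;
                continue;
            }
            ruleVO.setState(FirewallRule.State.Active);
            _firewallDao.update(ruleVO.getId(), ruleVO);
        }
    }
    return success;
}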
Also used : Purpose(com.cloud.legacymodel.network.FirewallRule.Purpose) IpAddress(com.cloud.network.IpAddress) FirewallRule(com.cloud.legacymodel.network.FirewallRule) FirewallRuleVO(com.cloud.network.rules.FirewallRuleVO)
