use of com.cloud.network.rules.FirewallRule in project cloudstack by apache.
the class FirewallManagerImpl method revokeRelatedFirewallRule.
/**
 * Revokes the firewall rule that was created as a companion of another rule (looked up by
 * related id) as part of deleting that other rule.
 *
 * @param ruleId id of the rule being deleted; its related firewall rule is resolved via the DAO
 * @param apply  whether the revocation should be pushed to the network right away
 * @return the outcome of revoking the related ingress rule, or {@code true} when no related rule exists
 */
@Override
public boolean revokeRelatedFirewallRule(long ruleId, boolean apply) {
    final FirewallRule related = _firewallDao.findByRelatedId(ruleId);
    if (related != null) {
        s_logger.debug("Revoking Firewall rule id=" + related.getId() + " as a part of rule delete id=" + ruleId + " with apply=" + apply);
        return revokeIngressFirewallRule(related.getId(), apply);
    }
    // Nothing to revoke: report success so the caller's delete can proceed.
    s_logger.trace("No related firewall rule exists for rule id=" + ruleId + " so returning true here");
    return true;
}
use of com.cloud.network.rules.FirewallRule in project cloudstack by apache.
the class ApiResponseHelper method createFirewallResponse.
/**
 * Builds the API response object for a firewall rule: identifiers, protocol and optional port
 * range, source (and, for egress, destination) CIDR lists, the public IP for ingress rules,
 * the owning network, ICMP fields, display flag, resource tags and a client-facing state.
 *
 * @param fwRule the rule to render; its IP address and network are resolved through ApiDBUtils
 * @return a populated {@link FirewallResponse} with object name "firewallrule"
 */
@Override
public FirewallResponse createFirewallResponse(FirewallRule fwRule) {
    final FirewallResponse response = new FirewallResponse();
    response.setId(fwRule.getUuid());
    response.setProtocol(fwRule.getProtocol());

    // Port bounds are optional on a rule; only copy the ones that are present.
    final Integer startPort = fwRule.getSourcePortStart();
    if (startPort != null) {
        response.setStartPort(startPort);
    }
    final Integer endPort = fwRule.getSourcePortEnd();
    if (endPort != null) {
        response.setEndPort(endPort);
    }

    final long ruleId = fwRule.getId();
    response.setCidrList(StringUtils.join(ApiDBUtils.findFirewallSourceCidrs(ruleId), ","));

    final FirewallRule.TrafficType trafficType = fwRule.getTrafficType();
    if (trafficType == FirewallRule.TrafficType.Egress) {
        response.setDestCidr(StringUtils.join(ApiDBUtils.findFirewallDestCidrs(ruleId), ","));
    }
    if (trafficType == FirewallRule.TrafficType.Ingress) {
        // Ingress rules hang off a public IP; expose it by uuid and by address.
        final IpAddress publicIp = ApiDBUtils.findIpAddressById(fwRule.getSourceIpAddressId());
        response.setPublicIpAddressId(publicIp.getUuid());
        response.setPublicIpAddress(publicIp.getAddress().addr());
    }

    final Network network = ApiDBUtils.findNetworkById(fwRule.getNetworkId());
    response.setNetworkId(network.getUuid());

    response.setIcmpCode(fwRule.getIcmpCode());
    response.setIcmpType(fwRule.getIcmpType());
    response.setForDisplay(fwRule.isDisplay());

    // Resource tags attached to this rule (null tag responses are skipped).
    final List<ResourceTagResponse> tagResponses = new ArrayList<>();
    for (ResourceTag tag : ApiDBUtils.listByResourceTypeAndId(ResourceObjectType.FirewallRule, ruleId)) {
        CollectionUtils.addIgnoreNull(tagResponses, createResourceTagResponse(tag, true));
    }
    response.setTags(tagResponses);

    // A rule in Revoke state is presented to API clients as "Deleting".
    final FirewallRule.State state = fwRule.getState();
    response.setState(state == FirewallRule.State.Revoke ? "Deleting" : state.toString());
    response.setObjectName("firewallrule");
    return response;
}
use of com.cloud.network.rules.FirewallRule in project cloudstack by apache.
the class KubernetesClusterScaleWorker method scaleKubernetesClusterNetworkRules.
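/**
 * Scale network rules for an existing Kubernetes cluster while scaling it.
 * Open up firewall for SSH access from port CLUSTER_NODES_DEFAULT_START_SSH_PORT to
 * CLUSTER_NODES_DEFAULT_START_SSH_PORT + (number of node VMs - 1).
 * Also remove port forwarding rules for all virtual machines and re-create port-forwarding rules
 * to forward public IP traffic to all node VMs' private IP.
 * <p>
 * Only isolated guest networks receive rules; any other guest type returns without change.
 * The existing SSH firewall rule is removed before its replacement is provisioned, so a
 * provisioning failure leaves SSH closed rather than leaving the previous range open.
 * The source CIDR of the opened range is decided inside provisionFirewallRules.
 *
 * @param clusterVMIds ids of all node VMs in the cluster after scaling; one SSH port is opened per VM
 * @throws ManagementServerException when the network has no source NAT IP, when the existing SSH
 *         firewall rule cannot be found or carries no end port, or when any provisioning or
 *         removal step fails
 */
private void scaleKubernetesClusterNetworkRules(final List<Long> clusterVMIds) throws ManagementServerException {
    if (!Network.GuestType.Isolated.equals(network.getGuestType())) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug(String.format("Network : %s for Kubernetes cluster : %s is not an isolated network, therefore, no need for network rules", network.getName(), kubernetesCluster.getName()));
        }
        return;
    }
    final IpAddress publicIp = getSourceNatIp(network);
    if (publicIp == null) {
        throw new ManagementServerException(String.format("No source NAT IP addresses found for network : %s, Kubernetes cluster : %s", network.getName(), kubernetesCluster.getName()));
    }
    // Remove existing SSH firewall rules
    final FirewallRule firewallRule = removeSshFirewallRule(publicIp);
    if (firewallRule == null) {
        throw new ManagementServerException("Firewall rule for node SSH access can't be provisioned");
    }
    // The end port is nullable on FirewallRule; a missing value would otherwise surface as a bare
    // NullPointerException on unboxing instead of a cluster-scoped error.
    final Integer existingSourcePortEnd = firewallRule.getSourcePortEnd();
    if (existingSourcePortEnd == null) {
        throw new ManagementServerException(String.format("Existing SSH firewall rule for the Kubernetes cluster : %s has no end port", kubernetesCluster.getName()));
    }
    final int existingFirewallRuleSourcePortEnd = existingSourcePortEnd;
    // One SSH port per node VM, starting at the cluster's default start port.
    final int endPort = CLUSTER_NODES_DEFAULT_START_SSH_PORT + clusterVMIds.size() - 1;
    // Provision new SSH firewall rules
    try {
        provisionFirewallRules(publicIp, owner, CLUSTER_NODES_DEFAULT_START_SSH_PORT, endPort);
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug(String.format("Provisioned firewall rule to open up port %d to %d on %s in Kubernetes cluster %s", CLUSTER_NODES_DEFAULT_START_SSH_PORT, endPort, publicIp.getAddress().addr(), kubernetesCluster.getName()));
        }
    } catch (NoSuchFieldException | IllegalAccessException | ResourceUnavailableException e) {
        throw new ManagementServerException(String.format("Failed to activate SSH firewall rules for the Kubernetes cluster : %s", kubernetesCluster.getName()), e);
    }
    // Drop the forwarding rules of the previous range (start .. old end) before re-creating them
    // for the current set of node VMs.
    try {
        removePortForwardingRules(publicIp, network, owner, CLUSTER_NODES_DEFAULT_START_SSH_PORT, existingFirewallRuleSourcePortEnd);
    } catch (ResourceUnavailableException e) {
        throw new ManagementServerException(String.format("Failed to remove SSH port forwarding rules for removed VMs for the Kubernetes cluster : %s", kubernetesCluster.getName()), e);
    }
    try {
        provisionSshPortForwardingRules(publicIp, network, owner, clusterVMIds, CLUSTER_NODES_DEFAULT_START_SSH_PORT);
    } catch (ResourceUnavailableException | NetworkRuleConflictException e) {
        throw new ManagementServerException(String.format("Failed to activate SSH port forwarding rules for the Kubernetes cluster : %s", kubernetesCluster.getName()), e);
    }
}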
use of com.cloud.network.rules.FirewallRule in project cloudstack by apache.
the class VirtualNetworkApplianceManagerImpl method createDefaultEgressFirewallRule.
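/**
 * Appends the system-level "allow all" egress rule for a network when its offering's default
 * egress policy is Allow. The router itself defaults to Deny all, so nothing is added otherwise.
 *
 * @param rules     the rule list being assembled for the router; the default egress rule is added to it
 * @param networkId id of the network whose offering decides the default egress policy
 */
private void createDefaultEgressFirewallRule(final List<FirewallRule> rules, final long networkId) {
    final NetworkVO network = _networkDao.findById(networkId);
    final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
    final Boolean defaultEgressPolicy = offering.isEgressDefaultPolicy();
    // The default on the router is set to Deny all. So, if the default configuration in the offering is set to true (Allow), we change the Egress here.
    // A null policy is treated as Deny instead of being unboxed, which keeps the router at its more restrictive default.
    if (Boolean.TRUE.equals(defaultEgressPolicy)) {
        // Allow the whole guest CIDR to reach any IPv4 destination.
        final List<String> sourceCidr = new ArrayList<>();
        final List<String> destCidr = new ArrayList<>();
        sourceCidr.add(network.getCidr());
        destCidr.add(NetUtils.ALL_IP4_CIDRS);
        final FirewallRule rule = new FirewallRuleVO(null, null, null, null, "all", networkId, network.getAccountId(), network.getDomainId(), Purpose.Firewall, sourceCidr, destCidr, null, null, null, FirewallRule.TrafficType.Egress, FirewallRule.FirewallRuleType.System);
        rules.add(rule);
    } else {
        s_logger.debug("Egress policy for the Network " + networkId + " is already defined as Deny. So, no need to default the rule to Allow. ");
    }
}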