
Example 11 with FirewallRuleVO

use of com.cloud.network.rules.FirewallRuleVO in project cloudstack by apache.

the class FirewallManagerImpl method updateFirewallRule.

/**
 * Updates the custom UUID and/or display flag of an existing firewall rule.
 *
 * @param ruleId     id of the rule to update; must exist and have purpose {@code Firewall}
 * @param customId   new UUID for the rule, or {@code null} to leave it unchanged
 * @param caller     account performing the update; must pass the ACL check on the rule
 * @param forDisplay new display flag, or {@code null} to leave it unchanged
 * @return the rule as re-read from the DAO after the update
 * @throws InvalidParameterValueException if no rule with that id and purpose {@code Firewall}
 *         exists, or the rule is a system rule and the caller is not a root admin
 */
protected FirewallRule updateFirewallRule(long ruleId, String customId, Account caller, Boolean forDisplay) {
    FirewallRuleVO existing = _firewallDao.findById(ruleId);
    boolean isFirewallRule = existing != null && existing.getPurpose() == Purpose.Firewall;
    if (!isFirewallRule) {
        throw new InvalidParameterValueException("Unable to find " + ruleId + " having purpose " + Purpose.Firewall);
    }
    // System-wide rules may only be edited by the root-admin account type.
    boolean isSystemRule = existing.getType() == FirewallRuleType.System;
    boolean callerIsRootAdmin = caller.getType() == Account.ACCOUNT_TYPE_ADMIN;
    if (isSystemRule && !callerIsRootAdmin) {
        throw new InvalidParameterValueException("Only root admin can update the system wide firewall rule");
    }
    // Authorization is checked before any field of the rule is touched.
    _accountMgr.checkAccess(caller, null, true, existing);
    // NOTE(review): customId is written straight into the rule's uuid column; no format or
    // uniqueness validation is visible in this method - presumably the calling command
    // validates it before getting here. Confirm.
    if (customId != null) {
        existing.setUuid(customId);
    }
    if (forDisplay != null) {
        existing.setDisplay(forDisplay);
    }
    _firewallDao.update(ruleId, existing);
    return _firewallDao.findById(ruleId);
}

Example 12 with FirewallRuleVO

use of com.cloud.network.rules.FirewallRuleVO in project cloudstack by apache.

the class FirewallManagerImpl method listFirewallRules.

/**
 * Lists the firewall rules visible to the calling account, filtered by the command's optional
 * id, public IP, network, traffic type, display flag and resource tags.
 *
 * <p>Visibility is enforced through the account manager's ACL search helpers
 * ({@code buildACLSearchParameters}, {@code buildACLSearchBuilder}, {@code buildACLSearchCriteria}),
 * which are applied before any user-supplied filter is bound.
 *
 * @param cmd the list command carrying the filter values and paging parameters
 * @return one page of matching rules together with the total match count
 * @throws InvalidParameterValueException if a public IP id is given that does not exist or is
 *         not yet usable for firewall rules
 */
@Override
public Pair<List<? extends FirewallRule>, Integer> listFirewallRules(IListFirewallRulesCmd cmd) {
    final Long ipId = cmd.getIpAddressId();
    final Long ruleId = cmd.getId();
    final Long networkId = cmd.getNetworkId();
    final Map<String, String> tagFilter = cmd.getTags();
    final FirewallRule.TrafficType trafficType = cmd.getTrafficType();
    final Boolean display = cmd.getDisplay();
    final Account caller = CallContext.current().getCallingAccount();
    final List<Long> permittedAccounts = new ArrayList<Long>();
    final boolean filterByTags = tagFilter != null && !tagFilter.isEmpty();

    // A specific public IP must exist, be usable, and be accessible to the caller.
    if (ipId != null) {
        IPAddressVO publicIp = _ipAddressDao.findById(ipId);
        if (publicIp == null || !publicIp.readyToUse()) {
            throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for firewall rules yet");
        }
        _accountMgr.checkAccess(caller, null, true, publicIp);
    }

    // Resolve the domain / recursion / project scope the caller is allowed to list in.
    Ternary<Long, Boolean, ListProjectResourcesCriteria> aclScope =
            new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
    _accountMgr.buildACLSearchParameters(caller, ruleId, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, aclScope, cmd.listAll(), false);
    Long domainId = aclScope.first();
    Boolean isRecursive = aclScope.second();
    ListProjectResourcesCriteria projectCriteria = aclScope.third();

    Filter pageFilter = new Filter(FirewallRuleVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
    SearchBuilder<FirewallRuleVO> ruleSearch = _firewallDao.createSearchBuilder();
    _accountMgr.buildACLSearchBuilder(ruleSearch, domainId, isRecursive, permittedAccounts, projectCriteria);
    ruleSearch.and("id", ruleSearch.entity().getId(), Op.EQ);
    ruleSearch.and("trafficType", ruleSearch.entity().getTrafficType(), Op.EQ);
    ruleSearch.and("networkId", ruleSearch.entity().getNetworkId(), Op.EQ);
    ruleSearch.and("ip", ruleSearch.entity().getSourceIpAddressId(), Op.EQ);
    ruleSearch.and("purpose", ruleSearch.entity().getPurpose(), Op.EQ);
    ruleSearch.and("display", ruleSearch.entity().isDisplay(), Op.EQ);

    if (filterByTags) {
        // One OR-ed (key, value) group per requested tag, joined to the rule by resource id.
        SearchBuilder<ResourceTagVO> tagSearch = _resourceTagDao.createSearchBuilder();
        int tagCount = tagFilter.size();
        for (int i = 0; i < tagCount; i++) {
            tagSearch.or().op("key" + i, tagSearch.entity().getKey(), SearchCriteria.Op.EQ);
            tagSearch.and("value" + i, tagSearch.entity().getValue(), SearchCriteria.Op.EQ);
            tagSearch.cp();
        }
        tagSearch.and("resourceType", tagSearch.entity().getResourceType(), SearchCriteria.Op.EQ);
        ruleSearch.groupBy(ruleSearch.entity().getId());
        ruleSearch.join("tagSearch", tagSearch, ruleSearch.entity().getId(), tagSearch.entity().getResourceId(), JoinBuilder.JoinType.INNER);
    }

    SearchCriteria<FirewallRuleVO> criteria = ruleSearch.create();
    _accountMgr.buildACLSearchCriteria(criteria, domainId, isRecursive, permittedAccounts, projectCriteria);
    if (ruleId != null) {
        criteria.setParameters("id", ruleId);
    }
    if (filterByTags) {
        criteria.setJoinParameters("tagSearch", "resourceType", ResourceObjectType.FirewallRule.toString());
        int i = 0;
        for (Map.Entry<String, String> tag : tagFilter.entrySet()) {
            criteria.setJoinParameters("tagSearch", "key" + i, tag.getKey());
            criteria.setJoinParameters("tagSearch", "value" + i, tag.getValue());
            i++;
        }
    }
    if (display != null) {
        criteria.setParameters("display", display);
    }
    if (ipId != null) {
        criteria.setParameters("ip", ipId);
    }
    if (networkId != null) {
        criteria.setParameters("networkId", networkId);
    }
    criteria.setParameters("purpose", Purpose.Firewall);
    criteria.setParameters("trafficType", trafficType);

    Pair<List<FirewallRuleVO>, Integer> page = _firewallDao.searchAndCount(criteria, pageFilter);
    return new Pair<List<? extends FirewallRule>, Integer>(page.first(), page.second());
}

Example 13 with FirewallRuleVO

use of com.cloud.network.rules.FirewallRuleVO in project cloudstack by apache.

the class FirewallRulesDaoImpl method remove.

/**
 * Removes a firewall-rule row and, beforehand, any resource tags attached to it.
 *
 * <p>Tags are stored under the resource type that matches the rule's purpose (load balancer,
 * port forwarding, firewall or network ACL); rules with any other purpose get no tag cleanup.
 * Both steps run inside one legacy transaction.
 *
 * @param id database id of the rule to remove
 * @return the result reported by the superclass {@code remove}
 */
@Override
@DB
public boolean remove(Long id) {
    TransactionLegacy txn = TransactionLegacy.currentTxn();
    txn.start();
    // NOTE(review): there is no rollback path here - an exception thrown by the tag cleanup or
    // by super.remove leaves the transaction started rather than rolled back. Confirm the
    // surrounding TransactionLegacy machinery handles that.
    FirewallRuleVO existing = findById(id);
    if (existing != null) {
        ResourceObjectType tagType = tagTypeForPurpose(existing.getPurpose());
        if (tagType != null) {
            _tagsDao.removeByIdAndType(id, tagType);
        }
    }
    boolean removed = super.remove(id);
    txn.commit();
    return removed;
}

/**
 * Maps a rule purpose to the resource type its tags are stored under.
 *
 * @param purpose purpose of the rule being removed; may be {@code null}
 * @return the matching tag resource type, or {@code null} for purposes that carry no tags
 */
private static ResourceObjectType tagTypeForPurpose(Purpose purpose) {
    if (purpose == Purpose.LoadBalancing) {
        return ResourceObjectType.LoadBalancer;
    }
    if (purpose == Purpose.PortForwarding) {
        return ResourceObjectType.PortForwardingRule;
    }
    if (purpose == Purpose.Firewall) {
        return ResourceObjectType.FirewallRule;
    }
    if (purpose == Purpose.NetworkACL) {
        return ResourceObjectType.NetworkACL;
    }
    return null;
}

Example 14 with FirewallRuleVO

use of com.cloud.network.rules.FirewallRuleVO in project cloudstack by apache.

the class PaloAltoResourceTest method removeEgressFirewallRule.

/**
 * Verifies that revoking an egress firewall rule through the mocked Palo Alto resource succeeds.
 *
 * <p>The mock context is primed so the device already reports the interfaces, source-NAT,
 * isolation and egress rules the revoke flow expects to find; the command then carries a
 * single TCP/80 egress rule in the {@code Revoke} state and the answer must be successful.
 */
@Test
public void removeEgressFirewallRule() throws ConfigurationException, Exception {
    boolean consoleOutput = _context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true");
    if (consoleOutput) {
        System.out.println("\nTEST: removeEgressFirewallRule");
        System.out.println("---------------------------------------------------");
    }
    // Device state the mock should report as already present.
    String[] presentFlags = {"has_public_interface", "has_private_interface", "has_src_nat_rule", "has_isolation_fw_rule", "has_service_tcp_80", "has_egress_fw_rule"};
    for (String flag : presentFlags) {
        _context.put(flag, "true");
    }
    _resource.setMockContext(_context);
    _resource.configure("PaloAltoResource", _resourceParams);

    final long vlanId = 3954;
    final String vlanTag = Long.toString(vlanId);
    FirewallRuleVO revokedVO = new FirewallRuleVO(null, null, 80, 80, "tcp", 1, 1, 1, Purpose.Firewall, null, null, null, null, FirewallRule.TrafficType.Egress);
    revokedVO.setState(State.Revoke);
    FirewallRuleTO revoked = new FirewallRuleTO(revokedVO, vlanTag, null, Purpose.Firewall, FirewallRule.TrafficType.Egress);

    List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
    rules.add(revoked);
    SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rules);
    cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, vlanTag);
    cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");

    Answer answer = _resource.executeRequest(cmd);
    assertTrue(answer.getResult());
}

Example 15 with FirewallRuleVO

use of com.cloud.network.rules.FirewallRuleVO in project cloudstack by apache.

the class NetworkServiceImpl method releaseSecondaryIpFromNic.

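/**
 * Releases a secondary IP that was assigned to a VM NIC, after verifying that no port
 * forwarding, static NAT or load-balancing rule still references it.
 *
 * <p>Order matters: the caller's access to the owning VM is checked before any further state
 * is read or modified. In Advanced/Isolated networks the release is refused while a
 * PF, static-NAT or LB rule still points at the IP; in Basic or Shared networks the matching
 * public IP row (if any) is marked unavailable and unassigned inside a transaction.
 *
 * @param ipAddressId id of the {@code NicSecondaryIpVO} record (not the id of a public IP)
 * @return the result of {@code removeNicSecondaryIP}
 * @throws InvalidParameterValueException if the secondary IP, its VM, network, network offering
 *         or zone cannot be found, the network type is not supported, or the IP is still
 *         referenced by a rule
 */
@Override
@DB
@ActionEvent(eventType = EventTypes.EVENT_NIC_SECONDARY_IP_UNASSIGN, eventDescription = "Removing secondary ip " + "from nic", async = true)
public boolean releaseSecondaryIpFromNic(long ipAddressId) {
    Account caller = CallContext.current().getCallingAccount();
    // Verify input parameters
    NicSecondaryIpVO secIpVO = _nicSecondaryIpDao.findById(ipAddressId);
    if (secIpVO == null) {
        throw new InvalidParameterValueException("Unable to find secondary ip address by id");
    }
    VirtualMachine vm = _userVmDao.findById(secIpVO.getVmId());
    if (vm == null) {
        throw new InvalidParameterValueException("There is no vm with the given secondary ip");
    }
    // verify permissions - before anything else is looked up or changed
    _accountMgr.checkAccess(caller, null, true, vm);
    Network network = _networksDao.findById(secIpVO.getNetworkId());
    if (network == null) {
        throw new InvalidParameterValueException("Invalid network id is given");
    }
    // Validate network offering: it is dereferenced in the Basic/Shared branch below, so a
    // missing row is rejected here instead of surfacing as a NullPointerException.
    NetworkOfferingVO ntwkOff = _networkOfferingDao.findById(network.getNetworkOfferingId());
    if (ntwkOff == null) {
        throw new InvalidParameterValueException("Unable to find network offering for network id " + network.getId());
    }
    Long nicId = secIpVO.getNicId();
    s_logger.debug("ip id = " + ipAddressId + " nic id = " + nicId);
    // check is this the last secondary ip for NIC
    List<NicSecondaryIpVO> ipList = _nicSecondaryIpDao.listByNicId(nicId);
    boolean lastIp = ipList.size() == 1;
    DataCenter dc = _dcDao.findById(network.getDataCenterId());
    if (dc == null) {
        throw new InvalidParameterValueException("Invalid zone Id is given");
    }
    s_logger.debug("Calling secondary ip " + secIpVO.getIp4Address() + " release ");
    if (dc.getNetworkType() == NetworkType.Advanced && network.getGuestType() == Network.GuestType.Isolated) {
        checkSecondaryIpNotReferencedByRules(vm, network, secIpVO);
    } else if (dc.getNetworkType() == NetworkType.Basic || ntwkOff.getGuestType() == Network.GuestType.Shared) {
        final IPAddressVO ip = _ipAddressDao.findByIpAndSourceNetworkId(secIpVO.getNetworkId(), secIpVO.getIp4Address());
        if (ip != null) {
            Transaction.execute(new TransactionCallbackNoReturn() {

                @Override
                public void doInTransactionWithoutResult(TransactionStatus status) {
                    _ipAddrMgr.markIpAsUnavailable(ip.getId());
                    _ipAddressDao.unassignIpAddress(ip.getId());
                }
            });
        }
    } else {
        throw new InvalidParameterValueException("Not supported for this network now");
    }
    return removeNicSecondaryIP(secIpVO, lastIp);
}

/**
 * Refuses the release of a secondary IP in an Advanced/Isolated network while a port
 * forwarding, static NAT or load-balancing rule still references it.
 *
 * @param vm      VM that owns the NIC
 * @param network guest network the secondary IP belongs to
 * @param secIpVO the secondary IP record being released
 * @throws InvalidParameterValueException if any such rule references the IP
 */
private void checkSecondaryIpNotReferencedByRules(VirtualMachine vm, Network network, NicSecondaryIpVO secIpVO) {
    String secondaryIp = secIpVO.getIp4Address();
    // check PF or static NAT is configured on this ip address
    List<FirewallRuleVO> fwRulesList = _firewallDao.listByNetworkAndPurpose(network.getId(), Purpose.PortForwarding);
    for (FirewallRuleVO rule : fwRulesList) {
        if (_portForwardingDao.findByIdAndIp(rule.getId(), secondaryIp) != null) {
            s_logger.debug("VM nic IP " + secondaryIp + " is associated with the port forwarding rule");
            throw new InvalidParameterValueException("Can't remove the secondary ip " + secondaryIp + " is associate with the port forwarding rule");
        }
    }
    // check if the secondary ip associated with any static nat rule
    IPAddressVO publicIpVO = _ipAddressDao.findByIpAndNetworkId(secIpVO.getNetworkId(), secondaryIp);
    if (publicIpVO != null) {
        s_logger.debug("VM nic IP " + secondaryIp + " is associated with the static NAT rule public IP address id " + publicIpVO.getId());
        // Message previously read "Can' remove the ip <ip>is associate ..." (missing apostrophe-t and space).
        throw new InvalidParameterValueException("Can't remove the ip " + secondaryIp + " is associate with static NAT rule public IP address id " + publicIpVO.getId());
    }
    if (_loadBalancerDao.isLoadBalancerRulesMappedToVmGuestIp(vm.getId(), secondaryIp, network.getId())) {
        s_logger.debug("VM nic IP " + secondaryIp + " is mapped to load balancing rule");
        throw new InvalidParameterValueException("Can't remove the secondary ip " + secondaryIp + " is mapped to load balancing rule");
    }
}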
