Example 11 with StaticNatRule
use of com.cloud.network.rules.StaticNatRule in project cosmic by MissionCriticalCloud.
the class VirtualNetworkApplianceManagerImpl method finalizeNetworkRulesForNetwork.
protected void finalizeNetworkRulesForNetwork(final Commands cmds, final DomainRouterVO router, final Provider provider, final Long guestNetworkId) {
s_logger.debug("Resending ipAssoc, port forwarding, load balancing rules as a part of Virtual router start");
final ArrayList<? extends PublicIpAddress> publicIps = getPublicIpsToApply(router, provider, guestNetworkId);
final List<FirewallRule> firewallRulesEgress = new ArrayList<>();
// Fetch firewall Egress rules.
if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall, provider)) {
firewallRulesEgress.addAll(_rulesDao.listByNetworkPurposeTrafficType(guestNetworkId, Purpose.Firewall, FirewallRule.TrafficType.Egress));
if (firewallRulesEgress.isEmpty()) {
// create egress default rule for VR
createDefaultEgressFirewallRule(firewallRulesEgress, guestNetworkId);
}
}
// Re-apply firewall Egress rules
s_logger.debug("Found " + firewallRulesEgress.size() + " firewall Egress rule(s) to apply as a part of domR " + router + " start.");
if (!firewallRulesEgress.isEmpty()) {
_commandSetupHelper.createFirewallRulesCommands(firewallRulesEgress, router, cmds, guestNetworkId);
}
if (publicIps != null && !publicIps.isEmpty()) {
final List<PortForwardingRule> pfRules = new ArrayList<>();
final List<FirewallRule> staticNatFirewallRules = new ArrayList<>();
final List<StaticNat> staticNats = new ArrayList<>();
final List<FirewallRule> firewallRulesIngress = new ArrayList<>();
// StaticNatRules; PFVPN to reapply on domR start)
for (final PublicIpAddress ip : publicIps) {
if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.PortForwarding, provider)) {
pfRules.addAll(_pfRulesDao.listForApplication(ip.getId()));
}
if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.StaticNat, provider)) {
staticNatFirewallRules.addAll(_rulesDao.listByIpAndPurpose(ip.getId(), Purpose.StaticNat));
}
if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall, provider)) {
firewallRulesIngress.addAll(_rulesDao.listByIpAndPurpose(ip.getId(), Purpose.Firewall));
}
if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.StaticNat, provider)) {
if (ip.isOneToOneNat()) {
final StaticNatImpl staticNat = new StaticNatImpl(ip.getAccountId(), ip.getDomainId(), guestNetworkId, ip.getId(), ip.getVmIp(), false);
staticNats.add(staticNat);
}
}
}
// Re-apply static nats
s_logger.debug("Found " + staticNats.size() + " static nat(s) to apply as a part of domR " + router + " start.");
if (!staticNats.isEmpty()) {
_commandSetupHelper.createApplyStaticNatCommands(staticNats, router, cmds);
}
// Re-apply firewall Ingress rules
s_logger.debug("Found " + firewallRulesIngress.size() + " firewall Ingress rule(s) to apply as a part of domR " + router + " start.");
if (!firewallRulesIngress.isEmpty()) {
_commandSetupHelper.createFirewallRulesCommands(firewallRulesIngress, router, cmds, guestNetworkId);
}
// Re-apply port forwarding rules
s_logger.debug("Found " + pfRules.size() + " port forwarding rule(s) to apply as a part of domR " + router + " start.");
if (!pfRules.isEmpty()) {
_commandSetupHelper.createApplyPortForwardingRulesCommands(pfRules, router, cmds, guestNetworkId);
}
// Re-apply static nat rules
s_logger.debug("Found " + staticNatFirewallRules.size() + " static nat rule(s) to apply as a part of domR " + router + " start.");
if (!staticNatFirewallRules.isEmpty()) {
final List<StaticNatRule> staticNatRules = new ArrayList<>();
for (final FirewallRule rule : staticNatFirewallRules) {
staticNatRules.add(_rulesMgr.buildStaticNatRule(rule, false));
}
_commandSetupHelper.createApplyStaticNatRulesCommands(staticNatRules, router, cmds, guestNetworkId);
}
final List<LoadBalancerVO> lbs = _loadBalancerDao.listByNetworkIdAndScheme(guestNetworkId, Scheme.Public);
final List<LoadBalancingRule> lbRules = new ArrayList<>();
if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.Lb, provider)) {
// Re-apply load balancing rules
for (final LoadBalancerVO lb : lbs) {
final List<LbDestination> dstList = _lbMgr.getExistingDestinations(lb.getId());
final List<LbStickinessPolicy> policyList = _lbMgr.getStickinessPolicies(lb.getId());
final List<LbHealthCheckPolicy> hcPolicyList = _lbMgr.getHealthCheckPolicies(lb.getId());
final Ip sourceIp = _networkModel.getPublicIpAddress(lb.getSourceIpAddressId()).getAddress();
final LbSslCert sslCert = _lbMgr.getLbSslCert(lb.getId());
final LoadBalancingRule loadBalancing = new LoadBalancingRule(lb, dstList, policyList, hcPolicyList, sourceIp, sslCert, lb.getLbProtocol());
lbRules.add(loadBalancing);
}
}
s_logger.debug("Found " + lbRules.size() + " load balancing rule(s) to apply as a part of domR " + router + " start.");
if (!lbRules.isEmpty()) {
_commandSetupHelper.createApplyLoadBalancingRulesCommands(lbRules, router, cmds, guestNetworkId);
}
}
}
Also used :
LbSslCert(com.cloud.network.lb.LoadBalancingRule.LbSslCert)
LoadBalancingRule(com.cloud.network.lb.LoadBalancingRule)
Ip(com.cloud.utils.net.Ip)
PublicIp(com.cloud.network.addr.PublicIp)
ArrayList(java.util.ArrayList)
LoadBalancerVO(com.cloud.network.dao.LoadBalancerVO)
LbStickinessPolicy(com.cloud.network.lb.LoadBalancingRule.LbStickinessPolicy)
StaticNatRule(com.cloud.network.rules.StaticNatRule)
PortForwardingRule(com.cloud.network.rules.PortForwardingRule)
StaticNat(com.cloud.network.rules.StaticNat)
LbDestination(com.cloud.network.lb.LoadBalancingRule.LbDestination)
PublicIpAddress(com.cloud.network.PublicIpAddress)
StaticNatImpl(com.cloud.network.rules.StaticNatImpl)
LbHealthCheckPolicy(com.cloud.network.lb.LoadBalancingRule.LbHealthCheckPolicy)
FirewallRule(com.cloud.network.rules.FirewallRule)
Example 12 with StaticNatRule
use of com.cloud.network.rules.StaticNatRule in project CloudStack-archive by CloudStack-extras.
the class ListIpForwardingRulesCmd method execute.
@Override
public void execute() {
List<? extends FirewallRule> result = _rulesService.searchStaticNatRules(publicIpAddressId, id, vmId, this.getStartIndex(), this.getPageSizeVal(), this.getAccountName(), this.getDomainId(), this.getProjectId(), this.isRecursive(), this.listAll());
ListResponse<IpForwardingRuleResponse> response = new ListResponse<IpForwardingRuleResponse>();
List<IpForwardingRuleResponse> ipForwardingResponses = new ArrayList<IpForwardingRuleResponse>();
for (FirewallRule rule : result) {
StaticNatRule staticNatRule = _rulesService.buildStaticNatRule(rule, false);
IpForwardingRuleResponse resp = _responseGenerator.createIpForwardingRuleResponse(staticNatRule);
if (resp != null) {
ipForwardingResponses.add(resp);
}
}
response.setResponses(ipForwardingResponses);
response.setResponseName(getCommandName());
this.setResponseObject(response);
}
Also used :
ListResponse(com.cloud.api.response.ListResponse)
ArrayList(java.util.ArrayList)
StaticNatRule(com.cloud.network.rules.StaticNatRule)
FirewallRule(com.cloud.network.rules.FirewallRule)
IpForwardingRuleResponse(com.cloud.api.response.IpForwardingRuleResponse)
Example 13 with StaticNatRule
use of com.cloud.network.rules.StaticNatRule in project cosmic by MissionCriticalCloud.
the class BasicNetworkVisitor method visit.
@Override
public boolean visit(final FirewallRules firewall) throws ResourceUnavailableException {
final Network network = firewall.getNetwork();
final DomainRouterVO router = (DomainRouterVO) firewall.getRouter();
final List<? extends FirewallRule> rules = firewall.getRules();
final List<LoadBalancingRule> loadbalancingRules = firewall.getLoadbalancingRules();
final Purpose purpose = firewall.getPurpose();
final Commands cmds = new Commands(Command.OnError.Continue);
_commandSetupHelper.createPublicIpACLsCommands(router, cmds);
if (purpose == Purpose.LoadBalancing) {
_commandSetupHelper.createApplyLoadBalancingRulesCommands(loadbalancingRules, router, cmds, network.getId());
return _networkGeneralHelper.sendCommandsToRouter(router, cmds);
} else if (purpose == Purpose.PortForwarding) {
_commandSetupHelper.createApplyPortForwardingRulesCommands((List<? extends PortForwardingRule>) rules, router, cmds, network.getId());
return _networkGeneralHelper.sendCommandsToRouter(router, cmds);
} else if (purpose == Purpose.StaticNat) {
_commandSetupHelper.createApplyStaticNatRulesCommands((List<StaticNatRule>) rules, router, cmds, network.getId());
return _networkGeneralHelper.sendCommandsToRouter(router, cmds);
} else if (purpose == Purpose.Firewall) {
_commandSetupHelper.createApplyFirewallRulesCommands(rules, router, cmds, network.getId());
return _networkGeneralHelper.sendCommandsToRouter(router, cmds);
}
s_logger.warn("Unable to apply rules of purpose: " + rules.get(0).getPurpose());
return false;
}
Also used :
LoadBalancingRule(com.cloud.network.lb.LoadBalancingRule)
Network(com.cloud.network.Network)
Commands(com.cloud.agent.manager.Commands)
Purpose(com.cloud.network.rules.FirewallRule.Purpose)
List(java.util.List)
StaticNatRule(com.cloud.network.rules.StaticNatRule)
PortForwardingRule(com.cloud.network.rules.PortForwardingRule)
DomainRouterVO(com.cloud.vm.DomainRouterVO)
Example 14 with StaticNatRule
use of com.cloud.network.rules.StaticNatRule in project cloudstack by apache.
the class NetworkOrchestrator method shutdownNetworkResources.
private boolean shutdownNetworkResources(final long networkId, final Account caller, final long callerUserId) {
// This method cleans up network rules on the backend w/o touching them in the DB
boolean success = true;
final Network network = _networksDao.findById(networkId);
// Mark all PF rules as revoked and apply them on the backend (not in the DB)
final List<PortForwardingRuleVO> pfRules = _portForwardingRulesDao.listByNetwork(networkId);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Releasing " + pfRules.size() + " port forwarding rules for network id=" + networkId + " as a part of shutdownNetworkRules");
}
for (final PortForwardingRuleVO pfRule : pfRules) {
s_logger.trace("Marking pf rule " + pfRule + " with Revoke state");
pfRule.setState(FirewallRule.State.Revoke);
}
try {
if (!_firewallMgr.applyRules(pfRules, true, false)) {
s_logger.warn("Failed to cleanup pf rules as a part of shutdownNetworkRules");
success = false;
}
} catch (final ResourceUnavailableException ex) {
s_logger.warn("Failed to cleanup pf rules as a part of shutdownNetworkRules due to ", ex);
success = false;
}
// Mark all static rules as revoked and apply them on the backend (not in the DB)
final List<FirewallRuleVO> firewallStaticNatRules = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.StaticNat);
final List<StaticNatRule> staticNatRules = new ArrayList<StaticNatRule>();
if (s_logger.isDebugEnabled()) {
s_logger.debug("Releasing " + firewallStaticNatRules.size() + " static nat rules for network id=" + networkId + " as a part of shutdownNetworkRules");
}
for (final FirewallRuleVO firewallStaticNatRule : firewallStaticNatRules) {
s_logger.trace("Marking static nat rule " + firewallStaticNatRule + " with Revoke state");
final IpAddress ip = _ipAddressDao.findById(firewallStaticNatRule.getSourceIpAddressId());
final FirewallRuleVO ruleVO = _firewallDao.findById(firewallStaticNatRule.getId());
if (ip == null || !ip.isOneToOneNat() || ip.getAssociatedWithVmId() == null) {
throw new InvalidParameterValueException("Source ip address of the rule id=" + firewallStaticNatRule.getId() + " is not static nat enabled");
}
// String dstIp = _networkModel.getIpInNetwork(ip.getAssociatedWithVmId(), firewallStaticNatRule.getNetworkId());
ruleVO.setState(FirewallRule.State.Revoke);
staticNatRules.add(new StaticNatRuleImpl(ruleVO, ip.getVmIp()));
}
try {
if (!_firewallMgr.applyRules(staticNatRules, true, false)) {
s_logger.warn("Failed to cleanup static nat rules as a part of shutdownNetworkRules");
success = false;
}
} catch (final ResourceUnavailableException ex) {
s_logger.warn("Failed to cleanup static nat rules as a part of shutdownNetworkRules due to ", ex);
success = false;
}
try {
if (!_lbMgr.revokeLoadBalancersForNetwork(networkId, Scheme.Public)) {
s_logger.warn("Failed to cleanup public lb rules as a part of shutdownNetworkRules");
success = false;
}
} catch (final ResourceUnavailableException ex) {
s_logger.warn("Failed to cleanup public lb rules as a part of shutdownNetworkRules due to ", ex);
success = false;
}
try {
if (!_lbMgr.revokeLoadBalancersForNetwork(networkId, Scheme.Internal)) {
s_logger.warn("Failed to cleanup internal lb rules as a part of shutdownNetworkRules");
success = false;
}
} catch (final ResourceUnavailableException ex) {
s_logger.warn("Failed to cleanup public lb rules as a part of shutdownNetworkRules due to ", ex);
success = false;
}
// revoke all firewall rules for the network w/o applying them on the DB
final List<FirewallRuleVO> firewallRules = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Ingress);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Releasing " + firewallRules.size() + " firewall ingress rules for network id=" + networkId + " as a part of shutdownNetworkRules");
}
for (final FirewallRuleVO firewallRule : firewallRules) {
s_logger.trace("Marking firewall ingress rule " + firewallRule + " with Revoke state");
firewallRule.setState(FirewallRule.State.Revoke);
}
try {
if (!_firewallMgr.applyRules(firewallRules, true, false)) {
s_logger.warn("Failed to cleanup firewall ingress rules as a part of shutdownNetworkRules");
success = false;
}
} catch (final ResourceUnavailableException ex) {
s_logger.warn("Failed to cleanup firewall ingress rules as a part of shutdownNetworkRules due to ", ex);
success = false;
}
final List<FirewallRuleVO> firewallEgressRules = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Releasing " + firewallEgressRules.size() + " firewall egress rules for network id=" + networkId + " as a part of shutdownNetworkRules");
}
try {
// delete default egress rule
final DataCenter zone = _dcDao.findById(network.getDataCenterId());
if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) && (network.getGuestType() == Network.GuestType.Isolated || network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced)) {
// add default egress rule to accept the traffic
_firewallMgr.applyDefaultEgressFirewallRule(network.getId(), _networkModel.getNetworkEgressDefaultPolicy(networkId), false);
}
} catch (final ResourceUnavailableException ex) {
s_logger.warn("Failed to cleanup firewall default egress rule as a part of shutdownNetworkRules due to ", ex);
success = false;
}
for (final FirewallRuleVO firewallRule : firewallEgressRules) {
s_logger.trace("Marking firewall egress rule " + firewallRule + " with Revoke state");
firewallRule.setState(FirewallRule.State.Revoke);
}
try {
if (!_firewallMgr.applyRules(firewallEgressRules, true, false)) {
s_logger.warn("Failed to cleanup firewall egress rules as a part of shutdownNetworkRules");
success = false;
}
} catch (final ResourceUnavailableException ex) {
s_logger.warn("Failed to cleanup firewall egress rules as a part of shutdownNetworkRules due to ", ex);
success = false;
}
if (network.getVpcId() != null) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Releasing Network ACL Items for network id=" + networkId + " as a part of shutdownNetworkRules");
}
try {
// revoke all Network ACLs for the network w/o applying them in the DB
if (!_networkACLMgr.revokeACLItemsForNetwork(networkId)) {
s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules");
success = false;
}
} catch (final ResourceUnavailableException ex) {
s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules due to ", ex);
success = false;
}
}
// release all static nats for the network
if (!_rulesMgr.applyStaticNatForNetwork(networkId, false, caller, true)) {
s_logger.warn("Failed to disable static nats as part of shutdownNetworkRules for network id " + networkId);
success = false;
}
// Get all ip addresses, mark as releasing and release them on the backend
final List<IPAddressVO> userIps = _ipAddressDao.listByAssociatedNetwork(networkId, null);
final List<PublicIp> publicIpsToRelease = new ArrayList<PublicIp>();
if (userIps != null && !userIps.isEmpty()) {
for (final IPAddressVO userIp : userIps) {
userIp.setState(IpAddress.State.Releasing);
final PublicIp publicIp = PublicIp.createFromAddrAndVlan(userIp, _vlanDao.findById(userIp.getVlanId()));
publicIpsToRelease.add(publicIp);
}
}
try {
if (!_ipAddrMgr.applyIpAssociations(network, true, true, publicIpsToRelease)) {
s_logger.warn("Unable to apply ip address associations for " + network + " as a part of shutdownNetworkRules");
success = false;
}
} catch (final ResourceUnavailableException e) {
throw new CloudRuntimeException("We should never get to here because we used true when applyIpAssociations", e);
}
return success;
}
Also used :
PortForwardingRuleVO(com.cloud.network.rules.PortForwardingRuleVO)
PublicIp(com.cloud.network.addr.PublicIp)
ArrayList(java.util.ArrayList)
StaticNatRule(com.cloud.network.rules.StaticNatRule)
FirewallRuleVO(com.cloud.network.rules.FirewallRuleVO)
DataCenter(com.cloud.dc.DataCenter)
InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException)
StaticNatRuleImpl(com.cloud.network.rules.StaticNatRuleImpl)
CloudRuntimeException(com.cloud.utils.exception.CloudRuntimeException)
Network(com.cloud.network.Network)
PhysicalNetwork(com.cloud.network.PhysicalNetwork)
ResourceUnavailableException(com.cloud.exception.ResourceUnavailableException)
IpAddress(com.cloud.network.IpAddress)
IPAddressVO(com.cloud.network.dao.IPAddressVO)
Example 15 with StaticNatRule
use of com.cloud.network.rules.StaticNatRule in project cosmic by MissionCriticalCloud.
the class CreateIpForwardingRuleCmd method create.
@Override
public void create() {
// cidr list parameter is deprecated
if (cidrlist != null) {
throw new InvalidParameterValueException("Parameter cidrList is deprecated; if you need to open firewall rule for the specific CIDR, please refer to createFirewallRule command");
}
try {
final StaticNatRule rule = _rulesService.createStaticNatRule(this, getOpenFirewall());
setEntityId(rule.getId());
setEntityUuid(rule.getUuid());
} catch (final NetworkRuleConflictException e) {
s_logger.info("Unable to create static NAT rule due to ", e);
throw new ServerApiException(ApiErrorCode.NETWORK_RULE_CONFLICT_ERROR, e.getMessage());
}
}
Also used :
ServerApiException(com.cloud.api.ServerApiException)
InvalidParameterValueException(com.cloud.utils.exception.InvalidParameterValueException)
StaticNatRule(com.cloud.network.rules.StaticNatRule)
NetworkRuleConflictException(com.cloud.exception.NetworkRuleConflictException)
Aggregations
StaticNatRule (com.cloud.network.rules.StaticNatRule)17
ArrayList (java.util.ArrayList)10
FirewallRule (com.cloud.network.rules.FirewallRule)8
Network (com.cloud.network.Network)5
ServerApiException (com.cloud.api.ServerApiException)4
IpForwardingRuleResponse (com.cloud.api.response.IpForwardingRuleResponse)4
IpAddress (com.cloud.network.IpAddress)4
PublicIpAddress (com.cloud.network.PublicIpAddress)4
PublicIp (com.cloud.network.addr.PublicIp)4
LoadBalancingRule (com.cloud.network.lb.LoadBalancingRule)4
PortForwardingRule (com.cloud.network.rules.PortForwardingRule)4
List (java.util.List)4
InvalidParameterValueException (com.cloud.exception.InvalidParameterValueException)3
NetworkRuleConflictException (com.cloud.exception.NetworkRuleConflictException)3
SetStaticNatRulesCommand (com.cloud.agent.api.routing.SetStaticNatRulesCommand)2
StaticNatRuleTO (com.cloud.agent.api.to.StaticNatRuleTO)2
Commands (com.cloud.agent.manager.Commands)2
ListResponse (com.cloud.api.response.ListResponse)2
Zone (com.cloud.db.model.Zone)2
ResourceUnavailableException (com.cloud.exception.ResourceUnavailableException)2
