Search in sources :

Example 1 with StaticNatRuleImpl

use of com.cloud.network.rules.StaticNatRuleImpl in project cosmic by MissionCriticalCloud.

the class NetworkOrchestrator method shutdownNetworkResources.

private boolean shutdownNetworkResources(final long networkId, final Account caller, final long callerUserId) {
    // This method cleans up network rules on the backend w/o touching them in the DB
    boolean success = true;
    final Network network = _networksDao.findById(networkId);
    // Mark all PF rules as revoked and apply them on the backend (not in the DB)
    final List<PortForwardingRuleVO> pfRules = _portForwardingRulesDao.listByNetwork(networkId);
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Releasing " + pfRules.size() + " port forwarding rules for network id=" + networkId + " as a part of shutdownNetworkRules");
    }
    for (final PortForwardingRuleVO pfRule : pfRules) {
        s_logger.trace("Marking pf rule " + pfRule + " with Revoke state");
        pfRule.setState(FirewallRule.State.Revoke);
    }
    try {
        if (!_firewallMgr.applyRules(pfRules, true, false)) {
            s_logger.warn("Failed to cleanup pf rules as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup pf rules as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    // Mark all static rules as revoked and apply them on the backend (not in the DB)
    final List<FirewallRuleVO> firewallStaticNatRules = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.StaticNat);
    final List<StaticNatRule> staticNatRules = new ArrayList<>();
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Releasing " + firewallStaticNatRules.size() + " static nat rules for network id=" + networkId + " as a part of shutdownNetworkRules");
    }
    for (final FirewallRuleVO firewallStaticNatRule : firewallStaticNatRules) {
        s_logger.trace("Marking static nat rule " + firewallStaticNatRule + " with Revoke state");
        final IpAddress ip = _ipAddressDao.findById(firewallStaticNatRule.getSourceIpAddressId());
        final FirewallRuleVO ruleVO = _firewallDao.findById(firewallStaticNatRule.getId());
        if (ip == null || !ip.isOneToOneNat() || ip.getAssociatedWithVmId() == null) {
            throw new InvalidParameterValueException("Source ip address of the rule id=" + firewallStaticNatRule.getId() + " is not static nat enabled");
        }
        // String dstIp = _networkModel.getIpInNetwork(ip.getAssociatedWithVmId(), firewallStaticNatRule.getNetworkId());
        ruleVO.setState(FirewallRule.State.Revoke);
        staticNatRules.add(new StaticNatRuleImpl(ruleVO, ip.getVmIp()));
    }
    try {
        if (!_firewallMgr.applyRules(staticNatRules, true, false)) {
            s_logger.warn("Failed to cleanup static nat rules as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup static nat rules as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    try {
        if (!_lbMgr.revokeLoadBalancersForNetwork(networkId, Scheme.Public)) {
            s_logger.warn("Failed to cleanup public lb rules as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup public lb rules as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    // revoke all firewall rules for the network w/o applying them on the DB
    final List<FirewallRuleVO> firewallRules = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Ingress);
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Releasing " + firewallRules.size() + " firewall ingress rules for network id=" + networkId + " as a part of shutdownNetworkRules");
    }
    for (final FirewallRuleVO firewallRule : firewallRules) {
        s_logger.trace("Marking firewall ingress rule " + firewallRule + " with Revoke state");
        firewallRule.setState(FirewallRule.State.Revoke);
    }
    try {
        if (!_firewallMgr.applyRules(firewallRules, true, false)) {
            s_logger.warn("Failed to cleanup firewall ingress rules as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup firewall ingress rules as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    final List<FirewallRuleVO> firewallEgressRules = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Releasing " + firewallEgressRules.size() + " firewall egress rules for network id=" + networkId + " as a part of shutdownNetworkRules");
    }
    try {
        // delete default egress rule
        final Zone zone = _zoneRepository.findOne(network.getDataCenterId());
        if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) && (network.getGuestType() == GuestType.Isolated || network.getGuestType() == GuestType.Shared && zone.getNetworkType() == com.cloud.model.enumeration.NetworkType.Advanced)) {
            // add default egress rule to accept the traffic
            _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), _networkModel.getNetworkEgressDefaultPolicy(networkId), false);
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup firewall default egress rule as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    for (final FirewallRuleVO firewallRule : firewallEgressRules) {
        s_logger.trace("Marking firewall egress rule " + firewallRule + " with Revoke state");
        firewallRule.setState(FirewallRule.State.Revoke);
    }
    try {
        if (!_firewallMgr.applyRules(firewallEgressRules, true, false)) {
            s_logger.warn("Failed to cleanup firewall egress rules as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup firewall egress rules as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    if (network.getVpcId() != null) {
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Releasing Network ACL Items for network id=" + networkId + " as a part of shutdownNetworkRules");
        }
        try {
            // revoke all Network ACLs for the network w/o applying them in the DB
            if (!_networkACLMgr.revokeACLItemsForNetwork(networkId)) {
                s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules");
                success = false;
            }
        } catch (final ResourceUnavailableException ex) {
            s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules due to ", ex);
            success = false;
        }
    }
    // release all static nats for the network
    if (!_rulesMgr.applyStaticNatForNetwork(networkId, false, caller, true)) {
        s_logger.warn("Failed to disable static nats as part of shutdownNetworkRules for network id " + networkId);
        success = false;
    }
    // Get all ip addresses, mark as releasing and release them on the backend
    final List<IPAddressVO> userIps = _ipAddressDao.listByAssociatedNetwork(networkId, null);
    final List<PublicIp> publicIpsToRelease = new ArrayList<>();
    if (userIps != null && !userIps.isEmpty()) {
        for (final IPAddressVO userIp : userIps) {
            userIp.setState(IpAddress.State.Releasing);
            final PublicIp publicIp = PublicIp.createFromAddrAndVlan(userIp, _vlanDao.findById(userIp.getVlanId()));
            publicIpsToRelease.add(publicIp);
        }
    }
    try {
        if (!_ipAddrMgr.applyIpAssociations(network, true, true, publicIpsToRelease)) {
            s_logger.warn("Unable to apply ip address associations for " + network + " as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException e) {
        throw new CloudRuntimeException("We should never get to here because we used true when applyIpAssociations", e);
    }
    return success;
}
Also used : PortForwardingRuleVO(com.cloud.network.rules.PortForwardingRuleVO) PublicIp(com.cloud.network.addr.PublicIp) Zone(com.cloud.db.model.Zone) ArrayList(java.util.ArrayList) StaticNatRule(com.cloud.network.rules.StaticNatRule) FirewallRuleVO(com.cloud.network.rules.FirewallRuleVO) InvalidParameterValueException(com.cloud.utils.exception.InvalidParameterValueException) StaticNatRuleImpl(com.cloud.network.rules.StaticNatRuleImpl) CloudRuntimeException(com.cloud.utils.exception.CloudRuntimeException) Network(com.cloud.network.Network) PhysicalNetwork(com.cloud.network.PhysicalNetwork) ResourceUnavailableException(com.cloud.exception.ResourceUnavailableException) IpAddress(com.cloud.network.IpAddress) IPAddressVO(com.cloud.network.dao.IPAddressVO)

Example 2 with StaticNatRuleImpl

use of com.cloud.network.rules.StaticNatRuleImpl in project cloudstack by apache.

the class NetworkOrchestrator method shutdownNetworkResources.

private boolean shutdownNetworkResources(final long networkId, final Account caller, final long callerUserId) {
    // This method cleans up network rules on the backend w/o touching them in the DB
    boolean success = true;
    final Network network = _networksDao.findById(networkId);
    // Mark all PF rules as revoked and apply them on the backend (not in the DB)
    final List<PortForwardingRuleVO> pfRules = _portForwardingRulesDao.listByNetwork(networkId);
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Releasing " + pfRules.size() + " port forwarding rules for network id=" + networkId + " as a part of shutdownNetworkRules");
    }
    for (final PortForwardingRuleVO pfRule : pfRules) {
        s_logger.trace("Marking pf rule " + pfRule + " with Revoke state");
        pfRule.setState(FirewallRule.State.Revoke);
    }
    try {
        if (!_firewallMgr.applyRules(pfRules, true, false)) {
            s_logger.warn("Failed to cleanup pf rules as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup pf rules as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    // Mark all static rules as revoked and apply them on the backend (not in the DB)
    final List<FirewallRuleVO> firewallStaticNatRules = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.StaticNat);
    final List<StaticNatRule> staticNatRules = new ArrayList<StaticNatRule>();
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Releasing " + firewallStaticNatRules.size() + " static nat rules for network id=" + networkId + " as a part of shutdownNetworkRules");
    }
    for (final FirewallRuleVO firewallStaticNatRule : firewallStaticNatRules) {
        s_logger.trace("Marking static nat rule " + firewallStaticNatRule + " with Revoke state");
        final IpAddress ip = _ipAddressDao.findById(firewallStaticNatRule.getSourceIpAddressId());
        final FirewallRuleVO ruleVO = _firewallDao.findById(firewallStaticNatRule.getId());
        if (ip == null || !ip.isOneToOneNat() || ip.getAssociatedWithVmId() == null) {
            throw new InvalidParameterValueException("Source ip address of the rule id=" + firewallStaticNatRule.getId() + " is not static nat enabled");
        }
        // String dstIp = _networkModel.getIpInNetwork(ip.getAssociatedWithVmId(), firewallStaticNatRule.getNetworkId());
        ruleVO.setState(FirewallRule.State.Revoke);
        staticNatRules.add(new StaticNatRuleImpl(ruleVO, ip.getVmIp()));
    }
    try {
        if (!_firewallMgr.applyRules(staticNatRules, true, false)) {
            s_logger.warn("Failed to cleanup static nat rules as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup static nat rules as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    try {
        if (!_lbMgr.revokeLoadBalancersForNetwork(networkId, Scheme.Public)) {
            s_logger.warn("Failed to cleanup public lb rules as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup public lb rules as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    try {
        if (!_lbMgr.revokeLoadBalancersForNetwork(networkId, Scheme.Internal)) {
            s_logger.warn("Failed to cleanup internal lb rules as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup public lb rules as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    // revoke all firewall rules for the network w/o applying them on the DB
    final List<FirewallRuleVO> firewallRules = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Ingress);
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Releasing " + firewallRules.size() + " firewall ingress rules for network id=" + networkId + " as a part of shutdownNetworkRules");
    }
    for (final FirewallRuleVO firewallRule : firewallRules) {
        s_logger.trace("Marking firewall ingress rule " + firewallRule + " with Revoke state");
        firewallRule.setState(FirewallRule.State.Revoke);
    }
    try {
        if (!_firewallMgr.applyRules(firewallRules, true, false)) {
            s_logger.warn("Failed to cleanup firewall ingress rules as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup firewall ingress rules as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    final List<FirewallRuleVO> firewallEgressRules = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Releasing " + firewallEgressRules.size() + " firewall egress rules for network id=" + networkId + " as a part of shutdownNetworkRules");
    }
    try {
        // delete default egress rule
        final DataCenter zone = _dcDao.findById(network.getDataCenterId());
        if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) && (network.getGuestType() == Network.GuestType.Isolated || network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced)) {
            // add default egress rule to accept the traffic
            _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), _networkModel.getNetworkEgressDefaultPolicy(networkId), false);
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup firewall default egress rule as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    for (final FirewallRuleVO firewallRule : firewallEgressRules) {
        s_logger.trace("Marking firewall egress rule " + firewallRule + " with Revoke state");
        firewallRule.setState(FirewallRule.State.Revoke);
    }
    try {
        if (!_firewallMgr.applyRules(firewallEgressRules, true, false)) {
            s_logger.warn("Failed to cleanup firewall egress rules as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException ex) {
        s_logger.warn("Failed to cleanup firewall egress rules as a part of shutdownNetworkRules due to ", ex);
        success = false;
    }
    if (network.getVpcId() != null) {
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Releasing Network ACL Items for network id=" + networkId + " as a part of shutdownNetworkRules");
        }
        try {
            // revoke all Network ACLs for the network w/o applying them in the DB
            if (!_networkACLMgr.revokeACLItemsForNetwork(networkId)) {
                s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules");
                success = false;
            }
        } catch (final ResourceUnavailableException ex) {
            s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules due to ", ex);
            success = false;
        }
    }
    // release all static nats for the network
    if (!_rulesMgr.applyStaticNatForNetwork(networkId, false, caller, true)) {
        s_logger.warn("Failed to disable static nats as part of shutdownNetworkRules for network id " + networkId);
        success = false;
    }
    // Get all ip addresses, mark as releasing and release them on the backend
    final List<IPAddressVO> userIps = _ipAddressDao.listByAssociatedNetwork(networkId, null);
    final List<PublicIp> publicIpsToRelease = new ArrayList<PublicIp>();
    if (userIps != null && !userIps.isEmpty()) {
        for (final IPAddressVO userIp : userIps) {
            userIp.setState(IpAddress.State.Releasing);
            final PublicIp publicIp = PublicIp.createFromAddrAndVlan(userIp, _vlanDao.findById(userIp.getVlanId()));
            publicIpsToRelease.add(publicIp);
        }
    }
    try {
        if (!_ipAddrMgr.applyIpAssociations(network, true, true, publicIpsToRelease)) {
            s_logger.warn("Unable to apply ip address associations for " + network + " as a part of shutdownNetworkRules");
            success = false;
        }
    } catch (final ResourceUnavailableException e) {
        throw new CloudRuntimeException("We should never get to here because we used true when applyIpAssociations", e);
    }
    return success;
}
Also used : PortForwardingRuleVO(com.cloud.network.rules.PortForwardingRuleVO) PublicIp(com.cloud.network.addr.PublicIp) ArrayList(java.util.ArrayList) StaticNatRule(com.cloud.network.rules.StaticNatRule) FirewallRuleVO(com.cloud.network.rules.FirewallRuleVO) DataCenter(com.cloud.dc.DataCenter) InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException) StaticNatRuleImpl(com.cloud.network.rules.StaticNatRuleImpl) CloudRuntimeException(com.cloud.utils.exception.CloudRuntimeException) Network(com.cloud.network.Network) PhysicalNetwork(com.cloud.network.PhysicalNetwork) ResourceUnavailableException(com.cloud.exception.ResourceUnavailableException) IpAddress(com.cloud.network.IpAddress) IPAddressVO(com.cloud.network.dao.IPAddressVO)

Aggregations

ResourceUnavailableException (com.cloud.exception.ResourceUnavailableException)2 IpAddress (com.cloud.network.IpAddress)2 Network (com.cloud.network.Network)2 PhysicalNetwork (com.cloud.network.PhysicalNetwork)2 PublicIp (com.cloud.network.addr.PublicIp)2 IPAddressVO (com.cloud.network.dao.IPAddressVO)2 FirewallRuleVO (com.cloud.network.rules.FirewallRuleVO)2 PortForwardingRuleVO (com.cloud.network.rules.PortForwardingRuleVO)2 StaticNatRule (com.cloud.network.rules.StaticNatRule)2 StaticNatRuleImpl (com.cloud.network.rules.StaticNatRuleImpl)2 CloudRuntimeException (com.cloud.utils.exception.CloudRuntimeException)2 ArrayList (java.util.ArrayList)2 Zone (com.cloud.db.model.Zone)1 DataCenter (com.cloud.dc.DataCenter)1 InvalidParameterValueException (com.cloud.exception.InvalidParameterValueException)1 InvalidParameterValueException (com.cloud.utils.exception.InvalidParameterValueException)1