
Example 1 with RuleChain

use of org.midonet.client.resource.RuleChain in project cloudstack by apache.

In class MidoNetElement, method deleteGuestNetworkRouters:

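/**
 * Tears down the MidoNet tenant router that backs {@code network}: the ports
 * on other devices that peer with it, its own ports, the filter chains that
 * hang off it, its routes and finally the router itself.
 *
 * <p>Nothing is done when no router exists for the network. There is no
 * error handling here, so an exception from any MidoNet call aborts the
 * remaining steps and may leave a partially deleted router (and its chains)
 * behind for a later retry.
 *
 * @param network the guest network whose tenant router is to be removed
 */
private void deleteGuestNetworkRouters(Network network) {
    String accountUuid = getAccountUuid(network);
    boolean isVpc = getIsVpc(network);
    long id = getRouterId(network, isVpc);
    Router tenantRouter = getGuestNetworkRouter(id, accountUuid, isVpc);
    if (tenantRouter == null) {
        // Guard before the first dereference: the original code only checked
        // for null after the peer-port loop, which would NPE for networks
        // whose router was never created.
        return;
    }
    // Delete any peer ports corresponding to this router. Exterior ports get
    // their VIF detached first, interior ports are unlinked first.
    for (Port peerPort : tenantRouter.getPeerPorts(new MultivaluedMapImpl())) {
        if (peerPort instanceof RouterPort) {
            RouterPort checkPort = (RouterPort) peerPort;
            if (checkPort.getType().equals("ExteriorRouter")) {
                checkPort.vifId(null).update();
            } else if (checkPort.getType().equals("InteriorRouter")) {
                checkPort.unlink();
            }
            checkPort.delete();
        } else if (peerPort instanceof BridgePort) {
            BridgePort checkPort = (BridgePort) peerPort;
            if (checkPort.getType().equals("ExteriorBridge")) {
                checkPort.vifId(null).update();
            } else if (checkPort.getType().equals("InteriorBridge")) {
                checkPort.unlink();
            }
            checkPort.delete();
        }
    }
    // Remove the router's own ports, same VIF-detach / unlink dance as above
    for (RouterPort p : tenantRouter.getPorts(new MultivaluedMapImpl())) {
        if (p.getType().equals("ExteriorRouter")) {
            p.vifId(null).update();
        }
        if (p.getType().equals("InteriorRouter")) {
            p.unlink();
        }
        p.delete();
    }
    // Remove inbound and outbound filter chains: the router's own in/out
    // filters plus the CloudStack-named pre-filter and pre-NAT chains
    String routerName = getRouterName(isVpc, id);
    RuleChain pre = api.getChain(tenantRouter.getInboundFilterId());
    RuleChain preFilter = getChain(accountUuid, routerName, RuleChainCode.TR_PREFILTER);
    RuleChain preNat = getChain(accountUuid, routerName, RuleChainCode.TR_PRENAT);
    RuleChain post = api.getChain(tenantRouter.getOutboundFilterId());
    pre.delete();
    preFilter.delete();
    preNat.delete();
    post.delete();
    // Remove routes before the router itself
    for (Route r : tenantRouter.getRoutes(new MultivaluedMapImpl())) {
        r.delete();
    }
    tenantRouter.delete();
}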

Example 2 with RuleChain

use of org.midonet.client.resource.RuleChain in project cloudstack by apache.

In class MidoNetElement, method applyFWRules:

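/**
 * Applies (or revokes) CloudStack firewall rules on the tenant router's
 * pre-filter chain. Each rule is rendered to its string form by
 * {@link SimpleFirewallRule} and matched against the Jump rules already in
 * the chain, so revokes delete only what exists and adds do not create
 * duplicates. The rules are whitelist entries: a matching packet jumps to
 * the pre-NAT chain.
 *
 * @param config the guest network the rules belong to
 * @param rulesToApply rules in state Add or Revoke; rules in any other state are ignored
 * @return {@code false} when MidoNet is not the provider for this network;
 *         {@code true} otherwise, including when the Firewall service is not
 *         handled here (unchanged from the previous behaviour)
 * @throws ResourceUnavailableException declared by the interface contract
 */
@Override
public boolean applyFWRules(Network config, List<? extends FirewallRule> rulesToApply) throws ResourceUnavailableException {
    if (!midoInNetwork(config)) {
        return false;
    }
    if (!canHandle(config, Service.Firewall)) {
        // Not our service on this network: nothing to do, report success as before
        return true;
    }
    String accountIdStr = getAccountUuid(config);
    String networkUUIDStr = String.valueOf(config.getId());
    RuleChain preFilter = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_PREFILTER);
    RuleChain preNat = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_PRENAT);
    // Map of rule description -> rule for quicker lookups. Only the Jump rules
    // with a source address set are the "whitelist" entries we manage.
    Map<String, Rule> existingRules = new HashMap<String, Rule>();
    for (Rule existingRule : preFilter.getRules()) {
        if (existingRule.getType().equals(DtoRule.Jump) && existingRule.getNwSrcAddress() != null) {
            String ruleString = new SimpleFirewallRule(existingRule).toStringArray()[0];
            existingRules.put(ruleString, existingRule);
        }
    }
    for (FirewallRule rule : rulesToApply) {
        FirewallRule.State state = rule.getState();
        if (state != FirewallRule.State.Revoke && state != FirewallRule.State.Add) {
            continue;
        }
        IpAddress dstIp = _networkModel.getIp(rule.getSourceIpAddressId());
        FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, dstIp.getAddress().addr());
        // One string per source CIDR of the rule
        SimpleFirewallRule fwRule = new SimpleFirewallRule(ruleTO);
        String[] ruleStrings = fwRule.toStringArray();
        if (state == FirewallRule.State.Revoke) {
            // Delete every matching existing rule; drop it from the lookup map
            // too so a later Add in the same batch re-creates it instead of
            // treating the deleted rule as still present.
            for (String revokeRuleString : ruleStrings) {
                Rule foundRule = existingRules.remove(revokeRuleString);
                if (foundRule != null) {
                    foundRule.delete();
                }
            }
            continue;
        }
        // state == Add: create one MidoNet rule per source CIDR that is not present yet
        for (int i = 0; i < ruleStrings.length; i++) {
            if (existingRules.get(ruleStrings[i]) != null) {
                continue;
            }
            // ruleStrings[i] is taken to line up with sourceCidrs.get(i); both come
            // from the same SimpleFirewallRule, so the order is assumed to match
            String relatedCidr = fwRule.sourceCidrs.get(i);
            Pair<String, Integer> cidrParts = NetUtils.getCidr(relatedCidr);
            // Jump-to-preNat rule at the head of the chain (position 1), matching
            // source CIDR, the public IP as a /32 destination and the protocol
            Rule toApply = preFilter.addRule()
                    .type(DtoRule.Jump)
                    .jumpChainId(preNat.getId())
                    .position(1)
                    .nwSrcAddress(cidrParts.first())
                    .nwSrcLength(cidrParts.second())
                    .nwDstAddress(ruleTO.getSrcIp())
                    .nwDstLength(32)
                    .nwProto(SimpleFirewallRule.stringToProtocolNumber(rule.getProtocol()));
            if ("icmp".equals(rule.getProtocol())) {
                // (-1, -1) means "allow all ICMP", so we don't set tpSrc / tpDst.
                // Logical || instead of the bitwise | the original used on booleans.
                if (fwRule.icmpType != -1 || fwRule.icmpCode != -1) {
                    toApply.tpSrc(new DtoRange(fwRule.icmpType, fwRule.icmpType))
                           .tpDst(new DtoRange(fwRule.icmpCode, fwRule.icmpCode));
                }
            } else {
                toApply.tpDst(new DtoRange(fwRule.dstPortStart, fwRule.dstPortEnd));
            }
            toApply.create();
        }
    }
    return true;
}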

Example 3 with RuleChain

use of org.midonet.client.resource.RuleChain in project cloudstack by apache.

In class MidoNetElement, method resetEgressACLFilter:

/**
 * Puts the egress ACL chain of {@code network} back into its starting state.
 * Every rule currently in the chain is removed and a single Accept rule that
 * matches forward flows is installed in its place, so return traffic keeps
 * flowing. Meant to be called once all egress ACL rules have been deleted.
 *
 * @param network the network whose egress ACL chain is reset
 */
protected void resetEgressACLFilter(Network network) {
    boolean vpc = getIsVpc(network);
    String routerName = getRouterName(vpc, getRouterId(network, vpc));
    String networkIdStr = String.valueOf(network.getId());
    String accountUuid = getAccountUuid(network);
    RuleChain chain = getChain(networkIdStr, accountUuid, routerName, RuleChainCode.ACL_EGRESS);
    // Wipe whatever is in the chain right now
    for (Rule existing : chain.getRules()) {
        existing.delete();
    }
    // Single rule left behind: accept the return direction of established flows
    chain.addRule().type(DtoRule.Accept).matchForwardFlow(true).position(1).create();
}

Example 4 with RuleChain

use of org.midonet.client.resource.RuleChain in project cloudstack by apache.

In class MidoNetElement, method applyStaticNats:

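/**
 * From interface StaticNatServiceProvider.
 *
 * <p>Applies or revokes static NAT mappings for {@code network} on MidoNet.
 * The tenant router, the provider router ports and the three rule chains are
 * resolved lazily when the first rule is processed, so an empty rule list
 * creates and touches nothing.
 *
 * @param network the guest network that owns the public IPs
 * @param rules static NAT entries; those flagged for revoke are removed, all others added
 * @return {@code false} when MidoNet does not provide this network or the
 *         StaticNat service is not handled here, {@code true} otherwise
 * @throws ResourceUnavailableException declared by the interface contract
 */
@Override
public boolean applyStaticNats(Network network, List<? extends StaticNat> rules) throws ResourceUnavailableException {
    s_logger.debug("applyStaticNats called with network: " + network.toString());
    if (!midoInNetwork(network)) {
        return false;
    }
    if (!canHandle(network, Service.StaticNat)) {
        return false;
    }
    String accountIdStr = getAccountUuid(network);
    // Filled in on the first rule; see resourcesReady below
    boolean resourcesReady = false;
    Router tenantRouter = null;
    Router providerRouter = null;
    RouterPort tenantUplink = null;
    RouterPort providerDownlink = null;
    RuleChain preFilter = null;
    RuleChain preNat = null;
    RuleChain post = null;
    for (StaticNat rule : rules) {
        IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
        String sourceIpAddr = sourceIp.getAddress().addr();
        if (!resourcesReady) {
            tenantRouter = getOrCreateGuestNetworkRouter(network);
            providerRouter = api.getRouter(_providerRouterId);
            // [0] is the tenant side uplink, [1] the provider side downlink
            RouterPort[] ports = getOrCreateProviderRouterPorts(tenantRouter, providerRouter);
            tenantUplink = ports[0];
            providerDownlink = ports[1];
            boolean isVpc = getIsVpc(network);
            long id = getRouterId(network, isVpc);
            String routerName = getRouterName(isVpc, id);
            preFilter = getChain(accountIdStr, routerName, RuleChainCode.TR_PREFILTER);
            preNat = getChain(accountIdStr, routerName, RuleChainCode.TR_PRENAT);
            post = api.getChain(tenantRouter.getOutboundFilterId());
            resourcesReady = true;
        }
        if (rule.isForRevoke()) {
            removeMidonetStaticNAT(preFilter, preNat, post, sourceIpAddr, rule.getDestIpAddress(), providerRouter);
        } else {
            addMidonetStaticNAT(preFilter, preNat, post, sourceIpAddr, rule.getDestIpAddress(), tenantUplink, providerDownlink, providerRouter, network);
        }
    }
    return true;
}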

Example 5 with RuleChain

use of org.midonet.client.resource.RuleChain in project cloudstack by apache.

In class MidoNetElement, method getOrInitEgressACLFilter:

/**
 * Returns the egress ACL chain for {@code network}, initialising it when it
 * holds no user rules yet. A user rule is recognised by a non-zero nwProto;
 * if at least one exists the chain is returned untouched. Otherwise every
 * rule in the chain (placeholders) is deleted and the baseline is written:
 * accept ARP, accept ICMP addressed to the network gateway, drop the rest.
 *
 * @param network the network whose egress ACL chain is requested
 * @return the egress chain, freshly initialised if needed
 */
protected RuleChain getOrInitEgressACLFilter(Network network) {
    boolean vpc = getIsVpc(network);
    String routerName = getRouterName(vpc, getRouterId(network, vpc));
    RuleChain chain = getChain(String.valueOf(network.getId()), getAccountUuid(network), routerName, RuleChainCode.ACL_EGRESS);
    // User-set rules carry a protocol; count those to decide whether init is needed
    int userRules = 0;
    for (Rule existing : chain.getRules()) {
        userRules += (existing.getNwProto() != 0) ? 1 : 0;
    }
    if (userRules > 0) {
        // Already populated by the user, leave it as is
        return chain;
    }
    // Only placeholder rules present: clear them before writing the baseline
    for (Rule placeholder : chain.getRules()) {
        placeholder.delete();
    }
    int position = 1;
    // ARP (ethertype 0x0806) is always accepted
    chain.addRule().type(DtoRule.Accept).dlType(0x0806).position(position++).create();
    // ICMP to the router's gateway address (/32) is accepted
    chain.addRule().type(DtoRule.Accept)
            .nwProto(SimpleFirewallRule.stringToProtocolNumber("icmp"))
            .nwDstAddress(network.getGateway())
            .nwDstLength(32)
            .position(position++)
            .create();
    // Anything else is dropped
    chain.addRule().type(DtoRule.Drop).position(position).create();
    return chain;
}
