Posted to commits@cloudstack.apache.org by ja...@apache.org on 2013/06/24 11:22:15 UTC

[1/6] git commit: updated refs/heads/network_acl to 9a5912a

Updated Branches:
  refs/heads/master-6-17-stable f00ebad1c -> 4f7506264
  refs/heads/network_acl 0396ef9c2 -> 9a5912a3f


CLOUDSTACK-2364: fixed private gateway creation in VPC - the vnet for the private gateway network is not stored in data_center_vnet table


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/9a5912a3
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/9a5912a3
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/9a5912a3

Branch: refs/heads/network_acl
Commit: 9a5912a3f0dbb045e73391301d78a7ee33a6d630
Parents: 0396ef9
Author: Alena Prokharchyk <al...@citrix.com>
Authored: Tue May 7 13:02:29 2013 -0700
Committer: Jayapal <ja...@citrix.com>
Committed: Thu May 9 11:00:56 2013 +0530

----------------------------------------------------------------------
 .../com/cloud/network/NetworkManagerImpl.java   | 39 +++++++++++---------
 1 file changed, 22 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9a5912a3/server/src/com/cloud/network/NetworkManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index 7d349fd..73ec160 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -2005,23 +2005,28 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
                 if (_networksDao.countByZoneAndUri(zoneId, uri) > 0) {
                     throw new InvalidParameterValueException("Network with vlan " + vlanId + " already exists in zone " + zoneId);
                 } else {
-                    DataCenterVnetVO dcVnet = _datacenterVnetDao.findVnet(zoneId, vlanId.toString()).get(0);
-                    // Fail network creation if specified vlan is dedicated to a different account
-                    if (dcVnet.getAccountGuestVlanMapId() != null) {
-                        Long accountGuestVlanMapId = dcVnet.getAccountGuestVlanMapId();
-                        AccountGuestVlanMapVO map = _accountGuestVlanMapDao.findById(accountGuestVlanMapId);
-                        if (map.getAccountId() != owner.getAccountId()) {
-                            throw new InvalidParameterValueException("Vlan " + vlanId + " is dedicated to a different account");
-                        }
-                    // Fail network creation if owner has a dedicated range of vlans but the specified vlan belongs to the system pool
-                    } else {
-                        List<AccountGuestVlanMapVO> maps = _accountGuestVlanMapDao.listAccountGuestVlanMapsByAccount(owner.getAccountId());
-                        if (maps != null && !maps.isEmpty()) {
-                            int vnetsAllocatedToAccount = _datacenterVnetDao.countVnetsAllocatedToAccount(zoneId, owner.getAccountId());
-                            int vnetsDedicatedToAccount = _datacenterVnetDao.countVnetsDedicatedToAccount(zoneId, owner.getAccountId());
-                            if (vnetsAllocatedToAccount < vnetsDedicatedToAccount) {
-                                throw new InvalidParameterValueException("Specified vlan " + vlanId + " doesn't belong" +
-                                        " to the vlan range dedicated to the owner "+ owner.getAccountName());
+                    List<DataCenterVnetVO> dcVnets = _datacenterVnetDao.findVnet(zoneId, vlanId.toString());
+                    //for the network that is created as part of private gateway,
+                    //the vnet is not coming from the data center vnet table, so the list can be empty
+                    if (!dcVnets.isEmpty()) {
+                        DataCenterVnetVO dcVnet = dcVnets.get(0);
+                        // Fail network creation if specified vlan is dedicated to a different account
+                        if (dcVnet.getAccountGuestVlanMapId() != null) {
+                            Long accountGuestVlanMapId = dcVnet.getAccountGuestVlanMapId();
+                            AccountGuestVlanMapVO map = _accountGuestVlanMapDao.findById(accountGuestVlanMapId);
+                            if (map.getAccountId() != owner.getAccountId()) {
+                                throw new InvalidParameterValueException("Vlan " + vlanId + " is dedicated to a different account");
+                            }
+                        // Fail network creation if owner has a dedicated range of vlans but the specified vlan belongs to the system pool
+                        } else {
+                            List<AccountGuestVlanMapVO> maps = _accountGuestVlanMapDao.listAccountGuestVlanMapsByAccount(owner.getAccountId());
+                            if (maps != null && !maps.isEmpty()) {
+                                int vnetsAllocatedToAccount = _datacenterVnetDao.countVnetsAllocatedToAccount(zoneId, owner.getAccountId());
+                                int vnetsDedicatedToAccount = _datacenterVnetDao.countVnetsDedicatedToAccount(zoneId, owner.getAccountId());
+                                if (vnetsAllocatedToAccount < vnetsDedicatedToAccount) {
+                                    throw new InvalidParameterValueException("Specified vlan " + vlanId + " doesn't belong" +
+                                            " to the vlan range dedicated to the owner "+ owner.getAccountName());
+                                }
                             }
                         }
                     }
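Review bot: An empty `findVnet()` result now skips every dedicated-VLAN check, not only for the private-gateway network the new comment describes: any `vlanId` with no row in data_center_vnet falls through without the "dedicated to a different account" and "belongs to the system pool" validations. If ordinary guest-network creation can reach this branch with a caller-supplied VLAN (the enclosing method starts and ends outside the hunk, so I cannot tell), the safer shape is to have the private-gateway path state that case explicitly, for example a boolean parameter it sets, rather than inferring it from the empty lookup. At minimum log the skipped check, `s_logger.debug("No vnet record for vlan " + vlanId + " in zone " + zoneId + ", skipping dedicated vlan checks");`, so an unexpected bypass is visible in the management-server log. Separately, `_accountGuestVlanMapDao.findById(accountGuestVlanMapId)` is dereferenced on the next line without a null check, which was also true before the change.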


[3/6] git commit: updated refs/heads/master-6-17-stable to 4f75062

Posted by ja...@apache.org.
CLOUDSTACK-1578 vmware: Egress default policy configurable using network offering on vmware


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/50724d4d
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/50724d4d
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/50724d4d

Branch: refs/heads/master-6-17-stable
Commit: 50724d4dfc98ac17567ac45bf59a3c0c6e2ea70c
Parents: 07034b6
Author: Jayapal <ja...@apache.org>
Authored: Thu Jun 20 16:31:01 2013 +0530
Committer: Jayapal <ja...@apache.org>
Committed: Mon Jun 24 14:30:23 2013 +0530

----------------------------------------------------------------------
 .../com/cloud/hypervisor/vmware/resource/VmwareResource.java | 8 ++++++++
 1 file changed, 8 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/50724d4d/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
index 1af4239..20e02b2 100755
--- a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
+++ b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
@@ -743,12 +743,20 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
         String[] results = new String[cmd.getRules().length];
         FirewallRuleTO[] allrules = cmd.getRules();
         FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
+        String egressDefault = cmd.getAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT);
 
         String[][] rules = cmd.generateFwRules();
         String args = "";
         args += " -F ";
         if (trafficType == FirewallRule.TrafficType.Egress){
             args+= " -E ";
+            if (egressDefault.equals("true")) {
+                args+= " -P 1 ";
+            } else if (egressDefault.equals("System")) {
+                args+= " -P 2 ";
+            } else {
+                args+= " -P 0 ";
+            }
         }
 
         StringBuilder sb = new StringBuilder();
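Review bot: `egressDefault.equals("true")` dereferences the access detail before checking it, so a command that carries no FIREWALL_EGRESS_DEFAULT value (an older management server, or a path that never sets it) fails with a NullPointerException instead of taking the `-P 0` branch. Flip the comparisons to the literal, `if ("true".equals(egressDefault)) {` and `} else if ("System".equals(egressDefault)) {`, so a missing detail reaches the default branch; the VirtualRoutingResource hunk in commit 95ee2854 has the same pattern. A one-line comment saying what `-P 0`, `-P 1` and `-P 2` mean to the router script would help the next reader, since the hunk gives only the mapping from the detail string. The enclosing method starts outside the hunk.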


[4/6] git commit: updated refs/heads/master-6-17-stable to 4f75062

Posted by ja...@apache.org.
CLOUDSTACK-1578 kvm: Egress default policy configurable using network offering on kvm


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/95ee2854
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/95ee2854
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/95ee2854

Branch: refs/heads/master-6-17-stable
Commit: 95ee2854a84a102d7375b12e5bf51c196d4c07ba
Parents: 50724d4
Author: Jayapal <ja...@apache.org>
Authored: Thu Jun 20 16:32:11 2013 +0530
Committer: Jayapal <ja...@apache.org>
Committed: Mon Jun 24 14:30:23 2013 +0530

----------------------------------------------------------------------
 .../resource/virtualnetwork/VirtualRoutingResource.java      | 8 ++++++++
 1 file changed, 8 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/95ee2854/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
----------------------------------------------------------------------
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
index dae1c85..4f0ccec 100755
--- a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
@@ -224,6 +224,7 @@ public class VirtualRoutingResource implements Manager {
             results[i] = "Failed";
         }
         String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
+        String egressDefault = cmd.getAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT);
 
         if (routerIp == null) {
             return new SetFirewallRulesAnswer(cmd, false, results);
@@ -239,6 +240,13 @@ public class VirtualRoutingResource implements Manager {
         
         if (trafficType == FirewallRule.TrafficType.Egress){
             command.add("-E");
+            if (egressDefault.equals("true")) {
+                command.add("-P ", "1");
+            } else if (egressDefault.equals("System")) {
+                command.add("-P ", "2");
+            } else {
+                command.add("-P ", "0");
+            }
         }
 
         StringBuilder sb = new StringBuilder();
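Review bot: `command.add("-P ", "1")` passes `"-P "` with a trailing space as its own argument; if `command` is a Script-style argument list (its declaration is outside the hunk), the router-side script receives a token that is literally `-P ` plus a space, which a getopt-style parser may not recognise as the `-P` option. The VMware hunk in 50724d4d builds the same option as ` -P 1 ` inside a single string where the spaces are separators, whereas here they become part of the argument. Use `command.add("-P", "1");` and the same for the `"2"` and `"0"` branches. The null-safety of `egressDefault` is the point already raised on the VMware hunk.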


[6/6] git commit: updated refs/heads/master-6-17-stable to 4f75062

Posted by ja...@apache.org.
CLOUDSTACK-1578 SRX: Egress default policy configurable using network offering on SRX firewall


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/07034b62
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/07034b62
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/07034b62

Branch: refs/heads/master-6-17-stable
Commit: 07034b620620d084ee50810ba986d1b15fa16e9b
Parents: 32b43d2
Author: Jayapal <ja...@apache.org>
Authored: Thu Jun 20 16:28:09 2013 +0530
Committer: Jayapal <ja...@apache.org>
Committed: Mon Jun 24 14:30:23 2013 +0530

----------------------------------------------------------------------
 .../com/cloud/agent/api/to/FirewallRuleTO.java  | 19 ++++-
 .../network/resource/JuniperSrxResource.java    | 86 ++++++++++++++------
 scripts/network/juniper/security-policy-add.xml |  3 +-
 .../ExternalFirewallDeviceManagerImpl.java      | 24 ++----
 4 files changed, 86 insertions(+), 46 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/07034b62/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/agent/api/to/FirewallRuleTO.java b/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
index f296aa4..29d9c6f 100644
--- a/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
+++ b/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
@@ -53,6 +53,9 @@ public class FirewallRuleTO implements InternalIdentity {
     private Integer icmpType;
     private Integer icmpCode;
     private FirewallRule.TrafficType trafficType;
+    private String guestCidr;
+    private boolean defaultEgressPolicy;
+    private FirewallRule.FirewallRuleType type;
 
     protected FirewallRuleTO() {
     }
@@ -110,9 +113,12 @@ public class FirewallRuleTO implements InternalIdentity {
         this(rule.getId(),srcVlanTag, srcIp, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), revokeState, alreadyAdded, purpose,rule.getSourceCidrList(),rule.getIcmpType(),rule.getIcmpCode());
     }
 
-    public FirewallRuleTO(FirewallRule rule, String guestVlanTag, FirewallRule.TrafficType trafficType) {
+    public FirewallRuleTO(FirewallRule rule, String guestVlanTag, FirewallRule.TrafficType trafficType, String guestCidr, boolean defaultEgressPolicy, FirewallRule.FirewallRuleType type) {
         this(rule.getId(), guestVlanTag, null, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getState()==State.Revoke, rule.getState()==State.Active, rule.getPurpose(), rule.getSourceCidrList(), rule.getIcmpType(), rule.getIcmpCode());
         this.trafficType = trafficType;
+        this.defaultEgressPolicy = defaultEgressPolicy;
+        this.guestCidr = guestCidr;
+        this.type = type;
     }
 
     public FirewallRule.TrafficType getTrafficType(){
@@ -170,4 +176,15 @@ public class FirewallRuleTO implements InternalIdentity {
         return purpose;
     }
 
+    public boolean isDefaultEgressPolicy() {
+        return defaultEgressPolicy;
+    }
+
+    public String getGuestCidr() {
+        return guestCidr;
+    }
+
+    public FirewallRule.FirewallRuleType getType() {
+        return type;
+    }
 }
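Review bot: The three new accessors have no Javadoc, and `isDefaultEgressPolicy()` needs it most because the name does not say which way the flag reads: in the JuniperSrxResource change of this same commit a `true` value turns the user rules into `<deny>` entries and adds a separate permit-all default policy. Suggest `/** Network-offering egress default: {@code true} means egress is allowed unless a rule blocks it, {@code false} means egress is blocked unless a rule allows it. */` on `isDefaultEgressPolicy()`, and a one-liner on `getGuestCidr()` noting it is the guest-network CIDR used as the source address of the default egress policy, which is how the SRX hunk consumes it.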

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/07034b62/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java b/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java
index fd065d5..3d3d797 100644
--- a/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java
+++ b/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java
@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.io.StringReader;
+import java.lang.String;
 import java.net.Socket;
 import java.net.SocketTimeoutException;
 import java.util.ArrayList;
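Review bot: `import java.lang.String;` is redundant, since every `java.lang` type is imported implicitly, and nothing else in the commit needs it. Drop the line so the import block stays free of noise.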
@@ -321,7 +322,8 @@ public class JuniperSrxResource implements ServerResource {
         STATIC_NAT("staticnat"),
         DESTINATION_NAT("destnat"),
         VPN("vpn"),
-        SECURITYPOLICY_EGRESS("egress");
+        SECURITYPOLICY_EGRESS("egress"),
+        SECURITYPOLICY_EGRESS_DEFAULT("egress-default");
 
         private String identifier;
 
@@ -828,15 +830,37 @@ public class JuniperSrxResource implements ServerResource {
             if (rules[0].getTrafficType() == FirewallRule.TrafficType.Egress) {
                 Map<String, ArrayList<FirewallRuleTO>> activeRules = getActiveFirewallEgressRules(rules);
                 Set<String> guestVlans = activeRules.keySet();
-                List<String> cidrs = new ArrayList();
+               // List<String> cidrs = new ArrayList();
+                boolean defaultEgressPolicy = rules[0].isDefaultEgressPolicy();
+                FirewallRule.FirewallRuleType type = rules[0].getType();
+                //getting
+                String guestCidr = rules[0].getGuestCidr();
 
                 for (String guestVlan : guestVlans) {
                     List<FirewallRuleTO> activeRulesForGuestNw = activeRules.get(guestVlan);
 
-                    removeEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS, guestVlan, extractCidrs(activeRulesForGuestNw));
-                    if (activeRulesForGuestNw.size() > 0) {
-                        addEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS, guestVlan, extractApplications(activeRulesForGuestNw), extractCidrs(activeRulesForGuestNw));
+                    removeEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS, guestVlan, extractCidrs(activeRulesForGuestNw), defaultEgressPolicy);
+                    if (activeRulesForGuestNw.size() > 0 && type == FirewallRule.FirewallRuleType.User) {
+                        addEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS, guestVlan, extractApplications(activeRulesForGuestNw), extractCidrs(activeRulesForGuestNw), defaultEgressPolicy);
                     }
+
+                    List<Object[]> applications = new ArrayList<Object[]>();
+                    Object[] application = new Object[3];
+                    application[0] = Protocol.all;
+                    application[1] = NetUtils.PORT_RANGE_MIN;
+                    application[2] = NetUtils.PORT_RANGE_MAX;
+                    applications.add(application);
+
+                    List<String> cidrs = new ArrayList<String>();
+                    cidrs.add(guestCidr);
+                    //remove required with out comparing default policy  because in upgrade network offering we may required to delete
+                    // the previously added rule
+                    removeEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT, guestVlan, cidrs, false);
+                    if (defaultEgressPolicy == true) {
+                        //add default egress security policy
+                        addEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT, guestVlan, applications, cidrs, false);
+                    }
+
                 }
                 commitConfiguration();
             } else {
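Review bot: The default policy, rule type and guest CIDR are read once from `rules[0]` (the `isDefaultEgressPolicy()`, `getType()` and `getGuestCidr()` lines) and then applied to every `guestVlan` in the loop; if one SetFirewallRulesCommand can carry rules for more than one guest network, as the per-VLAN `activeRules` map suggests, the first network's CIDR becomes the source address of every other network's default egress policy. Reading those three values from the first element of `activeRulesForGuestNw` inside the loop, after a non-empty check, keeps each VLAN's values together; I cannot confirm from the hunk whether multi-network commands occur. Independently, the hunk leaves a commented-out line `// List<String> cidrs = new ArrayList();` and a bare `//getting` comment that should be removed, and `if (defaultEgressPolicy == true)` reads better as `if (defaultEgressPolicy)`. The enclosing method continues outside the hunk.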
@@ -1046,7 +1070,7 @@ public class JuniperSrxResource implements ServerResource {
 		
 		// Delete all security policies
 		for (String securityPolicyName : getVpnObjectNames(SrxXml.SECURITY_POLICY_GETALL, accountId)) {
-            manageSecurityPolicy(SecurityPolicyType.VPN, SrxCommand.DELETE, accountId, null, null, null, null, securityPolicyName);
+            manageSecurityPolicy(SecurityPolicyType.VPN, SrxCommand.DELETE, accountId, null, null, null, null, securityPolicyName, false);
 		}
 		
 		// Delete all address book entries 
@@ -1118,7 +1142,7 @@ public class JuniperSrxResource implements ServerResource {
     			manageAddressBookEntry(srxCmd, _privateZone , guestNetworkCidr, ipsecVpnName);
     			
     			// Security policy
-                manageSecurityPolicy(SecurityPolicyType.VPN, srxCmd, null, null, guestNetworkCidr, null, null, ipsecVpnName);
+                manageSecurityPolicy(SecurityPolicyType.VPN, srxCmd, null, null, guestNetworkCidr, null, null, ipsecVpnName, false);
     		}
     		
     		commitConfiguration();
@@ -2511,7 +2535,7 @@ public class JuniperSrxResource implements ServerResource {
         if (protocol.equals(Protocol.any)) {
             return Protocol.any.toString();
         } else {
-            if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) {
+            if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS) || type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT)) {
                 return genObjectName(type.getIdentifier(), protocol.toString(), String.valueOf(startPort), String.valueOf(endPort));
             } else {
                 return genObjectName(protocol.toString(), String.valueOf(startPort), String.valueOf(endPort));
@@ -2528,7 +2552,7 @@ public class JuniperSrxResource implements ServerResource {
         Integer endPort;
         int offset = 0;
         try {
-            offset = type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS) ? 1 : 0;
+            offset = (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS) || type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT))? 1 : 0;
             protocol = getProtocol(applicationComponents[offset + 0]);
             startPort = Integer.parseInt(applicationComponents[offset + 1]);
             endPort = Integer.parseInt(applicationComponents[offset + 2]);
@@ -2694,7 +2718,7 @@ public class JuniperSrxResource implements ServerResource {
         }    		    
     }
 
-    private boolean manageSecurityPolicy(SecurityPolicyType type, SrxCommand command, Long accountId, String username, String privateIp, List<String> applicationNames, List<String> cidrs, String ipsecVpnName) throws ExecutionException {
+    private boolean manageSecurityPolicy(SecurityPolicyType type, SrxCommand command, Long accountId, String username, String privateIp, List<String> applicationNames, List<String> cidrs, String ipsecVpnName, boolean defaultEgressAction) throws ExecutionException {
         String fromZone = _publicZone;
         String toZone = _privateZone;
         
@@ -2704,7 +2728,7 @@ public class JuniperSrxResource implements ServerResource {
         if (type.equals(SecurityPolicyType.VPN) && ipsecVpnName != null) {
             securityPolicyName = ipsecVpnName;
             addressBookEntryName = ipsecVpnName;
-        } else if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) {
+        } else if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS) || type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT)) {
             fromZone = _privateZone;
             toZone = _publicZone;
             securityPolicyName = genSecurityPolicyName(type, accountId, username, fromZone, toZone, privateIp);
@@ -2748,7 +2772,7 @@ public class JuniperSrxResource implements ServerResource {
             return false;
 
         case ADD:
-            if (!type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) {
+            if (!(type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS) || type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT))) {
                 if (!manageAddressBookEntry(SrxCommand.CHECK_IF_EXISTS, toZone, privateIp, addressBookEntryName)) {
                     throw new ExecutionException("No address book entry for policy: " + securityPolicyName);
                 }
@@ -2756,9 +2780,10 @@ public class JuniperSrxResource implements ServerResource {
 
             String srcAddrs = "";
             String dstAddrs = "";
+            String action = "";
             xml = SrxXml.SECURITY_POLICY_ADD.getXml();
             xml = replaceXmlValue(xml, "policy-name", securityPolicyName);
-            if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) {
+            if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS) || type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT)) {
                 xml = replaceXmlValue(xml, "from-zone", _privateZone);
                 xml = replaceXmlValue(xml, "to-zone", _publicZone);
                 if (cidrs == null) {
@@ -2771,6 +2796,13 @@ public class JuniperSrxResource implements ServerResource {
                 xml = replaceXmlValue(xml, "src-address", srcAddrs);
                 dstAddrs = "<destination-address>any</destination-address>";
                 xml = replaceXmlValue(xml, "dst-address", dstAddrs);
+                if (defaultEgressAction == true) {
+                    //configure block rules and default allow the traffic
+                    action = "<deny></deny>";
+                } else {
+                    action = "<permit></permit>";
+                }
+                xml = replaceXmlValue(xml, "action", action);
             } else {
                 xml = replaceXmlValue(xml, "from-zone", fromZone);
                 xml = replaceXmlValue(xml, "to-zone", toZone);
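Review bot: The new `if (defaultEgressAction == true)` branch emits `<deny></deny>` while its comment says "default allow the traffic", which reads as a contradiction until one knows the flag describes the network's default rather than this policy's action. A rename is outside this hunk, so at least reword the comment, e.g. `// defaultEgressAction is the network's egress default: when it is allow-by-default, the explicit rules become deny entries and the permit-all default policy is added separately`, and write the test as `if (defaultEgressAction) {`. The enclosing `manageSecurityPolicy` starts and ends outside the hunk.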
@@ -2781,9 +2813,13 @@ public class JuniperSrxResource implements ServerResource {
             }
 
             if (type.equals(SecurityPolicyType.VPN) && ipsecVpnName != null) {
-            	xml = replaceXmlValue(xml, "tunnel", "<tunnel><ipsec-vpn>" + ipsecVpnName + "</ipsec-vpn></tunnel>");
+                xml = replaceXmlValue(xml, "tunnel", "<permit><tunnel><ipsec-vpn>" + ipsecVpnName + "</ipsec-vpn></tunnel></permit>");
             } else {      	
             	xml = replaceXmlValue(xml, "tunnel", "");
+                if (!(type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS_DEFAULT) || type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS))) {
+                    action = "<permit></permit>";
+                    xml = replaceXmlValue(xml, "action", action);
+                }
             }
                         
             String applications;
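Review bot: The VPN branch (`if (type.equals(SecurityPolicyType.VPN) && ipsecVpnName != null)`) now wraps the tunnel in `<permit>…</permit>` but never substitutes `%action%`, which this commit introduces into scripts/network/juniper/security-policy-add.xml in place of the fixed `<permit>` element; unless `replaceXmlValue(xml, "action", …)` is called for that path somewhere outside the hunk, the VPN policy XML sent to the device still contains the literal `%action%` token. Add `xml = replaceXmlValue(xml, "action", "");` inside the VPN branch next to the tunnel replacement. The egress branch in the preceding hunk (@@ -2771) and the non-VPN else branch here both set the action explicitly, so only the VPN path is affected. The enclosing method continues outside the hunk.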
@@ -2805,11 +2841,11 @@ public class JuniperSrxResource implements ServerResource {
             }
 
         case DELETE:
-            if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp, applicationNames, cidrs, ipsecVpnName)) {
+            if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp, applicationNames, cidrs, ipsecVpnName, defaultEgressAction)) {
                 return true;
             }
 
-            if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp, applicationNames, cidrs, ipsecVpnName)) {
+            if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp, applicationNames, cidrs, ipsecVpnName, defaultEgressAction)) {
                 return true;
             }
 
@@ -2874,17 +2910,17 @@ public class JuniperSrxResource implements ServerResource {
         }
 
         // Add a new security policy
-        manageSecurityPolicy(type, SrxCommand.ADD, null, null, privateIp, applicationNames, null, null);
+        manageSecurityPolicy(type, SrxCommand.ADD, null, null, privateIp, applicationNames, null, null, false);
 
         return true;
     }
 
     private boolean removeSecurityPolicyAndApplications(SecurityPolicyType type, String privateIp) throws ExecutionException {
-        if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp, null,null, null)) {
+        if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp, null,null, null, false)) {
             return true;
         }
 
-        if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp, null, null, null)) {
+        if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp, null, null, null, false)) {
             return true;
         }
 
@@ -2892,7 +2928,7 @@ public class JuniperSrxResource implements ServerResource {
         List<String> applications = getApplicationsForSecurityPolicy(type, privateIp, _publicZone, _privateZone);
 
         // Remove the security policy
-        manageSecurityPolicy(type, SrxCommand.DELETE, null, null, privateIp, null, null, null);
+        manageSecurityPolicy(type, SrxCommand.DELETE, null, null, privateIp, null, null, null, false);
 
         // Remove any applications for the removed security policy that are no longer in use
         List<String> unusedApplications = getUnusedApplications(applications, _publicZone, _privateZone);
@@ -2916,8 +2952,8 @@ public class JuniperSrxResource implements ServerResource {
     }
 
 
-    private boolean removeEgressSecurityPolicyAndApplications(SecurityPolicyType type, String guestVlan, List <String> cidrs) throws ExecutionException {
-        if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, guestVlan, null, cidrs, null)) {
+    private boolean removeEgressSecurityPolicyAndApplications(SecurityPolicyType type, String guestVlan, List <String> cidrs, boolean defaultEgressAction) throws ExecutionException {
+        if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, guestVlan, null, cidrs, null, defaultEgressAction)) {
             return true;
         }
         // Get a list of applications for this security policy
@@ -2925,7 +2961,7 @@ public class JuniperSrxResource implements ServerResource {
         applications = getApplicationsForSecurityPolicy(type, guestVlan, _privateZone, _publicZone);
 
         // Remove the security policy even if it is in use
-        manageSecurityPolicy(type, SrxCommand.DELETE, null, null, guestVlan, null, cidrs, null);
+        manageSecurityPolicy(type, SrxCommand.DELETE, null, null, guestVlan, null, cidrs, null, defaultEgressAction);
 
         // Remove any applications for the removed security policy that are no longer in use
         List<String> unusedApplications;
@@ -2953,7 +2989,7 @@ public class JuniperSrxResource implements ServerResource {
         return true;
     }
 
-    private boolean addEgressSecurityPolicyAndApplications(SecurityPolicyType type, String guestVlan, List<Object[]> applications, List <String> cidrs) throws ExecutionException {
+    private boolean addEgressSecurityPolicyAndApplications(SecurityPolicyType type, String guestVlan, List<Object[]> applications, List <String> cidrs, boolean defaultEgressAction) throws ExecutionException {
         // Add all necessary applications
         List<String> applicationNames = new ArrayList<String>();
         for (Object[] application : applications) {
@@ -2975,7 +3011,7 @@ public class JuniperSrxResource implements ServerResource {
             }
 
         // Add a new security policy
-        manageSecurityPolicy(type, SrxCommand.ADD, null, null, guestVlan, applicationNames, cidrs, null);
+        manageSecurityPolicy(type, SrxCommand.ADD, null, null, guestVlan, applicationNames, cidrs, null, defaultEgressAction);
         s_logger.debug("Added Egress firewall rule for guest network " + guestVlan);
         return true;
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/07034b62/scripts/network/juniper/security-policy-add.xml
----------------------------------------------------------------------
diff --git a/scripts/network/juniper/security-policy-add.xml b/scripts/network/juniper/security-policy-add.xml
index 595e026..2e5a7d0 100644
--- a/scripts/network/juniper/security-policy-add.xml
+++ b/scripts/network/juniper/security-policy-add.xml
@@ -32,9 +32,8 @@ under the License.
 %applications%
 </match>
 <then>
-<permit>
+%action%
 %tunnel%
-</permit>
 <count>
 </count>
 </then>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/07034b62/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java b/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java
index 9b190aa..4f5a2d5 100644
--- a/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java
+++ b/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java
@@ -26,6 +26,8 @@ import java.util.Map;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import com.cloud.network.dao.*;
+import com.cloud.offerings.NetworkOfferingVO;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.response.ExternalFirewallResponse;
 import org.apache.cloudstack.network.ExternalNetworkDeviceManager.NetworkDevice;
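Review bot: `import com.cloud.network.dao.*;` replaces seventeen explicit imports (removed in the next hunk, @@ -65,23) with a wildcard, and both new lines are placed in the org.apache group instead of the com.cloud group below, which looks like an IDE import rewrite rather than something the change needs. Keep the explicit imports, add only the new dao type the change uses (`import com.cloud.network.dao.NetworkVO;`, assuming that is where NetworkVO lives), and move `import com.cloud.offerings.NetworkOfferingVO;` into the com.cloud block.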
@@ -65,23 +67,6 @@ import com.cloud.host.HostVO;
 import com.cloud.host.dao.HostDao;
 import com.cloud.host.dao.HostDetailsDao;
 import com.cloud.network.Networks.TrafficType;
-import com.cloud.network.dao.ExternalFirewallDeviceDao;
-import com.cloud.network.dao.ExternalFirewallDeviceVO;
-import com.cloud.network.dao.FirewallRulesDao;
-import com.cloud.network.dao.IPAddressDao;
-import com.cloud.network.dao.IPAddressVO;
-import com.cloud.network.dao.InlineLoadBalancerNicMapDao;
-import com.cloud.network.dao.InlineLoadBalancerNicMapVO;
-import com.cloud.network.dao.LoadBalancerDao;
-import com.cloud.network.dao.NetworkDao;
-import com.cloud.network.dao.NetworkExternalFirewallDao;
-import com.cloud.network.dao.NetworkExternalFirewallVO;
-import com.cloud.network.dao.NetworkServiceMapDao;
-import com.cloud.network.dao.PhysicalNetworkDao;
-import com.cloud.network.dao.PhysicalNetworkServiceProviderDao;
-import com.cloud.network.dao.PhysicalNetworkServiceProviderVO;
-import com.cloud.network.dao.PhysicalNetworkVO;
-import com.cloud.network.dao.VpnUserDao;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.FirewallRuleVO;
@@ -538,6 +523,9 @@ public abstract class ExternalFirewallDeviceManagerImpl extends AdapterBase impl
         }
 
         List<FirewallRuleTO> rulesTO = new ArrayList<FirewallRuleTO>();
+        NetworkVO networkVO = _networkDao.findById(network.getId());
+        NetworkOfferingVO offering = _networkOfferingDao.findById(networkVO.getNetworkOfferingId());
+        Boolean defaultEgressPolicy = offering.getEgressDefaultPolicy();
 
         for (FirewallRule rule : rules) {
             if (rule.getSourceCidrList() == null && (rule.getPurpose() == Purpose.Firewall || rule.getPurpose() == Purpose.NetworkACL)) {
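Review bot: `networkVO` and `offering` are dereferenced straight after the two `findById` lookups, so a network whose row or network offering is missing surfaces as a NullPointerException in the middle of rule application rather than as a clear error; a guard such as `if (networkVO == null || offering == null) { throw new InvalidParameterValueException("Network or its offering not found for network id " + network.getId()); }` before the loop would make the failure explicit. `Boolean defaultEgressPolicy` boxes the primitive `boolean` that the new `NetworkOffering.getEgressDefaultPolicy()` returns; `boolean` is enough here. I cannot see whether `_networkOfferingDao` is already injected in this class, since the surrounding method and the field declarations are outside the hunk, so please confirm it compiles without a further change.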
@@ -547,7 +535,7 @@ public abstract class ExternalFirewallDeviceManagerImpl extends AdapterBase impl
             if (rule.getPurpose() == Purpose.Firewall && rule.getTrafficType() == FirewallRule.TrafficType.Egress) {
                 String guestVlanTag = network.getBroadcastUri().getHost();
                 String guestCidr = network.getCidr();
-                ruleTO = new FirewallRuleTO(rule, guestVlanTag, rule.getTrafficType());
+                ruleTO = new FirewallRuleTO(rule, guestVlanTag, rule.getTrafficType(), guestCidr, defaultEgressPolicy, rule.getType());
             } else {
                 IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
                 Vlan vlan = _vlanDao.findById(sourceIp.getVlanId());


[5/6] git commit: updated refs/heads/master-6-17-stable to 4f75062

Posted by ja...@apache.org.
CLOUDSTACK-3148: failed to create private gateway with default ACL id


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/4f750626
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/4f750626
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/4f750626

Branch: refs/heads/master-6-17-stable
Commit: 4f75062648da8e56bd53aaddefd2798eca7293f3
Parents: 95ee285
Author: Jayapal <ja...@apache.org>
Authored: Mon Jun 24 12:56:27 2013 +0530
Committer: Jayapal <ja...@apache.org>
Committed: Mon Jun 24 14:30:23 2013 +0530

----------------------------------------------------------------------
 server/src/com/cloud/network/vpc/VpcManagerImpl.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4f750626/server/src/com/cloud/network/vpc/VpcManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
index fb9e9b7..93413b4 100644
--- a/server/src/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
@@ -1389,7 +1389,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
             if ( aclVO == null) {
                 throw new InvalidParameterValueException("Invalid network acl id passed ");
             }
-            if (aclVO.getVpcId() != vpcId ) {
+            if ((aclVO.getVpcId() != vpcId) && !(aclId == NetworkACL.DEFAULT_DENY || aclId == NetworkACL.DEFAULT_ALLOW)) {
                 throw new InvalidParameterValueException("Private gateway and network acl are not in the same vpc");
             }
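Review bot: `aclVO.getVpcId() != vpcId` on the changed line compares with `!=`; if `getVpcId()` returns a boxed `Long` (likely, since the default ACLs this commit exempts do not belong to a VPC and would carry a null id), this is a reference comparison that only behaves for small cached values, so two equal ids held in distinct `Long` objects are reported as different and the gateway creation is rejected. The same applies to `aclId == NetworkACL.DEFAULT_DENY` if both `aclId` and the constant are boxed. Checking the default ids first and then comparing by value, `if (!(aclId == NetworkACL.DEFAULT_DENY || aclId == NetworkACL.DEFAULT_ALLOW) && (aclVO.getVpcId() == null || !aclVO.getVpcId().equals(vpcId))) {`, keeps the check fail-closed for a null vpc id. Since this condition is what binds a caller-supplied ACL id to the caller's own VPC, a unit test covering both default ids and an ACL from a different VPC would be worth adding; the enclosing method starts outside the hunk.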
 


[2/6] git commit: updated refs/heads/master-6-17-stable to 4f75062

Posted by ja...@apache.org.
CLOUDSTACK-1578 Egress default policy configurable using network offering in xenserver with VR as firewall provider


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/32b43d2b
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/32b43d2b
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/32b43d2b

Branch: refs/heads/master-6-17-stable
Commit: 32b43d2b174496a5a0ae21024062247f6166374c
Parents: f00ebad
Author: Jayapal <ja...@apache.org>
Authored: Mon Jun 24 14:24:49 2013 +0530
Committer: Jayapal <ja...@apache.org>
Committed: Mon Jun 24 14:30:22 2013 +0530

----------------------------------------------------------------------
 api/src/com/cloud/offering/NetworkOffering.java |  1 +
 .../org/apache/cloudstack/api/ApiConstants.java |  1 +
 .../admin/network/CreateNetworkOfferingCmd.java | 10 ++++++
 .../api/response/NetworkOfferingResponse.java   |  7 ++++
 .../api/routing/NetworkElementCommand.java      |  1 +
 .../com/cloud/network/rules/FirewallRuleVO.java |  7 ++++
 .../com/cloud/offerings/NetworkOfferingVO.java  | 10 +++++-
 .../debian/config/root/firewallRule_egress.sh   | 26 +++++++++++---
 .../xen/resource/CitrixResourceBase.java        |  8 +++++
 server/src/com/cloud/api/ApiResponseHelper.java |  1 +
 .../configuration/ConfigurationManager.java     |  2 +-
 .../configuration/ConfigurationManagerImpl.java | 12 +++++--
 .../com/cloud/network/NetworkManagerImpl.java   | 37 +++++++++++++-------
 .../network/firewall/FirewallManagerImpl.java   | 31 ++++++++++++++++
 .../VirtualNetworkApplianceManagerImpl.java     | 32 ++++++++++++-----
 .../cloud/network/rules/FirewallManager.java    |  1 +
 .../cloud/server/ConfigurationServerImpl.java   |  2 +-
 .../cloud/network/MockFirewallManagerImpl.java  |  5 +++
 .../cloud/vpc/MockConfigurationManagerImpl.java |  2 +-
 .../CreateNetworkOfferingTest.java              | 20 +++++------
 setup/db/db/schema-410to420.sql                 |  1 +
 21 files changed, 175 insertions(+), 42 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/api/src/com/cloud/offering/NetworkOffering.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/offering/NetworkOffering.java b/api/src/com/cloud/offering/NetworkOffering.java
index 5f522eb..43312db 100644
--- a/api/src/com/cloud/offering/NetworkOffering.java
+++ b/api/src/com/cloud/offering/NetworkOffering.java
@@ -127,5 +127,6 @@ public interface NetworkOffering extends InfrastructureEntity, InternalIdentity,
     boolean getInternalLb();
 
     boolean getPublicLb();
+    boolean getEgressDefaultPolicy();
 
 }
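Review bot: `getEgressDefaultPolicy()` is added to the public `NetworkOffering` interface without Javadoc saying which way the boolean reads. From the `@Parameter` description this commit adds to CreateNetworkOfferingCmd, `true` means egress is allowed unless a rule blocks it and `false` means it is denied unless a rule allows it; a one-liner such as `/** Returns true if outbound guest traffic is allowed by default (rules deny), false if it is denied by default (rules allow). */` would make that explicit for implementors and callers.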

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/api/src/org/apache/cloudstack/api/ApiConstants.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/ApiConstants.java b/api/src/org/apache/cloudstack/api/ApiConstants.java
index b43f06c..c4dba5d 100755
--- a/api/src/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/org/apache/cloudstack/api/ApiConstants.java
@@ -117,6 +117,7 @@ public class ApiConstants {
     public static final String IS_PORTABLE = "isportable";
     public static final String IS_PUBLIC = "ispublic";
     public static final String IS_PERSISTENT = "ispersistent";
+    public static final String EGRESS_DEFAULT_POLICY = "egressdefaultpolicy";
     public static final String IS_READY = "isready";
     public static final String IS_RECURSIVE = "isrecursive";
     public static final String ISO_FILTER = "isofilter";

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java b/api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
index febb0c3..94e263c 100644
--- a/api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
@@ -99,6 +99,9 @@ public class CreateNetworkOfferingCmd extends BaseCmd {
     		" Supported keys are internallbprovider/publiclbprovider with service provider as a value")
     protected Map details;
 
+    @Parameter(name=ApiConstants.EGRESS_DEFAULT_POLICY, type=CommandType.BOOLEAN, description="true if default guest network egress policy is allow; false if default egress policy is deny")
+    private Boolean egressDefaultPolicy;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -162,6 +165,13 @@ public class CreateNetworkOfferingCmd extends BaseCmd {
         return isPersistent == null ? false : isPersistent;
     }
 
+    public Boolean getEgressDefaultPolicy() {
+        if (egressDefaultPolicy == null) {
+            return true;
+        }
+        return egressDefaultPolicy;
+    }
+
     public Map<String, List<String>> getServiceProviders() {
         Map<String, List<String>> serviceProviderMap = null;
         if (serviceProviderList != null && !serviceProviderList.isEmpty()) {
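Review bot: `getEgressDefaultPolicy()` maps an absent `egressdefaultpolicy` parameter to `true`, i.e. egress allowed by default, but the `@Parameter` description in the previous hunk (line 728) does not mention the default, so API users cannot tell what they get by omitting it. Appending `; defaults to true` to that description documents the permissive default where it is published. The getter itself could also follow the neighbouring `getIsPersistent()` style, `return egressDefaultPolicy == null ? true : egressDefaultPolicy;`, and return `boolean` rather than `Boolean` since it can never yield null.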

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java b/api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java
index 7a7e371..6b35d7b 100644
--- a/api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java
+++ b/api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java
@@ -88,6 +88,9 @@ public class NetworkOfferingResponse extends BaseResponse {
     @SerializedName(ApiConstants.DETAILS) @Param(description="additional key/value details tied with network offering", since="4.2.0")
     private Map details;
 
+    @SerializedName(ApiConstants.EGRESS_DEFAULT_POLICY) @Param(description="true if network offering supports persistent networks, false otherwise")
+    private Boolean egressDefaultPolicy;
+
 
     public void setId(String id) {
         this.id = id;
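Review bot: The `@Param` description on the new `egressDefaultPolicy` field reads `true if network offering supports persistent networks, false otherwise`, which is the `ispersistent` text copied over, and it is what the generated API documentation will publish for this field. Use the wording from CreateNetworkOfferingCmd in this same commit, and carry a `since` tag like the neighbouring `details` field: `@SerializedName(ApiConstants.EGRESS_DEFAULT_POLICY) @Param(description="true if guest network default egress policy is allow; false if default egress policy is deny", since="4.2.0")`.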
@@ -166,4 +169,8 @@ public class NetworkOfferingResponse extends BaseResponse {
         this.details = details;
     }
 
+    public void setEgressDefaultPolicy(Boolean egressDefaultPolicy) {
+        this.egressDefaultPolicy = egressDefaultPolicy;
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/core/src/com/cloud/agent/api/routing/NetworkElementCommand.java
----------------------------------------------------------------------
diff --git a/core/src/com/cloud/agent/api/routing/NetworkElementCommand.java b/core/src/com/cloud/agent/api/routing/NetworkElementCommand.java
index ddb7ac8..843d213 100644
--- a/core/src/com/cloud/agent/api/routing/NetworkElementCommand.java
+++ b/core/src/com/cloud/agent/api/routing/NetworkElementCommand.java
@@ -33,6 +33,7 @@ public abstract class NetworkElementCommand extends Command {
     public static final String ZONE_NETWORK_TYPE = "zone.network.type";
     public static final String GUEST_BRIDGE = "guest.bridge";
     public static final String VPC_PRIVATE_GATEWAY = "vpc.gateway.private";
+    public static final String FIREWALL_EGRESS_DEFAULT = "firewall.egress.default";
 
 
     protected NetworkElementCommand() {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java b/engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java
index 9f73029..a51c364 100644
--- a/engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java
+++ b/engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java
@@ -223,6 +223,13 @@ public class FirewallRuleVO implements FirewallRule {
     }
 
 
+    public FirewallRuleVO(String xId, Long ipAddressId, Integer portStart, Integer portEnd, String protocol,
+                          long networkId, long accountId, long domainId, Purpose purpose, List<String> sourceCidrs, Integer icmpCode,
+                          Integer icmpType, Long related, TrafficType trafficType, FirewallRuleType type) {
+        this(xId, ipAddressId, portStart, portEnd, protocol, networkId, accountId, domainId, purpose, sourceCidrs, icmpCode, icmpType, related, trafficType);
+        this.type = type;
+    }
+
     public FirewallRuleVO(String xId, long ipAddressId, int port, String protocol, long networkId, long accountId, 
             long domainId, Purpose purpose, List<String> sourceCidrs, Integer icmpCode, Integer icmpType, Long related) {
         this(xId, ipAddressId, port, port, protocol, networkId, accountId, domainId, purpose, sourceCidrs, icmpCode, icmpType, related, null);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java b/engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java
index fae315b..6317f72 100755
--- a/engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java
+++ b/engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java
@@ -130,6 +130,9 @@ public class NetworkOfferingVO implements NetworkOffering {
     @Column(name = "is_persistent")
     boolean isPersistent;
 
+    @Column(name = "egress_default_policy")
+    boolean egressdefaultpolicy;
+
     @Override
     public String getDisplayText() {
         return displayText;
@@ -275,6 +278,10 @@ public class NetworkOfferingVO implements NetworkOffering {
         this.redundantRouter = redundantRouter;
     }
 
+    public boolean getEgressDefaultPolicy() {
+        return egressdefaultpolicy;
+    }
+
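Review bot: `getEgressDefaultPolicy()` implements the method this commit adds to the `NetworkOffering` interface but lacks the `@Override` that the neighbouring `getDisplayText()` carries. The backing field `egressdefaultpolicy` (previous hunk, line 822, and the constructor parameter at line 843) also breaks the camelCase used by `isPersistent` right above it; `egressDefaultPolicy` with the same `@Column(name = "egress_default_policy")` keeps the schema untouched. Note that the sixteen-argument constructor at line 835 does not set the field, so offerings built through it keep the Java default `false` (deny by default) — worth a comment on the field if that is intended.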
     public NetworkOfferingVO(String name, String displayText, TrafficType trafficType, boolean systemOnly, boolean specifyVlan, Integer rateMbps, Integer multicastRateMbps, boolean isDefault,
             Availability availability, String tags, Network.GuestType guestType, boolean conserveMode, boolean specifyIpRanges, boolean isPersistent, boolean internalLb, boolean publicLb) {
         this.name = name;
@@ -306,7 +313,7 @@ public class NetworkOfferingVO implements NetworkOffering {
 
     public NetworkOfferingVO(String name, String displayText, TrafficType trafficType, boolean systemOnly, boolean specifyVlan, Integer rateMbps, Integer multicastRateMbps, boolean isDefault,
             Availability availability, String tags, Network.GuestType guestType, boolean conserveMode, boolean dedicatedLb, boolean sharedSourceNat, boolean redundantRouter, boolean elasticIp, boolean elasticLb,
-            boolean specifyIpRanges, boolean inline, boolean isPersistent, boolean associatePublicIP, boolean publicLb, boolean internalLb) {
+            boolean specifyIpRanges, boolean inline, boolean isPersistent, boolean associatePublicIP, boolean publicLb, boolean internalLb, boolean egressdefaultpolicy) {
         this(name, displayText, trafficType, systemOnly, specifyVlan, rateMbps, multicastRateMbps, isDefault, availability, tags, guestType, conserveMode, specifyIpRanges, isPersistent, internalLb, publicLb);
         this.dedicatedLB = dedicatedLb;
         this.sharedSourceNat = sharedSourceNat;
@@ -315,6 +322,7 @@ public class NetworkOfferingVO implements NetworkOffering {
         this.elasticLb = elasticLb;
         this.inline = inline;
         this.eipAssociatePublicIp = associatePublicIP;
+        this.egressdefaultpolicy = egressdefaultpolicy;
     }
 
     public NetworkOfferingVO() {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/patches/systemvm/debian/config/root/firewallRule_egress.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/root/firewallRule_egress.sh b/patches/systemvm/debian/config/root/firewallRule_egress.sh
index 0da7718..b1e7a40 100755
--- a/patches/systemvm/debian/config/root/firewallRule_egress.sh
+++ b/patches/systemvm/debian/config/root/firewallRule_egress.sh
@@ -82,15 +82,14 @@ fw_entry_for_egress() {
       [ "$eport" == "-1" ] && typecode="$sport"
       [ "$sport" == "-1" ] && typecode="any"
       sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
-                     -j ACCEPT
+                     -j $target
       result=$?
     elif [ "$prot" == "all" ]
     then
-	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j ACCEPT
+	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j $target
 	    result=$?
     else
-	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr \
-	     	    $DPORT -j ACCEPT
+	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr  $DPORT -j $target
 	    result=$?
     fi
   
@@ -109,14 +108,18 @@ rules=""
 rules_list=""
 ip=""
 dev=""
+pflag=0
 shift
 shift
-while getopts 'a:' OPTION
+while getopts 'a:P:' OPTION
 do
   case $OPTION in
   a)	aflag=1
 		rules="$OPTARG"
 		;;
+  P)   pflag=1
+       pvalue="$OPTARG"
+       ;;
   ?)	usage
                 unlock_exit 2 $lock $locked
 		;;
@@ -142,6 +145,13 @@ fi
 
 success=0
 
+if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
+  then
+     target="ACCEPT"
+  else
+     target="DROP"
+  fi
+
 fw_egress_chain
 for r in $rules_list
 do
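Review bot: When the caller does not pass `-P`, `pvalue` is empty, the test on the first added line fails and `target` becomes `DROP`, so every rule handed in with `-a` is installed as a drop rule instead of the `ACCEPT` the script produced before this change. Setting `pvalue=0` in the defaults block next to `pflag=0` (hunk at line 885) keeps the old action for any caller that still builds the command line without `-P`. `pflag` is set in the option parser but not read on any line visible in this diff; if nothing else uses it, drop it. A short comment above the branch, `# -P 0: rules accept; -P 1: rules drop, accept by default; -P 2: rules accept, accept by default`, would also save the next reader from reverse-engineering the three codes from this and the following hunk.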
@@ -162,6 +172,12 @@ then
   fw_egress_backup_restore
 else
   logger -t cloud "deleting backup for guest network"
+    if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
+       then
+       #Adding default policy rule
+       sudo iptables -A FW_EGRESS_RULES  -j ACCEPT
+    fi
+
 fi
 
 fw_egress_remove_backup

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index 5e8283a..bb267fb 100644
--- a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@@ -7920,6 +7920,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
         String callResult;
         Connection conn = getConnection();
         String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
+        String egressDefault = cmd.getAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT);
         FirewallRuleTO[] allrules = cmd.getRules();
         FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
         if (routerIp == null) {
@@ -7931,6 +7932,13 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
         args += routerIp + " -F";
         if (trafficType == FirewallRule.TrafficType.Egress){
             args+= " -E";
+            if (egressDefault.equals("true")) {
+                args+= " -P 1";
+            } else if (egressDefault.equals("System")) {
+                args+= " -P 2";
+            } else {
+                args+= " -P 0";
+            }
         }
         StringBuilder sb = new StringBuilder();
         String[] fwRules = rules[0];
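Review bot: `egressDefault.equals("true")` on the first added line throws a NullPointerException when the command carries no `FIREWALL_EGRESS_DEFAULT` access detail, which `getAccessDetail` can presumably return as null for commands built by an older management server or by a path that does not set it; the literal-first form `if ("true".equals(egressDefault)) {` and `} else if ("System".equals(egressDefault)) {` falls through to `-P 0` instead. The codes 0/1/2 carry no meaning at this call site; a comment such as `// -P 1: default allow (rules deny), -P 2: allow all (no rules), -P 0: default deny (rules allow) — see firewallRule_egress.sh` ties them to the script changed in this commit. The enclosing method starts before the hunk.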

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/server/src/com/cloud/api/ApiResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index c0034ab..14254ac 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -2049,6 +2049,7 @@ public class ApiResponseHelper implements ResponseGenerator {
         response.setAvailability(offering.getAvailability().toString());
         response.setIsPersistent(offering.getIsPersistent());
         response.setNetworkRate(ApiDBUtils.getNetworkRate(offering.getId()));
+        response.setEgressDefaultPolicy(offering.getEgressDefaultPolicy());
         Long so = null;
         if (offering.getServiceOfferingId() != null) {
             so = offering.getServiceOfferingId();

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/server/src/com/cloud/configuration/ConfigurationManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/configuration/ConfigurationManager.java b/server/src/com/cloud/configuration/ConfigurationManager.java
index 8db037b..3f0bdbe 100755
--- a/server/src/com/cloud/configuration/ConfigurationManager.java
+++ b/server/src/com/cloud/configuration/ConfigurationManager.java
@@ -205,7 +205,7 @@ public interface ConfigurationManager extends ConfigurationService, Manager {
 
     NetworkOfferingVO createNetworkOffering(String name, String displayText, TrafficType trafficType, String tags, boolean specifyVlan, Availability availability, Integer networkRate, Map<Service, Set<Provider>> serviceProviderMap,
             boolean isDefault, Network.GuestType type, boolean systemOnly, Long serviceOfferingId, boolean conserveMode, Map<Service, Map<Capability, String>> serviceCapabilityMap,
-            boolean specifyIpRanges, boolean isPersistent, Map<NetworkOffering.Detail,String> details);
+            boolean specifyIpRanges, boolean isPersistent, Map<NetworkOffering.Detail,String> details, boolean egressDefaultPolicy);
 
     Vlan createVlanAndPublicIpRange(long zoneId, long networkId, long physicalNetworkId, boolean forVirtualNetwork, Long podId, String startIP, String endIP, String vlanGateway, String vlanNetmask, String vlanId, Account vlanOwner, String startIPv6, String endIPv6, String vlanIp6Gateway, String vlanIp6Cidr) throws InsufficientCapacityException, ConcurrentOperationException, InvalidParameterValueException;
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
index 97f0d33..60e23e5 100755
--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -3590,6 +3590,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
         boolean specifyIpRanges = cmd.getSpecifyIpRanges();
         boolean isPersistent = cmd.getIsPersistent();
         Map<String, String> detailsStr = cmd.getDetails();
+        Boolean egressDefaultPolicy = cmd.getEgressDefaultPolicy();
 
         // Verify traffic type
         for (TrafficType tType : TrafficType.values()) {
@@ -3757,6 +3758,9 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
             Set<Provider> firewallProviderSet = new HashSet<Provider>();
             firewallProviderSet.add(firewallProvider);
             serviceProviderMap.put(Service.Firewall, firewallProviderSet);
+            if (!(firewallProvider.getName().equals(Provider.JuniperSRX.getName()) || firewallProvider.getName().equals(Provider.VirtualRouter.getName())) && egressDefaultPolicy == false) {
+                throw new InvalidParameterValueException("Firewall egress with default policy " +  egressDefaultPolicy + "is not supported by the provider "+ firewallProvider.getName());
+            }
         }
         
         Map<NetworkOffering.Detail, String> details = new HashMap<NetworkOffering.Detail, String>();
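Review bot: The exception message on the second added line concatenates `egressDefaultPolicy + "is not supported"` without a space, producing `default policy falseis not supported`; use `"Firewall egress with default policy " + egressDefaultPolicy + " is not supported by the provider " + firewallProvider.getName()`. The condition also unboxes the `Boolean` declared at line 999 with `== false`; `!egressDefaultPolicy` reads more naturally and behaves the same as long as the command getter never returns null, which is the case in this commit.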
@@ -3777,7 +3781,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
         }
 
         return createNetworkOffering(name, displayText, trafficType, tags, specifyVlan, availability, networkRate, serviceProviderMap, false, guestType, false,
-                serviceOfferingId, conserveMode, serviceCapabilityMap, specifyIpRanges, isPersistent, details);
+                serviceOfferingId, conserveMode, serviceCapabilityMap, specifyIpRanges, isPersistent, details, egressDefaultPolicy);
     }
 
     void validateLoadBalancerServiceCapabilities(Map<Capability, String> lbServiceCapabilityMap) {
@@ -3885,9 +3889,11 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
 
     @Override
     @DB
+
     public NetworkOfferingVO createNetworkOffering(String name, String displayText, TrafficType trafficType, String tags, boolean specifyVlan, Availability availability, Integer networkRate,
             Map<Service, Set<Provider>> serviceProviderMap, boolean isDefault, Network.GuestType type, boolean systemOnly, Long serviceOfferingId,
-            boolean conserveMode, Map<Service, Map<Capability, String>> serviceCapabilityMap, boolean specifyIpRanges, boolean isPersistent, Map<NetworkOffering.Detail,String> details) {
+            boolean conserveMode, Map<Service, Map<Capability, String>> serviceCapabilityMap, boolean specifyIpRanges, boolean isPersistent, Map<NetworkOffering.Detail,String> details,
+            boolean egressDefaultPolicy) {
 
         String multicastRateStr = _configDao.getValue("multicast.throttling.rate");
         int multicastRate = ((multicastRateStr == null) ? 10 : Integer.parseInt(multicastRateStr));
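Review bot: The added empty line between `@DB` and the `createNetworkOffering` signature separates the annotations from the method they annotate and matches nothing else in the file; drop it. The new `egressDefaultPolicy` parameter is also undocumented on both the interface (line 984) and this implementation; a `@param egressDefaultPolicy true to allow egress unless a rule denies it, false to deny unless a rule allows it` on the interface method is where callers will look.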
@@ -4020,7 +4026,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
 
         NetworkOfferingVO offering = new NetworkOfferingVO(name, displayText, trafficType, systemOnly, specifyVlan,
                 networkRate, multicastRate, isDefault, availability, tags, type, conserveMode, dedicatedLb,
-                sharedSourceNat, redundantRouter, elasticIp, elasticLb, specifyIpRanges, inline, isPersistent, associatePublicIp, publicLb, internalLb);
+                sharedSourceNat, redundantRouter, elasticIp, elasticLb, specifyIpRanges, inline, isPersistent, associatePublicIp, publicLb, internalLb, egressDefaultPolicy);
 
         if (serviceOfferingId != null) {
             offering.setServiceOfferingId(serviceOfferingId);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/server/src/com/cloud/network/NetworkManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index 8c2806a..67f08ee 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -1308,7 +1308,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
                     _configMgr.createNetworkOffering(NetworkOffering.QuickCloudNoServices,
                             "Offering for QuickCloud with no services", TrafficType.Guest, null, true,
                             Availability.Optional, null, new HashMap<Network.Service, Set<Network.Provider>>(), true,
-                            Network.GuestType.Shared, false, null, true, null, true, false, null);
+                            Network.GuestType.Shared, false, null, true, null, true, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
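Review bot: A bare `false` is appended to each `createNetworkOffering` call in this and the following hunks (lines 1065, 1074, 1083, 1093, 1102, 1111 and the hunk that runs past this view), and nothing at the call sites says it is the egress default policy or that it deliberately keeps the pre-existing "rules allow, deny by default" behaviour for the built-in offerings. A short comment on the first call, `// egressDefaultPolicy=false: built-in offerings keep deny-by-default egress`, or a local `final boolean egressDefaultPolicy = false;` used in all eight calls would make the intent visible. Line 1093 also reads `null,false` where every other call has `null, false`, and line 1084 adds an empty line inside the `if` body that the other branches do not have.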
@@ -1319,7 +1319,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
                     _configMgr.createNetworkOffering(NetworkOffering.DefaultSharedNetworkOfferingWithSGService,
                             "Offering for Shared Security group enabled networks", TrafficType.Guest, null, true,
                             Availability.Optional, null, defaultSharedNetworkOfferingProviders, true,
-                            Network.GuestType.Shared, false, null, true, null, true, false, null);
+                            Network.GuestType.Shared, false, null, true, null, true, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
@@ -1327,7 +1327,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
         //#3 - shared network offering with no SG service
         if (_networkOfferingDao.findByUniqueName(NetworkOffering.DefaultSharedNetworkOffering) == null) {
             offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultSharedNetworkOffering, "Offering for Shared networks", TrafficType.Guest, null, true, Availability.Optional, null,
-                    defaultSharedNetworkOfferingProviders, true, Network.GuestType.Shared, false, null, true, null, true, false, null);
+                    defaultSharedNetworkOfferingProviders, true, Network.GuestType.Shared, false, null, true, null, true, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
@@ -1338,7 +1338,8 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
             offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingWithSourceNatService,
                     "Offering for Isolated networks with Source Nat service enabled", TrafficType.Guest,
                     null, false, Availability.Required, null, defaultIsolatedSourceNatEnabledNetworkOfferingProviders,
-                    true, Network.GuestType.Isolated, false, null, true, null, false, false, null);
+                    true, Network.GuestType.Isolated, false, null, true, null, false, false, null, false);
+
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
@@ -1348,7 +1349,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
             offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworks,
                     "Offering for Isolated VPC networks with Source Nat service enabled", TrafficType.Guest,
                     null, false, Availability.Optional, null, defaultVPCOffProviders,
-                    true, Network.GuestType.Isolated, false, null, false, null, false, false, null);
+                    true, Network.GuestType.Isolated, false, null, false, null, false, false, null,false);
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
@@ -1360,7 +1361,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
             offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworksNoLB,
                     "Offering for Isolated VPC networks with Source Nat service enabled and LB service disabled", TrafficType.Guest,
                     null, false, Availability.Optional, null, defaultVPCOffProviders,
-                    true, Network.GuestType.Isolated, false, null, false, null, false, false, null);
+                    true, Network.GuestType.Isolated, false, null, false, null, false, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
@@ -1370,7 +1371,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
             offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOffering,
                     "Offering for Isolated networks with no Source Nat service", TrafficType.Guest, null, true,
                     Availability.Optional, null, defaultIsolatedNetworkOfferingProviders, true, Network.GuestType.Isolated,
-                    false, null, true, null, true, false, null);
+                    false, null, true, null, true, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
@@ -1396,7 +1397,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
             offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB,
                     "Offering for Isolated VPC networks with Internal Lb support", TrafficType.Guest,
                     null, false, Availability.Optional, null, internalLbOffProviders,
-                    true, Network.GuestType.Isolated, false, null, false, null, false, false, null);
+                    true, Network.GuestType.Isolated, false, null, false, null, false, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             offering.setInternalLb(true);
             _networkOfferingDao.update(offering.getId(), offering);
@@ -1426,7 +1427,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
 
         if (_networkOfferingDao.findByUniqueName(NetworkOffering.DefaultSharedEIPandELBNetworkOffering) == null) {
             offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultSharedEIPandELBNetworkOffering, "Offering for Shared networks with Elastic IP and Elastic LB capabilities", TrafficType.Guest, null, true,
-                    Availability.Optional, null, netscalerServiceProviders, true, Network.GuestType.Shared, false, null, true, serviceCapabilityMap, true, false, null);
+                    Availability.Optional, null, netscalerServiceProviders, true, Network.GuestType.Shared, false, null, true, serviceCapabilityMap, true, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             offering.setDedicatedLB(false);
             _networkOfferingDao.update(offering.getId(), offering);
@@ -3090,9 +3091,21 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
         }
 
         List<FirewallRuleVO> firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
-        if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) {
-            s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart");
-            success = false;
+        if (firewallEgressRulesToApply.size() == 0) {
+            NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
+            //there are no egress rules then apply the default egress rule
+            DataCenter zone = _dcDao.findById(network.getDataCenterId());
+            if (offering.getEgressDefaultPolicy() && _networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
+                    && (network.getGuestType() == Network.GuestType.Isolated ||
+                    (network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced))) {
+                // add default egress rule to accept the traffic
+                _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), true);
+            }
+        } else {
+            if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) {
+                s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart");
+                success = false;
+            }
         }
 
         // apply port forwarding rules
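Review bot: The result of `_firewallMgr.applyDefaultEgressFirewallRule(network.getId(), true)` is discarded, so a failed push of the default egress rule during restart leaves `success` true and logs nothing, while the `else` branch for user rules warns and sets `success = false`. Mirror that handling: `if (!_firewallMgr.applyDefaultEgressFirewallRule(network.getId(), true)) { s_logger.warn("Failed to apply default egress rule as a part of network id=" + networkId + " restart"); success = false; }`. `offering` and `zone` come from `findById` lookups that are dereferenced without a null check; if either can return null here, guard before calling `getEgressDefaultPolicy()` / `getNetworkType()`. `firewallEgressRulesToApply.size() == 0` reads better as `isEmpty()`. The enclosing method starts before this hunk and continues after it.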

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
index f7275b0..d250a08 100644
--- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -616,6 +616,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
     @Override
     public boolean applyEgressFirewallRules (FirewallRule rule, Account caller) throws ResourceUnavailableException {
                 List<FirewallRuleVO> rules = _firewallDao.listByNetworkPurposeTrafficType(rule.getNetworkId(), Purpose.Firewall, FirewallRule.TrafficType.Egress);
+                applyDefaultEgressFirewallRule(rule.getNetworkId(), true);
                 return applyFirewallRules(rules, false, caller);
     }
 
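Review bot: `applyDefaultEgressFirewallRule(rule.getNetworkId(), true)` hardcodes the policy to `true`, so the allow-all egress system rule is pushed every time this method runs regardless of what the network's offering configured; the restart path in NetworkManagerImpl gates the same call on `offering.getEgressDefaultPolicy()`, and this call should consult the offering the same way instead of passing a literal. Its boolean result is also ignored, so a rejected default rule is invisible to the caller while `applyFirewallRules` for the user rules proceeds as if nothing went wrong. Consider `return applyDefaultEgressFirewallRule(rule.getNetworkId(), egressDefaultPolicy) && applyFirewallRules(rules, false, caller);` with `egressDefaultPolicy` read from the network's offering (this class has `_networkDao`; whether an offering DAO is injected is not visible in this hunk).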
@@ -649,6 +650,36 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
     }
 
     @Override
+    public boolean applyDefaultEgressFirewallRule(Long networkId, boolean defaultPolicy) throws ResourceUnavailableException {
+
+        if (defaultPolicy == false) {
+            //If default policy is false no need apply rules on backend because firewall provider blocks by default
+            return true;
+        }
+        s_logger.debug("applying default firewall egress rules ");
+
+        NetworkVO network = _networkDao.findById(networkId);
+        List<String> sourceCidr = new ArrayList<String>();
+
+        sourceCidr.add(NetUtils.ALL_CIDRS);
+        FirewallRuleVO ruleVO = new FirewallRuleVO(null, null, null, null, "all", networkId, network.getAccountId(), network.getDomainId(), Purpose.Firewall, sourceCidr,
+                null, null, null, FirewallRule.TrafficType.Egress, FirewallRuleType.System);
+        List<FirewallRuleVO> rules = new ArrayList<FirewallRuleVO>();
+        rules.add(ruleVO);
+
+        try {
+            //this is not required to store in db because we don't to add this rule along with the normal rules
+            if (!applyRules(rules, false, false)) {
+                return  false;
+            }
+        } catch (ResourceUnavailableException ex) {
+            s_logger.warn("Failed to apply default egress rules for guest network due to ", ex);
+            return false;
+        }
+        return true;
+    }
+
+    @Override
     @ActionEvent(eventType = EventTypes.EVENT_FIREWALL_CLOSE, eventDescription = "revoking firewall rule", async = true)
     public boolean revokeFirewallRule(long ruleId, boolean apply, Account caller, long userId) {
 
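Review bot: `network` is dereferenced in the `FirewallRuleVO` constructor call without a null check; `_networkDao.findById(networkId)` can return null for an unknown id, so an NPE would escape instead of the `false` the rest of the method returns on failure. Add `if (network == null) { s_logger.warn("Network id=" + networkId + " not found, skipping default egress rule"); return false; }` right after the lookup. The declared `throws ResourceUnavailableException` is unreachable: the only source (`applyRules`) is caught and converted to `false`, so either drop the clause here and in `FirewallManager`, or let it propagate so callers that ignore the boolean still see the failure. `defaultPolicy == false` is more idiomatic as `!defaultPolicy`, and the comment above the `applyRules` call is missing a word (`//not stored in the db because we don't want to add this rule along with the normal rules`).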

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index 7f3a88e..7e12ce9 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -163,6 +163,7 @@ import com.cloud.network.rules.dao.PortForwardingRulesDao;
 import com.cloud.network.vpn.Site2SiteVpnManager;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offering.ServiceOffering;
+import com.cloud.offerings.NetworkOfferingVO;
 import com.cloud.offerings.dao.NetworkOfferingDao;
 import com.cloud.resource.ResourceManager;
 import com.cloud.server.ConfigurationServer;
@@ -3679,29 +3680,44 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
 
     private void createFirewallRulesCommands(List<? extends FirewallRule> rules, VirtualRouter router, Commands cmds, long guestNetworkId) {
         List<FirewallRuleTO> rulesTO = null;
+        String systemRule = null;
         if (rules != null) {
+            if (rules.size() > 0) {
+                if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) {
+                    systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
+                }
+            }
             rulesTO = new ArrayList<FirewallRuleTO>();
             for (FirewallRule rule : rules) {
                 FirewallRule.TrafficType traffictype = rule.getTrafficType();
                 if(traffictype == FirewallRule.TrafficType.Ingress){
-                IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
-                        FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(),Purpose.Firewall,traffictype);
-                rulesTO.add(ruleTO);
-            }
-                else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress){
-                        assert (rule.getSourceIpAddressId()==null) : "ipAddressId should be null for egress firewall rule. ";
-                        FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null,"",Purpose.Firewall,traffictype);
-                        rulesTO.add(ruleTO);
+                    IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
+                    FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(),Purpose.Firewall,traffictype);
+                    rulesTO.add(ruleTO);
+                } else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress){
+                    assert (rule.getSourceIpAddressId()==null) : "ipAddressId should be null for egress firewall rule. ";
+                    FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null,"",Purpose.Firewall, traffictype);
+                    rulesTO.add(ruleTO);
                 }
             }
         }
 
+
+        NetworkVO network = _networkDao.findById(guestNetworkId);
+        NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
+        Boolean defaultEgressPolicy = offering.getEgressDefaultPolicy();
         SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, getRouterControlIp(router.getId()));
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, getRouterIpInNetwork(guestNetworkId, router.getId()));
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());
         DataCenterVO dcVo = _dcDao.findById(router.getDataCenterId());
         cmd.setAccessDetail(NetworkElementCommand.ZONE_NETWORK_TYPE, dcVo.getNetworkType().toString());
+        if (systemRule != null) {
+            cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, systemRule);
+        } else {
+            cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, String.valueOf(defaultEgressPolicy));
+        }
+
         cmds.addCommand(cmd);
     }
 
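Review bot: `network` and `offering` are fetched and dereferenced (`network.getNetworkOfferingId()`, `offering.getEgressDefaultPolicy()`) on every call with no null check, yet the value is only used in the `else` branch, so when a System egress rule is present both DB reads are wasted and still a potential NPE. Move the lookups into the branch that needs them and fail explicitly when the offering cannot be resolved, so the router never receives an access detail derived from a half-resolved lookup; if `getEgressDefaultPolicy()` returns a primitive, the boxed `Boolean` local is also unnecessary. The system-rule detection only inspects `rules.get(0)`, which relies on the default rule always being sent on its own as a single-element list (as `applyDefaultEgressFirewallRule` does); state that assumption, e.g. `// the default egress rule is always applied alone, so the first element decides`. `CloudRuntimeException` below is the project's usual unchecked exception; add the import if this file lacks it.
```java
        // … unchanged: systemRule detection and rulesTO construction …
        SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
        // … unchanged: ROUTER_IP / ROUTER_GUEST_IP / ROUTER_NAME / ZONE_NETWORK_TYPE access details …
        if (systemRule != null) {
            cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, systemRule);
        } else {
            // only the non-system path needs the offering's configured default policy
            NetworkVO network = _networkDao.findById(guestNetworkId);
            NetworkOfferingVO offering = (network == null) ? null : _networkOfferingDao.findById(network.getNetworkOfferingId());
            if (offering == null) {
                throw new CloudRuntimeException("Unable to resolve network offering for guest network id=" + guestNetworkId);
            }
            cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, String.valueOf(offering.getEgressDefaultPolicy()));
        }
        cmds.addCommand(cmd);
```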

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/server/src/com/cloud/network/rules/FirewallManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/rules/FirewallManager.java b/server/src/com/cloud/network/rules/FirewallManager.java
index 2bce8fe..6d36ed3 100644
--- a/server/src/com/cloud/network/rules/FirewallManager.java
+++ b/server/src/com/cloud/network/rules/FirewallManager.java
@@ -85,4 +85,5 @@ public interface FirewallManager extends FirewallService {
      */
     void removeRule(FirewallRule rule);
 
+    boolean applyDefaultEgressFirewallRule(Long networkId, boolean defaultPolicy) throws ResourceUnavailableException;
 }
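Review bot: The new `applyDefaultEgressFirewallRule` is the only method in this stretch of the interface without Javadoc, while `removeRule` directly above it carries one. Document the contract the implementation actually has: it pushes a single allow-all (`NetUtils.ALL_CIDRS`, protocol `all`) egress rule of type `System` to the backend without persisting it, is a no-op returning `true` when `defaultPolicy` is false, and returns `false` when the backend rejects the rule. Also consider `long networkId` for consistency with neighbouring methods such as `revokeFirewallRule(long ruleId, ...)`, since the implementation never treats a null id specially.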

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/server/src/com/cloud/server/ConfigurationServerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/server/ConfigurationServerImpl.java b/server/src/com/cloud/server/ConfigurationServerImpl.java
index 510455b..ad4c346 100755
--- a/server/src/com/cloud/server/ConfigurationServerImpl.java
+++ b/server/src/com/cloud/server/ConfigurationServerImpl.java
@@ -1082,7 +1082,7 @@ public class ConfigurationServerImpl extends ManagerBase implements Configuratio
                 "Offering for Shared networks with Elastic IP and Elastic LB capabilities",
                 TrafficType.Guest,
                 false, true, null, null, true, Availability.Optional,
-                null, Network.GuestType.Shared, true, false, false, false, true, true, true, false, false, true, true, false);
+                null, Network.GuestType.Shared, true, false, false, false, true, true, true, false, false, true, true, false, false);
 
         defaultNetscalerNetworkOffering.setState(NetworkOffering.State.Enabled);
         defaultNetscalerNetworkOffering = _networkOfferingDao.persistDefaultNetworkOffering(defaultNetscalerNetworkOffering);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/server/test/com/cloud/network/MockFirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/network/MockFirewallManagerImpl.java b/server/test/com/cloud/network/MockFirewallManagerImpl.java
index 95bb1d1..c50459e 100644
--- a/server/test/com/cloud/network/MockFirewallManagerImpl.java
+++ b/server/test/com/cloud/network/MockFirewallManagerImpl.java
@@ -169,6 +169,11 @@ public class MockFirewallManagerImpl extends ManagerBase implements FirewallMana
 	}
 
     @Override
+    public boolean applyDefaultEgressFirewallRule(Long networkId, boolean defaultPolicy) throws ResourceUnavailableException {
+        return false;  //To change body of implemented methods use File | Settings | File Templates.
+    }
+
+    @Override
     public FirewallRule createFirewallRule(Long ipAddrId, Account caller,
             String xId, Integer portStart, Integer portEnd, String protocol,
             List<String> sourceCidrList, Integer icmpCode, Integer icmpType,
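Review bot: The stub keeps the IDE template comment `//To change body of implemented methods use File | Settings | File Templates.`, which carries no information and should be dropped. Because the production callers currently ignore the method's return value, `return false;` is harmless for existing tests, but a mock that reports failure by default will confuse the first test that does assert on it; a one-line comment such as `// default egress rule handling is not modelled in this mock` makes the choice explicit.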

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/server/test/com/cloud/vpc/MockConfigurationManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vpc/MockConfigurationManagerImpl.java b/server/test/com/cloud/vpc/MockConfigurationManagerImpl.java
index 21b3590..76a8e84 100755
--- a/server/test/com/cloud/vpc/MockConfigurationManagerImpl.java
+++ b/server/test/com/cloud/vpc/MockConfigurationManagerImpl.java
@@ -554,7 +554,7 @@ public class MockConfigurationManagerImpl extends ManagerBase implements Configu
     @Override
     public NetworkOfferingVO createNetworkOffering(String name, String displayText, TrafficType trafficType, String tags, boolean specifyVlan, Availability availability, Integer networkRate,
             Map<Service, Set<Provider>> serviceProviderMap, boolean isDefault, GuestType type, boolean systemOnly, Long serviceOfferingId, boolean conserveMode,
-            Map<Service, Map<Capability, String>> serviceCapabilityMap, boolean specifyIpRanges, boolean isPersistent, Map<NetworkOffering.Detail,String> details) {
+            Map<Service, Map<Capability, String>> serviceCapabilityMap, boolean specifyIpRanges, boolean isPersistent, Map<NetworkOffering.Detail,String> details, boolean egressDefaultPolicy) {
         // TODO Auto-generated method stub
         return null;
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/server/test/org/apache/cloudstack/networkoffering/CreateNetworkOfferingTest.java
----------------------------------------------------------------------
diff --git a/server/test/org/apache/cloudstack/networkoffering/CreateNetworkOfferingTest.java b/server/test/org/apache/cloudstack/networkoffering/CreateNetworkOfferingTest.java
index 4a2c867..36564d9 100644
--- a/server/test/org/apache/cloudstack/networkoffering/CreateNetworkOfferingTest.java
+++ b/server/test/org/apache/cloudstack/networkoffering/CreateNetworkOfferingTest.java
@@ -94,7 +94,7 @@ public class CreateNetworkOfferingTest extends TestCase{
     public void createSharedNtwkOffWithVlan() {
         NetworkOfferingVO off = configMgr.createNetworkOffering("shared", "shared", TrafficType.Guest, null, true,
                 Availability.Optional, 200, null, false, Network.GuestType.Shared, false,
-                null, false, null, true, false, null);
+                null, false, null, true, false, null, false);
         assertNotNull("Shared network offering with specifyVlan=true failed to create ", off);
     }
     
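Review bot: Every updated `createNetworkOffering` call in this file passes `false` for the new `egressDefaultPolicy` argument, so the `true` path — the one that makes `applyDefaultEgressFirewallRule` push the allow-all egress rule — has no test at all; the same applies to the remaining hunks of this file. Add at least one case creating an offering with `egressDefaultPolicy=true` and asserting `off.getEgressDefaultPolicy()` is true, and one confirming the flag stays false when `false` is passed.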
@@ -103,7 +103,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         try {
             NetworkOfferingVO off = configMgr.createNetworkOffering("shared", "shared", TrafficType.Guest, null, false,
                     Availability.Optional, 200, null, false, Network.GuestType.Shared, false,
-                    null, false, null, true, false, null);
+                    null, false, null, true, false, null, false);
             assertNull("Shared network offering with specifyVlan=false was created", off);
         } catch (InvalidParameterValueException ex) {
         }
@@ -113,7 +113,7 @@ public class CreateNetworkOfferingTest extends TestCase{
     public void createSharedNtwkOffWithSpecifyIpRanges() {
         NetworkOfferingVO off = configMgr.createNetworkOffering("shared", "shared", TrafficType.Guest, null, true,
                 Availability.Optional, 200, null, false, Network.GuestType.Shared, false,
-                null, false, null, true, false, null);
+                null, false, null, true, false, null, false);
         
         assertNotNull("Shared network offering with specifyIpRanges=true failed to create ", off);
     }
@@ -123,7 +123,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         try {
             NetworkOfferingVO off = configMgr.createNetworkOffering("shared", "shared", TrafficType.Guest, null, true,
                     Availability.Optional, 200, null, false, Network.GuestType.Shared, false,
-                    null, false, null, false, false, null);
+                    null, false, null, false, false, null, false);
             assertNull("Shared network offering with specifyIpRanges=false was created", off);
         } catch (InvalidParameterValueException ex) {
         }
@@ -138,7 +138,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         serviceProviderMap.put(Network.Service.SourceNat, vrProvider);
         NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, null, false,
                 Availability.Optional, 200, serviceProviderMap, false, Network.GuestType.Isolated, false,
-                null, false, null, false, false, null);
+                null, false, null, false, false, null, false);
         
         assertNotNull("Isolated network offering with specifyIpRanges=false failed to create ", off);
     }
@@ -151,7 +151,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         serviceProviderMap.put(Network.Service.SourceNat, vrProvider);
         NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, null, true,
                 Availability.Optional, 200, serviceProviderMap, false, Network.GuestType.Isolated, false,
-                null, false, null, false, false, null);
+                null, false, null, false, false, null, false);
         assertNotNull("Isolated network offering with specifyVlan=true wasn't created", off);
        
     }
@@ -165,7 +165,7 @@ public class CreateNetworkOfferingTest extends TestCase{
             serviceProviderMap.put(Network.Service.SourceNat, vrProvider);
             NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, null, false,
                     Availability.Optional, 200, serviceProviderMap, false, Network.GuestType.Isolated, false,
-                    null, false, null, true, false, null);
+                    null, false, null, true, false, null, false);
             assertNull("Isolated network offering with specifyIpRanges=true and source nat service enabled, was created", off);
         } catch (InvalidParameterValueException ex) {
         }
@@ -178,7 +178,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         Set<Network.Provider> vrProvider = new HashSet<Network.Provider>();
         NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, null, false,
                 Availability.Optional, 200, serviceProviderMap, false, Network.GuestType.Isolated, false,
-                null, false, null, true, false, null);
+                null, false, null, true, false, null, false);
         assertNotNull("Isolated network offering with specifyIpRanges=true and with no sourceNatService, failed to create", off);
         
     }
@@ -196,7 +196,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         serviceProviderMap.put(Network.Service.Lb , vrProvider);
         NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, null, true,
                 Availability.Optional, 200, serviceProviderMap, false, Network.GuestType.Isolated, false,
-                null, false, null, false, false, null);
+                null, false, null, false, false, null, false);
         // System.out.println("Creating Vpc Network Offering");
         assertNotNull("Vpc Isolated network offering with Vpc provider ", off);
     }
@@ -216,7 +216,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         serviceProviderMap.put(Network.Service.Lb, lbProvider);
         NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, null, true,
                 Availability.Optional, 200, serviceProviderMap, false, Network.GuestType.Isolated, false, null, false,
-                null, false, false, null);
+                null, false, false, null, false);
         // System.out.println("Creating Vpc Network Offering");
         assertNotNull("Vpc Isolated network offering with Vpc and Netscaler provider ", off);
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/32b43d2b/setup/db/db/schema-410to420.sql
----------------------------------------------------------------------
diff --git a/setup/db/db/schema-410to420.sql b/setup/db/db/schema-410to420.sql
index 181f1cb..9d80b3b 100644
--- a/setup/db/db/schema-410to420.sql
+++ b/setup/db/db/schema-410to420.sql
@@ -1857,3 +1857,4 @@ INSERT IGNORE INTO `cloud`.`configuration` VALUES ('Advanced', 'DEFAULT', 'manag
 INSERT IGNORE INTO `cloud`.`configuration` VALUES ('Advanced', 'DEFAULT', 'management-server', 'execute.in.sequence.hypervisor.commands', 'false', 'If set to true, StartCommand, StopCommand, CopyVolumeCommand, CreateCommand will be synchronized on the agent side. If set to false, these commands become asynchronous. Default value is false.');
 INSERT IGNORE INTO `cloud`.`configuration` VALUES ('Advanced', 'DEFAULT', 'management-server', 'execute.in.sequence.network.element.commands', 'false', 'If set to true, DhcpEntryCommand, SavePasswordCommand, UserDataCommand, VmDataCommand will be synchronized on the agent side. If set to false, these commands become asynchronous. Default value is false.');
 
+alter table `cloud`.`network_offerings` add column egress_default_policy boolean default false;
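Review bot: The new `alter table` statement breaks with the surrounding script, which writes keywords in upper case and quotes identifiers with backticks (the column name here is not quoted), and it leaves the column nullable even though the Java side reads `getEgressDefaultPolicy()` straight into boolean conditions and into `String.valueOf(...)` for the router. Prefer `ALTER TABLE \`cloud\`.\`network_offerings\` ADD COLUMN \`egress_default_policy\` BOOLEAN NOT NULL DEFAULT FALSE;` so an allow/deny flag can never be NULL. Unlike the adjacent `INSERT IGNORE` rows, the statement is not safe to re-run; if this upgrade script can be executed more than once, handle it the way the file handles its other column additions.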