You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by ap...@apache.org on 2013/01/31 06:51:05 UTC
[2/2] git commit: refs/heads/master - CLOUDSTACK-299: Egress firewall
rules feature for guest network on VR
Updated Branches:
refs/heads/master 48fdc25da -> b6727e564
CLOUDSTACK-299: Egress firewall rules feature for guest network on VR
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/b6727e56
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/b6727e56
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/b6727e56
Branch: refs/heads/master
Commit: b6727e564654da2604e17ca477e21d03d4afeb05
Parents: 48fdc25
Author: Jayapal <ja...@citrix.com>
Authored: Thu Jan 31 11:20:23 2013 +0530
Committer: Abhinandan Prateek <ap...@apache.org>
Committed: Thu Jan 31 11:20:47 2013 +0530
----------------------------------------------------------------------
api/src/com/cloud/agent/api/to/FirewallRuleTO.java | 20 ++-
api/src/com/cloud/network/Network.java | 8 +-
api/src/com/cloud/network/NetworkProfile.java | 4 +
.../cloud/network/firewall/FirewallService.java | 6 +-
.../user/firewall/CreateFirewallRuleCmd.java | 4 +-
.../user/firewall/CreatePortForwardingRuleCmd.java | 2 +-
.../user/firewall/ListFirewallRulesCmd.java | 4 +
.../loadbalancer/CreateLoadBalancerRuleCmd.java | 2 +-
.../user/nat/CreateIpForwardingRuleCmd.java | 2 +-
.../cloudstack/api/response/FirewallResponse.java | 7 +
client/tomcatconf/commands.properties.in | 5 +
.../virtualnetwork/VirtualRoutingResource.java | 11 +-
.../debian/config/etc/iptables/iptables-router | 4 +-
.../debian/config/opt/cloud/bin/ipassoc.sh | 6 +-
.../hypervisor/vmware/resource/VmwareResource.java | 27 ++-
.../xen/resource/CitrixResourceBase.java | 10 +-
.../element/JuniperSRXExternalFirewallElement.java | 1 +
scripts/network/domr/call_firewall.sh | 21 +-
server/src/com/cloud/api/ApiResponseHelper.java | 13 +-
.../src/com/cloud/network/NetworkManagerImpl.java | 67 ++++--
.../com/cloud/network/dao/FirewallRulesDao.java | 3 +-
.../cloud/network/dao/FirewallRulesDaoImpl.java | 22 ++-
.../network/element/VirtualRouterElement.java | 2 +
.../network/firewall/FirewallManagerImpl.java | 189 ++++++++++-----
.../network/lb/LoadBalancingRulesManagerImpl.java | 7 +-
.../router/VirtualNetworkApplianceManagerImpl.java | 48 +++-
.../com/cloud/network/rules/FirewallManager.java | 6 +-
.../com/cloud/network/rules/FirewallRuleVO.java | 11 +-
.../com/cloud/network/rules/RulesManagerImpl.java | 4 +-
.../network/vpn/RemoteAccessVpnManagerImpl.java | 4 +-
.../src/com/cloud/upgrade/dao/Upgrade40to41.java | 113 +++++++++-
.../com/cloud/network/MockFirewallManagerImpl.java | 79 ++++---
32 files changed, 535 insertions(+), 177 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/agent/api/to/FirewallRuleTO.java b/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
index 95ac57c..38de8d0 100644
--- a/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
+++ b/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
@@ -50,7 +50,7 @@ public class FirewallRuleTO implements InternalIdentity {
FirewallRule.Purpose purpose;
private Integer icmpType;
private Integer icmpCode;
-
+ private FirewallRule.TrafficType trafficType;
protected FirewallRuleTO() {
}
@@ -85,6 +85,7 @@ public class FirewallRuleTO implements InternalIdentity {
this.sourceCidrList = sourceCidr;
this.icmpType = icmpType;
this.icmpCode = icmpCode;
+ this.trafficType = null;
}
public FirewallRuleTO(FirewallRule rule, String srcVlanTag, String srcIp) {
this(rule.getId(),srcVlanTag, srcIp, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getState()==State.Revoke, rule.getState()==State.Active, rule.getPurpose(),rule.getSourceCidrList(),rule.getIcmpType(),rule.getIcmpCode());
@@ -93,6 +94,23 @@ public class FirewallRuleTO implements InternalIdentity {
public FirewallRuleTO(FirewallRule rule, String srcIp) {
this(rule.getId(),null, srcIp, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getState()==State.Revoke, rule.getState()==State.Active, rule.getPurpose(),rule.getSourceCidrList(),rule.getIcmpType(),rule.getIcmpCode());
}
+
+ public FirewallRuleTO(FirewallRule rule, String srcVlanTag, String srcIp, FirewallRule.Purpose purpose) {
+ this(rule.getId(),srcVlanTag, srcIp, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getState()==State.Revoke, rule.getState()==State.Active, purpose,rule.getSourceCidrList(),rule.getIcmpType(),rule.getIcmpCode());
+ }
+
+ public FirewallRuleTO(FirewallRule rule, String srcVlanTag, String srcIp, FirewallRule.Purpose purpose, FirewallRule.TrafficType trafficType) {
+ this(rule.getId(),srcVlanTag, srcIp, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getState()==State.Revoke, rule.getState()==State.Active, purpose,rule.getSourceCidrList(),rule.getIcmpType(),rule.getIcmpCode());
+ this.trafficType = trafficType;
+ }
+
+ public FirewallRuleTO(FirewallRule rule, String srcVlanTag, String srcIp, FirewallRule.Purpose purpose, boolean revokeState, boolean alreadyAdded) {
+ this(rule.getId(),srcVlanTag, srcIp, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), revokeState, alreadyAdded, purpose,rule.getSourceCidrList(),rule.getIcmpType(),rule.getIcmpCode());
+ }
+
+ public FirewallRule.TrafficType getTrafficType(){
+ return trafficType;
+ }
public long getId() {
return id;
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/api/src/com/cloud/network/Network.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/Network.java b/api/src/com/cloud/network/Network.java
index c91f6a9..413b6d9 100644
--- a/api/src/com/cloud/network/Network.java
+++ b/api/src/com/cloud/network/Network.java
@@ -47,8 +47,8 @@ public interface Network extends ControlledEntity, InternalIdentity, Identity {
public static final Service Dhcp = new Service("Dhcp");
public static final Service Dns = new Service("Dns", Capability.AllowDnsSuffixModification);
public static final Service Gateway = new Service("Gateway");
- public static final Service Firewall = new Service("Firewall", Capability.SupportedProtocols,
- Capability.MultipleIps, Capability.TrafficStatistics);
+ public static final Service Firewall = new Service("Firewall", Capability.SupportedProtocols,
+ Capability.MultipleIps, Capability.TrafficStatistics, Capability.SupportedTrafficDirection, Capability.SupportedEgressProtocols);
public static final Service Lb = new Service("Lb", Capability.SupportedLBAlgorithms, Capability.SupportedLBIsolation,
Capability.SupportedProtocols, Capability.TrafficStatistics, Capability.LoadBalancingSupportedIps,
Capability.SupportedStickinessMethods, Capability.ElasticLb);
@@ -173,6 +173,8 @@ public interface Network extends ControlledEntity, InternalIdentity, Identity {
public static final Capability ElasticLb = new Capability("ElasticLb");
public static final Capability AutoScaleCounters = new Capability("AutoScaleCounters");
public static final Capability InlineMode = new Capability("InlineMode");
+ public static final Capability SupportedTrafficDirection = new Capability("SupportedTrafficDirection");
+ public static final Capability SupportedEgressProtocols = new Capability("SupportedEgressProtocols");
private String name;
@@ -287,6 +289,8 @@ public interface Network extends ControlledEntity, InternalIdentity, Identity {
void setPhysicalNetworkId(Long physicalNetworkId);
+ public void setTrafficType(TrafficType type);
+
ACLType getAclType();
boolean isRestartRequired();
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/api/src/com/cloud/network/NetworkProfile.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/NetworkProfile.java b/api/src/com/cloud/network/NetworkProfile.java
index b5c463d..bb59b04 100644
--- a/api/src/com/cloud/network/NetworkProfile.java
+++ b/api/src/com/cloud/network/NetworkProfile.java
@@ -226,4 +226,8 @@ public class NetworkProfile implements Network {
return vpcId;
}
+ @Override
+ public void setTrafficType(TrafficType type) {
+ this.trafficType = type;
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/api/src/com/cloud/network/firewall/FirewallService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/firewall/FirewallService.java b/api/src/com/cloud/network/firewall/FirewallService.java
index 3858499..419cc6a 100644
--- a/api/src/com/cloud/network/firewall/FirewallService.java
+++ b/api/src/com/cloud/network/firewall/FirewallService.java
@@ -27,7 +27,8 @@ import com.cloud.user.Account;
import com.cloud.utils.Pair;
public interface FirewallService {
- FirewallRule createFirewallRule(FirewallRule rule) throws NetworkRuleConflictException;
+ FirewallRule createIngressFirewallRule(FirewallRule rule) throws NetworkRuleConflictException;
+ FirewallRule createEgressFirewallRule(FirewallRule rule) throws NetworkRuleConflictException;
Pair<List<? extends FirewallRule>, Integer> listFirewallRules(ListFirewallRulesCmd cmd);
@@ -40,7 +41,8 @@ public interface FirewallService {
*/
boolean revokeFirewallRule(long ruleId, boolean apply);
- boolean applyFirewallRules(long ipId, Account caller) throws ResourceUnavailableException;
+ boolean applyEgressFirewallRules (FirewallRule rule, Account caller) throws ResourceUnavailableException;
+ boolean applyIngressFirewallRules(long Ipid , Account caller) throws ResourceUnavailableException;
FirewallRule getFirewallRule(long ruleId);
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/api/src/org/apache/cloudstack/api/command/user/firewall/CreateFirewallRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/CreateFirewallRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/CreateFirewallRuleCmd.java
index 0dcba5f..f5d7b1b 100644
--- a/api/src/org/apache/cloudstack/api/command/user/firewall/CreateFirewallRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/firewall/CreateFirewallRuleCmd.java
@@ -122,7 +122,7 @@ public class CreateFirewallRuleCmd extends BaseAsyncCreateCmd implements Firewal
FirewallRule rule = _entityMgr.findById(FirewallRule.class, getEntityId());
try {
UserContext.current().setEventDetails("Rule Id: " + getEntityId());
- success = _firewallService.applyFirewallRules(rule.getSourceIpAddressId(), callerContext.getCaller());
+ success = _firewallService.applyIngressFirewallRules(rule.getSourceIpAddressId(), callerContext.getCaller());
// State is different after the rule is applied, so get new object here
rule = _entityMgr.findById(FirewallRule.class, getEntityId());
@@ -238,7 +238,7 @@ public class CreateFirewallRuleCmd extends BaseAsyncCreateCmd implements Firewal
}
try {
- FirewallRule result = _firewallService.createFirewallRule(this);
+ FirewallRule result = _firewallService.createIngressFirewallRule(this);
setEntityId(result.getId());
setEntityUuid(result.getUuid());
} catch (NetworkRuleConflictException ex) {
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
index 7d8dbb0..53348c9 100644
--- a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
@@ -163,7 +163,7 @@ public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements P
UserContext.current().setEventDetails("Rule Id: " + getEntityId());
if (getOpenFirewall()) {
- success = success && _firewallService.applyFirewallRules(ipAddressId, callerContext.getCaller());
+ success = success && _firewallService.applyIngressFirewallRules(ipAddressId, callerContext.getCaller());
}
success = success && _rulesService.applyPortForwardingRules(ipAddressId, callerContext.getCaller());
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/api/src/org/apache/cloudstack/api/command/user/firewall/ListFirewallRulesCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/ListFirewallRulesCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/ListFirewallRulesCmd.java
index 80581fb..5062a4e 100644
--- a/api/src/org/apache/cloudstack/api/command/user/firewall/ListFirewallRulesCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/firewall/ListFirewallRulesCmd.java
@@ -56,6 +56,10 @@ public class ListFirewallRulesCmd extends BaseListTaggedResourcesCmd {
return ipAddressId;
}
+ public FirewallRule.TrafficType getTrafficType () {
+ return FirewallRule.TrafficType.Ingress;
+ }
+
public Long getId() {
return id;
}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/api/src/org/apache/cloudstack/api/command/user/loadbalancer/CreateLoadBalancerRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/CreateLoadBalancerRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/CreateLoadBalancerRuleCmd.java
index b42ff4c..28bde8f 100644
--- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/CreateLoadBalancerRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/CreateLoadBalancerRuleCmd.java
@@ -245,7 +245,7 @@ public class CreateLoadBalancerRuleCmd extends BaseAsyncCreateCmd /*implements
UserContext.current().setEventDetails("Rule Id: " + getEntityId());
if (getOpenFirewall()) {
- success = success && _firewallService.applyFirewallRules(getSourceIpAddressId(), callerContext.getCaller());
+ success = success && _firewallService.applyIngressFirewallRules(getSourceIpAddressId(), callerContext.getCaller());
}
// State might be different after the rule is applied, so get new object here
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/api/src/org/apache/cloudstack/api/command/user/nat/CreateIpForwardingRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/nat/CreateIpForwardingRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/nat/CreateIpForwardingRuleCmd.java
index c3894c4..7867f8d 100644
--- a/api/src/org/apache/cloudstack/api/command/user/nat/CreateIpForwardingRuleCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/nat/CreateIpForwardingRuleCmd.java
@@ -115,7 +115,7 @@ public class CreateIpForwardingRuleCmd extends BaseAsyncCreateCmd implements Sta
UserContext.current().setEventDetails("Rule Id: "+ getEntityId());
if (getOpenFirewall()) {
- result = result && _firewallService.applyFirewallRules(ipAddressId, UserContext.current().getCaller());
+ result = result && _firewallService.applyIngressFirewallRules(ipAddressId, UserContext.current().getCaller());
}
result = result && _rulesService.applyStaticNatRules(ipAddressId, UserContext.current().getCaller());
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/api/src/org/apache/cloudstack/api/response/FirewallResponse.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/response/FirewallResponse.java b/api/src/org/apache/cloudstack/api/response/FirewallResponse.java
index 2799256..d399590 100644
--- a/api/src/org/apache/cloudstack/api/response/FirewallResponse.java
+++ b/api/src/org/apache/cloudstack/api/response/FirewallResponse.java
@@ -40,6 +40,9 @@ public class FirewallResponse extends BaseResponse {
@SerializedName(ApiConstants.IP_ADDRESS_ID) @Param(description="the public ip address id for the firewall rule")
private Long publicIpAddressId;
+ @SerializedName(ApiConstants.NETWORK_ID) @Param(description="the network id of the firewall rule")
+ private Long networkId;
+
@SerializedName(ApiConstants.IP_ADDRESS) @Param(description="the public ip address for the firewall rule")
private String publicIpAddress;
@@ -82,6 +85,10 @@ public class FirewallResponse extends BaseResponse {
this.publicIpAddress = publicIpAddress;
}
+ public void setNetworkId(Long networkId) {
+ this.networkId = networkId;
+ }
+
public void setState(String state) {
this.state = state;
}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/client/tomcatconf/commands.properties.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/commands.properties.in b/client/tomcatconf/commands.properties.in
index 69161be..755a5f2 100644
--- a/client/tomcatconf/commands.properties.in
+++ b/client/tomcatconf/commands.properties.in
@@ -351,6 +351,11 @@ createFirewallRule=15
deleteFirewallRule=15
listFirewallRules=15
+####
+createEgressFirewallRule=15
+deleteEgressFirewallRule=15
+listEgressFirewallRules=15
+
#### hypervisor capabilities commands
updateHypervisorCapabilities=1
listHypervisorCapabilities=1
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
----------------------------------------------------------------------
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
index 18a0426..05107e7 100755
--- a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
@@ -69,12 +69,14 @@ import com.cloud.agent.api.routing.SetStaticRouteCommand;
import com.cloud.agent.api.routing.Site2SiteVpnCfgCommand;
import com.cloud.agent.api.routing.VmDataCommand;
import com.cloud.agent.api.routing.VpnUsersCfgCommand;
+import com.cloud.agent.api.to.FirewallRuleTO;
import com.cloud.agent.api.to.IpAddressTO;
import com.cloud.agent.api.to.PortForwardingRuleTO;
import com.cloud.agent.api.to.StaticNatRuleTO;
import com.cloud.exception.InternalErrorException;
import com.cloud.network.HAProxyConfigurator;
import com.cloud.network.LoadBalancerConfigurator;
+import com.cloud.network.rules.FirewallRule;
import com.cloud.utils.NumbersUtil;
import com.cloud.utils.component.Manager;
import com.cloud.utils.net.NetUtils;
@@ -214,11 +216,18 @@ public class VirtualRoutingResource implements Manager {
return new SetFirewallRulesAnswer(cmd, false, results);
}
+ FirewallRuleTO[] allrules = cmd.getRules();
+ FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
+
String[][] rules = cmd.generateFwRules();
final Script command = new Script(_firewallPath, _timeout, s_logger);
command.add(routerIp);
command.add("-F");
-
+
+ if (trafficType == FirewallRule.TrafficType.Egress){
+ command.add("-E");
+ }
+
StringBuilder sb = new StringBuilder();
String[] fwRules = rules[0];
if (fwRules.length > 0) {
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/patches/systemvm/debian/config/etc/iptables/iptables-router
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/etc/iptables/iptables-router b/patches/systemvm/debian/config/etc/iptables/iptables-router
index 28469fb..3f5bc5f 100644
--- a/patches/systemvm/debian/config/etc/iptables/iptables-router
+++ b/patches/systemvm/debian/config/etc/iptables/iptables-router
@@ -24,6 +24,7 @@ COMMIT
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
+:FW_OUTBOUND - [0:0]
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -37,10 +38,11 @@ COMMIT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A FORWARD -i eth0 -o eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
+-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/patches/systemvm/debian/config/opt/cloud/bin/ipassoc.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipassoc.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipassoc.sh
index 5af5d92..f326fac 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/ipassoc.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/ipassoc.sh
@@ -212,9 +212,9 @@ add_first_ip() {
ip_addr_add $ethDev $pubIp
sudo iptables -D FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
- sudo iptables -D FORWARD -i eth0 -o $ethDev -j ACCEPT
+ sudo iptables -D FORWARD -i eth0 -o $ethDev -j FW_OUTBOUND
sudo iptables -A FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
- sudo iptables -A FORWARD -i eth0 -o $ethDev -j ACCEPT
+ sudo iptables -A FORWARD -i eth0 -o $ethDev -j FW_OUTBOUND
add_snat $1
if [ $? -gt 0 -a $? -ne 2 ]
@@ -246,7 +246,7 @@ remove_first_ip() {
[ "$mask" == "" ] && mask="32"
sudo iptables -D FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
- sudo iptables -D FORWARD -i eth0 -o $ethDev -j ACCEPT
+ sudo iptables -D FORWARD -i eth0 -o $ethDev -j FW_OUTBOUND
remove_snat $1
sudo ip addr del dev $ethDev "$ipNoMask/$mask"
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
index dd917f7..96c4348 100755
--- a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
+++ b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
@@ -153,6 +153,7 @@ import com.cloud.agent.api.storage.CreatePrivateTemplateAnswer;
import com.cloud.agent.api.storage.DestroyCommand;
import com.cloud.agent.api.storage.PrimaryStorageDownloadAnswer;
import com.cloud.agent.api.storage.PrimaryStorageDownloadCommand;
+import com.cloud.agent.api.to.FirewallRuleTO;
import com.cloud.agent.api.to.IpAddressTO;
import com.cloud.agent.api.to.NicTO;
import com.cloud.agent.api.to.PortForwardingRuleTO;
@@ -190,6 +191,7 @@ import com.cloud.network.HAProxyConfigurator;
import com.cloud.network.LoadBalancerConfigurator;
import com.cloud.network.Networks;
import com.cloud.network.Networks.BroadcastDomainType;
+import com.cloud.network.rules.FirewallRule;
import com.cloud.resource.ServerResource;
import com.cloud.serializer.GsonHelper;
import com.cloud.storage.Storage;
@@ -618,10 +620,16 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
protected SetFirewallRulesAnswer execute(SetFirewallRulesCommand cmd) {
String controlIp = getRouterSshControlIp(cmd);
String[] results = new String[cmd.getRules().length];
+ FirewallRuleTO[] allrules = cmd.getRules();
+ FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
String[][] rules = cmd.generateFwRules();
String args = "";
args += " -F ";
+ if (trafficType == FirewallRule.TrafficType.Egress){
+ args+= " -E ";
+ }
+
StringBuilder sb = new StringBuilder();
String[] fwRules = rules[0];
if (fwRules.length > 0) {
@@ -634,13 +642,28 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
try {
VmwareManager mgr = getServiceContext().getStockObject(
VmwareManager.CONTEXT_STOCK_NAME);
- Pair<Boolean, String> result = SshHelper.sshExecute(controlIp,
+
+ Pair<Boolean, String> result = null;
+
+ if (trafficType == FirewallRule.TrafficType.Egress){
+ result = SshHelper.sshExecute(controlIp,
+ DEFAULT_DOMR_SSHPORT, "root", mgr.getSystemVMKeyFile(),
+ null, "/root/firewallRule_egress.sh " + args);
+ } else {
+ result = SshHelper.sshExecute(controlIp,
DEFAULT_DOMR_SSHPORT, "root", mgr.getSystemVMKeyFile(),
null, "/root/firewall_rule.sh " + args);
+ }
- if (s_logger.isDebugEnabled())
+ if (s_logger.isDebugEnabled()) {
+ if (trafficType == FirewallRule.TrafficType.Egress){
+ s_logger.debug("Executing script on domain router " + controlIp
+ + ": /root/firewallRule_egress.sh " + args);
+ } else {
s_logger.debug("Executing script on domain router " + controlIp
+ ": /root/firewall_rule.sh " + args);
+ }
+ }
if (!result.first()) {
s_logger.error("SetFirewallRulesCommand failure on setting one rule. args: "
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index 065d3be..e9690eb 100644
--- a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@@ -53,6 +53,8 @@ import javax.ejb.Local;
import javax.naming.ConfigurationException;
import javax.xml.parsers.DocumentBuilderFactory;
+import com.cloud.agent.api.to.*;
+import com.cloud.network.rules.FirewallRule;
import org.apache.log4j.Logger;
import org.apache.xmlrpc.XmlRpcException;
import org.w3c.dom.Document;
@@ -7182,14 +7184,18 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
String callResult;
Connection conn = getConnection();
String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
-
+ FirewallRuleTO[] allrules = cmd.getRules();
+ FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
if (routerIp == null) {
return new SetFirewallRulesAnswer(cmd, false, results);
}
String[][] rules = cmd.generateFwRules();
String args = "";
- args += routerIp + " -F ";
+ args += routerIp + " -F";
+ if (trafficType == FirewallRule.TrafficType.Egress){
+ args+= " -E";
+ }
StringBuilder sb = new StringBuilder();
String[] fwRules = rules[0];
if (fwRules.length > 0) {
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java b/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
index 5038cc8..c2874aa 100644
--- a/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
+++ b/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
@@ -277,6 +277,7 @@ public class JuniperSRXExternalFirewallElement extends ExternalFirewallDeviceMan
firewallCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp");
firewallCapabilities.put(Capability.MultipleIps, "true");
firewallCapabilities.put(Capability.TrafficStatistics, "per public ip");
+ firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress");
capabilities.put(Service.Firewall, firewallCapabilities);
// Disabling VPN for Juniper in Acton as it 1) Was never tested 2) probably just doesn't work
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/scripts/network/domr/call_firewall.sh
----------------------------------------------------------------------
diff --git a/scripts/network/domr/call_firewall.sh b/scripts/network/domr/call_firewall.sh
index 08da341..f6ad0be 100755
--- a/scripts/network/domr/call_firewall.sh
+++ b/scripts/network/domr/call_firewall.sh
@@ -46,28 +46,25 @@ then
exit 1
fi
fflag=
-while getopts ':F' OPTION
+eflag=
+while getopts ':FE' OPTION
do
case $OPTION in
F) fflag=1
- ;;
+ ;;
+ E) eflag=1
+ ;;
\?) ;;
esac
done
-if [ -n "$fflag" ]
+if [ -n "$eflag" ]
+then
+ ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewallRule_egress.sh $*"
+elif [ -n "$fflag" ]
then
ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall_rule.sh $*"
else
ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall.sh $*"
fi
exit $?
-
-
-
-
-
-
-
-
-
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/api/ApiResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index 1c8849a..641f25b 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -2313,10 +2313,15 @@ public class ApiResponseHelper implements ResponseGenerator {
List<String> cidrs = ApiDBUtils.findFirewallSourceCidrs(fwRule.getId());
response.setCidrList(StringUtils.join(cidrs, ","));
-
- IpAddress ip = ApiDBUtils.findIpAddressById(fwRule.getSourceIpAddressId());
- response.setPublicIpAddressId(ip.getId());
- response.setPublicIpAddress(ip.getAddress().addr());
+
+ if (fwRule.getTrafficType() == FirewallRule.TrafficType.Ingress) {
+ IpAddress ip = ApiDBUtils.findIpAddressById(fwRule.getSourceIpAddressId());
+ response.setPublicIpAddressId(ip.getId());
+ response.setPublicIpAddress(ip.getAddress().addr());
+ } else if (fwRule.getTrafficType() == FirewallRule.TrafficType.Egress) {
+ response.setPublicIpAddress(null);
+ response.setNetworkId(fwRule.getNetworkId());
+ }
FirewallRule.State state = fwRule.getState();
String stateToSet = state.toString();
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/network/NetworkManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index 6c7377f..0a4851f 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -2285,20 +2285,23 @@ public class NetworkManagerImpl implements NetworkManager, Manager, Listener {
boolean success = true;
Network network = _networksDao.findById(rules.get(0).getNetworkId());
-
- // get the list of public ip's owned by the network
- List<IPAddressVO> userIps = _ipAddressDao.listByAssociatedNetwork(network.getId(), null);
- List<PublicIp> publicIps = new ArrayList<PublicIp>();
- if (userIps != null && !userIps.isEmpty()) {
- for (IPAddressVO userIp : userIps) {
+ FirewallRuleVO.TrafficType trafficType = rules.get(0).getTrafficType();
+ List<PublicIp> publicIps = new ArrayList<PublicIp>();
+
+ if (! (rules.get(0).getPurpose() == FirewallRule.Purpose.Firewall && trafficType == FirewallRule.TrafficType.Egress)) {
+ // get the list of public ip's owned by the network
+ List<IPAddressVO> userIps = _ipAddressDao.listByAssociatedNetwork(network.getId(), null);
+ if (userIps != null && !userIps.isEmpty()) {
+ for (IPAddressVO userIp : userIps) {
PublicIp publicIp = new PublicIp(userIp, _vlanDao.findById(userIp.getVlanId()), NetUtils.createSequenceBasedMacAddress(userIp.getMacAddress()));
publicIps.add(publicIp);
- }
- }
+ }
+ }
// rules can not programmed unless IP is associated with network service provider, so run IP assoication for
// the network so as to ensure IP is associated before applying rules (in add state)
applyIpAssociations(network, false, continueOnError, publicIps);
+ }
try {
applier.applyRules(network, purpose, rules);
@@ -2310,8 +2313,10 @@ public class NetworkManagerImpl implements NetworkManager, Manager, Listener {
success = false;
}
- // if all the rules configured on public IP are revoked then dis-associate IP with network service provider
- applyIpAssociations(network, true, continueOnError, publicIps);
+ if (! (rules.get(0).getPurpose() == FirewallRule.Purpose.Firewall && trafficType == FirewallRule.TrafficType.Egress) ) {
+ // if all the rules configured on public IP are revoked then dis-associate IP with network service provider
+ applyIpAssociations(network, true, continueOnError, publicIps);
+ }
return success;
}
@@ -2460,9 +2465,15 @@ public class NetworkManagerImpl implements NetworkManager, Manager, Listener {
}
// apply firewall rules
- List<FirewallRuleVO> firewallRulesToApply = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.Firewall);
- if (!_firewallMgr.applyFirewallRules(firewallRulesToApply, false, caller)) {
- s_logger.warn("Failed to reapply firewall rule(s) as a part of network id=" + networkId + " restart");
+ List<FirewallRuleVO> firewallIngressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Ingress);
+ if (!_firewallMgr.applyFirewallRules(firewallIngressRulesToApply, false, caller)) {
+ s_logger.warn("Failed to reapply Ingress firewall rule(s) as a part of network id=" + networkId + " restart");
+ success = false;
+ }
+
+ List<FirewallRuleVO> firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
+ if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) {
+ s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart");
success = false;
}
@@ -3027,23 +3038,43 @@ public class NetworkManagerImpl implements NetworkManager, Manager, Listener {
}
// revoke all firewall rules for the network w/o applying them on the DB
- List<FirewallRuleVO> firewallRules = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.Firewall);
+ List<FirewallRuleVO> firewallRules = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Ingress);
if (s_logger.isDebugEnabled()) {
- s_logger.debug("Releasing " + firewallRules.size() + " firewall rules for network id=" + networkId + " as a part of shutdownNetworkRules");
+ s_logger.debug("Releasing " + firewallRules.size() + " firewall ingress rules for network id=" + networkId + " as a part of shutdownNetworkRules");
}
for (FirewallRuleVO firewallRule : firewallRules) {
- s_logger.trace("Marking firewall rule " + firewallRule + " with Revoke state");
+ s_logger.trace("Marking firewall ingress rule " + firewallRule + " with Revoke state");
firewallRule.setState(FirewallRule.State.Revoke);
}
try {
if (!_firewallMgr.applyRules(firewallRules, true, false)) {
- s_logger.warn("Failed to cleanup firewall rules as a part of shutdownNetworkRules");
+ s_logger.warn("Failed to cleanup firewall ingress rules as a part of shutdownNetworkRules");
+ success = false;
+ }
+ } catch (ResourceUnavailableException ex) {
+ s_logger.warn("Failed to cleanup firewall ingress rules as a part of shutdownNetworkRules due to ", ex);
+ success = false;
+ }
+
+ List<FirewallRuleVO> firewallEgressRules = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Releasing " + firewallEgressRules.size() + " firewall egress rules for network id=" + networkId + " as a part of shutdownNetworkRules");
+ }
+
+ for (FirewallRuleVO firewallRule : firewallEgressRules) {
+ s_logger.trace("Marking firewall egress rule " + firewallRule + " with Revoke state");
+ firewallRule.setState(FirewallRule.State.Revoke);
+ }
+
+ try {
+ if (!_firewallMgr.applyRules(firewallEgressRules, true, false)) {
+ s_logger.warn("Failed to cleanup firewall egress rules as a part of shutdownNetworkRules");
success = false;
}
} catch (ResourceUnavailableException ex) {
- s_logger.warn("Failed to cleanup firewall rules as a part of shutdownNetworkRules due to ", ex);
+ s_logger.warn("Failed to cleanup firewall egress rules as a part of shutdownNetworkRules due to ", ex);
success = false;
}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/network/dao/FirewallRulesDao.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/dao/FirewallRulesDao.java b/server/src/com/cloud/network/dao/FirewallRulesDao.java
index cc184c8..b5b7f99 100644
--- a/server/src/com/cloud/network/dao/FirewallRulesDao.java
+++ b/server/src/com/cloud/network/dao/FirewallRulesDao.java
@@ -56,6 +56,7 @@ public interface FirewallRulesDao extends GenericDao<FirewallRuleVO, Long> {
long countRulesByIpId(long sourceIpId);
List<FirewallRuleVO> listByNetworkPurposeTrafficTypeAndNotRevoked(long networkId, FirewallRule.Purpose purpose, FirewallRule.TrafficType trafficType);
-
+ List<FirewallRuleVO> listByNetworkPurposeTrafficType(long networkId, FirewallRule.Purpose purpose, FirewallRule.TrafficType trafficType);
+
List<FirewallRuleVO> listByIpAndPurposeWithState(Long addressId, FirewallRule.Purpose purpose, FirewallRule.State state);
}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java b/server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java
index 2fff15a..8bc0c47 100644
--- a/server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java
+++ b/server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java
@@ -67,6 +67,7 @@ public class FirewallRulesDaoImpl extends GenericDaoBase<FirewallRuleVO, Long> i
AllFieldsSearch.and("id", AllFieldsSearch.entity().getId(), Op.EQ);
AllFieldsSearch.and("networkId", AllFieldsSearch.entity().getNetworkId(), Op.EQ);
AllFieldsSearch.and("related", AllFieldsSearch.entity().getRelated(), Op.EQ);
+ AllFieldsSearch.and("trafficType", AllFieldsSearch.entity().getTrafficType(), Op.EQ);
AllFieldsSearch.done();
NotRevokedSearch = createSearchBuilder();
@@ -162,6 +163,20 @@ public class FirewallRulesDaoImpl extends GenericDaoBase<FirewallRuleVO, Long> i
}
@Override
+ public List<FirewallRuleVO> listByNetworkPurposeTrafficTypeAndNotRevoked(long networkId, FirewallRule.Purpose purpose, TrafficType trafficType) {
+ SearchCriteria<FirewallRuleVO> sc = NotRevokedSearch.create();
+ sc.setParameters("networkId", networkId);
+ sc.setParameters("state", State.Revoke);
+ if (purpose != null) {
+ sc.setParameters("purpose", purpose);
+ }
+ sc.setParameters("trafficType", trafficType);
+
+ return listBy(sc);
+ }
+
+
+ @Override
public boolean setStateToAdd(FirewallRuleVO rule) {
SearchCriteria<FirewallRuleVO> sc = AllFieldsSearch.create();
sc.setParameters("id", rule.getId());
@@ -275,10 +290,9 @@ public class FirewallRulesDaoImpl extends GenericDaoBase<FirewallRuleVO, Long> i
}
@Override
- public List<FirewallRuleVO> listByNetworkPurposeTrafficTypeAndNotRevoked(long networkId, Purpose purpose, TrafficType trafficType) {
- SearchCriteria<FirewallRuleVO> sc = NotRevokedSearch.create();
+ public List<FirewallRuleVO> listByNetworkPurposeTrafficType(long networkId, Purpose purpose, TrafficType trafficType) {
+ SearchCriteria<FirewallRuleVO> sc = AllFieldsSearch.create();
sc.setParameters("networkId", networkId);
- sc.setParameters("state", State.Revoke);
if (purpose != null) {
sc.setParameters("purpose", purpose);
@@ -288,6 +302,8 @@ public class FirewallRulesDaoImpl extends GenericDaoBase<FirewallRuleVO, Long> i
return listBy(sc);
}
+
+ @Override
@DB
public boolean remove(Long id) {
Transaction txn = Transaction.currentTxn();
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/network/element/VirtualRouterElement.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/element/VirtualRouterElement.java b/server/src/com/cloud/network/element/VirtualRouterElement.java
index 0ea06e1..8293ad7 100755
--- a/server/src/com/cloud/network/element/VirtualRouterElement.java
+++ b/server/src/com/cloud/network/element/VirtualRouterElement.java
@@ -565,6 +565,8 @@ public class VirtualRouterElement extends AdapterBase implements VirtualRouterEl
Map<Capability, String> firewallCapabilities = new HashMap<Capability, String>();
firewallCapabilities.put(Capability.TrafficStatistics, "per public ip");
firewallCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp");
+ firewallCapabilities.put(Capability.SupportedEgressProtocols, "tcp,udp,icmp, all");
+ firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress, egress");
firewallCapabilities.put(Capability.MultipleIps, "true");
capabilities.put(Service.Firewall, firewallCapabilities);
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
index 7bab1ba..d4958f3 100644
--- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -29,6 +29,12 @@ import javax.naming.ConfigurationException;
import org.apache.cloudstack.api.command.user.firewall.ListFirewallRulesCmd;
import org.apache.log4j.Logger;
+import com.mysql.jdbc.ConnectionPropertiesImpl;
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.api.BaseListCmd;
+import org.apache.cloudstack.api.command.user.firewall.ListEgressFirewallRulesCmd;
+import org.apache.cloudstack.api.command.user.firewall.ListFirewallRulesCmd;
import com.cloud.configuration.Config;
import com.cloud.configuration.dao.ConfigurationDao;
import com.cloud.domain.dao.DomainDao;
@@ -43,8 +49,10 @@ import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.IPAddressVO;
import com.cloud.network.IpAddress;
import com.cloud.network.Network;
+import com.cloud.network.NetworkVO;
import com.cloud.network.Network.Capability;
import com.cloud.network.Network.Service;
+import com.cloud.network.Networks.TrafficType;
import com.cloud.network.NetworkManager;
import com.cloud.network.NetworkModel;
import com.cloud.network.NetworkRuleApplier;
@@ -166,32 +174,44 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
}
@Override
- public FirewallRule createFirewallRule(FirewallRule rule) throws NetworkRuleConflictException {
+ public FirewallRule createEgressFirewallRule(FirewallRule rule) throws NetworkRuleConflictException {
Account caller = UserContext.current().getCaller();
- return createFirewallRule(rule.getSourceIpAddressId(), caller, rule.getXid(), rule.getSourcePortStart(),
+ return createFirewallRule(null, caller, rule.getXid(), rule.getSourcePortStart(),
rule.getSourcePortEnd(), rule.getProtocol(), rule.getSourceCidrList(), rule.getIcmpCode(),
- rule.getIcmpType(), null, rule.getType(), rule.getNetworkId());
+ rule.getIcmpType(), null, rule.getType(), rule.getNetworkId(), rule.getTrafficType());
}
+ public FirewallRule createIngressFirewallRule(FirewallRule rule) throws NetworkRuleConflictException {
+ Account caller = UserContext.current().getCaller();
+ Long sourceIpAddressId = rule.getSourceIpAddressId();
+
+ return createFirewallRule(sourceIpAddressId, caller, rule.getXid(), rule.getSourcePortStart(),
+ rule.getSourcePortEnd(), rule.getProtocol(), rule.getSourceCidrList(), rule.getIcmpCode(),
+ rule.getIcmpType(), null, rule.getType(), rule.getNetworkId(), rule.getTrafficType());
+ }
+
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_FIREWALL_OPEN, eventDescription = "creating firewall rule", create = true)
- public FirewallRule createFirewallRule(long ipAddrId, Account caller, String xId, Integer portStart,
- Integer portEnd, String protocol, List<String> sourceCidrList, Integer icmpCode, Integer icmpType,
- Long relatedRuleId, FirewallRule.FirewallRuleType type, long networkId) throws NetworkRuleConflictException {
-
- IPAddressVO ipAddress = _ipAddressDao.findById(ipAddrId);
- // Validate ip address
- if (ipAddress == null && type == FirewallRule.FirewallRuleType.User) {
- throw new InvalidParameterValueException("Unable to create firewall rule; ip id=" + ipAddrId +
- " doesn't exist in the system");
- }
-
- _networkModel.checkIpForService(ipAddress, Service.Firewall, null);
-
- validateFirewallRule(caller, ipAddress, portStart, portEnd, protocol, Purpose.Firewall, type);
-
+ public FirewallRule createFirewallRule(Long ipAddrId, Account caller, String xId, Integer portStart,
+ Integer portEnd, String protocol, List<String> sourceCidrList, Integer icmpCode, Integer icmpType,
+ Long relatedRuleId, FirewallRule.FirewallRuleType type, Long networkId, FirewallRule.TrafficType trafficType) throws NetworkRuleConflictException {
+
+ IPAddressVO ipAddress = null;
+ if (ipAddrId != null){
+ // this for ingress firewall rule, for egress id is null
+ ipAddress = _ipAddressDao.findById(ipAddrId);
+ // Validate ip address
+ if (ipAddress == null && type == FirewallRule.FirewallRuleType.User) {
+ throw new InvalidParameterValueException("Unable to create firewall rule; " +
+ "couldn't locate IP address by id in the system");
+ }
+ _networkModel.checkIpForService(ipAddress, Service.Firewall, null);
+ }
+
+ validateFirewallRule(caller, ipAddress, portStart, portEnd, protocol, Purpose.Firewall, type, networkId, trafficType);
+
// icmp code and icmp type can't be passed in for any other protocol rather than icmp
if (!protocol.equalsIgnoreCase(NetUtils.ICMP_PROTO) && (icmpCode != null || icmpType != null)) {
throw new InvalidParameterValueException("Can specify icmpCode and icmpType for ICMP protocol only");
@@ -205,15 +225,21 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
Long domainId = null;
if (ipAddress != null) {
+ //Ingress firewall rule
accountId = ipAddress.getAllocatedToAccountId();
domainId = ipAddress.getAllocatedInDomainId();
+ } else if (networkId != null) {
+ //egress firewall rule
+ Network network = _networkModel.getNetwork(networkId);
+ accountId = network.getAccountId();
+ domainId = network.getDomainId();
}
Transaction txn = Transaction.currentTxn();
txn.start();
FirewallRuleVO newRule = new FirewallRuleVO(xId, ipAddrId, portStart, portEnd, protocol.toLowerCase(), networkId,
- accountId, domainId, Purpose.Firewall, sourceCidrList, icmpCode, icmpType, relatedRuleId, null);
+ accountId, domainId, Purpose.Firewall, sourceCidrList, icmpCode, icmpType, relatedRuleId, trafficType);
newRule.setType(type);
newRule = _firewallDao.persist(newRule);
@@ -234,7 +260,9 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
public Pair<List<? extends FirewallRule>, Integer> listFirewallRules(ListFirewallRulesCmd cmd) {
Long ipId = cmd.getIpAddressId();
Long id = cmd.getId();
+ Long networkId = null;
Map<String, String> tags = cmd.getTags();
+ FirewallRule.TrafficType trafficType = cmd.getTrafficType();
Account caller = UserContext.current().getCaller();
List<Long> permittedAccounts = new ArrayList<Long>();
@@ -258,7 +286,13 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
_accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), Op.EQ);
- sb.and("ip", sb.entity().getSourceIpAddressId(), Op.EQ);
+ sb.and("trafficType", sb.entity().getTrafficType(), Op.EQ);
+ if (cmd instanceof ListEgressFirewallRulesCmd ) {
+ networkId =((ListEgressFirewallRulesCmd)cmd).getNetworkId();
+ sb.and("networkId", sb.entity().getNetworkId(), Op.EQ);
+ } else {
+ sb.and("ip", sb.entity().getSourceIpAddressId(), Op.EQ);
+ }
sb.and("purpose", sb.entity().getPurpose(), Op.EQ);
@@ -293,9 +327,14 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
if (ipId != null) {
sc.setParameters("ip", ipId);
+ } else if (cmd instanceof ListEgressFirewallRulesCmd) {
+ if (networkId != null) {
+ sc.setParameters("networkId", networkId);
+ }
}
sc.setParameters("purpose", Purpose.Firewall);
+ sc.setParameters("trafficType", trafficType);
Pair<List<FirewallRuleVO>, Integer> result = _firewallDao.searchAndCount(sc, filter);
return new Pair<List<? extends FirewallRule>, Integer>(result.first(), result.second());
@@ -303,10 +342,17 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
@Override
public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflictException {
+ List<FirewallRuleVO> rules;
+ if(newRule.getSourceIpAddressId() != null){
+ rules = _firewallDao.listByIpAndPurposeAndNotRevoked(newRule.getSourceIpAddressId(), null);
+ assert (rules.size() >= 1) : "For network rules, we now always first persist the rule and then check for " +
+ "network conflicts so we should at least have one rule at this point.";
+ } else {
+ // fetches only firewall egress rules.
+ rules = _firewallDao.listByNetworkPurposeTrafficTypeAndNotRevoked(newRule.getNetworkId(), Purpose.Firewall, newRule.getTrafficType());
+ assert (rules.size() >= 1);
+ }
- List<FirewallRuleVO> rules = _firewallDao.listByIpAndPurposeAndNotRevoked(newRule.getSourceIpAddressId(), null);
- assert (rules.size() >= 1) : "For network rules, we now always first persist the rule and then check for " +
- "network conflicts so we should at least have one rule at this point.";
for (FirewallRuleVO rule : rules) {
if (rule.getId() == newRule.getId()) {
@@ -394,7 +440,7 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
@Override
public void validateFirewallRule(Account caller, IPAddressVO ipAddress, Integer portStart, Integer portEnd,
- String proto, Purpose purpose, FirewallRuleType type) {
+ String proto, Purpose purpose, FirewallRuleType type, Long networkId, FirewallRule.TrafficType trafficType ) {
if (portStart != null && !NetUtils.isValidPort(portStart)) {
throw new InvalidParameterValueException("publicPort is an invalid value: " + portStart);
}
@@ -411,38 +457,56 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
return;
}
- // Validate ip address
- _accountMgr.checkAccess(caller, null, true, ipAddress);
+ if (ipAddress!=null){
+ if (ipAddress.getAssociatedWithNetworkId() == null) {
+ throw new InvalidParameterValueException("Unable to create firewall rule ; ip with specified id is not associated with any network");
+ } else {
+ networkId = ipAddress.getAssociatedWithNetworkId();
+ }
- Long networkId = null;
+ // Validate ip address
+ _accountMgr.checkAccess(caller, null, true, ipAddress);
- if (ipAddress.getAssociatedWithNetworkId() == null) {
- throw new InvalidParameterValueException("Unable to create firewall rule ; ip id=" +
- ipAddress.getId() + " is not associated with any network");
- } else {
- networkId = ipAddress.getAssociatedWithNetworkId();
- }
+ Network network = _networkModel.getNetwork(networkId);
+ assert network != null : "Can't create port forwarding rule as network associated with public ip address is null?";
- Network network = _networkModel.getNetwork(networkId);
- assert network != null : "Can't create port forwarding rule as network associated with public ip address is null?";
+ if (trafficType == FirewallRule.TrafficType.Egress) {
+ _accountMgr.checkAccess(caller, null, true, network);
+ }
- // Verify that the network guru supports the protocol specified
- Map<Network.Capability, String> caps = null;
+ // Verify that the network guru supports the protocol specified
+ Map<Network.Capability, String> caps = null;
- if (purpose == Purpose.LoadBalancing) {
- if (!_elbEnabled) {
- caps = _networkModel.getNetworkServiceCapabilities(network.getId(), Service.Lb);
+ if (purpose == Purpose.LoadBalancing) {
+ if (!_elbEnabled) {
+ caps = _networkModel.getNetworkServiceCapabilities(network.getId(), Service.Lb);
+ }
+ } else if (purpose == Purpose.PortForwarding) {
+ caps = _networkModel.getNetworkServiceCapabilities(network.getId(), Service.PortForwarding);
+ }else if (purpose == Purpose.Firewall){
+ caps = _networkModel.getNetworkServiceCapabilities(network.getId(),Service.Firewall);
}
- } else if (purpose == Purpose.PortForwarding) {
- caps = _networkModel.getNetworkServiceCapabilities(network.getId(), Service.PortForwarding);
- }
- if (caps != null) {
- String supportedProtocols = caps.get(Capability.SupportedProtocols).toLowerCase();
- if (!supportedProtocols.contains(proto.toLowerCase())) {
- throw new InvalidParameterValueException("Protocol " + proto + " is not supported in zone " + network.getDataCenterId());
- } else if (proto.equalsIgnoreCase(NetUtils.ICMP_PROTO) && purpose != Purpose.Firewall) {
- throw new InvalidParameterValueException("Protocol " + proto + " is currently supported only for rules with purpose " + Purpose.Firewall);
+ if (caps != null) {
+ String supportedProtocols;
+ String supportedTrafficTypes = null;
+ if (purpose == FirewallRule.Purpose.Firewall) {
+ supportedTrafficTypes = caps.get(Capability.SupportedTrafficDirection).toLowerCase();
+ }
+
+ if (purpose == FirewallRule.Purpose.Firewall && trafficType == FirewallRule.TrafficType.Egress) {
+ supportedProtocols = caps.get(Capability.SupportedEgressProtocols).toLowerCase();
+ } else {
+ supportedProtocols = caps.get(Capability.SupportedProtocols).toLowerCase();
+ }
+
+ if (!supportedProtocols.contains(proto.toLowerCase())) {
+ throw new InvalidParameterValueException("Protocol " + proto + " is not supported in zone " + network.getDataCenterId());
+ } else if (proto.equalsIgnoreCase(NetUtils.ICMP_PROTO) && purpose != Purpose.Firewall) {
+ throw new InvalidParameterValueException("Protocol " + proto + " is currently supported only for rules with purpose " + Purpose.Firewall);
+ } else if (purpose == Purpose.Firewall && !supportedTrafficTypes.contains(trafficType.toString().toLowerCase())) {
+ throw new InvalidParameterValueException("Traffic Type " + trafficType + " is currently supported by Firewall in network " + networkId);
+ }
}
}
}
@@ -536,12 +600,18 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
}
@Override
- public boolean applyFirewallRules(long ipId, Account caller) throws ResourceUnavailableException {
+ public boolean applyIngressFirewallRules(long ipId, Account caller) throws ResourceUnavailableException {
List<FirewallRuleVO> rules = _firewallDao.listByIpAndPurpose(ipId, Purpose.Firewall);
return applyFirewallRules(rules, false, caller);
}
@Override
+ public boolean applyEgressFirewallRules (FirewallRule rule, Account caller) throws ResourceUnavailableException {
+ List<FirewallRuleVO> rules = _firewallDao.listByNetworkPurposeTrafficType(rule.getNetworkId(), Purpose.Firewall, FirewallRule.TrafficType.Egress);
+ return applyFirewallRules(rules, false, caller);
+ }
+
+ @Override
public boolean applyFirewallRules(List<FirewallRuleVO> rules, boolean continueOnError, Account caller) {
if (rules.size() == 0) {
@@ -588,10 +658,19 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
revokeRule(rule, caller, userId, false);
boolean success = false;
+ Long networkId = rule.getNetworkId();
if (apply) {
- List<FirewallRuleVO> rules = _firewallDao.listByIpAndPurpose(rule.getSourceIpAddressId(), Purpose.Firewall);
- return applyFirewallRules(rules, false, caller);
+ // ingress firewall rule
+ if (rule.getSourceIpAddressId() != null){
+ //feteches ingress firewall, ingress firewall rules associated with the ip
+ List<FirewallRuleVO> rules = _firewallDao.listByIpAndPurpose(rule.getSourceIpAddressId(), Purpose.Firewall);
+ return applyFirewallRules(rules, false, caller);
+ //egress firewall rule
+ } else if ( networkId != null){
+ List<FirewallRuleVO> rules = _firewallDao.listByNetworkPurposeTrafficType(rule.getNetworkId(), Purpose.Firewall, FirewallRule.TrafficType.Egress);
+ return applyFirewallRules(rules, false, caller);
+ }
} else {
success = true;
}
@@ -686,7 +765,7 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
List<String> oneCidr = new ArrayList<String>();
oneCidr.add(NetUtils.ALL_CIDRS);
return createFirewallRule(ipAddrId, caller, null, startPort, endPort, protocol, oneCidr, icmpCode, icmpType,
- relatedRuleId, FirewallRule.FirewallRuleType.User, networkId);
+ relatedRuleId, FirewallRule.FirewallRuleType.User, networkId, FirewallRule.TrafficType.Ingress);
}
@Override
@@ -778,7 +857,7 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
for (Long ipId : ipsToReprogram) {
s_logger.debug("Applying firewall rules for ip address id=" + ipId + " as a part of vm expunge");
try {
- success = success && applyFirewallRules(ipId, _accountMgr.getSystemAccount());
+ success = success && applyIngressFirewallRules(ipId, _accountMgr.getSystemAccount());
} catch (ResourceUnavailableException ex) {
s_logger.warn("Failed to apply port forwarding rules for ip id=" + ipId);
success = false;
@@ -794,7 +873,7 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ne
for (FirewallRuleVO rule : systemRules) {
try {
this.createFirewallRule(ip.getId(), acct, rule.getXid(), rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getProtocol(),
- rule.getSourceCidrList(), rule.getIcmpCode(), rule.getIcmpType(), rule.getRelated(), FirewallRuleType.System, rule.getNetworkId());
+ rule.getSourceCidrList(), rule.getIcmpCode(), rule.getIcmpType(), rule.getRelated(), FirewallRuleType.System, rule.getNetworkId(), rule.getTrafficType());
} catch (Exception e) {
s_logger.debug("Failed to add system wide firewall rule, due to:" + e.toString());
}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
index dfd5232..482c1fe 100755
--- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
+++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
@@ -1054,9 +1054,6 @@ public class LoadBalancingRulesManagerImpl<Type> implements LoadBalancingRulesMa
throw ex;
}
- _firewallMgr.validateFirewallRule(caller.getCaller(), ipAddr, srcPortStart, srcPortEnd, lb.getProtocol(),
- Purpose.LoadBalancing, FirewallRuleType.User);
-
Long networkId = ipAddr.getAssociatedWithNetworkId();
if (networkId == null) {
InvalidParameterValueException ex = new InvalidParameterValueException("Unable to create load balancer rule ; specified sourceip id is not associated with any network");
@@ -1064,6 +1061,10 @@ public class LoadBalancingRulesManagerImpl<Type> implements LoadBalancingRulesMa
throw ex;
}
+
+ _firewallMgr.validateFirewallRule(caller.getCaller(), ipAddr, srcPortStart, srcPortEnd, lb.getProtocol(),
+ Purpose.LoadBalancing, FirewallRuleType.User, networkId, null);
+
NetworkVO network = _networkDao.findById(networkId);
_accountMgr.checkAccess(caller.getCaller(), null, true, ipAddr);
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index 156c3a6..132dbaa 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -40,8 +40,8 @@ import java.util.concurrent.TimeUnit;
import javax.ejb.Local;
import javax.naming.ConfigurationException;
-
import org.apache.cloudstack.api.command.admin.router.UpgradeRouterCmd;
+import com.cloud.agent.api.to.*;
import org.apache.log4j.Logger;
import com.cloud.agent.AgentManager;
@@ -2224,13 +2224,25 @@ public class VirtualNetworkApplianceManagerImpl implements VirtualNetworkApplian
s_logger.debug("Resending ipAssoc, port forwarding, load balancing rules as a part of Virtual router start");
ArrayList<? extends PublicIpAddress> publicIps = getPublicIpsToApply(router, provider, guestNetworkId);
+ List<FirewallRule> firewallRulesEgress = new ArrayList<FirewallRule>();
+
+ // Fetch firewall Egress rules.
+ if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall, provider)) {
+ firewallRulesEgress.addAll(_rulesDao.listByNetworkPurposeTrafficType(guestNetworkId, Purpose.Firewall,FirewallRule.TrafficType.Egress));
+ }
+
+ // Re-apply firewall Egress rules
+ s_logger.debug("Found " + firewallRulesEgress.size() + " firewall Egress rule(s) to apply as a part of domR " + router + " start.");
+ if (!firewallRulesEgress.isEmpty()) {
+ createFirewallRulesCommands(firewallRulesEgress, router, cmds, guestNetworkId);
+ }
if (publicIps != null && !publicIps.isEmpty()) {
List<RemoteAccessVpn> vpns = new ArrayList<RemoteAccessVpn>();
List<PortForwardingRule> pfRules = new ArrayList<PortForwardingRule>();
List<FirewallRule> staticNatFirewallRules = new ArrayList<FirewallRule>();
List<StaticNat> staticNats = new ArrayList<StaticNat>();
- List<FirewallRule> firewallRules = new ArrayList<FirewallRule>();
+ List<FirewallRule> firewallRulesIngress = new ArrayList<FirewallRule>();
//Get information about all the rules (StaticNats and StaticNatRules; PFVPN to reapply on domR start)
for (PublicIpAddress ip : publicIps) {
@@ -2241,7 +2253,7 @@ public class VirtualNetworkApplianceManagerImpl implements VirtualNetworkApplian
staticNatFirewallRules.addAll(_rulesDao.listByIpAndPurpose(ip.getId(), Purpose.StaticNat));
}
if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall, provider)) {
- firewallRules.addAll(_rulesDao.listByIpAndPurpose(ip.getId(), Purpose.Firewall));
+ firewallRulesIngress.addAll(_rulesDao.listByIpAndPurpose(ip.getId(), Purpose.Firewall));
}
if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.Vpn, provider)) {
@@ -2259,17 +2271,17 @@ public class VirtualNetworkApplianceManagerImpl implements VirtualNetworkApplian
}
}
}
-
- //Re-apply static nats
+
+ // Re-apply static nats
s_logger.debug("Found " + staticNats.size() + " static nat(s) to apply as a part of domR " + router + " start.");
if (!staticNats.isEmpty()) {
createApplyStaticNatCommands(staticNats, router, cmds, guestNetworkId);
}
-
- //Re-apply firewall rules
- s_logger.debug("Found " + staticNats.size() + " firewall rule(s) to apply as a part of domR " + router + " start.");
- if (!firewallRules.isEmpty()) {
- createFirewallRulesCommands(firewallRules, router, cmds, guestNetworkId);
+
+ // Re-apply firewall Ingress rules
+ s_logger.debug("Found " + firewallRulesIngress.size() + " firewall Ingress rule(s) to apply as a part of domR " + router + " start.");
+ if (!firewallRulesIngress.isEmpty()) {
+ createFirewallRulesCommands(firewallRulesIngress, router, cmds, guestNetworkId);
}
// Re-apply port forwarding rules
@@ -2926,7 +2938,7 @@ public class VirtualNetworkApplianceManagerImpl implements VirtualNetworkApplian
int srcPort = rule.getSourcePortStart();
List<LbDestination> destinations = rule.getDestinations();
List<LbStickinessPolicy> stickinessPolicies = rule.getStickinessPolicies();
- LoadBalancerTO lb = new LoadBalancerTO(uuid, srcIp, srcPort, protocol, algorithm, revoked, false, false, destinations, stickinessPolicies);
+ LoadBalancerTO lb = new LoadBalancerTO(uuid, srcIp, srcPort, protocol, algorithm, revoked, false, inline, destinations, stickinessPolicies);
lbs[i++] = lb;
}
String routerPublicIp = null;
@@ -3254,9 +3266,17 @@ public class VirtualNetworkApplianceManagerImpl implements VirtualNetworkApplian
if (rules != null) {
rulesTO = new ArrayList<FirewallRuleTO>();
for (FirewallRule rule : rules) {
- IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
- FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr());
- rulesTO.add(ruleTO);
+ FirewallRule.TrafficType traffictype = rule.getTrafficType();
+ if(traffictype == FirewallRule.TrafficType.Ingress){
+ IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
+ FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(),Purpose.Firewall,traffictype);
+ rulesTO.add(ruleTO);
+ }
+ else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress){
+ assert (rule.getSourceIpAddressId()==null) : "ipAddressId should be null for egress firewall rule. ";
+ FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null,"",Purpose.Firewall,traffictype);
+ rulesTO.add(ruleTO);
+ }
}
}
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/network/rules/FirewallManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/rules/FirewallManager.java b/server/src/com/cloud/network/rules/FirewallManager.java
index 8473c56..25cce7c 100644
--- a/server/src/com/cloud/network/rules/FirewallManager.java
+++ b/server/src/com/cloud/network/rules/FirewallManager.java
@@ -45,7 +45,7 @@ public interface FirewallManager extends FirewallService {
void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflictException;
void validateFirewallRule(Account caller, IPAddressVO ipAddress, Integer portStart, Integer portEnd, String proto,
- Purpose purpose, FirewallRuleType type);
+ Purpose purpose, FirewallRuleType type, Long networkid, FirewallRule.TrafficType trafficType);
boolean applyRules(List<? extends FirewallRule> rules, boolean continueOnError, boolean updateRulesInDB) throws ResourceUnavailableException;
@@ -68,8 +68,8 @@ public interface FirewallManager extends FirewallService {
*/
boolean revokeFirewallRule(long ruleId, boolean apply, Account caller, long userId);
- FirewallRule createFirewallRule(long ipAddrId, Account caller, String xId, Integer portStart, Integer portEnd, String protocol, List<String> sourceCidrList, Integer icmpCode, Integer icmpType, Long relatedRuleId,
- FirewallRule.FirewallRuleType type, long networkId)
+ FirewallRule createFirewallRule(Long ipAddrId, Account caller, String xId, Integer portStart, Integer portEnd, String protocol, List<String> sourceCidrList, Integer icmpCode, Integer icmpType, Long relatedRuleId,
+ FirewallRule.FirewallRuleType type, Long networkId, FirewallRule.TrafficType traffictype)
throws NetworkRuleConflictException;
FirewallRule createRuleForAllCidrs(long ipAddrId, Account caller, Integer startPort, Integer endPort, String protocol, Integer icmpCode, Integer icmpType, Long relatedRuleId, long networkId) throws NetworkRuleConflictException;
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/network/rules/FirewallRuleVO.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/rules/FirewallRuleVO.java b/server/src/com/cloud/network/rules/FirewallRuleVO.java
index 63ace5b..e493673 100644
--- a/server/src/com/cloud/network/rules/FirewallRuleVO.java
+++ b/server/src/com/cloud/network/rules/FirewallRuleVO.java
@@ -45,7 +45,7 @@ import org.apache.cloudstack.api.InternalIdentity;
@Table(name="firewall_rules")
@Inheritance(strategy=InheritanceType.JOINED)
@DiscriminatorColumn(name="purpose", discriminatorType=DiscriminatorType.STRING, length=32)
-public class FirewallRuleVO implements FirewallRule {
+public class FirewallRuleVO implements Identity, FirewallRule {
protected final FirewallRulesCidrsDaoImpl _firewallRulesCidrsDao = ComponentLocator.inject(FirewallRulesCidrsDaoImpl.class);
@Id
@@ -87,8 +87,8 @@ public class FirewallRuleVO implements FirewallRule {
Date created;
@Column(name="network_id")
- long networkId;
-
+ Long networkId;
+
@Column(name="icmp_code")
Integer icmpCode;
@@ -209,11 +209,6 @@ public class FirewallRuleVO implements FirewallRule {
}
this.accountId = accountId;
this.domainId = domainId;
-
- if (ipAddressId == null) {
- assert (purpose == Purpose.NetworkACL) : "ipAddressId can be null for " + Purpose.NetworkACL + " only";
- }
-
this.sourceIpAddressId = ipAddressId;
this.sourcePortStart = portStart;
this.sourcePortEnd = portEnd;
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/network/rules/RulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java
index fc12660..fe86a8e 100755
--- a/server/src/com/cloud/network/rules/RulesManagerImpl.java
+++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java
@@ -204,7 +204,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
try {
_firewallMgr.validateFirewallRule(caller, ipAddress, rule.getSourcePortStart(), rule.getSourcePortEnd(),
- rule.getProtocol(), Purpose.PortForwarding, FirewallRuleType.User);
+ rule.getProtocol(), Purpose.PortForwarding, FirewallRuleType.User, networkId, rule.getTrafficType());
Long accountId = ipAddress.getAllocatedToAccountId();
Long domainId = ipAddress.getAllocatedInDomainId();
@@ -323,7 +323,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
throw new NetworkRuleConflictException("Can't do static nat on ip address: " + ipAddress.getAddress());
}
- _firewallMgr.validateFirewallRule(caller, ipAddress, rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getProtocol(), Purpose.StaticNat, FirewallRuleType.User);
+ _firewallMgr.validateFirewallRule(caller, ipAddress, rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getProtocol(), Purpose.StaticNat, FirewallRuleType.User,null, rule.getTrafficType() );
Long networkId = ipAddress.getAssociatedWithNetworkId();
Long accountId = ipAddress.getAllocatedToAccountId();
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
index 81721ea..e360bca 100755
--- a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
+++ b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
@@ -269,7 +269,7 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
//now apply vpn rules on the backend
s_logger.debug("Reapplying firewall rules for ip id=" + ipId + " as a part of disable remote access vpn");
- success = _firewallMgr.applyFirewallRules(ipId, caller);
+ success = _firewallMgr.applyIngressFirewallRules(ipId, caller);
}
if (success) {
@@ -383,7 +383,7 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
try {
boolean firewallOpened = true;
if (openFirewall) {
- firewallOpened = _firewallMgr.applyFirewallRules(vpn.getServerAddressId(), caller);
+ firewallOpened = _firewallMgr.applyIngressFirewallRules(vpn.getServerAddressId(), caller);
}
if (firewallOpened) {
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/b6727e56/server/src/com/cloud/upgrade/dao/Upgrade40to41.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/upgrade/dao/Upgrade40to41.java b/server/src/com/cloud/upgrade/dao/Upgrade40to41.java
index cd9e20c..d3a8cd5 100644
--- a/server/src/com/cloud/upgrade/dao/Upgrade40to41.java
+++ b/server/src/com/cloud/upgrade/dao/Upgrade40to41.java
@@ -22,12 +22,22 @@ import com.cloud.utils.script.Script;
import java.io.File;
import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.UUID;
+
+import org.apache.log4j.Logger;
/**
* @author htrippaers
*
*/
public class Upgrade40to41 implements DbUpgrade {
+ final static Logger s_logger = Logger.getLogger(Upgrade40to41.class);
/**
*
@@ -78,7 +88,8 @@ public class Upgrade40to41 implements DbUpgrade {
*/
@Override
public void performDataMigration(Connection conn) {
-
+ upgradeEIPNetworkOfferings(conn);
+ upgradeEgressFirewallRules(conn);
}
/* (non-Javadoc)
@@ -89,4 +100,104 @@ public class Upgrade40to41 implements DbUpgrade {
return new File[0];
}
+ private void upgradeEIPNetworkOfferings(Connection conn) {
+ PreparedStatement pstmt = null;
+ ResultSet rs = null;
+
+ try {
+ pstmt = conn.prepareStatement("select id, elastic_ip_service from `cloud`.`network_offerings` where traffic_type='Guest'");
+ rs = pstmt.executeQuery();
+ while (rs.next()) {
+ long id = rs.getLong(1);
+ // check if elastic IP service is enabled for network offering
+ if (rs.getLong(2) != 0) {
+ //update network offering with eip_associate_public_ip set to true
+ pstmt = conn.prepareStatement("UPDATE `cloud`.`network_offerings` set eip_associate_public_ip=? where id=?");
+ pstmt.setBoolean(1, true);
+ pstmt.setLong(2, id);
+ pstmt.executeUpdate();
+ }
+ }
+ } catch (SQLException e) {
+ throw new CloudRuntimeException("Unable to set elastic_ip_service for network offerings with EIP service enabled.", e);
+ } finally {
+ try {
+ if (rs != null) {
+ rs.close();
+ }
+ if (pstmt != null) {
+ pstmt.close();
+ }
+ } catch (SQLException e) {
+ }
+ }
+ }
+
+
+ private void upgradeEgressFirewallRules(Connection conn) {
+ PreparedStatement pstmt = null;
+ ResultSet rs = null;
+ ResultSet rsId = null;
+ ResultSet rsNw = null;
+ try {
+ // update the existing ingress rules traffic type
+ pstmt = conn.prepareStatement("update `cloud`.`firewall_rules` set traffic_type='Ingress' where purpose='Firewall' and ip_address_id is not null and traffic_type is null");
+ s_logger.debug("Updating firewall Ingress rule traffic type: " + pstmt);
+ pstmt.executeUpdate();
+
+ pstmt = conn.prepareStatement("select network_id FROM `cloud`.`ntwk_service_map` where service='Firewall' and provider='VirtualRouter' ");
+ rs = pstmt.executeQuery();
+ while (rs.next()) {
+ long netId = rs.getLong(1);
+ //When upgraded from 2.2.14 to 3.0.6 guest_type is updated to Isolated in the 2214to30 clean up sql. clean up executes
+ //after this. So checking for Isolated OR Virtual
+ pstmt = conn.prepareStatement("select account_id, domain_id FROM `cloud`.`networks` where (guest_type='Isolated' OR guest_type='Virtual') and traffic_type='Guest' and vpc_id is NULL and (state='implemented' OR state='Shutdown') and id=? ");
+ pstmt.setLong(1, netId);
+ s_logger.debug("Getting account_id, domain_id from networks table: " + pstmt);
+ rsNw = pstmt.executeQuery();
+
+ if(rsNw.next()) {
+ long accountId = rsNw.getLong(1);
+ long domainId = rsNw.getLong(2);
+
+ //Add new rule for the existing networks
+ s_logger.debug("Adding default egress firewall rule for network " + netId);
+ pstmt = conn.prepareStatement("INSERT INTO firewall_rules (uuid, state, protocol, purpose, account_id, domain_id, network_id, xid, created, traffic_type) VALUES (?, 'Active', 'all', 'Firewall', ?, ?, ?, ?, now(), 'Egress')");
+ pstmt.setString(1, UUID.randomUUID().toString());
+ pstmt.setLong(2, accountId);
+ pstmt.setLong(3, domainId);
+ pstmt.setLong(4, netId);
+ pstmt.setString(5, UUID.randomUUID().toString());
+ s_logger.debug("Inserting default egress firewall rule " + pstmt);
+ pstmt.executeUpdate();
+
+ pstmt = conn.prepareStatement("select id from firewall_rules where protocol='all' and network_id=?");
+ pstmt.setLong(1, netId);
+ rsId = pstmt.executeQuery();
+
+ long firewallRuleId;
+ if(rsId.next()) {
+ firewallRuleId = rsId.getLong(1);
+ pstmt = conn.prepareStatement("insert into firewall_rules_cidrs (firewall_rule_id,source_cidr) values (?, '0.0.0.0/0')");
+ pstmt.setLong(1, firewallRuleId);
+ s_logger.debug("Inserting rule for cidr 0.0.0.0/0 for the new Firewall rule id=" + firewallRuleId + " with statement " + pstmt);
+ pstmt.executeUpdate();
+ }
+ }
+ }
+ } catch (SQLException e) {
+ throw new CloudRuntimeException("Unable to set egress firewall rules ", e);
+ } finally {
+ try {
+ if (rs != null) {
+ rs.close();
+ }
+ if (pstmt != null) {
+ pstmt.close();
+ }
+ } catch (SQLException e) {
+ }
+ }
+ }
+
}