etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added changes related to icmp

This commit is contained in:
Koushik Das 2013-04-02 17:50:57 +05:30
parent bcecb589de
commit 05e3d04b55
8 changed files with 354 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-egress-acl-rule.xml
View File

@ -192,10 +192,10 @@ under the License.
aclrulename="dummy"
descr=value
actiontype="drop" or "permit"
protocolvalue = "TCP" or UDP or ICMP
deststartip="source start ip"
destendip="source end ip"
sourcestartport="start port at destination"
sourceendport="end port at destination"
sourceip="public ip at destination"
protocolvalue = "TCP" or "UDP"
deststartip="destination start ip"
destendip="destination end ip"
sourcestartport="start port at source"
sourceendport="end port at source"
sourceip="source ip"
--!>

122
plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-generic-egress-acl-rule.xml Executable file
View File

@ -0,0 +1,122 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<configConfMos
cookie="%cookie%"
inHierarchical="false">
<inConfigs>
<pair key="%aclruledn%">
<policyRule
descr="%descr%"
dn="%aclruledn%"
name="%aclrulename%"
order="%order%"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-action-0">
<fwpolicyAction
actionType="%actiontype%"
dn="%aclruledn%/rule-action-0"
id="0"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-cond-2">
<policyRuleCondition
dn="%aclruledn%/rule-cond-2"
id="2"
order="unspecified"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-cond-2/nw-expr2">
<policyNetworkExpression
dn="%aclruledn%/rule-cond-2/nw-expr2"
id="2"
opr="eq"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-cond-2/nw-expr2/nw-protocol-2">
<policyProtocol
dataType="string"
descr=""
dn="%aclruledn%/rule-cond-2/nw-expr2/nw-protocol-2"
id="2"
name=""
placement="none"
status="created"
value="%protocolvalue%"/>
</pair>
<pair key="%aclruledn%/rule-cond-3">
<policyRuleCondition
dn="%aclruledn%/rule-cond-3"
id="3"
order="unspecified"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-cond-3/nw-expr2">
<policyNetworkExpression
dn="%aclruledn%/rule-cond-3/nw-expr2"
id="2"
opr="range"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual">
<policyNwAttrQualifier
attrEp="destination"
dn="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-2">
<policyIPAddress
dataType="string"
descr=""
dn="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-2"
id="2"
name=""
placement="begin"
status="created"
value="%deststartip%"/>
</pair>
<pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-3">
<policyIPAddress
dataType="string"
descr=""
dn="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-3"
id="3"
name=""
placement="end"
status="created"
value="%destendip%"/>
</pair>
</inConfigs>
</configConfMos>
<!--
aclruledn="org-root/org-vlan-123/org-VDC-vlan-123/pol-test_policy/rule-dummy"
aclrulename="dummy"
descr=value
actiontype="drop" or "permit"
protocolvalue = "TCP" or "UDP" or "ICMP"
deststartip="destination start ip"
destendip="destination end ip"
sourceip="source ip"
--!>

121
plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-generic-ingress-acl-rule.xml Executable file
View File

@ -0,0 +1,121 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<configConfMos
cookie="%cookie%"
inHierarchical="false">
<inConfigs>
<pair key="%aclruledn%">
<policyRule
descr="%descr%"
dn="%aclruledn%"
name="%aclrulename%"
order="%order%"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-action-0">
<fwpolicyAction
actionType="%actiontype%"
dn="%aclruledn%/rule-action-0"
id="0"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-cond-2">
<policyRuleCondition
dn="%aclruledn%/rule-cond-2"
id="2"
order="unspecified"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-cond-2/nw-expr2">
<policyNetworkExpression
dn="%aclruledn%/rule-cond-2/nw-expr2"
id="2"
opr="eq"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-cond-2/nw-expr2/nw-protocol-2">
<policyProtocol
dataType="string"
descr=""
dn="%aclruledn%/rule-cond-2/nw-expr2/nw-protocol-2"
id="2"
name=""
placement="none"
status="created"
value="%protocolvalue%"/>
</pair>
<pair key="%aclruledn%/rule-cond-3">
<policyRuleCondition
dn="%aclruledn%/rule-cond-3"
id="3"
order="unspecified"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-cond-3/nw-expr2">
<policyNetworkExpression
dn="%aclruledn%/rule-cond-3/nw-expr2"
id="2"
opr="range"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual">
<policyNwAttrQualifier
attrEp="source"
dn="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual"
status="created"/>
</pair>
<pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-2">
<policyIPAddress
dataType="string"
descr=""
dn="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-2"
id="2"
name=""
placement="begin"
status="created"
value="%sourcestartip%"/>
</pair>
<pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-3">
<policyIPAddress
dataType="string"
descr=""
dn="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-3"
id="3"
name=""
placement="end"
status="created"
value="%sourceendip%"/>
</pair>
</inConfigs>
</configConfMos>
<!--
aclruledn="org-root/org-vlan-123/org-VDC-vlan-123/pol-test_policy/rule-dummy"
aclrulename="dummy"
descr=value
actiontype="drop" or "permit"
protocolvalue = "TCP" or "UDP" or "ICMP"
sourcestartip = "source start IP"
sourceendip = "source end IP"
--!>

4
plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml
View File

@ -192,10 +192,10 @@ under the License.
aclrulename="dummy"
descr=value
actiontype="drop" or "permit"
protocolvalue = "TCP" or UDP or ICMP
protocolvalue = "TCP" or "UDP"
sourcestartip="source start ip"
sourceendip="source end ip"
deststartport="start port at destination"
destendport="end port at destination"
destinationip="public ip at destination"
destip="destination ip"
--!>

10
plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
View File

@ -143,12 +143,22 @@ public interface CiscoVnmcConnection {
String destStartPort, String destEndPort, String destIp)
throws ExecutionException;
public boolean createTenantVDCIngressAclRule(String tenantName,
String identifier, String policyIdentifier,
String protocol, String sourceStartIp, String sourceEndIp, String destIp)
throws ExecutionException;
public boolean createTenantVDCEgressAclRule(String tenantName,
String identifier, String policyIdentifier,
String protocol, String sourceStartPort, String sourceEndPort, String sourceIp,
String destStartIp, String destEndIp)
throws ExecutionException;
public boolean createTenantVDCEgressAclRule(String tenantName,
String identifier, String policyIdentifier,
String protocol, String sourceIp, String destStartIp, String destEndIp)
throws ExecutionException;
public boolean deleteTenantVDCAclRule(String tenantName,
String identifier, String policyIdentifier) throws ExecutionException;

64
plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
View File

@ -93,6 +93,8 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
CREATE_ACL_POLICY_REF("create-acl-policy-ref.xml", "policy-mgr"),
CREATE_INGRESS_ACL_RULE("create-ingress-acl-rule.xml", "policy-mgr"),
CREATE_EGRESS_ACL_RULE("create-egress-acl-rule.xml", "policy-mgr"),
CREATE_GENERIC_INGRESS_ACL_RULE("create-generic-ingress-acl-rule.xml", "policy-mgr"),
CREATE_GENERIC_EGRESS_ACL_RULE("create-generic-egress-acl-rule.xml", "policy-mgr"),
DELETE_RULE("delete-rule.xml", "policy-mgr"),
@ -674,10 +676,11 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
String destStartPort, String destEndPort, String destIp) throws ExecutionException {
String xml = VnmcXml.CREATE_INGRESS_ACL_RULE.getXml();
String service = VnmcXml.CREATE_INGRESS_ACL_RULE.getService();
xml = replaceXmlValue(xml, "cookie", _cookie);
xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
xml = replaceXmlValue(xml, "descr", "Ingress ACL policy for Tenant VDC" + tenantName);
xml = replaceXmlValue(xml, "descr", "Ingress ACL rule for Tenant VDC " + tenantName);
xml = replaceXmlValue(xml, "actiontype", "permit");
xml = replaceXmlValue(xml, "protocolvalue", protocol);
xml = replaceXmlValue(xml, "sourcestartip", sourceStartIp);
@ -697,6 +700,34 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
return verifySuccess(response);
}
@Override
public boolean createTenantVDCIngressAclRule(String tenantName,
String identifier, String policyIdentifier,
String protocol, String sourceStartIp, String sourceEndIp,
String destIp) throws ExecutionException {
String xml = VnmcXml.CREATE_GENERIC_INGRESS_ACL_RULE.getXml();
String service = VnmcXml.CREATE_GENERIC_INGRESS_ACL_RULE.getService();
xml = replaceXmlValue(xml, "cookie", _cookie);
xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
xml = replaceXmlValue(xml, "descr", "Ingress ACL rule for Tenant VDC " + tenantName);
xml = replaceXmlValue(xml, "actiontype", "permit");
xml = replaceXmlValue(xml, "protocolvalue", protocol);
xml = replaceXmlValue(xml, "sourcestartip", sourceStartIp);
xml = replaceXmlValue(xml, "sourceendip", sourceEndIp);
List<String> rules = listChildren(getDnForAclPolicy(tenantName, policyIdentifier));
int order = 100;
if (rules != null) {
order += rules.size();
}
xml = replaceXmlValue(xml, "order", Integer.toString(order));
String response = sendRequest(service, xml);
return verifySuccess(response);
}
@Override
public boolean createTenantVDCEgressAclRule(String tenantName,
String identifier, String policyIdentifier,
@ -704,15 +735,44 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
String destStartIp, String destEndIp) throws ExecutionException {
String xml = VnmcXml.CREATE_EGRESS_ACL_RULE.getXml();
String service = VnmcXml.CREATE_EGRESS_ACL_RULE.getService();
xml = replaceXmlValue(xml, "cookie", _cookie);
xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
xml = replaceXmlValue(xml, "descr", "Egress ACL policy for Tenant VDC" + tenantName);
xml = replaceXmlValue(xml, "descr", "Egress ACL rule for Tenant VDC " + tenantName);
xml = replaceXmlValue(xml, "actiontype", "permit");
xml = replaceXmlValue(xml, "protocolvalue", protocol);
xml = replaceXmlValue(xml, "deststartip", destStartIp);
xml = replaceXmlValue(xml, "destendip", destEndIp);
xml = replaceXmlValue(xml, "sourcestartport", sourceStartPort);
xml = replaceXmlValue(xml, "sourceendport", sourceEndPort);
xml = replaceXmlValue(xml, "sourceip", sourceIp);
List<String> rules = listChildren(getDnForAclPolicy(tenantName, policyIdentifier));
int order = 100;
if (rules != null) {
order += rules.size();
}
xml = replaceXmlValue(xml, "order", Integer.toString(order));
String response = sendRequest(service, xml);
return verifySuccess(response);
}
@Override
public boolean createTenantVDCEgressAclRule(String tenantName,
String identifier, String policyIdentifier,
String protocol, String sourceIp,
String destStartIp, String destEndIp) throws ExecutionException {
String xml = VnmcXml.CREATE_GENERIC_EGRESS_ACL_RULE.getXml();
String service = VnmcXml.CREATE_GENERIC_EGRESS_ACL_RULE.getService();
xml = replaceXmlValue(xml, "cookie", _cookie);
xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
xml = replaceXmlValue(xml, "descr", "Egress ACL rule for Tenant VDC " + tenantName);
xml = replaceXmlValue(xml, "actiontype", "permit");
xml = replaceXmlValue(xml, "protocolvalue", protocol);
xml = replaceXmlValue(xml, "deststartip", destStartIp);
xml = replaceXmlValue(xml, "destendip", destEndIp);

4
plugins/network-elements/cisco-vnmc/src/com/cloud/network/element/CiscoVnmcElement.java
View File

@ -187,7 +187,9 @@ public class CiscoVnmcElement extends AdapterBase implements SourceNatServicePro
Map<Capability, String> firewallCapabilities = new HashMap<Capability, String>();
firewallCapabilities.put(Capability.TrafficStatistics, "per public ip");
firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress,egress");
firewallCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp");
firewallCapabilities.put(Capability.SupportedEgressProtocols, "tcp,udp,icmp");
firewallCapabilities.put(Capability.MultipleIps, "true");
capabilities.put(Service.Firewall, firewallCapabilities);
@ -650,7 +652,7 @@ public class CiscoVnmcElement extends AdapterBase implements SourceNatServicePro
List<FirewallRuleTO> rulesTO = new ArrayList<FirewallRuleTO>();
for (FirewallRule rule : rules) {
IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr());
FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(), rule.getPurpose(), rule.getTrafficType());
rulesTO.add(ruleTO);
}

40
plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
View File

@ -358,25 +358,41 @@ public class CiscoVnmcResource implements ServerResource {
for (FirewallRuleTO rule : publicIpRulesMap.get(publicIp)) {
if (rule.revoked()) {
if (!_connection.deleteTenantVDCAclRule(tenant, Long.toString(rule.getId()), publicIp)) {
if (!_connection.deleteTenantVDCAclRule(tenant, Long.toString(rule.getId()), policyIdentifier)) {
throw new Exception("Failed to delete ACL rule in VNMC for guest network with vlan " + vlanId);
}
} else {
String[] externalIpRange = getIpRangeFromCidr(rule.getSourceCidrList().get(0));
if (rule.getTrafficType() == TrafficType.Ingress) {
if (!_connection.createTenantVDCIngressAclRule(tenant,
Long.toString(rule.getId()), policyIdentifier,
rule.getProtocol().toUpperCase(), externalIpRange[0], externalIpRange[1],
Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), publicIp)) {
throw new Exception("Failed to create ACL ingress rule in VNMC for guest network with vlan " + vlanId);
if (!rule.getProtocol().equalsIgnoreCase("icmp")) {
if (!_connection.createTenantVDCIngressAclRule(tenant,
Long.toString(rule.getId()), policyIdentifier,
rule.getProtocol().toUpperCase(), externalIpRange[0], externalIpRange[1],
Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), publicIp)) {
throw new Exception("Failed to create ACL ingress rule in VNMC for guest network with vlan " + vlanId);
}
} else {
if (!_connection.createTenantVDCIngressAclRule(tenant,
Long.toString(rule.getId()), policyIdentifier,
rule.getProtocol().toUpperCase(), externalIpRange[0], externalIpRange[1], publicIp)) {
throw new Exception("Failed to create ACL ingress rule in VNMC for guest network with vlan " + vlanId);
}
}
} else {
if (!_connection.createTenantVDCEgressAclRule(tenant,
Long.toString(rule.getId()), policyIdentifier,
rule.getProtocol().toUpperCase(),
Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), publicIp,
externalIpRange[0], externalIpRange[1])) {
throw new Exception("Failed to create ACL egress rule in VNMC for guest network with vlan " + vlanId);
if (!rule.getProtocol().equalsIgnoreCase("icmp")) {
if (!_connection.createTenantVDCEgressAclRule(tenant,
Long.toString(rule.getId()), policyIdentifier,
rule.getProtocol().toUpperCase(),
Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), publicIp,
externalIpRange[0], externalIpRange[1])) {
throw new Exception("Failed to create ACL egress rule in VNMC for guest network with vlan " + vlanId);
}
} else {
if (!_connection.createTenantVDCEgressAclRule(tenant,
Long.toString(rule.getId()), policyIdentifier,
rule.getProtocol().toUpperCase(), publicIp, externalIpRange[0], externalIpRange[1])) {
throw new Exception("Failed to create ACL egress rule in VNMC for guest network with vlan " + vlanId);
}
}
}
}