From 124a48819d34547d5355396c151279a23899ff65 Mon Sep 17 00:00:00 2001 From: Koushik Das Date: Thu, 21 Feb 2013 17:53:12 +0530 Subject: [PATCH] Separated out creation of ACL policy set and policy in VNMC --- .../cisco/associate-acl-policy-set.xml | 2 +- .../network/cisco/create-acl-policy-ref.xml | 21 ++++++ .../network/cisco/create-acl-policy-set.xml | 13 +--- .../network/cisco/create-ingress-acl-rule.xml | 18 ++--- .../network/cisco/CiscoVnmcConnection.java | 15 +++-- .../cisco/CiscoVnmcConnectionImpl.java | 66 +++++++++++------- .../network/element/CiscoVnmcElement.java | 1 - .../network/resource/CiscoVnmcResource.java | 67 ++++++++++++------- 8 files changed, 126 insertions(+), 77 deletions(-) create mode 100755 plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-ref.xml diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/associate-acl-policy-set.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/associate-acl-policy-set.xml index ae40a8832a3..908b40f982b 100755 --- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/associate-acl-policy-set.xml +++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/associate-acl-policy-set.xml @@ -3,7 +3,7 @@ inHierarchical="false"> - + + + + + + + + + + \ No newline at end of file diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-set.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-set.xml index 4038b9151cd..4e9d2ced285 100755 --- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-set.xml +++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-acl-policy-set.xml @@ -3,13 +3,6 @@ cookie="%cookie%" inHierarchical="false"> - - - \ No newline at end of file 
diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml
index 2c3fdabf81f..8fb38a40f68 100755
--- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml
+++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml
@@ -170,13 +170,13 @@
diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
index 5d59c6552b4..3cb1ea57753 100644
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
@@ -64,18 +64,23 @@ public interface CiscoVnmcConnection { public boolean associateNatPolicySet(String tenantName) throws ExecutionException; - public boolean createIngressAclRule(String tenantName, String identifier, + public boolean createIngressAclRule(String tenantName, + String identifier, String policyIdentifier, String protocol, String sourceStartIp, String sourceEndIp, String destStartPort, String destEndPort, String destIp) throws ExecutionException; - public boolean deleteAclRule(String tenantName, String identifier) + public boolean deleteAclRule(String policyIdentifier, + String identifier, String destIp) throws ExecutionException; - public boolean createTenantVDCAclPolicy(String tenantName, boolean ingress) - throws ExecutionException; + public boolean createTenantVDCAclPolicy(String tenantName, String identifier, + boolean ingress) throws ExecutionException; - public boolean deleteTenantVDCAclPolicy(String tenantName, boolean ingress) + public boolean createTenantVDCAclPolicyRef(String tenantName, String identifier, + boolean ingress) throws ExecutionException; + + public boolean deleteTenantVDCAclPolicy(String tenantName, String identifier) throws ExecutionException; public boolean createTenantVDCAclPolicySet(String tenantName, boolean ingress) diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java index b304e05bcbf..e159dd1e77d 100644 --- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java +++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java 
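Review bot: The interface's new `deleteAclRule(String policyIdentifier, String identifier, String destIp)` does not agree with the implementation in the `@@ -689,12 +707,12 @@` hunk of CiscoVnmcConnectionImpl, which declares `deleteAclRule(String tenantName, String identifier, String policyIdentifier)` and builds the rule DN from the first argument as the tenant. Because all three parameters are `String`, the compiler cannot catch a caller that follows the interface and passes a policy identifier where the tenant is expected, so a DN for the wrong object would be sent to VNMC. Align the declaration with the implementation: `public boolean deleteAclRule(String tenantName, String identifier, String policyIdentifier) throws ExecutionException;`. The commented-out call in CiscoVnmcResource passes `publicIp` as the third argument, which would also need to become `policyIdentifier` when it is re-enabled.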
@@ -66,6 +66,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
         DELETE_ACL_RULE("delete-acl-rule.xml", "policy-mgr"),
         CREATE_ACL_POLICY("create-acl-policy.xml", "policy-mgr"),
         DELETE_ACL_POLICY("delete-acl-policy.xml", "policy-mgr"),
+        CREATE_ACL_POLICY_REF("create-acl-policy-ref.xml", "policy-mgr"),
         CREATE_ACL_POLICY_SET("create-acl-policy-set.xml", "policy-mgr"),
         RESOLVE_ACL_POLICY_SET("associate-acl-policy-set.xml", "policy-mgr"),
         CREATE_EDGE_FIREWALL("create-edge-firewall.xml", "resource-mgr"),
@@ -566,37 +567,38 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection { return getDnForTenantVDC(tenantName) + "/pset-" + getNameForAclPolicySet(tenantName, ingress) ; } - private String getNameForAclPolicy(String tenantName, boolean ingress) { - return (ingress ? "Ingress-" : "Egress-") + "ACL-For-" + tenantName; + private String getNameForAclPolicy(String tenantName, String identifier) { + return "Policy-" + tenantName + "-" + identifier; } - private String getDnForAclPolicy(String tenantName, boolean ingress) { - return getDnForTenantVDC(tenantName) + "/pol-" + getNameForAclPolicy(tenantName, ingress); + private String getDnForAclPolicy(String tenantName, String identifier) { + return getDnForTenantVDC(tenantName) + "/pol-" + getNameForAclPolicy(tenantName, identifier); } - private String getDnForAclPolicyRef(String tenantName, boolean ingress) { - return getDnForAclPolicySet(tenantName, ingress) + "/polref-" + getNameForAclPolicy(tenantName, ingress); + private String getDnForAclPolicyRef(String tenantName, String identifier, boolean ingress) { + return getDnForAclPolicySet(tenantName, ingress) + "/polref-" + getNameForAclPolicy(tenantName, identifier); } - private String getNameForAclRule(String tenantName, String identifier, boolean ingress) { - return (ingress ? 
"Ingress-" : "Egress-") + "ACL-Rule-For-" + tenantName + "-" + identifier; + private String getNameForAclRule(String tenantName, String identifier) { + return "Rule-" + tenantName + "-" + identifier; } - private String getDnForAclRule(String tenantName, String identifier, boolean ingress) { - return getDnForAclPolicy(tenantName, ingress) + "/rule-" + getNameForAclRule(tenantName, identifier, ingress); + private String getDnForAclRule(String tenantName, String identifier, String policyIdentifier) { + return getDnForAclPolicy(tenantName, policyIdentifier) + "/rule-" + getNameForAclRule(tenantName, identifier); } /* (non-Javadoc) * @see com.cloud.network.resource.CiscoVnmcConnection#createTenantVDCAclPolicy(java.lang.String) */ @Override - public boolean createTenantVDCAclPolicy(String tenantName, boolean ingress) throws ExecutionException { + public boolean createTenantVDCAclPolicy(String tenantName, String identifier, boolean ingress) throws ExecutionException { String xml = VnmcXml.CREATE_ACL_POLICY.getXml(); String service = VnmcXml.CREATE_ACL_POLICY.getService(); xml = replaceXmlValue(xml, "cookie", _cookie); //xml = replaceXmlValue(xml, "descr", "ACL Policy for Tenant VDC " + tenantName); - xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, ingress)); - xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, ingress)); + xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, identifier)); + xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, identifier)); + xml = replaceXmlValue(xml, "aclpolicyrefdn", getDnForAclPolicyRef(tenantName, identifier, ingress)); String response = sendRequest(service, xml); 
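Review bot: The added `xml = replaceXmlValue(xml, "aclpolicyrefdn", getDnForAclPolicyRef(tenantName, identifier, ingress));` in createTenantVDCAclPolicy duplicates the substitution that the new createTenantVDCAclPolicyRef performs, and create-acl-policy.xml is not touched by this patch, so that template presumably has no `%aclpolicyrefdn%` placeholder and the line is a no-op. If that is the case, the new `ingress` parameter of createTenantVDCAclPolicy exists only to feed a dead substitution; either drop both or add a comment stating why the policy template also needs the policy-ref DN. The `@see` tag above the method still names the old single-argument signature and should list the new parameters. The method body continues past the end of the hunk.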
@@ -607,12 +609,29 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection { * @see com.cloud.network.resource.CiscoVnmcConnection#deleteTenantVDCAclPolicy(java.lang.String) */ @Override - public boolean deleteTenantVDCAclPolicy(String tenantName, boolean ingress) throws ExecutionException { + public boolean deleteTenantVDCAclPolicy(String tenantName, String identifier) throws ExecutionException { String xml = VnmcXml.DELETE_ACL_POLICY.getXml(); String service = VnmcXml.DELETE_ACL_POLICY.getService(); xml = replaceXmlValue(xml, "cookie", _cookie); - xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, ingress)); - xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, ingress)); + xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, identifier)); + xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, identifier)); + + String response = sendRequest(service, xml); + + return verifySuccess(response); + } + + /* (non-Javadoc) + * @see com.cloud.network.resource.CiscoVnmcConnection#createTenantVDCAclPolicySet(java.lang.String) + */ + @Override + public boolean createTenantVDCAclPolicyRef(String tenantName, String identifier, boolean ingress) throws ExecutionException { + String xml = VnmcXml.CREATE_ACL_POLICY_REF.getXml(); + String service = VnmcXml.CREATE_ACL_POLICY_REF.getService(); + xml = replaceXmlValue(xml, "cookie", _cookie); + xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, identifier)); + xml = replaceXmlValue(xml, "aclpolicydn", getDnForAclPolicy(tenantName, identifier)); + xml = replaceXmlValue(xml, "aclpolicyrefdn", getDnForAclPolicyRef(tenantName, identifier, ingress)); String response = sendRequest(service, xml); 
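Review bot: The comment block above the new createTenantVDCAclPolicyRef is copied from the policy-set method and points at the wrong member; it should read `* @see com.cloud.network.resource.CiscoVnmcConnection#createTenantVDCAclPolicyRef(java.lang.String, java.lang.String, boolean)`. A one-line purpose comment would also help because the name does not say what a "ref" is; getDnForAclPolicyRef places the ref DN under the ingress or egress policy set, so `// Creates the polref that binds the per-identifier ACL policy into the tenant's ingress/egress policy set.` is supported by the code. deleteTenantVDCAclPolicy above removes only the policy, not the polref in the policy set that points to it; whether VNMC drops the ref automatically or the subsequent createTenantVDCAclPolicyRef tolerates an existing ref cannot be told from this hunk and deserves a comment at the call site. The body of createTenantVDCAclPolicyRef continues past the end of the hunk.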
@@ -628,10 +647,8 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection { String service = VnmcXml.CREATE_ACL_POLICY_SET.getService(); xml = replaceXmlValue(xml, "cookie", _cookie); //xml = replaceXmlValue(xml, "descr", "ACL Policy Set for Tenant VDC " + tenantName); - xml = replaceXmlValue(xml, "aclpolicyname", getNameForAclPolicy(tenantName, ingress)); xml = replaceXmlValue(xml, "aclpolicysetname", getNameForAclPolicySet(tenantName, ingress)); xml = replaceXmlValue(xml, "aclpolicysetdn", getDnForAclPolicySet(tenantName, ingress)); - xml = replaceXmlValue(xml, "aclpolicyrefdn", getDnForAclPolicyRef(tenantName, ingress)); String response = sendRequest(service, xml); 
@@ -663,15 +680,16 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection { * @see com.cloud.network.resource.CiscoVnmcConnection#createIngressAclRule(java.lang.String) */ @Override - public boolean createIngressAclRule(String tenantName, String identifier, + public boolean createIngressAclRule(String tenantName, + String identifier, String policyIdentifier, String protocol, String sourceStartIp, String sourceEndIp, String destStartPort, String destEndPort, String destIp) throws ExecutionException { String xml = VnmcXml.CREATE_INGRESS_ACL_RULE.getXml(); String service = VnmcXml.CREATE_INGRESS_ACL_RULE.getService(); xml = replaceXmlValue(xml, "cookie", _cookie); //xml = replaceXmlValue(xml, "descr", "Ingress ACL Policy for Tenant VDC" + tenantName); - xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, true)); - xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier, true)); + xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier)); + xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier)); xml = replaceXmlValue(xml, "actiontype", "permit"); xml = replaceXmlValue(xml, "protocolvalue", protocol); xml = replaceXmlValue(xml, "sourcestartip", sourceStartIp); 
@@ -689,12 +707,12 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection { * @see com.cloud.network.resource.CiscoVnmcConnection#deleteAclRule(java.lang.String) */ @Override - public boolean deleteAclRule(String tenantName, String identifier) throws ExecutionException { + public boolean deleteAclRule(String tenantName, String identifier, String policyIdentifier) throws ExecutionException { String xml = VnmcXml.DELETE_ACL_RULE.getXml(); String service = VnmcXml.DELETE_ACL_RULE.getService(); xml = replaceXmlValue(xml, "cookie", _cookie); - xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, true)); - xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier, true)); + xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier)); + xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier)); String response = sendRequest(service, xml); diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/element/CiscoVnmcElement.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/element/CiscoVnmcElement.java index c96abac2a67..22d58a65cae 100644 --- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/element/CiscoVnmcElement.java +++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/element/CiscoVnmcElement.java @@ -147,7 +147,6 @@ public class CiscoVnmcElement extends AdapterBase implements SourceNatServicePro CiscoAsa1000vDao _ciscoAsa1000vDao; @Inject NetworkAsa1000vMapDao _networkAsa1000vMapDao; - private boolean canHandle(Network network) { if (network.getBroadcastDomainType() != BroadcastDomainType.Vlan) { diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java index 3e58398537c..85188c8deee 100644 
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
@@ -17,6 +17,7 @@ package com.cloud.network.resource;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -319,39 +320,53 @@ public class CiscoVnmcResource implements ServerResource{ private Answer execute(SetFirewallRulesCommand cmd, int numRetries) { String vlanId = cmd.getContextParam(NetworkElementCommand.GUEST_VLAN_TAG); String tenant = "vlan-" + vlanId; + + FirewallRuleTO[] rules = cmd.getRules(); + Map> publicIpRulesMap = new HashMap>(); + for (FirewallRuleTO rule : rules) { + String publicIp = rule.getSrcIp(); + if (!publicIpRulesMap.containsKey(publicIp)) { + List publicIpRulesList = new ArrayList(); + publicIpRulesMap.put(publicIp, publicIpRulesList); + } + publicIpRulesMap.get(publicIp).add(rule); + } + try { // create-acl-policy-set for ingress _connection.createTenantVDCAclPolicySet(tenant, true); - - // delete-acl-policy for ingress - _connection.deleteTenantVDCAclPolicy(tenant, true); - // delete-acl-policy for egress - - // create-acl-policy for ingress - _connection.createTenantVDCAclPolicy(tenant, true); - // create-acl-policy-set for egress - // create-acl-policy for egress - FirewallRuleTO[] rules = cmd.getRules(); - for (FirewallRuleTO rule : rules) { - if (rule.revoked()) { - // delete-acl-rule - //_connection.deleteAclRule(tenant, Long.toString(rule.getId())); - } else { - String cidr = rule.getSourceCidrList().get(0); - String[] result = cidr.split("\\/"); - assert (result.length == 2) : "Something is wrong with source cidr " + cidr; - long size = Long.valueOf(result[1]); - String startIp = NetUtils.getIpRangeStartIpFromCidr(result[0], size); - String endIp = NetUtils.getIpRangeEndIpFromCidr(result[0], size); - // create-ingress-acl-rule - _connection.createIngressAclRule(tenant, - Long.toString(rule.getId()), rule.getProtocol().toUpperCase(), startIp, endIp, - Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), rule.getSrcIp()); + for (String publicIp : publicIpRulesMap.keySet()) { + String policyIdentifier = publicIp.replace('.', '-'); + // delete-acl-policy for ingress + 
_connection.deleteTenantVDCAclPolicy(tenant, policyIdentifier); + // delete-acl-policy for egress + + // create-acl-policy for ingress + _connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true); + _connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, true); + // create-acl-policy for egress + + for (FirewallRuleTO rule : publicIpRulesMap.get(publicIp)) { + if (rule.revoked()) { + // delete-acl-rule + //_connection.deleteAclRule(tenant, Long.toString(rule.getId()), publicIp); + } else { + String cidr = rule.getSourceCidrList().get(0); + String[] result = cidr.split("\\/"); + assert (result.length == 2) : "Something is wrong with source cidr " + cidr; + long size = Long.valueOf(result[1]); + String externalStartIp = NetUtils.getIpRangeStartIpFromCidr(result[0], size); + String externalEndIp = NetUtils.getIpRangeEndIpFromCidr(result[0], size); + // create-ingress-acl-rule + _connection.createIngressAclRule(tenant, + Long.toString(rule.getId()), policyIdentifier, + rule.getProtocol().toUpperCase(), externalStartIp, externalEndIp, + Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), publicIp); + } } } - // associate-acl-policy-set _connection.associateAclPolicySet(tenant); } catch (Throwable e) {
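Review bot: The per-public-IP loop calls `_connection.deleteTenantVDCAclPolicy(tenant, policyIdentifier)` before recreating the policy, so a failure in any of the following VNMC calls leaves that public IP with no ingress policy, and because the exception escapes the loop the remaining public IPs are never processed and `associateAclPolicySet` is skipped. Consider creating the replacement policy first and deleting the old one only after its rules and ref are in place, or at least making the `catch (Throwable e)` branch (which continues outside the hunk) re-apply the whole command on retry rather than leaving a partially configured tenant. `publicIp` comes from `rule.getSrcIp()` and is used both as the map key and in `publicIp.replace('.', '-')`; if it can be null the second use throws before any device call is made, which is worth a guard or a comment stating the non-null contract. The commented-out `deleteAclRule` call passes `publicIp` where the implementation expects `policyIdentifier`. The `assert (result.length == 2)` on the source CIDR is a no-op unless assertions are enabled, so a malformed CIDR surfaces as an ArrayIndexOutOfBoundsException instead of the intended message.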