Egress firewall rule
This commit is contained in:
parent
e81ab3a2f4
commit
4d2168bfa9
|
|
@ -0,0 +1,201 @@
|
|||
<!--
|
||||
Licensed to the Apache Software Foundation (ASF) under one
|
||||
or more contributor license agreements. See the NOTICE file
|
||||
distributed with this work for additional information
|
||||
regarding copyright ownership. The ASF licenses this file
|
||||
to you under the Apache License, Version 2.0 (the
|
||||
"License"); you may not use this file except in compliance
|
||||
with the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing,
|
||||
software distributed under the License is distributed on an
|
||||
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
KIND, either express or implied. See the License for the
|
||||
specific language governing permissions and limitations
|
||||
under the License.
|
||||
-->
|
||||
<configConfMos
|
||||
cookie="%cookie%"
|
||||
inHierarchical="false">
|
||||
<inConfigs>
|
||||
|
||||
<pair key="%aclruledn%">
|
||||
<policyRule
|
||||
descr="%descr%"
|
||||
dn="%aclruledn%"
|
||||
name="%aclrulename%"
|
||||
order="%order%"
|
||||
status="created"/>
|
||||
</pair>
|
||||
|
||||
<pair key="%aclruledn%/rule-action-0">
|
||||
<fwpolicyAction
|
||||
actionType="%actiontype%"
|
||||
dn="%aclruledn%/rule-action-0"
|
||||
id="0"
|
||||
status="created"/>
|
||||
</pair>
|
||||
|
||||
<pair key="%aclruledn%/rule-cond-2">
|
||||
<policyRuleCondition
|
||||
dn="%aclruledn%/rule-cond-2"
|
||||
id="2"
|
||||
order="unspecified"
|
||||
status="created"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-2/nw-expr2">
|
||||
<policyNetworkExpression
|
||||
dn="%aclruledn%/rule-cond-2/nw-expr2"
|
||||
id="2"
|
||||
opr="eq"
|
||||
status="created"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-2/nw-expr2/nw-protocol-2">
|
||||
<policyProtocol
|
||||
dataType="string"
|
||||
descr=""
|
||||
dn="%aclruledn%/rule-cond-2/nw-expr2/nw-protocol-2"
|
||||
id="2"
|
||||
name=""
|
||||
placement="none"
|
||||
status="created"
|
||||
value="%protocolvalue%"/>
|
||||
</pair>
|
||||
|
||||
<pair key="%aclruledn%/rule-cond-3">
|
||||
<policyRuleCondition
|
||||
dn="%aclruledn%/rule-cond-3"
|
||||
id="3"
|
||||
order="unspecified"
|
||||
status="created"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-3/nw-expr2">
|
||||
<policyNetworkExpression
|
||||
dn="%aclruledn%/rule-cond-3/nw-expr2"
|
||||
id="2"
|
||||
opr="range"
|
||||
status="created"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual">
|
||||
<policyNwAttrQualifier
|
||||
attrEp="destination"
|
||||
dn="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual"
|
||||
status="created"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-2">
|
||||
<policyIPAddress
|
||||
dataType="string"
|
||||
descr=""
|
||||
dn="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-2"
|
||||
id="2"
|
||||
name=""
|
||||
placement="begin"
|
||||
status="created"
|
||||
value="%deststartip%"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-3">
|
||||
<policyIPAddress
|
||||
dataType="string"
|
||||
descr=""
|
||||
dn="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-3"
|
||||
id="3"
|
||||
name=""
|
||||
placement="end"
|
||||
status="created"
|
||||
value="%destendip%"/>
|
||||
</pair>
|
||||
|
||||
<pair key="%aclruledn%/rule-cond-4">
|
||||
<policyRuleCondition
|
||||
dn="%aclruledn%/rule-cond-4"
|
||||
id="4"
|
||||
order="unspecified"
|
||||
status="created"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-4/nw-expr2">
|
||||
<policyNetworkExpression
|
||||
dn="%aclruledn%/rule-cond-4/nw-expr2"
|
||||
id="2"
|
||||
opr="eq"
|
||||
status="created"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-4/nw-expr2/nw-attr-qual">
|
||||
<policyNwAttrQualifier
|
||||
attrEp="source"
|
||||
dn="%aclruledn%/rule-cond-4/nw-expr2/nw-attr-qual"
|
||||
status="created"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-4/nw-expr2/nw-ip-2">
|
||||
<policyIPAddress
|
||||
dataType="string"
|
||||
descr=""
|
||||
dn="%aclruledn%/rule-cond-4/nw-expr2/nw-ip-2"
|
||||
id="2"
|
||||
name=""
|
||||
placement="none"
|
||||
status="created"
|
||||
value="%sourceip%"/>
|
||||
</pair>
|
||||
|
||||
<pair key="%aclruledn%/rule-cond-5">
|
||||
<policyRuleCondition
|
||||
dn="%aclruledn%/rule-cond-5"
|
||||
id="5"
|
||||
order="unspecified"
|
||||
status="created"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-5/nw-expr2">
|
||||
<policyNetworkExpression
|
||||
dn="%aclruledn%/rule-cond-5/nw-expr2"
|
||||
id="2"
|
||||
opr="range"
|
||||
status="created"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-5/nw-expr2/nw-attr-qual">
|
||||
<policyNwAttrQualifier
|
||||
attrEp="source"
|
||||
dn="%aclruledn%/rule-cond-5/nw-expr2/nw-attr-qual"
|
||||
status="created"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-5/nw-expr2/nw-port-2">
|
||||
<policyNetworkPort
|
||||
appType="Other"
|
||||
dataType="string"
|
||||
descr=""
|
||||
dn="%aclruledn%/rule-cond-5/nw-expr2/nw-port-2"
|
||||
id="2"
|
||||
name=""
|
||||
placement="begin"
|
||||
status="created"
|
||||
value="%sourcestartport%"/>
|
||||
</pair>
|
||||
<pair key="%aclruledn%/rule-cond-5/nw-expr2/nw-port-3">
|
||||
<policyNetworkPort
|
||||
appType="Other"
|
||||
dataType="string"
|
||||
descr=""
|
||||
dn="%aclruledn%/rule-cond-5/nw-expr2/nw-port-3"
|
||||
id="3"
|
||||
name=""
|
||||
placement="end"
|
||||
status="created"
|
||||
value="%sourceendport%"/>
|
||||
</pair>
|
||||
|
||||
</inConfigs>
|
||||
</configConfMos>
|
||||
|
||||
<!--
|
||||
aclruledn="org-root/org-vlan-123/org-VDC-vlan-123/pol-test_policy/rule-dummy"
|
||||
aclrulename="dummy"
|
||||
descr=value
|
||||
actiontype="drop" or "permit"
|
||||
protocolvalue = "TCP" or UDP or ICMP
|
||||
deststartip="source start ip"
|
||||
destendip="source end ip"
|
||||
sourcestartport="start port at destination"
|
||||
sourceendport="end port at destination"
|
||||
sourceip="public ip at destination"
|
||||
--!>
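Review bot: The trailing comment is closed with `--!>`, which is not a valid XML comment terminator (a comment ends with `-->` and `--` may not otherwise appear inside it), so a conforming parser rejects the filled-in request; it should read `-->`. The `%...%` placeholders in this template are filled by plain string replacement in the Java code later in this commit, so any substituted value containing `"`, `<` or `&` ends up unescaped inside an attribute; the legend comment at the end is the natural place to record that contract, e.g. `all %...% values are inserted verbatim into attributes; callers must validate them (no ", <, &) before substitution`. The legend itself also reads as swapped relative to the placeholder names it describes (`deststartip="source start ip"`, `sourcestartport="start port at destination"`) — if the names are chosen from the firewall's perspective rather than the rule's, say so there, otherwise the next maintainer will wire them backwards.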
|
||||
|
|
@ -143,6 +143,12 @@ public interface CiscoVnmcConnection {
|
|||
String destStartPort, String destEndPort, String destIp)
|
||||
throws ExecutionException;
|
||||
|
||||
public boolean createTenantVDCEgressAclRule(String tenantName,
|
||||
String identifier, String policyIdentifier,
|
||||
String protocol, String sourceStartPort, String sourceEndPort, String sourceIp,
|
||||
String destStartIp, String destEndIp)
|
||||
throws ExecutionException;
|
||||
|
||||
public boolean deleteTenantVDCAclRule(String tenantName,
|
||||
String identifier, String policyIdentifier) throws ExecutionException;
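Review bot: `createTenantVDCEgressAclRule` is added to the public interface without Javadoc, and its parameter orientation is not obvious from the names: it takes a single `sourceIp` plus a `destStartIp`/`destEndIp` range, mirroring the ingress method above it (which takes a `destIp` and a source range), and the implementation in this commit passes the guest network's public IP as `sourceIp` and the rule's CIDR range as the destination range. A Javadoc block stating that orientation, that the ports are decimal strings, and `@throws ExecutionException if the VNMC request fails` would prevent callers swapping arguments that the all-`String` signature cannot catch at compile time.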
|
||||
|
||||
|
|
|
|||
|
|
@ -92,6 +92,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
|
|||
LIST_ACL_POLICIES("list-acl-policies.xml", "policy-mgr"),
|
||||
CREATE_ACL_POLICY_REF("create-acl-policy-ref.xml", "policy-mgr"),
|
||||
CREATE_INGRESS_ACL_RULE("create-ingress-acl-rule.xml", "policy-mgr"),
|
||||
CREATE_EGRESS_ACL_RULE("create-egress-acl-rule.xml", "policy-mgr"),
|
||||
|
||||
DELETE_RULE("delete-rule.xml", "policy-mgr"),
|
||||
|
||||
|
|
@ -659,8 +660,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
|
|||
xml = replaceXmlValue(xml, "descr", "Edge Security Profile for Tenant VDC" + tenantName);
|
||||
xml = replaceXmlValue(xml, "name", getNameForEdgeDeviceSecurityProfile(tenantName));
|
||||
xml = replaceXmlValue(xml, "espdn", getDnForTenantVDCEdgeSecurityProfile(tenantName));
|
||||
//xml = replaceXmlValue(xml, "egresspolicysetname", getNameForAclPolicySet(tenantName, false));
|
||||
xml = replaceXmlValue(xml, "egresspolicysetname", "default-egress"); //FIXME
|
||||
xml = replaceXmlValue(xml, "egresspolicysetname", getNameForAclPolicySet(tenantName, false));
|
||||
xml = replaceXmlValue(xml, "ingresspolicysetname", getNameForAclPolicySet(tenantName, true));
|
||||
xml = replaceXmlValue(xml, "natpolicysetname", getNameForNatPolicySet(tenantName));
|
||||
|
||||
|
|
@ -698,6 +698,36 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
|
|||
return verifySuccess(response);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean createTenantVDCEgressAclRule(String tenantName,
|
||||
String identifier, String policyIdentifier,
|
||||
String protocol, String sourceStartPort, String sourceEndPort, String sourceIp,
|
||||
String destStartIp, String destEndIp) throws ExecutionException {
|
||||
String xml = VnmcXml.CREATE_EGRESS_ACL_RULE.getXml();
|
||||
String service = VnmcXml.CREATE_EGRESS_ACL_RULE.getService();
|
||||
xml = replaceXmlValue(xml, "cookie", _cookie);
|
||||
xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
|
||||
xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
|
||||
xml = replaceXmlValue(xml, "descr", "Egress ACL policy for Tenant VDC" + tenantName);
|
||||
xml = replaceXmlValue(xml, "actiontype", "permit");
|
||||
xml = replaceXmlValue(xml, "protocolvalue", protocol);
|
||||
xml = replaceXmlValue(xml, "sourcestartport", sourceStartPort);
|
||||
xml = replaceXmlValue(xml, "sourceendport", sourceEndPort);
|
||||
xml = replaceXmlValue(xml, "sourceip", sourceIp);
|
||||
xml = replaceXmlValue(xml, "deststartip", destStartIp);
|
||||
xml = replaceXmlValue(xml, "destendip", destEndIp);
|
||||
|
||||
List<String> rules = listChildren(getDnForAclPolicy(tenantName, policyIdentifier));
|
||||
int order = 100;
|
||||
if (rules != null) {
|
||||
order += rules.size();
|
||||
}
|
||||
xml = replaceXmlValue(xml, "order", Integer.toString(order));
|
||||
|
||||
String response = sendRequest(service, xml);
|
||||
return verifySuccess(response);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean deleteTenantVDCAclRule(String tenantName, String identifier, String policyIdentifier) throws ExecutionException {
|
||||
return deleteTenantVDCRule(
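Review bot: `createTenantVDCEgressAclRule` splices `protocol`, the port strings and the IP strings into the request body through `replaceXmlValue` with no validation, so a value containing `"`, `<` or `&` yields a malformed or attribute-injected VNMC request; the one caller visible in this commit derives them from `Integer.toString` and `getIpRangeFromCidr`, but this is a public interface method and should enforce its own precondition, e.g. `Integer.parseInt` on each port and a strict dotted-quad check on each address, throwing `IllegalArgumentException` otherwise. The order is computed as `100 + listChildren(policyDn).size()`, which presumably gives two rules created concurrently for the same policy the same order and counts any non-rule children too — if VNMC needs unique orders, that deserves a comment or a stronger scheme. `actiontype` is hard-wired to `"permit"`; a one-line comment explaining why egress rules are always permit (presumably the policy set's default action handles the rest — not visible here) would help the reader. The hunk cuts `deleteTenantVDCAclRule` off after its first line.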
|
||||
|
|
|
|||
|
|
@ -336,7 +336,9 @@ public class CiscoVnmcResource implements ServerResource {
|
|||
if (!_connection.createTenantVDCAclPolicySet(tenant, true)) {
|
||||
throw new Exception("Failed to create ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
|
||||
}
|
||||
// TODO for egress
|
||||
if (!_connection.createTenantVDCAclPolicySet(tenant, false)) {
|
||||
throw new Exception("Failed to create ACL egress policy set in VNMC for guest network with vlan " + vlanId);
|
||||
}
|
||||
|
||||
for (String publicIp : publicIpRulesMap.keySet()) {
|
||||
String policyIdentifier = publicIp.replace('.', '-');
|
||||
|
|
@ -344,7 +346,6 @@ public class CiscoVnmcResource implements ServerResource {
|
|||
/*if (!_connection.deleteTenantVDCAclPolicy(tenant, policyIdentifier)) {
|
||||
throw new Exception("Failed to delete ACL ingress policy in VNMC for guest network with vlan " + vlanId);
|
||||
}*/
|
||||
// TODO for egress
|
||||
|
||||
if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true)) {
|
||||
throw new Exception("Failed to create ACL ingress policy in VNMC for guest network with vlan " + vlanId);
|
||||
|
|
@ -352,16 +353,21 @@ public class CiscoVnmcResource implements ServerResource {
|
|||
if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, true)) {
|
||||
throw new Exception("Failed to associate ACL ingress policy with ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
|
||||
}
|
||||
// TODO for egress
|
||||
if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, false)) {
|
||||
throw new Exception("Failed to create ACL egress policy in VNMC for guest network with vlan " + vlanId);
|
||||
}
|
||||
if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, false)) {
|
||||
throw new Exception("Failed to associate ACL egress policy with ACL egress policy set in VNMC for guest network with vlan " + vlanId);
|
||||
}
|
||||
|
||||
for (FirewallRuleTO rule : publicIpRulesMap.get(publicIp)) {
|
||||
if (rule.revoked()) {
|
||||
if (!_connection.deleteTenantVDCAclRule(tenant, Long.toString(rule.getId()), publicIp)) {
|
||||
throw new Exception("Failed to delete ACL ingress rule in VNMC for guest network with vlan " + vlanId);
|
||||
throw new Exception("Failed to delete ACL rule in VNMC for guest network with vlan " + vlanId);
|
||||
}
|
||||
} else {
|
||||
String[] externalIpRange = getIpRangeFromCidr(rule.getSourceCidrList().get(0));
|
||||
if (rule.getTrafficType() == TrafficType.Ingress) {
|
||||
String[] externalIpRange = getIpRangeFromCidr(rule.getSourceCidrList().get(0));
|
||||
if (!_connection.createTenantVDCIngressAclRule(tenant,
|
||||
Long.toString(rule.getId()), policyIdentifier,
|
||||
rule.getProtocol().toUpperCase(), externalIpRange[0], externalIpRange[1],
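Review bot: The hoisted `rule.getSourceCidrList().get(0)` now runs for every non-revoked rule, ingress and egress, and uses only the first CIDR: a rule saved with several source CIDRs is silently programmed for the first one only, so the device ACL no longer matches what the user configured, and a null or empty list throws `NullPointerException`/`IndexOutOfBoundsException` instead of the descriptive `Exception` the surrounding code uses (the test change in this commit swaps `null` for a one-entry `cidrList`, which suggests this path was hit). Either loop over `rule.getSourceCidrList()` creating one VNMC rule per CIDR with a distinct identifier, or reject the unsupported shape explicitly, e.g. `List<String> cidrs = rule.getSourceCidrList(); if (cidrs == null || cidrs.size() != 1) throw new Exception("VNMC rule " + rule.getId() + " needs exactly one source CIDR");`. The egress branch in the following hunk dereferences `rule.getSrcPortRange()[0]` without a null check, which presumably matters for port-less protocols such as ICMP and deserves the same guard. The enclosing loop and method begin before and end after this hunk.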
|
||||
|
|
@ -369,7 +375,13 @@ public class CiscoVnmcResource implements ServerResource {
|
|||
throw new Exception("Failed to create ACL ingress rule in VNMC for guest network with vlan " + vlanId);
|
||||
}
|
||||
} else {
|
||||
// TODO for egress
|
||||
if (!_connection.createTenantVDCEgressAclRule(tenant,
|
||||
Long.toString(rule.getId()), policyIdentifier,
|
||||
rule.getProtocol().toUpperCase(),
|
||||
Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), publicIp,
|
||||
externalIpRange[0], externalIpRange[1])) {
|
||||
throw new Exception("Failed to create ACL egress rule in VNMC for guest network with vlan " + vlanId);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -147,9 +147,11 @@ public class CiscoVnmcResourceTest {
|
|||
public void testFirewall() throws ConfigurationException, Exception {
|
||||
long vlanId = 123;
|
||||
List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
|
||||
List<String> cidrList = new ArrayList<String>();
|
||||
cidrList.add("2.3.2.3/32");
|
||||
FirewallRuleTO active = new FirewallRuleTO(1,
|
||||
null, "1.2.3.4", "tcp", 22, 22, false, false,
|
||||
FirewallRule.Purpose.Firewall, null, null, null);
|
||||
FirewallRule.Purpose.Firewall, cidrList, null, null);
|
||||
rules.add(active);
|
||||
FirewallRuleTO revoked = new FirewallRuleTO(1,
|
||||
null, "1.2.3.4", "tcp", 22, 22, true, false,
|
||||
|
|
@ -170,6 +172,10 @@ public class CiscoVnmcResourceTest {
|
|||
anyString(), anyString(), anyString(),
|
||||
anyString(), anyString(), anyString(),
|
||||
anyString(), anyString(), anyString())).thenReturn(true);
|
||||
when(_connection.createTenantVDCEgressAclRule(
|
||||
anyString(), anyString(), anyString(),
|
||||
anyString(), anyString(), anyString(),
|
||||
anyString(), anyString(), anyString())).thenReturn(true);
|
||||
when(_connection.associateAclPolicySet(anyString())).thenReturn(true);
|
||||
|
||||
Answer answer = _resource.executeRequest(cmd);
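Review bot: The new stub for `createTenantVDCEgressAclRule` with nine `anyString()` matchers makes the egress path always succeed, but nothing asserts that it was reached or with which arguments, so a wiring mistake in the resource (swapping `publicIp` and the CIDR range, which the all-`String` signature allows) still passes. Add a `verify(_connection).createTenantVDCEgressAclRule(...)` with `eq(...)` on at least the protocol (`"TCP"`) and the public IP (`"1.2.3.4"`), once the fixture clearly contains an egress rule — from the constructor arguments alone it is not evident whether `active` is ingress or egress, so that may need an explicit traffic-type argument.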
|
||||
|
|
|
|||