diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-egress-acl-rule.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-egress-acl-rule.xml
new file mode 100755
index 00000000000..5256759ca5f
--- /dev/null
+++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-egress-acl-rule.xml
@@ -0,0 +1,201 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
index 59a605eef14..35df7ec0471 100644
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
@@ -143,6 +143,12 @@ public interface CiscoVnmcConnection {
String destStartPort, String destEndPort, String destIp)
throws ExecutionException;
+ public boolean createTenantVDCEgressAclRule(String tenantName,
+ String identifier, String policyIdentifier,
+ String protocol, String sourceStartPort, String sourceEndPort, String sourceIp,
+ String destStartIp, String destEndIp)
+ throws ExecutionException;
+
public boolean deleteTenantVDCAclRule(String tenantName,
String identifier, String policyIdentifier) throws ExecutionException;
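Review bot: The added createTenantVDCEgressAclRule has no Javadoc, and its parameter list is deliberately not parallel to createTenantVDCIngressAclRule just above it (that one takes destination ports and a single destination IP; this one takes a source port range, a single source IP and a destination IP range), so a caller cannot tell from the signature which side each range applies to. I would add a Javadoc block saying that the method adds a rule to the egress ACL policy `policyIdentifier` of tenant `tenantName` matching `protocol` traffic from `sourceIp` on ports `sourceStartPort`–`sourceEndPort` to addresses `destStartIp`–`destEndIp`, that `identifier` is folded into the rule name/DN (so it must be unique within the policy, as deleteTenantVDCAclRule below keys on it), that the implementation hard-codes the action to permit, and that the boolean is VNMC's success indication, plus `@throws ExecutionException` for transport failures. Noting the permit-only action in the contract matters because there is no deny variant in this interface, so ordering and deletion are the only way to narrow egress traffic.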
diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
index 02e89d1603c..0b0b70cc547 100644
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
@@ -92,6 +92,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
LIST_ACL_POLICIES("list-acl-policies.xml", "policy-mgr"),
CREATE_ACL_POLICY_REF("create-acl-policy-ref.xml", "policy-mgr"),
CREATE_INGRESS_ACL_RULE("create-ingress-acl-rule.xml", "policy-mgr"),
+ CREATE_EGRESS_ACL_RULE("create-egress-acl-rule.xml", "policy-mgr"),
DELETE_RULE("delete-rule.xml", "policy-mgr"),
@@ -659,8 +660,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
xml = replaceXmlValue(xml, "descr", "Edge Security Profile for Tenant VDC" + tenantName);
xml = replaceXmlValue(xml, "name", getNameForEdgeDeviceSecurityProfile(tenantName));
xml = replaceXmlValue(xml, "espdn", getDnForTenantVDCEdgeSecurityProfile(tenantName));
- //xml = replaceXmlValue(xml, "egresspolicysetname", getNameForAclPolicySet(tenantName, false));
- xml = replaceXmlValue(xml, "egresspolicysetname", "default-egress"); //FIXME
+ xml = replaceXmlValue(xml, "egresspolicysetname", getNameForAclPolicySet(tenantName, false));
xml = replaceXmlValue(xml, "ingresspolicysetname", getNameForAclPolicySet(tenantName, true));
xml = replaceXmlValue(xml, "natpolicysetname", getNameForNatPolicySet(tenantName));
@@ -698,6 +698,36 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
return verifySuccess(response);
}
+ @Override
+ public boolean createTenantVDCEgressAclRule(String tenantName,
+ String identifier, String policyIdentifier,
+ String protocol, String sourceStartPort, String sourceEndPort, String sourceIp,
+ String destStartIp, String destEndIp) throws ExecutionException {
+ String xml = VnmcXml.CREATE_EGRESS_ACL_RULE.getXml();
+ String service = VnmcXml.CREATE_EGRESS_ACL_RULE.getService();
+ xml = replaceXmlValue(xml, "cookie", _cookie);
+ xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
+ xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
+ xml = replaceXmlValue(xml, "descr", "Egress ACL policy for Tenant VDC" + tenantName);
+ xml = replaceXmlValue(xml, "actiontype", "permit");
+ xml = replaceXmlValue(xml, "protocolvalue", protocol);
+ xml = replaceXmlValue(xml, "sourcestartport", sourceStartPort);
+ xml = replaceXmlValue(xml, "sourceendport", sourceEndPort);
+ xml = replaceXmlValue(xml, "sourceip", sourceIp);
+ xml = replaceXmlValue(xml, "deststartip", destStartIp);
+ xml = replaceXmlValue(xml, "destendip", destEndIp);
+
+ List rules = listChildren(getDnForAclPolicy(tenantName, policyIdentifier));
+ int order = 100;
+ if (rules != null) {
+ order += rules.size();
+ }
+ xml = replaceXmlValue(xml, "order", Integer.toString(order));
+
+ String response = sendRequest(service, xml);
+ return verifySuccess(response);
+ }
+
@Override
public boolean deleteTenantVDCAclRule(String tenantName, String identifier, String policyIdentifier) throws ExecutionException {
return deleteTenantVDCRule(
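Review bot: The rule order computed at `int order = 100; if (rules != null) order += rules.size();` is not collision-free: once any rule in the policy has been removed through deleteTenantVDCAclRule, the child count drops and the next rule created receives an `order` that a surviving rule may already hold, and nothing here shows how VNMC resolves two rules with the same order. Deriving the order from the highest order among the existing children plus one (or from the unique rule `identifier`, if its range fits) would keep it monotonic; since listChildren returns a raw `List` whose element type is not visible here, I can only suggest the approach, not the code. The values substituted into the template (`protocol`, the ports, the IP strings) arrive from the caller's FirewallRuleTO with no validation in this method; if replaceXmlValue does plain string replacement rather than XML escaping, a value containing `<` or `&` would corrupt the request, so validating the protocol against the accepted set and the ports/IPs as numeric and dotted-quad before substitution is worth adding. Minor: the description `"Egress ACL policy for Tenant VDC" + tenantName` lacks a space before the tenant name (`"Egress ACL policy for Tenant VDC " + tenantName`), and `List rules` should be `List<?> rules` to avoid the raw type.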
diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
index 262fed03d41..58dcb086405 100644
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
@@ -336,7 +336,9 @@ public class CiscoVnmcResource implements ServerResource {
if (!_connection.createTenantVDCAclPolicySet(tenant, true)) {
throw new Exception("Failed to create ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
}
- // TODO for egress
+ if (!_connection.createTenantVDCAclPolicySet(tenant, false)) {
+ throw new Exception("Failed to create ACL egress policy set in VNMC for guest network with vlan " + vlanId);
+ }
for (String publicIp : publicIpRulesMap.keySet()) {
String policyIdentifier = publicIp.replace('.', '-');
@@ -344,7 +346,6 @@ public class CiscoVnmcResource implements ServerResource {
/*if (!_connection.deleteTenantVDCAclPolicy(tenant, policyIdentifier)) {
throw new Exception("Failed to delete ACL ingress policy in VNMC for guest network with vlan " + vlanId);
}*/
- // TODO for egress
if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true)) {
throw new Exception("Failed to create ACL ingress policy in VNMC for guest network with vlan " + vlanId);
@@ -352,16 +353,21 @@ public class CiscoVnmcResource implements ServerResource {
if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, true)) {
throw new Exception("Failed to associate ACL ingress policy with ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
}
- // TODO for egress
+ if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, false)) {
+ throw new Exception("Failed to create ACL egress policy in VNMC for guest network with vlan " + vlanId);
+ }
+ if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, false)) {
+ throw new Exception("Failed to associate ACL egress policy with ACL egress policy set in VNMC for guest network with vlan " + vlanId);
+ }
for (FirewallRuleTO rule : publicIpRulesMap.get(publicIp)) {
if (rule.revoked()) {
if (!_connection.deleteTenantVDCAclRule(tenant, Long.toString(rule.getId()), publicIp)) {
- throw new Exception("Failed to delete ACL ingress rule in VNMC for guest network with vlan " + vlanId);
+ throw new Exception("Failed to delete ACL rule in VNMC for guest network with vlan " + vlanId);
}
} else {
+ String[] externalIpRange = getIpRangeFromCidr(rule.getSourceCidrList().get(0));
if (rule.getTrafficType() == TrafficType.Ingress) {
- String[] externalIpRange = getIpRangeFromCidr(rule.getSourceCidrList().get(0));
if (!_connection.createTenantVDCIngressAclRule(tenant,
Long.toString(rule.getId()), policyIdentifier,
rule.getProtocol().toUpperCase(), externalIpRange[0], externalIpRange[1],
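Review bot: Hoisting `String[] externalIpRange = getIpRangeFromCidr(rule.getSourceCidrList().get(0));` out of the ingress branch means every non-revoked rule, egress included, now dereferences the source CIDR list, so a rule with a null or empty list (the old test fixture passed null here) fails with a NullPointerException or IndexOutOfBoundsException instead of the descriptive Exception this method throws elsewhere, and any CIDR after the first is silently ignored for both traffic types. I would guard it before the branch, e.g. `List<String> cidrs = rule.getSourceCidrList(); if (cidrs == null || cidrs.isEmpty()) { throw new Exception("Firewall rule " + rule.getId() + " has no source CIDR for guest network with vlan " + vlanId); }`, and either loop over all CIDRs (one VNMC rule per CIDR, with a distinct identifier each) or reject multi-CIDR rules explicitly rather than dropping them; whether an empty list should instead mean 0.0.0.0/0 depends on how the caller populates it, which is not visible here. The enclosing method starts and ends outside this hunk.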
@@ -369,7 +375,13 @@ public class CiscoVnmcResource implements ServerResource {
throw new Exception("Failed to create ACL ingress rule in VNMC for guest network with vlan " + vlanId);
}
} else {
- // TODO for egress
+ if (!_connection.createTenantVDCEgressAclRule(tenant,
+ Long.toString(rule.getId()), policyIdentifier,
+ rule.getProtocol().toUpperCase(),
+ Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), publicIp,
+ externalIpRange[0], externalIpRange[1])) {
+ throw new Exception("Failed to create ACL egress rule in VNMC for guest network with vlan " + vlanId);
+ }
}
}
}
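Review bot: The new egress call indexes `rule.getSrcPortRange()[0]` and `[1]` without a null check, so a rule whose port range is absent (ICMP or protocol "all", if FirewallRuleTO leaves the range null for those) would surface as a NullPointerException rather than the descriptive Exception the surrounding code throws; a one-line guard before the call, `if (rule.getSrcPortRange() == null) throw new Exception("Egress rule " + rule.getId() + " has no port range for guest network with vlan " + vlanId);`, keeps the failure explicit. I would also confirm the direction of the arguments: `publicIp` is passed as the egress source and the rule's source CIDR range (`externalIpRange`, computed in the previous hunk) as the destination range, which is only right if the VNMC egress policy sees post-NAT traffic and the CIDR list on an egress rule denotes the remote destination; if that list holds the guest-side source networks, the rule is inverted and would permit nothing useful. The `else` branch also treats any traffic type other than Ingress as Egress, which is fine only while those are the sole values. The enclosing method starts and ends outside this hunk.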
diff --git a/plugins/network-elements/cisco-vnmc/test/com/cloud/network/resource/CiscoVnmcResourceTest.java b/plugins/network-elements/cisco-vnmc/test/com/cloud/network/resource/CiscoVnmcResourceTest.java
index 7a723186f27..69ef046506b 100755
--- a/plugins/network-elements/cisco-vnmc/test/com/cloud/network/resource/CiscoVnmcResourceTest.java
+++ b/plugins/network-elements/cisco-vnmc/test/com/cloud/network/resource/CiscoVnmcResourceTest.java
@@ -147,9 +147,11 @@ public class CiscoVnmcResourceTest {
public void testFirewall() throws ConfigurationException, Exception {
long vlanId = 123;
List rules = new ArrayList();
+ List cidrList = new ArrayList();
+ cidrList.add("2.3.2.3/32");
FirewallRuleTO active = new FirewallRuleTO(1,
null, "1.2.3.4", "tcp", 22, 22, false, false,
- FirewallRule.Purpose.Firewall, null, null, null);
+ FirewallRule.Purpose.Firewall, cidrList, null, null);
rules.add(active);
FirewallRuleTO revoked = new FirewallRuleTO(1,
null, "1.2.3.4", "tcp", 22, 22, true, false,
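Review bot: The fixture now gives the active rule a source CIDR, but no rule in it is marked TrafficType.Egress (the 12-argument FirewallRuleTO constructor used here carries no traffic type, so unless it defaults to Egress the active rule takes the ingress path), which means createTenantVDCEgressAclRule is stubbed in the second hunk of this file yet never invoked, and nothing verifies the call. I would add a second active rule with the egress traffic type through whichever FirewallRuleTO constructor or setter carries it, and assert the path with `verify(_connection).createTenantVDCEgressAclRule(anyString(), eq("2"), anyString(), eq("TCP"), eq("22"), eq("22"), eq("1.2.3.4"), eq("2.3.2.3"), eq("2.3.2.3"));` (adjusting the id and CIDR to the new rule). The revoked rule still passes a null CIDR list, which is fine because revoked rules skip the CIDR lookup, but a one-line comment saying so would stop the next reader from "fixing" it.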
@@ -170,6 +172,10 @@ public class CiscoVnmcResourceTest {
anyString(), anyString(), anyString(),
anyString(), anyString(), anyString(),
anyString(), anyString(), anyString())).thenReturn(true);
+ when(_connection.createTenantVDCEgressAclRule(
+ anyString(), anyString(), anyString(),
+ anyString(), anyString(), anyString(),
+ anyString(), anyString(), anyString())).thenReturn(true);
when(_connection.associateAclPolicySet(anyString())).thenReturn(true);
Answer answer = _resource.executeRequest(cmd);