etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

CLOUDSTACK-1578 Egress default policy configurable using network offering in xenserver with VR as firewall provider

This commit is contained in:
Jayapal 2013-06-20 16:27:02 +05:30
parent 4f45673849
commit 6a7ae637dd
21 changed files with 173 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
api/src/com/cloud/offering/NetworkOffering.java
View File

@ -127,5 +127,6 @@ public interface NetworkOffering extends InfrastructureEntity, InternalIdentity,
boolean getInternalLb();
boolean getPublicLb();
boolean getEgressDefaultPolicy();
}

1
api/src/org/apache/cloudstack/api/ApiConstants.java
View File

@ -121,6 +121,7 @@ public class ApiConstants {
public static final String IS_PORTABLE = "isportable";
public static final String IS_PUBLIC = "ispublic";
public static final String IS_PERSISTENT = "ispersistent";
public static final String EGRESS_DEFAULT_POLICY = "egressdefaultpolicy";
public static final String IS_READY = "isready";
public static final String IS_RECURSIVE = "isrecursive";
public static final String ISO_FILTER = "isofilter";

10
api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
View File

@ -99,6 +99,9 @@ public class CreateNetworkOfferingCmd extends BaseCmd {
" Supported keys are internallbprovider/publiclbprovider with service provider as a value")
protected Map details;
@Parameter(name=ApiConstants.EGRESS_DEFAULT_POLICY, type=CommandType.BOOLEAN, description="true if default guest network egress policy is allow; false if default egress policy is deny")
private Boolean egressDefaultPolicy;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
@ -162,6 +165,13 @@ public class CreateNetworkOfferingCmd extends BaseCmd {
return isPersistent == null ? false : isPersistent;
}
public Boolean getEgressDefaultPolicy() {
if (egressDefaultPolicy == null) {
return true;
}
return egressDefaultPolicy;
}
public Map<String, List<String>> getServiceProviders() {
Map<String, List<String>> serviceProviderMap = null;
if (serviceProviderList != null && !serviceProviderList.isEmpty()) {

7
api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java
View File

@ -88,6 +88,9 @@ public class NetworkOfferingResponse extends BaseResponse {
@SerializedName(ApiConstants.DETAILS) @Param(description="additional key/value details tied with network offering", since="4.2.0")
private Map details;
@SerializedName(ApiConstants.EGRESS_DEFAULT_POLICY) @Param(description="true if network offering supports persistent networks, false otherwise")
private Boolean egressDefaultPolicy;
public void setId(String id) {
this.id = id;
@ -166,4 +169,8 @@ public class NetworkOfferingResponse extends BaseResponse {
this.details = details;
}
public void setEgressDefaultPolicy(Boolean egressDefaultPolicy) {
this.egressDefaultPolicy = egressDefaultPolicy;
}
}

1
core/src/com/cloud/agent/api/routing/NetworkElementCommand.java
View File

@ -33,6 +33,7 @@ public abstract class NetworkElementCommand extends Command {
public static final String ZONE_NETWORK_TYPE = "zone.network.type";
public static final String GUEST_BRIDGE = "guest.bridge";
public static final String VPC_PRIVATE_GATEWAY = "vpc.gateway.private";
public static final String FIREWALL_EGRESS_DEFAULT = "firewall.egress.default";
protected NetworkElementCommand() {

7
engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java
View File

@ -223,6 +223,13 @@ public class FirewallRuleVO implements FirewallRule {
}
public FirewallRuleVO(String xId, Long ipAddressId, Integer portStart, Integer portEnd, String protocol,
long networkId, long accountId, long domainId, Purpose purpose, List<String> sourceCidrs, Integer icmpCode,
Integer icmpType, Long related, TrafficType trafficType, FirewallRuleType type) {
this(xId, ipAddressId, portStart, portEnd, protocol, networkId, accountId, domainId, purpose, sourceCidrs, icmpCode, icmpType, related, trafficType);
this.type = type;
}
public FirewallRuleVO(String xId, long ipAddressId, int port, String protocol, long networkId, long accountId,
long domainId, Purpose purpose, List<String> sourceCidrs, Integer icmpCode, Integer icmpType, Long related) {
this(xId, ipAddressId, port, port, protocol, networkId, accountId, domainId, purpose, sourceCidrs, icmpCode, icmpType, related, null);

10
engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java
View File

@ -130,6 +130,9 @@ public class NetworkOfferingVO implements NetworkOffering {
@Column(name = "is_persistent")
boolean isPersistent;
@Column(name = "egress_default_policy")
boolean egressdefaultpolicy;
@Override
public String getDisplayText() {
return displayText;
@ -275,6 +278,10 @@ public class NetworkOfferingVO implements NetworkOffering {
this.redundantRouter = redundantRouter;
}
public boolean getEgressDefaultPolicy() {
return egressdefaultpolicy;
}
public NetworkOfferingVO(String name, String displayText, TrafficType trafficType, boolean systemOnly, boolean specifyVlan, Integer rateMbps, Integer multicastRateMbps, boolean isDefault,
Availability availability, String tags, Network.GuestType guestType, boolean conserveMode, boolean specifyIpRanges, boolean isPersistent, boolean internalLb, boolean publicLb) {
this.name = name;
@ -306,7 +313,7 @@ public class NetworkOfferingVO implements NetworkOffering {
public NetworkOfferingVO(String name, String displayText, TrafficType trafficType, boolean systemOnly, boolean specifyVlan, Integer rateMbps, Integer multicastRateMbps, boolean isDefault,
Availability availability, String tags, Network.GuestType guestType, boolean conserveMode, boolean dedicatedLb, boolean sharedSourceNat, boolean redundantRouter, boolean elasticIp, boolean elasticLb,
boolean specifyIpRanges, boolean inline, boolean isPersistent, boolean associatePublicIP, boolean publicLb, boolean internalLb) {
boolean specifyIpRanges, boolean inline, boolean isPersistent, boolean associatePublicIP, boolean publicLb, boolean internalLb, boolean egressdefaultpolicy) {
this(name, displayText, trafficType, systemOnly, specifyVlan, rateMbps, multicastRateMbps, isDefault, availability, tags, guestType, conserveMode, specifyIpRanges, isPersistent, internalLb, publicLb);
this.dedicatedLB = dedicatedLb;
this.sharedSourceNat = sharedSourceNat;
@ -315,6 +322,7 @@ public class NetworkOfferingVO implements NetworkOffering {
this.elasticLb = elasticLb;
this.inline = inline;
this.eipAssociatePublicIp = associatePublicIP;
this.egressdefaultpolicy = egressdefaultpolicy;
}
public NetworkOfferingVO() {

26
patches/systemvm/debian/config/root/firewallRule_egress.sh
View File

@ -82,15 +82,14 @@ fw_entry_for_egress() {
[ "$eport" == "-1" ] && typecode="$sport"
[ "$sport" == "-1" ] && typecode="any"
sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
-j ACCEPT
-j $target
result=$?
elif [ "$prot" == "all" ]
then
sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j ACCEPT
sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j $target
result=$?
else
sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr \
$DPORT -j ACCEPT
sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr $DPORT -j $target
result=$?
fi
@ -109,14 +108,18 @@ rules=""
rules_list=""
ip=""
dev=""
pflag=0
shift
shift
while getopts 'a:' OPTION
while getopts 'a:P:' OPTION
do
case $OPTION in
a) aflag=1
rules="$OPTARG"
;;
P) pflag=1
pvalue="$OPTARG"
;;
?) usage
unlock_exit 2 $lock $locked
;;
@ -142,6 +145,13 @@ fi
success=0
if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
then
target="ACCEPT"
else
target="DROP"
fi
fw_egress_chain
for r in $rules_list
do
@ -162,6 +172,12 @@ then
fw_egress_backup_restore
else
logger -t cloud "deleting backup for guest network"
if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
then
#Adding default policy rule
sudo iptables -A FW_EGRESS_RULES -j ACCEPT
fi
fi
fw_egress_remove_backup

8
plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
View File

@ -7994,6 +7994,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
String callResult;
Connection conn = getConnection();
String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
String egressDefault = cmd.getAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT);
FirewallRuleTO[] allrules = cmd.getRules();
FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
if (routerIp == null) {
@ -8005,6 +8006,13 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
args += routerIp + " -F";
if (trafficType == FirewallRule.TrafficType.Egress){
args+= " -E";
if (egressDefault.equals("true")) {
args+= " -P 1";
} else if (egressDefault.equals("System")) {
args+= " -P 2";
} else {
args+= " -P 0";
}
}
StringBuilder sb = new StringBuilder();
String[] fwRules = rules[0];

1
server/src/com/cloud/api/ApiResponseHelper.java
View File

@ -2009,6 +2009,7 @@ public class ApiResponseHelper implements ResponseGenerator {
response.setAvailability(offering.getAvailability().toString());
response.setIsPersistent(offering.getIsPersistent());
response.setNetworkRate(ApiDBUtils.getNetworkRate(offering.getId()));
response.setEgressDefaultPolicy(offering.getEgressDefaultPolicy());
Long so = null;
if (offering.getServiceOfferingId() != null) {
so = offering.getServiceOfferingId();

2
server/src/com/cloud/configuration/ConfigurationManager.java
View File

@ -215,7 +215,7 @@ public interface ConfigurationManager extends ConfigurationService, Manager {
NetworkOfferingVO createNetworkOffering(String name, String displayText, TrafficType trafficType, String tags, boolean specifyVlan, Availability availability, Integer networkRate, Map<Service, Set<Provider>> serviceProviderMap,
boolean isDefault, Network.GuestType type, boolean systemOnly, Long serviceOfferingId, boolean conserveMode, Map<Service, Map<Capability, String>> serviceCapabilityMap,
boolean specifyIpRanges, boolean isPersistent, Map<NetworkOffering.Detail,String> details);
boolean specifyIpRanges, boolean isPersistent, Map<NetworkOffering.Detail,String> details, boolean egressDefaultPolicy);
Vlan createVlanAndPublicIpRange(long zoneId, long networkId, long physicalNetworkId, boolean forVirtualNetwork, Long podId, String startIP, String endIP, String vlanGateway, String vlanNetmask, String vlanId, Account vlanOwner, String startIPv6, String endIPv6, String vlanIp6Gateway, String vlanIp6Cidr) throws InsufficientCapacityException, ConcurrentOperationException, InvalidParameterValueException;

10
server/src/com/cloud/configuration/ConfigurationManagerImpl.java
View File

@ -3824,6 +3824,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
boolean specifyIpRanges = cmd.getSpecifyIpRanges();
boolean isPersistent = cmd.getIsPersistent();
Map<String, String> detailsStr = cmd.getDetails();
Boolean egressDefaultPolicy = cmd.getEgressDefaultPolicy();
// Verify traffic type
for (TrafficType tType : TrafficType.values()) {
@ -4011,6 +4012,9 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
Set<Provider> firewallProviderSet = new HashSet<Provider>();
firewallProviderSet.add(firewallProvider);
serviceProviderMap.put(Service.Firewall, firewallProviderSet);
if (!(firewallProvider.getName().equals(Provider.JuniperSRX.getName()) || firewallProvider.getName().equals(Provider.VirtualRouter.getName())) && egressDefaultPolicy == false) {
throw new InvalidParameterValueException("Firewall egress with default policy " + egressDefaultPolicy + "is not supported by the provider "+ firewallProvider.getName());
}
}
Map<NetworkOffering.Detail, String> details = new HashMap<NetworkOffering.Detail, String>();
@ -4032,7 +4036,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
return createNetworkOffering(name, displayText, trafficType, tags, specifyVlan, availability, networkRate,
serviceProviderMap, false, guestType, false, serviceOfferingId, conserveMode, serviceCapabilityMap,
specifyIpRanges, isPersistent, details);
specifyIpRanges, isPersistent, details, egressDefaultPolicy);
}
void validateLoadBalancerServiceCapabilities(Map<Capability, String> lbServiceCapabilityMap) {
@ -4167,7 +4171,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
Map<Service, Set<Provider>> serviceProviderMap, boolean isDefault, Network.GuestType type,
boolean systemOnly, Long serviceOfferingId, boolean conserveMode,
Map<Service, Map<Capability, String>> serviceCapabilityMap, boolean specifyIpRanges, boolean isPersistent,
Map<NetworkOffering.Detail, String> details) {
Map<NetworkOffering.Detail, String> details, boolean egressDefaultPolicy) {
String multicastRateStr = _configDao.getValue("multicast.throttling.rate");
int multicastRate = ((multicastRateStr == null) ? 10 : Integer.parseInt(multicastRateStr));
@ -4310,7 +4314,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
NetworkOfferingVO offering = new NetworkOfferingVO(name, displayText, trafficType, systemOnly, specifyVlan,
networkRate, multicastRate, isDefault, availability, tags, type, conserveMode, dedicatedLb,
sharedSourceNat, redundantRouter, elasticIp, elasticLb, specifyIpRanges, inline, isPersistent,
associatePublicIp, publicLb, internalLb);
associatePublicIp, publicLb, internalLb, egressDefaultPolicy);
if (serviceOfferingId != null) {
offering.setServiceOfferingId(serviceOfferingId);

37
server/src/com/cloud/network/NetworkManagerImpl.java
View File

@ -1307,7 +1307,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
_configMgr.createNetworkOffering(NetworkOffering.QuickCloudNoServices,
"Offering for QuickCloud with no services", TrafficType.Guest, null, true,
Availability.Optional, null, new HashMap<Network.Service, Set<Network.Provider>>(), true,
Network.GuestType.Shared, false, null, true, null, true, false, null);
Network.GuestType.Shared, false, null, true, null, true, false, null, false);
offering.setState(NetworkOffering.State.Enabled);
_networkOfferingDao.update(offering.getId(), offering);
}
@ -1318,7 +1318,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
_configMgr.createNetworkOffering(NetworkOffering.DefaultSharedNetworkOfferingWithSGService,
"Offering for Shared Security group enabled networks", TrafficType.Guest, null, true,
Availability.Optional, null, defaultSharedNetworkOfferingProviders, true,
Network.GuestType.Shared, false, null, true, null, true, false, null);
Network.GuestType.Shared, false, null, true, null, true, false, null, false);
offering.setState(NetworkOffering.State.Enabled);
_networkOfferingDao.update(offering.getId(), offering);
}
@ -1326,7 +1326,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
//#3 - shared network offering with no SG service
if (_networkOfferingDao.findByUniqueName(NetworkOffering.DefaultSharedNetworkOffering) == null) {
offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultSharedNetworkOffering, "Offering for Shared networks", TrafficType.Guest, null, true, Availability.Optional, null,
defaultSharedNetworkOfferingProviders, true, Network.GuestType.Shared, false, null, true, null, true, false, null);
defaultSharedNetworkOfferingProviders, true, Network.GuestType.Shared, false, null, true, null, true, false, null, false);
offering.setState(NetworkOffering.State.Enabled);
_networkOfferingDao.update(offering.getId(), offering);
}
@ -1337,7 +1337,8 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingWithSourceNatService,
"Offering for Isolated networks with Source Nat service enabled", TrafficType.Guest,
null, false, Availability.Required, null, defaultIsolatedSourceNatEnabledNetworkOfferingProviders,
true, Network.GuestType.Isolated, false, null, true, null, false, false, null);
true, Network.GuestType.Isolated, false, null, true, null, false, false, null, false);
offering.setState(NetworkOffering.State.Enabled);
_networkOfferingDao.update(offering.getId(), offering);
}
@ -1347,7 +1348,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworks,
"Offering for Isolated VPC networks with Source Nat service enabled", TrafficType.Guest,
null, false, Availability.Optional, null, defaultVPCOffProviders,
true, Network.GuestType.Isolated, false, null, false, null, false, false, null);
true, Network.GuestType.Isolated, false, null, false, null, false, false, null,false);
offering.setState(NetworkOffering.State.Enabled);
_networkOfferingDao.update(offering.getId(), offering);
}
@ -1359,7 +1360,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworksNoLB,
"Offering for Isolated VPC networks with Source Nat service enabled and LB service disabled", TrafficType.Guest,
null, false, Availability.Optional, null, defaultVPCOffProviders,
true, Network.GuestType.Isolated, false, null, false, null, false, false, null);
true, Network.GuestType.Isolated, false, null, false, null, false, false, null, false);
offering.setState(NetworkOffering.State.Enabled);
_networkOfferingDao.update(offering.getId(), offering);
}
@ -1369,7 +1370,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOffering,
"Offering for Isolated networks with no Source Nat service", TrafficType.Guest, null, true,
Availability.Optional, null, defaultIsolatedNetworkOfferingProviders, true, Network.GuestType.Isolated,
false, null, true, null, true, false, null);
false, null, true, null, true, false, null, false);
offering.setState(NetworkOffering.State.Enabled);
_networkOfferingDao.update(offering.getId(), offering);
}
@ -1395,7 +1396,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB,
"Offering for Isolated VPC networks with Internal Lb support", TrafficType.Guest,
null, false, Availability.Optional, null, internalLbOffProviders,
true, Network.GuestType.Isolated, false, null, false, null, false, false, null);
true, Network.GuestType.Isolated, false, null, false, null, false, false, null, false);
offering.setState(NetworkOffering.State.Enabled);
offering.setInternalLb(true);
_networkOfferingDao.update(offering.getId(), offering);
@ -1425,7 +1426,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
if (_networkOfferingDao.findByUniqueName(NetworkOffering.DefaultSharedEIPandELBNetworkOffering) == null) {
offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultSharedEIPandELBNetworkOffering, "Offering for Shared networks with Elastic IP and Elastic LB capabilities", TrafficType.Guest, null, true,
Availability.Optional, null, netscalerServiceProviders, true, Network.GuestType.Shared, false, null, true, serviceCapabilityMap, true, false, null);
Availability.Optional, null, netscalerServiceProviders, true, Network.GuestType.Shared, false, null, true, serviceCapabilityMap, true, false, null, false);
offering.setState(NetworkOffering.State.Enabled);
offering.setDedicatedLB(false);
_networkOfferingDao.update(offering.getId(), offering);
@ -3089,9 +3090,21 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
}
List<FirewallRuleVO> firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) {
s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart");
success = false;
if (firewallEgressRulesToApply.size() == 0) {
NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
//there are no egress rules then apply the default egress rule
DataCenter zone = _dcDao.findById(network.getDataCenterId());
if (offering.getEgressDefaultPolicy() && _networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
&& (network.getGuestType() == Network.GuestType.Isolated ||
(network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced))) {
// add default egress rule to accept the traffic
_firewallMgr.applyDefaultEgressFirewallRule(network.getId(), true);
}
} else {
if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) {
s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart");
success = false;
}
}
// apply port forwarding rules

31
server/src/com/cloud/network/firewall/FirewallManagerImpl.java
View File

@ -616,6 +616,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
@Override
public boolean applyEgressFirewallRules (FirewallRule rule, Account caller) throws ResourceUnavailableException {
List<FirewallRuleVO> rules = _firewallDao.listByNetworkPurposeTrafficType(rule.getNetworkId(), Purpose.Firewall, FirewallRule.TrafficType.Egress);
applyDefaultEgressFirewallRule(rule.getNetworkId(), true);
return applyFirewallRules(rules, false, caller);
}
@ -648,6 +649,36 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
return true;
}
@Override
public boolean applyDefaultEgressFirewallRule(Long networkId, boolean defaultPolicy) throws ResourceUnavailableException {
if (defaultPolicy == false) {
//If default policy is false no need apply rules on backend because firewall provider blocks by default
return true;
}
s_logger.debug("applying default firewall egress rules ");
NetworkVO network = _networkDao.findById(networkId);
List<String> sourceCidr = new ArrayList<String>();
sourceCidr.add(NetUtils.ALL_CIDRS);
FirewallRuleVO ruleVO = new FirewallRuleVO(null, null, null, null, "all", networkId, network.getAccountId(), network.getDomainId(), Purpose.Firewall, sourceCidr,
null, null, null, FirewallRule.TrafficType.Egress, FirewallRuleType.System);
List<FirewallRuleVO> rules = new ArrayList<FirewallRuleVO>();
rules.add(ruleVO);
try {
//this is not required to store in db because we don't to add this rule along with the normal rules
if (!applyRules(rules, false, false)) {
return false;
}
} catch (ResourceUnavailableException ex) {
s_logger.warn("Failed to apply default egress rules for guest network due to ", ex);
return false;
}
return true;
}
@Override
@ActionEvent(eventType = EventTypes.EVENT_FIREWALL_CLOSE, eventDescription = "revoking firewall rule", async = true)
public boolean revokeFirewallRule(long ruleId, boolean apply, Account caller, long userId) {

32
server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
View File

@ -164,6 +164,7 @@ import com.cloud.network.rules.dao.PortForwardingRulesDao;
import com.cloud.network.vpn.Site2SiteVpnManager;
import com.cloud.offering.NetworkOffering;
import com.cloud.offering.ServiceOffering;
import com.cloud.offerings.NetworkOfferingVO;
import com.cloud.offerings.dao.NetworkOfferingDao;
import com.cloud.resource.ResourceManager;
import com.cloud.server.ConfigurationServer;
@ -3680,29 +3681,44 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
private void createFirewallRulesCommands(List<? extends FirewallRule> rules, VirtualRouter router, Commands cmds, long guestNetworkId) {
List<FirewallRuleTO> rulesTO = null;
String systemRule = null;
if (rules != null) {
if (rules.size() > 0) {
if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) {
systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
}
}
rulesTO = new ArrayList<FirewallRuleTO>();
for (FirewallRule rule : rules) {
FirewallRule.TrafficType traffictype = rule.getTrafficType();
if(traffictype == FirewallRule.TrafficType.Ingress){
IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(),Purpose.Firewall,traffictype);
rulesTO.add(ruleTO);
}
else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress){
assert (rule.getSourceIpAddressId()==null) : "ipAddressId should be null for egress firewall rule. ";
FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null,"",Purpose.Firewall,traffictype);
rulesTO.add(ruleTO);
IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(),Purpose.Firewall,traffictype);
rulesTO.add(ruleTO);
} else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress){
assert (rule.getSourceIpAddressId()==null) : "ipAddressId should be null for egress firewall rule. ";
FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null,"",Purpose.Firewall, traffictype);
rulesTO.add(ruleTO);
}
}
}
NetworkVO network = _networkDao.findById(guestNetworkId);
NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
Boolean defaultEgressPolicy = offering.getEgressDefaultPolicy();
SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, getRouterControlIp(router.getId()));
cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, getRouterIpInNetwork(guestNetworkId, router.getId()));
cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());
DataCenterVO dcVo = _dcDao.findById(router.getDataCenterId());
cmd.setAccessDetail(NetworkElementCommand.ZONE_NETWORK_TYPE, dcVo.getNetworkType().toString());
if (systemRule != null) {
cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, systemRule);
} else {
cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, String.valueOf(defaultEgressPolicy));
}
cmds.addCommand(cmd);
}

1
server/src/com/cloud/network/rules/FirewallManager.java
View File

@ -85,4 +85,5 @@ public interface FirewallManager extends FirewallService {
*/
void removeRule(FirewallRule rule);
boolean applyDefaultEgressFirewallRule(Long networkId, boolean defaultPolicy) throws ResourceUnavailableException;
}

2
server/src/com/cloud/server/ConfigurationServerImpl.java
View File

@ -1093,7 +1093,7 @@ public class ConfigurationServerImpl extends ManagerBase implements Configuratio
"Offering for Shared networks with Elastic IP and Elastic LB capabilities",
TrafficType.Guest,
false, true, null, null, true, Availability.Optional,
null, Network.GuestType.Shared, true, false, false, false, true, true, true, false, false, true, true, false);
null, Network.GuestType.Shared, true, false, false, false, true, true, true, false, false, true, true, false, false);
defaultNetscalerNetworkOffering.setState(NetworkOffering.State.Enabled);
defaultNetscalerNetworkOffering = _networkOfferingDao.persistDefaultNetworkOffering(defaultNetscalerNetworkOffering);

5
server/test/com/cloud/network/MockFirewallManagerImpl.java
View File

@ -168,6 +168,11 @@ public class MockFirewallManagerImpl extends ManagerBase implements FirewallMana
}
@Override
public boolean applyDefaultEgressFirewallRule(Long networkId, boolean defaultPolicy) throws ResourceUnavailableException {
return false; //To change body of implemented methods use File | Settings | File Templates.
}
@Override
public FirewallRule createFirewallRule(Long ipAddrId, Account caller,
String xId, Integer portStart, Integer portEnd, String protocol,

2
server/test/com/cloud/vpc/MockConfigurationManagerImpl.java
View File

@ -555,7 +555,7 @@ public class MockConfigurationManagerImpl extends ManagerBase implements Configu
@Override
public NetworkOfferingVO createNetworkOffering(String name, String displayText, TrafficType trafficType, String tags, boolean specifyVlan, Availability availability, Integer networkRate,
Map<Service, Set<Provider>> serviceProviderMap, boolean isDefault, GuestType type, boolean systemOnly, Long serviceOfferingId, boolean conserveMode,
Map<Service, Map<Capability, String>> serviceCapabilityMap, boolean specifyIpRanges, boolean isPersistent, Map<NetworkOffering.Detail,String> details) {
Map<Service, Map<Capability, String>> serviceCapabilityMap, boolean specifyIpRanges, boolean isPersistent, Map<NetworkOffering.Detail,String> details, boolean egressDefaultPolicy) {
// TODO Auto-generated method stub
return null;
}

20
server/test/org/apache/cloudstack/networkoffering/CreateNetworkOfferingTest.java
View File

@ -94,7 +94,7 @@ public class CreateNetworkOfferingTest extends TestCase{
public void createSharedNtwkOffWithVlan() {
NetworkOfferingVO off = configMgr.createNetworkOffering("shared", "shared", TrafficType.Guest, null, true,
Availability.Optional, 200, null, false, Network.GuestType.Shared, false,
null, false, null, true, false, null);
null, false, null, true, false, null, false);
assertNotNull("Shared network offering with specifyVlan=true failed to create ", off);
}
@ -103,7 +103,7 @@ public class CreateNetworkOfferingTest extends TestCase{
try {
NetworkOfferingVO off = configMgr.createNetworkOffering("shared", "shared", TrafficType.Guest, null, false,
Availability.Optional, 200, null, false, Network.GuestType.Shared, false,
null, false, null, true, false, null);
null, false, null, true, false, null, false);
assertNull("Shared network offering with specifyVlan=false was created", off);
} catch (InvalidParameterValueException ex) {
}
@ -113,7 +113,7 @@ public class CreateNetworkOfferingTest extends TestCase{
public void createSharedNtwkOffWithSpecifyIpRanges() {
NetworkOfferingVO off = configMgr.createNetworkOffering("shared", "shared", TrafficType.Guest, null, true,
Availability.Optional, 200, null, false, Network.GuestType.Shared, false,
null, false, null, true, false, null);
null, false, null, true, false, null, false);
assertNotNull("Shared network offering with specifyIpRanges=true failed to create ", off);
}
@ -123,7 +123,7 @@ public class CreateNetworkOfferingTest extends TestCase{
try {
NetworkOfferingVO off = configMgr.createNetworkOffering("shared", "shared", TrafficType.Guest, null, true,
Availability.Optional, 200, null, false, Network.GuestType.Shared, false,
null, false, null, false, false, null);
null, false, null, false, false, null, false);
assertNull("Shared network offering with specifyIpRanges=false was created", off);
} catch (InvalidParameterValueException ex) {
}
@ -138,7 +138,7 @@ public class CreateNetworkOfferingTest extends TestCase{
serviceProviderMap.put(Network.Service.SourceNat, vrProvider);
NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, null, false,
Availability.Optional, 200, serviceProviderMap, false, Network.GuestType.Isolated, false,
null, false, null, false, false, null);
null, false, null, false, false, null, false);
assertNotNull("Isolated network offering with specifyIpRanges=false failed to create ", off);
}
@ -151,7 +151,7 @@ public class CreateNetworkOfferingTest extends TestCase{
serviceProviderMap.put(Network.Service.SourceNat, vrProvider);
NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, null, true,
Availability.Optional, 200, serviceProviderMap, false, Network.GuestType.Isolated, false,
null, false, null, false, false, null);
null, false, null, false, false, null, false);
assertNotNull("Isolated network offering with specifyVlan=true wasn't created", off);
}
@ -165,7 +165,7 @@ public class CreateNetworkOfferingTest extends TestCase{
serviceProviderMap.put(Network.Service.SourceNat, vrProvider);
NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, null, false,
Availability.Optional, 200, serviceProviderMap, false, Network.GuestType.Isolated, false,
null, false, null, true, false, null);
null, false, null, true, false, null, false);
assertNull("Isolated network offering with specifyIpRanges=true and source nat service enabled, was created", off);
} catch (InvalidParameterValueException ex) {
}
@ -178,7 +178,7 @@ public class CreateNetworkOfferingTest extends TestCase{
Set<Network.Provider> vrProvider = new HashSet<Network.Provider>();
NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, null, false,
Availability.Optional, 200, serviceProviderMap, false, Network.GuestType.Isolated, false,
null, false, null, true, false, null);
null, false, null, true, false, null, false);
assertNotNull("Isolated network offering with specifyIpRanges=true and with no sourceNatService, failed to create", off);
}
@ -196,7 +196,7 @@ public class CreateNetworkOfferingTest extends TestCase{
serviceProviderMap.put(Network.Service.Lb , vrProvider);
NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, null, true,
Availability.Optional, 200, serviceProviderMap, false, Network.GuestType.Isolated, false,
null, false, null, false, false, null);
null, false, null, false, false, null, false);
// System.out.println("Creating Vpc Network Offering");
assertNotNull("Vpc Isolated network offering with Vpc provider ", off);
}
@ -216,7 +216,7 @@ public class CreateNetworkOfferingTest extends TestCase{
serviceProviderMap.put(Network.Service.Lb, lbProvider);
NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, null, true,
Availability.Optional, 200, serviceProviderMap, false, Network.GuestType.Isolated, false, null, false,
null, false, false, null);
null, false, false, null, false);
// System.out.println("Creating Vpc Network Offering");
assertNotNull("Vpc Isolated network offering with Vpc and Netscaler provider ", off);
}

1
setup/db/db/schema-410to420.sql
View File

@ -2147,3 +2147,4 @@ ALTER TABLE `cloud`.`baremetal_pxe_devices` ADD CONSTRAINT `fk_external_pxe_devi
ALTER TABLE `cloud`.`baremetal_pxe_devices` ADD CONSTRAINT `fk_external_pxe_devices_host_id` FOREIGN KEY (`host_id`) REFERENCES `host`(`id`) ON DELETE CASCADE;
ALTER TABLE `cloud`.`baremetal_pxe_devices` ADD CONSTRAINT `fk_external_pxe_devices_physical_network_id` FOREIGN KEY (`physical_network_id`) REFERENCES `physical_network`(`id`) ON DELETE CASCADE;
alter table `cloud`.`network_offerings` add column egress_default_policy boolean default false;