Rewrite networkacl model to have separate entries for each rule

This commit is contained in:
Hugo Trippaers 2014-07-30 14:13:24 +02:00 committed by wilderrodrigues
parent 9355dd7133
commit 7b8050c056
8 changed files with 348 additions and 11 deletions


@ -20,6 +20,7 @@
package com.cloud.agent.resource.virtualnetwork;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
@ -60,10 +61,16 @@ import com.cloud.agent.api.to.IpAddressTO;
import com.cloud.agent.api.to.NicTO;
import com.cloud.agent.api.to.PortForwardingRuleTO;
import com.cloud.agent.api.to.StaticNatRuleTO;
import com.cloud.agent.resource.virtualnetwork.model.AclRule;
import com.cloud.agent.resource.virtualnetwork.model.AllAclRule;
import com.cloud.agent.resource.virtualnetwork.model.GuestNetwork;
import com.cloud.agent.resource.virtualnetwork.model.IcmpAclRule;
import com.cloud.agent.resource.virtualnetwork.model.IpAddress;
import com.cloud.agent.resource.virtualnetwork.model.IpAssociation;
import com.cloud.agent.resource.virtualnetwork.model.NetworkACL;
import com.cloud.agent.resource.virtualnetwork.model.ProtocolAclRule;
import com.cloud.agent.resource.virtualnetwork.model.TcpAclRule;
import com.cloud.agent.resource.virtualnetwork.model.UdpAclRule;
import com.cloud.network.HAProxyConfigurator;
import com.cloud.network.LoadBalancerConfigurator;
import com.cloud.network.rules.FirewallRule;
@ -558,20 +565,45 @@ public class ConfigHelper {
String netmask = Long.toString(NetUtils.getCidrSize(nic.getNetmask()));
StringBuilder sb = new StringBuilder();
List<AclRule> ingressRules = new ArrayList<AclRule>();
List<AclRule> egressRules = new ArrayList<AclRule>();
for (int i = 0; i < aclRules.length; i++) {
sb.append(aclRules[i]).append(',');
AclRule aclRule;
String[] ruleParts = aclRules[i].split(":");
switch (ruleParts[1].toLowerCase()) {
case "icmp":
aclRule = new IcmpAclRule(ruleParts[4], "ACCEPT".equals(ruleParts[5]), Integer.parseInt(ruleParts[2]), Integer.parseInt(ruleParts[3]));
break;
case "tcp":
aclRule = new TcpAclRule(ruleParts[4], "ACCEPT".equals(ruleParts[5]), Integer.parseInt(ruleParts[2]), Integer.parseInt(ruleParts[3]));
break;
case "udp":
aclRule = new UdpAclRule(ruleParts[4], "ACCEPT".equals(ruleParts[5]), Integer.parseInt(ruleParts[2]), Integer.parseInt(ruleParts[3]));
break;
case "all":
aclRule = new AllAclRule(ruleParts[4], "ACCEPT".equals(ruleParts[5]));
break;
default:
aclRule = new ProtocolAclRule(ruleParts[4], "ACCEPT".equals(ruleParts[5]), Integer.parseInt(ruleParts[1]));
}
if ("Ingress".equals(ruleParts[0])) {
ingressRules.add(aclRule);
} else {
egressRules.add(aclRule);
}
}
String rule = sb.toString();
sb.toString();
NetworkACL networkACL = new NetworkACL(dev, nic.getMac(), privateGw != null, nic.getIp(), netmask, rule);
NetworkACL networkACL = new NetworkACL(dev, nic.getMac(), privateGw != null, nic.getIp(), netmask, ingressRules.toArray(new AclRule[ingressRules.size()]),
egressRules.toArray(new AclRule[egressRules.size()]));
ConfigItem networkAclFile = new FileConfigItem(VRScripts.CONFIG_PERSIST_LOCATION, VRScripts.NETWORK_ACL_CONFIG, gson.toJson(networkACL));
cfg.add(networkAclFile);
ConfigItem updateNetworkACL = new ScriptConfigItem(VRScripts.UPDATE_CONFIG, VRScripts.NETWORK_ACL_CONFIG);
cfg.add(updateNetworkACL);
return cfg;
}
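Review bot: The new parsing loop indexes `ruleParts[0]` through `ruleParts[5]` with no length check, so a truncated or malformed entry in `aclRules` fails with an ArrayIndexOutOfBoundsException (or a NumberFormatException from `Integer.parseInt`) that says nothing about which rule was bad; a guard such as `if (ruleParts.length < 6) { throw new IllegalArgumentException("Malformed ACL rule entry: " + aclRules[i]); }` right after the `split(":")` keeps the fail-closed behaviour but makes the cause visible in the log. The protocol match should use `switch (ruleParts[1].toLowerCase(Locale.ROOT))` — with the default locale an upper-case "ICMP" can fail to match and drop into the numeric `default` branch (this needs `import java.util.Locale;` in the first hunk). The `StringBuilder sb` is now dead: it is filled in the loop and `sb.toString()` is evaluated and discarded, so those three lines can go. The enclosing method begins outside this hunk.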


@ -0,0 +1,60 @@
//
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
//
package com.cloud.agent.resource.virtualnetwork.model;
public abstract class AclRule {
private String cidr;
private boolean allowed;
public String getCidr() {
return cidr;
}
public void setCidr(String cidr) {
this.cidr = cidr;
}
public boolean isAllowed() {
return allowed;
}
public void setAllowed(boolean allowed) {
this.allowed = allowed;
}
protected AclRule() {
// Empty constructor for (de)serialization
}
protected AclRule(String cidr, boolean allowed) {
this.cidr = cidr;
this.allowed = allowed;
}
}
/*
{"device":"eth2","mac_address":"02:00:56:36:00:02","private_gateway_acl":false,"nic_ip":"172.16.1.1","nic_netmask":"24",
"rule":"Ingress:41:0:0:192.168.5.0/24:DROP:,"
+ "Ingress:all:0:0:192.168.4.0/24:ACCEPT:,"
+ "Ingress:icmp:8:-1:192.168.3.0/24:ACCEPT:,"
+ "Ingress:udp:8080:8081:192.168.2.0/24:ACCEPT:,"
+ "Ingress:tcp:22:22:192.168.1.0/24:ACCEPT:,","type":"networkacl"}
*/
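Review bot: The block comment at the end of the file shows the JSON of the old single-string `"rule"` field that this very commit removes, so it documents a shape the VR will no longer receive; replace it with a sample of the new `ingressRules`/`egressRules` layout or drop it. The base class also carries no type discriminator — every subclass declares its own `type` string (and IcmpAclRule calls it `ruleType`), so the serialized key is not guaranteed to be consistent across rule kinds; lifting a `protected AclRule(String type, String cidr, boolean allowed)` constructor into the base would pin the key in one place. Since `cidr` ends up verbatim in the firewall config consumed on the router, it is worth documenting on the constructor that callers are expected to pass a validated CIDR (the NetUtils CIDR check already used elsewhere in the agent, if it fits here), or rejecting obviously invalid input.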


@ -0,0 +1,33 @@
//
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
//
package com.cloud.agent.resource.virtualnetwork.model;
public class AllAclRule extends AclRule {
private final String type = "all";
public AllAclRule() {
// Empty constructor for (de)serialization
}
public AllAclRule(String cidr, boolean allowed) {
super(cidr, allowed);
}
}


@ -0,0 +1,53 @@
//
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
//
package com.cloud.agent.resource.virtualnetwork.model;
public class IcmpAclRule extends AclRule {
private final String ruleType = "icmp";
private int icmpType;
private int icmpCode;
public IcmpAclRule() {
// Empty constructor for (de)serialization
}
public IcmpAclRule(String cidr, boolean allowed, int icmpType, int icmpCode) {
super(cidr, allowed);
this.icmpType = icmpType;
this.icmpCode = icmpCode;
}
public int getIcmpType() {
return icmpType;
}
public void setIcmpType(int icmpType) {
this.icmpType = icmpType;
}
public int getIcmpCode() {
return icmpCode;
}
public void setIcmpCode(int icmpCode) {
this.icmpCode = icmpCode;
}
}
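Review bot: The discriminator field here is named `ruleType`, whereas AllAclRule, ProtocolAclRule, TcpAclRule and UdpAclRule all name it `type`, so the JSON for ICMP rules carries a different key than every other rule kind and a consumer switching on `type` will not recognise it; rename it to `private final String type = "icmp";`. The sample entry in the AclRule file uses `icmp:8:-1`, which suggests -1 is a wildcard for code; a short comment on `icmpCode` and `icmpType` stating the accepted range and the wildcard value would save the next reader a trip to the VR script.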


@ -25,20 +25,22 @@ public class NetworkACL extends ConfigBase {
private boolean privateGatewayAcl;
private String nicIp;
private String nicNetmask;
private String rule;
private AclRule[] ingressRules;
private AclRule[] egressRules;
public NetworkACL() {
setType("networkacl");
}
public NetworkACL(String device, String macAddress, boolean privateGatewayAcl, String nicIp, String nicNetmask, String rule) {
public NetworkACL(String device, String macAddress, boolean privateGatewayAcl, String nicIp, String nicNetmask, AclRule[] ingressRules, AclRule[] egressRules) {
setType("networkacl");
this.device = device;
this.macAddress = macAddress;
this.privateGatewayAcl = privateGatewayAcl;
this.nicIp = nicIp;
this.nicNetmask = nicNetmask;
this.rule = rule; //FIXME Split this in o
this.ingressRules = ingressRules;
this.egressRules = egressRules;
}
public String getDevice() {
@ -81,12 +83,20 @@ public class NetworkACL extends ConfigBase {
this.nicNetmask = nicNetmask;
}
public String getRule() {
return rule;
public AclRule[] getIngressRules() {
return ingressRules;
}
public void setRule(String rule) {
this.rule = rule;
public void setIngressRules(AclRule[] ingressRules) {
this.ingressRules = ingressRules;
}
public AclRule[] getEgressRules() {
return egressRules;
}
public void setEgressRules(AclRule[] egressRules) {
this.egressRules = egressRules;
}
}
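Review bot: The constructor stores the caller's `ingressRules`/`egressRules` arrays as-is and the new getters hand the internal arrays straight back, so any caller can alter the ACL after the object is built; `this.ingressRules = Arrays.copyOf(ingressRules, ingressRules.length);` in the constructor and the same in the getters keeps the object self-contained (needs `import java.util.Arrays;`). Both fields are also null after the no-arg constructor until deserialization fills them, so the getters should either document that or default to an empty array.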


@ -0,0 +1,43 @@
//
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
//
package com.cloud.agent.resource.virtualnetwork.model;
public class ProtocolAclRule extends AclRule {
private final String type = "protocol";
private int protocol;
public ProtocolAclRule() {
// Empty constructor for (de)serialization
}
public ProtocolAclRule(String cidr, boolean allowed, int protocol) {
super(cidr, allowed);
this.protocol = protocol;
}
public int getProtocol() {
return protocol;
}
public void setProtocol(int protocol) {
this.protocol = protocol;
}
}
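Review bot: `protocol` is accepted as any `int`, but IP protocol numbers are 0–255 and the value is, as far as this commit shows, written into the firewall config without further checks; a range check in the constructor and setter, e.g. `if (protocol < 0 || protocol > 255) throw new IllegalArgumentException("Invalid protocol number: " + protocol);`, rejects bad input before it reaches the router.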


@ -0,0 +1,53 @@
//
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
//
package com.cloud.agent.resource.virtualnetwork.model;
public class TcpAclRule extends AclRule {
private final String type = "tcp";
private int firstPort;
private int lastPort;
public TcpAclRule() {
// Empty contructor for (de)serialization
}
public TcpAclRule(String cidr, boolean allowed, int firstPort, int lastPort) {
super(cidr, allowed);
this.firstPort = firstPort;
this.lastPort = lastPort;
}
public int getFirstPort() {
return firstPort;
}
public void setFirstPort(int firstPort) {
this.firstPort = firstPort;
}
public int getLastPort() {
return lastPort;
}
public void setLastPort(int lastPort) {
this.lastPort = lastPort;
}
}
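Review bot: Neither the constructor nor the setters check that `firstPort` and `lastPort` lie in 0–65535 or that `firstPort <= lastPort`, so an inverted or out-of-range port pair is serialized unchanged; a check such as `if (firstPort < 0 || lastPort > 65535 || firstPort > lastPort) throw new IllegalArgumentException("Invalid port range: " + firstPort + "-" + lastPort);` in the constructor would catch it at build time. UdpAclRule has the same shape and the same gap. The no-arg constructor comment misspells "constructor" here and in UdpAclRule.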


@ -0,0 +1,53 @@
//
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
//
package com.cloud.agent.resource.virtualnetwork.model;
public class UdpAclRule extends AclRule {
private final String type = "ucp";
private int firstPort;
private int lastPort;
public UdpAclRule() {
// Empty contructor for (de)serialization
}
public UdpAclRule(String cidr, boolean allowed, int firstPort, int lastPort) {
super(cidr, allowed);
this.firstPort = firstPort;
this.lastPort = lastPort;
}
public int getFirstPort() {
return firstPort;
}
public void setFirstPort(int firstPort) {
this.firstPort = firstPort;
}
public int getLastPort() {
return lastPort;
}
public void setLastPort(int lastPort) {
this.lastPort = lastPort;
}
}
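Review bot: The discriminator is set to `"ucp"`, which is a typo for `"udp"`; as the value is what the consumer of the JSON uses to tell UDP rules apart from TCP ones, every UDP ACL entry would be emitted under an unknown type. Change it to `private final String type = "udp";`.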