etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

merge with master

This commit is contained in:
Nitin Mehta 2013-05-13 16:36:41 +05:30
parent 941a9a5fb7 78ffb7ae5e
commit 8d53b1ef05
70 changed files with 3710 additions and 854 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
api/src/com/cloud/agent/api/to/NetworkACLTO.java
View File

@ -20,10 +20,10 @@ package com.cloud.agent.api.to;
import java.util.ArrayList;
import java.util.List;
import com.cloud.network.vpc.NetworkACLItem;
import com.cloud.network.vpc.NetworkACLItem.TrafficType;
import org.apache.cloudstack.api.InternalIdentity;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.FirewallRule.TrafficType;
import com.cloud.utils.net.NetUtils;
@ -37,15 +37,16 @@ public class NetworkACLTO implements InternalIdentity {
private List<String> cidrList;
private Integer icmpType;
private Integer icmpCode;
private FirewallRule.TrafficType trafficType;
private TrafficType trafficType;
String action;
int number;
protected NetworkACLTO() {
}
public NetworkACLTO(long id,String vlanTag, String protocol, Integer portStart, Integer portEnd, boolean revoked,
boolean alreadyAdded, List<String> cidrList, Integer icmpType,Integer icmpCode,TrafficType trafficType) {
boolean alreadyAdded, List<String> cidrList, Integer icmpType,Integer icmpCode,TrafficType trafficType, boolean allow, int number) {
this.vlanTag = vlanTag;
this.protocol = protocol;
@ -70,12 +71,20 @@ public class NetworkACLTO implements InternalIdentity {
this.icmpType = icmpType;
this.icmpCode = icmpCode;
this.trafficType = trafficType;
if(!allow){
this.action = "DROP";
} else {
this.action = "ACCEPT";
}
this.number = number;
}
public NetworkACLTO(FirewallRule rule, String vlanTag, FirewallRule.TrafficType trafficType ) {
public NetworkACLTO(NetworkACLItem rule, String vlanTag, NetworkACLItem.TrafficType trafficType ) {
this(rule.getId(), vlanTag, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(),
rule.getState() == FirewallRule.State.Revoke, rule.getState() == FirewallRule.State.Active,
rule.getSourceCidrList() ,rule.getIcmpType(), rule.getIcmpCode(),trafficType);
rule.getState() == NetworkACLItem.State.Revoke, rule.getState() == NetworkACLItem.State.Active,
rule.getSourceCidrList() ,rule.getIcmpType(), rule.getIcmpCode(),trafficType, rule.getAction() == NetworkACLItem.Action.Allow, rule.getNumber());
}
public long getId() {
@ -83,7 +92,7 @@ public class NetworkACLTO implements InternalIdentity {
}
public String getSrcVlanTag() {
return vlanTag;
return vlanTag;
}
public String getProtocol() {
@ -95,18 +104,18 @@ public class NetworkACLTO implements InternalIdentity {
}
public Integer getIcmpType(){
return icmpType;
return icmpType;
}
public Integer getIcmpCode(){
return icmpCode;
return icmpCode;
}
public String getStringPortRange() {
if (portRange == null || portRange.length < 2)
return "0:0";
else
return NetUtils.portRangeToString(portRange);
if (portRange == null || portRange.length < 2)
return "0:0";
else
return NetUtils.portRangeToString(portRange);
}
public boolean revoked() {
@ -121,7 +130,15 @@ public class NetworkACLTO implements InternalIdentity {
return alreadyAdded;
}
public FirewallRule.TrafficType getTrafficType() {
public TrafficType getTrafficType() {
return trafficType;
}
public String getAction() {
return action;
}
public int getNumber(){
return number;
}
}

8
api/src/com/cloud/event/EventTypes.java
View File

@ -351,6 +351,14 @@ public class EventTypes {
public static final String EVENT_VPC_DELETE = "VPC.DELETE";
public static final String EVENT_VPC_RESTART = "VPC.RESTART";
// Network ACL
public static final String EVENT_NETWORK_ACL_CREATE = "NETWORK.ACL.CREATE";
public static final String EVENT_NETWORK_ACL_DELETE = "NETWORK.ACL.DELETE";
public static final String EVENT_NETWORK_ACL_REPLACE = "NETWORK.ACL.REPLACE";
public static final String EVENT_NETWORK_ACL_ITEM_CREATE = "NETWORK.ACL.ITEM.CREATE";
public static final String EVENT_NETWORK_ACL_ITEM_UPDATE = "NETWORK.ACL.ITEM.UPDATE";
public static final String EVENT_NETWORK_ACL_ITEM_DELETE = "NETWORK.ACL.ITEM.DELETE";
// VPC offerings
public static final String EVENT_VPC_OFFERING_CREATE = "VPC.OFFERING.CREATE";
public static final String EVENT_VPC_OFFERING_UPDATE = "VPC.OFFERING.UPDATE";

3
api/src/com/cloud/network/Network.java
View File

@ -329,4 +329,7 @@ public interface Network extends ControlledEntity, StateObject<Network.State>, I
*/
Long getVpcId();
Long getNetworkACLId();
void setNetworkACLId(Long networkACLId);
}

12
api/src/com/cloud/network/NetworkProfile.java
View File

@ -53,6 +53,7 @@ public class NetworkProfile implements Network {
private boolean specifyIpRanges;
private Long vpcId;
private boolean displayNetwork;
private Long networkAclId;
public NetworkProfile(Network network) {
this.id = network.getId();
@ -83,6 +84,7 @@ public class NetworkProfile implements Network {
this.specifyIpRanges = network.getSpecifyIpRanges();
this.vpcId = network.getVpcId();
this.displayNetwork = network.getDisplayNetwork();
this.networkAclId = network.getNetworkACLId();
}
public String getDns1() {
@ -243,6 +245,16 @@ public class NetworkProfile implements Network {
return vpcId;
}
@Override
public Long getNetworkACLId() {
return networkAclId;
}
@Override
public void setNetworkACLId(Long networkACLId) {
this.networkAclId = networkACLId;
}
@Override
public void setTrafficType(TrafficType type) {
this.trafficType = type;

3
api/src/com/cloud/network/element/NetworkACLServiceProvider.java
View File

@ -21,6 +21,7 @@ import java.util.List;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.Network;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.vpc.NetworkACLItem;
public interface NetworkACLServiceProvider extends NetworkElement{
@ -30,6 +31,6 @@ public interface NetworkACLServiceProvider extends NetworkElement{
* @return
* @throws ResourceUnavailableException
*/
boolean applyNetworkACLs(Network config, List<? extends FirewallRule> rules) throws ResourceUnavailableException;
boolean applyNetworkACLs(Network config, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException;
}

51
api/src/com/cloud/network/firewall/NetworkACLService.java
View File

@ -1,51 +0,0 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.firewall;
import java.util.List;
import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
import com.cloud.exception.NetworkRuleConflictException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.rules.FirewallRule;
import com.cloud.user.Account;
import com.cloud.utils.Pair;
public interface NetworkACLService {
FirewallRule getNetworkACL(long ruleId);
boolean applyNetworkACLs(long networkId, Account caller) throws ResourceUnavailableException;
/**
* @param createNetworkACLCmd
* @return
*/
FirewallRule createNetworkACL(FirewallRule acl) throws NetworkRuleConflictException;
/**
* @param ruleId
* @param apply
* @return
*/
boolean revokeNetworkACL(long ruleId, boolean apply);
/**
* @param listNetworkACLsCmd
* @return
*/
Pair<List<? extends FirewallRule>, Integer> listNetworkACLs(ListNetworkACLsCmd cmd);
}

36
api/src/com/cloud/network/vpc/NetworkACL.java Normal file
View File

@ -0,0 +1,36 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.vpc;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.api.InternalIdentity;
public interface NetworkACL extends InternalIdentity{
public static final long DEFAULT_DENY = 1;
public static final long DEFAULT_ALLOW = 2;
String getDescription();
String getUuid();
Long getVpcId();
long getId();
String getName();
}

80
api/src/com/cloud/network/vpc/NetworkACLItem.java Normal file
View File

@ -0,0 +1,80 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.vpc;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.api.Identity;
import org.apache.cloudstack.api.InternalIdentity;
import java.util.List;
public interface NetworkACLItem extends InternalIdentity {
String getUuid();
Action getAction();
int getNumber();
enum State {
Staged, // Rule been created but has never got through network rule conflict detection. Rules in this state can not be sent to network elements.
Add, // Add means the rule has been created and has gone through network rule conflict detection.
Active, // Rule has been sent to the network elements and reported to be active.
Revoke // Revoke means this rule has been revoked. If this rule has been sent to the network elements, the rule will be deleted from database.
}
enum TrafficType {
Ingress,
Egress
}
enum Action {
Allow,
Deny
}
/**
* @return first port of the source port range.
*/
Integer getSourcePortStart();
/**
* @return last port of the source prot range. If this is null, that means only one port is mapped.
*/
Integer getSourcePortEnd();
/**
* @return protocol to open these ports for.
*/
String getProtocol();
State getState();
long getAclId();
Integer getIcmpCode();
Integer getIcmpType();
List<String> getSourceCidrList();
/**
* @return
*/
TrafficType getTrafficType();
}

125
api/src/com/cloud/network/vpc/NetworkACLService.java Normal file
View File

@ -0,0 +1,125 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.vpc;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.utils.Pair;
import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
import java.util.List;
public interface NetworkACLService {
/**
* Creates Network ACL for the specified VPC
* @param name
* @param description
* @param vpcId
* @return
*/
NetworkACL createNetworkACL(String name, String description, long vpcId);
/**
* Get Network ACL with specified Id
* @param id
* @return
*/
NetworkACL getNetworkACL(long id);
/**
* List NetworkACLs by Id/Name/Network or Vpc it belongs to
* @param id
* @param name
* @param networkId
* @param vpcId
* @return
*/
Pair<List<? extends NetworkACL>,Integer> listNetworkACLs(Long id, String name, Long networkId, Long vpcId);
/**
* Delete specified network ACL. Deletion fails if the list is not empty
* @param id
* @return
*/
boolean deleteNetworkACL(long id);
/**
* Associates ACL with specified Network
* @param aclId
* @param networkId
* @return
* @throws ResourceUnavailableException
*/
boolean replaceNetworkACL(long aclId, long networkId) throws ResourceUnavailableException;
/**
* Applied ACL to associated networks
* @param aclId
* @return
* @throws ResourceUnavailableException
*/
boolean applyNetworkACL(long aclId) throws ResourceUnavailableException;
/**
* Creates a Network ACL Item within an ACL and applies the ACL to associated networks
* @param createNetworkACLCmd
* @return
*/
NetworkACLItem createNetworkACLItem(CreateNetworkACLCmd aclItemCmd);
/**
* Return ACL item with specified Id
* @param ruleId
* @return
*/
NetworkACLItem getNetworkACLItem(long ruleId);
/**
* Lists Network ACL Items by Id, Network, ACLId, Traffic Type, protocol
* @param listNetworkACLsCmd
* @return
*/
Pair<List<? extends NetworkACLItem>, Integer> listNetworkACLItems(ListNetworkACLsCmd cmd);
/**
* Revoked ACL Item with specified Id
* @param ruleId
* @param apply
* @return
*/
boolean revokeNetworkACLItem(long ruleId);
/**
* Updates existing aclItem applies to associated networks
* @param id
* @param protocol
* @param sourceCidrList
* @param trafficType
* @param action
* @param number
* @param sourcePortStart
* @param sourcePortEnd
* @param icmpCode
* @param icmpType
* @return
* @throws ResourceUnavailableException
*/
NetworkACLItem updateNetworkACLItem(Long id, String protocol, List<String> sourceCidrList, NetworkACLItem.TrafficType trafficType,
String action, Integer number, Integer sourcePortStart, Integer sourcePortEnd,
Integer icmpCode, Integer icmpType) throws ResourceUnavailableException;
}

2
api/src/org/apache/cloudstack/api/ApiConstants.java
View File

@ -495,6 +495,8 @@ public class ApiConstants {
public static final String AFFINITY_GROUP_NAMES = "affinitygroupnames";
public static final String ASA_INSIDE_PORT_PROFILE = "insideportprofile";
public static final String AFFINITY_GROUP_ID = "affinitygroupid";
public static final String ACL_ID = "aclid";
public static final String NUMBER = "number";
public enum HostDetails {
all, capacity, events, stats, min;

2
api/src/org/apache/cloudstack/api/BaseCmd.java
View File

@ -53,7 +53,7 @@ import com.cloud.network.StorageNetworkService;
import com.cloud.network.VpcVirtualNetworkApplianceService;
import com.cloud.network.as.AutoScaleService;
import com.cloud.network.firewall.FirewallService;
import com.cloud.network.firewall.NetworkACLService;
import com.cloud.network.vpc.NetworkACLService;
import com.cloud.network.lb.LoadBalancingRulesService;
import com.cloud.network.rules.RulesService;
import com.cloud.network.security.SecurityGroupService;

20
api/src/org/apache/cloudstack/api/ResponseGenerator.java
View File

@ -21,8 +21,15 @@ import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import com.cloud.vm.NicSecondaryIp;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.AffinityGroupResponse;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.network.vpc.NetworkACLItem;
import com.cloud.network.vpc.PrivateGateway;
import com.cloud.network.vpc.StaticRoute;
import com.cloud.network.vpc.Vpc;
import com.cloud.network.vpc.VpcOffering;
import org.apache.cloudstack.api.ApiConstants.HostDetails;
import org.apache.cloudstack.api.ApiConstants.VMDetails;
import org.apache.cloudstack.api.command.user.job.QueryAsyncJobResultCmd;
@ -109,6 +116,7 @@ import org.apache.cloudstack.api.response.VpcOfferingResponse;
import org.apache.cloudstack.api.response.VpcResponse;
import org.apache.cloudstack.api.response.VpnUsersResponse;
import org.apache.cloudstack.api.response.ZoneResponse;
import org.apache.cloudstack.api.response.*;
import org.apache.cloudstack.network.lb.ApplicationLoadBalancerRule;
import org.apache.cloudstack.region.Region;
import org.apache.cloudstack.usage.Usage;
@ -154,10 +162,6 @@ import com.cloud.network.rules.StaticNatRule;
import com.cloud.network.rules.StickinessPolicy;
import com.cloud.network.security.SecurityGroup;
import com.cloud.network.security.SecurityRule;
import com.cloud.network.vpc.PrivateGateway;
import com.cloud.network.vpc.StaticRoute;
import com.cloud.network.vpc.Vpc;
import com.cloud.network.vpc.VpcOffering;
import com.cloud.offering.DiskOffering;
import com.cloud.offering.NetworkOffering;
import com.cloud.offering.ServiceOffering;
@ -381,11 +385,17 @@ public interface ResponseGenerator {
*/
VpcResponse createVpcResponse(Vpc vpc);
/**
* @param networkACLItem
* @return
*/
NetworkACLItemResponse createNetworkACLItemResponse(NetworkACLItem networkACLItem);
/**
* @param networkACL
* @return
*/
NetworkACLResponse createNetworkACLResponse(FirewallRule networkACL);
NetworkACLResponse createNetworkACLResponse(NetworkACL networkACL);
/**
* @param result

222
api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
View File

@ -19,6 +19,8 @@ package org.apache.cloudstack.api.command.user.network;
import java.util.ArrayList;
import java.util.List;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.network.vpc.NetworkACLItem;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
@ -26,6 +28,7 @@ import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.NetworkACLItemResponse;
import org.apache.cloudstack.api.response.NetworkACLResponse;
import org.apache.cloudstack.api.response.NetworkResponse;
import org.apache.log4j.Logger;
@ -36,15 +39,14 @@ import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.NetworkRuleConflictException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.Network;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.vpc.Vpc;
import com.cloud.user.Account;
import com.cloud.user.UserContext;
import com.cloud.utils.net.NetUtils;
@APICommand(name = "createNetworkACL", description = "Creates a ACL rule the given network (the network has to belong to VPC)",
responseObject = NetworkACLResponse.class)
public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallRule {
@APICommand(name = "createNetworkACL", description = "Creates a ACL rule in the given network (the network has to belong to VPC)",
responseObject = NetworkACLItemResponse.class)
public class CreateNetworkACLCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateNetworkACLCmd.class.getName());
private static final String s_name = "createnetworkaclresponse";
@ -54,7 +56,7 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
// ///////////////////////////////////////////////////
@Parameter(name = ApiConstants.PROTOCOL, type = CommandType.STRING, required = true, description =
"the protocol for the ACL rule. Valid values are TCP/UDP/ICMP.")
"the protocol for the ACL rule. Valid values are TCP/UDP/ICMP/ALL or valid protocol number")
private String protocol;
@Parameter(name = ApiConstants.START_PORT, type = CommandType.INTEGER, description = "the starting port of ACL")
@ -74,23 +76,27 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
private Integer icmpCode;
@Parameter(name=ApiConstants.NETWORK_ID, type=CommandType.UUID, entityType = NetworkResponse.class,
required=true,
description="The network of the vm the ACL will be created for")
private Long networkId;
@Parameter(name=ApiConstants.ACL_ID, type=CommandType.UUID, entityType = NetworkACLResponse.class,
description="The network of the vm the ACL will be created for")
private Long aclId;
@Parameter(name=ApiConstants.TRAFFIC_TYPE, type=CommandType.STRING, description="the traffic type for the ACL," +
"can be Ingress or Egress, defaulted to Ingress if not specified")
private String trafficType;
@Parameter(name=ApiConstants.NUMBER, type=CommandType.INTEGER, description="The network of the vm the ACL will be created for")
private Integer number;
@Parameter(name=ApiConstants.ACTION, type=CommandType.STRING, description="scl entry action, allow or deny")
private String action;
// ///////////////////////////////////////////////////
// ///////////////// Accessors ///////////////////////
// ///////////////////////////////////////////////////
public Long getIpAddressId() {
return null;
}
@Override
public String getProtocol() {
return protocol.trim();
}
@ -105,26 +111,11 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
}
}
public long getVpcId() {
Network network = _networkService.getNetwork(getNetworkId());
if (network == null) {
throw new InvalidParameterValueException("Invalid networkId is given");
}
Long vpcId = network.getVpcId();
if (vpcId == null) {
throw new InvalidParameterValueException("Can create network ACL only for the network belonging to the VPC");
}
return vpcId;
}
@Override
public FirewallRule.TrafficType getTrafficType() {
public NetworkACLItem.TrafficType getTrafficType() {
if (trafficType == null) {
return FirewallRule.TrafficType.Ingress;
return NetworkACLItem.TrafficType.Ingress;
}
for (FirewallRule.TrafficType type : FirewallRule.TrafficType.values()) {
for (NetworkACLItem.TrafficType type : NetworkACLItem.TrafficType.values()) {
if (type.toString().equalsIgnoreCase(trafficType)) {
return type;
}
@ -141,192 +132,103 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
return s_name;
}
public void setSourceCidrList(List<String> cidrs){
cidrlist = cidrs;
public String getAction() {
return action;
}
@Override
public void execute() throws ResourceUnavailableException {
UserContext callerContext = UserContext.current();
boolean success = false;
FirewallRule rule = _networkACLService.getNetworkACL(getEntityId());
try {
UserContext.current().setEventDetails("Rule Id: " + getEntityId());
success = _networkACLService.applyNetworkACLs(rule.getNetworkId(), callerContext.getCaller());
// State is different after the rule is applied, so get new object here
NetworkACLResponse aclResponse = new NetworkACLResponse();
if (rule != null) {
aclResponse = _responseGenerator.createNetworkACLResponse(rule);
setResponseObject(aclResponse);
}
aclResponse.setResponseName(getCommandName());
} finally {
if (!success || rule == null) {
_networkACLService.revokeNetworkACL(getEntityId(), true);
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create network ACL");
}
}
public Integer getNumber() {
return number;
}
@Override
public long getId() {
throw new UnsupportedOperationException("database id can only provided by VO objects");
}
@Override
public String getXid() {
// FIXME: We should allow for end user to specify Xid.
return null;
}
@Override
public String getUuid() {
// TODO Auto-generated method stub
return null;
}
@Override
public Long getSourceIpAddressId() {
return null;
}
@Override
public Integer getSourcePortStart() {
if (publicStartPort != null) {
return publicStartPort.intValue();
}
return null;
return publicStartPort;
}
@Override
public Integer getSourcePortEnd() {
if (publicEndPort == null) {
if (publicStartPort != null) {
return publicStartPort.intValue();
return publicStartPort;
}
} else {
return publicEndPort.intValue();
return publicEndPort;
}
return null;
}
@Override
public Purpose getPurpose() {
return Purpose.Firewall;
}
@Override
public State getState() {
throw new UnsupportedOperationException("Should never call me to find the state");
}
@Override
public long getNetworkId() {
public Long getNetworkId() {
return networkId;
}
@Override
public long getEntityOwnerId() {
Vpc vpc = _vpcService.getVpc(getVpcId());
if (vpc == null) {
throw new InvalidParameterValueException("Invalid vpcId is given");
}
Account account = _accountService.getAccount(vpc.getAccountId());
return account.getId();
}
@Override
public long getDomainId() {
Vpc vpc = _vpcService.getVpc(getVpcId());
return vpc.getDomainId();
}
@Override
public void create() {
if (getSourceCidrList() != null) {
for (String cidr: getSourceCidrList()){
if (!NetUtils.isValidCIDR(cidr)){
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Source cidrs formatting error " + cidr);
}
}
}
try {
FirewallRule result = _networkACLService.createNetworkACL(this);
setEntityId(result.getId());
setEntityUuid(result.getUuid());
} catch (NetworkRuleConflictException ex) {
s_logger.info("Network rule conflict: " + ex.getMessage());
s_logger.trace("Network Rule Conflict: ", ex);
throw new ServerApiException(ApiErrorCode.NETWORK_RULE_CONFLICT_ERROR, ex.getMessage());
}
Account caller = UserContext.current().getCaller();
return caller.getAccountId();
}
@Override
public String getEventType() {
return EventTypes.EVENT_FIREWALL_OPEN;
return EventTypes.EVENT_NETWORK_ACL_ITEM_CREATE;
}
@Override
public String getEventDescription() {
Network network = _networkService.getNetwork(networkId);
return ("Createing Network ACL for Netowrk: " + network + " for protocol:" + this.getProtocol());
return "Creating Network ACL Item";
}
@Override
public long getAccountId() {
Vpc vpc = _vpcService.getVpc(getVpcId());
return vpc.getAccountId();
}
@Override
public String getSyncObjType() {
return BaseAsyncCmd.networkSyncObject;
}
@Override
public Long getSyncObjId() {
return getNetworkId();
}
@Override
public Integer getIcmpCode() {
if (icmpCode != null) {
return icmpCode;
} else if (protocol.equalsIgnoreCase(NetUtils.ICMP_PROTO)) {
} else if (getProtocol().equalsIgnoreCase(NetUtils.ICMP_PROTO)) {
return -1;
}
return null;
}
@Override
public Integer getIcmpType() {
if (icmpType != null) {
return icmpType;
} else if (protocol.equalsIgnoreCase(NetUtils.ICMP_PROTO)) {
} else if (getProtocol().equalsIgnoreCase(NetUtils.ICMP_PROTO)) {
return -1;
}
return null;
}
@Override
public Long getRelated() {
return null;
public Long getACLId() {
return aclId;
}
@Override
public FirewallRuleType getType() {
return FirewallRuleType.User;
public void create() {
NetworkACLItem result = _networkACLService.createNetworkACLItem(this);
setEntityId(result.getId());
setEntityUuid(result.getUuid());
}
@Override
public AsyncJob.Type getInstanceType() {
return AsyncJob.Type.FirewallRule;
public void execute() throws ResourceUnavailableException {
boolean success = false;
NetworkACLItem rule = _networkACLService.getNetworkACLItem(getEntityId());
try {
UserContext.current().setEventDetails("Rule Id: " + getEntityId());
success = _networkACLService.applyNetworkACL(rule.getAclId());
// State is different after the rule is applied, so get new object here
rule = _networkACLService.getNetworkACLItem(getEntityId());
NetworkACLItemResponse aclResponse = new NetworkACLItemResponse();
if (rule != null) {
aclResponse = _responseGenerator.createNetworkACLItemResponse(rule);
setResponseObject(aclResponse);
}
aclResponse.setResponseName(getCommandName());
} finally {
if (!success || rule == null) {
_networkACLService.revokeNetworkACLItem(getEntityId());
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create network ACL Item");
}
}
}
}

120
api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLListCmd.java Normal file
View File

@ -0,0 +1,120 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.user.network;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.network.vpc.Vpc;
import com.cloud.user.Account;
import com.cloud.user.UserContext;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.NetworkACLResponse;
import org.apache.cloudstack.api.response.VpcResponse;
import org.apache.log4j.Logger;
@APICommand(name = "createNetworkACLList", description = "Creates a Network ACL for the given VPC",
responseObject = NetworkACLResponse.class)
public class CreateNetworkACLListCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateNetworkACLListCmd.class.getName());
private static final String s_name = "createnetworkacllistresponse";
// ///////////////////////////////////////////////////
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "Name of the network ACL List")
private String name;
@Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "Description of the network ACL List")
private String description;
@Parameter(name = ApiConstants.VPC_ID, type = CommandType.UUID, required = true, entityType = VpcResponse.class, description = "Id of the VPC associated with this network ACL List")
private Long vpcId;
// ///////////////////////////////////////////////////
// ///////////////// Accessors ///////////////////////
// ///////////////////////////////////////////////////
public String getName() {
return name;
}
public String getDescription() {
return description;
}
public Long getVpcId() {
return vpcId;
}
// ///////////////////////////////////////////////////
// ///////////// API Implementation///////////////////
// ///////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public void create() {
NetworkACL result = _networkACLService.createNetworkACL(getName(), getDescription(), getVpcId());
setEntityId(result.getId());
setEntityUuid(result.getUuid());
}
@Override
public void execute() throws ResourceUnavailableException {
NetworkACL acl = _networkACLService.getNetworkACL(getEntityId());
if(acl != null){
NetworkACLResponse aclResponse = _responseGenerator.createNetworkACLResponse(acl);
setResponseObject(aclResponse);
aclResponse.setResponseName(getCommandName());
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create network ACL");
}
}
@Override
public long getEntityOwnerId() {
Vpc vpc = _vpcService.getVpc(getVpcId());
if (vpc == null) {
throw new InvalidParameterValueException("Invalid vpcId is given");
}
Account account = _accountService.getAccount(vpc.getAccountId());
return account.getId();
}
@Override
public String getEventType() {
return EventTypes.EVENT_NETWORK_ACL_CREATE;
}
@Override
public String getEventDescription() {
return "Creating Network ACL with id: "+getEntityUuid();
}
}

15
api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java
View File

@ -22,13 +22,7 @@ import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.DomainResponse;
import org.apache.cloudstack.api.response.NetworkOfferingResponse;
import org.apache.cloudstack.api.response.NetworkResponse;
import org.apache.cloudstack.api.response.PhysicalNetworkResponse;
import org.apache.cloudstack.api.response.ProjectResponse;
import org.apache.cloudstack.api.response.VpcResponse;
import org.apache.cloudstack.api.response.ZoneResponse;
import org.apache.cloudstack.api.response.*;
import org.apache.log4j.Logger;
import com.cloud.exception.ConcurrentOperationException;
@ -129,6 +123,9 @@ public class CreateNetworkCmd extends BaseCmd {
@Parameter(name=ApiConstants.DISPLAY_NETWORK, type=CommandType.BOOLEAN, description="an optional field, whether to the display the network to the end user or not.")
private Boolean displayNetwork;
@Parameter(name=ApiConstants.ACL_ID, type=CommandType.UUID, entityType = NetworkACLResponse.class,
description="Network ACL Id associated for the network")
private Long aclId;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
@ -254,6 +251,10 @@ public class CreateNetworkCmd extends BaseCmd {
return ip6Cidr.toLowerCase();
}
public Long getAclId() {
return aclId;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////

43
api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLCmd.java
View File

@ -16,6 +16,8 @@
// under the License.
package org.apache.cloudstack.api.command.user.network;
import com.cloud.network.vpc.NetworkACLItem;
import com.cloud.user.Account;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
@ -24,6 +26,7 @@ import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.FirewallRuleResponse;
import org.apache.cloudstack.api.response.NetworkACLItemResponse;
import org.apache.cloudstack.api.response.SuccessResponse;
import org.apache.log4j.Logger;
@ -43,14 +46,10 @@ public class DeleteNetworkACLCmd extends BaseAsyncCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = FirewallRuleResponse.class,
@Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = NetworkACLItemResponse.class,
required=true, description="the ID of the network ACL")
private Long id;
// unexposed parameter needed for events logging
@Parameter(name=ApiConstants.ACCOUNT_ID, type=CommandType.UUID, entityType = AccountResponse.class,
expose=false)
private Long ownerId;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
@ -69,7 +68,7 @@ public class DeleteNetworkACLCmd extends BaseAsyncCmd {
@Override
public String getEventType() {
return EventTypes.EVENT_FIREWALL_CLOSE;
return EventTypes.EVENT_NETWORK_ACL_ITEM_DELETE;
}
@Override
@ -79,44 +78,22 @@ public class DeleteNetworkACLCmd extends BaseAsyncCmd {
@Override
public long getEntityOwnerId() {
if (ownerId == null) {
FirewallRule rule = _networkACLService.getNetworkACL(id);
if (rule == null) {
throw new InvalidParameterValueException("Unable to find network ACL by id=" + id);
} else {
ownerId = rule.getAccountId();
}
}
return ownerId;
Account caller = UserContext.current().getCaller();
return caller.getAccountId();
}
@Override
public void execute() throws ResourceUnavailableException {
UserContext.current().setEventDetails("Network ACL Id: " + id);
boolean result = _networkACLService.revokeNetworkACL(id, true);
UserContext.current().setEventDetails("Network ACL Item Id: " + id);
boolean result = _networkACLService.revokeNetworkACLItem(id);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
this.setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete network ACL");
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete network ACL Item");
}
}
@Override
public String getSyncObjType() {
return BaseAsyncCmd.networkSyncObject;
}
@Override
public Long getSyncObjId() {
return _firewallService.getFirewallRule(id).getNetworkId();
}
@Override
public AsyncJob.Type getInstanceType() {
return AsyncJob.Type.FirewallRule;
}
}

93
api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLListCmd.java Normal file
View File

@ -0,0 +1,93 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.user.network;
import com.cloud.async.AsyncJob;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.network.vpc.Vpc;
import com.cloud.user.Account;
import com.cloud.user.UserContext;
import org.apache.cloudstack.api.*;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.FirewallRuleResponse;
import org.apache.cloudstack.api.response.NetworkACLResponse;
import org.apache.cloudstack.api.response.SuccessResponse;
import org.apache.log4j.Logger;
@APICommand(name = "deleteNetworkACLList", description="Deletes a Network ACL", responseObject=SuccessResponse.class)
public class DeleteNetworkACLListCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteNetworkACLListCmd.class.getName());
private static final String s_name = "deletenetworkacllistresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = NetworkACLResponse.class,
required=true, description="the ID of the network ACL")
private Long id;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public long getId() {
return id;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public String getEventType() {
return EventTypes.EVENT_NETWORK_ACL_DELETE;
}
@Override
public String getEventDescription() {
return ("Deleting Network ACL id=" + id);
}
@Override
public long getEntityOwnerId() {
Account caller = UserContext.current().getCaller();
return caller.getAccountId();
}
@Override
public void execute() throws ResourceUnavailableException {
UserContext.current().setEventDetails("Network ACL Id: " + id);
boolean result = _networkACLService.deleteNetworkACL(id);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
this.setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete network ACL");
}
}
}

102
api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java Normal file
View File

@ -0,0 +1,102 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.user.network;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.utils.Pair;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.NetworkACLResponse;
import org.apache.cloudstack.api.response.NetworkResponse;
import org.apache.cloudstack.api.response.VpcResponse;
import org.apache.log4j.Logger;
import java.util.ArrayList;
import java.util.List;
@APICommand(name = "listNetworkACLLists", description="Lists all network ACLs", responseObject=NetworkACLResponse.class)
public class ListNetworkACLListsCmd extends BaseListCmd {
public static final Logger s_logger = Logger.getLogger(ListNetworkACLListsCmd.class.getName());
private static final String s_name = "listnetworkacllistsresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = NetworkACLResponse.class,
description="Lists network ACL with the specified ID.")
private Long id;
@Parameter(name=ApiConstants.NETWORK_ID, type=CommandType.UUID, entityType = NetworkResponse.class,
description="list network ACLs by network Id")
private Long networkId;
@Parameter(name=ApiConstants.VPC_ID, type=CommandType.UUID, entityType = VpcResponse.class,
description="list network ACLs by Vpc Id")
private Long vpcId;
@Parameter(name=ApiConstants.NAME, type=CommandType.STRING, description="list network ACLs by specified name")
private String name;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getNetworkId() {
return networkId;
}
public Long getId() {
return id;
}
public Long getVpcId() {
return vpcId;
}
public String getName(){
return name;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public void execute(){
Pair<List<? extends NetworkACL>,Integer> result = _networkACLService.listNetworkACLs(getId(), getName(), getNetworkId(), getVpcId());
ListResponse<NetworkACLResponse> response = new ListResponse<NetworkACLResponse>();
List<NetworkACLResponse> aclResponses = new ArrayList<NetworkACLResponse>();
for (NetworkACL acl : result.first()) {
NetworkACLResponse aclResponse = _responseGenerator.createNetworkACLResponse(acl);
aclResponses.add(aclResponse);
}
response.setResponses(aclResponses, result.second());
response.setResponseName(getCommandName());
this.setResponseObject(response);
}
}

46
api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLsCmd.java
View File

@ -19,20 +19,18 @@ package org.apache.cloudstack.api.command.user.network;
import java.util.ArrayList;
import java.util.List;
import com.cloud.network.vpc.NetworkACLItem;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListTaggedResourcesCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.FirewallRuleResponse;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.NetworkACLResponse;
import org.apache.cloudstack.api.response.NetworkResponse;
import org.apache.cloudstack.api.response.*;
import org.apache.log4j.Logger;
import com.cloud.network.rules.FirewallRule;
import com.cloud.utils.Pair;
@APICommand(name = "listNetworkACLs", description="Lists all network ACLs", responseObject=NetworkACLResponse.class)
@APICommand(name = "listNetworkACLs", description="Lists all network ACL items", responseObject=NetworkACLItemResponse.class)
public class ListNetworkACLsCmd extends BaseListTaggedResourcesCmd {
public static final Logger s_logger = Logger.getLogger(ListNetworkACLsCmd.class.getName());
@ -42,16 +40,26 @@ public class ListNetworkACLsCmd extends BaseListTaggedResourcesCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = FirewallRuleResponse.class,
description="Lists network ACL with the specified ID.")
description="Lists network ACL Item with the specified ID")
private Long id;
@Parameter(name=ApiConstants.NETWORK_ID, type=CommandType.UUID, entityType = NetworkResponse.class,
description="list network ACLs by network Id")
description="list network ACL Items by network Id")
private Long networkId;
@Parameter(name=ApiConstants.TRAFFIC_TYPE, type=CommandType.STRING, description="list network ACLs by traffic type - Ingress or Egress")
@Parameter(name=ApiConstants.TRAFFIC_TYPE, type=CommandType.STRING, description="list network ACL Items by traffic type - Ingress or Egress")
private String trafficType;
@Parameter(name=ApiConstants.ACL_ID, type=CommandType.UUID, entityType = NetworkACLResponse.class,
description="list network ACL Items by ACL Id")
private Long aclId;
@Parameter(name=ApiConstants.PROTOCOL, type=CommandType.STRING, description="list network ACL Items by Protocol")
private String protocol;
@Parameter(name=ApiConstants.ACTION, type=CommandType.STRING, description="list network ACL Items by Action")
private String action;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
@ -68,6 +76,18 @@ public class ListNetworkACLsCmd extends BaseListTaggedResourcesCmd {
return trafficType;
}
public Long getAclId(){
return aclId;
}
public String getProtocol() {
return protocol;
}
public String getAction() {
return action;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@ -79,12 +99,12 @@ public class ListNetworkACLsCmd extends BaseListTaggedResourcesCmd {
@Override
public void execute(){
Pair<List<? extends FirewallRule>,Integer> result = _networkACLService.listNetworkACLs(this);
ListResponse<NetworkACLResponse> response = new ListResponse<NetworkACLResponse>();
List<NetworkACLResponse> aclResponses = new ArrayList<NetworkACLResponse>();
Pair<List<? extends NetworkACLItem>,Integer> result = _networkACLService.listNetworkACLItems(this);
ListResponse<NetworkACLItemResponse> response = new ListResponse<NetworkACLItemResponse>();
List<NetworkACLItemResponse> aclResponses = new ArrayList<NetworkACLItemResponse>();
for (FirewallRule acl : result.first()) {
NetworkACLResponse ruleData = _responseGenerator.createNetworkACLResponse(acl);
for (NetworkACLItem acl : result.first()) {
NetworkACLItemResponse ruleData = _responseGenerator.createNetworkACLItemResponse(acl);
aclResponses.add(ruleData);
}
response.setResponses(aclResponses, result.second());

98
api/src/org/apache/cloudstack/api/command/user/network/ReplaceNetworkACLListCmd.java Normal file
View File

@ -0,0 +1,98 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.user.network;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.network.vpc.Vpc;
import com.cloud.user.Account;
import com.cloud.user.UserContext;
import org.apache.cloudstack.api.*;
import org.apache.cloudstack.api.response.NetworkACLResponse;
import org.apache.cloudstack.api.response.NetworkResponse;
import org.apache.cloudstack.api.response.SuccessResponse;
import org.apache.log4j.Logger;
@APICommand(name = "replaceNetworkACLList", description="Replaces ACL associated with a Network", responseObject=SuccessResponse.class)
public class ReplaceNetworkACLListCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(ReplaceNetworkACLListCmd.class.getName());
private static final String s_name = "replacenetworkacllistresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.ACL_ID, type=CommandType.UUID, entityType = NetworkACLResponse.class,
required=true, description="the ID of the network ACL")
private long aclId;
@Parameter(name=ApiConstants.NETWORK_ID, type=CommandType.UUID, entityType = NetworkResponse.class,
required=true, description="the ID of the network")
private long networkId;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public long getAclId() {
return aclId;
}
public long getNetworkId(){
return networkId;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public String getEventType() {
return EventTypes.EVENT_NETWORK_ACL_REPLACE;
}
@Override
public String getEventDescription() {
return ("Associating Network ACL id=" + aclId+ " with Network id="+ networkId);
}
@Override
public long getEntityOwnerId() {
Account caller = UserContext.current().getCaller();
return caller.getAccountId();
}
@Override
public void execute() throws ResourceUnavailableException {
UserContext.current().setEventDetails("Network ACL Id: " + aclId);
boolean result = _networkACLService.replaceNetworkACL(aclId, networkId);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
this.setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to replace network ACL");
}
}
}

173
api/src/org/apache/cloudstack/api/command/user/network/UpdateNetworkACLItemCmd.java Normal file
View File

@ -0,0 +1,173 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.command.user.network;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.vpc.NetworkACLItem;
import com.cloud.user.Account;
import com.cloud.user.UserContext;
import com.cloud.utils.net.NetUtils;
import org.apache.cloudstack.api.*;
import org.apache.cloudstack.api.response.NetworkACLItemResponse;
import org.apache.cloudstack.api.response.NetworkACLResponse;
import org.apache.cloudstack.api.response.NetworkResponse;
import org.apache.log4j.Logger;
import java.util.ArrayList;
import java.util.List;
@APICommand(name = "updateNetworkACLItem", description = "Updates ACL Item with specified Id",
responseObject = NetworkACLItemResponse.class)
public class UpdateNetworkACLItemCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(UpdateNetworkACLItemCmd.class.getName());
private static final String s_name = "createnetworkaclresponse";
// ///////////////////////////////////////////////////
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
@Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = NetworkACLItemResponse.class,
required=true, description="the ID of the network ACL Item")
private Long id;
@Parameter(name = ApiConstants.PROTOCOL, type = CommandType.STRING, description =
"the protocol for the ACL rule. Valid values are TCP/UDP/ICMP/ALL or valid protocol number")
private String protocol;
@Parameter(name = ApiConstants.START_PORT, type = CommandType.INTEGER, description = "the starting port of ACL")
private Integer publicStartPort;
@Parameter(name = ApiConstants.END_PORT, type = CommandType.INTEGER, description = "the ending port of ACL")
private Integer publicEndPort;
@Parameter(name = ApiConstants.CIDR_LIST, type = CommandType.LIST, collectionType = CommandType.STRING,
description = "the cidr list to allow traffic from/to")
private List<String> cidrlist;
@Parameter(name = ApiConstants.ICMP_TYPE, type = CommandType.INTEGER, description = "type of the icmp message being sent")
private Integer icmpType;
@Parameter(name = ApiConstants.ICMP_CODE, type = CommandType.INTEGER, description = "error code for this icmp message")
private Integer icmpCode;
@Parameter(name=ApiConstants.TRAFFIC_TYPE, type=CommandType.STRING, description="the traffic type for the ACL," +
"can be Ingress or Egress, defaulted to Ingress if not specified")
private String trafficType;
@Parameter(name=ApiConstants.NUMBER, type=CommandType.INTEGER, description="The network of the vm the ACL will be created for")
private Integer number;
@Parameter(name=ApiConstants.ACTION, type=CommandType.STRING, description="scl entry action, allow or deny")
private String action;
// ///////////////////////////////////////////////////
// ///////////////// Accessors ///////////////////////
// ///////////////////////////////////////////////////
public Long getId() {
return id;
}
public String getProtocol() {
if(protocol != null){
return protocol.trim();
} else
return null;
}
public List<String> getSourceCidrList() {
return cidrlist;
}
public NetworkACLItem.TrafficType getTrafficType() {
if (trafficType != null) {
for (NetworkACLItem.TrafficType type : NetworkACLItem.TrafficType.values()) {
if (type.toString().equalsIgnoreCase(trafficType)) {
return type;
}
}
}
return null;
}
// ///////////////////////////////////////////////////
// ///////////// API Implementation///////////////////
// ///////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
public String getAction() {
return action;
}
public Integer getNumber() {
return number;
}
public Integer getSourcePortStart() {
return publicStartPort;
}
public Integer getSourcePortEnd() {
return publicEndPort;
}
@Override
public long getEntityOwnerId() {
Account caller = UserContext.current().getCaller();
return caller.getAccountId();
}
@Override
public String getEventType() {
return EventTypes.EVENT_NETWORK_ACL_ITEM_UPDATE;
}
@Override
public String getEventDescription() {
return "Updating Network ACL Item";
}
public Integer getIcmpCode() {
return icmpCode;
}
public Integer getIcmpType() {
return icmpType;
}
@Override
public void execute() throws ResourceUnavailableException {
UserContext.current().setEventDetails("Rule Id: " + getId());
NetworkACLItem aclItem = _networkACLService.updateNetworkACLItem(getId(), getProtocol(), getSourceCidrList(), getTrafficType(),
getAction(), getNumber(), getSourcePortStart(), getSourcePortEnd(), getIcmpCode(), getIcmpType());
if (aclItem == null) {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to update network ACL Item");
}
NetworkACLItemResponse aclResponse = _responseGenerator.createNetworkACLItemResponse(aclItem);
setResponseObject(aclResponse);
aclResponse.setResponseName(getCommandName());
}
}

122
api/src/org/apache/cloudstack/api/response/NetworkACLItemResponse.java Normal file
View File

@ -0,0 +1,122 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.api.response;
import java.util.List;
import com.cloud.network.vpc.NetworkACLItem;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import com.cloud.serializer.Param;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.api.EntityReference;
@EntityReference(value = NetworkACLItem.class)
public class NetworkACLItemResponse extends BaseResponse {
@SerializedName(ApiConstants.ID) @Param(description="the ID of the ACL Item")
private String id;
@SerializedName(ApiConstants.PROTOCOL) @Param(description="the protocol of the ACL")
private String protocol;
@SerializedName(ApiConstants.START_PORT) @Param(description="the starting port of ACL's port range")
private String startPort;
@SerializedName(ApiConstants.END_PORT) @Param(description = "the ending port of ACL's port range")
private String endPort;
@SerializedName(ApiConstants.TRAFFIC_TYPE) @Param(description="the traffic type for the ACL")
private String trafficType;
@SerializedName(ApiConstants.STATE) @Param(description="the state of the rule")
private String state;
@SerializedName(ApiConstants.CIDR_LIST) @Param(description="the cidr list to forward traffic from")
private String cidrList;
@SerializedName(ApiConstants.ICMP_TYPE) @Param(description= "type of the icmp message being sent")
private Integer icmpType;
@SerializedName(ApiConstants.ICMP_CODE) @Param(description = "error code for this icmp message")
private Integer icmpCode;
@SerializedName(ApiConstants.TAGS) @Param(description="the list of resource tags associated with the network ACLs",
responseObject = ResourceTagResponse.class)
private List<ResourceTagResponse> tags;
@SerializedName(ApiConstants.ACL_ID) @Param(description="the ID of the ACL this item belongs to")
private String aclId;
@SerializedName(ApiConstants.NUMBER) @Param(description= "Number of the ACL Item")
private Integer number;
@SerializedName(ApiConstants.ACTION) @Param(description="Action of ACL Item. Allow/Deny")
private String action;
public void setId(String id) {
this.id = id;
}
public void setProtocol(String protocol) {
this.protocol = protocol;
}
public void setStartPort(String startPort) {
this.startPort = startPort;
}
public void setEndPort(String endPort) {
this.endPort = endPort;
}
public void setState(String state) {
this.state = state;
}
public void setCidrList(String cidrList) {
this.cidrList = cidrList;
}
public void setIcmpType(Integer icmpType) {
this.icmpType = icmpType;
}
public void setIcmpCode(Integer icmpCode) {
this.icmpCode = icmpCode;
}
public void setTrafficType(String trafficType) {
this.trafficType = trafficType;
}
public void setTags(List<ResourceTagResponse> tags) {
this.tags = tags;
}
public void setAclId(String aclId) {
this.aclId = aclId;
}
public void setNumber(Integer number) {
this.number = number;
}
public void setAction(String action) {
this.action = action;
}
}

80
api/src/org/apache/cloudstack/api/response/NetworkACLResponse.java
View File

@ -16,84 +16,42 @@
// under the License.
package org.apache.cloudstack.api.response;
import java.util.List;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.serializer.Param;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseResponse;
import org.apache.cloudstack.api.EntityReference;
@SuppressWarnings("unused")
import java.util.List;
@EntityReference(value = NetworkACL.class)
public class NetworkACLResponse extends BaseResponse {
@SerializedName(ApiConstants.ID) @Param(description="the ID of the ACL")
private String id;
@SerializedName(ApiConstants.PROTOCOL) @Param(description="the protocol of the ACL")
private String protocol;
@SerializedName(ApiConstants.NAME) @Param(description="the Name of the ACL")
private String name;
@SerializedName(ApiConstants.START_PORT) @Param(description="the starting port of ACL's port range")
private String startPort;
@SerializedName(ApiConstants.DESCRIPTION) @Param(description="Description of the ACL")
private String description;
@SerializedName(ApiConstants.END_PORT) @Param(description = "the ending port of ACL's port range")
private String endPort;
@SerializedName(ApiConstants.TRAFFIC_TYPE) @Param(description="the traffic type for the ACL")
private String trafficType;
@SerializedName(ApiConstants.STATE) @Param(description="the state of the rule")
private String state;
@SerializedName(ApiConstants.CIDR_LIST) @Param(description="the cidr list to forward traffic from")
private String cidrList;
@SerializedName(ApiConstants.ICMP_TYPE) @Param(description= "type of the icmp message being sent")
private Integer icmpType;
@SerializedName(ApiConstants.ICMP_CODE) @Param(description = "error code for this icmp message")
private Integer icmpCode;
@SerializedName(ApiConstants.TAGS) @Param(description="the list of resource tags associated with the network ACLs",
responseObject = ResourceTagResponse.class)
private List<ResourceTagResponse> tags;
@SerializedName(ApiConstants.VPC_ID) @Param(description="Id of the VPC this ACL is associated with")
private String vpcId;
public void setId(String id) {
this.id = id;
}
public void setProtocol(String protocol) {
this.protocol = protocol;
public void setName(String name) {
this.name = name;
}
public void setStartPort(String startPort) {
this.startPort = startPort;
public void setDescription(String description) {
this.description = description;
}
public void setEndPort(String endPort) {
this.endPort = endPort;
}
public void setState(String state) {
this.state = state;
}
public void setCidrList(String cidrList) {
this.cidrList = cidrList;
}
public void setIcmpType(Integer icmpType) {
this.icmpType = icmpType;
}
public void setIcmpCode(Integer icmpCode) {
this.icmpCode = icmpCode;
}
public void setTrafficType(String trafficType) {
this.trafficType = trafficType;
}
public void setTags(List<ResourceTagResponse> tags) {
this.tags = tags;
public void setVpcId(String vpcId) {
this.vpcId = vpcId;
}
}

3
client/tomcatconf/applicationContext.xml.in
View File

@ -246,6 +246,8 @@
<bean id="mockVMDaoImpl" class="com.cloud.simulator.dao.MockVMDaoImpl" />
<bean id="mockVolumeDaoImpl" class="com.cloud.simulator.dao.MockVolumeDaoImpl" />
<bean id="networkAccountDaoImpl" class="com.cloud.network.dao.NetworkAccountDaoImpl" />
<bean id="networkACLDaoImpl" class="com.cloud.network.vpc.dao.NetworkACLDaoImpl" />
<bean id="networkACLItemDaoImpl" class="com.cloud.network.vpc.dao.NetworkACLItemDaoImpl" />
<bean id="networkDaoImpl" class="com.cloud.network.dao.NetworkDaoImpl" />
<bean id="networkDomainDaoImpl" class="com.cloud.network.dao.NetworkDomainDaoImpl" />
<bean id="networkExternalFirewallDaoImpl" class="com.cloud.network.dao.NetworkExternalFirewallDaoImpl" />
@ -690,6 +692,7 @@
<bean id="keystoreManagerImpl" class="com.cloud.keystore.KeystoreManagerImpl" />
<bean id="loadBalancingRulesManagerImpl" class="com.cloud.network.lb.LoadBalancingRulesManagerImpl" />
<bean id="networkACLManagerImpl" class="com.cloud.network.vpc.NetworkACLManagerImpl" />
<bean id="networkACLServiceImpl" class="com.cloud.network.vpc.NetworkACLServiceImpl" />
<bean id="networkServiceImpl" class="com.cloud.network.NetworkServiceImpl" />
<bean id="networkUsageManagerImpl" class="com.cloud.network.NetworkUsageManagerImpl" />
<bean id="oCFS2ManagerImpl" class="com.cloud.storage.OCFS2ManagerImpl" />

6
client/tomcatconf/commands.properties.in
View File

@ -442,8 +442,14 @@ deletePrivateGateway=1
#### Network ACL commands
createNetworkACL=15
updateNetworkACLItem=15
deleteNetworkACL=15
listNetworkACLs=15
createNetworkACLList=15
deleteNetworkACLList=15
replaceNetworkACLList=15
listNetworkACLLists=15
#### Static route commands
createStaticRoute=15

19
core/src/com/cloud/agent/api/routing/SetNetworkACLCommand.java
View File

@ -17,6 +17,9 @@
package com.cloud.agent.api.routing;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
@ -42,11 +45,17 @@ public class SetNetworkACLCommand extends NetworkElementCommand{
public String[][] generateFwRules() {
String [][] result = new String [2][];
Set<String> toAdd = new HashSet<String>();
List<NetworkACLTO> aclList = Arrays.asList(rules);
Collections.sort(aclList, new Comparator<NetworkACLTO>() {
@Override
public int compare(NetworkACLTO acl1, NetworkACLTO acl2) {
return acl1.getNumber() > acl2.getNumber() ? 1 : -1;
}
});
for (NetworkACLTO aclTO: rules) {
/* example : Ingress:tcp:80:80:0.0.0.0/0:,Egress:tcp:220:220:0.0.0.0/0:,
* each entry format Ingress/Egress:protocol:start port: end port:scidrs:
for (NetworkACLTO aclTO: aclList) {
/* example : Ingress:tcp:80:80:0.0.0.0/0:ACCEPT:,Egress:tcp:220:220:0.0.0.0/0:DROP:,
* each entry format Ingress/Egress:protocol:start port: end port:scidrs:action:
* reverted entry format Ingress/Egress:reverted:0:0:0:
*/
if (aclTO.revoked() == true)
@ -80,7 +89,7 @@ public class SetNetworkACLCommand extends NetworkElementCommand{
firstEntry = false;
}
}
sb.append(":");
sb.append(":").append(aclTO.getAction()).append(":");
String aclRuleEntry = sb.toString();
toAdd.add(aclRuleEntry);

1
docs/en-US/Installation_Guide.xml
View File

@ -55,6 +55,7 @@
<xi:include href="choosing-a-hypervisor.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="aws-interface-compatibility.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="network-setup.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="storage-setup.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="networks.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="best-practices.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="Revision_History_Install_Guide.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>

21
docs/en-US/gslb.xml
View File

@ -157,6 +157,7 @@
</section>
<section id="gslb-workflow">
<title>Configuring GSLB</title>
<<<<<<< HEAD
<para>A GSLB deployment is the logical collection of GSLB virtual server, GSLB service, LB
virtual server, service, domain, and ADNS service. To create a GSLB site, you must configure
load balancing in the zone. You must create GSLB vservers and GSLB services for each site. You
@ -180,6 +181,17 @@
on the two appliances at the two different sites are identical, although each sites
load-balancing configuration is specific to that site.</para>
<para>Perform the following as a cloud administrator. As per the above example, the
=======
<para>To configure a GSLB deployment, you must first configure a standard load balancing setup
for each zone. This enables you to balance load across the different servers in each zone in
the region. Then on the NetScaler side, configure both NetScaler appliances that you plan to
add to each zone as authoritative DNS (ADNS) servers. Next, create a GSLB site for each zone,
configure GSLB virtual servers for each site, create GLSB services, and bind the GSLB services
to the GSLB virtual servers. Finally, bind the domain to the GSLB virtual servers. The GSLB
configurations on the two appliances at the two different zones are identical, although each
sites load-balancing configuration is specific to that site.</para>
<para>Perform the following as a cloud administrator. As per the example given above, the
>>>>>>> master
administrator of xyztelco is the one who sets up GSLB:</para>
<orderedlist>
<listitem>
@ -200,7 +212,13 @@
>Configuring an Authoritative DNS Service</ulink>.</para>
</listitem>
<listitem>
<<<<<<< HEAD
<para>Configure a GSLB site with site name formed from the domain name details.</para>
=======
<para>Configure a GSLB site with the site name formed from the domain name.</para>
<para>As per the example given above, the site names are A.xyztelco.com and
B.xyztelco.com.</para>
>>>>>>> master
<para>For more information, see <ulink
url="http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-basic-site-tsk.html"
>Configuring a Basic GSLB Site</ulink>.</para>
@ -459,7 +477,10 @@
</section>
<section id="assign-lb-gslb">
<title>Assigning Load Balancing Rules to GSLB</title>
<<<<<<< HEAD
<para/>
=======
>>>>>>> master
<orderedlist>
<listitem>
<para>Log in to the &PRODUCT; UI as a domain administrator or user.</para>

192
docs/en-US/storage-setup.xml Normal file
View File

@ -0,0 +1,192 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<chapter id="storage-setup">
<title>Storage Setup</title>
<para>&PRODUCT; is designed to work with a wide variety of commodity and enterprise-grade storage. Local disk may be used as well, if supported by the selected hypervisor. Storage type support for guest virtual disks differs based on hypervisor selection.</para>
<informaltable>
<tgroup cols="4" align="left" colsep="1" rowsep="1">
<thead>
<row>
<entry><para></para></entry>
<entry><para>XenServer</para></entry>
<entry><para>vSphere</para></entry>
<entry><para>KVM</para></entry>
</row>
</thead>
<tbody>
<row>
<entry><para>NFS</para></entry>
<entry><para>Supported</para></entry>
<entry><para>Supported</para></entry>
<entry><para>Supported</para></entry>
</row>
<row>
<entry><para>iSCSI</para></entry>
<entry><para>Supported</para></entry>
<entry><para>Supported via VMFS</para></entry>
<entry><para>Supported via Clustered Filesystems</para></entry>
</row>
<row>
<entry><para>Fiber Channel</para></entry>
<entry><para>Supported via Pre-existing SR</para></entry>
<entry><para>Supported</para></entry>
<entry><para>Supported via Clustered Filesystems</para></entry>
</row>
<row>
<entry><para>Local Disk</para></entry>
<entry><para>Supported</para></entry>
<entry><para>Supported</para></entry>
<entry><para>Supported</para></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>The use of the Cluster Logical Volume Manager (CLVM) for KVM is not officially supported with &PRODUCT;.</para>
<section id="storage-set-small-scale">
<title>Small-Scale Setup</title>
<para>In a small-scale setup, a single NFS server can function as both primary and secondary storage. The NFS server just needs to export two separate shares, one for primary storage and the other for secondary storage.</para>
</section>
<section id="storage-set-secondary">
<title>Secondary Storage</title>
<para>&PRODUCT; is designed to work with any scalable secondary storage system. The only requirement is the secondary storage system supports the NFS protocol.</para>
<note>
<para>The storage server should be a machine with a large number of disks. The disks should ideally be managed by a hardware RAID controller. Modern hardware RAID controllers support hot plug functionality independent of the operating system so you can replace faulty disks without impacting the running operating system.</para>
</note>
</section>
<section id="storage-set-example-config">
<title>Example Configurations</title>
<para>In this section we go through a few examples of how to set up storage to work properly on a few types of NFS and iSCSI storage systems.</para>
<section id="storage-set-example-config-local-das">
<title>Linux NFS on Local Disks and DAS</title>
<para>This section describes how to configure an NFS export on a standard Linux installation. The exact commands might vary depending on the operating system version.</para>
<orderedlist>
<listitem><para>Install the RHEL/CentOS distribution on the storage server.</para></listitem>
<listitem><para>If the root volume is more than 2 TB in size, create a smaller boot volume to install RHEL/CentOS. A root volume of 20 GB should be sufficient.</para></listitem>
<listitem><para>After the system is installed, create a directory called /export. This can each be a directory in the root partition itself or a mount point for a large disk volume.</para></listitem>
<listitem><para>If you have more than 16TB of storage on one host, create multiple EXT3 file systems and multiple NFS exports. Individual EXT3 file systems cannot exceed 16TB.</para></listitem>
<listitem>
<para>After /export directory is created, run the following command to configure it as an NFS export.</para>
<programlisting># echo "/export &lt;CIDR&gt;(rw,async,no_root_squash)" >> /etc/exports</programlisting>
<para>Adjust the above command to suit your deployment needs.</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Limiting NFS export.</emphasis> It is highly recommended that you limit the NFS export to a particular subnet by specifying a subnet mask (e.g.,”192.168.1.0/24”). By allowing access from only within the expected cluster, you avoid having non-pool member mount the storage. The limit you place must include the management network(s) and the storage network(s). If the two are the same network then one CIDR is sufficient. If you have a separate storage network you must provide separate CIDRs for both or one CIDR that is broad enough to span both.</para>
<para>The following is an example with separate CIDRs:</para>
<programlisting>/export 192.168.1.0/24(rw,async,no_root_squash) 10.50.1.0/24(rw,async,no_root_squash)</programlisting>
</listitem>
<listitem>
<para><emphasis role="bold">Removing the async flag.</emphasis> The async flag improves performance by allowing the NFS server to respond before writes are committed to the disk. Remove the async flag in your mission critical production deployment.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Run the following command to enable NFS service.</para>
<programlisting># chkconfig nfs on</programlisting>
</listitem>
<listitem>
<para>Edit the /etc/sysconfig/nfs file and uncomment the following lines.</para>
<programlisting>LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020</programlisting>
</listitem>
<listitem>
<para>Edit the /etc/sysconfig/iptables file and add the following lines at the beginning of the INPUT chain.</para>
<programlisting>
-A INPUT -m state --state NEW -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 662 -j ACCEPT
</programlisting>
</listitem>
<listitem>
<para>Reboot the server.</para>
<para>An NFS share called /export is now set up.</para>
</listitem>
</orderedlist>
<note><para>When copying and pasting a command, be sure the command has pasted as a single line before executing. Some document viewers may introduce unwanted line breaks in copied text.</para></note>
</section>
<section id="storage-set-example-config-iscsi">
<title>Linux NFS on iSCSI</title>
<para>Use the following steps to set up a Linux NFS server export on an iSCSI volume. These steps apply to RHEL/CentOS 5 distributions.</para>
<orderedlist>
<listitem>
<para>Install iscsiadm.</para>
<programlisting>
# yum install iscsi-initiator-utils
# service iscsi start
# chkconfig --add iscsi
# chkconfig iscsi on
</programlisting>
</listitem>
<listitem>
<para>Discover the iSCSI target.</para>
<programlisting># iscsiadm -m discovery -t st -p &lt;iSCSI Server IP address&gt;:3260</programlisting>
<para>For example:</para>
<programlisting># iscsiadm -m discovery -t st -p 172.23.10.240:3260
172.23.10.240:3260,1 iqn.2001-05.com.equallogic:0-8a0906-83bcb3401-16e0002fd0a46f3d-rhel5-test </programlisting>
</listitem>
<listitem>
<para>Log in.</para>
<programlisting># iscsiadm -m node -T &lt;Complete Target Name&gt; -l -p &lt;Group IP&gt;:3260</programlisting>
<para>For example:</para>
<programlisting># iscsiadm -m node -l -T iqn.2001-05.com.equallogic:83bcb3401-16e0002fd0a46f3d-rhel5-test -p 172.23.10.240:3260 </programlisting>
</listitem>
<listitem>
<para>Discover the SCSI disk. For example:</para>
<programlisting>
# iscsiadm -m session -P3 | grep Attached
Attached scsi disk sdb State: running
</programlisting>
</listitem>
<listitem>
<para>Format the disk as ext3 and mount the volume.</para>
<programlisting># mkfs.ext3 /dev/sdb
# mkdir -p /export
# mount /dev/sdb /export
</programlisting>
</listitem>
<listitem>
<para>Add the disk to /etc/fstab to make sure it gets mounted on boot.</para>
<programlisting>/dev/sdb /export ext3 _netdev 0 0</programlisting>
</listitem>
</orderedlist>
<para>Now you can set up /export as an NFS share.</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Limiting NFS export.</emphasis> In order to avoid data loss, it is highly recommended that you limit the NFS export to a particular subnet by specifying a subnet mask (e.g.,”192.168.1.0/24”). By allowing access from only within the expected cluster, you avoid having non-pool member mount the storage and inadvertently delete all its data. The limit you place must include the management network(s) and the storage network(s). If the two are the same network then one CIDR is sufficient. If you have a separate storage network you must provide separate CIDRs for both or one CIDR that is broad enough to span both. </para>
<para>The following is an example with separate CIDRs:</para>
<programlisting>/export 192.168.1.0/24(rw,async,no_root_squash) 10.50.1.0/24(rw,async,no_root_squash)</programlisting>
</listitem>
<listitem><para><emphasis role="bold">Removing the async flag.</emphasis> The async flag improves performance by allowing the NFS server to respond before writes are committed to the disk. Remove the async flag in your mission critical production deployment.</para></listitem>
</itemizedlist>
</section>
</section>
</chapter>

2
engine/schema/src/com/cloud/network/dao/NetworkDao.java
View File

@ -111,4 +111,6 @@ public interface NetworkDao extends GenericDao<NetworkVO, Long> , StateDao<State
List<NetworkVO> listNetworksByAccount(long accountId, long zoneId, Network.GuestType type, boolean isSystem);
List<NetworkVO> listRedundantNetworks();
List<NetworkVO> listByAclId(long aclId);
}

9
engine/schema/src/com/cloud/network/dao/NetworkDaoImpl.java
View File

@ -104,6 +104,7 @@ public class NetworkDaoImpl extends GenericDaoBase<NetworkVO, Long> implements N
AllFieldsSearch.and("physicalNetwork", AllFieldsSearch.entity().getPhysicalNetworkId(), Op.EQ);
AllFieldsSearch.and("broadcastUri", AllFieldsSearch.entity().getBroadcastUri(), Op.EQ);
AllFieldsSearch.and("vpcId", AllFieldsSearch.entity().getVpcId(), Op.EQ);
AllFieldsSearch.and("aclId", AllFieldsSearch.entity().getNetworkACLId(), Op.EQ);
SearchBuilder<NetworkOfferingVO> join1 = _ntwkOffDao.createSearchBuilder();
join1.and("isSystem", join1.entity().isSystemOnly(), Op.EQ);
join1.and("isRedundant", join1.entity().getRedundantRouter(), Op.EQ);
@ -618,4 +619,12 @@ public class NetworkDaoImpl extends GenericDaoBase<NetworkVO, Long> implements N
sc.setJoinParameters("offerings", "isRedundant", true);
return listBy(sc, null);
}
@Override
public List<NetworkVO> listByAclId(long aclId) {
SearchCriteria<NetworkVO> sc = AllFieldsSearch.create();
sc.setParameters("aclId", aclId);
return listBy(sc, null);
}
}

13
engine/schema/src/com/cloud/network/dao/NetworkVO.java
View File

@ -163,6 +163,9 @@ public class NetworkVO implements Network {
@Column(name="display_network", updatable=true, nullable=false)
protected boolean displayNetwork = true;
@Column(name="network_acl_id")
Long networkACLId;
public NetworkVO() {
this.uuid = UUID.randomUUID().toString();
}
@ -549,4 +552,14 @@ public class NetworkVO implements Network {
public void setDisplayNetwork(boolean displayNetwork) {
this.displayNetwork = displayNetwork;
}
@Override
public void setNetworkACLId(Long networkACLId) {
this.networkACLId = networkACLId;
}
@Override
public Long getNetworkACLId() {
return networkACLId;
}
}

159
engine/schema/src/com/cloud/upgrade/dao/Upgrade410to420.java
View File

@ -19,11 +19,14 @@ package com.cloud.upgrade.dao;
import java.io.File;
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Types;
import java.util.UUID;
import com.cloud.network.vpc.NetworkACL;
import org.apache.log4j.Logger;
import com.cloud.utils.exception.CloudRuntimeException;
@ -69,6 +72,7 @@ public class Upgrade410to420 implements DbUpgrade {
upgradeEIPNetworkOfferings(conn);
upgradeDefaultVpcOffering(conn);
upgradePhysicalNtwksWithInternalLbProvider(conn);
updateNetworkACLs(conn);
}
private void updateSystemVmTemplates(Connection conn) {
@ -309,6 +313,7 @@ public class Upgrade410to420 implements DbUpgrade {
}
}
}
private void addEgressFwRulesForSRXGuestNw(Connection conn) {
PreparedStatement pstmt = null;
ResultSet rs = null;
@ -390,11 +395,164 @@ public class Upgrade410to420 implements DbUpgrade {
}
} catch (SQLException e) {
throw new CloudRuntimeException("Unable to set elastic_ip_service for network offerings with EIP service enabled.", e);
}
}
private void updateNetworkACLs(Connection conn) {
//Fetch all VPC Tiers
//For each tier create a network ACL and move all the acl_items to network_acl_item table
// If there are no acl_items for a tier, associate it with default ACL
s_logger.debug("Updating network ACLs");
PreparedStatement pstmt = null;
PreparedStatement pstmtDelete = null;
ResultSet rs = null;
ResultSet rsAcls = null;
ResultSet rsCidr = null;
//1,2 are default acl Ids, start acl Ids from 3
long nextAclId = 3;
try {
//Get all VPC tiers
pstmt = conn.prepareStatement("SELECT id, vpc_id, uuid FROM `cloud`.`networks` where vpc_id is not null and removed is null");
rs = pstmt.executeQuery();
while (rs.next()) {
Long networkId = rs.getLong(1);
s_logger.debug("Updating network ACLs for network: "+networkId);
Long vpcId = rs.getLong(2);
String tierUuid = rs.getString(3);
pstmt = conn.prepareStatement("SELECT id, uuid, start_port, end_port, state, protocol, icmp_code, icmp_type, created, traffic_type FROM `cloud`.`firewall_rules` where network_id = ? and purpose = 'NetworkACL'");
pstmt.setLong(1, networkId);
rsAcls = pstmt.executeQuery();
boolean hasAcls = false;
Long aclId = null;
int number = 1;
while(rsAcls.next()){
if(!hasAcls){
hasAcls = true;
aclId = nextAclId++;
//create ACL for the tier
s_logger.debug("Creating network ACL for tier: "+tierUuid);
pstmt = conn.prepareStatement("INSERT INTO `cloud`.`network_acl` (id, uuid, vpc_id, description, name) values (?, UUID(), ? , ?, ?)");
pstmt.setLong(1, aclId);
pstmt.setLong(2, vpcId);
pstmt.setString(3, "ACL for tier " + tierUuid);
pstmt.setString(4, "tier_" + tierUuid);
pstmt.executeUpdate();
}
Long fwRuleId = rsAcls.getLong(1);
String cidr = null;
//get cidr from firewall_rules_cidrs
pstmt = conn.prepareStatement("SELECT id, source_cidr FROM `cloud`.`firewall_rules_cidrs` where firewall_rule_id = ?");
pstmt.setLong(1, fwRuleId);
rsCidr = pstmt.executeQuery();
while(rsCidr.next()){
Long cidrId = rsCidr.getLong(1);
String sourceCidr = rsCidr.getString(2);
if(cidr == null){
cidr = sourceCidr;
} else {
cidr += ","+sourceCidr;
}
//Delete cidr entry
pstmtDelete = conn.prepareStatement("DELETE FROM `cloud`.`firewall_rules_cidrs` where id = ?");
pstmtDelete.setLong(1, cidrId);
pstmtDelete.executeUpdate();
}
String aclItemUuid = rsAcls.getString(2);
//Move acl to network_acl_item table
s_logger.debug("Moving firewall rule: "+aclItemUuid);
pstmt = conn.prepareStatement("INSERT INTO `cloud`.`network_acl_item` (uuid, acl_id, start_port, end_port, state, protocol, icmp_code, icmp_type, created, traffic_type, cidr, number, action) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )");
//uuid
pstmt.setString(1, aclItemUuid);
//aclId
pstmt.setLong(2, aclId);
//Start port
Integer startPort = rsAcls.getInt(3);
if(rsAcls.wasNull()){
pstmt.setNull(3, Types.INTEGER);
} else {
pstmt.setLong(3, startPort);
}
//End port
Integer endPort = rsAcls.getInt(4);
if(rsAcls.wasNull()){
pstmt.setNull(4, Types.INTEGER);
} else {
pstmt.setLong(4, endPort);
}
//State
String state = rsAcls.getString(5);
pstmt.setString(5, state);
//protocol
String protocol = rsAcls.getString(6);
pstmt.setString(6, protocol);
//icmp_code
Integer icmpCode = rsAcls.getInt(7);
if(rsAcls.wasNull()){
pstmt.setNull(7, Types.INTEGER);
} else {
pstmt.setLong(7, icmpCode);
}
//icmp_type
Integer icmpType = rsAcls.getInt(8);
if(rsAcls.wasNull()){
pstmt.setNull(8, Types.INTEGER);
} else {
pstmt.setLong(8, icmpType);
}
//created
Date created = rsAcls.getDate(9);
pstmt.setDate(9, created);
//traffic type
String trafficType = rsAcls.getString(10);
pstmt.setString(10, trafficType);
//cidr
pstmt.setString(11, cidr);
//number
pstmt.setInt(12, number++);
//action
pstmt.setString(13, "Allow");
pstmt.executeUpdate();
//Delete firewall rule
pstmtDelete = conn.prepareStatement("DELETE FROM `cloud`.`firewall_rules` where id = ?");
pstmtDelete.setLong(1, fwRuleId);
pstmtDelete.executeUpdate();
}
if(!hasAcls){
//no network ACls for this network.
// Assign default Deny ACL
aclId = NetworkACL.DEFAULT_DENY;
}
//Assign acl to network
pstmt = conn.prepareStatement("UPDATE `cloud`.`networks` set network_acl_id=? where id=?");
pstmt.setLong(1, aclId);
pstmt.setLong(2, networkId);
pstmt.executeUpdate();
}
s_logger.debug("Done updating network ACLs ");
} catch (SQLException e) {
throw new CloudRuntimeException("Unable to move network acls from firewall rules table to network_acl_item table", e);
} finally {
try {
if (rs != null) {
rs.close();
}
if (rsAcls != null) {
rsAcls.close();
}
if (rsCidr != null) {
rsCidr.close();
}
if (pstmt != null) {
pstmt.close();
}
@ -438,6 +596,7 @@ public class Upgrade410to420 implements DbUpgrade {
}
private void upgradePhysicalNtwksWithInternalLbProvider(Connection conn) {
PreparedStatement pstmt = null;

11
patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
View File

@ -102,6 +102,7 @@ acl_entry_for_guest_network() {
local sport=$(echo $rule | cut -d: -f3)
local eport=$(echo $rule | cut -d: -f4)
local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
local action=$(echo $rule | cut -d: -f6)
if [ "$sport" == "0" -a "$eport" == "0" ]
then
DPORT=""
@ -123,21 +124,21 @@ acl_entry_for_guest_network() {
if [ "$ttype" == "Ingress" ]
then
sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
--icmp-type $typecode -j ACCEPT
--icmp-type $typecode -j $action
else
let egress++
sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
--icmp-type $typecode -j ACCEPT
--icmp-type $typecode -j $action
fi
else
if [ "$ttype" == "Ingress" ]
then
sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
$DPORT -j ACCEPT
$DPORT -j $action
else
let egress++
sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
$DPORT -j ACCEPT
$DPORT -j $action
fi
fi
result=$?
@ -195,7 +196,7 @@ fi
# protocal:sport:eport:cidr
#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:ACCEPT:,172.16.92.44:tcp:220:220:0.0.0.0/0:DROP,200.1.1.2:reverted:0:0:0
success=0

8
plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
View File

@ -72,7 +72,7 @@ public class CiscoVnmcResource implements ServerResource {
private String _username;
private String _password;
private String _guid;
private Integer _numRetries;
private Integer _numRetries = 1;
private CiscoVnmcConnectionImpl _connection;
@ -155,9 +155,9 @@ public class CiscoVnmcResource implements ServerResource {
// Open a socket and login
_connection = new CiscoVnmcConnectionImpl(_ip, _username, _password);
//if (!refreshVnmcConnection()) {
// throw new ConfigurationException("Unable to open a connection to the VNMC.");
//}
if (!refreshVnmcConnection()) {
throw new ConfigurationException("Unable to connect to VNMC, check if ip/username/password is valid.");
}
return true;
} catch (Exception e) {

13
plugins/network-elements/cisco-vnmc/test/com/cloud/network/resource/CiscoVnmcResourceTest.java
View File

@ -77,19 +77,19 @@ public class CiscoVnmcResourceTest {
_parameters.put("timeout", "300");
}
@Test(expected=ConfigurationException.class)
//@Test(expected=ConfigurationException.class)
public void resourceConfigureFailure() throws ConfigurationException {
_resource.configure("CiscoVnmcResource", Collections.<String,Object>emptyMap());
}
@Test
//@Test
public void resourceConfigure() throws ConfigurationException {
_resource.configure("CiscoVnmcResource", _parameters);
assertTrue("CiscoVnmc".equals(_resource.getName()));
assertTrue(_resource.getType() == Host.Type.ExternalFirewall);
}
@Test
//@Test
public void testInitialization() throws ConfigurationException {
_resource.configure("CiscoVnmcResource", _parameters);
StartupCommand[] sc = _resource.initialize();
@ -101,7 +101,6 @@ public class CiscoVnmcResourceTest {
@Test
public void testPingCommandStatusOk() throws ConfigurationException, ExecutionException {
_resource.configure("CiscoVnmcResource", _parameters);
_resource.setConnection(_connection);
when(_connection.login()).thenReturn(true);
PingCommand ping = _resource.getCurrentStatus(1);
@ -112,7 +111,6 @@ public class CiscoVnmcResourceTest {
@Test
public void testPingCommandStatusFail() throws ConfigurationException, ExecutionException {
_resource.configure("CiscoVnmcResource", _parameters);
_resource.setConnection(_connection);
when(_connection.login()).thenReturn(false);
PingCommand ping = _resource.getCurrentStatus(1);
@ -128,7 +126,6 @@ public class CiscoVnmcResourceTest {
cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "1.2.3.4/32");
_resource.configure("CiscoVnmcResource", _parameters);
_resource.setConnection(_connection);
when(_connection.login()).thenReturn(true);
when(_connection.createTenantVDCNatPolicySet(anyString())).thenReturn(true);
@ -162,7 +159,6 @@ public class CiscoVnmcResourceTest {
cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "1.2.3.4/32");
_resource.configure("CiscoVnmcResource", _parameters);
_resource.setConnection(_connection);
when(_connection.createTenantVDCAclPolicySet(anyString(), anyBoolean())).thenReturn(true);
when(_connection.createTenantVDCAclPolicy(anyString(), anyString())).thenReturn(true);
@ -198,7 +194,6 @@ public class CiscoVnmcResourceTest {
cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "1.2.3.4/32");
_resource.configure("CiscoVnmcResource", _parameters);
_resource.setConnection(_connection);
when(_connection.createTenantVDCNatPolicySet(anyString())).thenReturn(true);
when(_connection.createTenantVDCAclPolicySet(anyString(), anyBoolean())).thenReturn(true);
@ -235,7 +230,6 @@ public class CiscoVnmcResourceTest {
cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "1.2.3.4/32");
_resource.configure("CiscoVnmcResource", _parameters);
_resource.setConnection(_connection);
when(_connection.createTenantVDCNatPolicySet(anyString())).thenReturn(true);
when(_connection.createTenantVDCAclPolicySet(anyString(), anyBoolean())).thenReturn(true);
@ -267,7 +261,6 @@ public class CiscoVnmcResourceTest {
cmd.getPublicGateways().add("1.1.1.1");
cmd.getPublicGateways().add("2.2.2.2");
_resource.configure("CiscoVnmcResource", _parameters);
_resource.setConnection(_connection);
when(_connection.createTenant(anyString())).thenReturn(true);
when(_connection.createTenantVDC(anyString())).thenReturn(true);

31
server/src/com/cloud/api/ApiDBUtils.java
View File

@ -25,6 +25,21 @@ import java.util.Set;
import javax.annotation.PostConstruct;
import javax.inject.Inject;
import com.cloud.network.rules.LoadBalancer;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.network.vpc.StaticRouteVO;
import com.cloud.network.vpc.VpcGatewayVO;
import com.cloud.network.vpc.VpcManager;
import com.cloud.network.vpc.VpcOffering;
import com.cloud.network.vpc.VpcProvisioningService;
import com.cloud.network.vpc.VpcVO;
import com.cloud.network.vpc.dao.NetworkACLDao;
import com.cloud.network.vpc.dao.StaticRouteDao;
import com.cloud.network.vpc.dao.VpcDao;
import com.cloud.network.vpc.dao.VpcGatewayDao;
import com.cloud.network.vpc.dao.VpcOfferingDao;
import com.cloud.region.ha.GlobalLoadBalancingRulesService;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.AffinityGroupResponse;
import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
@ -187,16 +202,6 @@ import com.cloud.network.security.SecurityGroup;
import com.cloud.network.security.SecurityGroupManager;
import com.cloud.network.security.SecurityGroupVO;
import com.cloud.network.security.dao.SecurityGroupDao;
import com.cloud.network.vpc.StaticRouteVO;
import com.cloud.network.vpc.VpcGatewayVO;
import com.cloud.network.vpc.VpcManager;
import com.cloud.network.vpc.VpcOffering;
import com.cloud.network.vpc.VpcProvisioningService;
import com.cloud.network.vpc.VpcVO;
import com.cloud.network.vpc.dao.StaticRouteDao;
import com.cloud.network.vpc.dao.VpcDao;
import com.cloud.network.vpc.dao.VpcGatewayDao;
import com.cloud.network.vpc.dao.VpcOfferingDao;
import com.cloud.offering.DiskOffering;
import com.cloud.offering.NetworkOffering;
import com.cloud.offering.ServiceOffering;
@ -397,6 +402,7 @@ public class ApiDBUtils {
static AffinityGroupDao _affinityGroupDao;
static AffinityGroupJoinDao _affinityGroupJoinDao;
static GlobalLoadBalancingRulesService _gslbService;
static NetworkACLDao _networkACLDao;
@Inject private ManagementServer ms;
@Inject public AsyncJobManager asyncMgr;
@ -506,6 +512,7 @@ public class ApiDBUtils {
@Inject private AffinityGroupDao affinityGroupDao;
@Inject private AffinityGroupJoinDao affinityGroupJoinDao;
@Inject private GlobalLoadBalancingRulesService gslbService;
@Inject private NetworkACLDao networkACLDao;
@PostConstruct
void init() {
@ -615,6 +622,7 @@ public class ApiDBUtils {
_gslbService = gslbService;
// Note: stats collector should already have been initialized by this time, otherwise a null instance is returned
_statsCollector = StatsCollector.getInstance();
_networkACLDao = networkACLDao;
}
// ///////////////////////////////////////////////////////////
@ -1290,6 +1298,9 @@ public class ApiDBUtils {
return _vpcOfferingDao.findById(offeringId);
}
public static NetworkACL findByNetworkACLId(long aclId){
return _networkACLDao.findById(aclId);
}
public static AsyncJob findAsyncJobById(long jobId){
return _asyncJobDao.findById(jobId);

73
server/src/com/cloud/api/ApiResponseHelper.java
View File

@ -34,6 +34,18 @@ import java.util.TimeZone;
import javax.inject.Inject;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.network.vpc.NetworkACLItem;
import com.cloud.network.vpc.PrivateGateway;
import com.cloud.network.vpc.StaticRoute;
import com.cloud.network.vpc.Vpc;
import com.cloud.network.vpc.VpcOffering;
import com.cloud.vm.*;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.network.vpc.PrivateGateway;
import com.cloud.network.vpc.StaticRoute;
import com.cloud.network.vpc.Vpc;
import com.cloud.network.vpc.VpcOffering;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.affinity.AffinityGroup;
@ -84,6 +96,7 @@ import org.apache.cloudstack.api.response.LBStickinessPolicyResponse;
import org.apache.cloudstack.api.response.LBStickinessResponse;
import org.apache.cloudstack.api.response.LDAPConfigResponse;
import org.apache.cloudstack.api.response.LoadBalancerResponse;
import org.apache.cloudstack.api.response.NetworkACLItemResponse;
import org.apache.cloudstack.api.response.NetworkACLResponse;
import org.apache.cloudstack.api.response.NetworkOfferingResponse;
import org.apache.cloudstack.api.response.NetworkResponse;
@ -230,10 +243,6 @@ import com.cloud.network.security.SecurityGroup;
import com.cloud.network.security.SecurityGroupVO;
import com.cloud.network.security.SecurityRule;
import com.cloud.network.security.SecurityRule.SecurityRuleType;
import com.cloud.network.vpc.PrivateGateway;
import com.cloud.network.vpc.StaticRoute;
import com.cloud.network.vpc.Vpc;
import com.cloud.network.vpc.VpcOffering;
import com.cloud.offering.DiskOffering;
import com.cloud.offering.NetworkOffering;
import com.cloud.offering.NetworkOffering.Detail;
@ -2548,37 +2557,43 @@ public class ApiResponseHelper implements ResponseGenerator {
}
@Override
public NetworkACLResponse createNetworkACLResponse(FirewallRule networkACL) {
NetworkACLResponse response = new NetworkACLResponse();
public NetworkACLItemResponse createNetworkACLItemResponse(NetworkACLItem aclItem) {
NetworkACLItemResponse response = new NetworkACLItemResponse();
response.setId(networkACL.getUuid());
response.setProtocol(networkACL.getProtocol());
if (networkACL.getSourcePortStart() != null) {
response.setStartPort(Integer.toString(networkACL.getSourcePortStart()));
response.setId(aclItem.getUuid());
response.setProtocol(aclItem.getProtocol());
if (aclItem.getSourcePortStart() != null) {
response.setStartPort(Integer.toString(aclItem.getSourcePortStart()));
}
if (networkACL.getSourcePortEnd() != null) {
response.setEndPort(Integer.toString(networkACL.getSourcePortEnd()));
if (aclItem.getSourcePortEnd() != null) {
response.setEndPort(Integer.toString(aclItem.getSourcePortEnd()));
}
List<String> cidrs = ApiDBUtils.findFirewallSourceCidrs(networkACL.getId());
response.setCidrList(StringUtils.join(cidrs, ","));
response.setCidrList(StringUtils.join(aclItem.getSourceCidrList(), ","));
response.setTrafficType(networkACL.getTrafficType().toString());
response.setTrafficType(aclItem.getTrafficType().toString());
FirewallRule.State state = networkACL.getState();
NetworkACLItem.State state = aclItem.getState();
String stateToSet = state.toString();
if (state.equals(FirewallRule.State.Revoke)) {
if (state.equals(NetworkACLItem.State.Revoke)) {
stateToSet = "Deleting";
}
response.setIcmpCode(networkACL.getIcmpCode());
response.setIcmpType(networkACL.getIcmpType());
response.setIcmpCode(aclItem.getIcmpCode());
response.setIcmpType(aclItem.getIcmpType());
response.setState(stateToSet);
response.setNumber(aclItem.getNumber());
response.setAction(aclItem.getAction().toString());
NetworkACL acl = ApiDBUtils.findByNetworkACLId(aclItem.getAclId());
if(acl != null){
response.setAclId(acl.getUuid());
}
//set tag information
List<? extends ResourceTag> tags = ApiDBUtils.listByResourceTypeAndId(TaggedResourceType.NetworkACL, networkACL.getId());
List<? extends ResourceTag> tags = ApiDBUtils.listByResourceTypeAndId(TaggedResourceType.NetworkACL, aclItem.getId());
List<ResourceTagResponse> tagResponses = new ArrayList<ResourceTagResponse>();
for (ResourceTag tag : tags) {
ResourceTagResponse tagResponse = createResourceTagResponse(tag, true);
@ -3809,7 +3824,7 @@ public class ApiResponseHelper implements ResponseGenerator {
}
}
@Override
public InternalLoadBalancerElementResponse createInternalLbElementResponse(VirtualRouterProvider result) {
if (result.getType() != VirtualRouterProvider.VirtualRouterProviderType.InternalLbVm) {
@ -3827,7 +3842,7 @@ public class ApiResponseHelper implements ResponseGenerator {
return response;
}
@Override
public IsolationMethodResponse createIsolationMethodResponse(IsolationType method) {
IsolationMethodResponse response = new IsolationMethodResponse();
@ -3835,4 +3850,18 @@ public class ApiResponseHelper implements ResponseGenerator {
response.setObjectName("isolationmethod");
return response;
}
public NetworkACLResponse createNetworkACLResponse(NetworkACL networkACL) {
NetworkACLResponse response = new NetworkACLResponse();
response.setId(networkACL.getUuid());
response.setName(networkACL.getName());
response.setDescription(networkACL.getDescription());
Vpc vpc = ApiDBUtils.findVpcById(networkACL.getVpcId());
if(vpc != null){
response.setVpcId(vpc.getUuid());
}
response.setObjectName("networkacllist");
return response;
}
}

2
server/src/com/cloud/api/query/QueryManagerImpl.java
View File

@ -32,6 +32,7 @@ import org.apache.cloudstack.affinity.AffinityGroupVMMapVO;
import org.apache.cloudstack.affinity.dao.AffinityGroupVMMapDao;
import com.cloud.storage.VolumeDetailVO;
import com.cloud.storage.dao.VolumeDetailsDao;
import org.apache.cloudstack.api.BaseListProjectAndAccountResourcesCmd;
import org.apache.cloudstack.api.command.admin.host.ListHostsCmd;
import org.apache.cloudstack.api.command.admin.internallb.ListInternalLBVMsCmd;
@ -992,6 +993,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
response.setResponses(routerResponses, result.second());
return response;
}
@Override
public ListResponse<DomainRouterResponse> searchForInternalLbVms(ListInternalLBVMsCmd cmd) {

36
server/src/com/cloud/network/NetworkManagerImpl.java
View File

@ -2687,7 +2687,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
}
//apply network ACLs
if (!_networkACLMgr.applyNetworkACLs(networkId, caller)) {
if (!_networkACLMgr.applyACLToNetwork(networkId)) {
s_logger.warn("Failed to reapply network ACLs as a part of of network id=" + networkId + " restart");
success = false;
}
@ -3158,7 +3158,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
//revoke all network ACLs for network
try {
if (_networkACLMgr.revokeAllNetworkACLsForNetwork(networkId, callerUserId, caller)) {
if (_networkACLMgr.revokeACLItemsForNetwork(networkId, callerUserId, caller)) {
s_logger.debug("Successfully cleaned up NetworkACLs for network id=" + networkId);
} else {
success = false;
@ -3311,28 +3311,26 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
success = false;
}
//revoke all Network ACLs for the network w/o applying them in the DB
List<FirewallRuleVO> networkACLs = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.NetworkACL);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Releasing " + networkACLs.size() + " Network ACLs for network id=" + networkId +
" as a part of shutdownNetworkRules");
}
if(network.getVpcId() != null){
if (s_logger.isDebugEnabled()) {
s_logger.debug("Releasing Network ACL Items for network id=" + networkId +
" as a part of shutdownNetworkRules");
}
for (FirewallRuleVO networkACL : networkACLs) {
s_logger.trace("Marking network ACL " + networkACL + " with Revoke state");
networkACL.setState(FirewallRule.State.Revoke);
}
try {
if (!_firewallMgr.applyRules(networkACLs, true, false)) {
s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules");
try {
//revoke all Network ACLs for the network w/o applying them in the DB
if (!_networkACLMgr.revokeACLItemsForNetwork(networkId, callerUserId, caller)) {
s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules");
success = false;
}
} catch (ResourceUnavailableException ex) {
s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules due to ", ex);
success = false;
}
} catch (ResourceUnavailableException ex) {
s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules due to ", ex);
success = false;
}
//release all static nats for the network
if (!_rulesMgr.applyStaticNatForNetwork(networkId, false, caller, true)) {
s_logger.warn("Failed to disable static nats as part of shutdownNetworkRules for network id " + networkId);

37
server/src/com/cloud/network/NetworkServiceImpl.java
View File

@ -18,6 +18,8 @@ package com.cloud.network;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.InetAddress;
import java.net.Inet6Address;
import java.net.UnknownHostException;
import java.security.InvalidParameterException;
import java.sql.PreparedStatement;
@ -44,11 +46,24 @@ import org.apache.cloudstack.api.command.admin.network.DedicateGuestVlanRangeCmd
import org.apache.cloudstack.api.command.admin.network.ListDedicatedGuestVlanRangesCmd;
import org.apache.cloudstack.api.command.admin.usage.ListTrafficTypeImplementorsCmd;
import org.apache.cloudstack.api.command.user.network.*;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.network.vpc.dao.NetworkACLDao;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.command.admin.usage.ListTrafficTypeImplementorsCmd;
import org.apache.cloudstack.api.command.user.network.CreateNetworkCmd;
import org.apache.cloudstack.api.command.user.network.ListNetworksCmd;
import org.apache.cloudstack.api.command.user.network.RestartNetworkCmd;
import org.apache.cloudstack.api.command.user.vm.ListNicsCmd;
import org.apache.cloudstack.network.element.InternalLoadBalancerElementService;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.api.command.user.vm.ListNicsCmd;
import org.bouncycastle.util.IPAddress;
import com.cloud.configuration.Config;
import com.cloud.configuration.ConfigurationManager;
import com.cloud.configuration.dao.ConfigurationDao;
@ -299,6 +314,8 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
DataCenterVnetDao _datacneter_vnet;
@Inject
AccountGuestVlanMapDao _accountGuestVlanMapDao;
@Inject
NetworkACLDao _networkACLDao;
int _cidrLimit;
boolean _allowSubdomainNetworkAccess;
@ -929,6 +946,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
String ip6Gateway = cmd.getIp6Gateway();
String ip6Cidr = cmd.getIp6Cidr();
Boolean displayNetwork = cmd.getDisplayNetwork();
Long aclId = cmd.getAclId();
// Validate network offering
NetworkOfferingVO ntwkOff = _networkOfferingDao.findById(networkOfferingId);
@ -1219,7 +1237,22 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
throw new InvalidParameterValueException("Network offering can't be used for VPC networks");
}
network = _vpcMgr.createVpcGuestNetwork(networkOfferingId, name, displayText, gateway, cidr, vlanId,
networkDomain, owner, sharedDomainId, pNtwk, zoneId, aclType, subdomainAccess, vpcId, caller, displayNetwork);
networkDomain, owner, sharedDomainId, pNtwk, zoneId, aclType, subdomainAccess, vpcId, aclId, caller, displayNetwork);
if(aclId == null){
//Use default deny all ACL, when aclId is not specified
aclId = NetworkACL.DEFAULT_DENY;
} else {
NetworkACL acl = _networkACLDao.findById(aclId);
if(acl == null){
throw new InvalidParameterValueException("Unable to find specified NetworkACL");
}
if(vpcId != acl.getVpcId()){
throw new InvalidParameterValueException("ACL: "+aclId+" do not belong to the VPC");
}
}
network = _vpcMgr.createVpcGuestNetwork(networkOfferingId, name, displayText, gateway, cidr, vlanId,
networkDomain, owner, sharedDomainId, pNtwk, zoneId, aclType, subdomainAccess, vpcId, aclId, caller, displayNetwork);
} else {
if (_configMgr.isOfferingForVpc(ntwkOff)){
throw new InvalidParameterValueException("Network offering can be used for VPC networks only");
@ -1842,6 +1875,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
@ActionEvent(eventType = EventTypes.EVENT_NETWORK_UPDATE, eventDescription = "updating network", async = true)
public Network updateGuestNetwork(long networkId, String name, String displayText, Account callerAccount,
User callerUser, String domainSuffix, Long networkOfferingId, Boolean changeCidr, String guestVmCidr, Boolean displayNetwork) {
boolean restartNetwork = false;
// verify input parameters
@ -3776,6 +3810,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
//create Guest network
privateNetwork = _networkMgr.createGuestNetwork(ntwkOff.getId(), networkName, displayText, gateway, cidr, vlan,
null, owner, null, pNtwk, pNtwk.getDataCenterId(), ACLType.Account, null, null, null, null, true);
s_logger.debug("Created private network " + privateNetwork);
} else {
s_logger.debug("Private network already exists: " + privateNetwork);

8
server/src/com/cloud/network/element/VpcVirtualRouterElement.java
View File

@ -25,6 +25,7 @@ import java.util.Set;
import javax.ejb.Local;
import javax.inject.Inject;
import com.cloud.network.vpc.*;
import org.apache.log4j.Logger;
import com.cloud.dc.DataCenter;
@ -48,11 +49,6 @@ import com.cloud.network.router.VirtualRouter;
import com.cloud.network.router.VirtualRouter.Role;
import com.cloud.network.router.VpcVirtualNetworkApplianceManager;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.vpc.PrivateGateway;
import com.cloud.network.vpc.StaticRouteProfile;
import com.cloud.network.vpc.Vpc;
import com.cloud.network.vpc.VpcGateway;
import com.cloud.network.vpc.VpcManager;
import com.cloud.offering.NetworkOffering;
import com.cloud.utils.exception.CloudRuntimeException;
import com.cloud.vm.DomainRouterVO;
@ -390,7 +386,7 @@ public class VpcVirtualRouterElement extends VirtualRouterElement implements Vpc
}
@Override
public boolean applyNetworkACLs(Network config, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
public boolean applyNetworkACLs(Network config, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException {
if (canHandle(config, Service.NetworkACL)) {
List<DomainRouterVO> routers = _routerDao.listByNetworkAndRole(config.getId(), Role.VIRTUAL_ROUTER);
if (routers == null || routers.isEmpty()) {

4
server/src/com/cloud/network/firewall/FirewallManagerImpl.java
View File

@ -579,7 +579,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
break;
}
break;
case NetworkACL:
/* case NetworkACL:
for (NetworkACLServiceProvider element: _networkAclElements) {
Network.Provider provider = element.getProvider();
boolean isAclProvider = _networkModel.isProviderSupportServiceInNetwork(network.getId(), Service.NetworkACL, provider);
@ -590,7 +590,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
if (handled)
break;
}
break;
break;*/
default:
assert(false): "Unexpected fall through in applying rules to the network elements";
s_logger.error("FirewallManager cannot process rules of type " + purpose);

7
server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManager.java
View File

@ -25,10 +25,7 @@ import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.Network;
import com.cloud.network.Site2SiteVpnConnection;
import com.cloud.network.VpcVirtualNetworkApplianceService;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.vpc.PrivateGateway;
import com.cloud.network.vpc.StaticRouteProfile;
import com.cloud.network.vpc.Vpc;
import com.cloud.network.vpc.*;
import com.cloud.user.Account;
import com.cloud.vm.DomainRouterVO;
import com.cloud.vm.VirtualMachineProfile.Param;
@ -57,7 +54,7 @@ public interface VpcVirtualNetworkApplianceManager extends VirtualNetworkApplian
* @return
* @throws ResourceUnavailableException
*/
boolean applyNetworkACLs(Network network, List<? extends FirewallRule> rules, List<? extends VirtualRouter> routers)
boolean applyNetworkACLs(Network network, List<? extends NetworkACLItem> rules, List<? extends VirtualRouter> routers)
throws ResourceUnavailableException;
/**

29
server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
View File

@ -27,6 +27,7 @@ import java.util.TreeSet;
import javax.ejb.Local;
import javax.inject.Inject;
import com.cloud.network.vpc.*;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
@ -93,16 +94,6 @@ import com.cloud.network.dao.Site2SiteVpnGatewayVO;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.FirewallRule.Purpose;
import com.cloud.network.rules.FirewallRuleVO;
import com.cloud.network.vpc.NetworkACLManager;
import com.cloud.network.vpc.PrivateGateway;
import com.cloud.network.vpc.PrivateIpAddress;
import com.cloud.network.vpc.PrivateIpVO;
import com.cloud.network.vpc.StaticRoute;
import com.cloud.network.vpc.StaticRouteProfile;
import com.cloud.network.vpc.Vpc;
import com.cloud.network.vpc.VpcGateway;
import com.cloud.network.vpc.VpcManager;
import com.cloud.network.vpc.VpcVO;
import com.cloud.network.vpc.dao.PrivateIpDao;
import com.cloud.network.vpc.dao.StaticRouteDao;
import com.cloud.network.vpc.dao.VpcDao;
@ -704,7 +695,7 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
}
@Override
public boolean applyNetworkACLs(Network network, final List<? extends FirewallRule> rules, List<? extends VirtualRouter> routers)
public boolean applyNetworkACLs(Network network, final List<? extends NetworkACLItem> rules, List<? extends VirtualRouter> routers)
throws ResourceUnavailableException {
if (rules == null || rules.isEmpty()) {
s_logger.debug("No network ACLs to be applied for network " + network.getId());
@ -719,14 +710,14 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
}
protected boolean sendNetworkACLs(VirtualRouter router, List<? extends FirewallRule> rules, long guestNetworkId)
protected boolean sendNetworkACLs(VirtualRouter router, List<? extends NetworkACLItem> rules, long guestNetworkId)
throws ResourceUnavailableException {
Commands cmds = new Commands(OnError.Continue);
createNetworkACLsCommands(rules, router, cmds, guestNetworkId);
return sendCommandsToRouter(router, cmds);
}
private void createNetworkACLsCommands(List<? extends FirewallRule> rules, VirtualRouter router, Commands cmds,
private void createNetworkACLsCommands(List<? extends NetworkACLItem> rules, VirtualRouter router, Commands cmds,
long guestNetworkId) {
List<NetworkACLTO> rulesTO = null;
String guestVlan = null;
@ -739,11 +730,11 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
if (rules != null) {
rulesTO = new ArrayList<NetworkACLTO>();
for (FirewallRule rule : rules) {
if (rule.getSourceCidrList() == null && (rule.getPurpose() == Purpose.Firewall || rule.getPurpose() == Purpose.NetworkACL)) {
_firewallDao.loadSourceCidrs((FirewallRuleVO)rule);
}
NetworkACLTO ruleTO = new NetworkACLTO(rule, guestVlan, rule.getTrafficType());
for (NetworkACLItem rule : rules) {
// if (rule.getSourceCidrList() == null && (rule.getPurpose() == Purpose.Firewall || rule.getPurpose() == Purpose.NetworkACL)) {
// _firewallDao.loadSourceCidrs((FirewallRuleVO)rule);
// }
NetworkACLTO ruleTO = new NetworkACLTO((NetworkACLItemVO)rule, guestVlan, rule.getTrafficType());
rulesTO.add(ruleTO);
}
}
@ -929,7 +920,7 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
if (router.getVpcId() != null) {
if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.NetworkACL, Provider.VPCVirtualRouter)) {
List<? extends FirewallRule> networkACLs = _networkACLMgr.listNetworkACLs(guestNetworkId);
List<NetworkACLItemVO> networkACLs = _networkACLMgr.listNetworkACLItems(guestNetworkId);
s_logger.debug("Found " + networkACLs.size() + " network ACLs to apply as a part of VPC VR " + router
+ " start for guest network id=" + guestNetworkId);
if (!networkACLs.isEmpty()) {

37
server/src/com/cloud/network/vpc/NetworkACLItemDao.java Normal file
View File

@ -0,0 +1,37 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.vpc;
import com.cloud.utils.db.GenericDao;
import java.util.List;
/*
* Data Access Object for network_acl_item table
*/
public interface NetworkACLItemDao extends GenericDao<NetworkACLItemVO, Long> {
boolean setStateToAdd(NetworkACLItemVO rule);
boolean revoke(NetworkACLItemVO rule);
List<NetworkACLItemVO> listByACL(long aclId);
int getMaxNumberByACL(long aclId);
NetworkACLItemVO findByAclAndNumber(long aclId, int number);
}

237
server/src/com/cloud/network/vpc/NetworkACLItemVO.java Normal file
View File

@ -0,0 +1,237 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.vpc;
import com.cloud.network.rules.FirewallRule;
import com.cloud.utils.db.GenericDao;
import com.cloud.utils.net.NetUtils;
import javax.persistence.*;
import java.util.*;
@Entity
@Table(name="network_acl_item")
public class NetworkACLItemVO implements NetworkACLItem {
@Id
@GeneratedValue(strategy=GenerationType.IDENTITY)
@Column(name="id")
long id;
@Column(name="start_port", updatable=false)
Integer sourcePortStart;
@Column(name="end_port", updatable=false)
Integer sourcePortEnd;
@Column(name="protocol", updatable=false)
String protocol = NetUtils.TCP_PROTO;
@Enumerated(value=EnumType.STRING)
@Column(name="state")
State state;
@Column(name=GenericDao.CREATED_COLUMN)
Date created;
@Column(name="acl_id")
long aclId;
@Column(name="icmp_code")
Integer icmpCode;
@Column(name="icmp_type")
Integer icmpType;
@Column(name="traffic_type")
@Enumerated(value=EnumType.STRING)
TrafficType trafficType;
@Column(name="cidr")
String sourceCidrs;
@Column(name="uuid")
String uuid;
@Column(name="number")
int number;
@Column(name="action")
@Enumerated(value=EnumType.STRING)
Action action;
public NetworkACLItemVO() {
this.uuid = UUID.randomUUID().toString();
}
public NetworkACLItemVO(Integer portStart, Integer portEnd, String protocol,
long aclId, List<String> sourceCidrs, Integer icmpCode,
Integer icmpType, TrafficType trafficType, Action action, int number) {
this.sourcePortStart = portStart;
this.sourcePortEnd = portEnd;
this.protocol = protocol;
this.aclId = aclId;
this.state = State.Staged;
this.icmpCode = icmpCode;
this.icmpType = icmpType;
setSourceCidrList(sourceCidrs);
this.uuid = UUID.randomUUID().toString();
this.trafficType = trafficType;
this.action = action;
this.number = number;
}
public void setSourceCidrList(List<String> sourceCidrs) {
if(sourceCidrs == null){
this.sourceCidrs = null;
} else {
StringBuilder sb = new StringBuilder();
for(String cidr : sourceCidrs){
if(sb.length() != 0){
sb.append(",");
}
sb.append(cidr);
}
this.sourceCidrs=sb.toString();
}
}
@Override
public List<String> getSourceCidrList() {
if(sourceCidrs == null || sourceCidrs.isEmpty()){
return null;
} else {
List<String> cidrList = new ArrayList<String>();
String[] cidrs = sourceCidrs.split(",");
for(String cidr : cidrs){
cidrList.add(cidr);
}
return cidrList;
}
}
@Override
public long getId() {
return id;
}
@Override
public Integer getSourcePortStart() {
return sourcePortStart;
}
@Override
public Integer getSourcePortEnd() {
return sourcePortEnd;
}
@Override
public String getProtocol() {
return protocol;
}
public void setState(State state) {
this.state = state;
}
@Override
public State getState() {
return state;
}
@Override
public long getAclId() {
return aclId;
}
public Date getCreated() {
return created;
}
@Override
public String toString() {
return new StringBuilder("Rule[").append(id).append("-").append("NetworkACL").append("-").append(state).append("]").toString();
}
@Override
public Integer getIcmpCode() {
return icmpCode;
}
@Override
public Integer getIcmpType() {
return icmpType;
}
@Override
public String getUuid() {
return this.uuid;
}
@Override
public Action getAction() {
return action;
}
@Override
public int getNumber() {
return number;
}
@Override
public TrafficType getTrafficType() {
return trafficType;
}
public void setSourcePortStart(Integer sourcePortStart) {
this.sourcePortStart = sourcePortStart;
}
public void setSourcePortEnd(Integer sourcePortEnd) {
this.sourcePortEnd = sourcePortEnd;
}
public void setProtocol(String protocol) {
this.protocol = protocol;
}
public void setIcmpCode(Integer icmpCode) {
this.icmpCode = icmpCode;
}
public void setIcmpType(Integer icmpType) {
this.icmpType = icmpType;
}
public void setTrafficType(TrafficType trafficType) {
this.trafficType = trafficType;
}
public void setSourceCidrs(String sourceCidrs) {
this.sourceCidrs = sourceCidrs;
}
public void setNumber(int number) {
this.number = number;
}
public void setAction(Action action) {
this.action = action;
}
}

120
server/src/com/cloud/network/vpc/NetworkACLManager.java
View File

@ -16,25 +16,127 @@
// under the License.
package com.cloud.network.vpc;
import java.util.List;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.firewall.NetworkACLService;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.dao.NetworkVO;
import com.cloud.user.Account;
import java.util.List;
public interface NetworkACLManager{
public interface NetworkACLManager extends NetworkACLService{
/**
* Creates Network ACL for the specified VPC
* @param name
* @param description
* @param vpcId
* @return
*/
NetworkACL createNetworkACL(String name, String description, long vpcId);
/**
* Fetches Network ACL with specified Id
* @param id
* @return
*/
NetworkACL getNetworkACL(long id);
/**
* Applies the items in the ACL to all associated networks
* @param aclId
* @return
* @throws ResourceUnavailableException
*/
boolean applyNetworkACL(long aclId) throws ResourceUnavailableException;
/**
* Deletes the specified Network ACL
* @param id
* @return
*/
boolean deleteNetworkACL(NetworkACL acl);
/**
* Associates acl with a network and applies the ACLItems
* @param acl
* @param network
* @return
*/
boolean replaceNetworkACL(NetworkACL acl, NetworkVO network) throws ResourceUnavailableException;
/**
* Creates a Network ACL Item within an ACL and applies it to associated networks
* @param sourcePortStart
* @param sourcePortEnd
* @param protocol
* @param sourceCidrList
* @param icmpCode
* @param icmpType
* @param trafficType
* @param aclId
* @param action
* @param number
* @return
*/
NetworkACLItem createNetworkACLItem(Integer sourcePortStart, Integer sourcePortEnd, String protocol,
List<String> sourceCidrList, Integer icmpCode, Integer icmpType,
NetworkACLItem.TrafficType trafficType, Long aclId, String action, Integer number);
/**
* Returns Network ACL Item with specified Id
* @param ruleId
* @return
*/
NetworkACLItem getNetworkACLItem(long ruleId);
/**
* Revoke ACL Item and apply changes
* @param ruleId
* @return
*/
boolean revokeNetworkACLItem(long ruleId);
/**
* Revoke ACL Items for network and remove them in back-end. Db is not updated
* @param networkId
* @param userId
* @param caller
* @return
* @throws ResourceUnavailableException
*/
boolean revokeAllNetworkACLsForNetwork(long networkId, long userId, Account caller) throws ResourceUnavailableException;
List<? extends FirewallRule> listNetworkACLs(long guestNtwkId);
boolean revokeACLItemsForNetwork(long networkId, long userId, Account caller) throws ResourceUnavailableException;
/**
* List network ACL items by network
* @param guestNtwkId
* @return
*/
List<NetworkACLItemVO> listNetworkACLItems(long guestNtwkId);
/**
* Applies asscociated ACL to specified network
* @param networkId
* @return
* @throws ResourceUnavailableException
*/
boolean applyACLToNetwork(long networkId) throws ResourceUnavailableException;
/**
* Updates and existing network ACL Item
* @param id
* @param protocol
* @param sourceCidrList
* @param trafficType
* @param action
* @param number
* @param sourcePortStart
* @param sourcePortEnd
* @param icmpCode
* @param icmpType
* @return
* @throws ResourceUnavailableException
*/
NetworkACLItem updateNetworkACLItem(Long id, String protocol, List<String> sourceCidrList, NetworkACLItem.TrafficType trafficType,
String action, Integer number, Integer sourcePortStart, Integer sourcePortEnd,
Integer icmpCode, Integer icmpType) throws ResourceUnavailableException;
}

582
server/src/com/cloud/network/vpc/NetworkACLManagerImpl.java
View File

@ -16,427 +16,307 @@
// under the License.
package com.cloud.network.vpc;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import com.cloud.event.ActionEvent;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.NetworkRuleConflictException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.Network;
import com.cloud.network.Network.Capability;
import com.cloud.network.Network.Service;
import com.cloud.network.NetworkModel;
import com.cloud.network.Networks;
import com.cloud.network.dao.FirewallRulesDao;
import com.cloud.network.firewall.NetworkACLService;
import com.cloud.network.rules.FirewallManager;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.FirewallRule.Purpose;
import com.cloud.network.rules.FirewallRule.TrafficType;
import com.cloud.network.rules.FirewallRuleVO;
import com.cloud.projects.Project.ListProjectResourcesCriteria;
import com.cloud.server.ResourceTag.TaggedResourceType;
import com.cloud.tags.ResourceTagVO;
import com.cloud.network.dao.NetworkDao;
import com.cloud.network.dao.NetworkVO;
import com.cloud.network.element.NetworkACLServiceProvider;
import com.cloud.network.vpc.NetworkACLItem.State;
import com.cloud.network.vpc.dao.NetworkACLDao;
import com.cloud.tags.dao.ResourceTagDao;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.UserContext;
import com.cloud.utils.Pair;
import com.cloud.utils.Ternary;
import com.cloud.utils.component.Manager;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.db.DB;
import com.cloud.utils.db.Filter;
import com.cloud.utils.db.JoinBuilder;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.SearchCriteria.Op;
import com.cloud.utils.db.Transaction;
import com.cloud.utils.exception.CloudRuntimeException;
import com.cloud.utils.net.NetUtils;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import javax.ejb.Local;
import javax.inject.Inject;
import java.util.List;
@Component
@Local(value = { NetworkACLService.class, NetworkACLManager.class})
@Local(value = { NetworkACLManager.class})
public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLManager{
private static final Logger s_logger = Logger.getLogger(NetworkACLManagerImpl.class);
@Inject
AccountManager _accountMgr;
@Inject
FirewallManager _firewallMgr;
@Inject
FirewallRulesDao _firewallDao;
@Inject
NetworkModel _networkMgr;
@Inject
VpcManager _vpcMgr;
@Inject
ResourceTagDao _resourceTagDao;
@Inject
NetworkACLDao _networkACLDao;
@Inject
NetworkACLItemDao _networkACLItemDao;
@Inject
List<NetworkACLServiceProvider> _networkAclElements;
@Inject
NetworkModel _networkModel;
@Inject
NetworkDao _networkDao;
@Override
public boolean applyNetworkACLs(long networkId, Account caller) throws ResourceUnavailableException {
List<FirewallRuleVO> rules = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.NetworkACL);
return _firewallMgr.applyFirewallRules(rules, false, caller);
public NetworkACL createNetworkACL(String name, String description, long vpcId) {
NetworkACLVO acl = new NetworkACLVO(name, description, vpcId);
return _networkACLDao.persist(acl);
}
@Override
public FirewallRule createNetworkACL(FirewallRule acl) throws NetworkRuleConflictException {
if (acl.getSourceCidrList() == null && (acl.getPurpose() == Purpose.Firewall || acl.getPurpose() == Purpose.NetworkACL)) {
_firewallDao.loadSourceCidrs((FirewallRuleVO)acl);
}
return createNetworkACL(UserContext.current().getCaller(), acl.getXid(), acl.getSourcePortStart(),
acl.getSourcePortEnd(), acl.getProtocol(), acl.getSourceCidrList(), acl.getIcmpCode(),
acl.getIcmpType(), null, acl.getType(), acl.getNetworkId(), acl.getTrafficType());
}
@DB
@ActionEvent(eventType = EventTypes.EVENT_FIREWALL_OPEN, eventDescription = "creating firewall rule", create = true)
protected FirewallRule createNetworkACL(Account caller, String xId, Integer portStart,
Integer portEnd, String protocol, List<String> sourceCidrList, Integer icmpCode, Integer icmpType,
Long relatedRuleId, FirewallRule.FirewallRuleType type, long networkId, TrafficType trafficType) throws NetworkRuleConflictException {
Network network = _networkMgr.getNetwork(networkId);
if (network == null) {
throw new InvalidParameterValueException("Can't find network by id");
}
if (network.getVpcId() == null) {
throw new UnsupportedOperationException("Network ACL rules are supported just for VPC networks");
}
Vpc vpc = _vpcMgr.getVpc(network.getVpcId());
Account aclOwner = _accountMgr.getAccount(vpc.getAccountId());
//check if the caller can access vpc
_accountMgr.checkAccess(caller, null, false, vpc);
//check if the acl can be created for this network
_accountMgr.checkAccess(aclOwner, AccessType.UseNetwork, false, network);
if (!_networkMgr.areServicesSupportedInNetwork(networkId, Service.NetworkACL)) {
throw new InvalidParameterValueException("Service " + Service.NetworkACL + " is not supported in network " + network);
}
// icmp code and icmp type can't be passed in for any other protocol rather than icmp
if (!protocol.equalsIgnoreCase(NetUtils.ICMP_PROTO) && (icmpCode != null || icmpType != null)) {
throw new InvalidParameterValueException("Can specify icmpCode and icmpType for ICMP protocol only");
}
if (protocol.equalsIgnoreCase(NetUtils.ICMP_PROTO) && (portStart != null || portEnd != null)) {
throw new InvalidParameterValueException("Can't specify start/end port when protocol is ICMP");
}
//validate icmp code and type
if (icmpType != null) {
if (icmpType.longValue() != -1 && !NetUtils.validateIcmpType(icmpType.longValue())) {
throw new InvalidParameterValueException("Invalid icmp type; should belong to [0-255] range");
public boolean applyNetworkACL(long aclId) throws ResourceUnavailableException {
boolean handled = true;
List<NetworkACLItemVO> rules = _networkACLItemDao.listByACL(aclId);
//Find all networks using this ACL and apply the ACL
List<NetworkVO> networks = _networkDao.listByAclId(aclId);
for(NetworkVO network : networks){
if(!applyACLItemsToNetwork(network.getId(), rules)) {
handled = false;
break;
}
if (icmpCode != null) {
if (icmpCode.longValue() != -1 && !NetUtils.validateIcmpCode(icmpCode.longValue())) {
throw new InvalidParameterValueException("Invalid icmp code; should belong to [0-15] range and can" +
" be defined when icmpType belongs to [0-40] range");
}
if(handled){
for (NetworkACLItem rule : rules) {
if (rule.getState() == NetworkACLItem.State.Revoke) {
removeRule(rule);
} else if (rule.getState() == NetworkACLItem.State.Add) {
NetworkACLItemVO ruleVO = _networkACLItemDao.findById(rule.getId());
ruleVO.setState(NetworkACLItem.State.Active);
_networkACLItemDao.update(ruleVO.getId(), ruleVO);
}
}
}
return handled;
}
validateNetworkACL(caller, network, portStart, portEnd, protocol);
@Override
public NetworkACL getNetworkACL(long id) {
return _networkACLDao.findById(id);
}
@Override
public boolean deleteNetworkACL(NetworkACL acl) {
List<NetworkACLItemVO> aclItems = _networkACLItemDao.listByACL(acl.getId());
if(aclItems.size() > 0){
throw new CloudRuntimeException("ACL is not empty. Cannot delete network ACL: "+acl.getUuid());
}
return _networkACLDao.remove(acl.getId());
}
@Override
public boolean replaceNetworkACL(NetworkACL acl, NetworkVO network) throws ResourceUnavailableException {
network.setNetworkACLId(acl.getId());
//Update Network ACL
if(_networkDao.update(network.getId(), network)){
//Apply ACL to network
return applyACLToNetwork(network.getId());
}
return false;
}
@Override
@DB
@ActionEvent(eventType = EventTypes.EVENT_NETWORK_ACL_ITEM_CREATE, eventDescription = "creating network ACL Item", create = true)
public NetworkACLItem createNetworkACLItem(Integer portStart, Integer portEnd, String protocol, List<String> sourceCidrList,
Integer icmpCode, Integer icmpType, NetworkACLItem.TrafficType trafficType, Long aclId,
String action, Integer number) {
NetworkACLItem.Action ruleAction = NetworkACLItem.Action.Allow;
if("deny".equalsIgnoreCase(action)){
ruleAction = NetworkACLItem.Action.Deny;
}
// If number is null, set it to currentMax + 1 (for backward compatibility)
if(number == null){
number = _networkACLItemDao.getMaxNumberByACL(aclId) + 1;
}
Transaction txn = Transaction.currentTxn();
txn.start();
FirewallRuleVO newRule = new FirewallRuleVO(xId, null, portStart, portEnd, protocol.toLowerCase(), networkId,
aclOwner.getAccountId(), aclOwner.getDomainId(), Purpose.NetworkACL, sourceCidrList, icmpCode, icmpType,
relatedRuleId, trafficType);
newRule.setType(type);
newRule = _firewallDao.persist(newRule);
NetworkACLItemVO newRule = new NetworkACLItemVO(portStart, portEnd, protocol.toLowerCase(), aclId, sourceCidrList, icmpCode, icmpType, trafficType, ruleAction, number);
newRule = _networkACLItemDao.persist(newRule);
if (type == FirewallRule.FirewallRuleType.User) {
detectNetworkACLConflict(newRule);
}
if (!_firewallDao.setStateToAdd(newRule)) {
if (!_networkACLItemDao.setStateToAdd(newRule)) {
throw new CloudRuntimeException("Unable to update the state to add for " + newRule);
}
UserContext.current().setEventDetails("Rule Id: " + newRule.getId());
UserContext.current().setEventDetails("ACL Item Id: " + newRule.getId());
txn.commit();
return getNetworkACL(newRule.getId());
return getNetworkACLItem(newRule.getId());
}
protected void validateNetworkACL(Account caller, Network network, Integer portStart, Integer portEnd,
String proto) {
if (portStart != null && !NetUtils.isValidPort(portStart)) {
throw new InvalidParameterValueException("publicPort is an invalid value: " + portStart);
}
if (portEnd != null && !NetUtils.isValidPort(portEnd)) {
throw new InvalidParameterValueException("Public port range is an invalid value: " + portEnd);
}
// start port can't be bigger than end port
if (portStart != null && portEnd != null && portStart > portEnd) {
throw new InvalidParameterValueException("Start port can't be bigger than end port");
}
if (network.getTrafficType() != Networks.TrafficType.Guest) {
throw new InvalidParameterValueException("Network ACL can be created just for networks of type " + Networks.TrafficType.Guest);
}
// Verify that the network guru supports the protocol specified
Map<Network.Capability, String> caps = _networkMgr.getNetworkServiceCapabilities(network.getId(), Service.NetworkACL);
if (caps != null) {
String supportedProtocols = caps.get(Capability.SupportedProtocols).toLowerCase();
if (!supportedProtocols.contains(proto.toLowerCase())) {
throw new InvalidParameterValueException("Protocol " + proto + " is not supported by the network " + network);
}
} else {
throw new InvalidParameterValueException("No capabilities are found for network " + network);
}
}
protected void detectNetworkACLConflict(FirewallRuleVO newRule) throws NetworkRuleConflictException {
if (newRule.getPurpose() != Purpose.NetworkACL) {
return;
}
List<FirewallRuleVO> rules = _firewallDao.listByNetworkPurposeTrafficTypeAndNotRevoked(newRule.getNetworkId(),
Purpose.NetworkACL, newRule.getTrafficType());
assert (rules.size() >= 1) : "For network ACLs, we now always first persist the rule and then check for " +
"network conflicts so we should at least have one rule at this point.";
for (FirewallRuleVO rule : rules) {
if (rule.getId() == newRule.getId() || !rule.getProtocol().equalsIgnoreCase(newRule.getProtocol())) {
continue; // Skips my own rule and skip the rule if the protocol is different
}
// if one cidr overlaps another, do port veirficatino
boolean duplicatedCidrs = false;
// Verify that the rules have different cidrs
_firewallDao.loadSourceCidrs(rule);
List<String> ruleCidrList = rule.getSourceCidrList();
List<String> newRuleCidrList = newRule.getSourceCidrList();
if (ruleCidrList == null || newRuleCidrList == null) {
continue;
}
for (String newCidr : newRuleCidrList) {
for (String ruleCidr : ruleCidrList) {
if (NetUtils.isNetworksOverlap(newCidr, ruleCidr)) {
duplicatedCidrs = true;
break;
}
if (duplicatedCidrs) {
break;
}
}
}
if (newRule.getProtocol().equalsIgnoreCase(NetUtils.ICMP_PROTO)
&& newRule.getProtocol().equalsIgnoreCase(rule.getProtocol())) {
if ((newRule.getIcmpCode().longValue() == rule.getIcmpCode().longValue()
|| rule.getIcmpCode().longValue() == -1 || newRule.getIcmpCode().longValue() == -1)
&& (newRule.getIcmpType().longValue() == rule.getIcmpType().longValue()
|| rule.getIcmpType().longValue() == -1 || newRule.getIcmpType().longValue() == -1)
&& newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()) && duplicatedCidrs) {
throw new InvalidParameterValueException("New network ACL conflicts with existing network ACL id=" + rule.getId());
}
}
boolean notNullPorts = (newRule.getSourcePortStart() != null && newRule.getSourcePortEnd() != null &&
rule.getSourcePortStart() != null && rule.getSourcePortEnd() != null);
if (!notNullPorts) {
continue;
} else if (duplicatedCidrs
&& ((rule.getSourcePortStart().intValue() <= newRule.getSourcePortStart().intValue()
&& rule.getSourcePortEnd().intValue() >= newRule.getSourcePortStart().intValue())
|| (rule.getSourcePortStart().intValue() <= newRule.getSourcePortEnd().intValue()
&& rule.getSourcePortEnd().intValue() >= newRule.getSourcePortEnd().intValue())
|| (newRule.getSourcePortStart().intValue() <= rule.getSourcePortStart().intValue()
&& newRule.getSourcePortEnd().intValue() >= rule.getSourcePortStart().intValue())
|| (newRule.getSourcePortStart().intValue() <= rule.getSourcePortEnd().intValue()
&& newRule.getSourcePortEnd().intValue() >= rule.getSourcePortEnd().intValue()))) {
throw new NetworkRuleConflictException("The range specified, " + newRule.getSourcePortStart() + "-"
+ newRule.getSourcePortEnd() + ", conflicts with rule " + rule.getId()
+ " which has " + rule.getSourcePortStart() + "-" + rule.getSourcePortEnd());
}
}
if (s_logger.isDebugEnabled()) {
s_logger.debug("No network rule conflicts detected for " + newRule + " against " + (rules.size() - 1)
+ " existing network ACLs");
}
}
@Override
public boolean revokeNetworkACL(long ruleId, boolean apply) {
Account caller = UserContext.current().getCaller();
long userId = UserContext.current().getCallerUserId();
return revokeNetworkACL(ruleId, apply, caller, userId);
public NetworkACLItem getNetworkACLItem(long ruleId) {
return _networkACLItemDao.findById(ruleId);
}
@ActionEvent(eventType = EventTypes.EVENT_FIREWALL_CLOSE, eventDescription = "revoking firewall rule", async = true)
protected boolean revokeNetworkACL(long ruleId, boolean apply, Account caller, long userId) {
FirewallRuleVO rule = _firewallDao.findById(ruleId);
if (rule == null || rule.getPurpose() != Purpose.NetworkACL) {
throw new InvalidParameterValueException("Unable to find " + ruleId + " having purpose " + Purpose.NetworkACL);
}
_accountMgr.checkAccess(caller, null, true, rule);
@ActionEvent(eventType = EventTypes.EVENT_NETWORK_ACL_DELETE, eventDescription = "revoking network acl", async = true)
public boolean revokeNetworkACLItem(long ruleId) {
_firewallMgr.revokeRule(rule, caller, userId, false);
NetworkACLItemVO rule = _networkACLItemDao.findById(ruleId);
revokeRule(rule);
boolean success = false;
if (apply) {
List<FirewallRuleVO> rules = _firewallDao.listByNetworkAndPurpose(rule.getNetworkId(), Purpose.NetworkACL);
success = _firewallMgr.applyFirewallRules(rules, false, caller);
} else {
try {
applyNetworkACL(rule.getAclId());
success = true;
} catch (ResourceUnavailableException e) {
return false;
}
return success;
}
@DB
private void revokeRule(NetworkACLItemVO rule) {
if (rule.getState() == State.Staged) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Found a rule that is still in stage state so just removing it: " + rule);
}
_networkACLItemDao.remove(rule.getId());
} else if (rule.getState() == State.Add || rule.getState() == State.Active) {
rule.setState(State.Revoke);
_networkACLItemDao.update(rule.getId(), rule);
}
}
@Override
public FirewallRule getNetworkACL(long ACLId) {
FirewallRule rule = _firewallDao.findById(ACLId);
if (rule != null && rule.getPurpose() == Purpose.NetworkACL) {
return rule;
public boolean revokeACLItemsForNetwork(long networkId, long userId, Account caller) throws ResourceUnavailableException {
Network network = _networkDao.findById(networkId);
if(network.getNetworkACLId() == null){
return true;
}
List<NetworkACLItemVO> aclItems = _networkACLItemDao.listByACL(network.getNetworkACLId());
if (aclItems.isEmpty()) {
s_logger.debug("Found no network ACL Items for network id=" + networkId);
return true;
}
if (s_logger.isDebugEnabled()) {
s_logger.debug("Releasing " + aclItems.size() + " Network ACL Items for network id=" + networkId);
}
for (NetworkACLItemVO aclItem : aclItems) {
// Mark all Network ACLs rules as Revoke, but don't update in DB
if (aclItem.getState() == State.Add || aclItem.getState() == State.Active) {
aclItem.setState(State.Revoke);
}
}
boolean success = applyACLItemsToNetwork(network.getId(), aclItems);
if (s_logger.isDebugEnabled() && success) {
s_logger.debug("Successfully released Network ACLs for network id=" + networkId + " and # of rules now = "
+ aclItems.size());
}
return success;
}
@Override
public List<NetworkACLItemVO> listNetworkACLItems(long guestNtwkId) {
Network network = _networkMgr.getNetwork(guestNtwkId);
return _networkACLItemDao.listByACL(network.getNetworkACLId());
}
private void removeRule(NetworkACLItem rule) {
//remove the rule
_networkACLItemDao.remove(rule.getId());
}
@Override
public boolean applyACLToNetwork(long networkId) throws ResourceUnavailableException {
Network network = _networkDao.findById(networkId);
if(network.getNetworkACLId() == null){
return true;
}
List<NetworkACLItemVO> rules = _networkACLItemDao.listByACL(network.getNetworkACLId());
return applyACLItemsToNetwork(networkId, rules);
}
@Override
public NetworkACLItem updateNetworkACLItem(Long id, String protocol, List<String> sourceCidrList, NetworkACLItem.TrafficType trafficType,
String action, Integer number, Integer sourcePortStart, Integer sourcePortEnd, Integer icmpCode,
Integer icmpType) throws ResourceUnavailableException {
NetworkACLItemVO aclItem = _networkACLItemDao.findById(id);
aclItem.setState(State.Add);
if(protocol != null){
aclItem.setProtocol(protocol);
}
if(sourceCidrList != null){
aclItem.setSourceCidrList(sourceCidrList);
}
if(trafficType != null){
aclItem.setTrafficType(trafficType);
}
if(action != null){
NetworkACLItem.Action ruleAction = NetworkACLItem.Action.Allow;
if("deny".equalsIgnoreCase(action)){
ruleAction = NetworkACLItem.Action.Deny;
}
aclItem.setAction(ruleAction);
}
if(number != null){
aclItem.setNumber(number);
}
if(sourcePortStart != null){
aclItem.setSourcePortStart(sourcePortStart);
}
if(sourcePortEnd != null){
aclItem.setSourcePortEnd(sourcePortEnd);
}
if(icmpCode != null){
aclItem.setIcmpCode(icmpCode);
}
if(icmpType != null){
aclItem.setIcmpType(icmpType);
}
if(_networkACLItemDao.update(id, aclItem)){
if(applyNetworkACL(aclItem.getAclId())){
return aclItem;
} else {
throw new CloudRuntimeException("Failed to apply Network ACL Item: "+aclItem.getUuid());
}
}
return null;
}
@Override
public Pair<List<? extends FirewallRule>,Integer> listNetworkACLs(ListNetworkACLsCmd cmd) {
Long networkId = cmd.getNetworkId();
Long id = cmd.getId();
String trafficType = cmd.getTrafficType();
Map<String, String> tags = cmd.getTags();
Account caller = UserContext.current().getCaller();
List<Long> permittedAccounts = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject =
new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
_accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
domainIdRecursiveListProject, cmd.listAll(), false);
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(FirewallRuleVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<FirewallRuleVO> sb = _firewallDao.createSearchBuilder();
_accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), Op.EQ);
sb.and("networkId", sb.entity().getNetworkId(), Op.EQ);
sb.and("purpose", sb.entity().getPurpose(), Op.EQ);
sb.and("trafficType", sb.entity().getTrafficType(), Op.EQ);
if (tags != null && !tags.isEmpty()) {
SearchBuilder<ResourceTagVO> tagSearch = _resourceTagDao.createSearchBuilder();
for (int count=0; count < tags.size(); count++) {
tagSearch.or().op("key" + String.valueOf(count), tagSearch.entity().getKey(), SearchCriteria.Op.EQ);
tagSearch.and("value" + String.valueOf(count), tagSearch.entity().getValue(), SearchCriteria.Op.EQ);
tagSearch.cp();
public boolean applyACLItemsToNetwork(long networkId, List<NetworkACLItemVO> rules) throws ResourceUnavailableException {
Network network = _networkDao.findById(networkId);
boolean handled = false;
for (NetworkACLServiceProvider element: _networkAclElements) {
Network.Provider provider = element.getProvider();
boolean isAclProvider = _networkModel.isProviderSupportServiceInNetwork(network.getId(), Service.NetworkACL, provider);
if (!isAclProvider) {
continue;
}
tagSearch.and("resourceType", tagSearch.entity().getResourceType(), SearchCriteria.Op.EQ);
sb.groupBy(sb.entity().getId());
sb.join("tagSearch", tagSearch, sb.entity().getId(), tagSearch.entity().getResourceId(), JoinBuilder.JoinType.INNER);
handled = element.applyNetworkACLs(network, rules);
if (handled)
break;
}
SearchCriteria<FirewallRuleVO> sc = sb.create();
_accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (id != null) {
sc.setParameters("id", id);
}
if (networkId != null) {
sc.setParameters("networkId", networkId);
}
if (trafficType != null) {
sc.setParameters("trafficType", trafficType);
}
if (tags != null && !tags.isEmpty()) {
int count = 0;
sc.setJoinParameters("tagSearch", "resourceType", TaggedResourceType.NetworkACL.toString());
for (String key : tags.keySet()) {
sc.setJoinParameters("tagSearch", "key" + String.valueOf(count), key);
sc.setJoinParameters("tagSearch", "value" + String.valueOf(count), tags.get(key));
count++;
}
}
sc.setParameters("purpose", Purpose.NetworkACL);
Pair<List<FirewallRuleVO>, Integer> result = _firewallDao.searchAndCount(sc, filter);
return new Pair<List<? extends FirewallRule>, Integer>(result.first(), result.second());
return handled;
}
@Override
public List<? extends FirewallRule> listNetworkACLs(long guestNtwkId) {
return _firewallDao.listByNetworkAndPurpose(guestNtwkId, Purpose.NetworkACL);
}
@Override
public boolean revokeAllNetworkACLsForNetwork(long networkId, long userId, Account caller) throws ResourceUnavailableException {
List<FirewallRuleVO> ACLs = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.NetworkACL);
if (ACLs.isEmpty()) {
s_logger.debug("Found no network ACLs for network id=" + networkId);
return true;
}
if (s_logger.isDebugEnabled()) {
s_logger.debug("Releasing " + ACLs.size() + " Network ACLs for network id=" + networkId);
}
for (FirewallRuleVO ACL : ACLs) {
// Mark all Network ACLs rules as Revoke, but don't revoke them yet - we have to revoke all rules for ip, no
// need to send them one by one
revokeNetworkACL(ACL.getId(), false, caller, Account.ACCOUNT_ID_SYSTEM);
}
List<FirewallRuleVO> ACLsToRevoke = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.NetworkACL);
// now send everything to the backend
boolean success = _firewallMgr.applyFirewallRules(ACLsToRevoke, false, caller);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Successfully released Network ACLs for network id=" + networkId + " and # of rules now = "
+ ACLs.size());
}
return success;
}
}

448
server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java Normal file
View File

@ -0,0 +1,448 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.vpc;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.Network;
import com.cloud.network.NetworkModel;
import com.cloud.network.Networks;
import com.cloud.network.dao.NetworkDao;
import com.cloud.network.dao.NetworkVO;
import com.cloud.network.vpc.dao.NetworkACLDao;
import com.cloud.projects.Project.ListProjectResourcesCriteria;
import com.cloud.server.ResourceTag.TaggedResourceType;
import com.cloud.tags.ResourceTagVO;
import com.cloud.tags.dao.ResourceTagDao;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.UserContext;
import com.cloud.utils.Pair;
import com.cloud.utils.Ternary;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.db.Filter;
import com.cloud.utils.db.JoinBuilder;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.SearchCriteria.Op;
import com.cloud.utils.net.NetUtils;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import javax.ejb.Local;
import javax.inject.Inject;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
@Component
@Local(value = { NetworkACLService.class})
public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLService{
private static final Logger s_logger = Logger.getLogger(NetworkACLServiceImpl.class);
@Inject
AccountManager _accountMgr;
@Inject
NetworkModel _networkMgr;
@Inject
VpcManager _vpcMgr;
@Inject
ResourceTagDao _resourceTagDao;
@Inject
NetworkACLDao _networkACLDao;
@Inject
NetworkACLItemDao _networkACLItemDao;
@Inject
NetworkModel _networkModel;
@Inject
NetworkDao _networkDao;
@Inject
NetworkACLManager _networkAclMgr;
@Override
public NetworkACL createNetworkACL(String name, String description, long vpcId) {
Account caller = UserContext.current().getCaller();
Vpc vpc = _vpcMgr.getVpc(vpcId);
if(vpc == null){
throw new InvalidParameterValueException("Unable to find VPC");
}
_accountMgr.checkAccess(caller, null, true, vpc);
return _networkAclMgr.createNetworkACL(name, description, vpcId);
}
@Override
public NetworkACL getNetworkACL(long id) {
return _networkAclMgr.getNetworkACL(id);
}
@Override
public Pair<List<? extends NetworkACL>, Integer> listNetworkACLs(Long id, String name, Long networkId, Long vpcId) {
SearchBuilder<NetworkACLVO> sb = _networkACLDao.createSearchBuilder();
sb.and("id", sb.entity().getId(), Op.EQ);
sb.and("name", sb.entity().getName(), Op.EQ);
sb.and("vpcId", sb.entity().getVpcId(), Op.EQ);
if(networkId != null){
SearchBuilder<NetworkVO> network = _networkDao.createSearchBuilder();
network.and("networkId", network.entity().getId(), Op.EQ);
sb.join("networkJoin", network, sb.entity().getId(), network.entity().getNetworkACLId(), JoinBuilder.JoinType.INNER);
}
SearchCriteria<NetworkACLVO> sc = sb.create();
if(id != null){
sc.setParameters("id", id);
}
if(name != null){
sc.setParameters("name", name);
}
if(vpcId != null){
sc.setParameters("vpcId", name);
}
if(networkId != null){
sc.setJoinParameters("networkJoin", "networkId", networkId);
}
Filter filter = new Filter(NetworkACLVO.class, "id", false, null, null);
Pair<List<NetworkACLVO>, Integer> acls = _networkACLDao.searchAndCount(sc, filter);
return new Pair<List<? extends NetworkACL>, Integer>(acls.first(), acls.second());
}
@Override
public boolean deleteNetworkACL(long id) {
Account caller = UserContext.current().getCaller();
NetworkACL acl = _networkACLDao.findById(id);
if(acl == null) {
throw new InvalidParameterValueException("Unable to find specified ACL");
}
//Do not allow deletion of default ACLs
if(acl.getId() == NetworkACL.DEFAULT_ALLOW || acl.getId() == NetworkACL.DEFAULT_DENY){
throw new InvalidParameterValueException("Default ACL cannot be removed");
}
Vpc vpc = _vpcMgr.getVpc(acl.getVpcId());
if(vpc == null){
throw new InvalidParameterValueException("Unable to find specified VPC associated with the ACL");
}
_accountMgr.checkAccess(caller, null, true, vpc);
return _networkAclMgr.deleteNetworkACL(acl);
}
@Override
public boolean replaceNetworkACL(long aclId, long networkId) throws ResourceUnavailableException {
Account caller = UserContext.current().getCaller();
NetworkVO network = _networkDao.findById(networkId);
if(network == null){
throw new InvalidParameterValueException("Unable to find specified Network");
}
NetworkACL acl = _networkACLDao.findById(aclId);
if(acl == null){
throw new InvalidParameterValueException("Unable to find specified NetworkACL");
}
if(network.getVpcId() == null){
throw new InvalidParameterValueException("Network is not part of a VPC: "+ network.getUuid());
}
if (network.getTrafficType() != Networks.TrafficType.Guest) {
throw new InvalidParameterValueException("Network ACL can be created just for networks of type " + Networks.TrafficType.Guest);
}
if(aclId != NetworkACL.DEFAULT_DENY) {
//ACL is not default DENY
// ACL should be associated with a VPC
Vpc vpc = _vpcMgr.getVpc(acl.getVpcId());
if(vpc == null){
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
_accountMgr.checkAccess(caller, null, true, vpc);
if(network.getVpcId() != acl.getVpcId()){
throw new InvalidParameterValueException("Network: "+networkId+" and ACL: "+aclId+" do not belong to the same VPC");
}
}
return _networkAclMgr.replaceNetworkACL(acl, network);
}
@Override
public NetworkACLItem createNetworkACLItem(CreateNetworkACLCmd aclItemCmd){
Account caller = UserContext.current().getCaller();
Long aclId = aclItemCmd.getACLId();
if(aclId == null){
//ACL id is not specified. Get the ACL details from network
if(aclItemCmd.getNetworkId() == null){
throw new InvalidParameterValueException("Cannot create Network ACL Item. ACL Id or network Id is required");
}
Network network = _networkMgr.getNetwork(aclItemCmd.getNetworkId());
if(network.getVpcId() == null){
throw new InvalidParameterValueException("Network: "+network.getUuid()+" does not belong to VPC");
}
aclId = network.getNetworkACLId();
}
NetworkACL acl = _networkAclMgr.getNetworkACL(aclId);
if(acl == null){
throw new InvalidParameterValueException("Unable to find specified ACL");
}
Vpc vpc = _vpcMgr.getVpc(acl.getVpcId());
if(vpc == null){
throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL");
}
_accountMgr.checkAccess(caller, null, true, vpc);
//Ensure that number is unique within the ACL
if(aclItemCmd.getNumber() != null){
if(_networkACLItemDao.findByAclAndNumber(aclId, aclItemCmd.getNumber()) != null){
throw new InvalidParameterValueException("ACL item with number "+aclItemCmd.getNumber()+" already exists in ACL: "+acl.getUuid());
}
}
validateNetworkACLItem(aclItemCmd.getSourcePortStart(), aclItemCmd.getSourcePortEnd(), aclItemCmd.getSourceCidrList(),
aclItemCmd.getProtocol(), aclItemCmd.getIcmpCode(), aclItemCmd.getIcmpType(), aclItemCmd.getAction());
return _networkAclMgr.createNetworkACLItem(aclItemCmd.getSourcePortStart(),
aclItemCmd.getSourcePortEnd(), aclItemCmd.getProtocol(), aclItemCmd.getSourceCidrList(), aclItemCmd.getIcmpCode(),
aclItemCmd.getIcmpType(), aclItemCmd.getTrafficType(), aclId, aclItemCmd.getAction(), aclItemCmd.getNumber());
}
private void validateNetworkACLItem(Integer portStart, Integer portEnd, List<String> sourceCidrList, String protocol, Integer icmpCode,
Integer icmpType, String action) {
if (portStart != null && !NetUtils.isValidPort(portStart)) {
throw new InvalidParameterValueException("publicPort is an invalid value: " + portStart);
}
if (portEnd != null && !NetUtils.isValidPort(portEnd)) {
throw new InvalidParameterValueException("Public port range is an invalid value: " + portEnd);
}
// start port can't be bigger than end port
if (portStart != null && portEnd != null && portStart > portEnd) {
throw new InvalidParameterValueException("Start port can't be bigger than end port");
}
if (sourceCidrList != null) {
for (String cidr: sourceCidrList){
if (!NetUtils.isValidCIDR(cidr)){
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Source cidrs formatting error " + cidr);
}
}
}
//Validate Protocol
//Check if protocol is a number
if(StringUtils.isNumeric(protocol)){
int protoNumber = Integer.parseInt(protocol);
if(protoNumber < 0 || protoNumber > 255){
throw new InvalidParameterValueException("Invalid protocol number: " + protoNumber);
}
} else {
//Protocol is not number
//Check for valid protocol strings
String supportedProtocols = "tcp,udp,icmp,all";
if(!supportedProtocols.contains(protocol.toLowerCase())){
throw new InvalidParameterValueException("Invalid protocol: " + protocol);
}
}
// icmp code and icmp type can't be passed in for any other protocol rather than icmp
if (!protocol.equalsIgnoreCase(NetUtils.ICMP_PROTO) && (icmpCode != null || icmpType != null)) {
throw new InvalidParameterValueException("Can specify icmpCode and icmpType for ICMP protocol only");
}
if (protocol.equalsIgnoreCase(NetUtils.ICMP_PROTO) && (portStart != null || portEnd != null)) {
throw new InvalidParameterValueException("Can't specify start/end port when protocol is ICMP");
}
//validate icmp code and type
if (icmpType != null) {
if (icmpType.longValue() != -1 && !NetUtils.validateIcmpType(icmpType.longValue())) {
throw new InvalidParameterValueException("Invalid icmp type; should belong to [0-255] range");
}
if (icmpCode != null) {
if (icmpCode.longValue() != -1 && !NetUtils.validateIcmpCode(icmpCode.longValue())) {
throw new InvalidParameterValueException("Invalid icmp code; should belong to [0-15] range and can" +
" be defined when icmpType belongs to [0-40] range");
}
}
}
//Check ofr valid action Allow/Deny
if(action != null){
try {
NetworkACLItem.Action.valueOf(action);
} catch (IllegalArgumentException ex) {
throw new InvalidParameterValueException("Invalid action. Allowed actions are Allow and Deny");
}
}
}
@Override
public NetworkACLItem getNetworkACLItem(long ruleId) {
return _networkAclMgr.getNetworkACLItem(ruleId);
}
@Override
public boolean applyNetworkACL(long aclId) throws ResourceUnavailableException {
return _networkAclMgr.applyNetworkACL(aclId);
}
@Override
public Pair<List<? extends NetworkACLItem>, Integer> listNetworkACLItems(ListNetworkACLsCmd cmd) {
Long networkId = cmd.getNetworkId();
Long id = cmd.getId();
Long aclId = cmd.getAclId();
String trafficType = cmd.getTrafficType();
String protocol = cmd.getProtocol();
String action = cmd.getAction();
Map<String, String> tags = cmd.getTags();
Account caller = UserContext.current().getCaller();
List<Long> permittedAccounts = new ArrayList<Long>();
Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject =
new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(), cmd.isRecursive(), null);
_accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts,
domainIdRecursiveListProject, cmd.listAll(), false);
Long domainId = domainIdRecursiveListProject.first();
Boolean isRecursive = domainIdRecursiveListProject.second();
ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third();
Filter filter = new Filter(NetworkACLItemVO.class, "id", false, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchBuilder<NetworkACLItemVO> sb = _networkACLItemDao.createSearchBuilder();
//_accountMgr.buildACLSearchBuilder(sb, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
sb.and("id", sb.entity().getId(), Op.EQ);
sb.and("aclId", sb.entity().getAclId(), Op.EQ);
sb.and("trafficType", sb.entity().getTrafficType(), Op.EQ);
sb.and("protocol", sb.entity().getProtocol(), Op.EQ);
sb.and("action", sb.entity().getAction(), Op.EQ);
if (tags != null && !tags.isEmpty()) {
SearchBuilder<ResourceTagVO> tagSearch = _resourceTagDao.createSearchBuilder();
for (int count=0; count < tags.size(); count++) {
tagSearch.or().op("key" + String.valueOf(count), tagSearch.entity().getKey(), Op.EQ);
tagSearch.and("value" + String.valueOf(count), tagSearch.entity().getValue(), Op.EQ);
tagSearch.cp();
}
tagSearch.and("resourceType", tagSearch.entity().getResourceType(), Op.EQ);
sb.groupBy(sb.entity().getId());
sb.join("tagSearch", tagSearch, sb.entity().getId(), tagSearch.entity().getResourceId(), JoinBuilder.JoinType.INNER);
}
SearchCriteria<NetworkACLItemVO> sc = sb.create();
// _accountMgr.buildACLSearchCriteria(sc, domainId, isRecursive, permittedAccounts, listProjectResourcesCriteria);
if (id != null) {
sc.setParameters("id", id);
}
if (networkId != null) {
Network network = _networkDao.findById(networkId);
aclId = network.getNetworkACLId();
}
if (trafficType != null) {
sc.setParameters("trafficType", trafficType);
}
if(aclId != null){
sc.setParameters("aclId", aclId);
}
if(protocol != null){
sc.setParameters("protocol", protocol);
}
if(action != null){
sc.setParameters("action", action);
}
if (tags != null && !tags.isEmpty()) {
int count = 0;
sc.setJoinParameters("tagSearch", "resourceType", TaggedResourceType.NetworkACL.toString());
for (String key : tags.keySet()) {
sc.setJoinParameters("tagSearch", "key" + String.valueOf(count), key);
sc.setJoinParameters("tagSearch", "value" + String.valueOf(count), tags.get(key));
count++;
}
}
Pair<List<NetworkACLItemVO>, Integer> result = _networkACLItemDao.searchAndCount(sc, filter);
return new Pair<List<? extends NetworkACLItem>, Integer>(result.first(), result.second());
}
@Override
public boolean revokeNetworkACLItem(long ruleId) {
NetworkACLItemVO aclItem = _networkACLItemDao.findById(ruleId);
if(aclItem != null){
if((aclItem.getAclId() == NetworkACL.DEFAULT_ALLOW) || (aclItem.getAclId() == NetworkACL.DEFAULT_DENY)){
throw new InvalidParameterValueException("ACL Items in default ACL cannot be deleted");
}
}
return _networkAclMgr.revokeNetworkACLItem(ruleId);
}
@Override
public NetworkACLItem updateNetworkACLItem(Long id, String protocol, List<String> sourceCidrList, NetworkACLItem.TrafficType trafficType,
String action, Integer number, Integer sourcePortStart, Integer sourcePortEnd, Integer icmpCode,
Integer icmpType) throws ResourceUnavailableException {
NetworkACLItemVO aclItem = _networkACLItemDao.findById(id);
if(aclItem == null){
throw new InvalidParameterValueException("Unable to find ACL Item cannot be found");
}
if(aclItem.getAclId() == NetworkACL.DEFAULT_ALLOW || aclItem.getAclId() == NetworkACL.DEFAULT_DENY){
throw new InvalidParameterValueException("Default ACL Items cannot be updated");
}
NetworkACL acl = _networkAclMgr.getNetworkACL(aclItem.getAclId());
Vpc vpc = _vpcMgr.getVpc(acl.getVpcId());
Account caller = UserContext.current().getCaller();
_accountMgr.checkAccess(caller, null, true, vpc);
if(number != null){
//Check if ACL Item with specified number already exists
NetworkACLItemVO aclNumber = _networkACLItemDao.findByAclAndNumber(acl.getId(), number);
if((aclNumber != null) && (aclNumber.getId() != id)){
throw new InvalidParameterValueException("ACL item with number "+number+" already exists in ACL: "+acl.getUuid());
}
}
validateNetworkACLItem((sourcePortStart == null) ? aclItem.getSourcePortStart() : sourcePortStart, (sourcePortEnd == null) ? aclItem.getSourcePortEnd() : sourcePortEnd,
sourceCidrList, protocol, icmpCode, (icmpType == null) ? aclItem.getIcmpType() : icmpType, action);
return _networkAclMgr.updateNetworkACLItem(id, protocol, sourceCidrList, trafficType, action, number, sourcePortStart,
sourcePortEnd, icmpCode, icmpType);
}
}

79
server/src/com/cloud/network/vpc/NetworkACLVO.java Normal file
View File

@ -0,0 +1,79 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.vpc;
import javax.persistence.*;
import java.util.UUID;
@Entity
@Table(name="network_acl")
public class NetworkACLVO implements NetworkACL{
@Id
@GeneratedValue(strategy= GenerationType.IDENTITY)
@Column(name="id")
private long id;
@Column(name="vpc_id")
Long vpcId;
@Column(name="uuid")
private String uuid;
@Column(name="name")
private String name;
@Column(name="description")
private String description;
public NetworkACLVO(){
}
protected NetworkACLVO(String name, String description, long vpcId){
this.uuid = UUID.randomUUID().toString();
this.name = name;
this.description = description;
this.vpcId = vpcId;
}
@Override
public String getDescription() {
return description;
}
@Override
public String getUuid() {
return uuid;
}
@Override
public Long getVpcId() {
return vpcId;
}
@Override
public long getId() {
return id;
}
@Override
public String getName() {
return name;
}
}

3
server/src/com/cloud/network/vpc/VpcManager.java
View File

@ -106,7 +106,8 @@ public interface VpcManager extends VpcService{
*/
Network createVpcGuestNetwork(long ntwkOffId, String name, String displayText, String gateway, String cidr,
String vlanId, String networkDomain, Account owner, Long domainId, PhysicalNetwork pNtwk, long zoneId,
ACLType aclType, Boolean subdomainAccess, long vpcId, Account caller, Boolean displayNetworkEnabled)
ACLType aclType, Boolean subdomainAccess, long vpcId, Long aclId, Account caller, Boolean displayNetworkEnabled)
throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException;

9
server/src/com/cloud/network/vpc/VpcManagerImpl.java
View File

@ -1969,7 +1969,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
@Override
public Network createVpcGuestNetwork(long ntwkOffId, String name, String displayText, String gateway,
String cidr, String vlanId, String networkDomain, Account owner, Long domainId,
PhysicalNetwork pNtwk, long zoneId, ACLType aclType, Boolean subdomainAccess, long vpcId, Account caller, Boolean isDisplayNetworkEnabled)
PhysicalNetwork pNtwk, long zoneId, ACLType aclType, Boolean subdomainAccess, long vpcId, Long aclId, Account caller, Boolean isDisplayNetworkEnabled)
throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException {
Vpc vpc = getActiveVpc(vpcId);
@ -1993,9 +1993,14 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
validateNtwkOffForNtwkInVpc(null, ntwkOffId, cidr, networkDomain, vpc, gateway, owner);
//2) Create network
Network guestNetwork = _ntwkMgr.createGuestNetwork(ntwkOffId, name, displayText, gateway, cidr, vlanId,
Network guestNetwork = _ntwkMgr.createGuestNetwork(ntwkOffId, name, displayText, gateway, cidr, vlanId,
networkDomain, owner, domainId, pNtwk, zoneId, aclType, subdomainAccess, vpcId, null, null, isDisplayNetworkEnabled);
if(guestNetwork != null){
guestNetwork.setNetworkACLId(aclId);
_ntwkDao.update(guestNetwork.getId(), (NetworkVO)guestNetwork);
}
return guestNetwork;
}

23
server/src/com/cloud/network/vpc/dao/NetworkACLDao.java Normal file
View File

@ -0,0 +1,23 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.vpc.dao;
import com.cloud.network.vpc.NetworkACLVO;
import com.cloud.utils.db.GenericDao;
public interface NetworkACLDao extends GenericDao<NetworkACLVO, Long>{
}

35
server/src/com/cloud/network/vpc/dao/NetworkACLDaoImpl.java Normal file
View File

@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.vpc.dao;
import com.cloud.network.vpc.NetworkACLVO;
import com.cloud.utils.db.DB;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import org.springframework.stereotype.Component;
import javax.ejb.Local;
@Component
@Local(value = NetworkACLDao.class)
@DB(txn = false)
public class NetworkACLDaoImpl extends GenericDaoBase<NetworkACLVO, Long> implements NetworkACLDao{
protected NetworkACLDaoImpl() {
}
}

113
server/src/com/cloud/network/vpc/dao/NetworkACLItemDaoImpl.java Normal file
View File

@ -0,0 +1,113 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.vpc.dao;
import com.cloud.network.vpc.NetworkACLItem.State;
import com.cloud.network.vpc.NetworkACLItemDao;
import com.cloud.network.vpc.NetworkACLItemVO;
import com.cloud.utils.db.*;
import com.cloud.utils.db.SearchCriteria.Op;
import org.springframework.stereotype.Component;
import javax.ejb.Local;
import java.util.List;
@Component
@Local(value = NetworkACLItemDao.class)
@DB(txn = false)
public class NetworkACLItemDaoImpl extends GenericDaoBase<NetworkACLItemVO, Long> implements NetworkACLItemDao {
protected final SearchBuilder<NetworkACLItemVO> AllFieldsSearch;
protected final SearchBuilder<NetworkACLItemVO> NotRevokedSearch;
protected final SearchBuilder<NetworkACLItemVO> ReleaseSearch;
protected final GenericSearchBuilder<NetworkACLItemVO, Integer> MaxNumberSearch;
protected NetworkACLItemDaoImpl() {
super();
AllFieldsSearch = createSearchBuilder();
AllFieldsSearch.and("protocol", AllFieldsSearch.entity().getProtocol(), Op.EQ);
AllFieldsSearch.and("state", AllFieldsSearch.entity().getState(), Op.EQ);
AllFieldsSearch.and("id", AllFieldsSearch.entity().getId(), Op.EQ);
AllFieldsSearch.and("aclId", AllFieldsSearch.entity().getAclId(), Op.EQ);
AllFieldsSearch.and("trafficType", AllFieldsSearch.entity().getTrafficType(), Op.EQ);
AllFieldsSearch.and("number", AllFieldsSearch.entity().getNumber(), Op.EQ);
AllFieldsSearch.and("action", AllFieldsSearch.entity().getAction(), Op.EQ);
AllFieldsSearch.done();
NotRevokedSearch = createSearchBuilder();
NotRevokedSearch.and("state", NotRevokedSearch.entity().getState(), Op.NEQ);
NotRevokedSearch.and("protocol", NotRevokedSearch.entity().getProtocol(), Op.EQ);
NotRevokedSearch.and("sourcePortStart", NotRevokedSearch.entity().getSourcePortStart(), Op.EQ);
NotRevokedSearch.and("sourcePortEnd", NotRevokedSearch.entity().getSourcePortEnd(), Op.EQ);
NotRevokedSearch.and("aclId", NotRevokedSearch.entity().getAclId(), Op.EQ);
NotRevokedSearch.and("trafficType", NotRevokedSearch.entity().getTrafficType(), Op.EQ);
NotRevokedSearch.done();
ReleaseSearch = createSearchBuilder();
ReleaseSearch.and("protocol", ReleaseSearch.entity().getProtocol(), Op.EQ);
ReleaseSearch.and("ports", ReleaseSearch.entity().getSourcePortStart(), Op.IN);
ReleaseSearch.done();
MaxNumberSearch = createSearchBuilder(Integer.class);
MaxNumberSearch.select(null, SearchCriteria.Func.MAX, MaxNumberSearch.entity().getNumber());
MaxNumberSearch.and("aclId", MaxNumberSearch.entity().getAclId(), Op.EQ);
MaxNumberSearch.done();
}
@Override
public boolean setStateToAdd(NetworkACLItemVO rule) {
SearchCriteria<NetworkACLItemVO> sc = AllFieldsSearch.create();
sc.setParameters("id", rule.getId());
sc.setParameters("state", State.Staged);
rule.setState(State.Add);
return update(rule, sc) > 0;
}
@Override
public boolean revoke(NetworkACLItemVO rule) {
rule.setState(State.Revoke);
return update(rule.getId(), rule);
}
@Override
public List<NetworkACLItemVO> listByACL(long aclId) {
SearchCriteria<NetworkACLItemVO> sc = AllFieldsSearch.create();
sc.setParameters("aclId", aclId);
return listBy(sc);
}
@Override
public int getMaxNumberByACL(long aclId) {
SearchCriteria<Integer> sc = MaxNumberSearch.create();
sc.setParameters("aclId", aclId);
Integer max = customSearch(sc, null).get(0);
return (max == null) ? 0 : max;
}
@Override
public NetworkACLItemVO findByAclAndNumber(long aclId, int number) {
SearchCriteria<NetworkACLItemVO> sc = AllFieldsSearch.create();
sc.setParameters("aclId", aclId);
sc.setParameters("number", number);
return findOneBy(sc);
}
}

40
server/src/com/cloud/server/ManagementServerImpl.java
View File

@ -277,6 +277,21 @@ import org.apache.cloudstack.api.command.user.nat.DisableStaticNatCmd;
import org.apache.cloudstack.api.command.user.nat.EnableStaticNatCmd;
import org.apache.cloudstack.api.command.user.nat.ListIpForwardingRulesCmd;
import org.apache.cloudstack.api.command.user.network.*;
import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
import org.apache.cloudstack.api.command.user.network.CreateNetworkACLListCmd;
import org.apache.cloudstack.api.command.user.network.CreateNetworkCmd;
import org.apache.cloudstack.api.command.user.network.DeleteNetworkACLCmd;
import org.apache.cloudstack.api.command.user.network.DeleteNetworkACLListCmd;
import org.apache.cloudstack.api.command.user.network.DeleteNetworkCmd;
import org.apache.cloudstack.api.command.user.network.ListNetworkACLListsCmd;
import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
import org.apache.cloudstack.api.command.user.network.ListNetworkOfferingsCmd;
import org.apache.cloudstack.api.command.user.network.ListNetworksCmd;
import org.apache.cloudstack.api.command.user.network.ReplaceNetworkACLListCmd;
import org.apache.cloudstack.api.command.user.network.RestartNetworkCmd;
import org.apache.cloudstack.api.command.user.network.UpdateNetworkACLItemCmd;
import org.apache.cloudstack.api.command.user.network.UpdateNetworkCmd;
import org.apache.cloudstack.api.command.user.offering.ListDiskOfferingsCmd;
import org.apache.cloudstack.api.command.user.offering.ListServiceOfferingsCmd;
import org.apache.cloudstack.api.command.user.project.ActivateProjectCmd;
@ -356,6 +371,15 @@ import org.apache.cloudstack.api.command.user.vmsnapshot.DeleteVMSnapshotCmd;
import org.apache.cloudstack.api.command.user.vmsnapshot.ListVMSnapshotCmd;
import org.apache.cloudstack.api.command.user.vmsnapshot.RevertToVMSnapshotCmd;
import org.apache.cloudstack.api.command.user.volume.*;
import org.apache.cloudstack.api.command.user.volume.AttachVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.CreateVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.DeleteVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.DetachVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.ExtractVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.ListVolumesCmd;
import org.apache.cloudstack.api.command.user.volume.MigrateVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.ResizeVolumeCmd;
import org.apache.cloudstack.api.command.user.volume.UploadVolumeCmd;
import org.apache.cloudstack.api.command.user.vpc.CreateStaticRouteCmd;
import org.apache.cloudstack.api.command.user.vpc.CreateVPCCmd;
import org.apache.cloudstack.api.command.user.vpc.DeleteStaticRouteCmd;
@ -1609,6 +1633,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
paramCountCheck++;
}
if (paramCountCheck > 1) {
throw new InvalidParameterValueException("cannot handle multiple IDs, provide only one ID corresponding to the scope");
}
@ -2858,14 +2883,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
cmdList.add(ListAffinityGroupsCmd.class);
cmdList.add(UpdateVMAffinityGroupCmd.class);
cmdList.add(ListAffinityGroupTypesCmd.class);
cmdList.add(AddVolumeDetailCmd.class);
cmdList.add(UpdateVolumeDetailCmd.class);
cmdList.add(RemoveVolumeDetailCmd.class);
cmdList.add(ListVolumeDetailsCmd.class);
cmdList.add(AddNicDetailCmd.class);
cmdList.add(UpdateNicDetailCmd.class);
cmdList.add(RemoveNicDetailCmd.class);
cmdList.add(ListNicDetailsCmd.class);
cmdList.add(AddResourceDetailCmd.class);
cmdList.add(RemoveResourceDetailCmd.class);
cmdList.add(ListResourceDetailsCmd.class);
@ -2874,7 +2892,11 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
cmdList.add(ListInternalLBVMsCmd.class);
cmdList.add(ListNetworkIsolationMethodsCmd.class);
cmdList.add(ListNetworkIsolationMethodsCmd.class);
cmdList.add(CreateNetworkACLListCmd.class);
cmdList.add(DeleteNetworkACLListCmd.class);
cmdList.add(ListNetworkACLListsCmd.class);
cmdList.add(ReplaceNetworkACLListCmd.class);
cmdList.add(UpdateNetworkACLItemCmd.class);
return cmdList;
}

4
server/src/com/cloud/tags/TaggedResourceManagerImpl.java
View File

@ -26,6 +26,7 @@ import javax.inject.Inject;
import javax.naming.ConfigurationException;
import com.cloud.vm.dao.NicDao;
import com.cloud.network.vpc.NetworkACLItemDao;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
@ -120,6 +121,8 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
VMSnapshotDao _vmSnapshotDao;
@Inject
NicDao _nicDao;
NetworkACLItemDao _networkACLItemDao;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
@ -138,6 +141,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
_daoMap.put(TaggedResourceType.Vpc, _vpcDao);
_daoMap.put(TaggedResourceType.NetworkACL, _firewallDao);
_daoMap.put(TaggedResourceType.Nic, _nicDao);
_daoMap.put(TaggedResourceType.NetworkACL, _networkACLItemDao);
_daoMap.put(TaggedResourceType.StaticRoute, _staticRouteDao);
_daoMap.put(TaggedResourceType.VMSnapshot, _vmSnapshotDao);
_daoMap.put(TaggedResourceType.RemoteAccessVpn, _vpnDao);

8
server/test/com/cloud/network/MockNetworkManagerImpl.java
View File

@ -640,8 +640,12 @@ public class MockNetworkManagerImpl extends ManagerBase implements NetworkManage
}
@Override
public Network createPrivateNetwork(String s, String s2, long l, String s3, String s4, String s5, String s6, String s7, long l2, Long aLong, Boolean aBoolean) throws ResourceAllocationException, ConcurrentOperationException, InsufficientCapacityException {
return null; //To change body of implemented methods use File | Settings | File Templates.
public Network createPrivateNetwork(String networkName, String displayText, long physicalNetworkId, String vlan,
String startIp, String endIP, String gateway, String netmask, long networkOwnerId, Long vpcId, Boolean sourceNat)
throws ResourceAllocationException, ConcurrentOperationException, InsufficientCapacityException {
// TODO Auto-generated method stub
return null;
}
/* (non-Javadoc)

3
server/test/com/cloud/vpc/MockNetworkManagerImpl.java
View File

@ -85,6 +85,9 @@ import com.cloud.user.User;
import com.cloud.utils.Pair;
import com.cloud.utils.component.ManagerBase;
import com.cloud.vm.VirtualMachine.Type;
import com.cloud.vm.VirtualMachineProfile;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.api.command.admin.network.DedicateGuestVlanRangeCmd;
import org.apache.cloudstack.api.command.admin.network.ListDedicatedGuestVlanRangesCmd;

10
server/test/com/cloud/vpc/MockVpcManagerImpl.java
View File

@ -24,6 +24,7 @@ import javax.ejb.Local;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.api.command.user.vpc.ListPrivateGatewaysCmd;
import org.apache.cloudstack.api.command.user.vpc.ListStaticRoutesCmd;
@ -298,14 +299,9 @@ public class MockVpcManagerImpl extends ManagerBase implements VpcManager {
}
/* (non-Javadoc)
* @see com.cloud.network.vpc.VpcManager#createVpcGuestNetwork(long, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, com.cloud.user.Account, java.lang.Long, com.cloud.network.PhysicalNetwork, long, org.apache.cloudstack.acl.ControlledEntity.ACLType, java.lang.Boolean, long, com.cloud.user.Account)
*/
@Override
public Network createVpcGuestNetwork(long ntwkOffId, String name, String displayText, String gateway, String cidr, String vlanId, String networkDomain, Account owner, Long domainId, PhysicalNetwork pNtwk,
long zoneId, ACLType aclType, Boolean subdomainAccess, long vpcId, Account caller, Boolean displayNetworkEnabled) throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException {
// TODO Auto-generated method stub
return null;
public Network createVpcGuestNetwork(long ntwkOffId, String name, String displayText, String gateway, String cidr, String vlanId, String networkDomain, Account owner, Long domainId, PhysicalNetwork pNtwk, long zoneId, ACLType aclType, Boolean subdomainAccess, long vpcId, Long aclId, Account caller, Boolean displayNetworkEnabled) throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException {
return null; //To change body of implemented methods use File | Settings | File Templates.
}
/* (non-Javadoc)

10
server/test/com/cloud/vpc/MockVpcVirtualNetworkApplianceManager.java
View File

@ -23,6 +23,7 @@ import java.util.Map;
import javax.ejb.Local;
import javax.naming.ConfigurationException;
import com.cloud.network.vpc.NetworkACLItem;
import org.apache.cloudstack.api.command.admin.router.UpgradeRouterCmd;
import org.springframework.stereotype.Component;
@ -336,14 +337,9 @@ VpcVirtualNetworkApplianceService {
return null;
}
/* (non-Javadoc)
* @see com.cloud.network.router.VpcVirtualNetworkApplianceManager#applyNetworkACLs(com.cloud.network.Network, java.util.List, java.util.List)
*/
@Override
public boolean applyNetworkACLs(Network network, List<? extends FirewallRule> rules,
List<? extends VirtualRouter> routers) throws ResourceUnavailableException {
// TODO Auto-generated method stub
return false;
public boolean applyNetworkACLs(Network network, List<? extends NetworkACLItem> rules, List<? extends VirtualRouter> routers) throws ResourceUnavailableException {
return false; //To change body of implemented methods use File | Settings | File Templates.
}
/* (non-Javadoc)

195
server/test/com/cloud/vpc/NetworkACLManagerTest.java Normal file
View File

@ -0,0 +1,195 @@
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.cloud.vpc;
import com.cloud.network.Network;
import com.cloud.network.NetworkManager;
import com.cloud.network.NetworkModel;
import com.cloud.network.dao.NetworkDao;
import com.cloud.network.dao.NetworkVO;
import com.cloud.network.element.NetworkACLServiceProvider;
import com.cloud.network.vpc.NetworkACLItem;
import com.cloud.network.vpc.NetworkACLItemDao;
import com.cloud.network.vpc.NetworkACLItemVO;
import com.cloud.network.vpc.NetworkACLManager;
import com.cloud.network.vpc.NetworkACLManagerImpl;
import com.cloud.network.vpc.NetworkACLVO;
import com.cloud.network.vpc.VpcManager;
import com.cloud.network.vpc.dao.NetworkACLDao;
import com.cloud.tags.dao.ResourceTagDao;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.AccountVO;
import com.cloud.user.UserContext;
import com.cloud.utils.component.ComponentContext;
import com.cloud.utils.exception.CloudRuntimeException;
import junit.framework.TestCase;
import org.apache.cloudstack.test.utils.SpringUtils;
import org.apache.log4j.Logger;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mockito;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.FilterType;
import org.springframework.core.type.classreading.MetadataReader;
import org.springframework.core.type.classreading.MetadataReaderFactory;
import org.springframework.core.type.filter.TypeFilter;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.support.AnnotationConfigContextLoader;
import javax.inject.Inject;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(loader = AnnotationConfigContextLoader.class)
public class NetworkACLManagerTest extends TestCase{
@Inject
NetworkACLManager _aclMgr;
@Inject
AccountManager _accountMgr;
@Inject
VpcManager _vpcMgr;
@Inject
NetworkACLDao _networkACLDao;
@Inject
NetworkACLItemDao _networkACLItemDao;
@Inject
NetworkDao _networkDao;
@Inject
NetworkModel _networkModel;
@Inject
List<NetworkACLServiceProvider> _networkAclElements;
private NetworkACLVO acl;
private NetworkACLItemVO aclItem;
private static final Logger s_logger = Logger.getLogger( NetworkACLManagerTest.class);
@Before
public void setUp() {
ComponentContext.initComponentsLifeCycle();
Account account = new AccountVO("testaccount", 1, "testdomain", (short) 0, UUID.randomUUID().toString());
UserContext.registerContext(1, account, null, true);
acl = Mockito.mock(NetworkACLVO.class);
aclItem = Mockito.mock(NetworkACLItemVO.class);
}
@Test
public void testCreateACL() throws Exception {
Mockito.when(_networkACLDao.persist(Mockito.any(NetworkACLVO.class))).thenReturn(acl);
assertNotNull(_aclMgr.createNetworkACL("acl_new", "acl desc", 1L));
}
@Test
public void testApplyACL() throws Exception {
NetworkVO network = Mockito.mock(NetworkVO.class);
Mockito.when(_networkDao.findById(Mockito.anyLong())).thenReturn(network);
Mockito.when(_networkModel.isProviderSupportServiceInNetwork(Mockito.anyLong(), Mockito.any(Network.Service.class), Mockito.any(Network.Provider.class))).thenReturn(true);
Mockito.when(_networkAclElements.get(0).applyNetworkACLs(Mockito.any(Network.class), Mockito.anyList())).thenReturn(true);
assertTrue(_aclMgr.applyACLToNetwork(1L));
}
@Test
public void testRevokeACLItem() throws Exception {
Mockito.when(_networkACLItemDao.findById(Mockito.anyLong())).thenReturn(aclItem);
assertTrue(_aclMgr.revokeNetworkACLItem(1L));
}
@Test
public void testUpdateACLItem() throws Exception {
Mockito.when(_networkACLItemDao.findById(Mockito.anyLong())).thenReturn(aclItem);
Mockito.when(_networkACLItemDao.update(Mockito.anyLong(), Mockito.any(NetworkACLItemVO.class))).thenReturn(true);
assertNotNull(_aclMgr.updateNetworkACLItem(1L, "UDP", null, NetworkACLItem.TrafficType.Ingress, "Deny", 10, 22, 32, null, null));
}
@Test(expected = CloudRuntimeException.class)
public void deleteNonEmptyACL() throws Exception {
List<NetworkACLItemVO> aclItems = new ArrayList<NetworkACLItemVO>();
aclItems.add(aclItem);
Mockito.when(_networkACLItemDao.listByACL(Mockito.anyLong())).thenReturn(aclItems);
_aclMgr.deleteNetworkACL(acl);
}
@Configuration
@ComponentScan(basePackageClasses={NetworkACLManagerImpl.class},
includeFilters={@ComponentScan.Filter(value=NetworkACLTestConfiguration.Library.class, type= FilterType.CUSTOM)},
useDefaultFilters=false)
public static class NetworkACLTestConfiguration extends SpringUtils.CloudStackTestConfiguration{
@Bean
public AccountManager accountManager() {
return Mockito.mock(AccountManager.class);
}
@Bean
public NetworkManager networkManager() {
return Mockito.mock(NetworkManager.class);
}
@Bean
public NetworkModel networkModel() {
return Mockito.mock(NetworkModel.class);
}
@Bean
public VpcManager vpcManager() {
return Mockito.mock(VpcManager.class);
}
@Bean
public ResourceTagDao resourceTagDao() {
return Mockito.mock(ResourceTagDao.class);
}
@Bean
public NetworkACLDao networkACLDao() {
return Mockito.mock(NetworkACLDao.class);
}
@Bean
public NetworkACLItemDao networkACLItemDao() {
return Mockito.mock(NetworkACLItemDao.class);
}
@Bean
public NetworkDao networkDao() {
return Mockito.mock(NetworkDao.class);
}
@Bean
public NetworkACLServiceProvider networkElements() {
return Mockito.mock(NetworkACLServiceProvider.class);
}
public static class Library implements TypeFilter {
@Override
public boolean match(MetadataReader mdr, MetadataReaderFactory arg1) throws IOException {
mdr.getClassMetadata().getClassName();
ComponentScan cs = NetworkACLTestConfiguration.class.getAnnotation(ComponentScan.class);
return SpringUtils.includedInBasePackageClasses(mdr.getClassMetadata().getClassName(), cs);
}
}
}
}

219
server/test/com/cloud/vpc/NetworkACLServiceTest.java Normal file
View File

@ -0,0 +1,219 @@
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.cloud.vpc;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.network.NetworkManager;
import com.cloud.network.NetworkModel;
import com.cloud.network.dao.NetworkDao;
import com.cloud.network.vpc.*;
import com.cloud.network.vpc.dao.NetworkACLDao;
import com.cloud.tags.dao.ResourceTagDao;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.AccountVO;
import com.cloud.user.UserContext;
import com.cloud.utils.component.ComponentContext;
import junit.framework.TestCase;
import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
import org.apache.cloudstack.test.utils.SpringUtils;
import org.apache.log4j.Logger;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mockito;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.FilterType;
import org.springframework.core.type.classreading.MetadataReader;
import org.springframework.core.type.classreading.MetadataReaderFactory;
import org.springframework.core.type.filter.TypeFilter;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.support.AnnotationConfigContextLoader;
import javax.inject.Inject;
import java.io.IOException;
import java.util.UUID;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(loader = AnnotationConfigContextLoader.class)
public class NetworkACLServiceTest extends TestCase{
@Inject
NetworkACLService _aclService;
@Inject
AccountManager _accountMgr;
@Inject
VpcManager _vpcMgr;
@Inject
NetworkACLManager _networkAclMgr;
@Inject
NetworkACLDao _networkACLDao;
@Inject
NetworkACLItemDao _networkACLItemDao;
private CreateNetworkACLCmd createACLItemCmd;
private NetworkACLVO acl;
private NetworkACLItemVO aclItem;
private static final Logger s_logger = Logger.getLogger( NetworkACLServiceTest.class);
@Before
public void setUp() {
ComponentContext.initComponentsLifeCycle();
Account account = new AccountVO("testaccount", 1, "testdomain", (short) 0, UUID.randomUUID().toString());
UserContext.registerContext(1, account, null, true);
createACLItemCmd = new CreateNetworkACLCmd(){
@Override
public Long getACLId(){
return 1L;
}
@Override
public Integer getNumber(){
return 1;
}
@Override
public String getProtocol(){
return "TCP";
}
};
acl = new NetworkACLVO(){
@Override
public Long getVpcId(){
return 1L;
}
@Override
public long getId(){
return 1L;
}
};
aclItem = new NetworkACLItemVO(){
@Override
public long getAclId(){
return 4L;
}
};
}
@Test
public void testCreateACL() throws Exception {
Mockito.when(_vpcMgr.getVpc(Mockito.anyLong())).thenReturn(new VpcVO());
Mockito.when(_networkAclMgr.createNetworkACL("acl_new", "acl desc", 1L)).thenReturn(acl);
assertNotNull(_aclService.createNetworkACL("acl_new", "acl desc", 1L));
}
@Test(expected = InvalidParameterValueException.class)
public void testDeleteDefaultACL() throws Exception {
Mockito.when(_networkACLDao.findById(Mockito.anyLong())).thenReturn(acl);
Mockito.when(_networkAclMgr.deleteNetworkACL(acl)).thenReturn(true);
_aclService.deleteNetworkACL(1L);
}
@Test
public void testCreateACLItem() throws Exception {
Mockito.when(_vpcMgr.getVpc(Mockito.anyLong())).thenReturn(new VpcVO());
Mockito.when(_networkAclMgr.getNetworkACL(Mockito.anyLong())).thenReturn(acl);
Mockito.when(_networkAclMgr.createNetworkACLItem(Mockito.anyInt(), Mockito.anyInt(), Mockito.anyString(), Mockito.anyList(), Mockito.anyInt(), Mockito.anyInt(),
Mockito.any(NetworkACLItem.TrafficType.class), Mockito.anyLong(), Mockito.anyString(), Mockito.anyInt())).thenReturn(new NetworkACLItemVO());
assertNotNull(_aclService.createNetworkACLItem(createACLItemCmd));
}
@Test(expected = InvalidParameterValueException.class)
public void testCreateACLItemDuplicateNumber() throws Exception {
Mockito.when(_vpcMgr.getVpc(Mockito.anyLong())).thenReturn(new VpcVO());
Mockito.when(_networkAclMgr.getNetworkACL(Mockito.anyLong())).thenReturn(acl);
Mockito.when(_networkACLItemDao.findByAclAndNumber(Mockito.anyLong(), Mockito.anyInt())).thenReturn(new NetworkACLItemVO());
_aclService.createNetworkACLItem(createACLItemCmd);
}
@Test
public void testDeleteACLItem() throws Exception {
Mockito.when(_networkACLItemDao.findById(Mockito.anyLong())).thenReturn(aclItem);
Mockito.when(_networkAclMgr.revokeNetworkACLItem(Mockito.anyLong())).thenReturn(true);
assertTrue(_aclService.revokeNetworkACLItem(1L));
}
@Configuration
@ComponentScan(basePackageClasses={NetworkACLServiceImpl.class},
includeFilters={@ComponentScan.Filter(value=NetworkACLTestConfiguration.Library.class, type= FilterType.CUSTOM)},
useDefaultFilters=false)
public static class NetworkACLTestConfiguration extends SpringUtils.CloudStackTestConfiguration{
@Bean
public AccountManager accountManager() {
return Mockito.mock(AccountManager.class);
}
@Bean
public NetworkManager networkManager() {
return Mockito.mock(NetworkManager.class);
}
@Bean
public NetworkModel networkModel() {
return Mockito.mock(NetworkModel.class);
}
@Bean
public VpcManager vpcManager() {
return Mockito.mock(VpcManager.class);
}
@Bean
public ResourceTagDao resourceTagDao() {
return Mockito.mock(ResourceTagDao.class);
}
@Bean
public NetworkACLDao networkACLDao() {
return Mockito.mock(NetworkACLDao.class);
}
@Bean
public NetworkACLItemDao networkACLItemDao() {
return Mockito.mock(NetworkACLItemDao.class);
}
@Bean
public NetworkDao networkDao() {
return Mockito.mock(NetworkDao.class);
}
@Bean
public NetworkACLManager networkACLManager() {
return Mockito.mock(NetworkACLManager.class);
}
public static class Library implements TypeFilter {
@Override
public boolean match(MetadataReader mdr, MetadataReaderFactory arg1) throws IOException {
mdr.getClassMetadata().getClassName();
ComponentScan cs = NetworkACLTestConfiguration.class.getAnnotation(ComponentScan.class);
return SpringUtils.includedInBasePackageClasses(mdr.getClassMetadata().getClassName(), cs);
}
}
}
}

5
server/test/com/cloud/vpc/dao/MockNetworkDaoImpl.java
View File

@ -362,4 +362,9 @@ public class MockNetworkDaoImpl extends GenericDaoBase<NetworkVO, Long> implemen
return null;
}
@Override
public List<NetworkVO> listByAclId(long aclId) {
return null;
}
}

43
setup/db/db/schema-410to420.sql
View File

@ -1539,3 +1539,46 @@ CREATE TABLE `cloud`.`account_vnet_map` (
ALTER TABLE `cloud`.`op_dc_vnet_alloc` ADD COLUMN account_vnet_map_id bigint unsigned;
ALTER TABLE `cloud`.`op_dc_vnet_alloc` ADD CONSTRAINT `fk_op_dc_vnet_alloc__account_vnet_map_id` FOREIGN KEY `fk_op_dc_vnet_alloc__account_vnet_map_id` (`account_vnet_map_id`) REFERENCES `account_vnet_map` (`id`);
CREATE TABLE `cloud`.`network_acl` (
`id` bigint unsigned NOT NULL auto_increment COMMENT 'id',
`name` varchar(255) NOT NULL COMMENT 'name of the network acl',
`uuid` varchar(40),
`vpc_id` bigint unsigned COMMENT 'vpc this network acl belongs to',
`description` varchar(1024),
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `cloud`.`network_acl_item` (
`id` bigint unsigned NOT NULL auto_increment COMMENT 'id',
`uuid` varchar(40),
`acl_id` bigint unsigned NOT NULL COMMENT 'network acl id',
`start_port` int(10) COMMENT 'starting port of a port range',
`end_port` int(10) COMMENT 'end port of a port range',
`state` char(32) NOT NULL COMMENT 'current state of this rule',
`protocol` char(16) NOT NULL default 'TCP' COMMENT 'protocol to open these ports for',
`created` datetime COMMENT 'Date created',
`icmp_code` int(10) COMMENT 'The ICMP code (if protocol=ICMP). A value of -1 means all codes for the given ICMP type.',
`icmp_type` int(10) COMMENT 'The ICMP type (if protocol=ICMP). A value of -1 means all types.',
`traffic_type` char(32) COMMENT 'the traffic type of the rule, can be Ingress or Egress',
`cidr` varchar(255) COMMENT 'comma seperated cidr list',
`number` int(10) NOT NULL COMMENT 'priority number of the acl item',
`action` varchar(10) NOT NULL COMMENT 'rule action, allow or deny',
PRIMARY KEY (`id`),
UNIQUE KEY (`acl_id`, `number`),
CONSTRAINT `fk_network_acl_item__acl_id` FOREIGN KEY(`acl_id`) REFERENCES `network_acl`(`id`) ON DELETE CASCADE,
CONSTRAINT `uc_network_acl_item__uuid` UNIQUE (`uuid`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
ALTER TABLE `cloud`.`networks` add column `network_acl_id` bigint unsigned COMMENT 'network acl id';
-- Add Default ACL deny_all
INSERT INTO `cloud`.`network_acl` (id, uuid, vpc_id, description, name) values (1, UUID(), 0, "Default Network ACL Deny All", "default_deny");
INSERT INTO `cloud`.`network_acl_item` (id, uuid, acl_id, state, protocol, created, traffic_type, cidr, number, action) values (1, UUID(), 1, "Active", "all", now(), "Ingress", "0.0.0.0/0", 1, "Deny");
INSERT INTO `cloud`.`network_acl_item` (id, uuid, acl_id, state, protocol, created, traffic_type, cidr, number, action) values (2, UUID(), 1, "Active", "all", now(), "Egress", "0.0.0.0/0", 2, "Deny");
-- Add Default ACL allow_all
INSERT INTO `cloud`.`network_acl` (id, uuid, vpc_id, description, name) values (2, UUID(), 0, "Default Network ACL Allow All", "default_allow");
INSERT INTO `cloud`.`network_acl_item` (id, uuid, acl_id, state, protocol, created, traffic_type, cidr, number, action) values (3, UUID(), 2, "Active", "all", now(), "Ingress", "0.0.0.0/0", 1, "Allow");
INSERT INTO `cloud`.`network_acl_item` (id, uuid, acl_id, state, protocol, created, traffic_type, cidr, number, action) values (4, UUID(), 2, "Active", "all", now(), "Egress", "0.0.0.0/0", 2, "Allow");
>>>>>>> master

119
test/integration/smoke/test_network_acl.py Normal file
View File

@ -0,0 +1,119 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
""" Tests for Network ACLs in VPC
"""
#Import Local Modules
from marvin.cloudstackTestCase import *
from marvin.cloudstackAPI import *
from marvin.integration.lib.utils import *
from marvin.integration.lib.base import *
from marvin.integration.lib.common import *
class TestNetworkACL(cloudstackTestCase):
networkOfferingId = 11
networkId = None
vmId = None
vpcId = None
aclId = None
zoneId = 1
serviceOfferingId = 1
templateId = 5
def setUp(self):
self.apiClient = self.testClient.getApiClient()
def test_networkAcl(self):
# 1) Create VPC
self.createVPC()
# 2) Create ACl
self.createACL()
# 3) Create ACl Item
self.createACLItem()
# 4) Create network with ACL
self.createNetwork()
# 5) Deploy a vm
self.deployVm()
def createACL(self):
createAclCmd = createNetworkACLList.createNetworkACLListCmd()
createAclCmd.name = "acl1"
createAclCmd.description = "new acl"
createAclCmd.vpcId = TestNetworkACL.vpcId
createAclResponse = self.apiClient.createNetworkACLList(createAclCmd)
TestNetworkACL.aclId = createAclResponse.id
def createACLItem(self):
createAclItemCmd = createNetworkACL.createNetworkACLCmd()
createAclItemCmd.cidr = "0.0.0.0/0"
createAclItemCmd.protocol = "TCP"
createAclItemCmd.number = "10"
createAclItemCmd.action = "Deny"
createAclItemCmd.aclId = TestNetworkACL.aclId
createAclItemResponse = self.apiClient.createNetworkACL(createAclItemCmd)
self.assertIsNotNone(createAclItemResponse.id, "Network failed to aclItem")
def createVPC(self):
createVPCCmd = createVPC.createVPCCmd()
createVPCCmd.name = "new vpc"
createVPCCmd.cidr = "10.1.1.0/24"
createVPCCmd.displaytext = "new vpc"
createVPCCmd.vpcofferingid = 1
createVPCCmd.zoneid = self.zoneId
createVPCResponse = self.apiClient.createVPC(createVPCCmd)
TestNetworkACL.vpcId = createVPCResponse.id
def createNetwork(self):
createNetworkCmd = createNetwork.createNetworkCmd()
createNetworkCmd.name = "vpc network"
createNetworkCmd.displaytext = "vpc network"
createNetworkCmd.netmask = "255.255.255.0"
createNetworkCmd.gateway = "10.1.1.1"
createNetworkCmd.zoneid = self.zoneId
createNetworkCmd.vpcid = TestNetworkACL.vpcId
createNetworkCmd.networkofferingid = TestNetworkACL.networkOfferingId
createNetworkCmd.aclId = TestNetworkACL.aclId
createNetworkResponse = self.apiClient.createNetwork(createNetworkCmd)
TestNetworkACL.networkId = createNetworkResponse.id
self.assertIsNotNone(createNetworkResponse.id, "Network failed to create")
def deployVm(self):
deployVirtualMachineCmd = deployVirtualMachine.deployVirtualMachineCmd()
deployVirtualMachineCmd.networkids = TestNetworkACL.networkId
deployVirtualMachineCmd.serviceofferingid = TestNetworkACL.serviceOfferingId
deployVirtualMachineCmd.zoneid = TestNetworkACL.zoneId
deployVirtualMachineCmd.templateid = TestNetworkACL.templateId
deployVirtualMachineCmd.hypervisor = "XenServer"
deployVMResponse = self.apiClient.deployVirtualMachine(deployVirtualMachineCmd)
TestNetworkACL.vmId = deployVMResponse.id
def tearDown(self):
#destroy the vm
if TestNetworkACL.vmId is not None:
destroyVirtualMachineCmd = destroyVirtualMachine.destroyVirtualMachineCmd()
destroyVirtualMachineCmd.id = TestNetworkACL.vmId
destroyVirtualMachineResponse = self.apiClient.destroyVirtualMachine(destroyVirtualMachineCmd)

14
tools/marvin/setup.py
View File

@ -19,9 +19,13 @@
try:
from setuptools import setup, find_packages
except ImportError:
from distribute_setup import use_setuptools
use_setuptools()
from setuptools import setup, find_packages
try:
from distribute_setup import use_setuptools
use_setuptools()
from setuptools import setup, find_packages
except ImportError:
raise RuntimeError("python setuptools is required to build Marvin")
VERSION = '0.1.0'
@ -35,10 +39,10 @@ setup(name="Marvin",
author="Edison Su",
author_email="Edison.Su@citrix.com",
maintainer="Prasanna Santhanam",
maintainer_email="Prasanna.Santhanam@citrix.com",
maintainer_email="tsp@apache.org",
long_description="Marvin is the Apache CloudStack python client written around the unittest framework",
platforms=("Any",),
url="https://builds.apache.org/view/CloudStack/job/cloudstack-marvin/",
url="https://builds.apache.org/job/cloudstack-marvin/",
packages=["marvin", "marvin.cloudstackAPI", "marvin.integration",
"marvin.integration.lib", "marvin.sandbox",
"marvin.sandbox.advanced", "marvin.sandbox.basic"],

10
ui/scripts/events.js
View File

@ -36,9 +36,10 @@
label: 'label.menu.events',
fields: {
description: { label: 'label.description' },
level: { label: 'label.level' },
level: { label: 'label.level' },
type: {label:'Type'},
domain: { label: 'label.domain' },
account: { label: 'label.account' },
account: { label: 'label.account' },
created: { label: 'label.date', converter: cloudStack.converters.toLocalDate }
},
@ -329,6 +330,7 @@
label: 'label.menu.alerts',
fields: {
description: { label: 'label.description' },
type: {label:'Type'},
sent: { label: 'label.date', converter: cloudStack.converters.toLocalDate }
},
@ -347,7 +349,7 @@
title:'Delete Alerts',
desc: '',
fields: {
type: { label: 'By event type' , docID:'helpAlertsDeleteType'},
type: { label: 'By Alert type' , docID:'helpAlertsDeleteType'},
date: { label: 'By date (older than)' ,docID:'helpAlertsDeleteDate', isDatepicker: true }
}
},
@ -393,7 +395,7 @@
title:'Archive Alerts',
desc: '',
fields: {
type: { label: 'By event type', docID:'helpAlertsArchiveType' },
type: { label: 'By Alert type', docID:'helpAlertsArchiveType' },
date: { label: 'By date (older than)' , docID:'helpAlertsArchiveDate', isDatepicker: true }
}
},

9
ui/scripts/vpc.js
View File

@ -950,7 +950,14 @@
id: { label: 'label.id' },
zonename: { label: 'label.zone' },
domain: { label: 'label.domain' },
account: { label: 'label.account' }
account: { label: 'label.account' },
sourcenatsupported:{
label: 'SourceNAT Supported' ,
converter: function(str) {
return str ? 'Yes' : 'No';
}
}
}
],
dataProvider: function(args) {