etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

CLOUDSTACK-779 Egress firewall rules support for Juniper SRX

This commit is contained in:
Jayapal 2013-04-10 18:04:02 +05:30 committed by Sheng Yang
parent ee0a91d111
commit a4a059c043
7 changed files with 328 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
api/src/com/cloud/agent/api/to/FirewallRuleTO.java
View File

@ -23,6 +23,7 @@ import org.apache.cloudstack.api.InternalIdentity;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.FirewallRule.State;
import com.cloud.network.rules.FirewallRule.TrafficType;
import com.cloud.utils.net.NetUtils;
/**
@ -109,6 +110,11 @@ public class FirewallRuleTO implements InternalIdentity {
this(rule.getId(),srcVlanTag, srcIp, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), revokeState, alreadyAdded, purpose,rule.getSourceCidrList(),rule.getIcmpType(),rule.getIcmpCode());
}
public FirewallRuleTO(FirewallRule rule, String guestVlanTag, FirewallRule.TrafficType trafficType) {
this(rule.getId(), guestVlanTag, null, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getState()==State.Revoke, rule.getState()==State.Active, rule.getPurpose(), rule.getSourceCidrList(), rule.getIcmpType(), rule.getIcmpCode());
this.trafficType = trafficType;
}
public FirewallRule.TrafficType getTrafficType(){
return trafficType;
}

2
plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
View File

@ -274,7 +274,7 @@ PortForwardingServiceProvider, RemoteAccessVPNServiceProvider, IpDeployer, Junip
firewallCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp");
firewallCapabilities.put(Capability.MultipleIps, "true");
firewallCapabilities.put(Capability.TrafficStatistics, "per public ip");
firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress");
firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress, egress");
capabilities.put(Service.Firewall, firewallCapabilities);
// Disabling VPN for Juniper in Acton as it 1) Was never tested 2) probably just doesn't work

322
plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java
View File

@ -303,7 +303,7 @@ public class JuniperSrxResource implements ServerResource {
}
private enum Protocol {
tcp, udp, icmp, any;
tcp, udp, icmp, all, any;
}
private enum RuleMatchCondition {
@ -320,7 +320,8 @@ public class JuniperSrxResource implements ServerResource {
private enum SecurityPolicyType {
STATIC_NAT("staticnat"),
DESTINATION_NAT("destnat"),
VPN("vpn");
VPN("vpn"),
SECURITYPOLICY_EGRESS("egress");
private String identifier;
@ -776,6 +777,43 @@ public class JuniperSrxResource implements ServerResource {
s_logger.debug(msg);
}
private Map<String, ArrayList<FirewallRuleTO>> getActiveFirewallEgressRules(FirewallRuleTO[] allRules) {
Map<String, ArrayList<FirewallRuleTO>> activeRules = new HashMap<String, ArrayList<FirewallRuleTO>>();
for (FirewallRuleTO rule : allRules) {
String guestVlan;
guestVlan = rule.getSrcVlanTag();
ArrayList<FirewallRuleTO> activeRulesForNetwork = activeRules.get(guestVlan);
if (activeRulesForNetwork == null) {
activeRulesForNetwork = new ArrayList<FirewallRuleTO>();
}
if (!rule.revoked() || rule.isAlreadyAdded()) {
activeRulesForNetwork.add(rule);
}
activeRules.put(guestVlan, activeRulesForNetwork);
}
return activeRules;
}
private List<String> extractCidrs(List<FirewallRuleTO> rules) throws ExecutionException {
List<String> allCidrs = new ArrayList<String>();
List<String> cidrs = new ArrayList<String>();
for (FirewallRuleTO rule : rules) {
cidrs = (rule.getSourceCidrList());
for (String cidr: cidrs) {
if (!allCidrs.contains(cidr)) {
allCidrs.add(cidr);
}
}
}
return allCidrs;
}
/* security policies */
private synchronized Answer execute(SetFirewallRulesCommand cmd) {
@ -787,24 +825,39 @@ public class JuniperSrxResource implements ServerResource {
FirewallRuleTO[] rules = cmd.getRules();
try {
openConfiguration();
if (rules[0].getTrafficType() == FirewallRule.TrafficType.Egress) {
Map<String, ArrayList<FirewallRuleTO>> activeRules = getActiveFirewallEgressRules(rules);
Set<String> guestVlans = activeRules.keySet();
List<String> cidrs = new ArrayList();
for (FirewallRuleTO rule : rules) {
int startPort = 0, endPort = 0;
if (rule.getSrcPortRange() != null) {
startPort = rule.getSrcPortRange()[0];
endPort = rule.getSrcPortRange()[1];
for (String guestVlan : guestVlans) {
List<FirewallRuleTO> activeRulesForGuestNw = activeRules.get(guestVlan);
removeEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS, guestVlan, extractCidrs(activeRulesForGuestNw));
if (activeRulesForGuestNw.size() > 0) {
addEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS, guestVlan, extractApplications(activeRulesForGuestNw), extractCidrs(activeRulesForGuestNw));
}
}
FirewallFilterTerm term = new FirewallFilterTerm(genIpIdentifier(rule.getSrcIp()) + "-" + String.valueOf(rule.getId()), rule.getSourceCidrList(),
rule.getSrcIp(), rule.getProtocol(), startPort, endPort,
rule.getIcmpType(), rule.getIcmpCode(), genIpIdentifier(rule.getSrcIp()) + _usageFilterIPInput.getCounterIdentifier());
if (!rule.revoked()) {
manageFirewallFilter(SrxCommand.ADD, term, _publicZoneInputFilterName);
} else {
manageFirewallFilter(SrxCommand.DELETE, term, _publicZoneInputFilterName);
commitConfiguration();
} else {
for (FirewallRuleTO rule : rules) {
int startPort = 0, endPort = 0;
if (rule.getSrcPortRange() != null) {
startPort = rule.getSrcPortRange()[0];
endPort = rule.getSrcPortRange()[1];
FirewallFilterTerm term = new FirewallFilterTerm(genIpIdentifier(rule.getSrcIp()) + "-" + String.valueOf(rule.getId()), rule.getSourceCidrList(),
rule.getSrcIp(), rule.getProtocol(), startPort, endPort,
rule.getIcmpType(), rule.getIcmpCode(), genIpIdentifier(rule.getSrcIp()) + _usageFilterIPInput.getCounterIdentifier());
if (!rule.revoked()) {
manageFirewallFilter(SrxCommand.ADD, term, _publicZoneInputFilterName);
} else {
manageFirewallFilter(SrxCommand.DELETE, term, _publicZoneInputFilterName);
}
}
commitConfiguration();
}
}
commitConfiguration();
return new Answer(cmd);
} catch (ExecutionException e) {
s_logger.error(e);
@ -992,7 +1045,7 @@ public class JuniperSrxResource implements ServerResource {
// Delete all security policies
for (String securityPolicyName : getVpnObjectNames(SrxXml.SECURITY_POLICY_GETALL, accountId)) {
manageSecurityPolicy(SecurityPolicyType.VPN, SrxCommand.DELETE, accountId, null, null, null, securityPolicyName);
manageSecurityPolicy(SecurityPolicyType.VPN, SrxCommand.DELETE, accountId, null, null, null, null, securityPolicyName);
}
// Delete all address book entries
@ -1064,7 +1117,7 @@ public class JuniperSrxResource implements ServerResource {
manageAddressBookEntry(srxCmd, _privateZone , guestNetworkCidr, ipsecVpnName);
// Security policy
manageSecurityPolicy(SecurityPolicyType.VPN, srxCmd, null, null, guestNetworkCidr, null, ipsecVpnName);
manageSecurityPolicy(SecurityPolicyType.VPN, srxCmd, null, null, guestNetworkCidr, null, null, ipsecVpnName);
}
commitConfiguration();
@ -2455,38 +2508,44 @@ public class JuniperSrxResource implements ServerResource {
* Applications
*/
private String genApplicationName(Protocol protocol, int startPort, int endPort) {
private String genApplicationName(SecurityPolicyType type, Protocol protocol, int startPort, int endPort) {
if (protocol.equals(Protocol.any)) {
return Protocol.any.toString();
} else {
return genObjectName(protocol.toString(), String.valueOf(startPort), String.valueOf(endPort));
if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) {
return genObjectName(type.getIdentifier(), protocol.toString(), String.valueOf(startPort), String.valueOf(endPort));
} else {
return genObjectName(protocol.toString(), String.valueOf(startPort), String.valueOf(endPort));
}
}
}
private Object[] parseApplicationName(String applicationName) throws ExecutionException {
private Object[] parseApplicationName(SecurityPolicyType type, String applicationName) throws ExecutionException {
String errorMsg = "Invalid application: " + applicationName;
String[] applicationComponents = applicationName.split("-");
Protocol protocol;
Integer startPort;
Integer endPort;
int offset = 0;
try {
protocol = getProtocol(applicationComponents[0]);
startPort = Integer.parseInt(applicationComponents[1]);
endPort = Integer.parseInt(applicationComponents[2]);
} catch (Exception e) {
offset = type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS) ? 1 : 0;
protocol = getProtocol(applicationComponents[offset + 0]);
startPort = Integer.parseInt(applicationComponents[offset + 1]);
endPort = Integer.parseInt(applicationComponents[offset + 2]);
} catch (Exception e) {
throw new ExecutionException(errorMsg);
}
return new Object[]{protocol, startPort, endPort};
}
private boolean manageApplication(SrxCommand command, Protocol protocol, int startPort, int endPort) throws ExecutionException {
private boolean manageApplication(SecurityPolicyType type, SrxCommand command, Protocol protocol, int startPort, int endPort) throws ExecutionException {
if (protocol.equals(Protocol.any)) {
return true;
}
String applicationName = genApplicationName(protocol, startPort, endPort);
String applicationName = genApplicationName(type, protocol, startPort, endPort);
String xml;
switch (command) {
@ -2498,23 +2557,28 @@ public class JuniperSrxResource implements ServerResource {
return sendRequestAndCheckResponse(command, xml, "name", applicationName);
case ADD:
if (manageApplication(SrxCommand.CHECK_IF_EXISTS, protocol, startPort, endPort)) {
if (manageApplication(type, SrxCommand.CHECK_IF_EXISTS, protocol, startPort, endPort)) {
return true;
}
String icmpOrDestPort;
xml = SrxXml.APPLICATION_ADD.getXml();
xml = replaceXmlValue(xml, "name", applicationName);
xml = replaceXmlValue(xml, "protocol", protocol.toString());
String destPort;
if (startPort == endPort) {
destPort = String.valueOf(startPort);
if (protocol.toString() == Protocol.icmp.toString()) {
icmpOrDestPort = "<icmp-type>" + startPort + "</icmp-type>";
icmpOrDestPort += "<icmp-code>" + endPort + "</icmp-code>";
} else {
destPort = startPort + "-" + endPort;
String destPort;
if (startPort == endPort) {
destPort = String.valueOf(startPort);
} else {
destPort = startPort + "-" + endPort;
}
icmpOrDestPort = "<destination-port>" + destPort + "</destination-port>";
}
xml = replaceXmlValue(xml, "dest-port", destPort);
xml = replaceXmlValue(xml, "dest-port-icmp", icmpOrDestPort);
if (!sendRequestAndCheckResponse(command, xml)) {
throw new ExecutionException("Failed to add application " + applicationName);
} else {
@ -2522,7 +2586,7 @@ public class JuniperSrxResource implements ServerResource {
}
case DELETE:
if (!manageApplication(SrxCommand.CHECK_IF_EXISTS, protocol, startPort, endPort)) {
if (!manageApplication(type, SrxCommand.CHECK_IF_EXISTS, protocol, startPort, endPort)) {
return true;
}
@ -2543,13 +2607,13 @@ public class JuniperSrxResource implements ServerResource {
}
private List<String> getUnusedApplications(List<String> applications) throws ExecutionException {
private List<String> getUnusedApplications(List<String> applications, String fromZone, String toZone) throws ExecutionException {
List<String> unusedApplications = new ArrayList<String>();
// Check if any of the applications are unused by existing security policies
String xml = SrxXml.SECURITY_POLICY_GETALL.getXml();
xml = replaceXmlValue(xml, "from-zone", _publicZone);
xml = replaceXmlValue(xml, "to-zone", _privateZone);
xml = replaceXmlValue(xml, "from-zone", fromZone);
xml = replaceXmlValue(xml, "to-zone", toZone);
String allPolicies = sendRequest(xml);
for (String application : applications) {
@ -2560,10 +2624,7 @@ public class JuniperSrxResource implements ServerResource {
return unusedApplications;
}
private List<String> getApplicationsForSecurityPolicy(SecurityPolicyType type, String privateIp) throws ExecutionException {
String fromZone = _publicZone;
String toZone = _privateZone;
private List<String> getApplicationsForSecurityPolicy(SecurityPolicyType type, String privateIp, String fromZone, String toZone) throws ExecutionException {
String policyName = genSecurityPolicyName(type, null, null, fromZone, toZone, privateIp);
String xml = SrxXml.SECURITY_POLICY_GETONE.getXml();
xml = setDelete(xml, false);
@ -2591,8 +2652,31 @@ public class JuniperSrxResource implements ServerResource {
for (FirewallRuleTO rule : rules) {
Object[] application = new Object[3];
application[0] = getProtocol(rule.getProtocol());
application[1] = rule.getSrcPortRange()[0];
application[2] = rule.getSrcPortRange()[1];
if (application[0] == Protocol.icmp) {
if (rule.getIcmpType() == -1) {
application[1] = 255;
} else {
application[1] = rule.getIcmpType();
}
if (rule.getIcmpCode() == -1) {
application[2] = 255;
} else {
application[2] = rule.getIcmpCode();
}
} else if (application[0] == Protocol.tcp || application[0] == Protocol.udp) {
if (rule.getSrcPortRange() != null) {
application[1] = rule.getSrcPortRange()[0];
application[2] = rule.getSrcPortRange()[1];
} else {
application[1] = 0;
application[2] = 65535;
}
} else if (application[0] == Protocol.all) {
application[1] = 0;
application[2] = 65535;
}
applications.add(application);
}
@ -2611,16 +2695,20 @@ public class JuniperSrxResource implements ServerResource {
}
}
private boolean manageSecurityPolicy(SecurityPolicyType type, SrxCommand command, Long accountId, String username, String privateIp, List<String> applicationNames, String ipsecVpnName) throws ExecutionException {
private boolean manageSecurityPolicy(SecurityPolicyType type, SrxCommand command, Long accountId, String username, String privateIp, List<String> applicationNames, List<String> cidrs, String ipsecVpnName) throws ExecutionException {
String fromZone = _publicZone;
String toZone = _privateZone;
String securityPolicyName;
String addressBookEntryName;
String addressBookEntryName = null;
if (type.equals(SecurityPolicyType.VPN) && ipsecVpnName != null) {
securityPolicyName = ipsecVpnName;
addressBookEntryName = ipsecVpnName;
securityPolicyName = ipsecVpnName;
addressBookEntryName = ipsecVpnName;
} else if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) {
fromZone = _privateZone;
toZone = _publicZone;
securityPolicyName = genSecurityPolicyName(type, accountId, username, fromZone, toZone, privateIp);
} else {
securityPolicyName = genSecurityPolicyName(type, accountId, username, fromZone, toZone, privateIp);
addressBookEntryName = genAddressBookEntryName(privateIp);
@ -2661,17 +2749,38 @@ public class JuniperSrxResource implements ServerResource {
return false;
case ADD:
if (!manageAddressBookEntry(SrxCommand.CHECK_IF_EXISTS, toZone, privateIp, ipsecVpnName)) {
throw new ExecutionException("No address book entry for policy: " + securityPolicyName);
if (!type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) {
if (!manageAddressBookEntry(SrxCommand.CHECK_IF_EXISTS, toZone, privateIp, addressBookEntryName)) {
throw new ExecutionException("No address book entry for policy: " + securityPolicyName);
}
}
String srcAddrs = "";
String dstAddrs = "";
xml = SrxXml.SECURITY_POLICY_ADD.getXml();
xml = replaceXmlValue(xml, "policy-name", securityPolicyName);
if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) {
xml = replaceXmlValue(xml, "from-zone", _privateZone);
xml = replaceXmlValue(xml, "to-zone", _publicZone);
if (cidrs == null) {
srcAddrs = "<source-address>any</source-address>";
} else {
for (String cidr : cidrs) {
srcAddrs += "<source-address>" + genAddressBookEntryName(cidr) + "</source-address>";
}
}
xml = replaceXmlValue(xml, "src-address", srcAddrs);
dstAddrs = "<destination-address>any</destination-address>";
xml = replaceXmlValue(xml, "dst-address", dstAddrs);
} else {
xml = replaceXmlValue(xml, "from-zone", fromZone);
xml = replaceXmlValue(xml, "to-zone", toZone);
srcAddrs = "<source-address>any</source-address>";
xml = replaceXmlValue(xml, "src-address", srcAddrs);
dstAddrs = "<destination-address>" + addressBookEntryName + "</destination-address>";
xml = replaceXmlValue(xml, "dst-address", dstAddrs);
}
xml = SrxXml.SECURITY_POLICY_ADD.getXml();
xml = replaceXmlValue(xml, "from-zone", fromZone);
xml = replaceXmlValue(xml, "to-zone", toZone);
xml = replaceXmlValue(xml, "policy-name", securityPolicyName);
xml = replaceXmlValue(xml, "src-address", "any");
xml = replaceXmlValue(xml, "dest-address", addressBookEntryName);
if (type.equals(SecurityPolicyType.VPN) && ipsecVpnName != null) {
xml = replaceXmlValue(xml, "tunnel", "<tunnel><ipsec-vpn>" + ipsecVpnName + "</ipsec-vpn></tunnel>");
} else {
@ -2679,7 +2788,7 @@ public class JuniperSrxResource implements ServerResource {
}
String applications;
if (applicationNames == null) {
if (applicationNames == null || applicationNames.size() == 0) {
applications = "<application>any</application>";
} else {
applications = "";
@ -2697,11 +2806,11 @@ public class JuniperSrxResource implements ServerResource {
}
case DELETE:
if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp, applicationNames, ipsecVpnName)) {
if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp, applicationNames, cidrs, ipsecVpnName)) {
return true;
}
if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp, applicationNames, ipsecVpnName)) {
if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp, applicationNames, cidrs, ipsecVpnName)) {
return true;
}
@ -2757,42 +2866,42 @@ public class JuniperSrxResource implements ServerResource {
int startPort = application[1] != null ? ((Integer) application[1]) : -1;
int endPort = application[2] != null ? ((Integer) application[2]) : -1;
String applicationName = genApplicationName(protocol, startPort, endPort);
String applicationName = genApplicationName(type, protocol, startPort, endPort);
if (!applicationNames.contains(applicationName)) {
applicationNames.add(applicationName);
}
manageApplication(SrxCommand.ADD, protocol, startPort, endPort);
manageApplication(type, SrxCommand.ADD, protocol, startPort, endPort);
}
// Add a new security policy
manageSecurityPolicy(type, SrxCommand.ADD, null, null, privateIp, applicationNames, null);
manageSecurityPolicy(type, SrxCommand.ADD, null, null, privateIp, applicationNames, null, null);
return true;
}
private boolean removeSecurityPolicyAndApplications(SecurityPolicyType type, String privateIp) throws ExecutionException {
if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp, null, null)) {
if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp, null,null, null)) {
return true;
}
if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp, null, null)) {
if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp, null, null, null)) {
return true;
}
// Get a list of applications for this security policy
List<String> applications = getApplicationsForSecurityPolicy(type, privateIp);
List<String> applications = getApplicationsForSecurityPolicy(type, privateIp, _publicZone, _privateZone);
// Remove the security policy
manageSecurityPolicy(type, SrxCommand.DELETE, null, null, privateIp, null, null);
// Remove the security policy
manageSecurityPolicy(type, SrxCommand.DELETE, null, null, privateIp, null, null, null);
// Remove any applications for the removed security policy that are no longer in use
List<String> unusedApplications = getUnusedApplications(applications);
List<String> unusedApplications = getUnusedApplications(applications, _publicZone, _privateZone);
for (String application : unusedApplications) {
Object[] applicationComponents;
try {
applicationComponents = parseApplicationName(application);
applicationComponents = parseApplicationName(type, application);
} catch (ExecutionException e) {
s_logger.error("Found an invalid application: " + application + ". Not attempting to clean up.");
continue;
@ -2800,13 +2909,78 @@ public class JuniperSrxResource implements ServerResource {
Protocol protocol = (Protocol) applicationComponents[0];
Integer startPort = (Integer) applicationComponents[1];
Integer endPort = (Integer) applicationComponents[2];
manageApplication(SrxCommand.DELETE, protocol, startPort, endPort);
Integer endPort = (Integer) applicationComponents[2];
manageApplication(type, SrxCommand.DELETE, protocol, startPort, endPort);
}
return true;
}
private boolean removeEgressSecurityPolicyAndApplications(SecurityPolicyType type, String guestVlan, List <String> cidrs) throws ExecutionException {
if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, guestVlan, null, cidrs, null)) {
return true;
}
// Get a list of applications for this security policy
List<String> applications;
applications = getApplicationsForSecurityPolicy(type, guestVlan, _privateZone, _publicZone);
// Remove the security policy even if it is in use
manageSecurityPolicy(type, SrxCommand.DELETE, null, null, guestVlan, null, cidrs, null);
// Remove any applications for the removed security policy that are no longer in use
List<String> unusedApplications;
unusedApplications = getUnusedApplications(applications, _privateZone, _publicZone);
for (String application : unusedApplications) {
Object[] applicationComponents;
try {
applicationComponents = parseApplicationName(type, application);
} catch (ExecutionException e) {
s_logger.error("Found an invalid application: " + application + ". Not attempting to clean up.");
continue;
}
Protocol protocol = (Protocol) applicationComponents[0];
Integer startPort = (Integer) applicationComponents[1];
Integer endPort = (Integer) applicationComponents[2];
manageApplication(type, SrxCommand.DELETE, protocol, startPort, endPort);
}
for (String cidr: cidrs) {
manageAddressBookEntry(SrxCommand.DELETE, _publicZone, cidr, null);
}
return true;
}
private boolean addEgressSecurityPolicyAndApplications(SecurityPolicyType type, String guestVlan, List<Object[]> applications, List <String> cidrs) throws ExecutionException {
// Add all necessary applications
List<String> applicationNames = new ArrayList<String>();
for (Object[] application : applications) {
Protocol protocol = (Protocol) application[0];
if (!protocol.equals(Protocol.all)) {
int startPort = application[1] != null ? ((Integer) application[1]) : 0;
int endPort = application[2] != null ? ((Integer) application[2]) : 65535;
String applicationName = genApplicationName(type, protocol, startPort, endPort);
if (!applicationNames.contains(applicationName)) {
applicationNames.add(applicationName);
}
manageApplication(type, SrxCommand.ADD, protocol, startPort, endPort);
}
}
for (String cidr: cidrs) {
manageAddressBookEntry(SrxCommand.ADD, _privateZone, cidr, null);
}
// Add a new security policy
manageSecurityPolicy(type, SrxCommand.ADD, null, null, guestVlan, applicationNames, cidrs, null);
s_logger.debug("Added Egress firewall rule for guest network " + guestVlan);
return true;
}
/*
* Filter terms
*/

2
scripts/network/juniper/application-add.xml
View File

@ -23,7 +23,7 @@ under the License.
<application>
<name>%name%</name>
<protocol>%protocol%</protocol>
<destination-port>%dest-port%</destination-port>
%dest-port-icmp%
</application>
</applications>
</configuration>

4
scripts/network/juniper/security-policy-add.xml
View File

@ -27,8 +27,8 @@ under the License.
<policy>
<name>%policy-name%</name>
<match>
<source-address>%src-address%</source-address>
<destination-address>%dest-address%</destination-address>
%src-address%
%dst-address%
%applications%
</match>
<then>

12
server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java
View File

@ -1,3 +1,4 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
@ -541,8 +542,15 @@ public abstract class ExternalFirewallDeviceManagerImpl extends AdapterBase impl
if (rule.getSourceCidrList() == null && (rule.getPurpose() == Purpose.Firewall || rule.getPurpose() == Purpose.NetworkACL)) {
_fwRulesDao.loadSourceCidrs((FirewallRuleVO)rule);
}
IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr());
FirewallRuleTO ruleTO;
if (rule.getPurpose() == Purpose.Firewall && rule.getTrafficType() == FirewallRule.TrafficType.Egress) {
String guestVlanTag = network.getBroadcastUri().getHost();
String guestCidr = network.getCidr();
ruleTO = new FirewallRuleTO(rule, guestVlanTag, rule.getTrafficType());
} else {
IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr());
}
rulesTO.add(ruleTO);
}

60
server/src/com/cloud/upgrade/dao/Upgrade410to420.java
View File

@ -65,6 +65,7 @@ public class Upgrade410to420 implements DbUpgrade {
updateSystemVmTemplates(conn);
updateCluster_details(conn);
updatePrimaryStore(conn);
addEgressFwRulesForSRXGuestNw(conn);
}
private void updateSystemVmTemplates(Connection conn) {
@ -305,4 +306,63 @@ public class Upgrade410to420 implements DbUpgrade {
}
}
}
private void addEgressFwRulesForSRXGuestNw(Connection conn) {
PreparedStatement pstmt = null;
ResultSet rs = null;
ResultSet rsId = null;
ResultSet rsNw = null;
try {
pstmt = conn.prepareStatement("select network_id FROM `cloud`.`ntwk_service_map` where service='Firewall' and provider='JuniperSRX' ");
rs = pstmt.executeQuery();
while (rs.next()) {
long netId = rs.getLong(1);
//checking for Isolated OR Virtual
pstmt = conn.prepareStatement("select account_id, domain_id FROM `cloud`.`networks` where (guest_type='Isolated' OR guest_type='Virtual') and traffic_type='Guest' and vpc_id is NULL and (state='implemented' OR state='Shutdown') and id=? ");
pstmt.setLong(1, netId);
s_logger.debug("Getting account_id, domain_id from networks table: " + pstmt);
rsNw = pstmt.executeQuery();
if(rsNw.next()) {
long accountId = rsNw.getLong(1);
long domainId = rsNw.getLong(2);
//Add new rule for the existing networks
s_logger.debug("Adding default egress firewall rule for network " + netId);
pstmt = conn.prepareStatement("INSERT INTO firewall_rules (uuid, state, protocol, purpose, account_id, domain_id, network_id, xid, created, traffic_type) VALUES (?, 'Active', 'all', 'Firewall', ?, ?, ?, ?, now(), 'Egress')");
pstmt.setString(1, UUID.randomUUID().toString());
pstmt.setLong(2, accountId);
pstmt.setLong(3, domainId);
pstmt.setLong(4, netId);
pstmt.setString(5, UUID.randomUUID().toString());
s_logger.debug("Inserting default egress firewall rule " + pstmt);
pstmt.executeUpdate();
pstmt = conn.prepareStatement("select id from firewall_rules where protocol='all' and network_id=?");
pstmt.setLong(1, netId);
rsId = pstmt.executeQuery();
long firewallRuleId;
if(rsId.next()) {
firewallRuleId = rsId.getLong(1);
pstmt = conn.prepareStatement("insert into firewall_rules_cidrs (firewall_rule_id,source_cidr) values (?, '0.0.0.0/0')");
pstmt.setLong(1, firewallRuleId);
s_logger.debug("Inserting rule for cidr 0.0.0.0/0 for the new Firewall rule id=" + firewallRuleId + " with statement " + pstmt);
pstmt.executeUpdate();
}
}
}
} catch (SQLException e) {
throw new CloudRuntimeException("Unable to set egress firewall rules ", e);
} finally {
try {
if (rs != null) {
rs.close();
}
if (pstmt != null) {
pstmt.close();
}
} catch (SQLException e) {
}
}
}
}