diff --git a/api/src/com/cloud/api/ResponseGenerator.java b/api/src/com/cloud/api/ResponseGenerator.java index c21a1ece6d4..37ec55bb2c3 100755 --- a/api/src/com/cloud/api/ResponseGenerator.java +++ b/api/src/com/cloud/api/ResponseGenerator.java @@ -180,7 +180,7 @@ public interface ResponseGenerator { SecurityGroupResponse createSecurityGroupResponseFromIngressRule(List ingressRules); - SecurityGroupResponse createSecurityGroupResponseFromEgressRule(List egressRules); + SecurityGroupResponse createSecurityGroupResponseFromEgressRule(List egressRules); SecurityGroupResponse createSecurityGroupResponse(SecurityGroup group); diff --git a/api/src/com/cloud/api/commands/AuthorizeSecurityGroupEgressCmd.java b/api/src/com/cloud/api/commands/AuthorizeSecurityGroupEgressCmd.java index 53979a6fca3..e7c89e6e827 100644 --- a/api/src/com/cloud/api/commands/AuthorizeSecurityGroupEgressCmd.java +++ b/api/src/com/cloud/api/commands/AuthorizeSecurityGroupEgressCmd.java 
@@ -37,17 +37,17 @@ import com.cloud.api.response.SecurityGroupResponse; import com.cloud.async.AsyncJob; import com.cloud.event.EventTypes; import com.cloud.exception.InvalidParameterValueException; -import com.cloud.network.security.IngressRule; +import com.cloud.network.security.EgressRule; import com.cloud.user.Account; import com.cloud.user.UserContext; import com.cloud.utils.StringUtils; -@Implementation(responseObject = EgressRuleResponse.class, description = "Authorizes a particular egress rule for this security group") +@Implementation(responseObject = EgressRuleResponse.class, description = "Authorizes a particular ingress rule for this security group") @SuppressWarnings("rawtypes") public class AuthorizeSecurityGroupEgressCmd extends BaseAsyncCmd { public static final Logger s_logger = Logger.getLogger(AuthorizeSecurityGroupEgressCmd.class.getName()); - private static final String s_name = "authorizesecuritygroupegress"; + private static final String s_name = "authorizesecuritygroupingress"; // /////////////////////////////////////////////////// // ////////////// API parameters ///////////////////// 
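Review bot: The command name and description of AuthorizeSecurityGroupEgressCmd are switched to the ingress wording, so `s_name` becomes `"authorizesecuritygroupingress"` on the egress command; that string is presumably the one AuthorizeSecurityGroupIngressCmd already uses, so API clients could no longer tell the two responses apart. Keep `private static final String s_name = "authorizesecuritygroupegress";` and the annotation text `"Authorizes a particular egress rule for this security group"`. The `IngressRule` → `EgressRule` import swap is the only change in this hunk that belongs with the new egress type.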
@@ -56,10 +56,10 @@ public class AuthorizeSecurityGroupEgressCmd extends BaseAsyncCmd { @Parameter(name = ApiConstants.PROTOCOL, type = CommandType.STRING, description = "TCP is default. UDP is the other supported protocol") private String protocol; - @Parameter(name = ApiConstants.START_PORT, type = CommandType.INTEGER, description = "start port for this egress rule") + @Parameter(name = ApiConstants.START_PORT, type = CommandType.INTEGER, description = "start port for this ingress rule") private Integer startPort; - @Parameter(name = ApiConstants.END_PORT, type = CommandType.INTEGER, description = "end port for this egress rule") + @Parameter(name = ApiConstants.END_PORT, type = CommandType.INTEGER, description = "end port for this ingress rule") private Integer endPort; @Parameter(name = ApiConstants.ICMP_TYPE, type = CommandType.INTEGER, description = "type of the icmp message being sent") @@ -177,7 +177,7 @@ public class AuthorizeSecurityGroupEgressCmd extends BaseAsyncCmd { @Override public String getEventType() { - return EventTypes.EVENT_SECURITY_GROUP_AUTHORIZE_EGRESS; + return EventTypes.EVENT_SECURITY_GROUP_AUTHORIZE_INGRESS; } @Override 
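Review bot: `getEventType()` now returns `EVENT_SECURITY_GROUP_AUTHORIZE_INGRESS` for an egress authorization, so the event/audit log records outbound rule additions as inbound ones and anything alerting on `SG.AUTH.EGRESS` goes quiet. The parameter descriptions in the earlier hunk (`"start port for this ingress rule"`, `"end port for this ingress rule"`) carry the same direction flip into the generated API docs. Keep `return EventTypes.EVENT_SECURITY_GROUP_AUTHORIZE_EGRESS;` and retain that constant in EventTypes, which this commit removes. Both enclosing methods are cut at the hunk edges.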
@@ -203,20 +203,20 @@ public class AuthorizeSecurityGroupEgressCmd extends BaseAsyncCmd { sb.append("cidr list: "); sb.append(StringUtils.join(getCidrList(), ", ")); } else { - sb.append(""); + sb.append(""); } - return "authorizing egress to group: " + getSecurityGroupId() + " to " + sb.toString(); + return "authorizing ingress to group: " + getSecurityGroupId() + " to " + sb.toString(); } @Override public void execute() { - List egressRules = _securityGroupService.authorizeSecurityGroupEgress(this); + List egressRules = _securityGroupService.authorizeSecurityGroupEgress(this); if (egressRules != null && !egressRules.isEmpty()) { SecurityGroupResponse response = _responseGenerator.createSecurityGroupResponseFromEgressRule(egressRules); this.setResponseObject(response); } else { - throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to authorize security group egress rule(s)"); + throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to authorize security group ingress rule(s)"); } } diff --git a/api/src/com/cloud/api/commands/RevokeSecurityGroupEgressCmd.java b/api/src/com/cloud/api/commands/RevokeSecurityGroupEgressCmd.java index 4b249041d70..bfddc9ebc5b 100644 --- a/api/src/com/cloud/api/commands/RevokeSecurityGroupEgressCmd.java +++ b/api/src/com/cloud/api/commands/RevokeSecurityGroupEgressCmd.java 
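Review bot: `getEventDescription()` now reports `"authorizing ingress to group: …"` and `execute()` fails with `"Failed to authorize security group ingress rule(s)"`, while the call in between is still `_securityGroupService.authorizeSecurityGroupEgress(this)`; an operator reading the event stream or the error would look at the wrong rule set. Keep the egress wording in both strings, i.e. `return "authorizing egress to group: " + getSecurityGroupId() + " to " + sb.toString();` and `"Failed to authorize security group egress rule(s)"`. `execute()` continues past the end of the hunk.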
@@ -32,17 +32,17 @@ import com.cloud.event.EventTypes; import com.cloud.network.security.SecurityGroup; import com.cloud.user.Account; -@Implementation(responseObject = SuccessResponse.class, description = "Deletes a particular egress rule from this security group") +@Implementation(responseObject = SuccessResponse.class, description = "Deletes a particular ingress rule from this security group") public class RevokeSecurityGroupEgressCmd extends BaseAsyncCmd { public static final Logger s_logger = Logger.getLogger(RevokeSecurityGroupEgressCmd.class.getName()); - private static final String s_name = "revokesecuritygroupegress"; + private static final String s_name = "revokesecuritygroupingress"; // /////////////////////////////////////////////////// // ////////////// API parameters ///////////////////// // /////////////////////////////////////////////////// - @Parameter(name = ApiConstants.ID, type = CommandType.LONG, required = true, description = "The ID of the egress rule") + @Parameter(name = ApiConstants.ID, type = CommandType.LONG, required = true, description = "The ID of the ingress rule") private Long id; // /////////////////////////////////////////////////// @@ -63,7 +63,7 @@ public class RevokeSecurityGroupEgressCmd extends BaseAsyncCmd { } public static String getResultObjectName() { - return "revokesecuritygroupegress"; + return "revokesecuritygroupingress"; } @Override @@ -78,12 +78,12 @@ public class RevokeSecurityGroupEgressCmd extends BaseAsyncCmd { @Override public String getEventType() { - return EventTypes.EVENT_SECURITY_GROUP_REVOKE_EGRESS; + return EventTypes.EVENT_SECURITY_GROUP_REVOKE_INGRESS; } @Override public String getEventDescription() { - return "revoking egress rule id: " + getId(); + return "revoking ingress rule id: " + getId(); } @Override 
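Review bot: RevokeSecurityGroupEgressCmd is renamed at the API level to `"revokesecuritygroupingress"` in both `s_name` and `getResultObjectName()`, and `getEventType()` switches to `EVENT_SECURITY_GROUP_REVOKE_INGRESS`, so revoking an outbound rule becomes indistinguishable from revoking an inbound one in responses and in the event log. Restore `"revokesecuritygroupegress"` in both places and `return EventTypes.EVENT_SECURITY_GROUP_REVOKE_EGRESS;`, keeping that constant in EventTypes. The parameter description `"The ID of the ingress rule"` and the event description `"revoking ingress rule id: "` should likewise read egress.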
@@ -93,7 +93,7 @@ public class RevokeSecurityGroupEgressCmd extends BaseAsyncCmd { SuccessResponse response = new SuccessResponse(getCommandName()); this.setResponseObject(response); } else { - throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to revoke security group egress rule"); + throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to revoke security group ingress rule"); } } diff --git a/api/src/com/cloud/api/response/EgressRuleResponse.java b/api/src/com/cloud/api/response/EgressRuleResponse.java index daafb511650..ca3b9fba49d 100644 --- a/api/src/com/cloud/api/response/EgressRuleResponse.java +++ b/api/src/com/cloud/api/response/EgressRuleResponse.java @@ -22,10 +22,10 @@ import com.cloud.serializer.Param; import com.google.gson.annotations.SerializedName; public class EgressRuleResponse extends BaseResponse { - @SerializedName("ruleid") @Param(description="the id of the egress rule") + @SerializedName("ruleid") @Param(description="the id of the ingress rule") private Long ruleId; - @SerializedName("protocol") @Param(description="the protocol of the egress rule") + @SerializedName("protocol") @Param(description="the protocol of the ingress rule") private String protocol; @SerializedName(ApiConstants.ICMP_TYPE) @Param(description="the type of the ICMP message response") 
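Review bot: The `@Param` descriptions in EgressRuleResponse now say "ingress" for fields of the egress response (`"the id of the ingress rule"`, `"the protocol of the ingress rule"`), and these strings are what the API documentation generator publishes. Revert to `"the id of the egress rule"` and `"the protocol of the egress rule"`. The Revoke error message in the first hunk, `"Failed to revoke security group ingress rule"`, has the same problem and should keep the egress wording.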
@@ -34,19 +34,19 @@ public class EgressRuleResponse extends BaseResponse { @SerializedName(ApiConstants.ICMP_CODE) @Param(description="the code for the ICMP message response") private Integer icmpCode; - @SerializedName(ApiConstants.START_PORT) @Param(description="the starting IP of the egress rule") + @SerializedName(ApiConstants.START_PORT) @Param(description="the starting IP of the ingress rule") private Integer startPort; - @SerializedName(ApiConstants.END_PORT) @Param(description="the ending IP of the egress rule ") + @SerializedName(ApiConstants.END_PORT) @Param(description="the ending IP of the ingress rule ") private Integer endPort; @SerializedName(ApiConstants.SECURITY_GROUP_NAME) @Param(description="security group name") private String securityGroupName; - @SerializedName(ApiConstants.ACCOUNT) @Param(description="account owning the egress rule") + @SerializedName(ApiConstants.ACCOUNT) @Param(description="account owning the ingress rule") private String accountName; - @SerializedName(ApiConstants.CIDR) @Param(description="the CIDR notation for the base IP address of the egress rule") + @SerializedName(ApiConstants.CIDR) @Param(description="the CIDR notation for the base IP address of the ingress rule") private String cidr; public Long getRuleId() { diff --git a/api/src/com/cloud/api/response/SecurityGroupResponse.java b/api/src/com/cloud/api/response/SecurityGroupResponse.java index a39b845e882..b4d67466a64 100644 --- a/api/src/com/cloud/api/response/SecurityGroupResponse.java +++ b/api/src/com/cloud/api/response/SecurityGroupResponse.java 
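Review bot: `START_PORT` and `END_PORT` are described as `"the starting IP of the ingress rule"` / `"the ending IP of the ingress rule "`, which is wrong on both counts: the fields are ports, and this is the egress response. Use `"the starting port of the egress rule"` and `"the ending port of the egress rule"`, and change the account and CIDR descriptions back to "egress" as well. Since the CIDR on an egress rule is the allowed destination, `"the CIDR notation for the destination of the egress rule"` would be more accurate than "base IP address".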
@@ -51,8 +51,8 @@ public class SecurityGroupResponse extends BaseResponse { @SerializedName("ingressrule") @Param(description="the list of ingress rules associated with the security group", responseObject = IngressRuleResponse.class) private List ingressRules; - @SerializedName("egressrule") @Param(description="the list of egress rules associated with the security group", responseObject = EgressRuleResponse.class) - private List egressRules; + @SerializedName("egressrule") @Param(description="the list of ingress rules associated with the security group", responseObject = EgressRuleResponse.class) + private List egressRules; public Long getId() { return id; @@ -106,7 +106,7 @@ public class SecurityGroupResponse extends BaseResponse { return ingressRules; } - public List getEgressRules() { + public List getEgressRules() { return egressRules; } @@ -114,7 +114,7 @@ public class SecurityGroupResponse extends BaseResponse { this.ingressRules = ingressRules; } - public void setEgressRules(List egressRules) { + public void setEgressRules(List egressRules) { this.egressRules = egressRules; } diff --git a/api/src/com/cloud/event/EventTypes.java b/api/src/com/cloud/event/EventTypes.java index c76ac6ac391..07248e30ada 100755 --- a/api/src/com/cloud/event/EventTypes.java +++ b/api/src/com/cloud/event/EventTypes.java 
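Review bot: The `egressrule` field of SecurityGroupResponse is now documented as `"the list of ingress rules associated with the security group"`, so the generated API reference would show two fields with the same description and no way to tell which direction each list controls. Restore `"the list of egress rules associated with the security group"`; the generic-type change on `List egressRules` and its accessors is the only part of these hunks that is needed.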
@@ -170,10 +170,8 @@ public class EventTypes { public static final String EVENT_CONFIGURATION_VALUE_EDIT = "CONFIGURATION.VALUE.EDIT"; // Security Groups - public static final String EVENT_SECURITY_GROUP_AUTHORIZE_INGRESS = "SG.AUTH.INGRESS"; + public static final String EVENT_SECURITY_GROUP_AUTHORIZE_INGRESS = "SG.AUTH.INGRESS"; public static final String EVENT_SECURITY_GROUP_REVOKE_INGRESS = "SG.REVOKE.INGRESS"; - public static final String EVENT_SECURITY_GROUP_AUTHORIZE_EGRESS = "SG.AUTH.EGRESS"; - public static final String EVENT_SECURITY_GROUP_REVOKE_EGRESS = "SG.REVOKE.EGRESS"; public static final String EVENT_SECURITY_GROUP_CREATE = "SG.CREATE"; public static final String EVENT_SECURITY_GROUP_DELETE = "SG.DELETE"; diff --git a/api/src/com/cloud/network/security/IngressRule.java b/api/src/com/cloud/network/security/IngressRule.java index 70463ef3f46..6eaeabbcbb1 100644 --- a/api/src/com/cloud/network/security/IngressRule.java +++ b/api/src/com/cloud/network/security/IngressRule.java @@ -25,8 +25,6 @@ import com.cloud.async.AsyncInstanceCreateStatus; */ public interface IngressRule { long getId(); - - public int getType(); long getSecurityGroupId(); diff --git a/api/src/com/cloud/network/security/SecurityGroupRules.java b/api/src/com/cloud/network/security/SecurityGroupRules.java index ee723bd166c..92ad02db00f 100644 --- a/api/src/com/cloud/network/security/SecurityGroupRules.java +++ b/api/src/com/cloud/network/security/SecurityGroupRules.java @@ -39,6 +39,4 @@ public interface SecurityGroupRules { Long getAllowedNetworkId(); String getAllowedSourceIpCidr(); - - int getType(); } diff --git a/api/src/com/cloud/network/security/SecurityGroupService.java b/api/src/com/cloud/network/security/SecurityGroupService.java index a22d9be20f3..1642a2e57dc 100644 --- a/api/src/com/cloud/network/security/SecurityGroupService.java +++ b/api/src/com/cloud/network/security/SecurityGroupService.java 
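Review bot: Removing `EVENT_SECURITY_GROUP_AUTHORIZE_EGRESS` and `EVENT_SECURITY_GROUP_REVOKE_EGRESS` (and pointing the egress commands at the INGRESS constants elsewhere in this commit) collapses inbound and outbound changes into one event type, so an audit query or detection rule can no longer see which direction a security-group change opened. Keep `public static final String EVENT_SECURITY_GROUP_AUTHORIZE_EGRESS = "SG.AUTH.EGRESS";` and `public static final String EVENT_SECURITY_GROUP_REVOKE_EGRESS = "SG.REVOKE.EGRESS";` and have the egress commands return them. The `getType()` removals in IngressRule and SecurityGroupRules look consistent with replacing the type discriminator by a separate egress entity.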
@@ -50,6 +50,6 @@ public interface SecurityGroupService { public List searchForSecurityGroupRules(ListSecurityGroupsCmd cmd) throws PermissionDeniedException, InvalidParameterValueException; public List authorizeSecurityGroupIngress(AuthorizeSecurityGroupIngressCmd cmd); - public List authorizeSecurityGroupEgress(AuthorizeSecurityGroupEgressCmd cmd); + public List authorizeSecurityGroupEgress(AuthorizeSecurityGroupEgressCmd cmd); } diff --git a/core/src/com/cloud/network/security/EgressRuleVO.java b/core/src/com/cloud/network/security/EgressRuleVO.java new file mode 100644 index 00000000000..01d7791ecb1 --- /dev/null +++ b/core/src/com/cloud/network/security/EgressRuleVO.java 
@@ -0,0 +1,126 @@ +/** + * Copyright (C) 2010 Cloud.com, Inc. All rights reserved. + * + * This software is licensed under the GNU General Public License v3 or later. + * + * It is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or any later version. + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + */ + +package com.cloud.network.security; + +import javax.persistence.Column; +import javax.persistence.Entity; +import javax.persistence.EnumType; +import javax.persistence.Enumerated; +import javax.persistence.GeneratedValue; +import javax.persistence.GenerationType; +import javax.persistence.Id; +import javax.persistence.Table; + +import com.cloud.async.AsyncInstanceCreateStatus; +import com.google.gson.annotations.Expose; + +@Entity +@Table(name = ("security_egress_rule")) +public class EgressRuleVO implements EgressRule { + @Id + @GeneratedValue(strategy = GenerationType.IDENTITY) + @Column(name = "id") + private long id; + + @Column(name = "security_group_id") + private long securityGroupId; + + @Column(name = "start_port") + private int startPort; + + @Column(name = "end_port") + private int endPort; + + @Column(name = "protocol") + private String protocol; + + @Column(name = "allowed_network_id", nullable = true) + private Long allowedNetworkId = null; + + @Column(name = "allowed_ip_cidr", nullable = true) + private String allowedDestinationIpCidr = null; + + @Expose + @Column(name = "create_status", updatable = true, nullable = false) + @Enumerated(value = EnumType.STRING) + private 
AsyncInstanceCreateStatus createStatus; + + public EgressRuleVO() { + } + + public EgressRuleVO(long securityGroupId, int fromPort, int toPort, String protocol, long allowedNetworkId) { + this.securityGroupId = securityGroupId; + this.startPort = fromPort; + this.endPort = toPort; + this.protocol = protocol; + this.allowedNetworkId = allowedNetworkId; + } + + public EgressRuleVO(long securityGroupId, int fromPort, int toPort, String protocol, String allowedIpCidr) { + this.securityGroupId = securityGroupId; + this.startPort = fromPort; + this.endPort = toPort; + this.protocol = protocol; + this.allowedDestinationIpCidr = allowedIpCidr; + } + + @Override + public long getId() { + return id; + } + + @Override + public long getSecurityGroupId() { + return securityGroupId; + } + + @Override + public int getStartPort() { + return startPort; + } + + @Override + public int getEndPort() { + return endPort; + } + + @Override + public String getProtocol() { + return protocol; + } + + @Override + public AsyncInstanceCreateStatus getCreateStatus() { + return createStatus; + } + + public void setCreateStatus(AsyncInstanceCreateStatus createStatus) { + this.createStatus = createStatus; + } + + @Override + public Long getAllowedNetworkId() { + return allowedNetworkId; + } + + @Override + public String getAllowedDestinationIpCidr() { + return allowedDestinationIpCidr; + } +} diff --git a/core/src/com/cloud/network/security/IngressRuleVO.java b/core/src/com/cloud/network/security/IngressRuleVO.java index 79e29c816cd..aeb1170e101 100644 --- a/core/src/com/cloud/network/security/IngressRuleVO.java +++ b/core/src/com/cloud/network/security/IngressRuleVO.java @@ -46,9 +46,6 @@ public class IngressRuleVO implements IngressRule { @Column(name = "end_port") private int endPort; - - @Column(name = "type") - private int type; @Column(name = "protocol") private String protocol; 
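Review bot: `createStatus` in EgressRuleVO is mapped `nullable = false` but neither constructor initialises it, so a rule persisted without an explicit `setCreateStatus(...)` call presumably fails at insert time; either set a default in the constructors or document on the class that the caller must set it. `allowedDestinationIpCidr` is stored as given, so whoever builds the VO must validate the CIDR before it reaches the hypervisor rule scripts, which is not visible here. No DDL for `security_egress_rule` is part of this diff; if the schema change is not landing separately, the entity has no table. A class Javadoc stating that a row allows outbound traffic from the group to the destination CIDR or network (an allow-list entry) would help, since the direction is easy to confuse with the ingress type.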
@@ -67,22 +64,20 @@ public class IngressRuleVO implements IngressRule { public IngressRuleVO() { } - public IngressRuleVO(long securityGroupId, int fromPort, int toPort, String protocol, long allowedNetworkId, int type) { + public IngressRuleVO(long securityGroupId, int fromPort, int toPort, String protocol, long allowedNetworkId) { this.securityGroupId = securityGroupId; this.startPort = fromPort; this.endPort = toPort; this.protocol = protocol; this.allowedNetworkId = allowedNetworkId; - this.type = type; } - public IngressRuleVO(long securityGroupId, int fromPort, int toPort, String protocol, String allowedIpCidr, int type) { + public IngressRuleVO(long securityGroupId, int fromPort, int toPort, String protocol, String allowedIpCidr) { this.securityGroupId = securityGroupId; this.startPort = fromPort; this.endPort = toPort; this.protocol = protocol; this.allowedSourceIpCidr = allowedIpCidr; - this.type = type; } @Override @@ -105,11 +100,6 @@ public class IngressRuleVO implements IngressRule { return endPort; } - @Override - public int getType() { - return type; - } - @Override public String getProtocol() { return protocol; diff --git a/core/src/com/cloud/network/security/SecurityGroupEgressRulesVO.java b/core/src/com/cloud/network/security/SecurityGroupEgressRulesVO.java new file mode 100644 index 00000000000..e4b269ecd76 --- /dev/null +++ b/core/src/com/cloud/network/security/SecurityGroupEgressRulesVO.java 
@@ -0,0 +1,141 @@ +/** + * Copyright (C) 2010 Cloud.com, Inc. All rights reserved. + * + * This software is licensed under the GNU General Public License v3 or later. + * + * It is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or any later version. + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + */ + +package com.cloud.network.security; + +import javax.persistence.Column; +import javax.persistence.Entity; +import javax.persistence.GeneratedValue; +import javax.persistence.GenerationType; +import javax.persistence.Id; +import javax.persistence.PrimaryKeyJoinColumn; +import javax.persistence.SecondaryTable; +import javax.persistence.Table; + +@Entity +@Table(name = ("security_group")) +@SecondaryTable(name = "security_egress_rule", join = "left", pkJoinColumns = { @PrimaryKeyJoinColumn(name = "id", referencedColumnName = "security_group_id") }) +public class SecurityGroupEgressRulesVO implements SecurityGroupRules { + @Id + @GeneratedValue(strategy = GenerationType.IDENTITY) + @Column(name = "id") + private long id; + + @Column(name = "name") + private String name; + + @Column(name = "description") + private String description; + + @Column(name = "domain_id") + private Long domainId; + + @Column(name = "account_id") + private Long accountId; + + @Column(name = "id", table = "security_egress_rule", insertable = false, updatable = false) + private Long ruleId; + + @Column(name = "start_port", table = "security_egress_rule", insertable = false, updatable = false) + private int startPort; + + @Column(name = 
"end_port", table = "security_egress_rule", insertable = false, updatable = false) + private int endPort; + + @Column(name = "protocol", table = "security_egress_rule", insertable = false, updatable = false) + private String protocol; + + @Column(name = "allowed_network_id", table = "security_egress_rule", insertable = false, updatable = false, nullable = true) + private Long allowedNetworkId = null; + + @Column(name = "allowed_ip_cidr", table = "security_egress_rule", insertable = false, updatable = false, nullable = true) + private String allowedDestinationIpCidr = null; + + public SecurityGroupEgressRulesVO() { + } + + public SecurityGroupEgressRulesVO(long id, String name, String description, Long domainId, Long accountId, Long ruleId, int startPort, int endPort, String protocol, Long allowedNetworkId, + String allowedDestinationIpCidr) { + this.id = id; + this.name = name; + this.description = description; + this.domainId = domainId; + this.accountId = accountId; + this.ruleId = ruleId; + this.startPort = startPort; + this.endPort = endPort; + this.protocol = protocol; + this.allowedNetworkId = allowedNetworkId; + this.allowedDestinationIpCidr = allowedDestinationIpCidr; + } + + @Override + public long getId() { + return id; + } + + @Override + public String getName() { + return name; + } + + @Override + public String getDescription() { + return description; + } + + @Override + public Long getDomainId() { + return domainId; + } + + @Override + public Long getAccountId() { + return accountId; + } + + @Override + public Long getRuleId() { + return ruleId; + } + + @Override + public int getStartPort() { + return startPort; + } + + @Override + public int getEndPort() { + return endPort; + } + + @Override + public String getProtocol() { + return protocol; + } + + @Override + public Long getAllowedNetworkId() { + return allowedNetworkId; + } + + @Override + public String getAllowedSourceIpCidr() { /* FIXME: need to rename the method name, for this the interface need 
to change or need create a new interface */ + return allowedDestinationIpCidr; + } +} diff --git a/core/src/com/cloud/network/security/SecurityGroupRulesVO.java b/core/src/com/cloud/network/security/SecurityGroupRulesVO.java index 30453a3dd1f..7485711ff94 100644 --- a/core/src/com/cloud/network/security/SecurityGroupRulesVO.java +++ b/core/src/com/cloud/network/security/SecurityGroupRulesVO.java @@ -35,7 +35,7 @@ public class SecurityGroupRulesVO implements SecurityGroupRules { @GeneratedValue(strategy = GenerationType.IDENTITY) @Column(name = "id") private long id; - + @Column(name = "name") private String name; @@ -51,9 +51,6 @@ public class SecurityGroupRulesVO implements SecurityGroupRules { @Column(name = "id", table = "security_ingress_rule", insertable = false, updatable = false) private Long ruleId; - @Column(name = "type", table = "security_ingress_rule", insertable = false, updatable = false) - private int type; - @Column(name = "start_port", table = "security_ingress_rule", insertable = false, updatable = false) private int startPort; @@ -91,11 +88,6 @@ public class SecurityGroupRulesVO implements SecurityGroupRules { public long getId() { return id; } - - @Override - public int getType() { - return type; - } @Override public String getName() { diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops index c84710559b9..28779fe4176 100755 --- a/scripts/vm/hypervisor/xenserver/vmops +++ b/scripts/vm/hypervisor/xenserver/vmops 
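Review bot: `getAllowedSourceIpCidr()` in SecurityGroupEgressRulesVO returns `allowedDestinationIpCidr`, as the FIXME admits, so any code written against the SecurityGroupRules interface will read an egress destination as though it were a permitted source, inverting the rule's meaning. Add a proper accessor, `public String getAllowedDestinationIpCidr() { return allowedDestinationIpCidr; }`, and either give the interface method a Javadoc stating that for egress rows it holds the destination CIDR or split the interface, rather than leave the ambiguity for callers to discover. The `@SecondaryTable` join on `security_egress_rule` has no DDL in this diff, so that presumably lands elsewhere.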
@@ -1056,12 +1056,12 @@ def network_rules(session, args): if protocol == 'all': if type == 'egress': - iptables = ['iptables', '-I', vmchain, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'dst', '-j', 'DROP'] + iptables = ['iptables', '-I', vmchain, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'dst', '-j', 'ACCEPT'] else: iptables = ['iptables', '-I', vmchain, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'src', '-j', 'ACCEPT'] elif protocol != 'icmp': if type == 'egress': - iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'dst', '-j', 'DROP'] + iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'dst', '-j', 'ACCEPT'] else: iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'src', '-j', 'ACCEPT'] else: @@ -1069,7 +1069,7 @@ def network_rules(session, args): if start == "-1": range = "any" if type == 'egress': - iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', '--match-set', ipsetname, 'dst', '-j', 'DROP'] + iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', '--match-set', ipsetname, 'dst', '-j', 'ACCEPT'] else: iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', '--match-set', ipsetname, 'src', '-j', 'ACCEPT'] util.pread2(iptables) 
@@ -1077,25 +1077,16 @@ def network_rules(session, args): if allow_any and protocol != 'all': if protocol != 'icmp': - if type == 'egress': - iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-j', 'DROP'] - else: - iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-j', 'ACCEPT'] + iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-j', 'ACCEPT'] else: range = start + "/" + end if start == "-1": range = "any" - if type == 'egress': - iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-j', 'DROP'] - else: - iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-j', 'ACCEPT'] + iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-j', 'ACCEPT'] util.pread2(iptables) util.SMlog(iptables) - if type == 'egress': - util.pread2(['iptables', '-A', vmchain, '-j', 'ACCEPT']) - else: - util.pread2(['iptables', '-A', vmchain, '-j', 'DROP']) + util.pread2(['iptables', '-A', vmchain, '-j', 'DROP']) if write_rule_log_for_vm(vm_name, vm_id, vm_ip, domid, signature, seqno) == False: return 'false' diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py index 888701a311c..e91fe45174a 100755 --- a/scripts/vm/network/security_group.py +++ b/scripts/vm/network/security_group.py @@ -578,10 +578,8 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif if ruletype == 'egress': vmchain = vm_name + "-egress" - action = "DROP" else: vmchain = vm_name - action = "ACCEPT" changes = [] 
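Review bot: The egress chain's final rule changes from `ACCEPT` to `DROP` while the per-rule actions in the earlier hunks change to `ACCEPT`, so egress rules move from a deny-list to an allow-list; a VM whose group has no egress rules, which previously had unrestricted outbound access, loses all outbound traffic the next time its rules are refreshed, if the egress chain is still built for such a group. That is arguably the better default, but it is a behaviour change for existing deployments, and the `-m state --state NEW` match on the per-rule entries only helps if an earlier rule in `vmchain` accepts `ESTABLISHED,RELATED`, which is not visible in this hunk. Please document the new default-deny semantics in `network_rules` and confirm the management server either sends a default allow-all egress rule for groups without any or skips the egress chain entirely. The `security_group.py` hunk on the same line drops the `action` variable, which is consistent with the later hunk that hard-codes `ACCEPT`.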
@@ -623,13 +621,13 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif if protocol == 'all': for ip in ips: if ruletype == 'egress': - execute("iptables -I " + vmchain + " -m state --state NEW -d " + ip + " -j DROP") + execute("iptables -I " + vmchain + " -m state --state NEW -d " + ip + " -j ACCEPT") else: execute("iptables -I " + vmchain + " -m state --state NEW -s " + ip + " -j ACCEPT") elif protocol != 'icmp': for ip in ips: if ruletype == 'egress': - execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -d " + ip + " -j DROP") + execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -d " + ip + " -j ACCEPT") else: execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -s " + ip + " -j ACCEPT") else: 
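Review bot: The rewritten `execute("iptables -I " + vmchain + " … -d " + ip + " -j ACCEPT")` lines still splice `ip`, `protocol` and `range` straight into a command string; if `execute()` runs through a shell and these values originate from API parameters, a crafted CIDR or port range becomes a command-injection vector on the host. The hunk only flips DROP to ACCEPT, but since it rewrites every egress line it is the natural place to pass the arguments as a list, as the XenServer `vmops` version already does with `util.pread2([...])`, or to validate each value against a strict pattern before use. Whether `execute()` uses a shell is not visible here, so please check.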
@@ -638,23 +636,20 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif range = "any" for ip in ips: if ruletype == 'egress': - execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -d " + ip + " -j DROP") + execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -d " + ip + " -j ACCEPT") else: execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -s " + ip + " -j ACCEPT") if allow_any and protocol != 'all': if protocol != 'icmp': - execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -j " + action) + execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -j ACCEPT") else: range = start + "/" + end if start == "-1": range = "any" - execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -j "+action) + execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -j ACCEPT") - if ruletype == 'egress': - iptables = "iptables -A " + vmchain + " -j ACCEPT" - else: - iptables = "iptables -A " + vmchain + " -j DROP" + iptables = "iptables -A " + vmchain + " -j DROP" execute(iptables) if write_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno) == False: return 'false' diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java index d8554f62d4e..2129f9dbd06 100755 --- a/server/src/com/cloud/api/ApiResponseHelper.java +++ b/server/src/com/cloud/api/ApiResponseHelper.java @@ -1585,8 +1585,7 @@ public class ApiResponseHelper implements ResponseGenerator { List ingressRules = networkGroup.getIngressRules(); if ((ingressRules != null) && !ingressRules.isEmpty()) { List ingressRulesResponse = new ArrayList(); - List egressRulesResponse = new ArrayList(); - + for (IngressRuleResultObject ingressRule : ingressRules) { IngressRuleResponse ingressData = new IngressRuleResponse(); 
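Review bot: `iptables -A <vmchain> -j DROP` now terminates both the ingress and the egress chain, so a KVM guest with an egress chain but no egress rules gets no outbound connectivity at all, where before this commit the egress chain ended in `ACCEPT`. This mirrors the XenServer change and is fine as an allow-list model, but it relies on an earlier `ESTABLISHED,RELATED` accept in the egress chain that this hunk does not show, and the ICMP egress lines above carry no `-m state` match, so replies to inbound pings depend on such a rule existing. Add a comment above the final rule, e.g. `# egress rules are an allow-list: anything not matched above is dropped`, and confirm the behaviour for groups with zero egress rules. The ApiResponseHelper hunk on this line only removes the now-unused `egressRulesResponse` list.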
@@ -1607,18 +1606,38 @@ public class ApiResponseHelper implements ResponseGenerator { ingressData.setCidr(ingressRule.getAllowedSourceIpCidr()); } - if (ingressRule.getType() == 1) - { - ingressData.setObjectName("ingressrule"); - ingressRulesResponse.add(ingressData); - } - else - { - ingressData.setObjectName("egressrule"); - egressRulesResponse.add(ingressData); - } + ingressData.setObjectName("ingressrule"); + ingressRulesResponse.add(ingressData); } netGrpResponse.setIngressRules(ingressRulesResponse); + } + List egressRules = networkGroup.getEgressRules(); + if ((egressRules != null) && !egressRules.isEmpty()) { + List egressRulesResponse = new ArrayList(); + + for (EgressRuleResultObject egressRule : egressRules) { + EgressRuleResponse egressData = new EgressRuleResponse(); + + egressData.setRuleId(egressRule.getId()); + egressData.setProtocol(egressRule.getProtocol()); + if ("icmp".equalsIgnoreCase(egressRule.getProtocol())) { + egressData.setIcmpType(egressRule.getStartPort()); + egressData.setIcmpCode(egressRule.getEndPort()); + } else { + egressData.setStartPort(egressRule.getStartPort()); + egressData.setEndPort(egressRule.getEndPort()); + } + + if (egressRule.getAllowedSecurityGroup() != null) { + egressData.setSecurityGroupName(egressRule.getAllowedSecurityGroup()); + egressData.setAccountName(egressRule.getAllowedSecGroupAcct()); + } else { + egressData.setCidr(egressRule.getAllowedDestinationIpCidr()); + } + + egressData.setObjectName("egressrule"); + egressRulesResponse.add(egressData); + } netGrpResponse.setEgressRules(egressRulesResponse); } netGrpResponse.setObjectName("securitygroup"); @@ -1643,6 +1662,7 @@ public class ApiResponseHelper implements ResponseGenerator { response.setObjectName("securitygroup"); return response; + } @Override 
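Review bot: The new egress loop after `netGrpResponse.setIngressRules(ingressRulesResponse)` duplicates the ingress loop above it almost line for line (ICMP type/code mapping, security-group-versus-CIDR branch, object name), differing only in the result type and `getAllowedDestinationIpCidr()`; a private helper that fills the shared fields from protocol, start port and end port would keep the two from drifting, which is what already happened to the descriptions elsewhere in this commit. `EgressRuleResultObject` is not part of this diff, so I could not confirm that `getAllowedSecurityGroup()` and `getAllowedSecGroupAcct()` exist on it. The enclosing method starts before this hunk.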
@@ -2020,7 +2040,7 @@ public class ApiResponseHelper implements ResponseGenerator { } @Override - public SecurityGroupResponse createSecurityGroupResponseFromEgressRule(List egressRules) { + public SecurityGroupResponse createSecurityGroupResponseFromEgressRule(List egressRules) { SecurityGroupResponse response = new SecurityGroupResponse(); Map securiytGroupAccounts = new HashMap(); Map allowedSecurityGroups = new HashMap(); @@ -2043,9 +2063,9 @@ public class ApiResponseHelper implements ResponseGenerator { response.setDomainId(account.getDomainId()); response.setDomainName(ApiDBUtils.findDomainById(securityGroup.getDomainId()).getName()); - List responses = new ArrayList(); - for (IngressRule egressRule : egressRules) { - IngressRuleResponse egressData = new IngressRuleResponse(); + List responses = new ArrayList(); + for (EgressRule egressRule : egressRules) { + EgressRuleResponse egressData = new EgressRuleResponse(); egressData.setRuleId(egressRule.getId()); egressData.setProtocol(egressRule.getProtocol()); @@ -2075,7 +2095,7 @@ public class ApiResponseHelper implements ResponseGenerator { egressData.setAccountName(allowedAccount.getAccountName()); } else { - egressData.setCidr(egressRule.getAllowedSourceIpCidr()); + egressData.setCidr(egressRule.getAllowedDestinationIpCidr()); } egressData.setObjectName("egressrule"); diff --git a/server/src/com/cloud/api/response/IngressRuleResultObject.java b/server/src/com/cloud/api/response/IngressRuleResultObject.java index 2c93368c68d..12d2c054b8d 100644 --- a/server/src/com/cloud/api/response/IngressRuleResultObject.java +++ b/server/src/com/cloud/api/response/IngressRuleResultObject.java @@ -31,10 +31,7 @@ public class IngressRuleResultObject { private int endPort; @Param(name="protocol") - private String protocol; - - @Param(name="type") - private int type; + private String protocol; @Param(name="securitygroup") private String allowedSecurityGroup = null; 
@@ -63,14 +60,6 @@ public class IngressRuleResultObject { public void setId(Long id) { this.id = id; - } - - public int getType() { - return type; - } - - public void setType(int type) { - this.type = type; } public int getStartPort() { diff --git a/server/src/com/cloud/api/response/SecurityGroupResultObject.java b/server/src/com/cloud/api/response/SecurityGroupResultObject.java index 3105ecb925c..6b25382101f 100644 --- a/server/src/com/cloud/api/response/SecurityGroupResultObject.java +++ b/server/src/com/cloud/api/response/SecurityGroupResultObject.java @@ -27,6 +27,7 @@ import com.cloud.api.ApiDBUtils; import com.cloud.network.security.SecurityGroup; import com.cloud.network.security.SecurityGroupRules; import com.cloud.network.security.SecurityGroupRulesVO; +import com.cloud.network.security.SecurityGroupEgressRulesVO; import com.cloud.serializer.Param; import com.cloud.user.Account; @@ -37,9 +38,6 @@ public class SecurityGroupResultObject { @Param(name = "name") private String name; - @Param(name = "type") - private int type; - @Param(name = "description") private String description; @@ -79,14 +77,6 @@ public class SecurityGroupResultObject { this.id = id; } - public Long getType() { - return id; - } - - public void setType(int type) { - this.type = type; - } - public String getName() { return name; } @@ -173,7 +163,6 @@ public class SecurityGroupResultObject { groupResult.setName(netGroupRule.getName()); groupResult.setDescription(netGroupRule.getDescription()); groupResult.setDomainId(netGroupRule.getDomainId()); - groupResult.setType(netGroupRule.getType()); Account account = accounts.get(netGroupRule.getAccountId()); if (account == null) { 
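Review bot: The import of `SecurityGroupEgressRulesVO` added at the -27 hunk of SecurityGroupResultObject is not referenced by any other change to that file in this diff, and the remaining hunks only remove the `type` handling; unless code outside the shown hunks uses it, it is an unused import and should be dropped. If the intent was for this result object to also build egress results from those rows, that code is what is missing, not the import.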
@@ -194,7 +183,6 @@ public class SecurityGroupResultObject { ingressData.setStartPort(netGroupRule.getStartPort()); ingressData.setId(netGroupRule.getRuleId()); ingressData.setProtocol(netGroupRule.getProtocol()); - ingressData.setType(netGroupRule.getType()); Long allowedSecurityGroupId = netGroupRule.getAllowedNetworkId(); if (allowedSecurityGroupId != null) { diff --git a/server/src/com/cloud/configuration/DefaultComponentLibrary.java b/server/src/com/cloud/configuration/DefaultComponentLibrary.java index 32a97498ddc..a1b3a52fc6a 100755 --- a/server/src/com/cloud/configuration/DefaultComponentLibrary.java +++ b/server/src/com/cloud/configuration/DefaultComponentLibrary.java @@ -98,8 +98,10 @@ import com.cloud.network.router.VirtualNetworkApplianceManagerImpl; import com.cloud.network.rules.RulesManagerImpl; import com.cloud.network.rules.dao.PortForwardingRulesDaoImpl; import com.cloud.network.security.SecurityGroupManagerImpl; +import com.cloud.network.security.dao.EgressRuleDaoImpl; import com.cloud.network.security.dao.IngressRuleDaoImpl; import com.cloud.network.security.dao.SecurityGroupDaoImpl; +import com.cloud.network.security.dao.SecurityGroupEgressRulesDaoImpl; import com.cloud.network.security.dao.SecurityGroupRulesDaoImpl; import com.cloud.network.security.dao.SecurityGroupVMMapDaoImpl; import com.cloud.network.security.dao.SecurityGroupWorkDaoImpl; 
@@ -202,8 +204,10 @@ public class DefaultComponentLibrary extends ComponentLibraryBase implements Com addDao("DataCenterIpAddressDao", DataCenterIpAddressDaoImpl.class); addDao("SecurityGroupDao", SecurityGroupDaoImpl.class); addDao("IngressRuleDao", IngressRuleDaoImpl.class); + addDao("EgressRuleDao", EgressRuleDaoImpl.class); addDao("SecurityGroupVMMapDao", SecurityGroupVMMapDaoImpl.class); addDao("SecurityGroupRulesDao", SecurityGroupRulesDaoImpl.class); + addDao("SecurityGroupEgressRulesDao", SecurityGroupEgressRulesDaoImpl.class); addDao("SecurityGroupWorkDao", SecurityGroupWorkDaoImpl.class); addDao("VmRulesetLogDao", VmRulesetLogDaoImpl.class); addDao("AlertDao", AlertDaoImpl.class); diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java index f027dbd61c6..90a6de68893 100755 --- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java +++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java @@ -69,9 +69,11 @@ import com.cloud.exception.ResourceInUseException; import com.cloud.hypervisor.Hypervisor.HypervisorType; import com.cloud.network.NetworkManager; import com.cloud.network.security.SecurityGroupWorkVO.Step; +import com.cloud.network.security.dao.EgressRuleDao; import com.cloud.network.security.dao.IngressRuleDao; import com.cloud.network.security.dao.SecurityGroupDao; import com.cloud.network.security.dao.SecurityGroupRulesDao; +import com.cloud.network.security.dao.SecurityGroupEgressRulesDao; import com.cloud.network.security.dao.SecurityGroupVMMapDao; import com.cloud.network.security.dao.SecurityGroupWorkDao; import com.cloud.network.security.dao.VmRulesetLogDao; 
@@ -118,10 +120,14 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG @Inject IngressRuleDao _ingressRuleDao; @Inject + EgressRuleDao _egressRuleDao; + @Inject SecurityGroupVMMapDao _securityGroupVMMapDao; @Inject SecurityGroupRulesDao _securityGroupRulesDao; @Inject + SecurityGroupEgressRulesDao _securityGroupEgressRulesDao; + @Inject UserVmDao _userVMDao; @Inject AccountDao _accountDao; @@ -145,8 +151,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG NetworkManager _networkMgr; @Inject AccountManager _accountMgr; - public static final int INGRESS_RULE = 1 ; - public static final int EGRESS_RULE = 2 ; + ScheduledExecutorService _executorPool; ScheduledExecutorService _cleanupExecutor; @@ -327,8 +332,8 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG List groupsForVm = _securityGroupVMMapDao.listByInstanceId(userVmId); for (SecurityGroupVMMapVO mapVO : groupsForVm) { - List rules = _ingressRuleDao.listBySecurityGroupId(mapVO.getSecurityGroupId(),EGRESS_RULE); - for (IngressRuleVO rule : rules) { + List rules = _egressRuleDao.listBySecurityGroupId(mapVO.getSecurityGroupId()); + for (EgressRuleVO rule : rules) { PortAndProto portAndProto = new PortAndProto(rule.getProtocol(), rule.getStartPort(), rule.getEndPort()); Set cidrs = allowed.get(portAndProto); if (cidrs == null) { @@ -344,8 +349,8 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG cidrs.add(cidr); } } - } else if (rule.getAllowedSourceIpCidr() != null) { - cidrs.add(rule.getAllowedSourceIpCidr()); + } else if (rule.getAllowedDestinationIpCidr() != null) { + cidrs.add(rule.getAllowedDestinationIpCidr()); } if (cidrs.size() > 0) { allowed.put(portAndProto, cidrs); 
@@ -361,7 +366,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG List groupsForVm = _securityGroupVMMapDao.listByInstanceId(userVmId); for (SecurityGroupVMMapVO mapVO : groupsForVm) { - List rules = _ingressRuleDao.listBySecurityGroupId(mapVO.getSecurityGroupId(), INGRESS_RULE); + List rules = _ingressRuleDao.listBySecurityGroupId(mapVO.getSecurityGroupId()); for (IngressRuleVO rule : rules) { PortAndProto portAndProto = new PortAndProto(rule.getProtocol(), rule.getStartPort(), rule.getEndPort()); Set cidrs = allowed.get(portAndProto); 
@@ -713,21 +718,21 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG return null; } } - IngressRuleVO ingressRule = _ingressRuleDao.findByProtoPortsAndAllowedGroupId(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, ngVO.getId(), INGRESS_RULE); + IngressRuleVO ingressRule = _ingressRuleDao.findByProtoPortsAndAllowedGroupId(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, ngVO.getId()); if (ingressRule != null) { continue; // rule already exists. } - ingressRule = new IngressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, ngVO.getId(),INGRESS_RULE); + ingressRule = new IngressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, ngVO.getId()); ingressRule = _ingressRuleDao.persist(ingressRule); newRules.add(ingressRule); } if (cidrList != null) { for (String cidr : cidrList) { - IngressRuleVO ingressRule = _ingressRuleDao.findByProtoPortsAndCidr(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, cidr, INGRESS_RULE); + IngressRuleVO ingressRule = _ingressRuleDao.findByProtoPortsAndCidr(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, cidr); if (ingressRule != null) { continue; } - ingressRule = new IngressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, cidr,INGRESS_RULE); + ingressRule = new IngressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, cidr); ingressRule = _ingressRuleDao.persist(ingressRule); newRules.add(ingressRule); } @@ -801,7 +806,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG @Override @DB @SuppressWarnings("rawtypes") - public List authorizeSecurityGroupEgress(AuthorizeSecurityGroupEgressCmd cmd) { + public List authorizeSecurityGroupEgress(AuthorizeSecurityGroupEgressCmd cmd) { Long securityGroupId = cmd.getSecurityGroupId(); String protocol = cmd.getProtocol(); Integer startPort = cmd.getStartPort(); 
@@ -926,7 +931,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG s_logger.warn("Could not acquire lock on network security group: id= " + securityGroupId); return null; } - List newRules = new ArrayList(); + List newRules = new ArrayList(); try { for (final SecurityGroupVO ngVO : authorizedGroups2) { final Long ngId = ngVO.getId(); @@ -939,22 +944,22 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG return null; } } - IngressRuleVO egressRule = _ingressRuleDao.findByProtoPortsAndAllowedGroupId(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, ngVO.getId(), EGRESS_RULE); + EgressRuleVO egressRule = _egressRuleDao.findByProtoPortsAndAllowedGroupId(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, ngVO.getId()); if (egressRule != null) { continue; // rule already exists. } - egressRule = new IngressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, ngVO.getId(), EGRESS_RULE); - egressRule = _ingressRuleDao.persist(egressRule); + egressRule = new EgressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, ngVO.getId()); + egressRule = _egressRuleDao.persist(egressRule); newRules.add(egressRule); } if (cidrList != null) { for (String cidr : cidrList) { - IngressRuleVO egressRule = _ingressRuleDao.findByProtoPortsAndCidr(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, cidr, EGRESS_RULE); + EgressRuleVO egressRule = _egressRuleDao.findByProtoPortsAndCidr(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, cidr); if (egressRule != null) { continue; } - egressRule = new IngressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, cidr, EGRESS_RULE); - egressRule = _ingressRuleDao.persist(egressRule); + egressRule = new EgressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, cidr); + egressRule = _egressRuleDao.persist(egressRule); newRules.add(egressRule); } } 
@@ -983,7 +988,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG Account caller = UserContext.current().getCaller(); Long id = cmd.getId(); - IngressRuleVO rule = _ingressRuleDao.findById(id); + EgressRuleVO rule = _egressRuleDao.findById(id); if (rule == null) { s_logger.debug("Unable to find egress rule with id " + id); throw new InvalidParameterValueException("Unable to find egress rule with id " + id); @@ -1005,7 +1010,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG return false; } - _ingressRuleDao.remove(id); + _egressRuleDao.remove(id); s_logger.debug("revokeSecurityGroupEgress succeeded for ingress rule id: " + id); final Set affectedVms = new HashSet(); @@ -1384,6 +1389,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG List securityGroups = _securityGroupDao.search(sc, searchFilter); for (SecurityGroupVO group : securityGroups) { securityRulesList.addAll(_securityGroupRulesDao.listSecurityRulesByGroupId(group.getId())); + securityRulesList.addAll(_securityGroupEgressRulesDao.listSecurityEgressRulesByGroupId(group.getId())); } return securityRulesList; diff --git a/server/src/com/cloud/network/security/dao/EgressRuleDao.java b/server/src/com/cloud/network/security/dao/EgressRuleDao.java new file mode 100644 index 00000000000..9cc514d0a86 --- /dev/null +++ b/server/src/com/cloud/network/security/dao/EgressRuleDao.java 
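Review bot: At -1384 the egress rows are appended to the same `securityRulesList` as the ingress rows, while elsewhere in this commit the `type` discriminator is removed from `SecurityGroupResultObject` and `IngressRuleResultObject`; downstream code that turns this list into result objects can then only tell an allowed-source CIDR from an allowed-destination CIDR by the concrete VO class, and nothing in the diff shows it doing so. Generic parameters are stripped in this rendering, so if the list is declared over `SecurityGroupRulesVO`, `SecurityGroupEgressRulesVO` must be a subtype for the added line to compile; if the list is raw, the mix is silent. Either return the two sets separately or document the contract above the loop, e.g. `// result mixes ingress and egress rule rows; consumers must dispatch on the VO class`. The enclosing method starts and ends outside this hunk.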
@@ -0,0 +1,36 @@ +/** + * Copyright (C) 2010 Cloud.com, Inc. All rights reserved. + * + * This software is licensed under the GNU General Public License v3 or later. + * + * It is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or any later version. + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + */ + +package com.cloud.network.security.dao; + +import java.util.List; + +import com.cloud.network.security.EgressRuleVO; +import com.cloud.utils.db.GenericDao; + +public interface EgressRuleDao extends GenericDao { + List listBySecurityGroupId(long networkGroupId); + List listByAllowedSecurityGroupId(long networkGroupId); + EgressRuleVO findByProtoPortsAndCidr(long networkGroupId, String proto, int startPort, int endPort, String cidr); + EgressRuleVO findByProtoPortsAndGroup(String proto, int startPort, int endPort, String networkGroup); + EgressRuleVO findByProtoPortsAndAllowedGroupId(long networkGroupId, String proto, int startPort, int endPort, Long allowedGroupId); + int deleteBySecurityGroup(long securityGroupId); + int deleteByPortProtoAndGroup(long securityGroupId, String protocol, int startPort,int endPort, Long id); + int deleteByPortProtoAndCidr(long securityGroupId, String protocol, int startPort,int endPort, String cidr); + +} diff --git a/server/src/com/cloud/network/security/dao/EgressRuleDaoImpl.java b/server/src/com/cloud/network/security/dao/EgressRuleDaoImpl.java new file mode 100644 index 00000000000..adb11b71e43 --- /dev/null 
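Review bot: The new `EgressRuleDao` interface has no Javadoc, and its lookup contract is not obvious from the names: in EgressRuleDaoImpl, `findByProtoPortsAndCidr`, `findByProtoPortsAndGroup` and `findByProtoPortsAndAllowedGroupId` are built on `findOneIncludingRemovedBy`, so they can return a rule that has already been removed, which callers using them as an "already exists" check need to know. A short Javadoc per method stating what is matched and that removed rows are included would make that explicit. The first parameter is named `networkGroupId` here but `securityGroupId` in the implementation and in the callers; one name, preferably `securityGroupId`, would read better.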
+++ b/server/src/com/cloud/network/security/dao/EgressRuleDaoImpl.java 
@@ -0,0 +1,167 @@ +/** + * Copyright (C) 2010 Cloud.com, Inc. All rights reserved. + * + * This software is licensed under the GNU General Public License v3 or later. + * + * It is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or any later version. + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + */ + +package com.cloud.network.security.dao; + +import java.util.List; +import java.util.Map; + +import javax.ejb.Local; +import javax.naming.ConfigurationException; + +import com.cloud.network.security.EgressRuleVO; +import com.cloud.network.security.SecurityGroupVO; +import com.cloud.utils.component.Inject; +import com.cloud.utils.db.GenericDaoBase; +import com.cloud.utils.db.JoinBuilder; +import com.cloud.utils.db.SearchBuilder; +import com.cloud.utils.db.SearchCriteria; + +@Local(value={EgressRuleDao.class}) +public class EgressRuleDaoImpl extends GenericDaoBase implements EgressRuleDao { + + @Inject SecurityGroupDao _securityGroupDao; + + protected SearchBuilder securityGroupIdSearch; + protected SearchBuilder allowedSecurityGroupIdSearch; + protected SearchBuilder protoPortsAndCidrSearch; + protected SearchBuilder protoPortsAndSecurityGroupNameSearch; + protected SearchBuilder protoPortsAndSecurityGroupIdSearch; + + + + protected EgressRuleDaoImpl() { + securityGroupIdSearch = createSearchBuilder(); + securityGroupIdSearch.and("securityGroupId", securityGroupIdSearch.entity().getSecurityGroupId(), SearchCriteria.Op.EQ); + securityGroupIdSearch.done(); + + allowedSecurityGroupIdSearch = 
createSearchBuilder(); + allowedSecurityGroupIdSearch.and("allowedNetworkId", allowedSecurityGroupIdSearch.entity().getAllowedNetworkId(), SearchCriteria.Op.EQ); + allowedSecurityGroupIdSearch.done(); + + protoPortsAndCidrSearch = createSearchBuilder(); + protoPortsAndCidrSearch.and("securityGroupId", protoPortsAndCidrSearch.entity().getSecurityGroupId(), SearchCriteria.Op.EQ); + protoPortsAndCidrSearch.and("proto", protoPortsAndCidrSearch.entity().getProtocol(), SearchCriteria.Op.EQ); + protoPortsAndCidrSearch.and("startPort", protoPortsAndCidrSearch.entity().getStartPort(), SearchCriteria.Op.EQ); + protoPortsAndCidrSearch.and("endPort", protoPortsAndCidrSearch.entity().getEndPort(), SearchCriteria.Op.EQ); + protoPortsAndCidrSearch.and("cidr", protoPortsAndCidrSearch.entity().getAllowedDestinationIpCidr(), SearchCriteria.Op.EQ); + protoPortsAndCidrSearch.done(); + + protoPortsAndSecurityGroupIdSearch = createSearchBuilder(); + protoPortsAndSecurityGroupIdSearch.and("securityGroupId", protoPortsAndSecurityGroupIdSearch.entity().getSecurityGroupId(), SearchCriteria.Op.EQ); + protoPortsAndSecurityGroupIdSearch.and("proto", protoPortsAndSecurityGroupIdSearch.entity().getProtocol(), SearchCriteria.Op.EQ); + protoPortsAndSecurityGroupIdSearch.and("startPort", protoPortsAndSecurityGroupIdSearch.entity().getStartPort(), SearchCriteria.Op.EQ); + protoPortsAndSecurityGroupIdSearch.and("endPort", protoPortsAndSecurityGroupIdSearch.entity().getEndPort(), SearchCriteria.Op.EQ); + protoPortsAndSecurityGroupIdSearch.and("allowedNetworkId", protoPortsAndSecurityGroupIdSearch.entity().getAllowedNetworkId(), SearchCriteria.Op.EQ); + + } + + public List listBySecurityGroupId(long securityGroupId) { + SearchCriteria sc = securityGroupIdSearch.create(); + sc.setParameters("securityGroupId", securityGroupId); + return listBy(sc); + } + + public int deleteBySecurityGroup(long securityGroupId) { + SearchCriteria sc = securityGroupIdSearch.create(); + sc.setParameters("securityGroupId", 
securityGroupId); + return expunge(sc); + } + + @Override + public List listByAllowedSecurityGroupId(long securityGroupId) { + SearchCriteria sc = allowedSecurityGroupIdSearch.create(); + sc.setParameters("allowedNetworkId", securityGroupId); + return listBy(sc); + } + + @Override + public EgressRuleVO findByProtoPortsAndCidr(long securityGroupId, String proto, int startPort, + int endPort, String cidr) { + SearchCriteria sc = protoPortsAndCidrSearch.create(); + sc.setParameters("securityGroupId", securityGroupId); + sc.setParameters("proto", proto); + sc.setParameters("startPort", startPort); + sc.setParameters("endPort", endPort); + sc.setParameters("cidr", cidr); + return findOneIncludingRemovedBy(sc); + } + + @Override + public EgressRuleVO findByProtoPortsAndGroup(String proto, int startPort, + int endPort, String securityGroup) { + SearchCriteria sc = protoPortsAndSecurityGroupNameSearch.create(); + sc.setParameters("proto", proto); + sc.setParameters("startPort", startPort); + sc.setParameters("endPort", endPort); + sc.setJoinParameters("groupName", "groupName", securityGroup); + return findOneIncludingRemovedBy(sc); + } + + @Override + public boolean configure(String name, Map params) + throws ConfigurationException { + protoPortsAndSecurityGroupNameSearch = createSearchBuilder(); + protoPortsAndSecurityGroupNameSearch.and("proto", protoPortsAndSecurityGroupNameSearch.entity().getProtocol(), SearchCriteria.Op.EQ); + protoPortsAndSecurityGroupNameSearch.and("startPort", protoPortsAndSecurityGroupNameSearch.entity().getStartPort(), SearchCriteria.Op.EQ); + protoPortsAndSecurityGroupNameSearch.and("endPort", protoPortsAndSecurityGroupNameSearch.entity().getEndPort(), SearchCriteria.Op.EQ); + SearchBuilder ngSb = _securityGroupDao.createSearchBuilder(); + ngSb.and("groupName", ngSb.entity().getName(), SearchCriteria.Op.EQ); + protoPortsAndSecurityGroupNameSearch.join("groupName", ngSb, protoPortsAndSecurityGroupNameSearch.entity().getAllowedNetworkId(), 
ngSb.entity().getId(), JoinBuilder.JoinType.INNER); + protoPortsAndSecurityGroupNameSearch.done(); + return super.configure(name, params); + } + + @Override + public int deleteByPortProtoAndGroup(long securityGroupId, String protocol, int startPort, int endPort, Long allowedGroupId) { + SearchCriteria sc = protoPortsAndSecurityGroupIdSearch.create(); + sc.setParameters("securityGroupId", securityGroupId); + sc.setParameters("proto", protocol); + sc.setParameters("startPort", startPort); + sc.setParameters("endPort", endPort); + sc.setParameters("allowedNetworkId", allowedGroupId); + + return expunge(sc); + + } + + @Override + public int deleteByPortProtoAndCidr(long securityGroupId, String protocol, int startPort, int endPort, String cidr) { + SearchCriteria sc = protoPortsAndCidrSearch.create(); + sc.setParameters("securityGroupId", securityGroupId); + sc.setParameters("proto", protocol); + sc.setParameters("startPort", startPort); + sc.setParameters("endPort", endPort); + sc.setParameters("cidr", cidr); + + return expunge(sc); + } + + @Override + public EgressRuleVO findByProtoPortsAndAllowedGroupId(long securityGroupId, String proto, + int startPort, int endPort, Long allowedGroupId) { + SearchCriteria sc = protoPortsAndSecurityGroupIdSearch.create(); + sc.addAnd("securityGroupId", SearchCriteria.Op.EQ, securityGroupId); + sc.setParameters("proto", proto); + sc.setParameters("startPort", startPort); + sc.setParameters("endPort", endPort); + sc.setParameters("allowedNetworkId", allowedGroupId); + + return findOneIncludingRemovedBy(sc); + } +} diff --git a/server/src/com/cloud/network/security/dao/IngressRuleDao.java b/server/src/com/cloud/network/security/dao/IngressRuleDao.java index 9f33e4a8d73..c95e4ee567b 100644 --- a/server/src/com/cloud/network/security/dao/IngressRuleDao.java +++ b/server/src/com/cloud/network/security/dao/IngressRuleDao.java 
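Review bot: `findByProtoPortsAndAllowedGroupId` binds the group with `sc.addAnd("securityGroupId", SearchCriteria.Op.EQ, securityGroupId)` although `protoPortsAndSecurityGroupIdSearch` already declares a `securityGroupId` condition that `deleteByPortProtoAndGroup` fills with `sc.setParameters("securityGroupId", securityGroupId)`; the find path presumably leaves the builder's own parameter unset, and the two methods should use the same call. `protoPortsAndSecurityGroupIdSearch` is also the only builder in the constructor never closed with `done()`, and `listBySecurityGroupId` and `deleteBySecurityGroup` lack the `@Override` the other interface methods carry. Both are inherited from IngressRuleDaoImpl, so fixing them in the copy is a chance to fix the original as well. Separately, the `find*` methods use `findOneIncludingRemovedBy`, so if `EgressRuleVO` carries a removed marker and `_egressRuleDao.remove(id)` in revokeSecurityGroupEgress soft-deletes, the "rule already exists" check in authorizeSecurityGroupEgress will treat a revoked rule as present and skip re-creating it — confirm which delete semantics GenericDaoBase applies to this entity.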
@@ -24,13 +24,13 @@ import com.cloud.network.security.IngressRuleVO; import com.cloud.utils.db.GenericDao; public interface IngressRuleDao extends GenericDao { - List listBySecurityGroupId(long networkGroupId, int type); + List listBySecurityGroupId(long networkGroupId); List listByAllowedSecurityGroupId(long networkGroupId); - IngressRuleVO findByProtoPortsAndCidr(long networkGroupId, String proto, int startPort, int endPort, String cidr,int type); - IngressRuleVO findByProtoPortsAndGroup(String proto, int startPort, int endPort, String networkGroup,int type); - IngressRuleVO findByProtoPortsAndAllowedGroupId(long networkGroupId, String proto, int startPort, int endPort, Long allowedGroupId,int type); - int deleteBySecurityGroup(long securityGroupId,int type); - int deleteByPortProtoAndGroup(long securityGroupId, String protocol, int startPort,int endPort, Long id,int type); - int deleteByPortProtoAndCidr(long securityGroupId, String protocol, int startPort,int endPort, String cidr,int type); + IngressRuleVO findByProtoPortsAndCidr(long networkGroupId, String proto, int startPort, int endPort, String cidr); + IngressRuleVO findByProtoPortsAndGroup(String proto, int startPort, int endPort, String networkGroup); + IngressRuleVO findByProtoPortsAndAllowedGroupId(long networkGroupId, String proto, int startPort, int endPort, Long allowedGroupId); + int deleteBySecurityGroup(long securityGroupId); + int deleteByPortProtoAndGroup(long securityGroupId, String protocol, int startPort,int endPort, Long id); + int deleteByPortProtoAndCidr(long securityGroupId, String protocol, int startPort,int endPort, String cidr); } diff --git a/server/src/com/cloud/network/security/dao/IngressRuleDaoImpl.java b/server/src/com/cloud/network/security/dao/IngressRuleDaoImpl.java index 2f626d91371..dab386e1170 100644 --- a/server/src/com/cloud/network/security/dao/IngressRuleDaoImpl.java +++ b/server/src/com/cloud/network/security/dao/IngressRuleDaoImpl.java 
@@ -47,8 +47,7 @@ public class IngressRuleDaoImpl extends GenericDaoBase impl protected IngressRuleDaoImpl() { securityGroupIdSearch = createSearchBuilder(); - securityGroupIdSearch.and("securityGroupId", securityGroupIdSearch.entity().getSecurityGroupId(), SearchCriteria.Op.EQ); - securityGroupIdSearch.and("type", securityGroupIdSearch.entity().getType(), SearchCriteria.Op.EQ); + securityGroupIdSearch.and("securityGroupId", securityGroupIdSearch.entity().getSecurityGroupId(), SearchCriteria.Op.EQ); securityGroupIdSearch.done(); allowedSecurityGroupIdSearch = createSearchBuilder(); 
@@ -61,31 +60,26 @@ public class IngressRuleDaoImpl extends GenericDaoBase impl protoPortsAndCidrSearch.and("startPort", protoPortsAndCidrSearch.entity().getStartPort(), SearchCriteria.Op.EQ); protoPortsAndCidrSearch.and("endPort", protoPortsAndCidrSearch.entity().getEndPort(), SearchCriteria.Op.EQ); protoPortsAndCidrSearch.and("cidr", protoPortsAndCidrSearch.entity().getAllowedSourceIpCidr(), SearchCriteria.Op.EQ); - protoPortsAndCidrSearch.and("type", protoPortsAndCidrSearch.entity().getType(), SearchCriteria.Op.EQ); protoPortsAndCidrSearch.done(); protoPortsAndSecurityGroupIdSearch = createSearchBuilder(); protoPortsAndSecurityGroupIdSearch.and("securityGroupId", protoPortsAndSecurityGroupIdSearch.entity().getSecurityGroupId(), SearchCriteria.Op.EQ); protoPortsAndSecurityGroupIdSearch.and("proto", protoPortsAndSecurityGroupIdSearch.entity().getProtocol(), SearchCriteria.Op.EQ); protoPortsAndSecurityGroupIdSearch.and("startPort", protoPortsAndSecurityGroupIdSearch.entity().getStartPort(), SearchCriteria.Op.EQ); - protoPortsAndSecurityGroupIdSearch.and("endPort", protoPortsAndSecurityGroupIdSearch.entity().getEndPort(), SearchCriteria.Op.EQ); - protoPortsAndSecurityGroupIdSearch.and("type", protoPortsAndSecurityGroupIdSearch.entity().getType(), SearchCriteria.Op.EQ); + protoPortsAndSecurityGroupIdSearch.and("endPort", protoPortsAndSecurityGroupIdSearch.entity().getEndPort(), SearchCriteria.Op.EQ); protoPortsAndSecurityGroupIdSearch.and("allowedNetworkId", protoPortsAndSecurityGroupIdSearch.entity().getAllowedNetworkId(), SearchCriteria.Op.EQ); - } - public List listBySecurityGroupId(long securityGroupId, int type) { + public List listBySecurityGroupId(long securityGroupId) { SearchCriteria sc = securityGroupIdSearch.create(); - sc.setParameters("securityGroupId", securityGroupId); - sc.setParameters("type", type); + sc.setParameters("securityGroupId", securityGroupId); return listBy(sc); } - public int deleteBySecurityGroup(long securityGroupId,int type) { + 
public int deleteBySecurityGroup(long securityGroupId) { SearchCriteria sc = securityGroupIdSearch.create(); - sc.setParameters("securityGroupId", securityGroupId); - sc.setParameters("type", type); + sc.setParameters("securityGroupId", securityGroupId); return expunge(sc); } @@ -93,32 +87,29 @@ public class IngressRuleDaoImpl extends GenericDaoBase impl public List listByAllowedSecurityGroupId(long securityGroupId) { SearchCriteria sc = allowedSecurityGroupIdSearch.create(); sc.setParameters("allowedNetworkId", securityGroupId); - return listBy(sc); } @Override public IngressRuleVO findByProtoPortsAndCidr(long securityGroupId, String proto, int startPort, - int endPort, String cidr,int type) { + int endPort, String cidr) { SearchCriteria sc = protoPortsAndCidrSearch.create(); sc.setParameters("securityGroupId", securityGroupId); sc.setParameters("proto", proto); sc.setParameters("startPort", startPort); sc.setParameters("endPort", endPort); sc.setParameters("cidr", cidr); - sc.setParameters("type", type); return findOneIncludingRemovedBy(sc); } @Override public IngressRuleVO findByProtoPortsAndGroup(String proto, int startPort, - int endPort, String securityGroup,int type) { + int endPort, String securityGroup) { SearchCriteria sc = protoPortsAndSecurityGroupNameSearch.create(); sc.setParameters("proto", proto); sc.setParameters("startPort", startPort); sc.setParameters("endPort", endPort); sc.setJoinParameters("groupName", "groupName", securityGroup); - sc.setParameters("type", type); return findOneIncludingRemovedBy(sc); } 
@@ -137,42 +128,39 @@ public class IngressRuleDaoImpl extends GenericDaoBase impl } @Override - public int deleteByPortProtoAndGroup(long securityGroupId, String protocol, int startPort, int endPort, Long allowedGroupId,int type) { + public int deleteByPortProtoAndGroup(long securityGroupId, String protocol, int startPort, int endPort, Long allowedGroupId) { SearchCriteria sc = protoPortsAndSecurityGroupIdSearch.create(); sc.setParameters("securityGroupId", securityGroupId); sc.setParameters("proto", protocol); sc.setParameters("startPort", startPort); sc.setParameters("endPort", endPort); sc.setParameters("allowedNetworkId", allowedGroupId); - sc.setParameters("type", type); return expunge(sc); } @Override - public int deleteByPortProtoAndCidr(long securityGroupId, String protocol, int startPort, int endPort, String cidr,int type) { + public int deleteByPortProtoAndCidr(long securityGroupId, String protocol, int startPort, int endPort, String cidr) { SearchCriteria sc = protoPortsAndCidrSearch.create(); sc.setParameters("securityGroupId", securityGroupId); sc.setParameters("proto", protocol); sc.setParameters("startPort", startPort); sc.setParameters("endPort", endPort); sc.setParameters("cidr", cidr); - sc.setParameters("type", type); return expunge(sc); } @Override public IngressRuleVO findByProtoPortsAndAllowedGroupId(long securityGroupId, String proto, - int startPort, int endPort, Long allowedGroupId,int type) { + int startPort, int endPort, Long allowedGroupId) { SearchCriteria sc = protoPortsAndSecurityGroupIdSearch.create(); sc.addAnd("securityGroupId", SearchCriteria.Op.EQ, securityGroupId); sc.setParameters("proto", proto); sc.setParameters("startPort", startPort); sc.setParameters("endPort", endPort); sc.setParameters("allowedNetworkId", allowedGroupId); - sc.setParameters("type", type); return findOneIncludingRemovedBy(sc); } 
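Review bot: `findByProtoPortsAndAllowedGroupId` binds the group with `sc.addAnd("securityGroupId", SearchCriteria.Op.EQ, securityGroupId)` whereas `deleteByPortProtoAndGroup`, on the same `protoPortsAndSecurityGroupIdSearch` builder, uses `sc.setParameters("securityGroupId", securityGroupId)`. Since the builder already declares a `securityGroupId` condition, `addAnd` appends a second predicate and leaves the declared one without a value; whether the DAO layer drops an unbound condition or fails at query time cannot be seen from here, but the two methods should bind it the same way, `sc.setParameters("securityGroupId", securityGroupId);`. `allowedGroupId` is a boxed `Long` in both methods; an `EQ` predicate bound to `null` presumably will not match rows whose `allowed_network_id` is NULL, so callers should not rely on these methods for CIDR-only rules.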
diff --git a/server/src/com/cloud/network/security/dao/SecurityGroupEgressRulesDao.java b/server/src/com/cloud/network/security/dao/SecurityGroupEgressRulesDao.java
new file mode 100644
index 00000000000..bba79b7eca7
--- /dev/null
+++ b/server/src/com/cloud/network/security/dao/SecurityGroupEgressRulesDao.java
@@ -0,0 +1,53 @@
+/**
+ * Copyright (C) 2010 Cloud.com, Inc. All rights reserved.
+ *
+ * This software is licensed under the GNU General Public License v3 or later.
+ *
+ * It is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+package com.cloud.network.security.dao;
+
+import java.util.List;
+
+import com.cloud.network.security.SecurityGroupEgressRulesVO;
+import com.cloud.utils.db.GenericDao;
+
+public interface SecurityGroupEgressRulesDao extends GenericDao {
+ /**
+ * List a security group and associated ingress rules
+ * @param accountId the account id of the owner of the security group
+ * @param groupName the name of the group for which to list rules
+ * @return the list of ingress rules associated with the security group (and security group info)
+ */
+ List listSecurityGroupEgressRules(long accountId, String groupName);
+
+ /**
+ * List security groups and associated ingress rules
+ * @param accountId the id of the account for which to list groups and associated rules
+ * @return the list of security groups with associated ingress rules
+ */
+ List listSecurityGroupEgressRules(long accountId);
+
+ /**
+ * List all security groups and associated ingress rules
+ * @return the list of security groups with associated ingress rules
+ */
+ List listSecurityGroupEgressRules();
+
+ /**
+ * List all security rules belonging to the specific group
+ * @return the security group with associated ingress rules
+ */
+ List 
listSecurityEgressRulesByGroupId(long groupId);
+}
diff --git a/server/src/com/cloud/network/security/dao/SecurityGroupEgressRulesDaoImpl.java b/server/src/com/cloud/network/security/dao/SecurityGroupEgressRulesDaoImpl.java
new file mode 100644
index 00000000000..b92e0e1b031
--- /dev/null
+++ b/server/src/com/cloud/network/security/dao/SecurityGroupEgressRulesDaoImpl.java
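Review bot: Every Javadoc comment in the new `SecurityGroupEgressRulesDao` still describes "ingress rules", evidently carried over from the ingress DAO, so the interface misdocuments what it returns; replace "ingress" with "egress" in each summary and `@return`, e.g. `* @return the list of egress rules associated with the security group (and security group info)`. The argument-less `listSecurityGroupEgressRules()` takes no account or domain, so its contract is "all accounts"; say so in its Javadoc (`* Lists egress rules of every security group in the system; callers must restrict this to administrators`) so API handlers do not expose it unscoped. The `@return` of `listSecurityEgressRulesByGroupId` says "the security group" while the method returns a list, and `@param groupId` is missing.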
@@ -0,0 +1,85 @@
+/**
+ * Copyright (C) 2010 Cloud.com, Inc. All rights reserved.
+ *
+ * This software is licensed under the GNU General Public License v3 or later.
+ *
+ * It is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+package com.cloud.network.security.dao;
+
+import java.util.List;
+
+import javax.ejb.Local;
+
+import com.cloud.network.security.SecurityGroupEgressRulesVO;
+import com.cloud.utils.db.Filter;
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+
+@Local(value={SecurityGroupEgressRulesDao.class})
+public class SecurityGroupEgressRulesDaoImpl extends GenericDaoBase implements SecurityGroupEgressRulesDao {
+ private SearchBuilder AccountGroupNameSearch;
+ private SearchBuilder AccountSearch;
+ private SearchBuilder GroupSearch;
+
+ protected SecurityGroupEgressRulesDaoImpl() {
+ AccountGroupNameSearch = createSearchBuilder();
+ AccountGroupNameSearch.and("accountId", AccountGroupNameSearch.entity().getAccountId(), SearchCriteria.Op.EQ);
+ AccountGroupNameSearch.and("name", AccountGroupNameSearch.entity().getName(), SearchCriteria.Op.EQ);
+ AccountGroupNameSearch.done();
+
+ AccountSearch = createSearchBuilder();
+ AccountSearch.and("accountId", AccountSearch.entity().getAccountId(), SearchCriteria.Op.EQ);
+ AccountSearch.done();
+
+ GroupSearch = createSearchBuilder();
+ GroupSearch.and("groupId", GroupSearch.entity().getId(), 
SearchCriteria.Op.EQ);
+ GroupSearch.done();
+
+ }
+
+ @Override
+ public List listSecurityGroupEgressRules() {
+ Filter searchFilter = new Filter(SecurityGroupEgressRulesVO.class, "id", true, null, null);
+ return listAll(searchFilter);
+ }
+
+ @Override
+ public List listSecurityGroupEgressRules(long accountId, String groupName) {
+ Filter searchFilter = new Filter(SecurityGroupEgressRulesVO.class, "id", true, null, null);
+
+ SearchCriteria sc = AccountGroupNameSearch.create();
+ sc.setParameters("accountId", accountId);
+ sc.setParameters("name", groupName);
+ return listBy(sc, searchFilter);
+ }
+
+ @Override
+ public List listSecurityGroupEgressRules(long accountId) {
+ Filter searchFilter = new Filter(SecurityGroupEgressRulesVO.class, "id", true, null, null);
+ SearchCriteria sc = AccountSearch.create();
+ sc.setParameters("accountId", accountId);
+ return listBy(sc, searchFilter);
+ }
+
+
+ @Override
+ public List listSecurityEgressRulesByGroupId(long groupId) {
+ Filter searchFilter = new Filter(SecurityGroupEgressRulesVO.class, "id", true, null, null);
+ SearchCriteria sc = GroupSearch.create();
+ sc.setParameters("groupId", groupId);
+ return listBy(sc, searchFilter);
+ }
+}
diff --git a/setup/db/create-schema.sql b/setup/db/create-schema.sql
index a52efbb79e6..07b8e6f4b90 100755
--- a/setup/db/create-schema.sql
+++ b/setup/db/create-schema.sql
@@ -108,6 +108,7 @@ DROP TABLE IF EXISTS `cloud`.`ovs_work`;
 DROP TABLE IF EXISTS `cloud`.`remote_access_vpn`;
 DROP TABLE IF EXISTS `cloud`.`resource_count`;
 DROP TABLE IF EXISTS `cloud`.`security_ingress_rule`;
+DROP TABLE IF EXISTS `cloud`.`security_egress_rule`;
 DROP TABLE IF EXISTS `cloud`.`stack_maid`;
 DROP TABLE IF EXISTS `cloud`.`storage_pool_work`;
 DROP TABLE IF EXISTS `cloud`.`user_vm_details`;
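Review bot: `listSecurityEgressRulesByGroupId` binds `GroupSearch` to `GroupSearch.entity().getId()` under the name `groupId`, which is only correct if `SecurityGroupEgressRulesVO.getId()` is the security group's id rather than the egress rule's own id; that cannot be confirmed from this diff, so the builder line deserves a comment once verified, e.g. `// VO id is security_group.id; the joined rule row has its own id column`. `listSecurityGroupEgressRules()` is a bare `listAll` with no account or domain predicate and therefore returns every account's egress rules; that is presumably intended for an admin listing path, but the API command calling it must enforce that, since nothing at this layer does. The four identical `Filter` objects could be one `private static final` field if `Filter` is immutable.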
@@ -1422,7 +1423,6 @@ CREATE TABLE `cloud`.`security_group` (
 CREATE TABLE `cloud`.`security_ingress_rule` (
 `id` bigint unsigned NOT NULL auto_increment,
 `security_group_id` bigint unsigned NOT NULL,
- `type` bigint unsigned NOT NULL,
 `start_port` varchar(10) default NULL,
 `end_port` varchar(10) default NULL,
 `protocol` varchar(16) NOT NULL default 'TCP',
@@ -1432,6 +1432,17 @@ CREATE TABLE `cloud`.`security_ingress_rule` (
 PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
+CREATE TABLE `cloud`.`security_egress_rule` (
+ `id` bigint unsigned NOT NULL auto_increment,
+ `security_group_id` bigint unsigned NOT NULL,
+ `start_port` varchar(10) default NULL,
+ `end_port` varchar(10) default NULL,
+ `protocol` varchar(16) NOT NULL default 'TCP',
+ `allowed_network_id` bigint unsigned,
+ `allowed_ip_cidr` varchar(44),
+ `create_status` varchar(32) COMMENT 'rule creation status',
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 CREATE TABLE `cloud`.`security_group_vm_map` (
 `id` bigint unsigned NOT NULL auto_increment,
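Review bot: The new `security_egress_rule` table declares only `PRIMARY KEY (`id`)`: there is no index on `security_group_id` and no foreign key to the group, so per-group lookups and deletes will scan the table and egress rules can outlive their security group. This mirrors the visible `security_ingress_rule` definition and may be deliberate, but on a fresh schema adding `KEY `i_security_egress_rule__security_group_id`(`security_group_id`)` and `CONSTRAINT `fk_security_egress_rule__security_group_id` FOREIGN KEY (`security_group_id`) REFERENCES `security_group`(`id`)` is cheap (assuming `security_group`'s key is `id`, which lies outside the hunk). `start_port`/`end_port` are `varchar(10)` while `IngressRuleDaoImpl` binds ports as `int`, again matching the ingress table. The first hunk removes the NOT NULL `type` column from `security_ingress_rule` in `create-schema.sql` only; existing deployments need a corresponding upgrade statement, which is not part of this diff.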