We use two different tables for IP/port forwarding rules and load balancer rules respectively. When we create a new static NAT rule, this check-in tests against existing records in either of these tables based on the public IP address being mapped. If such a rule exists in either table, we do not permit creation of a static NAT rule on this public IP.

This commit is contained in:
abhishek 2010-12-02 13:16:46 -08:00
parent 2680b8ca12
commit e353b7ac2d
3 changed files with 19 additions and 16 deletions


@ -3134,13 +3134,20 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
}
}
// check for ip address/port conflicts by checking existing forwarding and load balancing rules
List<FirewallRuleVO> existingNatRules = _rulesDao.findByPublicIpPrivateIpForNatRule(ipAddr, userVM.getGuestIpAddress());
// check for ip address/port conflicts by checking existing port/ip forwarding rules
List<FirewallRuleVO> existingFirewallRules = _rulesDao.findRuleByPublicIp(ipAddr);
if(existingNatRules.size() > 0){
throw new NetworkRuleConflictException("The specified rule for public ip:"+ipAddr+" vm id:"+virtualMachineId+" already exists");
if(existingFirewallRules.size() > 0){
throw new NetworkRuleConflictException("There already exists a firewall rule for public ip:"+ipAddr);
}
//check for ip address/port conflicts by checking existing load balancing rules
List<LoadBalancerVO> existingLoadBalancerRules = _loadBalancerDao.listByIpAddress(ipAddr);
if(existingLoadBalancerRules.size() > 0){
throw new NetworkRuleConflictException("There already exists a load balancer rule for public ip:"+ipAddr);
}
//if given ip address is already source nat, return error
if(ipAddress.isSourceNat()){
throw new PermissionDeniedException("Cannot create a static nat rule for the ip:"+ipAddress.getAddress()+" ,this is already a source nat ip address");
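Review bot: The two conflict lookups, `findRuleByPublicIp(ipAddr)` and `_loadBalancerDao.listByIpAddress(ipAddr)`, together with the exceptions they raise are a check-then-act sequence that is separate from the rule insert which presumably follows later in this method, so two concurrent static NAT requests for the same public IP can both observe zero rows and both proceed; whether this code runs inside a transaction or under a lock on the IP row is not visible in the hunk. If the insert is not already guarded, the reliable fix is a uniqueness constraint on the public IP or a row lock taken before these reads, with the resulting duplicate-key failure mapped to the same `NetworkRuleConflictException`. Minor: `existingFirewallRules.size() > 0` and `existingLoadBalancerRules.size() > 0` read better as `!existingFirewallRules.isEmpty()` and `!existingLoadBalancerRules.isEmpty()`. The enclosing method starts and ends outside the hunk.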


@ -49,9 +49,9 @@ public interface FirewallRulesDao extends GenericDao<FirewallRuleVO, Long> {
public List<FirewallRuleVO> listByLoadBalancerId(long loadBalancerId);
public List<FirewallRuleVO> listForwardingByPubAndPrivIp(boolean forwarding, String publicIPAddress, String privateIp);
public FirewallRuleVO findByGroupAndPrivateIp(long groupId, String privateIp, boolean forwarding);
public List<FirewallRuleVO> findByPublicIpPrivateIpForNatRule(String publicIp,String privateIp);
public List<FirewallRuleVO> listByPrivateIp(String privateIp);
public boolean isPublicIpOneToOneNATted(String publicIp);
void deleteIPForwardingByPublicIpAndPort(String ipAddress, String port);
public List<FirewallRuleVO> listIPForwardingForLB(long userId, long dcId);
public List<FirewallRuleVO> listIPForwardingForLB(long userId, long dcId);
public List<FirewallRuleVO> findRuleByPublicIp(String publicIp);
}
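Review bot: The new `findRuleByPublicIp(String publicIp)` declaration has no Javadoc, and the only other visible `find*` method in this interface, `findByGroupAndPrivateIp`, returns a single `FirewallRuleVO` while the `list*` methods return a `List`, so a list-returning `find` breaks the naming pattern; `listByPublicIp` would fit the convention, and the rename is cheap while the implementation lands in the same commit. Whatever the name, a one-line doc is worth adding: `/** Returns every firewall rule whose public IP equals {@code publicIp}, of any type; callers treat a non-empty result as a conflict when creating a static NAT rule on that IP. */`.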


@ -64,7 +64,7 @@ public class FirewallRulesDaoImpl extends GenericDaoBase<FirewallRuleVO, Long> i
protected SearchBuilder<FirewallRuleVO> FWByIpForLB;
protected SearchBuilder<FirewallRuleVO> FWByGroupAndPrivateIp;
protected SearchBuilder<FirewallRuleVO> FWByPrivateIpPrivatePortPublicIpPublicPortSearch;
protected SearchBuilder<FirewallRuleVO> FWByPublicIpSearch;
protected SearchBuilder<FirewallRuleVO> OneToOneNATSearch;
@ -141,12 +141,9 @@ public class FirewallRulesDaoImpl extends GenericDaoBase<FirewallRuleVO, Long> i
FWByGroupAndPrivateIp.and("forwarding", FWByGroupAndPrivateIp.entity().isForwarding(), SearchCriteria.Op.EQ);
FWByGroupAndPrivateIp.done();
FWByPrivateIpPrivatePortPublicIpPublicPortSearch = createSearchBuilder();
FWByPrivateIpPrivatePortPublicIpPublicPortSearch.and("publicIpAddress", FWByPrivateIpPrivatePortPublicIpPublicPortSearch.entity().getPublicIpAddress(), SearchCriteria.Op.EQ);
FWByPrivateIpPrivatePortPublicIpPublicPortSearch.and("privateIpAddress", FWByPrivateIpPrivatePortPublicIpPublicPortSearch.entity().getPrivateIpAddress(), SearchCriteria.Op.EQ);
FWByPrivateIpPrivatePortPublicIpPublicPortSearch.and("privatePort", FWByPrivateIpPrivatePortPublicIpPublicPortSearch.entity().getPrivatePort(), SearchCriteria.Op.NULL);
FWByPrivateIpPrivatePortPublicIpPublicPortSearch.and("publicPort", FWByPrivateIpPrivatePortPublicIpPublicPortSearch.entity().getPublicPort(), SearchCriteria.Op.NULL);
FWByPrivateIpPrivatePortPublicIpPublicPortSearch.done();
FWByPublicIpSearch = createSearchBuilder();
FWByPublicIpSearch.and("publicIpAddress", FWByPublicIpSearch.entity().getPublicIpAddress(), SearchCriteria.Op.EQ);
FWByPublicIpSearch.done();
OneToOneNATSearch = createSearchBuilder();
OneToOneNATSearch.and("publicIpAddress", OneToOneNATSearch.entity().getPublicIpAddress(), SearchCriteria.Op.EQ);
@ -363,10 +360,9 @@ public class FirewallRulesDaoImpl extends GenericDaoBase<FirewallRuleVO, Long> i
}
@Override
public List<FirewallRuleVO> findByPublicIpPrivateIpForNatRule(String publicIp, String privateIp){
SearchCriteria<FirewallRuleVO> sc = FWByPrivateIpPrivatePortPublicIpPublicPortSearch.create();
public List<FirewallRuleVO> findRuleByPublicIp(String publicIp){
SearchCriteria<FirewallRuleVO> sc = FWByPublicIpSearch.create();
sc.setParameters("publicIpAddress", publicIp);
sc.setParameters("privateIpAddress", privateIp);
return listBy(sc);
}
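Review bot: `findRuleByPublicIp` carries no Javadoc, and the one fact a maintainer needs is that `FWByPublicIpSearch` has a single EQ condition on publicIpAddress, whereas the removed builder additionally required privatePort and publicPort to be NULL, so the new method deliberately returns port-forwarding and 1:1 NAT rules alike. Suggest `/** Lists every rule with the given public IP, of any type and any port; intentionally broader than the former NAT-only match so that any rule on the IP counts as a conflict. */` above the `@Override`. The naming remark about a list-returning `find` applies here exactly as in the interface. The first two hunks of this section appear cut in the rendering, so only the method hunk was reviewed.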