Added logic for revoking ACL, PF and Static NAT rules

This commit is contained in:
Koushik Das 2013-03-08 15:26:26 +05:30
parent 4c65b70668
commit ef069b3323
5 changed files with 97 additions and 75 deletions


@ -4,7 +4,7 @@
<inConfigs>
<pair key="%aclpolicysetdn%">
<policyPolicySet
descr=""
descr="%descr%"
dn="%aclpolicysetdn%"
name="%aclpolicysetname%"
status="created"/>


@ -1,17 +1,13 @@
<configConfMos
cookie="%cookie%"
inHierarchical="false">
<inConfigs>
<pair key="%aclruledn%">
<pair key="%ruledn%">
<policyRule
descr=""
dn="%aclruledn%"
name="%aclrulename%"
order="300"
dn="%ruledn%"
name="%rulename%"
status="deleted"/>
</pair>
</inConfigs>
</configConfMos>
</configConfMos>


@ -78,6 +78,10 @@ public interface CiscoVnmcConnection {
String publicIp)
throws ExecutionException;
public boolean deleteTenantVDCDNatRule(String tenantName,
String identifier, String policyIdentifier)
throws ExecutionException;
public boolean createTenantVDCIngressAclRuleForDNat(String tenantName,
String identifier, String policyIdentifier,
String publicIp)
@ -105,6 +109,10 @@ public interface CiscoVnmcConnection {
String startPort, String endPort)
throws ExecutionException;
public boolean deleteTenantVDCPFRule(String tenantName,
String identifier, String policyIdentifier)
throws ExecutionException;
public boolean createTenantVDCIngressAclRuleForPF(String tenantName,
String identifier, String policyIdentifier,
String protocol, String publicIp,
@ -129,15 +137,14 @@ public interface CiscoVnmcConnection {
public boolean associateNatPolicySet(String tenantName)
throws ExecutionException;
public boolean createIngressAclRule(String tenantName,
public boolean createTenantVDCIngressAclRule(String tenantName,
String identifier, String policyIdentifier,
String protocol, String sourceStartIp, String sourceEndIp,
String destStartPort, String destEndPort, String destIp)
throws ExecutionException;
public boolean deleteAclRule(String policyIdentifier,
String identifier, String destIp)
throws ExecutionException;
public boolean deleteTenantVDCAclRule(String tenantName,
String identifier, String policyIdentifier) throws ExecutionException;
public boolean createTenantVDCAclPolicy(String tenantName, String identifier,
boolean ingress) throws ExecutionException;
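Review bot: The new `deleteTenantVDCAclRule`, `deleteTenantVDCPFRule` and `deleteTenantVDCDNatRule` declarations carry no Javadoc, so nothing states that `identifier` and `policyIdentifier` must be the same values the rule was created under; the one caller visible in this commit already diverges, since the firewall-rule loop in CiscoVnmcResource deletes with `publicIp` as the third argument while the create call in the same loop passes `policyIdentifier`, which would make the revoke address a DN that was never created. A Javadoc on `deleteTenantVDCAclRule` along the lines of `@param policyIdentifier the policy identifier the rule was created under (same value passed to createTenantVDCIngressAclRule)` and `@return true when VNMC confirms the deletion` would pin the contract and make that mismatch visible at the call site. The same documentation gap applies to the implementations of these three methods in CiscoVnmcConnectionImpl.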


@ -92,7 +92,8 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
LIST_ACL_POLICIES("list-acl-policies.xml", "policy-mgr"),
CREATE_ACL_POLICY_REF("create-acl-policy-ref.xml", "policy-mgr"),
CREATE_INGRESS_ACL_RULE("create-ingress-acl-rule.xml", "policy-mgr"),
DELETE_ACL_RULE("delete-acl-rule.xml", "policy-mgr"),
DELETE_RULE("delete-rule.xml", "policy-mgr"),
LIST_CHILDREN("list-children.xml", "policy-mgr"),
@ -632,7 +633,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
String xml = VnmcXml.CREATE_ACL_POLICY_SET.getXml();
String service = VnmcXml.CREATE_ACL_POLICY_SET.getService();
xml = replaceXmlValue(xml, "cookie", _cookie);
//xml = replaceXmlValue(xml, "descr", "ACL policy set for Tenant VDC " + tenantName);
xml = replaceXmlValue(xml, "descr", "ACL policy set for Tenant VDC " + tenantName);
xml = replaceXmlValue(xml, "aclpolicysetname", getNameForAclPolicySet(tenantName, ingress));
xml = replaceXmlValue(xml, "aclpolicysetdn", getDnForAclPolicySet(tenantName, ingress));
@ -670,7 +671,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
}
@Override
public boolean createIngressAclRule(String tenantName,
public boolean createTenantVDCIngressAclRule(String tenantName,
String identifier, String policyIdentifier,
String protocol, String sourceStartIp, String sourceEndIp,
String destStartPort, String destEndPort, String destIp) throws ExecutionException {
@ -700,15 +701,10 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
}
@Override
public boolean deleteAclRule(String tenantName, String identifier, String policyIdentifier) throws ExecutionException {
String xml = VnmcXml.DELETE_ACL_RULE.getXml();
String service = VnmcXml.DELETE_ACL_RULE.getService();
xml = replaceXmlValue(xml, "cookie", _cookie);
xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
String response = sendRequest(service, xml);
return verifySuccess(response);
public boolean deleteTenantVDCAclRule(String tenantName, String identifier, String policyIdentifier) throws ExecutionException {
return deleteTenantVDCRule(
getDnForAclRule(tenantName, identifier, policyIdentifier),
getNameForAclRule(tenantName, identifier));
}
private String getNameForPFPortPool(String tenantName, String identifier) {
@ -796,6 +792,17 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
return verifySuccess(response);
}
private boolean deleteTenantVDCRule(String ruledn, String ruleName) throws ExecutionException {
String xml = VnmcXml.DELETE_RULE.getXml();
String service = VnmcXml.DELETE_RULE.getService();
xml = replaceXmlValue(xml, "cookie", _cookie);
xml = replaceXmlValue(xml, "ruledn", ruledn);
xml = replaceXmlValue(xml, "rulename", ruleName);
String response = sendRequest(service, xml);
return verifySuccess(response);
}
private List<String> listNatPolicies(String tenantName) throws ExecutionException {
String xml = VnmcXml.LIST_NAT_POLICIES.getXml();
@ -928,6 +935,14 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
return verifySuccess(response);
}
@Override
public boolean deleteTenantVDCPFRule(String tenantName, String identifier,
String policyIdentifier) throws ExecutionException {
return deleteTenantVDCRule(
getDnForPFRule(tenantName, identifier, policyIdentifier),
getNameForPFRule(tenantName, identifier));
}
@Override
public boolean createTenantVDCIngressAclRuleForPF(String tenantName,
String identifier, String policyIdentifier, String protocol,
@ -1040,6 +1055,15 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
return verifySuccess(response);
}
@Override
public boolean deleteTenantVDCDNatRule(String tenantName,
String identifier, String policyIdentifier)
throws ExecutionException {
return deleteTenantVDCRule(
getDnForDNatRule(tenantName, identifier, policyIdentifier),
getNameForDNatRule(tenantName, identifier));
}
@Override
public boolean createTenantVDCIngressAclRuleForDNat(String tenantName,
String identifier, String policyIdentifier, String publicIp)
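Review bot: In `createTenantVDCAclPolicySet` the now-active `xml = replaceXmlValue(xml, "descr", "ACL policy set for Tenant VDC " + tenantName);` substitutes a caller-supplied name into an XML attribute, and the new `deleteTenantVDCRule` helper does the same for `ruledn` and `rulename`; `replaceXmlValue` is not visible in this hunk, so if it is a plain string replacement a tenant name containing `"`, `<` or `&` yields a malformed or structurally different request to VNMC. If escaping does not already happen inside `replaceXmlValue`, pass the values through an XML-escaping helper before substitution, or document on `replaceXmlValue` that every value must already be XML-safe. Separately, `deleteTenantVDCRule` deserves a one-line comment such as `// Shared DELETE_RULE request; callers pass the DN and name built by the matching getDnFor*/getNameFor* helpers`, since three public delete methods now depend on it.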


@ -71,10 +71,6 @@ public class CiscoVnmcResource implements ServerResource{
private String _password;
private String _guid;
private Integer _numRetries;
private String _publicZone;
private String _privateZone;
private String _publicInterface;
private String _privateInterface;
CiscoVnmcConnectionImpl _connection;
@ -140,26 +136,6 @@ public class CiscoVnmcResource implements ServerResource{
throw new ConfigurationException("Unable to find password");
}
_publicInterface = (String) params.get("publicinterface");
if (_publicInterface == null) {
//throw new ConfigurationException("Unable to find public interface.");
}
_privateInterface = (String) params.get("privateinterface");
if (_privateInterface == null) {
//throw new ConfigurationException("Unable to find private interface.");
}
_publicZone = (String) params.get("publiczone");
if (_publicZone == null) {
_publicZone = "untrust";
}
_privateZone = (String) params.get("privatezone");
if (_privateZone == null) {
_privateZone = "trust";
}
_guid = (String)params.get("guid");
if (_guid == null) {
throw new ConfigurationException("Unable to find the guid");
@ -265,6 +241,20 @@ public class CiscoVnmcResource implements ServerResource{
return new IpAssocAnswer(cmd, results);
}
private String[] getIpRangeFromCidr(String cidr) {
String[] result = new String[2];
String[] cidrData = cidr.split("\\/");
assert (cidrData.length == 2) : "Something is wrong with source cidr " + cidr;
long size = Long.valueOf(cidrData[1]);
result[0] = cidrData[0];
result[1] = cidrData[0];
if (size < 32) {
result[0] = NetUtils.getIpRangeStartIpFromCidr(cidrData[0], size);
result[1] = NetUtils.getIpRangeEndIpFromCidr(cidrData[0], size);
}
return result;
}
/*
* Source NAT
*/
@ -285,6 +275,7 @@ public class CiscoVnmcResource implements ServerResource{
if (!_connection.createTenantVDCSourceNatPolicy(tenant, policyIdentifier)) {
throw new Exception("Failed to create source NAT policy in VNMC for guest network with vlan " + vlanId);
}
if (!_connection.createTenantVDCSourceNatPolicyRef(tenant, policyIdentifier)) {
throw new Exception("Failed to associate source NAT policy with NAT policy set in VNMC for guest network with vlan " + vlanId);
}
@ -293,13 +284,8 @@ public class CiscoVnmcResource implements ServerResource{
throw new Exception("Failed to create source NAT ip pool in VNMC for guest network with vlan " + vlanId);
}
String cidr = cmd.getContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR);
String[] result = cidr.split("\\/");
assert (result.length == 2) : "Something is wrong with guest cidr " + cidr;
long size = Long.valueOf(result[1]);
String startIp = NetUtils.getIpRangeStartIpFromCidr(result[0], size);
String endIp = NetUtils.getIpRangeEndIpFromCidr(result[0], size);
if (!_connection.createTenantVDCSourceNatRule(tenant, policyIdentifier, startIp, endIp)) {
String[] ipRange = getIpRangeFromCidr(cmd.getContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR));
if (!_connection.createTenantVDCSourceNatRule(tenant, policyIdentifier, ipRange[0], ipRange[1])) {
throw new Exception("Failed to create source NAT rule in VNMC for guest network with vlan " + vlanId);
}
@ -362,22 +348,14 @@ public class CiscoVnmcResource implements ServerResource{
for (FirewallRuleTO rule : publicIpRulesMap.get(publicIp)) {
if (rule.revoked()) {
//_connection.deleteAclRule(tenant, Long.toString(rule.getId()), publicIp);
} else {
String cidr = rule.getSourceCidrList().get(0);
String[] result = cidr.split("\\/");
assert (result.length == 2) : "Something is wrong with source cidr " + cidr;
long size = Long.valueOf(result[1]);
String externalStartIp = result[0];
String externalEndIp = result[0];
if (size < 32) {
externalStartIp = NetUtils.getIpRangeStartIpFromCidr(result[0], size);
externalEndIp = NetUtils.getIpRangeEndIpFromCidr(result[0], size);
if (!_connection.deleteTenantVDCAclRule(tenant, Long.toString(rule.getId()), publicIp)) {
throw new Exception("Failed to delete ACL ingress rule in VNMC for guest network with vlan " + vlanId);
}
if (!_connection.createIngressAclRule(tenant,
} else {
String[] externalIpRange = getIpRangeFromCidr(rule.getSourceCidrList().get(0));
if (!_connection.createTenantVDCIngressAclRule(tenant,
Long.toString(rule.getId()), policyIdentifier,
rule.getProtocol().toUpperCase(), externalStartIp, externalEndIp,
rule.getProtocol().toUpperCase(), externalIpRange[0], externalIpRange[1],
Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]), publicIp)) {
throw new Exception("Failed to create ACL ingress rule in VNMC for guest network with vlan " + vlanId);
}
@ -426,6 +404,10 @@ public class CiscoVnmcResource implements ServerResource{
throw new Exception("Failed to create NAT policy set in VNMC for guest network with vlan " + vlanId);
}
if (!_connection.createTenantVDCAclPolicySet(tenant, true)) {
throw new Exception("Failed to create ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
}
for (String publicIp : publicIpRulesMap.keySet()) {
String policyIdentifier = publicIp.replace('.', '-');
@ -449,8 +431,13 @@ public class CiscoVnmcResource implements ServerResource{
for (StaticNatRuleTO rule : publicIpRulesMap.get(publicIp)) {
if (rule.revoked()) {
//_connection.deleteDNatRule(tenant, Long.toString(rule.getId()), policyIdentifier);
//_connection.deleteAclRule(tenant, Long.toString(rule.getId()), policyIdentifier);
if (!_connection.deleteTenantVDCDNatRule(tenant, Long.toString(rule.getId()), policyIdentifier)) {
throw new Exception("Failed to delete DNAT rule in VNMC for guest network with vlan " + vlanId);
}
if (!_connection.deleteTenantVDCAclRule(tenant, Long.toString(rule.getId()), policyIdentifier)) {
throw new Exception("Failed to delete ACL ingress rule for DNAT in VNMC for guest network with vlan " + vlanId);
}
} else {
if (!_connection.createTenantVDCDNatIpPool(tenant, policyIdentifier + "-" + rule.getId(), rule.getDstIp())) {
throw new Exception("Failed to create DNAT ip pool in VNMC for guest network with vlan " + vlanId);
@ -509,6 +496,10 @@ public class CiscoVnmcResource implements ServerResource{
throw new Exception("Failed to create NAT policy set in VNMC for guest network with vlan " + vlanId);
}
if (!_connection.createTenantVDCAclPolicySet(tenant, true)) {
throw new Exception("Failed to create ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
}
for (String publicIp : publicIpRulesMap.keySet()) {
String policyIdentifier = publicIp.replace('.', '-');
@ -532,13 +523,17 @@ public class CiscoVnmcResource implements ServerResource{
for (PortForwardingRuleTO rule : publicIpRulesMap.get(publicIp)) {
if (rule.revoked()) {
//_connection.deletePFRule(tenant, Long.toString(rule.getId()), policyIdentifier);
//_connection.deleteAclRule(tenant, Long.toString(rule.getId()), policyIdentifier);
if (!_connection.deleteTenantVDCPFRule(tenant, Long.toString(rule.getId()), policyIdentifier)) {
throw new Exception("Failed to delete PF rule in VNMC for guest network with vlan " + vlanId);
}
if (!_connection.deleteTenantVDCAclRule(tenant, Long.toString(rule.getId()), policyIdentifier)) {
throw new Exception("Failed to delete ACL ingress rule for PF in VNMC for guest network with vlan " + vlanId);
}
} else {
if (!_connection.createTenantVDCPFIpPool(tenant, policyIdentifier + "-" + rule.getId(), rule.getDstIp())) {
throw new Exception("Failed to create PF ip pool in VNMC for guest network with vlan " + vlanId);
}
if (!_connection.createTenantVDCPFPortPool(tenant, policyIdentifier + "-" + rule.getId(),
Integer.toString(rule.getDstPortRange()[0]), Integer.toString(rule.getDstPortRange()[1]))) {
throw new Exception("Failed to create PF port pool in VNMC for guest network with vlan " + vlanId);