WIP : edge firewall
Signed-off-by: Chiradeep Vittal <chiradeep@apache.org>
This commit is contained in:
parent
6a0964af00
commit
f9cc674b9c
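--- /dev/null
+++ b/create-edge-firewall.xml
@@ -0,0 +1,71 @@
+<configConfMos
+cookie="%cookie%"
+inHierarchical="false">
+<inConfigs>
+<pair key="%edgefwdn%" >
+<fwEdgeFirewall
+haMode="standalone"
+descr="%edgefwdescr%"
+dn="%edgefwdn%"
+name="%edgefwname%"
+status="created"/>
+</pair>
+
+<pair key="%insideintfdn%">
+<fwDataInterface
+descr="ASA Inside Interface"
+dn="%insideintfdn%"
+ipAddressPrimary="%insideip%"
+ipAddressSecondary="0.0.0.0"
+ipSubnet="%insidesubnet%"
+isIpViaDHCP="no"
+name="%insideintfname%"
+role="inside"
+status="created"/>
+</pair>
+
+<pair key="%outsideintfdn%">
+<fwDataInterface
+descr="ASA Outside interface "
+dn="%outsideintfdn%"
+ipAddressPrimary="%publicip%"
+ipAddressSecondary="0.0.0.0"
+ipSubnet="%outsidesubnet%"
+isIpViaDHCP="no"
+name="%outsideintfname%"
+role="outside"
+status="created"/>
+</pair>
+
+<pair key="%outsideintfsp%" >
+<logicalInterfaceServiceProfileAssociation
+descr=""
+dn="%outsideintfsp%"
+name=""
+profileRef="%secprofileref%"
+status="created"/>
+</pair>
+
+<pair key="%deviceserviceprofiledn%" >
+<logicalDeviceServiceProfileAssociation
+descr=""
+dn="%deviceserviceprofiledn%"
+name=""
+profileRef="%deviceserviceprofile%"
+status="created"/>
+</pair>
+</inConfigs>
+</configConfMos>
+
+<!--
+edgefwdn="org-root/org-TenantD/org-VDC-TenantD/efw-ASA-1000v-TenantD"
+insideintfdn="org-root/org-TenantD/org-VDC-TenantD/efw-ASA-1000v-TenantD/interface-Edge_Inside"
+descr="%edgefwdescr%"
+ipAddressPrimary="%insideip%"
+ipSubnet="%insidesubnet%"
+name="%insideintfname%"
+outsideintfdn="%outsideintfdn%"
+ipAddressPrimary="%publicip%"
+ipSubnet="%outsidesubnet%"
+name="%outsideintfname%
+--!>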
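Review bot: The trailing comment on the last line of this file is closed with `--!>`, which is not a valid XML comment terminator (`-->` is), so from `<!--` onward the comment never ends and the whole file is malformed XML. Because the file is the literal request body that `createEdgeFirewall` fills in and hands to `sendRequest`, this dead block (sample `org-TenantD` DNs and a second set of unsubstituted placeholders, including an unterminated `name="%outsideintfname%` attribute) is shipped to the VNMC on every call; I would delete everything after `</configConfMos>` rather than just fix the closer. Also note that `descr="%edgefwdescr%"` and the `dn` attributes receive the tenant name verbatim, so the template itself provides no escaping and whatever fills it must guarantee the values contain no `"`, `<` or `&`.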
@ -1 +0,0 @@
|
|||
<configConfMoscookie="1349308528/b3cb56de-5d62-4d81-bf32-76f7148891eb" inHierarchical="false"> <inConfigs> <pair key="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE" > <policyRuleCondition dn="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE" id="2" order="unspecified" status="created"/> </pair> <pair key="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE/rule-cond-2/nw-expr2/nw-attr-qual" > <policyNwAttrQualifier attrEp="source" dn="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE/rule-cond-2/nw-expr2/nw-attr-qual" status="created"/> </pair> <pair key="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE" > <natpolicyNatRuleBasedPolicy adminState="enabled" descr="Source NAT Rule for Tenant TenantE" dn="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE" name="Source-NAT-For-TenantE" status="created"/> </pair> <pair key="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE/rule-cond-2/nw-expr2/nw-ip-2" <policyIPAddress dataType="string" descr="" dn="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE/rule-cond-2/nw-expr2/nw-ip-2" id="2" name="" placement="begin" status="created" value="10.1.1.2"/> </pair> <pair key="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE/rule-cond-2/nw-expr2/nw-ip-2" > <policyIPAddress dataType="string" descr="" dn="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE/rule-cond-2/nw-expr2/nw-ip-2" id="3" name="" placement="end" status="created" value="10.1.1.254"/> </pair> <pair 
key="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE/rule-cond-2/nw-expr2" > <policyNetworkExpression dn="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE/rule-cond-2/nw-expr2" id="2" opr="range" status="created"/> </pair> <pair key="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE/rule-cond-2" > <policyRule descr="Source NAT Policy for Tenant TenantE" dn="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE" name="%natrulerulename%" order="100" status="created"/> </pair> <pair key="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE/nat-action" > <natpolicyNatAction actionType="static" destTranslatedIpPool="" destTranslatedPortPool="" dn="org-root/org-TenantE/org-VDC-TenantE/natpol-Source-NAT-For-TenantE/rule-Source-NAT-Policy-Rule-TenantE/nat-action" id="0" isBidirectionalEnabled="yes" isDnsEnabled="yes" isNoProxyArpEnabled="no" isRoundRobinIpEnabled="no" srcTranslatedIpPatPool="" srcTranslatedIpPool="Source-NAT-Pool-For-TenantE" srcTranslatedPortPool="" status="created"/> </pair> </inConfigs></configConfMos>
|
||||
|
|
@ -94,10 +94,8 @@ public class CiscoVnmcResource implements ServerResource {
|
|||
CREATE_SOURCE_NAT_POOL("create-source-nat-pool.xml", "policy-mgr"),
|
||||
CREATE_SOURCE_NAT_POLICY("create-source-nat-policy.xml", "policy-mgr"),
|
||||
CREATE_NAT_POLICY_SET("create-nat-policy-set.xml", "policy-mgr"),
|
||||
RESOLVE_NAT_POLICY_SET("associate-nat-policy-set.xml", "policy-mgr");
|
||||
|
||||
|
||||
|
||||
RESOLVE_NAT_POLICY_SET("associate-nat-policy-set.xml", "policy-mgr"),
|
||||
CREATE_EDGE_FIREWALL("create-edge-firewall.xml", "resource-mgr");
|
||||
|
||||
private String scriptsDir = "scripts/network/cisco";
|
||||
private String xml;
|
||||
|
|
@ -698,6 +696,63 @@ public class CiscoVnmcResource implements ServerResource {
|
|||
|
||||
return verifySuccess(response);
|
||||
}
|
||||
|
||||
private String getNameForEdgeFirewall(String tenantName) {
|
||||
return "ASA-1000v-" + tenantName;
|
||||
}
|
||||
|
||||
private String getDnForEdgeFirewall(String tenantName) {
|
||||
return getDnForTenantVDC(tenantName) + "/efw-" + getNameForEdgeFirewall(tenantName);
|
||||
}
|
||||
|
||||
private String getNameForEdgeInsideIntf(String tenantName) {
|
||||
return "Edge_Inside";
|
||||
}
|
||||
|
||||
private String getNameForEdgeOutsideIntf(String tenantName) {
|
||||
return "Edge_Outside";
|
||||
}
|
||||
|
||||
private String getDnForOutsideIntf(String tenantName) {
|
||||
return getDnForEdgeFirewall(tenantName) + "/interface-" + getNameForEdgeOutsideIntf(tenantName);
|
||||
}
|
||||
|
||||
private String getDnForInsideIntf(String tenantName) {
|
||||
return getDnForEdgeFirewall(tenantName) + "/interface-" + getNameForEdgeInsideIntf(tenantName);
|
||||
}
|
||||
|
||||
public boolean createEdgeFirewall(String tenantName, String publicIp, String insideIp,
|
||||
String insideSubnet, String outsideSubnet) throws ExecutionException {
|
||||
|
||||
String xml = VnmcXml.CREATE_EDGE_FIREWALL.getXml();
|
||||
String service = VnmcXml.CREATE_EDGE_FIREWALL.getService();
|
||||
xml = replaceXmlValue(xml, "cookie", _cookie);
|
||||
xml = replaceXmlValue(xml, "edgefwdescr", "Edge Firewall for Tenant VDC " + tenantName);
|
||||
xml = replaceXmlValue(xml, "edgefwname", getNameForEdgeFirewall(tenantName));
|
||||
xml = replaceXmlValue(xml, "edgefwdn", getDnForEdgeFirewall(tenantName));
|
||||
xml = replaceXmlValue(xml, "insideintfname", getNameForEdgeInsideIntf(tenantName));
|
||||
xml = replaceXmlValue(xml, "outsideintfname", getNameForEdgeOutsideIntf(tenantName));
|
||||
|
||||
xml = replaceXmlValue(xml, "insideintfdn", getDnForInsideIntf(tenantName));
|
||||
xml = replaceXmlValue(xml, "outsideintfdn", getDnForOutsideIntf(tenantName));
|
||||
|
||||
xml = replaceXmlValue(xml, "deviceserviceprofiledn", getDnForEdgeFirewall(tenantName) + "/device-service-profile");
|
||||
xml = replaceXmlValue(xml, "outsideintfsp", getDnForOutsideIntf(tenantName) + "/interface-service-profile");
|
||||
|
||||
xml = replaceXmlValue(xml, "secprofileref", getNameForEdgeDeviceSecurityProfile(tenantName));
|
||||
xml = replaceXmlValue(xml, "deviceserviceprofile", getNameForEdgeDeviceServiceProfile(tenantName));
|
||||
|
||||
|
||||
xml = replaceXmlValue(xml, "insideip", insideIp);
|
||||
xml = replaceXmlValue(xml, "publicip", publicIp);
|
||||
xml = replaceXmlValue(xml, "insidesubnet", insideSubnet);
|
||||
xml = replaceXmlValue(xml, "outsidesubnet", outsideSubnet);
|
||||
|
||||
String response = sendRequest(service, xml);
|
||||
|
||||
return verifySuccess(response);
|
||||
|
||||
}
|
||||
|
||||
private String sendRequest(String service, String xmlRequest) throws ExecutionException {
|
||||
org.apache.commons.httpclient.protocol.Protocol myhttps =
|
||||
|
|
|
|||
|
|
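Review bot: `createEdgeFirewall` splices all five string arguments, plus `tenantName` via `edgefwdescr`, `edgefwdn` and the interface DNs, straight into XML attribute values and DN paths with no validation or escaping visible in the hunk; `replaceXmlValue` is defined outside it, so I cannot tell whether it escapes `"`, `<` or `&`. If a tenant name or address can originate from an API caller, a value containing `"` ends the attribute early and lets extra attributes or elements be injected into the request that `sendRequest` ships to the VNMC, and a `/` in the tenant name changes the DN the object is created under. I would reject such input before the first replacement, as below (tighten or loosen the character class to whatever the VNMC accepts in a DN). Separately, `getNameForEdgeInsideIntf` and `getNameForEdgeOutsideIntf` take `tenantName` and ignore it, which is misleading — either use it or drop the parameter. `sendRequest` starts in this hunk and continues outside it.
```java
public boolean createEdgeFirewall(String tenantName, String publicIp, String insideIp,
        String insideSubnet, String outsideSubnet) throws ExecutionException {
    // Placeholders are filled by plain string replacement into XML attributes and DN paths,
    // so refuse anything that could close an attribute or alter the DN.
    for (String v : new String[] { tenantName, publicIp, insideIp, insideSubnet, outsideSubnet }) {
        if (v == null || !v.matches("[A-Za-z0-9._-]+")) {
            throw new IllegalArgumentException("Invalid edge firewall argument: " + v);
        }
    }
    // … unchanged: template substitution and sendRequest …
}
```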
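--- a/CiscoVnmcResourceTest.java
+++ b/CiscoVnmcResourceTest.java
@@ -204,6 +204,7 @@ public class CiscoVnmcResourceTest {
 }
 }
 
+@Ignore
 @Test
 public void testAssociateNatPolicySet() {
 try {
@@ -215,4 +216,14 @@ public class CiscoVnmcResourceTest {
 }
 }
 
+@Test
+public void testCreateEdgeFirewall() {
+try {
+boolean response = resource.createEdgeFirewall(tenantName,
+"44.44.44.44", "192.168.1.1", "255.255.255.0", "255.255.255.192");
+assertTrue(response);
+} catch (ExecutionException e) {
+e.printStackTrace();
+}
+}
 }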
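Review bot: `testCreateEdgeFirewall` swallows the failure it exists to detect: an `ExecutionException` from `createEdgeFirewall` is caught and only printed with `e.printStackTrace()`, so the test passes when the call throws and fails only when it returns `false`. Declare `public void testCreateEdgeFirewall() throws ExecutionException {` and drop the try/catch, or replace the print with `fail(e.getMessage());` if `Assert.fail` is in scope. The same commit marks `testAssociateNatPolicySet` with `@Ignore`, presumably because these tests talk to a live VNMC over HTTPS; if that is the reason, the new test needs the same annotation or it will fail wherever no device is reachable. The test class continues outside the hunk (its `resource` and `tenantName` fields are not shown).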