1. Egress default policy rules is send to the firewall provider. It is up to the
provider to configure the rules.
2. The default policy rules are send for both allow and deny default policy.
3. On network shutdown rules for delete are send.
4. For VR and SRX, by default deny the traffic. So no default rule to deny traffic is required.
service and not used for LB
Fix adds a boolean flag to addNetscalerLoadBalancer api, which
will mark added NetScaler for exclusive GSLB service. A netscaler marked
as exclusive gslb service provider is not picked for any guest network's
lb provider.
This patch adds support for trust chains in the netscaler.
I initially planned on using the 10.1 API's "bundle" feature but during
my testing I found that was not working. So I am doing the chain linking
myself. Also NS can have only one entity of a certificate ie lets say
two different users try to add the same certificate on the netscaler
only one of them will go through. The other one says resouce already
exists even though they have different files.
This can be a problem in trust chains where the chain can be shared
between multiple accounts/certificates. So, I am using the figerprint as
an identifier of a certificate and making sure that we delete it only
when no one references it.
Those bugs are related to classes not implementing Serializable, nox overriding the equals and/or hashCode methods and with empty finalize method.
Signed-off-by: Hugo Trippaers <htrippaers@schubergphilis.com>
This patch adds a network plugin to support Palo Alto Networks firewall (their appliance and their VM series firewall).
More information in the FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Palo+Alto+Firewall+Integration
Features supported are:
- List/Add/Delete Palo Alto service provider
- List/Add/Delete Palo Alto network service offering
- List/Add/Delete Palo Alto network with above service offering
- Add instance to the new network (creates the public IP and private gateway/cidr on the PA as well as the source nat rule)
- List/Add/Delete Ingress Firewall rule
- List/Add/Delete Egress Firewall rule
- List/Add/Delete Port Forwarding rule
- List/Add/Delete Static Nat rule
- Supports Palo Alto Networks 'Log Forwarding' profile globally per device (additional docs to come)
- Supports Palo Alto Networks 'Security Profile Groups' functionality globally per device (additional docs to come)
Knowns limitations:
- Only supports one public IP range in CloudStack.
- Currently not verifying SSL certificates when creating a connection between CloudStack and the Palo Alto Networks firewall.
- Currently not tracking usage on Public IPs.
Signed-off-by: Sheng Yang <sheng.yang@citrix.com>
Introduction of a new Transaction API that is more consistent with the style
of Spring's transaction managment. The existing Transaction class was renamed
to TransactionLegacy. All of the non-DAO code in the management server has been
updated to use the new Transaction API.
ACS is now comprised of a hierarchy of spring application contexts.
Each plugin can contribute configuration files to add to an existing
module or create it's own module.
Additionally, for the mgmt server, ACS custom AOP is no longer used
and instead we use Spring AOP to manage interceptors.
The managed context framework provides a simple way to add logic
to ACS at the various entry points of the system. As threads are
launched and ran listeners can be registered for onEntry or onLeave
of the managed context. This framework will be used specifically
to handle DB transaction checking and setting up the CallContext.
This framework is need to transition away from ACS custom AOP to
Spring AOP.
Initial patch for VXLAN support.
Fully functional, hopefully, for GuestNetwork - AdvancedZone.
Patch Note:
in cloudstack-server
- Add isolation method VXLAN
- Add VxlanGuestNetworkGuru as plugin for VXLAN isolation
- Modify NetworkServiceImpl to handle extended vNet range for VXLAN isolation
- Add VXLAN isolation option in zoneWizard UI
in cloudstack-agent (kvm)
- Add modifyvxlan.sh script that handle bridge/vxlan interface manipulation script
-- Usage is exactly same to modifyvlan.sh
- BridgeVifDriver will call modifyvxlan.sh instead of modifyvlan.sh when VXLAN is used for isolation
Database changes:
- No change in database structure.
- VXLAN isolation uses same tables that VLAN uses to store vNet allocation status.
Known Issue and/or TODO:
- Some resource still says 'VLAN' in log even if VXLAN is used
- in UI, "Network - GuestNetworks" dosen't display VNI
-- VLAN ID field displays "N/A"
- Documentation!
Signed-off-by : Toshiaki Hatano <haeena@haeena.net>
A recent code change in NetworkManager causes NullPointerExceptions when DHCP
capability list is null.
The commit which made the NetworkManager change also changed the VirtualRouter
to not use null for the capabilitylist, but didn't make this change for other
network devices, causing DHCP to fail on MidoNet.
This change also updates the MidoNet plugin to use the most recent MidoNet API.
Initial patch for VXLAN support.
Fully functional, hopefully, for GuestNetwork - AdvancedZone.
Patch Note:
in cloudstack-server
- Add isolation method VXLAN
- Add VxlanGuestNetworkGuru as plugin for VXLAN isolation
- Modify NetworkServiceImpl to handle extended vNet range for VXLAN isolation
- Add VXLAN isolation option in zoneWizard UI
in cloudstack-agent (kvm)
- Add modifyvxlan.sh script that handle bridge/vxlan interface manipulation script
-- Usage is exactly same to modifyvlan.sh
- BridgeVifDriver will call modifyvxlan.sh instead of modifyvlan.sh when VXLAN is used for isolation
Database changes:
- No change in database structure.
- VXLAN isolation uses same tables that VLAN uses to store vNet allocation status.
Known Issue:
- Some resource still says 'VLAN' in log even if VXLAN is used
- in UI, "Network - GuestNetworks" dosen't display VNI
-- VLAN ID field displays "N/A"
The existing Maven repo in the POM will be unavailable soon, so I have
changed it to cs-maven.midokura.com.
Signed-off-by: Prasanna Santhanam <tsp@apache.org>
created with gslbmethod=leastconn
Netscaler nitro api to add gslb virtual servers fails for some reason if
both netmask and round robin methods are specified. So working around
with settign netmask to be null while updating vserver.
java.lang.NumberFormatException
While deleting LB monitor and GSLB service binding Nitro API fails
with wierd NumberFormatException. Adding a workaround to delete the LB
monitor after GSLB service is delted (which ensures intenrally LB
monitor is delted).
Issue:
======
Unable to created internalLB Vm. this is due while determining maxconn
value from networkoffering.
to find the networking offering, networkid is passed instead of
networkoffering id which is causing the issue.
fixed:
=====
fixed the issue by passing the network offering id instead of network
id.
Conflicts:
plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
Only one NetScaler device can act as GSLB service provider in a zone for
all the tenants and thier networks, so restrict addign NetScaler device
to be shared use when configure as GSLB service provider.
involved in the GSLB
add weights to each site participating in the GSLB. Traffic will be load
balanced across the sites based on the weigths associated with each
site. If not specified weight of site is defaulted to 1.
-fixing regression due to adding GSLB monitor for GSLB service
-code to add/delete GSLB monitor and GSLB service-monitor binding is
made idempotenet so as to succeed if the resource exists.
Update ImageFormat enum to include VHDX format introduced with Hyper-V
Server 2012.
Remove existing Hyper-V plugin, because it does not work and is dead
code.
Remove references to existing Hyper-V plugin from config files.
Remove Hypervisor.HypervisorType.Hyperv special cases from manager code
that are unused or unsupported.
Specifically, there is no CIFS secondary storage class
"CifsSecondaryStorageResource". Also, the Hyper-V plugin's
ServerResource is contacted by the management server and not the other
way around.
Add Hyperv-V support to ListHypervisorsCmd API call
Signed-off-by: Edison Su <sudison@gmail.com>
Stratosphere SSP is an SDN solution which creates virtual L2
networks backed by vxlan and vlan. SSP will ask hypervisor to set a
specific vlan, then SSP will interact with openflow switches and
put vxlan/vlan translation flow rules.
This plugin provides SSP as "connctivity" service provider.
Signed-off-by: Hiroaki KAWAI <kawai@stratosphere.co.jp>
has dedicated resources and the dedicated resources have all been consumed - use.system.public.ips and use.system.guest.vlans
Both configs are configurable at the account level too.
For static NAT rule an IP pool gets created in VNMC. In order to make the pool name unique the rule id is appended. Since static NAT rules are not stored in CS db. like PF/FW rules, the id was always set to 0.
As a result the pool was always getting overridden everytime a static NAT rule is created. Fixed it by appending the public IP address id along with a character indicating that the pool is used for static NAT rule to the pool name.
mapped to it is serviced by VR
For remote LB services that are not running on NetScaler, there needs to
be a LB monitor bound to GSLB service. Otherwise service is shown down.
This fix binds a LB monitor with GSLB services.
An extra public ip is acquired while implementing the vnmc element as there is a limitation where in the source nat cannot be used as asa outside ip.
As a result of this when the network gets re-implemented an additional ip is acquired every time. The fix involves checking for existing public ips
in the network and reuse it in case it is not a source nat ip for assigning to asa outside interface.
platform
Use the Gson adapters to serialize/deserialize the NatRules
Switch the NiciraNvpApi to a single gson Object with the proper adapters
Fix missing order setting for static nat rules and portforwarding rules
Return an error when a port range is passed in a portforwarding rule
The serializer is not required
Fix a bug where an ip address could be released even if it was still in
use for SourceNat
Throw a json parse exception when the type is unknown to the adapter
Each rule created in VNMC under a policy object needs to have an unique order value. Rules are evaluated based on this value.
Eariler order was computed based on the rule count under a policy object. This resulted in duplicate order value when rules get
deleted and recreated. Changed the logic to compute order based on the CS db id of the rule which is unique.
No longer creating firewall rule as part of PF/Static NAT rule creation. Now firewall rule needs to be configured separately.
Also made some changes to exception handling.
* Updated SQL upgrade scripts to include midonet configs.
* Fixed bug where default ICMP allow rule was missing
on static NAT creation, keeping VMs from being able
to ping the gateway.
* Changed the filter in the MidoNetElement callbacks to allow
calls when Midonet is configured.
Signed-off-by: Hugo Trippaers <htrippaers@schubergphilis.com>
Ip and port pool object names in VNMC were created by appending guest vlan, public ip and id of corresponding rule for better readability. This resulted in the name exceeding max. length allowed.
Shortened the name by removing public ip part from it.
This feature enables adding of guest ip ranges (public ips) form different subnets.
In order to provide the dhcp service to a different subnet we create an ipalias on the router. This allows the router to listen to the dhcp request from the guest vms and respond accordingly. Every time a vm is deployed in the new subnet we configure an ip alias on the router. Cloudstack uses dnsmasq to provide dhcp service. We need to configure the dnsmasq to issue ips on the new subnets. Added a new class dnsmasqconfigurator which generates the dnsmasq confg file, this file replaces the old config in the router.
The details of the alias ips are stored in db in the nic_ip_alias table. Every time a new subnet is added one of the ip from the subnet is used to configure the ip alias.
I have pushed the code to https://github.com/bvbharatk/cloud-stack/tree/Cloudstack-702 , also rebased the code with master.
I need to test the code for advanced sg enabled network using kvm.
I have added the unit test
Marvin tests are at https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=53e4965
Also accomodated some of the changes suggested by koushik.
corrected the import statements. renamed the IpAlias command to createIpAlias command.
This feature supports only ipv4
Koushik Das
Antonio Fornie
Min Chen
Alex Huang
Jayapal
Will Stevens
tuna
Murali Reddy
Syed Ahmed
wilderrodrigues
Darren Shepherd
Hugo Trippaers
Prachi Damle
Rajesh Battala
John Kinsella
Sheng Yang
wilderrodrigues
Edison Su
Pedro Marques
dhoogland
Laszlo Hornyak
Darren Shepherd
ynojima
Alena Prokharchyk
Daan Hoogland
Dave Cahill
Daan Hoogland
Toshiaki Hatano
Prasanna Santhanam
Chip Childers
Amogh Vasekar
Koushik Das
Bharat Kumar
Hiroaki KAWAI
Donal Lafferty
Likitha Shetty
Jayapal
Joe Mills
Pranav Saxena