/**
 * Builds a transfer object from a persisted {@code rule}, delegating to the full-argument
 * constructor.
 * <p>
 * The two boolean flags are derived from the rule's state: {@code State.Revoke} means the rule
 * is to be removed from the backend, {@code State.Active} means it has already been applied.
 * Note that {@code purpose} is taken from the caller rather than from the rule itself.
 *
 * @param rule       the firewall rule to convert (its id, protocol, ports, state, CIDRs and
 *                   ICMP fields are copied)
 * @param srcVlanTag VLAN tag passed through unchanged to the delegate constructor
 * @param srcIp      source IP address passed through unchanged to the delegate constructor
 * @param purpose    purpose recorded on the transfer object
 */
public FirewallRuleTO(FirewallRule rule, String srcVlanTag, String srcIp, FirewallRule.Purpose purpose) {
    this(rule.getId(), srcVlanTag, srcIp, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(),
            rule.getState() == State.Revoke,   // revoked: rule is being torn down
            rule.getState() == State.Active,   // already applied on the backend
            purpose, rule.getSourceCidrList(), rule.getIcmpType(), rule.getIcmpCode());
}
/**
 * Creates an ingress firewall rule on behalf of the calling account.
 * <p>
 * Every attribute except the owner is taken from {@code rule}; the owner is the account from
 * the current {@link CallContext}. Destination CIDR support is currently implemented for egress
 * rules only, so that argument (and the related-rule id) is passed as {@code null} here.
 *
 * @param rule the API-level description of the rule to create
 * @return the persisted firewall rule
 * @throws NetworkRuleConflictException if the new rule conflicts with an existing one
 */
@Override
@ActionEvent(eventType = EventTypes.EVENT_FIREWALL_OPEN, eventDescription = "creating firewall rule", create = true)
public FirewallRule createIngressFirewallRule(FirewallRule rule) throws NetworkRuleConflictException {
    final Account callingAccount = CallContext.current().getCallingAccount();
    return createFirewallRule(
            rule.getSourceIpAddressId(),
            callingAccount,
            rule.getXid(),
            rule.getSourcePortStart(),
            rule.getSourcePortEnd(),
            rule.getProtocol(),
            rule.getSourceCidrList(),
            null,                  // destination CIDRs: egress-only feature, not used for ingress
            rule.getIcmpCode(),
            rule.getIcmpType(),
            null,                  // related rule id
            rule.getType(),
            rule.getNetworkId(),
            rule.getTrafficType(),
            rule.isDisplay());
}
@Override public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflictException { List<FirewallRuleVO> rules; if (newRule.getSourceIpAddressId() != null) { rules = _firewallDao.listByIpAndPurposeAndNotRevoked(newRule.getSourceIpAddressId(), null); assert (rules.size() >= 1) : "For network rules, we now always first persist the rule and then check for " + "network conflicts so we should at least have one rule at this point."; } else { rules = _firewallDao.listByNetworkPurposeTrafficTypeAndNotRevoked(newRule.getNetworkId(), Purpose.Firewall, newRule.getTrafficType()); assert (rules.size() >= 1); if (rule.getId() == newRule.getId()) { continue; // Skips my own rule. ((rule.getPurpose() == Purpose.Firewall || newRule.getPurpose() == Purpose.Firewall) && ((newRule.getPurpose() != rule.getPurpose()) || (!newRule.getProtocol() .equalsIgnoreCase(rule.getProtocol())))); boolean bothRulesFirewall = (rule.getPurpose() == newRule.getPurpose() && rule.getPurpose() == Purpose.Firewall); boolean duplicatedCidrs = false; if (bothRulesFirewall) { if (rule.getSourceCidrList() == null || newRule.getSourceCidrList() == null) { continue; duplicatedCidrs = (detectConflictingCidrs(rule.getSourceCidrList(), newRule.getSourceCidrList()) && detectConflictingCidrs(rule.getDestinationCidrList(), newRule.getDestinationCidrList())); if (rule.getPurpose() == Purpose.StaticNat && newRule.getPurpose() != Purpose.StaticNat) { throw new NetworkRuleConflictException("There is 1 to 1 Nat rule specified for the ip address id=" + newRule.getSourceIpAddressId()); } else if (rule.getPurpose() != Purpose.StaticNat && newRule.getPurpose() == Purpose.StaticNat) {
response.setId(fwRule.getUuid()); response.setProtocol(fwRule.getProtocol()); if (fwRule.getSourcePortStart() != null) { response.setStartPort(fwRule.getSourcePortStart()); if (fwRule.getSourcePortEnd() != null) { response.setEndPort(fwRule.getSourcePortEnd()); List<String> cidrs = ApiDBUtils.findFirewallSourceCidrs(fwRule.getId()); response.setCidrList(StringUtils.join(cidrs, ",")); if(fwRule.getTrafficType() == FirewallRule.TrafficType.Egress){ List<String> destCidrs = ApiDBUtils.findFirewallDestCidrs(fwRule.getId()); response.setDestCidr(StringUtils.join(destCidrs,",")); if (fwRule.getTrafficType() == FirewallRule.TrafficType.Ingress) { IpAddress ip = ApiDBUtils.findIpAddressById(fwRule.getSourceIpAddressId()); response.setPublicIpAddressId(ip.getUuid()); response.setPublicIpAddress(ip.getAddress().addr()); Network network = ApiDBUtils.findNetworkById(fwRule.getNetworkId()); response.setNetworkId(network.getUuid()); FirewallRule.State state = fwRule.getState(); String stateToSet = state.toString(); if (state.equals(FirewallRule.State.Revoke)) { response.setIcmpCode(fwRule.getIcmpCode()); response.setIcmpType(fwRule.getIcmpType());
/**
 * Converts a CloudStack firewall rule into a Nuage VSP ACL rule.
 * <p>
 * The rule is created with priority {@code -1} and type {@code Firewall}; state and traffic
 * type are mapped onto the VSP enums via {@code getEnumValue}. An egress rule is built as a
 * deny rule when the network offering reports {@code isEgressDefaultPolicy()}, every other rule
 * is an allow rule. When no {@code staticNat} is supplied but the rule carries a source IP, the
 * static NAT binding is resolved from that IP (its VLAN and the NIC holding the VM IP).
 *
 * @param firewallRule the rule to convert
 * @param network      the guest network the rule belongs to (used to look up the offering)
 * @param staticNat    an already-resolved static NAT IP, or {@code null} to resolve it here
 * @return the VSP ACL rule
 */
public VspAclRule buildVspAclRule(FirewallRule firewallRule, Network network, IPAddressVO staticNat) {
    VspAclRule.Builder aclBuilder = new VspAclRule.Builder()
            .uuid(firewallRule.getUuid())
            .protocol(firewallRule.getProtocol())
            .startPort(firewallRule.getSourcePortStart())
            .endPort(firewallRule.getSourcePortEnd())
            .sourceCidrList(firewallRule.getSourceCidrList())
            .priority(-1)
            .type(VspAclRule.ACLType.Firewall)
            .state(getEnumValue(firewallRule.getState(), VspAclRule.ACLState.class))
            .trafficType(getEnumValue(firewallRule.getTrafficType(), VspAclRule.ACLTrafficType.class));

    final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
    final boolean isEgress = firewallRule.getTrafficType() == FirewallRule.TrafficType.Egress;
    // Only egress rules under an offering with the egress default policy set become deny rules.
    if (isEgress && offering.isEgressDefaultPolicy()) {
        aclBuilder.deny();
    } else {
        aclBuilder.allow();
    }

    final boolean needsStaticNatLookup = staticNat == null && firewallRule.getSourceIpAddressId() != null;
    if (needsStaticNatLookup) {
        final IPAddressVO natIp = _ipAddressDao.findById(firewallRule.getSourceIpAddressId());
        if (natIp != null) {
            final VlanVO natVlan = _vlanDao.findById(natIp.getVlanId());
            final NicVO vmNic = _nicDao.findByIp4AddressAndNetworkId(natIp.getVmIp(), natIp.getAssociatedWithNetworkId());
            aclBuilder.staticNat(buildVspStaticNat(null, natIp, natVlan, vmNic));
        }
    }
    return aclBuilder.build();
}
List<String> cidrList; for(FirewallRule r: rules){ if(r.getState()==FirewallRule.State.Revoke){ continue; cidrList = r.getSourceCidrList(); if(cidrList != null){ if(cidrList.size()>1 || !r.getSourcePortEnd().equals(r.getSourcePortStart())){ throw new ResourceUnavailableException("One CIDR and one port only please.", Network.class, network.getId());
return true; Purpose purpose = rules.get(0).getPurpose(); if (!_ipAddrMgr.applyRules(rules, purpose, this, continueOnError)) { s_logger.warn("Rules are not completely applied"); if (updateRulesInDB) { for (FirewallRule rule : rules) { if (rule.getState() == FirewallRule.State.Revoke) { FirewallRuleVO relatedRule = _firewallDao.findByRelatedId(rule.getId()); if (relatedRule != null) { s_logger.warn("Can't remove the firewall rule id=" + rule.getId() + " as it has related firewall rule id=" + relatedRule.getId() + "; leaving it in Revoke state"); success = false; } else { removeRule(rule); if (rule.getSourceIpAddressId() != null) { IpAddress ip = _ipAddressDao.findById(rule.getSourceIpAddressId()); _vpcMgr.unassignIPFromVpcNetwork(ip.getId(), rule.getNetworkId()); } else if (rule.getState() == FirewallRule.State.Add) { FirewallRuleVO ruleVO = _firewallDao.findById(rule.getId()); ruleVO.setState(FirewallRule.State.Active); _firewallDao.update(ruleVO.getId(), ruleVO);
if (rule.getSourceCidrList() == null && (rule.getPurpose() == Purpose.Firewall || rule.getPurpose() == Purpose.NetworkACL)) { _fwRulesDao.loadSourceCidrs((FirewallRuleVO)rule); if (rule.getPurpose() == Purpose.Firewall && rule.getTrafficType() == FirewallRule.TrafficType.Egress) { String guestVlanTag = BroadcastDomainType.getValue(network.getBroadcastUri()); String guestCidr = network.getCidr(); ruleTO = new FirewallRuleTO(rule, guestVlanTag, rule.getTrafficType(), guestCidr, defaultEgressPolicy, rule.getType()); } else { IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId()); Vlan vlan = _vlanDao.findById(sourceIp.getVlanId());
/**
 * Removes the remote-access VPN record and its dependants inside the enclosing transaction:
 * first the VPN row, then a usage event per non-revoked VPN user, then the VPN's firewall rules.
 * {@code vpn} and {@code vpnFwRules} are captured from the enclosing scope (not visible here).
 *
 * @param status transaction status supplied by the transaction callback (unused)
 */
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
    _remoteAccessVpnDao.remove(vpn.getId());
    // Stop billing of VPN users when VPN is removed. VPN_User_ADD events will be generated when VPN is created again
    List<VpnUserVO> vpnUsers = _vpnUsersDao.listByAccount(vpn.getAccountId());
    for (VpnUserVO user : vpnUsers) {
        // VPN_USER_REMOVE event is already generated for users in Revoke state
        if (user.getState() != VpnUser.State.Revoke) {
            UsageEventUtils.publishUsageEvent(EventTypes.EVENT_VPN_USER_REMOVE, user.getAccountId(), 0, user.getId(),
                    user.getUsername(), user.getClass().getName(), user.getUuid());
        }
    }
    // A null rule list means there is nothing to clean up for this VPN.
    if (vpnFwRules != null) {
        for (FirewallRule vpnFwRule : vpnFwRules) {
            _rulesDao.remove(vpnFwRule.getId());
            // NOTE(review): getSourcePortStart().intValue() would NPE on a rule without a start port —
            // presumably VPN rules always carry one; confirm against the code that creates them.
            s_logger.debug("Successfully removed firewall rule with ip id=" + vpnFwRule.getSourceIpAddressId() + " and port "
                    + vpnFwRule.getSourcePortStart().intValue() + " as a part of vpn cleanup");
        }
    }
}
});
if (rules != null) { if (rules.size() > 0) { if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) { systemRule = String.valueOf(FirewallRule.FirewallRuleType.System); _rulesDao.loadSourceCidrs((FirewallRuleVO) rule); _rulesDao.loadDestinationCidrs((FirewallRuleVO)rule); final FirewallRule.TrafficType traffictype = rule.getTrafficType(); if (traffictype == FirewallRule.TrafficType.Ingress) { final IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId()); final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(), Purpose.Firewall, traffictype); rulesTO.add(ruleTO); } else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) { final NetworkVO network = _networkDao.findById(guestNetworkId); final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId()); defaultEgressPolicy = offering.isEgressDefaultPolicy(); assert rule.getSourceIpAddressId() == null : "ipAddressId should be null for egress firewall rule. "; final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, "", Purpose.Firewall, traffictype, defaultEgressPolicy); rulesTO.add(ruleTO);
Network network = _networksDao.findById(rules.get(0).getNetworkId()); FirewallRuleVO.TrafficType trafficType = rules.get(0).getTrafficType(); List<PublicIp> publicIps = new ArrayList<PublicIp>(); if (!(rules.get(0).getPurpose() == FirewallRule.Purpose.Firewall && trafficType == FirewallRule.TrafficType.Egress)) {
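/**
 * Resolves (and caches in {@code ownerId}) the account owning the ingress firewall rule with
 * this command's {@code id}. The result feeds the API layer's ownership/permission check.
 * <p>
 * A rule that exists but is not an ingress rule is reported exactly like a missing one, so the
 * error does not disclose that the id refers to a rule of another traffic type.
 *
 * @return the owning account id
 * @throws InvalidParameterValueException if no ingress firewall rule has this id
 */
@Override
public long getEntityOwnerId() {
    if (ownerId == null) {
        FirewallRule rule = _entityMgr.findById(FirewallRule.class, id);
        if (rule == null || rule.getTrafficType() != TrafficType.Ingress) {
            throw new InvalidParameterValueException("Unable to find firewall rule by ID");
        }
        // Use the entity already loaded: the original second findById() was a redundant
        // round trip and would NPE if the rule vanished between the two lookups.
        ownerId = rule.getAccountId();
    }
    return ownerId;
}
}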
/**
 * Validates the requested source CIDRs and then creates the ingress firewall rule.
 * <p>
 * Each CIDR must be a valid IPv4 or IPv6 CIDR; the first malformed one is reported as a
 * {@code PARAM_ERROR}. On success the created rule's id and uuid are recorded on the command.
 *
 * @throws ServerApiException with {@code PARAM_ERROR} for a malformed CIDR, or with
 *         {@code NETWORK_RULE_CONFLICT_ERROR} when the service reports a conflicting rule
 */
@Override
public void create() {
    rejectMalformedSourceCidrs();
    try {
        final FirewallRule created = _firewallService.createIngressFirewallRule(this);
        if (created != null) {
            setEntityId(created.getId());
            setEntityUuid(created.getUuid());
        }
    } catch (NetworkRuleConflictException ex) {
        s_logger.trace("Network Rule Conflict: ", ex);
        throw new ServerApiException(ApiErrorCode.NETWORK_RULE_CONFLICT_ERROR, ex.getMessage(), ex);
    }
}

/** Throws a {@code PARAM_ERROR} for the first source CIDR that is neither valid IPv4 nor IPv6. */
private void rejectMalformedSourceCidrs() {
    if (getSourceCidrList() == null) {
        return;
    }
    for (String cidr : getSourceCidrList()) {
        if (NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp6Cidr(cidr)) {
            continue;
        }
        throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Source CIDRs formatting error " + cidr);
    }
}
/**
 * Applies firewall rules to every virtual router of {@code network}.
 * <p>
 * Returns {@code true} without doing anything when this element does not provide the Firewall
 * service for the network, when the network has no routers, or when the only rule is the
 * system egress rule and the network's egress default policy already allows the traffic
 * (the router's default iptables rules cover that case). Otherwise the rules are pushed to
 * each router in turn; because the results are combined with {@code &&}, routers after the
 * first failure are not contacted.
 *
 * @param network the guest network
 * @param rules   the rules to apply, may be {@code null}
 * @return {@code true} if nothing needed to be applied or every router accepted the rules
 * @throws ResourceUnavailableException propagated from the network topology
 */
@Override
public boolean applyFWRules(final Network network, final List<? extends FirewallRule> rules) throws ResourceUnavailableException {
    if (!canHandle(network, Service.Firewall)) {
        return true;
    }
    final List<DomainRouterVO> routers = getRouters(network);
    if (routers == null || routers.isEmpty()) {
        s_logger.debug("Virtual router elemnt doesn't need to apply firewall rules on the backend; virtual "
                + "router doesn't exist in the network " + network.getId());
        return true;
    }
    if (rules != null && rules.size() == 1) {
        // For the VR there is no need to add the default egress ALLOW rule: the router's
        // default iptables rules (iptables-router) already allow that traffic.
        final FirewallRule onlyRule = rules.get(0);
        final boolean isSystemEgressRule = onlyRule.getTrafficType() == FirewallRule.TrafficType.Egress
                && onlyRule.getType() == FirewallRule.FirewallRuleType.System;
        if (isSystemEgressRule && _networkMdl.getNetworkEgressDefaultPolicy(network.getId())) {
            return true;
        }
    }
    final DataCenterVO dc = _dcDao.findById(network.getDataCenterId());
    final NetworkTopology topology = networkTopologyContext.retrieveNetworkTopology(dc);
    boolean applied = true;
    for (final DomainRouterVO router : routers) {
        applied = applied && topology.applyFirewallRules(network, rules, router);
    }
    return applied;
}
/**
 * Builds the static NAT rule backing {@code rule}: the rule's source IP must be a one-to-one
 * NAT address associated with a VM, and that VM's IP becomes the NAT destination.
 *
 * @param rule      the firewall rule whose source IP is the static-NAT public IP
 * @param forRevoke not used by this implementation
 * @return the static NAT rule targeting the VM IP of the public address
 * @throws InvalidParameterValueException if the source IP is not static-NAT enabled or has no VM IP;
 *         the offending rule's uuid is attached as proxy object {@code ruleId}
 */
@Override
public StaticNatRule buildStaticNatRule(FirewallRule rule, boolean forRevoke) {
    final IpAddress publicIp = _ipAddressDao.findById(rule.getSourceIpAddressId());
    final FirewallRuleVO ruleVO = _firewallDao.findById(rule.getId());

    final boolean staticNatEnabled = publicIp != null && publicIp.isOneToOneNat() && publicIp.getAssociatedWithVmId() != null;
    if (!staticNatEnabled) {
        throw invalidRule(ruleVO, "Source ip address of the specified firewall rule id is not static nat enabled");
    }
    final String vmIp = publicIp.getVmIp();
    if (vmIp == null) {
        throw invalidRule(ruleVO, "VM ip address of the specified public ip is not set ");
    }
    return new StaticNatRuleImpl(ruleVO, vmIp);
}

/** Builds the parameter exception for {@code ruleVO}, attaching its uuid as the {@code ruleId} proxy object. */
private static InvalidParameterValueException invalidRule(FirewallRuleVO ruleVO, String message) {
    final InvalidParameterValueException ex = new InvalidParameterValueException(message);
    ex.addProxyObject(ruleVO.getUuid(), "ruleId");
    return ex;
}
/**
 * Resolves (and caches in {@code ownerId}) the account owning the static NAT rule with this
 * command's {@code id}; the API layer uses it for the ownership/permission check.
 *
 * @return the owning account id
 * @throws InvalidParameterValueException if no rule has this id
 */
@Override
public long getEntityOwnerId() {
    if (ownerId != null) {
        return ownerId;
    }
    final FirewallRule rule = _entityMgr.findById(FirewallRule.class, id);
    if (rule == null) {
        throw new InvalidParameterValueException("Unable to find static NAT rule by ID: " + id);
    }
    ownerId = rule.getAccountId();
    return ownerId;
}
/**
 * Applies the previously created ingress firewall rule to the backend and builds the response.
 * <p>
 * If applying fails, or the rule can no longer be found afterwards, the rule is revoked again so
 * that no half-applied rule remains in the database, and an {@code INTERNAL_ERROR} is raised.
 * Because that throw happens in {@code finally}, it replaces any exception thrown inside the
 * {@code try} block (the original cause is not chained).
 *
 * @throws ServerApiException with {@code INTERNAL_ERROR} when the rule could not be applied
 * @throws ResourceUnavailableException propagated from the firewall service
 */
@Override
public void execute() throws ResourceUnavailableException {
    final CallContext ctx = CallContext.current();
    FirewallRule rule = _entityMgr.findById(FirewallRule.class, getEntityId());
    boolean applied = false;
    try {
        CallContext.current().setEventDetails("Rule ID: " + getEntityId());
        applied = _firewallService.applyIngressFwRules(rule.getSourceIpAddressId(), ctx.getCallingAccount());
        // The rule's state changes when it is applied, so reload it before building the response.
        rule = _entityMgr.findById(FirewallRule.class, getEntityId());
        FirewallResponse response = new FirewallResponse();
        if (rule != null) {
            response = _responseGenerator.createFirewallResponse(rule);
            setResponseObject(response);
        }
        response.setResponseName(getCommandName());
    } finally {
        if (!applied || rule == null) {
            // Roll back: remove the rule that was persisted by create() but never took effect.
            _firewallService.revokeIngressFwRule(getEntityId(), true);
            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create firewall rule");
        }
    }
}
if (rules != null) { if (rules.size() > 0) { if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) { systemRule = String.valueOf(FirewallRule.FirewallRuleType.System); final FirewallRule.TrafficType traffictype = rule.getTrafficType(); if (traffictype == FirewallRule.TrafficType.Ingress) { final IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId()); final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(), Purpose.Firewall, traffictype); rulesTO.add(ruleTO); } else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) { final NetworkVO network = _networkDao.findById(guestNetworkId); final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId()); defaultEgressPolicy = offering.isEgressDefaultPolicy(); assert rule.getSourceIpAddressId() == null : "ipAddressId should be null for egress firewall rule. "; final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, "", Purpose.Firewall, traffictype, defaultEgressPolicy); rulesTO.add(ruleTO);
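/**
 * Resolves (and caches in {@code ownerId}) the account owning the egress firewall rule with
 * this command's {@code id}. The result feeds the API layer's ownership/permission check.
 * <p>
 * A rule that exists but is not an egress rule is reported exactly like a missing one, so the
 * error does not disclose that the id refers to a rule of another traffic type.
 *
 * @return the owning account id
 * @throws InvalidParameterValueException if no egress firewall rule has this id
 */
@Override
public long getEntityOwnerId() {
    if (ownerId == null) {
        FirewallRule rule = _entityMgr.findById(FirewallRule.class, id);
        if (rule == null || rule.getTrafficType() != TrafficType.Egress) {
            throw new InvalidParameterValueException("Unable to find egress firewall rule by ID");
        }
        // Use the entity already loaded: the original second findById() was a redundant
        // round trip and would NPE if the rule vanished between the two lookups.
        ownerId = rule.getAccountId();
    }
    return ownerId;
}
}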