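/**
 * Resolves the account that owns the ingress firewall rule this command targets.
 *
 * The result is cached in {@code ownerId} after the first successful lookup; the
 * value is presumably consumed by the API layer's access check (which account the
 * caller must be allowed to act on) — confirm against the caller.
 *
 * @return the owning account id of the ingress firewall rule identified by {@code id}
 * @throws InvalidParameterValueException if no rule with that id exists or the rule is
 *         not an ingress rule; both cases produce the same message, so probing ids does
 *         not reveal whether a rule exists with a different traffic type
 */
@Override
public long getEntityOwnerId() {
    if (ownerId == null) {
        FirewallRule rule = _entityMgr.findById(FirewallRule.class, id);
        if (rule == null || rule.getTrafficType() != TrafficType.Ingress) {
            throw new InvalidParameterValueException("Unable to find firewall rule by ID");
        }
        // Reuse the rule that was just validated instead of re-querying by id: a second
        // lookup could return null if the rule is deleted concurrently and would then NPE.
        ownerId = rule.getAccountId();
    }
    return ownerId;
}
}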
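/**
 * Resolves the account that owns the egress firewall rule this command targets.
 *
 * The result is cached in {@code ownerId} after the first successful lookup; the
 * value is presumably consumed by the API layer's access check (which account the
 * caller must be allowed to act on) — confirm against the caller.
 *
 * @return the owning account id of the egress firewall rule identified by {@code id}
 * @throws InvalidParameterValueException if no rule with that id exists or the rule is
 *         not an egress rule; both cases produce the same message, so probing ids does
 *         not reveal whether a rule exists with a different traffic type
 */
@Override
public long getEntityOwnerId() {
    if (ownerId == null) {
        FirewallRule rule = _entityMgr.findById(FirewallRule.class, id);
        if (rule == null || rule.getTrafficType() != TrafficType.Egress) {
            throw new InvalidParameterValueException("Unable to find egress firewall rule by ID");
        }
        // Reuse the rule that was just validated instead of re-querying by id: a second
        // lookup could return null if the rule is deleted concurrently and would then NPE.
        ownerId = rule.getAccountId();
    }
    return ownerId;
}
}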
/**
 * Pushes {@code rules} to every virtual router that serves {@code network}.
 *
 * Returns {@code true} without touching any router when this element does not handle
 * the Firewall service for the network, when the network has no router yet, or when
 * the only rule is the system egress rule on a network whose egress default policy is
 * already "allow" (the router's base iptables configuration covers that case, so
 * nothing needs to be programmed).
 *
 * @param network the guest network whose routers receive the rules
 * @param rules   the rules to apply; may be {@code null}
 * @return {@code true} if every router accepted the rules. After the first router
 *         fails, the remaining routers are not attempted (same short-circuit as the
 *         original {@code result && apply(...)} form), so in a redundant-router setup
 *         a single failure leaves later routers unprogrammed.
 * @throws ResourceUnavailableException propagated from the topology layer
 */
@Override
public boolean applyFWRules(final Network network, final List<? extends FirewallRule> rules) throws ResourceUnavailableException {
    if (!canHandle(network, Service.Firewall)) {
        return true;
    }
    final List<DomainRouterVO> routers = getRouters(network);
    if (routers == null || routers.isEmpty()) {
        s_logger.debug("Virtual router elemnt doesn't need to apply firewall rules on the backend; virtual " + "router doesn't exist in the network " + network.getId());
        return true;
    }
    if (rules != null && rules.size() == 1) {
        final FirewallRule onlyRule = rules.get(0);
        // The router's default iptables rules already ALLOW egress traffic, so the
        // system egress rule needs no explicit programming when the default policy is allow.
        final boolean systemEgress = onlyRule.getTrafficType() == FirewallRule.TrafficType.Egress
                && onlyRule.getType() == FirewallRule.FirewallRuleType.System;
        if (systemEgress && _networkMdl.getNetworkEgressDefaultPolicy(network.getId())) {
            return true;
        }
    }
    final DataCenterVO dcVO = _dcDao.findById(network.getDataCenterId());
    final NetworkTopology networkTopology = networkTopologyContext.retrieveNetworkTopology(dcVO);
    boolean allApplied = true;
    for (final DomainRouterVO router : routers) {
        if (!allApplied) {
            // Preserve the original short-circuit: no further routers after a failure.
            break;
        }
        allApplied = networkTopology.applyFirewallRules(network, rules, router);
    }
    return allApplied;
}
FirewallRuleVO.TrafficType trafficType = rules.get(0).getTrafficType(); List<PublicIp> publicIps = new ArrayList<PublicIp>();
if (rules != null) { if (rules.size() > 0) { if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) { systemRule = String.valueOf(FirewallRule.FirewallRuleType.System); _rulesDao.loadSourceCidrs((FirewallRuleVO) rule); _rulesDao.loadDestinationCidrs((FirewallRuleVO)rule); final FirewallRule.TrafficType traffictype = rule.getTrafficType(); if (traffictype == FirewallRule.TrafficType.Ingress) { final IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId()); final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(), Purpose.Firewall, traffictype); rulesTO.add(ruleTO); } else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) { final NetworkVO network = _networkDao.findById(guestNetworkId); final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
if (rules != null) { if (rules.size() > 0) { if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) { systemRule = String.valueOf(FirewallRule.FirewallRuleType.System); final FirewallRule.TrafficType traffictype = rule.getTrafficType(); if (traffictype == FirewallRule.TrafficType.Ingress) { final IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId()); final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr(), Purpose.Firewall, traffictype); rulesTO.add(ruleTO); } else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) { final NetworkVO network = _networkDao.findById(guestNetworkId); final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
} else { rules = _firewallDao.listByNetworkPurposeTrafficTypeAndNotRevoked(newRule.getNetworkId(), Purpose.Firewall, newRule.getTrafficType()); assert (rules.size() >= 1);
/**
 * Creates an ingress firewall rule on the public IP referenced by
 * {@code rule.getSourceIpAddressId()}, on behalf of the calling account.
 *
 * Ingress rules carry no destination CIDR list, so {@code null} is passed for it
 * (see the trailing note below). The other {@code null} argument is a parameter this
 * method never populates; its meaning is defined by {@code createFirewallRule}, not
 * visible here. Access and value validation is presumably performed inside
 * {@code createFirewallRule} — none happens in this wrapper.
 *
 * @param rule the rule parameters supplied by the API layer
 * @return the persisted firewall rule
 * @throws NetworkRuleConflictException if the rule conflicts with an existing one
 */
@Override
@ActionEvent(eventType = EventTypes.EVENT_FIREWALL_OPEN, eventDescription = "creating firewall rule", create = true)
public FirewallRule createIngressFirewallRule(FirewallRule rule) throws NetworkRuleConflictException {
    final Account caller = CallContext.current().getCallingAccount();
    final Long publicIpId = rule.getSourceIpAddressId();
    return createFirewallRule(
            publicIpId,
            caller,
            rule.getXid(),
            rule.getSourcePortStart(),
            rule.getSourcePortEnd(),
            rule.getProtocol(),
            rule.getSourceCidrList(),
            null, // destination CIDRs: not applicable to ingress rules
            rule.getIcmpCode(),
            rule.getIcmpType(),
            null,
            rule.getType(),
            rule.getNetworkId(),
            rule.getTrafficType(),
            rule.isDisplay());
}
//Destination CIDR capability is currently implemented for egress rules only. For others, the field is passed as null.
if (rule.getPurpose() == Purpose.Firewall && rule.getTrafficType() == FirewallRule.TrafficType.Egress) { String guestVlanTag = BroadcastDomainType.getValue(network.getBroadcastUri()); String guestCidr = network.getCidr(); ruleTO = new FirewallRuleTO(rule, guestVlanTag, rule.getTrafficType(), guestCidr, defaultEgressPolicy, rule.getType()); } else { IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
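/**
 * Creates an egress firewall rule on the guest network referenced by
 * {@code rule.getNetworkId()}, on behalf of the calling account.
 *
 * Shared networks are rejected. A source CIDR of {@code 0.0.0.0/0} is rewritten
 * in place (the caller's list is mutated) to the guest network's own CIDR, so an
 * "any" source can only match traffic that originates inside that network rather
 * than becoming an unbounded match. {@code null} is passed for the source IP id,
 * consistent with egress rules being keyed by network rather than by a public IP.
 *
 * @param rule the rule parameters supplied by the API layer
 * @return the persisted firewall rule
 * @throws InvalidParameterValueException if the network does not exist or is a
 *         Shared network
 * @throws NetworkRuleConflictException if the rule conflicts with an existing one
 */
@Override
@ActionEvent(eventType = EventTypes.EVENT_FIREWALL_EGRESS_OPEN, eventDescription = "creating egress firewall rule for network", create = true)
public FirewallRule createEgressFirewallRule(FirewallRule rule) throws NetworkRuleConflictException {
    Account caller = CallContext.current().getCallingAccount();
    Network network = _networkDao.findById(rule.getNetworkId());
    // Reject an unknown network id explicitly instead of failing with a NullPointerException
    // on the getGuestType()/getCidr() calls below.
    if (network == null) {
        throw new InvalidParameterValueException("Unable to find network by ID " + rule.getNetworkId());
    }
    if (network.getGuestType() == Network.GuestType.Shared) {
        throw new InvalidParameterValueException("Egress firewall rules are not supported for " + network.getGuestType() + " networks");
    }
    List<String> sourceCidrs = rule.getSourceCidrList();
    if (sourceCidrs != null && !sourceCidrs.isEmpty()) {
        // Scope "any" to the guest network's own address range.
        Collections.replaceAll(sourceCidrs, "0.0.0.0/0", network.getCidr());
    }
    return createFirewallRule(null, caller, rule.getXid(), rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getProtocol(), sourceCidrs,
            rule.getDestinationCidrList(), rule.getIcmpCode(), rule.getIcmpType(), null, rule.getType(), rule.getNetworkId(), rule.getTrafficType(), rule.isDisplay());
}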
/**
 * Translates a CloudStack firewall rule into the Nuage VSP ACL representation.
 *
 * The allow/deny direction is derived from the network offering: an egress rule on an
 * offering where {@code isEgressDefaultPolicy()} is true becomes a deny rule (the rule
 * appears to express an exception to a permissive default — confirm against the
 * offering semantics); every other rule, including all ingress rules, becomes allow.
 * When no static NAT is supplied and the rule references a source IP, the IP, its VLAN
 * and the NIC holding the IP's VM address in the associated network are looked up to
 * attach a static NAT mapping. {@code priority(-1)} is passed verbatim; its meaning is
 * defined by {@code VspAclRule}, not visible here.
 *
 * @param firewallRule the CloudStack rule to translate
 * @param network      the network the rule belongs to (used to find its offering)
 * @param staticNat    an already-resolved static NAT IP, or {@code null} to look one up
 * @return the built VSP ACL rule
 */
public VspAclRule buildVspAclRule(FirewallRule firewallRule, Network network, IPAddressVO staticNat) {
    final VspAclRule.Builder builder = new VspAclRule.Builder()
            .uuid(firewallRule.getUuid())
            .protocol(firewallRule.getProtocol())
            .startPort(firewallRule.getSourcePortStart())
            .endPort(firewallRule.getSourcePortEnd())
            .sourceCidrList(firewallRule.getSourceCidrList())
            .priority(-1)
            .type(VspAclRule.ACLType.Firewall)
            .state(getEnumValue(firewallRule.getState(), VspAclRule.ACLState.class))
            .trafficType(getEnumValue(firewallRule.getTrafficType(), VspAclRule.ACLTrafficType.class));

    final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
    final boolean egressRule = firewallRule.getTrafficType() == FirewallRule.TrafficType.Egress;
    if (egressRule && offering.isEgressDefaultPolicy()) {
        builder.deny();
    } else {
        builder.allow();
    }

    final Long sourceIpId = firewallRule.getSourceIpAddressId();
    if (staticNat == null && sourceIpId != null) {
        final IPAddressVO staticNatIp = _ipAddressDao.findById(sourceIpId);
        if (staticNatIp != null) {
            final VlanVO staticNatVlan = _vlanDao.findById(staticNatIp.getVlanId());
            final NicVO nic = _nicDao.findByIp4AddressAndNetworkId(staticNatIp.getVmIp(), staticNatIp.getAssociatedWithNetworkId());
            builder.staticNat(buildVspStaticNat(null, staticNatIp, staticNatVlan, nic));
        }
    }
    return builder.build();
}
response.setCidrList(StringUtils.join(cidrs, ",")); if(fwRule.getTrafficType() == FirewallRule.TrafficType.Egress){ List<String> destCidrs = ApiDBUtils.findFirewallDestCidrs(fwRule.getId()); response.setDestCidr(StringUtils.join(destCidrs,",")); if (fwRule.getTrafficType() == FirewallRule.TrafficType.Ingress) { IpAddress ip = ApiDBUtils.findIpAddressById(fwRule.getSourceIpAddressId()); response.setPublicIpAddressId(ip.getUuid());