/**
 * Persists the source CIDR list of a firewall rule.
 *
 * @param firewallRule the rule whose id keys the stored CIDRs
 * @param cidrList     source CIDRs to store; a {@code null} list means "nothing to store" and is a no-op
 */
public void saveSourceCidrs(FirewallRuleVO firewallRule, List<String> cidrList) {
    if (cidrList != null) {
        final long ruleId = firewallRule.getId();
        _firewallRulesCidrsDao.persist(ruleId, cidrList);
    }
}
/**
 * Persists the destination CIDR list of a firewall rule.
 *
 * @param firewallRule the rule whose id keys the stored CIDRs
 * @param cidrList     destination CIDRs to store; a {@code null} list means "nothing to store" and is a no-op
 */
public void saveDestinationCidrs(FirewallRuleVO firewallRule, List<String> cidrList) {
    if (cidrList != null) {
        final long ruleId = firewallRule.getId();
        _firewallRulesDcidrsDao.persist(ruleId, cidrList);
    }
}
/**
 * Marks the rule as {@code Revoke} and writes it back through the DAO.
 *
 * @param rule the rule to revoke; its state is mutated in place
 * @return the DAO's update result
 */
@Override
public boolean revoke(FirewallRuleVO rule) {
    rule.setState(State.Revoke);
    final long ruleId = rule.getId();
    return update(ruleId, rule);
}
/**
 * Hydrates the rule's source CIDR list from the separate CIDR table.
 *
 * @param rule the rule to populate; mutated in place
 */
@Override
public void loadSourceCidrs(FirewallRuleVO rule) {
    final long ruleId = rule.getId();
    rule.setSourceCidrList(_firewallRulesCidrsDao.getSourceCidrs(ruleId));
}
/**
 * Hydrates the rule's destination CIDR list from the separate destination-CIDR table.
 *
 * @param rule the rule to populate; mutated in place
 */
@Override
public void loadDestinationCidrs(FirewallRuleVO rule) {
    final long ruleId = rule.getId();
    rule.setDestinationCidrsList(_firewallRulesDcidrsDao.getDestCidrs(ruleId));
}
/**
 * Collects the network's firewall rules of the given traffic type and converts each one into a
 * Nuage VSP ACL rule.
 *
 * @param network     network whose rules are collected
 * @param trafficType ingress/egress selector passed to the DAO query
 * @return the converted rules, in DAO order; empty when the network has none
 */
private List<VspAclRule> getFirewallRulesToApply(final Network network, FirewallRule.TrafficType trafficType) {
    final long networkId = network.getId();
    List<FirewallRuleVO> ruleVos = _firewallRulesDao.listByNetworkPurposeTrafficType(networkId, FirewallRule.Purpose.Firewall, trafficType);
    List<VspAclRule> aclRules = Lists.newArrayListWithExpectedSize(ruleVos.size());
    for (FirewallRuleVO ruleVo : ruleVos) {
        // Source CIDRs live in a separate table; hydrate them before converting.
        // NOTE(review): destination CIDRs are not loaded here, unlike the generic apply path — confirm
        // the VSP builder does not need them.
        List<String> sourceCidrs = _firewallRulesCidrsDao.getSourceCidrs(ruleVo.getId());
        ruleVo.setSourceCidrList(sourceCidrs);
        aclRules.add(_nuageVspEntityBuilder.buildVspAclRule(ruleVo, network));
    }
    return aclRules;
}
/**
 * Marks every non-revoked firewall rule of the network as {@code Revoke}, pushes the network's complete
 * rule set to the backend in one batch (continue-on-error), and reports whether no unrevoked rule remains.
 *
 * @param networkId network whose firewall rules are released
 * @param userId    not used by this method; revocations are recorded against {@code Account.ACCOUNT_ID_SYSTEM}
 * @param caller    account handed to the apply step for its access check
 * @return {@code true} only if the backend apply succeeded and the follow-up query finds no non-revoked rule
 * @throws ResourceUnavailableException declared by the interface; presumably raised by the revocation step
 */
@Override
@ActionEvent(eventType = EventTypes.EVENT_FIREWALL_CLOSE, eventDescription = "revoking firewall rule", async = true)
public boolean revokeAllFirewallRulesForNetwork(long networkId, long userId, Account caller) throws ResourceUnavailableException {
    List<FirewallRuleVO> pending = _firewallDao.listByNetworkAndPurposeAndNotRevoked(networkId, Purpose.Firewall);
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Releasing " + pending.size() + " firewall rules for network id=" + networkId);
    }
    // Only flip state here; the backend is updated once for the whole network below.
    for (FirewallRuleVO pendingRule : pending) {
        revokeFirewallRule(pendingRule.getId(), false, caller, Account.ACCOUNT_ID_SYSTEM);
    }
    List<FirewallRuleVO> batch = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.Firewall);
    boolean applied = applyFirewallRules(batch, true, caller);
    // Re-query: rules may have been inserted while the apply was in flight.
    List<FirewallRule> leftOver = new ArrayList<FirewallRule>(_firewallDao.listByNetworkAndPurposeAndNotRevoked(networkId, Purpose.Firewall));
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Successfully released firewall rules for network id=" + networkId + " and # of rules now = " + leftOver.size());
    }
    return applied && leftOver.isEmpty();
}
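/**
 * Loads the source/destination CIDR lists of the given rules, checks that {@code caller} may act on
 * every one of them, and pushes the rules to the network backend.
 *
 * @param rules           rules to apply; {@code null} or empty is treated as "nothing to do" and succeeds
 * @param continueOnError passed through to {@code applyRules}
 * @param caller          account on whose behalf the rules are applied; when {@code null} the access check
 *                        is skipped entirely, so only internal/system code paths should pass {@code null}
 * @return {@code true} if the backend accepted the rules (or there were none); {@code false} if the backend
 *         rejected them or was unavailable
 */
@Override
public boolean applyFirewallRules(List<FirewallRuleVO> rules, boolean continueOnError, Account caller) {
    if (rules == null || rules.isEmpty()) {
        s_logger.debug("There are no firewall rules to apply");
        return true;
    }
    // CIDR lists are stored in separate tables; hydrate them so the backend sees the complete rule.
    for (FirewallRuleVO rule : rules) {
        rule.setSourceCidrList(_firewallCidrsDao.getSourceCidrs(rule.getId()));
        rule.setDestinationCidrsList(_firewallDcidrsDao.getDestCidrs(rule.getId()));
    }
    if (caller != null) {
        _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRuleVO[0]));
    }
    try {
        return applyRules(rules, continueOnError, true);
    } catch (ResourceUnavailableException ex) {
        // Log the throwable itself so the stack trace is kept, not just its message.
        s_logger.warn("Failed to apply firewall rules due to : " + ex.getMessage(), ex);
        return false;
    }
}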
/**
 * Marks every non-revoked firewall rule of the public IP as {@code Revoke}, pushes the IP's complete rule
 * set to the backend in one batch, and reports whether no unrevoked rule remains.
 *
 * @param ipId   public IP whose firewall rules are released
 * @param userId not used by this method; revocations are recorded against {@code Account.ACCOUNT_ID_SYSTEM}
 * @param caller account handed to the apply step for its access check
 * @return {@code false} if the apply failed and {@code rulesContinueOnErrFlag} is off; otherwise {@code true}
 *         exactly when the follow-up query finds no non-revoked rule
 * @throws ResourceUnavailableException declared by the interface; presumably raised by the revocation step
 */
@Override
@ActionEvent(eventType = EventTypes.EVENT_FIREWALL_CLOSE, eventDescription = "revoking firewall rule", async = true)
public boolean revokeFirewallRulesForIp(long ipId, long userId, Account caller) throws ResourceUnavailableException {
    List<FirewallRuleVO> pending = _firewallDao.listByIpAndPurposeAndNotRevoked(ipId, Purpose.Firewall);
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Releasing " + pending.size() + " firewall rules for ip id=" + ipId);
    }
    // Only flip state here; the backend is updated once for the whole IP below.
    for (FirewallRuleVO pendingRule : pending) {
        revokeFirewallRule(pendingRule.getId(), false, caller, Account.ACCOUNT_ID_SYSTEM);
    }
    List<FirewallRuleVO> batch = _firewallDao.listByIpAndPurpose(ipId, Purpose.Firewall);
    boolean applied = applyFirewallRules(batch, rulesContinueOnErrFlag, caller);
    if (!applied && !rulesContinueOnErrFlag) {
        return false;
    }
    // Re-query: rules may have been inserted while the apply was in flight.
    List<FirewallRule> leftOver = new ArrayList<FirewallRule>(_firewallDao.listByIpAndPurposeAndNotRevoked(ipId, Purpose.Firewall));
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Successfully released firewall rules for ip id=" + ipId + " and # of rules now = " + leftOver.size());
    }
    return leftOver.isEmpty();
}
// Anonymous transaction callback. `rule` (the FirewallRuleVO being revoked) and `needUsageEvent` are
// captured from the enclosing method, which lies outside this fragment.
@Override public void doInTransactionWithoutResult(TransactionStatus status) {
    boolean generateUsageEvent = false;
    if (rule.getState() == State.Staged) {
        // Staged rules are deleted outright rather than marked Revoke (presumably never sent to the backend — confirm).
        if (s_logger.isDebugEnabled()) { s_logger.debug("Found a rule that is still in stage state so just removing it: " + rule); }
        removeRule(rule);
        generateUsageEvent = true;
    } else if (rule.getState() == State.Add || rule.getState() == State.Active) {
        // Add/Active rules are only marked Revoke here; the row is removed by a later apply.
        rule.setState(State.Revoke);
        _firewallDao.update(rule.getId(), rule);
        generateUsageEvent = true;
    }
    // Any other state is left untouched and no usage event is emitted.
    if (generateUsageEvent && needUsageEvent) {
        UsageEventUtils.publishUsageEvent(EventTypes.EVENT_NET_RULE_DELETE, rule.getAccountId(), 0, rule.getId(), null, rule.getClass().getName(), rule.getUuid());
    }
} });
revokeStaticNatRuleInternal(rule.getId(), caller, userId, false);
revokeStaticNatRuleInternal(rule.getId(), caller, userId, false);
/**
 * Moves a rule from {@code Staged} to {@code Add}. The update is keyed on both id and the current
 * {@code Staged} state, so a row that has meanwhile left {@code Staged} is not overwritten.
 *
 * @param rule the rule to promote; its in-memory state is set to {@code Add} regardless of the DB outcome
 * @return {@code true} if the DAO reports at least one updated row
 */
@Override
public boolean setStateToAdd(FirewallRuleVO rule) {
    SearchCriteria<FirewallRuleVO> stillStaged = AllFieldsSearch.create();
    stillStaged.setParameters("id", rule.getId());
    stillStaged.setParameters("state", State.Staged);
    rule.setState(State.Add);
    int updatedRows = update(rule, stillStaged);
    return updatedRows > 0;
}
if (rule.getNetworkId() == nic.getNetworkId()) { result.add(rule); s_logger.debug("Found rule " + rule.getId() + " " + rule.getPurpose() + " configured"); Purpose.StaticNat, null, null, null, null, null); result.add(staticNatRule); s_logger.debug("Found rule " + staticNatRule.getId() + " " + staticNatRule.getPurpose() + " configured"); if (lbRule.getNetworkId() == nic.getNetworkId()) { result.add(lbRule); s_logger.debug("Found rule " + lbRule.getId() + " " + lbRule.getPurpose() + " configured");
/**
 * Builds an immutable view of a static-NAT firewall rule together with the destination IP it maps to.
 *
 * @param rule  the persisted rule to copy identifying and ownership fields from
 * @param dstIp destination (guest) IP address of the static NAT mapping
 */
public StaticNatRuleImpl(FirewallRuleVO rule, String dstIp) {
    this.id = rule.getId();
    this.uuid = rule.getUuid();
    this.xid = rule.getXid();
    this.state = rule.getState();
    this.forDisplay = rule.isDisplay();
    this.protocol = rule.getProtocol();
    // Source port range is boxed on the VO; unboxing throws NullPointerException if either end is unset.
    this.portStart = rule.getSourcePortStart().intValue();
    this.portEnd = rule.getSourcePortEnd().intValue();
    this.accountId = rule.getAccountId();
    this.domainId = rule.getDomainId();
    this.networkId = rule.getNetworkId();
    this.sourceIpAddressId = rule.getSourceIpAddressId();
    this.destIpAddress = dstIp;
}
FirewallRuleVO relatedRule = _firewallDao.findByRelatedId(rule.getId()); if (relatedRule != null) { s_logger.warn("Can't remove the firewall rule id=" + rule.getId() + " as it has related firewall rule id=" + relatedRule.getId() + "; leaving it in Revoke state"); success = false; FirewallRuleVO ruleVO = _firewallDao.findById(rule.getId()); ruleVO.setState(FirewallRule.State.Active); _firewallDao.update(ruleVO.getId(), ruleVO);
// Anonymous transaction callback. The enclosing call and the captured locals (xId, ipAddrId, portStart, portEnd,
// protocol, networkId, accountIdFinal, domainIdFinal, sourceCidrList, destCidrList, icmpCode, icmpType,
// relatedRuleId, trafficType, type, forDisplay) are defined outside this fragment.
@Override public FirewallRuleVO doInTransaction(TransactionStatus status) throws NetworkRuleConflictException {
    // NOTE(review): toLowerCase() without a Locale uses the JVM default locale; harmless for ASCII protocol
    // names unless the JVM runs under a locale with special casing rules (e.g. Turkish) — confirm.
    FirewallRuleVO newRule = new FirewallRuleVO(xId, ipAddrId, portStart, portEnd, protocol.toLowerCase(), networkId, accountIdFinal, domainIdFinal, Purpose.Firewall, sourceCidrList, destCidrList, icmpCode, icmpType, relatedRuleId, trafficType);
    newRule.setType(type);
    if (forDisplay != null) { newRule.setDisplay(forDisplay); }
    newRule = _firewallDao.persist(newRule);
    // Conflict detection only for user-created rules, and after persist; a NetworkRuleConflictException
    // presumably rolls the transaction (and the new row) back — confirm with the transaction wrapper.
    if (type == FirewallRuleType.User) detectRulesConflict(newRule);
    // Promotion Staged -> Add is guarded in the DAO; a zero-row update is treated as a hard failure.
    if (!_firewallDao.setStateToAdd(newRule)) { throw new CloudRuntimeException("Unable to update the state to add for " + newRule); }
    CallContext.current().setEventDetails("Rule Id: " + newRule.getId());
    return newRule;
} });
newRule.getId(), networkId); throw new CloudRuntimeException("Unable to update the state to add for " + newRule); CallContext.current().setEventDetails("Rule Id: " + newRule.getId()); UsageEventUtils.publishUsageEvent(EventTypes.EVENT_NET_RULE_ADD, newRule.getAccountId(), 0, newRule.getId(), null, FirewallRule.class.getName(), newRule.getUuid()); if (newRule != null) { _firewallMgr.revokeRelatedFirewallRule(newRule.getId(), false); _firewallMgr.removeRule(newRule);
// Anonymous transaction callback. `ports`, `rules`, `ip`, `protocol`, `purpose`, `openFirewall` and `caller`
// are captured from the enclosing method, which lies outside this fragment.
@Override public void doInTransactionWithoutResult(TransactionStatus status) throws NetworkRuleConflictException {
    for (int i = 0; i < ports.length; i++) {
        // One rule per port, owned by the IP's network/account/domain. The trailing null arguments are
        // presumably the CIDR/ICMP fields unused for this purpose — confirm against the VO constructor.
        rules[i] = new FirewallRuleVO(null, ip.getId(), ports[i], protocol, ip.getAssociatedWithNetworkId(), ip.getAllocatedToAccountId(), ip.getAllocatedInDomainId(), purpose, null, null, null, null);
        rules[i] = _firewallDao.persist(rules[i]);
        if (openFirewall) {
            // Also creates a companion firewall rule for this single port, related to rules[i] by id;
            // by its name it presumably opens the port to all source CIDRs — confirm the effective scope.
            _firewallMgr.createRuleForAllCidrs(ip.getId(), caller, ports[i], ports[i], protocol, null, null, rules[i].getId(), ip.getAssociatedWithNetworkId());
        }
    }
} });
AllFieldsSearch.and("account", AllFieldsSearch.entity().getAccountId(), Op.EQ); AllFieldsSearch.and("domain", AllFieldsSearch.entity().getDomainId(), Op.EQ); AllFieldsSearch.and("id", AllFieldsSearch.entity().getId(), Op.EQ); AllFieldsSearch.and("networkId", AllFieldsSearch.entity().getNetworkId(), Op.EQ); AllFieldsSearch.and("related", AllFieldsSearch.entity().getRelated(), Op.EQ); RulesByIpCount.select(null, Func.COUNT, RulesByIpCount.entity().getId()); RulesByIpCount.and("ipAddressId", RulesByIpCount.entity().getSourceIpAddressId(), Op.EQ); RulesByIpCount.and("state", RulesByIpCount.entity().getState(), Op.EQ);