@DB private void revokeRule(NetworkACLItemVO rule) { if (rule.getState() == State.Staged) { if (s_logger.isDebugEnabled()) { s_logger.debug("Found a rule that is still in stage state so just removing it: " + rule); } _networkACLItemDao.remove(rule.getId()); } else if (rule.getState() == State.Add || rule.getState() == State.Active) { rule.setState(State.Revoke); _networkACLItemDao.update(rule.getId(), rule); } }
@Override @DB @ActionEvent( eventType = EventTypes.EVENT_NETWORK_ACL_ITEM_CREATE, eventDescription = "creating network ACL Item", create = true) public NetworkACLItem createNetworkACLItem( Integer portStart, Integer portEnd, String protocol, List<String> sourceCidrList, Integer icmpCode, Integer icmpType, NetworkACLItem.TrafficType trafficType, Long aclId, String action, Integer number) { NetworkACLItem.Action ruleAction = NetworkACLItem.Action.Allow; if ("deny".equalsIgnoreCase(action)) { ruleAction = NetworkACLItem.Action.Deny; } // If number is null, set it to currentMax + 1 (for backward compatibility) if (number == null) { number = _networkACLItemDao.getMaxNumberByACL(aclId) + 1; } Transaction txn = Transaction.currentTxn(); txn.start(); NetworkACLItemVO newRule = new NetworkACLItemVO( portStart, portEnd, protocol.toLowerCase(), aclId, sourceCidrList, icmpCode, icmpType, trafficType, ruleAction, number); newRule = _networkACLItemDao.persist(newRule); if (!_networkACLItemDao.setStateToAdd(newRule)) { throw new CloudRuntimeException("Unable to update the state to add for " + newRule); } CallContext.current().setEventDetails("ACL Item Id: " + newRule.getId()); txn.commit(); return getNetworkACLItem(newRule.getId()); }
@Override public boolean applyACLToPrivateGw(PrivateGateway gateway) throws ResourceUnavailableException { VpcGatewayVO vpcGatewayVO = _vpcGatewayDao.findById(gateway.getId()); List<? extends NetworkACLItem> rules = _networkACLItemDao.listByACL(vpcGatewayVO.getNetworkACLId()); return applyACLToPrivateGw(gateway, rules); }
@Override public boolean deleteNetworkACL(NetworkACL acl) { List<NetworkACLItemVO> aclItems = _networkACLItemDao.listByACL(acl.getId()); if (aclItems.size() > 0) { throw new CloudRuntimeException( "ACL is not empty. Cannot delete network ACL: " + acl.getUuid()); } List<NetworkVO> networks = _networkDao.listByAclId(acl.getId()); if (networks != null && networks.size() > 0) { throw new CloudRuntimeException( "ACL is still associated with " + networks.size() + " tier(s). Cannot delete network ACL: " + acl.getUuid()); } List<VpcGatewayVO> pvtGateways = _vpcGatewayDao.listByAclIdAndType(acl.getId(), VpcGateway.Type.Private); if (pvtGateways != null && pvtGateways.size() > 0) { throw new CloudRuntimeException( "ACL is still associated with " + pvtGateways.size() + " private gateway(s). Cannot delete network ACL: " + acl.getUuid()); } return _networkACLDao.remove(acl.getId()); }
@Override public List<NetworkACLItemVO> listNetworkACLItems(long guestNtwkId) { Network network = _networkMgr.getNetwork(guestNtwkId); if (network.getNetworkACLId() == null) { return null; } return _networkACLItemDao.listByACL(network.getNetworkACLId()); }
@Override public boolean applyACLToNetwork(long networkId) throws ResourceUnavailableException { Network network = _networkDao.findById(networkId); if (network.getNetworkACLId() == null) { return true; } List<NetworkACLItemVO> rules = _networkACLItemDao.listByACL(network.getNetworkACLId()); return applyACLItemsToNetwork(networkId, rules); }
@Override public boolean applyNetworkACL(long aclId) throws ResourceUnavailableException { boolean handled = true; boolean aclApplyStatus = true; List<NetworkACLItemVO> rules = _networkACLItemDao.listByACL(aclId); // Find all networks using this ACL and apply the ACL List<NetworkVO> networks = _networkDao.listByAclId(aclId); for (NetworkVO network : networks) { if (!applyACLItemsToNetwork(network.getId(), rules)) { handled = false; break; } } List<VpcGatewayVO> vpcGateways = _vpcGatewayDao.listByAclIdAndType(aclId, VpcGateway.Type.Private); for (VpcGatewayVO vpcGateway : vpcGateways) { PrivateGateway privateGateway = _vpcMgr.getVpcPrivateGateway(vpcGateway.getId()); if (!applyACLToPrivateGw(privateGateway)) { aclApplyStatus = false; s_logger.debug( "failed to apply network acl item on private gateway " + privateGateway.getId() + "acl id " + aclId); break; } } if (handled && aclApplyStatus) { for (NetworkACLItem rule : rules) { if (rule.getState() == NetworkACLItem.State.Revoke) { removeRule(rule); } else if (rule.getState() == NetworkACLItem.State.Add) { NetworkACLItemVO ruleVO = _networkACLItemDao.findById(rule.getId()); ruleVO.setState(NetworkACLItem.State.Active); _networkACLItemDao.update(ruleVO.getId(), ruleVO); } } } return handled && aclApplyStatus; }
@Override public boolean replaceNetworkACL(NetworkACL acl, NetworkVO network) throws ResourceUnavailableException { NetworkOffering guestNtwkOff = _entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId()); if (guestNtwkOff == null) { throw new InvalidParameterValueException( "Can't find network offering associated with network: " + network.getUuid()); } // verify that ACLProvider is supported by network offering if (!_ntwkModel.areServicesSupportedByNetworkOffering( guestNtwkOff.getId(), Service.NetworkACL)) { throw new InvalidParameterValueException( "Cannot apply NetworkACL. Network Offering does not support NetworkACL service"); } if (network.getNetworkACLId() != null) { // Revoke ACL Items of the existing ACL if the new ACL is empty // Existing rules won't be removed otherwise List<NetworkACLItemVO> aclItems = _networkACLItemDao.listByACL(acl.getId()); if (aclItems == null || aclItems.isEmpty()) { s_logger.debug("New network ACL is empty. Revoke existing rules before applying ACL"); if (!revokeACLItemsForNetwork(network.getId())) { throw new CloudRuntimeException( "Failed to replace network ACL. Error while removing existing ACL items for network: " + network.getId()); } } } network.setNetworkACLId(acl.getId()); // Update Network ACL if (_networkDao.update(network.getId(), network)) { s_logger.debug( "Updated network: " + network.getId() + " with Network ACL Id: " + acl.getId() + ", Applying ACL items"); // Apply ACL to network return applyACLToNetwork(network.getId()); } return false; }
@Override @ActionEvent( eventType = EventTypes.EVENT_NETWORK_ACL_DELETE, eventDescription = "revoking network acl", async = true) public boolean revokeNetworkACLItem(long ruleId) { NetworkACLItemVO rule = _networkACLItemDao.findById(ruleId); revokeRule(rule); boolean success = false; try { applyNetworkACL(rule.getAclId()); success = true; } catch (ResourceUnavailableException e) { return false; } return success; }
@Override public boolean replaceNetworkACLForPrivateGw(NetworkACL acl, PrivateGateway gateway) throws ResourceUnavailableException { VpcGatewayVO vpcGatewayVo = _vpcGatewayDao.findById(gateway.getId()); List<NetworkACLItemVO> aclItems = _networkACLItemDao.listByACL(acl.getId()); if (aclItems == null || aclItems.isEmpty()) { // Revoke ACL Items of the existing ACL if the new network acl is empty // Other wise existing rules will not be removed on the router elelment s_logger.debug("New network ACL is empty. Revoke existing rules before applying ACL"); if (!revokeACLItemsForPrivateGw(gateway)) { throw new CloudRuntimeException( "Failed to replace network ACL. Error while removing existing ACL " + "items for privatewa gateway: " + gateway.getId()); } } vpcGatewayVo.setNetworkACLId(acl.getId()); if (_vpcGatewayDao.update(vpcGatewayVo.getId(), vpcGatewayVo)) { return applyACLToPrivateGw(gateway); } return false; }
@Override public boolean revokeACLItemsForPrivateGw(PrivateGateway gateway) throws ResourceUnavailableException { List<NetworkACLItemVO> aclItems = _networkACLItemDao.listByACL(gateway.getNetworkACLId()); if (aclItems.isEmpty()) { s_logger.debug("Found no network ACL Items for private gateway id=" + gateway.getId()); return true; } if (s_logger.isDebugEnabled()) { s_logger.debug( "Releasing " + aclItems.size() + " Network ACL Items for private gateway id=" + gateway.getId()); } for (NetworkACLItemVO aclItem : aclItems) { // Mark all Network ACLs rules as Revoke, but don't update in DB if (aclItem.getState() == State.Add || aclItem.getState() == State.Active) { aclItem.setState(State.Revoke); } } boolean success = applyACLToPrivateGw(gateway, aclItems); if (s_logger.isDebugEnabled() && success) { s_logger.debug( "Successfully released Network ACLs for private gateway id=" + gateway.getId() + " and # of rules now = " + aclItems.size()); } return success; }
@Override public boolean revokeACLItemsForNetwork(long networkId) throws ResourceUnavailableException { Network network = _networkDao.findById(networkId); if (network.getNetworkACLId() == null) { return true; } List<NetworkACLItemVO> aclItems = _networkACLItemDao.listByACL(network.getNetworkACLId()); if (aclItems.isEmpty()) { s_logger.debug("Found no network ACL Items for network id=" + networkId); return true; } if (s_logger.isDebugEnabled()) { s_logger.debug( "Releasing " + aclItems.size() + " Network ACL Items for network id=" + networkId); } for (NetworkACLItemVO aclItem : aclItems) { // Mark all Network ACLs rules as Revoke, but don't update in DB if (aclItem.getState() == State.Add || aclItem.getState() == State.Active) { aclItem.setState(State.Revoke); } } boolean success = applyACLItemsToNetwork(network.getId(), aclItems); if (s_logger.isDebugEnabled() && success) { s_logger.debug( "Successfully released Network ACLs for network id=" + networkId + " and # of rules now = " + aclItems.size()); } return success; }
@Override public NetworkACLItem updateNetworkACLItem( Long id, String protocol, List<String> sourceCidrList, NetworkACLItem.TrafficType trafficType, String action, Integer number, Integer sourcePortStart, Integer sourcePortEnd, Integer icmpCode, Integer icmpType) throws ResourceUnavailableException { NetworkACLItemVO aclItem = _networkACLItemDao.findById(id); aclItem.setState(State.Add); if (protocol != null) { aclItem.setProtocol(protocol); } if (sourceCidrList != null) { aclItem.setSourceCidrList(sourceCidrList); } if (trafficType != null) { aclItem.setTrafficType(trafficType); } if (action != null) { NetworkACLItem.Action ruleAction = NetworkACLItem.Action.Allow; if ("deny".equalsIgnoreCase(action)) { ruleAction = NetworkACLItem.Action.Deny; } aclItem.setAction(ruleAction); } if (number != null) { aclItem.setNumber(number); } if (sourcePortStart != null) { aclItem.setSourcePortStart(sourcePortStart); } if (sourcePortEnd != null) { aclItem.setSourcePortEnd(sourcePortEnd); } if (icmpCode != null) { aclItem.setIcmpCode(icmpCode); } if (icmpType != null) { aclItem.setIcmpType(icmpType); } if (_networkACLItemDao.update(id, aclItem)) { if (applyNetworkACL(aclItem.getAclId())) { return aclItem; } else { throw new CloudRuntimeException("Failed to apply Network ACL Item: " + aclItem.getUuid()); } } return null; }
private void removeRule(NetworkACLItem rule) { // remove the rule _networkACLItemDao.remove(rule.getId()); }
@Override public NetworkACLItem getNetworkACLItem(long ruleId) { return _networkACLItemDao.findById(ruleId); }