private Answer execute(SetFirewallRulesCommand cmd) {
String[] results = new String[cmd.getRules().length];
for (int i = 0; i < cmd.getRules().length; i++) {
results[i] = "Failed";
}
String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
if (routerIp == null) {
return new SetFirewallRulesAnswer(cmd, false, results);
}
String[][] rules = cmd.generateFwRules();
final Script command = new Script(_firewallPath, _timeout, s_logger);
command.add(routerIp);
command.add("-F");
StringBuilder sb = new StringBuilder();
String[] fwRules = rules[0];
if (fwRules.length > 0) {
for (int i = 0; i < fwRules.length; i++) {
sb.append(fwRules[i]).append(',');
}
command.add("-a", sb.toString());
}
String result = command.execute();
if (result != null) {
return new SetFirewallRulesAnswer(cmd, false, results);
}
return new SetFirewallRulesAnswer(cmd, true, null);
}
public SetFirewallRulesAnswer(SetFirewallRulesCommand cmd, String[] results) {
super(cmd, true, null);
assert (cmd.getRules().length == results.length)
: "rules and their results should be the same length don't you think?";
this.results = results;
}
@Override
public boolean applyFWRules(Network network, List<? extends FirewallRule> rules)
throws ResourceUnavailableException {
if (!_networkModel.isProviderSupportServiceInNetwork(
network.getId(), Service.Firewall, Provider.CiscoVnmc)) {
s_logger.error(
"Firewall service is not provided by Cisco Vnmc device on network " + network.getName());
return false;
}
// Find VNMC host for physical network
List<CiscoVnmcControllerVO> devices =
_ciscoVnmcDao.listByPhysicalNetwork(network.getPhysicalNetworkId());
if (devices.isEmpty()) {
s_logger.error("No Cisco Vnmc device on network " + network.getName());
return true;
}
// Find if ASA 1000v is associated with network
NetworkAsa1000vMapVO asaForNetwork = _networkAsa1000vMapDao.findByNetworkId(network.getId());
if (asaForNetwork == null) {
s_logger.debug("Cisco ASA 1000v device is not associated with network " + network.getName());
return true;
}
if (network.getState() == Network.State.Allocated) {
s_logger.debug(
"External firewall was asked to apply firewall rules for network with ID "
+ network.getId()
+ "; this network is not implemented. Skipping backend commands.");
return true;
}
CiscoVnmcControllerVO ciscoVnmcDevice = devices.get(0);
HostVO ciscoVnmcHost = _hostDao.findById(ciscoVnmcDevice.getHostId());
List<FirewallRuleTO> rulesTO = new ArrayList<FirewallRuleTO>();
for (FirewallRule rule : rules) {
String address = "0.0.0.0";
if (rule.getTrafficType() == TrafficType.Ingress) {
IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
address = sourceIp.getAddress().addr();
}
FirewallRuleTO ruleTO =
new FirewallRuleTO(rule, null, address, rule.getPurpose(), rule.getTrafficType());
rulesTO.add(ruleTO);
}
if (!rulesTO.isEmpty()) {
SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
cmd.setContextParam(
NetworkElementCommand.GUEST_VLAN_TAG, network.getBroadcastUri().getHost());
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, network.getCidr());
Answer answer = _agentMgr.easySend(ciscoVnmcHost.getId(), cmd);
if (answer == null || !answer.getResult()) {
String details = (answer != null) ? answer.getDetails() : "details unavailable";
String msg =
"Unable to apply firewall rules to Cisco ASA 1000v appliance due to: " + details + ".";
s_logger.error(msg);
throw new ResourceUnavailableException(msg, DataCenter.class, network.getDataCenterId());
}
}
return true;
}
