@Override
public boolean applyEgressFirewallRules(FirewallRule rule, Account caller)
throws ResourceUnavailableException {
List<FirewallRuleVO> rules =
_firewallDao.listByNetworkPurposeTrafficType(
rule.getNetworkId(), Purpose.Firewall, FirewallRule.TrafficType.Egress);
applyDefaultEgressFirewallRule(rule.getNetworkId(), true);
return applyFirewallRules(rules, false, caller);
}
@Override
public long getEntityOwnerId() {
if (ownerId == null) {
FirewallRule rule = _entityMgr.findById(FirewallRule.class, id);
if (rule == null || rule.getTrafficType() != TrafficType.Egress) {
throw new InvalidParameterValueException("Unable to find egress firewall rule by ID");
} else {
ownerId = _entityMgr.findById(FirewallRule.class, id).getAccountId();
}
}
return ownerId;
}
@Override
public long getEntityOwnerId() {
if (ownerId == null) {
FirewallRule rule = _entityMgr.findById(FirewallRule.class, id);
if (rule == null) {
throw new InvalidParameterValueException("Unable to find static nat rule by id: " + id);
} else {
ownerId = rule.getAccountId();
}
}
return ownerId;
}
@Override
public boolean removeAllLoadBalanacersForIp(long ipId, Account caller, long callerUserId) {
List<FirewallRuleVO> rules =
_firewallDao.listByIpAndPurposeAndNotRevoked(ipId, Purpose.LoadBalancing);
if (rules != null) s_logger.debug("Found " + rules.size() + " lb rules to cleanup");
for (FirewallRule rule : rules) {
boolean result = deleteLoadBalancerRule(rule.getId(), true, caller, callerUserId);
if (result == false) {
s_logger.warn("Unable to remove load balancer rule " + rule.getId());
return false;
}
}
return true;
}
protected DomainRouterVO findElbVmForLb(FirewallRule lb) { // TODO: use a table to lookup
ElasticLbVmMapVO map = _elbVmMapDao.findOneByIp(lb.getSourceIpAddressId());
if (map == null) {
return null;
}
DomainRouterVO elbVm = _routerDao.findById(map.getElbVmId());
return elbVm;
}
@Override
public boolean revokeRelatedFirewallRule(long ruleId, boolean apply) {
FirewallRule fwRule = _firewallDao.findByRelatedId(ruleId);
if (fwRule == null) {
s_logger.trace(
"No related firewall rule exists for rule id=" + ruleId + " so returning true here");
return true;
}
s_logger.debug(
"Revoking Firewall rule id="
+ fwRule.getId()
+ " as a part of rule delete id="
+ ruleId
+ " with apply="
+ apply);
return revokeFirewallRule(fwRule.getId(), apply);
}
@Override
public boolean applyRules(
List<? extends FirewallRule> rules, boolean continueOnError, boolean updateRulesInDB)
throws ResourceUnavailableException {
boolean success = true;
if (rules == null || rules.size() == 0) {
s_logger.debug("There are no rules to forward to the network elements");
return true;
}
Purpose purpose = rules.get(0).getPurpose();
if (!_ipAddrMgr.applyRules(rules, purpose, this, continueOnError)) {
s_logger.warn("Rules are not completely applied");
return false;
} else {
if (updateRulesInDB) {
for (FirewallRule rule : rules) {
if (rule.getState() == FirewallRule.State.Revoke) {
FirewallRuleVO relatedRule = _firewallDao.findByRelatedId(rule.getId());
if (relatedRule != null) {
s_logger.warn(
"Can't remove the firewall rule id="
+ rule.getId()
+ " as it has related firewall rule id="
+ relatedRule.getId()
+ "; leaving it in Revoke state");
success = false;
} else {
removeRule(rule);
if (rule.getSourceIpAddressId() != null) {
// if the rule is the last one for the ip address assigned to VPC, unassign it from
// the network
IpAddress ip = _ipAddressDao.findById(rule.getSourceIpAddressId());
_vpcMgr.unassignIPFromVpcNetwork(ip.getId(), rule.getNetworkId());
}
}
} else if (rule.getState() == FirewallRule.State.Add) {
FirewallRuleVO ruleVO = _firewallDao.findById(rule.getId());
ruleVO.setState(FirewallRule.State.Active);
_firewallDao.update(ruleVO.getId(), ruleVO);
}
}
}
}
return success;
}
@Override
@DB
public void destroyRemoteAccessVpn(long ipId, Account caller)
throws ResourceUnavailableException {
RemoteAccessVpnVO vpn = _remoteAccessVpnDao.findById(ipId);
if (vpn == null) {
s_logger.debug("vpn id=" + ipId + " does not exists ");
return;
}
_accountMgr.checkAccess(caller, null, true, vpn);
Network network = _networkMgr.getNetwork(vpn.getNetworkId());
vpn.setState(RemoteAccessVpn.State.Removed);
_remoteAccessVpnDao.update(vpn.getServerAddressId(), vpn);
boolean success = false;
try {
for (RemoteAccessVPNServiceProvider element : _vpnServiceProviders) {
if (element.stopVpn(network, vpn)) {
success = true;
break;
}
}
} finally {
if (success) {
// Cleanup corresponding ports
List<? extends FirewallRule> vpnFwRules = _rulesDao.listByIpAndPurpose(ipId, Purpose.Vpn);
Transaction txn = Transaction.currentTxn();
boolean applyFirewall = false;
List<FirewallRuleVO> fwRules = new ArrayList<FirewallRuleVO>();
// if related firewall rule is created for the first vpn port, it would be created for the 2
// other ports as well, so need to cleanup the backend
if (_rulesDao.findByRelatedId(vpnFwRules.get(0).getId()) != null) {
applyFirewall = true;
}
if (applyFirewall) {
txn.start();
for (FirewallRule vpnFwRule : vpnFwRules) {
// don't apply on the backend yet; send all 3 rules in a banch
_firewallMgr.revokeRelatedFirewallRule(vpnFwRule.getId(), false);
fwRules.add(_rulesDao.findByRelatedId(vpnFwRule.getId()));
}
s_logger.debug(
"Marked "
+ fwRules.size()
+ " firewall rules as Revoked as a part of disable remote access vpn");
txn.commit();
// now apply vpn rules on the backend
s_logger.debug(
"Reapplying firewall rules for ip id="
+ ipId
+ " as a part of disable remote access vpn");
success = _firewallMgr.applyIngressFirewallRules(ipId, caller);
}
if (success) {
try {
txn.start();
_remoteAccessVpnDao.remove(ipId);
// Stop billing of VPN users when VPN is removed. VPN_User_ADD events will be generated
// when VPN is created again
List<VpnUserVO> vpnUsers = _vpnUsersDao.listByAccount(vpn.getAccountId());
for (VpnUserVO user : vpnUsers) {
// VPN_USER_REMOVE event is already generated for users in Revoke state
if (user.getState() != VpnUser.State.Revoke) {
UsageEventUtils.publishUsageEvent(
EventTypes.EVENT_VPN_USER_REMOVE,
user.getAccountId(),
0,
user.getId(),
user.getUsername(),
user.getClass().getName(),
user.getUuid());
}
}
if (vpnFwRules != null) {
for (FirewallRule vpnFwRule : vpnFwRules) {
_rulesDao.remove(vpnFwRule.getId());
s_logger.debug(
"Successfully removed firewall rule with ip id="
+ vpnFwRule.getSourceIpAddressId()
+ " and port "
+ vpnFwRule.getSourcePortStart()
+ " as a part of vpn cleanup");
}
}
txn.commit();
} catch (Exception ex) {
txn.rollback();
s_logger.warn("Unable to release the three vpn ports from the firewall rules", ex);
}
}
}
}
}
@Override
public boolean applyFWRules(Network network, List<? extends FirewallRule> rules)
throws ResourceUnavailableException {
if (!_networkModel.isProviderSupportServiceInNetwork(
network.getId(), Service.Firewall, Provider.CiscoVnmc)) {
s_logger.error(
"Firewall service is not provided by Cisco Vnmc device on network " + network.getName());
return false;
}
// Find VNMC host for physical network
List<CiscoVnmcControllerVO> devices =
_ciscoVnmcDao.listByPhysicalNetwork(network.getPhysicalNetworkId());
if (devices.isEmpty()) {
s_logger.error("No Cisco Vnmc device on network " + network.getName());
return true;
}
// Find if ASA 1000v is associated with network
NetworkAsa1000vMapVO asaForNetwork = _networkAsa1000vMapDao.findByNetworkId(network.getId());
if (asaForNetwork == null) {
s_logger.debug("Cisco ASA 1000v device is not associated with network " + network.getName());
return true;
}
if (network.getState() == Network.State.Allocated) {
s_logger.debug(
"External firewall was asked to apply firewall rules for network with ID "
+ network.getId()
+ "; this network is not implemented. Skipping backend commands.");
return true;
}
CiscoVnmcControllerVO ciscoVnmcDevice = devices.get(0);
HostVO ciscoVnmcHost = _hostDao.findById(ciscoVnmcDevice.getHostId());
List<FirewallRuleTO> rulesTO = new ArrayList<FirewallRuleTO>();
for (FirewallRule rule : rules) {
String address = "0.0.0.0";
if (rule.getTrafficType() == TrafficType.Ingress) {
IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
address = sourceIp.getAddress().addr();
}
FirewallRuleTO ruleTO =
new FirewallRuleTO(rule, null, address, rule.getPurpose(), rule.getTrafficType());
rulesTO.add(ruleTO);
}
if (!rulesTO.isEmpty()) {
SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
cmd.setContextParam(
NetworkElementCommand.GUEST_VLAN_TAG, network.getBroadcastUri().getHost());
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, network.getCidr());
Answer answer = _agentMgr.easySend(ciscoVnmcHost.getId(), cmd);
if (answer == null || !answer.getResult()) {
String details = (answer != null) ? answer.getDetails() : "details unavailable";
String msg =
"Unable to apply firewall rules to Cisco ASA 1000v appliance due to: " + details + ".";
s_logger.error(msg);
throw new ResourceUnavailableException(msg, DataCenter.class, network.getDataCenterId());
}
}
return true;
}
@Override
public void removeRule(FirewallRule rule) {
// remove the rule
_firewallDao.remove(rule.getId());
}
@Override
public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflictException {
List<FirewallRuleVO> rules;
if (newRule.getSourceIpAddressId() != null) {
rules = _firewallDao.listByIpAndPurposeAndNotRevoked(newRule.getSourceIpAddressId(), null);
assert (rules.size() >= 1)
: "For network rules, we now always first persist the rule and then check for "
+ "network conflicts so we should at least have one rule at this point.";
} else {
// fetches only firewall egress rules.
rules =
_firewallDao.listByNetworkPurposeTrafficTypeAndNotRevoked(
newRule.getNetworkId(), Purpose.Firewall, newRule.getTrafficType());
assert (rules.size() >= 1);
}
for (FirewallRuleVO rule : rules) {
if (rule.getId() == newRule.getId()) {
continue; // Skips my own rule.
}
boolean oneOfRulesIsFirewall =
((rule.getPurpose() == Purpose.Firewall || newRule.getPurpose() == Purpose.Firewall)
&& ((newRule.getPurpose() != rule.getPurpose())
|| (!newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()))));
// if both rules are firewall and their cidrs are different, we can skip port ranges
// verification
boolean bothRulesFirewall =
(rule.getPurpose() == newRule.getPurpose() && rule.getPurpose() == Purpose.Firewall);
boolean duplicatedCidrs = false;
if (bothRulesFirewall) {
// Verify that the rules have different cidrs
_firewallDao.loadSourceCidrs(rule);
_firewallDao.loadSourceCidrs((FirewallRuleVO) newRule);
List<String> ruleCidrList = rule.getSourceCidrList();
List<String> newRuleCidrList = newRule.getSourceCidrList();
if (ruleCidrList == null || newRuleCidrList == null) {
continue;
}
Collection<String> similar = new HashSet<String>(ruleCidrList);
similar.retainAll(newRuleCidrList);
if (similar.size() > 0) {
duplicatedCidrs = true;
}
}
if (!oneOfRulesIsFirewall) {
if (rule.getPurpose() == Purpose.StaticNat && newRule.getPurpose() != Purpose.StaticNat) {
throw new NetworkRuleConflictException(
"There is 1 to 1 Nat rule specified for the ip address id="
+ newRule.getSourceIpAddressId());
} else if (rule.getPurpose() != Purpose.StaticNat
&& newRule.getPurpose() == Purpose.StaticNat) {
throw new NetworkRuleConflictException(
"There is already firewall rule specified for the ip address id="
+ newRule.getSourceIpAddressId());
}
}
if (rule.getNetworkId() != newRule.getNetworkId() && rule.getState() != State.Revoke) {
throw new NetworkRuleConflictException(
"New rule is for a different network than what's specified in rule " + rule.getXid());
}
if (newRule.getProtocol().equalsIgnoreCase(NetUtils.ICMP_PROTO)
&& newRule.getProtocol().equalsIgnoreCase(rule.getProtocol())) {
if (newRule.getIcmpCode().longValue() == rule.getIcmpCode().longValue()
&& newRule.getIcmpType().longValue() == rule.getIcmpType().longValue()
&& newRule.getProtocol().equalsIgnoreCase(rule.getProtocol())
&& duplicatedCidrs) {
throw new InvalidParameterValueException(
"New rule conflicts with existing rule id=" + rule.getId());
}
}
boolean notNullPorts =
(newRule.getSourcePortStart() != null
&& newRule.getSourcePortEnd() != null
&& rule.getSourcePortStart() != null
&& rule.getSourcePortEnd() != null);
if (!notNullPorts) {
continue;
} else if (!oneOfRulesIsFirewall
&& !(bothRulesFirewall && !duplicatedCidrs)
&& ((rule.getSourcePortStart().intValue() <= newRule.getSourcePortStart().intValue()
&& rule.getSourcePortEnd().intValue() >= newRule.getSourcePortStart().intValue())
|| (rule.getSourcePortStart().intValue() <= newRule.getSourcePortEnd().intValue()
&& rule.getSourcePortEnd().intValue() >= newRule.getSourcePortEnd().intValue())
|| (newRule.getSourcePortStart().intValue() <= rule.getSourcePortStart().intValue()
&& newRule.getSourcePortEnd().intValue() >= rule.getSourcePortStart().intValue())
|| (newRule.getSourcePortStart().intValue() <= rule.getSourcePortEnd().intValue()
&& newRule.getSourcePortEnd().intValue()
>= rule.getSourcePortEnd().intValue()))) {
// we allow port forwarding rules with the same parameters but different protocols
boolean allowPf =
(rule.getPurpose() == Purpose.PortForwarding
&& newRule.getPurpose() == Purpose.PortForwarding
&& !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));
boolean allowStaticNat =
(rule.getPurpose() == Purpose.StaticNat
&& newRule.getPurpose() == Purpose.StaticNat
&& !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));
if (!(allowPf || allowStaticNat || oneOfRulesIsFirewall)) {
throw new NetworkRuleConflictException(
"The range specified, "
+ newRule.getSourcePortStart()
+ "-"
+ newRule.getSourcePortEnd()
+ ", conflicts with rule "
+ rule.getId()
+ " which has "
+ rule.getSourcePortStart()
+ "-"
+ rule.getSourcePortEnd());
}
}
}
if (s_logger.isDebugEnabled()) {
s_logger.debug(
"No network rule conflicts detected for "
+ newRule
+ " against "
+ (rules.size() - 1)
+ " existing rules");
}
}
@Override
@ActionEvent(
eventType = EventTypes.EVENT_FIREWALL_OPEN,
eventDescription = "creating firewall rule",
create = true)
public FirewallRule createIngressFirewallRule(FirewallRule rule)
throws NetworkRuleConflictException {
Account caller = CallContext.current().getCallingAccount();
Long sourceIpAddressId = rule.getSourceIpAddressId();
return createFirewallRule(
sourceIpAddressId,
caller,
rule.getXid(),
rule.getSourcePortStart(),
rule.getSourcePortEnd(),
rule.getProtocol(),
rule.getSourceCidrList(),
rule.getIcmpCode(),
rule.getIcmpType(),
null,
rule.getType(),
rule.getNetworkId(),
rule.getTrafficType());
}
@Override
@ActionEvent(
eventType = EventTypes.EVENT_FIREWALL_OPEN,
eventDescription = "creating firewall rule",
create = true)
public FirewallRule createEgressFirewallRule(FirewallRule rule)
throws NetworkRuleConflictException {
Account caller = CallContext.current().getCallingAccount();
Network network = _networkDao.findById(rule.getNetworkId());
if (network.getGuestType() == Network.GuestType.Shared) {
throw new InvalidParameterValueException(
"Egress firewall rules are not supported for " + network.getGuestType() + " networks");
}
return createFirewallRule(
null,
caller,
rule.getXid(),
rule.getSourcePortStart(),
rule.getSourcePortEnd(),
rule.getProtocol(),
rule.getSourceCidrList(),
rule.getIcmpCode(),
rule.getIcmpType(),
null,
rule.getType(),
rule.getNetworkId(),
rule.getTrafficType());
}
