 /**
  * Pushes the full set of egress firewall rules of the network that owns {@code rule} to the
  * network elements, after (re)applying that network's default egress handling.
  *
  * @param rule the egress rule whose network is to be (re)applied
  * @param caller the account on whose behalf the rules are applied
  * @return the result of {@code applyFirewallRules} for the egress rule set
  * @throws ResourceUnavailableException if the backend cannot be reached
  */
 @Override
 public boolean applyEgressFirewallRules(FirewallRule rule, Account caller)
     throws ResourceUnavailableException {
   long networkId = rule.getNetworkId();
   List<FirewallRuleVO> egressRules =
       _firewallDao.listByNetworkPurposeTrafficType(
           networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
   // the default egress rule is handled before the user-defined set is sent
   applyDefaultEgressFirewallRule(networkId, true);
   return applyFirewallRules(egressRules, false, caller);
 }
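 /**
  * Resolves the account that owns the egress firewall rule identified by {@code id}, caching the
  * result in {@code ownerId}.
  *
  * @return the owning account id
  * @throws InvalidParameterValueException if no rule with {@code id} exists or the rule is not an
  *     egress rule
  */
 @Override
 public long getEntityOwnerId() {
   if (ownerId == null) {
     FirewallRule rule = _entityMgr.findById(FirewallRule.class, id);
     if (rule == null || rule.getTrafficType() != TrafficType.Egress) {
       throw new InvalidParameterValueException("Unable to find egress firewall rule by ID");
     }
     // reuse the entity already loaded: the original issued a second findById here, which
     // could return null (rule removed in between) and then throw NullPointerException
     ownerId = rule.getAccountId();
   }
   return ownerId;
 }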
 /**
  * Returns the account that owns the static NAT rule {@code id}, looking the rule up once and
  * caching the answer in {@code ownerId}.
  *
  * @return the owning account id
  * @throws InvalidParameterValueException if no firewall rule with {@code id} exists
  */
 @Override
 public long getEntityOwnerId() {
   if (ownerId != null) {
     return ownerId;
   }
   FirewallRule natRule = _entityMgr.findById(FirewallRule.class, id);
   if (natRule == null) {
     throw new InvalidParameterValueException("Unable to find static nat rule by id: " + id);
   }
   ownerId = natRule.getAccountId();
   return ownerId;
 }
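 /**
  * Deletes every non-revoked load balancer rule attached to the public IP {@code ipId}.
  *
  * @param ipId id of the public IP address whose LB rules are removed
  * @param caller the account performing the cleanup
  * @param callerUserId user id of the caller, passed through to the per-rule delete
  * @return {@code true} if every rule was removed (or there were none); {@code false} at the first
  *     rule that could not be removed, leaving the remaining rules untouched
  */
 @Override
 public boolean removeAllLoadBalanacersForIp(long ipId, Account caller, long callerUserId) {
   List<FirewallRuleVO> rules =
       _firewallDao.listByIpAndPurposeAndNotRevoked(ipId, Purpose.LoadBalancing);
   // the original only guarded the log line, so a null list reached the for-each and threw NPE
   if (rules == null) {
     return true;
   }
   s_logger.debug("Found " + rules.size() + " lb rules to cleanup");
   for (FirewallRule rule : rules) {
     if (!deleteLoadBalancerRule(rule.getId(), true, caller, callerUserId)) {
       s_logger.warn("Unable to remove load balancer rule " + rule.getId());
       return false;
     }
   }
   return true;
 }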
 /**
  * Looks up the elastic LB virtual router mapped to the source IP of {@code lb}.
  *
  * @param lb the load balancer rule whose source IP address identifies the ELB VM
  * @return the router, or {@code null} if no ELB VM is mapped to that IP
  */
 protected DomainRouterVO findElbVmForLb(FirewallRule lb) { // TODO: use a table to lookup
   ElasticLbVmMapVO mapping = _elbVmMapDao.findOneByIp(lb.getSourceIpAddressId());
   return mapping != null ? _routerDao.findById(mapping.getElbVmId()) : null;
 }
  /**
   * Revokes the firewall rule that was created as a companion of rule {@code ruleId}, if any.
   *
   * @param ruleId id of the rule being deleted
   * @param apply passed through to {@code revokeFirewallRule}
   * @return {@code true} if no related rule exists, otherwise the result of revoking it
   */
  @Override
  public boolean revokeRelatedFirewallRule(long ruleId, boolean apply) {
    FirewallRule related = _firewallDao.findByRelatedId(ruleId);
    if (related != null) {
      s_logger.debug(
          "Revoking Firewall rule id="
              + related.getId()
              + " as a part of rule delete id="
              + ruleId
              + " with apply="
              + apply);
      return revokeFirewallRule(related.getId(), apply);
    }
    // nothing to revoke: a missing companion rule is not an error
    s_logger.trace(
        "No related firewall rule exists for rule id=" + ruleId + " so returning true here");
    return true;
  }
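  /**
   * Sends {@code rules} to the network elements and, when {@code updateRulesInDB} is set, moves
   * each rule to its final persisted state: rules in {@code Revoke} state are deleted (unless a
   * related rule still references them) and rules in {@code Add} state become {@code Active}.
   *
   * @param rules rules to apply; the purpose of the first one is used for the whole batch
   * @param continueOnError passed through to the IP address manager
   * @param updateRulesInDB whether to persist the state transitions after a successful apply
   * @return {@code true} if the backend accepted the rules and every revoked rule could be removed
   *     and every added rule could be activated; {@code false} otherwise
   * @throws ResourceUnavailableException if the backend cannot be reached
   */
  @Override
  public boolean applyRules(
      List<? extends FirewallRule> rules, boolean continueOnError, boolean updateRulesInDB)
      throws ResourceUnavailableException {
    if (rules == null || rules.isEmpty()) {
      s_logger.debug("There are no rules to forward to the network elements");
      return true;
    }
    Purpose purpose = rules.get(0).getPurpose();
    if (!_ipAddrMgr.applyRules(rules, purpose, this, continueOnError)) {
      s_logger.warn("Rules are not completely applied");
      return false;
    }
    if (!updateRulesInDB) {
      return true;
    }

    boolean success = true;
    for (FirewallRule rule : rules) {
      if (rule.getState() == FirewallRule.State.Revoke) {
        FirewallRuleVO relatedRule = _firewallDao.findByRelatedId(rule.getId());
        if (relatedRule != null) {
          s_logger.warn(
              "Can't remove the firewall rule id="
                  + rule.getId()
                  + " as it has related firewall rule id="
                  + relatedRule.getId()
                  + "; leaving it in Revoke state");
          success = false;
          continue;
        }
        removeRule(rule);
        if (rule.getSourceIpAddressId() != null) {
          // if the rule is the last one for the ip address assigned to VPC, unassign it from
          // the network
          IpAddress ip = _ipAddressDao.findById(rule.getSourceIpAddressId());
          if (ip == null) {
            // the public IP may already be gone; the original dereferenced it unconditionally
            s_logger.warn(
                "Ip address id="
                    + rule.getSourceIpAddressId()
                    + " not found while removing firewall rule id="
                    + rule.getId());
          } else {
            _vpcMgr.unassignIPFromVpcNetwork(ip.getId(), rule.getNetworkId());
          }
        }
      } else if (rule.getState() == FirewallRule.State.Add) {
        FirewallRuleVO ruleVO = _firewallDao.findById(rule.getId());
        if (ruleVO == null) {
          // the rule was removed between apply and update; report it instead of throwing NPE
          s_logger.warn(
              "Firewall rule id=" + rule.getId() + " not found; unable to mark it as Active");
          success = false;
          continue;
        }
        ruleVO.setState(FirewallRule.State.Active);
        _firewallDao.update(ruleVO.getId(), ruleVO);
      }
    }

    return success;
  }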
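  /**
   * Tears down the remote access VPN bound to public IP {@code ipId}: checks the caller's access,
   * marks the VPN {@code Removed}, stops it on the first provider that accepts the request and, on
   * success, revokes and removes the VPN port firewall rules and publishes VPN_USER_REMOVE usage
   * events for the account's VPN users.
   *
   * @param ipId public IP id the VPN is bound to; it is also the id the VPN record is looked up by
   * @param caller account requesting the teardown; access is checked before any state change
   * @throws ResourceUnavailableException propagated from the providers or the firewall manager
   */
  @Override
  @DB
  public void destroyRemoteAccessVpn(long ipId, Account caller)
      throws ResourceUnavailableException {
    RemoteAccessVpnVO vpn = _remoteAccessVpnDao.findById(ipId);
    if (vpn == null) {
      s_logger.debug("vpn id=" + ipId + " does not exists ");
      return;
    }

    // authorization comes first: nothing below runs for a caller that may not touch this VPN
    _accountMgr.checkAccess(caller, null, true, vpn);

    Network network = _networkMgr.getNetwork(vpn.getNetworkId());

    vpn.setState(RemoteAccessVpn.State.Removed);
    // NOTE(review): loaded by ipId but updated by getServerAddressId() — confirm both are the
    // same key
    _remoteAccessVpnDao.update(vpn.getServerAddressId(), vpn);

    boolean success = false;
    try {
      // the first provider that reports the VPN stopped ends the search
      for (RemoteAccessVPNServiceProvider element : _vpnServiceProviders) {
        if (element.stopVpn(network, vpn)) {
          success = true;
          break;
        }
      }
    } finally {
      if (success) {
        // Cleanup corresponding ports
        List<? extends FirewallRule> vpnFwRules = _rulesDao.listByIpAndPurpose(ipId, Purpose.Vpn);
        Transaction txn = Transaction.currentTxn();

        List<FirewallRuleVO> fwRules = new ArrayList<FirewallRuleVO>();
        // if related firewall rule is created for the first vpn port, it would be created for the 2
        // other ports as well, so need to cleanup the backend.
        // The list is guarded here: the original called get(0) unconditionally and threw on an
        // empty (or null) result.
        boolean applyFirewall =
            vpnFwRules != null
                && !vpnFwRules.isEmpty()
                && _rulesDao.findByRelatedId(vpnFwRules.get(0).getId()) != null;

        if (applyFirewall) {
          txn.start();

          for (FirewallRule vpnFwRule : vpnFwRules) {
            // don't apply on the backend yet; send all 3 rules in a banch
            _firewallMgr.revokeRelatedFirewallRule(vpnFwRule.getId(), false);
            fwRules.add(_rulesDao.findByRelatedId(vpnFwRule.getId()));
          }

          s_logger.debug(
              "Marked "
                  + fwRules.size()
                  + " firewall rules as Revoked as a part of disable remote access vpn");

          txn.commit();

          // now apply vpn rules on the backend
          s_logger.debug(
              "Reapplying firewall rules for ip id="
                  + ipId
                  + " as a part of disable remote access vpn");
          success = _firewallMgr.applyIngressFirewallRules(ipId, caller);
        }

        if (success) {
          try {
            txn.start();
            _remoteAccessVpnDao.remove(ipId);
            // Stop billing of VPN users when VPN is removed. VPN_User_ADD events will be generated
            // when VPN is created again
            List<VpnUserVO> vpnUsers = _vpnUsersDao.listByAccount(vpn.getAccountId());
            for (VpnUserVO user : vpnUsers) {
              // VPN_USER_REMOVE event is already generated for users in Revoke state
              if (user.getState() != VpnUser.State.Revoke) {
                UsageEventUtils.publishUsageEvent(
                    EventTypes.EVENT_VPN_USER_REMOVE,
                    user.getAccountId(),
                    0,
                    user.getId(),
                    user.getUsername(),
                    user.getClass().getName(),
                    user.getUuid());
              }
            }
            if (vpnFwRules != null) {
              for (FirewallRule vpnFwRule : vpnFwRules) {
                _rulesDao.remove(vpnFwRule.getId());
                s_logger.debug(
                    "Successfully removed firewall rule with ip id="
                        + vpnFwRule.getSourceIpAddressId()
                        + " and port "
                        + vpnFwRule.getSourcePortStart()
                        + " as a part of vpn cleanup");
              }
            }
            txn.commit();
          } catch (Exception ex) {
            txn.rollback();
            s_logger.warn("Unable to release the three vpn ports from the firewall rules", ex);
          }
        }
      }
    }
  }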
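  /**
   * Applies {@code rules} to the Cisco ASA 1000v associated with {@code network} through the VNMC
   * controller of the network's physical network.
   *
   * @param network the guest network the rules belong to
   * @param rules the firewall rules to push; ingress rules are sent with their public IP, other
   *     rules with {@code 0.0.0.0}
   * @return {@code false} if the firewall service is not provided by Cisco VNMC on this network or
   *     required backend records are missing; {@code true} if nothing needed to be done or the
   *     appliance accepted the rules
   * @throws ResourceUnavailableException if the appliance rejects the rules or does not answer
   */
  @Override
  public boolean applyFWRules(Network network, List<? extends FirewallRule> rules)
      throws ResourceUnavailableException {

    if (!_networkModel.isProviderSupportServiceInNetwork(
        network.getId(), Service.Firewall, Provider.CiscoVnmc)) {
      s_logger.error(
          "Firewall service is not provided by Cisco Vnmc device on network " + network.getName());
      return false;
    }

    // Find VNMC host for physical network
    List<CiscoVnmcControllerVO> devices =
        _ciscoVnmcDao.listByPhysicalNetwork(network.getPhysicalNetworkId());
    if (devices.isEmpty()) {
      s_logger.error("No Cisco Vnmc device on network " + network.getName());
      return true;
    }

    // Find if ASA 1000v is associated with network
    NetworkAsa1000vMapVO asaForNetwork = _networkAsa1000vMapDao.findByNetworkId(network.getId());
    if (asaForNetwork == null) {
      s_logger.debug("Cisco ASA 1000v device is not associated with network " + network.getName());
      return true;
    }

    if (network.getState() == Network.State.Allocated) {
      s_logger.debug(
          "External firewall was asked to apply firewall rules for network with ID "
              + network.getId()
              + "; this network is not implemented. Skipping backend commands.");
      return true;
    }

    CiscoVnmcControllerVO ciscoVnmcDevice = devices.get(0);
    HostVO ciscoVnmcHost = _hostDao.findById(ciscoVnmcDevice.getHostId());
    if (ciscoVnmcHost == null) {
      // a controller row without its host record: fail closed instead of NPE at send time
      s_logger.error(
          "Host id="
              + ciscoVnmcDevice.getHostId()
              + " of the Cisco Vnmc device was not found for network "
              + network.getName());
      return false;
    }

    List<FirewallRuleTO> rulesTO = new ArrayList<FirewallRuleTO>();
    if (rules != null) {
      for (FirewallRule rule : rules) {
        String address = "0.0.0.0";
        if (rule.getTrafficType() == TrafficType.Ingress) {
          IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
          if (sourceIp == null) {
            // silently dropping a rule would leave the appliance out of sync with the DB, so
            // report the failure rather than apply a partial set
            s_logger.error(
                "Unable to find source ip id="
                    + rule.getSourceIpAddressId()
                    + " of firewall rule id="
                    + rule.getId()
                    + " on network "
                    + network.getName());
            return false;
          }
          address = sourceIp.getAddress().addr();
        }
        FirewallRuleTO ruleTO =
            new FirewallRuleTO(rule, null, address, rule.getPurpose(), rule.getTrafficType());
        rulesTO.add(ruleTO);
      }
    }

    if (!rulesTO.isEmpty()) {
      SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
      cmd.setContextParam(
          NetworkElementCommand.GUEST_VLAN_TAG, network.getBroadcastUri().getHost());
      cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, network.getCidr());
      Answer answer = _agentMgr.easySend(ciscoVnmcHost.getId(), cmd);
      if (answer == null || !answer.getResult()) {
        String details = (answer != null) ? answer.getDetails() : "details unavailable";
        String msg =
            "Unable to apply firewall rules to Cisco ASA 1000v appliance due to: " + details + ".";
        s_logger.error(msg);
        throw new ResourceUnavailableException(msg, DataCenter.class, network.getDataCenterId());
      }
    }

    return true;
  }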
  /**
   * Deletes {@code rule} from the firewall rule table; nothing is sent to the backend here.
   *
   * @param rule the rule to remove from the database
   */
  @Override
  public void removeRule(FirewallRule rule) {
    long ruleId = rule.getId();
    _firewallDao.remove(ruleId);
  }
  /**
   * Checks {@code newRule}, which must already be persisted, against the other non-revoked rules
   * of the same public IP (or, for rules without a source IP, the same network, purpose and
   * traffic type) and throws if the two cannot coexist.
   *
   * <p>Conflicts raised: a static NAT rule next to a non static NAT rule on the same IP, a rule
   * from a different network, an ICMP rule with identical code/type and overlapping CIDRs, and
   * overlapping port ranges unless both rules are port forwarding (or both static NAT) with
   * different protocols, or one of them is a firewall rule.
   *
   * @param newRule the freshly persisted rule to validate
   * @throws NetworkRuleConflictException if the rule conflicts with an existing rule
   * @throws InvalidParameterValueException if an ICMP rule duplicates an existing one
   */
  @Override
  public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflictException {
    List<FirewallRuleVO> rules;
    if (newRule.getSourceIpAddressId() != null) {
      rules = _firewallDao.listByIpAndPurposeAndNotRevoked(newRule.getSourceIpAddressId(), null);
      assert (rules.size() >= 1)
          : "For network rules, we now always first persist the rule and then check for "
              + "network conflicts so we should at least have one rule at this point.";
    } else {
      // fetches only firewall egress rules.
      rules =
          _firewallDao.listByNetworkPurposeTrafficTypeAndNotRevoked(
              newRule.getNetworkId(), Purpose.Firewall, newRule.getTrafficType());
      assert (rules.size() >= 1);
    }

    for (FirewallRuleVO rule : rules) {
      if (rule.getId() == newRule.getId()) {
        continue; // Skips my own rule.
      }

      // true when at least one side is a firewall rule and the two differ in purpose or protocol;
      // such pairs are exempt from the static NAT and port range checks below
      boolean oneOfRulesIsFirewall =
          ((rule.getPurpose() == Purpose.Firewall || newRule.getPurpose() == Purpose.Firewall)
              && ((newRule.getPurpose() != rule.getPurpose())
                  || (!newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()))));

      // if both rules are firewall and their cidrs are different, we can skip port ranges
      // verification
      boolean bothRulesFirewall =
          (rule.getPurpose() == newRule.getPurpose() && rule.getPurpose() == Purpose.Firewall);
      boolean duplicatedCidrs = false;
      if (bothRulesFirewall) {
        // Verify that the rules have different cidrs
        _firewallDao.loadSourceCidrs(rule);
        _firewallDao.loadSourceCidrs((FirewallRuleVO) newRule);

        List<String> ruleCidrList = rule.getSourceCidrList();
        List<String> newRuleCidrList = newRule.getSourceCidrList();

        // NOTE(review): a missing CIDR list skips every remaining check for this pair, including
        // the network and ICMP checks — confirm that is intended
        if (ruleCidrList == null || newRuleCidrList == null) {
          continue;
        }

        Collection<String> similar = new HashSet<String>(ruleCidrList);
        similar.retainAll(newRuleCidrList);

        if (similar.size() > 0) {
          duplicatedCidrs = true;
        }
      }

      // a public IP carries either a single static NAT rule or other rule types, never both
      if (!oneOfRulesIsFirewall) {
        if (rule.getPurpose() == Purpose.StaticNat && newRule.getPurpose() != Purpose.StaticNat) {
          throw new NetworkRuleConflictException(
              "There is 1 to 1 Nat rule specified for the ip address id="
                  + newRule.getSourceIpAddressId());
        } else if (rule.getPurpose() != Purpose.StaticNat
            && newRule.getPurpose() == Purpose.StaticNat) {
          throw new NetworkRuleConflictException(
              "There is already firewall rule specified for the ip address id="
                  + newRule.getSourceIpAddressId());
        }
      }

      if (rule.getNetworkId() != newRule.getNetworkId() && rule.getState() != State.Revoke) {
        throw new NetworkRuleConflictException(
            "New rule is for a different network than what's specified in rule " + rule.getXid());
      }

      // NOTE(review): getIcmpCode()/getIcmpType() are unboxed here without a null check — confirm
      // they are always set for ICMP rules by the time this runs
      if (newRule.getProtocol().equalsIgnoreCase(NetUtils.ICMP_PROTO)
          && newRule.getProtocol().equalsIgnoreCase(rule.getProtocol())) {
        if (newRule.getIcmpCode().longValue() == rule.getIcmpCode().longValue()
            && newRule.getIcmpType().longValue() == rule.getIcmpType().longValue()
            && newRule.getProtocol().equalsIgnoreCase(rule.getProtocol())
            && duplicatedCidrs) {
          throw new InvalidParameterValueException(
              "New rule conflicts with existing rule id=" + rule.getId());
        }
      }

      // port range comparison only makes sense when both rules carry a full range
      boolean notNullPorts =
          (newRule.getSourcePortStart() != null
              && newRule.getSourcePortEnd() != null
              && rule.getSourcePortStart() != null
              && rule.getSourcePortEnd() != null);
      if (!notNullPorts) {
        continue;
      } else if (!oneOfRulesIsFirewall
          && !(bothRulesFirewall && !duplicatedCidrs)
          // the four disjuncts cover every way two closed ranges can overlap: either end of the new
          // range falls inside the existing one, or either end of the existing range falls inside
          // the new one
          && ((rule.getSourcePortStart().intValue() <= newRule.getSourcePortStart().intValue()
                  && rule.getSourcePortEnd().intValue() >= newRule.getSourcePortStart().intValue())
              || (rule.getSourcePortStart().intValue() <= newRule.getSourcePortEnd().intValue()
                  && rule.getSourcePortEnd().intValue() >= newRule.getSourcePortEnd().intValue())
              || (newRule.getSourcePortStart().intValue() <= rule.getSourcePortStart().intValue()
                  && newRule.getSourcePortEnd().intValue() >= rule.getSourcePortStart().intValue())
              || (newRule.getSourcePortStart().intValue() <= rule.getSourcePortEnd().intValue()
                  && newRule.getSourcePortEnd().intValue()
                      >= rule.getSourcePortEnd().intValue()))) {

        // we allow port forwarding rules with the same parameters but different protocols
        boolean allowPf =
            (rule.getPurpose() == Purpose.PortForwarding
                && newRule.getPurpose() == Purpose.PortForwarding
                && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));
        boolean allowStaticNat =
            (rule.getPurpose() == Purpose.StaticNat
                && newRule.getPurpose() == Purpose.StaticNat
                && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));

        if (!(allowPf || allowStaticNat || oneOfRulesIsFirewall)) {
          throw new NetworkRuleConflictException(
              "The range specified, "
                  + newRule.getSourcePortStart()
                  + "-"
                  + newRule.getSourcePortEnd()
                  + ", conflicts with rule "
                  + rule.getId()
                  + " which has "
                  + rule.getSourcePortStart()
                  + "-"
                  + rule.getSourcePortEnd());
        }
      }
    }

    if (s_logger.isDebugEnabled()) {
      // rules includes newRule itself, hence the -1
      s_logger.debug(
          "No network rule conflicts detected for "
              + newRule
              + " against "
              + (rules.size() - 1)
              + " existing rules");
    }
  }
  /**
   * Creates an ingress firewall rule from the values carried by {@code rule}, attributed to the
   * calling account and keyed by the rule's source IP address.
   *
   * @param rule the requested rule; its source IP, xid, ports, protocol, CIDR list, ICMP fields,
   *     type, network and traffic type are copied through to {@code createFirewallRule}
   * @return the rule returned by {@code createFirewallRule}
   * @throws NetworkRuleConflictException if the new rule conflicts with an existing one
   */
  @Override
  @ActionEvent(
      eventType = EventTypes.EVENT_FIREWALL_OPEN,
      eventDescription = "creating firewall rule",
      create = true)
  public FirewallRule createIngressFirewallRule(FirewallRule rule)
      throws NetworkRuleConflictException {
    Account callingAccount = CallContext.current().getCallingAccount();
    return createFirewallRule(
        rule.getSourceIpAddressId(),
        callingAccount,
        rule.getXid(),
        rule.getSourcePortStart(),
        rule.getSourcePortEnd(),
        rule.getProtocol(),
        rule.getSourceCidrList(),
        rule.getIcmpCode(),
        rule.getIcmpType(),
        null,
        rule.getType(),
        rule.getNetworkId(),
        rule.getTrafficType());
  }
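  /**
   * Creates an egress firewall rule for the network of {@code rule}, attributed to the calling
   * account. Egress rules carry no source IP, so {@code null} is passed in its place.
   *
   * @param rule the requested rule; its xid, ports, protocol, CIDR list, ICMP fields, type,
   *     network and traffic type are copied through to {@code createFirewallRule}
   * @return the rule returned by {@code createFirewallRule}
   * @throws NetworkRuleConflictException if the new rule conflicts with an existing one
   * @throws InvalidParameterValueException if the network does not exist or is a shared network
   */
  @Override
  @ActionEvent(
      eventType = EventTypes.EVENT_FIREWALL_OPEN,
      eventDescription = "creating firewall rule",
      create = true)
  public FirewallRule createEgressFirewallRule(FirewallRule rule)
      throws NetworkRuleConflictException {
    Account caller = CallContext.current().getCallingAccount();

    Network network = _networkDao.findById(rule.getNetworkId());
    // a caller-supplied network id may not resolve; reject it explicitly instead of throwing NPE
    if (network == null) {
      throw new InvalidParameterValueException(
          "Unable to find network by id: " + rule.getNetworkId());
    }
    if (network.getGuestType() == Network.GuestType.Shared) {
      throw new InvalidParameterValueException(
          "Egress firewall rules are not supported for " + network.getGuestType() + "  networks");
    }

    return createFirewallRule(
        null,
        caller,
        rule.getXid(),
        rule.getSourcePortStart(),
        rule.getSourcePortEnd(),
        rule.getProtocol(),
        rule.getSourceCidrList(),
        rule.getIcmpCode(),
        rule.getIcmpType(),
        null,
        rule.getType(),
        rule.getNetworkId(),
        rule.getTrafficType());
  }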