From kous...@apache.org
Subject [1/2] git commit: refs/heads/cisco-vnmc-api-integration - Egress firewall rule
Date Fri, 22 Mar 2013 08:21:53 GMT
Updated Branches:
  refs/heads/cisco-vnmc-api-integration e81ab3a2f -> 2c386c61e


Egress firewall rule


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/4d2168bf
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/4d2168bf
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/4d2168bf

Branch: refs/heads/cisco-vnmc-api-integration
Commit: 4d2168bfa980f1fa4b8a0d10aaf4bdd2395de7cf
Parents: e81ab3a
Author: Koushik Das <koushik.das@citrix.com>
Authored: Fri Mar 22 00:30:01 2013 +0530
Committer: Koushik Das <koushik.das@citrix.com>
Committed: Fri Mar 22 00:30:01 2013 +0530

----------------------------------------------------------------------
 .../network/cisco/create-egress-acl-rule.xml       |  201 +++++++++++++++
 .../cloud/network/cisco/CiscoVnmcConnection.java   |    6 +
 .../network/cisco/CiscoVnmcConnectionImpl.java     |   34 +++-
 .../cloud/network/resource/CiscoVnmcResource.java  |   24 ++-
 .../network/resource/CiscoVnmcResourceTest.java    |    8 +-
 5 files changed, 264 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4d2168bf/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-egress-acl-rule.xml
----------------------------------------------------------------------
diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-egress-acl-rule.xml
b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-egress-acl-rule.xml
new file mode 100755
index 0000000..5256759
--- /dev/null
+++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-egress-acl-rule.xml
@@ -0,0 +1,201 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<configConfMos
+  cookie="%cookie%"
+  inHierarchical="false">
+  <inConfigs>
+
+    <pair key="%aclruledn%">
+      <policyRule
+        descr="%descr%"
+        dn="%aclruledn%"
+        name="%aclrulename%"
+        order="%order%"
+        status="created"/>
+    </pair>
+
+    <pair key="%aclruledn%/rule-action-0">
+      <fwpolicyAction
+        actionType="%actiontype%"
+        dn="%aclruledn%/rule-action-0"
+        id="0"
+        status="created"/>
+    </pair>
+
+    <pair key="%aclruledn%/rule-cond-2">
+      <policyRuleCondition
+        dn="%aclruledn%/rule-cond-2"
+        id="2"
+        order="unspecified"
+        status="created"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-2/nw-expr2">
+      <policyNetworkExpression
+        dn="%aclruledn%/rule-cond-2/nw-expr2"
+        id="2"
+        opr="eq"
+        status="created"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-2/nw-expr2/nw-protocol-2">
+      <policyProtocol
+        dataType="string"
+        descr=""
+        dn="%aclruledn%/rule-cond-2/nw-expr2/nw-protocol-2"
+        id="2"
+        name=""
+        placement="none"
+        status="created"
+        value="%protocolvalue%"/>
+    </pair>
+
+    <pair key="%aclruledn%/rule-cond-3">
+      <policyRuleCondition
+        dn="%aclruledn%/rule-cond-3"
+        id="3"
+        order="unspecified"
+        status="created"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-3/nw-expr2">
+      <policyNetworkExpression
+        dn="%aclruledn%/rule-cond-3/nw-expr2"
+        id="2"
+        opr="range"
+        status="created"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual">
+      <policyNwAttrQualifier
+        attrEp="destination"
+        dn="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual"
+        status="created"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-2">
+      <policyIPAddress
+        dataType="string"
+        descr=""
+        dn="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-2"
+        id="2"
+        name=""
+        placement="begin"
+        status="created"
+        value="%deststartip%"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-3">
+      <policyIPAddress
+        dataType="string"
+        descr=""
+        dn="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-3"
+        id="3"
+        name=""
+        placement="end"
+        status="created"
+        value="%destendip%"/>
+    </pair>
+
+    <pair key="%aclruledn%/rule-cond-4">
+      <policyRuleCondition
+        dn="%aclruledn%/rule-cond-4"
+        id="4"
+        order="unspecified"
+        status="created"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-4/nw-expr2">
+      <policyNetworkExpression
+        dn="%aclruledn%/rule-cond-4/nw-expr2"
+        id="2"
+        opr="eq"
+        status="created"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-4/nw-expr2/nw-attr-qual">
+      <policyNwAttrQualifier
+        attrEp="source"
+        dn="%aclruledn%/rule-cond-4/nw-expr2/nw-attr-qual"
+        status="created"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-4/nw-expr2/nw-ip-2">
+      <policyIPAddress
+        dataType="string"
+        descr=""
+        dn="%aclruledn%/rule-cond-4/nw-expr2/nw-ip-2"
+        id="2"
+        name=""
+        placement="none"
+        status="created"
+        value="%sourceip%"/>
+    </pair>
+
+    <pair key="%aclruledn%/rule-cond-5">
+      <policyRuleCondition
+        dn="%aclruledn%/rule-cond-5"
+        id="5"
+        order="unspecified"
+        status="created"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-5/nw-expr2">
+      <policyNetworkExpression
+        dn="%aclruledn%/rule-cond-5/nw-expr2"
+        id="2"
+        opr="range"
+        status="created"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-5/nw-expr2/nw-attr-qual">
+      <policyNwAttrQualifier
+        attrEp="source"
+        dn="%aclruledn%/rule-cond-5/nw-expr2/nw-attr-qual"
+        status="created"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-5/nw-expr2/nw-port-2">
+      <policyNetworkPort
+        appType="Other"
+        dataType="string"
+        descr=""
+        dn="%aclruledn%/rule-cond-5/nw-expr2/nw-port-2"
+        id="2"
+        name=""
+        placement="begin"
+        status="created"
+        value="%sourcestartport%"/>
+    </pair>
+    <pair key="%aclruledn%/rule-cond-5/nw-expr2/nw-port-3">
+      <policyNetworkPort
+        appType="Other"
+        dataType="string"
+        descr=""
+        dn="%aclruledn%/rule-cond-5/nw-expr2/nw-port-3"
+        id="3"
+        name=""
+        placement="end"
+        status="created"
+        value="%sourceendport%"/>
+    </pair>
+
+  </inConfigs>
+</configConfMos>
+
+<!--
+    aclruledn="org-root/org-vlan-123/org-VDC-vlan-123/pol-test_policy/rule-dummy"
+    aclrulename="dummy"
+    descr=value
+    actiontype="drop" or "permit"
+    protocolvalue = "TCP" or UDP or ICMP
+    deststartip="source start ip"
+    destendip="source end ip"
+    sourcestartport="start port at destination"
+    sourceendport="end port at destination"
+    sourceip="public ip at destination"
+--!>
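Review bot: The trailing legend comment is closed with `--!>`, which is not a valid XML comment terminator (`-->` is), so if this template is ever parsed as XML rather than sent as raw text after placeholder substitution, the whole document is ill-formed. The legend text also contradicts the attribute names it documents (`deststartip="source start ip"`, `sourcestartport="start port at destination"`). Change the closer to `-->` and reword each entry to describe the field it actually fills, e.g. `deststartip="start of destination IP range"` and `sourceip="public IP used as the rule source"`. Since every placeholder lands inside an attribute value, the legend should also state that callers must validate or escape `"`, `&` and `<` in substituted values unless the substitution helper does so.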

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4d2168bf/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
index 59a605e..35df7ec 100644
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
@@ -143,6 +143,12 @@ public interface CiscoVnmcConnection {
             String destStartPort, String destEndPort, String destIp)
             throws ExecutionException;
 
+    public boolean createTenantVDCEgressAclRule(String tenantName,
+            String identifier, String policyIdentifier,
+            String protocol, String sourceStartPort, String sourceEndPort, String sourceIp,
+            String destStartIp, String destEndIp)
+            throws ExecutionException;
+
     public boolean deleteTenantVDCAclRule(String tenantName,
             String identifier, String policyIdentifier) throws ExecutionException;
 
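Review bot: The new interface method `createTenantVDCEgressAclRule` has no Javadoc, and its parameter names do not make the mapping obvious: from the caller in this commit, `sourceIp` is the tenant's public IP, `sourceStartPort`/`sourceEndPort` are the rule's port range, and `destStartIp`/`destEndIp` are the range derived from the rule's source CIDR. Add a Javadoc that states this mapping, that `protocol` is the upper-cased protocol name, and that the created rule is a permit rule, with `@return` true when VNMC reports success and `@throws ExecutionException` on a failed request. The enclosing interface starts and ends outside this hunk.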

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4d2168bf/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
index 02e89d1..0b0b70c 100644
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
@@ -92,6 +92,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
         LIST_ACL_POLICIES("list-acl-policies.xml", "policy-mgr"),
         CREATE_ACL_POLICY_REF("create-acl-policy-ref.xml", "policy-mgr"),
         CREATE_INGRESS_ACL_RULE("create-ingress-acl-rule.xml", "policy-mgr"),
+        CREATE_EGRESS_ACL_RULE("create-egress-acl-rule.xml", "policy-mgr"),
 
         DELETE_RULE("delete-rule.xml", "policy-mgr"),
 
@@ -659,8 +660,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
         xml = replaceXmlValue(xml, "descr", "Edge Security Profile for Tenant VDC" + tenantName);
         xml = replaceXmlValue(xml, "name", getNameForEdgeDeviceSecurityProfile(tenantName));
         xml = replaceXmlValue(xml, "espdn", getDnForTenantVDCEdgeSecurityProfile(tenantName));
-        //xml = replaceXmlValue(xml, "egresspolicysetname", getNameForAclPolicySet(tenantName,
false));
-        xml = replaceXmlValue(xml, "egresspolicysetname", "default-egress"); //FIXME
+        xml = replaceXmlValue(xml, "egresspolicysetname", getNameForAclPolicySet(tenantName,
false));
         xml = replaceXmlValue(xml, "ingresspolicysetname", getNameForAclPolicySet(tenantName,
true));
         xml = replaceXmlValue(xml, "natpolicysetname", getNameForNatPolicySet(tenantName));
 
@@ -699,6 +699,36 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
     }
 
     @Override
+    public boolean createTenantVDCEgressAclRule(String tenantName,
+            String identifier, String policyIdentifier,
+            String protocol, String sourceStartPort, String sourceEndPort, String sourceIp,
+            String destStartIp, String destEndIp) throws ExecutionException {
+        String xml = VnmcXml.CREATE_EGRESS_ACL_RULE.getXml();
+        String service = VnmcXml.CREATE_EGRESS_ACL_RULE.getService();
+        xml = replaceXmlValue(xml, "cookie", _cookie);
+        xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
+        xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
+        xml = replaceXmlValue(xml, "descr", "Egress ACL policy for Tenant VDC" + tenantName);
+        xml = replaceXmlValue(xml, "actiontype", "permit");
+        xml = replaceXmlValue(xml, "protocolvalue", protocol);
+        xml = replaceXmlValue(xml, "sourcestartport", sourceStartPort);
+        xml = replaceXmlValue(xml, "sourceendport", sourceEndPort);
+        xml = replaceXmlValue(xml, "sourceip", sourceIp);
+        xml = replaceXmlValue(xml, "deststartip", destStartIp);
+        xml = replaceXmlValue(xml, "destendip", destEndIp);
+
+        List<String> rules = listChildren(getDnForAclPolicy(tenantName, policyIdentifier));
+        int order = 100;
+        if (rules != null) {
+            order += rules.size();
+        }
+        xml = replaceXmlValue(xml, "order", Integer.toString(order));
+
+        String response =  sendRequest(service, xml);
+        return verifySuccess(response);
+    }
+
+    @Override
     public boolean deleteTenantVDCAclRule(String tenantName, String identifier, String policyIdentifier)
throws ExecutionException {
         return deleteTenantVDCRule(
                 getDnForAclRule(tenantName, identifier, policyIdentifier),
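Review bot: `actiontype` is hard-wired to `"permit"` at `replaceXmlValue(xml, "actiontype", "permit")` even though the template parameterizes it, so the method cannot express a deny rule; if that is intended, add a comment saying so, otherwise take the action as a parameter. The `order` value comes from `listChildren(getDnForAclPolicy(tenantName, policyIdentifier))`, which takes no ingress/egress flag while the policies themselves are created per direction elsewhere in this commit, so if that DN resolves to one policy only, egress rules are numbered against the wrong policy, and two rules created concurrently would get the same order — worth confirming against the helper. `getDnForAclRule`/`getNameForAclRule` likewise carry no direction, so an ingress and an egress rule with the same rule id may collide on the same DN. Finally, the protocol, port and IP strings are substituted into XML attributes; unless `replaceXmlValue` escapes attribute metacharacters, validate them before building the request, e.g. `if (protocol == null || !protocol.matches("[A-Z]+")) throw new IllegalArgumentException("unsupported protocol: " + protocol);`.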

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4d2168bf/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
index 262fed0..58dcb08 100644
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
@@ -336,7 +336,9 @@ public class CiscoVnmcResource implements ServerResource {
             if (!_connection.createTenantVDCAclPolicySet(tenant, true)) {
                 throw new Exception("Failed to create ACL ingress policy set in VNMC for
guest network with vlan " + vlanId);
             }
-            // TODO for egress
+            if (!_connection.createTenantVDCAclPolicySet(tenant, false)) {
+                throw new Exception("Failed to create ACL egress policy set in VNMC for guest
network with vlan " + vlanId);
+            }
 
             for (String publicIp : publicIpRulesMap.keySet()) {
                 String policyIdentifier = publicIp.replace('.', '-');
@@ -344,7 +346,6 @@ public class CiscoVnmcResource implements ServerResource {
                 /*if (!_connection.deleteTenantVDCAclPolicy(tenant, policyIdentifier)) {
                     throw new Exception("Failed to delete ACL ingress policy in VNMC for
guest network with vlan " + vlanId);
                 }*/
-                // TODO for egress
 
                 if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true))
{
                     throw new Exception("Failed to create ACL ingress policy in VNMC for
guest network with vlan " + vlanId);
@@ -352,16 +353,21 @@ public class CiscoVnmcResource implements ServerResource {
                 if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, true))
{
                     throw new Exception("Failed to associate ACL ingress policy with ACL
ingress policy set in VNMC for guest network with vlan " + vlanId);
                 }
-                // TODO for egress
+                if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, false))
{
+                    throw new Exception("Failed to create ACL egress policy in VNMC for guest
network with vlan " + vlanId);
+                }
+                if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, false))
{
+                    throw new Exception("Failed to associate ACL egress policy with ACL egress
policy set in VNMC for guest network with vlan " + vlanId);
+                }
 
                 for (FirewallRuleTO rule : publicIpRulesMap.get(publicIp)) {
                     if (rule.revoked()) {
                         if (!_connection.deleteTenantVDCAclRule(tenant, Long.toString(rule.getId()),
publicIp)) {
-                            throw new Exception("Failed to delete ACL ingress rule in VNMC
for guest network with vlan " + vlanId);
+                            throw new Exception("Failed to delete ACL rule in VNMC for guest
network with vlan " + vlanId);
                         }
                     } else {
+                        String[] externalIpRange = getIpRangeFromCidr(rule.getSourceCidrList().get(0));
                         if (rule.getTrafficType() == TrafficType.Ingress) {
-                            String[] externalIpRange = getIpRangeFromCidr(rule.getSourceCidrList().get(0));
                             if (!_connection.createTenantVDCIngressAclRule(tenant,
                                     Long.toString(rule.getId()), policyIdentifier,
                                     rule.getProtocol().toUpperCase(), externalIpRange[0],
externalIpRange[1],
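Review bot: The hoisted `getIpRangeFromCidr(rule.getSourceCidrList().get(0))` now runs for every non-revoked rule, ingress or egress, and it reads only the first CIDR with no null/empty guard; a rule whose source CIDR list is null (the old test passed `null` there) throws a NullPointerException out of the loop, and a rule with several CIDRs is silently applied to only the first one, so the device state diverges from what the user configured. Either iterate over all entries of `rule.getSourceCidrList()` and create one VNMC rule per CIDR, or reject such rules explicitly, e.g. `List<String> cidrs = rule.getSourceCidrList(); if (cidrs == null || cidrs.isEmpty()) throw new Exception("Firewall rule " + rule.getId() + " has no source CIDR");`. The enclosing method starts and ends outside this hunk.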
@@ -369,7 +375,13 @@ public class CiscoVnmcResource implements ServerResource {
                                 throw new Exception("Failed to create ACL ingress rule in
VNMC for guest network with vlan " + vlanId);
                             }
                         } else {
-                            // TODO for egress
+                            if (!_connection.createTenantVDCEgressAclRule(tenant,
+                                    Long.toString(rule.getId()), policyIdentifier,
+                                    rule.getProtocol().toUpperCase(),
+                                    Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]),
publicIp,
+                                    externalIpRange[0], externalIpRange[1])) {
+                                throw new Exception("Failed to create ACL egress rule in
VNMC for guest network with vlan " + vlanId);
+                            }
                         }
                     }
                 }
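Review bot: `rule.getSrcPortRange()[0]` and `[1]` are dereferenced unconditionally in the new egress branch; if `getSrcPortRange()` can be null for rules without a port range (ICMP rules, for instance), this throws a NullPointerException instead of the descriptive Exception the surrounding code uses — guard it, e.g. `int[] ports = rule.getSrcPortRange(); if (ports == null || ports.length < 2) throw new Exception("Egress rule " + rule.getId() + " has no port range");`. The argument order also deserves a comment: `publicIp` is passed as the egress rule's source IP and the CIDR-derived range as the destination, the inverse of the ingress call above, which is easy to get wrong on later edits. The enclosing loop and method start and end outside this hunk.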

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4d2168bf/plugins/network-elements/cisco-vnmc/test/com/cloud/network/resource/CiscoVnmcResourceTest.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/cisco-vnmc/test/com/cloud/network/resource/CiscoVnmcResourceTest.java
b/plugins/network-elements/cisco-vnmc/test/com/cloud/network/resource/CiscoVnmcResourceTest.java
index 7a72318..69ef046 100755
--- a/plugins/network-elements/cisco-vnmc/test/com/cloud/network/resource/CiscoVnmcResourceTest.java
+++ b/plugins/network-elements/cisco-vnmc/test/com/cloud/network/resource/CiscoVnmcResourceTest.java
@@ -147,9 +147,11 @@ public class CiscoVnmcResourceTest {
     public void testFirewall() throws ConfigurationException, Exception {
         long vlanId = 123;
         List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
+        List<String> cidrList = new ArrayList<String>();
+        cidrList.add("2.3.2.3/32");
         FirewallRuleTO active = new FirewallRuleTO(1,
                 null, "1.2.3.4", "tcp", 22, 22, false, false,
-                FirewallRule.Purpose.Firewall, null, null, null);
+                FirewallRule.Purpose.Firewall, cidrList, null, null);
         rules.add(active);
         FirewallRuleTO revoked = new FirewallRuleTO(1,
                 null, "1.2.3.4", "tcp", 22, 22, true, false,
@@ -170,6 +172,10 @@ public class CiscoVnmcResourceTest {
                 anyString(), anyString(), anyString(),
                 anyString(), anyString(), anyString(),
                 anyString(), anyString(), anyString())).thenReturn(true);
+        when(_connection.createTenantVDCEgressAclRule(
+                anyString(), anyString(), anyString(),
+                anyString(), anyString(), anyString(),
+                anyString(), anyString(), anyString())).thenReturn(true);
         when(_connection.associateAclPolicySet(anyString())).thenReturn(true);
 
         Answer answer = _resource.executeRequest(cmd);
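Review bot: The new `createTenantVDCEgressAclRule` stub is configured but nothing asserts it was invoked, and neither FirewallRuleTO built in `testFirewall` visibly sets an egress traffic type, so the egress branch in CiscoVnmcResource may still be uncovered — confirm what that constructor defaults the traffic type to. Add an egress rule to `rules` and a `verify(_connection).createTenantVDCEgressAclRule(...)` with the expected arguments so the source/destination argument mapping is pinned. The test method continues past the end of this hunk.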

