cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From yas...@apache.org
Subject git commit: updated refs/heads/master to a4a059c
Date Wed, 10 Apr 2013 18:01:22 GMT
Updated Branches:
  refs/heads/master ee0a91d11 -> a4a059c04


CLOUDSTACK-779 Egress firewall rules support for Juniper SRX


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a4a059c0
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a4a059c0
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a4a059c0

Branch: refs/heads/master
Commit: a4a059c0430eabf30bd96261c71aa700e62cca0c
Parents: ee0a91d
Author: Jayapal <jayapalreddy.uradi@citrix.com>
Authored: Wed Apr 10 18:04:02 2013 +0530
Committer: Sheng Yang <sheng.yang@citrix.com>
Committed: Wed Apr 10 10:54:04 2013 -0700

----------------------------------------------------------------------
 api/src/com/cloud/agent/api/to/FirewallRuleTO.java |    6 +
 .../element/JuniperSRXExternalFirewallElement.java |    2 +-
 .../cloud/network/resource/JuniperSrxResource.java |  322 +++++++++++----
 scripts/network/juniper/application-add.xml        |    2 +-
 scripts/network/juniper/security-policy-add.xml    |    4 +-
 .../network/ExternalFirewallDeviceManagerImpl.java |   12 +-
 .../src/com/cloud/upgrade/dao/Upgrade410to420.java |   60 +++
 7 files changed, 328 insertions(+), 80 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/agent/api/to/FirewallRuleTO.java b/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
index 7f77936..f296aa4 100644
--- a/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
+++ b/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
@@ -23,6 +23,7 @@ import org.apache.cloudstack.api.InternalIdentity;
 
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.State;
+import com.cloud.network.rules.FirewallRule.TrafficType;
 import com.cloud.utils.net.NetUtils;
 
 /**
@@ -109,6 +110,11 @@ public class FirewallRuleTO implements InternalIdentity {
         this(rule.getId(),srcVlanTag, srcIp, rule.getProtocol(), rule.getSourcePortStart(),
rule.getSourcePortEnd(), revokeState, alreadyAdded, purpose,rule.getSourceCidrList(),rule.getIcmpType(),rule.getIcmpCode());
     }
 
+    public FirewallRuleTO(FirewallRule rule, String guestVlanTag, FirewallRule.TrafficType
trafficType) {
+        this(rule.getId(), guestVlanTag, null, rule.getProtocol(), rule.getSourcePortStart(),
rule.getSourcePortEnd(), rule.getState()==State.Revoke, rule.getState()==State.Active, rule.getPurpose(),
rule.getSourceCidrList(), rule.getIcmpType(), rule.getIcmpCode());
+        this.trafficType = trafficType;
+    }
+
     public FirewallRule.TrafficType getTrafficType(){
         return trafficType;
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
b/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
index af0912a..64b0f5a 100644
--- a/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
+++ b/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
@@ -274,7 +274,7 @@ PortForwardingServiceProvider, RemoteAccessVPNServiceProvider, IpDeployer,
Junip
         firewallCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp");
         firewallCapabilities.put(Capability.MultipleIps, "true");
         firewallCapabilities.put(Capability.TrafficStatistics, "per public ip");
-        firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress");
+        firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress, egress");
         capabilities.put(Service.Firewall, firewallCapabilities);
 
         // Disabling VPN for Juniper in Acton as it 1) Was never tested 2) probably just
doesn't work

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java
b/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java
index 8482168..a0068c3 100644
--- a/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java
+++ b/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java
@@ -303,7 +303,7 @@ public class JuniperSrxResource implements ServerResource {
     }
 
     private enum Protocol {
-        tcp, udp, icmp, any;
+        tcp, udp, icmp, all, any;
     }
 
     private enum RuleMatchCondition {
@@ -320,7 +320,8 @@ public class JuniperSrxResource implements ServerResource {
     private enum SecurityPolicyType {
         STATIC_NAT("staticnat"),
         DESTINATION_NAT("destnat"),
-        VPN("vpn");
+        VPN("vpn"),
+        SECURITYPOLICY_EGRESS("egress");
 
         private String identifier;
 
@@ -776,6 +777,43 @@ public class JuniperSrxResource implements ServerResource {
         s_logger.debug(msg);
     }
 
+    private Map<String, ArrayList<FirewallRuleTO>> getActiveFirewallEgressRules(FirewallRuleTO[]
allRules) {
+        Map<String, ArrayList<FirewallRuleTO>> activeRules = new HashMap<String,
ArrayList<FirewallRuleTO>>();
+
+        for (FirewallRuleTO rule : allRules) {
+            String guestVlan;
+            guestVlan = rule.getSrcVlanTag();
+
+            ArrayList<FirewallRuleTO> activeRulesForNetwork = activeRules.get(guestVlan);
+
+            if (activeRulesForNetwork == null) {
+                activeRulesForNetwork = new ArrayList<FirewallRuleTO>();
+            }
+
+            if (!rule.revoked() || rule.isAlreadyAdded()) {
+                activeRulesForNetwork.add(rule);
+            }
+
+            activeRules.put(guestVlan, activeRulesForNetwork);
+        }
+
+        return activeRules;
+    }
+
+    private List<String> extractCidrs(List<FirewallRuleTO> rules) throws ExecutionException
{
+        List<String> allCidrs = new ArrayList<String>();
+        List<String> cidrs = new ArrayList<String>();
+
+        for (FirewallRuleTO rule : rules) {
+            cidrs = (rule.getSourceCidrList());
+            for (String cidr: cidrs) {
+                if (!allCidrs.contains(cidr)) {
+                    allCidrs.add(cidr);
+                }
+            }
+        }
+        return allCidrs;
+    }
 
     /* security policies */
     private synchronized Answer execute(SetFirewallRulesCommand cmd) {
@@ -787,24 +825,39 @@ public class JuniperSrxResource implements ServerResource {
         FirewallRuleTO[] rules = cmd.getRules();
         try {
             openConfiguration();
+            if (rules[0].getTrafficType() == FirewallRule.TrafficType.Egress) {
+                Map<String, ArrayList<FirewallRuleTO>> activeRules = getActiveFirewallEgressRules(rules);
+                Set<String> guestVlans = activeRules.keySet();
+                List<String> cidrs = new ArrayList();
 
-            for (FirewallRuleTO rule : rules) {
-                int startPort = 0, endPort = 0;
-                if (rule.getSrcPortRange() != null) {
-                    startPort = rule.getSrcPortRange()[0];
-                    endPort = rule.getSrcPortRange()[1];
+                for (String guestVlan : guestVlans) {
+                    List<FirewallRuleTO> activeRulesForGuestNw = activeRules.get(guestVlan);
+
+                    removeEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS,
guestVlan, extractCidrs(activeRulesForGuestNw));
+                    if (activeRulesForGuestNw.size() > 0) {
+                        addEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS,
guestVlan, extractApplications(activeRulesForGuestNw), extractCidrs(activeRulesForGuestNw));
+                    }
                 }
-                FirewallFilterTerm term = new FirewallFilterTerm(genIpIdentifier(rule.getSrcIp())
+ "-" + String.valueOf(rule.getId()), rule.getSourceCidrList(), 
-                        rule.getSrcIp(), rule.getProtocol(), startPort, endPort,
-                        rule.getIcmpType(), rule.getIcmpCode(), genIpIdentifier(rule.getSrcIp())
+ _usageFilterIPInput.getCounterIdentifier());
-                if (!rule.revoked()) {
-                    manageFirewallFilter(SrxCommand.ADD, term, _publicZoneInputFilterName);
-                } else {
-                    manageFirewallFilter(SrxCommand.DELETE, term, _publicZoneInputFilterName);
+                commitConfiguration();
+            } else {
+                for (FirewallRuleTO rule : rules) {
+                    int startPort = 0, endPort = 0;
+                    if (rule.getSrcPortRange() != null) {
+                        startPort = rule.getSrcPortRange()[0];
+                        endPort = rule.getSrcPortRange()[1];
+                        FirewallFilterTerm term = new FirewallFilterTerm(genIpIdentifier(rule.getSrcIp())
+ "-" + String.valueOf(rule.getId()), rule.getSourceCidrList(),
+                                rule.getSrcIp(), rule.getProtocol(), startPort, endPort,
+                                rule.getIcmpType(), rule.getIcmpCode(), genIpIdentifier(rule.getSrcIp())
+ _usageFilterIPInput.getCounterIdentifier());
+                        if (!rule.revoked()) {
+                            manageFirewallFilter(SrxCommand.ADD, term, _publicZoneInputFilterName);
+                        } else {
+                            manageFirewallFilter(SrxCommand.DELETE, term, _publicZoneInputFilterName);
+                        }
+                    }
+                    commitConfiguration();
                 }
             }
                 
-            commitConfiguration();
             return new Answer(cmd);
         } catch (ExecutionException e) {
             s_logger.error(e);
@@ -992,7 +1045,7 @@ public class JuniperSrxResource implements ServerResource {
 		
 		// Delete all security policies
 		for (String securityPolicyName : getVpnObjectNames(SrxXml.SECURITY_POLICY_GETALL, accountId))
{
-			manageSecurityPolicy(SecurityPolicyType.VPN, SrxCommand.DELETE, accountId, null, null,
null, securityPolicyName);
+            manageSecurityPolicy(SecurityPolicyType.VPN, SrxCommand.DELETE, accountId, null,
null, null, null, securityPolicyName);
 		}
 		
 		// Delete all address book entries 
@@ -1064,7 +1117,7 @@ public class JuniperSrxResource implements ServerResource {
     			manageAddressBookEntry(srxCmd, _privateZone , guestNetworkCidr, ipsecVpnName);
     			
     			// Security policy
-    			manageSecurityPolicy(SecurityPolicyType.VPN, srxCmd, null, null, guestNetworkCidr,
null, ipsecVpnName);
+                manageSecurityPolicy(SecurityPolicyType.VPN, srxCmd, null, null, guestNetworkCidr,
null, null, ipsecVpnName);
     		}
     		
     		commitConfiguration();
@@ -2455,38 +2508,44 @@ public class JuniperSrxResource implements ServerResource {
      * Applications
      */
 
-    private String genApplicationName(Protocol protocol, int startPort, int endPort) {
+    private String genApplicationName(SecurityPolicyType type, Protocol protocol, int startPort,
int endPort) {
         if (protocol.equals(Protocol.any)) {
             return Protocol.any.toString();
         } else {
-            return genObjectName(protocol.toString(), String.valueOf(startPort), String.valueOf(endPort));
+            if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) {
+                return genObjectName(type.getIdentifier(), protocol.toString(), String.valueOf(startPort),
String.valueOf(endPort));
+            } else {
+                return genObjectName(protocol.toString(), String.valueOf(startPort), String.valueOf(endPort));
+            }
         }
     }
 
-    private Object[] parseApplicationName(String applicationName) throws ExecutionException
{
+    private Object[] parseApplicationName(SecurityPolicyType type, String applicationName)
throws ExecutionException {
         String errorMsg = "Invalid application: " + applicationName;
         String[] applicationComponents = applicationName.split("-");
 
         Protocol protocol;
         Integer startPort;
         Integer endPort;
+        int offset = 0;
         try {
-            protocol = getProtocol(applicationComponents[0]);			
-            startPort = Integer.parseInt(applicationComponents[1]);
-            endPort = Integer.parseInt(applicationComponents[2]);
-        } catch (Exception e) {
+            offset = type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS) ? 1 : 0;
+            protocol = getProtocol(applicationComponents[offset + 0]);
+            startPort = Integer.parseInt(applicationComponents[offset + 1]);
+            endPort = Integer.parseInt(applicationComponents[offset + 2]);
+            } catch (Exception e) {
             throw new ExecutionException(errorMsg);
         }
 
         return new Object[]{protocol, startPort, endPort};
     }
 
-    private boolean manageApplication(SrxCommand command, Protocol protocol, int startPort,
int endPort) throws ExecutionException {
+    private boolean manageApplication(SecurityPolicyType type, SrxCommand command, Protocol
protocol, int startPort, int endPort) throws ExecutionException {
         if (protocol.equals(Protocol.any)) {
             return true;
         }
 
-        String applicationName = genApplicationName(protocol, startPort, endPort);
+        String applicationName = genApplicationName(type, protocol, startPort, endPort);
         String xml;
 
         switch (command) {
@@ -2498,23 +2557,28 @@ public class JuniperSrxResource implements ServerResource {
             return sendRequestAndCheckResponse(command, xml, "name", applicationName);
 
         case ADD:
-            if (manageApplication(SrxCommand.CHECK_IF_EXISTS, protocol, startPort, endPort))
{
+            if (manageApplication(type, SrxCommand.CHECK_IF_EXISTS, protocol, startPort,
endPort)) {
                 return true;
             }
-
+            String icmpOrDestPort;
             xml = SrxXml.APPLICATION_ADD.getXml();
             xml = replaceXmlValue(xml, "name", applicationName);
             xml = replaceXmlValue(xml, "protocol", protocol.toString());
-
-            String destPort;
-            if (startPort == endPort) {
-                destPort = String.valueOf(startPort);
+            if (protocol.toString() == Protocol.icmp.toString()) {
+                icmpOrDestPort = "<icmp-type>" + startPort + "</icmp-type>";
+                icmpOrDestPort += "<icmp-code>" + endPort + "</icmp-code>";
             } else {
-                destPort = startPort + "-" + endPort;
-            }
+                String destPort;
 
-            xml = replaceXmlValue(xml, "dest-port", destPort);
+                if (startPort == endPort) {
+                    destPort = String.valueOf(startPort);
+                } else {
+                    destPort = startPort + "-" + endPort;
+                }
+                icmpOrDestPort = "<destination-port>" + destPort + "</destination-port>";
+            }
 
+            xml = replaceXmlValue(xml, "dest-port-icmp", icmpOrDestPort);
             if (!sendRequestAndCheckResponse(command, xml)) {
                 throw new ExecutionException("Failed to add application " + applicationName);
             } else {
@@ -2522,7 +2586,7 @@ public class JuniperSrxResource implements ServerResource {
             }
 
         case DELETE:
-            if (!manageApplication(SrxCommand.CHECK_IF_EXISTS, protocol, startPort, endPort))
{
+            if (!manageApplication(type, SrxCommand.CHECK_IF_EXISTS, protocol, startPort,
endPort)) {
                 return true;
             }
 
@@ -2543,13 +2607,13 @@ public class JuniperSrxResource implements ServerResource {
 
     }
 
-    private List<String> getUnusedApplications(List<String> applications) throws
ExecutionException {
+    private List<String> getUnusedApplications(List<String> applications, String
fromZone, String toZone) throws ExecutionException {
         List<String> unusedApplications = new ArrayList<String>();
 
         // Check if any of the applications are unused by existing security policies
         String xml = SrxXml.SECURITY_POLICY_GETALL.getXml();
-        xml = replaceXmlValue(xml, "from-zone", _publicZone);
-        xml = replaceXmlValue(xml, "to-zone", _privateZone);
+        xml = replaceXmlValue(xml, "from-zone", fromZone);
+        xml = replaceXmlValue(xml, "to-zone", toZone);
         String allPolicies = sendRequest(xml);
 
         for (String application : applications) {
@@ -2560,10 +2624,7 @@ public class JuniperSrxResource implements ServerResource {
 
         return unusedApplications;
     }
-    
-    private List<String> getApplicationsForSecurityPolicy(SecurityPolicyType type,
String privateIp) throws ExecutionException {
-        String fromZone = _publicZone;
-        String toZone = _privateZone;
+    private List<String> getApplicationsForSecurityPolicy(SecurityPolicyType type,
String privateIp, String fromZone, String toZone) throws ExecutionException {
         String policyName = genSecurityPolicyName(type, null, null, fromZone, toZone, privateIp);
         String xml = SrxXml.SECURITY_POLICY_GETONE.getXml();
         xml = setDelete(xml, false);
@@ -2591,8 +2652,31 @@ public class JuniperSrxResource implements ServerResource {
         for (FirewallRuleTO rule : rules) {
             Object[] application = new Object[3];
             application[0] = getProtocol(rule.getProtocol());
-            application[1] = rule.getSrcPortRange()[0];
-            application[2] = rule.getSrcPortRange()[1];
+            if (application[0] == Protocol.icmp) {
+                if (rule.getIcmpType() == -1) {
+                    application[1] = 255;
+                } else {
+                    application[1] = rule.getIcmpType();
+                }
+
+                if (rule.getIcmpCode() == -1) {
+                    application[2] = 255;
+                } else {
+                    application[2] = rule.getIcmpCode();
+                }
+            } else if (application[0] == Protocol.tcp || application[0] == Protocol.udp)
{
+                if (rule.getSrcPortRange() != null) {
+                    application[1] = rule.getSrcPortRange()[0];
+                    application[2] = rule.getSrcPortRange()[1];
+                } else {
+                    application[1] = 0;
+                    application[2] = 65535;
+                }
+            } else if (application[0] == Protocol.all) {
+                application[1] = 0;
+                application[2] = 65535;
+            }
+
             applications.add(application);
         }
 
@@ -2611,16 +2695,20 @@ public class JuniperSrxResource implements ServerResource {
         }    		    
     }
 
-    private boolean manageSecurityPolicy(SecurityPolicyType type, SrxCommand command, Long
accountId, String username, String privateIp, List<String> applicationNames, String
ipsecVpnName) throws ExecutionException {
+    private boolean manageSecurityPolicy(SecurityPolicyType type, SrxCommand command, Long
accountId, String username, String privateIp, List<String> applicationNames, List<String>
cidrs, String ipsecVpnName) throws ExecutionException {
         String fromZone = _publicZone;
         String toZone = _privateZone;
         
         String securityPolicyName;
-        String addressBookEntryName;
-        
+        String addressBookEntryName = null;
+
         if (type.equals(SecurityPolicyType.VPN) && ipsecVpnName != null) {
-        	securityPolicyName = ipsecVpnName;
-        	addressBookEntryName = ipsecVpnName;
+            securityPolicyName = ipsecVpnName;
+            addressBookEntryName = ipsecVpnName;
+        } else if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) {
+            fromZone = _privateZone;
+            toZone = _publicZone;
+            securityPolicyName = genSecurityPolicyName(type, accountId, username, fromZone,
toZone, privateIp);
         } else {
         	securityPolicyName = genSecurityPolicyName(type, accountId, username, fromZone,
toZone, privateIp);
             addressBookEntryName = genAddressBookEntryName(privateIp);
@@ -2661,17 +2749,38 @@ public class JuniperSrxResource implements ServerResource {
             return false;
 
         case ADD:
-            if (!manageAddressBookEntry(SrxCommand.CHECK_IF_EXISTS, toZone, privateIp, ipsecVpnName))
{
-                throw new ExecutionException("No address book entry for policy: " + securityPolicyName);
+            if (!type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) {
+                if (!manageAddressBookEntry(SrxCommand.CHECK_IF_EXISTS, toZone, privateIp,
addressBookEntryName)) {
+                    throw new ExecutionException("No address book entry for policy: " + securityPolicyName);
+                }
+            }
+
+            String srcAddrs = "";
+            String dstAddrs = "";
+            xml = SrxXml.SECURITY_POLICY_ADD.getXml();
+            xml = replaceXmlValue(xml, "policy-name", securityPolicyName);
+            if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) {
+                xml = replaceXmlValue(xml, "from-zone", _privateZone);
+                xml = replaceXmlValue(xml, "to-zone", _publicZone);
+                if (cidrs == null) {
+                    srcAddrs = "<source-address>any</source-address>";
+                } else {
+                    for (String cidr : cidrs) {
+                        srcAddrs += "<source-address>" + genAddressBookEntryName(cidr)
+ "</source-address>";
+                    }
+                }
+                xml = replaceXmlValue(xml, "src-address", srcAddrs);
+                dstAddrs = "<destination-address>any</destination-address>";
+                xml = replaceXmlValue(xml, "dst-address", dstAddrs);
+            } else {
+                xml = replaceXmlValue(xml, "from-zone", fromZone);
+                xml = replaceXmlValue(xml, "to-zone", toZone);
+                srcAddrs = "<source-address>any</source-address>";
+                xml = replaceXmlValue(xml, "src-address", srcAddrs);
+                dstAddrs = "<destination-address>" + addressBookEntryName + "</destination-address>";
+                xml = replaceXmlValue(xml, "dst-address", dstAddrs);
             }
 
-            xml = SrxXml.SECURITY_POLICY_ADD.getXml();            	            	
-            xml = replaceXmlValue(xml, "from-zone", fromZone);
-            xml = replaceXmlValue(xml, "to-zone", toZone);            
-            xml = replaceXmlValue(xml, "policy-name", securityPolicyName);            
-            xml = replaceXmlValue(xml, "src-address", "any");    
-            xml = replaceXmlValue(xml, "dest-address", addressBookEntryName);
-            
             if (type.equals(SecurityPolicyType.VPN) && ipsecVpnName != null) {
             	xml = replaceXmlValue(xml, "tunnel", "<tunnel><ipsec-vpn>" + ipsecVpnName
+ "</ipsec-vpn></tunnel>");
             } else {      	
@@ -2679,7 +2788,7 @@ public class JuniperSrxResource implements ServerResource {
             }
                         
             String applications;
-            if (applicationNames == null) {
+            if (applicationNames == null || applicationNames.size() == 0) {
             	applications = "<application>any</application>";
             } else {
             	applications = "";
@@ -2697,11 +2806,11 @@ public class JuniperSrxResource implements ServerResource {
             }
 
         case DELETE:
-            if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp,
applicationNames, ipsecVpnName)) {
+            if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp,
applicationNames, cidrs, ipsecVpnName)) {
                 return true;
             }
 
-            if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp,
applicationNames, ipsecVpnName)) {
+            if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp,
applicationNames, cidrs, ipsecVpnName)) {
                 return true;
             }
 
@@ -2757,42 +2866,77 @@ public class JuniperSrxResource implements ServerResource {
             int startPort = application[1] != null ? ((Integer) application[1]) : -1;
             int endPort = application[2] != null ? ((Integer) application[2]) : -1;
 
-            String applicationName = genApplicationName(protocol, startPort, endPort);
+            String applicationName = genApplicationName(type, protocol, startPort, endPort);
             if (!applicationNames.contains(applicationName)) {
                 applicationNames.add(applicationName);
             }
 
-            manageApplication(SrxCommand.ADD, protocol, startPort, endPort);
+            manageApplication(type, SrxCommand.ADD, protocol, startPort, endPort);
         }
 
         // Add a new security policy
-        manageSecurityPolicy(type, SrxCommand.ADD, null, null, privateIp, applicationNames,
null);
+        manageSecurityPolicy(type, SrxCommand.ADD, null, null, privateIp, applicationNames,
null, null);
 
         return true;
     }
 
     private boolean removeSecurityPolicyAndApplications(SecurityPolicyType type, String privateIp)
throws ExecutionException {
-        if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp,
null, null)) {
+        if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp,
null,null, null)) {
             return true;
         }
 
-        if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp,
null, null)) {
+        if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp,
null, null, null)) {
             return true;
         }
 
         // Get a list of applications for this security policy
-        List<String> applications = getApplicationsForSecurityPolicy(type, privateIp);
+        List<String> applications = getApplicationsForSecurityPolicy(type, privateIp,
_publicZone, _privateZone);
+
+        // Remove the security policy
+        manageSecurityPolicy(type, SrxCommand.DELETE, null, null, privateIp, null, null,
null);
+
+        // Remove any applications for the removed security policy that are no longer in
use
+        List<String> unusedApplications = getUnusedApplications(applications, _publicZone,
_privateZone);
+        for (String application : unusedApplications) {
+            Object[] applicationComponents;
+
+            try {
+                applicationComponents = parseApplicationName(type, application);
+            } catch (ExecutionException e) {
+                s_logger.error("Found an invalid application: " + application + ". Not attempting
to clean up.");
+                continue;
+            }
+
+            Protocol protocol = (Protocol) applicationComponents[0];
+            Integer startPort = (Integer) applicationComponents[1];
+            Integer endPort = (Integer) applicationComponents[2];
+            manageApplication(type, SrxCommand.DELETE, protocol, startPort, endPort);
+        }
+
+        return true;
+    }
+
+
+    private boolean removeEgressSecurityPolicyAndApplications(SecurityPolicyType type, String
guestVlan, List <String> cidrs) throws ExecutionException {
+        if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, guestVlan,
null, cidrs, null)) {
+            return true;
+        }
+        // Get a list of applications for this security policy
+        List<String> applications;
+        applications = getApplicationsForSecurityPolicy(type, guestVlan, _privateZone, _publicZone);
 
-        // Remove the security policy 
-        manageSecurityPolicy(type, SrxCommand.DELETE, null, null, privateIp, null, null);
+        // Remove the security policy even if it is in use
+        manageSecurityPolicy(type, SrxCommand.DELETE, null, null, guestVlan, null, cidrs,
null);
 
         // Remove any applications for the removed security policy that are no longer in
use
-        List<String> unusedApplications = getUnusedApplications(applications);
+        List<String> unusedApplications;
+        unusedApplications = getUnusedApplications(applications, _privateZone, _publicZone);
+
         for (String application : unusedApplications) {
             Object[] applicationComponents;
 
             try {
-                applicationComponents = parseApplicationName(application);
+                applicationComponents = parseApplicationName(type, application);
             } catch (ExecutionException e) {
                 s_logger.error("Found an invalid application: " + application + ". Not attempting
to clean up.");
                 continue;
@@ -2800,13 +2944,43 @@ public class JuniperSrxResource implements ServerResource {
 
             Protocol protocol = (Protocol) applicationComponents[0];
             Integer startPort = (Integer) applicationComponents[1];
-            Integer endPort = (Integer) applicationComponents[2];			
-            manageApplication(SrxCommand.DELETE, protocol, startPort, endPort);	
+            Integer endPort = (Integer) applicationComponents[2];
+            manageApplication(type, SrxCommand.DELETE, protocol, startPort, endPort);
         }
+        for (String cidr: cidrs) {
+            manageAddressBookEntry(SrxCommand.DELETE, _publicZone, cidr, null);
+            }
 
         return true;
     }
 
+    private boolean addEgressSecurityPolicyAndApplications(SecurityPolicyType type, String
guestVlan, List<Object[]> applications, List <String> cidrs) throws ExecutionException
{
+        // Add all necessary applications
+        List<String> applicationNames = new ArrayList<String>();
+        for (Object[] application : applications) {
+            Protocol protocol = (Protocol) application[0];
+            if (!protocol.equals(Protocol.all)) {
+                int startPort = application[1] != null ? ((Integer) application[1]) : 0;
+                int endPort = application[2] != null ? ((Integer) application[2]) : 65535;
+
+                String applicationName = genApplicationName(type, protocol, startPort, endPort);
+                if (!applicationNames.contains(applicationName)) {
+                    applicationNames.add(applicationName);
+                }
+                manageApplication(type, SrxCommand.ADD, protocol, startPort, endPort);
+            }
+        }
+
+        for (String cidr: cidrs) {
+            manageAddressBookEntry(SrxCommand.ADD, _privateZone, cidr, null);
+            }
+
+        // Add a new security policy
+        manageSecurityPolicy(type, SrxCommand.ADD, null, null, guestVlan, applicationNames,
cidrs, null);
+        s_logger.debug("Added Egress firewall rule for guest network " + guestVlan);
+        return true;
+    }
+
     /*
      * Filter terms
      */

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/scripts/network/juniper/application-add.xml
----------------------------------------------------------------------
diff --git a/scripts/network/juniper/application-add.xml b/scripts/network/juniper/application-add.xml
index 6603850..177329a 100644
--- a/scripts/network/juniper/application-add.xml
+++ b/scripts/network/juniper/application-add.xml
@@ -23,7 +23,7 @@ under the License.
 <application>           
 <name>%name%</name>     
 <protocol>%protocol%</protocol>    
-<destination-port>%dest-port%</destination-port>        
+%dest-port-icmp%
 </application>   
 </applications>
 </configuration>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/scripts/network/juniper/security-policy-add.xml
----------------------------------------------------------------------
diff --git a/scripts/network/juniper/security-policy-add.xml b/scripts/network/juniper/security-policy-add.xml
index 632a17d..595e026 100644
--- a/scripts/network/juniper/security-policy-add.xml
+++ b/scripts/network/juniper/security-policy-add.xml
@@ -27,8 +27,8 @@ under the License.
 <policy>
 <name>%policy-name%</name>
 <match>
-<source-address>%src-address%</source-address>
-<destination-address>%dest-address%</destination-address>
+%src-address%
+%dst-address%
 %applications%
 </match>
 <then>

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java b/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java
index 1fc32d0..c2038e5 100644
--- a/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java
+++ b/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java
@@ -1,3 +1,4 @@
+
 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
@@ -541,8 +542,15 @@ public abstract class ExternalFirewallDeviceManagerImpl extends AdapterBase
impl
             if (rule.getSourceCidrList() == null && (rule.getPurpose() == Purpose.Firewall
|| rule.getPurpose() == Purpose.NetworkACL)) {
                 _fwRulesDao.loadSourceCidrs((FirewallRuleVO)rule);
             }
-            IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
-            FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr());
+            FirewallRuleTO ruleTO;
+            if (rule.getPurpose() == Purpose.Firewall && rule.getTrafficType() ==
FirewallRule.TrafficType.Egress) {
+                String guestVlanTag = network.getBroadcastUri().getHost();
+                String guestCidr = network.getCidr();
+                ruleTO = new FirewallRuleTO(rule, guestVlanTag, rule.getTrafficType());
+            } else {
+                IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
+                ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr());
+            }
             rulesTO.add(ruleTO);
         }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/server/src/com/cloud/upgrade/dao/Upgrade410to420.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/upgrade/dao/Upgrade410to420.java b/server/src/com/cloud/upgrade/dao/Upgrade410to420.java
index f39038f..b43e494 100644
--- a/server/src/com/cloud/upgrade/dao/Upgrade410to420.java
+++ b/server/src/com/cloud/upgrade/dao/Upgrade410to420.java
@@ -65,6 +65,7 @@ public class Upgrade410to420 implements DbUpgrade {
         updateSystemVmTemplates(conn);
         updateCluster_details(conn);
         updatePrimaryStore(conn);
+        addEgressFwRulesForSRXGuestNw(conn);
     }
 	
 	private void updateSystemVmTemplates(Connection conn) {
@@ -305,4 +306,63 @@ public class Upgrade410to420 implements DbUpgrade {
             }
         }
     }
+    private void addEgressFwRulesForSRXGuestNw(Connection conn) {
+        PreparedStatement pstmt = null;
+        ResultSet rs = null;
+        ResultSet rsId = null;
+        ResultSet rsNw = null;
+        try {
+            pstmt = conn.prepareStatement("select network_id FROM `cloud`.`ntwk_service_map`
where service='Firewall' and provider='JuniperSRX' ");
+            rs = pstmt.executeQuery();
+            while (rs.next()) {
+                long netId = rs.getLong(1);
+                //checking for Isolated OR Virtual
+                pstmt = conn.prepareStatement("select account_id, domain_id FROM `cloud`.`networks`
where (guest_type='Isolated' OR guest_type='Virtual') and traffic_type='Guest' and vpc_id
is NULL and (state='implemented' OR state='Shutdown') and id=? ");
+                pstmt.setLong(1, netId);
+                s_logger.debug("Getting account_id, domain_id from networks table: " + pstmt);
+                rsNw = pstmt.executeQuery();
+
+                if(rsNw.next()) {
+                    long accountId = rsNw.getLong(1);
+                    long domainId = rsNw.getLong(2);
+
+                    //Add new rule for the existing networks
+                    s_logger.debug("Adding default egress firewall rule for network " + netId);
+                    pstmt = conn.prepareStatement("INSERT INTO firewall_rules (uuid, state,
protocol, purpose, account_id, domain_id, network_id, xid, created,  traffic_type) VALUES
(?, 'Active', 'all', 'Firewall', ?, ?, ?, ?, now(), 'Egress')");
+                    pstmt.setString(1, UUID.randomUUID().toString());
+                    pstmt.setLong(2, accountId);
+                    pstmt.setLong(3, domainId);
+                    pstmt.setLong(4, netId);
+                    pstmt.setString(5, UUID.randomUUID().toString());
+                    s_logger.debug("Inserting default egress firewall rule " + pstmt);
+                    pstmt.executeUpdate();
+
+                    pstmt = conn.prepareStatement("select id from firewall_rules where protocol='all'
and network_id=?");
+                    pstmt.setLong(1, netId);
+                    rsId = pstmt.executeQuery();
+
+                    long firewallRuleId;
+                    if(rsId.next()) {
+                        firewallRuleId = rsId.getLong(1);
+                        pstmt = conn.prepareStatement("insert into firewall_rules_cidrs (firewall_rule_id,source_cidr)
values (?, '0.0.0.0/0')");
+                        pstmt.setLong(1, firewallRuleId);
+                        s_logger.debug("Inserting rule for cidr 0.0.0.0/0 for the new Firewall
rule id=" + firewallRuleId + " with statement " + pstmt);
+                        pstmt.executeUpdate();
+                    }
+                }
+            }
+        } catch (SQLException e) {
+            throw new CloudRuntimeException("Unable to set egress firewall rules ", e);
+        } finally {
+            try {
+                if (rs != null) {
+                    rs.close();
+                }
+                if (pstmt != null) {
+                    pstmt.close();
+                }
+            } catch (SQLException e) {
+            }
+        }
+    }
 }


Mime
View raw message