From: bfederle@apache.org To: commits@cloudstack.apache.org Date: Wed, 10 Apr 2013 21:59:46 -0000 Message-Id: In-Reply-To: <55af5cd9135e428e8514053af9c4d1a0@git.apache.org> References: <55af5cd9135e428e8514053af9c4d1a0@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [46/50] git commit: updated refs/heads/ui-vm-affinity to b6c354a CLOUDSTACK-779 Egress firewall rules support for Juniper SRX Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a4a059c0 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a4a059c0 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a4a059c0 Branch: refs/heads/ui-vm-affinity Commit: a4a059c0430eabf30bd96261c71aa700e62cca0c Parents: ee0a91d Author: Jayapal Authored: Wed Apr 10 18:04:02 2013 +0530 Committer: Sheng Yang Committed: Wed Apr 10 10:54:04 2013 -0700 ---------------------------------------------------------------------- api/src/com/cloud/agent/api/to/FirewallRuleTO.java | 6 + .../element/JuniperSRXExternalFirewallElement.java | 2 +- .../cloud/network/resource/JuniperSrxResource.java | 322 +++++++++++---- scripts/network/juniper/application-add.xml | 2 +- scripts/network/juniper/security-policy-add.xml | 4 +- .../network/ExternalFirewallDeviceManagerImpl.java | 12 +- .../src/com/cloud/upgrade/dao/Upgrade410to420.java | 60 +++ 7 files changed, 328 insertions(+), 80 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/api/src/com/cloud/agent/api/to/FirewallRuleTO.java ---------------------------------------------------------------------- diff --git a/api/src/com/cloud/agent/api/to/FirewallRuleTO.java b/api/src/com/cloud/agent/api/to/FirewallRuleTO.java index 7f77936..f296aa4 100644 --- a/api/src/com/cloud/agent/api/to/FirewallRuleTO.java +++ b/api/src/com/cloud/agent/api/to/FirewallRuleTO.java 
@@ -23,6 +23,7 @@ import org.apache.cloudstack.api.InternalIdentity; import com.cloud.network.rules.FirewallRule; import com.cloud.network.rules.FirewallRule.State; +import com.cloud.network.rules.FirewallRule.TrafficType; import com.cloud.utils.net.NetUtils; /** @@ -109,6 +110,11 @@ public class FirewallRuleTO implements InternalIdentity { this(rule.getId(),srcVlanTag, srcIp, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), revokeState, alreadyAdded, purpose,rule.getSourceCidrList(),rule.getIcmpType(),rule.getIcmpCode()); } + public FirewallRuleTO(FirewallRule rule, String guestVlanTag, FirewallRule.TrafficType trafficType) { + this(rule.getId(), guestVlanTag, null, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getState()==State.Revoke, rule.getState()==State.Active, rule.getPurpose(), rule.getSourceCidrList(), rule.getIcmpType(), rule.getIcmpCode()); + this.trafficType = trafficType; + } + public FirewallRule.TrafficType getTrafficType(){ return trafficType; } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java b/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java index af0912a..64b0f5a 100644 --- a/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java +++ b/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java 
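Review bot: The new three-argument constructor has no Javadoc, and it is the only constructor that stores the guest VLAN tag in the srcVlanTag slot and leaves srcIp null, which JuniperSrxResource later depends on through getSrcVlanTag(); nothing in the signature tells a reader that. It also derives alreadyAdded from `rule.getState()==State.Active`, whereas the existing constructor above it takes alreadyAdded as an explicit argument, so the two constructors can disagree for the same rule. Suggest a doc comment above the constructor such as `/** Egress-rule variant: guestVlanTag is stored in the srcVlanTag field and srcIp is left null; revoked/alreadyAdded are derived from rule.getState() (Revoke / Active). */` so the convention is visible from the TO class.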
@@ -274,7 +274,7 @@ PortForwardingServiceProvider, RemoteAccessVPNServiceProvider, IpDeployer, Junip firewallCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp"); firewallCapabilities.put(Capability.MultipleIps, "true"); firewallCapabilities.put(Capability.TrafficStatistics, "per public ip"); - firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress"); + firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress, egress"); capabilities.put(Service.Firewall, firewallCapabilities); // Disabling VPN for Juniper in Acton as it 1) Was never tested 2) probably just doesn't work http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java b/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java index 8482168..a0068c3 100644 --- a/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java +++ b/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java @@ -303,7 +303,7 @@ public class JuniperSrxResource implements ServerResource { } private enum Protocol { - tcp, udp, icmp, any; + tcp, udp, icmp, all, any; } private enum RuleMatchCondition { @@ -320,7 +320,8 @@ public class JuniperSrxResource implements ServerResource { private enum SecurityPolicyType { STATIC_NAT("staticnat"), DESTINATION_NAT("destnat"), - VPN("vpn"); + VPN("vpn"), + SECURITYPOLICY_EGRESS("egress"); private String identifier; 
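Review bot: Protocol now carries both `all` and `any` with no comment distinguishing them, yet the rest of this commit treats them differently: genApplicationName and manageApplication short-circuit only on `any`, while addEgressSecurityPolicyAndApplications filters `all` by hand, so a later caller that passes `all` into the ingress path would get an application named after it. A one-line comment on the enum would make the split explicit, e.g. `// any: the SRX built-in "any" application; all: CloudStack protocol wildcard on egress rules, never created as an SRX application`. In the same file's SecurityPolicyType hunk, the "egress" identifier becomes the first component of application names that parseApplicationName splits on "-", so it must stay hyphen-free; a short comment on SECURITYPOLICY_EGRESS would protect that invariant.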
@@ -776,6 +777,43 @@ public class JuniperSrxResource implements ServerResource { s_logger.debug(msg); } + private Map> getActiveFirewallEgressRules(FirewallRuleTO[] allRules) { + Map> activeRules = new HashMap>(); + + for (FirewallRuleTO rule : allRules) { + String guestVlan; + guestVlan = rule.getSrcVlanTag(); + + ArrayList activeRulesForNetwork = activeRules.get(guestVlan); + + if (activeRulesForNetwork == null) { + activeRulesForNetwork = new ArrayList(); + } + + if (!rule.revoked() || rule.isAlreadyAdded()) { + activeRulesForNetwork.add(rule); + } + + activeRules.put(guestVlan, activeRulesForNetwork); + } + + return activeRules; + } + + private List extractCidrs(List rules) throws ExecutionException { + List allCidrs = new ArrayList(); + List cidrs = new ArrayList(); + + for (FirewallRuleTO rule : rules) { + cidrs = (rule.getSourceCidrList()); + for (String cidr: cidrs) { + if (!allCidrs.contains(cidr)) { + allCidrs.add(cidr); + } + } + } + return allCidrs; + } /* security policies */ private synchronized Answer execute(SetFirewallRulesCommand cmd) { 
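Review bot: extractCidrs declares `throws ExecutionException` but contains nothing that can throw it, initialises `cidrs` to a fresh ArrayList that is overwritten on the first iteration, and de-duplicates with a quadratic `contains` scan; a LinkedHashSet does the same job in fewer lines and also tolerates a null source-CIDR list, which the for-each would currently NPE on. In getActiveFirewallEgressRules, the condition `!rule.revoked() || rule.isAlreadyAdded()` is worth a comment: with the new FirewallRuleTO constructor, revoked and alreadyAdded come from mutually exclusive states, so as far as this diff shows the second operand never changes the result. Rewritten extractCidrs (LinkedHashSet is in java.util):
```java
private List<String> extractCidrs(List<FirewallRuleTO> rules) {
    // LinkedHashSet keeps first-seen order while dropping duplicates
    Set<String> allCidrs = new LinkedHashSet<String>();
    for (FirewallRuleTO rule : rules) {
        List<String> cidrs = rule.getSourceCidrList();
        if (cidrs != null) {
            allCidrs.addAll(cidrs);
        }
    }
    return new ArrayList<String>(allCidrs);
}
```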
@@ -787,24 +825,39 @@ public class JuniperSrxResource implements ServerResource { FirewallRuleTO[] rules = cmd.getRules(); try { openConfiguration(); + if (rules[0].getTrafficType() == FirewallRule.TrafficType.Egress) { + Map> activeRules = getActiveFirewallEgressRules(rules); + Set guestVlans = activeRules.keySet(); + List cidrs = new ArrayList(); - for (FirewallRuleTO rule : rules) { - int startPort = 0, endPort = 0; - if (rule.getSrcPortRange() != null) { - startPort = rule.getSrcPortRange()[0]; - endPort = rule.getSrcPortRange()[1]; + for (String guestVlan : guestVlans) { + List activeRulesForGuestNw = activeRules.get(guestVlan); + + removeEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS, guestVlan, extractCidrs(activeRulesForGuestNw)); + if (activeRulesForGuestNw.size() > 0) { + addEgressSecurityPolicyAndApplications(SecurityPolicyType.SECURITYPOLICY_EGRESS, guestVlan, extractApplications(activeRulesForGuestNw), extractCidrs(activeRulesForGuestNw)); + } } - FirewallFilterTerm term = new FirewallFilterTerm(genIpIdentifier(rule.getSrcIp()) + "-" + String.valueOf(rule.getId()), rule.getSourceCidrList(), - rule.getSrcIp(), rule.getProtocol(), startPort, endPort, - rule.getIcmpType(), rule.getIcmpCode(), genIpIdentifier(rule.getSrcIp()) + _usageFilterIPInput.getCounterIdentifier()); - if (!rule.revoked()) { - manageFirewallFilter(SrxCommand.ADD, term, _publicZoneInputFilterName); - } else { - manageFirewallFilter(SrxCommand.DELETE, term, _publicZoneInputFilterName); + commitConfiguration(); + } else { + for (FirewallRuleTO rule : rules) { + int startPort = 0, endPort = 0; + if (rule.getSrcPortRange() != null) { + startPort = rule.getSrcPortRange()[0]; + endPort = rule.getSrcPortRange()[1]; + FirewallFilterTerm term = new FirewallFilterTerm(genIpIdentifier(rule.getSrcIp()) + "-" + String.valueOf(rule.getId()), rule.getSourceCidrList(), + rule.getSrcIp(), rule.getProtocol(), startPort, endPort, + rule.getIcmpType(), rule.getIcmpCode(), 
genIpIdentifier(rule.getSrcIp()) + _usageFilterIPInput.getCounterIdentifier()); + if (!rule.revoked()) { + manageFirewallFilter(SrxCommand.ADD, term, _publicZoneInputFilterName); + } else { + manageFirewallFilter(SrxCommand.DELETE, term, _publicZoneInputFilterName); + } + } + commitConfiguration(); } } - commitConfiguration(); return new Answer(cmd); } catch (ExecutionException e) { s_logger.error(e); @@ -992,7 +1045,7 @@ public class JuniperSrxResource implements ServerResource { // Delete all security policies for (String securityPolicyName : getVpnObjectNames(SrxXml.SECURITY_POLICY_GETALL, accountId)) { - manageSecurityPolicy(SecurityPolicyType.VPN, SrxCommand.DELETE, accountId, null, null, null, securityPolicyName); + manageSecurityPolicy(SecurityPolicyType.VPN, SrxCommand.DELETE, accountId, null, null, null, null, securityPolicyName); } // Delete all address book entries @@ -1064,7 +1117,7 @@ public class JuniperSrxResource implements ServerResource { manageAddressBookEntry(srxCmd, _privateZone , guestNetworkCidr, ipsecVpnName); // Security policy - manageSecurityPolicy(SecurityPolicyType.VPN, srxCmd, null, null, guestNetworkCidr, null, ipsecVpnName); + manageSecurityPolicy(SecurityPolicyType.VPN, srxCmd, null, null, guestNetworkCidr, null, null, ipsecVpnName); } commitConfiguration(); 
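Review bot: The re-indented ingress branch of execute(SetFirewallRulesCommand) changes behaviour: counting the added `}` lines against the two context `}` that follow `commitConfiguration()`, the FirewallFilterTerm construction and the manageFirewallFilter calls now sit inside `if (rule.getSrcPortRange() != null)`, so a rule with no port range (which the old code handled by leaving both ports at 0) adds or deletes no filter term, and `commitConfiguration()` now runs once per rule inside the loop instead of once after it. The new `rules[0].getTrafficType()` dispatch also throws on an empty rule array and assumes every rule in the command has the same traffic type; a `rules.length == 0` guard and a comment stating that assumption would help. `List cidrs = new ArrayList();` in the egress branch is never read. Ingress branch with the braces restored to the original shape:
```java
} else {
    for (FirewallRuleTO rule : rules) {
        int startPort = 0, endPort = 0;
        if (rule.getSrcPortRange() != null) {
            startPort = rule.getSrcPortRange()[0];
            endPort = rule.getSrcPortRange()[1];
        }
        // … unchanged: FirewallFilterTerm construction and ADD/DELETE via manageFirewallFilter …
    }
    commitConfiguration();
}
```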
@@ -2455,38 +2508,44 @@ public class JuniperSrxResource implements ServerResource { * Applications */ - private String genApplicationName(Protocol protocol, int startPort, int endPort) { + private String genApplicationName(SecurityPolicyType type, Protocol protocol, int startPort, int endPort) { if (protocol.equals(Protocol.any)) { return Protocol.any.toString(); } else { - return genObjectName(protocol.toString(), String.valueOf(startPort), String.valueOf(endPort)); + if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) { + return genObjectName(type.getIdentifier(), protocol.toString(), String.valueOf(startPort), String.valueOf(endPort)); + } else { + return genObjectName(protocol.toString(), String.valueOf(startPort), String.valueOf(endPort)); + } } } - private Object[] parseApplicationName(String applicationName) throws ExecutionException { + private Object[] parseApplicationName(SecurityPolicyType type, String applicationName) throws ExecutionException { String errorMsg = "Invalid application: " + applicationName; String[] applicationComponents = applicationName.split("-"); Protocol protocol; Integer startPort; Integer endPort; + int offset = 0; try { - protocol = getProtocol(applicationComponents[0]); - startPort = Integer.parseInt(applicationComponents[1]); - endPort = Integer.parseInt(applicationComponents[2]); - } catch (Exception e) { + offset = type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS) ? 
1 : 0; + protocol = getProtocol(applicationComponents[offset + 0]); + startPort = Integer.parseInt(applicationComponents[offset + 1]); + endPort = Integer.parseInt(applicationComponents[offset + 2]); + } catch (Exception e) { throw new ExecutionException(errorMsg); } return new Object[]{protocol, startPort, endPort}; } - private boolean manageApplication(SrxCommand command, Protocol protocol, int startPort, int endPort) throws ExecutionException { + private boolean manageApplication(SecurityPolicyType type, SrxCommand command, Protocol protocol, int startPort, int endPort) throws ExecutionException { if (protocol.equals(Protocol.any)) { return true; } - String applicationName = genApplicationName(protocol, startPort, endPort); + String applicationName = genApplicationName(type, protocol, startPort, endPort); String xml; switch (command) { 
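Review bot: parseApplicationName and genApplicationName now encode a two-format naming scheme (with or without the type identifier prefix) but neither documents it, and `applicationComponents[offset + 0]` reads as a leftover. Suggest `applicationComponents[offset]` and a Javadoc on genApplicationName such as `/** Application name is "<protocol>-<start>-<end>", prefixed with "<type identifier>-" for egress policies; parseApplicationName must mirror this. */`. Since the catch in parseApplicationName is being re-emitted anyway, `throw new ExecutionException(errorMsg)` could carry the cause if the ExecutionException constructor in use accepts one; I cannot see that from the hunk.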
@@ -2498,23 +2557,28 @@ public class JuniperSrxResource implements ServerResource { return sendRequestAndCheckResponse(command, xml, "name", applicationName); case ADD: - if (manageApplication(SrxCommand.CHECK_IF_EXISTS, protocol, startPort, endPort)) { + if (manageApplication(type, SrxCommand.CHECK_IF_EXISTS, protocol, startPort, endPort)) { return true; } - + String icmpOrDestPort; xml = SrxXml.APPLICATION_ADD.getXml(); xml = replaceXmlValue(xml, "name", applicationName); xml = replaceXmlValue(xml, "protocol", protocol.toString()); - - String destPort; - if (startPort == endPort) { - destPort = String.valueOf(startPort); + if (protocol.toString() == Protocol.icmp.toString()) { + icmpOrDestPort = "" + startPort + ""; + icmpOrDestPort += "" + endPort + ""; } else { - destPort = startPort + "-" + endPort; - } + String destPort; - xml = replaceXmlValue(xml, "dest-port", destPort); + if (startPort == endPort) { + destPort = String.valueOf(startPort); + } else { + destPort = startPort + "-" + endPort; + } + icmpOrDestPort = "" + destPort + ""; + } + xml = replaceXmlValue(xml, "dest-port-icmp", icmpOrDestPort); if (!sendRequestAndCheckResponse(command, xml)) { throw new ExecutionException("Failed to add application " + applicationName); } else { @@ -2522,7 +2586,7 @@ public class JuniperSrxResource implements ServerResource { } case DELETE: - if (!manageApplication(SrxCommand.CHECK_IF_EXISTS, protocol, startPort, endPort)) { + if (!manageApplication(type, SrxCommand.CHECK_IF_EXISTS, protocol, startPort, endPort)) { return true; } 
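Review bot: The ICMP branch in manageApplication compares strings with `==`: `if (protocol.toString() == Protocol.icmp.toString())` only works because both sides return the same interned enum name, and any future toString override would silently break it. Since `protocol` is already a Protocol, the check should be `if (protocol == Protocol.icmp) {`. The element wrappers around startPort/endPort were lost in this rendering, so I cannot check that the "dest-port-icmp" placeholder in application-add.xml receives well-formed markup for both branches; worth a glance at the template.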
@@ -2543,13 +2607,13 @@ public class JuniperSrxResource implements ServerResource { } - private List getUnusedApplications(List applications) throws ExecutionException { + private List getUnusedApplications(List applications, String fromZone, String toZone) throws ExecutionException { List unusedApplications = new ArrayList(); // Check if any of the applications are unused by existing security policies String xml = SrxXml.SECURITY_POLICY_GETALL.getXml(); - xml = replaceXmlValue(xml, "from-zone", _publicZone); - xml = replaceXmlValue(xml, "to-zone", _privateZone); + xml = replaceXmlValue(xml, "from-zone", fromZone); + xml = replaceXmlValue(xml, "to-zone", toZone); String allPolicies = sendRequest(xml); for (String application : applications) { @@ -2560,10 +2624,7 @@ public class JuniperSrxResource implements ServerResource { return unusedApplications; } - - private List getApplicationsForSecurityPolicy(SecurityPolicyType type, String privateIp) throws ExecutionException { - String fromZone = _publicZone; - String toZone = _privateZone; + private List getApplicationsForSecurityPolicy(SecurityPolicyType type, String privateIp, String fromZone, String toZone) throws ExecutionException { String policyName = genSecurityPolicyName(type, null, null, fromZone, toZone, privateIp); String xml = SrxXml.SECURITY_POLICY_GETONE.getXml(); xml = setDelete(xml, false); 
@@ -2591,8 +2652,31 @@ public class JuniperSrxResource implements ServerResource { for (FirewallRuleTO rule : rules) { Object[] application = new Object[3]; application[0] = getProtocol(rule.getProtocol()); - application[1] = rule.getSrcPortRange()[0]; - application[2] = rule.getSrcPortRange()[1]; + if (application[0] == Protocol.icmp) { + if (rule.getIcmpType() == -1) { + application[1] = 255; + } else { + application[1] = rule.getIcmpType(); + } + + if (rule.getIcmpCode() == -1) { + application[2] = 255; + } else { + application[2] = rule.getIcmpCode(); + } + } else if (application[0] == Protocol.tcp || application[0] == Protocol.udp) { + if (rule.getSrcPortRange() != null) { + application[1] = rule.getSrcPortRange()[0]; + application[2] = rule.getSrcPortRange()[1]; + } else { + application[1] = 0; + application[2] = 65535; + } + } else if (application[0] == Protocol.all) { + application[1] = 0; + application[2] = 65535; + } + applications.add(application); } 
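Review bot: The ICMP mapping replaces -1 with the bare literal 255 four times with no explanation of what 255 means on the SRX side, and the resulting application is named "…-icmp-255-255", so the value also leaks into object names. A named constant with a comment, e.g. `private static final int ICMP_ANY = 255; // wildcard type/code sent to the SRX when the rule specifies -1`, would make the intent checkable. Protocols other than icmp/tcp/udp/all leave application[1] and application[2] null, which the egress caller later defaults to 0 and 65535; a one-line comment here saying that is deliberate would avoid a reader treating it as a missed branch. The enclosing method starts and ends outside this hunk.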
@@ -2611,16 +2695,20 @@ public class JuniperSrxResource implements ServerResource { } } - private boolean manageSecurityPolicy(SecurityPolicyType type, SrxCommand command, Long accountId, String username, String privateIp, List applicationNames, String ipsecVpnName) throws ExecutionException { + private boolean manageSecurityPolicy(SecurityPolicyType type, SrxCommand command, Long accountId, String username, String privateIp, List applicationNames, List cidrs, String ipsecVpnName) throws ExecutionException { String fromZone = _publicZone; String toZone = _privateZone; String securityPolicyName; - String addressBookEntryName; - + String addressBookEntryName = null; + if (type.equals(SecurityPolicyType.VPN) && ipsecVpnName != null) { - securityPolicyName = ipsecVpnName; - addressBookEntryName = ipsecVpnName; + securityPolicyName = ipsecVpnName; + addressBookEntryName = ipsecVpnName; + } else if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) { + fromZone = _privateZone; + toZone = _publicZone; + securityPolicyName = genSecurityPolicyName(type, accountId, username, fromZone, toZone, privateIp); } else { securityPolicyName = genSecurityPolicyName(type, accountId, username, fromZone, toZone, privateIp); addressBookEntryName = genAddressBookEntryName(privateIp); 
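Review bot: manageSecurityPolicy now receives the guest VLAN tag through its `privateIp` parameter for egress policies and a CIDR list that only the egress branch reads, but the signature and its (absent) Javadoc still describe an ingress private-IP policy. Suggest a doc comment above the method along the lines of `/** For SECURITYPOLICY_EGRESS, privateIp holds the guest VLAN tag, cidrs the source CIDRs (null means "any"), and no address-book entry is checked; for other types cidrs is ignored. */`. Setting `addressBookEntryName = null` for the egress type is fine, but a reader has to reach the ADD case to see why it is never dereferenced.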
@@ -2661,17 +2749,38 @@ public class JuniperSrxResource implements ServerResource { return false; case ADD: - if (!manageAddressBookEntry(SrxCommand.CHECK_IF_EXISTS, toZone, privateIp, ipsecVpnName)) { - throw new ExecutionException("No address book entry for policy: " + securityPolicyName); + if (!type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) { + if (!manageAddressBookEntry(SrxCommand.CHECK_IF_EXISTS, toZone, privateIp, addressBookEntryName)) { + throw new ExecutionException("No address book entry for policy: " + securityPolicyName); + } + } + + String srcAddrs = ""; + String dstAddrs = ""; + xml = SrxXml.SECURITY_POLICY_ADD.getXml(); + xml = replaceXmlValue(xml, "policy-name", securityPolicyName); + if (type.equals(SecurityPolicyType.SECURITYPOLICY_EGRESS)) { + xml = replaceXmlValue(xml, "from-zone", _privateZone); + xml = replaceXmlValue(xml, "to-zone", _publicZone); + if (cidrs == null) { + srcAddrs = "any"; + } else { + for (String cidr : cidrs) { + srcAddrs += "" + genAddressBookEntryName(cidr) + ""; + } + } + xml = replaceXmlValue(xml, "src-address", srcAddrs); + dstAddrs = "any"; + xml = replaceXmlValue(xml, "dst-address", dstAddrs); + } else { + xml = replaceXmlValue(xml, "from-zone", fromZone); + xml = replaceXmlValue(xml, "to-zone", toZone); + srcAddrs = "any"; + xml = replaceXmlValue(xml, "src-address", srcAddrs); + dstAddrs = "" + addressBookEntryName + ""; + xml = replaceXmlValue(xml, "dst-address", dstAddrs); } - xml = SrxXml.SECURITY_POLICY_ADD.getXml(); - xml = replaceXmlValue(xml, "from-zone", fromZone); - xml = replaceXmlValue(xml, "to-zone", toZone); - xml = replaceXmlValue(xml, "policy-name", securityPolicyName); - xml = replaceXmlValue(xml, "src-address", "any"); - xml = replaceXmlValue(xml, "dest-address", addressBookEntryName); - if (type.equals(SecurityPolicyType.VPN) && ipsecVpnName != null) { xml = replaceXmlValue(xml, "tunnel", "" + ipsecVpnName + ""); } else { 
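Review bot: The ADD case re-derives the zones that the top of manageSecurityPolicy already swapped for the egress type, so `replaceXmlValue(xml, "from-zone", ...)` and `"to-zone"` are written twice with different operands; hoisting `xml = replaceXmlValue(xml, "from-zone", fromZone);` and `xml = replaceXmlValue(xml, "to-zone", toZone);` above the `if` leaves only the src/dst address lines to differ between branches. `srcAddrs += ...` inside the CIDR loop should be a StringBuilder. The source addresses are built from rule CIDRs that arrive through the API; genAddressBookEntryName is not in this diff, so I cannot confirm it produces a name that is safe to embed in the request body — worth checking given the entries are concatenated straight into the XML.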
@@ -2679,7 +2788,7 @@ public class JuniperSrxResource implements ServerResource { } String applications; - if (applicationNames == null) { + if (applicationNames == null || applicationNames.size() == 0) { applications = "any"; } else { applications = ""; @@ -2697,11 +2806,11 @@ public class JuniperSrxResource implements ServerResource { } case DELETE: - if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp, applicationNames, ipsecVpnName)) { + if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp, applicationNames, cidrs, ipsecVpnName)) { return true; } - if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp, applicationNames, ipsecVpnName)) { + if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp, applicationNames, cidrs, ipsecVpnName)) { return true; } 
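Review bot: Treating an empty applicationNames list as "any" widens the policy to every application, and the only reason an empty list arrives is that addEgressSecurityPolicyAndApplications skips Protocol.all; without a comment this reads like an accidental allow-all. Suggest `// empty list == a protocol "all" egress rule: match every application` above the check, and `applicationNames.isEmpty()` instead of `size() == 0`.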
@@ -2757,42 +2866,77 @@ public class JuniperSrxResource implements ServerResource { int startPort = application[1] != null ? ((Integer) application[1]) : -1; int endPort = application[2] != null ? ((Integer) application[2]) : -1; - String applicationName = genApplicationName(protocol, startPort, endPort); + String applicationName = genApplicationName(type, protocol, startPort, endPort); if (!applicationNames.contains(applicationName)) { applicationNames.add(applicationName); } - manageApplication(SrxCommand.ADD, protocol, startPort, endPort); + manageApplication(type, SrxCommand.ADD, protocol, startPort, endPort); } // Add a new security policy - manageSecurityPolicy(type, SrxCommand.ADD, null, null, privateIp, applicationNames, null); + manageSecurityPolicy(type, SrxCommand.ADD, null, null, privateIp, applicationNames, null, null); return true; } private boolean removeSecurityPolicyAndApplications(SecurityPolicyType type, String privateIp) throws ExecutionException { - if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp, null, null)) { + if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, privateIp, null,null, null)) { return true; } - if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp, null, null)) { + if (manageSecurityPolicy(type, SrxCommand.CHECK_IF_IN_USE, null, null, privateIp, null, null, null)) { return true; } // Get a list of applications for this security policy - List applications = getApplicationsForSecurityPolicy(type, privateIp); + List applications = getApplicationsForSecurityPolicy(type, privateIp, _publicZone, _privateZone); + + // Remove the security policy + manageSecurityPolicy(type, SrxCommand.DELETE, null, null, privateIp, null, null, null); + + // Remove any applications for the removed security policy that are no longer in use + List unusedApplications = getUnusedApplications(applications, _publicZone, _privateZone); + for (String application : 
unusedApplications) { + Object[] applicationComponents; + + try { + applicationComponents = parseApplicationName(type, application); + } catch (ExecutionException e) { + s_logger.error("Found an invalid application: " + application + ". Not attempting to clean up."); + continue; + } + + Protocol protocol = (Protocol) applicationComponents[0]; + Integer startPort = (Integer) applicationComponents[1]; + Integer endPort = (Integer) applicationComponents[2]; + manageApplication(type, SrxCommand.DELETE, protocol, startPort, endPort); + } + + return true; + } + + + private boolean removeEgressSecurityPolicyAndApplications(SecurityPolicyType type, String guestVlan, List cidrs) throws ExecutionException { + if (!manageSecurityPolicy(type, SrxCommand.CHECK_IF_EXISTS, null, null, guestVlan, null, cidrs, null)) { + return true; + } + // Get a list of applications for this security policy + List applications; + applications = getApplicationsForSecurityPolicy(type, guestVlan, _privateZone, _publicZone); - // Remove the security policy - manageSecurityPolicy(type, SrxCommand.DELETE, null, null, privateIp, null, null); + // Remove the security policy even if it is in use + manageSecurityPolicy(type, SrxCommand.DELETE, null, null, guestVlan, null, cidrs, null); // Remove any applications for the removed security policy that are no longer in use - List unusedApplications = getUnusedApplications(applications); + List unusedApplications; + unusedApplications = getUnusedApplications(applications, _privateZone, _publicZone); + for (String application : unusedApplications) { Object[] applicationComponents; try { - applicationComponents = parseApplicationName(application); + applicationComponents = parseApplicationName(type, application); } catch (ExecutionException e) { s_logger.error("Found an invalid application: " + application + ". Not attempting to clean up."); continue; 
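Review bot: removeSecurityPolicyAndApplications and removeEgressSecurityPolicyAndApplications now carry the same parse-then-delete loop over unused applications, including the identical error log; a private helper taking the SecurityPolicyType and the unused-application list, called from both, would remove the duplication and keep the two cleanup paths from drifting. The comment "Remove the security policy even if it is in use" states what is skipped but not why the egress path drops the CHECK_IF_IN_USE guard that the ingress path keeps; one sentence on that reasoning would help. The `null,null` argument formatting in the ingress CHECK_IF_EXISTS call is inconsistent with the neighbouring calls.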
@@ -2800,13 +2944,43 @@ public class JuniperSrxResource implements ServerResource { Protocol protocol = (Protocol) applicationComponents[0]; Integer startPort = (Integer) applicationComponents[1]; - Integer endPort = (Integer) applicationComponents[2]; - manageApplication(SrxCommand.DELETE, protocol, startPort, endPort); + Integer endPort = (Integer) applicationComponents[2]; + manageApplication(type, SrxCommand.DELETE, protocol, startPort, endPort); } + for (String cidr: cidrs) { + manageAddressBookEntry(SrxCommand.DELETE, _publicZone, cidr, null); + } return true; } + private boolean addEgressSecurityPolicyAndApplications(SecurityPolicyType type, String guestVlan, List applications, List cidrs) throws ExecutionException { + // Add all necessary applications + List applicationNames = new ArrayList(); + for (Object[] application : applications) { + Protocol protocol = (Protocol) application[0]; + if (!protocol.equals(Protocol.all)) { + int startPort = application[1] != null ? ((Integer) application[1]) : 0; + int endPort = application[2] != null ? ((Integer) application[2]) : 65535; + + String applicationName = genApplicationName(type, protocol, startPort, endPort); + if (!applicationNames.contains(applicationName)) { + applicationNames.add(applicationName); + } + manageApplication(type, SrxCommand.ADD, protocol, startPort, endPort); + } + } + + for (String cidr: cidrs) { + manageAddressBookEntry(SrxCommand.ADD, _privateZone, cidr, null); + } + + // Add a new security policy + manageSecurityPolicy(type, SrxCommand.ADD, null, null, guestVlan, applicationNames, cidrs, null); + s_logger.debug("Added Egress firewall rule for guest network " + guestVlan); + return true; + } + /* * Filter terms */ http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/scripts/network/juniper/application-add.xml ---------------------------------------------------------------------- 
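Review bot: The address-book zones disagree between add and remove: addEgressSecurityPolicyAndApplications creates each CIDR entry with `manageAddressBookEntry(SrxCommand.ADD, _privateZone, cidr, null)`, while removeEgressSecurityPolicyAndApplications deletes with `manageAddressBookEntry(SrxCommand.DELETE, _publicZone, cidr, null)`, so unless the SRX mirrors entries across zones the delete never finds what the add created and entries accumulate on every rule update. Since the egress policy's from-zone is the private zone, the delete most likely should read `manageAddressBookEntry(SrxCommand.DELETE, _privateZone, cidr, null);`. The `for (String cidr: cidrs)` loop in the remove path also needs a null guard, because manageSecurityPolicy explicitly accepts `cidrs == null`.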
diff --git a/scripts/network/juniper/application-add.xml b/scripts/network/juniper/application-add.xml index 6603850..177329a 100644 --- a/scripts/network/juniper/application-add.xml +++ b/scripts/network/juniper/application-add.xml @@ -23,7 +23,7 @@ under the License. %name% %protocol% -%dest-port% +%dest-port-icmp% http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/scripts/network/juniper/security-policy-add.xml ---------------------------------------------------------------------- diff --git a/scripts/network/juniper/security-policy-add.xml b/scripts/network/juniper/security-policy-add.xml index 632a17d..595e026 100644 --- a/scripts/network/juniper/security-policy-add.xml +++ b/scripts/network/juniper/security-policy-add.xml @@ -27,8 +27,8 @@ under the License. %policy-name% -%src-address% -%dest-address% +%src-address% +%dst-address% %applications% http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java b/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java index 1fc32d0..c2038e5 100644 --- a/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java +++ b/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java @@ -1,3 +1,4 @@ + // Licensed to the Apache Software Foundation (ASF) under one // or more contributor license agreements. See the NOTICE file // distributed with this work for additional information 
@@ -541,8 +542,15 @@ public abstract class ExternalFirewallDeviceManagerImpl extends AdapterBase impl if (rule.getSourceCidrList() == null && (rule.getPurpose() == Purpose.Firewall || rule.getPurpose() == Purpose.NetworkACL)) { _fwRulesDao.loadSourceCidrs((FirewallRuleVO)rule); } - IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId()); - FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr()); + FirewallRuleTO ruleTO; + if (rule.getPurpose() == Purpose.Firewall && rule.getTrafficType() == FirewallRule.TrafficType.Egress) { + String guestVlanTag = network.getBroadcastUri().getHost(); + String guestCidr = network.getCidr(); + ruleTO = new FirewallRuleTO(rule, guestVlanTag, rule.getTrafficType()); + } else { + IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId()); + ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr()); + } rulesTO.add(ruleTO); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a4a059c0/server/src/com/cloud/upgrade/dao/Upgrade410to420.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/upgrade/dao/Upgrade410to420.java b/server/src/com/cloud/upgrade/dao/Upgrade410to420.java index f39038f..b43e494 100644 --- a/server/src/com/cloud/upgrade/dao/Upgrade410to420.java +++ b/server/src/com/cloud/upgrade/dao/Upgrade410to420.java @@ -65,6 +65,7 @@ public class Upgrade410to420 implements DbUpgrade { updateSystemVmTemplates(conn); updateCluster_details(conn); updatePrimaryStore(conn); + addEgressFwRulesForSRXGuestNw(conn); } private void updateSystemVmTemplates(Connection conn) { 
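Review bot: `String guestCidr = network.getCidr();` in the new egress branch is assigned and never used; drop it or pass it on. `network.getBroadcastUri().getHost()` is dereferenced without a check — whether the broadcast URI can be null for a network in this code path is not visible from the hunk, so either guard it or add a comment stating why it is always set here. The enclosing method begins and ends outside this hunk.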
@@ -305,4 +306,63 @@ public class Upgrade410to420 implements DbUpgrade { } } } + private void addEgressFwRulesForSRXGuestNw(Connection conn) { + PreparedStatement pstmt = null; + ResultSet rs = null; + ResultSet rsId = null; + ResultSet rsNw = null; + try { + pstmt = conn.prepareStatement("select network_id FROM `cloud`.`ntwk_service_map` where service='Firewall' and provider='JuniperSRX' "); + rs = pstmt.executeQuery(); + while (rs.next()) { + long netId = rs.getLong(1); + //checking for Isolated OR Virtual + pstmt = conn.prepareStatement("select account_id, domain_id FROM `cloud`.`networks` where (guest_type='Isolated' OR guest_type='Virtual') and traffic_type='Guest' and vpc_id is NULL and (state='implemented' OR state='Shutdown') and id=? "); + pstmt.setLong(1, netId); + s_logger.debug("Getting account_id, domain_id from networks table: " + pstmt); + rsNw = pstmt.executeQuery(); + + if(rsNw.next()) { + long accountId = rsNw.getLong(1); + long domainId = rsNw.getLong(2); + + //Add new rule for the existing networks + s_logger.debug("Adding default egress firewall rule for network " + netId); + pstmt = conn.prepareStatement("INSERT INTO firewall_rules (uuid, state, protocol, purpose, account_id, domain_id, network_id, xid, created, traffic_type) VALUES (?, 'Active', 'all', 'Firewall', ?, ?, ?, ?, now(), 'Egress')"); + pstmt.setString(1, UUID.randomUUID().toString()); + pstmt.setLong(2, accountId); + pstmt.setLong(3, domainId); + pstmt.setLong(4, netId); + pstmt.setString(5, UUID.randomUUID().toString()); + s_logger.debug("Inserting default egress firewall rule " + pstmt); + pstmt.executeUpdate(); + + pstmt = conn.prepareStatement("select id from firewall_rules where protocol='all' and network_id=?"); + pstmt.setLong(1, netId); + rsId = pstmt.executeQuery(); + + long firewallRuleId; + if(rsId.next()) { + firewallRuleId = rsId.getLong(1); + pstmt = conn.prepareStatement("insert into firewall_rules_cidrs (firewall_rule_id,source_cidr) values (?, '0.0.0.0/0')"); + 
pstmt.setLong(1, firewallRuleId); + s_logger.debug("Inserting rule for cidr 0.0.0.0/0 for the new Firewall rule id=" + firewallRuleId + " with statement " + pstmt); + pstmt.executeUpdate(); + } + } + } + } catch (SQLException e) { + throw new CloudRuntimeException("Unable to set egress firewall rules ", e); + } finally { + try { + if (rs != null) { + rs.close(); + } + if (pstmt != null) { + pstmt.close(); + } + } catch (SQLException e) { + } + } + } }
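Review bot: addEgressFwRulesForSRXGuestNw reassigns `pstmt` four times per network without closing the previous statement, never closes `rsNw` or `rsId`, and its finally block swallows the close failure with an empty catch; only the last statement is ever closed. The follow-up `select id from firewall_rules where protocol='all' and network_id=?` also returns whichever 'all' rule comes first, which need not be the row just inserted if one already existed; `Statement.RETURN_GENERATED_KEYS` plus `getGeneratedKeys()` pins the new id. Because this migration silently grants every existing SRX-backed isolated network an Active allow-all egress rule for 0.0.0.0/0, a comment stating that this preserves the pre-upgrade behaviour (no egress filtering on the SRX) would help the next reader judge it. Inner part of the loop rewritten to close its resources and use the generated key (java.sql.Statement):
```java
// … unchanged: outer select over ntwk_service_map and the networks lookup …
PreparedStatement insertStmt = conn.prepareStatement(
        "INSERT INTO firewall_rules (uuid, state, protocol, purpose, account_id, domain_id, network_id, xid, created, traffic_type) VALUES (?, 'Active', 'all', 'Firewall', ?, ?, ?, ?, now(), 'Egress')",
        Statement.RETURN_GENERATED_KEYS);
// … unchanged: parameter binding and debug log …
insertStmt.executeUpdate();
ResultSet keys = insertStmt.getGeneratedKeys();
try {
    if (keys.next()) {
        long firewallRuleId = keys.getLong(1);
        // … unchanged: insert into firewall_rules_cidrs for 0.0.0.0/0, then close that statement …
    }
} finally {
    keys.close();
    insertStmt.close();
}
```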