cloudstack-commits mailing list archives

From kis...@apache.org
Subject [45/50] [abbrv] git commit: updated refs/heads/network_acl to 1609d01
Date Fri, 03 May 2013 13:15:27 GMT
CLOUDSTACK-763: Added replaceNetworkACLList API. Added support for ACL action allow/deny and also number


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/604754d1
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/604754d1
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/604754d1

Branch: refs/heads/network_acl
Commit: 604754d1db5ac73590e650676c09d544ca861b84
Parents: 0d5e950
Author: Kishan Kavala <kishan@cloud.com>
Authored: Tue Apr 23 10:54:44 2013 +0530
Committer: Kishan Kavala <kishan@cloud.com>
Committed: Fri May 3 18:34:18 2013 +0530

----------------------------------------------------------------------
 .../agent/api/routing/SetNetworkACLCommand.java    |   19 +-
 api/src/com/cloud/agent/api/to/NetworkACLTO.java   |   35 +-
 api/src/com/cloud/event/EventTypes.java            |    3 +
 api/src/com/cloud/network/Network.java             |    1 +
 api/src/com/cloud/network/NetworkProfile.java      |    7 +
 .../network/element/NetworkACLServiceProvider.java |    3 +-
 .../cloud/network/firewall/NetworkACLService.java  |   15 +-
 api/src/com/cloud/network/vpc/NetworkACL.java      |    3 +-
 api/src/com/cloud/network/vpc/NetworkACLItem.java  |   87 +++
 .../org/apache/cloudstack/api/ApiConstants.java    |    1 +
 .../apache/cloudstack/api/ResponseGenerator.java   |   14 +-
 .../command/user/network/CreateNetworkACLCmd.java  |  107 ++---
 .../user/network/CreateNetworkACLListCmd.java      |    6 +-
 .../command/user/network/DeleteNetworkACLCmd.java  |    7 +-
 .../user/network/DeleteNetworkACLListCmd.java      |    4 +-
 .../user/network/ListNetworkACLListsCmd.java       |   12 +-
 .../command/user/network/ListNetworkACLsCmd.java   |   15 +-
 .../user/network/ReplaceNetworkACLListCmd.java     |  107 ++++
 .../api/response/NetworkACLItemResponse.java       |  106 ++++
 .../api/response/NetworkACLListResponse.java       |   57 --
 .../api/response/NetworkACLResponse.java           |   78 +--
 client/tomcatconf/applicationContext.xml.in        |    1 +
 client/tomcatconf/commands.properties.in           |    1 +
 server/src/com/cloud/api/ApiDBUtils.java           |   28 +-
 server/src/com/cloud/api/ApiResponseHelper.java    |   25 +-
 .../src/com/cloud/network/NetworkManagerImpl.java  |    4 +-
 server/src/com/cloud/network/dao/NetworkDao.java   |    2 +
 .../src/com/cloud/network/dao/NetworkDaoImpl.java  |    9 +
 server/src/com/cloud/network/dao/NetworkVO.java    |   12 +
 .../network/element/VpcVirtualRouterElement.java   |    8 +-
 .../network/firewall/FirewallManagerImpl.java      |    4 +-
 .../router/VpcVirtualNetworkApplianceManager.java  |    7 +-
 .../VpcVirtualNetworkApplianceManagerImpl.java     |   29 +-
 .../com/cloud/network/vpc/NetworkACLItemDao.java   |   44 ++
 .../com/cloud/network/vpc/NetworkACLItemVO.java    |  198 +++++++
 .../com/cloud/network/vpc/NetworkACLManager.java   |    9 +-
 .../cloud/network/vpc/NetworkACLManagerImpl.java   |  424 +++++++--------
 server/src/com/cloud/network/vpc/NetworkACLVO.java |   10 +
 .../network/vpc/dao/NetworkACLItemDaoImpl.java     |  147 +++++
 .../src/com/cloud/server/ManagementServerImpl.java |    1 +
 setup/db/db/schema-410to420.sql                    |    9 +-
 41 files changed, 1138 insertions(+), 521 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/com/cloud/agent/api/routing/SetNetworkACLCommand.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/agent/api/routing/SetNetworkACLCommand.java b/api/src/com/cloud/agent/api/routing/SetNetworkACLCommand.java
index dba7354..d876c61 100644
--- a/api/src/com/cloud/agent/api/routing/SetNetworkACLCommand.java
+++ b/api/src/com/cloud/agent/api/routing/SetNetworkACLCommand.java
@@ -17,6 +17,9 @@
 
 package com.cloud.agent.api.routing;
 
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Comparator;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -42,11 +45,17 @@ public class SetNetworkACLCommand extends NetworkElementCommand{
     public String[][] generateFwRules() {
         String [][] result = new String [2][];
         Set<String> toAdd = new HashSet<String>();
+        List<NetworkACLTO> aclList = Arrays.asList(rules);
+        Collections.sort(aclList, new Comparator<NetworkACLTO>() {
+            @Override
+            public int compare(NetworkACLTO acl1, NetworkACLTO acl2) {
+                return acl1.getNumber() > acl2.getNumber() ? 1 : -1;
+            }
+        });
 
-
-        for (NetworkACLTO aclTO: rules) {
-        /*  example  :  Ingress:tcp:80:80:0.0.0.0/0:,Egress:tcp:220:220:0.0.0.0/0:,
-         *  each entry format      Ingress/Egress:protocol:start port: end port:scidrs:
+        for (NetworkACLTO aclTO: aclList) {
+        /*  example  :  Ingress:tcp:80:80:0.0.0.0/0:ACCEPT:,Egress:tcp:220:220:0.0.0.0/0:DROP:,
+         *  each entry format      Ingress/Egress:protocol:start port: end port:scidrs:action:
          *  reverted entry format  Ingress/Egress:reverted:0:0:0:
          */
             if (aclTO.revoked() == true)
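Review bot: The comparator passed to `Collections.sort` never returns 0, so two rules with the same number violate the Comparator contract and the sort can throw `IllegalArgumentException` on Java 7 and later; `return Integer.valueOf(acl1.getNumber()).compareTo(acl2.getNumber());` handles ties. The sorted entries are still collected into `toAdd`, a `HashSet<String>`, whose iteration order is unspecified. If the result array is built from that set (that code is outside the hunk), the numbering is lost before the rules are emitted, and a deny may no longer precede the allow it was meant to override; `new LinkedHashSet<String>()` would keep insertion order. `Arrays.asList(rules)` is a view over the array, so the sort also reorders the command's own `rules` field in place.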
@@ -80,7 +89,7 @@ public class SetNetworkACLCommand extends NetworkElementCommand{
                    firstEntry = false;
                 }
             }
-            sb.append(":");
+            sb.append(":").append(aclTO.getAction()).append(":");
             String aclRuleEntry = sb.toString();
 
             toAdd.add(aclRuleEntry);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/com/cloud/agent/api/to/NetworkACLTO.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/agent/api/to/NetworkACLTO.java b/api/src/com/cloud/agent/api/to/NetworkACLTO.java
index 8818e13..48de40c 100644
--- a/api/src/com/cloud/agent/api/to/NetworkACLTO.java
+++ b/api/src/com/cloud/agent/api/to/NetworkACLTO.java
@@ -20,10 +20,10 @@ package com.cloud.agent.api.to;
 import java.util.ArrayList;
 import java.util.List;
 
+import com.cloud.network.vpc.NetworkACLItem;
+import com.cloud.network.vpc.NetworkACLItem.TrafficType;
 import org.apache.cloudstack.api.InternalIdentity;
 
-import com.cloud.network.rules.FirewallRule;
-import com.cloud.network.rules.FirewallRule.TrafficType;
 import com.cloud.utils.net.NetUtils;
 
 
@@ -37,15 +37,16 @@ public class NetworkACLTO implements InternalIdentity {
     private List<String> cidrList;
     private Integer icmpType;
     private Integer icmpCode;
-    private FirewallRule.TrafficType trafficType;
-
+    private TrafficType trafficType;
+    String action;
+    int number;
 
     protected NetworkACLTO() {
     }
 
 
     public NetworkACLTO(long id,String vlanTag, String protocol, Integer portStart, Integer portEnd, boolean revoked,
-            boolean alreadyAdded, List<String> cidrList, Integer icmpType,Integer icmpCode,TrafficType trafficType) {
+            boolean alreadyAdded, List<String> cidrList, Integer icmpType,Integer icmpCode,TrafficType trafficType, boolean allow, int number) {
         this.vlanTag = vlanTag;
         this.protocol = protocol;
 
@@ -70,12 +71,20 @@ public class NetworkACLTO implements InternalIdentity {
         this.icmpType = icmpType;
         this.icmpCode = icmpCode;
         this.trafficType = trafficType;
+
+        if(allow){
+            this.action = "ACCEPT";
+        } else {
+            this.action = "DROP";
+        }
+
+        this.number = number;
     }
 
-    public NetworkACLTO(FirewallRule rule, String vlanTag, FirewallRule.TrafficType  trafficType ) {
+    public NetworkACLTO(NetworkACLItem rule, String vlanTag, NetworkACLItem.TrafficType trafficType ) {
         this(rule.getId(), vlanTag, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(),
-                rule.getState() == FirewallRule.State.Revoke, rule.getState() == FirewallRule.State.Active,
-                rule.getSourceCidrList() ,rule.getIcmpType(), rule.getIcmpCode(),trafficType);
+                rule.getState() == NetworkACLItem.State.Revoke, rule.getState() == NetworkACLItem.State.Active,
+                rule.getSourceCidrList() ,rule.getIcmpType(), rule.getIcmpCode(),trafficType, rule.getAction() == NetworkACLItem.Action.Allow, rule.getNumber());
     }
 
     public long getId() {
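Review bot: The constructor turns the `allow` flag into the bare literals `"ACCEPT"` and `"DROP"`, which `SetNetworkACLCommand` then appends to the rule entry; two named constants would keep the producer and whatever parses that entry from drifting apart. In the delegating constructor, `rule.getAction() == NetworkACLItem.Action.Allow` maps a null or any future non-Allow action to DROP. That fail-closed default looks intentional and deserves a one-line comment such as `// anything other than Allow is sent as DROP`. The `action` and `number` fields declared in the previous hunk are package-private, unlike their `private` neighbours; `private String action;` and `private int number;` would match.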
@@ -121,7 +130,15 @@ public class NetworkACLTO implements InternalIdentity {
         return alreadyAdded;
     }
 
-    public FirewallRule.TrafficType getTrafficType() {
+    public TrafficType getTrafficType() {
         return trafficType;
     }
+
+    public String getAction() {
+        return action;
+    }
+
+    public int getNumber(){
+        return number;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/com/cloud/event/EventTypes.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/event/EventTypes.java b/api/src/com/cloud/event/EventTypes.java
index 06f652f..81dea38 100755
--- a/api/src/com/cloud/event/EventTypes.java
+++ b/api/src/com/cloud/event/EventTypes.java
@@ -338,6 +338,9 @@ public class EventTypes {
     public static final String EVENT_NETWORK_ACL_CREATE = "NETWORK.ACL.CREATE";
     public static final String EVENT_NETWORK_ACL_UPDATE = "NETWORK.ACL.UPDATE";
     public static final String EVENT_NETWORK_ACL_DELETE = "NETWORK.ACL.DELETE";
+    public static final String EVENT_NETWORK_ACL_REPLACE = "NETWORK.ACL.REPLACE";
+    public static final String EVENT_NETWORK_ACL_ITEM_CREATE = "NETWORK.ACL.ITEM.CREATE";
+    public static final String EVENT_NETWORK_ACL_ITEM_DELETE = "NETWORK.ACL.ITEM.DELETE";
 
     // VPC offerings
     public static final String EVENT_VPC_OFFERING_CREATE = "VPC.OFFERING.CREATE";

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/com/cloud/network/Network.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/Network.java b/api/src/com/cloud/network/Network.java
index 4472dba..0b20122 100644
--- a/api/src/com/cloud/network/Network.java
+++ b/api/src/com/cloud/network/Network.java
@@ -324,4 +324,5 @@ public interface Network extends ControlledEntity, StateObject<Network.State>, I
      */
     Long getVpcId();
 
+    Long getNetworkACLId();
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/com/cloud/network/NetworkProfile.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/NetworkProfile.java b/api/src/com/cloud/network/NetworkProfile.java
index 2f56645..568edf7 100644
--- a/api/src/com/cloud/network/NetworkProfile.java
+++ b/api/src/com/cloud/network/NetworkProfile.java
@@ -52,6 +52,7 @@ public class NetworkProfile implements Network {
     private boolean restartRequired;
     private boolean specifyIpRanges;
     private Long vpcId;
+    private Long networkAclId;
 
     public NetworkProfile(Network network) {
         this.id = network.getId();
@@ -81,6 +82,7 @@ public class NetworkProfile implements Network {
         this.restartRequired = network.isRestartRequired();
         this.specifyIpRanges = network.getSpecifyIpRanges();
         this.vpcId = network.getVpcId();
+        this.networkAclId = network.getNetworkACLId();
     }
 
     public String getDns1() {
@@ -237,6 +239,11 @@ public class NetworkProfile implements Network {
     }
 
     @Override
+    public Long getNetworkACLId() {
+        return networkAclId;
+    }
+
+    @Override
     public void setTrafficType(TrafficType type) {
         this.trafficType = type;
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/com/cloud/network/element/NetworkACLServiceProvider.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/element/NetworkACLServiceProvider.java b/api/src/com/cloud/network/element/NetworkACLServiceProvider.java
index 4073b07..dac0a25 100644
--- a/api/src/com/cloud/network/element/NetworkACLServiceProvider.java
+++ b/api/src/com/cloud/network/element/NetworkACLServiceProvider.java
@@ -21,6 +21,7 @@ import java.util.List;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.Network;
 import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.vpc.NetworkACLItem;
 
 public interface NetworkACLServiceProvider extends NetworkElement{
 
@@ -30,6 +31,6 @@ public interface NetworkACLServiceProvider extends NetworkElement{
      * @return
      * @throws ResourceUnavailableException
      */
-    boolean applyNetworkACLs(Network config, List<? extends FirewallRule> rules) throws ResourceUnavailableException;
+    boolean applyNetworkACLs(Network config, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException;
 
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/com/cloud/network/firewall/NetworkACLService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/firewall/NetworkACLService.java b/api/src/com/cloud/network/firewall/NetworkACLService.java
index 8621e48..ae46d83 100644
--- a/api/src/com/cloud/network/firewall/NetworkACLService.java
+++ b/api/src/com/cloud/network/firewall/NetworkACLService.java
@@ -20,36 +20,37 @@ package com.cloud.network.firewall;
 import java.util.List;
 
 import com.cloud.network.vpc.NetworkACL;
+import com.cloud.network.vpc.NetworkACLItem;
+import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
 import org.apache.cloudstack.api.command.user.network.CreateNetworkACLListCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLListsCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
 
 import com.cloud.exception.NetworkRuleConflictException;
 import com.cloud.exception.ResourceUnavailableException;
-import com.cloud.network.rules.FirewallRule;
 import com.cloud.user.Account;
 import com.cloud.utils.Pair;
 
 public interface NetworkACLService {
-    FirewallRule getNetworkACLItem(long ruleId);
-    boolean applyNetworkACLs(long networkId, Account caller) throws ResourceUnavailableException;
+    NetworkACLItem getNetworkACLItem(long ruleId);
+    boolean applyNetworkACLtoNetworks(long aclId, Account caller) throws ResourceUnavailableException;
 
     /**
      * @param createNetworkACLCmd
      * @return
      */
-    FirewallRule createNetworkACLItem(FirewallRule acl) throws NetworkRuleConflictException;
+    NetworkACLItem createNetworkACLItem(CreateNetworkACLCmd aclItemCmd) throws NetworkRuleConflictException;
     /**
      * @param ruleId
      * @param apply
      * @return
      */
-    boolean revokeNetworkACL(long ruleId, boolean apply);
+    boolean revokeNetworkACLItem(long ruleId, boolean apply);
     /**
      * @param listNetworkACLsCmd
      * @return
      */
-    Pair<List<? extends FirewallRule>, Integer> listNetworkACLItems(ListNetworkACLsCmd cmd);
+    Pair<List<? extends NetworkACLItem>, Integer> listNetworkACLItems(ListNetworkACLsCmd cmd);
 
     NetworkACL createNetworkACL(CreateNetworkACLListCmd cmd);
 
@@ -58,4 +59,6 @@ public interface NetworkACLService {
     boolean deleteNetworkACL(long id);
 
     Pair<List<? extends NetworkACL>,Integer> listNetworkACLs(ListNetworkACLListsCmd listNetworkACLListsCmd);
+
+    boolean replaceNetworkACL(long aclId, long networkId);
 }
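Review bot: `replaceNetworkACL(long aclId, long networkId)` takes no caller, whereas `applyNetworkACLtoNetworks` in the same interface is handed the `Account`. The implementation is not visible here, so it is worth confirming that it checks the caller's access to both the ACL and the network, and that the two belong to the same VPC, before swapping the ACL. The method also has no Javadoc; something like `/** Associates the ACL with the network, replacing the one currently applied; @return true if the new ACL was applied */` would state the contract, adjusted to the actual behaviour. In the first hunk the Javadoc above `createNetworkACLItem` still says `@param createNetworkACLCmd` while the parameter is now `aclItemCmd`.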

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/com/cloud/network/vpc/NetworkACL.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/vpc/NetworkACL.java b/api/src/com/cloud/network/vpc/NetworkACL.java
index 8839ffd..1b171e3 100644
--- a/api/src/com/cloud/network/vpc/NetworkACL.java
+++ b/api/src/com/cloud/network/vpc/NetworkACL.java
@@ -17,9 +17,10 @@
 
 package com.cloud.network.vpc;
 
+import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.api.InternalIdentity;
 
-public interface NetworkACL extends InternalIdentity{
+public interface NetworkACL extends InternalIdentity, ControlledEntity{
     String getDescription();
 
     String getUuid();

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/com/cloud/network/vpc/NetworkACLItem.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/vpc/NetworkACLItem.java b/api/src/com/cloud/network/vpc/NetworkACLItem.java
new file mode 100644
index 0000000..9cce187
--- /dev/null
+++ b/api/src/com/cloud/network/vpc/NetworkACLItem.java
@@ -0,0 +1,87 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.vpc;
+
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.api.Identity;
+import org.apache.cloudstack.api.InternalIdentity;
+
+import java.util.List;
+
+public interface NetworkACLItem extends InternalIdentity {
+
+    String getUuid();
+
+    Action getAction();
+
+    int getNumber();
+
+    enum NetworkACLType {
+        System, // The pre-defined rules created by admin, in the system wide
+        User // the rules created by user, to a specific ip
+    }
+
+    enum State {
+        Staged, // Rule been created but has never got through network rule conflict detection.  Rules in this state can not be sent to network elements.
+        Add,    // Add means the rule has been created and has gone through network rule conflict detection.
+        Active, // Rule has been sent to the network elements and reported to be active.
+        Revoke  // Revoke means this rule has been revoked. If this rule has been sent to the network elements, the rule will be deleted from database.
+    }
+
+    enum TrafficType {
+        Ingress,
+        Egress
+    }
+
+    enum Action {
+        Allow,
+        Deny
+    }
+
+    /**
+     * @return first port of the source port range.
+     */
+    Integer getSourcePortStart();
+
+    /**
+     * @return last port of the source prot range.  If this is null, that means only one port is mapped.
+     */
+    Integer getSourcePortEnd();
+
+    /**
+     * @return protocol to open these ports for.
+     */
+    String getProtocol();
+
+    State getState();
+
+    long getACLId();
+
+    Integer getIcmpCode();
+
+    Integer getIcmpType();
+
+    List<String> getSourceCidrList();
+
+    NetworkACLType getType();
+
+    /**
+     * @return
+     */
+    TrafficType getTrafficType();
+
+}
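Review bot: `getNumber()` and `getAction()` have no Javadoc, although they decide how a rule is evaluated. Judging by the sort added to `SetNetworkACLCommand` in this commit, `/** @return position of the rule within its ACL; lower numbers are applied first */` and `/** @return whether matching traffic is allowed or denied */` would fit, if that reading is correct. The imports `org.apache.cloudstack.acl.ControlledEntity` and `org.apache.cloudstack.api.Identity` are not used anywhere in this new file and can be dropped. The Javadoc on `getSourcePortEnd()` has the typo "prot range", and the one on `getTrafficType()` is an empty `@return`.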

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/org/apache/cloudstack/api/ApiConstants.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/ApiConstants.java b/api/src/org/apache/cloudstack/api/ApiConstants.java
index 1165c7b..733dda4 100755
--- a/api/src/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/org/apache/cloudstack/api/ApiConstants.java
@@ -482,6 +482,7 @@ public class ApiConstants {
     public static final String AFFINITY_GROUP_NAMES = "affinitygroupnames";
     public static final String ASA_INSIDE_PORT_PROFILE = "insideportprofile";
     public static final String AFFINITY_GROUP_ID = "affinitygroupid";
+    public static final String ACL_ID = "aclid";
 
     public enum HostDetails {
         all, capacity, events, stats, min;

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/org/apache/cloudstack/api/ResponseGenerator.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/ResponseGenerator.java b/api/src/org/apache/cloudstack/api/ResponseGenerator.java
index a681fe0..e7f4203 100644
--- a/api/src/org/apache/cloudstack/api/ResponseGenerator.java
+++ b/api/src/org/apache/cloudstack/api/ResponseGenerator.java
@@ -20,17 +20,15 @@ import java.text.DecimalFormat;
 import java.util.EnumSet;
 import java.util.List;
 
-<<<<<<< HEAD
-import com.cloud.vm.NicSecondaryIp;
-import org.apache.cloudstack.affinity.AffinityGroup;
-import org.apache.cloudstack.affinity.AffinityGroupResponse;
-=======
 import com.cloud.network.vpc.NetworkACL;
+import com.cloud.network.vpc.NetworkACLItem;
 import com.cloud.network.vpc.PrivateGateway;
 import com.cloud.network.vpc.StaticRoute;
 import com.cloud.network.vpc.Vpc;
 import com.cloud.network.vpc.VpcOffering;
->>>>>>> CLOUDSTACK-763: Added APIs to create, delete and list NetworkACLlist.
+import com.cloud.vm.NicSecondaryIp;
+import org.apache.cloudstack.affinity.AffinityGroup;
+import org.apache.cloudstack.affinity.AffinityGroupResponse;
 import org.apache.cloudstack.api.ApiConstants.HostDetails;
 import org.apache.cloudstack.api.ApiConstants.VMDetails;
 import org.apache.cloudstack.api.command.user.job.QueryAsyncJobResultCmd;
@@ -357,13 +355,13 @@ public interface ResponseGenerator {
      * @param networkACLItem
      * @return
      */
-    NetworkACLResponse createNetworkACLItemResponse(FirewallRule networkACLItem);
+    NetworkACLItemResponse createNetworkACLItemResponse(NetworkACLItem networkACLItem);
 
     /**
      * @param networkACL
      * @return
      */
-    NetworkACLListResponse createNetworkACLResponse(NetworkACL networkACL);
+    NetworkACLResponse createNetworkACLResponse(NetworkACL networkACL);
 
     /**
      * @param result

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
index ae1ea90..b6c0eb6 100644
--- a/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
@@ -19,6 +19,9 @@ package org.apache.cloudstack.api.command.user.network;
 import java.util.ArrayList;
 import java.util.List;
 
+import com.cloud.network.vpc.NetworkACL;
+import com.cloud.network.vpc.NetworkACLItem;
+import com.cloud.network.vpc.NetworkACLItem.NetworkACLType;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
@@ -26,6 +29,7 @@ import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.BaseAsyncCreateCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.NetworkACLItemResponse;
 import org.apache.cloudstack.api.response.NetworkACLResponse;
 import org.apache.cloudstack.api.response.NetworkResponse;
 import org.apache.log4j.Logger;
@@ -36,15 +40,14 @@ import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.NetworkRuleConflictException;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.Network;
-import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.vpc.Vpc;
 import com.cloud.user.Account;
 import com.cloud.user.UserContext;
 import com.cloud.utils.net.NetUtils;
 
 @APICommand(name = "createNetworkACL", description = "Creates a ACL rule the given network (the network has to belong to VPC)",
-responseObject = NetworkACLResponse.class)
-public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallRule {
+responseObject = NetworkACLItemResponse.class)
+public class CreateNetworkACLCmd extends BaseAsyncCreateCmd {
     public static final Logger s_logger = Logger.getLogger(CreateNetworkACLCmd.class.getName());
 
     private static final String s_name = "createnetworkaclresponse";
@@ -74,10 +77,13 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
     private Integer icmpCode;
 
     @Parameter(name=ApiConstants.NETWORK_ID, type=CommandType.UUID, entityType = NetworkResponse.class,
-            required=true,
         description="The network of the vm the ACL will be created for")
     private Long networkId;
 
+    @Parameter(name=ApiConstants.ACL_ID, type=CommandType.UUID, entityType = NetworkACLResponse.class,
+            description="The network of the vm the ACL will be created for")
+    private Long aclId;
+
     @Parameter(name=ApiConstants.TRAFFIC_TYPE, type=CommandType.STRING, description="the traffic type for the ACL," +
             "can be Ingress or Egress, defaulted to Ingress if not specified")
     private String trafficType;
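Review bot: The new `aclid` parameter reuses the description of `networkid` ("The network of the vm the ACL will be created for"), so the generated API documentation describes it wrongly; something like `description="The ID of the network ACL list the rule is added to"` would fit, if that is the intended meaning. With `required=true` removed from `networkid` and not set on `aclid`, a request carrying neither passes parameter validation and is rejected only later. The descriptions should say that one of the two must be given, and which one takes precedence when both are sent.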
@@ -90,7 +96,6 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
         return null;
     }
 
-    @Override
     public String getProtocol() {
         return protocol.trim();
     }
@@ -106,25 +111,34 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
     }
 
     public long getVpcId() {
-        Network network = _networkService.getNetwork(getNetworkId());
-        if (network == null) {
-            throw new InvalidParameterValueException("Invalid networkId is given");
+        Long vpcId = null;
+
+        if(getACLId() != null){
+            NetworkACL acl = _networkACLService.getNetworkACL(getACLId());
+            if(acl == null){
+                throw new InvalidParameterValueException("Invalid aclId is given");
+            }
+            vpcId = acl.getVpcId();
+        } else if(getNetworkId() != null){
+            Network network = _networkService.getNetwork(getNetworkId());
+            if (network == null) {
+                throw new InvalidParameterValueException("Invalid networkId is given");
+            }
+            vpcId = network.getVpcId();
         }
 
-        Long vpcId = network.getVpcId();
         if (vpcId == null) {
-            throw new InvalidParameterValueException("Can create network ACL only for the network belonging to the VPC");
+            throw new InvalidParameterValueException("Can create network ACL only for the ACL belonging to the VPC");
         }
 
         return vpcId;
     }
 
-    @Override
-    public FirewallRule.TrafficType getTrafficType() {
+    public NetworkACLItem.TrafficType getTrafficType() {
         if (trafficType == null) {
-            return FirewallRule.TrafficType.Ingress;
+            return NetworkACLItem.TrafficType.Ingress;
         }
-        for (FirewallRule.TrafficType type : FirewallRule.TrafficType.values()) {
+        for (NetworkACLItem.TrafficType type : NetworkACLItem.TrafficType.values()) {
             if (type.toString().equalsIgnoreCase(trafficType)) {
                 return type;
             }
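Review bot: When a request carries both `aclid` and `networkid`, `getVpcId()` uses only the ACL branch and never checks that the network belongs to the same VPC. `getAccountId()` and `getDomainId()` (visible as context in later hunks) derive the owner from this value, so the owner is resolved from the ACL alone, while the method that returns `getNetworkId()` further down still hands back the unchecked network id. Rejecting requests that set both, or comparing `network.getVpcId()` with `acl.getVpcId()`, would close that gap. When neither is set, `vpcId` stays null and the caller gets "Can create network ACL only for the ACL belonging to the VPC", which hides the real cause; an explicit `throw new InvalidParameterValueException("Either aclId or networkId must be specified");` in a final `else` would be clearer. `getTrafficType()` continues past the end of the hunk.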
@@ -149,13 +163,13 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
     public void execute() throws ResourceUnavailableException {
         UserContext callerContext = UserContext.current();
         boolean success = false;
-        FirewallRule rule = _networkACLService.getNetworkACLItem(getEntityId());
+        NetworkACLItem rule = _networkACLService.getNetworkACLItem(getEntityId());
         try {
             UserContext.current().setEventDetails("Rule Id: " + getEntityId());
-            success = _networkACLService.applyNetworkACLs(rule.getNetworkId(), callerContext.getCaller());
+            success = _networkACLService.applyNetworkACLtoNetworks(rule.getACLId(), callerContext.getCaller());
 
             // State is different after the rule is applied, so get new object here
-            NetworkACLResponse aclResponse = new NetworkACLResponse();
+            NetworkACLItemResponse aclResponse = new NetworkACLItemResponse();
             if (rule != null) {
                 aclResponse = _responseGenerator.createNetworkACLItemResponse(rule);
                 setResponseObject(aclResponse);
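Review bot: `rule.getACLId()` is dereferenced on the `applyNetworkACLtoNetworks` line before the `if (rule != null)` check three lines later, so a missing rule raises a NullPointerException that is only masked by the exception thrown from the `finally` block. Moving the null check ahead of the apply call, e.g. `if (rule != null) { success = _networkACLService.applyNetworkACLtoNetworks(rule.getACLId(), callerContext.getCaller()); }`, keeps the failure path explicit. The comment says the state differs after the rule is applied, "so get new object here", but the response is built from the `rule` fetched before the apply; re-reading it with `getNetworkACLItem(getEntityId())` would return the current state. The `try`/`finally` continues in the next hunk.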
@@ -163,36 +177,16 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
             aclResponse.setResponseName(getCommandName());
         } finally {
             if (!success || rule == null) {
-                _networkACLService.revokeNetworkACL(getEntityId(), true);
+                _networkACLService.revokeNetworkACLItem(getEntityId(), true);
                 throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create network ACL");
             }
         }
     }
 
-    @Override
-    public long getId() {
-        throw new UnsupportedOperationException("database id can only provided by VO objects");
-    }
-
-    @Override
-    public String getXid() {
-        // FIXME: We should allow for end user to specify Xid.
-        return null;
-    }
-
-
-    @Override
-    public String getUuid() {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
-    @Override
     public Long getSourceIpAddressId() {
         return null;
     }
 
-    @Override
     public Integer getSourcePortStart() {
         if (publicStartPort != null) {
             return publicStartPort.intValue();
@@ -200,7 +194,6 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
         return null;
     }
 
-    @Override
     public Integer getSourcePortEnd() {
         if (publicEndPort == null) {
             if (publicStartPort != null) {
@@ -213,18 +206,11 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
         return null;
     }
 
-    @Override
-    public Purpose getPurpose() {
-        return Purpose.Firewall;
-    }
-
-    @Override
-    public State getState() {
+    public NetworkACLItem.State getState() {
         throw new UnsupportedOperationException("Should never call me to find the state");
     }
 
-    @Override
-    public long getNetworkId() {
+    public Long getNetworkId() {
         return networkId;
     }
 
@@ -239,7 +225,6 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
         return account.getId();
     }
 
-    @Override
     public long getDomainId() {
         Vpc vpc = _vpcService.getVpc(getVpcId());
         return vpc.getDomainId();
@@ -256,7 +241,7 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
         }
 
         try {
-            FirewallRule result = _networkACLService.createNetworkACLItem(this);
+            NetworkACLItem result = _networkACLService.createNetworkACLItem(this);
             setEntityId(result.getId());
             setEntityUuid(result.getUuid());
         } catch (NetworkRuleConflictException ex) {
@@ -268,16 +253,15 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
 
     @Override
     public String getEventType() {
-        return EventTypes.EVENT_FIREWALL_OPEN;
+        return EventTypes.EVENT_NETWORK_ACL_ITEM_CREATE;
     }
 
     @Override
     public String getEventDescription() {
-        Network network = _networkService.getNetwork(networkId);
-        return ("Createing Network ACL for Netowrk: " + network + " for protocol:" + this.getProtocol());
+        //Network network = _networkService.getNetwork(networkId);
+        return ("Creating Network ACL Item for protocol:" + this.getProtocol());
     }
 
-    @Override
     public long getAccountId() {
         Vpc vpc = _vpcService.getVpc(getVpcId());
         return vpc.getAccountId();
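Review bot: `getEventDescription()` no longer names the object the rule is created on, so the `NETWORK.ACL.ITEM.CREATE` event records only the protocol, and an audit trail cannot tell which ACL or network was changed. Including the identifiers the command already holds would restore that, e.g. `return "Creating Network ACL Item for ACL: " + getACLId() + ", network: " + getNetworkId() + ", protocol: " + getProtocol();`. The commented-out `//Network network = _networkService.getNetwork(networkId);` line should be deleted rather than kept.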
@@ -293,7 +277,6 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
         return getNetworkId();
     }
 
-    @Override
     public Integer getIcmpCode() {
         if (icmpCode != null) {
             return icmpCode;
@@ -303,7 +286,6 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
         return null;
     }
 
-    @Override
     public Integer getIcmpType() {
         if (icmpType != null) {
             return icmpType;
@@ -314,14 +296,8 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
         return null;
     }
 
-    @Override
-    public Long getRelated() {
-        return null;
-    }
-
-    @Override
-    public FirewallRuleType getType() {
-        return FirewallRuleType.User;
+    public NetworkACLType getType() {
+        return NetworkACLType.User;
     }
 
     @Override
@@ -329,4 +305,7 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
         return AsyncJob.Type.FirewallRule;
     }
 
+    public Long getACLId() {
+        return aclId;
+    }
 }
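Review bot: The new accessor is spelled `getACLId()` here, while ReplaceNetworkACLListCmd in the same commit names the equivalent accessor `getAclId()`. Picking one spelling for both commands (`getAclId()` matches the `aclId` field) keeps callers and any reflection-based lookups from having to remember which class uses which.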

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLListCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLListCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLListCmd.java
index 9c71497..0cc460d 100644
--- a/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLListCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLListCmd.java
@@ -24,12 +24,12 @@ import com.cloud.network.vpc.Vpc;
 import com.cloud.user.Account;
 import com.cloud.user.UserContext;
 import org.apache.cloudstack.api.*;
-import org.apache.cloudstack.api.response.NetworkACLListResponse;
+import org.apache.cloudstack.api.response.NetworkACLResponse;
 import org.apache.cloudstack.api.response.VpcResponse;
 import org.apache.log4j.Logger;
 
 @APICommand(name = "createNetworkACLList", description = "Creates a Network ACL for the given VPC",
-responseObject = NetworkACLListResponse.class)
+responseObject = NetworkACLResponse.class)
 public class CreateNetworkACLListCmd extends BaseAsyncCreateCmd {
     public static final Logger s_logger = Logger.getLogger(CreateNetworkACLListCmd.class.getName());
 
@@ -86,7 +86,7 @@ public class CreateNetworkACLListCmd extends BaseAsyncCreateCmd {
         boolean success = false;
         NetworkACL acl = _networkACLService.getNetworkACL(getEntityId());
         if(acl != null){
-            NetworkACLListResponse aclResponse = _responseGenerator.createNetworkACLResponse(acl);
+            NetworkACLResponse aclResponse = _responseGenerator.createNetworkACLResponse(acl);
             setResponseObject(aclResponse);
             aclResponse.setResponseName(getCommandName());
         } else {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLCmd.java
index 272a129..2f88230 100644
--- a/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLCmd.java
@@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.api.command.user.network;
 
+import com.cloud.network.vpc.NetworkACLItem;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
@@ -80,11 +81,11 @@ public class DeleteNetworkACLCmd extends BaseAsyncCmd {
     @Override
     public long getEntityOwnerId() {
         if (ownerId == null) {
-            FirewallRule rule = _networkACLService.getNetworkACLItem(id);
+            NetworkACLItem rule = _networkACLService.getNetworkACLItem(id);
             if (rule == null) {
                 throw new InvalidParameterValueException("Unable to find network ACL by id=" + id);
             } else {
-                ownerId = rule.getAccountId();
+                //ownerId = rule.getAccountId();
             }
         }
         return ownerId;
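Review bot: With `ownerId = rule.getAccountId();` commented out, `getEntityOwnerId()` never assigns `ownerId`, so for an existing rule it reaches `return ownerId` with the value still null. The method returns `long` and `ownerId` is compared with null (so presumably a `Long`), which makes that return throw a NullPointerException on unboxing. The value returned here is presumably what the API layer uses for the access check on the delete, so it should resolve to a real account instead of staying unset. ReplaceNetworkACLListCmd in this commit resolves the owner through the ACL's VPC with `_vpcService.getVpc(acl.getVpcId()).getAccountId()`; the same path from the item's parent ACL would fit here, though the accessor for the item's ACL id is not visible in this hunk. The declaration of `ownerId` lies outside the hunk.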
@@ -93,7 +94,7 @@ public class DeleteNetworkACLCmd extends BaseAsyncCmd {
     @Override
     public void execute() throws ResourceUnavailableException {
         UserContext.current().setEventDetails("Network ACL Id: " + id);
-        boolean result = _networkACLService.revokeNetworkACL(id, true);
+        boolean result = _networkACLService.revokeNetworkACLItem(id, true);
 
         if (result) {
             SuccessResponse response = new SuccessResponse(getCommandName());

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLListCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLListCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLListCmd.java
index f502475..42ecd8d 100644
--- a/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLListCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLListCmd.java
@@ -27,7 +27,7 @@ import com.cloud.user.UserContext;
 import org.apache.cloudstack.api.*;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.FirewallRuleResponse;
-import org.apache.cloudstack.api.response.NetworkACLListResponse;
+import org.apache.cloudstack.api.response.NetworkACLResponse;
 import org.apache.cloudstack.api.response.SuccessResponse;
 import org.apache.log4j.Logger;
 
@@ -40,7 +40,7 @@ public class DeleteNetworkACLListCmd extends BaseAsyncCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
-    @Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = NetworkACLListResponse.class,
+    @Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = NetworkACLResponse.class,
             required=true, description="the ID of the network ACL")
     private Long id;
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
index b043eed..55d6147 100644
--- a/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
@@ -23,13 +23,15 @@ import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseListTaggedResourcesCmd;
 import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.response.*;
+import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.api.response.NetworkACLResponse;
+import org.apache.cloudstack.api.response.NetworkResponse;
 import org.apache.log4j.Logger;
 
 import java.util.ArrayList;
 import java.util.List;
 
-@APICommand(name = "listNetworkACLLists", description="Lists all network ACLs", responseObject=NetworkACLListResponse.class)
+@APICommand(name = "listNetworkACLLists", description="Lists all network ACLs", responseObject=NetworkACLResponse.class)
 public class ListNetworkACLListsCmd extends BaseListTaggedResourcesCmd {
     public static final Logger s_logger = Logger.getLogger(ListNetworkACLListsCmd.class.getName());
 
@@ -70,11 +72,11 @@ public class ListNetworkACLListsCmd extends BaseListTaggedResourcesCmd {
     @Override
     public void execute(){
         Pair<List<? extends NetworkACL>,Integer> result = _networkACLService.listNetworkACLs(this);
-        ListResponse<NetworkACLListResponse> response = new ListResponse<NetworkACLListResponse>();
-        List<NetworkACLListResponse> aclResponses = new ArrayList<NetworkACLListResponse>();
+        ListResponse<NetworkACLResponse> response = new ListResponse<NetworkACLResponse>();
+        List<NetworkACLResponse> aclResponses = new ArrayList<NetworkACLResponse>();
 
         for (NetworkACL acl : result.first()) {
-            NetworkACLListResponse aclResponse = _responseGenerator.createNetworkACLResponse(acl);
+            NetworkACLResponse aclResponse = _responseGenerator.createNetworkACLResponse(acl);
             aclResponses.add(aclResponse);
         }
         response.setResponses(aclResponses, result.second());

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLsCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLsCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLsCmd.java
index 93842d5..53e19d7 100644
--- a/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLsCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLsCmd.java
@@ -19,20 +19,21 @@ package org.apache.cloudstack.api.command.user.network;
 import java.util.ArrayList;
 import java.util.List;
 
+import com.cloud.network.vpc.NetworkACLItem;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseListTaggedResourcesCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.FirewallRuleResponse;
 import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.NetworkACLResponse;
+import org.apache.cloudstack.api.response.NetworkACLItemResponse;
 import org.apache.cloudstack.api.response.NetworkResponse;
 import org.apache.log4j.Logger;
 
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.utils.Pair;
 
-@APICommand(name = "listNetworkACLs", description="Lists all network ACLs", responseObject=NetworkACLResponse.class)
+@APICommand(name = "listNetworkACLs", description="Lists all network ACL items", responseObject=NetworkACLItemResponse.class)
 public class ListNetworkACLsCmd extends BaseListTaggedResourcesCmd {
     public static final Logger s_logger = Logger.getLogger(ListNetworkACLsCmd.class.getName());
 
@@ -79,12 +80,12 @@ public class ListNetworkACLsCmd extends BaseListTaggedResourcesCmd {
 
     @Override
     public void execute(){
-        Pair<List<? extends FirewallRule>,Integer> result = _networkACLService.listNetworkACLItems(this);
-        ListResponse<NetworkACLResponse> response = new ListResponse<NetworkACLResponse>();
-        List<NetworkACLResponse> aclResponses = new ArrayList<NetworkACLResponse>();
+        Pair<List<? extends NetworkACLItem>,Integer> result = _networkACLService.listNetworkACLItems(this);
+        ListResponse<NetworkACLItemResponse> response = new ListResponse<NetworkACLItemResponse>();
+        List<NetworkACLItemResponse> aclResponses = new ArrayList<NetworkACLItemResponse>();
 
-        for (FirewallRule acl : result.first()) {
-            NetworkACLResponse ruleData = _responseGenerator.createNetworkACLItemResponse(acl);
+        for (NetworkACLItem acl : result.first()) {
+            NetworkACLItemResponse ruleData = _responseGenerator.createNetworkACLItemResponse(acl);
             aclResponses.add(ruleData);
         }
         response.setResponses(aclResponses, result.second());

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/org/apache/cloudstack/api/command/user/network/ReplaceNetworkACLListCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/ReplaceNetworkACLListCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/ReplaceNetworkACLListCmd.java
new file mode 100644
index 0000000..78e0b1a
--- /dev/null
+++ b/api/src/org/apache/cloudstack/api/command/user/network/ReplaceNetworkACLListCmd.java
@@ -0,0 +1,107 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.user.network;
+
+import com.cloud.event.EventTypes;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.vpc.NetworkACL;
+import com.cloud.network.vpc.Vpc;
+import com.cloud.user.UserContext;
+import org.apache.cloudstack.api.*;
+import org.apache.cloudstack.api.response.NetworkACLResponse;
+import org.apache.cloudstack.api.response.NetworkResponse;
+import org.apache.cloudstack.api.response.SuccessResponse;
+import org.apache.log4j.Logger;
+
+@APICommand(name = "replaceNetworkACLList", description="Replaces ACL associated with a Network", responseObject=SuccessResponse.class)
+public class ReplaceNetworkACLListCmd extends BaseAsyncCmd {
+    public static final Logger s_logger = Logger.getLogger(ReplaceNetworkACLListCmd.class.getName());
+    private static final String s_name = "replacenetworkacllistresponse";
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name=ApiConstants.ACL_ID, type=CommandType.UUID, entityType = NetworkACLResponse.class,
+            required=true, description="the ID of the network ACL")
+    private long aclId;
+
+    @Parameter(name=ApiConstants.NETWORK_ID, type=CommandType.UUID, entityType = NetworkResponse.class,
+            required=true, description="the ID of the network")
+    private long networkId;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public long getAclId() {
+        return aclId;
+    }
+
+    public long getNetworkId(){
+        return networkId;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_NETWORK_ACL_REPLACE;
+    }
+
+    @Override
+    public String getEventDescription() {
+        return  ("Associating Network ACL id=" + aclId+ " with Network id="+ networkId);
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        NetworkACL acl = _networkACLService.getNetworkACL(aclId);
+        if (acl == null) {
+            throw new InvalidParameterValueException("Unable to find network ACL by id=" + aclId);
+        } else {
+            long vpcId = acl.getVpcId();
+            Vpc vpc = _vpcService.getVpc(vpcId);
+            if(vpc != null){
+                return vpc.getAccountId();
+            } else {
+                throw new InvalidParameterValueException("Unable to find VPC associated with network ACL by id=" + aclId);
+            }
+        }
+    }
+
+    @Override
+    public void execute() throws ResourceUnavailableException {
+        UserContext.current().setEventDetails("Network ACL Id: " + aclId);
+        boolean result = _networkACLService.replaceNetworkACL(aclId, networkId);
+
+        if (result) {
+            SuccessResponse response = new SuccessResponse(getCommandName());
+            this.setResponseObject(response);
+        } else {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to replace network ACL");
+        }
+    }
+}
+
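Review bot: `getEntityOwnerId()` derives the owner only from the ACL's VPC, while `execute()` passes `networkId` to `replaceNetworkACL(aclId, networkId)` without checking that the network exists or sits in the same VPC as the ACL. Unless the service implementation, which is not shown here, enforces that, the owner check covers the ACL but not the network it is being attached to. I would confirm that `replaceNetworkACL` rejects a network whose VPC differs from `acl.getVpcId()` and that the caller has access to that network. The event details should also record both ids: `UserContext.current().setEventDetails("Network ACL Id: " + aclId + " Network Id: " + networkId);`.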

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/org/apache/cloudstack/api/response/NetworkACLItemResponse.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/response/NetworkACLItemResponse.java b/api/src/org/apache/cloudstack/api/response/NetworkACLItemResponse.java
new file mode 100644
index 0000000..d40acbf
--- /dev/null
+++ b/api/src/org/apache/cloudstack/api/response/NetworkACLItemResponse.java
@@ -0,0 +1,106 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.response;
+
+import java.util.List;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseResponse;
+
+import com.cloud.serializer.Param;
+import com.google.gson.annotations.SerializedName;
+
+@SuppressWarnings("unused")
+public class NetworkACLItemResponse extends BaseResponse {
+    @SerializedName(ApiConstants.ID) @Param(description="the ID of the ACL Item")
+    private String id;
+
+    @SerializedName(ApiConstants.PROTOCOL) @Param(description="the protocol of the ACL")
+    private String protocol;
+
+    @SerializedName(ApiConstants.START_PORT) @Param(description="the starting port of ACL's port range")
+    private String startPort;
+
+    @SerializedName(ApiConstants.END_PORT)  @Param(description = "the ending port of ACL's port range")
+    private String endPort;
+
+    @SerializedName(ApiConstants.TRAFFIC_TYPE) @Param(description="the traffic type for the ACL")
+    private String trafficType;
+
+    @SerializedName(ApiConstants.STATE) @Param(description="the state of the rule")
+    private String state;
+
+    @SerializedName(ApiConstants.CIDR_LIST) @Param(description="the cidr list to forward traffic from")
+    private String cidrList;
+
+    @SerializedName(ApiConstants.ICMP_TYPE) @Param(description= "type of the icmp message being sent")
+    private Integer icmpType;
+
+    @SerializedName(ApiConstants.ICMP_CODE) @Param(description = "error code for this icmp message")
+    private Integer icmpCode;
+
+    @SerializedName(ApiConstants.TAGS)  @Param(description="the list of resource tags associated with the network ACLs",
+            responseObject = ResourceTagResponse.class)
+    private List<ResourceTagResponse> tags;
+
+    @SerializedName(ApiConstants.ACL_ID) @Param(description="the ID of the ACL this item belongs to")
+    private String aclId;
+
+    public void setId(String id) {
+        this.id = id;
+    }
+
+    public void setProtocol(String protocol) {
+        this.protocol = protocol;
+    }
+
+    public void setStartPort(String startPort) {
+        this.startPort = startPort;
+    }
+
+    public void setEndPort(String endPort) {
+        this.endPort = endPort;
+    }
+
+    public void setState(String state) {
+        this.state = state;
+    }
+
+    public void setCidrList(String cidrList) {
+        this.cidrList = cidrList;
+    }
+
+    public void setIcmpType(Integer icmpType) {
+        this.icmpType = icmpType;
+    }
+
+    public void setIcmpCode(Integer icmpCode) {
+        this.icmpCode = icmpCode;
+    }
+
+    public void setTrafficType(String trafficType) {
+        this.trafficType = trafficType;
+    }
+
+    public void setTags(List<ResourceTagResponse> tags) {
+        this.tags = tags;
+    }
+
+    public void setAclId(String aclId) {
+        this.aclId = aclId;
+    }
+}
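Review bot: The response class has no field for an item's action or rule number, although the commit title says this change adds allow/deny actions and numbering. A client listing ACL items through this response therefore cannot tell an allow rule from a deny rule or see the evaluation order. I would add `action` and `number` fields with setters, serialized like the existing fields; the ApiConstants names for them are not visible in this part of the diff. The description `"the cidr list to forward traffic from"` also reads as carried over from the firewall rule response and could say what the CIDR list means for an ACL item.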

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/org/apache/cloudstack/api/response/NetworkACLListResponse.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/response/NetworkACLListResponse.java b/api/src/org/apache/cloudstack/api/response/NetworkACLListResponse.java
deleted file mode 100644
index 3487851..0000000
--- a/api/src/org/apache/cloudstack/api/response/NetworkACLListResponse.java
+++ /dev/null
@@ -1,57 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.response;
-
-import com.cloud.network.vpc.NetworkACL;
-import com.cloud.serializer.Param;
-import com.google.gson.annotations.SerializedName;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseResponse;
-import org.apache.cloudstack.api.EntityReference;
-
-import java.util.List;
-
-@EntityReference(value = NetworkACL.class)
-public class NetworkACLListResponse extends BaseResponse {
-    @SerializedName(ApiConstants.ID) @Param(description="the ID of the ACL")
-    private String id;
-
-    @SerializedName(ApiConstants.NAME) @Param(description="the Name of the ACL")
-    private String name;
-
-    @SerializedName(ApiConstants.DESCRIPTION) @Param(description="Description of the ACL")
-    private String description;
-
-    @SerializedName(ApiConstants.VPC_ID) @Param(description="Id of the VPC this ACL is associated with")
-    private String vpcId;
-
-    public void setId(String id) {
-        this.id = id;
-    }
-
-    public void setName(String name) {
-        this.name = name;
-    }
-
-    public void setDescription(String description) {
-        this.description = description;
-    }
-
-    public void setVpcId(String vpcId) {
-        this.vpcId = vpcId;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/api/src/org/apache/cloudstack/api/response/NetworkACLResponse.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/response/NetworkACLResponse.java b/api/src/org/apache/cloudstack/api/response/NetworkACLResponse.java
index b45b43c..12ca38b 100644
--- a/api/src/org/apache/cloudstack/api/response/NetworkACLResponse.java
+++ b/api/src/org/apache/cloudstack/api/response/NetworkACLResponse.java
@@ -16,84 +16,42 @@
 // under the License.
 package org.apache.cloudstack.api.response;
 
-import java.util.List;
-
+import com.cloud.network.vpc.NetworkACL;
+import com.cloud.serializer.Param;
+import com.google.gson.annotations.SerializedName;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseResponse;
+import org.apache.cloudstack.api.EntityReference;
 
-import com.cloud.serializer.Param;
-import com.google.gson.annotations.SerializedName;
+import java.util.List;
 
-@SuppressWarnings("unused")
+@EntityReference(value = NetworkACL.class)
 public class NetworkACLResponse extends BaseResponse {
     @SerializedName(ApiConstants.ID) @Param(description="the ID of the ACL")
     private String id;
 
-    @SerializedName(ApiConstants.PROTOCOL) @Param(description="the protocol of the ACL")
-    private String protocol;
-
-    @SerializedName(ApiConstants.START_PORT) @Param(description="the starting port of ACL's port range")
-    private String startPort;
-
-    @SerializedName(ApiConstants.END_PORT)  @Param(description = "the ending port of ACL's port range")
-    private String endPort;
-
-    @SerializedName(ApiConstants.TRAFFIC_TYPE) @Param(description="the traffic type for the ACL")
-    private String trafficType;
-
-    @SerializedName(ApiConstants.STATE) @Param(description="the state of the rule")
-    private String state;
-
-    @SerializedName(ApiConstants.CIDR_LIST) @Param(description="the cidr list to forward traffic from")
-    private String cidrList;
-
-    @SerializedName(ApiConstants.ICMP_TYPE) @Param(description= "type of the icmp message being sent")
-    private Integer icmpType;
+    @SerializedName(ApiConstants.NAME) @Param(description="the Name of the ACL")
+    private String name;
 
-    @SerializedName(ApiConstants.ICMP_CODE) @Param(description = "error code for this icmp message")
-    private Integer icmpCode;
+    @SerializedName(ApiConstants.DESCRIPTION) @Param(description="Description of the ACL")
+    private String description;
 
-    @SerializedName(ApiConstants.TAGS)  @Param(description="the list of resource tags associated with the network ACLs",
-            responseObject = ResourceTagResponse.class)
-    private List<ResourceTagResponse> tags;
+    @SerializedName(ApiConstants.VPC_ID) @Param(description="Id of the VPC this ACL is associated with")
+    private String vpcId;
 
     public void setId(String id) {
         this.id = id;
     }
 
-    public void setProtocol(String protocol) {
-        this.protocol = protocol;
-    }
-
-    public void setStartPort(String startPort) {
-        this.startPort = startPort;
-    }
-
-    public void setEndPort(String endPort) {
-        this.endPort = endPort;
-    }
-
-    public void setState(String state) {
-        this.state = state;
-    }
-
-    public void setCidrList(String cidrList) {
-        this.cidrList = cidrList;
-    }
-
-    public void setIcmpType(Integer icmpType) {
-        this.icmpType = icmpType;
-    }
-
-    public void setIcmpCode(Integer icmpCode) {
-        this.icmpCode = icmpCode;
+    public void setName(String name) {
+        this.name = name;
     }
 
-    public void setTrafficType(String trafficType) {
-        this.trafficType = trafficType;
+    public void setDescription(String description) {
+        this.description = description;
     }
 
-    public void setTags(List<ResourceTagResponse> tags) {
-        this.tags = tags;
+    public void setVpcId(String vpcId) {
+        this.vpcId = vpcId;
     }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/client/tomcatconf/applicationContext.xml.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/applicationContext.xml.in b/client/tomcatconf/applicationContext.xml.in
index 6154f5b..b9df70e 100644
--- a/client/tomcatconf/applicationContext.xml.in
+++ b/client/tomcatconf/applicationContext.xml.in
@@ -247,6 +247,7 @@
   <bean id="mockVolumeDaoImpl" class="com.cloud.simulator.dao.MockVolumeDaoImpl" />
   <bean id="networkAccountDaoImpl" class="com.cloud.network.dao.NetworkAccountDaoImpl" />
   <bean id="networkACLDaoImpl" class="com.cloud.network.vpc.dao.NetworkACLDaoImpl" />
+  <bean id="networkACLItemDaoImpl" class="com.cloud.network.vpc.dao.NetworkACLItemDaoImpl" />
   <bean id="networkDaoImpl" class="com.cloud.network.dao.NetworkDaoImpl" />
   <bean id="networkDomainDaoImpl" class="com.cloud.network.dao.NetworkDomainDaoImpl" />
   <bean id="networkExternalFirewallDaoImpl" class="com.cloud.network.dao.NetworkExternalFirewallDaoImpl" />

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/client/tomcatconf/commands.properties.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/commands.properties.in b/client/tomcatconf/commands.properties.in
index e93e686..bd1c7af 100644
--- a/client/tomcatconf/commands.properties.in
+++ b/client/tomcatconf/commands.properties.in
@@ -434,6 +434,7 @@ deleteNetworkACL=15
 listNetworkACLs=15
 createNetworkACLList=15
 deleteNetworkACLList=15
+replaceNetworkACLList=15
 listNetworkACLLists=15
 
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/server/src/com/cloud/api/ApiDBUtils.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiDBUtils.java b/server/src/com/cloud/api/ApiDBUtils.java
index e291c84..c16c3e6 100755
--- a/server/src/com/cloud/api/ApiDBUtils.java
+++ b/server/src/com/cloud/api/ApiDBUtils.java
@@ -26,6 +26,18 @@ import javax.annotation.PostConstruct;
 import javax.inject.Inject;
 
 import com.cloud.network.rules.LoadBalancer;
+import com.cloud.network.vpc.NetworkACL;
+import com.cloud.network.vpc.StaticRouteVO;
+import com.cloud.network.vpc.VpcGatewayVO;
+import com.cloud.network.vpc.VpcManager;
+import com.cloud.network.vpc.VpcOffering;
+import com.cloud.network.vpc.VpcProvisioningService;
+import com.cloud.network.vpc.VpcVO;
+import com.cloud.network.vpc.dao.NetworkACLDao;
+import com.cloud.network.vpc.dao.StaticRouteDao;
+import com.cloud.network.vpc.dao.VpcDao;
+import com.cloud.network.vpc.dao.VpcGatewayDao;
+import com.cloud.network.vpc.dao.VpcOfferingDao;
 import com.cloud.region.ha.GlobalLoadBalancingRulesService;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
@@ -183,16 +195,6 @@ import com.cloud.network.security.SecurityGroup;
 import com.cloud.network.security.SecurityGroupManager;
 import com.cloud.network.security.SecurityGroupVO;
 import com.cloud.network.security.dao.SecurityGroupDao;
-import com.cloud.network.vpc.StaticRouteVO;
-import com.cloud.network.vpc.VpcGatewayVO;
-import com.cloud.network.vpc.VpcManager;
-import com.cloud.network.vpc.VpcOffering;
-import com.cloud.network.vpc.VpcProvisioningService;
-import com.cloud.network.vpc.VpcVO;
-import com.cloud.network.vpc.dao.StaticRouteDao;
-import com.cloud.network.vpc.dao.VpcDao;
-import com.cloud.network.vpc.dao.VpcGatewayDao;
-import com.cloud.network.vpc.dao.VpcOfferingDao;
 import com.cloud.offering.DiskOffering;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offering.ServiceOffering;
@@ -391,6 +393,7 @@ public class ApiDBUtils {
     static AffinityGroupDao _affinityGroupDao;
     static AffinityGroupJoinDao _affinityGroupJoinDao;
     static GlobalLoadBalancingRulesService _gslbService;
+    static NetworkACLDao _networkACLDao;
 
     @Inject private ManagementServer ms;
     @Inject public AsyncJobManager asyncMgr;
@@ -498,6 +501,7 @@ public class ApiDBUtils {
     @Inject private AffinityGroupDao affinityGroupDao;
     @Inject private AffinityGroupJoinDao affinityGroupJoinDao;
     @Inject private GlobalLoadBalancingRulesService gslbService;
+    @Inject private NetworkACLDao networkACLDao;
 
     @PostConstruct
     void init() {
@@ -606,6 +610,7 @@ public class ApiDBUtils {
         _gslbService = gslbService;
         // Note: stats collector should already have been initialized by this time, otherwise a null instance is returned
         _statsCollector = StatsCollector.getInstance();
+        _networkACLDao = networkACLDao;
     }
 
     // ///////////////////////////////////////////////////////////
@@ -1272,6 +1277,9 @@ public class ApiDBUtils {
         return _vpcOfferingDao.findById(offeringId);
     }
 
+    public static NetworkACL findByNetworkACLId(long aclId){
+        return _networkACLDao.findById(aclId);
+    }
 
     public static AsyncJob findAsyncJobById(long jobId){
         return _asyncJobDao.findById(jobId);
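Review bot: The new accessor `findByNetworkACLId` reads as "find something by its network ACL id", while the neighbouring helper in this hunk is named `findAsyncJobById`; naming it `findNetworkACLById` would match that pattern and make call sites clearer. It also has no comment about the not-found case, which the caller in ApiResponseHelper handles with an `acl != null` check. A one-line Javadoc such as `/** Returns the network ACL with the given id, or null if none exists. */` would cover it, assuming `findById` behaves that way.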

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/server/src/com/cloud/api/ApiResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index 97e82ec..0524aa3 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -34,6 +34,12 @@ import java.util.TimeZone;
 
 import javax.inject.Inject;
 
+import com.cloud.network.vpc.NetworkACL;
+import com.cloud.network.vpc.NetworkACLItem;
+import com.cloud.network.vpc.PrivateGateway;
+import com.cloud.network.vpc.StaticRoute;
+import com.cloud.network.vpc.Vpc;
+import com.cloud.network.vpc.VpcOffering;
 import com.cloud.vm.*;
 import com.cloud.network.vpc.NetworkACL;
 import com.cloud.network.vpc.PrivateGateway;
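Review bot: The added import block repeats imports the file already has: `com.cloud.network.vpc.NetworkACL` and `com.cloud.network.vpc.PrivateGateway` appear again as unchanged lines directly below the new ones. Duplicate single-type imports compile, but they add noise to the import list and to later merges. Of the six added lines only `import com.cloud.network.vpc.NetworkACLItem;` looks new here. The others should be dropped if, as the two visible ones suggest, they are already imported further down (the rest of the import list is outside this hunk).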
@@ -82,7 +88,7 @@ import org.apache.cloudstack.api.response.LBStickinessPolicyResponse;
 import org.apache.cloudstack.api.response.LBStickinessResponse;
 import org.apache.cloudstack.api.response.LDAPConfigResponse;
 import org.apache.cloudstack.api.response.LoadBalancerResponse;
-import org.apache.cloudstack.api.response.NetworkACLListResponse;
+import org.apache.cloudstack.api.response.NetworkACLItemResponse;
 import org.apache.cloudstack.api.response.NetworkACLResponse;
 import org.apache.cloudstack.api.response.NetworkOfferingResponse;
 import org.apache.cloudstack.api.response.NetworkResponse;
@@ -2548,8 +2554,8 @@ public class ApiResponseHelper implements ResponseGenerator {
     }
 
     @Override
-    public NetworkACLResponse createNetworkACLItemResponse(FirewallRule networkACL) {
-        NetworkACLResponse response = new NetworkACLResponse();
+    public NetworkACLItemResponse createNetworkACLItemResponse(NetworkACLItem networkACL) {
+        NetworkACLItemResponse response = new NetworkACLItemResponse();
 
         response.setId(networkACL.getUuid());
         response.setProtocol(networkACL.getProtocol());
@@ -2566,9 +2572,9 @@ public class ApiResponseHelper implements ResponseGenerator {
 
         response.setTrafficType(networkACL.getTrafficType().toString());
 
-        FirewallRule.State state = networkACL.getState();
+        NetworkACLItem.State state = networkACL.getState();
         String stateToSet = state.toString();
-        if (state.equals(FirewallRule.State.Revoke)) {
+        if (state.equals(NetworkACLItem.State.Revoke)) {
             stateToSet = "Deleting";
         }
 
@@ -2577,6 +2583,11 @@ public class ApiResponseHelper implements ResponseGenerator {
 
         response.setState(stateToSet);
 
+        NetworkACL acl = ApiDBUtils.findByNetworkACLId(networkACL.getACLId());
+        if(acl != null){
+            response.setAclId(acl.getUuid());
+        }
+
         //set tag information
         List<? extends ResourceTag> tags = ApiDBUtils.listByResourceTypeAndId(TaggedResourceType.NetworkACL, networkACL.getId());
         List<ResourceTagResponse> tagResponses = new ArrayList<ResourceTagResponse>();
@@ -3718,8 +3729,8 @@ public class ApiResponseHelper implements ResponseGenerator {
         }
     }
 
-    public NetworkACLListResponse createNetworkACLResponse(NetworkACL networkACL) {
-        NetworkACLListResponse response = new NetworkACLListResponse();
+    public NetworkACLResponse createNetworkACLResponse(NetworkACL networkACL) {
+        NetworkACLResponse response = new NetworkACLResponse();
         response.setId(networkACL.getUuid());
         response.setName(networkACL.getName());
         response.setDescription(networkACL.getDescription());

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/server/src/com/cloud/network/NetworkManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index 5179e87..f2815d2 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -2636,7 +2636,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
         }
 
         //apply network ACLs
-        if (!_networkACLMgr.applyNetworkACLs(networkId, caller)) {
+        if (!_networkACLMgr.applyNetworkACL(networkId, caller)) {
             s_logger.warn("Failed to reapply network ACLs as a part of  of network id=" + networkId + " restart");
             success = false;
         }
@@ -3107,7 +3107,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
 
         //revoke all network ACLs for network
         try {
-            if (_networkACLMgr.revokeAllNetworkACLsForNetwork(networkId, callerUserId, caller)) {
+            if (_networkACLMgr.revokeACLItemsForNetwork(networkId, callerUserId, caller)) {
                 s_logger.debug("Successfully cleaned up NetworkACLs for network id=" + networkId);
             } else {
                 success = false;

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/server/src/com/cloud/network/dao/NetworkDao.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/dao/NetworkDao.java b/server/src/com/cloud/network/dao/NetworkDao.java
index 1d3f0b8..43cabe7 100644
--- a/server/src/com/cloud/network/dao/NetworkDao.java
+++ b/server/src/com/cloud/network/dao/NetworkDao.java
@@ -111,4 +111,6 @@ public interface NetworkDao extends GenericDao<NetworkVO, Long> , StateDao<State
     List<NetworkVO> listNetworksByAccount(long accountId, long zoneId, Network.GuestType type, boolean isSystem);
 
     List<NetworkVO> listRedundantNetworks();
+
+    List<NetworkVO> listByAclId(long aclId);
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/server/src/com/cloud/network/dao/NetworkDaoImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/dao/NetworkDaoImpl.java b/server/src/com/cloud/network/dao/NetworkDaoImpl.java
index 1bc8973..5b3b526 100644
--- a/server/src/com/cloud/network/dao/NetworkDaoImpl.java
+++ b/server/src/com/cloud/network/dao/NetworkDaoImpl.java
@@ -104,6 +104,7 @@ public class NetworkDaoImpl extends GenericDaoBase<NetworkVO, Long> implements N
         AllFieldsSearch.and("physicalNetwork", AllFieldsSearch.entity().getPhysicalNetworkId(), Op.EQ);
         AllFieldsSearch.and("broadcastUri", AllFieldsSearch.entity().getBroadcastUri(), Op.EQ);
         AllFieldsSearch.and("vpcId", AllFieldsSearch.entity().getVpcId(), Op.EQ);
+        AllFieldsSearch.and("aclId", AllFieldsSearch.entity().getNetworkACLId(), Op.EQ);
         SearchBuilder<NetworkOfferingVO> join1 = _ntwkOffDao.createSearchBuilder();
         join1.and("isSystem", join1.entity().isSystemOnly(), Op.EQ);
         join1.and("isRedundant", join1.entity().getRedundantRouter(), Op.EQ);
@@ -618,4 +619,12 @@ public class NetworkDaoImpl extends GenericDaoBase<NetworkVO, Long> implements N
         sc.setJoinParameters("offerings", "isRedundant", true);
         return listBy(sc, null);
     }
+
+    @Override
+    public List<NetworkVO> listByAclId(long aclId) {
+        SearchCriteria<NetworkVO> sc = AllFieldsSearch.create();
+        sc.setParameters("aclId", aclId);
+
+        return listBy(sc, null);
+    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/server/src/com/cloud/network/dao/NetworkVO.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/dao/NetworkVO.java b/server/src/com/cloud/network/dao/NetworkVO.java
index 77b40c8..664bc77 100644
--- a/server/src/com/cloud/network/dao/NetworkVO.java
+++ b/server/src/com/cloud/network/dao/NetworkVO.java
@@ -163,6 +163,9 @@ public class NetworkVO implements Network {
     @Column(name="ip6_cidr")
     String ip6Cidr;
 
+    @Column(name="network_acl_id")
+    Long networkACLId;
+
     public NetworkVO() {
     	this.uuid = UUID.randomUUID().toString();
     }
@@ -540,4 +543,13 @@ public class NetworkVO implements Network {
 	public void setIp6Gateway(String ip6Gateway) {
 		this.ip6Gateway = ip6Gateway;
 	}
+
+    public void setNetworkACLId(Long networkACLId) {
+        this.networkACLId = networkACLId;
+    }
+
+    @Override
+    public Long getNetworkACLId() {
+        return networkACLId;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/element/VpcVirtualRouterElement.java b/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
index 0844369..8b0c58a 100644
--- a/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
+++ b/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
@@ -25,6 +25,7 @@ import java.util.Set;
 import javax.ejb.Local;
 import javax.inject.Inject;
 
+import com.cloud.network.vpc.*;
 import org.apache.log4j.Logger;
 
 import com.cloud.dc.DataCenter;
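Review bot: The explicit `com.cloud.network.vpc` imports are replaced by the wildcard `import com.cloud.network.vpc.*;` here, and the same is done in VpcVirtualNetworkApplianceManager.java and VpcVirtualNetworkApplianceManagerImpl.java. A wildcard hides which types the file depends on and can introduce name clashes as the package grows, which this commit itself does by adding types to it. Keeping the removed explicit imports and adding `import com.cloud.network.vpc.NetworkACLItem;` (plus `NetworkACLItemVO` where the Impl casts to it) would keep the dependency list reviewable.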
@@ -48,11 +49,6 @@ import com.cloud.network.router.VirtualRouter;
 import com.cloud.network.router.VirtualRouter.Role;
 import com.cloud.network.router.VpcVirtualNetworkApplianceManager;
 import com.cloud.network.rules.FirewallRule;
-import com.cloud.network.vpc.PrivateGateway;
-import com.cloud.network.vpc.StaticRouteProfile;
-import com.cloud.network.vpc.Vpc;
-import com.cloud.network.vpc.VpcGateway;
-import com.cloud.network.vpc.VpcManager;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.vm.DomainRouterVO;
@@ -390,7 +386,7 @@ public class VpcVirtualRouterElement extends VirtualRouterElement implements Vpc
     }
 
     @Override
-    public boolean applyNetworkACLs(Network config, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
+    public boolean applyNetworkACLs(Network config, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException {
         if (canHandle(config, Service.NetworkACL)) {
             List<DomainRouterVO> routers = _routerDao.listByNetworkAndRole(config.getId(), Role.VIRTUAL_ROUTER);
             if (routers == null || routers.isEmpty()) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
index 4ad8868..20a45de 100644
--- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -574,7 +574,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
                     break;
             }
             break;
-        case NetworkACL:
+/*        case NetworkACL:
             for (NetworkACLServiceProvider element: _networkAclElements) {
                 Network.Provider provider = element.getProvider();
                 boolean  isAclProvider = _networkModel.isProviderSupportServiceInNetwork(network.getId(), Service.NetworkACL, provider);
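Review bot: Commenting out `case NetworkACL:` (the block comment opened here is closed in the next hunk) means a rule whose purpose is still `NetworkACL` now falls into `default:`, where the only visible handling is `assert(false)` and an error log; with assertions disabled that is just a log line. If rows with that purpose can still reach this switch, for example ACL rules created before this change, they would no longer be handed to any ACL provider, so the filtering they describe may silently not be applied. Either delete the dead branch outright instead of leaving it commented, or keep an explicit `case NetworkACL:` that fails loudly and points to the new ACL manager path. What the method does after the log call is outside the hunk.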
@@ -585,7 +585,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
                 if (handled)
                     break;
             }
-            break;
+            break;*/
         default:
             assert(false): "Unexpected fall through in applying rules to the network elements";
             s_logger.error("FirewallManager cannot process rules of type " + purpose);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManager.java b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManager.java
index 76c8aa8..306b1a8 100644
--- a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManager.java
+++ b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManager.java
@@ -25,10 +25,7 @@ import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.Network;
 import com.cloud.network.Site2SiteVpnConnection;
 import com.cloud.network.VpcVirtualNetworkApplianceService;
-import com.cloud.network.rules.FirewallRule;
-import com.cloud.network.vpc.PrivateGateway;
-import com.cloud.network.vpc.StaticRouteProfile;
-import com.cloud.network.vpc.Vpc;
+import com.cloud.network.vpc.*;
 import com.cloud.user.Account;
 import com.cloud.vm.DomainRouterVO;
 import com.cloud.vm.VirtualMachineProfile.Param;
@@ -57,7 +54,7 @@ public interface VpcVirtualNetworkApplianceManager extends VirtualNetworkApplian
      * @return
      * @throws ResourceUnavailableException
      */
-    boolean applyNetworkACLs(Network network, List<? extends FirewallRule> rules, List<? extends VirtualRouter> routers) 
+    boolean applyNetworkACLs(Network network, List<? extends NetworkACLItem> rules, List<? extends VirtualRouter> routers)
             throws ResourceUnavailableException;
 
     /**

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
index ebf2d42..1d901d9 100644
--- a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
@@ -27,6 +27,7 @@ import java.util.TreeSet;
 import javax.ejb.Local;
 import javax.inject.Inject;
 
+import com.cloud.network.vpc.*;
 import org.apache.log4j.Logger;
 import org.springframework.stereotype.Component;
 
@@ -93,16 +94,6 @@ import com.cloud.network.dao.Site2SiteVpnGatewayVO;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.FirewallRuleVO;
-import com.cloud.network.vpc.NetworkACLManager;
-import com.cloud.network.vpc.PrivateGateway;
-import com.cloud.network.vpc.PrivateIpAddress;
-import com.cloud.network.vpc.PrivateIpVO;
-import com.cloud.network.vpc.StaticRoute;
-import com.cloud.network.vpc.StaticRouteProfile;
-import com.cloud.network.vpc.Vpc;
-import com.cloud.network.vpc.VpcGateway;
-import com.cloud.network.vpc.VpcManager;
-import com.cloud.network.vpc.VpcVO;
 import com.cloud.network.vpc.dao.PrivateIpDao;
 import com.cloud.network.vpc.dao.StaticRouteDao;
 import com.cloud.network.vpc.dao.VpcDao;
@@ -704,7 +695,7 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
     }
     
     @Override
-    public boolean applyNetworkACLs(Network network, final List<? extends FirewallRule> rules, List<? extends VirtualRouter> routers)
+    public boolean applyNetworkACLs(Network network, final List<? extends NetworkACLItem> rules, List<? extends VirtualRouter> routers)
             throws ResourceUnavailableException {
         if (rules == null || rules.isEmpty()) {
             s_logger.debug("No network ACLs to be applied for network " + network.getId());
@@ -719,14 +710,14 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
     }
 
     
-    protected boolean sendNetworkACLs(VirtualRouter router, List<? extends FirewallRule> rules, long guestNetworkId) 
+    protected boolean sendNetworkACLs(VirtualRouter router, List<? extends NetworkACLItem> rules, long guestNetworkId)
             throws ResourceUnavailableException {
         Commands cmds = new Commands(OnError.Continue);
         createNetworkACLsCommands(rules, router, cmds, guestNetworkId);
         return sendCommandsToRouter(router, cmds);
     }
     
-    private void createNetworkACLsCommands(List<? extends FirewallRule> rules, VirtualRouter router, Commands cmds, 
+    private void createNetworkACLsCommands(List<? extends NetworkACLItem> rules, VirtualRouter router, Commands cmds,
             long guestNetworkId) {
         List<NetworkACLTO> rulesTO = null;
         String guestVlan = null;
@@ -739,11 +730,11 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
         if (rules != null) {
             rulesTO = new ArrayList<NetworkACLTO>();
             
-            for (FirewallRule rule : rules) {
-                if (rule.getSourceCidrList() == null && (rule.getPurpose() == Purpose.Firewall || rule.getPurpose() == Purpose.NetworkACL)) {
-                    _firewallDao.loadSourceCidrs((FirewallRuleVO)rule);
-                }
-                NetworkACLTO ruleTO = new NetworkACLTO(rule, guestVlan, rule.getTrafficType());
+            for (NetworkACLItem rule : rules) {
+//                if (rule.getSourceCidrList() == null && (rule.getPurpose() == Purpose.Firewall || rule.getPurpose() == Purpose.NetworkACL)) {
+//                    _firewallDao.loadSourceCidrs((FirewallRuleVO)rule);
+//                }
+                NetworkACLTO ruleTO = new NetworkACLTO((NetworkACLItemVO)rule, guestVlan, rule.getTrafficType());
                 rulesTO.add(ruleTO);
             }
         }
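Review bot: The loop no longer loads source CIDRs before building the `NetworkACLTO`: the `loadSourceCidrs` call is commented out rather than ported, although the new `NetworkACLItemDao` in this commit declares `loadSourceCidrs(NetworkACLItemVO rule)`. If the CIDR list is populated lazily as it was for firewall rules, the transfer object sent to the router could carry no source restriction, and depending on how the router treats an empty list that may make a rule broader than the operator configured; this should be confirmed and the load restored via the new DAO. The added cast `(NetworkACLItemVO)rule` also contradicts the `List<? extends NetworkACLItem>` parameter type, since any other implementation would fail with a ClassCastException; either narrow the parameter to `List<NetworkACLItemVO>` or let `NetworkACLTO` accept the interface. The commented-out lines should be removed once that is decided. createNetworkACLsCommands starts in the previous hunk and continues past this one.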
@@ -929,7 +920,7 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
         
         if (router.getVpcId() != null) {
             if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.NetworkACL, Provider.VPCVirtualRouter)) {
-                List<? extends FirewallRule> networkACLs = _networkACLMgr.listNetworkACLs(guestNetworkId);
+                List<NetworkACLItemVO> networkACLs = _networkACLMgr.listNetworkACLItems(guestNetworkId);
                 s_logger.debug("Found " + networkACLs.size() + " network ACLs to apply as a part of VPC VR " + router 
                         + " start for guest network id=" + guestNetworkId);
                 if (!networkACLs.isEmpty()) {
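Review bot: `networkACLs.size()` is called on the result of `listNetworkACLItems(guestNetworkId)` before any null check, in the debug log two lines above the `isEmpty()` test. NetworkVO's new `networkACLId` is a nullable `Long`, so a guest network may have no ACL attached; if the manager returns null in that case (its implementation is not in this hunk), router start would fail with a NullPointerException. Guarding with `if (networkACLs != null && !networkACLs.isEmpty())` and moving the log inside the guard avoids that. The enclosing method starts and ends outside the hunk.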

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/604754d1/server/src/com/cloud/network/vpc/NetworkACLItemDao.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/NetworkACLItemDao.java b/server/src/com/cloud/network/vpc/NetworkACLItemDao.java
new file mode 100644
index 0000000..739aa8c
--- /dev/null
+++ b/server/src/com/cloud/network/vpc/NetworkACLItemDao.java
@@ -0,0 +1,44 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+// 
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.vpc;
+
+import com.cloud.utils.db.GenericDao;
+
+import java.util.List;
+
+/*
+ * Data Access Object for network_acl_item table
+ */
+public interface NetworkACLItemDao extends GenericDao<NetworkACLItemVO, Long> {
+
+    List<NetworkACLItemVO> listByACLAndNotRevoked(long aclId);
+
+    boolean setStateToAdd(NetworkACLItemVO rule);
+
+    boolean revoke(NetworkACLItemVO rule);
+
+    boolean releasePorts(long ipAddressId, String protocol, int[] ports);
+
+    List<NetworkACLItemVO> listByACL(long aclId);
+
+    List<NetworkACLItemVO> listSystemRules();
+
+    List<NetworkACLItemVO> listByACLTrafficTypeAndNotRevoked(long aclId, NetworkACLItemVO.TrafficType trafficType);
+    List<NetworkACLItemVO> listByACLTrafficType(long aclId, NetworkACLItemVO.TrafficType trafficType);
+    
+    void loadSourceCidrs(NetworkACLItemVO rule);
+}
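Review bot: The new interface has no per-method documentation, and two of its methods look carried over from the firewall rules DAO without fitting ACL items: `releasePorts(long ipAddressId, String protocol, int[] ports)` is keyed by an IP address id, and `listSystemRules()` has no ACL parameter. If nothing calls them for ACL items they should be dropped; otherwise each method needs a Javadoc line saying what it selects and, for `setStateToAdd` and `revoke`, what the boolean result means. The header comment would also be better as Javadoc, `/** Data access object for the network_acl_item table. */`, so it shows up in generated docs.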

