cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kis...@apache.org
Subject [06/16] git commit: updated refs/heads/master to 595f78f
Date Mon, 13 May 2013 06:34:42 GMT
CLOUDSTACK-763: Added acl_id param to createNetwork API. Backend changes for acl_deny. Support
for all protocol and protocol number


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/b30a01a7
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/b30a01a7
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/b30a01a7

Branch: refs/heads/master
Commit: b30a01a7051197b25d568a853f945732a733bc75
Parents: 750bfe7
Author: Kishan Kavala <kishan@cloud.com>
Authored: Thu May 2 17:53:56 2013 +0530
Committer: Kishan Kavala <kishan@cloud.com>
Committed: Mon May 13 12:03:38 2013 +0530

----------------------------------------------------------------------
 api/src/com/cloud/network/Network.java             |    2 +
 api/src/com/cloud/network/NetworkProfile.java      |    5 ++
 api/src/com/cloud/network/vpc/NetworkACL.java      |    3 +
 .../command/user/network/CreateNetworkACLCmd.java  |    2 +-
 .../api/command/user/network/CreateNetworkCmd.java |   15 +++--
 .../src/com/cloud/network/dao/NetworkVO.java       |    1 +
 .../debian/config/opt/cloud/bin/vpc_acl.sh         |   11 ++--
 .../src/com/cloud/network/NetworkServiceImpl.java  |   30 +++++++++-
 .../com/cloud/network/vpc/NetworkACLItemDao.java   |    1 +
 .../cloud/network/vpc/NetworkACLManagerImpl.java   |   14 ++---
 .../cloud/network/vpc/NetworkACLServiceImpl.java   |   46 +++++++++++++--
 server/src/com/cloud/network/vpc/VpcManager.java   |    2 +-
 .../src/com/cloud/network/vpc/VpcManagerImpl.java  |    7 ++-
 .../network/vpc/dao/NetworkACLItemDaoImpl.java     |    9 +++
 server/test/com/cloud/vpc/MockVpcManagerImpl.java  |    2 +-
 setup/db/create-schema.sql                         |    1 -
 setup/db/db/schema-410to420.sql                    |   12 +++-
 17 files changed, 125 insertions(+), 38 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/api/src/com/cloud/network/Network.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/Network.java b/api/src/com/cloud/network/Network.java
index e359550..2f4021f 100644
--- a/api/src/com/cloud/network/Network.java
+++ b/api/src/com/cloud/network/Network.java
@@ -328,4 +328,6 @@ public interface Network extends ControlledEntity, StateObject<Network.State>,
I
     Long getVpcId();
 
     Long getNetworkACLId();
+
+    void setNetworkACLId(Long networkACLId);
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/api/src/com/cloud/network/NetworkProfile.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/NetworkProfile.java b/api/src/com/cloud/network/NetworkProfile.java
index 568edf7..1807021 100644
--- a/api/src/com/cloud/network/NetworkProfile.java
+++ b/api/src/com/cloud/network/NetworkProfile.java
@@ -244,6 +244,11 @@ public class NetworkProfile implements Network {
     }
 
     @Override
+    public void setNetworkACLId(Long networkACLId) {
+        this.networkAclId = networkACLId;
+    }
+
+    @Override
     public void setTrafficType(TrafficType type) {
         this.trafficType = type;
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/api/src/com/cloud/network/vpc/NetworkACL.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/vpc/NetworkACL.java b/api/src/com/cloud/network/vpc/NetworkACL.java
index 1b171e3..c5a0d6d 100644
--- a/api/src/com/cloud/network/vpc/NetworkACL.java
+++ b/api/src/com/cloud/network/vpc/NetworkACL.java
@@ -21,6 +21,9 @@ import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.api.InternalIdentity;
 
 public interface NetworkACL extends InternalIdentity, ControlledEntity{
+    public static final long DEFAULT_DENY = 1;
+    public static final long DEFAULT_ALLOW = 2;
+
     String getDescription();
 
     String getUuid();

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
b/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
index 984ed57..e78fe44 100644
--- a/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
@@ -56,7 +56,7 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd {
     // ///////////////////////////////////////////////////
 
     @Parameter(name = ApiConstants.PROTOCOL, type = CommandType.STRING, required = true,
description =
-            "the protocol for the ACL rule. Valid values are TCP/UDP/ICMP.")
+            "the protocol for the ACL rule. Valid values are TCP/UDP/ICMP/ALL or valid protocol
number")
     private String protocol;
 
     @Parameter(name = ApiConstants.START_PORT, type = CommandType.INTEGER, description =
"the starting port of ACL")

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java
b/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java
index fc7bd9f..e88aca7 100644
--- a/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java
@@ -22,13 +22,7 @@ import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.DomainResponse;
-import org.apache.cloudstack.api.response.NetworkOfferingResponse;
-import org.apache.cloudstack.api.response.NetworkResponse;
-import org.apache.cloudstack.api.response.PhysicalNetworkResponse;
-import org.apache.cloudstack.api.response.ProjectResponse;
-import org.apache.cloudstack.api.response.VpcResponse;
-import org.apache.cloudstack.api.response.ZoneResponse;
+import org.apache.cloudstack.api.response.*;
 import org.apache.log4j.Logger;
 
 import com.cloud.exception.ConcurrentOperationException;
@@ -126,6 +120,9 @@ public class CreateNetworkCmd extends BaseCmd {
     @Parameter(name=ApiConstants.IP6_CIDR, type=CommandType.STRING, description="the CIDR
of IPv6 network, must be at least /64")
     private String ip6Cidr;
 
+    @Parameter(name=ApiConstants.ACL_ID, type=CommandType.UUID, entityType = NetworkACLResponse.class,
+            description="Network ACL Id associated for the network")
+    private Long aclId;
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -247,6 +244,10 @@ public class CreateNetworkCmd extends BaseCmd {
         return ip6Cidr.toLowerCase();
     }
 
+    public Long getAclId() {
+        return aclId;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/engine/schema/src/com/cloud/network/dao/NetworkVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/network/dao/NetworkVO.java b/engine/schema/src/com/cloud/network/dao/NetworkVO.java
index 7241f1c..ee44349 100644
--- a/engine/schema/src/com/cloud/network/dao/NetworkVO.java
+++ b/engine/schema/src/com/cloud/network/dao/NetworkVO.java
@@ -541,6 +541,7 @@ public class NetworkVO implements Network {
 		this.ip6Gateway = ip6Gateway;
 	}
 
+    @Override
     public void setNetworkACLId(Long networkACLId) {
         this.networkACLId = networkACLId;
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
index 8a207e8..903d6d6 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
@@ -102,6 +102,7 @@ acl_entry_for_guest_network() {
   local sport=$(echo $rule | cut -d: -f3)
   local eport=$(echo $rule | cut -d: -f4)
   local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
+  local action=$(echo $rule | cut -d: -f6)
   if [ "$sport" == "0" -a "$eport" == "0" ]
   then
       DPORT=""
@@ -123,21 +124,21 @@ acl_entry_for_guest_network() {
       if [ "$ttype" == "Ingress" ]
       then
         sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr  \
-                    --icmp-type $typecode  -j ACCEPT
+                    --icmp-type $typecode  -j $action
       else
         let egress++
         sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr  \
-                    --icmp-type $typecode  -j ACCEPT
+                    --icmp-type $typecode  -j $action
       fi
     else
       if [ "$ttype" == "Ingress" ]
       then
         sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
-                    $DPORT -j ACCEPT
+                    $DPORT -j $action
       else
         let egress++
         sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
-                    $DPORT -j ACCEPT
+                    $DPORT -j $action
       fi
     fi
     result=$?
@@ -195,7 +196,7 @@ fi
 # protocal:sport:eport:cidr
 #-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
 #    if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
-# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0

+# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:ACCEPT:,172.16.92.44:tcp:220:220:0.0.0.0/0:DROP,200.1.1.2:reverted:0:0:0
 
 success=0
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/server/src/com/cloud/network/NetworkServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java
index 8815558..92d52da 100755
--- a/server/src/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/com/cloud/network/NetworkServiceImpl.java
@@ -18,6 +18,8 @@ package com.cloud.network;
 
 import java.net.Inet6Address;
 import java.net.InetAddress;
+import java.net.InetAddress;
+import java.net.Inet6Address;
 import java.net.UnknownHostException;
 import java.security.InvalidParameterException;
 import java.sql.PreparedStatement;
@@ -42,6 +44,10 @@ import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.command.admin.network.DedicateGuestVlanRangeCmd;
 import org.apache.cloudstack.api.command.admin.network.ListDedicatedGuestVlanRangesCmd;
+import com.cloud.network.vpc.NetworkACL;
+import com.cloud.network.vpc.dao.NetworkACLDao;
+import org.apache.cloudstack.acl.ControlledEntity.ACLType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.command.admin.usage.ListTrafficTypeImplementorsCmd;
 import org.apache.cloudstack.api.command.user.network.CreateNetworkCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworksCmd;
@@ -50,6 +56,10 @@ import org.apache.cloudstack.api.command.user.vm.ListNicsCmd;
 import org.apache.cloudstack.network.element.InternalLoadBalancerElementService;
 import org.apache.log4j.Logger;
 import org.springframework.stereotype.Component;
+import org.apache.log4j.Logger;
+import org.springframework.stereotype.Component;
+import org.apache.cloudstack.api.command.user.vm.ListNicsCmd;
+import org.bouncycastle.util.IPAddress;
 
 import com.cloud.configuration.Config;
 import com.cloud.configuration.ConfigurationManager;
@@ -301,6 +311,8 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService
{
     DataCenterVnetDao _datacneter_vnet;
     @Inject
     AccountGuestVlanMapDao _accountGuestVlanMapDao;
+    @Inject
+    NetworkACLDao _networkACLDao;
 
     int _cidrLimit;
     boolean _allowSubdomainNetworkAccess;
@@ -930,6 +942,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService
{
         String endIPv6 = cmd.getEndIpv6();
         String ip6Gateway = cmd.getIp6Gateway();
         String ip6Cidr = cmd.getIp6Cidr();
+        Long aclId = cmd.getAclId();
 
         // Validate network offering
         NetworkOfferingVO ntwkOff = _networkOfferingDao.findById(networkOfferingId);
@@ -1211,8 +1224,21 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService
{
             if (!_configMgr.isOfferingForVpc(ntwkOff)){
                 throw new InvalidParameterValueException("Network offering can't be used
for VPC networks");
             }
-            network = _vpcMgr.createVpcGuestNetwork(networkOfferingId, name, displayText,
gateway, cidr, vlanId,
-                    networkDomain, owner, sharedDomainId, pNtwk, zoneId, aclType, subdomainAccess,
vpcId, caller);
+            if(aclId == null){
+                //Use default deny all ACL, when aclId is not specified
+                aclId = NetworkACL.DEFAULT_DENY;
+            } else {
+                NetworkACL acl = _networkACLDao.findById(aclId);
+                if(acl == null){
+                    throw new InvalidParameterValueException("Unable to find specified NetworkACL");
+                }
+
+                if(vpcId != acl.getVpcId()){
+                    throw new InvalidParameterValueException("ACL: "+aclId+" do not belong
to the VPC");
+                }
+            }
+            network = _vpcMgr.createVpcGuestNetwork(networkOfferingId, name, displayText,
gateway, cidr, vlanId, 
+                    networkDomain, owner, sharedDomainId, pNtwk, zoneId, aclType, subdomainAccess,
vpcId, aclId, caller);
         } else {
             if (_configMgr.isOfferingForVpc(ntwkOff)){
                 throw new InvalidParameterValueException("Network offering can be used for
VPC networks only");

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/server/src/com/cloud/network/vpc/NetworkACLItemDao.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/NetworkACLItemDao.java b/server/src/com/cloud/network/vpc/NetworkACLItemDao.java
index 8f70ac7..e4b1871 100644
--- a/server/src/com/cloud/network/vpc/NetworkACLItemDao.java
+++ b/server/src/com/cloud/network/vpc/NetworkACLItemDao.java
@@ -33,4 +33,5 @@ public interface NetworkACLItemDao extends GenericDao<NetworkACLItemVO,
Long> {
 
     int getMaxNumberByACL(long aclId);
 
+    NetworkACLItemVO findByAclAndNumber(long aclId, int number);
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/server/src/com/cloud/network/vpc/NetworkACLManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/NetworkACLManagerImpl.java b/server/src/com/cloud/network/vpc/NetworkACLManagerImpl.java
index 20fd586..67547c6 100644
--- a/server/src/com/cloud/network/vpc/NetworkACLManagerImpl.java
+++ b/server/src/com/cloud/network/vpc/NetworkACLManagerImpl.java
@@ -77,13 +77,15 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
 
     @Override
     public boolean applyNetworkACL(long aclId) throws ResourceUnavailableException {
-        boolean handled = false;
+        boolean handled = true;
         List<NetworkACLItemVO> rules = _networkACLItemDao.listByACL(aclId);
         //Find all networks using this ACL
         List<NetworkVO> networks = _networkDao.listByAclId(aclId);
         for(NetworkVO network : networks){
-            //Failure case??
-            handled = applyACLItemsToNetwork(network.getId(), rules);
+            if(!applyACLItemsToNetwork(network.getId(), rules)) {
+                handled = false;
+                break;
+            }
         }
         if(handled){
             for (NetworkACLItem rule : rules) {
@@ -115,9 +117,6 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
 
     @Override
     public boolean replaceNetworkACL(NetworkACL acl, NetworkVO network) throws ResourceUnavailableException
{
-        if(network.getVpcId() != acl.getVpcId()){
-            throw new InvalidParameterValueException("Network: "+network.getUuid()+" and
ACL: "+acl.getUuid()+" do not belong to the same VPC");
-        }
         network.setNetworkACLId(acl.getId());
         if(_networkDao.update(network.getId(), network)){
             return applyACLToNetwork(network.getId());
@@ -146,9 +145,6 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
         NetworkACLItemVO newRule = new NetworkACLItemVO(portStart, portEnd, protocol.toLowerCase(),
aclId, sourceCidrList, icmpCode, icmpType, trafficType, ruleAction, number);
         newRule = _networkACLItemDao.persist(newRule);
 
-        //ToDo: Is this required now with number??
-        //detectNetworkACLConflict(newRule);
-
         if (!_networkACLItemDao.setStateToAdd(newRule)) {
             throw new CloudRuntimeException("Unable to update the state to add for " + newRule);
         }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
index 381bc6a..2844dcb 100644
--- a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
+++ b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
@@ -20,6 +20,7 @@ import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.Network;
 import com.cloud.network.NetworkModel;
+import com.cloud.network.Networks;
 import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.element.NetworkACLServiceProvider;
@@ -46,6 +47,7 @@ import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
+import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
 import org.springframework.stereotype.Component;
 
@@ -166,14 +168,24 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
             throw new InvalidParameterValueException("Network is not part of a VPC: "+ network.getUuid());
         }
 
-        Vpc vpc = _vpcMgr.getVpc(acl.getVpcId());
-        if(vpc == null){
-            throw new InvalidParameterValueException("Unable to find Vpc associated with
the NetworkACL");
+        if (network.getTrafficType() != Networks.TrafficType.Guest) {
+            throw new InvalidParameterValueException("Network ACL can be created just for
networks of type " + Networks.TrafficType.Guest);
         }
-        _accountMgr.checkAccess(caller, null, true, vpc);
-        if(network.getVpcId() != acl.getVpcId()){
-            throw new InvalidParameterValueException("Network: "+networkId+" and ACL: "+aclId+"
do not belong to the same VPC");
+
+        if(aclId != NetworkACL.DEFAULT_DENY) {
+            //ACL is not default DENY
+            // ACL should be associated with a VPC
+            Vpc vpc = _vpcMgr.getVpc(acl.getVpcId());
+            if(vpc == null){
+                throw new InvalidParameterValueException("Unable to find Vpc associated with
the NetworkACL");
+            }
+
+            _accountMgr.checkAccess(caller, null, true, vpc);
+            if(network.getVpcId() != acl.getVpcId()){
+                throw new InvalidParameterValueException("Network: "+networkId+" and ACL:
"+aclId+" do not belong to the same VPC");
+            }
         }
+
         return _networkAclMgr.replaceNetworkACL(acl, network);
     }
 
@@ -207,6 +219,12 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
         Account aclOwner = _accountMgr.getAccount(vpc.getAccountId());
         _accountMgr.checkAccess(aclOwner, SecurityChecker.AccessType.ModifyEntry, false,
acl);
 
+        if(aclItemCmd.getNumber() != null){
+            if(_networkACLItemDao.findByAclAndNumber(aclId, aclItemCmd.getNumber()) != null){
+                throw new InvalidParameterValueException("ACL item with number "+aclItemCmd.getNumber()+"
already exists in ACL: "+acl.getUuid());
+            }
+        }
+
         validateNetworkACLItem(aclItemCmd.getSourcePortStart(), aclItemCmd.getSourcePortEnd(),
aclItemCmd.getSourceCidrList(),
                 aclItemCmd.getProtocol(), aclItemCmd.getIcmpCode(), aclItemCmd.getIcmpType(),
aclItemCmd.getAction());
 
@@ -238,6 +256,22 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
             }
         }
 
+        //Validate Protocol
+        //Check if protocol is a number
+        if(StringUtils.isNumeric(protocol)){
+            int protoNumber = Integer.parseInt(protocol);
+            if(protoNumber < 0 || protoNumber > 255){
+                throw new InvalidParameterValueException("Invalid protocol number: " + protoNumber);
+            }
+        } else {
+            //Protocol is not number
+            //Check for valid protocol strings
+            String supportedProtocols = "tcp,udp,icmp,all";
+            if(!supportedProtocols.contains(protocol.toLowerCase())){
+                throw new InvalidParameterValueException("Invalid protocol: " + protocol);
+            }
+        }
+
         // icmp code and icmp type can't be passed in for any other protocol rather than
icmp
         if (!protocol.equalsIgnoreCase(NetUtils.ICMP_PROTO) && (icmpCode != null
|| icmpType != null)) {
             throw new InvalidParameterValueException("Can specify icmpCode and icmpType for
ICMP protocol only");

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/server/src/com/cloud/network/vpc/VpcManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/VpcManager.java b/server/src/com/cloud/network/vpc/VpcManager.java
index 84ab8ef..07b9494 100644
--- a/server/src/com/cloud/network/vpc/VpcManager.java
+++ b/server/src/com/cloud/network/vpc/VpcManager.java
@@ -104,7 +104,7 @@ public interface VpcManager extends VpcService{
      */
     Network createVpcGuestNetwork(long ntwkOffId, String name, String displayText, String
gateway, String cidr, 
             String vlanId, String networkDomain, Account owner, Long domainId, PhysicalNetwork
pNtwk, long zoneId,
-            ACLType aclType, Boolean subdomainAccess, long vpcId, Account caller) 
+            ACLType aclType, Boolean subdomainAccess, long vpcId, long aclId, Account caller)
                     throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException;
 
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/server/src/com/cloud/network/vpc/VpcManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
index e6d71fa..9993c06 100644
--- a/server/src/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
@@ -1969,7 +1969,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager,
VpcProvis
     @Override
     public Network createVpcGuestNetwork(long ntwkOffId, String name, String displayText,
String gateway, 
             String cidr, String vlanId, String networkDomain, Account owner, Long domainId,
-            PhysicalNetwork pNtwk, long zoneId, ACLType aclType, Boolean subdomainAccess,
long vpcId, Account caller) 
+            PhysicalNetwork pNtwk, long zoneId, ACLType aclType, Boolean subdomainAccess,
long vpcId, long aclId, Account caller)
                     throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException
{
 
         Vpc vpc = getActiveVpc(vpcId);
@@ -1995,7 +1995,10 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager,
VpcProvis
         //2) Create network
         Network guestNetwork = _ntwkMgr.createGuestNetwork(ntwkOffId, name, displayText,
gateway, cidr, vlanId, 
                 networkDomain, owner, domainId, pNtwk, zoneId, aclType, subdomainAccess,
vpcId, null, null);
-
+        if(guestNetwork != null){
+            guestNetwork.setNetworkACLId(aclId);
+            _ntwkDao.update(guestNetwork.getId(), (NetworkVO)guestNetwork);
+        }
         return guestNetwork;
     }
     

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/server/src/com/cloud/network/vpc/dao/NetworkACLItemDaoImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpc/dao/NetworkACLItemDaoImpl.java b/server/src/com/cloud/network/vpc/dao/NetworkACLItemDaoImpl.java
index a433e0c..8162ce8 100644
--- a/server/src/com/cloud/network/vpc/dao/NetworkACLItemDaoImpl.java
+++ b/server/src/com/cloud/network/vpc/dao/NetworkACLItemDaoImpl.java
@@ -45,6 +45,8 @@ public class NetworkACLItemDaoImpl extends GenericDaoBase<NetworkACLItemVO,
Long
         AllFieldsSearch.and("id", AllFieldsSearch.entity().getId(), Op.EQ);
         AllFieldsSearch.and("aclId", AllFieldsSearch.entity().getAclId(), Op.EQ);
         AllFieldsSearch.and("trafficType", AllFieldsSearch.entity().getTrafficType(), Op.EQ);
+        AllFieldsSearch.and("number", AllFieldsSearch.entity().getNumber(), Op.EQ);
+        AllFieldsSearch.and("action", AllFieldsSearch.entity().getAction(), Op.EQ);
         AllFieldsSearch.done();
 
         NotRevokedSearch = createSearchBuilder();
@@ -101,4 +103,11 @@ public class NetworkACLItemDaoImpl extends GenericDaoBase<NetworkACLItemVO,
Long
         return (max == null) ? 0 : max;
     }
 
+    @Override
+    public NetworkACLItemVO findByAclAndNumber(long aclId, int number) {
+        SearchCriteria<NetworkACLItemVO> sc = AllFieldsSearch.create();
+        sc.setParameters("aclId", aclId);
+        sc.setParameters("number", number);
+        return findOneBy(sc);
+    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/server/test/com/cloud/vpc/MockVpcManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vpc/MockVpcManagerImpl.java b/server/test/com/cloud/vpc/MockVpcManagerImpl.java
index baccbd0..b4851d6 100644
--- a/server/test/com/cloud/vpc/MockVpcManagerImpl.java
+++ b/server/test/com/cloud/vpc/MockVpcManagerImpl.java
@@ -303,7 +303,7 @@ public class MockVpcManagerImpl extends ManagerBase implements VpcManager
{
      */
     @Override
     public Network createVpcGuestNetwork(long ntwkOffId, String name, String displayText,
String gateway, String cidr, String vlanId, String networkDomain, Account owner, Long domainId,
PhysicalNetwork pNtwk,
-            long zoneId, ACLType aclType, Boolean subdomainAccess, long vpcId, Account caller)
throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException
{
+            long zoneId, ACLType aclType, Boolean subdomainAccess, long vpcId, long aclId,
Account caller) throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException
{
         // TODO Auto-generated method stub
         return null;
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/setup/db/create-schema.sql
----------------------------------------------------------------------
diff --git a/setup/db/create-schema.sql b/setup/db/create-schema.sql
index 37c2352..b1feb02 100755
--- a/setup/db/create-schema.sql
+++ b/setup/db/create-schema.sql
@@ -268,7 +268,6 @@ CREATE TABLE `cloud`.`networks` (
   `removed` datetime COMMENT 'date removed if not null',
   `specify_ip_ranges` int(1) unsigned NOT NULL DEFAULT 0 COMMENT 'true if the network provides
an ability to define ip ranges',
   `vpc_id` bigint unsigned COMMENT 'vpc this network belongs to',
-  `network_acl_id` bigint unsigned COMMENT 'network acl id',
   PRIMARY KEY (`id`),
   CONSTRAINT `fk_networks__network_offering_id` FOREIGN KEY (`network_offering_id`) REFERENCES
`network_offerings`(`id`),  
   CONSTRAINT `fk_networks__data_center_id` FOREIGN KEY (`data_center_id`) REFERENCES `data_center`(`id`)
ON DELETE CASCADE,

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b30a01a7/setup/db/db/schema-410to420.sql
----------------------------------------------------------------------
diff --git a/setup/db/db/schema-410to420.sql b/setup/db/db/schema-410to420.sql
index d5eb277..09c16c1 100644
--- a/setup/db/db/schema-410to420.sql
+++ b/setup/db/db/schema-410to420.sql
@@ -1204,11 +1204,17 @@ CREATE TABLE `cloud`.`network_acl_item` (
   `number` int(10) NOT NULL COMMENT 'priority number of the acl item',
   `action` varchar(10) NOT NULL COMMENT 'rule action, allow or deny',
   PRIMARY KEY  (`id`),
+  UNIQUE KEY (`acl_id`, `number`),
   CONSTRAINT `fk_network_acl_item__acl_id` FOREIGN KEY(`acl_id`) REFERENCES `network_acl`(`id`)
ON DELETE CASCADE,
   CONSTRAINT `uc_network_acl_item__uuid` UNIQUE (`uuid`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 ALTER TABLE `cloud`.`networks` add column `network_acl_id` bigint unsigned COMMENT 'network
acl id';
-INSERT INTO `cloud`.`network_acl` values (1, UUID(), 0, "Default Network ACL", "default");
-INSERT INTO `cloud`.`network_acl_item` (id, uuid, acl_id, state, protocol, created, traffic_type,
cidr, number, action) values (1, UUID(), 1, "Active", "tcp", now(), "Ingress", "0.0.0.0/0",
1, "Deny");
-INSERT INTO `cloud`.`network_acl_item` (id, uuid, acl_id, state, protocol, created, traffic_type,
cidr, number, action) values (2, UUID(), 1, "Active", "tcp", now(), "Egress", "0.0.0.0/0",
2, "Deny");
+
+INSERT INTO `cloud`.`network_acl` (id, uuid, vpc_id, description, name) values (1, UUID(),
0, "Default Network ACL Deny All", "default_deny");
+INSERT INTO `cloud`.`network_acl_item` (id, uuid, acl_id, state, protocol, created, traffic_type,
cidr, number, action) values (1, UUID(), 1, "Active", "all", now(), "Ingress", "0.0.0.0/0",
1, "Deny");
+INSERT INTO `cloud`.`network_acl_item` (id, uuid, acl_id, state, protocol, created, traffic_type,
cidr, number, action) values (2, UUID(), 1, "Active", "all", now(), "Egress", "0.0.0.0/0",
2, "Deny");
+
+INSERT INTO `cloud`.`network_acl` (id, uuid, vpc_id, description, name) values (2, UUID(),
0, "Default Network ACL Allow All", "default_allow");
+INSERT INTO `cloud`.`network_acl_item` (id, uuid, acl_id, state, protocol, created, traffic_type,
cidr, number, action) values (3, UUID(), 2, "Active", "all", now(), "Ingress", "0.0.0.0/0",
1, "Allow");
+INSERT INTO `cloud`.`network_acl_item` (id, uuid, acl_id, state, protocol, created, traffic_type,
cidr, number, action) values (4, UUID(), 2, "Active", "all", now(), "Egress", "0.0.0.0/0",
2, "Allow");


Mime
View raw message