
From jaya...@apache.org
Subject [3/3] git commit: updated refs/heads/master to 55e11cd
Date Thu, 16 Oct 2014 04:08:08 GMT
CLOUDSTACK-7728: Fixed adding iptables rules for egress allow on VR reboot


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/55e11cdd
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/55e11cdd
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/55e11cdd

Branch: refs/heads/master
Commit: 55e11cddca1f9db3a3fe29404b4eff634da60bcb
Parents: 7cd3438
Author: Jayapal <jayapal@apache.org>
Authored: Wed Oct 15 17:26:51 2014 +0530
Committer: Jayapal <jayapal@apache.org>
Committed: Thu Oct 16 09:37:43 2014 +0530

----------------------------------------------------------------------
 .../VirtualNetworkApplianceManagerImpl.java     | 30 ++++++++++++++++++++
 1 file changed, 30 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/55e11cdd/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index 29576bc..315bdde 100644
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -174,10 +174,12 @@ import com.cloud.network.rules.RulesManager;
 import com.cloud.network.rules.StaticNat;
 import com.cloud.network.rules.StaticNatImpl;
 import com.cloud.network.rules.StaticNatRule;
+import com.cloud.network.rules.FirewallRuleVO;
 import com.cloud.network.rules.dao.PortForwardingRulesDao;
 import com.cloud.network.vpn.Site2SiteVpnManager;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offering.ServiceOffering;
+import com.cloud.offerings.NetworkOfferingVO;
 import com.cloud.offerings.dao.NetworkOfferingDao;
 import com.cloud.resource.ResourceManager;
 import com.cloud.server.ConfigurationServer;
@@ -1780,6 +1782,10 @@ Configurable, StateListener<State, VirtualMachine.Event, VirtualMachine>
{
         // Fetch firewall Egress rules.
         if (_networkModel.isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall,
provider)) {
             firewallRulesEgress.addAll(_rulesDao.listByNetworkPurposeTrafficType(guestNetworkId,
Purpose.Firewall, FirewallRule.TrafficType.Egress));
+            if (firewallRulesEgress.isEmpty()) {
+                //create egress default rule for VR
+                createDefaultEgressFirewallRule(firewallRulesEgress, guestNetworkId);
+            }
         }
 
         // Re-apply firewall Egress rules
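Review bot: The comment on the new branch, `//create egress default rule for VR`, does not say why the rule is synthesized only when no egress rules are stored, which is the point of the fix; suggest `// No egress rules stored for this network: synthesize the offering's default egress (allow) rule so the VR's egress chain is rebuilt on reboot (CLOUDSTACK-7728)`. The branch also sits inside the Firewall-provider check, so networks without the Firewall service get no default rule; that looks intentional but is worth stating in the same comment. The enclosing method starts and ends outside the hunk.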
@@ -1904,6 +1910,30 @@ Configurable, StateListener<State, VirtualMachine.Event, VirtualMachine>
{
         }
     }
 
+    private void createDefaultEgressFirewallRule(List<FirewallRule> rules, long networkId)
{
+        String systemRule = null;
+
+        Boolean defaultEgressPolicy = false;
+        NetworkVO network = _networkDao.findById(networkId);
+        NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
+        defaultEgressPolicy = offering.getEgressDefaultPolicy();
+
+
+        // construct rule when egress policy is true. In true case for VR we default allow
rule need to be added
+        if (defaultEgressPolicy) {
+            systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
+
+            List<String> sourceCidr = new ArrayList<String>();
+
+            sourceCidr.add(NetUtils.ALL_CIDRS);
+            FirewallRule rule = new FirewallRuleVO(null, null, null, null, "all", networkId,
network.getAccountId(), network.getDomainId(), Purpose.Firewall, sourceCidr,
+                    null, null, null, FirewallRule.TrafficType.Egress, FirewallRule.FirewallRuleType.System);
+
+            rules.add(rule);
+        }
+    }
+
+
     private void removeRevokedIpAliasFromDb(final List<NicIpAliasVO> revokedIpAliasVOs)
{
         for (final NicIpAliasVO ipalias : revokedIpAliasVOs) {
             _nicIpAliasDao.expunge(ipalias.getId());
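Review bot: `systemRule` in createDefaultEgressFirewallRule is assigned `String.valueOf(FirewallRule.FirewallRuleType.System)` but never read, and `Boolean defaultEgressPolicy = false` is a boxed local that is overwritten by the next statement; drop the two `systemRule` lines and collapse the lookup to `boolean defaultEgressPolicy = offering.getEgressDefaultPolicy();`. If `_networkDao.findById` or `_networkOfferingDao.findById` can return null here (neither result is checked), the method throws NullPointerException instead of leaving the rule list untouched, which would surface as a failed VR start rather than a clear error. A short Javadoc would help readers: the method builds an in-memory System egress rule with source `NetUtils.ALL_CIDRS` and appends it to the caller's list only when the offering's egress default policy is allow; nothing in the hunk persists it. The doubled blank lines after the policy assignment and at the method end are a style nit.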

