From: marios@apache.org To: commits@deltacloud.apache.org X-Mailer: ASF-Git Admin Mailer Subject: [2/2] git commit: FGCP: add rule action deny accept and log rule Message-Id: <20120904081501.5980D24A68@tyr.zones.apache.org> Date: Tue, 4 Sep 2012 08:15:01 +0000 (UTC) FGCP: add rule action deny accept and log rule Project: http://git-wip-us.apache.org/repos/asf/deltacloud/repo Commit: http://git-wip-us.apache.org/repos/asf/deltacloud/commit/755d46ef Tree: http://git-wip-us.apache.org/repos/asf/deltacloud/tree/755d46ef Diff: http://git-wip-us.apache.org/repos/asf/deltacloud/diff/755d46ef Branch: refs/heads/master Commit: 755d46ef47f585d12a930fd3bb7bbe1f124e53f0 Parents: 9632ab4 Author: Dies Koper Authored: Mon Sep 3 22:31:22 2012 +1000 Committer: marios Committed: Tue Sep 4 11:08:27 2012 +0300 ---------------------------------------------------------------------- server/lib/deltacloud/drivers/fgcp/fgcp_client.rb | 4 ++ server/lib/deltacloud/drivers/fgcp/fgcp_driver.rb | 44 ++++++++++++++-- 2 files changed, 44 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/deltacloud/blob/755d46ef/server/lib/deltacloud/drivers/fgcp/fgcp_client.rb ---------------------------------------------------------------------- diff --git a/server/lib/deltacloud/drivers/fgcp/fgcp_client.rb b/server/lib/deltacloud/drivers/fgcp/fgcp_client.rb index eaf2718..74816f0 100644 --- a/server/lib/deltacloud/drivers/fgcp/fgcp_client.rb +++ b/server/lib/deltacloud/drivers/fgcp/fgcp_client.rb @@ -90,6 +90,10 @@ class FgcpClient request('GetVSYSConfiguration', {'vsysId' => vsys_id}) end + def list_vsys_descriptor + request('ListVSYSDescriptor') + end + def list_vservers(vsys_id) request('ListVServer', {'vsysId' => vsys_id}) end http://git-wip-us.apache.org/repos/asf/deltacloud/blob/755d46ef/server/lib/deltacloud/drivers/fgcp/fgcp_driver.rb ---------------------------------------------------------------------- 
diff --git a/server/lib/deltacloud/drivers/fgcp/fgcp_driver.rb b/server/lib/deltacloud/drivers/fgcp/fgcp_driver.rb index 53a0ac2..04406b2 100644 --- a/server/lib/deltacloud/drivers/fgcp/fgcp_driver.rb +++ b/server/lib/deltacloud/drivers/fgcp/fgcp_driver.rb @@ -845,6 +845,7 @@ eofwpxml fw = client.get_efm_configuration(opts[:id], 'FW_POLICY', configuration_xml) fw_name = fw['efm'][0]['efmName'][0] # currently always 'Firewall' fw_owner_id = fw['efm'][0]['creator'][0] + rule50000_log = true fw['efm'][0]['firewall'][0]['directions'][0]['direction'].each do |direction| @@ -874,15 +875,33 @@ eofwpxml rules << FirewallRule.new({ :id => policy['id'][0], + :rule_action => policy['action'][0].downcase, + :log_rule => policy['log'][0] == 'On', :allow_protocol => policy['protocol'][0], :port_from => policy['srcPort'] ? policy['srcPort'][0] : nil, # not set for e.g. ICMP :port_to => policy['dstPort'] ? policy['dstPort'][0] : nil, # not set for e.g. ICMP :direction => ingress, :sources => sources - }) unless policy['action'][0] == 'Deny' or policy['id'][0] == '50000' # exclude special case + }) unless policy['id'][0] == '50000' # special case added later + + rule50000_log = (policy['log'][0] == 'On') if policy['id'][0] == '50000' end end + # add "all deny" rule 50000 + source_any = { + :type => 'address', + :family => 'ipv4', + :address => '0.0.0.0', + :prefix => '0' + } + rules << FirewallRule.new({ + :id => '50000', + :rule_action => 'deny', + :log_rule => rule50000_log, + :sources => [source_any] + }) + vsys = client.get_vsys_attributes(client.extract_vsys_id(opts[:id]))['vsys'][0] firewalls << Firewall.new({ :id => opts[:id], 
@@ -914,8 +933,14 @@ eofwpxml def create_firewall(credentials, opts={}) safely do client = new_client(credentials) - # using 'description' as vsysDescriptor - vsys_id = client.create_vsys(opts['description'], opts['name'])['vsysId'][0] + begin + # using 'description' as vsysDescriptor + vsys_id = client.create_vsys(opts['description'], opts['name'])['vsysId'][0] + rescue Exception => ex + raise ex unless ex.message =~ /Template does not exist.*/ + descriptors = client.list_vsys_descriptor['vsysdescriptors'][0]['vsysdescriptor'].collect { |desc| desc['vsysdescriptorId'][0] } + raise "Descriptor [#{opts['name']}] does not exist. Specify one of [#{descriptors.join(', ')}] as firewall description" + end fw_id = vsys_id + '-S-0001' Firewall.new({ :id => fw_id, @@ -934,7 +959,13 @@ eofwpxml end end -#TODO +# FW rule creation not supported: +# fgcp backend requires a mandatory rule id to create (insert) a new rule +# into the existing accept/deny rules. Also, the first two digits of the +# five digit rule identify what from and to network segment (e.g. Internet +# to DMZ, or Secure2 to Secure1) the rule applies to. +# The current Deltacloud firewall collection API does not cover such +# functionality so it was deemed not suitable to implement. # def create_firewall_rule(credentials, opts={}) # p opts # end @@ -1288,6 +1319,11 @@ eofwopxml status 404 end + # wrong FW description (vsys descriptor) + on / does not exist. Specify one of / do + status 404 + end + # trying an operation that is not supported (yet) by the target region on /NOTFOUND: API to the Version/ do status 501 # Not Implemented
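Review bot: in the fgcp_client.rb hunk, `list_vsys_descriptor` calls `request('ListVSYSDescriptor')` with no parameter hash, while every neighbouring method in the hunk passes one; confirm that `request` defaults its second argument (its signature is not visible here), otherwise pass it explicitly, e.g. `request('ListVSYSDescriptor', {})`.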
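Review bot: in the @@ -845 hunk, `rule50000_log = true` means the synthesized rule 50000 reports logging as enabled whenever the FW_POLICY response contains no policy with id 50000, so the default asserts a state the backend did not return. Defaulting to `false` (or to `nil` and only reporting the flag when it was observed) avoids telling callers that the catch-all deny is logged when that cannot be confirmed.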
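Review bot: in the @@ -874 hunk, the new `:rule_action => policy['action'][0].downcase` and `:log_rule => policy['log'][0] == 'On'` lines index into `policy['action']` and `policy['log']` without the nil guard the adjacent `srcPort`/`dstPort` lines use, so a policy missing either element raises NoMethodError and fails the whole firewall listing instead of degrading for that one rule; guard them the same way, e.g. `:rule_action => policy['action'] ? policy['action'][0].downcase : nil`. The appended rule 50000 is also built without `:direction` or `:allow_protocol`, so consumers reading those fields on every rule will get nil for it; either state that in the comment or populate them consistently with the other rules.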
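Review bot: in the @@ -914 hunk, the message raised in the `rescue` branch names `opts['name']` as the missing descriptor, but the value passed to `create_vsys` as the vsysDescriptor is `opts['description']` (per the comment two lines above), so the error reports the wrong field and the hint "as firewall description" contradicts it; use `#{opts['description']}`. `rescue Exception` also catches every exception class, including Interrupt and NoMemoryError; rescue `StandardError` (or the client's own error class) and keep the re-raise for non-matching messages. Matching on the backend's wording with `/Template does not exist.*/` is brittle (the trailing `.*` is redundant either way), and since the message echoes caller-supplied input back into the response, make sure the error view escapes it.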
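Review bot: in the @@ -1288 hunk, the new handler matches `/ does not exist. Specify one of /` and answers 404, but this error is raised from `create_firewall` when the caller supplied an invalid description, which is a bad request parameter rather than a missing resource; 400 describes it better, and 404 is already used two lines up for genuinely missing objects. The unescaped `.` in the pattern matches any character, so escape it or tighten the match, and consider raising a dedicated error class in `create_firewall` rather than keying the handler off the message string.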