incubator-cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From alena1...@apache.org
Subject [2/4] git commit: VPC: initial checkin for network ACLs
Date Thu, 21 Jun 2012 00:21:41 GMT
VPC: initial checkin for network ACLs

Conflicts:

	client/tomcatconf/commands.properties.in


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/374a6007
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/374a6007
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/374a6007

Branch: refs/heads/vpc
Commit: 374a600746585a2b0fc30d7dc1245a0b6333aa9f
Parents: 7fda630
Author: Alena Prokharchyk <alena.prokharchyk@citrix.com>
Authored: Wed Jun 20 12:48:00 2012 -0700
Committer: Alena Prokharchyk <alena.prokharchyk@citrix.com>
Committed: Wed Jun 20 17:19:49 2012 -0700

----------------------------------------------------------------------
 .../agent/api/routing/SetNetworkACLAnswer.java     |   21 +
 .../agent/api/routing/SetNetworkACLCommand.java    |   35 ++
 .../routing/SetPortForwardingRulesVpcCommand.java  |   29 ++
 api/src/com/cloud/agent/api/to/NetworkACLTO.java   |  109 +++++
 api/src/com/cloud/api/BaseCmd.java                 |    4 +-
 api/src/com/cloud/api/ResponseGenerator.java       |    8 +
 .../cloud/api/commands/CreateFirewallRuleCmd.java  |    2 +-
 .../api/commands/CreateIpForwardingRuleCmd.java    |    2 +-
 .../cloud/api/commands/CreateNetworkACLCmd.java    |  314 +++++++++++++++
 .../api/commands/CreatePortForwardingRuleCmd.java  |    2 +-
 .../com/cloud/api/response/FirewallResponse.java   |   10 +-
 .../com/cloud/api/response/NetworkACLResponse.java |   84 ++++
 .../network/element/NetworkACLServiceProvider.java |   34 ++
 .../cloud/network/firewall/NetworkACLService.java  |   38 ++
 .../com/cloud/network/lb/LoadBalancingRule.java    |    2 +-
 api/src/com/cloud/network/rules/FirewallRule.java  |    8 +-
 api/src/com/cloud/network/rules/NetworkACL.java    |   26 ++
 api/src/com/cloud/network/rules/StaticNatRule.java |    2 +-
 client/tomcatconf/commands.properties.in           |    6 +-
 .../xen/resource/CitrixResourceBase.java           |   16 +
 server/src/com/cloud/api/ApiResponseHelper.java    |   35 ++
 .../configuration/DefaultComponentLibrary.java     |    2 +
 .../ExternalLoadBalancerDeviceManagerImpl.java     |    2 +-
 .../src/com/cloud/network/NetworkManagerImpl.java  |    9 +-
 .../com/cloud/network/dao/FirewallRulesDao.java    |    3 +
 .../cloud/network/dao/FirewallRulesDaoImpl.java    |   17 +
 .../network/element/VpcVirtualRouterElement.java   |   25 ++-
 .../network/firewall/FirewallManagerImpl.java      |   62 ++--
 .../network/firewall/NetworkACLManagerImpl.java    |  301 ++++++++++++++
 .../network/lb/LoadBalancingRulesManagerImpl.java  |    2 +-
 .../router/VirtualNetworkApplianceManagerImpl.java |   10 +-
 .../router/VpcVirtualNetworkApplianceManager.java  |   12 +
 .../VpcVirtualNetworkApplianceManagerImpl.java     |   54 +++
 .../com/cloud/network/rules/FirewallManager.java   |    8 +-
 .../com/cloud/network/rules/FirewallRuleVO.java    |   34 ++-
 .../cloud/network/rules/PortForwardingRuleVO.java  |    2 +-
 .../com/cloud/network/rules/RulesManagerImpl.java  |    8 +-
 .../com/cloud/network/rules/StaticNatRuleImpl.java |    2 +-
 setup/db/create-schema.sql                         |    5 +-
 39 files changed, 1274 insertions(+), 71 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/agent/api/routing/SetNetworkACLAnswer.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/agent/api/routing/SetNetworkACLAnswer.java b/api/src/com/cloud/agent/api/routing/SetNetworkACLAnswer.java
new file mode 100644
index 0000000..b715a72
--- /dev/null
+++ b/api/src/com/cloud/agent/api/routing/SetNetworkACLAnswer.java
@@ -0,0 +1,21 @@
+// Copyright 2012 Citrix Systems, Inc. Licensed under the
+package com.cloud.agent.api.routing;
+
+import com.cloud.agent.api.Answer;
+
+public class SetNetworkACLAnswer extends Answer {
+    String[] results;
+    
+    protected SetNetworkACLAnswer() {
+    }
+    
+    public SetNetworkACLAnswer(SetNetworkACLCommand cmd, boolean success, String[] results) {
+        super(cmd, success, null);
+        assert (cmd.getRules().length == results.length) : "ACLs and their results should be the same length";
+        this.results = results;
+    }
+    
+    public String[] getResults() {
+        return results;
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/agent/api/routing/SetNetworkACLCommand.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/agent/api/routing/SetNetworkACLCommand.java b/api/src/com/cloud/agent/api/routing/SetNetworkACLCommand.java
new file mode 100644
index 0000000..f26e337
--- /dev/null
+++ b/api/src/com/cloud/agent/api/routing/SetNetworkACLCommand.java
@@ -0,0 +1,35 @@
+// Copyright 2012 Citrix Systems, Inc. Licensed under the
+// Apache License, Version 2.0 (the "License"); you may not use this
+// file except in compliance with the License.  Citrix Systems, Inc.
+// reserves all rights not expressly granted by the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// 
+// Automatically generated by addcopyright.py at 04/03/2012
+package com.cloud.agent.api.routing;
+
+import java.util.List;
+
+import com.cloud.agent.api.to.NetworkACLTO;
+
+/**
+ * @author Alena Prokharchyk
+ */
+public class SetNetworkACLCommand extends NetworkElementCommand{
+    NetworkACLTO[] rules;
+
+    protected SetNetworkACLCommand() {
+    }
+    
+    public SetNetworkACLCommand(List<NetworkACLTO> rules) {
+        this.rules = rules.toArray(new NetworkACLTO[rules.size()]); 
+    }
+    
+    public NetworkACLTO[] getRules() {
+        return rules;
+    }
+}

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/agent/api/routing/SetPortForwardingRulesVpcCommand.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/agent/api/routing/SetPortForwardingRulesVpcCommand.java b/api/src/com/cloud/agent/api/routing/SetPortForwardingRulesVpcCommand.java
new file mode 100644
index 0000000..e6e91f5
--- /dev/null
+++ b/api/src/com/cloud/agent/api/routing/SetPortForwardingRulesVpcCommand.java
@@ -0,0 +1,29 @@
+// Copyright 2012 Citrix Systems, Inc. Licensed under the
+// Apache License, Version 2.0 (the "License"); you may not use this
+// file except in compliance with the License.  Citrix Systems, Inc.
+// reserves all rights not expressly granted by the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// 
+// Automatically generated by addcopyright.py at 04/03/2012
+package com.cloud.agent.api.routing;
+
+import java.util.List;
+
+import com.cloud.agent.api.to.PortForwardingRuleTO;
+
+/**
+ * @author Alena Prokharchyk
+ */
+public class SetPortForwardingRulesVpcCommand extends SetPortForwardingRulesCommand{
+    protected SetPortForwardingRulesVpcCommand() {
+    }
+    
+    public SetPortForwardingRulesVpcCommand(List<? extends PortForwardingRuleTO> pfRules) {
+        super(pfRules);
+    }
+}

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/agent/api/to/NetworkACLTO.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/agent/api/to/NetworkACLTO.java b/api/src/com/cloud/agent/api/to/NetworkACLTO.java
new file mode 100644
index 0000000..2f72563
--- /dev/null
+++ b/api/src/com/cloud/agent/api/to/NetworkACLTO.java
@@ -0,0 +1,109 @@
+// Copyright 2012 Citrix Systems, Inc. Licensed under the
+package com.cloud.agent.api.to;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.rules.FirewallRule.TrafficType;
+import com.cloud.utils.net.NetUtils;
+
+
+public class NetworkACLTO {
+    long id;
+    String vlanTag;
+    String protocol;
+    int[] portRange;
+    boolean revoked;
+    boolean alreadyAdded;
+    private List<String> cidrList;
+    private Integer icmpType;
+    private Integer icmpCode;
+    private FirewallRule.TrafficType trafficType;
+    
+
+    protected NetworkACLTO() {
+    }
+    
+
+    public NetworkACLTO(long id,String vlanTag, String protocol, Integer portStart, Integer portEnd, boolean revoked,
+            boolean alreadyAdded, List<String> cidrList, Integer icmpType,Integer icmpCode,TrafficType trafficType) {
+        this.vlanTag = vlanTag;
+        this.protocol = protocol;
+        
+        if (portStart != null) {
+            List<Integer> range = new ArrayList<Integer>();
+            range.add(portStart);
+            if (portEnd != null) {
+                range.add(portEnd);
+            }
+            
+            portRange = new int[range.size()];
+            int i = 0;
+            for (Integer port : range) {
+                portRange[i] = port.intValue();
+                i ++;
+            }   
+        } 
+        
+        this.revoked = revoked;
+        this.alreadyAdded = alreadyAdded;
+        this.cidrList = cidrList;
+        this.icmpType = icmpType;
+        this.icmpCode = icmpCode;
+        this.trafficType = trafficType;
+    }
+
+    public NetworkACLTO(FirewallRule rule, String vlanTag, FirewallRule.TrafficType  trafficType ) {
+        this(rule.getId(), vlanTag, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), 
+                rule.getState() == FirewallRule.State.Revoke, rule.getState() == FirewallRule.State.Active,
+                rule.getSourceCidrList() ,rule.getIcmpType(), rule.getIcmpCode(),trafficType);
+    }
+    
+    public long getId() {
+        return id;
+    }
+
+    public String getSrcVlanTag() {
+    	return vlanTag;
+    }
+
+    public String getProtocol() {
+        return protocol;
+    }
+
+    public int[] getSrcPortRange() {
+        return portRange;
+    }
+    
+    public Integer getIcmpType(){
+    	return icmpType;
+    }
+    
+    public Integer getIcmpCode(){
+    	return icmpCode;  
+    }
+    
+    public String getStringPortRange() {
+    	if (portRange == null || portRange.length < 2)
+    		return "0:0";
+    	else
+    		return NetUtils.portRangeToString(portRange);
+    }
+
+    public boolean revoked() {
+        return revoked;
+    }
+    
+    public List<String> getSourceCidrList() {
+        return cidrList;
+    }
+    
+    public boolean isAlreadyAdded() {
+        return alreadyAdded;
+    }
+
+    public FirewallRule.TrafficType getTrafficType() {
+        return trafficType;
+    }
+}

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/api/BaseCmd.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/api/BaseCmd.java b/api/src/com/cloud/api/BaseCmd.java
index 623cdec..294e264 100755
--- a/api/src/com/cloud/api/BaseCmd.java
+++ b/api/src/com/cloud/api/BaseCmd.java
@@ -41,6 +41,7 @@ import com.cloud.network.NetworkService;
 import com.cloud.network.StorageNetworkService;
 import com.cloud.network.VirtualNetworkApplianceService;
 import com.cloud.network.firewall.FirewallService;
+import com.cloud.network.firewall.NetworkACLService;
 import com.cloud.network.lb.LoadBalancingRulesService;
 import com.cloud.network.rules.RulesService;
 import com.cloud.network.security.SecurityGroupService;
@@ -59,7 +60,6 @@ import com.cloud.user.DomainService;
 import com.cloud.user.ResourceLimitService;
 import com.cloud.utils.Pair;
 import com.cloud.utils.component.ComponentLocator;
-import com.cloud.utils.AnnotationHelper;
 import com.cloud.vm.BareMetalVmService;
 import com.cloud.vm.UserVmService;
 
@@ -130,6 +130,7 @@ public abstract class BaseCmd {
     public static IdentityService _identityService;
     public static StorageNetworkService _storageNetworkService;
     public static VpcService _vpcService;
+    public static NetworkACLService _networkACLService;
 
     static void setComponents(ResponseGenerator generator) {
         ComponentLocator locator = ComponentLocator.getLocator(ManagementService.Name);
@@ -158,6 +159,7 @@ public abstract class BaseCmd {
         _identityService = locator.getManager(IdentityService.class);
         _storageNetworkService = locator.getManager(StorageNetworkService.class);
         _vpcService = locator.getManager(VpcService.class);
+        _networkACLService = locator.getManager(NetworkACLService.class);
     }
 
     public abstract void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException, NetworkRuleConflictException;

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/api/ResponseGenerator.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/api/ResponseGenerator.java b/api/src/com/cloud/api/ResponseGenerator.java
index 5886021..201883d 100755
--- a/api/src/com/cloud/api/ResponseGenerator.java
+++ b/api/src/com/cloud/api/ResponseGenerator.java
@@ -23,6 +23,7 @@ import java.util.List;
 import com.cloud.api.ApiConstants.HostDetails;
 import com.cloud.api.ApiConstants.VMDetails;
 import com.cloud.api.commands.QueryAsyncJobResultCmd;
+import com.cloud.api.response.NetworkACLResponse;
 import com.cloud.api.response.AccountResponse;
 import com.cloud.api.response.AsyncJobResponse;
 import com.cloud.api.response.CapacityResponse;
@@ -103,6 +104,7 @@ import com.cloud.network.VpnUser;
 import com.cloud.network.router.VirtualRouter;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.LoadBalancer;
+import com.cloud.network.rules.NetworkACL;
 import com.cloud.network.rules.PortForwardingRule;
 import com.cloud.network.rules.StaticNatRule;
 import com.cloud.network.rules.StickinessPolicy;
@@ -296,4 +298,10 @@ public interface ResponseGenerator {
      * @return
      */
     VpcResponse createVpcResponse(Vpc vpc);
+
+    /**
+     * @param networkACL
+     * @return
+     */
+    NetworkACLResponse createNetworkACLResponse(NetworkACL networkACL);
 }

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/api/commands/CreateFirewallRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/api/commands/CreateFirewallRuleCmd.java b/api/src/com/cloud/api/commands/CreateFirewallRuleCmd.java
index 800dac8..77caf19 100644
--- a/api/src/com/cloud/api/commands/CreateFirewallRuleCmd.java
+++ b/api/src/com/cloud/api/commands/CreateFirewallRuleCmd.java
@@ -159,7 +159,7 @@ public class CreateFirewallRuleCmd extends BaseAsyncCreateCmd implements Firewal
     }
 
     @Override
-    public long getSourceIpAddressId() {
+    public Long getSourceIpAddressId() {
         return ipAddressId;
     }
 

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/api/commands/CreateIpForwardingRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/api/commands/CreateIpForwardingRuleCmd.java b/api/src/com/cloud/api/commands/CreateIpForwardingRuleCmd.java
index 53bd87d..ba2992b 100644
--- a/api/src/com/cloud/api/commands/CreateIpForwardingRuleCmd.java
+++ b/api/src/com/cloud/api/commands/CreateIpForwardingRuleCmd.java
@@ -199,7 +199,7 @@ public class CreateIpForwardingRuleCmd extends BaseAsyncCreateCmd implements Sta
     }
 
     @Override
-    public long getSourceIpAddressId() {
+    public Long getSourceIpAddressId() {
         return ipAddressId;
     }
 

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/api/commands/CreateNetworkACLCmd.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/api/commands/CreateNetworkACLCmd.java b/api/src/com/cloud/api/commands/CreateNetworkACLCmd.java
new file mode 100644
index 0000000..ccc092b
--- /dev/null
+++ b/api/src/com/cloud/api/commands/CreateNetworkACLCmd.java
@@ -0,0 +1,314 @@
+// Copyright 2012 Citrix Systems, Inc. Licensed under the
+package com.cloud.api.commands;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.log4j.Logger;
+
+import com.cloud.api.ApiConstants;
+import com.cloud.api.BaseAsyncCmd;
+import com.cloud.api.BaseAsyncCreateCmd;
+import com.cloud.api.BaseCmd;
+import com.cloud.api.IdentityMapper;
+import com.cloud.api.Implementation;
+import com.cloud.api.Parameter;
+import com.cloud.api.ServerApiException;
+import com.cloud.api.response.NetworkACLResponse;
+import com.cloud.async.AsyncJob;
+import com.cloud.event.EventTypes;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.NetworkRuleConflictException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.Network;
+import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.rules.NetworkACL;
+import com.cloud.network.vpc.Vpc;
+import com.cloud.user.Account;
+import com.cloud.user.UserContext;
+import com.cloud.utils.net.NetUtils;
+
+@Implementation(description = "Creates a ACL rule the given network (the network has to belong to VPC)", 
+responseObject = NetworkACLResponse.class)
+public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements NetworkACL {
+    public static final Logger s_logger = Logger.getLogger(CreateFirewallRuleCmd.class.getName());
+
+    private static final String s_name = "createnetworkaclresponse";
+
+    // ///////////////////////////////////////////////////
+    // ////////////// API parameters /////////////////////
+    // ///////////////////////////////////////////////////
+
+    @Parameter(name = ApiConstants.PROTOCOL, type = CommandType.STRING, required = true, description = 
+            "the protocol for the ACL rule. Valid values are TCP/UDP/ICMP.")
+    private String protocol;
+
+    @Parameter(name = ApiConstants.START_PORT, type = CommandType.INTEGER, required=true, description = "the starting port of ACL")
+    private Integer publicStartPort;
+
+    @Parameter(name = ApiConstants.END_PORT, type = CommandType.INTEGER, description = "the ending port of ACL")
+    private Integer publicEndPort;
+    
+    @Parameter(name = ApiConstants.CIDR_LIST, type = CommandType.LIST, collectionType = CommandType.STRING, 
+            description = "the cidr list to allow traffic from/to")
+    private List<String> cidrlist;
+    
+    @Parameter(name = ApiConstants.ICMP_TYPE, type = CommandType.INTEGER, description = "type of the icmp message being sent")
+    private Integer icmpType;
+
+    @Parameter(name = ApiConstants.ICMP_CODE, type = CommandType.INTEGER, description = "error code for this icmp message")
+    private Integer icmpCode;
+    
+    @IdentityMapper(entityTableName="networks")
+    @Parameter(name=ApiConstants.NETWORK_ID, type=CommandType.LONG, required=true,
+        description="The network of the vm the ACL will be created for")
+    private Long networkId;
+    
+    @Parameter(name=ApiConstants.TRAFFIC_TYPE, type=CommandType.LONG, description="the traffic type for the ACL," +
+    		"can be Ingress or Egress, defaulted to Ingress if not specified")
+    private String trafficType;
+    
+    // ///////////////////////////////////////////////////
+    // ///////////////// Accessors ///////////////////////
+    // ///////////////////////////////////////////////////
+    
+    public String getEntityTable() {
+        return "firewall_rules";
+    }
+
+    public Long getIpAddressId() {
+        return null;
+    }
+
+    @Override
+    public String getProtocol() {
+        return protocol.trim();
+    }
+
+    public List<String> getSourceCidrList() {
+        if (cidrlist != null) {
+            return cidrlist;
+        } else {
+            List<String> oneCidrList = new ArrayList<String>();
+            oneCidrList.add(NetUtils.ALL_CIDRS);
+            return oneCidrList;
+        }
+    }
+    
+    public long getVpcId() {
+        Network network = _networkService.getNetwork(getNetworkId());
+        if (network == null) {
+            throw new InvalidParameterValueException("Invalid networkId is given");
+        }
+        
+        Long vpcId = network.getVpcId();
+        if (vpcId == null) {
+            throw new InvalidParameterValueException("Can create network ACL only for the network belonging to the VPC");
+        }
+        
+        return vpcId;
+    }
+    
+    @Override
+    public FirewallRule.TrafficType getTrafficType() {
+        if (trafficType == null) {
+            return FirewallRule.TrafficType.Ingress;
+        }
+        for (FirewallRule.TrafficType type : FirewallRule.TrafficType.values()) {
+            if (type.toString().equalsIgnoreCase(trafficType)) {
+                return type;
+            }
+        }
+        throw new InvalidParameterValueException("Invalid traffic type " + trafficType);
+    }
+
+    // ///////////////////////////////////////////////////
+    // ///////////// API Implementation///////////////////
+    // ///////////////////////////////////////////////////
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+    
+    public void setSourceCidrList(List<String> cidrs){
+        cidrlist = cidrs;
+    }
+
+    @Override
+    public void execute() throws ResourceUnavailableException {
+        UserContext callerContext = UserContext.current();
+        boolean success = false;
+        NetworkACL rule = _networkACLService.getNetworkACL(getEntityId());
+        try {
+            UserContext.current().setEventDetails("Rule Id: " + getEntityId());
+            success = _networkACLService.applyNetworkACLs(rule.getNetworkId(), callerContext.getCaller());
+
+            // State is different after the rule is applied, so get new object here
+            NetworkACLResponse aclResponse = new NetworkACLResponse(); 
+            if (rule != null) {
+                aclResponse = _responseGenerator.createNetworkACLResponse(rule);
+                setResponseObject(aclResponse);
+            }
+            aclResponse.setResponseName(getCommandName());
+        } finally {
+            if (!success || rule == null) {
+                _networkACLService.revokeNetworkACL(getEntityId(), true);
+                throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to create network ACL");
+            }
+        }
+    }
+
+    @Override
+    public long getId() {
+        throw new UnsupportedOperationException("database id can only provided by VO objects");
+    }
+
+    @Override
+    public String getXid() {
+        // FIXME: We should allow for end user to specify Xid.
+        return null;
+    }
+
+    @Override
+    public Long getSourceIpAddressId() {
+        return null;
+    }
+
+    @Override
+    public Integer getSourcePortStart() {
+        if (publicStartPort != null) {
+            return publicStartPort.intValue();
+        }
+        return null;
+    }
+
+    @Override
+    public Integer getSourcePortEnd() {
+        if (publicEndPort == null) {
+            if (publicStartPort != null) {
+                return publicStartPort.intValue();
+            }
+        } else {
+            return publicEndPort.intValue();
+        }
+        
+        return null;
+    }
+
+    @Override
+    public Purpose getPurpose() {
+        return Purpose.Firewall;
+    }
+
+    @Override
+    public State getState() {
+        throw new UnsupportedOperationException("Should never call me to find the state");
+    }
+
+    @Override
+    public long getNetworkId() {
+        return networkId;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        Vpc vpc = _vpcService.getVpc(getVpcId());
+        if (vpc == null) {
+            throw new InvalidParameterValueException("Invalid vpcId is given");
+        }
+
+        Account account = _accountService.getAccount(vpc.getAccountId());
+        return account.getId();
+    }
+
+    @Override
+    public long getDomainId() {
+        Vpc vpc = _vpcService.getVpc(getVpcId());
+        return vpc.getDomainId();
+    }
+
+    @Override
+    public void create() {
+        if (getSourceCidrList() != null) {
+            for (String cidr: getSourceCidrList()){
+                if (!NetUtils.isValidCIDR(cidr)){
+                    throw new ServerApiException(BaseCmd.PARAM_ERROR, "Source cidrs formatting error " + cidr); 
+                }
+            }
+        }
+
+        try {
+            NetworkACL result = _networkACLService.createNetworkACL(this);
+            setEntityId(result.getId());
+        } catch (NetworkRuleConflictException ex) {
+            s_logger.info("Network rule conflict: " + ex.getMessage());
+            s_logger.trace("Network Rule Conflict: ", ex);
+            throw new ServerApiException(BaseCmd.NETWORK_RULE_CONFLICT_ERROR, ex.getMessage());
+        }
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_FIREWALL_OPEN;
+    }
+
+    @Override
+    public String getEventDescription() {
+        Network network = _networkService.getNetwork(networkId);
+        return ("Createing Network ACL for Netowrk: " + network + " for protocol:" + this.getProtocol());
+    }
+
+    @Override
+    public long getAccountId() {
+        Vpc vpc = _vpcService.getVpc(getVpcId());
+        return vpc.getAccountId();
+    }
+
+    @Override
+    public String getSyncObjType() {
+        return BaseAsyncCmd.networkSyncObject;
+    }
+
+    @Override
+    public Long getSyncObjId() {
+        return getNetworkId();
+    }
+    
+    @Override
+    public Integer getIcmpCode() {
+        if (icmpCode != null) {
+            return icmpCode;
+        } else if (protocol.equalsIgnoreCase(NetUtils.ICMP_PROTO)) {
+            return -1;
+        }
+        return null;
+    }
+    
+    @Override
+    public Integer getIcmpType() {
+        if (icmpType != null) {
+            return icmpType;
+        } else if (protocol.equalsIgnoreCase(NetUtils.ICMP_PROTO)) {
+                return -1;
+            
+        }
+        return null;
+    }
+
+    @Override
+    public Long getRelated() {
+        return null;
+    }
+
+    @Override
+    public FirewallRuleType getType() {
+        return FirewallRuleType.User;
+    }
+    
+    @Override
+    public AsyncJob.Type getInstanceType() {
+        return AsyncJob.Type.FirewallRule;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/api/commands/CreatePortForwardingRuleCmd.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/api/commands/CreatePortForwardingRuleCmd.java b/api/src/com/cloud/api/commands/CreatePortForwardingRuleCmd.java
index b17b6e1..20132a6 100644
--- a/api/src/com/cloud/api/commands/CreatePortForwardingRuleCmd.java
+++ b/api/src/com/cloud/api/commands/CreatePortForwardingRuleCmd.java
@@ -181,7 +181,7 @@ public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements P
     }
 
     @Override
-    public long getSourceIpAddressId() {
+    public Long getSourceIpAddressId() {
         return ipAddressId;
     }
 

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/api/response/FirewallResponse.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/api/response/FirewallResponse.java b/api/src/com/cloud/api/response/FirewallResponse.java
index 0aa5989..a6fd597 100644
--- a/api/src/com/cloud/api/response/FirewallResponse.java
+++ b/api/src/com/cloud/api/response/FirewallResponse.java
@@ -17,10 +17,11 @@
 package com.cloud.api.response;
 
 import com.cloud.api.ApiConstants;
-import com.cloud.utils.IdentityProxy;
 import com.cloud.serializer.Param;
+import com.cloud.utils.IdentityProxy;
 import com.google.gson.annotations.SerializedName;
 
+@SuppressWarnings("unused")
 public class FirewallResponse extends BaseResponse {
     @SerializedName(ApiConstants.ID) @Param(description="the ID of the firewall rule")
     private IdentityProxy id = new IdentityProxy("firewall_rules");
@@ -34,10 +35,10 @@ public class FirewallResponse extends BaseResponse {
     @SerializedName(ApiConstants.END_PORT)  @Param(description = "the ending port of firewall rule's port range")
     private String endPort;
     
-    @SerializedName(ApiConstants.IP_ADDRESS_ID) @Param(description="the public ip address id for the port forwarding rule")
+    @SerializedName(ApiConstants.IP_ADDRESS_ID) @Param(description="the public ip address id for the firewall rule")
     private Long publicIpAddressId;
 
-    @SerializedName(ApiConstants.IP_ADDRESS) @Param(description="the public ip address for the port forwarding rule")
+    @SerializedName(ApiConstants.IP_ADDRESS) @Param(description="the public ip address for the firewall rule")
     private String publicIpAddress;
     
     @SerializedName(ApiConstants.STATE) @Param(description="the state of the rule")
@@ -91,7 +92,4 @@ public class FirewallResponse extends BaseResponse {
     public void setIcmpCode(Integer icmpCode) {
         this.icmpCode = icmpCode;
     }
-
- 
-    
 }

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/api/response/NetworkACLResponse.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/api/response/NetworkACLResponse.java b/api/src/com/cloud/api/response/NetworkACLResponse.java
new file mode 100644
index 0000000..1338d89
--- /dev/null
+++ b/api/src/com/cloud/api/response/NetworkACLResponse.java
@@ -0,0 +1,84 @@
+// Copyright 2012 Citrix Systems, Inc. Licensed under the
+// Apache License, Version 2.0 (the "License"); you may not use this
+// file except in compliance with the License.  Citrix Systems, Inc.
+// reserves all rights not expressly granted by the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// 
+// Automatically generated by addcopyright.py at 04/03/2012
+package com.cloud.api.response;
+
+import com.cloud.api.ApiConstants;
+import com.cloud.serializer.Param;
+import com.cloud.utils.IdentityProxy;
+import com.google.gson.annotations.SerializedName;
+
+@SuppressWarnings("unused")
+public class NetworkACLResponse extends BaseResponse {
+    @SerializedName(ApiConstants.ID) @Param(description="the ID of the ACL")
+    private IdentityProxy id = new IdentityProxy("firewall_rules");
+
+    @SerializedName(ApiConstants.PROTOCOL) @Param(description="the protocol of the ACL")
+    private String protocol;
+
+    @SerializedName(ApiConstants.START_PORT) @Param(description="the starting port of ACL's port range")
+    private String startPort;
+
+    @SerializedName(ApiConstants.END_PORT)  @Param(description = "the ending port of ACL's port range")
+    private String endPort;
+
+    @SerializedName(ApiConstants.TRAFFIC_TYPE) @Param(description="the traffic type for the ACL")
+    private String trafficType;
+    
+    @SerializedName(ApiConstants.STATE) @Param(description="the state of the rule")
+    private String state;
+
+    @SerializedName(ApiConstants.CIDR_LIST) @Param(description="the cidr list to forward traffic from")
+    private String cidrList;
+    
+    @SerializedName(ApiConstants.ICMP_TYPE) @Param(description= "type of the icmp message being sent")
+    private Integer icmpType;
+
+    @SerializedName(ApiConstants.ICMP_CODE) @Param(description = "error code for this icmp message")
+    private Integer icmpCode;
+
+    public void setId(Long id) {
+        this.id.setValue(id);
+    }
+
+    public void setProtocol(String protocol) {
+        this.protocol = protocol;
+    }
+
+    public void setStartPort(String startPort) {
+        this.startPort = startPort;
+    }
+
+    public void setEndPort(String endPort) {
+        this.endPort = endPort;
+    }
+
+    public void setState(String state) {
+        this.state = state;
+    }
+
+    public void setCidrList(String cidrList) {
+        this.cidrList = cidrList;
+    }
+
+    public void setIcmpType(Integer icmpType) {
+        this.icmpType = icmpType;
+    }
+
+    public void setIcmpCode(Integer icmpCode) {
+        this.icmpCode = icmpCode;
+    }
+
+    public void setTrafficType(String trafficType) {
+        this.trafficType = trafficType;
+    }
+}

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/network/element/NetworkACLServiceProvider.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/element/NetworkACLServiceProvider.java b/api/src/com/cloud/network/element/NetworkACLServiceProvider.java
new file mode 100644
index 0000000..92c4bb4
--- /dev/null
+++ b/api/src/com/cloud/network/element/NetworkACLServiceProvider.java
@@ -0,0 +1,34 @@
+// Copyright 2012 Citrix Systems, Inc. Licensed under the
+// Apache License, Version 2.0 (the "License"); you may not use this
+// file except in compliance with the License.  Citrix Systems, Inc.
+// reserves all rights not expressly granted by the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// 
+// Automatically generated by addcopyright.py at 04/03/2012
+package com.cloud.network.element;
+
+import java.util.List;
+
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.Network;
+import com.cloud.network.rules.FirewallRule;
+
+/**
+ * @author Alena Prokharchyk
+ */
+public interface NetworkACLServiceProvider extends NetworkElement{
+
+    /**
+     * @param config
+     * @param rules
+     * @return
+     * @throws ResourceUnavailableException
+     */
+    boolean applyNetworkACLs(Network config, List<? extends FirewallRule> rules) throws ResourceUnavailableException;
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/network/firewall/NetworkACLService.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/firewall/NetworkACLService.java b/api/src/com/cloud/network/firewall/NetworkACLService.java
new file mode 100644
index 0000000..19b3331
--- /dev/null
+++ b/api/src/com/cloud/network/firewall/NetworkACLService.java
@@ -0,0 +1,38 @@
+// Copyright 2012 Citrix Systems, Inc. Licensed under the
+// Apache License, Version 2.0 (the "License"); you may not use this
+// file except in compliance with the License.  Citrix Systems, Inc.
+// reserves all rights not expressly granted by the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// 
+// Automatically generated by addcopyright.py at 04/03/2012
+package com.cloud.network.firewall;
+
+import com.cloud.exception.NetworkRuleConflictException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.rules.NetworkACL;
+import com.cloud.user.Account;
+
+/**
+ * @author Alena Prokharchyk
+ */
+public interface NetworkACLService {
+    NetworkACL getNetworkACL(long ruleId);
+    boolean applyNetworkACLs(long networkId, Account caller) throws ResourceUnavailableException;
+    
+    /**
+     * @param createNetworkACLCmd
+     * @return
+     */
+    NetworkACL createNetworkACL(NetworkACL acl) throws NetworkRuleConflictException;
+    /**
+     * @param ruleId
+     * @param apply
+     * @return
+     */
+    boolean revokeNetworkACL(long ruleId, boolean apply);
+}

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/network/lb/LoadBalancingRule.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/lb/LoadBalancingRule.java b/api/src/com/cloud/network/lb/LoadBalancingRule.java
index c79ab18..d49d0e9 100644
--- a/api/src/com/cloud/network/lb/LoadBalancingRule.java
+++ b/api/src/com/cloud/network/lb/LoadBalancingRule.java
@@ -78,7 +78,7 @@ public class LoadBalancingRule implements FirewallRule, LoadBalancer{
     }
     
     @Override
-    public long getSourceIpAddressId() {
+    public Long getSourceIpAddressId() {
         return lb.getSourceIpAddressId();
     }
     

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/network/rules/FirewallRule.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/rules/FirewallRule.java b/api/src/com/cloud/network/rules/FirewallRule.java
index 7c8fa66..cb79e5e 100644
--- a/api/src/com/cloud/network/rules/FirewallRule.java
+++ b/api/src/com/cloud/network/rules/FirewallRule.java
@@ -27,6 +27,7 @@ public interface FirewallRule extends ControlledEntity {
         LoadBalancing,
         Vpn,
         StaticNat,
+        NetworkACL,
     }
     
     enum FirewallRuleType {
@@ -41,6 +42,11 @@ public interface FirewallRule extends ControlledEntity {
         Revoke  // Revoke means this rule has been revoked. If this rule has been sent to the network elements, the rule will be deleted from database.
     }
     
+    enum TrafficType {
+        Ingress,
+        Egress
+    }
+    
     /**
      * @return database id.
      */
@@ -72,7 +78,7 @@ public interface FirewallRule extends ControlledEntity {
     
     long getNetworkId();
     
-    long getSourceIpAddressId();
+    Long getSourceIpAddressId();
 
     Integer getIcmpCode();
 

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/network/rules/NetworkACL.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/rules/NetworkACL.java b/api/src/com/cloud/network/rules/NetworkACL.java
new file mode 100644
index 0000000..d0f7f21
--- /dev/null
+++ b/api/src/com/cloud/network/rules/NetworkACL.java
@@ -0,0 +1,26 @@
+// Copyright 2012 Citrix Systems, Inc. Licensed under the
+// Apache License, Version 2.0 (the "License"); you may not use this
+// file except in compliance with the License.  Citrix Systems, Inc.
+// reserves all rights not expressly granted by the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// 
+// Automatically generated by addcopyright.py at 04/03/2012
+package com.cloud.network.rules;
+
+
+/**
+ * @author Alena Prokharchyk
+ */
+public interface NetworkACL extends FirewallRule{
+
+    /**
+     * @return
+     */
+    TrafficType getTrafficType();
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/api/src/com/cloud/network/rules/StaticNatRule.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/network/rules/StaticNatRule.java b/api/src/com/cloud/network/rules/StaticNatRule.java
index 0cc67d6..601cd6a 100644
--- a/api/src/com/cloud/network/rules/StaticNatRule.java
+++ b/api/src/com/cloud/network/rules/StaticNatRule.java
@@ -40,7 +40,7 @@ public interface StaticNatRule extends ControlledEntity, FirewallRule {
 
     long getNetworkId();
 
-    long getSourceIpAddressId();
+    Long getSourceIpAddressId();
 
     String getDestIpAddress();
 }

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/client/tomcatconf/commands.properties.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/commands.properties.in b/client/tomcatconf/commands.properties.in
index b0154f2..d36329d 100755
--- a/client/tomcatconf/commands.properties.in
+++ b/client/tomcatconf/commands.properties.in
@@ -358,4 +358,8 @@ listVPCOfferings=com.cloud.api.commands.ListVPCOfferingsCmd;15
 
 #### Private network command
 createPrivateNetwork=com.cloud.api.commands.CreatePrivateNetworkCmd;1
-
+
+#### 
+createNetworkACL=com.cloud.api.commands.CreateNetworkACLCmd;15
+#deleteNetworkACL=com.cloud.api.commands.DeleteNetworkACLCmd;15
+#listNetworkACLs=com.cloud.api.commands.ListNetworkACLsCmd;15

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
----------------------------------------------------------------------
diff --git a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index 2c8666d..7153dc4 100644
--- a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@@ -148,8 +148,11 @@ import com.cloud.agent.api.routing.RemoteAccessVpnCfgCommand;
 import com.cloud.agent.api.routing.SavePasswordCommand;
 import com.cloud.agent.api.routing.SetFirewallRulesAnswer;
 import com.cloud.agent.api.routing.SetFirewallRulesCommand;
+import com.cloud.agent.api.routing.SetNetworkACLAnswer;
+import com.cloud.agent.api.routing.SetNetworkACLCommand;
 import com.cloud.agent.api.routing.SetPortForwardingRulesAnswer;
 import com.cloud.agent.api.routing.SetPortForwardingRulesCommand;
+import com.cloud.agent.api.routing.SetPortForwardingRulesVpcCommand;
 import com.cloud.agent.api.routing.SetSourceNatCommand;
 import com.cloud.agent.api.routing.SetStaticNatRulesAnswer;
 import com.cloud.agent.api.routing.SetStaticNatRulesCommand;
@@ -535,11 +538,16 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
             return execute((IpAssocVpcCommand) cmd);
         } else if (clazz == SetSourceNatCommand.class) {
             return execute((SetSourceNatCommand) cmd);
+        } else if (clazz == SetNetworkACLCommand.class) {
+            return execute((SetNetworkACLCommand) cmd);
+        } else if (clazz == SetPortForwardingRulesVpcCommand.class) {
+            return execute((SetPortForwardingRulesVpcCommand) cmd);
         } else {
             return Answer.createUnsupportedCommandAnswer(cmd);
         }
     }
 
+
     protected XsLocalNetwork getNativeNetworkForTraffic(Connection conn, TrafficType type, String name) throws XenAPIException, XmlRpcException {
         if (name != null) {
             if (s_logger.isDebugEnabled()) {
@@ -7108,5 +7116,13 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
         return null;
     }
 
+    private SetNetworkACLAnswer execute(SetNetworkACLCommand cmd) {
+        // TODO - add implementation logic here
+        return null;
+    }
 
+    protected SetPortForwardingRulesAnswer execute(SetPortForwardingRulesVpcCommand cmd) {
+       //TODO - add implementation
+        return null;
+    }
 }

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/server/src/com/cloud/api/ApiResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index 634f5d1..f39a8b2 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -32,6 +32,7 @@ import com.cloud.acl.ControlledEntity.ACLType;
 import com.cloud.api.ApiConstants.HostDetails;
 import com.cloud.api.ApiConstants.VMDetails;
 import com.cloud.api.commands.QueryAsyncJobResultCmd;
+import com.cloud.api.response.NetworkACLResponse;
 import com.cloud.api.response.AccountResponse;
 import com.cloud.api.response.ApiResponseSerializer;
 import com.cloud.api.response.AsyncJobResponse;
@@ -137,6 +138,7 @@ import com.cloud.network.VpnUser;
 import com.cloud.network.router.VirtualRouter;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.LoadBalancer;
+import com.cloud.network.rules.NetworkACL;
 import com.cloud.network.rules.PortForwardingRule;
 import com.cloud.network.rules.StaticNatRule;
 import com.cloud.network.rules.StickinessPolicy;
@@ -2959,6 +2961,39 @@ public class ApiResponseHelper implements ResponseGenerator {
         response.setObjectName("firewallrule");
         return response;
     }
+    
+    @Override
+    public NetworkACLResponse createNetworkACLResponse(NetworkACL networkACL) {
+        NetworkACLResponse response = new NetworkACLResponse();
+
+        response.setId(networkACL.getId());
+        response.setProtocol(networkACL.getProtocol());
+        if (networkACL.getSourcePortStart() != null) {
+            response.setStartPort(Integer.toString(networkACL.getSourcePortStart()));
+        }
+
+        if (networkACL.getSourcePortEnd() != null) {
+            response.setEndPort(Integer.toString(networkACL.getSourcePortEnd()));
+        }
+
+        List<String> cidrs = ApiDBUtils.findFirewallSourceCidrs(networkACL.getId());
+        response.setCidrList(StringUtils.join(cidrs, ","));
+
+        response.setTrafficType(networkACL.getTrafficType().toString());
+
+        FirewallRule.State state = networkACL.getState();
+        String stateToSet = state.toString();
+        if (state.equals(FirewallRule.State.Revoke)) {
+            stateToSet = "Deleting";
+        }
+
+        response.setIcmpCode(networkACL.getIcmpCode());
+        response.setIcmpType(networkACL.getIcmpType());
+
+        response.setState(stateToSet);
+        response.setObjectName("networkacl");
+        return response;
+    }
 
     public UserVmData newUserVmData(UserVm userVm) {
         UserVmData userVmData = new UserVmData();

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/server/src/com/cloud/configuration/DefaultComponentLibrary.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/configuration/DefaultComponentLibrary.java b/server/src/com/cloud/configuration/DefaultComponentLibrary.java
index 4841a25..cf0e61a 100755
--- a/server/src/com/cloud/configuration/DefaultComponentLibrary.java
+++ b/server/src/com/cloud/configuration/DefaultComponentLibrary.java
@@ -106,6 +106,7 @@ import com.cloud.network.element.NetscalerLoadBalancerElementService;
 import com.cloud.network.element.VirtualRouterElement;
 import com.cloud.network.element.VirtualRouterElementService;
 import com.cloud.network.firewall.FirewallManagerImpl;
+import com.cloud.network.firewall.NetworkACLManagerImpl;
 import com.cloud.network.lb.ElasticLoadBalancerManagerImpl;
 import com.cloud.network.lb.LoadBalancingRulesManagerImpl;
 import com.cloud.network.lb.dao.ElasticLbVmMapDaoImpl;
@@ -397,6 +398,7 @@ public class DefaultComponentLibrary extends ComponentLibraryBase implements Com
         addManager("HA Manager", HighAvailabilityManagerImpl.class);
         addManager("VPC Manager", VpcManagerImpl.class);
         addManager("VpcVirtualRouterManager", VpcVirtualNetworkApplianceManagerImpl.class);
+        addManager("NetworkACLManager", NetworkACLManagerImpl.class);
     }
 
     @Override

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/server/src/com/cloud/network/ExternalLoadBalancerDeviceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/ExternalLoadBalancerDeviceManagerImpl.java b/server/src/com/cloud/network/ExternalLoadBalancerDeviceManagerImpl.java
index 1acba8b..c91f4ca 100644
--- a/server/src/com/cloud/network/ExternalLoadBalancerDeviceManagerImpl.java
+++ b/server/src/com/cloud/network/ExternalLoadBalancerDeviceManagerImpl.java
@@ -732,7 +732,7 @@ public abstract class ExternalLoadBalancerDeviceManagerImpl extends AdapterBase
         List<StaticNatRuleTO> staticNatRules = new ArrayList<StaticNatRuleTO>();
         IPAddressVO ipVO = _ipAddressDao.listByDcIdIpAddress(zone.getId(), publicIp).get(0);
         VlanVO vlan = _vlanDao.findById(ipVO.getVlanId());
-        FirewallRuleVO fwRule = new FirewallRuleVO(null, ipVO.getId(), -1, -1, "any", network.getId(), network.getAccountId(), network.getDomainId(), Purpose.StaticNat, null, null, null, null);
+        FirewallRuleVO fwRule = new FirewallRuleVO(null, ipVO.getId(), -1, -1, "any", network.getId(), network.getAccountId(), network.getDomainId(), Purpose.StaticNat, null, null, null, null, null);
         FirewallRule.State state = !revoked ? FirewallRule.State.Add : FirewallRule.State.Revoke;
         fwRule.setState(state);
         StaticNatRule rule = new StaticNatRuleImpl(fwRule, privateIp);

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/server/src/com/cloud/network/NetworkManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index 09bbf22..c891a3e 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -125,6 +125,7 @@ import com.cloud.network.element.DhcpServiceProvider;
 import com.cloud.network.element.FirewallServiceProvider;
 import com.cloud.network.element.IpDeployer;
 import com.cloud.network.element.LoadBalancingServiceProvider;
+import com.cloud.network.element.NetworkACLServiceProvider;
 import com.cloud.network.element.NetworkElement;
 import com.cloud.network.element.PortForwardingServiceProvider;
 import com.cloud.network.element.RemoteAccessVPNServiceProvider;
@@ -172,7 +173,6 @@ import com.cloud.user.User;
 import com.cloud.user.UserContext;
 import com.cloud.user.dao.AccountDao;
 import com.cloud.user.dao.UserStatisticsDao;
-import com.cloud.utils.AnnotationHelper;
 import com.cloud.utils.NumbersUtil;
 import com.cloud.utils.Pair;
 import com.cloud.utils.component.Adapters;
@@ -3679,6 +3679,13 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
                     }
                     handled = ((FirewallServiceProvider) ne).applyFWRules(network, rules);
                     break;
+                case NetworkACL:
+                    boolean isNetworkACLProvider = isProviderSupportServiceInNetwork(network.getId(), Service.Firewall, provider);
+                    if (!(ne instanceof NetworkACLServiceProvider && isNetworkACLProvider)) {
+                        continue;
+                    }
+                    handled = ((NetworkACLServiceProvider) ne).applyNetworkACLs(network, rules);
+                    break;
                 default:
                     s_logger.debug("Unable to handle network rules for purpose: " + purpose.toString());
                     handled = false;

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/server/src/com/cloud/network/dao/FirewallRulesDao.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/dao/FirewallRulesDao.java b/server/src/com/cloud/network/dao/FirewallRulesDao.java
index dc9ab00..48aec35 100644
--- a/server/src/com/cloud/network/dao/FirewallRulesDao.java
+++ b/server/src/com/cloud/network/dao/FirewallRulesDao.java
@@ -50,5 +50,8 @@ public interface FirewallRulesDao extends GenericDao<FirewallRuleVO, Long> {
     List<FirewallRuleVO> listByIpAndNotRevoked(long ipAddressId);
 
     long countRulesByIpId(long sourceIpId);
+    
+    List<FirewallRuleVO> listByNetworkPurposeTrafficTypeAndNotRevoked(long networkId, FirewallRule.Purpose purpose, FirewallRule.TrafficType trafficType);
+
 
 }

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java b/server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java
index 66cf887..5423ad9 100644
--- a/server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java
+++ b/server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java
@@ -21,6 +21,7 @@ import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.FirewallRuleType;
 import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.FirewallRule.State;
+import com.cloud.network.rules.FirewallRule.TrafficType;
 import com.cloud.network.rules.FirewallRuleVO;
 import com.cloud.utils.component.ComponentLocator;
 import com.cloud.utils.db.DB;
@@ -69,6 +70,7 @@ public class FirewallRulesDaoImpl extends GenericDaoBase<FirewallRuleVO, Long> i
         NotRevokedSearch.and("sourcePortStart", NotRevokedSearch.entity().getSourcePortStart(), Op.EQ);
         NotRevokedSearch.and("sourcePortEnd", NotRevokedSearch.entity().getSourcePortEnd(), Op.EQ);
         NotRevokedSearch.and("networkId", NotRevokedSearch.entity().getNetworkId(), Op.EQ);
+        NotRevokedSearch.and("trafficType", NotRevokedSearch.entity().getTrafficType(), Op.EQ);
         NotRevokedSearch.done();
 
         ReleaseSearch = createSearchBuilder();
@@ -265,4 +267,19 @@ public class FirewallRulesDaoImpl extends GenericDaoBase<FirewallRuleVO, Long> i
         return customSearch(sc, null).get(0);
     }
 
+    @Override
+    public List<FirewallRuleVO> listByNetworkPurposeTrafficTypeAndNotRevoked(long networkId, Purpose purpose, TrafficType trafficType) {
+        SearchCriteria<FirewallRuleVO> sc = NotRevokedSearch.create();
+        sc.setParameters("networkId", networkId);
+        sc.setParameters("state", State.Revoke);
+
+        if (purpose != null) {
+            sc.setParameters("purpose", purpose);
+        }
+        
+        sc.setParameters("trafficType", trafficType);
+
+        return listBy(sc);
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/element/VpcVirtualRouterElement.java b/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
index b4462db..321e1c0 100644
--- a/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
+++ b/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
@@ -34,7 +34,10 @@ import com.cloud.network.Network.Service;
 import com.cloud.network.NetworkService;
 import com.cloud.network.PublicIpAddress;
 import com.cloud.network.router.VirtualRouter;
+import com.cloud.network.router.VirtualRouter.Role;
 import com.cloud.network.router.VpcVirtualNetworkApplianceManager;
+import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.rules.NetworkACL;
 import com.cloud.network.vpc.Vpc;
 import com.cloud.network.vpc.VpcManager;
 import com.cloud.offering.NetworkOffering;
@@ -51,7 +54,7 @@ import com.cloud.vm.VirtualMachineProfile;
  * @author Alena Prokharchyk
  */
 @Local(value = NetworkElement.class)
-public class VpcVirtualRouterElement extends VirtualRouterElement implements VpcProvider{
+public class VpcVirtualRouterElement extends VirtualRouterElement implements VpcProvider, NetworkACLServiceProvider{
     private static final Logger s_logger = Logger.getLogger(VpcVirtualRouterElement.class);
     @Inject 
     NetworkService _ntwkService;
@@ -341,4 +344,24 @@ public class VpcVirtualRouterElement extends VirtualRouterElement implements Vpc
             return false;
         }
     }
+    
+    @Override
+    public boolean applyNetworkACLs(Network config, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
+        if (canHandle(config, Service.Firewall)) {
+            List<DomainRouterVO> routers = _routerDao.listByNetworkAndRole(config.getId(), Role.VIRTUAL_ROUTER);
+            if (routers == null || routers.isEmpty()) {
+                s_logger.debug("Virtual router elemnt doesn't need to apply firewall rules on the backend; virtual " +
+                        "router doesn't exist in the network " + config.getId());
+                return true;
+            }
+
+            if (!_vpcRouterMgr.applyNetworkACLs(config, (List<NetworkACL>)rules, routers)) {
+                throw new CloudRuntimeException("Failed to apply firewall rules in network " + config.getId());
+            } else {
+                return true;
+            }
+        } else {
+            return true;
+        }
+    }
 }

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
index 506b615..ea8aec7 100644
--- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -33,7 +33,6 @@ import com.cloud.event.EventTypes;
 import com.cloud.event.UsageEventVO;
 import com.cloud.event.dao.EventDao;
 import com.cloud.event.dao.UsageEventDao;
-import com.cloud.exception.ConcurrentOperationException;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.NetworkRuleConflictException;
 import com.cloud.exception.ResourceUnavailableException;
@@ -73,7 +72,7 @@ import com.cloud.utils.net.NetUtils;
 import com.cloud.vm.UserVmVO;
 import com.cloud.vm.dao.UserVmDao;
 
-@Local(value = { FirewallService.class, FirewallManager.class })
+@Local(value = { FirewallService.class, FirewallManager.class})
 public class FirewallManagerImpl implements FirewallService, FirewallManager, Manager {
     private static final Logger s_logger = Logger.getLogger(FirewallManagerImpl.class);
     String _name;
@@ -147,22 +146,10 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ma
         IPAddressVO ipAddress = _ipAddressDao.findById(ipAddrId);
         // Validate ip address
         if (ipAddress == null && type == FirewallRule.FirewallRuleType.User) {
-            throw new InvalidParameterValueException("Unable to create port forwarding rule; ip id=" + ipAddrId + 
+            throw new InvalidParameterValueException("Unable to create firewall rule; ip id=" + ipAddrId + 
                     " doesn't exist in the system");
         }
         
-        //associate ip address to network (if needed)
-        if (ipAddress.getAssociatedWithNetworkId() == null) {
-            s_logger.debug("The ip is not associated with the network id="+ networkId + " so assigning");
-            try {
-                _networkMgr.associateIPToGuestNetwork(ipAddrId, networkId);
-            } catch (Exception ex) {
-                s_logger.warn("Failed to associate ip id=" + ipAddrId + " to network id=" + networkId + " as " +
-                        "a part of firewall rule creation");
-                return null;
-            }
-        }
-        
         _networkMgr.checkIpForService(ipAddress, Service.Firewall);  
 
         validateFirewallRule(caller, ipAddress, portStart, portEnd, protocol, Purpose.Firewall, type);
@@ -184,16 +171,16 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ma
             domainId = ipAddress.getAllocatedInDomainId();
         }
 
-
         Transaction txn = Transaction.currentTxn();
         txn.start();
 
-        FirewallRuleVO newRule = new FirewallRuleVO(xId, ipAddrId, portStart, portEnd, protocol.toLowerCase(), networkId, accountId, domainId, Purpose.Firewall, sourceCidrList, icmpCode, icmpType, relatedRuleId);
+        FirewallRuleVO newRule = new FirewallRuleVO(xId, ipAddrId, portStart, portEnd, protocol.toLowerCase(), networkId,
+                accountId, domainId, Purpose.Firewall, sourceCidrList, icmpCode, icmpType, relatedRuleId, null);
         newRule.setType(type);
         newRule = _firewallDao.persist(newRule);
 
         if (type == FirewallRuleType.User)
-            detectRulesConflict(newRule, ipAddress);
+            detectRulesConflict(newRule);
 
         if (!_firewallDao.setStateToAdd(newRule)) {
             throw new CloudRuntimeException("Unable to update the state to add for " + newRule);
@@ -252,18 +239,19 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ma
     }
 
     @Override
-    public void detectRulesConflict(FirewallRule newRule, IpAddress ipAddress) throws NetworkRuleConflictException {
-        assert newRule.getSourceIpAddressId() == ipAddress.getId() : "You passed in an ip address that doesn't match the address in the new rule";
+    public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflictException {
 
         List<FirewallRuleVO> rules = _firewallDao.listByIpAndPurposeAndNotRevoked(newRule.getSourceIpAddressId(), null);
-        assert (rules.size() >= 1) : "For network rules, we now always first persist the rule and then check for network conflicts so we should at least have one rule at this point.";
+        assert (rules.size() >= 1) : "For network rules, we now always first persist the rule and then check for " +
+        		"network conflicts so we should at least have one rule at this point.";
 
         for (FirewallRuleVO rule : rules) {
             if (rule.getId() == newRule.getId()) {
                 continue; // Skips my own rule.
             }
 
-            boolean oneOfRulesIsFirewall = ((rule.getPurpose() == Purpose.Firewall || newRule.getPurpose() == Purpose.Firewall) && ((newRule.getPurpose() != rule.getPurpose()) || (!newRule.getProtocol()
+            boolean oneOfRulesIsFirewall = ((rule.getPurpose() == Purpose.Firewall || newRule.getPurpose() == Purpose.Firewall)
+                    && ((newRule.getPurpose() != rule.getPurpose()) || (!newRule.getProtocol()
                     .equalsIgnoreCase(rule.getProtocol()))));
 
             // if both rules are firewall and their cidrs are different, we can skip port ranges verification
@@ -288,24 +276,29 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ma
 
             if (!oneOfRulesIsFirewall) {
                 if (rule.getPurpose() == Purpose.StaticNat && newRule.getPurpose() != Purpose.StaticNat) {
-                    throw new NetworkRuleConflictException("There is 1 to 1 Nat rule specified for the ip address id=" + newRule.getSourceIpAddressId());
+                    throw new NetworkRuleConflictException("There is 1 to 1 Nat rule specified for the ip address id=" 
+                + newRule.getSourceIpAddressId());
                 } else if (rule.getPurpose() != Purpose.StaticNat && newRule.getPurpose() == Purpose.StaticNat) {
-                    throw new NetworkRuleConflictException("There is already firewall rule specified for the ip address id=" + newRule.getSourceIpAddressId());
+                    throw new NetworkRuleConflictException("There is already firewall rule specified for the ip address id="
+                + newRule.getSourceIpAddressId());
                 }
             }
 
             if (rule.getNetworkId() != newRule.getNetworkId() && rule.getState() != State.Revoke) {
-                throw new NetworkRuleConflictException("New rule is for a different network than what's specified in rule " + rule.getXid());
+                throw new NetworkRuleConflictException("New rule is for a different network than what's specified in rule "
+            + rule.getXid());
             }
 
             if (newRule.getProtocol().equalsIgnoreCase(NetUtils.ICMP_PROTO) && newRule.getProtocol().equalsIgnoreCase(rule.getProtocol())) {
-                if (newRule.getIcmpCode().longValue() == rule.getIcmpCode().longValue() && newRule.getIcmpType().longValue() == rule.getIcmpType().longValue()
+                if (newRule.getIcmpCode().longValue() == rule.getIcmpCode().longValue() 
+                        && newRule.getIcmpType().longValue() == rule.getIcmpType().longValue()
                         && newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()) && duplicatedCidrs) {
                     throw new InvalidParameterValueException("New rule conflicts with existing rule id=" + rule.getId());
                 }
             }
 
-            boolean notNullPorts = (newRule.getSourcePortStart() != null && newRule.getSourcePortEnd() != null && rule.getSourcePortStart() != null && rule.getSourcePortEnd() != null);
+            boolean notNullPorts = (newRule.getSourcePortStart() != null && newRule.getSourcePortEnd() != null && 
+                    rule.getSourcePortStart() != null && rule.getSourcePortEnd() != null);
             if (!notNullPorts) {
                 continue;
             } else if (!oneOfRulesIsFirewall && !(bothRulesFirewall && !duplicatedCidrs)
@@ -331,7 +324,8 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ma
     }
 
     @Override
-    public void validateFirewallRule(Account caller, IPAddressVO ipAddress, Integer portStart, Integer portEnd, String proto, Purpose purpose, FirewallRuleType type) {
+    public void validateFirewallRule(Account caller, IPAddressVO ipAddress, Integer portStart, Integer portEnd, 
+            String proto, Purpose purpose, FirewallRuleType type) {
         if (portStart != null && !NetUtils.isValidPort(portStart)) {
             throw new InvalidParameterValueException("publicPort is an invalid value: " + portStart);
         }
@@ -351,10 +345,13 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ma
         // Validate ip address
         _accountMgr.checkAccess(caller, null, true, ipAddress);
 
-        Long networkId = ipAddress.getAssociatedWithNetworkId();
-        if (networkId == null) {
-            throw new InvalidParameterValueException("Unable to create port forwarding rule ; ip id=" + ipAddress.getId() + " is not associated with any network");
+        Long networkId = null;
 
+        if (ipAddress.getAssociatedWithNetworkId() == null) {
+            throw new InvalidParameterValueException("Unable to create port forwarding rule ; ip id=" + 
+                    ipAddress.getId() + " is not associated with any network");
+        } else {
+            networkId = ipAddress.getAssociatedWithNetworkId();
         }
 
         Network network = _networkMgr.getNetwork(networkId);
@@ -441,7 +438,7 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ma
     public boolean applyFirewallRules(List<FirewallRuleVO> rules, boolean continueOnError, Account caller) {
 
         if (rules.size() == 0) {
-            s_logger.debug("There are no firewall rules to apply for ip id=" + rules);
+            s_logger.debug("There are no firewall rules to apply");
             return true;
         }
 
@@ -493,7 +490,6 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ma
         }
 
         return success;
-
     }
 
     @Override

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/server/src/com/cloud/network/firewall/NetworkACLManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/firewall/NetworkACLManagerImpl.java b/server/src/com/cloud/network/firewall/NetworkACLManagerImpl.java
new file mode 100644
index 0000000..366f6bf
--- /dev/null
+++ b/server/src/com/cloud/network/firewall/NetworkACLManagerImpl.java
@@ -0,0 +1,301 @@
+// Copyright 2012 Citrix Systems, Inc. Licensed under the
+// Apache License, Version 2.0 (the "License"); you may not use this
+// file except in compliance with the License.  Citrix Systems, Inc.
+// reserves all rights not expressly granted by the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// 
+// Automatically generated by addcopyright.py at 04/03/2012
+package com.cloud.network.firewall;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+
+import javax.ejb.Local;
+import javax.naming.ConfigurationException;
+
+import org.apache.log4j.Logger;
+
+import com.cloud.acl.SecurityChecker.AccessType;
+import com.cloud.event.ActionEvent;
+import com.cloud.event.EventTypes;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.NetworkRuleConflictException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.Network;
+import com.cloud.network.Network.Capability;
+import com.cloud.network.Network.Service;
+import com.cloud.network.NetworkManager;
+import com.cloud.network.Networks;
+import com.cloud.network.dao.FirewallRulesDao;
+import com.cloud.network.rules.FirewallManager;
+import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.rules.FirewallRule.Purpose;
+import com.cloud.network.rules.FirewallRule.TrafficType;
+import com.cloud.network.rules.FirewallRuleVO;
+import com.cloud.network.rules.NetworkACL;
+import com.cloud.network.vpc.Vpc;
+import com.cloud.network.vpc.VpcManager;
+import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
+import com.cloud.user.UserContext;
+import com.cloud.utils.component.Inject;
+import com.cloud.utils.component.Manager;
+import com.cloud.utils.db.DB;
+import com.cloud.utils.db.Transaction;
+import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.utils.net.NetUtils;
+import com.cloud.vm.Nic.State;
+
+/**
+ * @author Alena Prokharchyk
+ */
+
+@Local(value = { NetworkACLService.class})
+public class NetworkACLManagerImpl implements Manager,NetworkACLService{
+    String _name;
+    private static final Logger s_logger = Logger.getLogger(NetworkACLManagerImpl.class);
+
+    
+    @Inject
+    AccountManager _accountMgr;
+    @Inject
+    FirewallManager _firewallMgr;
+    @Inject
+    FirewallRulesDao _firewallDao;
+    @Inject
+    NetworkManager _networkMgr;
+    @Inject
+    VpcManager _vpcMgr;
+
+
+    @Override
+    public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+        _name = name;
+        return true;
+    }
+
+    @Override
+    public boolean start() {
+        return true;
+    }
+
+
+    @Override
+    public boolean stop() {
+        return true;
+    }
+
+
+    @Override
+    public String getName() {
+        return _name;
+    }
+
+    @Override
+    public NetworkACL getNetworkACL(long ruleId) {
+        return _firewallDao.findById(ruleId);
+    }
+
+    @Override
+    public boolean applyNetworkACLs(long networkId, Account caller) throws ResourceUnavailableException {
+        List<FirewallRuleVO> rules = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.NetworkACL);
+        return _firewallMgr.applyFirewallRules(rules, false, caller);
+    }
+
+    @Override
+    public NetworkACL createNetworkACL(NetworkACL acl) throws NetworkRuleConflictException {
+        return createNetworkACL(UserContext.current().getCaller(), acl.getXid(), acl.getSourcePortStart(), 
+                acl.getSourcePortEnd(), acl.getProtocol(), acl.getSourceCidrList(), acl.getIcmpCode(),
+                acl.getIcmpType(), null, acl.getType(), acl.getNetworkId(), acl.getTrafficType());
+    }
+
+    @DB
+    @ActionEvent(eventType = EventTypes.EVENT_FIREWALL_OPEN, eventDescription = "creating firewall rule", create = true)
+    protected NetworkACL createNetworkACL(Account caller, String xId, Integer portStart, 
+            Integer portEnd, String protocol, List<String> sourceCidrList, Integer icmpCode, Integer icmpType,
+            Long relatedRuleId, FirewallRule.FirewallRuleType type, long networkId, TrafficType trafficType) throws NetworkRuleConflictException {
+        
+        Network network = _networkMgr.getNetwork(networkId);
+        if (network == null) {
+            throw new InvalidParameterValueException("Can't find network by id");
+        }
+        
+        if (network.getVpcId() == null) {
+            throw new UnsupportedOperationException("Network ACL rules are supported just for VPC networks");
+        }
+        
+        Vpc vpc = _vpcMgr.getVpc(network.getVpcId());
+        Account aclOwner = _accountMgr.getAccount(vpc.getAccountId());
+        
+        _accountMgr.checkAccess(caller, AccessType.UseNetwork, false, network);
+
+        
+        if (!_networkMgr.areServicesSupportedInNetwork(networkId, Service.Firewall)) {
+            throw new InvalidParameterValueException("Service " + Service.Firewall + " is not supported in network " + network);
+        }
+        
+        // icmp code and icmp type can't be passed in for any other protocol rather than icmp
+        if (!protocol.equalsIgnoreCase(NetUtils.ICMP_PROTO) && (icmpCode != null || icmpType != null)) {
+            throw new InvalidParameterValueException("Can specify icmpCode and icmpType for ICMP protocol only");
+        }
+
+        if (protocol.equalsIgnoreCase(NetUtils.ICMP_PROTO) && (portStart != null || portEnd != null)) {
+            throw new InvalidParameterValueException("Can't specify start/end port when protocol is ICMP");
+        } 
+
+        validateNetworkACL(caller, network, portStart, portEnd, protocol);
+
+
+        Transaction txn = Transaction.currentTxn();
+        txn.start();
+
+        FirewallRuleVO newRule = new FirewallRuleVO(xId, null, portStart, portEnd, protocol.toLowerCase(), networkId,
+                aclOwner.getAccountId(), aclOwner.getDomainId(), Purpose.NetworkACL, sourceCidrList, icmpCode, icmpType, 
+                relatedRuleId, trafficType);
+        newRule.setType(type);
+        newRule = _firewallDao.persist(newRule);
+
+        if (type == FirewallRule.FirewallRuleType.User) {
+            detectNetworkACLConflict(newRule);
+        }
+
+        if (!_firewallDao.setStateToAdd(newRule)) {
+            throw new CloudRuntimeException("Unable to update the state to add for " + newRule);
+        }
+        UserContext.current().setEventDetails("Rule Id: " + newRule.getId());
+
+        txn.commit();
+
+        return newRule;
+    }
+    
+    
+    protected void validateNetworkACL(Account caller, Network network, Integer portStart, Integer portEnd, 
+            String proto) {
+        
+        if (portStart != null && !NetUtils.isValidPort(portStart)) {
+            throw new InvalidParameterValueException("publicPort is an invalid value: " + portStart);
+        }
+        if (portEnd != null && !NetUtils.isValidPort(portEnd)) {
+            throw new InvalidParameterValueException("Public port range is an invalid value: " + portEnd);
+        }
+
+        // start port can't be bigger than end port
+        if (portStart != null && portEnd != null && portStart > portEnd) {
+            throw new InvalidParameterValueException("Start port can't be bigger than end port");
+        }
+        
+        if (network.getTrafficType() != Networks.TrafficType.Guest) {
+            throw new InvalidParameterValueException("Network ACL can be created just for networks of type " + Networks.TrafficType.Guest);
+        }
+
+        // Verify that the network guru supports the protocol specified
+        Map<Network.Capability, String> protocolCapabilities = _networkMgr.getNetworkServiceCapabilities(network.getId(), Service.Firewall);
+        
+
+        if (protocolCapabilities != null) {
+            String supportedProtocols = protocolCapabilities.get(Capability.SupportedProtocols).toLowerCase();
+            if (!supportedProtocols.contains(proto.toLowerCase())) {
+                throw new InvalidParameterValueException("Protocol " + proto + " is not supported in zone " + network.getDataCenterId());
+            }
+        }
+    }
+    
+    protected void detectNetworkACLConflict(NetworkACL newRule) throws NetworkRuleConflictException {
+
+        List<FirewallRuleVO> rules = _firewallDao.listByNetworkPurposeTrafficTypeAndNotRevoked(newRule.getNetworkId(), Purpose.NetworkACL, newRule.getTrafficType());
+        assert (rules.size() >= 1) : "For network ACLs, we now always first persist the rule and then check for " +
+                "network conflicts so we should at least have one rule at this point.";
+
+        for (FirewallRuleVO rule : rules) {
+            if (rule.getId() == newRule.getId()) {
+                continue; // Skips my own rule.
+            }
+
+            // if rules cidrs are different, we can skip port ranges verification
+            boolean duplicatedCidrs = false;
+            // Verify that the rules have different cidrs
+            List<String> ruleCidrList = rule.getSourceCidrList();
+            List<String> newRuleCidrList = newRule.getSourceCidrList();
+
+            if (ruleCidrList == null || newRuleCidrList == null) {
+                continue;
+            }
+
+            Collection<String> similar = new HashSet<String>(ruleCidrList);
+            similar.retainAll(newRuleCidrList);
+
+            if (similar.size() > 0) {
+                duplicatedCidrs = true;
+            }
+            
+
+            if (newRule.getProtocol().equalsIgnoreCase(NetUtils.ICMP_PROTO) && newRule.getProtocol().equalsIgnoreCase(rule.getProtocol())) {
+                if (newRule.getIcmpCode().longValue() == rule.getIcmpCode().longValue() 
+                        && newRule.getIcmpType().longValue() == rule.getIcmpType().longValue()
+                        && newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()) && duplicatedCidrs) {
+                    throw new InvalidParameterValueException("New network ACL conflicts with existing network ACL id=" + rule.getId());
+                }
+            }
+
+            boolean notNullPorts = (newRule.getSourcePortStart() != null && newRule.getSourcePortEnd() != null && 
+                    rule.getSourcePortStart() != null && rule.getSourcePortEnd() != null);
+            if (!notNullPorts) {
+                continue;
+            } else if (duplicatedCidrs
+                    && ((rule.getSourcePortStart().intValue() <= newRule.getSourcePortStart().intValue() && rule.getSourcePortEnd().intValue() >= newRule.getSourcePortStart().intValue())
+                            || (rule.getSourcePortStart().intValue() <= newRule.getSourcePortEnd().intValue() && rule.getSourcePortEnd().intValue() >= newRule.getSourcePortEnd().intValue())
+                            || (newRule.getSourcePortStart().intValue() <= rule.getSourcePortStart().intValue() && newRule.getSourcePortEnd().intValue() >= rule.getSourcePortStart().intValue())
+                            || (newRule.getSourcePortStart().intValue() <= rule.getSourcePortEnd().intValue() && newRule.getSourcePortEnd().intValue() >= rule.getSourcePortEnd().intValue()))) {
+
+                throw new NetworkRuleConflictException("The range specified, " + newRule.getSourcePortStart() + "-" 
+                            + newRule.getSourcePortEnd() + ", conflicts with rule " + rule.getId()
+                            + " which has " + rule.getSourcePortStart() + "-" + rule.getSourcePortEnd());
+                
+            }
+        }
+
+        if (s_logger.isDebugEnabled()) {
+            s_logger.debug("No network rule conflicts detected for " + newRule + " against " + (rules.size() - 1) + " existing network ACLs");
+        }
+    }
+    
+    @Override
+    public boolean revokeNetworkACL(long ruleId, boolean apply) {
+        Account caller = UserContext.current().getCaller();
+        long userId = UserContext.current().getCallerUserId();
+        return revokeNetworkACL(ruleId, apply, caller, userId);
+    }
+    
+    @ActionEvent(eventType = EventTypes.EVENT_FIREWALL_CLOSE, eventDescription = "revoking firewall rule", async = true)
+    protected boolean revokeNetworkACL(long ruleId, boolean apply, Account caller, long userId) {
+
+        FirewallRuleVO rule = _firewallDao.findById(ruleId);
+        if (rule == null || rule.getPurpose() != Purpose.NetworkACL) {
+            throw new InvalidParameterValueException("Unable to find " + ruleId + " having purpose " + Purpose.NetworkACL);
+        }
+
+        _accountMgr.checkAccess(caller, null, true, rule);
+
+        _firewallMgr.revokeRule(rule, caller, userId, false);
+
+        boolean success = false;
+
+        if (apply) {
+            List<FirewallRuleVO> rules = _firewallDao.listByNetworkAndPurpose(rule.getNetworkId(), Purpose.NetworkACL);
+            return _firewallMgr.applyFirewallRules(rules, false, caller);
+        } else {
+            success = true;
+        }
+
+        return success;
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
index 805657b..84221c4 100755
--- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
+++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
@@ -819,7 +819,7 @@ public class LoadBalancingRulesManagerImpl<Type> implements LoadBalancingRulesMa
         boolean success = true;
 
         try {
-            _firewallMgr.detectRulesConflict(newRule, ipAddr);
+            _firewallMgr.detectRulesConflict(newRule);
             if (!_firewallDao.setStateToAdd(newRule)) {
                 throw new CloudRuntimeException("Unable to update the state to add for " + newRule);
             }

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index ee13718..be5d4b6 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -61,6 +61,7 @@ import com.cloud.agent.api.routing.RemoteAccessVpnCfgCommand;
 import com.cloud.agent.api.routing.SavePasswordCommand;
 import com.cloud.agent.api.routing.SetFirewallRulesCommand;
 import com.cloud.agent.api.routing.SetPortForwardingRulesCommand;
+import com.cloud.agent.api.routing.SetPortForwardingRulesVpcCommand;
 import com.cloud.agent.api.routing.SetStaticNatRulesCommand;
 import com.cloud.agent.api.routing.VmDataCommand;
 import com.cloud.agent.api.routing.VpnUsersCfgCommand;
@@ -2533,7 +2534,14 @@ public class VirtualNetworkApplianceManagerImpl implements VirtualNetworkApplian
             }
         }
 
-        SetPortForwardingRulesCommand cmd = new SetPortForwardingRulesCommand(rulesTO);
+        SetPortForwardingRulesCommand cmd = null;
+        
+        if (router.getVpcId() != null) {
+            cmd = new SetPortForwardingRulesVpcCommand(rulesTO);
+        } else {
+            cmd = new SetPortForwardingRulesCommand(rulesTO);
+        }
+        
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, getRouterControlIp(router.getId()));
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, getRouterIpInNetwork(guestNetworkId, router.getId()));
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/374a6007/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManager.java b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManager.java
index 6816413..3d756bf 100644
--- a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManager.java
+++ b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManager.java
@@ -19,7 +19,9 @@ import com.cloud.deploy.DeployDestination;
 import com.cloud.exception.ConcurrentOperationException;
 import com.cloud.exception.InsufficientCapacityException;
 import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.Network;
 import com.cloud.network.VpcVirtualNetworkApplianceService;
+import com.cloud.network.rules.NetworkACL;
 import com.cloud.network.vpc.Vpc;
 import com.cloud.user.Account;
 import com.cloud.vm.DomainRouterVO;
@@ -44,4 +46,14 @@ public interface VpcVirtualNetworkApplianceManager extends VirtualNetworkApplian
             throws InsufficientCapacityException, ConcurrentOperationException,
             ResourceUnavailableException;
 
+    /**
+     * @param network
+     * @param rules
+     * @param routers
+     * @return
+     * @throws ResourceUnavailableException
+     */
+    boolean applyNetworkACLs(Network network, List<? extends NetworkACL> rules, List<? extends VirtualRouter> routers) 
+            throws ResourceUnavailableException;
+
 }


Mime
View raw message