Updated Branches:
  refs/heads/master 4f4567384 -> bb50c0d2d

CLOUDSTACK-1578 Egress default policy configurable using network offering in 
xenserver with VR as firewall provider


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6a7ae637
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6a7ae637
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6a7ae637

Branch: refs/heads/master
Commit: 6a7ae637dd3043c1fcf432c4e7037037f07def04
Parents: 4f45673
Author: Jayapal <jaya...@apache.org>
Authored: Thu Jun 20 16:27:02 2013 +0530
Committer: Jayapal <jaya...@apache.org>
Committed: Mon Jun 24 13:37:00 2013 +0530

----------------------------------------------------------------------
 api/src/com/cloud/offering/NetworkOffering.java |  1 +
 .../org/apache/cloudstack/api/ApiConstants.java |  1 +
 .../admin/network/CreateNetworkOfferingCmd.java | 10 ++++++
 .../api/response/NetworkOfferingResponse.java   |  7 ++++
 .../api/routing/NetworkElementCommand.java      |  1 +
 .../com/cloud/network/rules/FirewallRuleVO.java |  7 ++++
 .../com/cloud/offerings/NetworkOfferingVO.java  | 10 +++++-
 .../debian/config/root/firewallRule_egress.sh   | 26 +++++++++++---
 .../xen/resource/CitrixResourceBase.java        |  8 +++++
 server/src/com/cloud/api/ApiResponseHelper.java |  1 +
 .../configuration/ConfigurationManager.java     |  2 +-
 .../configuration/ConfigurationManagerImpl.java | 10 ++++--
 .../com/cloud/network/NetworkManagerImpl.java   | 37 +++++++++++++-------
 .../network/firewall/FirewallManagerImpl.java   | 31 ++++++++++++++++
 .../VirtualNetworkApplianceManagerImpl.java     | 32 ++++++++++++-----
 .../cloud/network/rules/FirewallManager.java    |  1 +
 .../cloud/server/ConfigurationServerImpl.java   |  2 +-
 .../cloud/network/MockFirewallManagerImpl.java  |  5 +++
 .../cloud/vpc/MockConfigurationManagerImpl.java |  2 +-
 .../CreateNetworkOfferingTest.java              | 20 +++++------
 setup/db/db/schema-410to420.sql                 |  1 +
 21 files changed, 173 insertions(+), 42 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/api/src/com/cloud/offering/NetworkOffering.java
----------------------------------------------------------------------
diff --git a/api/src/com/cloud/offering/NetworkOffering.java 
b/api/src/com/cloud/offering/NetworkOffering.java
index 5f522eb..43312db 100644
--- a/api/src/com/cloud/offering/NetworkOffering.java
+++ b/api/src/com/cloud/offering/NetworkOffering.java
@@ -127,5 +127,6 @@ public interface NetworkOffering extends 
InfrastructureEntity, InternalIdentity,
     boolean getInternalLb();
 
     boolean getPublicLb();
+    boolean getEgressDefaultPolicy();
 
 }
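Review bot: `getEgressDefaultPolicy()` is added to the interface without a Javadoc, and the polarity of the boolean is not obvious from the name. Going by the parameter description in `CreateNetworkOfferingCmd`, I would add `/** @return true if the default guest network egress policy is allow, false if it is deny */` above it. The blank line that separated `getPublicLb()` from the next member is also worth keeping.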

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/api/src/org/apache/cloudstack/api/ApiConstants.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/ApiConstants.java 
b/api/src/org/apache/cloudstack/api/ApiConstants.java
index 50832a3..8ac7c3f 100755
--- a/api/src/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/org/apache/cloudstack/api/ApiConstants.java
@@ -121,6 +121,7 @@ public class ApiConstants {
     public static final String IS_PORTABLE = "isportable";
     public static final String IS_PUBLIC = "ispublic";
     public static final String IS_PERSISTENT = "ispersistent";
+    public static final String EGRESS_DEFAULT_POLICY = "egressdefaultpolicy";
     public static final String IS_READY = "isready";
     public static final String IS_RECURSIVE = "isrecursive";
     public static final String ISO_FILTER = "isofilter";

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
----------------------------------------------------------------------
diff --git 
a/api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
 
b/api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
index febb0c3..94e263c 100644
--- 
a/api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
+++ 
b/api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
@@ -99,6 +99,9 @@ public class CreateNetworkOfferingCmd extends BaseCmd {
                " Supported keys are internallbprovider/publiclbprovider with 
service provider as a value")
     protected Map details;
 
+    @Parameter(name=ApiConstants.EGRESS_DEFAULT_POLICY, 
type=CommandType.BOOLEAN, description="true if default guest network egress 
policy is allow; false if default egress policy is deny")
+    private Boolean egressDefaultPolicy;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -162,6 +165,13 @@ public class CreateNetworkOfferingCmd extends BaseCmd {
         return isPersistent == null ? false : isPersistent;
     }
 
+    public Boolean getEgressDefaultPolicy() {
+        if (egressDefaultPolicy == null) {
+            return true;
+        }
+        return egressDefaultPolicy;
+    }
+
     public Map<String, List<String>> getServiceProviders() {
         Map<String, List<String>> serviceProviderMap = null;
         if (serviceProviderList != null && !serviceProviderList.isEmpty()) {
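Review bot: When the parameter is omitted `getEgressDefaultPolicy()` returns `true`, so an offering created without `egressdefaultpolicy` gets default-allow egress, and the `@Parameter` description in the first hunk does not say so. I would append `; defaults to true (allow) when omitted` to that description, so an operator who wants default-deny knows it has to be passed explicitly. Since the getter never returns null it could also be the one-liner `return egressDefaultPolicy == null || egressDefaultPolicy;` with a primitive `boolean` return type. The class body continues outside both hunks.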

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java
----------------------------------------------------------------------
diff --git 
a/api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java 
b/api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java
index 7a7e371..6b35d7b 100644
--- a/api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java
+++ b/api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java
@@ -88,6 +88,9 @@ public class NetworkOfferingResponse extends BaseResponse {
     @SerializedName(ApiConstants.DETAILS) @Param(description="additional 
key/value details tied with network offering", since="4.2.0")
     private Map details;
 
+    @SerializedName(ApiConstants.EGRESS_DEFAULT_POLICY) 
@Param(description="true if network offering supports persistent networks, 
false otherwise")
+    private Boolean egressDefaultPolicy;
+
 
     public void setId(String id) {
         this.id = id;
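Review bot: The `@Param` description on `egressDefaultPolicy` is copied from the persistent-network field and describes the wrong property, so anyone reading the generated API docs would take a firewall default for a persistence flag. Suggested text: `description="true if guest network default egress policy is allow; false if default egress policy is deny"`. The `details` field just above carries `since="4.2.0"`; the new field should probably carry a `since` as well, with the release confirmed by the author.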
@@ -166,4 +169,8 @@ public class NetworkOfferingResponse extends BaseResponse {
         this.details = details;
     }
 
+    public void setEgressDefaultPolicy(Boolean egressDefaultPolicy) {
+        this.egressDefaultPolicy = egressDefaultPolicy;
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/core/src/com/cloud/agent/api/routing/NetworkElementCommand.java
----------------------------------------------------------------------
diff --git a/core/src/com/cloud/agent/api/routing/NetworkElementCommand.java 
b/core/src/com/cloud/agent/api/routing/NetworkElementCommand.java
index ddb7ac8..843d213 100644
--- a/core/src/com/cloud/agent/api/routing/NetworkElementCommand.java
+++ b/core/src/com/cloud/agent/api/routing/NetworkElementCommand.java
@@ -33,6 +33,7 @@ public abstract class NetworkElementCommand extends Command {
     public static final String ZONE_NETWORK_TYPE = "zone.network.type";
     public static final String GUEST_BRIDGE = "guest.bridge";
     public static final String VPC_PRIVATE_GATEWAY = "vpc.gateway.private";
+    public static final String FIREWALL_EGRESS_DEFAULT = 
"firewall.egress.default";
 
 
     protected NetworkElementCommand() {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java 
b/engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java
index 9f73029..a51c364 100644
--- a/engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java
+++ b/engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java
@@ -223,6 +223,13 @@ public class FirewallRuleVO implements FirewallRule {
     }
 
 
+    public FirewallRuleVO(String xId, Long ipAddressId, Integer portStart, 
Integer portEnd, String protocol,
+                          long networkId, long accountId, long domainId, 
Purpose purpose, List<String> sourceCidrs, Integer icmpCode,
+                          Integer icmpType, Long related, TrafficType 
trafficType, FirewallRuleType type) {
+        this(xId, ipAddressId, portStart, portEnd, protocol, networkId, 
accountId, domainId, purpose, sourceCidrs, icmpCode, icmpType, related, 
trafficType);
+        this.type = type;
+    }
+
     public FirewallRuleVO(String xId, long ipAddressId, int port, String 
protocol, long networkId, long accountId, 
             long domainId, Purpose purpose, List<String> sourceCidrs, Integer 
icmpCode, Integer icmpType, Long related) {
         this(xId, ipAddressId, port, port, protocol, networkId, accountId, 
domainId, purpose, sourceCidrs, icmpCode, icmpType, related, null);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java 
b/engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java
index fae315b..6317f72 100755
--- a/engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java
+++ b/engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java
@@ -130,6 +130,9 @@ public class NetworkOfferingVO implements NetworkOffering {
     @Column(name = "is_persistent")
     boolean isPersistent;
 
+    @Column(name = "egress_default_policy")
+    boolean egressdefaultpolicy;
+
     @Override
     public String getDisplayText() {
         return displayText;
@@ -275,6 +278,10 @@ public class NetworkOfferingVO implements NetworkOffering {
         this.redundantRouter = redundantRouter;
     }
 
+    public boolean getEgressDefaultPolicy() {
+        return egressdefaultpolicy;
+    }
+
     public NetworkOfferingVO(String name, String displayText, TrafficType 
trafficType, boolean systemOnly, boolean specifyVlan, Integer rateMbps, Integer 
multicastRateMbps, boolean isDefault,
             Availability availability, String tags, Network.GuestType 
guestType, boolean conserveMode, boolean specifyIpRanges, boolean isPersistent, 
boolean internalLb, boolean publicLb) {
         this.name = name;
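Review bot: `getEgressDefaultPolicy()` implements the method this commit adds to `NetworkOffering` but has no `@Override`, unlike `getDisplayText()` in the previous hunk. The field name `egressdefaultpolicy` also breaks the camelCase used by `isPersistent` next to it; `egressDefaultPolicy` would match. The 16-argument constructor whose signature follows does not take the flag, so, assuming its body (outside this hunk) leaves the field untouched, offerings built through it get `false`, i.e. default deny. A one-line comment there saying so would help.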
@@ -306,7 +313,7 @@ public class NetworkOfferingVO implements NetworkOffering {
 
     public NetworkOfferingVO(String name, String displayText, TrafficType 
trafficType, boolean systemOnly, boolean specifyVlan, Integer rateMbps, Integer 
multicastRateMbps, boolean isDefault,
             Availability availability, String tags, Network.GuestType 
guestType, boolean conserveMode, boolean dedicatedLb, boolean sharedSourceNat, 
boolean redundantRouter, boolean elasticIp, boolean elasticLb,
-            boolean specifyIpRanges, boolean inline, boolean isPersistent, 
boolean associatePublicIP, boolean publicLb, boolean internalLb) {
+            boolean specifyIpRanges, boolean inline, boolean isPersistent, 
boolean associatePublicIP, boolean publicLb, boolean internalLb, boolean 
egressdefaultpolicy) {
         this(name, displayText, trafficType, systemOnly, specifyVlan, 
rateMbps, multicastRateMbps, isDefault, availability, tags, guestType, 
conserveMode, specifyIpRanges, isPersistent, internalLb, publicLb);
         this.dedicatedLB = dedicatedLb;
         this.sharedSourceNat = sharedSourceNat;
@@ -315,6 +322,7 @@ public class NetworkOfferingVO implements NetworkOffering {
         this.elasticLb = elasticLb;
         this.inline = inline;
         this.eipAssociatePublicIp = associatePublicIP;
+        this.egressdefaultpolicy = egressdefaultpolicy;
     }
 
     public NetworkOfferingVO() {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/patches/systemvm/debian/config/root/firewallRule_egress.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/root/firewallRule_egress.sh 
b/patches/systemvm/debian/config/root/firewallRule_egress.sh
index 0da7718..b1e7a40 100755
--- a/patches/systemvm/debian/config/root/firewallRule_egress.sh
+++ b/patches/systemvm/debian/config/root/firewallRule_egress.sh
@@ -82,15 +82,14 @@ fw_entry_for_egress() {
       [ "$eport" == "-1" ] && typecode="$sport"
       [ "$sport" == "-1" ] && typecode="any"
       sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type 
$typecode \
-                     -j ACCEPT
+                     -j $target
       result=$?
     elif [ "$prot" == "all" ]
     then
-           sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j ACCEPT
+           sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j $target
            result=$?
     else
-           sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr \
-                   $DPORT -j ACCEPT
+           sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr  $DPORT -j 
$target
            result=$?
     fi
   
@@ -109,14 +108,18 @@ rules=""
 rules_list=""
 ip=""
 dev=""
+pflag=0
 shift
 shift
-while getopts 'a:' OPTION
+while getopts 'a:P:' OPTION
 do
   case $OPTION in
   a)   aflag=1
                rules="$OPTARG"
                ;;
+  P)   pflag=1
+       pvalue="$OPTARG"
+       ;;
   ?)   usage
                 unlock_exit 2 $lock $locked
                ;;
@@ -142,6 +145,13 @@ fi
 
 success=0
 
+if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
+  then
+     target="ACCEPT"
+  else
+     target="DROP"
+  fi
+
 fw_egress_chain
 for r in $rules_list
 do
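Review bot: `pvalue` is never initialised and `pflag` is set but not checked in the visible hunks, so a caller that does not pass `-P` falls into the `else` branch and every egress rule is appended with `-j DROP` instead of the previous `-j ACCEPT`. Only the XenServer resource in this commit passes `-P`; if other callers of this script exist they would silently get inverted rules. I would default it before this test with `[ "$pflag" == "0" ] && pvalue=0` and reject anything other than 0, 1 or 2 through the existing `usage` / `unlock_exit 2 $lock $locked` path. A comment explaining the three values belongs here too: as `CitrixResourceBase` maps them, 0 is default deny, 1 is default allow and 2 is the system allow-all rule.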
@@ -162,6 +172,12 @@ then
   fw_egress_backup_restore
 else
   logger -t cloud "deleting backup for guest network"
+    if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
+       then
+       #Adding default policy rule
+       sudo iptables -A FW_EGRESS_RULES  -j ACCEPT
+    fi
+
 fi
 
 fw_egress_remove_backup
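Review bot: The exit status of the added `iptables -A FW_EGRESS_RULES  -j ACCEPT` is ignored, and it runs in the branch that goes on to delete the backup. If the append fails on a default-allow network, the chain is left without its trailing allow rule and no restore is attempted, while the script still reports success as far as this hunk shows. I would capture the status with `result=$?` and send a non-zero result down the same path as a failed rule, i.e. `fw_egress_backup_restore`. The surrounding `if` starts outside the hunk.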

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
----------------------------------------------------------------------
diff --git 
a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
 
b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index fa0e1d0..af640a2 100644
--- 
a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ 
b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@@ -7994,6 +7994,7 @@ public abstract class CitrixResourceBase implements 
ServerResource, HypervisorRe
         String callResult;
         Connection conn = getConnection();
         String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
+        String egressDefault = 
cmd.getAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT);
         FirewallRuleTO[] allrules = cmd.getRules();
         FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
         if (routerIp == null) {
@@ -8005,6 +8006,13 @@ public abstract class CitrixResourceBase implements 
ServerResource, HypervisorRe
         args += routerIp + " -F";
         if (trafficType == FirewallRule.TrafficType.Egress){
             args+= " -E";
+            if (egressDefault.equals("true")) {
+                args+= " -P 1";
+            } else if (egressDefault.equals("System")) {
+                args+= " -P 2";
+            } else {
+                args+= " -P 0";
+            }
         }
         StringBuilder sb = new StringBuilder();
         String[] fwRules = rules[0];
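Review bot: `egressDefault` comes from `cmd.getAccessDetail(...)` and is dereferenced with `egressDefault.equals("true")` without a null check, although `routerIp`, read the same way one line earlier, is null-checked. Any egress command that arrives without the `FIREWALL_EGRESS_DEFAULT` detail would throw a NullPointerException here instead of programming the router. Writing the comparisons constant-first, `"true".equals(egressDefault)` and `"System".equals(egressDefault)`, avoids that. Whether a missing detail should then fall through to `-P 0` or be rejected is worth a comment. The method starts and ends outside both hunks.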

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/server/src/com/cloud/api/ApiResponseHelper.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java 
b/server/src/com/cloud/api/ApiResponseHelper.java
index 7d91e95..b56aa4a 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -2009,6 +2009,7 @@ public class ApiResponseHelper implements 
ResponseGenerator {
         response.setAvailability(offering.getAvailability().toString());
         response.setIsPersistent(offering.getIsPersistent());
         response.setNetworkRate(ApiDBUtils.getNetworkRate(offering.getId()));
+        response.setEgressDefaultPolicy(offering.getEgressDefaultPolicy());
         Long so = null;
         if (offering.getServiceOfferingId() != null) {
             so = offering.getServiceOfferingId();

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/server/src/com/cloud/configuration/ConfigurationManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/configuration/ConfigurationManager.java 
b/server/src/com/cloud/configuration/ConfigurationManager.java
index 93cadfa..98eae37 100755
--- a/server/src/com/cloud/configuration/ConfigurationManager.java
+++ b/server/src/com/cloud/configuration/ConfigurationManager.java
@@ -215,7 +215,7 @@ public interface ConfigurationManager extends 
ConfigurationService, Manager {
 
     NetworkOfferingVO createNetworkOffering(String name, String displayText, 
TrafficType trafficType, String tags, boolean specifyVlan, Availability 
availability, Integer networkRate, Map<Service, Set<Provider>> 
serviceProviderMap,
             boolean isDefault, Network.GuestType type, boolean systemOnly, 
Long serviceOfferingId, boolean conserveMode, Map<Service, Map<Capability, 
String>> serviceCapabilityMap,
-            boolean specifyIpRanges, boolean isPersistent, 
Map<NetworkOffering.Detail,String> details);
+            boolean specifyIpRanges, boolean isPersistent, 
Map<NetworkOffering.Detail,String> details, boolean egressDefaultPolicy);
 
     Vlan createVlanAndPublicIpRange(long zoneId, long networkId, long 
physicalNetworkId, boolean forVirtualNetwork, Long podId, String startIP, 
String endIP, String vlanGateway, String vlanNetmask, String vlanId, Account 
vlanOwner, String startIPv6, String endIPv6, String vlanIp6Gateway, String 
vlanIp6Cidr) throws InsufficientCapacityException, 
ConcurrentOperationException, InvalidParameterValueException;
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java 
b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
index f7440c0..425c8be 100755
--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -3824,6 +3824,7 @@ public class ConfigurationManagerImpl extends ManagerBase 
implements Configurati
         boolean specifyIpRanges = cmd.getSpecifyIpRanges();
         boolean isPersistent = cmd.getIsPersistent();
         Map<String, String> detailsStr = cmd.getDetails();
+        Boolean egressDefaultPolicy = cmd.getEgressDefaultPolicy();
 
         // Verify traffic type
         for (TrafficType tType : TrafficType.values()) {
@@ -4011,6 +4012,9 @@ public class ConfigurationManagerImpl extends ManagerBase 
implements Configurati
             Set<Provider> firewallProviderSet = new HashSet<Provider>();
             firewallProviderSet.add(firewallProvider);
             serviceProviderMap.put(Service.Firewall, firewallProviderSet);
+            if 
(!(firewallProvider.getName().equals(Provider.JuniperSRX.getName()) || 
firewallProvider.getName().equals(Provider.VirtualRouter.getName())) && 
egressDefaultPolicy == false) {
+                throw new InvalidParameterValueException("Firewall egress with 
default policy " +  egressDefaultPolicy + "is not supported by the provider "+ 
firewallProvider.getName());
+            }
         }
 
         Map<NetworkOffering.Detail, String> details = new 
HashMap<NetworkOffering.Detail, String>();
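Review bot: The exception message is missing a space before `is not supported`, so it renders as `default policy falseis not supported by the provider ...`; using `" is not supported by the provider "` fixes it. `egressDefaultPolicy == false` also unboxes a `Boolean`; `!egressDefaultPolicy` reads better, and the value cannot be null given the getter in `CreateNetworkOfferingCmd`. The check sits inside a block that opens outside the hunk, apparently entered only when a firewall provider is present, so a deny policy on an offering without the Firewall service would not be validated here.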
@@ -4032,7 +4036,7 @@ public class ConfigurationManagerImpl extends ManagerBase 
implements Configurati
 
         return createNetworkOffering(name, displayText, trafficType, tags, 
specifyVlan, availability, networkRate,
                 serviceProviderMap, false, guestType, false, 
serviceOfferingId, conserveMode, serviceCapabilityMap,
-                specifyIpRanges, isPersistent, details);
+                specifyIpRanges, isPersistent, details, egressDefaultPolicy);
     }
 
     void validateLoadBalancerServiceCapabilities(Map<Capability, String> 
lbServiceCapabilityMap) {
@@ -4167,7 +4171,7 @@ public class ConfigurationManagerImpl extends ManagerBase 
implements Configurati
             Map<Service, Set<Provider>> serviceProviderMap, boolean isDefault, 
Network.GuestType type,
             boolean systemOnly, Long serviceOfferingId, boolean conserveMode,
             Map<Service, Map<Capability, String>> serviceCapabilityMap, 
boolean specifyIpRanges, boolean isPersistent,
-            Map<NetworkOffering.Detail, String> details) {
+            Map<NetworkOffering.Detail, String> details, boolean 
egressDefaultPolicy) {
 
         String multicastRateStr = 
_configDao.getValue("multicast.throttling.rate");
         int multicastRate = ((multicastRateStr == null) ? 10 : 
Integer.parseInt(multicastRateStr));
@@ -4310,7 +4314,7 @@ public class ConfigurationManagerImpl extends ManagerBase 
implements Configurati
         NetworkOfferingVO offering = new NetworkOfferingVO(name, displayText, 
trafficType, systemOnly, specifyVlan,
                 networkRate, multicastRate, isDefault, availability, tags, 
type, conserveMode, dedicatedLb,
                 sharedSourceNat, redundantRouter, elasticIp, elasticLb, 
specifyIpRanges, inline, isPersistent,
-                associatePublicIp, publicLb, internalLb);
+                associatePublicIp, publicLb, internalLb, egressDefaultPolicy);
 
         if (serviceOfferingId != null) {
             offering.setServiceOfferingId(serviceOfferingId);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/server/src/com/cloud/network/NetworkManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java 
b/server/src/com/cloud/network/NetworkManagerImpl.java
index 541082e..674a35f 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -1307,7 +1307,7 @@ public class NetworkManagerImpl extends ManagerBase 
implements NetworkManager, L
                     
_configMgr.createNetworkOffering(NetworkOffering.QuickCloudNoServices,
                             "Offering for QuickCloud with no services", 
TrafficType.Guest, null, true,
                             Availability.Optional, null, new 
HashMap<Network.Service, Set<Network.Provider>>(), true,
-                            Network.GuestType.Shared, false, null, true, null, 
true, false, null);
+                            Network.GuestType.Shared, false, null, true, null, 
true, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
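Review bot: The new trailing `false` passed here, and in the other `createNetworkOffering` calls changed in this file, makes every built-in offering default-deny for egress, while `CreateNetworkOfferingCmd.getEgressDefaultPolicy()` defaults to `true` for offerings created through the API. If that difference is intended it deserves a comment; if not, guests on the built-in isolated offerings would presumably have no outbound access until egress rules are added. The bare literal at the end of a long positional list is also hard to read. An inline `/* egressDefaultPolicy */` marker or a named constant would make the policy visible at each call site.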
@@ -1318,7 +1318,7 @@ public class NetworkManagerImpl extends ManagerBase 
implements NetworkManager, L
                     
_configMgr.createNetworkOffering(NetworkOffering.DefaultSharedNetworkOfferingWithSGService,
                             "Offering for Shared Security group enabled 
networks", TrafficType.Guest, null, true,
                             Availability.Optional, null, 
defaultSharedNetworkOfferingProviders, true,
-                            Network.GuestType.Shared, false, null, true, null, 
true, false, null);
+                            Network.GuestType.Shared, false, null, true, null, 
true, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
@@ -1326,7 +1326,7 @@ public class NetworkManagerImpl extends ManagerBase 
implements NetworkManager, L
         //#3 - shared network offering with no SG service
         if 
(_networkOfferingDao.findByUniqueName(NetworkOffering.DefaultSharedNetworkOffering)
 == null) {
             offering = 
_configMgr.createNetworkOffering(NetworkOffering.DefaultSharedNetworkOffering, 
"Offering for Shared networks", TrafficType.Guest, null, true, 
Availability.Optional, null,
-                    defaultSharedNetworkOfferingProviders, true, 
Network.GuestType.Shared, false, null, true, null, true, false, null);
+                    defaultSharedNetworkOfferingProviders, true, 
Network.GuestType.Shared, false, null, true, null, true, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
@@ -1337,7 +1337,8 @@ public class NetworkManagerImpl extends ManagerBase 
implements NetworkManager, L
             offering = 
_configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingWithSourceNatService,
                     "Offering for Isolated networks with Source Nat service 
enabled", TrafficType.Guest,
                     null, false, Availability.Required, null, 
defaultIsolatedSourceNatEnabledNetworkOfferingProviders,
-                    true, Network.GuestType.Isolated, false, null, true, null, 
false, false, null);
+                    true, Network.GuestType.Isolated, false, null, true, null, 
false, false, null, false);
+
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
@@ -1347,7 +1348,7 @@ public class NetworkManagerImpl extends ManagerBase 
implements NetworkManager, L
             offering = 
_configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworks,
                     "Offering for Isolated VPC networks with Source Nat 
service enabled", TrafficType.Guest,
                     null, false, Availability.Optional, null, 
defaultVPCOffProviders,
-                    true, Network.GuestType.Isolated, false, null, false, 
null, false, false, null);
+                    true, Network.GuestType.Isolated, false, null, false, 
null, false, false, null,false);
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
@@ -1359,7 +1360,7 @@ public class NetworkManagerImpl extends ManagerBase 
implements NetworkManager, L
             offering = 
_configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworksNoLB,
                     "Offering for Isolated VPC networks with Source Nat 
service enabled and LB service disabled", TrafficType.Guest,
                     null, false, Availability.Optional, null, 
defaultVPCOffProviders,
-                    true, Network.GuestType.Isolated, false, null, false, 
null, false, false, null);
+                    true, Network.GuestType.Isolated, false, null, false, 
null, false, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
@@ -1369,7 +1370,7 @@ public class NetworkManagerImpl extends ManagerBase 
implements NetworkManager, L
             offering = 
_configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOffering,
                     "Offering for Isolated networks with no Source Nat 
service", TrafficType.Guest, null, true,
                     Availability.Optional, null, 
defaultIsolatedNetworkOfferingProviders, true, Network.GuestType.Isolated,
-                    false, null, true, null, true, false, null);
+                    false, null, true, null, true, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             _networkOfferingDao.update(offering.getId(), offering);
         }
@@ -1395,7 +1396,7 @@ public class NetworkManagerImpl extends ManagerBase 
implements NetworkManager, L
             offering = 
_configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB,
                     "Offering for Isolated VPC networks with Internal Lb 
support", TrafficType.Guest,
                     null, false, Availability.Optional, null, 
internalLbOffProviders,
-                    true, Network.GuestType.Isolated, false, null, false, 
null, false, false, null);
+                    true, Network.GuestType.Isolated, false, null, false, 
null, false, false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             offering.setInternalLb(true);
             _networkOfferingDao.update(offering.getId(), offering);
@@ -1425,7 +1426,7 @@ public class NetworkManagerImpl extends ManagerBase 
implements NetworkManager, L
 
         if 
(_networkOfferingDao.findByUniqueName(NetworkOffering.DefaultSharedEIPandELBNetworkOffering)
 == null) {
             offering = 
_configMgr.createNetworkOffering(NetworkOffering.DefaultSharedEIPandELBNetworkOffering,
 "Offering for Shared networks with Elastic IP and Elastic LB capabilities", 
TrafficType.Guest, null, true,
-                    Availability.Optional, null, netscalerServiceProviders, 
true, Network.GuestType.Shared, false, null, true, serviceCapabilityMap, true, 
false, null);
+                    Availability.Optional, null, netscalerServiceProviders, 
true, Network.GuestType.Shared, false, null, true, serviceCapabilityMap, true, 
false, null, false);
             offering.setState(NetworkOffering.State.Enabled);
             offering.setDedicatedLB(false);
             _networkOfferingDao.update(offering.getId(), offering);
@@ -3089,9 +3090,21 @@ public class NetworkManagerImpl extends ManagerBase 
implements NetworkManager, L
         }
 
         List<FirewallRuleVO> firewallEgressRulesToApply = 
_firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, 
FirewallRule.TrafficType.Egress);
-        if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, 
false, caller)) {
-            s_logger.warn("Failed to reapply firewall Egress rule(s) as a part 
of network id=" + networkId + " restart");
-            success = false;
+        if (firewallEgressRulesToApply.size() == 0) {
+            NetworkOfferingVO offering = 
_networkOfferingDao.findById(network.getNetworkOfferingId());
+            //there are no egress rules then apply the default egress rule
+            DataCenter zone = _dcDao.findById(network.getDataCenterId());
+            if (offering.getEgressDefaultPolicy() && 
_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
+                    && (network.getGuestType() == Network.GuestType.Isolated ||
+                    (network.getGuestType() == Network.GuestType.Shared && 
zone.getNetworkType() == NetworkType.Advanced))) {
+                // add default egress rule to accept the traffic
+                _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), 
true);
+            }
+        } else {
+            if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, 
false, caller)) {
+                s_logger.warn("Failed to reapply firewall Egress rule(s) as a 
part of network id=" + networkId + " restart");
+                success = false;
+            }
         }
 
         // apply port forwarding rules
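Review bot: The result of `_firewallMgr.applyDefaultEgressFirewallRule(network.getId(), true)` is discarded, so a failure to program the default allow rule during restart is neither logged nor reflected in `success`, unlike the `applyFirewallRules` call in the `else` branch. I would wrap it as `if (!_firewallMgr.applyDefaultEgressFirewallRule(network.getId(), true)) { success = false; }` with a matching warning. `offering` and `zone` are also dereferenced straight after `findById` without a null check. The enclosing method starts and ends outside the hunk.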

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java 
b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
index f7275b0..d250a08 100644
--- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -616,6 +616,7 @@ public class FirewallManagerImpl extends ManagerBase 
implements FirewallService,
     @Override
     public boolean applyEgressFirewallRules (FirewallRule rule, Account 
caller) throws ResourceUnavailableException {
                 List<FirewallRuleVO> rules = 
_firewallDao.listByNetworkPurposeTrafficType(rule.getNetworkId(), 
Purpose.Firewall, FirewallRule.TrafficType.Egress);
+                applyDefaultEgressFirewallRule(rule.getNetworkId(), true);
                 return applyFirewallRules(rules, false, caller);
     }
 
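Review bot: The added call `applyDefaultEgressFirewallRule(rule.getNetworkId(), true);` in applyEgressFirewallRules discards the boolean result and hard-codes the policy to `true`. A failed push of the allow-all System rule therefore goes unnoticed, and the offering's `getEgressDefaultPolicy()` is never consulted on this path, unlike the restart hunk earlier in this commit. How the router treats the System marker is not visible on this page, so the effect on a network whose offering blocks egress by default should be confirmed. At minimum propagate the failure: `if (!applyDefaultEgressFirewallRule(rule.getNetworkId(), true)) { return false; }`.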
@@ -649,6 +650,36 @@ public class FirewallManagerImpl extends ManagerBase 
implements FirewallService,
     }
 
     @Override
+    public boolean applyDefaultEgressFirewallRule(Long networkId, boolean 
defaultPolicy) throws ResourceUnavailableException {
+
+        if (defaultPolicy == false) {
+            //If default policy is false no need apply rules on backend 
because firewall provider blocks by default
+            return true;
+        }
+        s_logger.debug("applying default firewall egress rules ");
+
+        NetworkVO network = _networkDao.findById(networkId);
+        List<String> sourceCidr = new ArrayList<String>();
+
+        sourceCidr.add(NetUtils.ALL_CIDRS);
+        FirewallRuleVO ruleVO = new FirewallRuleVO(null, null, null, null, 
"all", networkId, network.getAccountId(), network.getDomainId(), 
Purpose.Firewall, sourceCidr,
+                null, null, null, FirewallRule.TrafficType.Egress, 
FirewallRuleType.System);
+        List<FirewallRuleVO> rules = new ArrayList<FirewallRuleVO>();
+        rules.add(ruleVO);
+
+        try {
+            //this is not required to store in db because we don't to add this 
rule along with the normal rules
+            if (!applyRules(rules, false, false)) {
+                return  false;
+            }
+        } catch (ResourceUnavailableException ex) {
+            s_logger.warn("Failed to apply default egress rules for guest 
network due to ", ex);
+            return false;
+        }
+        return true;
+    }
+
+    @Override
     @ActionEvent(eventType = EventTypes.EVENT_FIREWALL_CLOSE, eventDescription 
= "revoking firewall rule", async = true)
     public boolean revokeFirewallRule(long ruleId, boolean apply, Account 
caller, long userId) {
 
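Review bot: `_networkDao.findById(networkId)` in applyDefaultEgressFirewallRule is dereferenced two statements later (`network.getAccountId()`) without a null check, and `networkId` is a boxed `Long`. An unknown id therefore ends in a NullPointerException rather than the `false` the method returns for other failures. Add `if (network == null) { s_logger.warn("Network " + networkId + " not found, default egress rule not applied"); return false; }`. Because the allow-all egress rule (`NetUtils.ALL_CIDRS`, protocol "all") is deliberately not stored in the database, the log is the only record that it was pushed, so the debug message should name the network id. The method also declares `throws ResourceUnavailableException` while catching that exception itself.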

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git 
a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java 
b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index fbb8cf2..5a8cf5d 100755
--- 
a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ 
b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -164,6 +164,7 @@ import com.cloud.network.rules.dao.PortForwardingRulesDao;
 import com.cloud.network.vpn.Site2SiteVpnManager;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offering.ServiceOffering;
+import com.cloud.offerings.NetworkOfferingVO;
 import com.cloud.offerings.dao.NetworkOfferingDao;
 import com.cloud.resource.ResourceManager;
 import com.cloud.server.ConfigurationServer;
@@ -3680,29 +3681,44 @@ public class VirtualNetworkApplianceManagerImpl extends 
ManagerBase implements V
 
     private void createFirewallRulesCommands(List<? extends FirewallRule> 
rules, VirtualRouter router, Commands cmds, long guestNetworkId) {
         List<FirewallRuleTO> rulesTO = null;
+        String systemRule = null;
         if (rules != null) {
+            if (rules.size() > 0) {
+                if (rules.get(0).getTrafficType() == 
FirewallRule.TrafficType.Egress && rules.get(0).getType() == 
FirewallRule.FirewallRuleType.System) {
+                    systemRule = 
String.valueOf(FirewallRule.FirewallRuleType.System);
+                }
+            }
             rulesTO = new ArrayList<FirewallRuleTO>();
             for (FirewallRule rule : rules) {
                 FirewallRule.TrafficType traffictype = rule.getTrafficType();
                 if(traffictype == FirewallRule.TrafficType.Ingress){
-                IpAddress sourceIp = 
_networkModel.getIp(rule.getSourceIpAddressId());
-                        FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, 
sourceIp.getAddress().addr(),Purpose.Firewall,traffictype);
-                rulesTO.add(ruleTO);
-            }
-                else if (rule.getTrafficType() == 
FirewallRule.TrafficType.Egress){
-                        assert (rule.getSourceIpAddressId()==null) : 
"ipAddressId should be null for egress firewall rule. ";
-                        FirewallRuleTO ruleTO = new FirewallRuleTO(rule, 
null,"",Purpose.Firewall,traffictype);
-                        rulesTO.add(ruleTO);
+                    IpAddress sourceIp = 
_networkModel.getIp(rule.getSourceIpAddressId());
+                    FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, 
sourceIp.getAddress().addr(),Purpose.Firewall,traffictype);
+                    rulesTO.add(ruleTO);
+                } else if (rule.getTrafficType() == 
FirewallRule.TrafficType.Egress){
+                    assert (rule.getSourceIpAddressId()==null) : "ipAddressId 
should be null for egress firewall rule. ";
+                    FirewallRuleTO ruleTO = new FirewallRuleTO(rule, 
null,"",Purpose.Firewall, traffictype);
+                    rulesTO.add(ruleTO);
                 }
             }
         }
 
+
+        NetworkVO network = _networkDao.findById(guestNetworkId);
+        NetworkOfferingVO offering = 
_networkOfferingDao.findById(network.getNetworkOfferingId());
+        Boolean defaultEgressPolicy = offering.getEgressDefaultPolicy();
         SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, 
getRouterControlIp(router.getId()));
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, 
getRouterIpInNetwork(guestNetworkId, router.getId()));
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, 
router.getInstanceName());
         DataCenterVO dcVo = _dcDao.findById(router.getDataCenterId());
         cmd.setAccessDetail(NetworkElementCommand.ZONE_NETWORK_TYPE, 
dcVo.getNetworkType().toString());
+        if (systemRule != null) {
+            cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, 
systemRule);
+        } else {
+            cmd.setAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT, 
String.valueOf(defaultEgressPolicy));
+        }
+
         cmds.addCommand(cmd);
     }
 
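Review bot: Only `rules.get(0)` is inspected when deciding whether `FIREWALL_EGRESS_DEFAULT` carries the System marker, so createFirewallRulesCommands silently relies on a System egress rule always arriving first. In this commit it is built as a one-element list, but nothing states that precondition. The same access detail then holds either "System" or the stringified `defaultEgressPolicy`, and `String.valueOf` of a null `Boolean` would send the text "null" to the router. I would document the contract above the check, e.g. `// A System egress rule is only ever sent on its own; FIREWALL_EGRESS_DEFAULT is then "System", otherwise "true"/"false" from the offering`. I would also null-check `network` and `offering` before reading the policy, so a failed lookup does not abort rule programming with a NullPointerException.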

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/server/src/com/cloud/network/rules/FirewallManager.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/rules/FirewallManager.java 
b/server/src/com/cloud/network/rules/FirewallManager.java
index 2bce8fe..6d36ed3 100644
--- a/server/src/com/cloud/network/rules/FirewallManager.java
+++ b/server/src/com/cloud/network/rules/FirewallManager.java
@@ -85,4 +85,5 @@ public interface FirewallManager extends FirewallService {
      */
     void removeRule(FirewallRule rule);
 
+    boolean applyDefaultEgressFirewallRule(Long networkId, boolean 
defaultPolicy) throws ResourceUnavailableException;
 }
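Review bot: `applyDefaultEgressFirewallRule` is added to FirewallManager without Javadoc, while the method above it is documented. The contract is not obvious from the signature. Per the implementation in this commit, `defaultPolicy == false` is a no-op that returns true, `true` pushes a non-persisted allow-all System egress rule, and ResourceUnavailableException is declared but caught inside. A short Javadoc stating those facts, plus what a `false` return means to the caller, would keep other implementations consistent.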

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/server/src/com/cloud/server/ConfigurationServerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/server/ConfigurationServerImpl.java 
b/server/src/com/cloud/server/ConfigurationServerImpl.java
index 8e952aa..1ddfcfa 100755
--- a/server/src/com/cloud/server/ConfigurationServerImpl.java
+++ b/server/src/com/cloud/server/ConfigurationServerImpl.java
@@ -1093,7 +1093,7 @@ public class ConfigurationServerImpl extends ManagerBase 
implements Configuratio
                 "Offering for Shared networks with Elastic IP and Elastic LB 
capabilities",
                 TrafficType.Guest,
                 false, true, null, null, true, Availability.Optional,
-                null, Network.GuestType.Shared, true, false, false, false, 
true, true, true, false, false, true, true, false);
+                null, Network.GuestType.Shared, true, false, false, false, 
true, true, true, false, false, true, true, false, false);
 
         
defaultNetscalerNetworkOffering.setState(NetworkOffering.State.Enabled);
         defaultNetscalerNetworkOffering = 
_networkOfferingDao.persistDefaultNetworkOffering(defaultNetscalerNetworkOffering);
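Review bot: The new trailing `false` is the thirteenth boolean in a row in this constructor call, and nothing on the line says which setting it is. It is presumably the egress default policy (the constructor is not visible here), which decides whether guests on this default offering have outbound traffic allowed or blocked. A label would make that default auditable: `true, true, true, false, false, true, true, false, /* egressDefaultPolicy */ false);`. The statement starts above the hunk.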

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/server/test/com/cloud/network/MockFirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/network/MockFirewallManagerImpl.java 
b/server/test/com/cloud/network/MockFirewallManagerImpl.java
index 95bb1d1..c50459e 100644
--- a/server/test/com/cloud/network/MockFirewallManagerImpl.java
+++ b/server/test/com/cloud/network/MockFirewallManagerImpl.java
@@ -169,6 +169,11 @@ public class MockFirewallManagerImpl extends ManagerBase 
implements FirewallMana
        }
 
     @Override
+    public boolean applyDefaultEgressFirewallRule(Long networkId, boolean 
defaultPolicy) throws ResourceUnavailableException {
+        return false;  //To change body of implemented methods use File | 
Settings | File Templates.
+    }
+
+    @Override
     public FirewallRule createFirewallRule(Long ipAddrId, Account caller,
             String xId, Integer portStart, Integer portEnd, String protocol,
             List<String> sourceCidrList, Integer icmpCode, Integer icmpType,
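Review bot: The mock's `applyDefaultEgressFirewallRule` keeps the IDE placeholder comment `//To change body of implemented methods use File | Settings | File Templates.` and returns `false`, which is the value the real implementation uses for failure. Any test that routes through this mock will see default-egress programming as failed. Unless that is intended, `return true;` with the template comment removed is the neutral stub. The createFirewallRule signature that closes the hunk continues outside it.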

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/server/test/com/cloud/vpc/MockConfigurationManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/vpc/MockConfigurationManagerImpl.java 
b/server/test/com/cloud/vpc/MockConfigurationManagerImpl.java
index 6e3d187..95230a5 100755
--- a/server/test/com/cloud/vpc/MockConfigurationManagerImpl.java
+++ b/server/test/com/cloud/vpc/MockConfigurationManagerImpl.java
@@ -555,7 +555,7 @@ public class MockConfigurationManagerImpl extends 
ManagerBase implements Configu
     @Override
     public NetworkOfferingVO createNetworkOffering(String name, String 
displayText, TrafficType trafficType, String tags, boolean specifyVlan, 
Availability availability, Integer networkRate,
             Map<Service, Set<Provider>> serviceProviderMap, boolean isDefault, 
GuestType type, boolean systemOnly, Long serviceOfferingId, boolean 
conserveMode,
-            Map<Service, Map<Capability, String>> serviceCapabilityMap, 
boolean specifyIpRanges, boolean isPersistent, 
Map<NetworkOffering.Detail,String> details) {
+            Map<Service, Map<Capability, String>> serviceCapabilityMap, 
boolean specifyIpRanges, boolean isPersistent, 
Map<NetworkOffering.Detail,String> details, boolean egressDefaultPolicy) {
         // TODO Auto-generated method stub
         return null;
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/server/test/org/apache/cloudstack/networkoffering/CreateNetworkOfferingTest.java
----------------------------------------------------------------------
diff --git 
a/server/test/org/apache/cloudstack/networkoffering/CreateNetworkOfferingTest.java
 
b/server/test/org/apache/cloudstack/networkoffering/CreateNetworkOfferingTest.java
index 4a2c867..36564d9 100644
--- 
a/server/test/org/apache/cloudstack/networkoffering/CreateNetworkOfferingTest.java
+++ 
b/server/test/org/apache/cloudstack/networkoffering/CreateNetworkOfferingTest.java
@@ -94,7 +94,7 @@ public class CreateNetworkOfferingTest extends TestCase{
     public void createSharedNtwkOffWithVlan() {
         NetworkOfferingVO off = configMgr.createNetworkOffering("shared", 
"shared", TrafficType.Guest, null, true,
                 Availability.Optional, 200, null, false, 
Network.GuestType.Shared, false,
-                null, false, null, true, false, null);
+                null, false, null, true, false, null, false);
         assertNotNull("Shared network offering with specifyVlan=true failed to 
create ", off);
     }
     
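Review bot: Every updated `createNetworkOffering` call, here and in the nine hunks that follow in this file, passes `false` for the new argument, so no test exercises an offering created with the egress default policy set to allow. Appending a positional `false` to each call only proves the new signature compiles. A case that passes `true` for an isolated offering with the firewall service and then asserts `off.getEgressDefaultPolicy()` would pin the behaviour this commit introduces. A matching negative case would confirm the flag stays off when not requested.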
@@ -103,7 +103,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         try {
             NetworkOfferingVO off = configMgr.createNetworkOffering("shared", 
"shared", TrafficType.Guest, null, false,
                     Availability.Optional, 200, null, false, 
Network.GuestType.Shared, false,
-                    null, false, null, true, false, null);
+                    null, false, null, true, false, null, false);
             assertNull("Shared network offering with specifyVlan=false was 
created", off);
         } catch (InvalidParameterValueException ex) {
         }
@@ -113,7 +113,7 @@ public class CreateNetworkOfferingTest extends TestCase{
     public void createSharedNtwkOffWithSpecifyIpRanges() {
         NetworkOfferingVO off = configMgr.createNetworkOffering("shared", 
"shared", TrafficType.Guest, null, true,
                 Availability.Optional, 200, null, false, 
Network.GuestType.Shared, false,
-                null, false, null, true, false, null);
+                null, false, null, true, false, null, false);
         
         assertNotNull("Shared network offering with specifyIpRanges=true 
failed to create ", off);
     }
@@ -123,7 +123,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         try {
             NetworkOfferingVO off = configMgr.createNetworkOffering("shared", 
"shared", TrafficType.Guest, null, true,
                     Availability.Optional, 200, null, false, 
Network.GuestType.Shared, false,
-                    null, false, null, false, false, null);
+                    null, false, null, false, false, null, false);
             assertNull("Shared network offering with specifyIpRanges=false was 
created", off);
         } catch (InvalidParameterValueException ex) {
         }
@@ -138,7 +138,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         serviceProviderMap.put(Network.Service.SourceNat, vrProvider);
         NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", 
"isolated", TrafficType.Guest, null, false,
                 Availability.Optional, 200, serviceProviderMap, false, 
Network.GuestType.Isolated, false,
-                null, false, null, false, false, null);
+                null, false, null, false, false, null, false);
         
         assertNotNull("Isolated network offering with specifyIpRanges=false 
failed to create ", off);
     }
@@ -151,7 +151,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         serviceProviderMap.put(Network.Service.SourceNat, vrProvider);
         NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", 
"isolated", TrafficType.Guest, null, true,
                 Availability.Optional, 200, serviceProviderMap, false, 
Network.GuestType.Isolated, false,
-                null, false, null, false, false, null);
+                null, false, null, false, false, null, false);
         assertNotNull("Isolated network offering with specifyVlan=true wasn't 
created", off);
        
     }
@@ -165,7 +165,7 @@ public class CreateNetworkOfferingTest extends TestCase{
             serviceProviderMap.put(Network.Service.SourceNat, vrProvider);
             NetworkOfferingVO off = 
configMgr.createNetworkOffering("isolated", "isolated", TrafficType.Guest, 
null, false,
                     Availability.Optional, 200, serviceProviderMap, false, 
Network.GuestType.Isolated, false,
-                    null, false, null, true, false, null);
+                    null, false, null, true, false, null, false);
             assertNull("Isolated network offering with specifyIpRanges=true 
and source nat service enabled, was created", off);
         } catch (InvalidParameterValueException ex) {
         }
@@ -178,7 +178,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         Set<Network.Provider> vrProvider = new HashSet<Network.Provider>();
         NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", 
"isolated", TrafficType.Guest, null, false,
                 Availability.Optional, 200, serviceProviderMap, false, 
Network.GuestType.Isolated, false,
-                null, false, null, true, false, null);
+                null, false, null, true, false, null, false);
         assertNotNull("Isolated network offering with specifyIpRanges=true and 
with no sourceNatService, failed to create", off);
         
     }
@@ -196,7 +196,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         serviceProviderMap.put(Network.Service.Lb , vrProvider);
         NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", 
"isolated", TrafficType.Guest, null, true,
                 Availability.Optional, 200, serviceProviderMap, false, 
Network.GuestType.Isolated, false,
-                null, false, null, false, false, null);
+                null, false, null, false, false, null, false);
         // System.out.println("Creating Vpc Network Offering");
         assertNotNull("Vpc Isolated network offering with Vpc provider ", off);
     }
@@ -216,7 +216,7 @@ public class CreateNetworkOfferingTest extends TestCase{
         serviceProviderMap.put(Network.Service.Lb, lbProvider);
         NetworkOfferingVO off = configMgr.createNetworkOffering("isolated", 
"isolated", TrafficType.Guest, null, true,
                 Availability.Optional, 200, serviceProviderMap, false, 
Network.GuestType.Isolated, false, null, false,
-                null, false, false, null);
+                null, false, false, null, false);
         // System.out.println("Creating Vpc Network Offering");
         assertNotNull("Vpc Isolated network offering with Vpc and Netscaler 
provider ", off);
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a7ae637/setup/db/db/schema-410to420.sql
----------------------------------------------------------------------
diff --git a/setup/db/db/schema-410to420.sql b/setup/db/db/schema-410to420.sql
index db30c04..325924b 100644
--- a/setup/db/db/schema-410to420.sql
+++ b/setup/db/db/schema-410to420.sql
@@ -2147,3 +2147,4 @@ ALTER TABLE `cloud`.`baremetal_pxe_devices` ADD 
CONSTRAINT `fk_external_pxe_devi
 ALTER TABLE `cloud`.`baremetal_pxe_devices` ADD CONSTRAINT 
`fk_external_pxe_devices_host_id` FOREIGN KEY (`host_id`) REFERENCES 
`host`(`id`) ON DELETE CASCADE;
 ALTER TABLE `cloud`.`baremetal_pxe_devices` ADD CONSTRAINT 
`fk_external_pxe_devices_physical_network_id` FOREIGN KEY 
(`physical_network_id`) REFERENCES `physical_network`(`id`) ON DELETE CASCADE;
 
+alter table `cloud`.`network_offerings` add column egress_default_policy 
boolean default false;
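Review bot: The new column is declared `boolean default false` without `NOT NULL`, so a row can hold NULL and the Java side then has to cope with a missing policy (the router hunk stringifies the value with `String.valueOf`). It is also written in lower case with an unquoted column name, unlike the backticked upper-case statements above it. Suggested form: ``ALTER TABLE `cloud`.`network_offerings` ADD COLUMN `egress_default_policy` boolean NOT NULL DEFAULT false COMMENT 'default egress policy: true allows, false blocks';``.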
