Package org.midonet.client.resource

Examples of org.midonet.client.resource.RuleChain

308
309
310
311
312
313
314
315
316
317
318
319
        RouterPort[] ports = null;

        RouterPort tenantUplink = null;
        RouterPort providerDownlink = null;

        RuleChain preNat = null;
        RuleChain post = null;
        String accountIdStr = null;
        String routerName = null;

        // Set Source NAT rules on router
        for (PublicIpAddress ip : ipAddress) {
View Full Code Here
616
617
618
619
620
621
622
623
624
625
626
627
628
        RouterPort[] ports = null;

        RouterPort tenantUplink = null;
        RouterPort providerDownlink = null;

        RuleChain preFilter = null;
        RuleChain preNat = null;
        RuleChain post = null;

        String accountIdStr = getAccountUuid(network);
        String networkUUIDStr = String.valueOf(network.getId());

        for (StaticNat rule : rules) {
View Full Code Here
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
            return false;
        }
        if (canHandle(config, Service.Firewall)) {
            String accountIdStr = getAccountUuid(config);
            String networkUUIDStr = String.valueOf(config.getId());
            RuleChain preFilter = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_PREFILTER);
            RuleChain preNat = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_PRENAT);

            // Create a map of Rule description -> Rule for quicker lookups
            Map<String, Rule> existingRules = new HashMap<String, Rule>();

            for (Rule existingRule : preFilter.getRules()) {
                // The "whitelist" rules we're interested in are the Jump rules where src address is specified
                if(existingRule.getType().equals(DtoRule.Jump) && existingRule.getNwSrcAddress() != null){
                    String ruleString = new SimpleFirewallRule(existingRule).toStringArray()[0];
                    existingRules.put(ruleString, existingRule);
                }
            }

            for (FirewallRule rule : rulesToApply) {
                if (rule.getState() == FirewallRule.State.Revoke || rule.getState() == FirewallRule.State.Add) {
                    IpAddress dstIp = _networkModel.getIp(rule.getSourceIpAddressId());
                    FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, dstIp.getAddress().addr());

                    // Convert to string representation
                    SimpleFirewallRule fwRule = new SimpleFirewallRule(ruleTO);
                    String[] ruleStrings = fwRule.toStringArray();

                    if (rule.getState() == FirewallRule.State.Revoke) {
                        // Lookup in existingRules, delete if present
                        for(String revokeRuleString : ruleStrings){
                            Rule foundRule = existingRules.get(revokeRuleString);
                            if(foundRule != null){
                                foundRule.delete();
                            }
                        }
                    } else if (rule.getState() == FirewallRule.State.Add) {
                        // Lookup in existingRules, add if not present
                        for(int i = 0; i < ruleStrings.length; i++){
                            String ruleString = ruleStrings[i];
                            Rule foundRule = existingRules.get(ruleString);
                            if(foundRule == null){
                                // Get the cidr for the related entry in the Source Cidrs list
                                String relatedCidr = fwRule.sourceCidrs.get(i);
                                Pair<String,Integer> cidrParts = NetUtils.getCidr(relatedCidr);

                                // Create rule with correct proto, cidr, ACCEPT, dst IP
                                Rule toApply = preFilter.addRule()
                                        .type(DtoRule.Jump)
                                        .jumpChainId(preNat.getId())
                                        .position(1)
                                        .nwSrcAddress(cidrParts.first())
                                        .nwSrcLength(cidrParts.second())
                                        .nwDstAddress(ruleTO.getSrcIp())
                                        .nwDstLength(32)
View Full Code Here
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
            return false;
        }

        String accountIdStr = getAccountUuid(network);
        String networkUUIDStr = String.valueOf(network.getId());
        RuleChain preNat = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_PRENAT);
        RuleChain postNat = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_POST);
        RuleChain preFilter = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_PREFILTER);
        Router providerRouter = api.getRouter(_providerRouterId);
        Router tenantRouter = getOrCreateGuestNetworkRouter(network);
        RouterPort[] ports = getOrCreateProviderRouterPorts(tenantRouter, providerRouter);
        RouterPort providerDownlink = ports[1];

        // Rules in the preNat table
        Map<String, Rule> existingPreNatRules = new HashMap<String, Rule>();
        for (Rule existingRule : preNat.getRules()) {
            // The "port forwarding" rules we're interested in are dnat rules where src / dst ports are specified
            if(existingRule.getType().equals(DtoRule.DNAT) && existingRule.getTpDst() != null){
                String ruleString = new SimpleFirewallRule(existingRule).toStringArray()[0];
                existingPreNatRules.put(ruleString, existingRule);
            }
        }

        /*
         * Counts of rules associated with an IP address. Use this to check
         * how many rules we have of a given IP address. When it reaches 0,
         * we can delete the route associated with it.
         */
        Map<String, Integer> ipRuleCounts = new HashMap<String, Integer>();
        for (Rule rule : preNat.getRules()) {
            String ip = rule.getNwDstAddress();
            if (ip != null && rule.getNwDstLength() == 32) {
                if (ipRuleCounts.containsKey(ip)) {
                    ipRuleCounts.put(ip, new Integer(ipRuleCounts.get(ip).intValue() + 1));
                } else {
                    ipRuleCounts.put(ip, new Integer(1));
                }
            }
        }

        /*
         * Routes associated with IP. When we delete all the rules associated
         * with a given IP, we can delete the route associated with it.
         */
        Map<String, Route> routes = new HashMap<String, Route>();
        for (Route route : providerRouter.getRoutes(new MultivaluedMapImpl())) {
            String ip = route.getDstNetworkAddr();
            if (ip != null && route.getDstNetworkLength() == 32) {
                routes.put(ip, route);
            }
        }

        for (PortForwardingRule rule : rules) {
            IpAddress dstIp = _networkModel.getIp(rule.getSourceIpAddressId());
            PortForwardingRuleTO ruleTO = new PortForwardingRuleTO(rule, null, dstIp.getAddress().addr());
            SimpleFirewallRule fwRule = new SimpleFirewallRule(ruleTO);
            String[] ruleStrings = fwRule.toStringArray();

            if (rule.getState() == FirewallRule.State.Revoke) {
                /*
                 * Lookup in existingRules, delete if present
                 * We need to delete from both the preNat table and the
                 * postNat table.
                 */
                for(String revokeRuleString : ruleStrings){
                    Rule foundPreNatRule = existingPreNatRules.get(revokeRuleString);
                    if(foundPreNatRule != null){
                        String ip = foundPreNatRule.getNwDstAddress();
                        // is this the last rule associated with this IP?
                        Integer cnt = ipRuleCounts.get(ip);
                        if (cnt != null) {
                            if (cnt == 1) {
                                ipRuleCounts.remove(ip);
                                // no more rules for this IP. delete the route.
                                Route route = routes.remove(ip);
                                route.delete();
                            } else {
                                ipRuleCounts.put(ip, new Integer(ipRuleCounts.get(ip).intValue() - 1));
                            }
                        }
                        foundPreNatRule.delete();
                    }
                }
            } else if (rule.getState() == FirewallRule.State.Add) {
                for(int i = 0; i < ruleStrings.length; i++){
                    String ruleString = ruleStrings[i];
                    Rule foundRule = existingPreNatRules.get(ruleString);
                    if(foundRule == null){

                        String vmIp = ruleTO.getDstIp();
                        String publicIp = dstIp.getAddress().addr();
                        int privPortStart = ruleTO.getDstPortRange()[0];
                        int privPortEnd = ruleTO.getDstPortRange()[1];
                        int pubPortStart = ruleTO.getSrcPortRange()[0];
                        int pubPortEnd = ruleTO.getSrcPortRange()[1];

                        DtoRule.DtoNatTarget[] preTargets = new DtoRule.DtoNatTarget[]{
                            new DtoRule.DtoNatTarget(vmIp, vmIp, privPortStart, privPortEnd)};

                        Rule preNatRule = preNat.addRule()
                            .type(DtoRule.DNAT)
                            .flowAction(DtoRule.Accept)
                            .nwDstAddress(publicIp)
                            .nwDstLength(32)
                            .tpDst(new DtoRange(pubPortStart, pubPortEnd))
                            .natTargets(preTargets)
                            .nwProto(SimpleFirewallRule.stringToProtocolNumber(rule.getProtocol()))
                            .position(1);

                        Integer cnt = ipRuleCounts.get(publicIp);
                        if (cnt != null) {
                            ipRuleCounts.put(publicIp, new Integer(cnt.intValue() + 1));
                        } else {
                            ipRuleCounts.put(publicIp, new Integer(1));
                        }
                        String preNatRuleStr = new SimpleFirewallRule(preNatRule).toStringArray()[0];
                        existingPreNatRules.put(preNatRuleStr, preNatRule);
                        preNatRule.create();

                        if (routes.get(publicIp) == null) {
                            Route route = providerRouter.addRoute()
                                            .type("Normal")
                                            .weight(100)
                                            .srcNetworkAddr("0.0.0.0")
                                            .srcNetworkLength(0)
                                            .dstNetworkAddr(publicIp)
                                            .dstNetworkLength(32)
                                            .nextHopPort(providerDownlink.getId());
                            route.create();
                            routes.put(publicIp, route);
                        }

                        // If Firewall is in our service offering, set up the
                        // default firewall rule
                        if (canHandle(network, Service.Firewall)) {
                            boolean defaultBlock = false;
                            for (Rule filterRule : preFilter.getRules()) {
                                String pfDstIp = filterRule.getNwDstAddress();
                                if (pfDstIp != null && filterRule.getNwDstAddress().equals(publicIp)) {
                                    defaultBlock = true;
                                    break;
                                }
                            }
                            if (!defaultBlock) {
                                preFilter.addRule().type(DtoRule.Drop)
                                    .nwDstAddress(publicIp)
                                    .nwDstLength(32)
                                    .create();
                            }
                        }
View Full Code Here
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
    protected void resetEgressACLFilter(Network network) {
        boolean isVpc = getIsVpc(network);
        long id = getRouterId(network, isVpc);
        String routerName = getRouterName(isVpc, id);

        RuleChain egressChain = getChain(String.valueOf(network.getId()),
                                         getAccountUuid(network),
                                         routerName,
                                         RuleChainCode.ACL_EGRESS);

        // Clear all the rules out
        for (Rule rule : egressChain.getRules()) {
            rule.delete();
        }

        // Add a matchForwardFlow rule so that we can accept all return traffic
        egressChain.addRule().type(DtoRule.Accept)
            .matchForwardFlow(true)
            .position(1)
            .create();
    }
View Full Code Here
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
    protected RuleChain getOrInitEgressACLFilter(Network network) {
        boolean isVpc = getIsVpc(network);
        long id = getRouterId(network, isVpc);
        String routerName = getRouterName(isVpc, id);

        RuleChain egressChain = getChain(String.valueOf(network.getId()),
                                         getAccountUuid(network),
                                         routerName,
                                         RuleChainCode.ACL_EGRESS);

        // Rules set by the user will have a protocol, so we count the ACL
        // rules by counting how much have the nwProto field set.
        int totalRules = 0;
        for (Rule rule : egressChain.getRules()) {
            if (rule.getNwProto() != 0) {
                totalRules++;
            }
        }

        if (totalRules > 0) {
            // There are already rules present, no need to init.
            return egressChain;
        } else {
            // We need to delete any placeholder rules
            for (Rule rule : egressChain.getRules()) {
                rule.delete();
            }
        }

        int pos = 1;
        // If it is ARP, accept it
        egressChain.addRule().type(DtoRule.Accept)
            .dlType(0x0806)
            .position(pos++)
            .create();

        // If it is ICMP to the router, accept that
        egressChain.addRule().type(DtoRule.Accept)
            .nwProto(SimpleFirewallRule.stringToProtocolNumber("icmp"))
            .nwDstAddress(network.getGateway())
            .nwDstLength(32)
            .position(pos++)
            .create();

        // Everything else gets dropped
        egressChain.addRule()
            .type(DtoRule.Drop)
            .position(pos)
            .create();

        return egressChain;
View Full Code Here
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
        if (getIsVpc(network)) {
            // Create ACL filter chain for traffic coming INTO the network
            // (outbound from the port
            int pos = 1;

            RuleChain inc = api.addChain()
                .name(getChainName(String.valueOf(network.getId()),
                                   routerName,
                                   RuleChainCode.ACL_INGRESS))
                .tenantId(accountIdStr)
                .create();


            // If it is ARP, accept it
            inc.addRule().type(DtoRule.Accept)
                         .dlType(0x0806)
                         .position(pos++)
                         .create();

            // If it is ICMP to the router, accept that
            inc.addRule().type(DtoRule.Accept)
                   .nwProto(SimpleFirewallRule.stringToProtocolNumber("icmp"))
                         .nwDstAddress(network.getGateway())
                         .nwDstLength(32)
                         .position(pos++)
                         .create();

            // If it is connection tracked, accept that as well
            inc.addRule().type(DtoRule.Accept)
                         .matchReturnFlow(true)
                         .position(pos++)
                         .create();

            inc.addRule().type(DtoRule.Drop)
                         .position(pos)
                         .create();

            //
            RuleChain out = api.addChain()
                .name(getChainName(String.valueOf(network.getId()),
                                   routerName,
                                   RuleChainCode.ACL_EGRESS))
                .tenantId(accountIdStr)
                .create();

            // Creating the first default rule here that does nothing
            // but start connection tracking.
            out.addRule().type(DtoRule.Accept)
                         .matchForwardFlow(true)
                         .position(1)
                         .create();

            routerPort.outboundFilterId(inc.getId());
            routerPort.inboundFilterId(out.getId());
        }

        routerPort.create();

        // Link them up
View Full Code Here
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
    protected Router createRouter(long id, String accountUuid, boolean isVpc) {

        String routerName = getRouterName(isVpc, id);

        //Set up rule chains
        RuleChain pre = api.addChain()
                            .name(getChainName(routerName, RuleChainCode.TR_PRE))
                            .tenantId(accountUuid)
                            .create();
        RuleChain post = api.addChain()
                            .name(getChainName(routerName, RuleChainCode.TR_POST))
                            .tenantId(accountUuid)
                            .create();

        // Set up NAT and filter chains for pre-routing
        RuleChain preFilter = api.addChain()
                                  .name(getChainName(routerName, RuleChainCode.TR_PREFILTER))
                                  .tenantId(accountUuid)
                                  .create();
        RuleChain preNat = api.addChain()
                                  .name(getChainName(routerName, RuleChainCode.TR_PRENAT))
                                  .tenantId(accountUuid)
                                  .create();

        // Hook the chains in - first jump to Filter chain, then jump to Nat chain
        pre.addRule().type(DtoRule.Jump)
                     .jumpChainId(preFilter.getId())
                     .position(1)
                     .create();
        pre.addRule().type(DtoRule.Jump)
                     .jumpChainId(preNat.getId())
                     .position(2)
                     .create();

        return api.addRouter()
                   .tenantId(accountUuid)
View Full Code Here
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
            // Remove inbound and outbound filter chains
            String accountIdStr = String.valueOf(accountUuid);
            String routerName = getRouterName(isVpc, id);

            RuleChain pre = api.getChain(tenantRouter.getInboundFilterId());
            RuleChain preFilter = getChain(accountIdStr, routerName, RuleChainCode.TR_PREFILTER);
            RuleChain preNat = getChain(accountIdStr, routerName, RuleChainCode.TR_PRENAT);
            RuleChain post = api.getChain(tenantRouter.getOutboundFilterId());

            pre.delete();
            preFilter.delete();
            preNat.delete();
            post.delete();


            // Remove routes
            for(Route r : tenantRouter.getRoutes(new MultivaluedMapImpl())) {
                r.delete();
View Full Code Here
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
            // Remove inbound and outbound filter chains
            String accountIdStr = String.valueOf(accountUuid);
            String routerName = getRouterName(isVpc, id);

            RuleChain pre = api.getChain(tenantRouter.getInboundFilterId());
            RuleChain preFilter = getChain(accountIdStr, routerName, RuleChainCode.TR_PREFILTER);
            RuleChain preNat = getChain(accountIdStr, routerName, RuleChainCode.TR_PRENAT);
            RuleChain post = api.getChain(tenantRouter.getOutboundFilterId());

            pre.delete();
            preFilter.delete();
            preNat.delete();
            post.delete();

            // Remove routes
            for (Route r : tenantRouter.getRoutes(new MultivaluedMapImpl())) {
                r.delete();
            }
View Full Code Here
TOP

Related Classes of org.midonet.client.resource.RuleChain

  • com.cloud.network.element.MidoNetElement
    • Copyright © 2018 www.massapicom. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.