Package org.midonet.client.resource

Examples of org.midonet.client.resource.RuleChain


        RouterPort[] ports = null;

        RouterPort tenantUplink = null;
        RouterPort providerDownlink = null;

        RuleChain preNat = null;
        RuleChain post = null;
        String accountIdStr = null;
        String routerName = null;

        // Set Source NAT rules on router
        for (PublicIpAddress ip : ipAddress) {
View Full Code Here


        RouterPort[] ports = null;

        RouterPort tenantUplink = null;
        RouterPort providerDownlink = null;

        RuleChain preFilter = null;
        RuleChain preNat = null;
        RuleChain post = null;

        String accountIdStr = getAccountUuid(network);
        String networkUUIDStr = String.valueOf(network.getId());

        for (StaticNat rule : rules) {
View Full Code Here

            return false;
        }
        if (canHandle(config, Service.Firewall)) {
            String accountIdStr = getAccountUuid(config);
            String networkUUIDStr = String.valueOf(config.getId());
            RuleChain preFilter = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_PREFILTER);
            RuleChain preNat = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_PRENAT);

            // Create a map of Rule description -> Rule for quicker lookups
            Map<String, Rule> existingRules = new HashMap<String, Rule>();

            for (Rule existingRule : preFilter.getRules()) {
                // The "whitelist" rules we're interested in are the Jump rules where src address is specified
                if(existingRule.getType().equals(DtoRule.Jump) && existingRule.getNwSrcAddress() != null){
                    String ruleString = new SimpleFirewallRule(existingRule).toStringArray()[0];
                    existingRules.put(ruleString, existingRule);
                }
            }

            for (FirewallRule rule : rulesToApply) {
                if (rule.getState() == FirewallRule.State.Revoke || rule.getState() == FirewallRule.State.Add) {
                    IpAddress dstIp = _networkModel.getIp(rule.getSourceIpAddressId());
                    FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, dstIp.getAddress().addr());

                    // Convert to string representation
                    SimpleFirewallRule fwRule = new SimpleFirewallRule(ruleTO);
                    String[] ruleStrings = fwRule.toStringArray();

                    if (rule.getState() == FirewallRule.State.Revoke) {
                        // Lookup in existingRules, delete if present
                        for(String revokeRuleString : ruleStrings){
                            Rule foundRule = existingRules.get(revokeRuleString);
                            if(foundRule != null){
                                foundRule.delete();
                            }
                        }
                    } else if (rule.getState() == FirewallRule.State.Add) {
                        // Lookup in existingRules, add if not present
                        for(int i = 0; i < ruleStrings.length; i++){
                            String ruleString = ruleStrings[i];
                            Rule foundRule = existingRules.get(ruleString);
                            if(foundRule == null){
                                // Get the cidr for the related entry in the Source Cidrs list
                                String relatedCidr = fwRule.sourceCidrs.get(i);
                                Pair<String,Integer> cidrParts = NetUtils.getCidr(relatedCidr);

                                // Create rule with correct proto, cidr, ACCEPT, dst IP
                                Rule toApply = preFilter.addRule()
                                        .type(DtoRule.Jump)
                                        .jumpChainId(preNat.getId())
                                        .position(1)
                                        .nwSrcAddress(cidrParts.first())
                                        .nwSrcLength(cidrParts.second())
                                        .nwDstAddress(ruleTO.getSrcIp())
                                        .nwDstLength(32)
View Full Code Here

            return false;
        }

        String accountIdStr = getAccountUuid(network);
        String networkUUIDStr = String.valueOf(network.getId());
        RuleChain preNat = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_PRENAT);
        RuleChain postNat = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_POST);
        RuleChain preFilter = getChain(accountIdStr, networkUUIDStr, RuleChainCode.TR_PREFILTER);
        Router providerRouter = api.getRouter(_providerRouterId);
        Router tenantRouter = getOrCreateGuestNetworkRouter(network);
        RouterPort[] ports = getOrCreateProviderRouterPorts(tenantRouter, providerRouter);
        RouterPort providerDownlink = ports[1];

        // Rules in the preNat table
        Map<String, Rule> existingPreNatRules = new HashMap<String, Rule>();
        for (Rule existingRule : preNat.getRules()) {
            // The "port forwarding" rules we're interested in are dnat rules where src / dst ports are specified
            if(existingRule.getType().equals(DtoRule.DNAT) && existingRule.getTpDst() != null){
                String ruleString = new SimpleFirewallRule(existingRule).toStringArray()[0];
                existingPreNatRules.put(ruleString, existingRule);
            }
        }

        /*
         * Counts of rules associated with an IP address. Use this to check
         * how many rules we have of a given IP address. When it reaches 0,
         * we can delete the route associated with it.
         */
        Map<String, Integer> ipRuleCounts = new HashMap<String, Integer>();
        for (Rule rule : preNat.getRules()) {
            String ip = rule.getNwDstAddress();
            if (ip != null && rule.getNwDstLength() == 32) {
                if (ipRuleCounts.containsKey(ip)) {
                    ipRuleCounts.put(ip, new Integer(ipRuleCounts.get(ip).intValue() + 1));
                } else {
                    ipRuleCounts.put(ip, new Integer(1));
                }
            }
        }

        /*
         * Routes associated with IP. When we delete all the rules associated
         * with a given IP, we can delete the route associated with it.
         */
        Map<String, Route> routes = new HashMap<String, Route>();
        for (Route route : providerRouter.getRoutes(new MultivaluedMapImpl())) {
            String ip = route.getDstNetworkAddr();
            if (ip != null && route.getDstNetworkLength() == 32) {
                routes.put(ip, route);
            }
        }

        for (PortForwardingRule rule : rules) {
            IpAddress dstIp = _networkModel.getIp(rule.getSourceIpAddressId());
            PortForwardingRuleTO ruleTO = new PortForwardingRuleTO(rule, null, dstIp.getAddress().addr());
            SimpleFirewallRule fwRule = new SimpleFirewallRule(ruleTO);
            String[] ruleStrings = fwRule.toStringArray();

            if (rule.getState() == FirewallRule.State.Revoke) {
                /*
                 * Lookup in existingRules, delete if present
                 * We need to delete from both the preNat table and the
                 * postNat table.
                 */
                for(String revokeRuleString : ruleStrings){
                    Rule foundPreNatRule = existingPreNatRules.get(revokeRuleString);
                    if(foundPreNatRule != null){
                        String ip = foundPreNatRule.getNwDstAddress();
                        // is this the last rule associated with this IP?
                        Integer cnt = ipRuleCounts.get(ip);
                        if (cnt != null) {
                            if (cnt == 1) {
                                ipRuleCounts.remove(ip);
                                // no more rules for this IP. delete the route.
                                Route route = routes.remove(ip);
                                route.delete();
                            } else {
                                ipRuleCounts.put(ip, new Integer(ipRuleCounts.get(ip).intValue() - 1));
                            }
                        }
                        foundPreNatRule.delete();
                    }
                }
            } else if (rule.getState() == FirewallRule.State.Add) {
                for(int i = 0; i < ruleStrings.length; i++){
                    String ruleString = ruleStrings[i];
                    Rule foundRule = existingPreNatRules.get(ruleString);
                    if(foundRule == null){

                        String vmIp = ruleTO.getDstIp();
                        String publicIp = dstIp.getAddress().addr();
                        int privPortStart = ruleTO.getDstPortRange()[0];
                        int privPortEnd = ruleTO.getDstPortRange()[1];
                        int pubPortStart = ruleTO.getSrcPortRange()[0];
                        int pubPortEnd = ruleTO.getSrcPortRange()[1];

                        DtoRule.DtoNatTarget[] preTargets = new DtoRule.DtoNatTarget[]{
                            new DtoRule.DtoNatTarget(vmIp, vmIp, privPortStart, privPortEnd)};

                        Rule preNatRule = preNat.addRule()
                            .type(DtoRule.DNAT)
                            .flowAction(DtoRule.Accept)
                            .nwDstAddress(publicIp)
                            .nwDstLength(32)
                            .tpDst(new DtoRange(pubPortStart, pubPortEnd))
                            .natTargets(preTargets)
                            .nwProto(SimpleFirewallRule.stringToProtocolNumber(rule.getProtocol()))
                            .position(1);

                        Integer cnt = ipRuleCounts.get(publicIp);
                        if (cnt != null) {
                            ipRuleCounts.put(publicIp, new Integer(cnt.intValue() + 1));
                        } else {
                            ipRuleCounts.put(publicIp, new Integer(1));
                        }
                        String preNatRuleStr = new SimpleFirewallRule(preNatRule).toStringArray()[0];
                        existingPreNatRules.put(preNatRuleStr, preNatRule);
                        preNatRule.create();

                        if (routes.get(publicIp) == null) {
                            Route route = providerRouter.addRoute()
                                            .type("Normal")
                                            .weight(100)
                                            .srcNetworkAddr("0.0.0.0")
                                            .srcNetworkLength(0)
                                            .dstNetworkAddr(publicIp)
                                            .dstNetworkLength(32)
                                            .nextHopPort(providerDownlink.getId());
                            route.create();
                            routes.put(publicIp, route);
                        }

                        // If Firewall is in our service offering, set up the
                        // default firewall rule
                        if (canHandle(network, Service.Firewall)) {
                            boolean defaultBlock = false;
                            for (Rule filterRule : preFilter.getRules()) {
                                String pfDstIp = filterRule.getNwDstAddress();
                                if (pfDstIp != null && filterRule.getNwDstAddress().equals(publicIp)) {
                                    defaultBlock = true;
                                    break;
                                }
                            }
                            if (!defaultBlock) {
                                preFilter.addRule().type(DtoRule.Drop)
                                    .nwDstAddress(publicIp)
                                    .nwDstLength(32)
                                    .create();
                            }
                        }
View Full Code Here

    protected void resetEgressACLFilter(Network network) {
        boolean isVpc = getIsVpc(network);
        long id = getRouterId(network, isVpc);
        String routerName = getRouterName(isVpc, id);

        RuleChain egressChain = getChain(String.valueOf(network.getId()),
                                         getAccountUuid(network),
                                         routerName,
                                         RuleChainCode.ACL_EGRESS);

        // Clear all the rules out
        for (Rule rule : egressChain.getRules()) {
            rule.delete();
        }

        // Add a matchForwardFlow rule so that we can accept all return traffic
        egressChain.addRule().type(DtoRule.Accept)
            .matchForwardFlow(true)
            .position(1)
            .create();
    }
View Full Code Here

    protected RuleChain getOrInitEgressACLFilter(Network network) {
        boolean isVpc = getIsVpc(network);
        long id = getRouterId(network, isVpc);
        String routerName = getRouterName(isVpc, id);

        RuleChain egressChain = getChain(String.valueOf(network.getId()),
                                         getAccountUuid(network),
                                         routerName,
                                         RuleChainCode.ACL_EGRESS);

        // Rules set by the user will have a protocol, so we count the ACL
        // rules by counting how much have the nwProto field set.
        int totalRules = 0;
        for (Rule rule : egressChain.getRules()) {
            if (rule.getNwProto() != 0) {
                totalRules++;
            }
        }

        if (totalRules > 0) {
            // There are already rules present, no need to init.
            return egressChain;
        } else {
            // We need to delete any placeholder rules
            for (Rule rule : egressChain.getRules()) {
                rule.delete();
            }
        }

        int pos = 1;
        // If it is ARP, accept it
        egressChain.addRule().type(DtoRule.Accept)
            .dlType(0x0806)
            .position(pos++)
            .create();

        // If it is ICMP to the router, accept that
        egressChain.addRule().type(DtoRule.Accept)
            .nwProto(SimpleFirewallRule.stringToProtocolNumber("icmp"))
            .nwDstAddress(network.getGateway())
            .nwDstLength(32)
            .position(pos++)
            .create();

        // Everything else gets dropped
        egressChain.addRule()
            .type(DtoRule.Drop)
            .position(pos)
            .create();

        return egressChain;
View Full Code Here

        if (getIsVpc(network)) {
            // Create ACL filter chain for traffic coming INTO the network
            // (outbound from the port
            int pos = 1;

            RuleChain inc = api.addChain()
                .name(getChainName(String.valueOf(network.getId()),
                                   routerName,
                                   RuleChainCode.ACL_INGRESS))
                .tenantId(accountIdStr)
                .create();


            // If it is ARP, accept it
            inc.addRule().type(DtoRule.Accept)
                         .dlType(0x0806)
                         .position(pos++)
                         .create();

            // If it is ICMP to the router, accept that
            inc.addRule().type(DtoRule.Accept)
                   .nwProto(SimpleFirewallRule.stringToProtocolNumber("icmp"))
                         .nwDstAddress(network.getGateway())
                         .nwDstLength(32)
                         .position(pos++)
                         .create();

            // If it is connection tracked, accept that as well
            inc.addRule().type(DtoRule.Accept)
                         .matchReturnFlow(true)
                         .position(pos++)
                         .create();

            inc.addRule().type(DtoRule.Drop)
                         .position(pos)
                         .create();

            //
            RuleChain out = api.addChain()
                .name(getChainName(String.valueOf(network.getId()),
                                   routerName,
                                   RuleChainCode.ACL_EGRESS))
                .tenantId(accountIdStr)
                .create();

            // Creating the first default rule here that does nothing
            // but start connection tracking.
            out.addRule().type(DtoRule.Accept)
                         .matchForwardFlow(true)
                         .position(1)
                         .create();

            routerPort.outboundFilterId(inc.getId());
            routerPort.inboundFilterId(out.getId());
        }

        routerPort.create();

        // Link them up
View Full Code Here

    protected Router createRouter(long id, String accountUuid, boolean isVpc) {

        String routerName = getRouterName(isVpc, id);

        //Set up rule chains
        RuleChain pre = api.addChain()
                            .name(getChainName(routerName, RuleChainCode.TR_PRE))
                            .tenantId(accountUuid)
                            .create();
        RuleChain post = api.addChain()
                            .name(getChainName(routerName, RuleChainCode.TR_POST))
                            .tenantId(accountUuid)
                            .create();

        // Set up NAT and filter chains for pre-routing
        RuleChain preFilter = api.addChain()
                                  .name(getChainName(routerName, RuleChainCode.TR_PREFILTER))
                                  .tenantId(accountUuid)
                                  .create();
        RuleChain preNat = api.addChain()
                                  .name(getChainName(routerName, RuleChainCode.TR_PRENAT))
                                  .tenantId(accountUuid)
                                  .create();

        // Hook the chains in - first jump to Filter chain, then jump to Nat chain
        pre.addRule().type(DtoRule.Jump)
                     .jumpChainId(preFilter.getId())
                     .position(1)
                     .create();
        pre.addRule().type(DtoRule.Jump)
                     .jumpChainId(preNat.getId())
                     .position(2)
                     .create();

        return api.addRouter()
                   .tenantId(accountUuid)
View Full Code Here

            // Remove inbound and outbound filter chains
            String accountIdStr = String.valueOf(accountUuid);
            String routerName = getRouterName(isVpc, id);

            RuleChain pre = api.getChain(tenantRouter.getInboundFilterId());
            RuleChain preFilter = getChain(accountIdStr, routerName, RuleChainCode.TR_PREFILTER);
            RuleChain preNat = getChain(accountIdStr, routerName, RuleChainCode.TR_PRENAT);
            RuleChain post = api.getChain(tenantRouter.getOutboundFilterId());

            pre.delete();
            preFilter.delete();
            preNat.delete();
            post.delete();


            // Remove routes
            for(Route r : tenantRouter.getRoutes(new MultivaluedMapImpl())) {
                r.delete();
View Full Code Here

            // Remove inbound and outbound filter chains
            String accountIdStr = String.valueOf(accountUuid);
            String routerName = getRouterName(isVpc, id);

            RuleChain pre = api.getChain(tenantRouter.getInboundFilterId());
            RuleChain preFilter = getChain(accountIdStr, routerName, RuleChainCode.TR_PREFILTER);
            RuleChain preNat = getChain(accountIdStr, routerName, RuleChainCode.TR_PRENAT);
            RuleChain post = api.getChain(tenantRouter.getOutboundFilterId());

            pre.delete();
            preFilter.delete();
            preNat.delete();
            post.delete();

            // Remove routes
            for (Route r : tenantRouter.getRoutes(new MultivaluedMapImpl())) {
                r.delete();
            }
View Full Code Here

TOP

Related Classes of org.midonet.client.resource.RuleChain

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.