From 8978839d96a3181181ba50a8bc53ef0c600adb4f Mon Sep 17 00:00:00 2001 From: alena Date: Thu, 17 Feb 2011 13:22:22 -0800 Subject: [PATCH] bug 8617: Disable firewall/lb/vpn service for Direct network offering, so when user tries to create PF/LB rule for direct IP address, it fails. status 8617: resolved fixed --- .../commands/CreateIpForwardingRuleCmd.java | 8 +- api/src/com/cloud/network/NetworkService.java | 7 + api/src/com/cloud/network/Networks.java | 8 - server/src/com/cloud/api/ApiDBUtils.java | 4 +- .../src/com/cloud/api/ApiResponseHelper.java | 2 +- .../ConfigurationManagerImpl.java | 15 +- .../src/com/cloud/network/NetworkManager.java | 4 +- .../com/cloud/network/NetworkManagerImpl.java | 92 +++++++- .../lb/LoadBalancingRulesManagerImpl.java | 15 +- .../cloud/network/rules/RulesManagerImpl.java | 207 ++++++++++-------- .../vpn/RemoteAccessVpnManagerImpl.java | 6 + .../cloud/offerings/NetworkOfferingVO.java | 10 +- .../cloud/server/ConfigurationServerImpl.java | 28 ++- .../src/com/cloud/vm/UserVmManagerImpl.java | 6 +- 14 files changed, 283 insertions(+), 129 deletions(-) diff --git a/api/src/com/cloud/api/commands/CreateIpForwardingRuleCmd.java b/api/src/com/cloud/api/commands/CreateIpForwardingRuleCmd.java index 8ee28f75300..098fce762ab 100644 --- a/api/src/com/cloud/api/commands/CreateIpForwardingRuleCmd.java +++ b/api/src/com/cloud/api/commands/CreateIpForwardingRuleCmd.java @@ -30,6 +30,7 @@ import com.cloud.api.ServerApiException; import com.cloud.api.response.FirewallRuleResponse; import com.cloud.api.response.IpForwardingRuleResponse; import com.cloud.event.EventTypes; +import com.cloud.exception.InvalidParameterValueException; import com.cloud.exception.NetworkRuleConflictException; import com.cloud.network.IpAddress; import com.cloud.network.rules.FirewallRule; @@ -144,7 +145,12 @@ public class CreateIpForwardingRuleCmd extends BaseAsyncCreateCmd implements Sta } private long getVirtualMachineId() { - return _networkService.getIp(ipAddressId).getAssociatedWithVmId(); + Long vmId = _networkService.getIp(ipAddressId).getAssociatedWithVmId(); + + if (vmId == null) { + throw new InvalidParameterValueException("Ip address is not associated with any network, unable to create static nat rule"); + } + return vmId; } @Override diff --git a/api/src/com/cloud/network/NetworkService.java b/api/src/com/cloud/network/NetworkService.java index 87973a88d3f..cf1c07cc701 100644 --- a/api/src/com/cloud/network/NetworkService.java +++ b/api/src/com/cloud/network/NetworkService.java @@ -18,6 +18,7 @@ package com.cloud.network; import java.util.List; +import java.util.Map; import com.cloud.api.commands.AssociateIPAddrCmd; import com.cloud.api.commands.CreateNetworkCmd; @@ -31,6 +32,8 @@ import com.cloud.exception.InvalidParameterValueException; import com.cloud.exception.PermissionDeniedException; import com.cloud.exception.ResourceAllocationException; import com.cloud.exception.ResourceUnavailableException; +import com.cloud.network.Network.Capability; +import com.cloud.network.Network.Service; import com.cloud.offering.NetworkOffering; @@ -64,4 +67,8 @@ public interface NetworkService { NetworkProfile getNetworkProfile(long networkId); + Map> getZoneCapabilities(long zoneId); + + Map> getNetworkCapabilities(long networkId); + } diff --git a/api/src/com/cloud/network/Networks.java b/api/src/com/cloud/network/Networks.java index 4527574a4d3..e8c43574367 100644 --- a/api/src/com/cloud/network/Networks.java +++ b/api/src/com/cloud/network/Networks.java @@ -28,14 +28,6 @@ import com.cloud.utils.exception.CloudRuntimeException; */ public class Networks { - public enum Service { - Dhcp, - Dns, - Gateway, - LoadBalancer, - Firewall - } - public enum RouterPrivateIpStrategy { None, DcGlobal, //global to data center diff --git a/server/src/com/cloud/api/ApiDBUtils.java b/server/src/com/cloud/api/ApiDBUtils.java index 49c627ac1a7..7c5a218c4b5 100755 --- a/server/src/com/cloud/api/ApiDBUtils.java +++ b/server/src/com/cloud/api/ApiDBUtils.java @@ -516,8 +516,8 @@ public class ApiDBUtils { return _networkDao.findById(id); } - public static Map> getZoneCapabilities(long zoneId) { - return _networkMgr.getZoneCapabilities(zoneId); + public static Map> getNetworkCapabilities(long networkId) { + return _networkMgr.getNetworkCapabilities(networkId); } public static long getPublicNetworkIdByZone(long zoneId) { diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java index cc115fbb03e..c8416838164 100755 --- a/server/src/com/cloud/api/ApiResponseHelper.java +++ b/server/src/com/cloud/api/ApiResponseHelper.java @@ -2302,7 +2302,7 @@ public class ApiResponseHelper implements ResponseGenerator { response.setDns2(profile.getDns2()); //populate capability - Map> serviceCapabilitiesMap = ApiDBUtils.getZoneCapabilities(network.getDataCenterId()); + Map> serviceCapabilitiesMap = ApiDBUtils.getNetworkCapabilities(network.getId()); List serviceResponses = new ArrayList(); if (serviceCapabilitiesMap != null) { for (Service service : serviceCapabilitiesMap.keySet()) { diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java index 2802da7f2fa..ce641102ee9 100755 --- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java +++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java @@ -2434,7 +2434,20 @@ public class ConfigurationManagerImpl implements ConfigurationManager, Configura int networkRate = ((networkRateStr == null) ? 200 : Integer.parseInt(networkRateStr)); int multicastRate = ((multicastRateStr == null) ? 10 : Integer.parseInt(multicastRateStr)); tags = cleanupTags(tags); - NetworkOfferingVO offering = new NetworkOfferingVO(name, displayText, trafficType, false, specifyVlan, networkRate, multicastRate, maxConnections, false, availability, false, false, false, false, false, false, false); + + boolean firewallService = false; + boolean lbService = false; + boolean vpnService = false; + boolean gatewayService = false; + + if (trafficType == TrafficType.Guest) { + firewallService = true; + lbService = true; + vpnService = true; + gatewayService = true; + } + + NetworkOfferingVO offering = new NetworkOfferingVO(name, displayText, trafficType, false, specifyVlan, networkRate, multicastRate, maxConnections, false, availability, true, true, true, gatewayService, firewallService, lbService, vpnService); if ((offering = _networkOfferingDao.persist(offering)) != null) { return offering; diff --git a/server/src/com/cloud/network/NetworkManager.java b/server/src/com/cloud/network/NetworkManager.java index 664c0f1c576..c292447f05b 100644 --- a/server/src/com/cloud/network/NetworkManager.java +++ b/server/src/com/cloud/network/NetworkManager.java @@ -125,8 +125,6 @@ public interface NetworkManager extends NetworkService { boolean applyRules(List rules, boolean continueOnError) throws ResourceUnavailableException; - Map> getZoneCapabilities(long zoneId); - Network getSystemNetworkByZoneAndTrafficType(long zoneId, TrafficType trafficType); List getRemoteAccessVpnElements(); @@ -178,5 +176,7 @@ public interface NetworkManager extends NetworkService { boolean applyIpAssociations(Network network, boolean continueOnError) throws ResourceUnavailableException; boolean deleteNetworkInternal(long networkId, long userId); + + boolean isServiceSupported(long networkId, Network.Service service); } diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java index b02a7b75b9e..2b200291b8d 100755 --- a/server/src/com/cloud/network/NetworkManagerImpl.java +++ b/server/src/com/cloud/network/NetworkManagerImpl.java @@ -677,15 +677,50 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag NetworkOfferingVO storageNetworkOffering = new NetworkOfferingVO(NetworkOfferingVO.SystemStorageNetwork, TrafficType.Storage); storageNetworkOffering = _networkOfferingDao.persistDefaultNetworkOffering(storageNetworkOffering); _systemNetworks.put(NetworkOfferingVO.SystemStorageNetwork, storageNetworkOffering); - NetworkOfferingVO guestNetworkOffering = new NetworkOfferingVO(NetworkOfferingVO.SystemGuestNetwork, TrafficType.Guest); + NetworkOfferingVO guestNetworkOffering = new NetworkOfferingVO( + NetworkOffering.SystemGuestNetwork, + "System Offering for System-Guest-Network", + TrafficType.Guest, + true, + false, + null, + null, + null, + true, + Availability.Required, + //services - all true except for firewall/lb/vpn and gateway services + true, true, true, false, false,false, false); guestNetworkOffering = _networkOfferingDao.persistDefaultNetworkOffering(guestNetworkOffering); _systemNetworks.put(NetworkOfferingVO.SystemGuestNetwork, guestNetworkOffering); - NetworkOfferingVO defaultGuestNetworkOffering = new NetworkOfferingVO(NetworkOffering.DefaultVirtualizedNetworkOffering, "Virtual Vlan", TrafficType.Guest, false, false, null, null, null, true, Availability.Required, false, false, false, false, - false, false, false); + NetworkOfferingVO defaultGuestNetworkOffering = new NetworkOfferingVO( + NetworkOffering.DefaultVirtualizedNetworkOffering, + "Virtual Vlan", + TrafficType.Guest, + false, + false, + null, + null, + null, + true, + Availability.Required, + //services + true, true, true, true,true, true, true); + defaultGuestNetworkOffering = _networkOfferingDao.persistDefaultNetworkOffering(defaultGuestNetworkOffering); - NetworkOfferingVO defaultGuestDirectNetworkOffering = new NetworkOfferingVO(NetworkOffering.DefaultDirectNetworkOffering, "Direct", TrafficType.Public, false, false, null, null, null, true, Availability.Required, false, false, false, false, false, - false, false); + NetworkOfferingVO defaultGuestDirectNetworkOffering = new NetworkOfferingVO( + NetworkOffering.DefaultDirectNetworkOffering, + "Direct", + TrafficType.Public, + false, + false, + null, + null, + null, + true, + Availability.Required, + //services - all true except for firewall/lb/vpn and gateway services + true, true, true, false, false,false, false); defaultGuestDirectNetworkOffering = _networkOfferingDao.persistDefaultNetworkOffering(defaultGuestDirectNetworkOffering); AccountsUsingNetworkSearch = _accountDao.createSearchBuilder(); @@ -2009,7 +2044,7 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag providers.put(Service.UserData, dc.getUserDataProvider()); providers.put(Service.Dhcp, dc.getDhcpProvider()); - Map> networkCapabilities = new HashMap>(); + Map> zoneCapabilities = new HashMap>(); for (NetworkElement element : _networkElements) { if (providers.isEmpty()) { @@ -2031,7 +2066,7 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag assert (service.containsCapability(capability)) : "Capability " + capability.getName() + " is not supported by the service " + service.getName(); } } - networkCapabilities.put(service, capabilities); + zoneCapabilities.put(service, capabilities); it.remove(); } } @@ -2039,6 +2074,26 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag } } } + return zoneCapabilities; + } + + + @Override + public Map> getNetworkCapabilities(long networkId) { + Network network = getNetwork(networkId); + if (network == null) { + throw new InvalidParameterValueException("Unable to find network by id " + networkId); + } + + Map> zoneCapabilities = getZoneCapabilities(network.getDataCenterId()); + Map> networkCapabilities = new HashMap>(); + + for (Service service : zoneCapabilities.keySet()) { + if (isServiceSupported(networkId, service)) { + networkCapabilities.put(service, zoneCapabilities.get(service)); + } + } + return networkCapabilities; } @@ -2239,4 +2294,27 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag Network.Provider.F5BigIp.getName())); } + + @Override + public boolean isServiceSupported(long networkId, Network.Service service) { + Network network = getNetwork(networkId); + NetworkOffering offering = _configMgr.getNetworkOffering(network.getNetworkOfferingId()); + if (service == Service.Lb) { + return offering.isLbService(); + } else if (service == Service.Dhcp) { + return offering.isDhcpService(); + } else if (service == Service.Dns) { + return offering.isDnsService(); + } else if (service == Service.Firewall) { + return offering.isFirewallService(); + } else if (service == Service.UserData) { + return offering.isUserdataService(); + } else if (service == Service.Vpn) { + return offering.isVpnService(); + } else if (service == Service.Gateway) { + return offering.isGatewayService(); + } + + return false; + } } diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java index c5173439537..b8480e898e0 100644 --- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java +++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java @@ -49,6 +49,7 @@ import com.cloud.exception.ResourceUnavailableException; import com.cloud.network.IPAddressVO; import com.cloud.network.LoadBalancerVMMapVO; import com.cloud.network.LoadBalancerVO; +import com.cloud.network.Network.Service; import com.cloud.network.NetworkManager; import com.cloud.network.dao.FirewallRulesDao; import com.cloud.network.dao.IPAddressDao; @@ -355,11 +356,19 @@ public class LoadBalancingRulesManagerImpl implements LoadBalancingRulesManager, throw new InvalidParameterValueException("Invalid algorithm: " + lb.getAlgorithm()); } - Long networkId = lb.getNetworkId(); - if (networkId == -1 ) { - networkId = ipAddr.getAssociatedWithNetworkId(); + Long networkId = ipAddr.getAssociatedWithNetworkId(); + if (networkId == null) { + throw new InvalidParameterValueException("Unable to create load balancer rule ; ip id=" + ipId + " is not associated with any network"); + } + _accountMgr.checkAccess(caller.getCaller(), ipAddr); + + //verify that lb service is supported by the network + if (!_networkMgr.isServiceSupported(networkId, Service.Lb)) { + throw new InvalidParameterValueException("LB service is not supported in network id=" + networkId); + } + LoadBalancerVO newRule = new LoadBalancerVO(lb.getXid(), lb.getName(), lb.getDescription(), lb.getSourceIpAddressId(), lb.getSourcePortEnd(), lb.getDefaultPortStart(), lb.getAlgorithm(), networkId, ipAddr.getAccountId(), ipAddr.getDomainId()); diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java index 659bed9a949..69472620ddc 100644 --- a/server/src/com/cloud/network/rules/RulesManagerImpl.java +++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java @@ -179,6 +179,9 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { public PortForwardingRule createPortForwardingRule(PortForwardingRule rule, Long vmId) throws NetworkRuleConflictException { UserContext ctx = UserContext.current(); Account caller = ctx.getCaller(); + Long networkId = null; + Long accountId = null; + Long domainId = null; Long ipAddrId = rule.getSourceIpAddressId(); @@ -189,42 +192,31 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { throw new InvalidParameterValueException("Unable to create port forwarding rule; ip id=" + ipAddrId + " doesn't exist in the system"); } else if (ipAddress.isOneToOneNat()) { throw new InvalidParameterValueException("Unable to create port forwarding rule; ip id=" + ipAddrId + " has static nat enabled"); - }else { - _accountMgr.checkAccess(caller, ipAddress); - } - - Ip dstIp = rule.getDestinationIpAddress(); - long networkId; - UserVmVO vm = null; - Network network = null; - if (vmId != null) { - // validate user VM exists - vm = _vmDao.findById(vmId); - if (vm == null) { - throw new InvalidParameterValueException("Unable to create port forwarding rule on address " + ipAddress + ", invalid virtual machine id specified (" + vmId + ")."); - } else { - checkRuleAndUserVm(rule, vm, caller); - } - - Pair guestNic = getUserVmGuestIpAddress(vm, false); - dstIp = guestNic.second(); - network = guestNic.first(); - - if (network == null) { - throw new CloudRuntimeException("Unable to find ip address to map to in vm id=" + vmId); - } } else { - network = _networkMgr.getNetwork(rule.getNetworkId()); - if (network == null) { - throw new InvalidParameterValueException("Unable to get the network " + rule.getNetworkId()); - } - } + _accountMgr.checkAccess(caller, ipAddress); + + networkId = ipAddress.getAssociatedWithNetworkId(); + if (networkId == null) { + throw new InvalidParameterValueException("Unable to create port forwarding rule ; ip id=" + ipAddrId + " is not associated with any network"); - _accountMgr.checkAccess(caller, network); + } + //get account/domain info from the ip address (can't get it from the network as the network can be shared between accounts) + accountId = ipAddress.getAccountId(); + domainId = ipAddress.getDomainId(); + } - networkId = network.getId(); - long accountId = network.getAccountId(); - long domainId = network.getDomainId(); + //start port can't be bigger than end port + if (rule.getDestinationPortStart() > rule.getDestinationPortEnd() || rule.getSourcePortStart() > rule.getSourcePortEnd()) { + throw new InvalidParameterValueException("Start port can't be bigger than end port"); + } + + Network network = _networkMgr.getNetwork(networkId); + assert network != null : "Can't create port forwarding rule as network associated with public ip address is null...how is it possible?"; + + //verify that firewall service is supported by the network + if (!_networkMgr.isServiceSupported(networkId, Service.Firewall)) { + throw new InvalidParameterValueException("Firewall service is not supported in network id=" + networkId); + } //Verify that the network guru supports the protocol specified Map firewallCapability = _networkMgr.getServiceCapability(network.getDataCenterId(), Service.Firewall); @@ -233,9 +225,21 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { throw new InvalidParameterValueException("Protocol " + rule.getProtocol() + " is not supported in zone " + network.getDataCenterId()); } - //start port can't be bigger than end port - if (rule.getDestinationPortStart() > rule.getDestinationPortEnd() || rule.getSourcePortStart() > rule.getSourcePortEnd()) { - throw new InvalidParameterValueException("Start port can't be bigger than end port"); + // validate user VM exists + UserVm vm = _vmDao.findById(vmId); + if (vm == null) { + throw new InvalidParameterValueException("Unable to create port forwarding rule on address " + ipAddress + ", invalid virtual machine id specified (" + vmId + ")."); + } else { + checkRuleAndUserVm(rule, vm, caller); + } + + //Verify that vm has nic in the network + Ip dstIp = rule.getDestinationIpAddress(); + Nic guestNic = _networkMgr.getNicInNetwork(vmId, networkId); + if (guestNic == null || guestNic.getIp4Address() == null) { + throw new InvalidParameterValueException("Vm doesn't belong to network associated with ipAddress"); + } else { + dstIp = new Ip(guestNic.getIp4Address()); } PortForwardingRuleVO newRule = @@ -270,12 +274,12 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { } } - - @Override @ActionEvent (eventType=EventTypes.EVENT_NET_RULE_ADD, eventDescription="creating static nat rule", create=true) public StaticNatRule createStaticNatRule(StaticNatRule rule) throws NetworkRuleConflictException { - UserContext ctx = UserContext.current(); - Account caller = ctx.getCaller(); + Account caller = UserContext.current().getCaller(); + Long networkId = null; + Long accountId = null; + Long domainId = null; Long ipAddrId = rule.getSourceIpAddressId(); @@ -286,39 +290,49 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { throw new InvalidParameterValueException("Unable to create static nat rule; ip id=" + ipAddrId + " doesn't exist in the system"); } else if (ipAddress.isSourceNat() || !ipAddress.isOneToOneNat() || ipAddress.getAssociatedWithVmId() == null) { throw new NetworkRuleConflictException("Can't do static nat on ip address: " + ipAddress.getAddress()); - }else { + } else { _accountMgr.checkAccess(caller, ipAddress); + + networkId = ipAddress.getAssociatedWithNetworkId(); + if (networkId == null) { + throw new InvalidParameterValueException("Unable to create static nat rule ; ip id=" + ipAddrId + " is not associated with any network"); + + } + //get account/domain info from the ip address (can't get it from the network as the network can be shared between accounts) + accountId = ipAddress.getAccountId(); + domainId = ipAddress.getDomainId(); } - //Get vm information and verify it - long vmId = ipAddress.getAssociatedWithVmId(); - - // validate user VM exists - UserVmVO vm = _vmDao.findById(vmId); + Network network = _networkMgr.getNetwork(networkId); + assert network != null : "Can't create static nat rule as network associated with public ip address is null...how is it possible?"; + + //Validate user vm information + UserVmVO vm = _vmDao.findById(ipAddress.getAssociatedWithVmId()); if (vm == null) { - throw new InvalidParameterValueException("Unable to create ip forwarding rule on address " + ipAddress + ", invalid virtual machine id specified (" + vmId + ")."); + throw new InvalidParameterValueException("Unable to create ip forwarding rule on address " + ipAddress + ", invalid virtual machine id specified (" + vm.getId() + ")."); } else { checkRuleAndUserVm(rule, vm, caller); } - Pair guestNic = getUserVmGuestIpAddress(vm, false); - Ip dstIp = guestNic.second(); - Network guestNetwork = guestNic.first(); - - if (guestNetwork == null) { - throw new CloudRuntimeException("Unable to find ip address to map to in vm id=" + vmId); + //Verify that vm has nic in the network + String dstIp = rule.getDestIpAddress(); + Nic guestNic = _networkMgr.getNicInNetwork(vm.getId(), networkId); + if (guestNic == null || guestNic.getIp4Address() == null) { + throw new InvalidParameterValueException("Vm doesn't belong to network associated with ipAddress"); + } else { + dstIp = guestNic.getIp4Address(); } - - _accountMgr.checkAccess(caller, guestNetwork); - long accountId = guestNetwork.getAccountId(); - long domainId = guestNetwork.getDomainId(); + //verify that firewall service is supported by the network + if (!_networkMgr.isServiceSupported(networkId, Service.Firewall)) { + throw new InvalidParameterValueException("Firewall service is not supported in network id=" + networkId); + } //Verify that the network guru supports the protocol specified - Map firewallCapability = _networkMgr.getServiceCapability(guestNetwork.getDataCenterId(), Service.Firewall); + Map firewallCapability = _networkMgr.getServiceCapability(network.getDataCenterId(), Service.Firewall); String supportedProtocols = firewallCapability.get(Capability.SupportedProtocols).toLowerCase(); if (!supportedProtocols.contains(rule.getProtocol().toLowerCase())) { - throw new InvalidParameterValueException("Protocol " + rule.getProtocol() + " is not supported in zone " + guestNetwork.getDataCenterId()); + throw new InvalidParameterValueException("Protocol " + rule.getProtocol() + " is not supported in zone " + network.getDataCenterId()); } //start port can't be bigger than end port @@ -332,7 +346,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getProtocol().toLowerCase(), - guestNetwork.getId(), + networkId, accountId, domainId, rule.getPurpose()); @@ -347,7 +361,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { UsageEventVO usageEvent = new UsageEventVO(EventTypes.EVENT_NET_RULE_ADD, newRule.getAccountId(), 0, newRule.getId(), null); _usageEventDao.persist(usageEvent); - StaticNatRule staticNatRule = new StaticNatRuleImpl(newRule, dstIp.addr()); + StaticNatRule staticNatRule = new StaticNatRuleImpl(newRule, dstIp); return staticNatRule; } catch (Exception e) { @@ -362,21 +376,38 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { @Override public boolean enableOneToOneNat(long ipId, long vmId) throws NetworkRuleConflictException{ - IPAddressVO ipAddress = _ipAddressDao.findById(ipId); + Account caller = UserContext.current().getCaller(); - UserVmVO vm = null; - vm = _vmDao.findById(vmId); + //Verify input parameters + UserVmVO vm = _vmDao.findById(vmId); if (vm == null) { - throw new InvalidParameterValueException("Can't enable static nat for the address " + ipAddress + ", invalid virtual machine id specified (" + vmId + ")."); + throw new InvalidParameterValueException("Can't enable static nat for the address id=" + ipId + ", invalid virtual machine id specified (" + vmId + ")."); } + IPAddressVO ipAddress = _ipAddressDao.findById(ipId); + if (ipAddress == null) { + throw new InvalidParameterValueException("Unable to find ip address by id " + ipId); + } + + //Check permissions checkIpAndUserVm(ipAddress, vm, caller); + //Verify that the ip is associated with the network and firewallService is supported for the network + Long networkId = ipAddress.getAssociatedWithNetworkId(); + if (networkId == null) { + throw new InvalidParameterValueException("Unable to enable static nat for the ipAddress id=" + ipId + " as ip is not associated with any network"); + } + + if (!_networkMgr.isServiceSupported(networkId, Service.Firewall)) { + throw new InvalidParameterValueException("Unable to create static nat rule; Firewall service is not supported in network id=" + networkId); + } + + //Verify ip address parameter if (ipAddress.isSourceNat()) { throw new InvalidParameterValueException("Can't enable static, ip address id=" + ipId + " is a sourceNat ip address"); - } - + } + if (!ipAddress.isOneToOneNat()) { List rules = _firewallDao.listByIpAndNotRevoked(ipId, Purpose.PortForwarding); if (rules != null && !rules.isEmpty()) { @@ -394,7 +425,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { if (!ips.isEmpty()) { throw new InvalidParameterValueException("Failed to enable static nat for the ip address id=" + ipId + " as vm id=" + " is already associated with ip id=" + ips.get(0).getId()); } - + ipAddress.setOneToOneNat(true); ipAddress.setAssociatedWithVmId(vmId); return _ipAddressDao.update(ipAddress.getId(), ipAddress); @@ -448,8 +479,6 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { private boolean revokePortForwardingRuleInternal(long ruleId, Account caller, long userId, boolean apply) { PortForwardingRuleVO rule = _forwardingDao.findById(ruleId); - - long ownerId = rule.getAccountId(); revokeRule(rule, caller, userId); @@ -461,7 +490,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { success = true; } if(success){ - UsageEventVO usageEvent = new UsageEventVO(EventTypes.EVENT_NET_RULE_DELETE, ownerId, 0, ruleId, null); + UsageEventVO usageEvent = new UsageEventVO(EventTypes.EVENT_NET_RULE_DELETE, rule.getAccountId(), 0, ruleId, null); _usageEventDao.persist(usageEvent); } return success; @@ -649,17 +678,21 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { UserVmVO vm = _vmDao.findById(sourceIp.getAssociatedWithVmId()); - Pair guestNic = getUserVmGuestIpAddress(vm, true); - Ip dstIp = guestNic.second(); - Network network = guestNic.first(); + Long networkId = sourceIp.getAssociatedWithNetworkId(); + if (networkId == null) { + throw new CloudRuntimeException("Ip address is not associated with any network"); + } + + Network network = _networkMgr.getNetwork(networkId); if (network == null) { throw new CloudRuntimeException("Unable to find ip address to map to in vm id=" + vm.getId()); } + Nic guestNic = _networkMgr.getNicInNetwork(vm.getId(), networkId); FirewallRuleVO ruleVO = _firewallDao.findById(rule.getId()); - staticNatRules.add(new StaticNatRuleImpl(ruleVO, dstIp.addr())); + staticNatRules.add(new StaticNatRuleImpl(ruleVO, guestNic.getIp4Address())); } if (caller != null) { @@ -722,15 +755,10 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { UserVmVO vm = _vmDao.findById(sourceIp.getAssociatedWithVmId()); - Pair guestNic = getUserVmGuestIpAddress(vm, true); - Ip dstIp = guestNic.second(); - Network network = guestNic.first(); + Nic guestNic = _networkMgr.getNicInNetwork(vm.getId(), networkId); + String dstIp = guestNic.getIp4Address(); - if (network == null) { - throw new CloudRuntimeException("Unable to find ip address to map to in vm id=" + vm.getId()); - } - - staticNatRules.add(new StaticNatRuleImpl(rule, dstIp.addr())); + staticNatRules.add(new StaticNatRuleImpl(rule, dstIp)); } try { @@ -1055,20 +1083,13 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { IpAddress ip = _ipAddressDao.findById(rule.getSourceIpAddressId()); FirewallRuleVO ruleVO = _firewallDao.findById(rule.getId()); - if (ip == null || !ip.isOneToOneNat()) { + if (ip == null || !ip.isOneToOneNat() || ip.getAssociatedWithVmId() == null) { throw new InvalidParameterValueException("Source ip address of the rule id=" + rule.getId() + " is not static nat enabled"); } - UserVm vm = _vmDao.findById(ip.getAssociatedWithVmId()); + Nic guestNic = _networkMgr.getNicInNetwork(ip.getAssociatedWithVmId(), rule.getNetworkId()); - if (vm == null) { - throw new InvalidParameterValueException("Static nat rule id=" + rule.getId() + " doesn't have vm assocaited with it"); - } - - Pair guestNic = getUserVmGuestIpAddress(vm, false); - Ip dstIp = guestNic.second(); - - return new StaticNatRuleImpl(ruleVO, dstIp.addr()); + return new StaticNatRuleImpl(ruleVO, guestNic.getIp4Address()); } } diff --git a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java index c42b364650b..5fb03faf1ff 100644 --- a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java +++ b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java @@ -37,6 +37,7 @@ import com.cloud.exception.InvalidParameterValueException; import com.cloud.exception.NetworkRuleConflictException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.network.Network; +import com.cloud.network.Network.Service; import com.cloud.network.NetworkManager; import com.cloud.network.PublicIpAddress; import com.cloud.network.RemoteAccessVpn; @@ -128,6 +129,11 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag } throw new InvalidParameterValueException("A Remote Access VPN already exists for this account"); } + + //Verify that vpn service is enabled for the network + if (!_networkMgr.isServiceSupported(ipAddr.getAssociatedWithNetworkId(), Service.Vpn)) { + throw new InvalidParameterValueException("Vpn service is not supported in network id=" + ipAddr.getAssociatedWithNetworkId()); + } if (ipRange == null) { ipRange = _clientIpRange; diff --git a/server/src/com/cloud/offerings/NetworkOfferingVO.java b/server/src/com/cloud/offerings/NetworkOfferingVO.java index a7cdeb9628b..5b63993d5cb 100644 --- a/server/src/com/cloud/offerings/NetworkOfferingVO.java +++ b/server/src/com/cloud/offerings/NetworkOfferingVO.java @@ -293,7 +293,7 @@ public class NetworkOfferingVO implements NetworkOffering { this.dhcpService = dhcpService; } - public NetworkOfferingVO(String name, String displayText, TrafficType trafficType, boolean systemOnly, boolean specifyVlan, Integer rateMbps, Integer multicastRateMbps, Integer concurrentConnections, boolean isDefault, Availability availability, boolean lbService, boolean gatewayService, boolean dhcpService, boolean firewallService, boolean dnsService, boolean userDataService, boolean vpnService) { + public NetworkOfferingVO(String name, String displayText, TrafficType trafficType, boolean systemOnly, boolean specifyVlan, Integer rateMbps, Integer multicastRateMbps, Integer concurrentConnections, boolean isDefault, Availability availability, boolean dhcpService, boolean dnsService, boolean userDataService, boolean gatewayService, boolean firewallService, boolean lbService, boolean vpnService) { this.name = name; this.displayText = displayText; this.rateMbps = rateMbps; @@ -304,13 +304,13 @@ public class NetworkOfferingVO implements NetworkOffering { this.specifyVlan = specifyVlan; this.isDefault = isDefault; this.availability = availability; - this.gatewayService = gatewayService; - this.lbService = lbService; this.dnsService = dnsService; this.dhcpService = dhcpService; + this.userdataService = userDataService; + this.gatewayService = gatewayService; this.firewallService = firewallService; - this.vpnService = vpnService; - this.userdataService = userDataService; + this.lbService = lbService; + this.vpnService = vpnService; } public NetworkOfferingVO(ServiceOfferingVO offering) { diff --git a/server/src/com/cloud/server/ConfigurationServerImpl.java b/server/src/com/cloud/server/ConfigurationServerImpl.java index d871fdf2b82..4f826c572db 100644 --- a/server/src/com/cloud/server/ConfigurationServerImpl.java +++ b/server/src/com/cloud/server/ConfigurationServerImpl.java @@ -729,12 +729,34 @@ public class ConfigurationServerImpl implements ConfigurationServer { controlNetworkOffering = _networkOfferingDao.persistDefaultNetworkOffering(controlNetworkOffering); NetworkOfferingVO storageNetworkOffering = new NetworkOfferingVO(NetworkOfferingVO.SystemStorageNetwork, TrafficType.Storage); storageNetworkOffering = _networkOfferingDao.persistDefaultNetworkOffering(storageNetworkOffering); - NetworkOfferingVO guestNetworkOffering = new NetworkOfferingVO(NetworkOfferingVO.SystemGuestNetwork, TrafficType.Guest); + NetworkOfferingVO guestNetworkOffering = new NetworkOfferingVO( + NetworkOffering.SystemGuestNetwork, + "System-Guest-Network", + TrafficType.Guest, + true, false, null, null, null, true, + Availability.Required, + true, true, true, //services - all true except for firewall/lb/vpn and gateway + false, false, false, false); + guestNetworkOffering = _networkOfferingDao.persistDefaultNetworkOffering(guestNetworkOffering); - NetworkOfferingVO defaultGuestNetworkOffering = new NetworkOfferingVO(NetworkOffering.DefaultVirtualizedNetworkOffering, "Virtual Vlan", TrafficType.Guest, false, false, null, null, null, true, Availability.Required, false, false, false, false, false, false, false); + NetworkOfferingVO defaultGuestNetworkOffering = new NetworkOfferingVO( + NetworkOffering.DefaultVirtualizedNetworkOffering, + "Virtual Vlan", + TrafficType.Guest, + false, false, null, null, null, true, + Availability.Required, + true, true, true, //services + true, true, true, true); defaultGuestNetworkOffering = _networkOfferingDao.persistDefaultNetworkOffering(defaultGuestNetworkOffering); - NetworkOfferingVO defaultGuestDirectNetworkOffering = new NetworkOfferingVO(NetworkOffering.DefaultDirectNetworkOffering, "Direct", TrafficType.Public, false, false, null, null, null, true, Availability.Required, false, false, false, false, false, false, false); + NetworkOfferingVO defaultGuestDirectNetworkOffering = new NetworkOfferingVO( + NetworkOffering.DefaultDirectNetworkOffering, + "Direct", + TrafficType.Public, + false, false, null, null, null, true, + Availability.Required, + true, true, true, //services - all true except for firewall/lb/vpn and gateway + false, false, false, false); defaultGuestNetworkOffering = _networkOfferingDao.persistDefaultNetworkOffering(defaultGuestDirectNetworkOffering); } diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java index 73b52729296..f018992cd23 100755 --- a/server/src/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/com/cloud/vm/UserVmManagerImpl.java @@ -950,19 +950,19 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager //if account is removed, return error if(accountHandle!=null && accountHandle.getRemoved() != null) { - throw new ServerApiException(BaseCmd.ACCOUNT_ERROR, "The account " + accountHandle.getId()+" is removed"); + throw new InvalidParameterValueException("The account " + accountHandle.getId()+" is removed"); } // Verify input parameters UserVmVO vm = _vmDao.findById(vmId.longValue()); if (vm == null) { - throw new ServerApiException(BaseCmd.PARAM_ERROR, "unable to find a virtual machine with id " + vmId); + throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId); } if ((accountHandle != null) && !_domainDao.isChildDomain(accountHandle.getDomainId(), vm.getDomainId())) { // the domain in which the VM lives is not in the admin's domain tree - throw new ServerApiException(BaseCmd.PARAM_ERROR, "Unable to recover virtual machine with id " + vmId + ", invalid id given."); + throw new InvalidParameterValueException("Unable to recover virtual machine with id " + vmId + ", invalid id given."); } if (vm.getRemoved() != null) {