apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-11-03 04:12:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

CLOUDSTACK-763: Upgrade networkAcls from firewall_rules to network_acl_item table

Browse Source
This commit is contained in:
Kishan Kavala 2013-05-03 18:06:57 +05:30
parent b30a01a705
commit a1023e4d04
1 changed files with 153 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

153
engine/schema/src/com/cloud/upgrade/dao/Upgrade410to420.java
View File

@ -19,11 +19,14 @@ package com.cloud.upgrade.dao;
import java.io.File;
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Types;
import java.util.UUID;
import com.cloud.network.vpc.NetworkACL;
import org.apache.log4j.Logger;
import com.cloud.utils.exception.CloudRuntimeException;
@ -69,6 +72,7 @@ public class Upgrade410to420 implements DbUpgrade {
upgradeEIPNetworkOfferings(conn);
upgradeDefaultVpcOffering(conn);
upgradePhysicalNtwksWithInternalLbProvider(conn);
updateNetworkACLs(conn);
}
private void updateSystemVmTemplates(Connection conn) {
@ -309,6 +313,7 @@ public class Upgrade410to420 implements DbUpgrade {
}
}
}
private void addEgressFwRulesForSRXGuestNw(Connection conn) {
PreparedStatement pstmt = null;
ResultSet rs = null;
@ -390,11 +395,159 @@ public class Upgrade410to420 implements DbUpgrade {
}
} catch (SQLException e) {
throw new CloudRuntimeException("Unable to set elastic_ip_service for network offerings with EIP service enabled.", e);
}
}
private void updateNetworkACLs(Connection conn) {
//Fetch all VPC Tiers
//For each tier create a network ACL and move all the acl_items to network_acl_item table
// If there are no acl_items for a tier, associate it with default ACL
s_logger.debug("Updating network ACLs");
PreparedStatement pstmt = null;
PreparedStatement pstmtDelete = null;
ResultSet rs = null;
ResultSet rsAcls = null;
ResultSet rsCidr = null;
//1,2 are default acl Ids, start Ids from 3
long nextAclId = 3;
try {
pstmt = conn.prepareStatement("SELECT id, vpc_id, uuid FROM `cloud`.`networks` where vpc_id is not null and removed is null");
rs = pstmt.executeQuery();
while (rs.next()) {
Long networkId = rs.getLong(1);
s_logger.debug("Updating network ACLs for network: "+networkId);
Long vpcId = rs.getLong(2);
String tierUuid = rs.getString(3);
pstmt = conn.prepareStatement("SELECT id, uuid, start_port, end_port, state, protocol, icmp_code, icmp_type, created, traffic_type FROM `cloud`.`firewall_rules` where network_id = ? and purpose = 'NetworkACL'");
pstmt.setLong(1, networkId);
rsAcls = pstmt.executeQuery();
boolean hasAcls = false;
Long aclId = null;
int number = 1;
while(rsAcls.next()){
if(!hasAcls){
hasAcls = true;
aclId = nextAclId++;
//create ACL
s_logger.debug("Creating network ACL for tier: "+tierUuid);
pstmt = conn.prepareStatement("INSERT INTO `cloud`.`network_acl` (id, uuid, vpc_id, description, name) values (?, UUID(), ? , ?, ?)");
pstmt.setLong(1, aclId);
pstmt.setLong(2, vpcId);
pstmt.setString(3, "ACL for tier " + tierUuid);
pstmt.setString(4, "tier_" + tierUuid);
pstmt.executeUpdate();
}
Long fwRuleId = rsAcls.getLong(1);
String cidr = null;
//get cidr
pstmt = conn.prepareStatement("SELECT id, source_cidr FROM `cloud`.`firewall_rules_cidrs` where firewall_rule_id = ?");
pstmt.setLong(1, fwRuleId);
rsCidr = pstmt.executeQuery();
while(rsCidr.next()){
Long cidrId = rsCidr.getLong(1);
String sourceCidr = rsCidr.getString(2);
if(cidr == null){
cidr = sourceCidr;
} else {
cidr += ","+sourceCidr;
}
//Delete cidr entry
pstmtDelete = conn.prepareStatement("DELETE FROM `cloud`.`firewall_rules_cidrs` where id = ?");
pstmtDelete.setLong(1, cidrId);
pstmtDelete.executeUpdate();
}
String aclItemUuid = rsAcls.getString(2);
//Move acl to network_acl_item table
s_logger.debug("Moving firewall rule: "+aclItemUuid);
pstmt = conn.prepareStatement("INSERT INTO `cloud`.`network_acl_item` (uuid, acl_id, start_port, end_port, state, protocol, icmp_code, icmp_type, created, traffic_type, cidr, number, action) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )");
//uuid
pstmt.setString(1, aclItemUuid);
//aclId
pstmt.setLong(2, aclId);
//Start port
Integer startPort = rsAcls.getInt(3);
if(rsAcls.wasNull()){
pstmt.setNull(3, Types.INTEGER);
} else {
pstmt.setLong(3, startPort);
}
//End port
Integer endPort = rsAcls.getInt(4);
if(rsAcls.wasNull()){
pstmt.setNull(4, Types.INTEGER);
} else {
pstmt.setLong(4, endPort);
}
//State
String state = rsAcls.getString(5);
pstmt.setString(5, state);
//protocol
String protocol = rsAcls.getString(6);
pstmt.setString(6, protocol);
//icmp_code
Integer icmpCode = rsAcls.getInt(7);
if(rsAcls.wasNull()){
pstmt.setNull(7, Types.INTEGER);
} else {
pstmt.setLong(7, icmpCode);
}
//icmp_type
Integer icmpType = rsAcls.getInt(8);
if(rsAcls.wasNull()){
pstmt.setNull(8, Types.INTEGER);
} else {
pstmt.setLong(8, icmpType);
}
//created
Date created = rsAcls.getDate(9);
pstmt.setDate(9, created);
//traffic type
String trafficType = rsAcls.getString(10);
pstmt.setString(10, trafficType);
//cidr
pstmt.setString(11, cidr);
//number
pstmt.setInt(12, number++);
//action
pstmt.setString(13, "Allow");
pstmt.executeUpdate();
//Delete firewall rule
pstmtDelete = conn.prepareStatement("DELETE FROM `cloud`.`firewall_rules` where id = ?");
pstmtDelete.setLong(1, fwRuleId);
pstmtDelete.executeUpdate();
}
if(!hasAcls){
//no network ACls for this network.
// Assign default Deny ACL
aclId = NetworkACL.DEFAULT_DENY;
}
//Assign acl to network
pstmt = conn.prepareStatement("UPDATE `cloud`.`networks` set network_acl_id=? where id=?");
pstmt.setLong(1, aclId);
pstmt.setLong(2, networkId);
pstmt.executeUpdate();
}
s_logger.debug("Done updating network ACLs ");
} catch (SQLException e) {
throw new CloudRuntimeException("Unable to move network acls from firewall rules table to network_acl_item table", e);
} finally {
try {
if (rs != null) {
rs.close();
}
if (rsAcls != null) {
rsAcls.close();
}
if (rsCidr != null) {
rsCidr.close();
}
if (pstmt != null) {
pstmt.close();
}