From ebf8a7fd1e56c7ffe8c9942a4d70327a6e317d0d Mon Sep 17 00:00:00 2001
From: Kishan Kavala <kishan@cloud.com>
Date: Tue, 16 Apr 2013 16:48:56 +0530
Subject: [PATCH] CLOUDSTACK-763: Added APIs to create, delete and list
 NetworkACLlist.

---
 api/src/com/cloud/event/EventTypes.java       |   5 +
 .../network/firewall/NetworkACLService.java   |  16 ++-
 api/src/com/cloud/network/vpc/NetworkACL.java |  32 +++++
 .../cloudstack/api/ResponseGenerator.java     | 102 +++------------
 .../user/network/CreateNetworkACLCmd.java     |   6 +-
 .../user/network/CreateNetworkACLListCmd.java | 117 ++++++++++++++++++
 .../user/network/DeleteNetworkACLCmd.java     |   2 +-
 .../user/network/DeleteNetworkACLListCmd.java | 102 +++++++++++++++
 .../user/network/ListNetworkACLListsCmd.java  |  84 +++++++++++++
 .../user/network/ListNetworkACLsCmd.java      |   4 +-
 .../api/response/NetworkACLListResponse.java  |  57 +++++++++
 client/tomcatconf/applicationContext.xml.in   |   1 +
 client/tomcatconf/commands.properties.in      |   4 +
 .../src/com/cloud/api/ApiResponseHelper.java  |  27 ++--
 .../cloud/network/vpc/NetworkACLManager.java  |   1 +
 .../network/vpc/NetworkACLManagerImpl.java    |  41 +++++-
 .../com/cloud/network/vpc/NetworkACLVO.java   |  78 ++++++++++++
 .../cloud/network/vpc/dao/NetworkACLDao.java  |  23 ++++
 .../network/vpc/dao/NetworkACLDaoImpl.java    |  35 ++++++
 .../cloud/server/ManagementServerImpl.java    |   3 +
 setup/db/create-schema.sql                    |  35 ++++++
 21 files changed, 666 insertions(+), 109 deletions(-)
 create mode 100644 api/src/com/cloud/network/vpc/NetworkACL.java
 create mode 100644 api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLListCmd.java
 create mode 100644 api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLListCmd.java
 create mode 100644 api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
 create mode 100644 api/src/org/apache/cloudstack/api/response/NetworkACLListResponse.java
 create mode 100644 server/src/com/cloud/network/vpc/NetworkACLVO.java
 create mode 100644 server/src/com/cloud/network/vpc/dao/NetworkACLDao.java
 create mode 100644 server/src/com/cloud/network/vpc/dao/NetworkACLDaoImpl.java

diff --git a/api/src/com/cloud/event/EventTypes.java b/api/src/com/cloud/event/EventTypes.java
index 45a904e426c..0125f3641c6 100755
--- a/api/src/com/cloud/event/EventTypes.java
+++ b/api/src/com/cloud/event/EventTypes.java
@@ -344,6 +344,11 @@ public class EventTypes {
     public static final String EVENT_VPC_DELETE = "VPC.DELETE";
     public static final String EVENT_VPC_RESTART = "VPC.RESTART";
 
+    // Network ACL
+    public static final String EVENT_NETWORK_ACL_CREATE = "NETWORK.ACL.CREATE";
+    public static final String EVENT_NETWORK_ACL_UPDATE = "NETWORK.ACL.UPDATE";
+    public static final String EVENT_NETWORK_ACL_DELETE = "NETWORK.ACL.DELETE";
+
     // VPC offerings
     public static final String EVENT_VPC_OFFERING_CREATE = "VPC.OFFERING.CREATE";
     public static final String EVENT_VPC_OFFERING_UPDATE = "VPC.OFFERING.UPDATE";
diff --git a/api/src/com/cloud/network/firewall/NetworkACLService.java b/api/src/com/cloud/network/firewall/NetworkACLService.java
index 97de496f64f..8621e48d70a 100644
--- a/api/src/com/cloud/network/firewall/NetworkACLService.java
+++ b/api/src/com/cloud/network/firewall/NetworkACLService.java
@@ -19,6 +19,9 @@ package com.cloud.network.firewall;
 
 import java.util.List;
 
+import com.cloud.network.vpc.NetworkACL;
+import org.apache.cloudstack.api.command.user.network.CreateNetworkACLListCmd;
+import org.apache.cloudstack.api.command.user.network.ListNetworkACLListsCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
 
 import com.cloud.exception.NetworkRuleConflictException;
@@ -28,14 +31,14 @@ import com.cloud.user.Account;
 import com.cloud.utils.Pair;
 
 public interface NetworkACLService {
-    FirewallRule getNetworkACL(long ruleId);
+    FirewallRule getNetworkACLItem(long ruleId);
     boolean applyNetworkACLs(long networkId, Account caller) throws ResourceUnavailableException;
 
     /**
      * @param createNetworkACLCmd
      * @return
      */
-    FirewallRule createNetworkACL(FirewallRule acl) throws NetworkRuleConflictException;
+    FirewallRule createNetworkACLItem(FirewallRule acl) throws NetworkRuleConflictException;
     /**
      * @param ruleId
      * @param apply
@@ -46,6 +49,13 @@ public interface NetworkACLService {
      * @param listNetworkACLsCmd
      * @return
      */
-    Pair<List<? extends FirewallRule>, Integer> listNetworkACLs(ListNetworkACLsCmd cmd);
+    Pair<List<? extends FirewallRule>, Integer> listNetworkACLItems(ListNetworkACLsCmd cmd);
 
+    NetworkACL createNetworkACL(CreateNetworkACLListCmd cmd);
+
+    NetworkACL getNetworkACL(long id);
+
+    boolean deleteNetworkACL(long id);
+
+    Pair<List<? extends NetworkACL>,Integer> listNetworkACLs(ListNetworkACLListsCmd listNetworkACLListsCmd);
 }
diff --git a/api/src/com/cloud/network/vpc/NetworkACL.java b/api/src/com/cloud/network/vpc/NetworkACL.java
new file mode 100644
index 00000000000..8839ffd2b7c
--- /dev/null
+++ b/api/src/com/cloud/network/vpc/NetworkACL.java
@@ -0,0 +1,32 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package com.cloud.network.vpc;
+
+import org.apache.cloudstack.api.InternalIdentity;
+
+public interface NetworkACL extends InternalIdentity{
+    String getDescription();
+
+    String getUuid();
+
+    Long getVpcId();
+
+    long getId();
+
+    String getName();
+}
diff --git a/api/src/org/apache/cloudstack/api/ResponseGenerator.java b/api/src/org/apache/cloudstack/api/ResponseGenerator.java
index ab8f99583a8..f765dcb37fc 100644
--- a/api/src/org/apache/cloudstack/api/ResponseGenerator.java
+++ b/api/src/org/apache/cloudstack/api/ResponseGenerator.java
@@ -21,94 +21,18 @@ import java.util.EnumSet;
 import java.util.List;
 import java.util.Map;
 
+import com.cloud.vm.NicSecondaryIp;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
+import com.cloud.network.vpc.NetworkACL;
+import com.cloud.network.vpc.PrivateGateway;
+import com.cloud.network.vpc.StaticRoute;
+import com.cloud.network.vpc.Vpc;
+import com.cloud.network.vpc.VpcOffering;
 import org.apache.cloudstack.api.ApiConstants.HostDetails;
 import org.apache.cloudstack.api.ApiConstants.VMDetails;
 import org.apache.cloudstack.api.command.user.job.QueryAsyncJobResultCmd;
-import org.apache.cloudstack.api.response.AccountResponse;
-import org.apache.cloudstack.api.response.ApplicationLoadBalancerResponse;
-import org.apache.cloudstack.api.response.AsyncJobResponse;
-import org.apache.cloudstack.api.response.AutoScalePolicyResponse;
-import org.apache.cloudstack.api.response.AutoScaleVmGroupResponse;
-import org.apache.cloudstack.api.response.AutoScaleVmProfileResponse;
-import org.apache.cloudstack.api.response.CapacityResponse;
-import org.apache.cloudstack.api.response.ClusterResponse;
-import org.apache.cloudstack.api.response.ConditionResponse;
-import org.apache.cloudstack.api.response.ConfigurationResponse;
-import org.apache.cloudstack.api.response.CounterResponse;
-import org.apache.cloudstack.api.response.CreateCmdResponse;
-import org.apache.cloudstack.api.response.DiskOfferingResponse;
-import org.apache.cloudstack.api.response.DomainResponse;
-import org.apache.cloudstack.api.response.DomainRouterResponse;
-import org.apache.cloudstack.api.response.EventResponse;
-import org.apache.cloudstack.api.response.ExtractResponse;
-import org.apache.cloudstack.api.response.FirewallResponse;
-import org.apache.cloudstack.api.response.FirewallRuleResponse;
-import org.apache.cloudstack.api.response.GlobalLoadBalancerResponse;
-import org.apache.cloudstack.api.response.GuestOSResponse;
-import org.apache.cloudstack.api.response.GuestVlanRangeResponse;
-import org.apache.cloudstack.api.response.HostForMigrationResponse;
-import org.apache.cloudstack.api.response.HostResponse;
-import org.apache.cloudstack.api.response.HypervisorCapabilitiesResponse;
-import org.apache.cloudstack.api.response.IPAddressResponse;
-import org.apache.cloudstack.api.response.InstanceGroupResponse;
-import org.apache.cloudstack.api.response.InternalLoadBalancerElementResponse;
-import org.apache.cloudstack.api.response.IpForwardingRuleResponse;
-import org.apache.cloudstack.api.response.IsolationMethodResponse;
-import org.apache.cloudstack.api.response.LBHealthCheckResponse;
-import org.apache.cloudstack.api.response.LBStickinessResponse;
-import org.apache.cloudstack.api.response.LDAPConfigResponse;
-import org.apache.cloudstack.api.response.LoadBalancerResponse;
-import org.apache.cloudstack.api.response.NetworkACLResponse;
-import org.apache.cloudstack.api.response.NetworkOfferingResponse;
-import org.apache.cloudstack.api.response.NetworkResponse;
-import org.apache.cloudstack.api.response.NicResponse;
-import org.apache.cloudstack.api.response.NicSecondaryIpResponse;
-import org.apache.cloudstack.api.response.PhysicalNetworkResponse;
-import org.apache.cloudstack.api.response.PodResponse;
-import org.apache.cloudstack.api.response.PrivateGatewayResponse;
-import org.apache.cloudstack.api.response.ProjectAccountResponse;
-import org.apache.cloudstack.api.response.ProjectInvitationResponse;
-import org.apache.cloudstack.api.response.ProjectResponse;
-import org.apache.cloudstack.api.response.ProviderResponse;
-import org.apache.cloudstack.api.response.RegionResponse;
-import org.apache.cloudstack.api.response.RemoteAccessVpnResponse;
-import org.apache.cloudstack.api.response.ResourceCountResponse;
-import org.apache.cloudstack.api.response.ResourceLimitResponse;
-import org.apache.cloudstack.api.response.ResourceTagResponse;
-import org.apache.cloudstack.api.response.S3Response;
-import org.apache.cloudstack.api.response.SecurityGroupResponse;
-import org.apache.cloudstack.api.response.ServiceOfferingResponse;
-import org.apache.cloudstack.api.response.ServiceResponse;
-import org.apache.cloudstack.api.response.Site2SiteCustomerGatewayResponse;
-import org.apache.cloudstack.api.response.Site2SiteVpnConnectionResponse;
-import org.apache.cloudstack.api.response.Site2SiteVpnGatewayResponse;
-import org.apache.cloudstack.api.response.SnapshotPolicyResponse;
-import org.apache.cloudstack.api.response.SnapshotResponse;
-import org.apache.cloudstack.api.response.SnapshotScheduleResponse;
-import org.apache.cloudstack.api.response.StaticRouteResponse;
-import org.apache.cloudstack.api.response.StorageNetworkIpRangeResponse;
-import org.apache.cloudstack.api.response.StoragePoolForMigrationResponse;
-import org.apache.cloudstack.api.response.StoragePoolResponse;
-import org.apache.cloudstack.api.response.SwiftResponse;
-import org.apache.cloudstack.api.response.SystemVmInstanceResponse;
-import org.apache.cloudstack.api.response.SystemVmResponse;
-import org.apache.cloudstack.api.response.TemplatePermissionsResponse;
-import org.apache.cloudstack.api.response.TemplateResponse;
-import org.apache.cloudstack.api.response.TrafficMonitorResponse;
-import org.apache.cloudstack.api.response.TrafficTypeResponse;
-import org.apache.cloudstack.api.response.UsageRecordResponse;
-import org.apache.cloudstack.api.response.UserResponse;
-import org.apache.cloudstack.api.response.UserVmResponse;
-import org.apache.cloudstack.api.response.VMSnapshotResponse;
-import org.apache.cloudstack.api.response.VirtualRouterProviderResponse;
-import org.apache.cloudstack.api.response.VlanIpRangeResponse;
-import org.apache.cloudstack.api.response.VolumeResponse;
-import org.apache.cloudstack.api.response.VpcOfferingResponse;
-import org.apache.cloudstack.api.response.VpcResponse;
-import org.apache.cloudstack.api.response.VpnUsersResponse;
-import org.apache.cloudstack.api.response.ZoneResponse;
+import org.apache.cloudstack.api.response.*;
 import org.apache.cloudstack.network.lb.ApplicationLoadBalancerRule;
 import org.apache.cloudstack.region.Region;
 import org.apache.cloudstack.usage.Usage;
@@ -154,10 +78,6 @@ import com.cloud.network.rules.StaticNatRule;
 import com.cloud.network.rules.StickinessPolicy;
 import com.cloud.network.security.SecurityGroup;
 import com.cloud.network.security.SecurityRule;
-import com.cloud.network.vpc.PrivateGateway;
-import com.cloud.network.vpc.StaticRoute;
-import com.cloud.network.vpc.Vpc;
-import com.cloud.network.vpc.VpcOffering;
 import com.cloud.offering.DiskOffering;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offering.ServiceOffering;
@@ -381,11 +301,17 @@ public interface ResponseGenerator {
      */
     VpcResponse createVpcResponse(Vpc vpc);
 
+    /**
+     * @param networkACLItem
+     * @return
+     */
+    NetworkACLResponse createNetworkACLItemResponse(FirewallRule networkACLItem);
+
     /**
      * @param networkACL
      * @return
      */
-    NetworkACLResponse createNetworkACLResponse(FirewallRule networkACL);
+    NetworkACLListResponse createNetworkACLResponse(NetworkACL networkACL);
 
     /**
      * @param result
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
index 2e307018eed..ae1ea90545f 100644
--- a/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java
@@ -149,7 +149,7 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
     public void execute() throws ResourceUnavailableException {
         UserContext callerContext = UserContext.current();
         boolean success = false;
-        FirewallRule rule = _networkACLService.getNetworkACL(getEntityId());
+        FirewallRule rule = _networkACLService.getNetworkACLItem(getEntityId());
         try {
             UserContext.current().setEventDetails("Rule Id: " + getEntityId());
             success = _networkACLService.applyNetworkACLs(rule.getNetworkId(), callerContext.getCaller());
@@ -157,7 +157,7 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
             // State is different after the rule is applied, so get new object here
             NetworkACLResponse aclResponse = new NetworkACLResponse();
             if (rule != null) {
-                aclResponse = _responseGenerator.createNetworkACLResponse(rule);
+                aclResponse = _responseGenerator.createNetworkACLItemResponse(rule);
                 setResponseObject(aclResponse);
             }
             aclResponse.setResponseName(getCommandName());
@@ -256,7 +256,7 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd implements FirewallR
         }
 
         try {
-            FirewallRule result = _networkACLService.createNetworkACL(this);
+            FirewallRule result = _networkACLService.createNetworkACLItem(this);
             setEntityId(result.getId());
             setEntityUuid(result.getUuid());
         } catch (NetworkRuleConflictException ex) {
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLListCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLListCmd.java
new file mode 100644
index 00000000000..9c714971203
--- /dev/null
+++ b/api/src/org/apache/cloudstack/api/command/user/network/CreateNetworkACLListCmd.java
@@ -0,0 +1,117 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.user.network;
+
+import com.cloud.event.EventTypes;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.vpc.NetworkACL;
+import com.cloud.network.vpc.Vpc;
+import com.cloud.user.Account;
+import com.cloud.user.UserContext;
+import org.apache.cloudstack.api.*;
+import org.apache.cloudstack.api.response.NetworkACLListResponse;
+import org.apache.cloudstack.api.response.VpcResponse;
+import org.apache.log4j.Logger;
+
+@APICommand(name = "createNetworkACLList", description = "Creates a Network ACL for the given VPC",
+responseObject = NetworkACLListResponse.class)
+public class CreateNetworkACLListCmd extends BaseAsyncCreateCmd {
+    public static final Logger s_logger = Logger.getLogger(CreateNetworkACLListCmd.class.getName());
+
+    private static final String s_name = "createnetworkacllistresponse";
+
+    // ///////////////////////////////////////////////////
+    // ////////////// API parameters /////////////////////
+    // ///////////////////////////////////////////////////
+
+    @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "Name of the network ACL List")
+    private String name;
+
+    @Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "Description of the network ACL List")
+    private String description;
+
+    @Parameter(name = ApiConstants.VPC_ID, type = CommandType.UUID, required = true, entityType = VpcResponse.class, description = "Id of the VPC associated with this network ACL List")
+    private Long vpcId;
+
+    // ///////////////////////////////////////////////////
+    // ///////////////// Accessors ///////////////////////
+    // ///////////////////////////////////////////////////
+
+    public String getName() {
+        return name;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public Long getVpcId() {
+        return vpcId;
+    }
+
+    // ///////////////////////////////////////////////////
+    // ///////////// API Implementation///////////////////
+    // ///////////////////////////////////////////////////
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public void create() {
+        NetworkACL result = _networkACLService.createNetworkACL(this);
+        setEntityId(result.getId());
+        setEntityUuid(result.getUuid());
+    }
+
+    @Override
+    public void execute() throws ResourceUnavailableException {
+        UserContext callerContext = UserContext.current();
+        boolean success = false;
+        NetworkACL acl = _networkACLService.getNetworkACL(getEntityId());
+        if(acl != null){
+            NetworkACLListResponse aclResponse = _responseGenerator.createNetworkACLResponse(acl);
+            setResponseObject(aclResponse);
+            aclResponse.setResponseName(getCommandName());
+        } else {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create network ACL");
+        }
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        Vpc vpc = _vpcService.getVpc(getVpcId());
+        if (vpc == null) {
+            throw new InvalidParameterValueException("Invalid vpcId is given");
+        }
+
+        Account account = _accountService.getAccount(vpc.getAccountId());
+        return account.getId();
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_NETWORK_ACL_CREATE;
+    }
+
+    @Override
+    public String getEventDescription() {
+        return "Creating Network ACL with id: "+getEntityUuid();
+    }
+}
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLCmd.java
index 2a2444b3e1b..272a12926d4 100644
--- a/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLCmd.java
@@ -80,7 +80,7 @@ public class DeleteNetworkACLCmd extends BaseAsyncCmd {
     @Override
     public long getEntityOwnerId() {
         if (ownerId == null) {
-            FirewallRule rule = _networkACLService.getNetworkACL(id);
+            FirewallRule rule = _networkACLService.getNetworkACLItem(id);
             if (rule == null) {
                 throw new InvalidParameterValueException("Unable to find network ACL by id=" + id);
             } else {
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLListCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLListCmd.java
new file mode 100644
index 00000000000..f5024759e2e
--- /dev/null
+++ b/api/src/org/apache/cloudstack/api/command/user/network/DeleteNetworkACLListCmd.java
@@ -0,0 +1,102 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.user.network;
+
+import com.cloud.async.AsyncJob;
+import com.cloud.event.EventTypes;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.vpc.NetworkACL;
+import com.cloud.network.vpc.Vpc;
+import com.cloud.user.UserContext;
+import org.apache.cloudstack.api.*;
+import org.apache.cloudstack.api.response.AccountResponse;
+import org.apache.cloudstack.api.response.FirewallRuleResponse;
+import org.apache.cloudstack.api.response.NetworkACLListResponse;
+import org.apache.cloudstack.api.response.SuccessResponse;
+import org.apache.log4j.Logger;
+
+@APICommand(name = "deleteNetworkACLList", description="Deletes a Network ACL", responseObject=SuccessResponse.class)
+public class DeleteNetworkACLListCmd extends BaseAsyncCmd {
+    public static final Logger s_logger = Logger.getLogger(DeleteNetworkACLListCmd.class.getName());
+    private static final String s_name = "deletenetworkacllistresponse";
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = NetworkACLListResponse.class,
+            required=true, description="the ID of the network ACL")
+    private Long id;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getId() {
+        return id;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_NETWORK_ACL_DELETE;
+    }
+
+    @Override
+    public String getEventDescription() {
+        return  ("Deleting Network ACL id=" + id);
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        NetworkACL acl = _networkACLService.getNetworkACL(id);
+        if (acl == null) {
+            throw new InvalidParameterValueException("Unable to find network ACL by id=" + id);
+        } else {
+            long vpcId = acl.getVpcId();
+            Vpc vpc = _vpcService.getVpc(vpcId);
+            if(vpc != null){
+                return vpc.getAccountId();
+            } else {
+                throw new InvalidParameterValueException("Unable to find VPC associated with network ACL by id=" + id);
+            }
+        }
+    }
+
+    @Override
+    public void execute() throws ResourceUnavailableException {
+        UserContext.current().setEventDetails("Network ACL Id: " + id);
+        boolean result = _networkACLService.deleteNetworkACL(id);
+
+        if (result) {
+            SuccessResponse response = new SuccessResponse(getCommandName());
+            this.setResponseObject(response);
+        } else {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete network ACL");
+        }
+    }
+}
+
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
new file mode 100644
index 00000000000..b043eed6ab4
--- /dev/null
+++ b/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
@@ -0,0 +1,84 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.user.network;
+
+import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.vpc.NetworkACL;
+import com.cloud.utils.Pair;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseListTaggedResourcesCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.*;
+import org.apache.log4j.Logger;
+
+import java.util.ArrayList;
+import java.util.List;
+
+@APICommand(name = "listNetworkACLLists", description="Lists all network ACLs", responseObject=NetworkACLListResponse.class)
+public class ListNetworkACLListsCmd extends BaseListTaggedResourcesCmd {
+    public static final Logger s_logger = Logger.getLogger(ListNetworkACLListsCmd.class.getName());
+
+    private static final String s_name = "listnetworkacllistsresponse";
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+    @Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = NetworkACLResponse.class,
+            description="Lists network ACL with the specified ID.")
+    private Long id;
+
+    @Parameter(name=ApiConstants.NETWORK_ID, type=CommandType.UUID, entityType = NetworkResponse.class,
+            description="list network ACLs by network Id")
+    private Long networkId;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getNetworkId() {
+        return networkId;
+    }
+
+    public Long getId() {
+        return id;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public void execute(){
+        Pair<List<? extends NetworkACL>,Integer> result = _networkACLService.listNetworkACLs(this);
+        ListResponse<NetworkACLListResponse> response = new ListResponse<NetworkACLListResponse>();
+        List<NetworkACLListResponse> aclResponses = new ArrayList<NetworkACLListResponse>();
+
+        for (NetworkACL acl : result.first()) {
+            NetworkACLListResponse aclResponse = _responseGenerator.createNetworkACLResponse(acl);
+            aclResponses.add(aclResponse);
+        }
+        response.setResponses(aclResponses, result.second());
+        response.setResponseName(getCommandName());
+        this.setResponseObject(response);
+    }
+}
diff --git a/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLsCmd.java b/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLsCmd.java
index d166974e7d1..93842d5c58b 100644
--- a/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLsCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLsCmd.java
@@ -79,12 +79,12 @@ public class ListNetworkACLsCmd extends BaseListTaggedResourcesCmd {
 
     @Override
     public void execute(){
-        Pair<List<? extends FirewallRule>,Integer> result = _networkACLService.listNetworkACLs(this);
+        Pair<List<? extends FirewallRule>,Integer> result = _networkACLService.listNetworkACLItems(this);
         ListResponse<NetworkACLResponse> response = new ListResponse<NetworkACLResponse>();
         List<NetworkACLResponse> aclResponses = new ArrayList<NetworkACLResponse>();
 
         for (FirewallRule acl : result.first()) {
-            NetworkACLResponse ruleData = _responseGenerator.createNetworkACLResponse(acl);
+            NetworkACLResponse ruleData = _responseGenerator.createNetworkACLItemResponse(acl);
             aclResponses.add(ruleData);
         }
         response.setResponses(aclResponses, result.second());
diff --git a/api/src/org/apache/cloudstack/api/response/NetworkACLListResponse.java b/api/src/org/apache/cloudstack/api/response/NetworkACLListResponse.java
new file mode 100644
index 00000000000..34878510a94
--- /dev/null
+++ b/api/src/org/apache/cloudstack/api/response/NetworkACLListResponse.java
@@ -0,0 +1,57 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.response;
+
+import com.cloud.network.vpc.NetworkACL;
+import com.cloud.serializer.Param;
+import com.google.gson.annotations.SerializedName;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseResponse;
+import org.apache.cloudstack.api.EntityReference;
+
+import java.util.List;
+
+@EntityReference(value = NetworkACL.class)
+public class NetworkACLListResponse extends BaseResponse {
+    @SerializedName(ApiConstants.ID) @Param(description="the ID of the ACL")
+    private String id;
+
+    @SerializedName(ApiConstants.NAME) @Param(description="the Name of the ACL")
+    private String name;
+
+    @SerializedName(ApiConstants.DESCRIPTION) @Param(description="Description of the ACL")
+    private String description;
+
+    @SerializedName(ApiConstants.VPC_ID) @Param(description="Id of the VPC this ACL is associated with")
+    private String vpcId;
+
+    public void setId(String id) {
+        this.id = id;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    public void setVpcId(String vpcId) {
+        this.vpcId = vpcId;
+    }
+}
diff --git a/client/tomcatconf/applicationContext.xml.in b/client/tomcatconf/applicationContext.xml.in
index 67c8ccf9355..60509920492 100644
--- a/client/tomcatconf/applicationContext.xml.in
+++ b/client/tomcatconf/applicationContext.xml.in
@@ -246,6 +246,7 @@
   <bean id="mockVMDaoImpl" class="com.cloud.simulator.dao.MockVMDaoImpl" />
   <bean id="mockVolumeDaoImpl" class="com.cloud.simulator.dao.MockVolumeDaoImpl" />
   <bean id="networkAccountDaoImpl" class="com.cloud.network.dao.NetworkAccountDaoImpl" />
+  <bean id="networkACLDaoImpl" class="com.cloud.network.vpc.dao.NetworkACLDaoImpl" />
   <bean id="networkDaoImpl" class="com.cloud.network.dao.NetworkDaoImpl" />
   <bean id="networkDomainDaoImpl" class="com.cloud.network.dao.NetworkDomainDaoImpl" />
   <bean id="networkExternalFirewallDaoImpl" class="com.cloud.network.dao.NetworkExternalFirewallDaoImpl" />
diff --git a/client/tomcatconf/commands.properties.in b/client/tomcatconf/commands.properties.in
index 0a6ec708166..2078c8da72d 100644
--- a/client/tomcatconf/commands.properties.in
+++ b/client/tomcatconf/commands.properties.in
@@ -435,6 +435,10 @@ deletePrivateGateway=1
 createNetworkACL=15
 deleteNetworkACL=15
 listNetworkACLs=15
+createNetworkACLList=15
+deleteNetworkACLList=15
+listNetworkACLLists=15
+
 
 #### Static route commands
 createStaticRoute=15
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index d5960abba8b..494ca8e9df8 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -34,6 +34,11 @@ import java.util.TimeZone;
 
 import javax.inject.Inject;
 
+import com.cloud.network.vpc.NetworkACL;
+import com.cloud.network.vpc.PrivateGateway;
+import com.cloud.network.vpc.StaticRoute;
+import com.cloud.network.vpc.Vpc;
+import com.cloud.network.vpc.VpcOffering;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.affinity.AffinityGroup;
@@ -84,6 +89,7 @@ import org.apache.cloudstack.api.response.LBStickinessPolicyResponse;
 import org.apache.cloudstack.api.response.LBStickinessResponse;
 import org.apache.cloudstack.api.response.LDAPConfigResponse;
 import org.apache.cloudstack.api.response.LoadBalancerResponse;
+import org.apache.cloudstack.api.response.NetworkACLListResponse;
 import org.apache.cloudstack.api.response.NetworkACLResponse;
 import org.apache.cloudstack.api.response.NetworkOfferingResponse;
 import org.apache.cloudstack.api.response.NetworkResponse;
@@ -230,10 +236,6 @@ import com.cloud.network.security.SecurityGroup;
 import com.cloud.network.security.SecurityGroupVO;
 import com.cloud.network.security.SecurityRule;
 import com.cloud.network.security.SecurityRule.SecurityRuleType;
-import com.cloud.network.vpc.PrivateGateway;
-import com.cloud.network.vpc.StaticRoute;
-import com.cloud.network.vpc.Vpc;
-import com.cloud.network.vpc.VpcOffering;
 import com.cloud.offering.DiskOffering;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offering.NetworkOffering.Detail;
@@ -2547,7 +2549,7 @@ public class ApiResponseHelper implements ResponseGenerator {
     }
 
     @Override
-    public NetworkACLResponse createNetworkACLResponse(FirewallRule networkACL) {
+    public NetworkACLResponse createNetworkACLItemResponse(FirewallRule networkACL) {
         NetworkACLResponse response = new NetworkACLResponse();
 
         response.setId(networkACL.getUuid());
@@ -3808,7 +3810,6 @@ public class ApiResponseHelper implements ResponseGenerator {
         }
     }
 
-    
     @Override
     public InternalLoadBalancerElementResponse createInternalLbElementResponse(VirtualRouterProvider result) {
         if (result.getType() != VirtualRouterProvider.VirtualRouterProviderType.InternalLbVm) {
@@ -3826,7 +3827,6 @@ public class ApiResponseHelper implements ResponseGenerator {
         return response;
     }
 
-    
     @Override
     public IsolationMethodResponse createIsolationMethodResponse(IsolationType method) {
         IsolationMethodResponse response = new IsolationMethodResponse();
@@ -3834,4 +3834,17 @@ public class ApiResponseHelper implements ResponseGenerator {
         response.setObjectName("isolationmethod");
         return response;
     }
+
+    public NetworkACLListResponse createNetworkACLResponse(NetworkACL networkACL) {
+        NetworkACLListResponse response = new NetworkACLListResponse();
+        response.setId(networkACL.getUuid());
+        response.setName(networkACL.getName());
+        response.setDescription(networkACL.getDescription());
+        Vpc vpc = ApiDBUtils.findVpcById(networkACL.getVpcId());
+        if(vpc != null){
+            response.setVpcId(vpc.getUuid());
+        }
+        response.setObjectName("networkacllist");
+        return response;
+    }
 }
diff --git a/server/src/com/cloud/network/vpc/NetworkACLManager.java b/server/src/com/cloud/network/vpc/NetworkACLManager.java
index 91891c01cc8..515c2511773 100644
--- a/server/src/com/cloud/network/vpc/NetworkACLManager.java
+++ b/server/src/com/cloud/network/vpc/NetworkACLManager.java
@@ -22,6 +22,7 @@ import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.firewall.NetworkACLService;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.user.Account;
+import org.apache.cloudstack.api.command.user.network.CreateNetworkACLListCmd;
 
 
 public interface NetworkACLManager extends NetworkACLService{
diff --git a/server/src/com/cloud/network/vpc/NetworkACLManagerImpl.java b/server/src/com/cloud/network/vpc/NetworkACLManagerImpl.java
index cb4486696de..b00f8a15a31 100644
--- a/server/src/com/cloud/network/vpc/NetworkACLManagerImpl.java
+++ b/server/src/com/cloud/network/vpc/NetworkACLManagerImpl.java
@@ -24,6 +24,9 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import com.cloud.network.vpc.dao.NetworkACLDao;
+import org.apache.cloudstack.api.command.user.network.CreateNetworkACLListCmd;
+import org.apache.cloudstack.api.command.user.network.ListNetworkACLListsCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
 import org.apache.log4j.Logger;
 import org.springframework.stereotype.Component;
@@ -85,6 +88,8 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
     VpcManager _vpcMgr;
     @Inject
     ResourceTagDao _resourceTagDao;
+    @Inject
+    NetworkACLDao _networkACLDao;
 
     @Override
     public boolean applyNetworkACLs(long networkId, Account caller) throws ResourceUnavailableException {
@@ -93,7 +98,7 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
     }
 
     @Override
-    public FirewallRule createNetworkACL(FirewallRule acl) throws NetworkRuleConflictException {
+    public FirewallRule createNetworkACLItem(FirewallRule acl) throws NetworkRuleConflictException {
         if (acl.getSourceCidrList() == null && (acl.getPurpose() == Purpose.Firewall || acl.getPurpose() == Purpose.NetworkACL)) {
             _firewallDao.loadSourceCidrs((FirewallRuleVO)acl);
         }
@@ -174,7 +179,7 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
 
         txn.commit();
 
-        return getNetworkACL(newRule.getId());
+        return getNetworkACLItem(newRule.getId());
     }
     
     
@@ -320,7 +325,7 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
 
     
     @Override
-    public FirewallRule getNetworkACL(long ACLId) {
+    public FirewallRule getNetworkACLItem(long ACLId) {
         FirewallRule rule = _firewallDao.findById(ACLId);
         if (rule != null && rule.getPurpose() == Purpose.NetworkACL) {
             return rule;
@@ -330,7 +335,7 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
 
     
     @Override
-    public Pair<List<? extends FirewallRule>,Integer> listNetworkACLs(ListNetworkACLsCmd cmd) {
+    public Pair<List<? extends FirewallRule>,Integer> listNetworkACLItems(ListNetworkACLsCmd cmd) {
         Long networkId = cmd.getNetworkId();
         Long id = cmd.getId();
         String trafficType = cmd.getTrafficType();
@@ -438,5 +443,31 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
 
         return success;
     }
-    
+
+    @Override
+    public NetworkACL createNetworkACL(CreateNetworkACLListCmd cmd){
+        NetworkACLVO acl = new NetworkACLVO(cmd.getName(), cmd.getDescription(), cmd.getVpcId());
+        _networkACLDao.persist(acl);
+        return acl;
+    }
+
+    @Override
+    public NetworkACL getNetworkACL(long id) {
+        return _networkACLDao.findById(id);
+    }
+
+    @Override
+    public boolean deleteNetworkACL(long id) {
+        return _networkACLDao.remove(id);
+    }
+
+    @Override
+    public Pair<List<? extends NetworkACL>, Integer> listNetworkACLs(ListNetworkACLListsCmd listNetworkACLListsCmd) {
+        SearchBuilder<NetworkACLVO> sb = _networkACLDao.createSearchBuilder();
+        SearchCriteria<NetworkACLVO> sc = sb.create();
+        Filter filter = new Filter(NetworkACLVO.class, "id", false, null, null);
+        Pair<List<NetworkACLVO>, Integer> acls =  _networkACLDao.searchAndCount(sc, filter);
+        return new Pair<List<? extends NetworkACL>, Integer>(acls.first(), acls.second());
+    }
+
 }
diff --git a/server/src/com/cloud/network/vpc/NetworkACLVO.java b/server/src/com/cloud/network/vpc/NetworkACLVO.java
new file mode 100644
index 00000000000..29afc006f46
--- /dev/null
+++ b/server/src/com/cloud/network/vpc/NetworkACLVO.java
@@ -0,0 +1,78 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package com.cloud.network.vpc;
+
+import javax.persistence.*;
+import java.util.UUID;
+
+@Entity
+@Table(name="network_acl")
+public class NetworkACLVO implements NetworkACL{
+
+    @Id
+    @GeneratedValue(strategy= GenerationType.IDENTITY)
+    @Column(name="id")
+    private long id;
+
+    @Column(name="vpc_id")
+    Long vpcId;
+
+    @Column(name="uuid")
+    private String uuid;
+
+    @Column(name="name")
+    private String name;
+
+    @Column(name="description")
+    private String description;
+
+    protected NetworkACLVO(){
+    }
+
+    protected NetworkACLVO(String name, String description, long vpcId){
+        this.uuid = UUID.randomUUID().toString();
+        this.name = name;
+        this.description = description;
+        this.vpcId = vpcId;
+    }
+
+    @Override
+    public String getDescription() {
+        return description;
+    }
+
+    @Override
+    public String getUuid() {
+        return uuid;
+    }
+
+    @Override
+    public Long getVpcId() {
+        return vpcId;
+    }
+
+    @Override
+    public long getId() {
+        return id;
+    }
+
+    @Override
+    public String getName() {
+        return name;
+    }
+}
diff --git a/server/src/com/cloud/network/vpc/dao/NetworkACLDao.java b/server/src/com/cloud/network/vpc/dao/NetworkACLDao.java
new file mode 100644
index 00000000000..fb2b331256c
--- /dev/null
+++ b/server/src/com/cloud/network/vpc/dao/NetworkACLDao.java
@@ -0,0 +1,23 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.vpc.dao;
+
+import com.cloud.network.vpc.NetworkACLVO;
+import com.cloud.utils.db.GenericDao;
+
+public interface NetworkACLDao extends GenericDao<NetworkACLVO, Long>{
+}
diff --git a/server/src/com/cloud/network/vpc/dao/NetworkACLDaoImpl.java b/server/src/com/cloud/network/vpc/dao/NetworkACLDaoImpl.java
new file mode 100644
index 00000000000..fd3308d176f
--- /dev/null
+++ b/server/src/com/cloud/network/vpc/dao/NetworkACLDaoImpl.java
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.vpc.dao;
+
+import com.cloud.network.vpc.NetworkACLVO;
+import com.cloud.utils.db.DB;
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import org.springframework.stereotype.Component;
+
+import javax.ejb.Local;
+
+@Component
+@Local(value = NetworkACLDao.class)
+@DB(txn = false)
+public class NetworkACLDaoImpl extends GenericDaoBase<NetworkACLVO, Long> implements NetworkACLDao{
+
+    protected NetworkACLDaoImpl() {
+    }
+
+}
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index 86c1a640da9..ec19942e054 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -2879,6 +2879,9 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         cmdList.add(ListNetworkIsolationMethodsCmd.class);
         cmdList.add(ListNetworkIsolationMethodsCmd.class);
 
+        cmdList.add(CreateNetworkACLListCmd.class);
+        cmdList.add(DeleteNetworkACLListCmd.class);
+        cmdList.add(ListNetworkACLListsCmd.class);
         return cmdList;
     }
 
diff --git a/setup/db/create-schema.sql b/setup/db/create-schema.sql
index b1feb022836..832ecc6540f 100755
--- a/setup/db/create-schema.sql
+++ b/setup/db/create-schema.sql
@@ -196,6 +196,8 @@ DROP TABLE IF EXISTS `cloud`.`vm_network_map`;
 DROP TABLE IF EXISTS `cloud`.`netapp_volume`;
 DROP TABLE IF EXISTS `cloud`.`netapp_pool`;
 DROP TABLE IF EXISTS `cloud`.`netapp_lun`;
+DROP TABLE IF EXISTS `cloud`.`network_acl`;
+DROP TABLE IF EXISTS `cloud`.`network_acl_item`;
 
 CREATE TABLE `cloud`.`version` (
   `id` bigint unsigned NOT NULL UNIQUE AUTO_INCREMENT COMMENT 'id',
@@ -268,6 +270,7 @@ CREATE TABLE `cloud`.`networks` (
   `removed` datetime COMMENT 'date removed if not null',
   `specify_ip_ranges` int(1) unsigned NOT NULL DEFAULT 0 COMMENT 'true if the network provides an ability to define ip ranges',
   `vpc_id` bigint unsigned COMMENT 'vpc this network belongs to',
+  `network_acl_id` bigint unsigned COMMENT 'network acl id',
   PRIMARY KEY (`id`),
   CONSTRAINT `fk_networks__network_offering_id` FOREIGN KEY (`network_offering_id`) REFERENCES `network_offerings`(`id`),  
   CONSTRAINT `fk_networks__data_center_id` FOREIGN KEY (`data_center_id`) REFERENCES `data_center`(`id`) ON DELETE CASCADE,
@@ -2475,5 +2478,37 @@ CREATE TABLE `cloud`.`nicira_nvp_nic_map` (
   CONSTRAINT `fk_nicira_nvp_nic_map__nic` FOREIGN KEY(`nic`) REFERENCES `nics`(`uuid`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
+CREATE TABLE `cloud`.`network_acl` (
+  `id` bigint unsigned NOT NULL auto_increment COMMENT 'id',
+  `name` varchar(255) NOT NULL COMMENT 'name of the network acl',
+  `uuid` varchar(40),
+  `vpc_id` bigint unsigned COMMENT 'vpc this network acl belongs to',
+  `description` varchar(1024),
+  PRIMARY KEY  (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `cloud`.`network_acl_item` (
+  `id` bigint unsigned NOT NULL auto_increment COMMENT 'id',
+  `uuid` varchar(40),
+  `network_acl_id` bigint unsigned NOT NULL COMMENT 'network acl id',
+  `start_port` int(10) COMMENT 'starting port of a port range',
+  `end_port` int(10) COMMENT 'end port of a port range',
+  `state` char(32) NOT NULL COMMENT 'current state of this rule',
+  `protocol` char(16) NOT NULL default 'TCP' COMMENT 'protocol to open these ports for',
+  `account_id` bigint unsigned NOT NULL COMMENT 'owner id',
+  `domain_id` bigint unsigned NOT NULL COMMENT 'domain id',
+  `xid` char(40) NOT NULL COMMENT 'external id',
+  `created` datetime COMMENT 'Date created',
+  `icmp_code` int(10) COMMENT 'The ICMP code (if protocol=ICMP). A value of -1 means all codes for the given ICMP type.',
+  `icmp_type` int(10) COMMENT 'The ICMP type (if protocol=ICMP). A value of -1 means all types.',
+  `type` varchar(10) NOT NULL DEFAULT 'USER',
+  `traffic_type` char(32) COMMENT 'the traffic type of the rule, can be Ingress or Egress',
+  PRIMARY KEY  (`id`),
+  CONSTRAINT `fk_network_acl_item__account_id` FOREIGN KEY(`account_id`) REFERENCES `account`(`id`) ON DELETE CASCADE,
+  CONSTRAINT `fk_network_acl_item__domain_id` FOREIGN KEY(`domain_id`) REFERENCES `domain`(`id`) ON DELETE CASCADE,
+  CONSTRAINT `fk_network_acl_item__acl_id` FOREIGN KEY(`network_acl_id`) REFERENCES `network_acl`(`id`) ON DELETE CASCADE,
+  CONSTRAINT `uc_network_acl_item__uuid` UNIQUE (`uuid`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
 SET foreign_key_checks = 1;