bug 10617: Intermediate checking

Changes :
         - Fixing API doc +response name + errorMessage
         - Adding separate events to Egress rules
         - Egress rules Using the same database table as that of ingress with new column type.

   Pending Tasks:
         - db upgrade
         - database table rename from security_ingress_rule to generic name, renaming some of the jave class from ingress to generic name.
         - Retesting on kvm
This commit is contained in:
Naredula Janardhana Reddy 2011-09-09 18:07:18 +05:30
parent 50efe56335
commit f9b0962ad9
27 changed files with 177 additions and 753 deletions


@ -180,7 +180,7 @@ public interface ResponseGenerator {
SecurityGroupResponse createSecurityGroupResponseFromIngressRule(List<? extends IngressRule> ingressRules);
SecurityGroupResponse createSecurityGroupResponseFromEgressRule(List<? extends EgressRule> egressRules);
SecurityGroupResponse createSecurityGroupResponseFromEgressRule(List<? extends IngressRule> egressRules);
SecurityGroupResponse createSecurityGroupResponse(SecurityGroup group);


@ -37,17 +37,17 @@ import com.cloud.api.response.SecurityGroupResponse;
import com.cloud.async.AsyncJob;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.network.security.EgressRule;
import com.cloud.network.security.IngressRule;
import com.cloud.user.Account;
import com.cloud.user.UserContext;
import com.cloud.utils.StringUtils;
@Implementation(responseObject = EgressRuleResponse.class, description = "Authorizes a particular ingress rule for this security group")
@Implementation(responseObject = EgressRuleResponse.class, description = "Authorizes a particular egress rule for this security group")
@SuppressWarnings("rawtypes")
public class AuthorizeSecurityGroupEgressCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AuthorizeSecurityGroupEgressCmd.class.getName());
private static final String s_name = "authorizesecuritygroupingress";
private static final String s_name = "authorizesecuritygroupegress";
// ///////////////////////////////////////////////////
// ////////////// API parameters /////////////////////
@ -56,10 +56,10 @@ public class AuthorizeSecurityGroupEgressCmd extends BaseAsyncCmd {
@Parameter(name = ApiConstants.PROTOCOL, type = CommandType.STRING, description = "TCP is default. UDP is the other supported protocol")
private String protocol;
@Parameter(name = ApiConstants.START_PORT, type = CommandType.INTEGER, description = "start port for this ingress rule")
@Parameter(name = ApiConstants.START_PORT, type = CommandType.INTEGER, description = "start port for this egress rule")
private Integer startPort;
@Parameter(name = ApiConstants.END_PORT, type = CommandType.INTEGER, description = "end port for this ingress rule")
@Parameter(name = ApiConstants.END_PORT, type = CommandType.INTEGER, description = "end port for this egress rule")
private Integer endPort;
@Parameter(name = ApiConstants.ICMP_TYPE, type = CommandType.INTEGER, description = "type of the icmp message being sent")
@ -177,7 +177,7 @@ public class AuthorizeSecurityGroupEgressCmd extends BaseAsyncCmd {
@Override
public String getEventType() {
return EventTypes.EVENT_SECURITY_GROUP_AUTHORIZE_INGRESS;
return EventTypes.EVENT_SECURITY_GROUP_AUTHORIZE_EGRESS;
}
@Override
@ -203,20 +203,20 @@ public class AuthorizeSecurityGroupEgressCmd extends BaseAsyncCmd {
sb.append("cidr list: ");
sb.append(StringUtils.join(getCidrList(), ", "));
} else {
sb.append("<error: no ingress parameters>");
sb.append("<error: no egress parameters>");
}
return "authorizing ingress to group: " + getSecurityGroupId() + " to " + sb.toString();
return "authorizing egress to group: " + getSecurityGroupId() + " to " + sb.toString();
}
@Override
public void execute() {
List<? extends EgressRule> egressRules = _securityGroupService.authorizeSecurityGroupEgress(this);
List<? extends IngressRule> egressRules = _securityGroupService.authorizeSecurityGroupEgress(this);
if (egressRules != null && !egressRules.isEmpty()) {
SecurityGroupResponse response = _responseGenerator.createSecurityGroupResponseFromEgressRule(egressRules);
this.setResponseObject(response);
} else {
throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to authorize security group ingress rule(s)");
throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to authorize security group egress rule(s)");
}
}


@ -32,17 +32,17 @@ import com.cloud.event.EventTypes;
import com.cloud.network.security.SecurityGroup;
import com.cloud.user.Account;
@Implementation(responseObject = SuccessResponse.class, description = "Deletes a particular ingress rule from this security group")
@Implementation(responseObject = SuccessResponse.class, description = "Deletes a particular egress rule from this security group")
public class RevokeSecurityGroupEgressCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RevokeSecurityGroupEgressCmd.class.getName());
private static final String s_name = "revokesecuritygroupingress";
private static final String s_name = "revokesecuritygroupegress";
// ///////////////////////////////////////////////////
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
@Parameter(name = ApiConstants.ID, type = CommandType.LONG, required = true, description = "The ID of the ingress rule")
@Parameter(name = ApiConstants.ID, type = CommandType.LONG, required = true, description = "The ID of the egress rule")
private Long id;
// ///////////////////////////////////////////////////
@ -63,7 +63,7 @@ public class RevokeSecurityGroupEgressCmd extends BaseAsyncCmd {
}
public static String getResultObjectName() {
return "revokesecuritygroupingress";
return "revokesecuritygroupegress";
}
@Override
@ -78,12 +78,12 @@ public class RevokeSecurityGroupEgressCmd extends BaseAsyncCmd {
@Override
public String getEventType() {
return EventTypes.EVENT_SECURITY_GROUP_REVOKE_INGRESS;
return EventTypes.EVENT_SECURITY_GROUP_REVOKE_EGRESS;
}
@Override
public String getEventDescription() {
return "revoking ingress rule id: " + getId();
return "revoking egress rule id: " + getId();
}
@Override
@ -93,7 +93,7 @@ public class RevokeSecurityGroupEgressCmd extends BaseAsyncCmd {
SuccessResponse response = new SuccessResponse(getCommandName());
this.setResponseObject(response);
} else {
throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to revoke security group ingress rule");
throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to revoke security group egress rule");
}
}
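Review bot: Nothing visible in this command checks that the rule identified by `id` is actually an egress rule before it is revoked; with ingress and egress rows now sharing one table (per the commit description), a lookup by id alone would let `revokesecuritygroupegress` remove an ingress rule and vice versa. If `revokeSecurityGroupEgress` does not already compare the row's `getType()` with the expected direction, it should, and fail with the existing "Failed to revoke security group egress rule" error — the service body is not in this hunk, so this is inferred. Separately, `getResultObjectName()` in the second hunk re-types the literal that `s_name` already holds; `return s_name;` keeps the two from drifting. execute() starts outside the last hunk.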


@ -22,10 +22,10 @@ import com.cloud.serializer.Param;
import com.google.gson.annotations.SerializedName;
public class EgressRuleResponse extends BaseResponse {
@SerializedName("ruleid") @Param(description="the id of the ingress rule")
@SerializedName("ruleid") @Param(description="the id of the egress rule")
private Long ruleId;
@SerializedName("protocol") @Param(description="the protocol of the ingress rule")
@SerializedName("protocol") @Param(description="the protocol of the egress rule")
private String protocol;
@SerializedName(ApiConstants.ICMP_TYPE) @Param(description="the type of the ICMP message response")
@ -34,19 +34,19 @@ public class EgressRuleResponse extends BaseResponse {
@SerializedName(ApiConstants.ICMP_CODE) @Param(description="the code for the ICMP message response")
private Integer icmpCode;
@SerializedName(ApiConstants.START_PORT) @Param(description="the starting IP of the ingress rule")
@SerializedName(ApiConstants.START_PORT) @Param(description="the starting IP of the egress rule")
private Integer startPort;
@SerializedName(ApiConstants.END_PORT) @Param(description="the ending IP of the ingress rule ")
@SerializedName(ApiConstants.END_PORT) @Param(description="the ending IP of the egress rule ")
private Integer endPort;
@SerializedName(ApiConstants.SECURITY_GROUP_NAME) @Param(description="security group name")
private String securityGroupName;
@SerializedName(ApiConstants.ACCOUNT) @Param(description="account owning the ingress rule")
@SerializedName(ApiConstants.ACCOUNT) @Param(description="account owning the egress rule")
private String accountName;
@SerializedName(ApiConstants.CIDR) @Param(description="the CIDR notation for the base IP address of the ingress rule")
@SerializedName(ApiConstants.CIDR) @Param(description="the CIDR notation for the base IP address of the egress rule")
private String cidr;
public Long getRuleId() {
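Review bot: The START_PORT and END_PORT descriptions still read "the starting IP of the egress rule" and "the ending IP of the egress rule " after the rename, but both fields carry port numbers; suggest `@Param(description="the starting port of the egress rule")` and `@Param(description="the ending port of the egress rule")`, dropping the trailing space on the second. Note also that SecurityGroupResponse in this same commit types its `egressRules` list as `List<IngressRuleResponse>`, so it looks as if nothing builds an `EgressRuleResponse` any more — worth confirming whether this class should be retired or the response type restored rather than carrying two diverging response shapes.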


@ -51,8 +51,8 @@ public class SecurityGroupResponse extends BaseResponse {
@SerializedName("ingressrule") @Param(description="the list of ingress rules associated with the security group", responseObject = IngressRuleResponse.class)
private List<IngressRuleResponse> ingressRules;
@SerializedName("egressrule") @Param(description="the list of ingress rules associated with the security group", responseObject = EgressRuleResponse.class)
private List<EgressRuleResponse> egressRules;
@SerializedName("egressrule") @Param(description="the list of egress rules associated with the security group", responseObject = EgressRuleResponse.class)
private List<IngressRuleResponse> egressRules;
public Long getId() {
return id;
@ -106,7 +106,7 @@ public class SecurityGroupResponse extends BaseResponse {
return ingressRules;
}
public List<EgressRuleResponse> getEgressRules() {
public List<IngressRuleResponse> getEgressRules() {
return egressRules;
}
@ -114,7 +114,7 @@ public class SecurityGroupResponse extends BaseResponse {
this.ingressRules = ingressRules;
}
public void setEgressRules(List<EgressRuleResponse> egressRules) {
public void setEgressRules(List<IngressRuleResponse> egressRules) {
this.egressRules = egressRules;
}


@ -172,6 +172,8 @@ public class EventTypes {
// Security Groups
public static final String EVENT_SECURITY_GROUP_AUTHORIZE_INGRESS = "SG.AUTH.INGRESS";
public static final String EVENT_SECURITY_GROUP_REVOKE_INGRESS = "SG.REVOKE.INGRESS";
public static final String EVENT_SECURITY_GROUP_AUTHORIZE_EGRESS = "SG.AUTH.EGRESS";
public static final String EVENT_SECURITY_GROUP_REVOKE_EGRESS = "SG.REVOKE.EGRESS";
public static final String EVENT_SECURITY_GROUP_CREATE = "SG.CREATE";
public static final String EVENT_SECURITY_GROUP_DELETE = "SG.DELETE";


@ -26,6 +26,8 @@ import com.cloud.async.AsyncInstanceCreateStatus;
public interface IngressRule {
long getId();
public int getType();
long getSecurityGroupId();
int getStartPort();
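Review bot: `public int getType();` is the only member of IngressRule that spells out `public`, which is redundant on interface methods and inconsistent with the neighbouring `long getId();`; write it as `int getType();`, and the same applies to the new `int getType();` in SecurityGroupRules. More importantly the value's meaning is undocumented: the only anchors in this commit are `INGRESS_RULE = 1` in SecurityGroupManagerImpl and a literal `== 1` in ApiResponseHelper, so a Javadoc such as `/** Rule direction: SecurityGroupManagerImpl.INGRESS_RULE for ingress; the API layer treats any other value as egress. */` would save the next reader from deriving it. An enum would express this better than an int, though the JPA mapping in IngressRuleVO would then need `@Enumerated`.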


@ -39,4 +39,6 @@ public interface SecurityGroupRules {
Long getAllowedNetworkId();
String getAllowedSourceIpCidr();
int getType();
}


@ -50,6 +50,6 @@ public interface SecurityGroupService {
public List<? extends SecurityGroupRules> searchForSecurityGroupRules(ListSecurityGroupsCmd cmd) throws PermissionDeniedException, InvalidParameterValueException;
public List<? extends IngressRule> authorizeSecurityGroupIngress(AuthorizeSecurityGroupIngressCmd cmd);
public List<? extends EgressRule> authorizeSecurityGroupEgress(AuthorizeSecurityGroupEgressCmd cmd);
public List<? extends IngressRule> authorizeSecurityGroupEgress(AuthorizeSecurityGroupEgressCmd cmd);
}


@ -1,126 +0,0 @@
/**
* Copyright (C) 2010 Cloud.com, Inc. All rights reserved.
*
* This software is licensed under the GNU General Public License v3 or later.
*
* It is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package com.cloud.network.security;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.EnumType;
import javax.persistence.Enumerated;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import com.cloud.async.AsyncInstanceCreateStatus;
import com.google.gson.annotations.Expose;
@Entity
@Table(name = ("security_egress_rule"))
public class EgressRuleVO implements EgressRule {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "security_group_id")
private long securityGroupId;
@Column(name = "start_port")
private int startPort;
@Column(name = "end_port")
private int endPort;
@Column(name = "protocol")
private String protocol;
@Column(name = "allowed_network_id", nullable = true)
private Long allowedNetworkId = null;
@Column(name = "allowed_ip_cidr", nullable = true)
private String allowedDestinationIpCidr = null;
@Expose
@Column(name = "create_status", updatable = true, nullable = false)
@Enumerated(value = EnumType.STRING)
private AsyncInstanceCreateStatus createStatus;
public EgressRuleVO() {
}
public EgressRuleVO(long securityGroupId, int fromPort, int toPort, String protocol, long allowedNetworkId) {
this.securityGroupId = securityGroupId;
this.startPort = fromPort;
this.endPort = toPort;
this.protocol = protocol;
this.allowedNetworkId = allowedNetworkId;
}
public EgressRuleVO(long securityGroupId, int fromPort, int toPort, String protocol, String allowedIpCidr) {
this.securityGroupId = securityGroupId;
this.startPort = fromPort;
this.endPort = toPort;
this.protocol = protocol;
this.allowedDestinationIpCidr = allowedIpCidr;
}
@Override
public long getId() {
return id;
}
@Override
public long getSecurityGroupId() {
return securityGroupId;
}
@Override
public int getStartPort() {
return startPort;
}
@Override
public int getEndPort() {
return endPort;
}
@Override
public String getProtocol() {
return protocol;
}
@Override
public AsyncInstanceCreateStatus getCreateStatus() {
return createStatus;
}
public void setCreateStatus(AsyncInstanceCreateStatus createStatus) {
this.createStatus = createStatus;
}
@Override
public Long getAllowedNetworkId() {
return allowedNetworkId;
}
@Override
public String getAllowedDestinationIpCidr() {
return allowedDestinationIpCidr;
}
}


@ -47,6 +47,9 @@ public class IngressRuleVO implements IngressRule {
@Column(name = "end_port")
private int endPort;
@Column(name = "type")
private int type;
@Column(name = "protocol")
private String protocol;
@ -64,20 +67,22 @@ public class IngressRuleVO implements IngressRule {
public IngressRuleVO() {
}
public IngressRuleVO(long securityGroupId, int fromPort, int toPort, String protocol, long allowedNetworkId) {
public IngressRuleVO(long securityGroupId, int fromPort, int toPort, String protocol, long allowedNetworkId, int type) {
this.securityGroupId = securityGroupId;
this.startPort = fromPort;
this.endPort = toPort;
this.protocol = protocol;
this.allowedNetworkId = allowedNetworkId;
this.type = type;
}
public IngressRuleVO(long securityGroupId, int fromPort, int toPort, String protocol, String allowedIpCidr) {
public IngressRuleVO(long securityGroupId, int fromPort, int toPort, String protocol, String allowedIpCidr, int type) {
this.securityGroupId = securityGroupId;
this.startPort = fromPort;
this.endPort = toPort;
this.protocol = protocol;
this.allowedSourceIpCidr = allowedIpCidr;
this.type = type;
}
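Review bot: Both constructors now store `type` unchecked (`this.type = type;`), so any int reaches the shared table, and ApiResponseHelper in this commit classifies every value other than 1 as egress — a mis-typed row would be rendered in the wrong direction without any error. A guard at the top of each constructor such as `if (type != SecurityGroupManagerImpl.INGRESS_RULE && type != <EGRESS_RULE constant>) throw new IllegalArgumentException("unknown rule type: " + type);` closes that; the egress constant is not visible in this commit, so the placeholder has to be filled in. Since the VO is what persists the value, both constants would also sit more naturally on IngressRule or IngressRuleVO than on the manager. The `type` column in the first hunk carries no `nullable = false`; worth deciding that explicitly before the pending db upgrade.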
@Override
@ -100,6 +105,11 @@ public class IngressRuleVO implements IngressRule {
return endPort;
}
@Override
public int getType() {
return type;
}
@Override
public String getProtocol() {
return protocol;


@ -1,141 +0,0 @@
/**
* Copyright (C) 2010 Cloud.com, Inc. All rights reserved.
*
* This software is licensed under the GNU General Public License v3 or later.
*
* It is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package com.cloud.network.security;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.PrimaryKeyJoinColumn;
import javax.persistence.SecondaryTable;
import javax.persistence.Table;
@Entity
@Table(name = ("security_group"))
@SecondaryTable(name = "security_egress_rule", join = "left", pkJoinColumns = { @PrimaryKeyJoinColumn(name = "id", referencedColumnName = "security_group_id") })
public class SecurityGroupEgressRulesVO implements SecurityGroupRules {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "name")
private String name;
@Column(name = "description")
private String description;
@Column(name = "domain_id")
private Long domainId;
@Column(name = "account_id")
private Long accountId;
@Column(name = "id", table = "security_egress_rule", insertable = false, updatable = false)
private Long ruleId;
@Column(name = "start_port", table = "security_egress_rule", insertable = false, updatable = false)
private int startPort;
@Column(name = "end_port", table = "security_egress_rule", insertable = false, updatable = false)
private int endPort;
@Column(name = "protocol", table = "security_egress_rule", insertable = false, updatable = false)
private String protocol;
@Column(name = "allowed_network_id", table = "security_egress_rule", insertable = false, updatable = false, nullable = true)
private Long allowedNetworkId = null;
@Column(name = "allowed_ip_cidr", table = "security_egress_rule", insertable = false, updatable = false, nullable = true)
private String allowedDestinationIpCidr = null;
public SecurityGroupEgressRulesVO() {
}
public SecurityGroupEgressRulesVO(long id, String name, String description, Long domainId, Long accountId, Long ruleId, int startPort, int endPort, String protocol, Long allowedNetworkId,
String allowedDestinationIpCidr) {
this.id = id;
this.name = name;
this.description = description;
this.domainId = domainId;
this.accountId = accountId;
this.ruleId = ruleId;
this.startPort = startPort;
this.endPort = endPort;
this.protocol = protocol;
this.allowedNetworkId = allowedNetworkId;
this.allowedDestinationIpCidr = allowedDestinationIpCidr;
}
@Override
public long getId() {
return id;
}
@Override
public String getName() {
return name;
}
@Override
public String getDescription() {
return description;
}
@Override
public Long getDomainId() {
return domainId;
}
@Override
public Long getAccountId() {
return accountId;
}
@Override
public Long getRuleId() {
return ruleId;
}
@Override
public int getStartPort() {
return startPort;
}
@Override
public int getEndPort() {
return endPort;
}
@Override
public String getProtocol() {
return protocol;
}
@Override
public Long getAllowedNetworkId() {
return allowedNetworkId;
}
@Override
public String getAllowedSourceIpCidr() { /* FIXME: need to rename the method name, for this the interface need to change or need create a new interface */
return allowedDestinationIpCidr;
}
}


@ -51,6 +51,9 @@ public class SecurityGroupRulesVO implements SecurityGroupRules {
@Column(name = "id", table = "security_ingress_rule", insertable = false, updatable = false)
private Long ruleId;
@Column(name = "type", table = "security_ingress_rule", insertable = false, updatable = false)
private int type;
@Column(name = "start_port", table = "security_ingress_rule", insertable = false, updatable = false)
private int startPort;
@ -89,6 +92,11 @@ public class SecurityGroupRulesVO implements SecurityGroupRules {
return id;
}
@Override
public int getType() {
return type;
}
@Override
public String getName() {
return name;


@ -1056,12 +1056,12 @@ def network_rules(session, args):
if protocol == 'all':
if type == 'egress':
iptables = ['iptables', '-I', vmchain, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'dst', '-j', 'ACCEPT']
iptables = ['iptables', '-I', vmchain, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'dst', '-j', 'DROP']
else:
iptables = ['iptables', '-I', vmchain, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'src', '-j', 'ACCEPT']
elif protocol != 'icmp':
if type == 'egress':
iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'dst', '-j', 'ACCEPT']
iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'dst', '-j', 'DROP']
else:
iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-m', 'set', '--match-set', ipsetname, 'src', '-j', 'ACCEPT']
else:
@ -1069,7 +1069,7 @@ def network_rules(session, args):
if start == "-1":
range = "any"
if type == 'egress':
iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', '--match-set', ipsetname, 'dst', '-j', 'ACCEPT']
iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', '--match-set', ipsetname, 'dst', '-j', 'DROP']
else:
iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', '--match-set', ipsetname, 'src', '-j', 'ACCEPT']
util.pread2(iptables)
@ -1077,15 +1077,24 @@ def network_rules(session, args):
if allow_any and protocol != 'all':
if protocol != 'icmp':
if type == 'egress':
iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-j', 'DROP']
else:
iptables = ['iptables', '-I', vmchain, '-p', protocol, '-m', protocol, '--dport', range, '-m', 'state', '--state', 'NEW', '-j', 'ACCEPT']
else:
range = start + "/" + end
if start == "-1":
range = "any"
if type == 'egress':
iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-j', 'DROP']
else:
iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-j', 'ACCEPT']
util.pread2(iptables)
util.SMlog(iptables)
if type == 'egress':
util.pread2(['iptables', '-A', vmchain, '-j', 'ACCEPT'])
else:
util.pread2(['iptables', '-A', vmchain, '-j', 'DROP'])
if write_rule_log_for_vm(vm_name, vm_id, vm_ip, domid, signature, seqno) == False:
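Review bot: This hunk inverts the egress model — per-rule entries now target `DROP` and the chain's terminal rule becomes `ACCEPT` for egress (the `['iptables', '-A', vmchain, '-j', 'ACCEPT']` branch), so an egress rule is a deny-list entry while an ingress rule stays an allow-list entry with a default `DROP`; yet the API side of this same commit still describes the operation as "Authorizes a particular egress rule for this security group". Either the iptables action or the API wording should change, and whichever stays, the model deserves a comment at the top of the egress branch, e.g. `# egress chain: explicit rules DROP, default ACCEPT (deny-list); ingress chain: explicit rules ACCEPT, default DROP (allow-list)`, because it cannot be read off the two chains alone. `type` also shadows the Python builtin throughout; `ruletype`, as the KVM script in this commit uses, would read better. network_rules starts and ends outside these hunks.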


@ -578,8 +578,10 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
if ruletype == 'egress':
vmchain = vm_name + "-egress"
action = "DROP"
else:
vmchain = vm_name
action = "ACCEPT"
changes = []
@ -621,13 +623,13 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
if protocol == 'all':
for ip in ips:
if ruletype == 'egress':
execute("iptables -I " + vmchain + " -m state --state NEW -d " + ip + " -j ACCEPT")
execute("iptables -I " + vmchain + " -m state --state NEW -d " + ip + " -j DROP")
else:
execute("iptables -I " + vmchain + " -m state --state NEW -s " + ip + " -j ACCEPT")
elif protocol != 'icmp':
for ip in ips:
if ruletype == 'egress':
execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -d " + ip + " -j ACCEPT")
execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -d " + ip + " -j DROP")
else:
execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -s " + ip + " -j ACCEPT")
else:
@ -636,19 +638,22 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
range = "any"
for ip in ips:
if ruletype == 'egress':
execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -d " + ip + " -j ACCEPT")
execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -d " + ip + " -j DROP")
else:
execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -s " + ip + " -j ACCEPT")
if allow_any and protocol != 'all':
if protocol != 'icmp':
execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -j ACCEPT")
execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -j " + action)
else:
range = start + "/" + end
if start == "-1":
range = "any"
execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -j ACCEPT")
execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -j "+action)
if ruletype == 'egress':
iptables = "iptables -A " + vmchain + " -j ACCEPT"
else:
iptables = "iptables -A " + vmchain + " -j DROP"
execute(iptables)
if write_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno) == False:
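Review bot: The `action` variable introduced in the first hunk (`action = "DROP"` / `action = "ACCEPT"`) is used only in the `allow_any` branch, while the per-ip branches in the second and third hunks still hard-code `-j DROP` / `-j ACCEPT` inside duplicated `if ruletype == 'egress'` blocks; the `-d`/`-s` choice still needs the branch, but ending both arms with `" -j " + action` removes three near-duplicate target pairs and guarantees the two paths never disagree. The ICMP line `" -j "+action` also drops the spacing the line above it uses. These commands are built by string concatenation from rule fields (`ip`, `range`, `protocol`); whether `execute` hands them to a shell is not visible here, but if it does, those fields should be validated before this point. add_network_rules starts and ends outside the hunks.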


@ -1585,6 +1585,7 @@ public class ApiResponseHelper implements ResponseGenerator {
List<IngressRuleResultObject> ingressRules = networkGroup.getIngressRules();
if ((ingressRules != null) && !ingressRules.isEmpty()) {
List<IngressRuleResponse> ingressRulesResponse = new ArrayList<IngressRuleResponse>();
List<IngressRuleResponse> egressRulesResponse = new ArrayList<IngressRuleResponse>();
for (IngressRuleResultObject ingressRule : ingressRules) {
IngressRuleResponse ingressData = new IngressRuleResponse();
@ -1606,38 +1607,18 @@ public class ApiResponseHelper implements ResponseGenerator {
ingressData.setCidr(ingressRule.getAllowedSourceIpCidr());
}
if (ingressRule.getType() == 1)
{
ingressData.setObjectName("ingressrule");
ingressRulesResponse.add(ingressData);
}
else
{
ingressData.setObjectName("egressrule");
egressRulesResponse.add(ingressData);
}
}
netGrpResponse.setIngressRules(ingressRulesResponse);
}
List<EgressRuleResultObject> egressRules = networkGroup.getEgressRules();
if ((egressRules != null) && !egressRules.isEmpty()) {
List<EgressRuleResponse> egressRulesResponse = new ArrayList<EgressRuleResponse>();
for (EgressRuleResultObject egressRule : egressRules) {
EgressRuleResponse egressData = new EgressRuleResponse();
egressData.setRuleId(egressRule.getId());
egressData.setProtocol(egressRule.getProtocol());
if ("icmp".equalsIgnoreCase(egressRule.getProtocol())) {
egressData.setIcmpType(egressRule.getStartPort());
egressData.setIcmpCode(egressRule.getEndPort());
} else {
egressData.setStartPort(egressRule.getStartPort());
egressData.setEndPort(egressRule.getEndPort());
}
if (egressRule.getAllowedSecurityGroup() != null) {
egressData.setSecurityGroupName(egressRule.getAllowedSecurityGroup());
egressData.setAccountName(egressRule.getAllowedSecGroupAcct());
} else {
egressData.setCidr(egressRule.getAllowedDestinationIpCidr());
}
egressData.setObjectName("egressrule");
egressRulesResponse.add(egressData);
}
netGrpResponse.setEgressRules(egressRulesResponse);
}
netGrpResponse.setObjectName("securitygroup");
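Review bot: `egressRulesResponse` is declared and filled in this hunk but, as far as the hunk shows, never attached to the response: the only `netGrpResponse.setEgressRules(...)` call sits in the block that iterated `networkGroup.getEgressRules()` and is being removed, so egress rules would be classified and then discarded; unless a surviving call exists outside the hunk, add `netGrpResponse.setEgressRules(egressRulesResponse);` beside `netGrpResponse.setIngressRules(ingressRulesResponse);`. The classification also hard-codes `ingressRule.getType() == 1`; `SecurityGroupManagerImpl.INGRESS_RULE` is added in this same commit, and comparing against it (and treating an unknown value as an error rather than as egress) keeps the two from drifting. The later hunk in `createSecurityGroupResponseFromEgressRule` likewise renders every element as `"egressrule"` without consulting `getType()`. The enclosing method starts outside the hunk.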
@ -1662,7 +1643,6 @@ public class ApiResponseHelper implements ResponseGenerator {
response.setObjectName("securitygroup");
return response;
}
@Override
@ -2040,7 +2020,7 @@ public class ApiResponseHelper implements ResponseGenerator {
}
@Override
public SecurityGroupResponse createSecurityGroupResponseFromEgressRule(List<? extends EgressRule> egressRules) {
public SecurityGroupResponse createSecurityGroupResponseFromEgressRule(List<? extends IngressRule> egressRules) {
SecurityGroupResponse response = new SecurityGroupResponse();
Map<Long, Account> securiytGroupAccounts = new HashMap<Long, Account>();
Map<Long, SecurityGroup> allowedSecurityGroups = new HashMap<Long, SecurityGroup>();
@ -2063,9 +2043,9 @@ public class ApiResponseHelper implements ResponseGenerator {
response.setDomainId(account.getDomainId());
response.setDomainName(ApiDBUtils.findDomainById(securityGroup.getDomainId()).getName());
List<EgressRuleResponse> responses = new ArrayList<EgressRuleResponse>();
for (EgressRule egressRule : egressRules) {
EgressRuleResponse egressData = new EgressRuleResponse();
List<IngressRuleResponse> responses = new ArrayList<IngressRuleResponse>();
for (IngressRule egressRule : egressRules) {
IngressRuleResponse egressData = new IngressRuleResponse();
egressData.setRuleId(egressRule.getId());
egressData.setProtocol(egressRule.getProtocol());
@ -2095,7 +2075,7 @@ public class ApiResponseHelper implements ResponseGenerator {
egressData.setAccountName(allowedAccount.getAccountName());
} else {
egressData.setCidr(egressRule.getAllowedDestinationIpCidr());
egressData.setCidr(egressRule.getAllowedSourceIpCidr());
}
egressData.setObjectName("egressrule");


@ -33,6 +33,9 @@ public class IngressRuleResultObject {
@Param(name="protocol")
private String protocol;
@Param(name="type")
private int type;
@Param(name="securitygroup")
private String allowedSecurityGroup = null;
@ -62,6 +65,14 @@ public class IngressRuleResultObject {
this.id = id;
}
public int getType() {
return type;
}
public void setType(int type) {
this.type = type;
}
public int getStartPort() {
return startPort;
}


@ -27,7 +27,6 @@ import com.cloud.api.ApiDBUtils;
import com.cloud.network.security.SecurityGroup;
import com.cloud.network.security.SecurityGroupRules;
import com.cloud.network.security.SecurityGroupRulesVO;
import com.cloud.network.security.SecurityGroupEgressRulesVO;
import com.cloud.serializer.Param;
import com.cloud.user.Account;
@ -38,6 +37,9 @@ public class SecurityGroupResultObject {
@Param(name = "name")
private String name;
@Param(name = "type")
private int type;
@Param(name = "description")
private String description;
@ -77,6 +79,14 @@ public class SecurityGroupResultObject {
this.id = id;
}
public Long getType() {
return id;
}
public void setType(int type) {
this.type = type;
}
public String getName() {
return name;
}
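Review bot: `getType()` returns `id` rather than `type`, and its declared return type `Long` matches neither the `int type` field nor `setType(int)`; it should read `public int getType() { return type; }`. With the current body any consumer of the result object sees the group id where it expects the rule direction. The `@Param(name = "type")` field is also placed on SecurityGroupResultObject, which represents the group, while direction is a per-rule attribute already exposed on IngressRuleResultObject in this commit — worth confirming that a group-level type is intended.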
@ -163,6 +173,7 @@ public class SecurityGroupResultObject {
groupResult.setName(netGroupRule.getName());
groupResult.setDescription(netGroupRule.getDescription());
groupResult.setDomainId(netGroupRule.getDomainId());
groupResult.setType(netGroupRule.getType());
Account account = accounts.get(netGroupRule.getAccountId());
if (account == null) {
@ -183,6 +194,7 @@ public class SecurityGroupResultObject {
ingressData.setStartPort(netGroupRule.getStartPort());
ingressData.setId(netGroupRule.getRuleId());
ingressData.setProtocol(netGroupRule.getProtocol());
ingressData.setType(netGroupRule.getType());
Long allowedSecurityGroupId = netGroupRule.getAllowedNetworkId();
if (allowedSecurityGroupId != null) {


@ -98,10 +98,8 @@ import com.cloud.network.router.VirtualNetworkApplianceManagerImpl;
import com.cloud.network.rules.RulesManagerImpl;
import com.cloud.network.rules.dao.PortForwardingRulesDaoImpl;
import com.cloud.network.security.SecurityGroupManagerImpl;
import com.cloud.network.security.dao.EgressRuleDaoImpl;
import com.cloud.network.security.dao.IngressRuleDaoImpl;
import com.cloud.network.security.dao.SecurityGroupDaoImpl;
import com.cloud.network.security.dao.SecurityGroupEgressRulesDaoImpl;
import com.cloud.network.security.dao.SecurityGroupRulesDaoImpl;
import com.cloud.network.security.dao.SecurityGroupVMMapDaoImpl;
import com.cloud.network.security.dao.SecurityGroupWorkDaoImpl;
@ -204,10 +202,8 @@ public class DefaultComponentLibrary extends ComponentLibraryBase implements Com
addDao("DataCenterIpAddressDao", DataCenterIpAddressDaoImpl.class);
addDao("SecurityGroupDao", SecurityGroupDaoImpl.class);
addDao("IngressRuleDao", IngressRuleDaoImpl.class);
addDao("EgressRuleDao", EgressRuleDaoImpl.class);
addDao("SecurityGroupVMMapDao", SecurityGroupVMMapDaoImpl.class);
addDao("SecurityGroupRulesDao", SecurityGroupRulesDaoImpl.class);
addDao("SecurityGroupEgressRulesDao", SecurityGroupEgressRulesDaoImpl.class);
addDao("SecurityGroupWorkDao", SecurityGroupWorkDaoImpl.class);
addDao("VmRulesetLogDao", VmRulesetLogDaoImpl.class);
addDao("AlertDao", AlertDaoImpl.class);


@ -69,11 +69,9 @@ import com.cloud.exception.ResourceInUseException;
import com.cloud.hypervisor.Hypervisor.HypervisorType;
import com.cloud.network.NetworkManager;
import com.cloud.network.security.SecurityGroupWorkVO.Step;
import com.cloud.network.security.dao.EgressRuleDao;
import com.cloud.network.security.dao.IngressRuleDao;
import com.cloud.network.security.dao.SecurityGroupDao;
import com.cloud.network.security.dao.SecurityGroupRulesDao;
import com.cloud.network.security.dao.SecurityGroupEgressRulesDao;
import com.cloud.network.security.dao.SecurityGroupVMMapDao;
import com.cloud.network.security.dao.SecurityGroupWorkDao;
import com.cloud.network.security.dao.VmRulesetLogDao;
@ -120,14 +118,10 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
@Inject
IngressRuleDao _ingressRuleDao;
@Inject
EgressRuleDao _egressRuleDao;
@Inject
SecurityGroupVMMapDao _securityGroupVMMapDao;
@Inject
SecurityGroupRulesDao _securityGroupRulesDao;
@Inject
SecurityGroupEgressRulesDao _securityGroupEgressRulesDao;
@Inject
UserVmDao _userVMDao;
@Inject
AccountDao _accountDao;
@ -151,7 +145,8 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
NetworkManager _networkMgr;
@Inject
AccountManager _accountMgr;
public static final int INGRESS_RULE = 1 ;
public static final int EGRESS_RULE = 2 ;
ScheduledExecutorService _executorPool;
ScheduledExecutorService _cleanupExecutor;
@ -332,8 +327,8 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
List<SecurityGroupVMMapVO> groupsForVm = _securityGroupVMMapDao.listByInstanceId(userVmId);
for (SecurityGroupVMMapVO mapVO : groupsForVm) {
List<EgressRuleVO> rules = _egressRuleDao.listBySecurityGroupId(mapVO.getSecurityGroupId());
for (EgressRuleVO rule : rules) {
List<IngressRuleVO> rules = _ingressRuleDao.listBySecurityGroupId(mapVO.getSecurityGroupId(),EGRESS_RULE);
for (IngressRuleVO rule : rules) {
PortAndProto portAndProto = new PortAndProto(rule.getProtocol(), rule.getStartPort(), rule.getEndPort());
Set<String> cidrs = allowed.get(portAndProto);
if (cidrs == null) {
@ -349,8 +344,8 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
cidrs.add(cidr);
}
}
} else if (rule.getAllowedDestinationIpCidr() != null) {
cidrs.add(rule.getAllowedDestinationIpCidr());
} else if (rule.getAllowedSourceIpCidr() != null) {
cidrs.add(rule.getAllowedSourceIpCidr());
}
if (cidrs.size() > 0) {
allowed.put(portAndProto, cidrs);
@ -366,7 +361,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
List<SecurityGroupVMMapVO> groupsForVm = _securityGroupVMMapDao.listByInstanceId(userVmId);
for (SecurityGroupVMMapVO mapVO : groupsForVm) {
List<IngressRuleVO> rules = _ingressRuleDao.listBySecurityGroupId(mapVO.getSecurityGroupId());
List<IngressRuleVO> rules = _ingressRuleDao.listBySecurityGroupId(mapVO.getSecurityGroupId(), INGRESS_RULE);
for (IngressRuleVO rule : rules) {
PortAndProto portAndProto = new PortAndProto(rule.getProtocol(), rule.getStartPort(), rule.getEndPort());
Set<String> cidrs = allowed.get(portAndProto);
@ -718,21 +713,21 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
return null;
}
}
IngressRuleVO ingressRule = _ingressRuleDao.findByProtoPortsAndAllowedGroupId(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, ngVO.getId());
IngressRuleVO ingressRule = _ingressRuleDao.findByProtoPortsAndAllowedGroupId(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, ngVO.getId(), INGRESS_RULE);
if (ingressRule != null) {
continue; // rule already exists.
}
ingressRule = new IngressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, ngVO.getId());
ingressRule = new IngressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, ngVO.getId(),INGRESS_RULE);
ingressRule = _ingressRuleDao.persist(ingressRule);
newRules.add(ingressRule);
}
if (cidrList != null) {
for (String cidr : cidrList) {
IngressRuleVO ingressRule = _ingressRuleDao.findByProtoPortsAndCidr(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, cidr);
IngressRuleVO ingressRule = _ingressRuleDao.findByProtoPortsAndCidr(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, cidr, INGRESS_RULE);
if (ingressRule != null) {
continue;
}
ingressRule = new IngressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, cidr);
ingressRule = new IngressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, cidr,INGRESS_RULE);
ingressRule = _ingressRuleDao.persist(ingressRule);
newRules.add(ingressRule);
}
@ -806,7 +801,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
@Override
@DB
@SuppressWarnings("rawtypes")
public List<EgressRuleVO> authorizeSecurityGroupEgress(AuthorizeSecurityGroupEgressCmd cmd) {
public List<IngressRuleVO> authorizeSecurityGroupEgress(AuthorizeSecurityGroupEgressCmd cmd) {
Long securityGroupId = cmd.getSecurityGroupId();
String protocol = cmd.getProtocol();
Integer startPort = cmd.getStartPort();
@ -931,7 +926,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
s_logger.warn("Could not acquire lock on network security group: id= " + securityGroupId);
return null;
}
List<EgressRuleVO> newRules = new ArrayList<EgressRuleVO>();
List<IngressRuleVO> newRules = new ArrayList<IngressRuleVO>();
try {
for (final SecurityGroupVO ngVO : authorizedGroups2) {
final Long ngId = ngVO.getId();
@ -944,22 +939,22 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
return null;
}
}
EgressRuleVO egressRule = _egressRuleDao.findByProtoPortsAndAllowedGroupId(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, ngVO.getId());
IngressRuleVO egressRule = _ingressRuleDao.findByProtoPortsAndAllowedGroupId(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, ngVO.getId(), EGRESS_RULE);
if (egressRule != null) {
continue; // rule already exists.
}
egressRule = new EgressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, ngVO.getId());
egressRule = _egressRuleDao.persist(egressRule);
egressRule = new IngressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, ngVO.getId(), EGRESS_RULE);
egressRule = _ingressRuleDao.persist(egressRule);
newRules.add(egressRule);
}
if (cidrList != null) {
for (String cidr : cidrList) {
EgressRuleVO egressRule = _egressRuleDao.findByProtoPortsAndCidr(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, cidr);
IngressRuleVO egressRule = _ingressRuleDao.findByProtoPortsAndCidr(securityGroup.getId(), protocol, startPortOrType, endPortOrCode, cidr, EGRESS_RULE);
if (egressRule != null) {
continue;
}
egressRule = new EgressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, cidr);
egressRule = _egressRuleDao.persist(egressRule);
egressRule = new IngressRuleVO(securityGroup.getId(), startPortOrType, endPortOrCode, protocol, cidr, EGRESS_RULE);
egressRule = _ingressRuleDao.persist(egressRule);
newRules.add(egressRule);
}
}
@ -988,7 +983,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
Account caller = UserContext.current().getCaller();
Long id = cmd.getId();
EgressRuleVO rule = _egressRuleDao.findById(id);
IngressRuleVO rule = _ingressRuleDao.findById(id);
if (rule == null) {
s_logger.debug("Unable to find egress rule with id " + id);
throw new InvalidParameterValueException("Unable to find egress rule with id " + id);
@ -1010,7 +1005,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
return false;
}
_egressRuleDao.remove(id);
_ingressRuleDao.remove(id);
s_logger.debug("revokeSecurityGroupEgress succeeded for ingress rule id: " + id);
final Set<Long> affectedVms = new HashSet<Long>();
@ -1389,7 +1384,6 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
List<SecurityGroupVO> securityGroups = _securityGroupDao.search(sc, searchFilter);
for (SecurityGroupVO group : securityGroups) {
securityRulesList.addAll(_securityGroupRulesDao.listSecurityRulesByGroupId(group.getId()));
securityRulesList.addAll(_securityGroupEgressRulesDao.listSecurityEgressRulesByGroupId(group.getId()));
}
return securityRulesList;
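Review bot: revokeSecurityGroupEgress now loads the rule with `_ingressRuleDao.findById(id)` and deletes it with `_ingressRuleDao.remove(id)` without checking the rule's direction, and because ingress and egress rows now share one table an egress-revoke call can remove an ingress rule by id (the ingress revoke path, outside this hunk, presumably has the mirror problem). The null check should also reject a mismatched direction, e.g. `if (rule == null || rule.getType() != EGRESS_RULE) { throw new InvalidParameterValueException("Unable to find egress rule with id " + id); }`, assuming IngressRuleVO exposes a getType() accessor for the new column, which this hunk does not show. The message in `s_logger.debug("revokeSecurityGroupEgress succeeded for ingress rule id: " + id)` should say egress, and the listing loop that now relies solely on `_securityGroupRulesDao.listSecurityRulesByGroupId` gives no sign of whether that DAO filters or labels the type column, so confirm the list response still distinguishes the two directions. `INGRESS_RULE` / `EGRESS_RULE` are public int constants on the manager implementation that every DAO caller passes as a bare int; an enum or constants on the VO would keep the DAO layer from depending on the manager. Both the revoke and the list method start and end outside the hunk.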


@ -1,36 +0,0 @@
/**
* Copyright (C) 2010 Cloud.com, Inc. All rights reserved.
*
* This software is licensed under the GNU General Public License v3 or later.
*
* It is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package com.cloud.network.security.dao;
import java.util.List;
import com.cloud.network.security.EgressRuleVO;
import com.cloud.utils.db.GenericDao;
public interface EgressRuleDao extends GenericDao<EgressRuleVO, Long> {
List<EgressRuleVO> listBySecurityGroupId(long networkGroupId);
List<EgressRuleVO> listByAllowedSecurityGroupId(long networkGroupId);
EgressRuleVO findByProtoPortsAndCidr(long networkGroupId, String proto, int startPort, int endPort, String cidr);
EgressRuleVO findByProtoPortsAndGroup(String proto, int startPort, int endPort, String networkGroup);
EgressRuleVO findByProtoPortsAndAllowedGroupId(long networkGroupId, String proto, int startPort, int endPort, Long allowedGroupId);
int deleteBySecurityGroup(long securityGroupId);
int deleteByPortProtoAndGroup(long securityGroupId, String protocol, int startPort,int endPort, Long id);
int deleteByPortProtoAndCidr(long securityGroupId, String protocol, int startPort,int endPort, String cidr);
}


@ -1,167 +0,0 @@
/**
* Copyright (C) 2010 Cloud.com, Inc. All rights reserved.
*
* This software is licensed under the GNU General Public License v3 or later.
*
* It is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package com.cloud.network.security.dao;
import java.util.List;
import java.util.Map;
import javax.ejb.Local;
import javax.naming.ConfigurationException;
import com.cloud.network.security.EgressRuleVO;
import com.cloud.network.security.SecurityGroupVO;
import com.cloud.utils.component.Inject;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.JoinBuilder;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Local(value={EgressRuleDao.class})
public class EgressRuleDaoImpl extends GenericDaoBase<EgressRuleVO, Long> implements EgressRuleDao {
@Inject SecurityGroupDao _securityGroupDao;
protected SearchBuilder<EgressRuleVO> securityGroupIdSearch;
protected SearchBuilder<EgressRuleVO> allowedSecurityGroupIdSearch;
protected SearchBuilder<EgressRuleVO> protoPortsAndCidrSearch;
protected SearchBuilder<EgressRuleVO> protoPortsAndSecurityGroupNameSearch;
protected SearchBuilder<EgressRuleVO> protoPortsAndSecurityGroupIdSearch;
protected EgressRuleDaoImpl() {
securityGroupIdSearch = createSearchBuilder();
securityGroupIdSearch.and("securityGroupId", securityGroupIdSearch.entity().getSecurityGroupId(), SearchCriteria.Op.EQ);
securityGroupIdSearch.done();
allowedSecurityGroupIdSearch = createSearchBuilder();
allowedSecurityGroupIdSearch.and("allowedNetworkId", allowedSecurityGroupIdSearch.entity().getAllowedNetworkId(), SearchCriteria.Op.EQ);
allowedSecurityGroupIdSearch.done();
protoPortsAndCidrSearch = createSearchBuilder();
protoPortsAndCidrSearch.and("securityGroupId", protoPortsAndCidrSearch.entity().getSecurityGroupId(), SearchCriteria.Op.EQ);
protoPortsAndCidrSearch.and("proto", protoPortsAndCidrSearch.entity().getProtocol(), SearchCriteria.Op.EQ);
protoPortsAndCidrSearch.and("startPort", protoPortsAndCidrSearch.entity().getStartPort(), SearchCriteria.Op.EQ);
protoPortsAndCidrSearch.and("endPort", protoPortsAndCidrSearch.entity().getEndPort(), SearchCriteria.Op.EQ);
protoPortsAndCidrSearch.and("cidr", protoPortsAndCidrSearch.entity().getAllowedDestinationIpCidr(), SearchCriteria.Op.EQ);
protoPortsAndCidrSearch.done();
protoPortsAndSecurityGroupIdSearch = createSearchBuilder();
protoPortsAndSecurityGroupIdSearch.and("securityGroupId", protoPortsAndSecurityGroupIdSearch.entity().getSecurityGroupId(), SearchCriteria.Op.EQ);
protoPortsAndSecurityGroupIdSearch.and("proto", protoPortsAndSecurityGroupIdSearch.entity().getProtocol(), SearchCriteria.Op.EQ);
protoPortsAndSecurityGroupIdSearch.and("startPort", protoPortsAndSecurityGroupIdSearch.entity().getStartPort(), SearchCriteria.Op.EQ);
protoPortsAndSecurityGroupIdSearch.and("endPort", protoPortsAndSecurityGroupIdSearch.entity().getEndPort(), SearchCriteria.Op.EQ);
protoPortsAndSecurityGroupIdSearch.and("allowedNetworkId", protoPortsAndSecurityGroupIdSearch.entity().getAllowedNetworkId(), SearchCriteria.Op.EQ);
}
public List<EgressRuleVO> listBySecurityGroupId(long securityGroupId) {
SearchCriteria<EgressRuleVO> sc = securityGroupIdSearch.create();
sc.setParameters("securityGroupId", securityGroupId);
return listBy(sc);
}
public int deleteBySecurityGroup(long securityGroupId) {
SearchCriteria<EgressRuleVO> sc = securityGroupIdSearch.create();
sc.setParameters("securityGroupId", securityGroupId);
return expunge(sc);
}
@Override
public List<EgressRuleVO> listByAllowedSecurityGroupId(long securityGroupId) {
SearchCriteria<EgressRuleVO> sc = allowedSecurityGroupIdSearch.create();
sc.setParameters("allowedNetworkId", securityGroupId);
return listBy(sc);
}
@Override
public EgressRuleVO findByProtoPortsAndCidr(long securityGroupId, String proto, int startPort,
int endPort, String cidr) {
SearchCriteria<EgressRuleVO> sc = protoPortsAndCidrSearch.create();
sc.setParameters("securityGroupId", securityGroupId);
sc.setParameters("proto", proto);
sc.setParameters("startPort", startPort);
sc.setParameters("endPort", endPort);
sc.setParameters("cidr", cidr);
return findOneIncludingRemovedBy(sc);
}
@Override
public EgressRuleVO findByProtoPortsAndGroup(String proto, int startPort,
int endPort, String securityGroup) {
SearchCriteria<EgressRuleVO> sc = protoPortsAndSecurityGroupNameSearch.create();
sc.setParameters("proto", proto);
sc.setParameters("startPort", startPort);
sc.setParameters("endPort", endPort);
sc.setJoinParameters("groupName", "groupName", securityGroup);
return findOneIncludingRemovedBy(sc);
}
@Override
public boolean configure(String name, Map<String, Object> params)
throws ConfigurationException {
protoPortsAndSecurityGroupNameSearch = createSearchBuilder();
protoPortsAndSecurityGroupNameSearch.and("proto", protoPortsAndSecurityGroupNameSearch.entity().getProtocol(), SearchCriteria.Op.EQ);
protoPortsAndSecurityGroupNameSearch.and("startPort", protoPortsAndSecurityGroupNameSearch.entity().getStartPort(), SearchCriteria.Op.EQ);
protoPortsAndSecurityGroupNameSearch.and("endPort", protoPortsAndSecurityGroupNameSearch.entity().getEndPort(), SearchCriteria.Op.EQ);
SearchBuilder<SecurityGroupVO> ngSb = _securityGroupDao.createSearchBuilder();
ngSb.and("groupName", ngSb.entity().getName(), SearchCriteria.Op.EQ);
protoPortsAndSecurityGroupNameSearch.join("groupName", ngSb, protoPortsAndSecurityGroupNameSearch.entity().getAllowedNetworkId(), ngSb.entity().getId(), JoinBuilder.JoinType.INNER);
protoPortsAndSecurityGroupNameSearch.done();
return super.configure(name, params);
}
@Override
public int deleteByPortProtoAndGroup(long securityGroupId, String protocol, int startPort, int endPort, Long allowedGroupId) {
SearchCriteria<EgressRuleVO> sc = protoPortsAndSecurityGroupIdSearch.create();
sc.setParameters("securityGroupId", securityGroupId);
sc.setParameters("proto", protocol);
sc.setParameters("startPort", startPort);
sc.setParameters("endPort", endPort);
sc.setParameters("allowedNetworkId", allowedGroupId);
return expunge(sc);
}
@Override
public int deleteByPortProtoAndCidr(long securityGroupId, String protocol, int startPort, int endPort, String cidr) {
SearchCriteria<EgressRuleVO> sc = protoPortsAndCidrSearch.create();
sc.setParameters("securityGroupId", securityGroupId);
sc.setParameters("proto", protocol);
sc.setParameters("startPort", startPort);
sc.setParameters("endPort", endPort);
sc.setParameters("cidr", cidr);
return expunge(sc);
}
@Override
public EgressRuleVO findByProtoPortsAndAllowedGroupId(long securityGroupId, String proto,
int startPort, int endPort, Long allowedGroupId) {
SearchCriteria<EgressRuleVO> sc = protoPortsAndSecurityGroupIdSearch.create();
sc.addAnd("securityGroupId", SearchCriteria.Op.EQ, securityGroupId);
sc.setParameters("proto", proto);
sc.setParameters("startPort", startPort);
sc.setParameters("endPort", endPort);
sc.setParameters("allowedNetworkId", allowedGroupId);
return findOneIncludingRemovedBy(sc);
}
}


@ -24,13 +24,13 @@ import com.cloud.network.security.IngressRuleVO;
import com.cloud.utils.db.GenericDao;
public interface IngressRuleDao extends GenericDao<IngressRuleVO, Long> {
List<IngressRuleVO> listBySecurityGroupId(long networkGroupId);
List<IngressRuleVO> listBySecurityGroupId(long networkGroupId, int type);
List<IngressRuleVO> listByAllowedSecurityGroupId(long networkGroupId);
IngressRuleVO findByProtoPortsAndCidr(long networkGroupId, String proto, int startPort, int endPort, String cidr);
IngressRuleVO findByProtoPortsAndGroup(String proto, int startPort, int endPort, String networkGroup);
IngressRuleVO findByProtoPortsAndAllowedGroupId(long networkGroupId, String proto, int startPort, int endPort, Long allowedGroupId);
int deleteBySecurityGroup(long securityGroupId);
int deleteByPortProtoAndGroup(long securityGroupId, String protocol, int startPort,int endPort, Long id);
int deleteByPortProtoAndCidr(long securityGroupId, String protocol, int startPort,int endPort, String cidr);
IngressRuleVO findByProtoPortsAndCidr(long networkGroupId, String proto, int startPort, int endPort, String cidr,int type);
IngressRuleVO findByProtoPortsAndGroup(String proto, int startPort, int endPort, String networkGroup,int type);
IngressRuleVO findByProtoPortsAndAllowedGroupId(long networkGroupId, String proto, int startPort, int endPort, Long allowedGroupId,int type);
int deleteBySecurityGroup(long securityGroupId,int type);
int deleteByPortProtoAndGroup(long securityGroupId, String protocol, int startPort,int endPort, Long id,int type);
int deleteByPortProtoAndCidr(long securityGroupId, String protocol, int startPort,int endPort, String cidr,int type);
}
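Review bot: The new `int type` parameter on listBySecurityGroupId, findByProtoPortsAndCidr, findByProtoPortsAndGroup, findByProtoPortsAndAllowedGroupId, deleteBySecurityGroup, deleteByPortProtoAndGroup and deleteByPortProtoAndCidr is undocumented, and the interface gives no hint which values are legal or where they are defined. Each method should carry a Javadoc line such as `@param type rule direction; see the INGRESS_RULE/EGRESS_RULE constants used by the security group manager` until the value is modelled as an enum. listByAllowedSecurityGroupId is the one lookup left without a type parameter, so it returns rules of both directions; that is probably intended for the reverse-lookup use, but a comment saying so (`// both ingress and egress rules that reference the group`) would stop a later caller from assuming it is ingress-only.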


@ -48,6 +48,7 @@ public class IngressRuleDaoImpl extends GenericDaoBase<IngressRuleVO, Long> impl
protected IngressRuleDaoImpl() {
securityGroupIdSearch = createSearchBuilder();
securityGroupIdSearch.and("securityGroupId", securityGroupIdSearch.entity().getSecurityGroupId(), SearchCriteria.Op.EQ);
securityGroupIdSearch.and("type", securityGroupIdSearch.entity().getType(), SearchCriteria.Op.EQ);
securityGroupIdSearch.done();
allowedSecurityGroupIdSearch = createSearchBuilder();
@ -60,6 +61,7 @@ public class IngressRuleDaoImpl extends GenericDaoBase<IngressRuleVO, Long> impl
protoPortsAndCidrSearch.and("startPort", protoPortsAndCidrSearch.entity().getStartPort(), SearchCriteria.Op.EQ);
protoPortsAndCidrSearch.and("endPort", protoPortsAndCidrSearch.entity().getEndPort(), SearchCriteria.Op.EQ);
protoPortsAndCidrSearch.and("cidr", protoPortsAndCidrSearch.entity().getAllowedSourceIpCidr(), SearchCriteria.Op.EQ);
protoPortsAndCidrSearch.and("type", protoPortsAndCidrSearch.entity().getType(), SearchCriteria.Op.EQ);
protoPortsAndCidrSearch.done();
protoPortsAndSecurityGroupIdSearch = createSearchBuilder();
@ -67,19 +69,23 @@ public class IngressRuleDaoImpl extends GenericDaoBase<IngressRuleVO, Long> impl
protoPortsAndSecurityGroupIdSearch.and("proto", protoPortsAndSecurityGroupIdSearch.entity().getProtocol(), SearchCriteria.Op.EQ);
protoPortsAndSecurityGroupIdSearch.and("startPort", protoPortsAndSecurityGroupIdSearch.entity().getStartPort(), SearchCriteria.Op.EQ);
protoPortsAndSecurityGroupIdSearch.and("endPort", protoPortsAndSecurityGroupIdSearch.entity().getEndPort(), SearchCriteria.Op.EQ);
protoPortsAndSecurityGroupIdSearch.and("type", protoPortsAndSecurityGroupIdSearch.entity().getType(), SearchCriteria.Op.EQ);
protoPortsAndSecurityGroupIdSearch.and("allowedNetworkId", protoPortsAndSecurityGroupIdSearch.entity().getAllowedNetworkId(), SearchCriteria.Op.EQ);
}
public List<IngressRuleVO> listBySecurityGroupId(long securityGroupId) {
public List<IngressRuleVO> listBySecurityGroupId(long securityGroupId, int type) {
SearchCriteria<IngressRuleVO> sc = securityGroupIdSearch.create();
sc.setParameters("securityGroupId", securityGroupId);
sc.setParameters("type", type);
return listBy(sc);
}
public int deleteBySecurityGroup(long securityGroupId) {
public int deleteBySecurityGroup(long securityGroupId,int type) {
SearchCriteria<IngressRuleVO> sc = securityGroupIdSearch.create();
sc.setParameters("securityGroupId", securityGroupId);
sc.setParameters("type", type);
return expunge(sc);
}
@ -87,29 +93,32 @@ public class IngressRuleDaoImpl extends GenericDaoBase<IngressRuleVO, Long> impl
public List<IngressRuleVO> listByAllowedSecurityGroupId(long securityGroupId) {
SearchCriteria<IngressRuleVO> sc = allowedSecurityGroupIdSearch.create();
sc.setParameters("allowedNetworkId", securityGroupId);
return listBy(sc);
}
@Override
public IngressRuleVO findByProtoPortsAndCidr(long securityGroupId, String proto, int startPort,
int endPort, String cidr) {
int endPort, String cidr,int type) {
SearchCriteria<IngressRuleVO> sc = protoPortsAndCidrSearch.create();
sc.setParameters("securityGroupId", securityGroupId);
sc.setParameters("proto", proto);
sc.setParameters("startPort", startPort);
sc.setParameters("endPort", endPort);
sc.setParameters("cidr", cidr);
sc.setParameters("type", type);
return findOneIncludingRemovedBy(sc);
}
@Override
public IngressRuleVO findByProtoPortsAndGroup(String proto, int startPort,
int endPort, String securityGroup) {
int endPort, String securityGroup,int type) {
SearchCriteria<IngressRuleVO> sc = protoPortsAndSecurityGroupNameSearch.create();
sc.setParameters("proto", proto);
sc.setParameters("startPort", startPort);
sc.setParameters("endPort", endPort);
sc.setJoinParameters("groupName", "groupName", securityGroup);
sc.setParameters("type", type);
return findOneIncludingRemovedBy(sc);
}
@ -128,39 +137,42 @@ public class IngressRuleDaoImpl extends GenericDaoBase<IngressRuleVO, Long> impl
}
@Override
public int deleteByPortProtoAndGroup(long securityGroupId, String protocol, int startPort, int endPort, Long allowedGroupId) {
public int deleteByPortProtoAndGroup(long securityGroupId, String protocol, int startPort, int endPort, Long allowedGroupId,int type) {
SearchCriteria<IngressRuleVO> sc = protoPortsAndSecurityGroupIdSearch.create();
sc.setParameters("securityGroupId", securityGroupId);
sc.setParameters("proto", protocol);
sc.setParameters("startPort", startPort);
sc.setParameters("endPort", endPort);
sc.setParameters("allowedNetworkId", allowedGroupId);
sc.setParameters("type", type);
return expunge(sc);
}
@Override
public int deleteByPortProtoAndCidr(long securityGroupId, String protocol, int startPort, int endPort, String cidr) {
public int deleteByPortProtoAndCidr(long securityGroupId, String protocol, int startPort, int endPort, String cidr,int type) {
SearchCriteria<IngressRuleVO> sc = protoPortsAndCidrSearch.create();
sc.setParameters("securityGroupId", securityGroupId);
sc.setParameters("proto", protocol);
sc.setParameters("startPort", startPort);
sc.setParameters("endPort", endPort);
sc.setParameters("cidr", cidr);
sc.setParameters("type", type);
return expunge(sc);
}
@Override
public IngressRuleVO findByProtoPortsAndAllowedGroupId(long securityGroupId, String proto,
int startPort, int endPort, Long allowedGroupId) {
int startPort, int endPort, Long allowedGroupId,int type) {
SearchCriteria<IngressRuleVO> sc = protoPortsAndSecurityGroupIdSearch.create();
sc.addAnd("securityGroupId", SearchCriteria.Op.EQ, securityGroupId);
sc.setParameters("proto", proto);
sc.setParameters("startPort", startPort);
sc.setParameters("endPort", endPort);
sc.setParameters("allowedNetworkId", allowedGroupId);
sc.setParameters("type", type);
return findOneIncludingRemovedBy(sc);
}
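Review bot: findByProtoPortsAndGroup now calls `sc.setParameters("type", type)` on protoPortsAndSecurityGroupNameSearch, but that search builder is assembled in configure(), outside this hunk, and nothing in the diff shows it gaining a `.and("type", ..., SearchCriteria.Op.EQ)` condition like the three builders in the constructor did; if the condition is missing the type filter is silently absent from that lookup, so confirm configure() was updated. The ordering is also inconsistent: in findByProtoPortsAndGroup the type parameter is set after `sc.setJoinParameters(...)`, while in every other method it follows the last column parameter; moving it to sit with the other `setParameters` calls makes the filtered columns read the same in every method. allowedSecurityGroupIdSearch is unchanged and has no type condition, so listByAllowedSecurityGroupId returns rows of both directions; callers that previously assumed an ingress-only result need to filter, which is worth a one-line comment on that method. The constructor and configure() both begin outside the hunk.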


@ -1,53 +0,0 @@
/**
* Copyright (C) 2010 Cloud.com, Inc. All rights reserved.
*
* This software is licensed under the GNU General Public License v3 or later.
*
* It is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package com.cloud.network.security.dao;
import java.util.List;
import com.cloud.network.security.SecurityGroupEgressRulesVO;
import com.cloud.utils.db.GenericDao;
public interface SecurityGroupEgressRulesDao extends GenericDao<SecurityGroupEgressRulesVO, Long> {
/**
* List a security group and associated ingress rules
* @param accountId the account id of the owner of the security group
* @param groupName the name of the group for which to list rules
* @return the list of ingress rules associated with the security group (and security group info)
*/
List<SecurityGroupEgressRulesVO> listSecurityGroupEgressRules(long accountId, String groupName);
/**
* List security groups and associated ingress rules
* @param accountId the id of the account for which to list groups and associated rules
* @return the list of security groups with associated ingress rules
*/
List<SecurityGroupEgressRulesVO> listSecurityGroupEgressRules(long accountId);
/**
* List all security groups and associated ingress rules
* @return the list of security groups with associated ingress rules
*/
List<SecurityGroupEgressRulesVO> listSecurityGroupEgressRules();
/**
* List all security rules belonging to the specific group
* @return the security group with associated ingress rules
*/
List<SecurityGroupEgressRulesVO> listSecurityEgressRulesByGroupId(long groupId);
}


@ -1,85 +0,0 @@
/**
* Copyright (C) 2010 Cloud.com, Inc. All rights reserved.
*
* This software is licensed under the GNU General Public License v3 or later.
*
* It is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package com.cloud.network.security.dao;
import java.util.List;
import javax.ejb.Local;
import com.cloud.network.security.SecurityGroupEgressRulesVO;
import com.cloud.utils.db.Filter;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Local(value={SecurityGroupEgressRulesDao.class})
public class SecurityGroupEgressRulesDaoImpl extends GenericDaoBase<SecurityGroupEgressRulesVO, Long> implements SecurityGroupEgressRulesDao {
private SearchBuilder<SecurityGroupEgressRulesVO> AccountGroupNameSearch;
private SearchBuilder<SecurityGroupEgressRulesVO> AccountSearch;
private SearchBuilder<SecurityGroupEgressRulesVO> GroupSearch;
protected SecurityGroupEgressRulesDaoImpl() {
AccountGroupNameSearch = createSearchBuilder();
AccountGroupNameSearch.and("accountId", AccountGroupNameSearch.entity().getAccountId(), SearchCriteria.Op.EQ);
AccountGroupNameSearch.and("name", AccountGroupNameSearch.entity().getName(), SearchCriteria.Op.EQ);
AccountGroupNameSearch.done();
AccountSearch = createSearchBuilder();
AccountSearch.and("accountId", AccountSearch.entity().getAccountId(), SearchCriteria.Op.EQ);
AccountSearch.done();
GroupSearch = createSearchBuilder();
GroupSearch.and("groupId", GroupSearch.entity().getId(), SearchCriteria.Op.EQ);
GroupSearch.done();
}
@Override
public List<SecurityGroupEgressRulesVO> listSecurityGroupEgressRules() {
Filter searchFilter = new Filter(SecurityGroupEgressRulesVO.class, "id", true, null, null);
return listAll(searchFilter);
}
@Override
public List<SecurityGroupEgressRulesVO> listSecurityGroupEgressRules(long accountId, String groupName) {
Filter searchFilter = new Filter(SecurityGroupEgressRulesVO.class, "id", true, null, null);
SearchCriteria<SecurityGroupEgressRulesVO> sc = AccountGroupNameSearch.create();
sc.setParameters("accountId", accountId);
sc.setParameters("name", groupName);
return listBy(sc, searchFilter);
}
@Override
public List<SecurityGroupEgressRulesVO> listSecurityGroupEgressRules(long accountId) {
Filter searchFilter = new Filter(SecurityGroupEgressRulesVO.class, "id", true, null, null);
SearchCriteria<SecurityGroupEgressRulesVO> sc = AccountSearch.create();
sc.setParameters("accountId", accountId);
return listBy(sc, searchFilter);
}
@Override
public List<SecurityGroupEgressRulesVO> listSecurityEgressRulesByGroupId(long groupId) {
Filter searchFilter = new Filter(SecurityGroupEgressRulesVO.class, "id", true, null, null);
SearchCriteria<SecurityGroupEgressRulesVO> sc = GroupSearch.create();
sc.setParameters("groupId", groupId);
return listBy(sc, searchFilter);
}
}


@ -108,7 +108,6 @@ DROP TABLE IF EXISTS `cloud`.`ovs_work`;
DROP TABLE IF EXISTS `cloud`.`remote_access_vpn`;
DROP TABLE IF EXISTS `cloud`.`resource_count`;
DROP TABLE IF EXISTS `cloud`.`security_ingress_rule`;
DROP TABLE IF EXISTS `cloud`.`security_egress_rule`;
DROP TABLE IF EXISTS `cloud`.`stack_maid`;
DROP TABLE IF EXISTS `cloud`.`storage_pool_work`;
DROP TABLE IF EXISTS `cloud`.`user_vm_details`;
@ -1423,6 +1422,7 @@ CREATE TABLE `cloud`.`security_group` (
CREATE TABLE `cloud`.`security_ingress_rule` (
`id` bigint unsigned NOT NULL auto_increment,
`security_group_id` bigint unsigned NOT NULL,
`type` bigint unsigned NOT NULL,
`start_port` varchar(10) default NULL,
`end_port` varchar(10) default NULL,
`protocol` varchar(16) NOT NULL default 'TCP',
@ -1432,17 +1432,6 @@ CREATE TABLE `cloud`.`security_ingress_rule` (
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `cloud`.`security_egress_rule` (
`id` bigint unsigned NOT NULL auto_increment,
`security_group_id` bigint unsigned NOT NULL,
`start_port` varchar(10) default NULL,
`end_port` varchar(10) default NULL,
`protocol` varchar(16) NOT NULL default 'TCP',
`allowed_network_id` bigint unsigned,
`allowed_ip_cidr` varchar(44),
`create_status` varchar(32) COMMENT 'rule creation status',
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `cloud`.`security_group_vm_map` (
`id` bigint unsigned NOT NULL auto_increment,