/**
 * Pushes every port-forwarding rule registered for one public IP down to the
 * firewall manager.
 *
 * <p>Security note: the authorization check ({@code _accountMgr.checkAccess})
 * runs only when {@code caller} is non-null. A {@code null} caller therefore
 * bypasses the ACL entirely, so callers must pass {@code null} only from
 * trusted/system code paths and never with a value derived from a request.
 * Whether {@code checkAccess} throws or returns on denial is not visible here;
 * presumably it throws, so a denied caller never reaches {@code applyRules}.
 *
 * @param ipId            id of the public IP whose port-forwarding rules are applied
 * @param continueOnError forwarded to {@code applyRules}; whether to keep going after a failure
 * @param caller          account the operation is authorized against, or {@code null}
 *                        to skip the access check
 * @return {@code true} when no rules exist or all were applied; {@code false} when
 *         {@code applyRules} reports failure or the backend resource is unavailable
 */
protected boolean applyPortForwardingRules(long ipId, boolean continueOnError, Account caller) {
    final List<PortForwardingRuleVO> pfRules = _portForwardingDao.listForApplication(ipId);
    if (pfRules.isEmpty()) {
        s_logger.debug("There are no port forwarding rules to apply for ip id=" + ipId);
        return true;
    }

    // Null caller == no authorization check (system context). Keep this explicit.
    if (caller != null) {
        final PortForwardingRuleVO[] toCheck = pfRules.toArray(new PortForwardingRuleVO[pfRules.size()]);
        _accountMgr.checkAccess(caller, null, true, toCheck);
    }

    try {
        // applyRules' boolean is the result; the third argument is passed as in the original call.
        return _firewallMgr.applyRules(pfRules, continueOnError, true);
    } catch (ResourceUnavailableException ex) {
        // Best-effort: log and report failure rather than propagating.
        s_logger.warn("Failed to apply port forwarding rules for ip due to ", ex);
        return false;
    }
}
@Override public void doInTransactionWithoutResult(TransactionStatus status) { for (FirewallRuleVO newRule : rules) { _firewallMgr.removeRule(newRule); } } });
if (!_firewallMgr.revokeFirewallRulesForIp(ipId, userId, caller)) { s_logger.warn("Unable to revoke all the firewall rules for ip id=" + ipId + " as a part of ip release"); success = false;
_firewallMgr.createRuleForAllCidrs(ipAddrId, caller, rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getProtocol(), null, null, newRule.getId(), networkId); _firewallMgr.detectRulesConflict(newRule); if (!_firewallDao.setStateToAdd(newRule)) { throw new CloudRuntimeException("Unable to update the state to add for " + newRule); if (newRule != null) { _firewallMgr.revokeRelatedFirewallRule(newRule.getId(), false); _firewallMgr.removeRule(newRule);
_firewallMgr.createRuleForAllCidrs(sourceIpId, caller.getCallingAccount(), srcPort, srcPort, protocol, null, null, newRule.getId(), networkId); _firewallMgr.detectRulesConflict(newRule); if (!_firewallDao.setStateToAdd(newRule)) { throw new CloudRuntimeException("Unable to update the state to add for " + newRule); } finally { if (!success && newRule != null) { _firewallMgr.revokeRelatedFirewallRule(newRule.getId(), false); removeLBRule(newRule);
if (!_firewallMgr.applyRules(pfRules, true, false)) { s_logger.warn("Failed to cleanup pf rules as a part of shutdownNetworkRules"); success = false; if (!_firewallMgr.applyRules(staticNatRules, true, false)) { s_logger.warn("Failed to cleanup static nat rules as a part of shutdownNetworkRules"); success = false; if (!_firewallMgr.applyRules(firewallRules, true, false)) { s_logger.warn("Failed to cleanup firewall ingress rules as a part of shutdownNetworkRules"); success = false; && (network.getGuestType() == Network.GuestType.Isolated || network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced)) { _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), _networkModel.getNetworkEgressDefaultPolicy(networkId), false); if (!_firewallMgr.applyRules(firewallEgressRules, true, false)) { s_logger.warn("Failed to cleanup firewall egress rules as a part of shutdownNetworkRules"); success = false;
&& (network.getGuestType() == Network.GuestType.Isolated || network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced)) { _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), offering.isEgressDefaultPolicy(), true); if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) { s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart"); success = false; if (!_firewallMgr.applyFirewallRules(firewallIngressRulesToApply, false, caller)) { s_logger.warn("Failed to reapply Ingress firewall rule(s) as a part of network id=" + networkId + " restart"); success = false;
success = _firewallMgr.applyIngressFirewallRules(ipId, caller);
if (_firewallMgr.revokeAllFirewallRulesForNetwork(networkId, userId, caller)) { s_logger.debug("Successfully cleaned up firewallRules rules for network id=" + networkId); } else {
try { for (FirewallRuleVO newRule : rules) { _firewallMgr.detectRulesConflict(newRule);
@Override public void doInTransactionWithoutResult(TransactionStatus status) throws NetworkRuleConflictException { for (int i = 0; i < ports.length; i++) { rules[i] = new FirewallRuleVO(null, ip.getId(), ports[i], protocol, ip.getAssociatedWithNetworkId(), ip.getAllocatedToAccountId(), ip.getAllocatedInDomainId(), purpose, null, null, null, null); rules[i] = _firewallDao.persist(rules[i]); if (openFirewall) { _firewallMgr.createRuleForAllCidrs(ip.getId(), caller, ports[i], ports[i], protocol, null, null, rules[i].getId(), ip.getAssociatedWithNetworkId()); } } } });
_firewallMgr.addSystemFirewallRules(addr, owner);
_firewallMgr.createRuleForAllCidrs(ipAddrId, caller, rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getProtocol(), null, null, newRule.getId(), networkId); _firewallMgr.detectRulesConflict(newRule); if (!_firewallDao.setStateToAdd(newRule)) { throw new CloudRuntimeException("Unable to update the state to add for " + newRule); if (newRule != null) { _firewallMgr.revokeRelatedFirewallRule(newRule.getId(), false); removePFRule(newRule);
boolean firewallOpened = true; if (openFirewall) { firewallOpened = _firewallMgr.applyIngressFirewallRules(vpn.getServerAddressId(), caller);
if (_firewallMgr.revokeAllFirewallRulesForNetwork(networkId, callerUserId, caller)) { s_logger.debug("Successfully cleaned up firewallRules rules for network id=" + networkId); } else {
/**
 * Pushes every port-forwarding rule registered for one network down to the
 * firewall manager.
 *
 * <p>Security note: the authorization check ({@code _accountMgr.checkAccess})
 * runs only when {@code caller} is non-null, so a {@code null} caller bypasses
 * the ACL. Pass {@code null} only from trusted/system code paths, never from a
 * request-derived value. Whether {@code checkAccess} throws on denial is not
 * visible here; presumably it does, so a denied caller never reaches
 * {@code applyRules}.
 *
 * @param networkId       id of the network whose port-forwarding rules are applied
 * @param continueOnError forwarded to {@code applyRules}; whether to keep going after a failure
 * @param caller          account the operation is authorized against, or {@code null}
 *                        to skip the access check
 * @return {@code true} when no rules exist or all were applied; {@code false} when
 *         {@code applyRules} reports failure or the backend resource is unavailable
 */
@Override
public boolean applyPortForwardingRulesForNetwork(long networkId, boolean continueOnError, Account caller) {
    final List<PortForwardingRuleVO> pfRules = listByNetworkId(networkId);
    if (pfRules.isEmpty()) {
        s_logger.debug("There are no port forwarding rules to apply for network id=" + networkId);
        return true;
    }

    // Null caller == no authorization check (system context). Keep this explicit.
    if (caller != null) {
        final PortForwardingRuleVO[] toCheck = pfRules.toArray(new PortForwardingRuleVO[pfRules.size()]);
        _accountMgr.checkAccess(caller, null, true, toCheck);
    }

    try {
        return _firewallMgr.applyRules(pfRules, continueOnError, true);
    } catch (ResourceUnavailableException ex) {
        // Best-effort: log and report failure rather than propagating.
        s_logger.warn("Failed to apply port forwarding rules for network due to ", ex);
        return false;
    }
}
return false; } else { _firewallMgr.removeRule(lb);
if (!_firewallMgr.revokeFirewallRulesForIp(ipId, callerUserId, caller)) { s_logger.warn("Unable to revoke all the firewall rules for ip id=" + ipId + " as a part of disable statis nat"); success = false;
/**
 * Builds the static-NAT rules stored for one public IP and pushes them to the
 * firewall manager.
 *
 * <p>Security note: the authorization check ({@code _accountMgr.checkAccess})
 * runs only when {@code caller} is non-null, and it is performed on the built
 * {@code StaticNatRule} objects rather than the stored {@code FirewallRule}s.
 * A {@code null} caller bypasses the ACL, so pass {@code null} only from
 * trusted/system code paths. Whether {@code checkAccess} throws on denial is
 * not visible here; presumably it does.
 *
 * @param sourceIpId      id of the public IP whose static-NAT rules are applied
 * @param continueOnError forwarded to {@code applyRules}; whether to keep going after a failure
 * @param caller          account the operation is authorized against, or {@code null}
 *                        to skip the access check
 * @param forRevoke       forwarded to {@code buildStaticNatRule} for every rule
 *                        (its exact effect on the built rule is defined there, not here)
 * @return {@code true} when no rules exist or all were applied; {@code false} when
 *         {@code applyRules} reports failure or the backend resource is unavailable
 */
protected boolean applyStaticNatRulesForIp(long sourceIpId, boolean continueOnError, Account caller, boolean forRevoke) {
    final List<? extends FirewallRule> stored = _firewallDao.listByIpAndPurpose(sourceIpId, Purpose.StaticNat);
    if (stored.isEmpty()) {
        s_logger.debug("There are no static nat rules to apply for ip id=" + sourceIpId);
        return true;
    }

    // Translate each persisted firewall rule into the static-NAT form the backend expects.
    final List<StaticNatRule> natRules = new ArrayList<StaticNatRule>();
    for (FirewallRule persisted : stored) {
        natRules.add(buildStaticNatRule(persisted, forRevoke));
    }

    // Null caller == no authorization check (system context). Keep this explicit.
    if (caller != null) {
        final StaticNatRule[] toCheck = natRules.toArray(new StaticNatRule[natRules.size()]);
        _accountMgr.checkAccess(caller, null, true, toCheck);
    }

    try {
        return _firewallMgr.applyRules(natRules, continueOnError, true);
    } catch (ResourceUnavailableException ex) {
        // Best-effort: log and report failure rather than propagating.
        s_logger.warn("Failed to apply static nat rules for ip due to ", ex);
        return false;
    }
}
/**
 * Builds the static-NAT rules stored for one network and pushes them to the
 * firewall manager.
 *
 * <p>Security note: the authorization check ({@code _accountMgr.checkAccess})
 * runs only when {@code caller} is non-null, and here it is performed on the
 * stored {@code FirewallRuleVO}s before they are converted (unlike the per-IP
 * variant, which checks the built {@code StaticNatRule}s). A {@code null}
 * caller bypasses the ACL, so pass {@code null} only from trusted/system code
 * paths. Whether {@code checkAccess} throws on denial is not visible here;
 * presumably it does.
 *
 * @param networkId       id of the network whose static-NAT rules are applied
 * @param continueOnError forwarded to {@code applyRules}; whether to keep going after a failure
 * @param caller          account the operation is authorized against, or {@code null}
 *                        to skip the access check
 * @return {@code true} when no rules exist or all were applied; {@code false} when
 *         {@code applyRules} reports failure or the backend resource is unavailable
 */
@Override
public boolean applyStaticNatRulesForNetwork(long networkId, boolean continueOnError, Account caller) {
    final List<FirewallRuleVO> stored = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.StaticNat);
    if (stored.isEmpty()) {
        s_logger.debug("There are no static nat rules to apply for network id=" + networkId);
        return true;
    }

    // Null caller == no authorization check (system context). Keep this explicit.
    if (caller != null) {
        final FirewallRule[] toCheck = stored.toArray(new FirewallRule[stored.size()]);
        _accountMgr.checkAccess(caller, null, true, toCheck);
    }

    // Translate each persisted firewall rule into the static-NAT form the backend expects;
    // forRevoke is always false on this path, as in the original.
    final List<StaticNatRule> natRules = new ArrayList<StaticNatRule>();
    for (FirewallRuleVO persisted : stored) {
        natRules.add(buildStaticNatRule(persisted, false));
    }

    try {
        return _firewallMgr.applyRules(natRules, continueOnError, true);
    } catch (ResourceUnavailableException ex) {
        // Best-effort: log and report failure rather than propagating.
        s_logger.warn("Failed to apply static nat rules for network due to ", ex);
        return false;
    }
}