@Override public boolean applyFWRules(Network network, List<? extends FirewallRule> rules) throws ResourceUnavailableException { if (rules == null || rules.isEmpty()) { return true; } if (rules.size() == 1 && rules.iterator().next().getType().equals(FirewallRuleType.System)) { if (s_logger.isDebugEnabled()) { s_logger.debug("Default ACL added by CS as system is ignored for network " + network.getName() + " with rule " + rules); } return true; } s_logger.info("Applying " + rules.size() + " Firewall Rules for network " + network.getName()); return applyACLRules(network, rules, false, false); }
@Override public boolean applyFWRules(final Network network, final List<? extends FirewallRule> rules) throws ResourceUnavailableException { boolean result = true; if (canHandle(network, Service.Firewall)) { final List<DomainRouterVO> routers = getRouters(network); if (routers == null || routers.isEmpty()) { s_logger.debug("Virtual router elemnt doesn't need to apply firewall rules on the backend; virtual " + "router doesn't exist in the network " + network.getId()); return true; } if (rules != null && rules.size() == 1) { // for VR no need to add default egress rule to ALLOW traffic //The default allow rule is added from the router defalut iptables rules iptables-router if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System && _networkMdl.getNetworkEgressDefaultPolicy(network.getId())) { return true; } } final DataCenterVO dcVO = _dcDao.findById(network.getDataCenterId()); final NetworkTopology networkTopology = networkTopologyContext.retrieveNetworkTopology(dcVO); for (final DomainRouterVO domainRouterVO : routers) { result = result && networkTopology.applyFirewallRules(network, rules, domainRouterVO); } } return result; }
if (rules != null) { if (rules.size() > 0) { if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) { systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
if (rules != null) { if (rules.size() > 0) { if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) { systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
@Override @ActionEvent(eventType = EventTypes.EVENT_FIREWALL_OPEN, eventDescription = "creating firewall rule", create = true) public FirewallRule createIngressFirewallRule(FirewallRule rule) throws NetworkRuleConflictException { Account caller = CallContext.current().getCallingAccount(); Long sourceIpAddressId = rule.getSourceIpAddressId(); return createFirewallRule(sourceIpAddressId, caller, rule.getXid(), rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getProtocol(), rule.getSourceCidrList(), null, rule.getIcmpCode(), rule.getIcmpType(), null, rule.getType(), rule.getNetworkId(), rule.getTrafficType(), rule.isDisplay()); } //Destination CIDR capability is currently implemented for egress rules only. For others, the field is passed as null.
@Override @ActionEvent(eventType = EventTypes.EVENT_FIREWALL_EGRESS_OPEN, eventDescription = "creating egress firewall rule for network", create = true) public FirewallRule createEgressFirewallRule(FirewallRule rule) throws NetworkRuleConflictException { Account caller = CallContext.current().getCallingAccount(); Network network = _networkDao.findById(rule.getNetworkId()); if (network.getGuestType() == Network.GuestType.Shared) { throw new InvalidParameterValueException("Egress firewall rules are not supported for " + network.getGuestType() + " networks"); } List<String> sourceCidrs = rule.getSourceCidrList(); if (sourceCidrs != null && !sourceCidrs.isEmpty()) Collections.replaceAll(sourceCidrs, "0.0.0.0/0", network.getCidr()); return createFirewallRule(null, caller, rule.getXid(), rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getProtocol(), sourceCidrs, rule.getDestinationCidrList(), rule.getIcmpCode(), rule.getIcmpType(), null, rule.getType(), rule.getNetworkId(), rule.getTrafficType(), rule.isDisplay()); }
String guestVlanTag = BroadcastDomainType.getValue(network.getBroadcastUri()); String guestCidr = network.getCidr(); ruleTO = new FirewallRuleTO(rule, guestVlanTag, rule.getTrafficType(), guestCidr, defaultEgressPolicy, rule.getType()); } else { IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());