
Commit 5511eb2

author
Koushik Das
committed
CLOUDSTACK-2509: [Cisco VNMC]No way to block incoming traffic as ACL created with PF/Static Nat is Source is Any
A firewall rule is no longer created as part of PF/Static NAT rule creation; the firewall rule now has to be configured separately. Also made some changes to exception handling.
1 parent 265acca commit 5511eb2

6 files changed

Lines changed: 88 additions & 107 deletions

File tree

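--- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-egress-acl-rule.xml
+++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-egress-acl-rule.xml
@@ -80,7 +80,7 @@ under the License.
 </pair>
 <pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual">
 <policyNwAttrQualifier
-attrEp="destination"
+attrEp="source"
 dn="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual"
 status="created"/>
 </pair>
@@ -93,7 +93,7 @@ under the License.
 name=""
 placement="begin"
 status="created"
-value="%deststartip%"/>
+value="%sourcestartip%"/>
 </pair>
 <pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-3">
 <policyIPAddress
@@ -104,7 +104,7 @@ under the License.
 name=""
 placement="end"
 status="created"
-value="%destendip%"/>
+value="%sourceendip%"/>
 </pair>
 
 <pair key="%aclruledn%/rule-cond-4">
@@ -161,8 +161,8 @@ under the License.
 descr=value
 actiontype="drop" or "permit"
 protocolvalue = "TCP" or "UDP"
-deststartip="destination start ip"
-destendip="destination end ip"
+sourcestartip="source start ip"
+sourceendip="source end ip"
 deststartport="start port at destination"
 destendport="end port at destination"
 --!>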

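--- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-generic-egress-acl-no-protocol-rule.xml
+++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-generic-egress-acl-no-protocol-rule.xml
@@ -54,7 +54,7 @@ under the License.
 </pair>
 <pair key="%aclruledn%/rule-cond-2/nw-expr2/nw-attr-qual">
 <policyNwAttrQualifier
-attrEp="destination"
+attrEp="source"
 dn="%aclruledn%/rule-cond-2/nw-expr2/nw-attr-qual"
 status="created"/>
 </pair>
@@ -67,7 +67,7 @@ under the License.
 name=""
 placement="begin"
 status="created"
-value="%deststartip%"/>
+value="%sourcestartip%"/>
 </pair>
 <pair key="%aclruledn%/rule-cond-2/nw-expr2/nw-ip-3">
 <policyIPAddress
@@ -78,7 +78,7 @@ under the License.
 name=""
 placement="end"
 status="created"
-value="%destendip%"/>
+value="%sourceendip%"/>
 </pair>
 
 </inConfigs>
@@ -89,6 +89,6 @@ under the License.
 aclrulename="dummy"
 descr=value
 actiontype="drop" or "permit"
-deststartip="destination start ip"
-destendip="destination end ip"
+sourcestartip="source start ip"
+sourceendip="source end ip"
 --!>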

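--- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-generic-egress-acl-rule.xml
+++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-generic-egress-acl-rule.xml
@@ -80,7 +80,7 @@ under the License.
 </pair>
 <pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual">
 <policyNwAttrQualifier
-attrEp="destination"
+attrEp="source"
 dn="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual"
 status="created"/>
 </pair>
@@ -93,7 +93,7 @@ under the License.
 name=""
 placement="begin"
 status="created"
-value="%deststartip%"/>
+value="%sourcestartip%"/>
 </pair>
 <pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-3">
 <policyIPAddress
@@ -104,7 +104,7 @@ under the License.
 name=""
 placement="end"
 status="created"
-value="%destendip%"/>
+value="%sourceendip%"/>
 </pair>
 
 </inConfigs>
@@ -116,6 +116,6 @@ under the License.
 descr=value
 actiontype="drop" or "permit"
 protocolvalue = "TCP" or "UDP" or "ICMP"
-deststartip="destination start ip"
-destendip="destination end ip"
+sourcestartip="source start ip"
+sourceendip="source end ip"
 --!>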

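--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java
@@ -150,13 +150,13 @@ public boolean createTenantVDCIngressAclRule(String tenantName,
 
 public boolean createTenantVDCEgressAclRule(String tenantName,
 String identifier, String policyIdentifier,
-String protocol, String destStartIp, String destEndIp,
+String protocol, String sourceStartIp, String sourceEndIp,
 String destStartPort, String destEndPort)
 throws ExecutionException;
 
 public boolean createTenantVDCEgressAclRule(String tenantName,
 String identifier, String policyIdentifier,
-String protocol, String destStartIp, String destEndIp)
+String protocol, String sourceStartIp, String sourceEndIp)
 throws ExecutionException;
 
 public boolean deleteTenantVDCAclRule(String tenantName,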
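Review bot: Both `createTenantVDCEgressAclRule` declarations in this hunk still have no Javadoc, and the rename changes what the two IP parameters mean: per the template changes in the same commit they now select the source endpoint of the egress rule, while `destStartPort`/`destEndPort` on the first overload still refer to the destination. A caller reading only the signature cannot tell that the IP range and the port range apply to opposite endpoints, so each declaration should carry a Javadoc such as `/** Creates a permit egress ACL rule matching traffic whose source IP lies in [sourceStartIp, sourceEndIp]; the port range, where present, applies to the destination. @throws ExecutionException if the VNMC request fails */`. The same documentation is missing on the overriding methods in CiscoVnmcConnectionImpl. The sixth changed file, presumably the caller of these methods, is not in this view, so whether every call site was updated to pass a source range cannot be confirmed here.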

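--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
@@ -729,7 +729,7 @@ public boolean createTenantVDCIngressAclRule(String tenantName,
 @Override
 public boolean createTenantVDCEgressAclRule(String tenantName,
 String identifier, String policyIdentifier,
-String protocol, String destStartIp, String destEndIp,
+String protocol, String sourceStartIp, String sourceEndIp,
 String destStartPort, String destEndPort) throws ExecutionException {
 String xml = VnmcXml.CREATE_EGRESS_ACL_RULE.getXml();
 String service = VnmcXml.CREATE_EGRESS_ACL_RULE.getService();
@@ -740,8 +740,8 @@ public boolean createTenantVDCEgressAclRule(String tenantName,
 xml = replaceXmlValue(xml, "descr", "Egress ACL rule for Tenant VDC " + tenantName);
 xml = replaceXmlValue(xml, "actiontype", "permit");
 xml = replaceXmlValue(xml, "protocolvalue", protocol);
-xml = replaceXmlValue(xml, "deststartip", destStartIp);
-xml = replaceXmlValue(xml, "destendip", destEndIp);
+xml = replaceXmlValue(xml, "sourcestartip", sourceStartIp);
+xml = replaceXmlValue(xml, "sourceendip", sourceEndIp);
 xml = replaceXmlValue(xml, "deststartport", destStartPort);
 xml = replaceXmlValue(xml, "destendport", destEndPort);
 
@@ -759,7 +759,7 @@ public boolean createTenantVDCEgressAclRule(String tenantName,
 @Override
 public boolean createTenantVDCEgressAclRule(String tenantName,
 String identifier, String policyIdentifier,
-String protocol, String destStartIp, String destEndIp) throws ExecutionException {
+String protocol, String sourceStartIp, String sourceEndIp) throws ExecutionException {
 String xml = VnmcXml.CREATE_GENERIC_EGRESS_ACL_RULE.getXml();
 String service = VnmcXml.CREATE_GENERIC_EGRESS_ACL_RULE.getService();
 if (protocol.equalsIgnoreCase("all")) { // any protocol
@@ -773,8 +773,8 @@ public boolean createTenantVDCEgressAclRule(String tenantName,
 xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
 xml = replaceXmlValue(xml, "descr", "Egress ACL rule for Tenant VDC " + tenantName);
 xml = replaceXmlValue(xml, "actiontype", "permit");
-xml = replaceXmlValue(xml, "deststartip", destStartIp);
-xml = replaceXmlValue(xml, "destendip", destEndIp);
+xml = replaceXmlValue(xml, "sourcestartip", sourceStartIp);
+xml = replaceXmlValue(xml, "sourceendip", sourceEndIp);
 
 List<String> rules = listChildren(getDnForAclPolicy(tenantName, policyIdentifier));
 int order = 100;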
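Review bot: `sourceStartIp` and `sourceEndIp` go straight into the request template through `replaceXmlValue` at old lines 743-744 and again at 776-777 with no guard, so a caller passing null would produce a request carrying a literal `null` in the `%sourcestartip%`/`%sourceendip%` slots, and whether VNMC rejects that or silently installs a rule with an unintended source range cannot be told from here. Since the rule is a `permit` (line 741 and 775), a wrong source range widens rather than narrows what is allowed, so it is worth failing early in both overloads with `if (sourceStartIp == null || sourceEndIp == null) { throw new IllegalArgumentException("source IP range is required for egress ACL rule"); }` before the first `replaceXmlValue` call. Both method bodies start and end outside the hunks, so the existing validation, if any, is not visible in this view.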
