CLOUDSTACK-779 Egress firewall rules support for Juniper SRX

JayapalUradi · Sheng Yang · commit a4a059c0430e · 2013-04-10T10:54:04.000-07:00
diff --git a/api/src/com/cloud/agent/api/to/FirewallRuleTO.java b/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
@@ -23,6 +23,7 @@
 
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.State;
+import com.cloud.network.rules.FirewallRule.TrafficType;
 import com.cloud.utils.net.NetUtils;
 
 /**
@@ -109,6 +110,11 @@ public FirewallRuleTO(FirewallRule rule, String srcVlanTag, String srcIp, Firewa
         this(rule.getId(),srcVlanTag, srcIp, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), revokeState, alreadyAdded, purpose,rule.getSourceCidrList(),rule.getIcmpType(),rule.getIcmpCode());
     }
 
+    public FirewallRuleTO(FirewallRule rule, String guestVlanTag, FirewallRule.TrafficType trafficType) {
+        this(rule.getId(), guestVlanTag, null, rule.getProtocol(), rule.getSourcePortStart(), rule.getSourcePortEnd(), rule.getState()==State.Revoke, rule.getState()==State.Active, rule.getPurpose(), rule.getSourceCidrList(), rule.getIcmpType(), rule.getIcmpCode());
+        this.trafficType = trafficType;
+    }
+
     public FirewallRule.TrafficType getTrafficType(){
         return trafficType;
     }
diff --git a/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java b/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
@@ -274,7 +274,7 @@ private static Map<Service, Map<Capability, String>> setCapabilities() {
         firewallCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp");
         firewallCapabilities.put(Capability.MultipleIps, "true");
         firewallCapabilities.put(Capability.TrafficStatistics, "per public ip");
-        firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress");
+        firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress, egress");
         capabilities.put(Service.Firewall, firewallCapabilities);
 
         // Disabling VPN for Juniper in Acton as it 1) Was never tested 2) probably just doesn't work
diff --git a/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java b/plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java
diff --git a/scripts/network/juniper/application-add.xml b/scripts/network/juniper/application-add.xml
@@ -23,7 +23,7 @@ under the License.
 <application>           
 <name>%name%</name>     
 <protocol>%protocol%</protocol>    
-<destination-port>%dest-port%</destination-port>        
+%dest-port-icmp%
 </application>   
 </applications>
 </configuration>
diff --git a/scripts/network/juniper/security-policy-add.xml b/scripts/network/juniper/security-policy-add.xml
@@ -27,8 +27,8 @@ under the License.
 <policy>
 <name>%policy-name%</name>
 <match>
-<source-address>%src-address%</source-address>
-<destination-address>%dest-address%</destination-address>
+%src-address%
+%dst-address%
 %applications%
 </match>
 <then>
diff --git a/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java b/server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java
@@ -1,3 +1,4 @@
+
 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
@@ -541,8 +542,15 @@ public boolean applyFirewallRules(Network network, List<? extends FirewallRule>
             if (rule.getSourceCidrList() == null && (rule.getPurpose() == Purpose.Firewall || rule.getPurpose() == Purpose.NetworkACL)) {
                 _fwRulesDao.loadSourceCidrs((FirewallRuleVO)rule);
             }
-            IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
-            FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr());
+            FirewallRuleTO ruleTO;
+            if (rule.getPurpose() == Purpose.Firewall && rule.getTrafficType() == FirewallRule.TrafficType.Egress) {
+                String guestVlanTag = network.getBroadcastUri().getHost();
+                String guestCidr = network.getCidr();
+                ruleTO = new FirewallRuleTO(rule, guestVlanTag, rule.getTrafficType());
+            } else {
+                IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
+                ruleTO = new FirewallRuleTO(rule, null, sourceIp.getAddress().addr());
+            }
             rulesTO.add(ruleTO);
         }
 
diff --git a/server/src/com/cloud/upgrade/dao/Upgrade410to420.java b/server/src/com/cloud/upgrade/dao/Upgrade410to420.java
@@ -65,6 +65,7 @@ public void performDataMigration(Connection conn) {
         updateSystemVmTemplates(conn);
         updateCluster_details(conn);
         updatePrimaryStore(conn);
+        addEgressFwRulesForSRXGuestNw(conn);
     }
 	
 	private void updateSystemVmTemplates(Connection conn) {
@@ -305,4 +306,63 @@ private void updateRemoteAccessVpn(Connection conn) {
             }
         }
     }
+    private void addEgressFwRulesForSRXGuestNw(Connection conn) {
+        PreparedStatement pstmt = null;
+        ResultSet rs = null;
+        ResultSet rsId = null;
+        ResultSet rsNw = null;
+        try {
+            pstmt = conn.prepareStatement("select network_id FROM `cloud`.`ntwk_service_map` where service='Firewall' and provider='JuniperSRX' ");
+            rs = pstmt.executeQuery();
+            while (rs.next()) {
+                long netId = rs.getLong(1);
+                //checking for Isolated OR Virtual
+                pstmt = conn.prepareStatement("select account_id, domain_id FROM `cloud`.`networks` where (guest_type='Isolated' OR guest_type='Virtual') and traffic_type='Guest' and vpc_id is NULL and (state='implemented' OR state='Shutdown') and id=? ");
+                pstmt.setLong(1, netId);
+                s_logger.debug("Getting account_id, domain_id from networks table: " + pstmt);
+                rsNw = pstmt.executeQuery();
+
+                if(rsNw.next()) {
+                    long accountId = rsNw.getLong(1);
+                    long domainId = rsNw.getLong(2);
+
+                    //Add new rule for the existing networks
+                    s_logger.debug("Adding default egress firewall rule for network " + netId);
+                    pstmt = conn.prepareStatement("INSERT INTO firewall_rules (uuid, state, protocol, purpose, account_id, domain_id, network_id, xid, created,  traffic_type) VALUES (?, 'Active', 'all', 'Firewall', ?, ?, ?, ?, now(), 'Egress')");
+                    pstmt.setString(1, UUID.randomUUID().toString());
+                    pstmt.setLong(2, accountId);
+                    pstmt.setLong(3, domainId);
+                    pstmt.setLong(4, netId);
+                    pstmt.setString(5, UUID.randomUUID().toString());
+                    s_logger.debug("Inserting default egress firewall rule " + pstmt);
+                    pstmt.executeUpdate();
+
+                    pstmt = conn.prepareStatement("select id from firewall_rules where protocol='all' and network_id=?");
+                    pstmt.setLong(1, netId);
+                    rsId = pstmt.executeQuery();
+
+                    long firewallRuleId;
+                    if(rsId.next()) {
+                        firewallRuleId = rsId.getLong(1);
+                        pstmt = conn.prepareStatement("insert into firewall_rules_cidrs (firewall_rule_id,source_cidr) values (?, '0.0.0.0/0')");
+                        pstmt.setLong(1, firewallRuleId);
+                        s_logger.debug("Inserting rule for cidr 0.0.0.0/0 for the new Firewall rule id=" + firewallRuleId + " with statement " + pstmt);
+                        pstmt.executeUpdate();
+                    }
+                }
+            }
+        } catch (SQLException e) {
+            throw new CloudRuntimeException("Unable to set egress firewall rules ", e);
+        } finally {
+            try {
+                if (rs != null) {
+                    rs.close();
+                }
+                if (pstmt != null) {
+                    pstmt.close();
+                }
+            } catch (SQLException e) {
+            }
+        }
+    }
 }
