Adding appropriate ACL rules for PF and static NAT
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/cc824e85 Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/cc824e85 Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/cc824e85 Branch: refs/heads/cisco-vnmc-api-integration Commit: cc824e8585dc011843125f070f9bbf8dbf985384 Parents: fb23c50 Author: Koushik Das <[email protected]> Authored: Thu Mar 7 12:16:29 2013 +0530 Committer: Koushik Das <[email protected]> Committed: Thu Mar 7 12:16:29 2013 +0530 ---------------------------------------------------------------------- .../scripts/network/cisco/create-dnat-rule.xml | 10 +- .../cisco/create-ingress-acl-rule-for-dnat.xml | 64 +++++++ .../cisco/create-ingress-acl-rule-for-pf.xml | 138 +++++++++++++++ .../network/cisco/create-ingress-acl-rule.xml | 7 +- .../scripts/network/cisco/create-pf-rule.xml | 24 ++-- .../cloud/network/cisco/CiscoVnmcConnection.java | 17 ++- .../network/cisco/CiscoVnmcConnectionImpl.java | 54 +++++- .../cloud/network/resource/CiscoVnmcResource.java | 54 +++++-- 8 files changed, 326 insertions(+), 42 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/cc824e85/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-dnat-rule.xml ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-dnat-rule.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-dnat-rule.xml index 8193762..688e295 100755 --- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-dnat-rule.xml +++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-dnat-rule.xml 
@@ -16,7 +16,7 @@ <pair key="%natruledn%/nat-action"> <natpolicyNatAction actionType="static" - destTranslatedIpPool="" + destTranslatedIpPool="%ippoolname%" destTranslatedPortPool="" dn="%natruledn%/nat-action" id="0" @@ -25,7 +25,7 @@ isNoProxyArpEnabled="no" isRoundRobinIpEnabled="no" srcTranslatedIpPatPool="" - srcTranslatedIpPool="%ippoolname%" + srcTranslatedIpPool="" srcTranslatedPortPool="" status="created"/> </pair> @@ -39,7 +39,7 @@ </pair> <pair key="%natruledn%/rule-cond-2/nw-expr2/nw-attr-qual"> <policyNwAttrQualifier - attrEp="source" + attrEp="destination" dn="%natruledn%/rule-cond-2/nw-expr2/nw-attr-qual" status="created"/> </pair> @@ -59,7 +59,7 @@ name="" placement="none" status="created" - value="%srcip%"/> + value="%ip%"/> </pair> </inConfigs> @@ -70,5 +70,5 @@ natrulename="bbb" descr=value ippoolname="ccc" - srcip="10.147.30.230" + ip="10.147.30.230" --!> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/cc824e85/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-dnat.xml ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-dnat.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-dnat.xml new file mode 100755 index 0000000..de7305f --- /dev/null +++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-dnat.xml 
@@ -0,0 +1,64 @@ +<configConfMos + cookie="%cookie%" + inHierarchical="false"> + <inConfigs> + + <pair key="%aclruledn%"> + <policyRule + descr="%descr%" + dn="%aclruledn%" + name="%aclrulename%" + order="300" + status="created"/> + </pair> + + <pair key="%aclruledn%/rule-action-0"> + <fwpolicyAction + actionType="%actiontype%" + dn="%aclruledn%/rule-action-0" + id="0" + status="created"/> + </pair> + + <pair key="%aclruledn%/rule-cond-2"> + <policyRuleCondition + dn="%aclruledn%/rule-cond-2" + id="2" + order="unspecified" + status="created"/> + </pair> + <pair key="%aclruledn%/rule-cond-2/nw-expr2"> + <policyNetworkExpression + dn="%aclruledn%/rule-cond-2/nw-expr2" + id="2" + opr="eq" + status="created"/> + </pair> + <pair key="%aclruledn%/rule-cond-2/nw-expr2/nw-attr-qual"> + <policyNwAttrQualifier + attrEp="destination" + dn="%aclruledn%/rule-cond-2/nw-expr2/nw-attr-qual" + status="created"/> + </pair> + <pair key="%aclruledn%/rule-cond-2/nw-expr2/nw-ip-2"> + <policyIPAddress + dataType="string" + descr="" + dn="%aclruledn%/rule-cond-2/nw-expr2/nw-ip-2" + id="2" + name="" + placement="none" + status="created" + value="%ip%"/> + </pair> + + </inConfigs> +</configConfMos> + +<!-- + aclruledn="org-root/org-vlan-123/org-VDC-vlan-123/pol-test_policy/rule-dummy" + aclrulename="dummy" + descr=value + actiontype="drop" or "permit" + ip="public ip at destination" +--!> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/cc824e85/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-pf.xml ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-pf.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-pf.xml new file mode 100755 index 0000000..9d37552 --- /dev/null +++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule-for-pf.xml 
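Review bot: The trailing comment of this new template is closed with `--!>` instead of `-->`, which is not a well-formed XML comment terminator; create-ingress-acl-rule-for-pf.xml in the next hunk ends the same way. The pre-existing templates (create-dnat-rule.xml above) carry the same ending, so VNMC or the sending code presumably tolerates it, but in files that are brand new it costs nothing to write `-->`. It would also help to state in that comment that the rule deliberately carries no protocol or port condition, so the permit applies to every protocol and port destined to `%ip%` — that is what a 1:1 static NAT implies, but as written the absence reads like a forgotten condition; e.g. `ip="public ip at destination (no protocol/port condition: static NAT forwards all traffic)"`.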
@@ -0,0 +1,138 @@ +<configConfMos + cookie="%cookie%" + inHierarchical="false"> + <inConfigs> + + <pair key="%aclruledn%"> + <policyRule + descr="%descr%" + dn="%aclruledn%" + name="%aclrulename%" + order="300" + status="created"/> + </pair> + + <pair key="%aclruledn%/rule-action-0"> + <fwpolicyAction + actionType="%actiontype%" + dn="%aclruledn%/rule-action-0" + id="0" + status="created"/> + </pair> + + <pair key="%aclruledn%/rule-cond-2"> + <policyRuleCondition + dn="%aclruledn%/rule-cond-2" + id="2" + order="unspecified" + status="created"/> + </pair> + <pair key="%aclruledn%/rule-cond-2/nw-expr2"> + <policyNetworkExpression + dn="%aclruledn%/rule-cond-2/nw-expr2" + id="2" + opr="eq" + status="created"/> + </pair> + <pair key="%aclruledn%/rule-cond-2/nw-expr2/nw-protocol-2"> + <policyProtocol + dataType="string" + descr="" + dn="%aclruledn%/rule-cond-2/nw-expr2/nw-protocol-2" + id="2" + name="" + placement="none" + status="created" + value="%protocolvalue%"/> + </pair> + + <pair key="%aclruledn%/rule-cond-3"> + <policyRuleCondition + dn="%aclruledn%/rule-cond-3" + id="3" + order="unspecified" + status="created"/> + </pair> + <pair key="%aclruledn%/rule-cond-3/nw-expr2"> + <policyNetworkExpression + dn="%aclruledn%/rule-cond-3/nw-expr2" + id="2" + opr="eq" + status="created"/> + </pair> + <pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual"> + <policyNwAttrQualifier + attrEp="destination" + dn="%aclruledn%/rule-cond-3/nw-expr2/nw-attr-qual" + status="created"/> + </pair> + <pair key="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-2"> + <policyIPAddress + dataType="string" + descr="" + dn="%aclruledn%/rule-cond-3/nw-expr2/nw-ip-2" + id="2" + name="" + placement="begin" + status="created" + value="%ip%"/> + </pair> + + <pair key="%aclruledn%/rule-cond-4"> + <policyRuleCondition + dn="%aclruledn%/rule-cond-4" + id="4" + order="unspecified" + status="created"/> + </pair> + <pair key="%aclruledn%/rule-cond-4/nw-expr2"> + <policyNetworkExpression + 
dn="%aclruledn%/rule-cond-4/nw-expr2" + id="2" + opr="range" + status="created"/> + </pair> + <pair key="%aclruledn%/rule-cond-4/nw-expr2/nw-attr-qual"> + <policyNwAttrQualifier + attrEp="destination" + dn="%aclruledn%/rule-cond-4/nw-expr2/nw-attr-qual" + status="created"/> + </pair> + <pair key="%aclruledn%/rule-cond-4/nw-expr2/nw-port-2"> + <policyNetworkPort + appType="Other" + dataType="string" + descr="" + dn="%aclruledn%/rule-cond-4/nw-expr2/nw-port-2" + id="2" + name="" + placement="begin" + status="created" + value="%startport%"/> + </pair> + <pair key="%aclruledn%/rule-cond-4/nw-expr2/nw-port-3"> + <policyNetworkPort + appType="Other" + dataType="string" + descr="" + dn="%aclruledn%/rule-cond-4/nw-expr2/nw-port-3" + id="3" + name="" + placement="end" + status="created" + value="%endport%"/> + </pair> + + </inConfigs> +</configConfMos> + +<!-- + aclruledn="org-root/org-vlan-123/org-VDC-vlan-123/pol-test_policy/rule-dummy" + aclrulename="dummy" + descr=value + actiontype="drop" or "permit" + protocolvalue="TCP" or "UDP" + ip="public ip at destination" + startport="start port at destination" + endport="end port at destination" +--!> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/cc824e85/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml index 8fb38a4..57f12d0 100755 --- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml +++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-ingress-acl-rule.xml @@ -5,7 +5,7 @@ <pair key="%aclruledn%"> <policyRule - descr="" + descr="%descr%" dn="%aclruledn%" name="%aclrulename%" order="300" 
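Review bot: In rule-cond-3 the single-address match (`opr="eq"`) is emitted with `placement="begin"`, whereas the equivalent single-address condition in create-ingress-acl-rule-for-dnat.xml uses `placement="none"`, and in this file `begin`/`end` otherwise appear only as the two halves of the `opr="range"` port condition. Unless VNMC ignores placement for an equality expression, one of the two templates is inconsistent, and `placement="none"` looks like the intended value here. If `begin` is in fact required for this object type, a one-line comment next to it saying so would stop the next reader from "fixing" it.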
@@ -172,11 +172,12 @@ <!-- aclruledn="org-root/org-vlan-123/org-VDC-vlan-123/pol-test_policy/rule-dummy" aclrulename="dummy" + descr=value actiontype="drop" or "permit" protocolvalue = "TCP" or UDP or ICMP sourcestartip="source start ip" sourceendip="source end ip" - startport="start port at destination" - endport="end port at destination" + deststartport="start port at destination" + destendport="end port at destination" destinationip="public ip at destination" --!> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/cc824e85/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-pf-rule.xml ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-pf-rule.xml b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-pf-rule.xml index 8f53003..b6d2840 100755 --- a/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-pf-rule.xml +++ b/plugins/network-elements/cisco-vnmc/scripts/network/cisco/create-pf-rule.xml @@ -16,8 +16,8 @@ <pair key="%natruledn%/nat-action"> <natpolicyNatAction actionType="static" - destTranslatedIpPool="" - destTranslatedPortPool="" + destTranslatedIpPool="%ippoolname%" + destTranslatedPortPool="%portpoolname%" dn="%natruledn%/nat-action" id="0" isBidirectionalEnabled="yes" @@ -25,8 +25,8 @@ isNoProxyArpEnabled="no" isRoundRobinIpEnabled="no" srcTranslatedIpPatPool="" - srcTranslatedIpPool="%ippoolname%" - srcTranslatedPortPool="%portpoolname%" + srcTranslatedIpPool="" + srcTranslatedPortPool="" status="created"/> </pair> @@ -39,7 +39,7 @@ </pair> <pair key="%natruledn%/rule-cond-2/nw-expr2/nw-attr-qual"> <policyNwAttrQualifier - attrEp="source" + attrEp="destination" dn="%natruledn%/rule-cond-2/nw-expr2/nw-attr-qual" status="created"/> </pair> @@ -59,7 +59,7 @@ name="" placement="none" status="created" - value="%srcip%"/> + value="%ip%"/> </pair> <pair key="%natruledn%/rule-cond-3"> 
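Review bot: The trailing comment of create-ingress-acl-rule.xml now documents `deststartport`/`destendport`, but the diff for this file touches only the comment and the `descr` attribute (the diffstat of 7 lines accounts for exactly those), so the template body presumably still uses whatever placeholder names it had before. If those are `%startport%`/`%endport%`, the comment no longer describes the body, and createIngressAclRule (the -662 hunk further down, which does not show its port substitutions) would need checking as well. Either rename the placeholders in the body too or revert the comment so the documentation matches the template.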
@@ -71,7 +71,7 @@ </pair> <pair key="%natruledn%/rule-cond-3/nw-expr2/nw-attr-qual"> <policyNwAttrQualifier - attrEp="source" + attrEp="destination" dn="%natruledn%/rule-cond-3/nw-expr2/nw-attr-qual" status="created"/> </pair> @@ -92,7 +92,7 @@ name="" placement="begin" status="created" - value="%srcportstart%"/> + value="%startport%"/> </pair> <pair key="%natruledn%/rule-cond-3/nw-expr2/nw-port-3"> <policyNetworkPort @@ -104,7 +104,7 @@ name="" placement="end" status="created" - value="%srcportend%"/> + value="%endport%"/> </pair> <pair key="%natruledn%/rule-cond-4"> @@ -142,8 +142,8 @@ descr=value ippoolname="ccc" portpoolname="ddd" - srcip="10.147.30.230" - srcportstart="22" - srcportend="22" + ip="10.147.30.230" + startport="22" + endport="22" protocolvalue="TCP" --!> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/cc824e85/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java index 20bfa15..c5961d2 100644 --- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java +++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnection.java @@ -76,7 +76,12 @@ public interface CiscoVnmcConnection { public boolean createTenantVDCDNatRule(String tenantName, String identifier, String policyIdentifier, - String sourceIp) + String publicIp) + throws ExecutionException; + + public boolean createTenantVDCIngressAclRuleForDNat(String tenantName, + String identifier, String policyIdentifier, + String publicIp) throws ExecutionException; public boolean createTenantVDCDNatPolicy(String tenantName, String identifier) 
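Review bot: The new interface method createTenantVDCIngressAclRuleForDNat (and createTenantVDCIngressAclRuleForPF in the next hunk) has no Javadoc, and nothing around it explains what `identifier` and `policyIdentifier` denote or what the boolean return means, so a caller has to read CiscoVnmcConnectionImpl to use it correctly. A short Javadoc stating that this creates the ingress ACL counterpart of the DNAT rule for `publicIp` inside the ACL policy named by `policyIdentifier`, that `identifier` distinguishes the rule within that policy, that the return value is VNMC's success indication, and that `ExecutionException` is thrown when the request cannot be sent, would be enough. The same `@param`/`@return`/`@throws` block fits the PF variant with `protocol`, `startPort` and `endPort` added.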
@@ -97,8 +102,14 @@ public interface CiscoVnmcConnection {
 public boolean createTenantVDCPFRule(String tenantName,
 String identifier, String policyIdentifier,
- String protocol, String sourceIp,
- String startSourcePort, String endSourcePort)
+ String protocol, String publicIp,
+ String startPort, String endPort)
+ throws ExecutionException;
+
+ public boolean createTenantVDCIngressAclRuleForPF(String tenantName,
+ String identifier, String policyIdentifier,
+ String protocol, String publicIp,
+ String startPort, String endPort)
 throws ExecutionException;
 public boolean createTenantVDCPFPolicy(String tenantName, String identifier)
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/cc824e85/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
index b967aa2..eac3e67 100644
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/cisco/CiscoVnmcConnectionImpl.java
@@ -77,7 +77,9 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
 CREATE_IP_POOL("create-ip-pool.xml", "policy-mgr"),
 CREATE_PF_RULE("create-pf-rule.xml", "policy-mgr"),
+ CREATE_INGRESS_ACL_RULE_FOR_PF("create-ingress-acl-rule-for-pf.xml", "policy-mgr"),
 CREATE_DNAT_RULE("create-dnat-rule.xml", "policy-mgr"),
+ CREATE_INGRESS_ACL_RULE_FOR_DNAT("create-ingress-acl-rule-for-dnat.xml", "policy-mgr"),
 CREATE_SOURCE_NAT_RULE("create-source-nat-rule.xml", "policy-mgr"),
 CREATE_ACL_POLICY_SET("create-acl-policy-set.xml", "policy-mgr"),
@@ -662,9 +664,9 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
 String xml = VnmcXml.CREATE_INGRESS_ACL_RULE.getXml();
 String service = VnmcXml.CREATE_INGRESS_ACL_RULE.getService();
 xml = replaceXmlValue(xml, "cookie", _cookie);
- //xml = replaceXmlValue(xml, "descr", "Ingress ACL policy for Tenant VDC" + tenantName);
 xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
 xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));
+ xml = replaceXmlValue(xml, "descr", "Ingress ACL policy for Tenant VDC" + tenantName);
 xml = replaceXmlValue(xml, "actiontype", "permit");
 xml = replaceXmlValue(xml, "protocolvalue", protocol);
 xml = replaceXmlValue(xml, "sourcestartip", sourceStartIp);
@@ -838,8 +840,8 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
 @Override
 public boolean createTenantVDCPFRule(String tenantName,
 String identifier, String policyIdentifier,
- String protocol, String sourceIp,
- String startSourcePort, String endSourcePort) throws ExecutionException {
+ String protocol, String publicIp,
+ String startPort, String endPort) throws ExecutionException {
 String xml = VnmcXml.CREATE_PF_RULE.getXml();
 String service = VnmcXml.CREATE_PF_RULE.getService();
 xml = replaceXmlValue(xml, "cookie", _cookie);
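Review bot: The re-enabled description in `xml = replaceXmlValue(xml, "descr", "Ingress ACL policy for Tenant VDC" + tenantName);` has no separator before the tenant name, so the device will show something like `Tenant VDCacme` (constructed example), while every other description in this file ends with `"Tenant VDC "`. The text also calls the object a policy although this method creates a rule; `"Ingress ACL rule for Tenant VDC " + tenantName` would fix both and line up with the `"ACL rule for Tenant VDC "` wording used by the two new methods below. createIngressAclRule begins and ends outside this hunk.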
@@ -848,10 +850,30 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
 xml = replaceXmlValue(xml, "descr", "PF rule for Tenant VDC " + tenantName);
 xml = replaceXmlValue(xml, "ippoolname", getNameForPFIpPool(tenantName, policyIdentifier + "-" + identifier));
 xml = replaceXmlValue(xml, "portpoolname", getNameForPFPortPool(tenantName, policyIdentifier + "-" + identifier));
- xml = replaceXmlValue(xml, "srcip", sourceIp);
- xml = replaceXmlValue(xml, "srcportstart", startSourcePort);
- xml = replaceXmlValue(xml, "srcportend", endSourcePort);
+ xml = replaceXmlValue(xml, "ip", publicIp);
+ xml = replaceXmlValue(xml, "startport", startPort);
+ xml = replaceXmlValue(xml, "endport", endPort);
+ xml = replaceXmlValue(xml, "protocolvalue", protocol);
+
+ String response = sendRequest(service, xml);
+ return verifySuccess(response);
+ }
+
+ @Override
+ public boolean createTenantVDCIngressAclRuleForPF(String tenantName,
+ String identifier, String policyIdentifier, String protocol,
+ String publicIp, String startPort, String endPort)
+ throws ExecutionException {
+ String xml = VnmcXml.CREATE_INGRESS_ACL_RULE_FOR_PF.getXml();
+ String service = VnmcXml.CREATE_INGRESS_ACL_RULE_FOR_PF.getService();
+ xml = replaceXmlValue(xml, "cookie", _cookie);
+ xml = replaceXmlValue(xml, "natruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
+ xml = replaceXmlValue(xml, "natrulename", getNameForAclRule(tenantName, identifier));
+ xml = replaceXmlValue(xml, "descr", "ACL rule for Tenant VDC " + tenantName);
 xml = replaceXmlValue(xml, "protocolvalue", protocol);
+ xml = replaceXmlValue(xml, "ip", publicIp);
+ xml = replaceXmlValue(xml, "startport", startPort);
+ xml = replaceXmlValue(xml, "endport", endPort);
 String response = sendRequest(service, xml);
 return verifySuccess(response);
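Review bot: createTenantVDCIngressAclRuleForPF substitutes `natruledn` and `natrulename`, but the template it loads, create-ingress-acl-rule-for-pf.xml earlier in this commit, uses `%aclruledn%` and `%aclrulename%`, and nothing in the method substitutes `%actiontype%` at all, so the request leaves with placeholders still in the `dn`, `name` and `actionType` attributes. createTenantVDCIngressAclRuleForDNat in the next hunk has the same three gaps against create-ingress-acl-rule-for-dnat.xml. Match what createIngressAclRule does above: `xml = replaceXmlValue(xml, "aclruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));`, `xml = replaceXmlValue(xml, "aclrulename", getNameForAclRule(tenantName, identifier));`, `xml = replaceXmlValue(xml, "actiontype", "permit");`. replaceXmlValue is not shown, so whether an unmatched placeholder fails loudly or is sent verbatim is inferred; either way verifySuccess on the device's reply is the only thing that would catch it.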
@@ -919,7 +941,7 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
 @Override
 public boolean createTenantVDCDNatRule(String tenantName,
- String identifier, String policyIdentifier, String sourceIp)
+ String identifier, String policyIdentifier, String publicIp)
 throws ExecutionException {
 String xml = VnmcXml.CREATE_DNAT_RULE.getXml();
 String service = VnmcXml.CREATE_DNAT_RULE.getService();
@@ -928,7 +950,23 @@ public class CiscoVnmcConnectionImpl implements CiscoVnmcConnection {
 xml = replaceXmlValue(xml, "natrulename", getNameForDNatRule(tenantName, identifier));
 xml = replaceXmlValue(xml, "descr", "DNAT rule for Tenant VDC " + tenantName);
 xml = replaceXmlValue(xml, "ippoolname", getNameForDNatIpPool(tenantName, policyIdentifier + "-" + identifier));
- xml = replaceXmlValue(xml, "srcip", sourceIp);
+ xml = replaceXmlValue(xml, "ip", publicIp);
+
+ String response = sendRequest(service, xml);
+ return verifySuccess(response);
+ }
+
+ @Override
+ public boolean createTenantVDCIngressAclRuleForDNat(String tenantName,
+ String identifier, String policyIdentifier, String publicIp)
+ throws ExecutionException {
+ String xml = VnmcXml.CREATE_INGRESS_ACL_RULE_FOR_DNAT.getXml();
+ String service = VnmcXml.CREATE_INGRESS_ACL_RULE_FOR_DNAT.getService();
+ xml = replaceXmlValue(xml, "cookie", _cookie);
+ xml = replaceXmlValue(xml, "natruledn", getDnForAclRule(tenantName, identifier, policyIdentifier));
+ xml = replaceXmlValue(xml, "natrulename", getNameForAclRule(tenantName, identifier));
+ xml = replaceXmlValue(xml, "descr", "ACL rule for Tenant VDC " + tenantName);
+ xml = replaceXmlValue(xml, "ip", publicIp);
 String response = sendRequest(service, xml);
 return verifySuccess(response);
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/cc824e85/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
----------------------------------------------------------------------
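Review bot: createTenantVDCIngressAclRuleForDNat repeats the template/cookie/dn/name/descr preamble of createTenantVDCIngressAclRuleForPF and of createIngressAclRule line for line, differing only in the VnmcXml constant and the substitutions that follow. A private helper such as `private String aclRuleXml(VnmcXml template, String tenantName, String identifier, String policyIdentifier)` returning the partially substituted XML would keep the three in step; the placeholder names already differ between these two new methods and createIngressAclRule, which is exactly the drift such duplication invites. The closing brace of createTenantVDCIngressAclRuleForDNat lies outside the hunk.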
diff --git a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
index 3ab6626..e49952e 100644
--- a/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
+++ b/plugins/network-elements/cisco-vnmc/src/com/cloud/network/resource/CiscoVnmcResource.java
@@ -347,9 +347,9 @@ public class CiscoVnmcResource implements ServerResource{
 for (String publicIp : publicIpRulesMap.keySet()) {
 String policyIdentifier = publicIp.replace('.', '-');
- if (!_connection.deleteTenantVDCAclPolicy(tenant, policyIdentifier)) {
+ /*if (!_connection.deleteTenantVDCAclPolicy(tenant, policyIdentifier)) {
 throw new Exception("Failed to delete ACL ingress policy in VNMC for guest network with vlan " + vlanId);
- }
+ }*/
 // TODO for egress
 if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true)) {
@@ -368,8 +368,12 @@ public class CiscoVnmcResource implements ServerResource{
 String[] result = cidr.split("\\/");
 assert (result.length == 2) : "Something is wrong with source cidr " + cidr;
 long size = Long.valueOf(result[1]);
- String externalStartIp = NetUtils.getIpRangeStartIpFromCidr(result[0], size);
- String externalEndIp = NetUtils.getIpRangeEndIpFromCidr(result[0], size);
+ String externalStartIp = result[0];
+ String externalEndIp = result[0];
+ if (size < 32) {
+ externalStartIp = NetUtils.getIpRangeStartIpFromCidr(result[0], size);
+ externalEndIp = NetUtils.getIpRangeEndIpFromCidr(result[0], size);
+ }
 if (!_connection.createIngressAclRule(tenant, Long.toString(rule.getId()), policyIdentifier,
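Review bot: The ACL policy delete is kept as a `/* ... */` block with no explanation, and the DNAT policy delete at -425 and the PF policy delete at -495 below are disabled the same way. Commented-out code without a reason gets either deleted or uncommented blindly by the next reader; if the deletes were disabled because the per-public-IP ACL policy is now created from the firewall, static NAT and PF paths and must outlive any one of them, say so, e.g. `// Not deleted here: the ACL policy for this public IP is shared by firewall, DNAT and PF rules`, otherwise remove the block and leave it to history. In the -368 hunk the new `size < 32` guard handles a /32 but still hands a prefix length above 32 (or negative) straight to NetUtils, and the `assert` on `result.length` above it is inactive unless the JVM runs with -ea; a `if (size < 0 || size > 32) throw new Exception("Invalid source cidr " + cidr);` before the guard would be a cheap check on rule-supplied input. The enclosing method starts and ends outside both hunks.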
@@ -425,9 +429,9 @@ public class CiscoVnmcResource implements ServerResource{
 for (String publicIp : publicIpRulesMap.keySet()) {
 String policyIdentifier = publicIp.replace('.', '-');
- if (!_connection.deleteTenantVDCDNatPolicy(tenant, policyIdentifier)) {
- throw new Exception("Failed to delete ACL ingress policy in VNMC for guest network with vlan " + vlanId);
- }
+ /*if (!_connection.deleteTenantVDCDNatPolicy(tenant, policyIdentifier)) {
+ throw new Exception("Failed to delete DNAT policy in VNMC for guest network with vlan " + vlanId);
+ }*/
 if (!_connection.createTenantVDCDNatPolicy(tenant, policyIdentifier)) {
 throw new Exception("Failed to create DNAT policy in VNMC for guest network with vlan " + vlanId);
@@ -436,9 +440,17 @@ public class CiscoVnmcResource implements ServerResource{
 throw new Exception("Failed to associate DNAT policy with NAT policy set in VNMC for guest network with vlan " + vlanId);
 }
+ if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true)) {
+ throw new Exception("Failed to create ACL ingress policy in VNMC for guest network with vlan " + vlanId);
+ }
+ if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, true)) {
+ throw new Exception("Failed to associate ACL ingress policy with ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
+ }
+
 for (StaticNatRuleTO rule : publicIpRulesMap.get(publicIp)) {
 if (rule.revoked()) {
- //_connection.deleteDNatRule(tenant, Long.toString(rule.getId()), publicIp);
+ //_connection.deleteDNatRule(tenant, Long.toString(rule.getId()), policyIdentifier);
+ //_connection.deleteAclRule(tenant, Long.toString(rule.getId()), policyIdentifier);
 } else {
 if (!_connection.createTenantVDCDNatIpPool(tenant, policyIdentifier + "-" + rule.getId(), rule.getDstIp())) {
 throw new Exception("Failed to create DNAT ip pool in VNMC for guest network with vlan " + vlanId);
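Review bot: In the -436 hunk the `rule.revoked()` branch consists only of two commented-out calls, so a revoked static NAT rule leaves both the DNAT rule and the permit ACL rule this commit adds on the device; the PF loop at -506 below has the same shape. Before this change the stale object was a NAT mapping, now it is also an open ingress ACL entry for the public IP, so a revocation that silently does nothing is a security regression rather than a cosmetic gap. Until deletion is implemented, the branch should at least be visible, e.g. `<logger>.warn("Revocation of static NAT rule " + rule.getId() + " is not yet supported on VNMC; DNAT and ACL rules remain in place");` using the class's existing logger, or throw so the apply is reported as failed. Separately, createTenantVDCAclPolicy/createTenantVDCAclPolicyRef are now invoked for the same policyIdentifier from the firewall path (-347) and from here; whether VNMC treats a repeated create as idempotent is not visible, and if it does not the second call will abort the whole static NAT apply. The enclosing method starts and ends outside these hunks.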
@@ -448,6 +460,11 @@ public class CiscoVnmcResource implements ServerResource{
 Long.toString(rule.getId()), policyIdentifier, rule.getSrcIp())) {
 throw new Exception("Failed to create DNAT rule in VNMC for guest network with vlan " + vlanId);
 }
+
+ if (!_connection.createTenantVDCIngressAclRuleForDNat(tenant,
+ Long.toString(rule.getId()), policyIdentifier, rule.getSrcIp())) {
+ throw new Exception("Failed to create ACL ingress rule for DNAT in VNMC for guest network with vlan " + vlanId);
+ }
 }
 }
 }
@@ -495,9 +512,9 @@ public class CiscoVnmcResource implements ServerResource{
 for (String publicIp : publicIpRulesMap.keySet()) {
 String policyIdentifier = publicIp.replace('.', '-');
- if (!_connection.deleteTenantVDCPFPolicy(tenant, policyIdentifier)) {
+ /*if (!_connection.deleteTenantVDCPFPolicy(tenant, policyIdentifier)) {
 throw new Exception("Failed to delete ACL ingress policy in VNMC for guest network with vlan " + vlanId);
- }
+ }*/
 if (!_connection.createTenantVDCPFPolicy(tenant, policyIdentifier)) {
 throw new Exception("Failed to create PF policy in VNMC for guest network with vlan " + vlanId);
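Review bot: If createTenantVDCIngressAclRuleForDNat returns false, the DNAT IP pool and DNAT rule created just above for the same rule id stay on the device while the method throws, and nothing in this hunk undoes them; the PF path at -525 orders its calls the same way. Whether the caller's catch block or the next apply cleans this up is not visible here; if not, the failure leaves a NAT mapping without the ACL rule that is meant to accompany it, which deserves at least a comment at the throw, e.g. `// NOTE: the DNAT pool/rule for this id are already on the device; a failed ACL rule leaves them in place until the next apply`. The enclosing method begins outside the hunk.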
@@ -506,9 +523,17 @@ public class CiscoVnmcResource implements ServerResource{
 throw new Exception("Failed to associate PF policy with NAT policy set in VNMC for guest network with vlan " + vlanId);
 }
+ if (!_connection.createTenantVDCAclPolicy(tenant, policyIdentifier, true)) {
+ throw new Exception("Failed to create ACL ingress policy in VNMC for guest network with vlan " + vlanId);
+ }
+ if (!_connection.createTenantVDCAclPolicyRef(tenant, policyIdentifier, true)) {
+ throw new Exception("Failed to associate ACL ingress policy with ACL ingress policy set in VNMC for guest network with vlan " + vlanId);
+ }
+
 for (PortForwardingRuleTO rule : publicIpRulesMap.get(publicIp)) {
 if (rule.revoked()) {
- //_connection.deletePFRule(tenant, Long.toString(rule.getId()), publicIp);
+ //_connection.deletePFRule(tenant, Long.toString(rule.getId()), policyIdentifier);
+ //_connection.deleteAclRule(tenant, Long.toString(rule.getId()), policyIdentifier);
 } else {
 if (!_connection.createTenantVDCPFIpPool(tenant, policyIdentifier + "-" + rule.getId(), rule.getDstIp())) {
 throw new Exception("Failed to create PF ip pool in VNMC for guest network with vlan " + vlanId);
@@ -525,6 +550,13 @@ public class CiscoVnmcResource implements ServerResource{
 Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]))) {
 throw new Exception("Failed to create PF rule in VNMC for guest network with vlan " + vlanId);
 }
+
+ if (!_connection.createTenantVDCIngressAclRuleForPF(tenant,
+ Long.toString(rule.getId()), policyIdentifier,
+ rule.getProtocol().toUpperCase(), rule.getSrcIp(),
+ Integer.toString(rule.getSrcPortRange()[0]), Integer.toString(rule.getSrcPortRange()[1]))) {
+ throw new Exception("Failed to create ACL ingress rule for PF in VNMC for guest network with vlan " + vlanId);
+ }
 }
 }
 }
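Review bot: `rule.getProtocol().toUpperCase()` in the -525 hunk uses the JVM default locale, so the keyword handed to the template depends on the management server's locale (under a Turkish locale a lowercase i does not map to ASCII I); for a protocol keyword that the template comment documents as `TCP` or `UDP`, a locale-independent conversion is the right tool. Use `rule.getProtocol().toUpperCase(Locale.ROOT)` with `java.util.Locale` imported, and presumably the same on the createTenantVDCPFRule call just above the hunk if it uppercases the protocol the same way. The enclosing method starts and ends outside these hunks.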
