From 5b4759b99f3740fa71cccf8cde1a47489584c0c8 Mon Sep 17 00:00:00 2001 From: Ruan Shixin Date: Tue, 20 Mar 2018 20:13:50 +0800 Subject: [PATCH] port bug 9978 from 2.3.0 to master --- conf/globalConfig/vyos.xml | 10 ++ conf/springConfigXml/vyos.xml | 11 +++ .../virtualrouter/VirtualRouterCommands.java | 24 +++++ .../virtualrouter/VirtualRouterConstant.java | 1 + ...L3FirewallDefaultActionExtensionPoint.java | 81 ++++++++++++++++ ...ngePrivateL3FirewallDefaultActionFlow.java | 96 +++++++++++++++++++ .../virtualrouter/vyos/VyosConstants.java | 2 + .../virtualrouter/vyos/VyosGlobalConfig.java | 16 ++++ .../virtualrouter/VirtualRouterSimulator.java | 18 ++++ .../testlib/VirtualRouterOfferingSpec.groovy | 4 + 10 files changed, 263 insertions(+) create mode 100755 conf/globalConfig/vyos.xml create mode 100644 plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosChangePrivateL3FirewallDefaultActionExtensionPoint.java create mode 100644 plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosChangePrivateL3FirewallDefaultActionFlow.java create mode 100644 plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosGlobalConfig.java diff --git a/conf/globalConfig/vyos.xml b/conf/globalConfig/vyos.xml new file mode 100755 index 00000000000..91bbc512126 --- /dev/null +++ b/conf/globalConfig/vyos.xml @@ -0,0 +1,10 @@ + + + + vyos + private.l3.firewall.default.action + default action for private l3 network + java.lang.String + reject + + \ No newline at end of file diff --git a/conf/springConfigXml/vyos.xml b/conf/springConfigXml/vyos.xml index 5d5eb684531..eed6ed5b240 100755 --- a/conf/springConfigXml/vyos.xml +++ b/conf/springConfigXml/vyos.xml 
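Review bot: The new conf/globalConfig/vyos.xml is committed without a trailing newline (`\ No newline at end of file`); add one so later edits do not show a spurious last-line change. Its description `default action for private l3 network` also does not tell an operator that only two values are valid, although `@GlobalConfigValidation` in VyosGlobalConfig enforces that; echoing it here, e.g. `default firewall action (accept|reject) for private l3 networks`, would make the config self-explanatory.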
@@ -17,6 +17,7 @@ org.zstack.network.service.virtualrouter.lifecycle.VirtualRouterAssembleDecoratorFlow org.zstack.network.service.virtualrouter.vyos.VyosConnectFlow + org.zstack.network.service.virtualrouter.vyos.VyosChangePrivateL3FirewallDefaultActionFlow org.zstack.network.service.virtualrouter.vip.VirtualRouterCreateVipForPublicIpFlow org.zstack.network.service.virtualrouter.dns.VirtualRouterSyncDnsOnStartFlow org.zstack.network.service.virtualrouter.dhcp.VirtualRouterSyncDHCPOnStartFlow @@ -33,6 +34,7 @@ org.zstack.network.service.virtualrouter.lifecycle.VirtualRouterAssembleDecoratorFlow org.zstack.network.service.virtualrouter.vyos.VyosConnectFlow + org.zstack.network.service.virtualrouter.vyos.VyosChangePrivateL3FirewallDefaultActionFlow org.zstack.network.service.virtualrouter.dns.VirtualRouterSyncDnsOnStartFlow org.zstack.network.service.virtualrouter.dhcp.VirtualRouterSyncDHCPOnStartFlow org.zstack.network.service.virtualrouter.nat.VirtualRouterSyncSNATOnStartFlow @@ -47,6 +49,7 @@ org.zstack.network.service.virtualrouter.lifecycle.VirtualRouterAssembleDecoratorFlow org.zstack.network.service.virtualrouter.vyos.VyosConnectFlow + org.zstack.network.service.virtualrouter.vyos.VyosChangePrivateL3FirewallDefaultActionFlow org.zstack.network.service.virtualrouter.dns.VirtualRouterSyncDnsOnStartFlow org.zstack.network.service.virtualrouter.dhcp.VirtualRouterSyncDHCPOnStartFlow org.zstack.network.service.virtualrouter.nat.VirtualRouterSyncSNATOnStartFlow @@ -72,6 +75,7 @@ org.zstack.network.service.virtualrouter.vyos.VyosDeployAgentFlow org.zstack.network.service.virtualrouter.vyos.VyosConnectFlow + org.zstack.network.service.virtualrouter.vyos.VyosChangePrivateL3FirewallDefaultActionFlow org.zstack.network.service.virtualrouter.dns.VirtualRouterSyncDnsOnStartFlow org.zstack.network.service.virtualrouter.dhcp.VirtualRouterSyncDHCPOnStartFlow org.zstack.network.service.virtualrouter.nat.VirtualRouterSyncSNATOnStartFlow @@ -159,4 +163,11 @@ + + + + + + + 
diff --git a/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/VirtualRouterCommands.java b/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/VirtualRouterCommands.java index 50f5ed9900c..7641ff39bf3 100755 --- a/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/VirtualRouterCommands.java +++ b/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/VirtualRouterCommands.java @@ -63,6 +63,7 @@ public static class NicInfo { private String physicalInterface; private String l2type; private Integer vni; + private String firewallDefaultAction; public String getIp() { return ip; @@ -126,6 +127,14 @@ public String getPhysicalInterface() { public void setPhysicalInterface(String physicalInterface) { this.physicalInterface = physicalInterface; } + + public String getFirewallDefaultAction() { + return firewallDefaultAction; + } + + public void setFirewallDefaultAction(String firewallDefaultAction) { + this.firewallDefaultAction = firewallDefaultAction; + } } public static class ConfigureNicCmd extends AgentCommand { @@ -143,6 +152,21 @@ public void setNics(List nics) { public static class ConfigureNicRsp extends AgentResponse { } + public static class ConfigureNicFirewallDefaultActionCmd extends AgentCommand { + private List nics; + + public List getNics() { + return nics; + } + + public void setNics(List nics) { + this.nics = nics; + } + } + + public static class ConfigureNicFirewallDefaultActionRsp extends AgentResponse { + } + public static class RemoveNicCmd extends AgentCommand { private List nics; diff --git a/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/VirtualRouterConstant.java b/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/VirtualRouterConstant.java index 05c299f1479..690e18e4006 100755 
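Review bot: `NicInfo.firewallDefaultAction` is a free-form String that goes over the wire to the agent, and nothing on the field or its setter says which values are legal; the only constraint lives on the global config annotation, so any other code path that builds a NicInfo can send an arbitrary string. A field comment would pin it down: `// "accept" or "reject"; see VyosGlobalConfig.PRIVATE_L3_FIREWALL_DEFAULT_ACTION`. The new `ConfigureNicFirewallDefaultActionCmd`/`Rsp` pair likewise has no comment naming the agent path it is sent on (`VR_CONFIGURE_NIC_FIREWALL_DEFAULT_ACTION_PATH`), which the neighbouring command classes would benefit from too.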
--- a/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/VirtualRouterConstant.java +++ b/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/VirtualRouterConstant.java @@ -24,6 +24,7 @@ public interface VirtualRouterConstant { public static final String VR_ECHO_PATH = "/echo"; public static final String VR_CONFIGURE_NIC_PATH = "/configurenic"; public static final String VR_REMOVE_NIC_PATH = "/removenic"; + public static final String VR_CONFIGURE_NIC_FIREWALL_DEFAULT_ACTION_PATH = "/configurenicdefaultaction"; public static final String VR_ADD_DHCP_PATH = "/adddhcp"; public static final String VR_REMOVE_DHCP_PATH = "/removedhcp"; public static final String VR_SET_SNAT_PATH = "/setsnat"; diff --git a/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosChangePrivateL3FirewallDefaultActionExtensionPoint.java b/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosChangePrivateL3FirewallDefaultActionExtensionPoint.java new file mode 100644 index 00000000000..2a5221c009e --- /dev/null +++ b/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosChangePrivateL3FirewallDefaultActionExtensionPoint.java 
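Review bot: The new path `/configurenicdefaultaction` drops the word "firewall" that the constant name, the command class and the simulator handler all carry, which makes it harder to match manager-side code to the agent route. If the vyos agent endpoint is not yet fixed, `/configurenicfirewalldefaultaction` would keep the naming aligned; if it already exists under this name, a short trailing comment naming the agent handler it maps to would help.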
@@ -0,0 +1,81 @@ +package org.zstack.network.service.virtualrouter.vyos; + +import org.springframework.beans.factory.annotation.Autowired; +import org.zstack.core.cloudbus.CloudBus; +import org.zstack.core.cloudbus.CloudBusCallBack; +import org.zstack.core.timeout.ApiTimeoutManager; +import org.zstack.header.core.Completion; +import org.zstack.header.core.NoErrorCompletion; +import org.zstack.header.errorcode.ErrorCode; +import org.zstack.header.message.MessageReply; +import org.zstack.header.network.service.VirtualRouterAfterAttachNicExtensionPoint; +import org.zstack.header.vm.VmInstanceConstant; +import org.zstack.header.vm.VmNicInventory; +import org.zstack.network.service.virtualrouter.*; +import org.zstack.utils.Utils; +import org.zstack.utils.logging.CLogger; + +import java.util.Collections; +import static org.zstack.core.Platform.operr; + +public class VyosChangePrivateL3FirewallDefaultActionExtensionPoint implements VirtualRouterAfterAttachNicExtensionPoint { + @Autowired + protected CloudBus bus; + @Autowired + protected ApiTimeoutManager apiTimeoutManager; + private final static CLogger logger = Utils.getLogger(VyosChangePrivateL3FirewallDefaultActionExtensionPoint.class); + + @Override + public void afterAttachNic(VmNicInventory nic, Completion completion) { + if (!VirtualRouterNicMetaData.GUEST_NIC_MASK_STRING_LIST.contains(nic.getMetaData())) { + completion.success(); + return; + } + + String action = VyosGlobalConfig.PRIVATE_L3_FIREWALL_DEFAULT_ACTION.value(String.class); + VirtualRouterCommands.NicInfo info = new VirtualRouterCommands.NicInfo(); + info.setIp(nic.getIp()); + info.setDefaultRoute(false); + info.setGateway(nic.getGateway()); + info.setMac(nic.getMac()); + info.setNetmask(nic.getNetmask()); + info.setFirewallDefaultAction(action); + + VirtualRouterCommands.ConfigureNicFirewallDefaultActionCmd cmd = new VirtualRouterCommands.ConfigureNicFirewallDefaultActionCmd(); + cmd.setNics(Collections.singletonList(info)); + + 
VirtualRouterAsyncHttpCallMsg cmsg = new VirtualRouterAsyncHttpCallMsg(); + cmsg.setCommand(cmd); + cmsg.setCommandTimeout(apiTimeoutManager.getTimeout(cmd.getClass(), "30m")); + cmsg.setPath(VirtualRouterConstant.VR_CONFIGURE_NIC_FIREWALL_DEFAULT_ACTION_PATH); + cmsg.setVmInstanceUuid(nic.getVmInstanceUuid()); + bus.makeTargetServiceIdByResourceUuid(cmsg, VmInstanceConstant.SERVICE_ID, nic.getVmInstanceUuid()); + bus.send(cmsg, new CloudBusCallBack(completion) { + @Override + public void run(MessageReply reply) { + if (!reply.isSuccess()) { + completion.fail(reply.getError()); + return; + } + + VirtualRouterAsyncHttpCallReply re = reply.castReply(); + VirtualRouterCommands.ConfigureNicFirewallDefaultActionRsp rsp = re.toResponse(VirtualRouterCommands.ConfigureNicFirewallDefaultActionRsp.class); + if (rsp.isSuccess()) { + logger.debug(String.format("successfully change nic[ip:%s, mac:%s] firewall default action of virtual router vm[uuid:%s]", + nic.getIp(), nic.getMac(), nic.getVmInstanceUuid())); + completion.success(); + } else { + ErrorCode err = operr("failed to change nic[ip:%s, mac:%s] firewall default action of virtual router vm[uuid:%s], because %s", + nic.getIp(), nic.getMac(), nic.getVmInstanceUuid(), rsp.getError()); + completion.fail(err); + } + } + }); + } + + @Override + public void afterAttachNicRollback(VmNicInventory nic, NoErrorCompletion completion) { + /* rollback nic will delete all nic configure */ + completion.done(); + } +} diff --git a/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosChangePrivateL3FirewallDefaultActionFlow.java b/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosChangePrivateL3FirewallDefaultActionFlow.java new file mode 100644 index 00000000000..40b5d7f6d02 --- /dev/null +++ b/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosChangePrivateL3FirewallDefaultActionFlow.java 
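Review bot: The class has no Javadoc, and its behaviour differs from VyosChangePrivateL3FirewallDefaultActionFlow in a way worth stating: here a failed agent call fails the nic attach (`completion.fail(...)` in both error branches of the callback), whereas the flow logs and continues. A class comment such as `/** Applies the configured private-L3 firewall default action to a guest nic as it is attached to a VyOS router; non-guest nics are skipped; an agent failure fails the attach. */` would record that choice. `afterAttachNicRollback` relies on nic removal undoing the change, as its comment says; that holds only if the agent's removenic path clears the per-nic firewall configuration, which this patch does not show.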
@@ -0,0 +1,96 @@ +package org.zstack.network.service.virtualrouter.vyos; + +import org.springframework.beans.factory.annotation.Autowire; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Configurable; +import org.zstack.core.cloudbus.CloudBus; +import org.zstack.core.cloudbus.CloudBusCallBack; +import org.zstack.core.timeout.ApiTimeoutManager; +import org.zstack.header.core.workflow.FlowTrigger; +import org.zstack.header.core.workflow.NoRollbackFlow; +import org.zstack.header.errorcode.ErrorCode; +import org.zstack.header.message.MessageReply; +import org.zstack.header.vm.VmInstanceConstant; +import org.zstack.header.vm.VmNicInventory; +import org.zstack.network.service.virtualrouter.*; +import org.zstack.utils.CollectionUtils; +import org.zstack.utils.Utils; +import org.zstack.utils.function.Function; +import org.zstack.utils.logging.CLogger; + +import java.util.*; + +import static org.zstack.core.Platform.operr; + +/** + * Created by shixin.ruan on 18-03-10. 
+ */ +@Configurable(preConstruction = true, autowire = Autowire.BY_TYPE) +public class VyosChangePrivateL3FirewallDefaultActionFlow extends NoRollbackFlow { + @Autowired + protected CloudBus bus; + @Autowired + protected ApiTimeoutManager apiTimeoutManager; + + private final static CLogger logger = Utils.getLogger(VyosChangePrivateL3FirewallDefaultActionFlow.class); + + @Override + public void run(FlowTrigger trigger, Map data) { + String action = VyosGlobalConfig.PRIVATE_L3_FIREWALL_DEFAULT_ACTION.value(String.class); + + final VirtualRouterVmInventory servedVm = (VirtualRouterVmInventory) data.get(VirtualRouterConstant.Param.VR.toString()); + List infos = CollectionUtils.transformToList(servedVm.getGuestNics(), new Function() { + @Override + public VirtualRouterCommands.NicInfo call(VmNicInventory arg) { + VirtualRouterCommands.NicInfo info = new VirtualRouterCommands.NicInfo(); + info.setIp(arg.getIp()); + info.setDefaultRoute(false); + info.setGateway(arg.getGateway()); + info.setMac(arg.getMac()); + info.setNetmask(arg.getNetmask()); + info.setFirewallDefaultAction(action); + + return info; + } + }); + + if (infos == null || infos.isEmpty()) { + trigger.next(); + return; + } + + VirtualRouterCommands.ConfigureNicFirewallDefaultActionCmd cmd = new VirtualRouterCommands.ConfigureNicFirewallDefaultActionCmd(); + cmd.setNics(infos); + + VirtualRouterAsyncHttpCallMsg cmsg = new VirtualRouterAsyncHttpCallMsg(); + cmsg.setCommand(cmd); + cmsg.setCommandTimeout(apiTimeoutManager.getTimeout(cmd.getClass(), "30m")); + cmsg.setPath(VirtualRouterConstant.VR_CONFIGURE_NIC_FIREWALL_DEFAULT_ACTION_PATH); + cmsg.setVmInstanceUuid(servedVm.getUuid()); + bus.makeTargetServiceIdByResourceUuid(cmsg, VmInstanceConstant.SERVICE_ID, servedVm.getUuid()); + bus.send(cmsg, new CloudBusCallBack(trigger) { + /* failure in this flow will not block normal process */ + @Override + public void run(MessageReply reply) { + if (!reply.isSuccess()) { + logger.debug(String.format("failed to 
change nic firewall default action of virtual router vm[uuid:%s ip:%s], because %s", + servedVm.getUuid(), servedVm.getManagementNic().getIp(), reply.getError())); + trigger.next(); + return; + } + + VirtualRouterAsyncHttpCallReply re = reply.castReply(); + VirtualRouterCommands.ConfigureNicFirewallDefaultActionRsp rsp = re.toResponse(VirtualRouterCommands.ConfigureNicFirewallDefaultActionRsp.class); + if (rsp.isSuccess()) { + logger.debug(String.format("successfully change nic firewall default action of virtual router vm[uuid:%s, ip:%s]", + servedVm.getUuid(), servedVm.getManagementNic().getIp())); + trigger.next(); + } else { + logger.debug(String.format("failed to change nic firewall default action of virtual router vm[uuid:%s ip:%s], because %s", + servedVm.getUuid(), servedVm.getManagementNic().getIp(), rsp.getError())); + trigger.next(); + } + } + }); + } +} diff --git a/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosConstants.java b/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosConstants.java index 6911e7a5705..5cdcf0d79c6 100755 --- a/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosConstants.java +++ b/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosConstants.java @@ -12,6 +12,8 @@ public interface VyosConstants { String ANSIBLE_PLAYBOOK_NAME = "zvr.py"; String ANSIBLE_MODULE_PATH = "ansible/zvr"; + String PRIVATE_L3_FIREWALL_DEFAULT_ACTION = "reject"; + NetworkServiceProviderType PROVIDER_TYPE = new NetworkServiceProviderType(VyosConstants.VYOS_ROUTER_PROVIDER_TYPE); enum BootstrapInfoKey { diff --git a/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosGlobalConfig.java b/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosGlobalConfig.java new file mode 100644 index 00000000000..15300258d6f 
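Review bot: In the callback, both failure branches (`!reply.isSuccess()` and `!rsp.isSuccess()`) log at debug and call `trigger.next()`, so a router can finish connecting with its private-L3 firewall default action still not matching the configured value (e.g. accepting where the operator set `reject`) and nothing above debug level records it. The non-blocking behaviour is deliberate per the `/* failure in this flow will not block normal process */` comment, so keep it but raise those two calls to `logger.warn(...)` and include the attempted value, e.g. `logger.warn(String.format("failed to change nic firewall default action[%s] of virtual router vm[uuid:%s ip:%s], because %s", action, servedVm.getUuid(), servedVm.getManagementNic().getIp(), reply.getError()))`. The log lines also call `servedVm.getManagementNic().getIp()` unguarded; if a VR in these flow chains can lack a management nic, the log statement itself would throw inside the callback.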
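Review bot: `PRIVATE_L3_FIREWALL_DEFAULT_ACTION = "reject"` in VyosConstants is not referenced by any other hunk of this patch; the effective default comes from conf/globalConfig/vyos.xml (`reject`) and the allowed values from `@GlobalConfigValidation` in VyosGlobalConfig. Two unlinked copies of the same default drift silently. Either drop the constant, or make it the single source by having the XML default generated from it if the framework allows; at minimum a comment saying `// must match the default in conf/globalConfig/vyos.xml` would flag the coupling.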
--- /dev/null +++ b/plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosGlobalConfig.java @@ -0,0 +1,16 @@ +package org.zstack.network.service.virtualrouter.vyos; + +import org.zstack.core.config.GlobalConfig; +import org.zstack.core.config.GlobalConfigDefinition; +import org.zstack.core.config.GlobalConfigValidation; + +/** + * Created by shixin.ruan on 18/03/09. + */ +@GlobalConfigDefinition +public class VyosGlobalConfig { + public static final String CATEGORY = "vyos"; + + @GlobalConfigValidation(validValues = {"accept", "reject"}) + public static GlobalConfig PRIVATE_L3_FIREWALL_DEFAULT_ACTION = new GlobalConfig(CATEGORY, "private.l3.firewall.default.action"); +} diff --git a/simulator/simulatorImpl/src/main/java/org/zstack/simulator/virtualrouter/VirtualRouterSimulator.java b/simulator/simulatorImpl/src/main/java/org/zstack/simulator/virtualrouter/VirtualRouterSimulator.java index d1ef64f2901..247f1c61d8f 100755 --- a/simulator/simulatorImpl/src/main/java/org/zstack/simulator/virtualrouter/VirtualRouterSimulator.java +++ b/simulator/simulatorImpl/src/main/java/org/zstack/simulator/virtualrouter/VirtualRouterSimulator.java 
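Review bot: `PRIVATE_L3_FIREWALL_DEFAULT_ACTION` has no Javadoc saying what it controls or when it takes effect. A comment along the lines of `/** Default action of the per-nic firewall on private L3 networks served by a VyOS router; applied on router connect (VyosChangePrivateL3FirewallDefaultActionFlow) and on nic attach (VyosChangePrivateL3FirewallDefaultActionExtensionPoint); default "reject" from conf/globalConfig/vyos.xml. */` would cover it. If `validValues` is compared as plain strings, `Reject` or `ACCEPT` will be refused at config time; that is presumably intended, since the value is forwarded verbatim to the agent, but worth a word in the same comment.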
@@ -431,6 +431,24 @@ String configureNic(HttpServletRequest req) { return null; } + @AsyncThread + private void doConfigureNicFirewallDefaultAction(HttpEntity entity) { + ConfigureNicFirewallDefaultActionCmd cmd = JSONObjectUtil.toObject(entity.getBody(), ConfigureNicFirewallDefaultActionCmd.class); + ConfigureNicFirewallDefaultActionRsp rsp = new ConfigureNicFirewallDefaultActionRsp(); + + logger.debug(String.format("successfully configured nics: %s firewall default action", JSONObjectUtil.toJsonString(cmd.getNics()))); + replyer.reply(entity, rsp); + return; + } + + @RequestMapping(value = VirtualRouterConstant.VR_CONFIGURE_NIC_FIREWALL_DEFAULT_ACTION_PATH, method = RequestMethod.POST) + private @ResponseBody + String configureNicFirewallDefaultAction(HttpServletRequest req) { + HttpEntity entity = restf.httpServletRequestToHttpEntity(req); + doConfigureNicFirewallDefaultAction(entity); + return null; + } + @RequestMapping(value = VirtualRouterConstant.VR_REMOVE_DHCP_PATH, method = RequestMethod.POST) private @ResponseBody String removeDchpEntry(HttpServletRequest req) { diff --git a/testlib/src/main/java/org/zstack/testlib/VirtualRouterOfferingSpec.groovy b/testlib/src/main/java/org/zstack/testlib/VirtualRouterOfferingSpec.groovy index c53db420e31..aec04415f83 100755 --- a/testlib/src/main/java/org/zstack/testlib/VirtualRouterOfferingSpec.groovy +++ b/testlib/src/main/java/org/zstack/testlib/VirtualRouterOfferingSpec.groovy @@ -195,6 +195,10 @@ class VirtualRouterOfferingSpec extends InstanceOfferingSpec { return new VirtualRouterCommands.ConfigureNicRsp() } + simulator(VirtualRouterConstant.VR_CONFIGURE_NIC_FIREWALL_DEFAULT_ACTION_PATH) { + return new VirtualRouterCommands.ConfigureNicFirewallDefaultActionRsp() + } + simulator(VirtualRouterConstant.VR_REMOVE_NIC_PATH) { return new VirtualRouterCommands.RemoveNicRsp() }
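Review bot: `doConfigureNicFirewallDefaultAction` ends a void method with a bare `return;`, which is dead code; drop it. The stub also accepts any `firewallDefaultAction` value and always replies success, so a test driving `configureNicFirewallDefaultAction` would not notice a caller sending something other than `accept`/`reject`. If the simulator is meant to stand in for the agent, checking each nic's value against those two strings and logging a warning (or marking the response as failed, if AgentResponse supports that) would make the simulator-based tests meaningful for this path.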