CLOUDSTACK-763: Upgrade networkAcls from firewall_rules to network_acl_item table
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a1023e4d Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a1023e4d Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a1023e4d Branch: refs/heads/ui-vpc-redesign Commit: a1023e4d04826f772cb852b578ba4504760c0e12 Parents: b30a01a Author: Kishan Kavala <[email protected]> Authored: Fri May 3 18:06:57 2013 +0530 Committer: Kishan Kavala <[email protected]> Committed: Mon May 13 12:03:38 2013 +0530 ---------------------------------------------------------------------- .../src/com/cloud/upgrade/dao/Upgrade410to420.java | 153 +++++++++++++++ 1 files changed, 153 insertions(+), 0 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a1023e4d/engine/schema/src/com/cloud/upgrade/dao/Upgrade410to420.java ----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade410to420.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade410to420.java
index 3a164c4..0616515 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade410to420.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade410to420.java
@@ -19,11 +19,14 @@ package com.cloud.upgrade.dao;
 import java.io.File;
 import java.sql.Connection;
+import java.sql.Date;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
+import java.sql.Types;
 import java.util.UUID;
+import com.cloud.network.vpc.NetworkACL;
 import org.apache.log4j.Logger;
 import com.cloud.utils.exception.CloudRuntimeException;
@@ -69,6 +72,7 @@ public class Upgrade410to420 implements DbUpgrade {
 upgradeEIPNetworkOfferings(conn);
 upgradeDefaultVpcOffering(conn);
 upgradePhysicalNtwksWithInternalLbProvider(conn);
+ updateNetworkACLs(conn);
 }
 private void updateSystemVmTemplates(Connection conn) {
@@ -309,6 +313,7 @@ public class Upgrade410to420 implements DbUpgrade {
 }
 }
 }
+
 private void addEgressFwRulesForSRXGuestNw(Connection conn) {
 PreparedStatement pstmt = null;
 ResultSet rs = null;
@@ -390,11 +395,159 @@ public class Upgrade410to420 implements DbUpgrade {
 }
 } catch (SQLException e) {
 throw new CloudRuntimeException("Unable to set elastic_ip_service for network offerings with EIP service enabled.", e);
+ }
+ }
+
+ private void updateNetworkACLs(Connection conn) {
+ //Fetch all VPC Tiers
+ //For each tier create a network ACL and move all the acl_items to network_acl_item table
+ // If there are no acl_items for a tier, associate it with default ACL
+ s_logger.debug("Updating network ACLs");
+ PreparedStatement pstmt = null;
+ PreparedStatement pstmtDelete = null;
+ ResultSet rs = null;
+ ResultSet rsAcls = null;
+ ResultSet rsCidr = null;
+ //1,2 are default acl Ids, start Ids from 3
+ long nextAclId = 3;
+ try {
+ pstmt = conn.prepareStatement("SELECT id, vpc_id, uuid FROM `cloud`.`networks` where vpc_id is not null and removed is null");
+ rs = pstmt.executeQuery();
+ while (rs.next()) {
+ Long networkId = rs.getLong(1);
+ s_logger.debug("Updating network ACLs for network: "+networkId);
+ Long vpcId = rs.getLong(2);
+ String tierUuid = rs.getString(3);
+ pstmt = conn.prepareStatement("SELECT id, uuid, start_port, end_port, state, protocol, icmp_code, icmp_type, created, traffic_type FROM `cloud`.`firewall_rules` where network_id = ? and purpose = 'NetworkACL'");
+ pstmt.setLong(1, networkId);
+ rsAcls = pstmt.executeQuery();
+ boolean hasAcls = false;
+ Long aclId = null;
+ int number = 1;
+ while(rsAcls.next()){
+ if(!hasAcls){
+ hasAcls = true;
+ aclId = nextAclId++;
+ //create ACL
+ s_logger.debug("Creating network ACL for tier: "+tierUuid);
+ pstmt = conn.prepareStatement("INSERT INTO `cloud`.`network_acl` (id, uuid, vpc_id, description, name) values (?, UUID(), ? 
, ?, ?)");
+ pstmt.setLong(1, aclId);
+ pstmt.setLong(2, vpcId);
+ pstmt.setString(3, "ACL for tier " + tierUuid);
+ pstmt.setString(4, "tier_" + tierUuid);
+ pstmt.executeUpdate();
+ }
+
+ Long fwRuleId = rsAcls.getLong(1);
+ String cidr = null;
+ //get cidr
+ pstmt = conn.prepareStatement("SELECT id, source_cidr FROM `cloud`.`firewall_rules_cidrs` where firewall_rule_id = ?");
+ pstmt.setLong(1, fwRuleId);
+ rsCidr = pstmt.executeQuery();
+ while(rsCidr.next()){
+ Long cidrId = rsCidr.getLong(1);
+ String sourceCidr = rsCidr.getString(2);
+ if(cidr == null){
+ cidr = sourceCidr;
+ } else {
+ cidr += ","+sourceCidr;
+ }
+ //Delete cidr entry
+ pstmtDelete = conn.prepareStatement("DELETE FROM `cloud`.`firewall_rules_cidrs` where id = ?");
+ pstmtDelete.setLong(1, cidrId);
+ pstmtDelete.executeUpdate();
+ }
+
+
+ String aclItemUuid = rsAcls.getString(2);
+ //Move acl to network_acl_item table
+ s_logger.debug("Moving firewall rule: "+aclItemUuid);
+ pstmt = conn.prepareStatement("INSERT INTO `cloud`.`network_acl_item` (uuid, acl_id, start_port, end_port, state, protocol, icmp_code, icmp_type, created, traffic_type, cidr, number, action) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? 
)"); + //uuid + pstmt.setString(1, aclItemUuid); + //aclId + pstmt.setLong(2, aclId); + //Start port + Integer startPort = rsAcls.getInt(3); + if(rsAcls.wasNull()){ + pstmt.setNull(3, Types.INTEGER); + } else { + pstmt.setLong(3, startPort); + } + //End port + Integer endPort = rsAcls.getInt(4); + if(rsAcls.wasNull()){ + pstmt.setNull(4, Types.INTEGER); + } else { + pstmt.setLong(4, endPort); + } + //State + String state = rsAcls.getString(5); + pstmt.setString(5, state); + //protocol + String protocol = rsAcls.getString(6); + pstmt.setString(6, protocol); + //icmp_code + Integer icmpCode = rsAcls.getInt(7); + if(rsAcls.wasNull()){ + pstmt.setNull(7, Types.INTEGER); + } else { + pstmt.setLong(7, icmpCode); + } + + //icmp_type + Integer icmpType = rsAcls.getInt(8); + if(rsAcls.wasNull()){ + pstmt.setNull(8, Types.INTEGER); + } else { + pstmt.setLong(8, icmpType); + } + + //created + Date created = rsAcls.getDate(9); + pstmt.setDate(9, created); + //traffic type + String trafficType = rsAcls.getString(10); + pstmt.setString(10, trafficType); + + //cidr + pstmt.setString(11, cidr); + //number + pstmt.setInt(12, number++); + //action + pstmt.setString(13, "Allow"); + pstmt.executeUpdate(); + + //Delete firewall rule + pstmtDelete = conn.prepareStatement("DELETE FROM `cloud`.`firewall_rules` where id = ?"); + pstmtDelete.setLong(1, fwRuleId); + pstmtDelete.executeUpdate(); + } + if(!hasAcls){ + //no network ACls for this network. + // Assign default Deny ACL + aclId = NetworkACL.DEFAULT_DENY; + } + //Assign acl to network + pstmt = conn.prepareStatement("UPDATE `cloud`.`networks` set network_acl_id=? 
where id=?");
+ pstmt.setLong(1, aclId);
+ pstmt.setLong(2, networkId);
+ pstmt.executeUpdate();
+ }
+ s_logger.debug("Done updating network ACLs ");
+ } catch (SQLException e) {
+ throw new CloudRuntimeException("Unable to move network acls from firewall rules table to network_acl_item table", e);
 } finally {
 try {
 if (rs != null) {
 rs.close();
 }
+ if (rsAcls != null) {
+ rsAcls.close();
+ }
+ if (rsCidr != null) {
+ rsCidr.close();
+ }
 if (pstmt != null) {
 pstmt.close();
 }
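Review bot: The new updateNetworkACLs body deletes each `firewall_rules` row and its `firewall_rules_cidrs` rows as soon as it has copied them into `network_acl_item`, but nothing in the hunk shows a transaction boundary on `conn`, so if the connection is in autocommit mode a failure part-way through leaves some tiers with their ACL entries already deleted and not yet recreated — firewall rules silently lost for those tiers rather than a failed, retryable upgrade. One plausible trigger is visible here: `nextAclId` is hard-coded to start at 3 instead of being derived from the existing `network_acl` rows, so a re-run or a pre-populated table would hit a duplicate primary key on the `INSERT INTO network_acl`; wrapping the loop in `conn.setAutoCommit(false)` with a `commit()` at the end and a rollback in the catch, or deferring the deletes until every insert has succeeded, would make the move all-or-nothing. Two smaller correctness points: `rsAcls.getDate(9)` / `pstmt.setDate(9, created)` drops the time-of-day of `created` (use `rsAcls.getTimestamp(9)` / `pstmt.setTimestamp(9, ...)`), and the per-tier `SELECT ... FROM firewall_rules` has no `ORDER BY`, so the `number` assigned to each migrated item depends on whatever order MySQL returns rows in; appending `order by id` to that query makes the resulting ACL order deterministic. Finally, `pstmt`, `pstmtDelete`, `rsAcls` and `rsCidr` are reassigned on every iteration without being closed and `pstmtDelete` is not closed in the `finally` at all, so on a large deployment each statement leaks until the connection is dropped — close each one right after its `executeUpdate()` or result-set loop. The method's `finally` block and closing brace run past the end of the hunk.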
