
Commit e9826a6

CLOUDSTACK-10047: Allow security policies to apply on port groups
- Accepts security policies while creating network offering
- Deployed network will have security policies from the network offering applied on the port group (in vmware environment)
- Global settings as fallback when security policies are not defined for a network offering
- Default promiscuous mode security policy set to REJECT as it's the default for standard/default vswitch

Signed-off-by: Rohit Yadav <[email protected]>
1 parent 7ca5b53 commit e9826a6


12 files changed

+401
-78
lines changed


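--- a/api/src/com/cloud/agent/api/to/NicTO.java
+++ b/api/src/com/cloud/agent/api/to/NicTO.java
@@ -16,7 +16,10 @@
 // under the License.
 package com.cloud.agent.api.to;
 
+import com.cloud.offering.NetworkOffering;
+
 import java.util.List;
+import java.util.Map;
 
 public class NicTO extends NetworkTO {
 int deviceId;
@@ -26,6 +29,7 @@ public class NicTO extends NetworkTO {
 boolean pxeDisable;
 String nicUuid;
 List<String> nicSecIps;
+Map<NetworkOffering.Detail, String> details;
 
 public NicTO() {
 super();
@@ -97,4 +101,12 @@ public String getNetworkUuid() {
 public void setNetworkUuid(String uuid) {
 super.setUuid(uuid);
 }
+
+public Map<NetworkOffering.Detail, String> getDetails() {
+return details;
+}
+
+public void setDetails(final Map<NetworkOffering.Detail, String> details) {
+this.details = details;
+}
 }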
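Review bot: The new `details` field and its accessors carry no documentation, and `setDetails` keeps the caller's map by reference, so the hypervisor side cannot tell from this class what the map holds or whether it may be absent. A field comment such as `/** Network-offering details forwarded to the hypervisor resource, e.g. the port-group security policy flags keyed by NetworkOffering.Detail; null when the nic's network could not be resolved. */` would capture the contract that HypervisorGuruBase appears to follow (it only calls `setDetails` when the network lookup succeeds). If the TO is meant to be immutable once built, consider storing an unmodifiable copy in `setDetails` rather than the live map.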

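--- a/api/src/com/cloud/offering/NetworkOffering.java
+++ b/api/src/com/cloud/offering/NetworkOffering.java
@@ -38,7 +38,7 @@ public enum State {
 }
 
 public enum Detail {
-InternalLbProvider, PublicLbProvider, servicepackageuuid, servicepackagedescription
+InternalLbProvider, PublicLbProvider, servicepackageuuid, servicepackagedescription, PromiscuousMode, MacAddressChanges, ForgedTransmits
 }
 
 public final static String SystemPublicNetwork = "System-Public-Network";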
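Review bot: The new constants are CamelCase (`PromiscuousMode`) while CreateNetworkOfferingCmd advertises the API keys as lowercase (`promiscuousmode`); the enum already mixes both styles, so whatever maps API keys to `Detail` must be case-insensitive, otherwise a user-supplied lowercase key would never match and the global fallback would silently win. That mapping is not in this commit, so please confirm it. A one-line comment on the new constants would also help the next reader: `// vSwitch/dvSwitch port-group security policy; value is "true" (accept) or "false" (reject)`.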

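--- a/api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
@@ -113,7 +113,8 @@ public class CreateNetworkOfferingCmd extends BaseCmd {
 private Boolean isPersistent;
 
 @Parameter(name = ApiConstants.DETAILS, type = CommandType.MAP, since = "4.2.0", description = "Network offering details in key/value pairs."
-+ " Supported keys are internallbprovider/publiclbprovider with service provider as a value")
++ " Supported keys are internallbprovider/publiclbprovider with service provider as a value, and"
++ " promiscuousmode/macaddresschanges/forgedtransmits with true/false as value to accept/reject the security settings if available for a nic/portgroup")
 protected Map details;
 
 @Parameter(name = ApiConstants.EGRESS_DEFAULT_POLICY,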
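Review bot: The description documents the new keys but nothing in this hunk constrains their values; if the consumer parses them with `Boolean.parseBoolean` (not visible here), a typo such as `ture` silently becomes `false`, which is the safe direction for a security policy but leaves the operator with no error. Validate the three keys to exactly `true`/`false` in the command or the service layer and reject anything else. The description should also say what happens when a key is omitted, e.g. append `"; when a key is omitted the global settings network.promiscuous.mode, network.mac.address.changes and network.forged.transmits apply"`.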

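--- a/engine/api/src/org/apache/cloudstack/engine/orchestration/service/NetworkOrchestrationService.java
+++ b/engine/api/src/org/apache/cloudstack/engine/orchestration/service/NetworkOrchestrationService.java
@@ -77,6 +77,15 @@ public interface NetworkOrchestrationService {
 ConfigKey<Integer> NetworkThrottlingRate = new ConfigKey<Integer>("Network", Integer.class, NetworkThrottlingRateCK, "200",
 "Default data transfer rate in megabits per second allowed in network.", true, ConfigKey.Scope.Zone);
 
+ConfigKey<Boolean> PromiscuousMode = new ConfigKey<Boolean>("Advanced", Boolean.class, "network.promiscuous.mode", "false",
+"Whether to allow or deny promiscuous mode on nics for applicable network elements such as for vswitch/dvswitch portgroups.", true);
+
+ConfigKey<Boolean> MacAddressChanges = new ConfigKey<Boolean>("Advanced", Boolean.class, "network.mac.address.changes", "true",
+"Whether to allow or deny mac address changes on nics for applicable network elements such as for vswitch/dvswitch porgroups.", true);
+
+ConfigKey<Boolean> ForgedTransmits = new ConfigKey<Boolean>("Advanced", Boolean.class, "network.forged.transmits", "true",
+"Whether to allow or deny forged transmits on nics for applicable network elements such as for vswitch/dvswitch portgroups.", true);
+
 List<? extends Network> setupNetwork(Account owner, NetworkOffering offering, DeploymentPlan plan, String name, String displayText, boolean isDefault)
 throws ConcurrentOperationException;
 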
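Review bot: The `MacAddressChanges` description string contains a typo, `porgroups`, that will show up verbatim in the global-settings UI; it should read `portgroups` like the other two. More importantly, the `"true"` defaults for `network.mac.address.changes` and `network.forged.transmits` globally accept guest MAC spoofing on every port group these settings reach; that matches the standard-vswitch default the commit message cites, but distributed switches have, as far as I recall, shipped with Reject for both since vSphere 5.1, so pushing these globals onto dvSwitch port groups may loosen them — worth confirming and stating in the description. I would spell the meaning of the value out, e.g. `"Whether to allow (true) or deny (false) mac address changes on nics for applicable network elements such as vswitch/dvswitch portgroups; deny is the more restrictive setting."`, and the same for the other two keys.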

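--- a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
+++ b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
@@ -3663,6 +3663,8 @@ public String getConfigComponentName() {
 
 @Override
 public ConfigKey<?>[] getConfigKeys() {
-return new ConfigKey<?>[] {NetworkGcWait, NetworkGcInterval, NetworkLockTimeout, GuestDomainSuffix, NetworkThrottlingRate, MinVRVersion};
+return new ConfigKey<?>[] {NetworkGcWait, NetworkGcInterval, NetworkLockTimeout,
+GuestDomainSuffix, NetworkThrottlingRate, MinVRVersion,
+PromiscuousMode, MacAddressChanges, ForgedTransmits};
 }
 }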

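--- a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/manager/VmwareManagerImpl.java
+++ b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/manager/VmwareManagerImpl.java
@@ -392,11 +392,11 @@ private void prepareHost(HostMO hostMo, String privateTrafficLabel) throws Excep
 VirtualSwitchType vsType = VirtualSwitchType.getType(vSwitchType);
 //The management network is probably always going to be a physical network with islation type of vlans, so assume BroadcastDomainType VLAN
 if (VirtualSwitchType.StandardVirtualSwitch == vsType) {
-HypervisorHostHelper.prepareNetwork(vSwitchName, "cloud.private", hostMo, vlanId, null, null, 180000, false, BroadcastDomainType.Vlan, null);
+HypervisorHostHelper.prepareNetwork(vSwitchName, "cloud.private", hostMo, vlanId, null, null, 180000, false, BroadcastDomainType.Vlan, null, null);
 }
 else {
 HypervisorHostHelper.prepareNetwork(vSwitchName, "cloud.private", hostMo, vlanId, null, null, null, 180000,
-vsType, _portsPerDvPortGroup, null, false, BroadcastDomainType.Vlan, null);
+vsType, _portsPerDvPortGroup, null, false, BroadcastDomainType.Vlan, null, null);
 }
 }
 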
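Review bot: Both `prepareNetwork` calls in `prepareHost` pass `null` for the new details argument, so the management (`cloud.private`) port group receives neither an offering-level nor a global security policy through this path; what `prepareNetwork` does with a null map is not visible in this commit and presumably leaves the port group's existing policy untouched — please confirm. A comment at the call site would make that deliberate: `// no offering details for the management port group: the existing vswitch security policy is left as is`. `prepareHost` starts and ends outside the hunk.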

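--- a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
+++ b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
@@ -1181,11 +1181,11 @@ private void plugPublicNic(VirtualMachineMO vmMo, final String vlanId, final Str
 if (VirtualSwitchType.StandardVirtualSwitch == vSwitchType) {
 networkInfo = HypervisorHostHelper.prepareNetwork(_publicTrafficInfo.getVirtualSwitchName(),
 "cloud.public", vmMo.getRunningHost(), vlanId, null, null,
-_opsTimeout, true, BroadcastDomainType.Vlan, null);
+_opsTimeout, true, BroadcastDomainType.Vlan, null, null);
 } else {
 networkInfo =
 HypervisorHostHelper.prepareNetwork(_publicTrafficInfo.getVirtualSwitchName(), "cloud.public", vmMo.getRunningHost(), vlanId, null, null, null,
-_opsTimeout, vSwitchType, _portsPerDvPortGroup, null, false, BroadcastDomainType.Vlan, _vsmCredentials);
+_opsTimeout, vSwitchType, _portsPerDvPortGroup, null, false, BroadcastDomainType.Vlan, _vsmCredentials, null);
 }
 
 int nicIndex = allocPublicNicIndex(vmMo);
@@ -3036,7 +3036,7 @@ private Pair<ManagedObjectReference, String> prepareNetworkFromNicInfo(HostMO ho
 if (VirtualSwitchType.StandardVirtualSwitch == switchType) {
 networkInfo = HypervisorHostHelper.prepareNetwork(switchName, namePrefix, hostMo,
 getVlanInfo(nicTo, vlanToken), nicTo.getNetworkRateMbps(), nicTo.getNetworkRateMulticastMbps(),
-_opsTimeout, !namePrefix.startsWith("cloud.private"), nicTo.getBroadcastType(), nicTo.getUuid());
+_opsTimeout, true, nicTo.getBroadcastType(), nicTo.getUuid(), nicTo.getDetails());
 }
 else {
 String vlanId = getVlanInfo(nicTo, vlanToken);
@@ -3051,7 +3051,7 @@ private Pair<ManagedObjectReference, String> prepareNetworkFromNicInfo(HostMO ho
 }
 networkInfo = HypervisorHostHelper.prepareNetwork(switchName, namePrefix, hostMo, vlanId, svlanId,
 nicTo.getNetworkRateMbps(), nicTo.getNetworkRateMulticastMbps(), _opsTimeout, switchType,
-_portsPerDvPortGroup, nicTo.getGateway(), configureVServiceInNexus, nicTo.getBroadcastType(), _vsmCredentials);
+_portsPerDvPortGroup, nicTo.getGateway(), configureVServiceInNexus, nicTo.getBroadcastType(), _vsmCredentials, nicTo.getDetails());
 }
 
 return networkInfo;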
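Review bot: In the hunk at line 3039 the eighth argument to the standard-vswitch `prepareNetwork` overload changed from `!namePrefix.startsWith("cloud.private")` to an unconditional `true`, a behaviour change the commit message does not mention and that has nothing to do with passing `nicTo.getDetails()`. `VmwareManagerImpl.prepareHost` still passes `false` for `cloud.private` on the same overload, so a private port group is now prepared differently depending on which caller reaches it. If this was unintended, restore `!namePrefix.startsWith("cloud.private")`; if intended, say why in a comment above the call. Both hunks sit inside `prepareNetworkFromNicInfo`, whose beginning and end lie outside them.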

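--- a/server/src/com/cloud/hypervisor/HypervisorGuruBase.java
+++ b/server/src/com/cloud/hypervisor/HypervisorGuruBase.java
@@ -22,16 +22,20 @@
 
 import javax.inject.Inject;
 
+import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.log4j.Logger;
 
 import com.cloud.agent.api.Command;
 import com.cloud.agent.api.to.DiskTO;
 import com.cloud.agent.api.to.NicTO;
 import com.cloud.agent.api.to.VirtualMachineTO;
 import com.cloud.gpu.GPU;
+import com.cloud.network.Networks.BroadcastDomainType;
 import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.dao.NetworkVO;
+import com.cloud.offering.NetworkOffering;
 import com.cloud.offering.ServiceOffering;
+import com.cloud.offerings.dao.NetworkOfferingDetailsDao;
 import com.cloud.resource.ResourceManager;
 import com.cloud.service.ServiceOfferingDetailsVO;
 import com.cloud.service.dao.ServiceOfferingDao;
@@ -48,7 +52,6 @@
 import com.cloud.vm.dao.NicSecondaryIpDao;
 import com.cloud.vm.dao.UserVmDetailsDao;
 import com.cloud.vm.dao.VMInstanceDao;
-import com.cloud.network.Networks.BroadcastDomainType;
 
 public abstract class HypervisorGuruBase extends AdapterBase implements HypervisorGuru {
 public static final Logger s_logger = Logger.getLogger(HypervisorGuruBase.class);
@@ -58,6 +61,8 @@ public abstract class HypervisorGuruBase extends AdapterBase implements Hypervis
 @Inject
 private NetworkDao _networkDao;
 @Inject
+private NetworkOfferingDetailsDao networkOfferingDetailsDao;
+@Inject
 private VMInstanceDao _virtualMachineDao;
 @Inject
 private UserVmDetailsDao _userVmDetailsDao;
@@ -138,7 +143,24 @@ protected VirtualMachineTO toVirtualMachineTO(VirtualMachineProfile vmProfile) {
 if(vm.getType() == VirtualMachine.Type.NetScalerVm) {
 nicProfile.setBroadcastType(BroadcastDomainType.Native);
 }
-nics[i++] = toNicTO(nicProfile);
+NicTO nicTo = toNicTO(nicProfile);
+final NetworkVO network = _networkDao.findByUuid(nicTo.getNetworkUuid());
+if (network != null) {
+final Map<NetworkOffering.Detail, String> details = networkOfferingDetailsDao.getNtwkOffDetails(network.getNetworkOfferingId());
+if (details != null) {
+if (!details.containsKey(NetworkOffering.Detail.PromiscuousMode)) {
+details.put(NetworkOffering.Detail.PromiscuousMode, NetworkOrchestrationService.PromiscuousMode.value().toString());
+}
+if (!details.containsKey(NetworkOffering.Detail.MacAddressChanges)) {
+details.put(NetworkOffering.Detail.MacAddressChanges, NetworkOrchestrationService.MacAddressChanges.value().toString());
+}
+if (!details.containsKey(NetworkOffering.Detail.ForgedTransmits)) {
+details.put(NetworkOffering.Detail.ForgedTransmits, NetworkOrchestrationService.ForgedTransmits.value().toString());
+}
+}
+nicTo.setDetails(details);
+}
+nics[i++] = nicTo;
 }
 
 to.setNics(nics);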
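Review bot: The global-setting fallback at lines 150-160 only runs when `getNtwkOffDetails` returns a non-null map, so an offering with no details row at all (if the DAO returns null in that case) ships `nicTo.details == null` to the hypervisor and neither the offering policy nor the globals reach the port group — the opposite of the "global settings as fallback" the commit describes. The code also `put`s the defaults into the map the DAO handed back; if that map is cached or shared, the defaults leak into it for every later caller. Copy into a fresh map and always apply the defaults, as below; `java.util.HashMap` must be imported (`java.util.Map` is used but not visible among these imports either — confirm it is imported earlier in the file), and `putIfAbsent` needs Java 8, otherwise keep the `containsKey` checks. The enclosing `toVirtualMachineTO` loop and its index `i` start and end outside the hunk.
```java
NicTO nicTo = toNicTO(nicProfile);
final NetworkVO network = _networkDao.findByUuid(nicTo.getNetworkUuid());
if (network != null) {
    final Map<NetworkOffering.Detail, String> offeringDetails = networkOfferingDetailsDao.getNtwkOffDetails(network.getNetworkOfferingId());
    // never mutate the map the DAO hands back; every policy not set on the offering falls back to the global setting
    final Map<NetworkOffering.Detail, String> details = offeringDetails != null ? new HashMap<>(offeringDetails) : new HashMap<>();
    details.putIfAbsent(NetworkOffering.Detail.PromiscuousMode, NetworkOrchestrationService.PromiscuousMode.value().toString());
    details.putIfAbsent(NetworkOffering.Detail.MacAddressChanges, NetworkOrchestrationService.MacAddressChanges.value().toString());
    details.putIfAbsent(NetworkOffering.Detail.ForgedTransmits, NetworkOrchestrationService.ForgedTransmits.value().toString());
    nicTo.setDetails(details);
}
nics[i++] = nicTo;
```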

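--- a/ui/scripts/configuration.js
+++ b/ui/scripts/configuration.js
@@ -2811,6 +2811,60 @@
 }
 },
 
+promiscuousMode: {
+label: 'label.promiscuous.mode',
+select: function(args) {
+args.response.success({
+data: [{
+id: '',
+description: ''
+}, {
+id: 'true',
+description: 'Accept'
+}, {
+id: 'false',
+description: 'Reject'
+}]
+});
+}
+},
+
+macAddressChanges: {
+label: 'label.mac.address.changes',
+select: function(args) {
+args.response.success({
+data: [{
+id: '',
+description: ''
+}, {
+id: 'true',
+description: 'Accept'
+}, {
+id: 'false',
+description: 'Reject'
+}]
+});
+}
+},
+
+forgedTransmits: {
+label: 'label.forged.trasmits',
+select: function(args) {
+args.response.success({
+data: [{
+id: '',
+description: ''
+}, {
+id: 'true',
+description: 'Accept'
+}, {
+id: 'false',
+description: 'Reject'
+}]
+});
+}
+},
+
 supportedServices: {
 label: 'label.supported.services',
 
@@ -3341,6 +3395,22 @@
 delete inputData.egressdefaultpolicy;
 }
 
+if ("promiscuousMode" in inputData) {
+inputData['details[0].promiscuousMode'] = inputData.promiscuousMode;
+delete inputData.promiscuousMode;
+}
+
+if ("macAddressChanges" in inputData) {
+inputData['details[0].macAddressChanges'] = inputData.macAddressChanges;
+delete inputData.macAddressChanges;
+}
+
+if ("forgedTransmits" in inputData) {
+inputData['details[0].forgedTransmits'] = inputData.forgedTransmits;
+delete inputData.forgedTransmits;
+}
+
+
 if (args.$form.find('.form-item[rel=serviceofferingid]').css("display") == "none")
 delete inputData.serviceofferingid;
 
@@ -3639,6 +3709,9 @@
 },
 tags: {
 label: 'label.tags'
+},
+details: {
+label: 'label.details'
 }
 }],
 
@@ -3649,9 +3722,16 @@
 async: true,
 success: function(json) {
 var item = json.listnetworkofferingsresponse.networkoffering[0];
+if (!item.hasOwnProperty('details')) {
+item.details = {};
+}
 args.response.success({
 actionFilter: networkOfferingActionfilter,
 data: $.extend(item, {
+details: $.map(item.details, function(val, key) {
+return key + "=" + val;
+}).join(', '),
+
 supportedServices: $.map(item.service, function(service) {
 return service.name;
 }).join(', '),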
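Review bot: The three `if (... in inputData)` blocks at 3398-3411 forward the blank option (`id: ''`, the "not set" choice) as `details[0].<key>=''`, so the API receives an empty-string detail for a policy the operator deliberately left unset; depending on how the server stores it, that empty value may shadow the global fallback an unset key is supposed to trigger, and nothing in the new server code validates it. Only forward a non-empty value and drop the key otherwise, which a small loop does for all three copies (below). Separately, the label key `'label.forged.trasmits'` at 2851 looks misspelled (`trasmits`) and will render as the raw key unless the messages file carries the same typo.
```javascript
// … unchanged: egressdefaultpolicy handling …
$.each(['promiscuousMode', 'macAddressChanges', 'forgedTransmits'], function(idx, key) {
    if (key in inputData) {
        if (inputData[key] !== '') { // blank option means "use the global setting": send nothing
            inputData['details[0].' + key] = inputData[key];
        }
        delete inputData[key];
    }
});
// … unchanged: serviceofferingid handling …
```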

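--- a/vmware-base/pom.xml
+++ b/vmware-base/pom.xml
@@ -42,6 +42,11 @@
 <artifactId>cloud-api</artifactId>
 <version>${project.version}</version>
 </dependency>
+<dependency>
+<groupId>org.apache.cloudstack</groupId>
+<artifactId>cloud-engine-api</artifactId>
+<version>${project.version}</version>
+</dependency>
 <dependency>
 <groupId>com.google.code.gson</groupId>
 <artifactId>gson</artifactId>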
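Review bot: `vmware-base` now depends on `cloud-engine-api`, which pulls the orchestration-engine API into a hypervisor helper library that previously needed only `cloud-api`. The only engine-API symbols this commit introduces are the `NetworkOrchestrationService` ConfigKeys, and `HypervisorGuruBase` already resolves those into `NicTO.details` on the management-server side before the TO reaches the hypervisor code. If `HypervisorHostHelper` (not shown here) consumes only the resolved details, this dependency is avoidable and the layering stays cleaner without it; if it does read the ConfigKeys directly, record why with `<!-- NetworkOrchestrationService ConfigKeys: port-group security policy defaults -->` next to the dependency.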
