From 9c7f560f0ee4a034ebc6710c7923ed0dcbd255ab Mon Sep 17 00:00:00 2001
From: Remi Bergsma
Date: Thu, 29 Mar 2018 15:50:43 +0200
Subject: [PATCH] Switch default ACL to Deny on the public_ips
---
 .../main/java/com/cloud/network/dao/IPAddressDaoImpl.java | 2 ++
 .../src/main/java/com/cloud/network/dao/IPAddressVO.java | 7 ++++---
 .../main/java/com/cloud/network/IpAddressManagerImpl.java | 3 +++
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/cosmic-core/engine/schema/src/main/java/com/cloud/network/dao/IPAddressDaoImpl.java b/cosmic-core/engine/schema/src/main/java/com/cloud/network/dao/IPAddressDaoImpl.java
index 07deb24cf4..c87a661240 100644
--- a/cosmic-core/engine/schema/src/main/java/com/cloud/network/dao/IPAddressDaoImpl.java
+++ b/cosmic-core/engine/schema/src/main/java/com/cloud/network/dao/IPAddressDaoImpl.java
@@ -4,6 +4,7 @@
 import com.cloud.dc.VlanVO;
 import com.cloud.dc.dao.VlanDao;
 import com.cloud.network.IpAddress.State;
+import com.cloud.network.vpc.NetworkACL;
 import com.cloud.resourcedetail.dao.UserIpAddressDetailsDao;
 import com.cloud.tags.dao.ResourceTagDao;
 import com.cloud.utils.db.DB;
@@ -157,6 +158,7 @@ public IPAddressVO markAsUnavailable(final long ipAddressId) {
 final IPAddressVO ip = createForUpdate();
 ip.setState(State.Releasing);
+ ip.setIpACLId(NetworkACL.DEFAULT_DENY);
 if (update(ip, sc) != 1) {
 return null;
 }
diff --git a/cosmic-core/engine/schema/src/main/java/com/cloud/network/dao/IPAddressVO.java b/cosmic-core/engine/schema/src/main/java/com/cloud/network/dao/IPAddressVO.java
index 1d4614cd35..7d64ba773a 100644
--- a/cosmic-core/engine/schema/src/main/java/com/cloud/network/dao/IPAddressVO.java
+++ b/cosmic-core/engine/schema/src/main/java/com/cloud/network/dao/IPAddressVO.java
@@ -1,6 +1,7 @@
 package com.cloud.network.dao;
 import com.cloud.network.IpAddress;
+import com.cloud.network.vpc.NetworkACL;
 import com.cloud.utils.db.GenericDao;
 import com.cloud.utils.net.Ip;
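Review bot: The reset `ip.setIpACLId(NetworkACL.DEFAULT_DENY)` in markAsUnavailable is only persisted when the `update(ip, sc)` below succeeds, and that outcome is surfaced to callers solely as a null return, so a failed release leaves the address on whatever ACL it already had; a one-line comment stating the intent, `// Reset to the deny ACL so a re-allocated address never inherits the previous owner's ACL`, would make that contract explicit. Nothing in this commit touches rows already stored with the old allow ACL id (2), so those addresses only move to deny the next time they pass through this release path or through allocation; if the intent is to close them now, the commit description should say whether a schema upgrade step is planned. The method begins above the hunk, where `sc` is built.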
@@ -84,7 +85,7 @@ public class IPAddressVO implements IpAddress {
 protected IPAddressVO() {
 uuid = UUID.randomUUID().toString();
- ipACLId = 2L; // Default Allow ACL
+ ipACLId = NetworkACL.DEFAULT_DENY;
 }
 public IPAddressVO(final Ip address, final long dataCenterId, final long macAddress, final long vlanDbId, final boolean sourceNat) {
@@ -98,7 +99,7 @@ public IPAddressVO(final Ip address, final long dataCenterId, final long macAddr
 state = State.Free;
 this.macAddress = macAddress;
 uuid = UUID.randomUUID().toString();
- ipACLId = 2L; // Default Allow ACL
+ ipACLId = NetworkACL.DEFAULT_DENY;
 }
 public IPAddressVO(final Ip address, final long dataCenterId, final Long networkId, final Long vpcId, final long physicalNetworkId, final long sourceNetworkId, final long
@@ -111,7 +112,7 @@ public IPAddressVO(final Ip address, final long dataCenterId, final Long network
 this.sourceNetworkId = sourceNetworkId;
 vlanId = vlanDbId;
 uuid = UUID.randomUUID().toString();
- ipACLId = 2L; // Default Allow ACL
+ ipACLId = NetworkACL.DEFAULT_DENY;
 }
 public void setId(final long id) {
diff --git a/cosmic-core/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java b/cosmic-core/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
index ce72b077d5..bd5a572b47 100644
--- a/cosmic-core/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
+++ b/cosmic-core/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
@@ -55,6 +55,7 @@
 import com.cloud.network.rules.FirewallRuleVO;
 import com.cloud.network.rules.RulesManager;
 import com.cloud.network.rules.StaticNat;
+import com.cloud.network.vpc.NetworkACL;
 import com.cloud.network.vpc.Vpc;
 import com.cloud.network.vpc.VpcVO;
 import com.cloud.network.vpc.dao.VpcDao;
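Review bot: `ipACLId = NetworkACL.DEFAULT_DENY;` is now repeated in all three constructors of IPAddressVO (this hunk and the ones at -98 and -111), alongside an equally repeated `uuid = UUID.randomUUID().toString();`; initialising the field at its declaration, which lies outside these hunks, would let the three constructor lines go and would stop a future constructor from silently skipping the deny default. The removed `// Default Allow ACL` comments were the only explanation of the value; the constant name carries that meaning now, so no replacement comment is needed, though a short Javadoc on the field (`/** Network ACL applied to this public IP; defaults to deny. */`) would document the policy in one place. The second and third constructors start above their hunks; the class header is outside all of them.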
@@ -644,6 +645,7 @@ public IPAddressVO doInTransaction(final TransactionStatus status) throws Insuff
 addr.setAllocatedInDomainId(owner.getDomainId());
 addr.setAllocatedToAccountId(owner.getId());
 addr.setSystem(isSystem);
+ addr.setIpACLId(NetworkACL.DEFAULT_DENY);
 if (displayIp != null) {
 addr.setDisplay(displayIp);
 }
@@ -795,6 +797,7 @@ public boolean applyIpAssociations(final Network network, final boolean continue
 for (final IPAddressVO addr : userIps) {
 if (addr.getState() == IpAddress.State.Allocating) {
 addr.setAssociatedWithNetworkId(network.getId());
+ addr.setIpACLId(NetworkACL.DEFAULT_DENY);
 markPublicIpAsAllocated(addr);
 } else if (addr.getState() == IpAddress.State.Releasing) {
 // Cleanup all the resources for ip address if there are any, and only then un-assign ip in the system
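Review bot: `addr.setIpACLId(NetworkACL.DEFAULT_DENY)` is applied unconditionally right after `addr.setSystem(isSystem)`, so system-owned addresses allocated through this path receive the deny ACL as well; that is the safer default, but it is a deliberate choice the next reader will want stated, e.g. `// Every newly allocated public IP starts closed (deny ACL), system-owned ones included`. Whether the value reaches the database depends on the persist call that follows, which is outside this hunk, as is the rest of doInTransaction.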
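Review bot: The `addr.setIpACLId(NetworkACL.DEFAULT_DENY)` added before `markPublicIpAsAllocated(addr)` overwrites whatever ACL the row carries when it reaches the Allocating state, including the value this same commit already assigns in doInTransaction and any ACL a caller may have set in between; if it is meant as a safety net rather than a reset, guarding it on the current value (assign only when no ACL id is set, assuming the VO exposes a getter for it) keeps a deliberately chosen ACL while still closing an address that arrives without one. The matching reset for the Releasing branch below is done in the DAO's markAsUnavailable rather than here, which is worth a comment on the `else if` line so the asymmetry is not mistaken for an omission. applyIpAssociations continues outside the hunk on both sides.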