
Switch default ACL to Deny on the public_ips
remibergsma committed Apr 10, 2018
1 parent be27a2f commit af2c306
Showing 3 changed files with 9 additions and 3 deletions.
Expand Up @@ -4,6 +4,7 @@
import com.cloud.dc.VlanVO;
import com.cloud.dc.dao.VlanDao;
import com.cloud.network.IpAddress.State;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.resourcedetail.dao.UserIpAddressDetailsDao;
import com.cloud.tags.dao.ResourceTagDao;
import com.cloud.utils.db.DB;
Expand Down Expand Up @@ -157,6 +158,7 @@ public IPAddressVO markAsUnavailable(final long ipAddressId) {

final IPAddressVO ip = createForUpdate();
ip.setState(State.Releasing);
ip.setIpACLId(NetworkACL.DEFAULT_DENY);
if (update(ip, sc) != 1) {
return null;
}
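Review bot: Resetting the ACL to NetworkACL.DEFAULT_DENY on release (the new `ip.setIpACLId(NetworkACL.DEFAULT_DENY);` placed just before `update(ip, sc)`) only changes the database row; nothing in this hunk shows the deny ACL being pushed to the backend for an address that is in the Releasing state, so if the running configuration is derived from the row elsewhere, please confirm that path picks the new value up before the address can be handed to another account. The intent deserves a one-line comment so it is not "tidied away" later, for example `// Fail closed: a released address must not carry the previous owner's ACL into its next allocation.`. markAsUnavailable begins before this hunk, so the search criteria `sc` it updates against are not visible here.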
@@ -1,6 +1,7 @@
package com.cloud.network.dao;

import com.cloud.network.IpAddress;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.utils.db.GenericDao;
import com.cloud.utils.net.Ip;

Expand Down Expand Up @@ -84,7 +85,7 @@ public class IPAddressVO implements IpAddress {

protected IPAddressVO() {
uuid = UUID.randomUUID().toString();
ipACLId = 2L; // Default Allow ACL
ipACLId = NetworkACL.DEFAULT_DENY;
}

public IPAddressVO(final Ip address, final long dataCenterId, final long macAddress, final long vlanDbId, final boolean sourceNat) {
Expand All @@ -98,7 +99,7 @@ public IPAddressVO(final Ip address, final long dataCenterId, final long macAddr
state = State.Free;
this.macAddress = macAddress;
uuid = UUID.randomUUID().toString();
ipACLId = 2L; // Default Allow ACL
ipACLId = NetworkACL.DEFAULT_DENY;
}

public IPAddressVO(final Ip address, final long dataCenterId, final Long networkId, final Long vpcId, final long physicalNetworkId, final long sourceNetworkId, final long
Expand All @@ -111,7 +112,7 @@ public IPAddressVO(final Ip address, final long dataCenterId, final Long network
this.sourceNetworkId = sourceNetworkId;
vlanId = vlanDbId;
uuid = UUID.randomUUID().toString();
ipACLId = 2L; // Default Allow ACL
ipACLId = NetworkACL.DEFAULT_DENY;
}

public void setId(final long id) {
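Review bot: The deny default is now repeated in each of the three constructors (`ipACLId = NetworkACL.DEFAULT_DENY;` replacing the old `2L; // Default Allow ACL`), so a constructor added later that forgets the line would silently fall back to whatever the field's uninitialized value is; setting it once at the field declaration (`ipACLId = NetworkACL.DEFAULT_DENY` where the field is declared, outside this hunk) makes the fail-closed default hold on every construction path and lets the constructor lines go. Note also that this only affects rows created after the upgrade: the diffstat lists three Java files and no schema or upgrade script, so existing public_ips rows that still carry the old Default Allow id keep it — please confirm whether a migration of those rows is intended, since the commit title suggests deny-by-default for all public IPs. The class header and the field declaration are outside this hunk.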
Expand Up @@ -55,6 +55,7 @@
import com.cloud.network.rules.FirewallRuleVO;
import com.cloud.network.rules.RulesManager;
import com.cloud.network.rules.StaticNat;
import com.cloud.network.vpc.NetworkACL;
import com.cloud.network.vpc.Vpc;
import com.cloud.network.vpc.VpcVO;
import com.cloud.network.vpc.dao.VpcDao;
Expand Down Expand Up @@ -644,6 +645,7 @@ public IPAddressVO doInTransaction(final TransactionStatus status) throws Insuff
addr.setAllocatedInDomainId(owner.getDomainId());
addr.setAllocatedToAccountId(owner.getId());
addr.setSystem(isSystem);
addr.setIpACLId(NetworkACL.DEFAULT_DENY);
if (displayIp != null) {
addr.setDisplay(displayIp);
}
Expand Down Expand Up @@ -795,6 +797,7 @@ public boolean applyIpAssociations(final Network network, final boolean continue
for (final IPAddressVO addr : userIps) {
if (addr.getState() == IpAddress.State.Allocating) {
addr.setAssociatedWithNetworkId(network.getId());
addr.setIpACLId(1L); // Default DENY ACL
markPublicIpAsAllocated(addr);
} else if (addr.getState() == IpAddress.State.Releasing) {
// Cleanup all the resources for ip address if there are any, and only then un-assign ip in the system
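Review bot: In applyIpAssociations the deny ACL is written as a magic number, `addr.setIpACLId(1L); // Default DENY ACL`, while the allocation path in the hunk above uses `NetworkACL.DEFAULT_DENY`; the import is already added to this file, so use the constant here as well, `addr.setIpACLId(NetworkACL.DEFAULT_DENY);`, otherwise the two paths can disagree if the id behind the constant ever differs from 1. The assignment also runs unconditionally for every address in the Allocating state, so any ACL chosen between allocation and association is overwritten; if that is intended because the address is not yet usable, a short comment such as `// Association always starts from the deny ACL; a user-chosen ACL is applied afterwards.` would spare the next reader the question, and if it is not intended the write should be guarded. applyIpAssociations and the transaction in doInTransaction both continue outside these hunks.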
