Class: SoftLayer::VLANFirewall

Inherits:
ModelBase show all
Includes:
DynamicAttribute
Defined in:
lib/softlayer/VLANFirewall.rb

Overview

The VLANFirewall class represents the firewall that protects all the servers on a VLAN in the SoftLayer Environment. It is also known as a “Dedicated Firewall” in some documentation.

Instances of this class are a bit odd because they actually represent a VLAN (the VLAN protected by the firewall to be specific), and not the physical hardware implementing the firewall itself. (although the device is accessible as the “networkVlanFirewall” property)

As a result, instances of this class correspond to certain instances in the SoftLayer_Network_Vlan service.

Instance Attribute Summary

Attributes inherited from ModelBase

#softlayer_client

Class Method Summary collapse

Instance Method Summary collapse

Methods included from DynamicAttribute

included

Methods inherited from ModelBase

#[], #has_sl_property?, #initialize, #refresh_details, sl_attr, #to_ary

Constructor Details

This class inherits a constructor from SoftLayer::ModelBase

Class Method Details

.find_firewalls(client = nil) ⇒ Object

Collect a list of the firewalls on the account.

This list is obtained by asking the account for all the VLANs it has that also have a networkVlanFirewall component.



241
242
243
244
245
246
247
248
249
250
251
252
 
# File 'lib/softlayer/VLANFirewall.rb', line 241

def self.find_firewalls(client = nil)
  softlayer_client = client || Client.default_client
  raise "#{__method__} requires a client but none was given and Client::default_client is not set" if !softlayer_client

  # only VLAN firewalls have a networkVlanFirewall component
  vlan_firewall_filter = SoftLayer::ObjectFilter.new() { |filter|
    filter.accept("networkVlans.networkVlanFirewall").when_it is_not_null
  }

  vlan_firewalls = softlayer_client[:Account].object_mask(vlan_firewall_mask).object_filter(vlan_firewall_filter).getNetworkVlans
  vlan_firewalls.collect { |firewall_data| SoftLayer::VLANFirewall.new(softlayer_client, firewall_data)}
end

Instance Method Details

#cancel!(notes = nil) ⇒ Object

Cancel the firewall

This method cancels the firewall and releases its resources. The cancellation is processed immediately! Call this method with careful deliberation!

Notes is a string that describes the reason for the cancellation. If empty or nil, a default string will be added.



123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
 
# File 'lib/softlayer/VLANFirewall.rb', line 123

def cancel!(notes = nil)
  user = self.softlayer_client[:Account].object_mask("mask[id,account.id]").getCurrentUser
  notes = "Cancelled by a call to #{__method__} in the softlayer_api gem" if notes == nil || notes == ""

  cancellation_request = {
    'accountId' => user['account']['id'],
    'userId'    => user['id'],
    'items' => [ {
      'billingItemId' => self['networkVlanFirewall']['billingItem']['id'],
      'immediateCancellationFlag' => true
      } ],
    'notes' => notes
  }

  self.softlayer_client[:Billing_Item_Cancellation_Request].createObject(cancellation_request)
end

#change_routing_bypass!(routing_symbol) ⇒ Object

This method allows you to route traffic around the firewall and directly to the servers it protects. Compare the behavior of this routine with change_rules_bypass!

It is important to note that changing the routing to :route_around_firewall removes ALL the protection offered by the firewall. This routine should be used with extreme discretion.

Note that this routine constructs a transaction. The Routing change may not happen immediately.

The two symbols accepted as arguments by the routine are: :route_through_firewall - Network traffic is sent through the firewall to the servers in the VLAN segment it protects. This is the usual operating mode of the firewall. :route_around_firewall - Network traffic will be sent directly to the servers in the VLAN segment protected by this firewall. This means that the firewall will NOT be protecting those servers.



221
222
223
224
225
226
227
228
229
230
231
232
233
234
 
# File 'lib/softlayer/VLANFirewall.rb', line 221

def change_routing_bypass!(routing_symbol)
  vlan_firewall_id = self['networkVlanFirewall']['id']

  raise "Could not identify the device for a VLAN firewall" if !vlan_firewall_id

  case routing_symbol
  when :route_through_firewall
    self.softlayer_client[:Network_Vlan_Firewall].object_with_id(vlan_firewall_id).updateRouteBypass(false)
  when :route_around_firewall
    self.softlayer_client[:Network_Vlan_Firewall].object_with_id(vlan_firewall_id).updateRouteBypass(true)
  else
    raise ArgumentError, "An invalid parameter was sent to #{__method__}. It accepts :route_through_firewall and :route_around_firewall"
  end
end

#change_rules!(rules_data) ⇒ Object

Change the set of rules for the firewall. The rules_data parameter should be an array of hashes where each hash gives the conditions of the rule. The keys of the hashes should be entries from the array returned by SoftLayer::ServerFirewall.default_rules_mask_keys

NOTE! When changing the rules on the firewall, you must pass in a complete set of rules each time. The rules you submit will replace the entire ruleset on the destination firewall.

NOTE! The rules themselves have an “orderValue” property. It is this property, and not the order that the rules are found in the rules_data array, which will determine in which order the firewall applies its rules to incoming traffic.

NOTE! Changes to the rules are not applied immediately on the server side. Instead, they are enqueued by the firewall update service and updated periodically. A typical update will take about one minute to apply, but times may vary depending on the system load and other circumstances.



162
163
164
165
166
167
168
169
 
# File 'lib/softlayer/VLANFirewall.rb', line 162

def change_rules!(rules_data)
  change_object = {
    "firewallContextAccessControlListId" => rules_ACL_id(),
    "rules" => rules_data
  }

  self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
end

#change_rules_bypass!(bypass_symbol) ⇒ Object

This method asks the firewall to ignore its rule set and pass all traffic through the firewall. Compare the behavior of this routine with change_routing_bypass!

It is important to note that changing the bypass to :bypass_firewall_rules removes ALL the protection offered by the firewall. This routine should be used with extreme discretion.

Note that this routine queues a rule change and rule changes may take time to process. The change will probably not take effect immediately.

The two symbols accepted as arguments by this routine are: :apply_firewall_rules - The rules of the firewall are applied to traffic. This is the default operating mode of the firewall :bypass_firewall_rules - The rules of the firewall are ignored. In this configuration the firewall provides no protection.



187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
 
# File 'lib/softlayer/VLANFirewall.rb', line 187

def change_rules_bypass!(bypass_symbol)
  change_object = {
    "firewallContextAccessControlListId" => rules_ACL_id(),
    "rules" => self.rules
  }

  case bypass_symbol
  when :apply_firewall_rules
    change_object['bypassFlag'] = false
    self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
  when :bypass_firewall_rules
    change_object['bypassFlag'] = true
    self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
  else
    raise ArgumentError, "An invalid parameter was sent to #{__method__}. It accepts :apply_firewall_rules and :bypass_firewall_rules"
  end
end

#fqdnObject

The fully qualified domain name of the physical device the firewall is implemented by.



82
83
84
85
86
87
88
 
# File 'lib/softlayer/VLANFirewall.rb', line 82

def fqdn
  if self.has_sl_property?('networkVlanFirewall')
    return self['networkVlanFirewall']['fullyQualifiedDomainName']
  else
    return @softlayer_hash
  end
end

#fullyQualifiedDomainNameObject

The fully qualified domain name of the physical device the firewall is implemented by.

DEPRECATION WARNING: This method is deprecated in favor of fqdn and will be removed in the next major release.



96
97
98
99
100
101
102
 
# File 'lib/softlayer/VLANFirewall.rb', line 96

def fullyQualifiedDomainName
  if self.has_sl_property?('networkVlanFirewall')
    return self['networkVlanFirewall']['fullyQualifiedDomainName']
  else
    return @softlayer_hash
  end
end

#high_availability?Boolean

Returns true if this is a “high availability” firewall, that is a firewall that exists as one member of a redundant pair.

Returns:

  • (Boolean) 


107
108
109
110
 
# File 'lib/softlayer/VLANFirewall.rb', line 107

def high_availability?
  # note that highAvailabilityFirewallFlag is a boolean in the softlayer hash
  return self.has_sl_property?('highAvailabilityFirewallFlag') && self['highAvailabilityFirewallFlag']
end

#primary_routerObject

Returns the name of the primary router the firewall is attached to. This is often a “customer router” in one of the datacenters.



65
66
67
 
# File 'lib/softlayer/VLANFirewall.rb', line 65

def primary_router
  return self['primaryRouter']['hostname']
end

#primaryRouterObject

Returns the name of the primary router the firewall is attached to. This is often a “customer router” in one of the datacenters.

DEPRECATION WARNING: This method is deprecated in favor of primary_router and will be removed in the next major release.



75
76
77
 
# File 'lib/softlayer/VLANFirewall.rb', line 75

def primaryRouter
  return self['primaryRouter']['hostname']
end

#rulesObject

Retrieve the set of rules applied by this firewall to incoming traffic. The object will retrieve the rules from the network API every time you ask it for the rules.

The code will sort the rules by their “orderValue” which is the order that the firewall applies the rules, however please see the important note in change_rules! concerning the “orderValue” property of the rules. :call-seq:

rules(force_update=false)



49
50
51
52
53
54
55
56
57
58
59
60
 
# File 'lib/softlayer/VLANFirewall.rb', line 49

sl_dynamic_attr :rules do |firewall_rules|
  firewall_rules.should_update? do
    # firewall rules update every time you ask for them.
    return true
  end

  firewall_rules.to_update do
    acl_id = rules_ACL_id()
    rules_data = self.softlayer_client[:Network_Firewall_AccessControlList].object_with_id(acl_id).object_mask(self.class.default_rules_mask).getRules
    rules_data.sort { |lhs, rhs| lhs['orderValue'] <=> rhs['orderValue'] }
  end
end

#serviceObject

– Methods for the SoftLayer model ++



258
259
260
261
262
263
 
# File 'lib/softlayer/VLANFirewall.rb', line 258

def service
  # Objects of this class are a bit odd because they actually represent VLANs (the VLAN protected by the firewall)
  # and not the physical hardware implementing the firewall itself.  (although the device is accessible as the
  # "networkVlanFirewall" property)
  self.softlayer_client[:Network_Vlan].object_with_id(self.id)
end

#softlayer_properties(object_mask = nil) ⇒ Object 



265
266
267
268
269
 
# File 'lib/softlayer/VLANFirewall.rb', line 265

def softlayer_properties(object_mask = nil)
  service = self.service
  service = service.object_mask(object_mask) if object_mask
  service.object_mask(self.class.vlan_firewall_mask).getObject
end

#vlan_numberObject

:attr_reader: vlan_number

The number of the VLAN protected by this firewall.



27
 
# File 'lib/softlayer/VLANFirewall.rb', line 27

sl_attr :vlan_number, 'vlanNumber'