I need to create a SoftLayer network firewall rule through the REST API

Time: 2016-04-07 06:31:21

Tags: api ibm-cloud-infrastructure

I need to create a SoftLayer network firewall rule through the REST API. I have gone through the SoftLayer documentation, but I still cannot create a firewall rule.

Please advise.

2 answers:

Answer 0: (score: 0)

Please try this REST request to add a firewall rule (SoftLayer_Network_Firewall_Update_Request::createObject):

URL:

https://[username]:[apikey]@api.softlayer.com/rest/v3/SoftLayer_Network_Firewall_Update_Request/createObject

Method: POST

{
  "parameters": [
    {
      "firewallContextAccessControlListId": 2854,
      "rules": [
        {
          "action": "permit",
          "destinationIpAddress": "any",
          "destinationIpCidr": 0,
          "destinationPortRangeEnd": 80,
          "destinationPortRangeStart": 80,
          "notes": "This is a test",
          "orderValue": 1,
          "protocol": "tcp",
          "sourceIpAddress": "0.0.0.0",
          "sourceIpCidr": 0,
          "version": 4
        },
        {
          "action": "permit",
          "destinationIpAddress": "50.97.51.242",
          "destinationIpCidr": 32,
          "destinationPortRangeEnd": 80,
          "destinationPortRangeStart": 80,
          "notes": "This is an API test 2",
          "orderValue": 2,
          "protocol": "tcp",
          "sourceIpAddress": "0.0.0.0",
          "sourceIpCidr": 0,
          "version": 4
        },
        {
          "action": "permit",
          "destinationIpAddress": "50.97.51.240",
          "destinationIpCidr": 32,
          "destinationPortRangeEnd": 80,
          "destinationPortRangeStart": 80,
          "notes": "This is an API test 3",
          "orderValue": 3,
          "protocol": "tcp",
          "sourceIpAddress": "0.0.0.0",
          "sourceIpCidr": 0,
          "version": 4
        },
        {
          "action": "permit",
          "destinationIpAddress": "any",
          "destinationIpCidr": 0,
          "destinationPortRangeEnd": 8080,
          "destinationPortRangeStart": 8080,
          "notes": "This is an API test 4",
          "orderValue": 4,
          "protocol": "tcp",
          "sourceIpAddress": "2001:db8:85a3:8d3:1319:8a2e:370:7339",
          "sourceIpCidr": 128,
          "version": 6
        }
      ]
    }
  ]
}

Note: the old rules must be included in the request body above, and then the new rule is added. In my case, I am adding this new rule:

{
  "action": "permit",
  "destinationIpAddress": "50.97.51.240",
  "destinationIpCidr": 32,
  "destinationPortRangeEnd": 80,
  "destinationPortRangeStart": 80,
  "notes": "This is an API test 3",
  "orderValue": 3,
  "protocol": "tcp",
  "sourceIpAddress": "0.0.0.0",
  "sourceIpCidr": 0,
  "version": 4
}

To understand the meaning of the attributes in the rules section, see: SoftLayer_Network_Firewall_Update_Request_Rule

Update 1:

Also, to get the firewallContextAccessControlListId, see the following:

If you know the firewall_id, run:

https://[username]:[apikey]@api.softlayer.com/rest/v3/SoftLayer_Network_Vlan_Firewall/[firewall_id]/getNetworkVlans?objectMask=mask[id,firewallRules,firewallInterfaces[id,firewallContextAccessControlLists]]

Method: GET

My response is:

{
  "id": 204016,
  "firewallInterfaces": [
    {
      "id": 5678,
      "firewallContextAccessControlLists": []
    },
    {
      "id": 5679,
      "firewallContextAccessControlLists": [
        {
          "direction": "in",
          "firewallContextInterfaceId": 5679,
          "id": 2854
        }
      ]
    }
  ]
}
…

Reference: SoftLayer_Network_Vlan_Firewall::getNetworkVlans

Otherwise, if you do not know the firewall_id, you can list all Network_Vlan_Firewall items by adding some masks:

https://[username]:[apikey]@api.softlayer.com/rest/v3.1/SoftLayer_Search/advancedSearch?objectMask=mask[resource(SoftLayer_Network_Vlan_Firewall)[id,primaryIpAddress,networkVlans[id,firewallInterfaces[firewallContextAccessControlLists]]]]

Method: POST

JSON payload:

{
  "parameters": [
    "_objectType:SoftLayer_Network_Vlan_Firewall"
  ]
}

The response should look like the one for the previous request, but for all items.

Note: in this case we use v3.1 instead of v3 in the request, because the advancedSearch service is only available in v3.1.
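The point the answer makes in passing deserves care in practice: createObject replaces the whole ruleset of the ACL, so a body that omits an existing rule deletes it, and a typo in an address or CIDR is only discovered once the firewall is live. As an added example (not the answerer's code and not SoftLayer's), the following Python builds the request body from the rules already on the ACL plus the new one, renumbers orderValue, and validates every rule offline before anything is sent. The ACL id 2854 and the sample rules come from the request above; the restriction of protocol to tcp/udp is an assumption based on what this thread uses, and PROTOCOLS should be widened for rules that need other protocols.

```python
import copy
import ipaddress

# Attribute names follow SoftLayer_Network_Firewall_Update_Request_Rule as used in the request above.
REQUIRED_FIELDS = ("action", "protocol", "version",
                   "sourceIpAddress", "sourceIpCidr",
                   "destinationIpAddress", "destinationIpCidr",
                   "destinationPortRangeStart", "destinationPortRangeEnd")
ACTIONS = {"permit", "deny"}
PROTOCOLS = {"tcp", "udp"}   # assumption: only the protocols the thread's rules use


def _check_endpoint(rule, side):
    """Check that <side>IpAddress and <side>IpCidr agree with the rule's IP version."""
    address = rule[side + "IpAddress"]
    cidr = rule[side + "IpCidr"]
    longest = 32 if rule["version"] == 4 else 128
    if not isinstance(cidr, int) or not 0 <= cidr <= longest:
        raise ValueError(f"{side}IpCidr {cidr!r} is out of range for IPv{rule['version']}")
    if address == "any":
        return
    # ip_address() rejects junk such as trailing whitespace, so typos fail here, not on the firewall
    parsed = ipaddress.ip_address(address)
    if parsed.version != rule["version"]:
        raise ValueError(f"{side}IpAddress {address} is IPv{parsed.version} but version is {rule['version']}")


def validate_rule(rule):
    """Raise ValueError for anything the API would reject or that is almost certainly a mistake."""
    missing = [field for field in REQUIRED_FIELDS if field not in rule]
    if missing:
        raise ValueError(f"rule is missing {missing}")
    if rule["action"] not in ACTIONS:
        raise ValueError(f"unknown action {rule['action']!r}")
    if rule["protocol"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {rule['protocol']!r}")
    if rule["version"] not in (4, 6):
        raise ValueError(f"version must be 4 or 6, got {rule['version']!r}")
    start, end = rule["destinationPortRangeStart"], rule["destinationPortRangeEnd"]
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"bad destination port range {start}-{end}")
    _check_endpoint(rule, "source")
    _check_endpoint(rule, "destination")
    return rule


def build_update_request(acl_id, existing_rules, new_rules):
    """Return the createObject body: every existing rule, in its current order, followed by the new ones."""
    if not isinstance(acl_id, int) or acl_id <= 0:
        raise ValueError("firewallContextAccessControlListId must be a positive integer")
    existing = sorted((copy.deepcopy(r) for r in existing_rules), key=lambda r: r["orderValue"])
    orders = [r["orderValue"] for r in existing]
    if len(set(orders)) != len(orders):
        raise ValueError(f"existing rules have duplicate orderValue: {orders}")
    merged = existing + [copy.deepcopy(r) for r in new_rules]
    if not merged:
        raise ValueError("refusing to submit an empty ruleset: it would delete every rule on the ACL")
    for position, rule in enumerate(merged, start=1):
        rule["orderValue"] = position    # contiguous 1..n; lower values are evaluated first
        validate_rule(rule)
    return {"parameters": [{"firewallContextAccessControlListId": acl_id, "rules": merged}]}


# Constructed sample: the first two rules of the request above, as the API would return them.
EXISTING_RULES = [
    {"action": "permit", "protocol": "tcp", "version": 4, "orderValue": 1,
     "sourceIpAddress": "0.0.0.0", "sourceIpCidr": 0,
     "destinationIpAddress": "any", "destinationIpCidr": 0,
     "destinationPortRangeStart": 80, "destinationPortRangeEnd": 80, "notes": "This is a test"},
    {"action": "permit", "protocol": "tcp", "version": 4, "orderValue": 2,
     "sourceIpAddress": "0.0.0.0", "sourceIpCidr": 0,
     "destinationIpAddress": "50.97.51.242", "destinationIpCidr": 32,
     "destinationPortRangeStart": 80, "destinationPortRangeEnd": 80, "notes": "This is an API test 2"},
]

# The rule the answer adds; orderValue is assigned by build_update_request, so it is left out here.
NEW_RULE = {"action": "permit", "protocol": "tcp", "version": 4,
            "sourceIpAddress": "0.0.0.0", "sourceIpCidr": 0,
            "destinationIpAddress": "50.97.51.240", "destinationIpCidr": 32,
            "destinationPortRangeStart": 80, "destinationPortRangeEnd": 80, "notes": "This is an API test 3"}

if __name__ == "__main__":
    import json
    print(json.dumps(build_update_request(2854, EXISTING_RULES, [NEW_RULE]), indent=2))
```

The returned dictionary is the JSON body for the POST shown above. Fetching existing_rules from the ACL immediately before building the body, rather than from a copy saved earlier, is what keeps a concurrent change by someone else from being overwritten.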

Answer 1: (score: 0)

Please take a look at this code and let me know if you need more information.


# Edit Vlan firewall rule.
#
# A firewall's ruleset is modified by passing a SoftLayer_Network_Firewall_Update_Request template
# object to SoftLayer_Network_Firewall_Update_Request::createObject. The entire ruleset is rewritten
# with each update request. This means it is necessary to include all past unchanged rules along with any
# modifications or additions. This is easily accomplished by pulling in the existing rules as described above
# then modifying the gathered array.
# Each SoftLayer_Network_Component_Firewall_Update_Request_Rule object requires:
#
# action - permit or deny
# destinationIpAddress - destination address
# destinationIpSubnetMask - subnet mask for destination
# sourceIpAddress - originating address
# sourceIpSubnetMask - subnet mask for origin address
# protocol - tcp/udp
# destinationPortRangeStart - first port the rule will affect
# destinationPortRangeEnd - last port the rule will affect
# orderValue - order in which rules are applied (lower is sooner)
#
# Important manual pages:
# http://sldn.softlayer.com/reference/services/SoftLayer_Network_Firewall_Update_Request
# http://sldn.softlayer.com/reference/services/SoftLayer_Network_Firewall_Update_Request/createObject
# @License: http://sldn.softlayer.com/article/License
# @Author: SoftLayer Technologies, Inc. <sldn@softlayer.com>

# So we can talk to the SoftLayer API:
import SoftLayer

# For nice debug output:
import pprint

# For a non-zero exit status on failure:
import sys

# Your SoftLayer API username and key.
#
# Generate an API key at the SoftLayer Customer Portal

API_USERNAME = 'set me'
API_KEY = 'set me'

vlanId = 211163
# Create the client object
client = SoftLayer.Client(username=API_USERNAME, api_key=API_KEY)
objectMask = 'mask[firewallRules,firewallInterfaces[firewallContextAccessControlLists]]'
vlan = client['SoftLayer_Network_Vlan'].getObject(mask=objectMask, id=vlanId)
rules = vlan['firewallRules']

firewallContextAccessControlListId = None
# Getting the ID of the Access Control List.
# Each VLAN has two types of firewallInterface: 'inside' and 'outside'.
# firewallContextAccessControlLists are organized by a direction of 'in' or 'out'.
# Currently the SoftLayer Platform supports the 'outside' firewallInterfaces
for firewall in vlan['firewallInterfaces']:
    if firewall['name'] == 'inside':
        continue
    for controlList in firewall['firewallContextAccessControlLists']:
        if controlList['direction'] == 'out':
            continue
        firewallContextAccessControlListId = controlList['id']

if firewallContextAccessControlListId is None:
    print("No inbound access control list found on the outside interface")
    sys.exit(1)

try:
    # Modifying a rule: set every rule whose source is ipToAllow to 'permit'.
    # The address must not carry trailing whitespace, or the comparison never matches.
    ipToAllow = '119.81.91.198'
    for rule in rules:
        if rule['sourceIpAddress'] == ipToAllow:
            rule['action'] = 'permit'
    # The whole ruleset is resubmitted, so 'rules' has to contain every existing rule.
    updateRequestTemplate = {
        'firewallContextAccessControlListId': firewallContextAccessControlListId,
        'rules': rules
    }
    updateRequest = client['SoftLayer_Network_Firewall_Update_Request'].createObject(updateRequestTemplate)
    pprint.pprint(updateRequest)
    print('Rule updated!')

except SoftLayer.SoftLayerAPIError as e:
    print("Error updating the rule: faultCode=%s, faultString=%s"
          % (e.faultCode, e.faultString))
    sys.exit(1)
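Two steps of the script above can fail without any error: the ACL lookup leaves the id empty when no interface matches, and the source-address comparison silently matches nothing when the address string is not exactly what the API returned. As an added example (not the answerer's code and not SoftLayer's), here are those steps as pure functions that can be tested offline, with a LookupError wherever the script would have proceeded with nothing. The VLAN dictionary is a constructed sample shaped like the masked getObject response; the interface and ACL ids come from this thread, the two deny rules are invented for the illustration, and the choice to only touch /32 host rules (never a wildcard or subnet source) is a design decision of this example.

```python
import copy
import ipaddress


def select_acl_id(vlan):
    """Return the id of the inbound ACL on the outside interface, which createObject expects.

    Raises LookupError when nothing matches or when more than one ACL qualifies, rather than
    guessing or returning an empty id.
    """
    candidates = []
    for interface in vlan.get("firewallInterfaces", []):
        if interface.get("name") == "inside":
            continue
        for acl in interface.get("firewallContextAccessControlLists", []):
            if acl.get("direction") == "in":
                candidates.append(acl["id"])
    if len(candidates) != 1:
        raise LookupError(f"expected one inbound ACL on the outside interface, found {candidates}")
    return candidates[0]


def permit_source(rules, ip_to_allow):
    """Return (updated_rules, changed): a deep copy of the ruleset in which every host rule whose
    source is ip_to_allow is set to 'permit'. The input list is left untouched."""
    wanted = ipaddress.ip_address(ip_to_allow.strip())   # strip(): '1.2.3.4 ' would never match
    updated = copy.deepcopy(rules)
    changed = 0
    for rule in updated:
        source = rule.get("sourceIpAddress", "any")
        if source == "any" or rule.get("sourceIpCidr") != wanted.max_prefixlen:
            continue    # only exact host rules; a 0.0.0.0/0 or subnet rule is never flipped
        if ipaddress.ip_address(source) == wanted and rule["action"] != "permit":
            rule["action"] = "permit"
            changed += 1
    if changed == 0:
        raise LookupError(f"no rule with source {wanted} needed changing; refusing a no-op rewrite")
    return updated, changed


def build_update_template(vlan, ip_to_allow):
    """Assemble the SoftLayer_Network_Firewall_Update_Request template passed to createObject."""
    acl_id = select_acl_id(vlan)
    rules, _ = permit_source(vlan["firewallRules"], ip_to_allow)
    return {"firewallContextAccessControlListId": acl_id, "rules": rules}


# Constructed sample shaped like getObject with the mask used above; ids taken from the thread.
SAMPLE_VLAN = {
    "id": 211163,
    "firewallInterfaces": [
        {"id": 5678, "name": "inside", "firewallContextAccessControlLists": []},
        {"id": 5679, "name": "outside", "firewallContextAccessControlLists": [
            {"id": 2854, "direction": "in", "firewallContextInterfaceId": 5679},
        ]},
    ],
    "firewallRules": [   # invented rules for the illustration
        {"action": "deny", "protocol": "tcp", "version": 4, "orderValue": 1,
         "sourceIpAddress": "119.81.91.198", "sourceIpCidr": 32,
         "destinationIpAddress": "any", "destinationIpCidr": 0,
         "destinationPortRangeStart": 22, "destinationPortRangeEnd": 22},
        {"action": "deny", "protocol": "tcp", "version": 4, "orderValue": 2,
         "sourceIpAddress": "0.0.0.0", "sourceIpCidr": 0,
         "destinationIpAddress": "any", "destinationIpCidr": 0,
         "destinationPortRangeStart": 22, "destinationPortRangeEnd": 22},
    ],
}

if __name__ == "__main__":
    import pprint
    pprint.pprint(build_update_template(SAMPLE_VLAN, "119.81.91.198 "))
```

In the script above, the returned template is what goes into client['SoftLayer_Network_Firewall_Update_Request'].createObject(); because the functions never mutate their input, the original ruleset is still available for logging or for a diff of what is about to be pushed.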