From dcc798d7aa30b446cf8c8cb9c6a749de510d8218 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Thu, 21 Nov 2019 06:59:22 +0100
Subject: [PATCH 1/3] vpc: fix acl rule with protocol number is not applied correctly in vpc vr (#3678)
When add a acl rule with protocol number, the iptables rules in vpc vr is not applied correctly. for example, when add an ingress acl rule (protocol number:50, cidr: 2.2.2.2/32), we expect to have a iptables rule: "-A ACL_INBOUND_eth2 -s 2.2.2.2/32 -p esp -j ACCEPT" the actual rule is "-A ACL_INBOUND_eth2 -j DROP" It is because the rules in json are not correct. network_acl.json.a8c52dca-0278-4e1c-b72b-987ca7121f4f.gz:{"device":"eth2","mac_address":"02:00:7d:27:00:02","private_gateway_acl":false,"nic_ip":"192.168.11.12","nic_netmask":"28","ingress_rules":[{"type":"protocol","protocol":50,"cidr":"ACCEPT","allowed":false},{"type":"all","cidr":"0.0.0.0/0","allowed":true},],"egress_rules":[],"type":"networkacl"} Fixes: #3602
---
 .../virtualnetwork/facade/SetNetworkAclConfigItem.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetNetworkAclConfigItem.java b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetNetworkAclConfigItem.java
index 7247766e5c6..c16e9265a49 100644
--- a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetNetworkAclConfigItem.java
+++ b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetNetworkAclConfigItem.java
@@ -79,7 +79,7 @@ public class SetNetworkAclConfigItem extends AbstractConfigItemFacade {
 // If we check the size of the array, it will fail to setup the network.
 // So, let's catch the exception and continue in the loop.
 try {
- aclRule = new ProtocolAclRule(ruleParts[5], false, Integer.parseInt(ruleParts[1]));
+ aclRule = new ProtocolAclRule(ruleParts[4], "ACCEPT".equals(ruleParts[5]), Integer.parseInt(ruleParts[1]));
 } catch (final Exception e) {
 s_logger.warn("Problem occured when reading the entries in the ruleParts array. Actual array size is '" + ruleParts.length + "', but trying to read from index 5.");
 continue;
@@ -104,4 +104,4 @@ public class SetNetworkAclConfigItem extends AbstractConfigItemFacade {
 return super.generateConfigItems(configuration);
 }
-}
\ No newline at end of file
+}
From 23ca806db99f51e3237b7c86a37146dc1e9d28d6 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Thu, 21 Nov 2019 07:10:17 +0100
Subject: [PATCH 2/3] kvm: fix issue that network rules for secondary IPs are not applied (#3636)
When I add a secondary IP to a nic on shared network in advanced zone with security groups, the network rules for new IP are not applied on KVM hypervisors. It is because "--action -A" cannot be recognized in security_group.py after commit ac73e7e671ba107830f96b9fb534eb716956e405. changing to "--action=-A" will fix it.
---
 .../cloud/hypervisor/kvm/resource/LibvirtComputingResource.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
index b20f1a58b94..07461393c60 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
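Review bot: The `catch (final Exception e)` two lines below the changed line still swallows every failure from that constructor call and `continue`s, so an entry whose protocol field is not numeric (`Integer.parseInt(ruleParts[1])` throws NumberFormatException) is dropped silently under a warning that blames the array size; the enclosing loop starts outside this hunk, but the JSON in the commit message shows a trailing allow-all entry, so a skipped deny rule would leave that traffic permitted rather than blocked. Narrow the catch to what the line can actually throw, `} catch (final ArrayIndexOutOfBoundsException | NumberFormatException e) {`, and have the warning include the rule string being parsed and `e.getMessage()` so the dropped rule is visible in the logs (the `occured` typo can go at the same time). Whether a malformed rule should abort the whole ACL push instead of being skipped is a policy choice that deserves a comment on the `continue`.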
@@ -3638,7 +3638,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
 cmd.add("network_rules_vmSecondaryIp");
 cmd.add("--vmname", vmName);
 cmd.add("--nicsecips", secIp);
- cmd.add("--action", action);
+ cmd.add("--action=" + action);
 final String result = cmd.execute();
 if (result != null) {
From d981edb4bcd84e387ad8986f5792245892900f40 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Thu, 21 Nov 2019 07:14:41 +0100
Subject: [PATCH 3/3] server: acquire IPv4 address when add secondary IP to nic if IP is not specified (#3635)
After commit fbf488497fb863c13fc0908281e3f4f86906df43, admin need to specify an ipv4 or ipv6 addresses when add IP to nic which breaks backward compatibity. If IP is not specified, a IPv4 address should be returned.
---
 .../src/main/java/com/cloud/network/NetworkServiceImpl.java | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
index 3359b2773ac..f440ced13b2 100644
--- a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
@@ -732,11 +732,10 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
 }
 try {
- if (ipv4Address != null) {
- ipaddr = _ipAddrMgr.allocatePublicIpForGuestNic(network, podId, ipOwner, ipv4Address);
- }
 if (ipv6Address != null) {
 ip6addr = ipv6AddrMgr.allocatePublicIp6ForGuestNic(network, podId, ipOwner, ipv6Address);
+ } else {
+ ipaddr = _ipAddrMgr.allocatePublicIpForGuestNic(network, podId, ipOwner, ipv4Address);
 }
 if (ipaddr == null && ipv6Address == null) {
 throw new InvalidParameterValueException("Allocating ip to guest nic " + nicId + " failed");
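Review bot: The `--action=` form on the changed line is the only add in this block that differs from the two-argument `--vmname`/`--nicsecips` style, and nothing in the code says why, so a later cleanup is likely to revert it to the form the commit message says the script cannot parse; add above it `// Use "--action=<value>": passed as a separate argument, "-A"/"-D" is taken for an option flag by security_group.py.` It would also be worth rejecting any `action` value other than the ones the script expects before the command is built, since the value is concatenated verbatim into the argument; the enclosing method begins outside this hunk, so the caller's constraints on `action` are not visible here.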
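Review bot: With the new `else`, a request that supplies both `ipv4Address` and `ipv6Address` now allocates only the IPv6 address and silently ignores the requested IPv4 one, whereas the removed lines allocated both; the later `ipaddr == null && ipv6Address == null` check does not catch this because `ipv6Address` is set. Replace `} else {` with `}` followed by `if (ipv4Address != null || ipv6Address == null) {`, so an explicit IPv4 request is honoured alongside IPv6 and the no-address case still defaults to IPv4 as the commit intends; if supplying both at once is meant to be unsupported, reject it with an InvalidParameterValueException rather than dropping one side. The surrounding method starts before this hunk, so any earlier validation of the two parameters is not visible here.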