Firewall tab changes

This commit is contained in:
Harikrishna Patnala 2026-05-11 12:01:53 +05:30
parent 2e5b02ff64
commit 60c66f0d2d
3 changed files with 28 additions and 24 deletions


@ -703,12 +703,26 @@ class CsAcl(CsDataBag):
self.add_routing_rules()
return
fw_chains_created = set()
for item in self.dbag:
if item == "id":
continue
if self.config.is_vpc() and not ("purpose" in self.dbag[item] and self.dbag[item]["purpose"] == "Firewall"):
self.AclDevice(self.dbag[item], self.config).create()
else:
# For VPC firewall rules, create the PREROUTING jump and chain skeleton
# once per public IP before adding the individual rule
if self.config.is_vpc() and self.dbag[item].get("purpose") == "Firewall":
src_ip = self.dbag[item].get("src_ip")
if src_ip and src_ip not in fw_chains_created:
fw = self.config.get_fw()
fw.append(["mangle", "front",
"-A PREROUTING -d %s/32 -j FIREWALL_%s" % (src_ip, src_ip)])
fw.append(["mangle", "front",
"-A FIREWALL_%s -m state --state RELATED,ESTABLISHED -j RETURN" % src_ip])
fw.append(["mangle", "",
"-A FIREWALL_%s -j DROP" % src_ip])
fw_chains_created.add(src_ip)
self.AclIP(self.dbag[item], self.config).create()
class CsIpv6Firewall(CsDataBag):
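Review bot: With the FIREWALL_&lt;ip&gt; skeleton now built inside this rule loop (and the unconditional version removed from CsIP in the second file), the PREROUTING jump and the trailing `-A FIREWALL_%s -j DROP` exist only for a public IP that has at least one data-bag entry with purpose "Firewall" and a `src_ip`; a public IP with no rules, or whose last rule has just been deleted, gets no chain and therefore no default drop in the mangle table, where the old CsIP path applied it for every public IP. If that default-deny is still intended for rule-less IPs, the skeleton should come from a pass over the configured public IPs rather than from the rules, or the IP-side creation should stay and this loop only add the per-rule entries. Smaller point: the inner `if self.config.is_vpc() and self.dbag[item].get("purpose") == "Firewall":` is redundant inside the `else` of the outer test (in that branch is_vpc() already implies purpose == "Firewall"), and the outer test could use the same `.get("purpose") == "Firewall"` form instead of the `in` + `==` pair for consistency. A one-line comment such as `# chains are keyed by src_ip; one PREROUTING jump + RETURN/DROP skeleton per public IP` above `fw_chains_created = set()` would also help the next reader. The enclosing method starts before the hunk.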


@ -647,17 +647,6 @@ class CsIP:
(self.address['network'], self.address['network'])])
if self.get_type() in ["public"]:
# Add PREROUTING firewall chain jump for public IP
self.fw.append(["mangle", "front",
"-A PREROUTING " +
"-d %s/32 -j FIREWALL_%s" % (self.address['public_ip'], self.address['public_ip'])])
# Add the firewall chain with default DROP policy
self.fw.append(["mangle", "front",
"-A FIREWALL_%s " % self.address['public_ip'] +
"-m state --state RELATED,ESTABLISHED -j RETURN"])
self.fw.append(["mangle", "",
"-A FIREWALL_%s -j DROP" % self.address['public_ip']])
self.fw.append(
["mangle", "", "-A FORWARD -j VPN_STATS_%s" % self.dev])


@ -135,33 +135,27 @@ export default {
return
}
if (this.resource && this.resource.vpcid) {
const vpc = await this.fetchVpc()
`` const vpc = await this.fetchVpc()
// VPC IPs with source nat have only VPN when VPC offering conserve mode = false
if (this.resource.issourcenat && vpc?.vpcofferingconservemode === false) {
let tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'vpn'))
if (this.resource.associatednetworkid) {
tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => ['vpn', 'firewall'].includes(tab.name)))
}
this.tabs = tabs
this.tabs = this.addFirewallTab(tabs)
return
}
// VPC IPs with static nat have nothing
// VPC IPs with static nat keep existing VPN behavior and always show firewall
if (this.resource.isstaticnat) {
let tabs = this.defaultTabs
if (this.resource.virtualmachinetype === 'DomainRouter') {
this.tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => ['vpn', 'firewall'].includes(tab.name)))
} else {
this.tabs = this.defaultTabs
tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'vpn'))
}
this.tabs = this.addFirewallTab(tabs)
return
}
// VPC IPs have all tabs, but firewall only if associatednetworkid present
// VPC IPs have all tabs, and firewall should always be visible
let tabs = this.$route.meta.tabs
if (!this.resource.associatednetworkid) {
tabs = tabs.filter(tab => tab.name !== 'firewall')
}
const network = await this.fetchNetwork()
if (network && network.networkofferingconservemode) {
@ -209,6 +203,13 @@ export default {
fetchAction () {
this.actions = this.$route.meta.actions || []
},
addFirewallTab (tabs) {
const firewallTab = this.$route.meta.tabs.find(tab => tab.name === 'firewall')
if (!firewallTab || tabs.some(tab => tab.name === 'firewall')) {
return tabs
}
return tabs.concat(firewallTab)
},
fetchVpc () {
if (!this.resource.vpcid) {
return null
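Review bot: In the static-NAT branch of the first hunk (the `if (this.resource.virtualmachinetype === 'DomainRouter')` block) the new side reads as `let tabs = this.defaultTabs` with the VPN filter assigned only in the `else` arm, whereas the removed lines gave the DomainRouter arm `vpn` + `firewall` and the other arm `defaultTabs` alone; that inverts which arm keeps VPN and contradicts the new comment "keep existing VPN behavior". If the page has not reordered the lines, `tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'vpn'))` belongs in the DomainRouter arm, leaving the `else` arm with `defaultTabs` only. A second, smaller point: in the source-NAT branch the `associatednetworkid` case still injects the firewall tab through the filter (route meta order) while every other path gets it appended at the end by `addFirewallTab`, so the tab position differs between the two; dropping that inner `if` and relying on `addFirewallTab` alone would make the ordering consistent. `addFirewallTab` in the second hunk would benefit from a short JSDoc such as `/** Append the route's firewall tab unless it is missing from meta or already in tabs. */`. The enclosing method of the first hunk starts before the hunk.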