From 655ed10655c0848471d43627a85b1433f38da9d5 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Wed, 18 Nov 2020 15:56:03 +0000
Subject: [PATCH] bugfix #2 vpc vr: fix issue if static nat is disabled but still other IP used by lb/pf

---
 .../network/rules/NicPlugInOutRules.java | 7 ++++++-
 .../rules/VirtualNetworkApplianceFactory.java | 7 +++++++
 ...st_multiple_subnets_in_isolated_network.py | 19 ++++++++---------
 ...ultiple_subnets_in_isolated_network_rvr.py | 19 ++++++++---------
 .../component/test_multiple_subnets_in_vpc.py | 21 +++++++++----------
 .../test_multiple_subnets_in_vpc_rvr.py | 21 +++++++++----------
 6 files changed, 51 insertions(+), 43 deletions(-)

diff --git a/server/src/main/java/com/cloud/network/rules/NicPlugInOutRules.java b/server/src/main/java/com/cloud/network/rules/NicPlugInOutRules.java
index a90264e164a..6ee5e85f271 100644
--- a/server/src/main/java/com/cloud/network/rules/NicPlugInOutRules.java
+++ b/server/src/main/java/com/cloud/network/rules/NicPlugInOutRules.java
@@ -40,6 +40,7 @@ import com.cloud.network.NetworkModel;
 import com.cloud.network.Networks.BroadcastDomainType;
 import com.cloud.network.Networks.IsolationType;
 import com.cloud.network.PublicIpAddress;
+import com.cloud.network.dao.FirewallRulesDao;
 import com.cloud.network.dao.IPAddressDao;
 import com.cloud.network.dao.IPAddressVO;
 import com.cloud.network.router.VirtualRouter;
@@ -189,6 +190,7 @@ public class NicPlugInOutRules extends RuleApplier {
 VpcManager vpcMgr = visitor.getVirtualNetworkApplianceFactory().getVpcMgr();
 NicDao nicDao = visitor.getVirtualNetworkApplianceFactory().getNicDao();
 IPAddressDao ipAddressDao = visitor.getVirtualNetworkApplianceFactory().getIpAddressDao();
+ FirewallRulesDao rulesDao = visitor.getVirtualNetworkApplianceFactory().getFirewallRulesDao();
 // find out nics to unplug
 for (PublicIpAddress ip : _ipAddresses) {
@@ -206,7 +208,10 @@ public class NicPlugInOutRules extends RuleApplier {
 final List allIps = ipAddressDao.listByAssociatedVpc(ip.getVpcId(), null);
 boolean ipUpdated = false;
 for (IPAddressVO allIp : allIps) {
- if (allIp.getId() != ip.getId() && allIp.getVlanId() == ip.getVlanId() && allIp.getVmIp() != null) {
+ if (allIp.getId() != ip.getId() && allIp.getVlanId() == ip.getVlanId()
+ && (allIp.isSourceNat()
+ || rulesDao.countRulesByIpIdAndState(allIp.getId(), FirewallRule.State.Active) > 0
+ || (allIp.isOneToOneNat() && allIp.getRuleState() == null))) {
 s_logger.debug("Updating the nic " + nic + " with new ip address " + allIp.getAddress().addr());
 nic.setIPv4Address(allIp.getAddress().addr());
 nicDao.update(nic.getId(), nic);
diff --git a/server/src/main/java/com/cloud/network/rules/VirtualNetworkApplianceFactory.java b/server/src/main/java/com/cloud/network/rules/VirtualNetworkApplianceFactory.java
index b3edc3b736d..9d4660da557 100644
--- a/server/src/main/java/com/cloud/network/rules/VirtualNetworkApplianceFactory.java
+++ b/server/src/main/java/com/cloud/network/rules/VirtualNetworkApplianceFactory.java
@@ -26,6 +26,7 @@ import com.cloud.dc.dao.HostPodDao;
 import com.cloud.dc.dao.VlanDao;
 import com.cloud.network.IpAddressManager;
 import com.cloud.network.NetworkModel;
+import com.cloud.network.dao.FirewallRulesDao;
 import com.cloud.network.dao.IPAddressDao;
 import com.cloud.network.dao.LoadBalancerDao;
 import com.cloud.network.dao.NetworkDao;
@@ -85,6 +86,8 @@ public class VirtualNetworkApplianceFactory {
 private IpAddressManager _ipAddrMgr;
 @Inject
 private NetworkACLManager _networkACLMgr;
+ @Inject
+ private FirewallRulesDao _rulesDao;
 @Autowired
 @Qualifier("networkHelper")
@@ -183,4 +186,8 @@ public class VirtualNetworkApplianceFactory {
 public NetworkTopologyContext getNetworkTopologyContext() {
 return _networkTopologyContext;
 }
+
+ public FirewallRulesDao getFirewallRulesDao() {
+ return _rulesDao;
+ }
 }
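Review bot: The new condition counts only rules in `FirewallRule.State.Active`, so a sibling public IP in the same VLAN whose PF/LB rule has been created but not yet applied (a pending-add state, if the enum has one) is treated as unused and will not keep the router nic on that VLAN, while an IP whose static NAT is being revoked (`getRuleState() != null`) is correctly excluded; a concurrent "add rule on IP B" racing a "disable static NAT on IP A" could therefore still unplug or re-point the nic. If the DAO can count non-revoked rules, or if the pending-add state is included alongside Active, the check is safer against that race. The three-way predicate is dense enough to deserve a comment, e.g. `// keep this VLAN's nic only if another IP on it still carries traffic: source NAT, an active PF/LB/firewall rule, or static NAT that is not being revoked`. The loop body continues past the hunk, so whether `ipUpdated` is set and the loop breaks after the first match is not visible here.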
diff --git a/test/integration/component/test_multiple_subnets_in_isolated_network.py b/test/integration/component/test_multiple_subnets_in_isolated_network.py index 9892a3bc6e9..dee90663a78 100644 --- a/test/integration/component/test_multiple_subnets_in_isolated_network.py +++ b/test/integration/component/test_multiple_subnets_in_isolated_network.py @@ -35,6 +35,7 @@ from marvin.lib.base import (Account, NetworkOffering, VPC, VpcOffering, + StaticNATRule, NATRule, PublicIPAddress, PublicIpRange) @@ -247,7 +248,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): # verify the IPs in VR. eth0 -> guest nic IP, eth2 -> source nat IP # 6. create new public ip range 1 - # 7. get a free ip in new ip range, assign to network, and create port forwarding rules (ssh) to the vm + # 7. get a free ip 4 in new ip range 2, assign to network, and enable static nat to vm # verify the available nics in VR should be "eth0,eth1,eth2,eth3" # verify the IPs in VR. eth0 -> guest nic, eth2 -> source nat IP, eth3 -> new ip 1 # 8. get a free ip in new ip range, assign to network, and create port forwarding rules (ssh) to the vm @@ -395,7 +396,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ) self.cleanup.append(self.public_ip_range1) - # 7. get a free ip in new ip range, assign to network, and create port forwarding rules (ssh) to the vm + # 7. get a free ip 4 in new ip range 2, assign to network, and enable static nat to vm ip_address_1 = self.get_free_ipaddress(self.public_ip_range1.vlan.id) ipaddress_1 = PublicIPAddress.create( self.apiclient, @@ -404,12 +405,11 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ipaddress=ip_address_1 ) - nat_rule = NATRule.create( + StaticNATRule.enable( self.apiclient, - self.virtual_machine1, - self.services["natrule"], + virtualmachineid=self.virtual_machine1.id, ipaddressid=ipaddress_1.ipaddress.id, - openfirewall=True + networkid=self.network1.id ) # verify the available nics in VR should be "eth0,eth1,eth2,eth3" 
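Review bot: The rewritten step-7 comment, `# 7. get a free ip 4 in new ip range 2, assign to network, and enable static nat to vm`, does not match the code beneath it, which allocates `ip_address_1` from `self.public_ip_range1.vlan.id`; the "ip 4 / range 2" wording looks copied from the VPC variant of this test. Suggest `# 7. get a free ip 1 in new ip range 1, assign to network, and enable static nat to vm`, and the same correction for the identical line in the step list at the top of the test (the hunk at line 247).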
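Review bot: Replacing `NATRule.create(..., openfirewall=True)` with `StaticNATRule.enable(...)` drops the firewall opening the old call performed, and nothing in the hunk adds a firewall rule for `ipaddress_1`. If a later step reaches the VM through this address (the previous step text mentioned ssh), an isolated network still needs an explicit ingress firewall rule on it; if the step only inspects the router's nics, a one-line comment such as `# no firewall rule: this step only checks the VR nic/IP layout` would make the omission clearly intentional. Whether the VM is reached through this IP is decided outside the hunk.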
@@ -544,12 +544,11 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ipaddress=ip_address_4 ) - nat_rule = NATRule.create( + StaticNATRule.enable( self.apiclient, - self.virtual_machine1, - self.services["natrule"], + virtualmachineid=self.virtual_machine1.id, ipaddressid=ipaddress_4.ipaddress.id, - openfirewall=True + networkid=self.network1.id ) diff --git a/test/integration/component/test_multiple_subnets_in_isolated_network_rvr.py b/test/integration/component/test_multiple_subnets_in_isolated_network_rvr.py index 2abd076be01..778e04fcee6 100644 --- a/test/integration/component/test_multiple_subnets_in_isolated_network_rvr.py +++ b/test/integration/component/test_multiple_subnets_in_isolated_network_rvr.py @@ -35,6 +35,7 @@ from marvin.lib.base import (Account, NetworkOffering, VPC, VpcOffering, + StaticNATRule, NATRule, PublicIPAddress, PublicIpRange) @@ -247,7 +248,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): # verify the IPs in VR. eth0 -> guest nic IP, eth2 -> source nat IP # 6. create new public ip range 1 - # 7. get a free ip in new ip range, assign to network, and create port forwarding rules (ssh) to the vm + # 7. get a free ip 4 in new ip range 2, assign to network, and enable static nat to vm # verify the available nics in VR should be "eth0,eth1,eth2,eth3" # verify the IPs in VR. eth0 -> guest nic, eth2 -> source nat IP, eth3 -> new ip 1 # 8. get a free ip in new ip range, assign to network, and create port forwarding rules (ssh) to the vm @@ -395,7 +396,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ) self.cleanup.append(self.public_ip_range1) - # 7. get a free ip in new ip range, assign to network, and create port forwarding rules (ssh) to the vm + # 7. get a free ip 4 in new ip range 2, assign to network, and enable static nat to vm ip_address_1 = self.get_free_ipaddress(self.public_ip_range1.vlan.id) ipaddress_1 = PublicIPAddress.create( self.apiclient, 
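Review bot: As in the non-RVR variant, the new step-7 comment says `ip 4 in new ip range 2` while the code that follows allocates `ip_address_1` from `self.public_ip_range1`; suggest `# 7. get a free ip 1 in new ip range 1, assign to network, and enable static nat to vm` here and for the matching line in the step list near line 247.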
@@ -404,12 +405,11 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ipaddress=ip_address_1 ) - nat_rule = NATRule.create( + StaticNATRule.enable( self.apiclient, - self.virtual_machine1, - self.services["natrule"], + virtualmachineid=self.virtual_machine1.id, ipaddressid=ipaddress_1.ipaddress.id, - openfirewall=True + networkid=self.network1.id ) # verify the available nics in VR should be "eth0,eth1,eth2,eth3" @@ -544,12 +544,11 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ipaddress=ip_address_4 ) - nat_rule = NATRule.create( + StaticNATRule.enable( self.apiclient, - self.virtual_machine1, - self.services["natrule"], + virtualmachineid=self.virtual_machine1.id, ipaddressid=ipaddress_4.ipaddress.id, - openfirewall=True + networkid=self.network1.id ) diff --git a/test/integration/component/test_multiple_subnets_in_vpc.py b/test/integration/component/test_multiple_subnets_in_vpc.py index a9e36966b72..5366bf4dd7d 100644 --- a/test/integration/component/test_multiple_subnets_in_vpc.py +++ b/test/integration/component/test_multiple_subnets_in_vpc.py @@ -35,6 +35,7 @@ from marvin.lib.base import (Account, NetworkOffering, VPC, VpcOffering, + StaticNATRule, NATRule, PublicIPAddress, PublicIpRange) @@ -272,7 +273,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): # verify the IPs in VR. eth1 -> source nat IP, eth2 -> tier 1, eth3 -> new ip 3, eth4 -> tier 2 # 13. create new public ip range 2 - # 14. get a free ip 4 in new ip range 2, assign to network, and create port forwarding rules (ssh) to the vm + # 14. get a free ip 4 in new ip range 2, assign to network, and enable static nat to vm 2 in tier 2 # verify the available nics in VR should be "eth0,eth1,eth2,eth3,eth4,eth5," # verify the IPs in VR. eth1 -> source nat IP, eth2 -> tier 1, eth3 -> new ip 3, eth4 -> tier 2, eth5 -> new ip 4 # 15. get a free ip 5 in new ip range 2, assign to network, and create port forwarding rules (ssh) to the vm 
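Review bot: The switch to `StaticNATRule.enable` silently drops the `openfirewall=True` that the old `NATRule.create` call carried, and no firewall rule is added for `ipaddress_1` in this hunk. If the VM is later reached through this IP the isolated network needs an explicit ingress firewall rule; otherwise a comment such as `# no firewall rule needed: only the VR nic layout is checked` would document that the omission is deliberate. The later use of this IP is outside the hunk.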
@@ -451,10 +452,9 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ipaddress=ip_address_1 ) - nat_rule = NATRule.create( + StaticNATRule.enable( self.apiclient, - self.virtual_machine1, - self.services["natrule"], + virtualmachineid=self.virtual_machine1.id, ipaddressid=ipaddress_1.ipaddress.id, networkid=vpc_tier_1.id ) @@ -581,7 +581,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ) try: - self.virtual_machine1 = VirtualMachine.create( + self.virtual_machine2 = VirtualMachine.create( self.apiclient, self.services["virtual_machine"], accountid=self.account1.name, @@ -621,7 +621,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ) self.cleanup.append(self.public_ip_range2) - # 14. get a free ip 4 in new ip range 2, assign to network, and create port forwarding rules (ssh) to the vm + # 14. get a free ip 4 in new ip range 2, assign to network, and enable static nat to vm 2 in tier 2 # verify the available nics in VR should be "eth0,eth1,eth2,eth3,eth4,eth5," # verify the IPs in VR. eth1 -> source nat IP, eth2 -> tier 1, eth3 -> new ip 3, eth4 -> tier 2, eth5 -> new ip 4 ip_address_4 = self.get_free_ipaddress(self.public_ip_range2.vlan.id) @@ -632,10 +632,9 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ipaddress=ip_address_4 ) - nat_rule = NATRule.create( + StaticNATRule.enable( self.apiclient, - self.virtual_machine1, - self.services["natrule"], + virtualmachineid=self.virtual_machine2.id, ipaddressid=ipaddress_4.ipaddress.id, networkid=vpc_tier_2.id ) @@ -665,7 +664,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): nat_rule = NATRule.create( self.apiclient, - self.virtual_machine1, + self.virtual_machine2, self.services["natrule"], ipaddressid=ipaddress_5.ipaddress.id, networkid=vpc_tier_2.id 
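Review bot: `self.virtual_machine2` now holds the tier-2 VM instead of overwriting `self.virtual_machine1`, which fixes the later NAT rules, but the hunk shows only the assignment inside the `try:`; whatever teardown previously covered the overwritten attribute no longer covers this VM unless it is registered. The file uses `self.cleanup.append(...)` for `self.public_ip_range2` in the next hunk, so the `try:` block should likely end with `self.cleanup.append(self.virtual_machine2)` unless the VM is already removed via the account cleanup. The rest of the `try:` block lies outside the hunk.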
@@ -696,7 +695,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): nat_rule = NATRule.create( self.apiclient, - self.virtual_machine1, + self.virtual_machine2, self.services["natrule"], ipaddressid=ipaddress_6.ipaddress.id, networkid=vpc_tier_2.id diff --git a/test/integration/component/test_multiple_subnets_in_vpc_rvr.py b/test/integration/component/test_multiple_subnets_in_vpc_rvr.py index 392620f88cb..18a4ac78eec 100644 --- a/test/integration/component/test_multiple_subnets_in_vpc_rvr.py +++ b/test/integration/component/test_multiple_subnets_in_vpc_rvr.py @@ -35,6 +35,7 @@ from marvin.lib.base import (Account, NetworkOffering, VPC, VpcOffering, + StaticNATRule, NATRule, PublicIPAddress, PublicIpRange) @@ -272,7 +273,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): # verify the IPs in VR. eth1 -> source nat IP, eth2 -> tier 1, eth3 -> new ip 3, eth4 -> tier 2 # 13. create new public ip range 2 - # 14. get a free ip 4 in new ip range 2, assign to network, and create port forwarding rules (ssh) to the vm + # 14. get a free ip 4 in new ip range 2, assign to network, and enable static nat to vm 2 in tier 2 # verify the available nics in VR should be "eth0,eth1,eth2,eth3,eth4,eth5," # verify the IPs in VR. eth1 -> source nat IP, eth2 -> tier 1, eth3 -> new ip 3, eth4 -> tier 2, eth5 -> new ip 4 # 15. get a free ip 5 in new ip range 2, assign to network, and create port forwarding rules (ssh) to the vm @@ -451,10 +452,9 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ipaddress=ip_address_1 ) - nat_rule = NATRule.create( + StaticNATRule.enable( self.apiclient, - self.virtual_machine1, - self.services["natrule"], + virtualmachineid=self.virtual_machine1.id, ipaddressid=ipaddress_1.ipaddress.id, networkid=vpc_tier_1.id ) 
@@ -581,7 +581,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ) try: - self.virtual_machine1 = VirtualMachine.create( + self.virtual_machine2 = VirtualMachine.create( self.apiclient, self.services["virtual_machine"], accountid=self.account1.name, @@ -621,7 +621,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ) self.cleanup.append(self.public_ip_range2) - # 14. get a free ip 4 in new ip range 2, assign to network, and create port forwarding rules (ssh) to the vm + # 14. get a free ip 4 in new ip range 2, assign to network, and enable static nat to vm 2 in tier 2 # verify the available nics in VR should be "eth0,eth1,eth2,eth3,eth4,eth5," # verify the IPs in VR. eth1 -> source nat IP, eth2 -> tier 1, eth3 -> new ip 3, eth4 -> tier 2, eth5 -> new ip 4 ip_address_4 = self.get_free_ipaddress(self.public_ip_range2.vlan.id) @@ -632,10 +632,9 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): ipaddress=ip_address_4 ) - nat_rule = NATRule.create( + StaticNATRule.enable( self.apiclient, - self.virtual_machine1, - self.services["natrule"], + virtualmachineid=self.virtual_machine2.id, ipaddressid=ipaddress_4.ipaddress.id, networkid=vpc_tier_2.id ) @@ -665,7 +664,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): nat_rule = NATRule.create( self.apiclient, - self.virtual_machine1, + self.virtual_machine2, self.services["natrule"], ipaddressid=ipaddress_5.ipaddress.id, networkid=vpc_tier_2.id @@ -696,7 +695,7 @@ class TestMultiplePublicIpSubnets(cloudstackTestCase): nat_rule = NATRule.create( self.apiclient, - self.virtual_machine1, + self.virtual_machine2, self.services["natrule"], ipaddressid=ipaddress_6.ipaddress.id, networkid=vpc_tier_2.id
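Review bot: Same remark as for the non-RVR variant: the new `self.virtual_machine2` attribute is assigned in the `try:` block but the hunk does not show it being registered for cleanup, whereas the old code's overwritten `self.virtual_machine1` presumably was. Unless account-level cleanup removes it, add `self.cleanup.append(self.virtual_machine2)` after the create call, mirroring the `self.cleanup.append(self.public_ip_range2)` pattern in the following hunk. The remainder of the `try:` block is outside the hunk.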