VPC: remove network ACLs from VPC VR when shutdown guest network

2012-07-02 16:44:18 -07:00 · 2012-07-02 16:44:18 -07:00 · e3ca32af2a
parent ecf1c42baa
commit e3ca32af2a
3 changed files with 29 additions and 9 deletions
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@ -3731,7 +3731,7 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
                    handled = ((FirewallServiceProvider) ne).applyFWRules(network, rules);
                    break;
                case NetworkACL:
-                    boolean isNetworkACLProvider = isProviderSupportServiceInNetwork(network.getId(), Service.Firewall, provider);
+                    boolean isNetworkACLProvider = isProviderSupportServiceInNetwork(network.getId(), Service.NetworkACL, provider);
                    if (!(ne instanceof NetworkACLServiceProvider && isNetworkACLProvider)) {
                        continue;
                    }
@ -6114,6 +6114,29 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
            s_logger.warn("Failed to cleanup firewall rules as a part of shutdownNetworkRules due to ", ex);
            success = false;
        }
+        
+        //revoke all Network ACLs for the network w/o applying them in the DB
+        List<FirewallRuleVO> networkACLs = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.NetworkACL);
+        if (s_logger.isDebugEnabled()) {
+            s_logger.debug("Releasing " + networkACLs.size() + " Network ACLs for network id=" + networkId +
+                    " as a part of shutdownNetworkRules");
+        }
+
+        for (FirewallRuleVO networkACL : networkACLs) {
+            s_logger.trace("Marking network ACL " + networkACL + " with Revoke state");
+            networkACL.setState(FirewallRule.State.Revoke);
+        }
+
+        try {
+            if (!_firewallMgr.applyRules(networkACLs, true, false)) {
+                s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules");
+                success = false;
+            }
+        } catch (ResourceUnavailableException ex) {
+            s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules due to ", ex);
+            success = false;
+        }
+        

        // Get all ip addresses, mark as releasing and release them on the backend
        Network network = getNetwork(networkId);
--- a/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
+++ b/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
@ -112,9 +112,7 @@ public class VpcVirtualRouterElement extends VirtualRouterElement implements Vpc
                s_logger.trace("Element " + getProvider().getName() + " doesn't support service " + service.getName() 
                        + " in the network " + network);
                return false;
-            } else if (service == Service.Firewall) {
-                //todo - get capability here
-            }
+            } 
        }

        return true;
@ -399,7 +397,7 @@ public class VpcVirtualRouterElement extends VirtualRouterElement implements Vpc
    
    @Override
    public boolean applyNetworkACLs(Network config, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
-        if (canHandle(config, Service.Firewall)) {
+        if (canHandle(config, Service.NetworkACL)) {
            List<DomainRouterVO> routers = _routerDao.listByNetworkAndRole(config.getId(), Role.VIRTUAL_ROUTER);
            if (routers == null || routers.isEmpty()) {
                s_logger.debug("Virtual router elemnt doesn't need to apply firewall rules on the backend; virtual " +
--- a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
@ -897,7 +897,7 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
        
        super.finalizeNetworkRulesForNetwork(cmds, router, provider, guestNetworkId);
        
-        if (_networkMgr.isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall, Provider.VPCVirtualRouter)) {
+        if (_networkMgr.isProviderSupportServiceInNetwork(guestNetworkId, Service.NetworkACL, Provider.VPCVirtualRouter)) {
            List<? extends NetworkACL> networkACLs = _networkACLMgr.listNetworkACLs(guestNetworkId);
            s_logger.debug("Found " + networkACLs.size() + " network ACLs to apply as a part of VPC VR " + router 
                    + " start for guest network id=" + guestNetworkId);
@ -1001,9 +1001,8 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
        if (publicIps != null && !publicIps.isEmpty()) {
            s_logger.debug("Found " + publicIps.size() + " ip(s) to apply as a part of domR " + router + " start.");
            // Re-apply public ip addresses - should come before PF/LB/VPN
-            if (_networkMgr.isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall, provider)) {
-                createVpcAssociatePublicIPCommands(router, publicIps, cmds);
-            }
+            createVpcAssociatePublicIPCommands(router, publicIps, cmds);
+            
        }
    }