From e3ca32af2ae408b3d5ea4cae47cdf21bcce52d26 Mon Sep 17 00:00:00 2001
From: Alena Prokharchyk
Date: Mon, 2 Jul 2012 16:44:18 -0700
Subject: [PATCH] VPC: remove network ACLs from VPC VR when shutdown guest network
---
 .../com/cloud/network/NetworkManagerImpl.java | 25 ++++++++++++++++++-
 .../element/VpcVirtualRouterElement.java | 6 ++---
 ...VpcVirtualNetworkApplianceManagerImpl.java | 7 +++---
 3 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index ede0698bcc4..25030247c0f 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -3731,7 +3731,7 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
 handled = ((FirewallServiceProvider) ne).applyFWRules(network, rules);
 break;
 case NetworkACL:
- boolean isNetworkACLProvider = isProviderSupportServiceInNetwork(network.getId(), Service.Firewall, provider);
+ boolean isNetworkACLProvider = isProviderSupportServiceInNetwork(network.getId(), Service.NetworkACL, provider);
 if (!(ne instanceof NetworkACLServiceProvider && isNetworkACLProvider)) {
 continue;
 }
@@ -6114,6 +6114,29 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
 s_logger.warn("Failed to cleanup firewall rules as a part of shutdownNetworkRules due to ", ex);
 success = false;
 }
+
+ //revoke all Network ACLs for the network w/o applying them in the DB
+ List networkACLs = _firewallDao.listByNetworkAndPurpose(networkId, Purpose.NetworkACL);
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Releasing " + networkACLs.size() + " Network ACLs for network id=" + networkId +
+ " as a part of shutdownNetworkRules");
+ }
+
+ for (FirewallRuleVO networkACL : networkACLs) {
+ s_logger.trace("Marking network ACL " + networkACL + " with Revoke state");
+ networkACL.setState(FirewallRule.State.Revoke);
+ }
+
+ try {
+ if (!_firewallMgr.applyRules(networkACLs, true, false)) {
+ s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules");
+ success = false;
+ }
+ } catch (ResourceUnavailableException ex) {
+ s_logger.warn("Failed to cleanup network ACLs as a part of shutdownNetworkRules due to ", ex);
+ success = false;
+ }
+
+ // Get all ip addresses, mark as releasing and release them on the backend
 Network network = getNetwork(networkId);
diff --git a/server/src/com/cloud/network/element/VpcVirtualRouterElement.java b/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
index 801e4f2493d..7cc57f18978 100644
--- a/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
+++ b/server/src/com/cloud/network/element/VpcVirtualRouterElement.java
@@ -112,9 +112,7 @@ public class VpcVirtualRouterElement extends VirtualRouterElement implements Vpc
 s_logger.trace("Element " + getProvider().getName() + " doesn't support service " + service.getName() + " in the network " + network);
 return false;
- } else if (service == Service.Firewall) {
- //todo - get capability here
- }
+ }
 }
 return true;
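Review bot: The two positional boolean literals in `_firewallMgr.applyRules(networkACLs, true, false)` are the only thing that implements what the comment above promises ("w/o applying them in the DB"), and nothing at the call site says which flag does that; binding them to locals named after the parameters of FirewallManager.applyRules (not visible here) would make the intent checkable and keep it in step with the firewall-rules block just above. When `listByNetworkAndPurpose` returns an empty list the block still calls applyRules, so a `false` return for an empty batch would clear `success` and log a misleading cleanup warning; `if (!networkACLs.isEmpty()) {` around the try block would avoid that, unless the existing firewall block deliberately relies on the same behaviour. Note that the Revoke state is only set on the in-memory VOs, so a backend failure leaves the ACLs in their previous DB state with nothing but the warning to show for it, which is worth a one-line comment. shutdownNetworkRules starts and ends outside the hunk.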
@@ -399,7 +397,7 @@ public class VpcVirtualRouterElement extends VirtualRouterElement implements Vpc
 @Override
 public boolean applyNetworkACLs(Network config, List rules) throws ResourceUnavailableException {
- if (canHandle(config, Service.Firewall)) {
+ if (canHandle(config, Service.NetworkACL)) {
 List routers = _routerDao.listByNetworkAndRole(config.getId(), Role.VIRTUAL_ROUTER);
 if (routers == null || routers.isEmpty()) {
 s_logger.debug("Virtual router elemnt doesn't need to apply firewall rules on the backend; virtual " +
diff --git a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
index 1e92edb5c9b..649c8766d86 100644
--- a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
@@ -897,7 +897,7 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
 super.finalizeNetworkRulesForNetwork(cmds, router, provider, guestNetworkId);
- if (_networkMgr.isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall, Provider.VPCVirtualRouter)) {
+ if (_networkMgr.isProviderSupportServiceInNetwork(guestNetworkId, Service.NetworkACL, Provider.VPCVirtualRouter)) {
 List networkACLs = _networkACLMgr.listNetworkACLs(guestNetworkId);
 s_logger.debug("Found " + networkACLs.size() + " network ACLs to apply as a part of VPC VR " + router + " start for guest network id=" + guestNetworkId);
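Review bot: The new condition in finalizeNetworkRulesForNetwork hardcodes `Provider.VPCVirtualRouter` while a `provider` parameter is in scope (it is forwarded to `super.finalizeNetworkRulesForNetwork` on the first context line), so the decision to push ACLs to this router is gated on a constant rather than on the provider the caller resolved, and the `provider`-based form is what the guard removed in the next hunk used. If the two are always the same for a VPC router, a one-line comment saying so would settle it; otherwise `if (_networkMgr.isProviderSupportServiceInNetwork(guestNetworkId, Service.NetworkACL, provider)) {` keeps the gate consistent with the parameter. The result of `_networkACLMgr.listNetworkACLs` is dereferenced with `.size()` on the following line without a null check; whether it can return null is not visible here. The enclosing method continues outside the hunk.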
@@ -1001,9 +1001,8 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
 if (publicIps != null && !publicIps.isEmpty()) {
 s_logger.debug("Found " + publicIps.size() + " ip(s) to apply as a part of domR " + router + " start.");
 // Re-apply public ip addresses - should come before PF/LB/VPN
- if (_networkMgr.isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall, provider)) {
- createVpcAssociatePublicIPCommands(router, publicIps, cmds);
- }
+ createVpcAssociatePublicIPCommands(router, publicIps, cmds);
+ }
 }
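Review bot: Removing the `isProviderSupportServiceInNetwork(guestNetworkId, Service.Firewall, provider)` guard means associate-IP commands are now built on every VPC router start regardless of which provider owns the service, which is a wider change than the ACL fix named in the commit subject. If the reason is that public IPs of a VPC always belong to the VPC VR, recording it with `// public IPs of a VPC are always handled by the VPC VR; no provider check needed` above the call would keep the next reader from re-adding the check. The hunk ends with an added `}` immediately followed by a context `}`, one more closing brace than the visible `if (publicIps != null ...) {` opens, which is probably a re-indented brace but is worth confirming against the file. The enclosing method starts and ends outside the hunk.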