CLOUDSTACK-3352 fixed removing previous acl rules when emply acl is applied

api/src/com/cloud/network/element/VpcProvider.java

@@ -24,6 +24,7 @@ import com.cloud.exception.ConcurrentOperationException;
 import com.cloud.exception.InsufficientCapacityException;
 import com.cloud.exception.InsufficientNetworkCapacityException;
 import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.vpc.NetworkACLItem;
 import com.cloud.network.vpc.PrivateGateway;
 import com.cloud.network.vpc.StaticRouteProfile;
 import com.cloud.network.vpc.Vpc;
@@ -53,5 +54,5 @@ public interface VpcProvider extends NetworkElement{
 
     boolean applyStaticRoutes(Vpc vpc, List<StaticRouteProfile> routes) throws ResourceUnavailableException;
 
-    boolean applyACLItemsToPrivateGw(PrivateGateway gateway) throws ResourceUnavailableException;
+    boolean applyACLItemsToPrivateGw(PrivateGateway gateway, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException;
 }

server/src/com/cloud/network/element/VpcVirtualRouterElement.java

@@ -343,7 +343,8 @@ public class VpcVirtualRouterElement extends VirtualRouterElement implements Vpc
 
         if ( _vpcRouterMgr.setupPrivateGateway(gateway, router) ) {
             try {
-                if (!applyACLItemsToPrivateGw(gateway)) {
+                List<NetworkACLItemVO> rules = _networkACLItemDao.listByACL(gateway.getNetworkACLId());
+                if (!applyACLItemsToPrivateGw(gateway, rules)) {
                     s_logger.debug ("Failed to apply network acl id  "+ gateway.getNetworkACLId() + "  on gateway ");
                     return  false;
                 }
@@ -446,9 +447,8 @@ public class VpcVirtualRouterElement extends VirtualRouterElement implements Vpc
     }
 
     @Override
-    public boolean applyACLItemsToPrivateGw(PrivateGateway gateway) throws ResourceUnavailableException {
+    public boolean applyACLItemsToPrivateGw(PrivateGateway gateway,List<? extends NetworkACLItem> rules) throws ResourceUnavailableException {
         VpcGatewayVO vpcGatewayVo = _vpcGatewayDao.findById(gateway.getId());
-        List<NetworkACLItemVO> rules = _networkACLItemDao.listByACL(vpcGatewayVo.getNetworkACLId());
         Network config = _networkDao.findById(gateway.getNetworkId());
         boolean isPrivateGateway = true;
 

server/src/com/cloud/network/vpc/NetworkACLManagerImpl.java

@@ -153,6 +153,17 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
     @Override
     public boolean replaceNetworkACLForPrivateGw(NetworkACL acl, PrivateGateway gateway) throws ResourceUnavailableException {
         VpcGatewayVO vpcGatewayVo = _vpcGatewayDao.findById(gateway.getId());
+        List<NetworkACLItemVO> aclItems = _networkACLItemDao.listByACL(acl.getId());
+        if (aclItems == null || aclItems.isEmpty()) {
+            //Revoke ACL Items of the existing ACL if the new network acl is empty
+            //Other wise existing rules will not be removed on the router elelment
+            s_logger.debug("New network ACL is empty. Revoke existing rules before applying ACL");
+            if(!revokeACLItemsForPrivateGw (gateway)){
+                throw new CloudRuntimeException("Failed to replace network ACL. Error while removing existing ACL " +
+                        "items for privatewa gateway: "+ gateway.getId());
+            }
+        }
+
         vpcGatewayVo.setNetworkACLId(acl.getId());
         if (_vpcGatewayDao.update(vpcGatewayVo.getId(),vpcGatewayVo)) {
             return applyACLToPrivateGw(gateway);
@@ -318,7 +329,7 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
             }
         }
 
-        boolean success = applyACLItemsToPrivateGw(gateway, aclItems);
+        boolean success = applyACLToPrivateGw(gateway, aclItems);
 
         if (s_logger.isDebugEnabled() && success) {
             s_logger.debug("Successfully released Network ACLs for private gateway id=" + gateway.getId() + " and # of rules now = "
@@ -345,11 +356,11 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
     @Override
     public boolean applyACLToPrivateGw(PrivateGateway gateway) throws ResourceUnavailableException {
         VpcGatewayVO vpcGatewayVO = _vpcGatewayDao.findById(gateway.getId());
-        List<NetworkACLItemVO> rules = _networkACLItemDao.listByACL(vpcGatewayVO.getNetworkACLId());
-        return applyACLItemsToPrivateGw(gateway, rules);
+        List<? extends NetworkACLItem> rules = _networkACLItemDao.listByACL(vpcGatewayVO.getNetworkACLId());
+        return applyACLToPrivateGw(gateway, rules);
     }
 
-    private boolean applyACLItemsToPrivateGw(PrivateGateway gateway, List<NetworkACLItemVO> rules) throws ResourceUnavailableException {
+    private boolean applyACLToPrivateGw(PrivateGateway gateway, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException {
         List<VpcProvider> vpcElements = null;
         vpcElements = new ArrayList<VpcProvider>();
         vpcElements.add((VpcProvider)_ntwkModel.getElementImplementingProvider(Network.Provider.VPCVirtualRouter.getName()));
@@ -359,7 +370,7 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
         }
 
         for (VpcProvider provider: vpcElements){
-            return provider.applyACLItemsToPrivateGw(gateway);
+            return provider.applyACLItemsToPrivateGw(gateway, rules);
             }
         return false;
     }