etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix delete firewall flow

This commit is contained in:
Harikrishna Patnala 2026-05-12 15:29:30 +05:30
parent 27e53953ac
commit ea66ea5dcc
3 changed files with 61 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
View File

@ -894,7 +894,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
success = false;
} else {
removeRule(rule);
if (rule.getSourceIpAddressId() != null) {
if (rule.getSourceIpAddressId() != null && rule.getVpcId() == null) {
//if the rule is the last one for the ip address assigned to VPC, unassign it from the network
_vpcMgr.unassignIPFromVpcNetwork(rule.getSourceIpAddressId(), rule.getNetworkId());
}

51
systemvm/debian/opt/cloud/bin/configure.py
View File

@ -703,6 +703,7 @@ class CsAcl(CsDataBag):
self.add_routing_rules()
return
desired_firewall_ips = self._get_desired_vpc_firewall_ips()
fw_chains_created = set()
for item in self.dbag:
if item == "id":
@ -725,6 +726,56 @@ class CsAcl(CsDataBag):
fw_chains_created.add(src_ip)
self.AclIP(self.dbag[item], self.config).create()
if self.config.is_vpc():
self._cleanup_removed_vpc_firewall_chains(desired_firewall_ips)
def _get_desired_vpc_firewall_ips(self):
desired_firewall_ips = set()
if not self.config.is_vpc():
return desired_firewall_ips
for item in self.dbag:
if item == "id":
continue
rule = self.dbag[item]
if rule.get("purpose") == "Firewall":
src_ip = rule.get("src_ip")
if src_ip:
desired_firewall_ips.add(src_ip)
return desired_firewall_ips
def _cleanup_removed_vpc_firewall_chains(self, desired_firewall_ips):
"""Delete FIREWALL_<ip> chain only when no firewall rule remains for that VPC public IP."""
try:
mangle_save = CsHelper.execute("iptables-save -t mangle")
existing_firewall_ips = []
for line in mangle_save:
if line.startswith(":FIREWALL_"):
chain = line.split(" ")[0][1:]
existing_firewall_ips.append(chain.replace("FIREWALL_", "", 1))
for src_ip in existing_firewall_ips:
if src_ip in desired_firewall_ips:
continue
self._delete_vpc_firewall_chain(src_ip)
except Exception as e:
logging.debug("Failed VPC firewall chain cleanup: %s", e)
def _delete_vpc_firewall_chain(self, src_ip):
chain = "FIREWALL_%s" % src_ip
try:
prerouting_rules = CsHelper.execute("iptables -t mangle -S PREROUTING")
for rule in prerouting_rules:
if ("-d %s/32" % src_ip) in rule and ("-j %s" % chain) in rule:
delete_rule = rule.replace("-A PREROUTING", "-D PREROUTING", 1)
CsHelper.execute2("iptables -t mangle %s" % delete_rule, False)
CsHelper.execute2("iptables -t mangle -F %s" % chain, False)
CsHelper.execute2("iptables -t mangle -X %s" % chain, False)
logging.info("Deleted VPC firewall chain %s as last firewall rule was removed", chain)
except Exception as e:
logging.debug("Failed deleting VPC firewall chain %s: %s", chain, e)
class CsIpv6Firewall(CsDataBag):
"""
Deal with IPv6 Firewall

14
ui/src/views/network/PublicIpResource.vue
View File

@ -147,11 +147,15 @@ export default {
// VPC IPs with static nat keep existing VPN behavior and always show firewall
if (this.resource.isstaticnat) {
let tabs = this.defaultTabs
if (this.resource.virtualmachinetype === 'DomainRouter') {
tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'vpn'))
}
this.tabs = hasFirewallCapability ? this.addFirewallTab(tabs) : tabs
const tabs = this.addFirewallTab(this.$route.meta.tabs).map(tab => {
if (tab.name !== 'firewall') {
return tab
}
const staticNatFirewallTab = { ...tab }
delete staticNatFirewallTab.networkServiceFilter
return staticNatFirewallTab
})
this.tabs = tabs
return
}