Support Firewall for public IPs in VPC

[harikrishna-patnala]

Description

This PR adds support for firewall rules on public IPs in VPC networks.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[harikrishna-patnala]

@blueorangutan package

[blueorangutan]

@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16942

[Copilot]

Pull request overview

This PR adds support for firewall rules on public IPs in VPC networks, which were previously only available for non-VPC isolated networks. This is a major feature addition that enables VPC users to configure ingress/egress firewall rules on their public IP addresses, similar to the functionality available in traditional isolated networks.

Changes:

• Enabled Firewall service for VPC offerings and networks by removing it from the list of non-supported services
• Added Firewall capability to VpcVirtualRouterElement by removing the code that previously excluded it
• Updated UI to show firewall tabs for VPC public IPs in various states (source NAT, static NAT, port forwarding, load balancing)
• Implemented iptables firewall chain logic in VPC virtual routers to support per-public-IP firewall rules
• Added database migration to retrofit existing VPC offerings, VPC networks, and VPCs with Firewall service

Reviewed changes

Copilot reviewed 9 out of 11 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
ui/src/views/offering/AddVpcOffering.vue	Adds Firewall service with VpcVirtualRouter provider to the list of services when creating VPC offerings
ui/src/views/network/PublicIpResource.vue	Updates tab visibility logic to show firewall tab for VPC IPs in various states (source NAT, static NAT, etc.)
systemvm/debian/opt/cloud/bin/cs/CsAddress.py	Implements PREROUTING firewall chain jump and firewall chain with default DROP policy for public IPs in VPC routers
systemvm/debian/opt/cloud/bin/configure.py	Modifies ACL processing to use AclIP (per-IP firewall) instead of AclDevice for VPC firewall rules
server/src/main/java/org/apache/cloudstack/network/RoutedIpv4ManagerImpl.java	Removes VPCVirtualRouter check from isVirtualRouterGateway method for Network parameter
server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java	Removes Service.Firewall from the list of non-supported VPC services
server/src/main/java/com/cloud/network/element/VpcVirtualRouterElement.java	Re-enables Firewall capability for VPC Virtual Router by removing the code that excluded it
server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java	Updates network offering validation to no longer automatically set forVpc=false when Firewall service is included
plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java	Updates Kubernetes VPC network offering creation to include Firewall service with VPCVirtualRouter provider
engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java	Adds database migration to insert Firewall service mappings for existing VPC offerings, networks, and VPCs
engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java	Adds Firewall service to default VPC offering providers

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[blueorangutan]

[SF] Trillian Build Failed (tid-15532)

[harikrishna-patnala]

@blueorangutan package

[blueorangutan]

@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[codecov]

Codecov Report

❌ Patch coverage is 1.36986% with 72 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.92%. Comparing base (a5b6bc3) to head (47bbce0).
⚠️ Report is 45 commits behind head on main.

Files with missing lines	Patch %	Lines
...ava/com/cloud/upgrade/dao/Upgrade42210to42300.java	0.00%	64 Missing ⚠️
...java/com/cloud/server/ConfigurationServerImpl.java	0.00%	4 Missing ⚠️
...ache/cloudstack/network/RoutedIpv4ManagerImpl.java	0.00%	2 Missing ⚠️
...tack/engine/orchestration/NetworkOrchestrator.java	0.00%	1 Missing ⚠️
...bernetes/cluster/KubernetesClusterManagerImpl.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #12706      +/-   ##
============================================
+ Coverage     17.89%   17.92%   +0.02%     
- Complexity    16092    16156      +64     
============================================
  Files          5936     5939       +3     
  Lines        532734   533214     +480     
  Branches      65165    65244      +79     
============================================
+ Hits          95347    95573     +226     
- Misses       426711   426901     +190     
- Partials      10676    10740      +64     

Flag	Coverage Δ
uitests	3.66% <ø> (-0.02%)	⬇️
unittests	19.03% <1.36%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 12 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[harikrishna-patnala]

@blueorangutan package

[blueorangutan]

@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.