Skip to content

Support Firewall for public IPs in VPC#12706

Draft
harikrishna-patnala wants to merge 5 commits intoapache:mainfrom
shapeblue:FWinVPCpublicIP
Draft

Support Firewall for public IPs in VPC#12706
harikrishna-patnala wants to merge 5 commits intoapache:mainfrom
shapeblue:FWinVPCpublicIP

Conversation

@harikrishna-patnala
Copy link
Member

@harikrishna-patnala harikrishna-patnala commented Feb 25, 2026

Description

This PR adds support for firewall rules on public IPs in VPC networks.

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

@harikrishna-patnala
Copy link
Member Author

@blueorangutan package

@blueorangutan
Copy link

@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan
Copy link

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16942

Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds support for firewall rules on public IPs in VPC networks, which were previously only available for non-VPC isolated networks. This is a major feature addition that enables VPC users to configure ingress/egress firewall rules on their public IP addresses, similar to the functionality available in traditional isolated networks.

Changes:

  • Enabled Firewall service for VPC offerings and networks by removing it from the list of non-supported services
  • Added Firewall capability to VpcVirtualRouterElement by removing the code that previously excluded it
  • Updated UI to show firewall tabs for VPC public IPs in various states (source NAT, static NAT, port forwarding, load balancing)
  • Implemented iptables firewall chain logic in VPC virtual routers to support per-public-IP firewall rules
  • Added database migration to retrofit existing VPC offerings, VPC networks, and VPCs with Firewall service

Reviewed changes

Copilot reviewed 9 out of 11 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
ui/src/views/offering/AddVpcOffering.vue Adds Firewall service with VpcVirtualRouter provider to the list of services when creating VPC offerings
ui/src/views/network/PublicIpResource.vue Updates tab visibility logic to show firewall tab for VPC IPs in various states (source NAT, static NAT, etc.)
systemvm/debian/opt/cloud/bin/cs/CsAddress.py Implements PREROUTING firewall chain jump and firewall chain with default DROP policy for public IPs in VPC routers
systemvm/debian/opt/cloud/bin/configure.py Modifies ACL processing to use AclIP (per-IP firewall) instead of AclDevice for VPC firewall rules
server/src/main/java/org/apache/cloudstack/network/RoutedIpv4ManagerImpl.java Removes VPCVirtualRouter check from isVirtualRouterGateway method for Network parameter
server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java Removes Service.Firewall from the list of non-supported VPC services
server/src/main/java/com/cloud/network/element/VpcVirtualRouterElement.java Re-enables Firewall capability for VPC Virtual Router by removing the code that excluded it
server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java Updates network offering validation to no longer automatically set forVpc=false when Firewall service is included
plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java Updates Kubernetes VPC network offering creation to include Firewall service with VPCVirtualRouter provider
engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java Adds database migration to insert Firewall service mappings for existing VPC offerings, networks, and VPCs
engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java Adds Firewall service to default VPC offering providers

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@blueorangutan
Copy link

[SF] Trillian Build Failed (tid-15532)

@harikrishna-patnala
Copy link
Member Author

@blueorangutan package

@blueorangutan
Copy link

@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

@codecov
Copy link

codecov bot commented Feb 26, 2026

Codecov Report

❌ Patch coverage is 1.36986% with 72 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.92%. Comparing base (a5b6bc3) to head (47bbce0).
⚠️ Report is 45 commits behind head on main.

Files with missing lines Patch % Lines
...ava/com/cloud/upgrade/dao/Upgrade42210to42300.java 0.00% 64 Missing ⚠️
...java/com/cloud/server/ConfigurationServerImpl.java 0.00% 4 Missing ⚠️
...ache/cloudstack/network/RoutedIpv4ManagerImpl.java 0.00% 2 Missing ⚠️
...tack/engine/orchestration/NetworkOrchestrator.java 0.00% 1 Missing ⚠️
...bernetes/cluster/KubernetesClusterManagerImpl.java 0.00% 1 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               main   #12706      +/-   ##
============================================
+ Coverage     17.89%   17.92%   +0.02%     
- Complexity    16092    16156      +64     
============================================
  Files          5936     5939       +3     
  Lines        532734   533214     +480     
  Branches      65165    65244      +79     
============================================
+ Hits          95347    95573     +226     
- Misses       426711   426901     +190     
- Partials      10676    10740      +64     
Flag Coverage Δ
uitests 3.66% <ø> (-0.02%) ⬇️
unittests 19.03% <1.36%> (+0.03%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 12 changed files in this pull request and generated 5 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@harikrishna-patnala
Copy link
Member Author

@blueorangutan package

@blueorangutan
Copy link

@harikrishna-patnala a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants