From 7c0f30ad541fb1659703df9dc865fa304d165bf5 Mon Sep 17 00:00:00 2001 From: Harikrishna Patnala Date: Wed, 25 Feb 2026 15:32:20 +0530 Subject: [PATCH 1/7] Support Firewall for public IPs in VPC --- .../orchestration/NetworkOrchestrator.java | 1 + .../upgrade/dao/Upgrade42210to42300.java | 72 +++++++++++++++++++ .../cluster/KubernetesClusterManagerImpl.java | 3 +- .../ConfigurationManagerImpl.java | 2 +- .../element/VpcVirtualRouterElement.java | 4 -- .../network/RoutedIpv4ManagerImpl.java | 3 +- systemvm/debian/opt/cloud/bin/configure.py | 4 +- systemvm/debian/opt/cloud/bin/cs/CsAddress.py | 12 ++++ ui/src/views/network/PublicIpResource.vue | 18 ++--- ui/src/views/offering/AddVpcOffering.vue | 6 ++ 10 files changed, 106 insertions(+), 19 deletions(-) diff --git a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java index 31144296f602..fb05eab6c0c0 100644 --- a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java +++ b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java @@ -556,6 +556,7 @@ public boolean configure(final String name, final Map params) th defaultVPCOffProviders.put(Service.StaticNat, defaultProviders); defaultVPCOffProviders.put(Service.PortForwarding, defaultProviders); defaultVPCOffProviders.put(Service.Vpn, defaultProviders); + defaultVPCOffProviders.put(Service.Firewall, defaultProviders); Transaction.execute(new TransactionCallbackNoReturn() { @Override diff --git a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java index df4743894c9d..ae8bb4096baa 100644 --- a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java 
+++ b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java @@ -17,6 +17,12 @@ package com.cloud.upgrade.dao; import java.io.InputStream; +import java.sql.Connection; +import java.sql.PreparedStatement; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.util.Arrays; +import java.util.List; import com.cloud.utils.exception.CloudRuntimeException; 
@@ -42,4 +48,70 @@ public InputStream[] getPrepareScripts() { return new InputStream[] {script}; } + + @Override + public void performDataMigration(Connection conn) { + updateVpcDefaultOfferingsWithFirewallService(conn); + } + + private void updateVpcDefaultOfferingsWithFirewallService(Connection conn) { + logger.debug("Updating default VPC offerings to add Firewall service with VpcVirtualRouter provider"); + + final List defaultVpcOfferingUniqueNames = Arrays.asList( + "DefaultIsolatedNetworkOfferingForVpcNetworks", + "DefaultIsolatedNetworkOfferingForVpcNetworksNoLB", + "DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB", + "DefaultNATNSXNetworkOfferingForVpc", + "DefaultRoutedNSXNetworkOfferingForVpc", + "DefaultNATNSXNetworkOfferingForVpcWithInternalLB", + "DefaultRoutedNetrisNetworkOfferingForVpc", + "DefaultNATNetrisNetworkOfferingForVpc", + "DefaultNSXVPCNetworkOfferingforKubernetesService" + ); + + try { + for (String uniqueName : defaultVpcOfferingUniqueNames) { + PreparedStatement pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`network_offerings` WHERE unique_name = ?"); + pstmt.setString(1, uniqueName); + + ResultSet rs = pstmt.executeQuery(); + if (!rs.next()) { + continue; + } + + long offeringId = rs.getLong(1); + rs.close(); + pstmt.close(); + + // Insert into ntwk_offering_service_map (if not exists) + pstmt = conn.prepareStatement("INSERT INTO `cloud`.`ntwk_offering_service_map` " + + "(network_offering_id, service, provider, created) " + + "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())"); + pstmt.setLong(1, offeringId); + pstmt.executeUpdate(); + pstmt.close(); + + // Update existing networks (ntwk_service_map) + pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`networks` WHERE network_offering_id = ?"); + pstmt.setLong(1, offeringId); + + rs = pstmt.executeQuery(); + while (rs.next()) { + long networkId = rs.getLong(1); + PreparedStatement insertService = conn.prepareStatement("INSERT INTO `cloud`.`ntwk_service_map` " + + 
"(network_id, service, provider, created) " + + "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())"); + insertService.setLong(1, networkId); + insertService.executeUpdate(); + insertService.close(); + } + + rs.close(); + pstmt.close(); + } + + } catch (SQLException e) { + logger.warn("Exception while updating VPC default offerings with Firewall service: " + e.getMessage(), e); + } + } } diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java index d19470f8bab2..29b1f693a85f 100644 --- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java +++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java @@ -2713,9 +2713,8 @@ private void createNetworkOfferingForKubernetes(String offeringName, String offe defaultKubernetesServiceNetworkOfferingProviders.put(Service.UserData, provider); if (forVpc) { defaultKubernetesServiceNetworkOfferingProviders.put(Service.NetworkACL, forNsx ? Network.Provider.Nsx : provider); - } else { - defaultKubernetesServiceNetworkOfferingProviders.put(Service.Firewall, forNsx ? Network.Provider.Nsx : provider); } + defaultKubernetesServiceNetworkOfferingProviders.put(Service.Firewall, forNsx ? Network.Provider.Nsx : provider); defaultKubernetesServiceNetworkOfferingProviders.put(Service.Lb, forNsx ? Network.Provider.Nsx : provider); defaultKubernetesServiceNetworkOfferingProviders.put(Service.SourceNat, forNsx ? Network.Provider.Nsx : provider); defaultKubernetesServiceNetworkOfferingProviders.put(Service.StaticNat, forNsx ? Network.Provider.Nsx : provider); 
diff --git a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java index 7b171e5f996f..e23c312e41d2 100644 --- a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java +++ b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java @@ -6727,7 +6727,7 @@ public NetworkOffering createNetworkOffering(final CreateNetworkOfferingCmd cmd) } if (forVpc == null) { - if (service == Service.SecurityGroup || service == Service.Firewall) { + if (service == Service.SecurityGroup) { forVpc = false; } else if (service == Service.NetworkACL) { forVpc = true; diff --git a/server/src/main/java/com/cloud/network/element/VpcVirtualRouterElement.java b/server/src/main/java/com/cloud/network/element/VpcVirtualRouterElement.java index f393ef8a129d..2b12c1a9f13d 100644 --- a/server/src/main/java/com/cloud/network/element/VpcVirtualRouterElement.java +++ b/server/src/main/java/com/cloud/network/element/VpcVirtualRouterElement.java @@ -412,10 +412,6 @@ private static Map> setCapabilities() { vpnCapabilities.putAll(capabilities.get(Service.Vpn)); vpnCapabilities.put(Capability.VpnTypes, "s2svpn"); capabilities.put(Service.Vpn, vpnCapabilities); - - // remove firewall capability - capabilities.remove(Service.Firewall); - // add network ACL capability final Map networkACLCapabilities = new HashMap(); networkACLCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp"); diff --git a/server/src/main/java/org/apache/cloudstack/network/RoutedIpv4ManagerImpl.java b/server/src/main/java/org/apache/cloudstack/network/RoutedIpv4ManagerImpl.java index 5e49872c64db..b5584cf03fa5 100644 --- a/server/src/main/java/org/apache/cloudstack/network/RoutedIpv4ManagerImpl.java +++ b/server/src/main/java/org/apache/cloudstack/network/RoutedIpv4ManagerImpl.java 
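Review bot: Deleting `capabilities.remove(Service.Firewall)` makes VpcVirtualRouterElement inherit whatever Firewall capability map `VirtualRouterElement.setCapabilities()` declares (not visible here; presumably including egress in `SupportedTrafficDirection`), while the router-side work in this series only installs an ingress `FIREWALL_<ip>` chain. If the inherited map advertises egress support, egress firewall rules on a VPC tier would be accepted by the API but never enforced on the router, which fails open; consider an explicit ingress-only map here, e.g. `firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress");` alongside the protocol and MultipleIps entries, with a comment stating that egress on VPC tiers is handled by network ACLs. setCapabilities() starts before the hunk.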
@@ -989,8 +989,7 @@ public boolean applyRoutingFirewallRule(long id) { @Override public boolean isVirtualRouterGateway(Network network) { return isRoutedNetwork(network) - && (networkServiceMapDao.canProviderSupportServiceInNetwork(network.getId(), Service.Gateway, Provider.VirtualRouter)) - || networkServiceMapDao.canProviderSupportServiceInNetwork(network.getId(), Service.Gateway, Provider.VPCVirtualRouter); + && (networkServiceMapDao.canProviderSupportServiceInNetwork(network.getId(), Service.Gateway, Provider.VirtualRouter)); } @Override diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py index bf48be66694c..b2c0676c65d0 100755 --- a/systemvm/debian/opt/cloud/bin/configure.py +++ b/systemvm/debian/opt/cloud/bin/configure.py @@ -705,8 +705,8 @@ def process(self): for item in self.dbag: if item == "id": - continue - if self.config.is_vpc(): + continue + if self.config.is_vpc() and not ("purpose" in self.dbag[item] and self.dbag[item]["purpose"] == "Firewall"): self.AclDevice(self.dbag[item], self.config).create() else: self.AclIP(self.dbag[item], self.config).create() diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py index c7dac4df47ea..77ec08921cde 100755 --- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py +++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py 
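Review bot: The removed alternative sat outside the `isRoutedNetwork(network) &&` guard — `A && (B) || C` parses as `(A && B) || C` — so before this change any network whose Gateway provider was VPCVirtualRouter counted as a virtual-router gateway even when not routed; dropping it fixes the precedence, but it also means a routed VPC tier whose Gateway provider is VPCVirtualRouter now returns false. If that is not intended, keep the check inside the guard: `&& (networkServiceMapDao.canProviderSupportServiceInNetwork(network.getId(), Service.Gateway, Provider.VirtualRouter) || networkServiceMapDao.canProviderSupportServiceInNetwork(network.getId(), Service.Gateway, Provider.VPCVirtualRouter))`. The same question applies to the NetworkOffering overload changed in patch 4, and either way a one-line comment saying why VPCVirtualRouter is (or is not) a gateway provider here would help the next reader.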
@@ -632,6 +632,18 @@ def fw_vpcrouter(self): (self.address['network'], self.address['network'])]) if self.get_type() in ["public"]: + # Add PREROUTING firewall chain jump for public IP + self.fw.append(["mangle", "front", + "-A PREROUTING " + + "-d %s/32 -j FIREWALL_%s" % (self.address['public_ip'], self.address['public_ip'])]) + + # Add the firewall chain with default DROP policy + self.fw.append(["mangle", "front", + "-A FIREWALL_%s " % self.address['public_ip'] + + "-m state --state RELATED,ESTABLISHED -j RETURN"]) + self.fw.append(["mangle", "", + "-A FIREWALL_%s -j DROP" % self.address['public_ip']]) + self.fw.append( ["mangle", "", "-A FORWARD -j VPN_STATS_%s" % self.dev]) self.fw.append( diff --git a/ui/src/views/network/PublicIpResource.vue b/ui/src/views/network/PublicIpResource.vue index 7c25e1c32bad..299c5b462370 100644 --- a/ui/src/views/network/PublicIpResource.vue +++ b/ui/src/views/network/PublicIpResource.vue 
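Review bot: The `FIREWALL_<ip>` chain with its trailing `-j DROP` is installed for every public IP on a VPC router with no condition tied to the Firewall service being enabled for that VPC, so a VPC whose offering lacks the service (custom offerings, which the migration in this series does not touch) would have all new inbound connections to its public IPs dropped with no API to open them; gate these appends on a flag the management server sends for the IP, or emit the chain only when firewall rules for that IP exist. The RELATED,ESTABLISHED rule uses `-j RETURN` rather than ACCEPT, which lets later mangle PREROUTING rules (marking, presumably) still run — likely intended, but worth a comment such as `# RETURN, not ACCEPT: later PREROUTING mark rules must still see this traffic`. `-m state` is the legacy alias; `-m conntrack --ctstate RELATED,ESTABLISHED` is the current form. fw_vpcrouter starts before the hunk.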
@@ -135,22 +135,24 @@ export default { return } if (this.resource && this.resource.vpcid) { - // VPC IPs with source nat have only VPN + // VPC IPs with source nat have VPN and Firewall if (this.resource.issourcenat) { - this.tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'vpn')) + this.tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => ['vpn', 'firewall'].includes(tab.name))) return } - // VPC IPs with static nat have nothing + // VPC IPs with static nat have firewall if (this.resource.isstaticnat) { if (this.resource.virtualmachinetype === 'DomainRouter') { - this.tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'vpn')) + this.tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => ['vpn', 'firewall'].includes(tab.name))) + } else { + this.tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'firewall')) } return } - // VPC IPs don't have firewall - let tabs = this.$route.meta.tabs.filter(tab => tab.name !== 'firewall') + // VPC IPs now have firewall support + let tabs = this.$route.meta.tabs const network = await this.fetchNetwork() if (network && network.networkofferingconservemode) { @@ -161,12 +163,12 @@ export default { this.portFWRuleCount = await this.fetchPortFWRule() this.loadBalancerRuleCount = await this.fetchLoadBalancerRule() - // VPC IPs with PF only have PF + // VPC IPs with PF only have PF (and firewall) if (this.portFWRuleCount > 0) { tabs = tabs.filter(tab => tab.name !== 'loadbalancing') } - // VPC IPs with LB rules only have LB + // VPC IPs with LB rules only have LB (and firewall) if (this.loadBalancerRuleCount > 0) { tabs = tabs.filter(tab => tab.name !== 'portforwarding') } diff --git a/ui/src/views/offering/AddVpcOffering.vue b/ui/src/views/offering/AddVpcOffering.vue index 32aa3e8d3583..0f0ef0c2b100 100644 --- a/ui/src/views/offering/AddVpcOffering.vue +++ b/ui/src/views/offering/AddVpcOffering.vue 
@@ -525,6 +525,12 @@ export default { { name: 'ConfigDrive' } ] }) + services.push({ + name: 'Firewall', + provider: [ + { name: 'VpcVirtualRouter' } + ] + }) services.push({ name: 'Lb', provider: [ From 2aaa7f7d4832b5121e85800b042c05d60021fec7 Mon Sep 17 00:00:00 2001 From: Harikrishna Patnala Date: Wed, 25 Feb 2026 17:09:14 +0530 Subject: [PATCH 2/7] default offering changes --- .../upgrade/dao/Upgrade42210to42300.java | 66 ++++++++++++++++++- .../cluster/KubernetesClusterManagerImpl.java | 2 +- .../com/cloud/network/vpc/VpcManagerImpl.java | 2 +- 3 files changed, 65 insertions(+), 5 deletions(-) diff --git a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java index ae8bb4096baa..5c530519d46c 100644 --- a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java +++ b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java @@ -51,11 +51,12 @@ public InputStream[] getPrepareScripts() { @Override public void performDataMigration(Connection conn) { - updateVpcDefaultOfferingsWithFirewallService(conn); + updateNetworkDefaultOfferingsForVPCWithFirewallService(conn); + updateVpcOfferingsWithFirewallService(conn); } - private void updateVpcDefaultOfferingsWithFirewallService(Connection conn) { - logger.debug("Updating default VPC offerings to add Firewall service with VpcVirtualRouter provider"); + private void updateNetworkDefaultOfferingsForVPCWithFirewallService(Connection conn) { + logger.debug("Updating default Network offerings for VPC to add Firewall service with VpcVirtualRouter provider"); final List defaultVpcOfferingUniqueNames = Arrays.asList( "DefaultIsolatedNetworkOfferingForVpcNetworks", 
@@ -114,4 +115,63 @@ private void updateVpcDefaultOfferingsWithFirewallService(Connection conn) { logger.warn("Exception while updating VPC default offerings with Firewall service: " + e.getMessage(), e); } } + + private void updateVpcOfferingsWithFirewallService(Connection conn) { + logger.debug("Updating default VPC offerings to add Firewall service with VpcVirtualRouter provider"); + + final List vpcOfferingUniqueNames = Arrays.asList( + "Default VPC offering", + "Default VPC offering with Netscaler", + "Redundant VPC offering", + "VPC offering with NSX - NAT Mode", + "VPC offering with NSX - Route Mode", + "VPC offering with Netris - Route Mode", + "VPC offering with Netris - NAT Mode" + ); + + try { + for (String uniqueName : vpcOfferingUniqueNames) { + PreparedStatement pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`vpc_offerings` WHERE unique_name = ?"); + pstmt.setString(1, uniqueName); + + ResultSet rs = pstmt.executeQuery(); + if (!rs.next()) { + continue; + } + + long vpcOfferingId = rs.getLong(1); + rs.close(); + pstmt.close(); + + // Insert into vpc_offering_service_map (if not exists) + pstmt = conn.prepareStatement("INSERT INTO `cloud`.`vpc_offering_service_map` " + + "(vpc_offering_id, service, provider, created) " + + "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())"); + pstmt.setLong(1, vpcOfferingId); + pstmt.executeUpdate(); + pstmt.close(); + + // Update existing VPCs + pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`vpcs` WHERE vpc_offering_id = ?"); + pstmt.setLong(1, vpcOfferingId); + + rs = pstmt.executeQuery(); + while (rs.next()) { + long vpcId = rs.getLong(1); + PreparedStatement insertService = conn.prepareStatement("INSERT INTO `cloud`.`vpc_service_map` " + + "(vpc_id, service, provider, created) " + + "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())"); + insertService.setLong(1, vpcId); + insertService.executeUpdate(); + insertService.close(); + } + + rs.close(); + pstmt.close(); + } + + } catch (SQLException e) { + 
logger.warn("Exception while updating VPC offerings with Firewall service: " + e.getMessage(), e); + } + } } diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java index 29b1f693a85f..92f6d4df077d 100644 --- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java +++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java @@ -2713,8 +2713,8 @@ private void createNetworkOfferingForKubernetes(String offeringName, String offe defaultKubernetesServiceNetworkOfferingProviders.put(Service.UserData, provider); if (forVpc) { defaultKubernetesServiceNetworkOfferingProviders.put(Service.NetworkACL, forNsx ? Network.Provider.Nsx : provider); + defaultKubernetesServiceNetworkOfferingProviders.put(Service.Firewall, Network.Provider.VPCVirtualRouter); } - defaultKubernetesServiceNetworkOfferingProviders.put(Service.Firewall, forNsx ? Network.Provider.Nsx : provider); defaultKubernetesServiceNetworkOfferingProviders.put(Service.Lb, forNsx ? Network.Provider.Nsx : provider); defaultKubernetesServiceNetworkOfferingProviders.put(Service.SourceNat, forNsx ? Network.Provider.Nsx : provider); defaultKubernetesServiceNetworkOfferingProviders.put(Service.StaticNat, forNsx ? Network.Provider.Nsx : provider); diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java index 60b93d409aab..41c5ddf53217 100644 --- a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java +++ b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java 
@@ -329,7 +329,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis private final ScheduledExecutorService _executor = Executors.newScheduledThreadPool(1, new NamedThreadFactory("VpcChecker")); private List vpcElements = null; - private final List nonSupportedServices = Arrays.asList(Service.SecurityGroup, Service.Firewall); + private final List nonSupportedServices = Arrays.asList(Service.SecurityGroup); private final List supportedProviders = Arrays.asList(Provider.VPCVirtualRouter, Provider.NiciraNvp, Provider.InternalLbVm, Provider.Netscaler, Provider.JuniperContrailVpcRouter, Provider.Ovs, Provider.BigSwitchBcf, Provider.ConfigDrive, Provider.Nsx, Provider.Netris); From d4450b4e88f5a8407cffb0a75c6a179686b227a6 Mon Sep 17 00:00:00 2001 From: Harikrishna Patnala Date: Thu, 26 Feb 2026 11:51:57 +0530 Subject: [PATCH 3/7] Fix default offerings --- .../upgrade/dao/Upgrade42210to42300.java | 45 ++++++++++--------- .../cloud/server/ConfigurationServerImpl.java | 4 +- 2 files changed, 26 insertions(+), 23 deletions(-) diff --git a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java index 5c530519d46c..e8f17fe52e11 100644 --- a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java +++ b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java @@ -24,6 +24,8 @@ import java.util.Arrays; import java.util.List; +import com.cloud.network.vpc.VpcOffering; +import com.cloud.offering.NetworkOffering; import com.cloud.utils.exception.CloudRuntimeException; public class Upgrade42210to42300 extends DbUpgradeAbstractImpl implements DbUpgrade, DbUpgradeSystemVmTemplate { 
@@ -59,15 +61,14 @@ private void updateNetworkDefaultOfferingsForVPCWithFirewallService(Connection c logger.debug("Updating default Network offerings for VPC to add Firewall service with VpcVirtualRouter provider"); final List defaultVpcOfferingUniqueNames = Arrays.asList( - "DefaultIsolatedNetworkOfferingForVpcNetworks", - "DefaultIsolatedNetworkOfferingForVpcNetworksNoLB", - "DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB", - "DefaultNATNSXNetworkOfferingForVpc", - "DefaultRoutedNSXNetworkOfferingForVpc", - "DefaultNATNSXNetworkOfferingForVpcWithInternalLB", - "DefaultRoutedNetrisNetworkOfferingForVpc", - "DefaultNATNetrisNetworkOfferingForVpc", - "DefaultNSXVPCNetworkOfferingforKubernetesService" + NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworks, + NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworksNoLB, + NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB, + NetworkOffering.DEFAULT_NAT_NSX_OFFERING_FOR_VPC, + NetworkOffering.DEFAULT_ROUTED_NSX_OFFERING_FOR_VPC, + NetworkOffering.DEFAULT_NAT_NSX_OFFERING_FOR_VPC_WITH_ILB, + NetworkOffering.DEFAULT_ROUTED_NETRIS_OFFERING_FOR_VPC, + NetworkOffering.DEFAULT_NAT_NETRIS_OFFERING_FOR_VPC ); try { @@ -84,8 +85,8 @@ private void updateNetworkDefaultOfferingsForVPCWithFirewallService(Connection c rs.close(); pstmt.close(); - // Insert into ntwk_offering_service_map (if not exists) - pstmt = conn.prepareStatement("INSERT INTO `cloud`.`ntwk_offering_service_map` " + + // Insert into ntwk_offering_service_map + pstmt = conn.prepareStatement("INSERT IGNORE INTO `cloud`.`ntwk_offering_service_map` " + "(network_offering_id, service, provider, created) " + "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())"); pstmt.setLong(1, offeringId); 
@@ -99,7 +100,7 @@ private void updateNetworkDefaultOfferingsForVPCWithFirewallService(Connection c rs = pstmt.executeQuery(); while (rs.next()) { long networkId = rs.getLong(1); - PreparedStatement insertService = conn.prepareStatement("INSERT INTO `cloud`.`ntwk_service_map` " + + PreparedStatement insertService = conn.prepareStatement("INSERT INGORE INTO `cloud`.`ntwk_service_map` " + "(network_id, service, provider, created) " + "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())"); insertService.setLong(1, networkId); @@ -120,13 +121,13 @@ private void updateVpcOfferingsWithFirewallService(Connection conn) { logger.debug("Updating default VPC offerings to add Firewall service with VpcVirtualRouter provider"); final List vpcOfferingUniqueNames = Arrays.asList( - "Default VPC offering", - "Default VPC offering with Netscaler", - "Redundant VPC offering", - "VPC offering with NSX - NAT Mode", - "VPC offering with NSX - Route Mode", - "VPC offering with Netris - Route Mode", - "VPC offering with Netris - NAT Mode" + VpcOffering.defaultVPCOfferingName, + VpcOffering.defaultVPCNSOfferingName, + VpcOffering.redundantVPCOfferingName, + VpcOffering.DEFAULT_VPC_NAT_NSX_OFFERING_NAME, + VpcOffering.DEFAULT_VPC_ROUTE_NSX_OFFERING_NAME, + VpcOffering.DEFAULT_VPC_ROUTE_NETRIS_OFFERING_NAME, + VpcOffering.DEFAULT_VPC_NAT_NETRIS_OFFERING_NAME ); try { @@ -143,8 +144,8 @@ private void updateVpcOfferingsWithFirewallService(Connection conn) { rs.close(); pstmt.close(); - // Insert into vpc_offering_service_map (if not exists) - pstmt = conn.prepareStatement("INSERT INTO `cloud`.`vpc_offering_service_map` " + + // Insert into vpc_offering_service_map + pstmt = conn.prepareStatement("INSERT IGNORE INTO `cloud`.`vpc_offering_service_map` " + "(vpc_offering_id, service, provider, created) " + "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())"); pstmt.setLong(1, vpcOfferingId); 
@@ -158,7 +159,7 @@ private void updateVpcOfferingsWithFirewallService(Connection conn) { rs = pstmt.executeQuery(); while (rs.next()) { long vpcId = rs.getLong(1); - PreparedStatement insertService = conn.prepareStatement("INSERT INTO `cloud`.`vpc_service_map` " + + PreparedStatement insertService = conn.prepareStatement("INSERT IGNORE INTO `cloud`.`vpc_service_map` " + "(vpc_id, service, provider, created) " + "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())"); insertService.setLong(1, vpcId); diff --git a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java index 8f10dd84b54d..dbd4b5dd390d 100644 --- a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java +++ b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java @@ -1134,6 +1134,7 @@ public void doInTransactionWithoutResult(TransactionStatus status) { defaultVpcNetworkOfferingProviders.put(Service.StaticNat, Provider.VPCVirtualRouter); defaultVpcNetworkOfferingProviders.put(Service.PortForwarding, Provider.VPCVirtualRouter); defaultVpcNetworkOfferingProviders.put(Service.Vpn, Provider.VPCVirtualRouter); + defaultVpcNetworkOfferingProviders.put(Service.Firewall, Provider.VPCVirtualRouter); for (Map.Entry entry : defaultVpcNetworkOfferingProviders.entrySet()) { NetworkOfferingServiceMapVO offService = @@ -1161,6 +1162,7 @@ public void doInTransactionWithoutResult(TransactionStatus status) { defaultVpcNetworkOfferingProvidersNoLB.put(Service.StaticNat, Provider.VPCVirtualRouter); defaultVpcNetworkOfferingProvidersNoLB.put(Service.PortForwarding, Provider.VPCVirtualRouter); defaultVpcNetworkOfferingProvidersNoLB.put(Service.Vpn, Provider.VPCVirtualRouter); + defaultVpcNetworkOfferingProvidersNoLB.put(Service.Firewall, Provider.VPCVirtualRouter); for (Map.Entry entry : defaultVpcNetworkOfferingProvidersNoLB.entrySet()) { NetworkOfferingServiceMapVO offService = 
@@ -1186,6 +1188,7 @@ public void doInTransactionWithoutResult(TransactionStatus status) { internalLbOffProviders.put(Service.Gateway, Provider.VPCVirtualRouter); internalLbOffProviders.put(Service.Lb, Provider.InternalLbVm); internalLbOffProviders.put(Service.SourceNat, Provider.VPCVirtualRouter); + internalLbOffProviders.put(Service.Firewall, Provider.VPCVirtualRouter); for (Service service : internalLbOffProviders.keySet()) { NetworkOfferingServiceMapVO offService = new NetworkOfferingServiceMapVO(internalLbOff.getId(), service, internalLbOffProviders.get(service)); @@ -1256,7 +1259,6 @@ private Map getServicesAndProvidersForProviderNetwork(Network serviceProviderMap.put(Service.UserData, routerProvider); if (forVpc) { serviceProviderMap.put(Service.NetworkACL, provider); - } else { serviceProviderMap.put(Service.Firewall, provider); } if (networkMode == NetworkOffering.NetworkMode.NATTED) { From 8b950b2d93241faabfccae02d452035206b1149a Mon Sep 17 00:00:00 2001 From: Harikrishna Patnala Date: Thu, 26 Feb 2026 11:56:57 +0530 Subject: [PATCH 4/7] few more fixes --- .../cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java | 2 +- .../org/apache/cloudstack/network/RoutedIpv4ManagerImpl.java | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java index 92f6d4df077d..83f529a407a6 100644 --- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java +++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java 
@@ -2713,8 +2713,8 @@ private void createNetworkOfferingForKubernetes(String offeringName, String offe defaultKubernetesServiceNetworkOfferingProviders.put(Service.UserData, provider); if (forVpc) { defaultKubernetesServiceNetworkOfferingProviders.put(Service.NetworkACL, forNsx ? Network.Provider.Nsx : provider); - defaultKubernetesServiceNetworkOfferingProviders.put(Service.Firewall, Network.Provider.VPCVirtualRouter); } + defaultKubernetesServiceNetworkOfferingProviders.put(Service.Firewall, Network.Provider.VPCVirtualRouter); defaultKubernetesServiceNetworkOfferingProviders.put(Service.Lb, forNsx ? Network.Provider.Nsx : provider); defaultKubernetesServiceNetworkOfferingProviders.put(Service.SourceNat, forNsx ? Network.Provider.Nsx : provider); defaultKubernetesServiceNetworkOfferingProviders.put(Service.StaticNat, forNsx ? Network.Provider.Nsx : provider); diff --git a/server/src/main/java/org/apache/cloudstack/network/RoutedIpv4ManagerImpl.java b/server/src/main/java/org/apache/cloudstack/network/RoutedIpv4ManagerImpl.java index b5584cf03fa5..063469d05b29 100644 --- a/server/src/main/java/org/apache/cloudstack/network/RoutedIpv4ManagerImpl.java +++ b/server/src/main/java/org/apache/cloudstack/network/RoutedIpv4ManagerImpl.java @@ -995,8 +995,7 @@ public boolean isVirtualRouterGateway(Network network) { @Override public boolean isVirtualRouterGateway(NetworkOffering networkOffering) { return NetworkOffering.NetworkMode.ROUTED.equals(networkOffering.getNetworkMode()) - && networkOfferingServiceMapDao.canProviderSupportServiceInNetworkOffering(networkOffering.getId(), Service.Gateway, Provider.VirtualRouter) - || networkOfferingServiceMapDao.canProviderSupportServiceInNetworkOffering(networkOffering.getId(), Service.Gateway, Provider.VPCVirtualRouter); + && networkOfferingServiceMapDao.canProviderSupportServiceInNetworkOffering(networkOffering.getId(), Service.Gateway, Provider.VirtualRouter); } @Override 
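Review bot: The new unconditional `put(Service.Firewall, Network.Provider.VPCVirtualRouter)` also runs when `forVpc` is false, so an isolated (non-VPC) Kubernetes network offering now maps Firewall to the VPC router provider instead of the `forNsx ? Network.Provider.Nsx : provider` it used before this series; that presumably either fails offering validation or sends firewall rules to an element that is not present in the network. Keep the VPC line inside the `if` and restore the old mapping in an else branch: `} else { defaultKubernetesServiceNetworkOfferingProviders.put(Service.Firewall, forNsx ? Network.Provider.Nsx : provider); }`. Whether NSX-backed VPCs should use VpcVirtualRouter rather than Nsx for Firewall is not decidable from here, but it is at least consistent with the migration in this series. createNetworkOfferingForKubernetes starts before the hunk.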
From 47bbce05c156ce31ed38751b73b547c9313d1ecd Mon Sep 17 00:00:00 2001 From: Harikrishna Patnala Date: Thu, 26 Feb 2026 12:19:20 +0530 Subject: [PATCH 5/7] some improvements --- .../upgrade/dao/Upgrade42210to42300.java | 143 +++++++++--------- .../cloud/server/ConfigurationServerImpl.java | 2 +- 2 files changed, 71 insertions(+), 74 deletions(-) diff --git a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java index e8f17fe52e11..b6d4ea3154f4 100644 --- a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java +++ b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java 
@@ -73,47 +73,44 @@ private void updateNetworkDefaultOfferingsForVPCWithFirewallService(Connection c try { for (String uniqueName : defaultVpcOfferingUniqueNames) { - PreparedStatement pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`network_offerings` WHERE unique_name = ?"); - pstmt.setString(1, uniqueName); - - ResultSet rs = pstmt.executeQuery(); - if (!rs.next()) { - continue; - } - - long offeringId = rs.getLong(1); - rs.close(); - pstmt.close(); - - // Insert into ntwk_offering_service_map - pstmt = conn.prepareStatement("INSERT IGNORE INTO `cloud`.`ntwk_offering_service_map` " + - "(network_offering_id, service, provider, created) " + - "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())"); - pstmt.setLong(1, offeringId); - pstmt.executeUpdate(); - pstmt.close(); - - // Update existing networks (ntwk_service_map) - pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`networks` WHERE network_offering_id = ?"); - pstmt.setLong(1, offeringId); - - rs = pstmt.executeQuery(); - while (rs.next()) { - long networkId = rs.getLong(1); - PreparedStatement insertService = conn.prepareStatement("INSERT INGORE INTO `cloud`.`ntwk_service_map` " + - "(network_id, service, provider, created) " + - "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())"); - insertService.setLong(1, networkId); - insertService.executeUpdate(); - insertService.close(); + try (PreparedStatement pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`network_offerings` WHERE unique_name = ?")) { + pstmt.setString(1, uniqueName); + try (ResultSet rs = pstmt.executeQuery()) { + if (!rs.next()) { + continue; + } + long offeringId = rs.getLong(1); + // Insert into ntwk_offering_service_map + try (PreparedStatement insertOfferingPstmt = conn.prepareStatement( + "INSERT IGNORE INTO `cloud`.`ntwk_offering_service_map` " + + "(network_offering_id, service, provider, created) " + + "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())")) { + insertOfferingPstmt.setLong(1, offeringId); + 
insertOfferingPstmt.executeUpdate(); + } + // Update existing networks (ntwk_service_map) + try (PreparedStatement selectNetworksPstmt = conn.prepareStatement( + "SELECT id FROM `cloud`.`networks` WHERE network_offering_id = ?")) { + selectNetworksPstmt.setLong(1, offeringId); + try (ResultSet networksRs = selectNetworksPstmt.executeQuery()) { + while (networksRs.next()) { + long networkId = networksRs.getLong(1); + try (PreparedStatement insertService = conn.prepareStatement( + "INSERT INGORE INTO `cloud`.`ntwk_service_map` " + + "(network_id, service, provider, created) " + + "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())")) { + insertService.setLong(1, networkId); + insertService.executeUpdate(); + } + } + } + } + } } - - rs.close(); - pstmt.close(); } } catch (SQLException e) { - logger.warn("Exception while updating VPC default offerings with Firewall service: " + e.getMessage(), e); + throw new CloudRuntimeException("Exception while updating VPC default offerings with Firewall service: " + e.getMessage(), e); } } 
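Review bot: `INSERT INGORE INTO \`cloud\`.\`ntwk_service_map\`` is a typo for `INSERT IGNORE` (introduced in patch 3 and still here); MySQL rejects it with a syntax error, and since the catch now rethrows CloudRuntimeException the upgrade aborts on any installation that has at least one network on the listed offerings. Fix the keyword, and consider hoisting the two INSERT IGNORE statements into `private static final String` constants so the spelling is written once. The outer `rs` ResultSet stays open while the inserts execute on the same connection, which is fine with Connector/J's default buffered result sets but deserves a short comment. updateNetworkDefaultOfferingsForVPCWithFirewallService starts before the hunk.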
@@ -132,47 +129,47 @@ private void updateVpcOfferingsWithFirewallService(Connection conn) {
 try {
 for (String uniqueName : vpcOfferingUniqueNames) {
- PreparedStatement pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`vpc_offerings` WHERE unique_name = ?");
- pstmt.setString(1, uniqueName);
- ResultSet rs = pstmt.executeQuery();
- if (!rs.next()) {
- continue;
+ try (PreparedStatement pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`vpc_offerings` WHERE unique_name = ?")) {
+ pstmt.setString(1, uniqueName);
+ try (ResultSet rs = pstmt.executeQuery()) {
+ if (!rs.next()) {
+ continue;
+ }
+
+ long vpcOfferingId = rs.getLong(1);
+ // Insert into vpc_offering_service_map
+ try (PreparedStatement insertOfferingPstmt = conn.prepareStatement(
+ "INSERT IGNORE INTO `cloud`.`vpc_offering_service_map` " +
+ "(vpc_offering_id, service, provider, created) " +
+ "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())")) {
+
+ insertOfferingPstmt.setLong(1, vpcOfferingId);
+ insertOfferingPstmt.executeUpdate();
+ }
+
+ // Update existing VPCs (vpc_service_map)
+ try (PreparedStatement selectVpcsPstmt = conn.prepareStatement("SELECT id FROM `cloud`.`vpcs` WHERE vpc_offering_id = ?")) {
+ selectVpcsPstmt.setLong(1, vpcOfferingId);
+ try (ResultSet vpcsRs = selectVpcsPstmt.executeQuery()) {
+ while (vpcsRs.next()) {
+ long vpcId = vpcsRs.getLong(1);
+ try (PreparedStatement insertService = conn.prepareStatement(
+ "INSERT IGNORE INTO `cloud`.`vpc_service_map` " +
+ "(vpc_id, service, provider, created) " +
+ "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())")) {
+ insertService.setLong(1, vpcId);
+ insertService.executeUpdate();
+ }
+ }
+ }
+ }
+ }
 }
-
- long vpcOfferingId = rs.getLong(1);
- rs.close();
- pstmt.close();
-
- // Insert into vpc_offering_service_map
- pstmt = conn.prepareStatement("INSERT IGNORE INTO `cloud`.`vpc_offering_service_map` " +
- "(vpc_offering_id, service, provider, created) " +
- "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())");
- pstmt.setLong(1, vpcOfferingId);
- pstmt.executeUpdate();
- pstmt.close();
-
- // Update existing VPCs
- pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`vpcs` WHERE vpc_offering_id = ?");
- pstmt.setLong(1, vpcOfferingId);
-
- rs = pstmt.executeQuery();
- while (rs.next()) {
- long vpcId = rs.getLong(1);
- PreparedStatement insertService = conn.prepareStatement("INSERT IGNORE INTO `cloud`.`vpc_service_map` " +
- "(vpc_id, service, provider, created) " +
- "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())");
- insertService.setLong(1, vpcId);
- insertService.executeUpdate();
- insertService.close();
- }
-
- rs.close();
- pstmt.close();
 }
 } catch (SQLException e) {
- logger.warn("Exception while updating VPC offerings with Firewall service: " + e.getMessage(), e);
+ throw new CloudRuntimeException("Exception while updating VPC offerings with Firewall service: " + e.getMessage(), e);
 }
 }
 }
diff --git a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
index dbd4b5dd390d..b2b78a57e2ff 100644
--- a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
@@ -1259,8 +1259,8 @@ private Map getServicesAndProvidersForProviderNetwork(Network
 serviceProviderMap.put(Service.UserData, routerProvider);
 if (forVpc) {
 serviceProviderMap.put(Service.NetworkACL, provider);
- serviceProviderMap.put(Service.Firewall, provider);
 }
+ serviceProviderMap.put(Service.Firewall, provider);
 if (networkMode == NetworkOffering.NetworkMode.NATTED) {
 serviceProviderMap.put(Service.SourceNat, provider);
 serviceProviderMap.put(Service.StaticNat, provider);
From 0a6468a3927fedba1b819adc362da563eb4daab6 Mon Sep 17 00:00:00 2001
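Review bot: Inside `while (vpcsRs.next())` the identical INSERT into vpc_service_map is prepared anew for every VPC row; preparing `insertService` once, next to `selectVpcsPstmt` in the same try-with-resources, and only binding and executing per row saves a prepare round trip per VPC and reads more directly (sketch below). The network loop in the preceding hunk has the same shape. Separately, `e` is already attached as the cause, so appending `e.getMessage()` to the CloudRuntimeException text only repeats it in the log and stack trace; `throw new CloudRuntimeException("Exception while updating VPC offerings with Firewall service", e);` is enough, and the same applies to the previous hunk.
```java
// … unchanged: offering lookup and vpc_offering_service_map insert …
try (PreparedStatement selectVpcsPstmt = conn.prepareStatement("SELECT id FROM `cloud`.`vpcs` WHERE vpc_offering_id = ?");
     PreparedStatement insertService = conn.prepareStatement(
             "INSERT IGNORE INTO `cloud`.`vpc_service_map` " +
             "(vpc_id, service, provider, created) " +
             "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())")) {
    selectVpcsPstmt.setLong(1, vpcOfferingId);
    try (ResultSet vpcsRs = selectVpcsPstmt.executeQuery()) {
        while (vpcsRs.next()) {
            insertService.setLong(1, vpcsRs.getLong(1));
            insertService.executeUpdate();
        }
    }
}
```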
From: Harikrishna Patnala
Date: Thu, 26 Feb 2026 14:10:32 +0530
Subject: [PATCH 6/7] Default service addition in vpcmanager
---
 server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
index 41c5ddf53217..cd8c6afbfca2 100644
--- a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
@@ -1973,6 +1973,7 @@ protected List getSupportedServices() {
 services.add(Network.Service.StaticNat);
 services.add(Network.Service.Gateway);
 services.add(Network.Service.Vpn);
+ services.add(Service.Firewall);
 return services;
 }
From f1f0cd0d139334f3a123bbf2473485be44578e5d Mon Sep 17 00:00:00 2001
From: Harikrishna Patnala
Date: Thu, 26 Feb 2026 14:38:25 +0530
Subject: [PATCH 7/7] Fix vpc provider on service in the offering
---
 .../java/com/cloud/upgrade/DatabaseUpgradeChecker.java | 10 ++++++++--
 .../java/com/cloud/network/vpc/VpcManagerImpl.java | 8 ++++----
 .../java/com/cloud/server/ConfigurationServerImpl.java | 2 +-
 3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/engine/schema/src/main/java/com/cloud/upgrade/DatabaseUpgradeChecker.java b/engine/schema/src/main/java/com/cloud/upgrade/DatabaseUpgradeChecker.java
index 0e784d961b3d..21b94b9b7a16 100644
--- a/engine/schema/src/main/java/com/cloud/upgrade/DatabaseUpgradeChecker.java
+++ b/engine/schema/src/main/java/com/cloud/upgrade/DatabaseUpgradeChecker.java
@@ -327,7 +327,10 @@ protected void executeProcedureScripts() {
 Connection conn = txn.getConnection();
 for (String filePath : filesPathUnderViewsDirectory) {
- LOGGER.debug("Executing PROCEDURE script [{}].", filePath);
+ LOGGER.debug(String.format("Executing PROCEDURE script [%s].", filePath));
+ if (filePath.startsWith("/")) {
+ filePath = filePath.substring(1);
+ }
 InputStream viewScript = Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);
 runScript(conn, viewScript);
@@ -439,7 +442,10 @@ protected void executeViewScripts() {
 Connection conn = txn.getConnection();
 for (String filePath : filesPathUnderViewsDirectory) {
- LOGGER.debug("Executing VIEW script [{}].", filePath);
+ LOGGER.debug(String.format("Executing VIEW script [%s].", filePath));
+ if (filePath.startsWith("/")) {
+ filePath = filePath.substring(1);
+ }
 InputStream viewScript = Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);
 runScript(conn, viewScript);
diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
index cd8c6afbfca2..e28e488fd1e0 100644
--- a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
@@ -438,7 +438,7 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
 final Map> svcProviderMap = new HashMap>();
 final Set defaultProviders = Set.of(Provider.Nsx);
 for (final Service svc : getSupportedServices()) {
- if (List.of(Service.UserData, Service.Dhcp, Service.Dns).contains(svc)) {
+ if (List.of(Service.UserData, Service.Dhcp, Service.Dns, Service.Firewall).contains(svc)) {
 final Set userDataProvider = Set.of(Provider.VPCVirtualRouter);
 svcProviderMap.put(svc, userDataProvider);
 } else {
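Review bot: `LOGGER.debug(String.format("Executing PROCEDURE script [%s].", filePath))` replaces the `{}` placeholder form of the removed line with an eager String.format that runs even when debug logging is off; keep `LOGGER.debug("Executing PROCEDURE script [{}].", filePath);` and let the leading-slash strip be the only change here. Reassigning the for-each variable hides that strip — `final String resource = filePath.startsWith("/") ? filePath.substring(1) : filePath;` passed to `getResourceAsStream` is clearer, together with a comment such as `// ClassLoader resource names are absolute; a leading '/' makes the lookup return null` recording why it is needed, since the commit message does not say (that behaviour is the presumed motivation). `getResourceAsStream` returns null for a name not on the classpath and `runScript` is outside the hunk, so what happens on a missing script is not visible; a null check that names the resource in its failure message would make a bad path fail loudly instead of somewhere downstream. The `@@ -439` hunk in `executeViewScripts` needs the same treatment; both loop bodies continue past the hunk.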
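Review bot: With `Service.Firewall` in the list, Firewall on this Nsx-backed VPC offering is mapped to `Provider.VPCVirtualRouter` while the remaining services presumably fall through to `defaultProviders` (Nsx) in the `else` branch past the hunk; whether the virtual router actually sits in the public-IP data path of an Nsx VPC is not visible here, and an offering that advertises a Firewall that nothing enforces would be a silent gap, so this deserves confirming for the `@@ -456` (Nsx) and `@@ -492` (Netris) variants as well. The `List.of(...)` is rebuilt on every loop iteration and the set it feeds is still named `userDataProvider`, which no longer describes what it holds; a class-level `private static final List<Service> VR_PROVIDED_SERVICES = List.of(Service.UserData, Service.Dhcp, Service.Dns, Service.Firewall);` and a local name such as `vrProvider` would read better (the Netris variant would also carry `Service.Vpn`). The enclosing doInTransactionWithoutResult bodies continue outside the hunks.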
@@ -456,7 +456,7 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
 final Map> svcProviderMap = new HashMap<>();
 final Set defaultProviders = Set.of(Provider.Nsx);
 for (final Service svc : getSupportedServices()) {
- if (List.of(Service.UserData, Service.Dhcp, Service.Dns).contains(svc)) {
+ if (List.of(Service.UserData, Service.Dhcp, Service.Dns, Service.Firewall).contains(svc)) {
 final Set userDataProvider = Set.of(Provider.VPCVirtualRouter);
 svcProviderMap.put(svc, userDataProvider);
 } else if (List.of(Service.SourceNat, Service.NetworkACL).contains(svc)){
@@ -492,7 +492,7 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
 final Map> svcProviderMap = new HashMap<>();
 final Set defaultProviders = Set.of(Provider.Netris);
 for (final Service svc : getSupportedServices()) {
- if (List.of(Service.UserData, Service.Dhcp, Service.Dns, Service.Vpn).contains(svc)) {
+ if (List.of(Service.UserData, Service.Dhcp, Service.Dns, Service.Vpn, Service.Firewall).contains(svc)) {
 final Set userDataProvider = Set.of(Provider.VPCVirtualRouter);
 svcProviderMap.put(svc, userDataProvider);
 } else {
@@ -1973,7 +1973,7 @@ protected List getSupportedServices() {
 services.add(Network.Service.StaticNat);
 services.add(Network.Service.Gateway);
 services.add(Network.Service.Vpn);
- services.add(Service.Firewall);
+ services.add(Network.Service.Firewall);
 return services;
 }
diff --git a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
index b2b78a57e2ff..205dcb7cf512 100644
--- a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
@@ -1260,7 +1260,7 @@ private Map getServicesAndProvidersForProviderNetwork(Network
 if (forVpc) {
 serviceProviderMap.put(Service.NetworkACL, provider);
 }
- serviceProviderMap.put(Service.Firewall, provider);
+ serviceProviderMap.put(Service.Firewall, routerProvider);
 if (networkMode == NetworkOffering.NetworkMode.NATTED) {
 serviceProviderMap.put(Service.SourceNat, provider);
 serviceProviderMap.put(Service.StaticNat, provider);
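Review bot: `serviceProviderMap.put(Service.Firewall, routerProvider)` now applies to non-VPC networks as well, a change this series introduced at `@@ -1259` in the first patch and which the line does not explain — before it, the non-VPC path registered no Firewall provider at all, and a network whose NAT comes from the external `provider` will now advertise a router-provided Firewall beside it. A comment above the line such as `// Firewall on public IPs is always implemented by the virtual router, even when NAT/ACL come from the external provider` would record the intent, and it is worth confirming that the non-VPC path was meant to change rather than only the VPC one named in the subject. getServicesAndProvidersForProviderNetwork continues outside the hunk.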