Support Firewall for public IPs in VPC

engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java

@@ -556,6 +556,7 @@ public boolean configure(final String name, final Map<String, Object> params) th
         defaultVPCOffProviders.put(Service.StaticNat, defaultProviders);
         defaultVPCOffProviders.put(Service.PortForwarding, defaultProviders);
         defaultVPCOffProviders.put(Service.Vpn, defaultProviders);
+        defaultVPCOffProviders.put(Service.Firewall, defaultProviders);
 
         Transaction.execute(new TransactionCallbackNoReturn() {
             @Override

engine/schema/src/main/java/com/cloud/upgrade/DatabaseUpgradeChecker.java

@@ -327,7 +327,10 @@ protected void executeProcedureScripts() {
             Connection conn = txn.getConnection();
 
             for (String filePath : filesPathUnderViewsDirectory) {
-                LOGGER.debug("Executing PROCEDURE script [{}].", filePath);
+                LOGGER.debug(String.format("Executing PROCEDURE script [%s].", filePath));
+                if (filePath.startsWith("/")) {
+                    filePath = filePath.substring(1);
+                }
 
                 InputStream viewScript = Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);
                 runScript(conn, viewScript);
@@ -439,7 +442,10 @@ protected void executeViewScripts() {
             Connection conn = txn.getConnection();
 
             for (String filePath : filesPathUnderViewsDirectory) {
-                LOGGER.debug("Executing VIEW script [{}].", filePath);
+                LOGGER.debug(String.format("Executing VIEW script [%s].", filePath));
+                if (filePath.startsWith("/")) {
+                    filePath = filePath.substring(1);
+                }
 
                 InputStream viewScript = Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);
                 runScript(conn, viewScript);

engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java

@@ -17,7 +17,15 @@
 package com.cloud.upgrade.dao;
 
 import java.io.InputStream;
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.Arrays;
+import java.util.List;
 
+import com.cloud.network.vpc.VpcOffering;
+import com.cloud.offering.NetworkOffering;
 import com.cloud.utils.exception.CloudRuntimeException;
 
 public class Upgrade42210to42300 extends DbUpgradeAbstractImpl implements DbUpgrade, DbUpgradeSystemVmTemplate {
@@ -42,4 +50,126 @@ public InputStream[] getPrepareScripts() {
 
         return new InputStream[] {script};
     }
+
+    @Override
+    public void performDataMigration(Connection conn) {
+        updateNetworkDefaultOfferingsForVPCWithFirewallService(conn);
+        updateVpcOfferingsWithFirewallService(conn);
+    }
+
+    private void updateNetworkDefaultOfferingsForVPCWithFirewallService(Connection conn) {
+        logger.debug("Updating default Network offerings for VPC to add Firewall service with VpcVirtualRouter provider");
+
+        final List<String> defaultVpcOfferingUniqueNames = Arrays.asList(
+                NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworks,
+                NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworksNoLB,
+                NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB,
+                NetworkOffering.DEFAULT_NAT_NSX_OFFERING_FOR_VPC,
+                NetworkOffering.DEFAULT_ROUTED_NSX_OFFERING_FOR_VPC,
+                NetworkOffering.DEFAULT_NAT_NSX_OFFERING_FOR_VPC_WITH_ILB,
+                NetworkOffering.DEFAULT_ROUTED_NETRIS_OFFERING_FOR_VPC,
+                NetworkOffering.DEFAULT_NAT_NETRIS_OFFERING_FOR_VPC
+        );
+
+        try {
+            for (String uniqueName : defaultVpcOfferingUniqueNames) {
+                try (PreparedStatement pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`network_offerings` WHERE unique_name = ?")) {
+                    pstmt.setString(1, uniqueName);
+                    try (ResultSet rs = pstmt.executeQuery()) {
+                        if (!rs.next()) {
+                            continue;
+                        }
+                        long offeringId = rs.getLong(1);
+                        // Insert into ntwk_offering_service_map
+                        try (PreparedStatement insertOfferingPstmt = conn.prepareStatement(
+                                "INSERT IGNORE INTO `cloud`.`ntwk_offering_service_map` " +
+                                        "(network_offering_id, service, provider, created) " +
+                                        "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())")) {
+                            insertOfferingPstmt.setLong(1, offeringId);
+                            insertOfferingPstmt.executeUpdate();
+                        }
+                        // Update existing networks (ntwk_service_map)
+                        try (PreparedStatement selectNetworksPstmt = conn.prepareStatement(
+                                "SELECT id FROM `cloud`.`networks` WHERE network_offering_id = ?")) {
+                            selectNetworksPstmt.setLong(1, offeringId);
+                            try (ResultSet networksRs = selectNetworksPstmt.executeQuery()) {
+                                while (networksRs.next()) {
+                                    long networkId = networksRs.getLong(1);
+                                    try (PreparedStatement insertService = conn.prepareStatement(
+                                            "INSERT INGORE INTO `cloud`.`ntwk_service_map` " +
+                                                    "(network_id, service, provider, created) " +
+                                                    "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())")) {
+                                        insertService.setLong(1, networkId);
+                                        insertService.executeUpdate();
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+
+        } catch (SQLException e) {
+            throw new CloudRuntimeException("Exception while updating VPC default offerings with Firewall service: " + e.getMessage(), e);
+        }
+    }
+
+    private void updateVpcOfferingsWithFirewallService(Connection conn) {
+        logger.debug("Updating default VPC offerings to add Firewall service with VpcVirtualRouter provider");
+
+        final List<String> vpcOfferingUniqueNames = Arrays.asList(
+                VpcOffering.defaultVPCOfferingName,
+                VpcOffering.defaultVPCNSOfferingName,
+                VpcOffering.redundantVPCOfferingName,
+                VpcOffering.DEFAULT_VPC_NAT_NSX_OFFERING_NAME,
+                VpcOffering.DEFAULT_VPC_ROUTE_NSX_OFFERING_NAME,
+                VpcOffering.DEFAULT_VPC_ROUTE_NETRIS_OFFERING_NAME,
+                VpcOffering.DEFAULT_VPC_NAT_NETRIS_OFFERING_NAME
+        );
+
+        try {
+            for (String uniqueName : vpcOfferingUniqueNames) {
+
+                try (PreparedStatement pstmt = conn.prepareStatement("SELECT id FROM `cloud`.`vpc_offerings` WHERE unique_name = ?")) {
+                    pstmt.setString(1, uniqueName);
+                    try (ResultSet rs = pstmt.executeQuery()) {
+                        if (!rs.next()) {
+                            continue;
+                        }
+
+                        long vpcOfferingId = rs.getLong(1);
+                        // Insert into vpc_offering_service_map
+                        try (PreparedStatement insertOfferingPstmt = conn.prepareStatement(
+                                "INSERT IGNORE INTO `cloud`.`vpc_offering_service_map` " +
+                                        "(vpc_offering_id, service, provider, created) " +
+                                        "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())")) {
+
+                            insertOfferingPstmt.setLong(1, vpcOfferingId);
+                            insertOfferingPstmt.executeUpdate();
+                        }
+
+                        // Update existing VPCs (vpc_service_map)
+                        try (PreparedStatement selectVpcsPstmt = conn.prepareStatement("SELECT id FROM `cloud`.`vpcs` WHERE vpc_offering_id = ?")) {
+                            selectVpcsPstmt.setLong(1, vpcOfferingId);
+                            try (ResultSet vpcsRs = selectVpcsPstmt.executeQuery()) {
+                                while (vpcsRs.next()) {
+                                    long vpcId = vpcsRs.getLong(1);
+                                    try (PreparedStatement insertService = conn.prepareStatement(
+                                            "INSERT IGNORE INTO `cloud`.`vpc_service_map` " +
+                                                    "(vpc_id, service, provider, created) " +
+                                                    "VALUES (?, 'Firewall', 'VpcVirtualRouter', now())")) {
+                                        insertService.setLong(1, vpcId);
+                                        insertService.executeUpdate();
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+
+        } catch (SQLException e) {
+            throw new CloudRuntimeException("Exception while updating VPC offerings with Firewall service: " + e.getMessage(), e);
+        }
+    }
 }

plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java

@@ -2713,9 +2713,8 @@ private void createNetworkOfferingForKubernetes(String offeringName, String offe
         defaultKubernetesServiceNetworkOfferingProviders.put(Service.UserData, provider);
         if (forVpc) {
             defaultKubernetesServiceNetworkOfferingProviders.put(Service.NetworkACL, forNsx ? Network.Provider.Nsx : provider);
-        } else {
-            defaultKubernetesServiceNetworkOfferingProviders.put(Service.Firewall, forNsx ? Network.Provider.Nsx : provider);
         }
+        defaultKubernetesServiceNetworkOfferingProviders.put(Service.Firewall, Network.Provider.VPCVirtualRouter);
         defaultKubernetesServiceNetworkOfferingProviders.put(Service.Lb, forNsx ? Network.Provider.Nsx : provider);
         defaultKubernetesServiceNetworkOfferingProviders.put(Service.SourceNat, forNsx ? Network.Provider.Nsx : provider);
         defaultKubernetesServiceNetworkOfferingProviders.put(Service.StaticNat, forNsx ? Network.Provider.Nsx : provider);

server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java

@@ -6727,7 +6727,7 @@ public NetworkOffering createNetworkOffering(final CreateNetworkOfferingCmd cmd)
             }
 
             if (forVpc == null) {
-                if (service == Service.SecurityGroup || service == Service.Firewall) {
+                if (service == Service.SecurityGroup) {
                     forVpc = false;
                 } else if (service == Service.NetworkACL) {
                     forVpc = true;

server/src/main/java/com/cloud/network/element/VpcVirtualRouterElement.java

@@ -412,10 +412,6 @@ private static Map<Service, Map<Capability, String>> setCapabilities() {
         vpnCapabilities.putAll(capabilities.get(Service.Vpn));
         vpnCapabilities.put(Capability.VpnTypes, "s2svpn");
         capabilities.put(Service.Vpn, vpnCapabilities);
-
-        // remove firewall capability
-        capabilities.remove(Service.Firewall);
-
         // add network ACL capability
         final Map<Capability, String> networkACLCapabilities = new HashMap<Capability, String>();
         networkACLCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp");

server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java

@@ -329,7 +329,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
 
     private final ScheduledExecutorService _executor = Executors.newScheduledThreadPool(1, new NamedThreadFactory("VpcChecker"));
     private List<VpcProvider> vpcElements = null;
-    private final List<Service> nonSupportedServices = Arrays.asList(Service.SecurityGroup, Service.Firewall);
+    private final List<Service> nonSupportedServices = Arrays.asList(Service.SecurityGroup);
     private final List<Provider> supportedProviders = Arrays.asList(Provider.VPCVirtualRouter, Provider.NiciraNvp, Provider.InternalLbVm, Provider.Netscaler,
             Provider.JuniperContrailVpcRouter, Provider.Ovs, Provider.BigSwitchBcf, Provider.ConfigDrive, Provider.Nsx, Provider.Netris);
 
@@ -438,7 +438,7 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
                     final Map<Service, Set<Provider>> svcProviderMap = new HashMap<Service, Set<Provider>>();
                     final Set<Provider> defaultProviders = Set.of(Provider.Nsx);
                     for (final Service svc : getSupportedServices()) {
-                        if (List.of(Service.UserData, Service.Dhcp, Service.Dns).contains(svc)) {
+                        if (List.of(Service.UserData, Service.Dhcp, Service.Dns, Service.Firewall).contains(svc)) {
                             final Set<Provider> userDataProvider = Set.of(Provider.VPCVirtualRouter);
                             svcProviderMap.put(svc, userDataProvider);
                         } else {
@@ -456,7 +456,7 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
                     final Map<Service, Set<Provider>> svcProviderMap = new HashMap<>();
                     final Set<Provider> defaultProviders = Set.of(Provider.Nsx);
                     for (final Service svc : getSupportedServices()) {
-                        if (List.of(Service.UserData, Service.Dhcp, Service.Dns).contains(svc)) {
+                        if (List.of(Service.UserData, Service.Dhcp, Service.Dns, Service.Firewall).contains(svc)) {
                             final Set<Provider> userDataProvider = Set.of(Provider.VPCVirtualRouter);
                             svcProviderMap.put(svc, userDataProvider);
                         } else if (List.of(Service.SourceNat, Service.NetworkACL).contains(svc)){
@@ -492,7 +492,7 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
                     final Map<Service, Set<Provider>> svcProviderMap = new HashMap<>();
                     final Set<Provider> defaultProviders = Set.of(Provider.Netris);
                     for (final Service svc : getSupportedServices()) {
-                        if (List.of(Service.UserData, Service.Dhcp, Service.Dns, Service.Vpn).contains(svc)) {
+                        if (List.of(Service.UserData, Service.Dhcp, Service.Dns, Service.Vpn, Service.Firewall).contains(svc)) {
                             final Set<Provider> userDataProvider = Set.of(Provider.VPCVirtualRouter);
                             svcProviderMap.put(svc, userDataProvider);
                         } else {
@@ -1973,6 +1973,7 @@ protected List<Service> getSupportedServices() {
         services.add(Network.Service.StaticNat);
         services.add(Network.Service.Gateway);
         services.add(Network.Service.Vpn);
+        services.add(Network.Service.Firewall);
         return services;
     }
 

server/src/main/java/com/cloud/server/ConfigurationServerImpl.java

@@ -1134,6 +1134,7 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                 defaultVpcNetworkOfferingProviders.put(Service.StaticNat, Provider.VPCVirtualRouter);
                 defaultVpcNetworkOfferingProviders.put(Service.PortForwarding, Provider.VPCVirtualRouter);
                 defaultVpcNetworkOfferingProviders.put(Service.Vpn, Provider.VPCVirtualRouter);
+                defaultVpcNetworkOfferingProviders.put(Service.Firewall, Provider.VPCVirtualRouter);
 
                 for (Map.Entry<Service,Provider> entry : defaultVpcNetworkOfferingProviders.entrySet()) {
                      NetworkOfferingServiceMapVO offService =
@@ -1161,6 +1162,7 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                 defaultVpcNetworkOfferingProvidersNoLB.put(Service.StaticNat, Provider.VPCVirtualRouter);
                 defaultVpcNetworkOfferingProvidersNoLB.put(Service.PortForwarding, Provider.VPCVirtualRouter);
                 defaultVpcNetworkOfferingProvidersNoLB.put(Service.Vpn, Provider.VPCVirtualRouter);
+                defaultVpcNetworkOfferingProvidersNoLB.put(Service.Firewall, Provider.VPCVirtualRouter);
 
                 for (Map.Entry<Service,Provider> entry : defaultVpcNetworkOfferingProvidersNoLB.entrySet()) {
                     NetworkOfferingServiceMapVO offService =
@@ -1186,6 +1188,7 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                 internalLbOffProviders.put(Service.Gateway, Provider.VPCVirtualRouter);
                 internalLbOffProviders.put(Service.Lb, Provider.InternalLbVm);
                 internalLbOffProviders.put(Service.SourceNat, Provider.VPCVirtualRouter);
+                internalLbOffProviders.put(Service.Firewall, Provider.VPCVirtualRouter);
 
                 for (Service service : internalLbOffProviders.keySet()) {
                     NetworkOfferingServiceMapVO offService = new NetworkOfferingServiceMapVO(internalLbOff.getId(), service, internalLbOffProviders.get(service));
@@ -1256,9 +1259,8 @@ private Map<Service, Provider> getServicesAndProvidersForProviderNetwork(Network
         serviceProviderMap.put(Service.UserData, routerProvider);
         if (forVpc) {
             serviceProviderMap.put(Service.NetworkACL, provider);
-        } else {
-            serviceProviderMap.put(Service.Firewall, provider);
         }
+        serviceProviderMap.put(Service.Firewall, routerProvider);
         if (networkMode == NetworkOffering.NetworkMode.NATTED) {
             serviceProviderMap.put(Service.SourceNat, provider);
             serviceProviderMap.put(Service.StaticNat, provider);

server/src/main/java/org/apache/cloudstack/network/RoutedIpv4ManagerImpl.java

@@ -989,15 +989,13 @@ public boolean applyRoutingFirewallRule(long id) {
     @Override
     public boolean isVirtualRouterGateway(Network network) {
         return isRoutedNetwork(network)
-                && (networkServiceMapDao.canProviderSupportServiceInNetwork(network.getId(), Service.Gateway, Provider.VirtualRouter))
-                || networkServiceMapDao.canProviderSupportServiceInNetwork(network.getId(), Service.Gateway, Provider.VPCVirtualRouter);
+                && (networkServiceMapDao.canProviderSupportServiceInNetwork(network.getId(), Service.Gateway, Provider.VirtualRouter));
     }
 
     @Override
     public boolean isVirtualRouterGateway(NetworkOffering networkOffering) {
         return NetworkOffering.NetworkMode.ROUTED.equals(networkOffering.getNetworkMode())
-                && networkOfferingServiceMapDao.canProviderSupportServiceInNetworkOffering(networkOffering.getId(), Service.Gateway, Provider.VirtualRouter)
-                || networkOfferingServiceMapDao.canProviderSupportServiceInNetworkOffering(networkOffering.getId(), Service.Gateway, Provider.VPCVirtualRouter);
+                && networkOfferingServiceMapDao.canProviderSupportServiceInNetworkOffering(networkOffering.getId(), Service.Gateway, Provider.VirtualRouter);
     }
 
     @Override

systemvm/debian/opt/cloud/bin/configure.py

@@ -705,8 +705,8 @@ def process(self):
 
         for item in self.dbag:
             if item == "id":
-                continue
-            if self.config.is_vpc():
+                 continue
+            if self.config.is_vpc() and not ("purpose" in self.dbag[item] and self.dbag[item]["purpose"] == "Firewall"):
                 self.AclDevice(self.dbag[item], self.config).create()
             else:
                 self.AclIP(self.dbag[item], self.config).create()

systemvm/debian/opt/cloud/bin/cs/CsAddress.py

@@ -632,6 +632,18 @@ def fw_vpcrouter(self):
                                 (self.address['network'], self.address['network'])])
 
         if self.get_type() in ["public"]:
+            # Add PREROUTING firewall chain jump for public IP
+            self.fw.append(["mangle", "front",
+                            "-A PREROUTING " +
+                            "-d %s/32 -j FIREWALL_%s" % (self.address['public_ip'], self.address['public_ip'])])
+
+            # Add the firewall chain with default DROP policy
+            self.fw.append(["mangle", "front",
+                            "-A FIREWALL_%s " % self.address['public_ip'] +
+                            "-m state --state RELATED,ESTABLISHED -j RETURN"])
+            self.fw.append(["mangle", "",
+                            "-A FIREWALL_%s -j DROP" % self.address['public_ip']])
+
             self.fw.append(
                 ["mangle", "", "-A FORWARD -j VPN_STATS_%s" % self.dev])
             self.fw.append(