changes for VPC with firewall and without capabilities

harikrishna-patnala · harikrishna-patnala · commit 18da77794887 · 2026-06-11T19:34:32.000+05:30
diff --git a/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -2168,6 +2168,11 @@ protected StringBuilder createGuestBootLoadArgs(final NicProfile guestNic, final
             buf.append(" ip6firewall=true");
         }
 
+        if (guestNetwork.getVpcId() != null) {
+            boolean isVpcFirewallEnabled = vpcManager.isProviderSupportServiceInVpc(guestNetwork.getVpcId(), Service.Firewall, Provider.VPCVirtualRouter);
+            buf.append(" vpc_firewall_enabled=").append(isVpcFirewallEnabled);
+        }
+
         final boolean isRedundant = router.getIsRedundantRouter();
         if (isRedundant) {
             buf.append(createRedundantRouterArgs(guestNic, router));
diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py
@@ -703,30 +703,28 @@ def process(self):
             self.add_routing_rules()
             return
 
-        desired_firewall_ips = self._get_desired_vpc_firewall_ips()
+        desired_firewall_ips = set()
+        if self.config.is_vpc() and self.config.is_vpc_firewall_enabled():
+            desired_firewall_ips = self._get_desired_vpc_firewall_ips()
+
         fw_chains_created = set()
+
         for item in self.dbag:
             if item == "id":
                 continue
             if self.config.is_vpc() and not ("purpose" in self.dbag[item] and self.dbag[item]["purpose"] == "Firewall"):
                 self.AclDevice(self.dbag[item], self.config).create()
             else:
+                if self.config.is_vpc() and self.dbag[item].get("purpose") == "Firewall" and not self.config.is_vpc_firewall_enabled():
+                    continue
                 # For VPC firewall rules, create the PREROUTING jump and chain skeleton
                 # once per public IP before adding the individual rule
-                if self.config.is_vpc() and self.dbag[item].get("purpose") == "Firewall":
+                if self.config.is_vpc() and self.config.is_vpc_firewall_enabled() and self.dbag[item].get("purpose") == "Firewall":
                     src_ip = self.dbag[item].get("src_ip")
-                    if src_ip and src_ip not in fw_chains_created:
-                        fw = self.config.get_fw()
-                        fw.append(["mangle", "front",
-                                   "-A PREROUTING -d %s/32 -j FIREWALL_%s" % (src_ip, src_ip)])
-                        fw.append(["mangle", "front",
-                                   "-A FIREWALL_%s -m state --state RELATED,ESTABLISHED -j RETURN" % src_ip])
-                        fw.append(["mangle", "",
-                                   "-A FIREWALL_%s -j DROP" % src_ip])
-                        fw_chains_created.add(src_ip)
+                    self._ensure_vpc_firewall_chains([src_ip], fw_chains_created)
                 self.AclIP(self.dbag[item], self.config).create()
 
-        if self.config.is_vpc():
+        if self.config.is_vpc() and self.config.is_vpc_firewall_enabled():
             self._cleanup_removed_vpc_firewall_chains(desired_firewall_ips)
 
     def _get_desired_vpc_firewall_ips(self):
@@ -744,8 +742,20 @@ def _get_desired_vpc_firewall_ips(self):
                     desired_firewall_ips.add(src_ip)
         return desired_firewall_ips
 
+    def _ensure_vpc_firewall_chains(self, source_ips, fw_chains_created):
+        fw = self.config.get_fw()
+        for src_ip in source_ips:
+            if not src_ip or src_ip in fw_chains_created:
+                continue
+            fw.append(["mangle", "front",
+                       "-A PREROUTING -d %s/32 -j FIREWALL_%s" % (src_ip, src_ip)])
+            fw.append(["mangle", "front",
+                       "-A FIREWALL_%s -m state --state RELATED,ESTABLISHED -j RETURN" % src_ip])
+            fw.append(["mangle", "",
+                       "-A FIREWALL_%s -j DROP" % src_ip])
+            fw_chains_created.add(src_ip)
+
     def _cleanup_removed_vpc_firewall_chains(self, desired_firewall_ips):
-        """Delete FIREWALL_<ip> chain only when no firewall rule remains for that VPC public IP."""
         try:
             mangle_save = CsHelper.execute("iptables-save -t mangle")
             existing_firewall_ips = []
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -647,7 +647,6 @@ def fw_vpcrouter(self):
                                 (self.address['network'], self.address['network'])])
 
         if self.get_type() in ["public"]:
-
             self.fw.append(
                 ["mangle", "", "-A FORWARD -j VPN_STATS_%s" % self.dev])
             self.fw.append(
@@ -681,6 +680,7 @@ def fw_vpcrouter(self):
         self.fw.append(["filter", "", "-P INPUT DROP"])
         self.fw.append(["filter", "", "-P FORWARD DROP"])
 
+
     def fw_router_routing(self):
         if self.config.is_vpc() or not self.config.is_routed():
             return
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsConfig.py b/systemvm/debian/opt/cloud/bin/cs/CsConfig.py
@@ -155,3 +155,6 @@ def get_egress_table(self):
 
     def has_public_network(self):
         return self.cmdline().idata().get('has_public_network', 'true') == 'true'
+
+    def is_vpc_firewall_enabled(self):
+        return self.cmdline().idata().get('vpc_firewall_enabled', 'false') == 'true'
