extension: support update-vpc-source-nat-ip

Author: weizhouapache

extensions/network-namespace/README.md

@@ -808,7 +808,7 @@ Actions:
 > are NOT removed on destroy — they may still be used by other networks or for
 > VM connectivity.
 
-### VPC lifecycle commands: `implement-vpc`, `shutdown-vpc`, `destroy-vpc`
+### VPC lifecycle commands: `implement-vpc`, `update-vpc-source-nat-ip`, `shutdown-vpc`, `destroy-vpc`
 
 These commands manage VPC-level state. Called by `NetworkExtensionElement` when
 implementing, shutting down, or destroying a VPC (before or after per-tier
@@ -841,6 +841,35 @@ Actions:
 > This command runs **before** any tier networks are implemented. Tier networks
 > inherit the same namespace.
 
+#### `update-vpc-source-nat-ip`
+
+```
+network-namespace-wrapper.sh update-vpc-source-nat-ip \
+    --vpc-id <vpc-id> \
+    --public-ip <new-source-nat-ip> \
+    [--cidr <vpc-cidr>] \
+    [--public-vlan <pvlan>] \
+    [--public-gateway <gw>] \
+    [--public-cidr <cidr>] \
+    [--source-nat true|false]
+```
+
+Actions:
+1. Ensure the target public veth pair exists (`vph-<pvlan>-<vpc-id>` / `vpn-<pvlan>-<vpc-id>`) and assign the new public IP inside the VPC namespace.
+2. Update host and namespace routes for the new source NAT egress path:
+   * keep host route `<public-ip>/32` via `vph-<pvlan>-<vpc-id>`
+   * replace namespace default route via `--public-gateway` on `vpn-<pvlan>-<vpc-id>` when provided.
+3. Rebuild VPC SNAT chain `CS_EXTNET_<vpc-id>_VPC_POST` so exactly one SNAT rule remains:
+   * `-s <vpc-cidr> -o vpn-<pvlan>-<vpc-id> -j SNAT --to-source <public-ip>`.
+4. Reconcile persisted VPC IP markers under
+   `/var/lib/cloudstack/<ext-name>/vpc-<vpc-id>/ips/`:
+   * set the new source NAT IP file to `true`
+   * set all other VPC public IP marker files to `false`
+   * persist/update `<ip>.pvlan` for the new source NAT IP.
+
+> This command is used by `NetworkExtensionElement.updateVpcSourceNatIp()` when
+> `updateVPC` is called with `sourcenatipaddress`; it avoids full VPC restart.
+
 #### `shutdown-vpc`
 
 ```
@@ -1483,7 +1512,8 @@ isolated networks.  Key differences from isolated networks:
   instead of each network getting its own (`cs-net-<networkId>`).
 * **Host affinity**: All tiers of a VPC land on the same KVM host via stable hash-based
   selection using the VPC ID as the routing key.
-* **VPC-level operations**: `implement-vpc`, `shutdown-vpc`, `destroy-vpc` commands
+* **VPC-level operations**: `implement-vpc`, `update-vpc-source-nat-ip`,
+  `shutdown-vpc`, `destroy-vpc` commands
   manage VPC-wide state (namespace creation/teardown).
 * **VPC tier operations**: `implement-network`, `shutdown-network`, `destroy-network`
   commands manage per-tier bridges and routes; the namespace is preserved across
@@ -1514,6 +1544,8 @@ The test covers:
 * Full network lifecycle: implement → assign-ip (source NAT) → static NAT →
   port forwarding → firewall rules → DHCP/DNS → shutdown / destroy.
 * VPC multi-tier networks with shared namespace and automatic host affinity.
+* VPC source NAT IP update flow (`test_09_vpc_source_nat_ip_update`) including
+  source NAT flag flip from old public IP to new public IP.
 * NSP state transitions: Disabled → Enabled → Disabled → Deleted.
 * Tests `test_04`, `test_05`, `test_06` (DHCP, DNS, LB) require `arping`,
   `dnsmasq`, and `haproxy` on the KVM hosts; the test skips them automatically

extensions/network-namespace/network-namespace-wrapper.sh

@@ -3383,6 +3383,129 @@ cmd_implement_vpc() {
     log "implement-vpc: done vpc=${VPC_ID} namespace=${NAMESPACE}"
 }
 
+##############################################################################
+# Command: update-vpc-source-nat-ip
+# Updates VPC source NAT egress to a new public IP without restarting tiers.
+# Reconciles public veth/IP state, default route, VPC SNAT iptables chain,
+# and source NAT markers under ${STATE_DIR}/vpc-<vpcId>/ips/.
+##############################################################################
+
+cmd_update_vpc_source_nat_ip() {
+    parse_vpc_args "$@"
+    acquire_lock "vpc-${VPC_ID}"
+
+    [ -z "${PUBLIC_IP}" ]   && die "update-vpc-source-nat-ip: missing --public-ip"
+
+    local vsd="${STATE_DIR}/vpc-${VPC_ID}"
+    mkdir -p "${vsd}/ips"
+
+    # Load persisted values when omitted by the caller.
+    if [ -z "${VPC_CIDR}" ] && [ -f "${vsd}/cidr" ]; then
+        VPC_CIDR=$(cat "${vsd}/cidr" 2>/dev/null || true)
+    fi
+    if [ -z "${PUBLIC_VLAN}" ] && [ -f "${vsd}/ips/${PUBLIC_IP}.pvlan" ]; then
+        PUBLIC_VLAN=$(cat "${vsd}/ips/${PUBLIC_IP}.pvlan" 2>/dev/null || true)
+    fi
+
+    [ -z "${VPC_CIDR}" ]   && die "update-vpc-source-nat-ip: missing --cidr (or persisted vpc cidr)"
+    [ -z "${PUBLIC_VLAN}" ] && die "update-vpc-source-nat-ip: missing --public-vlan"
+
+    log "update-vpc-source-nat-ip: vpc=${VPC_ID} ns=${NAMESPACE} old=? new=${PUBLIC_IP} pvlan=${PUBLIC_VLAN} cidr=${VPC_CIDR}"
+
+    local old_source_nat_ip=""
+    local old_public_vlan=""
+    local f ip flag
+    for f in "${vsd}/ips/"*; do
+        [ -f "${f}" ] || continue
+        ip=$(basename "${f}")
+        case "${ip}" in
+            *.pvlan|*.tier) continue ;;
+        esac
+        flag=$(cat "${f}" 2>/dev/null || true)
+        if [ "${flag}" = "true" ]; then
+            old_source_nat_ip="${ip}"
+            break
+        fi
+    done
+
+    if [ -n "${old_source_nat_ip}" ] && [ -f "${vsd}/ips/${old_source_nat_ip}.pvlan" ]; then
+        old_public_vlan=$(cat "${vsd}/ips/${old_source_nat_ip}.pvlan" 2>/dev/null || true)
+    fi
+
+    local new_pveth_h new_pveth_n pub_br
+    new_pveth_h=$(pub_veth_host_name "${PUBLIC_VLAN}" "${VPC_ID}")
+    new_pveth_n=$(pub_veth_ns_name   "${PUBLIC_VLAN}" "${VPC_ID}")
+    ensure_host_bridge "${PUB_ETH}" "${PUBLIC_VLAN}"
+    pub_br=$(host_bridge_name "${PUB_ETH}" "${PUBLIC_VLAN}")
+
+    if ! ip link show "${new_pveth_h}" >/dev/null 2>&1; then
+        ip link add "${new_pveth_h}" type veth peer name "${new_pveth_n}"
+        ip link set "${new_pveth_n}" netns "${NAMESPACE}"
+        ip link set "${new_pveth_h}" master "${pub_br}"
+        ip link set "${new_pveth_h}" up
+        ip netns exec "${NAMESPACE}" ip link set "${new_pveth_n}" up
+        log "update-vpc-source-nat-ip: created public veth ${new_pveth_h} <-> ${new_pveth_n}"
+    else
+        ip link set "${new_pveth_h}" up 2>/dev/null || true
+        ip netns exec "${NAMESPACE}" ip link set "${new_pveth_n}" up 2>/dev/null || true
+    fi
+
+    ensure_public_ip_on_namespace "${PUBLIC_IP}" "${PUBLIC_CIDR}" "${new_pveth_n}" "${new_pveth_h}"
+    ip route replace "${PUBLIC_IP}/32" dev "${new_pveth_h}" 2>/dev/null || true
+
+    if [ -n "${old_source_nat_ip}" ] && [ "${old_source_nat_ip}" != "${PUBLIC_IP}" ] && [ -n "${old_public_vlan}" ]; then
+        local old_pveth_n
+        old_pveth_n=$(pub_veth_ns_name "${old_public_vlan}" "${VPC_ID}")
+        if [ "${old_pveth_n}" != "${new_pveth_n}" ]; then
+            ip netns exec "${NAMESPACE}" ip route show default 2>/dev/null | \
+                grep " dev ${old_pveth_n}\b" | \
+                while read -r route; do
+                    ip netns exec "${NAMESPACE}" ip route del ${route} 2>/dev/null || true
+                done
+        fi
+    fi
+
+    if [ -n "${PUBLIC_GATEWAY}" ]; then
+        ip netns exec "${NAMESPACE}" ip route replace default \
+            via "${PUBLIC_GATEWAY}" dev "${new_pveth_n}" 2>/dev/null || \
+        ip netns exec "${NAMESPACE}" ip route add default \
+            via "${PUBLIC_GATEWAY}" dev "${new_pveth_n}" 2>/dev/null || true
+        log "update-vpc-source-nat-ip: default route via ${PUBLIC_GATEWAY} dev ${new_pveth_n}"
+    fi
+
+    local vpc_post_chain="${CHAIN_PREFIX}_${VPC_ID}_VPC_POST"
+    ensure_chain nat "${vpc_post_chain}"
+    ensure_jump  nat POSTROUTING "${vpc_post_chain}"
+
+    # This chain is dedicated to VPC source NAT egress; rebuild to a single rule.
+    ip netns exec "${NAMESPACE}" iptables -t nat -F "${vpc_post_chain}"
+    ip netns exec "${NAMESPACE}" iptables -t nat \
+        -A "${vpc_post_chain}" -s "${VPC_CIDR}" -o "${new_pveth_n}" -j SNAT --to-source "${PUBLIC_IP}"
+
+    # Keep exactly one source-NAT marker: new public IP=true, all others=false.
+    for f in "${vsd}/ips/"*; do
+        [ -f "${f}" ] || continue
+        ip=$(basename "${f}")
+        case "${ip}" in
+            *.pvlan|*.tier) continue ;;
+        esac
+        echo "false" > "${f}"
+    done
+    echo "true" > "${vsd}/ips/${PUBLIC_IP}"
+    echo "${PUBLIC_VLAN}" > "${vsd}/ips/${PUBLIC_IP}.pvlan"
+
+    local _arping_bin
+    _arping_bin=$(_find_arping) || true
+    if [ -n "${_arping_bin}" ]; then
+        ip netns exec "${NAMESPACE}" "${_arping_bin}" -c 3 -U -I "${new_pveth_n}" "${PUBLIC_IP}" \
+            >/dev/null 2>&1 || true
+    fi
+
+    _dump_iptables "${NAMESPACE}"
+    release_lock
+    log "update-vpc-source-nat-ip: done vpc=${VPC_ID} old=${old_source_nat_ip:-none} new=${PUBLIC_IP}"
+}
+
 ##############################################################################
 # Command: shutdown-vpc
 # Removes the VPC namespace after all tiers have been shut down.
@@ -3590,6 +3713,7 @@ case "${COMMAND}" in
     destroy-network)          cmd_destroy_network          "$@" ;;
     # VPC lifecycle
     implement-vpc)            cmd_implement_vpc            "$@" ;;
+    update-vpc-source-nat-ip) cmd_update_vpc_source_nat_ip "$@" ;;
     shutdown-vpc)             cmd_shutdown_vpc             "$@" ;;
     destroy-vpc)              cmd_destroy_vpc              "$@" ;;
     assign-ip)                cmd_assign_ip                "$@" ;;
@@ -3624,7 +3748,7 @@ case "${COMMAND}" in
     custom-action)            cmd_custom_action            "$@" ;;
     "")
         echo "Usage: $0 {implement-network|shutdown-network|destroy-network|" \
-             "implement-vpc|shutdown-vpc|destroy-vpc|" \
+             "implement-vpc|update-vpc-source-nat-ip|shutdown-vpc|destroy-vpc|" \
              "assign-ip|release-ip|" \
              "add-static-nat|delete-static-nat|add-port-forward|delete-port-forward|" \
              "config-dhcp-subnet|remove-dhcp-subnet|add-dhcp-entry|remove-dhcp-entry|set-dhcp-options|" \

framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/network/NetworkExtensionElement.java

@@ -2488,37 +2488,56 @@ public boolean shutdownVpc(Vpc vpc, ReservationContext context)
         return result;
     }
 
-    /** Private gateways are not supported by the network extension element. */
     @Override
     public boolean createPrivateGateway(PrivateGateway gateway)
             throws ConcurrentOperationException, ResourceUnavailableException {
-        return true;
+        throw new UnsupportedOperationException("Private gateways are not supported by the network extension element.");
     }
 
     /** Private gateways are not supported by the network extension element. */
     @Override
     public boolean deletePrivateGateway(PrivateGateway gateway)
             throws ConcurrentOperationException, ResourceUnavailableException {
-        return true;
+        throw new UnsupportedOperationException("Private gateways are not supported by the network extension element.");
     }
 
     /** Static routes are not supported by the network extension element. */
     @Override
     public boolean applyStaticRoutes(Vpc vpc, List<StaticRouteProfile> routes)
             throws ResourceUnavailableException {
-        return true;
+        throw new UnsupportedOperationException("Static routes are not supported by the network extension element.");
     }
 
     /** ACL items on private gateways are not supported by the network extension element. */
     @Override
     public boolean applyACLItemsToPrivateGw(PrivateGateway gateway, List<? extends NetworkACLItem> rules)
             throws ResourceUnavailableException {
-        return true;
+        throw new UnsupportedOperationException("ACL items on private gateways are not supported by the network extension element.");
     }
 
     @Override
     public boolean updateVpcSourceNatIp(Vpc vpc, IpAddress address) {
-        return true;
+        if (vpc == null || address == null || address.getAddress() == null) {
+            logger.warn("updateVpcSourceNatIp: invalid input (vpc={}, address={})", vpc, address);
+            return false;
+        }
+
+        final List<String> args = new ArrayList<>();
+        final VlanVO vlan = vlanDao.findById(address.getVlanId());
+        args.add("--vpc-id");         args.add(String.valueOf(vpc.getId()));
+        args.add("--cidr");           args.add(safeStr(vpc.getCidr()));
+        args.add("--public-ip");      args.add(safeStr(address.getAddress().addr()));
+        args.add("--public-vlan");    args.add(safeStr(getPublicVlanTag(address.getId())));
+        args.add("--public-gateway"); args.add(vlan != null ? safeStr(vlan.getVlanGateway()) : "");
+        args.add("--public-cidr");    args.add(safeStr(getPublicCidr(address.getId())));
+        args.add("--source-nat");     args.add("true");
+
+        final boolean result = executeVpcScript(vpc, "update-vpc-source-nat-ip", args.toArray(new String[0]));
+        if (!result) {
+            logger.warn("updateVpcSourceNatIp: failed to update source NAT IP for VPC {} to {}",
+                    vpc.getId(), address.getAddress().addr());
+        }
+        return result;
     }
 
     /**

server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java

@@ -1683,9 +1683,12 @@ private boolean checkAndUpdateRouterSourceNatIp(Vpc vpc, String sourceNatIp) {
         if (! userIps.isEmpty()) {
             try {
                 _ipAddrMgr.updateSourceNatIpAddress(requestedIp, userIps);
-                if (isVpcForProvider(Provider.Nsx, vpc) || isVpcForProvider(Provider.Netris, vpc)) {
+                if (isVpcForProvider(Provider.Nsx, vpc) || isVpcForProvider(Provider.Netris, vpc)
+                        || isVpcForProvider(Provider.NetworkExtension, vpc)) {
                     boolean isForNsx = _vpcOffSvcMapDao.isProviderForVpcOffering(Provider.Nsx, vpc.getVpcOfferingId());
-                    String providerName = isForNsx ? Provider.Nsx.getName() : Provider.Netris.getName();
+                    boolean isForNetris = _vpcOffSvcMapDao.isProviderForVpcOffering(Provider.Netris, vpc.getVpcOfferingId());
+                    String providerName = isForNsx ? Provider.Nsx.getName()
+                            : (isForNetris ? Provider.Netris.getName() : Provider.NetworkExtension.getName());
                     VpcProvider providerElement = (VpcProvider) _ntwkModel.getElementImplementingProvider(providerName);
                     if (Objects.nonNull(providerElement)) {
                         providerElement.updateVpcSourceNatIp(vpc, requestedIp);