port bug 9978 from 2.3.0 to master

Author: ruansteve

conf/globalConfig/vyos.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<globalConfig xmlns="http://zstack.org/schema/zstack">
+    <config>
+        <category>vyos</category>
+        <name>private.l3.firewall.default.action</name>
+        <description>default action for private l3 network</description>
+        <type>java.lang.String</type>
+        <defaultValue>reject</defaultValue>
+    </config>
+</globalConfig>

conf/springConfigXml/vyos.xml

@@ -17,6 +17,7 @@
             <list>
                 <value>org.zstack.network.service.virtualrouter.lifecycle.VirtualRouterAssembleDecoratorFlow</value>
                 <value>org.zstack.network.service.virtualrouter.vyos.VyosConnectFlow</value>
+                <value>org.zstack.network.service.virtualrouter.vyos.VyosChangePrivateL3FirewallDefaultActionFlow</value>
                 <value>org.zstack.network.service.virtualrouter.vip.VirtualRouterCreateVipForPublicIpFlow</value>
                 <value>org.zstack.network.service.virtualrouter.dns.VirtualRouterSyncDnsOnStartFlow</value>
                 <value>org.zstack.network.service.virtualrouter.dhcp.VirtualRouterSyncDHCPOnStartFlow</value>
@@ -33,6 +34,7 @@
             <list>
                 <value>org.zstack.network.service.virtualrouter.lifecycle.VirtualRouterAssembleDecoratorFlow</value>
                 <value>org.zstack.network.service.virtualrouter.vyos.VyosConnectFlow</value>
+                <value>org.zstack.network.service.virtualrouter.vyos.VyosChangePrivateL3FirewallDefaultActionFlow</value>
                 <value>org.zstack.network.service.virtualrouter.dns.VirtualRouterSyncDnsOnStartFlow</value>
                 <value>org.zstack.network.service.virtualrouter.dhcp.VirtualRouterSyncDHCPOnStartFlow</value>
                 <value>org.zstack.network.service.virtualrouter.nat.VirtualRouterSyncSNATOnStartFlow</value>
@@ -47,6 +49,7 @@
             <list>
                 <value>org.zstack.network.service.virtualrouter.lifecycle.VirtualRouterAssembleDecoratorFlow</value>
                 <value>org.zstack.network.service.virtualrouter.vyos.VyosConnectFlow</value>
+                <value>org.zstack.network.service.virtualrouter.vyos.VyosChangePrivateL3FirewallDefaultActionFlow</value>
                 <value>org.zstack.network.service.virtualrouter.dns.VirtualRouterSyncDnsOnStartFlow</value>
                 <value>org.zstack.network.service.virtualrouter.dhcp.VirtualRouterSyncDHCPOnStartFlow</value>
                 <value>org.zstack.network.service.virtualrouter.nat.VirtualRouterSyncSNATOnStartFlow</value>
@@ -72,6 +75,7 @@
             <list>
                 <value>org.zstack.network.service.virtualrouter.vyos.VyosDeployAgentFlow</value>
                 <value>org.zstack.network.service.virtualrouter.vyos.VyosConnectFlow</value>
+                <value>org.zstack.network.service.virtualrouter.vyos.VyosChangePrivateL3FirewallDefaultActionFlow</value>
                 <value>org.zstack.network.service.virtualrouter.dns.VirtualRouterSyncDnsOnStartFlow</value>
                 <value>org.zstack.network.service.virtualrouter.dhcp.VirtualRouterSyncDHCPOnStartFlow</value>
                 <value>org.zstack.network.service.virtualrouter.nat.VirtualRouterSyncSNATOnStartFlow</value>
@@ -159,4 +163,11 @@
             <zstack:extension interface="org.zstack.network.service.vip.VipFactory" />
         </zstack:plugin>
     </bean>
+
+    <bean id="VyosChangePrivateL3FirewallDefaultActionExtensionPoint" class="org.zstack.network.service.virtualrouter.vyos.VyosChangePrivateL3FirewallDefaultActionExtensionPoint">
+        <zstack:plugin>
+            <zstack:extension interface="org.zstack.header.network.service.VirtualRouterAfterAttachNicExtensionPoint" />
+        </zstack:plugin>
+    </bean>
+
 </beans>

plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/VirtualRouterCommands.java

@@ -63,6 +63,7 @@ public static class NicInfo {
 		private String physicalInterface;
 		private String l2type;
 		private Integer vni;
+		private String firewallDefaultAction;
 
 		public String getIp() {
 			return ip;
@@ -126,6 +127,14 @@ public String getPhysicalInterface() {
 		public void setPhysicalInterface(String physicalInterface) {
 			this.physicalInterface = physicalInterface;
 		}
+
+		public String getFirewallDefaultAction() {
+			return firewallDefaultAction;
+		}
+
+		public void setFirewallDefaultAction(String firewallDefaultAction) {
+			this.firewallDefaultAction = firewallDefaultAction;
+		}
 	}
 
 	public static class ConfigureNicCmd extends AgentCommand {
@@ -143,6 +152,21 @@ public void setNics(List<NicInfo> nics) {
 	public static class ConfigureNicRsp extends AgentResponse {
 	}
 
+	public static class ConfigureNicFirewallDefaultActionCmd extends AgentCommand {
+		private List<NicInfo> nics;
+
+		public List<NicInfo> getNics() {
+			return nics;
+		}
+
+		public void setNics(List<NicInfo> nics) {
+			this.nics = nics;
+		}
+	}
+
+	public static class ConfigureNicFirewallDefaultActionRsp extends AgentResponse {
+	}
+
 	public static class RemoveNicCmd extends AgentCommand {
 		private List<NicInfo> nics;
 

plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/VirtualRouterConstant.java

@@ -24,6 +24,7 @@ public interface VirtualRouterConstant {
 	public static final String VR_ECHO_PATH = "/echo";
 	public static final String VR_CONFIGURE_NIC_PATH = "/configurenic";
 	public static final String VR_REMOVE_NIC_PATH = "/removenic";
+	public static final String VR_CONFIGURE_NIC_FIREWALL_DEFAULT_ACTION_PATH = "/configurenicdefaultaction";
 	public static final String VR_ADD_DHCP_PATH = "/adddhcp";
 	public static final String VR_REMOVE_DHCP_PATH = "/removedhcp";
 	public static final String VR_SET_SNAT_PATH = "/setsnat";

plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosChangePrivateL3FirewallDefaultActionExtensionPoint.java

@@ -0,0 +1,81 @@
+package org.zstack.network.service.virtualrouter.vyos;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.zstack.core.cloudbus.CloudBus;
+import org.zstack.core.cloudbus.CloudBusCallBack;
+import org.zstack.core.timeout.ApiTimeoutManager;
+import org.zstack.header.core.Completion;
+import org.zstack.header.core.NoErrorCompletion;
+import org.zstack.header.errorcode.ErrorCode;
+import org.zstack.header.message.MessageReply;
+import org.zstack.header.network.service.VirtualRouterAfterAttachNicExtensionPoint;
+import org.zstack.header.vm.VmInstanceConstant;
+import org.zstack.header.vm.VmNicInventory;
+import org.zstack.network.service.virtualrouter.*;
+import org.zstack.utils.Utils;
+import org.zstack.utils.logging.CLogger;
+
+import java.util.Collections;
+import static org.zstack.core.Platform.operr;
+
+public class VyosChangePrivateL3FirewallDefaultActionExtensionPoint implements VirtualRouterAfterAttachNicExtensionPoint {
+    @Autowired
+    protected CloudBus bus;
+    @Autowired
+    protected ApiTimeoutManager apiTimeoutManager;
+    private final static CLogger logger = Utils.getLogger(VyosChangePrivateL3FirewallDefaultActionExtensionPoint.class);
+
+    @Override
+    public void afterAttachNic(VmNicInventory nic, Completion completion) {
+        if (!VirtualRouterNicMetaData.GUEST_NIC_MASK_STRING_LIST.contains(nic.getMetaData())) {
+            completion.success();
+            return;
+        }
+
+        String action = VyosGlobalConfig.PRIVATE_L3_FIREWALL_DEFAULT_ACTION.value(String.class);
+        VirtualRouterCommands.NicInfo info = new VirtualRouterCommands.NicInfo();
+        info.setIp(nic.getIp());
+        info.setDefaultRoute(false);
+        info.setGateway(nic.getGateway());
+        info.setMac(nic.getMac());
+        info.setNetmask(nic.getNetmask());
+        info.setFirewallDefaultAction(action);
+
+        VirtualRouterCommands.ConfigureNicFirewallDefaultActionCmd cmd = new VirtualRouterCommands.ConfigureNicFirewallDefaultActionCmd();
+        cmd.setNics(Collections.singletonList(info));
+
+        VirtualRouterAsyncHttpCallMsg cmsg = new VirtualRouterAsyncHttpCallMsg();
+        cmsg.setCommand(cmd);
+        cmsg.setCommandTimeout(apiTimeoutManager.getTimeout(cmd.getClass(), "30m"));
+        cmsg.setPath(VirtualRouterConstant.VR_CONFIGURE_NIC_FIREWALL_DEFAULT_ACTION_PATH);
+        cmsg.setVmInstanceUuid(nic.getVmInstanceUuid());
+        bus.makeTargetServiceIdByResourceUuid(cmsg, VmInstanceConstant.SERVICE_ID, nic.getVmInstanceUuid());
+        bus.send(cmsg, new CloudBusCallBack(completion) {
+            @Override
+            public void run(MessageReply reply) {
+                if (!reply.isSuccess()) {
+                    completion.fail(reply.getError());
+                    return;
+                }
+
+                VirtualRouterAsyncHttpCallReply re = reply.castReply();
+                VirtualRouterCommands.ConfigureNicFirewallDefaultActionRsp rsp = re.toResponse(VirtualRouterCommands.ConfigureNicFirewallDefaultActionRsp.class);
+                if (rsp.isSuccess()) {
+                    logger.debug(String.format("successfully change nic[ip:%s, mac:%s] firewall default action of virtual router vm[uuid:%s]",
+                            nic.getIp(), nic.getMac(), nic.getVmInstanceUuid()));
+                    completion.success();
+                } else {
+                    ErrorCode err = operr("failed to change nic[ip:%s, mac:%s] firewall default action of virtual router vm[uuid:%s], because %s",
+                            nic.getIp(), nic.getMac(), nic.getVmInstanceUuid(), rsp.getError());
+                    completion.fail(err);
+                }
+            }
+        });
+    }
+
+    @Override
+    public void afterAttachNicRollback(VmNicInventory nic, NoErrorCompletion completion) {
+        /* rollback nic will delete all nic configure */
+        completion.done();
+    }
+}

plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosChangePrivateL3FirewallDefaultActionFlow.java

@@ -0,0 +1,96 @@
+package org.zstack.network.service.virtualrouter.vyos;
+
+import org.springframework.beans.factory.annotation.Autowire;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Configurable;
+import org.zstack.core.cloudbus.CloudBus;
+import org.zstack.core.cloudbus.CloudBusCallBack;
+import org.zstack.core.timeout.ApiTimeoutManager;
+import org.zstack.header.core.workflow.FlowTrigger;
+import org.zstack.header.core.workflow.NoRollbackFlow;
+import org.zstack.header.errorcode.ErrorCode;
+import org.zstack.header.message.MessageReply;
+import org.zstack.header.vm.VmInstanceConstant;
+import org.zstack.header.vm.VmNicInventory;
+import org.zstack.network.service.virtualrouter.*;
+import org.zstack.utils.CollectionUtils;
+import org.zstack.utils.Utils;
+import org.zstack.utils.function.Function;
+import org.zstack.utils.logging.CLogger;
+
+import java.util.*;
+
+import static org.zstack.core.Platform.operr;
+
+/**
+ * Created by shixin.ruan on 18-03-10.
+ */
+@Configurable(preConstruction = true, autowire = Autowire.BY_TYPE)
+public class VyosChangePrivateL3FirewallDefaultActionFlow extends NoRollbackFlow {
+    @Autowired
+    protected CloudBus bus;
+    @Autowired
+    protected ApiTimeoutManager apiTimeoutManager;
+
+    private final static CLogger logger = Utils.getLogger(VyosChangePrivateL3FirewallDefaultActionFlow.class);
+
+    @Override
+    public void run(FlowTrigger trigger, Map data) {
+        String action = VyosGlobalConfig.PRIVATE_L3_FIREWALL_DEFAULT_ACTION.value(String.class);
+
+        final VirtualRouterVmInventory servedVm = (VirtualRouterVmInventory) data.get(VirtualRouterConstant.Param.VR.toString());
+        List<VirtualRouterCommands.NicInfo> infos = CollectionUtils.transformToList(servedVm.getGuestNics(), new Function<VirtualRouterCommands.NicInfo, VmNicInventory>() {
+            @Override
+            public VirtualRouterCommands.NicInfo call(VmNicInventory arg) {
+                VirtualRouterCommands.NicInfo info = new VirtualRouterCommands.NicInfo();
+                info.setIp(arg.getIp());
+                info.setDefaultRoute(false);
+                info.setGateway(arg.getGateway());
+                info.setMac(arg.getMac());
+                info.setNetmask(arg.getNetmask());
+                info.setFirewallDefaultAction(action);
+
+                return info;
+            }
+        });
+
+        if (infos == null || infos.isEmpty()) {
+            trigger.next();
+            return;
+        }
+
+        VirtualRouterCommands.ConfigureNicFirewallDefaultActionCmd cmd = new VirtualRouterCommands.ConfigureNicFirewallDefaultActionCmd();
+        cmd.setNics(infos);
+
+        VirtualRouterAsyncHttpCallMsg cmsg = new VirtualRouterAsyncHttpCallMsg();
+        cmsg.setCommand(cmd);
+        cmsg.setCommandTimeout(apiTimeoutManager.getTimeout(cmd.getClass(), "30m"));
+        cmsg.setPath(VirtualRouterConstant.VR_CONFIGURE_NIC_FIREWALL_DEFAULT_ACTION_PATH);
+        cmsg.setVmInstanceUuid(servedVm.getUuid());
+        bus.makeTargetServiceIdByResourceUuid(cmsg, VmInstanceConstant.SERVICE_ID, servedVm.getUuid());
+        bus.send(cmsg, new CloudBusCallBack(trigger) {
+            /* failure in this flow will not block normal process */
+            @Override
+            public void run(MessageReply reply) {
+                if (!reply.isSuccess()) {
+                    logger.debug(String.format("failed to change nic firewall default action of virtual router vm[uuid:%s ip:%s], because %s",
+                            servedVm.getUuid(), servedVm.getManagementNic().getIp(), reply.getError()));
+                    trigger.next();
+                    return;
+                }
+
+                VirtualRouterAsyncHttpCallReply re = reply.castReply();
+                VirtualRouterCommands.ConfigureNicFirewallDefaultActionRsp rsp = re.toResponse(VirtualRouterCommands.ConfigureNicFirewallDefaultActionRsp.class);
+                if (rsp.isSuccess()) {
+                    logger.debug(String.format("successfully change nic firewall default action of virtual router vm[uuid:%s, ip:%s]",
+                            servedVm.getUuid(), servedVm.getManagementNic().getIp()));
+                    trigger.next();
+                } else {
+                    logger.debug(String.format("failed to change nic firewall default action of virtual router vm[uuid:%s ip:%s], because %s",
+                            servedVm.getUuid(), servedVm.getManagementNic().getIp(), rsp.getError()));
+                    trigger.next();
+                }
+            }
+        });
+    }
+}

plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosConstants.java

@@ -12,6 +12,8 @@ public interface VyosConstants {
     String ANSIBLE_PLAYBOOK_NAME = "zvr.py";
     String ANSIBLE_MODULE_PATH = "ansible/zvr";
 
+    String PRIVATE_L3_FIREWALL_DEFAULT_ACTION = "reject";
+
     NetworkServiceProviderType PROVIDER_TYPE = new NetworkServiceProviderType(VyosConstants.VYOS_ROUTER_PROVIDER_TYPE);
 
     enum BootstrapInfoKey {

plugin/virtualRouterProvider/src/main/java/org/zstack/network/service/virtualrouter/vyos/VyosGlobalConfig.java

@@ -0,0 +1,16 @@
+package org.zstack.network.service.virtualrouter.vyos;
+
+import org.zstack.core.config.GlobalConfig;
+import org.zstack.core.config.GlobalConfigDefinition;
+import org.zstack.core.config.GlobalConfigValidation;
+
+/**
+ * Created by shixin.ruan on 18/03/09.
+ */
+@GlobalConfigDefinition
+public class VyosGlobalConfig {
+    public static final String CATEGORY = "vyos";
+
+    @GlobalConfigValidation(validValues = {"accept", "reject"})
+    public static GlobalConfig PRIVATE_L3_FIREWALL_DEFAULT_ACTION = new GlobalConfig(CATEGORY, "private.l3.firewall.default.action");
+}

simulator/simulatorImpl/src/main/java/org/zstack/simulator/virtualrouter/VirtualRouterSimulator.java

@@ -431,6 +431,24 @@ String configureNic(HttpServletRequest req) {
         return null;
     }
 
+    @AsyncThread
+    private void doConfigureNicFirewallDefaultAction(HttpEntity<String> entity) {
+        ConfigureNicFirewallDefaultActionCmd cmd = JSONObjectUtil.toObject(entity.getBody(), ConfigureNicFirewallDefaultActionCmd.class);
+        ConfigureNicFirewallDefaultActionRsp rsp = new ConfigureNicFirewallDefaultActionRsp();
+
+        logger.debug(String.format("successfully configured nics: %s firewall default action", JSONObjectUtil.toJsonString(cmd.getNics())));
+        replyer.reply(entity, rsp);
+        return;
+    }
+
+    @RequestMapping(value = VirtualRouterConstant.VR_CONFIGURE_NIC_FIREWALL_DEFAULT_ACTION_PATH, method = RequestMethod.POST)
+    private @ResponseBody
+    String configureNicFirewallDefaultAction(HttpServletRequest req) {
+        HttpEntity<String> entity = restf.httpServletRequestToHttpEntity(req);
+        doConfigureNicFirewallDefaultAction(entity);
+        return null;
+    }
+
     @RequestMapping(value = VirtualRouterConstant.VR_REMOVE_DHCP_PATH, method = RequestMethod.POST)
     private @ResponseBody
     String removeDchpEntry(HttpServletRequest req) {

testlib/src/main/java/org/zstack/testlib/VirtualRouterOfferingSpec.groovy

@@ -195,6 +195,10 @@ class VirtualRouterOfferingSpec extends InstanceOfferingSpec {
             return new VirtualRouterCommands.ConfigureNicRsp()
         }
 
+        simulator(VirtualRouterConstant.VR_CONFIGURE_NIC_FIREWALL_DEFAULT_ACTION_PATH) {
+            return new VirtualRouterCommands.ConfigureNicFirewallDefaultActionRsp()
+        }
+
         simulator(VirtualRouterConstant.VR_REMOVE_NIC_PATH) {
             return new VirtualRouterCommands.RemoveNicRsp()
         }