CLOUDSTACK-306: Introducing IpDeployingRequester and implement inline mode

For LB device in inline mode, the ip deployer(the owner of public ip) is the firewall in front of it, not itself. So check if it's inline or not, if it's inline, return the firewall as ip deployer
2025-10-26 08:42:29 +01:00 · 2013-01-04 18:56:47 -08:00 · 2013-01-04 18:56:47 -08:00 · 42c8c73ab6
commit 42c8c73ab6
parent 177e157cbf
22 changed files with 508 additions and 225 deletions
--- a/api/src/com/cloud/network/element/IpDeployer.java
+++ b/api/src/com/cloud/network/element/IpDeployer.java
@ -21,6 +21,7 @@ import java.util.Set;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.Network;
 import com.cloud.network.Network.Provider;
 import com.cloud.network.Network.Service;
 import com.cloud.network.PublicIpAddress;
@ -33,4 +34,6 @@ public interface IpDeployer {
     * @throws ResourceUnavailableException
     */
    boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddress, Set<Service> services) throws ResourceUnavailableException;
    Provider getProvider();
 }
--- a/api/src/com/cloud/network/element/IpDeployingRequester.java
+++ b/api/src/com/cloud/network/element/IpDeployingRequester.java
@ -0,0 +1,28 @@
 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.
 package com.cloud.network.element;
 import com.cloud.network.Network;
 public interface IpDeployingRequester {
    /**
     * Would return the IpDeployer can deploy IP for this element
     * @param network
     * @return IpDeployer object, or null if there is no deployer for this element
     */
    IpDeployer getIpDeployer(Network network);
 }
--- a/api/src/com/cloud/network/element/LoadBalancingServiceProvider.java
+++ b/api/src/com/cloud/network/element/LoadBalancingServiceProvider.java
@ -22,7 +22,7 @@ import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.Network;
 import com.cloud.network.lb.LoadBalancingRule;
-public interface LoadBalancingServiceProvider extends NetworkElement {
+public interface LoadBalancingServiceProvider extends NetworkElement, IpDeployingRequester {
    /**
     * Apply rules
     * @param network
@ -32,7 +32,6 @@ public interface LoadBalancingServiceProvider extends NetworkElement {
     */
    boolean applyLBRules(Network network, List<LoadBalancingRule> rules) throws ResourceUnavailableException;
    IpDeployer getIpDeployer(Network network);
    /**
     * Validate rules
     * @param network
--- a/api/src/com/cloud/network/element/PortForwardingServiceProvider.java
+++ b/api/src/com/cloud/network/element/PortForwardingServiceProvider.java
@ -22,7 +22,7 @@ import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.Network;
 import com.cloud.network.rules.PortForwardingRule;
-public interface PortForwardingServiceProvider extends NetworkElement {
+public interface PortForwardingServiceProvider extends NetworkElement, IpDeployingRequester {
    /**
     * Apply rules
     * @param network
@ -31,6 +31,4 @@ public interface PortForwardingServiceProvider extends NetworkElement {
     * @throws ResourceUnavailableException
     */
    boolean applyPFRules(Network network, List<PortForwardingRule> rules) throws ResourceUnavailableException;
    IpDeployer getIpDeployer(Network network);
 }
--- a/api/src/com/cloud/network/element/RemoteAccessVPNServiceProvider.java
+++ b/api/src/com/cloud/network/element/RemoteAccessVPNServiceProvider.java
@ -23,12 +23,10 @@ import com.cloud.network.Network;
 import com.cloud.network.RemoteAccessVpn;
 import com.cloud.network.VpnUser;
-public interface RemoteAccessVPNServiceProvider extends NetworkElement {
+public interface RemoteAccessVPNServiceProvider extends NetworkElement, IpDeployingRequester {
    String[] applyVpnUsers(RemoteAccessVpn vpn, List<? extends VpnUser> users) throws ResourceUnavailableException;
    boolean startVpn(Network network, RemoteAccessVpn vpn) throws ResourceUnavailableException;
    boolean stopVpn(Network network, RemoteAccessVpn vpn) throws ResourceUnavailableException;
    IpDeployer getIpDeployer(Network network);
 }
--- a/api/src/com/cloud/network/element/SourceNatServiceProvider.java
+++ b/api/src/com/cloud/network/element/SourceNatServiceProvider.java
@ -16,8 +16,5 @@
 // under the License.
 package com.cloud.network.element;
-import com.cloud.network.Network;
+public interface SourceNatServiceProvider extends NetworkElement, IpDeployingRequester {
 public interface SourceNatServiceProvider extends NetworkElement {
    IpDeployer getIpDeployer(Network network);
 }
--- a/api/src/com/cloud/network/element/StaticNatServiceProvider.java
+++ b/api/src/com/cloud/network/element/StaticNatServiceProvider.java
@ -22,7 +22,7 @@ import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.Network;
 import com.cloud.network.rules.StaticNat;
-public interface StaticNatServiceProvider extends NetworkElement {
+public interface StaticNatServiceProvider extends NetworkElement, IpDeployingRequester {
    /**
     * Creates static nat rule (public IP to private IP mapping) on the network element
     * @param config
@ -31,6 +31,4 @@ public interface StaticNatServiceProvider extends NetworkElement {
     * @throws ResourceUnavailableException
     */
    boolean applyStaticNats(Network config, List<? extends StaticNat> rules) throws ResourceUnavailableException;
    IpDeployer getIpDeployer(Network network);
 }
--- a/plugins/network-elements/f5/src/com/cloud/network/element/F5ExternalLoadBalancerElement.java
+++ b/plugins/network-elements/f5/src/com/cloud/network/element/F5ExternalLoadBalancerElement.java
@ -172,7 +172,8 @@ public class F5ExternalLoadBalancerElement extends ExternalLoadBalancerDeviceMan
    @Override
    public boolean validateLBRule(Network network, LoadBalancingRule rule) {
-        return true;
+        String algo = rule.getAlgorithm();
        return (algo.equals("roundrobin") || algo.equals("leastconn"));
    }
    @Override
@ -471,6 +472,15 @@ public class F5ExternalLoadBalancerElement extends ExternalLoadBalancerDeviceMan
    @Override
    public IpDeployer getIpDeployer(Network network) {
        ExternalLoadBalancerDeviceVO lbDevice = getExternalLoadBalancerForNetwork(network);
        if (lbDevice == null) {
            s_logger.error("Cannot find external load balanacer for network " + network.getName());
            s_logger.error("Make F5 as dummy ip deployer, since we likely met this when clean up resource after shutdown network");
            return this;
        }
        if (_networkManager.isNetworkInlineMode(network)) {
            return getIpDeployerForInlineMode(network);
        }
        return this;
    }
 }
--- a/plugins/network-elements/f5/src/com/cloud/network/resource/F5BigIpResource.java
+++ b/plugins/network-elements/f5/src/com/cloud/network/resource/F5BigIpResource.java
@ -296,7 +296,6 @@ public class F5BigIpResource implements ServerResource {
                for (IpAddressTO ip : ips) {
                    long guestVlanTag = Long.valueOf(ip.getVlanId());
                    // It's a hack, using isOneToOneNat field for indicate if it's inline or not
                    // We'd better have an separate SetupGuestNetwork command later
                    boolean inline = ip.isOneToOneNat();
                    String vlanSelfIp = inline ? tagAddressWithRouteDomain(ip.getVlanGateway(), guestVlanTag) : ip.getVlanGateway();
                    String vlanNetmask = ip.getVlanNetmask();      
@ -364,6 +363,8 @@ public class F5BigIpResource implements ServerResource {
 					}
 				}
 				// Delete the virtual server with this protocol, source IP, and source port, along with its default pool and all pool members
 				deleteVirtualServerAndDefaultPool(virtualServerName);
 				if (!loadBalancer.isRevoked() && destinationsToAdd) {		
 					// Add the pool 
 					addPool(virtualServerName, lbAlgorithm);
@ -378,14 +379,8 @@ public class F5BigIpResource implements ServerResource {
 						}
 					}			
 					// Delete any pool members that aren't in the current list of destinations
 					deleteInactivePoolMembers(virtualServerName, activePoolMembers);
 					// Add the virtual server 
 					addVirtualServer(virtualServerName, lbProtocol, srcIp, srcPort, loadBalancer.getStickinessPolicies());
 				} else {
 					// Delete the virtual server with this protocol, source IP, and source port, along with its default pool and all pool members
 					deleteVirtualServerAndDefaultPool(virtualServerName);			
 				}
 			}																																																		
--- a/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
+++ b/plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
@ -76,6 +76,7 @@ import com.cloud.network.dao.PhysicalNetworkDao;
 import com.cloud.network.resource.JuniperSrxResource;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.PortForwardingRule;
 import com.cloud.network.rules.StaticNat;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offerings.dao.NetworkOfferingDao;
 import com.cloud.resource.ServerResource;
@ -90,7 +91,7 @@ import com.cloud.vm.VirtualMachineProfile;
@Local(value = NetworkElement.class)
 public class JuniperSRXExternalFirewallElement extends ExternalFirewallDeviceManagerImpl implements SourceNatServiceProvider, FirewallServiceProvider,
-        PortForwardingServiceProvider, RemoteAccessVPNServiceProvider, IpDeployer, JuniperSRXFirewallElementService {
+        PortForwardingServiceProvider, RemoteAccessVPNServiceProvider, IpDeployer, JuniperSRXFirewallElementService, StaticNatServiceProvider {
    private static final Logger s_logger = Logger.getLogger(JuniperSRXExternalFirewallElement.class);
@ -302,7 +303,7 @@ public class JuniperSRXExternalFirewallElement extends ExternalFirewallDeviceMan
            return false;
        }
-        return applyFirewallRules(network, rules);
+        return applyPortForwardingRules(network, rules);
    }
    @Override
@ -329,7 +330,7 @@ public class JuniperSRXExternalFirewallElement extends ExternalFirewallDeviceMan
    @Override
    public boolean canEnableIndividualServices() {
-        return false;
+        return true;
    }
    @Override
@ -534,6 +535,10 @@ public class JuniperSRXExternalFirewallElement extends ExternalFirewallDeviceMan
    @Override
    public boolean verifyServicesCombination(Set<Service> services) {
        if (!services.contains(Service.Firewall)) {
            s_logger.warn("SRX must be used as Firewall Service Provider in the network");
            return false;
        }
        return true;
    }
@ -547,4 +552,12 @@ public class JuniperSRXExternalFirewallElement extends ExternalFirewallDeviceMan
        // return true, as IP will be associated as part of static NAT/port forwarding rule configuration
        return true;
    }
 	@Override
 	public boolean applyStaticNats(Network config, List<? extends StaticNat> rules) throws ResourceUnavailableException {
        if (!canHandle(config, Service.StaticNat)) {
            return false;
        }
        return applyStaticNatRules(config, rules);
    }
 }
--- a/plugins/network-elements/netscaler/src/com/cloud/network/element/NetscalerElement.java
+++ b/plugins/network-elements/netscaler/src/com/cloud/network/element/NetscalerElement.java
@ -627,6 +627,14 @@ StaticNatServiceProvider {
    @Override
    public IpDeployer getIpDeployer(Network network) {
        ExternalLoadBalancerDeviceVO lbDevice = getExternalLoadBalancerForNetwork(network);
        if (lbDevice == null) {
            s_logger.error("Cannot find external load balanacer for network " + network.getName());
            return null;
        }
        if (_networkMgr.isNetworkInlineMode(network)) {
            return getIpDeployerForInlineMode(network);
        }
        return this;
    }
--- a/server/src/com/cloud/network/ExternalLoadBalancerDeviceManagerImpl.java
+++ b/server/src/com/cloud/network/ExternalLoadBalancerDeviceManagerImpl.java
@ -64,6 +64,7 @@ import com.cloud.host.dao.HostDetailsDao;
 import com.cloud.network.ExternalLoadBalancerDeviceVO.LBDeviceAllocationState;
 import com.cloud.network.ExternalLoadBalancerDeviceVO.LBDeviceState;
 import com.cloud.network.ExternalNetworkDeviceManager.NetworkDevice;
 import com.cloud.network.Network.Provider;
 import com.cloud.network.Network.Service;
 import com.cloud.network.Networks.TrafficType;
 import com.cloud.network.addr.PublicIp;
@ -79,6 +80,9 @@ import com.cloud.network.dao.NetworkServiceMapDao;
 import com.cloud.network.dao.PhysicalNetworkDao;
 import com.cloud.network.dao.PhysicalNetworkServiceProviderDao;
 import com.cloud.network.dao.PhysicalNetworkServiceProviderVO;
 import com.cloud.network.element.IpDeployer;
 import com.cloud.network.element.NetworkElement;
 import com.cloud.network.element.StaticNatServiceProvider;
 import com.cloud.network.lb.LoadBalancingRule;
 import com.cloud.network.lb.LoadBalancingRule.LbDestination;
 import com.cloud.network.resource.CreateLoadBalancerApplianceAnswer;
@ -86,6 +90,8 @@ import com.cloud.network.resource.DestroyLoadBalancerApplianceAnswer;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.FirewallRuleVO;
 import com.cloud.network.rules.StaticNat;
 import com.cloud.network.rules.StaticNatImpl;
 import com.cloud.network.rules.StaticNatRule;
 import com.cloud.network.rules.StaticNatRuleImpl;
 import com.cloud.network.rules.dao.PortForwardingRulesDao;
@ -688,25 +694,6 @@ public abstract class ExternalLoadBalancerDeviceManagerImpl extends AdapterBase
        return false;
    }
    HostVO getFirewallProviderForNetwork(Network network) {
        HostVO fwHost = null;
        // get the firewall provider (could be either virtual router or external firewall device) for the network
        String fwProvider = _ntwkSrvcProviderDao.getProviderForServiceInNetwork(network.getId(), Service.Firewall);
        if (fwProvider.equalsIgnoreCase("VirtualRouter")) {
            // FIXME: use network service provider container framework support to implement on virtual router
        } else {
            NetworkExternalFirewallVO fwDeviceForNetwork = _networkExternalFirewallDao.findByNetworkId(network.getId());
            assert (fwDeviceForNetwork != null) : "Why firewall provider is not ready for the network to apply static nat rules?";
            long fwDeviceId = fwDeviceForNetwork.getExternalFirewallDeviceId();
            ExternalFirewallDeviceVO fwDevice = _externalFirewallDeviceDao.findById(fwDeviceId);
            fwHost = _hostDao.findById(fwDevice.getHostId());
        }
        return fwHost;
    }
    private NicVO savePlaceholderNic(Network network, String ipAddress) {
        NicVO nic = new NicVO(null, null, network.getId(), null);
        nic.setIp4Address(ipAddress);
@ -727,31 +714,115 @@ public abstract class ExternalLoadBalancerDeviceManagerImpl extends AdapterBase
        return null;
    }
-    private void applyStaticNatRuleForInlineLBRule(DataCenterVO zone, Network network, HostVO firewallHost, boolean revoked, String publicIp, String privateIp) throws ResourceUnavailableException {
+    private void applyStaticNatRuleForInlineLBRule(DataCenterVO zone, Network network, boolean revoked, String publicIp, String privateIp) throws ResourceUnavailableException {
-        List<StaticNatRuleTO> staticNatRules = new ArrayList<StaticNatRuleTO>();
+        List<StaticNat> staticNats = new ArrayList<StaticNat>();
        IPAddressVO ipVO = _ipAddressDao.listByDcIdIpAddress(zone.getId(), publicIp).get(0);
-        VlanVO vlan = _vlanDao.findById(ipVO.getVlanId());
+        StaticNatImpl staticNat = new StaticNatImpl(ipVO.getAllocatedToAccountId(), ipVO.getAllocatedInDomainId(),
-        FirewallRuleVO fwRule = new FirewallRuleVO(null, ipVO.getId(), -1, -1, "any", network.getId(), network.getAccountId(), network.getDomainId(), Purpose.StaticNat, null, null, null, null, null);
+                network.getId(), ipVO.getId(), privateIp, revoked);
-        FirewallRule.State state = !revoked ? FirewallRule.State.Add : FirewallRule.State.Revoke;
+        staticNats.add(staticNat);
-        fwRule.setState(state);
+        StaticNatServiceProvider element = _networkMgr.getStaticNatProviderForNetwork(network);
-        StaticNatRule rule = new StaticNatRuleImpl(fwRule, privateIp);
+        element.applyStaticNats(network, staticNats);
        StaticNatRuleTO ruleTO = new StaticNatRuleTO(rule, vlan.getVlanTag(), publicIp, privateIp);
        staticNatRules.add(ruleTO);
        applyStaticNatRules(staticNatRules, network, firewallHost.getId());
    }
-    protected void applyStaticNatRules(List<StaticNatRuleTO> staticNatRules, Network network, long firewallHostId) throws ResourceUnavailableException {
+    private enum MappingState {
-        if (!staticNatRules.isEmpty()) {
+        Create,
-            SetStaticNatRulesCommand cmd = new SetStaticNatRulesCommand(staticNatRules, null);
+        Remove,
-            Answer answer = _agentMgr.easySend(firewallHostId, cmd);
+        Unchanged,
-            if (answer == null || !answer.getResult()) {
+    };
-                String details = (answer != null) ? answer.getDetails() : "details unavailable";
+    
-                String msg = "firewall provider for the network was unable to apply static nat rules due to: " + details + ".";
+    private class MappingNic {
        private NicVO nic;
        private MappingState state;
        public NicVO getNic() {
            return nic;
        }
        public void setNic(NicVO nic) {
            this.nic = nic;
        }
        public MappingState getState() {
            return state;
        }
        public void setState(MappingState state) {
            this.state = state;
        }
    };
    private MappingNic getLoadBalancingIpNic(DataCenterVO zone, Network network, long sourceIpId, boolean revoked, String existedGuestIp) throws ResourceUnavailableException {
        String srcIp = _networkMgr.getIp(sourceIpId).getAddress().addr();
        InlineLoadBalancerNicMapVO mapping = _inlineLoadBalancerNicMapDao.findByPublicIpAddress(srcIp);
        NicVO loadBalancingIpNic = null;
        MappingNic nic = new MappingNic();
        nic.setState(MappingState.Unchanged);
        if (!revoked) {
            if (mapping == null) {
                // Acquire a new guest IP address and save it as the load balancing IP address
                String loadBalancingIpAddress = existedGuestIp;
                if (loadBalancingIpAddress == null) {
                    loadBalancingIpAddress = _networkMgr.acquireGuestIpAddress(network, null);
                }
                if (loadBalancingIpAddress == null) {
                    String msg = "Ran out of guest IP addresses.";
                    s_logger.error(msg);
-                throw new ResourceUnavailableException(msg, Network.class, network.getId());
+                    throw new ResourceUnavailableException(msg, DataCenter.class, network.getDataCenterId());
                }
                // If a NIC doesn't exist for the load balancing IP address, create one
                loadBalancingIpNic = _nicDao.findByIp4AddressAndNetworkId(loadBalancingIpAddress, network.getId());
                if (loadBalancingIpNic == null) {
                    loadBalancingIpNic = savePlaceholderNic(network, loadBalancingIpAddress);
                }
                // Save a mapping between the source IP address and the load balancing IP address NIC
                mapping = new InlineLoadBalancerNicMapVO(srcIp, loadBalancingIpNic.getId());
                _inlineLoadBalancerNicMapDao.persist(mapping);
                // On the firewall provider for the network, create a static NAT rule between the source IP
                // address and the load balancing IP address
                try {
                    applyStaticNatRuleForInlineLBRule(zone, network, revoked, srcIp, loadBalancingIpNic.getIp4Address());
                } catch (ResourceUnavailableException ex) {
                    // Rollback db operation
                    _inlineLoadBalancerNicMapDao.expunge(mapping.getId());
                    _nicDao.expunge(loadBalancingIpNic.getId());
                    throw ex;
                }
                s_logger.debug("Created static nat rule for inline load balancer");
                nic.setState(MappingState.Create);
            } else {
                loadBalancingIpNic = _nicDao.findById(mapping.getNicId());
            }
        } else {
            if (mapping != null) {
                // Find the NIC that the mapping refers to
                loadBalancingIpNic = _nicDao.findById(mapping.getNicId());
                int count = _networkMgr.getRuleCountForIp(sourceIpId, Purpose.LoadBalancing, FirewallRule.State.Active);
                if (count == 0) {
                    // On the firewall provider for the network, delete the static NAT rule between the source IP
                    // address and the load balancing IP address
                    applyStaticNatRuleForInlineLBRule(zone, network, revoked, srcIp, loadBalancingIpNic.getIp4Address());
                    // Delete the mapping between the source IP address and the load balancing IP address
                    _inlineLoadBalancerNicMapDao.expunge(mapping.getId());
                    // Delete the NIC
                    _nicDao.expunge(loadBalancingIpNic.getId());
                    s_logger.debug("Revoked static nat rule for inline load balancer");
                    nic.setState(MappingState.Remove);
                }
            } else {
                s_logger.debug("Revoking a rule for an inline load balancer that has not been programmed yet.");
                return null;
            }
        }
        nic.setNic(loadBalancingIpNic);
        return nic;
    }
    @Override
@ -788,6 +859,7 @@ public abstract class ExternalLoadBalancerDeviceManagerImpl extends AdapterBase
        }
        List<LoadBalancerTO> loadBalancersToApply = new ArrayList<LoadBalancerTO>();
        List<MappingState> mappingStates = new ArrayList<MappingState>();
        for (int i = 0; i < loadBalancingRules.size(); i++) {
            LoadBalancingRule rule = loadBalancingRules.get(i);
@ -798,63 +870,14 @@ public abstract class ExternalLoadBalancerDeviceManagerImpl extends AdapterBase
            String srcIp = _networkMgr.getIp(rule.getSourceIpAddressId()).getAddress().addr();
            int srcPort = rule.getSourcePortStart();
            List<LbDestination> destinations = rule.getDestinations();
            List<String> sourceCidrs = rule.getSourceCidrList();
            if (externalLoadBalancerIsInline) {
-                InlineLoadBalancerNicMapVO mapping = _inlineLoadBalancerNicMapDao.findByPublicIpAddress(srcIp);
+                MappingNic nic = getLoadBalancingIpNic(zone, network, rule.getSourceIpAddressId(), revoked, null);
-                NicVO loadBalancingIpNic = null;
+                mappingStates.add(nic.getState());
-                HostVO firewallProviderHost = null;
+                NicVO loadBalancingIpNic = nic.getNic();
                if (externalLoadBalancerIsInline) {
                    firewallProviderHost = getFirewallProviderForNetwork(network);
                }
                if (!revoked) {
                    if (mapping == null) {
                        // Acquire a new guest IP address and save it as the load balancing IP address
                        String loadBalancingIpAddress = _networkMgr.acquireGuestIpAddress(network, null);
                        if (loadBalancingIpAddress == null) {
                            String msg = "Ran out of guest IP addresses.";
                            s_logger.error(msg);
                            throw new ResourceUnavailableException(msg, DataCenter.class, network.getDataCenterId());
                        }
                        // If a NIC doesn't exist for the load balancing IP address, create one
                        loadBalancingIpNic = _nicDao.findByIp4AddressAndNetworkId(loadBalancingIpAddress, network.getId());
                if (loadBalancingIpNic == null) {
                            loadBalancingIpNic = savePlaceholderNic(network, loadBalancingIpAddress);
                        }
                        // Save a mapping between the source IP address and the load balancing IP address NIC
                        mapping = new InlineLoadBalancerNicMapVO(rule.getId(), srcIp, loadBalancingIpNic.getId());
                        _inlineLoadBalancerNicMapDao.persist(mapping);
                        // On the firewall provider for the network, create a static NAT rule between the source IP
 // address and the load balancing IP address
                        applyStaticNatRuleForInlineLBRule(zone, network, firewallProviderHost, revoked, srcIp, loadBalancingIpNic.getIp4Address());
                    } else {
                        loadBalancingIpNic = _nicDao.findById(mapping.getNicId());
                    }
                } else {
                    if (mapping != null) {
                        // Find the NIC that the mapping refers to
                        loadBalancingIpNic = _nicDao.findById(mapping.getNicId());
                        // On the firewall provider for the network, delete the static NAT rule between the source IP
 // address and the load balancing IP address
                        applyStaticNatRuleForInlineLBRule(zone, network, firewallProviderHost, revoked, srcIp, loadBalancingIpNic.getIp4Address());
                        // Delete the mapping between the source IP address and the load balancing IP address
                        _inlineLoadBalancerNicMapDao.expunge(mapping.getId());
                        // Delete the NIC
                        _nicDao.expunge(loadBalancingIpNic.getId());
                    } else {
                        s_logger.debug("Revoking a rule for an inline load balancer that has not been programmed yet.");
                    continue;
                }
                }
                // Change the source IP address for the load balancing rule to be the load balancing IP address
                srcIp = loadBalancingIpNic.getIp4Address();
@ -863,13 +886,14 @@ public abstract class ExternalLoadBalancerDeviceManagerImpl extends AdapterBase
            if ((destinations != null && !destinations.isEmpty()) || rule.isAutoScaleConfig()) {
                boolean inline = _networkMgr.isNetworkInlineMode(network);
                LoadBalancerTO loadBalancer = new LoadBalancerTO(uuid, srcIp, srcPort, protocol, algorithm, revoked, false, inline, destinations, rule.getStickinessPolicies());
-                if(rule.isAutoScaleConfig()) {
+                if (rule.isAutoScaleConfig()) {
                    loadBalancer.setAutoScaleVmGroup(rule.getAutoScaleVmGroup());
                }
                loadBalancersToApply.add(loadBalancer);
            }
        }
        try {
            if (loadBalancersToApply.size() > 0) {
                int numLoadBalancersForCommand = loadBalancersToApply.size();
                LoadBalancerTO[] loadBalancersForCommand = loadBalancersToApply.toArray(new LoadBalancerTO[numLoadBalancersForCommand]);
@ -884,6 +908,27 @@ public abstract class ExternalLoadBalancerDeviceManagerImpl extends AdapterBase
                    throw new ResourceUnavailableException(msg, DataCenter.class, network.getDataCenterId());
                }
            }
        } catch (Exception ex) {
            if (externalLoadBalancerIsInline) {
                s_logger.error("Rollbacking static nat operation of inline mode load balancing due to error on applying LB rules!");
                String existedGuestIp = loadBalancersToApply.get(0).getSrcIp();
                // Rollback static NAT operation in current session
                for (int i = 0; i < loadBalancingRules.size(); i++) {
                    LoadBalancingRule rule = loadBalancingRules.get(i);
                    MappingState state = mappingStates.get(i);
                    boolean revoke;
                    if (state == MappingState.Create) {
                        revoke = true;
                    } else if (state == MappingState.Remove) {
                        revoke = false;
                    } else {
                        continue;
                    }
                    getLoadBalancingIpNic(zone, network, rule.getSourceIpAddressId(), revoke, existedGuestIp);
                }
            }
            throw new ResourceUnavailableException(ex.getMessage(), DataCenter.class, network.getDataCenterId());
        }
        return true;
    }
@ -900,12 +945,18 @@ public abstract class ExternalLoadBalancerDeviceManagerImpl extends AdapterBase
        HostVO externalLoadBalancer = null;
        if (add) {
-            ExternalLoadBalancerDeviceVO lbDeviceVO = allocateLoadBalancerForNetwork(guestConfig);
+            ExternalLoadBalancerDeviceVO lbDeviceVO = null;
 	        // on restart network, device could have been allocated already, skip allocation if a device is assigned
            lbDeviceVO = getExternalLoadBalancerForNetwork(guestConfig);
            if (lbDeviceVO == null) {
 		    // allocate a load balancer device for the network
 	            lbDeviceVO = allocateLoadBalancerForNetwork(guestConfig);
 	            if (lbDeviceVO == null) {
 	                String msg = "failed to alloacate a external load balancer for the network " + guestConfig.getId();
 	                s_logger.error(msg);
 	                throw new InsufficientNetworkCapacityException(msg, DataCenter.class, guestConfig.getDataCenterId());
 	            }
            }
            externalLoadBalancer = _hostDao.findById(lbDeviceVO.getHostId());
            s_logger.debug("Allocated external load balancer device:" + lbDeviceVO.getId() + " for the network: " + guestConfig.getId());
        } else {
@ -928,6 +979,12 @@ public abstract class ExternalLoadBalancerDeviceManagerImpl extends AdapterBase
        Integer networkRate = _networkMgr.getNetworkRate(guestConfig.getId(), null);
        if (add) {
 		    // on restart network, network could have already been implemented. If already implemented then return
            NicVO selfipNic = getPlaceholderNic(guestConfig);
            if (selfipNic != null) {
 		    return true;
            }
            // Acquire a self-ip address from the guest network IP address range
            selfIp = _networkMgr.acquireGuestIpAddress(guestConfig, null);
            if (selfIp == null) {
@ -956,8 +1013,9 @@ public abstract class ExternalLoadBalancerDeviceManagerImpl extends AdapterBase
        if (answer == null || !answer.getResult()) {
            String action = add ? "implement" : "shutdown";
-            String answerDetails = (answer != null) ? answer.getDetails() : "answer was null";
+            String answerDetails = (answer != null) ? answer.getDetails() : null;
-            String msg = "External load balancer was unable to " + action + " the guest network on the external load balancer in zone " + zone.getName() + " due to " + answerDetails;
+            answerDetails = (answerDetails != null) ? " due to " + answerDetails : "";
            String msg = "External load balancer was unable to " + action + " the guest network on the external load balancer in zone " + zone.getName() + answerDetails;
            s_logger.error(msg);
            throw new ResourceUnavailableException(msg, Network.class, guestConfig.getId());
        }
@ -1029,4 +1087,25 @@ public abstract class ExternalLoadBalancerDeviceManagerImpl extends AdapterBase
        return new DeleteHostAnswer(true);
    }
    protected IpDeployer getIpDeployerForInlineMode(Network network) {
        //We won't deploy IP, instead the firewall in front of us would do it
        List<Provider> providers = _networkMgr.getProvidersForServiceInNetwork(network, Service.Firewall);
        //Only support one provider now
        if (providers == null)  {
            s_logger.error("Cannot find firewall provider for network " + network.getId());
            return null;
        }
        if (providers.size() != 1) {
            s_logger.error("Found " + providers.size() + " firewall provider for network " + network.getId());
            return null;
        }
        NetworkElement element = _networkMgr.getElementImplementingProvider(providers.get(0).getName());
        if (!(element instanceof IpDeployer)) {
            s_logger.error("The firewall provider for network " + network.getName() + " don't have ability to deploy IP address!");
            return null;
        }
        s_logger.info("Let " + element.getName() + " handle ip association for " + getName() + " in network " + network.getId());
        return (IpDeployer)element;
    }
 }
--- a/server/src/com/cloud/network/InlineLoadBalancerNicMapVO.java
+++ b/server/src/com/cloud/network/InlineLoadBalancerNicMapVO.java
@ -31,9 +31,6 @@ public class InlineLoadBalancerNicMapVO {
    @Column(name="id")
    private long id;
    @Column(name="load_balancer_id")
    private long loadBalancerId;
    @Column(name="public_ip_address")
    private String publicIpAddress;
@ -42,8 +39,7 @@ public class InlineLoadBalancerNicMapVO {
    public InlineLoadBalancerNicMapVO() { }
-    public InlineLoadBalancerNicMapVO(long loadBalancerId, String publicIpAddress, long nicId) {
+    public InlineLoadBalancerNicMapVO(String publicIpAddress, long nicId) {
        this.loadBalancerId = loadBalancerId;
        this.publicIpAddress = publicIpAddress;
        this.nicId = nicId;
    }
@ -52,10 +48,6 @@ public class InlineLoadBalancerNicMapVO {
        return id;
    }
    public long getLoadBalancerId() {
        return loadBalancerId;
    }
    public String getPublicIpAddress() {
    	return publicIpAddress;
    }
--- a/server/src/com/cloud/network/NetworkManager.java
+++ b/server/src/com/cloud/network/NetworkManager.java
@ -40,12 +40,15 @@ import com.cloud.network.Network.Provider;
 import com.cloud.network.Network.Service;
 import com.cloud.network.Networks.TrafficType;
 import com.cloud.network.addr.PublicIp;
 import com.cloud.network.element.LoadBalancingServiceProvider;
 import com.cloud.network.element.NetworkElement;
 import com.cloud.network.element.RemoteAccessVPNServiceProvider;
 import com.cloud.network.element.Site2SiteVpnServiceProvider;
 import com.cloud.network.element.StaticNatServiceProvider;
 import com.cloud.network.element.UserDataServiceProvider;
 import com.cloud.network.guru.NetworkGuru;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.StaticNat;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offerings.NetworkOfferingVO;
@ -483,5 +486,12 @@ public interface NetworkManager extends NetworkService {
     */
    int getNetworkLockTimeout();
    List<Provider> getProvidersForServiceInNetwork(Network network, Service service);
    StaticNatServiceProvider getStaticNatProviderForNetwork(Network network);
    boolean isNetworkInlineMode(Network network);
    int getRuleCountForIp(Long addressId, FirewallRule.Purpose purpose, FirewallRule.State state);
    LoadBalancingServiceProvider getLoadBalancingProviderForNetwork(Network network);
 }
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@ -732,6 +732,18 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
    public boolean canIpsUseOffering(List<PublicIp> publicIps, long offeringId) {
        Map<PublicIp, Set<Service>> ipToServices = getIpToServices(publicIps, false, true);
        Map<Service, Set<Provider>> serviceToProviders = getNetworkOfferingServiceProvidersMap(offeringId);
        NetworkOfferingVO offering = _networkOfferingDao.findById(offeringId);
        //For inline mode checking, using firewall provider for LB instead, because public ip would apply on firewall provider
        if (offering.isInline()) {
            Provider firewallProvider = null;
            if (serviceToProviders.containsKey(Service.Firewall)) {
                firewallProvider = (Provider)serviceToProviders.get(Service.Firewall).toArray()[0];
            }
            Set<Provider> p = new HashSet<Provider>();
            p.add(firewallProvider);
            serviceToProviders.remove(Service.Lb);
            serviceToProviders.put(Service.Lb, p);
        }
        for (PublicIp ip : ipToServices.keySet()) {
            Set<Service> services = ipToServices.get(ip);
            Provider provider = null;
@ -777,9 +789,18 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
            throw new InvalidParameterException("There is no new provider for IP " + publicIp.getAddress() + " of service " + service.getName() + "!");
        }
        Provider newProvider = (Provider) newProviders.toArray()[0];
-        if (!oldProvider.equals(newProvider)) {
+        Network network = _networksDao.findById(networkId);
        NetworkElement oldElement = getElementImplementingProvider(oldProvider.getName());
        NetworkElement newElement = getElementImplementingProvider(newProvider.getName());
        if (oldElement instanceof IpDeployingRequester && newElement instanceof IpDeployingRequester) {
        	IpDeployer oldIpDeployer = ((IpDeployingRequester)oldElement).getIpDeployer(network);
        	IpDeployer newIpDeployer = ((IpDeployingRequester)newElement).getIpDeployer(network);
        	if (!oldIpDeployer.getProvider().getName().equals(newIpDeployer.getProvider().getName())) {
        		throw new InvalidParameterException("There would be multiple providers for IP " + publicIp.getAddress() + "!");
        	}
        } else {
        	throw new InvalidParameterException("Ip cannot be applied for new provider!");
        }
        return true;
    }
@ -850,21 +871,17 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
                }
                IpDeployer deployer = null;
                NetworkElement element = getElementImplementingProvider(provider.getName());
-                if (element instanceof SourceNatServiceProvider) {
+                if (element instanceof ConnectivityProvider) {
                    deployer = ((SourceNatServiceProvider) element).getIpDeployer(network);
                } else if (element instanceof StaticNatServiceProvider) {
                    deployer = ((StaticNatServiceProvider) element).getIpDeployer(network);
                } else if (element instanceof LoadBalancingServiceProvider) {
                    deployer = ((LoadBalancingServiceProvider) element).getIpDeployer(network);
                } else if (element instanceof PortForwardingServiceProvider) {
                    deployer = ((PortForwardingServiceProvider) element).getIpDeployer(network);
                } else if (element instanceof RemoteAccessVPNServiceProvider) {
                    deployer = ((RemoteAccessVPNServiceProvider) element).getIpDeployer(network);
                } else if (element instanceof ConnectivityProvider) {
                    // Nothing to do
                    s_logger.debug("ConnectivityProvider " + element.getClass().getSimpleName() + " has no ip associations");
                    continue;
-                } else {
+                }
                if (!(element instanceof IpDeployingRequester)) {
                    throw new CloudRuntimeException("Element " + element + " is not a IpDeployingRequester!");
                }
                deployer = ((IpDeployingRequester)element).getIpDeployer(network);
                if (deployer == null) {
                    throw new CloudRuntimeException("Fail to get ip deployer for element: " + element);
                }
                Set<Service> services = new HashSet<Service>();
@ -3724,25 +3741,23 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
    public boolean validateRule(FirewallRule rule) {
        Network network = _networksDao.findById(rule.getNetworkId());
        Purpose purpose = rule.getPurpose();
        for (NetworkElement ne : _networkElements) {
            boolean validated;
        switch (purpose) {
        case LoadBalancing:
-                if (!(ne instanceof LoadBalancingServiceProvider)) {
+            LoadBalancingServiceProvider ne = getLoadBalancingProviderForNetwork(network);
-                    continue;
+            if (!ne.validateLBRule(network, (LoadBalancingRule) rule)) {
                }
                validated = ((LoadBalancingServiceProvider) ne).validateLBRule(network, (LoadBalancingRule) rule);
                if (!validated)
                return false;
            }
            break;
        default:
            s_logger.debug("Unable to validate network rules for purpose: " + purpose.toString());
                validated = false;
            }
        }
        return true;
    }
    protected boolean applyLbRules(Network network, List<LoadBalancingRule> rules, LoadBalancingServiceProvider element) throws ResourceUnavailableException {
        return element.applyLBRules(network, rules);
    }
    @Override
    /* The rules here is only the same kind of rule, e.g. all load balancing rules or all port forwarding rules */
    public boolean applyRules(List<? extends FirewallRule> rules, boolean continueOnError) throws ResourceUnavailableException {
@ -3769,47 +3784,55 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
        // the network so as to ensure IP is associated before applying rules (in add state)
        applyIpAssociations(network, false, continueOnError, publicIps);
-        for (NetworkElement ne : _networkElements) {
+        Service service = null;
-            Provider provider = Network.Provider.getProvider(ne.getName());
+        switch (purpose) {
-            if (provider == null) {
+        case LoadBalancing: 
-                if (ne.getName().equalsIgnoreCase("Ovs") || ne.getName().equalsIgnoreCase("BareMetal")
+            service = Service.Lb;
-                        || ne.getName().equalsIgnoreCase("CiscoNexus1000vVSM")) {
+            break;
-                    continue;
+        case PortForwarding: 
            service = Service.PortForwarding;
            break;
        case StaticNat: 
        case Firewall: 
            service = Service.Firewall;
            break;
        case NetworkACL:
            service = Service.NetworkACL;
            break;
        default:
            break;
        }
-                throw new CloudRuntimeException("Unable to identify the provider by name " + ne.getName());
+
        if (service != null) {
            List<Provider> providers = getProvidersForServiceInNetwork(network, service);
            if (providers == null || providers.size() != 1) {
                // FIXME: If there is a service not made available by network offering, then rule should not get created
                // in first place. For now error out during the apply rules.
                String msg = "Cannot find the " + service.getName() + " provider for network " + network.getId();
                s_logger.error(msg);
                throw new CloudRuntimeException(msg);
            }
            NetworkElement ne = getElementImplementingProvider(providers.get(0).getName());
            try {
                boolean handled;
                switch (purpose) {
                case LoadBalancing:
-                    boolean isLbProvider = isProviderSupportServiceInNetwork(network.getId(), Service.Lb, provider);
+                    assert ne instanceof LoadBalancingServiceProvider;
-                    if (!(ne instanceof LoadBalancingServiceProvider && isLbProvider)) {
+                    handled = applyLbRules(network, (List<LoadBalancingRule>)rules, (LoadBalancingServiceProvider) ne);
                        continue;
                    }
                    handled = ((LoadBalancingServiceProvider) ne).applyLBRules(network, (List<LoadBalancingRule>) rules);
                    break;
                case PortForwarding:
-                    boolean isPfProvider = isProviderSupportServiceInNetwork(network.getId(), Service.PortForwarding, provider);
+                    assert ne instanceof PortForwardingServiceProvider;
                    if (!(ne instanceof PortForwardingServiceProvider && isPfProvider)) {
                        continue;
                    }
                    handled = ((PortForwardingServiceProvider) ne).applyPFRules(network, (List<PortForwardingRule>) rules);
                    break;
                case StaticNat:
                    /* It's firewall rule for static nat, not static nat rule */
                    /* Fall through */
                case Firewall:
-                    boolean isFirewallProvider = isProviderSupportServiceInNetwork(network.getId(), Service.Firewall, provider);
+                    assert ne instanceof FirewallServiceProvider;
                    if (!(ne instanceof FirewallServiceProvider && isFirewallProvider)) {
                        continue;
                    }
                    handled = ((FirewallServiceProvider) ne).applyFWRules(network, rules);
                    break;
                case NetworkACL:
-                    boolean isNetworkACLProvider = isProviderSupportServiceInNetwork(network.getId(), Service.NetworkACL, provider);
+                    assert ne instanceof NetworkACLServiceProvider;
                    if (!(ne instanceof NetworkACLServiceProvider && isNetworkACLProvider)) {
                        continue;
                    }
                    handled = ((NetworkACLServiceProvider) ne).applyNetworkACLs(network, rules);
                    break;
                default:
@ -3824,6 +3847,9 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
                s_logger.warn("Problems with " + ne.getName() + " but pushing on", e);
                success = false;
            }
        } else {
            s_logger.debug("Unable to handle network rules for purpose: " + purpose.toString());
            success = false;
        }
        // if all the rules configured on public IP are revoked then dis-associate IP with network service provider
@ -4398,6 +4424,7 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
    }
    @Override
    public UserDataServiceProvider getPasswordResetProvider(Network network) {
        String passwordProvider = _ntwkSrvcDao.getProviderForServiceInNetwork(network.getId(), Service.UserData);
@ -4827,6 +4854,9 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
                // log assign usage events for new offering
                List<NicVO> nics = _nicDao.listByNetworkId(networkId);
                for (NicVO nic : nics) {
                    if (nic.getReservationStrategy() == Nic.ReservationStrategy.PlaceHolder) {
                        continue;
                    }
                    long vmId = nic.getInstanceId();
                    VMInstanceVO vm = _vmDao.findById(vmId);
                    if (vm == null) {
@ -5043,24 +5073,16 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
        applyIpAssociations(network, false, continueOnError, publicIps);
        // get provider
-        String staticNatProvider = _ntwkSrvcDao.getProviderForServiceInNetwork(network.getId(), Service.StaticNat);
+        StaticNatServiceProvider element = getStaticNatProviderForNetwork(network);
        for (NetworkElement ne : _networkElements) {
        try {
-                if (!(ne instanceof StaticNatServiceProvider && ne.getName().equalsIgnoreCase(staticNatProvider))) {
+            success = element.applyStaticNats(network, staticNats);
                    continue;
                }
                boolean handled = ((StaticNatServiceProvider) ne).applyStaticNats(network, staticNats);
                s_logger.debug("Static Nat for network " + network.getId() + " were " + (handled ? "" : " not") + " handled by " + ne.getName());
        } catch (ResourceUnavailableException e) {
            if (!continueOnError) {
                throw e;
            }
-                s_logger.warn("Problems with " + ne.getName() + " but pushing on", e);
+            s_logger.warn("Problems with " + element.getName() + " but pushing on", e);
            success = false;
        }
        }
        // For revoked static nat IP, set the vm_id to null, indicate it should be revoked
        for (StaticNat staticNat : staticNats) {
@ -7485,8 +7507,55 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
    }
    @Override
    public List<Provider> getProvidersForServiceInNetwork(Network network, Service service) {
        Map<Service, Set<Provider>> service2ProviderMap = getServiceProvidersMap(network.getId());
        if (service2ProviderMap.get(service) != null) {
            List<Provider> providers = new ArrayList<Provider>(service2ProviderMap.get(service));
            return providers;
        }
        return null;
    }
    protected NetworkElement getElementForServiceInNetwork(Network network, Service service) {
        List<Provider> providers = getProvidersForServiceInNetwork(network, service);
        //Only support one provider now
        if (providers == null)  {
            s_logger.error("Cannot find " + service.getName() + " provider for network " + network.getId());
            return null;
        }
        if (providers.size() != 1) {
            s_logger.error("Found " + providers.size() + " " + service.getName() + " providers for network!" + network.getId());
            return null;
        }
        NetworkElement element = getElementImplementingProvider(providers.get(0).getName());
        s_logger.info("Let " + element.getName() + " handle " + service.getName() + " in network " + network.getId());
        return element;
    }
    @Override
    public StaticNatServiceProvider getStaticNatProviderForNetwork(Network network) {
        NetworkElement element = getElementForServiceInNetwork(network, Service.StaticNat);
        assert element instanceof StaticNatServiceProvider;
        return (StaticNatServiceProvider)element;
    }
    @Override
    public LoadBalancingServiceProvider getLoadBalancingProviderForNetwork(Network network) {
        NetworkElement element = getElementForServiceInNetwork(network, Service.Lb);
        assert element instanceof LoadBalancingServiceProvider; 
        return ( LoadBalancingServiceProvider)element;
    }
    public boolean isNetworkInlineMode(Network network) {
        NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
        return offering.isInline();
    }
    @Override
    public int getRuleCountForIp(Long addressId, FirewallRule.Purpose purpose, FirewallRule.State state) {
        List<FirewallRuleVO> rules = _firewallDao.listByIpAndPurposeWithState(addressId, purpose, state);
        if (rules == null) {
            return 0;
        }
        return rules.size();
    }
 }
--- a/server/src/com/cloud/network/dao/FirewallRulesDao.java
+++ b/server/src/com/cloud/network/dao/FirewallRulesDao.java
@ -57,5 +57,5 @@ public interface FirewallRulesDao extends GenericDao<FirewallRuleVO, Long> {
    List<FirewallRuleVO> listByNetworkPurposeTrafficTypeAndNotRevoked(long networkId, FirewallRule.Purpose purpose, FirewallRule.TrafficType trafficType);
-
+    List<FirewallRuleVO> listByIpAndPurposeWithState(Long addressId, FirewallRule.Purpose purpose, FirewallRule.State state);
 }
--- a/server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java
+++ b/server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java
@ -309,4 +309,19 @@ public class FirewallRulesDaoImpl extends GenericDaoBase<FirewallRuleVO, Long> i
        return result;
    }
    @Override
    public List<FirewallRuleVO> listByIpAndPurposeWithState(Long ipId, Purpose purpose, State state) {
        SearchCriteria<FirewallRuleVO> sc = AllFieldsSearch.create();
        sc.setParameters("ipId", ipId);
        if (state != null) {
            sc.setParameters("state", state);
        }
        if (purpose != null) {
            sc.setParameters("purpose", purpose);
        }
        return listBy(sc);
    }
 }
--- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
+++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
@ -579,8 +579,14 @@ public class LoadBalancingRulesManagerImpl<Type> implements LoadBalancingRulesMa
    private boolean isRollBackAllowedForProvider(LoadBalancerVO loadBalancer) {
        Network network = _networkDao.findById(loadBalancer.getNetworkId());
-        Provider provider = Network.Provider.Netscaler;
+        List<Provider> provider = _networkMgr.getProvidersForServiceInNetwork(network, Service.Lb);
-        return _ntwkSrvcDao.canProviderSupportServiceInNetwork(network.getId(), Service.Lb, provider);
+        if (provider == null || provider.size() == 0) {
            return false;
        }
        if (provider.get(0) == Provider.Netscaler || provider.get(0) == Provider.F5BigIp) {
            return true;
        }
        return false;
    }
    @Override
    @DB
@ -1056,6 +1062,12 @@ public class LoadBalancingRulesManagerImpl<Type> implements LoadBalancingRulesMa
        LoadBalancerVO newRule = new LoadBalancerVO(lb.getXid(), lb.getName(), lb.getDescription(), lb.getSourceIpAddressId(), lb.getSourcePortEnd(), lb.getDefaultPortStart(),
                lb.getAlgorithm(), network.getId(), ipAddr.getAllocatedToAccountId(), ipAddr.getAllocatedInDomainId());
        // verify rule is supported by Lb provider of the network
        LoadBalancingRule loadBalancing = new LoadBalancingRule(newRule, new ArrayList<LbDestination>(), new ArrayList<LbStickinessPolicy>());
        if (!_networkMgr.validateRule(loadBalancing)) {
            throw new InvalidParameterValueException("LB service provider cannot support this rule");
        }
        newRule = _lbDao.persist(newRule);
        if (openFirewall) {
--- a/server/test/com/cloud/network/MockNetworkManagerImpl.java
+++ b/server/test/com/cloud/network/MockNetworkManagerImpl.java
@ -35,12 +35,16 @@ import com.cloud.network.Network.Provider;
 import com.cloud.network.Network.Service;
 import com.cloud.network.Networks.TrafficType;
 import com.cloud.network.addr.PublicIp;
 import com.cloud.network.element.LoadBalancingServiceProvider;
 import com.cloud.network.element.NetworkElement;
 import com.cloud.network.element.RemoteAccessVPNServiceProvider;
 import com.cloud.network.element.Site2SiteVpnServiceProvider;
 import com.cloud.network.element.StaticNatServiceProvider;
 import com.cloud.network.element.UserDataServiceProvider;
 import com.cloud.network.guru.NetworkGuru;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.FirewallRule.State;
 import com.cloud.network.rules.StaticNat;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offerings.NetworkOfferingVO;
@ -1141,4 +1145,29 @@ public class MockNetworkManagerImpl implements NetworkManager, Manager, NetworkS
        // TODO Auto-generated method stub
        return false;
    }
    @Override
    public StaticNatServiceProvider getStaticNatProviderForNetwork(Network network) {
        // TODO Auto-generated method stub
        return null;
    }
    @Override
    public List<Provider> getProvidersForServiceInNetwork(Network network,
            Service service) {
        // TODO Auto-generated method stub
        return null;
    }
    @Override
    public int getRuleCountForIp(Long addressId, Purpose purpose, State state) {
        // TODO Auto-generated method stub
        return 0;
    }
    @Override
    public LoadBalancingServiceProvider getLoadBalancingProviderForNetwork(Network network) {
        // TODO Auto-generated method stub
        return null;
    }
 }
--- a/server/test/com/cloud/vpc/MockNetworkManagerImpl.java
+++ b/server/test/com/cloud/vpc/MockNetworkManagerImpl.java
@ -37,12 +37,16 @@ import com.cloud.network.Network.Service;
 import com.cloud.network.Networks.TrafficType;
 import com.cloud.network.addr.PublicIp;
 import com.cloud.network.dao.NetworkServiceMapDao;
 import com.cloud.network.element.LoadBalancingServiceProvider;
 import com.cloud.network.element.NetworkElement;
 import com.cloud.network.element.RemoteAccessVPNServiceProvider;
 import com.cloud.network.element.Site2SiteVpnServiceProvider;
 import com.cloud.network.element.StaticNatServiceProvider;
 import com.cloud.network.element.UserDataServiceProvider;
 import com.cloud.network.guru.NetworkGuru;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.FirewallRule.State;
 import com.cloud.network.rules.StaticNat;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offerings.NetworkOfferingVO;
@ -1485,4 +1489,28 @@ public class MockNetworkManagerImpl implements NetworkManager, Manager{
        // TODO Auto-generated method stub
        return false;
    }
    @Override
    public List<Provider> getProvidersForServiceInNetwork(Network network, Service service) {
        // TODO Auto-generated method stub
        return null;
    }
    @Override
    public StaticNatServiceProvider getStaticNatProviderForNetwork(Network network) {
        // TODO Auto-generated method stub
        return null;
    }
    @Override
    public int getRuleCountForIp(Long addressId, Purpose purpose, State state) {
        // TODO Auto-generated method stub
        return 0;
    }
    @Override
    public LoadBalancingServiceProvider getLoadBalancingProviderForNetwork(Network network) {
        // TODO Auto-generated method stub
        return null;
    }
 }
--- a/setup/db/create-schema.sql
+++ b/setup/db/create-schema.sql
@ -746,12 +746,10 @@ CREATE TABLE `cloud`.`load_balancer_stickiness_policies` (
 CREATE TABLE `cloud`.`inline_load_balancer_nic_map` (
  `id` bigint unsigned NOT NULL auto_increment,
  `load_balancer_id` bigint unsigned NOT NULL,
  `public_ip_address` char(40) NOT NULL,
  `nic_id` bigint unsigned NULL COMMENT 'nic id',
  PRIMARY KEY  (`id`),
  UNIQUE KEY (`nic_id`),
  CONSTRAINT `fk_inline_load_balancer_nic_map__load_balancer_id` FOREIGN KEY(`load_balancer_id`) REFERENCES `load_balancing_rules`(`id`) ON DELETE CASCADE,
  CONSTRAINT `fk_inline_load_balancer_nic_map__nic_id` FOREIGN KEY(`nic_id`) REFERENCES `nics`(`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
--- a/setup/db/db/schema-40to410.sql
+++ b/setup/db/db/schema-40to410.sql
@ -68,3 +68,7 @@ ALTER TABLE `sync_queue` ADD `queue_size` SMALLINT NOT NULL DEFAULT '0' COMMENT
 ALTER TABLE `sync_queue` ADD `queue_size_limit` SMALLINT NOT NULL DEFAULT '1' COMMENT 'max number of items the queue can process concurrently';
 ALTER TABLE `sync_queue_item` ADD `queue_proc_time` DATETIME NOT NULL COMMENT 'when processing started for the item' AFTER `queue_proc_number`;
 ALTER TABLE `cloud`.`inline_load_balancer_nic_map` DROP FOREIGN KEY fk_inline_load_balancer_nic_map__load_balancer_id;
 ALTER TABLE `cloud`.`inline_load_balancer_nic_map` DROP COLUMN load_balancer_id;