bugfix #6 vpc vr: Add iptables rules for ACL of private gateway

api/src/main/java/com/cloud/agent/api/to/IpAddressTO.java

@@ -35,6 +35,7 @@ public class IpAddressTO {
     private String networkName;
     private Integer nicDevId;
     private boolean newNic;
+    private boolean isPrivateGateway;
 
     public IpAddressTO(long accountId, String ipAddress, boolean add, boolean firstIP, boolean sourceNat, String broadcastUri, String vlanGateway, String vlanNetmask,
             String vifMacAddress, Integer networkRate, boolean isOneToOneNat) {
@@ -133,4 +134,12 @@ public class IpAddressTO {
     public void setNewNic(boolean newNic) {
         this.newNic = newNic;
     }
+
+    public boolean isPrivateGateway() {
+        return isPrivateGateway;
+    }
+
+    public void setPrivateGateway(boolean isPrivateGateway) {
+        this.isPrivateGateway = isPrivateGateway;
+    }
 }

core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/IpAssociationConfigItem.java

@@ -42,6 +42,7 @@ public class IpAssociationConfigItem extends AbstractConfigItemFacade {
         for (final IpAddressTO ip : command.getIpAddresses()) {
             final IpAddress ipAddress = new IpAddress(ip.getPublicIp(), ip.isSourceNat(), ip.isAdd(), ip.isOneToOneNat(), ip.isFirstIP(), ip.getVlanGateway(), ip.getVlanNetmask(),
                     ip.getVifMacAddress(), ip.getNicDevId(), ip.isNewNic(), ip.getTrafficType().toString());
+            ipAddress.setPrivateGateway(ip.isPrivateGateway());
             ips.add(ipAddress);
         }
 

core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/IpAddress.java

@@ -32,6 +32,7 @@ public class IpAddress {
     private Integer nicDevId;
     private boolean newNic;
     private String nwType;
+    private boolean isPrivateGateway;
 
     public IpAddress() {
         // Empty constructor for (de)serialization
@@ -133,4 +134,12 @@ public class IpAddress {
         this.newNic = newNic;
     }
 
+    public boolean isPrivateGateway() {
+        return isPrivateGateway;
+    }
+
+    public void setPrivateGateway(boolean isPrivateGateway) {
+        this.isPrivateGateway = isPrivateGateway;
+    }
+
 }

server/src/main/java/com/cloud/network/router/CommandSetupHelper.java

@@ -104,9 +104,7 @@ import com.cloud.network.vpc.PrivateIpAddress;
 import com.cloud.network.vpc.StaticRouteProfile;
 import com.cloud.network.vpc.Vpc;
 import com.cloud.network.vpc.VpcGateway;
-import com.cloud.network.vpc.VpcGatewayVO;
 import com.cloud.network.vpc.dao.VpcDao;
-import com.cloud.network.vpc.dao.VpcGatewayDao;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offerings.NetworkOfferingVO;
 import com.cloud.offerings.dao.NetworkOfferingDao;
@@ -172,8 +170,6 @@ public class CommandSetupHelper {
     @Inject
     private VpcDao _vpcDao;
     @Inject
-    private VpcGatewayDao _vpcGatewayDao;
-    @Inject
     private VlanDao _vlanDao;
     @Inject
     private IPAddressDao _ipAddressDao;
@@ -726,8 +722,7 @@ public class CommandSetupHelper {
                 final IpAddressTO ip = new IpAddressTO(ipAddr.getAccountId(), ipAddr.getAddress().addr(), add, firstIP, sourceNat, BroadcastDomainType.fromString(ipAddr.getVlanTag()).toString(), ipAddr.getGateway(),
                         ipAddr.getNetmask(), macAddress, networkRate, ipAddr.isOneToOneNat());
 
-                ip.setTrafficType(getNetworkTrafficType(network));
-                ip.setNetworkName(_networkModel.getNetworkTag(router.getHypervisorType(), network));
+                setIpAddressNetworkParams(ip, network, router);
                 ipsToSend[i++] = ip;
                 if (ipAddr.isSourceNat()) {
                     sourceNatIpAdd = new Pair<IpAddressTO, Long>(ip, ipAddr.getNetworkId());
@@ -851,8 +846,7 @@ public class CommandSetupHelper {
                 final IpAddressTO ip = new IpAddressTO(ipAddr.getAccountId(), ipAddr.getAddress().addr(), add, firstIP, sourceNat, vlanId, vlanGateway, vlanNetmask,
                         vifMacAddress, networkRate, ipAddr.isOneToOneNat());
 
-                ip.setTrafficType(getNetworkTrafficType(network));
-                ip.setNetworkName(_networkModel.getNetworkTag(router.getHypervisorType(), network));
+                setIpAddressNetworkParams(ip, network, router);
                 ipsToSend[i++] = ip;
                 /*
                  * send the firstIP = true for the first Add, this is to create
@@ -979,8 +973,7 @@ public class CommandSetupHelper {
                 final IpAddressTO ip = new IpAddressTO(Account.ACCOUNT_ID_SYSTEM, ipAddr.getIpAddress(), add, false, ipAddr.getSourceNat(), ipAddr.getBroadcastUri(),
                         ipAddr.getGateway(), ipAddr.getNetmask(), ipAddr.getMacAddress(), null, false);
 
-                ip.setTrafficType(getNetworkTrafficType(network));
-                ip.setNetworkName(_networkModel.getNetworkTag(router.getHypervisorType(), network));
+                setIpAddressNetworkParams(ip, network, router);
                 ipsToSend[i++] = ip;
 
             }
@@ -1136,13 +1129,16 @@ public class CommandSetupHelper {
         return dhcpRange;
     }
 
-    private TrafficType getNetworkTrafficType(Network network) {
-        final VpcGatewayVO gateway = _vpcGatewayDao.getVpcGatewayByNetworkId(network.getId());
-        if (gateway != null) {
+    private void setIpAddressNetworkParams(IpAddressTO ipAddress, final Network network, final VirtualRouter router) {
+        if (_networkModel.isPrivateGateway(network.getId())) {
             s_logger.debug("network " + network.getId() + " (name: " + network.getName() + " ) is a vpc private gateway, set traffic type to Public");
-            return TrafficType.Public;
+            ipAddress.setTrafficType(TrafficType.Public);
+            ipAddress.setPrivateGateway(true);
         } else {
-            return network.getTrafficType();
+            ipAddress.setTrafficType(network.getTrafficType());
+            ipAddress.setPrivateGateway(false);
         }
+        ipAddress.setNetworkName(_networkModel.getNetworkTag(router.getHypervisorType(), network));
     }
+
 }

systemvm/debian/opt/cloud/bin/cs/CsAddress.py

@@ -197,6 +197,11 @@ class CsInterface:
             return True
         return False
 
+    def is_private_gateway(self):
+        if "is_private_gateway" in self.address:
+            return self.address['is_private_gateway']
+        return False
+
     def is_added(self):
         return self.get_attr("add")
 
@@ -476,6 +481,13 @@ class CsIP:
             self.fw.append(["", "front", "-A NETWORK_STATS_%s -o %s -s %s" %
                             ("eth1", "eth1", guestNetworkCidr)])
 
+        if self.is_private_gateway():
+            self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
+                            (self.address['network'], self.dev, self.dev)])
+            self.fw.append(["filter", "", "-A ACL_INBOUND_%s -j DROP" % self.dev])
+            self.fw.append(["mangle", "",
+                            "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
+                            (self.dev, self.address['network'], self.address['gateway'], self.dev)])
             if self.address["source_nat"]:
                 self.fw.append(["nat", "front",
                                 "-A POSTROUTING -o %s -j SNAT --to-source %s" %
@@ -625,6 +637,11 @@ class CsIP:
             return True
         return False
 
+    def is_private_gateway(self):
+        if "is_private_gateway" in self.address:
+            return self.address['is_private_gateway']
+        return False
+
     def ip(self):
         return str(self.address['cidr'])