enable to create VPC portfowarding rules with source cidr

[RodrigoDLopez]

Description

Fixes: #7483

When a guest network is created, ACS allows the configuration of the firewall and port forwarding, load balancing, and VPN rules for all IPs associated with the network (including the source NAT). However, when creating a VPC, firewall configurations are possible only via ACLs; port forwarding and load balancing rules are only possible for other public IPs assigned to the network. Thus, situations, where it is necessary to combine firewall rules and port forwarding/load balancing in VPCs, are not possible.

To work around the situation, this PR implements an extension to allow the definition of source CIDR when creating port forwarding rules. If the cidrlist parameter is not informed, the current behavior is maintained. This attribute will only be used when creating port forwarding rules in VPCs, since in guest networks it is possible to combine firewall and port forwarding/load balancing rules directly on the public IPs allocated to that network.

(scc) > create portforwardingrule protocol=tcp privateport=22 publicport=22 openfirewall=false vmguestip=10.1.1.248 virtualmachineid=334d4279-a0e6-4c0a-a999-37aabda08acd ipaddressid=5cca136d-5425-44fa-b6af-aafc29df269e networkid=b61abc91-ee24-4578-bae6-fa2d06cf9370 cidrlist=192.168.200.170/32
{
  "portforwardingrule": {
    "cidrlist": "192.168.200.170/32",
    "fordisplay": true,
    "id": "210bab98-91f3-4911-8680-5189387a7135",
    "ipaddress": "172.16.200.51",
    "ipaddressid": "5cca136d-5425-44fa-b6af-aafc29df269e",
    "networkid": "b61abc91-ee24-4578-bae6-fa2d06cf9370",
    "privateendport": "22",
    "privateport": "22",
    "protocol": "tcp",
    "publicendport": "22",
    "publicport": "22",
    "state": "Active",
    "tags": [],
    "virtualmachinedisplayname": "pf-01",
    "virtualmachineid": "334d4279-a0e6-4c0a-a999-37aabda08acd",
    "virtualmachinename": "pf-01",
    "vmguestip": "10.1.1.248"
  }
}

Furthermore, it was observed that when removing a port forwarding rule, even if the ACS confirmed the removal of said rule, it remained active in the VR. This behavior has changed so that the rule is removed properly.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale

• Major
• Minor

How Has This Been Tested?

For testing purposes, I created a VPC: vpc-01 and a Tier: vpc-01-tier-01. Using this tier three instances PF01, PF02, PF03 was created and the port forward and ACL rules described below were created.

Firewall Rules Applied (ACL)

Origin	Start Port	End Port	Protocolo
0.0.0.0/0	22	22	TCP (Allow)
172.16.200.170/32	23	23	TCP (Allow)
172.16.200.170/32	24	24	TCP (Allow)
0.0.0.0/0	-----	-----	ALL (Deny)

Port forward rules

Private port	Public port	Protocol	Source CIDR	VM
22 - 22	22 - 22	TCP	---	PF01
22 - 22	23 - 23	TCP	---	PF02
22 - 22	24 - 24	TCP	---	PF03

This way, after applying the ACL rule that authorizes access to port 22 from any IP (0.0.0.0/0); access to other instances (PF02 and PF03) turns out to be exposed. After applying the port forward rule limiting access to a list of CIDRs, the observed result was that access to the resources/services of instances PF02 and PF03 was limited to the CIDR informed when creating the port forward rule

Regras de port forward

Private port	Public port	Protocol	Source CIDR	VM
22 - 22	22 - 22	TCP	---	A
22 - 22	23 - 23	TCP	172.16.200.170/32	B
22 - 22	24 - 24	TCP	172.16.200.170/32	C

[codecov]

Codecov Report

Attention: Patch coverage is 20.00000% with 100 lines in your changes missing coverage. Please review.

Project coverage is 15.78%. Comparing base (46201ee) to head (4a438b6).
Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
...java/com/cloud/network/rules/RulesManagerImpl.java	0.00%	29 Missing ⚠️
.../network/rules/dao/PortForwardingRulesDaoImpl.java	0.00%	24 Missing ⚠️
...om/cloud/network/firewall/FirewallManagerImpl.java	52.94%	9 Missing and 7 partials ⚠️
...m/cloud/network/dao/FirewallRulesCidrsDaoImpl.java	0.00%	11 Missing ⚠️
.../com/cloud/network/rules/PortForwardingRuleVO.java	25.00%	6 Missing ⚠️
...a/com/cloud/agent/api/to/PortForwardingRuleTO.java	33.33%	3 Missing and 1 partial ⚠️
...and/user/firewall/UpdatePortForwardingRuleCmd.java	0.00%	4 Missing ⚠️
.../resource/virtualnetwork/model/ForwardingRule.java	40.00%	3 Missing ⚠️
...and/user/firewall/CreatePortForwardingRuleCmd.java	0.00%	2 Missing ⚠️
...a/com/cloud/network/router/CommandSetupHelper.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##               main    #7081     +/-   ##
===========================================
  Coverage     15.78%   15.78%             
- Complexity    12565    12571      +6     
===========================================
  Files          5627     5627             
  Lines        492260   492351     +91     
  Branches      63882    61358   -2524     
===========================================
+ Hits          77710    77728     +18     
- Misses       406076   406148     +72     
- Partials       8474     8475      +1     

Flag	Coverage Δ
uitests	4.04% <ø> (-0.01%)	⬇️
unittests	16.60% <20.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sonarqubecloud]

SonarCloud Quality Gate failed.   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
4 Code Smells

3.4% Coverage
0.0% Duplication

[DaanHoogland]

@RodrigoDLopez can you please look at the sonar warning? They look serious in this case.

[weizhouapache]

Hi @RodrigoDLopez

Have you tested

• create with a list of cidrs ?
• same operation on isolated networks ?
• create port forwarding rule with same public and same private port, but different cidr
• create port forwarding rule with same public and different private port
• update cidrlist of port forwarding rule ?
• restart vpc with/without cleanup
• restart vpc router

something are missing

• ui changes
• unit tests
• marvin test

Please also ask one of your colleagues to test it.

[assistanz247]

@RodrigoDLopez

Yes, our use case has been covered in the PR. Thanks a lot :-)

[weizhouapache]

@RodrigoDLopez

Yes, our use case has been covered in the PR. Thanks a lot :-)

cool, good to know it

[github-actions]

This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch.

[shwstppr]

@RodrigoDLopez can you please address the merge conflicts and check review comments

[DaanHoogland]

ping @RodrigoDLopez

[sureshanaparti]

Hi @RodrigoDLopez It seems the issue #7483 is fixed with this PR. Can target this PR for 4.19.1?

[DaanHoogland]

@RodrigoDLopez can you look at the conflicts?

[weizhouapache]

I suggest we use SOURCE_CIDR_LIST

[winterhazel]

I'm keeping the param as cidrlist for now so that it matches the createLoadBalancerRule API and so that we don't add another parameter or change an existing param's name while we don't have a well-defined protocol to introduce breaking changes. However, I'll address it as "source CIDR list" in the UI and change its description to provide a better idea on what the parameter represents.

[weizhouapache]

Also sourceCidrList

[weizhouapache]

I remember there are some changes for source cidr of load balancing rules. Does it work in isolated networks? If yes, this could be extended to support isolated networks as well.

[winterhazel]

This could be extended to also support isolated networks. However, I don't see a point in doing so, as a similar result can be accomplished by combining firewall and port forwarding rules when using isolated networks.

[winterhazel]

Hi @RodrigoDLopez It seems the issue #7483 is fixed with this PR. Can target this PR for 4.19.1?

@winterhazel , will you considder this?

My bad, I missed this message. Yes, I'll target 4.19.

[github-actions]

This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch.

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11493

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-11741)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 46174 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7081-t11741-kvm-ol8.zip
Smoke tests completed. 132 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_secure_vm_migration	Error	133.38	test_vm_life_cycle.py
test_01_secure_vm_migration	Error	133.38	test_vm_life_cycle.py

[DaanHoogland]

@RodrigoDLopez @winterhazel , are you guys testing this?

[winterhazel]

@RodrigoDLopez @winterhazel , are you guys testing this?

@DaanHoogland I already tested it in #7081 (comment), and consider this PR as ready for merge.