Fix restart VPC with cleanup

Author: harikrishna-patnala

engine/schema/src/main/java/com/cloud/network/dao/FirewallRulesDao.java

@@ -69,6 +69,8 @@ public interface FirewallRulesDao extends GenericDao<FirewallRuleVO, Long> {
 
     List<FirewallRuleVO> listByNetworkPurposeTrafficType(long networkId, FirewallRule.Purpose purpose, FirewallRule.TrafficType trafficType);
 
+    List<FirewallRuleVO> listByVpcPurposeTrafficType(long vpcId, FirewallRule.Purpose purpose, FirewallRule.TrafficType trafficType);
+
     List<FirewallRuleVO> listByIpAndPurposeWithState(Long addressId, FirewallRule.Purpose purpose, FirewallRule.State state);
 
     void loadSourceCidrs(FirewallRuleVO rule);

engine/schema/src/main/java/com/cloud/network/dao/FirewallRulesDaoImpl.java

@@ -74,6 +74,7 @@ protected FirewallRulesDaoImpl() {
         AllFieldsSearch.and("domain", AllFieldsSearch.entity().getDomainId(), Op.EQ);
         AllFieldsSearch.and("id", AllFieldsSearch.entity().getId(), Op.EQ);
         AllFieldsSearch.and("networkId", AllFieldsSearch.entity().getNetworkId(), Op.EQ);
+        AllFieldsSearch.and("vpcId", AllFieldsSearch.entity().getVpcId(), Op.EQ);
         AllFieldsSearch.and("related", AllFieldsSearch.entity().getRelated(), Op.EQ);
         AllFieldsSearch.and("trafficType", AllFieldsSearch.entity().getTrafficType(), Op.EQ);
         AllFieldsSearch.done();
@@ -355,6 +356,22 @@ public List<FirewallRuleVO> listByNetworkPurposeTrafficType(long networkId, Purp
         return listBy(sc);
     }
 
+    @Override
+    public List<FirewallRuleVO> listByVpcPurposeTrafficType(long vpcId, Purpose purpose, TrafficType trafficType) {
+        SearchCriteria<FirewallRuleVO> sc = AllFieldsSearch.create();
+        sc.setParameters("vpcId", vpcId);
+
+        if (purpose != null) {
+            sc.setParameters("purpose", purpose);
+        }
+
+        if (trafficType != null) {
+            sc.setParameters("trafficType", trafficType);
+        }
+
+        return listBy(sc);
+    }
+
     @Override
     @DB
     public boolean remove(Long id) {

server/src/main/java/com/cloud/network/router/CommandSetupHelper.java

@@ -547,7 +547,7 @@ public void createApplyIpv6FirewallRulesCommands(final List<? extends FirewallRu
         cmds.addCommand(cmd);
     }
 
-    public void createFirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) {
+    public void createFirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final Long guestNetworkId) {
         final List<FirewallRuleTO> rulesTO = new ArrayList<>();
         String systemRule = null;
         Boolean defaultEgressPolicy = false;
@@ -581,7 +581,9 @@ public void createFirewallRulesCommands(final List<? extends FirewallRule> rules
 
         final SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rulesTO);
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId()));
-        cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, _routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId()));
+        if (guestNetworkId != null) {
+            cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, _routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId()));
+        }
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());
         final DataCenterVO dcVo = _dcDao.findById(router.getDataCenterId());
         cmd.setAccessDetail(NetworkElementCommand.ZONE_NETWORK_TYPE, dcVo.getNetworkType().toString());

server/src/main/java/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java

@@ -72,6 +72,7 @@
 import com.cloud.network.dao.LoadBalancerVO;
 import com.cloud.network.dao.MonitoringServiceVO;
 import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.dao.RemoteAccessVpnVO;
 import com.cloud.network.dao.Site2SiteVpnConnectionVO;
 import com.cloud.network.lb.LoadBalancingRule;
@@ -567,6 +568,10 @@ public boolean finalizeCommandsOnStart(final Commands cmds, final VirtualMachine
                 finalizeMonitorService(cmds, profile, domainRouterVO, provider, publicNics.get(0).second().getId(), true, routerHealthCheckConfig);
             }
 
+            if (reprogramGuestNtwks) {
+                reapplyVpcFirewallIngressRules(cmds, domainRouterVO, provider);
+            }
+
             for (final Pair<Nic, Network> nicNtwk : guestNics) {
                 final Nic guestNic = nicNtwk.first();
                 final long guestNetworkId = guestNic.getNetworkId();
@@ -638,6 +643,26 @@ protected void finalizeNetworkRulesForNetwork(final Commands cmds, final DomainR
         }
     }
 
+    private void reapplyVpcFirewallIngressRules(final Commands cmds, final DomainRouterVO domainRouterVO, final Provider provider) {
+        final Long vpcId = domainRouterVO.getVpcId();
+        if (vpcId == null) {
+            return;
+        }
+
+        if (!_vpcMgr.isProviderSupportServiceInVpc(vpcId, Service.Firewall, provider)) {
+            return;
+        }
+
+        final List<FirewallRule> firewallRulesIngress = new ArrayList<>(
+                _rulesDao.listByVpcPurposeTrafficType(vpcId, FirewallRule.Purpose.Firewall, FirewallRule.TrafficType.Ingress));
+        if (firewallRulesIngress.isEmpty()) {
+            return;
+        }
+
+        logger.debug("Found {} VPC firewall ingress rule(s) to apply as a part of domR {} start for VPC {}", firewallRulesIngress.size(), domainRouterVO, vpcId);
+        _commandSetupHelper.createFirewallRulesCommands(firewallRulesIngress, domainRouterVO, cmds, null);
+    }
+
     protected boolean sendNetworkRulesToRouter(final long routerId, final long networkId, final boolean reprogramNetwork) throws ResourceUnavailableException {
         final DomainRouterVO router = _routerDao.findById(routerId);
         final Commands cmds = new Commands(OnError.Continue);