network: fix event, acl, firewall for ipv6 nw

api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/CreateIpv6FirewallRuleCmd.java

@@ -21,6 +21,7 @@
 
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCreateCmd;
@@ -252,4 +253,14 @@ public void execute() throws ResourceUnavailableException {
             }
         }
     }
+
+    @Override
+    public Long getApiResourceId() {
+        return getNetworkId();
+    }
+
+    @Override
+    public ApiCommandResourceType getApiResourceType() {
+        return ApiCommandResourceType.Network;
+    }
 }

api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/DeleteIpv6FirewallRuleCmd.java

@@ -17,6 +17,7 @@
 package org.apache.cloudstack.api.command.user.ipv6;
 
 import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
@@ -94,4 +95,17 @@ public void execute() throws ResourceUnavailableException {
         }
     }
 
+    @Override
+    public Long getApiResourceId() {
+        FirewallRule rule = _firewallService.getFirewallRule(id);
+        if (rule != null) {
+            return rule.getNetworkId();
+        }
+        return null;
+    }
+
+    @Override
+    public ApiCommandResourceType getApiResourceType() {
+        return ApiCommandResourceType.Network;
+    }
 }

api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/UpdateIpv6FirewallRuleCmd.java

@@ -20,6 +20,7 @@
 
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseAsyncCustomIdCmd;
 import org.apache.cloudstack.api.Parameter;
@@ -172,4 +173,17 @@ public void checkUuid() {
         }
     }
 
+    @Override
+    public Long getApiResourceId() {
+        FirewallRule rule = _firewallService.getFirewallRule(id);
+        if (rule != null) {
+            return rule.getNetworkId();
+        }
+        return null;
+    }
+
+    @Override
+    public ApiCommandResourceType getApiResourceType() {
+        return ApiCommandResourceType.Network;
+    }
 }

core/src/main/java/com/cloud/agent/api/routing/SetIpv6FirewallRulesCommand.java

@@ -30,18 +30,24 @@
  */
 public class SetIpv6FirewallRulesCommand extends NetworkElementCommand {
     FirewallRuleTO[] rules;
+    String guestIp6Cidr;
 
     protected SetIpv6FirewallRulesCommand() {
     }
 
-    public SetIpv6FirewallRulesCommand(List<FirewallRuleTO> rules) {
+    public SetIpv6FirewallRulesCommand(List<FirewallRuleTO> rules, String guestIp6Cidr) {
         this.rules = rules.toArray(new FirewallRuleTO[rules.size()]);
+        this.guestIp6Cidr = guestIp6Cidr;
     }
 
     public FirewallRuleTO[] getRules() {
         return rules;
     }
 
+    public String getGuestIp6Cidr() {
+        return guestIp6Cidr;
+    }
+
     @Override
     public int getAnswersCount() {
         return rules.length;

core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetIpv6FirewallRulesConfigItem.java

@@ -42,6 +42,7 @@ public List<ConfigItem> generateConfig(final NetworkElementCommand cmd) {
             final FirewallRule fwRule = new FirewallRule(rule.getId(), rule.getSrcVlanTag(), rule.getSrcIp(), rule.getProtocol(), rule.getSrcPortRange(), rule.revoked(),
                     rule.isAlreadyAdded(), rule.getSourceCidrList(), rule.getDestCidrList(), rule.getPurpose().toString(), rule.getIcmpType(), rule.getIcmpCode(), rule.getTrafficType().toString(),
                     rule.getGuestCidr(), rule.isDefaultEgressPolicy());
+            fwRule.setGuestIp6Cidr(command.getGuestIp6Cidr());
             rules.add(fwRule);
         }
 

core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/FirewallRule.java

@@ -38,6 +38,7 @@ public class FirewallRule {
     private String guestCidr;
     private boolean defaultEgressPolicy;
     private String type;
+    private String guestIp6Cidr;
 
     public FirewallRule() {
         // Empty constructor for (de)serialization
@@ -174,4 +175,11 @@ public void setDefaultEgressPolicy(boolean defaultEgressPolicy) {
         this.defaultEgressPolicy = defaultEgressPolicy;
     }
 
+    public String getGuestIp6Cidr() {
+        return guestIp6Cidr;
+    }
+
+    public void setGuestIp6Cidr(String guestIp6Cidr) {
+        this.guestIp6Cidr = guestIp6Cidr;
+    }
 }

engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDao.java

@@ -73,5 +73,7 @@ public interface NetworkOfferingDao extends GenericDao<NetworkOfferingVO, Long>
 
     NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long offeringId);
 
+    NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long offeringId, NetUtils.InternetProtocol defaultProtocol);
+
     boolean isIpv6Supported(long offeringId);
 }

engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDaoImpl.java

@@ -278,6 +278,15 @@ public NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long offerin
         return NetUtils.InternetProtocol.fromValue(internetProtocolStr);
     }
 
+    @Override
+    public NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long offeringId,NetUtils.InternetProtocol defaultProtocol) {
+        NetUtils.InternetProtocol protocol = getNetworkOfferingInternetProtocol(offeringId);
+        if (protocol == null) {
+            return defaultProtocol;
+        }
+        return protocol;
+    }
+
     @Override
     public boolean isIpv6Supported(long offeringId) {
         NetUtils.InternetProtocol internetProtocol = getNetworkOfferingInternetProtocol(offeringId);

server/src/main/java/com/cloud/api/ApiResponseHelper.java

@@ -2533,7 +2533,7 @@ public NetworkResponse createNetworkResponse(ResponseView view, Network network)
         response.setBytesSent(bytesSent);
 
         if (networkOfferingDao.isIpv6Supported(network.getNetworkOfferingId())) {
-            response.setInternetProtocol(networkOfferingDao.getNetworkOfferingInternetProtocol(network.getNetworkOfferingId()).toString());
+            response.setInternetProtocol(networkOfferingDao.getNetworkOfferingInternetProtocol(network.getNetworkOfferingId(), NetUtils.InternetProtocol.IPv4).toString());
             response.setIpv6Routing(Network.Routing.Static.toString());
             response.setIpv6Routes(new LinkedHashSet<>());
             if (Network.GuestType.Isolated.equals(networkOffering.getGuestType())) {

server/src/main/java/com/cloud/api/query/dao/NetworkOfferingJoinDaoImpl.java

@@ -19,6 +19,7 @@
 
 import java.util.List;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.cloudstack.api.response.NetworkOfferingResponse;
 import org.apache.log4j.Logger;
 
@@ -27,6 +28,7 @@
 import com.cloud.utils.db.GenericDaoBase;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.net.NetUtils;
 
 public class NetworkOfferingJoinDaoImpl extends GenericDaoBase<NetworkOfferingJoinVO, Long> implements NetworkOfferingJoinDao {
     public static final Logger s_logger = Logger.getLogger(NetworkOfferingJoinDaoImpl.class);
@@ -99,7 +101,11 @@ public NetworkOfferingResponse newNetworkOfferingResponse(NetworkOffering offeri
             networkOfferingResponse.setDomain(networkOfferingJoinVO.getDomainPath());
             networkOfferingResponse.setZoneId(networkOfferingJoinVO.getZoneUuid());
             networkOfferingResponse.setZone(networkOfferingJoinVO.getZoneName());
-            networkOfferingResponse.setInternetProtocol(networkOfferingJoinVO.getInternetProtocol());
+            String protocol = networkOfferingJoinVO.getInternetProtocol();
+            if (StringUtils.isEmpty(protocol)) {
+                protocol = NetUtils.InternetProtocol.IPv4.toString();
+            }
+            networkOfferingResponse.setInternetProtocol(protocol);
         }
         networkOfferingResponse.setObjectName("networkoffering");
 

server/src/main/java/com/cloud/api/query/dao/VpcOfferingJoinDaoImpl.java

@@ -20,13 +20,15 @@
 import java.util.List;
 
 import org.apache.cloudstack.api.response.VpcOfferingResponse;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.log4j.Logger;
 
 import com.cloud.api.query.vo.VpcOfferingJoinVO;
 import com.cloud.network.vpc.VpcOffering;
 import com.cloud.utils.db.GenericDaoBase;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.net.NetUtils;
 
 public class VpcOfferingJoinDaoImpl extends GenericDaoBase<VpcOfferingJoinVO, Long> implements VpcOfferingJoinDao {
     public static final Logger s_logger = Logger.getLogger(VpcOfferingJoinDaoImpl.class);
@@ -70,7 +72,11 @@ public VpcOfferingResponse newVpcOfferingResponse(VpcOffering offering) {
             offeringResponse.setDomain(offeringJoinVO.getDomainPath());
             offeringResponse.setZoneId(offeringJoinVO.getZoneUuid());
             offeringResponse.setZone(offeringJoinVO.getZoneName());
-            offeringResponse.setInternetProtocol(offeringJoinVO.getInternetProtocol());
+            String protocol = offeringJoinVO.getInternetProtocol();
+            if (StringUtils.isEmpty(protocol)) {
+                protocol = NetUtils.InternetProtocol.IPv4.toString();
+            }
+            offeringResponse.setInternetProtocol(protocol);
         }
         offeringResponse.setObjectName("vpcoffering");
 

server/src/main/java/com/cloud/network/router/CommandSetupHelper.java

@@ -461,7 +461,9 @@ public void createApplyFirewallRulesCommands(final List<? extends FirewallRule>
     public void createApplyIpv6FirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) {
         final List<FirewallRuleTO> rulesTO = new ArrayList<>();
         String systemRule = null;
-        Boolean defaultEgressPolicy = false;
+        final NetworkVO network = _networkDao.findById(guestNetworkId);
+        final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
+        Boolean defaultEgressPolicy = offering.isEgressDefaultPolicy();;
         if (rules != null) {
             if (rules.size() > 0) {
                 if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) {
@@ -476,16 +478,13 @@ public void createApplyIpv6FirewallRulesCommands(final List<? extends FirewallRu
                     final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, null, Purpose.Ipv6Firewall, trafficType);
                     rulesTO.add(ruleTO);
                 } else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) {
-                    final NetworkVO network = _networkDao.findById(guestNetworkId);
-                    final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
-                    defaultEgressPolicy = offering.isEgressDefaultPolicy();
                     final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, "", Purpose.Ipv6Firewall, trafficType, defaultEgressPolicy);
                     rulesTO.add(ruleTO);
                 }
             }
         }
 
-        final SetIpv6FirewallRulesCommand cmd = new SetIpv6FirewallRulesCommand(rulesTO);
+        final SetIpv6FirewallRulesCommand cmd = new SetIpv6FirewallRulesCommand(rulesTO, network.getIp6Cidr());
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId()));
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, _routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId()));
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());
@@ -547,7 +546,9 @@ public void createFirewallRulesCommands(final List<? extends FirewallRule> rules
     public void createIpv6FirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) {
         final List<FirewallRuleTO> rulesTO = new ArrayList<>();
         String systemRule = null;
-        Boolean defaultEgressPolicy = false;
+        final NetworkVO network = _networkDao.findById(guestNetworkId);
+        final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
+        Boolean defaultEgressPolicy = offering.isEgressDefaultPolicy();
         if (rules != null) {
             if (rules.size() > 0) {
                 if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) {
@@ -562,16 +563,13 @@ public void createIpv6FirewallRulesCommands(final List<? extends FirewallRule> r
                     final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, null, Purpose.Ipv6Firewall, traffictype);
                     rulesTO.add(ruleTO);
                 } else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) {
-                    final NetworkVO network = _networkDao.findById(guestNetworkId);
-                    final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
-                    defaultEgressPolicy = offering.isEgressDefaultPolicy();
                     final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, "", Purpose.Ipv6Firewall, traffictype, defaultEgressPolicy);
                     rulesTO.add(ruleTO);
                 }
             }
         }
 
-        final SetIpv6FirewallRulesCommand cmd = new SetIpv6FirewallRulesCommand(rulesTO);
+        final SetIpv6FirewallRulesCommand cmd = new SetIpv6FirewallRulesCommand(rulesTO, network.getIp6Cidr());
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId()));
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, _routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId()));
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());

systemvm/debian/opt/cloud/bin/configure.py

@@ -296,17 +296,13 @@ def __process_ip6(self, direction, rule_list):
                 return
             tier_cidr = self.ip6_cidr
             chain = "%s_%s_policy" % (self.device, direction)
-            rule = "accept"
-            parent_chain = "acl_output"
+            parent_chain = "acl_forward"
             cidr_key = "saddr"
-            parent_chain_rule = "ip6 saddr ::/0 jump %s" % (chain)
             if direction == "ingress":
-                rule = "drop"
-                parent_chain = "acl_input"
                 cidr_key = "daddr"
             parent_chain_rule = "ip6 %s %s jump %s" % (cidr_key, tier_cidr, chain)
-            self.ipv6_acl.append({'type': "", 'chain': parent_chain, 'rule': parent_chain_rule})
-            self.ipv6_acl.insert(0, {'type': "chain", 'chain': chain, 'rule': rule})
+            self.ipv6_acl.insert(0, {'type': "", 'chain': parent_chain, 'rule': parent_chain_rule})
+            self.ipv6_acl.insert(0, {'type': "chain", 'chain': chain})
             for rule in rule_list:
                 cidr = rule['cidr']
                 if cidr != None and cidr != "":
@@ -369,6 +365,8 @@ def __process_ip6(self, direction, rule_list):
                     self.ipv6_acl.insert(0, {'type': type, 'chain': chain, 'rule': rstr})
                 else:
                     self.ipv6_acl.append({'type': type, 'chain': chain, 'rule': rstr})
+            rstr = "counter packets 0 bytes 0 drop"
+            self.ipv6_acl.append({'type': "", 'chain': chain, 'rule': rstr})
 
         def process(self, direction, rule_list, base):
             count = base
@@ -480,10 +478,30 @@ def flushAllRules(self):
     def process(self):
         fw = self.config.get_ipv6_fw()
         logging.info("Processing IPv6 firewall rules %s; %s" % (self.dbag, fw))
+        chains_added = False
+        egress_policy = None
         for item in self.dbag:
             if item == "id":
                 continue
             rule = self.dbag[item]
+
+            if chains_added == False:
+                guest_cidr = rule['guest_ip6_cidr']
+                parent_chain = "fw_forward"
+                chain = "fw_chain_egress"
+                parent_chain_rule = "ip6 saddr %s jump %s" % (guest_cidr, chain)
+                fw.append({'type': "chain", 'chain': chain})
+                fw.append({'type': "", 'chain': parent_chain, 'rule': parent_chain_rule})
+                chain = "fw_chain_ingress"
+                parent_chain_rule = "ip6 daddr %s jump %s" % (guest_cidr, chain)
+                fw.append({'type': "chain", 'chain': chain})
+                fw.append({'type': "", 'chain': parent_chain, 'rule': parent_chain_rule})
+                if rule['default_egress_policy']:
+                    egress_policy = "accept"
+                else:
+                    egress_policy = "drop"
+                chains_added = True
+
             rstr = ""
 
             chain = "fw_chain_ingress"
@@ -561,14 +579,14 @@ def process(self):
             rstr = appendStringIfNotEmpty(rstr, proto)
             if rstr and action:
                 rstr = rstr + " " + action
-            else:
-                type = "chain"
-                rstr = action
-            logging.debug("Process IPv6 firewall rule %s" % rstr)
-            if type == "chain":
-                fw.insert(0, {'type': type, 'chain': chain, 'rule': rstr})
-            else:
+                logging.debug("Process IPv6 firewall rule %s" % rstr)
                 fw.append({'type': type, 'chain': chain, 'rule': rstr})
+        if chains_added:
+            base_rstr = "counter packets 0 bytes 0"
+            rstr = "%s drop" % base_rstr
+            fw.append({'type': "", 'chain': "fw_chain_ingress", 'rule': rstr})
+            rstr = "%s %s" % (base_rstr, egress_policy)
+            fw.append({'type': "", 'chain': "fw_chain_egress", 'rule': rstr})
 
 
 class CsVmMetadata(CsDataBag):