CLOUDSTACK-234: create/delete firewa/lb/pf rule: send ip assoc command

murali-reddy · murali-reddy · commit ea8b85af2a30 · 2013-07-08T14:52:12.000+05:30
only on first rule is created on the IP and last rule is revoked on the
IP

Current suboptima logic of IP Assoc

 - On associate IP to GuestNetwork there is an IPAssoc command sent to
   corresponding network service providers of the network
 - On every rule apply on IP associated with the network send IP assoc
   to the network service providers
 - On every rule deletion on IP associated with a network sernd IP assoc
   command to the network service providers

With this fix logic of IP assoc is changed as below which eliminates
executio of unnessary and expensive IpAssocCommand resource command

 - On associate IP to GuestNetwork, associate IP only to the network,
   Untill any service is associated with the IP dont send IP Assoc
 - On creation of first rule on the IP send IPAssoc to corresponding
   network service provider. Since IP is used for a service, IPAssoc
   need to be sent to correpondign service provider
 - On deletion of last rule on the IP send IPAssoc to corresponding
   network service provider. When last rule is deleted, IP has no
   service associated with it, so send IP assoc to service provider to
   remove the IP association
diff --git a/engine/schema/src/com/cloud/network/dao/FirewallRulesDao.java b/engine/schema/src/com/cloud/network/dao/FirewallRulesDao.java
@@ -54,7 +54,9 @@ public interface FirewallRulesDao extends GenericDao<FirewallRuleVO, Long> {
     List<FirewallRuleVO> listByIpAndNotRevoked(long ipAddressId);
 
     long countRulesByIpId(long sourceIpId);
-    
+
+    long countRulesByIpIdAndState(long sourceIpId, FirewallRule.State state);
+
     List<FirewallRuleVO> listByNetworkPurposeTrafficTypeAndNotRevoked(long networkId, FirewallRule.Purpose purpose, FirewallRule.TrafficType trafficType);
     List<FirewallRuleVO> listByNetworkPurposeTrafficType(long networkId, FirewallRule.Purpose purpose, FirewallRule.TrafficType trafficType);
     
diff --git a/engine/schema/src/com/cloud/network/dao/FirewallRulesDaoImpl.java b/engine/schema/src/com/cloud/network/dao/FirewallRulesDaoImpl.java
@@ -100,6 +100,7 @@ protected FirewallRulesDaoImpl() {
         RulesByIpCount = createSearchBuilder(Long.class);
         RulesByIpCount.select(null, Func.COUNT, RulesByIpCount.entity().getId());
         RulesByIpCount.and("ipAddressId", RulesByIpCount.entity().getSourceIpAddressId(), Op.EQ);
+        RulesByIpCount.and("state", RulesByIpCount.entity().getState(), Op.EQ);
         RulesByIpCount.done();
     }
 
@@ -328,6 +329,16 @@ public boolean remove(Long id) {
         return result;
     }
 
+    @Override
+    public long countRulesByIpIdAndState(long sourceIpId, FirewallRule.State state) {
+        SearchCriteria<Long> sc = RulesByIpCount.create();
+        sc.setParameters("ipAddressId", sourceIpId);
+        if (state != null) {
+            sc.setParameters("state", state);
+        }
+        return customSearch(sc, null).get(0);
+    }
+
     @Override
     public List<FirewallRuleVO> listByIpAndPurposeWithState(Long ipId, Purpose purpose, State state) {
         SearchCriteria<FirewallRuleVO> sc = AllFieldsSearch.create();
diff --git a/server/src/com/cloud/network/NetworkManager.java b/server/src/com/cloud/network/NetworkManager.java
@@ -191,7 +191,7 @@ boolean associateIpAddressListToAccount(long userId, long accountId, long zoneId
 
     public String acquireGuestIpAddress(Network network, String requestedIp);
 
-    boolean applyStaticNats(List<? extends StaticNat> staticNats, boolean continueOnError) throws ResourceUnavailableException;
+    boolean applyStaticNats(List<? extends StaticNat> staticNats, boolean continueOnError, boolean forRevoke) throws ResourceUnavailableException;
 
     boolean reallocate(VirtualMachineProfile<? extends VMInstanceVO> vm,
             DataCenterDeployment dest) throws InsufficientCapacityException, ConcurrentOperationException;
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -627,45 +627,41 @@ public PublicIp assignDedicateIpAddress(Account owner, Long guestNtwkId, Long vp
     @Override
     public boolean applyIpAssociations(Network network, boolean continueOnError) throws ResourceUnavailableException {
         List<IPAddressVO> userIps = _ipAddressDao.listByAssociatedNetwork(network.getId(), null);
-        List<PublicIp> publicIps = new ArrayList<PublicIp>();
-        if (userIps != null && !userIps.isEmpty()) {
-            for (IPAddressVO userIp : userIps) {
-                PublicIp publicIp = PublicIp.createFromAddrAndVlan(userIp, _vlanDao.findById(userIp.getVlanId()));
-                publicIps.add(publicIp);
-            }
-        }
-
-        boolean success = applyIpAssociations(network, false, continueOnError, publicIps);
+        boolean success = true;
 
-        if (success) {
-            for (IPAddressVO addr : userIps) {
-                if (addr.getState() == IpAddress.State.Allocating) {
-                    markPublicIpAsAllocated(addr);
-                } else if (addr.getState() == IpAddress.State.Releasing) {
-                    // Cleanup all the resources for ip address if there are any, and only then un-assign ip in the
-                    // system
-                    if (cleanupIpResources(addr.getId(), Account.ACCOUNT_ID_SYSTEM, _accountMgr.getSystemAccount())) {
-                        s_logger.debug("Unassiging ip address " + addr);
-                        _ipAddressDao.unassignIpAddress(addr.getId());
-                    } else {
-                        success = false;
-                        s_logger.warn("Failed to release resources for ip address id=" + addr.getId());
-                    }
+        // CloudStack will take a lazy approach to associate an acquired public IP to a network service provider as
+        // it will not know what service an acquired IP will be used for. An IP is actually associated with a provider when first
+        // rule is applied. Similarly when last rule on the acquired IP is revoked, IP is not associated with any provider
+        // but still be associated with the account. At this point just mark IP as allocated or released.
+        for (IPAddressVO addr : userIps) {
+            if (addr.getState() == IpAddress.State.Allocating) {
+                addr.setAssociatedWithNetworkId(network.getId());
+                markPublicIpAsAllocated(addr);
+            } else if (addr.getState() == IpAddress.State.Releasing) {
+                // Cleanup all the resources for ip address if there are any, and only then un-assign ip in the system
+                if (cleanupIpResources(addr.getId(), Account.ACCOUNT_ID_SYSTEM, _accountMgr.getSystemAccount())) {
+                    _ipAddressDao.unassignIpAddress(addr.getId());
+                } else {
+                    success = false;
+                    s_logger.warn("Failed to release resources for ip address id=" + addr.getId());
                 }
             }
         }
 
         return success;
     }
 
-   
 
+    // CloudStack will take a lazy approach to associate an acquired public IP to a network service provider as
+    // it will not know what a acquired IP will be used for. An IP is actually associated with a provider when first
+    // rule is applied. Similarly when last rule on the acquired IP is revoked, IP is not associated with any provider
+    // but still be associated with the account. Its up to caller of this function to decide when to invoke IPAssociation
     @Override
-    public boolean applyIpAssociations(Network network, boolean rulesRevoked, boolean continueOnError, 
+    public boolean applyIpAssociations(Network network, boolean postApplyRules, boolean continueOnError,
             List<? extends PublicIpAddress> publicIps) throws ResourceUnavailableException {
         boolean success = true;
 
-        Map<PublicIpAddress, Set<Service>> ipToServices = _networkModel.getIpToServices(publicIps, rulesRevoked, true);
+        Map<PublicIpAddress, Set<Service>> ipToServices = _networkModel.getIpToServices(publicIps, postApplyRules, true);
         Map<Provider, ArrayList<PublicIpAddress>> providerToIpList = _networkModel.getProviderToIpList(network, ipToServices);
 
         for (Provider provider : providerToIpList.keySet()) {
@@ -2943,11 +2939,10 @@ public boolean applyRules(List<? extends FirewallRule> rules, FirewallRule.Purpo
                     publicIps.add(publicIp);
                 }
             }
-
-            // rules can not programmed unless IP is associated with network
-            // service provider, so run IP assoication for
-            // the network so as to ensure IP is associated before applying
-            // rules (in add state)
+        }
+        // rules can not programmed unless IP is associated with network service provider, so run IP assoication for
+        // the network so as to ensure IP is associated before applying rules (in add state)
+        if (checkIfIpAssocRequired(network, false, publicIps)) {
             applyIpAssociations(network, false, continueOnError, publicIps);
         }
 
@@ -2961,15 +2956,65 @@ public boolean applyRules(List<? extends FirewallRule> rules, FirewallRule.Purpo
             success = false;
         }
 
-        if (!(rules.get(0).getPurpose() == FirewallRule.Purpose.Firewall && trafficType == FirewallRule.TrafficType.Egress)) {
-            // if all the rules configured on public IP are revoked then
-            // dis-associate IP with network service provider
+        // if there are no active rules associated with a public IP, then public IP need not be associated with a provider.
+        // This IPAssoc ensures, public IP is dis-associated after last active rule is revoked.
+        if (checkIfIpAssocRequired(network, true, publicIps)) {
             applyIpAssociations(network, true, continueOnError, publicIps);
         }
 
         return success;
     }
 
+    // An IP association is required in below cases
+    //  1.there is at least one public IP associated with the network on which first rule (PF/static NAT/LB) is being applied.
+    //  2.last rule (PF/static NAT/LB) on the public IP has been revoked. So the public IP should not be associated with any provider
+    boolean checkIfIpAssocRequired(Network network, boolean postApplyRules, List<PublicIp> publicIps) {
+        for (PublicIp ip : publicIps) {
+            if (ip.isSourceNat()) {
+                continue;
+            } else if (ip.isOneToOneNat()) {
+                continue;
+            } else {
+                Long totalCount = null;
+                Long revokeCount = null;
+                Long activeCount = null;
+                Long addCount = null;
+
+                totalCount = _firewallDao.countRulesByIpId(ip.getId());
+                if (postApplyRules) {
+                    revokeCount = _firewallDao.countRulesByIpIdAndState(ip.getId(), FirewallRule.State.Revoke);
+                } else {
+                    activeCount = _firewallDao.countRulesByIpIdAndState(ip.getId(), FirewallRule.State.Active);
+                    addCount = _firewallDao.countRulesByIpIdAndState(ip.getId(), FirewallRule.State.Add);
+                }
+
+                if (totalCount == null || totalCount.longValue() == 0L) {
+                    continue;
+                }
+
+                if (postApplyRules) {
+
+                    if (revokeCount != null && revokeCount.longValue() == totalCount.longValue()) {
+                        s_logger.trace("All rules are in Revoke state, have to dis-assiciate IP from the backend");
+                        return true;
+                    }
+                } else {
+                    if (activeCount != null && activeCount > 0) {
+                        continue;
+                    } else if (addCount != null && addCount.longValue() == totalCount.longValue()) {
+                        s_logger.trace("All rules are in Add state, have to assiciate IP with the backend");
+                        return true;
+                    } else {
+                        continue;
+                    }
+                }
+            }
+        }
+
+        // there are no IP's corresponding to this network that need to be associated with provider
+        return false;
+    }
+
     public class NetworkGarbageCollector implements Runnable {
 
         @Override
@@ -3535,7 +3580,8 @@ public String acquireGuestIpAddress(Network network, String requestedIp) {
 
     
     @Override
-    public boolean applyStaticNats(List<? extends StaticNat> staticNats, boolean continueOnError) throws ResourceUnavailableException {
+    public boolean applyStaticNats(List<? extends StaticNat> staticNats, boolean continueOnError, boolean forRevoke)
+            throws ResourceUnavailableException {
         Network network = _networksDao.findById(staticNats.get(0).getNetworkId());
         boolean success = true;
 
@@ -3554,9 +3600,11 @@ public boolean applyStaticNats(List<? extends StaticNat> staticNats, boolean con
             }
         }
 
-        // static NAT rules can not programmed unless IP is associated with network service provider, so run IP
-        // association for the network so as to ensure IP is associated before applying rules (in add state)
-        applyIpAssociations(network, false, continueOnError, publicIps);
+        // static NAT rules can not programmed unless IP is associated with source NAT service provider, so run IP
+        // association for the network so as to ensure IP is associated before applying rules
+        if (checkStaticNatIPAssocRequired(network, false, forRevoke, publicIps)) {
+            applyIpAssociations(network, false, continueOnError, publicIps);
+        }
 
         // get provider
         StaticNatServiceProvider element = getStaticNatProviderForNetwork(network);
@@ -3587,12 +3635,38 @@ public boolean applyStaticNats(List<? extends StaticNat> staticNats, boolean con
             }
         }
 
-        // if all the rules configured on public IP are revoked then, dis-associate IP with network service provider
-        applyIpAssociations(network, true, continueOnError, publicIps);
+        // if the static NAT rules configured on public IP is revoked then, dis-associate IP with static NAT service provider
+        if (checkStaticNatIPAssocRequired(network, true, forRevoke, publicIps)) {
+            applyIpAssociations(network, true, continueOnError, publicIps);
+        }
 
         return success;
     }
 
+    // checks if there are any public IP assigned to network, that are marked for one-to-one NAT that
+    // needs to be associated/dis-associated with static-nat provider
+    boolean checkStaticNatIPAssocRequired(Network network, boolean postApplyRules, boolean forRevoke, List<PublicIp> publicIps) {
+        for (PublicIp ip : publicIps) {
+            if (ip.isOneToOneNat()) {
+                Long activeFwCount = null;
+                activeFwCount =  _firewallDao.countRulesByIpIdAndState(ip.getId(), FirewallRule.State.Active);
+
+                if (!postApplyRules && !forRevoke) {
+                    if (activeFwCount > 0) {
+                        continue;
+                    } else {
+                        return true;
+                    }
+                } else if (postApplyRules && forRevoke) {
+                    return true;
+                }
+            } else {
+                continue;
+            }
+        }
+        return false;
+    }
+
     @DB
     @Override
     public boolean reallocate(VirtualMachineProfile<? extends VMInstanceVO> vm, DataCenterDeployment dest) throws InsufficientCapacityException, ConcurrentOperationException {
diff --git a/server/src/com/cloud/network/NetworkModelImpl.java b/server/src/com/cloud/network/NetworkModelImpl.java
@@ -273,7 +273,7 @@ Set<Purpose> getPublicIpPurposeInRules(PublicIpAddress ip, boolean includeRevoke
     }
 
     @Override
-    public Map<PublicIpAddress, Set<Service>> getIpToServices(List<? extends PublicIpAddress> publicIps, boolean rulesRevoked, boolean includingFirewall) {
+    public Map<PublicIpAddress, Set<Service>> getIpToServices(List<? extends PublicIpAddress> publicIps, boolean postApplyRules, boolean includingFirewall) {
             Map<PublicIpAddress, Set<Service>> ipToServices = new HashMap<PublicIpAddress, Set<Service>>();
     
             if (publicIps != null && !publicIps.isEmpty()) {
@@ -331,7 +331,7 @@ public Map<PublicIpAddress, Set<Service>> getIpToServices(List<? extends PublicI
                             // IP is not being used for any purpose so skip IPAssoc to network service provider
                             continue;
                         } else {
-                            if (rulesRevoked) {
+                            if (postApplyRules) {
                                 // no active rules/revoked rules are associated with this public IP, so remove the
                                 // association with the provider
                                 if (ip.isSourceNat()) {
diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java
@@ -964,7 +964,7 @@ public boolean applyStaticNatsForNetwork(long networkId, boolean continueOnError
         }
 
         try {
-            if (!_networkMgr.applyStaticNats(staticNats, continueOnError)) {
+            if (!_networkMgr.applyStaticNats(staticNats, continueOnError, false)) {
                 return false;
             }
         } catch (ResourceUnavailableException ex) {
@@ -1307,7 +1307,7 @@ protected boolean applyStaticNatForIp(long sourceIpId, boolean continueOnError,
 
         if (staticNats != null && !staticNats.isEmpty()) {
             try {
-                if (!_networkMgr.applyStaticNats(staticNats, continueOnError)) {
+                if (!_networkMgr.applyStaticNats(staticNats, continueOnError, forRevoke)) {
                     return false;
                 }
             } catch (ResourceUnavailableException ex) {
@@ -1334,7 +1334,7 @@ public boolean applyStaticNatForNetwork(long networkId, boolean continueOnError,
                 s_logger.debug("Found " + staticNats.size() + " static nats to disable for network id " + networkId);
             }
             try {
-                if (!_networkMgr.applyStaticNats(staticNats, continueOnError)) {
+                if (!_networkMgr.applyStaticNats(staticNats, continueOnError, forRevoke)) {
                     return false;
                 }
             } catch (ResourceUnavailableException ex) {
diff --git a/server/test/com/cloud/network/MockNetworkManagerImpl.java b/server/test/com/cloud/network/MockNetworkManagerImpl.java
@@ -323,7 +323,7 @@ public String acquireGuestIpAddress(Network network, String requestedIp) {
 
 
     @Override
-    public boolean applyStaticNats(List<? extends StaticNat> staticNats, boolean continueOnError) throws ResourceUnavailableException {
+    public boolean applyStaticNats(List<? extends StaticNat> staticNats, boolean continueOnError, boolean forRevoke) throws ResourceUnavailableException {
         // TODO Auto-generated method stub
         return false;
     }
diff --git a/server/test/com/cloud/vpc/MockNetworkManagerImpl.java b/server/test/com/cloud/vpc/MockNetworkManagerImpl.java
@@ -987,7 +987,7 @@ public String acquireGuestIpAddress(Network network, String requestedIp) {
      * @see com.cloud.network.NetworkManager#applyStaticNats(java.util.List, boolean)
      */
     @Override
-    public boolean applyStaticNats(List<? extends StaticNat> staticNats, boolean continueOnError)
+    public boolean applyStaticNats(List<? extends StaticNat> staticNats, boolean continueOnError, boolean forRevoke)
             throws ResourceUnavailableException {
         // TODO Auto-generated method stub
         return false;

Original file line number	Diff line number	Diff line change
`@@ -964,7 +964,7 @@ public boolean applyStaticNatsForNetwork(long networkId, boolean continueOnError`
`964`	`964`	`}`
`965`	`965`
`966`	`966`	`try {`
`967`		`- if (!_networkMgr.applyStaticNats(staticNats, continueOnError)) {`
	`967`	`+ if (!_networkMgr.applyStaticNats(staticNats, continueOnError, false)) {`
`968`	`968`	`return false;`
`969`	`969`	`}`
`970`	`970`	`} catch (ResourceUnavailableException ex) {`
`@@ -1307,7 +1307,7 @@ protected boolean applyStaticNatForIp(long sourceIpId, boolean continueOnError,`
`1307`	`1307`
`1308`	`1308`	`if (staticNats != null && !staticNats.isEmpty()) {`
`1309`	`1309`	`try {`
`1310`		`- if (!_networkMgr.applyStaticNats(staticNats, continueOnError)) {`
	`1310`	`+ if (!_networkMgr.applyStaticNats(staticNats, continueOnError, forRevoke)) {`
`1311`	`1311`	`return false;`
`1312`	`1312`	`}`
`1313`	`1313`	`} catch (ResourceUnavailableException ex) {`
`@@ -1334,7 +1334,7 @@ public boolean applyStaticNatForNetwork(long networkId, boolean continueOnError,`
`1334`	`1334`	`s_logger.debug("Found " + staticNats.size() + " static nats to disable for network id " + networkId);`
`1335`	`1335`	`}`
`1336`	`1336`	`try {`
`1337`		`- if (!_networkMgr.applyStaticNats(staticNats, continueOnError)) {`
	`1337`	`+ if (!_networkMgr.applyStaticNats(staticNats, continueOnError, forRevoke)) {`
`1338`	`1338`	`return false;`
`1339`	`1339`	`}`
`1340`	`1340`	`} catch (ResourceUnavailableException ex) {`
Original file line number	Diff line number	Diff line change
`@@ -323,7 +323,7 @@ public String acquireGuestIpAddress(Network network, String requestedIp) {`
`323`	`323`
`324`	`324`
`325`	`325`	`@Override`
`326`		`- public boolean applyStaticNats(List<? extends StaticNat> staticNats, boolean continueOnError) throws ResourceUnavailableException {`
	`326`	`+ public boolean applyStaticNats(List<? extends StaticNat> staticNats, boolean continueOnError, boolean forRevoke) throws ResourceUnavailableException {`
`327`	`327`	`// TODO Auto-generated method stub`
`328`	`328`	`return false;`
`329`	`329`	`}`