[NSX] Add ACL types support (#8224)

* NSX: Create segment group on segment creation

* Add unit tests

* Remove group for segment before removing segment

* Create Distributed Firewall rules

* Remove distributed firewall policy on segment deletion

* Fix policy rule ID and add more unit tests

* Fix DROP action rules and transform tests

* Add new ACL rules

* Fixes

* associate security policies with groups and not to DFW and add deletion of rules

* Fix name convention

---------

Co-authored-by: Pearl Dsilva <pearl1594@gmail.com>

Author: nvazquez

engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java

@@ -1735,8 +1735,7 @@ protected boolean reprogramNetworkRules(final long networkId, final Account call
         }
 
         //apply network ACLs
-        // TODO: remove check for NSX
-        if (!offering.isForNsx() && !_networkACLMgr.applyACLToNetwork(networkId)) {
+        if (!_networkACLMgr.applyACLToNetwork(networkId)) {
             s_logger.warn("Failed to reapply network ACLs as a part of  of network id=" + networkId + " restart");
             success = false;
         }

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/agent/api/CreateNsxDistributedFirewallRulesCommand.java

@@ -0,0 +1,49 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.agent.api;
+
+import org.apache.cloudstack.resource.NsxNetworkRule;
+
+import java.util.List;
+
+public class CreateNsxDistributedFirewallRulesCommand extends NsxCommand {
+
+    private Long vpcId;
+    private long networkId;
+    private List<NsxNetworkRule> rules;
+
+    public CreateNsxDistributedFirewallRulesCommand(long domainId, long accountId, long zoneId,
+                                                    Long vpcId, long networkId,
+                                                    List<NsxNetworkRule> rules) {
+        super(domainId, accountId, zoneId);
+        this.vpcId = vpcId;
+        this.networkId = networkId;
+        this.rules = rules;
+    }
+
+    public Long getVpcId() {
+        return vpcId;
+    }
+
+    public long getNetworkId() {
+        return networkId;
+    }
+
+    public List<NsxNetworkRule> getRules() {
+        return rules;
+    }
+}

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/agent/api/DeletedNsxDistributedFirewallRulesCommand.java

@@ -0,0 +1,28 @@
+
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.agent.api;
+
+import org.apache.cloudstack.resource.NsxNetworkRule;
+
+import java.util.List;
+
+public class DeletedNsxDistributedFirewallRulesCommand extends CreateNsxDistributedFirewallRulesCommand {
+    public DeletedNsxDistributedFirewallRulesCommand(long domainId, long accountId, long zoneId, Long vpcId, long networkId, List<NsxNetworkRule> rules) {
+        super(domainId, accountId, zoneId, vpcId, networkId, rules);
+    }
+}

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxNetworkRule.java

@@ -16,9 +16,16 @@
 // under the License.
 package org.apache.cloudstack.resource;
 
+import com.cloud.network.Network;
+
 import java.util.List;
 
 public class NsxNetworkRule {
+
+    public enum NsxRuleAction {
+        ALLOW, DROP
+    }
+
     private long domainId;
     private long accountId;
     private long zoneId;
@@ -34,6 +41,36 @@ public class NsxNetworkRule {
     private String protocol;
     private String algorithm;
     private List<NsxLoadBalancerMember> memberList;
+    private NsxRuleAction aclAction;
+    private List<String> cidrList;
+    private String trafficType;
+    private Integer icmpCode;
+    private Integer icmpType;
+    private Network.Service service;
+
+    public Integer getIcmpCode() {
+        return icmpCode;
+    }
+
+    public void setIcmpCode(Integer icmpCode) {
+        this.icmpCode = icmpCode;
+    }
+
+    public Integer getIcmpType() {
+        return icmpType;
+    }
+
+    public void setIcmpType(Integer icmpType) {
+        this.icmpType = icmpType;
+    }
+
+    public Network.Service getService() {
+        return service;
+    }
+
+    public void setService(Network.Service service) {
+        this.service = service;
+    }
 
     public long getDomainId() {
         return domainId;
@@ -155,6 +192,30 @@ public void setMemberList(List<NsxLoadBalancerMember> memberList) {
         this.memberList = memberList;
     }
 
+    public NsxRuleAction getAclAction() {
+        return aclAction;
+    }
+
+    public void setAclAction(NsxRuleAction aclAction) {
+        this.aclAction = aclAction;
+    }
+
+    public List<String> getCidrList() {
+        return cidrList;
+    }
+
+    public void setCidrList(List<String> cidrList) {
+        this.cidrList = cidrList;
+    }
+
+    public String getTrafficType() {
+        return trafficType;
+    }
+
+    public void setTrafficType(String trafficType) {
+        this.trafficType = trafficType;
+    }
+
     public static final class Builder {
         private long domainId;
         private long accountId;
@@ -172,6 +233,12 @@ public static final class Builder {
         private String protocol;
         private String algorithm;
         private List<NsxLoadBalancerMember> memberList;
+        private NsxRuleAction aclAction;
+        private List<String> cidrList;
+        private String trafficType;
+        private Integer icmpType;
+        private Integer icmpCode;
+        private Network.Service service;
 
         public Builder() {
         }
@@ -252,6 +319,36 @@ public Builder setMemberList(List<NsxLoadBalancerMember> memberList) {
             return this;
         }
 
+        public Builder setAclAction(NsxRuleAction aclAction) {
+            this.aclAction = aclAction;
+            return this;
+        }
+
+        public Builder setCidrList(List<String> cidrList) {
+            this.cidrList = cidrList;
+            return this;
+        }
+
+        public Builder setTrafficType(String trafficType) {
+            this.trafficType = trafficType;
+            return this;
+        }
+
+        public Builder setIcmpType(Integer icmpType) {
+            this.icmpType = icmpType;
+            return this;
+        }
+
+        public Builder setIcmpCode(Integer icmpCode) {
+            this.icmpCode = icmpCode;
+            return this;
+        }
+
+        public Builder setService(Network.Service service) {
+            this.service = service;
+            return this;
+        }
+
         public NsxNetworkRule build() {
             NsxNetworkRule rule = new NsxNetworkRule();
             rule.setDomainId(this.domainId);
@@ -269,6 +366,12 @@ public NsxNetworkRule build() {
             rule.setRuleId(this.ruleId);
             rule.setAlgorithm(this.algorithm);
             rule.setMemberList(this.memberList);
+            rule.setAclAction(this.aclAction);
+            rule.setCidrList(this.cidrList);
+            rule.setTrafficType(this.trafficType);
+            rule.setIcmpType(this.icmpType);
+            rule.setIcmpCode(this.icmpCode);
+            rule.setService(this.service);
             return rule;
         }
     }

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java

@@ -36,6 +36,7 @@
 import org.apache.cloudstack.NsxAnswer;
 import org.apache.cloudstack.StartupNsxCommand;
 import org.apache.cloudstack.agent.api.CreateNsxDhcpRelayConfigCommand;
+import org.apache.cloudstack.agent.api.CreateNsxDistributedFirewallRulesCommand;
 import org.apache.cloudstack.agent.api.CreateNsxLoadBalancerRuleCommand;
 import org.apache.cloudstack.agent.api.CreateNsxPortForwardRuleCommand;
 import org.apache.cloudstack.agent.api.CreateNsxSegmentCommand;
@@ -46,6 +47,7 @@
 import org.apache.cloudstack.agent.api.DeleteNsxSegmentCommand;
 import org.apache.cloudstack.agent.api.DeleteNsxNatRuleCommand;
 import org.apache.cloudstack.agent.api.DeleteNsxTier1GatewayCommand;
+import org.apache.cloudstack.agent.api.DeletedNsxDistributedFirewallRulesCommand;
 import org.apache.cloudstack.service.NsxApiClient;
 import org.apache.cloudstack.utils.NsxControllerUtils;
 import org.apache.commons.collections.CollectionUtils;
@@ -123,6 +125,10 @@ public Answer executeRequest(Command cmd) {
             return executeRequest((CreateNsxLoadBalancerRuleCommand) cmd);
         } else if (cmd instanceof DeleteNsxLoadBalancerRuleCommand) {
             return executeRequest((DeleteNsxLoadBalancerRuleCommand) cmd);
+        }  else  if (cmd instanceof DeletedNsxDistributedFirewallRulesCommand) {
+            return executeRequest((DeletedNsxDistributedFirewallRulesCommand) cmd);
+        } else if (cmd instanceof CreateNsxDistributedFirewallRulesCommand) {
+            return executeRequest((CreateNsxDistributedFirewallRulesCommand) cmd);
         } else {
             return Answer.createUnsupportedCommandAnswer(cmd);
         }
@@ -353,6 +359,7 @@ private Answer executeRequest(CreateNsxSegmentCommand cmd) {
             String tier1GatewayName = NsxControllerUtils.getTier1GatewayName(cmd.getDomainId(), cmd.getAccountId(),
                     cmd.getZoneId(), networkResourceId, isResourceVpc);
             nsxApiClient.createSegment(segmentName, tier1GatewayName, gatewayAddress, enforcementPointPath, transportZones);
+            nsxApiClient.createGroupForSegment(segmentName);
         } catch (Exception e) {
             LOGGER.error(String.format("Failed to create network: %s", cmd.getNetworkName()));
             return new NsxAnswer(cmd, new CloudRuntimeException(e.getMessage()));
@@ -394,8 +401,8 @@ private NsxAnswer executeRequest(CreateNsxPortForwardRuleCommand cmd) {
                 cmd.getNetworkResourceId(), cmd.isResourceVpc());
         try {
             String privatePort = cmd.getPrivatePort();
-            String service = privatePort.contains("-") ? nsxApiClient.createNsxInfraService(ruleName, privatePort, cmd.getProtocol()) :
-                    nsxApiClient.getNsxInfraServices(ruleName, privatePort, cmd.getProtocol());
+            String service = privatePort.contains("-") ? nsxApiClient.getServicePath(ruleName, privatePort, cmd.getProtocol(), null, null) :
+                    nsxApiClient.getNsxInfraServices(ruleName, privatePort, cmd.getProtocol(), null, null);
 
             nsxApiClient.createPortForwardingRule(ruleName, tier1GatewayName, cmd.getNetworkResourceName(), cmd.getPublicIp(),
                     cmd.getVmIp(), cmd.getPublicPort(), service);
@@ -454,6 +461,32 @@ private NsxAnswer executeRequest(DeleteNsxLoadBalancerRuleCommand cmd) {
         return new NsxAnswer(cmd, true, null);
     }
 
+    private NsxAnswer executeRequest(CreateNsxDistributedFirewallRulesCommand cmd) {
+        String segmentName = NsxControllerUtils.getNsxSegmentId(cmd.getDomainId(), cmd.getAccountId(),
+                cmd.getZoneId(), cmd.getVpcId(), cmd.getNetworkId());
+        List<NsxNetworkRule> rules = cmd.getRules();
+        try {
+            nsxApiClient.createSegmentDistributedFirewall(segmentName, rules);
+        } catch (Exception e) {
+            LOGGER.error(String.format("Failed to create NSX distributed firewall %s: %s", segmentName, e.getMessage()), e);
+            return new NsxAnswer(cmd, new CloudRuntimeException(e.getMessage()));
+        }
+        return new NsxAnswer(cmd, true, null);
+    }
+
+    private NsxAnswer executeRequest(DeletedNsxDistributedFirewallRulesCommand cmd) {
+        String segmentName = NsxControllerUtils.getNsxSegmentId(cmd.getDomainId(), cmd.getAccountId(),
+                cmd.getZoneId(), cmd.getVpcId(), cmd.getNetworkId());
+        List<NsxNetworkRule> rules = cmd.getRules();
+        try {
+            nsxApiClient.deleteDistributedFirewallRules(segmentName, rules);
+        } catch (Exception e) {
+            LOGGER.error(String.format("Failed to create NSX distributed firewall %s: %s", segmentName, e.getMessage()), e);
+            return new NsxAnswer(cmd, new CloudRuntimeException(e.getMessage()));
+        }
+        return new NsxAnswer(cmd, true, null);
+    }
+
     @Override
     public boolean start() {
         return true;