NSX: Fix ACL rule removal on replacement and fix rule order (#11)

Pearl1594 · nvazquez · commit ba77dbd56e20 · 2024-02-03T17:15:05.000-03:00
diff --git a/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxElement.java b/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxElement.java
@@ -112,6 +112,7 @@
 import javax.naming.ConfigurationException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Comparator;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
@@ -706,8 +707,9 @@ public boolean applyNetworkACLs(Network network, List<? extends NetworkACLItem>
         if (!canHandle(network, Network.Service.NetworkACL)) {
             return false;
         }
-        List<NsxNetworkRule> nsxAddNetworkRules = new ArrayList<>();
+
         List<NsxNetworkRule> nsxDelNetworkRules = new ArrayList<>();
+        boolean success = true;
         for (NetworkACLItem rule : rules) {
             String privatePort = getPrivatePortRangeForACLRule(rule);
             NsxNetworkRule networkRule = new NsxNetworkRule.Builder()
@@ -723,22 +725,26 @@ public boolean applyNetworkACLs(Network network, List<? extends NetworkACLItem>
                     .setService(Network.Service.NetworkACL)
                     .build();
             if (Arrays.asList(NetworkACLItem.State.Active, NetworkACLItem.State.Add).contains(rule.getState())) {
-                nsxAddNetworkRules.add(networkRule);
+                success = success && nsxService.addFirewallRules(network, List.of(networkRule));
             } else if (NetworkACLItem.State.Revoke == rule.getState()) {
                 nsxDelNetworkRules.add(networkRule);
             }
         }
-        boolean success = true;
+
         if (!nsxDelNetworkRules.isEmpty()) {
             success = nsxService.deleteFirewallRules(network, nsxDelNetworkRules);
             if (!success) {
                 LOGGER.warn("Not all firewall rules were successfully deleted");
             }
         }
-        return success && nsxService.addFirewallRules(network, nsxAddNetworkRules);
+        return success;
     }
 
-    @Override
+    private void reorderRules(List<? extends NetworkACLItem> rules) {
+        rules.sort((Comparator) (r1, r2) -> ((NetworkACLItem) r2).getNumber() - ((NetworkACLItem) r1).getNumber());
+
+    }
+        @Override
     public boolean applyFWRules(Network network, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
 
         if (!canHandle(network, Network.Service.Firewall)) {
diff --git a/server/src/main/java/com/cloud/network/vpc/NetworkACLManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/NetworkACLManagerImpl.java
@@ -206,6 +206,7 @@ public boolean replaceNetworkACL(final NetworkACL acl, final NetworkVO network)
             final List<NetworkACLItemVO> aclItems = _networkACLItemDao.listByACL(acl.getId());
             if (aclItems == null || aclItems.isEmpty()) {
                 s_logger.debug("New network ACL is empty. Revoke existing rules before applying ACL");
+            } else {
                 if (!revokeACLItemsForNetwork(network.getId())) {
                     throw new CloudRuntimeException("Failed to replace network ACL. Error while removing existing ACL items for network: " + network.getId());
                 }

Original file line number	Diff line number	Diff line change
`@@ -206,6 +206,7 @@ public boolean replaceNetworkACL(final NetworkACL acl, final NetworkVO network)`
`206`	`206`	`final List<NetworkACLItemVO> aclItems = _networkACLItemDao.listByACL(acl.getId());`
`207`	`207`	`if (aclItems == null \|\| aclItems.isEmpty()) {`
`208`	`208`	`s_logger.debug("New network ACL is empty. Revoke existing rules before applying ACL");`
	`209`	`+ } else {`
`209`	`210`	`if (!revokeACLItemsForNetwork(network.getId())) {`
`210`	`211`	`throw new CloudRuntimeException("Failed to replace network ACL. Error while removing existing ACL items for network: " + network.getId());`
`211`	`212`	`}`