NSX: Add support to re-order ACL rules (NSX FW rules) (#14)

* [WIP] NSX: Add support to re-order ACL rules (NSX FW rules)

* fix reordering of acl rules on all networks that it is associated to

* clean up and attempt test fix

* Fix tests

* Remove unused import

* tweak reorder logic

---------

Co-authored-by: nvazquez <nicovazquez90@gmail.com>

Author: Pearl1594

api/src/main/java/com/cloud/network/element/NetworkACLServiceProvider.java

@@ -21,6 +21,7 @@
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.Network;
 import com.cloud.network.vpc.NetworkACLItem;
+import com.cloud.network.vpc.Vpc;
 
 public interface NetworkACLServiceProvider extends NetworkElement {
 
@@ -32,4 +33,6 @@ public interface NetworkACLServiceProvider extends NetworkElement {
      */
     boolean applyNetworkACLs(Network config, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException;
 
+    boolean reorderAclRules(Vpc vpc, List<? extends Network> networks, List<? extends NetworkACLItem> networkACLItems);
+
 }

engine/components-api/src/main/java/com/cloud/network/vpc/NetworkACLManager.java

@@ -19,6 +19,7 @@
 import java.util.List;
 
 import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.Network;
 import com.cloud.network.dao.NetworkVO;
 
 public interface NetworkACLManager {
@@ -91,4 +92,6 @@ public interface NetworkACLManager {
     boolean revokeACLItemsForPrivateGw(PrivateGateway gateway) throws ResourceUnavailableException;
 
     boolean applyACLToPrivateGw(PrivateGateway gateway) throws ResourceUnavailableException;
+
+    boolean reorderAclRules(VpcVO vpc, List<? extends Network> networks, List<? extends NetworkACLItem> networkACLItems);
 }

plugins/network-elements/bigswitch/src/main/java/com/cloud/network/element/BigSwitchBcfElement.java

@@ -700,6 +700,11 @@ public boolean applyNetworkACLs(Network network,
         return true;
     }
 
+    @Override
+    public boolean reorderAclRules(Vpc vpc, List<? extends Network> networks, List<? extends NetworkACLItem> networkACLItems) {
+        return true;
+    }
+
     @Override
     public boolean applyFWRules(Network network,
             List<? extends FirewallRule> rules)

plugins/network-elements/juniper-contrail/src/main/java/org/apache/cloudstack/network/contrail/management/ContrailVpcElementImpl.java

@@ -185,6 +185,11 @@ public boolean applyNetworkACLs(Network net,
         return true;
     }
 
+    @Override
+    public boolean reorderAclRules(Vpc vpc, List<? extends Network> networks, List<? extends NetworkACLItem> networkACLItems) {
+        return true;
+    }
+
     @Override
     public boolean applyACLItemsToPrivateGw(PrivateGateway privateGateway,
             List<? extends NetworkACLItem> rules)

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxElement.java

@@ -112,7 +112,6 @@
 import javax.naming.ConfigurationException;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Comparator;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
@@ -712,18 +711,7 @@ public boolean applyNetworkACLs(Network network, List<? extends NetworkACLItem>
         boolean success = true;
         for (NetworkACLItem rule : rules) {
             String privatePort = getPrivatePortRangeForACLRule(rule);
-            NsxNetworkRule networkRule = new NsxNetworkRule.Builder()
-                    .setRuleId(rule.getId())
-                    .setSourceCidrList(Objects.nonNull(rule.getSourceCidrList()) ? transformCidrListValues(rule.getSourceCidrList()) : List.of("ANY"))
-                    .setAclAction(transformActionValue(rule.getAction()))
-                    .setTrafficType(rule.getTrafficType().toString())
-                    .setProtocol(rule.getProtocol().toUpperCase())
-                    .setPublicPort(String.valueOf(rule.getSourcePortStart()))
-                    .setPrivatePort(privatePort)
-                    .setIcmpCode(rule.getIcmpCode())
-                    .setIcmpType(rule.getIcmpType())
-                    .setService(Network.Service.NetworkACL)
-                    .build();
+            NsxNetworkRule networkRule = getNsxNetworkRuleForAcl(rule, privatePort);
             if (Arrays.asList(NetworkACLItem.State.Active, NetworkACLItem.State.Add).contains(rule.getState())) {
                 success = success && nsxService.addFirewallRules(network, List.of(networkRule));
             } else if (NetworkACLItem.State.Revoke == rule.getState()) {
@@ -740,9 +728,38 @@ public boolean applyNetworkACLs(Network network, List<? extends NetworkACLItem>
         return success;
     }
 
-    private void reorderRules(List<? extends NetworkACLItem> rules) {
-        rules.sort((Comparator) (r1, r2) -> ((NetworkACLItem) r2).getNumber() - ((NetworkACLItem) r1).getNumber());
+    @Override
+    public boolean reorderAclRules(Vpc vpc, List<? extends Network> networks, List<? extends NetworkACLItem> networkACLItems) {
+        List<NsxNetworkRule> aclRulesList = new ArrayList<>();
+        for (NetworkACLItem rule : networkACLItems) {
+            String privatePort = getPrivatePortRangeForACLRule(rule);
+            aclRulesList.add(getNsxNetworkRuleForAcl(rule, privatePort));
+        }
+        for (Network network: networks) {
+            nsxService.deleteFirewallRules(network, aclRulesList);
+        }
+        boolean success = true;
+        for (Network network : networks) {
+            for (NsxNetworkRule aclRule : aclRulesList) {
+                success = success && nsxService.addFirewallRules(network, List.of(aclRule));
+            }
+        }
+        return success;
+    }
 
+    private NsxNetworkRule getNsxNetworkRuleForAcl(NetworkACLItem rule, String privatePort) {
+        return new NsxNetworkRule.Builder()
+                .setRuleId(rule.getId())
+                .setSourceCidrList(Objects.nonNull(rule.getSourceCidrList()) ? transformCidrListValues(rule.getSourceCidrList()) : List.of("ANY"))
+                .setAclAction(transformActionValue(rule.getAction()))
+                .setTrafficType(rule.getTrafficType().toString())
+                .setProtocol(rule.getProtocol().toUpperCase())
+                .setPublicPort(String.valueOf(rule.getSourcePortStart()))
+                .setPrivatePort(privatePort)
+                .setIcmpCode(rule.getIcmpCode())
+                .setIcmpType(rule.getIcmpType())
+                .setService(Network.Service.NetworkACL)
+                .build();
     }
         @Override
     public boolean applyFWRules(Network network, List<? extends FirewallRule> rules) throws ResourceUnavailableException {

server/src/main/java/com/cloud/network/element/VpcVirtualRouterElement.java

@@ -531,6 +531,11 @@ public boolean applyNetworkACLs(final Network network, final List<? extends Netw
         return result;
     }
 
+    @Override
+    public boolean reorderAclRules(Vpc vpc, List<? extends Network> networks, List<? extends NetworkACLItem> networkACLItems) {
+        return true;
+    }
+
     @Override
     protected Type getVirtualRouterProvider() {
         return Type.VPCVirtualRouter;

server/src/main/java/com/cloud/network/vpc/NetworkACLManagerImpl.java

@@ -370,6 +370,20 @@ public boolean applyACLToPrivateGw(final PrivateGateway gateway) throws Resource
         return applyACLToPrivateGw(gateway, rules);
     }
 
+    @Override
+    public boolean reorderAclRules(VpcVO vpc, List<? extends Network> networks, List<? extends NetworkACLItem> networkACLItems) {
+        List<NetworkACLServiceProvider> nsxElements = new ArrayList<>();
+        nsxElements.add((NetworkACLServiceProvider) _ntwkModel.getElementImplementingProvider(Network.Provider.Nsx.getName()));
+        try {
+            for (final NetworkACLServiceProvider provider : nsxElements) {
+                return provider.reorderAclRules(vpc, networks, networkACLItems);
+            }
+        } catch (final Exception ex) {
+            s_logger.debug("Failed to reorder ACLs on NSX due to: " + ex.getLocalizedMessage());
+        }
+        return false;
+    }
+
     private boolean applyACLToPrivateGw(final PrivateGateway gateway, final List<? extends NetworkACLItem> rules) throws ResourceUnavailableException {
         List<VpcProvider> vpcElements = new ArrayList<VpcProvider>();
         vpcElements.add((VpcProvider)_ntwkModel.getElementImplementingProvider(Network.Provider.VPCVirtualRouter.getName()));

server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java

@@ -993,14 +993,26 @@ public NetworkACLItem moveNetworkAclRuleToNewPosition(MoveNetworkAclItemCmd move
             NetworkACLVO lockedAcl = _networkACLDao.acquireInLockTable(ruleBeingMoved.getAclId());
             List<NetworkACLItemVO> allAclRules = getAllAclRulesSortedByNumber(lockedAcl.getId());
             validateAclConsistency(moveNetworkAclItemCmd, lockedAcl, allAclRules);
-
+            NetworkACLItem networkACLItem = null;
             if (previousRule == null) {
-                return moveRuleToTheTop(ruleBeingMoved, allAclRules);
+                networkACLItem = moveRuleToTheTop(ruleBeingMoved, allAclRules);
+            } else if (nextRule == null) {
+                networkACLItem = moveRuleToTheBottom(ruleBeingMoved, allAclRules);
+            } else {
+                networkACLItem = moveRuleBetweenAclRules(ruleBeingMoved, allAclRules, previousRule, nextRule);
+            }
+            VpcVO vpc = _vpcDao.findById(lockedAcl.getVpcId());
+            if (Objects.isNull(vpc)) {
+                return networkACLItem;
             }
-            if (nextRule == null) {
-                return moveRuleToTheBottom(ruleBeingMoved, allAclRules);
+            final DataCenter dc = _entityMgr.findById(DataCenter.class, vpc.getZoneId());
+            final NsxProviderVO nsxProvider = nsxProviderDao.findByZoneId(dc.getId());
+            List<NetworkVO> networks = _networkDao.listByAclId(lockedAcl.getId());
+            if (Objects.nonNull(nsxProvider) && !networks.isEmpty()) {
+                allAclRules = getAllAclRulesSortedByNumber(lockedAcl.getId());
+                _networkAclMgr.reorderAclRules(vpc, networks, allAclRules);
             }
-            return moveRuleBetweenAclRules(ruleBeingMoved, allAclRules, previousRule, nextRule);
+            return networkACLItem;
         } finally {
             _networkACLDao.releaseFromLockTable(ruleBeingMoved.getAclId());
         }

server/src/test/java/com/cloud/network/vpc/NetworkACLServiceImplTest.java

@@ -34,7 +34,6 @@
 import com.cloud.dc.DataCenter;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.network.dao.NsxProviderDao;
-import com.cloud.network.element.NsxProviderVO;
 import com.cloud.network.vpc.dao.VpcDao;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.ServerApiException;
@@ -138,8 +137,6 @@ public class NetworkACLServiceImplTest {
     private VpcVO vpcVOMock;
     @Mock
     DataCenter dataCenterVO;
-    @Mock
-    NsxProviderVO nsxProviderVO;
 
     @Mock
     private Account accountMock;