Netris FR1b: Support Remote Access VPN and Site-to-Site VPN in VPC VR (#41)

* Static Routes: support nexthop

* Update api/src/main/java/org/apache/cloudstack/api/command/user/vpc/CreateStaticRouteCmd.java

Co-authored-by: Pearl Dsilva <[email protected]>

* PR#10064 VR: apply iptables rules when add/remove static routes

* PR#10065 UI: fix cannot open 'Edit tags' modal for static routes

* PR#10066 Static Routes: fix check on wrong global configuration

* PR#10067 VR: fix site-2-site VPN if split connections is enabled

* PR#10081 server: do not allocate nic on public network for NSX VPC VR

* PR#10082 UI: create VPC network offering with conserve mode

* PR#10083 VR: allow outgoing traffic from RAS/VPN clients

* PR#10086 server: fix typo removeaccessvpn in VirtualRouterElement

* server: Add check on Public IP for remote access VPN

* Revert "PR#10083 VR: allow outgoing traffic from RAS/VPN clients"

This reverts commit 2f9b9f428947cac91de322fbdf4a980902a1c0a0.

* VPC: fetch same used IP for domain router if VR is not Source NAT

* VR: pass has_public_network to VR and configure RA/S2S VPN left peers

* Revert "PR#10081 server: do not allocate nic on public network for NSX VPC VR"

This reverts commit 809e269ed6b361d9df1fcef6537762c5612863e0.

* VPC: fetch same used IP for domain router if VR is not Source NAT (v2)

* VR: fix /etc/hosts and nameservers in dnsmasq.conf if VPC VR is not guest gateway

prior to this PR
```
root@r-1167-VM:~# cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	r-1167-VM
::1	localhost ip6-localhost ip6-loopback
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.21.1.33	dummy-vpc-vpn-001
172.21.1.1	r-1167-VM data-server

root@r-1167-VM:~# cat /etc/dnsmasq.d/cloud.conf
dhcp-hostsfile=/etc/dhcphosts.txt
listen-address=127.0.0.1,172.21.1.234
dhcp-range=set:interface-eth1-0,172.21.1.234,static
dhcp-option=tag:interface-eth1-0,15,cs2cloud.internal
dhcp-option=tag:interface-eth1-0,6,172.21.1.1,10.0.32.1,8.8.8.8
dhcp-option=tag:interface-eth1-0,3,172.21.1.1
dhcp-option=eth1,26,1500
dhcp-option=tag:interface-eth1-0,1,255.255.255.0
```

the lines should be
```
172.21.1.234  r-1167-VM data-server

dhcp-option=tag:interface-eth1-0,6,10.0.32.1,8.8.8.8
```

* server: Enable static NAT for Domain router if it is not Source NAT

* server: Enable static NAT for Domain router on UI

* server: assign Public IP to VPC VR and enable static nat if VR is not Source NAT

* server: configure dns1 if VR is not Source NAT

* server: remove check on Firewall service when list network service providers

* UI: remove dot from message.enabled.vpn

* systemvm: add default route via first guest gateway if VR does not have public IP/interface

* VR: add fw_dhcpserver for shared network

* VR: pass has_public_network to VR and configure RA/S2S VPN left peers (v2)

* UI: fix request error when create a VPC tier in a non-Netris/NSX env

* systemvm: add default route via first guest gateway (v2)

* VR: configure iptables rules for S2S vpn on first guest interface

* VR: allow FORWARD to guest interfaces if VR is not Public

* VR: configure remote access vpn on first guest interface if not public

* VR: fix error 789 in RA VPN client when both RA and S2S are configured

* server: Apply Static Route for RA/S2S VPN in VPC VR

* VR: do not set mark for Public interface when VR is not really public

* VPN: do not disable static nat if it is used by a RA/S2S VPN

* server: skip check on network conserve mode if disable/enable RA VPN on Router IP

* server: set forRouter to false when release a IP

* VR: diable IP spoofing protection on default guest network

* VR: fix iptables rules only when only S2S vpn is enabled

* UI: show 'VPN Connections' section

* VPC: new methods to configure/reconfigure Static NAT for VPC VR

* API: set Type in ip address response to DomainRouter if it is used by VR

* server: do not allow IP release if it is used by RA or S2S VPN gateway

* VR: check if interface is added

* VR: add default route only when ip is associated to first guest interface

* VR: fix ipsec conf for l2tp and s2s vpn

* server: save placeholder IP for VPC VR to fix the new VR IP when vpc tier is auto-shutdown

* server: get non-placeholder NIC for VPC VR

* VR: wait 15 seconds after starting password server

* server: fix unable to configure static nat due to 'invalid virtual machine id'

* UI: fix link of router in info card

* VPC: apply static route for VPC VPN if needed (refactoring)

* server: fix VR IP of first VPC tier is the VM gateway

* server: update or remove all existing static routes when shutdown a network

* server: update ipaddress after disabling static nat to fix vpc deletion issue

* servr: disable remote access VPN as part of VPC dstroy

* server: apply static routes when implement a vpc tier

* server: apply static routes even if next hop is null

* server: fix Cannot invoke "com.cloud.vm.NicProfile.getRequestedIPv4()" because "requested" is null

* Netris: Update Vpn provider to VpcVirtualRouter

* Netris: Add Vpn service to network offerings and networks

* server: fix CIDR of VPN ip range

* server: set isVrGuestGateway by SoureNat/Gateway service with Provider.VPCVirtualRouter

* VR: password server takes 10-15 seconds to start if VR IP is not configured in /etc/hosts

* Netris: add back routesPutBody.setStateStatus

* engine/schema: remove SQL changes in schema-41910to42000.sql

---------

Co-authored-by: Pearl Dsilva <[email protected]>

Author: weizhouapache

api/src/main/java/com/cloud/network/IpAddress.java

@@ -99,4 +99,5 @@ enum Purpose {
 
     boolean isForSystemVms();
 
+    boolean isForRouter();
 }

api/src/main/java/com/cloud/network/Site2SiteVpnConnection.java

@@ -24,7 +24,7 @@
 
 public interface Site2SiteVpnConnection extends ControlledEntity, InternalIdentity, Displayable {
     enum State {
-        Pending, Connecting, Connected, Disconnected, Error,
+        Pending, Connecting, Connected, Disconnected, Error, Removed
     }
 
     @Override

api/src/main/java/com/cloud/network/vpc/StaticRoute.java

@@ -33,7 +33,9 @@ enum State {
     /**
      * @return
      */
-    long getVpcGatewayId();
+    Long getVpcGatewayId();
+
+    String getNextHop();
 
     /**
      * @return

api/src/main/java/com/cloud/network/vpc/StaticRouteProfile.java

@@ -23,7 +23,8 @@ public class StaticRouteProfile implements StaticRoute {
     private String targetCidr;
     private long accountId;
     private long domainId;
-    private long gatewayId;
+    private Long gatewayId;
+    private String nextHop;
     private StaticRoute.State state;
     private long vpcId;
     String vlanTag;
@@ -46,6 +47,18 @@ public StaticRouteProfile(StaticRoute staticRoute, VpcGateway gateway) {
         ipAddress = gateway.getIp4Address();
     }
 
+    public StaticRouteProfile(StaticRoute staticRoute) {
+        id = staticRoute.getId();
+        uuid = staticRoute.getUuid();
+        targetCidr = staticRoute.getCidr();
+        accountId = staticRoute.getAccountId();
+        domainId = staticRoute.getDomainId();
+        gatewayId = staticRoute.getVpcGatewayId();
+        state = staticRoute.getState();
+        vpcId = staticRoute.getVpcId();
+        gateway = staticRoute.getNextHop();
+    }
+
     @Override
     public long getAccountId() {
         return accountId;
@@ -57,10 +70,15 @@ public long getDomainId() {
     }
 
     @Override
-    public long getVpcGatewayId() {
+    public Long getVpcGatewayId() {
         return gatewayId;
     }
 
+    @Override
+    public String getNextHop() {
+        return nextHop;
+    }
+
     @Override
     public String getCidr() {
         return targetCidr;

api/src/main/java/com/cloud/network/vpc/VpcService.java

@@ -238,7 +238,7 @@ Pair<List<? extends Vpc>, Integer> listVpcs(Long id, String vpcName, String disp
      * @param cidr
      * @return
      */
-    StaticRoute createStaticRoute(long gatewayId, String cidr) throws NetworkRuleConflictException;
+    StaticRoute createStaticRoute(Long gatewayId, Long vpcId, String nextHop, String cidr) throws NetworkRuleConflictException;
 
     /**
      * Lists static routes based on parameters passed to the call

api/src/main/java/org/apache/cloudstack/api/ApiConstants.java

@@ -257,6 +257,7 @@ public class ApiConstants {
     public static final String PREVIOUS_OWNER_ID = "previousownerid";
     public static final String PREVIOUS_OWNER_NAME = "previousownername";
     public static final String NEXT_ACL_RULE_ID = "nextaclruleid";
+    public static final String NEXT_HOP = "nexthop";
     public static final String MOVE_ACL_CONSISTENCY_HASH = "aclconsistencyhash";
     public static final String IMAGE_PATH = "imagepath";
     public static final String INSTANCE_CONVERSION_SUPPORTED = "instanceconversionsupported";
@@ -876,6 +877,8 @@ public class ApiConstants {
     public static final String NETWORK = "network";
     public static final String VPC_ID = "vpcid";
     public static final String VPC_NAME = "vpcname";
+    public static final String VPC_GATEWAY_ID = "vpcgatewayid";
+    public static final String VPC_GATEWAY_IP = "vpcgatewayip";
     public static final String GATEWAY_ID = "gatewayid";
     public static final String CAN_USE_FOR_DEPLOY = "canusefordeploy";
     public static final String RESOURCE_IDS = "resourceids";

api/src/main/java/org/apache/cloudstack/api/command/user/vpc/CreateStaticRouteCmd.java

@@ -27,6 +27,7 @@
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.PrivateGatewayResponse;
 import org.apache.cloudstack.api.response.StaticRouteResponse;
+import org.apache.cloudstack.api.response.VpcResponse;
 import org.apache.cloudstack.context.CallContext;
 
 import com.cloud.event.EventTypes;
@@ -45,20 +46,38 @@ public class CreateStaticRouteCmd extends BaseAsyncCreateCmd {
     @Parameter(name = ApiConstants.GATEWAY_ID,
                type = CommandType.UUID,
                entityType = PrivateGatewayResponse.class,
-               required = true,
-               description = "the gateway id we are creating static route for")
+               description = "the gateway id we are creating static route for. Mutually exclusive with the nexthop parameter")
     private Long gatewayId;
 
+    @Parameter(name = ApiConstants.VPC_ID,
+            type = CommandType.UUID,
+            entityType = VpcResponse.class,
+            description = "the vpc id for which the static route is created. This is required for nexthop parameter")
+    private Long vpcId;
+
+    @Parameter(name = ApiConstants.NEXT_HOP,
+            type = CommandType.STRING,
+            description = "the next hop of static route. Mutually exclusive with the gatewayid parameter")
+    private String nextHop;
+
     @Parameter(name = ApiConstants.CIDR, required = true, type = CommandType.STRING, description = "static route cidr")
     private String cidr;
 
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
-    public long getGatewayId() {
+    public Long getGatewayId() {
         return gatewayId;
     }
 
+    public Long getVpcId() {
+        return vpcId;
+    }
+
+    public String getNextHop() {
+        return nextHop;
+    }
+
     public String getCidr() {
         return cidr;
     }
@@ -69,7 +88,7 @@ public String getCidr() {
     @Override
     public void create() throws ResourceAllocationException {
         try {
-            StaticRoute result = _vpcService.createStaticRoute(getGatewayId(), getCidr());
+            StaticRoute result = _vpcService.createStaticRoute(getGatewayId(), getVpcId(), getNextHop(), getCidr());
             setEntityId(result.getId());
             setEntityUuid(result.getUuid());
         } catch (NetworkRuleConflictException ex) {
@@ -114,11 +133,8 @@ public void execute() throws ResourceUnavailableException {
 
     @Override
     public long getEntityOwnerId() {
-        VpcGateway gateway = _entityMgr.findById(VpcGateway.class, gatewayId);
-        if (gateway == null) {
-            throw new InvalidParameterValueException("Invalid gateway id is specified");
-        }
-        return _entityMgr.findById(Vpc.class, gateway.getVpcId()).getAccountId();
+        Long vpcId = getSyncObjId();
+        return _entityMgr.findById(Vpc.class, vpcId).getAccountId();
     }
 
     @Override
@@ -128,11 +144,20 @@ public String getSyncObjType() {
 
     @Override
     public Long getSyncObjId() {
-        VpcGateway gateway = _entityMgr.findById(VpcGateway.class, gatewayId);
-        if (gateway == null) {
-            throw new InvalidParameterValueException("Invalid id is specified for the gateway");
+        if (gatewayId != null) {
+            VpcGateway gateway = _entityMgr.findById(VpcGateway.class, gatewayId);
+            if (gateway == null) {
+                throw new InvalidParameterValueException("Invalid id is specified for the gateway");
+            }
+            return gateway.getVpcId();
+        } else if (vpcId != null) {
+            Vpc vpc = _entityMgr.findById(Vpc.class, vpcId);
+            if (vpc == null) {
+                throw new InvalidParameterValueException("Invalid vpc id is specified");
+            }
+            return vpc.getId();
         }
-        return gateway.getVpcId();
+        throw new InvalidParameterValueException("One of vpcId or gatewayId must be specified");
     }
 
     @Override

api/src/main/java/org/apache/cloudstack/api/response/StaticRouteResponse.java

@@ -42,9 +42,17 @@ public class StaticRouteResponse extends BaseResponse implements ControlledEntit
     @Param(description = "VPC the static route belongs to")
     private String vpcId;
 
-    @SerializedName(ApiConstants.GATEWAY_ID)
+    @SerializedName(ApiConstants.VPC_GATEWAY_ID)
     @Param(description = "VPC gateway the route is created for")
-    private String gatewayId;
+    private String vpcGatewayId;
+
+    @SerializedName(ApiConstants.VPC_GATEWAY_IP)
+    @Param(description = "IP of VPC gateway the route is created for")
+    private String vpcGatewayIp;
+
+    @SerializedName(ApiConstants.NEXT_HOP)
+    @Param(description = "Next hop of the static route")
+    private String nextHop;
 
     @SerializedName(ApiConstants.CIDR)
     @Param(description = "static route CIDR")
@@ -95,8 +103,16 @@ public void setVpcId(String vpcId) {
         this.vpcId = vpcId;
     }
 
-    public void setGatewayId(String gatewayId) {
-        this.gatewayId = gatewayId;
+    public void setVpcGatewayId(String vpcGatewayId) {
+        this.vpcGatewayId = vpcGatewayId;
+    }
+
+    public void setVpcGatewayIp(String vpcGatewayIp) {
+        this.vpcGatewayIp = vpcGatewayIp;
+    }
+
+    public void setNextHop(String nextHop) {
+        this.nextHop = nextHop;
     }
 
     public void setCidr(String cidr) {

engine/components-api/src/main/java/com/cloud/network/addr/PublicIp.java

@@ -275,5 +275,9 @@ public boolean isForSystemVms() {
         return false;
     }
 
+    @Override
+    public boolean isForRouter() {
+        return _addr.isForRouter();
+    }
 
 }

engine/components-api/src/main/java/com/cloud/network/rules/RulesManager.java

@@ -54,6 +54,8 @@ FirewallRule[] reservePorts(IpAddress ip, String protocol, FirewallRule.Purpose
 
     boolean disableStaticNat(long ipAddressId, Account caller, long callerUserId, boolean releaseIpIfElastic) throws ResourceUnavailableException;
 
+    boolean applyStaticNatForIp(long sourceIpId, boolean continueOnError, Account caller, boolean forRevoke);
+
     /**
      * @param networkId
      * @param continueOnError