DaanHoogland commented on code in PR #12487:
URL: https://github.com/apache/cloudstack/pull/12487#discussion_r2742299682
##########
server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java:
##########
@@ -395,6 +399,17 @@ public void detectRulesConflict(FirewallRule newRule)
throws NetworkRuleConflict
assert (rules.size() >= 1);
}
+ NetworkVO newRuleNetwork =
_networkDao.findById(newRule.getNetworkId());
+ if (newRuleNetwork == null) {
+ throw new InvalidParameterValueException("Unable to create
firewall rule as cannot find network by id=" + newRule.getNetworkId());
+ }
+ boolean isNewRuleOnVpcNetwork = newRuleNetwork.getVpcId() != null;
+ boolean isVpcConserveModeEnabled = false;
+ if (isNewRuleOnVpcNetwork) {
+ VpcOfferingVO vpcOffering =
vpcOfferingDao.findById(newRuleNetwork.getVpcId());
+ isVpcConserveModeEnabled = vpcOffering != null &&
vpcOffering.isConserveMode();
+ }
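Review bot: `vpcOfferingDao.findById(newRuleNetwork.getVpcId())` passes the VPC's id to the offering DAO, so `isVpcConserveModeEnabled` is read from whichever offering row shares that numeric id, not from the offering this VPC actually uses. This flag later decides whether the cross-network conflict check is skipped, so load the VPC first and look the offering up by the VPC's own offering id. Also consider logging when `vpcOffering` is null instead of silently treating it as conserve mode off.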
Review Comment:
new method(s)?
##########
server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java:
##########
@@ -443,8 +458,14 @@ public void detectRulesConflict(FirewallRule newRule)
throws NetworkRuleConflict
}
// Checking if the rule applied is to the same network that is
passed in the rule.
- if (rule.getNetworkId() != newRule.getNetworkId() &&
rule.getState() != State.Revoke) {
- throw new NetworkRuleConflictException("New rule is for a
different network than what's specified in rule " + rule.getXid());
+ // (except for VPCs with conserve mode = true)
+ if ((!isNewRuleOnVpcNetwork || !isVpcConserveModeEnabled)
+ && rule.getNetworkId() != newRule.getNetworkId() &&
rule.getState() != State.Revoke) {
+ String errMsg = String.format("New rule is for a different
network than what's specified in rule %s", rule.getXid());
+ if (isNewRuleOnVpcNetwork) {
+ errMsg += String.format(" - VPC id=%s is not using
conserve mode", newRuleNetwork.getVpcId());
+ }
+ throw new NetworkRuleConflictException(errMsg);
}
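Review bot: with conserve mode on, the condition `(!isNewRuleOnVpcNetwork || !isVpcConserveModeEnabled) && rule.getNetworkId() != newRule.getNetworkId()` skips the network-mismatch check for every existing `rule`, without confirming that `rule`'s network belongs to the same VPC as `newRuleNetwork`. Compare the VPC id of the existing rule's network with `newRuleNetwork.getVpcId()` before exempting it, so a rule bound to a network outside this VPC still raises `NetworkRuleConflictException`. Minor: `isVpcConserveModeEnabled` can only be true when `isNewRuleOnVpcNetwork` is true, so the first clause reduces to `!isVpcConserveModeEnabled`.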
Review Comment:
new method