
Fix private gateway acl on static routes #10262

Merged
merged 4 commits into apache:4.19 from fixup-private-gw-acl
Feb 10, 2025

Conversation

vishesh92
Member

@vishesh92 vishesh92 commented Jan 24, 2025

Description

This PR fixes #9837

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

@vishesh92
Member Author

@blueorangutan package

@vishesh92 vishesh92 linked an issue Jan 24, 2025 that may be closed by this pull request

codecov bot commented Jan 24, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 15.15%. Comparing base (90c960e) to head (77fb01c).
Report is 13 commits behind head on 4.19.

Additional details and impacted files
@@             Coverage Diff              @@
##               4.19   #10262      +/-   ##
============================================
- Coverage     15.16%   15.15%   -0.01%     
- Complexity    11314    11318       +4     
============================================
  Files          5409     5409              
  Lines        474473   474663     +190     
  Branches      57876    57903      +27     
============================================
+ Hits          71947    71952       +5     
- Misses       394482   394666     +184     
- Partials       8044     8045       +1     
Flag Coverage Δ
uitests 4.29% <ø> (ø)
unittests 15.88% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@weizhouapache
Member

@blueorangutan package

@DaanHoogland DaanHoogland added this to the 4.19.2 milestone Jan 24, 2025
@vishesh92
Member Author

@blueorangutan test

@weizhouapache
Member

iptables rules for ingress look good

-A FORWARD -d 10.200.0.0/24 -o eth2 -j ACL_INBOUND_eth2
-A FORWARD -d xx.xx.80.0/24 -o eth2 -j ACL_INBOUND_eth2
-A FORWARD -d xx.xx.81.0/24 -o eth2 -j ACL_INBOUND_eth2

however, the rules for egress seem wrong

-A PREROUTING -s 10.200.0.0/24 ! -d 10.200.0.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A PREROUTING -s 10.200.0.0/24 ! -d xx.xx.80.0/24 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A PREROUTING -s 10.200.0.0/24 ! -d xx.xx.81.0/24 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2

I think it should be like

-A PREROUTING -s 10.200.0.0/24 ! -d 10.200.0.4/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A PREROUTING -s xx.xx.80.0/24 ! -d 10.200.0.4/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A PREROUTING -s xx.xx.81.0/24 ! -d 10.200.0.4/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2

note:
in my testing, the private gateway IP is 10.200.0.4, the gateway is 10.200.0.1

@vishesh92
Member Author

@blueorangutan package

@weizhouapache
Member

@vishesh92
I added a commit to #10268
8d3468e

similar change might be needed

@vishesh92 vishesh92 force-pushed the fixup-private-gw-acl branch from 22462bd to 2fa9d88 Compare February 6, 2025 09:00
@weizhouapache
Member

@blueorangutan package


@weizhouapache
Member

@blueorangutan test

@blueorangutan

[SF] Trillian test result (tid-12347)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 53108 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10262-t12347-kvm-ol8.zip
Smoke tests completed. 131 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_01_secure_vm_migration Error 326.77 test_vm_life_cycle.py
test_02_unsecure_vm_migration Error 3739.89 test_vm_life_cycle.py
test_03_secured_to_nonsecured_vm_migration Error 395.59 test_vm_life_cycle.py
test_04_nonsecured_to_secured_vm_migration Error 350.28 test_vm_life_cycle.py
test_04_deploy_vnf_appliance Error 143.70 test_vnf_templates.py
test_05_delete_vnf_template Error 1.12 test_vnf_templates.py
ContextSuite context=TestVnfTemplates>:teardown Error 2.28 test_vnf_templates.py

@DaanHoogland
Contributor

@blueorangutan package

@blueorangutan

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 12392

@apache apache deleted a comment from blueorangutan Feb 9, 2025
@DaanHoogland
Contributor

@blueorangutan test

@blueorangutan

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian test result (tid-12361)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 46829 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10262-t12361-kvm-ol8.zip
Smoke tests completed. 132 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_04_nonsecured_to_secured_vm_migration Error 393.61 test_vm_life_cycle.py

Contributor

@DaanHoogland DaanHoogland left a comment


tested this in a lab env with two VPCs
10.10.0.0/16 and 10.11.0.0/16
private gateways 10.200.20.1 and 10.200.20.2 connected (as each other's gateway) and tested several ACL list configurations to block/allow TCP/ICMP.

The only noteworthy limitation is that running processes won't get blocked. I do not consider that part of this PR/issue and am not sure if that needs solving, as restart with cleanup would take care of that.
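The following is an added example, not code from this PR or from CloudStack. It models the PREROUTING jump rules that weizhouapache quoted above (the shape observed before the fix, and the corrected shape with one rule per source network and the private gateway IP excluded) and probes them with constructed packets, so the bypass is visible: with the observed rules a packet arriving on eth2 from a static-route network never reaches ACL_OUTBOUND_eth2. The `-m state --state NEW` match is modelled too; that only-new-connections match is my reading of why, as DaanHoogland notes, already-running connections are not blocked (the thread does not say so). The static-route networks are redacted on the page as xx.xx.80.0/24 and xx.xx.81.0/24, so 192.0.2.0/24 and 198.51.100.0/24 stand in for them; the probe destination 10.10.0.5 is likewise a constructed VPC tier address.

```python
"""Model the private-gateway ACL jump rules discussed in this PR thread."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass
class Rule:
    chain: str
    target: str
    src: Optional[IPv4Net] = None
    src_negated: bool = False
    dst: Optional[IPv4Net] = None
    dst_negated: bool = False
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    state: Optional[str] = None  # value of "-m state --state", e.g. "NEW"


@dataclass
class Packet:
    src: IPv4Addr
    dst: IPv4Addr
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    new: bool = True  # False: packet belongs to an already tracked connection


def pkt(src: str, dst: str, in_if: Optional[str] = "eth2", new: bool = True) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), in_if, None, new)


def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables-save syntax used in the quoted rules:
    -A, [!] -s, [!] -d, -i, -o, -m state --state, -j. Anything else raises."""
    tok = line.split()
    fields: Dict[str, object] = {}
    negate = False
    i = 0
    while i < len(tok):
        t = tok[i]
        if t == "!":  # applies to the option that follows
            negate = True
            i += 1
            continue
        if t in ("-A", "-i", "-o", "-j", "--state"):
            key = {"-A": "chain", "-i": "in_if", "-o": "out_if",
                   "-j": "target", "--state": "state"}[t]
            fields[key] = tok[i + 1]
        elif t in ("-s", "-d"):
            key = "src" if t == "-s" else "dst"
            fields[key] = ipaddress.ip_network(tok[i + 1], strict=False)
            fields[key + "_negated"] = negate
        elif t != "-m":  # "-m state" only loads the match module; skip it
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        negate = False
        i += 2
    return Rule(**fields)  # type: ignore[arg-type]


def parse_rules(lines: List[str]) -> List[Rule]:
    return [parse_rule(l) for l in lines if l.strip()]


def _cidr_ok(net: Optional[IPv4Net], negated: bool, addr: IPv4Addr) -> bool:
    return True if net is None else (addr in net) != negated


def matches(rule: Rule, chain: str, p: Packet) -> bool:
    """iptables semantics for the fields modelled: every match must hold."""
    return (rule.chain == chain
            and _cidr_ok(rule.src, rule.src_negated, p.src)
            and _cidr_ok(rule.dst, rule.dst_negated, p.dst)
            and (rule.in_if is None or rule.in_if == p.in_if)
            and (rule.out_if is None or rule.out_if == p.out_if)
            and (rule.state != "NEW" or p.new))


def first_target(rules: List[Rule], chain: str, p: Packet) -> Optional[str]:
    """Target of the first matching rule; None means the packet fell through
    the chain and was never handed to an ACL chain at all."""
    for r in rules:
        if matches(r, chain, p):
            return r.target
    return None


def audit_egress(rule_lines: List[str], source_cidrs: List[str], probe_dst: str,
                 iface: str = "eth2") -> Dict[str, Optional[str]]:
    """Send a NEW probe from the first host of each covered network to probe_dst,
    arriving on iface, and report where PREROUTING sends it (None = bypass)."""
    rules = parse_rules(rule_lines)
    return {cidr: first_target(rules, "PREROUTING",
                               pkt(str(next(ipaddress.ip_network(cidr).hosts())), probe_dst, iface))
            for cidr in source_cidrs}


# Constructed inputs following the shape of the rules quoted in the review.
PRIVATE_GW_NET = "10.200.0.0/24"                 # private gateway subnet, VR IP 10.200.0.4
STATIC_ROUTE_NETS = ["192.0.2.0/24", "198.51.100.0/24"]  # stand-ins for xx.xx.80/81
COVERED_NETS = [PRIVATE_GW_NET] + STATIC_ROUTE_NETS

# As observed before the fix: source fixed, each destination excluded in turn.
OBSERVED_EGRESS = [
    "-A PREROUTING -s 10.200.0.0/24 ! -d 10.200.0.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2",
    "-A PREROUTING -s 10.200.0.0/24 ! -d 192.0.2.0/24 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2",
    "-A PREROUTING -s 10.200.0.0/24 ! -d 198.51.100.0/24 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2",
]
# Corrected shape: one rule per source network, the private gateway IP excluded.
PROPOSED_EGRESS = [
    "-A PREROUTING -s 10.200.0.0/24 ! -d 10.200.0.4/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2",
    "-A PREROUTING -s 192.0.2.0/24 ! -d 10.200.0.4/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2",
    "-A PREROUTING -s 198.51.100.0/24 ! -d 10.200.0.4/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2",
]

if __name__ == "__main__":
    for name, lines in (("observed", OBSERVED_EGRESS), ("proposed", PROPOSED_EGRESS)):
        print(name, audit_egress(lines, COVERED_NETS, "10.10.0.5"))
```

Running it shows the observed rule set sending only 10.200.0.0/24 traffic to ACL_OUTBOUND_eth2 while both static-route networks fall through, and the proposed set covering all three; traffic addressed to the gateway IP itself, or belonging to an existing connection, is not handed to the ACL chain under the proposed rules, which matches the "running processes won't get blocked" observation above until conntrack state is cleared.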

Member

@weizhouapache weizhouapache left a comment


code lgtm

@DaanHoogland DaanHoogland merged commit ae1d7cc into apache:4.19 Feb 10, 2025
25 of 26 checks passed
@DaanHoogland DaanHoogland deleted the fixup-private-gw-acl branch February 10, 2025 17:51
Successfully merging this pull request may close these issues.

private gateway ACL does not apply on the static routes
5 participants