Soft delete port forwarding, load balancing and firewall rules by bernardodemarco · Pull Request #13015 · apache/cloudstack · GitHub
Skip to content

Soft delete port forwarding, load balancing and firewall rules#13015

Draft
bernardodemarco wants to merge 1 commit intoapache:mainfrom
scclouds:soft-delete-pf-lb-and-fw-rules
Draft

Soft delete port forwarding, load balancing and firewall rules#13015
bernardodemarco wants to merge 1 commit intoapache:mainfrom
scclouds:soft-delete-pf-lb-and-fw-rules

Conversation

@bernardodemarco
Copy link
Copy Markdown
Member

@bernardodemarco bernardodemarco commented Apr 13, 2026

Description

Currently, when port forwarding, load balancing and firewall rules are removed, their records are permanently deleted from the database. This makes it impossible to track and audit previously applied rules after their removal.

Therefore, this PR proposes to, instead of deleting the records associated with such network rules, only marking them as removed. To achieve that, a removed column has been added to the tables that store the rules metadata, allowing to track the exact date and time when a rule was removed.

Maintaining these records is essential for auditing and traceability purposes. It ensures that historical network configurations remain accessible for cloud administrators/operators, enabling proper investigation, compliance verification and analysis of past behavior, even after rules are no longer active.

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Screenshots (if appropriate):

How Has This Been Tested?

Egress rules (ER)

  1. I added an ER and verified that connectivity to the outside world was successfully established.
  2. I deleted and reintroduced the same ER and verified that connectivity to the outside world was successfully established.
  3. I added an ER allowing outbound TCP traffic for a specific port range and CIDR, and verified that connectivity to the outside world was successfully established.
  4. I restarted the guest network with clean up and verified that the ER continued to be applied successfully.
  5. I performed a live patch on the VR and verified that the ER continued to be applied successfully.
  6. I deleted the network and verified that all egress rules were marked as deleted in the DB.
Records persisted in the database after the tests 
MariaDB [cloud]> SELECT * FROM firewall_rules fw LEFT JOIN firewall_rules_cidrs fw_cidr ON fw.id = fw_cidr.firewall_rule_id LEFT JOIN firewall_rules_dcidrs fw_d_cidr ON fw.id = fw_d_cidr.firewall_rule_id\G
*************************** 1. row ***************************
              id: 1
            uuid: 969cd29e-ca98-46bb-ac43-633283cc9b58
   ip_address_id: NULL
      start_port: NULL
        end_port: NULL
           state: Revoke
        protocol: tcp
         purpose: Firewall
      account_id: 2
       domain_id: 1
      network_id: 205
             xid: 25bde535-5550-457c-98c1-f8e283c6c84e
         created: 2026-04-13 19:11:14
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: Egress
         display: 1
         removed: 2026-04-13 19:12:54
              id: 1
firewall_rule_id: 1
     source_cidr: 10.1.1.0/24
              id: NULL
firewall_rule_id: NULL
destination_cidr: NULL
*************************** 2. row ***************************
              id: 2
            uuid: 03448b4d-4e79-40f6-b8ef-d95cb879ec7e
   ip_address_id: 6
      start_port: NULL
        end_port: NULL
           state: Revoke
        protocol: tcp
         purpose: Firewall
      account_id: 2
       domain_id: 1
      network_id: 205
             xid: 2402345a-df09-4885-b6ba-79996f8c5c70
         created: 2026-04-13 19:12:12
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: Ingress
         display: 1
         removed: 2026-04-13 19:16:54
              id: 2
firewall_rule_id: 2
     source_cidr: 0.0.0.0/0
              id: NULL
firewall_rule_id: NULL
destination_cidr: NULL
*************************** 3. row ***************************
              id: 3
            uuid: 06a589af-1b76-4f55-9e7a-aeb3e4edad88
   ip_address_id: NULL
      start_port: NULL
        end_port: NULL
           state: Revoke
        protocol: all
         purpose: Firewall
      account_id: 2
       domain_id: 1
      network_id: 205
             xid: 23ec2ac4-73ef-4b73-a02b-a836b0221a87
         created: 2026-04-13 19:12:58
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: Egress
         display: 1
         removed: 2026-04-13 19:13:05
              id: 3
firewall_rule_id: 3
     source_cidr: 10.1.1.0/24
              id: NULL
firewall_rule_id: NULL
destination_cidr: NULL
*************************** 4. row ***************************
              id: 4
            uuid: 8ef1e486-1a0a-4862-80d1-eb766f75cfeb
   ip_address_id: NULL
      start_port: NULL
        end_port: NULL
           state: Revoke
        protocol: all
         purpose: Firewall
      account_id: 2
       domain_id: 1
      network_id: 205
             xid: d164f1d8-c5d2-4aa1-84a6-ec9f20ae6687
         created: 2026-04-13 19:13:25
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: Egress
         display: 1
         removed: 2026-04-13 19:13:49
              id: 4
firewall_rule_id: 4
     source_cidr: 10.1.1.0/24
              id: NULL
firewall_rule_id: NULL
destination_cidr: NULL
*************************** 5. row ***************************
              id: 5
            uuid: 37826bb2-b845-4208-a86f-2c0098e82570
   ip_address_id: NULL
      start_port: 22
        end_port: 22
           state: Revoke
        protocol: tcp
         purpose: Firewall
      account_id: 2
       domain_id: 1
      network_id: 205
             xid: bd2ee1c8-5c88-4170-bc6c-e7903ae7a170
         created: 2026-04-13 19:14:03
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: Egress
         display: 1
         removed: 2026-04-13 19:14:25
              id: NULL
firewall_rule_id: NULL
     source_cidr: NULL
              id: 1
firewall_rule_id: 5
destination_cidr: 192.168.122.0/24
*************************** 6. row ***************************
              id: 6
            uuid: a8ce6b28-5d3d-4b61-9e60-ba21c916df1e
   ip_address_id: NULL
      start_port: NULL
        end_port: NULL
           state: Revoke
        protocol: all
         purpose: Firewall
      account_id: 2
       domain_id: 1
      network_id: 205
             xid: ecdd0ffd-71a2-4c10-b2cc-a7f2b53261df
         created: 2026-04-13 19:15:09
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: Egress
         display: 1
         removed: 2026-04-13 19:17:15
              id: 5
firewall_rule_id: 6
     source_cidr: 10.1.1.0/24
              id: NULL
firewall_rule_id: NULL
destination_cidr: NULL
6 rows in set (0.000 sec)

Firewall (FW)

  1. I added an FW rule allowing inbound TCP traffic from any source and verified its behavior.
  2. I deleted and reintroduced the same FW rule and verified its behavior.
  3. I deleted the previous rule and introduced a new one with a specific source CIDR and port range, and validated its behavior.
  4. I restarted the guest network with clean up and verified that the FW rule behavior remained consistent.
  5. I performed a live patch on the VR and verified that the FW rule behavior remained consistent.
  6. I deleted the network and verified that all egress rules were marked as deleted in the DB.
Records persisted in the database after the tests 
MariaDB [cloud]> SELECT * FROM firewall_rules fw LEFT JOIN firewall_rules_cidrs fw_cidr     ON fw.id = fw_cidr.firewall_rule_id LEFT JOIN firewall_rules_dcidrs fw_d_cidr ON fw.id = fw_d_cidr.firewall_rule_id WHERE fw.purpose = 'Firewall' AND fw.traffic_type = 'Ingress'\G
*************************** 1. row ***************************
              id: 2
            uuid: 03448b4d-4e79-40f6-b8ef-d95cb879ec7e
   ip_address_id: 6
      start_port: NULL
        end_port: NULL
           state: Revoke
        protocol: tcp
         purpose: Firewall
      account_id: 2
       domain_id: 1
      network_id: 205
             xid: 2402345a-df09-4885-b6ba-79996f8c5c70
         created: 2026-04-13 19:12:12
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: Ingress
         display: 1
         removed: 2026-04-13 19:16:54
              id: 2
firewall_rule_id: 2
     source_cidr: 0.0.0.0/0
              id: NULL
firewall_rule_id: NULL
destination_cidr: NULL
*************************** 2. row ***************************
              id: 7
            uuid: 424797c4-5931-4bc1-8ae6-cf7140f84098
   ip_address_id: 3
      start_port: NULL
        end_port: NULL
           state: Revoke
        protocol: tcp
         purpose: Firewall
      account_id: 2
       domain_id: 1
      network_id: 206
             xid: e9037cad-4dd1-4733-94c4-ff990cbaebc5
         created: 2026-04-13 19:20:10
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: Ingress
         display: 1
         removed: 2026-04-13 19:20:55
              id: 6
firewall_rule_id: 7
     source_cidr: 0.0.0.0/0
              id: NULL
firewall_rule_id: NULL
destination_cidr: NULL
*************************** 3. row ***************************
              id: 9
            uuid: 4623d80d-9562-4fea-8330-5bfaed436cc5
   ip_address_id: 3
      start_port: 22
        end_port: 22
           state: Revoke
        protocol: tcp
         purpose: Firewall
      account_id: 2
       domain_id: 1
      network_id: 206
             xid: 04a471f3-04d4-48e3-9d62-e380eee41f31
         created: 2026-04-13 19:21:10
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: Ingress
         display: 1
         removed: 2026-04-13 19:34:53
              id: 7
firewall_rule_id: 9
     source_cidr: 0.0.0.0/0
              id: NULL
firewall_rule_id: NULL
destination_cidr: NULL
3 rows in set (0.001 sec)

Port forwarding (PF)

  1. I added PF rules and validated their behavior.
  2. I deleted and reintroduced the rules and validated their behavior.
  3. I restarted the guest network with clean up and validated that the PF rules continued to work correctly.
  4. I performed a live patch on the VR and validated that the PF rules continued to work correctly.
  5. I verified that conflicting PF rules were properly validated.
  6. I deleted the network and verified that all egress rules were marked as deleted in the DB.
Records persisted in the database after the tests 
MariaDB [cloud]> SELECT *     FROM firewall_rules fw     JOIN port_forwarding_rules pf         ON fw.id = pf.id     LEFT JOIN
firewall_rules_cidrs fw_cidr         ON fw.id = fw_cidr.firewall_rule_id     LEFT JOIN firewall_rules_dcidrs fw_d_cidr
 ON fw.id = fw_d_cidr.firewall_rule_id\G
*************************** 1. row ***************************
              id: 8
            uuid: df083b12-3936-41a3-8a26-eeb7dfb76b73
   ip_address_id: 3
      start_port: 22
        end_port: 22
           state: Revoke
        protocol: tcp
         purpose: PortForwarding
      account_id: 2
       domain_id: 1
      network_id: 206
             xid: b40c4908-e850-4ece-86f9-b2279a2d4fd9
         created: 2026-04-13 19:20:34
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: NULL
         display: 1
         removed: 2026-04-13 19:34:36
              id: 8
     instance_id: 34
 dest_ip_address: 10.1.1.201
 dest_port_start: 22
   dest_port_end: 22
              id: NULL
firewall_rule_id: NULL
     source_cidr: NULL
              id: NULL
firewall_rule_id: NULL
destination_cidr: NULL
*************************** 2. row ***************************
              id: 12
            uuid: fd063651-9b8e-4ff3-b9b8-20506757ea5f
   ip_address_id: 3
      start_port: 22
        end_port: 22
           state: Revoke
        protocol: tcp
         purpose: PortForwarding
      account_id: 2
       domain_id: 1
      network_id: 207
             xid: 9e5a3b48-78fe-4f19-8b79-299edbe160bd
         created: 2026-04-13 19:36:55
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: NULL
         display: 1
         removed: 2026-04-13 19:40:47
              id: 12
     instance_id: 36
 dest_ip_address: 10.1.1.243
 dest_port_start: 22
   dest_port_end: 22
              id: NULL
firewall_rule_id: NULL
     source_cidr: NULL
              id: NULL
firewall_rule_id: NULL
destination_cidr: NULL
*************************** 3. row ***************************
              id: 13
            uuid: 32b54eee-7b4c-40cf-8afa-771d1b0c0579
   ip_address_id: 3
      start_port: 2222
        end_port: 2222
           state: Revoke
        protocol: tcp
         purpose: PortForwarding
      account_id: 2
       domain_id: 1
      network_id: 207
             xid: 79359742-80a3-4b4f-858b-73a38f30f70d
         created: 2026-04-13 19:38:18
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: NULL
         display: 1
         removed: 2026-04-13 19:38:48
              id: 13
     instance_id: 36
 dest_ip_address: 10.1.1.243
 dest_port_start: 22
   dest_port_end: 22
              id: NULL
firewall_rule_id: NULL
     source_cidr: NULL
              id: NULL
firewall_rule_id: NULL
destination_cidr: NULL
*************************** 4. row ***************************
              id: 14
            uuid: 00ab94f5-a3b6-46d9-9f4d-809ba0fe1316
   ip_address_id: 3
      start_port: 2222
        end_port: 2222
           state: Revoke
        protocol: tcp
         purpose: PortForwarding
      account_id: 2
       domain_id: 1
      network_id: 207
             xid: d8d3ddd6-1af9-4fd7-98bb-638fb64c05d7
         created: 2026-04-13 19:38:58
       icmp_code: NULL
       icmp_type: NULL
         related: NULL
            type: User
          vpc_id: NULL
    traffic_type: NULL
         display: 1
         removed: 2026-04-13 19:41:18
              id: 14
     instance_id: 36
 dest_ip_address: 10.1.1.243
 dest_port_start: 22
   dest_port_end: 22
              id: NULL
firewall_rule_id: NULL
     source_cidr: NULL
              id: NULL
firewall_rule_id: NULL
destination_cidr: NULL
4 rows in set (0.001 sec)

Public Load balancing (LB)

  1. I created a public LB rule and validated its behavior.
  2. I added a stickiness method.
  3. I removed a VM from the LB and validated its behavior.
  4. I reintroduced the VM into the LB and validated its behavior.
  5. I removed the VM again and validated its behavior.
  6. I deleted and reintroduced the stickiness method.
  7. I deleted the LB rule and verified that the VM mappings and stickiness methods were successfully removed.
Records persisted in the database after the tests 
MariaDB [cloud]> SELECT *
    -> FROM firewall_rules fw
    -> JOIN load_balancing_rules lb
    ->     ON fw.id = lb.id
    -> LEFT JOIN firewall_rules_cidrs fw_cidr
    ->     ON fw.id = fw_cidr.firewall_rule_id
    -> LEFT JOIN firewall_rules_dcidrs fw_d_cidr
    ->     ON fw.id = fw_d_cidr.firewall_rule_id
    -> LEFT JOIN load_balancer_vm_map lb_vm_map
    ->     ON fw.id = lb_vm_map.load_balancer_id
    -> LEFT JOIN load_balancer_stickiness_policies lb_stickiness_map
    ->     ON fw.id = lb_stickiness_map.load_balancer_id
    -> \G
*************************** 1. row ***************************
                          id: 15
                        uuid: 8d950836-cada-4ce9-9643-eff0adeaeaaa
               ip_address_id: 3
                  start_port: 22
                    end_port: 22
                       state: Add
                    protocol: tcp
                     purpose: LoadBalancing
                  account_id: 2
                   domain_id: 1
                  network_id: 208
                         xid: 0a6aaf01-daa7-4b9d-b566-2741ec06e2c8
                     created: 2026-04-13 19:44:27
                   icmp_code: NULL
                   icmp_type: NULL
                     related: NULL
                        type: User
                      vpc_id: NULL
                traffic_type: NULL
                     display: 1
                     removed: 2026-04-13 20:16:09
                          id: 15
                        name: lb
                 description: NULL
          default_port_start: 22
            default_port_end: 22
                   algorithm: roundrobin
           source_ip_address: NULL
source_ip_address_network_id: NULL
                      scheme: Public
                 lb_protocol: tcp
                   cidr_list: 
                          id: NULL
            firewall_rule_id: NULL
                 source_cidr: NULL
                          id: NULL
            firewall_rule_id: NULL
            destination_cidr: NULL
                          id: 2
            load_balancer_id: 15
                 instance_id: 40
                      revoke: 1
                       state: NULL
                 instance_ip: 10.1.1.202
                     removed: 2026-04-13 20:16:09
                          id: 1
                        uuid: ebf6d3aa-32ea-4914-bc23-ec1c0aa8ca6f
            load_balancer_id: 15
                        name: name
                 description: NULL
                 method_name: LbCookie
                      params: 
                      revoke: 1
                     display: 1
                     removed: 2026-04-13 19:51:25
*************************** 2. row ***************************
                          id: 15
                        uuid: 8d950836-cada-4ce9-9643-eff0adeaeaaa
               ip_address_id: 3
                  start_port: 22
                    end_port: 22
                       state: Add
                    protocol: tcp
                     purpose: LoadBalancing
                  account_id: 2
                   domain_id: 1
                  network_id: 208
                         xid: 0a6aaf01-daa7-4b9d-b566-2741ec06e2c8
                     created: 2026-04-13 19:44:27
                   icmp_code: NULL
                   icmp_type: NULL
                     related: NULL
                        type: User
                      vpc_id: NULL
                traffic_type: NULL
                     display: 1
                     removed: 2026-04-13 20:16:09
                          id: 15
                        name: lb
                 description: NULL
          default_port_start: 22
            default_port_end: 22
                   algorithm: roundrobin
           source_ip_address: NULL
source_ip_address_network_id: NULL
                      scheme: Public
                 lb_protocol: tcp
                   cidr_list: 
                          id: NULL
            firewall_rule_id: NULL
                 source_cidr: NULL
                          id: NULL
            firewall_rule_id: NULL
            destination_cidr: NULL
                          id: 3
            load_balancer_id: 15
                 instance_id: 38
                      revoke: 1
                       state: NULL
                 instance_ip: 10.1.1.145
                     removed: 2026-04-13 20:16:09
                          id: 1
                        uuid: ebf6d3aa-32ea-4914-bc23-ec1c0aa8ca6f
            load_balancer_id: 15
                        name: name
                 description: NULL
                 method_name: LbCookie
                      params: 
                      revoke: 1
                     display: 1
                     removed: 2026-04-13 19:51:25
*************************** 3. row ***************************
                          id: 18
                        uuid: d781daff-75e2-46c7-ad95-3fbfb012f27b
               ip_address_id: 3
                  start_port: 22
                    end_port: 22
                       state: Add
                    protocol: tcp
                     purpose: LoadBalancing
                  account_id: 2
                   domain_id: 1
                  network_id: 209
                         xid: 9ca1c4c7-6304-4647-bae4-b2eabf9036f9
                     created: 2026-04-13 20:20:19
                   icmp_code: NULL
                   icmp_type: NULL
                     related: NULL
                        type: User
                      vpc_id: NULL
                traffic_type: NULL
                     display: 1
                     removed: 2026-04-13 20:23:53
                          id: 18
                        name: lb
                 description: NULL
          default_port_start: 22
            default_port_end: 22
                   algorithm: roundrobin
           source_ip_address: NULL
source_ip_address_network_id: NULL
                      scheme: Public
                 lb_protocol: tcp
                   cidr_list: 
                          id: NULL
            firewall_rule_id: NULL
                 source_cidr: NULL
                          id: NULL
            firewall_rule_id: NULL
            destination_cidr: NULL
                          id: 4
            load_balancer_id: 18
                 instance_id: 43
                      revoke: 1
                       state: NULL
                 instance_ip: 10.1.1.128
                     removed: 2026-04-13 20:22:10
                          id: 2
                        uuid: 90e03462-6674-4833-9256-85d8d31fd3de
            load_balancer_id: 18
                        name: sourcebased
                 description: NULL
                 method_name: SourceBased
                      params: 
                      revoke: 1
                     display: 1
                     removed: 2026-04-13 20:22:55
*************************** 4. row ***************************
                          id: 18
                        uuid: d781daff-75e2-46c7-ad95-3fbfb012f27b
               ip_address_id: 3
                  start_port: 22
                    end_port: 22
                       state: Add
                    protocol: tcp
                     purpose: LoadBalancing
                  account_id: 2
                   domain_id: 1
                  network_id: 209
                         xid: 9ca1c4c7-6304-4647-bae4-b2eabf9036f9
                     created: 2026-04-13 20:20:19
                   icmp_code: NULL
                   icmp_type: NULL
                     related: NULL
                        type: User
                      vpc_id: NULL
                traffic_type: NULL
                     display: 1
                     removed: 2026-04-13 20:23:53
                          id: 18
                        name: lb
                 description: NULL
          default_port_start: 22
            default_port_end: 22
                   algorithm: roundrobin
           source_ip_address: NULL
source_ip_address_network_id: NULL
                      scheme: Public
                 lb_protocol: tcp
                   cidr_list: 
                          id: NULL
            firewall_rule_id: NULL
                 source_cidr: NULL
                          id: NULL
            firewall_rule_id: NULL
            destination_cidr: NULL
                          id: 5
            load_balancer_id: 18
                 instance_id: 41
                      revoke: 1
                       state: NULL
                 instance_ip: 10.1.1.125
                     removed: 2026-04-13 20:23:53
                          id: 2
                        uuid: 90e03462-6674-4833-9256-85d8d31fd3de
            load_balancer_id: 18
                        name: sourcebased
                 description: NULL
                 method_name: SourceBased
                      params: 
                      revoke: 1
                     display: 1
                     removed: 2026-04-13 20:22:55
*************************** 5. row ***************************
                          id: 18
                        uuid: d781daff-75e2-46c7-ad95-3fbfb012f27b
               ip_address_id: 3
                  start_port: 22
                    end_port: 22
                       state: Add
                    protocol: tcp
                     purpose: LoadBalancing
                  account_id: 2
                   domain_id: 1
                  network_id: 209
                         xid: 9ca1c4c7-6304-4647-bae4-b2eabf9036f9
                     created: 2026-04-13 20:20:19
                   icmp_code: NULL
                   icmp_type: NULL
                     related: NULL
                        type: User
                      vpc_id: NULL
                traffic_type: NULL
                     display: 1
                     removed: 2026-04-13 20:23:53
                          id: 18
                        name: lb
                 description: NULL
          default_port_start: 22
            default_port_end: 22
                   algorithm: roundrobin
           source_ip_address: NULL
source_ip_address_network_id: NULL
                      scheme: Public
                 lb_protocol: tcp
                   cidr_list: 
                          id: NULL
            firewall_rule_id: NULL
                 source_cidr: NULL
                          id: NULL
            firewall_rule_id: NULL
            destination_cidr: NULL
                          id: 6
            load_balancer_id: 18
                 instance_id: 43
                      revoke: 1
                       state: NULL
                 instance_ip: 10.1.1.128
                     removed: 2026-04-13 20:22:28
                          id: 2
                        uuid: 90e03462-6674-4833-9256-85d8d31fd3de
            load_balancer_id: 18
                        name: sourcebased
                 description: NULL
                 method_name: SourceBased
                      params: 
                      revoke: 1
                     display: 1
                     removed: 2026-04-13 20:22:55
*************************** 6. row ***************************
                          id: 18
                        uuid: d781daff-75e2-46c7-ad95-3fbfb012f27b
               ip_address_id: 3
                  start_port: 22
                    end_port: 22
                       state: Add
                    protocol: tcp
                     purpose: LoadBalancing
                  account_id: 2
                   domain_id: 1
                  network_id: 209
                         xid: 9ca1c4c7-6304-4647-bae4-b2eabf9036f9
                     created: 2026-04-13 20:20:19
                   icmp_code: NULL
                   icmp_type: NULL
                     related: NULL
                        type: User
                      vpc_id: NULL
                traffic_type: NULL
                     display: 1
                     removed: 2026-04-13 20:23:53
                          id: 18
                        name: lb
                 description: NULL
          default_port_start: 22
            default_port_end: 22
                   algorithm: roundrobin
           source_ip_address: NULL
source_ip_address_network_id: NULL
                      scheme: Public
                 lb_protocol: tcp
                   cidr_list: 
                          id: NULL
            firewall_rule_id: NULL
                 source_cidr: NULL
                          id: NULL
            firewall_rule_id: NULL
            destination_cidr: NULL
                          id: 4
            load_balancer_id: 18
                 instance_id: 43
                      revoke: 1
                       state: NULL
                 instance_ip: 10.1.1.128
                     removed: 2026-04-13 20:22:10
                          id: 3
                        uuid: ebfc3019-e0b3-4663-b203-aee760e63853
            load_balancer_id: 18
                        name: sourcebased
                 description: NULL
                 method_name: SourceBased
                      params: 
                      revoke: 1
                     display: 1
                     removed: 2026-04-13 20:23:53
*************************** 7. row ***************************
                          id: 18
                        uuid: d781daff-75e2-46c7-ad95-3fbfb012f27b
               ip_address_id: 3
                  start_port: 22
                    end_port: 22
                       state: Add
                    protocol: tcp
                     purpose: LoadBalancing
                  account_id: 2
                   domain_id: 1
                  network_id: 209
                         xid: 9ca1c4c7-6304-4647-bae4-b2eabf9036f9
                     created: 2026-04-13 20:20:19
                   icmp_code: NULL
                   icmp_type: NULL
                     related: NULL
                        type: User
                      vpc_id: NULL
                traffic_type: NULL
                     display: 1
                     removed: 2026-04-13 20:23:53
                          id: 18
                        name: lb
                 description: NULL
          default_port_start: 22
            default_port_end: 22
                   algorithm: roundrobin
           source_ip_address: NULL
source_ip_address_network_id: NULL
                      scheme: Public
                 lb_protocol: tcp
                   cidr_list: 
                          id: NULL
            firewall_rule_id: NULL
                 source_cidr: NULL
                          id: NULL
            firewall_rule_id: NULL
            destination_cidr: NULL
                          id: 5
            load_balancer_id: 18
                 instance_id: 41
                      revoke: 1
                       state: NULL
                 instance_ip: 10.1.1.125
                     removed: 2026-04-13 20:23:53
                          id: 3
                        uuid: ebfc3019-e0b3-4663-b203-aee760e63853
            load_balancer_id: 18
                        name: sourcebased
                 description: NULL
                 method_name: SourceBased
                      params: 
                      revoke: 1
                     display: 1
                     removed: 2026-04-13 20:23:53
*************************** 8. row ***************************
                          id: 18
                        uuid: d781daff-75e2-46c7-ad95-3fbfb012f27b
               ip_address_id: 3
                  start_port: 22
                    end_port: 22
                       state: Add
                    protocol: tcp
                     purpose: LoadBalancing
                  account_id: 2
                   domain_id: 1
                  network_id: 209
                         xid: 9ca1c4c7-6304-4647-bae4-b2eabf9036f9
                     created: 2026-04-13 20:20:19
                   icmp_code: NULL
                   icmp_type: NULL
                     related: NULL
                        type: User
                      vpc_id: NULL
                traffic_type: NULL
                     display: 1
                     removed: 2026-04-13 20:23:53
                          id: 18
                        name: lb
                 description: NULL
          default_port_start: 22
            default_port_end: 22
                   algorithm: roundrobin
           source_ip_address: NULL
source_ip_address_network_id: NULL
                      scheme: Public
                 lb_protocol: tcp
                   cidr_list: 
                          id: NULL
            firewall_rule_id: NULL
                 source_cidr: NULL
                          id: NULL
            firewall_rule_id: NULL
            destination_cidr: NULL
                          id: 6
            load_balancer_id: 18
                 instance_id: 43
                      revoke: 1
                       state: NULL
                 instance_ip: 10.1.1.128
                     removed: 2026-04-13 20:22:28
                          id: 3
                        uuid: ebfc3019-e0b3-4663-b203-aee760e63853
            load_balancer_id: 18
                        name: sourcebased
                 description: NULL
                 method_name: SourceBased
                      params: 
                      revoke: 1
                     display: 1
                     removed: 2026-04-13 20:23:53
8 rows in set (0.001 sec)

Internal Load balancing (LB)

  1. I created an internal LB rule and verified its behavior.
  2. I deleted the internal LB rule and verified that the database records were marked as removed.
  3. I reintroduced the internal LB rule and verified its behavior.
  4. I deleted the VM participating in the internal LB and reintroduced it, and verified its behavior.
  5. I deleted the user VMs that were part of the tier, deleted the tier, and verified that the database records were marked as removed, as expected.
Records persisted in the database after the tests 
SELECT * FROM firewall_rules fw JOIN load_balancing_rules lb     ON fw.id = lb.id LEFT JOIN firewall_rules_cidrs fw_cidr     ON fw.id = fw_cidr.firewall_rule_id LEFT JOIN firewall_rules_dcidrs fw_d_cidr     ON fw.id = fw_d_cidr.firewall_rule_id LEFT JOIN load_balancer_vm_map lb_vm_map     ON fw.id = lb_vm_map.load_balancer_id LEFT JOIN load_balancer_stickiness_policies lb_stickiness_map     ON fw.id = lb_stickiness_map.load_balancer_id WHERE lb.scheme = "Internal"\G
*************************** 1. row ***************************
                          id: 19
                        uuid: 021e13ff-379e-416d-8412-b205a5921a43
               ip_address_id: NULL
                  start_port: 22
                    end_port: 22
                       state: Add
                    protocol: tcp
                     purpose: LoadBalancing
                  account_id: 2
                   domain_id: 1
                  network_id: 210
                         xid: eb83f294-5cf9-4403-a104-aac6f23bc9c3
                     created: 2026-04-13 20:30:45
                   icmp_code: NULL
                   icmp_type: NULL
                     related: NULL
                        type: User
                      vpc_id: NULL
                traffic_type: NULL
                     display: 1
                     removed: 2026-04-13 20:32:48
                          id: 19
                        name: internallb
                 description: NULL
          default_port_start: 22
            default_port_end: 22
                   algorithm: Source
           source_ip_address: 10.0.0.240
source_ip_address_network_id: 210
                      scheme: Internal
                 lb_protocol: NULL
                   cidr_list: NULL
                          id: NULL
            firewall_rule_id: NULL
                 source_cidr: NULL
                          id: NULL
            firewall_rule_id: NULL
            destination_cidr: NULL
                          id: 7
            load_balancer_id: 19
                 instance_id: 45
                      revoke: 1
                       state: NULL
                 instance_ip: 10.0.0.157
                     removed: 2026-04-13 20:32:48
                          id: NULL
                        uuid: NULL
            load_balancer_id: NULL
                        name: NULL
                 description: NULL
                 method_name: NULL
                      params: NULL
                      revoke: NULL
                     display: NULL
                     removed: NULL
*************************** 2. row ***************************
                          id: 20
                        uuid: f88dcded-aa42-43ae-9457-1c6c645f7d61
               ip_address_id: NULL
                  start_port: 22
                    end_port: 22
                       state: Add
                    protocol: tcp
                     purpose: LoadBalancing
                  account_id: 2
                   domain_id: 1
                  network_id: 210
                         xid: 733ff32d-9b19-40a9-9e7c-72649d584838
                     created: 2026-04-13 20:34:29
                   icmp_code: NULL
                   icmp_type: NULL
                     related: NULL
                        type: User
                      vpc_id: NULL
                traffic_type: NULL
                     display: 1
                     removed: 2026-04-13 20:38:42
                          id: 20
                        name: internallb
                 description: NULL
          default_port_start: 22
            default_port_end: 22
                   algorithm: Source
           source_ip_address: 10.0.0.115
source_ip_address_network_id: 210
                      scheme: Internal
                 lb_protocol: NULL
                   cidr_list: NULL
                          id: NULL
            firewall_rule_id: NULL
                 source_cidr: NULL
                          id: NULL
            firewall_rule_id: NULL
            destination_cidr: NULL
                          id: 8
            load_balancer_id: 20
                 instance_id: 45
                      revoke: 1
                       state: NULL
                 instance_ip: 10.0.0.157
                     removed: 2026-04-13 20:38:29
                          id: NULL
                        uuid: NULL
            load_balancer_id: NULL
                        name: NULL
                 description: NULL
                 method_name: NULL
                      params: NULL
                      revoke: NULL
                     display: NULL
                     removed: NULL
2 rows in set (0.001 sec)

@bernardodemarco bernardodemarco added this to the 4.23.0 milestone Apr 13, 2026
@bernardodemarco
Copy link
Copy Markdown
Member Author

bernardodemarco commented Apr 13, 2026

@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 13, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 3.22581% with 30 lines in your changes missing coverage. Please review.
✅ Project coverage is 18.01%. Comparing base (856d83a) to head (5fc9ad7).

Files with missing lines Patch % Lines
...m/cloud/network/dao/LBStickinessPolicyDaoImpl.java 0.00% 9 Missing ⚠️
...om/cloud/network/dao/LoadBalancerVMMapDaoImpl.java 0.00% 6 Missing ⚠️
...loud/network/lb/LoadBalancingRulesManagerImpl.java 0.00% 6 Missing ⚠️
.../cloud/network/dao/LBHealthCheckPolicyDaoImpl.java 0.00% 4 Missing ⚠️
...n/java/com/cloud/network/rules/FirewallRuleVO.java 0.00% 3 Missing ⚠️
...va/com/cloud/network/dao/FirewallRulesDaoImpl.java 0.00% 1 Missing ⚠️
.../tungsten/dao/TungstenFabricLBHealthMonitorVO.java 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##               main   #13015      +/-   ##
============================================
- Coverage     18.01%   18.01%   -0.01%     
- Complexity    16607    16608       +1     
============================================
  Files          6029     6029              
  Lines        542154   542177      +23     
  Branches      66451    66452       +1     
============================================
+ Hits          97681    97683       +2     
- Misses       433457   433476      +19     
- Partials      11016    11018       +2
Flag Coverage Δ
uitests 3.52% <ø> (ø)
unittests 19.17% <3.22%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@bernardodemarco bernardodemarco marked this pull request as draft April 13, 2026 22:13
@bernardodemarco
Copy link
Copy Markdown
Member Author

bernardodemarco commented Apr 13, 2026

@blueorangutan package

@blueorangutan
Copy link
Copy Markdown

blueorangutan commented Apr 13, 2026

@bernardodemarco a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan
Copy link
Copy Markdown

blueorangutan commented Apr 13, 2026

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17475

weizhouapache
weizhouapache reviewed Apr 14, 2026
View reviewed changes
Comment thread engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
Copy link
Copy Markdown
Member

@weizhouapache weizhouapache Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is a very good idea to add removed column to firewall rules/lbs/pf rules.
for other tables, I suspect if the changes are necessary

@bernardodemarco bernardodemarco force-pushed the soft-delete-pf-lb-and-fw-rules branch from cfe94ff to 5fc9ad7 Compare April 23, 2026 19:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@weizhouapache weizhouapache weizhouapache left review comments

Assignees

No one assigned

Labels

component:networking status:needs-review status:needs-testing

Projects

None yet

Milestone

4.23.0

Development

Successfully merging this pull request may close these issues.

3 participants

@bernardodemarco @blueorangutan @weizhouapache