Firewalls on subnet UI

lib/validation.rb

@@ -121,9 +121,15 @@ def self.validate_postgres_superuser_password(original_password, repeat_password
   end
 
   def self.validate_cidr(cidr)
-    NetAddr::IPv4Net.parse(cidr)
+    if cidr.include?(".")
+      NetAddr::IPv4Net.parse(cidr)
+    elsif cidr.include?(":")
+      NetAddr::IPv6Net.parse(cidr)
+    else
+      fail ValidationFailed.new({cidr: "Invalid CIDR"})
+    end
   rescue NetAddr::ValidationError
-    fail ValidationFailed.new({CIDR: "Invalid CIDR"})
+    fail ValidationFailed.new({cidr: "Invalid CIDR"})
   end
 
   def self.validate_port_range(port_range)

migrate/20240409_move_firewall_to_subnet.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+Sequel.migration do
+  up do
+    alter_table(:firewall) do
+      add_foreign_key :private_subnet_id, :private_subnet, type: :uuid
+    end
+
+    run <<~SQL
+      UPDATE firewall f
+      SET private_subnet_id = (
+        SELECT n.private_subnet_id
+        FROM nic n
+        WHERE n.vm_id = f.vm_id
+      );
+    SQL
+  end
+
+  down do
+    run <<~SQL
+      UPDATE firewall f
+      SET vm_id = (
+        SELECT n.vm_id
+        FROM nic n
+        WHERE n.private_subnet_id = f.private_subnet_id
+      );
+    SQL
+
+    alter_table(:firewall) do
+      drop_column :private_subnet_id
+    end
+  end
+end

migrate/20240412_add_multiple_fw_to_subnet.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+Sequel.migration do
+  up do
+    create_table(:firewalls_private_subnets) do
+      foreign_key :private_subnet_id, :private_subnet, type: :uuid
+      foreign_key :firewall_id, :firewall, type: :uuid
+      primary_key %i[private_subnet_id firewall_id]
+    end
+
+    run <<~SQL
+      INSERT INTO firewalls_private_subnets (private_subnet_id, firewall_id)
+      SELECT private_subnet_id, id AS firewall_id
+      FROM firewall;
+    SQL
+
+    alter_table(:firewall) do
+      drop_column :private_subnet_id
+    end
+  end
+end

migrate/20240425_remove_fw_vm_id.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+Sequel.migration do
+  up do
+    alter_table(:firewall) do
+      drop_column :vm_id
+    end
+  end
+
+  down do
+    alter_table(:firewall) do
+      add_foreign_key :vm_id, :vm, type: :uuid
+    end
+  end
+end

model/firewall.rb

@@ -4,11 +4,28 @@
 
 class Firewall < Sequel::Model
   one_to_many :firewall_rules, key: :firewall_id
-  many_to_one :vm, key: :vm_id
+  many_to_many :private_subnets
 
   plugin :association_dependencies, firewall_rules: :destroy
 
   include ResourceMethods
+  include Authorization::TaggableMethods
+  include Authorization::HyperTagMethods
+  def hyper_tag_name(project)
+    "project/#{project.ubid}/firewall/#{ubid}"
+  end
+
+  dataset_module Pagination
+  dataset_module Authorization::Dataset
+
+  def path
+    "/firewall/#{ubid}"
+  end
+
+  def remove_firewall_rule(firewall_rule)
+    firewall_rule.destroy
+    private_subnets.map(&:incr_update_firewall_rules)
+  end
 
   def insert_firewall_rule(cidr, port_range)
     fwr = FirewallRule.create_with_id(
@@ -17,7 +34,29 @@ def insert_firewall_rule(cidr, port_range)
       port_range: port_range
     )
 
-    vm&.incr_update_firewall_rules
+    private_subnets.each(&:incr_update_firewall_rules)
     fwr
   end
+
+  def destroy
+    DB.transaction do
+      private_subnets.each(&:incr_update_firewall_rules)
+      FirewallsPrivateSubnets.where(firewall_id: id).all.each(&:destroy)
+      super
+    end
+  end
+
+  def associate_with_private_subnet(private_subnet, apply_firewalls: true)
+    add_private_subnet(private_subnet)
+    private_subnet.incr_update_firewall_rules if apply_firewalls
+  end
+
+  def disassociate_from_private_subnet(private_subnet, apply_firewalls: true)
+    FirewallsPrivateSubnets.where(
+      private_subnet_id: private_subnet.id,
+      firewall_id: id
+    ).destroy
+
+    private_subnet.incr_update_firewall_rules if apply_firewalls
+  end
 end

model/firewalls_private_subnets.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require_relative "../model"
+
+class FirewallsPrivateSubnets < Sequel::Model
+  include ResourceMethods
+end

model/postgres/postgres_server.rb

@@ -165,7 +165,8 @@ def health_monitor_socket_path
   end
 
   def create_resource_firewall_rules
-    fw = Firewall.create_with_id(vm_id: vm.id, name: ubid.to_s, description: "Postgres default firewall")
+    fw = Firewall.create_with_id(name: ubid.to_s, description: "Postgres default firewall")
+    fw.add_private_subnet(vm.private_subnets.first)
     resource.firewall_rules.each do |pg_fwr|
       fw.insert_firewall_rule(pg_fwr.cidr.to_s, Sequel.pg_range(5432..5432))
     end

model/private_subnet.rb

@@ -6,7 +6,7 @@ class PrivateSubnet < Sequel::Model
   many_to_many :vms, join_table: Nic.table_name, left_key: :private_subnet_id, right_key: :vm_id
   one_to_many :nics, key: :private_subnet_id
   one_to_one :strand, key: :id
-  one_to_many :firewall_rules
+  many_to_many :firewalls
 
   PRIVATE_SUBNET_RANGES = [
     "10.0.0.0/8",
@@ -23,6 +23,13 @@ def hyper_tag_name(project)
 
   include Authorization::TaggableMethods
 
+  def destroy
+    DB.transaction do
+      FirewallsPrivateSubnets.where(private_subnet_id: id).all.each(&:destroy)
+      super
+    end
+  end
+
   def display_location
     LocationNameConverter.to_display_name(location)
   end
@@ -42,7 +49,7 @@ def display_state
   end
 
   include SemaphoreMethods
-  semaphore :destroy, :refresh_keys, :add_new_nic
+  semaphore :destroy, :refresh_keys, :add_new_nic, :update_firewall_rules
 
   def self.random_subnet
     PRIVATE_SUBNET_RANGES.sample

model/project.rb

@@ -13,6 +13,7 @@ class Project < Sequel::Model
   many_to_many :minio_clusters, join_table: AccessTag.table_name, left_key: :project_id, right_key: :hyper_tag_id
   many_to_many :private_subnets, join_table: AccessTag.table_name, left_key: :project_id, right_key: :hyper_tag_id
   many_to_many :postgres_resources, join_table: AccessTag.table_name, left_key: :project_id, right_key: :hyper_tag_id
+  many_to_many :firewalls, join_table: AccessTag.table_name, left_key: :project_id, right_key: :hyper_tag_id
 
   one_to_many :invoices, order: Sequel.desc(:created_at)
 

model/vm.rb

@@ -11,9 +11,8 @@ class Vm < Sequel::Model
   one_to_one :assigned_vm_address, key: :dst_vm_id, class: :AssignedVmAddress
   one_to_many :vm_storage_volumes, key: :vm_id, order: Sequel.desc(:boot)
   one_to_one :active_billing_record, class: :BillingRecord, key: :resource_id do |ds| ds.active end
-  one_to_many :firewalls, key: :vm_id
 
-  plugin :association_dependencies, sshable: :destroy, assigned_vm_address: :destroy, vm_storage_volumes: :destroy, firewalls: :destroy
+  plugin :association_dependencies, sshable: :destroy, assigned_vm_address: :destroy, vm_storage_volumes: :destroy
 
   dataset_module Pagination
   dataset_module Authorization::Dataset
@@ -31,6 +30,10 @@ def hyper_tag_name(project)
 
   include Authorization::TaggableMethods
 
+  def firewalls
+    private_subnets.flat_map(&:firewalls)
+  end
+
   def display_location
     LocationNameConverter.to_display_name(location)
   end

prog/postgres/postgres_server_nexus.rb

@@ -291,7 +291,6 @@ def before_run
 
     # create a new set of firewall rules
     postgres_server.create_resource_firewall_rules
-    vm.incr_update_firewall_rules
 
     hop_wait
   end

prog/vm/github_runner.rb

@@ -352,7 +352,10 @@ def setup_info
     end
 
     if vm
-      vm.private_subnets.each { _1.incr_destroy }
+      vm.private_subnets.each do |subnet|
+        subnet.firewalls.map(&:destroy)
+        subnet.incr_destroy
+      end
 
       # If the runner is not assigned any job and we destroy it after a
       # timeline, the workflow_job is nil, in that case, we want to be able to

prog/vm/nexus.rb

@@ -72,7 +72,7 @@ def self.assemble(public_key, project_id, name: nil, size: "standard-2",
           raise "Given subnet doesn't exist with the id #{private_subnet_id}" unless subnet
           raise "Given subnet is not available in the given project" unless project.private_subnets.any? { |ps| ps.id == subnet.id }
         else
-          subnet_s = Prog::Vnet::SubnetNexus.assemble(project_id, name: "#{name}-subnet", location: location)
+          subnet_s = Prog::Vnet::SubnetNexus.assemble(project_id, name: "#{name}-subnet", location: location, allow_only_ssh: allow_only_ssh)
           subnet = PrivateSubnet[subnet_s.id]
         end
         nic_s = Prog::Vnet::NicNexus.assemble(subnet.id, name: "#{name}-nic")
@@ -90,10 +90,6 @@ def self.assemble(public_key, project_id, name: nil, size: "standard-2",
         boot_image: boot_image, ip4_enabled: enable_ip4, pool_id: pool_id, arch: arch) { _1.id = ubid.to_uuid }
       nic.update(vm_id: vm.id)
 
-      port_range = allow_only_ssh ? 22..22 : 0..65535
-      fw = Firewall.create_with_id(vm_id: vm.id, name: "#{name}-default")
-      ["0.0.0.0/0", "::/0"].each { |cidr| FirewallRule.create_with_id(firewall_id: fw.id, cidr: cidr, port_range: Sequel.pg_range(port_range)) }
-
       vm.associate_with_project(project)
 
       Strand.create(

prog/vnet/subnet_nexus.rb

@@ -2,9 +2,9 @@
 
 class Prog::Vnet::SubnetNexus < Prog::Base
   subject_is :private_subnet
-  semaphore :destroy, :refresh_keys, :add_new_nic
+  semaphore :destroy, :refresh_keys, :add_new_nic, :update_firewall_rules
 
-  def self.assemble(project_id, name: nil, location: "hetzner-hel1", ipv6_range: nil, ipv4_range: nil)
+  def self.assemble(project_id, name: nil, location: "hetzner-hel1", ipv6_range: nil, ipv4_range: nil, allow_only_ssh: false)
     unless (project = Project[project_id])
       fail "No existing project"
     end
@@ -20,6 +20,12 @@ def self.assemble(project_id, name: nil, location: "hetzner-hel1", ipv6_range: n
     DB.transaction do
       ps = PrivateSubnet.create(name: name, location: location, net6: ipv6_range, net4: ipv4_range, state: "waiting") { _1.id = ubid.to_uuid }
       ps.associate_with_project(project)
+      port_range = allow_only_ssh ? 22..22 : 0..65535
+      fw = Firewall.create_with_id(name: "#{name}-default")
+      fw.associate_with_project(project)
+      ["0.0.0.0/0", "::/0"].each { |cidr| FirewallRule.create_with_id(firewall_id: fw.id, cidr: cidr, port_range: Sequel.pg_range(port_range)) }
+      fw.associate_with_private_subnet(ps, apply_firewalls: false)
+
       Strand.create(prog: "Vnet::SubnetNexus", label: "wait") { _1.id = ubid.to_uuid }
     end
   end
@@ -44,6 +50,11 @@ def before_run
       hop_add_new_nic
     end
 
+    when_update_firewall_rules_set? do
+      private_subnet.vms.map(&:incr_update_firewall_rules)
+      decr_update_firewall_rules
+    end
+
     if private_subnet.last_rekey_at < Time.now - 60 * 60 * 24
       private_subnet.incr_refresh_keys
     end
@@ -128,6 +139,7 @@ def gen_reqid
 
     decr_destroy
     strand.children.each { _1.destroy }
+    private_subnet.firewalls.map { _1.disassociate_from_private_subnet(private_subnet, apply_firewalls: false) }
 
     if private_subnet.nics.empty?
       DB.transaction do