diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
index 98c718576735..bf5b4ac59b2a 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
@@ -4846,6 +4846,8 @@ protected long getMemoryFreeInKBs(Domain dm) throws LibvirtException {
 }
 private boolean canBridgeFirewall(final String prvNic) {
+ if (getAllowNestedVMAccess())
+ return true; // If nested VM is allowed, then we skip call to security group and allow bypassing firewall
 final Script cmd = new Script(securityGroupPath, timeout, LOGGER);
 cmd.add("can_bridge_firewall");
 cmd.add("--privnic", prvNic);
diff --git a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
index ca47393f434b..f91f0fd7e717 100644
--- a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
@@ -329,6 +329,9 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
 public static final ConfigKey PUBLIC_IP_ADDRESS_QUARANTINE_DURATION = new ConfigKey<>("Network", Integer.class, "public.ip.address.quarantine.duration", "0", "The duration (in minutes) for the public IP address to be quarantined when it is disassociated.", true, ConfigKey.Scope.Domain);
+
+ public static final ConfigKey AllowNestedVMAccess = new ConfigKey<>("Advanced", Boolean.class, "allow.nested.vm.access",
+ "false", "Allows nested VM access by bypassing security group restrictions. Use with caution.", true, ConfigKey.Scope.Global);
 private Random rand = new Random(System.currentTimeMillis());
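Review bot: `getAllowNestedVMAccess()` is used as a boolean condition in the new guard, but the only definition this commit adds is a static method on IpAddressManagerImpl in the server module that returns the `ConfigKey` object itself, not its value; unless LibvirtComputingResource declares its own boolean helper outside the hunk, this line does not compile, and a ConfigKey would need `.value()` — and the KVM agent process does not share the management server's ConfigKey store, so the value would have to reach the agent the way its other properties do. The early return also skips the `can_bridge_firewall` probe for the whole host, not only for nested VMs, and since the method reports whether bridge firewalling is possible, returning `true` makes the host claim a capability it never verified rather than "bypassing" anything; the inline comment and the key's description should say which effect is intended. At minimum brace the guard and log the decision so operators can see when enforcement is being skipped: `if (allowNestedVmAccess) {` / `LOGGER.warn("allow.nested.vm.access is set; skipping can_bridge_firewall probe on " + prvNic); return true; }`. canBridgeFirewall continues past the end of the hunk.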
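Review bot: A key whose stated effect is to bypass security-group restrictions is declared with `ConfigKey.Scope.Global`, so enabling it for one nested-virtualisation cluster relaxes enforcement on every KVM host the management server controls; the sibling key on the line above is Domain-scoped, and `ConfigKey.Scope.Zone` or `ConfigKey.Scope.Cluster` would let an operator confine the exception to the hosts that need it. The description should also name the concrete effect rather than "Use with caution", e.g. `"When true, KVM hosts skip the can_bridge_firewall check and report bridge firewalling as available without verifying it; security group rules may not be enforced for guests on those hosts."`. The key is marked dynamic (the `true` argument, as on the sibling key), so it can be flipped at runtime without a restart — worth stating in the description so the change is expected to show up in configuration audit trails. Whether the field is typed `ConfigKey<Boolean>` cannot be told here, as the generics appear stripped from the surrounding context lines too.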
@@ -2453,6 +2456,10 @@ public static ConfigKey getSystemvmpublicipreservationmodestrictness()
 return SystemVmPublicIpReservationModeStrictness;
 }
+ public static ConfigKey getAllowNestedVMAccess() {
+ return AllowNestedVMAccess;
+ }
+
 @Override
 public boolean canPublicIpAddressBeAllocated(IpAddress ip, Account newOwner) {
 PublicIpQuarantineVO publicIpQuarantineVO = publicIpQuarantineDao.findByPublicIpAddressId(ip.getId());
diff --git a/server/src/test/java/com/cloud/network/IpAddressManagerTest.java b/server/src/test/java/com/cloud/network/IpAddressManagerTest.java
index 824d4ee47019..16c7454138a2 100644
--- a/server/src/test/java/com/cloud/network/IpAddressManagerTest.java
+++ b/server/src/test/java/com/cloud/network/IpAddressManagerTest.java
@@ -491,4 +491,14 @@ public void checkIfIpResourceCountShouldBeUpdatedTestIpIsAssociatedToVpcAndNotDe
 Assert.assertTrue(result);
 }
+
+ @Test
+ public void testCanBridgeFirewallWithNestedVMAccessEnabled() {
+ // Force config to return true for AllowNestedVMAccess
+ Mockito.doReturn(true).when(ipAddressManager).getAllowNestedVMAccessConfig();
+ boolean result = ipAddressManager.canBridgeFirewall("eth0");
+ Assert.assertTrue("Should return true when AllowNestedVMAccess is enabled", result);
+ }
 }
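Review bot: The new test stubs `ipAddressManager.getAllowNestedVMAccessConfig()` and calls `ipAddressManager.canBridgeFirewall("eth0")`, but neither method exists on IpAddressManagerImpl in this commit: the accessor added in the hunk above is the static `getAllowNestedVMAccess()` returning a ConfigKey, and canBridgeFirewall is a private method of LibvirtComputingResource in the KVM plugin, so the test cannot compile against the code it is meant to cover. `Mockito.doReturn(...).when(instance)` also cannot stub a static method. The behaviour worth pinning lives in the KVM plugin's test module: with the flag set the `can_bridge_firewall` script must never be executed and the method returns true, and with the flag unset the script's result must be returned unchanged — the off path is the one that protects against the bypass silently becoming the default, so assert both. How `ipAddressManager` is constructed for this test class is outside the hunk.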