apache · bradywilkin · May 4, 2025 · weizhouapache · May 5, 2025 · Copilot
diff --git a/...rvisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java b/...rvisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
@@ -4846,6 +4846,8 @@ protected long getMemoryFreeInKBs(Domain dm) throws LibvirtException {
     }
 
     private boolean canBridgeFirewall(final String prvNic) {
+        if (getAllowNestedVMAccess())
+            return true; // If nested VM is allowed, then we skip call to security group and allow bypassing firewall
-        if (getAllowNestedVMAccess())
-            return true; // If nested VM is allowed, then we skip call to security group and allow bypassing firewall
+        if (getAllowNestedVMAccess()) {
+            return true; // If nested VM is allowed, then we skip call to security group and allow bypassing firewall
+        }
-        if (getAllowNestedVMAccess())
-            return true; // If nested VM is allowed, then we skip call to security group and allow bypassing firewall
+        if (getAllowNestedVMAccess()) {
+            return true; // If nested VM is allowed, then we skip call to security group and allow bypassing firewall
+        }
         final Script cmd = new Script(securityGroupPath, timeout, LOGGER);
         cmd.add("can_bridge_firewall");
         cmd.add("--privnic", prvNic);

diff --git a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
@@ -329,6 +329,9 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
 
     public static final ConfigKey<Integer> PUBLIC_IP_ADDRESS_QUARANTINE_DURATION = new ConfigKey<>("Network", Integer.class, "public.ip.address.quarantine.duration",
             "0", "The duration (in minutes) for the public IP address to be quarantined when it is disassociated.", true, ConfigKey.Scope.Domain);
+
+    public static final ConfigKey<Boolean> AllowNestedVMAccess = new ConfigKey<>("Advanced", Boolean.class, "allow.nested.vm.access",
+            "false", "Allows nested VM access by bypassing security group restrictions. Use with caution.", true, ConfigKey.Scope.Global);
 
     private Random rand = new Random(System.currentTimeMillis());
 
@@ -2453,6 +2456,10 @@ public static ConfigKey<Boolean> getSystemvmpublicipreservationmodestrictness()
         return SystemVmPublicIpReservationModeStrictness;
     }
 
+    public static ConfigKey<Boolean> getAllowNestedVMAccess() {
+        return AllowNestedVMAccess;
+    }
+
     @Override
     public boolean canPublicIpAddressBeAllocated(IpAddress ip, Account newOwner) {
         PublicIpQuarantineVO publicIpQuarantineVO = publicIpQuarantineDao.findByPublicIpAddressId(ip.getId());

diff --git a/server/src/test/java/com/cloud/network/IpAddressManagerTest.java b/server/src/test/java/com/cloud/network/IpAddressManagerTest.java
@@ -491,4 +491,14 @@ public void checkIfIpResourceCountShouldBeUpdatedTestIpIsAssociatedToVpcAndNotDe
 
         Assert.assertTrue(result);
     }
+
+    @Test
+    public void testCanBridgeFirewallWithNestedVMAccessEnabled() {
+        // Force config to return true for AllowNestedVMAccess
+        Mockito.doReturn(true).when(ipAddressManager).getAllowNestedVMAccessConfig();
+
+        boolean result = ipAddressManager.canBridgeFirewall("eth0");
+
+        Assert.assertTrue("Should return true when AllowNestedVMAccess is enabled", result);
+    }
 }