
Routed VR: accept packets from related and established connections#12986

Merged
sureshanaparti merged 1 commit intoapache:4.20from
weizhouapache:4.20-fix-routed-vr-ssh
Apr 15, 2026

Conversation

@weizhouapache
Member

@weizhouapache weizhouapache commented Apr 8, 2026

Description

This PR fixes #12962

The change is similar to #10970

Tested with Routed network and Routed VPC with Dynamic routing

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

Contributor

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.


@weizhouapache
Member Author

@blueorangutan package

@blueorangutan

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@codecov

codecov bot commented Apr 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 16.26%. Comparing base (6f1aa96) to head (605a7e5).
⚠️ Report is 4 commits behind head on 4.20.

Additional details and impacted files
@@             Coverage Diff              @@
##               4.20   #12986      +/-   ##
============================================
- Coverage     16.26%   16.26%   -0.01%     
  Complexity    13434    13434              
============================================
  Files          5665     5665              
  Lines        500530   500530              
  Branches      60787    60787              
============================================
- Hits          81411    81410       -1     
  Misses       410028   410028              
- Partials       9091     9092       +1     
Flag      | Coverage Δ
uitests   | 4.15% <ø> (ø)
unittests | 17.11% <ø> (-0.01%) ⬇️


@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17409

@weizhouapache
Member Author

@blueorangutan test

@blueorangutan

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian Build Failed (tid-15829)

@sureshanaparti sureshanaparti requested a review from Copilot April 9, 2026 03:33
Contributor

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.


@sureshanaparti
Contributor

@blueorangutan test

@blueorangutan

@sureshanaparti a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian test result (tid-15831)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 53594 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12986-t15831-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

Contributor

@DaanHoogland DaanHoogland left a comment


clgtm

@weizhouapache
Member Author

weizhouapache commented Apr 15, 2026

@khumps
Could you please verify this fix, so we can get it into the 4.22.1.0 release? Thanks.

Member

@kiranchavala kiranchavala left a comment


LGTM

Tested manually on a routed mode isolated network

  1. Created a zone with dynamic routing enabled and an IP subnet pool configured

  2. Created a network offering with routing mode = Dynamic and default egress policy = Deny

  3. Deploy an isolated routed network using that offering
    In the network's IPv4 Routing Firewall, add:
    Ingress rule: TCP port 22 from 0.0.0.0/0
    Egress rule: TCP port 22 to 0.0.0.0/0

  4. Deploy a VM in the network

  5. Able to SSH to the VM from an external host > works

Rules on the router:

	chain fw_chain_egress {
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp dport 22 accept
		counter packets 3 bytes 228 drop
	}

	chain fw_chain_ingress {
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp dport 22 accept
		counter packets 0 bytes 0 drop
	}


  6. Remove the egress rule from the network

  7. SSH to the VM from an external host > works

	chain fw_chain_egress {
		counter packets 0 bytes 0 drop
	}

	chain fw_chain_ingress {
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp dport 22 accept
		counter packets 0 bytes 0 drop
	}
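The failure mode in the linked issue, shown as an added nftables illustration that is not part of this PR, of CloudStack's router scripts, or of the test above: with default egress policy = Deny the egress chain ends in an unconditional drop, so the VM's reply packets to an accepted inbound SSH session are dropped unless the chain first accepts packets of connections conntrack already tracks. Only the chain names fw_chain_egress and fw_chain_ingress come from the page; the table name, the base chain and the guest interface name are assumptions.

```nft
# Added illustration (not CloudStack's own ruleset): routed-VR forward
# filtering for an isolated network whose offering sets egress policy = Deny.
# Table name, base chain and interface name are assumed; the chain names
# fw_chain_egress / fw_chain_ingress are the ones shown in the test output.

table ip acs_routed_example {

    # Before the fix: egress is an allow-list that ends in drop. An inbound
    # TCP SYN is accepted by fw_chain_ingress (tcp dport 22), but the VM's
    # SYN-ACK traverses fw_chain_egress, matches nothing and is dropped,
    # so inbound SSH only works while an egress "tcp dport 22" rule exists.
    chain fw_chain_egress_before_fix {
        ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp dport 22 accept
        counter drop
    }

    # After the fix: packets of connections conntrack already knows are
    # accepted first, so replies to an accepted inbound session pass
    # without any egress allow rule; only new outbound connections are
    # subject to the egress policy.
    chain fw_chain_egress {
        ct state established,related accept
        counter drop                     # default egress policy = Deny
    }

    # Same for ingress, so replies to VM-initiated connections return.
    chain fw_chain_ingress {
        ct state established,related accept
        ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp dport 22 accept
        counter drop
    }

    # Assumed base chain: packets leaving the guest side (eth2) are
    # "egress", packets heading into the guest side are "ingress".
    chain forward {
        type filter hook forward priority filter; policy drop;
        iifname "eth2" jump fw_chain_egress
        oifname "eth2" jump fw_chain_ingress
    }
}
```

After loading the file with `nft -f`, `nft list chain ip acs_routed_example fw_chain_egress` should show the established,related rule ahead of the drop, and the drop counter should stay flat while an inbound SSH session is open.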


Successfully merging this pull request may close these issues.

[BUG] fw_chain_egress missing ct state established,related accept causes inbound TCP to fail with default egress deny on routed networks