
Fix Static NAT/Port Forwarding when VM NIC is not the default#13200

Draft
sudo87 wants to merge 2 commits into
apache:mainfrom
shapeblue:fixStaticnatNondefault

Conversation

@sudo87
Contributor

@sudo87 sudo87 commented May 20, 2026

Description

This PR intends to fix #8366

When CloudStack VR forwards traffic to a VM whose NIC is not the VM's default, the VM may reply via its default NIC (asymmetric routing). To force symmetric routing we SNAT the forwarded packet's source to the VR's guest IP on the VM subnet so the VM replies on-link back to that VR interface. Also fix the port-forwarding SNAT to pick the correct VR guest IP for the VM's subnet.

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

  1. Deploy instance vm1 on network (net_1)
  2. Create Isolated network (iso_2), attach NIC nic_2 from this to vm1
  3. Acquire public_ip from iso_2 and enable static nat to vm1
  4. Configure firewall rules e.g. enable icmp
  5. Ping via public_ip, expect response from instance vm1

How did you try to break this feature and the system with this change?

@codecov

codecov Bot commented May 20, 2026

Codecov Report

❌ Patch coverage is 3.57143% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 18.09%. Comparing base (3c1f031) to head (4a9d0f4).
⚠️ Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
...t/resource/virtualnetwork/model/StaticNatRule.java 0.00% 10 Missing ⚠️
...a/com/cloud/network/router/CommandSetupHelper.java 0.00% 9 Missing ⚠️
...n/java/com/cloud/agent/api/to/StaticNatRuleTO.java 14.28% 6 Missing ⚠️
...ualnetwork/facade/SetStaticNatRulesConfigItem.java 0.00% 2 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               main   #13200      +/-   ##
============================================
+ Coverage     18.08%   18.09%   +0.01%     
- Complexity    16718    16732      +14     
============================================
  Files          6037     6037              
  Lines        542611   542807     +196     
  Branches      66433    66465      +32     
============================================
+ Hits          98136    98233      +97     
- Misses       433448   433526      +78     
- Partials      11027    11048      +21     
Flag Coverage Δ
uitests 3.51% <ø> (ø)
unittests 19.26% <3.57%> (+0.01%) ⬆️


if internal_device and internal_vr_ip and internal_device != device:
    self.fw.append(["nat", "front",
                    "-A POSTROUTING -o %s -d %s/32 -j SNAT --to-source %s" %
                    (internal_device, rule["internal_ip"], internal_vr_ip)])
Member


  1. This should apply to additional NICs of guest VMs only. Since there is no issue with the first NIC of guest VMs, it is not needed there.
  2. It would be better to provide an option for end users.
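The on-link SNAT described in the PR description, narrowed to additional NICs as the review comment above asks, as an added example (not CloudStack's own systemvm code). The interface list, the `default_nic` flag on the rule and the function names are assumptions; only the iptables rule text mirrors the snippet under review.

```python
import ipaddress

# Constructed sample of the VR's guest-side interfaces: (device, VR guest IP, prefix length).
# This shape is an assumption for the example, not CloudStack's ips databag.
GUEST_INTERFACES = [
    ("eth2", "10.1.1.1", 24),   # net_1: subnet of the VM's default NIC
    ("eth3", "10.1.2.1", 24),   # iso_2: subnet of the additional NIC nic_2
]


def pick_vr_guest_ip(internal_ip, guest_interfaces):
    """Return (device, vr_ip) of the VR guest interface whose subnet contains
    internal_ip, or (None, None) if no VR guest interface is on-link with the VM."""
    vm_ip = ipaddress.ip_address(internal_ip)
    for device, vr_ip, prefix_len in guest_interfaces:
        subnet = ipaddress.ip_network("%s/%d" % (vr_ip, prefix_len), strict=False)
        if vm_ip in subnet:
            return device, vr_ip
    return None, None


def static_nat_rules(rule, public_device, guest_interfaces):
    """Build the nat-table rules for one static NAT rule.

    rule carries public_ip, internal_ip and default_nic (assumed flag: True when
    internal_ip belongs to the VM's default NIC). public_device is the VR interface
    holding public_ip.
    """
    public_ip, internal_ip = rule["public_ip"], rule["internal_ip"]
    rules = [
        # inbound: public IP -> VM IP; outbound replies: VM IP -> public IP
        ["nat", "front", "-A PREROUTING -d %s/32 -j DNAT --to-destination %s" % (public_ip, internal_ip)],
        ["nat", "front", "-A POSTROUTING -o %s -s %s/32 -j SNAT --to-source %s" % (public_device, internal_ip, public_ip)],
    ]
    internal_device, internal_vr_ip = pick_vr_guest_ip(internal_ip, guest_interfaces)
    # Extra SNAT forcing symmetric routing: only for an additional (non-default) NIC,
    # and only when the VM is on-link via a guest interface distinct from the public one.
    if not rule["default_nic"] and internal_device and internal_device != public_device:
        rules.append(["nat", "front",
                      "-A POSTROUTING -o %s -d %s/32 -j SNAT --to-source %s"
                      % (internal_device, internal_ip, internal_vr_ip)])
    return rules
```

For a VM on the default NIC the third rule is not emitted, so replies from the first NIC keep their original source and existing behaviour is unchanged.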

@sudo87 sudo87 force-pushed the fixStaticnatNondefault branch from bc506f4 to 4a9d0f4 May 21, 2026 11:54
@sudo87
Contributor Author

sudo87 commented May 21, 2026

@blueorangutan package

@blueorangutan

@sudo87 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17959


Development

Successfully merging this pull request may close these issues.

Static NAT and Port forwarding do not work if the VM NIC is not default
