Fix Static NAT/Port Forwarding when VM NIC is not the default

api/src/main/java/com/cloud/agent/api/to/StaticNatRuleTO.java

@@ -28,6 +28,7 @@
 
 public class StaticNatRuleTO extends FirewallRuleTO {
     String dstIp;
+    boolean destinationIpOnDefaultNic = true;
 
     protected StaticNatRuleTO() {
     }
@@ -79,4 +80,12 @@ public String getDstIp() {
         return dstIp;
     }
 
+    public boolean isDestinationIpOnDefaultNic() {
+        return destinationIpOnDefaultNic;
+    }
+
+    public void setDestinationIpOnDefaultNic(boolean destinationIpOnDefaultNic) {
+        this.destinationIpOnDefaultNic = destinationIpOnDefaultNic;
+    }
+
 }

core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetStaticNatRulesConfigItem.java

@@ -39,7 +39,8 @@ public List<ConfigItem> generateConfig(final NetworkElementCommand cmd) {
 
         final LinkedList<StaticNatRule> rules = new LinkedList<>();
         for (final StaticNatRuleTO rule : command.getRules()) {
-            final StaticNatRule staticNatRule = new StaticNatRule(rule.revoked(), rule.getProtocol(), rule.getSrcIp(), rule.getStringSrcPortRange(), rule.getDstIp());
+            final StaticNatRule staticNatRule = new StaticNatRule(rule.revoked(), rule.getProtocol(), rule.getSrcIp(),
+                    rule.getStringSrcPortRange(), rule.getDstIp(), rule.isDestinationIpOnDefaultNic());
             rules.add(staticNatRule);
         }
         final StaticNatRules staticNatRules = new StaticNatRules(rules);

core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/StaticNatRule.java

@@ -25,18 +25,25 @@ public class StaticNatRule {
     private String sourceIpAddress;
     private String sourcePortRange;
     private String destinationIpAddress;
+    private boolean destinationIpOnDefaultNic = true;
 
     public StaticNatRule() {
         // Empty constructor for (de)serialization
     }
 
     public StaticNatRule(boolean revoke, String protocol, String sourceIpAddress, String sourcePortRange, String destinationIpAddress) {
+        this(revoke, protocol, sourceIpAddress, sourcePortRange, destinationIpAddress, true);
+    }
+
+    public StaticNatRule(boolean revoke, String protocol, String sourceIpAddress, String sourcePortRange,
+                         String destinationIpAddress, boolean destinationIpOnDefaultNic) {
         super();
         this.revoke = revoke;
         this.protocol = protocol;
         this.sourceIpAddress = sourceIpAddress;
         this.sourcePortRange = sourcePortRange;
         this.destinationIpAddress = destinationIpAddress;
+        this.destinationIpOnDefaultNic = destinationIpOnDefaultNic;
     }
 
     public boolean isRevoke() {
@@ -79,4 +86,12 @@ public void setDestinationIpAddress(String destinationIpAddress) {
         this.destinationIpAddress = destinationIpAddress;
     }
 
+    public boolean isDestinationIpOnDefaultNic() {
+        return destinationIpOnDefaultNic;
+    }
+
+    public void setDestinationIpOnDefaultNic(boolean destinationIpOnDefaultNic) {
+        this.destinationIpOnDefaultNic = destinationIpOnDefaultNic;
+    }
+
 }

server/src/main/java/com/cloud/network/router/CommandSetupHelper.java

@@ -446,6 +446,7 @@ public void createApplyStaticNatRulesCommands(final List<? extends StaticNatRule
             for (final StaticNatRule rule : rules) {
                 final IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
                 final StaticNatRuleTO ruleTO = new StaticNatRuleTO(rule, null, sourceIp.getAddress().addr(), rule.getDestIpAddress());
+                ruleTO.setDestinationIpOnDefaultNic(isDestinationIpOnDefaultNic(guestNetworkId, rule.getDestIpAddress()));
                 rulesTO.add(ruleTO);
             }
         }
@@ -459,6 +460,15 @@ public void createApplyStaticNatRulesCommands(final List<? extends StaticNatRule
         cmds.addCommand(cmd);
     }
 
+    private boolean isDestinationIpOnDefaultNic(final long networkId, final String destinationIp) {
+        final NicVO destinationNic = _nicDao.findByIp4AddressAndNetworkId(destinationIp, networkId);
+        if (destinationNic == null) {
+            logger.debug("Unable to find destination NIC for ip [{}] in network [{}], assuming default NIC.", destinationIp, networkId);
+            return true;
+        }
+        return destinationNic.isDefaultNic();
+    }
+
     public void createApplyFirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) {
         final List<FirewallRuleTO> rulesTO = new ArrayList<>();
         String systemRule = null;
@@ -697,6 +707,7 @@ public void createApplyStaticNatCommands(final List<? extends StaticNat> rules,
                 final IpAddress sourceIp = _networkModel.getIp(rule.getSourceIpAddressId());
                 final StaticNatRuleTO ruleTO = new StaticNatRuleTO(0, sourceIp.getAddress().addr(), null, null, rule.getDestIpAddress(), null, null, null, rule.isForRevoke(),
                         false);
+                ruleTO.setDestinationIpOnDefaultNic(isDestinationIpOnDefaultNic(guestNetworkId, rule.getDestIpAddress()));
                 rulesTO.add(ruleTO);
             }
         }

systemvm/debian/opt/cloud/bin/configure.py

@@ -1448,7 +1448,7 @@ def forward_vr(self, rule):
               )
         fw4 = "-j SNAT --to-source %s -A POSTROUTING -s %s -d %s/32 -o %s -p %s -m %s --dport %s" % \
               (
-                self.getGuestIp(),
+                self.getGuestIpByIp(rule['internal_ip']),
                 self.getNetworkByIp(rule['internal_ip']),
                 rule['internal_ip'],
                 internal_fwinterface,
@@ -1567,6 +1567,14 @@ def processStaticNatRule(self, rule):
         self.fw.append(["nat", "front", "-A POSTROUTING -s %s -d %s -j SNAT -o %s --to-source %s" %
                         (self.getNetworkByIp(rule['internal_ip']), rule["internal_ip"], self.getDeviceByIp(rule["internal_ip"]), self.getGuestIpByIp(rule["internal_ip"]))])
 
+        destination_ip_on_default_nic = rule.get("destination_ip_on_default_nic", True)
+        if not destination_ip_on_default_nic:
+            internal_device = self.getDeviceByIp(rule["internal_ip"])
+            internal_vr_ip = self.getGuestIpByIp(rule["internal_ip"])
+            if internal_device and internal_vr_ip and internal_device != device:
+                self.fw.append(["nat", "front",
+                                "-A POSTROUTING -o %s -d %s/32 -j SNAT --to-source %s" % (internal_device, rule["internal_ip"], internal_vr_ip)])
+
 
 class IpTablesExecutor:
 

systemvm/debian/opt/cloud/bin/cs_forwardingrules.py

@@ -27,6 +27,8 @@ def merge(dbag, rules):
         newrule = dict()
         newrule["public_ip"] = source_ip
         newrule["internal_ip"] = destination_ip
+        if "destination_ip_on_default_nic" in rule:
+            newrule["destination_ip_on_default_nic"] = rule["destination_ip_on_default_nic"]
 
         if rules["type"] == "staticnatrules":
             newrule["type"] = "staticnat"