Static NAT with multiple public interfaces uses wrong outgoing IP #3168

@richardlawley

ISSUE TYPE
  • Bug Report
COMPONENT NAME
VR
CLOUDSTACK VERSION
4.11.2
CONFIGURATION

Advanced Networking, XenServer 6.5, Non-VPC

SUMMARY

This is a regression, caused by f60f3ce I believe. When a VR has public IPs on multiple interfaces, a static NAT rule which is not on the first public interface will have outgoing traffic originating from the Source NAT IP. I believe this is because the logic of marking packets was changed from interface number to 100+interface number everywhere except where the static NAT rules are configured in configure.py.

I've been able to fix this temporarily in my own VR by changing configure.py L930 from hex(int(device[len("eth"):])) to hex(100 + int(device[len("eth"):]))

STEPS TO REPRODUCE
  • Assign public IP from different subnet to VR (so that VR gets eth3 created).
  • Deploy a VM on this network
  • Create static NAT rule for this new public IP to the new VM
  • Run curl -s http://ipecho.net/plain inside the VM
EXPECTED RESULTS

Output should be the Static NAT IP

Created firewall rule in mangle / PREROUTING should be: state NEW MARK set 0x67

ACTUAL RESULTS

Output is the Source NAT IP

Created firewall rule in mangle / PREROUTING is: state NEW MARK set 0x3
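An audit sketch for the mismatch reported above, added here as an example; it is not part of the original report and not CloudStack code. It scans `iptables-save -t mangle` style lines for PREROUTING rules that still set the bare interface number as the mark instead of 100 + interface number. The function names and the sample rules are constructed for illustration, and a match is a heuristic hit to confirm by hand.

```python
import re

MARK_OFFSET = 100  # offset the report says is used everywhere except the static NAT rules


def expected_mark(device):
    """Mark the report expects for a device, e.g. eth3 -> 0x67."""
    return hex(MARK_OFFSET + int(device[len("eth"):]))


def legacy_mark(device):
    """Mark produced by the unpatched expression quoted in the report, e.g. eth3 -> 0x3."""
    return hex(int(device[len("eth"):]))


# iptables-save renders the MARK target as "-j MARK --set-xmark 0x3/0xffffffff".
_MARK_RE = re.compile(r"-j MARK\s+--set-x?mark\s+(0x[0-9a-fA-F]+)")


def audit_mangle_rules(rule_lines, public_devices):
    """Return (rule, found_mark, expected_mark, device) for each suspect rule."""
    legacy = {int(legacy_mark(d), 16): d for d in public_devices}
    findings = []
    for line in rule_lines:
        # Only NEW-state marking rules in PREROUTING are of interest here.
        if "PREROUTING" not in line or "NEW" not in line:
            continue
        match = _MARK_RE.search(line)
        if not match:
            continue
        value = int(match.group(1), 16)
        if value in legacy:
            device = legacy[value]
            findings.append((line.strip(), hex(value), expected_mark(device), device))
    return findings


# Constructed sample input, not captured from a real VR.
SAMPLE_RULES = [
    "-A PREROUTING -s 10.1.1.20/32 -m state --state NEW -j MARK --set-xmark 0x3/0xffffffff",
    "-A PREROUTING -s 10.1.1.21/32 -m state --state NEW -j MARK --set-xmark 0x67/0xffffffff",
    "-A PREROUTING -i eth3 -m state --state NEW -j CONNMARK --set-xmark 0x67/0xffffffff",
    "-A POSTROUTING -p udp --dport 68 -j CHECKSUM --checksum-fill",
]

if __name__ == "__main__":
    for rule, found, wanted, dev in audit_mangle_rules(SAMPLE_RULES, ["eth2", "eth3"]):
        print(f"{dev}: mark {found}, expected {wanted}: {rule}")
```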
