Add iptables FORWARD rules for nexthop-based static routes

When static routes use nexthop (gateway) instead of referencing a
private gateway's public IP, the iptables FORWARD rules were not
being generated. This caused traffic to be dropped by ACLs.

This fix:
- Adds a shared helper CsHelper.find_device_for_gateway() to determine
  which interface a gateway belongs to by checking subnet membership
- Updates CsStaticRoutes to use the shared helper instead of duplicating
  the device-finding logic
- Modifies CsAddress firewall rule generation to handle both old-style
  (ip_address-based) and new-style (nexthop-based) static routes
- Generates the required FORWARD and PREROUTING rules for nexthop routes:
  * -A PREROUTING -s <network> ! -d <interface_ip>/32 -i <dev> -j ACL_OUTBOUND_<dev>
  * -A FORWARD -d <network> -o <dev> -j ACL_INBOUND_<dev>
  * -A FORWARD -d <network> -o <dev> -m state --state RELATED,ESTABLISHED -j ACCEPT

Fixes the second part of #12857

Author: bhouse-nexthop

systemvm/debian/opt/cloud/bin/cs/CsAddress.py

@@ -603,10 +603,24 @@ def fw_vpcrouter(self):
                     if item == "id":
                         continue
                     static_route = static_routes.get_bag()[item]
-                    if 'ip_address' in static_route and static_route['ip_address'] == self.address['public_ip'] and not static_route['revoke']:
+                    if static_route['revoke']:
+                        continue
+
+                    # Check if this static route applies to this interface
+                    # Old style: ip_address field matches this interface's public_ip
+                    # New style (nexthop): gateway is in this interface's subnet
+                    applies_to_interface = False
+                    if 'ip_address' in static_route and static_route['ip_address'] == self.address['public_ip']:
+                        applies_to_interface = True
+                    elif 'gateway' in static_route:
+                        device = CsHelper.find_device_for_gateway(self.config, static_route['gateway'])
+                        if device == self.dev:
+                            applies_to_interface = True
+
+                    if applies_to_interface:
                         self.fw.append(["mangle", "",
                                         "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
-                                        (self.dev, static_route['network'], static_route['ip_address'], self.dev)])
+                                        (self.dev, static_route['network'], self.address['public_ip'], self.dev)])
                         self.fw.append(["filter", "front", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
                                         (static_route['network'], self.dev, self.dev)])
                         self.fw.append(["filter", "front",

systemvm/debian/opt/cloud/bin/cs/CsHelper.py

@@ -25,6 +25,7 @@
 import os.path
 import re
 import shutil
+from typing import Optional
 from netaddr import *
 
 PUBLIC_INTERFACES = {"router": "eth2", "vpcrouter": "eth1"}
@@ -270,3 +271,29 @@ def copy(src, dest):
         logging.error("Could not copy %s to %s" % (src, dest))
     else:
         logging.info("Copied %s to %s" % (src, dest))
+
+
+def find_device_for_gateway(config, gateway_ip: str) -> Optional[str]:
+    """
+    Find which ethernet device the gateway IP belongs to by checking
+    if the gateway is in any of the configured interface subnets.
+
+    Args:
+        config: CsConfig instance containing network configuration
+        gateway_ip: IP address of the gateway to locate
+
+    Returns:
+        Device name (e.g., 'eth2') or None if not found
+    """
+    try:
+        interfaces = config.address().get_interfaces()
+        for interface in interfaces:
+            if not interface.is_added():
+                continue
+            if interface.ip_in_subnet(gateway_ip):
+                return interface.get_device()
+        logging.debug("No matching device found for gateway %s" % gateway_ip)
+        return None
+    except Exception as e:
+        logging.error("Error finding device for gateway %s: %s" % (gateway_ip, e))
+        return None

systemvm/debian/opt/cloud/bin/cs/CsStaticRoutes.py

@@ -32,29 +32,7 @@ def process(self):
                 continue
             self.__update(self.dbag[item])
 
-    def __find_device_for_gateway(self, gateway_ip):
-        """
-        Find which ethernet device the gateway IP belongs to by checking
-        if the gateway is in any of the configured interface subnets.
-        Returns device name (e.g., 'eth2') or None if not found.
-        """
-        try:
-            # Get all configured interfaces from the address databag
-            interfaces = self.config.address().get_interfaces()
 
-            for interface in interfaces:
-                if not interface.is_added():
-                    continue
-
-                # Check if gateway IP is in this interface's subnet
-                if interface.ip_in_subnet(gateway_ip):
-                    return interface.get_device()
-
-            logging.debug("No matching device found for gateway %s" % gateway_ip)
-            return None
-        except Exception as e:
-            logging.error("Error finding device for gateway %s: %s" % (gateway_ip, e))
-            return None
 
     def __update(self, route):
         network = route['network']
@@ -66,7 +44,7 @@ def __update(self, route):
             CsHelper.execute(command)
 
             # Delete from PBR table if applicable
-            device = self.__find_device_for_gateway(gateway)
+            device = CsHelper.find_device_for_gateway(self.config, gateway)
             if device:
                 cs_route = CsRoute()
                 table_name = cs_route.get_tablename(device)
@@ -83,7 +61,7 @@ def __update(self, route):
                 logging.info("Added static route %s via %s to main table" % (network, gateway))
 
             # Add to PBR table if applicable
-            device = self.__find_device_for_gateway(gateway)
+            device = CsHelper.find_device_for_gateway(self.config, gateway)
             if device:
                 cs_route = CsRoute()
                 table_name = cs_route.get_tablename(device)