fix adding multiple pf rules

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/agent/api/DeleteNsxNatRuleCommand.java

@@ -21,10 +21,15 @@ import com.cloud.network.Network;
 public class DeleteNsxNatRuleCommand extends NsxNetworkCommand {
     private Long ruleId;
     private Network.Service service;
+
+    private String privatePort;
+    private String protocol;
     public DeleteNsxNatRuleCommand(long domainId, long accountId, long zoneId, Long networkResourceId, String networkResourceName,
-                                   boolean isResourceVpc, Long vmId, Long ruleId, String publicIp, String vmIp) {
-        super(domainId, accountId, zoneId, networkResourceId, networkResourceName, isResourceVpc, vmId, publicIp, vmIp);
+                                   boolean isResourceVpc, Long vmId, Long ruleId, String privatePort, String protocol) {
+        super(domainId, accountId, zoneId, networkResourceId, networkResourceName, isResourceVpc, vmId);
         this.ruleId = ruleId;
+        this.privatePort = privatePort;
+        this.protocol = protocol;
     }
 
     public Long getRuleId() {
@@ -38,4 +43,12 @@ public class DeleteNsxNatRuleCommand extends NsxNetworkCommand {
     public void setService(Network.Service service) {
         this.service = service;
     }
+
+    public String getPrivatePort() {
+        return privatePort;
+    }
+
+    public String getProtocol() {
+        return protocol;
+    }
 }

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/agent/api/NsxNetworkCommand.java

@@ -37,6 +37,15 @@ public class NsxNetworkCommand extends NsxCommand {
         this.vmIp = vmIp;
     }
 
+    public NsxNetworkCommand(long domainId, long accountId, long zoneId, Long networkResourceId, String networkResourceName,
+                            boolean isResourceVpc, Long vmId) {
+        super(domainId, accountId, zoneId);
+        this.networkResourceId = networkResourceId;
+        this.networkResourceName = networkResourceName;
+        this.isResourceVpc = isResourceVpc;
+        this.vmId = vmId;
+    }
+
     public Long getNetworkResourceId() {
         return networkResourceId;
     }

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java

@@ -361,26 +361,6 @@ public class NsxResource implements ServerResource {
         return new NsxAnswer(cmd, true, null);
     }
 
-    private NsxAnswer executeRequest(DeleteNsxNatRuleCommand cmd) {
-        String ruleName = null;
-        if (cmd.getService() == Network.Service.StaticNat) {
-            ruleName = NsxControllerUtils.getStaticNatRuleName(cmd.getDomainId(), cmd.getAccountId(), cmd.getZoneId(),
-                    cmd.getNetworkResourceId(), cmd.isResourceVpc());
-        } else if (cmd.getService() == Network.Service.PortForwarding) {
-            ruleName = NsxControllerUtils.getPortForwardRuleName(cmd.getDomainId(), cmd.getAccountId(), cmd.getZoneId(),
-                    cmd.getNetworkResourceId(), cmd.getRuleId(), cmd.isResourceVpc());
-        }
-        String tier1GatewayName = NsxControllerUtils.getTier1GatewayName(cmd.getDomainId(), cmd.getAccountId(), cmd.getZoneId(),
-                cmd.getNetworkResourceId(), cmd.isResourceVpc());
-        try {
-            nsxApiClient.deleteNatRule(cmd.getNetworkResourceName(), tier1GatewayName, ruleName);
-        } catch (Exception e) {
-            LOGGER.error(String.format("Failed to add NSX static NAT rule %s for network: %s", ruleName, cmd.getNetworkResourceName()));
-            return new NsxAnswer(cmd, new CloudRuntimeException(e.getMessage()));
-        }
-        return new NsxAnswer(cmd, true, null);
-    }
-
     private NsxAnswer executeRequest(CreateNsxPortForwardRuleCommand cmd) {
         String ruleName = NsxControllerUtils.getPortForwardRuleName(cmd.getDomainId(), cmd.getAccountId(), cmd.getZoneId(),
                 cmd.getNetworkResourceId(), cmd.getRuleId(), cmd.isResourceVpc());
@@ -400,6 +380,27 @@ public class NsxResource implements ServerResource {
         return new NsxAnswer(cmd, true, null);
     }
 
+    private NsxAnswer executeRequest(DeleteNsxNatRuleCommand cmd) {
+        String ruleName = null;
+        if (cmd.getService() == Network.Service.StaticNat) {
+            ruleName = NsxControllerUtils.getStaticNatRuleName(cmd.getDomainId(), cmd.getAccountId(), cmd.getZoneId(),
+                    cmd.getNetworkResourceId(), cmd.isResourceVpc());
+        } else if (cmd.getService() == Network.Service.PortForwarding) {
+            ruleName = NsxControllerUtils.getPortForwardRuleName(cmd.getDomainId(), cmd.getAccountId(), cmd.getZoneId(),
+                    cmd.getNetworkResourceId(), cmd.getRuleId(), cmd.isResourceVpc());
+        }
+        String tier1GatewayName = NsxControllerUtils.getTier1GatewayName(cmd.getDomainId(), cmd.getAccountId(), cmd.getZoneId(),
+                cmd.getNetworkResourceId(), cmd.isResourceVpc());
+        try {
+            nsxApiClient.deleteNatRule(cmd.getService(), cmd.getPrivatePort(), cmd.getProtocol(),
+                    cmd.getNetworkResourceName(), tier1GatewayName, ruleName);
+        } catch (Exception e) {
+            LOGGER.error(String.format("Failed to add NSX static NAT rule %s for network: %s", ruleName, cmd.getNetworkResourceName()));
+            return new NsxAnswer(cmd, new CloudRuntimeException(e.getMessage()));
+        }
+        return new NsxAnswer(cmd, true, null);
+    }
+
     @Override
     public boolean start() {
         return true;

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxApiClient.java

@@ -17,6 +17,7 @@
 package org.apache.cloudstack.service;
 
 import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.network.Network;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.vmware.nsx.model.TransportZone;
 import com.vmware.nsx.model.TransportZoneListResult;
@@ -332,11 +333,18 @@ public class NsxApiClient {
         }
     }
 
-    public void deleteNatRule(String networkName, String tier1GatewayName, String ruleName) {
+    public void deleteNatRule(Network.Service service, String privatePort, String protocol, String networkName, String tier1GatewayName, String ruleName) {
         try {
             NatRules natService = (NatRules) nsxService.apply(NatRules.class);
             LOGGER.debug(String.format("Deleting NSX static NAT rule %s for tier-1 gateway %s (network: %s)", ruleName, tier1GatewayName, networkName));
+            // delete NAT rule
             natService.delete(tier1GatewayName, NatId.USER.name(), ruleName);
+            if (service == Network.Service.PortForwarding) {
+                String svcName = getServiceName(ruleName, privatePort, protocol);
+                // Delete service
+                Services services = (Services) nsxService.apply(Services.class);
+                services.delete(svcName);
+            }
         } catch (Error error) {
             ApiError ae = error.getData()._convertTo(ApiError.class);
             String msg = String.format("Failed to delete NSX Static NAT rule %s for tier-1 gateway %s (VPC: %s), due to %s",
@@ -408,8 +416,8 @@ public class NsxApiClient {
 
     public String createNsxInfraService(String ruleName, String port, String protocol) {
         try {
-            String serviceEntryName = ruleName + "-SE-" + port;
-            String serviceName = ruleName + "-SVC-" + port;
+            String serviceEntryName = getServiceEntryName(ruleName, port, protocol);
+            String serviceName = getServiceName(ruleName, port, protocol);
             Services service = (Services) nsxService.apply(Services.class);
             com.vmware.nsx_policy.model.Service infraService = new com.vmware.nsx_policy.model.Service.Builder()
                     .setServiceEntries(List.of(
@@ -448,4 +456,12 @@ public class NsxApiClient {
         }
         return null;
     }
+
+    private String getServiceName(String ruleName, String port, String protocol) {
+        return ruleName + "-SVC-" + port + "-" +protocol;
+    }
+
+    private String getServiceEntryName(String ruleName, String port, String protocol) {
+        return ruleName + "-SE-" + port + "-" + protocol;
+    }
 }

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxElement.java

@@ -523,7 +523,7 @@ public class NsxElement extends AdapterBase implements DhcpServiceProvider, DnsS
                     .build();
             if (rule.getState() == FirewallRule.State.Add) {
                 return nsxService.createPortForwardRule(networkRule);
-            } else {
+            } else if (rule.getState() == FirewallRule.State.Revoke) {
                 return nsxService.deletePortForwardRule(networkRule);
             }
         }

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxServiceImpl.java

@@ -119,7 +119,7 @@ public class NsxServiceImpl implements NsxService {
     public boolean deletePortForwardRule(NsxNetworkRule netRule) {
         DeleteNsxNatRuleCommand deleteCmd = new DeleteNsxNatRuleCommand(netRule.getDomainId(),
                 netRule.getAccountId(), netRule.getZoneId(), netRule.getNetworkResourceId(),
-                netRule.getNetworkResourceName(), netRule.isVpcResource(),  netRule.getVmId(), netRule.getRuleId(), null, null);
+                netRule.getNetworkResourceName(), netRule.isVpcResource(),  netRule.getVmId(), netRule.getRuleId(), netRule.getPrivatePort(), netRule.getPublicPort());
         deleteCmd.setService(Network.Service.PortForwarding);
         NsxAnswer result = nsxControllerUtils.sendNsxCommand(deleteCmd, netRule.getZoneId());
         return result.getResult();