openstack 网络介绍得不错的博客

http://blog.youkuaiyun.com/lynn_kong/article/details/8348187

就要去看iptables的nat写的是否正确了
还有看看 rp_filter参数
是你物理机网卡
你分配了floatingip都会绑定到网卡上


ip netns exec qrouter-a4d90c7f-14a7-453f-985c-81a00762337a ping 192.168.7.3
a4d90c7f-14a7-453f-985c-81a00762337a是路由器，192.168.7.3是内网
http://docs.openstack.org/trunk/openstack-network/admin/content/adv_cfg_l3_agent_metadata.html
http://lists.openstack.org/pipermail/openstack-operators/2012-October/002150.html
http://networkstatic.net/openstack-folsom-quantum-devstack-installation-tutorial/
http://cloudistic.me/blog/openstack-folsom-diving-into-the-new-namespace-model-of-quantum-v2/
https://bugs.launchpad.net/quantum/+bug/1079926

In order to allow access to the metadata service (169.254.169.254), quantum-l3-agent sets NAT rules for the affected router namespace:

-t nat -A quantum-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.111:8775

For setups where all services are running on the same host, this is insufficient. The rule above is simply skipped for packages that were generated by local processes. To make it work, the following rule is required:

-t nat -A quantum-l3-agent-PREROUTING -s 0.0.0.0/0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775

With that rule in place, VMs can reach the metadata service nicely.

inux的rp_filter用于实现反向过滤技术，也即uRPF，它验证反向数据包的流向，以避免伪装IP攻击.但是这和Linux的策略 路由却很容易发生冲突，其本质原因在于，uRPF技术强制规定了一个反向包的“方向”，而实际的路由是没有方向的。策略路由并没有错，错就错在uRPF增 加了一个路由概念本身并没有且从不考虑的约束。

附：

rp_filter - INTEGER

0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
Each incoming packet is tested against the FIB and if the interface
is not the best reverse path the packet check will fail.
By default failed packets are discarded.
2 - Loose mode as defined in RFC3704 Loose Reverse Path
Each incoming packet's source address is also tested against the FIB
and if the source address is not reachable via any interface
the packet check will fail.
Current recommended practice in RFC3704 is to enable strict mode
to prevent IP spoofing from DDos attacks. If using asymmetric routing
or other complicated routing, then loose mode is recommended.
The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}.
Default value is 0　based our os. Note that some distributions enable it
in startup scripts.

设置方法：

系统配置文件
1. /etc/sysctl.conf

把 net.ipv4.conf.all.rp_filter和net.ipv4.conf.default.rp_filter设为0即可
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
系统启动后，会自动加载这个配置文件，内核会使用这个变量。

2. 命令行
显示一个内核变量 sysctl net.ipv4.conf.all.rp_filter
设置一个内核变量 sysctl -w net.ipv4.conf.all.rp_filter=0
设置完后，会更新内核（实时的内存）中的变量的值，但不会修改sysctl.conf的值

3. 使用/proc文件系统
查看 cat /proc/sys/net/ipv4/conf/all/rp_filter
设置 echo "0">/proc/sys/net/ipv4/conf/all/rp_filter