Neutron：floating IP 的实现路由器的创建为实现租户隔离，OpenStack使用Linux自带的name

路由器的创建

为实现租户隔离，OpenStack 使用 Linux 自带的 namespace 实现路由器，每个路由器对应一个 namespace，namespace 以 qrouter-routerID 命名

[root@controller1 ~]# ip netns
qrouter-7ef6fa94-94dd-4a28-b398-9c88a27b5d05 (id: 7)

floating IP

创建虚拟机分配的是内网 IP，如果想要访问外部网络就需要分配一个 floating IP，通过 floating IP 访问外部网络，这就要依赖于创建的路由器实现三层转发

floating IP 的实现就是在路由器中做 IP-to-IP 的 NAT，对此可以进入 namespace 中查看响应的规则

[root@controller1 ~]# ip netns exec qrouter-7ef6fa94-94dd-4a28-b398-9c88a27b5d05 iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1392  239K neutron-l3-agent-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    40 neutron-l3-agent-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    40 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       all  --  *      *       0.0.0.0/0            20.20.20.250         to:10.10.10.196
    0     0 DNAT       all  --  *      *       0.0.0.0/0            20.20.20.45          to:10.10.10.177

Chain neutron-l3-agent-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    40 ACCEPT     all  --  *      !qg-5b80e591-bc  0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   tcp  --  qr-+   *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
    0     0 DNAT       all  --  *      *       0.0.0.0/0            20.20.20.250         to:10.10.10.196
    0     0 DNAT       all  --  *      *       0.0.0.0/0            20.20.20.45          to:10.10.10.177

Chain neutron-l3-agent-float-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       10.10.10.196         0.0.0.0/0            to:20.20.20.250 random-fully
    0     0 SNAT       all  --  *      *       10.10.10.177         0.0.0.0/0            to:20.20.20.45 random-fully

Chain neutron-l3-agent-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 SNAT       all  --  *      qg-5b80e591-bc  0.0.0.0/0            0.0.0.0/0            to:20.20.20.93 random-fully
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x2/0xffff ctstate DNAT to:20.20.20.93 random-fully

Chain neutron-postrouting-bottom (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Perform source NAT on outgoing traffic. */

DNAT 规则：比较容易看出是在 PREROUTING 上引用了 neutron-l3-agent-PREROUTING

SNAT 规则：POSTROUTING -> neutron-postrouting-bottom -> neutron-l3-agent-snat -> neutron-l3-agent-float-snat

通过对 nat 表的分析可见每分配一个 floating IP 并将其绑定至 VM 上，对应在路由器中只是将该 floating IP 于 VM 的内部 IP 建立一条 SNAT 和 DNAT 的规则