Comment 4 for bug 1187107

Li Ma (nick-ma-z) wrote:

It seems that the command is classified under the ip-netns filter, which will run under root permission. That's why the metadata-proxy command filter doesn't take effect.

Actually, it's not 'wrong' behavior.

neutron-rootwrap: (root > root) Executing ['/sbin/ip', 'netns', 'exec', 'qrouter-445757d8-ade8-4c2f-9b44-029942e9fd26', 'neutron-ns-metadata-proxy', '--pid_file=/var/lib/neutron/external/pids/445757d8-ade8-4c2f-9b44-029942e9fd26.pid', '--metadata_proxy_socket=/var/lib/neutron/metadata_proxy', '--router_id=445757d8-ade8-4c2f-9b44-029942e9fd26', '--state_path=/var/lib/neutron', '--metadata_port=9697', '--log-file=neutron-ns-metadata-proxy-445757d8-ade8-4c2f-9b44-029942e9fd26.log', '--log-dir=/var/log/neutron'] (filter match = ip_exec)
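
An added example, not part of the comment above and not neutron's own code: a small log audit that parses rootwrap "Executing" lines in the layout quoted above and lists which commands were wrapped in 'ip netns exec' and authorized by the ip_exec filter. The function names and the sample lines are assumptions made for illustration.

```python
import ast
import re

# Layout as in the log line quoted in the comment above:
#   neutron-rootwrap: (<user> > <user>) Executing [argv] (filter match = <name>)
LINE_RE = re.compile(
    r"neutron-rootwrap: \((\S+) > (\S+)\) Executing (\[.*\]) "
    r"\(filter match = ([\w-]+)\)\s*$")

def parse_rootwrap_line(line):
    """Return the fields of one rootwrap 'Executing' line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        argv = ast.literal_eval(m.group(3))  # parses the list repr, no eval()
    except (ValueError, SyntaxError):
        return None
    if not isinstance(argv, list) or not all(isinstance(a, str) for a in argv):
        return None
    rec = {"users": (m.group(1), m.group(2)), "filter": m.group(4),
           "argv": argv, "namespace": None, "inner": None}
    # 'ip netns exec <namespace> <command ...>' wraps a second command.
    is_ip = bool(argv) and argv[0].rsplit("/", 1)[-1] == "ip"
    if is_ip and len(argv) > 4 and argv[1:3] == ["netns", "exec"]:
        rec["namespace"], rec["inner"] = argv[3], argv[4:]
    return rec

def wrapped_commands(lines, filter_name="ip_exec"):
    """Count inner commands whose log line names `filter_name` as the match."""
    counts = {}
    for line in lines:
        rec = parse_rootwrap_line(line)
        if rec and rec["filter"] == filter_name and rec["inner"]:
            name = rec["inner"][0]
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample lines modelled on the quoted one; the router ID is a
# placeholder and the filter name 'ip' in the second line is an assumption.
SAMPLE = [
    "neutron-rootwrap: (root > root) Executing ['/sbin/ip', 'netns', 'exec', "
    "'qrouter-ROUTER-ID', 'neutron-ns-metadata-proxy', '--metadata_port=9697']"
    " (filter match = ip_exec)",
    "neutron-rootwrap: (root > root) Executing ['/sbin/ip', 'netns', 'list']"
    " (filter match = ip)",
    "some unrelated log line",
]

if __name__ == "__main__":
    print(wrapped_commands(SAMPLE))
```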