Setting metadata_host to 127.0.0.1 results in incorrect iptables filter rules

The metadata_host option is used by nova-network to setup an iptables rules for handling requests from VMs to the metadata service hosted by nova-api.

In normal operation metadata_host defaults to the local IP of the node running nova-network. In this case (or any case where the IP is not 127.0.0.1) nova-network creates an iptables entry in the NAT table to DNAT requests for the metadata server (169.254.169.254) to the ip specified in metadata_host. Additionally when nova-api started up it creates an iptables entry in the filter table to allow requests from VMs to the metadata server.

nova-network nat entry:
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.1:8775

nova-api filter entry:
-A nova-api-INPUT -d 10.1.1.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT

The problem is that if metadata_host is set to 127.0.0.1 nova-network will use the REDIRECT target instead of the DNAT target in its iptables rule. The resulting iptables rule looks like the following.

-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775

The issue is that REDIRECT results in an implicit DNAT the primary address of the incoming interface. As a result requests coming in from VMs will have a destination address of the gateway brought up by nova-network. The nova-api rules are not modified in this case and are only allowing requests destined to 127.0.0.1 and not the gateway IP addresses managed by nova-network.

We need to update the logic used to generate the rules for nova-api to account for the REDIRECT use case.