)]}'
{"neutron/agent/l3/router_info.py":[{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"a35de31fc1577a2ad715826be237f064a331f8c5","unresolved":false,"context_lines":[{"line_number":884,"context_line":"    def _prevent_snat_for_internal_traffic_rule(self, interface_name):"},{"line_number":885,"context_line":"        return ("},{"line_number":886,"context_line":"            \u0027POSTROUTING\u0027, \u0027! -o %(interface_name)s -m conntrack \u0027"},{"line_number":887,"context_line":"                           \u0027! --ctstate DNAT -j ACCEPT\u0027 %"},{"line_number":888,"context_line":"                           {\u0027interface_name\u0027: interface_name})"},{"line_number":889,"context_line":""},{"line_number":890,"context_line":"    def external_gateway_nat_fip_rules(self, ex_gw_ip, interface_name):"}],"source_content_type":"text/x-python","patch_set":1,"id":"9fb8cfa7_b6f0a392","line":887,"updated":"2019-07-02 06:02:07.000000000","message":"one question: The previous rule matches only traffic between internal interfaces. The new rule seems to match traffic from other interfaces to an interface specified by \"interface_name\"? Doesn\u0027t it cause any problem?","commit_id":"dfa37b2233b2dbe6dd12ec5e2ee4f1f32a4be4ba"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"ba4e47d544466e4b026650600e2d1795f2bf8640","unresolved":false,"context_lines":[{"line_number":884,"context_line":"    def _prevent_snat_for_internal_traffic_rule(self, interface_name):"},{"line_number":885,"context_line":"        return ("},{"line_number":886,"context_line":"            \u0027POSTROUTING\u0027, \u0027! -o %(interface_name)s -m conntrack \u0027"},{"line_number":887,"context_line":"                           \u0027! 
--ctstate DNAT -j ACCEPT\u0027 %"},{"line_number":888,"context_line":"                           {\u0027interface_name\u0027: interface_name})"},{"line_number":889,"context_line":""},{"line_number":890,"context_line":"    def external_gateway_nat_fip_rules(self, ex_gw_ip, interface_name):"}],"source_content_type":"text/x-python","patch_set":1,"id":"9fb8cfa7_a5f06792","line":887,"in_reply_to":"9fb8cfa7_39a264fd","updated":"2019-07-02 12:17:01.000000000","message":"Thanks for the detail explanation. It makes sense to me.","commit_id":"dfa37b2233b2dbe6dd12ec5e2ee4f1f32a4be4ba"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"afdf5737b8b4dcb6ccb9e0c96ae32944f2680a7b","unresolved":false,"context_lines":[{"line_number":884,"context_line":"    def _prevent_snat_for_internal_traffic_rule(self, interface_name):"},{"line_number":885,"context_line":"        return ("},{"line_number":886,"context_line":"            \u0027POSTROUTING\u0027, \u0027! -o %(interface_name)s -m conntrack \u0027"},{"line_number":887,"context_line":"                           \u0027! --ctstate DNAT -j ACCEPT\u0027 %"},{"line_number":888,"context_line":"                           {\u0027interface_name\u0027: interface_name})"},{"line_number":889,"context_line":""},{"line_number":890,"context_line":"    def external_gateway_nat_fip_rules(self, ex_gw_ip, interface_name):"}],"source_content_type":"text/x-python","patch_set":1,"id":"9fb8cfa7_39a264fd","line":887,"in_reply_to":"9fb8cfa7_b6f0a392","updated":"2019-07-02 06:54:50.000000000","message":"Previous rule in practice was exactly the same as the new one because in post routing chain there is no information about input device so this field couldn\u0027t be match, and it doesn\u0027t matter if it was this device or another.\nSo this change don\u0027t change anything from logical point of view for iptables. 
But as nftables behaves differently when there is an attempt to match on a non-existing field, this old rule caused problems when using nftables. That\u0027s why this change is needed :)\n\nAnd also, this rule still matches only internal traffic, because it matches only traffic which will not be sent via the qg- interface. All \"external\" traffic will be routed through the qg- interface, so this rule will not match such packets.","commit_id":"dfa37b2233b2dbe6dd12ec5e2ee4f1f32a4be4ba"}]}
