)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":9531,"name":"liuyulong","display_name":"LIU Yulong","email":"i@liuyulong.me","username":"LIU-Yulong"},"change_message_id":"c76fa21a02f6f6937395706634a923bee65156b7","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Test result shows that the remote security group and"},{"line_number":21,"context_line":"allowed address pair works:"},{"line_number":22,"context_line":"1. Port has 0.0.0.0/0 allowed-address-pair clould send any"},{"line_number":23,"context_line":"   IP (src) packet out."},{"line_number":24,"context_line":"2. Ports under same network can reach each other (remote"},{"line_number":25,"context_line":"   security group)."},{"line_number":26,"context_line":"3. Protocol port number could be accessed only when there"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"1fa4df85_8920b49d","line":23,"range":{"start_line":22,"start_character":0,"end_line":23,"end_character":23},"updated":"2020-03-13 08:41:46.000000000","message":"@Slawek this should be your case, it works!","commit_id":"02fa274475f5748d3223eb0750c2fd23fcc9737f"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"7a9f933e1b876fff85f118d89c640add778a680c","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"When add allowed-address-pair 0.0.0.0/0 to one port, it will"},{"line_number":10,"context_line":"unexpectedly open all others\u0027 protocol under same security"},{"line_number":11,"context_line":"group. 
IPv6 has the same problem."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The root cause is the openflow rules calculation of the"},{"line_number":14,"context_line":"security group, it will unexpectedly allow all IP(4\u00266)"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":8,"id":"1fa4df85_224dd771","line":11,"updated":"2020-03-18 11:56:28.000000000","message":"But, if I\u0027m not wrong, this is caused by the way we create the conjunctions. Is that correct?","commit_id":"52bdd90f393c4336a93fd2a5bba337235e29f8b1"},{"author":{"_account_id":9531,"name":"liuyulong","display_name":"LIU Yulong","email":"i@liuyulong.me","username":"LIU-Yulong"},"change_message_id":"834942ce34d69c14cad2e6accff9ce0fdcfa0cbc","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"When add allowed-address-pair 0.0.0.0/0 to one port, it will"},{"line_number":10,"context_line":"unexpectedly open all others\u0027 protocol under same security"},{"line_number":11,"context_line":"group. IPv6 has the same problem."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The root cause is the openflow rules calculation of the"},{"line_number":14,"context_line":"security group, it will unexpectedly allow all IP(4\u00266)"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":8,"id":"1fa4df85_22e95719","line":11,"in_reply_to":"1fa4df85_224dd771","updated":"2020-03-18 13:50:29.000000000","message":"I\u0027m not sure; this should be related to the original design of allowed-address-pair. Since Slawek said iptables has the same problem, I may ask why the code does not consider checking the source MAC, even though the allowed-address-pair has a MAC address attribute. 
So this patch tries to fix the issue from that angle: if the allowed IP address is 0.0.0.0/0, check the source MAC.","commit_id":"52bdd90f393c4336a93fd2a5bba337235e29f8b1"}],"neutron/api/rpc/handlers/securitygroups_rpc.py":[{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"af289e84db9bd75145d85c578b860832beb0e9e0","unresolved":false,"context_lines":[{"line_number":328,"context_line":"        filters \u003d {\u0027security_group_ids\u0027: tuple(remote_group_ids)}"},{"line_number":329,"context_line":"        for p in self.rcache.get_resources(\u0027Port\u0027, filters):"},{"line_number":330,"context_line":"            port_ips \u003d [str(addr.ip_address)"},{"line_number":331,"context_line":"                        for addr in p.fixed_ips + p.allowed_address_pairs]"},{"line_number":332,"context_line":"            for sg_id in p.security_group_ids:"},{"line_number":333,"context_line":"                if sg_id in ips_by_group:"},{"line_number":334,"context_line":"                    ips_by_group[sg_id].update(set(port_ips))"}],"source_content_type":"text/x-python","patch_set":1,"id":"1fa4df85_94cf7baf","side":"PARENT","line":331,"updated":"2020-03-12 11:09:19.000000000","message":"that will basically break the way how allowed_address_pairs and remote security groups works currently in Neutron","commit_id":"c90011ee49a00d3b1153afebc171f6f72519dda5"},{"author":{"_account_id":9531,"name":"liuyulong","display_name":"LIU Yulong","email":"i@liuyulong.me","username":"LIU-Yulong"},"change_message_id":"a69b9fb8847988606b1855bc7aa48243baa26529","unresolved":false,"context_lines":[{"line_number":328,"context_line":"        filters \u003d {\u0027security_group_ids\u0027: tuple(remote_group_ids)}"},{"line_number":329,"context_line":"        for p in self.rcache.get_resources(\u0027Port\u0027, filters):"},{"line_number":330,"context_line":"            port_ips \u003d 
[str(addr.ip_address)"},{"line_number":331,"context_line":"                        for addr in p.fixed_ips + p.allowed_address_pairs]"},{"line_number":332,"context_line":"            for sg_id in p.security_group_ids:"},{"line_number":333,"context_line":"                if sg_id in ips_by_group:"},{"line_number":334,"context_line":"                    ips_by_group[sg_id].update(set(port_ips))"}],"source_content_type":"text/x-python","patch_set":1,"id":"1fa4df85_b4771709","side":"PARENT","line":331,"in_reply_to":"1fa4df85_94cf7baf","updated":"2020-03-12 11:48:29.000000000","message":"According to local testing, no break was seen. Both work fine. Let\u0027s wait and see what the zuul say...","commit_id":"c90011ee49a00d3b1153afebc171f6f72519dda5"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f1245e0e81d844febfe3e9f2756087bbd4e694ba","unresolved":false,"context_lines":[{"line_number":328,"context_line":"        filters \u003d {\u0027security_group_ids\u0027: tuple(remote_group_ids)}"},{"line_number":329,"context_line":"        for p in self.rcache.get_resources(\u0027Port\u0027, filters):"},{"line_number":330,"context_line":"            port_ips \u003d [str(addr.ip_address)"},{"line_number":331,"context_line":"                        for addr in p.fixed_ips + p.allowed_address_pairs]"},{"line_number":332,"context_line":"            for sg_id in p.security_group_ids:"},{"line_number":333,"context_line":"                if sg_id in ips_by_group:"},{"line_number":334,"context_line":"                    ips_by_group[sg_id].update(set(port_ips))"}],"source_content_type":"text/x-python","patch_set":1,"id":"1fa4df85_6651e762","side":"PARENT","line":331,"in_reply_to":"1fa4df85_b4771709","updated":"2020-03-13 08:09:43.000000000","message":"I don\u0027t think we have any coverage for that. What it will break is the case like:\n\n1. 
You have port A with fixed IP a.a.a.a and port B with fixed IP b.b.b.b\n2. Both ports use the same security group, which has a rule that allows traffic from ports which belong to the same security group (it\u0027s one of the default rules in SG).\n3. And now if You want to use e.g. IP c.c.c.c on the VM which uses port B, traffic from c.c.c.c should be allowed to port A. But with Your patch it will not be allowed, as IP c.c.c.c will not be added to the ipset.\n\nOr am I missing something and it will still work?","commit_id":"c90011ee49a00d3b1153afebc171f6f72519dda5"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"886df312b4b6dd7995848ef4704367130b356d3f","unresolved":false,"context_lines":[{"line_number":327,"context_line":""},{"line_number":328,"context_line":"        filters \u003d {\u0027security_group_ids\u0027: tuple(remote_group_ids)}"},{"line_number":329,"context_line":"        for p in self.rcache.get_resources(\u0027Port\u0027, filters):"},{"line_number":330,"context_line":"            allowed_ips \u003d [(str(addr.ip_address), str(addr.mac_address))"},{"line_number":331,"context_line":"                           for addr in p.allowed_address_pairs]"},{"line_number":332,"context_line":"            port_ips \u003d [(str(addr.ip_address), str(p.mac_address))"},{"line_number":333,"context_line":"                        for addr in p.fixed_ips] + allowed_ips"}],"source_content_type":"text/x-python","patch_set":7,"id":"1fa4df85_e9ea5ad6","line":330,"updated":"2020-03-17 11:56:30.000000000","message":"what if addr.mac_address will be not set?","commit_id":"d13e77e49c20091d639fe3b31d390f05399f20a9"},{"author":{"_account_id":9531,"name":"liuyulong","display_name":"LIU 
Yulong","email":"i@liuyulong.me","username":"LIU-Yulong"},"change_message_id":"592dc27235d332435dc364587378a9eca88e055f","unresolved":false,"context_lines":[{"line_number":327,"context_line":""},{"line_number":328,"context_line":"        filters \u003d {\u0027security_group_ids\u0027: tuple(remote_group_ids)}"},{"line_number":329,"context_line":"        for p in self.rcache.get_resources(\u0027Port\u0027, filters):"},{"line_number":330,"context_line":"            allowed_ips \u003d [(str(addr.ip_address), str(addr.mac_address))"},{"line_number":331,"context_line":"                           for addr in p.allowed_address_pairs]"},{"line_number":332,"context_line":"            port_ips \u003d [(str(addr.ip_address), str(p.mac_address))"},{"line_number":333,"context_line":"                        for addr in p.fixed_ips] + allowed_ips"}],"source_content_type":"text/x-python","patch_set":7,"id":"1fa4df85_046d5003","line":330,"in_reply_to":"1fa4df85_e9ea5ad6","updated":"2020-03-18 02:09:07.000000000","message":"Then it will be the port\u0027s mac by default.","commit_id":"d13e77e49c20091d639fe3b31d390f05399f20a9"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"886df312b4b6dd7995848ef4704367130b356d3f","unresolved":false,"context_lines":[{"line_number":330,"context_line":"            allowed_ips \u003d [(str(addr.ip_address), str(addr.mac_address))"},{"line_number":331,"context_line":"                           for addr in p.allowed_address_pairs]"},{"line_number":332,"context_line":"            port_ips \u003d [(str(addr.ip_address), str(p.mac_address))"},{"line_number":333,"context_line":"                        for addr in p.fixed_ips] + allowed_ips"},{"line_number":334,"context_line":"            for sg_id in p.security_group_ids:"},{"line_number":335,"context_line":"                if sg_id in ips_by_group:"},{"line_number":336,"context_line":"                    
ips_by_group[sg_id].update(set(port_ips))"}],"source_content_type":"text/x-python","patch_set":7,"id":"1fa4df85_c9ef5ee7","line":333,"updated":"2020-03-17 11:56:30.000000000","message":"probably because of this change of format of the data, it fails on neutron agent\u0027s side. See logs https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_696/712632/7/check/neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid/696337d/controller/logs/screen-q-agt.txt","commit_id":"d13e77e49c20091d639fe3b31d390f05399f20a9"},{"author":{"_account_id":9531,"name":"liuyulong","display_name":"LIU Yulong","email":"i@liuyulong.me","username":"LIU-Yulong"},"change_message_id":"592dc27235d332435dc364587378a9eca88e055f","unresolved":false,"context_lines":[{"line_number":330,"context_line":"            allowed_ips \u003d [(str(addr.ip_address), str(addr.mac_address))"},{"line_number":331,"context_line":"                           for addr in p.allowed_address_pairs]"},{"line_number":332,"context_line":"            port_ips \u003d [(str(addr.ip_address), str(p.mac_address))"},{"line_number":333,"context_line":"                        for addr in p.fixed_ips] + allowed_ips"},{"line_number":334,"context_line":"            for sg_id in p.security_group_ids:"},{"line_number":335,"context_line":"                if sg_id in ips_by_group:"},{"line_number":336,"context_line":"                    ips_by_group[sg_id].update(set(port_ips))"}],"source_content_type":"text/x-python","patch_set":7,"id":"1fa4df85_c47658d9","line":333,"in_reply_to":"1fa4df85_c9ef5ee7","updated":"2020-03-18 02:09:07.000000000","message":"Yes, I\u0027m working on that, the code path is a bit complicated.","commit_id":"d13e77e49c20091d639fe3b31d390f05399f20a9"},{"author":{"_account_id":16688,"name":"Rodolfo 
Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"7a9f933e1b876fff85f118d89c640add778a680c","unresolved":false,"context_lines":[{"line_number":320,"context_line":"            result[device] \u003d port"},{"line_number":321,"context_line":"        return result"},{"line_number":322,"context_line":""},{"line_number":323,"context_line":"    def _select_ips_for_remote_group(self, context, remote_group_ids):"},{"line_number":324,"context_line":"        if not remote_group_ids:"},{"line_number":325,"context_line":"            return {}"},{"line_number":326,"context_line":"        ips_by_group \u003d {rg: set() for rg in remote_group_ids}"}],"source_content_type":"text/x-python","patch_set":8,"id":"1fa4df85_c75ad54e","line":323,"range":{"start_line":323,"start_character":8,"end_line":323,"end_character":36},"updated":"2020-03-18 11:56:28.000000000","message":"This is called from securitygroups_rpc_base twice.\n\n\"_convert_remote_group_id_to_ip_prefix\" is expecting a dict with sets of IP addresses only, not a set of tuples.","commit_id":"52bdd90f393c4336a93fd2a5bba337235e29f8b1"},{"author":{"_account_id":9531,"name":"liuyulong","display_name":"LIU Yulong","email":"i@liuyulong.me","username":"LIU-Yulong"},"change_message_id":"834942ce34d69c14cad2e6accff9ce0fdcfa0cbc","unresolved":false,"context_lines":[{"line_number":320,"context_line":"            result[device] \u003d port"},{"line_number":321,"context_line":"        return result"},{"line_number":322,"context_line":""},{"line_number":323,"context_line":"    def _select_ips_for_remote_group(self, context, remote_group_ids):"},{"line_number":324,"context_line":"        if not remote_group_ids:"},{"line_number":325,"context_line":"            return {}"},{"line_number":326,"context_line":"        ips_by_group \u003d {rg: set() for rg in 
remote_group_ids}"}],"source_content_type":"text/x-python","patch_set":8,"id":"1fa4df85_e2ffbf64","line":323,"range":{"start_line":323,"start_character":8,"end_line":323,"end_character":36},"in_reply_to":"1fa4df85_c75ad54e","updated":"2020-03-18 13:50:29.000000000","message":"Done","commit_id":"52bdd90f393c4336a93fd2a5bba337235e29f8b1"}],"neutron/db/securitygroups_rpc_base.py":[{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"7a9f933e1b876fff85f118d89c640add778a680c","unresolved":false,"context_lines":[{"line_number":258,"context_line":"                port[\u0027security_group_source_groups\u0027].append(remote_group_id)"},{"line_number":259,"context_line":"                base_rule \u003d rule"},{"line_number":260,"context_line":"                for ip in ips[remote_group_id]:"},{"line_number":261,"context_line":"                    if ip in port.get(\u0027fixed_ips\u0027, []):"},{"line_number":262,"context_line":"                        continue"},{"line_number":263,"context_line":"                    ip_rule \u003d base_rule.copy()"},{"line_number":264,"context_line":"                    version \u003d netaddr.IPNetwork(ip).version"}],"source_content_type":"text/x-python","patch_set":8,"id":"1fa4df85_227637a6","line":261,"range":{"start_line":261,"start_character":20,"end_line":261,"end_character":38},"updated":"2020-03-18 11:56:28.000000000","message":"This will fail, I think. 
\"ip\" is a tuple (ip,mac)","commit_id":"52bdd90f393c4336a93fd2a5bba337235e29f8b1"},{"author":{"_account_id":9531,"name":"liuyulong","display_name":"LIU Yulong","email":"i@liuyulong.me","username":"LIU-Yulong"},"change_message_id":"834942ce34d69c14cad2e6accff9ce0fdcfa0cbc","unresolved":false,"context_lines":[{"line_number":258,"context_line":"                port[\u0027security_group_source_groups\u0027].append(remote_group_id)"},{"line_number":259,"context_line":"                base_rule \u003d rule"},{"line_number":260,"context_line":"                for ip in ips[remote_group_id]:"},{"line_number":261,"context_line":"                    if ip in port.get(\u0027fixed_ips\u0027, []):"},{"line_number":262,"context_line":"                        continue"},{"line_number":263,"context_line":"                    ip_rule \u003d base_rule.copy()"},{"line_number":264,"context_line":"                    version \u003d netaddr.IPNetwork(ip).version"}],"source_content_type":"text/x-python","patch_set":8,"id":"1fa4df85_a2e6a715","line":261,"range":{"start_line":261,"start_character":20,"end_line":261,"end_character":38},"in_reply_to":"1fa4df85_227637a6","updated":"2020-03-18 13:50:29.000000000","message":"done","commit_id":"52bdd90f393c4336a93fd2a5bba337235e29f8b1"}]}
