)]}'
{"neutron/agent/linux/openvswitch_firewall/firewall.py":[{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"f9fcec9862811d0c6a006b35da8f6dd64af5fc42","unresolved":true,"context_lines":[{"line_number":962,"context_line":"                    nd_target\u003dip_addr,"},{"line_number":963,"context_line":"                    actions\u003d\u0027resubmit(,%d)\u0027 % ("},{"line_number":964,"context_line":"                        ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)"},{"line_number":965,"context_line":"                )"},{"line_number":966,"context_line":""},{"line_number":967,"context_line":"    def _initialize_egress_no_port_security(self, port_id, ovs_ports\u003dNone):"},{"line_number":968,"context_line":"        try:"}],"source_content_type":"text/x-python","patch_set":1,"id":"fddd338d_26a19113","line":965,"updated":"2021-04-12 14:55:11.000000000","message":"So maybe it\u0027s too early for me, but this only results in a single flow, right?  I believe the NA will only be sent a specific way, but it\u0027s been a while since I read the RFCs.","commit_id":"d5f706a80558cc8fdb84947f1829325fc6df61ca"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"616e9051da53d212af23950039bd568420721c13","unresolved":true,"context_lines":[{"line_number":962,"context_line":"                    nd_target\u003dip_addr,"},{"line_number":963,"context_line":"                    actions\u003d\u0027resubmit(,%d)\u0027 % ("},{"line_number":964,"context_line":"                        ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)"},{"line_number":965,"context_line":"                )"},{"line_number":966,"context_line":""},{"line_number":967,"context_line":"    def _initialize_egress_no_port_security(self, port_id, ovs_ports\u003dNone):"},{"line_number":968,"context_line":"        try:"}],"source_content_type":"text/x-python","patch_set":1,"id":"4132e7f8_3729473e","line":965,"in_reply_to":"3a37ad37_5510e47a","updated":"2021-04-15 06:59:13.000000000","message":"But please check comment 17 in the related bug https://bugs.launchpad.net/neutron/+bug/1902917/comments/17 - It is possible to have proper source/destination addresses but spoofed IP in tgt field (nd_target). And that rule is to avoid spoofing in that way. I was testing that locally and it worked as expected for me.","commit_id":"d5f706a80558cc8fdb84947f1829325fc6df61ca"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"410ac02d7b6109d6345a85b53095b4098a1d5648","unresolved":true,"context_lines":[{"line_number":962,"context_line":"                    nd_target\u003dip_addr,"},{"line_number":963,"context_line":"                    actions\u003d\u0027resubmit(,%d)\u0027 % ("},{"line_number":964,"context_line":"                        ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)"},{"line_number":965,"context_line":"                )"},{"line_number":966,"context_line":""},{"line_number":967,"context_line":"    def _initialize_egress_no_port_security(self, port_id, ovs_ports\u003dNone):"},{"line_number":968,"context_line":"        try:"}],"source_content_type":"text/x-python","patch_set":1,"id":"003816f2_27334570","line":965,"in_reply_to":"4132e7f8_3729473e","updated":"2021-04-26 14:09:49.000000000","message":"Ack, I guess this looks good then. Thanks Slawek!","commit_id":"d5f706a80558cc8fdb84947f1829325fc6df61ca"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"6b78e61c0e927a4c5df8caf569a7a60773c622db","unresolved":true,"context_lines":[{"line_number":962,"context_line":"                    nd_target\u003dip_addr,"},{"line_number":963,"context_line":"                    actions\u003d\u0027resubmit(,%d)\u0027 % ("},{"line_number":964,"context_line":"                        ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)"},{"line_number":965,"context_line":"                )"},{"line_number":966,"context_line":""},{"line_number":967,"context_line":"    def _initialize_egress_no_port_security(self, port_id, ovs_ports\u003dNone):"},{"line_number":968,"context_line":"        try:"}],"source_content_type":"text/x-python","patch_set":1,"id":"3a37ad37_5510e47a","line":965,"in_reply_to":"644b0f2c_975f12e1","updated":"2021-04-13 16:21:41.000000000","message":"I don\u0027t think we need to change it.  Looking at a capture it seems the NA comes from the target address - global or link-local, so as long as we cover that case and responses work we should be Ok.\n\n\nFrame 2645: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface eno1, id 0\nEthernet II, Src: Dell_84:77:f9 (64:00:6a:84:77:f9), Dst: Tp-LinkT_d6:87:30 (1c:3b:f3:d6:87:30)\nInternet Protocol Version 6, Src: 2601:18f:700:287c::1009, Dst: fe80::1e3b:f3ff:fed6:8730\n    0110 .... \u003d Version: 6\n    .... 0000 0000 .... .... .... .... .... \u003d Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)\n    .... .... .... 0000 0000 0000 0000 0000 \u003d Flow Label: 0x00000\n    Payload Length: 24\n    Next Header: ICMPv6 (58)\n    Hop Limit: 255\n    Source: 2601:18f:700:287c::1009\n    Destination: fe80::1e3b:f3ff:fed6:8730\n    [Destination SA MAC: Tp-LinkT_d6:87:30 (1c:3b:f3:d6:87:30)]\nInternet Control Message Protocol v6\n    Type: Neighbor Advertisement (136)\n    Code: 0\n    Checksum: 0xd2be [correct]\n    [Checksum Status: Good]\n    Flags: 0x40000000, Solicited\n    Target Address: 2601:18f:700:287c::1009\n\n\nFrame 6052: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface eno1, id 0\nEthernet II, Src: Dell_84:77:f9 (64:00:6a:84:77:f9), Dst: Tp-LinkT_d6:87:30 (1c:3b:f3:d6:87:30)\nInternet Protocol Version 6, Src: fe80::9186:7f83:bfe7:4395, Dst: fe80::1e3b:f3ff:fed6:8730\n    0110 .... \u003d Version: 6\n    .... 0000 0000 .... .... .... .... .... \u003d Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)\n    .... .... .... 0000 0000 0000 0000 0000 \u003d Flow Label: 0x00000\n    Payload Length: 32\n    Next Header: ICMPv6 (58)\n    Hop Limit: 255\n    Source: fe80::9186:7f83:bfe7:4395\n    Destination: fe80::1e3b:f3ff:fed6:8730\n    [Destination SA MAC: Tp-LinkT_d6:87:30 (1c:3b:f3:d6:87:30)]\nInternet Control Message Protocol v6\n    Type: Neighbor Advertisement (136)\n    Code: 0\n    Checksum: 0x1252 [correct]\n    [Checksum Status: Good]\n    Flags: 0x60000000, Solicited, Override\n    Target Address: fe80::9186:7f83:bfe7:4395\n    ICMPv6 Option (Target link-layer address : 64:00:6a:84:77:f9)","commit_id":"d5f706a80558cc8fdb84947f1829325fc6df61ca"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"c975a71395acd65ab457b218c7d561d86c1fd109","unresolved":true,"context_lines":[{"line_number":962,"context_line":"                    nd_target\u003dip_addr,"},{"line_number":963,"context_line":"                    actions\u003d\u0027resubmit(,%d)\u0027 % ("},{"line_number":964,"context_line":"                        ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)"},{"line_number":965,"context_line":"                )"},{"line_number":966,"context_line":""},{"line_number":967,"context_line":"    def _initialize_egress_no_port_security(self, port_id, ovs_ports\u003dNone):"},{"line_number":968,"context_line":"        try:"}],"source_content_type":"text/x-python","patch_set":1,"id":"644b0f2c_975f12e1","line":965,"in_reply_to":"fddd338d_26a19113","updated":"2021-04-13 15:52:44.000000000","message":"yes, only one flow for now but maybe some day we will add another types to that restricted list and then there will be more flows here. Do You want me to change it?","commit_id":"d5f706a80558cc8fdb84947f1829325fc6df61ca"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"f9fcec9862811d0c6a006b35da8f6dd64af5fc42","unresolved":true,"context_lines":[{"line_number":1095,"context_line":"                        (port.mac, \u00270.0.0.0\u0027),"},{"line_number":1096,"context_line":"                    )"},{"line_number":1097,"context_line":"                ]"},{"line_number":1098,"context_line":"            elif ip_version \u003d\u003d \"ipv6\":"},{"line_number":1099,"context_line":"                dl_type \u003d lib_const.ETHERTYPE_IPV6"},{"line_number":1100,"context_line":"                src_port \u003d 546"},{"line_number":1101,"context_line":"                dst_port \u003d 547"}],"source_content_type":"text/x-python","patch_set":1,"id":"a1b3cc9f_98183bdc","line":1098,"range":{"start_line":1098,"start_character":12,"end_line":1098,"end_character":16},"updated":"2021-04-12 14:55:11.000000000","message":"s/if","commit_id":"d5f706a80558cc8fdb84947f1829325fc6df61ca"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"f9fcec9862811d0c6a006b35da8f6dd64af5fc42","unresolved":true,"context_lines":[{"line_number":1104,"context_line":"                    for mac, ip in allowed_mac_ipv6_pairs"},{"line_number":1105,"context_line":"                ]"},{"line_number":1106,"context_line":"            else:"},{"line_number":1107,"context_line":"                continue"},{"line_number":1108,"context_line":"            for additional_filters in additional_filter_list:"},{"line_number":1109,"context_line":"                self._add_flow("},{"line_number":1110,"context_line":"                    table\u003dovs_consts.BASE_EGRESS_TABLE,"}],"source_content_type":"text/x-python","patch_set":1,"id":"b6fd5f18_351973dc","line":1107,"updated":"2021-04-12 14:55:11.000000000","message":"This else should be removed since it can\u0027t happen based on L1086 only having (\"ipv4\", \"ipv6\").  I\u0027m guessing there was some pep8 warning due to additional_filter_list ?","commit_id":"d5f706a80558cc8fdb84947f1829325fc6df61ca"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"c975a71395acd65ab457b218c7d561d86c1fd109","unresolved":true,"context_lines":[{"line_number":1104,"context_line":"                    for mac, ip in allowed_mac_ipv6_pairs"},{"line_number":1105,"context_line":"                ]"},{"line_number":1106,"context_line":"            else:"},{"line_number":1107,"context_line":"                continue"},{"line_number":1108,"context_line":"            for additional_filters in additional_filter_list:"},{"line_number":1109,"context_line":"                self._add_flow("},{"line_number":1110,"context_line":"                    table\u003dovs_consts.BASE_EGRESS_TABLE,"}],"source_content_type":"text/x-python","patch_set":1,"id":"30d3a4ab_fdb1bf0c","line":1107,"in_reply_to":"b6fd5f18_351973dc","updated":"2021-04-13 15:52:44.000000000","message":"I changed this part a bit","commit_id":"d5f706a80558cc8fdb84947f1829325fc6df61ca"}]}