)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":9656,"name":"Ihar Hrachyshka","email":"ihrachys@redhat.com","username":"ihrachys","status":"Red Hat Networking Systems Engineer"},"change_message_id":"b3db42b0878cf37524bdd70a531e34d4fb5c320d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"069ad5dd_1dc46e7a","updated":"2023-03-15 15:09:46.000000000","message":"Slawek asked to raise the question about the need / implementation of the ACLs in drivers meeting this Friday. Holding the patches off for now.","commit_id":"dcd69797eb8808bb895f5eac9c3b82b6bf4cd193"},{"author":{"_account_id":9656,"name":"Ihar Hrachyshka","email":"ihrachys@redhat.com","username":"ihrachys","status":"Red Hat Networking Systems Engineer"},"change_message_id":"b693c72bcaf86861a4f43fcc948657d5ad241ec7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1065f797_1be6005a","updated":"2023-03-14 15:41:40.000000000","message":"recheck another timeout in greenthreads waiting for processes","commit_id":"dcd69797eb8808bb895f5eac9c3b82b6bf4cd193"},{"author":{"_account_id":9656,"name":"Ihar Hrachyshka","email":"ihrachys@redhat.com","username":"ihrachys","status":"Red Hat Networking Systems Engineer"},"change_message_id":"72aeee5b127289ece3e4def7fab75a1691add41d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"ee65410c_170392ef","updated":"2023-03-14 21:11:32.000000000","message":"recheck neutron-ovn-rally-task timeout","commit_id":"dcd69797eb8808bb895f5eac9c3b82b6bf4cd193"},{"author":{"_account_id":9656,"name":"Ihar Hrachyshka","email":"ihrachys@redhat.com","username":"ihrachys","status":"Red Hat Networking Systems Engineer"},"change_message_id":"87803420a56a7df6b5d55280339c4494aa2dc5be","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"45331faf_0a2dacb2","updated":"2023-03-29 20:41:34.000000000","message":"I think I lost an integration piece with the metadata patch 
abandoned... :)","commit_id":"44efd4a14d2cd9fe7f5aab294fbdfe6e1f54d3a2"},{"author":{"_account_id":4694,"name":"Miguel Lavalle","email":"miguel@mlavalle.com","username":"minsel"},"change_message_id":"173f7c0d9261d5ff03ca1710f84c7ac8575c0873","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"08508d60_28449b3a","updated":"2023-04-03 20:58:43.000000000","message":"Do we need a release note?","commit_id":"8f8f32f0c5276ee4cd419f00aa512e68da1a760b"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"ed93f0f5be6a976e029af9f8907ee643475a8fbe","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"57e168db_459b7f2b","updated":"2023-04-03 15:29:55.000000000","message":"recheck OVH mirror issue","commit_id":"8f8f32f0c5276ee4cd419f00aa512e68da1a760b"}],"neutron/common/ovn/acl.py":[{"author":{"_account_id":4694,"name":"Miguel Lavalle","email":"miguel@mlavalle.com","username":"minsel"},"change_message_id":"173f7c0d9261d5ff03ca1710f84c7ac8575c0873","unresolved":true,"context_lines":[{"line_number":276,"context_line":"        txn.add(ovn.pg_acl_add(**acl, may_exist\u003dTrue))"},{"line_number":277,"context_line":""},{"line_number":278,"context_line":""},{"line_number":279,"context_line":"def get_icmpv6_acl(security_group_id, icmp_type, icmp_code):"},{"line_number":280,"context_line":"    icmp_rule \u003d {"},{"line_number":281,"context_line":"        \u0027direction\u0027: const.INGRESS_DIRECTION,"},{"line_number":282,"context_line":"        \u0027ethertype\u0027: const.IPv6,"}],"source_content_type":"text/x-python","patch_set":4,"id":"dc099aff_9043fb32","line":279,"range":{"start_line":279,"start_character":4,"end_line":279,"end_character":18},"updated":"2023-04-03 20:58:43.000000000","message":"nit: should this be _get_icmpv6_acl?","commit_id":"8f8f32f0c5276ee4cd419f00aa512e68da1a760b"},{"author":{"_account_id":1131,"name":"Brian 
Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"67b0e73456a8ec3ccd1d00a793e215b37ce3c26e","unresolved":true,"context_lines":[{"line_number":294,"context_line":""},{"line_number":295,"context_line":"def get_stateless_acls(security_group_id):"},{"line_number":296,"context_line":"    ra_acl \u003d get_icmpv6_acl(security_group_id, const.ICMPV6_TYPE_RA, 0)"},{"line_number":297,"context_line":"    na_acl \u003d get_icmpv6_acl(security_group_id, const.ICMPV6_TYPE_NA, 0)"},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"    def service_acl(acl):"},{"line_number":300,"context_line":"        acl \u003d acl.copy()"}],"source_content_type":"text/x-python","patch_set":4,"id":"85bd6eaa_9f0fe96e","line":297,"updated":"2023-04-03 18:52:50.000000000","message":"So I\u0027m a little worried we are missing something here. Re-reading some IPv6 RFCs and our own firewall code, it seems by default we need these:\n\nIngress: RA, NA, NS, MLD query\nEgress: RS, NA*, NS, MLD query\n\nSystems need to be able to send and receive Neighbor Solicitations, receive Neighbor and Router Advertisements, as well as send Router Solicitations.\n\n*They also need to send Neighbor Advertisements, assuming the source address is the one configured on the port.\n\nMLD is needed because systems join a multicast group based on their address(es), for example:\n\n$ ip -6 a\n2: eno1: \u003cBROADCAST,MULTICAST,UP,LOWER_UP\u003e mtu 1500 state UP qlen 1000\n    inet6 2601:18f:700:287c::100a/128 scope global dynamic noprefixroute \n       valid_lft 79938sec preferred_lft 79938sec\n    inet6 fe80::7a95:503c:eb25:f439/64 scope link noprefixroute \n       valid_lft forever preferred_lft forever\n\n$ ip -6 m s dev eno1\n2:\teno1\n\tinet6 ff02::fb\n\tinet6 ff02::1:ff00:100a\n\tinet6 ff02::1:ff25:f439\n\tinet6 ff02::1\n\tinet6 ff01::1\n\nThese are defined in ICMPV6_ALLOWED_INGRESS_TYPES/ICMPV6_ALLOWED_EGRESS_TYPES/ICMPV6_RESTRICTED_EGRESS_TYPES.\n\nI was at the 
meeting but the text is so vague it doesn\u0027t spell out the details:\n\n\"Regardless of rules defined for a stateless security group, the following\nprotocols are expected to work: ARP, DHCP, IPv6 SLAAC / DHCPv6 stateless\naddress configuration, IPv6 Router and Neighbour Discovery.\"","commit_id":"8f8f32f0c5276ee4cd419f00aa512e68da1a760b"},{"author":{"_account_id":9656,"name":"Ihar Hrachyshka","email":"ihrachys@redhat.com","username":"ihrachys","status":"Red Hat Networking Systems Engineer"},"change_message_id":"3d4d928e0ca8fcbb9f08709e94d65ab9ce30ee91","unresolved":true,"context_lines":[{"line_number":294,"context_line":""},{"line_number":295,"context_line":"def get_stateless_acls(security_group_id):"},{"line_number":296,"context_line":"    ra_acl \u003d get_icmpv6_acl(security_group_id, const.ICMPV6_TYPE_RA, 0)"},{"line_number":297,"context_line":"    na_acl \u003d get_icmpv6_acl(security_group_id, const.ICMPV6_TYPE_NA, 0)"},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"    def service_acl(acl):"},{"line_number":300,"context_line":"        acl \u003d acl.copy()"}],"source_content_type":"text/x-python","patch_set":4,"id":"7c4e3f72_a3452fdb","line":297,"in_reply_to":"0e25acab_9d2d71fc","updated":"2023-04-05 14:52:29.000000000","message":"Great point, I missed that because it wasn\u0027t really part of my test scenario / bug report. :) I will update the patch.\n\nAFAIU you also suggest that we revisit the api-ref patch that listed protocols to be more explicit. I will do that too.\n\nOne other thing I just noticed is that ovs firewall sets the implicit rules to allow the service traffic regardless of stateless-ness of SG. We should probably do the same here. In which case, do we even need revision number in Port_Groups? I don\u0027t think so? 
We\u0027ll just create the implicit ACLs for service traffic on SG creation, and they will never be deleted or modified.\n\n(I think it also suggests that there are more test scenarios to add here:\n\n- check multicast group behavior;\n- check that service flows work regardless of default egress rules present - for stateless and stateful SGs.)","commit_id":"8f8f32f0c5276ee4cd419f00aa512e68da1a760b"},{"author":{"_account_id":9656,"name":"Ihar Hrachyshka","email":"ihrachys@redhat.com","username":"ihrachys","status":"Red Hat Networking Systems Engineer"},"change_message_id":"ad38763d2b51ace9bebb1dcd365a0e87a07fb421","unresolved":true,"context_lines":[{"line_number":294,"context_line":""},{"line_number":295,"context_line":"def get_stateless_acls(security_group_id):"},{"line_number":296,"context_line":"    ra_acl \u003d get_icmpv6_acl(security_group_id, const.ICMPV6_TYPE_RA, 0)"},{"line_number":297,"context_line":"    na_acl \u003d get_icmpv6_acl(security_group_id, const.ICMPV6_TYPE_NA, 0)"},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"    def service_acl(acl):"},{"line_number":300,"context_line":"        acl \u003d acl.copy()"}],"source_content_type":"text/x-python","patch_set":4,"id":"45b7f83b_f1cfde4d","line":297,"in_reply_to":"7c4e3f72_a3452fdb","updated":"2023-04-05 14:55:22.000000000","message":"To add to above:\n\nWhen I say that ACLs for service traffic won\u0027t change after SG creation, I mean INGRESS flows. For egress flows, since they are port-specific, they should be created on port create / update. 
(Though I should first check if OVN doesn\u0027t define some ACLs / flows to handle that already.)","commit_id":"8f8f32f0c5276ee4cd419f00aa512e68da1a760b"},{"author":{"_account_id":4694,"name":"Miguel Lavalle","email":"miguel@mlavalle.com","username":"minsel"},"change_message_id":"173f7c0d9261d5ff03ca1710f84c7ac8575c0873","unresolved":true,"context_lines":[{"line_number":294,"context_line":""},{"line_number":295,"context_line":"def get_stateless_acls(security_group_id):"},{"line_number":296,"context_line":"    ra_acl \u003d get_icmpv6_acl(security_group_id, const.ICMPV6_TYPE_RA, 0)"},{"line_number":297,"context_line":"    na_acl \u003d get_icmpv6_acl(security_group_id, const.ICMPV6_TYPE_NA, 0)"},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"    def service_acl(acl):"},{"line_number":300,"context_line":"        acl \u003d acl.copy()"}],"source_content_type":"text/x-python","patch_set":4,"id":"0e25acab_9d2d71fc","line":297,"in_reply_to":"85bd6eaa_9f0fe96e","updated":"2023-04-03 20:58:43.000000000","message":"Good points raised by Brian +1","commit_id":"8f8f32f0c5276ee4cd419f00aa512e68da1a760b"}]}
