)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"7fcfce44018e58afb1f6bca3ba4ecb53ab98a49f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"969374a3_029ce743","updated":"2026-06-19 08:16:39.000000000","message":"change looks generally good for me but please check failed test in the neutron-tempest-plugin-ovn job as it may be related to that change.","commit_id":"6a9ca9595fcb93facda4320d9e98a252eede43a1"},{"author":{"_account_id":32586,"name":"Elvira García Ruiz","display_name":"Elvira","email":"egarciar@redhat.com","username":"elvira"},"change_message_id":"d7100295e532042021c65d8860fa67b18e368cf0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"78424093_0ebc99cc","in_reply_to":"969374a3_029ce743","updated":"2026-06-19 14:47:21.000000000","message":"Yes it was, I should have not taken out completely the inport, it seems like router port needs it.","commit_id":"6a9ca9595fcb93facda4320d9e98a252eede43a1"},{"author":{"_account_id":32586,"name":"Elvira García Ruiz","display_name":"Elvira","email":"egarciar@redhat.com","username":"elvira"},"change_message_id":"4ab7e328ffc6ee28046caf25e061fc35151e2701","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"91f6b4b3_e1e483da","updated":"2026-06-24 13:23:25.000000000","message":"recheck unrelated neutron.tests.unit.services.ovn_l3.test_plugin.OVNL3ExtrarouteTests.test_router_update_with_too_many_routes","commit_id":"454df36b2017c3f2e6ec930cf98fcd3ea85c9d9c"}],"neutron/services/pvlan/drivers/ovn/driver.py":[{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"25f036b56c45e7722556ca8d6c41e78c46578a37","unresolved":true,"context_lines":[{"line_number":174,"context_line":"            
action\u003dovn_const.ACL_ACTION_ALLOW_STATELESS,"},{"line_number":175,"context_line":"            log\u003dFalse, name\u003d[], severity\u003d[], meter\u003d[],"},{"line_number":176,"context_line":"            direction\u003d\"to-lport\","},{"line_number":177,"context_line":"            match\u003d(\"outport \u003d\u003d @%(dst)s \u0026\u0026 (inport \u003d\u003d @%(src)s || \""},{"line_number":178,"context_line":"                   \"ip4.src \u003d\u003d $%(src)s_ip4 || \""},{"line_number":179,"context_line":"                   \"ip6.src \u003d\u003d $%(src)s_ip6)\""},{"line_number":180,"context_line":"                   % {\"dst\": pg_name, \"src\": promiscuous_pg}),"}],"source_content_type":"text/x-python","patch_set":2,"id":"db026264_1835f836","line":177,"range":{"start_line":177,"start_character":44,"end_line":177,"end_character":62},"updated":"2026-06-23 13:25:07.000000000","message":"So `inport` is kept because of the router ports. So when the traffic from an isolated or a community port needs to go to/from a router port?","commit_id":"9477297055202f5d1f34239b11784a779a3cda42"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"29bf77c4b0b7ef132587d9ae29d0d1ce5cd7b33d","unresolved":false,"context_lines":[{"line_number":174,"context_line":"            action\u003dovn_const.ACL_ACTION_ALLOW_STATELESS,"},{"line_number":175,"context_line":"            log\u003dFalse, name\u003d[], severity\u003d[], meter\u003d[],"},{"line_number":176,"context_line":"            direction\u003d\"to-lport\","},{"line_number":177,"context_line":"            match\u003d(\"outport \u003d\u003d @%(dst)s \u0026\u0026 (inport \u003d\u003d @%(src)s || \""},{"line_number":178,"context_line":"                   \"ip4.src \u003d\u003d $%(src)s_ip4 || \""},{"line_number":179,"context_line":"                   \"ip6.src \u003d\u003d $%(src)s_ip6)\""},{"line_number":180,"context_line":"               
    % {\"dst\": pg_name, \"src\": promiscuous_pg}),"}],"source_content_type":"text/x-python","patch_set":2,"id":"b8cdebfb_3282c957","line":177,"range":{"start_line":177,"start_character":44,"end_line":177,"end_character":62},"in_reply_to":"00aed917_0cce1b09","updated":"2026-06-24 10:58:53.000000000","message":"Nice! That makes sense now","commit_id":"9477297055202f5d1f34239b11784a779a3cda42"},{"author":{"_account_id":32586,"name":"Elvira García Ruiz","display_name":"Elvira","email":"egarciar@redhat.com","username":"elvira"},"change_message_id":"6788f0caff9c7144d9cb618368bc47fe0df75397","unresolved":true,"context_lines":[{"line_number":174,"context_line":"            action\u003dovn_const.ACL_ACTION_ALLOW_STATELESS,"},{"line_number":175,"context_line":"            log\u003dFalse, name\u003d[], severity\u003d[], meter\u003d[],"},{"line_number":176,"context_line":"            direction\u003d\"to-lport\","},{"line_number":177,"context_line":"            match\u003d(\"outport \u003d\u003d @%(dst)s \u0026\u0026 (inport \u003d\u003d @%(src)s || \""},{"line_number":178,"context_line":"                   \"ip4.src \u003d\u003d $%(src)s_ip4 || \""},{"line_number":179,"context_line":"                   \"ip6.src \u003d\u003d $%(src)s_ip6)\""},{"line_number":180,"context_line":"                   % {\"dst\": pg_name, \"src\": promiscuous_pg}),"}],"source_content_type":"text/x-python","patch_set":2,"id":"00aed917_0cce1b09","line":177,"range":{"start_line":177,"start_character":44,"end_line":177,"end_character":62},"in_reply_to":"4dff4ab3_4d7a1036","updated":"2026-06-24 10:29:00.000000000","message":"After checking with tcpdump I saw that if I remove the inport\u003d@promisc from the match for the isolated and community ports, metadata won\u0027t be reached. I do set metadata to promiscuous and the metadata port address IS in the address set (10.50.0.2 in my example env), but the traffic expected from the VM should come from 169.254.169.254, not from the metadata port IP. 
So metadata traffic is blocked.\n\nOn tap of isolated port there\u0027s only a SYN and no answer:\n```\nstack@compute-devstack:~$ sudo tcpdump -i tap1d5363a5-6f -nn port 80 and host 169.254.169.254\ntcpdump: verbose output suppressed, use -v[v]... for full protocol decode\nlistening on tap1d5363a5-6f, link-type EN10MB (Ethernet), snapshot length 262144 bytes\n10:17:01.945284 IP 10.50.0.236.48410 \u003e 169.254.169.254.80: Flags [S], seq 1816840085, win 64492, options [mss 1402,sackOK,TS val 270171234 ecr 0,nop,wscale 6], length 0\n10:17:02.964283 IP 10.50.0.236.48410 \u003e 169.254.169.254.80: Flags [S], seq 1816840085, win 64492, options [mss 1402,sackOK,TS val 270172253 ecr 0,nop,wscale 6], length 0\n10:17:04.980309 IP 10.50.0.236.48410 \u003e 169.254.169.254.80: Flags [S], seq 1816840085, win 64492, options [mss 1402,sackOK,TS val 270174269 ecr 0,nop,wscale 6], length 0\n\n```\n\nbut from the metadata agent we can see both SYN and SYN ACK. \n```\nsudo ip netns exec ovnmeta-24368fb6-f758-40b5-8902-eb7f2ae8080d tcpdump -nn port 80\ntcpdump: verbose output suppressed, use -v[v]... 
for full protocol decode\nlistening on tap24368fb6-f1, link-type EN10MB (Ethernet), snapshot length 262144 bytes\n^C10:19:21.045278 IP 10.50.0.236.54198 \u003e 169.254.169.254.80: Flags [S], seq 1937900102, win 64492, options [mss 1402,sackOK,TS val 270310333 ecr 0,nop,wscale 6], length 0\n10:19:21.045320 IP 169.254.169.254.80 \u003e 10.50.0.236.54198: Flags [S.], seq 1266941879, ack 1937900103, win 65330, options [mss 1402,sackOK,TS val 2889698603 ecr 270307286,nop,wscale 7], length 0\n10:19:23.094884 IP 169.254.169.254.80 \u003e 10.50.0.136.54120: Flags [S.], seq 2937750562, ack 3183187273, win 65330, options [mss 1402,sackOK,TS val 1798606520 ecr 3257767216,nop,wscale 7], length 0\n```\n\nI will update the commit message to correctly explain the use of the inport.","commit_id":"9477297055202f5d1f34239b11784a779a3cda42"},{"author":{"_account_id":32586,"name":"Elvira García Ruiz","display_name":"Elvira","email":"egarciar@redhat.com","username":"elvira"},"change_message_id":"8e4e6fb998d56257c2d6fa933a00afe34086ce87","unresolved":true,"context_lines":[{"line_number":174,"context_line":"            action\u003dovn_const.ACL_ACTION_ALLOW_STATELESS,"},{"line_number":175,"context_line":"            log\u003dFalse, name\u003d[], severity\u003d[], meter\u003d[],"},{"line_number":176,"context_line":"            direction\u003d\"to-lport\","},{"line_number":177,"context_line":"            match\u003d(\"outport \u003d\u003d @%(dst)s \u0026\u0026 (inport \u003d\u003d @%(src)s || \""},{"line_number":178,"context_line":"                   \"ip4.src \u003d\u003d $%(src)s_ip4 || \""},{"line_number":179,"context_line":"                   \"ip6.src \u003d\u003d $%(src)s_ip6)\""},{"line_number":180,"context_line":"                   % {\"dst\": pg_name, \"src\": 
promiscuous_pg}),"}],"source_content_type":"text/x-python","patch_set":2,"id":"4dff4ab3_4d7a1036","line":177,"range":{"start_line":177,"start_character":44,"end_line":177,"end_character":62},"in_reply_to":"db026264_1835f836","updated":"2026-06-24 10:01:43.000000000","message":"You are right. Metadata traffic does not flow through the router. I wonder why VM setup was failing without the inport; I am currently re-checking. This is 100% related to the metadata, because that is what the isolated and community ports are not receiving, but I need to understand the traffic flow better.","commit_id":"9477297055202f5d1f34239b11784a779a3cda42"}]}
