)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"b51874dcf84c9cfa5d32e6b990ba03e7f651a5d1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"85e67432_7a495bb5","updated":"2022-04-25 13:42:15.000000000","message":"\u003e Patch Set 1: Code-Review-1\n\u003e \n\u003e (1 comment)\n\u003e \n\u003e See question inline.\n\u003e \n\u003e As an aside, it looks like you explicitly subscribed Ian\u0027s system administrator account (each of the Gerrit sysadmins have two accounts so that we don\u0027t need to review changes with our administrator privileges active).\n\nI didn\u0027t add anyone yet - but good to know! cc @Chandan","commit_id":"72b84c022ec1b14206bf86d9b8ab9587f3db0555"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"bf2fc9d465d22dbb8c31c96c66528952aabba39b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"85225068_ae6f32c3","updated":"2022-04-25 14:01:25.000000000","message":"I may have a better way.","commit_id":"72b84c022ec1b14206bf86d9b8ab9587f3db0555"}],"nodepool/elements/nodepool-base/install.d/20-iptables":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"e79d20c8a98b6ae90c8ad0b259e94cb5f795d17c","unresolved":false,"context_lines":[{"line_number":45,"context_line":""},{"line_number":46,"context_line":"cat \u003e $ipv4_rules \u003c\u003c EOF"},{"line_number":47,"context_line":"*filter"},{"line_number":48,"context_line":":INPUT DROP [0:0]"},{"line_number":49,"context_line":":FORWARD ACCEPT [0:0]"},{"line_number":50,"context_line":":OUTPUT ACCEPT [0:0]"},{"line_number":51,"context_line":":openstack-INPUT - 
[0:0]"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"0987541a_707dcb54","line":48,"updated":"2022-04-25 13:35:58.000000000","message":"Can we still explicitly reject (with appropriate \"administratively prohibited\" error responses) anything which falls through to this chain?","commit_id":"72b84c022ec1b14206bf86d9b8ab9587f3db0555"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"b51874dcf84c9cfa5d32e6b990ba03e7f651a5d1","unresolved":false,"context_lines":[{"line_number":45,"context_line":""},{"line_number":46,"context_line":"cat \u003e $ipv4_rules \u003c\u003c EOF"},{"line_number":47,"context_line":"*filter"},{"line_number":48,"context_line":":INPUT DROP [0:0]"},{"line_number":49,"context_line":":FORWARD ACCEPT [0:0]"},{"line_number":50,"context_line":":OUTPUT ACCEPT [0:0]"},{"line_number":51,"context_line":":openstack-INPUT - [0:0]"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"51f1f2dc_75a128f9","line":48,"in_reply_to":"0987541a_707dcb54","updated":"2022-04-25 13:42:15.000000000","message":"Nope:\n\"Set the policy for the built-in (non-user-defined) chain to the given target.  
The policy target must be either ACCEPT or DROP.\"\n\nIf we can\u0027t set a proper ordering, using the policy is the only way to ensure we\u0027re eventually matching the rules we want.","commit_id":"72b84c022ec1b14206bf86d9b8ab9587f3db0555"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"fb2ccf7e159a8e3bdd2e6cfca12cf2eb1de9dd1a","unresolved":false,"context_lines":[{"line_number":45,"context_line":""},{"line_number":46,"context_line":"cat \u003e $ipv4_rules \u003c\u003c EOF"},{"line_number":47,"context_line":"*filter"},{"line_number":48,"context_line":":INPUT DROP [0:0]"},{"line_number":49,"context_line":":FORWARD ACCEPT [0:0]"},{"line_number":50,"context_line":":OUTPUT ACCEPT [0:0]"},{"line_number":51,"context_line":":openstack-INPUT - [0:0]"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"84362a26_569fc547","line":48,"in_reply_to":"51f1f2dc_75a128f9","updated":"2022-04-25 13:56:12.000000000","message":"As a side note:\nonce I get the other patch in, with the dedicated TRIPLEO_INPUT chain, I should be able to reconsider the actual \"final REJECT\" with proper rejection code: my goal is to re-work our module to allow a precise rule insertion/management. So I may be able to inject the goto(TRIPLEO_INPUT) at index 0 - and change the openstack-INPUT so that we have the REJECT back. But we first need that dedicated chain to prevent any bad clash.","commit_id":"72b84c022ec1b14206bf86d9b8ab9587f3db0555"}]}
