)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"4bc4aa14665bb51420fc593ddcd5285ff999efc0","unresolved":true,"context_lines":[{"line_number":12,"context_line":"This patch is preventing Geneve traffic to be sent to conntrack."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Fix for Train only:"},{"line_number":15,"context_line":"firewall/rule.pp add NEW as default state in the rules,"},{"line_number":16,"context_line":"this fix add INVALID as state for the geneve UDP rules"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Closes-Bug: #1885551"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"c98beb91_dada01d3","line":15,"range":{"start_line":15,"start_character":0,"end_line":15,"end_character":16},"updated":"2023-01-30 08:21:05.000000000","message":"This does not really explain why this should be train only. (you have to explain we use puppet to manage firewall rules in train but it was replaced by ansible in wallaby)","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"},{"author":{"_account_id":7130,"name":"David Hill","email":"davidchill@hotmail.com","username":"dhill"},"change_message_id":"1d43a60d82dd22fc1ba55ca572c706809bc4b938","unresolved":false,"context_lines":[{"line_number":12,"context_line":"This patch is preventing Geneve traffic to be sent to conntrack."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Fix for Train only:"},{"line_number":15,"context_line":"firewall/rule.pp add NEW as default state in the rules,"},{"line_number":16,"context_line":"this fix add INVALID as state for the geneve UDP rules"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Closes-Bug: 
#1885551"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"d0ba4521_e7a3761a","line":15,"range":{"start_line":15,"start_character":0,"end_line":15,"end_character":16},"in_reply_to":"910907cb_e3bcecb3","updated":"2023-03-14 15:27:35.000000000","message":"Isn\u0027t there another fix we can backport to train instead of writing a new patch here?   Just asking for a friend.","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"},{"author":{"_account_id":33983,"name":"Luigi Dino Tamagnone","display_name":"luigi","email":"ltamagno@redhat.com","username":"ltamagno"},"change_message_id":"dd9c40546a4a4f48b52d1eecb16bf9623231d516","unresolved":false,"context_lines":[{"line_number":12,"context_line":"This patch is preventing Geneve traffic to be sent to conntrack."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Fix for Train only:"},{"line_number":15,"context_line":"firewall/rule.pp add NEW as default state in the rules,"},{"line_number":16,"context_line":"this fix add INVALID as state for the geneve UDP rules"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Closes-Bug: #1885551"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"910907cb_e3bcecb3","line":15,"range":{"start_line":15,"start_character":0,"end_line":15,"end_character":16},"in_reply_to":"c98beb91_dada01d3","updated":"2023-02-23 18:18:52.000000000","message":"Well, I tested it and it works on Wallaby as it\u0027s defined now.","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"},{"author":{"_account_id":33983,"name":"Luigi Dino Tamagnone","display_name":"luigi","email":"ltamagno@redhat.com","username":"ltamagno"},"change_message_id":"e3e986095191c04b1f75dac7b3cc12ed60c92a8f","unresolved":false,"context_lines":[{"line_number":12,"context_line":"This patch is preventing Geneve traffic to be sent to conntrack."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Fix for Train 
only:"},{"line_number":15,"context_line":"firewall/rule.pp add NEW as default state in the rules,"},{"line_number":16,"context_line":"this fix add INVALID as state for the geneve UDP rules"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Closes-Bug: #1885551"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"0fc87ac7_2b0cecfc","line":15,"range":{"start_line":15,"start_character":0,"end_line":15,"end_character":16},"in_reply_to":"d0ba4521_e7a3761a","updated":"2023-03-16 08:09:38.000000000","message":"There is a patch on Victoria and Main branch, but it\u0027s not working for Train","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":4694,"name":"Miguel Lavalle","email":"miguel@mlavalle.com","username":"minsel"},"change_message_id":"74f4b2f3d9b760d579562aa25b74f477feddb1d6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"f29e678a_92ea25f3","updated":"2023-01-25 17:33:42.000000000","message":"Thank you for the explanation @Luigi","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"4bc4aa14665bb51420fc593ddcd5285ff999efc0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"4636404d_3901d9e8","updated":"2023-01-30 08:21:05.000000000","message":"There are a few points you can still try/fix though I won\u0027t block this now.","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"},{"author":{"_account_id":33176,"name":"Francois Rigault","email":"rigault.francois@gmail.com","username":"frigo"},"change_message_id":"d3f800a0f36257f3bc6ec35aafbdbec75e555999","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"2e65f547_6b4413b8","updated":"2023-01-01 22:50:28.000000000","message":"tried it, the iptable rule is now matching properly:\n\n$ sudo 
iptables -L -v -n -t raw\nChain PREROUTING (policy ACCEPT 2810K packets, 4447M bytes)\n pkts bytes target     prot opt in     out     source               destination         \n  455  264K CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 6081 state INVALID /* 121 neutron geneve networks no conntrack ipv4 */ NOTRACK\n\nno more conntrack for port 6081. Looks good, thank you!","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"}],"deployment/ovn/ovn-controller-container-puppet.yaml":[{"author":{"_account_id":4694,"name":"Miguel Lavalle","email":"miguel@mlavalle.com","username":"minsel"},"change_message_id":"4ebd0ab6ceb53d655dbef94e03d06971fb33876a","unresolved":true,"context_lines":[{"line_number":224,"context_line":"                    chain:  \u0027OUTPUT\u0027"},{"line_number":225,"context_line":"                    jump:   \u0027NOTRACK\u0027"},{"line_number":226,"context_line":"                    action: \u0027append\u0027"},{"line_number":227,"context_line":"                    state: [\u0027INVALID\u0027]"},{"line_number":228,"context_line":"              \u0027121 neutron geneve networks no conntrack\u0027:"},{"line_number":229,"context_line":"                    proto:  \u0027udp\u0027"},{"line_number":230,"context_line":"                    dport:  6081"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"4278064f_e240c6a8","line":227,"updated":"2023-01-23 22:37:07.000000000","message":"Looking in master branch, the state is left as empty: https://github.com/openstack/tripleo-heat-templates/blob/9962b52a0a2ff93d57e9d1dff8a03d70991df1a8/deployment/ovn/ovn-controller-container-puppet.yaml#L278\n\nDid you try that? 
Why not stay aligned with master?","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"},{"author":{"_account_id":33983,"name":"Luigi Dino Tamagnone","display_name":"luigi","email":"ltamagno@redhat.com","username":"ltamagno"},"change_message_id":"033ae75a29685467970106dec99db28f6da8e81f","unresolved":false,"context_lines":[{"line_number":224,"context_line":"                    chain:  \u0027OUTPUT\u0027"},{"line_number":225,"context_line":"                    jump:   \u0027NOTRACK\u0027"},{"line_number":226,"context_line":"                    action: \u0027append\u0027"},{"line_number":227,"context_line":"                    state: [\u0027INVALID\u0027]"},{"line_number":228,"context_line":"              \u0027121 neutron geneve networks no conntrack\u0027:"},{"line_number":229,"context_line":"                    proto:  \u0027udp\u0027"},{"line_number":230,"context_line":"                    dport:  6081"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"e5799ef3_0209211d","line":227,"in_reply_to":"4278064f_e240c6a8","updated":"2023-01-25 08:32:28.000000000","message":"On Master[1] and Wallaby the code is different from Train[2]; as far as I know, puppet was mostly removed going from Train to Wallaby. So on Train state [] doesn\u0027t work. I already checked it. 
You can test it if you want.\n\n[1] https://opendev.org/openstack/puppet-tripleo/src/branch/master/manifests\n[2] https://opendev.org/openstack/puppet-tripleo/src/branch/stable/train/manifests","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"},{"author":{"_account_id":33983,"name":"Luigi Dino Tamagnone","display_name":"luigi","email":"ltamagno@redhat.com","username":"ltamagno"},"change_message_id":"dd9c40546a4a4f48b52d1eecb16bf9623231d516","unresolved":false,"context_lines":[{"line_number":224,"context_line":"                    chain:  \u0027OUTPUT\u0027"},{"line_number":225,"context_line":"                    jump:   \u0027NOTRACK\u0027"},{"line_number":226,"context_line":"                    action: \u0027append\u0027"},{"line_number":227,"context_line":"                    state: [\u0027INVALID\u0027]"},{"line_number":228,"context_line":"              \u0027121 neutron geneve networks no conntrack\u0027:"},{"line_number":229,"context_line":"                    proto:  \u0027udp\u0027"},{"line_number":230,"context_line":"                    dport:  6081"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1093b2d8_f1a200aa","line":227,"in_reply_to":"c1c145bc_8c24c906","updated":"2023-02-23 18:18:52.000000000","message":"No change in iptables raw rules, if I set null as state.\n\nFor what I know UDP packets are stateless","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"4bc4aa14665bb51420fc593ddcd5285ff999efc0","unresolved":true,"context_lines":[{"line_number":224,"context_line":"                    chain:  \u0027OUTPUT\u0027"},{"line_number":225,"context_line":"                    jump:   \u0027NOTRACK\u0027"},{"line_number":226,"context_line":"                    action: \u0027append\u0027"},{"line_number":227,"context_line":"                    state: 
[\u0027INVALID\u0027]"},{"line_number":228,"context_line":"              \u0027121 neutron geneve networks no conntrack\u0027:"},{"line_number":229,"context_line":"                    proto:  \u0027udp\u0027"},{"line_number":230,"context_line":"                    dport:  6081"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"c1c145bc_8c24c906","line":227,"in_reply_to":"e5799ef3_0209211d","updated":"2023-01-30 08:21:05.000000000","message":"I guess you can try null instead of an empty list. If passing null does not work then we likely have to fix puppet-tripleo.\n\nIf we don\u0027t need to care the other status such as NEW then this implementation would be enough, though.\n\nhttps://github.com/puppetlabs/puppetlabs-firewall/blob/main/REFERENCE.md#state","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"},{"author":{"_account_id":4694,"name":"Miguel Lavalle","email":"miguel@mlavalle.com","username":"minsel"},"change_message_id":"4ebd0ab6ceb53d655dbef94e03d06971fb33876a","unresolved":true,"context_lines":[{"line_number":232,"context_line":"                    chain:  \u0027PREROUTING\u0027"},{"line_number":233,"context_line":"                    jump:   \u0027NOTRACK\u0027"},{"line_number":234,"context_line":"                    action: \u0027append\u0027"},{"line_number":235,"context_line":"                    state: [\u0027INVALID\u0027]"},{"line_number":236,"context_line":"          - if:"},{"line_number":237,"context_line":"              - force_config_drive"},{"line_number":238,"context_line":"              - nova::compute::force_config_drive: true"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"daed1803_fb4fe73c","line":235,"updated":"2023-01-23 22:37:07.000000000","message":"Same observation as above: 
https://github.com/openstack/tripleo-heat-templates/blob/9962b52a0a2ff93d57e9d1dff8a03d70991df1a8/deployment/ovn/ovn-controller-container-puppet.yaml#L286","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"},{"author":{"_account_id":33983,"name":"Luigi Dino Tamagnone","display_name":"luigi","email":"ltamagno@redhat.com","username":"ltamagno"},"change_message_id":"033ae75a29685467970106dec99db28f6da8e81f","unresolved":false,"context_lines":[{"line_number":232,"context_line":"                    chain:  \u0027PREROUTING\u0027"},{"line_number":233,"context_line":"                    jump:   \u0027NOTRACK\u0027"},{"line_number":234,"context_line":"                    action: \u0027append\u0027"},{"line_number":235,"context_line":"                    state: [\u0027INVALID\u0027]"},{"line_number":236,"context_line":"          - if:"},{"line_number":237,"context_line":"              - force_config_drive"},{"line_number":238,"context_line":"              - nova::compute::force_config_drive: true"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"cc2da506_ebb1fd0b","line":235,"in_reply_to":"daed1803_fb4fe73c","updated":"2023-01-25 08:32:28.000000000","message":"On Master[1] and Wallaby the code is different from Train[2]; as far as I know, puppet was mostly removed going from Train to Wallaby. So on Train state [] doesn\u0027t work. I already checked it. You can test it if you want.\n\n[1] https://opendev.org/openstack/puppet-tripleo/src/branch/master/manifests\n[2] https://opendev.org/openstack/puppet-tripleo/src/branch/stable/train/manifests","commit_id":"4a27d7c628cfe1f719278303c327dcae7c27adaa"}]}
