From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network v6 08/24] api: refactor prefix list api structure
Date: Fri, 8 May 2026 18:31:17 +0200
Message-ID: <20260508163134.481912-9-s.hanreich@proxmox.com>
In-Reply-To: <20260508163134.481912-1-s.hanreich@proxmox.com>
References: <20260508163134.481912-1-s.hanreich@proxmox.com>

The existing prefix list api structure has been adapted as follows:

GET /prefix-lists

Added a verbose parameter. If it is set, then all properties of the prefix list are returned, otherwise only the id and state (if pending=1) are returned from the endpoint.

This commit adds CRUD endpoints for manipulating entries of prefix lists in the /prefix-lists/{id}/entries subfolder:

GET /prefix-lists/{id}/entries/{seq}

Returns the entry with sequence number {seq}.

POST /prefix-lists/{id}/entries

Creates a new entry in the prefix list. If the sequence number is given in the body, then that sequence number is used - otherwise a sequence number will be auto-generated by taking the highest existing sequence number and adding 5.

PUT /prefix-lists/{id}/entries/{seq}

Updates the entry with sequence number {seq}. If the body contains the seq field and it is different from the sequence number given in the URL, then the sequence number will be changed as well.

DELETE /prefix-lists/{id}/entries/{seq} Deletes the entry with sequence number {seq}. In order to reuse the schema from the prefix list endpoints, a new method has been added that allows sharing the prefix list entry properties among the old and new API endpoints. Signed-off-by: Stefan Hanreich --- src/PVE/API2/Network/SDN/Makefile | 1 + src/PVE/API2/Network/SDN/PrefixLists.pm | 145 +++--------- src/PVE/API2/Network/SDN/PrefixLists/Makefile | 9 + .../Network/SDN/PrefixLists/PrefixList.pm | 139 ++++++++++++ .../SDN/PrefixLists/PrefixListEntry.pm | 208 ++++++++++++++++++ src/PVE/Network/SDN/PrefixLists.pm | 80 ++++--- 6 files changed, 432 insertions(+), 150 deletions(-) create mode 100644 src/PVE/API2/Network/SDN/PrefixLists/Makefile create mode 100644 src/PVE/API2/Network/SDN/PrefixLists/PrefixList.pm create mode 100644 src/PVE/API2/Network/SDN/PrefixLists/PrefixListEntry.pm diff --git a/src/PVE/API2/Network/SDN/Makefile b/src/PVE/API2/Network/SDN/Makefile index 770eef24..6b91f8cc 100644 --- a/src/PVE/API2/Network/SDN/Makefile +++ b/src/PVE/API2/Network/SDN/Makefile @@ -17,4 +17,5 @@ install: make -C Fabrics install make -C Nodes install make -C RouteMaps install + make -C PrefixLists install diff --git a/src/PVE/API2/Network/SDN/PrefixLists.pm b/src/PVE/API2/Network/SDN/PrefixLists.pm index f2e14d1d..7bd85746 100644 --- a/src/PVE/API2/Network/SDN/PrefixLists.pm +++ b/src/PVE/API2/Network/SDN/PrefixLists.pm @@ -3,6 +3,7 @@ package PVE::API2::Network::SDN::PrefixLists; use strict; use warnings; +use PVE::API2::Network::SDN::PrefixLists::PrefixList; use PVE::Exception qw(raise_param_exc); use PVE::JSONSchema qw(get_standard_option); use PVE::Network::SDN::PrefixLists; @@ -11,6 +12,11 @@ use PVE::Tools qw(extract_param); use PVE::RESTHandler; use base qw(PVE::RESTHandler); +__PACKAGE__->register_method({ + subclass => "PVE::API2::Network::SDN::PrefixLists::PrefixList", + path => '{id}', +}); + __PACKAGE__->register_method({ name => 'list_prefix_lists', path => '', 
@@ -33,6 +39,11 @@ __PACKAGE__->register_method({ optional => 1, description => "Display pending config.", }, + verbose => { + type => 'boolean', + optional => 1, + description => "If 0, only returns id - otherwise returns all properties.", + }, }, }, returns => { @@ -48,6 +59,7 @@ __PACKAGE__->register_method({ my $pending = extract_param($param, 'pending'); my $running = extract_param($param, 'running'); + my $verbose = extract_param($param, 'verbose'); my $digest; my $prefix_lists; @@ -86,41 +98,23 @@ __PACKAGE__->register_method({ $prefix_list_privs, 1, ); - $prefix_lists->{$prefix_list_id}->{digest} = $digest if $digest; - push @res, $prefix_lists->{$prefix_list_id}; - } - - return \@res; - }, -}); -__PACKAGE__->register_method({ - name => 'get_prefix_list_entry', - path => '{id}', - method => 'GET', - permissions => { - check => ['perm', '/sdn/prefix-lists/{id}', ['SDN.Audit']], - }, - description => "Get Prefix List", - parameters => { - properties => { - id => get_standard_option('pve-sdn-prefix-list-id'), - }, - }, - returns => { - type => "object", - properties => {}, - }, - code => sub { - my ($param) = @_; + if ($verbose) { + $prefix_lists->{$prefix_list_id}->{digest} = $digest if $digest; + push @res, $prefix_lists->{$prefix_list_id}; + } else { + my $data = { + id => $prefix_list_id, + }; - my $prefix_list_id = extract_param($param, 'id'); - my $prefix_list_entry = PVE::Network::SDN::PrefixLists::config()->get($prefix_list_id); + $data->{state} = $prefix_lists->{$prefix_list_id}->{state} + if $pending && $prefix_lists->{$prefix_list_id}->{state}; - raise_param_exc({ 'id' => "$prefix_list_id doesn't exist" }) - if !$prefix_list_entry; + push @res, $data; + } + } - return $prefix_list_entry; + return \@res; }, }); 
@@ -166,93 +160,4 @@ __PACKAGE__->register_method({ }, }); -__PACKAGE__->register_method({ - name => 'update_prefix_list_entry', - path => '{id}', - method => 'PUT', - protected => 1, - permissions => { - check => ['perm', '/sdn/prefix-lists/{id}', ['SDN.Allocate']], - }, - description => "Update Prefix List", - parameters => { - properties => { - digest => get_standard_option('pve-config-digest'), - 'lock-token' => get_standard_option('pve-sdn-lock-token'), - PVE::Network::SDN::PrefixLists::prefix_list_properties(1)->%*, - }, - }, - returns => { - type => "null", - }, - code => sub { - my ($param) = @_; - - my $lock_token = extract_param($param, 'lock-token'); - - PVE::Network::SDN::lock_sdn_config( - sub { - my $config = PVE::Network::SDN::PrefixLists::config(); - - my $digest = extract_param($param, 'digest'); - PVE::Tools::assert_if_modified($config->digest(), $digest) if $digest; - - my $prefix_list_id = extract_param($param, 'id'); - my $delete = extract_param($param, 'delete'); - - $config->update($prefix_list_id, $param, $delete); - PVE::Network::SDN::PrefixLists::write_config($config); - }, - "updating prefix list failed", - $lock_token, - ); - - return; - }, -}); - -__PACKAGE__->register_method({ - name => 'delete_prefix_list_entry', - path => '{id}', - method => 'DELETE', - protected => 1, - permissions => { - check => ['perm', '/sdn/prefix-lists/{id}', ['SDN.Allocate']], - }, - description => "Delete Prefix List", - parameters => { - properties => { - id => get_standard_option('pve-sdn-prefix-list-id'), - 'lock-token' => get_standard_option('pve-sdn-lock-token'), - }, - }, - returns => { - type => "null", - }, - code => sub { - my ($param) = @_; - - my $lock_token = extract_param($param, 'lock-token'); - - PVE::Network::SDN::lock_sdn_config( - sub { - my $config = PVE::Network::SDN::PrefixLists::config(); - - my $digest = extract_param($param, 'digest'); - PVE::Tools::assert_if_modified($config->digest(), $digest) if $digest; - - my $prefix_list_id = 
extract_param($param, 'id'); - PVE::Network::SDN::PrefixLists::check_references($prefix_list_id); - - $config->delete($prefix_list_id); - PVE::Network::SDN::PrefixLists::write_config($config); - }, - "deleting prefix list failed", - $lock_token, - ); - - return; - }, -}); - 1; diff --git a/src/PVE/API2/Network/SDN/PrefixLists/Makefile b/src/PVE/API2/Network/SDN/PrefixLists/Makefile new file mode 100644 index 00000000..815a4b09 --- /dev/null +++ b/src/PVE/API2/Network/SDN/PrefixLists/Makefile @@ -0,0 +1,9 @@ +SOURCES=PrefixList.pm\ + PrefixListEntry.pm + + +PERL5DIR=${DESTDIR}/usr/share/perl5 + +.PHONY: install +install: + for i in ${SOURCES}; do install -D -m 0644 $$i ${PERL5DIR}/PVE/API2/Network/SDN/PrefixLists/$$i; done diff --git a/src/PVE/API2/Network/SDN/PrefixLists/PrefixList.pm b/src/PVE/API2/Network/SDN/PrefixLists/PrefixList.pm new file mode 100644 index 00000000..d0332441 --- /dev/null +++ b/src/PVE/API2/Network/SDN/PrefixLists/PrefixList.pm 
@@ -0,0 +1,139 @@ +package PVE::API2::Network::SDN::PrefixLists::PrefixList; + +use strict; +use warnings; + +use PVE::API2::Network::SDN::PrefixLists::PrefixListEntry; +use PVE::Exception qw(raise_param_exc); +use PVE::JSONSchema qw(get_standard_option); +use PVE::Network::SDN::PrefixLists; +use PVE::Tools qw(extract_param); + +use PVE::RESTHandler; +use base qw(PVE::RESTHandler); + +__PACKAGE__->register_method({ + subclass => "PVE::API2::Network::SDN::PrefixLists::PrefixListEntry", + path => 'entries', +}); + +__PACKAGE__->register_method({ + name => 'get_prefix_list', + path => '', + method => 'GET', + permissions => { + check => ['perm', '/sdn/prefix-lists/{id}', ['SDN.Audit']], + }, + description => "Get Prefix List", + parameters => { + properties => { + id => get_standard_option('pve-sdn-prefix-list-id'), + }, + }, + returns => { + type => "object", + properties => {}, + }, + code => sub { + my ($param) = @_; + + my $prefix_list_id = extract_param($param, 'id'); + my $prefix_list_entry = PVE::Network::SDN::PrefixLists::config()->get($prefix_list_id); + + raise_param_exc({ 'id' => "$prefix_list_id doesn't exist" }) + if !$prefix_list_entry; + + return $prefix_list_entry; + }, +}); + +__PACKAGE__->register_method({ + name => 'update_prefix_list', + path => '', + method => 'PUT', + protected => 1, + permissions => { + check => ['perm', '/sdn/prefix-lists/{id}', ['SDN.Allocate']], + }, + description => "Update Prefix List", + parameters => { + properties => { + digest => get_standard_option('pve-config-digest'), + 'lock-token' => get_standard_option('pve-sdn-lock-token'), + PVE::Network::SDN::PrefixLists::prefix_list_properties(1)->%*, + }, + }, + returns => { + type => "null", + }, + code => sub { + my ($param) = @_; + + my $lock_token = extract_param($param, 'lock-token'); + + PVE::Network::SDN::lock_sdn_config( + sub { + my $config = PVE::Network::SDN::PrefixLists::config(); + + my $digest = extract_param($param, 'digest'); + 
PVE::Tools::assert_if_modified($config->digest(), $digest) if $digest; + + my $prefix_list_id = extract_param($param, 'id'); + my $delete = extract_param($param, 'delete'); + + $config->update($prefix_list_id, $param, $delete); + PVE::Network::SDN::PrefixLists::write_config($config); + }, + "updating prefix list failed", + $lock_token, + ); + + return; + }, +}); + +__PACKAGE__->register_method({ + name => 'delete_prefix_list', + path => '', + method => 'DELETE', + protected => 1, + permissions => { + check => ['perm', '/sdn/prefix-lists/{id}', ['SDN.Allocate']], + }, + description => "Delete Prefix List", + parameters => { + properties => { + id => get_standard_option('pve-sdn-prefix-list-id'), + 'lock-token' => get_standard_option('pve-sdn-lock-token'), + }, + }, + returns => { + type => "null", + }, + code => sub { + my ($param) = @_; + + my $lock_token = extract_param($param, 'lock-token'); + + PVE::Network::SDN::lock_sdn_config( + sub { + my $config = PVE::Network::SDN::PrefixLists::config(); + + my $digest = extract_param($param, 'digest'); + PVE::Tools::assert_if_modified($config->digest(), $digest) if $digest; + + my $prefix_list_id = extract_param($param, 'id'); + PVE::Network::SDN::PrefixLists::check_references($prefix_list_id); + + $config->delete($prefix_list_id); + PVE::Network::SDN::PrefixLists::write_config($config); + }, + "deleting prefix list failed", + $lock_token, + ); + + return; + }, +}); + +1; diff --git a/src/PVE/API2/Network/SDN/PrefixLists/PrefixListEntry.pm b/src/PVE/API2/Network/SDN/PrefixLists/PrefixListEntry.pm new file mode 100644 index 00000000..612fdb92 --- /dev/null +++ b/src/PVE/API2/Network/SDN/PrefixLists/PrefixListEntry.pm 
@@ -0,0 +1,208 @@ +package PVE::API2::Network::SDN::PrefixLists::PrefixListEntry; + +use strict; +use warnings; + +use PVE::Exception qw(raise_param_exc); +use PVE::JSONSchema qw(get_standard_option); +use PVE::Network::SDN::PrefixLists; +use PVE::Tools qw(extract_param); + +use PVE::RESTHandler; +use base qw(PVE::RESTHandler); + +__PACKAGE__->register_method({ + name => 'get_prefix_list_entries', + path => '', + method => 'GET', + permissions => { + check => ['perm', '/sdn/prefix-lists/{id}', ['SDN.Audit']], + }, + description => "Get Prefix List", + parameters => { + properties => { + id => get_standard_option('pve-sdn-prefix-list-id'), + }, + }, + returns => { + type => 'array', + items => { + type => "object", + properties => {}, + }, + links => [{ rel => 'child', href => "{seq}" }], + }, + code => sub { + my ($param) = @_; + + my $prefix_list_id = extract_param($param, 'id'); + return PVE::Network::SDN::PrefixLists::config()->list_entries($prefix_list_id); + }, +}); + +__PACKAGE__->register_method({ + name => 'get_prefix_list_entry', + path => '{url_seq}', + method => 'GET', + permissions => { + check => ['perm', '/sdn/prefix-lists/{id}', ['SDN.Audit']], + }, + description => "Get Prefix List", + parameters => { + properties => { + id => get_standard_option('pve-sdn-prefix-list-id'), + }, + }, + returns => { + type => "object", + properties => {}, + }, + code => sub { + my ($param) = @_; + + my $prefix_list_id = extract_param($param, 'id'); + my $seq_nr = extract_param($param, 'url_seq'); + my $prefix_list_entry = PVE::Network::SDN::PrefixLists::config()->get_entry($prefix_list_id, $seq_nr); + + raise_param_exc({ 'id' => "entry $seq_nr in prefix list $prefix_list_id doesn't exist" }) + if !$prefix_list_entry; + + return $prefix_list_entry; + }, +}); + +__PACKAGE__->register_method({ + name => 'update_prefix_list_entry', + path => '{url_seq}', + method => 'PUT', + protected => 1, + permissions => { + check => ['perm', '/sdn/prefix-lists/{id}', 
['SDN.Allocate']], + }, + description => "Update Prefix List", + parameters => { + properties => { + digest => get_standard_option('pve-config-digest'), + 'lock-token' => get_standard_option('pve-sdn-lock-token'), + PVE::Network::SDN::PrefixLists::prefix_list_entry_properties(1, 1)->%*, + }, + }, + returns => { + type => "null", + }, + code => sub { + my ($param) = @_; + + my $lock_token = extract_param($param, 'lock-token'); + + PVE::Network::SDN::lock_sdn_config( + sub { + my $config = PVE::Network::SDN::PrefixLists::config(); + + my $digest = extract_param($param, 'digest'); + PVE::Tools::assert_if_modified($config->digest(), $digest) if $digest; + + my $prefix_list_id = extract_param($param, 'id'); + my $old_seq = extract_param($param, 'url_seq'); + my $delete = extract_param($param, 'delete'); + + $config->update_entry($prefix_list_id, $old_seq, $param, $delete); + PVE::Network::SDN::PrefixLists::write_config($config); + }, + "updating prefix list entry failed", + $lock_token, + ); + + return; + }, +}); + +__PACKAGE__->register_method({ + name => 'delete_prefix_list_entry', + path => '{url_seq}', + method => 'DELETE', + protected => 1, + permissions => { + check => ['perm', '/sdn/prefix-lists/{id}', ['SDN.Allocate']], + }, + description => "Delete Prefix List", + parameters => { + properties => { + id => get_standard_option('pve-sdn-prefix-list-id'), + 'lock-token' => get_standard_option('pve-sdn-lock-token'), + }, + }, + returns => { + type => "null", + }, + code => sub { + my ($param) = @_; + + my $lock_token = extract_param($param, 'lock-token'); + + PVE::Network::SDN::lock_sdn_config( + sub { + my $config = PVE::Network::SDN::PrefixLists::config(); + + my $digest = extract_param($param, 'digest'); + PVE::Tools::assert_if_modified($config->digest(), $digest) if $digest; + + my $prefix_list_id = extract_param($param, 'id'); + my $seq_nr = extract_param($param, 'url_seq'); + + $config->delete_entry($prefix_list_id, $seq_nr); + 
PVE::Network::SDN::PrefixLists::write_config($config); + }, + "deleting prefix list entry failed", + $lock_token, + ); + + return; + }, +}); + +__PACKAGE__->register_method({ + name => 'create_prefix_list_entry', + path => '', + method => 'POST', + protected => 1, + permissions => { + check => ['perm', '/sdn/prefix-lists/{id}', ['SDN.Allocate']], + }, + description => "Delete Prefix List", + parameters => { + properties => { + id => get_standard_option('pve-sdn-prefix-list-id'), + 'lock-token' => get_standard_option('pve-sdn-lock-token'), + PVE::Network::SDN::PrefixLists::prefix_list_entry_properties(0, 1)->%*, + }, + }, + returns => { + type => "null", + }, + code => sub { + my ($param) = @_; + + my $lock_token = extract_param($param, 'lock-token'); + + PVE::Network::SDN::lock_sdn_config( + sub { + my $config = PVE::Network::SDN::PrefixLists::config(); + + my $digest = extract_param($param, 'digest'); + PVE::Tools::assert_if_modified($config->digest(), $digest) if $digest; + + my $prefix_list_id = extract_param($param, 'id'); + + $config->create_entry($prefix_list_id, $param); + PVE::Network::SDN::PrefixLists::write_config($config); + }, + "creating prefix list entry failed", + $lock_token, + ); + + return; + }, +}); + +1; diff --git a/src/PVE/Network/SDN/PrefixLists.pm b/src/PVE/Network/SDN/PrefixLists.pm index efe1463e..3b27d61b 100644 --- a/src/PVE/Network/SDN/PrefixLists.pm +++ b/src/PVE/Network/SDN/PrefixLists.pm 
@@ -105,44 +105,66 @@ sub check_references { } } +sub prefix_list_entry_properties { + my ($update, $standalone) = @_; + + my $properties = { + action => { + type => 'string', + enum => ['permit', 'deny'], + optional => $update, + }, + prefix => { + type => 'string', + format => 'CIDR', + optional => $update, + }, + le => { + type => 'integer', + minimum => 0, + maximum => 128, + optional => 1, + }, + ge => { + type => 'integer', + minimum => 0, + maximum => 128, + optional => 1, + }, + seq => { + type => 'integer', + minimum => 0, + maximum => 2**32 - 1, + optional => 1, + }, + }; + + if ($update && $standalone) { + $properties->{delete} = { + type => 'array', + optional => 1, + items => { + type => 'string', + enum => ['le', 'ge', 'seq'], + }, + }; + } + + return $properties; +} + sub prefix_list_properties { my ($update) = @_; my $properties = { + id => get_standard_option('pve-sdn-prefix-list-id'), digest => get_standard_option('pve-config-digest'), entries => { type => 'array', optional => 1, items => { type => 'string', - format => { - action => { - type => 'string', - enum => ['permit', 'deny'], - }, - prefix => { - type => 'string', - format => 'CIDR', - }, - le => { - type => 'integer', - minimum => 0, - maximum => 128, - optional => 1, - }, - ge => { - type => 'integer', - minimum => 0, - maximum => 128, - optional => 1, - }, - seq => { - type => 'integer', - minimum => 0, - maximum => 2**32 - 1, - optional => 1, - }, - }, + format => prefix_list_entry_properties($update, 0), }, }, }; @@ -156,8 +178,6 @@ sub prefix_list_properties { enum => ['entries'], }, }; - } else { - $properties->{id} = get_standard_option('pve-sdn-prefix-list-id'); } return $properties; -- 2.47.3
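Review bot: the description of the new verbose parameter in list_prefix_lists (src/PVE/API2/Network/SDN/PrefixLists.pm, hunk at -33,6) says "If 0, only returns id - otherwise returns all properties.", but the handler also returns state when pending is set and a state exists, as the commit message itself describes. Suggest rewording the description to mention state, and spelling out what an omitted value means, since the parameter is optional and the code treats unset the same as 0.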
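Review bot: in the list_prefix_lists loop (src/PVE/API2/Network/SDN/PrefixLists.pm, hunk at -86,41) the digest is now attached only inside the "if ($verbose)" branch, so a default call to GET /prefix-lists no longer returns either the full objects or a digest, which changes the response for every existing caller that does not pass verbose. If the reduced default is intended, consider documenting it in the method description and the returns schema; otherwise default verbose to the previous behaviour so callers that use the digest for a later PUT or DELETE keep working unchanged.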
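Review bot: delete_prefix_list in the new src/PVE/API2/Network/SDN/PrefixLists/PrefixList.pm calls extract_param($param, 'digest') and passes it to assert_if_modified, but its parameters block only declares id and lock-token, so the concurrent-modification check has no declared input to act on. The code was moved as is, but this is a good point to add "digest => get_standard_option('pve-config-digest')" to the schema so that the check on the protected DELETE can actually be used. Minor: the local variable in get_prefix_list is still called $prefix_list_entry although it holds the whole prefix list.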
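Review bot: in the new src/PVE/API2/Network/SDN/PrefixLists/PrefixListEntry.pm the path placeholder url_seq is read with extract_param in get_prefix_list_entry, update_prefix_list_entry and delete_prefix_list_entry, yet none of the three declares url_seq under parameters.properties, and update_prefix_list_entry does not declare id either (prefix_list_entry_properties(1, 1) contains neither). Suggest declaring both with the same integer bounds as seq (minimum 0, maximum 2**32 - 1) so the URL value is validated before it reaches get_entry, update_entry or delete_entry. The links entry in get_prefix_list_entries uses href "{seq}" while the child path is '{url_seq}', which is worth a comment or an alignment. The same missing digest declaration applies to delete_prefix_list_entry and create_prefix_list_entry, which both extract digest without listing it. Finally, the descriptions are copied from the list-level methods: create_prefix_list_entry says "Delete Prefix List", and the others say "Get/Update/Delete Prefix List" where "Prefix List Entry" (or "Entries") is meant, and the not-found error in get_prefix_list_entry is keyed on 'id' although the missing thing is the sequence number.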
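Review bot: in src/PVE/Network/SDN/PrefixLists.pm (hunk at -105,44), prefix_list_properties now builds the nested entries format with "format => prefix_list_entry_properties($update, 0)", so for $update = 1 the action and prefix keys of each entry become optional, whereas the removed inline format never marked them optional. Since a PUT on the prefix list supplies whole entries, the nested case should probably always pass 0 for the first argument and keep "optional => $update" for the standalone entry endpoints only. Two smaller points on the same helper: the delete enum for standalone updates includes 'seq', and it is not clear from the schema what deleting the sequence number of an entry addressed by its sequence number should do; and the two positional booleans ($update, $standalone) would benefit from a short comment, since call sites such as (1, 1), (0, 1) and ($update, 0) are hard to read without it.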