Re: [pve-devel] [PATCH firewall 4/4] config: combine group/ipset and their comments

[Leo Nunner <l.nunner@proxmox.com>]

On 2023-01-27 12:41, Wolfgang Bumiller wrote:
> On Thu, Jan 26, 2023 at 03:30:19PM +0100, Leo Nunner wrote:
>> This patch restructures the parsed config structure a bit to be more
>> consistent across objects.
>>
>> group_comments and ipset_comments were removed from the config structure
>> and are now stored directly within the group/ipset objects themselves.
>> They now follow the same structure as aliases, with
>>
>> <name> => {
>>     comment => <...>,
>>     [entries|rules] => { <...> },
>> }
>>
>> We don't need to store separate instances of the original + the
>> lower-case name for aliases anymore, so the structure was changed to
>>
>> <name> => {
>>     comment => <...>,
>>     cidr => <...>,
>>     ipversion => <...>,
>> }
>>
>> Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
>> ---
>> RFC: This one is optional, it's just that while experimenting with 
>> the capitalization issue I also looked into using a "name" property 
>> for everything (like for aliases), and while I was at it, I also transfered 
>> the comments into the main object… I feel like this structure is nicer, but 
>> we don't _need_ it. My main worry is that there might still be some calls to
>> $conf->{ipset}->{foo} instead of $conf->{ipset}->{foo}->{entries}, but I
>> couldn't find any aside from the ones modified in this patch ^^
> But in the end you dropped the `name` property of aliases instead.
> Could you clarify your conclusion a bit?

When I added a name property for everything, it seemed to me that the
change was more invasive; the API endpoints needed to be expanded to
also return the actual name (like it was already the case with aliases),
and a bunch of changes were necessary to use that value instead of just
using the key iirc…

What also threw me off a bit was the need to add lc() calls all over the
place: for API calls, are we only going to take the lower-case value? Or
also the upper-case one? With the second one, we're going to need to
convert it in all the endpoints, since until now, they were always
expected to already be lower-cased. And not accepting the original name
in the API seems like it kind of defeats the purpose for me.

> Because now we have hashes with original names and need to `grep` their
> keys instead of doing lookups because we don't know their
> capitalization, and need to remember doing so everywhere.

Not *everywhere*, though? In the cases where I did it, it was as to not
have two groups/… with the same name (regardless of capitalization), and
that is only called when using the create/rename endpoint. I see how
that would be a non-issue when using a 'name' property, but this
shouldn't be *too* hard on the performance, since it's not called
regularly, right?

The call for aliases is a different story, since we'll have old config
files where the definition keeps the original name, while all
occurrences afterwards use the lower-case one (in rules/sets). If we
used a name property, are we going to do this everywhere? In the report
that partially motivated this patch [1], it was mentioned that
everything gets lower-cased in edit dialogues, and I feel like that
defeats the whole purpose again…

> To me this seems like a step backwards, given that the firewall is
> already quite CPU-hungry at times?
> It seems to me that all-lowercase hashes with original names inside
> would be much eaiser? Sure, we'd have to "undo" this when saving or
> returning stuff via the API for backward compatibility.
[1] https://bugzilla.proxmox.com/show_bug.cgi?id=4414