From: Leo Nunner
To: pve-devel@lists.proxmox.com
Date: Wed, 7 Jun 2023 12:17:47 +0200
Message-Id: <20230607101751.87616-1-l.nunner@proxmox.com>
Subject: [pve-devel] [PATCH firewall/manager] firewall: introduce scoping for ipsets/aliases
List-Id: Proxmox VE development discussion

This patch introduces scoping mechanisms for IPsets and aliases, since
it's possible to have two of them with the same name on different layers
(i.e. one on the cluster layer, and one on the VM layer). Datacenter
entries are now prefixed with "dc/", and VM entries are prefixed with
"ct/".

The first two patches:

    fix #4556: introduce 'dc' and 'vm' prefix for IPSets
    fix #4556: introduce 'dc' and 'vm' prefix for aliases

should retain backwards compatibility with existing setups. All older
configs will continue to work as previously, since unscoped values
retain the previous behaviour.

    fix #4556: api: return scoped IPSets and aliases
    firewall: add scope field to IPRefSelector

introduce new return values to the API endpoints for /refs, leading to
all new entries that are being added via the GUI being scoped by
default. This will break compatibility with older systems, since the
scoped values cannot be parsed.

firewall:

Leo Nunner (3):
  fix #4556: introduce 'dc' and 'vm' prefix for IPSets
  fix #4556: introduce 'dc' and 'vm' prefix for aliases
  fix #4556: api: return scoped IPSets and aliases

 src/PVE/API2/Firewall/Cluster.pm | 34 ++-------------
 src/PVE/API2/Firewall/IPSet.pm   |  9 ++--
 src/PVE/API2/Firewall/VM.pm      | 47 +++++----------------
 src/PVE/Firewall.pm              | 71 +++++++++++++++++++++-----------
 src/PVE/Firewall/Helpers.pm      | 43 +++++++++++++++++++
 5 files changed, 110 insertions(+), 94 deletions(-)

manager:

Leo Nunner (1):
  firewall: add scope field to IPRefSelector

 www/manager6/form/IPRefSelector.js | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--
2.30.2
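
Added example, not part of the original message or of the patch series: a Perl illustration of the name shadowing the cover letter describes and of how a scope prefix removes the ambiguity. It uses the 'dc' and 'vm' prefixes from the patch subjects; the helper names, the name pattern, the guest-first lookup order for unscoped names, the no-fallback rule for scoped names and the sample addresses are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: the alias "webserver" exists on both layers.
my $cluster_conf = { aliases => { webserver => '10.0.0.10', mgmt => '10.0.0.1' } };
my $guest_conf   = { aliases => { webserver => '192.168.1.10' } };

# Hypothetical helper: split "scope/name" into (scope, name).
# The name pattern is an assumption, not taken from the series.
sub parse_ref {
    my ($ref) = @_;
    if ($ref =~ m!^(dc|vm)/([A-Za-z][A-Za-z0-9\-_]+)$!) {
        return ($1, $2);        # scoped reference
    } elsif ($ref =~ m!^([A-Za-z][A-Za-z0-9\-_]+)$!) {
        return (undef, $1);     # unscoped (legacy) reference
    }
    die "invalid alias reference '$ref'\n";
}

# Hypothetical resolver: returns (layer, value) or dies.
sub resolve_alias {
    my ($ref, $cluster, $guest) = @_;
    my ($scope, $name) = parse_ref($ref);

    # Unscoped names keep a layered lookup (assumed order: guest, then
    # datacenter). Scoped names consult exactly one layer, no fallback.
    my @layers = !defined($scope) ? ([vm => $guest], [dc => $cluster])
               : $scope eq 'dc'   ? ([dc => $cluster])
               :                    ([vm => $guest]);

    for my $layer (@layers) {
        my ($label, $conf) = @$layer;
        my $value = $conf->{aliases}->{$name};
        return ($label, $value) if defined($value);
    }
    die "no such alias '$ref'\n";
}

for my $ref (qw(webserver dc/webserver vm/webserver mgmt vm/mgmt)) {
    my ($layer, $cidr) = eval { resolve_alias($ref, $cluster_conf, $guest_conf) };
    if ($@) {
        chomp(my $err = $@);
        print "$ref -> error: $err\n";
        next;
    }
    print "$ref -> $cidr (from $layer)\n";
}
```

An unscoped `webserver` resolves to whichever layer wins the lookup order, so a rule that must match the datacenter definition only does so reliably when it carries the explicit scope.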