From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id D37531FF15E for ; Fri, 4 Oct 2024 17:36:43 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 7D3CF117DA; Fri, 4 Oct 2024 17:37:05 +0200 (CEST) Message-ID: <6ca59f85-6e36-4cc8-b75f-df6d760818e3@proxmox.com> Date: Fri, 4 Oct 2024 17:36:31 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: Thomas Lamprecht , Proxmox VE development discussion References: <20240911093116.112960-1-s.hanreich@proxmox.com> <20240911093116.112960-11-s.hanreich@proxmox.com> Content-Language: en-US From: Stefan Hanreich In-Reply-To: X-SPAM-LEVEL: Spam detection results: 0 AWL 0.634 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH pve-firewall 10/15] api: add vnet endpoints X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" On 9/26/24 08:37, Thomas Lamprecht wrote: > I'd prefer a _hook suffix for such a method for slightly added clarity. > > And FWIW, if all you do now is check privileges, and there's nothing you already > know that's gonna get added here soon, you could just name it after what it does > and avoid being all to generic, i.e. something like > > sub assert_privs_for_method Thats's probably the better approach for naming this function, since I don't have any future additions in mind. >> +my $option_properties = $PVE::Firewall::vnet_option_properties; > > might need a clone to avoid modifying the original reference I think Yes, I think we never write to it - but accidents happen and better safe than sorry. Might make sense to also do this in the other API modules as well in a separate patch then. > Hmm, I'm wondering might it make sense to add a SDN.Firewall privilege to separate > allowing VNet allocation and allowing to configure a VNet's firewall? > While adding privs is a bit tricky, this one might be dooable later one too though. > > But whatever gets chosen should then be also addressed in a commit message with some > background reasoning (if it's already then I might have overlooked, I did not checked > every all too closely yet). Initial reasoning was that there's not really a privilege like that for DC / Host / Guests, where it is always tied to the networking permissions. Maybe it would make sense to create a completely separate Firewall permission that is then also used for DC / Host / Guests? Of course this could only happen in the next major release. Thanks for the review! _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel