From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <l.nunner@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 7B140909AC
 for <pve-devel@lists.proxmox.com>; Mon, 30 Jan 2023 10:02:06 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 5D74DCBD2
 for <pve-devel@lists.proxmox.com>; Mon, 30 Jan 2023 10:01:36 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Mon, 30 Jan 2023 10:01:35 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 1505C4517F
 for <pve-devel@lists.proxmox.com>; Mon, 30 Jan 2023 10:01:35 +0100 (CET)
Message-ID: <91d83b86-52f7-a7b7-9aac-a8218e26152b@proxmox.com>
Date: Mon, 30 Jan 2023 10:01:33 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.6.0
Content-Language: en-US
To: Wolfgang Bumiller <w.bumiller@proxmox.com>
Cc: pve-devel@lists.proxmox.com
References: <20230126143020.150338-1-l.nunner@proxmox.com>
 <20230126143020.150338-5-l.nunner@proxmox.com>
 <20230127114125.bquh7kdugu2arvd2@fwblub>
From: Leo Nunner <l.nunner@proxmox.com>
In-Reply-To: <20230127114125.bquh7kdugu2arvd2@fwblub>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.128 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 NICE_REPLY_A            -0.09 Looks like a legit reply (A)
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH firewall 4/4] config: combine group/ipset
 and their comments
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2023 09:02:06 -0000

On 2023-01-27 12:41, Wolfgang Bumiller wrote:
> On Thu, Jan 26, 2023 at 03:30:19PM +0100, Leo Nunner wrote:
>> This patch restructures the parsed config structure a bit to be more
>> consistent across objects.
>>
>> group_comments and ipset_comments were removed from the config structure
>> and are now stored directly within the group/ipset objects themselves.
>> They now follow the same structure as aliases, with
>>
>> <name> => {
>>     comment => <...>,
>>     [entries|rules] => { <...> },
>> }
>>
>> We don't need to store separate instances of the original + the
>> lower-case name for aliases anymore, so the structure was changed to
>>
>> <name> => {
>>     comment => <...>,
>>     cidr => <...>,
>>     ipversion => <...>,
>> }
>>
>> Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
>> ---
>> RFC: This one is optional, it's just that while experimenting with 
>> the capitalization issue I also looked into using a "name" property 
>> for everything (like for aliases), and while I was at it, I also transfered 
>> the comments into the main object… I feel like this structure is nicer, but 
>> we don't _need_ it. My main worry is that there might still be some calls to
>> $conf->{ipset}->{foo} instead of $conf->{ipset}->{foo}->{entries}, but I
>> couldn't find any aside from the ones modified in this patch ^^
> But in the end you dropped the `name` property of aliases instead.
> Could you clarify your conclusion a bit?

When I added a name property for everything, it seemed to me that the
change was more invasive; the API endpoints needed to be expanded to
also return the actual name (like it was already the case with aliases),
and a bunch of changes were necessary to use that value instead of just
using the key iirc…

What also threw me off a bit was the need to add lc() calls all over the
place: for API calls, are we only going to take the lower-case value? Or
also the upper-case one? With the second one, we're going to need to
convert it in all the endpoints, since until now, they were always
expected to already be lower-cased. And not accepting the original name
in the API seems like it kind of defeats the purpose for me.

> Because now we have hashes with original names and need to `grep` their
> keys instead of doing lookups because we don't know their
> capitalization, and need to remember doing so everywhere.

Not *everywhere*, though? In the cases where I did it, it was as to not
have two groups/… with the same name (regardless of capitalization), and
that is only called when using the create/rename endpoint. I see how
that would be a non-issue when using a 'name' property, but this
shouldn't be *too* hard on the performance, since it's not called
regularly, right?

The call for aliases is a different story, since we'll have old config
files where the definition keeps the original name, while all
occurrences afterwards use the lower-case one (in rules/sets). If we
used a name property, are we going to do this everywhere? In the report
that partially motivated this patch [1], it was mentioned that
everything gets lower-cased in edit dialogues, and I feel like that
defeats the whole purpose again…

> To me this seems like a step backwards, given that the firewall is
> already quite CPU-hungry at times?
> It seems to me that all-lowercase hashes with original names inside
> would be much eaiser? Sure, we'd have to "undo" this when saving or
> returning stuff via the API for backward compatibility.
[1] https://bugzilla.proxmox.com/show_bug.cgi?id=4414