From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 7B140909AC for ; Mon, 30 Jan 2023 10:02:06 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5D74DCBD2 for ; Mon, 30 Jan 2023 10:01:36 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Mon, 30 Jan 2023 10:01:35 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 1505C4517F for ; Mon, 30 Jan 2023 10:01:35 +0100 (CET) Message-ID: <91d83b86-52f7-a7b7-9aac-a8218e26152b@proxmox.com> Date: Mon, 30 Jan 2023 10:01:33 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0 Content-Language: en-US To: Wolfgang Bumiller Cc: pve-devel@lists.proxmox.com References: <20230126143020.150338-1-l.nunner@proxmox.com> <20230126143020.150338-5-l.nunner@proxmox.com> <20230127114125.bquh7kdugu2arvd2@fwblub> From: Leo Nunner In-Reply-To: <20230127114125.bquh7kdugu2arvd2@fwblub> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.128 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.09 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH firewall 4/4] config: combine group/ipset and their comments X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Jan 2023 09:02:06 -0000 On 2023-01-27 12:41, Wolfgang Bumiller wrote: > On Thu, Jan 26, 2023 at 03:30:19PM +0100, Leo Nunner wrote: >> This patch restructures the parsed config structure a bit to be more >> consistent across objects. >> >> group_comments and ipset_comments were removed from the config structure >> and are now stored directly within the group/ipset objects themselves. >> They now follow the same structure as aliases, with >> >> => { >> comment => <...>, >> [entries|rules] => { <...> }, >> } >> >> We don't need to store separate instances of the original + the >> lower-case name for aliases anymore, so the structure was changed to >> >> => { >> comment => <...>, >> cidr => <...>, >> ipversion => <...>, >> } >> >> Signed-off-by: Leo Nunner >> --- >> RFC: This one is optional, it's just that while experimenting with >> the capitalization issue I also looked into using a "name" property >> for everything (like for aliases), and while I was at it, I also transfered >> the comments into the main object… I feel like this structure is nicer, but >> we don't _need_ it. My main worry is that there might still be some calls to >> $conf->{ipset}->{foo} instead of $conf->{ipset}->{foo}->{entries}, but I >> couldn't find any aside from the ones modified in this patch ^^ > But in the end you dropped the `name` property of aliases instead. > Could you clarify your conclusion a bit? When I added a name property for everything, it seemed to me that the change was more invasive; the API endpoints needed to be expanded to also return the actual name (like it was already the case with aliases), and a bunch of changes were necessary to use that value instead of just using the key iirc… What also threw me off a bit was the need to add lc() calls all over the place: for API calls, are we only going to take the lower-case value? Or also the upper-case one? With the second one, we're going to need to convert it in all the endpoints, since until now, they were always expected to already be lower-cased. And not accepting the original name in the API seems like it kind of defeats the purpose for me. > Because now we have hashes with original names and need to `grep` their > keys instead of doing lookups because we don't know their > capitalization, and need to remember doing so everywhere. Not *everywhere*, though? In the cases where I did it, it was as to not have two groups/… with the same name (regardless of capitalization), and that is only called when using the create/rename endpoint. I see how that would be a non-issue when using a 'name' property, but this shouldn't be *too* hard on the performance, since it's not called regularly, right? The call for aliases is a different story, since we'll have old config files where the definition keeps the original name, while all occurrences afterwards use the lower-case one (in rules/sets). If we used a name property, are we going to do this everywhere? In the report that partially motivated this patch [1], it was mentioned that everything gets lower-cased in edit dialogues, and I feel like that defeats the whole purpose again… > To me this seems like a step backwards, given that the firewall is > already quite CPU-hungry at times? > It seems to me that all-lowercase hashes with original names inside > would be much eaiser? Sure, we'd have to "undo" this when saving or > returning stuff via the API for backward compatibility. [1] https://bugzilla.proxmox.com/show_bug.cgi?id=4414