From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 54EFE1FF14C for ; Fri, 12 Jun 2026 14:52:29 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 64B52132F0; Fri, 12 Jun 2026 14:52:27 +0200 (CEST) Message-ID: <920d1522-9a76-4ba7-90a6-f7fa5ffecc73@proxmox.com> Date: Fri, 12 Jun 2026 14:51:53 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH pve-network 5/9] fix #7294: sdn: register api formats for zones and vnets To: Gabriel Goller References: <20260611145935.147788-1-d.riley@proxmox.com> <20260611145935.147788-6-d.riley@proxmox.com> <178126670392.718919.12595073108998221237.b4-review@b4> Content-Language: en-US From: David Riley In-Reply-To: <178126670392.718919.12595073108998221237.b4-review@b4> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1781268664008 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.167 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: IYFSV5JLNSZWWPX5QSE2JX6DVG6FLPS6 X-Message-ID-Hash: IYFSV5JLNSZWWPX5QSE2JX6DVG6FLPS6 X-MailFrom: d.riley@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: pve-devel@lists.proxmox.com X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Thanks for the feedback. The intention behind adding this segment to the ACL path is to allow for fine-grained, hierarchical permission scoping, not to couple the ACL system to specific VNet properties. I used vlan as a placeholder for 'tag', but in retrospect, the naming is a bit confusing, and I'm happy to adapt this in a v2. From a permission perspective, including the tag in the path makes sense, as it allows us to restrict pool users to a specific VNet and tag combination. So if you have a pool with a VM, storage and VNet + Tag and assign the pool permissions: PVEVMAdmin, PVESDNUser The user can fully manage this VM, including adding a new NIC, but they can only add it using the exact VNet + Tag combination. Just adding the VNet would not work. Let me know if this makes sense. More inline. On 6/12/26 2:17 PM, Gabriel Goller wrote: > Generally on this series: > What was your rationale on adding the vlan tag? IMO having > `vnet///` doesn't really make sense, as not all vnets have > a tag property, and it's also not always a vlan e.g. EVPN vnets have a vni-tag > property. > > One small comment inline as well. > >> [snip] >> diff --git a/src/PVE/Network/SDN/VnetPlugin.pm b/src/PVE/Network/SDN/VnetPlugin.pm >> index e04157573083..2299b46601c2 100644 >> --- a/src/PVE/Network/SDN/VnetPlugin.pm >> +++ b/src/PVE/Network/SDN/VnetPlugin.pm >> @@ -16,17 +16,34 @@ PVE::Cluster::cfs_register_file( >> sub { __PACKAGE__->write_config(@_); }, >> ); >> >> +my $sdn_vnet_id_pattern = '[a-zA-Z][a-zA-Z0-9]*[a-zA-Z0-9]'; >> +my $vnet_min_length = 2; >> +my $vnet_max_length = 8; >> + >> PVE::JSONSchema::register_standard_option( >> 'pve-sdn-vnet-id', >> { >> description => "The SDN vnet object identifier.", >> type => 'string', >> - pattern => '[a-zA-Z][a-zA-Z0-9]*[a-zA-Z0-9]', >> - minLength => 2, >> - maxLength => 8, >> + pattern => $sdn_vnet_id_pattern, >> + minLength => $vnet_min_length, >> + maxLength => $vnet_max_length, >> }, >> ); >> >> +sub pve_verify_sdn_vnet_id { >> + my ($vnet, $noerr) = @_; >> + >> + if ($vnet !~ m/^$sdn_vnet_id_pattern$/) { >> + return undef if $noerr; >> + die "invalid SDN VNet '$vnet' - must be $vnet_min_length-$vnet_max_length characters" >> + . " long, start with a letter, and contain only alphanumeric characters\n"; >> + } >> + return $vnet; >> +} > I think this is missing a min/max lenght check? > You are right. Will fix this in a v2. >> + >> +PVE::JSONSchema::register_format('pve-sdn-vnet-id', \&pve_verify_sdn_vnet_id); >> + >> my $defaultData = { >> >> propertyList => { >> diff --git a/src/PVE/Network/SDN/Zones/Plugin.pm b/src/PVE/Network/SDN/Zones/Plugin.pm >> index 74a3384cd7ae..cd761e0448c3 100644 >> --- a/src/PVE/Network/SDN/Zones/Plugin.pm >> +++ b/src/PVE/Network/SDN/Zones/Plugin.pm >> @@ -19,17 +19,34 @@ PVE::Cluster::cfs_register_file( >> sub { __PACKAGE__->write_config(@_); }, >> ); >> >> +my $sdn_zone_id_pattern = '[a-zA-Z][a-zA-Z0-9]*[a-zA-Z0-9]'; >> +my $zone_min_length = 2; >> +my $zone_max_length = 8; >> + >> PVE::JSONSchema::register_standard_option( >> 'pve-sdn-zone-id', >> { >> description => "The SDN zone object identifier.", >> type => 'string', >> - pattern => '[a-zA-Z][a-zA-Z0-9]*[a-zA-Z0-9]', >> - minLength => 2, >> - maxLength => 8, >> + pattern => $sdn_zone_id_pattern, >> + minLength => $zone_min_length, >> + maxLength => $zone_max_length, >> }, >> ); >> >> +sub pve_verify_sdn_zone_id { >> + my ($zone, $noerr) = @_; >> + >> + if ($zone !~ m/^$sdn_zone_id_pattern$/) { >> + return undef if $noerr; >> + die "invalid SDN zone '$zone' - must be $zone_min_length-$zone_max_length characters" >> + . " long, start with a letter, and contain only alphanumeric characters\n"; >> + } >> + return $zone; >> +} > Here as well. ack.