From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Stefan Hrdlicka <s.hrdlicka@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-firewall] allow non zero ip address host bits
Date: Tue, 8 Nov 2022 18:00:41 +0100 [thread overview]
Message-ID: <bb417e35-62f8-83f9-188e-ab13222c02db@proxmox.com> (raw)
In-Reply-To: <bc830a9f-0bc8-1417-f8df-61245189dd93@proxmox.com>
Am 08/11/2022 um 15:15 schrieb Stefan Hrdlicka:
>> Could another option be that we normalize CIDRs on entry, i.e., mask out
>> the end? I mean,. would not help existing setups, but at least future
>> proof it a bit for new systems if there's another call site that will
>> trip on this (maybe normalizing here in case of 171 could be an option
>> too). I don't want to shove you in that direction, just wondering if
>> that was considered.
>
> Yes that would be an option. Was more bit more faffing about when I tried it.
> Also would it then be a good idea to change config a user
> added to the the file, or should that be kept as it was entered?
>
We normally don't auto-rewrite/update configs on package upgrade, as that can
be brittle and break immediate downgrades due to a, e.g., regression, but when
writing out a FW config anyway we could rewrite it indeed (at least if there's
no disagreement in that beeing a good idea in the first place)
So in any way, we would probably still want some silencing of the verifier,
if you cleanup the slightly confusing odd case with returning $cidr only
on $noerr I would go for that for now as stop gap.
prev parent reply other threads:[~2022-11-08 17:01 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-25 14:31 Stefan Hrdlicka
2022-10-28 9:28 ` Thomas Lamprecht
2022-11-08 14:15 ` Stefan Hrdlicka
2022-11-08 17:00 ` Thomas Lamprecht [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bb417e35-62f8-83f9-188e-ab13222c02db@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=s.hrdlicka@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox