From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 7301B1FF15F for ; Mon, 18 Nov 2024 10:02:17 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id CA944AB0E; Mon, 18 Nov 2024 10:02:20 +0100 (CET) Message-ID: Date: Mon, 18 Nov 2024 10:02:17 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: Thomas Lamprecht , Proxmox VE development discussion References: <20241115120937.169342-1-s.hanreich@proxmox.com> <20241115120937.169342-7-s.hanreich@proxmox.com> Content-Language: en-US From: Stefan Hanreich In-Reply-To: X-SPAM-LEVEL: Spam detection results: 0 AWL 0.659 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH pve-firewall v4 6/9] api: load sdn ipsets X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Wolfgang Bumiller Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" On 11/17/24 15:30, Thomas Lamprecht wrote: > Am 15.11.24 um 13:09 schrieb Stefan Hanreich: >> Since the SDN configuration reads the IPAM config file, which resides > > does that mean the earlier patches already require this? They load > the SDN config already FWICT; and if so, it would be great to either > have that change in those patches or upfront as separate patches, this > has rather reaching consequences after all... That's indeed an oversight on my part, the default behavior of load_clusterfw_conf changed to loading the SDN configuration in v4 so that patch is actually required if they are not all applied at the same time. If we stick with /etc/pve/priv (see below) I'll reorder the commits accordingly. >> in /etc/pve/priv we need to add the protected flag to several >> endpoints. > > That's wrong, the general IPAM config resides in /etc/pve/sdn/ipams.cfg, > the ipam.db from the PVE IPAM Plugin does indeed reside in the private > directory. > > But, why's that? The commits adding it weren't really telling, but there > are no secrets in there, so why does it have to be priv? We could move > them over to /etc/pve/sdn/pve-ipam.db with some backward compat handling > (either in pmxcfs directly or in the backend site of things). Just tell > me if that would be fine in general, or what the original reason for having > this file only visible for root, and I can help you here. Depends on if you consider a database of all assigned IPs inside the cluster as sensitive information, iirc we erred on the side of caution in this case and stored it in /etc/pve/priv. _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel