[pve-devel] [PATCH pve-firewall] allow non zero ip address host bits

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Nov 8 18:00:41 CET 2022


On 08/11/2022 at 15:15, Stefan Hrdlicka wrote:
>> Could another option be that we normalize CIDRs on entry, i.e., mask out
>> the end? I mean, would not help existing setups, but at least future
>> proof it a bit for new systems if there's another call site that will
>> trip on this (maybe normalizing here in case of 171 could be an option
>> too). I don't want to shove you in that direction, just wondering if
>> that was considered.
> 
> Yes that would be an option. Was a bit more faffing about when I tried it.
> Also would it then be a good idea to change config a user
> added to the file, or should that be kept as it was entered?
> 

We normally don't auto-rewrite/update configs on package upgrade, as that can
be brittle and break immediate downgrades due to, e.g., a regression, but when
writing out a FW config anyway we could rewrite it indeed (at least if there's
no disagreement in that being a good idea in the first place).

So in any way, we would probably still want some silencing of the verifier,
if you clean up the slightly confusing odd case with returning $cidr only
on $noerr I would go for that for now as a stopgap.

