[pve-devel] [PATCH firewall 4/4] config: combine group/ipset and their comments
Wolfgang Bumiller
w.bumiller at proxmox.com
Fri Jan 27 12:41:25 CET 2023
On Thu, Jan 26, 2023 at 03:30:19PM +0100, Leo Nunner wrote:
> This patch restructures the parsed config structure a bit to be more
> consistent across objects.
>
> group_comments and ipset_comments were removed from the config structure
> and are now stored directly within the group/ipset objects themselves.
> They now follow the same structure as aliases, with
>
> <name> => {
> comment => <...>,
> [entries|rules] => { <...> },
> }
>
> We don't need to store separate instances of the original + the
> lower-case name for aliases anymore, so the structure was changed to
>
> <name> => {
> comment => <...>,
> cidr => <...>,
> ipversion => <...>,
> }
>
> Signed-off-by: Leo Nunner <l.nunner at proxmox.com>
> ---
> RFC: This one is optional, it's just that while experimenting with
> the capitalization issue I also looked into using a "name" property
> for everything (like for aliases), and while I was at it, I also transfered
> the comments into the main object… I feel like this structure is nicer, but
> we don't _need_ it. My main worry is that there might still be some calls to
> $conf->{ipset}->{foo} instead of $conf->{ipset}->{foo}->{entries}, but I
> couldn't find any aside from the ones modified in this patch ^^
But in the end you dropped the `name` property of aliases instead.
Could you clarify your conclusion a bit?
Because now we have hashes with original names and need to `grep` their
keys instead of doing lookups because we don't know their
capitalization, and need to remember doing so everywhere.
To me this seems like a step backwards, given that the firewall is
already quite CPU-hungry at times?
It seems to me that all-lowercase hashes with original names inside
would be much eaiser? Sure, we'd have to "undo" this when saving or
returning stuff via the API for backward compatibility.
More information about the pve-devel
mailing list