[pve-devel] [RFC firewall/proxmox{-ve-rs, -firewall, -perl-rs} 00/21] autogenerate ipsets for sdn objects

Stefan Hanreich s.hanreich at proxmox.com
Tue Jul 16 11:33:28 CEST 2024


On 6/28/24 15:46, Gabriel Goller wrote:
> Already talked with Stefan offlist, but some major things I noted when
> testing:
>  * It would be cool to have the generated IPSets visible in the IPSet
>    menu under Firewall (Datacenter). We could add a checkmark to hide
>    them (as there can be quite many) and make them read-only.

As already discussed, this might be a bit tricky to do read-only, since
we want to be able to override those IPSets (as is the case with
management, ipfilter, ..). It might make more sense to just additionally
display the IP sets and make them editable as any other. That way you
can easily append / delete IP addresses. Maybe give an indicator if this
is an auto-generated IPSet or an overridden one in the UI? Maybe I'll
make it a separate patch series that also implements this for the other
auto-generated IPsets.

>  * Zones can be restricted to specific Nodes, but we generate the
>    IPSets on every Node for all Zones. This means some IPSets are
>    useless and we could avoid generating them in the first place.

Will try and add this.

> 
> Otherwise the IPSet generation works fine. The algorithm for generating
> iptables ipset ranges also works perfectly!
> 

Thanks for the review!
