From 78ef35dc78d5dc73c029f1c6e3024e34656e4c2f Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Fri, 1 Apr 2016 12:51:41 +0200
Subject: [PATCH] add auto-generated VM firewall options

---
 Makefile | 6 ++++-
 gen-pve-firewall-vm-opts.pl | 11 ++++++++++
 pve-firewall-vm-opts.adoc | 44 +++++++++++++++++++++++++++++++++++++
 pve-firewall.adoc | 21 ++++++++++++++----
 4 files changed, 77 insertions(+), 5 deletions(-)
 create mode 100755 gen-pve-firewall-vm-opts.pl
 create mode 100644 pve-firewall-vm-opts.adoc

diff --git a/Makefile b/Makefile
index f7dd025..b4a2830 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ RELEASE=4.1
 PVESM_SOURCES=attributes.txt pvesm.adoc pvesm.1-synopsis.adoc $(shell ls pve-storage-*.adoc)
 PVEUM_SOURCES=attributes.txt pveum.adoc pveum.1-synopsis.adoc
 VZDUMP_SOURCES=attributes.txt vzdump.adoc vzdump.1-synopsis.adoc
-PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
+PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-vm-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
 QM_SOURCES=attributes.txt qm.adoc qm.1-synopsis.adoc
 PCT_SOURCES=attributes.txt pct.adoc pct.1-synopsis.adoc
 PVEAM_SOURCES=attributes.txt pveam.adoc pveam.1-synopsis.adoc
@@ -87,6 +87,10 @@ pve-firewall-host-opts.adoc:
 	./gen-pve-firewall-host-opts.pl >$@.tmp
 	mv $@.tmp $@
 
+pve-firewall-vm-opts.adoc:
+	./gen-pve-firewall-vm-opts.pl >$@.tmp
+	mv $@.tmp $@
+
 pve-firewall-rules-opts.adoc:
 	./gen-pve-firewall-rules-opts-adoc.pl >$@.tmp
 	mv $@.tmp $@
diff --git a/gen-pve-firewall-vm-opts.pl b/gen-pve-firewall-vm-opts.pl
new file mode 100755
index 0000000..651c10e
--- /dev/null
+++ b/gen-pve-firewall-vm-opts.pl
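Review bot: The new `pve-firewall-vm-opts.adoc` target in the second Makefile hunk declares no prerequisite, so once the file exists make never re-runs `./gen-pve-firewall-vm-opts.pl`, even after the generator script or the option schema it reads from `PVE::Firewall` changes. The neighbouring host and rules targets it mirrors have the same shape, so this follows an existing convention rather than introducing a regression, but it does mean the committed documentation can silently drift from the firewall code. If regeneration on generator edits is wanted, `pve-firewall-vm-opts.adoc: gen-pve-firewall-vm-opts.pl` is the one-line change. The write-to-`$@.tmp`-then-`mv` recipe is the right pattern for not leaving a half-written target behind when the generator exits non-zero.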
@@ -0,0 +1,11 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use PVE::Firewall;
+use PVE::RESTHandler;
+
+my $prop = $PVE::Firewall::vm_option_properties;
+
+print PVE::RESTHandler::dump_properties($prop);
diff --git a/pve-firewall-vm-opts.adoc b/pve-firewall-vm-opts.adoc
new file mode 100644
index 0000000..c510a7b
--- /dev/null
+++ b/pve-firewall-vm-opts.adoc
@@ -0,0 +1,44 @@
+`dhcp`: `boolean` ::
+
+Enable DHCP.
+
+`enable`: `boolean` ::
+
+Enable/disable firewall rules.
+
+`ipfilter`: `boolean` ::
+
+Enable default IP filters. This is equivalent to adding an empty
+ipfilter-net ipset for every interface. Such ipsets implicitly contain
+sane default restrictions such as restricting IPv6 link local addresses to
+the one derived from the interface's MAC address. For containers the
+configured IP addresses will be implicitly added.
+
+`log_level_in`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for incoming traffic.
+
+`log_level_out`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for outgoing traffic.
+
+`macfilter`: `boolean` ::
+
+Enable/disable MAC address filter.
+
+`ndp`: `boolean` ::
+
+Enable NDP.
+
+`policy_in`: `(ACCEPT | DROP | REJECT)` ::
+
+Input policy.
+
+`policy_out`: `(ACCEPT | DROP | REJECT)` ::
+
+Output policy.
+
+`radv`: `boolean` ::
+
+Allow sending Router Advertisement.
+
diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index 0e708de..7393e12 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
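Review bot: The `print` on the last line of gen-pve-firewall-vm-opts.pl is the script's only output and its return value is unchecked, and STDOUT is never closed explicitly, so a short or failed write while the Makefile redirects into `$@.tmp` still exits 0 and the following `mv` installs a truncated `pve-firewall-vm-opts.adoc`. Adding `close STDOUT or die "write STDOUT: $!";` after the print makes buffered write errors fatal and stops the rename. Reading `$PVE::Firewall::vm_option_properties` as a bare package variable also couples the generator to a module internal rather than an accessor; presumably the sibling gen-pve-firewall-*-opts.pl scripts do the same, so that part is a style remark rather than a defect.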
@@ -151,10 +151,23 @@ VM firewall configuration is read from:
 and contains the following data:
-* IP set definitions
-* Alias definitions
-* Firewall rules for this VM
-* VM specific options
+'[OPTIONS]'::
+
+This is used to set VM/Container related firewall options.
+
+include::pve-firewall-vm-opts.adoc[]
+
+'[RULES]'::
+
+This sections contains VM/Container firewall rules.
+
+'[IPSET ]'::
+
+IP set definitions.
+
+'[ALIASES]'::
+
+IP Alias definitions.
 Enabling the Firewall for VMs and Containers
-- 
2.39.2