add auto-generated VM firewall options
authorDietmar Maurer <dietmar@proxmox.com>
Fri, 1 Apr 2016 10:51:41 +0000 (12:51 +0200)
committerDietmar Maurer <dietmar@proxmox.com>
Fri, 1 Apr 2016 10:59:03 +0000 (12:59 +0200)
Makefile
gen-pve-firewall-vm-opts.pl [new file with mode: 0755]
pve-firewall-vm-opts.adoc [new file with mode: 0644]
pve-firewall.adoc

index f7dd025..b4a2830 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ RELEASE=4.1
 PVESM_SOURCES=attributes.txt pvesm.adoc pvesm.1-synopsis.adoc $(shell ls pve-storage-*.adoc)
 PVEUM_SOURCES=attributes.txt pveum.adoc pveum.1-synopsis.adoc
 VZDUMP_SOURCES=attributes.txt vzdump.adoc vzdump.1-synopsis.adoc
-PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
+PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-vm-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
 QM_SOURCES=attributes.txt qm.adoc qm.1-synopsis.adoc
 PCT_SOURCES=attributes.txt pct.adoc pct.1-synopsis.adoc
 PVEAM_SOURCES=attributes.txt pveam.adoc pveam.1-synopsis.adoc
@@ -87,6 +87,10 @@ pve-firewall-host-opts.adoc:
        ./gen-pve-firewall-host-opts.pl >$@.tmp
        mv $@.tmp $@
 
+pve-firewall-vm-opts.adoc:
+       ./gen-pve-firewall-vm-opts.pl >$@.tmp
+       mv $@.tmp $@
+
 pve-firewall-rules-opts.adoc:
        ./gen-pve-firewall-rules-opts-adoc.pl >$@.tmp
        mv $@.tmp $@
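Review bot: The new `pve-firewall-vm-opts.adoc:` rule has no prerequisites, so make treats the file as up to date once it exists and never re-runs the generator. This commit also checks in the generated file, so the recipe would only run after the file is deleted. The documented VM firewall options can then drift from what the installed PVE::Firewall accepts, and readers would be configuring guests from a stale reference. Listing the script as a prerequisite, `pve-firewall-vm-opts.adoc: gen-pve-firewall-vm-opts.pl`, would at least rebuild when the generator changes. The host-opts rule in the hunk header appears to follow the same pattern, so if this is deliberate (for example to build on hosts without the PVE modules), a comment such as `# generated files are committed; remove them to regenerate` above these rules would state the intent.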
diff --git a/gen-pve-firewall-vm-opts.pl b/gen-pve-firewall-vm-opts.pl
new file mode 100755 (executable)
index 0000000..651c10e
--- /dev/null
@@ -0,0 +1,11 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use PVE::Firewall;
+use PVE::RESTHandler;
+
+my $prop = $PVE::Firewall::vm_option_properties;
+
+print PVE::RESTHandler::dump_properties($prop);
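Review bot: `$prop` is passed to `PVE::RESTHandler::dump_properties` without a check that it is defined. A fully qualified package variable passes `use strict` even when nothing declares it, so if the installed PVE::Firewall does not expose `vm_option_properties` as a package variable, the script may emit empty or partial output and still exit successfully. The Makefile recipe would then move that output into place as the VM firewall option reference. A guard before the `print`, such as `die "PVE::Firewall::vm_option_properties is not defined\n" if !defined($prop);`, makes the build fail instead. The output also depends on whichever PVE::Firewall version is installed on the build host, which is worth a one-line comment at the top of the script.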
diff --git a/pve-firewall-vm-opts.adoc b/pve-firewall-vm-opts.adoc
new file mode 100644 (file)
index 0000000..c510a7b
--- /dev/null
@@ -0,0 +1,44 @@
+`dhcp`: `boolean` ::
+
+Enable DHCP.
+
+`enable`: `boolean` ::
+
+Enable/disable firewall rules.
+
+`ipfilter`: `boolean` ::
+
+Enable default IP filters. This is equivalent to adding an empty
+ipfilter-net<id> ipset for every interface. Such ipsets implicitly contain
+sane default restrictions such as restricting IPv6 link local addresses to
+the one derived from the interface's MAC address. For containers the
+configured IP addresses will be implicitly added.
+
+`log_level_in`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for incoming traffic.
+
+`log_level_out`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for outgoing traffic.
+
+`macfilter`: `boolean` ::
+
+Enable/disable MAC address filter.
+
+`ndp`: `boolean` ::
+
+Enable NDP.
+
+`policy_in`: `(ACCEPT | DROP | REJECT)` ::
+
+Input policy.
+
+`policy_out`: `(ACCEPT | DROP | REJECT)` ::
+
+Output policy.
+
+`radv`: `boolean` ::
+
+Allow sending Router Advertisement.
+
index 0e708de..7393e12 100644 (file)
@@ -151,10 +151,23 @@ VM firewall configuration is read from:
 
 and contains the following data:
 
-* IP set definitions
-* Alias definitions
-* Firewall rules for this VM
-* VM specific options
+'[OPTIONS]'::
+
+This is used to set VM/Container related firewall options.
+
+include::pve-firewall-vm-opts.adoc[]
+
+'[RULES]'::
+
+This sections contains VM/Container firewall rules.
+
+'[IPSET <name>]'::
+
+IP set definitions.
+
+'[ALIASES]'::
+
+IP Alias definitions.
 
 
 Enabling the Firewall for VMs and Containers