add auto-generated VM firewall options

diff --git a/Makefile b/Makefile
index f7dd025d58f8d43b783c00f2e5595ebc86c44096..b4a2830b57db9b8f406773303e096e8ab4e6bf55 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ RELEASE=4.1
 PVESM_SOURCES=attributes.txt pvesm.adoc pvesm.1-synopsis.adoc $(shell ls pve-storage-*.adoc)
 PVEUM_SOURCES=attributes.txt pveum.adoc pveum.1-synopsis.adoc
 VZDUMP_SOURCES=attributes.txt vzdump.adoc vzdump.1-synopsis.adoc
-PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
+PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-vm-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
 QM_SOURCES=attributes.txt qm.adoc qm.1-synopsis.adoc
 PCT_SOURCES=attributes.txt pct.adoc pct.1-synopsis.adoc
 PVEAM_SOURCES=attributes.txt pveam.adoc pveam.1-synopsis.adoc
@@ -87,6 +87,10 @@ pve-firewall-host-opts.adoc:
        ./gen-pve-firewall-host-opts.pl >$@.tmp
        mv $@.tmp $@
 
+pve-firewall-vm-opts.adoc:
+       ./gen-pve-firewall-vm-opts.pl >$@.tmp
+       mv $@.tmp $@
+
 pve-firewall-rules-opts.adoc:
        ./gen-pve-firewall-rules-opts-adoc.pl >$@.tmp
        mv $@.tmp $@

diff --git a/gen-pve-firewall-vm-opts.pl b/gen-pve-firewall-vm-opts.pl
new file mode 100755 (executable)
index 0000000..651c10e
--- /dev/null
+++ b/gen-pve-firewall-vm-opts.pl
@@ -0,0 +1,11 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use PVE::Firewall;
+use PVE::RESTHandler;
+
+my $prop = $PVE::Firewall::vm_option_properties;
+
+print PVE::RESTHandler::dump_properties($prop);

diff --git a/pve-firewall-vm-opts.adoc b/pve-firewall-vm-opts.adoc
new file mode 100644 (file)
index 0000000..c510a7b
--- /dev/null
+++ b/pve-firewall-vm-opts.adoc
@@ -0,0 +1,44 @@
+`dhcp`: `boolean` ::
+
+Enable DHCP.
+
+`enable`: `boolean` ::
+
+Enable/disable firewall rules.
+
+`ipfilter`: `boolean` ::
+
+Enable default IP filters. This is equivalent to adding an empty
+ipfilter-net<id> ipset for every interface. Such ipsets implicitly contain
+sane default restrictions such as restricting IPv6 link local addresses to
+the one derived from the interface's MAC address. For containers the
+configured IP addresses will be implicitly added.
+
+`log_level_in`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for incoming traffic.
+
+`log_level_out`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for outgoing traffic.
+
+`macfilter`: `boolean` ::
+
+Enable/disable MAC address filter.
+
+`ndp`: `boolean` ::
+
+Enable NDP.
+
+`policy_in`: `(ACCEPT | DROP | REJECT)` ::
+
+Input policy.
+
+`policy_out`: `(ACCEPT | DROP | REJECT)` ::
+
+Output policy.
+
+`radv`: `boolean` ::
+
+Allow sending Router Advertisement.
+

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index 0e708de89e8da06c384bb57ffced2fa6b5402415..7393e1205fe8e1ea23cfe506f75b7fdf0d6d4cc8 100644 (file)
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -151,10 +151,23 @@ VM firewall configuration is read from:
 
 and contains the following data:
 
-* IP set definitions
-* Alias definitions
-* Firewall rules for this VM
-* VM specific options
+'[OPTIONS]'::
+
+This is used to set VM/Container related firewall options.
+
+include::pve-firewall-vm-opts.adoc[]
+
+'[RULES]'::
+
+This sections contains VM/Container firewall rules.
+
+'[IPSET <name>]'::
+
+IP set definitions.
+
+'[ALIASES]'::
+
+IP Alias definitions.
 
 
 Enabling the Firewall for VMs and Containers