From: Dietmar Maurer
Date: Fri, 1 Apr 2016 10:51:41 +0000 (+0200)
Subject: add auto-generated VM firewall options
X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=commitdiff_plain;h=78ef35dc78d5dc73c029f1c6e3024e34656e4c2f
add auto-generated VM firewall options
---
diff --git a/Makefile b/Makefile
index f7dd025..b4a2830 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ RELEASE=4.1
 PVESM_SOURCES=attributes.txt pvesm.adoc pvesm.1-synopsis.adoc $(shell ls pve-storage-*.adoc)
 PVEUM_SOURCES=attributes.txt pveum.adoc pveum.1-synopsis.adoc
 VZDUMP_SOURCES=attributes.txt vzdump.adoc vzdump.1-synopsis.adoc
-PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
+PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-vm-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
 QM_SOURCES=attributes.txt qm.adoc qm.1-synopsis.adoc
 PCT_SOURCES=attributes.txt pct.adoc pct.1-synopsis.adoc
 PVEAM_SOURCES=attributes.txt pveam.adoc pveam.1-synopsis.adoc
@@ -87,6 +87,10 @@ pve-firewall-host-opts.adoc:
 ./gen-pve-firewall-host-opts.pl >$@.tmp
 mv $@.tmp $@
+pve-firewall-vm-opts.adoc:
+ ./gen-pve-firewall-vm-opts.pl >$@.tmp
+ mv $@.tmp $@
+
 pve-firewall-rules-opts.adoc:
 ./gen-pve-firewall-rules-opts-adoc.pl >$@.tmp
 mv $@.tmp $@
diff --git a/gen-pve-firewall-vm-opts.pl b/gen-pve-firewall-vm-opts.pl
new file mode 100755
index 0000000..651c10e
--- /dev/null
+++ b/gen-pve-firewall-vm-opts.pl
@@ -0,0 +1,11 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use PVE::Firewall;
+use PVE::RESTHandler;
+
+my $prop = $PVE::Firewall::vm_option_properties;
+
+print PVE::RESTHandler::dump_properties($prop);
diff --git a/pve-firewall-vm-opts.adoc b/pve-firewall-vm-opts.adoc
new file mode 100644
index 0000000..c510a7b
--- /dev/null
+++ b/pve-firewall-vm-opts.adoc
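Review bot: The new `pve-firewall-vm-opts.adoc:` target lists no prerequisites, and this commit also checks in the generated file, so make will treat it as up to date and never re-run `./gen-pve-firewall-vm-opts.pl`. The documented VM firewall options can then drift from what PVE::Firewall actually accepts. The neighbouring host-opts and rules-opts rules visible in the context follow the same pattern, so this may be deliberate, for example to build the docs on a host without the PVE modules. If regeneration is wanted, name the generator as a prerequisite: `pve-firewall-vm-opts.adoc: gen-pve-firewall-vm-opts.pl`.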
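Review bot: `$PVE::Firewall::vm_option_properties` is handed to `dump_properties` without a check that it is defined, so the output depends entirely on which PVE::Firewall happens to be installed on the build host. How `dump_properties` treats undef is not visible here; if it prints nothing and the script still exits 0, the Makefile's `mv $@.tmp $@` would install an empty option list into the firewall documentation. A guard before the print makes the build fail instead: `die "PVE::Firewall::vm_option_properties is not defined\n" if !defined($prop);`. A short header comment stating that the script writes asciidoc to stdout for the `pve-firewall-vm-opts.adoc` rule would also help the next reader.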
@@ -0,0 +1,44 @@
+`dhcp`: `boolean` ::
+
+Enable DHCP.
+
+`enable`: `boolean` ::
+
+Enable/disable firewall rules.
+
+`ipfilter`: `boolean` ::
+
+Enable default IP filters. This is equivalent to adding an empty
+ipfilter-net ipset for every interface. Such ipsets implicitly contain
+sane default restrictions such as restricting IPv6 link local addresses to
+the one derived from the interface's MAC address. For containers the
+configured IP addresses will be implicitly added.
+
+`log_level_in`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for incoming traffic.
+
+`log_level_out`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for outgoing traffic.
+
+`macfilter`: `boolean` ::
+
+Enable/disable MAC address filter.
+
+`ndp`: `boolean` ::
+
+Enable NDP.
+
+`policy_in`: `(ACCEPT | DROP | REJECT)` ::
+
+Input policy.
+
+`policy_out`: `(ACCEPT | DROP | REJECT)` ::
+
+Output policy.
+
+`radv`: `boolean` ::
+
+Allow sending Router Advertisement.
+
diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index 0e708de..7393e12 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -151,10 +151,23 @@ VM firewall configuration is read from:
 and contains the following data:
-* IP set definitions
-* Alias definitions
-* Firewall rules for this VM
-* VM specific options
+'[OPTIONS]'::
+
+This is used to set VM/Container related firewall options.
+
+include::pve-firewall-vm-opts.adoc[]
+
+'[RULES]'::
+
+This sections contains VM/Container firewall rules.
+
+'[IPSET ]'::
+
+IP set definitions.
+
+'[ALIASES]'::
+
+IP Alias definitions.
 Enabling the Firewall for VMs and Containers