add auto-generated VM firewall options

2025-03-05 20:58:19 +03:00 · 2016-04-01 12:51:41 +02:00 · 2016-04-01 12:51:41 +02:00 · 78ef35dc78
commit 78ef35dc78
parent 888c41167a
4 changed files with 77 additions and 5 deletions
--- a/6
+++ b/6
@ -3,7 +3,7 @@ RELEASE=4.1
 PVESM_SOURCES=attributes.txt pvesm.adoc pvesm.1-synopsis.adoc $(shell ls pve-storage-*.adoc)
 PVEUM_SOURCES=attributes.txt pveum.adoc pveum.1-synopsis.adoc
 VZDUMP_SOURCES=attributes.txt vzdump.adoc vzdump.1-synopsis.adoc
-PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
+PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-vm-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
 QM_SOURCES=attributes.txt qm.adoc qm.1-synopsis.adoc
 PCT_SOURCES=attributes.txt pct.adoc pct.1-synopsis.adoc
 PVEAM_SOURCES=attributes.txt pveam.adoc pveam.1-synopsis.adoc
@ -87,6 +87,10 @@ pve-firewall-host-opts.adoc:
 	./gen-pve-firewall-host-opts.pl >$@.tmp
 	mv $@.tmp $@

+pve-firewall-vm-opts.adoc:
+	./gen-pve-firewall-vm-opts.pl >$@.tmp
+	mv $@.tmp $@
+
 pve-firewall-rules-opts.adoc:
 	./gen-pve-firewall-rules-opts-adoc.pl >$@.tmp
 	mv $@.tmp $@
--- a/gen-pve-firewall-vm-opts.pl
+++ b/gen-pve-firewall-vm-opts.pl
@ -0,0 +1,11 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use PVE::Firewall;
+use PVE::RESTHandler;
+
+my $prop = $PVE::Firewall::vm_option_properties;
+
+print PVE::RESTHandler::dump_properties($prop);
--- a/pve-firewall-vm-opts.adoc
+++ b/pve-firewall-vm-opts.adoc
@ -0,0 +1,44 @@
+`dhcp`: `boolean` ::
+
+Enable DHCP.
+
+`enable`: `boolean` ::
+
+Enable/disable firewall rules.
+
+`ipfilter`: `boolean` ::
+
+Enable default IP filters. This is equivalent to adding an empty
+ipfilter-net<id> ipset for every interface. Such ipsets implicitly contain
+sane default restrictions such as restricting IPv6 link local addresses to
+the one derived from the interface's MAC address. For containers the
+configured IP addresses will be implicitly added.
+
+`log_level_in`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for incoming traffic.
+
+`log_level_out`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for outgoing traffic.
+
+`macfilter`: `boolean` ::
+
+Enable/disable MAC address filter.
+
+`ndp`: `boolean` ::
+
+Enable NDP.
+
+`policy_in`: `(ACCEPT | DROP | REJECT)` ::
+
+Input policy.
+
+`policy_out`: `(ACCEPT | DROP | REJECT)` ::
+
+Output policy.
+
+`radv`: `boolean` ::
+
+Allow sending Router Advertisement.
+
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@ -151,10 +151,23 @@ VM firewall configuration is read from:

 and contains the following data:

-* IP set definitions
-* Alias definitions
-* Firewall rules for this VM
-* VM specific options
+'[OPTIONS]'::
+
+This is used to set VM/Container related firewall options.
+
+include::pve-firewall-vm-opts.adoc[]
+
+'[RULES]'::
+
+This sections contains VM/Container firewall rules.
+
+'[IPSET <name>]'::
+
+IP set definitions.
+
+'[ALIASES]'::
+
+IP Alias definitions.


 Enabling the Firewall for VMs and Containers