[PATCH 3/3] doc: document new filters and not documented ones
Aleksandr Alekseev
alexander.alekseev at virtuozzo.com
Thu Oct 22 18:15:52 UTC 2020
Signed-off-by: Aleksandr Alekseev <alexander.alekseev at virtuozzo.com>
---
docs/firewall.html.in | 9 ++++++++
docs/formatnwfilter.html.in | 41 ++++++++++++++++++++++++++++++++++---
2 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/docs/firewall.html.in b/docs/firewall.html.in
index 62f37e0eea..15b4f397be 100644
--- a/docs/firewall.html.in
+++ b/docs/firewall.html.in
@@ -283,12 +283,21 @@ UUID Name
15b1ab2b-b1ac-1be2-ed49-2042caba4abb allow-arp
6c51a466-8d14-6d11-46b0-68b1a883d00f allow-dhcp
7517ad6c-bd90-37c8-26c9-4eabcb69848d allow-dhcp-server
+7680776c-77aa-496f-90d6-13097664b925 allow-dhcpv6
+9cdaad60-7631-4172-8ccb-ef774be7485b allow-dhcpv6-server
3d38b406-7cf0-8335-f5ff-4b9add35f288 allow-incoming-ipv4
+908543c1-902e-45f6-a6ca-1a0ad35e7599 allow-incoming-ipv6
5ff06320-9228-2899-3db0-e32554933415 allow-ipv4
+ce8904cc-ad3a-4454-896c-53452882f817 allow-ipv6
db0b1767-d62b-269b-ea96-0cc8b451144e clean-traffic
+6d6ddcc8-1242-4c43-ac63-63af80493132 clean-traffic-gateway
+4cf38077-c7d5-4e25-99bb-6c4c9efad294 no-arp-ip-spoofing
+0b11a636-ce58-497f-be90-17f63c92487a no-arp-mac-spoofing
f88f1932-debf-4aa1-9fbe-f10d3aa4bc95 no-arp-spoofing
772f112d-52e4-700c-0250-e178a3d91a7a no-ip-multicast
7ee20370-8106-765d-f7ff-8a60d5aaf30b no-ip-spoofing
+f8a51c43-a08f-49b3-b9e2-393d54522dc0 no-ipv6-multicast
+a7f0afe9-a428-44b8-8566-c8ee2a669271 no-ipv6-spoofing
d5d3c490-c2eb-68b1-24fc-3ee362fc8af3 no-mac-broadcast
fb57c546-76dc-a372-513f-e8179011b48a no-mac-spoofing
dba10ea7-446d-76de-346f-335bd99c1d05 no-other-l2-traffic
diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 796c16549d..04aeda06ec 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -467,8 +467,7 @@ DSTPORTS = [ 80, 8080 ]
</tr>
<tr>
<td> IPV6 </td>
- <td> Not currently implemented:
- the list of IPV6 addresses in use by an interface </td>
+ <td> The list of IPV6 addresses in use by an interface </td>
</tr>
<tr>
<td> DHCPSERVER </td>
@@ -2011,11 +2010,35 @@ echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout
only allows ARP request and reply messages and enforces
that those packets contain the MAC and IP addresses
of the VM.</td>
+ </tr>
+ <tr>
+ <td> allow-arp </td>
+ <td> Allow ARP traffic in both directions</td>
+ </tr>
+ <tr>
+ <td> allow-ipv4 </td>
+ <td> Allow IPv4 traffic in both directions</td>
+ </tr>
+ <tr>
+ <td> allow-ipv6 </td>
+ <td> Allow IPv6 traffic in both directions</td>
+ </tr>
+ <tr>
+ <td> allow-incoming-ipv4 </td>
+ <td> Allow incoming IPv4 traffic</td>
+ </tr>
+ <tr>
+ <td> allow-incoming-ipv6 </td>
+ <td> Allow incoming IPv6 traffic</td>
</tr>
<tr>
<td> allow-dhcp </td>
<td> Allow a VM to request an IP address via DHCP (from any
DHCP server)</td>
+ </tr>
+ <tr>
+ <td> allow-dhcpv6 </td>
+ <td> Similar to allow-dhcp, but for DHCPv6 </td>
</tr>
<tr>
<td> allow-dhcp-server </td>
@@ -2023,16 +2046,28 @@ echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout
DHCP server. The dotted decimal IP address of the DHCP
server must be provided in a reference to this filter.
The name of the variable must be <i>DHCPSERVER</i>.</td>
+ </tr>
+ <tr>
+ <td> allow-dhcpv6-server </td>
+ <td> Similar to allow-dhcp-server, but for DHCPv6 </td>
</tr>
<tr>
<td> no-ip-spoofing </td>
- <td> Prevent a VM from sending of IP packets with
+ <td> Prevent a VM from sending of IPv4 packets with
a source IP address different from the one
in the packet. </td>
+ </tr>
+ <tr>
+ <td> no-ipv6-spoofing </td>
+ <td> Similar to no-ip-spoofing, but for IPv6 </td>
</tr>
<tr>
<td> no-ip-multicast </td>
<td> Prevent a VM from sending IP multicast packets. </td>
+ </tr>
+ <tr>
+ <td> no-ipv6-multicast </td>
+ <td> Similar to no-ip-multicast, but for IPv6 </td>
</tr>
<tr>
<td> clean-traffic </td>
--
2.28.0.97.gdc04167d37
More information about the libvir-list
mailing list