From d467144cf2c76b1740277de16b25ba63e1b33f6e Mon Sep 17 00:00:00 2001
From: Aleksandr Alekseev
Date: Thu, 22 Oct 2020 21:15:52 +0300
Subject: [PATCH] doc: document new filters and not documented ones
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Aleksandr Alekseev
Reviewed-by: Ján Tomko
Signed-off-by: Ján Tomko
---
 docs/firewall.html.in | 9 ++++++++
 docs/formatnwfilter.html.in | 41 ++++++++++++++++++++++++++++++++++---
 2 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/docs/firewall.html.in b/docs/firewall.html.in
index 62f37e0eea..15b4f397be 100644
--- a/docs/firewall.html.in
+++ b/docs/firewall.html.in
@@ -283,12 +283,21 @@ UUID Name
 15b1ab2b-b1ac-1be2-ed49-2042caba4abb allow-arp
 6c51a466-8d14-6d11-46b0-68b1a883d00f allow-dhcp
 7517ad6c-bd90-37c8-26c9-4eabcb69848d allow-dhcp-server
+7680776c-77aa-496f-90d6-13097664b925 allow-dhcpv6
+9cdaad60-7631-4172-8ccb-ef774be7485b allow-dhcpv6-server
 3d38b406-7cf0-8335-f5ff-4b9add35f288 allow-incoming-ipv4
+908543c1-902e-45f6-a6ca-1a0ad35e7599 allow-incoming-ipv6
 5ff06320-9228-2899-3db0-e32554933415 allow-ipv4
+ce8904cc-ad3a-4454-896c-53452882f817 allow-ipv6
 db0b1767-d62b-269b-ea96-0cc8b451144e clean-traffic
+6d6ddcc8-1242-4c43-ac63-63af80493132 clean-traffic-gateway
+4cf38077-c7d5-4e25-99bb-6c4c9efad294 no-arp-ip-spoofing
+0b11a636-ce58-497f-be90-17f63c92487a no-arp-mac-spoofing
 f88f1932-debf-4aa1-9fbe-f10d3aa4bc95 no-arp-spoofing
 772f112d-52e4-700c-0250-e178a3d91a7a no-ip-multicast
 7ee20370-8106-765d-f7ff-8a60d5aaf30b no-ip-spoofing
+f8a51c43-a08f-49b3-b9e2-393d54522dc0 no-ipv6-multicast
+a7f0afe9-a428-44b8-8566-c8ee2a669271 no-ipv6-spoofing
 d5d3c490-c2eb-68b1-24fc-3ee362fc8af3 no-mac-broadcast
 fb57c546-76dc-a372-513f-e8179011b48a no-mac-spoofing
 dba10ea7-446d-76de-346f-335bd99c1d05 no-other-l2-traffic
diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 796c16549d..04aeda06ec 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in @@ -467,8 +467,7 @@ DSTPORTS = [ 80, 8080 ] IPV6 - Not currently implemented: - the list of IPV6 addresses in use by an interface + The list of IPV6 addresses in use by an interface DHCPSERVER @@ -2011,11 +2010,35 @@ echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout only allows ARP request and reply messages and enforces that those packets contain the MAC and IP addresses of the VM. + + + allow-arp + Allow ARP traffic in both directions + + + allow-ipv4 + Allow IPv4 traffic in both directions + + + allow-ipv6 + Allow IPv6 traffic in both directions + + + allow-incoming-ipv4 + Allow incoming IPv4 traffic + + + allow-incoming-ipv6 + Allow incoming IPv6 traffic allow-dhcp Allow a VM to request an IP address via DHCP (from any DHCP server) + + + allow-dhcpv6 + Similar to allow-dhcp, but for DHCPv6 allow-dhcp-server @@ -2023,16 +2046,28 @@ echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout DHCP server. The dotted decimal IP address of the DHCP server must be provided in a reference to this filter. The name of the variable must be DHCPSERVER. + + + allow-dhcpv6-server + Similar to allow-dhcp-server, but for DHCPv6 no-ip-spoofing - Prevent a VM from sending of IP packets with + Prevent a VM from sending of IPv4 packets with a source IP address different from the one in the packet. + + + no-ipv6-spoofing + Similar to no-ip-spoofing, but for IPv6 no-ip-multicast Prevent a VM from sending IP multicast packets. + + + no-ipv6-multicast + Similar to no-ip-multicast, but for IPv6 clean-traffic