diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in index 93db5b00bf..7ea69b556f 100644 --- a/docs/formatnwfilter.html.in +++ b/docs/formatnwfilter.html.in @@ -61,14 +61,14 @@ the filter clean-traffic.

-  ...
-  <devices>
-    <interface type='bridge'>
-      <mac address='00:16:3e:5d:c7:9e'/>
-      <filterref filter='clean-traffic'/>
-    </interface>
-  </devices>
-  ...
+... +<devices> + <interface type='bridge'> + <mac address='00:16:3e:5d:c7:9e'/> + <filterref filter='clean-traffic'/> + </interface> +</devices> +...

Network filters are written in XML and may either contain references @@ -91,16 +91,16 @@ the parameter IP and a dotted IP address as value.

-  ...
-  <devices>
-    <interface type='bridge'>
-      <mac address='00:16:3e:5d:c7:9e'/>
-      <filterref filter='clean-traffic'>
-        <parameter name='IP' value='10.0.0.1'/>
-      </filterref>
-    </interface>
-  </devices>
-  ...
+... +<devices> + <interface type='bridge'> + <mac address='00:16:3e:5d:c7:9e'/> + <filterref filter='clean-traffic'> + <parameter name='IP' value='10.0.0.1'/> + </filterref> + </interface> +</devices> +...

In this particular example, the clean-traffic network @@ -285,18 +285,18 @@ providing multiple elements for the IP variable is:

-  ...
-  <devices>
-    <interface type='bridge'>
-      <mac address='00:16:3e:5d:c7:9e'/>
-      <filterref filter='clean-traffic'>
-        <parameter name='IP' value='10.0.0.1'/>
-        <parameter name='IP' value='10.0.0.2'/>
-        <parameter name='IP' value='10.0.0.3'/>
-      </filterref>
-    </interface>
-  </devices>
-  ...
+... +<devices> + <interface type='bridge'> + <mac address='00:16:3e:5d:c7:9e'/> + <filterref filter='clean-traffic'> + <parameter name='IP' value='10.0.0.1'/> + <parameter name='IP' value='10.0.0.2'/> + <parameter name='IP' value='10.0.0.3'/> + </filterref> + </interface> +</devices> +...

This then allows filters to enable multiple IP addresses per interface. Therefore, with the list @@ -304,11 +304,11 @@ individual filtering rules, one for each IP address.

-  ...
-  <rule action='accept' direction='in' priority='500'>
-    <tcp srpipaddr='$IP'/>
-  </rule>
-  ...
+...
+<rule action='accept' direction='in' priority='500'>
+  <tcp srpipaddr='$IP'/>
+</rule>
+...
 

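Review bot: the re-indented line `<tcp srpipaddr='$IP'/>` carries a typo in the attribute name; the nwfilter attribute is `srcipaddr`, as the later `<ip srcipaddr='$SRCIPADDRESSES[@1]' ...>` example in this same patch shows. Since this hunk already rewrites the line, fix it here as `<tcp srcipaddr='$IP'/>` rather than shipping the whitespace-only change and leaving readers to copy an attribute that will fail filter validation.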
Since 0.9.10 it is possible to access @@ -317,11 +317,11 @@ of the variable DSTPORTS.

-  ...
-  <rule action='accept' direction='in' priority='500'>
-    <udp dstportstart='$DSTPORTS[1]'/>
-  </rule>
-  ...
+...
+<rule action='accept' direction='in' priority='500'>
+  <udp dstportstart='$DSTPORTS[1]'/>
+</rule>
+...
 

Since 0.9.10 it is possible to create @@ -336,29 +336,29 @@ iterators to access their elements.

-  ...
-  <rule action='accept' direction='in' priority='500'>
-    <ip srcipaddr='$SRCIPADDRESSES[@1]' dstportstart='$DSTPORTS[@2]'/>
-  </rule>
-  ...
+...
+<rule action='accept' direction='in' priority='500'>
+  <ip srcipaddr='$SRCIPADDRESSES[@1]' dstportstart='$DSTPORTS[@2]'/>
+</rule>
+...
 

In an example we assign concrete values to SRCIPADDRESSES and DSTPORTS

-  SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ]
-  DSTPORTS = [ 80, 8080 ]
+SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ]
+DSTPORTS = [ 80, 8080 ]
 

Accessing the variables using $SRCIPADDRESSES[@1] and $DSTPORTS[@2] would then result in all combinations of addresses and ports being created:

-  10.0.0.1, 80
-  10.0.0.1, 8080
-  11.1.2.3, 80
-  11.1.2.3, 8080
+10.0.0.1, 80
+10.0.0.1, 8080
+11.1.2.3, 80
+11.1.2.3, 8080
 

Accessing the same variables using a single iterator, for example by using @@ -366,8 +366,8 @@ parallel access to both lists and result in the following combinations:

-  10.0.0.1, 80
-  11.1.2.3, 8080
+10.0.0.1, 80
+11.1.2.3, 8080
 

Further, the notation of $VARIABLE is short-hand for $VARIABLE[@0]. The @@ -440,12 +440,12 @@ using the DHCP snooping method:

-    <interface type='bridge'>
-      <source bridge='virbr0'/>
-      <filterref filter='clean-traffic'>
-        <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
-      </filterref>
-    </interface>
+<interface type='bridge'>
+  <source bridge='virbr0'/>
+  <filterref filter='clean-traffic'>
+    <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
+  </filterref>
+</interface>
 

Reserved Variables

@@ -658,10 +658,10 @@

 [...]
-  <rule action='drop' direction='in'>
-    <protocol match='no' attribute1='value1' attribute2='value2'/>
-    <protocol attribute3='value3'/>
-  </rule>
+<rule action='drop' direction='in'>
+  <protocol match='no' attribute1='value1' attribute2='value2'/>
+  <protocol attribute3='value3'/>
+</rule>
 [...]
 

@@ -1896,11 +1896,11 @@ turned off for incoming connections to TCP port 12345.

-   [...]
-    <rule direction='in' action='accept' statematch='false'>
-      <tcp dstportstart='12345'/>
-    </rule>
-   [...]
+[...]
+<rule direction='in' action='accept' statematch='false'>
+  <tcp dstportstart='12345'/>
+</rule>
+[...]
 

This now allows incoming traffic to TCP port 12345, but would also @@ -1918,26 +1918,26 @@ time, the following XML fragment can be used to achieve this.

-  [...]
-  <rule action='drop' direction='in' priority='400'>
-    <tcp connlimit-above='1'/>
-  </rule>
-  <rule action='accept' direction='in' priority='500'>
-    <tcp dstportstart='22'/>
-  </rule>
-  <rule action='drop' direction='out' priority='400'>
-    <icmp connlimit-above='1'/>
-  </rule>
-  <rule action='accept' direction='out' priority='500'>
-    <icmp/>
-  </rule>
-  <rule action='accept' direction='out' priority='500'>
-    <udp dstportstart='53'/>
-  </rule>
-  <rule action='drop' direction='inout' priority='1000'>
-    <all/>
-  </rule>
-  [...]
+[...]
+<rule action='drop' direction='in' priority='400'>
+  <tcp connlimit-above='1'/>
+</rule>
+<rule action='accept' direction='in' priority='500'>
+  <tcp dstportstart='22'/>
+</rule>
+<rule action='drop' direction='out' priority='400'>
+  <icmp connlimit-above='1'/>
+</rule>
+<rule action='accept' direction='out' priority='500'>
+  <icmp/>
+</rule>
+<rule action='accept' direction='out' priority='500'>
+  <udp dstportstart='53'/>
+</rule>
+<rule action='drop' direction='inout' priority='1000'>
+  <all/>
+</rule>
+[...]
 

Note that the rule for the limit has to logically appear @@ -1958,7 +1958,7 @@

-  echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout
+echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout
 

sets the ICMP connection tracking timeout to 3 seconds. The @@ -2201,12 +2201,12 @@ the domain XML of the test VM could then look like this:

-   [...]
-    <interface type='bridge'>
-      <source bridge='mybridge'/>
-      <filterref filter='test-eth0'/>
-    </interface>
-   [...]
+[...]
+<interface type='bridge'>
+  <source bridge='mybridge'/>
+  <filterref filter='test-eth0'/>
+</interface>
+[...]
 

@@ -2216,15 +2216,15 @@ ICMP rule can be replaced with the following two rules:

-  <!-- enable outgoing ICMP echo requests-->
-  <rule action='accept' direction='out'>
-    <icmp type='8'/>
-  </rule>
+<!-- enable outgoing ICMP echo requests-->
+<rule action='accept' direction='out'>
+  <icmp type='8'/>
+</rule>
 
-  <!-- enable incoming ICMP echo replies-->
-  <rule action='accept' direction='in'>
-    <icmp type='0'/>
-  </rule>
+<!-- enable incoming ICMP echo replies-->
+<rule action='accept' direction='in'>
+  <icmp type='0'/>
+</rule>
 

Second example custom filter

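Review bot: both XML comments in this hunk lack a space before the closing delimiter (`<!-- enable outgoing ICMP echo requests-->`, `<!-- enable incoming ICMP echo replies-->`); while the lines are being touched for indentation, make them `<!-- enable outgoing ICMP echo requests -->` and `<!-- enable incoming ICMP echo replies -->` to match the `<!-- ... -->` spacing used for the opening delimiter.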
@@ -2326,9 +2326,9 @@ the ftp connection with the VM is established.

-    modprobe nf_conntrack_ftp   # where available  or
+modprobe nf_conntrack_ftp   # where available  or
 
-    modprobe ip_conntrack_ftp   # if above is not available
+modprobe ip_conntrack_ftp   # if above is not available
 

If other protocols than ftp are to be used in conjunction with the
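Review bot: in the modprobe hunk the dangling `or` inside the shell comment (`# where available  or`) reads as part of the command line once the `<pre>` block is no longer indented; move the alternation into the surrounding prose and keep the two commands as plain `modprobe nf_conntrack_ftp   # where available` and `modprobe ip_conntrack_ftp   # if above is not available`, so the snippet can be pasted as-is.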