docs: correct invalid xml

* docs/internals.html.in: Fix xml errors.
* docs/formatstorageencryption.html.in: Likewise.
* docs/drvesx.html.in: Likewise.
* docs/archnetwork.html.in: Likewise.
* docs/logging.html.in: Likewise.
* docs/drvvmware.html.in: Likewise.
* docs/api.html.in: Likewise.
* docs/formatnwfilter.html.in: Likewise.
* docs/formatdomain.html.in: Likewise.
* docs/windows.html.in: Likewise.
This commit is contained in:
Eric Blake 2011-04-01 16:02:10 -06:00
parent da3c471467
commit b5ec89d955
10 changed files with 83 additions and 80 deletions

View File

@ -4,7 +4,7 @@
<h1>The libvirt API concepts</h1> <h1>The libvirt API concepts</h1>
<p> This page describes the main principles and architecture choices <p> This page describes the main principles and architecture choices
behind the definition of the libvirt API: behind the definition of the libvirt API:</p>
<ul id="toc"></ul> <ul id="toc"></ul>
@ -22,7 +22,7 @@
possible to use both KVM and LinuxContainers on the same node). A NULL possible to use both KVM and LinuxContainers on the same node). A NULL
name will default to a preselected hypervisor but it's probably not a name will default to a preselected hypervisor but it's probably not a
wise thing to do in most cases. See the <a href="uri.html">connection wise thing to do in most cases. See the <a href="uri.html">connection
URI</a> page for a full descriptions of the values allowed.<p> URI</a> page for a full descriptions of the values allowed.</p>
<p> Once the application obtained a <code class='docref'>virConnectPtr</code> <p> Once the application obtained a <code class='docref'>virConnectPtr</code>
connection to the connection to the
hypervisor it can then use it to manage domains and related resources hypervisor it can then use it to manage domains and related resources
@ -61,7 +61,7 @@
<code>defined</code> in which case they are inactive but there is <code>defined</code> in which case they are inactive but there is
a permanent definition available in the system for them. Based on this a permanent definition available in the system for them. Based on this
thay can be activated dynamically in order to be used.</p> thay can be activated dynamically in order to be used.</p>
<p> Most kind of object can also be named in various ways:<p> <p> Most kind of object can also be named in various ways:</p>
<ul> <ul>
<li>by their <code>name</code>, an user friendly identifier but <li>by their <code>name</code>, an user friendly identifier but
whose unicity cannot be garanteed between two nodes.</li> whose unicity cannot be garanteed between two nodes.</li>
@ -82,7 +82,7 @@
<p> For each first class object you will find apis <p> For each first class object you will find apis
for the following actions:</p> for the following actions:</p>
<ul> <ul>
<li><b>Lookup</b>:...LookupByName, <li><b>Lookup</b>:...LookupByName,</li>
<li><b>Enumeration</b>:virConnectList... and virConnectNumOf...: <li><b>Enumeration</b>:virConnectList... and virConnectNumOf...:
those are used to enumerate a set of object available to an given those are used to enumerate a set of object available to an given
hypervisor connection like: hypervisor connection like:
@ -108,7 +108,8 @@
<li><b>Destruction</b>: ... </li> <li><b>Destruction</b>: ... </li>
</ul> </ul>
<p> For more in-depth details of the storage related APIs see <p> For more in-depth details of the storage related APIs see
<a href="storage.html">the storage management page</a>, <a href="storage.html">the storage management page</a>.
</p>
<h2><a name="Driver">The libvirt drivers</a></h2> <h2><a name="Driver">The libvirt drivers</a></h2>
<p></p> <p></p>
<p class="image"> <p class="image">

View File

@ -32,7 +32,7 @@
</li> </li>
<li><strong>Guest C</strong>. The only network interface is connected <li><strong>Guest C</strong>. The only network interface is connected
to a virtual network <code>VLAN 2</code>. It has no direct connectivity to a virtual network <code>VLAN 2</code>. It has no direct connectivity
to a physical LAN, relying on <code>Guest B</codE> to route traffic to a physical LAN, relying on <code>Guest B</code> to route traffic
on its behalf. on its behalf.
</li> </li>
</ul> </ul>

View File

@ -74,7 +74,7 @@ vpx://example-vcenter.com/dc1/cluster1/example-esx.com
</pre> </pre>
<h4><a name="extraparams">Extra parameters</h4> <h4><a name="extraparams">Extra parameters</a></h4>
<p> <p>
Extra parameters can be added to a URI as part of the query string Extra parameters can be added to a URI as part of the query string
(the part following <code>?</code>). A single parameter is formed by a (the part following <code>?</code>). A single parameter is formed by a
@ -308,7 +308,7 @@ error: invalid argument in libvirt was built without the 'esx' driver
There are several specialties in the domain XML config for ESX domains. There are several specialties in the domain XML config for ESX domains.
</p> </p>
<h3><a name="restrictions">Restrictions</h3> <h3><a name="restrictions">Restrictions</a></h3>
<p> <p>
There are some restrictions for some values of the domain XML config. There are some restrictions for some values of the domain XML config.
The driver will complain if this restrictions are violated. The driver will complain if this restrictions are violated.
@ -328,7 +328,7 @@ error: invalid argument in libvirt was built without the 'esx' driver
</ul> </ul>
<h3><a name="datastore">Datastore references</h3> <h3><a name="datastore">Datastore references</a></h3>
<p> <p>
Storage is managed in datastores. VMware uses a special path format to Storage is managed in datastores. VMware uses a special path format to
reference files in a datastore. Basically, the datastore name is put reference files in a datastore. Basically, the datastore name is put
@ -347,7 +347,7 @@ error: invalid argument in libvirt was built without the 'esx' driver
</p> </p>
<h3><a name="macaddresses">MAC addresses</h3> <h3><a name="macaddresses">MAC addresses</a></h3>
<p> <p>
VMware has registered two MAC address prefixes for domains: VMware has registered two MAC address prefixes for domains:
<code>00:0c:29</code> and <code>00:50:56</code>. These prefixes are <code>00:0c:29</code> and <code>00:50:56</code>. These prefixes are
@ -408,7 +408,7 @@ ethernet0.checkMACAddress = "false"
</pre> </pre>
<h3><a name="hardware">Available hardware</h3> <h3><a name="hardware">Available hardware</a></h3>
<p> <p>
VMware ESX supports different models of SCSI controllers and network VMware ESX supports different models of SCSI controllers and network
cards. cards.

View File

@ -8,7 +8,9 @@
</p> </p>
<p> <p>
This driver uses the "vmrun" utility which is distributed with the VMware VIX API. This driver uses the "vmrun" utility which is distributed with the VMware VIX API.
You can download the VIX API from <a href="http://www.vmware.com/support/developer/vix-api/">here</a>. You can download the VIX API
from <a href="http://www.vmware.com/support/developer/vix-api/">here</a>.
</p>
<h2>Connections to VMware driver</h2> <h2>Connections to VMware driver</h2>

View File

@ -1277,7 +1277,7 @@
<p> <p>
Provides direct attachment of the virtual machine's NIC to the given Provides direct attachment of the virtual machine's NIC to the given
physial interface of the host. physial interface of the host.
<span class="since">Since 0.7.7 (QEMU and KVM only)</span><br> <span class="since">Since 0.7.7 (QEMU and KVM only)</span><br/>
This setup requires the Linux macvtap This setup requires the Linux macvtap
driver to be available. <span class="since">(Since Linux 2.6.34.)</span> driver to be available. <span class="since">(Since Linux 2.6.34.)</span>
One of the modes 'vepa' One of the modes 'vepa'
@ -1299,7 +1299,7 @@
originate from are directly delivered to the target macvtap device. originate from are directly delivered to the target macvtap device.
Both origin and destination devices need to be in bridge mode Both origin and destination devices need to be in bridge mode
for direct delivery. If either one of them is in <code>vepa</code> mode, for direct delivery. If either one of them is in <code>vepa</code> mode,
a VEPA capable bridge is required. a VEPA capable bridge is required.</dd>
<dt><code>private</code></dt> <dt><code>private</code></dt>
<dd>All packets are sent to the external bridge and will only be <dd>All packets are sent to the external bridge and will only be
delivered to a target VM on the same host if they are sent through an delivered to a target VM on the same host if they are sent through an
@ -1488,23 +1488,23 @@ qemu-kvm -net nic,model=? /dev/null
The <code>txmode</code> attribute specifies how to handle The <code>txmode</code> attribute specifies how to handle
transmission of packets when the transmit buffer is full. The transmission of packets when the transmit buffer is full. The
value can be either 'iothread' or 'timer'. value can be either 'iothread' or 'timer'.
<span class="since">Since 0.8.8 (QEMU and KVM only)</span><br><br> <span class="since">Since 0.8.8 (QEMU and KVM only)</span><br/><br/>
If set to 'iothread', packet tx is all done in an iothread in If set to 'iothread', packet tx is all done in an iothread in
the bottom half of the driver (this option translates into the bottom half of the driver (this option translates into
adding "tx=bh" to the qemu commandline -device virtio-net-pci adding "tx=bh" to the qemu commandline -device virtio-net-pci
option).<br><br> option).<br/><br/>
If set to 'timer', tx work is done in qemu, and if there is If set to 'timer', tx work is done in qemu, and if there is
more tx data than can be sent at the present time, a timer is more tx data than can be sent at the present time, a timer is
set before qemu moves on to do other things; when the timer set before qemu moves on to do other things; when the timer
fires, another attempt is made to send more data.<br><br> fires, another attempt is made to send more data.<br/><br/>
The resulting difference, according to the qemu developer who The resulting difference, according to the qemu developer who
added the option is: "bh makes tx more asynchronous and reduces added the option is: "bh makes tx more asynchronous and reduces
latency, but potentially causes more processor bandwidth latency, but potentially causes more processor bandwidth
contention since the cpu doing the tx isn't necessarily the contention since the cpu doing the tx isn't necessarily the
cpu where the guest generated the packets."<br><br> cpu where the guest generated the packets."<br/><br/>
<b>In general you should leave this option alone, unless you <b>In general you should leave this option alone, unless you
are very certain you know what you are doing.</b> are very certain you know what you are doing.</b>
@ -1628,8 +1628,8 @@ qemu-kvm -net nic,model=? /dev/null
in clear text. The <code>keymap</code> attribute specifies the keymap in clear text. The <code>keymap</code> attribute specifies the keymap
to use. It is possible to set a limit on the validity of the password to use. It is possible to set a limit on the validity of the password
be giving an timestamp <code>passwdValidTo='2010-04-09T15:51:00'</code> be giving an timestamp <code>passwdValidTo='2010-04-09T15:51:00'</code>
assumed to be in UTC. NB, this may not be supported by all hypervisors.<br> assumed to be in UTC. NB, this may not be supported by all hypervisors.<br/>
<br> <br/>
Rather than using listen/port, QEMU supports a <code>socket</code> Rather than using listen/port, QEMU supports a <code>socket</code>
attribute for listening on a unix domain socket path. attribute for listening on a unix domain socket path.
<span class="since">Since 0.8.8</span> <span class="since">Since 0.8.8</span>
@ -2103,7 +2103,7 @@ qemu-kvm -net nic,model=? /dev/null
Alternatively you can use <code>telnet</code> instead of <code>raw</code> TCP. Alternatively you can use <code>telnet</code> instead of <code>raw</code> TCP.
<span class="since">Since 0.8.5</span> you can also use <code>telnets</code> <span class="since">Since 0.8.5</span> you can also use <code>telnets</code>
(secure telnet) and <code>tls</code>. (secure telnet) and <code>tls</code>.
<p> </p>
<pre> <pre>
... ...

View File

@ -25,18 +25,18 @@
cannot be circumvented from within cannot be circumvented from within
the virtual machine, it makes them mandatory from the point of the virtual machine, it makes them mandatory from the point of
view of a virtual machine user. view of a virtual machine user.
<br><br> <br/><br/>
The network filter subsystem allows each virtual machine's network The network filter subsystem allows each virtual machine's network
traffic filtering rules to be configured individually on a per traffic filtering rules to be configured individually on a per
interface basis. The rules are interface basis. The rules are
applied on the host when the virtual machine is started and can be modified applied on the host when the virtual machine is started and can be modified
while the virtual machine is running. The latter can be achieved by while the virtual machine is running. The latter can be achieved by
modifying the XML description of a network filter. modifying the XML description of a network filter.
<br><br> <br/><br/>
Multiple virtual machines can make use of the same generic network filter. Multiple virtual machines can make use of the same generic network filter.
When such a filter is modified, the network traffic filtering rules When such a filter is modified, the network traffic filtering rules
of all running virtual machines that reference this filter are updated. of all running virtual machines that reference this filter are updated.
<br><br> <br/><br/>
Network filtering support is available <span class="since">since 0.8.1 Network filtering support is available <span class="since">since 0.8.1
(Qemu, KVM)</span> (Qemu, KVM)</span>
</p> </p>
@ -79,7 +79,7 @@
other filters can be used, a <i>tree</i> of filters can be built. other filters can be used, a <i>tree</i> of filters can be built.
The <code>clean-traffic</code> filter can be viewed using the The <code>clean-traffic</code> filter can be viewed using the
command <code>virsh nwfilter-dumpxml clean-traffic</code>. command <code>virsh nwfilter-dumpxml clean-traffic</code>.
<br><br> <br/><br/>
As previously mentioned, a single network filter can be referenced As previously mentioned, a single network filter can be referenced
by multiple virtual machines. Since interfaces will typically by multiple virtual machines. Since interfaces will typically
have individual parameters associated with their respective traffic have individual parameters associated with their respective traffic
@ -108,7 +108,7 @@
10.0.0.1 and enforce that the traffic from this interface will 10.0.0.1 and enforce that the traffic from this interface will
always be using 10.0.0.1 as the source IP address, which is always be using 10.0.0.1 as the source IP address, which is
one of the purposes of this particular filter. one of the purposes of this particular filter.
<br><br> <br/><br/>
</p> </p>
<h3><a name="nwfconceptsvars">Usage of variables in filters</a></h3> <h3><a name="nwfconceptsvars">Usage of variables in filters</a></h3>
@ -117,7 +117,7 @@
Two variables names have so far been reserved for usage by the Two variables names have so far been reserved for usage by the
network traffic filtering subsystem: <code>MAC</code> and network traffic filtering subsystem: <code>MAC</code> and
<code>IP</code>. <code>IP</code>.
<br><br> <br/><br/>
<code>MAC</code> is the MAC address of the <code>MAC</code> is the MAC address of the
network interface. A filtering rule that references this variable network interface. A filtering rule that references this variable
will automatically be instantiated with the MAC address of the will automatically be instantiated with the MAC address of the
@ -125,7 +125,7 @@
the MAC parameter. Even though it is possible to specify the MAC the MAC parameter. Even though it is possible to specify the MAC
parameter similar to the IP parameter above, it is discouraged parameter similar to the IP parameter above, it is discouraged
since libvirt knows what MAC address an interface will be using. since libvirt knows what MAC address an interface will be using.
<br><br> <br/><br/>
The parameter <code>IP</code> represents the IP address The parameter <code>IP</code> represents the IP address
that the operating system inside the virtual machine is expected that the operating system inside the virtual machine is expected
to use on the given interface. The <code>IP</code> parameter to use on the given interface. The <code>IP</code> parameter
@ -136,7 +136,7 @@
For current limitations on IP address detection, consult the For current limitations on IP address detection, consult the
<a href="#nwflimits">section on limitations</a> on how to use this <a href="#nwflimits">section on limitations</a> on how to use this
feature and what to expect when using it. feature and what to expect when using it.
<br><br> <br/><br/>
The following is the XML description of the network filer The following is the XML description of the network filer
<code>no-arp-spoofing</code>. It serves as an example for <code>no-arp-spoofing</code>. It serves as an example for
a network filter XML referencing the <code>MAC</code> and a network filter XML referencing the <code>MAC</code> and
@ -205,7 +205,7 @@
filters may be referenced multiple times in a filter tree but filters may be referenced multiple times in a filter tree but
references between filters must not introduce loops (directed references between filters must not introduce loops (directed
acyclic graph). acyclic graph).
<br><br> <br/><br/>
The following shows the XML of the <code>clean-traffic</code> The following shows the XML of the <code>clean-traffic</code>
network filter referencing several other filters. network filter referencing several other filters.
</p> </p>
@ -226,7 +226,7 @@
needs to be provided inside a <code>filter</code> node. This needs to be provided inside a <code>filter</code> node. This
node must have the attribute <code>filter</code> whose value contains node must have the attribute <code>filter</code> whose value contains
the name of the filter to be referenced. the name of the filter to be referenced.
<br><br> <br/><br/>
New network filters can be defined at any time and New network filters can be defined at any time and
may contain references to network filters that are may contain references to network filters that are
not known to libvirt, yet. However, once a virtual machine not known to libvirt, yet. However, once a virtual machine
@ -282,7 +282,7 @@
<li> <li>
statematch -- optional; possible values are '0' or 'false' to statematch -- optional; possible values are '0' or 'false' to
turn the underlying connection state matching off; default is 'true' turn the underlying connection state matching off; default is 'true'
<br> <br/>
Also read the section on <a href="#nwfelemsRulesAdv">advanced configuration</a> Also read the section on <a href="#nwfelemsRulesAdv">advanced configuration</a>
topics. topics.
</li> </li>
@ -294,7 +294,7 @@
traffic of type <code>ip</code> is also associated with the chain traffic of type <code>ip</code> is also associated with the chain
'ipv4' then that filter's rules will be ordered relative to the priority 'ipv4' then that filter's rules will be ordered relative to the priority
500 of the shown rule. 500 of the shown rule.
<br><br> <br/><br/>
A rule may contain a single rule for filtering of traffic. The A rule may contain a single rule for filtering of traffic. The
above example shows that traffic of type <code>ip</code> is to be above example shows that traffic of type <code>ip</code> is to be
filtered. filtered.
@ -325,7 +325,7 @@
<li>STRING: A string</li> <li>STRING: A string</li>
</ul> </ul>
<p> <p>
<br><br> <br/><br/>
Every attribute except for those of type IP_MASK or IPV6_MASK can Every attribute except for those of type IP_MASK or IPV6_MASK can
be negated using the <code>match</code> be negated using the <code>match</code>
attribute with value <code>no</code>. Multiple negated attributes attribute with value <code>no</code>. Multiple negated attributes
@ -349,14 +349,14 @@
the protocol property attribute1 does not match value1 AND the protocol property attribute1 does not match value1 AND
the protocol property attribute2 does not match value2 AND the protocol property attribute2 does not match value2 AND
the protocol property attribute3 matches value3. the protocol property attribute3 matches value3.
<br><br> <br/><br/>
</p> </p>
<h5><a name="nwfelemsRulesProtoMAC">MAC (Ethernet)</a></h5> <h5><a name="nwfelemsRulesProtoMAC">MAC (Ethernet)</a></h5>
<p> <p>
Protocol ID: <code>mac</code> Protocol ID: <code>mac</code>
<br> <br/>
Note: Rules of this type should go into the <code>root</code> chain. Note: Rules of this type should go into the <code>root</code> chain.
</p> </p>
<table class="top_table"> <table class="top_table">
@ -408,7 +408,7 @@
<h5><a name="nwfelemsRulesProtoARP">ARP/RARP</a></h5> <h5><a name="nwfelemsRulesProtoARP">ARP/RARP</a></h5>
<p> <p>
Protocol ID: <code>arp</code> or <code>rarp</code> Protocol ID: <code>arp</code> or <code>rarp</code>
<br> <br/>
Note: Rules of this type should either go into the Note: Rules of this type should either go into the
<code>root</code> or <code>arp/rarp</code> chain. <code>root</code> or <code>arp/rarp</code> chain.
</p> </p>
@ -483,7 +483,7 @@
Valid strings for the <code>Opcode</code> field are: Valid strings for the <code>Opcode</code> field are:
Request, Reply, Request_Reverse, Reply_Reverse, DRARP_Request, Request, Reply, Request_Reverse, Reply_Reverse, DRARP_Request,
DRARP_Reply, DRARP_Error, InARP_Request, ARP_NAK DRARP_Reply, DRARP_Error, InARP_Request, ARP_NAK
<br><br> <br/><br/>
</p> </p>
<h5><a name="nwfelemsRulesProtoIP">IPv4</a></h5> <h5><a name="nwfelemsRulesProtoIP">IPv4</a></h5>
@ -572,7 +572,7 @@
<p> <p>
Valid strings for <code>protocol</code> are: Valid strings for <code>protocol</code> are:
tcp, udp, udplite, esp, ah, icmp, igmp, sctp tcp, udp, udplite, esp, ah, icmp, igmp, sctp
<br><br> <br/><br/>
</p> </p>
@ -662,13 +662,13 @@
<p> <p>
Valid strings for <code>protocol</code> are: Valid strings for <code>protocol</code> are:
tcp, udp, udplite, esp, ah, icmpv6, sctp tcp, udp, udplite, esp, ah, icmpv6, sctp
<br><br> <br/><br/>
</p> </p>
<h5><a name="nwfelemsRulesProtoTCP-ipv4">TCP/UDP/SCTP</a></h5> <h5><a name="nwfelemsRulesProtoTCP-ipv4">TCP/UDP/SCTP</a></h5>
<p> <p>
Protocol ID: <code>tcp</code>, <code>udp</code>, <code>sctp</code> Protocol ID: <code>tcp</code>, <code>udp</code>, <code>sctp</code>
<br> <br/>
Note: The chain parameter is ignored for this type of traffic Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>. and should either be omitted or set to <code>root</code>.
</p> </p>
@ -757,14 +757,14 @@
</tr> </tr>
</table> </table>
<p> <p>
<br><br> <br/><br/>
</p> </p>
<h5><a name="nwfelemsRulesProtoICMP">ICMP</a></h5> <h5><a name="nwfelemsRulesProtoICMP">ICMP</a></h5>
<p> <p>
Protocol ID: <code>icmp</code> Protocol ID: <code>icmp</code>
<br> <br/>
Note: The chain parameter is ignored for this type of traffic Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>. and should either be omitted or set to <code>root</code>.
</p> </p>
@ -857,13 +857,13 @@
</tr> </tr>
</table> </table>
<p> <p>
<br><br> <br/><br/>
</p> </p>
<h5><a name="nwfelemsRulesProtoMisc">IGMP, ESP, AH, UDPLITE, 'ALL'</a></h5> <h5><a name="nwfelemsRulesProtoMisc">IGMP, ESP, AH, UDPLITE, 'ALL'</a></h5>
<p> <p>
Protocol ID: <code>igmp</code>, <code>esp</code>, <code>ah</code>, <code>udplite</code>, <code>all</code> Protocol ID: <code>igmp</code>, <code>esp</code>, <code>ah</code>, <code>udplite</code>, <code>all</code>
<br> <br/>
Note: The chain parameter is ignored for this type of traffic Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>. and should either be omitted or set to <code>root</code>.
</p> </p>
@ -946,14 +946,14 @@
</tr> </tr>
</table> </table>
<p> <p>
<br><br> <br/><br/>
</p> </p>
<h5><a name="nwfelemsRulesProtoTCP-ipv6">TCP/UDP/SCTP over IPV6</a></h5> <h5><a name="nwfelemsRulesProtoTCP-ipv6">TCP/UDP/SCTP over IPV6</a></h5>
<p> <p>
Protocol ID: <code>tcp-ipv6</code>, <code>udp-ipv6</code>, <code>sctp-ipv6</code> Protocol ID: <code>tcp-ipv6</code>, <code>udp-ipv6</code>, <code>sctp-ipv6</code>
<br> <br/>
Note: The chain parameter is ignored for this type of traffic Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>. and should either be omitted or set to <code>root</code>.
</p> </p>
@ -1042,14 +1042,14 @@
</tr> </tr>
</table> </table>
<p> <p>
<br><br> <br/><br/>
</p> </p>
<h5><a name="nwfelemsRulesProtoICMPv6">ICMPv6</a></h5> <h5><a name="nwfelemsRulesProtoICMPv6">ICMPv6</a></h5>
<p> <p>
Protocol ID: <code>icmpv6</code> Protocol ID: <code>icmpv6</code>
<br> <br/>
Note: The chain parameter is ignored for this type of traffic Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>. and should either be omitted or set to <code>root</code>.
</p> </p>
@ -1128,13 +1128,13 @@
</tr> </tr>
</table> </table>
<p> <p>
<br><br> <br/><br/>
</p> </p>
<h5><a name="nwfelemsRulesProtoMiscv6">IGMP, ESP, AH, UDPLITE, 'ALL' over IPv6</a></h5> <h5><a name="nwfelemsRulesProtoMiscv6">IGMP, ESP, AH, UDPLITE, 'ALL' over IPv6</a></h5>
<p> <p>
Protocol ID: <code>igmp-ipv6</code>, <code>esp-ipv6</code>, <code>ah-ipv6</code>, <code>udplite-ipv6</code>, <code>all-ipv6</code> Protocol ID: <code>igmp-ipv6</code>, <code>esp-ipv6</code>, <code>ah-ipv6</code>, <code>udplite-ipv6</code>, <code>all-ipv6</code>
<br> <br/>
Note: The chain parameter is ignored for this type of traffic Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>. and should either be omitted or set to <code>root</code>.
</p> </p>
@ -1202,7 +1202,7 @@
</tr> </tr>
</table> </table>
<p> <p>
<br><br> <br/><br/>
</p> </p>
<h3><a name="nwfelemsRulesAdv">Advanced Filter Configuration Topics</a></h3> <h3><a name="nwfelemsRulesAdv">Advanced Filter Configuration Topics</a></h3>
@ -1227,7 +1227,7 @@
port 80 on an attacker site, then the attacker will not be able to port 80 on an attacker site, then the attacker will not be able to
initiate a connection from TCP port 80 back towards the VM. initiate a connection from TCP port 80 back towards the VM.
By default the connection state match that enables connection tracking By default the connection state match that enables connection tracking
and then enforcement of directionality of traffic is turned on. <br> and then enforcement of directionality of traffic is turned on. <br/>
The following shows an example XML fragement where this feature has been The following shows an example XML fragement where this feature has been
turned off for incoming connections to TCP port 12345. turned off for incoming connections to TCP port 12345.
</p> </p>
@ -1277,14 +1277,14 @@
</pre> </pre>
<p> <p>
Note that the rule for the limit has to logically appear Note that the rule for the limit has to logically appear
before the rule for accepting the traffic.<br> before the rule for accepting the traffic.<br/>
An additional rule for letting DNS traffic to port 22 An additional rule for letting DNS traffic to port 22
go out the VM has been added to avoid ssh sessions not go out the VM has been added to avoid ssh sessions not
getting established for reasons related to DNS lookup failures getting established for reasons related to DNS lookup failures
by the ssh daemon. Leaving this rule out may otherwise lead to by the ssh daemon. Leaving this rule out may otherwise lead to
fun-filled debugging joy (symptom: ssh client seems to hang fun-filled debugging joy (symptom: ssh client seems to hang
while trying to connect). while trying to connect).
<br><br> <br/><br/>
Lot of care must be taken with timeouts related Lot of care must be taken with timeouts related
to tracking of traffic. An ICMP ping that to tracking of traffic. An ICMP ping that
the user may have terminated inside the VM may have a long the user may have terminated inside the VM may have a long
@ -1299,7 +1299,7 @@
<p> <p>
sets the ICMP connection tracking timeout to 3 seconds. The sets the ICMP connection tracking timeout to 3 seconds. The
effect of this is that once one ping is terminated, another effect of this is that once one ping is terminated, another
one can start after 3 seconds.<br> one can start after 3 seconds.<br/>
Further, we want to point out that a client that for whatever Further, we want to point out that a client that for whatever
reason has not properly closed a TCP connection may cause a reason has not properly closed a TCP connection may cause a
connection to be held open for a longer period of time, connection to be held open for a longer period of time,
@ -1323,7 +1323,7 @@
with life-cycle support for network filters. All commands related with life-cycle support for network filters. All commands related
to the network filtering subsystem start with the prefix to the network filtering subsystem start with the prefix
<code>nwfilter</code>. The following commands are available: <code>nwfilter</code>. The following commands are available:
<p> </p>
<ul> <ul>
<li>nwfilter-list : list UUIDs and names of all network filters</li> <li>nwfilter-list : list UUIDs and names of all network filters</li>
<li>nwfilter-define : define a new network filter or update an existing one</li> <li>nwfilter-define : define a new network filter or update an existing one</li>
@ -1398,7 +1398,7 @@
the protocols very well that you want to be filtering on so that the protocols very well that you want to be filtering on so that
no further traffic than what you want can pass and that in fact the no further traffic than what you want can pass and that in fact the
traffic you want to allow does pass. traffic you want to allow does pass.
<br><br> <br/><br/>
The network filtering subsystem is currently only available on The network filtering subsystem is currently only available on
Linux hosts and only works for Qemu and KVM type of virtual machines. Linux hosts and only works for Qemu and KVM type of virtual machines.
On Linux On Linux
@ -1412,19 +1412,19 @@
<li>arp, rarp</li> <li>arp, rarp</li>
<li>ip</li> <li>ip</li>
<li>ipv6</li> <li>ipv6</li>
</uL> </ul>
<p> <p>
All other protocols over IPv4 are supported using iptables, those over All other protocols over IPv4 are supported using iptables, those over
IPv6 are implemented using ip6tables. IPv6 are implemented using ip6tables.
<br><br> <br/><br/>
On a Linux host, all traffic filtering instantiated by libvirt's network On a Linux host, all traffic filtering instantiated by libvirt's network
filter subsystem first passes through the filtering support implemented filter subsystem first passes through the filtering support implemented
by ebtables and only then through iptables or ip6tables filters. If by ebtables and only then through iptables or ip6tables filters. If
a filter tree has rules with the protocols <code>mac</code>, a filter tree has rules with the protocols <code>mac</code>,
<code>arp</code>, <code>rarp</code>, <code>ip</code>, or <code>ipv6</code> <code>arp</code>, <code>rarp</code>, <code>ip</code>, or <code>ipv6</code>
ebtables rules will automatically be instantiated. ebtables rules will automatically be instantiated.
<br> <br/>
The role of the <code>chain</code> attribute in the network filter The role of the <code>chain</code> attribute in the network filter
XML is that internally a new user-defined ebtables table is created XML is that internally a new user-defined ebtables table is created
that then for example receives all <code>arp</code> traffic coming that then for example receives all <code>arp</code> traffic coming
@ -1435,7 +1435,7 @@
placed into filters specifying this chain. This type of branching placed into filters specifying this chain. This type of branching
into user-defined tables is only supported with filtering on the ebtables into user-defined tables is only supported with filtering on the ebtables
layer. layer.
<br> <br/>
As an example, it is As an example, it is
possible to filter on UDP traffic by source and destination ports using possible to filter on UDP traffic by source and destination ports using
the <code>ip</code> protocol filter and specifying attributes for the the <code>ip</code> protocol filter and specifying attributes for the
@ -1467,7 +1467,7 @@
The requirement to prevent spoofing is fulfilled by the existing The requirement to prevent spoofing is fulfilled by the existing
<code>clean-traffic</code> network filter, thus we will reference this <code>clean-traffic</code> network filter, thus we will reference this
filter from our custom filter. filter from our custom filter.
<br> <br/>
To enable traffic for TCP ports 22 and 80 we will add 2 rules to To enable traffic for TCP ports 22 and 80 we will add 2 rules to
enable this type of traffic. To allow the VM to send ping traffic enable this type of traffic. To allow the VM to send ping traffic
we will add a rule for ICMP traffic. For simplicity reasons we will add a rule for ICMP traffic. For simplicity reasons
@ -1523,7 +1523,7 @@
per-interface basis and the rules are evaluated based on the knowledge per-interface basis and the rules are evaluated based on the knowledge
about which (tap) interface has sent or will receive the packet rather about which (tap) interface has sent or will receive the packet rather
than what their source or destination IP address may be. than what their source or destination IP address may be.
<br><br> <br/><br/>
An XML fragment for a possible network interface description inside An XML fragment for a possible network interface description inside
the domain XML of the <code>test</code> VM could then look like this: the domain XML of the <code>test</code> VM could then look like this:
</p> </p>
@ -1568,7 +1568,7 @@
<li>allows the VM to send ping traffic from an interface <li>allows the VM to send ping traffic from an interface
but not let the VM be pinged on the interface</li> but not let the VM be pinged on the interface</li>
<li>allows the VM to do DNS lookups (UDP towards port 53)</li> <li>allows the VM to do DNS lookups (UDP towards port 53)</li>
<li>enable an ftp server (in active mode) to be run inside the VM <li>enable an ftp server (in active mode) to be run inside the VM</li>
</ul> </ul>
<p> <p>
The additional requirement of allowing an ftp server to be run inside The additional requirement of allowing an ftp server to be run inside
@ -1577,7 +1577,7 @@
outgoing tcp connection originating from the VM's TCP port 20 back to outgoing tcp connection originating from the VM's TCP port 20 back to
the ftp client (ftp active mode). There are several ways of how this the ftp client (ftp active mode). There are several ways of how this
filter can be written and we present 2 solutions. filter can be written and we present 2 solutions.
<br><br> <br/><br/>
The 1st solution makes use of the <code>state</code> attribute of The 1st solution makes use of the <code>state</code> attribute of
the TCP protocol that gives us a hook into the connection tracking the TCP protocol that gives us a hook into the connection tracking
framework of the Linux host. For the VM-initiated ftp data connection framework of the Linux host. For the VM-initiated ftp data connection
@ -1752,13 +1752,13 @@
to be using. to be using.
Different IP addresses in use by multiple interfaces of a VM Different IP addresses in use by multiple interfaces of a VM
(one IP address each) will be independently detected. (one IP address each) will be independently detected.
<br><br> <br/><br/>
Once a VM's IP address has been detected, its IP network traffic Once a VM's IP address has been detected, its IP network traffic
may be locked to that address, if for example IP address spoofing may be locked to that address, if for example IP address spoofing
is prevented by one of its filters. In that case the user of the VM is prevented by one of its filters. In that case the user of the VM
will not be able to change the IP address on the interface inside will not be able to change the IP address on the interface inside
the VM, which would be considered IP address spoofing. the VM, which would be considered IP address spoofing.
<br><br> <br/><br/>
In case a VM is resumed after suspension or migrated, IP address In case a VM is resumed after suspension or migrated, IP address
detection will be restarted. detection will be restarted.
</p> </p>
@ -1776,7 +1776,7 @@
outside the scope of libvirt to ensure that referenced filters outside the scope of libvirt to ensure that referenced filters
on the source system are equivalent to those on the target system on the source system are equivalent to those on the target system
and vice versa. and vice versa.
<br><br> <br/><br/>
Migration must occur between libvirt insallations of version Migration must occur between libvirt insallations of version
0.8.1 or later in order not to lose the network traffic filters 0.8.1 or later in order not to lose the network traffic filters
associated with an interface. associated with an interface.

View File

@ -30,7 +30,7 @@
by the particular volume format and driver, automatically generate a by the particular volume format and driver, automatically generate a
secret value at the time of volume creation, and store it using the secret value at the time of volume creation, and store it using the
specified <code>uuid</code>. specified <code>uuid</code>.
<p> </p>
<h3><a name="StorageEncryptionDefault">"default" format</a></h3> <h3><a name="StorageEncryptionDefault">"default" format</a></h3>
<p> <p>
<code>&lt;encryption type="default"/&gt;</code> can be specified only <code>&lt;encryption type="default"/&gt;</code> can be specified only

View File

@ -9,9 +9,9 @@
</p> </p>
<ul> <ul>
<li>Introduction to basic rules and guidelines for <a href="hacking.html">hacking<a> <li>Introduction to basic rules and guidelines for <a href="hacking.html">hacking</a>
on libvirt code</li> on libvirt code</li>
<li>Guide to adding <a href="api_extension.html">public APIs<a></li> <li>Guide to adding <a href="api_extension.html">public APIs</a></li>
<li>Approach for <a href="internals/command.html">spawning commands</a> from <li>Approach for <a href="internals/command.html">spawning commands</a> from
libvirt driver code</li> libvirt driver code</li>
</ul> </ul>

View File

@ -82,7 +82,7 @@
<a name="log_daemon">Logging in the daemon</a> <a name="log_daemon">Logging in the daemon</a>
</h3> </h3>
<p>Similarly the daemon logging behaviour can be tuned using 3 config <p>Similarly the daemon logging behaviour can be tuned using 3 config
variables, stored in the configuration file: variables, stored in the configuration file:</p>
<ul> <ul>
<li>log_level: accepts the following values: <li>log_level: accepts the following values:
<ul> <ul>
@ -128,7 +128,7 @@
<p>Multiple filters can be defined in a single string, they just need to be <p>Multiple filters can be defined in a single string, they just need to be
separated by spaces, e.g: <code>"3:remote 4:event"</code> to only get separated by spaces, e.g: <code>"3:remote 4:event"</code> to only get
warning or errors from the remote layer and only errors from the event warning or errors from the remote layer and only errors from the event
layer.<p> layer.</p>
<p>If you specify a log priority in a filter that is below the default log <p>If you specify a log priority in a filter that is below the default log
priority level, messages that match that filter will still be logged, priority level, messages that match that filter will still be logged,
while others will not. In order to see those messages, you must also have while others will not. In order to see those messages, you must also have

View File

@ -30,7 +30,7 @@
and untested Python bindings. and untested Python bindings.
</p> </p>
<h3><a name="caveats">Caveats</h3> <h3><a name="caveats">Caveats</a></h3>
<ul> <ul>
<li> <li>
@ -47,7 +47,7 @@
</li> </li>
</ul> </ul>
<h3><a name="knowninstallerprobs">Existing problems with this installer we know about</a> <h3><a name="knowninstallerprobs">Existing problems with this installer we know about</a></h3>
<p> <p>
These are problems we know about, and need to be fixed in subsequent These are problems we know about, and need to be fixed in subsequent
@ -72,7 +72,7 @@
</ul> </ul>
<h2><a name="conntypes">Connection types</h2> <h2><a name="conntypes">Connection types</a></h2>
<p> <p>
These connection types are known to work: These connection types are known to work:
@ -114,7 +114,7 @@
be used in security sensitive environments.</b> be used in security sensitive environments.</b>
</p> </p>
<h2><a name="esx">Connecting to VMware ESX/vSphere</h2> <h2><a name="esx">Connecting to VMware ESX/vSphere</a></h2>
<p> <p>
Details on the capabilities, certificates, and connection string Details on the capabilities, certificates, and connection string
@ -124,7 +124,7 @@
<a href="http://libvirt.org/drvesx.html">http://libvirt.org/drvesx.html</a> <a href="http://libvirt.org/drvesx.html">http://libvirt.org/drvesx.html</a>
<h2><a name="tlscerts">TLS Certificates</h2> <h2><a name="tlscerts">TLS Certificates</a></h2>
<p> <p>
TLS certificates need to have been created and placed in the correct TLS certificates need to have been created and placed in the correct
@ -184,7 +184,7 @@
<li>C:\Users\someuser\AppData\Roaming\libvirt\pki\libvirt\private\clientkey.pem</li> <li>C:\Users\someuser\AppData\Roaming\libvirt\pki\libvirt\private\clientkey.pem</li>
</ul> </ul>
<h2><a name="feedback">Feedback</h2> <h2><a name="feedback">Feedback</a></h2>
<p> <p>
Feedback and suggestions on changes to make and what else to include Feedback and suggestions on changes to make and what else to include