The HTML5 doctype is simply

  <!DOCTYPE html>

no DTD is present because HTML5 is no longer defined as an
extension of SGML.

XSL has no way to natively output a doctype without a public
or system identifier, so we have to use an <xsl:text> hack
instead.

See also

  https://dev.w3.org/html5/html-author/#doctype-declarationSigned-off-by: NDaniel P. Berrange <berrange@redhat.com>

The 'name' attribute on <a...> elements is deprecated in favour
of the 'id' attribute which is allowed on any element. HTML5
drops 'name' support entirely.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

QEMU should be written all upper or all lower case.

The <pre/> section is rendered as-is on the page. That is, if all
the lines are prefixed with 4 spaces the rendered page will also
have them. Problem is if we put a box around such <pre/> because
the content might not fix into it.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

This finishes the job started by commit 81f3839f - removing the
erroneous reference to nonexistent "igmp-ipv6" protocol.

IGMP is used on IPv4 networks tp setup multicast group memberships. On
IPv6, this job is done by Multicast Listener Discovery (MLD), which
uses ICMPv6 packets rather than its own IP protocol number like IGMP.

The nwfilter documentation lists "igmp-ipv6" as one of the possible
protocols, but this is ignored (and stripped from the xml). This patch
removes that erroneous reference.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1038888

Make use of the ebtables functionality to be able to filter certain
parameters of icmpv6 packets. Extend the XML parser for icmpv6 types,
type ranges, codes, and code ranges. Extend the nwfilter documentation,
schema, and test cases.

Being able to filter icmpv6 types and codes helps extending the DHCP
snooper for IPv6 and filtering at least some parameters of IPv6's NDP
(Neighbor Discovery Protocol) packets. However, the filtering will not
be as good as the filtering of ARP packets since we cannot
check on IP addresses in the payload of the NDP packets.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Added attribute dscp to below supported protocols table in nwfilter docs.
IPV4 (ip)
TCP/UDP/SCTP (tcp/udp/sctp)
ICMP (icmp)
IGMP,ESP,AH,UDPLITE,'ALL' (igmp,esp,ah,udplite,all)
TCP/UDP/SCTP over IPV6 (tcp-ipv6,udp-ipv6,sctp-ipv6)
ICMPV6 (icmpv6)
IGMP,ESP,AH,UDPLITE,'ALL' over IPv6 (igmp-ipv6,esp-ipv6,ah-ipv6,udplite-ipv6,all-ipv6)

Here is a simple example:
[root@localhost ~]# virsh nwfilter-dumpxml myself
<filter name='myself' chain='root'>
  <uuid>7192ef51-cd50-4f14-ad7b-fa5c69ea19e3</uuid>
  <rule action='accept' direction='in' priority='500'>
    <ip dscp='1'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp dscp='1'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp-ipv6 dscp='2'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <icmp dscp='55'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <icmpv6 dscp='55'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <udp dscp='3'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <udp-ipv6 dscp='4'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <udplite dscp='5'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <udplite-ipv6 dscp='6'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <esp dscp='7'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <esp-ipv6 dscp='8'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <ah dscp='9'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <ah-ipv6 dscp='10'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <sctp dscp='11'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <sctp-ipv6 dscp='55'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <igmp dscp='55'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <all-ipv6 dscp='55'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <all dscp='55'/>
  </rule>
</filter>
Signed-off-by: NJán Tomko <jtomko@redhat.com>

'vlanid' is the attribute name in our XML,
'vlan-id' is the ebtables attribute:

[root@localhost ~]# virsh nwfilter-dumpxml myself
<filter name='myself' chain='root'>
  <uuid>7192ef51-cd50-4f14-ad7b-fa5c69ea19e3</uuid>
  <rule action='accept' direction='in' priority='500'>
    <vlan dstmacaddr='00:11:22:33:44:55' vlanid='44'/>
  </rule>
</filter>

[root@localhost ~]# ebtables -t nat -L
Bridge table: nat

...
-p 802_1Q -d 0:11:22:33:44:55 --vlan-id 44 -j ACCEPT

https://bugzilla.redhat.com/show_bug.cgi?id=1126721Signed-off-by: NJán Tomko <jtomko@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=862887

Add a netmask for the source and destination IP address for the
ebtables --arp-ip-src and --arp-ip-dst options. Extend the XML
parser with support for XML attributes for these netmasks similar
to already supported netmasks. Extend the documentation.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

s/insallations/installations/
Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com>

s/fragement/fragment
Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com>

s/initated/initiated
Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com>

The rule generating the HTML docs passing the --html flag
to xsltproc. This makes it use the legacy HTML parser, which
either ignores or tries to fix all sorts of broken XML tags.
There's no reason why we should be writing broken XML in
the first place, so removing --html and adding the XHTML
doctype to all files forces us to create good XML.

This adds the XHTML doc type and fixes many, many XML tag
problems it exposes.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

This patch adds DHCP snooping support to libvirt. The learning method for
IP addresses is specified by setting the "CTRL_IP_LEARNING" variable to one of
"any" [default] (existing IP learning code), "none" (static only addresses)
or "dhcp" (DHCP snooping).

Active leases are saved in a lease file and reloaded on restart or HUP.

The following interface XML activates and uses the DHCP snooping:

    <interface type='bridge'>
      <source bridge='virbr0'/>
      <filterref filter='clean-traffic'>
        <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
      </filterref>
    </interface>

All filters containing the variable 'IP' are automatically adjusted when
the VM receives an IP address via DHCP. However, multiple IP addresses per
interface are silently ignored in this patch, thus only supporting one IP
address per interface. Multiple IP address support is added in a later
patch in this series.
Signed-off-by: NDavid L Stevens <dlstevens@us.ibm.com>
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

This patch adds support for the recent ipset iptables extension
to libvirt's nwfilter subsystem. Ipset allows to maintain 'sets'
of IP addresses, ports and other packet parameters and allows for
faster lookup (in the order of O(1) vs. O(n)) and rule evaluation
to achieve higher throughput than what can be achieved with
individual iptables rules.

On the command line iptables supports ipset using

iptables ... -m set --match-set <ipset name> <flags> -j ...

where 'ipset name' is the name of a previously created ipset and
flags is a comma-separated list of up to 6 flags. Flags use 'src' and 'dst'
for selecting IP addresses, ports etc. from the source or
destination part of a packet. So a concrete example may look like this:

iptables -A INPUT -m set --match-set test src,src -j ACCEPT

Since ipset management is quite complex, the idea was to leave ipset 
management outside of libvirt but still allow users to reference an ipset.
The user would have to make sure the ipset is available once the VM is
started so that the iptables rule(s) referencing the ipset can be created.

Using XML to describe an ipset in an nwfilter rule would then look as
follows:

  <rule action='accept' direction='in'>
    <all ipset='test' ipsetflags='src,src'/>
  </rule>

The two parameters on the command line are also the two distinct XML attributes
'ipset' and 'ipsetflags'.

FYI: Here is the man page for ipset:

https://ipset.netfilter.org/ipset.man.html

Regards,
    Stefan

This patch adds documentation about the new 'ways' that users can
access the contents of variables in filters:

- access via index: $TEST[2]
- access via iterators $TEST[@1]

Add documentation for the STP filtering support. Describe the XML attributes
that are supported.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Add documentation for the VLAN filtering support. Describe the XML attributes
that are supported.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

This patch adds several aspects of documentation about the network filtering
system:

- chains, chains' priorities and chains' default priorities
- talks about lists of elements, i.e., a variable assigned multiple values
  (part of already ACK-ed series)
- already mentions the vlan, stp and mac chains added later on
  (https://www.redhat.com/archives/libvir-list/2011-October/msg01238.html)
- mentions limitations of vlan filtering (when sent by VM) on Linux systems
 

	This patch adds support for "continue" and "return" actions
in filter rules.
Signed-off-by: NDavid L Stevens <dlstevens@us.ibm.com>

This patch enables filtering of gratuitous ARP packets using the following XML:

<rule action='accept' direction='in' priority='425'>
<arp gratuitous='true'/>
</rule>

Ebtables filtering doesn't work on macvtap device. Remove support for direct type of interface.

This patch adds support for the evaluation of TCP flags in nwfilters.

It adds documentation to the web page and extends the tests as well.
Also, the nwfilter schema is extended.

The following are some example for rules using the tcp flags:

<rule action='accept' direction='in'>
    <tcp state='NONE' flags='SYN/ALL' dsptportstart='80'/>
</rule>
<rule action='drop' direction='in'>
    <tcp state='NONE' flags='SYN/ALL'/>
</rule>

* docs/internals.html.in: Fix xml errors.
* docs/formatstorageencryption.html.in: Likewise.
* docs/drvesx.html.in: Likewise.
* docs/archnetwork.html.in: Likewise.
* docs/logging.html.in: Likewise.
* docs/drvvmware.html.in: Likewise.
* docs/api.html.in: Likewise.
* docs/formatnwfilter.html.in: Likewise.
* docs/formatdomain.html.in: Likewise.
* docs/windows.html.in: Likewise.

Fix this which went into documentation

This patch adds the possibility to not just drop packets, but to also have them rejected where iptables at least sends an ICMP msg back to the originator. On ebtables this again maps into dropping packets since rejecting is not supported.

I am adding 'since 0.8.9' to the docs assuming this will be the next version of libvirt.

This patch adds another example to the nwfilter html page and provides 2 solutions for how to write a filter meeting the given requirements using newly added features.

I am adding a row with information about the newly supported state
attribute to each of the tables describing supported attributes of protocols.

I am adding a row with information about the newly supported comment
attribute to each of the tables describing supported attributes of protocols.

As requested, here a couple of paragraphs about the recently added statematch attribute and some advanced (and tricky) traffic filtering topics.

A build on Ubuntu reported:

|| Generating formatnwfilter.html.tmp
/dados/develop/libvirt/docs/formatnwfilter.html.in|390| HTML parser error : Unexpected end tag : p
||     </p>
||         ^
/dados/develop/libvirt/docs/formatnwfilter.html.in|705| HTML parser error : Unexpected end tag : code
||          <td>End of range of valid source ports</code></td>
||                                                       ^
/dados/develop/libvirt/docs/formatnwfilter.html.in|710| HTML parser error : Unexpected end tag : code
||          <td>Start of range of valid destination ports</code></td>
||                                                              ^

* docs/formatnwfilter.html.in: Fix invalid HTML constructs.
Reported by Eduardo Otubo.

This patch adds documentation of the nwfilter subsystem of libvirt to
the existing (web) docs.