mgmt1: rethink firewall Admin API

Handling each rule separately makes sense from the qvm-firewall tool's
point of view, but not from the point of view of overall configuration
integrity. If multiple tools try to configure the firewall simultaneously,
doing it at the individual rule level can end very badly.
So, get/set the whole firewall at once. If some race condition happens
here, it will end up with one firewall rule set being overwritten by
the other one. But it will still be a consistent rule set.
Marek Marczykowski-Górecki 2017-05-01 02:48:23 +02:00
parent 986b2ec00f
commit 141ed82589
No known key found for this signature in database
GPG Key ID: F32894BE9684938A
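As an added illustration of the race the commit message describes (this is a constructed Python model, not code from this commit or from Qubes): two management clients, A and B, each want to install a complete rule set. With per-rule Flush/InsertRule calls their steps can interleave into a set neither client intended; with a whole-set Set one writer overwrites the other, but the result is always one intended set. The option-token regex, the `Firewall` class and the rule lines are assumptions of the model; the rule syntax follows the 4.x format named in the table, including the "`comment=` must be last" check.

```python
import re
from typing import List

# Assumed shape of a `key=value` option token (model only).
OPTION = re.compile(r"^[a-z0-9]+=")

def validate_rule(rule: str) -> List[str]:
    """Split a rule line into options; `comment=` (if present) must be last."""
    tokens = rule.split()
    for i, tok in enumerate(tokens):
        if tok.startswith("comment="):
            trailing = [t for t in tokens[i + 1:] if OPTION.match(t)]
            if trailing:
                raise ValueError(f"option after comment=: {trailing[0]!r}")
            return tokens[:i] + [" ".join(tokens[i:])]  # comment keeps its spaces
    return tokens

class Firewall:
    """One VM's rule set, with both the old per-rule and the new whole-set API."""
    def __init__(self) -> None:
        self.rules: List[str] = []
    def flush(self) -> None:                    # old mgmt.vm.firewall.Flush
        self.rules.clear()
    def insert_rule(self, rule: str) -> None:   # old InsertRule with rule id END
        self.rules.append(rule)
    def set_rules(self, payload: str) -> None:  # new mgmt.vm.firewall.Set
        rules = [line for line in payload.split("\n") if line]
        for r in rules:
            validate_rule(r)   # reject the whole payload before touching state
        self.rules = rules     # single assignment: old and new rules never mix

def interleaved_per_rule(set_a: List[str], set_b: List[str]) -> List[str]:
    """Clients A and B both Flush, then their InsertRule calls alternate."""
    fw = Firewall()
    fw.flush()  # both clients flush first; the second flush is a no-op
    for ra, rb in zip(set_a, set_b):
        fw.insert_rule(ra)
        fw.insert_rule(rb)
    return fw.rules

def racing_whole_set(set_a: List[str], set_b: List[str]) -> List[str]:
    """A's Set is immediately overwritten by B's Set: last writer wins."""
    fw = Firewall()
    fw.set_rules("".join(r + "\n" for r in set_a))
    fw.set_rules("".join(r + "\n" for r in set_b))
    return fw.rules

# Constructed rule sets in the 4.x rule syntax; addresses and names are examples.
RULES_A = ["action=accept dst4=10.0.0.0/8 proto=tcp dstports=443-443 comment=A net",
           "action=drop"]
RULES_B = ["action=accept dsthost=example.com expire=1500000000", "action=drop"]
```

`interleaved_per_rule` returns A's accept rule followed by B's, so the VM ends up with a mix of both policies, while `racing_whole_set` returns exactly B's set.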


@ -51,10 +51,12 @@ to set the policy using current mechanism.
| `mgmt.vm.tag.Get` | vm | tag | - | `0` or `1` | retcode? | | `mgmt.vm.tag.Get` | vm | tag | - | `0` or `1` | retcode? |
| `mgmt.vm.tag.Remove` | vm | tag | - | - | | `mgmt.vm.tag.Remove` | vm | tag | - | - |
| `mgmt.vm.tag.Set` | vm | tag | - | - | | `mgmt.vm.tag.Set` | vm | tag | - | - |
| `mgmt.vm.firewall.List` | vm | - | - | `<rule id> <rule>\n` | | `mgmt.vm.firewall.Get` | vm | - | - | `<rule>\n` | rules syntax as in [firewall interface](/doc/vm-interface/#firewall-rules-in-4x) with addition of `expire=` and `comment=` options; `comment=` (if present) must be the last option
| `mgmt.vm.firewall.InsertRule` | vm | rule id | rule | rule id | insert before given rule, use `END` as rule id to add rule at the end | `mgmt.vm.firewall.Set` | vm | - | `<rule>\n` | - | set firewall rules, see `mgmt.vm.firewall.Get` for syntax
| `mgmt.vm.firewall.RemoveRule` | vm | rule id | - | - |
| `mgmt.vm.firewall.Flush` | vm | - | - | - | | `mgmt.vm.firewall.Flush` | vm | - | - | - |
| `mgmt.vm.firewall.SetPolicy` | vm | - | `accept|drop` | - |
| `mgmt.vm.firewall.GetPolicy` | vm | - | - | `accept|drop` |
| `mgmt.vm.firewall.Reload` | vm | - | - | - | force reload firewall without changing any rule
| `mgmt.vm.device.<class>.Attach` | vm | device | options | - | optional options given in `key=value` format, separated with spaces | `mgmt.vm.device.<class>.Attach` | vm | device | options | - | optional options given in `key=value` format, separated with spaces
| `mgmt.vm.device.<class>.Detach` | vm | device | - | - | | `mgmt.vm.device.<class>.Detach` | vm | device | - | - |
| `mgmt.vm.device.<class>.List` | vm | - | - | `<device> <options>\n` | | `mgmt.vm.device.<class>.List` | vm | - | - | `<device> <options>\n` |
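Review bot: the new `mgmt.vm.firewall.Set` row says only "see `mgmt.vm.firewall.Get` for syntax", but the `SetPolicy`/`GetPolicy` rows have no counterpart in the new column, so the row should state how the default policy is expressed in the rule set handed to `Set`, and whether an empty `Set` payload is an error or equivalent to `Flush`, which is kept. The commit message accepts that concurrent `Set` calls are last-writer-wins; one sentence saying so in the `Set` row would make that contract visible to tool authors rather than leaving it in the commit history.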