add auto-generated host firewall options
authorDietmar Maurer <dietmar@proxmox.com>
Fri, 1 Apr 2016 10:45:24 +0000 (12:45 +0200)
committerDietmar Maurer <dietmar@proxmox.com>
Fri, 1 Apr 2016 10:58:52 +0000 (12:58 +0200)
Makefile
gen-pve-firewall-host-opts.pl [new file with mode: 0755]
pve-firewall-host-opts.adoc [new file with mode: 0644]
pve-firewall.adoc

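--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ RELEASE=4.1
 PVESM_SOURCES=attributes.txt pvesm.adoc pvesm.1-synopsis.adoc $(shell ls pve-storage-*.adoc)
 PVEUM_SOURCES=attributes.txt pveum.adoc pveum.1-synopsis.adoc
 VZDUMP_SOURCES=attributes.txt vzdump.adoc vzdump.1-synopsis.adoc
-PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
+PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
 QM_SOURCES=attributes.txt qm.adoc qm.1-synopsis.adoc
 PCT_SOURCES=attributes.txt pct.adoc pct.1-synopsis.adoc
 PVEAM_SOURCES=attributes.txt pveam.adoc pveam.1-synopsis.adoc
@@ -83,6 +83,10 @@ pve-firewall-cluster-opts.adoc:
        ./gen-pve-firewall-cluster-opts.pl >$@.tmp
        mv $@.tmp $@
 
+pve-firewall-host-opts.adoc:
+       ./gen-pve-firewall-host-opts.pl >$@.tmp
+       mv $@.tmp $@
+
 pve-firewall-rules-opts.adoc:
        ./gen-pve-firewall-rules-opts-adoc.pl >$@.tmp
        mv $@.tmp $@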
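Review bot: The new `pve-firewall-host-opts.adoc` target in the second hunk has no prerequisites, so make runs the generator only when the file is missing. Because this commit also checks the generated file in, the published host firewall option reference will not follow later changes to the generator or to `PVE::Firewall`. If regeneration on change is wanted, list the script as a prerequisite, `pve-firewall-host-opts.adoc: gen-pve-firewall-host-opts.pl`; if the snapshot is deliberate (for example so the docs build without the PVE modules installed), a comment such as `# generated snapshot; delete the file to refresh it from the installed PVE::Firewall` would make that explicit. The cluster-opts and rules-opts rules visible as context have the same shape.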
diff --git a/gen-pve-firewall-host-opts.pl b/gen-pve-firewall-host-opts.pl
new file mode 100755 (executable)
index 0000000..6ca2e7f
--- /dev/null
@@ -0,0 +1,11 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use PVE::Firewall;
+use PVE::RESTHandler;
+
+my $prop = $PVE::Firewall::host_option_properties;
+
+print PVE::RESTHandler::dump_properties($prop);
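Review bot: `$prop` is handed to `dump_properties` without a check that it is defined. A fully qualified package variable is not caught by `use strict`, so if the installed `PVE::Firewall` does not define `$host_option_properties`, `$prop` is undef. How `dump_properties` treats undef is not visible here, but if it returns quietly the Makefile recipe will move an empty file into place as the host firewall option reference. A guard before the print, `die "PVE::Firewall::host_option_properties is not defined\n" if !defined($prop);`, makes the recipe fail before `mv` runs. A header comment such as `# Generates pve-firewall-host-opts.adoc from the host option schema in PVE::Firewall.` would also document what the script is for.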
diff --git a/pve-firewall-host-opts.adoc b/pve-firewall-host-opts.adoc
new file mode 100644 (file)
index 0000000..ff955a1
--- /dev/null
@@ -0,0 +1,40 @@
+`enable`: `boolean` ::
+
+Enable host firewall rules.
+
+`log_level_in`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for incoming traffic.
+
+`log_level_out`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for outgoing traffic.
+
+`ndp`: `boolean` ::
+
+Enable NDP.
+
+`nf_conntrack_max`: `integer (32768 - N)` ::
+
+Maximum number of tracked connections.
+
+`nf_conntrack_tcp_timeout_established`: `integer (7875 - N)` ::
+
+Conntrack established timeout.
+
+`nosmurfs`: `boolean` ::
+
+Enable SMURFS filter.
+
+`smurf_log_level`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for SMURFS filter.
+
+`tcp_flags_log_level`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for illegal tcp flags filter.
+
+`tcpflags`: `boolean` ::
+
+Filter illegal combinations of TCP flags.
+
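--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -129,7 +129,17 @@ Host related configuration is read from:
 
 This is useful if you want to overwrite rules from 'cluster.fw'
 config. You can also increase log verbosity, and set netfilter related
-options.
+options. The configuration can contain the following sections:
+
+'[OPTIONS]'::
+
+This is used to set host related firewall options.
+
+include::pve-firewall-host-opts.adoc[]
+
+'[RULES]'::
+
+This sections contains host specific firewall rules.
 
 
 VM/Container configuration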