add auto-generated host firewall options

diff --git a/Makefile b/Makefile
index d22045cc4a5da20ea6b15715ea617d53734868dc..f7dd025d58f8d43b783c00f2e5595ebc86c44096 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ RELEASE=4.1
 PVESM_SOURCES=attributes.txt pvesm.adoc pvesm.1-synopsis.adoc $(shell ls pve-storage-*.adoc)
 PVEUM_SOURCES=attributes.txt pveum.adoc pveum.1-synopsis.adoc
 VZDUMP_SOURCES=attributes.txt vzdump.adoc vzdump.1-synopsis.adoc
-PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
+PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
 QM_SOURCES=attributes.txt qm.adoc qm.1-synopsis.adoc
 PCT_SOURCES=attributes.txt pct.adoc pct.1-synopsis.adoc
 PVEAM_SOURCES=attributes.txt pveam.adoc pveam.1-synopsis.adoc
@@ -83,6 +83,10 @@ pve-firewall-cluster-opts.adoc:
        ./gen-pve-firewall-cluster-opts.pl >$@.tmp
        mv $@.tmp $@
 
+pve-firewall-host-opts.adoc:
+       ./gen-pve-firewall-host-opts.pl >$@.tmp
+       mv $@.tmp $@
+
 pve-firewall-rules-opts.adoc:
        ./gen-pve-firewall-rules-opts-adoc.pl >$@.tmp
        mv $@.tmp $@

diff --git a/gen-pve-firewall-host-opts.pl b/gen-pve-firewall-host-opts.pl
new file mode 100755 (executable)
index 0000000..6ca2e7f
--- /dev/null
+++ b/gen-pve-firewall-host-opts.pl
@@ -0,0 +1,11 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use PVE::Firewall;
+use PVE::RESTHandler;
+
+my $prop = $PVE::Firewall::host_option_properties;
+
+print PVE::RESTHandler::dump_properties($prop);

diff --git a/pve-firewall-host-opts.adoc b/pve-firewall-host-opts.adoc
new file mode 100644 (file)
index 0000000..ff955a1
--- /dev/null
+++ b/pve-firewall-host-opts.adoc
@@ -0,0 +1,40 @@
+`enable`: `boolean` ::
+
+Enable host firewall rules.
+
+`log_level_in`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for incoming traffic.
+
+`log_level_out`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for outgoing traffic.
+
+`ndp`: `boolean` ::
+
+Enable NDP.
+
+`nf_conntrack_max`: `integer (32768 - N)` ::
+
+Maximum number of tracked connections.
+
+`nf_conntrack_tcp_timeout_established`: `integer (7875 - N)` ::
+
+Conntrack established timeout.
+
+`nosmurfs`: `boolean` ::
+
+Enable SMURFS filter.
+
+`smurf_log_level`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for SMURFS filter.
+
+`tcp_flags_log_level`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for illegal tcp flags filter.
+
+`tcpflags`: `boolean` ::
+
+Filter illegal combinations of TCP flags.
+

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index bb02365e51fbba730a728d8b77b73951eee33843..0e708de89e8da06c384bb57ffced2fa6b5402415 100644 (file)
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -129,7 +129,17 @@ Host related configuration is read from:
 
 This is useful if you want to overwrite rules from 'cluster.fw'
 config. You can also increase log verbosity, and set netfilter related
-options.
+options. The configuration can contain the following sections:
+
+'[OPTIONS]'::
+
+This is used to set host related firewall options.
+
+include::pve-firewall-host-opts.adoc[]
+
+'[RULES]'::
+
+This sections contains host specific firewall rules.
 
 
 VM/Container configuration