From: Dietmar Maurer Date: Fri, 1 Apr 2016 10:45:24 +0000 (+0200) Subject: add auto-generated host firewall options X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=commitdiff_plain;h=888c41167a2764f696b3e6616a9b3402b634dd0f add auto-generated host firewall options
---
diff --git a/Makefile b/Makefile
index d22045c..f7dd025 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ RELEASE=4.1
 PVESM_SOURCES=attributes.txt pvesm.adoc pvesm.1-synopsis.adoc $(shell ls pve-storage-*.adoc)
 PVEUM_SOURCES=attributes.txt pveum.adoc pveum.1-synopsis.adoc
 VZDUMP_SOURCES=attributes.txt vzdump.adoc vzdump.1-synopsis.adoc
-PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
+PVEFW_SOURCES=attributes.txt pve-firewall.adoc pve-firewall-rules-opts.adoc pve-firewall-cluster-opts.adoc pve-firewall-host-opts.adoc pve-firewall-macros.adoc pve-firewall.8-synopsis.adoc
 QM_SOURCES=attributes.txt qm.adoc qm.1-synopsis.adoc
 PCT_SOURCES=attributes.txt pct.adoc pct.1-synopsis.adoc
 PVEAM_SOURCES=attributes.txt pveam.adoc pveam.1-synopsis.adoc
@@ -83,6 +83,10 @@ pve-firewall-cluster-opts.adoc:
 	./gen-pve-firewall-cluster-opts.pl >$@.tmp
 	mv $@.tmp $@
 
+pve-firewall-host-opts.adoc:
+	./gen-pve-firewall-host-opts.pl >$@.tmp
+	mv $@.tmp $@
+
 pve-firewall-rules-opts.adoc:
 	./gen-pve-firewall-rules-opts-adoc.pl >$@.tmp
 	mv $@.tmp $@
diff --git a/gen-pve-firewall-host-opts.pl b/gen-pve-firewall-host-opts.pl
new file mode 100755
index 0000000..6ca2e7f
--- /dev/null
+++ b/gen-pve-firewall-host-opts.pl
@@ -0,0 +1,11 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use PVE::Firewall;
+use PVE::RESTHandler;
+
+my $prop = $PVE::Firewall::host_option_properties;
+
+print PVE::RESTHandler::dump_properties($prop);
diff --git a/pve-firewall-host-opts.adoc b/pve-firewall-host-opts.adoc
new file mode 100644
index 0000000..ff955a1
--- /dev/null
+++ b/pve-firewall-host-opts.adoc
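Review bot: The new `pve-firewall-host-opts.adoc` rule in the second Makefile hunk has no prerequisites, so once the file exists make never regenerates it when `gen-pve-firewall-host-opts.pl` (or the PVE::Firewall schema it reads) changes, and a stale option list is shipped without any build error. This mirrors the neighbouring cluster-opts and rules-opts rules, so it may be deliberate and rely on a clean rebuild. Listing the generator as a prerequisite, `pve-firewall-host-opts.adoc: gen-pve-firewall-host-opts.pl`, would at least catch edits to the script itself; the schema dependency lives outside this repository and cannot be expressed here.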
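Review bot: `$PVE::Firewall::host_option_properties` is read on line 9 of the new script without a definedness check; under `use strict` a fully-qualified package variable that no longer exists is not an error, so a rename on the PVE::Firewall side would hand `undef` to `dump_properties`, and, depending on how that helper reacts (not visible here), the script could exit 0 with empty output that the Makefile rule then moves into place as the documentation. A one-line guard makes that failure explicit at build time: `die "PVE::Firewall::host_option_properties is not defined" unless defined $prop;`. The sibling generator scripts are not in this diff, so I cannot tell whether they guard the same way.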
@@ -0,0 +1,40 @@
+`enable`: `boolean` ::
+
+Enable host firewall rules.
+
+`log_level_in`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for incoming traffic.
+
+`log_level_out`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for outgoing traffic.
+
+`ndp`: `boolean` ::
+
+Enable NDP.
+
+`nf_conntrack_max`: `integer (32768 - N)` ::
+
+Maximum number of tracked connections.
+
+`nf_conntrack_tcp_timeout_established`: `integer (7875 - N)` ::
+
+Conntrack established timeout.
+
+`nosmurfs`: `boolean` ::
+
+Enable SMURFS filter.
+
+`smurf_log_level`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for SMURFS filter.
+
+`tcp_flags_log_level`: `(alert | crit | debug | emerg | err | info | nolog | notice | warning)` ::
+
+Log level for illegal tcp flags filter.
+
+`tcpflags`: `boolean` ::
+
+Filter illegal combinations of TCP flags.
+
diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index bb02365..0e708de 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -129,7 +129,17 @@ Host related configuration is read from:
 
 This is useful if you want to overwrite rules from 'cluster.fw' config.
 You can also increase log verbosity, and set netfilter related
-options.
+options. The configuration can contain the following sections:
+
+'[OPTIONS]'::
+
+This is used to set host related firewall options.
+
+include::pve-firewall-host-opts.adoc[]
+
+'[RULES]'::
+
+This sections contains host specific firewall rules.
 
 
 VM/Container configuration