firewall: update 'useful commands' section with new subcommands

Migrating proxmox-firewall to the proxmox_log crate has removed the RUST_LOG environment variable, among other things. Additionally, the proxmox-firewall binary now has subcommands for dumping the generated firewall ruleset. Update the documentation to provide information on how to use the new subcommands for debugging proxmox-firewall. Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Link: https://lore.proxmox.com/20250527135800.190084-5-s.hanreich@proxmox.com
2025-08-01 12:21:55 +03:00 · 2025-05-27 15:58:00 +02:00
parent 2b0173ef55
commit 0e3aaccaae
1 changed files with 24 additions and 14 deletions
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@ -827,38 +827,48 @@ You can check the generated ruleset via the following command:
 nft list ruleset
 ----

-If you want to debug `proxmox-firewall` you can simply run the daemon in
-foreground with the `RUST_LOG` environment variable set to `trace`. This should
-provide you with detailed debugging output:
+If you want to debug `proxmox-firewall` you can dump the commands generated by
+the firewall via the `compile` subcommand. Additionally, setting the PVE_LOG
+environment variable will print log output to STDERR, which can be useful for
+debugging issues during the generation of the nftables ruleset:

 ----
-RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall
+PVE_LOG=trace /usr/libexec/proxmox/proxmox-firewall compile > firewall.json
+----
+
+The nftables ruleset consists of the skeleton ruleset, that is included in the
+proxmox-firewall binary, as well as the rules generated from the firewall
+configuration. You can obtain the base ruleset via the `skeleton` subcommand:
+
+----
+/usr/libexec/proxmox/proxmox-firewall skeleton
+----
+
+The output of both commands can be piped directly to the `nft` executable. The
+following commands will re-create the whole nftables ruleset from scratch:
+
+----
+/usr/libexec/proxmox/proxmox-firewall skeleton | nft -f -
+/usr/libexec/proxmox/proxmox-firewall compile | nft -j -f -
 ----

 You can also edit the systemctl service if you want to have detailed output for
-your firewall daemon:
+your firewall daemon while it is running:

 ----
 systemctl edit proxmox-firewall
 ----

-Then you need to add the override for the `RUST_LOG` environment variable:
+Then you need to add the override for the `PVE_LOG` environment variable:

 ----
 [Service]
-Environment="RUST_LOG=trace"
+Environment="PVE_LOG=trace"
 ----

 This will generate a large amount of logs very quickly, so only use this for
 debugging purposes. Other, less verbose, log levels are `info` and `debug`.

-Running in foreground writes the log output to STDERR, so you can redirect it
-with the following command (e.g. for submitting logs to the community forum):
-
----
-RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall 2> firewall_log_$(hostname).txt
----
-
 It can be helpful to trace packet flow through the different chains in order to
 debug firewall rules. This can be achieved by setting `nftrace` to 1 for packets
 that you want to track. It is advisable that you do not set this flag for *all*