Merge pull request #2051 from YunoHost/fix_firewall

Fix firewall
YunoHost · Feb 25, 2025 · 892f01b · 892f01b
2 parents fac0900 + e89e55c
commit 892f01b
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 8 deletions.
diff --git a/conf/yunohost/services.yml b/conf/yunohost/services.yml
@@ -54,7 +54,7 @@ yunohost-api:
   log: /var/log/yunohost/yunohost-api.log
   category: admin
 nftables:
-  test_status: nft list chain ip filter input | grep "dport" | grep -q "accept"
+  test_status: nft list chain inet filter input | grep "dport" | grep -q "accept"
   category: security
 yunomdns:
   category: mdns

diff --git a/src/firewall.py b/src/firewall.py
@@ -91,8 +91,12 @@ def list(self, protocol: str, forwarded: bool = False) -> list[int]:
 
     @staticmethod
     def _validate_port(protocol: str, port: int | str) -> tuple[str, int | str]:
-        if isinstance(port, str) and ":" not in port:
-            port = int(port)
+        if isinstance(port, str):
+            # iptables used ":" and app packages might still do
+            port = port.replace(":", "-")
+            # Convert to int if it's not a range
+            if "-" not in port:
+                port = int(port)
         if protocol not in ["tcp", "udp"]:
             raise ValueError(f"protocol should be tcp or udp, not {protocol}")
         return protocol, port
@@ -298,7 +302,7 @@ def firewall_is_open(
     Returns whether the specified port is open.
 
     Keyword arguments:
-        port -- Port or range of ports to open
+        port -- Port or dash-separated range of ports to open
         protocol -- Protocol type to allow (tcp/udp)
 
     """
@@ -317,7 +321,7 @@ def firewall_open(
     Allow connections on a port
 
     Keyword arguments:
-        port -- Port or range of ports to open
+        port -- Port or dash-separated range of ports to open
         protocol -- Protocol type to allow (tcp/udp)
         comment -- A reason for the port to be open
         no_upnp -- Do not add forwarding of this port with UPnP
@@ -367,7 +371,7 @@ def firewall_close(
     Disallow connections on a port
 
     Keyword arguments:
-        port -- Port or range of ports to close
+        port -- Port or dash-separated range of ports to close
         protocol -- Protocol type to disallow (tcp/udp)
         upnp_only -- Only remove forwarding of this port with UPnP
         no_reload -- Do not reload firewall rules
@@ -431,7 +435,7 @@ def firewall_delete(
 
     Keyword arguments:
         protocol -- Protocol type to disallow (tcp/udp)
-        port -- Port or range of ports to close
+        port -- Port or dash-separated range of ports to close
         no_reload -- Do not reload firewall rules
     """
     firewall = YunoFirewall()

diff --git a/src/migrations/0032_firewall_config.py b/src/migrations/0032_firewall_config.py
@@ -67,7 +67,7 @@ def firewall_file_migrate(self) -> None:
         }
         for proto in ["TCP", "UDP"]:
             new_data[proto.lower()] = {
-                port: {
+                port if isinstance(port, int) else port.replace(":", "-"): {
                     "open": True,
                     "upnp": port in old_data["uPnP"][proto],
                     "comment": self._app_comment_of_port(port),