From 740609c339ff37649a0ffafbe6b6cb6d49d439c7 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Wed, 14 Dec 2022 17:04:54 -0800
Subject: [PATCH] minidlna: Fix incorrect marking for firewall local protection
MiniDLNA's TCP service has been incorrectly marked as needing to be protected from local users. This leads to service not being accessible from local network. Fix this by removing local protection. As reported on https://discuss.freedombox.org/t/minidlna-on-22-26/2386 Tests: - With MiniDLNA installed, apply the changes and restart service. 'nft list ruleset ip', 'nft list ruleset ip6' and 'cat /etc/firewalld/direct.xml' confirm that port 8200 is no longer protected as a local service.
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 plinth/modules/minidlna/__init__.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/plinth/modules/minidlna/__init__.py b/plinth/modules/minidlna/__init__.py
index 514033995..dbb1b9e8f 100644
--- a/plinth/modules/minidlna/__init__.py
+++ b/plinth/modules/minidlna/__init__.py
@@ -7,10 +7,10 @@ from django.utils.translation import gettext_lazy as _
 from plinth import app as app_module
 from plinth import frontpage, menu
 from plinth.daemon import Daemon
+from plinth.modules import firewall
 from plinth.modules.apache.components import Webserver
 from plinth.modules.backups.components import BackupRestore
-from plinth.modules.firewall.components import (Firewall,
- FirewallLocalProtection)
+from plinth.modules.firewall.components import Firewall
 from plinth.modules.users.components import UsersAndGroups
 from plinth.package import Packages, install
 from plinth.utils import Version
@@ -34,7 +34,7 @@ class MiniDLNAApp(app_module.App):
 app_id = 'minidlna'
- _version = 3
+ _version = 4
 def __init__(self):
 """Initialize the app components."""
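Review bot: The module-level name added by `+from plinth.modules import firewall` in the import hunk appears to collide with a local of the same name in `__init__`, since the context of the later hunk shows `self.add(firewall)` being called on the Firewall component. The local assignment itself is outside the visible hunks, so this is inferred. If it holds, `firewall` means the component inside `__init__` and the module inside `setup()`, and a later call such as `firewall.remove_passthrough(...)` placed in `__init__` would hit the wrong object. Importing it as `from plinth.modules import firewall as firewall_module`, or renaming the local, keeps the two apart.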
@@ -75,10 +75,6 @@ class MiniDLNAApp(app_module.App):
 is_external=False)
 self.add(firewall)
- firewall_local_protection = FirewallLocalProtection(
- 'firewall-local-protection-minidlna', ['8200'])
- self.add(firewall_local_protection)
-
 webserver = Webserver('webserver-minidlna', 'minidlna-freedombox',
 urls=['https://{host}/_minidlna/'])
 self.add(webserver)
@@ -98,6 +94,14 @@ class MiniDLNAApp(app_module.App):
 """Install and configure the app."""
 super().setup(old_version)
 privileged.setup()
+ if old_version == 3:
+ # Version 3 of the app incorrectly declared port 8200 for firewall
+ # local protection.
+ firewall.remove_passthrough('ipv6', '-A', 'INPUT', '-p', 'tcp',
+ '--dport', '8200', '-j', 'REJECT')
+ firewall.remove_passthrough('ipv4', '-A', 'INPUT', '-p', 'tcp',
+ '--dport', '8200', '-j', 'REJECT')
+
 if not old_version:
 self.enable()
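Review bot: The two `firewall.remove_passthrough(...)` calls under `if old_version == 3:` undo the version 3 rule only if their hard-coded arguments match, token for token, what `FirewallLocalProtection` installed for port 8200. That component's rule format is not visible in this hunk, so a mismatch would presumably leave the REJECT rule in place and the service still unreachable, with nothing reported. It is also not visible whether `remove_passthrough` tolerates a rule that is already absent (for example if the app was disabled while at version 3); if it raises, `setup()` would abort the upgrade. Once confirmed against the firewall module, I would extend the comment to say `# Must match the passthrough that FirewallLocalProtection added in version 3; removal is a no-op if the rule is absent.` and fold the two calls into `for ip_type in ('ipv4', 'ipv6'):` so the rule text is written once. `setup()` begins before this hunk.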