Call firewall-port in IPv6 when management is in IPv6

benjamreis · benjamreis · commit cc4c324a8411 · 2024-11-14T09:05:46.000+01:00
Signed-off-by: Benjamin Reis &lt;benjamin.reis@vates.tech&gt;
diff --git a/ocaml/xapi/dbsync_slave.ml b/ocaml/xapi/dbsync_slave.ml
@@ -126,8 +126,15 @@ let refresh_localhost_info ~__context info =
   ) else
     Db.Host.remove_from_other_config ~__context ~self:host
       ~key:Xapi_globs.host_no_local_storage ;
+  let options =
+    match Helpers.get_management_iface_primary_address_type with
+    | `IPv4 ->
+        ["check"; "80"]
+    | `IPv6 ->
+        ["-6"; "check"; "80"]
+  in
   let script_output =
-    Helpers.call_script !Xapi_globs.firewall_port_config_script ["check"; "80"]
+    Helpers.call_script !Xapi_globs.firewall_port_config_script options
   in
   try
     let network_state = Scanf.sscanf script_output "Port 80 open: %B" Fun.id in
diff --git a/ocaml/xapi/helpers.ml b/ocaml/xapi/helpers.ml
@@ -165,6 +165,10 @@ let get_localhost ~__context =
   | true ->
       get_localhost_uncached ~__context
 
+let get_management_iface_primary_address_type =
+  Record_util.primary_address_type_of_string
+    (Xapi_inventory.lookup Xapi_inventory._management_address_type)
+
 (* Determine the gateway and DNS PIFs:
  * If one of the PIFs with IP has other_config:defaultroute=true, then
  * pick this one as gateway PIF. If there are multiple, pick a random one of these.
diff --git a/ocaml/xapi/nm.ml b/ocaml/xapi/nm.ml
@@ -796,10 +796,17 @@ let bring_pif_up ~__context ?(management_interface = false) (pif : API.ref_PIF)
               | `vxlan ->
                   debug
                     "Opening VxLAN UDP port for tunnel with protocol 'vxlan'" ;
+                  let options =
+                    match Helpers.get_management_iface_primary_address_type with
+                    | `IPv4 ->
+                        ["open"; "4789"; "udp"]
+                    | `IPv6 ->
+                        ["-6"; "open"; "4789"; "udp"]
+                  in
                   ignore
                   @@ Helpers.call_script
                        !Xapi_globs.firewall_port_config_script
-                       ["open"; "4789"; "udp"]
+                       options
               | `gre ->
                   ()
             )
@@ -857,10 +864,17 @@ let bring_pif_down ~__context ?(force = false) (pif : API.ref_PIF) =
                 in
                 if no_more_vxlan then (
                   debug "Last VxLAN tunnel was closed, closing VxLAN UDP port" ;
+                  let options =
+                    match Helpers.get_management_iface_primary_address_type with
+                    | `IPv4 ->
+                        ["close"; "4789"; "udp"]
+                    | `IPv6 ->
+                        ["-6"; "close"; "4789"; "udp"]
+                  in
                   ignore
                   @@ Helpers.call_script
                        !Xapi_globs.firewall_port_config_script
-                       ["close"; "4789"; "udp"]
+                       options
                 )
             | `gre ->
                 ()
diff --git a/ocaml/xapi/xapi_clustering.ml b/ocaml/xapi/xapi_clustering.ml
@@ -274,9 +274,16 @@ module Daemon = struct
         raise Api_errors.(Server_error (not_implemented, ["Cluster.create"]))
     ) ;
     ( try
+        let options =
+          match Helpers.get_management_iface_primary_address_type with
+          | `IPv4 ->
+              ["open"; port]
+          | `IPv6 ->
+              ["-6"; "open"; port]
+        in
         maybe_call_script ~__context
           !Xapi_globs.firewall_port_config_script
-          ["open"; port] ;
+          options ;
         maybe_call_script ~__context !Xapi_globs.systemctl ["enable"; service] ;
         maybe_call_script ~__context !Xapi_globs.systemctl ["start"; service]
       with _ ->
@@ -295,9 +302,14 @@ module Daemon = struct
     Atomic.set enabled false ;
     maybe_call_script ~__context !Xapi_globs.systemctl ["disable"; service] ;
     maybe_call_script ~__context !Xapi_globs.systemctl ["stop"; service] ;
-    maybe_call_script ~__context
-      !Xapi_globs.firewall_port_config_script
-      ["close"; port] ;
+    let options =
+      match Helpers.get_management_iface_primary_address_type with
+      | `IPv4 ->
+          ["close"; port]
+      | `IPv6 ->
+          ["-6"; "close"; port]
+    in
+    maybe_call_script ~__context !Xapi_globs.firewall_port_config_script options ;
     debug "Cluster daemon: disabled & stopped"
 
   let restart ~__context =
diff --git a/ocaml/xapi/xapi_host.ml b/ocaml/xapi/xapi_host.ml
@@ -3045,10 +3045,15 @@ let set_https_only ~__context ~self ~value =
   let state = match value with true -> "close" | false -> "open" in
   match cc_prep () with
   | false ->
+      let options =
+        match Helpers.get_management_iface_primary_address_type with
+        | `IPv4 ->
+            [state; "80"]
+        | `IPv6 ->
+            ["-6"; state; "80"]
+      in
       ignore
-      @@ Helpers.call_script
-           !Xapi_globs.firewall_port_config_script
-           [state; "80"] ;
+      @@ Helpers.call_script !Xapi_globs.firewall_port_config_script options ;
       Db.Host.set_https_only ~__context ~self ~value
   | true when value = Db.Host.get_https_only ~__context ~self ->
       (* the new value is the same as the old value *)
