CP-40753 Added change to the firewall-port script to modify the RH-Firewall-1-INPUT chain

jameshensmancitrix · jameshensmancitrix · commit 0ac90b0f06cb · 2022-10-05T11:23:38.000+01:00
Signed-off-by: jameshensmancitrix &lt;james.hensman@citrix.com&gt;
diff --git a/ocaml/xapi/xapi_host.ml b/ocaml/xapi/xapi_host.ml
@@ -2927,7 +2927,7 @@ let apply_updates ~__context ~self ~hash =
   warnings
 
 let set_https_only ~__context ~self ~value =
-  Db.Host.set_https_only ~__context ~self ~value ;
   let state = match value with true -> "close" | false -> "open" in
   ignore
-  @@ Helpers.call_script !Xapi_globs.firewall_port_config_script [state; "80"]
+  @@ Helpers.call_script !Xapi_globs.firewall_port_config_script [state; "80"] ;
+  Db.Host.set_https_only ~__context ~self ~value
diff --git a/scripts/plugins/firewall-port b/scripts/plugins/firewall-port
@@ -16,9 +16,17 @@ set -e
 OP="$1"
 PORT="$2"
 PROTOCOL="${3:-tcp}"
-CHAIN="xapi-INPUT"
 RULE="-p $PROTOCOL -m conntrack --ctstate NEW -m $PROTOCOL --dport $PORT -j ACCEPT"
 
+case "$PORT" in
+    80)
+        CHAIN="RH-Firewall-1-INPUT"
+        ;;
+    *)
+        CHAIN="xapi-INPUT"
+        ;;
+esac
+
 case "${OP}" in
     open)
         if ! iptables -C $CHAIN $RULE 2>/dev/null
