CP-308800: Dynamic control http firewall service

BengangY · BengangY · commit 6fbb10e68060 · 2025-08-20T07:19:23.000Z
Signed-off-by: Bengang Yuan &lt;bengang.yuan@cloud.com&gt;
diff --git a/ocaml/xapi/dbsync_slave.ml b/ocaml/xapi/dbsync_slave.ml
@@ -134,16 +134,33 @@ let refresh_localhost_info ~__context info =
   ) else
     Db.Host.remove_from_other_config ~__context ~self:host
       ~key:Xapi_globs.host_no_local_storage ;
-  let script_output =
-    Helpers.call_script !Xapi_globs.firewall_port_config_script ["check"; "80"]
+  let update_https_only =
+    match !Xapi_globs.firewall_backend with
+    | "firewalld" ->
+        let enabled =
+          Firewall.is_firewall_service_enabled ~service:Firewall.Xapi_insecure
+        in
+        Db.Host.set_https_only ~__context ~self:host ~value:(not enabled)
+    | "iptables" -> (
+        let script_output =
+          Helpers.call_script
+            !Xapi_globs.firewall_port_config_script
+            ["check"; "80"]
+        in
+        try
+          let network_state =
+            Scanf.sscanf script_output "Port 80 open: %B" Fun.id
+          in
+          Db.Host.set_https_only ~__context ~self:host ~value:network_state
+        with _ ->
+          Helpers.internal_error
+            "unexpected output from /etc/xapi.d/plugins/firewall-port: %s"
+            script_output
+      )
+    | backend ->
+        warn "Unknown firewall backend %s, ignore it." backend
   in
-  try
-    let network_state = Scanf.sscanf script_output "Port 80 open: %B" Fun.id in
-    Db.Host.set_https_only ~__context ~self:host ~value:network_state
-  with _ ->
-    Helpers.internal_error
-      "unexpected output from /etc/xapi.d/plugins/firewall-port: %s"
-      script_output
+  update_https_only
 (*************** update database tools ******************)
 
 (** Record host memory properties in database *)
diff --git a/ocaml/xapi/xapi_host.ml b/ocaml/xapi/xapi_host.ml
@@ -3116,13 +3116,28 @@ let cc_prep () =
       true
 
 let set_https_only ~__context ~self ~value =
-  let state = match value with true -> "close" | false -> "open" in
   match cc_prep () with
   | false ->
-      ignore
-      @@ Helpers.call_script
-           !Xapi_globs.firewall_port_config_script
-           [state; "80"] ;
+      ( match !Xapi_globs.firewall_backend with
+      | "firewalld" ->
+          let status =
+            match value with
+            | true ->
+                Firewall.Disabled
+            | false ->
+                Firewall.Enabled
+          in
+          Firewall.update_firewall_status ~service:Firewall.Xapi_insecure
+            ~status
+      | "iptables" ->
+          let state = match value with true -> "close" | false -> "open" in
+          ignore
+          @@ Helpers.call_script
+               !Xapi_globs.firewall_port_config_script
+               [state; "80"]
+      | backend ->
+          warn "Unknown firewall backend %s, ignore it." backend
+      ) ;
       Db.Host.set_https_only ~__context ~self ~value
   | true when value = Db.Host.get_https_only ~__context ~self ->
       (* the new value is the same as the old value *)
