From c5cbdb317cafd503e3e8debfcb3fb0efd32b3df3 Mon Sep 17 00:00:00 2001
From: Richard Tollerton
Date: Mon, 16 Dec 2024 15:55:30 -0600
Subject: [PATCH] Pin niroco to port 55184 and open it to incoming VPN traffic

By default, niroco allocates an ephemeral server port, which cannot be effectively firewalled. We can force it to use a specific port with an INI fragment installed to /usr/share/niroco.d, so that _firewall_config.py can allow incoming traffic to that port. We choose port 55184 more or less entirely arbitrarily, but placing it firmly in the ephemeral range more or less demands that this cannot be the long-term static port decision.

Signed-off-by: Richard Tollerton
---
 Makefile | 6 ++++++
 nilrt_snac/_configs/_firewall_config.py | 4 ++++
 src/x-niroco-static-port.ini | 2 ++
 3 files changed, 12 insertions(+)
 create mode 100644 src/x-niroco-static-port.ini

diff --git a/Makefile b/Makefile
index 5b58c4d..c0f2bfe 100644
--- a/Makefile
+++ b/Makefile
@@ -99,6 +99,11 @@ install : all mkinstalldirs
 	$(DIST_FILES) src/ni-wireguard-labview/ni-wireguard-labview.initd \
 		"$(DESTDIR)/etc/init.d/ni-wireguard-labview"
 
+	# firewall configuration pieces
+	install --mode=0644 \
+		src/x-niroco-static-port.ini \
+		"$(DESTDIR)/usr/share/niroco.d"
+
 	# install python library
 	for pyfile in $(PYNILRT_SNAC_FILES); do \
 		install -D "$${pyfile}" "$(DESTDIR)$(libdir)/$(PACKAGE)/$${pyfile}"; \
@@ -121,6 +126,7 @@ mkinstalldirs :
 	mkdir -p "$(DESTDIR)$(docdir)/$(PACKAGE)"
 	mkdir -p "$(DESTDIR)$(libdir)/$(PACKAGE)"
 	mkdir -p "$(DESTDIR)$(sbindir)"
+	mkdir -p "$(DESTDIR)/usr/share/niroco.d"
 
 uninstall :
 
diff --git a/nilrt_snac/_configs/_firewall_config.py b/nilrt_snac/_configs/_firewall_config.py
index dd62ba6..72b90ef 100644
--- a/nilrt_snac/_configs/_firewall_config.py
+++ b/nilrt_snac/_configs/_firewall_config.py
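Review bot: The fragment placed by the new `install --mode=0644 … "$(DESTDIR)/usr/share/niroco.d"` lines has no counterpart under `uninstall :`, whose header appears only as context in the next hunk, so if that target removes the other installed files the pinned-port fragment will outlive an uninstall and keep forcing niroco onto 55184; a matching `$(RM) "$(DESTDIR)/usr/share/niroco.d/x-niroco-static-port.ini"` there would keep install and uninstall symmetric. The directory is also spelled out literally here and again in mkinstalldirs, while the neighbouring lines go through `$(docdir)`, `$(libdir)` and `$(sbindir)`; a single `niroco_confdir := /usr/share/niroco.d` (or `$(datadir)/niroco.d` if the file defines datadir) used in both places would stop the two from drifting apart. Given the commit message calls the port choice temporary, a `# TODO: drop once niroco no longer needs a pinned port` on the new comment line would tell the next reader this block is expected to go away. The install recipe starts before this hunk.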
@@ -103,6 +103,10 @@ def configure(self, args: argparse.Namespace) -> None:
             "--add-service=ni-rpc-server",
             "--add-service=ni-service-locator",
         )
+        _offlinecmd("--policy=work-in",
+            # Temporary port add; see x-niroco-static-port.ini
+            "--add-port=55184/tcp",
+        )
         _offlinecmd("--policy=work-out",
             "--add-service=amqp",
             "--add-service=salt-master",
diff --git a/src/x-niroco-static-port.ini b/src/x-niroco-static-port.ini
new file mode 100644
index 0000000..433353a
--- /dev/null
+++ b/src/x-niroco-static-port.ini
@@ -0,0 +1,2 @@
+[RemoteServer]
+port=55184
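Review bot: The new `--add-port=55184/tcp` on `--policy=work-in` admits inbound traffic to whichever socket holds 55184, and since the commit message places that number inside the ephemeral range, nothing here keeps the kernel from handing 55184 to some other process as an ephemeral port before niroco binds it, after which niroco's bind fails and the allow rule points at a different listener. Reserving the port from ephemeral allocation (`net.ipv4.ip_local_reserved_ports = 55184` in a sysctl fragment, if this tool already ships any; I cannot see that from the hunk) would close that window. The number is also duplicated between this file and the INI fragment with only a comment linking them; a module-level `NIROCO_STATIC_PORT = 55184` referenced as `f"--add-port={NIROCO_STATIC_PORT}/tcp"`, with the comment reworded to `# Must match port= in src/x-niroco-static-port.ini; temporary until niroco exposes a stable port`, would make the coupling explicit. configure() begins before this hunk and continues after it.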
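Review bot: The new fragment carries no explanation of why `port=55184` is pinned or that the value must agree with the `--add-port` rule in `nilrt_snac/_configs/_firewall_config.py`, so a later edit to either file can silently desynchronise the two. If niroco's INI reader accepts comment lines, a leading `; Pinned so _firewall_config.py can open this port on work-in; keep in sync with --add-port there` would record that; I cannot tell from this hunk which comment syntax, if any, the parser honours. The commit message also describes 55184 as a stopgap, so noting that in the same comment would stop it from calcifying into a de facto long-term port.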