From 8aa3f1508b7a41a2a9a24b1facc0171828863d0b Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Tue, 26 Dec 2023 23:14:07 +0100
Subject: [PATCH] handle closing unnecessary ports at restore and upgrade
---
 scripts/restore | 14 ++++++++++++++
 scripts/upgrade | 7 +++++++
 2 files changed, 21 insertions(+)
diff --git a/scripts/restore b/scripts/restore
index eccf9ef..4a2edb7 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -10,6 +10,20 @@
 source ../settings/scripts/_common.sh
 source /usr/share/yunohost/helpers
 
+#=================================================
+# CLOSE UNNECESSARY PORTS
+# no need to open the ports, as they were opened at the 'Provisioning ports' step
+#=================================================
+
+if [ "$dns_over_https" == "false" ]; then
+ # if dns_over_https is false, we need to close ports,
+ # as they were opened at the 'Provisioning ports' step
+ ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_http"
+ ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_http"
+ ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_quic"
+ ynh_exec_warn_less yunohost firewall reload
+fi
+
 #=================================================
 # RESTORE THE APP MAIN DIR
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 49447c9..df9debd 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
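Review bot: The guard `if [ "$dns_over_https" == "false" ]` in scripts/restore closes the ports only for the exact string `false`, so if a restored settings file still carries an empty value or the legacy `0` (the values the scripts/upgrade hunk of this patch migrates), the DNS-over-HTTPS and DNS-over-QUIC ports would stay allowed in the firewall. Testing for the enabled values instead fails closed: `if [ "$dns_over_https" != "true" ] && [ "$dns_over_https" != "1" ]; then`. Separately, `--no-upnp` on `disallow` presumably leaves any UPnP forwarding untouched, so if the provisioning step requested a UPnP mapping the router may keep forwarding these ports; that is worth confirming, and it applies equally to the same calls in scripts/upgrade.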
@@ -33,10 +33,17 @@
 if [ -n "$dns_over_https" ] && [ "$dns_over_https" == "1" ]; then
 dns_over_https="true"
 ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https
+ # no need to open the ports, as they were opened at the 'Provisioning ports' step
 elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ]; then
 dns_over_https="false"
 ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https
+ # if dns_over_https is false, we need to close ports,
+ # as they were opened at the 'Provisioning ports' step
+ ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_http"
+ ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_http"
+ ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_quic"
+ ynh_exec_warn_less yunohost firewall reload
 fi
 #=================================================
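Review bot: The four `yunohost firewall` calls sit inside the `elif` branch, which only runs when the setting is empty or the legacy `0`, so an instance whose setting is already the string `false` matches neither branch and keeps the ports that, per the added comment, the 'Provisioning ports' step opened. Consider leaving the `if`/`elif` as pure value migration and closing the ports after the `fi` under a separate test on the normalised value, `if [ "$dns_over_https" == "false" ]; then`. Whether provisioning re-opens the ports on every upgrade is not visible in this hunk, so confirm that against the manifest. The block is also a copy of the one added to scripts/restore; a shared helper in `_common.sh` would keep the two in step.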