
dante-sockd: add firewall rule #5006

Open. Wants to merge 9 commits into base: master

Conversation

hgy59
Contributor

@hgy59 hgy59 commented Dec 18, 2021

Motivation: Add firewall rule for port configured with wizard
Linked issues: This is a follow up of #4898

Checklist

  • Build rule all-supported completed successfully
  • Package upgrade completed successfully
  • New installation of package completed successfully

TODO

  • make group creation DSM 7 compatible => package will never be DSM 7 compatible, as service must be started as root
  • fix interface name in sockd.conf or use ip address (on my DS218 and DS918+ systems eth0 has no inet addr assigned, but ovs_eth0 has)

@hgy59
Contributor Author

hgy59 commented Dec 18, 2021

This PR provides a solution to use custom service ports defined in the installation wizard.
We do not want to enable port configuration for all packages (as discussed in #4613).
But in some situations this is probably a good solution.

As both the ejabberd and mosquitto packages serve the default MQTT port 1883 we could either declare those packages as conflicting (add install_conflict_packages to the INFO file), or enhance the two packages to configure the MQTT port with the installation wizard.

@hgy59
Contributor Author

hgy59 commented Dec 18, 2021

@publicarray configurable ports may be useful for the dnscrypt-proxy package as discussed in #4744 (and other issues?)

@hgy59
Contributor Author

hgy59 commented Dec 18, 2021

@publicarray do you know how to create an interface selection dialog in the wizard - similar as we do for the volume for shared folders?

@publicarray
Member

Why not let the user choose any valid port number? In the install script you could also create the firewall rule on the fly.

The DSM6 docs still have wizard information: https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/6.0/enu/DSM_Developer_Guide_6_0.pdf#page72

I did this on mobile so the json is probably invalid

[
    {
        "step_title": "Conf",
        "items": [
            {
                "type": "combobox",
                "desc": "port",
                "subitems": [
                    {
                        "key": "wizard_port",
                        "desc": "port",
                        "displayField": "display_text",
                        "valueField": "port",
                        "editable": false,
                        "mode": "local",
                        "store": {
                            "xtype": "arraystore",
                            "fields": ["port", "display_text"],
                            "data": [["53", "53/dns"], ["80", "80/http"]]
                        }
                    }
                ]
            }
        ]
    }
]

@hgy59
Contributor Author

hgy59 commented Dec 18, 2021

@publicarray you probably mixed up my two questions/remarks above.

The dante-sockd wizard lets the user choose any valid port. The tricky part is that the firewall rule file (*.sc) must be generated/updated in the preinst step or it will not be applied by the DSM installer.
And in the preinst step, the folder ${SYNOPKG_PKGDIST} is not yet created. The file must be updated in the ${SYNOPKG_PKGINST_TEMP_DIR} folder where the spk file is extracted before it gets copied to ${SYNOPKG_PKGDIST}.

And as the *.sc file in the spk package contains a placeholder for the port, the DSM installer is not able to verify whether the port entered in the wizard is already in use. So the validation is done in service-setup.sh.

And I tried to use {{wizard-variable-name}} as placeholder, but it is apparently not handled as in resource workers...


The other question was about enumerating the available network interfaces, similar to the list of volumes in DSM 7 compatible wizards for shared folder volumes.

@publicarray
Member

publicarray commented Jan 3, 2022

I haven't done it before (the volume selection was a copy and paste from the official DSM6 docs), but the dropdown can use a web API: https://global.download.synology.com/download/Document/Software/DeveloperGuide/Os/DSM/All/enu/DSM_Login_Web_API_Guide_enu.pdf

  • <NAS IP:5001>/webapi/entry.cgi?api=SYNO.API.Info&version=1&method=query lists all APIs
  • /webapi/entry.cgi?api=SYNO.API.Auth&version=6&method=login&account=<USER>&passwd=<PASS>&session=FileStation&format=cookie for a login cookie
  • /webapi/entry.cgi?api=SYNO.Core.Network.Interface&version=1&method=list to get the interfaces
  • /webapi/entry.cgi?api=SYNO.Core.Network.Interface&version=1&method=list&limit=-1&offset=0&location=internal to emulate the combobox

@publicarray
Member

I found an issue with the missing $USER variable #5041 and did a quick workaround (not an actual fix since I don't know the impact).

@hgy59
Contributor Author

hgy59 commented Jan 3, 2022

@publicarray thanks for the wizard update. That's what I was looking for.

Permissions on DSM 6 do not work yet, I got the following log:

# cat dante-sockd.log
Mon Jan  3 19:31:41 CET 2022
Starting dante-sockd command /volume1/@appstore/dante-sockd/sbin/sockd -f /volume1/@appstore/dante-sockd/var/sockd.conf -p /volume1/@appstore/dante-sockd/var/dante-sockd.pid -D
Jan  3 19:31:42 (1641234702.001380) sockd[27004]: warning: checkugid(): could not seteuid(2) to privileged uid 0: Operation not permitted
Jan  3 19:31:42 (1641234702.001561) sockd[27004]: warning: checkugid(): could not seteuid(2) to unprivileged uid 99: Operation not permitted
Jan  3 19:31:42 (1641234702.001581) sockd[27004]: warning: checkugid(): could not seteuid(2) to libwrap uid 99: Operation not permitted
Jan  3 19:31:42 (1641234702.001604) sockd[27004]: warning: sockd_initprivs(): setegid(2) to unprivileged gid 99 failed: Operation not permitted
Jan  3 19:31:42 (1641234702.001618) sockd[27004]: warning: configure_privileges(): could not initialize privileges (Operation not permitted).  Usually we need to be started by root if special privileges are to be available
Jan  3 19:31:42 (1641234702.001635) sockd[27004]: error: parseconfig(): could not configure privileges: Operation not permitted
Jan  3 19:31:42 (1641234702.001696) sockd[27004]: alert: mother[1/1]: shutting down
dante-sockd is not running

@publicarray
Member

@hgy59 this should work again 😃

- apply patch for all DSM versions