From 4797b7844dbdbe0df9f26bda33e6c1b7ca4982c5 Mon Sep 17 00:00:00 2001
From: CyberMind-FR
Date: Tue, 3 Feb 2026 08:00:09 +0100
Subject: [PATCH] fix(lyrion): Add firewall rules and fix networking for device discovery

Open LAN firewall ports (TCP 9000/9090/3483, UDP 3483) on install and service start so Squeezebox devices can discover and connect to Lyrion. Fix LXC config to use host networking properly and add missing Docker TCP 9090 CLI port mapping.
Co-Authored-By: Claude Opus 4.5
---
 .../files/usr/sbin/lyrionctl | 74 ++++++++++++++++++-
 1 file changed, 72 insertions(+), 2 deletions(-)
diff --git a/package/secubox/secubox-app-lyrion/files/usr/sbin/lyrionctl b/package/secubox/secubox-app-lyrion/files/usr/sbin/lyrionctl
index 61c17a94..5c59a5ad 100755
--- a/package/secubox/secubox-app-lyrion/files/usr/sbin/lyrionctl
+++ b/package/secubox/secubox-app-lyrion/files/usr/sbin/lyrionctl
@@ -60,6 +60,69 @@ load_config() {
 ensure_dir() { [ -d "$1" ] || mkdir -p "$1"; }
+# Firewall management - open Lyrion ports for LAN device access
+firewall_ensure_rules() {
+ local changed=0
+
+ # Lyrion Web UI (TCP 9000)
+ if ! uci show firewall 2>/dev/null | grep -q "Lyrion-Web"; then
+ log_info "Creating firewall rule for Lyrion Web UI (TCP $port)..."
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Lyrion-Web'
+ uci set firewall.@rule[-1].src='lan'
+ uci set firewall.@rule[-1].dest_port="$port"
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].target='ACCEPT'
+ uci set firewall.@rule[-1].enabled='1'
+ changed=1
+ fi
+
+ # Lyrion CLI (TCP 9090)
+ if ! uci show firewall 2>/dev/null | grep -q "Lyrion-CLI"; then
+ log_info "Creating firewall rule for Lyrion CLI (TCP 9090)..."
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Lyrion-CLI'
+ uci set firewall.@rule[-1].src='lan'
+ uci set firewall.@rule[-1].dest_port='9090'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].target='ACCEPT'
+ uci set firewall.@rule[-1].enabled='1'
+ changed=1
+ fi
+
+ # Slim Protocol TCP (TCP 3483) - player control
+ if ! uci show firewall 2>/dev/null | grep -q "Lyrion-Slim-TCP"; then
+ log_info "Creating firewall rule for Slim Protocol (TCP 3483)..."
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Lyrion-Slim-TCP'
+ uci set firewall.@rule[-1].src='lan'
+ uci set firewall.@rule[-1].dest_port='3483'
+ uci set firewall.@rule[-1].proto='tcp'
+ uci set firewall.@rule[-1].target='ACCEPT'
+ uci set firewall.@rule[-1].enabled='1'
+ changed=1
+ fi
+
+ # Slim Protocol UDP (UDP 3483) - player discovery
+ if ! uci show firewall 2>/dev/null | grep -q "Lyrion-Slim-UDP"; then
+ log_info "Creating firewall rule for Slim Discovery (UDP 3483)..."
+ uci add firewall rule
+ uci set firewall.@rule[-1].name='Lyrion-Slim-UDP'
+ uci set firewall.@rule[-1].src='lan'
+ uci set firewall.@rule[-1].dest_port='3483'
+ uci set firewall.@rule[-1].proto='udp'
+ uci set firewall.@rule[-1].target='ACCEPT'
+ uci set firewall.@rule[-1].enabled='1'
+ changed=1
+ fi
+
+ if [ "$changed" = "1" ]; then
+ uci commit firewall
+ /etc/init.d/firewall reload 2>/dev/null || true
+ log_info "Firewall rules updated - Lyrion ports open on LAN"
+ fi
+}
+
 # Check if a runtime is available
 has_docker() {
 command -v docker >/dev/null 2>&1 && \
@@ -166,6 +229,7 @@ docker_run() {
 exec docker run --rm \
 --name "$CONTAINER_NAME" \
 -p "${port}:9000" \
+ -p "9090:9090" \
 -p "3483:3483" \
 -p "3483:3483/udp" \
 -v "$data_path:/config" \
@@ -453,8 +517,8 @@ lxc.uts.name = $LXC_NAME
 # Root filesystem
 lxc.rootfs.path = dir:$LXC_ROOTFS
-# Network - use host network for simplicity
-lxc.net.0.type = none
+# Network - inherit host network (no lxc.net = share host namespace)
+# Needed for Squeezebox UDP 3483 broadcast discovery
 # Mounts
 lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
@@ -580,6 +644,9 @@ cmd_install() {
 ;;
 esac
+ # Ensure firewall rules are in place
+ firewall_ensure_rules
+
 uci_set enabled '1'
 /etc/init.d/lyrion enable
@@ -688,6 +755,9 @@ cmd_service_run() {
 require_root
 load_config
+ # Ensure firewall rules on every start
+ firewall_ensure_rules
+
 local rt=$(detect_runtime) || exit 1
 case "$rt" in
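Review bot: In `firewall_ensure_rules` the Web UI rule takes its port from `$port`, which the function neither declares nor checks (the comment above it says TCP 9000). If a caller reaches it before `load_config` has run — the `cmd_install` call site further down does not show one within its hunk — the rule is committed without a usable `dest_port`, which I would expect to accept every TCP port from `lan`. The guard `grep -q "Lyrion-Web"` is a substring match over all of `uci show firewall`, so a rule is never updated after the configured port changes, and none of the `uci add`/`uci set` results are checked before `uci commit firewall`. The four blocks differ only in name, protocol and port, so I would fold them into one helper that refuses an empty port and matches the rule name exactly, as sketched below.

```shell
# Add one LAN ACCEPT rule unless a rule with exactly this name exists.
# Returns 0 only when a rule was added.
firewall_add_rule() {
	local name="$1" proto="$2" dport="$3"

	# A rule without dest_port would match every port, so refuse an empty one.
	[ -n "$dport" ] || { log_info "Skipping $name: no port configured"; return 1; }
	uci show firewall 2>/dev/null | grep -qF ".name='$name'" && return 1

	log_info "Creating firewall rule $name ($proto $dport)..."
	uci add firewall rule >/dev/null || return 1
	uci set firewall.@rule[-1].name="$name"
	uci set firewall.@rule[-1].src='lan'
	uci set firewall.@rule[-1].dest_port="$dport"
	uci set firewall.@rule[-1].proto="$proto"
	uci set firewall.@rule[-1].target='ACCEPT'
	uci set firewall.@rule[-1].enabled='1'
}

firewall_ensure_rules() {
	local changed=0

	firewall_add_rule 'Lyrion-Web' tcp "$port" && changed=1
	firewall_add_rule 'Lyrion-CLI' tcp 9090 && changed=1
	firewall_add_rule 'Lyrion-Slim-TCP' tcp 3483 && changed=1
	firewall_add_rule 'Lyrion-Slim-UDP' udp 3483 && changed=1

	# … unchanged: commit and reload when changed=1 …
}
```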
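Review bot: `-p "9090:9090"` publishes the Lyrion CLI on every address of the host, not only the LAN one, and Docker normally installs its own NAT rules for published ports, so the `src='lan'` rules added by this commit probably do not restrict it. As far as I know the CLI accepts player-control commands without a login unless password protection is enabled in the server, so on a router I would bind the mapping to the LAN address, e.g. `-p "<LAN_IP>:9090:9090" \` (placeholder), or make the CLI port opt-in. The same applies to the existing 9000 and 3483 mappings in the context lines; `docker_run` continues outside the hunk.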
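Review bot: The new comment states that having no `lxc.net` keys shares the host namespace, but the removed `lxc.net.0.type = none` is the setting LXC documents for exactly that, and what an empty network section does has, I believe, differed between LXC releases. Please confirm against the LXC version shipped on the target; if it yields a private namespace with only loopback, UDP 3483 discovery breaks silently. If host networking is what you get, the comment should also say that every port the server binds is then reachable on all host interfaces, WAN included, and only the firewall input policy limits it: `# Host netns: Lyrion listens on all router interfaces; exposure is controlled by firewall zones only`. The surrounding config template starts and ends outside the hunk.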
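Review bot: `cmd_install` now opens four LAN ports with no way to decline, and nothing visible in this patch removes the `Lyrion-*` rules again on uninstall. The second call in `cmd_service_run` (last hunk) repeats this on every start, so an administrator who deletes a rule, for example the CLI one, gets it back at the next restart. I would gate both calls on a config option (name to be chosen) and document it with a comment such as `# Opens TCP 9000/9090/3483 and UDP 3483 to lan; skip when the admin manages rules manually`. Both functions begin and end outside their hunks.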