-rwxr-xr-x | pkg/linux/bitmask-root | 102 |
1 files changed, 61 insertions, 41 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 4463dbaa..6fbafff9 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -47,9 +47,9 @@ import traceback
 cmdcheck = subprocess.check_output
-##
-## CONSTANTS
-##
+#
+# CONSTANTS
+#
 VERSION = "1"
 SCRIPT = "bitmask-root"
@@ -121,9 +121,10 @@ if DEBUG:
     syslog.openlog(SCRIPT)
-##
-## UTILITY
-##
+#
+# UTILITY
+#
+
 def is_valid_address(value):
     """
@@ -207,7 +208,8 @@ def run(command, *args, **options):
     `detach`: If True, run in detached process.
     `input`: If True, open command for writing stream to, returning the Popen object.
-    `throw`: If True, raise an exception if there is an error instead of bailing.
+    `throw`: If True, raise an exception if there is an error instead
+        of bailing.
     """
     parts = [command]
     parts.extend(args)
@@ -233,9 +235,10 @@ def run(command, *args, **options):
     except subprocess.CalledProcessError as exc:
         if _exitcode:
             if exc.returncode != 1:
-                # 0 or 1 is to be expected, but anything else should be logged.
-                debug("ERROR: Could not run %s: %s" % (exc.cmd, exc.output),
-                      exception=exc)
+                # 0 or 1 is to be expected, but anything else
+                # should be logged.
+                debug("ERROR: Could not run %s: %s" %
+                      (exc.cmd, exc.output), exception=exc)
             return exc.returncode
         elif _throw:
             raise exc
@@ -264,6 +267,7 @@ def log(msg=None, exception=None, priority=syslog.LOG_INFO):
             traceback.print_exc()
             syslog.syslog(priority, traceback.format_exc())
+
 def debug(msg=None, exception=None):
     """
     Just like log, but is skipped unless DEBUG. Use syslog.LOG_INFO
@@ -272,6 +276,7 @@ def debug(msg=None, exception=None):
     if TEST or DEBUG:
         log(msg, exception)
+
 def bail(msg=None, exception=None):
     """
     abnormal exit. like log(), but exits with error status code.
@@ -279,9 +284,10 @@ def bail(msg=None, exception=None):
     log(msg, exception)
     exit(1)
-##
-## OPENVPN
-##
+#
+# OPENVPN
+#
+
 def get_openvpn_bin():
     """
@@ -314,14 +320,14 @@ def parse_openvpn_flags(args):
             flag_params = flag[1:]
             if len(flag_params) != len(required_params):
                 log("%s: ERROR: not enough params for %s" %
-                    (SCRIPT, flag_name))
+                    (SCRIPT, flag_name))
                 return None
             for param, param_type in zip(flag_params, required_params):
                 if PARAM_FORMATS[param_type](param):
                     result.append(param)
                 else:
                     log("%s: ERROR: Bad argument %s" %
-                        (SCRIPT, param))
+                        (SCRIPT, param))
                     return None
         else:
             log("WARNING: unrecognized openvpn flag %s" % flag_name)
@@ -372,9 +378,10 @@ def openvpn_stop(args):
         pid = found_leap_openvpn[0][0]
         os.kill(int(pid), signal.SIGTERM)
-##
-## FIREWALL
-##
+#
+# FIREWALL
+#
+
 def get_gateways(gateways):
     """
@@ -492,6 +499,7 @@ def ip6tables(*args, **options):
 # the chain.
 #
+
 def ipv4_chain_exists(chain, table=None):
     """
     Check if a given chain exists. Only returns true if it actually exists,
@@ -501,10 +509,11 @@ def ipv4_chain_exists(chain, table=None):
     :type chain: str
     :rtype: bool
     """
-    if table:
-        code = run(IPTABLES, "-t", table, "--list", chain, "--numeric", exitcode=True)
+    if table is not None:
+        code = run(IPTABLES, "-t", table,
+                   "--list", chain, "--numeric", exitcode=True)
     else:
-        code = run(IPTABLES, "--list", chain, "--numeric", exitcode=True)
+        code = run(IPTABLES, "--list", chain, "--numeric", exitcode=True)
     if code == 0:
         return True
     elif code == 1:
@@ -531,13 +540,14 @@ def ipv6_chain_exists(chain):
         log("ERROR: Could not determine state of iptable chain")
         return False
+
 def enable_ip_forwarding():
     """
     ip_fowarding must be enabled for the firewall to work.
     """
-    file = open('/proc/sys/net/ipv4/ip_forward', 'w')
-    file.write('1\n')
-    file.close
+    with open('/proc/sys/net/ipv4/ip_forward', 'w') as f:
+        f.write('1\n')
+
 def firewall_start(args):
     """
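Review bot: In the `enable_ip_forwarding` hunk the `with` block fixes the `file.close` that was never actually called, but a failed `open()` of `/proc/sys/net/ipv4/ip_forward` (read-only /proc in a container, sysctl not writable) still escapes as an unhandled `OSError`, and as the `firewall_start` hunk below shows this runs after the bitmask chains have already been inserted into OUTPUT, whereas the rest of this script reports such failures through `bail()`. Consider wrapping the write with `except OSError as exc:` followed by `bail("ERROR: could not enable ip_forward", exc)` so the operator sees a logged, deliberate exit rather than a traceback. The docstring on the context line also misspells the sysctl: `ip_fowarding` should read `ip_forwarding`. `firewall_start` itself lies outside this hunk.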
@@ -562,7 +572,8 @@ def firewall_start(args):
     ip4tables("--table", "nat", "--insert", "OUTPUT", "--jump", BITMASK_CHAIN)
     iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN)
-    # route all ipv4 DNS over VPN (note: NAT does not work with ipv6 until kernel 3.7)
+    # route all ipv4 DNS over VPN
+    # (note: NAT does not work with ipv6 until kernel 3.7)
     enable_ip_forwarding()
     # allow dns to localhost
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
@@ -628,50 +639,59 @@ def firewall_start(args):
 def firewall_stop():
     """
-    Stop the firewall. Because we really really always want the firewall to be
-    stopped if at all possible, this function is cautious and contains a lot of
-    trys and excepts.
+    Stop the firewall. Because we really really always want the firewall to
+    be stopped if at all possible, this function is cautious and contains a
+    lot of trys and excepts.
-    If there were any problems, we raise an exception at the end. This allows the calling code
-    to retry stopping the firewall. Stopping the firewall can fail if iptables is being run by
-    another process (only one iptables command can be run at a time).
+    If there were any problems, we raise an exception at the end. This allows
+    the calling code to retry stopping the firewall. Stopping the firewall
+    can fail if iptables is being run by another process (only one iptables
+    command can be run at a time).
     """
     ok = True
     try:
         iptables("--delete", "OUTPUT", "--jump", BITMASK_CHAIN, throw=True)
     except subprocess.CalledProcessError as exc:
-        debug("INFO: not able to remove bitmask firewall from OUTPUT chain (maybe it is already removed?)", exc)
+        debug("INFO: not able to remove bitmask firewall from OUTPUT chain "
+              "(maybe it is already removed?)", exc)
         ok = False
     try:
-        ip4tables("-t", "nat", "--delete", "OUTPUT", "--jump", BITMASK_CHAIN, throw=True)
+        ip4tables("-t", "nat", "--delete", "OUTPUT",
+                  "--jump", BITMASK_CHAIN, throw=True)
     except subprocess.CalledProcessError as exc:
-        debug("INFO: not able to remove bitmask firewall from OUTPUT chain in 'nat' table (maybe it is already removed?)", exc)
+        debug("INFO: not able to remove bitmask firewall from OUTPUT chain "
+              "in 'nat' table (maybe it is already removed?)", exc)
         ok = False
     try:
         ip4tables("--flush", BITMASK_CHAIN, throw=True)
         ip4tables("--delete-chain", BITMASK_CHAIN, throw=True)
     except subprocess.CalledProcessError as exc:
-        debug("INFO: not able to flush and delete bitmask ipv4 firewall chain 
(maybe it is already destroyed?)", exc)
+        debug("INFO: not able to flush and delete bitmask ipv4 firewall "
+              "chain (maybe it is already destroyed?)", exc)
         ok = False
     try:
         ip4tables("-t", "nat", "--flush", BITMASK_CHAIN, throw=True)
         ip4tables("-t", "nat", "--delete-chain", BITMASK_CHAIN, throw=True)
     except subprocess.CalledProcessError as exc:
-        debug("INFO: not able to flush and delete bitmask ipv4 firewall chain in 'nat' table (maybe it is already destroyed?)", exc)
+        debug("INFO: not able to flush and delete bitmask ipv4 firewall "
+              "chain in 'nat' table (maybe it is already destroyed?)", exc)
         ok = False
     try:
         ip6tables("--flush", BITMASK_CHAIN, throw=True)
         ip6tables("--delete-chain", BITMASK_CHAIN, throw=True)
     except subprocess.CalledProcessError as exc:
-        debug("INFO: not able to flush and delete bitmask ipv6 firewall chain (maybe it is already destroyed?)", exc)
+        debug("INFO: not able to flush and delete bitmask ipv6 firewall "
+              "chain (maybe it is already destroyed?)", exc)
         ok = False
     if not (ok or ipv4_chain_exists or ipv6_chain_exists):
-        raise Exception("firewall might still be left up. Please try `firewall stop` again.")
+        raise Exception("firewall might still be left up. "
+                        "Please try `firewall stop` again.")
+
+#
+# MAIN
+#
-##
-## MAIN
-##
 def main():
     """
|
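Review bot: The guard `if not (ok or ipv4_chain_exists or ipv6_chain_exists):` on the context line directly above the rewrapped `raise` tests the two function objects instead of calling them, so the parenthesised expression is always truthy and the `Exception` the docstring promises for a retry can never be raised; a failed stop is reported only through `debug()` and the caller continues as if the firewall were down. The commit rewraps the message on the `raise` line but leaves that condition untouched. Even with calls added, `not (ok or exists)` raises only when nothing is left, which looks inverted; the intent appears to be to raise when something failed and a chain is still present, e.g. `if not ok and (ipv4_chain_exists(BITMASK_CHAIN) or ipv4_chain_exists(BITMASK_CHAIN, table="nat") or ipv6_chain_exists(BITMASK_CHAIN)):` — confirm against the callers' retry logic before changing the boolean shape.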