-rwxr-xr-xpkg/linux/bitmask-root102
1 files changed, 61 insertions, 41 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 4463dbaa..6fbafff9 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -47,9 +47,9 @@ import traceback
cmdcheck = subprocess.check_output
-##
-## CONSTANTS
-##
+#
+# CONSTANTS
+#
VERSION = "1"
SCRIPT = "bitmask-root"
@@ -121,9 +121,10 @@ if DEBUG:
syslog.openlog(SCRIPT)
-##
-## UTILITY
-##
+#
+# UTILITY
+#
+
def is_valid_address(value):
"""
@@ -207,7 +208,8 @@ def run(command, *args, **options):
`detach`: If True, run in detached process.
`input`: If True, open command for writing stream to, returning the Popen
object.
- `throw`: If True, raise an exception if there is an error instead of bailing.
+ `throw`: If True, raise an exception if there is an error instead
+ of bailing.
"""
parts = [command]
parts.extend(args)
@@ -233,9 +235,10 @@ def run(command, *args, **options):
except subprocess.CalledProcessError as exc:
if _exitcode:
if exc.returncode != 1:
- # 0 or 1 is to be expected, but anything else should be logged.
- debug("ERROR: Could not run %s: %s" % (exc.cmd, exc.output),
- exception=exc)
+ # 0 or 1 is to be expected, but anything else
+ # should be logged.
+ debug("ERROR: Could not run %s: %s" %
+ (exc.cmd, exc.output), exception=exc)
return exc.returncode
elif _throw:
raise exc
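Review bot: The re-wrapped error path still routes an unexpected iptables exit status through `debug()`, and this same diff shows `debug()` is a no-op unless `TEST` or `DEBUG` is set (the `if TEST or DEBUG:` guard in the later hunk), so the comment's "anything else should be logged" does not hold for a normal root run: an iptables/ip6tables invocation failing with status 2 or higher is silently reduced to a return code. For a helper that installs a VPN kill-switch that is a failure the operator should see in syslog, so I would call `log("ERROR: Could not run %s: %s" % (exc.cmd, exc.output), exception=exc, priority=syslog.LOG_ERR)` here (the `priority` parameter is visible on `log()`'s signature in a later hunk header). `run()` starts and ends outside this hunk, so I cannot tell whether a caller compensates.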
@@ -264,6 +267,7 @@ def log(msg=None, exception=None, priority=syslog.LOG_INFO):
traceback.print_exc()
syslog.syslog(priority, traceback.format_exc())
+
def debug(msg=None, exception=None):
"""
Just like log, but is skipped unless DEBUG. Use syslog.LOG_INFO
@@ -272,6 +276,7 @@ def debug(msg=None, exception=None):
if TEST or DEBUG:
log(msg, exception)
+
def bail(msg=None, exception=None):
"""
abnormal exit. like log(), but exits with error status code.
@@ -279,9 +284,10 @@ def bail(msg=None, exception=None):
log(msg, exception)
exit(1)
-##
-## OPENVPN
-##
+#
+# OPENVPN
+#
+
def get_openvpn_bin():
"""
@@ -314,14 +320,14 @@ def parse_openvpn_flags(args):
flag_params = flag[1:]
if len(flag_params) != len(required_params):
log("%s: ERROR: not enough params for %s" %
- (SCRIPT, flag_name))
+ (SCRIPT, flag_name))
return None
for param, param_type in zip(flag_params, required_params):
if PARAM_FORMATS[param_type](param):
result.append(param)
else:
log("%s: ERROR: Bad argument %s" %
- (SCRIPT, param))
+ (SCRIPT, param))
return None
else:
log("WARNING: unrecognized openvpn flag %s" % flag_name)
@@ -372,9 +378,10 @@ def openvpn_stop(args):
pid = found_leap_openvpn[0][0]
os.kill(int(pid), signal.SIGTERM)
-##
-## FIREWALL
-##
+#
+# FIREWALL
+#
+
def get_gateways(gateways):
"""
@@ -492,6 +499,7 @@ def ip6tables(*args, **options):
# the chain.
#
+
def ipv4_chain_exists(chain, table=None):
"""
Check if a given chain exists. Only returns true if it actually exists,
@@ -501,10 +509,11 @@ def ipv4_chain_exists(chain, table=None):
:type chain: str
:rtype: bool
"""
- if table:
- code = run(IPTABLES, "-t", table, "--list", chain, "--numeric", exitcode=True)
+ if table is not None:
+ code = run(IPTABLES, "-t", table,
+ "--list", chain, "--numeric", exitcode=True)
else:
- code = run(IPTABLES, "--list", chain, "--numeric", exitcode=True)
+ code = run(IPTABLES, "--list", chain, "--numeric", exitcode=True)
if code == 0:
return True
elif code == 1:
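Review bot: Switching the guard to `table is not None` changes behaviour for an empty string: `table=""` used to fall through to the plain `--list` call and now yields `iptables -t "" --list ...`, which iptables rejects with an exit status that is neither 0 nor 1, so the function presumably lands in the "could not determine state" fallback that lies past the end of this hunk. No caller visible in this diff passes an empty table, so this is latent rather than live, but since the only argument iptables is not vetting here is `table`, it is cheap to be explicit: either keep `if table:` or reject bad values up front with `if table not in (None, "filter", "nat", "mangle", "raw"): bail("bad iptables table: %s" % table)`. The `elif code == 1:` branch and the error path of `ipv4_chain_exists` continue beyond the hunk.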
@@ -531,13 +540,14 @@ def ipv6_chain_exists(chain):
log("ERROR: Could not determine state of iptable chain")
return False
+
def enable_ip_forwarding():
"""
ip_fowarding must be enabled for the firewall to work.
"""
- file = open('/proc/sys/net/ipv4/ip_forward', 'w')
- file.write('1\n')
- file.close
+ with open('/proc/sys/net/ipv4/ip_forward', 'w') as f:
+ f.write('1\n')
+
def firewall_start(args):
"""
@@ -562,7 +572,8 @@ def firewall_start(args):
ip4tables("--table", "nat", "--insert", "OUTPUT", "--jump", BITMASK_CHAIN)
iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN)
- # route all ipv4 DNS over VPN (note: NAT does not work with ipv6 until kernel 3.7)
+ # route all ipv4 DNS over VPN
+ # (note: NAT does not work with ipv6 until kernel 3.7)
enable_ip_forwarding()
# allow dns to localhost
ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
@@ -628,50 +639,59 @@ def firewall_start(args):
def firewall_stop():
"""
- Stop the firewall. Because we really really always want the firewall to be
- stopped if at all possible, this function is cautious and contains a lot of
- trys and excepts.
+ Stop the firewall. Because we really really always want the firewall to
+ be stopped if at all possible, this function is cautious and contains a
+ lot of trys and excepts.
- If there were any problems, we raise an exception at the end. This allows the calling code
- to retry stopping the firewall. Stopping the firewall can fail if iptables is being run by
- another process (only one iptables command can be run at a time).
+ If there were any problems, we raise an exception at the end. This allows
+ the calling code to retry stopping the firewall. Stopping the firewall
+ can fail if iptables is being run by another process (only one iptables
+ command can be run at a time).
"""
ok = True
try:
iptables("--delete", "OUTPUT", "--jump", BITMASK_CHAIN, throw=True)
except subprocess.CalledProcessError as exc:
- debug("INFO: not able to remove bitmask firewall from OUTPUT chain (maybe it is already removed?)", exc)
+ debug("INFO: not able to remove bitmask firewall from OUTPUT chain "
+ "(maybe it is already removed?)", exc)
ok = False
try:
- ip4tables("-t", "nat", "--delete", "OUTPUT", "--jump", BITMASK_CHAIN, throw=True)
+ ip4tables("-t", "nat", "--delete", "OUTPUT",
+ "--jump", BITMASK_CHAIN, throw=True)
except subprocess.CalledProcessError as exc:
- debug("INFO: not able to remove bitmask firewall from OUTPUT chain in 'nat' table (maybe it is already removed?)", exc)
+ debug("INFO: not able to remove bitmask firewall from OUTPUT chain "
+ "in 'nat' table (maybe it is already removed?)", exc)
ok = False
try:
ip4tables("--flush", BITMASK_CHAIN, throw=True)
ip4tables("--delete-chain", BITMASK_CHAIN, throw=True)
except subprocess.CalledProcessError as exc:
- debug("INFO: not able to flush and delete bitmask ipv4 firewall chain (maybe it is already destroyed?)", exc)
+ debug("INFO: not able to flush and delete bitmask ipv4 firewall "
+ "chain (maybe it is already destroyed?)", exc)
ok = False
try:
ip4tables("-t", "nat", "--flush", BITMASK_CHAIN, throw=True)
ip4tables("-t", "nat", "--delete-chain", BITMASK_CHAIN, throw=True)
except subprocess.CalledProcessError as exc:
- debug("INFO: not able to flush and delete bitmask ipv4 firewall chain in 'nat' table (maybe it is already destroyed?)", exc)
+ debug("INFO: not able to flush and delete bitmask ipv4 firewall "
+ "chain in 'nat' table (maybe it is already destroyed?)", exc)
ok = False
try:
ip6tables("--flush", BITMASK_CHAIN, throw=True)
ip6tables("--delete-chain", BITMASK_CHAIN, throw=True)
except subprocess.CalledProcessError as exc:
- debug("INFO: not able to flush and delete bitmask ipv6 firewall chain (maybe it is already destroyed?)", exc)
+ debug("INFO: not able to flush and delete bitmask ipv6 firewall "
+ "chain (maybe it is already destroyed?)", exc)
ok = False
if not (ok or ipv4_chain_exists or ipv6_chain_exists):
- raise Exception("firewall might still be left up. Please try `firewall stop` again.")
+ raise Exception("firewall might still be left up. "
+ "Please try `firewall stop` again.")
+
+#
+# MAIN
+#
-##
-## MAIN
-##
def main():
"""