3 files changed, 37 insertions, 7 deletions

diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 6942b99b..d9c8a61f 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -809,6 +809,12 @@ def main():
             except Exception as ex:
                 bail("ERROR: could not stop firewall", ex)
 
+        elif command == "firewall_isup":
+            if ipv4_chain_exists(BITMASK_CHAIN):
+                print("%s: INFO: bitmask firewall is up" % (SCRIPT,))
+            else:
+                bail("INFO: bitmask firewall is down")
+
         else:
             bail("ERROR: No such command")
     else:
diff --git a/src/leap/bitmask/backend.py b/src/leap/bitmask/backend.py
index bd26bb1c..41fdc06e 100644
--- a/src/leap/bitmask/backend.py
+++ b/src/leap/bitmask/backend.py
@@ -17,8 +17,10 @@
 """
 Backend for everything
 """
+import commands
 import logging
 import os
+import time
 
 from functools import partial
 from Queue import Queue, Empty
@@ -32,6 +34,7 @@ import zope.interface
 from leap.bitmask.config.providerconfig import ProviderConfig
 from leap.bitmask.crypto.srpauth import SRPAuth
 from leap.bitmask.crypto.srpregister import SRPRegister
+from leap.bitmask.platform_init import IS_LINUX
 from leap.bitmask.provider import get_provider_path
 from leap.bitmask.provider.providerbootstrapper import ProviderBootstrapper
 from leap.bitmask.services.eip import eipconfig
@@ -366,6 +369,34 @@ class EIP(object):
         Stop the service.
         """
         self._vpn.terminate(shutdown)
+        if IS_LINUX:
+            self._wait_for_firewall_down()
+
+    def _wait_for_firewall_down(self):
+        """
+        Wait for the firewall to come down.
+        """
+        # Due to how we delay the resolvconf action in linux.
+        # XXX this *has* to wait for a reasonable lapse, since we have some
+        # delay in vpn.terminate.
+        # For a better solution it should be signaled from backend that
+        # everything is clear to proceed, or a timeout happened.
+        MAX_FW_WAIT_RETRIES = 25
+        FW_WAIT_STEP = 0.5
+
+        retry = 0
+
+        fw_up_cmd = "pkexec /usr/sbin/bitmask-root firewall isup"
+        fw_is_down = lambda: commands.getstatusoutput(fw_up_cmd)[0] == 256
+
+        while retry < MAX_FW_WAIT_RETRIES:
+            if fw_is_down():
+                return
+            else:
+                time.sleep(FW_WAIT_STEP)
+                retry += 1
+        logger.warning("After waiting, firewall is not down... "
+                       "You might experience lack of connectivity")
 
     def terminate(self):
         """
diff --git a/src/leap/bitmask/gui/mainwindow.py b/src/leap/bitmask/gui/mainwindow.py
index 681432b3..c55dbb82 100644
--- a/src/leap/bitmask/gui/mainwindow.py
+++ b/src/leap/bitmask/gui/mainwindow.py
@@ -2068,13 +2068,6 @@ class MainWindow(QtGui.QMainWindow):
         logger.debug('Terminating vpn')
         self._backend.stop_eip(shutdown=True)
 
-        # XXX this *has* to wait for a reasonable lapse, since we have some
-        # delay in vpn.terminate.
-        # For a better solution it should receive be
-        # signaled from backend that
-        # everything is clear to proceed, or timeout happened.
-        time.sleep(1.5)
-
         self._cancel_ongoing_defers()
 
         # TODO missing any more cancels?