1 files changed, 20 insertions, 5 deletions

diff --git a/src/leap/bitmask/vpn/fw/firewall.py b/src/leap/bitmask/vpn/fw/firewall.py
index 98b317b0..cc5d76d0 100644
--- a/src/leap/bitmask/vpn/fw/firewall.py
+++ b/src/leap/bitmask/vpn/fw/firewall.py
@@ -25,7 +25,10 @@ import subprocess
 
 from twisted.logger import Logger
 
-from leap.bitmask.system import IS_MAC, IS_LINUX
+from leap.bitmask.system import IS_MAC, IS_LINUX, IS_SNAP
+from leap.bitmask.vpn.constants import BITMASK_ROOT_SYSTEM
+from leap.bitmask.vpn.constants import BITMASK_ROOT_LOCAL
+from leap.bitmask.vpn.constants import BITMASK_ROOT_SNAP
 from leap.common.events import catalog, emit_async
 
 from leap.bitmask.vpn.launchers import darwin
@@ -87,11 +90,23 @@ class _LinuxFirewallManager(object):
     This allows us to achieve fail close on a vpn connection.
     """
 
-    _SYSTEM_BITMASK_ROOT = '/usr/sbin/bitmask-root'
-    if os.path.isfile(_SYSTEM_BITMASK_ROOT):
-        BITMASK_ROOT = _SYSTEM_BITMASK_ROOT
+    # TODO factor out choosing a version of bitmask-root.
+    # together with linux vpnlauncher.
+
+    if IS_SNAP:
+        # snap has its own version under /snap
+        BITMASK_ROOT = BITMASK_ROOT_SNAP
+    elif IS_STANDALONE and os.path.isfile(BITMASK_ROOT_LOCAL):
+        # if this is a bundle, we pick local. bundles ask to install it there.
+        BITMASK_ROOT = BITMASK_ROOT_LOCAL
     else:
-        BITMASK_ROOT = "/usr/local/sbin/bitmask-root"
+        if os.path.isfile(BITMASK_ROOT_SYSTEM):
+            # we can be running from the debian package,
+            # or some other distro. it's the maintainer responsibility to put bitmask-root there.
+            BITMASK_ROOT = BITMASK_ROOT_SYSTEM
+        else:
+            # as a last case, we fall back to installing into the /usr/local/sbin version.
+            BITMASK_ROOT = BITMASK_ROOT_LOCAL
 
     def __init__(self, remotes):
         """