From b7a7eb22b5d145d20083438c166d47ef3f793d8a Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Thu, 6 Sep 2018 10:58:41 +0200 Subject: [bug] disable temporarily ipv6 as part of the firewall Since we're blocking ipv6, it's nice to avoid resolving dual-stack sites to ipv6, because many tools don't work otherwise. - Resolves: #9027 --- src/leap/bitmask/vpn/helpers/linux/bitmask-root | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) (limited to 'src/leap/bitmask/vpn/helpers/linux') diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root index 73b060ad..c76100af 100755 --- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root +++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root @@ -28,6 +28,9 @@ Expected paths: When installed by bundle or from git: /usr/local/sbin/bitmask-root + When installed by snap: + /snap/bin/riseup-vpn.bitmask-root + USAGE: bitmask-root firewall stop bitmask-root firewall start [restart] GATEWAY1 GATEWAY2 ... @@ -58,7 +61,7 @@ cmdcheck = subprocess.check_output # # CONSTANTS -# + def get_no_group_name(): @@ -100,6 +103,7 @@ SMTP_PORT = "2013" IP = "/sbin/ip" IPTABLES = "/sbin/iptables" IP6TABLES = "/sbin/ip6tables" +SYSCTL = "/sbin/sysctl" OPENVPN_USER = "nobody" OPENVPN_GROUP = get_no_group_name() @@ -561,6 +565,17 @@ def ip6tables(*args, **options): """ run_iptable_with_check(IP6TABLES, *args, **options) + +def toggle_ipv6(status='disable'): + if status == 'disable': + arg = 1 + elif status == 'enable': + arg = 0 + else: + return + cmdcheck([SYSCTL, '-w', 'net.ipv6.conf.all.disable_ipv6=%s' % arg]) + + # # NOTE: these tests to see if a chain exists might incorrectly return false. # This happens when there is an error in calling `iptables --list bitmask`. @@ -761,6 +776,8 @@ def firewall_start(args): elif QUBES_VER == 3: run("systemctl", "restart", "qubes-firewall.service") + toggle_ipv6('disable') + def firewall_stop(): """ @@ -839,6 +856,8 @@ def firewall_stop(): "chain (maybe it is already destroyed?)", exc) ok = False + toggle_ipv6('enable') + if not (ok or ipv4_chain_exists or ipv6_chain_exists): raise Exception("firewall might still be left up. " "Please try `firewall stop` again.") -- cgit v1.2.3