-rw-r--r--changes/feature-bitmask-root-versioning1
-rw-r--r--docs/man/bitmask-root.1.rst17
-rw-r--r--docs/man/bitmask.1.rst4
-rw-r--r--docs/release_checklist.wiki1
-rwxr-xr-xpkg/linux/bitmask-root41
5 files changed, 47 insertions, 17 deletions
diff --git a/changes/feature-bitmask-root-versioning b/changes/feature-bitmask-root-versioning
new file mode 100644
index 00000000..bfe69041
--- /dev/null
+++ b/changes/feature-bitmask-root-versioning
@@ -0,0 +1 @@
+- Add versioning support to bitmask-root.
diff --git a/docs/man/bitmask-root.1.rst b/docs/man/bitmask-root.1.rst
index 7ed53aa9..c18cc4d6 100644
--- a/docs/man/bitmask-root.1.rst
+++ b/docs/man/bitmask-root.1.rst
@@ -7,23 +7,24 @@ privileged helper for bitmask, the encrypted internet access toolkit.
------------------------------------------------------------------------
:Author: LEAP Encryption Access Project https://leap.se
-:Date: 2014-05-19
+:Date: 2014-06-05
:Copyright: GPLv3+
-:Version: 0.5.1
+:Version: 0.5.2
:Manual section: 1
:Manual group: General Commands Manual
SYNOPSIS
========
-bitmask-root [openvpn | firewall | isup ] [start | stop] [ARGS]
+bitmask-root [openvpn | firewall | version] [start | stop | isup] [ARGS]
DESCRIPTION
===========
*bitmask-root* is a privileged helper for bitmask.
-It is used to start or stop openvpn and the bitmask firewall.
+It is used to start or stop openvpn and the bitmask firewall. To operate, it
+needs to be executed with root privileges.
OPTIONS
@@ -33,7 +34,9 @@ openvpn
--------
**start** [ARGS] Starts openvpn. All args are passed to openvpn, and
- filtered against a list of allowed args.
+ filtered against a list of allowed args. If the next
+ argument is `restart`, the firewall will not be teared
+ down in the case of errors lauching openvpn.
**stop** Stops openvpn.
@@ -46,6 +49,10 @@ firewall
**stop** Stops the firewall.
+version
+--------
+
+**version** Prints the `bitmask-root` version string.
BUGS
diff --git a/docs/man/bitmask.1.rst b/docs/man/bitmask.1.rst
index 38da64af..6eae7ff5 100644
--- a/docs/man/bitmask.1.rst
+++ b/docs/man/bitmask.1.rst
@@ -7,9 +7,9 @@ graphical client to control LEAP, the encrypted internet access toolkit.
------------------------------------------------------------------------
:Author: LEAP Encryption Access Project https://leap.se
-:Date: 2014-05-19
+:Date: 2014-06-05
:Copyright: GPLv3+
-:Version: 0.5.1
+:Version: 0.5.2
:Manual section: 1
:Manual group: General Commands Manual
diff --git a/docs/release_checklist.wiki b/docs/release_checklist.wiki
index fc99fdf0..075591a7 100644
--- a/docs/release_checklist.wiki
+++ b/docs/release_checklist.wiki
@@ -1,5 +1,6 @@
= Bitmask Release Checklist (*) =
* [ ] Check that all tests are passing!
+ * [ ] Check that the version in bitmask_client/pkg/linux/bitmask-root is bumped if needed.
* [ ] Tag everything
* Should be done for the following packages, in order:
* [ ] 1. leap.common
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index d1bf656e..1929b51b 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -51,6 +51,7 @@ cmdcheck = subprocess.check_output
## CONSTANTS
##
+VERSION = "1"
SCRIPT = "bitmask-root"
NAMESERVER = "10.42.0.1"
BITMASK_CHAIN = "bitmask"
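Review bot: The new `VERSION = "1"` constant has no comment saying what it versions, and since the man page updated in this same commit reports `:Version: 0.5.2` for bitmask-root, a reader cannot tell which number is authoritative. The release-checklist line added alongside ("bumped if needed") suggests this value tracks the helper script itself rather than the client release, so I would state that at the definition: `# Version of this helper script, as printed by 'bitmask-root version'; independent of the bitmask client version, bump per docs/release_checklist.wiki.` Whether the client actually reads and compares this value is outside this hunk.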
@@ -764,11 +765,13 @@ def firewall_start(args):
"--jump", "ACCEPT")
# allow multicast Simple Service Discovery Protocol
ip4tables("--append", BITMASK_CHAIN,
- "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900",
+ "--protocol", "udp",
+ "--destination", "239.255.255.250", "--dport", "1900",
"-o", default_device, "--jump", "RETURN")
# allow multicast Bonjour/mDNS
ip4tables("--append", BITMASK_CHAIN,
- "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353",
+ "--protocol", "udp",
+ "--destination", "224.0.0.251", "--dport", "5353",
"-o", default_device, "--jump", "RETURN")
if local_network_ipv6:
ip6tables("--append", BITMASK_CHAIN,
@@ -776,11 +779,13 @@ def firewall_start(args):
"--jump", "ACCEPT")
# allow multicast Simple Service Discovery Protocol
ip6tables("--append", BITMASK_CHAIN,
- "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900",
+ "--protocol", "udp",
+ "--destination", "FF05::C", "--dport", "1900",
"-o", default_device, "--jump", "RETURN")
# allow multicast Bonjour/mDNS
ip6tables("--append", BITMASK_CHAIN,
- "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353",
+ "--protocol", "udp",
+ "--destination", "FF02::FB", "--dport", "5353",
"-o", default_device, "--jump", "RETURN")
# allow ipv4 traffic to gateways
@@ -791,15 +796,19 @@ def firewall_start(args):
# log rejected packets to syslog
if DEBUG:
iptables("--append", BITMASK_CHAIN, "-o", default_device,
- "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7")
+ "--jump", "LOG", "--log-prefix", "iptables denied: ",
+ "--log-level", "7")
- # for now, ensure all other ipv6 packets get rejected (regardless of device)
+ # for now, ensure all other ipv6 packets get rejected (regardless of
+ # device)
# (not sure why, but "-p any" doesn't work)
ip6tables("--append", BITMASK_CHAIN, "-p", "tcp", "--jump", "REJECT")
ip6tables("--append", BITMASK_CHAIN, "-p", "udp", "--jump", "REJECT")
# reject all other ipv4 sent over the default device
- ip4tables("--append", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT")
+ ip4tables("--append", BITMASK_CHAIN, "-o",
+ default_device, "--jump", "REJECT")
+
def firewall_stop():
"""
@@ -819,7 +828,12 @@ def firewall_stop():
def main():
- if len(sys.argv) >= 3:
+ """
+ Entry point for cmdline execution.
+ """
+ # TODO use argparse instead.
+
+ if len(sys.argv) >= 2:
command = "_".join(sys.argv[1:3])
args = sys.argv[3:]
@@ -828,6 +842,13 @@ def main():
is_restart = True
args.remove('restart')
+ if command == "version":
+ print(VERSION)
+ exit(0)
+
+ if os.getuid() != 0:
+ bail("ERROR: must be run as root")
+
if command == "openvpn_start":
openvpn_start(args)
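Review bot: The new version branch ends with `exit(0)`, which is the interactive helper installed by the `site` module rather than a language builtin; it is missing under `python -S` and in embedded interpreters, so a privileged helper that may be launched from a sudo or polkit wrapper should use `sys.exit(0)` (`sys` is already in use in main). The added root check compares the real uid, while the capability iptables and openvpn need follows the effective uid, so `if os.geteuid() != 0:` expresses the actual requirement — under the usual sudo invocation both are zero, so this is a precision point rather than a bug. The import block is not in this diff, so confirm `os` is imported before relying on the new `os.getuid()` call. Placing the version branch ahead of the root check is correct, since printing the version needs no privilege.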
@@ -840,8 +861,8 @@ def main():
nameserver_setter.start(NAMESERVER)
except Exception as ex:
if not is_restart:
- nameserver_restorer.start()
- firewall_stop()
+ nameserver_restorer.start()
+ firewall_stop()
bail("ERROR: could not start firewall", ex)
elif command == "firewall_stop":