diff options
-rw-r--r-- | changes/feature-bitmask-root-versioning | 1 | ||||
-rw-r--r-- | docs/man/bitmask-root.1.rst | 17 | ||||
-rw-r--r-- | docs/man/bitmask.1.rst | 4 | ||||
-rw-r--r-- | docs/release_checklist.wiki | 1 | ||||
-rwxr-xr-x | pkg/linux/bitmask-root | 41 |
5 files changed, 47 insertions, 17 deletions
diff --git a/changes/feature-bitmask-root-versioning b/changes/feature-bitmask-root-versioning new file mode 100644 index 00000000..bfe69041 --- /dev/null +++ b/changes/feature-bitmask-root-versioning @@ -0,0 +1 @@ +- Add versioning support to bitmask-root. diff --git a/docs/man/bitmask-root.1.rst b/docs/man/bitmask-root.1.rst index 7ed53aa9..c18cc4d6 100644 --- a/docs/man/bitmask-root.1.rst +++ b/docs/man/bitmask-root.1.rst @@ -7,23 +7,24 @@ privileged helper for bitmask, the encrypted internet access toolkit. ------------------------------------------------------------------------ :Author: LEAP Encryption Access Project https://leap.se -:Date: 2014-05-19 +:Date: 2014-06-05 :Copyright: GPLv3+ -:Version: 0.5.1 +:Version: 0.5.2 :Manual section: 1 :Manual group: General Commands Manual SYNOPSIS ======== -bitmask-root [openvpn | firewall | isup ] [start | stop] [ARGS] +bitmask-root [openvpn | firewall | version] [start | stop | isup] [ARGS] DESCRIPTION =========== *bitmask-root* is a privileged helper for bitmask. -It is used to start or stop openvpn and the bitmask firewall. +It is used to start or stop openvpn and the bitmask firewall. To operate, it +needs to be executed with root privileges. OPTIONS @@ -33,7 +34,9 @@ openvpn -------- **start** [ARGS] Starts openvpn. All args are passed to openvpn, and - filtered against a list of allowed args. + filtered against a list of allowed args. If the next + argument is `restart`, the firewall will not be teared + down in the case of errors lauching openvpn. **stop** Stops openvpn. @@ -46,6 +49,10 @@ firewall **stop** Stops the firewall. +version +-------- + +**version** Prints the `bitmask-root` version string. BUGS diff --git a/docs/man/bitmask.1.rst b/docs/man/bitmask.1.rst index 38da64af..6eae7ff5 100644 --- a/docs/man/bitmask.1.rst +++ b/docs/man/bitmask.1.rst @@ -7,9 +7,9 @@ graphical client to control LEAP, the encrypted internet access toolkit. ------------------------------------------------------------------------ :Author: LEAP Encryption Access Project https://leap.se -:Date: 2014-05-19 +:Date: 2014-06-05 :Copyright: GPLv3+ -:Version: 0.5.1 +:Version: 0.5.2 :Manual section: 1 :Manual group: General Commands Manual diff --git a/docs/release_checklist.wiki b/docs/release_checklist.wiki index fc99fdf0..075591a7 100644 --- a/docs/release_checklist.wiki +++ b/docs/release_checklist.wiki @@ -1,5 +1,6 @@ = Bitmask Release Checklist (*) = * [ ] Check that all tests are passing! + * [ ] Check that the version in bitmask_client/pkg/linux/bitmask-root is bumped if needed. * [ ] Tag everything * Should be done for the following packages, in order: * [ ] 1. leap.common diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root index d1bf656e..1929b51b 100755 --- a/pkg/linux/bitmask-root +++ b/pkg/linux/bitmask-root @@ -51,6 +51,7 @@ cmdcheck = subprocess.check_output ## CONSTANTS ## +VERSION = "1" SCRIPT = "bitmask-root" NAMESERVER = "10.42.0.1" BITMASK_CHAIN = "bitmask" @@ -764,11 +765,13 @@ def firewall_start(args): "--jump", "ACCEPT") # allow multicast Simple Service Discovery Protocol ip4tables("--append", BITMASK_CHAIN, - "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900", + "--protocol", "udp", + "--destination", "239.255.255.250", "--dport", "1900", "-o", default_device, "--jump", "RETURN") # allow multicast Bonjour/mDNS ip4tables("--append", BITMASK_CHAIN, - "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353", + "--protocol", "udp", + "--destination", "224.0.0.251", "--dport", "5353", "-o", default_device, "--jump", "RETURN") if local_network_ipv6: ip6tables("--append", BITMASK_CHAIN, @@ -776,11 +779,13 @@ def firewall_start(args): "--jump", "ACCEPT") # allow multicast Simple Service Discovery Protocol ip6tables("--append", BITMASK_CHAIN, - "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900", + "--protocol", "udp", + "--destination", "FF05::C", "--dport", "1900", "-o", default_device, "--jump", "RETURN") # allow multicast Bonjour/mDNS ip6tables("--append", BITMASK_CHAIN, - "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353", + "--protocol", "udp", + "--destination", "FF02::FB", "--dport", "5353", "-o", default_device, "--jump", "RETURN") # allow ipv4 traffic to gateways @@ -791,15 +796,19 @@ def firewall_start(args): # log rejected packets to syslog if DEBUG: iptables("--append", BITMASK_CHAIN, "-o", default_device, - "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7") + "--jump", "LOG", "--log-prefix", "iptables denied: ", + "--log-level", "7") - # for now, ensure all other ipv6 packets get rejected (regardless of device) + # for now, ensure all other ipv6 packets get rejected (regardless of + # device) # (not sure why, but "-p any" doesn't work) ip6tables("--append", BITMASK_CHAIN, "-p", "tcp", "--jump", "REJECT") ip6tables("--append", BITMASK_CHAIN, "-p", "udp", "--jump", "REJECT") # reject all other ipv4 sent over the default device - ip4tables("--append", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT") + ip4tables("--append", BITMASK_CHAIN, "-o", + default_device, "--jump", "REJECT") + def firewall_stop(): """ @@ -819,7 +828,12 @@ def firewall_stop(): def main(): - if len(sys.argv) >= 3: + """ + Entry point for cmdline execution. + """ + # TODO use argparse instead. + + if len(sys.argv) >= 2: command = "_".join(sys.argv[1:3]) args = sys.argv[3:] @@ -828,6 +842,13 @@ def main(): is_restart = True args.remove('restart') + if command == "version": + print(VERSION) + exit(0) + + if os.getuid() != 0: + bail("ERROR: must be run as root") + if command == "openvpn_start": openvpn_start(args) @@ -840,8 +861,8 @@ def main(): nameserver_setter.start(NAMESERVER) except Exception as ex: if not is_restart: - nameserver_restorer.start() - firewall_stop() + nameserver_restorer.start() + firewall_stop() bail("ERROR: could not start firewall", ex) elif command == "firewall_stop": |