-rw-r--r--changes/bug-block-ipv6-clientside1
-rw-r--r--changes/feature-5689-psutil-compat1
-rw-r--r--changes/feature_5692-fix-nameserver-restoring1
-rw-r--r--docs/man/bitmask-root.1.rst54
-rw-r--r--docs/man/bitmask.1.rst22
-rwxr-xr-xpkg/linux/bitmask-root13
-rw-r--r--pkg/requirements.pip5
-rwxr-xr-xsetup.py6
-rw-r--r--src/leap/bitmask/services/eip/vpnprocess.py10
9 files changed, 90 insertions, 23 deletions
diff --git a/changes/bug-block-ipv6-clientside b/changes/bug-block-ipv6-clientside
new file mode 100644
index 00000000..9e6b88c4
--- /dev/null
+++ b/changes/bug-block-ipv6-clientside
@@ -0,0 +1 @@
+- Block ipv6 traffic for the moment. Closes: #5693
diff --git a/changes/feature-5689-psutil-compat b/changes/feature-5689-psutil-compat
new file mode 100644
index 00000000..be11aea3
--- /dev/null
+++ b/changes/feature-5689-psutil-compat
@@ -0,0 +1 @@
+- Make use of cmdline in psutil backwards-compatible. Closes: #5689
diff --git a/changes/feature_5692-fix-nameserver-restoring b/changes/feature_5692-fix-nameserver-restoring
new file mode 100644
index 00000000..10ce3427
--- /dev/null
+++ b/changes/feature_5692-fix-nameserver-restoring
@@ -0,0 +1 @@
+- Fix nameserver restoring. Closes: #5692
diff --git a/docs/man/bitmask-root.1.rst b/docs/man/bitmask-root.1.rst
new file mode 100644
index 00000000..7ed53aa9
--- /dev/null
+++ b/docs/man/bitmask-root.1.rst
@@ -0,0 +1,54 @@
+============
+bitmask-root
+============
+
+------------------------------------------------------------------------
+privileged helper for bitmask, the encrypted internet access toolkit.
+------------------------------------------------------------------------
+
+:Author: LEAP Encryption Access Project https://leap.se
+:Date: 2014-05-19
+:Copyright: GPLv3+
+:Version: 0.5.1
+:Manual section: 1
+:Manual group: General Commands Manual
+
+SYNOPSIS
+========
+
+bitmask-root [openvpn | firewall | isup ] [start | stop] [ARGS]
+
+DESCRIPTION
+===========
+
+*bitmask-root* is a privileged helper for bitmask.
+
+It is used to start or stop openvpn and the bitmask firewall.
+
+
+OPTIONS
+=======
+
+openvpn
+--------
+
+**start** [ARGS] Starts openvpn. All args are passed to openvpn, and
+ filtered against a list of allowed args.
+
+**stop** Stops openvpn.
+
+
+firewall
+---------
+
+**start** [GATEWAYS] Starts the firewall. GATEWAYS is a list of EIP
+ gateways to allow in the firewall.
+
+**stop** Stops the firewall.
+
+
+
+BUGS
+====
+
+Please report any bugs to https://leap.se/code
diff --git a/docs/man/bitmask.1.rst b/docs/man/bitmask.1.rst
index ed4f7133..38da64af 100644
--- a/docs/man/bitmask.1.rst
+++ b/docs/man/bitmask.1.rst
@@ -7,9 +7,9 @@ graphical client to control LEAP, the encrypted internet access toolkit.
------------------------------------------------------------------------
:Author: LEAP Encryption Access Project https://leap.se
-:Date: 2013-08-23
+:Date: 2014-05-19
:Copyright: GPLv3+
-:Version: 0.3.1
+:Version: 0.5.1
:Manual section: 1
:Manual group: General Commands Manual
@@ -80,26 +80,20 @@ WARNING
This software is still in its early phases of testing. So don't trust your life to it!
-At the current time, Bitmask is not compatible with ``openresolv``, but it works with ``resolvconf``.
FILES
=====
-/etc/leap/resolv-update
------------------------
-Post up/down script passed to openvpn. It writes /etc/resolv.conf to avoid dns leaks, and restores the original resolv.conf on exit.
-/etc/leap/resolv-head
----------------------
-/etc/leap/resolv-tail
----------------------
+/usr/share/polkit-1/actions/se.leap.bitmask.policy
+-------------------------------------------------------
-Custom entries that will appear in the written resolv.conf
+PolicyKit policy file, used for granting access to bitmask-root without the need of entering a password each time.
-/usr/share/polkit-1/actions/net.openvpn.gui.leap.policy
--------------------------------------------------------
+/usr/sbin/bitmask-root
+------------------------
-PolicyKit policy file, used for granting access to openvpn without the need of entering a password each time.
+Helper to launch and stop openvpn and the bitmask firewall.
~/.config/leap/
---------------
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 136fd6a4..6d296ecf 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -566,7 +566,7 @@ class NameserverRestorer(Daemon):
A daemon that will restore the previous nameservers.
"""
- def run(self):
+ def run(self, *args):
"""
Run when daemonized.
"""
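Review bot: The new `*args` parameter on `NameserverRestorer.run` is undocumented; the docstring still says only "Run when daemonized." If the extra arguments are deliberately ignored (presumably they are passed through by the Daemon base class), record that in the docstring, e.g. `Extra positional arguments are accepted for compatibility with Daemon and ignored.` The body of run continues outside this hunk, so whether the arguments are actually used cannot be confirmed from here.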
@@ -765,6 +765,17 @@ def firewall_start(args):
"--dport", "53", "--destination", allowed_dns,
"--jump", "ACCEPT")
+ # workaround for ipv6 servers being blocked and not falling back to ipv4.
+ # See #5693
+ ip6tables("--append", "OUTPUT", "--jump", "REJECT",
+ "-s", "::/0", "-d", "::/0",
+ "-p", "tcp",
+ "--reject-with", "icmp6-port-unreachable")
+ ip6tables("--append", "OUTPUT", "--jump", "REJECT",
+ "-s", "::/0", "-d", "::/0",
+ "-p", "udp",
+ "--reject-with", "icmp6-port-unreachable")
+
def firewall_stop():
"""
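Review bot: The two ip6tables rules added at the end of firewall_start reject only TCP and UDP, so any other IPv6 protocol is still allowed out beside the tunnel. Since `-s ::/0 -d ::/0` already matches every address, a single rule without the `-p` match would cover all protocols, if a full IPv6 block is the intent. The rules also have no interface exemption, so connections to local services on ::1 are rejected as well; consider exempting the loopback interface. They are appended to the built-in OUTPUT chain, and firewall_stop starts at the end of this hunk with its body not visible. Confirm that stop deletes them, otherwise IPv6 stays rejected after the VPN is down and repeated starts stack duplicate rules.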
diff --git a/pkg/requirements.pip b/pkg/requirements.pip
index 70427e63..3d6b33a3 100644
--- a/pkg/requirements.pip
+++ b/pkg/requirements.pip
@@ -11,10 +11,7 @@ srp>=1.0.2
pyopenssl
python-dateutil
-# since gnupg requires exactly 1.2.1, this chokes if we
-# don't specify a version. Selecting something lesser than
-# 2.0 is equivalent to pick 1.2.1. See #5489
-psutil<2.0
+psutil
ipaddr
twisted
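Review bot: `psutil` is now completely unbounded, so any future major release will be installed, while the compatibility code this commit adds in vpnprocess.py only distinguishes the pre-2.0 API from the 2.0+ one. The removed comment also recorded a version conflict with gnupg (#5489); if that constraint still applies, dropping the bound may bring the conflict back, so this is worth confirming. Keep a short comment with the supported range next to the requirement, e.g. `# works with psutil 1.x and 2.x, see #5689`.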
diff --git a/setup.py b/setup.py
index de31be4b..3d12db64 100755
--- a/setup.py
+++ b/setup.py
@@ -203,9 +203,9 @@ if IS_LINUX:
# globally. Or make specific install command. See #3805
data_files = [
("share/polkit-1/actions",
- ["pkg/linux/polkit/net.openvpn.gui.leap.policy"]),
- ("etc/leap/",
- ["pkg/linux/resolv-update"]),
+ ["pkg/linux/polkit/se.leap.bitmask.policy"]),
+ ("/usr/sbin",
+ ["pkg/linux/bitmask-root"]),
]
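Review bot: `"/usr/sbin"` is an absolute data_files target while the polkit policy beside it uses a prefix-relative one, so the two files can land under different roots. A prefixed or virtualenv install would put the policy under the prefix but still write the helper to /usr/sbin. Per the man page in this commit, the policy grants access to bitmask-root without a password prompt, so the helper must end up root-owned, not user-writable, and at the path the policy presumably names. A comment such as `# bitmask-root is run as root via polkit; path must match se.leap.bitmask.policy` would record that constraint. The `if IS_LINUX:` block starts outside this hunk.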
diff --git a/src/leap/bitmask/services/eip/vpnprocess.py b/src/leap/bitmask/services/eip/vpnprocess.py
index 1559ea8b..734b88df 100644
--- a/src/leap/bitmask/services/eip/vpnprocess.py
+++ b/src/leap/bitmask/services/eip/vpnprocess.py
@@ -30,9 +30,11 @@ import psutil
try:
# psutil < 2.0.0
from psutil.error import AccessDenied as psutil_AccessDenied
+ PSUTIL_2 = False
except ImportError:
# psutil >= 2.0.0
from psutil import AccessDenied as psutil_AccessDenied
+ PSUTIL_2 = True
from leap.bitmask.config import flags
from leap.bitmask.config.providerconfig import ProviderConfig
@@ -676,7 +678,13 @@ class VPNManager(object):
# we need to be able to filter out arguments in the form
# --openvpn-foo, since otherwise we are shooting ourselves
# in the feet.
- if any(map(lambda s: s.find("LEAPOPENVPN") != -1, p.cmdline)):
+
+ if PSUTIL_2:
+ cmdline = p.cmdline()
+ else:
+ cmdline = p.cmdline
+ if any(map(lambda s: s.find(
+ "LEAPOPENVPN") != -1, cmdline)):
openvpn_process = p
break
except psutil_AccessDenied:
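Review bot: The `PSUTIL_2` branch infers how to read `cmdline` from where `AccessDenied` happened to be importable, which is an indirect signal. Testing the attribute itself needs no module-level flag: `cmdline = p.cmdline() if callable(p.cmdline) else p.cmdline`. The substring test also reads more plainly as `any("LEAPOPENVPN" in s for s in cmdline)`. Any local process can carry that marker in its arguments, so whatever is done with `openvpn_process` after the loop (outside this hunk) should not treat the match alone as proof that the process is bitmask's own openvpn.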