summaryrefslogtreecommitdiff
path: root/pkg/linux
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/linux')
-rwxr-xr-xpkg/linux/bitmask-root28
1 files changed, 13 insertions, 15 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 9bd5dfce..82e8799f 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -653,6 +653,7 @@ def get_local_network_ipv6(device):
def run_iptable_with_check(cmd, *args, **options):
"""
Run an iptables command checking to see if it should:
+ for --append: run only if rule does not already exist.
for --insert: run only if rule does not already exist.
for --delete: run only if rule does exist.
other commands are run normally.
@@ -662,6 +663,11 @@ def run_iptable_with_check(cmd, *args, **options):
check_code = run(cmd, *check_args, exitcode=True)
if check_code != 0:
run(cmd, *args, **options)
+ elif "--append" in args:
+ check_args = [arg.replace("--append", "--check") for arg in args]
+ check_code = run(cmd, *check_args, exitcode=True)
+ if check_code != 0:
+ run(cmd, *args, **options)
elif "--delete" in args:
check_args = [arg.replace("--delete", "--check") for arg in args]
check_code = run(cmd, *check_args, exitcode=True)
@@ -773,7 +779,7 @@ def firewall_start(args):
"--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353",
"-o", default_device, "--jump", "RETURN")
- # allow traffic to gateways
+ # allow ipv4 traffic to gateways
for gateway in gateways:
ip4tables("--append", BITMASK_CHAIN, "--destination", gateway,
"-o", default_device, "--jump", "ACCEPT")
@@ -783,21 +789,13 @@ def firewall_start(args):
iptables("--append", BITMASK_CHAIN, "-o", default_device,
"--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7")
- # reject everything else
- iptables("--append", BITMASK_CHAIN, "-o", default_device,
- "--jump", "REJECT")
-
- # workaround for ipv6 servers being blocked and not falling back to ipv4.
- # See #5693
- ip6tables("--append", "OUTPUT", "--jump", "REJECT",
- "-s", "::/0", "-d", "::/0",
- "-p", "tcp",
- "--reject-with", "icmp6-port-unreachable")
- ip6tables("--append", "OUTPUT", "--jump", "REJECT",
- "-s", "::/0", "-d", "::/0",
- "-p", "udp",
- "--reject-with", "icmp6-port-unreachable")
+ # for now, ensure all other ipv6 packets get rejected (regardless of device)
+ # (not sure why, but "-p any" doesn't work)
+ ip6tables("--append", BITMASK_CHAIN, "-p", "tcp", "--jump", "REJECT")
+ ip6tables("--append", BITMASK_CHAIN, "-p", "udp", "--jump", "REJECT")
+ # reject all other ipv4 sent over the default device
+ ip4tables("--append", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT")
def firewall_stop():
"""