authorKali Kaneko (leap communications) <kali@leap.se>2017-01-31 13:31:13 +0100
committerKali Kaneko (leap communications) <kali@leap.se>2017-02-23 00:37:25 +0100
commitca0e1c4518749e27bccad817d22ab87afbf8acf7 (patch)
tree636c1188683c1ea91d70b3aecd2810aafa7cf724 /src/leap/bitmask/vpn/fw/firewall.py
parentff5ec25029db7669163854886be254fccde90e80 (diff)
[feature] initial port of legacy vpn code
Non-functional at the moment, but some cleanup has been started.
Diffstat (limited to 'src/leap/bitmask/vpn/fw/firewall.py')
-rw-r--r--src/leap/bitmask/vpn/fw/firewall.py95
1 files changed, 95 insertions, 0 deletions
diff --git a/src/leap/bitmask/vpn/fw/firewall.py b/src/leap/bitmask/vpn/fw/firewall.py
new file mode 100644
index 0000000..4335b8e
--- /dev/null
+++ b/src/leap/bitmask/vpn/fw/firewall.py
@@ -0,0 +1,95 @@
+# -*- coding: utf-8 -*-
+# manager.py
+# Copyright (C) 2015 LEAP
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Firewall Manager
+"""
+
+import commands
+import subprocess
+
+from leap.bitmask.vpn.constants import IS_MAC
+
+
+class FirewallManager(object):
+
+ """
+ Firewall manager that blocks/unblocks all the internet traffic with some
+ exceptions.
+ This allows us to achieve fail close on a vpn connection.
+ """
+
+ # FIXME -- get the path
+ BITMASK_ROOT = "/usr/local/sbin/bitmask-root"
+
+ def __init__(self, remotes):
+ """
+ Initialize the firewall manager with a set of remotes that we won't
+ block.
+
+ :param remotes: the gateway(s) that we will allow
+ :type remotes: list
+ """
+ self._remotes = remotes
+
+ def start(self, restart=False):
+ """
+ Launch the firewall using the privileged wrapper.
+
+ :returns: True if the exitcode of calling the root helper in a
+ subprocess is 0.
+ :rtype: bool
+ """
+ gateways = [gateway for gateway, port in self._remotes]
+
+ # XXX check for wrapper existence, check it's root owned etc.
+ # XXX check that the iptables rules are in place.
+
+ cmd = ["pkexec", self.BITMASK_ROOT, "firewall", "start"]
+ if restart:
+ cmd.append("restart")
+
+ # FIXME -- use a processprotocol
+ exitCode = subprocess.call(cmd + gateways)
+ return True if exitCode is 0 else False
+
+ # def tear_down_firewall(self):
+ def stop(self):
+ """
+ Tear the firewall down using the privileged wrapper.
+ """
+ if IS_MAC:
+ # We don't support Mac so far
+ return True
+
+ exitCode = subprocess.call(["pkexec", self.BITMASK_ROOT,
+ "firewall", "stop"])
+ return True if exitCode is 0 else False
+
+ # def is_fw_down(self):
+ def is_up(self):
+ """
+ Return whether the firewall is up or not.
+
+ :rtype: bool
+ """
+ # TODO test this, refactored from is_fw_down
+
+ cmd = "pkexec {0} firewall isup".format(self.BITMASK_ROOT)
+ output = commands.getstatusoutput(cmd)[0]
+
+ return output != 256
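Review bot: `return True if exitCode is 0 else False` in start() and stop() tests the exit code by identity rather than equality; it only works because CPython caches small ints, and `return exitCode == 0` is both correct and shorter. In is_up() the `output != 256` check reads the raw wait status packed by `commands.getstatusoutput`, which also runs the command through a shell and exists only on Python 2, so `return subprocess.call(["pkexec", self.BITMASK_ROOT, "firewall", "isup"]) == 0` would make the three methods consistent and stop the result from depending on how the platform encodes the status (256 presumably standing for exit code 1 here). stop() returns early on IS_MAC while start() has no such guard, so start() will still attempt pkexec on Mac; if that is intended, a comment should say so. The XXX notes about checking the wrapper's existence and root ownership are worth keeping until addressed, since the fixed path in BITMASK_ROOT is handed to pkexec without any verification.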