authorKali Kaneko <kali@leap.se>2017-06-08 15:36:37 -0700
committerKali Kaneko (leap communications) <kali@leap.se>2017-06-09 00:48:40 +0200
commita003e13cec2c44160b46047d0fee8d52dfc6253f (patch)
tree6322f118707e5ce5da435873744024eee9afb3d6 /src/leap/bitmask/vpn/fw
parent6f961fc09dd633d0bcf5397787139c0032e0661e (diff)
[bug] make openvpn and firewall able to launch
with these fixes, I'm able to finally launch openvpn and firewall on osx. :) all that's left for a minimum vpn release is packaging and installing all the helpers in the proper place.
Diffstat (limited to 'src/leap/bitmask/vpn/fw')
-rw-r--r--src/leap/bitmask/vpn/fw/firewall.py47
-rwxr-xr-xsrc/leap/bitmask/vpn/fw/osx/bitmask-helper19
2 files changed, 48 insertions, 18 deletions
diff --git a/src/leap/bitmask/vpn/fw/firewall.py b/src/leap/bitmask/vpn/fw/firewall.py
index 23bdbd9..dcd956d 100644
--- a/src/leap/bitmask/vpn/fw/firewall.py
+++ b/src/leap/bitmask/vpn/fw/firewall.py
@@ -25,14 +25,12 @@ import subprocess
from twisted.logger import Logger
-from leap.bitmask.vpn.constants import IS_MAC
+from leap.bitmask.vpn.constants import IS_MAC, IS_LINUX
from leap.common.events import catalog, emit_async
-log = Logger()
-
-
-# TODO -- subclass it for osx/windows, not only for linux.
+from leap.bitmask.vpn.launchers import darwin
+log = Logger()
# A regular user should not run bitmask as root, but we contemplate
# this case for tests inside docker.
@@ -46,7 +44,34 @@ def check_root(cmd):
return cmd
-class FirewallManager(object):
+class _OSXFirewallManager(object):
+ def __init__(self, remotes):
+ self._remotes = list(remotes)
+ self._helper = darwin.HelperCommand()
+
+ def start(self, restart=False):
+ gateways = [gateway for gateway, port in self._remotes]
+ cmd = 'firewall_start %s' % (' '.join(gateways),)
+ self._helper.send(cmd)
+ # TODO parse OK from result
+ return True
+
+ def stop(self):
+ cmd = 'firewall_stop'
+ self._helper.send(cmd)
+ return True
+
+ def is_up(self):
+ # TODO implement!!!
+ return True
+
+ @property
+ def status(self):
+ # TODO implement!!! -- factor out, too
+ return {'status': 'on', 'error': None}
+
+
+class _LinuxFirewallManager(object):
"""
Firewall manager that blocks/unblocks all the internet traffic with some
@@ -100,10 +125,6 @@ class FirewallManager(object):
"""
Tear the firewall down using the privileged wrapper.
"""
- # We don't support Mac so far
- if IS_MAC:
- return True
-
cmd = [self.BITMASK_ROOT, "firewall", "stop"]
cmd = check_root(cmd)
exitCode = subprocess.call(cmd)
@@ -133,3 +154,9 @@ class FirewallManager(object):
status = 'on'
return {'status': status, 'error': None}
+
+
+if IS_LINUX:
+ FirewallManager = _LinuxFirewallManager
+elif IS_MAC:
+ FirewallManager = _OSXFirewallManager
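Review bot: In `_OSXFirewallManager.start` (hunk `@@ -46,7 +44,34 @@`) the gateway addresses are joined with spaces into `'firewall_start %s'` and handed to the privileged helper with no validation, and the helper's wire format is a plain text line (the bitmask-helper docstring shows `echo 'firewall_stop/CMD' | socat - UNIX-CONNECT:...`), so any remote entry that is not a bare IP literal becomes extra tokens in a root-privileged command; the helper side still carries `# TODO sanitize options`. Validate before joining, e.g. `for gw in gateways: ipaddress.ip_address(gw)` (stdlib on Python 3, a backport on 2) or the equivalent `socket.inet_pton` check, and raise rather than send on failure. Both `start` and `stop` discard the helper's reply and return `True` unconditionally, and `is_up`/`status` are hard-coded to report `'on'`, so a caller cannot tell a failed firewall from a working one; until the reply is parsed, the docstring should say that the return value does not reflect the helper's outcome. The module tail binds `FirewallManager` only under `IS_LINUX` or `IS_MAC`; on any other platform the name is never defined and importers get a `NameError`, so add `else: raise NotImplementedError('no firewall manager for this platform')`.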
diff --git a/src/leap/bitmask/vpn/fw/osx/bitmask-helper b/src/leap/bitmask/vpn/fw/osx/bitmask-helper
index 68be7db..2990219 100755
--- a/src/leap/bitmask/vpn/fw/osx/bitmask-helper
+++ b/src/leap/bitmask/vpn/fw/osx/bitmask-helper
@@ -2,7 +2,7 @@
# -*- coding: utf-8 -*-
#
# Author: Kali Kaneko
-# Copyright (C) 2015-2016 LEAP Encryption Access Project
+# Copyright (C) 2015-2017 LEAP Encryption Access Project
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -42,11 +42,10 @@ To see the loaded rules:
To test the commands, you can write directly to the unix socket. Remember to
terminate the command properly:
- echo 'firewall_stop/CMD' | socat - UNIX-CONNECT:/tmp/bitmask-helper.socket
+ echo 'firewall_stop/CMD' | socat - UNIX-CONNECT:/tmp/bitmask-helper.socket
"""
import os
-import re
import socket
import signal
import subprocess
@@ -75,7 +74,6 @@ FIXED_FLAGS = [
"--setenv", "LEAPOPENVPN", "1",
"--nobind",
"--client",
- "--dev", "tun",
"--tls-client",
"--remote-cert-tls", "server",
"--management-signal",
@@ -243,14 +241,19 @@ def openvpn_start(*args):
opts += ['--dhcp-option', 'DNS', '10.42.0.1',
'--up', RESOURCES_PATH + 'client.up.sh',
'--down', RESOURCES_PATH + 'client.down.sh']
+ opts += ["--dev", "tun"]
binary = [RESOURCES_PATH + 'openvpn.leap']
-
- syslog.syslog(syslog.LOG_WARNING, ' '.join(binary + opts))
+ cmd = binary + opts
+ #syslog.syslog(syslog.LOG_WARNING, 'LAUNCHING VPN: ' + ' '.join(cmd))
# TODO sanitize options
global openvpn_proc
- openvpn_proc = subprocess.Popen(binary + opts, shell=False)
- syslog.syslog(syslog.LOG_WARNING, "OpenVPN PID: %s" % str(openvpn_proc.pid))
+ openvpn_proc = subprocess.Popen(cmd, shell=False, bufsize=-1)
+ #try:
+ # result = subprocess.check_output(cmd, shell=False, stderr=subprocess.STDOUT)
+ #except Exception as exc:
+ # syslog.syslog(syslog.LOG_WARNING, exc.output)
+ #syslog.syslog(syslog.LOG_WARNING, "OpenVPN PID: %s" % str(openvpn_proc.pid))
def openvpn_stop(sig='TERM'):