Unverified Commit b7a7eb22 authored by Kali Kaneko's avatar Kali Kaneko

[bug] disable temporarily ipv6 as part of the firewall

Since we're blocking ipv6, it's nice to avoid resolving dual-stack sites
to ipv6, because many tools don't work otherwise.

- Resolves: #9027
parent 5970fcb5
Pipeline #18789 passed with stages
in 80 minutes and 21 seconds
......@@ -28,6 +28,9 @@ Expected paths:
When installed by bundle or from git:
/usr/local/sbin/bitmask-root
When installed by snap:
/snap/bin/riseup-vpn.bitmask-root
USAGE:
bitmask-root firewall stop
bitmask-root firewall start [restart] GATEWAY1 GATEWAY2 ...
......@@ -58,7 +61,7 @@ cmdcheck = subprocess.check_output
#
# CONSTANTS
#
def get_no_group_name():
......@@ -100,6 +103,7 @@ SMTP_PORT = "2013"
IP = "/sbin/ip"
IPTABLES = "/sbin/iptables"
IP6TABLES = "/sbin/ip6tables"
SYSCTL = "/sbin/sysctl"
OPENVPN_USER = "nobody"
OPENVPN_GROUP = get_no_group_name()
......@@ -561,6 +565,17 @@ def ip6tables(*args, **options):
"""
run_iptable_with_check(IP6TABLES, *args, **options)
def toggle_ipv6(status='disable'):
if status == 'disable':
arg = 1
elif status == 'enable':
arg = 0
else:
return
cmdcheck([SYSCTL, '-w', 'net.ipv6.conf.all.disable_ipv6=%s' % arg])
#
# NOTE: these tests to see if a chain exists might incorrectly return false.
# This happens when there is an error in calling `iptables --list bitmask`.
......@@ -761,6 +776,8 @@ def firewall_start(args):
elif QUBES_VER == 3:
run("systemctl", "restart", "qubes-firewall.service")
toggle_ipv6('disable')
def firewall_stop():
"""
......@@ -839,6 +856,8 @@ def firewall_stop():
"chain (maybe it is already destroyed?)", exc)
ok = False
toggle_ipv6('enable')
if not (ok or ipv4_chain_exists or ipv6_chain_exists):
raise Exception("firewall might still be left up. "
"Please try `firewall stop` again.")
......
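Review bot: `toggle_ipv6('enable')` in firewall_stop writes `net.ipv6.conf.all.disable_ipv6=0` unconditionally, so a host where IPv6 had been disabled on purpose before `firewall start` leaves `firewall stop` with IPv6 switched back on. firewall_start should record the current value before overwriting it, e.g. `prev = cmdcheck([SYSCTL, '-n', 'net.ipv6.conf.all.disable_ipv6']).strip()`, and firewall_stop should re-enable only when that recorded value was 0. Since start and stop appear to be separate invocations of the script, the value would need to persist in a root-owned state file. The call is also not guarded like the neighbouring teardown step that sets `ok = False`, so a failing sysctl presumably surfaces as a raw CalledProcessError instead of the "firewall might still be left up" message. Both function bodies continue outside the hunks shown.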