From 9e55fdcd4174d55693c6068f15808a9c5644cdb4 Mon Sep 17 00:00:00 2001
From: Christopher Laprise
Date: Tue, 27 Mar 2018 00:38:52 -0400
Subject: [PATCH 1/4] Use qubes-firewall.d instead of iphook on Qubes 4
---
 src/leap/bitmask/vpn/helpers/linux/bitmask-root | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 3f6c1e74..cbb9ffa3 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -158,11 +158,12 @@ QUBES_PROXY = os.path.exists("/var/run/qubes/this-is-proxyvm")
 if os.path.isdir("/etc/qubes"):
 QUBES_CFG = "/rw/config/"
 QUBES_IPHOOK = QUBES_CFG + "qubes-ip-change-hook"
- QUBES_FW_SCRIPT = QUBES_CFG + "qubes-firewall-user-script"
 if subprocess.call([IPTABLES, "--list", "QBS-FORWARD"]) == 0:
 QUBES_VER = 4
+ QUBES_FW_SCRIPT = QUBES_CFG + "/qubes-firewall.d/90_tunnel-restrict"
 else:
 QUBES_VER = 3
+ QUBES_FW_SCRIPT = QUBES_CFG + "qubes-firewall-user-script"
 else:
 # not a Qubes system
 QUBES_VER = 0
@@ -741,6 +742,9 @@ def firewall_start(args):
 # Must stay on 'top' of chain!
 if QUBES_PROXY and QUBES_VER >= 3 and run("grep", \
 "installed\ by\ " + SCRIPT, QUBES_FW_SCRIPT, exitcode=True) != 0:
+ if QUBES_VER == 4 and \
+ not os.path.isdir(os.path.dirname(QUBES_FW_SCRIPT)):
+ os.makedirs(os.path.dirname(QUBES_FW_SCRIPT))
 with open(QUBES_FW_SCRIPT, mode="w") as qfile:
 qfile.write("#!/bin/sh\n")
 qfile.write("# Anti-leak rules installed by " + SCRIPT + " " \
@@ -752,8 +756,6 @@ def firewall_start(args):
 qfile.write("iptables --insert INPUT -i tun+ -j DROP\n")
 qfile.write("ip6tables --insert INPUT -i tun+ -j DROP\n")
 os.chmod(QUBES_FW_SCRIPT, stat.S_IRWXU)
- if not os.path.exists(QUBES_IPHOOK):
- os.symlink(QUBES_FW_SCRIPT, QUBES_IPHOOK)
 if QUBES_VER == 4:
 run(QUBES_FW_SCRIPT)
 elif QUBES_VER == 3:
From 5653e16b4d0c309593b79f47c81b161d545b800c Mon Sep 17 00:00:00 2001
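Review bot: In the second hunk of patch 1, `os.makedirs(os.path.dirname(QUBES_FW_SCRIPT))` creates the `qubes-firewall.d` directory with whatever umask the helper inherited, and the script written into it is executed shortly afterwards by `run(QUBES_FW_SCRIPT)`. Assuming this helper runs as root, I would pass an explicit mode, `os.makedirs(os.path.dirname(QUBES_FW_SCRIPT), 0o755)`, so a permissive umask cannot leave a drop-in directory for root-executed scripts writable by other users. The file itself has the same window: `open(QUBES_FW_SCRIPT, mode="w")` creates it with default permissions, and `os.chmod(QUBES_FW_SCRIPT, stat.S_IRWXU)` in the next hunk tightens it only after the writes. The body of `firewall_start` starts and ends outside the hunk.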
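Review bot: The third hunk of patch 1 removes the `os.symlink(QUBES_FW_SCRIPT, QUBES_IPHOOK)` block unconditionally, although the subject limits the change to Qubes 4. With `QUBES_VER == 3` the anti-leak script is then no longer linked as `qubes-ip-change-hook`; if that hook is what re-applied the `tun+` DROP rules after an IP change, they may not be restored on Qubes 3. If Qubes 3 should keep the old behaviour, guard the block instead of deleting it: `if QUBES_VER == 3 and not os.path.exists(QUBES_IPHOOK):` followed by the existing `os.symlink(...)` line. Otherwise `QUBES_IPHOOK` appears unused in the visible code, and a symlink left behind by an earlier version is not cleaned up on Qubes 4. The `elif QUBES_VER == 3:` branch continues outside the hunk.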
From: Christopher Laprise
Date: Tue, 27 Mar 2018 06:31:30 -0400
Subject: [PATCH 2/4] Backup Qubes 3 script when replacing.
---
 src/leap/bitmask/vpn/helpers/linux/bitmask-root | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index cbb9ffa3..d27e7c8f 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -745,6 +745,8 @@ def firewall_start(args):
 if QUBES_VER == 4 and \
 not os.path.isdir(os.path.dirname(QUBES_FW_SCRIPT)):
 os.makedirs(os.path.dirname(QUBES_FW_SCRIPT))
+ if QUBES_VER == 3 and os.path.exists(QUBES_FW_SCRIPT):
+ os.rename(QUBES_FW_SCRIPT, QUBES_FW_SCRIPT + ".bak")
 with open(QUBES_FW_SCRIPT, mode="w") as qfile:
 qfile.write("#!/bin/sh\n")
 qfile.write("# Anti-leak rules installed by " + SCRIPT + " " \
From 199b2d71596b8ef588f38195d3aacac0b43a802d Mon Sep 17 00:00:00 2001
From: Christopher Laprise
Date: Sat, 31 Mar 2018 08:21:32 -0400
Subject: [PATCH 3/4] Fix path
---
 src/leap/bitmask/vpn/helpers/linux/bitmask-root | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index d27e7c8f..ba3f2e1c 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -160,7 +160,7 @@ if os.path.isdir("/etc/qubes"):
 QUBES_IPHOOK = QUBES_CFG + "qubes-ip-change-hook"
 if subprocess.call([IPTABLES, "--list", "QBS-FORWARD"]) == 0:
 QUBES_VER = 4
- QUBES_FW_SCRIPT = QUBES_CFG + "/qubes-firewall.d/90_tunnel-restrict"
+ QUBES_FW_SCRIPT = QUBES_CFG + "qubes-firewall.d/90_tunnel-restrict"
 else:
 QUBES_VER = 3
 QUBES_FW_SCRIPT = QUBES_CFG + "qubes-firewall-user-script"
From 35ab6488914596f7c7189de4f9943c6b3d0fa288 Mon Sep 17 00:00:00 2001
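Review bot: The backup added in patch 2 covers only `QUBES_VER == 3`. On Qubes 4, an existing `qubes-firewall.d/90_tunnel-restrict` that lacks the "installed by" marker is still truncated by `open(QUBES_FW_SCRIPT, mode="w")` with no copy kept. If skipping the backup there is deliberate (a renamed copy inside `qubes-firewall.d` might still be picked up and run, which I cannot confirm from this page), say so in a comment above the new `if`; otherwise keep a copy outside that directory before overwriting. A one-line comment such as `# preserve the user's own firewall script before replacing it` would also document why the rename sits ahead of the `open`. The enclosing `if` and `firewall_start` start outside the hunk.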
From: Christopher Laprise
Date: Fri, 6 Apr 2018 13:48:34 -0400
Subject: [PATCH 4/4] Check for bak file
---
 src/leap/bitmask/vpn/helpers/linux/bitmask-root | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index ba3f2e1c..2b1681a4 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -745,7 +745,8 @@ def firewall_start(args):
 if QUBES_VER == 4 and \
 not os.path.isdir(os.path.dirname(QUBES_FW_SCRIPT)):
 os.makedirs(os.path.dirname(QUBES_FW_SCRIPT))
- if QUBES_VER == 3 and os.path.exists(QUBES_FW_SCRIPT):
+ if QUBES_VER == 3 and os.path.exists(QUBES_FW_SCRIPT) \
+ and not os.path.exists(QUBES_FW_SCRIPT + ".bak"):
 os.rename(QUBES_FW_SCRIPT, QUBES_FW_SCRIPT + ".bak")
 with open(QUBES_FW_SCRIPT, mode="w") as qfile:
 qfile.write("#!/bin/sh\n")
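Review bot: With the added `and not os.path.exists(QUBES_FW_SCRIPT + ".bak")` the first backup is preserved, but when a `.bak` already exists the current script is overwritten by the `open(QUBES_FW_SCRIPT, mode="w")` below with no copy and no message. Judging by the grep guard shown in patch 1, this branch is reached only for a script that does not carry the helper's marker, so that case silently drops a user's own firewall rules. Consider a distinct name for later backups, or at least report that the existing script is being replaced. As a style point, bind the name once, `bak = QUBES_FW_SCRIPT + ".bak"`, instead of building it in both the test and the `os.rename` call. The enclosing block starts outside the hunk.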