Add a configuration variable for IPv6 firewall binaries

This is only relevant for iptables at the moment.

android/project/jni/config.h

@@ -32,6 +32,9 @@
 /* Path to firewall command executable (it should match the firewall type). */
 #define FIREWALL_EXE "/sbin/iptables"
 
+/* Path to firewall command executable for IPv6 (it should match the firewall type). */
+#define FIREWALL_EXE_IPV6 "/sbin/ip6tables"
+
 /* The firewall type: ipf. */
 /* #undef FIREWALL_IPF */
 

configure.ac

@@ -685,6 +685,24 @@ dnl
     ]
   )
 
+dnl Check for ip6tables
+dnl
+  AC_ARG_WITH([ip6tables],
+    [AS_HELP_STRING([--with-ip6tables=/path/to/ip6tables],
+      [Specify path to the ip6tables executable @<:@default=check path@:>@])],
+    [
+      AS_IF([ test "x$withval" = xno ], [],
+        AS_IF([ test "x$withval" = x -o "x$withval" = xyes ],
+          [AC_MSG_ERROR([--with-ip6tables requires an argument specifying a path to ip6tables])],
+          [ FORCE_IP6TABLES_EXE=$withval ]
+        )
+      )
+    ],
+    [
+      AC_PATH_PROG(IP6TABLES_EXE, [ip6tables], [], [$APP_PATH])
+    ]
+  )
+
 dnl Check for ipfw
 dnl
   AC_ARG_WITH([ipfw],
@@ -815,6 +833,9 @@ dnl
   AC_DEFINE_UNQUOTED([FIREWALL_EXE], ["$FIREWALL_EXE"],
     [Path to firewall command executable (it should match the firewall type).])
 
+  AC_DEFINE_UNQUOTED([FIREWALL_EXE_IPV6], ["$FIREWALL_EXE_IPV6"],
+    [Path to firewall command executable for IPv6 (it should match the firewall type).])
+
   ],
   [test "$want_server" = no], [
     use_ndbm=no

extras/openwrt/package/fwknop/Makefile

@@ -40,7 +40,8 @@ endef
 CONFIGURE_ARGS += \
        --disable-client \
        --without-gpgme \
-       --with-iptables=/usr/sbin/iptables
+       --with-iptables=/usr/sbin/iptables \
+       --with-ip6tables=/usr/sbin/ip6tables
 
 
 
@@ -108,6 +109,7 @@ define Build/Configure
 		--with-gpgme \
 		--with-gpg=/usr/bin/gpg \
 		--with-iptables=/usr/sbin/iptables \
+		--with-ip6tables=/usr/sbin/ip6tables \
 		--with-sh=/bin/sh \
 	)
 endef

iphone/Classes/config.h

@@ -26,6 +26,9 @@ Copyright (C) Max Kastanas 2010
 /* Path to firewall command executable (it should match the firewall type). */
 #define FIREWALL_EXE "/sbin/iptables"
 
+/* Path to firewall command executable for IPv6 (it should match the firewall type). */
+#define FIREWALL_EXE_IPV6 "/sbin/ip6tables"
+
 /* The firewall type: ipf. */
 /* #undef FIREWALL_IPF */
 

server/cmd_opts.h

@@ -142,6 +142,7 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
     "GPG_EXE",
     "SUDO_EXE",
     "FIREWALL_EXE",
+    "FIREWALL_EXE_IPV6",
     "VERBOSE",
 #if AFL_FUZZING
     "AFL_PKT_FILE",

server/fw_util_iptables.c

@@ -1031,6 +1031,7 @@ fw_config_init(fko_srv_options_t * const opts)
     /* Set our firewall exe command path (iptables in most cases).
     */
     strlcpy(fwc.fw_command, opts->config[CONF_FIREWALL_EXE], sizeof(fwc.fw_command));
+    strlcpy(fwc.fw_command6, opts->config[CONF_FIREWALL_EXE_IPV6], sizeof(fwc.fw_command6));
 
 #if HAVE_LIBFIU
     fiu_return_on("fw_config_init", 0);

server/fwknopd.conf

@@ -559,5 +559,6 @@
 #
 #FIREWALL_EXE                /bin/firewall-cmd;
 #FIREWALL_EXE                /sbin/iptables;
+#FIREWALL_EXE_IPV6           /sbin/ip6tables;
 
 ###EOF###

server/fwknopd_common.h

@@ -347,6 +347,7 @@ enum {
     CONF_GPG_EXE,
     CONF_SUDO_EXE,
     CONF_FIREWALL_EXE,
+    CONF_FIREWALL_EXE_IPV6,
     CONF_VERBOSE,
 #if AFL_FUZZING
     CONF_AFL_PKT_FILE,
@@ -521,6 +522,7 @@ typedef struct cmd_cycle_list
   struct fw_config {
       struct fw_chain chain[NUM_FWKNOP_ACCESS_TYPES];
       char            fw_command[MAX_PATH_LEN];
+      char            fw_command6[MAX_PATH_LEN];
 
       /* Flag for setting destination field in rule
       */

test/afl/test-cases/server-conf/iptables/fwknopd.conf

@@ -43,5 +43,6 @@ DIGEST_FILE                 /var/run/fwknop/digest.cache
 GPG_HOME_DIR                /root/.gnupg
 GPG_EXE                     /usr/bin/gpg
 FIREWALL_EXE                /sbin/iptables
+FIREWALL_EXE_IPV6           /sbin/ip6tables
 VERBOSE                     Y
 #FAULT_INJECTION_TAG         <not set>