Don't compile in IPv6 to the firewall when IPv6 is disabled.

Author: davidchisnall

lib/firewall/firewall.cc

@@ -12,6 +12,13 @@
 #include <timeout.hh>
 #include <vector>
 
+#if CHERIOT_RTOS_OPTION_IPv6 == true
+#	define ENABLE_IPV6
+#	define if_ipv6(x) x
+#else
+#	define if_ipv6(x)
+#endif
+
 namespace
 {
 	// TODO These should probably be in their own library.
@@ -48,8 +55,10 @@ namespace
 	enum class EtherType : uint16_t
 	{
 		IPv4 = 0x0008,
+#ifdef ENABLE_IPV6
 		IPv6 = 0xDD86,
-		ARP  = 0x0608,
+#endif
+		ARP = 0x0608,
 	};
 
 	const char *ethertype_as_string(EtherType etherType)
@@ -58,8 +67,10 @@ namespace
 		{
 			case EtherType::IPv4:
 				return "IPv4";
+#ifdef ENABLE_IPV6
 			case EtherType::IPv6:
 				return "IPv6";
+#endif
 			case EtherType::ARP:
 				return "ARP";
 			default:
@@ -479,15 +490,18 @@ namespace
 				}
 				return ret;
 			}
+#ifdef ENABLE_IPV6
 			// For now, permit all outbound IPv6 packets.
+			// FIXME: Check the firewall for IPv6!
 			case EtherType::IPv6:
 			{
 				Debug::log("Permitting outbound IPv6 packet");
 				return true;
 				break;
 			}
+#endif
 		}
-		return true;
+		return false;
 	}
 
 	bool packet_filter_ingress(const uint8_t *data, size_t length)
@@ -503,9 +517,12 @@ namespace
 		  reinterpret_cast<EthernetHeader *>(const_cast<uint8_t *>(data));
 		switch (ethernetHeader->etherType)
 		{
+#ifdef ENABLE_IPV6
 			// For now, testing with v6 disabled.
+			// FIXME: Check the firewall for IPv6!
 			case EtherType::IPv6:
 				return true;
+#endif
 			case EtherType::ARP:
 				Debug::log("Saw ARP frame");
 				return true;
@@ -704,6 +721,7 @@ namespace
 	}
 } // namespace
 
+#ifdef ENABLE_IPV6
 void firewall_add_tcpipv6_endpoint(uint8_t *remoteAddress,
                                    uint16_t localPort,
                                    uint16_t remotePort)
@@ -748,3 +766,5 @@ void firewall_remove_udpipv6_remote_endpoint(uint8_t *remoteAddress,
 		  IPProtocolNumber::UDP, *copy, localPort, remotePort);
 	}
 }
+
+#endif

lib/firewall/xmake.lua

@@ -1,6 +1,11 @@
 
 compartment("Firewall")
   add_includedirs("../../include")
+  on_load(function(target)
+    target:add('options', "IPv6")
+    local IPv6 = get_config("IPv6")
+    target:add("defines", "CHERIOT_RTOS_OPTION_IPv6=" .. tostring(IPv6))
+  end)
   --FIXME: The FreeRTOS compat headers need to work with this mode!
   --add_defines("CHERIOT_NO_AMBIENT_MALLOC", "CHERIOT_NO_NEW_DELETE")
   add_files("firewall.cc")

lib/netapi/NetAPI.cc

@@ -63,7 +63,15 @@ SObj network_socket_connect_tcp(Timeout *timeout,
 		Debug::log("Failed to resolve host");
 		return nullptr;
 	}
-	bool isIPv6       = address.kind == NetworkAddress::AddressKindIPv6;
+	bool isIPv6 = address.kind == NetworkAddress::AddressKindIPv6;
+	if constexpr (!UseIPv6)
+	{
+		if (isIPv6)
+		{
+			Debug::log("IPv6 is not supported");
+			return nullptr;
+		}
+	}
 	auto sealedSocket = network_socket_create_and_bind(
 	  timeout, mallocCapability, isIPv6, ConnectionTypeTCP);
 	auto kind = network_socket_kind(sealedSocket);
@@ -148,8 +156,16 @@ NetworkAddress network_socket_udp_authorise_host(Timeout *timeout,
 	}
 	if (isIPv6)
 	{
-		firewall_add_udpipv6_endpoint(
-		  address.ipv6, kind.localPort, ntohs(host->port));
+		if constexpr (!UseIPv6)
+		{
+			Debug::log("IPv6 is not supported");
+			return {NetworkAddress::AddressKindInvalid};
+		}
+		else
+		{
+			firewall_add_udpipv6_endpoint(
+			  address.ipv6, kind.localPort, ntohs(host->port));
+		}
 	}
 	else
 	{

lib/tcpip/network_wrapper.cc

@@ -580,7 +580,7 @@ int network_socket_close(Timeout *t, SObj mallocCapability, SObj sealedSocket)
 		  // happen in practice and has no impact for us.
 		  FreeRTOS_shutdown(socket->socket, FREERTOS_SHUT_RDWR);
 		  auto localPort = ntohs(socket->socket->usLocalPort);
-		  if (socket->socket->bits.bIsIPv6)
+		  if (UseIPv6 && socket->socket->bits.bIsIPv6)
 		  {
 			  if (isTCP)
 			  {