From 20e1ea379a1d17c5cca4811ef077baebc5ebfeaa Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Sat, 2 Sep 2023 19:29:47 +0200
Subject: [PATCH] Add options to enforce IPv4 or IPv6 connections to the local proxy
---
 cmdline.c | 32 ++++++++++++++++++++++++++++++--
 cmdline.h | 2 ++
 docs/proxytunnel.1.adoc | 6 ++++++
 proxytunnel.c | 4 ++++
 4 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/cmdline.c b/cmdline.c
index d646747..bf6f102 100644
--- a/cmdline.c
+++ b/cmdline.c
@@ -73,6 +73,8 @@ void cmdline_parser_print_help (void) {
 " -z, --no-check-certificate Don't verify server SSL certificate\n"
 " -C, --cacert=STRING Path to trusted CA certificate or directory\n"
 #endif
+" -4, --ipv4 Enforce IPv4 connection to local proxy\n"
+" -6, --ipv6 Enforce IPv6 connection to local proxy\n"
 " -F, --passfile=STRING File with credentials for proxy authentication\n"
 " -P, --proxyauth=STRING Proxy auth credentials user:pass combination\n"
 " -R, --remproxyauth=STRING Remote proxy auth credentials user:pass combination\n"
@@ -179,6 +181,8 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->host_arg = NULL; \
 args_info->no_check_cert_flag = 0; \
 args_info->cacert_arg = NULL; \
+ args_info->enforceipv4_flag = 0; \
+ args_info->enforceipv6_flag = 0; \
 }
 clear_args();
@@ -227,12 +231,14 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 { "no-ssl3", 0, NULL, 'T' },
 { "no-check-certificate",0,NULL,'z' },
 { "cacert", 1, NULL, 'C' },
+ { "ipv4", 0, NULL, '4' },
+ { "ipv6", 0, NULL, '6' },
 { NULL, 0, NULL, 0 }
 };
- c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:", long_options, &option_index);
+ c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:46", long_options, &option_index);
 #else
- c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:" );
+ c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:46" );
 #endif
 if (c == -1)
@@ -478,6 +484,28 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->cacert_arg = gengetopt_strdup (optarg);
 break;
+ case '4': /* Enforce IPv4 */
+ if ( args_info->enforceipv6_flag ) {
+ fprintf( stderr, "%s: `--ipv4' (`-4') conflicts with `--ipv6' (`-6')\n", PACKAGE );
+ clear_args();
+ exit(1);
+ }
+ args_info->enforceipv4_flag = 1;
+ if( args_info->verbose_flag )
+ message("IPv4 enforced\n");
+ break;
+
+ case '6': /* Enforce IPv6 */
+ if ( args_info->enforceipv4_flag ) {
+ fprintf( stderr, "%s: `--ipv6' (`-6') conflicts with `--ipv4' (`-4')\n", PACKAGE );
+ clear_args();
+ exit(1);
+ }
+ args_info->enforceipv6_flag = 1;
+ if( args_info->verbose_flag )
+ message("IPv6 enforced\n");
+ break;
+
 case 0: /* Long option with no short option */
 case '?': /* Invalid option. */
diff --git a/cmdline.h b/cmdline.h
index 6ce019a..d0fe282 100644
--- a/cmdline.h
+++ b/cmdline.h
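Review bot: In the new `case '4'` and `case '6'` branches of cmdline_parser, the "IPv4 enforced" / "IPv6 enforced" message is gated on `args_info->verbose_flag` at the moment the option is parsed, so it presumably prints only when `-v` comes before `-4`/`-6` on the command line (the place where verbose_flag is set is outside this hunk). An operator who runs with `-4 -v` to confirm that the address-family restriction is active would then get no confirmation in the log. Reporting the enforced family after option parsing has finished, or in tunnel_connect where `hints.ai_family` is set, would make the message independent of option order. The two branches differ only in the flag and the text, so a comment such as `/* -4 and -6 are mutually exclusive; whichever is given second is rejected */` above them would record the intent.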
@@ -53,6 +53,8 @@ struct gengetopt_args_info {
 int enforcetls1_flag; /* Override default and enforce TLSv1 */
 char *host_arg; /* Optional Host Header */
 int no_check_cert_flag; /* Turn off server SSL certificate verification (default=on) */
+ int enforceipv4_flag; /* Enforce IPv4 (default=off). */
+ int enforceipv6_flag; /* Enforce IPv6 (default=off). */
 char *cacert_arg; /* Trusted CA certificate (or directory) for server SSL certificate verification */
 int help_given; /* Whether help was given. */
 int version_given; /* Whether version was given. */
diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc
index 0be08f8..9649227 100644
--- a/docs/proxytunnel.1.adoc
+++ b/docs/proxytunnel.1.adoc
@@ -72,6 +72,12 @@ also be used for other proxy-traversing purposes like proxy bouncing.
 it must be prepared with OpenSSL's c_rehash tool. (default, unless changed at compile time using DEFAULT_CA_FILE or DEFAULT_CA_DIR options: /etc/ssl/certs)
+*-4*, *--ipv4*::
+ Enforce the use of IPv4 when connecting to the local proxy.
+
+*-6*, *--ipv6*::
+ Enforce the use of IPv6 when connecting to the local proxy.
+
 *-F*, *--passfile*=_filename_::
 Use _filename_ for reading username and password for HTTPS proxy authentication, the file uses the same format as .wgetrc and can be shared
diff --git a/proxytunnel.c b/proxytunnel.c
index e5127d8..514fde5 100644
--- a/proxytunnel.c
+++ b/proxytunnel.c
@@ -77,6 +77,10 @@ int tunnel_connect() {
 char service[6];
 int sd;
+ if ( args_info.enforceipv4_flag )
+ hints.ai_family = AF_INET;
+ else if ( args_info.enforceipv6_flag )
+ hints.ai_family = AF_INET6;
 rc = snprintf( service, sizeof(service), "%d", args_info.proxyport_arg );
 if( ( rc < 0 ) || ( rc >= sizeof(service) ) ) {
 /* this should never happen */
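Review bot: The added `if`/`else if` in tunnel_connect has no comment stating what "enforce" means here, and the intended behaviour is worth pinning down in the code. With `hints.ai_family` set to one family, a proxy name that has no address in that family presumably fails to resolve instead of falling back to the other family; the declaration of `hints` and the resolver call are outside this hunk, so this is inferred. I would add `/* -4/-6 restrict name resolution to one address family; there is no fallback to the other family */` above the block. The `else if` also relies on the mutual-exclusion check in cmdline_parser: if both flags were ever set through another path, IPv4 would win silently, which the comment could mention too.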