authorJussi Laakkonen <jussi.laakkonen@jolla.com>2018-11-08 15:23:46 +0200
committerDaniel Wagner <wagi@monom.org>2018-11-23 06:19:36 +0100
commitd6896e44e8157c237705bbcd6b87bdada50e5dc6 (patch)
treea94dbf3342b3939249ca47f216434ee5e89d439f /tools
parentd943eea699659932656da2963e7d8cf81265ad9f (diff)
downloadconnman-d6896e44e8157c237705bbcd6b87bdada50e5dc6.tar.gz
test: Add tests and test tool for IPv6 parts of iptables.c.
This commit adds tests for IPv6 enabled iptables. The tests are identical to the existing iptables tests, except IPv6 "nat" table rules are not tested as IPv6 NAT is not enabled. Also a test tool for IPv6 iptables (ip6tables-test) has been added, which is a clone of iptables-test. iptables-test.c has been modified to support the changes in iptables.c. Added ip6tables-save program to configure.ac and use of it in Makefile.am for the updated iptables-unit test.
Diffstat (limited to 'tools')
-rw-r--r--tools/ip6tables-test.c163
-rw-r--r--tools/iptables-test.c19
-rw-r--r--tools/iptables-unit.c486
3 files changed, 570 insertions, 98 deletions
diff --git a/tools/ip6tables-test.c b/tools/ip6tables-test.c
new file mode 100644
index 00000000..41e842dd
--- /dev/null
+++ b/tools/ip6tables-test.c
@@ -0,0 +1,163 @@
+/*
+ * Connection Manager
+ *
+ * Copyright (C) 2007-2012 Intel Corporation. All rights reserved.
+ * Copyright (C) 2013 BMW Car IT GmbH.
+ * Copyright (C) 2018 Jolla Ltd. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ */
+
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <glib.h>
+
+#include "../src/connman.h"
+
+enum iptables_command {
+ IPTABLES_COMMAND_APPEND,
+ IPTABLES_COMMAND_INSERT,
+ IPTABLES_COMMAND_DELETE,
+ IPTABLES_COMMAND_POLICY,
+ IPTABLES_COMMAND_CHAIN_INSERT,
+ IPTABLES_COMMAND_CHAIN_DELETE,
+ IPTABLES_COMMAND_CHAIN_FLUSH,
+ IPTABLES_COMMAND_DUMP,
+ IPTABLES_COMMAND_UNKNOWN,
+};
+
+int main(int argc, char *argv[])
+{
+ enum iptables_command cmd = IPTABLES_COMMAND_UNKNOWN;
+ char *table = NULL, *chain = NULL, *rule = NULL, *tmp;
+ int err, c, i;
+
+ opterr = 0;
+
+ while ((c = getopt_long(argc, argv,
+ "-A:I:D:P:N:X:F:Lt:", NULL, NULL)) != -1) {
+ switch (c) {
+ case 'A':
+ chain = optarg;
+ cmd = IPTABLES_COMMAND_APPEND;
+ break;
+ case 'I':
+ chain = optarg;
+ cmd = IPTABLES_COMMAND_INSERT;
+ break;
+ case 'D':
+ chain = optarg;
+ cmd = IPTABLES_COMMAND_DELETE;
+ break;
+ case 'P':
+ chain = optarg;
+ /* The policy will be stored in rule. */
+ cmd = IPTABLES_COMMAND_POLICY;
+ break;
+ case 'N':
+ chain = optarg;
+ cmd = IPTABLES_COMMAND_CHAIN_INSERT;
+ break;
+ case 'X':
+ chain = optarg;
+ cmd = IPTABLES_COMMAND_CHAIN_DELETE;
+ break;
+ case 'F':
+ chain = optarg;
+ cmd = IPTABLES_COMMAND_CHAIN_FLUSH;
+ break;
+ case 'L':
+ cmd = IPTABLES_COMMAND_DUMP;
+ break;
+ case 't':
+ table = optarg;
+ break;
+ default:
+ goto out;
+ }
+ }
+
+out:
+ if (!table)
+ table = "filter";
+
+ for (i = optind - 1; i < argc; i++) {
+ if (rule) {
+ tmp = rule;
+ rule = g_strdup_printf("%s %s", rule, argv[i]);
+ g_free(tmp);
+ } else
+ rule = g_strdup(argv[i]);
+ }
+
+ __connman_iptables_init();
+
+ switch (cmd) {
+ case IPTABLES_COMMAND_APPEND:
+ err = __connman_iptables_append(AF_INET6, table, chain, rule);
+ break;
+ case IPTABLES_COMMAND_INSERT:
+ err = __connman_iptables_insert(AF_INET6, table, chain, rule);
+ break;
+ case IPTABLES_COMMAND_DELETE:
+ err = __connman_iptables_delete(AF_INET6, table, chain, rule);
+ break;
+ case IPTABLES_COMMAND_POLICY:
+ err = __connman_iptables_change_policy(AF_INET6, table, chain,
+ rule);
+ break;
+ case IPTABLES_COMMAND_CHAIN_INSERT:
+ err = __connman_iptables_new_chain(AF_INET6, table, chain);
+ break;
+ case IPTABLES_COMMAND_CHAIN_DELETE:
+ err = __connman_iptables_delete_chain(AF_INET6, table, chain);
+ break;
+ case IPTABLES_COMMAND_CHAIN_FLUSH:
+ err = __connman_iptables_flush_chain(AF_INET6, table, chain);
+ break;
+ case IPTABLES_COMMAND_DUMP:
+ __connman_log_init(argv[0], "*", false, false,
+ "ip6tables-test", "1");
+ err = __connman_iptables_dump(AF_INET6, table);
+ break;
+ case IPTABLES_COMMAND_UNKNOWN:
+ printf("Missing command\n");
+ printf("usage: ip6tables-test [-t table] {-A|-I|-D} chain rule\n");
+ printf(" ip6tables-test [-t table] {-N|-X|-F} chain\n");
+ printf(" ip6tables-test [-t table] -L\n");
+ printf(" ip6tables-test [-t table] -P chain target\n");
+ exit(-EINVAL);
+ }
+
+ if (err < 0) {
+ printf("Error: %s\n", strerror(-err));
+ exit(err);
+ }
+
+ err = __connman_iptables_commit(AF_INET6, table);
+ if (err < 0) {
+ printf("Failed to commit changes: %s\n", strerror(-err));
+ exit(err);
+ }
+
+ g_free(rule);
+
+ __connman_iptables_cleanup();
+
+ return 0;
+}
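Review bot: main() in this new file is a copy of tools/iptables-test.c with AF_INET6 substituted in the eight `__connman_iptables_*` calls of the command switch (the same substitution the iptables-test.c hunks make with AF_INET), so the two tools will drift apart the next time the iptables API changes; one source with `int family = AF_INET6;` chosen by a `-6` option or by the `argv[0]` basename would keep a single copy. The file calls `strerror()` in both error branches and uses `AF_INET6` without including `<string.h>` or `<sys/socket.h>`; it presumably compiles because `../src/connman.h` pulls them in transitively, but a file that uses them directly should include them itself. `exit(-EINVAL)` in the usage branch and `exit(err)` with a negative errno value give the shell only the low 8 bits of the status (-EINVAL shows up as 234), so a script cannot tell failures apart; `exit(EXIT_FAILURE)` after the message that is already printed is what a caller can test for. A one-line header comment would also help, e.g. `/* ip6tables-test: drive connman's IPv6 iptables API from the command line; iptables-test.c is the IPv4 twin. */`.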
diff --git a/tools/iptables-test.c b/tools/iptables-test.c
index 2df53ccd..e9b7cb22 100644
--- a/tools/iptables-test.c
+++ b/tools/iptables-test.c
@@ -108,30 +108,31 @@ out:
switch (cmd) {
case IPTABLES_COMMAND_APPEND:
- err = __connman_iptables_append(table, chain, rule);
+ err = __connman_iptables_append(AF_INET, table, chain, rule);
break;
case IPTABLES_COMMAND_INSERT:
- err = __connman_iptables_insert(table, chain, rule);
+ err = __connman_iptables_insert(AF_INET, table, chain, rule);
break;
case IPTABLES_COMMAND_DELETE:
- err = __connman_iptables_delete(table, chain, rule);
+ err = __connman_iptables_delete(AF_INET, table, chain, rule);
break;
case IPTABLES_COMMAND_POLICY:
- err = __connman_iptables_change_policy(table, chain, rule);
+ err = __connman_iptables_change_policy(AF_INET, table, chain,
+ rule);
break;
case IPTABLES_COMMAND_CHAIN_INSERT:
- err = __connman_iptables_new_chain(table, chain);
+ err = __connman_iptables_new_chain(AF_INET, table, chain);
break;
case IPTABLES_COMMAND_CHAIN_DELETE:
- err = __connman_iptables_delete_chain(table, chain);
+ err = __connman_iptables_delete_chain(AF_INET, table, chain);
break;
case IPTABLES_COMMAND_CHAIN_FLUSH:
- err = __connman_iptables_flush_chain(table, chain);
+ err = __connman_iptables_flush_chain(AF_INET, table, chain);
break;
case IPTABLES_COMMAND_DUMP:
__connman_log_init(argv[0], "*", false, false,
"iptables-test", "1");
- err = __connman_iptables_dump(table);
+ err = __connman_iptables_dump(AF_INET, table);
break;
case IPTABLES_COMMAND_UNKNOWN:
printf("Missing command\n");
@@ -147,7 +148,7 @@ out:
exit(err);
}
- err = __connman_iptables_commit(table);
+ err = __connman_iptables_commit(AF_INET, table);
if (err < 0) {
printf("Failed to commit changes: %s\n", strerror(-err));
exit(err);
diff --git a/tools/iptables-unit.c b/tools/iptables-unit.c
index 0ab42491..b91591f2 100644
--- a/tools/iptables-unit.c
+++ b/tools/iptables-unit.c
@@ -28,14 +28,24 @@
#include "../src/connman.h"
-static bool assert_rule(const char *table_name, const char *rule)
+static bool assert_rule(int type, const char *table_name, const char *rule)
{
char *cmd, *output, **lines;
GError **error = NULL;
int i;
bool ret = true;
- cmd = g_strdup_printf(IPTABLES_SAVE " -t %s", table_name);
+ switch (type) {
+ case AF_INET:
+ cmd = g_strdup_printf(IPTABLES_SAVE " -t %s", table_name);
+ break;
+ case AF_INET6:
+ cmd = g_strdup_printf(IP6TABLES_SAVE " -t %s", table_name);
+ break;
+ default:
+ return false;
+ }
+
g_spawn_command_line_sync(cmd, &output, NULL, NULL, error);
g_free(cmd);
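Review bot: The new `default: return false;` in assert_rule() makes an unsupported `type` indistinguishable from "rule absent", so `g_assert(!assert_rule(type, ...))` in assert_rule_not_exists() passes vacuously for any value other than AF_INET/AF_INET6 instead of failing the test; in a test helper that branch should be `default: g_assert_not_reached();`. assert_rule() continues past this hunk, and the visible `g_spawn_command_line_sync(cmd, &output, NULL, NULL, error)` call is made with `error == NULL` and its gboolean result discarded, so a missing or failing save binary (now two of them) reads as "rule not found" rather than as a spawn error; a `g_assert` on the return value would separate the two. A short doc comment such as `/* Run iptables-save or ip6tables-save (by type) for table_name and look for rule in its output. */` would document the contract the callers rely on.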
@@ -57,67 +67,87 @@ static bool assert_rule(const char *table_name, const char *rule)
return ret;
}
-static void assert_rule_exists(const char *table_name, const char *rule)
+static void assert_rule_exists(int type, const char *table_name,
+ const char *rule)
{
- if (g_strcmp0(IPTABLES_SAVE, "") == 0) {
- DBG("iptables-save is missing, no assertion possible");
- return;
+ if (type == AF_INET) {
+ if (g_strcmp0(IPTABLES_SAVE, "") == 0) {
+ DBG("iptables-save is missing, no assertion possible");
+ return;
+ }
}
- g_assert(assert_rule(table_name, rule));
+ if (type == AF_INET6) {
+ if (g_strcmp0(IP6TABLES_SAVE, "") == 0) {
+ DBG("ip6tables-save is missing, no assertion possible");
+ return;
+ }
+ }
+
+ g_assert(assert_rule(type, table_name, rule));
}
-static void assert_rule_not_exists(const char *table_name, const char *rule)
+static void assert_rule_not_exists(int type, const char *table_name,
+ const char *rule)
{
- if (g_strcmp0(IPTABLES_SAVE, "") == 0) {
- DBG("iptables-save is missing, no assertion possible");
- return;
+ if (type == AF_INET) {
+ if (g_strcmp0(IPTABLES_SAVE, "") == 0) {
+ DBG("iptables-save is missing, no assertion possible");
+ return;
+ }
+ }
+
+ if (type == AF_INET6) {
+ if (g_strcmp0(IP6TABLES_SAVE, "") == 0) {
+ DBG("ip6tables-save is missing, no assertion possible");
+ return;
+ }
}
- g_assert(!assert_rule(table_name, rule));
+ g_assert(!assert_rule(type, table_name, rule));
}
static void test_iptables_chain0(void)
{
int err;
- err = __connman_iptables_new_chain("filter", "foo");
+ err = __connman_iptables_new_chain(AF_INET, "filter", "foo");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter", ":foo - [0:0]");
+ assert_rule_exists(AF_INET, "filter", ":foo - [0:0]");
- err = __connman_iptables_delete_chain("filter", "foo");
+ err = __connman_iptables_delete_chain(AF_INET, "filter", "foo");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_not_exists("filter", ":foo - [0:0]");
+ assert_rule_not_exists(AF_INET, "filter", ":foo - [0:0]");
}
static void test_iptables_chain1(void)
{
int err;
- err = __connman_iptables_new_chain("filter", "foo");
+ err = __connman_iptables_new_chain(AF_INET, "filter", "foo");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- err = __connman_iptables_flush_chain("filter", "foo");
+ err = __connman_iptables_flush_chain(AF_INET, "filter", "foo");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- err = __connman_iptables_delete_chain("filter", "foo");
+ err = __connman_iptables_delete_chain(AF_INET, "filter", "foo");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
}
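Review bot: The "save tool is missing" guard is now spelled out twice in assert_rule_exists() and twice more in assert_rule_not_exists(), with only the macro and the DBG text differing; a single static helper that answers whether the save tool for `type` is configured reduces each assert function to a guard plus its g_assert and gives the next family one place to add. The helper below is one way to write it; both assert functions then begin with `if (!save_tool_available(type)) return;`. Note that when the tool is absent the assertion is skipped with only a DBG line and the test case still reports success; `g_test_skip()` would make the skipped verification visible in the test output.
```c
/* True when the *-save binary for this address family was found at
 * configure time; without it a rule assertion cannot be verified. */
static bool save_tool_available(int type)
{
	switch (type) {
	case AF_INET:
		if (g_strcmp0(IPTABLES_SAVE, "") == 0) {
			DBG("iptables-save is missing, no assertion possible");
			return false;
		}
		return true;
	case AF_INET6:
		if (g_strcmp0(IP6TABLES_SAVE, "") == 0) {
			DBG("ip6tables-save is missing, no assertion possible");
			return false;
		}
		return true;
	default:
		/* keep the original behaviour: other values reach assert_rule() */
		return true;
	}
}

static void assert_rule_exists(int type, const char *table_name,
				const char *rule)
{
	if (!save_tool_available(type))
		return;

	g_assert(assert_rule(type, table_name, rule));
}

/* … unchanged: assert_rule_not_exists mirrors this with g_assert(!...) … */
```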
@@ -125,16 +155,16 @@ static void test_iptables_chain2(void)
{
int err;
- err = __connman_iptables_change_policy("filter", "INPUT", "DROP");
+ err = __connman_iptables_change_policy(AF_INET, "filter", "INPUT", "DROP");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- err = __connman_iptables_change_policy("filter", "INPUT", "ACCEPT");
+ err = __connman_iptables_change_policy(AF_INET, "filter", "INPUT", "ACCEPT");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
}
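Review bot: Both `__connman_iptables_change_policy(AF_INET, "filter", "INPUT", ...)` lines in test_iptables_chain2() now run past 80 columns, while the IPv6 twin test_ip6tables_chain2() added by the same commit wraps the target onto its own line; wrapping these the same way keeps the file consistent. `err = __connman_iptables_change_policy(AF_INET, "filter", "INPUT",` followed by `"DROP");` on the continuation line (and likewise for `"ACCEPT"`).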
@@ -142,39 +172,39 @@ static void test_iptables_chain3(void)
{
int err;
- err = __connman_iptables_new_chain("filter", "user-chain-0");
+ err = __connman_iptables_new_chain(AF_INET, "filter", "user-chain-0");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter", ":user-chain-0 - [0:0]");
+ assert_rule_exists(AF_INET, "filter", ":user-chain-0 - [0:0]");
- err = __connman_iptables_new_chain("filter", "user-chain-1");
+ err = __connman_iptables_new_chain(AF_INET, "filter", "user-chain-1");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter", ":user-chain-0 - [0:0]");
- assert_rule_exists("filter", ":user-chain-1 - [0:0]");
+ assert_rule_exists(AF_INET, "filter", ":user-chain-0 - [0:0]");
+ assert_rule_exists(AF_INET, "filter", ":user-chain-1 - [0:0]");
- err = __connman_iptables_delete_chain("filter", "user-chain-1");
+ err = __connman_iptables_delete_chain(AF_INET, "filter", "user-chain-1");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter", ":user-chain-0 - [0:0]");
- assert_rule_not_exists("filter", ":user-chain-1 - [0:0]");
+ assert_rule_exists(AF_INET, "filter", ":user-chain-0 - [0:0]");
+ assert_rule_not_exists(AF_INET, "filter", ":user-chain-1 - [0:0]");
- err = __connman_iptables_delete_chain("filter", "user-chain-0");
+ err = __connman_iptables_delete_chain(AF_INET, "filter", "user-chain-0");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_not_exists("filter", ":user-chain-0 - [0:0]");
+ assert_rule_not_exists(AF_INET, "filter", ":user-chain-0 - [0:0]");
}
static void test_iptables_rule0(void)
@@ -183,24 +213,24 @@ static void test_iptables_rule0(void)
/* Test simple appending and removing a rule */
- err = __connman_iptables_append("filter", "INPUT",
+ err = __connman_iptables_append(AF_INET, "filter", "INPUT",
"-m mark --mark 1 -j LOG");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter",
+ assert_rule_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
- err = __connman_iptables_delete("filter", "INPUT",
+ err = __connman_iptables_delete(AF_INET, "filter", "INPUT",
"-m mark --mark 1 -j LOG");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_not_exists("filter",
+ assert_rule_not_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
}
@@ -210,22 +240,22 @@ static void test_iptables_rule1(void)
/* Test if we can do NAT stuff */
- err = __connman_iptables_append("nat", "POSTROUTING",
+ err = __connman_iptables_append(AF_INET, "nat", "POSTROUTING",
"-s 10.10.1.0/24 -o eth0 -j MASQUERADE");
- err = __connman_iptables_commit("nat");
+ err = __connman_iptables_commit(AF_INET, "nat");
g_assert(err == 0);
- assert_rule_exists("nat",
+ assert_rule_exists(AF_INET, "nat",
"-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE");
- err = __connman_iptables_delete("nat", "POSTROUTING",
+ err = __connman_iptables_delete(AF_INET, "nat", "POSTROUTING",
"-s 10.10.1.0/24 -o eth0 -j MASQUERADE");
- err = __connman_iptables_commit("nat");
+ err = __connman_iptables_commit(AF_INET, "nat");
g_assert(err == 0);
- assert_rule_not_exists("nat",
+ assert_rule_not_exists(AF_INET, "nat",
"-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE");
}
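Review bot: The results of the `__connman_iptables_append(AF_INET, "nat", ...)` and `__connman_iptables_delete(AF_INET, "nat", ...)` calls in test_iptables_rule1() are overwritten by the following commit without being checked, so a failing append or delete is caught only indirectly through the save-output assertion, and not at all when iptables-save is absent; every other rule test checks each step. Add `g_assert(err == 0);` directly after each of the two calls, matching test_iptables_rule0(). test_iptables_rule1() begins before this hunk.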
@@ -235,48 +265,48 @@ static void test_iptables_rule2(void)
/* Test if the right rule is removed */
- err = __connman_iptables_append("filter", "INPUT",
+ err = __connman_iptables_append(AF_INET, "filter", "INPUT",
"-m mark --mark 1 -j LOG");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter",
+ assert_rule_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
- err = __connman_iptables_append("filter", "INPUT",
+ err = __connman_iptables_append(AF_INET, "filter", "INPUT",
"-m mark --mark 2 -j LOG");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter",
+ assert_rule_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
- assert_rule_exists("filter",
+ assert_rule_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x2 -j LOG");
- err = __connman_iptables_delete("filter", "INPUT",
+ err = __connman_iptables_delete(AF_INET, "filter", "INPUT",
"-m mark --mark 2 -j LOG");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter",
+ assert_rule_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
- assert_rule_not_exists("filter",
+ assert_rule_not_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x2 -j LOG");
- err = __connman_iptables_delete("filter", "INPUT",
+ err = __connman_iptables_delete(AF_INET, "filter", "INPUT",
"-m mark --mark 1 -j LOG");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_not_exists("filter",
+ assert_rule_not_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
}
@@ -286,36 +316,306 @@ static void test_iptables_target0(void)
/* Test if 'fallthrough' targets work */
- err = __connman_iptables_append("filter", "INPUT",
+ err = __connman_iptables_append(AF_INET, "filter", "INPUT",
+ "-m mark --mark 1");
+ g_assert(err == 0);
+
+ err = __connman_iptables_append(AF_INET, "filter", "INPUT",
+ "-m mark --mark 2");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET, "filter", "-A INPUT -m mark --mark 0x1");
+ assert_rule_exists(AF_INET, "filter", "-A INPUT -m mark --mark 0x2");
+
+ err = __connman_iptables_delete(AF_INET, "filter", "INPUT",
+ "-m mark --mark 1");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET, "filter");
+ g_assert(err == 0);
+
+ err = __connman_iptables_delete(AF_INET, "filter", "INPUT",
+ "-m mark --mark 2");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET, "filter");
+ g_assert(err == 0);
+
+ assert_rule_not_exists(AF_INET, "filter",
+ "-A INPUT -m mark --mark 0x1");
+ assert_rule_not_exists(AF_INET, "filter",
+ "-A INPUT -m mark --mark 0x2");
+}
+
+static void test_ip6tables_chain0(void)
+{
+ int err;
+
+ err = __connman_iptables_new_chain(AF_INET6, "filter", "foo");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter", ":foo - [0:0]");
+
+ err = __connman_iptables_delete_chain(AF_INET6, "filter", "foo");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_not_exists(AF_INET6, "filter", ":foo - [0:0]");
+}
+
+static void test_ip6tables_chain1(void)
+{
+ int err;
+
+ err = __connman_iptables_new_chain(AF_INET6, "filter", "foo");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ err = __connman_iptables_flush_chain(AF_INET6, "filter", "foo");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ err = __connman_iptables_delete_chain(AF_INET6, "filter", "foo");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+}
+
+static void test_ip6tables_chain2(void)
+{
+ int err;
+
+ err = __connman_iptables_change_policy(AF_INET6, "filter", "INPUT",
+ "DROP");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ err = __connman_iptables_change_policy(AF_INET6, "filter", "INPUT",
+ "ACCEPT");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+}
+
+static void test_ip6tables_chain3(void)
+{
+ int err;
+
+ err = __connman_iptables_new_chain(AF_INET6, "filter", "user-chain-0");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter", ":user-chain-0 - [0:0]");
+
+ err = __connman_iptables_new_chain(AF_INET6, "filter", "user-chain-1");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter", ":user-chain-0 - [0:0]");
+ assert_rule_exists(AF_INET6, "filter", ":user-chain-1 - [0:0]");
+
+ err = __connman_iptables_delete_chain(AF_INET6, "filter",
+ "user-chain-1");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter", ":user-chain-0 - [0:0]");
+ assert_rule_not_exists(AF_INET6, "filter", ":user-chain-1 - [0:0]");
+
+ err = __connman_iptables_delete_chain(AF_INET6, "filter",
+ "user-chain-0");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_not_exists(AF_INET6, "filter", ":user-chain-0 - [0:0]");
+}
+
+static void test_ip6tables_rule0(void)
+{
+ int err;
+
+ /* Test simple appending and removing a rule */
+
+ err = __connman_iptables_append(AF_INET6, "filter", "INPUT",
+ "-m mark --mark 1 -j LOG");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x1 -j LOG");
+
+ err = __connman_iptables_delete(AF_INET6, "filter", "INPUT",
+ "-m mark --mark 1 -j LOG");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_not_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x1 -j LOG");
+}
+
+static void test_ip6tables_rule1(void)
+{
+ int err;
+
+ /* Test if the right rule is removed */
+
+ err = __connman_iptables_append(AF_INET6, "filter", "INPUT",
+ "-m mark --mark 1 -j LOG");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x1 -j LOG");
+
+ err = __connman_iptables_append(AF_INET6, "filter", "INPUT",
+ "-m mark --mark 2 -j LOG");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x1 -j LOG");
+ assert_rule_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x2 -j LOG");
+
+ err = __connman_iptables_delete(AF_INET6, "filter", "INPUT",
+ "-m mark --mark 2 -j LOG");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x1 -j LOG");
+ assert_rule_not_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x2 -j LOG");
+
+ err = __connman_iptables_delete(AF_INET6, "filter", "INPUT",
+ "-m mark --mark 1 -j LOG");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_not_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x1 -j LOG");
+}
+
+static void test_ip6tables_rule2(void)
+{
+ int err;
+
+ err = __connman_iptables_append(AF_INET6, "filter", "INPUT",
+ "-p icmpv6 -m icmpv6 "
+ "--icmpv6-type 128/0 -j DROP");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter", "-A INPUT -p ipv6-icmp "
+ "-m icmp6 --icmpv6-type 128/0 -j DROP");
+
+ err = __connman_iptables_append(AF_INET6, "filter", "OUTPUT",
+ "-p icmpv6 -m icmpv6 "
+ "--icmpv6-type 129/0 -j DROP");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter", "-A OUTPUT -p ipv6-icmp "
+ "-m icmp6 --icmpv6-type 129/0 -j DROP");
+
+ err = __connman_iptables_delete(AF_INET6, "filter", "INPUT",
+ "-p icmpv6 -m icmpv6 "
+ "--icmpv6-type 128/0 -j DROP");
+
+ g_assert(err == 0);
+
+ err = __connman_iptables_delete(AF_INET6, "filter", "OUTPUT",
+ "-p icmpv6 -m icmpv6 "
+ "--icmpv6-type 129/0 -j DROP");
+
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+
+ g_assert(err == 0);
+
+}
+
+static void test_ip6tables_target0(void)
+{
+ int err;
+
+ /* Test if 'fallthrough' targets work */
+
+ err = __connman_iptables_append(AF_INET6, "filter", "INPUT",
"-m mark --mark 1");
g_assert(err == 0);
- err = __connman_iptables_append("filter", "INPUT",
+ err = __connman_iptables_append(AF_INET6, "filter", "INPUT",
"-m mark --mark 2");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET6, "filter");
g_assert(err == 0);
- assert_rule_exists("filter", "-A INPUT -m mark --mark 0x1");
- assert_rule_exists("filter", "-A INPUT -m mark --mark 0x2");
+ assert_rule_exists(AF_INET6, "filter", "-A INPUT -m mark --mark 0x1");
+ assert_rule_exists(AF_INET6, "filter", "-A INPUT -m mark --mark 0x2");
- err = __connman_iptables_delete("filter", "INPUT",
+ err = __connman_iptables_delete(AF_INET6, "filter", "INPUT",
"-m mark --mark 1");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET6, "filter");
g_assert(err == 0);
- err = __connman_iptables_delete("filter", "INPUT",
+ err = __connman_iptables_delete(AF_INET6, "filter", "INPUT",
"-m mark --mark 2");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET6, "filter");
g_assert(err == 0);
- assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x1");
- assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x2");
+ assert_rule_not_exists(AF_INET6, "filter", "-A INPUT "
+ "-m mark --mark 0x1");
+ assert_rule_not_exists(AF_INET6, "filter", "-A INPUT "
+ "-m mark --mark 0x2");
}
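Review bot: test_ip6tables_rule2() asserts that the two ICMPv6 rules exist after the appends but never asserts that they are gone after the deletes and the final commit, unlike every other rule test in the file, so a delete that silently does nothing would still pass; after the last `g_assert(err == 0)` add `assert_rule_not_exists(AF_INET6, "filter", "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j DROP");` and the matching `-A OUTPUT ... 129/0` line. The expected strings also encode how the save output spells `-p icmpv6 -m icmpv6` (as `-p ipv6-icmp -m icmp6`); that rewriting is presumably done by ip6tables-save rather than by iptables.c, so a comment saying so beside the first assert_rule_exists would spare the next reader a search through the connman sources. The same function has stray blank lines between calls and their `g_assert`, and between a commit and its assert, which none of the sibling tests have. test_iptables_target0() begins before this hunk.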
const struct connman_notifier *nat_notifier;
@@ -349,24 +649,24 @@ static void test_nat_basic0(void)
g_assert(err == 0);
/* test that table is empty */
- err = __connman_iptables_append("nat", "POSTROUTING",
+ err = __connman_iptables_append(AF_INET, "nat", "POSTROUTING",
"-s 192.168.2.1/24 -o eth0 -j MASQUERADE");
g_assert(err == 0);
- err = __connman_iptables_commit("nat");
+ err = __connman_iptables_commit(AF_INET, "nat");
g_assert(err == 0);
- assert_rule_exists("nat",
+ assert_rule_exists(AF_INET, "nat",
"-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE");
- err = __connman_iptables_delete("nat", "POSTROUTING",
+ err = __connman_iptables_delete(AF_INET, "nat", "POSTROUTING",
"-s 192.168.2.1/24 -o eth0 -j MASQUERADE");
g_assert(err == 0);
- err = __connman_iptables_commit("nat");
+ err = __connman_iptables_commit(AF_INET, "nat");
g_assert(err == 0);
- assert_rule_not_exists("nat",
+ assert_rule_not_exists(AF_INET, "nat",
"-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE");
__connman_nat_disable("bridge");
@@ -386,21 +686,21 @@ static void test_nat_basic1(void)
g_assert(err == 0);
/* test that table is not empty */
- err = __connman_iptables_append("nat", "POSTROUTING",
+ err = __connman_iptables_append(AF_INET, "nat", "POSTROUTING",
"-s 192.168.2.1/24 -o eth0 -j MASQUERADE");
g_assert(err == 0);
- err = __connman_iptables_commit("nat");
+ err = __connman_iptables_commit(AF_INET, "nat");
g_assert(err == 0);
__connman_nat_disable("bridge");
/* test that table is empty again */
- err = __connman_iptables_delete("nat", "POSTROUTING",
+ err = __connman_iptables_delete(AF_INET, "nat", "POSTROUTING",
"-s 192.168.2.1/24 -o eth0 -j MASQUERADE");
g_assert(err == 0);
- err = __connman_iptables_commit("nat");
+ err = __connman_iptables_commit(AF_INET, "nat");
g_assert(err == 0);
g_free(service);
@@ -462,6 +762,14 @@ int main(int argc, char *argv[])
g_test_add_func("/iptables/rule1", test_iptables_rule1);
g_test_add_func("/iptables/rule2", test_iptables_rule2);
g_test_add_func("/iptables/target0", test_iptables_target0);
+ g_test_add_func("/ip6tables/chain0", test_ip6tables_chain0);
+ g_test_add_func("/ip6tables/chain1", test_ip6tables_chain1);
+ g_test_add_func("/ip6tables/chain2", test_ip6tables_chain2);
+ g_test_add_func("/ip6tables/chain3", test_ip6tables_chain3);
+ g_test_add_func("/ip6tables/rule0", test_ip6tables_rule0);
+ g_test_add_func("/ip6tables/rule1", test_ip6tables_rule1);
+ g_test_add_func("/ip6tables/rule2", test_ip6tables_rule2);
+ g_test_add_func("/ip6tables/target0", test_ip6tables_target0);
g_test_add_func("/nat/basic0", test_nat_basic0);
g_test_add_func("/nat/basic1", test_nat_basic1);