From 9b10160d9cc64f1f6ae0a1b2d21be955ea21f484 Mon Sep 17 00:00:00 2001
From: Peter Gerber <pgerber@tocco.ch>
Date: Sat, 21 Feb 2026 08:54:00 +0100
Subject: [PATCH] security/acme-client: adjust to new disableipv6 property

`ipv6allow` was renamed to `disableipv6`. It is now always set
and its meaning was flipped.
---
 .../OPNsense/AcmeClient/LeValidation/HttpOpnsense.php | 11 +++--------
 .../OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php  | 11 +++--------
 .../OPNsense/AcmeClient/lighttpd-acme-challenge.conf  |  2 +-
 3 files changed, 7 insertions(+), 17 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
index bbb2cb594..3db1dae60 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -28,6 +28,8 @@
 
 namespace OPNsense\AcmeClient\LeValidation;
 
+require_once('util.inc');
+
 use OPNsense\AcmeClient\LeValidationInterface;
 use OPNsense\AcmeClient\LeUtils;
 use OPNsense\Core\Config;
@@ -87,13 +89,6 @@ class HttpOpnsense extends Base implements LeValidationInterface
             }
         }
 
-        // Check if IPv6 support is enabled
-        if (isset($configObj->system->ipv6allow) && ($configObj->system->ipv6allow == '1')) {
-            $_ipv6_enabled = true;
-        } else {
-            $_ipv6_enabled = false;
-        }
-
         // Generate rules for all IP addresses
         $anchor_rules = "";
         if (!empty($iplist)) {
@@ -105,7 +100,7 @@ class HttpOpnsense extends Base implements LeValidationInterface
                     $_dst = '127.0.0.1';
                     $_family = 'inet';
                     LeUtils::log("using IPv4 address: {$ip}");
-                } elseif (($_ipv6_enabled == true) && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
+                } elseif (is_ipv6_allowed() && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
                     // IPv6
                     $_dst = '::1';
                     $_family = 'inet6';
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
index f662e90a2..fb9d4794d 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
@@ -28,6 +28,8 @@
 
 namespace OPNsense\AcmeClient\LeValidation;
 
+require_once('util.inc');
+
 use OPNsense\AcmeClient\LeValidationInterface;
 use OPNsense\AcmeClient\LeUtils;
 use OPNsense\Core\Config;
@@ -88,13 +90,6 @@ class TlsalpnAcme extends Base implements LeValidationInterface
             }
         }
 
-        // Check if IPv6 support is enabled
-        if (isset($configObj->system->ipv6allow) && ($configObj->system->ipv6allow == '1')) {
-            $_ipv6_enabled = true;
-        } else {
-            $_ipv6_enabled = false;
-        }
-
         // Generate rules for all IP addresses
         $anchor_rules = "";
         if (!empty($iplist)) {
@@ -106,7 +101,7 @@ class TlsalpnAcme extends Base implements LeValidationInterface
                     $_dst = '127.0.0.1';
                     $_family = 'inet';
                     LeUtils::log("using IPv4 address: {$ip}");
-                } elseif (($_ipv6_enabled == true) && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
+                } elseif (is_ipv6_allowed() && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
                     // IPv6
                     $_dst = '::1';
                     $_family = 'inet6';
diff --git a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
index b59553e26..605f7e3fe 100644
--- a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
+++ b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
@@ -64,7 +64,7 @@ server.bind = "127.0.0.1"
 server.port = {{OPNsense.AcmeClient.settings.challengePort}}
 $SERVER["socket"]  == "127.0.0.1:{{OPNsense.AcmeClient.settings.challengePort}}" { }
 
-{% if helpers.exists('system.ipv6allow') and system.ipv6allow|default("0") == "1" %}
+{% if OPNsense.Interfaces.settings.disableipv6 == "0" %}
 # IPv6
 $SERVER["socket"]  == "[::1]:{{OPNsense.AcmeClient.settings.challengePort}}" { }
 {% endif %}