Open sfionov opened 1 week ago
Seems that IPv6 is not filtered on older devices which do not have an IPv6 NAT table.
They do not show the AdGuard certificate.
To reproduce, you should use a rooted device without a `nat` table in `ip6tables`.
In this case AG falls back to the older TPROXY method.
But it seems that the rules are created incorrectly:
`ip -6 rule` shows that AG uses two fwmarks - 0x1a and 0x1b:

```
8000: from all fwmark 0x1a lookup 800
8001: from all fwmark 0x1b lookup 800
```

But `ip6tables-save` shows different marks:

```
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 53 -j MARK --set-xmark 0x1b/0xffffffff
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 80:5221 -j MARK --set-xmark 0x1c/0xffffffff
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 5299:65535 -j MARK --set-xmark 0x1c/0xffffffff
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1b -j TPROXY --on-port 1152 --on-ip ::1 --tproxy-mark 0x0/0x0
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1c -j TPROXY --on-port 41551 --on-ip ::1 --tproxy-mark 0x0/0x0
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1c -j TPROXY --on-port 41551 --on-ip ::1 --tproxy-mark 0x0/0x0
```

So, output traffic is marked as 0x1c which is not handled in `ip -6 rule`.
At some point, marks were desynchronized, breaking IPv6 filtering.
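A consistency check for the mismatch described in the report, written as an added example (not part of the report and not AdGuard's own code): it parses the two command outputs quoted above and lists marks that a MARK target sets or a TPROXY rule matches but that no `ip -6 rule` routes, and marks that are routed but never set. The sample outputs are constructed from the report's text (the repeated TPROXY line dropped); chain names and mark values are the report's own.

```python
import re

# Constructed sample input: the two command outputs quoted in the report above.
IP6_RULE = """\
8000: from all fwmark 0x1a lookup 800
8001: from all fwmark 0x1b lookup 800
"""
IP6TABLES_SAVE = """\
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 53 -j MARK --set-xmark 0x1b/0xffffffff
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 80:5221 -j MARK --set-xmark 0x1c/0xffffffff
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 5299:65535 -j MARK --set-xmark 0x1c/0xffffffff
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1b -j TPROXY --on-port 1152 --on-ip ::1 --tproxy-mark 0x0/0x0
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1c -j TPROXY --on-port 41551 --on-ip ::1 --tproxy-mark 0x0/0x0
"""

# "fwmark 0x1a" or "fwmark 0x1a/0xffffffff" in `ip -6 rule` output
FWMARK_RE = re.compile(r"\bfwmark\s+(0x[0-9a-f]+)", re.I)
# marks written by MARK targets and matched by TPROXY rules in ip6tables-save output
SET_MARK_RE = re.compile(r"-j MARK --set-xmark (0x[0-9a-f]+)/", re.I)
MATCH_MARK_RE = re.compile(r"-m mark --mark (0x[0-9a-f]+)", re.I)

def routed_marks(ip_rule_out):
    """Marks that have a policy-routing rule (the packet is re-routed to the TPROXY table)."""
    return {int(m, 16) for m in FWMARK_RE.findall(ip_rule_out)}

def set_marks(save_out):
    """Marks that some MARK target assigns to outgoing packets."""
    return {int(m, 16) for m in SET_MARK_RE.findall(save_out)}

def tproxy_marks(save_out):
    """Marks that a TPROXY rule expects to see in PREROUTING."""
    return {int(m, 16) for line in save_out.splitlines() if "-j TPROXY" in line
            for m in MATCH_MARK_RE.findall(line)}

def check_marks(ip_rule_out, save_out):
    """Report marks present on one side of the setup but missing on the other."""
    routed, assigned, expected = routed_marks(ip_rule_out), set_marks(save_out), tproxy_marks(save_out)
    return {
        # set in OUTPUT, but no ip rule sends such packets to the TPROXY table
        "set_but_not_routed": [hex(m) for m in sorted(assigned - routed)],
        # matched by a TPROXY rule, but no ip rule delivers such packets to it
        "tproxy_but_not_routed": [hex(m) for m in sorted(expected - routed)],
        # an ip rule exists, but nothing ever sets that mark
        "routed_but_never_set": [hex(m) for m in sorted(routed - assigned)],
    }

if __name__ == "__main__":
    for problem, marks in check_marks(IP6_RULE, IP6TABLES_SAVE).items():
        print(f"{problem}: {marks or 'none'}")
```

On a live device the same functions can be fed the real output of `ip -6 rule` and `ip6tables-save`; any non-empty list is a mark that will never reach its TPROXY socket.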