AdguardTeam / AdguardForAndroid

Open bug tracker for Android version of AdGuard.
https://adguard.com/

TPROXY IPv6 filtering method is broken in version 4.5 #5370

Open sfionov opened 1 week ago

sfionov commented 1 week ago

Seems that IPv6 is not filtered on older devices which do not have an IPv6 NAT table.

They do not show the AdGuard certificate.

To reproduce, you should use a rooted device without a nat table in ip6tables.

In this case AG falls back to the older TPROXY method.

But it seems that the rules are created incorrectly:

`ip -6 rule` shows that AG uses two fwmarks - 0x1a and 0x1b:

```
8000:   from all fwmark 0x1a lookup 800
8001:   from all fwmark 0x1b lookup 800
```

But `ip6tables-save` shows different marks:

```
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 53 -j MARK --set-xmark 0x1b/0xffffffff
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 80:5221 -j MARK --set-xmark 0x1c/0xffffffff
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 5299:65535 -j MARK --set-xmark 0x1c/0xffffffff
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1b -j TPROXY --on-port 1152 --on-ip ::1 --tproxy-mark 0x0/0x0
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1c -j TPROXY --on-port 41551 --on-ip ::1 --tproxy-mark 0x0/0x0
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1c -j TPROXY --on-port 41551 --on-ip ::1 --tproxy-mark 0x0/0x0
```

So, output traffic is marked as 0x1c, which is not handled in `ip -6 rule`.

At some point, the marks became desynchronized, breaking IPv6 filtering.
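The mismatch above can be checked mechanically. The following script is an added example, not part of the issue or of AdGuard's own code: it parses captured `ip -6 rule` and `ip6tables-save` output (the sample input is the text posted in this issue, embedded inline), computes the mark each packet carries after the `MARK --set-xmark` and `TPROXY --tproxy-mark` targets using the xtables semantics `mark = (mark & ~mask) ^ value`, and reports every mark that no `fwmark ... lookup` policy-routing rule will route, plus routing rules whose mark nothing ever sets. It goes slightly beyond the issue in that it honours `value/mask` forms on both sides rather than only exact marks. Function and constant names are this example's own.

```python
"""Consistency check: ip -6 rule fwmarks vs. ip6tables MARK / TPROXY marks.

Added example for the AdGuard issue above; not AdGuard code. Run it on a host
against output captured from the device (e.g. via `adb shell su -c ...`).
"""
import re
from dataclasses import dataclass

# Sample output, copied from the issue and embedded here as constructed input.
IP6_RULE_OUTPUT = """\
8000:   from all fwmark 0x1a lookup 800
8001:   from all fwmark 0x1b lookup 800
"""

IP6TABLES_SAVE_OUTPUT = """\
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 53 -j MARK --set-xmark 0x1b/0xffffffff
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 80:5221 -j MARK --set-xmark 0x1c/0xffffffff
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 5299:65535 -j MARK --set-xmark 0x1c/0xffffffff
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1b -j TPROXY --on-port 1152 --on-ip ::1 --tproxy-mark 0x0/0x0
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1c -j TPROXY --on-port 41551 --on-ip ::1 --tproxy-mark 0x0/0x0
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1c -j TPROXY --on-port 41551 --on-ip ::1 --tproxy-mark 0x0/0x0
"""

FULL_MASK = 0xFFFFFFFF
HEX = r"(0x[0-9a-fA-F]+)"
_FWMARK_RE = re.compile(rf"\bfwmark {HEX}(?:/{HEX})?\b.*\blookup\b")
_SET_XMARK_RE = re.compile(rf"-j MARK --set-xmark {HEX}/{HEX}")
_MARK_MATCH_RE = re.compile(rf"-m mark --mark {HEX}(?:/{HEX})?")
_TPROXY_MARK_RE = re.compile(rf"-j TPROXY\b.*--tproxy-mark {HEX}/{HEX}")


@dataclass(frozen=True)
class FwmarkRule:
    """One `from all fwmark VALUE[/MASK] lookup TABLE` policy-routing rule."""
    value: int
    mask: int  # FULL_MASK when the rule carries no explicit mask

    def matches(self, mark: int) -> bool:
        return (mark & self.mask) == (self.value & self.mask)


def _hex(s: str) -> int:
    return int(s, 16)


def apply_xmark(mark: int, value: int, mask: int) -> int:
    """xtables semantics shared by MARK --set-xmark and TPROXY --tproxy-mark."""
    return ((mark & ~mask) ^ value) & FULL_MASK


def parse_ip_rules(ip_rule_text: str) -> list[FwmarkRule]:
    rules = []
    for line in ip_rule_text.splitlines():
        m = _FWMARK_RE.search(line)
        if m:
            mask = _hex(m.group(2)) if m.group(2) else FULL_MASK
            rules.append(FwmarkRule(_hex(m.group(1)), mask))
    return rules


def marks_set_by_output(save_text: str, initial_mark: int = 0) -> set[int]:
    """Marks produced by MARK --set-xmark rules; fresh OUTPUT packets start at 0."""
    marks = set()
    for line in save_text.splitlines():
        m = _SET_XMARK_RE.search(line)
        if m:
            marks.add(apply_xmark(initial_mark, _hex(m.group(1)), _hex(m.group(2))))
    return marks


def marks_after_tproxy(save_text: str) -> set[int]:
    """For each `-m mark --mark X ... -j TPROXY --tproxy-mark V/M` rule, the mark
    the packet carries afterwards, i.e. what policy routing sees. A masked
    `--mark X/M` match is approximated by X itself (assumption for this example)."""
    marks = set()
    for line in save_text.splitlines():
        mm, tm = _MARK_MATCH_RE.search(line), _TPROXY_MARK_RE.search(line)
        if mm and tm:
            marks.add(apply_xmark(_hex(mm.group(1)), _hex(tm.group(1)), _hex(tm.group(2))))
    return marks


def is_routed(mark: int, rules: list[FwmarkRule]) -> bool:
    return any(r.matches(mark) for r in rules)


def check_mark_consistency(ip_rule_text: str, save_text: str) -> dict:
    """Returns the marks that are routed, set but unrouted, TPROXY'd but unrouted,
    and routed by a rule that nothing in ip6tables ever sets."""
    rules = parse_ip_rules(ip_rule_text)
    set_marks = marks_set_by_output(save_text)
    tproxy_marks = marks_after_tproxy(save_text)
    return {
        "routed": {r.value for r in rules},
        "unrouted_output_marks": {m for m in set_marks if not is_routed(m, rules)},
        "unrouted_tproxy_marks": {m for m in tproxy_marks if not is_routed(m, rules)},
        "unused_routed_marks": {r.value for r in rules
                                if r.value not in set_marks and r.value not in tproxy_marks},
    }


if __name__ == "__main__":
    for key, marks in check_mark_consistency(IP6_RULE_OUTPUT, IP6TABLES_SAVE_OUTPUT).items():
        print(f"{key}: {sorted(hex(m) for m in marks)}")
```

On the posted output the check reports 0x1c as set by `ADGUARD_OUTPUT` and matched by `ADGUARD_PREROUTING` but routed by no `ip -6 rule`, and 0x1a as routed but never set; because the TPROXY rules use `--tproxy-mark 0x0/0x0` the mark is left unchanged, so a missing fwmark rule for 0x1c means those packets never reach table 800.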