TPROXY IPv6 filtering method is broken in version 4.5 #5370

Open
sfionov opened this issue Jun 21, 2024 · 0 comments
sfionov commented Jun 21, 2024

Seems that IPv6 is not filtered on older devices which do not have an IPv6 NAT table.

They do not show the AdGuard certificate.

To reproduce, you should use a rooted device without a nat table in ip6tables.

In this case AG falls back to the older TPROXY method.

But it seems that the rules are created incorrectly:

ip -6 rule shows that AG uses two fwmarks - 0x1a and 0x1b:

8000:	from all fwmark 0x1a lookup 800 
8001:	from all fwmark 0x1b lookup 800 

But ip6tables-save shows other marks:

-A ADGUARD_OUTPUT -p tcp -m tcp --dport 53 -j MARK --set-xmark 0x1b/0xffffffff
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 80:5221 -j MARK --set-xmark 0x1c/0xffffffff
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 5299:65535 -j MARK --set-xmark 0x1c/0xffffffff
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1b -j TPROXY --on-port 1152 --on-ip ::1 --tproxy-mark 0x0/0x0
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1c -j TPROXY --on-port 41551 --on-ip ::1 --tproxy-mark 0x0/0x0
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1c -j TPROXY --on-port 41551 --on-ip ::1 --tproxy-mark 0x0/0x0

So, output traffic is marked as 0x1c which is not handled in ip -6 rule.

At some point, marks were desynchronized, breaking IPv6 filtering.
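As an added diagnostic (not part of this report or of AdGuard's own code), a small Python check that parses the two outputs quoted above and reports marks set by the OUTPUT chain that no `ip -6 rule` entry routes, which is exactly the 0x1c desync described. The sample outputs are constructed copies of the lines quoted in the report; the mark-only parsing of `--set-xmark` is an assumption that the mask covers the whole value, as it does here.

```python
import re

# Constructed copies of the outputs quoted in the issue.
IP6_RULE_OUTPUT = """\
8000:\tfrom all fwmark 0x1a lookup 800
8001:\tfrom all fwmark 0x1b lookup 800
"""

IP6TABLES_SAVE_OUTPUT = """\
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 53 -j MARK --set-xmark 0x1b/0xffffffff
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 80:5221 -j MARK --set-xmark 0x1c/0xffffffff
-A ADGUARD_OUTPUT -p tcp -m tcp --dport 5299:65535 -j MARK --set-xmark 0x1c/0xffffffff
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1b -j TPROXY --on-port 1152 --on-ip ::1 --tproxy-mark 0x0/0x0
-A ADGUARD_PREROUTING -p tcp -m mark --mark 0x1c -j TPROXY --on-port 41551 --on-ip ::1 --tproxy-mark 0x0/0x0
"""

FWMARK_RE = re.compile(r"\bfwmark\s+(0x[0-9a-fA-F]+|\d+)")
SET_XMARK_RE = re.compile(r"-j MARK --set-xmark (0x[0-9a-fA-F]+)(?:/(0x[0-9a-fA-F]+))?")
TPROXY_MARK_RE = re.compile(r"-m mark --mark (0x[0-9a-fA-F]+|\d+)\S* -j TPROXY")


def routed_marks(ip_rule_output):
    """Marks that have a policy-routing rule (from `ip -6 rule`)."""
    return {int(m.group(1), 0) for m in FWMARK_RE.finditer(ip_rule_output)}


def output_marks(ip6tables_output):
    """Marks that MARK --set-xmark applies (value masked, mask defaults to all bits)."""
    marks = set()
    for m in SET_XMARK_RE.finditer(ip6tables_output):
        value = int(m.group(1), 16)
        mask = int(m.group(2), 16) if m.group(2) else 0xFFFFFFFF
        marks.add(value & mask)
    return marks


def tproxy_marks(ip6tables_output):
    """Marks that PREROUTING hands to the TPROXY target."""
    return {int(m.group(1), 0) for m in TPROXY_MARK_RE.finditer(ip6tables_output)}


def unrouted_marks(ip_rule_output, ip6tables_output):
    """Marks set on traffic but with no fwmark rule: packets never reach table 800 / TPROXY."""
    return output_marks(ip6tables_output) - routed_marks(ip_rule_output)


def stale_rule_marks(ip_rule_output, ip6tables_output):
    """fwmark rules that no MARK target ever sets (dead routing entries)."""
    return routed_marks(ip_rule_output) - output_marks(ip6tables_output)
```

On the quoted outputs this flags 0x1c as marked but unrouted and 0x1a as routed but never set, matching the desync in the report.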
