Yes I remember the headches with the FreshJR script while running IPV6.Today, my family and I were streaming a program and I was disappointed to see it was being classified as Web Surfing, despite my custom rule for all traffic from the streaming device to be classified as Streaming.
After some analysis of the Tracked Connections from the device, I determined that the stream was happening over IPv6, so it eluded my IPv4-based iptables rule for the device. Sad.
After reviewing my old notes and posts from the FreshJR thread I was reminded of the difficulty creating iptables rules for local IPv6 addresses because in most cases, the addresses are random and change frequently for privacy. Hence, any iptables rule in FlexQoS that includes a local or remote IPv4 address isn’t applied to IPv6 traffic.
So I’m on a bit of a quest to solve this puzzle. Since we cannot rely on a stable, predictable IPv6 address, we need to figure out what we have to work with. MAC address is the obvious missing link, but not available in the POSTROUTING table.
I found a clever post at OpenWRT that has put me on an interesting track using ipsets. I’m only experimenting with manual commands at this point, but this is the approach I’m pursuing (it’s a work-in-progress so not necessarily efficient or fully thought through yet):
It remains to be seen if this is workable for every situation involving local IPs. But so far it seems to be capturing the idle phone home traffic that the Amazon Firestick is doing while I type this.
- We know the local IPv4 address for a device. Derive the MAC address of the IPv4 address.
- Create a hash:mac ipset to hold the MAC address for up to 1 day (my lease duration).
ipset create firestick-mac hash:mac timeout 86400
- Create an iptables rule to capture the MAC address when the known IPv4 address initiates a new connection anywhere.
iptables -t mangle -I PREROUTING -m conntrack --ctstate NEW -s 192.168.50.7 -j SET --add-set firestick-mac src --exist
- Create a hash:ip ipset for IPv6 address for the device to hold the temporary IPv6 addresses as they change, for up to 1 hour.
ipset create firestick hash:ip family inet6 timeout 3600
- Create an ip6tables rule to capture the local IPv6 address when the MAC address initiates a connection.
ip6tables -t mangle -I PREROUTING -m conntrack --ctstate NEW -m set --match-set firestick-mac src -j SET --add-set firestick src --exist
- As the device initiates connections, the firestick ipset should always contain the most recent IPv6 addresses it has been assigned. Now we can use that firestick ipset in an ip6tables rule to capture my streaming traffic.
- Create ip6tables rules to mimic the IPv4 rule I setup in the FlexQoS GUI.
ip6tables -t mangle -A FlexQoS -o br0 -m set --match-set firestick dst -p tcp -j MARK --set-xmark 0x8004ffff/0xc03fffff ip6tables -t mangle -A FlexQoS -o eth0 -m set --match-set firestick src -p tcp -j MARK --set-xmark 0x4004ffff/0xc03fffff
There’s no reward for keeping this half-baked idea to myself, so I post it for anyone to comment on or test themselves if they follow the logic. FreshJR always said he had some ideas how to solve this, but never elaborated.Code:# ip6tables -t mangle -nvL FlexQoS Chain FlexQoS (1 references) pkts bytes target prot opt in out source destination 0 0 MARK udp * br0 ::/0 ::/0 multiport dports 500,4500 multiport sports 500,4500 MARK xset 0x8006ffff/0xc03fffff 0 0 MARK udp * eth0 ::/0 ::/0 multiport sports 500,4500 multiport dports 500,4500 MARK xset 0x4006ffff/0xc03fffff 0 0 MARK udp * br0 ::/0 ::/0 multiport sports 3478:3481 mark match 0x80000000/0xc03fffff MARK xset 0x8006ffff/0xc03fffff 0 0 MARK udp * eth0 ::/0 ::/0 multiport dports 3478:3481 mark match 0x40000000/0xc03fffff MARK xset 0x4006ffff/0xc03fffff 40 4060 MARK tcp * br0 ::/0 ::/0 match-set firestick dst MARK xset 0x8004ffff/0xc03fffff 149 12608 MARK tcp * eth0 ::/0 ::/0 match-set firestick src MARK xset 0x4004ffff/0xc03fffff
I eventually just disabled IPV6 since the gaming rules would also not apply. Guess it's the same for streaming.
I see your currently testing the possibility of workaround with IPV6....will you include this in a future beta Flex script test or it has to de done manually at this time?
Thanks!