[Bug] After updating to 0.46.015, IPv6 TCP direct-connection traffic fails with "error: reject loopback connection" #3924

Closed
5 of 7 tasks
jelly21fish opened this issue Jun 16, 2024 · 3 comments
Labels
bug Something isn't working

jelly21fish commented Jun 16, 2024

Verify Steps

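  • Tracker: I have searched the Issue Tracker for the problem I am about to report
  • Branch: I know that the switch for OpenClash's Dev branch is under Plugin Settings - Version Update, or I can manually download and install the Dev branch of OpenClash
  • Latest: I have tested with the latest Dev version and the problem still exists
  • Relevant: I know that OpenClash has no direct relationship with the core (Core), the dashboard (Dashboard), the online subscription converter (Subconverter) and similar projects; they only call one another
  • Definite: This is definitely a problem in OpenClash
  • Contributors: I am able to help with OpenClash development and resolve this issue
  • Meaningless: What I am submitting is a meaningless request urging an update or a fix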

OpenClash Version

v0.46.015-beta

Bug on Environment

Immortalwrt

OpenWrt Version

ImmortalWrt 23.05.2 r27625-416c8c5c91

Bug on Platform

Linux-arm64

Describe the Bug

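Many thanks to @vernesong who, after seeing my issue #3919, fixed the problem that IPv6 proxying of the router's own traffic did not take effect in non-TUN mode: 9d5e4d0

However, after upgrading to v0.46.015, IPv6 TCP direct connections fail for me. The log shows that the IPv6 TCP connection request is resolved by the router, the router then initiates a direct connection to the target IP (normally it should connect to the domain name?), and then the error "error: reject loopback connection" appears.

IPv6 UDP traffic and TCP traffic that goes through the proxy have no problem, though. The IPv6 proxy problem for the router's own traffic has indeed been solved~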

To Reproduce

1) The device can access ipv6.baidu.com normally
2) Enable IPv6 proxy and IPv6 DNS resolution, and select tproxy or redirect mode
3) The device cannot access ipv6.baidu.com

OpenClash Log

OpenClash 调试日志

生成时间: 2024-06-17 00:38:22
插件版本: v0.46.015-beta
隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息



#===================== 系统信息 =====================#

主机型号: FriendlyElec NanoPi R2S
固件版本: ImmortalWrt 23.05.2 r27625-416c8c5c91
LuCI版本: git-24.086.26304-1d8fc03
内核版本: 5.15.150
处理器架构: aarch64_generic

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: server

DNS劫持: Dnsmasq 转发
#DNS劫持为Dnsmasq时,此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 未安装
libcap-bin: 未安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 已安装
unzip: 已安装
kmod-nft-tproxy: 已安装

#===================== 内核检查 =====================#

运行状态: 运行中
运行内核:Meta
进程pid: 6968
运行权限: 6968: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-arm64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2023.08.17-13-gdcc8d87
Tun内核文件: 存在
Tun内核运行权限: 正常

Dev内核版本: v1.18.0-13-gd034a40
Dev内核文件: 存在
Dev内核运行权限: 正常

Meta内核版本: alpha-g40f40f6
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/config.yaml
启动配置文件: /etc/openclash/config.yaml
运行模式: fake-ip
默认代理模式: rule
UDP流量转发(tproxy): 启用
自定义DNS: 停用
IPV6代理: 启用
IPV6-DNS解析: 启用
禁用Dnsmasq缓存: 启用
自定义规则: 启用
仅允许内网: 启用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 配置文件 =====================#

mode: rule
redir-port: 7892
tproxy-port: 7895
mixed-port: 7893
allow-lan: true
log-level: debug
ipv6: true
external-controller: 0.0.0.0:9090
external-ui: "/usr/share/openclash/ui"
dns:
  enable: true
  ipv6: true
  listen: 0.0.0.0:7874
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  nameserver:
  - 223.5.5.5
  fake-ip-filter:
  - dns.msftncsi.com
  - www.msftncsi.com
  - www.msftconnecttest.com
proxy-groups:
- name: Proxy
  type: select
  proxies:
  - 新加坡01
  - 新加坡02
  - 日本01
  - 日本02
  url: http://www.gstatic.com/generate_204
  interval: 86400
rules:
- DST-PORT,7895,REJECT
- DST-PORT,7892,REJECT
- IP-CIDR,198.18.0.1/16,REJECT,no-resolve
- DOMAIN-SUFFIX,services.googleapis.cn,Proxy
- DOMAIN-SUFFIX,xn--ngstr-lra8j.com,Proxy
- DOMAIN,safebrowsing.urlsec.qq.com,DIRECT
- DOMAIN,safebrowsing.googleapis.com,DIRECT
- DOMAIN,developer.apple.com,Proxy
- DOMAIN-SUFFIX,digicert.com,Proxy
- DOMAIN,ocsp.apple.com,Proxy
- DOMAIN,ocsp.comodoca.com,Proxy
- DOMAIN,ocsp.usertrust.com,Proxy
- DOMAIN,ocsp.sectigo.com,Proxy
- DOMAIN,ocsp.verisign.net,Proxy
- DOMAIN-SUFFIX,apple-dns.net,Proxy
- DOMAIN,testflight.apple.com,Proxy
- DOMAIN,sandbox.itunes.apple.com,Proxy
- DOMAIN,itunes.apple.com,Proxy
- DOMAIN-SUFFIX,apps.apple.com,Proxy
- DOMAIN-SUFFIX,blobstore.apple.com,Proxy
- DOMAIN,cvws.icloud-content.com,Proxy
- DOMAIN-SUFFIX,mzstatic.com,DIRECT
- DOMAIN-SUFFIX,itunes.apple.com,DIRECT
- DOMAIN-SUFFIX,icloud.com,DIRECT
- DOMAIN-SUFFIX,icloud-content.com,DIRECT
- DOMAIN-SUFFIX,me.com,DIRECT
- DOMAIN-SUFFIX,aaplimg.com,DIRECT
- DOMAIN-SUFFIX,cdn20.com,DIRECT
- DOMAIN-SUFFIX,cdn-apple.com,DIRECT
- DOMAIN-SUFFIX,akadns.net,DIRECT
- DOMAIN-SUFFIX,akamaiedge.net,DIRECT
- DOMAIN-SUFFIX,edgekey.net,DIRECT
- DOMAIN-SUFFIX,mwcloudcdn.com,DIRECT
- DOMAIN-SUFFIX,mwcname.com,DIRECT
- DOMAIN-SUFFIX,apple.com,DIRECT
- DOMAIN-SUFFIX,apple-cloudkit.com,DIRECT
- DOMAIN-SUFFIX,apple-mapkit.com,DIRECT
- DOMAIN-SUFFIX,126.com,DIRECT
- DOMAIN-SUFFIX,126.net,DIRECT
- DOMAIN-SUFFIX,127.net,DIRECT
- DOMAIN-SUFFIX,163.com,DIRECT
- DOMAIN-SUFFIX,360buyimg.com,DIRECT
- DOMAIN-SUFFIX,36kr.com,DIRECT
- DOMAIN-SUFFIX,acfun.tv,DIRECT
- DOMAIN-SUFFIX,air-matters.com,DIRECT
- DOMAIN-SUFFIX,aixifan.com,DIRECT
- DOMAIN-KEYWORD,alicdn,DIRECT
- DOMAIN-KEYWORD,alipay,DIRECT
- DOMAIN-KEYWORD,taobao,DIRECT
- DOMAIN-SUFFIX,amap.com,DIRECT
- DOMAIN-SUFFIX,autonavi.com,DIRECT
- DOMAIN-KEYWORD,baidu,DIRECT
- DOMAIN-SUFFIX,bdimg.com,DIRECT
- DOMAIN-SUFFIX,bdstatic.com,DIRECT
- DOMAIN-SUFFIX,bilibili.com,DIRECT
- DOMAIN-SUFFIX,bilivideo.com,DIRECT
- DOMAIN-SUFFIX,caiyunapp.com,DIRECT
- DOMAIN-SUFFIX,clouddn.com,DIRECT
- DOMAIN-SUFFIX,cnbeta.com,DIRECT
- DOMAIN-SUFFIX,cnbetacdn.com,DIRECT
- DOMAIN-SUFFIX,cootekservice.com,DIRECT
- DOMAIN-SUFFIX,csdn.net,DIRECT
- DOMAIN-SUFFIX,ctrip.com,DIRECT
- DOMAIN-SUFFIX,dgtle.com,DIRECT
- DOMAIN-SUFFIX,dianping.com,DIRECT
- DOMAIN-SUFFIX,douban.com,DIRECT
- DOMAIN-SUFFIX,doubanio.com,DIRECT
- DOMAIN-SUFFIX,duokan.com,DIRECT
- DOMAIN-SUFFIX,easou.com,DIRECT
- DOMAIN-SUFFIX,ele.me,DIRECT
- DOMAIN-SUFFIX,feng.com,DIRECT
- DOMAIN-SUFFIX,fir.im,DIRECT
- DOMAIN-SUFFIX,frdic.com,DIRECT
- DOMAIN-SUFFIX,g-cores.com,DIRECT
- DOMAIN-SUFFIX,godic.net,DIRECT
- DOMAIN-SUFFIX,gtimg.com,DIRECT
- DOMAIN,cdn.hockeyapp.net,DIRECT
- DOMAIN-SUFFIX,hongxiu.com,DIRECT
- DOMAIN-SUFFIX,hxcdn.net,DIRECT
- DOMAIN-SUFFIX,iciba.com,DIRECT
- DOMAIN-SUFFIX,ifeng.com,DIRECT
- DOMAIN-SUFFIX,ifengimg.com,DIRECT
- DOMAIN-SUFFIX,ipip.net,DIRECT
- DOMAIN-SUFFIX,iqiyi.com,DIRECT
- DOMAIN-SUFFIX,jd.com,DIRECT
- DOMAIN-SUFFIX,jianshu.com,DIRECT
- DOMAIN-SUFFIX,knewone.com,DIRECT
- DOMAIN-SUFFIX,le.com,DIRECT
- DOMAIN-SUFFIX,lecloud.com,DIRECT
- DOMAIN-SUFFIX,lemicp.com,DIRECT
- DOMAIN-SUFFIX,licdn.com,DIRECT
- DOMAIN-SUFFIX,luoo.net,DIRECT
- DOMAIN-SUFFIX,meituan.com,DIRECT
- DOMAIN-SUFFIX,meituan.net,DIRECT
- DOMAIN-SUFFIX,mi.com,DIRECT
- DOMAIN-SUFFIX,miaopai.com,DIRECT
- DOMAIN-SUFFIX,microsoft.com,DIRECT
- DOMAIN-SUFFIX,microsoftonline.com,DIRECT
- DOMAIN-SUFFIX,miui.com,DIRECT
- DOMAIN-SUFFIX,miwifi.com,DIRECT
- DOMAIN-SUFFIX,mob.com,DIRECT
- DOMAIN-SUFFIX,netease.com,DIRECT
- DOMAIN-SUFFIX,office.com,DIRECT
- DOMAIN-SUFFIX,office365.com,DIRECT
- DOMAIN-KEYWORD,officecdn,DIRECT
- DOMAIN-SUFFIX,oschina.net,DIRECT
- DOMAIN-SUFFIX,ppsimg.com,DIRECT
- DOMAIN-SUFFIX,pstatp.com,DIRECT
- DOMAIN-SUFFIX,qcloud.com,DIRECT
- DOMAIN-SUFFIX,qdaily.com,DIRECT
- DOMAIN-SUFFIX,qdmm.com,DIRECT
- DOMAIN-SUFFIX,qhimg.com,DIRECT
- DOMAIN-SUFFIX,qhres.com,DIRECT
- DOMAIN-SUFFIX,qidian.com,DIRECT
- DOMAIN-SUFFIX,qihucdn.com,DIRECT
- DOMAIN-SUFFIX,qiniu.com,DIRECT
- DOMAIN-SUFFIX,qiniucdn.com,DIRECT
- DOMAIN-SUFFIX,qiyipic.com,DIRECT
- DOMAIN-SUFFIX,qq.com,DIRECT
- DOMAIN-SUFFIX,qqurl.com,DIRECT
- DOMAIN-SUFFIX,rarbg.to,DIRECT
- DOMAIN-SUFFIX,ruguoapp.com,DIRECT
- DOMAIN-SUFFIX,segmentfault.com,DIRECT
- DOMAIN-SUFFIX,sinaapp.com,DIRECT
- DOMAIN-SUFFIX,smzdm.com,DIRECT
- DOMAIN-SUFFIX,snapdrop.net,DIRECT
- DOMAIN-SUFFIX,sogou.com,DIRECT
- DOMAIN-SUFFIX,sogoucdn.com,DIRECT
- DOMAIN-SUFFIX,sohu.com,DIRECT
- DOMAIN-SUFFIX,soku.com,DIRECT
- DOMAIN-SUFFIX,speedtest.net,DIRECT
- DOMAIN-SUFFIX,sspai.com,DIRECT
- DOMAIN-SUFFIX,suning.com,DIRECT
- DOMAIN-SUFFIX,taobao.com,DIRECT
- DOMAIN-SUFFIX,tencent.com,DIRECT
- DOMAIN-SUFFIX,tenpay.com,DIRECT
- DOMAIN-SUFFIX,tianyancha.com,DIRECT
- DOMAIN-SUFFIX,tmall.com,DIRECT
- DOMAIN-SUFFIX,tudou.com,DIRECT
- DOMAIN-SUFFIX,umetrip.com,DIRECT
- DOMAIN-SUFFIX,upaiyun.com,DIRECT
- DOMAIN-SUFFIX,upyun.com,DIRECT
- DOMAIN-SUFFIX,veryzhun.com,DIRECT
- DOMAIN-SUFFIX,weather.com,DIRECT
- DOMAIN-SUFFIX,weibo.com,DIRECT
- DOMAIN-SUFFIX,xiami.com,DIRECT
- DOMAIN-SUFFIX,xiami.net,DIRECT
- DOMAIN-SUFFIX,xiaomicp.com,DIRECT
- DOMAIN-SUFFIX,ximalaya.com,DIRECT
- DOMAIN-SUFFIX,xmcdn.com,DIRECT
- DOMAIN-SUFFIX,xunlei.com,DIRECT
- DOMAIN-SUFFIX,yhd.com,DIRECT
- DOMAIN-SUFFIX,yihaodianimg.com,DIRECT
- DOMAIN-SUFFIX,yinxiang.com,DIRECT
- DOMAIN-SUFFIX,ykimg.com,DIRECT
- DOMAIN-SUFFIX,youdao.com,DIRECT
- DOMAIN-SUFFIX,youku.com,DIRECT
- DOMAIN-SUFFIX,zealer.com,DIRECT
- DOMAIN-SUFFIX,zhihu.com,DIRECT
- DOMAIN-SUFFIX,zhimg.com,DIRECT
- DOMAIN-SUFFIX,zimuzu.tv,DIRECT
- DOMAIN-SUFFIX,zoho.com,DIRECT
- DOMAIN-KEYWORD,amazon,Proxy
- DOMAIN-KEYWORD,google,Proxy
- DOMAIN-KEYWORD,gmail,Proxy
- DOMAIN-KEYWORD,youtube,Proxy
- DOMAIN-KEYWORD,facebook,Proxy
- DOMAIN-SUFFIX,fb.me,Proxy
- DOMAIN-SUFFIX,fbcdn.net,Proxy
- DOMAIN-KEYWORD,twitter,Proxy
- DOMAIN-KEYWORD,instagram,Proxy
- DOMAIN-KEYWORD,dropbox,Proxy
- DOMAIN-SUFFIX,twimg.com,Proxy
- DOMAIN-KEYWORD,blogspot,Proxy
- DOMAIN-SUFFIX,youtu.be,Proxy
- DOMAIN-KEYWORD,whatsapp,Proxy
- DOMAIN-KEYWORD,admarvel,REJECT
- DOMAIN-KEYWORD,admaster,REJECT
- DOMAIN-KEYWORD,adsage,REJECT
- DOMAIN-KEYWORD,adsmogo,REJECT
- DOMAIN-KEYWORD,adsrvmedia,REJECT
- DOMAIN-KEYWORD,adwords,REJECT
- DOMAIN-KEYWORD,adservice,REJECT
- DOMAIN-SUFFIX,appsflyer.com,REJECT
- DOMAIN-KEYWORD,domob,REJECT
- DOMAIN-SUFFIX,doubleclick.net,REJECT
- DOMAIN-KEYWORD,duomeng,REJECT
- DOMAIN-KEYWORD,dwtrack,REJECT
- DOMAIN-KEYWORD,guanggao,REJECT
- DOMAIN-KEYWORD,lianmeng,REJECT
- DOMAIN-SUFFIX,mmstat.com,REJECT
- DOMAIN-KEYWORD,mopub,REJECT
- DOMAIN-KEYWORD,omgmta,REJECT
- DOMAIN-KEYWORD,openx,REJECT
- DOMAIN-KEYWORD,partnerad,REJECT
- DOMAIN-KEYWORD,pingfore,REJECT
- DOMAIN-KEYWORD,supersonicads,REJECT
- DOMAIN-KEYWORD,uedas,REJECT
- DOMAIN-KEYWORD,umeng,REJECT
- DOMAIN-KEYWORD,usage,REJECT
- DOMAIN-SUFFIX,vungle.com,REJECT
- DOMAIN-KEYWORD,wlmonitor,REJECT
- DOMAIN-KEYWORD,zjtoolbar,REJECT
- DOMAIN-SUFFIX,9to5mac.com,Proxy
- DOMAIN-SUFFIX,abpchina.org,Proxy
- DOMAIN-SUFFIX,adblockplus.org,Proxy
- DOMAIN-SUFFIX,adobe.com,Proxy
- DOMAIN-SUFFIX,akamaized.net,Proxy
- DOMAIN-SUFFIX,alfredapp.com,Proxy
- DOMAIN-SUFFIX,amplitude.com,Proxy
- DOMAIN-SUFFIX,ampproject.org,Proxy
- DOMAIN-SUFFIX,android.com,Proxy
- DOMAIN-SUFFIX,angularjs.org,Proxy
- DOMAIN-SUFFIX,aolcdn.com,Proxy
- DOMAIN-SUFFIX,apkpure.com,Proxy
- DOMAIN-SUFFIX,appledaily.com,Proxy
- DOMAIN-SUFFIX,appshopper.com,Proxy
- DOMAIN-SUFFIX,appspot.com,Proxy
- DOMAIN-SUFFIX,arcgis.com,Proxy
- DOMAIN-SUFFIX,archive.org,Proxy
- DOMAIN-SUFFIX,armorgames.com,Proxy
- DOMAIN-SUFFIX,aspnetcdn.com,Proxy
- DOMAIN-SUFFIX,att.com,Proxy
- DOMAIN-SUFFIX,awsstatic.com,Proxy
- DOMAIN-SUFFIX,azureedge.net,Proxy
- DOMAIN-SUFFIX,azurewebsites.net,Proxy
- DOMAIN-SUFFIX,bing.com,Proxy
- DOMAIN-SUFFIX,bintray.com,Proxy
- DOMAIN-SUFFIX,bit.com,Proxy
- DOMAIN-SUFFIX,bit.ly,Proxy
- DOMAIN-SUFFIX,bitbucket.org,Proxy
- DOMAIN-SUFFIX,bjango.com,Proxy
- DOMAIN-SUFFIX,bkrtx.com,Proxy
- DOMAIN-SUFFIX,blog.com,Proxy
- DOMAIN-SUFFIX,blogcdn.com,Proxy
- DOMAIN-SUFFIX,blogger.com,Proxy
- DOMAIN-SUFFIX,blogsmithmedia.com,Proxy
- DOMAIN-SUFFIX,blogspot.com,Proxy
- DOMAIN-SUFFIX,blogspot.hk,Proxy
- DOMAIN-SUFFIX,bloomberg.com,Proxy
- DOMAIN-SUFFIX,box.com,Proxy
- DOMAIN-SUFFIX,box.net,Proxy
- DOMAIN-SUFFIX,cachefly.net,Proxy
- DOMAIN-SUFFIX,chromium.org,Proxy
- DOMAIN-SUFFIX,cl.ly,Proxy
- DOMAIN-SUFFIX,cloudflare.com,Proxy
- DOMAIN-SUFFIX,cloudfront.net,Proxy
- DOMAIN-SUFFIX,cloudmagic.com,Proxy
- DOMAIN-SUFFIX,cmail19.com,Proxy
- DOMAIN-SUFFIX,cnet.com,Proxy
- DOMAIN-SUFFIX,cocoapods.org,Proxy
- DOMAIN-SUFFIX,comodoca.com,Proxy
- DOMAIN-SUFFIX,crashlytics.com,Proxy
- DOMAIN-SUFFIX,culturedcode.com,Proxy
- DOMAIN-SUFFIX,d.pr,Proxy
- DOMAIN-SUFFIX,danilo.to,Proxy
- DOMAIN-SUFFIX,dayone.me,Proxy
- DOMAIN-SUFFIX,db.tt,Proxy
- DOMAIN-SUFFIX,deskconnect.com,Proxy
- DOMAIN-SUFFIX,disq.us,Proxy
- DOMAIN-SUFFIX,disqus.com,Proxy
- DOMAIN-SUFFIX,disquscdn.com,Proxy
- DOMAIN-SUFFIX,dnsimple.com,Proxy
- DOMAIN-SUFFIX,docker.com,Proxy
- DOMAIN-SUFFIX,dribbble.com,Proxy
- DOMAIN-SUFFIX,droplr.com,Proxy
- DOMAIN-SUFFIX,duckduckgo.com,Proxy
- DOMAIN-SUFFIX,dueapp.com,Proxy
- DOMAIN-SUFFIX,dytt8.net,Proxy
- DOMAIN-SUFFIX,edgecastcdn.net,Proxy
- DOMAIN-SUFFIX,edgekey.net,Proxy
- DOMAIN-SUFFIX,edgesuite.net,Proxy
- DOMAIN-SUFFIX,engadget.com,Proxy
- DOMAIN-SUFFIX,entrust.net,Proxy
- DOMAIN-SUFFIX,eurekavpt.com,Proxy
- DOMAIN-SUFFIX,evernote.com,Proxy
- DOMAIN-SUFFIX,fabric.io,Proxy
- DOMAIN-SUFFIX,fast.com,Proxy
- DOMAIN-SUFFIX,fastly.net,Proxy
- DOMAIN-SUFFIX,fc2.com,Proxy
- DOMAIN-SUFFIX,feedburner.com,Proxy
- DOMAIN-SUFFIX,feedly.com,Proxy
- DOMAIN-SUFFIX,feedsportal.com,Proxy
- DOMAIN-SUFFIX,fiftythree.com,Proxy
- DOMAIN-SUFFIX,firebaseio.com,Proxy
- DOMAIN-SUFFIX,flexibits.com,Proxy
- DOMAIN-SUFFIX,flickr.com,Proxy
- DOMAIN-SUFFIX,flipboard.com,Proxy
- DOMAIN-SUFFIX,g.co,Proxy
- DOMAIN-SUFFIX,gabia.net,Proxy
- DOMAIN-SUFFIX,geni.us,Proxy
- DOMAIN-SUFFIX,gfx.ms,Proxy
- DOMAIN-SUFFIX,ggpht.com,Proxy
- DOMAIN-SUFFIX,ghostnoteapp.com,Proxy
- DOMAIN-SUFFIX,git.io,Proxy
- DOMAIN-KEYWORD,github,Proxy
- DOMAIN-SUFFIX,globalsign.com,Proxy
- DOMAIN-SUFFIX,gmodules.com,Proxy
- DOMAIN-SUFFIX,godaddy.com,Proxy
- DOMAIN-SUFFIX,golang.org,Proxy
- DOMAIN-SUFFIX,gongm.in,Proxy
- DOMAIN-SUFFIX,goo.gl,Proxy
- DOMAIN-SUFFIX,goodreaders.com,Proxy
- DOMAIN-SUFFIX,goodreads.com,Proxy
- DOMAIN-SUFFIX,gravatar.com,Proxy
- DOMAIN-SUFFIX,gstatic.com,Proxy
- DOMAIN-SUFFIX,gvt0.com,Proxy
- DOMAIN-SUFFIX,hockeyapp.net,Proxy
- DOMAIN-SUFFIX,hotmail.com,Proxy
- DOMAIN-SUFFIX,icons8.com,Proxy
- DOMAIN-SUFFIX,ifixit.com,Proxy
- DOMAIN-SUFFIX,ift.tt,Proxy
- DOMAIN-SUFFIX,ifttt.com,Proxy
- DOMAIN-SUFFIX,iherb.com,Proxy
- DOMAIN-SUFFIX,imageshack.us,Proxy
- DOMAIN-SUFFIX,img.ly,Proxy
- DOMAIN-SUFFIX,imgur.com,Proxy
- DOMAIN-SUFFIX,imore.com,Proxy
- DOMAIN-SUFFIX,instapaper.com,Proxy
- DOMAIN-SUFFIX,ipn.li,Proxy
- DOMAIN-SUFFIX,is.gd,Proxy
- DOMAIN-SUFFIX,issuu.com,Proxy
- DOMAIN-SUFFIX,itgonglun.com,Proxy
- DOMAIN-SUFFIX,itun.es,Proxy
- DOMAIN-SUFFIX,ixquick.com,Proxy
- DOMAIN-SUFFIX,j.mp,Proxy
- DOMAIN-SUFFIX,js.revsci.net,Proxy
- DOMAIN-SUFFIX,jshint.com,Proxy
- DOMAIN-SUFFIX,jtvnw.net,Proxy
- DOMAIN-SUFFIX,justgetflux.com,Proxy
- DOMAIN-SUFFIX,kat.cr,Proxy
- DOMAIN-SUFFIX,klip.me,Proxy
- DOMAIN-SUFFIX,libsyn.com,Proxy
- DOMAIN-SUFFIX,linkedin.com,Proxy
- DOMAIN-SUFFIX,line-apps.com,Proxy
- DOMAIN-SUFFIX,linode.com,Proxy
- DOMAIN-SUFFIX,lithium.com,Proxy
- DOMAIN-SUFFIX,littlehj.com,Proxy
- DOMAIN-SUFFIX,live.com,Proxy
- DOMAIN-SUFFIX,live.net,Proxy
- DOMAIN-SUFFIX,livefilestore.com,Proxy
- DOMAIN-SUFFIX,llnwd.net,Proxy
- DOMAIN-SUFFIX,macid.co,Proxy
- DOMAIN-SUFFIX,macromedia.com,Proxy
- DOMAIN-SUFFIX,macrumors.com,Proxy
- DOMAIN-SUFFIX,mashable.com,Proxy
- DOMAIN-SUFFIX,mathjax.org,Proxy
- DOMAIN-SUFFIX,medium.com,Proxy
- DOMAIN-SUFFIX,mega.co.nz,Proxy
- DOMAIN-SUFFIX,mega.nz,Proxy
- DOMAIN-SUFFIX,megaupload.com,Proxy
- DOMAIN-SUFFIX,microsofttranslator.com,Proxy
- DOMAIN-SUFFIX,mindnode.com,Proxy
- DOMAIN-SUFFIX,mobile01.com,Proxy
- DOMAIN-SUFFIX,modmyi.com,Proxy
- DOMAIN-SUFFIX,msedge.net,Proxy
- DOMAIN-SUFFIX,myfontastic.com,Proxy
- DOMAIN-SUFFIX,name.com,Proxy
- DOMAIN-SUFFIX,nextmedia.com,Proxy
- DOMAIN-SUFFIX,nsstatic.net,Proxy
- DOMAIN-SUFFIX,nssurge.com,Proxy
- DOMAIN-SUFFIX,nyt.com,Proxy
- DOMAIN-SUFFIX,nytimes.com,Proxy
- DOMAIN-SUFFIX,omnigroup.com,Proxy
- DOMAIN-SUFFIX,onedrive.com,Proxy
- DOMAIN-SUFFIX,onenote.com,Proxy
- DOMAIN-SUFFIX,ooyala.com,Proxy
- DOMAIN-SUFFIX,openvpn.net,Proxy
- DOMAIN-SUFFIX,openwrt.org,Proxy
- DOMAIN-SUFFIX,orkut.com,Proxy
- DOMAIN-SUFFIX,osxdaily.com,Proxy
- DOMAIN-SUFFIX,outlook.com,Proxy
- DOMAIN-SUFFIX,ow.ly,Proxy
- DOMAIN-SUFFIX,paddleapi.com,Proxy
- DOMAIN-SUFFIX,parallels.com,Proxy
- DOMAIN-SUFFIX,parse.com,Proxy
- DOMAIN-SUFFIX,pdfexpert.com,Proxy
- DOMAIN-SUFFIX,periscope.tv,Proxy
- DOMAIN-SUFFIX,pinboard.in,Proxy
- DOMAIN-SUFFIX,pinterest.com,Proxy
- DOMAIN-SUFFIX,pixelmator.com,Proxy
- DOMAIN-SUFFIX,pixiv.net,Proxy
- DOMAIN-SUFFIX,playpcesor.com,Proxy
- DOMAIN-SUFFIX,playstation.com,Proxy
- DOMAIN-SUFFIX,playstation.com.hk,Proxy
- DOMAIN-SUFFIX,playstation.net,Proxy
- DOMAIN-SUFFIX,playstationnetwork.com,Proxy
- DOMAIN-SUFFIX,pushwoosh.com,Proxy
- DOMAIN-SUFFIX,rime.im,Proxy
- DOMAIN-SUFFIX,servebom.com,Proxy
- DOMAIN-SUFFIX,sfx.ms,Proxy
- DOMAIN-SUFFIX,shadowsocks.org,Proxy
- DOMAIN-SUFFIX,sharethis.com,Proxy
- DOMAIN-SUFFIX,shazam.com,Proxy
- DOMAIN-SUFFIX,skype.com,Proxy
- DOMAIN-SUFFIX,smartdnsProxy.com,Proxy
- DOMAIN-SUFFIX,smartmailcloud.com,Proxy
- DOMAIN-SUFFIX,sndcdn.com,Proxy
- DOMAIN-SUFFIX,sony.com,Proxy
- DOMAIN-SUFFIX,soundcloud.com,Proxy
- DOMAIN-SUFFIX,sourceforge.net,Proxy
- DOMAIN-SUFFIX,spotify.com,Proxy
- DOMAIN-SUFFIX,squarespace.com,Proxy
- DOMAIN-SUFFIX,sstatic.net,Proxy
- DOMAIN-SUFFIX,st.luluku.pw,Proxy
- DOMAIN-SUFFIX,stackoverflow.com,Proxy
- DOMAIN-SUFFIX,startpage.com,Proxy
- DOMAIN-SUFFIX,staticflickr.com,Proxy
- DOMAIN-SUFFIX,steamcommunity.com,Proxy
- DOMAIN-SUFFIX,symauth.com,Proxy
- DOMAIN-SUFFIX,symcb.com,Proxy
- DOMAIN-SUFFIX,symcd.com,Proxy
- DOMAIN-SUFFIX,tapbots.com,Proxy
- DOMAIN-SUFFIX,tapbots.net,Proxy
- DOMAIN-SUFFIX,tdesktop.com,Proxy
- DOMAIN-SUFFIX,techcrunch.com,Proxy
- DOMAIN-SUFFIX,techsmith.com,Proxy
- DOMAIN-SUFFIX,thepiratebay.org,Proxy
- DOMAIN-SUFFIX,theverge.com,Proxy
- DOMAIN-SUFFIX,time.com,Proxy
- DOMAIN-SUFFIX,timeinc.net,Proxy
- DOMAIN-SUFFIX,tiny.cc,Proxy
- DOMAIN-SUFFIX,tinypic.com,Proxy
- DOMAIN-SUFFIX,tmblr.co,Proxy
- DOMAIN-SUFFIX,todoist.com,Proxy
- DOMAIN-SUFFIX,trello.com,Proxy
- DOMAIN-SUFFIX,trustasiassl.com,Proxy
- DOMAIN-SUFFIX,tumblr.co,Proxy
- DOMAIN-SUFFIX,tumblr.com,Proxy
- DOMAIN-SUFFIX,tweetdeck.com,Proxy
- DOMAIN-SUFFIX,tweetmarker.net,Proxy
- DOMAIN-SUFFIX,twitch.tv,Proxy
- DOMAIN-SUFFIX,txmblr.com,Proxy
- DOMAIN-SUFFIX,typekit.net,Proxy
- DOMAIN-SUFFIX,ubertags.com,Proxy
- DOMAIN-SUFFIX,ublock.org,Proxy
- DOMAIN-SUFFIX,ubnt.com,Proxy
- DOMAIN-SUFFIX,ulyssesapp.com,Proxy
- DOMAIN-SUFFIX,urchin.com,Proxy
- DOMAIN-SUFFIX,usertrust.com,Proxy
- DOMAIN-SUFFIX,v.gd,Proxy
- DOMAIN-SUFFIX,v2ex.com,Proxy
- DOMAIN-SUFFIX,vimeo.com,Proxy
- DOMAIN-SUFFIX,vimeocdn.com,Proxy
- DOMAIN-SUFFIX,vine.co,Proxy
- DOMAIN-SUFFIX,vivaldi.com,Proxy
- DOMAIN-SUFFIX,vox-cdn.com,Proxy
- DOMAIN-SUFFIX,vsco.co,Proxy
- DOMAIN-SUFFIX,vultr.com,Proxy
- DOMAIN-SUFFIX,w.org,Proxy
- DOMAIN-SUFFIX,w3schools.com,Proxy
- DOMAIN-SUFFIX,webtype.com,Proxy
- DOMAIN-SUFFIX,wikiwand.com,Proxy
- DOMAIN-SUFFIX,wikileaks.org,Proxy
- DOMAIN-SUFFIX,wikimedia.org,Proxy
- DOMAIN-SUFFIX,wikipedia.com,Proxy
- DOMAIN-SUFFIX,wikipedia.org,Proxy
- DOMAIN-SUFFIX,windows.com,Proxy
- DOMAIN-SUFFIX,windows.net,Proxy
- DOMAIN-SUFFIX,wire.com,Proxy
- DOMAIN-SUFFIX,wordpress.com,Proxy
- DOMAIN-SUFFIX,workflowy.com,Proxy
- DOMAIN-SUFFIX,wp.com,Proxy
- DOMAIN-SUFFIX,wsj.com,Proxy
- DOMAIN-SUFFIX,wsj.net,Proxy
- DOMAIN-SUFFIX,xda-developers.com,Proxy
- DOMAIN-SUFFIX,xeeno.com,Proxy
- DOMAIN-SUFFIX,xiti.com,Proxy
- DOMAIN-SUFFIX,yahoo.com,Proxy
- DOMAIN-SUFFIX,yimg.com,Proxy
- DOMAIN-SUFFIX,ying.com,Proxy
- DOMAIN-SUFFIX,yoyo.org,Proxy
- DOMAIN-SUFFIX,ytimg.com,Proxy
- DOMAIN-SUFFIX,telegra.ph,Proxy
- DOMAIN-SUFFIX,telegram.org,Proxy
- IP-CIDR,91.108.4.0/22,Proxy,no-resolve
- IP-CIDR,91.108.8.0/21,Proxy,no-resolve
- IP-CIDR,91.108.16.0/22,Proxy,no-resolve
- IP-CIDR,91.108.56.0/22,Proxy,no-resolve
- IP-CIDR,149.154.160.0/20,Proxy,no-resolve
- IP-CIDR6,2001:67c:4e8::/48,Proxy,no-resolve
- IP-CIDR6,2001:b28:f23d::/48,Proxy,no-resolve
- IP-CIDR6,2001:b28:f23f::/48,Proxy,no-resolve
- IP-CIDR,120.232.181.162/32,Proxy,no-resolve
- IP-CIDR,120.241.147.226/32,Proxy,no-resolve
- IP-CIDR,120.253.253.226/32,Proxy,no-resolve
- IP-CIDR,120.253.255.162/32,Proxy,no-resolve
- IP-CIDR,120.253.255.34/32,Proxy,no-resolve
- IP-CIDR,120.253.255.98/32,Proxy,no-resolve
- IP-CIDR,180.163.150.162/32,Proxy,no-resolve
- IP-CIDR,180.163.150.34/32,Proxy,no-resolve
- IP-CIDR,180.163.151.162/32,Proxy,no-resolve
- IP-CIDR,180.163.151.34/32,Proxy,no-resolve
- IP-CIDR,203.208.39.0/24,Proxy,no-resolve
- IP-CIDR,203.208.40.0/24,Proxy,no-resolve
- IP-CIDR,203.208.41.0/24,Proxy,no-resolve
- IP-CIDR,203.208.43.0/24,Proxy,no-resolve
- IP-CIDR,203.208.50.0/24,Proxy,no-resolve
- IP-CIDR,220.181.174.162/32,Proxy,no-resolve
- IP-CIDR,220.181.174.226/32,Proxy,no-resolve
- IP-CIDR,220.181.174.34/32,Proxy,no-resolve
- DOMAIN,injections.adguard.org,DIRECT
- DOMAIN,local.adguard.org,DIRECT
- DOMAIN-SUFFIX,local,DIRECT
- IP-CIDR,127.0.0.0/8,DIRECT
- IP-CIDR,172.16.0.0/12,DIRECT
- IP-CIDR,192.168.0.0/16,DIRECT
- IP-CIDR,10.0.0.0/8,DIRECT
- IP-CIDR,17.0.0.0/8,DIRECT
- IP-CIDR,100.64.0.0/10,DIRECT
- IP-CIDR,224.0.0.0/4,DIRECT
- IP-CIDR6,fe80::/10,DIRECT
- DOMAIN-SUFFIX,cn,DIRECT
- DOMAIN-KEYWORD,-cn,DIRECT
- GEOIP,CN,DIRECT
- MATCH,Proxy
port: 7890
socks-port: 7891
bind-address: "*"
profile:
  store-selected: true
authentication:
- Clash:12345

#===================== NFTABLES 防火墙设置 =====================#

table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		iifname "eth0" ip6 saddr != @localnetwork6 counter packets 0 bytes 0 jump openclash_wan6_input
		iifname "eth0" ip saddr != @localnetwork counter packets 397 bytes 198601 jump openclash_wan_input
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		jump handle_reject
	}
}
table inet fw4 {
	chain forward {
		type filter hook forward priority filter; policy drop;
		meta l4proto { tcp, udp } flow add @ft
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		jump handle_reject
	}
}
table inet fw4 {
	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		ip6 daddr { 2001:4860:4860::8844, 2001:4860:4860::8888 } tcp dport 53 counter packets 0 bytes 0 accept comment "OpenClash Google DNS Hijack"
		ip daddr { 8.8.4.4, 8.8.8.8 } tcp dport 53 counter packets 0 bytes 0 redirect to :7892 comment "OpenClash Google DNS Hijack"
		udp dport 53 counter packets 0 bytes 0 redirect to :53 comment "OpenClash DNS Hijack"
		tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "OpenClash DNS Hijack"
		iifname "eth0" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
		ip protocol tcp counter packets 73 bytes 3876 jump openclash
		meta nfproto ipv6 tcp dport 0-65535 counter packets 0 bytes 0 jump openclash_v6
	}
}
table inet fw4 {
	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth0" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
	}
}
table inet fw4 {
	chain nat_output {
		type nat hook output priority filter - 1; policy accept;
		ip protocol tcp counter packets 18 bytes 1080 jump openclash_output
		meta nfproto ipv6 counter packets 5 bytes 411 jump openclash_output_v6
	}
}
table inet fw4 {
	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
		ip protocol udp counter packets 465 bytes 212415 jump openclash_mangle
		meta nfproto ipv6 counter packets 60 bytes 4974 jump openclash_mangle_v6
	}
}
table inet fw4 {
	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}
}
table inet fw4 {
	chain openclash {
		ip daddr @localnetwork counter packets 6 bytes 312 return
		ip protocol tcp ip daddr 198.18.0.0/16 counter packets 53 bytes 2788 redirect to :7892
		ip daddr @wan_ac_black_ips counter packets 0 bytes 0 return
		ip protocol tcp counter packets 14 bytes 776 redirect to :7892
	}
}
table inet fw4 {
	chain openclash_mangle {
		meta nfproto ipv4 udp sport 500 counter packets 0 bytes 0 return
		meta nfproto ipv4 udp sport 68 counter packets 0 bytes 0 return
		meta l4proto udp iifname "lo" counter packets 82 bytes 5858 return
		ip daddr @localnetwork counter packets 361 bytes 189670 return
		udp dport 53 counter packets 0 bytes 0 return
		meta l4proto udp ip daddr 198.18.0.0/16 meta mark set 0x00000162 tproxy ip to 127.0.0.1:7895 counter packets 22 bytes 16887 accept
		ip daddr @wan_ac_black_ips counter packets 0 bytes 0 return
		ip protocol udp counter packets 0 bytes 0 jump openclash_upnp
		meta l4proto udp meta mark set 0x00000162 tproxy ip to 127.0.0.1:7895 counter packets 0 bytes 0 accept
	}
}
table inet fw4 {
	chain openclash_output {
		ip daddr @localnetwork counter packets 5 bytes 300 return
		ip protocol tcp ip daddr 198.18.0.0/16 meta skuid != 65534 counter packets 5 bytes 300 redirect to :7892
		meta skuid != 65534 ip daddr @wan_ac_black_ips counter packets 0 bytes 0 return
		ip protocol tcp meta skuid != 65534 counter packets 0 bytes 0 redirect to :7892
	}
}
table inet fw4 {
	chain openclash_wan_input {
		udp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
		tcp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
	}
}
table inet fw4 {
	chain openclash_mangle_v6 {
		meta nfproto ipv6 udp sport 500 counter packets 0 bytes 0 return
		meta nfproto ipv6 udp sport 546 counter packets 0 bytes 0 return
		ip6 daddr @localnetwork6 counter packets 58 bytes 4830 return
		meta nfproto ipv6 udp dport 53 counter packets 0 bytes 0 return
		ip6 daddr @wan_ac_black_ipv6s counter packets 0 bytes 0 return
		meta nfproto ipv6 udp dport 0-65535 meta mark set 0x00000162 tproxy ip6 to :7895 counter packets 0 bytes 0 accept comment "OpenClash UDP Tproxy"
	}
}
table inet fw4 {
	chain openclash_wan6_input {
		udp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
		tcp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
	}
}

#===================== IPSET状态 =====================#


#===================== 路由表状态 =====================#

#IPv4

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

#ip route list
default via 192.168.1.1 dev eth0 proto static src 192.168.1.2 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1 

#ip rule show
0:	from all lookup local
32765:	from all fwmark 0x162 lookup 354
32766:	from all lookup main
32767:	from all lookup default

#IPv6

#route -A inet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
::/0                                        ::                                      U     1024   1        0 lo      
::/0                                        ::                                      !n    -1     2        0 lo      
::/0                                        ::                                      !n    -1     2        0 lo      
::/0                                        fe80::1                                 UG    512    1        0 eth0    
::/0                                        fe80::1                                 UG    512    5        0 eth0    
::/0                                        fe80::1                                 UG    512    5        0 eth0    
*WAN IP*:/64                    ::                                      U     256    1        0 eth0    
*WAN IP*:/64                    ::                                      !n    2147483647 2        0 lo      
24xx:xxxx:xxxx:xx64::/64                    ::                                      U     1024   2        0 br-lan  
24xx:xxxx:xxxx:xx66::/63                    fe80::4e92:37ef:fa7c:de55               UG    1024   3        0 br-lan  
24xx:xxxx:xxxx:xx64::/62                    ::                                      !n    2147483647 1        0 lo      
fd5b:6c70:fafc::/64                         ::                                      U     1024   6        0 br-lan  
fd5b:6c70:fafc:2::/63                       fe80::4e92:37ef:fa7c:de55               UG    1024   1        0 br-lan  
fd5b:6c70:fafc::/48                         ::                                      !n    2147483647 2        0 lo      
fe80::/64                                   ::                                      U     256    5        0 br-lan  
fe80::/64                                   ::                                      U     256    1        0 eth0    
::/0                                        ::                                      !n    -1     2        0 lo      
::1/128                                     ::                                      Un    0      7        0 lo      
*WAN IP*:/128                   ::                                      Un    0      4        0 eth0    
*WAN IP*:1/128                  ::                                      Un    0      2        0 eth0    
*WAN IP*xx:xxxx:xxxx:xxx1/128   ::                                      Un    0      8        0 eth0    
24xx:xxxx:xxxx:xx64::/128                   ::                                      Un    0      3        0 br-lan  
24xx:xxxx:xxxx:xx64::1/128                  ::                                      Un    0      7        0 br-lan  
fd5b:6c70:fafc::/128                        ::                                      Un    0      3        0 br-lan  
fd5b:6c70:fafc::1/128                       ::                                      Un    0      5        0 br-lan  
fe80::/128                                  ::                                      Un    0      3        0 br-lan  
fe80::/128                                  ::                                      Un    0      3        0 eth0    
fe80::xx:xxxx:xxxx:xxx1/128                 ::                                      Un    0      3        0 eth0    
fe80::xx:xxxx:xxxx:xxx2/128                 ::                                      Un    0      6        0 br-lan  
ff00::/8                                    ::                                      U     256    5        0 br-lan  
ff00::/8                                    ::                                      U     256    5        0 eth0    
::/0                                        ::                                      !n    -1     2        0 lo      

#ip -6 route list
default from *WAN IP*:1 via fe80::1 dev eth0 proto static metric 512 pref medium
default from *WAN IP*:/64 via fe80::1 dev eth0 proto static metric 512 pref medium
default from 24xx:xxxx:xxxx:xx64::/62 via fe80::1 dev eth0 proto static metric 512 pref medium
*WAN IP*:/64 dev eth0 proto static metric 256 pref medium
unreachable *WAN IP*:/64 dev lo proto static metric 2147483647 pref medium
24xx:xxxx:xxxx:xx64::/64 dev br-lan proto static metric 1024 pref medium
24xx:xxxx:xxxx:xx66::/63 via fe80::4e92:37ef:fa7c:de55 dev br-lan proto static metric 1024 pref medium
unreachable 24xx:xxxx:xxxx:xx64::/62 dev lo proto static metric 2147483647 pref medium
fd5b:6c70:fafc::/64 dev br-lan proto static metric 1024 pref medium
fd5b:6c70:fafc:2::/63 via fe80::4e92:37ef:fa7c:de55 dev br-lan proto static metric 1024 pref medium
unreachable fd5b:6c70:fafc::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium

#ip -6 rule show
0:	from all lookup local
32765:	from all fwmark 0x162 lookup 354
32766:	from all lookup main
4200000000:	from 24xx:xxxx:xxxx:xx64::1/62 iif br-lan unreachable

#===================== 端口占用状态 =====================#

tcp        0      0 :::9090                 :::*                    LISTEN      6968/clash
tcp        0      0 :::7895                 :::*                    LISTEN      6968/clash
tcp        0      0 :::7893                 :::*                    LISTEN      6968/clash
tcp        0      0 :::7892                 :::*                    LISTEN      6968/clash
tcp        0      0 :::7891                 :::*                    LISTEN      6968/clash
tcp        0      0 :::7890                 :::*                    LISTEN      6968/clash
udp        0      0 :::44474                :::*                                6968/clash
udp        0      0 :::37473                :::*                                6968/clash
udp        0      0 :::7874                 :::*                                6968/clash
udp        0      0 :::7891                 :::*                                6968/clash
udp        0      0 :::7892                 :::*                                6968/clash
udp        0      0 :::7893                 :::*                                6968/clash
udp        0      0 :::7895                 :::*                                6968/clash
udp        0      0 :::56122                :::*                                6968/clash

#===================== 测试本机DNS查询(www.baidu.com) =====================#

Server:		127.0.0.1
Address:	127.0.0.1:53

Name:	www.baidu.com
Address: 198.18.0.20



#===================== 测试内核DNS查询(www.instagram.com) =====================#

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 1
  Qclass: 1

Answer: 
  TTL: 93
  data: 108.160.165.212
  name: www.instagram.com.
  type: 1

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 28
  Qclass: 1

Answer: 
  TTL: 1
  data: 2a03:2880:f10a:83:face:b00c:0:25de
  name: www.instagram.com.
  type: 28


Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto

#===================== /tmp/resolv.conf.auto =====================#

# Interface lan
nameserver 1.1.1.1
nameserver 1.0.0.1
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1
# Interface wan6
nameserver 2606:4700:4700::1111
nameserver 2606:4700:4700::1001

#===================== /tmp/resolv.conf.d/resolv.conf.auto =====================#

# Interface lan
nameserver 1.1.1.1
nameserver 1.0.0.1
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1
# Interface wan6
nameserver 2606:4700:4700::1111
nameserver 2606:4700:4700::1001

#===================== 测试本机网络连接(www.baidu.com) =====================#


#===================== 测试本机网络下载(raw.githubusercontent.com) =====================#

HTTP/2 404 
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
content-type: text/plain; charset=utf-8
x-github-request-id: 09B6:480B0:54AACF:668D4B:666F19EB
accept-ranges: bytes
date: Sun, 16 Jun 2024 16:38:28 GMT
via: 1.1 varnish
x-served-by: cache-qpg1258-QPG
x-cache: MISS
x-cache-hits: 0
x-timer: S1718557168.882274,VS0,VE334
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
x-fastly-request-id: 2a4c1e323973157e2b30864f443e3710d1811386
expires: Sun, 16 Jun 2024 16:43:28 GMT
source-age: 0
content-length: 14


#===================== 最近运行日志(自动切换为Debug模式) =====================#

time="2024-06-16T16:38:19.065190939Z" level=debug msg="[Rule] use default rules"
time="2024-06-16T16:38:19.065753581Z" level=debug msg="[DNS] cache hit for static-pcs-sdk-server.alibaba.com., expire at 2024-06-16 16:39:00"
time="2024-06-16T16:38:19.065959504Z" level=debug msg="[DNS] cache hit for static-pcs-sdk-server.alibaba.com., expire at 2024-06-16 16:38:59"
time="2024-06-16T16:38:19.066174469Z" level=debug msg="[DNS] static-pcs-sdk-server.alibaba.com --> 111.63.137.116"
time="2024-06-16T16:38:19.066400809Z" level=debug msg="[DNS] cache hit for static-pcs-sdk-server.alibaba.com., expire at 2024-06-16 16:39:00"
time="2024-06-16T16:38:19.066553938Z" level=debug msg="[DNS] cache hit for static-pcs-sdk-server.alibaba.com., expire at 2024-06-16 16:38:59"
time="2024-06-16T16:38:19.119007088Z" level=info msg="[TCP] 192.168.2.127:52990 --> static-pcs-sdk-server.alibaba.com:80 match GeoIP(cn) using DIRECT"
time="2024-06-16T16:38:19.894588546Z" level=debug msg="[Rule] use default rules"
time="2024-06-16T16:38:19.895676204Z" level=info msg="[TCP] 192.168.2.127:52991 --> 128.121.146.109:443 match Match using Proxy[新加坡01]"
time="2024-06-16T16:38:24.217052278Z" level=debug msg="[Rule] use default rules"
time="2024-06-16T16:38:24.21795618Z" level=info msg="[TCP] 192.168.2.127:52994 --> steamcommunity.com:443 match DomainSuffix(steamcommunity.com) using Proxy[新加坡01]"
time="2024-06-16T16:38:26.884135148Z" level=debug msg="[DNS] resolve www.instagram.com from udp://223.5.5.5:53"
time="2024-06-16T16:38:26.895763079Z" level=debug msg="[DNS] www.instagram.com --> [108.160.165.212] A from udp://223.5.5.5:53"
time="2024-06-16T16:38:27.123830182Z" level=debug msg="[DNS] resolve www.instagram.com from udp://223.5.5.5:53"
time="2024-06-16T16:38:27.137633719Z" level=debug msg="[DNS] www.instagram.com --> [2a03:2880:f10a:83:face:b00c:0:25de] AAAA from udp://223.5.5.5:53"
time="2024-06-16T16:38:27.21800837Z" level=debug msg="[Rule] use default rules"
time="2024-06-16T16:38:27.218659681Z" level=info msg="[TCP] 192.168.2.127:52996 --> clients4.google.com:443 match DomainKeyword(google) using Proxy[新加坡01]"
time="2024-06-16T16:38:27.382991631Z" level=debug msg="[Rule] use default rules"
time="2024-06-16T16:38:27.383393268Z" level=debug msg="[DNS] resolve www.baidu.com from udp://223.5.5.5:53"
time="2024-06-16T16:38:27.383482812Z" level=debug msg="[DNS] resolve www.baidu.com from udp://223.5.5.5:53"
time="2024-06-16T16:38:27.396645247Z" level=debug msg="[DNS] www.baidu.com --> [120.232.145.144 120.232.145.185] A from udp://223.5.5.5:53"
time="2024-06-16T16:38:27.397810782Z" level=debug msg="[DNS] www.baidu.com --> [2402:56d9:270:83:0:dd:f0a3:bc82 2402:56d9:270:89f:0:dd:f069:7972] AAAA from udp://223.5.5.5:53"
time="2024-06-16T16:38:27.398726643Z" level=info msg="[TCP] 192.168.1.2:60138 --> www.baidu.com:80 match DomainKeyword(baidu) using DIRECT"
time="2024-06-16T16:38:27.398944524Z" level=debug msg="[Rule] use default rules"
time="2024-06-16T16:38:27.39946429Z" level=warning msg="[TCP] dial DIRECT (match GeoIP/cn) [*WAN IP*xx:xxxx:xxxx:xxx1]:46004 --> [2402:56d9:270:83:0:dd:f0a3:bc82]:80 error: reject loopback connection to: [2402:56d9:270:83:0:dd:f0a3:bc82]:80"
time="2024-06-16T16:38:27.645420428Z" level=debug msg="[Rule] use default rules"
time="2024-06-16T16:38:27.653440042Z" level=info msg="[TCP] 192.168.1.2:36568 --> raw.githubusercontent.com:443 match DomainKeyword(github) using Proxy[新加坡01]"
time="2024-06-16T16:38:31.836450561Z" level=debug msg="[Rule] use default rules"
time="2024-06-16T16:38:31.837194917Z" level=debug msg="[DNS] resolve chatgpt.com from udp://223.5.5.5:53"
time="2024-06-16T16:38:31.837305462Z" level=debug msg="[DNS] resolve chatgpt.com from udp://223.5.5.5:53"
time="2024-06-16T16:38:31.85012022Z" level=debug msg="[DNS] chatgpt.com --> [31.13.94.36] A from udp://223.5.5.5:53"
time="2024-06-16T16:38:31.850572025Z" level=debug msg="[DNS] chatgpt.com --> [2a03:2880:f10c:283:face:b00c:0:25de] AAAA from udp://223.5.5.5:53"
time="2024-06-16T16:38:31.850884993Z" level=debug msg="[DNS] chatgpt.com --> 31.13.94.36"
time="2024-06-16T16:38:31.851618556Z" level=info msg="[TCP] 192.168.2.127:53001 --> chatgpt.com:443 match Match using Proxy[新加坡01]"
time="2024-06-16T16:38:32.360186371Z" level=debug msg="[Rule] use default rules"
time="2024-06-16T16:38:32.360942685Z" level=info msg="[TCP] 192.168.2.127:53002 --> 128.121.146.109:443 match Match using Proxy[新加坡01]"
time="2024-06-16T16:38:33.259387727Z" level=debug msg="[Rule] use default rules"
time="2024-06-16T16:38:33.260029704Z" level=info msg="[TCP] 192.168.2.127:53003 --> www.google.com:443 match DomainKeyword(google) using Proxy[新加坡01]"

#===================== 最近运行日志获取完成(自动切换为silent模式) =====================#


#===================== 活动连接信息 =====================#

1. SourceIP:【192.168.2.203】 - Host:【Empty】 - DestinationIP:【129.227.192.10】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【新加坡01】
2. SourceIP:【192.168.2.127】 - Host:【Empty】 - DestinationIP:【91.108.56.114】 - Network:【tcp】 - RulePayload:【91.108.56.0/22】 - Lastchain:【新加坡01】
3. SourceIP:【192.168.2.127】 - Host:【alive.github.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【github】 - Lastchain:【新加坡01】
4. SourceIP:【192.168.2.127】 - Host:【extension.femetrics.grammarly.io】 - DestinationIP:【35.170.142.255】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【新加坡01】
5. SourceIP:【192.168.2.203】 - Host:【Empty】 - DestinationIP:【36.139.237.172】 - Network:【tcp】 - RulePayload:【cn】 - Lastchain:【DIRECT】
6. SourceIP:【192.168.2.127】 - Host:【clients4.google.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【google】 - Lastchain:【新加坡01】
7. SourceIP:【192.168.2.127】 - Host:【steamcommunity.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【steamcommunity.com】 - Lastchain:【新加坡01】
8. SourceIP:【192.168.2.132】 - Host:【fro-4.hac.lp1.penne.srv.nintendo.net】 - DestinationIP:【44.208.61.41】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【新加坡01】
9. SourceIP:【192.168.2.127】 - Host:【Empty】 - DestinationIP:【91.108.56.114】 - Network:【tcp】 - RulePayload:【91.108.56.0/22】 - Lastchain:【新加坡01】
10. SourceIP:【192.168.2.127】 - Host:【www.google.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【google】 - Lastchain:【新加坡01】
11. SourceIP:【192.168.2.127】 - Host:【Empty】 - DestinationIP:【128.121.146.109】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【新加坡01】
12. SourceIP:【192.168.2.203】 - Host:【Empty】 - DestinationIP:【74.125.203.188】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【新加坡01】
13. SourceIP:【192.168.2.127】 - Host:【a.nel.cloudflare.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【cloudflare.com】 - Lastchain:【新加坡01】
14. SourceIP:【192.168.2.127】 - Host:【steamcommunity.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【steamcommunity.com】 - Lastchain:【新加坡01】
15. SourceIP:【192.168.2.127】 - Host:【stats.steaminventoryhelper.com】 - DestinationIP:【104.26.5.15】 - Network:【udp】 - RulePayload:【】 - Lastchain:【新加坡01】
16. SourceIP:【192.168.2.127】 - Host:【chatgpt.com】 - DestinationIP:【31.13.94.36】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【新加坡01】
17. SourceIP:【192.168.2.127】 - Host:【self.events.data.microsoft.com】 - DestinationIP:【】 - Network:【tcp】 - RulePayload:【microsoft.com】 - Lastchain:【DIRECT】
18. SourceIP:【192.168.2.127】 - Host:【a.nel.cloudflare.com】 - DestinationIP:【35.190.80.1】 - Network:【udp】 - RulePayload:【cloudflare.com】 - Lastchain:【新加坡01】
19. SourceIP:【192.168.2.215】 - Host:【Empty】 - DestinationIP:【74.125.203.188】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【新加坡01】
20. SourceIP:【192.168.2.127】 - Host:【Empty】 - DestinationIP:【91.108.56.195】 - Network:【tcp】 - RulePayload:【91.108.56.0/22】 - Lastchain:【新加坡01】

Expected Behavior

Direct IPv6 TCP requests no longer report the error, while the IPv6 proxy for the router itself still works.

@jelly21fish jelly21fish added the bug Something isn't working label Jun 16, 2024
@jelly21fish
Contributor Author

Adding the nft rules that were not included in the debug log:

        chain openclash_v6 {
                ip6 daddr @localnetwork6 counter packets 0 bytes 0 return
                ip6 daddr @wan_ac_black_ipv6s counter packets 0 bytes 0 return
                meta nfproto ipv6 tcp dport 0-65535 counter packets 1 bytes 84 redirect to :7892
        }

        chain openclash_output_v6 {
                ip6 daddr @localnetwork6 counter packets 15 bytes 1833 return
                meta skuid != 65534 ip6 daddr @wan_ac_black_ipv6s counter packets 0 bytes 0 return
                meta nfproto ipv6 tcp dport 0-65535 counter packets 63 bytes 5040 redirect to :7892
        }

@jelly21fish
Contributor Author

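Interestingly, I previously tried configuring the firewall myself and running the mihomo core directly, without relying on OpenClash, and got the same "error: reject loopback connection" error.

The difference is that in my case even direct IPv4 traffic failed. I still don't know where the problem is. Maybe this time I can learn how to solve it!

Finally, here is the dashboard's current error log: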

12345

@jelly21fish
Contributor Author

jelly21fish commented Jun 17, 2024

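This issue has been fixed by 82fc7ee! Upgrading to v0.46.016 resolves it.

Interestingly, the fix for this bug changed only one command, adding "skuid != 65534", and that solved it. Thanks, V!

        nft add rule inet fw4 openclash_output_v6 meta nfproto {ipv6} skuid != 65534 tcp dport { 0-65535 } counter redirect to "$proxy_port"

So it seems the loopback error I hit when running the core directly may also be related to the uid. Even if the rules themselves are fine, the process's uid has to be 65534 for its direct traffic to be excluded and a loop to be prevented. I'll give it a try today.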
