Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] 禁用 QUIC 对 IPv6 TUN 模式 无效 #3863

Open
6 of 7 tasks
snachx opened this issue Apr 29, 2024 · 4 comments
Open
6 of 7 tasks

[Bug] 禁用 QUIC 对 IPv6 TUN 模式 无效 #3863

snachx opened this issue Apr 29, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@snachx
Copy link
Contributor

snachx commented Apr 29, 2024

Verify Steps

  • Tracker 我已经在 Issue Tracker 中找过我要提出的问题
  • Branch 我知道 OpenClash 的 Dev 分支切换开关位于插件设置-版本更新中,或者我会手动下载并安装 Dev 分支的 OpenClash
  • Latest 我已经使用最新 Dev 版本测试过,问题依旧存在
  • Relevant 我知道 OpenClash 与 内核(Core)、控制面板(Dashboard)、在线订阅转换(Subconverter)等项目之间无直接关系,仅相互调用
  • Definite 这确实是 OpenClash 出现的问题
  • Contributors 我有能力协助 OpenClash 开发并解决此问题
  • Meaningless 我提交的是无意义的催促更新或修复请求

OpenClash Version

v0.46.007-beta

Bug on Environment

Lean

OpenWrt Version

Openwrt 23.05.3

Bug on Platform

Linux-arm64

Describe the Bug

Meta 内核
运行模式 Redir-Host(TUN)
禁用 QUIC
IPv6 代理模式 TUN 模式

以上设置的前提下,验证发现 IPv6 下会添加 quic reject 规则到 input 链,不会添加到 forward 链

OpenClash/luci-app-openclash/root/etc/init.d/openclash

Line 2895 in e957592

ip6tables -I INPUT -p udp --dport 443 -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip6_route dst -j REJECT >/dev/null 2>&1

作为对比, IPv4 下启用 TUN,quic reject 规则只会添加 forward 链,不启用 TUN, 只会添加到 input 链

OpenClash/luci-app-openclash/root/etc/init.d/openclash

Line 2481 in e957592

iptables -I INPUT -p udp --dport 443 -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip_route dst -j REJECT >/dev/null 2>&1

OpenClash/luci-app-openclash/root/etc/init.d/openclash

Line 2625 in e957592

iptables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip_route dst -j REJECT >/dev/null 2>&1

fw3 和 fw4 都有同样的问题

To Reproduce

Meta 内核
运行模式 Redir-Host(TUN)
禁用 QUIC
IPv6 代理模式 TUN 模式
检查防火墙设置

OpenClash Log

日志无关

OpenClash Config

No response

Expected Behavior

IPv6 下使用 tun 模式也应该在 forward 链添加 quic reject 规则

Additional Context

No response
@snachx snachx added the bug Something isn't working label Apr 29, 2024
vernesong added a commit that referenced this issue Apr 29, 2024
@vernesong
chore: #3863
dc14419
@snachx
Copy link
Contributor Author

snachx commented Apr 30, 2024

@vernesong 测了一下有个 bug, match-set 应该是 china_ip6_route

OpenClash/luci-app-openclash/root/etc/init.d/openclash

Line 2922 in 7256d89

ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip_route dst -j REJECT >/dev/null 2>&1

@zzz6839
Copy link

zzz6839 commented May 15, 2024
edited

这个问题是不是还没修好,我看Youtube会有类似情况
image

@snachx
Copy link
Contributor Author

snachx commented May 15, 2024

v0.46.010 已经修好了,你这个提示跟这个没关系,应该是代理本身的问题

@patsnap-guyong
Copy link

0.46.011版本依然存在问题,表现还是卡:
Tip: Firewall4 was Detected, Use NFTABLE Rules...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@snachx @zzz6839 @patsnap-guyong