MetaCubeX / mihomo

https://wiki.metacubex.one
MIT License

[Bug] route-exclude-address-set does not handle IPv6 CIDRs #1537

Closed Xarth-Mai closed 1 month ago

Xarth-Mai commented 1 month ago

Verify steps

Operating System

Linux

System Version

ArchLinux 6.10.10-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Thu, 12 Sep 2024 17:17:51 +0000 x86_64 GNU/Linux

Mihomo Version

➜  ~ clash-meta -v
Mihomo Meta 2024092319.59a2b245 linux amd64 with go1.23.1 2024-09-23 13:01:47+00:00
Use tags: with_gvisor
➜  ~ 

Configuration File

mode: rule
mixed-port: 7897
allow-lan: false
log-level: debug
ipv6: true
external-controller: 127.0.0.1:9097
secret: ''
global-client-fingerprint: random
profile:
  store-selected: true
unified-delay: true
geo-update-interval: 72
tcp-concurrent: true

tun:
  enable: true
  stack: system
  auto-route: true
  auto-redirect: true
  auto-detect-interface: true
  device: utun0
  strict-route: true
  gso: true
  dns-hijack:
  - any:53
  route-exclude-address-set:
  - cncidr
  - lancidr
  mtu: 1500

proxies:
  - {
      name: "CCCCCCC",
      type: vless
    }

rule-providers:
  cncidr:
    type: http
    behavior: ipcidr
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/cncidr.txt
    path: ./ruleset/cncidr.yaml
    proxy: CCCCCCC
    interval: 86400
  lancidr:
    type: http
    behavior: ipcidr
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/lancidr.txt
    path: ./ruleset/lancidr.yaml
    proxy: CCCCCCC
    interval: 86400

rules:
- RULE-SET,lancidr,DIRECT
- RULE-SET,cncidr,DIRECT

Description

Running Mihomo with this configuration file and inspecting the firewall rules with sudo nft list ruleset shows that the IPv6 CIDRs in the rule sets named by route-exclude-address-set are not added to the firewall.

➜  ~ nft -v          
nftables v1.1.0 (Commodore Bullmoose)
➜  ~ 
➜  ~ sudo nft list ruleset               
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop comment "early drop of invalid connections"
        ct state { established, related } accept comment "allow tracked connections"
        iif "lo" accept comment "allow from loopback"
        ip protocol icmp accept comment "allow icmp"
        meta l4proto ipv6-icmp accept comment "allow icmp v6"
        tcp dport 22 accept comment "allow sshd"
        meta pkttype host limit rate 5/second burst 5 packets counter packets 39 bytes 18167 reject with icmpx admin-prohibited
        counter packets 1547 bytes 596600
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
table inet mihomo {
    set inet4_route_exclude_address_set {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8,
                 203.62.2.0/24, 203.62.131.0/24,
                 203.62.139.0/24, 203.62.161.0/24,
                 203.62.197.0/24, 203.62.228.0/22,
                 203.62.234.0/24, 203.62.246.0/24,
                 203.65.240.0/22, 203.76.160.0/22,
                 203.76.168.0/22, 203.76.208.0-203.76.219.255,
                 203.76.240.0/22, 203.77.180.0/22,
                 203.78.48.0/20, 203.78.156.0/22,
                 203.79.0.0/20, 203.80.4.0/23,
                 203.80.32.0/20, 203.80.57.0/24,
                 203.80.129.0/24, 203.80.132.0/22,
                 203.80.144.0/20, 203.81.16.0/20,
                 203.81.244.0/22, 203.82.0.0/23,
                 203.82.112.0/20, 203.82.224.0/20,
                 203.83.0.0/22, 203.83.12.0/22,
                 203.83.56.0/21, 203.83.224.0/20,
                 203.86.0.0-203.86.97.255, 203.86.108.0/24,
                 203.86.110.0/24, 203.86.112.0/24,
                 203.86.116.0/23, 203.86.250.0/24,
                 203.86.254.0/23, 203.88.32.0/19,
                 203.88.192.0/19, 203.89.0.0/22,
                 203.89.8.0/23, 203.89.100.0/22}
    }

    set inet6_route_exclude_address_set {
        type ipv6_addr
        flags interval
    }

    set inet4_local_address_set {
        type ipv4_addr
        flags interval
        elements = { 127.0.0.0/8, 192.168.20.0/24,
                 198.18.0.0/30 }
    }

    set inet6_local_address_set {
        type ipv6_addr
        flags interval
        elements = { ::1,
                 240e:9438:4a38:1111::/64,
                 240e:9524:4a50:5555::/64 }
    }

    chain output {
        type nat hook output priority mangle; policy accept;
        meta mark 0x00002024 counter packets 549 bytes 36671 return
        meta nfproto ipv4 oifname != "lo" meta l4proto { tcp, udp } th dport 53 dnat ip to 198.18.0.2 counter packets 0 bytes 0
        meta nfproto ipv6 oifname != "lo" meta l4proto { tcp, udp } th dport 53 dnat ip6 to fdfe:dcba:9876::2 counter packets 0 bytes 0
        ip daddr @inet4_local_address_set counter packets 18 bytes 1080 return
        ip6 daddr @inet6_local_address_set counter packets 27 bytes 1944 return
        ip daddr @inet4_route_exclude_address_set counter packets 169 bytes 10156 return
        ip6 daddr @inet6_route_exclude_address_set counter packets 0 bytes 0 return
        meta l4proto tcp counter packets 498 bytes 33720 redirect to :40015 return
    }

    chain output_udp {
        type route hook output priority mangle; policy accept;
        meta mark 0x00002024 counter packets 15146 bytes 3710151 return
        meta l4proto != udp return
        ip daddr @inet4_local_address_set counter packets 512 bytes 34368 return
        ip6 daddr @inet6_local_address_set counter packets 0 bytes 0 return
        ip daddr @inet4_route_exclude_address_set counter packets 1 bytes 76 return
        ip6 daddr @inet6_route_exclude_address_set counter packets 0 bytes 0 return
        meta mark set 0x00002023 ct mark set meta mark counter packets 688 bytes 250970
    }

    chain prerouting {
        type nat hook prerouting priority mangle; policy accept;
        meta nfproto ipv4 meta l4proto { tcp, udp } th dport 53 dnat ip to 198.18.0.2 counter packets 0 bytes 0
        meta nfproto ipv6 meta l4proto { tcp, udp } th dport 53 dnat ip6 to fdfe:dcba:9876::2 counter packets 0 bytes 0
        ip daddr @inet4_local_address_set counter packets 115 bytes 6900 return
        ip6 daddr @inet6_local_address_set counter packets 0 bytes 0 return
        ip daddr @inet4_route_exclude_address_set counter packets 0 bytes 0 return
        ip6 daddr @inet6_route_exclude_address_set counter packets 0 bytes 0 return
        meta l4proto tcp counter packets 0 bytes 0 redirect to :40015 return
        meta mark set 0x00002023 ct mark set meta mark counter packets 1173 bytes 489805
    }

    chain prerouting_udp {
        type filter hook prerouting priority mangle + 1; policy accept;
        ip daddr @inet4_local_address_set counter packets 36393 bytes 44754493 return
        ip6 daddr @inet6_local_address_set counter packets 7754 bytes 8346127 return
        meta l4proto udp ct mark 0x00002023 meta mark set ct mark counter packets 237 bytes 44996
    }
}
table inet lxc {
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "waydroid0" udp dport { 53, 67 } accept
        iifname "waydroid0" tcp dport { 53, 67 } accept
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "waydroid0" accept
        oifname "waydroid0" accept
    }
}
table ip lxc {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.240.0/24 ip daddr != 192.168.240.0/24 counter packets 11 bytes 2698 masquerade
    }
}

Reproduction Steps

sudo mihomo -d /opt/mihomo
sudo nft list ruleset

Logs

➜  ~ sudo clash-meta -d ~/Desktop
INFO[2024-09-24T13:31:18.628462847+08:00] Start initial configuration in progress      
WARN[2024-09-24T13:31:18.628548079+08:00] To use xtls-rprx-vision, ensure your server is upgrade to Xray-core v1.8.0+ 
INFO[2024-09-24T13:31:18.628569324+08:00] Geodata Loader mode: memconservative         
INFO[2024-09-24T13:31:18.628572543+08:00] Geosite Matcher implementation: succinct     
INFO[2024-09-24T13:31:18.628753398+08:00] Initial configuration complete, total time: 0ms 
INFO[2024-09-24T13:31:18.628939301+08:00] RESTful API listening at: 127.0.0.1:9097     
INFO[2024-09-24T13:31:18.640094708+08:00] Sniffer is closed                            
INFO[2024-09-24T13:31:18.640109221+08:00] Use tcp concurrent                           
INFO[2024-09-24T13:31:18.640162048+08:00] Mixed(http+socks) proxy listening at: 127.0.0.1:7897 
WARN[2024-09-24T13:31:18.640359433+08:00] [TUN] default interface changed by monitor,  => enp4s0 
DEBU[2024-09-24T13:31:18.642509261+08:00] batch write packet: invalid offset           
INFO[2024-09-24T13:31:18.658119782+08:00] [TUN] Tun adapter listening at: utun0([198.18.0.1/30],[fdfe:dcba:9876::1/126]), mtu: 1500, auto route: true, auto redir: true, ip stack: System 
INFO[2024-09-24T13:31:18.658192857+08:00] Start initial provider lancidr               
INFO[2024-09-24T13:31:18.65825205+08:00] Start initial provider cncidr                
ERRO[2024-09-24T13:31:18.668260649+08:00] update route address set: conn.Receive: netlink receive: file exists 
INFO[2024-09-24T13:31:18.745789419+08:00] Start initial Compatible provider default    
ERRO[2024-09-24T13:31:18.764285105+08:00] update route address set: conn.Receive: netlink receive: file exists 
DEBU[2024-09-24T13:31:19.648742829+08:00] [DNS] hijack udp:198.18.0.2:53 from 192.168.9.66:37803 
DEBU[2024-09-24T13:31:19.649619905+08:00] [DNS] hijack udp:198.18.0.2:53 from 192.168.9.66:58210 
^CWARN[2024-09-24T13:31:26.62287094+08:00] Mihomo shutting down                         
➜  ~ 
xishang0128 commented 1 month ago

The version number is wrong; please use an official build.

xishang0128 commented 1 month ago

@Xarth-Mai I have tested with the latest Alpha branch version, and the issue still persists.

If you haven't done that, don't tick the box.

Xarth-Mai commented 1 month ago

@Xarth-Mai I have tested with the latest Alpha branch version, and the issue still persists.

If you haven't done that, don't tick the box.

Sorry, when I opened the issue, I was using an alpha branch I built a few hours ago. I just tried the version from https://github.com/MetaCubeX/mihomo/actions/runs/11007562649/artifacts/1969795331 and got the same result.

➜  bin clash-meta -v            
Mihomo Meta alpha-6c03830 linux amd64 with go1.23.1 Tue Sep 24 05:26:45 UTC 2024
Use tags: with_gvisor
xishang0128 commented 1 month ago

@Xarth-Mai Try using a local rule set and write two test IPs.

Xarth-Mai commented 1 month ago

@Xarth-Mai Try using a local rule set and write two test IPs.

It doesn't work.

➜  ruleset sudo nft list ruleset

table inet mihomo {
    set inet4_route_exclude_address_set {
        type ipv4_addr
        flags interval
        elements = { 1.0.32.0/19 }
    }

    set inet6_route_exclude_address_set {
        type ipv6_addr
        flags interval
    }

    set inet4_local_address_set {
        type ipv4_addr
        flags interval
        elements = { 127.0.0.0/8, 192.168.23.0/24,
                 192.168.240.0/24, 198.18.0.0/30 }
    }

    set inet6_local_address_set {
        type ipv6_addr
        flags interval
        elements = { ::1,
                 240e:822a:4c30:9a40::/64,
                 240e:822a:4c38:9420::/64,
                 240e:823b:4c30:e950::/64 }
    }

    chain output {
        type nat hook output priority mangle; policy accept;
        meta mark 0x00002024 counter packets 0 bytes 0 return
        meta nfproto ipv4 oifname != "lo" meta l4proto { tcp, udp } th dport 53 dnat ip to 198.18.0.2 counter packets 0 bytes 0
        meta nfproto ipv6 oifname != "lo" meta l4proto { tcp, udp } th dport 53 dnat ip6 to fdfe:dcba:9876::2 counter packets 0 bytes 0
        ip daddr @inet4_local_address_set counter packets 0 bytes 0 return
        ip6 daddr @inet6_local_address_set counter packets 0 bytes 0 return
        ip daddr @inet4_route_exclude_address_set counter packets 0 bytes 0 return
        ip6 daddr @inet6_route_exclude_address_set counter packets 0 bytes 0 return
        meta l4proto tcp counter packets 0 bytes 0 redirect to :38777 return
    }

    chain output_udp {
        type route hook output priority mangle; policy accept;
        meta mark 0x00002024 counter packets 0 bytes 0 return
        meta l4proto != udp return
        ip daddr @inet4_local_address_set counter packets 40 bytes 2624 return
        ip6 daddr @inet6_local_address_set counter packets 0 bytes 0 return
        ip daddr @inet4_route_exclude_address_set counter packets 0 bytes 0 return
        ip6 daddr @inet6_route_exclude_address_set counter packets 0 bytes 0 return
        meta mark set 0x00002023 ct mark set meta mark counter packets 0 bytes 0
    }

    chain prerouting {
        type nat hook prerouting priority mangle; policy accept;
        meta nfproto ipv4 meta l4proto { tcp, udp } th dport 53 dnat ip to 198.18.0.2 counter packets 0 bytes 0
        meta nfproto ipv6 meta l4proto { tcp, udp } th dport 53 dnat ip6 to fdfe:dcba:9876::2 counter packets 0 bytes 0
        ip daddr @inet4_local_address_set counter packets 0 bytes 0 return
        ip6 daddr @inet6_local_address_set counter packets 0 bytes 0 return
        ip daddr @inet4_route_exclude_address_set counter packets 0 bytes 0 return
        ip6 daddr @inet6_route_exclude_address_set counter packets 0 bytes 0 return
        meta l4proto tcp counter packets 0 bytes 0 redirect to :38777 return
        meta mark set 0x00002023 ct mark set meta mark counter packets 0 bytes 0
    }

    chain prerouting_udp {
        type filter hook prerouting priority mangle + 1; policy accept;
        ip daddr @inet4_local_address_set counter packets 41 bytes 2664 return
        ip6 daddr @inet6_local_address_set counter packets 0 bytes 0 return
        meta l4proto udp ct mark 0x00002023 meta mark set ct mark counter packets 0 bytes 0
    }
}

The config.yaml:

mode: rule
mixed-port: 7897
allow-lan: false
log-level: debug
ipv6: true
external-controller: 127.0.0.1:9097
secret: ""
global-client-fingerprint: random
profile:
  store-selected: true
unified-delay: true
geo-update-interval: 72
tcp-concurrent: true

tun:
  enable: true
  stack: system
  auto-route: true
  auto-redirect: true
  auto-detect-interface: true
  device: utun0
  strict-route: true
  gso: true
  dns-hijack:
    - any:53
  route-exclude-address-set:
    - test
  mtu: 1500

rule-providers:
  test:
    type: file
    behavior: ipcidr
    path: ./ruleset/test.yaml
    interval: 86400

rules:
  - RULE-SET,test,DIRECT
  - MATCH,DIRECT

The test.yaml:

payload:
  - '2001:470:d:32f::/64'
  - '2001:470:d:330::/64'
  - '2001:470:d:333::/64'
  - '2001:470:d:334::/63'
  - '2001:470:d:33b::/64'
  - '2001:470:d:33c::/63'
  - '2001:470:d:341::/64'
  - '2001:470:d:344::/64'
  - '2001:470:d:349::/64'
  - '2001:470:d:34b::/64'
  - 'fc00::/7'
  - 'fe80::/10'
  - 'ff00::/8'
  - '1.0.32.0/19'

Log:

➜  ~ sudo clash-meta -d ~/Desktop
INFO[2024-09-24T16:14:59.935185704+08:00] Start initial configuration in progress      
INFO[2024-09-24T16:14:59.935270585+08:00] Geodata Loader mode: memconservative         
INFO[2024-09-24T16:14:59.935274673+08:00] Geosite Matcher implementation: succinct     
INFO[2024-09-24T16:14:59.935455764+08:00] Initial configuration complete, total time: 0ms 
INFO[2024-09-24T16:14:59.935665381+08:00] RESTful API listening at: 127.0.0.1:9097     
INFO[2024-09-24T16:14:59.947944855+08:00] Sniffer is closed                            
INFO[2024-09-24T16:14:59.947959731+08:00] Use tcp concurrent                           
INFO[2024-09-24T16:14:59.948015305+08:00] Mixed(http+socks) proxy listening at: 127.0.0.1:7897 
WARN[2024-09-24T16:14:59.948328717+08:00] [TUN] default interface changed by monitor,  => enp4s0 
DEBU[2024-09-24T16:14:59.952020688+08:00] batch write packet: invalid offset           
INFO[2024-09-24T16:14:59.963490461+08:00] [TUN] Tun adapter listening at: utun0([198.18.0.1/30],[fdfe:dcba:9876::1/126]), mtu: 1500, auto route: true, auto redir: true, ip stack: System 
INFO[2024-09-24T16:14:59.963558689+08:00] Start initial provider test                  
INFO[2024-09-24T16:14:59.964385008+08:00] Start initial Compatible provider default    
ERRO[2024-09-24T16:14:59.969387969+08:00] update route address set: conn.Receive: netlink receive: file exists 
DEBU[2024-09-24T16:14:59.973668623+08:00] [DNS] hijack udp:198.18.0.2:53 from 192.168.23.270:45826 
DEBU[2024-09-24T16:14:59.97371819+08:00] [DNS] hijack udp:198.18.0.2:53 from 192.168.23.270:33925 
^CWARN[2024-09-24T16:15:06.767392039+08:00] Mihomo shutting down                         
➜  ~ sudo clash-meta -v
Mihomo Meta alpha-6c03830 linux amd64 with go1.23.1 Tue Sep 24 05:26:45 UTC 2024
Use tags: with_gvisor
➜  ~ 
Xarth-Mai commented 1 month ago

The rule itself should be correct and can be properly processed after the traffic enters the Clash core.

Host: www.bilibili.com:443
Downloaded: 9.50 KB
Uploaded: 1.41 KB
DL Speed: 0 B/s
UL Speed: 0 B/s
Chains: DIRECT
Rule: RuleSet(cncidr)
Process:
Time: a few seconds ago
Source: fdfe:dcba:9876::1:49104
Destination IP: 2408:873c:6810:3::11
Type: Tun(tcp)
xishang0128 commented 1 month ago

@Xarth-Mai Remove fe80 and similar addresses; private addresses should not be used in route-exclude-address-set.
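A small pre-flight check for an ipcidr payload before pointing route-exclude-address-set at it, added here as an example and not part of mihomo or this thread. It parses the payload: list format shown in test.yaml above, splits prefixes by address family, flags the loopback, link-local, multicast and private ranges the maintainer says to leave out, and (as an extra sanity check, an assumption of this example rather than something the thread establishes) reports overlapping prefixes, since the kernel sets here are declared with flags interval. The sample payload is constructed and deliberately includes one overlapping pair.

```python
import ipaddress

# Constructed sample modelled on the test.yaml in the thread; the /64 inside
# 2001:470:d:334::/63 is added here on purpose to exercise the overlap check.
SAMPLE_PAYLOAD = """\
payload:
  - '2001:470:d:32f::/64'
  - '2001:470:d:334::/63'
  - '2001:470:d:334::/64'
  - 'fc00::/7'
  - 'fe80::/10'
  - 'ff00::/8'
  - '1.0.32.0/19'
"""

def parse_payload(text):
    """Pull CIDR strings out of a Clash-style 'payload:' list (one '- ...' per line)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("- "):
            continue
        nets.append(ipaddress.ip_network(line[2:].strip().strip("'\""), strict=False))
    return nets

def scope_problem(net):
    """Return the reason a prefix does not belong in route-exclude-address-set, or None."""
    for attr in ("is_loopback", "is_link_local", "is_multicast", "is_private"):
        if getattr(net, attr):
            return attr
    return None

def audit_payload(text):
    """Split prefixes by family, drop non-global scopes, and list overlapping pairs."""
    report = {"ipv4": [], "ipv6": [], "rejected": [], "overlaps": []}
    kept = []
    for net in parse_payload(text):
        why = scope_problem(net)
        if why:
            report["rejected"].append((str(net), why))
            continue
        kept.append(net)
        report["ipv4" if net.version == 4 else "ipv6"].append(str(net))
    # Overlap check only makes sense within one address family.
    for i, a in enumerate(kept):
        for b in kept[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                report["overlaps"].append((str(a), str(b)))
    return report
```

Run audit_payload on a provider file and compare its ipv6 list against the elements of inet6_route_exclude_address_set in nft list ruleset to see which prefixes actually reached the kernel.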