MetaCubeX / mihomo

https://wiki.metacubex.one
MIT License

dig @8.8.8.8 www.google.com times out with the router in TProxy mode #890

Open endsock opened 7 months ago

endsock commented 7 months ago

Verify steps

Mihomo version

Mihomo Meta v1.17.0 linux amd64 with go1.20.11 Sun Dec 3 01:03:59 UTC 2023

What OS are you seeing the problem on?

Linux

Mihomo config

bind-address: "*"
allow-lan: true
mode: rule
log-level: error
external-controller: 0.0.0.0:9095
secret: xxxxx
find-process-mode: off
external-ui: "/data/opt/clashmeta/ui/metaui/"
external-ui-name: xd
external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip"
ipv6: false
geox-url:
  geoip: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
  geosite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
  mmdb: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb"
geo-auto-update: false # whether to update geodata automatically
geo-update-interval: 24 # update interval, in hours

sniffer:
  enable: true
  override-destination: true
  sniff: # TLS and QUIC sniff port 443 by default if ports is not configured
    QUIC:
    #  ports: [ 443 ]
    TLS:
    #  ports: [443, 8443]

    # sniffs port 80 by default
    HTTP: # ports to sniff
      # can override sniffer.override-destination
      override-destination: true
  sniffing:
    - tls
    - http

dns:
  enable: true
  listen: 0.0.0.0:7874
  ipv6: false
  default-nameserver:
  - 119.29.29.29
  - 223.5.5.5
  enhanced-mode: fake-ip
  use-hosts: true
  nameserver:
    - 119.29.29.29
  fallback:
    - 127.0.0.1:1153 # self-hosted dns2socks DNS that bypasses the firewall
  fallback-filter:
    geoip: true

  fake-ip-range: 198.18.0.1/16
  fake-ip-filter:
    - "+.*"
  nameserver-policy:
    '+.vlook.top': '114.114.114.114'
    '+.nn.ci': '119.29.29.29'

listeners:
  - name: tproxy-in-1
    type: tproxy
    port: 7895
    listen: 0.0.0.0
    udp: true
  - name: socks5-in-1
    type: socks
    port: 7891
    udp: true
    #listen: 0.0.0.0 # listens on 0.0.0.0 by default
    # rule: sub-rule-name1 # uses rules by default; if the sub-rule is not found, rules is used directly
    # proxy: proxy # if non-empty, inbound traffic is handed directly to the specified proxy
    # udp: false # default true

proxies:
  - name: kimsky-shadowtls
    type: ss  # goes through self-hosted shadow-tls
    server: 127.0.0.1
    port: 3083
    cipher: chacha20-ietf-poly1305
    password: "ROHTiKF96Bk6b4P0"
    udp: true
  - name: kimsky-orc2
    type: ss  # goes through self-hosted shadow-tls
    server: 127.0.0.1
    port: 3084
    cipher: chacha20-ietf-poly1305
    password: "ROHTiKF96Bk6b4P0"
    udp: true
  - name: musichttps
    type: http
    server: 192.168.10.9
    port: 18081
    tls: true
    skip-cert-verify: true
  - name: musichttp
    type: http
    server: 192.168.10.9
    port: 18080
proxy-groups:
  - name: FLYWORLD
    type: select
    proxies:
      - kimsky-shadowtls
      - kimsky-orc2
      - DIRECT
  - name: CNNET
    type: select
    proxies:
      - DIRECT
      - FLYWORLD
  - name: LOCALNET
    type: select
    proxies:
      - DIRECT
rules:
  - DST-PORT,7895,REJECT
  - DST-PORT,1085,REJECT
  - AND,((DST-PORT,443),(NETWORK,udp)),REJECT
  - IP-CIDR,198.18.0.1/16,REJECT,no-resolve
  - RULE-SET,ad,REJECT
  - AND,((DST-PORT,22),(OR,((IP-CIDR,104.225.154.179/32),(IP-CIDR,146.56.185.46/32),(IP-CIDR,193.123.248.110/32),(IP-CIDR,43.129.229.186/32)))),FLYWORLD
  - IP-CIDR,104.225.154.179/32,DIRECT,no-resolve
  - IP-CIDR,193.123.248.110/32,DIRECT,no-resolve
  - DOMAIN-SUFFIX,vlook.top,DIRECT
  - RULE-SET,local_ip,LOCALNET,no-resolve
  - RULE-SET,forcecn_ruleset,CNNET
  - RULE-SET,forcefly_ruleset,FLYWORLD
  - RULE-SET,cn_ip,CNNET
  - RULE-SET,cn_max,CNNET
  - MATCH,FLYWORLD
profile:
  store-selected: true
  store-fake-ip: true
rule-providers:
  local_ip:
    type: http
    behavior: ipcidr
    path: "./rule_provider/local_ip.yaml"
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt
    interval: 86400
  ad:
    type: http
    behavior: domain
    path: "./rule_provider/ad.yaml"
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt
    interval: 86400
  cn_ip:
    type: http
    behavior: ipcidr
    path: "./rule_provider/chnroute.yaml"
    url: https://res.tjy.vlook.top:8686/chnroute.yaml
    interval: 86400
  cn_max:
    type: http
    behavior: classical
    path: "./rule_provider/china_classical_no_ipv6.yaml"
    url: https://cdn.jsdelivr.net/gh/blackmatrix7/ios_rule_script@master/rule/Clash/ChinaMax/ChinaMax_Classical_No_IPv6.yaml
    interval: 86400
  forcecn_ruleset:
    type: http
    behavior: classical
    path: "./rule_provider/forcecn_ruleset.yaml"
    url: https://res.tjy.vlook.top:8686/forcecn_ruleset.yaml
    interval: 86400
  forcefly_ruleset:
    type: http
    behavior: classical
    path: "./rule_provider/forcefly_ruleset.yaml"
    url: https://res.tjy.vlook.top:8686/forcefly_ruleset.yaml
    interval: 86400

Mihomo log

dig @8.8.8.8 www.google.com
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out

Description

These are the iptables rules:

echo "clean firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
ip rule del fwmark 1 lookup 100
ip route del local 0.0.0.0/0 dev lo table 100

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N clash
iptables -t mangle -A clash -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A clash -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A clash -d 192.168.10.0/24 -j RETURN
iptables -t mangle -A clash -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A clash -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A clash -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A clash -d 104.225.154.179 -j RETURN
iptables -t mangle -A clash -d 193.123.248.110 -j RETURN
iptables -t mangle -A clash -p tcp -j TPROXY --on-port 7895 --tproxy-mark 1
iptables -t mangle -A clash -p udp -j TPROXY --on-port 7895 --tproxy-mark 1
iptables -t mangle -A PREROUTING -p tcp -j clash
iptables -t mangle -A PREROUTING -p udp -j clash
iptables -t nat -A POSTROUTING -o br-lan -j MASQUERADE

iptables -t mangle -N clash_local
iptables -t mangle -A clash_local -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A clash_local -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A clash_local -d 192.168.10.0/24 -j RETURN
iptables -t mangle -A clash_local -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A clash_local -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A clash_local -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A clash_local -d 104.225.154.179 -j RETURN
iptables -t mangle -A clash_local -d 193.123.248.110 -j RETURN
iptables -t mangle -A clash_local -p tcp -j MARK --set-mark 1
iptables -t mangle -A clash_local -p udp -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner clash -j RETURN
iptables -t mangle -A OUTPUT -p udp -m owner --uid-owner clash -j RETURN
iptables -t mangle -A OUTPUT -p tcp -j clash_local
iptables -t mangle -A OUTPUT -p udp -j clash_local

I don't know why, but both dig @8.8.8.8 www.google.com and dig @114.114.114.114 www.google.com fail: there is no UDP downstream traffic and no data comes back. Once traffic enters clashmeta it is as if it went into a black hole. I checked the config carefully and found nothing wrong. It also fails when I stop using my self-hosted node and switch to an airport (commercial provider) node instead. Asking for help.
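A consistency check over the TPROXY setup quoted in this post, added here as an example and not code from the issue or from the mihomo project. The rule text is a constructed transcription of the post's ip/iptables commands, and audit_tproxy is a hypothetical helper that verifies the fwmark, routing table, TPROXY port and MARK values agree with each other and with the tproxy listener port from the mihomo config.

```python
import re

# Constructed sample: the policy-routing, TPROXY and MARK lines from the post, one command per line.
SAMPLE_RULES = """
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -A clash -p tcp -j TPROXY --on-port 7895 --tproxy-mark 1
iptables -t mangle -A clash -p udp -j TPROXY --on-port 7895 --tproxy-mark 1
iptables -t mangle -A clash_local -p tcp -j MARK --set-mark 1
iptables -t mangle -A clash_local -p udp -j MARK --set-mark 1
"""


def _num(mark: str) -> int:
    # Marks may be written as 1, 0x1 or 1/0xff; compare only the numeric mark value.
    return int(mark.split("/")[0], 0)


def audit_tproxy(script: str, listener_port: int) -> list[str]:
    """Return a list of inconsistencies (empty list = the rules agree with each other)."""
    findings = []
    rule = re.search(r"ip rule add fwmark (\S+) lookup (\S+)", script)
    route = re.search(r"ip route add local 0\.0\.0\.0/0 dev lo table (\S+)", script)
    if not rule or not route:
        return ["policy routing incomplete: need both 'ip rule add fwmark' and 'ip route add local ... table'"]
    fwmark, table = rule.groups()
    if table != route.group(1):
        findings.append(f"ip rule uses table {table} but ip route populates table {route.group(1)}")
    # Per-protocol TPROXY rules (LAN traffic) and MARK rules (the router's own traffic).
    tproxy = {m.group(1): m for m in re.finditer(
        r"-p (tcp|udp) -j TPROXY --on-port (\d+) --tproxy-mark (\S+)", script)}
    marks = {m.group(1): m.group(2) for m in re.finditer(
        r"-p (tcp|udp) -j MARK --set-mark (\S+)", script)}
    for proto in ("tcp", "udp"):
        if proto not in tproxy:
            findings.append(f"no TPROXY rule for {proto}: LAN {proto} never reaches the listener")
        else:
            port, mark = tproxy[proto].group(2), tproxy[proto].group(3)
            if int(port) != listener_port:
                findings.append(f"{proto} TPROXY --on-port {port} != listener port {listener_port}")
            if _num(mark) != _num(fwmark):
                findings.append(f"{proto} --tproxy-mark {mark} != ip rule fwmark {fwmark}")
        if proto not in marks:
            findings.append(f"no MARK rule for locally generated {proto}: the router's own traffic bypasses the proxy")
        elif _num(marks[proto]) != _num(fwmark):
            findings.append(f"{proto} --set-mark {marks[proto]} != ip rule fwmark {fwmark}")
    return findings


if __name__ == "__main__":
    print(audit_tproxy(SAMPLE_RULES, 7895) or "TPROXY rules are internally consistent")
```

For the post's rules the check comes back empty, so the black-holed UDP is not explained by a mark, table or port mismatch in these lines.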

echizenryoma commented 7 months ago

Check the values of the following kernel parameters:

sudo sysctl -a | grep net.bridge.bridge-nf-call

Try setting them all to 0.

endsock commented 7 months ago

IPv6 is currently disabled, and cat /proc/sys/net/bridge/bridge-nf-call-iptables gives 0, but UDP still cannot be transmitted successfully.

antonchen commented 6 months ago

1.16.0 also has this problem.

------ Edit -------

After looking into it recently, my problem is probably not the same as this one.