SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

sing-box doesn't act as a gateway after enabled tun mode #1473

Closed bobwng closed 7 months ago

bobwng commented 7 months ago

Operating system

Linux

System version

Alpine Linux v3.19 6.6.16-0-virt x86_64

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.8.4

Environment: go1.21.6 linux/amd64
Tags: with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api,with_ech
CGO: enabled

Description

The config.json I'm using is:

{
    "log": {
        "level": "info",
        "timestamp": true
    },
    "dns": {
        "servers": [
            {
                "tag": "dns_proxy",
                "address": "https://1.1.1.1/dns-query",
                "address_resolver": "dns_resolver",
                "strategy": "prefer_ipv4",
                "detour": "proxy"
            },
            {
                "tag": "dns_direct",
                "address": "https://dns.alidns.com/dns-query",
                "address_resolver": "dns_resolver",
                "strategy": "ipv4_only",
                "detour": "direct"
            },
            {
                "tag": "dns_resolver",
                "address": "223.5.5.5",
                "detour": "direct"
            },
            {
                "tag": "dns_local",
                "address": "192.168.1.1",
                "detour": "direct"
            },
            {
                "tag": "dns_block",
                "address": "rcode://success"
            }
        ],
        "rules": [
            {
                "outbound": "any",
                "server": "dns_resolver"
            },
            {
                "domain_suffix": [
                    "qq.com"
                ],
                "server": "dns_local"
            },
            {
                "rule_set": "geosite-geolocation-!cn",
                "server": "dns_proxy"
            }
        ],
        "final": "dns_direct"
    },
    "route": {
        "rule_set": [
            {
                "tag": "geosite-geolocation-!cn",
                "type": "remote",
                "format": "binary",
                "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-!cn.srs",
                "download_detour": "proxy"
            },
            {
                "tag": "geoip-cn",
                "type": "remote",
                "format": "binary",
                "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs",
                "download_detour": "proxy"
            }
        ],
        "rules": [
            {
                "protocol": "dns",
                "outbound": "dns-out"
            },
            {
                "type": "logical",
                "mode": "and",
                "rules": [
                    {
                        "rule_set": "geoip-cn",
                        "invert": true
                    },
                    {
                        "rule_set": "geosite-geolocation-!cn"
                    }
                ],
                "outbound": "proxy"
            },
            {
                "rule_set": "geoip-cn",
                "outbound": "direct"
            },
            {
                "ip_is_private": true,
                "outbound": "direct"
            },
            {
                "domain_suffix": [
                    "qq.com"
                ],
                "outbound": "direct"
            }
        ],
        "final": "direct",
        "auto_detect_interface": true
    },
    "inbounds": [
        {
            "type": "tun",
            "tag": "tun-in",
            "inet4_address": "172.16.0.1/30",
            "auto_route": true,
            "strict_route": false,
            "stack": "mixed",
            "sniff": true,
            "sniff_override_destination": true
        },
        {
            "type": "mixed",
            "listen": "0.0.0.0",
            "listen_port": 7890
        },
        {
            "type": "direct",
            "network": "udp",
            "listen": "0.0.0.0",
            "listen_port": 53,
            "sniff": true
        }
    ],
    "outbounds": [
        {
            "type": "hysteria2",
            "server": "xxxxxx",
            "server_port": 443,
            "up_mbps": 100,
            "down_mbps": 100,
            "password": "xxxx",
            "tls": {
                "enabled": true,
                "server_name": "xxxxx"
            },
            "tag": "proxy"
        },
        {
            "type": "direct",
            "tag": "direct"
        },
        {
            "type": "block",
            "tag": "block"
        },
        {
            "type": "dns",
            "tag": "dns-out"
        }
    ],
    "experimental": {
        "cache_file": {
            "enabled": true,
            "path": "cache.db"
        }
    }
}

CLI used to start sing-box:

$ sudo sing-box run -c ./sing-box/config.json
+0800 2024-02-17 18:43:05 INFO router: updated default interface eth0, index 2
+0800 2024-02-17 18:43:05 INFO inbound/tun[tun-in]: started at tun0
+0800 2024-02-17 18:43:05 INFO inbound/mixed[1]: tcp server started at 0.0.0.0:7890
+0800 2024-02-17 18:43:05 INFO inbound/direct[2]: udp server started at 0.0.0.0:53
+0800 2024-02-17 18:43:05 INFO sing-box started (0.44s)

sing-box's output while running curl https://x.com on the same host that is running sing-box; everything looks fine:

+0800 2024-02-17 18:44:41 INFO [1815147228 0ms] inbound/tun[tun-in]: inbound packet connection from 172.16.0.1:54302
+0800 2024-02-17 18:44:41 INFO [1815147228 0ms] inbound/tun[tun-in]: inbound packet connection to 192.168.1.1:53
+0800 2024-02-17 18:44:41 INFO dns: exchanged x.com A x.com. 885 IN A 104.244.42.65
+0800 2024-02-17 18:44:41 INFO dns: exchanged x.com A x.com. 885 IN A 104.244.42.193
+0800 2024-02-17 18:44:41 INFO dns: exchanged x.com A x.com. 885 IN A 104.244.42.1
+0800 2024-02-17 18:44:41 INFO dns: exchanged x.com A x.com. 885 IN A 104.244.42.129
+0800 2024-02-17 18:44:41 INFO dns: exchanged x.com OPT OPT PSEUDOSECTION: EDNS: version 0 flags: MBZ: 0x0375, udp: 1232
+0800 2024-02-17 18:44:41 INFO dns: exchanged x.com. A x.com. 885 IN A 104.244.42.65
+0800 2024-02-17 18:44:41 INFO dns: exchanged x.com. A x.com. 885 IN A 104.244.42.193
+0800 2024-02-17 18:44:41 INFO dns: exchanged x.com. A x.com. 885 IN A 104.244.42.1
+0800 2024-02-17 18:44:41 INFO dns: exchanged x.com. A x.com. 885 IN A 104.244.42.129
+0800 2024-02-17 18:44:41 INFO dns: exchanged x.com SOA x.com. 55 IN SOA a.u10.twtrdns.net. noc.twitter.com. 2023121201 3600 600 604800 300
+0800 2024-02-17 18:44:41 INFO dns: exchanged x.com OPT OPT PSEUDOSECTION: EDNS: version 0 flags: MBZ: 0x0037, udp: 1232
+0800 2024-02-17 18:44:41 INFO [426345967 0ms] inbound/tun[tun-in]: inbound connection from 172.16.0.1:36448
+0800 2024-02-17 18:44:41 INFO [426345967 0ms] inbound/tun[tun-in]: inbound connection to 104.244.42.65:443
+0800 2024-02-17 18:44:41 INFO [426345967 4ms] outbound/hysteria2[proxy]: outbound connection to x.com:443

sing-box's output while running curl https://twitter.com on another Windows machine that has sing-box set as its gateway/DNS server; there is only DNS-query-related output:

+0800 2024-02-17 18:48:02 INFO [190343424 0ms] inbound/direct[2]: inbound packet connection from 192.168.1.23:55109
+0800 2024-02-17 18:48:02 INFO dns: exchanged twitter.com A twitter.com. 1188 IN A 104.244.42.193
+0800 2024-02-17 18:48:02 INFO dns: exchanged twitter.com A twitter.com. 1188 IN A 104.244.42.1
+0800 2024-02-17 18:48:02 INFO dns: exchanged twitter.com A twitter.com. 1188 IN A 104.244.42.65
+0800 2024-02-17 18:48:02 INFO dns: exchanged twitter.com A twitter.com. 1188 IN A 104.244.42.129
+0800 2024-02-17 18:48:02 INFO dns: exchanged twitter.com. A twitter.com. 1188 IN A 104.244.42.193
+0800 2024-02-17 18:48:02 INFO dns: exchanged twitter.com. A twitter.com. 1188 IN A 104.244.42.1
+0800 2024-02-17 18:48:02 INFO dns: exchanged twitter.com. A twitter.com. 1188 IN A 104.244.42.65
+0800 2024-02-17 18:48:02 INFO dns: exchanged twitter.com. A twitter.com. 1188 IN A 104.244.42.129

The output of ipconfig /all on the client OS:

以太网适配器 以太网:

   连接特定的 DNS 后缀 . . . . . . . :
   描述. . . . . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   物理地址. . . . . . . . . . . . . : 00-xx-xx-xx-xx-xx
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是
   本地链接 IPv6 地址. . . . . . . . : fe80::11ce:86d0:874e:e74c%8(首选)
   IPv4 地址 . . . . . . . . . . . . : 192.168.1.23(首选)
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.1.3
   DHCPv6 IAID . . . . . . . . . . . : 100668765
   DHCPv6 客户端 DUID  . . . . . . . : 00-01-00-01-2C-18-37-93-00-15-5D-06-58-13
   DNS 服务器  . . . . . . . . . . . : 192.168.1.3
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

So I went back to check the sing-box host's config:

$ uname -a
Linux alpine 6.6.16-0-virt #1-Alpine SMP PREEMPT_DYNAMIC Wed, 07 Feb 2024 18:00:38 +0000 x86_64 Linux

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::54ab:93ff:fed5:58f4/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:c7:0f:4a:09 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
63: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 172.16.0.1/30 brd 172.16.0.3 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::57a1:8e39:6cfe:427b/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever

$ ip rule
0:  from all lookup local
8997:   from all to 192.168.1.3 lookup 2022
8998:   from all iif tun0 lookup main
8999:   from all iif tun0 lookup main
9000:   from all to 172.16.0.0/30 lookup 2022
9001:   from all ipproto icmp goto 9010
9002:   not from all dport 53 lookup main suppress_prefixlength 0
9002:   not from all iif lo lookup 2022
9002:   from 0.0.0.0 iif lo lookup 2022
9002:   from 172.16.0.0/30 iif lo lookup 2022
9010:   from all nop
32766:  from all lookup main
32767:  from all lookup default

$ ip route show table 2022
default dev tun0

$ ip route
default via 192.168.1.1 dev eth0 metric 202
172.16.0.0/30 dev tun0 proto kernel scope link src 172.16.0.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.3

$ sysctl -a|grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

$ ip link show eth0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff

$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.0.0/24       anywhere
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  anywhere             anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

# sudo dmesg
...[[REMOVED MANUALLY]]
[23533.310703] netlink: 'sing-box': attribute type 22 has an invalid length.

NOTE: "MASQUERADE all -- anywhere anywhere" and "MASQUERADE all -- 192.168.0.0/24 anywhere" were added manually by me.

Is there anything more I should do to let sing-box act as a gateway?

Is there anything I should do about the dmesg log below:

[23533.310703] netlink: 'sing-box': attribute type 22 has an invalid length.

Reproduction

After restarting sing-box, the same host is still okay and the client OS still fails to connect to the internet via curl.

Logs

No response

Integrity requirements
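As an added illustration (not code from the reporter or from the sing-box project), a small Python audit of the prerequisites a tun-mode gateway setup like the one above depends on: a tun inbound with auto_route, net.ipv4.ip_forward set to 1, and no unauthenticated mixed/socks/http inbound bound to all interfaces, which would leave an open proxy reachable from the LAN. The inbounds excerpt and the sysctl text are constructed samples trimmed from this issue.

```python
"""Audit a sing-box config plus `sysctl` output for gateway-mode readiness.

Constructed example: the config excerpt and sysctl lines below are trimmed
from the issue report; they are not the project's own test data.
"""
import json

SAMPLE_CONFIG = json.loads("""
{
  "inbounds": [
    {"type": "tun", "tag": "tun-in", "inet4_address": "172.16.0.1/30",
     "auto_route": true, "strict_route": false, "stack": "mixed"},
    {"type": "mixed", "listen": "0.0.0.0", "listen_port": 7890},
    {"type": "direct", "network": "udp", "listen": "0.0.0.0",
     "listen_port": 53, "sniff": true}
  ]
}
""")

# Constructed sample of `sysctl -a | grep ip_forward` as shown in the issue.
SAMPLE_SYSCTL = """net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
"""


def parse_sysctl(text):
    """Turn `key = value` lines into a dict; ignores lines without '='."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def audit(cfg, sysctl):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    inbounds = cfg.get("inbounds", [])
    tuns = [i for i in inbounds if i.get("type") == "tun"]
    if not tuns:
        findings.append("no tun inbound: forwarded LAN traffic is never captured")
    for t in tuns:
        if not t.get("auto_route"):
            findings.append(f"tun {t.get('tag')}: auto_route is off, policy routes must be added by hand")
    if sysctl.get("net.ipv4.ip_forward") != "1":
        findings.append("net.ipv4.ip_forward != 1: kernel will not forward packets from other hosts")
    for i in inbounds:
        if i.get("type") in ("mixed", "socks", "http") and i.get("listen") in ("0.0.0.0", "::") \
                and not i.get("users"):
            findings.append(f"{i['type']} inbound on {i['listen']}:{i['listen_port']} has no users: open proxy on the LAN")
    return findings
```

Running `audit(SAMPLE_CONFIG, parse_sysctl(SAMPLE_SYSCTL))` on the excerpt above flags only the unauthenticated mixed inbound on 0.0.0.0:7890.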

dyhkwong commented 7 months ago

This is an issue tracker rather than a customer support service. There are many tutorials on the Internet.