Dst-Port 规则哪儿冒出来的？

[MaurUppi]

用的是ConnerHua规则集 无意中在Yacd面板链接中发现Dst-Port规则，将443, 80, 22 都放去Others，而Others 默认又是Proxy规则。 这就很不合理了，翻遍所有设置地方都没看到哪儿加了这幺蛾子规则。 在“配置文件编辑” 功能中 - “OpenClash修改后用于启动的配置文件”的确看到“rules:” 里边有这三条规则，但是无法编辑。 因此，无奈之下只好手动去/etc/openchash/config.yaml 然后再次启动Clash就好了。。

所以，有人知道哪儿冒出来的吗？

`

`OpenClash 调试日志

生成时间: 2021-12-02 16:19:29
插件版本: v0.44.02-beta
隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息

===================== 系统信息 =====================

主机型号: VMware, Inc. VMware Virtual Platform 固件版本: OpenWrt 21.02.1 11.26.2021 LuCI版本: 内核版本: 5.4.154 处理器架构: x86_64

此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP

IPV6-DHCP:

此项结果应仅有配置文件的DNS监听地址

Dnsmasq转发设置: 127.0.0.1#7874

===================== 依赖检查 =====================

dnsmasq-full: 已安装 coreutils: 已安装 coreutils-nohup: 已安装 bash: 已安装 curl: 已安装 ca-certificates: 未安装 ipset: 已安装 ip-full: 已安装 iptables-mod-tproxy: 已安装 kmod-ipt-tproxy: 已安装 iptables-mod-extra: 已安装 kmod-ipt-extra: 已安装 libcap: 已安装 libcap-bin: 已安装 ruby: 已安装 ruby-yaml: 已安装 ruby-psych: 已安装 ruby-pstore: 已安装 ruby-dbm: 已安装 kmod-tun(TUN模式): 已安装 luci-compat(Luci-19.07): 已安装

===================== 内核检查 =====================

运行状态: 运行中 进程pid: 18205 2159 运行权限: 18205: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_resource=eip 2159: =ep 运行用户: nobody 已选择的架构: linux-amd64

下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限

Tun内核版本: 2021.11.08 Tun内核文件: 存在 Tun内核运行权限: 正常

Dev内核版本: v1.8.0-7-g075d8ed Dev内核文件: 存在 Dev内核运行权限: 正常

===================== 插件设置 =====================

当前配置文件: /etc/openclash/config/config.yaml 启动配置文件: /etc/openclash/config.yaml 运行模式: fake-ip-tun 默认代理模式: rule UDP流量转发(tproxy): 停用 DNS劫持: 启用 自定义DNS: 启用 IPV6代理: 停用 IPV6-DNS解析: 停用 禁用Dnsmasq缓存: 停用 自定义规则: 启用 仅允许内网: 启用 仅代理命中规则流量: 启用 仅允许常用端口流量: 停用 绕过中国大陆IP: 停用

启动异常时建议关闭此项后重试

混合节点: 停用 保留配置: 停用

启动异常时建议关闭此项后重试

第三方规则: 启用

===================== 自定义规则 一 =====================

script:

shortcuts:

quic: network == 'udp' and dst_port == 443 and (geoip(resolve_ip(host)) != 'CN' or geoip(dst_ip) != 'CN')

time-limit: in_cidr(src_ip,'192.168.1.2/32') and time.now().hour < 20 or time.now().hour > 21

time-limit: src_ip == '192.168.1.2' and time.now().hour < 20 or time.now().hour > 21

rules:

- SCRIPT,quic,REJECT #shortcuts rule

- SCRIPT,time-limit,REJECT #shortcuts rule

- DOMAIN-SUFFIX,google.com,Proxy #匹配域名后缀(交由Proxy代理服务器组)

- DOMAIN-KEYWORD,google,Proxy #匹配域名关键字(交由Proxy代理服务器组)

- DOMAIN,google.com,Proxy #匹配域名(交由Proxy代理服务器组)

- DOMAIN-SUFFIX,ad.com,REJECT #匹配域名后缀(拒绝)

- IP-CIDR,127.0.0.0/8,DIRECT #匹配数据目标IP(直连)

- SRC-IP-CIDR,192.168.1.201/32,DIRECT #匹配数据发起IP(直连)

- DST-PORT,80,DIRECT #匹配数据目标端口(直连)

- SRC-PORT,7777,DIRECT #匹配数据源端口(直连)

排序在上的规则优先生效,如添加（去除规则前的#号）：

IP段：192.168.1.2-192.168.1.200 直连

- SRC-IP-CIDR,192.168.1.2/31,DIRECT

- SRC-IP-CIDR,192.168.1.4/30,DIRECT

- SRC-IP-CIDR,192.168.1.8/29,DIRECT

- SRC-IP-CIDR,192.168.1.16/28,DIRECT

- SRC-IP-CIDR,192.168.1.32/27,DIRECT

- SRC-IP-CIDR,192.168.1.64/26,DIRECT

- SRC-IP-CIDR,192.168.1.128/26,DIRECT

- SRC-IP-CIDR,192.168.1.192/29,DIRECT

- SRC-IP-CIDR,192.168.1.200/32,DIRECT

IP段：192.168.1.202-192.168.1.255 直连

- SRC-IP-CIDR,192.168.1.202/31,DIRECT

- SRC-IP-CIDR,192.168.1.204/30,DIRECT

- SRC-IP-CIDR,192.168.1.208/28,DIRECT

- SRC-IP-CIDR,192.168.1.224/27,DIRECT

此时IP为192.168.1.1和192.168.1.201的客户端流量走代理（策略），其余客户端不走代理

因为Fake-IP模式下，IP地址为192.168.1.1的路由器自身流量可走代理（策略），所以需要排除

仅设置路由器自身直连：

- SRC-IP-CIDR,192.168.1.1/32,DIRECT

- SRC-IP-CIDR,198.18.0.1/32,DIRECT

DDNS

- DOMAIN-SUFFIX,checkip.dyndns.org,DIRECT

- DOMAIN-SUFFIX,checkipv6.dyndns.org,DIRECT

- DOMAIN-SUFFIX,checkip.synology.com,DIRECT

- DOMAIN-SUFFIX,ifconfig.co,DIRECT

- DOMAIN-SUFFIX,api.myip.com,DIRECT

- DOMAIN-SUFFIX,ip-api.com,DIRECT

- DOMAIN-SUFFIX,ipapi.co,DIRECT

- DOMAIN-SUFFIX,ip6.seeip.org,DIRECT

- DOMAIN-SUFFIX,members.3322.org,DIRECT

在线IP段转CIDR地址：http://ip2cidr.com

===================== 自定义规则 二 =====================

script:

shortcuts:

common_port: dst_port not in [21, 22, 23, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 998, 2052, 2053, 2082, 2083, 2086, 2095, 2096, 5222, 5228, 5229, 5230, 8080, 8443, 8880, 8888, 8889]

rules:

- SCRIPT,common_port,DIRECT #shortcuts rule

- DOMAIN-SUFFIX,google.com,Proxy #匹配域名后缀(交由Proxy代理服务器组)

- DOMAIN-KEYWORD,google,Proxy #匹配域名关键字(交由Proxy代理服务器组)

- DOMAIN,google.com,Proxy #匹配域名(交由Proxy代理服务器组)

- DOMAIN-SUFFIX,ad.com,REJECT #匹配域名后缀(拒绝)

- IP-CIDR,127.0.0.0/8,DIRECT #匹配数据目标IP(直连)

- SRC-IP-CIDR,192.168.1.201/32,DIRECT #匹配数据发起IP(直连)

- DST-PORT,80,DIRECT #匹配数据目标端口(直连)

- SRC-PORT,7777,DIRECT #匹配数据源端口(直连)

===================== 配置文件 =====================

proxy-groups:

• name: Auto - UrlTest type: url-test use:
  • boslife
  • BoomCloud url: https://cp.cloudflare.com/generate_204 interval: '600' tolerance: 100
• name: Proxy type: select proxies:
  • Auto - UrlTest
  • DIRECT use:
  • boslife
  • BoomCloud
• name: Domestic type: select proxies:
  • DIRECT
  • Proxy
• name: Others type: select proxies:
  • Proxy
  • DIRECT
  • Domestic
• name: AsianTV type: select proxies:
  • DIRECT
  • Proxy use:
  • boslife
  • BoomCloud
• name: GlobalTV type: select proxies:
  • Proxy
  • DIRECT use:
  • boslife
  • BoomCloud rules:
• RULE-SET,国内IP白名单,DIRECT
• RULE-SET,国内域名白名单,DIRECT
• RULE-SET,微软服务,DIRECT
• RULE-SET,TIDAL,DIRECT
• RULE-SET,反劫持规则,REJECT
• RULE-SET,广告规则(By lhie1),REJECT
• IP-CIDR,198.18.0.1/16,REJECT,no-resolve
• DOMAIN-SUFFIX,awesome-hd.me,DIRECT
• DOMAIN-SUFFIX,broadcasthe.net,DIRECT
• DOMAIN-SUFFIX,chdbits.co,DIRECT
• DOMAIN-SUFFIX,classix-unlimited.co.uk,DIRECT
• DOMAIN-SUFFIX,empornium.me,DIRECT
• DOMAIN-SUFFIX,gazellegames.net,DIRECT
• DOMAIN-SUFFIX,hdchina.org,DIRECT
• DOMAIN-SUFFIX,hdsky.me,DIRECT
• DOMAIN-SUFFIX,icetorrent.org,DIRECT
• DOMAIN-SUFFIX,jpopsuki.eu,DIRECT
• DOMAIN-SUFFIX,icetorrent.org,DIRECT
• DOMAIN-SUFFIX,keepfrds.com,DIRECT
• DOMAIN-SUFFIX,madsrevolution.net,DIRECT
• DOMAIN-SUFFIX,m-team.cc,DIRECT
• DOMAIN-SUFFIX,nanyangpt.com,DIRECT
• DOMAIN-SUFFIX,ncore.cc,DIRECT
• DOMAIN-SUFFIX,open.cd,DIRECT
• DOMAIN-SUFFIX,ourbits.club,DIRECT
• DOMAIN-SUFFIX,passthepopcorn.me,DIRECT
• DOMAIN-SUFFIX,privatehd.to,DIRECT
• DOMAIN-SUFFIX,redacted.ch,DIRECT
• DOMAIN-SUFFIX,springsunday.net,DIRECT
• DOMAIN-SUFFIX,tjupt.org,DIRECT
• DOMAIN-SUFFIX,totheglory.im,DIRECT
• DOMAIN-KEYWORD,announce,DIRECT
• DOMAIN-KEYWORD,torrent,DIRECT
• RULE-SET,Unbreak,DIRECT
• RULE-SET,Streaming,GlobalTV
• RULE-SET,StreamingSE,AsianTV
• RULE-SET,Global,Proxy
• RULE-SET,China,Domestic
• IP-CIDR,192.168.0.0/16,DIRECT
• IP-CIDR,10.0.0.0/8,DIRECT
• IP-CIDR,172.16.0.0/12,DIRECT
• IP-CIDR,127.0.0.0/8,DIRECT
• IP-CIDR,100.64.0.0/10,DIRECT
• IP-CIDR,224.0.0.0/4,DIRECT
• IP-CIDR,fe80::/10,DIRECT
• RULE-SET,ChinaIP,Domestic
• IP-CIDR,119.28.28.28/32,DIRECT
• IP-CIDR,182.254.116.0/24,DIRECT
• DOMAIN-KEYWORD,intel,DIRECT
• DOMAIN-KEYWORD,teams,DIRECT
• DOMAIN-KEYWORD,huafa,DIRECT
• DOMAIN-KEYWORD,torrentleech,DIRECT
• DOMAIN-KEYWORD,rarbg,DIRECT
• RULE-SET,国外常用网站合集,Proxy
• RULE-SET,国外流媒体合集,Proxy
• RULE-SET,国内流媒体国际版合集,AsianTV
• MATCH,DIRECT dns: nameserver:
  • 119.29.29.29
  • 192.168.1.253
  • 114.114.114.114
  • https://doh.pub/dns-query
  • https://dns.alidns.com/dns-query fallback:
  • https://dns.cloudflare.com/dns-query
  • https://public.dns.iij.jp/dns-query
  • https://jp.tiar.app/dns-query
  • https://jp.tiarap.org/dns-query
  • tls://dot.tiar.app enable: true ipv6: false enhanced-mode: fake-ip fake-ip-range: 198.18.0.1/16 listen: 127.0.0.1:7874 fake-ip-filter:
  • "*.lan"
  • "*.localdomain"
  • "*.example"
  • "*.invalid"
  • "*.localhost"
  • "*.test"
  • "*.local"
  • "*.home.arpa"
  • time.*.com
  • time.*.gov
  • time.*.edu.cn
  • time.*.apple.com
  • time1.*.com
  • time2.*.com
  • time3.*.com
  • time4.*.com
  • time5.*.com
  • time6.*.com
  • time7.*.com
  • ntp.*.com
  • ntp1.*.com
  • ntp2.*.com
  • ntp3.*.com
  • ntp4.*.com
  • ntp5.*.com
  • ntp6.*.com
  • ntp7.*.com
  • "*.time.edu.cn"
  • "*.ntp.org.cn"
  • "+.pool.ntp.org"
  • time1.cloud.tencent.com
  • music.163.com
  • "*.music.163.com"
  • "*.126.net"
  • musicapi.taihe.com
  • music.taihe.com
  • songsearch.kugou.com
  • trackercdn.kugou.com
  • "*.kuwo.cn"
  • api-jooxtt.sanook.com
  • api.joox.com
  • joox.com
  • y.qq.com
  • "*.y.qq.com"
  • streamoc.music.tc.qq.com
  • mobileoc.music.tc.qq.com
  • isure.stream.qqmusic.qq.com
  • dl.stream.qqmusic.qq.com
  • aqqmusic.tc.qq.com
  • amobile.music.tc.qq.com
  • "*.xiami.com"
  • "*.music.migu.cn"
  • music.migu.cn
  • "*.msftconnecttest.com"
  • "*.msftncsi.com"
  • msftconnecttest.com
  • msftncsi.com
  • localhost.ptlogin2.qq.com
  • localhost.sec.qq.com
  • "+.srv.nintendo.net"
  • "+.stun.playstation.net"
  • xbox.*.microsoft.com
  • xnotify.xboxlive.com
  • "+.battlenet.com.cn"
  • "+.wotgame.cn"
  • "+.wggames.cn"
  • "+.wowsgame.cn"
  • "+.wargaming.net"
  • proxy.golang.org
  • stun..
  • stun...*
  • "+.stun.."
  • "+.stun...*"
  • "+.stun...."
  • heartbeat.belkin.com
  • "*.linksys.com"
  • "*.linksyssmartwifi.com"
  • "*.router.asus.com"
  • mesu.apple.com
  • swscan.apple.com
  • swquery.apple.com
  • swdownload.apple.com
  • swcdn.apple.com
  • swdist.apple.com
  • lens.l.google.com
  • stun.l.google.com
  • "+.nflxvideo.net"
  • "*.square-enix.com"
  • "*.finalfantasyxiv.com"
  • "*.ffxiv.com"
  • "*.mcdn.bilivideo.cn" default-nameserver:
  • 119.29.29.29
  • 192.168.1.253
  • 114.114.114.114 fallback-filter: geoip: true geoip-code: CN ipcidr:
  • 0.0.0.0/8
  • 10.0.0.0/8
  • 100.64.0.0/10
  • 127.0.0.0/8
  • 169.254.0.0/16
  • 172.16.0.0/12
  • 192.0.0.0/24
  • 192.0.2.0/24
  • 192.88.99.0/24
  • 192.168.0.0/16
  • 198.18.0.0/15
  • 198.51.100.0/24
  • 203.0.113.0/24
  • 224.0.0.0/4
  • 240.0.0.0/4
  • 255.255.255.255/32 domain:
  • "+.google.com"
  • "+.facebook.com"
  • "+.youtube.com"
  • "+.githubusercontent.com"
  • "+.googlevideo.com" redir-port: 7892 tproxy-port: 7895 port: 7890 socks-port: 7891 mixed-port: 7893 mode: rule log-level: error allow-lan: true external-controller: 192.168.1.250:9090 bind-address: 192.168.1.250 external-ui: "/usr/share/openclash/dashboard" ipv6: false tun: enable: true stack: system dns-hijack:
  • tcp://8.8.8.8:53
  • tcp://8.8.4.4:53 profile: store-selected: true store-fake-ip: true rule-providers: Unbreak: type: http behavior: classical path: "./rule_provider/Unbreak.yaml" url: https://raw.githubusercontent.com/DivineEngine/Profiles/master/Clash/RuleSet/Unbreak.yaml interval: 86400 Streaming: type: http behavior: classical path: "./rule_provider/Streaming.yaml" url: https://raw.githubusercontent.com/DivineEngine/Profiles/master/Clash/RuleSet/StreamingMedia/Streaming.yaml interval: 86400 StreamingSE: type: http behavior: classical path: "./rule_provider/StreamingSE.yaml" url: https://raw.githubusercontent.com/DivineEngine/Profiles/master/Clash/RuleSet/StreamingMedia/StreamingSE.yaml interval: 86400 Global: type: http behavior: classical path: "./rule_provider/Global.yaml" url: https://raw.githubusercontent.com/DivineEngine/Profiles/master/Clash/RuleSet/Global.yaml interval: 86400 China: type: http behavior: classical path: "./rule_provider/China.yaml" url: https://raw.githubusercontent.com/DivineEngine/Profiles/master/Clash/RuleSet/China.yaml interval: 86400 ChinaIP: type: http behavior: ipcidr path: "./rule_provider/ChinaIP.yaml" url: https://raw.githubusercontent.com/DivineEngine/Profiles/master/Clash/RuleSet/Extra/ChinaIP.yaml interval: 86400 广告规则(By lhie1): type: http behavior: classical path: "/etc/openclash/rule_provider/Reject.yaml" url: https://cdn.jsdelivr.net/gh/lhie1/Rules@master/Clash/Provider/Reject.yaml interval: 86400 反劫持规则: type: http behavior: classical path: "/etc/openclash/rule_provider/Hijacking.yaml" url: https://cdn.jsdelivr.net/gh/DivineEngine/Profiles@master/Clash/RuleSet/Guard/Hijacking.yaml interval: 86400 TIDAL: type: http behavior: classical path: "/etc/openclash/rule_provider/TIDAL.yaml" url: https://cdn.jsdelivr.net/gh/DivineEngine/Profiles@master/Clash/RuleSet/StreamingMedia/Music/TIDAL.yaml interval: 86400 微软服务: type: http behavior: classical path: "/etc/openclash/rule_provider/Microsoft.yaml" url: https://cdn.jsdelivr.net/gh/lhie1/Rules@master/Clash/Provider/Microsoft.yaml interval: 86400 国内域名白名单: type: http behavior: classical path: "/etc/openclash/rule_provider/China.yaml" url: https://cdn.jsdelivr.net/gh/DivineEngine/Profiles@master/Clash/RuleSet/China.yaml interval: 86400 国内IP白名单: type: http behavior: ipcidr path: "/etc/openclash/rule_provider/ChinaIP.yaml" url: https://cdn.jsdelivr.net/gh/DivineEngine/Profiles@master/Clash/RuleSet/Extra/ChinaIP.yaml interval: 86400 国外常用网站合集: type: http behavior: classical path: "/etc/openclash/rule_provider/Global.yaml" url: https://cdn.jsdelivr.net/gh/DivineEngine/Profiles@master/Clash/RuleSet/Global.yaml interval: 86400 国外流媒体合集: type: http behavior: classical path: "/etc/openclash/rule_provider/Streaming.yaml" url: https://cdn.jsdelivr.net/gh/DivineEngine/Profiles@master/Clash/RuleSet/StreamingMedia/Streaming.yaml interval: 86400 国内流媒体国际版合集: type: http behavior: classical path: "/etc/openclash/rule_provider/StreamingSE.yaml" url: https://cdn.jsdelivr.net/gh/DivineEngine/Profiles@master/Clash/RuleSet/StreamingMedia/StreamingSE.yaml interval: 86400

===================== 防火墙设置 =====================

IPv4 NAT chain

Generated by iptables-save v1.8.7 on Thu Dec 2 16:19:30 2021

*nat :PREROUTING ACCEPT [14922:1149535] :INPUT ACCEPT [8982:808166] :OUTPUT ACCEPT [11741:738803] :POSTROUTING ACCEPT [18697:1153909] :openclash_post - [0:0] :postrouting_lan_rule - [0:0] :postrouting_rule - [0:0] :postrouting_wan_rule - [0:0] :prerouting_lan_rule - [0:0] :prerouting_rule - [0:0] :prerouting_wan_rule - [0:0] :zone_lan_postrouting - [0:0] :zone_lan_prerouting - [0:0] :zone_wan_postrouting - [0:0] :zone_wan_prerouting - [0:0] -A PREROUTING -p tcp -m comment --comment "OpenClash TCP DNS Hijack" -m tcp --dport 53 -j ACCEPT -A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "DNS Hijack" -j REDIRECT --to-ports 53 -A PREROUTING -p udp -m udp --dport 53 -m comment --comment "DNS Hijack" -j REDIRECT --to-ports 53 -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting -A PREROUTING -p udp -m comment --comment DNSMASQ -m udp --dport 53 -j REDIRECT --to-ports 53 -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting -A POSTROUTING -j openclash_post -A openclash_post -d 127.0.0.1/32 -i lo -m owner ! --uid-owner 65534 -j SNAT --to-source 192.168.1.250 -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule COMMIT

Completed on Thu Dec 2 16:19:30 2021

IPv4 Mangle chain

Generated by iptables-save v1.8.7 on Thu Dec 2 16:19:30 2021

*mangle :PREROUTING ACCEPT [219433:158691435] :INPUT ACCEPT [174779:153913434] :FORWARD ACCEPT [44654:4778001] :OUTPUT ACCEPT [165664:169153419] :POSTROUTING ACCEPT [210257:173928119] :openclash - [0:0] :openclash_dns_hijack - [0:0] :openclash_output - [0:0] -A PREROUTING -j openclash -A OUTPUT -j openclash_output -A openclash -p udp -m udp --sport 500 -j RETURN -A openclash -p udp -m udp --sport 68 -j RETURN -A openclash -m set --match-set localnetwork dst -j RETURN -A openclash -j MARK --set-xmark 0x162/0xffffffff -A openclash_output -p udp -m udp --sport 500 -j RETURN -A openclash_output -p udp -m udp --sport 68 -j RETURN -A openclash_output -m set --match-set localnetwork dst -j RETURN -A openclash_output -d 198.18.0.0/16 -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff -A openclash_output -p tcp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff COMMIT

Completed on Thu Dec 2 16:19:30 2021

IPv6 NAT chain

Generated by ip6tables-save v1.8.7 on Thu Dec 2 16:19:30 2021

*nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [6:519] :POSTROUTING ACCEPT [6:519] -A PREROUTING -p udp -m comment --comment DNSMASQ -m udp --dport 53 -j REDIRECT --to-ports 53 COMMIT

Completed on Thu Dec 2 16:19:30 2021

IPv6 Mangle chain

Generated by ip6tables-save v1.8.7 on Thu Dec 2 16:19:30 2021

*mangle :PREROUTING ACCEPT [559:60209] :INPUT ACCEPT [559:60209] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [634:65909] :POSTROUTING ACCEPT [634:65909] COMMIT

Completed on Thu Dec 2 16:19:30 2021

===================== IPSET状态 =====================

Name: china_ip_route Name: localnetwork

===================== 路由表状态 =====================

route -n

Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.1.253 0.0.0.0 UG 0 0 0 eth0 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 198.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 utun

ip route list

default via 192.168.1.253 dev eth0 proto static 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.250 198.18.0.0/16 dev utun proto kernel scope link src 198.18.0.1

ip rule show

0: from all lookup local 32765: from all fwmark 0x162 lookup 354 32766: from all lookup main 32767: from all lookup default

===================== Tun设备状态 =====================

utun: tun

===================== 端口占用状态 =====================

tcp 0 0 192.168.1.250:7891 0.0.0.0: LISTEN 18205/clash tcp 0 0 192.168.1.250:7892 0.0.0.0: LISTEN 18205/clash tcp 0 0 192.168.1.250:7893 0.0.0.0: LISTEN 18205/clash tcp 0 0 192.168.1.250:7895 0.0.0.0: LISTEN 18205/clash tcp 0 0 198.18.0.1:7777 0.0.0.0: LISTEN 18205/clash tcp 0 0 192.168.1.250:9090 0.0.0.0: LISTEN 18205/clash tcp 0 0 192.168.1.250:7890 0.0.0.0: LISTEN 18205/clash udp 0 0 198.18.0.1:7777 0.0.0.0: 18205/clash udp 0 0 127.0.0.1:7874 0.0.0.0: 18205/clash udp 0 0 192.168.1.250:7891 0.0.0.0: 18205/clash udp 0 0 192.168.1.250:7892 0.0.0.0: 18205/clash udp 0 0 192.168.1.250:7893 0.0.0.0: 18205/clash udp 0 0 192.168.1.250:7895 0.0.0.0: 18205/clash udp 0 0 :::36268 ::: 18205/clash udp 0 0 :::49103 ::: 18205/clash udp 0 0 :::35400 ::: 18205/clash udp 0 0 :::46241 ::: 18205/clash udp 0 0 :::57050 ::: 18205/clash udp 0 0 :::52981 ::: 18205/clash udp 0 0 :::49449 ::: 18205/clash udp 0 0 :::52527 :::* 18205/clash

===================== 测试本机DNS查询 =====================

Server: 127.0.0.1 Address: 127.0.0.1#53

Name: www.baidu.com Address 1: 198.18.1.108 *** Can't find www.baidu.com: No answer

===================== resolv.conf.auto =====================

Interface lan

nameserver 192.168.1.253 nameserver 119.29.29.29

===================== resolv.conf.d =====================

Interface lan

nameserver 192.168.1.253 nameserver 119.29.29.29

===================== 测试本机网络连接 =====================

HTTP/1.1 200 OK Accept-Ranges: bytes Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Connection: keep-alive Content-Length: 277 Content-Type: text/html Date: Thu, 02 Dec 2021 08:19:31 GMT Etag: "575e1f72-115" Last-Modified: Mon, 13 Jun 2016 02:50:26 GMT Pragma: no-cache Server: bfe/1.0.8.18

===================== 测试本机网络下载 =====================

===================== 最近运行日志 =====================

time="2021-12-02T15:59:36+08:00" level=info msg="Start initial rule provider 广告规则(By lhie1)" time="2021-12-02T15:59:36+08:00" level=info msg="Start initial rule provider TIDAL" time="2021-12-02T15:59:36+08:00" level=info msg="Start initial rule provider 国内IP白名单" time="2021-12-02T15:59:36+08:00" level=info msg="Start initial rule provider 反劫持规则" time="2021-12-02T15:59:36+08:00" level=info msg="Start initial rule provider 国内流媒体国际版合集" time="2021-12-02T15:59:36+08:00" level=info msg="Start initial rule provider China" time="2021-12-02T15:59:36+08:00" level=info msg="Start initial rule provider Global" time="2021-12-02T15:59:36+08:00" level=info msg="Start initial rule provider StreamingSE" time="2021-12-02T15:59:36+08:00" level=info msg="Start initial rule provider 国内域名白名单" time="2021-12-02T15:59:36+08:00" level=info msg="Start initial rule provider ChinaIP" time="2021-12-02T15:59:36+08:00" level=info msg="Start initial rule provider 国外流媒体合集" time="2021-12-02T15:59:36+08:00" level=info msg="DNS server listening at: 127.0.0.1:7874" 2021-12-02 15:59:39 Step 6: Wait For The File Downloading... 2021-12-02 15:59:39 Step 7: Set Control Panel... 2021-12-02 15:59:39 Step 8: Set Firewall Rules... 2021-12-02 15:59:41 Step 9: Restart Dnsmasq... 2021-12-02 15:59:41 Setting Secondary DNS Server List... 2021-12-02 15:59:41 Step 10: Add Cron Rules, Start Daemons... 2021-12-02 15:59:41 OpenClash Start Successful! 2021-12-02 15:59:46 Reload OpenClash Firewall Rules... Accept [/] Access-Control-Request-Headers [authorization,content-type] Origin [http://192.168.1.250] User-Agent [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34] Accept-Encoding [gzip, deflate] Accept-Language [zh,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7,ja;q=0.6,zh-TW;q=0.5] Connection [keep-alive] Access-Control-Request-Method [GET] Sec-Fetch-Mode [cors] Referer [http://192.168.1.250/] Referer [http://192.168.1.250/] Accept-Encoding [gzip, deflate] Origin [http://192.168.1.250] Sec-Fetch-Mode [cors] Accept [/] Access-Control-Request-Method [GET] Access-Control-Request-Headers [authorization,content-type] User-Agent [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34] Accept-Language [zh,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7,ja;q=0.6,zh-TW;q=0.5] Connection [keep-alive] Origin [http://192.168.1.250] User-Agent [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34] Accept-Encoding [gzip, deflate] Accept-Language [zh,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7,ja;q=0.6,zh-TW;q=0.5] Connection [keep-alive] Access-Control-Request-Headers [authorization,content-type] Sec-Fetch-Mode [cors] Referer [http://192.168.1.250/] Accept [/] Access-Control-Request-Method [GET]

`

[paladin4fan]

这难道不是你订阅的规则里带的吗 很多规则里 都会把没匹配到任何IP和域名规则的80 443 22的链接放进clash内核 正常情况不是在面板里把这个策略设置成直连吗

[MaurUppi]

你说的是这最后的一条？

测试了一下，貌似还真是。。。

[MaurUppi]

今天又试了下lhie1的规则，也有如下三个 - DST-PORT。 难道是openclash自带的嘛？ 我的理解与诉求是匹配完所有规则之后， 就是- MATCH,DIRECT， 这MATCH之前的 DST-PORT是怎么考虑的呢？

@vernesong

- DST-PORT,80,Proxy
- DST-PORT,443,Proxy
- DST-PORT,22,Proxy
- MATCH,DIRECT

[vernesong]

[MaurUppi]

是的，发现 不勾选 这个选项，就 不激活 如下三个。 但是，对于如下三条规则，我的立即是“兜底”规则，是有些疑问的。

1. 在“第三方规则集与策略组管理（仅TUN内核）” 设定的“规则集匹配顺序”， 为“扩展（补充）” 且假定 “策略组 = DIRECT ”的时候，这三条就会在 “扩展（补充）”规则前面，那么造成希望直连反而是代理了。
2. ”仅代理命中规则流量“ ，这个字面上的理解，我的理解，应该是 ”加载的各个规则“ 之外的，都是 DIRECT。 如果是， 那么 ”DST-PORT, xx, Proxy“的不就是有点 全局代理 的意思嘛？

- DST-PORT,80,Proxy
- DST-PORT,443,Proxy
- DST-PORT,22,Proxy
- MATCH, DIRECT

[vernesong]

是的，发现 不勾选 这个选项，就 不激活 如下三个。 但是，对于如下三条规则，我的立即是“兜底”规则，是有些疑问的。

1. 在“第三方规则集与策略组管理（仅TUN内核）” 设定的“规则集匹配顺序”， 为“扩展（补充）” 且假定 “策略组 = DIRECT ”的时候，这三条就会在 “扩展（补充）”规则前面，那么造成希望直连反而是代理了。
2. ”仅代理命中规则流量“ ，这个字面上的理解，我的理解，应该是 ”加载的各个规则“ 之外的，都是 DIRECT。 如果是， 那么 ”DST-PORT, xx, Proxy“的不就是有点 全局代理 的意思嘛？

- DST-PORT,80,Proxy
- DST-PORT,443,Proxy
- DST-PORT,22,Proxy
- MATCH, DIRECT

你没有geoip的规则，逻辑是这三个放到match前一个，ruleset放到geoip前，在geoip,cn,direct存在的情况下80，443根据match的代理组设置（一般是代理）能尽量保证国外网络的连通性且防止BT、P2P下载

[ilhaformosa]

是的，发现 不勾选 这个选项，就 不激活 如下三个。 但是，对于如下三条规则，我的立即是“兜底”规则，是有些疑问的。

1. 在“第三方规则集与策略组管理（仅TUN内核）” 设定的“规则集匹配顺序”， 为“扩展（补充）” 且假定 “策略组 = DIRECT ”的时候，这三条就会在 “扩展（补充）”规则前面，那么造成希望直连反而是代理了。
2. ”仅代理命中规则流量“ ，这个字面上的理解，我的理解，应该是 ”加载的各个规则“ 之外的，都是 DIRECT。 如果是， 那么 ”DST-PORT, xx, Proxy“的不就是有点 全局代理 的意思嘛？

- DST-PORT,80,Proxy
- DST-PORT,443,Proxy
- DST-PORT,22,Proxy
- MATCH, DIRECT

你没有geoip的规则，逻辑是这三个放到match前一个，ruleset放到geoip前，在geoip,cn,direct存在的情况下80，443根据match的代理组设置（一般是代理）能尽量保证国外网络的连通性且防止BT、P2P下载

正好遇到了同样的状况，看到已经有commit处理了。只是有一点建议。 选项本身没有任何问题，也不会引起误会，只是关于BT和P2P的小字注释有些容易造成困惑。

因为是机场托管的配置，最后的match本意类似于Final走proxy，也就是对国内分流用白名单，所有国内分流规则之外的都走proxy。选项下关于BT和P2P的小字注释可能会引起困惑，我勾选了“仅代理命中规则流量”并理解成：open clash有对应的BT、P2P分流规格（仔细想也会发现理解有问题）。出现代理分流错误后开始排查配置文件，搜到这个issue算是解惑了。

[yuxuan0107]

我也正在困惑这个问题，这下明白了

[science2468]

• DST-PORT,7895,REJECT
• DST-PORT,7892,REJECT 这2个规则不知道怎么取消，我试过删除原本的配置文件，让openclash生成config.yaml，编辑好启动后，openclash还是有这2个规则，有遇到相同的吗？

[image72]

我也看到了有DstPort(403) 这个规则， 仅代理命中流量已购选,一晚8小时 偷跑流量200多MB.