vernesong / OpenClash

A Clash Client For OpenWrt
MIT License

Why does OpenWrt use so much CPU just staying on OpenClash's running status page? [Bug] #2805

Closed skill7899 closed 1 year ago

skill7899 commented 1 year ago

Verify Steps

OpenClash Version

v0.45.70-beta

Bug on Environment

Official OpenWrt

Bug on Platform

Linux-amd64(x86-64)

To Reproduce

OpenWrt running in LXC. Clicking the OpenClash running status page causes excessively high CPU usage.

Describe the Bug

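Every time I click the running status page it is very laggy. I found that the CPU usage is really high and stays high. Could this be optimized?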

OpenClash Log

OpenClash 调试日志

生成时间: 2022-11-10 14:37:54 插件版本: v0.45.70-beta 隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息


#===================== 系统信息 =====================#

主机型号: ASRock Z390M Pro4
固件版本: OpenWrt 22.03.0-rc6 08.01.2022
LuCI版本: git-20.074.84698-ead5e81
内核版本: 5.15.64-1-pve
处理器架构: x86_64

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: hybrid

#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 未安装
unzip: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
kmod-ipt-nat: 已安装

#===================== 内核检查 =====================#

运行状态: 运行中
进程pid: 2377568
运行权限: 2377568: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2022.08.26-16-gb4d832d
Tun内核文件: 存在
Tun内核运行权限: 正常

Dev内核版本: v1.11.12-1-gde264c4
Dev内核文件: 存在
Dev内核运行权限: 正常

Meta内核版本: v1.13.2
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/config (1).yaml
启动配置文件: /etc/openclash/config (1).yaml
运行模式: fake-ip-tun
默认代理模式: rule
UDP流量转发(tproxy): 停用
DNS劫持: 启用
自定义DNS: 停用
IPV6代理: 停用
IPV6-DNS解析: 启用
禁用Dnsmasq缓存: 启用
自定义规则: 启用
仅允许内网: 启用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 启用
DNS远程解析: 停用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 自定义规则 一 =====================#
script:

rules:
 # Custom rules
  ## You can insert your own additional custom rules here (take care to keep the indentation)
  #  - SRC-IP-CIDR,192.168.60.102/32,REJECT
  # Apple
  - GEOSITE,category-ads-all,REJECT
  - GEOSITE,icloud@cn,DIRECT
  - GEOSITE,apple@cn,DIRECT
  - GEOSITE,apple-cn,DIRECT
  - GEOSITE,microsoft@cn,DIRECT
  - GEOSITE,facebook,PROXY
  - GEOSITE,youtube,PROXY
  - GEOSITE,geolocation-cn,DIRECT
  - GEOSITE,geolocation-!cn,PROXY
  - DOMAIN,api.ipify.org,DIRECT
  - DOMAIN,captive.apple.com,DIRECT
##- SCRIPT,quic,REJECT #shortcuts rule
##- SCRIPT,time-limit,REJECT #shortcuts rule

##- DOMAIN-SUFFIX,google.com,Proxy #Match domain suffix (send to the Proxy server group)
##- DOMAIN-KEYWORD,google,Proxy #Match domain keyword (send to the Proxy server group)
##- DOMAIN,google.com,Proxy #Match domain (send to the Proxy server group)
##- DOMAIN-SUFFIX,ad.com,REJECT #Match domain suffix (reject)
##- IP-CIDR,127.0.0.0/8,DIRECT #Match destination IP (direct)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT #Match source IP (direct)
##- DST-PORT,80,DIRECT #Match destination port (direct)
##- SRC-PORT,7777,DIRECT #Match source port (direct)

##Rules listed earlier take precedence. For example, add (remove the # in front of the rules):
##IP range: 192.168.1.2-192.168.1.200 direct
##- SRC-IP-CIDR,192.168.1.2/31,DIRECT
##- SRC-IP-CIDR,192.168.1.4/30,DIRECT
##- SRC-IP-CIDR,192.168.1.8/29,DIRECT
##- SRC-IP-CIDR,192.168.1.16/28,DIRECT
##- SRC-IP-CIDR,192.168.1.32/27,DIRECT
##- SRC-IP-CIDR,192.168.1.64/26,DIRECT
##- SRC-IP-CIDR,192.168.1.128/26,DIRECT
##- SRC-IP-CIDR,192.168.1.192/29,DIRECT
##- SRC-IP-CIDR,192.168.1.200/32,DIRECT

##IP range: 192.168.1.202-192.168.1.255 direct
##- SRC-IP-CIDR,192.168.1.202/31,DIRECT
##- SRC-IP-CIDR,192.168.1.204/30,DIRECT
##- SRC-IP-CIDR,192.168.1.208/28,DIRECT
##- SRC-IP-CIDR,192.168.1.224/27,DIRECT

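##In this case, traffic from the clients with IP 192.168.1.1 and 192.168.1.201 goes through the proxy (policy); all other clients bypass the proxy
##Because in Fake-IP mode the router's own traffic (IP address 192.168.1.1) can go through the proxy (policy), it needs to be excluded

##To set only the router itself to direct: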
##- SRC-IP-CIDR,192.168.1.1/32,DIRECT
##- SRC-IP-CIDR,198.18.0.1/32,DIRECT

##DDNS
##- DOMAIN-SUFFIX,checkip.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkipv6.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkip.synology.com,DIRECT
##- DOMAIN-SUFFIX,ifconfig.co,DIRECT
##- DOMAIN-SUFFIX,api.myip.com,DIRECT
##- DOMAIN-SUFFIX,ip-api.com,DIRECT
##- DOMAIN-SUFFIX,ipapi.co,DIRECT
##- DOMAIN-SUFFIX,ip6.seeip.org,DIRECT
##- DOMAIN-SUFFIX,members.3322.org,DIRECT

##Online IP range to CIDR converter: http://ip2cidr.com
#===================== 自定义规则 二 =====================#
script:
##  shortcuts:
##    common_port: dst_port not in [21, 22, 23, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 998, 2052, 2053, 2082, 2083, 2086, 2095, 2096, 5222, 5228, 5229, 5230, 8080, 8443, 8880, 8888, 8889]

rules:
##- SCRIPT,common_port,DIRECT #shortcuts rule

##- DOMAIN-SUFFIX,google.com,Proxy #Match domain suffix (send to the Proxy server group)
##- DOMAIN-KEYWORD,google,Proxy #Match domain keyword (send to the Proxy server group)
##- DOMAIN,google.com,Proxy #Match domain (send to the Proxy server group)
##- DOMAIN-SUFFIX,ad.com,REJECT #Match domain suffix (reject)
##- IP-CIDR,127.0.0.0/8,DIRECT #Match destination IP (direct)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT #Match source IP (direct)
##- DST-PORT,80,DIRECT #Match destination port (direct)
##- SRC-PORT,7777,DIRECT #Match source port (direct)

#===================== 配置文件 =====================#

mixed-port: 7893
tproxy-port: 7895
redir-port: 7892
external-controller: 0.0.0.0:9090
external-ui: "/usr/share/openclash/ui"
tun:
  enable: true
  stack: system
  device: utun
  auto-route: false
  auto-detect-interface: false
  dns-hijack:
  - tcp://any:53
fake-ip-range: 198.18.0.1/16
allow-lan: true
bind-address: "*"
mode: rule
log-level: silent
proxy-groups:
- name: PROXY
  type: select
  proxies:
  - hysteria
  - trojan-ws
  - trojan
dns:
  enable: true
  default-nameserver:
  - 114.114.114.114
  - 8.8.8.8
  nameserver:
  - https://doh.pub/dns-query
  - https://dns.alidns.com/dns-query
  fallback-filter:
    geoip: true
  enhanced-mode: fake-ip
  listen: 0.0.0.0:7874
  fake-ip-filter:
  - "*.lan"
  - "*.futurespeed.cn"
  - "*.linksys.com"
  - "*.linksyssmartwifi.com"
  - swscan.apple.com
  - mesu.apple.com
  - "*.msftconnecttest.com"
  - "*.msftncsi.com"
  ipv6: true
  fake-ip-range: 198.18.0.1/16
rule-providers:
  reject:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt
    path: "./rule_provider/reject.yaml"
    interval: 86400
  icloud:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt
    path: "./rule_provider/icloud.yaml"
    interval: 86400
  apple:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt
    path: "./rule_provider/apple.yaml"
    interval: 86400
  google:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt
    path: "./rule_provider/google.yaml"
    interval: 86400
  proxy:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt
    path: "./rule_provider/proxy.yaml"
    interval: 86400
  direct:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt
    path: "./rule_provider/direct.yaml"
    interval: 86400
  private:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt
    path: "./rule_provider/private.yaml"
    interval: 86400
  gfw:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt
    path: "./rule_provider/gfw.yaml"
    interval: 86400
  greatfire:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/greatfire.txt
    path: "./rule_provider/greatfire.yaml"
    interval: 86400
  tld-not-cn:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt
    path: "./rule_provider/tld-not-cn.yaml"
    interval: 86400
  telegramcidr:
    type: http
    behavior: ipcidr
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt
    path: "./rule_provider/telegramcidr.yaml"
    interval: 86400
  cncidr:
    type: http
    behavior: ipcidr
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt
    path: "./rule_provider/cncidr.yaml"
    interval: 86400
  lancidr:
    type: http
    behavior: ipcidr
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt
    path: "./rule_provider/lancidr.yaml"
    interval: 86400
  applications:
    type: http
    behavior: classical
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt
    path: "./rule_provider/applications.yaml"
    interval: 86400
rules:
- DST-PORT,7895,REJECT
- DST-PORT,7892,REJECT
- IP-CIDR,198.18.0.1/16,REJECT,no-resolve
- GEOSITE,category-ads-all,REJECT
- GEOSITE,icloud@cn,DIRECT
- GEOSITE,apple@cn,DIRECT
- GEOSITE,apple-cn,DIRECT
- GEOSITE,microsoft@cn,DIRECT
- GEOSITE,facebook,PROXY
- GEOSITE,youtube,PROXY
- GEOSITE,geolocation-cn,DIRECT
- GEOSITE,geolocation-!cn,PROXY
- DOMAIN,api.ipify.org,DIRECT
- DOMAIN,captive.apple.com,DIRECT
- RULE-SET,applications,DIRECT
- DOMAIN,clash.razord.top,DIRECT
- DOMAIN,yacd.haishan.me,DIRECT
- RULE-SET,private,DIRECT
- RULE-SET,reject,REJECT
- RULE-SET,icloud,DIRECT
- RULE-SET,apple,DIRECT
- RULE-SET,google,DIRECT
- RULE-SET,proxy,PROXY
- RULE-SET,direct,DIRECT
- RULE-SET,lancidr,DIRECT
- RULE-SET,cncidr,DIRECT
- RULE-SET,telegramcidr,PROXY
- GEOIP,LAN,DIRECT
- GEOIP,CN,DIRECT
- MATCH,PROXY
port: 7890
socks-port: 7891
ipv6: false
geodata-mode: false
geodata-loader: memconservative
tcp-concurrent: false
sniffer:
  enable: true
  sniffing:
  - tls
  - http
  ForceDnsMapping: false
  ParsePureIp: true
  skip-domain:
  - "+.courier.push.apple.com"
  - Mijia Cloud
  - "+.jd.com"
  - "+.apple.com"
profile:
  store-selected: true
  store-fake-ip: true
authentication:
- Clash:uxnbOE3X

#===================== IPTABLES 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Thu Nov 10 14:37:58 2022
*nat
:PREROUTING ACCEPT [450:42674]
:INPUT ACCEPT [175:14321]
:OUTPUT ACCEPT [107:6565]
:POSTROUTING ACCEPT [274:19537]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -p tcp -m comment --comment "OpenClash TCP DNS Hijack" -m tcp --dport 53 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -s 192.168.191.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.191.0/24 -j MASQUERADE
-A POSTROUTING -o ztuze33iip -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A MINIUPNPD -p tcp -m tcp --dport 36825 -j DNAT --to-destination 192.168.60.120:34356
-A MINIUPNPD -p udp -m udp --dport 36825 -j DNAT --to-destination 192.168.60.120:36825
-A MINIUPNPD -p tcp -m tcp --dport 35226 -j DNAT --to-destination 192.168.60.120:35226
-A MINIUPNPD -p tcp -m tcp --dport 52606 -j DNAT --to-destination 192.168.60.201:52606
-A MINIUPNPD -p udp -m udp --dport 52606 -j DNAT --to-destination 192.168.60.201:52606
-A MINIUPNPD -p tcp -m tcp --dport 25609 -j DNAT --to-destination 192.168.60.201:25609
-A MINIUPNPD -p udp -m udp --dport 25609 -j DNAT --to-destination 192.168.60.201:25609
-A MINIUPNPD -p tcp -m tcp --dport 43229 -j DNAT --to-destination 192.168.60.201:43229
-A MINIUPNPD -p udp -m udp --dport 43229 -j DNAT --to-destination 192.168.60.201:43229
-A MINIUPNPD -p tcp -m tcp --dport 41155 -j DNAT --to-destination 192.168.60.193:41155
-A MINIUPNPD -p udp -m udp --dport 41155 -j DNAT --to-destination 192.168.60.193:41155
-A MINIUPNPD -p udp -m udp --dport 6958 -j DNAT --to-destination 192.168.60.193:6958
-A MINIUPNPD -p tcp -m tcp --dport 6958 -j DNAT --to-destination 192.168.60.193:6958
-A MINIUPNPD -p tcp -m tcp --dport 13862 -j DNAT --to-destination 192.168.60.150:1080
-A MINIUPNPD -p udp -m udp --dport 13862 -j DNAT --to-destination 192.168.60.150:3027
-A MINIUPNPD -p tcp -m tcp --dport 43847 -j DNAT --to-destination 192.168.60.193:43847
-A MINIUPNPD -p udp -m udp --dport 43847 -j DNAT --to-destination 192.168.60.193:43847
-A MINIUPNPD -p udp -m udp --dport 6912 -j DNAT --to-destination 192.168.60.193:6912
-A MINIUPNPD -p tcp -m tcp --dport 6912 -j DNAT --to-destination 192.168.60.193:6912
-A MINIUPNPD -p udp -m udp --dport 8738 -j DNAT --to-destination 192.168.60.210:8738
-A MINIUPNPD -p udp -m udp --dport 33935 -j DNAT --to-destination 192.168.60.204:33935
-A MINIUPNPD -p udp -m udp --dport 34238 -j DNAT --to-destination 192.168.60.134:34238
-A MINIUPNPD -p udp -m udp --dport 41158 -j DNAT --to-destination 192.168.60.197:41158
-A MINIUPNPD -p tcp -m tcp --dport 6881 -j DNAT --to-destination 192.168.60.201:6881
-A MINIUPNPD -p udp -m udp --dport 6881 -j DNAT --to-destination 192.168.60.201:6881
-A MINIUPNPD -p udp -m udp --dport 40172 -j DNAT --to-destination 192.168.60.140:40172
-A MINIUPNPD -p udp -m udp --dport 49549 -j DNAT --to-destination 192.168.60.140:49549
-A MINIUPNPD -p udp -m udp --dport 49045 -j DNAT --to-destination 192.168.60.201:49045
-A MINIUPNPD-POSTROUTING -s 192.168.60.120/32 -p tcp -m tcp --sport 34356 -j MASQUERADE --to-ports 36825
-A MINIUPNPD-POSTROUTING -s 192.168.60.150/32 -p tcp -m tcp --sport 1080 -j MASQUERADE --to-ports 13862
-A MINIUPNPD-POSTROUTING -s 192.168.60.150/32 -p udp -m udp --sport 3027 -j MASQUERADE --to-ports 13862
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.100/32 -p tcp -m tcp --dport 8006 -m comment --comment "!fw3: pve (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.20/32 -p tcp -m tcp --dport 5001 -m comment --comment "!fw3: dsm (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.10/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: lede (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.20/32 -p tcp -m tcp --dport 6690 -m comment --comment "!fw3: dsm-drive (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.11/32 -p tcp -m tcp --dport 6800 -m comment --comment "!fw3: aria2 (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.11/32 -p tcp -m tcp --dport 9000 -m comment --comment "!fw3: docker (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.11/32 -p tcp -m tcp --dport 9117 -m comment --comment "!fw3: jackett (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.11/32 -p tcp -m tcp --dport 6888 -m comment --comment "!fw3: ar-bt (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.11/32 -p udp -m udp --dport 6888 -m comment --comment "!fw3: ar-bt (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.164/32 -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: jellyfin (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.11/32 -p tcp -m tcp --dport 6880 -m comment --comment "!fw3: ariaNg (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.11/32 -p tcp -m tcp --dport 3001 -m comment --comment "!fw3: rrshare (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.11/32 -p tcp -m tcp --dport 8989 -m comment --comment "!fw3: sonarr (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.11/32 -p tcp -m tcp --dport 9200 -m comment --comment "!fw3: qb-web (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.12/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: vnc (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.20/32 -p tcp -m tcp --dport 8283 -m comment --comment "!fw3: nas-ww (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.20/32 -p udp -m udp --dport 8283 -m comment --comment "!fw3: nas-ww (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.110/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.110/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: ipsec (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.11/32 -p tcp -m tcp --dport 6881 -m comment --comment "!fw3: qb (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_postrouting -s 192.168.60.0/24 -d 192.168.60.11/32 -p udp -m udp --dport 6881 -m comment --comment "!fw3: qb (reflection)" -j SNAT --to-source 192.168.60.10
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 6100 -m comment --comment "!fw3: pve (reflection)" -j DNAT --to-destination 192.168.60.100:8006
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 6500 -m comment --comment "!fw3: dsm (reflection)" -j DNAT --to-destination 192.168.60.20:5001
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 6688 -m comment --comment "!fw3: lede (reflection)" -j DNAT --to-destination 192.168.60.10:443
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 6690 -m comment --comment "!fw3: dsm-drive (reflection)" -j DNAT --to-destination 192.168.60.20:6690
-A zone_lan_prerouting -p tcp -m tcp --dport 6688 -m comment --comment "!fw3: lede" -j DNAT --to-destination 192.168.60.10:443
-A zone_lan_prerouting -p tcp -m tcp --dport 6100 -m comment --comment "!fw3: pve" -j DNAT --to-destination 192.168.60.100:8006
-A zone_lan_prerouting -p tcp -m tcp --dport 6622 -m comment --comment "!fw3: lede-ssh" -j DNAT --to-destination 192.168.60.10:22
-A zone_lan_prerouting -p tcp -m tcp --dport 6500 -m comment --comment "!fw3: dsm" -j DNAT --to-destination 192.168.60.20:5001
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 6800 -m comment --comment "!fw3: aria2 (reflection)" -j DNAT --to-destination 192.168.60.11:6800
-A zone_lan_prerouting -p tcp -m tcp --dport 6800 -m comment --comment "!fw3: aria2-lan" -j DNAT --to-destination 192.168.60.11:6800
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 9000 -m comment --comment "!fw3: docker (reflection)" -j DNAT --to-destination 192.168.60.11:9000
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 9117 -m comment --comment "!fw3: jackett (reflection)" -j DNAT --to-destination 192.168.60.11:9117
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 6888 -m comment --comment "!fw3: ar-bt (reflection)" -j DNAT --to-destination 192.168.60.11:6888
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p udp -m udp --dport 6888 -m comment --comment "!fw3: ar-bt (reflection)" -j DNAT --to-destination 192.168.60.11:6888
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 9096 -m comment --comment "!fw3: jellyfin (reflection)" -j DNAT --to-destination 192.168.60.164:8096
-A zone_lan_prerouting -p tcp -m tcp --dport 9096 -m comment --comment "!fw3: jellyfin" -j DNAT --to-destination 192.168.60.164:8096
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 6801 -m comment --comment "!fw3: ariaNg (reflection)" -j DNAT --to-destination 192.168.60.11:6880
-A zone_lan_prerouting -p tcp -m tcp --dport 6801 -m comment --comment "!fw3: ariaNg-lan" -j DNAT --to-destination 192.168.60.11:6880
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 3001 -m comment --comment "!fw3: rrshare (reflection)" -j DNAT --to-destination 192.168.60.11:3001
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 8989 -m comment --comment "!fw3: sonarr (reflection)" -j DNAT --to-destination 192.168.60.11:8989
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 9200 -m comment --comment "!fw3: qb-web (reflection)" -j DNAT --to-destination 192.168.60.11:9200
-A zone_lan_prerouting -p tcp -m tcp --dport 6122 -m comment --comment "!fw3: pve-ssh-lan" -j DNAT --to-destination 192.168.60.100:22
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 5901 -m comment --comment "!fw3: vnc (reflection)" -j DNAT --to-destination 192.168.60.12:3389
-A zone_lan_prerouting -p tcp -m tcp --dport 6690 -m comment --comment "!fw3: dsm-drive-lan" -j DNAT --to-destination 192.168.60.20:6690
-A zone_lan_prerouting -p tcp -m tcp --dport 9000 -m comment --comment "!fw3: docker-lan" -j DNAT --to-destination 192.168.60.11:9000
-A zone_lan_prerouting -p tcp -m tcp --dport 6689 -m comment --comment "!fw3: op" -j DNAT --to-destination 192.168.60.9:443
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 8283 -m comment --comment "!fw3: nas-ww (reflection)" -j DNAT --to-destination 192.168.60.20:8283
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p udp -m udp --dport 8283 -m comment --comment "!fw3: nas-ww (reflection)" -j DNAT --to-destination 192.168.60.20:8283
-A zone_lan_prerouting -p tcp -m tcp --dport 8283 -m comment --comment "!fw3: nas-ww-lan" -j DNAT --to-destination 192.168.60.20:8283
-A zone_lan_prerouting -p udp -m udp --dport 8283 -m comment --comment "!fw3: nas-ww-lan" -j DNAT --to-destination 192.168.60.20:8283
-A zone_lan_prerouting -p tcp -m tcp --dport 9050 -m comment --comment "!fw3: psw-lan" -j DNAT --to-destination 192.168.60.10:9050
-A zone_lan_prerouting -p udp -m udp --dport 9050 -m comment --comment "!fw3: psw-lan" -j DNAT --to-destination 192.168.60.10:9050
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec (reflection)" -j DNAT --to-destination 192.168.60.110:4500
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: ipsec (reflection)" -j DNAT --to-destination 192.168.60.110:500
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p tcp -m tcp --dport 6881 -m comment --comment "!fw3: qb (reflection)" -j DNAT --to-destination 192.168.60.11:6881
-A zone_lan_prerouting -s 192.168.60.0/24 -d *WAN IP*/32 -p udp -m udp --dport 6881 -m comment --comment "!fw3: qb (reflection)" -j DNAT --to-destination 192.168.60.11:6881
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 6100 -m comment --comment "!fw3: pve" -j DNAT --to-destination 192.168.60.100:8006
-A zone_wan_prerouting -p tcp -m tcp --dport 6500 -m comment --comment "!fw3: dsm" -j DNAT --to-destination 192.168.60.20:5001
-A zone_wan_prerouting -p tcp -m tcp --dport 6688 -m comment --comment "!fw3: lede" -j DNAT --to-destination 192.168.60.10:443
-A zone_wan_prerouting -p tcp -m tcp --dport 6690 -m comment --comment "!fw3: dsm-drive" -j DNAT --to-destination 192.168.60.20:6690
-A zone_wan_prerouting -p tcp -m tcp --dport 6800 -m comment --comment "!fw3: aria2" -j DNAT --to-destination 192.168.60.11:6800
-A zone_wan_prerouting -p tcp -m tcp --dport 9000 -m comment --comment "!fw3: docker" -j DNAT --to-destination 192.168.60.11:9000
-A zone_wan_prerouting -p tcp -m tcp --dport 9117 -m comment --comment "!fw3: jackett" -j DNAT --to-destination 192.168.60.11:9117
-A zone_wan_prerouting -p tcp -m tcp --dport 6888 -m comment --comment "!fw3: ar-bt" -j DNAT --to-destination 192.168.60.11:6888
-A zone_wan_prerouting -p udp -m udp --dport 6888 -m comment --comment "!fw3: ar-bt" -j DNAT --to-destination 192.168.60.11:6888
-A zone_wan_prerouting -p tcp -m tcp --dport 9096 -m comment --comment "!fw3: jellyfin" -j DNAT --to-destination 192.168.60.164:8096
-A zone_wan_prerouting -p tcp -m tcp --dport 6801 -m comment --comment "!fw3: ariaNg" -j DNAT --to-destination 192.168.60.11:6880
-A zone_wan_prerouting -p tcp -m tcp --dport 3001 -m comment --comment "!fw3: rrshare" -j DNAT --to-destination 192.168.60.11:3001
-A zone_wan_prerouting -p tcp -m tcp --dport 8989 -m comment --comment "!fw3: sonarr" -j DNAT --to-destination 192.168.60.11:8989
-A zone_wan_prerouting -p tcp -m tcp --dport 9200 -m comment --comment "!fw3: qb-web" -j DNAT --to-destination 192.168.60.11:9200
-A zone_wan_prerouting -p tcp -m tcp --dport 5901 -m comment --comment "!fw3: vnc" -j DNAT --to-destination 192.168.60.12:3389
-A zone_wan_prerouting -p tcp -m tcp --dport 8283 -m comment --comment "!fw3: nas-ww" -j DNAT --to-destination 192.168.60.20:8283
-A zone_wan_prerouting -p udp -m udp --dport 8283 -m comment --comment "!fw3: nas-ww" -j DNAT --to-destination 192.168.60.20:8283
-A zone_wan_prerouting -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec" -j DNAT --to-destination 192.168.60.110:4500
-A zone_wan_prerouting -p udp -m udp --dport 500 -m comment --comment "!fw3: ipsec" -j DNAT --to-destination 192.168.60.110:500
-A zone_wan_prerouting -p tcp -m tcp --dport 6881 -m comment --comment "!fw3: qb" -j DNAT --to-destination 192.168.60.11:6881
-A zone_wan_prerouting -p udp -m udp --dport 6881 -m comment --comment "!fw3: qb" -j DNAT --to-destination 192.168.60.11:6881
COMMIT
# Completed on Thu Nov 10 14:37:58 2022

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Thu Nov 10 14:37:58 2022
*mangle
:PREROUTING ACCEPT [102045:129416971]
:INPUT ACCEPT [1400:236455]
:FORWARD ACCEPT [100634:129177709]
:OUTPUT ACCEPT [1653:967037]
:POSTROUTING ACCEPT [102268:130143506]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
:openclash - [0:0]
:openclash_dns_hijack - [0:0]
:openclash_output - [0:0]
-A PREROUTING -j openclash
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j RRDIPT_OUTPUT
-A OUTPUT -j openclash_output
-A RRDIPT_FORWARD -s 192.168.60.11/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.11/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.102/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.102/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.110/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.110/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.112/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.112/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.133/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.133/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.221/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.221/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.125/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.125/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.109/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.109/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.222/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.222/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.119/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.119/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.216/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.216/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.225/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.225/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.239/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.239/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.188/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.188/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.198/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.198/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.164/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.164/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.201/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.201/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.120/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.120/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.118/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.118/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.163/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.163/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.243/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.243/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.169/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.169/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.115/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.115/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.204/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.204/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.134/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.134/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.113/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.113/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.189/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.189/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.199/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.199/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.20/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.20/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.238/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.238/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.193/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.193/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.217/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.217/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.150/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.150/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.197/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.197/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.140/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.140/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.1/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.1/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.60.100/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.60.100/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.191.71/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.191.71/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_INPUT -i pppoe-wan -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
-A RRDIPT_OUTPUT -o pppoe-wan -j RETURN
-A openclash -p tcp -m tcp --sport 1688 -j RETURN
-A openclash -p udp -m udp --sport 68 -j RETURN
-A openclash -s 192.168.60.11/32 -p udp -m udp --sport 6881 -j RETURN
-A openclash -s 192.168.60.11/32 -p udp -m udp --dport 6881 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --sport 6881 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --dport 6881 -j RETURN
-A openclash -s 192.168.60.110/32 -p udp -m udp --sport 500 -j RETURN
-A openclash -s 192.168.60.110/32 -p udp -m udp --dport 500 -j RETURN
-A openclash -s 192.168.60.110/32 -p udp -m udp --sport 4500 -j RETURN
-A openclash -s 192.168.60.110/32 -p udp -m udp --dport 4500 -j RETURN
-A openclash -s 192.168.60.10/32 -p udp -m udp --sport 9050 -j RETURN
-A openclash -s 192.168.60.10/32 -p udp -m udp --dport 9050 -j RETURN
-A openclash -s 192.168.60.10/32 -p tcp -m tcp --sport 9050 -j RETURN
-A openclash -s 192.168.60.10/32 -p tcp -m tcp --dport 9050 -j RETURN
-A openclash -s 192.168.60.20/32 -p udp -m udp --sport 8283 -j RETURN
-A openclash -s 192.168.60.20/32 -p udp -m udp --dport 8283 -j RETURN
-A openclash -s 192.168.60.20/32 -p tcp -m tcp --sport 8283 -j RETURN
-A openclash -s 192.168.60.20/32 -p tcp -m tcp --dport 8283 -j RETURN
-A openclash -s 192.168.60.20/32 -p udp -m udp --sport 8283 -j RETURN
-A openclash -s 192.168.60.20/32 -p udp -m udp --dport 8283 -j RETURN
-A openclash -s 192.168.60.20/32 -p tcp -m tcp --sport 8283 -j RETURN
-A openclash -s 192.168.60.20/32 -p tcp -m tcp --dport 8283 -j RETURN
-A openclash -s 192.168.60.9/32 -p tcp -m tcp --sport 443 -j RETURN
-A openclash -s 192.168.60.9/32 -p tcp -m tcp --dport 6689 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --sport 9000 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --dport 9000 -j RETURN
-A openclash -s 192.168.60.20/32 -p tcp -m tcp --sport 6690 -j RETURN
-A openclash -s 192.168.60.20/32 -p tcp -m tcp --dport 6690 -j RETURN
-A openclash -s 192.168.60.12/32 -p tcp -m tcp --sport 3389 -j RETURN
-A openclash -s 192.168.60.12/32 -p tcp -m tcp --dport 5901 -j RETURN
-A openclash -s 192.168.60.100/32 -p tcp -m tcp --sport 22 -j RETURN
-A openclash -s 192.168.60.100/32 -p tcp -m tcp --dport 6122 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --sport 9200 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --dport 9200 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --sport 8989 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --dport 8989 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --sport 3001 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --dport 3001 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --sport 6880 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --dport 6801 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --sport 6880 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --dport 6801 -j RETURN
-A openclash -s 192.168.60.164/32 -p tcp -m tcp --sport 8096 -j RETURN
-A openclash -s 192.168.60.164/32 -p tcp -m tcp --dport 9096 -j RETURN
-A openclash -s 192.168.60.164/32 -p tcp -m tcp --sport 8096 -j RETURN
-A openclash -s 192.168.60.164/32 -p tcp -m tcp --dport 9096 -j RETURN
-A openclash -s 192.168.60.11/32 -p udp -m udp --sport 6888 -j RETURN
-A openclash -s 192.168.60.11/32 -p udp -m udp --dport 6888 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --sport 6888 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --dport 6888 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --sport 9117 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --dport 9117 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --sport 9000 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --dport 9000 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --sport 6800 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --dport 6800 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --sport 6800 -j RETURN
-A openclash -s 192.168.60.11/32 -p tcp -m tcp --dport 6800 -j RETURN
-A openclash -s 192.168.60.20/32 -p tcp -m tcp --sport 5001 -j RETURN
-A openclash -s 192.168.60.20/32 -p tcp -m tcp --dport 6500 -j RETURN
-A openclash -s 192.168.60.10/32 -p tcp -m tcp --sport 22 -j RETURN
-A openclash -s 192.168.60.10/32 -p tcp -m tcp --dport 6622 -j RETURN
-A openclash -s 192.168.60.100/32 -p tcp -m tcp --sport 8006 -j RETURN
-A openclash -s 192.168.60.100/32 -p tcp -m tcp --dport 6100 -j RETURN
-A openclash -s 192.168.60.10/32 -p tcp -m tcp --sport 443 -j RETURN
-A openclash -s 192.168.60.10/32 -p tcp -m tcp --dport 6688 -j RETURN
-A openclash -s 192.168.60.20/32 -p tcp -m tcp --sport 6690 -j RETURN
-A openclash -s 192.168.60.20/32 -p tcp -m tcp --dport 6690 -j RETURN
-A openclash -s 192.168.60.10/32 -p tcp -m tcp --sport 443 -j RETURN
-A openclash -s 192.168.60.10/32 -p tcp -m tcp --dport 6688 -j RETURN
-A openclash -s 192.168.60.20/32 -p tcp -m tcp --sport 5001 -j RETURN
-A openclash -s 192.168.60.20/32 -p tcp -m tcp --dport 6500 -j RETURN
-A openclash -s 192.168.60.100/32 -p tcp -m tcp --sport 8006 -j RETURN
-A openclash -s 192.168.60.100/32 -p tcp -m tcp --dport 6100 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -m set --match-set china_ip_route dst -m set ! --match-set china_ip_route_pass dst -j RETURN
-A openclash -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p udp -m udp --sport 68 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p udp -m udp --dport 6881 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p udp -m udp --sport 6881 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --dport 6881 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --sport 6881 -j RETURN
-A openclash_output -s 192.168.60.110/32 -p udp -m udp --dport 500 -j RETURN
-A openclash_output -s 192.168.60.110/32 -p udp -m udp --sport 500 -j RETURN
-A openclash_output -s 192.168.60.110/32 -p udp -m udp --dport 4500 -j RETURN
-A openclash_output -s 192.168.60.110/32 -p udp -m udp --sport 4500 -j RETURN
-A openclash_output -s 192.168.60.10/32 -p udp -m udp --dport 9050 -j RETURN
-A openclash_output -s 192.168.60.10/32 -p udp -m udp --sport 9050 -j RETURN
-A openclash_output -s 192.168.60.10/32 -p tcp -m tcp --dport 9050 -j RETURN
-A openclash_output -s 192.168.60.10/32 -p tcp -m tcp --sport 9050 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p udp -m udp --dport 8283 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p udp -m udp --sport 8283 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p tcp -m tcp --dport 8283 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p tcp -m tcp --sport 8283 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p udp -m udp --dport 8283 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p udp -m udp --sport 8283 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p tcp -m tcp --dport 8283 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p tcp -m tcp --sport 8283 -j RETURN
-A openclash_output -s 192.168.60.9/32 -p tcp -m tcp --dport 6689 -j RETURN
-A openclash_output -s 192.168.60.9/32 -p tcp -m tcp --sport 443 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --dport 9000 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --sport 9000 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p tcp -m tcp --dport 6690 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p tcp -m tcp --sport 6690 -j RETURN
-A openclash_output -s 192.168.60.12/32 -p tcp -m tcp --dport 5901 -j RETURN
-A openclash_output -s 192.168.60.12/32 -p tcp -m tcp --sport 3389 -j RETURN
-A openclash_output -s 192.168.60.100/32 -p tcp -m tcp --dport 6122 -j RETURN
-A openclash_output -s 192.168.60.100/32 -p tcp -m tcp --sport 22 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --dport 9200 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --sport 9200 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --dport 8989 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --sport 8989 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --dport 3001 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --sport 3001 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --dport 6801 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --sport 6880 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --dport 6801 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --sport 6880 -j RETURN
-A openclash_output -s 192.168.60.164/32 -p tcp -m tcp --dport 9096 -j RETURN
-A openclash_output -s 192.168.60.164/32 -p tcp -m tcp --sport 8096 -j RETURN
-A openclash_output -s 192.168.60.164/32 -p tcp -m tcp --dport 9096 -j RETURN
-A openclash_output -s 192.168.60.164/32 -p tcp -m tcp --sport 8096 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p udp -m udp --dport 6888 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p udp -m udp --sport 6888 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --dport 6888 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --sport 6888 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --dport 9117 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --sport 9117 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --dport 9000 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --sport 9000 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --dport 6800 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --sport 6800 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --dport 6800 -j RETURN
-A openclash_output -s 192.168.60.11/32 -p tcp -m tcp --sport 6800 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p tcp -m tcp --dport 6500 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p tcp -m tcp --sport 5001 -j RETURN
-A openclash_output -s 192.168.60.10/32 -p tcp -m tcp --dport 6622 -j RETURN
-A openclash_output -s 192.168.60.10/32 -p tcp -m tcp --sport 22 -j RETURN
-A openclash_output -s 192.168.60.100/32 -p tcp -m tcp --dport 6100 -j RETURN
-A openclash_output -s 192.168.60.100/32 -p tcp -m tcp --sport 8006 -j RETURN
-A openclash_output -s 192.168.60.10/32 -p tcp -m tcp --dport 6688 -j RETURN
-A openclash_output -s 192.168.60.10/32 -p tcp -m tcp --sport 443 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p tcp -m tcp --dport 6690 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p tcp -m tcp --sport 6690 -j RETURN
-A openclash_output -s 192.168.60.10/32 -p tcp -m tcp --dport 6688 -j RETURN
-A openclash_output -s 192.168.60.10/32 -p tcp -m tcp --sport 443 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p tcp -m tcp --dport 6500 -j RETURN
-A openclash_output -s 192.168.60.20/32 -p tcp -m tcp --sport 5001 -j RETURN
-A openclash_output -s 192.168.60.100/32 -p tcp -m tcp --dport 6100 -j RETURN
-A openclash_output -s 192.168.60.100/32 -p tcp -m tcp --sport 8006 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -m owner ! --uid-owner 65534 -m set --match-set china_ip_route dst -m set ! --match-set china_ip_route_pass dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
COMMIT
# Completed on Thu Nov 10 14:37:58 2022

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Thu Nov 10 14:37:58 2022
*filter
:INPUT ACCEPT [11:608]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:openclash_wan_input - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -i pppoe-wan -m set ! --match-set localnetwork src -j openclash_wan_input
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -o utun -m comment --comment "OpenClash TUN Forward" -j ACCEPT
-A FORWARD -o ztuze33iip -j ACCEPT
-A FORWARD -i ztuze33iip -j ACCEPT
-A FORWARD -o ztuze33iip -j ACCEPT
-A FORWARD -i ztuze33iip -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A MINIUPNPD -d 192.168.60.120/32 -p tcp -m tcp --dport 34356 -j ACCEPT
-A MINIUPNPD -d 192.168.60.120/32 -p udp -m udp --dport 36825 -j ACCEPT
-A MINIUPNPD -d 192.168.60.120/32 -p tcp -m tcp --dport 35226 -j ACCEPT
-A MINIUPNPD -d 192.168.60.201/32 -p tcp -m tcp --dport 52606 -j ACCEPT
-A MINIUPNPD -d 192.168.60.201/32 -p udp -m udp --dport 52606 -j ACCEPT
-A MINIUPNPD -d 192.168.60.201/32 -p tcp -m tcp --dport 25609 -j ACCEPT
-A MINIUPNPD -d 192.168.60.201/32 -p udp -m udp --dport 25609 -j ACCEPT
-A MINIUPNPD -d 192.168.60.201/32 -p tcp -m tcp --dport 43229 -j ACCEPT
-A MINIUPNPD -d 192.168.60.201/32 -p udp -m udp --dport 43229 -j ACCEPT
-A MINIUPNPD -d 192.168.60.193/32 -p tcp -m tcp --dport 41155 -j ACCEPT
-A MINIUPNPD -d 192.168.60.193/32 -p udp -m udp --dport 41155 -j ACCEPT
-A MINIUPNPD -d 192.168.60.193/32 -p udp -m udp --dport 6958 -j ACCEPT
-A MINIUPNPD -d 192.168.60.193/32 -p tcp -m tcp --dport 6958 -j ACCEPT
-A MINIUPNPD -d 192.168.60.150/32 -p tcp -m tcp --dport 1080 -j ACCEPT
-A MINIUPNPD -d 192.168.60.150/32 -p udp -m udp --dport 3027 -j ACCEPT
-A MINIUPNPD -d 192.168.60.193/32 -p tcp -m tcp --dport 43847 -j ACCEPT
-A MINIUPNPD -d 192.168.60.193/32 -p udp -m udp --dport 43847 -j ACCEPT
-A MINIUPNPD -d 192.168.60.193/32 -p udp -m udp --dport 6912 -j ACCEPT
-A MINIUPNPD -d 192.168.60.193/32 -p tcp -m tcp --dport 6912 -j ACCEPT
-A MINIUPNPD -d 192.168.60.210/32 -p udp -m udp --dport 8738 -j ACCEPT
-A MINIUPNPD -d 192.168.60.204/32 -p udp -m udp --dport 33935 -j ACCEPT
-A MINIUPNPD -d 192.168.60.134/32 -p udp -m udp --dport 34238 -j ACCEPT
-A MINIUPNPD -d 192.168.60.197/32 -p udp -m udp --dport 41158 -j ACCEPT
-A MINIUPNPD -d 192.168.60.201/32 -p tcp -m tcp --dport 6881 -j ACCEPT
-A MINIUPNPD -d 192.168.60.201/32 -p udp -m udp --dport 6881 -j ACCEPT
-A MINIUPNPD -d 192.168.60.140/32 -p udp -m udp --dport 40172 -j ACCEPT
-A MINIUPNPD -d 192.168.60.140/32 -p udp -m udp --dport 49549 -j ACCEPT
-A MINIUPNPD -d 192.168.60.201/32 -p udp -m udp --dport 49045 -j ACCEPT
-A openclash_wan_input -p udp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp-port-unreachable
-A openclash_wan_input -p tcp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp-port-unreachable
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i pppoe-wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Thu Nov 10 14:37:58 2022

#===================== IPSET状态 =====================#

Name: china_ip_route
Name: china_ip_route_pass
Name: localnetwork

#===================== Tun设备状态 =====================#

ztuze33iip: tap
utun: tun

#===================== 端口占用状态 =====================#

tcp        0      0 198.18.0.1:40543        0.0.0.0:*               LISTEN      2377568/clash
tcp        0      0 :::7895                 :::*                    LISTEN      2377568/clash
tcp        0      0 :::7892                 :::*                    LISTEN      2377568/clash
tcp        0      0 :::7893                 :::*                    LISTEN      2377568/clash
tcp        0      0 :::7890                 :::*                    LISTEN      2377568/clash
tcp        0      0 :::7891                 :::*                    LISTEN      2377568/clash
tcp        0      0 :::9090                 :::*                    LISTEN      2377568/clash
tcp        0      0 fdfe:dcba:9876::1:35615 :::*                    LISTEN      2377568/clash
udp        0      0 :::55435                :::*                                2377568/clash
udp        0      0 :::7874                 :::*                                2377568/clash
udp        0      0 :::7891                 :::*                                2377568/clash
udp        0      0 :::7892                 :::*                                2377568/clash
udp        0      0 :::7893                 :::*                                2377568/clash
udp        0      0 :::7895                 :::*                                2377568/clash

#===================== 最近运行日志 =====================#

2022-11-10 12:07:50 Tip: You have seted the authentication of SOCKS5/HTTP(S) proxy with【Clash:uxnbOE3X】
2022-11-10 12:07:51 Step 4: Start Running The Clash Core...
2022-11-10 12:07:51 Tip: Detected The Exclusive Function of The Meta Core, Use Meta Core to Start...
time="2022-11-10T04:07:54Z" level=info msg="Start initial configuration in progress"
time="2022-11-10T04:07:54Z" level=info msg="Geodata Loader mode: memconservative"
2022-11-10 12:07:54 Step 5: Check The Core Status...
time="2022-11-10T04:07:54Z" level=info msg="Start initial GeoSite rule category-ads-all => REJECT, records: 53344"
time="2022-11-10T04:07:55Z" level=info msg="Start initial GeoSite rule icloud@cn => DIRECT, records: 6"
time="2022-11-10T04:07:55Z" level=info msg="Start initial GeoSite rule apple@cn => DIRECT, records: 222"
time="2022-11-10T04:07:55Z" level=info msg="Start initial GeoSite rule apple-cn => DIRECT, records: 124"
time="2022-11-10T04:07:55Z" level=info msg="Start initial GeoSite rule microsoft@cn => DIRECT, records: 45"
time="2022-11-10T04:07:55Z" level=info msg="Start initial GeoSite rule facebook => PROXY, records: 539"
time="2022-11-10T04:07:55Z" level=info msg="Start initial GeoSite rule youtube => PROXY, records: 175"
time="2022-11-10T04:07:55Z" level=info msg="Start initial GeoSite rule geolocation-cn => DIRECT, records: 2849"
time="2022-11-10T04:07:55Z" level=info msg="Start initial GeoSite rule geolocation-!cn => PROXY, records: 32012"
time="2022-11-10T04:07:55Z" level=info msg="Initial configuration complete, total time: 1401ms"
time="2022-11-10T04:07:55Z" level=info msg="Authentication of local server updated"
time="2022-11-10T04:07:55Z" level=info msg="RESTful API listening at: [::]:9090"
time="2022-11-10T04:07:55Z" level=info msg="Sniffer is loaded and working"
time="2022-11-10T04:07:55Z" level=info msg="DNS server listening at: [::]:7874"
time="2022-11-10T04:07:55Z" level=info msg="Start initial compatible provider default"
time="2022-11-10T04:07:55Z" level=info msg="Start initial compatible provider PROXY"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider google"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider icloud"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider applications"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider gfw"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider direct"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider cncidr"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider reject"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider apple"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider tld-not-cn"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider lancidr"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider proxy"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider private"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider greatfire"
time="2022-11-10T04:07:55Z" level=info msg="Start initial provider telegramcidr"
time="2022-11-10T04:07:56Z" level=info msg="HTTP proxy listening at: [::]:7890"
time="2022-11-10T04:07:56Z" level=info msg="SOCKS proxy listening at: [::]:7891"
time="2022-11-10T04:07:56Z" level=info msg="Redirect proxy listening at: [::]:7892"
time="2022-11-10T04:07:56Z" level=info msg="TProxy server listening at: [::]:7895"
time="2022-11-10T04:07:56Z" level=info msg="Mixed(http+socks) proxy listening at: [::]:7893"
time="2022-11-10T04:07:56Z" level=info msg="Tun adapter listening at: utun([198.18.0.1/30],[fdfe:dcba:9876::1/126]), mtu: 9000, auto route: false, ip stack: System"
2022-11-10 12:08:00 Step 6: Wait For The File Downloading...
2022-11-10 12:08:01 Step 7: Set Firewall Rules...
2022-11-10 12:08:16 Tip: Bypass the China IP May Cause the Dnsmasq Load For a Long Time After Restart in FAKE-IP Mode, Hijack the DNS to Core Untill the Dnsmasq Works Well...
2022-11-10 12:08:16 Tip: Waiting for TUN Interface Start...
2022-11-10 12:08:18 Step 8: Restart Dnsmasq...
2022-11-10 12:08:20 Step 9: Add Cron Rules, Start Daemons...
2022-11-10 12:08:21 Warning: OpenClash Start Successful, Please Note That Network May Abnormal With IPv6's DHCP Server
2022-11-10 12:10:39 Tip: Dnsmasq Work is Normal, Restore The Firewall DNS Hijacking Rules...

OpenClash Config

Expected Behavior

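CPU usage should not be this high. With two cores allocated it reaches almost 100%. With earlier versions it was probably around 50% on this page; recently I found it has reached 100%, so I had to allocate 4 cores.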

Screenshots

CPU usage on the Running Status page

image

Normal

image
skill7899 commented 1 year ago

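Found the cause: socat was holding on to a large number of threads without releasing them, which made creating new threads too slow when opening this page.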

ZevAlain commented 1 year ago

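> Found the cause: socat was holding on to a large number of threads without releasing them, which made creating new threads too slow when opening this page.

I found your issue right after I had fixed it myself. I had assumed all along that the problem was caused by my OpenWrt update; I didn't expect it to be socat. After removing a few ports from socat, things are back to normal for now. I don't know whether the problem will come back later.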

skill7899 commented 1 year ago

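> > Found the cause: socat was holding on to a large number of threads without releasing them, which made creating new threads too slow when opening this page.
>
> I found your issue right after I had fixed it myself. I had assumed all along that the problem was caused by my OpenWrt update; I didn't expect it to be socat. After removing a few ports from socat, things are back to normal for now. I don't know whether the problem will come back later.

I suggest simply using lucky instead of socat.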

ZevAlain commented 1 year ago

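> > > Found the cause: socat was holding on to a large number of threads without releasing them, which made creating new threads too slow when opening this page.
> >
> > I found your issue right after I had fixed it myself. I had assumed all along that the problem was caused by my OpenWrt update; I didn't expect it to be socat. After removing a few ports from socat, things are back to normal for now. I don't know whether the problem will come back later.
>
> I suggest simply using lucky instead of socat.

Thanks. For now I have replaced it with the port forwards in the firewall.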

wolaijiuni commented 1 year ago

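> > > > Found the cause: socat was holding on to a large number of threads without releasing them, which made creating new threads too slow when opening this page.
> > >
> > > I found your issue right after I had fixed it myself. I had assumed all along that the problem was caused by my OpenWrt update; I didn't expect it to be socat. After removing a few ports from socat, things are back to normal for now. I don't know whether the problem will come back later.
> >
> > I suggest simply using lucky instead of socat.
>
> Thanks. For now I have replaced it with the port forwards in the firewall.

Could I ask which ports you are forwarding?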