vernesong / OpenClash

A Clash Client For OpenWrt
MIT License
17.83k stars 3.21k forks source link

[Bug] 45.103版本-用一段时间后卡死-守护程序:检测到 Clash 内核崩溃,重启中... #3147

Closed tactan closed 1 year ago

tactan commented 1 year ago

Verify Steps

OpenClash Version

v0.45.103-beta

Bug on Environment

Official OpenWrt

Bug on Platform

Linux-amd64(x86-64)

To Reproduce

上传本地配置文件,proxy-providers、rule-providers,使用一段时间后,无网络,openwrt系统无法访问

Describe the Bug

软路由模式运行,openwrt跑在ESXI上,旁路网关,OpenClash使用本地配置文件,proxy-providers、rule-providers,使用一段时间后,无网络,openwrt系统无法访问,只能强制重启openwrt,重启后OpenClash无法自动运行,看日志反复报内核崩溃,重启中;用自带的在线配置订阅转换无此问题

通过查阅之前的issue,删除/etc/openclash/cache.db和/etc/openclash/history后,重新上传proxy和rule文件到对应文件夹覆盖,再启动可以恢复,但一段时间后还是会这样;只删除db文件也是无法启动的,必须覆盖配置文件

大概从从v0.45.47-beta开始用的,一直到最新的版本,应该都有这个问题;因为不想用第三方订阅转换,电脑上的配置文件一直是根据 通用模板 自己写的,结合providers,用起来也比较方便,基本不用维护

因为这个问题,目前还是只能用订阅转换;另外用providers,proxy和rule都无法在线下载,需要先手动上传到对应目录,再启动OpenClash

OpenClash Log

OpenClash 调试日志

生成时间: 2023-03-28 14:32:53 插件版本: v0.45.103-beta 隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息


#===================== 系统信息 =====================#

主机型号: VMware - Intel(R) Celeron(R) N5105 @ 2.00GHz : 1 Core 1 Thread
固件版本: OpenWrt SNAPSHOT r4359-679ae72af
LuCI版本: git-22.068.45502-a50e601-1
内核版本: 5.15.30
处理器架构: x86_64

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: 

DNS劫持: Dnsmasq 转发
#DNS劫持为Dnsmasq时,此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 未安装
unzip: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
kmod-ipt-nat: 已安装

#===================== 内核检查 =====================#

运行状态: 未运行
已选择的架构: TUN

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2023.03.04-5-g4a8cefb
Tun内核文件: 存在
Tun内核运行权限: 正常

Dev内核版本: v1.13.0-7-g4ffc999
Dev内核文件: 存在
Dev内核运行权限: 正常

Meta内核版本: alpha-g2f992e9
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/Combined.yaml
启动配置文件: /etc/openclash/Combined.yaml
运行模式: fake-ip-tun
默认代理模式: rule
UDP流量转发(tproxy): 停用
自定义DNS: 启用
IPV6代理: 停用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 停用
仅代理命中规则流量: 启用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 配置文件 =====================#

port: 7890
socks-port: 7891
redir-port: 7892
allow-lan: true
bind-address: "*"
mode: rule
log-level: silent
external-controller: 0.0.0.0:9090
hosts:
  xxx.com: 1.1.1.1
dns:
  enable: true
  listen: 0.0.0.0:7874
  ipv6: false
  default-nameserver:
  - 119.29.29.29
  - 223.5.5.5
  - 114.114.114.114
  - 10.0.100.1
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter:
  - "*.lan"
  - "*.localdomain"
  - "*.example"
  - "*.invalid"
  - "*.localhost"
  - "*.test"
  - "*.local"
  - "*.home.arpa"
  - time.*.com
  - time.*.gov
  - time.*.edu.cn
  - time.*.apple.com
  - time1.*.com
  - time2.*.com
  - time3.*.com
  - time4.*.com
  - time5.*.com
  - time6.*.com
  - time7.*.com
  - ntp.*.com
  - ntp1.*.com
  - ntp2.*.com
  - ntp3.*.com
  - ntp4.*.com
  - ntp5.*.com
  - ntp6.*.com
  - ntp7.*.com
  - "*.time.edu.cn"
  - "*.ntp.org.cn"
  - "+.pool.ntp.org"
  - time1.cloud.tencent.com
  - music.163.com
  - "*.music.163.com"
  - "*.126.net"
  - musicapi.taihe.com
  - music.taihe.com
  - songsearch.kugou.com
  - trackercdn.kugou.com
  - "*.kuwo.cn"
  - api-jooxtt.sanook.com
  - api.joox.com
  - joox.com
  - y.qq.com
  - "*.y.qq.com"
  - streamoc.music.tc.qq.com
  - mobileoc.music.tc.qq.com
  - isure.stream.qqmusic.qq.com
  - dl.stream.qqmusic.qq.com
  - aqqmusic.tc.qq.com
  - amobile.music.tc.qq.com
  - "*.xiami.com"
  - "*.music.migu.cn"
  - music.migu.cn
  - "*.msftconnecttest.com"
  - "*.msftncsi.com"
  - msftconnecttest.com
  - msftncsi.com
  - localhost.ptlogin2.qq.com
  - localhost.sec.qq.com
  - "+.srv.nintendo.net"
  - "+.stun.playstation.net"
  - xbox.*.microsoft.com
  - xnotify.xboxlive.com
  - "+.battlenet.com.cn"
  - "+.wotgame.cn"
  - "+.wggames.cn"
  - "+.wowsgame.cn"
  - "+.wargaming.net"
  - proxy.golang.org
  - stun.*.*
  - stun.*.*.*
  - "+.stun.*.*"
  - "+.stun.*.*.*"
  - "+.stun.*.*.*.*"
  - heartbeat.belkin.com
  - "*.linksys.com"
  - "*.linksyssmartwifi.com"
  - "*.router.asus.com"
  - mesu.apple.com
  - swscan.apple.com
  - swquery.apple.com
  - swdownload.apple.com
  - swcdn.apple.com
  - swdist.apple.com
  - lens.l.google.com
  - stun.l.google.com
  - "+.nflxvideo.net"
  - "*.square-enix.com"
  - "*.finalfantasyxiv.com"
  - "*.ffxiv.com"
  - "*.mcdn.bilivideo.cn"
  nameserver:
  - 10.0.100.1
  - 119.29.29.29
  - 223.5.5.5
  - https://doh.pub/dns-query
  - https://dns.alidns.com/dns-query
  fallback-filter:
    geoip: false
    ipcidr:
    - 0.0.0.0/8
    - 10.0.0.0/8
    - 100.64.0.0/10
    - 127.0.0.0/8
    - 169.254.0.0/16
    - 172.16.0.0/12
    - 192.0.0.0/24
    - 192.0.2.0/24
    - 192.88.99.0/24
    - 192.168.0.0/16
    - 198.18.0.0/15
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 224.0.0.0/4
    - 240.0.0.0/4
    - 255.255.255.255/32
    domain:
    - "+.google.com"
    - "+.facebook.com"
    - "+.youtube.com"
    - "+.githubusercontent.com"
    - "+.googlevideo.com"
  fallback:
  - https://dns.cloudflare.com/dns-query
  - tls://dns.google:853
  - https://1.1.1.1/dns-query
  - tls://1.1.1.1:853
  - tls://8.8.8.8:853
  - https://public.dns.iij.jp/dns-query
  - https://jp.tiar.app/dns-query
  - https://jp.tiarap.org/dns-query
  - tls://dot.tiar.app
  use-hosts: true
tun:
  enable: true
  stack: system
  auto-route: false
  auto-detect-interface: false
  dns-hijack:
  - tcp://any:53
proxy-providers:
  D:
    type: http
    path: ./Server/d.yaml
    url: https://xxx.com
    interval: 3600
    health-check:
        enable: true
        url: http://www.gstatic.com/generate_204
        interval: 300
  D1:
    type: http
    path: ./Server/d.yaml
    url: https://xxx.com
    interval: 3600
    health-check:
        enable: true
        url: http://www.gstatic.com/generate_204
        interval: 300
    filter: '香港|HK|美国|US|台湾|日本'
  M:
    type: http
    path: ./Server/M.yaml
    url: https://xxx.com/flag=clash
    interval: 3600
    health-check:
        enable: true
        url: http://www.gstatic.com/generate_204
        interval: 300
  P:
    type: http
    path: ./Server/p.yaml
    url: https://xxx1.com
    interval: 3600
    health-check:
        enable: true
        url: http://www.gstatic.com/generate_204
        interval: 300
proxy-groups:
- name: PROXY
  type: select
  use:
  - D
  proxies:
  - Autotest
  - Fallback
  - Mna
  - P
- name: Autotest
  type: url-test
  url: http://www.gstatic.com/generate_204
  tolerance: 50
  interval: 300
  use:
  - D1
  filter: 香港|HK|美国|US|台湾|日本
- name: Fallback
  type: fallback
  url: http://www.gstatic.com/generate_204
  interval: 300
  use:
  - D1
  filter: 香港|HK|美国|US|台湾|日本
- name: Mna
  type: select
  use:
  - M
- name: P
  type: select
  use:
  - Pr
- name: AD
  type: select
  proxies:
  - REJECT
  - DIRECT
  - PROXY
- name: Netease
  type: select
  proxies:
  - DIRECT
  - PROXY
rule-providers:
  reject:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt
    path: "./rule_provider/reject.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  icloud:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt
    path: "./rule_provider/icloud.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  apple:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt
    path: "./rule_provider/apple.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  google:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt
    path: "./rule_provider/google.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  proxy:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt
    path: "./rule_provider/proxy.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  direct:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt
    path: "./rule_provider/direct.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  private:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt
    path: "./rule_provider/private.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  gfw:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt
    path: "./rule_provider/gfw.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  greatfire:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/greatfire.txt
    path: "./rule_provider/greatfire.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  tld-not-cn:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt
    path: "./rule_provider/tld-not-cn.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  telegramcidr:
    type: http
    behavior: ipcidr
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt
    path: "./rule_provider/telegramcidr.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  cncidr:
    type: http
    behavior: ipcidr
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt
    path: "./rule_provider/cncidr.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  lancidr:
    type: http
    behavior: ipcidr
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt
    path: "./rule_provider/lancidr.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  applications:
    type: http
    behavior: classical
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt
    path: "./rule_provider/applications.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  banad:
    type: http
    behavior: classical
    url: https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/BanAD.yaml
    path: "./rule_provider/banad.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
  banprogramad:
    type: http
    behavior: classical
    url: https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/BanProgramAD.yaml
    path: "./rule_provider/banprogramad.yaml"
    interval: 86400
    health-check:
      enable: true
      url: http://www.gstatic.com/generate_204
      interval: 300
rules:
- DST-PORT,7895,REJECT
- DST-PORT,7892,REJECT
- IP-CIDR,198.18.0.1/16,REJECT,no-resolve
- DOMAIN-SUFFIX,awesome-hd.me,DIRECT
- DOMAIN-SUFFIX,broadcasthe.net,DIRECT
- DOMAIN-SUFFIX,chdbits.co,DIRECT
- DOMAIN-SUFFIX,classix-unlimited.co.uk,DIRECT
- DOMAIN-SUFFIX,empornium.me,DIRECT
- DOMAIN-SUFFIX,gazellegames.net,DIRECT
- DOMAIN-SUFFIX,hdchina.org,DIRECT
- DOMAIN-SUFFIX,hdsky.me,DIRECT
- DOMAIN-SUFFIX,icetorrent.org,DIRECT
- DOMAIN-SUFFIX,jpopsuki.eu,DIRECT
- DOMAIN-SUFFIX,keepfrds.com,DIRECT
- DOMAIN-SUFFIX,madsrevolution.net,DIRECT
- DOMAIN-SUFFIX,m-team.cc,DIRECT
- DOMAIN-SUFFIX,nanyangpt.com,DIRECT
- DOMAIN-SUFFIX,ncore.cc,DIRECT
- DOMAIN-SUFFIX,open.cd,DIRECT
- DOMAIN-SUFFIX,ourbits.club,DIRECT
- DOMAIN-SUFFIX,passthepopcorn.me,DIRECT
- DOMAIN-SUFFIX,privatehd.to,DIRECT
- DOMAIN-SUFFIX,redacted.ch,DIRECT
- DOMAIN-SUFFIX,springsunday.net,DIRECT
- DOMAIN-SUFFIX,tjupt.org,DIRECT
- DOMAIN-SUFFIX,totheglory.im,DIRECT
- DOMAIN-SUFFIX,smtp,DIRECT
- DOMAIN-KEYWORD,announce,DIRECT
- DOMAIN-KEYWORD,torrent,DIRECT
- DOMAIN-KEYWORD,tracker,DIRECT
- DOMAIN,clash.razord.top,DIRECT
- DOMAIN,yacd.haishan.me,DIRECT
- RULE-SET,applications,DIRECT
- RULE-SET,banad,AD
- RULE-SET,banprogramad,AD
- RULE-SET,private,DIRECT
- RULE-SET,reject,REJECT
- RULE-SET,tld-not-cn,PROXY
- RULE-SET,gfw,PROXY
- RULE-SET,greatfire,PROXY
- RULE-SET,telegramcidr,PROXY
- DOMAIN-SUFFIX,163yun.com,Netease
- DOMAIN-SUFFIX,music.163.com,Netease
- DOMAIN-SUFFIX,music.126.net,Netease
- DOMAIN-SUFFIX,api.iplay.163.com,Netease
- DOMAIN-SUFFIX,apm.music.163.com,Netease
- DOMAIN-SUFFIX,apm3.music.163.com,Netease
- DOMAIN-SUFFIX,interface.music.163.com,Netease
- DOMAIN-SUFFIX,interface3.music.163.com,Netease
- DOMAIN-SUFFIX,mam.netease.com,Netease
- DOMAIN-SUFFIX,hz.netease.com,Netease
- IP-CIDR,39.105.63.80/32,Netease
- IP-CIDR,45.254.48.1/32,Netease
- IP-CIDR,47.100.127.239/32,Netease
- IP-CIDR,59.111.21.14/31,Netease
- IP-CIDR,59.111.179.214/32,Netease
- IP-CIDR,59.111.181.38/32,Netease
- IP-CIDR,59.111.181.60/32,Netease
- IP-CIDR,59.111.160.195/32,Netease
- IP-CIDR,59.111.160.197/32,Netease
- IP-CIDR,59.111.181.35/32,Netease
- IP-CIDR,59.111.238.29/32,Netease
- IP-CIDR,101.71.154.241/32,Netease
- IP-CIDR,103.126.92.132/32,Netease
- IP-CIDR,103.126.92.133/32,Netease
- IP-CIDR,112.13.119.17/32,Netease
- IP-CIDR,112.13.122.1/32,Netease
- IP-CIDR,115.236.118.33/32,Netease
- IP-CIDR,115.236.121.1/32,Netease
- IP-CIDR,118.24.63.156/32,Netease
- IP-CIDR,193.112.159.225/32,Netease
- IP-CIDR,223.252.199.66/32,Netease
- IP-CIDR,223.252.199.67/32,Netease
- PROCESS-NAME,aria2c,DIRECT
- PROCESS-NAME,BitComet,DIRECT
- PROCESS-NAME,fdm,DIRECT
- PROCESS-NAME,NetTransport,DIRECT
- PROCESS-NAME,qbittorrent,DIRECT
- PROCESS-NAME,Thunder,DIRECT
- PROCESS-NAME,transmission-daemon,DIRECT
- PROCESS-NAME,transmission-qt,DIRECT
- PROCESS-NAME,uTorrent,DIRECT
- PROCESS-NAME,WebTorrent,DIRECT
- PROCESS-NAME,aria2c,DIRECT
- PROCESS-NAME,fdm,DIRECT
- PROCESS-NAME,Folx,DIRECT
- PROCESS-NAME,NetTransport,DIRECT
- PROCESS-NAME,qbittorrent,DIRECT
- PROCESS-NAME,Thunder,DIRECT
- PROCESS-NAME,Transmission,DIRECT
- PROCESS-NAME,transmission,DIRECT
- PROCESS-NAME,uTorrent,DIRECT
- PROCESS-NAME,WebTorrent,DIRECT
- PROCESS-NAME,WebTorrent Helper,DIRECT
- PROCESS-NAME,v2ray,DIRECT
- PROCESS-NAME,ss-local,DIRECT
- PROCESS-NAME,ssr-local,DIRECT
- PROCESS-NAME,ss-redir,DIRECT
- PROCESS-NAME,ssr-redir,DIRECT
- PROCESS-NAME,ss-server,DIRECT
- PROCESS-NAME,trojan-go,DIRECT
- PROCESS-NAME,xray,DIRECT
- PROCESS-NAME,hysteria,DIRECT
- PROCESS-NAME,UUBooster,DIRECT
- PROCESS-NAME,uugamebooster,DIRECT
- DST-PORT,80,DIRECT
- DST-PORT,443,DIRECT
- DST-PORT,22,DIRECT
- MATCH,DIRECT
tproxy-port: 7895
mixed-port: 7893
external-ui: "/usr/share/openclash/ui"
ipv6: false
experimental:
  sniff-tls-sni: true
profile:
  store-selected: true
  store-fake-ip: true
authentication:
- Clash:DJchTYZ0

#===================== 自定义覆写设置 =====================#

#!/bin/sh
. /usr/share/openclash/ruby.sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom overwrite scripts here, they will be take effict after the OpenClash own srcipts

LOG_OUT "Tip: Start Running Custom Overwrite Scripts..."
LOGTIME=$(echo $(date "+%Y-%m-%d %H:%M:%S"))
LOG_FILE="/tmp/openclash.log"
CONFIG_FILE="$1" #config path

#Simple Demo:
    #General Demo
    #1--config path
    #2--key name
    #3--value
    #ruby_edit "$CONFIG_FILE" "['redir-port']" "7892"
    #ruby_edit "$CONFIG_FILE" "['secret']" "123456"
    #ruby_edit "$CONFIG_FILE" "['dns']['enable']" "true"

    #Hash Demo
    #1--config path
    #2--key name
    #3--hash type value
    #ruby_edit "$CONFIG_FILE" "['experimental']" "{'sniff-tls-sni'=>true}"
    #ruby_edit "$CONFIG_FILE" "['sniffer']" "{'sniffing'=>['tls','http']}"

    #Array Demo:
    #1--config path
    #2--key name
    #3--position(start from 0, end with -1)
    #4--value
    #ruby_arr_insert "$CONFIG_FILE" "['dns']['nameserver']" "0" "114.114.114.114"

    #Array Add From Yaml File Demo:
    #1--config path
    #2--key name
    #3--position(start from 0, end with -1)
    #4--value file path
    #5--value key name in #4 file
    #ruby_arr_add_file "$CONFIG_FILE" "['dns']['fallback-filter']['ipcidr']" "0" "/etc/openclash/custom/openclash_custom_fallback_filter.yaml" "['fallback-filter']['ipcidr']"

#Ruby Script Demo:
    #ruby -ryaml -rYAML -I "/usr/share/openclash" -E UTF-8 -e "
    #   begin
    #      Value = YAML.load_file('$CONFIG_FILE');
    #   rescue Exception => e
    #      puts '${LOGTIME} Error: Load File Failed,【' + e.message + '】';
    #   end;

        #General
    #   begin
    #   Thread.new{
    #      Value['redir-port']=7892;
    #      Value['tproxy-port']=7895;
    #      Value['port']=7890;
    #      Value['socks-port']=7891;
    #      Value['mixed-port']=7893;
    #   }.join;

    #   rescue Exception => e
    #      puts '${LOGTIME} Error: Set General Failed,【' + e.message + '】';
    #   ensure
    #      File.open('$CONFIG_FILE','w') {|f| YAML.dump(Value, f)};
    #   end" 2>/dev/null >> $LOG_FILE

exit 0
#===================== 自定义防火墙设置 =====================#

#!/bin/sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom firewall rules here, they will be added after the end of the OpenClash iptables rules

LOG_OUT "Tip: Start Add Custom Firewall Rules..."

exit 0
#===================== IPTABLES 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Tue Mar 28 14:32:55 2023
*nat
:PREROUTING ACCEPT [216:14675]
:INPUT ACCEPT [140:10294]
:OUTPUT ACCEPT [276:19277]
:POSTROUTING ACCEPT [468:31495]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_ipsecserver_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_ipsecserver_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_ipsecserver_postrouting - [0:0]
:zone_ipsecserver_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -p tcp -m comment --comment "OpenClash TCP DNS Hijack" -m tcp --dport 53 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A POSTROUTING -o ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_postrouting
-A zone_ipsecserver_postrouting -m comment --comment "!fw3: Custom ipsecserver postrouting rule chain" -j postrouting_ipsecserver_rule
-A zone_ipsecserver_prerouting -m comment --comment "!fw3: Custom ipsecserver prerouting rule chain" -j prerouting_ipsecserver_rule
-A zone_lan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -j MINIUPNPD
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_vpn_prerouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
COMMIT
# Completed on Tue Mar 28 14:32:55 2023

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Tue Mar 28 14:32:55 2023
*mangle
:PREROUTING ACCEPT [5685:655575]
:INPUT ACCEPT [4510:479590]
:FORWARD ACCEPT [1172:175586]
:OUTPUT ACCEPT [3900:881282]
:POSTROUTING ACCEPT [5072:1056868]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
:openclash - [0:0]
:openclash_dns_hijack - [0:0]
:openclash_output - [0:0]
:openclash_upnp - [0:0]
-A PREROUTING -j openclash
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A OUTPUT -j RRDIPT_OUTPUT
-A OUTPUT -j openclash_output
-A RRDIPT_FORWARD -s 10.0.100.1/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.100.1/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.100.4/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.100.4/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.100.8/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.100.8/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.100.9/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.100.9/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_INPUT -i br-lan -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
-A RRDIPT_OUTPUT -o br-lan -j RETURN
-A openclash -p tcp -m tcp --sport 1688 -j RETURN
-A openclash -p tcp -m tcp --sport 1723 -j RETURN
-A openclash -p udp -m udp --sport 1194 -j RETURN
-A openclash -p tcp -m tcp --sport 1194 -j RETURN
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -p udp -m udp --sport 68 -j RETURN
-A openclash -i utun -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p udp -j openclash_upnp
-A openclash -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1723 -j RETURN
-A openclash_output -p udp -m udp --sport 1194 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1194 -j RETURN
-A openclash_output -p udp -m udp --sport 500 -j RETURN
-A openclash_output -p udp -m udp --sport 68 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
COMMIT
# Completed on Tue Mar 28 14:32:55 2023

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Tue Mar 28 14:32:55 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_ipsecserver_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_ipsecserver_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_ipsecserver_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_ipsecserver_dest_ACCEPT - [0:0]
:zone_ipsecserver_forward - [0:0]
:zone_ipsecserver_input - [0:0]
:zone_ipsecserver_output - [0:0]
:zone_ipsecserver_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_input
-A FORWARD -o utun -p udp -m udp --dport 443 -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip_route dst -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o utun -m comment --comment "OpenClash TUN Forward" -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -o ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_output
-A forwarding_rule -i pppoe+ -j RETURN
-A forwarding_rule -o pppoe+ -j RETURN
-A forwarding_rule -i ppp+ -m conntrack --ctstate NEW -j ACCEPT
-A forwarding_rule -o ppp+ -m conntrack --ctstate NEW -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A zone_ipsecserver_dest_ACCEPT -o ipsec0 -m comment --comment "!fw3" -j ACCEPT
-A zone_ipsecserver_forward -m comment --comment "!fw3: Custom ipsecserver forwarding rule chain" -j forwarding_ipsecserver_rule
-A zone_ipsecserver_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_ipsecserver_forward -m comment --comment "!fw3" -j zone_ipsecserver_dest_ACCEPT
-A zone_ipsecserver_input -m comment --comment "!fw3: Custom ipsecserver input rule chain" -j input_ipsecserver_rule
-A zone_ipsecserver_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_ipsecserver_input -m comment --comment "!fw3" -j zone_ipsecserver_src_ACCEPT
-A zone_ipsecserver_output -m comment --comment "!fw3: Custom ipsecserver output rule chain" -j output_ipsecserver_rule
-A zone_ipsecserver_output -m comment --comment "!fw3" -j zone_ipsecserver_dest_ACCEPT
-A zone_ipsecserver_src_ACCEPT -i ipsec0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -j MINIUPNPD
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
-A zone_wan_input -p gre -m comment --comment "!fw3: gre" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Tue Mar 28 14:32:55 2023

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.7 on Tue Mar 28 14:32:55 2023
*nat
:PREROUTING ACCEPT [48:5071]
:INPUT ACCEPT [36:3296]
:OUTPUT ACCEPT [407:38120]
:POSTROUTING ACCEPT [407:38120]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
# Completed on Tue Mar 28 14:32:55 2023

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.7 on Tue Mar 28 14:32:55 2023
*mangle
:PREROUTING ACCEPT [1297:115508]
:INPUT ACCEPT [1284:113661]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1253:117371]
:POSTROUTING ACCEPT [1261:118417]
COMMIT
# Completed on Tue Mar 28 14:32:55 2023

#IPv6 Filter chain

# Generated by ip6tables-save v1.8.7 on Tue Mar 28 14:32:55 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_ipsecserver_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_ipsecserver_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_ipsecserver_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_ipsecserver_dest_ACCEPT - [0:0]
:zone_ipsecserver_forward - [0:0]
:zone_ipsecserver_input - [0:0]
:zone_ipsecserver_output - [0:0]
:zone_ipsecserver_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -i ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -o ipsec0 -m comment --comment "!fw3" -j zone_ipsecserver_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A zone_ipsecserver_dest_ACCEPT -o ipsec0 -m comment --comment "!fw3" -j ACCEPT
-A zone_ipsecserver_forward -m comment --comment "!fw3: Custom ipsecserver forwarding rule chain" -j forwarding_ipsecserver_rule
-A zone_ipsecserver_forward -m comment --comment "!fw3" -j zone_ipsecserver_dest_ACCEPT
-A zone_ipsecserver_input -m comment --comment "!fw3: Custom ipsecserver input rule chain" -j input_ipsecserver_rule
-A zone_ipsecserver_input -m comment --comment "!fw3" -j zone_ipsecserver_src_ACCEPT
-A zone_ipsecserver_output -m comment --comment "!fw3: Custom ipsecserver output rule chain" -j output_ipsecserver_rule
-A zone_ipsecserver_output -m comment --comment "!fw3" -j zone_ipsecserver_dest_ACCEPT
-A zone_ipsecserver_src_ACCEPT -i ipsec0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -j MINIUPNPD
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
-A zone_wan_input -p gre -m comment --comment "!fw3: gre" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Tue Mar 28 14:32:55 2023

#===================== IPSET状态 =====================#

Name: mwan3_connected_v4
Name: mwan3_connected_v6
Name: mwan3_source_v6
Name: mwan3_dynamic_v4
Name: mwan3_dynamic_v6
Name: mwan3_custom_v4
Name: mwan3_custom_v6
Name: cn
Name: ct
Name: cnc
Name: cmcc
Name: crtc
Name: cernet
Name: gwbn
Name: othernet
Name: china_ip_route
Name: china_ip_route_pass
Name: localnetwork
Name: china
Name: mwan3_connected

#===================== 路由表状态 =====================#

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.100.1      0.0.0.0         UG    0      0        0 br-lan
10.0.100.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan
#ip route list
default via 10.0.100.1 dev br-lan proto static 
10.0.100.0/24 dev br-lan proto kernel scope link src 10.0.100.2 
#ip rule show
0:  from all lookup local
32763:  from all fwmark 0x162 lookup 354
32764:  from all fwmark 0x162 lookup 354
32765:  from all fwmark 0x162 lookup 354
32766:  from all lookup main
32767:  from all lookup default

#===================== Tun设备状态 =====================#

#===================== 端口占用状态 =====================#

#===================== 测试本机DNS查询(www.baidu.com) =====================#

Server:     127.0.0.1
Address:    127.0.0.1:53

*** Can't find www.baidu.com: No answer

#===================== 测试内核DNS查询(www.instagram.com) =====================#

#===================== resolv.conf.d =====================#

# Interface lan
nameserver 10.0.100.1

#===================== 测试本机网络连接(www.baidu.com) =====================#

#===================== 测试本机网络下载(raw.githubusercontent.com) =====================#

#===================== 最近运行日志(自动切换为Debug模式) =====================#

2023-03-28 14:30:16 OpenClash Stoping...
2023-03-28 14:30:16 Step 1: Backup The Current Groups State...
2023-03-28 14:30:16 Step 2: Delete OpenClash Firewall Rules...
2023-03-28 14:30:12【/tmp/openclash_last_version】Download Failed:【curl: (6) Could not resolve host: raw.githubusercontent.com】
2023-03-28 14:30:17 Step 3: Close The OpenClash Daemons...
2023-03-28 14:30:17 Step 4: Close The Clash Core Process...
2023-03-28 14:30:17 Step 5: Restart Dnsmasq...
2023-03-28 14:30:17 Step 6: Delete OpenClash Residue File...
2023-03-28 14:30:17 OpenClash Start Running...
2023-03-28 14:30:17 Step 1: Get The Configuration...
2023-03-28 14:30:17 Step 2: Check The Components...
2023-03-28 14:30:18 Step 3: Modify The Config File...
2023-03-28 14:30:13【/tmp/clash_last_version】Download Failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
2023-03-28 14:30:18 Tip: You have seted the authentication of SOCKS5/HTTP(S) proxy with【Clash:DJchTYZ0】
2023-03-28 14:30:18 Warning: You May Need to Turn off The Rebinding Protection Option of Dnsmasq When Hosts Has Set a Reserved Address
2023-03-28 14:30:18 Tip: Start Running Custom Overwrite Scripts...
2023-03-28 14:30:18 Step 4: Start Running The Clash Core...
2023-03-28 14:30:18 Tip: Detected The Exclusive Function of The TUN Core, Use TUN Core to Start...
2023-03-28 14:30:19 Step 5: Check The Core Status...
14:30:20 INF [Config] start initial provider name=D1
14:30:20 INF [Config] start initial provider name=M
14:30:20 INF [Config] start initial provider name=Pr
14:30:20 INF [Config] start initial provider name=D
14:30:20 INF [Config] initial compatible provider name=PROXY
14:30:20 INF [Config] initial compatible provider name=AD
14:30:20 INF [Config] initial compatible provider name=Netease
14:30:20 INF [Config] initial rule provider name=private
14:30:20 INF [Config] initial rule provider name=direct
2023-03-28 14:30:16【/tmp/openclash_last_version】Download Failed:【curl: (6) Could not resolve host: raw.githubusercontent.com】
2023-03-28 14:30:22 Step 6: Wait For The File Downloading...
2023-03-28 14:30:12【/tmp/openclash_last_version】Download Failed:【curl: (6) Could not resolve host: raw.githubusercontent.com】
2023-03-28 14:30:24 Step 7: Set Firewall Rules...
2023-03-28 14:30:24 Tip: DNS Hijacking Mode is Dnsmasq Redirect...
2023-03-28 14:30:24 Tip: Waiting for TUN Interface Start...
2023-03-28 14:30:13【/tmp/clash_last_version】Download Failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
14:30:25 WRN [Provider] pull resource failed error=Get "https://xxx.com": lookup xxx.com: i/o timeout name=D1
14:30:25 WRN [Provider] pull resource failed error=Get "https://xxx.com/flag=clash": lookup xxx.com: i/o timeout name=M
14:30:25 WRN [Provider] pull resource failed error=Get "https://xxx.com": lookup xxx.com: i/o timeout name=Pr
14:30:25 WRN [Provider] pull resource failed error=Get "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt": lookup cdn.jsdelivr.net: i/o timeout name=private
14:30:25 WRN [Provider] pull resource failed error=Get "https://xxx.com": lookup xxx.com: i/o timeout name=D
14:30:25 FTL [Config] parse config failed error=initial rule provider direct error: Get "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt": lookup cdn.jsdelivr.net: i/o timeout
2023-03-28 14:30:26 Tip: Start Add Port Bypassing Rules For Firewall Redirect and Firewall Rules...
2023-03-28 14:30:26 Tip: Start Add Custom Firewall Rules...
2023-03-28 14:30:26 Step 8: Restart Dnsmasq...
2023-03-28 14:30:26 Step 9: Add Cron Rules, Start Daemons...
2023-03-28 14:30:26 OpenClash Start Successful!
2023-03-28 14:30:16【/tmp/openclash_last_version】Download Failed:【curl: (6) Could not resolve host: raw.githubusercontent.com】
2023-03-28 14:30:12【/tmp/openclash_last_version】Download Failed:【curl: (6) Could not resolve host: raw.githubusercontent.com】
2023-03-28 14:30:13【/tmp/clash_last_version】Download Failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
2023-03-28 14:30:16【/tmp/openclash_last_version】Download Failed:【curl: (6) Could not resolve host: raw.githubusercontent.com】
2023-03-28 14:30:30【/tmp/openclash_last_version】Download Failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
2023-03-28 14:30:35【/tmp/openclash_last_version】Download Failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
2023-03-28 14:30:30【/tmp/openclash_last_version】Download Failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
2023-03-28 14:30:35【/tmp/openclash_last_version】Download Failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
2023-03-28 14:30:30【/tmp/openclash_last_version】Download Failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
2023-03-28 14:30:35【/tmp/openclash_last_version】Download Failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
2023-03-28 14:31:26 Watchdog: Clash Core Problem, Restart...
14:31:27 INF [Config] start initial provider name=D
14:31:27 INF [Config] start initial provider name=D1
14:31:27 INF [Config] start initial provider name=M
14:31:27 INF [Config] start initial provider name=Pr
14:31:27 INF [Config] initial compatible provider name=PROXY
14:31:27 INF [Config] initial compatible provider name=AD
14:31:27 INF [Config] initial compatible provider name=Netease
14:31:27 INF [Config] initial rule provider name=openai
14:31:27 INF [Config] initial rule provider name=proxy
14:31:32 WRN [Provider] pull resource failed error=Get "https://xxx.com": lookup xxx.com: i/o timeout name=D
14:31:32 WRN [Provider] pull resource failed error=Get "https://xxx.com": lookup xxx.com: i/o timeout name=D1
14:31:32 WRN [Provider] pull resource failed error=Get "https://xxx.com/flag=clash": lookup xxx.com: i/o timeout name=M
14:31:32 WRN [Provider] pull resource failed error=Get "https://xxx.com/ChatGPT.yaml": lookup xxx.com: i/o timeout name=openai
14:31:32 WRN [Provider] pull resource failed error=Get "https://xxx.com": lookup xxx.com: i/o timeout name=Pr
14:31:32 FTL [Config] parse config failed error=initial rule provider proxy error: Get "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt": lookup cdn.jsdelivr.net: i/o timeout
2023-03-28 14:32:29 Watchdog: Clash Core Problem, Restart...
14:32:30 INF [Config] start initial provider name=D1
14:32:30 INF [Config] start initial provider name=M
14:32:30 INF [Config] start initial provider name=Pr
14:32:30 INF [Config] start initial provider name=D
14:32:30 INF [Config] initial compatible provider name=AD
14:32:30 INF [Config] initial compatible provider name=PROXY
14:32:30 INF [Config] initial compatible provider name=Netease
14:32:30 INF [Config] initial rule provider name=openai
14:32:30 INF [Config] initial rule provider name=cncidr
14:32:30 INF [Config] initial rule provider name=proxy
14:32:35 WRN [Provider] pull resource failed error=Get "https://xxx.com": lookup xxx.com: i/o timeout name=D1
14:32:35 WRN [Provider] pull resource failed error=Get "https://xxx.com/flag=clash": lookup xxx.com: i/o timeout name=M
14:32:35 WRN [Provider] pull resource failed error=Get "https://xxx.com": lookup xxx.com: i/o timeout name=Pr
14:32:35 WRN [Provider] pull resource failed error=Get "https://xxx.com/ChatGPT.yaml": lookup xxx.com: i/o timeout name=openai
14:32:35 WRN [Provider] pull resource failed error=Get "https://xxx.com": lookup xxx.com: i/o timeout name=D
14:32:35 WRN [Provider] pull resource failed error=Get "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt": lookup cdn.jsdelivr.net: i/o timeout name=cncidr
14:32:35 FTL [Config] parse config failed error=initial rule provider proxy error: Get "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt": lookup cdn.jsdelivr.net: i/o timeout
2023-03-28 14:32:51【/tmp/clash_last_version】Download Failed:【curl: (6) Could not resolve host: raw.githubusercontent.com】
2023-03-28 14:32:56【/tmp/clash_last_version】Download Failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
2023-03-28 14:32:56【/tmp/clash_last_version】Download Failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
2023-03-28 14:32:56【/tmp/clash_last_version】Download Failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】

#===================== 最近运行日志获取完成(自动切换为silent模式) =====================#

#===================== 活动连接信息 =====================#

OpenClash Config

No response

Expected Behavior

上传的本地配置文件,应该跟在线订阅转换一样,持续稳定运行

Screenshots

No response

tactan commented 1 year ago

目前测试,出现这种情况后:

1、只删除两个.db文件,无法启动,还是报内核崩溃 2、删除两个.db文件,覆盖更新proxy_provider里面的文件,无法启动,还是报内核崩溃 3、删除两个.db文件,覆盖更新proxy_provider里面的文件,再覆盖更新rule_provider里面的文件,可以正常启动

覆盖的provider文件来自PC上的ClashX Pro,拷出来上传覆盖

考虑是不是由于rule_provider里面的某些文件较大导致的,最近一次奔溃后,看里面有些文件已经有4M了,但实际规则最多的一个文件,大概1.5M的样子,正常更新应该不会翻倍的变大;由于rule_provider正常没法自动更新,查issue看有提到,加了health-check就会正常更新,实际观察也是这样,下次再出问题,下载一个配置文件下来看看

vernesong commented 1 year ago

你想办法把内核的报错日志发出来

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

tactan commented 1 year ago

OpenClash-2023-6-5-13-22-25.log @vernesong 看看这个日志可以用嘛,出现问题后,还是无网络,openwrt系统无法访问,只能强制重启openwrt,重启后OpenClash无法自动运行,看日志反复报内核崩溃,重启中;切换到自带的在线配置订阅转换无此问题;按照上面回复的,删除db文件,覆盖更新provider,再次启动就能恢复正常;出现问题后,内核日志无法切换到其他模式,只能在Silent模式下运行,尝试切换模式会报错,或者提示切换成功,但又会立即切换回Silent,在线配置订阅转换无此问题;看起来就像本地的provider文件都存在,而且是正常的,但OpenClash无法识别这些文件了,必须要手动覆盖更新一次,尤其是rule provider

vernesong commented 1 year ago

规则下载不了你用meta内核先启动

tactan commented 1 year ago

规则下载不了你用meta内核先启动

@vernesong 切换到meta内核确实就可以正常启动了,其他都没改动,也没手动覆盖本地文件;所有的插件、内核版本也都还是提交issue时的;这样的话,自己上传配置文件时,就推荐直接在meta内核下运行嘛,还是后期也可能切换回tun内核的

vernesong commented 1 year ago

下载问题需要自己改下载地址的cdn

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days