vernesong / OpenClash

A Clash Client For OpenWrt
MIT License
16.93k stars 3.11k forks

[Bug] Version 143 keeps trying to reset the firewall rules #3539

Closed zzz6839 closed 1 year ago

zzz6839 commented 1 year ago

Verify Steps

OpenClash Version

v0.45.143-beta

Bug on Environment

Other

Bug on Platform

Linux-amd64(x86-64)

To Reproduce

This problem appeared after updating to version 143; it did not occur on 141.

Describe the Bug

It keeps repeating the following steps:

2023-09-30 08:21:23 Tip: adding port bypass rules based on firewall port forwards and firewall traffic rules...
2023-09-30 08:21:22 Tip: waiting for the TUN interface to come up...
2023-09-30 08:21:22 Tip: IPv6 proxy mode is TProxy...
2023-09-30 08:21:22 Tip: DNS hijacking is not enabled...
2023-09-30 08:21:17 Config file【/etc/openclash/Redirhost.yaml】tested successfully...
2023-09-30 08:21:15 Calling the core to test the config file before startup...
2023-09-30 08:21:14 Resetting OpenClash firewall rules...

OpenClash Log

2023-09-30 08:23:24 Tip: adding port bypass rules based on firewall port forwards and firewall traffic rules...
2023-09-30 08:23:24 Tip: waiting for the TUN interface to come up...
2023-09-30 08:23:24 Tip: IPv6 proxy mode is TProxy...
2023-09-30 08:23:24 Tip: DNS hijacking is not enabled...
2023-09-30 08:23:19 Config file【/etc/openclash/Redirhost.yaml】tested successfully...
2023-09-30 08:23:17 Calling the core to test the config file before startup...
2023-09-30 08:23:16 Resetting OpenClash firewall rules...
2023-09-30 08:23:11 Watchdog: detected wrong forwarding rule order, modifying the plugin's firewall rules...
2023-09-30 08:23:04 Tip: adding port bypass rules based on firewall port forwards and firewall traffic rules...
2023-09-30 08:23:04 Tip: waiting for the TUN interface to come up...
2023-09-30 08:23:04 Tip: IPv6 proxy mode is TProxy...
2023-09-30 08:23:04 Tip: DNS hijacking is not enabled...
2023-09-30 08:22:59 Config file【/etc/openclash/Redirhost.yaml】tested successfully...
2023-09-30 08:22:57 Calling the core to test the config file before startup...
2023-09-30 08:22:56 Resetting OpenClash firewall rules...
2023-09-30 08:22:43 Tip: adding port bypass rules based on firewall port forwards and firewall traffic rules...
2023-09-30 08:22:43 Tip: waiting for the TUN interface to come up...
2023-09-30 08:22:43 Tip: IPv6 proxy mode is TProxy...
2023-09-30 08:22:43 Tip: DNS hijacking is not enabled...
2023-09-30 08:22:38 Config file【/etc/openclash/Redirhost.yaml】tested successfully...
2023-09-30 08:22:36 Calling the core to test the config file before startup...
2023-09-30 08:22:35 Resetting OpenClash firewall rules...
2023-09-30 08:22:23 Tip: adding port bypass rules based on firewall port forwards and firewall traffic rules...
2023-09-30 08:22:23 Tip: waiting for the TUN interface to come up...
2023-09-30 08:22:23 Tip: IPv6 proxy mode is TProxy...
2023-09-30 08:22:23 Tip: DNS hijacking is not enabled...
2023-09-30 08:22:18 Config file【/etc/openclash/Redirhost.yaml】tested successfully...
2023-09-30 08:22:16 Calling the core to test the config file before startup...
2023-09-30 08:22:15 Resetting OpenClash firewall rules...
2023-09-30 08:22:11 Watchdog: detected wrong forwarding rule order, modifying the plugin's firewall rules...
2023-09-30 08:22:02 Tip: adding port bypass rules based on firewall port forwards and firewall traffic rules...
2023-09-30 08:22:02 Tip: waiting for the TUN interface to come up...
2023-09-30 08:22:02 Tip: IPv6 proxy mode is TProxy...
2023-09-30 08:22:02 Tip: DNS hijacking is not enabled...
2023-09-30 08:21:57 Config file【/etc/openclash/Redirhost.yaml】tested successfully...
2023-09-30 08:21:55 Calling the core to test the config file before startup...
2023-09-30 08:21:54 Resetting OpenClash firewall rules...
2023-09-30 08:21:42 Tip: adding port bypass rules based on firewall port forwards and firewall traffic rules...
2023-09-30 08:21:42 Tip: waiting for the TUN interface to come up...
2023-09-30 08:21:42 Tip: IPv6 proxy mode is TProxy...
2023-09-30 08:21:42 Tip: DNS hijacking is not enabled...
2023-09-30 08:21:37 Config file【/etc/openclash/Redirhost.yaml】tested successfully...
2023-09-30 08:21:30【/tmp/openclash_last_version】download failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
2023-09-30 08:21:35 Calling the core to test the config file before startup...
2023-09-30 08:21:34 Resetting OpenClash firewall rules...
2023-09-30 08:19:55【/tmp/openclash_last_version】download failed:【curl: (28) Operation too slow. Less than 1 bytes/sec transferred the last 30 seconds】
2023-09-30 08:19:50【/tmp/openclash_last_version】download failed:【curl: (28) Operation too slow. Less than 1 bytes/sec transferred the last 30 seconds】
2023-09-30 08:21:23 Tip: adding port bypass rules based on firewall port forwards and firewall traffic rules...
2023-09-30 08:21:22 Tip: waiting for the TUN interface to come up...
2023-09-30 08:21:22 Tip: IPv6 proxy mode is TProxy...
2023-09-30 08:21:22 Tip: DNS hijacking is not enabled...
2023-09-30 08:21:17 Config file【/etc/openclash/Redirhost.yaml】tested successfully...
2023-09-30 08:21:15 Calling the core to test the config file before startup...
2023-09-30 08:21:14 Resetting OpenClash firewall rules...
2023-09-30 08:21:08【/tmp/clash_last_version】download failed:【curl: (6) Could not resolve host: ftp.jaist.ac.jp】
2023-09-30 08:21:10 Watchdog: detected wrong forwarding rule order, modifying the plugin's firewall rules...
2023-09-30 08:21:02【/tmp/clash_last_version】download failed:【curl: (6) Could not resolve host: raw.githubusercontent.com】
2023-09-30 08:21:02 Tip: adding port bypass rules based on firewall port forwards and firewall traffic rules...
2023-09-30 08:21:02 Tip: waiting for the TUN interface to come up...
2023-09-30 08:21:02 Tip: IPv6 proxy mode is TProxy...
2023-09-30 08:21:02 Tip: DNS hijacking is not enabled...
2023-09-30 08:19:55【/tmp/openclash_last_version】download failed:【curl: (28) Operation too slow. Less than 1 bytes/sec transferred the last 30 seconds】
2023-09-30 08:20:57 Config file【/etc/openclash/Redirhost.yaml】tested successfully...
2023-09-30 08:20:55 Calling the core to test the config file before startup...
2023-09-30 08:20:54 Resetting OpenClash firewall rules...
2023-09-30 08:19:50【/tmp/openclash_last_version】download failed:【curl: (28) Operation too slow. Less than 1 bytes/sec transferred the last 30 seconds】

OpenClash Config

OpenClash debug log

Generated at: 2023-09-30 08:25:26
Plugin version: v0.45.143-beta
Privacy notice: before uploading this log, check it and mask sensitive information such as public IPs, proxy nodes and passwords

#===================== System information =====================#

Host model: To be filled by O.E.M. To be filled by O.E.M.
Firmware version: ImmortalWrt 21.02-SNAPSHOT r20074-a8bbadefaf
LuCI version: git-20.074.84698-ead5e81
Kernel version: 5.4.255
CPU architecture: 

#If this has a value and you do not use IPv6, disable the IPv6 DHCP server under Network - Interfaces - lan
IPV6-DHCP: server

DNS hijack: disabled
#When DNS hijack mode is Dnsmasq, this should contain only the DNS listen address from the config file
Dnsmasq forward setting: 127.0.0.1#5335

#===================== Dependency check =====================#

dnsmasq-full: installed
coreutils: installed
coreutils-nohup: installed
bash: installed
curl: installed
ca-certificates: installed
ipset: installed
ip-full: installed
libcap: installed
libcap-bin: installed
ruby: installed
ruby-yaml: installed
ruby-psych: installed
ruby-pstore: installed
kmod-tun(TUN mode): installed
luci-compat(Luci >= 19.07): installed
kmod-inet-diag(PROCESS-NAME): installed
unzip: installed
iptables-mod-tproxy: installed
kmod-ipt-tproxy: installed
iptables-mod-extra: installed
kmod-ipt-extra: installed
kmod-ipt-nat: installed

#===================== Core check =====================#

Running state: running
Running core: Meta
Process PID: 3983
Running permissions: 3983: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
Running user: nobody
Selected architecture: linux-amd64

#If no core version is shown below, check that the core version is correct and that the file has execute permission
Tun core version: 2023.08.17-13-gdcc8d87
Tun core file: present
Tun core exec permission: OK

Dev core version: v1.18.0-13-gd034a40
Dev core file: present
Dev core exec permission: OK

Meta core version: alpha-g5f6de61
Meta core file: present
Meta core exec permission: OK

#===================== Plugin settings =====================#

Current config file: /etc/openclash/config/Redirhost.yaml
Startup config file: /etc/openclash/Redirhost.yaml
Running mode: redir-host-mix
Default proxy mode: rule
UDP traffic forwarding (tproxy): disabled
Custom DNS: enabled
IPv6 proxy: enabled
IPv6 DNS resolution: enabled
Disable Dnsmasq cache: disabled
Custom rules: disabled
LAN access only: enabled
Proxy only rule-matched traffic: disabled
Common ports only: disabled
Bypass mainland China IPs: enabled
Proxy the router's own traffic: enabled

#If startup fails, try disabling this and retry
Mixed proxies: disabled
Keep config: disabled

#If startup fails, try disabling this and retry
Third-party rules: disabled

#===================== Config file =====================#

port: 7890
socks-port: 7891
redir-port: 7892
tproxy-port: 7895
mixed-port: 7893
allow-lan: true
bind-address: "*"
mode: rule
log-level: debug
ipv6: true
external-controller: 0.0.0.0:9090
hosts:
  music.163-my-beloved.com: 76.76.21.21
  msftconnecttest.com: 127.0.0.1
profile:
  store-selected: true
  store-fake-ip: true
dns:
  enable: true
  listen: 0.0.0.0:7874
  enhanced-mode: redir-host

  default-nameserver:
  - 223.6.6.6
  - 119.29.29.29
  nameserver:
  - https://.cloudflare-gateway.com/dns-query
  - tls://dns.google
  proxy-server-nameserver:
  - 119.29.29.29
  - 223.6.6.6
  nameserver-policy:
    geosite:cn,private,microsoft@cn,apple@cn,apple-cn:
    - 223.6.6.6
    - 22.227
    rule-set:SteamCN,Speedtest,BILIBILIHMT_domain,Epicgames,Rockstar,DomesticDNS:
    - 223.6.6.6
    - 22.227
  ipv6: true
  use-hosts: true
proxy-groups:
- name: "✈️PROXY"
  type: select
  proxies:
  - Auto
  - Manual
- name: Auto
  type: fallback
  proxies:
  - main(Auto)
  - backup(Auto)
  url: https://www.youtube.com/generate_204
  interval: 60
- name: main(Auto)
  type: url-test
  use:
  - Airport A
  url: https://www.youtube.com/generate_204
  interval: 300
  tolerance: 40
  filter: 香港|hk|hong|台湾
  lazy: false
- name: backup(Auto)
  type: url-test
  use:
  - Airport B
  url: https://www.youtube.com/generate_204
  interval: 300
  tolerance: 40
- name: Manual
  type: select
  proxies:
  - main (Manual)
  - backup (Manual)
- name: main (Manual)
  type: select
  use:
  - Airport A
- name: backup (Manual)
  type: select
  use:
  - Airport B
- name: "\U0001F1F9\U0001F1FCBaha"
  type: url-test
  use:
  - Airport A
  filter: "(?!.*(游戏)).*(台湾|taiwan|TW)"
  url: https://ani.gamer.com.tw/
  interval: 900
  lazy: true
  tolerance: 50
- name: e-hentai auto
  type: load-balance
  strategy: round-robin
  use:
  - Airport A
  proxies:
  - backup(Auto)
  url: https://e-hentai.org
  interval: 900
  tolerance: 50
- name: javdb
  type: load-balance
  strategy: round-robin
  use:

rules:
- DST-PORT,7895,REJECT
- DST-PORT,7892,REJECT
- IP-CIDR,198.18.0.1/16,REJECT,no-resolve
- RULE-SET,Refuse,REJECT
- DOMAIN,connectivitycheck.gstatic.com,✈️PROXY
- RULE-SET,private,DIRECT
- "RULE-SET,baha,\U0001F1F9\U0001F1FCBaha"
- "RULE-SET,TikTok,\U0001F1EF\U0001F1F5DMM/Mgstage/Tiktok"
- "DOMAIN-SUFFIX,mgstage.com,\U0001F1EF\U0001F1F5DMM/Mgstage/Tiktok"
- "RULE-SET,DMM_domain,\U0001F1EF\U0001F1F5DMM/Mgstage/Tiktok"
- RULE-SET,E-Hentai_domain,e-hentai auto
- RULE-SET,Vercel,Vercel
- GEOSITE,javdb,javdb
- RULE-SET,SteamCN,DIRECT
- RULE-SET,Steam,✈️PROXY
- "GEOSITE,openai,\U0001F1FA\U0001F1F8AI"
- "DOMAIN,bard.google.com,\U0001F1FA\U0001F1F8AI"
- "DOMAIN-SUFFIX,anthropic.com,\U0001F1FA\U0001F1F8AI"
- "DOMAIN-SUFFIX,claude.ai,\U0001F1FA\U0001F1F8AI"
- DOMAIN-SUFFIX,chinadigitaltimes.net,backup (Manual)
- DOMAIN-SUFFIX,ttvnw.net,EsportsVid
- "RULE-SET,\U0001F9F1gfw,✈️PROXY"
- RULE-SET,Proxy,✈️PROXY
- "RULE-SET,RiotGames,\U0001F44ARiotGames"
- RULE-SET,Speedtest,♿speedtest
- RULE-SET,BILIBILIHMT_domain,Bilibili国台
- RULE-SET,Epicgames,DIRECT
- RULE-SET,bt-trackers,DIRECT
- GEOSITE,microsoft@cn,DIRECT
- RULE-SET,Microsoft,✈️PROXY
- GEOSITE,apple@cn,DIRECT
- GEOSITE,apple-cn,DIRECT
- "RULE-SET,\U0001F34EApple_domain,✈️PROXY"
- RULE-SET,Rockstar,DIRECT
- RULE-SET,domestic,DIRECT
- IP-CIDR,198.18.0.1/16,REJECT,no-resolve
- RULE-SET,reject_ip,REJECT,no-resolve
- RULE-SET,lancidr,DIRECT,no-resolve
- "RULE-SET,\U0001F3AEonline game,\U0001F3AEonline game,no-resolve"
- IP-CIDR,76.76.21.21/32,Vercel
- RULE-SET,Telegram_ip,✈️PROXY,no-resolve
- GEOIP,CN,DIRECT
- DST-PORT,80,DST-PORT
- DST-PORT,443,DST-PORT
- DST-PORT,22,DST-PORT
- DST-PORT,9993,DIRECT
- SRC-PORT,9993,DIRECT
- MATCH,✈️PROXY
external-ui: "/usr/share/openclash/ui"
geodata-loader: memconservative
tcp-concurrent: true
sniffer:
  enable: true
  force-dns-mapping: true
  parse-pure-ip: true
  force-domain:
  - "+.netflix.com"
  - "+.nflxvideo.net"
  - "+.amazonaws.com"
  - "+.media.dssott.com"
  skip-domain:
  - "+.apple.com"
  - Mijia Cloud
  - "+.jd.com"
  sniff:
    TLS:
    HTTP:
      ports:
      - 80
      - 8080-8880
      override-destination: true
tun:
  enable: true
  stack: system
  device: utun
  auto-route: false
  auto-detect-interface: false
  dns-hijack:
  - tcp://any:53
authentication:
- Clash:GfWeEbwi

#===================== Custom overwrite settings =====================#

#!/bin/sh
. /usr/share/openclash/ruby.sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom overwrite scripts here; they take effect after OpenClash's own scripts

LOG_OUT "Tip: Start Running Custom Overwrite Scripts..."
LOGTIME=$(date "+%Y-%m-%d %H:%M:%S")
LOG_FILE="/tmp/openclash.log"
CONFIG_FILE="$1" #config path

#ruby -ryaml -rYAML -I "/usr/share/openclash" -E UTF-8 -e "
#   begin
#      Value = YAML.load_file('$CONFIG_FILE');
#   rescue Exception => e
#      puts '${LOGTIME} Error: Load File Failed,【' + e.message + '】';
#   end;

    #General
#   begin
#   Thread.new{
#      Value['redir-port']=7892;
#      Value['tproxy-port']=7895;
#      Value['port']=7890;
#      Value['socks-port']=7891;
#      Value['mixed-port']=7893;
#   }.join;
#   rescue Exception => e
#      puts '${LOGTIME} Error: Set General Failed,【' + e.message + '】';
#   ensure
#      File.open('$CONFIG_FILE','w') {|f| YAML.dump(Value, f)};
#   end" 2>/dev/null >> $LOG_FILE

exit 0
#===================== Custom firewall settings =====================#

#!/bin/sh

# This script is called by /etc/init.d/openclash
#iptables -t mangle -I openclash -s 192.168.1.219/32 -j RETURN
#nft 'insert rule inet fw4 openclash_dns_redirect position 0 ip saddr {192.168.1.219} counter return' 2>/dev/null
#nft 'insert rule inet fw4 openclash_dns_redirect position 0 ether saddr 00:E0:B4:1D:36:9A counter return' 2>/dev/null
#nft 'insert rule inet fw4 openclash_mangle ip saddr {192.168.1.219} counter return' 2>/dev/null
#iptables -t mangle -A openclash -m set --match-set 00:E0:B4:1D:36:9A src -j RETURN >/dev/null 2>&1
#iptables -t nat -A openclash -m set --match-set 00:E0:B4:1D:36:9A src -j RETURN >/dev/null 2>&1
#iptables -t nat -A openclash -m set --match-set 192.168.1.219/32 src -j RETURN >/dev/null 2>&1
#iptables -t mangle -A openclash -m set --match-set 192.168.1.219/32 src -j RETURN >/dev/null 2>&1

#nft 'add rule inet fw4 openclash ip saddr [fd8f:2de7:b000::2a2] counter return' 2>/dev/null
#nft 'add rule inet fw4 openclash ip saddr [240e:390:818:1b80::2a2] counter return' 2>/dev/null
exit 0
#===================== IPTABLES firewall settings =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Sat Sep 30 08:25:29 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [1:52]
:OUTPUT ACCEPT [5:300]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_docker_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_docker_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:ts-postrouting - [0:0]
:zone_docker_postrouting - [0:0]
:zone_docker_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -p tcp -j openclash
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i utun -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth3 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i docker0 -m comment --comment "!fw3" -j zone_docker_prerouting
-A PREROUTING -p udp -m comment --comment DNSMASQ -m udp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j openclash_output
-A POSTROUTING -j ts-postrouting
-A POSTROUTING -s 172.19.0.0/16 ! -o br-f9f0172bbecf -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o utun -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth3 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o docker0 -m comment --comment "!fw3" -j zone_docker_postrouting
-A DOCKER -i br-f9f0172bbecf -j RETURN
-A DOCKER -i docker0 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -m set --match-set lan_ac_black_macs src -j RETURN
-A openclash -m set --match-set china_ip_route dst -m set ! --match-set china_ip_route_pass dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -m owner ! --uid-owner 65534 -m set --match-set china_ip_route dst -m set ! --match-set china_ip_route_pass dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A ts-postrouting -m mark --mark 0x40000/0xff0000 -j MASQUERADE
-A zone_docker_postrouting -m comment --comment "!fw3: Custom docker postrouting rule chain" -j postrouting_docker_rule
-A zone_docker_prerouting -m comment --comment "!fw3: Custom docker prerouting rule chain" -j prerouting_docker_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
COMMIT
# Completed on Sat Sep 30 08:25:29 2023

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Sat Sep 30 08:25:29 2023
*mangle
:PREROUTING ACCEPT [895:287307]
:INPUT ACCEPT [424:179910]
:FORWARD ACCEPT [29:3155]
:OUTPUT ACCEPT [447:46014]
:POSTROUTING ACCEPT [476:49169]
:openclash - [0:0]
:openclash_dns_hijack - [0:0]
:openclash_upnp - [0:0]
-A PREROUTING -p udp -j openclash
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -p udp -m udp --sport 68 -j RETURN
-A openclash -i utun -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -m set --match-set lan_ac_black_macs src -j RETURN
-A openclash -m set --match-set china_ip_route dst -m set ! --match-set china_ip_route_pass dst -j RETURN
-A openclash -p udp -j openclash_upnp
-A openclash -j MARK --set-xmark 0x162/0xffffffff
COMMIT
# Completed on Sat Sep 30 08:25:29 2023

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Sat Sep 30 08:25:29 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:forwarding_docker_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_docker_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:openclash_wan_input - [0:0]
:output_docker_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:ts-forward - [0:0]
:ts-input - [0:0]
:zone_docker_dest_ACCEPT - [0:0]
:zone_docker_forward - [0:0]
:zone_docker_input - [0:0]
:zone_docker_output - [0:0]
:zone_docker_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i eth3 -m set ! --match-set localnetwork src -j openclash_wan_input
-A INPUT -i pppoe-wan -m set ! --match-set localnetwork src -j openclash_wan_input
-A INPUT -j ts-input
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i utun -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth3 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
-A FORWARD -o utun -p udp -m udp --dport 443 -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip_route dst -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o utun -m comment --comment "OpenClash TUN Forward" -j ACCEPT
-A FORWARD -j ts-forward
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-f9f0172bbecf -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-f9f0172bbecf -j DOCKER
-A FORWARD -i br-f9f0172bbecf ! -o br-f9f0172bbecf -j ACCEPT
-A FORWARD -i br-f9f0172bbecf -o br-f9f0172bbecf -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i utun -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth3 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o utun -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth3 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
-A DOCKER-ISOLATION-STAGE-1 -i br-f9f0172bbecf ! -o br-f9f0172bbecf -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-f9f0172bbecf -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -i eth3 -o docker0 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
-A openclash_wan_input -p udp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp-port-unreachable
-A openclash_wan_input -p tcp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp-port-unreachable
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
-A ts-forward -s 100.64.0.0/10 -o tailscale0 -j DROP
-A ts-forward -o tailscale0 -j ACCEPT
-A ts-input -s 100.73.77.7/32 -i lo -j ACCEPT
-A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN
-A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
-A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
-A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
-A zone_docker_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
-A zone_docker_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_ACCEPT
-A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
-A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_src_ACCEPT -i docker0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o utun -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i utun -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth3 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth3 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth3 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Sep 30 08:25:29 2023

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.7 on Sat Sep 30 08:25:29 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:openclash_output - [0:0]
:ts-postrouting - [0:0]
-A PREROUTING -d 2001:4860:4860::8844/128 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j ACCEPT
-A PREROUTING -d 2001:4860:4860::8888/128 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j ACCEPT
-A PREROUTING -p udp -m comment --comment DNSMASQ -m udp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT -j openclash_output
-A POSTROUTING -j ts-postrouting
-A openclash_output -m set --match-set localnetwork6 dst -j RETURN
-A openclash_output -m owner ! --uid-owner 65534 -m set --match-set china_ip6_route dst -m set ! --match-set china_ip6_route_pass dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A ts-postrouting -m mark --mark 0x40000/0xff0000 -j MASQUERADE
COMMIT
# Completed on Sat Sep 30 08:25:29 2023

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.7 on Sat Sep 30 08:25:29 2023
*mangle
:PREROUTING ACCEPT [10:788]
:INPUT ACCEPT [9:716]
:FORWARD ACCEPT [1:72]
:OUTPUT ACCEPT [10:956]
:POSTROUTING ACCEPT [10:956]
:openclash - [0:0]
-A PREROUTING -j openclash
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -p udp -m udp --sport 546 -j RETURN
-A openclash -i lo -j RETURN
-A openclash -m set --match-set localnetwork6 dst -j RETURN
-A openclash -p udp -m udp --dport 53 -j RETURN
-A openclash -m set --match-set lan_ac_black_macs src -j RETURN
-A openclash -m set --match-set china_ip6_route dst -m set ! --match-set china_ip6_route_pass dst -j RETURN
-A openclash -p tcp -m comment --comment "OpenClash TCP Tproxy" -j TPROXY --on-port 7895 --on-ip :: --tproxy-mark 0x162/0xffffffff
-A openclash -p udp -m comment --comment "OpenClash UDP Tproxy" -j TPROXY --on-port 7895 --on-ip :: --tproxy-mark 0x162/0xffffffff
COMMIT
# Completed on Sat Sep 30 08:25:29 2023

#IPv6 Filter chain

# Generated by ip6tables-save v1.8.7 on Sat Sep 30 08:25:29 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_docker_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_docker_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:openclash_wan_input - [0:0]
:output_docker_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:ts-forward - [0:0]
:ts-input - [0:0]
:zone_docker_dest_ACCEPT - [0:0]
:zone_docker_forward - [0:0]
:zone_docker_input - [0:0]
:zone_docker_output - [0:0]
:zone_docker_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i eth3 -m set ! --match-set localnetwork6 src -j openclash_wan_input
-A INPUT -i pppoe-wan -m set ! --match-set localnetwork6 src -j openclash_wan_input
-A INPUT -p udp -m udp --dport 443 -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip6_route dst -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j ts-input
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i utun -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth3 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
-A FORWARD -j ts-forward
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i utun -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth3 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o utun -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth3 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
-A openclash_wan_input -p udp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp6-port-unreachable
-A openclash_wan_input -p tcp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp6-port-unreachable
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
-A ts-forward -o tailscale0 -j ACCEPT
-A ts-input -s fd7a:115c:a1e0:ab12:4843:cd96:6249:4d07/128 -i lo -j ACCEPT
-A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
-A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
-A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
-A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_ACCEPT
-A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
-A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
-A zone_docker_src_ACCEPT -i docker0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o utun -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i utun -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth3 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth3 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth3 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Sep 30 08:25:29 2023

#===================== IPSET status =====================#

Name: lan_ac_black_macs
Type: hash:mac
Revision: 0
Header: hashsize 1024 maxelem 65536
Size in memory: 256
References: 3
Number of entries: 1

Name: localnetwork
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1088
References: 5
Number of entries: 10

Name: china_ip_route
Type: hash:net
Revision: 6
Header: family inet hashsize 4096 maxelem 1000000
Size in memory: 248200
References: 4
Number of entries: 8660

Name: china_ip_route_pass
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1000000
Size in memory: 448
References: 3
Number of entries: 0

Name: china_ip6_route
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 1000000
Size in memory: 105840
References: 3
Number of entries: 1983

Name: china_ip6_route_pass
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 1000000
Size in memory: 1232
References: 2
Number of entries: 0

Name: localnetwork6
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 3360
References: 4
Number of entries: 19

#===================== Routing table status =====================#

#IPv4

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.19.32.1     0.0.0.0         UG    0      0        0 pppoe-wan
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-f9f0172bbecf
172.19.32.1     0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
198.18.0.0      0.0.0.0         255.255.255.252 U     0      0        0 utun

#ip route list
default via 172.19.32.1 dev pppoe-wan proto static 
172.19.0.0/16 dev br-f9f0172bbecf proto kernel scope link src 172.19.0.1 
172.19.32.1 dev pppoe-wan proto kernel scope link src *WAN IP*.57 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
198.18.0.0/30 dev utun proto kernel scope link src 198.18.0.1 

#ip rule show
0:  from all lookup local
5209:   from all fwmark 0x162 lookup 354
5210:   from all fwmark 0x80000/0xff0000 lookup main
5230:   from all fwmark 0x80000/0xff0000 lookup default
5250:   from all fwmark 0x80000/0xff0000 unreachable
5270:   from all lookup 52
32766:  from all lookup main
32767:  from all lookup default

#IPv6

#route -A inet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
fd7a:115c:a1e0::/48                         ::                                      U     1024   5        0 tailscale0
::/0                                        ::                                      !n    -1     2        0 lo      
::/0                                        ::                                      U     1024   1        0 lo      
::/0                                        ::                                      !n    -1     2        0 lo      
::/0                                        ::                                      !n    -1     2        0 lo      
::/0                                        fe80::d6c1:c8ff:fe95:c450               UG    512    5        0 pppoe-wan
::/0                                        fe80::d6c1:c8ff:fe95:c450               UG    512    6        0 pppoe-wan
2408:8240:803:30b::/64                      ::                                      !n    2147483647 2        0 lo      
2408:8240:820:7830::/64                     ::                                      U     1024   5        0 br-lan  
2408:8240:820:7830::/60                     ::                                      !n    2147483647 1        0 lo      
fd7a:115c:a1e0:ab12:4843:cd96:6249:4d07/128 ::                                      U     256    3        0 tailscale0
fd8f:2de7:b000::/64                         ::                                      U     1024   5        0 br-lan  
fd8f:2de7:b000::/48                         ::                                      !n    2147483647 1        0 lo      
fe80::2e2:697f:cb24:7a07/128                ::                                      U     256    1        0 pppoe-wan
fe80::d6c1:c8ff:fe95:c450/128               ::                                      U     1      1        0 pppoe-wan
fe80::/64                                   ::                                      U     256    1        0 ifb4eth3
fe80::/64                                   ::                                      U     256    1        0 veth66cff0e
fe80::/64                                   ::                                      U     256    1        0 br-f9f0172bbecf
fe80::/64                                   ::                                      U     256    1        0 veth436712b
fe80::/64                                   ::                                      U     256    1        0 tailscale0
fe80::/64                                   ::                                      U     256    4        0 br-lan  
fe80::/64                                   ::                                      U     256    1        0 eth3    
fe80::/64                                   ::                                      U     256    1        0 utun    
::/0                                        ::                                      !n    -1     2        0 lo      
::1/128                                     ::                                      Un    0      7        0 lo      
2408:8240:803:30b::/128                     ::                                      Un    0      3        0 pppoe-wan
*WAN IP*:7a07/128    ::                                      Un    0      8        0 pppoe-wan
2408:8240:820:7830::/128                    ::                                      Un    0      3        0 br-lan  
2408:8240:820:7830::1/128                   ::                                      Un    0      7        0 br-lan  
fd7a:115c:a1e0:ab12:4843:cd96:6249:4d07/128 ::                                      Un    0      4        0 tailscale0
fd8f:2de7:b000::/128                        ::                                      Un    0      3        0 br-lan  
fd8f:2de7:b000::1/128                       ::                                      Un    0      7        0 br-lan  
fe80::/128                                  ::                                      Un    0      7        0 ifb4eth3
fe80::/128                                  ::                                      Un    0      3        0 veth66cff0e
fe80::/128                                  ::                                      Un    0      3        0 br-f9f0172bbecf
fe80::/128                                  ::                                      Un    0      3        0 veth436712b
fe80::/128                                  ::                                      Un    0      3        0 tailscale0
fe80::/128                                  ::                                      Un    0      3        0 br-lan  
fe80::/128                                  ::                                      Un    0      3        0 eth3    
fe80::/128                                  ::                                      Un    0      3        0 utun    
fe80::42:eaff:fed9:ee87/128                 ::                                      Un    0      2        0 br-f9f0172bbecf
fe80::2e2:697f:cb24:7a07/128                ::                                      Un    0      4        0 pppoe-wan
fe80::2e2:69ff:fe24:7a04/128                ::                                      Un    0      8        0 br-lan  
fe80::2e2:69ff:fe24:7a07/128                ::                                      Un    0      2        0 eth3    
fe80::40f4:faff:fe36:dbc5/128               ::                                      Un    0      3        0 veth436712b
fe80::686c:caff:fe41:f71c/128               ::                                      Un    0      3        0 ifb4eth3
fe80::bceb:61ff:fe86:34b9/128               ::                                      Un    0      3        0 veth66cff0e
fe80::d1f0:ad22:2df1:a7ab/128               ::                                      Un    0      2        0 utun    
fe80::d585:91b2:ef16:8209/128               ::                                      Un    0      3        0 tailscale0
ff00::/8                                    ::                                      U     256    1        0 ifb4eth3
ff00::/8                                    ::                                      U     256    1        0 veth66cff0e
ff00::/8                                    ::                                      U     256    1        0 br-f9f0172bbecf
ff00::/8                                    ::                                      U     256    1        0 veth436712b
ff00::/8                                    ::                                      U     256    1        0 tailscale0
ff00::/8                                    ::                                      U     256    5        0 br-lan  
ff00::/8                                    ::                                      U     256    5        0 eth3    
ff00::/8                                    ::                                      U     256    3        0 pppoe-wan
ff00::/8                                    ::                                      U     256    4        0 utun    
::/0                                        ::                                      !n    -1     2        0 lo      

#ip -6 route list
default from 2408:8240:803:30b::/64 via fe80::d6c1:c8ff:fe95:c450 dev pppoe-wan proto static metric 512 pref medium
default from 2408:8240:820:7830::/60 via fe80::d6c1:c8ff:fe95:c450 dev pppoe-wan proto static metric 512 pref medium
unreachable 2408:8240:803:30b::/64 dev lo proto static metric 2147483647 pref medium
2408:8240:820:7830::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2408:8240:820:7830::/60 dev lo proto static metric 2147483647 pref medium
fd7a:115c:a1e0:ab12:4843:cd96:6249:4d07 dev tailscale0 proto kernel metric 256 pref medium
fd8f:2de7:b000::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd8f:2de7:b000::/48 dev lo proto static metric 2147483647 pref medium
fe80::2e2:697f:cb24:7a07 dev pppoe-wan proto kernel metric 256 pref medium
fe80::d6c1:c8ff:fe95:c450 dev pppoe-wan metric 1 pref medium
fe80::/64 dev ifb4eth3 proto kernel metric 256 pref medium
fe80::/64 dev veth66cff0e proto kernel metric 256 pref medium
fe80::/64 dev br-f9f0172bbecf proto kernel metric 256 pref medium
fe80::/64 dev veth436712b proto kernel metric 256 pref medium
fe80::/64 dev tailscale0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth3 proto kernel metric 256 pref medium
fe80::/64 dev utun proto kernel metric 256 pref medium

#ip -6 rule show
0:  from all lookup local
5209:   from all fwmark 0x162 lookup 354
5210:   from all fwmark 0x80000/0xff0000 lookup main
5230:   from all fwmark 0x80000/0xff0000 lookup default
5250:   from all fwmark 0x80000/0xff0000 unreachable
5270:   from all lookup 52
32766:  from all lookup main
4200000000: from 2408:8240:820:7830::1/60 iif br-lan unreachable
4200000001: from all iif lo failed_policy
4200000077: from all iif br-lan failed_policy
4200000078: from all iif pppoe-wan failed_policy
4200000078: from all iif pppoe-wan failed_policy
4200000082: from all iif utun failed_policy

#===================== TUN device status =====================#

tailscale0: tun vnet_hdr
utun: tun

#===================== Port usage status =====================#

tcp        0      0 198.18.0.1:45883        0.0.0.0:*               LISTEN      3983/clash
tcp        0      0 :::7893                 :::*                    LISTEN      3983/clash
tcp        0      0 :::7895                 :::*                    LISTEN      3983/clash
tcp        0      0 fdfe:dcba:9876::1:36127 :::*                    LISTEN      3983/clash
tcp        0      0 :::9090                 :::*                    LISTEN      3983/clash
tcp        0      0 :::7890                 :::*                    LISTEN      3983/clash
tcp        0      0 :::7891                 :::*                    LISTEN      3983/clash
tcp        0      0 :::7892                 :::*                    LISTEN      3983/clash
udp        0      0 :::7874                 :::*                                3983/clash
udp        0      0 :::7891                 :::*                                3983/clash
udp        0      0 :::7892                 :::*                                3983/clash
udp        0      0 :::7893                 :::*                                3983/clash
udp        0      0 :::7895                 :::*                                3983/clash

#===================== Test local DNS query (www.baidu.com) =====================#

#===================== Test core DNS query (www.instagram.com) =====================#

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 1
  Qclass: 1

Answer: 
  TTL: 3600
  data: geo-p42.instagram.com.
  name: www.instagram.com.
  type: 5

  TTL: 3600
  data: z-p42-instagram.c10r.instagram.com.
  name: geo-p42.instagram.com.
  type: 5

  TTL: 60
  data: 157.240.209.174
  name: z-p42-instagram.c10r.instagram.com.
  type: 1

Dnsmasq current default resolv file: /tmp/resolv.conf.d/resolv.conf.auto

#===================== /tmp/resolv.conf.auto =====================#

# Interface wan
nameserver 227
nameserver 2227
# Interface wan_6
nameserver 24::8
nameserver 24:8

#===================== /tmp/resolv.conf.d/resolv.conf.auto =====================#

# Interface wan
nameserver 227
nameserver 2217
# Interface wan_6
nameserver 24::8
nameserver 248

#===================== Test local network connection (www.baidu.com) =====================#

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Sat, 30 Sep 2023 00:25:35 GMT
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

#===================== Test local network download (raw.githubusercontent.com) =====================#

HTTP/2 404 
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
content-type: text/plain; charset=utf-8
x-github-request-id: A6D6:25359:480FCF:5206A6:65176AD2
accept-ranges: bytes
date: Sat, 30 Sep 2023 00:25:36 GMT
via: 1.1 varnish
x-served-by: cache-nrt-rjtf7700043-NRT
x-cache: HIT
x-cache-hits: 2
x-timer: S1696033537.710651,VS0,VE0
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
x-fastly-request-id: 13e5e366d2d9fbb9adf22c6bfc0053e8e222ead8
expires: Sat, 30 Sep 2023 00:30:36 GMT
source-age: 45
content-length: 14

#===================== Recent run log (automatically switched to Debug mode) =====================#

#===================== Recent run log retrieval complete (automatically switched back to silent mode) =====================#

#===================== Active connection info =====================#

1. SourceIP:【192.168.1.154】 - Host:【Empty】 - DestinationIP:【91.108.56.170】 - Network:【tcp】 - RulePayload:【Telegram_ip】 - Lastchain:【🇨🇳 台湾高级 IEPL 中继 1】
2. SourceIP:【192.168.1.154】 - Host:【twitter.com】 - DestinationIP:【104.244.42.193】 - Network:【tcp】 - RulePayload:【🧱gfw】 - Lastchain:【🇭🇰 香港高级 IEPL 中继 1】
3. SourceIP:【172.19.0.2】 - Host:【Empty】 - DestinationIP:【91.108.56.108】 - Network:【tcp】 - RulePayload:【Telegram_ip】 - Lastchain:【🇭🇰 香港标准 IEPL 中继 2】
4. SourceIP:【192.168.1.243】 - Host:【edge-mqtt.facebook.com】 - DestinationIP:【157.240.209.23】 - Network:【tcp】 - RulePayload:【🧱gfw】 - Lastchain:【🇭🇰 香港高级 IEPL 中继 1】
5. SourceIP:【192.168.1.243】 - Host:【securecdn.oculus.com】 - DestinationIP:【157.240.209.50】 - Network:【tcp】 - RulePayload:【🧱gfw】 - Lastchain:【🇭🇰 香港高级 IEPL 中继 2】
6. SourceIP:【192.168.1.154】 - Host:【github.githubassets.com】 - DestinationIP:【185.199.111.154】 - Network:【tcp】 - RulePayload:【🧱gfw】 - Lastchain:【🇭🇰 香港高级 IEPL 中继 2】
7. SourceIP:【192.168.1.154】 - Host:【www.youtube.com】 - DestinationIP:【172.217.160.78】 - Network:【tcp】 - RulePayload:【🧱gfw】 - Lastchain:【🇭🇰 香港高级 IEPL 中继 1】
8. SourceIP:【192.168.1.154】 - Host:【nleditor.osi.office.net】 - DestinationIP:【20.89.57.112】 - Network:【tcp】 - RulePayload:【Microsoft】 - Lastchain:【🇨🇳 台湾标准 IEPL 中继 2】
9. SourceIP:【192.168.1.154】 - Host:【github.com】 - DestinationIP:【20.205.243.166】 - Network:【tcp】 - RulePayload:【🧱gfw】 - Lastchain:【🇭🇰 香港高级 IEPL 中继 1】
10. SourceIP:【192.168.1.243】 - Host:【mqtt-mini.facebook.com】 - DestinationIP:【199.59.150.45】 - Network:【tcp】 - RulePayload:【🧱gfw】 - Lastchain:【🇭🇰 香港标准 IEPL 中继 4】
11. SourceIP:【192.168.1.154】 - Host:【Empty】 - DestinationIP:【91.108.56.170】 - Network:【tcp】 - RulePayload:【Telegram_ip】 - Lastchain:【🇭🇰 香港高级 IEPL 中继 2】
12. SourceIP:【192.168.1.243】 - Host:【edge-mqtt.facebook.com】 - DestinationIP:【157.240.209.23】 - Network:【tcp】 - RulePayload:【🧱gfw】 - Lastchain:【🇭🇰 香港高级 IEPL 中继 1】
13. SourceIP:【192.168.1.154】 - Host:【vscode-sync.trafficmanager.net】 - DestinationIP:【20.205.69.80】 - Network:【tcp】 - RulePayload:【Microsoft】 - Lastchain:【🇭🇰 香港高级 IEPL 中继 2】
14. SourceIP:【192.168.1.154】 - Host:【optimizationguide-pa.googleapis.com】 - DestinationIP:【142.251.43.10】 - Network:【tcp】 - RulePayload:【🧱gfw】 - Lastchain:【🇭🇰 香港高级 IEPL 中继 2】
15. SourceIP:【192.168.1.243】 - Host:【www.meta.com】 - DestinationIP:【157.240.209.16】 - Network:【tcp】 - RulePayload:【443】 - Lastchain:【🇭🇰 香港高级 IEPL 中继 2】
16. SourceIP:【192.168.1.154】 - Host:【www.duyaoss.com】 - DestinationIP:【172.67.72.165】 - Network:【tcp】 - RulePayload:【🧱gfw】 - Lastchain:【🇭🇰 香港高级 IEPL 中继 2】


### Expected Behavior

Stop repeatedly resetting the firewall rules.

### Screenshots

_No response_
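The report above contains both the ip6tables filter table and the list of ports clash is listening on, which is enough to check two things a practitioner wants to know before trusting a ruleset that is being rewritten every few seconds: whether the OpenClash jumps in INPUT still sit ahead of fw3's zone_wan_input jumps for each WAN interface, and whether every clash port bound on a wildcard address is actually covered by a REJECT in openclash_wan_input (otherwise the proxy and the 9090 controller would be reachable from the WAN side). The following is an added example written for this page, not OpenClash's own code; it parses iptables-save format text and netstat-style lines trimmed from the report, and the "rule order" heuristic it applies is this example's own assumption about what such a check means, not the logic OpenClash's watchdog actually runs.

```python
"""Cross-check an ip6tables dump against clash's listening ports.

Added example for this issue, not OpenClash project code. The rule and
listener samples are trimmed copies of the report's output; the ordering
heuristic is an assumption of this example, not the watchdog's own check.
"""
import re

# Constructed sample: excerpt of the filter table from the report.
IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:openclash_wan_input - [0:0]
:zone_wan_input - [0:0]
-A INPUT -i eth3 -m set ! --match-set localnetwork6 src -j openclash_wan_input
-A INPUT -i pppoe-wan -m set ! --match-set localnetwork6 src -j openclash_wan_input
-A INPUT -p udp -m udp --dport 443 -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip6_route dst -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j ts-input
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth3 -m comment --comment "!fw3" -j zone_wan_input
-A openclash_wan_input -p udp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp6-port-unreachable
-A openclash_wan_input -p tcp -m multiport --dports 7892,7895,9090,7890,7891,7893,7874 -j REJECT --reject-with icmp6-port-unreachable
COMMIT
"""

# Constructed sample: listener lines from the report's port list.
NETSTAT = """\
tcp        0      0 198.18.0.1:45883        0.0.0.0:*               LISTEN      3983/clash
tcp        0      0 :::7893                 :::*                    LISTEN      3983/clash
tcp        0      0 :::9090                 :::*                    LISTEN      3983/clash
tcp        0      0 :::7890                 :::*                    LISTEN      3983/clash
udp        0      0 :::7874                 :::*                                3983/clash
"""


def parse_rules(dump):
    """Map chain name -> list of rule bodies, in the order they were appended."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith("-A "):
            chain, _, body = line[3:].partition(" ")
            chains.setdefault(chain, []).append(body)
    return chains


def _opt(rule, flag):
    """Value following a single-token option such as -i, -p, -j or --dports."""
    m = re.search(r"(?:^| )%s (\S+)" % re.escape(flag), rule)
    return m.group(1) if m else None


def check_order(chains, chain="INPUT", ours="openclash_wan_input", theirs="zone_wan_input"):
    """Interfaces whose fw3 zone jump comes before (or without) the OpenClash jump.

    Assumed ordering rule: for every interface fw3 hands to zone_wan_input,
    an earlier rule on that interface must jump to openclash_wan_input.
    """
    rules = chains.get(chain, [])
    first_ours, first_theirs = {}, {}
    for idx, rule in enumerate(rules):
        iface, target = _opt(rule, "-i"), _opt(rule, "-j")
        if not iface:
            continue
        if target == ours:
            first_ours.setdefault(iface, idx)
        elif target == theirs:
            first_theirs.setdefault(iface, idx)
    return [i for i, idx in first_theirs.items() if first_ours.get(i, len(rules)) > idx]


def rejected_ports(chains, chain="openclash_wan_input"):
    """{proto: set(ports)} covered by REJECT rules in the given chain."""
    out = {"tcp": set(), "udp": set()}
    for rule in chains.get(chain, []):
        proto = _opt(rule, "-p")
        ports = _opt(rule, "--dports") or _opt(rule, "--dport")
        if _opt(rule, "-j") == "REJECT" and proto in out and ports:
            out[proto].update(int(p) for p in ports.split(","))
    return out


def wildcard_listeners(netstat):
    """(proto, port) pairs bound on 0.0.0.0 or ::, i.e. reachable on every interface."""
    found = set()
    for line in netstat.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")  # ':::7893' -> ('::', ':', '7893')
        if addr in ("0.0.0.0", "::"):
            found.add((fields[0], int(port)))
    return found


def exposed_ports(chains, netstat):
    """Wildcard-bound listeners that no openclash_wan_input REJECT covers."""
    rej = rejected_ports(chains)
    return sorted(p for p in wildcard_listeners(netstat) if p[1] not in rej.get(p[0], set()))


def report(dump=IP6TABLES_SAVE, netstat=NETSTAT):
    """Run both checks; empty lists mean the dump looks consistent."""
    chains = parse_rules(dump)
    return {"misordered_ifaces": check_order(chains), "exposed": exposed_ports(chains, netstat)}


if __name__ == "__main__":
    print(report())
```

On the dump as posted both lists come back empty: the openclash_wan_input jumps are the first two INPUT rules and every wildcard-bound clash port is in the multiport REJECT list. Feeding the script a dump captured after one of the resets, together with `ip6tables-save -t filter` and `netstat -lnp` from the box, shows whether the rewritten ruleset ever leaves a window in which those ports are reachable from eth3 or pppoe-wan.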
vernesong commented 1 year ago

Turn it off and restart it.

coldrook commented 1 year ago

With fake-ip TUN mixed mode + gvisor network stack, turning it off and restarting works; with the system stack, turning it off and restarting has no effect.

VIKINGYFY commented 1 year ago

> Turn it off and restart it.

redir-host TUN mode + Meta core + gvisor: as soon as a subscription update connects, it resets the firewall endlessly; turning it off and back on resolves it.

Lovest20018 commented 1 year ago

Same problem. With both the original and the Meta core, fake-ip TUN mixed mode + system network stack: turning it off and restarting has no effect.

coldrook commented 1 year ago

When streaming-unlock detection starts resolving, as long as the resolution does not succeed, the endless firewall reset reproduces; turning it off and back on recovers.

whetherTsmile commented 11 months ago

v0.45.141-beta, same problem. redir-host, clash-meta core. Toggling IPv6, switching to compatible mode, TUN mode, I tried them all; it restarts the firewall every 10 or so, and I never enabled streaming unlock.

vernesong commented 11 months ago

149

windyhun commented 11 months ago

Same problem on 151.

1394805163 commented 10 months ago

The problem still exists on version 152. It keeps reporting "detected forwarding rule order error, modifying plugin firewall rules" and resetting the firewall rules.

blngxj commented 10 months ago

I thought the endless restarts were caused by something I had done wrong, but it turns out everyone has it. I even reinstalled more than 3 times... On 151 it now appears intermittently: about every 4 hours there is a forwarding order error and the firewall is reset.

LangzhuYue commented 9 months ago

I ran into it too. Looking around, quite a few people have hit it. This problem has been going on for so long; is there really no solution?

LLIce commented 6 months ago

Still present on v0.46.003.