[Bug] 流量控制->仅允许内网选项未按照预期工作

[paladin4fan]

Verify Steps

• [X] Tracker 我已经在 Issue Tracker 中找过我要提出的问题
• [X] Branch 我知道 OpenClash 的 Dev 分支切换开关位于插件设置-版本更新中，或者我会手动下载并安装 Dev 分支的 OpenClash
• [X] Latest 我已经使用最新 Dev 版本测试过，问题依旧存在
• [X] Relevant 我知道 OpenClash 与 内核(Core)、控制面板(Dashboard)、在线订阅转换(Subconverter)等项目之间无直接关系，仅相互调用
• [X] Definite 这确实是 OpenClash 出现的问题
• [ ] Contributors 我有能力协助 OpenClash 开发并解决此问题
• [ ] Meaningless 我提交的是无意义的催促更新或修复请求

OpenClash Version

v0.46.014-beta

Bug on Environment

Official OpenWrt

OpenWrt Version

23.05.3 r23809-234f1a2efa

Bug on Platform

Linux-amd64(x86-64)

Describe the Bug

关闭 流量控制->仅允许内网 时 远程设备可以通过公网IP直接打开路由器80端口的luci界面 打开 流量控制->仅允许内网 时 远程设备无法访问路由本机防火墙设置里开放的端口 即使选择端口范围绕过核心、不代理路由流量也是一样

To Reproduce

勾选 流量控制->仅允许内网选项

OpenClash Log

OpenClash 调试日志

生成时间: 2024-08-30 04:25:12
插件版本: 
隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息

#===================== 系统信息 =====================#

主机型号: Default string Default string
固件版本: OpenWrt 23.05.3 r23809-234f1a2efa
LuCI版本: git-23.051.66410-a505bb1
内核版本: 5.15.150
处理器架构: x86_64

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: server

DNS劫持: 停用
#DNS劫持为Dnsmasq时，此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 已安装
unzip: 已安装
kmod-nft-tproxy: 已安装

#===================== 内核检查 =====================#

运行状态: 运行中
运行内核：Dev
进程pid: 5122
运行权限: 5122: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2023.08.17-13-gdcc8d87
Tun内核文件: 存在
Tun内核运行权限: 正常

Dev内核版本: v1.18.0-13-gd034a40
Dev内核文件: 存在
Dev内核运行权限: 正常

Meta内核版本: alpha-g0d4e57c
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/Tsukimori.yaml
启动配置文件: /etc/openclash/Tsukimori.yaml
运行模式: redir-host
默认代理模式: rule
UDP流量转发(tproxy): 停用
自定义DNS: 启用
IPV6代理: 启用
IPV6-DNS解析: 启用
禁用Dnsmasq缓存: 停用
自定义规则: 启用
仅允许内网: 启用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 启用
路由本机代理: 停用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 自定义规则 一 =====================#
script:
##  shortcuts:
##    Notice: The core timezone is UTC
##    CST 20:00-24:00 = time.now().hour > 12 and time.now().hour < 16
##    内核时区为UTC,故以下time.now()函数的取值需要根据本地时区进行转换
##    北京时间(CST) 20:00-24:00 = time.now().hour > 12 and time.now().hour < 16
##    quic: network == 'udp' and dst_port == 443 and (geoip(resolve_ip(host)) != 'CN' or geoip(dst_ip) != 'CN')
##    time-limit: in_cidr(src_ip,'192.168.1.2/32') and time.now().hour < 20 or time.now().hour > 21
##    time-limit: src_ip == '192.168.1.2' and time.now().hour < 20 or time.now().hour > 21

##  code: |
##    def main(ctx, metadata):
##        directkeywordlist = ["baidu"]
##        for directkeyword in directkeywordlist:
##          if directkeyword in metadata["host"]:
##            ctx.log('[Script] matched keyword %s use direct' % directkeyword)
##            return "DIRECT"

rules:
##- SCRIPT,quic,REJECT #shortcuts rule
##- SCRIPT,time-limit,REJECT #shortcuts rule

##- PROCESS-NAME,curl,DIRECT #匹配路由自身进程(curl直连)
##- DOMAIN-SUFFIX,google.com,Proxy #匹配域名后缀(交由Proxy代理服务器组)
##- DOMAIN-KEYWORD,google,Proxy #匹配域名关键字(交由Proxy代理服务器组)
##- DOMAIN,google.com,Proxy #匹配域名(交由Proxy代理服务器组)
##- DOMAIN-SUFFIX,ad.com,REJECT #匹配域名后缀(拒绝)
##- IP-CIDR,127.0.0.0/8,DIRECT #匹配数据目标IP(直连)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT #匹配数据发起IP(直连)
##- DST-PORT,80,DIRECT #匹配数据目标端口(直连)
##- SRC-PORT,7777,DIRECT #匹配数据源端口(直连)

##排序在上的规则优先生效,如添加（去除规则前的#号）：
##IP段：192.168.1.2-192.168.1.200 直连
##- SRC-IP-CIDR,192.168.1.2/31,DIRECT
##- SRC-IP-CIDR,192.168.1.4/30,DIRECT
##- SRC-IP-CIDR,192.168.1.8/29,DIRECT
##- SRC-IP-CIDR,192.168.1.16/28,DIRECT
##- SRC-IP-CIDR,192.168.1.32/27,DIRECT
##- SRC-IP-CIDR,192.168.1.64/26,DIRECT
##- SRC-IP-CIDR,192.168.1.128/26,DIRECT
##- SRC-IP-CIDR,192.168.1.192/29,DIRECT
##- SRC-IP-CIDR,192.168.1.200/32,DIRECT

##IP段：192.168.1.202-192.168.1.255 直连
##- SRC-IP-CIDR,192.168.1.202/31,DIRECT
##- SRC-IP-CIDR,192.168.1.204/30,DIRECT
##- SRC-IP-CIDR,192.168.1.208/28,DIRECT
##- SRC-IP-CIDR,192.168.1.224/27,DIRECT

##此时IP为192.168.1.1和192.168.1.201的客户端流量走代理（策略），其余客户端不走代理
##因为Fake-IP模式下，IP地址为192.168.1.1的路由器自身流量可走代理（策略），所以需要排除

##仅设置路由器自身直连：
##- SRC-IP-CIDR,192.168.1.1/32,DIRECT
##- SRC-IP-CIDR,198.18.0.1/32,DIRECT

##DDNS
##- DOMAIN-SUFFIX,checkip.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkipv6.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkip.synology.com,DIRECT
##- DOMAIN-SUFFIX,ifconfig.co,DIRECT
##- DOMAIN-SUFFIX,api.myip.com,DIRECT
##- DOMAIN-SUFFIX,ip-api.com,DIRECT
##- DOMAIN-SUFFIX,ipapi.co,DIRECT
##- DOMAIN-SUFFIX,ip6.seeip.org,DIRECT
##- DOMAIN-SUFFIX,members.3322.org,DIRECT

##在线IP段转CIDR地址：http://ip2cidr.com
- DOMAIN,github.githubassets.com,🇯🇵 Japan
- DOMAIN,gist.githubusercontent.com,🇯🇵 Japan
- DOMAIN,github.githubusercontent.com,🇯🇵 Japan
- DOMAIN,nikgapps.com,🇯🇵 Japan
- DOMAIN,objects.githubusercontent.com,🇯🇵 Japan
- DOMAIN,download.osgeo.org,🇯🇵 Japan
- DOMAIN-SUFFIX,github.com,🇯🇵 Japan
#===================== 自定义规则 二 =====================#
script:
##  shortcuts:
##    common_port: dst_port not in [21, 22, 23, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 998, 2052, 2053, 2082, 2083, 2086, 2095, 2096, 5222, 5228, 5229, 5230, 8080, 8443, 8880, 8888, 8889]

##  code: |
##    def main(ctx, metadata):
##        directkeywordlist = ["baidu"]
##        for directkeyword in directkeywordlist:
##          if directkeyword in metadata["host"]:
##            ctx.log('[Script] matched keyword %s use direct' % directkeyword)
##            return "DIRECT"

rules:
##- SCRIPT,common_port,DIRECT #shortcuts rule

##- DOMAIN-SUFFIX,google.com,Proxy #匹配域名后缀(交由Proxy代理服务器组)
##- DOMAIN-KEYWORD,google,Proxy #匹配域名关键字(交由Proxy代理服务器组)
##- DOMAIN,google.com,Proxy #匹配域名(交由Proxy代理服务器组)
##- DOMAIN-SUFFIX,ad.com,REJECT #匹配域名后缀(拒绝)
##- IP-CIDR,127.0.0.0/8,DIRECT #匹配数据目标IP(直连)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT #匹配数据发起IP(直连)
##- DST-PORT,80,DIRECT #匹配数据目标端口(直连)
##- SRC-PORT,7777,DIRECT #匹配数据源端口(直连)

#===================== 配置文件 =====================#

port: 7890
socks-port: 7891
allow-lan: true
mode: rule
log-level: info
external-controller: 0.0.0.0:9090
proxy-groups:
- name: "\U0001F1EF\U0001F1F5 Japan"
  type: select
  proxies:
  - DIRECT
rules:
- DST-PORT,7895,REJECT
- DST-PORT,7892,REJECT
- IP-CIDR,198.18.0.1/16,REJECT,no-resolve
- "DOMAIN,github.githubassets.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN,gist.githubusercontent.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN,github.githubusercontent.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN,nikgapps.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN,objects.githubusercontent.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN,download.osgeo.org,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,github.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,akabeesoft2.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,akabeesoft3.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,akatsukiworks.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,alicesoft.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,cosmiccute.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,ddo.jp,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,dmm-extension.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,dmm.co.jp,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,dmm.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,dmm.hk,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,hibiki-site.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,minori.ph,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,tenco.cc,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,wheel-soft.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN,auth.openai.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,openai.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,chatgpt.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,fc2cn.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,fc2id.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,livechatfc2.com,\U0001F1EF\U0001F1F5 Japan"
- "DOMAIN-SUFFIX,mora.jp,\U0001F1EF\U0001F1F5 Japan"
- MATCH,DIRECT
redir-port: 7892
tproxy-port: 7895
mixed-port: 7893
bind-address: "*"
external-ui: "/usr/share/openclash/ui"
ipv6: true
dns:
  enable: true
  ipv6: true
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  listen: 0.0.0.0:7874
  nameserver:
  - 208.67.220.220
  fallback:
  - 9.9.9.9
  default-nameserver:
  - 114.114.114.114
  - 119.29.29.29
  - 223.5.5.5
  fallback-filter:
    geoip: true
    geoip-code: CN
    ipcidr:
    - 0.0.0.0/8
    - 10.0.0.0/8
    - 100.64.0.0/10
    - 127.0.0.0/8
    - 169.254.0.0/16
    - 172.16.0.0/12
    - 192.0.0.0/24
    - 192.0.2.0/24
    - 192.88.99.0/24
    - 192.168.0.0/16
    - 198.18.0.0/15
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 224.0.0.0/4
    - 240.0.0.0/4
    - 255.255.255.255/32
    domain:
    - "+.google.com"
    - "+.facebook.com"
    - "+.youtube.com"
    - "+.githubusercontent.com"
    - "+.googlevideo.com"
    - "+.msftconnecttest.com"
    - "+.msftncsi.com"
  fake-ip-filter:
  - "+.*"
profile:
  store-selected: true
authentication:
- Clash:CrwmjuxE

#===================== 自定义覆写设置 =====================#

#!/bin/sh
. /usr/share/openclash/ruby.sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom overwrite scripts here, they will be take effict after the OpenClash own srcipts

LOG_OUT "Tip: Start Running Custom Overwrite Scripts..."
LOGTIME=$(echo $(date "+%Y-%m-%d %H:%M:%S"))
LOG_FILE="/tmp/openclash.log"
CONFIG_FILE="$1" #config path

#Simple Demo:
    #General Demo
    #1--config path
    #2--key name
    #3--value
    #ruby_edit "$CONFIG_FILE" "['redir-port']" "7892"
    #ruby_edit "$CONFIG_FILE" "['secret']" "123456"
    #ruby_edit "$CONFIG_FILE" "['dns']['enable']" "true"

    #Hash Demo
    #1--config path
    #2--key name
    #3--hash type value
    #ruby_edit "$CONFIG_FILE" "['experimental']" "{'sniff-tls-sni'=>true}"
    #ruby_edit "$CONFIG_FILE" "['sniffer']" "{'sniffing'=>['tls','http']}"

    #Array Demo:
    #1--config path
    #2--key name
    #3--position(start from 0, end with -1)
    #4--value
    #ruby_arr_insert "$CONFIG_FILE" "['dns']['nameserver']" "0" "114.114.114.114"

    #Array Add From Yaml File Demo:
    #1--config path
    #2--key name
    #3--position(start from 0, end with -1)
    #4--value file path
    #5--value key name in #4 file
    #ruby_arr_add_file "$CONFIG_FILE" "['dns']['fallback-filter']['ipcidr']" "0" "/etc/openclash/custom/openclash_custom_fallback_filter.yaml" "['fallback-filter']['ipcidr']"

#Ruby Script Demo:
    #ruby -ryaml -rYAML -I "/usr/share/openclash" -E UTF-8 -e "
    #   begin
    #      Value = YAML.load_file('$CONFIG_FILE');
    #   rescue Exception => e
    #      puts '${LOGTIME} Error: Load File Failed,【' + e.message + '】';
    #   end;

        #General
    #   begin
    #   Thread.new{
    #      Value['redir-port']=7892;
    #      Value['tproxy-port']=7895;
    #      Value['port']=7890;
    #      Value['socks-port']=7891;
    #      Value['mixed-port']=7893;
    #   }.join;

    #   rescue Exception => e
    #      puts '${LOGTIME} Error: Set General Failed,【' + e.message + '】';
    #   ensure
    #      File.open('$CONFIG_FILE','w') {|f| YAML.dump(Value, f)};
    #   end" 2>/dev/null >> $LOG_FILE

exit 0
#===================== 自定义防火墙设置 =====================#

#!/bin/sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom firewall rules here, they will be added after the end of the OpenClash iptables rules

LOG_OUT "Tip: Start Add Custom Firewall Rules..."

exit 0
#===================== IPTABLES 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.8 (nf_tables) on Fri Aug 30 04:25:14 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Aug 30 04:25:14 2024

#IPv4 Mangle chain

# Generated by iptables-save v1.8.8 (nf_tables) on Fri Aug 30 04:25:14 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:mwan3_connected_ipv4 - [0:0]
:mwan3_custom_ipv4 - [0:0]
:mwan3_dynamic_ipv4 - [0:0]
:mwan3_hook - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A OUTPUT -j mwan3_hook
-A mwan3_connected_ipv4 -m set --match-set mwan3_connected_ipv4 dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_custom_ipv4 -m set --match-set mwan3_custom_ipv4 dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_dynamic_ipv4 -m set --match-set mwan3_dynamic_ipv4 dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_custom_ipv4
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected_ipv4
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_dynamic_ipv4
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_custom_ipv4
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected_ipv4
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_dynamic_ipv4
COMMIT
# Completed on Fri Aug 30 04:25:14 2024

#IPv4 Filter chain

# Generated by iptables-save v1.8.8 (nf_tables) on Fri Aug 30 04:25:14 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Aug 30 04:25:14 2024

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.8 (nf_tables) on Fri Aug 30 04:25:14 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Aug 30 04:25:14 2024

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.8 (nf_tables) on Fri Aug 30 04:25:14 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:mwan3_connected_ipv6 - [0:0]
:mwan3_custom_ipv6 - [0:0]
:mwan3_dynamic_ipv6 - [0:0]
:mwan3_hook - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A OUTPUT -j mwan3_hook
-A mwan3_connected_ipv6 -m set --match-set mwan3_connected_ipv6 dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_custom_ipv6 -m set --match-set mwan3_custom_ipv6 dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_dynamic_ipv6 -m set --match-set mwan3_dynamic_ipv6 dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j RETURN
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
-A mwan3_hook -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j RETURN
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_custom_ipv6
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected_ipv6
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_dynamic_ipv6
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_custom_ipv6
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected_ipv6
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_dynamic_ipv6
COMMIT
# Completed on Fri Aug 30 04:25:14 2024

#IPv6 Filter chain

# Generated by ip6tables-save v1.8.8 (nf_tables) on Fri Aug 30 04:25:14 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Aug 30 04:25:14 2024

#===================== NFTABLES 防火墙设置 =====================#

table inet fw4 {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "eth3" ip6 saddr != @localnetwork6 counter packets 0 bytes 0 jump openclash_wan6_input
        udp dport 443 ip6 daddr != @china_ip6_route counter packets 0 bytes 0 reject with icmpv6 port-unreachable comment "OpenClash QUIC REJECT"
        udp dport 443 ip daddr != @china_ip_route counter packets 0 bytes 0 reject with icmp port-unreachable comment "OpenClash QUIC REJECT"
        iifname "eth3" ip saddr != @localnetwork counter packets 8913 bytes 7765334 jump openclash_wan_input
        iifname "lo" accept comment "!fw4: Accept traffic from loopback"
        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
        tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
        iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
        iifname { "eth3", "6in4-wan6" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        iifname "ztfp6lice3" jump input_Zerotier comment "!fw4: Handle Zerotier IPv4/IPv6 input traffic"
        jump handle_reject
    }
}
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
        iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
        iifname { "eth3", "6in4-wan6" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        iifname "ztfp6lice3" jump forward_Zerotier comment "!fw4: Handle Zerotier IPv4/IPv6 forward traffic"
        jump upnp_forward comment "Hook into miniupnpd forwarding chain"
        jump handle_reject
    }
}
table inet fw4 {
    chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
        ip6 daddr { 2001:4860:4860::8844, 2001:4860:4860::8888 } tcp dport 53 counter packets 0 bytes 0 accept comment "OpenClash Google DNS Hijack"
        ip daddr { 8.8.4.4, 8.8.8.8 } tcp dport 53 counter packets 0 bytes 0 redirect to :7892 comment "OpenClash Google DNS Hijack"
        iifname { "eth3", "6in4-wan6" } jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
        jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
        ip protocol tcp counter packets 511 bytes 29543 jump openclash
        meta nfproto ipv6 tcp dport 0-65535 counter packets 107 bytes 17023 jump openclash_v6
    }
}
table inet fw4 {
    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname { "eth3", "6in4-wan6" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
    }
}
table inet fw4 {
    chain nat_output {
        type nat hook output priority filter - 1; policy accept;
    }
}
table inet fw4 {
    chain mangle_prerouting {
        type filter hook prerouting priority mangle; policy accept;
    }
}
table inet fw4 {
    chain mangle_output {
        type route hook output priority mangle; policy accept;
    }
}
table inet fw4 {
    chain openclash {
        meta nfproto ipv4 tcp sport 9993 counter packets 0 bytes 0 return
        ip daddr @localnetwork counter packets 25 bytes 1508 return
        ip saddr @localnetwork tcp sport @lan_ac_black_ports counter packets 0 bytes 0 return
        ip daddr @china_ip_route ip daddr != @china_ip_route_pass counter packets 71 bytes 4341 return
        ip protocol tcp counter packets 415 bytes 23694 redirect to :7892
    }
}
table inet fw4 {
    chain openclash_wan_input {
        udp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
        tcp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 138 bytes 6996 reject
    }
}
table inet fw4 {
    chain openclash_wan6_input {
        udp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
        tcp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
    }
}

#===================== IPSET状态 =====================#

Name: mwan3_dynamic_ipv6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 bucketsize 12 initval 0x586b47b2
Size in memory: 1240
References: 1
Number of entries: 0

Name: mwan3_connected_ipv4
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xd81d9f7b
Size in memory: 792
References: 1
Number of entries: 7

Name: mwan3_connected_ipv6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 bucketsize 12 initval 0x628fb9ea
Size in memory: 1456
References: 1
Number of entries: 3

Name: mwan3_custom_ipv4
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0x3d6c4afc
Size in memory: 456
References: 1
Number of entries: 0

Name: mwan3_custom_ipv6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536 bucketsize 12 initval 0x4665a2a2
Size in memory: 1240
References: 1
Number of entries: 0

Name: mwan3_dynamic_ipv4
Type: list:set
Revision: 3
Header: size 8
Size in memory: 80
References: 1
Number of entries: 0

#===================== 路由表状态 =====================#

#IPv4

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         59.xxx.xxx.1     0.0.0.0         UG    0      0        0 eth3
59.xxx.xxx.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 ztfp6lice3
192.168.10.0    192.168.0.10    255.255.255.0   UG    5000   0        0 ztfp6lice3
192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.111.0   192.168.0.111   255.255.255.0   UG    5000   0        0 ztfp6lice3
216.xxx.xxx.6   59.xxx.xxx.1     255.255.255.255 UGH   0      0        0 eth3

#ip route list
default via 59.xxx.xxx.1 dev eth3 proto static src 59.xxxx.xxxx.xxxx 
59.xxx.xxx.0/24 dev eth3 proto kernel scope link src 59.xxxx.xxxx.xxxx 
192.168.0.0/24 dev ztfp6lice3 proto kernel scope link src 192.168.0.11 
192.168.10.0/24 via 192.168.0.10 dev ztfp6lice3 proto static metric 5000 
192.168.11.0/24 dev br-lan proto kernel scope link src 192.168.11.1 
192.168.111.0/24 via 192.168.0.111 dev ztfp6lice3 proto static metric 5000 
216.xxx.xxx.6 via 59.xxx.xxx.1 dev eth3 proto static 

#ip rule show
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default

#IPv6

#route -A inet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
::/0                                        ::                                      U     1024   5        0 6in4-wan6
::/0                                        ::                                      U     1024   6        0 6in4-wan6
2001:xxxx:xxxx:xxx::/64                        ::                                      Un    256    3        0 6in4-wan6
2001:xxxx:xxxx::/64                          ::                                      U     1024   5        0 br-lan  
2001:xxxx:xxxx::/48                          ::                                      !n    2147483647 2        0 lo      
fe80::/64                                   ::                                      U     256    1        0 eth3    
fe80::/64                                   ::                                      U     256    1        0 ztfp6lice3
fe80::/64                                   ::                                      U     256    5        0 br-lan  
fe80::/64                                   ::                                      Un    256    2        0 6in4-wan6
::/0                                        ::                                      !n    -1     2        0 lo      
::1/128                                     ::                                      Un    0      7        0 lo      
2001:xxx:xxxx:xxxx::/128                       ::                                      Un    0      3        0 6in4-wan6
2001:xxxx:xxxx:xxxx::2/128                      ::                                      Un    0      4        0 6in4-wan6
2001:xxxx:xxxx::/128                         ::                                      Un    0      3        0 br-lan  
2001:xxxx:xxxx::1/128                        ::                                      Un    0      8        0 br-lan  
fe80::/128                                  ::                                      Un    0      6        0 eth3    
fe80::/128                                  ::                                      Un    0      3        0 br-lan  
fe80::/128                                  ::                                      Un    0      3        0 ztfp6lice3
fe80::/128                                  ::                                      Un    0      3        0 6in4-wan6
fe80::3bbc:5753/128                         ::                                      Un    0      2        0 6in4-wan6
fe80::2e2:69ff:fe58:103b/128                ::                                      Un    0      6        0 br-lan  
fe80::2e2:69ff:fe58:103e/128                ::                                      Un    0      3        0 eth3    
fe80::f4b8:95ff:fea1:ddf8/128               ::                                      Un    0      2        0 ztfp6lice3
ff00::/8                                    ::                                      U     256    3        0 eth3    
ff00::/8                                    ::                                      U     256    3        0 ztfp6lice3
ff00::/8                                    ::                                      U     256    5        0 br-lan  
ff00::/8                                    ::                                      U     256    1        0 6in4-wan6
::/0                                        ::                                      !n    -1     2        0 lo      

#ip -6 route list
default from 2001:xxxx:xxxx:xxxx::/64 dev 6in4-wan6 proto static metric 1024 pref medium
default from 2001:xxxx:xxxx::/48 dev 6in4-wan6 proto static metric 1024 pref medium
2001:xxxx:xxxx:xxxx::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
2001:xxxx:xxxx::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2001:xxxx:xxxx::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth3 proto kernel metric 256 pref medium
fe80::/64 dev ztfp6lice3 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev 6in4-wan6 proto kernel metric 256 pref medium

#ip -6 rule show
0:  from all lookup local
32766:  from all lookup main
4200000000: from 2001:470:f93a::1/60 iif br-lan unreachable

#===================== 端口占用状态 =====================#

tcp        0      0 :::7895                 :::*                    LISTEN      5122/clash
tcp        0      0 :::7892                 :::*                    LISTEN      5122/clash
tcp        0      0 :::7893                 :::*                    LISTEN      5122/clash
tcp        0      0 :::7890                 :::*                    LISTEN      5122/clash
tcp        0      0 :::7891                 :::*                    LISTEN      5122/clash
tcp        0      0 :::9090                 :::*                    LISTEN      5122/clash
udp        0      0 :::7874                 :::*                                5122/clash
udp        0      0 :::7891                 :::*                                5122/clash
udp        0      0 :::7892                 :::*                                5122/clash
udp        0      0 :::7893                 :::*                                5122/clash
udp        0      0 :::7895                 :::*                                5122/clash

#===================== 测试本机DNS查询(www.baidu.com) =====================#

Server:     127.0.0.1
Address:    127.0.0.1:53

www.baidu.com   canonical name = www.a.shifen.com
www.a.shifen.com    canonical name = www.wshifen.com

www.baidu.com   canonical name = www.a.shifen.com
www.a.shifen.com    canonical name = www.wshifen.com
Name:   www.wshifen.com
Address: 103.235.47.188
Name:   www.wshifen.com
Address: 103.235.46.96

#===================== 测试内核DNS查询(www.instagram.com) =====================#

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 1
  Qclass: 1

Answer: 
  TTL: 1578
  data: z-p42-instagram.c10r.instagram.com.
  name: www.instagram.com.
  type: 5

  TTL: 48
  data: 163.70.159.174
  name: z-p42-instagram.c10r.instagram.com.
  type: 1

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 28
  Qclass: 1

Answer: 
  TTL: 1578
  data: z-p42-instagram.c10r.instagram.com.
  name: www.instagram.com.
  type: 5

  TTL: 60
  data: 2a03:2880:f215:e8:face:b00c:0:4420
  name: z-p42-instagram.c10r.instagram.com.
  type: 28

Dnsmasq 当前默认 resolv 文件：/tmp/resolv.conf.d/resolv.conf.auto

#===================== /tmp/resolv.conf.d/resolv.conf.auto =====================#

# Interface wan
nameserver 203.xxx.0.xxx
nameserver 203.xxx.0.xxx
nameserver 203.xxx.0.xxx

#===================== 测试本机网络连接(www.baidu.com) =====================#

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Fri, 30 Aug 2024 04:25:14 GMT
Etag: "575e1f6f-115"
Last-Modified: Mon, 13 Jun 2016 02:50:23 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

#===================== 测试本机网络下载(raw.githubusercontent.com) =====================#

HTTP/2 404 
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
content-type: text/plain; charset=utf-8
x-github-request-id: 2375:12A3CD:2542C12:26C202A:66D14978
accept-ranges: bytes
date: Fri, 30 Aug 2024 04:25:14 GMT
via: 1.1 varnish
x-served-by: cache-qpg1229-QPG
x-cache: HIT
x-cache-hits: 1
x-timer: S1724991915.970196,VS0,VE1
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
x-fastly-request-id: 875ae673310271602e0f0c2b44698798fc5800ce
expires: Fri, 30 Aug 2024 04:30:14 GMT
source-age: 50
content-length: 14

#===================== 最近运行日志(自动切换为Debug模式) =====================#

#===================== 最近运行日志获取完成(自动切换为silent模式) =====================#

OpenClash Config

No response

Expected Behavior

该选项开启时按照本机防火墙设置来向wan区域开放端口 关闭时也不应该全部端口都可以放进来

Additional Context

No response

[paladin4fan]

换了各网络重新AB测试了一下 更正一下问题描述 如果Wan口是PPPOE拨号 流量控制-wan接口名称选中物理网口名字+pppoe接口名字 通过公网IP访问开放的端口是正常的 openclash的面板端口会正常拒绝 防火墙其他没开放的端口也会被拒绝 如果wan口是DHCP获取到公网IP地址 流量控制-wan接口名称选中物理网口名字 通过公网IP访问开放的端口也会被拒绝

如果取消勾选流量控制-仅允许内网 OpenClash的端口、防火墙开放的端口都可以从公网访问 ，但是80端口也同时可被访问了

[vernesong]

受影响的只有这些端口

table inet fw4 { chain openclash_wan_input { udp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject tcp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 138 bytes 6996 reject } } table inet fw4 { chain openclash_wan6_input { udp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject tcp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject } }