vernesong / OpenClash

A Clash Client For OpenWrt
MIT License
17.36k stars 3.17k forks

[Bug] "Bypass Specified Region IPv4 Blacklist" causes dnsmasq to fail to start #4055

Closed vindia9 closed 1 month ago

vindia9 commented 1 month ago

Verify Steps

OpenClash Version

v0.46.033-beta

Bug on Environment

Official OpenWrt

OpenWrt Version

OpenWrt 22.03.3 r20028-43d71ad93e

Bug on Platform

Linux-amd64(x86-64)

Describe the Bug

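With the default configuration, I start openclash; after it starts successfully, no website can be accessed. After tracking down the problem, I found that as long as everything under Plugin Settings - Traffic Control - Bypass Specified Region IPv4 Blacklist is commented out, it starts normally.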

To Reproduce

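  1. Restore the default configuration in the openclash management interface (or use restore). At this point the contents of the Plugin Settings - Traffic Control - Bypass Specified Region IPv4 Blacklist text box are as follows:
    #baidu.com
    #114.114.114.114
    ##Fix Google Play Store failing to update after bypassing mainland China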
    services.googleapis.cn
    googleapis.cn
    xn--ngstr-lra8j.com
  2. Upload any working clash.yaml file.
  3. Connect to the openwrt server over ssh and use the logread -f command to watch the log output.
  4. Start openclash.
  5. In the ssh console, observe the following log:
    Thu Sep 26 01:15:56 2024 daemon.crit dnsmasq[1]: recompile with HAVE_IPSET defined to enable ipset directives at line 1 of /tmp/dnsmasq.d/dnsmasq_openclash_chnroute_pass.conf
    Thu Sep 26 01:15:56 2024 daemon.crit dnsmasq[1]: FAILED to start up
    Thu Sep 26 01:16:01 2024 daemon.crit dnsmasq[1]: recompile with HAVE_IPSET defined to enable ipset directives at line 1 of /tmp/dnsmasq.d/dnsmasq_openclash_chnroute_pass.conf
    Thu Sep 26 01:16:01 2024 daemon.crit dnsmasq[1]: FAILED to start up
    Thu Sep 26 01:16:06 2024 daemon.crit dnsmasq[1]: recompile with HAVE_IPSET defined to enable ipset directives at line 1 of /tmp/dnsmasq.d/dnsmasq_openclash_chnroute_pass.conf
    Thu Sep 26 01:16:06 2024 daemon.crit dnsmasq[1]: FAILED to start up
    Thu Sep 26 01:16:11 2024 daemon.crit dnsmasq[1]: recompile with HAVE_IPSET defined to enable ipset directives at line 1 of /tmp/dnsmasq.d/dnsmasq_openclash_chnroute_pass.conf
    Thu Sep 26 01:16:11 2024 daemon.crit dnsmasq[1]: FAILED to start up
    Thu Sep 26 01:16:16 2024 daemon.crit dnsmasq[1]: recompile with HAVE_IPSET defined to enable ipset directives at line 1 of /tmp/dnsmasq.d/dnsmasq_openclash_chnroute_pass.conf
    Thu Sep 26 01:16:16 2024 daemon.crit dnsmasq[1]: FAILED to start up
    Thu Sep 26 01:16:21 2024 daemon.crit dnsmasq[1]: recompile with HAVE_IPSET defined to enable ipset directives at line 1 of /tmp/dnsmasq.d/dnsmasq_openclash_chnroute_pass.conf
    Thu Sep 26 01:16:21 2024 daemon.crit dnsmasq[1]: FAILED to start up
    Thu Sep 26 01:16:21 2024 daemon.info procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash
  6. During the 6 failed starts above, inspect the temporary file /tmp/dnsmasq.d/dnsmasq_openclash_chnroute_pass.conf
    root@OpenWrt:~# cat /tmp/dnsmasq.d/dnsmasq_openclash_chnroute_pass.conf
    /china_ip_route_pass eapis.cn
    /china_ip_route_pass
    ipset=/xn--ngstr-lra8j.com/china_ip_route_pass
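  7. Test the network: DNS resolution fails for every domain.
  8. Go back to step 1. If everything in the Plugin Settings - Traffic Control - Bypass Specified Region IPv4 Blacklist text box is commented out, the error log from step 5 does not appear, and DNS resolution works normally after openclash starts.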

OpenClash Log

log: I suspect this is related to the if statement at line 1177 of the /etc/init.d/openclash file

      if [ "$enable_redirect_dns" != "2" ]; then
         mkdir -p ${DNSMASQ_CONF_DIR}
         echo "add set inet fw4 china_ip_route_pass { type ipv4_addr; flags interval; auto-merge; }" >/tmp/openclash_china_ip_route_pass.list
         [ -z `(awk '!/^$/&&!/^#/&&!/([0-9a-zA-Z-]{1,}\.)+([a-zA-Z]{2,})/{printf("    %s\n",$0)}' /etc/openclash/custom/openclash_custom_chnroute_pass.list)` ] || {
            echo "define china_ip_route_pass = {" >>/tmp/openclash_china_ip_route_pass.list
            awk '!/^$/&&!/^#/&&!/([0-9a-zA-Z-]{1,}\.)+([a-zA-Z]{2,})/{printf("    %s,\n",$0)}' /etc/openclash/custom/openclash_custom_chnroute_pass.list |sed '$ s/.$//' >>/tmp/openclash_china_ip_route_pass.list 2>/dev/null
            echo "}" >>/tmp/openclash_china_ip_route_pass.list
            echo 'add element inet fw4 china_ip_route_pass $china_ip_route_pass' >>/tmp/openclash_china_ip_route_pass.list
         }
         awk '!/^$/&&!/^#/&&!/(^([1-9]|1[0-9]|1[1-9]{2}|2[0-4][0-9]|25[0-5])\.)(([0-9]{1,2}|1[1-9]{2}|2[0-4][0-9]|25[0-5])\.){2}([1-9]|[1-9][0-9]|1[0-9]{2}|2[0-5][0-9]|25[0-4])((\/[0-9][0-9])?)$/{printf("'${settype}'=/%s/'${nftflag}'china_ip_route_pass'" "'\n",$0)}' /etc/openclash/custom/openclash_custom_chnroute_pass.list >>${DNSMASQ_CONF_DIR}/dnsmasq_openclash_chnroute_pass.conf 2>/dev/null
         nft 'flush set inet fw4 china_ip_route_pass'
         nft -f '/tmp/openclash_china_ip_route_pass.list'
         rm -rf /tmp/openclash_china_ip_route_pass.list
      fi
root@OpenWrt:~# awk
BusyBox v1.35.0 (2023-01-03 00:24:21 UTC) multi-call binary.

root@OpenWrt:~# sed
BusyBox v1.35.0 (2023-01-03 00:24:21 UTC) multi-call binary.

root@OpenWrt:~# nft -v
nftables v1.0.2 (Lester Gooch)

OpenClash Config

No response

Expected Behavior

It took a long time to track this problem down; for now I can only comment out the Bypass Specified Region IPv4 Blacklist feature.

Additional Context

No response

vernesong commented 1 month ago

awk '!/^$/&&!/^#/&&!/(^([1-9]|1[0-9]|1[1-9]{2}|2[0-4][0-9]|25[0-5])\.)(([0-9]{1,2}|1[1-9]{2}|2[0-4][0-9]|25[0-5])\.){2}([1-9]|[1-9][0-9]|1[0-9]{2}|2[0-5][0-9]|25[0-4])((\/[0-9][0-9])?)$/{printf("'${settype}'=/%s/'${nftflag}'china_ip_route_pass'" "'\n",$0)}' /etc/openclash/custom/openclash_custom_chnroute_pass.list
What does this command output after restoring? Where is the domain eapis.cn configured?

vindia9 commented 1 month ago

awk '!/^$/&&!/^#/&&!/(^([1-9]|1[0-9]|1[1-9]{2}|2[0-4][0-9]|25[0-5])\.)(([0-9]{1,2}|1[1-9]{2}|2[0-4][0-9]|25[0-5])\.){2}([1-9]|[1-9][0-9]|1[0-9]{2}|2[0-5][0-9]|25[0-4])((\/[0-9][0-9])?)$/{printf("'${settype}'=/%s/'${nftflag}'china_ip_route_pass'" "'\n",$0)}' /etc/openclash/custom/openclash_custom_chnroute_pass.list
What does this command output after restoring? Where is the domain eapis.cn configured?

I reproduced it again; this is the situation now:

# logread -f
Thu Sep 26 15:26:02 2024 daemon.crit dnsmasq[1]: recompile with HAVE_IPSET defined to enable ipset directives at line 1 of /tmp/dnsmasq.d/dnsmasq_openclash_chnroute_pass.conf
Thu Sep 26 15:26:02 2024 daemon.crit dnsmasq[1]: FAILED to start up

# cat /etc/openclash/custom/openclash_custom_chnroute_pass.list
#baidu.com
#114.114.114.114
##Fix Google Play Store failing to update after bypassing mainland China
xn--ngstr-lra8j.com
services.googleapis.cn
googleapis.cn

# cat /tmp/dnsmasq.d/dnsmasq_openclash_chnroute_pass.conf
ipset=/xn--ngstr-lra8j.com/china_ip_route_pass
ipset=/services.googleapis.cn/china_ip_route_pass
ipset=/googleapis.cn/china_ip_route_pass

# awk '!/^$/&&!/^#/&&!/(^([1-9]|1[0-9]|1[1-9]{2}|2[0-4][0-9]|25[0-5])\.)(([0-9]{1,2}|1[1-9]{2}|2[0-4][0-9]|25[0-5])\.){2}([1-9]|[1-9][0-9]|1[0-9]{2}|2[0-5][0-9]|25[0-4])((\/[0-9][0-9])?)$/{printf("'${settype}'=/%s/'${nftflag}'china_ip_route_pass'" "'\n",$0)}' /etc/openclash/custom/openclash_custom_chnroute_pass.list
=/xn--ngstr-lra8j.com/china_ip_route_pass
=/services.googleapis.cn/china_ip_route_pass
=/googleapis.cn/china_ip_route_pass

vernesong commented 1 month ago

Your dnsmasq is missing a feature; switch firmware.

vernesong commented 1 month ago

dnsmasq --version

vindia9 commented 1 month ago

dnsmasq --version

# dnsmasq --version
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

vernesong commented 1 month ago

Reinstall, or switch to a different firmware.

vindia9 commented 1 month ago

Reinstall, or switch to a different firmware.

OK, thanks.
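
The failure in this thread comes from `ipset=` lines landing in /tmp/dnsmasq.d for a dnsmasq build whose compile-time options say `no-ipset`. As an added example (not OpenClash's code and not part of the thread), the following shell functions read those options before installing a generated snippet. The function names are hypothetical, the sample text is the `dnsmasq --version` output posted above, and treating `nftset` as the option token for `nftset=` lines is an assumption.

```shell
#!/bin/sh
# Added example: gate a generated dnsmasq snippet on dnsmasq's compile-time options.
# Function names are hypothetical; nothing here is taken from /etc/init.d/openclash.

# Constructed sample: the `dnsmasq --version` output quoted in the thread.
SAMPLE_VERSION='Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile'

# dnsmasq_has_opt VERSION_TEXT OPTION
# Succeeds only when OPTION appears as a whole token, so "no-ipset" never
# satisfies a lookup for "ipset".
dnsmasq_has_opt() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Compile time options:/ {
            for (i = 4; i <= NF; i++) if ($i == want) found = 1
        }
        END { exit !found }'
}

# unsupported_directives VERSION_TEXT CONF_FILE
# Prints each set directive (ipset, nftset) that CONF_FILE uses but this
# dnsmasq build was compiled without.
unsupported_directives() {
    for d in ipset nftset; do
        if grep -q "^[[:space:]]*$d=" "$2" 2>/dev/null && ! dnsmasq_has_opt "$1" "$d"; then
            echo "$d"
        fi
    done
}

# install_snippet VERSION_TEXT SRC DEST
# Copies SRC to DEST only when every directive in it is supported. Refusing
# keeps the resolver running instead of letting dnsmasq crash-loop on a file
# it cannot parse.
install_snippet() {
    missing=$(unsupported_directives "$1" "$2")
    if [ -n "$missing" ]; then
        echo "skip $3: dnsmasq built without:" $missing >&2
        return 1
    fi
    cp "$2" "$3"
}
```

On a router the first argument would be `"$(dnsmasq --version)"`, with the snippet generated to a staging path and only then copied into the dnsmasq conf directory.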