vernesong / OpenClash

A Clash Client For OpenWrt
MIT License

[Bug] The "Router-Self Proxy" (路由本机代理) feature does not work on a QNAP (威联通) NAS #4125

Open csc202409 opened 3 days ago

csc202409 commented 3 days ago

Verify Steps

OpenClash Version

v0.46.033-beta

Bug on Environment

Immortalwrt

OpenWrt Version

ImmortalWrt 18.06-k5.4-SNAPSHOT r12339-8b50c1df21 / LuCI openwrt-18.06-k5.4 branch (git-22.312.35760-7afcfb2)

Bug on Platform

Linux-amd64(x86-64)

Describe the Bug

The QNAP kernel is Linux NAS2022 5.10.60-qnap #1 SMP Sat Aug 17 01:50:51 CST 2024 x86_64 GNU/Linux. On it I run sulinggg/openwrt:x86_64 via Docker and run OpenClash inside that OpenWrt. After configuring and starting OpenClash, other machines that use the OpenWrt IP as their gateway can reach sites outside the firewall normally, but OpenWrt itself cannot, so OpenClash's update checks all fail. After investigating, the cause is that iptables on the QNAP does not support the owner and addrtype modules:

root@openwrt:~# iptables -m owner -help
iptables v1.8.7 (legacy): Couldn't load match `owner':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

This makes the iptables commands run for "Router-Self Proxy" fail, but OpenClash redirects their errors to /dev/null in set_firewall, so no error output appears in the log; the only symptom is that the final iptables tables are missing the corresponding rules. The following commands all fail on the QNAP with an error that the module is missing:

iptables -t nat -A openclash_output -m owner ! --uid-owner 65534 -p tcp -j REDIRECT --to-ports 7892
iptables -t nat -A openclash_post -m addrtype ! --src-type LOCAL -m owner ! --uid-owner 65534 -j MASQUERADE

The owner module affects "Router-Self Proxy", and the addrtype module affects "Bypass Gateway Compatible" (旁路网关(旁路由)兼容), although whether "Bypass Gateway Compatible" is on or off does not affect normal operation.

If I install Passwall inside OpenWrt and start it, the other processes in OpenWrt can reach sites outside the firewall. The difference between Passwall and OpenClash is that Passwall's iptables rules for this feature are not based on the owner module; they use a mark to decide instead. In principle, implementing it with the owner module avoids loops and is simpler, but not every machine supports the owner module. This bug can be fixed or left alone: when I need to update, I can change /etc/resolv.conf to the local DNS and then manually add iptables -t nat -A openclash_output -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 7892, which makes "Router-Self Proxy" work. The impact is small.

The iptables rules after Passwall starts are as follows:

# Generated by iptables-save v1.8.7 on Thu Oct 17 15:42:16 2024
*mangle
:PREROUTING ACCEPT [511:94032]
:INPUT ACCEPT [511:94032]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [572:87584]
:POSTROUTING ACCEPT [572:87584]
:PSW - [0:0]
:PSW_DIVERT - [0:0]
:PSW_OUTPUT - [0:0]
:PSW_RULE - [0:0]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
-A PREROUTING -j PSW
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A OUTPUT -o lo -m comment --comment "\'mangle-OUTPUT-PSW\'" -j RETURN
-A OUTPUT -j RRDIPT_OUTPUT
-A OUTPUT -p udp -m comment --comment "\'mangle-OUTPUT-PSW\'" -j PSW_OUTPUT
-A OUTPUT -m comment --comment "\'mangle-OUTPUT-PSW\'" -m mark --mark 0x1 -j RETURN
-A PSW -m set --match-set laniplist dst -j RETURN
-A PSW -m set --match-set vpsiplist dst -j RETURN
-A PSW -m set --match-set whitelist dst -j RETURN
-A PSW -m set --match-set blocklist dst -j DROP
-A PSW -d 192.168.10.155/32 -m comment --comment "\'WAN_IP_RETURN\'" -j RETURN
-A PSW -i lo -p udp -m comment --comment "\'本机\'" -j RETURN
-A PSW -p udp -m udp --dport 53 -j RETURN
-A PSW -p tcp -m comment --comment "\'默认\'" -j RETURN
-A PSW -d 198.18.0.0/16 -p udp -m comment --comment "\'默认\'" -m multiport --dports 80,443 -j DROP
-A PSW -p udp -m comment --comment "\'默认\'" -m multiport --dports 80,443 -m set --match-set shuntlist dst -j DROP
-A PSW -p udp -m comment --comment "\'默认\'" -m multiport --dports 80,443 -m set --match-set blacklist dst -j DROP
-A PSW -p udp -m comment --comment "\'默认\'" -m multiport --dports 80,443 -m set ! --match-set chnroute dst -j DROP
-A PSW -d 198.18.0.0/16 -p udp -m comment --comment "\'默认\'" -j PSW_RULE
-A PSW -p udp -m comment --comment "\'默认\'" -m set --match-set shuntlist dst -j PSW_RULE
-A PSW -p udp -m comment --comment "\'默认\'" -m set --match-set blacklist dst -j PSW_RULE
-A PSW -p udp -m comment --comment "\'默认\'" -m set ! --match-set chnroute dst -j PSW_RULE
-A PSW -p udp -m comment --comment "\'默认\'" -j RETURN
-A PSW_DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A PSW_DIVERT -j ACCEPT
-A PSW_OUTPUT -m set --match-set laniplist dst -j RETURN
-A PSW_OUTPUT -m set --match-set vpsiplist dst -j RETURN
-A PSW_OUTPUT -m set --match-set whitelist dst -j RETURN
-A PSW_OUTPUT -m mark --mark 0xff -j RETURN
-A PSW_OUTPUT -m set --match-set blocklist dst -j DROP
-A PSW_OUTPUT -d 198.18.0.0/16 -p udp -m multiport --dports 80,443 -j DROP
-A PSW_OUTPUT -p udp -m multiport --dports 80,443 -m set --match-set shuntlist dst -j DROP
-A PSW_OUTPUT -p udp -m multiport --dports 80,443 -m set --match-set blacklist dst -j DROP
-A PSW_OUTPUT -p udp -m multiport --dports 80,443 -m set ! --match-set chnroute dst -j DROP
-A PSW_OUTPUT -d 198.18.0.0/16 -p udp -j PSW_RULE
-A PSW_OUTPUT -p udp -m set --match-set shuntlist dst -j PSW_RULE
-A PSW_OUTPUT -p udp -m set --match-set blacklist dst -j PSW_RULE
-A PSW_OUTPUT -p udp -m set ! --match-set chnroute dst -j PSW_RULE
-A PSW_RULE -m mark --mark 0x1 -j RETURN
-A PSW_RULE -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 0x1/0xffffffff
-A PSW_RULE -p udp -m conntrack --ctstate NEW -j MARK --set-xmark 0x1/0xffffffff
-A RRDIPT_FORWARD -s 192.168.10.1/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.1/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.10.207/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.207/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.10.136/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.136/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.10.11/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.11/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
COMMIT
# Completed on Thu Oct 17 15:42:16 2024

# Generated by iptables-save v1.8.7 on Thu Oct 17 15:42:16 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Thu Oct 17 15:42:16 2024

# Generated by iptables-save v1.8.7 on Thu Oct 17 15:42:16 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [43:2911]
:POSTROUTING ACCEPT [56:4773]
:PSW - [0:0]
:PSW_OUTPUT - [0:0]
:PSW_REDIRECT - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j PSW_REDIRECT
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -p tcp -j PSW
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A OUTPUT -p tcp -j PSW_OUTPUT
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A PSW -m set --match-set laniplist dst -j RETURN
-A PSW -m set --match-set vpsiplist dst -j RETURN
-A PSW -m set --match-set whitelist dst -j RETURN
-A PSW -d 192.168.10.155/32 -m comment --comment "\'WAN_IP_RETURN\'" -j RETURN
-A PSW -d 198.18.0.0/16 -p tcp -m comment --comment "\'默认\'" -j REDIRECT --to-ports 1041
-A PSW -p tcp -m comment --comment "\'默认\'" -m multiport --dports 22,25,53,143,465,587,853,993,995,80,443 -m set --match-set shuntlist dst -j REDIRECT --to-ports 1041
-A PSW -p tcp -m comment --comment "\'默认\'" -m multiport --dports 22,25,53,143,465,587,853,993,995,80,443 -m set --match-set blacklist dst -j REDIRECT --to-ports 1041
-A PSW -p tcp -m comment --comment "\'默认\'" -m multiport --dports 22,25,53,143,465,587,853,993,995,80,443 -m set ! --match-set chnroute dst -j REDIRECT --to-ports 1041
-A PSW -p tcp -m comment --comment "\'默认\'" -j RETURN
-A PSW_OUTPUT -m set --match-set laniplist dst -j RETURN
-A PSW_OUTPUT -m set --match-set vpsiplist dst -j RETURN
-A PSW_OUTPUT -m set --match-set whitelist dst -j RETURN
-A PSW_OUTPUT -m mark --mark 0xff -j RETURN
-A PSW_OUTPUT -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 1041
-A PSW_OUTPUT -p tcp -m multiport --dports 22,25,53,143,465,587,853,993,995,80,443 -m set --match-set shuntlist dst -j REDIRECT --to-ports 1041
-A PSW_OUTPUT -p tcp -m multiport --dports 22,25,53,143,465,587,853,993,995,80,443 -m set --match-set blacklist dst -j REDIRECT --to-ports 1041
-A PSW_OUTPUT -p tcp -m multiport --dports 22,25,53,143,465,587,853,993,995,80,443 -m set ! --match-set chnroute dst -j REDIRECT --to-ports 1041
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Oct 17 15:42:16 2024

To Reproduce

Run sulinggg/openwrt:x86_64 via Docker on a QNAP NAS, then run OpenClash inside that OpenWrt.

OpenClash Log

OpenClash 调试日志

生成时间: 2024-10-17 15:31:19
插件版本: v0.46.033-beta
隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息

#===================== 系统信息 =====================#

主机型号: 
固件版本: ImmortalWrt 18.06-k5.4-SNAPSHOT r12339-8b50c1df21
LuCI版本: git-22.312.35760-7afcfb2-1
内核版本: 5.10.60-qnap
处理器架构: x86_64

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: 

DNS劫持: Dnsmasq 转发
#DNS劫持为Dnsmasq时,此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 未安装
unzip: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 未安装
kmod-ipt-extra: 未安装
kmod-ipt-nat: 已安装

#===================== 内核检查 =====================#

运行状态: 运行中
运行内核:Meta
进程pid: 4973
运行权限: 4973: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_admin,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限

Meta内核版本: alpha-g59a2b24
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/test.yaml
启动配置文件: /etc/openclash/test.yaml
运行模式: fake-ip
默认代理模式: rule
UDP流量转发(tproxy): 启用
自定义DNS: 停用
IPV6代理: 停用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 停用
自定义规则: 停用
仅允许内网: 停用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== IPTABLES 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Thu Oct 17 15:31:20 2024
*nat
:PREROUTING ACCEPT [1398:743737]
:INPUT ACCEPT [11682:792333]
:OUTPUT ACCEPT [18655:1202993]
:POSTROUTING ACCEPT [19877:1908502]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -d 8.8.8.8/32 -p tcp -m comment --comment "OpenClash Google DNS Hijack" -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "OpenClash DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 7892
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Oct 17 15:31:20 2024

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Thu Oct 17 15:31:20 2024
*mangle
:PREROUTING ACCEPT [706061:1522846943]
:INPUT ACCEPT [700257:1520313096]
:FORWARD ACCEPT [5804:2533847]
:OUTPUT ACCEPT [760888:1536581792]
:POSTROUTING ACCEPT [766853:1539135623]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:openclash_upnp - [0:0]
-A PREROUTING -p udp -j openclash
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A OUTPUT -j RRDIPT_OUTPUT
-A OUTPUT -p udp -j openclash_output
-A RRDIPT_FORWARD -s 192.168.10.1/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.1/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.10.207/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.207/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.10.136/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.136/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.10.11/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.11/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -p udp -m udp --sport 68 -j RETURN
-A openclash -i lo -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p udp -m udp --dport 53 -j RETURN
-A openclash -p udp -j openclash_upnp
-A openclash_output -p udp -m udp --sport 500 -j RETURN
-A openclash_output -p udp -m udp --sport 68 -j RETURN
COMMIT
# Completed on Thu Oct 17 15:31:20 2024

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Thu Oct 17 15:31:20 2024
*filter
:INPUT ACCEPT [100:4024]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -p udp -m udp --dport 443 -m comment --comment "OpenClash QUIC REJECT" -m set ! --match-set china_ip_route dst -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Thu Oct 17 15:31:20 2024

#IPv6 NAT chain

#IPv6 Mangle chain

#IPv6 Filter chain

OpenClash Config

No response

Expected Behavior

"Router-Self Proxy" (路由本机代理) works normally on the QNAP.

Additional Context

No response
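One way a firewall script could surface the failure described in this report instead of sending iptables errors to /dev/null, as an added example that is not OpenClash's or Passwall's own code: it probes whether a match module loads, keeps the error text when a rule fails, and falls back to the fake-ip destination rule from the report when owner is unavailable. The redirect port 7892, uid 65534 and 198.18.0.0/16 come from the issue; the IPT variable and the function names are assumptions so the functions can be exercised against a stub.

```shell
#!/bin/sh
# Added example, not OpenClash's set_firewall code. IPT names the iptables
# binary (or, for offline testing, a stub function that mimics its exit code).
IPT="${IPT:-iptables}"

# Return 0 when iptables can load the given match module (owner, addrtype, ...).
# On the QNAP kernel from the issue this exits non-zero with "Couldn't load match".
ipt_match_available() {
    "$IPT" -m "$1" --help >/dev/null 2>&1
}

# Print the names of the requested match modules that are NOT available,
# one per line, so a startup log can say exactly what the kernel lacks.
missing_matches() {
    for m in "$@"; do
        ipt_match_available "$m" || printf '%s\n' "$m"
    done
}

# Run one iptables command but keep its stderr: log the failing command and
# the error text instead of discarding them, so a missing module is visible.
ipt_checked() {
    err=$("$IPT" "$@" 2>&1) && return 0
    printf 'iptables failed: %s: %s\n' "$*" "$err" >&2
    return 1
}

# Install the openclash_output redirect for the router's own TCP traffic.
# With the owner match, every uid except the proxy's own is redirected, which
# is what keeps the proxy's outbound connections out of a loop. Without it,
# use the reporter's workaround: redirect only traffic to fake-ip destinations.
# (Assumption: in fake-ip mode the proxy connects to real addresses, never to
# 198.18.0.0/16, so this narrower rule cannot loop either.)
# Prints which variant was installed and returns non-zero if neither applied.
add_output_rules() {
    if ipt_match_available owner; then
        ipt_checked -t nat -A openclash_output -m owner ! --uid-owner 65534 \
            -p tcp -j REDIRECT --to-ports 7892 && echo owner
    else
        ipt_checked -t nat -A openclash_output -d 198.18.0.0/16 \
            -p tcp -j REDIRECT --to-ports 7892 && echo fallback
    fi
}
```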

vernesong commented 3 days ago

Can't you install iptables-mod-extra?

csc202409 commented 1 day ago

With sulinggg/openwrt:x86_64 running in Docker, iptables-mod-extra cannot be installed; the package feed does not have iptables-mod-extra. After switching the Docker image to crazygit/openwrt-x86-64, iptables-mod-extra installs successfully, but running iptables -t nat -A openclash_output -m owner ! --uid-owner 65534 -p tcp -j REDIRECT --to-ports 7892 still reports that the owner module is missing. It must be that the host QNAP kernel does not support the owner module, so installing any module inside Docker is useless, since Docker cannot change the host kernel.

/ # opkg install iptables-mod-extra
Package iptables-mod-extra (1.8.3-1) installed in root is up to date.
/ # iptables -t nat -A openclash_output -m owner ! --uid-owner 65534 -p tcp -j REDIRECT --to-ports 7892
iptables v1.8.3 (legacy): Couldn't load match `owner':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
/ #

vernesong commented 18 hours ago

What does it have to do with the host? Find a 23.05 OpenWrt firmware; on 18.06, packages installed afterwards generally don't work.