Open csc202409 opened 3 days ago
Can't install iptables-mod-extra?
When running sulinggg/openwrt:x86_64 in Docker, iptables-mod-extra cannot be installed; it is not in the package feed. Switching the container to crazygit/openwrt-x86-64, iptables-mod-extra installs successfully, but running `iptables -t nat -A openclash_output -m owner ! --uid-owner 65534 -p tcp -j REDIRECT --to-ports 7892` still reports the owner module as missing. Presumably the host QNAP kernel does not support the owner module, so installing any module inside Docker is useless, since Docker cannot change the host kernel.
```
/ # opkg install iptables-mod-extra
Package iptables-mod-extra (1.8.3-1) installed in root is up to date.
/ # iptables -t nat -A openclash_output -m owner ! --uid-owner 65534 -p tcp -j REDIRECT --to-ports 7892
iptables v1.8.3 (legacy): Couldn't load match `owner':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
/ #
```
What does it have to do with the host? Find an OP firmware based on 2305; with 1806, packages installed afterwards generally don't work.
Verify Steps
OpenClash Version
v0.46.033-beta
Bug on Environment
Immortalwrt
OpenWrt Version
ImmortalWrt 18.06-k5.4-SNAPSHOT r12339-8b50c1df21 / LuCI openwrt-18.06-k5.4 branch (git-22.312.35760-7afcfb2)
Bug on Platform
Linux-amd64(x86-64)
Describe the Bug
The QNAP kernel is `Linux NAS2022 5.10.60-qnap #1 SMP Sat Aug 17 01:50:51 CST 2024 x86_64 GNU/Linux`. On it, sulinggg/openwrt:x86_64 is run via Docker, and OpenClash runs inside that OpenWrt. After configuring and starting OpenClash, other machines that set their gateway to the OpenWrt IP can reach sites outside the firewall normally, but OpenWrt itself cannot, so OpenClash's update checks all fail. Investigation shows the cause is that iptables on the QNAP does not support the owner and addrtype modules:
```
root@openwrt:~# iptables -m owner -help
iptables v1.8.7 (legacy): Couldn't load match `owner':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
```
This makes the iptables calls for "Router local proxy" (路由本机代理) fail, but OpenClash redirects the errors to /dev/null in set_firewall, so nothing shows up in the log; the only symptom is that the corresponding rules are missing from the resulting iptables tables. Commands like the following all fail on the QNAP with a missing-module error:
```
iptables -t nat -A openclash_output -m owner ! --uid-owner 65534 -p tcp -j REDIRECT --to-ports 7892
iptables -t nat -A openclash_post -m addrtype ! --src-type LOCAL -m owner ! --uid-owner 65534 -j MASQUERADE
```
The owner module affects "Router local proxy", and the addrtype module affects "Bypass gateway (side router) compatibility", but whether "Bypass gateway (side router) compatibility" is enabled or not does not affect normal operation.
After installing Passwall in OpenWrt and starting it, other processes inside OpenWrt can reach sites outside the firewall. The difference between Passwall and OpenClash is that Passwall's iptables rules for this feature are not based on the owner module; it uses a mark to decide instead. In principle, an owner-based implementation avoids loops and is simpler, but not every machine supports the owner module. This bug can be fixed or left alone: when an update is needed, one can point /etc/resolv.conf at a local DNS and then manually add `iptables -t nat -A openclash_output -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 7892`, which makes "Router local proxy" work; the impact is small.
The iptables rules after Passwall starts are as follows:
```
# Generated by iptables-save v1.8.7 on Thu Oct 17 15:42:16 2024
*mangle
:PREROUTING ACCEPT [511:94032]
:INPUT ACCEPT [511:94032]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [572:87584]
:POSTROUTING ACCEPT [572:87584]
:PSW - [0:0]
:PSW_DIVERT - [0:0]
:PSW_OUTPUT - [0:0]
:PSW_RULE - [0:0]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
-A PREROUTING -j PSW
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A OUTPUT -o lo -m comment --comment "\'mangle-OUTPUT-PSW\'" -j RETURN
-A OUTPUT -j RRDIPT_OUTPUT
-A OUTPUT -p udp -m comment --comment "\'mangle-OUTPUT-PSW\'" -j PSW_OUTPUT
-A OUTPUT -m comment --comment "\'mangle-OUTPUT-PSW\'" -m mark --mark 0x1 -j RETURN
-A PSW -m set --match-set laniplist dst -j RETURN
-A PSW -m set --match-set vpsiplist dst -j RETURN
-A PSW -m set --match-set whitelist dst -j RETURN
-A PSW -m set --match-set blocklist dst -j DROP
-A PSW -d 192.168.10.155/32 -m comment --comment "\'WAN_IP_RETURN\'" -j RETURN
-A PSW -i lo -p udp -m comment --comment "\'本机\'" -j RETURN
-A PSW -p udp -m udp --dport 53 -j RETURN
-A PSW -p tcp -m comment --comment "\'默认\'" -j RETURN
-A PSW -d 198.18.0.0/16 -p udp -m comment --comment "\'默认\'" -m multiport --dports 80,443 -j DROP
-A PSW -p udp -m comment --comment "\'默认\'" -m multiport --dports 80,443 -m set --match-set shuntlist dst -j DROP
-A PSW -p udp -m comment --comment "\'默认\'" -m multiport --dports 80,443 -m set --match-set blacklist dst -j DROP
-A PSW -p udp -m comment --comment "\'默认\'" -m multiport --dports 80,443 -m set ! --match-set chnroute dst -j DROP
-A PSW -d 198.18.0.0/16 -p udp -m comment --comment "\'默认\'" -j PSW_RULE
-A PSW -p udp -m comment --comment "\'默认\'" -m set --match-set shuntlist dst -j PSW_RULE
-A PSW -p udp -m comment --comment "\'默认\'" -m set --match-set blacklist dst -j PSW_RULE
-A PSW -p udp -m comment --comment "\'默认\'" -m set ! --match-set chnroute dst -j PSW_RULE
-A PSW -p udp -m comment --comment "\'默认\'" -j RETURN
-A PSW_DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A PSW_DIVERT -j ACCEPT
-A PSW_OUTPUT -m set --match-set laniplist dst -j RETURN
-A PSW_OUTPUT -m set --match-set vpsiplist dst -j RETURN
-A PSW_OUTPUT -m set --match-set whitelist dst -j RETURN
-A PSW_OUTPUT -m mark --mark 0xff -j RETURN
-A PSW_OUTPUT -m set --match-set blocklist dst -j DROP
-A PSW_OUTPUT -d 198.18.0.0/16 -p udp -m multiport --dports 80,443 -j DROP
-A PSW_OUTPUT -p udp -m multiport --dports 80,443 -m set --match-set shuntlist dst -j DROP
-A PSW_OUTPUT -p udp -m multiport --dports 80,443 -m set --match-set blacklist dst -j DROP
-A PSW_OUTPUT -p udp -m multiport --dports 80,443 -m set ! --match-set chnroute dst -j DROP
-A PSW_OUTPUT -d 198.18.0.0/16 -p udp -j PSW_RULE
-A PSW_OUTPUT -p udp -m set --match-set shuntlist dst -j PSW_RULE
-A PSW_OUTPUT -p udp -m set --match-set blacklist dst -j PSW_RULE
-A PSW_OUTPUT -p udp -m set ! --match-set chnroute dst -j PSW_RULE
-A PSW_RULE -m mark --mark 0x1 -j RETURN
-A PSW_RULE -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 0x1/0xffffffff
-A PSW_RULE -p udp -m conntrack --ctstate NEW -j MARK --set-xmark 0x1/0xffffffff
-A RRDIPT_FORWARD -s 192.168.10.1/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.1/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.10.207/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.207/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.10.136/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.136/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.10.11/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.10.11/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
COMMIT
# Completed on Thu Oct 17 15:42:16 2024
# Generated by iptables-save v1.8.7 on Thu Oct 17 15:42:16 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Thu Oct 17 15:42:16 2024
# Generated by iptables-save v1.8.7 on Thu Oct 17 15:42:16 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [43:2911]
:POSTROUTING ACCEPT [56:4773]
:PSW - [0:0]
:PSW_OUTPUT - [0:0]
:PSW_REDIRECT - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j PSW_REDIRECT
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -p tcp -j PSW
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A OUTPUT -p tcp -j PSW_OUTPUT
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A PSW -m set --match-set laniplist dst -j RETURN
-A PSW -m set --match-set vpsiplist dst -j RETURN
-A PSW -m set --match-set whitelist dst -j RETURN
-A PSW -d 192.168.10.155/32 -m comment --comment "\'WAN_IP_RETURN\'" -j RETURN
-A PSW -d 198.18.0.0/16 -p tcp -m comment --comment "\'默认\'" -j REDIRECT --to-ports 1041
-A PSW -p tcp -m comment --comment "\'默认\'" -m multiport --dports 22,25,53,143,465,587,853,993,995,80,443 -m set --match-set shuntlist dst -j REDIRECT --to-ports 1041
-A PSW -p tcp -m comment --comment "\'默认\'" -m multiport --dports 22,25,53,143,465,587,853,993,995,80,443 -m set --match-set blacklist dst -j REDIRECT --to-ports 1041
-A PSW -p tcp -m comment --comment "\'默认\'" -m multiport --dports 22,25,53,143,465,587,853,993,995,80,443 -m set ! --match-set chnroute dst -j REDIRECT --to-ports 1041
-A PSW -p tcp -m comment --comment "\'默认\'" -j RETURN
-A PSW_OUTPUT -m set --match-set laniplist dst -j RETURN
-A PSW_OUTPUT -m set --match-set vpsiplist dst -j RETURN
-A PSW_OUTPUT -m set --match-set whitelist dst -j RETURN
-A PSW_OUTPUT -m mark --mark 0xff -j RETURN
-A PSW_OUTPUT -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 1041
-A PSW_OUTPUT -p tcp -m multiport --dports 22,25,53,143,465,587,853,993,995,80,443 -m set --match-set shuntlist dst -j REDIRECT --to-ports 1041
-A PSW_OUTPUT -p tcp -m multiport --dports 22,25,53,143,465,587,853,993,995,80,443 -m set --match-set blacklist dst -j REDIRECT --to-ports 1041
-A PSW_OUTPUT -p tcp -m multiport --dports 22,25,53,143,465,587,853,993,995,80,443 -m set ! --match-set chnroute dst -j REDIRECT --to-ports 1041
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Oct 17 15:42:16 2024
```
To Reproduce
Run sulinggg/openwrt:x86_64 via Docker on the QNAP NAS, then run OpenClash inside that OpenWrt.
OpenClash Log
OpenClash Config
No response
Expected Behavior
"Router local proxy" works normally on the QNAP.
Additional Context
No response
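The report's root cause is a host kernel without the `owner` (and `addrtype`) match, hidden by a firewall script that sends iptables' stderr to /dev/null. The shell script below is an added example, not OpenClash's or Passwall's own code: it probes whether a match extension loads before using it, keeps iptables' error output so a missing module is logged instead of silently leaving the ruleset incomplete, and only installs the owner-based redirect when the match exists, otherwise installing the destination-based rule the reporter used as a workaround. The `IPTABLES` variable, the function names, the `apply` argument and the constructed error strings in the test are this example's own conventions.

```shell
#!/bin/sh
# Added example: check iptables match support before installing rules and
# surface errors rather than discarding them. IPTABLES may be overridden
# (used by the tests to substitute a fake binary); defaults to iptables.
IPTABLES="${IPTABLES:-iptables}"

# Classify iptables output: "missing-match" when the match extension could not
# be loaded (the message seen on the QNAP kernel in the report), "ok" otherwise.
iptables_error_kind() {
    case "$1" in
        *"Couldn't load match"*) echo "missing-match" ;;
        *) echo "ok" ;;
    esac
}

# Return 0 if "-m <name>" loads on this system, 1 otherwise. A successful
# probe exits 0 and prints the match's help; a failed one prints the error.
match_available() {
    out=$("$IPTABLES" -m "$1" --help 2>&1) && return 0
    echo "match '$1' unavailable ($(iptables_error_kind "$out")): $out" >&2
    return 1
}

# Run iptables but keep its stderr, so a failed rule is visible in the log
# instead of being lost to "2>/dev/null" as in the report.
run_iptables() {
    err=$("$IPTABLES" "$@" 2>&1 >/dev/null) && return 0
    echo "iptables $* failed ($(iptables_error_kind "$err")): $err" >&2
    return 1
}

# Print each match from the argument list that is unavailable, one per line;
# return 0 only when all of them load.
missing_matches() {
    rc=0
    for m in "$@"; do
        match_available "$m" 2>/dev/null || { echo "$m"; rc=1; }
    done
    return $rc
}

# Install the local-proxy redirect. Prefer the owner match; when the kernel
# lacks it, fall back to the destination-based rule from the report
# (198.18.0.0/16 -> the proxy port) and say so in the log.
setup_local_proxy_rules() {
    port="${1:-7892}"
    if match_available owner; then
        run_iptables -t nat -A openclash_output -m owner ! --uid-owner 65534 \
            -p tcp -j REDIRECT --to-ports "$port"
    else
        echo "owner match unavailable; installing destination-based fallback" >&2
        run_iptables -t nat -A openclash_output -d 198.18.0.0/16 \
            -p tcp -j REDIRECT --to-ports "$port"
    fi
}

# Stand-alone use: sh check_iptables.sh apply [port]
if [ "${1:-}" = "apply" ]; then
    missing_matches owner addrtype >&2
    setup_local_proxy_rules "${2:-7892}"
fi
```

Running `missing_matches owner addrtype` on the affected host prints both names, which is the check that is absent from the original flow; `run_iptables` is what a firewall script should call in place of a bare `iptables ... 2>/dev/null`, because the exit status and message are what tell an operator that the rules never landed.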