vernesong / OpenClash

A Clash Client For OpenWrt
MIT License

The log fills with packets sent from the OpenWrt router itself on random ports, leading to "too many open files" and then a stalled or failing network #475

Closed. crotoc closed this 4 years ago

crotoc commented 4 years ago

Thank you very much for your software. My home setup is as follows: two routers, an AT&T router and an OpenWrt router. The AT&T router is connected to the fiber and gets the external address; its LAN address is 192.168.1.254, and through one of its LAN ports it assigns 192.168.1.153 to my OpenWrt router. My OpenWrt router's LAN uses 192.168.251.1 and serves DHCP to every device in my home. I installed OpenClash on the OpenWrt router in fake-ip mode, and after a short while a very dense, rapid burst of requests appears, causing the network to fail or stall: [image] The requesting address in the screenshot is 192.168.1.153, which should be the router itself; since fake-ip is in use, it is not clear where the destination addresses point. I suspect there is a loop somewhere. I hope you can help debug this, thanks a lot!

vernesong commented 4 years ago

This is a bug from an older version. Have you updated the plugin?

crotoc commented 4 years ago

Thanks for the reminder. I quickly upgraded to the new version; right now the log no longer shows it, so it may be fixed. I'll let it run for a while and see. May I ask what this problem was and how the new version fixed it? I'd like to learn. Thanks!

vernesong commented 4 years ago

It's a loop. Fake-ip mode automatically appends a reject rule at the end of the rules.

crotoc commented 4 years ago

It just happened again. How can I debug which loop is going wrong? Thanks!

crotoc commented 4 years ago

[image]

crotoc commented 4 years ago

In fake-ip mode I also can't tell which address my OpenWrt router is trying to connect to, so I don't know which connection is the problem.

crotoc commented 4 years ago

Since that large burst of packets appeared, OpenClash has restarted itself several times.

crotoc commented 4 years ago

I cleared all the configuration, reinstalled, and set it up again, and now it is temporarily fine again. I'll run it for a while longer and see. Thanks!

crotoc commented 4 years ago

Hello. Over the last two days in fake-ip mode, it is fine at first, but then suddenly a large number of packets from the router's WAN port appears, causing OpenClash to crash and restart. I still feel the iptables rules are going wrong somewhere, but I don't know how to debug it. This is the content of the log:

```
020-06-01 18:49:44 Watchdog: Size Limit, Clean Up All Log Records.
time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:46156 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:37154 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:46160 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:37158 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:37164 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:46162 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:46168 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:37166 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:46170 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:37172 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:46176 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:37174 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37180 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46178 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37182 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46184 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37188 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46186 --> 198.18.0.138 match Match using DIRECT"
2020-06-01 18:49:44 Watchdog: Reset Firewall For Enabling Redirect.
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46192 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37212 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37190 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37214 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46202 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37204 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37206 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46208 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46210 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46194 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37198 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46218 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37196 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37220 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46200 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46224 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37222 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37228 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46216 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37230 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46232 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46234 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:37236 --> 198.18.0.26 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46226 --> 198.18.0.138 match Match using DIRECT"
time="2020-06-01T18:49:45Z" level=info msg="[TCP] 192.168.1.153:46240 --> 198.18.0.138 match Match using DIRECT"
```

crotoc commented 4 years ago

This is the output of `iptables -t nat -S` with OpenClash not started:

```
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N postrouting_lan_rule
-N postrouting_rule
-N postrouting_wan_rule
-N prerouting_lan_rule
-N prerouting_rule
-N prerouting_wan_rule
-N zone_lan_postrouting
-N zone_lan_prerouting
-N zone_wan_postrouting
-N zone_wan_prerouting
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.215.0/24 -d 192.168.215.1/32 -p tcp -m tcp --dport 8022 -m comment --comment "!fw3: 8022 (reflection)" -j SNAT --to-source 192.168.215.1
-A zone_lan_postrouting -s 192.168.215.0/24 -d 192.168.215.1/32 -p udp -m udp --dport 8022 -m comment --comment "!fw3: 8022 (reflection)" -j SNAT --to-source 192.168.215.1
-A zone_lan_postrouting -s 192.168.215.0/24 -d 192.168.215.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: 80 (reflection)" -j SNAT --to-source 192.168.215.1
-A zone_lan_postrouting -s 192.168.215.0/24 -d 192.168.215.1/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: 80 (reflection)" -j SNAT --to-source 192.168.215.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.215.0/24 -d 192.168.1.153/32 -p tcp -m tcp --dport 8022 -m comment --comment "!fw3: 8022 (reflection)" -j DNAT --to-destination 192.168.215.1:8022
-A zone_lan_prerouting -s 192.168.215.0/24 -d 192.168.1.153/32 -p udp -m udp --dport 8022 -m comment --comment "!fw3: 8022 (reflection)" -j DNAT --to-destination 192.168.215.1:8022
-A zone_lan_prerouting -s 192.168.215.0/24 -d 192.168.1.153/32 -p tcp -m tcp --dport 33333 -m comment --comment "!fw3: 80 (reflection)" -j DNAT --to-destination 192.168.215.1:80
-A zone_lan_prerouting -s 192.168.215.0/24 -d 192.168.1.153/32 -p udp -m udp --dport 33333 -m comment --comment "!fw3: 80 (reflection)" -j DNAT --to-destination 192.168.215.1:80
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 8022 -m comment --comment "!fw3: 8022" -j DNAT --to-destination 192.168.215.1:8022
-A zone_wan_prerouting -p udp -m udp --dport 8022 -m comment --comment "!fw3: 8022" -j DNAT --to-destination 192.168.215.1:8022
-A zone_wan_prerouting -p tcp -m tcp --dport 33333 -m comment --comment "!fw3: 80" -j DNAT --to-destination 192.168.215.1:80
-A zone_wan_prerouting -p udp -m udp --dport 33333 -m comment --comment "!fw3: 80" -j DNAT --to-destination 192.168.215.1:80
```

This is the iptables output after starting OpenClash; I put the rules OpenClash added in bold:

```
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N openclash
-N openclash_output
-N postrouting_lan_rule
-N postrouting_rule
-N postrouting_wan_rule
-N prerouting_lan_rule
-N prerouting_rule
-N prerouting_wan_rule
-N zone_lan_postrouting
-N zone_lan_prerouting
-N zone_wan_postrouting
-N zone_wan_prerouting
-A PREROUTING -d 8.8.4.4/32 -p tcp -j REDIRECT --to-ports 7892
-A PREROUTING -d 8.8.8.8/32 -p tcp -j REDIRECT --to-ports 7892
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -p tcp -j openclash
-A OUTPUT -p tcp -j openclash_output
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 7892
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.215.0/24 -d 192.168.215.1/32 -p tcp -m tcp --dport 8022 -m comment --comment "!fw3: 8022 (reflection)" -j SNAT --to-source 192.168.215.1
-A zone_lan_postrouting -s 192.168.215.0/24 -d 192.168.215.1/32 -p udp -m udp --dport 8022 -m comment --comment "!fw3: 8022 (reflection)" -j SNAT --to-source 192.168.215.1
-A zone_lan_postrouting -s 192.168.215.0/24 -d 192.168.215.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: 80 (reflection)" -j SNAT --to-source 192.168.215.1
-A zone_lan_postrouting -s 192.168.215.0/24 -d 192.168.215.1/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: 80 (reflection)" -j SNAT --to-source 192.168.215.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.215.0/24 -d 192.168.1.153/32 -p tcp -m tcp --dport 8022 -m comment --comment "!fw3: 8022 (reflection)" -j DNAT --to-destination 192.168.215.1:8022
-A zone_lan_prerouting -s 192.168.215.0/24 -d 192.168.1.153/32 -p udp -m udp --dport 8022 -m comment --comment "!fw3: 8022 (reflection)" -j DNAT --to-destination 192.168.215.1:8022
-A zone_lan_prerouting -s 192.168.215.0/24 -d 192.168.1.153/32 -p tcp -m tcp --dport 33333 -m comment --comment "!fw3: 80 (reflection)" -j DNAT --to-destination 192.168.215.1:80
-A zone_lan_prerouting -s 192.168.215.0/24 -d 192.168.1.153/32 -p udp -m udp --dport 33333 -m comment --comment "!fw3: 80 (reflection)" -j DNAT --to-destination 192.168.215.1:80
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
```

crotoc commented 4 years ago

Since all of the destinations above are fake-ips, I don't know where those packets are really going, so I have no way of telling what I did to cause the situation above.

crotoc commented 4 years ago

I read the related issues carefully, and I guess this problem is similar to the following issue:

#144

I also use the rules for routing back to China, and I also see a large number of connections from the router to two fake-ips; I suspect they are the GitHub connections mentioned in #144. So I commented out this rule in OUTPUT: `-A openclash_output -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 7892`. Is this openclash_output chain for Clash's own update traffic? What is the purpose of openclash_output? Could you help explain? Thanks! After commenting it out, at least the service can start; now I'm waiting to see whether that problem comes back. Thanks!

vernesong commented 4 years ago

The new version appends this rule at the end of the rules on its own: `- IP-CIDR,198.18.0.1/16,REJECT,no-resolve`. If it isn't there, you can add it yourself.
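
The loop this thread describes, as an added example that is not OpenClash's or the maintainer's code: a small Python checker that flags Clash log entries in which the router's own address opens DIRECT connections into the fake-ip range 198.18.0.0/16 (the pattern in the log posted earlier in the thread), and that verifies a rule list carries the IP-CIDR REJECT guard before the catch-all MATCH. The sample log lines, the router address and the rule lists are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Clash connection log entry, in the shape seen in the issue (destination port optional).
LOG_RE = re.compile(
    r'msg="\[(?P<proto>TCP|UDP)\] (?P<src>[\d.]+):(?P<sport>\d+) --> '
    r'(?P<dst>[\d.]+)(?::\d+)? match (?P<rule>\S+) using (?P<policy>\S+)"'
)
FAKE_IP_NET = ipaddress.ip_network("198.18.0.0/16")  # Clash's default fake-ip range

def parse_clash_line(line):
    """Return the fields of one connection entry, or None for any other log line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def find_fake_ip_loops(lines, router_ips, threshold=5):
    """Count connections the router itself opens to a fake-ip address that Clash then
    hands to DIRECT. A fake-ip is not routable, so with the openclash_output redirect in
    place the packet re-enters Clash and the cycle repeats until file descriptors run out."""
    hits = Counter()
    for line in lines:
        e = parse_clash_line(line)
        if e is None or e["src"] not in router_ips or e["policy"] != "DIRECT":
            continue
        if ipaddress.ip_address(e["dst"]) in FAKE_IP_NET:
            hits[e["dst"]] += 1
    return {dst: n for dst, n in hits.items() if n >= threshold}

def has_fake_ip_guard(rules):
    """True if an IP-CIDR REJECT for the fake-ip range precedes the catch-all MATCH,
    i.e. the guard rule the maintainer says newer versions append automatically."""
    for rule in rules:
        parts = [p.strip() for p in rule.split(",")]
        if parts[0] == "MATCH":
            return False  # anything after MATCH is never reached
        if parts[0] == "IP-CIDR" and len(parts) >= 3 and parts[2] == "REJECT" \
                and ipaddress.ip_network(parts[1], strict=False) == FAKE_IP_NET:
            return True
    return False

# Constructed sample: seven router-originated DIRECT hits plus a normal LAN client entry.
SAMPLE_LOG = [
    'time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.1.153:%d --> '
    '198.18.0.138 match Match using DIRECT"' % p for p in range(46156, 46170, 2)
] + [
    'time="2020-06-01T18:49:44Z" level=info msg="[TCP] 192.168.251.20:51000 --> 198.18.0.26 match Match using Proxy"',
    "2020-06-01 18:49:44 Watchdog: Size Limit, Clean Up All Log Records.",
]
```

Feed it the router's Clash log (`find_fake_ip_loops(lines, {"<router WAN address>"})`) and the rule list from the running config; a non-empty result together with `has_fake_ip_guard(...)` returning False is the state this issue describes.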

crotoc commented 4 years ago

OK, it's indeed not there; I'll add it and give it a try. It has just started and there's no problem for now! After I commented out "-A openclash_output -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 7892" as above, it didn't affect the connections that unblock video either, so what is this rule for?

vernesong commented 4 years ago

> OK, it's indeed not there; I'll add it and give it a try. It has just started and there's no problem for now!
>
> After I commented out "-A openclash_output -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 7892" as above, it didn't affect the connections that unblock video either, so what is this rule for?

It is for proxying the router's own traffic.

crotoc commented 4 years ago

Thanks!

It has run stably for a day, so it should be fine; closing the issue.