
[Bug] In rule mode, traffic splitting does not work. Help requested #4855

@tsgo606

Description


Verify Steps

  • Tracker: I have already searched the Issue Tracker for the problem I am reporting
  • Branch: I know that the switch for the OpenClash Dev branch is located under Plugin Settings - Version Update, or I will manually download and install the Dev branch of OpenClash
  • Latest: I have tested with the latest Dev version and the problem still exists
  • Relevant: I know that OpenClash has no direct relationship with the Core, Dashboard, Subconverter and other projects; they only call each other
  • Definite: This is indeed a problem with OpenClash
  • Contributors: I am able to help develop OpenClash and fix this problem
  • Meaningless: What I am submitting is a meaningless request to rush an update or fix

OpenClash Version

v0.47.028

Bug on Environment

Official OpenWrt

OpenWrt Version

OpenWrt 24.10-SNAPSHOT (r0-984a219)

Bug on Platform

Linux-arm64

Describe the Bug

In rule mode, traffic splitting does not work. Help requested.

To Reproduce

Single-NIC side router (bypass gateway)
Firewall has a single zone, lan; input, output and forward are all set to accept; IP masquerading and MSS clamping are enabled; no other traffic or NAT rules
Only one interface, eth0

OpenWrt version 24.10

Self-hosted mosdns listening on port 5353; dnsmasq forwards to 127.0.0.1#5353; domestic/foreign domain splitting

OpenClash version v0.47.028
Enabled options:
Redir-Host mixed mode
Bypass mainland China addresses
Route local host
Bypass server addresses
Domain sniffing disabled
DNS proxy disabled
Streaming unlock disabled
DNS hijacking disabled
Three custom upstream DNS servers pointing to 127.0.0.1:5353

It had been working fine before; today external network access suddenly stopped. Rule mode no longer works, and only Global mode can reach the external network.
In rule mode, I can't see any connections at all in the dashboard's connections page?
It seems that traffic splitting has failed and the firewall modification did not succeed??

By chance I found this in the log:
2025-11-19 15:40:29 【10/10】5 分钟内重置已超过限制次数,跳过本次 OpenClash 防火墙规则重置...
2025-11-19 15:40:22 【10/10】5 分钟内重置已超过限制次数,跳过本次 OpenClash 防火墙规则重置...
2025-11-19 15:40:07 【10/10】5 分钟内重置已超过限制次数,跳过本次 OpenClash 防火墙规则重置...
2025-11-19 15:40:00 【10/10】5 分钟内重置已超过限制次数,跳过本次 OpenClash 防火墙规则重置...

OpenClash Log

Plugin log:
2025-11-19 15:25:19 提示:OpenClash 启动成功,请等待服务器上线!
2025-11-19 15:25:19 提示:开始添加自定义防火墙规则...
2025-11-19 15:25:19 提示:正在根据防火墙端口转发和防火墙通信规则添加端口绕过规则...
2025-11-19 15:25:16 提示:检测到 Firewall4,使用 NFTABLE 规则...
2025-11-19 15:25:16 提示:DNS 劫持未开启...
2025-11-19 15:25:09 第六步: 内核状态检查及防火墙规则设置...
2025-11-19 15:25:09 第五步: 添加计划任务,启动进程守护程序...
2025-11-19 15:25:09 第四步: 启动主程序...
2025-11-19 15:25:09 第三步: 快速启动模式,跳过修改配置文件...
2025-11-19 15:25:09 第二步: 组件运行前检查...
2025-11-19 15:25:07 第一步: 获取配置...
2025-11-19 15:25:07 提示:OpenClash 开始启动...

Core log:
2025-11-19 15:25:33 level=warning msg="[TCP] dial GLOBAL 192.168.199.62:56995 --> 142.250.198.110:443 error: connect failed: dial tcp 142.250.198.110:443: i/o timeout"
2025-11-19 15:25:28 level=warning msg="[TCP] dial GLOBAL 192.168.199.62:56992 --> 142.250.198.110:443 error: connect failed: dial tcp 142.250.198.110:443: i/o timeout"
2025-11-19 15:25:15 level=info msg="UI already exists, skip downloading"
2025-11-19 15:25:14 level=info msg="Start initial provider Bilibili"
2025-11-19 15:25:14 level=info msg="Start initial provider WeTV"
2025-11-19 15:25:14 level=info msg="Start initial provider AdBlock"
2025-11-19 15:25:14 level=info msg="Start initial provider TikTok"
2025-11-19 15:25:14 level=info msg="Start initial provider Niconico"
2025-11-19 15:25:14 level=info msg="Start initial provider PROXY"
2025-11-19 15:25:14 level=info msg="Start initial provider Abema TV"
2025-11-19 15:25:14 level=info msg="Start initial provider Steam"
2025-11-19 15:25:14 level=info msg="Start initial provider DMM"
2025-11-19 15:25:14 level=info msg="Start initial provider Fox+"
2025-11-19 15:25:14 level=info msg="Start initial provider YouTube"
2025-11-19 15:25:14 level=info msg="Start initial provider Speedtest"
2025-11-19 15:25:14 level=info msg="Start initial provider Microsoft"
2025-11-19 15:25:14 level=info msg="Start initial provider DAZN"
2025-11-19 15:25:14 level=info msg="Start initial provider Hulu Japan"
2025-11-19 15:25:14 level=info msg="Start initial provider JOOX"
2025-11-19 15:25:14 level=info msg="Start initial provider Pornhub"
2025-11-19 15:25:14 level=info msg="Start initial provider encoreTVB"
2025-11-19 15:25:14 level=info msg="Start initial provider Crypto"
2025-11-19 15:25:14 level=info msg="Start initial provider LAN"
2025-11-19 15:25:14 level=info msg="Start initial provider HTTPDNS"
2025-11-19 15:25:14 level=info msg="Start initial provider Hulu"
2025-11-19 15:25:14 level=info msg="Start initial provider Fox Now"
2025-11-19 15:25:14 level=info msg="Start initial provider Spotify"
2025-11-19 15:25:14 level=info msg="Start initial provider Youku"
2025-11-19 15:25:14 level=info msg="Start initial provider Soundcloud"
2025-11-19 15:25:14 level=info msg="Start initial provider Domestic"
2025-11-19 15:25:14 level=info msg="Start initial provider Disney Plus"
2025-11-19 15:25:14 level=info msg="Start initial provider Line TV"
2025-11-19 15:25:14 level=info msg="Start initial provider Amazon"
2025-11-19 15:25:14 level=info msg="Start initial provider myTV SUPER"
2025-11-19 15:25:14 level=info msg="Start initial provider AI Suite"
2025-11-19 15:25:14 level=info msg="Start initial provider ABC"
2025-11-19 15:25:14 level=info msg="Start initial provider Telegram"
2025-11-19 15:25:14 level=info msg="Start initial provider Apple Music"
2025-11-19 15:25:14 level=info msg="Start initial provider Scholar"
2025-11-19 15:25:14 level=info msg="Start initial provider Tencent Video"
2025-11-19 15:25:14 level=info msg="Start initial provider KKTV"
2025-11-19 15:25:14 level=info msg="Start initial provider BBC iPlayer"
2025-11-19 15:25:14 level=info msg="Start initial provider Discovery Plus"
2025-11-19 15:25:14 level=info msg="Start initial provider ViuTV"
2025-11-19 15:25:14 level=info msg="Start initial provider PBS"
2025-11-19 15:25:14 level=info msg="Start initial provider Bahamut"
2025-11-19 15:25:14 level=info msg="Start initial provider Max"
2025-11-19 15:25:14 level=info msg="Start initial provider Domestic IPs"
2025-11-19 15:25:14 level=info msg="Start initial provider Discord"
2025-11-19 15:25:14 level=info msg="Start initial provider KKBOX"
2025-11-19 15:25:14 level=info msg="Start initial provider Special"
2025-11-19 15:25:14 level=info msg="Start initial provider Apple"
2025-11-19 15:25:14 level=info msg="Start initial provider miHoYo"
2025-11-19 15:25:14 level=info msg="Start initial provider Letv"
2025-11-19 15:25:14 level=info msg="Start initial provider Apple News"
2025-11-19 15:25:14 level=info msg="Start initial provider Japonx"
2025-11-19 15:25:14 level=info msg="Start initial provider Pandora"
2025-11-19 15:25:14 level=info msg="Start initial provider IQIYI"
2025-11-19 15:25:14 level=info msg="Start initial provider F1 TV"
2025-11-19 15:25:14 level=info msg="Start initial provider PayPal"
2025-11-19 15:25:14 level=info msg="Start initial provider IQ"
2025-11-19 15:25:14 level=info msg="Start initial provider Netflix"
2025-11-19 15:25:14 level=info msg="Start initial provider Google FCM"
2025-11-19 15:25:14 level=info msg="Start initial provider Apple TV"
2025-11-19 15:25:14 level=info msg="Start initial provider Netease Music"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider miHoYo"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Spotify"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Discord"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Netflix"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Others"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Telegram"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Scholar"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Crypto"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider HTTPDNS"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider TikTok"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider AdBlock"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider YouTube"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Speedtest"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider CN Mainland TV"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Google FCM"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Apple TV"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Disney Plus"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Global TV"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider default"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Asian TV"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Steam"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Microsoft"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider AI Suite"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Proxy"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider PayPal"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Apple"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Domestic"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Max"
2025-11-19 15:25:14 level=info msg="Start initial compatible provider Auto - UrlTest"
2025-11-19 15:25:14 level=info msg="[TUN] Tun adapter listening at: utun([198.18.0.1/30],[]), mtu: 9000, auto route: false, auto redir: false, ip stack: Mixed"
2025-11-19 15:25:14 level=info msg="Mixed(http+socks) proxy listening at: [::]:7893"
2025-11-19 15:25:14 level=info msg="TProxy server listening at: [::]:7895"
2025-11-19 15:25:14 level=info msg="Redirect proxy listening at: [::]:7892"
2025-11-19 15:25:14 level=info msg="SOCKS proxy listening at: [::]:7891"
2025-11-19 15:25:14 level=info msg="DNS server(TCP) listening at: [::]:7874"
2025-11-19 15:25:14 level=info msg="DNS server(UDP) listening at: [::]:7874"
2025-11-19 15:25:14 level=info msg="HTTP proxy listening at: [::]:7890"
2025-11-19 15:25:14 level=info msg="Sniffer is closed"
2025-11-19 15:25:14 level=info msg="RESTful API listening at: [::]:9090"
2025-11-19 15:25:14 level=info msg="Initial configuration complete, total time: 2890ms"
2025-11-19 15:25:14 level=info msg="Finished initial GeoIP rule cn => dns.fallback-filter.geoip, records: 19252"
2025-11-19 15:25:14 level=info msg="Finished initial GeoIP rule cn => Domestic, records: 19252"
2025-11-19 15:25:11 level=info msg="Load GeoIP rule: cn"
2025-11-19 15:25:11 level=info msg="Geosite Matcher implementation: succinct"
2025-11-19 15:25:11 level=info msg="Geodata Loader mode: standard"
2025-11-19 15:25:11 level=info msg="Start initial configuration in progress"

Firewall rules:

root@OpenWrt:~# nft list ruleset
table inet fw4 {
    set china_ip_route {
            type ipv4_addr
            flags interval
            auto-merge
            elements = { 此处省略国内IP段 }
    }

    set china_ip_route_pass {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set localnetwork {
            type ipv4_addr
            flags interval
            auto-merge
            elements = { 0.0.0.0/8, 1.1.1.1,
                         10.0.0.0/8, 70.39.204.10,
                         100.64.0.0/10, 106.126.8.73,
                         106.126.8.81, 106.126.8.144-106.126.8.149,
                         113.108.84.71-113.108.84.72, 113.108.84.75,
                         113.108.84.98, 127.0.0.0/8,
                         148.178.21.17, 169.254.0.0/16,
                         172.16.0.0/12, 192.168.0.0/16,
                         210.0.255.250/31, 224.0.0.0/3 }
    }

    flowtable ft {
            hook ingress priority filter
            devices = { eth0, tun0 }
            counter
    }

    chain input {
            type filter hook input priority filter; policy accept;
            meta l4proto { tcp, udp } iifname "utun" counter packets 0 bytes 0 accept comment "OpenClash TUN Input"
            iif "lo" accept comment "!fw4: Accept traffic from loopback"
            ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
            iifname "eth0" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
            iifname "tun0" jump input_EasyTier comment "!fw4: Handle EasyTier IPv4/IPv6 input traffic"
    }

    chain forward {
            type filter hook forward priority filter; policy accept;
            meta l4proto { tcp, udp } iifname "utun" counter packets 1243 bytes 985609 accept comment "OpenClash TUN Forward"
            meta l4proto { tcp, udp } oifname "utun" counter packets 753 bytes 281347 accept comment "OpenClash TUN Forward"
            meta l4proto { tcp, udp } flow add @ft
            ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
            iifname "eth0" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
            iifname "tun0" jump forward_EasyTier comment "!fw4: Handle EasyTier IPv4/IPv6 forward traffic"
            jump upnp_forward comment "Hook into miniupnpd forwarding chain"
    }

    chain output {
            type filter hook output priority filter; policy accept;
            oif "lo" accept comment "!fw4: Accept traffic towards loopback"
            ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
            oifname "eth0" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
            oifname "tun0" jump output_EasyTier comment "!fw4: Handle EasyTier IPv4/IPv6 output traffic"
    }

    chain prerouting {
            type filter hook prerouting priority filter; policy accept;
            iifname "eth0" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
    }

    chain handle_reject {
            meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
            reject comment "!fw4: Reject any other traffic"
    }

    chain input_lan {
            jump accept_from_lan
    }

    chain output_lan {
            jump accept_to_lan
    }

    chain forward_lan {
            jump accept_to_EasyTier comment "!fw4: Accept lan to EasyTier forwarding"
            jump accept_to_lan
    }

    chain helper_lan {
    }

    chain accept_from_lan {
            iifname "eth0" counter packets 2739 bytes 3991723 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }

    chain accept_to_lan {
            oifname "eth0" counter packets 4452 bytes 892955 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }

    chain input_EasyTier {
            jump accept_from_EasyTier
    }

    chain output_EasyTier {
            jump accept_to_EasyTier
    }

    chain forward_EasyTier {
            jump accept_to_lan comment "!fw4: Accept EasyTier to lan forwarding"
            jump accept_to_EasyTier
    }

    chain accept_from_EasyTier {
            iifname "tun0" counter packets 0 bytes 0 accept comment "!fw4: accept EasyTier IPv4/IPv6 traffic"
    }

    chain accept_to_EasyTier {
            meta nfproto ipv4 oifname "tun0" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
            oifname "tun0" counter packets 11 bytes 888 accept comment "!fw4: accept EasyTier IPv4/IPv6 traffic"
    }

    chain dstnat {
            type nat hook prerouting priority dstnat; policy accept;
            jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
            ip protocol tcp counter packets 55 bytes 5625 jump openclash
    }

    chain srcnat {
            type nat hook postrouting priority srcnat; policy accept;
            meta nfproto ipv4 oifname "utun" counter packets 27 bytes 34506 return comment "OpenClash TUN Postrouting"
            oifname "tun0" jump srcnat_EasyTier comment "!fw4: Handle EasyTier IPv4/IPv6 srcnat traffic"
            jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
    }

    chain srcnat_EasyTier {
            meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 EasyTier traffic"
    }

    chain raw_prerouting {
            type filter hook prerouting priority raw; policy accept;
    }

    chain raw_output {
            type filter hook output priority raw; policy accept;
    }

    chain mangle_prerouting {
            type filter hook prerouting priority mangle; policy accept;
            ip protocol udp counter packets 5047 bytes 3525989 jump openclash_mangle
    }

    chain mangle_postrouting {
            type filter hook postrouting priority mangle; policy accept;
            oifname "eth0" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 egress MTU fixing"
            oifname "tun0" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone EasyTier IPv4/IPv6 egress MTU fixing"
    }

    chain mangle_input {
            type filter hook input priority mangle; policy accept;
    }

    chain mangle_output {
            type route hook output priority mangle; policy accept;
            meta nfproto ipv4 meta l4proto { tcp, udp } counter packets 7940 bytes 10027357 jump openclash_mangle_output
    }

    chain mangle_forward {
            type filter hook forward priority mangle; policy accept;
            iifname "eth0" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 ingress MTU fixing"
            iifname "tun0" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone EasyTier IPv4/IPv6 ingress MTU fixing"
    }

    chain upnp_forward {
    }

    chain upnp_prerouting {
    }

    chain upnp_postrouting {
    }

    chain nat_output {
            type nat hook output priority filter - 1; policy accept;
            ip protocol tcp counter packets 185 bytes 11100 jump openclash_output
    }

    chain openclash {
            ip daddr != 198.18.0.0/16 ip saddr @localnetwork tcp sport 53 counter packets 0 bytes 0 return comment "53"
            meta nfproto ipv4 tcp sport 11011 counter packets 0 bytes 0 return
            meta nfproto ipv4 tcp sport 11012 counter packets 0 bytes 0 return
            meta nfproto ipv4 tcp sport 11010 counter packets 0 bytes 0 return
            ip daddr @localnetwork counter packets 12 bytes 624 return
            ct direction reply counter packets 0 bytes 0 return
            ip daddr @china_ip_route ip daddr != @china_ip_route_pass counter packets 3 bytes 156 return
            ip protocol tcp counter packets 40 bytes 4845 redirect to :7892
    }

    chain openclash_output {
            ip daddr != 198.18.0.0/16 ip saddr @localnetwork tcp sport 53 counter packets 0 bytes 0 return comment "53"
            meta nfproto ipv4 tcp sport 11011 counter packets 0 bytes 0 return
            meta nfproto ipv4 tcp sport 11012 counter packets 0 bytes 0 return
            meta nfproto ipv4 tcp sport 11010 counter packets 0 bytes 0 return
            meta skgid 65534 counter packets 125 bytes 7500 return
            ip daddr @localnetwork counter packets 51 bytes 3060 return
            ct direction reply counter packets 0 bytes 0 return
            ip daddr @china_ip_route ip daddr != @china_ip_route_pass counter packets 4 bytes 240 return
            ip protocol tcp counter packets 5 bytes 300 redirect to :7892
    }

    chain openclash_mangle_output {
            ip daddr != 198.18.0.0/16 ip saddr @localnetwork udp sport 53 counter packets 65 bytes 10514 return comment "53"
            meta nfproto ipv4 udp sport 11010 counter packets 0 bytes 0 return
            meta skgid 65534 counter packets 4420 bytes 6954078 return
            ip daddr @localnetwork counter packets 2192 bytes 2651547 return
            ct direction reply counter packets 41 bytes 2636 return
            meta l4proto { tcp, udp } ip daddr 198.18.0.0/16 meta mark set 0x00000162 counter packets 0 bytes 0
            ip daddr @china_ip_route ip daddr != @china_ip_route_pass counter packets 1149 bytes 401338 return
            meta l4proto udp meta mark set 0x00000162 counter packets 0 bytes 0
    }

    chain openclash_mangle {
            ip daddr != 198.18.0.0/16 ip saddr @localnetwork udp sport 53 counter packets 30 bytes 5478 return comment "53"
            meta nfproto ipv4 udp sport 11010 counter packets 0 bytes 0 return
            meta l4proto { tcp, udp } iifname "utun" counter packets 1243 bytes 985609 return
            ip daddr @localnetwork counter packets 3018 bytes 2250938 return
            ct direction reply counter packets 0 bytes 0 return
            ip daddr @china_ip_route ip daddr != @china_ip_route_pass counter packets 3 bytes 2617 return
            ip protocol udp counter packets 753 bytes 281347 jump openclash_upnp
            meta mark set 0x00000162 counter packets 753 bytes 281347
    }

    chain openclash_upnp {
    }

}
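Added example, not code from the reporter or from the OpenClash project: a small offline Python diagnostic that performs the two checks a maintainer would want on a report like this one. It parses plugin-log lines in the format quoted above and reports the largest number of "reset skipped" messages that fall inside any 5-minute window, and it parses `nft list ruleset` text to confirm that the rules a working Redir-Host rule-mode setup installs (the dstnat jump to the openclash chain, the redirect to :7892, the mangle_prerouting jump and the 0x162 mark) are still present. The sample log lines and the first ruleset excerpt are constructed from the text of this report; the second ruleset is a hypothetical fw4 table in which the OpenClash chains are absent, as they would be if a rule reset never completed. The function names and the EXPECTED list are this example's own choices.

```python
import re
from datetime import datetime, timedelta

# Text the plugin writes when it rate-limits its own firewall-rule reset
# (kept in the original language because that is what appears in the log).
RESET_SKIP_MARKER = "跳过本次 OpenClash 防火墙规则重置"
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

# Constructed sample: plugin-log lines in the format quoted in the report.
SAMPLE_LOG = """\
2025-11-19 15:40:29 【10/10】5 分钟内重置已超过限制次数,跳过本次 OpenClash 防火墙规则重置...
2025-11-19 15:40:22 【10/10】5 分钟内重置已超过限制次数,跳过本次 OpenClash 防火墙规则重置...
2025-11-19 15:40:07 【10/10】5 分钟内重置已超过限制次数,跳过本次 OpenClash 防火墙规则重置...
2025-11-19 15:40:00 【10/10】5 分钟内重置已超过限制次数,跳过本次 OpenClash 防火墙规则重置...
2025-11-19 15:25:19 提示:OpenClash 启动成功,请等待服务器上线!
"""

# Constructed excerpt of the working ruleset from the report (sets and fw4 zone chains trimmed).
RULESET_OK = """\
table inet fw4 {
    chain dstnat {
            type nat hook prerouting priority dstnat; policy accept;
            ip protocol tcp counter packets 55 bytes 5625 jump openclash
    }

    chain mangle_prerouting {
            type filter hook prerouting priority mangle; policy accept;
            ip protocol udp counter packets 5047 bytes 3525989 jump openclash_mangle
    }

    chain openclash {
            ip daddr @localnetwork counter packets 12 bytes 624 return
            ip daddr @china_ip_route ip daddr != @china_ip_route_pass counter packets 3 bytes 156 return
            ip protocol tcp counter packets 40 bytes 4845 redirect to :7892
    }

    chain openclash_mangle {
            ip daddr @china_ip_route ip daddr != @china_ip_route_pass counter packets 3 bytes 2617 return
            meta mark set 0x00000162 counter packets 753 bytes 281347
    }
}
"""

# Hypothetical: the same table after a rule reset that never completed (OpenClash chains gone).
RULESET_BROKEN = """\
table inet fw4 {
    chain dstnat {
            type nat hook prerouting priority dstnat; policy accept;
    }

    chain mangle_prerouting {
            type filter hook prerouting priority mangle; policy accept;
    }
}
"""

def parse_log(text):
    """Return (timestamp, message) tuples, oldest first, skipping lines without a timestamp."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return sorted(entries)

def max_reset_skips(entries, window=timedelta(minutes=5)):
    """Largest number of 'reset skipped' messages found inside any sliding window."""
    times = [t for t, msg in entries if RESET_SKIP_MARKER in msg]
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def nft_chains(ruleset):
    """Map chain name -> list of rule lines, parsed from `nft list ruleset` text."""
    chains, current = {}, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = re.match(r"chain (\S+) \{$", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current is not None:
            if line == "}":
                current = None          # chain body closed
            elif line:
                chains[current].append(line)
    return chains

# (chain, rule fragment) pairs that the working ruleset in the report contains.
EXPECTED = [
    ("dstnat", "jump openclash"),
    ("openclash", "redirect to :7892"),
    ("mangle_prerouting", "jump openclash_mangle"),
    ("openclash_mangle", "meta mark set 0x00000162"),
    ("openclash_mangle", "ip daddr @china_ip_route ip daddr != @china_ip_route_pass"),
]

def check_ruleset(ruleset):
    """Return human-readable findings; an empty list means every expected hook is present."""
    chains = nft_chains(ruleset)
    findings, reported_missing = [], set()
    for chain, fragment in EXPECTED:
        rules = chains.get(chain)
        if rules is None:
            if chain not in reported_missing:
                reported_missing.add(chain)
                findings.append(f"chain {chain} missing")
        elif not any(fragment in rule for rule in rules):
            findings.append(f"chain {chain}: no rule containing '{fragment}'")
    return findings

if __name__ == "__main__":
    print("reset skips within 5 minutes:", max_reset_skips(parse_log(SAMPLE_LOG)))
    for label, rs in (("working", RULESET_OK), ("broken", RULESET_BROKEN)):
        print(label, check_ruleset(rs) or "all expected OpenClash hooks present")
```

Run it as a script to see the two sample results, or pass saved copies of the plugin log and of the ruleset to `parse_log` and `check_ruleset`. A non-empty findings list together with repeated reset-skip messages means the firewall rules did not survive a reset and the rate limiter is now preventing their recovery; an empty list, as for the ruleset in this report, means the redirect and mangle hooks are in place and the cause has to be looked for elsewhere (the core log above shows GLOBAL dials timing out, which is a connectivity question rather than a rule question).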
