[Bug] TUN: 1.18.6 added a new route that makes replies to inbound packets all go through the TUN interface
zeyugao opened this issue · comments
Verify steps
- I have read the documentation and understand the meaning of all configuration items I have written, avoiding a large number of seemingly useful options or default values.
- I have not reviewed the documentation and resolve this issue.
- I have not searched the Issue Tracker for the problem I am going to raise.
- I have tested with the latest Alpha branch version, and the issue still persists.
- I have provided server and client configuration files and processes that can reproduce the issue locally, rather than a desensitized complex client configuration file.
- I have provided the simplest configuration that can reproduce the error I reported, rather than relying on remote servers, TUN, graphical client interfaces, or other closed-source software.
- I have provided complete configuration files and logs, rather than providing only parts that I believe are useful due to confidence in my own intelligence.
Operating System
Linux
System Version
Ubuntu 22.04
Mihomo Version
Mihomo Meta v1.18.6 linux amd64 with go1.22.4 Mon Jul 1 15:01:54 UTC 2024
Use tags: with_gvisor
Configuration File
```yaml
find-process-mode: strict
mode: rule
tun:
  enable: true
  stack: system # gvisor/mixed
  dns-hijack:
    - any:53
  auto-detect-interface: true # detect the egress interface automatically
  auto-route: true # set up the routing table
  inet4-route-address: # with auto-route enabled, use these custom routes instead of the default route
    - 0.0.0.0/1
    - 128.0.0.0/1
  inet6-address: null
sniffer:
  enable: false
# DNS configuration
dns:
  cache-algorithm: arc
  enable: true # disabling this falls back to the system DNS
  prefer-h3: true # enable HTTP/3 for DoH; both are tried concurrently
  listen: 0.0.0.0:53 # enable the DNS server listener
  default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
    - tls://1.12.12.12:853
    - tls://223.5.5.5:853
  enhanced-mode: fake-ip # or redir-host
  fake-ip-range: 198.18.0.1/16 # fake-ip pool
  fake-ip-filter:
    - '*.lan'
  nameserver:
    - 114.114.114.114 # default value
    - 8.8.8.8 # default value
    - tls://223.5.5.5:853 # DNS over TLS
    - https://doh.pub/dns-query # DNS over HTTPS
    - https://dns.alidns.com/dns-query#h3=true # force HTTP/3: independent of prefer-h3, forces HTTP/3 for this DoH server; unusable if the server does not support it
    - https://mozilla.cloudflare-dns.com/dns-query#DNS&h3=true # select the policy group "DNS" and use HTTP/3
    - quic://dns.adguard.com:784 # DNS over QUIC
  nameserver-policy:
    "geosite:cn,private,apple":
      - https://doh.pub/dns-query
      - https://dns.alidns.com/dns-query
    "geosite:category-ads-all": rcode://success
    "www.baidu.com,+.google.cn": [223.5.5.5, https://dns.alidns.com/dns-query]
```
Description
In 1.18.6 an extra rule was added that makes the replies to inbound traffic all go through the virtual interface, so inbound connections from outside no longer work.
Looking at the 1.18.6 release notes, the change on the TUN side feels related: 09be5cb#diff-06e23ea20a066a0e717b5eaa625dfd3f1d11439f4ad5bd705d16d6e1758b39c0, but judging by the new config in there it does not seem to be connected after all.
Reproduction Steps
With 1.18.6, after starting it, look at the routing rules; the relevant ones are:

```
9000: from all to 198.18.0.0/30 lookup 2022
9001: from all lookup 2022 suppress_prefixlength 0
9002: not from all dport 53 lookup main suppress_prefixlength 0
9002: from all ipproto icmp goto 9010
9002: from all iif Meta goto 9010
9003: not from all iif lo lookup 2022
9003: from 0.0.0.0 iif lo lookup 2022
9003: from 198.18.0.0/30 iif lo lookup 2022
9010: from all nop
```

But the rule at priority 9001 sends everything to the Meta device, so the replies of inbound connections, for example SSH, are sent into the Meta interface and the inbound connection cannot be established. If I manually add some source-in/source-out rules that skip the Meta routing, inbound works normally again:

```
ip rule add from xxx.xxx.xxx.xxx/24 goto 9010 priority 8998
```

In the previous version, 1.18.5, the ip rules did not contain this line: `from all lookup 2022 suppress_prefixlength 0`

```
9000: from all to 198.18.0.0/30 lookup 2022
9001: from all ipproto icmp goto 9010
9002: not from all dport 53 lookup main suppress_prefixlength 0
9002: not from all iif lo lookup 2022
9002: from 0.0.0.0 iif lo lookup 2022
9002: from 198.18.0.0/30 iif lo lookup 2022
9010: from all nop
```

Both use the same configuration file.
Logs
No response
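The following is an added example (the editor's own, not code from this issue, mihomo or sing-box): a small Python model of Linux policy routing that replays the two `ip rule` lists above together with the reporter's workaround. What it makes explicit is the kernel semantics of `suppress_prefixlength 0` on the new 9001 rule: a lookup in table 2022 that lands on a plain 0.0.0.0/0 default route is discarded and evaluation falls through to the later rules, but the two /1 routes that `inet4-route-address` installs are longer than /0, survive the suppression, and so rule 9001 captures the host's own replies, such as the SSH reply sent from its eth0 address. Under this model any setting that replaces the single /0 in table 2022 with longer prefixes would behave the same way; that generalization is the editor's, not something the page states. The host layout (10.0.0.5/24 on eth0, TUN `Meta` at 198.18.0.1/30, an SSH client at 203.0.113.7), the contents of the `main` table, the 10.0.0.0/24 substituted for the reporter's `xxx.xxx.xxx.xxx/24`, and the appended kernel rule `32766: from all lookup main` are constructed assumptions.

```python
"""Replays the `ip rule` sets posted in this issue against a small model of Linux policy routing.
Added example, not code from mihomo or sing-box. It implements only the selectors seen on this
page plus the kernel's suppress_prefixlength semantics: a lookup hit whose matched prefix length
is <= N is thrown away and evaluation continues with the next rule."""
import ipaddress


def parse_rule(line):
    """Parse one `ip rule show` line (the subset seen on this page) into a dict."""
    prio, rest = line.split(":", 1)
    r, toks = {"prio": int(prio), "action": "nop", "negate": False}, rest.split()
    while toks:
        t = toks.pop(0)
        if t == "not":
            r["negate"] = True
        elif t in ("from", "to"):
            v = toks.pop(0)
            if v != "all":                           # `from all` is how ip prints an unset selector
                r["src" if t == "from" else "dst"] = ipaddress.ip_network(v, strict=False)
        elif t in ("iif", "ipproto"):
            r[t] = toks.pop(0)
        elif t in ("dport", "suppress_prefixlength"):
            r[t] = int(toks.pop(0))
        elif t == "lookup":
            r["action"], r["table"] = "lookup", toks.pop(0)
        elif t == "goto":
            r["action"], r["goto"] = "goto", int(toks.pop(0))
        elif t != "nop":
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return r


def matches(r, p):
    hit = (("src" not in r or ipaddress.ip_address(p["src"]) in r["src"])
           and ("dst" not in r or ipaddress.ip_address(p["dst"]) in r["dst"])
           and all(k not in r or r[k] == p[k] for k in ("iif", "ipproto", "dport")))
    return not hit if r["negate"] else hit


def egress(rules, tables, p):
    """Walk the rules in priority order as the kernel does; return the chosen egress device."""
    rules = sorted(rules, key=lambda r: r["prio"])   # stable: keeps listed order within a priority
    dst, i = ipaddress.ip_address(p["dst"]), 0
    while i < len(rules):
        r = rules[i]
        if matches(r, p) and r["action"] == "goto":
            i = next((j for j, x in enumerate(rules) if x["prio"] >= r["goto"]), len(rules))
            continue
        if matches(r, p) and r["action"] == "lookup":
            hits = [(n, dev) for n, dev in tables.get(r["table"], []) if dst in n]
            best = max(hits, key=lambda h: h[0].prefixlen, default=None)   # longest prefix match
            if best and best[0].prefixlen > r.get("suppress_prefixlength", -1):
                return best[1]
        i += 1                                 # no match, nop, no route, or hit suppressed: next rule
    return None


# Rule lists copied from the issue, each followed by the kernel's implicit main-table rule.
RULES_1_18_6 = """\
9000: from all to 198.18.0.0/30 lookup 2022
9001: from all lookup 2022 suppress_prefixlength 0
9002: not from all dport 53 lookup main suppress_prefixlength 0
9002: from all ipproto icmp goto 9010
9002: from all iif Meta goto 9010
9003: not from all iif lo lookup 2022
9003: from 0.0.0.0 iif lo lookup 2022
9003: from 198.18.0.0/30 iif lo lookup 2022
9010: from all nop
32766: from all lookup main
"""
RULES_1_18_5 = """\
9000: from all to 198.18.0.0/30 lookup 2022
9001: from all ipproto icmp goto 9010
9002: not from all dport 53 lookup main suppress_prefixlength 0
9002: not from all iif lo lookup 2022
9002: from 0.0.0.0 iif lo lookup 2022
9002: from 198.18.0.0/30 iif lo lookup 2022
9010: from all nop
32766: from all lookup main
"""
WORKAROUND = "8998: from 10.0.0.0/24 goto 9010\n"  # reporter's `ip rule add`, assuming the host sits in 10.0.0.0/24
CUSTOM_TUN_ROUTES = ["0.0.0.0/1", "128.0.0.0/1"]   # inet4-route-address from the posted config
DEFAULT_TUN_ROUTES = ["0.0.0.0/0"]                 # what auto-route installs without inet4-route-address


def make_tables(tun_routes):
    """Constructed host: 10.0.0.5/24 on eth0, TUN `Meta` on 198.18.0.1/30, table 2022 = auto-route."""
    n = ipaddress.ip_network
    return {"main": [(n("0.0.0.0/0"), "eth0"), (n("10.0.0.0/24"), "eth0"), (n("198.18.0.0/30"), "Meta")],
            "2022": [(n(r), "Meta") for r in tun_routes]}


def egress_dev(rule_text, tun_routes, pkt):
    rules = [parse_rule(l.strip()) for l in rule_text.splitlines() if l.strip()]
    return egress(rules, make_tables(tun_routes), pkt)


# Locally generated packets are evaluated with iif lo; an unbound socket routes with source 0.0.0.0.
SSH_REPLY = {"src": "10.0.0.5", "dst": "203.0.113.7", "iif": "lo", "ipproto": "tcp", "dport": 51234}
APP_CONNECT = {"src": "0.0.0.0", "dst": "198.18.0.5", "iif": "lo", "ipproto": "tcp", "dport": 443}

if __name__ == "__main__":
    for label, text, routes in (("1.18.6 /1", RULES_1_18_6, CUSTOM_TUN_ROUTES), ("1.18.6 /0", RULES_1_18_6, DEFAULT_TUN_ROUTES),
                                ("1.18.5 /1", RULES_1_18_5, CUSTOM_TUN_ROUTES), ("workaround", WORKAROUND + RULES_1_18_6, CUSTOM_TUN_ROUTES)):
        print(label, "ssh reply ->", egress_dev(text, routes, SSH_REPLY), "app connect ->", egress_dev(text, routes, APP_CONNECT))
```

Run it directly to print the egress device for each scenario, or call `egress_dev(rule_text, tun_routes, packet)` yourself. The model knows only the selectors that appear on this page and skips the `local` table, so it is a reasoning aid for reading the rule lists, not a substitute for checking `ip route get` with `from` on the real host.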
```yaml
inet4-route-address: # with auto-route enabled, use these custom routes instead of the default route
  - 0.0.0.0/1
  - 128.0.0.0/1
```
Remove this.
I have observed something here: on a remote server running 1.18.6, setting any route-exclude-address at all, for example

```yaml
route-exclude-address:
  - 0.0.0.0/8
  - 10.0.0.0/8
  - 192.168.0.0/16
  - 172.16.0.0/12
```

also causes the SSH connection to drop; removing it does not.
1.18.5 and earlier versions do not have this problem.