clash
[Bug] Ping does not work in Tun mode; could traffic that cannot be proxied (ICMP) be handled in some way?
Verify steps
- [X] Is this something you can debug and fix? Send a pull request! Bug fixes and documentation fixes are welcome.
- [X] I have searched on the issue tracker for a related issue.
- [X] I have tested using the dev branch, and the issue still exists.
- [X] I have read the documentation and was unable to solve the issue.
- [X] This is an issue of the Clash core per se, not to the derivatives of Clash, like OpenClash or KoolClash.
Clash version
1.10.0
What OS are you seeing the problem on?
macOS
Clash config
# The config file needs to be placed at $HOME/.config/clash/config.yaml
# Rules for the lazy:
# https://github.com/Hackl0us/SS-Rule-Snippet/wiki/clash(X)
# Official documentation:
# https://github.com/Dreamacro/clash/wiki/Premium-Core-Features
# Third-party documentation:
# https://lancellc.gitbook.io/clash/clash-config-file/dns#fallback
mixed-port: 7890
allow-lan: false
bind-address: "*"
mode: rule
log-level: info
ipv6: true
external-controller: 127.0.0.1:9090
dns:
  enable: true
  listen: 0.0.0.0:53
  ipv6: true # when this option is false, AAAA queries return an empty response
  default-nameserver:
    - 119.29.29.29
    - 223.5.5.5
  enhanced-mode: fake-ip # or redir-host
  fake-ip-range: 198.18.0.1/16 # Fake IP address pool (CIDR notation)
  # use-hosts: true # look up hosts and return IP records
  # Domains in the list below are not resolved to a fake IP; queries for them return their real IP addresses
  fake-ip-filter:
    # The domain list below is based on the vernesong/OpenClash project, compiled and extended by Hackl0us
    - '*.lan'
  nameserver:
    - https://doh.pub/dns-query
    - https://dns.alidns.com/dns-query
  # When the fallback parameter is configured, DNS requests are sent at the same time to every DNS server in the nameserver list above and the fallback list below.
  # When the resolved IP address is not geolocated in CN, clash uses the result from the DNS servers in fallback.
  # fallback:
  #   - https://1.1.1.1/dns-query
  #   - https://dns.google/dns-query
  # https://raw.githubusercontent.com/Loyalsoldier/geoip/release/Country.mmdb
  # https://github.com/Hackl0us/GeoIP2-CN/raw/release/Country.mmdb
  fallback-filter:
    geoip: false
    ipcidr:
      - 0.0.0.0/8
      - 10.0.0.0/8
      - 100.64.0.0/10
      - 127.0.0.0/8
      - 169.254.0.0/16
      - 172.16.0.0/12
      - 192.0.0.0/24
      - 192.0.2.0/24
      - 192.88.99.0/24
      - 192.168.0.0/16
      - 198.18.0.0/15
      - 198.51.100.0/24
      - 203.0.113.0/24
      - 224.0.0.0/4
      - 240.0.0.0/4
      - 255.255.255.255/32
    domain:
      - '+.google.com'
      - '+.facebook.com'
      - '+.youtube.com'
      - '+.githubusercontent.com'
      - '+.googlevideo.com'
tun:
  enable: true
  stack: system # system or gvisor
  auto-route: true
  auto-detect-interface: true
  dns-hijack:
    - tcp://8.8.8.8:53
    - tcp://8.8.4.4:53
proxy-groups:
  - name: 自建节点
    type: select
    icon: https://raw.githubusercontent.com/Orz-3/mini/master/Color/Personal.png
    proxies:
      - VPS.1
      - VPS.2
  - name: 苹果服务
    type: select
    icon: https://raw.githubusercontent.com/Orz-3/mini/master/Color/Apple.png
    proxies:
      - DIRECT
      - 自建节点
  - name: 微软服务
    type: select
    icon: https://raw.githubusercontent.com/Orz-3/mini/master/Color/Microsoft.png
    proxies:
      - DIRECT
      - 自建节点
  - name: 漏网之鱼
    type: select
    icon: https://raw.githubusercontent.com/Orz-3/mini/master/Color/Final.png
    proxies:
      - DIRECT
      - 自建节点
  - name: 游戏平台
    type: select
    icon: https://raw.githubusercontent.com/Orz-3/mini/master/Color/XD.png
    proxies:
      - DIRECT
      - 自建节点
  - name: 广告拦截
    type: select
    icon: https://raw.githubusercontent.com/Orz-3/mini/master/Color/Adblock.png
    proxies:
      - REJECT
      - DIRECT
# https://github.com/Loyalsoldier/clash-rules
rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400
  icloud:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt"
    path: ./ruleset/icloud.yaml
    interval: 86400
  apple:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt"
    path: ./ruleset/apple.yaml
    interval: 86400
  google:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
    path: ./ruleset/google.yaml
    interval: 86400
  proxy:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
    path: ./ruleset/proxy.yaml
    interval: 86400
  direct:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
    path: ./ruleset/direct.yaml
    interval: 86400
  private:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt"
    path: ./ruleset/private.yaml
    interval: 86400
  gfw:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
    path: ./ruleset/gfw.yaml
    interval: 86400
  greatfire:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/greatfire.txt"
    path: ./ruleset/greatfire.yaml
    interval: 86400
  tld-not-cn:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt"
    path: ./ruleset/tld-not-cn.yaml
    interval: 86400
  telegramcidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt"
    path: ./ruleset/telegramcidr.yaml
    interval: 86400
  cncidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
    path: ./ruleset/cncidr.yaml
    interval: 86400
  lancidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt"
    path: ./ruleset/lancidr.yaml
    interval: 86400
  applications:
    type: http
    behavior: classical
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt"
    path: ./ruleset/applications.yaml
    interval: 86400
rules:
  - DOMAIN,plugins.jetbrains.com,自建节点
  - DOMAIN,officecdn-microsoft-com.akamaized.net,自建节点
  - DOMAIN-SUFFIX,parastorage.com,自建节点
  - DOMAIN-SUFFIX,wixmp.com,自建节点
  - RULE-SET,applications,DIRECT
  - DOMAIN,clash.razord.top,DIRECT
  - DOMAIN,yacd.haishan.me,DIRECT
  - RULE-SET,icloud,苹果服务
  - RULE-SET,apple,苹果服务
  - RULE-SET,private,DIRECT
  - RULE-SET,reject,REJECT
  - RULE-SET,tld-not-cn,自建节点
  - RULE-SET,gfw,自建节点
  - RULE-SET,greatfire,自建节点
  - RULE-SET,telegramcidr,自建节点
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,漏网之鱼
Clash log
No response
Description
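After enabling tun mode, I cannot ping any address; with it turned off, ping works normally. I know ICMP is not proxied by clash, but why does that stop it from working? Is manually toggling tun mode each time the only option?
ICMP is not proxied by clash, but it is received by the tun, so a fake ICMP reply is returned.
So the only option is to toggle it manually? Can't the tun just forward it out directly?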
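I'm running into the same problem here. During local development I use ping to verify whether a target machine is alive. With tun enabled, pinging any local address succeeds, even an address that does not exist.
> I'm running into the same problem here. During local development I use ping to verify whether a target machine is alive. With tun enabled, pinging any local address succeeds, even an address that does not exist.
You could take a different approach and check whether the service is alive.
> I'm running into the same problem here. During local development I use ping to verify whether a target machine is alive. With tun enabled, pinging any local address succeeds, even an address that does not exist.
I recommend a tool of mine for bypassing clash: https://github.com/Kr328/without-clash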
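> https://github.com/Kr328/without-clash
clash simply should not handle traffic that it cannot proxy
> https://github.com/Kr328/without-clash
> clash simply should not handle traffic that it cannot proxy
Do you know that the DNS enhanced mode clash currently recommends is fake-ip?
Also, clash's tun responds to ping requests.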
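Currently, the route policy added by clash premium's auto-route forwards everything that matches default to the tun. You don't actually have to do it this way; then the IP you want to ping will most likely not reach the tun.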
$ ip rule
0: from all lookup local
9000: not from all dport 53 lookup main suppress_prefixlength 0
9010: not from all iif lo lookup 1970566510
9020: from 0.0.0.0 iif lo uidrange 0-4294967294 lookup 1970566510
9030: from 198.18.0.1 iif lo uidrange 0-4294967294 lookup 1970566510
32766: from all lookup main
32767: from all lookup default
9000: not from all dport 53 lookup main suppress_prefixlength 0
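suppress_prefixlength 0 filters out packets that match the default destination and moves on to the next rule, so the traffic still goes through the tun.
Remove suppress_prefixlength 0, i.e.:
9000: not from all dport 53 lookup main
This way traffic can skip the tun, but requests made directly by IP can no longer go through the tun; in fake-ip mode, though, this does not seem to have much impact.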
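> I'm running into the same problem here. During local development I use ping to verify whether a target machine is alive. With tun enabled, pinging any local address succeeds, even an address that does not exist.
According to the ip policy and routes that clash sets up, local addresses should not go through clash.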
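The rule walk discussed in the comments above, modeled as an added example that is not part of the original thread: a default-route match in main is suppressed by rule 9000, so a locally generated ping falls through to table 1970566510, while an on-link LAN address is answered from main. The routing-table contents and the device names eth0 and utun are constructed assumptions.

```python
import ipaddress

# Constructed tables (assumptions, not from the thread): a LAN plus default
# gateway on eth0 in "main", and only a default route to the tun device in
# Clash's table 1970566510. Device names eth0/utun are placeholders.
TABLES = {
    "main": [("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "eth0")],
    "1970566510": [("0.0.0.0/0", "utun")],
}

def rules(suppress_9000=True):
    """Rules from the `ip rule` listing (local/default tables left out) as
    (priority, selector, table, suppress_prefixlength). The uidrange on
    9020/9030 covers every uid, so it is not modeled."""
    tun = "1970566510"
    return [
        (9000, lambda p: p["dport"] != 53, "main", 0 if suppress_9000 else None),
        (9010, lambda p: p["iif"] != "lo", tun, None),
        (9020, lambda p: p["iif"] == "lo" and p["src"] == "0.0.0.0", tun, None),
        (9030, lambda p: p["iif"] == "lo" and p["src"] == "198.18.0.1", tun, None),
        (32766, lambda p: True, "main", None),
    ]

def longest_match(table, dst):
    """Longest-prefix match in one table: (prefixlen, dev) or None."""
    addr = ipaddress.ip_address(dst)
    hits = []
    for cidr, dev in TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if addr in net:
            hits.append((net.prefixlen, dev))
    return max(hits) if hits else None

def route(dst, dport=None, iif="lo", src="0.0.0.0", suppress_9000=True):
    """Walk the rules in priority order; return (priority, dev) of the rule
    that routes the packet. dport=None stands for ICMP, iif="lo" for a
    locally generated packet whose source address is not yet chosen."""
    pkt = {"dport": dport, "iif": iif, "src": src}
    for prio, selector, table, suppress in rules(suppress_9000):
        if not selector(pkt):
            continue
        hit = longest_match(table, dst)
        # suppress_prefixlength N discards a match of N bits or fewer, so
        # with N = 0 a default-route hit falls through to the next rule.
        if hit is None or (suppress is not None and hit[0] <= suppress):
            continue
        return prio, hit[1]
    return None
```

Calling `route("8.8.8.8")` and `route("8.8.8.8", suppress_9000=False)` shows the difference the removed option makes for a ping to a public address.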
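Can protocols that are not proxied, such as ICMP, be forwarded out directly? As things are now, when running on a router you can still add routing tables, but on the local machine I don't know how to do it.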