[Bug] In Redir-Host mode, when local DNS hijacking uses Dnsmasq forwarding, router self-proxy cannot be disabled #3354

Closed
4 tasks done
Centaurus99 opened this issue Jun 19, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@Centaurus99

Verify Steps

  • Tracker: I have searched the Issue Tracker for the problem I am about to report
  • Latest: I have tested with the latest Dev version and the problem still exists
  • Core: This is an OpenClash problem, not a problem specific to the Clash or Meta core I am using
  • Meaningful: What I am submitting is not a meaningless request to hurry an update or a fix

OpenClash Version

v0.45.121-beta

Bug on Environment

Official OpenWrt

Bug on Platform

Linux-amd64(x86-64)

To Reproduce

  1. Set the OpenClash running mode to Redir-Host (compatibility) mode
  2. Set local DNS hijacking to "use Dnsmasq forwarding"
  3. Set router self-proxy to off; inspecting the nftables rules shows that this did not take effect, as nat_output is still present

Describe the Bug

Looking at /etc/init.d/openclash, the condition for adding the nat_output, openclash_output and related chains is `if [ "$enable_redirect_dns" != "2" ] || [ "$router_self_proxy" = "1" ];`, which ORs in "not using Dnsmasq forwarding", as in the following two places:

```sh
if [ "$enable_redirect_dns" != "2" ] || [ "$router_self_proxy" = "1" ]; then
nft 'add chain inet fw4 openclash_output' 2>/dev/null
nft 'flush chain inet fw4 openclash_output' 2>/dev/null
nft 'add rule inet fw4 openclash_output ip daddr @localnetwork counter return' 2>/dev/null
nft 'add rule inet fw4 openclash_output ip saddr @localnetwork tcp sport @lan_ac_black_ports counter return' 2>/dev/null
if [ "$en_mode" = "fake-ip" ]; then
nft add rule inet fw4 openclash_output ip protocol tcp ip daddr { "$fakeip_range" } skuid != 65534 counter redirect to "$proxy_port" 2>/dev/null
fi
nft 'add rule inet fw4 openclash_output skuid != 65534 ip daddr @wan_ac_black_ips counter return' 2>/dev/null
if [ "$en_mode" = "redir-host" ]; then
nft add rule inet fw4 openclash_output tcp dport != @common_ports skuid != 65534 counter return 2>/dev/null
fi
if [ "$china_ip_route" = "1" ]; then
if [ "$enable_redirect_dns" != "2" ]; then
nft 'add rule inet fw4 openclash_output skuid != 65534 ip daddr @china_ip_route ip daddr != @china_ip_route_pass counter return' 2>/dev/null
else
nft 'add rule inet fw4 openclash_output skuid != 65534 ip daddr @china_ip_route counter return' 2>/dev/null
fi
fi
nft add rule inet fw4 openclash_output ip protocol tcp skuid != 65534 counter redirect to "$proxy_port" 2>/dev/null
nft 'add chain inet fw4 nat_output { type nat hook output priority -1; }' 2>/dev/null
nft 'add rule inet fw4 nat_output ip protocol tcp counter jump openclash_output' 2>/dev/null
fi
fi

if [ "$enable_redirect_dns" != "2" ] || [ "$router_self_proxy" = 1 ]; then
nft 'add chain inet fw4 openclash_output_v6' 2>/dev/null
nft 'flush chain inet fw4 openclash_output_v6' 2>/dev/null
nft 'add rule inet fw4 openclash_output_v6 ip6 daddr @localnetwork6 counter return' 2>/dev/null
nft 'add rule inet fw4 openclash_output_v6 ip6 saddr @localnetwork6 meta nfproto {ipv6} sport @lan_ac_black_ports counter return' 2>/dev/null
nft 'add rule inet fw4 openclash_output_v6 skuid != 65534 ip6 daddr @wan_ac_black_ipv6s counter return' 2>/dev/null
if [ "$en_mode" = "redir-host" ]; then
nft 'add rule inet fw4 openclash_output_v6 meta nfproto {ipv6} th dport != @common_ports skuid != 65534 counter return' 2>/dev/null
fi
if [ "$china_ip6_route" = "1" ]; then
if [ "$enable_redirect_dns" != "2" ]; then
nft 'add rule inet fw4 openclash_output_v6 skuid != 65534 ip6 daddr @china_ip6_route ip6 daddr != @china_ip6_route_pass counter return' 2>/dev/null
else
nft 'add rule inet fw4 openclash_output_v6 skuid != 65534 ip6 daddr @china_ip6_route counter return' 2>/dev/null
fi
fi
if [ "$ipv6_mode" -eq 2 ]; then
nft add rule inet fw4 openclash_output_v6 meta nfproto {ipv6} skuid != 65534 tcp dport { 0-65535 } mark set "$PROXY_FWMARK" counter 2>/dev/null
elif [ "$ipv6_mode" -eq 0 ]; then
nft add rule inet fw4 openclash_output_v6 meta nfproto {ipv6} skuid != 65534 tcp dport { 0-65535 } mark set "$PROXY_FWMARK" tproxy ip6 to :"$tproxy_port" counter accept comment \"OpenClash TCP Tproxy\" 2>/dev/null
fi
nft 'add chain inet fw4 nat_output { type nat hook output priority -1; }' 2>/dev/null
nft 'add rule inet fw4 nat_output ip protocol tcp counter jump openclash_output_v6' 2>/dev/null
fi
fi
```

So whenever Dnsmasq forwarding is in use (enable_redirect_dns = 1), router self-proxy gets enabled.

OpenClash Log

#===================== 系统信息 =====================#

主机型号: CWWK CW-MBX-AD12
固件版本: OpenWrt 22.03.5 r20134-5f15225c1e
LuCI版本: git-23.093.42303-d58cd69
内核版本: 6.2.11-2-pve
处理器架构: x86_64

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: server

DNS劫持: Dnsmasq 转发
#DNS劫持为Dnsmasq时,此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 已安装
unzip: 已安装
kmod-nft-tproxy: 已安装

#===================== 内核检查 =====================#

运行状态: 运行中
运行内核:Meta
进程pid: 217483
运行权限: 217483: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 
Tun内核文件: 不存在
Tun内核运行权限: 否

Dev内核版本: 
Dev内核文件: 不存在
Dev内核运行权限: 否

Meta内核版本: alpha-g6b1a438
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/config.yaml
启动配置文件: /etc/openclash/config.yaml
运行模式: redir-host
默认代理模式: rule
UDP流量转发(tproxy): 停用
自定义DNS: 停用
IPV6代理: 启用
IPV6-DNS解析: 启用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 启用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
路由本机代理: 停用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 自定义覆写设置 =====================#

#!/bin/sh
. /usr/share/openclash/ruby.sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom overwrite scripts here, they will be take effict after the OpenClash own srcipts

LOG_OUT "Tip: Start Running Custom Overwrite Scripts..."
LOGTIME=$(echo $(date "+%Y-%m-%d %H:%M:%S"))
LOG_FILE="/tmp/openclash.log"
CONFIG_FILE="$1" #config path

#Simple Demo:
    #General Demo
    #1--config path
    #2--key name
    #3--value
    #ruby_edit "$CONFIG_FILE" "['redir-port']" "7892"
    #ruby_edit "$CONFIG_FILE" "['secret']" "123456"
    #ruby_edit "$CONFIG_FILE" "['dns']['enable']" "true"

    #Hash Demo
    #1--config path
    #2--key name
    #3--hash type value
    #ruby_edit "$CONFIG_FILE" "['experimental']" "{'sniff-tls-sni'=>true}"
    #ruby_edit "$CONFIG_FILE" "['sniffer']" "{'sniffing'=>['tls','http']}"

    #Array Demo:
    #1--config path
    #2--key name
    #3--position(start from 0, end with -1)
    #4--value
    #ruby_arr_insert "$CONFIG_FILE" "['dns']['nameserver']" "0" "114.114.114.114"

    #Array Add From Yaml File Demo:
    #1--config path
    #2--key name
    #3--position(start from 0, end with -1)
    #4--value file path
    #5--value key name in #4 file
    #ruby_arr_add_file "$CONFIG_FILE" "['dns']['fallback-filter']['ipcidr']" "0" "/etc/openclash/custom/openclash_custom_fallback_filter.yaml" "['fallback-filter']['ipcidr']"

#Ruby Script Demo:
    #ruby -ryaml -rYAML -I "/usr/share/openclash" -E UTF-8 -e "
    #   begin
    #      Value = YAML.load_file('$CONFIG_FILE');
    #   rescue Exception => e
    #      puts '${LOGTIME} Error: Load File Failed,【' + e.message + '】';
    #   end;

        #General
    #   begin
    #   Thread.new{
    #      Value['redir-port']=7892;
    #      Value['tproxy-port']=7895;
    #      Value['port']=7890;
    #      Value['socks-port']=7891;
    #      Value['mixed-port']=7893;
    #   }.join;

    #   rescue Exception => e
    #      puts '${LOGTIME} Error: Set General Failed,【' + e.message + '】';
    #   ensure
    #      File.open('$CONFIG_FILE','w') {|f| YAML.dump(Value, f)};
    #   end" 2>/dev/null >> $LOG_FILE

exit 0
#===================== 自定义防火墙设置 =====================#

#!/bin/sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom firewall rules here, they will be added after the end of the OpenClash iptables rules

LOG_OUT "Tip: Start Add Custom Firewall Rules..."

exit 0
#===================== IPTABLES 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.7 on Tue Jun 20 00:13:21 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jun 20 00:13:21 2023

#IPv4 Mangle chain

# Generated by iptables-save v1.8.7 on Tue Jun 20 00:13:21 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jun 20 00:13:21 2023

#IPv4 Filter chain

# Generated by iptables-save v1.8.7 on Tue Jun 20 00:13:21 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Jun 20 00:13:21 2023

#IPv6 NAT chain


#IPv6 Mangle chain


#IPv6 Filter chain


#===================== NFTABLES 防火墙设置 =====================#

table inet fw4 {
	chain input {
		type filter hook input priority filter; policy accept;
		iifname "eth0" ip6 saddr != @localnetwork6 counter packets 228 bytes 118678 jump openclash_wan6_input
		udp dport 443 ip6 daddr != @china_ip6_route counter packets 0 bytes 0 reject with icmpv6 port-unreachable comment "OpenClash QUIC REJECT"
		udp dport 443 ip daddr != @china_ip_route counter packets 0 bytes 0 reject with icmp port-unreachable comment "OpenClash QUIC REJECT"
		iifname "eth0" ip saddr != @localnetwork counter packets 311 bytes 182679 jump openclash_wan_input
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
	}
}
table inet fw4 {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		jump handle_reject
	}
}
table inet fw4 {
	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		ip6 daddr { 2001:4860:4860::8844, 2001:4860:4860::8888 } tcp dport 53 counter packets 0 bytes 0 accept comment "OpenClash Google DNS Hijack"
		ip daddr { 8.8.4.4, 8.8.8.8 } tcp dport 53 counter packets 0 bytes 0 redirect to :7892 comment "OpenClash Google DNS Hijack"
		udp dport 53 counter packets 6 bytes 470 redirect to :53 comment "OpenClash DNS Hijack"
		tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "OpenClash DNS Hijack"
		ip protocol tcp counter packets 16 bytes 828 jump openclash
		meta nfproto ipv6 tcp dport 0-65535 counter packets 13 bytes 944 jump openclash_v6
	}
}
table inet fw4 {
	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth0" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
	}
}
table inet fw4 {
	chain nat_output {
		type nat hook output priority filter - 1; policy accept;
		ip protocol tcp counter packets 39 bytes 2340 jump openclash_output
		ip protocol tcp counter packets 36 bytes 2160 jump openclash_output_v6
	}
}
table inet fw4 {
	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}
}
table inet fw4 {
	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}
}
table inet fw4 {
	chain openclash {
		ip daddr @localnetwork counter packets 5 bytes 256 return
		ip protocol tcp counter packets 11 bytes 572 redirect to :7892
	}
}
table inet fw4 {
	chain openclash_output {
		ip daddr @localnetwork counter packets 2 bytes 120 return
		ip protocol tcp meta skuid != 65534 counter packets 3 bytes 180 redirect to :7892
	}
}
table inet fw4 {
	chain openclash_wan_input {
		udp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
		tcp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
	}
}
table inet fw4 {
	chain openclash_wan6_input {
		udp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
		tcp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
	}
}

OpenClash Config

No response

Expected Behavior

When using Dnsmasq forwarding, it should also be possible to disable router self-proxy.

Screenshots

No response
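The following is an added example and is not code from the issue or from the OpenClash project. It models the gate condition that the report quotes from /etc/init.d/openclash as a small function, prints the full truth table of the two settings, and adds a stdin filter that checks an `nft list ruleset` dump for the nat_output chain jumping into openclash_output, which is the check step 3 of "To Reproduce" performs by hand. The value meanings (`enable_redirect_dns` is "2" for firewall redirect hijack and "1" for Dnsmasq forwarding; `router_self_proxy` "1" means enabled) are taken from the quoted script and the report; the two ruleset dumps are constructed, abbreviated versions shaped like the NFTABLES section of the log.

```shell
#!/bin/sh
# Added example, not OpenClash code. Models the chain-creation gate quoted in
# the issue and checks a ruleset dump for the router self-proxy chains.

# Decide whether the nat_output / openclash_output chains get created, using
# exactly the condition quoted from /etc/init.d/openclash.
# $1: enable_redirect_dns ("2" = firewall redirect hijack, "1" = Dnsmasq forwarding)
# $2: router_self_proxy ("1" = enabled)
gate_as_quoted() {
    enable_redirect_dns="$1"
    router_self_proxy="$2"
    if [ "$enable_redirect_dns" != "2" ] || [ "$router_self_proxy" = "1" ]; then
        echo "create"
    else
        echo "skip"
    fi
}

# Enumerate every combination so it is visible which setting wins:
# only enable_redirect_dns=2 with router_self_proxy=0 skips the chains.
truth_table() {
    for dns in 0 1 2; do
        for self in 0 1; do
            printf 'enable_redirect_dns=%s router_self_proxy=%s -> %s\n' \
                "$dns" "$self" "$(gate_as_quoted "$dns" "$self")"
        done
    done
}

# Read `nft list ruleset` text on stdin; succeed (exit 0) when a nat_output
# chain exists and jumps into openclash_output, i.e. the router's own TCP
# traffic is being redirected to the proxy port.
self_proxy_active() {
    awk '/chain nat_output/ { n = 1 }
         /jump openclash_output/ { j = 1 }
         END { exit !(n && j) }'
}

# Constructed, abbreviated ruleset in the shape of the report's NFTABLES
# section: the output-hook chain is present, so self-proxy is active.
sample_dump_with_self_proxy() {
    cat <<'EOF'
table inet fw4 {
    chain nat_output {
        type nat hook output priority filter - 1; policy accept;
        ip protocol tcp counter packets 39 bytes 2340 jump openclash_output
    }
}
table inet fw4 {
    chain openclash_output {
        ip daddr @localnetwork counter packets 2 bytes 120 return
        ip protocol tcp meta skuid != 65534 counter packets 3 bytes 180 redirect to :7892
    }
}
EOF
}

# Constructed ruleset with only the prerouting chain and no output-hook chain:
# the state the reporter expected after turning router self-proxy off.
sample_dump_without_self_proxy() {
    cat <<'EOF'
table inet fw4 {
    chain openclash {
        ip daddr @localnetwork counter packets 5 bytes 256 return
        ip protocol tcp counter packets 11 bytes 572 redirect to :7892
    }
}
EOF
}

truth_table
if sample_dump_with_self_proxy | self_proxy_active; then
    echo "sample 1: router self-proxy rules present"
fi
if ! sample_dump_without_self_proxy | self_proxy_active; then
    echo "sample 2: router self-proxy rules absent"
fi
```

On a router, `nft list ruleset | self_proxy_active` (after sourcing the functions) reproduces the check from step 3 without reading the whole table by eye; the truth table shows that with the quoted condition the only combination that skips the chains is firewall-redirect hijack together with self-proxy off.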

@Centaurus99 Centaurus99 added the bug Something isn't working label Jun 19, 2023
zheshifandian pushed a commit to zheshifandian/OpenClash that referenced this issue Jun 22, 2023
zheshifandian pushed a commit to zheshifandian/OpenClash that referenced this issue Jun 22, 2023
zheshifandian pushed a commit to zheshifandian/OpenClash that referenced this issue Jun 25, 2023
zheshifandian pushed a commit to zheshifandian/OpenClash that referenced this issue Jun 28, 2023
zheshifandian pushed a commit to zheshifandian/OpenClash that referenced this issue Jul 2, 2023
zheshifandian pushed a commit to zheshifandian/OpenClash that referenced this issue Jul 6, 2023
oppen321 pushed a commit to oppen321/OpenClash that referenced this issue Sep 21, 2024