
[Bug] TUN mode replies to any ICMP echo request, even when the destination address is unreachable. #1698

Open · 9 tasks done
Czlun opened this issue Dec 5, 2024 · 7 comments
Labels: enhancement (New feature or request), priority: low

Comments

Czlun commented Dec 5, 2024

Verification steps

  • I have read the documentation and understand the meaning of every configuration item I wrote, rather than piling up seemingly useful options or default values.
  • I have read the documentation carefully and it did not solve the problem.
  • I have searched the Issue Tracker for the problem I am raising and did not find it.
  • I am a Chinese-language user, not a user of another language.
  • I have tested with the latest Alpha branch build and the problem persists.
  • I have provided server and client configuration files and a procedure that reproduce the problem locally, rather than a sanitized, complex client configuration.
  • I have provided the minimal configuration needed to reproduce the reported bug, rather than relying on remote servers or piling up configuration irrelevant to reproduction.
  • I have provided the complete log, rather than only the parts I considered useful out of confidence in my own intelligence.
  • I reproduced the bug directly with the Mihomo command-line program, not with other tools or scripts.

Operating system

Windows

System version

Windows 11 23H2 build 22631.4037

Mihomo version

Mihomo Meta v1.18.10 windows amd64 with go1.23.2 Sun Nov 3 09:22:18 UTC 2024

Configuration file

allow-lan: false
log-level: info
mixed-port: 7897
mode: rule
unified-delay: true
external-controller: 127.0.0.1:9097
external-controller-cors:
  allow-origins:
    - '*'
  allow-private-network: true
secret: ''
profile:
  store-selected: true
dns:
  default-nameserver:
    - 114.114.114.114
    - 223.5.5.5
    - 223.6.6.6
    - tls://223.5.5.5
    - 119.29.29.29
    - tls://1.12.12.12
    - tls://120.53.53.53
    - 8.8.8.8
    - 8.8.4.4
    - tls://8.8.8.8
    - 1.1.1.1
    - 1.0.0.1
    - tls://1.1.1.1
    - tls://1.0.0.1
    - system
  enable: true
  enhanced-mode: redir-host
  fake-ip-filter:
    - '*'
    - '*.lan'
    - '*.local'
    - '*.localdomain'
    - '*.example'
    - '*.invalid'
    - '*.localhost'
    - '*.test'
    - '*.home.arpa'
    - stun.*.*
    - stun.*.*.*
    - stun.*.*.*.*
    - +.stun.*.*
    - +.stun.*.*.*
    - +.stun.*.*.*.*
    - time.*.com
    - time.*.gov
    - time.*.edu.cn
    - time.*.apple.com
    - time1.*.com
    - time2.*.com
    - time3.*.com
    - time4.*.com
    - time5.*.com
    - time6.*.com
    - time7.*.com
    - ntp.*.com
    - ntp1.*.com
    - ntp2.*.com
    - ntp3.*.com
    - ntp4.*.com
    - ntp5.*.com
    - ntp6.*.com
    - ntp7.*.com
    - +.time.edu.cn
    - +.ntp.org.cn
    - +.ntp.org.cn
    - +.openwrt.pool.ntp.org
    - +.pool.ntp.org
    - time1.cloud.tencent.com
    - time.windows.com
    - time.nist.gov
    - time.apple.com
    - time.asia.apple.com
    - time1.cloud.tencent.com
    - time.ustc.edu.cn
    - pool.ntp.org
    - ntp.ubuntu.com
    - ntp.aliyun.com
    - ntp1.aliyun.com
    - ntp2.aliyun.com
    - ntp3.aliyun.com
    - ntp4.aliyun.com
    - ntp5.aliyun.com
    - ntp6.aliyun.com
    - ntp7.aliyun.com
    - time1.aliyun.com
    - time2.aliyun.com
    - time3.aliyun.com
    - time4.aliyun.com
    - time5.aliyun.com
    - time6.aliyun.com
    - time7.aliyun.com
    - time1.apple.com
    - time2.apple.com
    - time3.apple.com
    - time4.apple.com
    - time5.apple.com
    - time6.apple.com
    - time7.apple.com
    - time1.google.com
    - time2.google.com
    - time3.google.com
    - time4.google.com
    - +.google.com
    - +.music.163.com
    - +.126.net
    - +.taihe.com
    - +.kugou.com
    - +.kuwo.cn
    - api-jooxtt.sanook.com
    - api.joox.com
    - joox.com
    - +.y.qq.com
    - streamoc.music.tc.qq.com
    - mobileoc.music.tc.qq.com
    - isure.stream.qqmusic.qq.com
    - dl.stream.qqmusic.qq.com
    - aqqmusic.tc.qq.com
    - amobile.music.tc.qq.com
    - +.xiami.com
    - +.music.migu.cn
    - music.migu.cn
    - +.msftconnecttest.com
    - +.msftncsi.com
    - msftconnecttest.com
    - msftncsi.com
    - localhost.ptlogin2.qq.com
    - localhost.sec.qq.com
    - +.srv.nintendo.net
    - +.stun.playstation.net
    - xbox.*.microsoft.com
    - xnotify.xboxlive.com
    - +.ipv6.microsoft.com
    - +.battlenet.com.cn
    - +.wotgame.cn
    - +.wggames.cn
    - +.wowsgame.cn
    - +.wargaming.net
    - proxy.golang.org
    - heartbeat.belkin.com
    - +.linksys.com
    - +.linksyssmartwifi.com
    - +.router.asus.com
    - mesu.apple.com
    - swscan.apple.com
    - swquery.apple.com
    - swdownload.apple.com
    - swcdn.apple.com
    - swdist.apple.com
    - lens.l.google.com
    - stun.l.google.com
    - +.square-enix.com
    - +.finalfantasyxiv.com
    - +.ffxiv.com
    - +.ff14.sdo.com
    - ff.dorado.sdo.com
    - +.mcdn.bilivideo.cn
    - +.media.dssott.com
    - +.pvp.net
    - +.*.xboxlive.com
    - speedtest.cros.wr.pvp.net
  fake-ip-range: 198.18.0.1/16
  fallback:
    - 8.8.8.8
    - 8.8.4.4
    - tls://8.8.8.8
    - https://dns.google/dns-query
    - 1.1.1.1
    - 1.0.0.1
    - tls://1.1.1.1
    - tls://1.0.0.1
    - https://cloudflare-dns.com/dns-query
    - 9.9.9.9
    - 149.112.112.112
    - tls://dns.quad9.net
    - tls://jp.tiar.app
    - tls://dot.tiar.app
    - https://dns.quad9.net/dns-query
    - https://dns.google/dns-query
    - https://dns.cloudflare.com/dns-query
    - https://1.1.1.1/dns-query
    - https://public.dns.iij.jp/dns-query
    - https://jp.tiar.app/dns-query
    - https://jp.tiarap.org/dns-query
    - https://doh.dnslify.com/dns-query
    - https://dns.twnic.tw/dns-query
    - https://dns.oszx.co/dns-query
    - https://doh.applied-privacy.net/query
    - https://dnsforge.de/dns-query
    - https://doh.ffmuc.net/dns-query
    - https://doh.mullvad.net/dns-query
  fallback-filter:
    domain:
      - +.facebook.com
      - +.twitter.com
      - +.google.com
      - +.googleapis.com
      - +.google.cn
      - +.googleapis.cn
      - +.xn--ngstr-lra8j.com
      - +.googlevideo.com
      - +.gvt1.com
      - +.gmail.com
      - +.youtube.com
      - +.youtu.be
      - +.gvt0.com
      - +.gvt2.com
      - +.gvt3.com
      - +.gstatic.com
      - +.265.com
      - +.2mdn.net
      - +.app-measurement.com
      - +.c.admob.com
      - +.clickserve.dartsearch.net
      - +.crl.pki.goog
      - +.doubleclick.net
      - +.firebase-settings.crashlytics.com
      - +.google-analytics.com
      - +.googleadservices.com
      - +.googleanalytics.com
      - +.googleoptimize.com
      - +.googlesyndication.com
      - +.googletagmanager.com
      - +.googletagservices.com
    ipcidr:
      - 240.0.0.0/4
  ipv6: false
  listen: 127.0.0.1:8853
  nameserver:
    - 114.114.114.114
    - 223.5.5.5
    - 223.6.6.6
    - tls://dns.alidns.com
    - https://dns.alidns.com/dns-query
    - 119.29.29.29
    - tls://1.12.12.12
    - tls://120.53.53.53
    - https://doh.pub/dns-query
  use-system-hosts: false
tun:
  auto-detect-interface: true
  auto-route: true
  dns-hijack:
    - any:53
  enable: true
  stack: mixed
  strict-route: false

Description

Symptom: an ICMP echo request sent to any address receives a reply, and the reply time is 1 ms.

Request 1: when the destination address is unreachable, do not reply to ICMP.
Request 2: get the real ICMP round-trip time rather than 1 ms.

Steps to reproduce

Before enabling TUN mode, send an ICMP echo request to a non-existent LAN address. Receiving no ICMP reply is expected, because the destination address does not exist.
Enable TUN mode and make sure the routing rules send traffic to the TUN device. An ICMP echo request to a non-existent LAN address now receives a reply, with a reply time of 1 ms.

Logs

No response

Czlun added the bug (Something isn't working) label Dec 5, 2024

Czlun commented Dec 5, 2024

Re-uploaded the image.
[image]

Skyxim added the enhancement (New feature or request) label and removed the bug (Something isn't working) label Dec 5, 2024

JYbill commented Dec 9, 2024

  • System environment: macOS v15.1
  • Curious: does it hijack ICMP traffic?
[image]
  • Non-existent LAN IP
[image]

Czlun commented Dec 19, 2024

> • System environment: macOS v15.1
> • Curious: does it hijack ICMP traffic?
> [image] • Non-existent LAN IP [image]

Judging from your screenshot, you did get a reply:
64 bytes from x.x.x.x

Czlun commented Dec 19, 2024

This problem means that in a work setting I cannot perform normal network diagnostics (ping, traceroute, etc.). I have to turn TUN on and off many times a day, and turning TUN off breaks the TCP connections that go through it: the bastion hosts, VPNs and other network connections used at work are all disconnected.

qianlongzt commented

Only route the fake-ip range through the TUN:
[image]

tun:
  enable: true
  dns-hijack:
    - any:53
  stack: mixed
  auto-route: true
  auto-redir: true
  route-address: [
      "198.18.0.0/15",
      "fc00::/18",
      # telegram ip
      "91.108.56.0/22",
      "91.108.4.0/22",
      "91.108.8.0/22",
      "91.108.16.0/22",
      "91.108.12.0/22",
      "149.154.160.0/20",
      "91.105.192.0/23",
      "91.108.20.0/22",
      "185.76.151.0/24",
      "2001:b28:f23d::/48",
      "2001:b28:f23f::/48",
      "2001:67c:4e8::/48",
      "2001:b28:f23c::/48",
      "2a0a:f280::/32",
    ]
  auto-detect-interface: true
dns:
  enable: true
  listen: 0.0.0.0:8853
  ipv6: true
  # fake-ip takes priority
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.0/15
  fake-ip-filter-mode: blacklist
  fake-ip-filter:
    - rule-set:domestic_non_ip
    - rule-set:rule-self-oversea
    - rule-set:rule-self
    - geosite:cn
    - geosite:private
    - "*.lan"
    - "+.internal"
    - "+.in-addr.arpa"
    - "+.ip6.arpa"

    - rule-set:domestic_non_ip
    - rule-set:direct_non_ip
    - rule-set:fake-ip
    - +.ts.net # tailscale

Czlun commented Dec 27, 2024

> Only route the fake-ip range through the TUN: [image]
> [quoted configuration omitted; identical to the one in the comment above]

fake-ip mode together with the route-address directive does address my need to some extent; thanks for the tip.

Czlun commented Dec 27, 2024

> Only route the fake-ip range through the TUN: [image]
> [quoted configuration omitted; identical to the one in the comment above]

But in my use case, because the route-address directive is set, there is no default route anymore, so the DNS requests in the virtual machine's traffic can no longer be hijacked.
The end result is that the virtual machine cannot reuse the host's network.

[image]
[image]
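The thread turns on one question: which packets actually enter the TUN device? Under the reporter's configuration (auto-route with no route-address) every packet does, so the user-space stack answers every echo request; under qianlongzt's route-address allow-list only the listed prefixes do, which fixes the ping symptom but also means a guest VM's query to a public resolver never reaches dns-hijack. The following script is an added example, not Mihomo's code and not posted by anyone in the thread. It models that routing decision with Python's `ipaddress` module; the route-address list is copied from qianlongzt's comment, the sample destinations are constructed, and the rule "an echo request that enters the TUN is answered regardless of whether the host exists" is taken from the reporter's observation rather than from Mihomo's source.

```python
"""Added example: model which packets enter the TUN under the two
configurations in the thread, and what that implies for ping replies
and for dns-hijack.  Not Mihomo's code; the behavioural rule below is
the reporter's observation, not a statement about Mihomo internals.
"""
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# route-address list as posted in the thread (fake-ip range, fc00::/18 and
# Telegram prefixes). Everything else in this file is constructed.
ROUTE_ADDRESS = [
    "198.18.0.0/15", "fc00::/18",
    "91.108.56.0/22", "91.108.4.0/22", "91.108.8.0/22", "91.108.16.0/22",
    "91.108.12.0/22", "149.154.160.0/20", "91.105.192.0/23", "91.108.20.0/22",
    "185.76.151.0/24", "2001:b28:f23d::/48", "2001:b28:f23f::/48",
    "2001:67c:4e8::/48", "2001:b28:f23c::/48", "2a0a:f280::/32",
]


def parse_routes(cidrs: List[str]) -> List[Network]:
    """Parse CIDR strings; strict=False tolerates host bits set in a prefix."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


class TunPolicy:
    """routes: prefixes explicitly sent to the TUN (route-address).
    default_route: True when a catch-all route points into the TUN, as in
    the reporter's config (auto-route: true, no route-address)."""

    def __init__(self, routes: List[Network], default_route: bool):
        self.routes = routes
        self.default_route = default_route

    def enters_tun(self, dst: str) -> bool:
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in self.routes):
            return True
        return self.default_route

    def ping_result(self, dst: str) -> str:
        """Reported behaviour: an echo request that enters the TUN is answered
        by the user-space stack whether or not the host exists; otherwise it
        goes to the real network, where only a live host answers."""
        return "tun-synthesized-reply" if self.enters_tun(dst) else "real-network"

    def dns_hijack_result(self, dst: str, port: int) -> str:
        """dns-hijack `any:53` can only act on packets the TUN actually receives."""
        if port != 53:
            return "not-dns"
        return "hijacked" if self.enters_tun(dst) else "not-hijacked"


# The two configurations discussed in the thread.
REPORTER_POLICY = TunPolicy(routes=[], default_route=True)
ROUTE_ADDRESS_POLICY = TunPolicy(parse_routes(ROUTE_ADDRESS), default_route=False)

# Constructed sample destinations (hypothetical addresses).
SAMPLES = {
    "unreachable LAN host": "192.168.1.250",
    "fake-ip address": "198.18.0.5",
    "telegram": "149.154.167.220",
    "ULA v6 host": "fc00::1",
    "public v4 host": "1.1.1.1",
}


def compare(policies: Optional[Dict[str, TunPolicy]] = None,
            samples: Dict[str, str] = SAMPLES) -> Dict[str, Dict[str, str]]:
    """Return {sample name: {policy name: ping_result}} for side-by-side reading."""
    policies = policies or {"reporter": REPORTER_POLICY,
                            "route-address": ROUTE_ADDRESS_POLICY}
    return {name: {pname: p.ping_result(dst) for pname, p in policies.items()}
            for name, dst in samples.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:22} " + "  ".join(f"{k}={v}" for k, v in row.items()))
    # The VM case from the last comment: a guest's query to a public resolver
    # is not covered by route-address, so dns-hijack never sees it.
    print("VM DNS to 8.8.8.8:53 under route-address:",
          ROUTE_ADDRESS_POLICY.dns_hijack_result("8.8.8.8", 53))
```

Running it shows the trade-off in one table: the unreachable LAN host gets a synthesized reply under the reporter's policy and reaches the real network (no reply) under route-address, while fake-ip and Telegram destinations are answered by the TUN under both; the final line shows why the VM's DNS can no longer be hijacked once the catch-all route is gone.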
