Surge5 Mac 增强模式下终端不走代理

rakuyoMo

请问有没有大佬遇到过这个问题，开启增强模式下 chrome 访问正常，但是终端/iTerm 却访问不了代理，Dashboard 中不显示终端，curl github 显示如下：

➜  ~ curl -v https://www.github.com     
* Host www.github.com:443 was resolved.
* IPv6: (none)
* IPv4: 198.18.1.135
*   Trying 198.18.1.135:443...
* Connected to www.github.com (198.18.1.135) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* SSL connection timeout
* Closing connection
curl: (28) SSL connection timeout

我感觉是虚拟网卡的问题... 系统代理+export 就可以在终端中正常使用，但是增强模式就是不行...

没有一点排查思路，只能求助各位了

SurgeTeam

有可能是请求被其他网络类软件拦截了，如 AdGuard，请排查一下。

rakuyoMo

SurgeTeam

我看到文档里提到了三个软件，我应该是都没有装的。

请问还有其他的排查思路吗？

rakuyoMo

排查了一下，确信没有安装增强模式兼容性问题中已知的三个可能导致冲突的软件。包括：

AdGuard
Viscosity
Little Snitch

另外我发现，有时卸载网络扩展重新安装能解决这个问题，但是退出 Surge 重新打开后又不行了。
另外在我反复尝试寻找规律后，现在卸载扩展重装也不行了...
不对，有时重装网络扩展后，可能是增强模式没有生效？终端好像没有走增强模式，所以 github 跑通了... curl youtube.com 是超时的...

我是 macOS 15.5 (24F74)，M4 Macbook Air

请问还有其他的排查思路吗 QAQ

rakuyoMo

我发现可能是 pfctl 的问题... 我的 pfctl 是开机自启的，在命令行中使用 sudo pfctl -d 之后就好了。

还不确定是根本原因，但是好像其他人没有这个问题？不知道是只有我自启，还是说其他人不会因为 pfctl 导致 TUN 错误。

其他人也有 Mac 上的 pfctl 防火墙开机自启的情况。但是我没有搜到因为 pfctl 导致 TUN 失效的相关问题。

SurgeTeam

rakuyoMo 说明你的 pf 有规则将请求拦截了，而不是只要开启了 pf 会导致该问题

rakuyoMo

SurgeTeam

下面是一些配置内容，我不太懂这些但是看上去好像没有什么特别的，我也没有改过/设置过什么内容

➜  ~ sudo pfctl -s info
Password:
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:00:29           Debug: Urgent

State Table                          Total             Rate
  current entries                       12
  searches                            8938          308.2/s
  inserts                               12            0.4/s
  removals                               0            0.0/s
Counters
  match                               7142          246.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              2            0.1/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  dummynet                               0            0.0/s
  invalid-port                           0            0.0/s
➜  ~ sudo cat /etc/pf.conf

#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#

#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
➜  ~ sudo pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
pass out on ! lo0 route-to lo0 inet proto tcp from any to <dohhosts> port = 443 flags S/SA keep state
pass out on ! lo0 route-to lo0 inet proto tcp from any to <ztnahosts> flags S/SA keep state
pass in quick on lo0 reply-to lo0 inet proto tcp from ! 127.0.0.0/8 to any flags S/SA keep state
➜  ~ sudo cat /etc/pf.anchors/com.apple
Password:
#
# com.apple ruleset, referred to by the default /etc/pf.conf file.
# See notes in that file regarding the anchor point in the main ruleset.
#
# Copyright (c) 2011 Apple Inc. All rights reserved.
#

#
# AirDrop anchor point.
#
anchor "200.AirDrop/*"

#
# Application Firewall anchor point.
#
anchor "250.ApplicationFirewall/*"