Add evaluate DNS rule action and related rule items #3968
Open
nekohasekai wants to merge 59 commits into testing from
… response items, deprecated fields at bottom
Legacy DNS address-filter mode still accepts destination-side IP predicates with a deprecation warning, but the recent evaluate/match_response refactor started evaluating those predicates during pre-response Match(). That broke rules whose transport selection must be deferred until MatchAddressLimit() can inspect the upstream reply.
Restore the old defer behavior by reintroducing an internal IgnoreDestinationIPCIDRMatch flag on InboundContext and using it only for legacy pre-response DNS matching. Default and logical DNS rules now carry the legacy mode bit, set the ignore flag on metadata copies while performing pre-response Match(), and explicitly clear it again for match_response and MatchAddressLimit() so response-phase matching still checks the returned addresses.
Add regression coverage for direct legacy destination-IP rules, rule_set-backed CIDR rules, logical wrappers, and the legacy Lookup router path, including fallback after a rejected response.
This keeps legacy configs working without changing new-mode evaluate semantics.
Tests: go test ./route/rule ./dns
Tests: make
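A simplified model of the defer behaviour described in the commit message above, added here as an example; it is not code from the pull request or from sing-box. The `Context`, `Rule` and `Resolve` names, the `IgnoreDestCIDR` field and the sample servers are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Simplified model of legacy address-filter matching. Names are hypothetical; not sing-box code.
type Context struct {
	Domain         string
	Response       netip.Addr // zero value until an upstream has replied
	IgnoreDestCIDR bool       // pre-response phase: defer the IP predicate
}
type Rule struct {
	Suffix, Server string
	CIDR           netip.Prefix // predicate on the returned address; zero value means none
}

func (r Rule) Match(ctx Context) bool {
	if !strings.HasSuffix(ctx.Domain, r.Suffix) {
		return false
	}
	return !r.CIDR.IsValid() || ctx.IgnoreDestCIDR || r.CIDR.Contains(ctx.Response)
}

// Resolve: pre-response Match, query, then response-phase Match with the flag cleared. deferCIDR=false models the regression.
func Resolve(rules []Rule, upstream map[string]netip.Addr, domain string, deferCIDR bool) (server string, queried []string) {
	for _, rule := range rules {
		if rule.Match(Context{Domain: domain, IgnoreDestCIDR: deferCIDR}) {
			queried = append(queried, rule.Server)
			if rule.Match(Context{Domain: domain, Response: upstream[rule.Server]}) {
				return rule.Server, queried
			}
		}
	}
	return "", queried
}

var sampleRules = []Rule{ // constructed sample
	{Suffix: "example.org", Server: "internal", CIDR: netip.MustParsePrefix("10.0.0.0/8")},
	{Server: "public"},
}
var sampleUpstream = map[string]netip.Addr{"internal": netip.MustParseAddr("10.1.2.3")} // constructed reply

func main() {
	fmt.Println(Resolve(sampleRules, sampleUpstream, "app.example.org", true))  // deferred: internal is queried
	fmt.Println(Resolve(sampleRules, sampleUpstream, "app.example.org", false)) // regression: internal is skipped
}
```

With the predicate evaluated before any reply exists, the rule carrying the CIDR can never match, so its server is never queried and the name is resolved by the next rule instead.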
Remove SetIncludeAllowed(true) from the DNS record zone parser. The $INCLUDE directive allows opening arbitrary files via os.Open, which is unnecessary and dangerous when parsing a single record string from configuration (especially remote profiles).
Fix displayRuleIndex arithmetic in dns/router.go that computed 2*index+1 instead of the correct 0-based index. This was a reintroduction of a bug previously fixed in be8ee37. Both matchDNS and logRuleMatch now use the index directly, matching the pattern in route/route.go.
The field was never set to true after the legacy pre-match refactor in 3549c02. Remove the declaration, guard check, and redundant false assignments.
The legacy path returned predefined responses early, bypassing the reverse mapping cache. Use goto to reach the shared post-exchange block so both legacy and new paths record predefined A/AAAA answers.
…N/EN order
- Use standard !!! failure block for strategy deprecation notice
- Add Legacy DNS Mode section explaining automatic mode detection
- Reorder ip_accept_any/rule_set_ip_cidr_accept_empty in Chinese docs to match English

…display
- Add EnvName to four new deprecation constants so users can suppress warnings via ENABLE_DEPRECATED_* environment variables
- Add comment explaining why applyDNSRouteOptions skips Strategy
- Use dns.RcodeToString in DNSResponseRCodeItem.String() for readability
- Remove redundant Fqdn(FqdnToDomain(domain)) round-trip

- Rename addrs to addresses per naming conventions
- Replace errors.New with E.New per error-handling rules

- Add t.Cleanup(router.Close) in newTestRouter for automatic cleanup
- Remove unnecessary testCase loop variable capture (Go 1.22+)
- Add tests for reject drop action, route_options effect, and chained evaluate response overwrite

Add config-time validation in NewDNSRule that rejects RejectMethodReply for both default and logical DNS rules, matching the existing TCP/UDP validation in route/route.go.
Reuse the outer err variable in the rule-construction and rule-startup loops instead of redeclaring it with :=, and declare dnsRule separately.
…heck MatchAddressLimit internally copies metadata and sets DNSResponse, making the prior assignment in the closure unnecessary.

- Rename nested_action.go to rule_nested_action.go for naming consistency
- Export error message constants from option package to deduplicate
- Fix RuleActionRouteOptions.Descriptions using wrong field for fallback-network-type

- dns/router: add r.closing guard in registerRuleSetCallbacks to prevent callback leak when Close() races with Start() in daemon path
- adapter/inbound: validate addr.IsValid() in DNSResponseAddresses before appending to guard against zero-RDATA DNS records
- adapter/rule: add evaluate to non-final actions in IsFinalAction

- Replace dnsRuleModeRequirements 4-tuple return with dnsRuleModeFlags struct
- Eliminate redundant hasDNSRuleActionStrategy tree walk by reusing mode flags from buildRules
- Remove single-field lookupWithRulesResponse wrapper
- Accept fields directly in resolveDNSRoute instead of *RuleActionDNSRoute
- Extract rulesAndMode() helper to deduplicate snapshot unpacking
- Trim verbose RuleSetMetadata comment

Remove all user-facing references to the internal `legacyDNSMode` variable
name. Error messages now reuse the deprecated.Note.MessageWithLink() method
to provide consistent deprecation text with migration URLs. Other internal
jargon ("consume response state", "response_*") is replaced with
user-friendly descriptions.
Add two migration guide entries under 1.14.0: one for strategy → rule items,
one for address filter fields → evaluate with match_response.
Use concrete feature names per design spec: "Legacy Address Filter Fields", "Legacy `strategy` DNS rule action option", "Legacy `ip_accept_any` DNS rule item", "Legacy `rule_set_ip_cidr_accept_empty` DNS rule item" for deprecated features, and "Response Match Fields" for the new response matching section.
No description provided.