From 795d1c28927499a404588651ecf3b1f11534b811 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= <i@sekai.icu>
Date: Mon, 23 Mar 2026 12:26:19 +0800
Subject: [PATCH] Fix nested rule-set match cache isolation

---
 adapter/inbound.go               | 4 ++++
 route/rule/rule_item_rule_set.go | 8 +++++---
 route/rule/rule_set_local.go     | 4 +++-
 route/rule/rule_set_remote.go    | 4 +++-
 4 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/adapter/inbound.go b/adapter/inbound.go
index b32e9f827..f047199e4 100644
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -101,6 +101,10 @@ type InboundContext struct {
 func (c *InboundContext) ResetRuleCache() {
 	c.IPCIDRMatchSource = false
 	c.IPCIDRAcceptEmpty = false
+	c.ResetRuleMatchCache()
+}
+
+func (c *InboundContext) ResetRuleMatchCache() {
 	c.SourceAddressMatch = false
 	c.SourcePortMatch = false
 	c.DestinationAddressMatch = false
diff --git a/route/rule/rule_item_rule_set.go b/route/rule/rule_item_rule_set.go
index a0115a044..858bb8773 100644
--- a/route/rule/rule_item_rule_set.go
+++ b/route/rule/rule_item_rule_set.go
@@ -41,10 +41,12 @@ func (r *RuleSetItem) Start() error {
 }
 
 func (r *RuleSetItem) Match(metadata *adapter.InboundContext) bool {
-	metadata.IPCIDRMatchSource = r.ipCidrMatchSource
-	metadata.IPCIDRAcceptEmpty = r.ipCidrAcceptEmpty
 	for _, ruleSet := range r.setList {
-		if ruleSet.Match(metadata) {
+		nestedMetadata := *metadata
+		nestedMetadata.ResetRuleMatchCache()
+		nestedMetadata.IPCIDRMatchSource = r.ipCidrMatchSource
+		nestedMetadata.IPCIDRAcceptEmpty = r.ipCidrAcceptEmpty
+		if ruleSet.Match(&nestedMetadata) {
 			return true
 		}
 	}
diff --git a/route/rule/rule_set_local.go b/route/rule/rule_set_local.go
index b09915ed2..8409831b2 100644
--- a/route/rule/rule_set_local.go
+++ b/route/rule/rule_set_local.go
@@ -203,7 +203,9 @@ func (s *LocalRuleSet) Close() error {
 
 func (s *LocalRuleSet) Match(metadata *adapter.InboundContext) bool {
 	for _, rule := range s.rules {
-		if rule.Match(metadata) {
+		nestedMetadata := *metadata
+		nestedMetadata.ResetRuleMatchCache()
+		if rule.Match(&nestedMetadata) {
 			return true
 		}
 	}
diff --git a/route/rule/rule_set_remote.go b/route/rule/rule_set_remote.go
index 3aba76bab..81a8d3fc2 100644
--- a/route/rule/rule_set_remote.go
+++ b/route/rule/rule_set_remote.go
@@ -323,7 +323,9 @@ func (s *RemoteRuleSet) Close() error {
 
 func (s *RemoteRuleSet) Match(metadata *adapter.InboundContext) bool {
 	for _, rule := range s.rules {
-		if rule.Match(metadata) {
+		nestedMetadata := *metadata
+		nestedMetadata.ResetRuleMatchCache()
+		if rule.Match(&nestedMetadata) {
 			return true
 		}
 	}