From 81f5cd2200345ef1033f51208a129cffeda5c42e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= <i@sekai.icu>
Date: Thu, 2 Apr 2026 22:44:41 +0800
Subject: [PATCH] dns: unify match_response gate error for all Response Match
 Fields

ip_cidr and ip_is_private are Response Match Fields in new mode,
same as response_rcode/answer/ns/extra. Use a single consistent
error message when any of them appear without match_response.
---
 dns/router.go      | 7 ++-----
 dns/router_test.go | 4 ++--
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/dns/router.go b/dns/router.go
index 616914c88..79ff81a57 100644
--- a/dns/router.go
+++ b/dns/router.go
@@ -1059,11 +1059,8 @@ func validateLegacyDNSModeDisabledRuleTree(rule option.DNSRule) (bool, error) {
 
 func validateLegacyDNSModeDisabledDefaultRule(rule option.DefaultDNSRule) (bool, error) {
 	hasResponseRecords := hasResponseMatchFields(rule)
-	if hasResponseRecords && !rule.MatchResponse {
-		return false, E.New("Response Match Fields (response_rcode, response_answer, response_ns, response_extra) require match_response to be enabled")
-	}
-	if (len(rule.IPCIDR) > 0 || rule.IPIsPrivate) && !rule.MatchResponse {
-		return false, E.New(deprecated.OptionLegacyDNSAddressFilter.MessageWithLink())
+	if (hasResponseRecords || len(rule.IPCIDR) > 0 || rule.IPIsPrivate) && !rule.MatchResponse {
+		return false, E.New("Response Match Fields (ip_cidr, ip_is_private, response_rcode, response_answer, response_ns, response_extra) require match_response to be enabled")
 	}
 	// Intentionally do not reject rule_set here. A referenced rule set may mix
 	// destination-IP predicates with pre-response predicates such as domain items.
diff --git a/dns/router_test.go b/dns/router_test.go
index bd9df1311..e4fcabe2e 100644
--- a/dns/router_test.go
+++ b/dns/router_test.go
@@ -414,8 +414,8 @@ func TestInitializeRejectsDirectLegacyRuleWhenRuleSetForcesNew(t *testing.T) {
 			},
 		},
 	})
-	require.ErrorContains(t, err, "Address Filter Fields")
-	require.ErrorContains(t, err, "deprecated")
+	require.ErrorContains(t, err, "Response Match Fields")
+	require.ErrorContains(t, err, "require match_response")
 }
 
 func TestLookupLegacyDNSModeDefersRuleSetDestinationIPMatch(t *testing.T) {