From ddcaf040e2a3e9571a74de9f037c5882df370609 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= Date: Fri, 10 Apr 2026 10:15:02 +0800 Subject: [PATCH] Un-deprecate `ip_accept_any` DNS rule item --- dns/router.go | 11 ++++------- docs/configuration/dns/rule.md | 22 ++++++++-------------- docs/configuration/dns/rule.zh.md | 22 ++++++++-------------- docs/deprecated.md | 7 ------- docs/deprecated.zh.md | 7 ------- docs/migration.md | 2 +- docs/migration.zh.md | 2 +- experimental/deprecated/constants.go | 10 ---------- option/rule_dns.go | 3 +-- route/rule/rule_dns.go | 7 +------ 10 files changed, 24 insertions(+), 69 deletions(-) diff --git a/dns/router.go b/dns/router.go index 8fbaa2729..a14cecd0e 100644 --- a/dns/router.go +++ b/dns/router.go @@ -841,10 +841,10 @@ func (r *Router) ResetNetwork() { } func defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule option.DefaultDNSRule) bool { - if rule.IPAcceptAny || rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck + if rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck return true } - return !rule.MatchResponse && (len(rule.IPCIDR) > 0 || rule.IPIsPrivate) + return !rule.MatchResponse && (rule.IPAcceptAny || len(rule.IPCIDR) > 0 || rule.IPIsPrivate) } func hasResponseMatchFields(rule option.DefaultDNSRule) bool { @@ -1049,17 +1049,14 @@ func validateLegacyDNSModeDisabledRuleTree(rule option.DNSRule) (bool, error) { func validateLegacyDNSModeDisabledDefaultRule(rule option.DefaultDNSRule) (bool, error) { hasResponseRecords := hasResponseMatchFields(rule) - if (hasResponseRecords || len(rule.IPCIDR) > 0 || rule.IPIsPrivate) && !rule.MatchResponse { - return false, E.New("Response Match Fields (ip_cidr, ip_is_private, response_rcode, response_answer, response_ns, response_extra) require match_response to be enabled") + if (hasResponseRecords || len(rule.IPCIDR) > 0 || rule.IPIsPrivate || rule.IPAcceptAny) && !rule.MatchResponse { + return false, E.New("Response Match Fields (ip_cidr, ip_is_private, ip_accept_any, response_rcode, response_answer, response_ns, response_extra) require match_response to be enabled") } // Intentionally do not reject rule_set here. A referenced rule set may mix // destination-IP predicates with pre-response predicates such as domain items. // When match_response is false, those destination-IP branches fail closed during // pre-response evaluation instead of consuming DNS response state, while sibling // non-response branches remain matchable. - if rule.IPAcceptAny { //nolint:staticcheck - return false, E.New(deprecated.OptionIPAcceptAny.MessageWithLink()) - } if rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck return false, E.New(deprecated.OptionRuleSetIPCIDRAcceptEmpty.MessageWithLink()) } diff --git a/docs/configuration/dns/rule.md b/docs/configuration/dns/rule.md index aacdc003f..9281271fd 100644 --- a/docs/configuration/dns/rule.md +++ b/docs/configuration/dns/rule.md @@ -8,7 +8,6 @@ icon: material/alert-decagram :material-plus: [source_hostname](#source_hostname) :material-plus: [match_response](#match_response) :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty) - :material-delete-clock: [ip_accept_any](#ip_accept_any) :material-plus: [response_rcode](#response_rcode) :material-plus: [response_answer](#response_answer) :material-plus: [response_ns](#response_ns) @@ -178,6 +177,7 @@ icon: material/alert-decagram "192.168.0.1" ], "ip_is_private": false, + "ip_accept_any": false, "response_rcode": "", "response_answer": [], "response_ns": [], @@ -191,7 +191,6 @@ icon: material/alert-decagram // Deprecated - "ip_accept_any": false, "rule_set_ip_cidr_accept_empty": false, "rule_set_ipcidr_match_source": false, "geosite": [ @@ -500,7 +499,13 @@ instead of only matching the original query. The evaluated response can also be returned directly by a later [`respond`](/configuration/dns/rule_action/#respond) action. Required for Response Match Fields (`response_rcode`, `response_answer`, `response_ns`, `response_extra`). -Also required for `ip_cidr` and `ip_is_private` when used with `evaluate` or Response Match Fields. +Also required for `ip_cidr`, `ip_is_private`, and `ip_accept_any` when used with `evaluate` or Response Match Fields. + +#### ip_accept_any + +!!! question "Since sing-box 1.12.0" + +Match when the DNS query response contains at least one address. #### invert @@ -600,17 +605,6 @@ check [Migration](/migration/#migrate-address-filter-fields-to-response-matching Make `ip_cidr` rules in rule-sets accept empty query response. -#### ip_accept_any - -!!! question "Since sing-box 1.12.0" - -!!! failure "Deprecated in sing-box 1.14.0" - - `ip_accept_any` is deprecated and will be removed in sing-box 1.16.0, - check [Migration](/migration/#migrate-address-filter-fields-to-response-matching). - -Match any IP with query response. - ### Response Match Fields !!! question "Since sing-box 1.14.0" diff --git a/docs/configuration/dns/rule.zh.md b/docs/configuration/dns/rule.zh.md index a3633789f..dabbe8c25 100644 --- a/docs/configuration/dns/rule.zh.md +++ b/docs/configuration/dns/rule.zh.md @@ -8,7 +8,6 @@ icon: material/alert-decagram :material-plus: [source_hostname](#source_hostname) :material-plus: [match_response](#match_response) :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty) - :material-delete-clock: [ip_accept_any](#ip_accept_any) :material-plus: [response_rcode](#response_rcode) :material-plus: [response_answer](#response_answer) :material-plus: [response_ns](#response_ns) @@ -178,6 +177,7 @@ icon: material/alert-decagram "192.168.0.1" ], "ip_is_private": false, + "ip_accept_any": false, "response_rcode": "", "response_answer": [], "response_ns": [], @@ -191,7 +191,6 @@ icon: material/alert-decagram // 已弃用 - "ip_accept_any": false, "rule_set_ip_cidr_accept_empty": false, "rule_set_ipcidr_match_source": false, "geosite": [ @@ -498,7 +497,13 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`. 该已评估的响应也可以被后续的 [`respond`](/zh/configuration/dns/rule_action/#respond) 动作直接返回。 响应匹配字段(`response_rcode`、`response_answer`、`response_ns`、`response_extra`)需要此选项。 -当与 `evaluate` 或响应匹配字段一起使用时,`ip_cidr` 和 `ip_is_private` 也需要此选项。 +当与 `evaluate` 或响应匹配字段一起使用时,`ip_cidr`、`ip_is_private` 和 `ip_accept_any` 也需要此选项。 + +#### ip_accept_any + +!!! question "自 sing-box 1.12.0 起" + +当 DNS 查询响应包含至少一个地址时匹配。 #### invert @@ -599,17 +604,6 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`. 使规则集中的 `ip_cidr` 规则接受空查询响应。 -#### ip_accept_any - -!!! question "自 sing-box 1.12.0 起" - -!!! failure "已在 sing-box 1.14.0 废弃" - - `ip_accept_any` 已废弃且将在 sing-box 1.16.0 中被移除, - 参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。 - -匹配任意 IP。 - ### 响应匹配字段 !!! question "自 sing-box 1.14.0 起" diff --git a/docs/deprecated.md b/docs/deprecated.md index 70084b6df..094ff9ea7 100644 --- a/docs/deprecated.md +++ b/docs/deprecated.md @@ -21,13 +21,6 @@ check [Migration](../migration/#migrate-dns-rule-action-strategy-to-rule-items). Old fields will be removed in sing-box 1.16.0. -#### Legacy `ip_accept_any` DNS rule item - -Legacy `ip_accept_any` DNS rule item is deprecated, -check [Migration](../migration/#migrate-address-filter-fields-to-response-matching). - -Old fields will be removed in sing-box 1.16.0. - #### Legacy `rule_set_ip_cidr_accept_empty` DNS rule item Legacy `rule_set_ip_cidr_accept_empty` DNS rule item is deprecated, diff --git a/docs/deprecated.zh.md b/docs/deprecated.zh.md index f98b0c010..8e299df9b 100644 --- a/docs/deprecated.zh.md +++ b/docs/deprecated.zh.md @@ -21,13 +21,6 @@ TLS 中的内联 ACME 选项(`tls.acme`)已废弃, 旧字段将在 sing-box 1.16.0 中被移除。 -#### 旧版 `ip_accept_any` DNS 规则项 - -旧版 `ip_accept_any` DNS 规则项已废弃, -参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。 - -旧字段将在 sing-box 1.16.0 中被移除。 - #### 旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项 旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项已废弃, diff --git a/docs/migration.md b/docs/migration.md index 91e771bab..9bcd9764a 100644 --- a/docs/migration.md +++ b/docs/migration.md @@ -129,7 +129,7 @@ Use `ip_version` or `query_type` rule items to control which query types a rule ### Migrate address filter fields to response matching Legacy Address Filter Fields (`ip_cidr`, `ip_is_private` without `match_response`) in DNS rules are deprecated, -along with Legacy `ip_accept_any` and Legacy `rule_set_ip_cidr_accept_empty` DNS rule items. +along with the Legacy `rule_set_ip_cidr_accept_empty` DNS rule item. In sing-box 1.14.0, use the [`evaluate`](/configuration/dns/rule_action/#evaluate) action to fetch a DNS response, then match against it explicitly with `match_response`. diff --git a/docs/migration.zh.md b/docs/migration.zh.md index 3f1274055..e8cbe1bdf 100644 --- a/docs/migration.zh.md +++ b/docs/migration.zh.md @@ -129,7 +129,7 @@ sing-box 1.14.0 新增字段参阅 [ACME](/zh/configuration/shared/certificate-p ### 迁移地址筛选字段到响应匹配 旧版地址筛选字段(不使用 `match_response` 的 `ip_cidr`、`ip_is_private`)已废弃, -旧版 `ip_accept_any` 和旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项也已废弃。 +旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项也已废弃。 在 sing-box 1.14.0 中,请使用 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作 获取 DNS 响应,然后通过 `match_response` 显式匹配。 diff --git a/experimental/deprecated/constants.go b/experimental/deprecated/constants.go index 543a10bb6..afe5c021a 100644 --- a/experimental/deprecated/constants.go +++ b/experimental/deprecated/constants.go @@ -93,15 +93,6 @@ var OptionInlineACME = Note{ MigrationLink: "https://sing-box.sagernet.org/migration/#migrate-inline-acme-to-certificate-provider", } -var OptionIPAcceptAny = Note{ - Name: "dns-rule-ip-accept-any", - Description: "Legacy `ip_accept_any` DNS rule item", - DeprecatedVersion: "1.14.0", - ScheduledVersion: "1.16.0", - EnvName: "DNS_RULE_IP_ACCEPT_ANY", - MigrationLink: "https://sing-box.sagernet.org/migration/#migrate-address-filter-fields-to-response-matching", -} - var OptionRuleSetIPCIDRAcceptEmpty = Note{ Name: "dns-rule-rule-set-ip-cidr-accept-empty", Description: "Legacy `rule_set_ip_cidr_accept_empty` DNS rule item", @@ -134,7 +125,6 @@ var Options = []Note{ OptionMissingDomainResolver, OptionLegacyDomainStrategyOptions, OptionInlineACME, - OptionIPAcceptAny, OptionRuleSetIPCIDRAcceptEmpty, OptionLegacyDNSAddressFilter, OptionLegacyDNSRuleStrategy, diff --git a/option/rule_dns.go b/option/rule_dns.go index d1298635b..5582e7df4 100644 --- a/option/rule_dns.go +++ b/option/rule_dns.go @@ -107,6 +107,7 @@ type RawDefaultDNSRule struct { MatchResponse bool `json:"match_response,omitempty"` IPCIDR badoption.Listable[string] `json:"ip_cidr,omitempty"` IPIsPrivate bool `json:"ip_is_private,omitempty"` + IPAcceptAny bool `json:"ip_accept_any,omitempty"` ResponseRcode *DNSRCode `json:"response_rcode,omitempty"` ResponseAnswer badoption.Listable[DNSRecordOptions] `json:"response_answer,omitempty"` ResponseNs badoption.Listable[DNSRecordOptions] `json:"response_ns,omitempty"` @@ -117,8 +118,6 @@ type RawDefaultDNSRule struct { Geosite badoption.Listable[string] `json:"geosite,omitempty"` SourceGeoIP badoption.Listable[string] `json:"source_geoip,omitempty"` GeoIP badoption.Listable[string] `json:"geoip,omitempty"` - // Deprecated: use match_response with response items - IPAcceptAny bool `json:"ip_accept_any,omitempty"` // Deprecated: removed in sing-box 1.11.0 RuleSetIPCIDRAcceptEmpty bool `json:"rule_set_ip_cidr_accept_empty,omitempty"` // Deprecated: renamed to rule_set_ip_cidr_match_source diff --git a/route/rule/rule_dns.go b/route/rule/rule_dns.go index 20fb195f1..c406f0674 100644 --- a/route/rule/rule_dns.go +++ b/route/rule/rule_dns.go @@ -177,12 +177,7 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item) rule.allItems = append(rule.allItems, item) } - if options.IPAcceptAny { //nolint:staticcheck - if legacyDNSMode { - deprecated.Report(ctx, deprecated.OptionIPAcceptAny) - } else { - return nil, E.New(deprecated.OptionIPAcceptAny.MessageWithLink()) - } + if options.IPAcceptAny { item := NewIPAcceptAnyItem() rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item) rule.allItems = append(rule.allItems, item)