Un-deprecate ip_accept_any DNS rule item

2026-04-11 17:47:20 +10:00 · 2026-04-10 10:15:02 +08:00
parent 57039ac11d
commit ddcaf040e2
10 changed files with 24 additions and 69 deletions
--- a/dns/router.go
+++ b/dns/router.go
@@ -841,10 +841,10 @@ func (r *Router) ResetNetwork() {
 }
 func defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule option.DefaultDNSRule) bool {
-	if rule.IPAcceptAny || rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
+	if rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
 		return true
 	}
-	return !rule.MatchResponse && (len(rule.IPCIDR) > 0 || rule.IPIsPrivate)
+	return !rule.MatchResponse && (rule.IPAcceptAny || len(rule.IPCIDR) > 0 || rule.IPIsPrivate)
 }
 func hasResponseMatchFields(rule option.DefaultDNSRule) bool {
@@ -1049,17 +1049,14 @@ func validateLegacyDNSModeDisabledRuleTree(rule option.DNSRule) (bool, error) {
 func validateLegacyDNSModeDisabledDefaultRule(rule option.DefaultDNSRule) (bool, error) {
 	hasResponseRecords := hasResponseMatchFields(rule)
-	if (hasResponseRecords || len(rule.IPCIDR) > 0 || rule.IPIsPrivate) && !rule.MatchResponse {
+	if (hasResponseRecords || len(rule.IPCIDR) > 0 || rule.IPIsPrivate || rule.IPAcceptAny) && !rule.MatchResponse {
-		return false, E.New("Response Match Fields (ip_cidr, ip_is_private, response_rcode, response_answer, response_ns, response_extra) require match_response to be enabled")
+		return false, E.New("Response Match Fields (ip_cidr, ip_is_private, ip_accept_any, response_rcode, response_answer, response_ns, response_extra) require match_response to be enabled")
 	}
 	// Intentionally do not reject rule_set here. A referenced rule set may mix
 	// destination-IP predicates with pre-response predicates such as domain items.
 	// When match_response is false, those destination-IP branches fail closed during
 	// pre-response evaluation instead of consuming DNS response state, while sibling
 	// non-response branches remain matchable.
 	if rule.IPAcceptAny { //nolint:staticcheck
 		return false, E.New(deprecated.OptionIPAcceptAny.MessageWithLink())
 	}
 	if rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
 		return false, E.New(deprecated.OptionRuleSetIPCIDRAcceptEmpty.MessageWithLink())
 	}
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -8,7 +8,6 @@ icon: material/alert-decagram
    :material-plus: [source_hostname](#source_hostname)  
    :material-plus: [match_response](#match_response)  
    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
    :material-delete-clock: [ip_accept_any](#ip_accept_any)  
    :material-plus: [response_rcode](#response_rcode)  
    :material-plus: [response_answer](#response_answer)  
    :material-plus: [response_ns](#response_ns)  
@@ -178,6 +177,7 @@ icon: material/alert-decagram
          "192.168.0.1"
        ],
        "ip_is_private": false,
        "ip_accept_any": false,
        "response_rcode": "",
        "response_answer": [],
        "response_ns": [],
@@ -191,7 +191,6 @@ icon: material/alert-decagram
        // Deprecated
        "ip_accept_any": false,
        "rule_set_ip_cidr_accept_empty": false,
        "rule_set_ipcidr_match_source": false,
        "geosite": [
@@ -500,7 +499,13 @@ instead of only matching the original query.
 The evaluated response can also be returned directly by a later [`respond`](/configuration/dns/rule_action/#respond) action.
 Required for Response Match Fields (`response_rcode`, `response_answer`, `response_ns`, `response_extra`).
-Also required for `ip_cidr` and `ip_is_private` when used with `evaluate` or Response Match Fields.
+Also required for `ip_cidr`, `ip_is_private`, and `ip_accept_any` when used with `evaluate` or Response Match Fields.
 #### ip_accept_any
 !!! question "Since sing-box 1.12.0"
 Match when the DNS query response contains at least one address.
 #### invert
@@ -600,17 +605,6 @@ check [Migration](/migration/#migrate-address-filter-fields-to-response-matching
 Make `ip_cidr` rules in rule-sets accept empty query response.
 #### ip_accept_any
 !!! question "Since sing-box 1.12.0"
 !!! failure "Deprecated in sing-box 1.14.0"
    `ip_accept_any` is deprecated and will be removed in sing-box 1.16.0,
    check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
 Match any IP with query response.
 ### Response Match Fields
 !!! question "Since sing-box 1.14.0"
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -8,7 +8,6 @@ icon: material/alert-decagram
    :material-plus: [source_hostname](#source_hostname)  
    :material-plus: [match_response](#match_response)  
    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
    :material-delete-clock: [ip_accept_any](#ip_accept_any)  
    :material-plus: [response_rcode](#response_rcode)  
    :material-plus: [response_answer](#response_answer)  
    :material-plus: [response_ns](#response_ns)  
@@ -178,6 +177,7 @@ icon: material/alert-decagram
          "192.168.0.1"
        ],
        "ip_is_private": false,
        "ip_accept_any": false,
        "response_rcode": "",
        "response_answer": [],
        "response_ns": [],
@@ -191,7 +191,6 @@ icon: material/alert-decagram
        // 已弃用
        "ip_accept_any": false,
        "rule_set_ip_cidr_accept_empty": false,
        "rule_set_ipcidr_match_source": false,
        "geosite": [
@@ -498,7 +497,13 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 该已评估的响应也可以被后续的 [`respond`](/zh/configuration/dns/rule_action/#respond) 动作直接返回。
 响应匹配字段（`response_rcode`、`response_answer`、`response_ns`、`response_extra`）需要此选项。
-当与 `evaluate` 或响应匹配字段一起使用时，`ip_cidr` 和 `ip_is_private` 也需要此选项。
+当与 `evaluate` 或响应匹配字段一起使用时，`ip_cidr`、`ip_is_private` 和 `ip_accept_any` 也需要此选项。
 #### ip_accept_any
 !!! question "自 sing-box 1.12.0 起"
 当 DNS 查询响应包含至少一个地址时匹配。
 #### invert
@@ -599,17 +604,6 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 使规则集中的 `ip_cidr` 规则接受空查询响应。
 #### ip_accept_any
 !!! question "自 sing-box 1.12.0 起"
 !!! failure "已在 sing-box 1.14.0 废弃"
    `ip_accept_any` 已废弃且将在 sing-box 1.16.0 中被移除，
    参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
 匹配任意 IP。
 ### 响应匹配字段
 !!! question "自 sing-box 1.14.0 起"
--- a/docs/deprecated.md
+++ b/docs/deprecated.md
@@ -21,13 +21,6 @@ check [Migration](../migration/#migrate-dns-rule-action-strategy-to-rule-items).
 Old fields will be removed in sing-box 1.16.0.
 #### Legacy `ip_accept_any` DNS rule item
 Legacy `ip_accept_any` DNS rule item is deprecated,
 check [Migration](../migration/#migrate-address-filter-fields-to-response-matching).
 Old fields will be removed in sing-box 1.16.0.
 #### Legacy `rule_set_ip_cidr_accept_empty` DNS rule item
 Legacy `rule_set_ip_cidr_accept_empty` DNS rule item is deprecated,
--- a/docs/deprecated.zh.md
+++ b/docs/deprecated.zh.md
@@ -21,13 +21,6 @@ TLS 中的内联 ACME 选项（`tls.acme`）已废弃，
 旧字段将在 sing-box 1.16.0 中被移除。
 #### 旧版 `ip_accept_any` DNS 规则项
 旧版 `ip_accept_any` DNS 规则项已废弃，
 参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
 旧字段将在 sing-box 1.16.0 中被移除。
 #### 旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项
 旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项已废弃，
--- a/docs/migration.md
+++ b/docs/migration.md
@@ -129,7 +129,7 @@ Use `ip_version` or `query_type` rule items to control which query types a rule
 ### Migrate address filter fields to response matching
 Legacy Address Filter Fields (`ip_cidr`, `ip_is_private` without `match_response`) in DNS rules are deprecated,
-along with Legacy `ip_accept_any` and Legacy `rule_set_ip_cidr_accept_empty` DNS rule items.
+along with the Legacy `rule_set_ip_cidr_accept_empty` DNS rule item.
 In sing-box 1.14.0, use the [`evaluate`](/configuration/dns/rule_action/#evaluate) action
 to fetch a DNS response, then match against it explicitly with `match_response`.
--- a/docs/migration.zh.md
+++ b/docs/migration.zh.md
@@ -129,7 +129,7 @@ sing-box 1.14.0 新增字段参阅 [ACME](/zh/configuration/shared/certificate-p
 ### 迁移地址筛选字段到响应匹配
 旧版地址筛选字段（不使用 `match_response` 的 `ip_cidr`、`ip_is_private`）已废弃，
-旧版 `ip_accept_any` 和旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项也已废弃。
+旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项也已废弃。
 在 sing-box 1.14.0 中，请使用 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作
 获取 DNS 响应，然后通过 `match_response` 显式匹配。
--- a/experimental/deprecated/constants.go
+++ b/experimental/deprecated/constants.go
@@ -93,15 +93,6 @@ var OptionInlineACME = Note{
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-inline-acme-to-certificate-provider",
 }
 var OptionIPAcceptAny = Note{
 	Name:              "dns-rule-ip-accept-any",
 	Description:       "Legacy `ip_accept_any` DNS rule item",
 	DeprecatedVersion: "1.14.0",
 	ScheduledVersion:  "1.16.0",
 	EnvName:           "DNS_RULE_IP_ACCEPT_ANY",
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-address-filter-fields-to-response-matching",
 }
 var OptionRuleSetIPCIDRAcceptEmpty = Note{
 	Name:              "dns-rule-rule-set-ip-cidr-accept-empty",
 	Description:       "Legacy `rule_set_ip_cidr_accept_empty` DNS rule item",
@@ -134,7 +125,6 @@ var Options = []Note{
 	OptionMissingDomainResolver,
 	OptionLegacyDomainStrategyOptions,
 	OptionInlineACME,
 	OptionIPAcceptAny,
 	OptionRuleSetIPCIDRAcceptEmpty,
 	OptionLegacyDNSAddressFilter,
 	OptionLegacyDNSRuleStrategy,
--- a/option/rule_dns.go
+++ b/option/rule_dns.go
@@ -107,6 +107,7 @@ type RawDefaultDNSRule struct {
 	MatchResponse            bool                                                                        `json:"match_response,omitempty"`
 	IPCIDR                   badoption.Listable[string]                                                  `json:"ip_cidr,omitempty"`
 	IPIsPrivate              bool                                                                        `json:"ip_is_private,omitempty"`
 	IPAcceptAny              bool                                                                        `json:"ip_accept_any,omitempty"`
 	ResponseRcode            *DNSRCode                                                                   `json:"response_rcode,omitempty"`
 	ResponseAnswer           badoption.Listable[DNSRecordOptions]                                        `json:"response_answer,omitempty"`
 	ResponseNs               badoption.Listable[DNSRecordOptions]                                        `json:"response_ns,omitempty"`
@@ -117,8 +118,6 @@ type RawDefaultDNSRule struct {
 	Geosite     badoption.Listable[string] `json:"geosite,omitempty"`
 	SourceGeoIP badoption.Listable[string] `json:"source_geoip,omitempty"`
 	GeoIP       badoption.Listable[string] `json:"geoip,omitempty"`
 	// Deprecated: use match_response with response items
 	IPAcceptAny bool `json:"ip_accept_any,omitempty"`
 	// Deprecated: removed in sing-box 1.11.0
 	RuleSetIPCIDRAcceptEmpty bool `json:"rule_set_ip_cidr_accept_empty,omitempty"`
 	// Deprecated: renamed to rule_set_ip_cidr_match_source
--- a/route/rule/rule_dns.go
+++ b/route/rule/rule_dns.go
@@ -177,12 +177,7 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
-	if options.IPAcceptAny { //nolint:staticcheck
+	if options.IPAcceptAny {
 		if legacyDNSMode {
 			deprecated.Report(ctx, deprecated.OptionIPAcceptAny)
 		} else {
 			return nil, E.New(deprecated.OptionIPAcceptAny.MessageWithLink())
 		}
 		item := NewIPAcceptAnyItem()
 		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)