From e62dc7bfa28beda8fdd93f61102976ccf7812a2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= <i@sekai.icu>
Date: Tue, 3 Mar 2026 23:26:05 +0800
Subject: [PATCH] Fix rule_set_ip_cidr_accept_empty not working

---
 dns/client.go |  4 +++-
 dns/router.go | 28 ++++++++++++++--------------
 2 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/dns/client.go b/dns/client.go
index 2982d11cf..ed4e8207b 100644
--- a/dns/client.go
+++ b/dns/client.go
@@ -240,8 +240,10 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
-		if response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0 {
+		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 			rejected = true
+		} else if len(response.Answer) == 0 {
+			rejected = !responseChecker(nil)
 		} else {
 			rejected = !responseChecker(MessageToAddresses(response))
 		}
diff --git a/dns/router.go b/dns/router.go
index 18b9e34d2..567f3225f 100644
--- a/dns/router.go
+++ b/dns/router.go
@@ -272,13 +272,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					return action.Response(message), nil
 				}
 			}
-			var responseCheck func(responseAddrs []netip.Addr) bool
-			if rule != nil && rule.WithAddressLimit() {
-				responseCheck = func(responseAddrs []netip.Addr) bool {
-					metadata.DestinationAddresses = responseAddrs
-					return rule.MatchAddressLimit(metadata)
-				}
-			}
+			responseCheck := addressLimitResponseCheck(rule, metadata)
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -394,13 +388,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 					goto response
 				}
 			}
-			var responseCheck func(responseAddrs []netip.Addr) bool
-			if rule != nil && rule.WithAddressLimit() {
-				responseCheck = func(responseAddrs []netip.Addr) bool {
-					metadata.DestinationAddresses = responseAddrs
-					return rule.MatchAddressLimit(metadata)
-				}
-			}
+			responseCheck := addressLimitResponseCheck(rule, metadata)
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -428,6 +416,18 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }
 
+func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
+	if rule == nil || !rule.WithAddressLimit() {
+		return nil
+	}
+	responseMetadata := *metadata
+	return func(responseAddrs []netip.Addr) bool {
+		checkMetadata := responseMetadata
+		checkMetadata.DestinationAddresses = responseAddrs
+		return rule.MatchAddressLimit(&checkMetadata)
+	}
+}
+
 func (r *Router) ClearCache() {
 	r.client.ClearCache()
 	if r.platformInterface != nil {