Add config-time validation in NewDNSRule that rejects
RejectMethodReply for both default and logical DNS rules,
matching the existing TCP/UDP validation in route/route.go.
- Add EnvName to four new deprecation constants so users can suppress
warnings via ENABLE_DEPRECATED_* environment variables
- Add comment explaining why applyDNSRouteOptions skips Strategy
- Use dns.RcodeToString in DNSResponseRCodeItem.String() for readability
- Remove redundant Fqdn(FqdnToDomain(domain)) round-trip
- Use standard !!! failure block for strategy deprecation notice
- Add Legacy DNS Mode section explaining automatic mode detection
- Reorder ip_accept_any/rule_set_ip_cidr_accept_empty in Chinese docs
to match English
The legacy path returned predefined responses early, bypassing the
reverse mapping cache. Use goto to reach the shared post-exchange
block so both legacy and new paths record predefined A/AAAA answers.
The field was never set to true after the legacy pre-match refactor
in 3549c02b8. Remove the declaration, guard check, and redundant
false assignments.
Exchange and Lookup held rulesAccess.RLock across all DNS network I/O,
blocking rebuildRules from swapping in new rules until every in-flight
query finished. Replace the RWMutex with an atomic pointer to a
refcounted rulesSnapshot so queries only hold a snapshot reference
during execution, allowing concurrent rule rebuilds.
Remove SetIncludeAllowed(true) from the DNS record zone parser.
The $INCLUDE directive allows opening arbitrary files via os.Open,
which is unnecessary and dangerous when parsing a single record string
from configuration (especially remote profiles).
Fix displayRuleIndex arithmetic in dns/router.go that computed
2*index+1 instead of the correct 0-based index. This was a
reintroduction of a bug previously fixed in be8ee370a. Both
matchDNS and logRuleMatch now use the index directly, matching
the pattern in route/route.go.
Legacy DNS address-filter mode still accepts destination-side IP
predicates with a deprecation warning, but the recent evaluate/
match_response refactor started evaluating those predicates during
pre-response Match(). That broke rules whose transport selection must
be deferred until MatchAddressLimit() can inspect the upstream reply.
Restore the old defer behavior by reintroducing an internal
IgnoreDestinationIPCIDRMatch flag on InboundContext and using it only
for legacy pre-response DNS matching. Default and logical DNS rules now
carry the legacy mode bit, set the ignore flag on metadata copies while
performing pre-response Match(), and explicitly clear it again for
match_response and MatchAddressLimit() so response-phase matching still
checks the returned addresses.
Add regression coverage for direct legacy destination-IP rules,
rule_set-backed CIDR rules, logical wrappers, and the legacy Lookup
router path, including fallback after a rejected response. This keeps
legacy configs working without changing new-mode evaluate semantics.
Tests: go test ./route/rule ./dns
Tests: make
