Merge pull request #9 from MaurUppi/dns_fix

MaurUppi · web-flow · commit d6eee4cc2056 · 2026-02-18T09:54:59.000+08:00
feat(dns): configurable DNS ingress performance levels
diff --git a/.plan/test-log.md b/.plan/test-log.md
@@ -520,3 +520,113 @@ rg -n "TestAnyfromPoolGetOrCreate_ZeroTTLStillPooled|TestAnyfromPoolGetOrCreate_
 1. 修复已按 High -> Medium 串行落地（F1/F3/F4/F2）。
 2. 本地可执行代码级验证通过。
 3. 编译/运行级回归受 Linux + eBPF 环境限制，需 PR 触发 CI 完成最终闭环。
+
+## dns-traceback-3rd-fix T10: DNS ingress 分级可配置化（T1 -> T6 -> M1）
+
+**日期**: 2026-02-18
+**来源**: `/Users/ouzy/Documents/DevProjects/dae/.plan/code_audit_trace-back-3rd.md`
+**执行文档**: `/Users/ouzy/Documents/DevProjects/dae/.plan/code_audit_trace-back-3rd-dev.md`
+
+### T1（config/config.go）新增 dns ingress 配置结构与字段
+
+**变更文件**
+- `config/config.go`
+
+**测试命令与结果**
+```bash
+rg -n "DnsIngressManual|DnsPerformanceLevel|dns_performance_level|dns_ingress_manual" config/config.go
+→ PASS: 命中新类型与 Global 新字段
+```
+
+### T2（config/patch.go）新增 level 校验与 manual clamp
+
+**变更文件**
+- `config/patch.go`
+
+**测试命令与结果**
+```bash
+rg -n "patchDnsPerformanceLevel|dns_performance_level|dns_ingress_manual" config/patch.go
+→ PASS: 命中 patch 注册、fallback、workers/queue clamp 警告
+```
+
+### T3（config/desc.go）补充描述文本
+
+**变更文件**
+- `config/desc.go`
+
+**测试命令与结果**
+```bash
+rg -n "dns_performance_level" config/desc.go
+→ PASS: 命中 GlobalDesc 说明
+```
+
+### T4（control/control_plane.go）profile 查找表与初始化改造
+
+**变更文件**
+- `control/control_plane.go`
+
+**测试命令与结果**
+```bash
+rg -n "dnsIngressProfile|resolveDnsIngressProfile|dnsIngressWorkerCount|DNS ingress: level" control/control_plane.go
+→ PASS: 命中 profile、解析函数、worker 计数与启动日志
+```
+
+### T5（example.dae）补充示例配置
+
+**变更文件**
+- `example.dae`
+
+**测试命令与结果**
+```bash
+rg -n "dns_performance_level|dns_ingress_manual" example.dae
+→ PASS: 命中 level 与 manual 示例注释
+```
+
+### T6（control/dns_improvement_test.go）新增 profile 解析测试
+
+**变更文件**
+- `control/dns_improvement_test.go`
+
+**测试命令与结果**
+```bash
+rg -n "TestResolveDnsIngressProfile" control/dns_improvement_test.go
+→ PASS: 命中新增测试函数
+```
+
+### M1（本地里程碑验证）
+
+**执行命令与结果**
+```bash
+# 1) 格式化
+gofmt -w config/config.go config/patch.go config/desc.go control/control_plane.go control/dns_improvement_test.go
+→ PASS
+
+# 2) 默认 go.work（环境检查）
+go test ./config -run TestPatchDnsPerformanceLevel -count=1
+→ FAIL: go.work 引用了本机缺失模块 ../cloudpan189-go
+
+# 3) 关闭 go.work 的 config 包编译检查
+GOWORK=off go test ./config -run TestPatchDnsPerformanceLevel -count=1
+→ PASS (no tests to run, 编译通过)
+
+# 4) 关闭 go.work 的 config 运行级回归
+GOWORK=off go test ./config -count=1
+→ FAIL: TestMarshal 要求 example.dae 文件权限 <=0640，本机检出为 0644（历史环境约束）
+
+# 5) 关闭 go.work 的 control 包测试（darwin）
+GOWORK=off go test ./control -run TestResolveDnsIngressProfile -count=1
+→ FAIL: 缺失 Linux netlink/IP_TRANSPARENT 常量（平台限制）
+
+# 6) Linux 目标的 control 包编译尝试
+GOWORK=off GOOS=linux GOARCH=amd64 go test ./control -run TestNoSuch -count=1
+→ FAIL: 缺失 bpfObjects/bpfRoutingResult（需 CI eBPF 生成链路）
+
+# 7) config 包 vet 检查（Linux 目标）
+GOWORK=off GOOS=linux GOARCH=amd64 go vet ./config/
+→ FAIL: config/marshal.go 与 config/parser.go 现存 unreachable code（与本次改动无关）
+```
+
+**结论**
+1. T1~T6 代码改动与结构验证全部完成。
+2. 本地受 go.work、darwin/Linux 差异、eBPF 生成链路限制，无法完成 control 包运行级回归。
+3. 下一步需通过 PR 触发 CI（Linux runner）完成编译/测试闭环。
diff --git a/config/config.go b/config/config.go
@@ -17,6 +17,11 @@ var (
 	Version string
 )
 
+type DnsIngressManual struct {
+	Workers uint16 `mapstructure:"workers" default:"0"`
+	Queue   uint16 `mapstructure:"queue" default:"0"`
+}
+
 type Global struct {
 	TproxyPort        uint16 `mapstructure:"tproxy_port" default:"12345"`
 	TproxyPortProtect bool   `mapstructure:"tproxy_port_protect" default:"true"`
@@ -37,15 +42,17 @@ type Global struct {
 	EnableLocalTcpFastRedirect bool          `mapstructure:"enable_local_tcp_fast_redirect" default:"false"`
 	AutoConfigKernelParameter  bool          `mapstructure:"auto_config_kernel_parameter" default:"false"`
 	// DEPRECATED: not used as of https://github.com/daeuniverse/dae/pull/458
-	AutoConfigFirewallRule bool          `mapstructure:"auto_config_firewall_rule" default:"false"`
-	SniffingTimeout        time.Duration `mapstructure:"sniffing_timeout" default:"100ms"`
-	TlsImplementation      string        `mapstructure:"tls_implementation" default:"tls"`
-	UtlsImitate            string        `mapstructure:"utls_imitate" default:"chrome_auto"`
-	PprofPort              uint16        `mapstructure:"pprof_port" default:"0"`
-	Mptcp                  bool          `mapstructure:"mptcp" default:"false"`
-	FallbackResolver       string        `mapstructure:"fallback_resolver" default:"8.8.8.8:53"`
-	BandwidthMaxTx         string        `mapstructure:"bandwidth_max_tx" default:"0"`
-	BandwidthMaxRx         string        `mapstructure:"bandwidth_max_rx" default:"0"`
+	AutoConfigFirewallRule bool             `mapstructure:"auto_config_firewall_rule" default:"false"`
+	SniffingTimeout        time.Duration    `mapstructure:"sniffing_timeout" default:"100ms"`
+	TlsImplementation      string           `mapstructure:"tls_implementation" default:"tls"`
+	UtlsImitate            string           `mapstructure:"utls_imitate" default:"chrome_auto"`
+	PprofPort              uint16           `mapstructure:"pprof_port" default:"0"`
+	Mptcp                  bool             `mapstructure:"mptcp" default:"false"`
+	FallbackResolver       string           `mapstructure:"fallback_resolver" default:"8.8.8.8:53"`
+	BandwidthMaxTx         string           `mapstructure:"bandwidth_max_tx" default:"0"`
+	BandwidthMaxRx         string           `mapstructure:"bandwidth_max_rx" default:"0"`
+	DnsPerformanceLevel    string           `mapstructure:"dns_performance_level" default:"balanced"`
+	DnsIngressManual       DnsIngressManual `mapstructure:"dns_ingress_manual"`
 }
 
 type Utls struct {
diff --git a/config/desc.go b/config/desc.go
@@ -58,6 +58,9 @@ var GlobalDesc = Desc{
 	"tls_implementation":           "TLS implementation. \"tls\" is to use Go's crypto/tls. \"utls\" is to use uTLS, which can imitate browser's Client Hello.",
 	"utls_imitate":                 "The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls. See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17",
 	"mptcp":                        "Enable Multipath TCP.  If is true, dae will try to use MPTCP to connect all nodes, but it will only take effects when the node supports MPTCP. It can use for load balance and failover to multiple interfaces and IPs.",
+	"dns_performance_level": "DNS ingress performance level. Options: lean, balanced (default), aggressive, manual. " +
+		"Use 'lean' for low-power devices, 'aggressive' for high-load environments. " +
+		"Only set 'manual' if you need fine-grained control over worker and queue sizes.",
 }
 
 var DnsDesc = Desc{
diff --git a/config/patch.go b/config/patch.go
@@ -19,6 +19,7 @@ type patch func(params *Config) error
 var patches = []patch{
 	patchTcpCheckHttpMethod,
 	patchEmptyDns,
+	patchDnsPerformanceLevel,
 	patchMustOutbound,
 }
 
@@ -40,6 +41,46 @@ func patchEmptyDns(params *Config) error {
 	return nil
 }
 
+func patchDnsPerformanceLevel(params *Config) error {
+	level := strings.ToLower(strings.TrimSpace(params.Global.DnsPerformanceLevel))
+	switch level {
+	case "lean", "balanced", "aggressive", "manual":
+		params.Global.DnsPerformanceLevel = level
+	case "":
+		params.Global.DnsPerformanceLevel = "balanced"
+	default:
+		logrus.Warnf("Unknown dns_performance_level '%s', falling back to 'balanced'", params.Global.DnsPerformanceLevel)
+		params.Global.DnsPerformanceLevel = "balanced"
+	}
+
+	if params.Global.DnsPerformanceLevel == "manual" {
+		m := &params.Global.DnsIngressManual
+		const minW, maxW uint16 = 32, 1024
+		const minQ, maxQ uint16 = 128, 16384
+		if m.Workers == 0 {
+			m.Workers = 256
+		}
+		if m.Queue == 0 {
+			m.Queue = 2048
+		}
+		if m.Workers < minW {
+			logrus.Warnf("dns_ingress_manual.workers %d below min %d, clamping", m.Workers, minW)
+			m.Workers = minW
+		} else if m.Workers > maxW {
+			logrus.Warnf("dns_ingress_manual.workers %d above max %d, clamping", m.Workers, maxW)
+			m.Workers = maxW
+		}
+		if m.Queue < minQ {
+			logrus.Warnf("dns_ingress_manual.queue %d below min %d, clamping", m.Queue, minQ)
+			m.Queue = minQ
+		} else if m.Queue > maxQ {
+			logrus.Warnf("dns_ingress_manual.queue %d above max %d, clamping", m.Queue, maxQ)
+			m.Queue = maxQ
+		}
+	}
+	return nil
+}
+
 func patchMustOutbound(params *Config) error {
 	for i := range params.Routing.Rules {
 		if strings.HasPrefix(params.Routing.Rules[i].Outbound.Name, "must_") {
diff --git a/control/control_plane.go b/control/control_plane.go
@@ -48,11 +48,33 @@ import (
 
 const (
 	// DNS packets are handled by dedicated workers instead of per-src queue.
-	dnsIngressWorkerCount   = 256
-	dnsIngressQueueLength   = 2048
 	dnsIngressQueueLogEvery = 100
 )
 
+type dnsIngressProfile struct {
+	workers  int
+	queueLen int
+}
+
+var dnsIngressProfiles = map[string]dnsIngressProfile{
+	"lean":       {workers: 32, queueLen: 128},
+	"balanced":   {workers: 256, queueLen: 2048},
+	"aggressive": {workers: 1024, queueLen: 4096},
+}
+
+func resolveDnsIngressProfile(level string, manual config.DnsIngressManual) dnsIngressProfile {
+	if level == "manual" {
+		return dnsIngressProfile{
+			workers:  int(manual.Workers),
+			queueLen: int(manual.Queue),
+		}
+	}
+	if p, ok := dnsIngressProfiles[level]; ok {
+		return p
+	}
+	return dnsIngressProfiles["balanced"]
+}
+
 type dnsIngressTask struct {
 	data          pool.PB
 	convergeSrc   netip.AddrPort
@@ -72,10 +94,11 @@ type ControlPlane struct {
 	outbounds     []*outbound.DialerGroup
 	inConnections sync.Map
 
-	dnsController    *DnsController
-	onceNetworkReady sync.Once
-	dnsIngressQueue  chan dnsIngressTask
-	emitUdpTask      func(key string, task UdpTask)
+	dnsController         *DnsController
+	onceNetworkReady      sync.Once
+	dnsIngressQueue       chan dnsIngressTask
+	dnsIngressWorkerCount int
+	emitUdpTask           func(key string, task UdpTask)
 	// dnsIngressQueueFullTotal tracks how many DNS packets hit full lane queue.
 	dnsIngressQueueFullTotal uint64
 	// dnsIngressDropTotal tracks dropped DNS packets at ingress (queue full).
@@ -404,30 +427,34 @@ func NewControlPlane(
 
 	// New control plane.
 	ctx, cancel := context.WithCancel(context.Background())
+	dnsIngressCfg := resolveDnsIngressProfile(global.DnsPerformanceLevel, global.DnsIngressManual)
 	plane := &ControlPlane{
-		log:               log,
-		core:              core,
-		deferFuncs:        deferFuncs,
-		listenIp:          "0.0.0.0",
-		outbounds:         outbounds,
-		dnsController:     nil,
-		onceNetworkReady:  sync.Once{},
-		dnsIngressQueue:   make(chan dnsIngressTask, dnsIngressQueueLength),
-		emitUdpTask:       DefaultUdpTaskPool.EmitTask,
-		dialMode:          dialMode,
-		routingMatcher:    routingMatcher,
-		ctx:               ctx,
-		cancel:            cancel,
-		ready:             make(chan struct{}),
-		muRealDomainSet:   sync.Mutex{},
-		realDomainSet:     bloom.NewWithEstimates(2048, 0.001),
-		lanInterface:      global.LanInterface,
-		wanInterface:      global.WanInterface,
-		sniffingTimeout:   sniffingTimeout,
-		tproxyPortProtect: global.TproxyPortProtect,
-		soMarkFromDae:     global.SoMarkFromDae,
-		mptcp:             global.Mptcp,
-	}
+		log:                   log,
+		core:                  core,
+		deferFuncs:            deferFuncs,
+		listenIp:              "0.0.0.0",
+		outbounds:             outbounds,
+		dnsController:         nil,
+		onceNetworkReady:      sync.Once{},
+		dnsIngressQueue:       make(chan dnsIngressTask, dnsIngressCfg.queueLen),
+		dnsIngressWorkerCount: dnsIngressCfg.workers,
+		emitUdpTask:           DefaultUdpTaskPool.EmitTask,
+		dialMode:              dialMode,
+		routingMatcher:        routingMatcher,
+		ctx:                   ctx,
+		cancel:                cancel,
+		ready:                 make(chan struct{}),
+		muRealDomainSet:       sync.Mutex{},
+		realDomainSet:         bloom.NewWithEstimates(2048, 0.001),
+		lanInterface:          global.LanInterface,
+		wanInterface:          global.WanInterface,
+		sniffingTimeout:       sniffingTimeout,
+		tproxyPortProtect:     global.TproxyPortProtect,
+		soMarkFromDae:         global.SoMarkFromDae,
+		mptcp:                 global.Mptcp,
+	}
+	log.Infof("DNS ingress: level=%s, workers=%d, queue_len=%d",
+		global.DnsPerformanceLevel, dnsIngressCfg.workers, dnsIngressCfg.queueLen)
 	defer func() {
 		if err != nil {
 			cancel()
@@ -816,7 +843,7 @@ func (c *ControlPlane) dispatchDnsOrQueue(convergeSrc, pktDst netip.AddrPort, dn
 }
 
 func (c *ControlPlane) startDnsIngressWorkers(udpConn *net.UDPConn) {
-	for i := 0; i < dnsIngressWorkerCount; i++ {
+	for i := 0; i < c.dnsIngressWorkerCount; i++ {
 		go func() {
 			for {
 				select {
diff --git a/control/dns_improvement_test.go b/control/dns_improvement_test.go
@@ -348,6 +348,39 @@ func TestDrainDnsIngressQueue_DrainsWithoutCountingDrop(t *testing.T) {
 	}
 }
 
+func TestResolveDnsIngressProfile(t *testing.T) {
+	tests := []struct {
+		name    string
+		level   string
+		manual  config.DnsIngressManual
+		workers int
+		queue   int
+	}{
+		{name: "lean", level: "lean", workers: 32, queue: 128},
+		{name: "balanced", level: "balanced", workers: 256, queue: 2048},
+		{name: "aggressive", level: "aggressive", workers: 1024, queue: 4096},
+		{
+			name:    "manual",
+			level:   "manual",
+			manual:  config.DnsIngressManual{Workers: 512, Queue: 4096},
+			workers: 512,
+			queue:   4096,
+		},
+		{name: "unknown", level: "unknown", workers: 256, queue: 2048},
+		{name: "empty", level: "", workers: 256, queue: 2048},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := resolveDnsIngressProfile(tt.level, tt.manual)
+			if got.workers != tt.workers || got.queueLen != tt.queue {
+				t.Fatalf("resolveDnsIngressProfile(%q, %+v) = {%d, %d}, want {%d, %d}",
+					tt.level, tt.manual, got.workers, got.queueLen, tt.workers, tt.queue)
+			}
+		})
+	}
+}
+
 func TestAnyfromPoolGetOrCreate_ZeroTTLStillPooled(t *testing.T) {
 	p := NewAnyfromPool()
 	var createCalls atomic.Int32
diff --git a/example.dae b/example.dae
@@ -12,6 +12,21 @@ global {
     # Set non-zero value to enable pprof.
     pprof_port: 0
 
+    # DNS ingress performance level.
+    # Options: lean, balanced (default), aggressive, manual.
+    # - lean: for low-power/embedded devices (32 workers)
+    # - balanced: for typical home/small office (256 workers)
+    # - aggressive: for high-load environments (1024 workers)
+    # - manual: expert tuning, requires dns_ingress_manual section below
+    # dns_performance_level: balanced
+
+    # Only effective when dns_performance_level is "manual".
+    # Workers: 32-1024, Queue: 128-16384.
+    # dns_ingress_manual {
+    #     workers: 512
+    #     queue: 2048
+    # }
+
     # If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy
     # rules.
     so_mark_from_dae: 0

Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,9 @@ var GlobalDesc = Desc{`
`58`	`58`	`"tls_implementation": "TLS implementation. \"tls\" is to use Go's crypto/tls. \"utls\" is to use uTLS, which can imitate browser's Client Hello.",`
`59`	`59`	`"utls_imitate": "The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls. See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17",`
`60`	`60`	`"mptcp": "Enable Multipath TCP. If is true, dae will try to use MPTCP to connect all nodes, but it will only take effects when the node supports MPTCP. It can use for load balance and failover to multiple interfaces and IPs.",`
	`61`	`+ "dns_performance_level": "DNS ingress performance level. Options: lean, balanced (default), aggressive, manual. " +`
	`62`	`+ "Use 'lean' for low-power devices, 'aggressive' for high-load environments. " +`
	`63`	`+ "Only set 'manual' if you need fine-grained control over worker and queue sizes.",`
`61`	`64`	`}`
`62`	`65`
`63`	`66`	`var DnsDesc = Desc{`