add client-rules, group-begin, group-end

docs/config/client-rule.md

@@ -0,0 +1,86 @@
+---
+hide:
+  - toc
+---
+
+# 客户端规则
+
+smartdns支持根据客户端IP地址，对客户端设置不同的规则，可以实现：
+
+  * 家长控制：限制特定客户端可访问的网站。
+  * 访问控制：禁止未经允许的客户端查询。
+  * 基于客户端域名分流查询：设置规则组和上游组绑定，不同的客户端查询不同的上游。
+
+## 家长控制
+
+设置smartdns针对特定的客户端使用特定的上游查询，也可以设置禁止访问特定的域名或IP地址，来实现家长控制。
+
+```
+# 启用规则组
+group-begin child
+# 设置规则组对应的客户端IP
+client-rules 192.168.1.13
+# 设置规则组使用的上游服务器
+server 1.2.3.4 -e
+# 禁止特定域名
+address /block.com/#
+# 禁止特定IP
+ignore-ip 2.2.2.2
+group-end
+```
+
+为方便管理，也可采用多配置文件的方式，如
+
+1. 主配置文件
+```
+conf-file child.conf -group child
+```
+
+1. 包含的配置文件
+```
+# 设置规则组对应的客户端IP
+client-rules 192.168.1.13
+# 设置规则组使用的上游服务器
+server 1.2.3.4 -e
+# 禁止特定域名
+address /block.com/#
+# 禁止特定IP
+ignore-ip 2.2.2.2
+```
+
+其中group-begin和group-end的配置块，等价于conf-file -group 包含的配置文件，
+
+## 访问控制
+
+smartdns支持基本的ACL功能，可以通过如下参数开启和设置允许访问的主机。
+
+```
+# 启用ACL
+acl-enable yes
+# 设置允许访问的主机
+client-rules 192.168.1.2/24
+```
+
+## 基于客户端域名分流查询
+
+类似家长控制，smartdns可以将特定需要分流和配合ipset/nftset访问的主机，进行分流。
+
+1. 主配置文件
+```
+conf-file oversea.conf -group oversea
+```
+
+1. 包含的配置文件
+```
+# 设置规则组对应的客户端IP
+client-rules 192.168.1.13
+# 设置规则组使用的上游服务器
+server-https https://1.2.3.4 -e
+server-tls tls://1.2.3.4 -e
+# 禁止测速
+speed-check-mode none
+# 禁止IPV6和HTTPS记录
+force-qtype-SOA 28 65
+# 设置ipset
+ipset oversea
+```

docs/config/domain-rule.md

@@ -0,0 +1,23 @@
+---
+hide:
+  - toc
+---
+
+# 域名规则
+
+为方便对同一个域名设置多个规则，smartdns提供了`domain-rules`参数，可以对域名设置多个规则。
+
+1. 使用`domain-rules`设置多个规则，如：
+
+  ```
+  domain-rules /a.com/ -g group -address #6 -ipset ipset
+  ```
+
+  domain-rules的选项请阅读配置选项。
+
+1. 在有/domain/配置的选项使用域名集合，只需要将`/domain/`配置为`/domain-set:[集合名称]/`即可，如：
+
+  ```shell
+  domain-set -name ad -file /etc/smartdns/ad-list.conf
+  domain-rules /domain-set:ad/ -a #
+  ```

docs/configuration.md

@@ -46,7 +46,10 @@ hide:
 | audit-file-mode | 审计归档文件权限 | 0640 | 文件权限 | log-file-mode 644 |
 | audit-console | 是否输出审计日志到控制台 | no | [yes\|no] | audit-console yes |
 | audit-syslog | 是否输出审计日志到系统日志 | no | [yes\|no] | audit-syslog yes |
-| conf-file | 附加配置文件 | 无 | 合法路径字符串，通配符号 | conf-file /etc/smartdns/smartdns.more.conf <br /> conf-file *.conf |
+| acl-enable | 启用ACL | no | [yes\|no] <br /> 和client-rules搭配使用。| acl-enable yes | 
+| group-begin | 规则组开始 | 无 | 组名:<br /> 和group-end搭配使用，启用此参数后，group-begin参数之后的配置项将设置到对应的组中，直到group-end结束。| group-begin group-name | 
+| group-end | 规则组结束 | 无 | 和group-begin搭配使用 | group-end |
+| conf-file | 附加配置文件 | 无 | path [-g\|group group-name] <br />path: 合法路径字符串，通配符号 <br />[-g\|group]: 对应配置文件配置所属规则组 | conf-file /etc/smartdns/smartdns.more.conf <br /> conf-file \*.conf <br /> conf-file \*.conf -group oversea |
 | server | 上游 UDP DNS | 无 | 可重复。<br />[ip][:port]\|URL：服务器 IP:端口（可选）或 URL <br />[-blacklist-ip]：配置 IP 过滤结果。<br />[-whitelist-ip]：指定仅接受参数中配置的 IP 范围<br />[-g\|-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br />[-e\|-exclude-default-group]：将 DNS 服务器从默认组中排除。<br />[-set-mark mark]：设置数据包标记so-mark。<br />[-p\|-proxy name]：设置代理服务器。 <br />[-b\|-bootstrap-dns]：标记此服务器为bootstrap服务器。<br />[-subnet]：指定服务器使用的edns-client-subnet。<br />[-interface]：绑定到对应的网口。| server 8.8.8.8:53 -blacklist-ip -group g1 -proxy proxy<br /> server tls://8.8.8.8|
 | server-tcp | 上游 TCP DNS | 无 | 可重复。<br />[ip][:port]：服务器 IP:端口（可选）<br />[-blacklist-ip]：配置 IP 过滤结果<br />[-whitelist-ip]：指定仅接受参数中配置的 IP 范围。<br />[-g\|-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br />[-e\|-exclude-default-group]：将 DNS 服务器从默认组中排除。<br />[-set-mark mark]：设置数据包标记so-mark。<br />[-p\|-proxy name]：设置代理服务器。 <br />[-b\|-bootstrap-dns]：标记此服务器为bootstrap服务器。<br />[-subnet]：指定服务器使用的edns-client-subnet。<br />[-interface]：绑定到对应的网口。| server-tcp 8.8.8.8:53 |
 | server-tls | 上游 TLS DNS | 无 | 可重复。<br />[ip][:port]：服务器 IP:端口（可选)<br />[-spki-pin [sha256-pin]]：TLS 合法性校验 SPKI 值，base64 编码的 sha256 SPKI pin 值<br />[-host-name]：TLS SNI 名称, 名称设置为-，表示停用SNI名称。<br />[-host-ip]: 主机IP地址。<br />[-tls-host-verify]：TLS 证书主机名校验<br /> [-k\|-no-check-certificate]：跳过证书校验<br />[-blacklist-ip]：配置 IP 过滤结果<br />[-whitelist-ip]：仅接受参数中配置的 IP 范围<br />[-g\|-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br />[-e\|-exclude-default-group]：将 DNS 服务器从默认组中排除。<br />[-set-mark mark]：设置数据包标记so-mark。<br />[-p\|-proxy name]：设置代理服务器。 <br />[-b\|-bootstrap-dns]：标记此服务器为bootstrap服务器。<br />[-subnet]：指定服务器使用的edns-client-subnet。<br />[-interface]：绑定到对应的网口。| server-tls 8.8.8.8:853 |
@@ -64,7 +67,7 @@ hide:
 | hosts-file | 指定hosts文件 | 无 | hosts文件路径 | hosts-file /etc/hosts | 
 | edns-client-subnet | DNS ECS | 无 | edns-client-subnet ip-prefix/mask <br /> 指定EDNS客户端子网 | ip-prefix/mask 1.2.3.4/23 |
 | nameserver | 指定域名使用 server 组解析 | 无 | nameserver /domain/[group\|-], group 为组名，- 表示忽略此规则，配套 server 中的 -group 参数使用 | nameserver /www.example.com/office |
-| ipset | 域名 ipset | 无 | ipset [/domain/][ipset\|-\|#[4\|6]:[ipset\|-][,#[4\|6]:[ipset\|-]]]，-表示忽略此规则 | ipset /www.example.com/#4:dns4,#6:- <br />ipset /www.example.com/dns <br /> ipset ipsetname|
+| ipset | 域名 ipset | 无 | ipset [/domain/][ipset\|-\|#[4\|6]:[ipset\|-][,#[4\|6]:[ipset\|-]]]，-表示忽略此规则，只有ipset名称没有域名时，表示全局生效。| ipset /www.example.com/#4:dns4,#6:- <br />ipset /www.example.com/dns <br /> ipset ipsetname|
 | ipset-timeout | 设置 ipset 超时功能启用  | no | [yes\|no] | ipset-timeout yes |
 | ipset-no-speed | 当测速失败时，将域名结果设置到ipset集合中 | 无 | ipset \| #[4\|6]:ipset | ipset-no-speed #4:ipset4,#6:ipset6 <br /> ipset-no-speed ipset|
 | nftset | 域名 nftset | 无 | nftset [/domain/][#4\|#6\|-]:[family#nftable#nftset\|-][,#[4\|6]:[family#nftable#nftset\|-]]]，<br />-表示忽略此规则；<br />ipv4 地址的 family 只支持 inet 和 ip；<br />ipv6 地址的 family 只支持 inet 和 ip6；<br />由于 nft 限制，两种地址只能分开存放于两个 set 中。| nftset /www.example.com/#4:inet#tab#dns4,#6:- <br /> nftset #4:inet#tab#dns4,#6:-|
@@ -73,6 +76,7 @@ hide:
 | nftset-debug | 设置 nftset 调试功能启用  | no | [yes\|no] | nftset-debug yes |
 | domain-rules | 设置域名规则 | 无 | domain-rules /domain/ [-rules...]<br />[-c\|-speed-check-mode]：测速模式，参考 speed-check-mode 配置<br />[-a\|-address]：参考 address 配置<br />[-n\|-nameserver]：参考 nameserver 配置<br />[-p\|-ipset]：参考ipset配置<br />[-t\|-nftset]：参考nftset配置<br />[-d\|-dualstack-ip-selection]：参考 dualstack-ip-selection<br /> [-no-serve-expired]：禁用过期缓存<br />[-rr-ttl\|-rr-ttl-min\|-rr-ttl-max]: 参考配置rr-ttl, rr-ttl-min, rr-ttl-max<br />[-no-cache]：不缓存当前域名<br />[-r\|-response-mode]：响应模式，参考 response-mode 配置<br />[-delete]：删除对应的规则<br /> [no-ip-alias]: 忽略ip别名规则| domain-rules /www.example.com/ -speed-check-mode none |
 | domain-set | 设置域名集合 | 无 | domain-set [options...]<br />[-n\|-name]：域名集合名称 <br />[-t\|-type]：域名集合类型，当前仅支持list，格式为域名列表，一行一个域名。<br />[-f\|-file]：域名集合文件路径。<br /> 选项需要配合address, nameserver, ipset, nftset等需要指定域名的地方使用，使用方式为 /domain-set:[name]/| domain-set -name set -type list -file /path/to/list <br /> address /domain-set:set/1.2.4.8 |
+| client-rules | 客户端规则 | 无 | [ip/subnet] [-g\|group group-name] [-rules...] <br />设置客户端规则和规则组，规则参数与bind一样，具体参数选项请参考bind，一般情况搭配group-begin、group-end使用。 | client-rules 192.168.1.1 -g oversea |
 | bogus-nxdomain | 假冒 IP 地址过滤 | 无 | [ip/subnet]，可重复 | bogus-nxdomain 1.2.3.4/16 |
 | ignore-ip | 忽略 IP 地址 | 无 | [ip/subnet]，可重复 | ignore-ip 1.2.3.4/16 |
 | whitelist-ip | 白名单 IP 地址 | 无 | [ip/subnet]，可重复 | whitelist-ip 1.2.3.4/16 |

en/docs/config/client-rule.md

@@ -0,0 +1,90 @@
+---
+hide:
+  - toc
+---
+
+# Client Rules
+
+smartdns supports setting different rules for clients based on their IP addresses, allowing for:
+
+  * Parental control: Restricting access to specific websites for certain clients.
+  * Access control: Prohibiting unauthorized clients from making queries.
+  * Client-based domain-based query routing: Binding rule groups with upstream groups, so that different clients can query different upstream servers.
+
+## Parental Control
+
+  By configuring smartdns to use specific upstream queries for certain clients, you can implement parental control by restricting access to specific domains or IP addresses.
+
+  ```
+  # Enable Rule Group
+  group-begin child
+  # Set client IP for the rule group
+  client-rules 192.168.1.13
+  # Set upstream server for the rule group
+  server 1.2.3.4 -e
+  # Block specific domain
+  address /block.com/#
+  # Block specific IP
+  ignore-ip 2.2.2.2
+  group-end
+  ```
+
+For convenience in management, multiple configuration files can also be used, such as:
+
+  1. Main configuration file
+
+    ```
+    conf-file child.conf -group child
+    ```
+
+  1. Included Configuration File
+
+    ```
+    # Set client IP for the rule group
+    client-rules 192.168.1.13
+    # Set upstream server for the rule group
+    server 1.2.3.4 -e
+    # Block specific domain
+    address /block.com/#
+    # Block specific IP
+    ignore-ip 2.2.2.2
+    ```
+
+The configuration blocks of group-begin and group-end are equivalent to the configuration files included with conf-file -group.
+
+## Access Control
+
+  smartdns supports basic ACL functionality, which allows you to enable and set the hosts that are allowed to access.
+
+  ```
+  # Enable ACL
+  acl-enable yes
+  # Set allowed hosts
+  client-rules 192.168.1.2/24
+  ```
+
+## Client-based Domain-based Query Forwarding
+
+Similar to parental control, smartdns can route specific hosts that require redirection and are accessed with ipset/nftset.
+
+  1. Main Configuration File
+
+    ```
+    conf-file oversea.conf -group oversea
+    ```
+
+  1. Included Configuration File
+
+    ```
+    # Set the client IP for the rule group
+    client-rules 192.168.1.13
+    # Set the upstream servers for the rule group
+    server-https https://1.2.3.4 -e
+    server-tls tls://1.2.3.4 -e
+    # Disable speed check
+    speed-check-mode none
+    # Disable IPV6 and HTTPS logging
+    force-qtype-SOA 28 65
+    # Set ipset
+    ipset group-tv
+    ```

en/docs/config/domain-rule.md

@@ -0,0 +1,28 @@
+---
+hide:
+  - toc
+---
+
+# Domain Rules
+
+To facilitate setting multiple rules for the same domain, smartdns provides the `domain-rules` parameter, which allows you to set multiple rules for a domain.
+
+1. Use the `domain-rules` parameter to set multiple rules, for example:
+
+    ```
+    domain-rules /a.com/ -g group -address #6 -ipset ipset
+    ```
+
+    Please refer to the configuration options for more information on the `domain-rules` options.
+
+1. When using domain sets in options with `/domain/` configuration, you only need to replace `/domain/` with `/domain-set:[set name]/`, for example:
+
+    ```shell
+    domain-set -name ad -file /etc/smartdns/ad-list.conf
+    domain-rules /domain-set:ad/ -a #
+    ```
+
+    ```shell
+    domain-set -name ad -file /etc/smartdns/ad-list.conf
+    domain-rules /domain-set:ad/ -a #
+    ```

en/docs/configuration.md

@@ -42,7 +42,10 @@ hide:
 |audit-file-mode|archived audit log file mode|0640|Integer|audit-file-mode 644
 |audit-console|enable output audit log to console|no|[yes\|no]|audit-console yes
 |audit-syslog|enable output audit log to syslog|no|[yes\|no]|audit-syslog yes
-|conf-file|additional conf file|None|File path, wildcard |conf-file /etc/smartdns/smartdns.more.conf <br /> conf-file *.conf 
+|acl-enable|enable ACL| no | [yes\|no] <br /> Used with client-rules.| acl-enable yes | 
+|group-begin|rule group start|None|Group name:<br />Used with group-end, when enabled, the configuration items after group-begin will be set to the corresponding group until group-end is encountered.|group-begin group-name|
+|group-end|rule group end| None | Used group-begin.| group-end |
+|conf-file|additional conf file|None|file [-g\|-group group-name] <br /> file: File path, wildcard. <br />[-g\|-group group-name]: The rule group to which the corresponding configuration file configuration belongs. |conf-file /etc/smartdns/smartdns.more.conf <br /> conf-file \*.conf <br /> conf-file \*.conf -g group-tv | 
 |server|Upstream UDP DNS server|None|Repeatable <br />`[ip][:port]|URL`: Server IP, port optional OR URL. <br />`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br />`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br />`[-g|-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br />`[-e|-exclude-default-group]`: Exclude DNS servers from the default group. <br />`[-set-mark mark]`: set mark on packets <br /> `[-p|-proxy name]`: set proxy server <br /> `[-b|-bootstrap-dns]`: set as bootstrap dns server <br />[-subnet]：set per server edns-client-subnet. <br />[-interface]: bind to interface. | server 8.8.8.8:53 -blacklist-ip<br />server tls://8.8.8.8
 |server-tcp|Upstream TCP DNS server|None|Repeatable <br />`[ip][:port]`: Server IP, port optional. <br />`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br />`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br />`[-g|-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br />`[-e|-exclude-default-group]`: Exclude DNS servers from the default group <br />`[-set-mark mark]`: set mark on packets <br /> `[-p|-proxy name]`: set proxy server <br /> `[-b|-bootstrap-dns]`: set as bootstrap dns server <br />[-subnet]：set per server edns-client-subnet. <br />[-interface]: bind to interface. | server-tcp 8.8.8.8:53
 |server-tls|Upstream TLS DNS server|None|Repeatable <br />`[ip][:port]`: Server IP, port optional. <br />`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br />`[-host-name]`:TLS Server name. `-` to disable SNI name.<br />[-host-ip]: host ip address. <br />`[-tls-host-verify]`: TLS cert hostname to verify. <br />`[-k|-no-check-certificate]`: No check certificate. <br />`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br />`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br />`[-g|-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br />`[-e|-exclude-default-group]`: Exclude DNS servers from the default group <br /> `[-set-mark mark]`: set mark on packets <br /> `[-p|-proxy name]`: set proxy server <br /> `[-b|-bootstrap-dns]`: set as bootstrap dns server <br />[-subnet]：set per server edns-client-subnet. <br />[-interface]: bind to interface. | server-tls 8.8.8.8:853
@@ -69,6 +72,7 @@ hide:
 |nftset-debug|nftset debug enable|no|[yes\|no]|nftset-debug yes
 |domain-rules|set domain rules|None|domain-rules /domain/ [-rules...]<br />[-c\|-speed-check-mode]: set speed check mode, same as parameter `speed-check-mode`<br />[-a\|-address]: same as  parameter `address` <br />[-n\|-nameserver]: same as parameter `nameserver`<br />[-p|-ipset]: same as parameter `nftset`<br />[-t\|-nftset]: same as parameter `nftset`<br />[-d\|-dualstack-ip-selection]: same as parameter `dualstack-ip-selection`<br />  [-no-serve-expired]: disable serve expired<br />[-rr-ttl\|-rr-ttl-min\|-rr-ttl-max]: same as parameter: `rr-ttl`, `rr-ttl-min`, `rr-ttl-max`<br />[-no-cache]：not cache this domain.<br />[-r\|-response-mode]：response mode, same as `response-mod`e<br />[-delete]: delete rule <br /> [no-ip-alias]: ignore ip-alias rule|domain-rules /www.example.com/ -speed-check-mode none
 | domain-set | collection of domains|None| domain-set [options...]<br />[-n\|-name]: name of set <br />[-t\|-type] [list]: set type, only support list, one domain per line <br />[-f\|-file]: file path of domain set<br /> used with address, nameserver, ipset, nftset, example: /domain-set:[name]/ | domain-set -name set -type list -file /path/to/list <br /> address /domain-set:set/1.2.4.8 |
+|client-rules| Client rules | None | [ip/subnet] [-g\|group group-name] [-rules...] <br />Set client rules and rule groups, the rule parameters are the same as bind, please refer to bind for specific parameter options. Generally used with group-begin, group-end. | client-rules 192.168.1.1 -g group-tv |
 |bogus-nxdomain|bogus IP address|None|[IP/subnet], Repeatable| bogus-nxdomain 1.2.3.4/16
 |ignore-ip|ignore ip address|None|[ip/subnet], Repeatable| ignore-ip 1.2.3.4/16
 |whitelist-ip|ip whitelist|None|[ip/subnet], Repeatable, When the filtering server responds IPs in the IP whitelist, only result in whitelist will be accepted| whitelist-ip 1.2.3.4/16

en/mkdocs.yml

@@ -87,9 +87,8 @@ nav:
     - Disable IPV6: 'config/block-ipv6.md'
     - Domain Forwarding: 'config/domain-forwarding.md'
     - Check Speed Mode: 'config/check-speed-mode.md'
-    - Security Related: 'config/security.md'
-    - Resolve Local Hostname: 'config/resolv-dnsmasq-lease.md'
-    - Bootstrap DNS: 'config/bootstrap-dns.md'
+    - Domain Rules: 'config/domain-rule.md'
+    - Client Rules: 'config/client-rule.md'
     - Domain Address: 'config/domain-address.md'
     - CNAME Alias Query: 'config/cname.md'
     - Domain Set: 'config/domain-set.md'
@@ -99,8 +98,11 @@ nav:
     - IP Rule: 'config/ip-rule.md'
     - IP Set: 'config/ip-set.md'
     - IP Alias: 'config/ip-alias.md'
+    - Security Related: 'config/security.md'
     - Forwarding with IPSet: 'config/forwarding-with-ipset.md'
     - Edns Client Subnet: 'config/edns-client-subnet.md'
+    - Bootstrap DNS: 'config/bootstrap-dns.md'
+    - Resolve Local Hostname: 'config/resolv-dnsmasq-lease.md'
   - Configurations: 'configuration.md'
   - Compile: 'compile.md'
   - FAQ: 'faq.md'