resolve ip for sniffed domain

constant/metadata.go

@@ -156,7 +156,8 @@ type Metadata struct {
 	RawSrcAddr net.Addr `json:"-"`
 	RawDstAddr net.Addr `json:"-"`
 	// Only domain rule
-	SniffHost string `json:"sniffHost"`
+	SniffHost  string     `json:"sniffHost"`
+	SniffDstIP netip.Addr `json:"sniffDestinationIP"`
 }
 
 func (m *Metadata) RemoteAddress() string {

rules/common/ipcidr.go

@@ -37,10 +37,17 @@ func (i *IPCIDR) RuleType() C.RuleType {
 
 func (i *IPCIDR) Match(metadata *C.Metadata) (bool, string) {
 	ip := metadata.DstIP
+
+	var ipsValid bool = true
+	ips := metadata.SniffDstIP
+	if ips.IsValid() {
+		ipsValid = i.ipnet.Contains(ips.WithZone(""))
+	}
+
 	if i.isSourceIP {
 		ip = metadata.SrcIP
 	}
-	return ip.IsValid() && i.ipnet.Contains(ip.WithZone("")), i.adapter
+	return ip.IsValid() && i.ipnet.Contains(ip.WithZone("")) && ipsValid, i.adapter
 }
 
 func (i *IPCIDR) Adapter() string {

tunnel/tunnel.go

@@ -619,6 +619,20 @@ func match(metadata *C.Metadata) (C.Proxy, C.Rule, error) {
 			}()
 		}
 
+		if metadata.SniffHost != "" && !metadata.SniffDstIP.IsValid() && rule.ShouldResolveIP() {
+			func() {
+				ctx, cancel := context.WithTimeout(context.Background(), resolver.DefaultDNSTimeout)
+				defer cancel()
+				ip, err := resolver.ResolveIP(ctx, metadata.SniffHost)
+				if err != nil {
+					log.Debugln("[DNS] resolve sniffed host %s error: %s", metadata.SniffHost, err.Error())
+				} else {
+					log.Debugln("[DNS] sniffed %s --> %s", metadata.SniffHost, ip.String())
+					metadata.SniffDstIP = ip
+				}
+			}()
+		}
+
 		if attemptProcessLookup && !findProcessMode.Off() && (findProcessMode.Always() || rule.ShouldFindProcess()) {
 			attemptProcessLookup = false
 			if !features.CMFA {