
Add evaluate DNS rule action and related rule items #3968

Open
nekohasekai wants to merge 67 commits into testing from evaluate-dns-rule-action

Conversation

@nekohasekai
Member

No description provided.

nekohasekai force-pushed the evaluate-dns-rule-action branch from e5d0b8c to 4cfc1c6 (March 29, 2026 04:32)
nekohasekai force-pushed the testing branch 3 times, most recently from 11a8666 to ebf8a21 (March 30, 2026 16:38)
nekohasekai force-pushed the evaluate-dns-rule-action branch from 2853fc5 to 6a351be (March 30, 2026 23:56)
… response items, deprecated fields at bottom
Legacy DNS address-filter mode still accepts destination-side IP
predicates with a deprecation warning, but the recent evaluate/
match_response refactor started evaluating those predicates during
pre-response Match(). That broke rules whose transport selection must
be deferred until MatchAddressLimit() can inspect the upstream reply.

Restore the old defer behavior by reintroducing an internal
IgnoreDestinationIPCIDRMatch flag on InboundContext and using it only
for legacy pre-response DNS matching. Default and logical DNS rules now
carry the legacy mode bit, set the ignore flag on metadata copies while
performing pre-response Match(), and explicitly clear it again for
match_response and MatchAddressLimit() so response-phase matching still
checks the returned addresses.

Add regression coverage for direct legacy destination-IP rules,
rule_set-backed CIDR rules, logical wrappers, and the legacy Lookup
router path, including fallback after a rejected response. This keeps
legacy configs working without changing new-mode evaluate semantics.

Tests: go test ./route/rule ./dns
Tests: make
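The defer-then-recheck flow this commit describes, shown as an added illustration written for this page rather than code from sing-box: a simplified rule type whose destination-side ip_cidr predicates are skipped in pre-response Match() when the ignore flag is set, and re-checked against the upstream reply in MatchAddressLimit(), with fallback to the next rule when the reply is rejected. InboundContext, LegacyRule, Resolve and the lookup callback are stand-ins assumed for the example, not the project's types or signatures.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// InboundContext is a simplified stand-in (assumption for this example) for the
// per-query metadata a DNS rule inspects; only the fields used here are modelled.
type InboundContext struct {
	Domain string
	// DestinationAddresses holds the addresses from the upstream reply; it is
	// empty during pre-response matching.
	DestinationAddresses []netip.Addr
	// IgnoreDestinationIPCIDRMatch asks Match to treat destination-side IP
	// predicates as satisfied so that transport selection can be deferred.
	IgnoreDestinationIPCIDRMatch bool
}

// LegacyRule pairs domain-suffix predicates with destination-side ip_cidr
// predicates, mirroring a legacy address-filter DNS rule (stand-in type).
type LegacyRule struct {
	DomainSuffixes []string
	IPCIDRs        []netip.Prefix
	Server         string // transport used when the rule matches
}

func (r *LegacyRule) matchDomain(ctx *InboundContext) bool {
	if len(r.DomainSuffixes) == 0 {
		return true
	}
	for _, suffix := range r.DomainSuffixes {
		if strings.HasSuffix(ctx.Domain, suffix) {
			return true
		}
	}
	return false
}

func (r *LegacyRule) matchAddresses(addrs []netip.Addr) bool {
	if len(r.IPCIDRs) == 0 {
		return true
	}
	for _, addr := range addrs {
		for _, prefix := range r.IPCIDRs {
			if prefix.Contains(addr) {
				return true
			}
		}
	}
	return false
}

// Match is the pre-response phase. With the ignore flag set there is no reply
// yet, so destination IP predicates are skipped; otherwise they are evaluated
// against whatever addresses the context already carries.
func (r *LegacyRule) Match(ctx *InboundContext) bool {
	if !r.matchDomain(ctx) {
		return false
	}
	if ctx.IgnoreDestinationIPCIDRMatch {
		return true
	}
	return r.matchAddresses(ctx.DestinationAddresses)
}

// MatchAddressLimit is the response phase: it works on a copy of the context,
// clears the ignore flag, attaches the reply addresses and re-checks ip_cidr.
func (r *LegacyRule) MatchAddressLimit(ctx *InboundContext, reply []netip.Addr) bool {
	copied := *ctx
	copied.IgnoreDestinationIPCIDRMatch = false
	copied.DestinationAddresses = reply
	return r.matchAddresses(copied.DestinationAddresses)
}

// Resolve walks the rules in order: the first pre-response match names a
// transport, that transport is queried (lookup is a stand-in for the upstream
// query), and the reply is accepted only if the rule's address predicates
// accept it; a rejected reply falls through to the next rule.
func Resolve(rules []*LegacyRule, ctx *InboundContext, lookup func(server string) []netip.Addr) (string, []netip.Addr) {
	for _, rule := range rules {
		pre := *ctx
		pre.IgnoreDestinationIPCIDRMatch = true
		if !rule.Match(&pre) {
			continue
		}
		reply := lookup(rule.Server)
		if rule.MatchAddressLimit(ctx, reply) {
			return rule.Server, reply
		}
	}
	return "", nil
}

func main() {
	rules := []*LegacyRule{
		{DomainSuffixes: []string{".example.com"}, IPCIDRs: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}, Server: "local"},
		{DomainSuffixes: []string{".example.com"}, Server: "remote"},
	}
	// Constructed replies: the "local" transport answers with a public address,
	// which rule 0's ip_cidr rejects, so the query falls back to "remote".
	lookup := func(server string) []netip.Addr { return []netip.Addr{netip.MustParseAddr("203.0.113.5")} }
	server, reply := Resolve(rules, &InboundContext{Domain: "www.example.com"}, lookup)
	fmt.Println(server, reply)
}
```

The point of the two phases is that a rule with both domain and ip_cidr items still selects its transport on the domain alone; without the ignore flag the pre-response Match() sees no addresses and the rule never fires.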
Remove SetIncludeAllowed(true) from the DNS record zone parser.
The $INCLUDE directive allows opening arbitrary files via os.Open,
which is unnecessary and dangerous when parsing a single record string
from configuration (especially remote profiles).
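Why the include switch matters for config-sourced input, as an added example written for this page (not sing-box code and not the zone-parsing library it uses; the page does not name that library, though the SetIncludeAllowed method the commit mentions is the one miekg/dns exposes on its ZoneParser). parseZoneText is a deliberately minimal stand-in that follows $INCLUDE by reading a file when includes are enabled; ParseConfigRecord is the hardened entry point that keeps includes off and refuses directives and multi-line input up front. All names are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrIncludeDisabled is returned when $INCLUDE is met while includes are off.
var ErrIncludeDisabled = errors.New("$INCLUDE is not allowed when parsing a single record")

// parseZoneText is a minimal stand-in for a zone parser (not miekg/dns): it
// returns the non-comment record lines and, when includeAllowed is true,
// follows $INCLUDE by reading the named file from disk. That file read is
// driven entirely by the input text, which is the hazard for config strings.
func parseZoneText(text string, includeAllowed bool, depth int) ([]string, error) {
	if depth > 8 {
		return nil, errors.New("$INCLUDE nesting too deep")
	}
	var records []string
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "$INCLUDE") {
			if !includeAllowed {
				return nil, ErrIncludeDisabled
			}
			fields := strings.Fields(line)
			if len(fields) < 2 {
				return nil, errors.New("$INCLUDE without a path")
			}
			data, err := os.ReadFile(fields[1]) // attacker-chosen path when input is untrusted
			if err != nil {
				return nil, err
			}
			nested, err := parseZoneText(string(data), includeAllowed, depth+1)
			if err != nil {
				return nil, err
			}
			records = append(records, nested...)
			continue
		}
		records = append(records, line)
	}
	return records, nil
}

// ParseConfigRecord is the hardened entry point for a single record string
// coming from configuration (possibly a remote profile): includes stay off,
// and any zone directive or multi-line payload is rejected before parsing.
func ParseConfigRecord(text string) (string, error) {
	trimmed := strings.TrimSpace(text)
	if trimmed == "" {
		return "", errors.New("empty record")
	}
	if strings.ContainsAny(trimmed, "\r\n") {
		return "", errors.New("record must be a single line")
	}
	if strings.HasPrefix(trimmed, "$") {
		return "", fmt.Errorf("zone directive %q is not allowed in a record string", strings.Fields(trimmed)[0])
	}
	records, err := parseZoneText(trimmed, false, 0)
	if err != nil {
		return "", err
	}
	if len(records) != 1 {
		return "", errors.New("expected exactly one record")
	}
	return records[0], nil
}

func main() {
	rec, err := ParseConfigRecord("example.com. 300 IN A 192.0.2.1")
	fmt.Println(rec, err)
	_, err = ParseConfigRecord("$INCLUDE /etc/passwd")
	fmt.Println("rejected:", err)
}
```

The explicit directive check in ParseConfigRecord is belt-and-braces: even if a future parser default flips includes back on, a `$`-prefixed record string never reaches it.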

Fix displayRuleIndex arithmetic in dns/router.go that computed
2*index+1 instead of the correct 0-based index. This was a
reintroduction of a bug previously fixed in be8ee37. Both
matchDNS and logRuleMatch now use the index directly, matching
the pattern in route/route.go.
…heck

MatchAddressLimit internally copies metadata and sets DNSResponse,
making the prior assignment in the closure unnecessary.
- Rename nested_action.go to rule_nested_action.go for naming consistency
- Export error message constants from option package to deduplicate
- Fix RuleActionRouteOptions.Descriptions using wrong field for fallback-network-type
- dns/router: add r.closing guard in registerRuleSetCallbacks to
  prevent callback leak when Close() races with Start() in daemon path
- adapter/inbound: validate addr.IsValid() in DNSResponseAddresses
  before appending to guard against zero-RDATA DNS records
- adapter/rule: add evaluate to non-final actions in IsFinalAction
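What the addr.IsValid() guard in the DNSResponseAddresses item above protects against, as an added example written for this page rather than code from sing-box's adapter/inbound package: a record type whose RDATA is empty or truncated converts to a zero netip.Addr, which the unchecked version happily appends and the checked version drops. ResourceRecord, sampleResponse and both function names are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Resource record type codes (RFC 1035 for A, RFC 3596 for AAAA).
const (
	TypeA    uint16 = 1
	TypeAAAA uint16 = 28
)

// ResourceRecord is a minimal stand-in (assumption) for a parsed answer:
// only the type and the raw RDATA bytes matter here.
type ResourceRecord struct {
	Type  uint16
	RData []byte
}

// dnsResponseAddressesUnchecked mirrors the pre-fix shape: every A/AAAA record
// contributes an entry, even when RDATA is empty or truncated, so the result
// can contain a zero (invalid) netip.Addr that later CIDR checks must cope with.
func dnsResponseAddressesUnchecked(records []ResourceRecord) []netip.Addr {
	var addrs []netip.Addr
	for _, rr := range records {
		switch rr.Type {
		case TypeA, TypeAAAA:
			addr, _ := netip.AddrFromSlice(rr.RData) // ok flag ignored
			addrs = append(addrs, addr)
		}
	}
	return addrs
}

// DNSResponseAddresses keeps only addresses that are valid and whose RDATA
// length matches the record type; zero-length or truncated RDATA fails
// AddrFromSlice and is skipped.
func DNSResponseAddresses(records []ResourceRecord) []netip.Addr {
	var addrs []netip.Addr
	for _, rr := range records {
		var want int
		switch rr.Type {
		case TypeA:
			want = 4
		case TypeAAAA:
			want = 16
		default:
			continue
		}
		if len(rr.RData) != want {
			continue
		}
		addr, ok := netip.AddrFromSlice(rr.RData)
		if !ok || !addr.IsValid() {
			continue
		}
		addrs = append(addrs, addr)
	}
	return addrs
}

// sampleResponse is constructed for this example: a normal A record, a normal
// AAAA record, an A record with zero-length RDATA and a truncated A record.
func sampleResponse() []ResourceRecord {
	return []ResourceRecord{
		{Type: TypeA, RData: []byte{192, 0, 2, 10}},
		{Type: TypeAAAA, RData: []byte{0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}},
		{Type: TypeA, RData: nil},
		{Type: TypeA, RData: []byte{192, 0, 2}},
	}
}

func main() {
	fmt.Println("unchecked:", dnsResponseAddressesUnchecked(sampleResponse()))
	fmt.Println("checked:  ", DNSResponseAddresses(sampleResponse()))
}
```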
nekohasekai force-pushed the evaluate-dns-rule-action branch from 439f9ee to 7757a78 (April 1, 2026 08:23)
- Replace dnsRuleModeRequirements 4-tuple return with dnsRuleModeFlags struct
- Eliminate redundant hasDNSRuleActionStrategy tree walk by reusing mode flags from buildRules
- Remove single-field lookupWithRulesResponse wrapper
- Accept fields directly in resolveDNSRoute instead of *RuleActionDNSRoute
- Extract rulesAndMode() helper to deduplicate snapshot unpacking
- Trim verbose RuleSetMetadata comment
Remove all user-facing references to the internal `legacyDNSMode` variable
name. Error messages now reuse the deprecated.Note.MessageWithLink() method
to provide consistent deprecation text with migration URLs. Other internal
jargon ("consume response state", "response_*") is replaced with
user-friendly descriptions.

Add two migration guide entries under 1.14.0: one for strategy → rule items,
one for address filter fields → evaluate with match_response.
Use concrete feature names per design spec: "Legacy Address Filter
Fields", "Legacy `strategy` DNS rule action option", "Legacy
`ip_accept_any` DNS rule item", "Legacy `rule_set_ip_cidr_accept_empty`
DNS rule item" for deprecated features, and "Response Match Fields" for
the new response matching section.
Remove resolveDNSRoute indirection from evaluate action since
evaluate+fakeip is already rejected at build time, making the
dnsRouteStatusSkipped branch dead code. Inline transport lookup
directly instead.

Also remove the context-cancellation early return that was not
part of the design spec, and fix test naming to avoid newMode.
ip_cidr and ip_is_private are Response Match Fields in new mode,
same as response_rcode/answer/ns/extra. Use a single consistent
error message when any of them appear without match_response.
Remove the 754-line boolean satisfiability formula system
(rule_dns_legacy.go) and restore the original IgnoreDestinationIPCIDRMatch
flag for legacy address filter pre-matching. Adding complexity to
optimize a legacy compatibility path is not worthwhile.
nekohasekai force-pushed the testing branch 2 times, most recently from 484b664 to 25052a2 (April 3, 2026 15:02)
