docs(proxy): surface QUIC policy diagnostics

maybeknott · maybeknott · commit e6b6f3874a70 · 2026-05-24T19:51:54.000+03:30
Expose the local QUIC policy decisions added to the SOCKS5 UDP relay so users can tell when fallback steering is active. The desktop traffic panel now shows the number of UDP/443 datagrams dropped by block_quic and the number of DNS HTTPS/SVCB questions answered locally.

Document the behavior in the main guide without expanding the troubleshooting section into a new feature walkthrough. The note explains that block_quic now covers both UDP/443 datagrams and DNS HTTP/3 advertisement hints, causing browsers to fall back to TCP/HTTPS sooner.

Add block_quic to the primary Apps Script and Full Mode TOML examples so new configs make the default traffic policy explicit near the listener and SOCKS settings.
diff --git a/config.example.toml b/config.example.toml
@@ -10,6 +10,8 @@ listen_host = "127.0.0.1"
 listen_port = 8085
 socks5_port = 8086
 verify_ssl = true
+# Suppress QUIC UDP/443 and DNS HTTPS/SVCB hints so browsers fall back to TCP.
+block_quic = true
 
 [network.hosts]
 
diff --git a/config.full.example.toml b/config.full.example.toml
@@ -10,6 +10,8 @@ listen_host = "127.0.0.1"
 listen_port = 8085
 socks5_port = 8086
 verify_ssl = true
+# Suppress QUIC UDP/443 and DNS HTTPS/SVCB hints so browsers fall back to TCP.
+block_quic = true
 
 [network.hosts]
 
diff --git a/docs/guide.md b/docs/guide.md
@@ -317,6 +317,8 @@ Memory footprint ~15–20 MB resident — fine on anything ≥128 MB RAM. No UI
 - **`mhrv-rs test-sni`** — parallel TLS probe of every SNI name in your rotation pool against `google_ip`. Tells you which front-domain names pass through your ISP's DPI. UI has same thing in **SNI pool…** window with checkboxes, per-row **Test** buttons, and **Keep ✓ only** to auto-trim.
 - **Periodic stats** logged every 60 s at `info` level (relay calls, cache hit rate, bytes relayed, active vs blacklisted scripts). UI shows live.
 
+When `block_quic = true`, the SOCKS5 UDP relay drops UDP/443 datagrams and answers DNS HTTPS/SVCB (type 65/64) questions with an empty successful response. Browsers then skip HTTP/3 advertisement and fall back to TCP/HTTPS sooner, without forwarding those QUIC discovery packets through the relay.
+
 ### SNI pool editor
 
 By default, mhrv-rs rotates through `{www, mail, drive, docs, calendar}.google.com` on outbound TLS to your `google_ip`, to avoid fingerprinting one name too heavily. Some may be locally blocked (e.g. `mail.google.com` has been targeted in Iran at various times).
diff --git a/src/bin/ui.rs b/src/bin/ui.rs
@@ -1193,6 +1193,11 @@ impl eframe::App for App {
                         ),
                         ("cache size", format!("{} KB", s.cache_bytes / 1024)),
                         ("bytes relayed", fmt_bytes(s.bytes_relayed)),
+                        ("QUIC drops", s.policy_quic_udp_drops.to_string()),
+                        (
+                            "HTTPS RR",
+                            s.policy_https_rr_suppressed.to_string(),
+                        ),
                         (
                             "active scripts",
                             format!(
