build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp

Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go) from 1.31.0 to 1.43.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.31.0...v1.43.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp dependency-version: 1.43.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
tools: Network Quality
2026-04-11 17:47:20 +10:00 · 2026-04-08 19:46:34 +00:00 · 2026-04-08 14:44:14 +08:00 · 2026-04-07 23:39:49 +08:00 · 2026-04-07 23:38:44 +08:00 · 2026-04-07 23:37:48 +08:00
185 changed files with 16583 additions and 1707 deletions
--- a/.github/CRONET_GO_VERSION
+++ b/.github/CRONET_GO_VERSION
@@ -1 +1 @@
-2fef65f9dba90ddb89a87d00a6eb6165487c10c1
+ea7cd33752aed62603775af3df946c1b83f4b0b3
--- a/adapter/certificate/adapter.go
+++ b/adapter/certificate/adapter.go
@@ -0,0 +1,21 @@
+package certificate
+
+type Adapter struct {
+	providerType string
+	providerTag  string
+}
+
+func NewAdapter(providerType string, providerTag string) Adapter {
+	return Adapter{
+		providerType: providerType,
+		providerTag:  providerTag,
+	}
+}
+
+func (a *Adapter) Type() string {
+	return a.providerType
+}
+
+func (a *Adapter) Tag() string {
+	return a.providerTag
+}
--- a/adapter/certificate/manager.go
+++ b/adapter/certificate/manager.go
@@ -0,0 +1,158 @@
+package certificate
+
+import (
+	"context"
+	"os"
+	"sync"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/taskmonitor"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ adapter.CertificateProviderManager = (*Manager)(nil)
+
+type Manager struct {
+	logger        log.ContextLogger
+	registry      adapter.CertificateProviderRegistry
+	access        sync.Mutex
+	started       bool
+	stage         adapter.StartStage
+	providers     []adapter.CertificateProviderService
+	providerByTag map[string]adapter.CertificateProviderService
+}
+
+func NewManager(logger log.ContextLogger, registry adapter.CertificateProviderRegistry) *Manager {
+	return &Manager{
+		logger:        logger,
+		registry:      registry,
+		providerByTag: make(map[string]adapter.CertificateProviderService),
+	}
+}
+
+func (m *Manager) Start(stage adapter.StartStage) error {
+	m.access.Lock()
+	if m.started && m.stage >= stage {
+		panic("already started")
+	}
+	m.started = true
+	m.stage = stage
+	providers := m.providers
+	m.access.Unlock()
+	for _, provider := range providers {
+		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
+		m.logger.Trace(stage, " ", name)
+		startTime := time.Now()
+		err := adapter.LegacyStart(provider, stage)
+		if err != nil {
+			return E.Cause(err, stage, " ", name)
+		}
+		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
+	}
+	return nil
+}
+
+func (m *Manager) Close() error {
+	m.access.Lock()
+	defer m.access.Unlock()
+	if !m.started {
+		return nil
+	}
+	m.started = false
+	providers := m.providers
+	m.providers = nil
+	monitor := taskmonitor.New(m.logger, C.StopTimeout)
+	var err error
+	for _, provider := range providers {
+		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
+		m.logger.Trace("close ", name)
+		startTime := time.Now()
+		monitor.Start("close ", name)
+		err = E.Append(err, provider.Close(), func(err error) error {
+			return E.Cause(err, "close ", name)
+		})
+		monitor.Finish()
+		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
+	}
+	return err
+}
+
+func (m *Manager) CertificateProviders() []adapter.CertificateProviderService {
+	m.access.Lock()
+	defer m.access.Unlock()
+	return m.providers
+}
+
+func (m *Manager) Get(tag string) (adapter.CertificateProviderService, bool) {
+	m.access.Lock()
+	provider, found := m.providerByTag[tag]
+	m.access.Unlock()
+	return provider, found
+}
+
+func (m *Manager) Remove(tag string) error {
+	m.access.Lock()
+	provider, found := m.providerByTag[tag]
+	if !found {
+		m.access.Unlock()
+		return os.ErrInvalid
+	}
+	delete(m.providerByTag, tag)
+	index := common.Index(m.providers, func(it adapter.CertificateProviderService) bool {
+		return it == provider
+	})
+	if index == -1 {
+		panic("invalid certificate provider index")
+	}
+	m.providers = append(m.providers[:index], m.providers[index+1:]...)
+	started := m.started
+	m.access.Unlock()
+	if started {
+		return provider.Close()
+	}
+	return nil
+}
+
+func (m *Manager) Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) error {
+	provider, err := m.registry.Create(ctx, logger, tag, providerType, options)
+	if err != nil {
+		return err
+	}
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.started {
+		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
+		for _, stage := range adapter.ListStartStages {
+			m.logger.Trace(stage, " ", name)
+			startTime := time.Now()
+			err = adapter.LegacyStart(provider, stage)
+			if err != nil {
+				return E.Cause(err, stage, " ", name)
+			}
+			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
+		}
+	}
+	if existsProvider, loaded := m.providerByTag[tag]; loaded {
+		if m.started {
+			err = existsProvider.Close()
+			if err != nil {
+				return E.Cause(err, "close certificate-provider/", existsProvider.Type(), "[", existsProvider.Tag(), "]")
+			}
+		}
+		existsIndex := common.Index(m.providers, func(it adapter.CertificateProviderService) bool {
+			return it == existsProvider
+		})
+		if existsIndex == -1 {
+			panic("invalid certificate provider index")
+		}
+		m.providers = append(m.providers[:existsIndex], m.providers[existsIndex+1:]...)
+	}
+	m.providers = append(m.providers, provider)
+	m.providerByTag[tag] = provider
+	return nil
+}
--- a/adapter/certificate/registry.go
+++ b/adapter/certificate/registry.go
@@ -0,0 +1,72 @@
+package certificate
+
+import (
+	"context"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type ConstructorFunc[T any] func(ctx context.Context, logger log.ContextLogger, tag string, options T) (adapter.CertificateProviderService, error)
+
+func Register[Options any](registry *Registry, providerType string, constructor ConstructorFunc[Options]) {
+	registry.register(providerType, func() any {
+		return new(Options)
+	}, func(ctx context.Context, logger log.ContextLogger, tag string, rawOptions any) (adapter.CertificateProviderService, error) {
+		var options *Options
+		if rawOptions != nil {
+			options = rawOptions.(*Options)
+		}
+		return constructor(ctx, logger, tag, common.PtrValueOrDefault(options))
+	})
+}
+
+var _ adapter.CertificateProviderRegistry = (*Registry)(nil)
+
+type (
+	optionsConstructorFunc func() any
+	constructorFunc        func(ctx context.Context, logger log.ContextLogger, tag string, options any) (adapter.CertificateProviderService, error)
+)
+
+type Registry struct {
+	access      sync.Mutex
+	optionsType map[string]optionsConstructorFunc
+	constructor map[string]constructorFunc
+}
+
+func NewRegistry() *Registry {
+	return &Registry{
+		optionsType: make(map[string]optionsConstructorFunc),
+		constructor: make(map[string]constructorFunc),
+	}
+}
+
+func (m *Registry) CreateOptions(providerType string) (any, bool) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	optionsConstructor, loaded := m.optionsType[providerType]
+	if !loaded {
+		return nil, false
+	}
+	return optionsConstructor(), true
+}
+
+func (m *Registry) Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) (adapter.CertificateProviderService, error) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	constructor, loaded := m.constructor[providerType]
+	if !loaded {
+		return nil, E.New("certificate provider type not found: " + providerType)
+	}
+	return constructor(ctx, logger, tag, options)
+}
+
+func (m *Registry) register(providerType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	m.optionsType[providerType] = optionsConstructor
+	m.constructor[providerType] = constructor
+}
--- a/adapter/certificate_provider.go
+++ b/adapter/certificate_provider.go
@@ -0,0 +1,38 @@
+package adapter
+
+import (
+	"context"
+	"crypto/tls"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+)
+
+type CertificateProvider interface {
+	GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
+}
+
+type ACMECertificateProvider interface {
+	CertificateProvider
+	GetACMENextProtos() []string
+}
+
+type CertificateProviderService interface {
+	Lifecycle
+	Type() string
+	Tag() string
+	CertificateProvider
+}
+
+type CertificateProviderRegistry interface {
+	option.CertificateProviderOptionsRegistry
+	Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) (CertificateProviderService, error)
+}
+
+type CertificateProviderManager interface {
+	Lifecycle
+	CertificateProviders() []CertificateProviderService
+	Get(tag string) (CertificateProviderService, bool)
+	Remove(tag string) error
+	Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) error
+}
--- a/adapter/dns.go
+++ b/adapter/dns.go
@@ -25,8 +25,8 @@ type DNSRouter interface {

 type DNSClient interface {
 	Start()
-	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
-	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
+	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(response *dns.Msg) bool) (*dns.Msg, error)
+	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error)
 	ClearCache()
 }

@@ -72,11 +72,6 @@ type DNSTransport interface {
 	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
 }

-type LegacyDNSTransport interface {
-	LegacyStrategy() C.DomainStrategy
-	LegacyClientSubnet() netip.Prefix
-}
-
 type DNSTransportRegistry interface {
 	option.DNSTransportOptionsRegistry
 	CreateDNSTransport(ctx context.Context, logger log.ContextLogger, tag string, transportType string, options any) (DNSTransport, error)
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -2,6 +2,7 @@ package adapter

 import (
 	"context"
+	"net"
 	"net/netip"
 	"time"

@@ -9,6 +10,8 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
+
+	"github.com/miekg/dns"
 )

 type Inbound interface {
@@ -78,12 +81,16 @@ type InboundContext struct {
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration

-	DestinationAddresses []netip.Addr
-	SourceGeoIPCode      string
-	GeoIPCode            string
-	ProcessInfo          *ConnectionOwner
-	QueryType            uint16
-	FakeIP               bool
+	DestinationAddresses                []netip.Addr
+	DNSResponse                         *dns.Msg
+	DestinationAddressMatchFromResponse bool
+	SourceGeoIPCode                     string
+	GeoIPCode                           string
+	ProcessInfo                         *ConnectionOwner
+	SourceMACAddress                    net.HardwareAddr
+	SourceHostname                      string
+	QueryType                           uint16
+	FakeIP                              bool

 	// rule cache

@@ -112,6 +119,51 @@ func (c *InboundContext) ResetRuleMatchCache() {
 	c.DidMatch = false
 }

+func (c *InboundContext) DNSResponseAddressesForMatch() []netip.Addr {
+	return DNSResponseAddresses(c.DNSResponse)
+}
+
+func DNSResponseAddresses(response *dns.Msg) []netip.Addr {
+	if response == nil || response.Rcode != dns.RcodeSuccess {
+		return nil
+	}
+	addresses := make([]netip.Addr, 0, len(response.Answer))
+	for _, rawRecord := range response.Answer {
+		switch record := rawRecord.(type) {
+		case *dns.A:
+			addr := M.AddrFromIP(record.A)
+			if addr.IsValid() {
+				addresses = append(addresses, addr)
+			}
+		case *dns.AAAA:
+			addr := M.AddrFromIP(record.AAAA)
+			if addr.IsValid() {
+				addresses = append(addresses, addr)
+			}
+		case *dns.HTTPS:
+			for _, value := range record.SVCB.Value {
+				switch hint := value.(type) {
+				case *dns.SVCBIPv4Hint:
+					for _, ip := range hint.Hint {
+						addr := M.AddrFromIP(ip).Unmap()
+						if addr.IsValid() {
+							addresses = append(addresses, addr)
+						}
+					}
+				case *dns.SVCBIPv6Hint:
+					for _, ip := range hint.Hint {
+						addr := M.AddrFromIP(ip)
+						if addr.IsValid() {
+							addresses = append(addresses, addr)
+						}
+					}
+				}
+			}
+		}
+	}
+	return addresses
+}
+
 type inboundContextKey struct{}

 func WithContext(ctx context.Context, inboundContext *InboundContext) context.Context {
--- a/adapter/inbound_test.go
+++ b/adapter/inbound_test.go
@@ -0,0 +1,45 @@
+package adapter
+
+import (
+	"net"
+	"net/netip"
+	"testing"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDNSResponseAddressesUnmapsHTTPSIPv4Hints(t *testing.T) {
+	t.Parallel()
+
+	ipv4Hint := net.ParseIP("1.1.1.1")
+	require.NotNil(t, ipv4Hint)
+
+	response := &dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			Response: true,
+			Rcode:    dns.RcodeSuccess,
+		},
+		Answer: []dns.RR{
+			&dns.HTTPS{
+				SVCB: dns.SVCB{
+					Hdr: dns.RR_Header{
+						Name:   dns.Fqdn("example.com"),
+						Rrtype: dns.TypeHTTPS,
+						Class:  dns.ClassINET,
+						Ttl:    60,
+					},
+					Priority: 1,
+					Target:   ".",
+					Value: []dns.SVCBKeyValue{
+						&dns.SVCBIPv4Hint{Hint: []net.IP{ipv4Hint}},
+					},
+				},
+			},
+		},
+	}
+
+	addresses := DNSResponseAddresses(response)
+	require.Equal(t, []netip.Addr{netip.MustParseAddr("1.1.1.1")}, addresses)
+	require.True(t, addresses[0].Is4())
+}
--- a/adapter/neighbor.go
+++ b/adapter/neighbor.go
@@ -0,0 +1,23 @@
+package adapter
+
+import (
+	"net"
+	"net/netip"
+)
+
+type NeighborEntry struct {
+	Address    netip.Addr
+	MACAddress net.HardwareAddr
+	Hostname   string
+}
+
+type NeighborResolver interface {
+	LookupMAC(address netip.Addr) (net.HardwareAddr, bool)
+	LookupHostname(address netip.Addr) (string, bool)
+	Start() error
+	Close() error
+}
+
+type NeighborUpdateListener interface {
+	UpdateNeighborTable(entries []NeighborEntry)
+}
--- a/adapter/platform.go
+++ b/adapter/platform.go
@@ -36,6 +36,10 @@ type PlatformInterface interface {

 	UsePlatformNotification() bool
 	SendNotification(notification *Notification) error
+
+	UsePlatformNeighborResolver() bool
+	StartNeighborMonitor(listener NeighborUpdateListener) error
+	CloseNeighborMonitor(listener NeighborUpdateListener) error
 }

 type FindConnectionOwnerRequest struct {
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -26,6 +26,8 @@ type Router interface {
 	RuleSet(tag string) (RuleSet, bool)
 	Rules() []Rule
 	NeedFindProcess() bool
+	NeedFindNeighbor() bool
+	NeighborResolver() NeighborResolver
 	AppendTracker(tracker ConnectionTracker)
 	ResetNetwork()
 }
@@ -64,10 +66,16 @@ type RuleSet interface {

 type RuleSetUpdateCallback func(it RuleSet)

+type DNSRuleSetUpdateValidator interface {
+	ValidateRuleSetMetadataUpdate(tag string, metadata RuleSetMetadata) error
+}
+
+// ip_version is not a headless-rule item, so ContainsIPVersionRule is intentionally absent.
 type RuleSetMetadata struct {
-	ContainsProcessRule bool
-	ContainsWIFIRule    bool
-	ContainsIPCIDRRule  bool
+	ContainsProcessRule      bool
+	ContainsWIFIRule         bool
+	ContainsIPCIDRRule       bool
+	ContainsDNSQueryTypeRule bool
 }
 type HTTPStartContext struct {
 	ctx             context.Context
--- a/adapter/rule.go
+++ b/adapter/rule.go
@@ -2,6 +2,8 @@ package adapter

 import (
 	C "github.com/sagernet/sing-box/constant"
+
+	"github.com/miekg/dns"
 )

 type HeadlessRule interface {
@@ -18,8 +20,9 @@ type Rule interface {

 type DNSRule interface {
 	Rule
+	LegacyPreMatch(metadata *InboundContext) bool
 	WithAddressLimit() bool
-	MatchAddressLimit(metadata *InboundContext) bool
+	MatchAddressLimit(metadata *InboundContext, response *dns.Msg) bool
 }

 type RuleAction interface {
@@ -29,7 +32,7 @@ type RuleAction interface {

 func IsFinalAction(action RuleAction) bool {
 	switch action.Type() {
-	case C.RuleActionTypeSniff, C.RuleActionTypeResolve:
+	case C.RuleActionTypeSniff, C.RuleActionTypeResolve, C.RuleActionTypeEvaluate:
 		return false
 	default:
 		return true
--- a/box.go
+++ b/box.go
@@ -9,6 +9,7 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
+	boxCertificate "github.com/sagernet/sing-box/adapter/certificate"
 	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
@@ -37,20 +38,21 @@ import (
 var _ adapter.SimpleLifecycle = (*Box)(nil)

 type Box struct {
-	createdAt       time.Time
-	logFactory      log.Factory
-	logger          log.ContextLogger
-	network         *route.NetworkManager
-	endpoint        *endpoint.Manager
-	inbound         *inbound.Manager
-	outbound        *outbound.Manager
-	service         *boxService.Manager
-	dnsTransport    *dns.TransportManager
-	dnsRouter       *dns.Router
-	connection      *route.ConnectionManager
-	router          *route.Router
-	internalService []adapter.LifecycleService
-	done            chan struct{}
+	createdAt           time.Time
+	logFactory          log.Factory
+	logger              log.ContextLogger
+	network             *route.NetworkManager
+	endpoint            *endpoint.Manager
+	inbound             *inbound.Manager
+	outbound            *outbound.Manager
+	service             *boxService.Manager
+	certificateProvider *boxCertificate.Manager
+	dnsTransport        *dns.TransportManager
+	dnsRouter           *dns.Router
+	connection          *route.ConnectionManager
+	router              *route.Router
+	internalService     []adapter.LifecycleService
+	done                chan struct{}
 }

 type Options struct {
@@ -66,6 +68,7 @@ func Context(
 	endpointRegistry adapter.EndpointRegistry,
 	dnsTransportRegistry adapter.DNSTransportRegistry,
 	serviceRegistry adapter.ServiceRegistry,
+	certificateProviderRegistry adapter.CertificateProviderRegistry,
 ) context.Context {
 	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
 		service.FromContext[adapter.InboundRegistry](ctx) == nil {
@@ -90,6 +93,10 @@ func Context(
 		ctx = service.ContextWith[option.ServiceOptionsRegistry](ctx, serviceRegistry)
 		ctx = service.ContextWith[adapter.ServiceRegistry](ctx, serviceRegistry)
 	}
+	if service.FromContext[adapter.CertificateProviderRegistry](ctx) == nil {
+		ctx = service.ContextWith[option.CertificateProviderOptionsRegistry](ctx, certificateProviderRegistry)
+		ctx = service.ContextWith[adapter.CertificateProviderRegistry](ctx, certificateProviderRegistry)
+	}
 	return ctx
 }

@@ -106,6 +113,7 @@ func New(options Options) (*Box, error) {
 	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
 	dnsTransportRegistry := service.FromContext[adapter.DNSTransportRegistry](ctx)
 	serviceRegistry := service.FromContext[adapter.ServiceRegistry](ctx)
+	certificateProviderRegistry := service.FromContext[adapter.CertificateProviderRegistry](ctx)

 	if endpointRegistry == nil {
 		return nil, E.New("missing endpoint registry in context")
@@ -122,6 +130,9 @@ func New(options Options) (*Box, error) {
 	if serviceRegistry == nil {
 		return nil, E.New("missing service registry in context")
 	}
+	if certificateProviderRegistry == nil {
+		return nil, E.New("missing certificate provider registry in context")
+	}

 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
@@ -160,10 +171,7 @@ func New(options Options) (*Box, error) {

 	var internalServices []adapter.LifecycleService
 	certificateOptions := common.PtrValueOrDefault(options.Certificate)
-	if C.IsAndroid || certificateOptions.Store != "" && certificateOptions.Store != C.CertificateStoreSystem ||
-		len(certificateOptions.Certificate) > 0 ||
-		len(certificateOptions.CertificatePath) > 0 ||
-		len(certificateOptions.CertificateDirectoryPath) > 0 {
+	if C.IsAndroid || C.IsDarwin || certificateOptions.Store != "" {
 		certificateStore, err := certificate.NewStore(ctx, logFactory.NewLogger("certificate"), certificateOptions)
 		if err != nil {
 			return nil, err
@@ -179,13 +187,16 @@ func New(options Options) (*Box, error) {
 	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, endpointManager, routeOptions.Final)
 	dnsTransportManager := dns.NewTransportManager(logFactory.NewLogger("dns/transport"), dnsTransportRegistry, outboundManager, dnsOptions.Final)
 	serviceManager := boxService.NewManager(logFactory.NewLogger("service"), serviceRegistry)
+	certificateProviderManager := boxCertificate.NewManager(logFactory.NewLogger("certificate-provider"), certificateProviderRegistry)
 	service.MustRegister[adapter.EndpointManager](ctx, endpointManager)
 	service.MustRegister[adapter.InboundManager](ctx, inboundManager)
 	service.MustRegister[adapter.OutboundManager](ctx, outboundManager)
 	service.MustRegister[adapter.DNSTransportManager](ctx, dnsTransportManager)
 	service.MustRegister[adapter.ServiceManager](ctx, serviceManager)
+	service.MustRegister[adapter.CertificateProviderManager](ctx, certificateProviderManager)
 	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
 	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
+	service.MustRegister[adapter.DNSRuleSetUpdateValidator](ctx, dnsRouter)
 	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions, dnsOptions)
 	if err != nil {
 		return nil, E.Cause(err, "initialize network manager")
@@ -272,6 +283,24 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize inbound[", i, "]")
 		}
 	}
+	for i, serviceOptions := range options.Services {
+		var tag string
+		if serviceOptions.Tag != "" {
+			tag = serviceOptions.Tag
+		} else {
+			tag = F.ToString(i)
+		}
+		err = serviceManager.Create(
+			ctx,
+			logFactory.NewLogger(F.ToString("service/", serviceOptions.Type, "[", tag, "]")),
+			tag,
+			serviceOptions.Type,
+			serviceOptions.Options,
+		)
+		if err != nil {
+			return nil, E.Cause(err, "initialize service[", i, "]")
+		}
+	}
 	for i, outboundOptions := range options.Outbounds {
 		var tag string
 		if outboundOptions.Tag != "" {
@@ -298,22 +327,22 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize outbound[", i, "]")
 		}
 	}
-	for i, serviceOptions := range options.Services {
+	for i, certificateProviderOptions := range options.CertificateProviders {
 		var tag string
-		if serviceOptions.Tag != "" {
-			tag = serviceOptions.Tag
+		if certificateProviderOptions.Tag != "" {
+			tag = certificateProviderOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
-		err = serviceManager.Create(
+		err = certificateProviderManager.Create(
 			ctx,
-			logFactory.NewLogger(F.ToString("service/", serviceOptions.Type, "[", tag, "]")),
+			logFactory.NewLogger(F.ToString("certificate-provider/", certificateProviderOptions.Type, "[", tag, "]")),
 			tag,
-			serviceOptions.Type,
-			serviceOptions.Options,
+			certificateProviderOptions.Type,
+			certificateProviderOptions.Options,
 		)
 		if err != nil {
-			return nil, E.Cause(err, "initialize service[", i, "]")
+			return nil, E.Cause(err, "initialize certificate provider[", i, "]")
 		}
 	}
 	outboundManager.Initialize(func() (adapter.Outbound, error) {
@@ -383,20 +412,21 @@ func New(options Options) (*Box, error) {
 		internalServices = append(internalServices, adapter.NewLifecycleService(ntpService, "ntp service"))
 	}
 	return &Box{
-		network:         networkManager,
-		endpoint:        endpointManager,
-		inbound:         inboundManager,
-		outbound:        outboundManager,
-		dnsTransport:    dnsTransportManager,
-		service:         serviceManager,
-		dnsRouter:       dnsRouter,
-		connection:      connectionManager,
-		router:          router,
-		createdAt:       createdAt,
-		logFactory:      logFactory,
-		logger:          logFactory.Logger(),
-		internalService: internalServices,
-		done:            make(chan struct{}),
+		network:             networkManager,
+		endpoint:            endpointManager,
+		inbound:             inboundManager,
+		outbound:            outboundManager,
+		dnsTransport:        dnsTransportManager,
+		service:             serviceManager,
+		certificateProvider: certificateProviderManager,
+		dnsRouter:           dnsRouter,
+		connection:          connectionManager,
+		router:              router,
+		createdAt:           createdAt,
+		logFactory:          logFactory,
+		logger:              logFactory.Logger(),
+		internalService:     internalServices,
+		done:                make(chan struct{}),
 	}, nil
 }

@@ -450,11 +480,11 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service, s.certificateProvider)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.network, s.connection, s.router, s.dnsRouter)
 	if err != nil {
 		return err
 	}
@@ -470,11 +500,19 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.endpoint)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.certificateProvider)
+	if err != nil {
+		return err
+	}
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.service)
+	if err != nil {
+		return err
+	}
+	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.endpoint, s.certificateProvider, s.inbound, s.service)
 	if err != nil {
 		return err
 	}
@@ -482,7 +520,7 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.endpoint, s.certificateProvider, s.inbound, s.service)
 	if err != nil {
 		return err
 	}
@@ -506,8 +544,9 @@ func (s *Box) Close() error {
 		service adapter.Lifecycle
 	}{
 		{"service", s.service},
-		{"endpoint", s.endpoint},
 		{"inbound", s.inbound},
+		{"certificate-provider", s.certificateProvider},
+		{"endpoint", s.endpoint},
 		{"outbound", s.outbound},
 		{"router", s.router},
 		{"connection", s.connection},
--- a/cmd/sing-box/cmd_tools_networkquality.go
+++ b/cmd/sing-box/cmd_tools_networkquality.go
@@ -0,0 +1,122 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/sagernet/sing-box/common/networkquality"
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	commandNetworkQualityFlagConfigURL  string
+	commandNetworkQualityFlagSerial     bool
+	commandNetworkQualityFlagMaxRuntime int
+)
+
+var commandNetworkQuality = &cobra.Command{
+	Use:   "networkquality",
+	Short: "Run a network quality test",
+	Run: func(cmd *cobra.Command, args []string) {
+		err := runNetworkQuality()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandNetworkQuality.Flags().StringVar(
+		&commandNetworkQualityFlagConfigURL,
+		"config-url", "",
+		"Network quality test config URL (default: Apple mensura)",
+	)
+	commandNetworkQuality.Flags().BoolVar(
+		&commandNetworkQualityFlagSerial,
+		"serial", false,
+		"Run download and upload tests sequentially instead of in parallel",
+	)
+	commandNetworkQuality.Flags().IntVar(
+		&commandNetworkQualityFlagMaxRuntime,
+		"max-runtime", int(networkquality.DefaultMaxRuntime/time.Second),
+		"Network quality maximum runtime in seconds",
+	)
+	commandTools.AddCommand(commandNetworkQuality)
+}
+
+func runNetworkQuality() error {
+	instance, err := createPreStartedClient()
+	if err != nil {
+		return err
+	}
+	defer instance.Close()
+
+	dialer, err := createDialer(instance, commandToolsFlagOutbound)
+	if err != nil {
+		return err
+	}
+
+	httpClient := networkquality.NewHTTPClient(dialer)
+	defer httpClient.CloseIdleConnections()
+
+	fmt.Fprintln(os.Stderr, "==== NETWORK QUALITY TEST ====")
+
+	result, err := networkquality.Run(networkquality.Options{
+		ConfigURL:  commandNetworkQualityFlagConfigURL,
+		HTTPClient: httpClient,
+		Serial:     commandNetworkQualityFlagSerial,
+		MaxRuntime: time.Duration(commandNetworkQualityFlagMaxRuntime) * time.Second,
+		Context:    globalCtx,
+		OnProgress: func(p networkquality.Progress) {
+			if !commandNetworkQualityFlagSerial && p.Phase != networkquality.PhaseIdle {
+				fmt.Fprintf(os.Stderr, "\rDownload: %s  RPM: %d  Upload: %s  RPM: %d",
+					formatBitrate(p.DownloadCapacity), p.DownloadRPM,
+					formatBitrate(p.UploadCapacity), p.UploadRPM)
+				return
+			}
+			switch networkquality.Phase(p.Phase) {
+			case networkquality.PhaseIdle:
+				if p.IdleLatencyMs > 0 {
+					fmt.Fprintf(os.Stderr, "\rIdle Latency: %d ms", p.IdleLatencyMs)
+				} else {
+					fmt.Fprint(os.Stderr, "\rMeasuring idle latency...")
+				}
+			case networkquality.PhaseDownload:
+				fmt.Fprintf(os.Stderr, "\rDownload: %s  RPM: %d",
+					formatBitrate(p.DownloadCapacity), p.DownloadRPM)
+			case networkquality.PhaseUpload:
+				fmt.Fprintf(os.Stderr, "\rUpload: %s  RPM: %d",
+					formatBitrate(p.UploadCapacity), p.UploadRPM)
+			}
+		},
+	})
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintln(os.Stderr)
+	fmt.Fprintln(os.Stderr, strings.Repeat("-", 40))
+	fmt.Fprintf(os.Stderr, "Idle Latency:            %d ms\n", result.IdleLatencyMs)
+	fmt.Fprintf(os.Stderr, "Download Capacity:       %-20s Accuracy: %s\n", formatBitrate(result.DownloadCapacity), result.DownloadCapacityAccuracy)
+	fmt.Fprintf(os.Stderr, "Upload Capacity:         %-20s Accuracy: %s\n", formatBitrate(result.UploadCapacity), result.UploadCapacityAccuracy)
+	fmt.Fprintf(os.Stderr, "Download Responsiveness: %-20s Accuracy: %s\n", fmt.Sprintf("%d RPM", result.DownloadRPM), result.DownloadRPMAccuracy)
+	fmt.Fprintf(os.Stderr, "Upload Responsiveness:   %-20s Accuracy: %s\n", fmt.Sprintf("%d RPM", result.UploadRPM), result.UploadRPMAccuracy)
+	return nil
+}
+
+func formatBitrate(bps int64) string {
+	switch {
+	case bps >= 1_000_000_000:
+		return fmt.Sprintf("%.1f Gbps", float64(bps)/1_000_000_000)
+	case bps >= 1_000_000:
+		return fmt.Sprintf("%.1f Mbps", float64(bps)/1_000_000)
+	case bps >= 1_000:
+		return fmt.Sprintf("%.1f Kbps", float64(bps)/1_000)
+	default:
+		return fmt.Sprintf("%d bps", bps)
+	}
+}
--- a/common/networkquality/http.go
+++ b/common/networkquality/http.go
@@ -0,0 +1,109 @@
+package networkquality
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"strings"
+
+	C "github.com/sagernet/sing-box/constant"
+	sBufio "github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+// NewHTTPClient creates an http.Client that dials through the given dialer.
+// The dialer should already handle DNS resolution if needed.
+func NewHTTPClient(dialer N.Dialer) *http.Client {
+	transport := &http.Transport{
+		ForceAttemptHTTP2:   true,
+		TLSHandshakeTimeout: C.TCPTimeout,
+	}
+	if dialer != nil {
+		transport.DialContext = func(ctx context.Context, network string, addr string) (net.Conn, error) {
+			return dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+		}
+	}
+	return &http.Client{Transport: transport}
+}
+
+func baseTransportFromClient(client *http.Client) (*http.Transport, error) {
+	if client == nil {
+		return nil, E.New("http client is nil")
+	}
+	if client.Transport == nil {
+		return http.DefaultTransport.(*http.Transport).Clone(), nil
+	}
+	transport, ok := client.Transport.(*http.Transport)
+	if !ok {
+		return nil, E.New("http client transport must be *http.Transport")
+	}
+	return transport.Clone(), nil
+}
+
+func newMeasurementClient(
+	baseClient *http.Client,
+	connectEndpoint string,
+	singleConnection bool,
+	disableKeepAlives bool,
+	readCounters []N.CountFunc,
+	writeCounters []N.CountFunc,
+) (*http.Client, error) {
+	transport, err := baseTransportFromClient(baseClient)
+	if err != nil {
+		return nil, err
+	}
+	transport.DisableCompression = true
+	transport.DisableKeepAlives = disableKeepAlives
+	if singleConnection {
+		transport.MaxConnsPerHost = 1
+		transport.MaxIdleConnsPerHost = 1
+		transport.MaxIdleConns = 1
+	}
+
+	baseDialContext := transport.DialContext
+	if baseDialContext == nil {
+		dialer := &net.Dialer{}
+		baseDialContext = dialer.DialContext
+	}
+	connectEndpoint = strings.TrimSpace(connectEndpoint)
+	transport.DialContext = func(ctx context.Context, network string, addr string) (net.Conn, error) {
+		dialAddr := addr
+		if connectEndpoint != "" {
+			dialAddr = rewriteDialAddress(addr, connectEndpoint)
+		}
+		conn, dialErr := baseDialContext(ctx, network, dialAddr)
+		if dialErr != nil {
+			return nil, dialErr
+		}
+		if len(readCounters) > 0 || len(writeCounters) > 0 {
+			return sBufio.NewCounterConn(conn, readCounters, writeCounters), nil
+		}
+		return conn, nil
+	}
+
+	return &http.Client{
+		Transport:     transport,
+		CheckRedirect: baseClient.CheckRedirect,
+		Jar:           baseClient.Jar,
+		Timeout:       baseClient.Timeout,
+	}, nil
+}
+
+func rewriteDialAddress(addr string, connectEndpoint string) string {
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		return addr
+	}
+	endpointHost, endpointPort, err := net.SplitHostPort(connectEndpoint)
+	if err == nil {
+		host = endpointHost
+		if endpointPort != "" {
+			port = endpointPort
+		}
+	} else if connectEndpoint != "" {
+		host = connectEndpoint
+	}
+	return net.JoinHostPort(host, port)
+}
--- a/common/networkquality/networkquality.go
+++ b/common/networkquality/networkquality.go
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -38,37 +38,6 @@ func (w *acmeWrapper) Close() error {
 	return nil
 }

-type acmeLogWriter struct {
-	logger logger.Logger
-}
-
-func (w *acmeLogWriter) Write(p []byte) (n int, err error) {
-	logLine := strings.ReplaceAll(string(p), "	", ": ")
-	switch {
-	case strings.HasPrefix(logLine, "error: "):
-		w.logger.Error(logLine[7:])
-	case strings.HasPrefix(logLine, "warn: "):
-		w.logger.Warn(logLine[6:])
-	case strings.HasPrefix(logLine, "info: "):
-		w.logger.Info(logLine[6:])
-	case strings.HasPrefix(logLine, "debug: "):
-		w.logger.Debug(logLine[7:])
-	default:
-		w.logger.Debug(logLine)
-	}
-	return len(p), nil
-}
-
-func (w *acmeLogWriter) Sync() error {
-	return nil
-}
-
-func encoderConfig() zapcore.EncoderConfig {
-	config := zap.NewProductionEncoderConfig()
-	config.TimeKey = zapcore.OmitKey
-	return config
-}
-
 func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
 	var acmeServer string
 	switch options.Provider {
@@ -91,8 +60,8 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		storage = certmagic.Default.Storage
 	}
 	zapLogger := zap.New(zapcore.NewCore(
-		zapcore.NewConsoleEncoder(encoderConfig()),
-		&acmeLogWriter{logger: logger},
+		zapcore.NewConsoleEncoder(ACMEEncoderConfig()),
+		&ACMELogWriter{Logger: logger},
 		zap.DebugLevel,
 	))
 	config := &certmagic.Config{
@@ -158,7 +127,7 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 	} else {
 		tlsConfig = &tls.Config{
 			GetCertificate: config.GetCertificate,
-			NextProtos:     []string{ACMETLS1Protocol},
+			NextProtos:     []string{C.ACMETLS1Protocol},
 		}
 	}
 	return tlsConfig, &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
--- a/common/tls/acme_logger.go
+++ b/common/tls/acme_logger.go
@@ -0,0 +1,41 @@
+package tls
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing/common/logger"
+
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+)
+
+type ACMELogWriter struct {
+	Logger logger.Logger
+}
+
+func (w *ACMELogWriter) Write(p []byte) (n int, err error) {
+	logLine := strings.ReplaceAll(string(p), "	", ": ")
+	switch {
+	case strings.HasPrefix(logLine, "error: "):
+		w.Logger.Error(logLine[7:])
+	case strings.HasPrefix(logLine, "warn: "):
+		w.Logger.Warn(logLine[6:])
+	case strings.HasPrefix(logLine, "info: "):
+		w.Logger.Info(logLine[6:])
+	case strings.HasPrefix(logLine, "debug: "):
+		w.Logger.Debug(logLine[7:])
+	default:
+		w.Logger.Debug(logLine)
+	}
+	return len(p), nil
+}
+
+func (w *ACMELogWriter) Sync() error {
+	return nil
+}
+
+func ACMEEncoderConfig() zapcore.EncoderConfig {
+	config := zap.NewProductionEncoderConfig()
+	config.TimeKey = zapcore.OmitKey
+	return config
+}
--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@@ -32,6 +32,10 @@ type RealityServerConfig struct {
 func NewRealityServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
 	var tlsConfig utls.RealityConfig

+	if options.CertificateProvider != nil {
+		return nil, E.New("certificate_provider is unavailable in reality")
+	}
+	//nolint:staticcheck
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in reality")
 	}
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -13,19 +13,87 @@ import (
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
+	"github.com/sagernet/sing/service"
 )

 var errInsecureUnused = E.New("tls: insecure unused")

+type managedCertificateProvider interface {
+	adapter.CertificateProvider
+	adapter.SimpleLifecycle
+}
+
+type sharedCertificateProvider struct {
+	tag      string
+	manager  adapter.CertificateProviderManager
+	provider adapter.CertificateProviderService
+}
+
+func (p *sharedCertificateProvider) Start() error {
+	provider, found := p.manager.Get(p.tag)
+	if !found {
+		return E.New("certificate provider not found: ", p.tag)
+	}
+	p.provider = provider
+	return nil
+}
+
+func (p *sharedCertificateProvider) Close() error {
+	return nil
+}
+
+func (p *sharedCertificateProvider) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	return p.provider.GetCertificate(hello)
+}
+
+func (p *sharedCertificateProvider) GetACMENextProtos() []string {
+	return getACMENextProtos(p.provider)
+}
+
+type inlineCertificateProvider struct {
+	provider adapter.CertificateProviderService
+}
+
+func (p *inlineCertificateProvider) Start() error {
+	for _, stage := range adapter.ListStartStages {
+		err := adapter.LegacyStart(p.provider, stage)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (p *inlineCertificateProvider) Close() error {
+	return p.provider.Close()
+}
+
+func (p *inlineCertificateProvider) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	return p.provider.GetCertificate(hello)
+}
+
+func (p *inlineCertificateProvider) GetACMENextProtos() []string {
+	return getACMENextProtos(p.provider)
+}
+
+func getACMENextProtos(provider adapter.CertificateProvider) []string {
+	if acmeProvider, isACME := provider.(adapter.ACMECertificateProvider); isACME {
+		return acmeProvider.GetACMENextProtos()
+	}
+	return nil
+}
+
 type STDServerConfig struct {
 	access                sync.RWMutex
 	config                *tls.Config
 	logger                log.Logger
+	certificateProvider   managedCertificateProvider
 	acmeService           adapter.SimpleLifecycle
 	certificate           []byte
 	key                   []byte
@@ -53,18 +121,17 @@ func (c *STDServerConfig) SetServerName(serverName string) {
 func (c *STDServerConfig) NextProtos() []string {
 	c.access.RLock()
 	defer c.access.RUnlock()
-	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
+	if c.hasACMEALPN() && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == C.ACMETLS1Protocol {
 		return c.config.NextProtos[1:]
-	} else {
-		return c.config.NextProtos
 	}
+	return c.config.NextProtos
 }

 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.access.Lock()
 	defer c.access.Unlock()
 	config := c.config.Clone()
-	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
+	if c.hasACMEALPN() && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == C.ACMETLS1Protocol {
 		config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
 	} else {
 		config.NextProtos = nextProto
@@ -72,6 +139,18 @@ func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.config = config
 }

+func (c *STDServerConfig) hasACMEALPN() bool {
+	if c.acmeService != nil {
+		return true
+	}
+	if c.certificateProvider != nil {
+		if acmeProvider, isACME := c.certificateProvider.(adapter.ACMECertificateProvider); isACME {
+			return len(acmeProvider.GetACMENextProtos()) > 0
+		}
+	}
+	return false
+}
+
 func (c *STDServerConfig) STDConfig() (*STDConfig, error) {
 	return c.config, nil
 }
@@ -91,15 +170,39 @@ func (c *STDServerConfig) Clone() Config {
 }

 func (c *STDServerConfig) Start() error {
-	if c.acmeService != nil {
-		return c.acmeService.Start()
-	} else {
-		err := c.startWatcher()
+	if c.certificateProvider != nil {
+		err := c.certificateProvider.Start()
 		if err != nil {
-			c.logger.Warn("create fsnotify watcher: ", err)
+			return err
+		}
+		if acmeProvider, isACME := c.certificateProvider.(adapter.ACMECertificateProvider); isACME {
+			nextProtos := acmeProvider.GetACMENextProtos()
+			if len(nextProtos) > 0 {
+				c.access.Lock()
+				config := c.config.Clone()
+				mergedNextProtos := append([]string{}, nextProtos...)
+				for _, nextProto := range config.NextProtos {
+					if !common.Contains(mergedNextProtos, nextProto) {
+						mergedNextProtos = append(mergedNextProtos, nextProto)
+					}
+				}
+				config.NextProtos = mergedNextProtos
+				c.config = config
+				c.access.Unlock()
+			}
 		}
-		return nil
 	}
+	if c.acmeService != nil {
+		err := c.acmeService.Start()
+		if err != nil {
+			return err
+		}
+	}
+	err := c.startWatcher()
+	if err != nil {
+		c.logger.Warn("create fsnotify watcher: ", err)
+	}
+	return nil
 }

 func (c *STDServerConfig) startWatcher() error {
@@ -203,23 +306,34 @@ func (c *STDServerConfig) certificateUpdated(path string) error {
 }

 func (c *STDServerConfig) Close() error {
-	if c.acmeService != nil {
-		return c.acmeService.Close()
-	}
-	if c.watcher != nil {
-		return c.watcher.Close()
-	}
-	return nil
+	return common.Close(c.certificateProvider, c.acmeService, c.watcher)
 }

 func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
+	//nolint:staticcheck
+	if options.CertificateProvider != nil && options.ACME != nil {
+		return nil, E.New("certificate_provider and acme are mutually exclusive")
+	}
 	var tlsConfig *tls.Config
+	var certificateProvider managedCertificateProvider
 	var acmeService adapter.SimpleLifecycle
 	var err error
-	if options.ACME != nil && len(options.ACME.Domain) > 0 {
+	if options.CertificateProvider != nil {
+		certificateProvider, err = newCertificateProvider(ctx, logger, options.CertificateProvider)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig = &tls.Config{
+			GetCertificate: certificateProvider.GetCertificate,
+		}
+		if options.Insecure {
+			return nil, errInsecureUnused
+		}
+	} else if options.ACME != nil && len(options.ACME.Domain) > 0 { //nolint:staticcheck
+		deprecated.Report(ctx, deprecated.OptionInlineACME)
 		//nolint:staticcheck
 		tlsConfig, acmeService, err = startACME(ctx, logger, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
@@ -272,7 +386,7 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 		certificate []byte
 		key         []byte
 	)
-	if acmeService == nil {
+	if certificateProvider == nil && acmeService == nil {
 		if len(options.Certificate) > 0 {
 			certificate = []byte(strings.Join(options.Certificate, "\n"))
 		} else if options.CertificatePath != "" {
@@ -360,6 +474,7 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 	serverConfig := &STDServerConfig{
 		config:                tlsConfig,
 		logger:                logger,
+		certificateProvider:   certificateProvider,
 		acmeService:           acmeService,
 		certificate:           certificate,
 		key:                   key,
@@ -369,8 +484,8 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 		echKeyPath:            echKeyPath,
 	}
 	serverConfig.config.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
-		serverConfig.access.Lock()
-		defer serverConfig.access.Unlock()
+		serverConfig.access.RLock()
+		defer serverConfig.access.RUnlock()
 		return serverConfig.config, nil
 	}
 	var config ServerConfig = serverConfig
@@ -387,3 +502,27 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 	}
 	return config, nil
 }
+
+func newCertificateProvider(ctx context.Context, logger log.ContextLogger, options *option.CertificateProviderOptions) (managedCertificateProvider, error) {
+	if options.IsShared() {
+		manager := service.FromContext[adapter.CertificateProviderManager](ctx)
+		if manager == nil {
+			return nil, E.New("missing certificate provider manager in context")
+		}
+		return &sharedCertificateProvider{
+			tag:     options.Tag,
+			manager: manager,
+		}, nil
+	}
+	registry := service.FromContext[adapter.CertificateProviderRegistry](ctx)
+	if registry == nil {
+		return nil, E.New("missing certificate provider registry in context")
+	}
+	provider, err := registry.Create(ctx, logger, "", options.Type, options.Options)
+	if err != nil {
+		return nil, E.Cause(err, "create inline certificate provider")
+	}
+	return &inlineCertificateProvider{
+		provider: provider,
+	}, nil
+}
--- a/constant/dns.go
+++ b/constant/dns.go
@@ -15,19 +15,18 @@ const (
 )

 const (
-	DNSTypeLegacy      = "legacy"
-	DNSTypeLegacyRcode = "legacy_rcode"
-	DNSTypeUDP         = "udp"
-	DNSTypeTCP         = "tcp"
-	DNSTypeTLS         = "tls"
-	DNSTypeHTTPS       = "https"
-	DNSTypeQUIC        = "quic"
-	DNSTypeHTTP3       = "h3"
-	DNSTypeLocal       = "local"
-	DNSTypeHosts       = "hosts"
-	DNSTypeFakeIP      = "fakeip"
-	DNSTypeDHCP        = "dhcp"
-	DNSTypeTailscale   = "tailscale"
+	DNSTypeLegacy    = "legacy"
+	DNSTypeUDP       = "udp"
+	DNSTypeTCP       = "tcp"
+	DNSTypeTLS       = "tls"
+	DNSTypeHTTPS     = "https"
+	DNSTypeQUIC      = "quic"
+	DNSTypeHTTP3     = "h3"
+	DNSTypeLocal     = "local"
+	DNSTypeHosts     = "hosts"
+	DNSTypeFakeIP    = "fakeip"
+	DNSTypeDHCP      = "dhcp"
+	DNSTypeTailscale = "tailscale"
 )

 const (
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -1,36 +1,38 @@
 package constant

 const (
-	TypeTun          = "tun"
-	TypeRedirect     = "redirect"
-	TypeTProxy       = "tproxy"
-	TypeDirect       = "direct"
-	TypeBlock        = "block"
-	TypeDNS          = "dns"
-	TypeSOCKS        = "socks"
-	TypeHTTP         = "http"
-	TypeMixed        = "mixed"
-	TypeShadowsocks  = "shadowsocks"
-	TypeVMess        = "vmess"
-	TypeTrojan       = "trojan"
-	TypeNaive        = "naive"
-	TypeWireGuard    = "wireguard"
-	TypeHysteria     = "hysteria"
-	TypeTor          = "tor"
-	TypeSSH          = "ssh"
-	TypeShadowTLS    = "shadowtls"
-	TypeAnyTLS       = "anytls"
-	TypeShadowsocksR = "shadowsocksr"
-	TypeVLESS        = "vless"
-	TypeTUIC         = "tuic"
-	TypeHysteria2    = "hysteria2"
-	TypeTailscale    = "tailscale"
-	TypeDERP         = "derp"
-	TypeResolved     = "resolved"
-	TypeSSMAPI       = "ssm-api"
-	TypeCCM          = "ccm"
-	TypeOCM          = "ocm"
-	TypeOOMKiller    = "oom-killer"
+	TypeTun                = "tun"
+	TypeRedirect           = "redirect"
+	TypeTProxy             = "tproxy"
+	TypeDirect             = "direct"
+	TypeBlock              = "block"
+	TypeDNS                = "dns"
+	TypeSOCKS              = "socks"
+	TypeHTTP               = "http"
+	TypeMixed              = "mixed"
+	TypeShadowsocks        = "shadowsocks"
+	TypeVMess              = "vmess"
+	TypeTrojan             = "trojan"
+	TypeNaive              = "naive"
+	TypeWireGuard          = "wireguard"
+	TypeHysteria           = "hysteria"
+	TypeTor                = "tor"
+	TypeSSH                = "ssh"
+	TypeShadowTLS          = "shadowtls"
+	TypeAnyTLS             = "anytls"
+	TypeShadowsocksR       = "shadowsocksr"
+	TypeVLESS              = "vless"
+	TypeTUIC               = "tuic"
+	TypeHysteria2          = "hysteria2"
+	TypeTailscale          = "tailscale"
+	TypeDERP               = "derp"
+	TypeResolved           = "resolved"
+	TypeSSMAPI             = "ssm-api"
+	TypeCCM                = "ccm"
+	TypeOCM                = "ocm"
+	TypeOOMKiller          = "oom-killer"
+	TypeACME               = "acme"
+	TypeCloudflareOriginCA = "cloudflare-origin-ca"
 )

 const (
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -29,6 +29,8 @@ const (
 const (
 	RuleActionTypeRoute        = "route"
 	RuleActionTypeRouteOptions = "route-options"
+	RuleActionTypeEvaluate     = "evaluate"
+	RuleActionTypeRespond      = "respond"
 	RuleActionTypeDirect       = "direct"
 	RuleActionTypeBypass       = "bypass"
 	RuleActionTypeReject       = "reject"
--- a/common/tls/acme_contstant.go
+++ b/common/tls/acme_contstant.go
@@ -1,3 +1,3 @@
-package tls
+package constant

 const ACMETLS1Protocol = "acme-tls/1"
--- a/daemon/instance.go
+++ b/daemon/instance.go
@@ -87,12 +87,17 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 			}
 		}
 	}
-	if s.oomKiller && C.IsIos {
+	if s.oomKillerEnabled {
 		if !common.Any(options.Services, func(it option.Service) bool {
 			return it.Type == C.TypeOOMKiller
 		}) {
+			oomOptions := &option.OOMKillerServiceOptions{
+				KillerDisabled:      s.oomKillerDisabled,
+				MemoryLimitOverride: s.oomMemoryLimit,
+			}
 			options.Services = append(options.Services, option.Service{
-				Type: C.TypeOOMKiller,
+				Type:    C.TypeOOMKiller,
+				Options: oomOptions,
 			})
 		}
 	}
--- a/daemon/platform.go
+++ b/daemon/platform.go
@@ -5,5 +5,6 @@ type PlatformHandler interface {
 	ServiceReload() error
 	SystemProxyStatus() (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(enabled bool) error
+	TriggerNativeCrash() error
 	WriteDebugMessage(message string)
 }
--- a/daemon/started_service.go
+++ b/daemon/started_service.go
@@ -8,12 +8,15 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
+	"github.com/sagernet/sing-box/common/networkquality"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/protocol/group"
+	"github.com/sagernet/sing-box/service/oomkiller"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/batch"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -24,6 +27,8 @@ import (

 	"github.com/gofrs/uuid/v5"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"
 )

@@ -32,10 +37,12 @@ var _ StartedServiceServer = (*StartedService)(nil)
 type StartedService struct {
 	ctx context.Context
 	// platform adapter.PlatformInterface
-	handler     PlatformHandler
-	debug       bool
-	logMaxLines int
-	oomKiller   bool
+	handler           PlatformHandler
+	debug             bool
+	logMaxLines       int
+	oomKillerEnabled  bool
+	oomKillerDisabled bool
+	oomMemoryLimit    uint64
 	// workingDirectory string
 	// tempDirectory    string
 	// userID           int
@@ -64,10 +71,12 @@ type StartedService struct {
 type ServiceOptions struct {
 	Context context.Context
 	// Platform           adapter.PlatformInterface
-	Handler     PlatformHandler
-	Debug       bool
-	LogMaxLines int
-	OOMKiller   bool
+	Handler           PlatformHandler
+	Debug             bool
+	LogMaxLines       int
+	OOMKillerEnabled  bool
+	OOMKillerDisabled bool
+	OOMMemoryLimit    uint64
 	// WorkingDirectory   string
 	// TempDirectory      string
 	// UserID             int
@@ -79,10 +88,12 @@ func NewStartedService(options ServiceOptions) *StartedService {
 	s := &StartedService{
 		ctx: options.Context,
 		// platform:                options.Platform,
-		handler:     options.Handler,
-		debug:       options.Debug,
-		logMaxLines: options.LogMaxLines,
-		oomKiller:   options.OOMKiller,
+		handler:           options.Handler,
+		debug:             options.Debug,
+		logMaxLines:       options.LogMaxLines,
+		oomKillerEnabled:  options.OOMKillerEnabled,
+		oomKillerDisabled: options.OOMKillerDisabled,
+		oomMemoryLimit:    options.OOMMemoryLimit,
 		// workingDirectory: options.WorkingDirectory,
 		// tempDirectory:    options.TempDirectory,
 		// userID:           options.UserID,
@@ -685,6 +696,41 @@ func (s *StartedService) SetSystemProxyEnabled(ctx context.Context, request *Set
 	return nil, err
 }

+func (s *StartedService) TriggerDebugCrash(ctx context.Context, request *DebugCrashRequest) (*emptypb.Empty, error) {
+	if !s.debug {
+		return nil, status.Error(codes.PermissionDenied, "debug crash trigger unavailable")
+	}
+	if request == nil {
+		return nil, status.Error(codes.InvalidArgument, "missing debug crash request")
+	}
+	switch request.Type {
+	case DebugCrashRequest_GO:
+		time.AfterFunc(200*time.Millisecond, func() {
+			panic("debug go crash")
+		})
+	case DebugCrashRequest_NATIVE:
+		err := s.handler.TriggerNativeCrash()
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return nil, status.Error(codes.InvalidArgument, "unknown debug crash type")
+	}
+	return &emptypb.Empty{}, nil
+}
+
+func (s *StartedService) TriggerOOMReport(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error) {
+	instance := s.Instance()
+	if instance == nil {
+		return nil, status.Error(codes.FailedPrecondition, "service not started")
+	}
+	reporter := service.FromContext[oomkiller.OOMReporter](instance.ctx)
+	if reporter == nil {
+		return nil, status.Error(codes.Unavailable, "OOM reporter not available")
+	}
+	return &emptypb.Empty{}, reporter.WriteReport(memory.Total())
+}
+
 func (s *StartedService) SubscribeConnections(request *SubscribeConnectionsRequest, server grpc.ServerStreamingServer[ConnectionEvents]) error {
 	err := s.waitForStarted(server.Context())
 	if err != nil {
@@ -1019,9 +1065,12 @@ func (s *StartedService) GetDeprecatedWarnings(ctx context.Context, empty *empty
 	return &DeprecatedWarnings{
 		Warnings: common.Map(notes, func(it deprecated.Note) *DeprecatedWarning {
 			return &DeprecatedWarning{
-				Message:       it.Message(),
-				Impending:     it.Impending(),
-				MigrationLink: it.MigrationLink,
+				Message:           it.Message(),
+				Impending:         it.Impending(),
+				MigrationLink:     it.MigrationLink,
+				Description:       it.Description,
+				DeprecatedVersion: it.DeprecatedVersion,
+				ScheduledVersion:  it.ScheduledVersion,
 			}
 		}),
 	}, nil
@@ -1033,6 +1082,149 @@ func (s *StartedService) GetStartedAt(ctx context.Context, empty *emptypb.Empty)
 	return &StartedAt{StartedAt: s.startedAt.UnixMilli()}, nil
 }

+func (s *StartedService) ListOutbounds(ctx context.Context, _ *emptypb.Empty) (*OutboundList, error) {
+	s.serviceAccess.RLock()
+	if s.serviceStatus.Status != ServiceStatus_STARTED {
+		s.serviceAccess.RUnlock()
+		return nil, os.ErrInvalid
+	}
+	boxService := s.instance
+	s.serviceAccess.RUnlock()
+	historyStorage := boxService.urlTestHistoryStorage
+	outbounds := boxService.instance.Outbound().Outbounds()
+	var list OutboundList
+	for _, ob := range outbounds {
+		item := &GroupItem{
+			Tag:  ob.Tag(),
+			Type: ob.Type(),
+		}
+		if history := historyStorage.LoadURLTestHistory(adapter.OutboundTag(ob)); history != nil {
+			item.UrlTestTime = history.Time.Unix()
+			item.UrlTestDelay = int32(history.Delay)
+		}
+		list.Outbounds = append(list.Outbounds, item)
+	}
+	return &list, nil
+}
+
+func (s *StartedService) SubscribeOutbounds(_ *emptypb.Empty, server grpc.ServerStreamingServer[OutboundList]) error {
+	err := s.waitForStarted(server.Context())
+	if err != nil {
+		return err
+	}
+	subscription, done, err := s.urlTestObserver.Subscribe()
+	if err != nil {
+		return err
+	}
+	defer s.urlTestObserver.UnSubscribe(subscription)
+	for {
+		s.serviceAccess.RLock()
+		if s.serviceStatus.Status != ServiceStatus_STARTED {
+			s.serviceAccess.RUnlock()
+			return os.ErrInvalid
+		}
+		boxService := s.instance
+		s.serviceAccess.RUnlock()
+		historyStorage := boxService.urlTestHistoryStorage
+		outbounds := boxService.instance.Outbound().Outbounds()
+		var list OutboundList
+		for _, ob := range outbounds {
+			item := &GroupItem{
+				Tag:  ob.Tag(),
+				Type: ob.Type(),
+			}
+			if history := historyStorage.LoadURLTestHistory(adapter.OutboundTag(ob)); history != nil {
+				item.UrlTestTime = history.Time.Unix()
+				item.UrlTestDelay = int32(history.Delay)
+			}
+			list.Outbounds = append(list.Outbounds, item)
+		}
+		err = server.Send(&list)
+		if err != nil {
+			return err
+		}
+		select {
+		case <-subscription:
+		case <-s.ctx.Done():
+			return s.ctx.Err()
+		case <-server.Context().Done():
+			return server.Context().Err()
+		case <-done:
+			return nil
+		}
+	}
+}
+
+func (s *StartedService) StartNetworkQualityTest(
+	request *NetworkQualityTestRequest,
+	server grpc.ServerStreamingServer[NetworkQualityTestProgress],
+) error {
+	err := s.waitForStarted(server.Context())
+	if err != nil {
+		return err
+	}
+	s.serviceAccess.RLock()
+	boxService := s.instance
+	s.serviceAccess.RUnlock()
+
+	var outbound adapter.Outbound
+	if request.OutboundTag == "" {
+		outbound = boxService.instance.Outbound().Default()
+	} else {
+		var loaded bool
+		outbound, loaded = boxService.instance.Outbound().Outbound(request.OutboundTag)
+		if !loaded {
+			return E.New("outbound not found: ", request.OutboundTag)
+		}
+	}
+
+	resolvedDialer := dialer.NewResolveDialer(boxService.ctx, outbound, true, "", adapter.DNSQueryOptions{}, 0)
+	httpClient := networkquality.NewHTTPClient(resolvedDialer)
+	defer httpClient.CloseIdleConnections()
+
+	result, nqErr := networkquality.Run(networkquality.Options{
+		ConfigURL:  request.ConfigURL,
+		HTTPClient: httpClient,
+		Serial:     request.Serial,
+		MaxRuntime: time.Duration(request.MaxRuntimeSeconds) * time.Second,
+		Context:    server.Context(),
+		OnProgress: func(p networkquality.Progress) {
+			_ = server.Send(&NetworkQualityTestProgress{
+				Phase:                    int32(p.Phase),
+				DownloadCapacity:         p.DownloadCapacity,
+				UploadCapacity:           p.UploadCapacity,
+				DownloadRPM:              p.DownloadRPM,
+				UploadRPM:                p.UploadRPM,
+				IdleLatencyMs:            p.IdleLatencyMs,
+				ElapsedMs:                p.ElapsedMs,
+				DownloadCapacityAccuracy: int32(p.DownloadCapacityAccuracy),
+				UploadCapacityAccuracy:   int32(p.UploadCapacityAccuracy),
+				DownloadRPMAccuracy:      int32(p.DownloadRPMAccuracy),
+				UploadRPMAccuracy:        int32(p.UploadRPMAccuracy),
+			})
+		},
+	})
+	if nqErr != nil {
+		return server.Send(&NetworkQualityTestProgress{
+			IsFinal: true,
+			Error:   nqErr.Error(),
+		})
+	}
+	return server.Send(&NetworkQualityTestProgress{
+		Phase:                    int32(networkquality.PhaseDone),
+		DownloadCapacity:         result.DownloadCapacity,
+		UploadCapacity:           result.UploadCapacity,
+		DownloadRPM:              result.DownloadRPM,
+		UploadRPM:                result.UploadRPM,
+		IdleLatencyMs:            result.IdleLatencyMs,
+		IsFinal:                  true,
+		DownloadCapacityAccuracy: int32(result.DownloadCapacityAccuracy),
+		UploadCapacityAccuracy:   int32(result.UploadCapacityAccuracy),
+		DownloadRPMAccuracy:      int32(result.DownloadRPMAccuracy),
+		UploadRPMAccuracy:        int32(result.UploadRPMAccuracy),
+	})
+}
+
 func (s *StartedService) mustEmbedUnimplementedStartedServiceServer() {
 }

--- a/daemon/started_service.pb.go
+++ b/daemon/started_service.pb.go
@@ -182,6 +182,52 @@ func (ServiceStatus_Type) EnumDescriptor() ([]byte, []int) {
 	return file_daemon_started_service_proto_rawDescGZIP(), []int{0, 0}
 }

+type DebugCrashRequest_Type int32
+
+const (
+	DebugCrashRequest_GO     DebugCrashRequest_Type = 0
+	DebugCrashRequest_NATIVE DebugCrashRequest_Type = 1
+)
+
+// Enum value maps for DebugCrashRequest_Type.
+var (
+	DebugCrashRequest_Type_name = map[int32]string{
+		0: "GO",
+		1: "NATIVE",
+	}
+	DebugCrashRequest_Type_value = map[string]int32{
+		"GO":     0,
+		"NATIVE": 1,
+	}
+)
+
+func (x DebugCrashRequest_Type) Enum() *DebugCrashRequest_Type {
+	p := new(DebugCrashRequest_Type)
+	*p = x
+	return p
+}
+
+func (x DebugCrashRequest_Type) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (DebugCrashRequest_Type) Descriptor() protoreflect.EnumDescriptor {
+	return file_daemon_started_service_proto_enumTypes[3].Descriptor()
+}
+
+func (DebugCrashRequest_Type) Type() protoreflect.EnumType {
+	return &file_daemon_started_service_proto_enumTypes[3]
+}
+
+func (x DebugCrashRequest_Type) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use DebugCrashRequest_Type.Descriptor instead.
+func (DebugCrashRequest_Type) EnumDescriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{16, 0}
+}
+
 type ServiceStatus struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Status        ServiceStatus_Type     `protobuf:"varint,1,opt,name=status,proto3,enum=daemon.ServiceStatus_Type" json:"status,omitempty"`
@@ -1062,6 +1108,50 @@ func (x *SetSystemProxyEnabledRequest) GetEnabled() bool {
 	return false
 }

+type DebugCrashRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Type          DebugCrashRequest_Type `protobuf:"varint,1,opt,name=type,proto3,enum=daemon.DebugCrashRequest_Type" json:"type,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *DebugCrashRequest) Reset() {
+	*x = DebugCrashRequest{}
+	mi := &file_daemon_started_service_proto_msgTypes[16]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *DebugCrashRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DebugCrashRequest) ProtoMessage() {}
+
+func (x *DebugCrashRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[16]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DebugCrashRequest.ProtoReflect.Descriptor instead.
+func (*DebugCrashRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{16}
+}
+
+func (x *DebugCrashRequest) GetType() DebugCrashRequest_Type {
+	if x != nil {
+		return x.Type
+	}
+	return DebugCrashRequest_GO
+}
+
 type SubscribeConnectionsRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Interval      int64                  `protobuf:"varint,1,opt,name=interval,proto3" json:"interval,omitempty"`
@@ -1071,7 +1161,7 @@ type SubscribeConnectionsRequest struct {

 func (x *SubscribeConnectionsRequest) Reset() {
 	*x = SubscribeConnectionsRequest{}
-	mi := &file_daemon_started_service_proto_msgTypes[16]
+	mi := &file_daemon_started_service_proto_msgTypes[17]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1083,7 +1173,7 @@ func (x *SubscribeConnectionsRequest) String() string {
 func (*SubscribeConnectionsRequest) ProtoMessage() {}

 func (x *SubscribeConnectionsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[16]
+	mi := &file_daemon_started_service_proto_msgTypes[17]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1096,7 +1186,7 @@ func (x *SubscribeConnectionsRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use SubscribeConnectionsRequest.ProtoReflect.Descriptor instead.
 func (*SubscribeConnectionsRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{16}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{17}
 }

 func (x *SubscribeConnectionsRequest) GetInterval() int64 {
@@ -1120,7 +1210,7 @@ type ConnectionEvent struct {

 func (x *ConnectionEvent) Reset() {
 	*x = ConnectionEvent{}
-	mi := &file_daemon_started_service_proto_msgTypes[17]
+	mi := &file_daemon_started_service_proto_msgTypes[18]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1132,7 +1222,7 @@ func (x *ConnectionEvent) String() string {
 func (*ConnectionEvent) ProtoMessage() {}

 func (x *ConnectionEvent) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[17]
+	mi := &file_daemon_started_service_proto_msgTypes[18]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1145,7 +1235,7 @@ func (x *ConnectionEvent) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ConnectionEvent.ProtoReflect.Descriptor instead.
 func (*ConnectionEvent) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{17}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{18}
 }

 func (x *ConnectionEvent) GetType() ConnectionEventType {
@@ -1200,7 +1290,7 @@ type ConnectionEvents struct {

 func (x *ConnectionEvents) Reset() {
 	*x = ConnectionEvents{}
-	mi := &file_daemon_started_service_proto_msgTypes[18]
+	mi := &file_daemon_started_service_proto_msgTypes[19]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1212,7 +1302,7 @@ func (x *ConnectionEvents) String() string {
 func (*ConnectionEvents) ProtoMessage() {}

 func (x *ConnectionEvents) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[18]
+	mi := &file_daemon_started_service_proto_msgTypes[19]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1225,7 +1315,7 @@ func (x *ConnectionEvents) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ConnectionEvents.ProtoReflect.Descriptor instead.
 func (*ConnectionEvents) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{18}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{19}
 }

 func (x *ConnectionEvents) GetEvents() []*ConnectionEvent {
@@ -1272,7 +1362,7 @@ type Connection struct {

 func (x *Connection) Reset() {
 	*x = Connection{}
-	mi := &file_daemon_started_service_proto_msgTypes[19]
+	mi := &file_daemon_started_service_proto_msgTypes[20]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1284,7 +1374,7 @@ func (x *Connection) String() string {
 func (*Connection) ProtoMessage() {}

 func (x *Connection) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[19]
+	mi := &file_daemon_started_service_proto_msgTypes[20]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1297,7 +1387,7 @@ func (x *Connection) ProtoReflect() protoreflect.Message {

 // Deprecated: Use Connection.ProtoReflect.Descriptor instead.
 func (*Connection) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{19}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{20}
 }

 func (x *Connection) GetId() string {
@@ -1467,7 +1557,7 @@ type ProcessInfo struct {

 func (x *ProcessInfo) Reset() {
 	*x = ProcessInfo{}
-	mi := &file_daemon_started_service_proto_msgTypes[20]
+	mi := &file_daemon_started_service_proto_msgTypes[21]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1479,7 +1569,7 @@ func (x *ProcessInfo) String() string {
 func (*ProcessInfo) ProtoMessage() {}

 func (x *ProcessInfo) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[20]
+	mi := &file_daemon_started_service_proto_msgTypes[21]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1492,7 +1582,7 @@ func (x *ProcessInfo) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ProcessInfo.ProtoReflect.Descriptor instead.
 func (*ProcessInfo) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{20}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{21}
 }

 func (x *ProcessInfo) GetProcessId() uint32 {
@@ -1539,7 +1629,7 @@ type CloseConnectionRequest struct {

 func (x *CloseConnectionRequest) Reset() {
 	*x = CloseConnectionRequest{}
-	mi := &file_daemon_started_service_proto_msgTypes[21]
+	mi := &file_daemon_started_service_proto_msgTypes[22]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1551,7 +1641,7 @@ func (x *CloseConnectionRequest) String() string {
 func (*CloseConnectionRequest) ProtoMessage() {}

 func (x *CloseConnectionRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[21]
+	mi := &file_daemon_started_service_proto_msgTypes[22]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1564,7 +1654,7 @@ func (x *CloseConnectionRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use CloseConnectionRequest.ProtoReflect.Descriptor instead.
 func (*CloseConnectionRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{21}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{22}
 }

 func (x *CloseConnectionRequest) GetId() string {
@@ -1583,7 +1673,7 @@ type DeprecatedWarnings struct {

 func (x *DeprecatedWarnings) Reset() {
 	*x = DeprecatedWarnings{}
-	mi := &file_daemon_started_service_proto_msgTypes[22]
+	mi := &file_daemon_started_service_proto_msgTypes[23]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1595,7 +1685,7 @@ func (x *DeprecatedWarnings) String() string {
 func (*DeprecatedWarnings) ProtoMessage() {}

 func (x *DeprecatedWarnings) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[22]
+	mi := &file_daemon_started_service_proto_msgTypes[23]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1608,7 +1698,7 @@ func (x *DeprecatedWarnings) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DeprecatedWarnings.ProtoReflect.Descriptor instead.
 func (*DeprecatedWarnings) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{22}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{23}
 }

 func (x *DeprecatedWarnings) GetWarnings() []*DeprecatedWarning {
@@ -1619,17 +1709,20 @@ func (x *DeprecatedWarnings) GetWarnings() []*DeprecatedWarning {
 }

 type DeprecatedWarning struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Message       string                 `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
-	Impending     bool                   `protobuf:"varint,2,opt,name=impending,proto3" json:"impending,omitempty"`
-	MigrationLink string                 `protobuf:"bytes,3,opt,name=migrationLink,proto3" json:"migrationLink,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
+	state             protoimpl.MessageState `protogen:"open.v1"`
+	Message           string                 `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
+	Impending         bool                   `protobuf:"varint,2,opt,name=impending,proto3" json:"impending,omitempty"`
+	MigrationLink     string                 `protobuf:"bytes,3,opt,name=migrationLink,proto3" json:"migrationLink,omitempty"`
+	Description       string                 `protobuf:"bytes,4,opt,name=description,proto3" json:"description,omitempty"`
+	DeprecatedVersion string                 `protobuf:"bytes,5,opt,name=deprecatedVersion,proto3" json:"deprecatedVersion,omitempty"`
+	ScheduledVersion  string                 `protobuf:"bytes,6,opt,name=scheduledVersion,proto3" json:"scheduledVersion,omitempty"`
+	unknownFields     protoimpl.UnknownFields
+	sizeCache         protoimpl.SizeCache
 }

 func (x *DeprecatedWarning) Reset() {
 	*x = DeprecatedWarning{}
-	mi := &file_daemon_started_service_proto_msgTypes[23]
+	mi := &file_daemon_started_service_proto_msgTypes[24]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1641,7 +1734,7 @@ func (x *DeprecatedWarning) String() string {
 func (*DeprecatedWarning) ProtoMessage() {}

 func (x *DeprecatedWarning) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[23]
+	mi := &file_daemon_started_service_proto_msgTypes[24]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1654,7 +1747,7 @@ func (x *DeprecatedWarning) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DeprecatedWarning.ProtoReflect.Descriptor instead.
 func (*DeprecatedWarning) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{23}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{24}
 }

 func (x *DeprecatedWarning) GetMessage() string {
@@ -1678,6 +1771,27 @@ func (x *DeprecatedWarning) GetMigrationLink() string {
 	return ""
 }

+func (x *DeprecatedWarning) GetDescription() string {
+	if x != nil {
+		return x.Description
+	}
+	return ""
+}
+
+func (x *DeprecatedWarning) GetDeprecatedVersion() string {
+	if x != nil {
+		return x.DeprecatedVersion
+	}
+	return ""
+}
+
+func (x *DeprecatedWarning) GetScheduledVersion() string {
+	if x != nil {
+		return x.ScheduledVersion
+	}
+	return ""
+}
+
 type StartedAt struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	StartedAt     int64                  `protobuf:"varint,1,opt,name=startedAt,proto3" json:"startedAt,omitempty"`
@@ -1687,7 +1801,7 @@ type StartedAt struct {

 func (x *StartedAt) Reset() {
 	*x = StartedAt{}
-	mi := &file_daemon_started_service_proto_msgTypes[24]
+	mi := &file_daemon_started_service_proto_msgTypes[25]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1699,7 +1813,7 @@ func (x *StartedAt) String() string {
 func (*StartedAt) ProtoMessage() {}

 func (x *StartedAt) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[24]
+	mi := &file_daemon_started_service_proto_msgTypes[25]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1712,7 +1826,7 @@ func (x *StartedAt) ProtoReflect() protoreflect.Message {

 // Deprecated: Use StartedAt.ProtoReflect.Descriptor instead.
 func (*StartedAt) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{24}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{25}
 }

 func (x *StartedAt) GetStartedAt() int64 {
@@ -1722,6 +1836,258 @@ func (x *StartedAt) GetStartedAt() int64 {
 	return 0
 }

+type OutboundList struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Outbounds     []*GroupItem           `protobuf:"bytes,1,rep,name=outbounds,proto3" json:"outbounds,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *OutboundList) Reset() {
+	*x = OutboundList{}
+	mi := &file_daemon_started_service_proto_msgTypes[26]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *OutboundList) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*OutboundList) ProtoMessage() {}
+
+func (x *OutboundList) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[26]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use OutboundList.ProtoReflect.Descriptor instead.
+func (*OutboundList) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{26}
+}
+
+func (x *OutboundList) GetOutbounds() []*GroupItem {
+	if x != nil {
+		return x.Outbounds
+	}
+	return nil
+}
+
+type NetworkQualityTestRequest struct {
+	state             protoimpl.MessageState `protogen:"open.v1"`
+	ConfigURL         string                 `protobuf:"bytes,1,opt,name=configURL,proto3" json:"configURL,omitempty"`
+	OutboundTag       string                 `protobuf:"bytes,2,opt,name=outboundTag,proto3" json:"outboundTag,omitempty"`
+	Serial            bool                   `protobuf:"varint,3,opt,name=serial,proto3" json:"serial,omitempty"`
+	MaxRuntimeSeconds int32                  `protobuf:"varint,4,opt,name=maxRuntimeSeconds,proto3" json:"maxRuntimeSeconds,omitempty"`
+	unknownFields     protoimpl.UnknownFields
+	sizeCache         protoimpl.SizeCache
+}
+
+func (x *NetworkQualityTestRequest) Reset() {
+	*x = NetworkQualityTestRequest{}
+	mi := &file_daemon_started_service_proto_msgTypes[27]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *NetworkQualityTestRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*NetworkQualityTestRequest) ProtoMessage() {}
+
+func (x *NetworkQualityTestRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[27]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use NetworkQualityTestRequest.ProtoReflect.Descriptor instead.
+func (*NetworkQualityTestRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{27}
+}
+
+func (x *NetworkQualityTestRequest) GetConfigURL() string {
+	if x != nil {
+		return x.ConfigURL
+	}
+	return ""
+}
+
+func (x *NetworkQualityTestRequest) GetOutboundTag() string {
+	if x != nil {
+		return x.OutboundTag
+	}
+	return ""
+}
+
+func (x *NetworkQualityTestRequest) GetSerial() bool {
+	if x != nil {
+		return x.Serial
+	}
+	return false
+}
+
+func (x *NetworkQualityTestRequest) GetMaxRuntimeSeconds() int32 {
+	if x != nil {
+		return x.MaxRuntimeSeconds
+	}
+	return 0
+}
+
+type NetworkQualityTestProgress struct {
+	state                    protoimpl.MessageState `protogen:"open.v1"`
+	Phase                    int32                  `protobuf:"varint,1,opt,name=phase,proto3" json:"phase,omitempty"`
+	DownloadCapacity         int64                  `protobuf:"varint,2,opt,name=downloadCapacity,proto3" json:"downloadCapacity,omitempty"`
+	UploadCapacity           int64                  `protobuf:"varint,3,opt,name=uploadCapacity,proto3" json:"uploadCapacity,omitempty"`
+	DownloadRPM              int32                  `protobuf:"varint,4,opt,name=downloadRPM,proto3" json:"downloadRPM,omitempty"`
+	UploadRPM                int32                  `protobuf:"varint,5,opt,name=uploadRPM,proto3" json:"uploadRPM,omitempty"`
+	IdleLatencyMs            int32                  `protobuf:"varint,6,opt,name=idleLatencyMs,proto3" json:"idleLatencyMs,omitempty"`
+	ElapsedMs                int64                  `protobuf:"varint,7,opt,name=elapsedMs,proto3" json:"elapsedMs,omitempty"`
+	IsFinal                  bool                   `protobuf:"varint,8,opt,name=isFinal,proto3" json:"isFinal,omitempty"`
+	Error                    string                 `protobuf:"bytes,9,opt,name=error,proto3" json:"error,omitempty"`
+	DownloadCapacityAccuracy int32                  `protobuf:"varint,10,opt,name=downloadCapacityAccuracy,proto3" json:"downloadCapacityAccuracy,omitempty"`
+	UploadCapacityAccuracy   int32                  `protobuf:"varint,11,opt,name=uploadCapacityAccuracy,proto3" json:"uploadCapacityAccuracy,omitempty"`
+	DownloadRPMAccuracy      int32                  `protobuf:"varint,12,opt,name=downloadRPMAccuracy,proto3" json:"downloadRPMAccuracy,omitempty"`
+	UploadRPMAccuracy        int32                  `protobuf:"varint,13,opt,name=uploadRPMAccuracy,proto3" json:"uploadRPMAccuracy,omitempty"`
+	unknownFields            protoimpl.UnknownFields
+	sizeCache                protoimpl.SizeCache
+}
+
+func (x *NetworkQualityTestProgress) Reset() {
+	*x = NetworkQualityTestProgress{}
+	mi := &file_daemon_started_service_proto_msgTypes[28]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *NetworkQualityTestProgress) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*NetworkQualityTestProgress) ProtoMessage() {}
+
+func (x *NetworkQualityTestProgress) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[28]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use NetworkQualityTestProgress.ProtoReflect.Descriptor instead.
+func (*NetworkQualityTestProgress) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{28}
+}
+
+func (x *NetworkQualityTestProgress) GetPhase() int32 {
+	if x != nil {
+		return x.Phase
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetDownloadCapacity() int64 {
+	if x != nil {
+		return x.DownloadCapacity
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetUploadCapacity() int64 {
+	if x != nil {
+		return x.UploadCapacity
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetDownloadRPM() int32 {
+	if x != nil {
+		return x.DownloadRPM
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetUploadRPM() int32 {
+	if x != nil {
+		return x.UploadRPM
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetIdleLatencyMs() int32 {
+	if x != nil {
+		return x.IdleLatencyMs
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetElapsedMs() int64 {
+	if x != nil {
+		return x.ElapsedMs
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetIsFinal() bool {
+	if x != nil {
+		return x.IsFinal
+	}
+	return false
+}
+
+func (x *NetworkQualityTestProgress) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+func (x *NetworkQualityTestProgress) GetDownloadCapacityAccuracy() int32 {
+	if x != nil {
+		return x.DownloadCapacityAccuracy
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetUploadCapacityAccuracy() int32 {
+	if x != nil {
+		return x.UploadCapacityAccuracy
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetDownloadRPMAccuracy() int32 {
+	if x != nil {
+		return x.DownloadRPMAccuracy
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetUploadRPMAccuracy() int32 {
+	if x != nil {
+		return x.UploadRPMAccuracy
+	}
+	return 0
+}
+
 type Log_Message struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Level         LogLevel               `protobuf:"varint,1,opt,name=level,proto3,enum=daemon.LogLevel" json:"level,omitempty"`
@@ -1732,7 +2098,7 @@ type Log_Message struct {

 func (x *Log_Message) Reset() {
 	*x = Log_Message{}
-	mi := &file_daemon_started_service_proto_msgTypes[25]
+	mi := &file_daemon_started_service_proto_msgTypes[29]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1744,7 +2110,7 @@ func (x *Log_Message) String() string {
 func (*Log_Message) ProtoMessage() {}

 func (x *Log_Message) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[25]
+	mi := &file_daemon_started_service_proto_msgTypes[29]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1845,7 +2211,13 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\tavailable\x18\x01 \x01(\bR\tavailable\x12\x18\n" +
 	"\aenabled\x18\x02 \x01(\bR\aenabled\"8\n" +
 	"\x1cSetSystemProxyEnabledRequest\x12\x18\n" +
-	"\aenabled\x18\x01 \x01(\bR\aenabled\"9\n" +
+	"\aenabled\x18\x01 \x01(\bR\aenabled\"c\n" +
+	"\x11DebugCrashRequest\x122\n" +
+	"\x04type\x18\x01 \x01(\x0e2\x1e.daemon.DebugCrashRequest.TypeR\x04type\"\x1a\n" +
+	"\x04Type\x12\x06\n" +
+	"\x02GO\x10\x00\x12\n" +
+	"\n" +
+	"\x06NATIVE\x10\x01\"9\n" +
 	"\x1bSubscribeConnectionsRequest\x12\x1a\n" +
 	"\binterval\x18\x01 \x01(\x03R\binterval\"\xea\x01\n" +
 	"\x0fConnectionEvent\x12/\n" +
@@ -1894,13 +2266,38 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x16CloseConnectionRequest\x12\x0e\n" +
 	"\x02id\x18\x01 \x01(\tR\x02id\"K\n" +
 	"\x12DeprecatedWarnings\x125\n" +
-	"\bwarnings\x18\x01 \x03(\v2\x19.daemon.DeprecatedWarningR\bwarnings\"q\n" +
+	"\bwarnings\x18\x01 \x03(\v2\x19.daemon.DeprecatedWarningR\bwarnings\"\xed\x01\n" +
 	"\x11DeprecatedWarning\x12\x18\n" +
 	"\amessage\x18\x01 \x01(\tR\amessage\x12\x1c\n" +
 	"\timpending\x18\x02 \x01(\bR\timpending\x12$\n" +
-	"\rmigrationLink\x18\x03 \x01(\tR\rmigrationLink\")\n" +
+	"\rmigrationLink\x18\x03 \x01(\tR\rmigrationLink\x12 \n" +
+	"\vdescription\x18\x04 \x01(\tR\vdescription\x12,\n" +
+	"\x11deprecatedVersion\x18\x05 \x01(\tR\x11deprecatedVersion\x12*\n" +
+	"\x10scheduledVersion\x18\x06 \x01(\tR\x10scheduledVersion\")\n" +
 	"\tStartedAt\x12\x1c\n" +
-	"\tstartedAt\x18\x01 \x01(\x03R\tstartedAt*U\n" +
+	"\tstartedAt\x18\x01 \x01(\x03R\tstartedAt\"?\n" +
+	"\fOutboundList\x12/\n" +
+	"\toutbounds\x18\x01 \x03(\v2\x11.daemon.GroupItemR\toutbounds\"\xa1\x01\n" +
+	"\x19NetworkQualityTestRequest\x12\x1c\n" +
+	"\tconfigURL\x18\x01 \x01(\tR\tconfigURL\x12 \n" +
+	"\voutboundTag\x18\x02 \x01(\tR\voutboundTag\x12\x16\n" +
+	"\x06serial\x18\x03 \x01(\bR\x06serial\x12,\n" +
+	"\x11maxRuntimeSeconds\x18\x04 \x01(\x05R\x11maxRuntimeSeconds\"\x8e\x04\n" +
+	"\x1aNetworkQualityTestProgress\x12\x14\n" +
+	"\x05phase\x18\x01 \x01(\x05R\x05phase\x12*\n" +
+	"\x10downloadCapacity\x18\x02 \x01(\x03R\x10downloadCapacity\x12&\n" +
+	"\x0euploadCapacity\x18\x03 \x01(\x03R\x0euploadCapacity\x12 \n" +
+	"\vdownloadRPM\x18\x04 \x01(\x05R\vdownloadRPM\x12\x1c\n" +
+	"\tuploadRPM\x18\x05 \x01(\x05R\tuploadRPM\x12$\n" +
+	"\ridleLatencyMs\x18\x06 \x01(\x05R\ridleLatencyMs\x12\x1c\n" +
+	"\telapsedMs\x18\a \x01(\x03R\telapsedMs\x12\x18\n" +
+	"\aisFinal\x18\b \x01(\bR\aisFinal\x12\x14\n" +
+	"\x05error\x18\t \x01(\tR\x05error\x12:\n" +
+	"\x18downloadCapacityAccuracy\x18\n" +
+	" \x01(\x05R\x18downloadCapacityAccuracy\x126\n" +
+	"\x16uploadCapacityAccuracy\x18\v \x01(\x05R\x16uploadCapacityAccuracy\x120\n" +
+	"\x13downloadRPMAccuracy\x18\f \x01(\x05R\x13downloadRPMAccuracy\x12,\n" +
+	"\x11uploadRPMAccuracy\x18\r \x01(\x05R\x11uploadRPMAccuracy*U\n" +
 	"\bLogLevel\x12\t\n" +
 	"\x05PANIC\x10\x00\x12\t\n" +
 	"\x05FATAL\x10\x01\x12\t\n" +
@@ -1912,7 +2309,7 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x13ConnectionEventType\x12\x18\n" +
 	"\x14CONNECTION_EVENT_NEW\x10\x00\x12\x1b\n" +
 	"\x17CONNECTION_EVENT_UPDATE\x10\x01\x12\x1b\n" +
-	"\x17CONNECTION_EVENT_CLOSED\x10\x022\xe5\v\n" +
+	"\x17CONNECTION_EVENT_CLOSED\x10\x022\xe4\x0e\n" +
 	"\x0eStartedService\x12=\n" +
 	"\vStopService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12?\n" +
 	"\rReloadService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12K\n" +
@@ -1929,12 +2326,17 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x0eSelectOutbound\x12\x1d.daemon.SelectOutboundRequest\x1a\x16.google.protobuf.Empty\"\x00\x12I\n" +
 	"\x0eSetGroupExpand\x12\x1d.daemon.SetGroupExpandRequest\x1a\x16.google.protobuf.Empty\"\x00\x12K\n" +
 	"\x14GetSystemProxyStatus\x12\x16.google.protobuf.Empty\x1a\x19.daemon.SystemProxyStatus\"\x00\x12W\n" +
-	"\x15SetSystemProxyEnabled\x12$.daemon.SetSystemProxyEnabledRequest\x1a\x16.google.protobuf.Empty\"\x00\x12Y\n" +
+	"\x15SetSystemProxyEnabled\x12$.daemon.SetSystemProxyEnabledRequest\x1a\x16.google.protobuf.Empty\"\x00\x12H\n" +
+	"\x11TriggerDebugCrash\x12\x19.daemon.DebugCrashRequest\x1a\x16.google.protobuf.Empty\"\x00\x12D\n" +
+	"\x10TriggerOOMReport\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\"\x00\x12Y\n" +
 	"\x14SubscribeConnections\x12#.daemon.SubscribeConnectionsRequest\x1a\x18.daemon.ConnectionEvents\"\x000\x01\x12K\n" +
 	"\x0fCloseConnection\x12\x1e.daemon.CloseConnectionRequest\x1a\x16.google.protobuf.Empty\"\x00\x12G\n" +
 	"\x13CloseAllConnections\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\"\x00\x12M\n" +
 	"\x15GetDeprecatedWarnings\x12\x16.google.protobuf.Empty\x1a\x1a.daemon.DeprecatedWarnings\"\x00\x12;\n" +
-	"\fGetStartedAt\x12\x16.google.protobuf.Empty\x1a\x11.daemon.StartedAt\"\x00B%Z#github.com/sagernet/sing-box/daemonb\x06proto3"
+	"\fGetStartedAt\x12\x16.google.protobuf.Empty\x1a\x11.daemon.StartedAt\"\x00\x12?\n" +
+	"\rListOutbounds\x12\x16.google.protobuf.Empty\x1a\x14.daemon.OutboundList\"\x00\x12F\n" +
+	"\x12SubscribeOutbounds\x12\x16.google.protobuf.Empty\x1a\x14.daemon.OutboundList\"\x000\x01\x12d\n" +
+	"\x17StartNetworkQualityTest\x12!.daemon.NetworkQualityTestRequest\x1a\".daemon.NetworkQualityTestProgress\"\x000\x01B%Z#github.com/sagernet/sing-box/daemonb\x06proto3"

 var (
 	file_daemon_started_service_proto_rawDescOnce sync.Once
@@ -1949,101 +2351,118 @@ func file_daemon_started_service_proto_rawDescGZIP() []byte {
 }

 var (
-	file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 26)
+	file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
+	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 30)
 	file_daemon_started_service_proto_goTypes   = []any{
 		(LogLevel)(0),                        // 0: daemon.LogLevel
 		(ConnectionEventType)(0),             // 1: daemon.ConnectionEventType
 		(ServiceStatus_Type)(0),              // 2: daemon.ServiceStatus.Type
-		(*ServiceStatus)(nil),                // 3: daemon.ServiceStatus
-		(*ReloadServiceRequest)(nil),         // 4: daemon.ReloadServiceRequest
-		(*SubscribeStatusRequest)(nil),       // 5: daemon.SubscribeStatusRequest
-		(*Log)(nil),                          // 6: daemon.Log
-		(*DefaultLogLevel)(nil),              // 7: daemon.DefaultLogLevel
-		(*Status)(nil),                       // 8: daemon.Status
-		(*Groups)(nil),                       // 9: daemon.Groups
-		(*Group)(nil),                        // 10: daemon.Group
-		(*GroupItem)(nil),                    // 11: daemon.GroupItem
-		(*URLTestRequest)(nil),               // 12: daemon.URLTestRequest
-		(*SelectOutboundRequest)(nil),        // 13: daemon.SelectOutboundRequest
-		(*SetGroupExpandRequest)(nil),        // 14: daemon.SetGroupExpandRequest
-		(*ClashMode)(nil),                    // 15: daemon.ClashMode
-		(*ClashModeStatus)(nil),              // 16: daemon.ClashModeStatus
-		(*SystemProxyStatus)(nil),            // 17: daemon.SystemProxyStatus
-		(*SetSystemProxyEnabledRequest)(nil), // 18: daemon.SetSystemProxyEnabledRequest
-		(*SubscribeConnectionsRequest)(nil),  // 19: daemon.SubscribeConnectionsRequest
-		(*ConnectionEvent)(nil),              // 20: daemon.ConnectionEvent
-		(*ConnectionEvents)(nil),             // 21: daemon.ConnectionEvents
-		(*Connection)(nil),                   // 22: daemon.Connection
-		(*ProcessInfo)(nil),                  // 23: daemon.ProcessInfo
-		(*CloseConnectionRequest)(nil),       // 24: daemon.CloseConnectionRequest
-		(*DeprecatedWarnings)(nil),           // 25: daemon.DeprecatedWarnings
-		(*DeprecatedWarning)(nil),            // 26: daemon.DeprecatedWarning
-		(*StartedAt)(nil),                    // 27: daemon.StartedAt
-		(*Log_Message)(nil),                  // 28: daemon.Log.Message
-		(*emptypb.Empty)(nil),                // 29: google.protobuf.Empty
+		(DebugCrashRequest_Type)(0),          // 3: daemon.DebugCrashRequest.Type
+		(*ServiceStatus)(nil),                // 4: daemon.ServiceStatus
+		(*ReloadServiceRequest)(nil),         // 5: daemon.ReloadServiceRequest
+		(*SubscribeStatusRequest)(nil),       // 6: daemon.SubscribeStatusRequest
+		(*Log)(nil),                          // 7: daemon.Log
+		(*DefaultLogLevel)(nil),              // 8: daemon.DefaultLogLevel
+		(*Status)(nil),                       // 9: daemon.Status
+		(*Groups)(nil),                       // 10: daemon.Groups
+		(*Group)(nil),                        // 11: daemon.Group
+		(*GroupItem)(nil),                    // 12: daemon.GroupItem
+		(*URLTestRequest)(nil),               // 13: daemon.URLTestRequest
+		(*SelectOutboundRequest)(nil),        // 14: daemon.SelectOutboundRequest
+		(*SetGroupExpandRequest)(nil),        // 15: daemon.SetGroupExpandRequest
+		(*ClashMode)(nil),                    // 16: daemon.ClashMode
+		(*ClashModeStatus)(nil),              // 17: daemon.ClashModeStatus
+		(*SystemProxyStatus)(nil),            // 18: daemon.SystemProxyStatus
+		(*SetSystemProxyEnabledRequest)(nil), // 19: daemon.SetSystemProxyEnabledRequest
+		(*DebugCrashRequest)(nil),            // 20: daemon.DebugCrashRequest
+		(*SubscribeConnectionsRequest)(nil),  // 21: daemon.SubscribeConnectionsRequest
+		(*ConnectionEvent)(nil),              // 22: daemon.ConnectionEvent
+		(*ConnectionEvents)(nil),             // 23: daemon.ConnectionEvents
+		(*Connection)(nil),                   // 24: daemon.Connection
+		(*ProcessInfo)(nil),                  // 25: daemon.ProcessInfo
+		(*CloseConnectionRequest)(nil),       // 26: daemon.CloseConnectionRequest
+		(*DeprecatedWarnings)(nil),           // 27: daemon.DeprecatedWarnings
+		(*DeprecatedWarning)(nil),            // 28: daemon.DeprecatedWarning
+		(*StartedAt)(nil),                    // 29: daemon.StartedAt
+		(*OutboundList)(nil),                 // 30: daemon.OutboundList
+		(*NetworkQualityTestRequest)(nil),    // 31: daemon.NetworkQualityTestRequest
+		(*NetworkQualityTestProgress)(nil),   // 32: daemon.NetworkQualityTestProgress
+		(*Log_Message)(nil),                  // 33: daemon.Log.Message
+		(*emptypb.Empty)(nil),                // 34: google.protobuf.Empty
 	}
 )

 var file_daemon_started_service_proto_depIdxs = []int32{
 	2,  // 0: daemon.ServiceStatus.status:type_name -> daemon.ServiceStatus.Type
-	28, // 1: daemon.Log.messages:type_name -> daemon.Log.Message
+	33, // 1: daemon.Log.messages:type_name -> daemon.Log.Message
 	0,  // 2: daemon.DefaultLogLevel.level:type_name -> daemon.LogLevel
-	10, // 3: daemon.Groups.group:type_name -> daemon.Group
-	11, // 4: daemon.Group.items:type_name -> daemon.GroupItem
-	1,  // 5: daemon.ConnectionEvent.type:type_name -> daemon.ConnectionEventType
-	22, // 6: daemon.ConnectionEvent.connection:type_name -> daemon.Connection
-	20, // 7: daemon.ConnectionEvents.events:type_name -> daemon.ConnectionEvent
-	23, // 8: daemon.Connection.processInfo:type_name -> daemon.ProcessInfo
-	26, // 9: daemon.DeprecatedWarnings.warnings:type_name -> daemon.DeprecatedWarning
-	0,  // 10: daemon.Log.Message.level:type_name -> daemon.LogLevel
-	29, // 11: daemon.StartedService.StopService:input_type -> google.protobuf.Empty
-	29, // 12: daemon.StartedService.ReloadService:input_type -> google.protobuf.Empty
-	29, // 13: daemon.StartedService.SubscribeServiceStatus:input_type -> google.protobuf.Empty
-	29, // 14: daemon.StartedService.SubscribeLog:input_type -> google.protobuf.Empty
-	29, // 15: daemon.StartedService.GetDefaultLogLevel:input_type -> google.protobuf.Empty
-	29, // 16: daemon.StartedService.ClearLogs:input_type -> google.protobuf.Empty
-	5,  // 17: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
-	29, // 18: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
-	29, // 19: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
-	29, // 20: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
-	15, // 21: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
-	12, // 22: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
-	13, // 23: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
-	14, // 24: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
-	29, // 25: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
-	18, // 26: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
-	19, // 27: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
-	24, // 28: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
-	29, // 29: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
-	29, // 30: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
-	29, // 31: daemon.StartedService.GetStartedAt:input_type -> google.protobuf.Empty
-	29, // 32: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
-	29, // 33: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
-	3,  // 34: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
-	6,  // 35: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
-	7,  // 36: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
-	29, // 37: daemon.StartedService.ClearLogs:output_type -> google.protobuf.Empty
-	8,  // 38: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
-	9,  // 39: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
-	16, // 40: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
-	15, // 41: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
-	29, // 42: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
-	29, // 43: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
-	29, // 44: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
-	29, // 45: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
-	17, // 46: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
-	29, // 47: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
-	21, // 48: daemon.StartedService.SubscribeConnections:output_type -> daemon.ConnectionEvents
-	29, // 49: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
-	29, // 50: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
-	25, // 51: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
-	27, // 52: daemon.StartedService.GetStartedAt:output_type -> daemon.StartedAt
-	32, // [32:53] is the sub-list for method output_type
-	11, // [11:32] is the sub-list for method input_type
-	11, // [11:11] is the sub-list for extension type_name
-	11, // [11:11] is the sub-list for extension extendee
-	0,  // [0:11] is the sub-list for field type_name
+	11, // 3: daemon.Groups.group:type_name -> daemon.Group
+	12, // 4: daemon.Group.items:type_name -> daemon.GroupItem
+	3,  // 5: daemon.DebugCrashRequest.type:type_name -> daemon.DebugCrashRequest.Type
+	1,  // 6: daemon.ConnectionEvent.type:type_name -> daemon.ConnectionEventType
+	24, // 7: daemon.ConnectionEvent.connection:type_name -> daemon.Connection
+	22, // 8: daemon.ConnectionEvents.events:type_name -> daemon.ConnectionEvent
+	25, // 9: daemon.Connection.processInfo:type_name -> daemon.ProcessInfo
+	28, // 10: daemon.DeprecatedWarnings.warnings:type_name -> daemon.DeprecatedWarning
+	12, // 11: daemon.OutboundList.outbounds:type_name -> daemon.GroupItem
+	0,  // 12: daemon.Log.Message.level:type_name -> daemon.LogLevel
+	34, // 13: daemon.StartedService.StopService:input_type -> google.protobuf.Empty
+	34, // 14: daemon.StartedService.ReloadService:input_type -> google.protobuf.Empty
+	34, // 15: daemon.StartedService.SubscribeServiceStatus:input_type -> google.protobuf.Empty
+	34, // 16: daemon.StartedService.SubscribeLog:input_type -> google.protobuf.Empty
+	34, // 17: daemon.StartedService.GetDefaultLogLevel:input_type -> google.protobuf.Empty
+	34, // 18: daemon.StartedService.ClearLogs:input_type -> google.protobuf.Empty
+	6,  // 19: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
+	34, // 20: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
+	34, // 21: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
+	34, // 22: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
+	16, // 23: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
+	13, // 24: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
+	14, // 25: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
+	15, // 26: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
+	34, // 27: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
+	19, // 28: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
+	20, // 29: daemon.StartedService.TriggerDebugCrash:input_type -> daemon.DebugCrashRequest
+	34, // 30: daemon.StartedService.TriggerOOMReport:input_type -> google.protobuf.Empty
+	21, // 31: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
+	26, // 32: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
+	34, // 33: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
+	34, // 34: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
+	34, // 35: daemon.StartedService.GetStartedAt:input_type -> google.protobuf.Empty
+	34, // 36: daemon.StartedService.ListOutbounds:input_type -> google.protobuf.Empty
+	34, // 37: daemon.StartedService.SubscribeOutbounds:input_type -> google.protobuf.Empty
+	31, // 38: daemon.StartedService.StartNetworkQualityTest:input_type -> daemon.NetworkQualityTestRequest
+	34, // 39: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
+	34, // 40: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
+	4,  // 41: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
+	7,  // 42: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
+	8,  // 43: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
+	34, // 44: daemon.StartedService.ClearLogs:output_type -> google.protobuf.Empty
+	9,  // 45: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
+	10, // 46: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
+	17, // 47: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
+	16, // 48: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
+	34, // 49: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
+	34, // 50: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
+	34, // 51: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
+	34, // 52: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
+	18, // 53: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
+	34, // 54: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
+	34, // 55: daemon.StartedService.TriggerDebugCrash:output_type -> google.protobuf.Empty
+	34, // 56: daemon.StartedService.TriggerOOMReport:output_type -> google.protobuf.Empty
+	23, // 57: daemon.StartedService.SubscribeConnections:output_type -> daemon.ConnectionEvents
+	34, // 58: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
+	34, // 59: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
+	27, // 60: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
+	29, // 61: daemon.StartedService.GetStartedAt:output_type -> daemon.StartedAt
+	30, // 62: daemon.StartedService.ListOutbounds:output_type -> daemon.OutboundList
+	30, // 63: daemon.StartedService.SubscribeOutbounds:output_type -> daemon.OutboundList
+	32, // 64: daemon.StartedService.StartNetworkQualityTest:output_type -> daemon.NetworkQualityTestProgress
+	39, // [39:65] is the sub-list for method output_type
+	13, // [13:39] is the sub-list for method input_type
+	13, // [13:13] is the sub-list for extension type_name
+	13, // [13:13] is the sub-list for extension extendee
+	0,  // [0:13] is the sub-list for field type_name
 }

 func init() { file_daemon_started_service_proto_init() }
@@ -2056,8 +2475,8 @@ func file_daemon_started_service_proto_init() {
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_started_service_proto_rawDesc), len(file_daemon_started_service_proto_rawDesc)),
-			NumEnums:      3,
-			NumMessages:   26,
+			NumEnums:      4,
+			NumMessages:   30,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/daemon/started_service.proto
+++ b/daemon/started_service.proto
@@ -26,12 +26,18 @@ service StartedService {

  rpc GetSystemProxyStatus(google.protobuf.Empty) returns(SystemProxyStatus) {}
  rpc SetSystemProxyEnabled(SetSystemProxyEnabledRequest) returns(google.protobuf.Empty) {}
+  rpc TriggerDebugCrash(DebugCrashRequest) returns(google.protobuf.Empty) {}
+  rpc TriggerOOMReport(google.protobuf.Empty) returns(google.protobuf.Empty) {}

  rpc SubscribeConnections(SubscribeConnectionsRequest) returns(stream ConnectionEvents) {}
  rpc CloseConnection(CloseConnectionRequest) returns(google.protobuf.Empty) {}
  rpc CloseAllConnections(google.protobuf.Empty) returns(google.protobuf.Empty) {}
  rpc GetDeprecatedWarnings(google.protobuf.Empty) returns(DeprecatedWarnings) {}
  rpc GetStartedAt(google.protobuf.Empty) returns(StartedAt) {}
+
+  rpc ListOutbounds(google.protobuf.Empty) returns (OutboundList) {}
+  rpc SubscribeOutbounds(google.protobuf.Empty) returns (stream OutboundList) {}
+  rpc StartNetworkQualityTest(NetworkQualityTestRequest) returns (stream NetworkQualityTestProgress) {}
 }

 message ServiceStatus {
@@ -141,6 +147,15 @@ message SetSystemProxyEnabledRequest {
  bool enabled = 1;
 }

+message DebugCrashRequest {
+  enum Type {
+    GO = 0;
+    NATIVE = 1;
+  }
+
+  Type type = 1;
+}
+
 message SubscribeConnectionsRequest {
  int64 interval = 1;
 }
@@ -210,8 +225,38 @@ message DeprecatedWarning {
  string message = 1;
  bool impending = 2;
  string migrationLink = 3;
+  string description = 4;
+  string deprecatedVersion = 5;
+  string scheduledVersion = 6;
 }

 message StartedAt {
  int64 startedAt = 1;
-}
+}
+
+message OutboundList {
+  repeated GroupItem outbounds = 1;
+}
+
+message NetworkQualityTestRequest {
+  string configURL = 1;
+  string outboundTag = 2;
+  bool serial = 3;
+  int32 maxRuntimeSeconds = 4;
+}
+
+message NetworkQualityTestProgress {
+  int32 phase = 1;
+  int64 downloadCapacity = 2;
+  int64 uploadCapacity = 3;
+  int32 downloadRPM = 4;
+  int32 uploadRPM = 5;
+  int32 idleLatencyMs = 6;
+  int64 elapsedMs = 7;
+  bool isFinal = 8;
+  string error = 9;
+  int32 downloadCapacityAccuracy = 10;
+  int32 uploadCapacityAccuracy = 11;
+  int32 downloadRPMAccuracy = 12;
+  int32 uploadRPMAccuracy = 13;
+}
--- a/daemon/started_service_grpc.pb.go
+++ b/daemon/started_service_grpc.pb.go
@@ -15,27 +15,32 @@ import (
 const _ = grpc.SupportPackageIsVersion9

 const (
-	StartedService_StopService_FullMethodName            = "/daemon.StartedService/StopService"
-	StartedService_ReloadService_FullMethodName          = "/daemon.StartedService/ReloadService"
-	StartedService_SubscribeServiceStatus_FullMethodName = "/daemon.StartedService/SubscribeServiceStatus"
-	StartedService_SubscribeLog_FullMethodName           = "/daemon.StartedService/SubscribeLog"
-	StartedService_GetDefaultLogLevel_FullMethodName     = "/daemon.StartedService/GetDefaultLogLevel"
-	StartedService_ClearLogs_FullMethodName              = "/daemon.StartedService/ClearLogs"
-	StartedService_SubscribeStatus_FullMethodName        = "/daemon.StartedService/SubscribeStatus"
-	StartedService_SubscribeGroups_FullMethodName        = "/daemon.StartedService/SubscribeGroups"
-	StartedService_GetClashModeStatus_FullMethodName     = "/daemon.StartedService/GetClashModeStatus"
-	StartedService_SubscribeClashMode_FullMethodName     = "/daemon.StartedService/SubscribeClashMode"
-	StartedService_SetClashMode_FullMethodName           = "/daemon.StartedService/SetClashMode"
-	StartedService_URLTest_FullMethodName                = "/daemon.StartedService/URLTest"
-	StartedService_SelectOutbound_FullMethodName         = "/daemon.StartedService/SelectOutbound"
-	StartedService_SetGroupExpand_FullMethodName         = "/daemon.StartedService/SetGroupExpand"
-	StartedService_GetSystemProxyStatus_FullMethodName   = "/daemon.StartedService/GetSystemProxyStatus"
-	StartedService_SetSystemProxyEnabled_FullMethodName  = "/daemon.StartedService/SetSystemProxyEnabled"
-	StartedService_SubscribeConnections_FullMethodName   = "/daemon.StartedService/SubscribeConnections"
-	StartedService_CloseConnection_FullMethodName        = "/daemon.StartedService/CloseConnection"
-	StartedService_CloseAllConnections_FullMethodName    = "/daemon.StartedService/CloseAllConnections"
-	StartedService_GetDeprecatedWarnings_FullMethodName  = "/daemon.StartedService/GetDeprecatedWarnings"
-	StartedService_GetStartedAt_FullMethodName           = "/daemon.StartedService/GetStartedAt"
+	StartedService_StopService_FullMethodName             = "/daemon.StartedService/StopService"
+	StartedService_ReloadService_FullMethodName           = "/daemon.StartedService/ReloadService"
+	StartedService_SubscribeServiceStatus_FullMethodName  = "/daemon.StartedService/SubscribeServiceStatus"
+	StartedService_SubscribeLog_FullMethodName            = "/daemon.StartedService/SubscribeLog"
+	StartedService_GetDefaultLogLevel_FullMethodName      = "/daemon.StartedService/GetDefaultLogLevel"
+	StartedService_ClearLogs_FullMethodName               = "/daemon.StartedService/ClearLogs"
+	StartedService_SubscribeStatus_FullMethodName         = "/daemon.StartedService/SubscribeStatus"
+	StartedService_SubscribeGroups_FullMethodName         = "/daemon.StartedService/SubscribeGroups"
+	StartedService_GetClashModeStatus_FullMethodName      = "/daemon.StartedService/GetClashModeStatus"
+	StartedService_SubscribeClashMode_FullMethodName      = "/daemon.StartedService/SubscribeClashMode"
+	StartedService_SetClashMode_FullMethodName            = "/daemon.StartedService/SetClashMode"
+	StartedService_URLTest_FullMethodName                 = "/daemon.StartedService/URLTest"
+	StartedService_SelectOutbound_FullMethodName          = "/daemon.StartedService/SelectOutbound"
+	StartedService_SetGroupExpand_FullMethodName          = "/daemon.StartedService/SetGroupExpand"
+	StartedService_GetSystemProxyStatus_FullMethodName    = "/daemon.StartedService/GetSystemProxyStatus"
+	StartedService_SetSystemProxyEnabled_FullMethodName   = "/daemon.StartedService/SetSystemProxyEnabled"
+	StartedService_TriggerDebugCrash_FullMethodName       = "/daemon.StartedService/TriggerDebugCrash"
+	StartedService_TriggerOOMReport_FullMethodName        = "/daemon.StartedService/TriggerOOMReport"
+	StartedService_SubscribeConnections_FullMethodName    = "/daemon.StartedService/SubscribeConnections"
+	StartedService_CloseConnection_FullMethodName         = "/daemon.StartedService/CloseConnection"
+	StartedService_CloseAllConnections_FullMethodName     = "/daemon.StartedService/CloseAllConnections"
+	StartedService_GetDeprecatedWarnings_FullMethodName   = "/daemon.StartedService/GetDeprecatedWarnings"
+	StartedService_GetStartedAt_FullMethodName            = "/daemon.StartedService/GetStartedAt"
+	StartedService_ListOutbounds_FullMethodName           = "/daemon.StartedService/ListOutbounds"
+	StartedService_SubscribeOutbounds_FullMethodName      = "/daemon.StartedService/SubscribeOutbounds"
+	StartedService_StartNetworkQualityTest_FullMethodName = "/daemon.StartedService/StartNetworkQualityTest"
 )

 // StartedServiceClient is the client API for StartedService service.
@@ -58,11 +63,16 @@ type StartedServiceClient interface {
 	SetGroupExpand(ctx context.Context, in *SetGroupExpandRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetSystemProxyStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(ctx context.Context, in *SetSystemProxyEnabledRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
+	TriggerDebugCrash(ctx context.Context, in *DebugCrashRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
+	TriggerOOMReport(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error)
 	CloseConnection(ctx context.Context, in *CloseConnectionRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	CloseAllConnections(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*DeprecatedWarnings, error)
 	GetStartedAt(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*StartedAt, error)
+	ListOutbounds(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*OutboundList, error)
+	SubscribeOutbounds(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[OutboundList], error)
+	StartNetworkQualityTest(ctx context.Context, in *NetworkQualityTestRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[NetworkQualityTestProgress], error)
 }

 type startedServiceClient struct {
@@ -278,6 +288,26 @@ func (c *startedServiceClient) SetSystemProxyEnabled(ctx context.Context, in *Se
 	return out, nil
 }

+func (c *startedServiceClient) TriggerDebugCrash(ctx context.Context, in *DebugCrashRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(emptypb.Empty)
+	err := c.cc.Invoke(ctx, StartedService_TriggerDebugCrash_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *startedServiceClient) TriggerOOMReport(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(emptypb.Empty)
+	err := c.cc.Invoke(ctx, StartedService_TriggerOOMReport_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *startedServiceClient) SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[5], StartedService_SubscribeConnections_FullMethodName, cOpts...)
@@ -337,6 +367,54 @@ func (c *startedServiceClient) GetStartedAt(ctx context.Context, in *emptypb.Emp
 	return out, nil
 }

+func (c *startedServiceClient) ListOutbounds(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*OutboundList, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(OutboundList)
+	err := c.cc.Invoke(ctx, StartedService_ListOutbounds_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *startedServiceClient) SubscribeOutbounds(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[OutboundList], error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[6], StartedService_SubscribeOutbounds_FullMethodName, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &grpc.GenericClientStream[emptypb.Empty, OutboundList]{ClientStream: stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type StartedService_SubscribeOutboundsClient = grpc.ServerStreamingClient[OutboundList]
+
+func (c *startedServiceClient) StartNetworkQualityTest(ctx context.Context, in *NetworkQualityTestRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[NetworkQualityTestProgress], error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[7], StartedService_StartNetworkQualityTest_FullMethodName, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &grpc.GenericClientStream[NetworkQualityTestRequest, NetworkQualityTestProgress]{ClientStream: stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type StartedService_StartNetworkQualityTestClient = grpc.ServerStreamingClient[NetworkQualityTestProgress]
+
 // StartedServiceServer is the server API for StartedService service.
 // All implementations must embed UnimplementedStartedServiceServer
 // for forward compatibility.
@@ -357,11 +435,16 @@ type StartedServiceServer interface {
 	SetGroupExpand(context.Context, *SetGroupExpandRequest) (*emptypb.Empty, error)
 	GetSystemProxyStatus(context.Context, *emptypb.Empty) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(context.Context, *SetSystemProxyEnabledRequest) (*emptypb.Empty, error)
+	TriggerDebugCrash(context.Context, *DebugCrashRequest) (*emptypb.Empty, error)
+	TriggerOOMReport(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error
 	CloseConnection(context.Context, *CloseConnectionRequest) (*emptypb.Empty, error)
 	CloseAllConnections(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(context.Context, *emptypb.Empty) (*DeprecatedWarnings, error)
 	GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error)
+	ListOutbounds(context.Context, *emptypb.Empty) (*OutboundList, error)
+	SubscribeOutbounds(*emptypb.Empty, grpc.ServerStreamingServer[OutboundList]) error
+	StartNetworkQualityTest(*NetworkQualityTestRequest, grpc.ServerStreamingServer[NetworkQualityTestProgress]) error
 	mustEmbedUnimplementedStartedServiceServer()
 }

@@ -436,6 +519,14 @@ func (UnimplementedStartedServiceServer) SetSystemProxyEnabled(context.Context,
 	return nil, status.Error(codes.Unimplemented, "method SetSystemProxyEnabled not implemented")
 }

+func (UnimplementedStartedServiceServer) TriggerDebugCrash(context.Context, *DebugCrashRequest) (*emptypb.Empty, error) {
+	return nil, status.Error(codes.Unimplemented, "method TriggerDebugCrash not implemented")
+}
+
+func (UnimplementedStartedServiceServer) TriggerOOMReport(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
+	return nil, status.Error(codes.Unimplemented, "method TriggerOOMReport not implemented")
+}
+
 func (UnimplementedStartedServiceServer) SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeConnections not implemented")
 }
@@ -455,6 +546,18 @@ func (UnimplementedStartedServiceServer) GetDeprecatedWarnings(context.Context,
 func (UnimplementedStartedServiceServer) GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetStartedAt not implemented")
 }
+
+func (UnimplementedStartedServiceServer) ListOutbounds(context.Context, *emptypb.Empty) (*OutboundList, error) {
+	return nil, status.Error(codes.Unimplemented, "method ListOutbounds not implemented")
+}
+
+func (UnimplementedStartedServiceServer) SubscribeOutbounds(*emptypb.Empty, grpc.ServerStreamingServer[OutboundList]) error {
+	return status.Error(codes.Unimplemented, "method SubscribeOutbounds not implemented")
+}
+
+func (UnimplementedStartedServiceServer) StartNetworkQualityTest(*NetworkQualityTestRequest, grpc.ServerStreamingServer[NetworkQualityTestProgress]) error {
+	return status.Error(codes.Unimplemented, "method StartNetworkQualityTest not implemented")
+}
 func (UnimplementedStartedServiceServer) mustEmbedUnimplementedStartedServiceServer() {}
 func (UnimplementedStartedServiceServer) testEmbeddedByValue()                        {}

@@ -729,6 +832,42 @@ func _StartedService_SetSystemProxyEnabled_Handler(srv interface{}, ctx context.
 	return interceptor(ctx, in, info, handler)
 }

+func _StartedService_TriggerDebugCrash_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DebugCrashRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(StartedServiceServer).TriggerDebugCrash(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: StartedService_TriggerDebugCrash_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(StartedServiceServer).TriggerDebugCrash(ctx, req.(*DebugCrashRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _StartedService_TriggerOOMReport_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(emptypb.Empty)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(StartedServiceServer).TriggerOOMReport(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: StartedService_TriggerOOMReport_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(StartedServiceServer).TriggerOOMReport(ctx, req.(*emptypb.Empty))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _StartedService_SubscribeConnections_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(SubscribeConnectionsRequest)
 	if err := stream.RecvMsg(m); err != nil {
@@ -812,6 +951,46 @@ func _StartedService_GetStartedAt_Handler(srv interface{}, ctx context.Context,
 	return interceptor(ctx, in, info, handler)
 }

+func _StartedService_ListOutbounds_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(emptypb.Empty)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(StartedServiceServer).ListOutbounds(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: StartedService_ListOutbounds_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(StartedServiceServer).ListOutbounds(ctx, req.(*emptypb.Empty))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _StartedService_SubscribeOutbounds_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(emptypb.Empty)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(StartedServiceServer).SubscribeOutbounds(m, &grpc.GenericServerStream[emptypb.Empty, OutboundList]{ServerStream: stream})
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type StartedService_SubscribeOutboundsServer = grpc.ServerStreamingServer[OutboundList]
+
+func _StartedService_StartNetworkQualityTest_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(NetworkQualityTestRequest)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(StartedServiceServer).StartNetworkQualityTest(m, &grpc.GenericServerStream[NetworkQualityTestRequest, NetworkQualityTestProgress]{ServerStream: stream})
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type StartedService_StartNetworkQualityTestServer = grpc.ServerStreamingServer[NetworkQualityTestProgress]
+
 // StartedService_ServiceDesc is the grpc.ServiceDesc for StartedService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -863,6 +1042,14 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "SetSystemProxyEnabled",
 			Handler:    _StartedService_SetSystemProxyEnabled_Handler,
 		},
+		{
+			MethodName: "TriggerDebugCrash",
+			Handler:    _StartedService_TriggerDebugCrash_Handler,
+		},
+		{
+			MethodName: "TriggerOOMReport",
+			Handler:    _StartedService_TriggerOOMReport_Handler,
+		},
 		{
 			MethodName: "CloseConnection",
 			Handler:    _StartedService_CloseConnection_Handler,
@@ -879,6 +1066,10 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetStartedAt",
 			Handler:    _StartedService_GetStartedAt_Handler,
 		},
+		{
+			MethodName: "ListOutbounds",
+			Handler:    _StartedService_ListOutbounds_Handler,
+		},
 	},
 	Streams: []grpc.StreamDesc{
 		{
@@ -911,6 +1102,16 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			Handler:       _StartedService_SubscribeConnections_Handler,
 			ServerStreams: true,
 		},
+		{
+			StreamName:    "SubscribeOutbounds",
+			Handler:       _StartedService_SubscribeOutbounds_Handler,
+			ServerStreams: true,
+		},
+		{
+			StreamName:    "StartNetworkQualityTest",
+			Handler:       _StartedService_StartNetworkQualityTest_Handler,
+			ServerStreams: true,
+		},
 	},
 	Metadata: "daemon/started_service.proto",
 }
--- a/dns/client.go
+++ b/dns/client.go
@@ -5,7 +5,6 @@ import (
 	"errors"
 	"net"
 	"net/netip"
-	"strings"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@@ -14,7 +13,6 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
@@ -109,7 +107,7 @@ func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
 	return 0, false
 }

-func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
+func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
 			c.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
@@ -239,13 +237,10 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	disableCache = disableCache || (response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError)
 	if responseChecker != nil {
 		var rejected bool
-		// TODO: add accept_any rule and support to check response instead of addresses
 		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 			rejected = true
-		} else if len(response.Answer) == 0 {
-			rejected = !responseChecker(nil)
 		} else {
-			rejected = !responseChecker(MessageToAddresses(response))
+			rejected = !responseChecker(response)
 		}
 		if rejected {
 			if !disableCache && c.rdrc != nil {
@@ -315,7 +310,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	return response, nil
 }

-func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
+func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error) {
 	domain = FqdnToDomain(domain)
 	dnsName := dns.Fqdn(domain)
 	var strategy C.DomainStrategy
@@ -400,7 +395,7 @@ func (c *Client) storeCache(transport adapter.DNSTransport, question dns.Questio
 	}
 }

-func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
+func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error) {
 	question := dns.Question{
 		Name:   name,
 		Qtype:  qType,
@@ -515,25 +510,7 @@ func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransp
 }

 func MessageToAddresses(response *dns.Msg) []netip.Addr {
-	if response == nil || response.Rcode != dns.RcodeSuccess {
-		return nil
-	}
-	addresses := make([]netip.Addr, 0, len(response.Answer))
-	for _, rawAnswer := range response.Answer {
-		switch answer := rawAnswer.(type) {
-		case *dns.A:
-			addresses = append(addresses, M.AddrFromIP(answer.A))
-		case *dns.AAAA:
-			addresses = append(addresses, M.AddrFromIP(answer.AAAA))
-		case *dns.HTTPS:
-			for _, value := range answer.SVCB.Value {
-				if value.Key() == dns.SVCB_IPV4HINT || value.Key() == dns.SVCB_IPV6HINT {
-					addresses = append(addresses, common.Map(strings.Split(value.String(), ","), M.ParseAddr)...)
-				}
-			}
-		}
-	}
-	return addresses
+	return adapter.DNSResponseAddresses(response)
 }

 func wrapError(err error) error {
--- a/dns/repro_test.go
+++ b/dns/repro_test.go
@@ -0,0 +1,111 @@
+package dns
+
+import (
+	"context"
+	"net/netip"
+	"testing"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json/badoption"
+
+	mDNS "github.com/miekg/dns"
+	"github.com/stretchr/testify/require"
+)
+
+func TestReproLookupWithRulesUsesRequestStrategy(t *testing.T) {
+	t.Parallel()
+
+	defaultTransport := &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP}
+	var qTypes []uint16
+	router := newTestRouter(t, nil, &fakeDNSTransportManager{
+		defaultTransport: defaultTransport,
+		transports: map[string]adapter.DNSTransport{
+			"default": defaultTransport,
+		},
+	}, &fakeDNSClient{
+		exchange: func(transport adapter.DNSTransport, message *mDNS.Msg) (*mDNS.Msg, error) {
+			qTypes = append(qTypes, message.Question[0].Qtype)
+			if message.Question[0].Qtype == mDNS.TypeA {
+				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("2.2.2.2")}, 60), nil
+			}
+			return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("2001:db8::1")}, 60), nil
+		},
+	})
+
+	addresses, err := router.Lookup(context.Background(), "example.com", adapter.DNSQueryOptions{
+		Strategy: C.DomainStrategyIPv4Only,
+	})
+	require.NoError(t, err)
+	require.Equal(t, []uint16{mDNS.TypeA}, qTypes)
+	require.Equal(t, []netip.Addr{netip.MustParseAddr("2.2.2.2")}, addresses)
+}
+
+func TestReproLogicalMatchResponseIPCIDR(t *testing.T) {
+	t.Parallel()
+
+	transportManager := &fakeDNSTransportManager{
+		defaultTransport: &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP},
+		transports: map[string]adapter.DNSTransport{
+			"upstream": &fakeDNSTransport{tag: "upstream", transportType: C.DNSTypeUDP},
+			"selected": &fakeDNSTransport{tag: "selected", transportType: C.DNSTypeUDP},
+			"default":  &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP},
+		},
+	}
+	client := &fakeDNSClient{
+		exchange: func(transport adapter.DNSTransport, message *mDNS.Msg) (*mDNS.Msg, error) {
+			switch transport.Tag() {
+			case "upstream":
+				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("1.1.1.1")}, 60), nil
+			case "selected":
+				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("8.8.8.8")}, 60), nil
+			default:
+				return nil, E.New("unexpected transport")
+			}
+		},
+	}
+	rules := []option.DNSRule{
+		{
+			Type: C.RuleTypeDefault,
+			DefaultOptions: option.DefaultDNSRule{
+				RawDefaultDNSRule: option.RawDefaultDNSRule{
+					Domain: badoption.Listable[string]{"example.com"},
+				},
+				DNSRuleAction: option.DNSRuleAction{
+					Action:       C.RuleActionTypeEvaluate,
+					RouteOptions: option.DNSRouteActionOptions{Server: "upstream"},
+				},
+			},
+		},
+		{
+			Type: C.RuleTypeLogical,
+			LogicalOptions: option.LogicalDNSRule{
+				RawLogicalDNSRule: option.RawLogicalDNSRule{
+					Mode: C.LogicalTypeOr,
+					Rules: []option.DNSRule{{
+						Type: C.RuleTypeDefault,
+						DefaultOptions: option.DefaultDNSRule{
+							RawDefaultDNSRule: option.RawDefaultDNSRule{
+								MatchResponse: true,
+								IPCIDR:        badoption.Listable[string]{"1.1.1.0/24"},
+							},
+						},
+					}},
+				},
+				DNSRuleAction: option.DNSRuleAction{
+					Action:       C.RuleActionTypeRoute,
+					RouteOptions: option.DNSRouteActionOptions{Server: "selected"},
+				},
+			},
+		},
+	}
+	router := newTestRouter(t, rules, transportManager, client)
+
+	response, err := router.Exchange(context.Background(), &mDNS.Msg{
+		Question: []mDNS.Question{fixedQuestion("example.com", mDNS.TypeA)},
+	}, adapter.DNSQueryOptions{})
+	require.NoError(t, err)
+	require.Equal(t, []netip.Addr{netip.MustParseAddr("8.8.8.8")}, MessageToAddresses(response))
+}
--- a/dns/router.go
+++ b/dns/router.go
@@ -5,11 +5,13 @@ import (
 	"errors"
 	"net/netip"
 	"strings"
+	"sync"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	R "github.com/sagernet/sing-box/route/rule"
@@ -19,6 +21,7 @@ import (
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
 	"github.com/sagernet/sing/service"
@@ -26,7 +29,10 @@ import (
 	mDNS "github.com/miekg/dns"
 )

-var _ adapter.DNSRouter = (*Router)(nil)
+var (
+	_ adapter.DNSRouter                 = (*Router)(nil)
+	_ adapter.DNSRuleSetUpdateValidator = (*Router)(nil)
+)

 type Router struct {
 	ctx                   context.Context
@@ -34,10 +40,15 @@ type Router struct {
 	transport             adapter.DNSTransportManager
 	outbound              adapter.OutboundManager
 	client                adapter.DNSClient
+	rawRules              []option.DNSRule
 	rules                 []adapter.DNSRule
 	defaultDomainStrategy C.DomainStrategy
 	dnsReverseMapping     freelru.Cache[netip.Addr, string]
 	platformInterface     adapter.PlatformInterface
+	legacyDNSMode         bool
+	rulesAccess           sync.RWMutex
+	started               bool
+	closing               bool
 }

 func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOptions) *Router {
@@ -46,6 +57,7 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOp
 		logger:                logFactory.NewLogger("dns"),
 		transport:             service.FromContext[adapter.DNSTransportManager](ctx),
 		outbound:              service.FromContext[adapter.OutboundManager](ctx),
+		rawRules:              make([]option.DNSRule, 0, len(options.Rules)),
 		rules:                 make([]adapter.DNSRule, 0, len(options.Rules)),
 		defaultDomainStrategy: C.DomainStrategy(options.Strategy),
 	}
@@ -74,13 +86,12 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOp
 }

 func (r *Router) Initialize(rules []option.DNSRule) error {
-	for i, ruleOptions := range rules {
-		dnsRule, err := R.NewDNSRule(r.ctx, r.logger, ruleOptions, true)
-		if err != nil {
-			return E.Cause(err, "parse dns rule[", i, "]")
-		}
-		r.rules = append(r.rules, dnsRule)
+	r.rawRules = append(r.rawRules[:0], rules...)
+	newRules, _, _, err := r.buildRules(false)
+	if err != nil {
+		return err
 	}
+	closeRules(newRules)
 	return nil
 }

@@ -92,32 +103,146 @@ func (r *Router) Start(stage adapter.StartStage) error {
 		r.client.Start()
 		monitor.Finish()

-		for i, rule := range r.rules {
-			monitor.Start("initialize DNS rule[", i, "]")
-			err := rule.Start()
-			monitor.Finish()
-			if err != nil {
-				return E.Cause(err, "initialize DNS rule[", i, "]")
-			}
+		monitor.Start("initialize DNS rules")
+		newRules, legacyDNSMode, modeFlags, err := r.buildRules(true)
+		monitor.Finish()
+		if err != nil {
+			return err
+		}
+		r.rulesAccess.Lock()
+		if r.closing {
+			r.rulesAccess.Unlock()
+			closeRules(newRules)
+			return nil
+		}
+		r.rules = newRules
+		r.legacyDNSMode = legacyDNSMode
+		r.started = true
+		r.rulesAccess.Unlock()
+		if legacyDNSMode && common.Any(newRules, func(rule adapter.DNSRule) bool { return rule.WithAddressLimit() }) {
+			deprecated.Report(r.ctx, deprecated.OptionLegacyDNSAddressFilter)
+		}
+		if legacyDNSMode && modeFlags.neededFromStrategy {
+			deprecated.Report(r.ctx, deprecated.OptionLegacyDNSRuleStrategy)
 		}
 	}
 	return nil
 }

 func (r *Router) Close() error {
-	monitor := taskmonitor.New(r.logger, C.StopTimeout)
-	var err error
-	for i, rule := range r.rules {
-		monitor.Start("close dns rule[", i, "]")
-		err = E.Append(err, rule.Close(), func(err error) error {
-			return E.Cause(err, "close dns rule[", i, "]")
-		})
-		monitor.Finish()
+	r.rulesAccess.Lock()
+	if r.closing {
+		r.rulesAccess.Unlock()
+		return nil
 	}
-	return err
+	r.closing = true
+	runtimeRules := r.rules
+	r.rules = nil
+	r.rulesAccess.Unlock()
+	closeRules(runtimeRules)
+	return nil
 }

-func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int, isAddressQuery bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, adapter.DNSRule, int) {
+func (r *Router) buildRules(startRules bool) ([]adapter.DNSRule, bool, dnsRuleModeFlags, error) {
+	for i, ruleOptions := range r.rawRules {
+		err := R.ValidateNoNestedDNSRuleActions(ruleOptions)
+		if err != nil {
+			return nil, false, dnsRuleModeFlags{}, E.Cause(err, "parse dns rule[", i, "]")
+		}
+	}
+	router := service.FromContext[adapter.Router](r.ctx)
+	legacyDNSMode, modeFlags, err := resolveLegacyDNSMode(router, r.rawRules, nil)
+	if err != nil {
+		return nil, false, dnsRuleModeFlags{}, err
+	}
+	if !legacyDNSMode {
+		err = validateLegacyDNSModeDisabledRules(r.rawRules)
+		if err != nil {
+			return nil, false, dnsRuleModeFlags{}, err
+		}
+	}
+	err = validateEvaluateFakeIPRules(r.rawRules, r.transport)
+	if err != nil {
+		return nil, false, dnsRuleModeFlags{}, err
+	}
+	newRules := make([]adapter.DNSRule, 0, len(r.rawRules))
+	for i, ruleOptions := range r.rawRules {
+		var dnsRule adapter.DNSRule
+		dnsRule, err = R.NewDNSRule(r.ctx, r.logger, ruleOptions, true, legacyDNSMode)
+		if err != nil {
+			closeRules(newRules)
+			return nil, false, dnsRuleModeFlags{}, E.Cause(err, "parse dns rule[", i, "]")
+		}
+		newRules = append(newRules, dnsRule)
+	}
+	if startRules {
+		for i, rule := range newRules {
+			err = rule.Start()
+			if err != nil {
+				closeRules(newRules)
+				return nil, false, dnsRuleModeFlags{}, E.Cause(err, "initialize DNS rule[", i, "]")
+			}
+		}
+	}
+	return newRules, legacyDNSMode, modeFlags, nil
+}
+
+func closeRules(rules []adapter.DNSRule) {
+	for _, rule := range rules {
+		_ = rule.Close()
+	}
+}
+
+func (r *Router) ValidateRuleSetMetadataUpdate(tag string, metadata adapter.RuleSetMetadata) error {
+	if len(r.rawRules) == 0 {
+		return nil
+	}
+	router := service.FromContext[adapter.Router](r.ctx)
+	if router == nil {
+		return E.New("router service not found")
+	}
+	overrides := map[string]adapter.RuleSetMetadata{
+		tag: metadata,
+	}
+	r.rulesAccess.RLock()
+	started := r.started
+	legacyDNSMode := r.legacyDNSMode
+	closing := r.closing
+	r.rulesAccess.RUnlock()
+	if closing {
+		return nil
+	}
+	if !started {
+		candidateLegacyDNSMode, _, err := resolveLegacyDNSMode(router, r.rawRules, overrides)
+		if err != nil {
+			return err
+		}
+		if !candidateLegacyDNSMode {
+			return validateLegacyDNSModeDisabledRules(r.rawRules)
+		}
+		return nil
+	}
+	candidateLegacyDNSMode, flags, err := resolveLegacyDNSMode(router, r.rawRules, overrides)
+	if err != nil {
+		return err
+	}
+	if legacyDNSMode {
+		if !candidateLegacyDNSMode && flags.disabled {
+			err := validateLegacyDNSModeDisabledRules(r.rawRules)
+			if err != nil {
+				return err
+			}
+			return E.New(deprecated.OptionLegacyDNSAddressFilter.MessageWithLink())
+		}
+		return nil
+	}
+	if candidateLegacyDNSMode {
+		return E.New(deprecated.OptionLegacyDNSAddressFilter.MessageWithLink())
+	}
+	return nil
+}
+
+func (r *Router) matchDNS(ctx context.Context, rules []adapter.DNSRule, allowFakeIP bool, ruleIndex int, isAddressQuery bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, adapter.DNSRule, int) {
 	metadata := adapter.ContextFrom(ctx)
 	if metadata == nil {
 		panic("no context")
@@ -126,22 +251,18 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 	if ruleIndex != -1 {
 		currentRuleIndex = ruleIndex + 1
 	}
-	for ; currentRuleIndex < len(r.rules); currentRuleIndex++ {
-		currentRule := r.rules[currentRuleIndex]
+	for ; currentRuleIndex < len(rules); currentRuleIndex++ {
+		currentRule := rules[currentRuleIndex]
 		if currentRule.WithAddressLimit() && !isAddressQuery {
 			continue
 		}
 		metadata.ResetRuleCache()
-		if currentRule.Match(metadata) {
-			displayRuleIndex := currentRuleIndex
-			if displayRuleIndex != -1 {
-				displayRuleIndex += displayRuleIndex + 1
-			}
-			ruleDescription := currentRule.String()
-			if ruleDescription != "" {
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] ", currentRule, " => ", currentRule.Action())
+		metadata.DestinationAddressMatchFromResponse = false
+		if currentRule.LegacyPreMatch(metadata) {
+			if ruleDescription := currentRule.String(); ruleDescription != "" {
+				r.logger.DebugContext(ctx, "match[", currentRuleIndex, "] ", currentRule, " => ", currentRule.Action())
 			} else {
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+				r.logger.DebugContext(ctx, "match[", currentRuleIndex, "] => ", currentRule.Action())
 			}
 			switch action := currentRule.Action().(type) {
 			case *R.RuleActionDNSRoute:
@@ -166,14 +287,6 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 				if action.ClientSubnet.IsValid() {
 					options.ClientSubnet = action.ClientSubnet
 				}
-				if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-					if options.Strategy == C.DomainStrategyAsIS {
-						options.Strategy = legacyTransport.LegacyStrategy()
-					}
-					if !options.ClientSubnet.IsValid() {
-						options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-					}
-				}
 				return transport, currentRule, currentRuleIndex
 			case *R.RuleActionDNSRouteOptions:
 				if action.Strategy != C.DomainStrategyAsIS {
@@ -196,15 +309,270 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 		}
 	}
 	transport := r.transport.Default()
-	if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-		if options.Strategy == C.DomainStrategyAsIS {
-			options.Strategy = legacyTransport.LegacyStrategy()
+	return transport, nil, -1
+}
+
+func (r *Router) applyDNSRouteOptions(options *adapter.DNSQueryOptions, routeOptions R.RuleActionDNSRouteOptions) {
+	// Strategy is intentionally skipped here. A non-default DNS rule action strategy
+	// forces legacy mode via resolveLegacyDNSMode, so this path is only reachable
+	// when strategy remains at its default value.
+	if routeOptions.DisableCache {
+		options.DisableCache = true
+	}
+	if routeOptions.RewriteTTL != nil {
+		options.RewriteTTL = routeOptions.RewriteTTL
+	}
+	if routeOptions.ClientSubnet.IsValid() {
+		options.ClientSubnet = routeOptions.ClientSubnet
+	}
+}
+
+type dnsRouteStatus uint8
+
+const (
+	dnsRouteStatusMissing dnsRouteStatus = iota
+	dnsRouteStatusSkipped
+	dnsRouteStatusResolved
+)
+
+func (r *Router) resolveDNSRoute(server string, routeOptions R.RuleActionDNSRouteOptions, allowFakeIP bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, dnsRouteStatus) {
+	transport, loaded := r.transport.Transport(server)
+	if !loaded {
+		return nil, dnsRouteStatusMissing
+	}
+	isFakeIP := transport.Type() == C.DNSTypeFakeIP
+	if isFakeIP && !allowFakeIP {
+		return transport, dnsRouteStatusSkipped
+	}
+	r.applyDNSRouteOptions(options, routeOptions)
+	if isFakeIP {
+		options.DisableCache = true
+	}
+	return transport, dnsRouteStatusResolved
+}
+
+func (r *Router) logRuleMatch(ctx context.Context, ruleIndex int, currentRule adapter.DNSRule) {
+	if ruleDescription := currentRule.String(); ruleDescription != "" {
+		r.logger.DebugContext(ctx, "match[", ruleIndex, "] ", currentRule, " => ", currentRule.Action())
+	} else {
+		r.logger.DebugContext(ctx, "match[", ruleIndex, "] => ", currentRule.Action())
+	}
+}
+
+type exchangeWithRulesResult struct {
+	response     *mDNS.Msg
+	transport    adapter.DNSTransport
+	rejectAction *R.RuleActionReject
+	err          error
+}
+
+const dnsRespondMissingResponseMessage = "respond action requires an evaluated response from a preceding evaluate action"
+
+func (r *Router) exchangeWithRules(ctx context.Context, rules []adapter.DNSRule, message *mDNS.Msg, options adapter.DNSQueryOptions, allowFakeIP bool) exchangeWithRulesResult {
+	metadata := adapter.ContextFrom(ctx)
+	if metadata == nil {
+		panic("no context")
+	}
+	effectiveOptions := options
+	var evaluatedResponse *mDNS.Msg
+	var evaluatedTransport adapter.DNSTransport
+	for currentRuleIndex, currentRule := range rules {
+		metadata.ResetRuleCache()
+		metadata.DNSResponse = evaluatedResponse
+		metadata.DestinationAddressMatchFromResponse = false
+		if !currentRule.Match(metadata) {
+			continue
 		}
-		if !options.ClientSubnet.IsValid() {
-			options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+		r.logRuleMatch(ctx, currentRuleIndex, currentRule)
+		switch action := currentRule.Action().(type) {
+		case *R.RuleActionDNSRouteOptions:
+			r.applyDNSRouteOptions(&effectiveOptions, *action)
+		case *R.RuleActionEvaluate:
+			queryOptions := effectiveOptions
+			transport, loaded := r.transport.Transport(action.Server)
+			if !loaded {
+				r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
+				evaluatedResponse = nil
+				evaluatedTransport = nil
+				continue
+			}
+			r.applyDNSRouteOptions(&queryOptions, action.RuleActionDNSRouteOptions)
+			exchangeOptions := queryOptions
+			if exchangeOptions.Strategy == C.DomainStrategyAsIS {
+				exchangeOptions.Strategy = r.defaultDomainStrategy
+			}
+			response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
+			if err != nil {
+				r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
+				evaluatedResponse = nil
+				evaluatedTransport = nil
+				continue
+			}
+			evaluatedResponse = response
+			evaluatedTransport = transport
+		case *R.RuleActionRespond:
+			if evaluatedResponse == nil {
+				return exchangeWithRulesResult{
+					err: E.New(dnsRespondMissingResponseMessage),
+				}
+			}
+			return exchangeWithRulesResult{
+				response:  evaluatedResponse,
+				transport: evaluatedTransport,
+			}
+		case *R.RuleActionDNSRoute:
+			queryOptions := effectiveOptions
+			transport, status := r.resolveDNSRoute(action.Server, action.RuleActionDNSRouteOptions, allowFakeIP, &queryOptions)
+			switch status {
+			case dnsRouteStatusMissing:
+				r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
+				continue
+			case dnsRouteStatusSkipped:
+				continue
+			}
+			exchangeOptions := queryOptions
+			if exchangeOptions.Strategy == C.DomainStrategyAsIS {
+				exchangeOptions.Strategy = r.defaultDomainStrategy
+			}
+			response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
+			return exchangeWithRulesResult{
+				response:  response,
+				transport: transport,
+				err:       err,
+			}
+		case *R.RuleActionReject:
+			switch action.Method {
+			case C.RuleActionRejectMethodDefault:
+				return exchangeWithRulesResult{
+					response: &mDNS.Msg{
+						MsgHdr: mDNS.MsgHdr{
+							Id:       message.Id,
+							Rcode:    mDNS.RcodeRefused,
+							Response: true,
+						},
+						Question: []mDNS.Question{message.Question[0]},
+					},
+					rejectAction: action,
+				}
+			case C.RuleActionRejectMethodDrop:
+				return exchangeWithRulesResult{
+					rejectAction: action,
+					err:          tun.ErrDrop,
+				}
+			}
+		case *R.RuleActionPredefined:
+			return exchangeWithRulesResult{
+				response: action.Response(message),
+			}
 		}
 	}
-	return transport, nil, -1
+	transport := r.transport.Default()
+	exchangeOptions := effectiveOptions
+	if exchangeOptions.Strategy == C.DomainStrategyAsIS {
+		exchangeOptions.Strategy = r.defaultDomainStrategy
+	}
+	response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
+	return exchangeWithRulesResult{
+		response:  response,
+		transport: transport,
+		err:       err,
+	}
+}
+
+func (r *Router) resolveLookupStrategy(options adapter.DNSQueryOptions) C.DomainStrategy {
+	if options.LookupStrategy != C.DomainStrategyAsIS {
+		return options.LookupStrategy
+	}
+	if options.Strategy != C.DomainStrategyAsIS {
+		return options.Strategy
+	}
+	return r.defaultDomainStrategy
+}
+
+func withLookupQueryMetadata(ctx context.Context, qType uint16) context.Context {
+	ctx, metadata := adapter.ExtendContext(ctx)
+	metadata.QueryType = qType
+	metadata.IPVersion = 0
+	switch qType {
+	case mDNS.TypeA:
+		metadata.IPVersion = 4
+	case mDNS.TypeAAAA:
+		metadata.IPVersion = 6
+	}
+	return ctx
+}
+
+func filterAddressesByQueryType(addresses []netip.Addr, qType uint16) []netip.Addr {
+	switch qType {
+	case mDNS.TypeA:
+		return common.Filter(addresses, func(address netip.Addr) bool {
+			return address.Is4()
+		})
+	case mDNS.TypeAAAA:
+		return common.Filter(addresses, func(address netip.Addr) bool {
+			return address.Is6()
+		})
+	default:
+		return addresses
+	}
+}
+
+func (r *Router) lookupWithRules(ctx context.Context, rules []adapter.DNSRule, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
+	strategy := r.resolveLookupStrategy(options)
+	lookupOptions := options
+	if strategy != C.DomainStrategyAsIS {
+		lookupOptions.Strategy = strategy
+	}
+	if strategy == C.DomainStrategyIPv4Only {
+		return r.lookupWithRulesType(ctx, rules, domain, mDNS.TypeA, lookupOptions)
+	}
+	if strategy == C.DomainStrategyIPv6Only {
+		return r.lookupWithRulesType(ctx, rules, domain, mDNS.TypeAAAA, lookupOptions)
+	}
+	var (
+		response4 []netip.Addr
+		response6 []netip.Addr
+	)
+	var group task.Group
+	group.Append("exchange4", func(ctx context.Context) error {
+		result, err := r.lookupWithRulesType(ctx, rules, domain, mDNS.TypeA, lookupOptions)
+		response4 = result
+		return err
+	})
+	group.Append("exchange6", func(ctx context.Context) error {
+		result, err := r.lookupWithRulesType(ctx, rules, domain, mDNS.TypeAAAA, lookupOptions)
+		response6 = result
+		return err
+	})
+	err := group.Run(ctx)
+	if len(response4) == 0 && len(response6) == 0 {
+		return nil, err
+	}
+	return sortAddresses(response4, response6, strategy), nil
+}
+
+func (r *Router) lookupWithRulesType(ctx context.Context, rules []adapter.DNSRule, domain string, qType uint16, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
+	request := &mDNS.Msg{
+		MsgHdr: mDNS.MsgHdr{
+			RecursionDesired: true,
+		},
+		Question: []mDNS.Question{{
+			Name:   mDNS.Fqdn(domain),
+			Qtype:  qType,
+			Qclass: mDNS.ClassINET,
+		}},
+	}
+	exchangeResult := r.exchangeWithRules(withLookupQueryMetadata(ctx, qType), rules, request, options, false)
+	if exchangeResult.rejectAction != nil {
+		return nil, exchangeResult.rejectAction.Error(ctx)
+	}
+	if exchangeResult.err != nil {
+		return nil, exchangeResult.err
+	}
+	if exchangeResult.response.Rcode != mDNS.RcodeSuccess {
+		return nil, RcodeError(exchangeResult.response.Rcode)
+	}
+	return filterAddressesByQueryType(MessageToAddresses(exchangeResult.response), qType), nil
 }

 func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
@@ -220,6 +588,13 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 		}
 		return &responseMessage, nil
 	}
+	r.rulesAccess.RLock()
+	defer r.rulesAccess.RUnlock()
+	if r.closing {
+		return nil, E.New("dns router closed")
+	}
+	rules := r.rules
+	legacyDNSMode := r.legacyDNSMode
 	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
 	var (
 		response  *mDNS.Msg
@@ -230,6 +605,8 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	ctx, metadata = adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
 	metadata.QueryType = message.Question[0].Qtype
+	metadata.DNSResponse = nil
+	metadata.DestinationAddressMatchFromResponse = false
 	switch metadata.QueryType {
 	case mDNS.TypeA:
 		metadata.IPVersion = 4
@@ -239,18 +616,13 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	metadata.Domain = FqdnToDomain(message.Question[0].Name)
 	if options.Transport != nil {
 		transport = options.Transport
-		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = legacyTransport.LegacyStrategy()
-			}
-			if !options.ClientSubnet.IsValid() {
-				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-			}
-		}
 		if options.Strategy == C.DomainStrategyAsIS {
 			options.Strategy = r.defaultDomainStrategy
 		}
 		response, err = r.client.Exchange(ctx, transport, message, options, nil)
+	} else if !legacyDNSMode {
+		exchangeResult := r.exchangeWithRules(ctx, rules, message, options, true)
+		response, transport, err = exchangeResult.response, exchangeResult.transport, exchangeResult.err
 	} else {
 		var (
 			rule      adapter.DNSRule
@@ -260,7 +632,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 		for {
 			dnsCtx := adapter.OverrideContext(ctx)
 			dnsOptions := options
-			transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &dnsOptions)
+			transport, rule, ruleIndex = r.matchDNS(ctx, rules, true, ruleIndex, isAddressQuery(message), &dnsOptions)
 			if rule != nil {
 				switch action := rule.Action().(type) {
 				case *R.RuleActionReject:
@@ -278,7 +650,9 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 						return nil, tun.ErrDrop
 					}
 				case *R.RuleActionPredefined:
-					return action.Response(message), nil
+					err = nil
+					response = action.Response(message)
+					goto done
 				}
 			}
 			responseCheck := addressLimitResponseCheck(rule, metadata)
@@ -306,6 +680,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 			break
 		}
 	}
+done:
 	if err != nil {
 		return nil, err
 	}
@@ -325,6 +700,13 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 }

 func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
+	r.rulesAccess.RLock()
+	defer r.rulesAccess.RUnlock()
+	if r.closing {
+		return nil, E.New("dns router closed")
+	}
+	rules := r.rules
+	legacyDNSMode := r.legacyDNSMode
 	var (
 		responseAddrs []netip.Addr
 		err           error
@@ -338,6 +720,8 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 				r.logger.DebugContext(ctx, "response rejected for ", domain, " (cached)")
 			} else if errors.Is(err, ErrResponseRejected) {
 				r.logger.DebugContext(ctx, "response rejected for ", domain)
+			} else if R.IsRejected(err) {
+				r.logger.DebugContext(ctx, "lookup rejected for ", domain)
 			} else {
 				r.logger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
 			}
@@ -350,20 +734,16 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
 	metadata.Domain = FqdnToDomain(domain)
+	metadata.DNSResponse = nil
+	metadata.DestinationAddressMatchFromResponse = false
 	if options.Transport != nil {
 		transport := options.Transport
-		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = legacyTransport.LegacyStrategy()
-			}
-			if !options.ClientSubnet.IsValid() {
-				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-			}
-		}
 		if options.Strategy == C.DomainStrategyAsIS {
 			options.Strategy = r.defaultDomainStrategy
 		}
 		responseAddrs, err = r.client.Lookup(ctx, transport, domain, options, nil)
+	} else if !legacyDNSMode {
+		responseAddrs, err = r.lookupWithRules(ctx, rules, domain, options)
 	} else {
 		var (
 			transport adapter.DNSTransport
@@ -374,7 +754,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 		for {
 			dnsCtx := adapter.OverrideContext(ctx)
 			dnsOptions := options
-			transport, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex, true, &dnsOptions)
+			transport, rule, ruleIndex = r.matchDNS(ctx, rules, false, ruleIndex, true, &dnsOptions)
 			if rule != nil {
 				switch action := rule.Action().(type) {
 				case *R.RuleActionReject:
@@ -425,15 +805,14 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }

-func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
+func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(response *mDNS.Msg) bool {
 	if rule == nil || !rule.WithAddressLimit() {
 		return nil
 	}
 	responseMetadata := *metadata
-	return func(responseAddrs []netip.Addr) bool {
+	return func(response *mDNS.Msg) bool {
 		checkMetadata := responseMetadata
-		checkMetadata.DestinationAddresses = responseAddrs
-		return rule.MatchAddressLimit(&checkMetadata)
+		return rule.MatchAddressLimit(&checkMetadata, response)
 	}
 }

@@ -458,3 +837,268 @@ func (r *Router) ResetNetwork() {
 		transport.Reset()
 	}
 }
+
+func defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule option.DefaultDNSRule) bool {
+	if rule.IPAcceptAny || rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
+		return true
+	}
+	return !rule.MatchResponse && (len(rule.IPCIDR) > 0 || rule.IPIsPrivate)
+}
+
+func hasResponseMatchFields(rule option.DefaultDNSRule) bool {
+	return rule.ResponseRcode != nil ||
+		len(rule.ResponseAnswer) > 0 ||
+		len(rule.ResponseNs) > 0 ||
+		len(rule.ResponseExtra) > 0
+}
+
+func defaultRuleDisablesLegacyDNSMode(rule option.DefaultDNSRule) bool {
+	return rule.MatchResponse ||
+		hasResponseMatchFields(rule) ||
+		rule.Action == C.RuleActionTypeEvaluate ||
+		rule.Action == C.RuleActionTypeRespond ||
+		rule.IPVersion > 0 ||
+		len(rule.QueryType) > 0
+}
+
+type dnsRuleModeFlags struct {
+	disabled           bool
+	needed             bool
+	neededFromStrategy bool
+}
+
+func (f *dnsRuleModeFlags) merge(other dnsRuleModeFlags) {
+	f.disabled = f.disabled || other.disabled
+	f.needed = f.needed || other.needed
+	f.neededFromStrategy = f.neededFromStrategy || other.neededFromStrategy
+}
+
+func resolveLegacyDNSMode(router adapter.Router, rules []option.DNSRule, metadataOverrides map[string]adapter.RuleSetMetadata) (bool, dnsRuleModeFlags, error) {
+	flags, err := dnsRuleModeRequirements(router, rules, metadataOverrides)
+	if err != nil {
+		return false, flags, err
+	}
+	if flags.disabled && flags.neededFromStrategy {
+		return false, flags, E.New(deprecated.OptionLegacyDNSRuleStrategy.MessageWithLink())
+	}
+	if flags.disabled {
+		return false, flags, nil
+	}
+	return flags.needed, flags, nil
+}
+
+func dnsRuleModeRequirements(router adapter.Router, rules []option.DNSRule, metadataOverrides map[string]adapter.RuleSetMetadata) (dnsRuleModeFlags, error) {
+	var flags dnsRuleModeFlags
+	for i, rule := range rules {
+		ruleFlags, err := dnsRuleModeRequirementsInRule(router, rule, metadataOverrides)
+		if err != nil {
+			return dnsRuleModeFlags{}, E.Cause(err, "dns rule[", i, "]")
+		}
+		flags.merge(ruleFlags)
+	}
+	return flags, nil
+}
+
+func dnsRuleModeRequirementsInRule(router adapter.Router, rule option.DNSRule, metadataOverrides map[string]adapter.RuleSetMetadata) (dnsRuleModeFlags, error) {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		return dnsRuleModeRequirementsInDefaultRule(router, rule.DefaultOptions, metadataOverrides)
+	case C.RuleTypeLogical:
+		flags := dnsRuleModeFlags{
+			disabled:           dnsRuleActionType(rule) == C.RuleActionTypeEvaluate || dnsRuleActionType(rule) == C.RuleActionTypeRespond,
+			neededFromStrategy: dnsRuleActionHasStrategy(rule.LogicalOptions.DNSRuleAction),
+		}
+		flags.needed = flags.neededFromStrategy
+		for i, subRule := range rule.LogicalOptions.Rules {
+			subFlags, err := dnsRuleModeRequirementsInRule(router, subRule, metadataOverrides)
+			if err != nil {
+				return dnsRuleModeFlags{}, E.Cause(err, "sub rule[", i, "]")
+			}
+			flags.merge(subFlags)
+		}
+		return flags, nil
+	default:
+		return dnsRuleModeFlags{}, nil
+	}
+}
+
+func dnsRuleModeRequirementsInDefaultRule(router adapter.Router, rule option.DefaultDNSRule, metadataOverrides map[string]adapter.RuleSetMetadata) (dnsRuleModeFlags, error) {
+	flags := dnsRuleModeFlags{
+		disabled:           defaultRuleDisablesLegacyDNSMode(rule),
+		neededFromStrategy: dnsRuleActionHasStrategy(rule.DNSRuleAction),
+	}
+	flags.needed = defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule) || flags.neededFromStrategy
+	if len(rule.RuleSet) == 0 {
+		return flags, nil
+	}
+	if router == nil {
+		return dnsRuleModeFlags{}, E.New("router service not found")
+	}
+	for _, tag := range rule.RuleSet {
+		metadata, err := lookupDNSRuleSetMetadata(router, tag, metadataOverrides)
+		if err != nil {
+			return dnsRuleModeFlags{}, err
+		}
+		// ip_version is not a headless-rule item, so ContainsIPVersionRule is intentionally absent.
+		flags.disabled = flags.disabled || metadata.ContainsDNSQueryTypeRule
+		if !rule.RuleSetIPCIDRMatchSource && metadata.ContainsIPCIDRRule {
+			flags.needed = true
+		}
+	}
+	return flags, nil
+}
+
+func lookupDNSRuleSetMetadata(router adapter.Router, tag string, metadataOverrides map[string]adapter.RuleSetMetadata) (adapter.RuleSetMetadata, error) {
+	if metadataOverrides != nil {
+		if metadata, loaded := metadataOverrides[tag]; loaded {
+			return metadata, nil
+		}
+	}
+	ruleSet, loaded := router.RuleSet(tag)
+	if !loaded {
+		return adapter.RuleSetMetadata{}, E.New("rule-set not found: ", tag)
+	}
+	return ruleSet.Metadata(), nil
+}
+
+func referencedDNSRuleSetTags(rules []option.DNSRule) []string {
+	tagMap := make(map[string]bool)
+	var walkRule func(rule option.DNSRule)
+	walkRule = func(rule option.DNSRule) {
+		switch rule.Type {
+		case "", C.RuleTypeDefault:
+			for _, tag := range rule.DefaultOptions.RuleSet {
+				tagMap[tag] = true
+			}
+		case C.RuleTypeLogical:
+			for _, subRule := range rule.LogicalOptions.Rules {
+				walkRule(subRule)
+			}
+		}
+	}
+	for _, rule := range rules {
+		walkRule(rule)
+	}
+	tags := make([]string, 0, len(tagMap))
+	for tag := range tagMap {
+		if tag != "" {
+			tags = append(tags, tag)
+		}
+	}
+	return tags
+}
+
+func validateLegacyDNSModeDisabledRules(rules []option.DNSRule) error {
+	var seenEvaluate bool
+	for i, rule := range rules {
+		requiresPriorEvaluate, err := validateLegacyDNSModeDisabledRuleTree(rule)
+		if err != nil {
+			return E.Cause(err, "validate dns rule[", i, "]")
+		}
+		if requiresPriorEvaluate && !seenEvaluate {
+			return E.New("dns rule[", i, "]: response-based matching requires a preceding evaluate action")
+		}
+		if dnsRuleActionType(rule) == C.RuleActionTypeEvaluate {
+			seenEvaluate = true
+		}
+	}
+	return nil
+}
+
+func validateEvaluateFakeIPRules(rules []option.DNSRule, transportManager adapter.DNSTransportManager) error {
+	if transportManager == nil {
+		return nil
+	}
+	for i, rule := range rules {
+		if dnsRuleActionType(rule) != C.RuleActionTypeEvaluate {
+			continue
+		}
+		server := dnsRuleActionServer(rule)
+		if server == "" {
+			continue
+		}
+		transport, loaded := transportManager.Transport(server)
+		if !loaded || transport.Type() != C.DNSTypeFakeIP {
+			continue
+		}
+		return E.New("dns rule[", i, "]: evaluate action cannot use fakeip server: ", server)
+	}
+	return nil
+}
+
+func validateLegacyDNSModeDisabledRuleTree(rule option.DNSRule) (bool, error) {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		return validateLegacyDNSModeDisabledDefaultRule(rule.DefaultOptions)
+	case C.RuleTypeLogical:
+		requiresPriorEvaluate := dnsRuleActionType(rule) == C.RuleActionTypeRespond
+		for i, subRule := range rule.LogicalOptions.Rules {
+			subRequiresPriorEvaluate, err := validateLegacyDNSModeDisabledRuleTree(subRule)
+			if err != nil {
+				return false, E.Cause(err, "sub rule[", i, "]")
+			}
+			requiresPriorEvaluate = requiresPriorEvaluate || subRequiresPriorEvaluate
+		}
+		return requiresPriorEvaluate, nil
+	default:
+		return false, nil
+	}
+}
+
+func validateLegacyDNSModeDisabledDefaultRule(rule option.DefaultDNSRule) (bool, error) {
+	hasResponseRecords := hasResponseMatchFields(rule)
+	if (hasResponseRecords || len(rule.IPCIDR) > 0 || rule.IPIsPrivate) && !rule.MatchResponse {
+		return false, E.New("Response Match Fields (ip_cidr, ip_is_private, response_rcode, response_answer, response_ns, response_extra) require match_response to be enabled")
+	}
+	// Intentionally do not reject rule_set here. A referenced rule set may mix
+	// destination-IP predicates with pre-response predicates such as domain items.
+	// When match_response is false, those destination-IP branches fail closed during
+	// pre-response evaluation instead of consuming DNS response state, while sibling
+	// non-response branches remain matchable.
+	if rule.IPAcceptAny { //nolint:staticcheck
+		return false, E.New(deprecated.OptionIPAcceptAny.MessageWithLink())
+	}
+	if rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
+		return false, E.New(deprecated.OptionRuleSetIPCIDRAcceptEmpty.MessageWithLink())
+	}
+	return rule.MatchResponse || rule.Action == C.RuleActionTypeRespond, nil
+}
+
+func dnsRuleActionHasStrategy(action option.DNSRuleAction) bool {
+	switch action.Action {
+	case "", C.RuleActionTypeRoute, C.RuleActionTypeEvaluate:
+		return C.DomainStrategy(action.RouteOptions.Strategy) != C.DomainStrategyAsIS
+	case C.RuleActionTypeRouteOptions:
+		return C.DomainStrategy(action.RouteOptionsOptions.Strategy) != C.DomainStrategyAsIS
+	default:
+		return false
+	}
+}
+
+func dnsRuleActionType(rule option.DNSRule) string {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		if rule.DefaultOptions.Action == "" {
+			return C.RuleActionTypeRoute
+		}
+		return rule.DefaultOptions.Action
+	case C.RuleTypeLogical:
+		if rule.LogicalOptions.Action == "" {
+			return C.RuleActionTypeRoute
+		}
+		return rule.LogicalOptions.Action
+	default:
+		return ""
+	}
+}
+
+func dnsRuleActionServer(rule option.DNSRule) string {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		return rule.DefaultOptions.RouteOptions.Server
+	case C.RuleTypeLogical:
+		return rule.LogicalOptions.RouteOptions.Server
+	default:
+		return ""
+	}
+}
--- a/dns/router_test.go
+++ b/dns/router_test.go
--- a/dns/transport_adapter.go
+++ b/dns/transport_adapter.go
@@ -1,21 +1,13 @@
 package dns

 import (
-	"net/netip"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 )

-var _ adapter.LegacyDNSTransport = (*TransportAdapter)(nil)
-
 type TransportAdapter struct {
 	transportType string
 	transportTag  string
 	dependencies  []string
-	strategy      C.DomainStrategy
-	clientSubnet  netip.Prefix
 }

 func NewTransportAdapter(transportType string, transportTag string, dependencies []string) TransportAdapter {
@@ -35,8 +27,6 @@ func NewTransportAdapterWithLocalOptions(transportType string, transportTag stri
 		transportType: transportType,
 		transportTag:  transportTag,
 		dependencies:  dependencies,
-		strategy:      C.DomainStrategy(localOptions.LegacyStrategy),
-		clientSubnet:  localOptions.LegacyClientSubnet,
 	}
 }

@@ -45,15 +35,10 @@ func NewTransportAdapterWithRemoteOptions(transportType string, transportTag str
 	if remoteOptions.DomainResolver != nil && remoteOptions.DomainResolver.Server != "" {
 		dependencies = append(dependencies, remoteOptions.DomainResolver.Server)
 	}
-	if remoteOptions.LegacyAddressResolver != "" {
-		dependencies = append(dependencies, remoteOptions.LegacyAddressResolver)
-	}
 	return TransportAdapter{
 		transportType: transportType,
 		transportTag:  transportTag,
 		dependencies:  dependencies,
-		strategy:      C.DomainStrategy(remoteOptions.LegacyStrategy),
-		clientSubnet:  remoteOptions.LegacyClientSubnet,
 	}
 }

@@ -68,11 +53,3 @@ func (a *TransportAdapter) Tag() string {
 func (a *TransportAdapter) Dependencies() []string {
 	return a.dependencies
 }
-
-func (a *TransportAdapter) LegacyStrategy() C.DomainStrategy {
-	return a.strategy
-}
-
-func (a *TransportAdapter) LegacyClientSubnet() netip.Prefix {
-	return a.clientSubnet
-}
--- a/dns/transport_dialer.go
+++ b/dns/transport_dialer.go
@@ -2,104 +2,25 @@ package dns

 import (
 	"context"
-	"net"
-	"time"

-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 )

 func NewLocalDialer(ctx context.Context, options option.LocalDNSServerOptions) (N.Dialer, error) {
-	if options.LegacyDefaultDialer {
-		return dialer.NewDefaultOutbound(ctx), nil
-	} else {
-		return dialer.NewWithOptions(dialer.Options{
-			Context:         ctx,
-			Options:         options.DialerOptions,
-			DirectResolver:  true,
-			LegacyDNSDialer: options.Legacy,
-		})
-	}
+	return dialer.NewWithOptions(dialer.Options{
+		Context:        ctx,
+		Options:        options.DialerOptions,
+		DirectResolver: true,
+	})
 }

 func NewRemoteDialer(ctx context.Context, options option.RemoteDNSServerOptions) (N.Dialer, error) {
-	if options.LegacyDefaultDialer {
-		transportDialer := dialer.NewDefaultOutbound(ctx)
-		if options.LegacyAddressResolver != "" {
-			transport := service.FromContext[adapter.DNSTransportManager](ctx)
-			resolverTransport, loaded := transport.Transport(options.LegacyAddressResolver)
-			if !loaded {
-				return nil, E.New("address resolver not found: ", options.LegacyAddressResolver)
-			}
-			transportDialer = newTransportDialer(transportDialer, service.FromContext[adapter.DNSRouter](ctx), resolverTransport, C.DomainStrategy(options.LegacyAddressStrategy), time.Duration(options.LegacyAddressFallbackDelay))
-		} else if options.ServerIsDomain() {
-			return nil, E.New("missing address resolver for server: ", options.Server)
-		}
-		return transportDialer, nil
-	} else {
-		return dialer.NewWithOptions(dialer.Options{
-			Context:         ctx,
-			Options:         options.DialerOptions,
-			RemoteIsDomain:  options.ServerIsDomain(),
-			DirectResolver:  true,
-			LegacyDNSDialer: options.Legacy,
-		})
-	}
-}
-
-type legacyTransportDialer struct {
-	dialer        N.Dialer
-	dnsRouter     adapter.DNSRouter
-	transport     adapter.DNSTransport
-	strategy      C.DomainStrategy
-	fallbackDelay time.Duration
-}
-
-func newTransportDialer(dialer N.Dialer, dnsRouter adapter.DNSRouter, transport adapter.DNSTransport, strategy C.DomainStrategy, fallbackDelay time.Duration) *legacyTransportDialer {
-	return &legacyTransportDialer{
-		dialer,
-		dnsRouter,
-		transport,
-		strategy,
-		fallbackDelay,
-	}
-}
-
-func (d *legacyTransportDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	if destination.IsIP() {
-		return d.dialer.DialContext(ctx, network, destination)
-	}
-	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
-		Transport: d.transport,
-		Strategy:  d.strategy,
+	return dialer.NewWithOptions(dialer.Options{
+		Context:        ctx,
+		Options:        options.DialerOptions,
+		RemoteIsDomain: options.ServerIsDomain(),
+		DirectResolver: true,
 	})
-	if err != nil {
-		return nil, err
-	}
-	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == C.DomainStrategyPreferIPv6, d.fallbackDelay)
-}
-
-func (d *legacyTransportDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if destination.IsIP() {
-		return d.dialer.ListenPacket(ctx, destination)
-	}
-	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
-		Transport: d.transport,
-		Strategy:  d.strategy,
-	})
-	if err != nil {
-		return nil, err
-	}
-	conn, _, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
-	return conn, err
-}
-
-func (d *legacyTransportDialer) Upstream() any {
-	return d.dialer
 }
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,18 +2,58 @@
 icon: material/alert-decagram
 ---

+#### 1.14.0-alpha.9
+
+* Fixes and improvements
+
 #### 1.13.6

 * Fixes and improvements

+#### 1.14.0-alpha.8
+
+* Add BBR profile and hop interval randomization for Hysteria2 **1**
+* Fixes and improvements
+
+**1**:
+
+See [Hysteria2 Inbound](/configuration/inbound/hysteria2/#bbr_profile) and [Hysteria2 Outbound](/configuration/outbound/hysteria2/#bbr_profile).
+
+#### 1.14.0-alpha.8
+
+* Fixes and improvements
+
 #### 1.13.5

 * Fixes and improvements

+#### 1.14.0-alpha.7
+
+* Fixes and improvements
+
 #### 1.13.4

 * Fixes and improvements

+#### 1.14.0-alpha.4
+
+* Refactor ACME support to certificate provider system **1**
+* Add Cloudflare Origin CA certificate provider **2**
+* Add Tailscale certificate provider **3**
+* Fixes and improvements
+
+**1**:
+
+See [Certificate Provider](/configuration/shared/certificate-provider/) and [Migration](/migration/#migrate-inline-acme-to-certificate-provider).
+
+**2**:
+
+See [Cloudflare Origin CA](/configuration/shared/certificate-provider/cloudflare-origin-ca).
+
+**3**:
+
+See [Tailscale](/configuration/shared/certificate-provider/tailscale).
+
 #### 1.13.3

 * Add OpenWrt and Alpine APK packages to release **1**
@@ -38,6 +78,59 @@ from [SagerNet/go](https://github.com/SagerNet/go).

 See [OCM](/configuration/service/ocm).

+#### 1.12.24
+
+* Fixes and improvements
+
+#### 1.14.0-alpha.2
+
+* Add OpenWrt and Alpine APK packages to release **1**
+* Backport to macOS 10.13 High Sierra **2**
+* OCM service: Add WebSocket support for Responses API **3**
+* Fixes and improvements
+
+**1**:
+
+Alpine APK files use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix:
+
+- OpenWrt: `sing-box_{version}_openwrt_{architecture}.apk`
+- Alpine: `sing-box_{version}_linux_{architecture}.apk`
+
+**2**:
+
+Legacy macOS binaries (with `-legacy-macos-10.13` suffix) now support
+macOS 10.13 High Sierra, built using Go 1.25 with patches
+from [SagerNet/go](https://github.com/SagerNet/go).
+
+**3**:
+
+See [OCM](/configuration/service/ocm).
+
+#### 1.14.0-alpha.1
+
+* Add `source_mac_address` and `source_hostname` rule items **1**
+* Add `include_mac_address` and `exclude_mac_address` TUN options **2**
+* Update NaiveProxy to 145.0.7632.159 **3**
+* Fixes and improvements
+
+**1**:
+
+New rule items for matching LAN devices by MAC address and hostname via neighbor resolution.
+Supported on Linux, macOS, or in graphical clients on Android and macOS.
+
+See [Route Rule](/configuration/route/rule/#source_mac_address), [DNS Rule](/configuration/dns/rule/#source_mac_address) and [Neighbor Resolution](/configuration/shared/neighbor/).
+
+**2**:
+
+Limit or exclude devices from TUN routing by MAC address.
+Only supported on Linux with `auto_route` and `auto_redirect` enabled.
+
+See [TUN](/configuration/inbound/tun/#include_mac_address).
+
+**3**:
+
+This is not an official update from NaiveProxy. Instead, it's a Chromium codebase update maintained by Project S.
+
 #### 1.13.2

 * Fixes and improvements
@@ -659,7 +752,7 @@ DNS servers are refactored for better performance and scalability.

 See [DNS server](/configuration/dns/server/).

-For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers).
+For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-server-formats).

 Compatibility for old formats will be removed in sing-box 1.14.0.

@@ -1129,7 +1222,7 @@ DNS servers are refactored for better performance and scalability.

 See [DNS server](/configuration/dns/server/).

-For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers).
+For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-server-formats).

 Compatibility for old formats will be removed in sing-box 1.14.0.

@@ -1965,7 +2058,7 @@ See [Migration](/migration/#process_path-format-update-on-windows).
 The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
 if using this method.

-See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
+See [Legacy Address Filter Fields](/configuration/dns/rule#legacy-address-filter-fields).

 [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.

@@ -1979,7 +2072,7 @@ the [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users
 **5**:

 The new feature allows you to cache the check results of
-[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
+[Legacy Address Filter Fields](/configuration/dns/rule/#legacy-address-filter-fields) until expiration.

 **6**:

@@ -2160,7 +2253,7 @@ See [TUN](/configuration/inbound/tun) inbound.
 **1**:

 The new feature allows you to cache the check results of
-[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
+[Legacy Address Filter Fields](/configuration/dns/rule/#legacy-address-filter-fields) until expiration.

 #### 1.9.0-alpha.7

@@ -2207,7 +2300,7 @@ See [Migration](/migration/#process_path-format-update-on-windows).
 The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
 if using this method.

-See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
+See [Legacy Address Filter Fields](/configuration/dns/rule#legacy-address-filter-fields).

 [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.

--- a/docs/configuration/dns/fakeip.md
+++ b/docs/configuration/dns/fakeip.md
@@ -1,10 +1,10 @@
 ---
-icon: material/delete-clock
+icon: material/note-remove
 ---

-!!! failure "Deprecated in sing-box 1.12.0"
+!!! failure "Removed in sing-box 1.14.0"

-    Legacy fake-ip configuration is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
+    Legacy fake-ip configuration is deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-server-formats).

 ### Structure

@@ -26,6 +26,6 @@ Enable FakeIP service.

 IPv4 address range for FakeIP.

-#### inet6_address
+#### inet6_range

 IPv6 address range for FakeIP.
--- a/docs/configuration/dns/fakeip.zh.md
+++ b/docs/configuration/dns/fakeip.zh.md
@@ -1,10 +1,10 @@
 ---
-icon: material/delete-clock
+icon: material/note-remove
 ---

-!!! failure "已在 sing-box 1.12.0 废弃"
+!!! failure "已在 sing-box 1.14.0 移除"

-    旧的 fake-ip 配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
+    旧的 fake-ip 配置已在 sing-box 1.12.0 废弃且已在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。

 ### 结构

--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@@ -39,7 +39,7 @@ icon: material/alert-decagram
 |----------|---------------------------------|
 | `server` | List of [DNS Server](./server/) |
 | `rules`  | List of [DNS Rule](./rule/)     |
-| `fakeip` | [FakeIP](./fakeip/)             |
+| `fakeip` | :material-note-remove: [FakeIP](./fakeip/) |

 #### final

@@ -88,4 +88,4 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q

 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.

-Can be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.
+Can be overridden by `servers.[].client_subnet` or `rules.[].client_subnet`.
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@@ -88,6 +88,6 @@ LRU 缓存容量。

 可以被 `servers.[].client_subnet` 或 `rules.[].client_subnet` 覆盖。

-#### fakeip
+#### fakeip :material-note-remove:

 [FakeIP](./fakeip/) 设置。
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -2,6 +2,18 @@
 icon: material/alert-decagram
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [source_mac_address](#source_mac_address)  
+    :material-plus: [source_hostname](#source_hostname)  
+    :material-plus: [match_response](#match_response)  
+    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
+    :material-delete-clock: [ip_accept_any](#ip_accept_any)  
+    :material-plus: [response_rcode](#response_rcode)  
+    :material-plus: [response_answer](#response_answer)  
+    :material-plus: [response_ns](#response_ns)  
+    :material-plus: [response_extra](#response_extra)
+
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [interface_address](#interface_address)  
@@ -89,12 +101,6 @@ icon: material/alert-decagram
          "192.168.0.1"
        ],
        "source_ip_is_private": false,
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_is_private": false,
-        "ip_accept_any": false,
        "source_port": [
          12345
        ],
@@ -149,6 +155,12 @@ icon: material/alert-decagram
        "default_interface_address": [
          "2000::/3"
        ],
+        "source_mac_address": [
+          "00:11:22:33:44:55"
+        ],
+        "source_hostname": [
+          "my-device"
+        ],
        "wifi_ssid": [
          "My WIFI"
        ],
@@ -160,7 +172,16 @@ icon: material/alert-decagram
          "geosite-cn"
        ],
        "rule_set_ip_cidr_match_source": false,
-        "rule_set_ip_cidr_accept_empty": false,
+        "match_response": false,
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_is_private": false,
+        "response_rcode": "",
+        "response_answer": [],
+        "response_ns": [],
+        "response_extra": [],
        "invert": false,
        "outbound": [
          "direct"
@@ -169,7 +190,9 @@ icon: material/alert-decagram
        "server": "local",

        // Deprecated
-        
+
+        "ip_accept_any": false,
+        "rule_set_ip_cidr_accept_empty": false,
        "rule_set_ipcidr_match_source": false,
        "geosite": [
          "cn"
@@ -408,6 +431,26 @@ Matches network interface (same values as `network_type`) address.

 Match default interface address.

+#### source_mac_address
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
+
+Match source device MAC address.
+
+#### source_hostname
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
+
+Match source device hostname from DHCP leases.
+
 #### wifi_ssid

 !!! quote ""
@@ -446,6 +489,19 @@ Make `ip_cidr` rule items in rule-sets match the source IP.

 Make `ip_cidr` rule items in rule-sets match the source IP.

+#### match_response
+
+!!! question "Since sing-box 1.14.0"
+
+Enable response-based matching. When enabled, this rule matches against the evaluated response
+(set by a preceding [`evaluate`](/configuration/dns/rule_action/#evaluate) action)
+instead of only matching the original query.
+
+The evaluated response can also be returned directly by a later [`respond`](/configuration/dns/rule_action/#respond) action.
+
+Required for Response Match Fields (`response_rcode`, `response_answer`, `response_ns`, `response_extra`).
+Also required for `ip_cidr` and `ip_is_private` when used with `evaluate` or Response Match Fields.
+
 #### invert

 Invert match result.
@@ -490,7 +546,12 @@ See [DNS Rule Actions](../rule_action/) for details.

    Moved to [DNS Rule Action](../rule_action#route).

-### Address Filter Fields
+### Legacy Address Filter Fields
+
+!!! failure "Deprecated in sing-box 1.14.0"
+
+    Legacy Address Filter Fields are deprecated and will be removed in sing-box 1.16.0,
+    check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).

 Only takes effect for address requests (A/AAAA/HTTPS). When the query results do not match the address filtering rule items, the current rule will be skipped.

@@ -516,24 +577,73 @@ Match GeoIP with query response.

 Match IP CIDR with query response.

+As a Legacy Address Filter Field, deprecated. Use with `match_response` instead,
+check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
+
 #### ip_is_private

 !!! question "Since sing-box 1.9.0"

 Match private IP with query response.

+As a Legacy Address Filter Field, deprecated. Use with `match_response` instead,
+check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
+
 #### rule_set_ip_cidr_accept_empty

 !!! question "Since sing-box 1.10.0"

+!!! failure "Deprecated in sing-box 1.14.0"
+
+    `rule_set_ip_cidr_accept_empty` is deprecated and will be removed in sing-box 1.16.0,
+    check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
+
 Make `ip_cidr` rules in rule-sets accept empty query response.

 #### ip_accept_any

 !!! question "Since sing-box 1.12.0"

+!!! failure "Deprecated in sing-box 1.14.0"
+
+    `ip_accept_any` is deprecated and will be removed in sing-box 1.16.0,
+    check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
+
 Match any IP with query response.

+### Response Match Fields
+
+!!! question "Since sing-box 1.14.0"
+
+Match fields for the evaluated response. Require `match_response` to be set to `true`
+and a preceding rule with [`evaluate`](/configuration/dns/rule_action/#evaluate) action to populate the response.
+
+That evaluated response may also be returned directly by a later [`respond`](/configuration/dns/rule_action/#respond) action.
+
+#### response_rcode
+
+Match DNS response code.
+
+Accepted values are the same as in the [predefined action rcode](/configuration/dns/rule_action/#rcode).
+
+#### response_answer
+
+Match DNS answer records.
+
+Record format is the same as in [predefined action answer](/configuration/dns/rule_action/#answer).
+
+#### response_ns
+
+Match DNS name server records.
+
+Record format is the same as in [predefined action ns](/configuration/dns/rule_action/#ns).
+
+#### response_extra
+
+Match DNS extra records.
+
+Record format is the same as in [predefined action extra](/configuration/dns/rule_action/#extra).
+
 ### Logical Fields

 #### type
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -2,6 +2,18 @@
 icon: material/alert-decagram
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [source_mac_address](#source_mac_address)  
+    :material-plus: [source_hostname](#source_hostname)  
+    :material-plus: [match_response](#match_response)  
+    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
+    :material-delete-clock: [ip_accept_any](#ip_accept_any)  
+    :material-plus: [response_rcode](#response_rcode)  
+    :material-plus: [response_answer](#response_answer)  
+    :material-plus: [response_ns](#response_ns)  
+    :material-plus: [response_extra](#response_extra)
+
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [interface_address](#interface_address)  
@@ -89,12 +101,6 @@ icon: material/alert-decagram
          "192.168.0.1"
        ],
        "source_ip_is_private": false,
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_is_private": false,
-        "ip_accept_any": false,
        "source_port": [
          12345
        ],
@@ -149,6 +155,12 @@ icon: material/alert-decagram
        "default_interface_address": [
          "2000::/3"
        ],
+        "source_mac_address": [
+          "00:11:22:33:44:55"
+        ],
+        "source_hostname": [
+          "my-device"
+        ],
        "wifi_ssid": [
          "My WIFI"
        ],
@@ -160,7 +172,16 @@ icon: material/alert-decagram
          "geosite-cn"
        ],
        "rule_set_ip_cidr_match_source": false,
-        "rule_set_ip_cidr_accept_empty": false,
+        "match_response": false,
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_is_private": false,
+        "response_rcode": "",
+        "response_answer": [],
+        "response_ns": [],
+        "response_extra": [],
        "invert": false,
        "outbound": [
          "direct"
@@ -169,6 +190,9 @@ icon: material/alert-decagram
        "server": "local",

        // 已弃用
+
+        "ip_accept_any": false,
+        "rule_set_ip_cidr_accept_empty": false,
        "rule_set_ipcidr_match_source": false,
        "geosite": [
          "cn"
@@ -407,6 +431,26 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 匹配默认接口地址。

+#### source_mac_address
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
+
+匹配源设备 MAC 地址。
+
+#### source_hostname
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
+
+匹配源设备从 DHCP 租约获取的主机名。
+
 #### wifi_ssid

 !!! quote ""
@@ -445,6 +489,17 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 使规则集中的 `ip_cidr` 规则匹配源 IP。

+#### match_response
+
+!!! question "自 sing-box 1.14.0 起"
+
+启用响应匹配。启用后，此规则将匹配已评估的响应（由前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作设置），而不仅是匹配原始查询。
+
+该已评估的响应也可以被后续的 [`respond`](/zh/configuration/dns/rule_action/#respond) 动作直接返回。
+
+响应匹配字段（`response_rcode`、`response_answer`、`response_ns`、`response_extra`）需要此选项。
+当与 `evaluate` 或响应匹配字段一起使用时，`ip_cidr` 和 `ip_is_private` 也需要此选项。
+
 #### invert

 反选匹配结果。
@@ -489,7 +544,12 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

    已移动到 [DNS 规则动作](../rule_action#route).

-### 地址筛选字段
+### 旧版地址筛选字段
+
+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    旧版地址筛选字段已废弃，且将在 sing-box 1.16.0 中被移除，
+    参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。

 仅对地址请求 (A/AAAA/HTTPS) 生效。 当查询结果与地址筛选规则项不匹配时，将跳过当前规则。

@@ -516,24 +576,73 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 与查询响应匹配 IP CIDR。

+作为旧版地址筛选字段已废弃。请改为配合 `match_response` 使用，
+参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+
 #### ip_is_private

 !!! question "自 sing-box 1.9.0 起"

 与查询响应匹配非公开 IP。

-#### ip_accept_any
-
-!!! question "自 sing-box 1.12.0 起"
-
-匹配任意 IP。
+作为旧版地址筛选字段已废弃。请改为配合 `match_response` 使用，
+参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。

 #### rule_set_ip_cidr_accept_empty

 !!! question "自 sing-box 1.10.0 起"

+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    `rule_set_ip_cidr_accept_empty` 已废弃且将在 sing-box 1.16.0 中被移除，
+    参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+
 使规则集中的 `ip_cidr` 规则接受空查询响应。

+#### ip_accept_any
+
+!!! question "自 sing-box 1.12.0 起"
+
+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    `ip_accept_any` 已废弃且将在 sing-box 1.16.0 中被移除，
+    参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+
+匹配任意 IP。
+
+### 响应匹配字段
+
+!!! question "自 sing-box 1.14.0 起"
+
+已评估的响应的匹配字段。需要将 `match_response` 设为 `true`，
+且需要前序规则使用 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作来填充响应。
+
+该已评估的响应也可以被后续的 [`respond`](/zh/configuration/dns/rule_action/#respond) 动作直接返回。
+
+#### response_rcode
+
+匹配 DNS 响应码。
+
+接受的值与 [predefined 动作 rcode](/zh/configuration/dns/rule_action/#rcode) 中相同。
+
+#### response_answer
+
+匹配 DNS 应答记录。
+
+记录格式与 [predefined 动作 answer](/zh/configuration/dns/rule_action/#answer) 中相同。
+
+#### response_ns
+
+匹配 DNS 名称服务器记录。
+
+记录格式与 [predefined 动作 ns](/zh/configuration/dns/rule_action/#ns) 中相同。
+
+#### response_extra
+
+匹配 DNS 额外记录。
+
+记录格式与 [predefined 动作 extra](/zh/configuration/dns/rule_action/#extra) 中相同。
+
 ### 逻辑字段

 #### type
--- a/docs/configuration/dns/rule_action.md
+++ b/docs/configuration/dns/rule_action.md
@@ -2,6 +2,12 @@
 icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-delete-clock: [strategy](#strategy)  
+    :material-plus: [evaluate](#evaluate)  
+    :material-plus: [respond](#respond)
+
 !!! quote "Changes in sing-box 1.12.0"

    :material-plus: [strategy](#strategy)  
@@ -34,7 +40,11 @@ Tag of target server.

 !!! question "Since sing-box 1.12.0"

-Set domain strategy for this query.
+!!! failure "Deprecated in sing-box 1.14.0"
+
+    `strategy` is deprecated in sing-box 1.14.0 and will be removed in sing-box 1.16.0.
+
+Set domain strategy for this query. Deprecated, check [Migration](/migration/#migrate-dns-rule-action-strategy-to-rule-items).

 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.

@@ -52,7 +62,68 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q

 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.

-Will overrides `dns.client_subnet`.
+Will override `dns.client_subnet`.
+
+### evaluate
+
+!!! question "Since sing-box 1.14.0"
+
+```json
+{
+  "action": "evaluate",
+  "server": "",
+  "disable_cache": false,
+  "rewrite_ttl": null,
+  "client_subnet": null
+}
+```
+
+`evaluate` sends a DNS query to the specified server and saves the evaluated response for subsequent rules
+to match against using [`match_response`](/configuration/dns/rule/#match_response) and response fields.
+Unlike `route`, it does **not** terminate rule evaluation.
+
+Only allowed on top-level DNS rules (not inside logical sub-rules).
+Rules that use [`match_response`](/configuration/dns/rule/#match_response) or Response Match Fields
+require a preceding top-level rule with `evaluate` action. A rule's own `evaluate` action
+does not satisfy this requirement, because matching happens before the action runs.
+
+#### server
+
+==Required==
+
+Tag of target server.
+
+#### disable_cache
+
+Disable cache and save cache in this query.
+
+#### rewrite_ttl
+
+Rewrite TTL in DNS responses.
+
+#### client_subnet
+
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+
+Will override `dns.client_subnet`.
+
+### respond
+
+!!! question "Since sing-box 1.14.0"
+
+```json
+{
+  "action": "respond"
+}
+```
+
+`respond` terminates rule evaluation and returns the evaluated response from a preceding [`evaluate`](/configuration/dns/rule_action/#evaluate) action.
+
+This action does not send a new DNS query and has no extra options.
+
+Only allowed after a preceding top-level `evaluate` rule. If the action is reached without an evaluated response at runtime, the request fails with an error instead of falling through to later rules.

 ### route-options

--- a/docs/configuration/dns/rule_action.zh.md
+++ b/docs/configuration/dns/rule_action.zh.md
@@ -2,6 +2,12 @@
 icon: material/new-box
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-delete-clock: [strategy](#strategy)  
+    :material-plus: [evaluate](#evaluate)  
+    :material-plus: [respond](#respond)
+
 !!! quote "sing-box 1.12.0 中的更改"

    :material-plus: [strategy](#strategy)  
@@ -34,7 +40,11 @@ icon: material/new-box

 !!! question "自 sing-box 1.12.0 起"

-为此查询设置域名策略。
+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    `strategy` 已在 sing-box 1.14.0 废弃，且将在 sing-box 1.16.0 中被移除。
+
+为此查询设置域名策略。已废弃，参阅[迁移指南](/zh/migration/#迁移-dns-规则动作-strategy-到规则项)。

 可选项：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。

@@ -54,6 +64,65 @@ icon: material/new-box

 将覆盖 `dns.client_subnet`.

+### evaluate
+
+!!! question "自 sing-box 1.14.0 起"
+
+```json
+{
+  "action": "evaluate",
+  "server": "",
+  "disable_cache": false,
+  "rewrite_ttl": null,
+  "client_subnet": null
+}
+```
+
+`evaluate` 向指定服务器发送 DNS 查询并保存已评估的响应，供后续规则通过 [`match_response`](/zh/configuration/dns/rule/#match_response) 和响应字段进行匹配。与 `route` 不同，它**不会**终止规则评估。
+
+仅允许在顶层 DNS 规则中使用（不可在逻辑子规则内部使用）。
+使用 [`match_response`](/zh/configuration/dns/rule/#match_response) 或响应匹配字段的规则，
+需要位于更早的顶层 `evaluate` 规则之后。规则自身的 `evaluate` 动作不能满足这个条件，
+因为匹配发生在动作执行之前。
+
+#### server
+
+==必填==
+
+目标 DNS 服务器的标签。
+
+#### disable_cache
+
+在此查询中禁用缓存。
+
+#### rewrite_ttl
+
+重写 DNS 回应中的 TTL。
+
+#### client_subnet
+
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+
+将覆盖 `dns.client_subnet`.
+
+### respond
+
+!!! question "自 sing-box 1.14.0 起"
+
+```json
+{
+  "action": "respond"
+}
+```
+
+`respond` 会终止规则评估，并直接返回前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作保存的已评估的响应。
+
+此动作不会发起新的 DNS 查询，也没有额外选项。
+
+只能用于前面已有顶层 `evaluate` 规则的场景。如果运行时命中该动作时没有已评估的响应，则请求会直接返回错误，而不是继续匹配后续规则。
+
 ### route-options

 ```json
@@ -84,7 +153,7 @@ icon: material/new-box
 - `default`: 返回 REFUSED。
 - `drop`: 丢弃请求。

-默认使用 `defualt`。
+默认使用 `default`。

 #### no_drop

--- a/docs/configuration/dns/server/index.md
+++ b/docs/configuration/dns/server/index.md
@@ -29,7 +29,7 @@ The type of the DNS server.

 | Type            | Format                    |
 |-----------------|---------------------------|
-| empty (default) | [Legacy](./legacy/)       |
+| empty (default) | :material-note-remove: [Legacy](./legacy/) |
 | `local`         | [Local](./local/)         |
 | `hosts`         | [Hosts](./hosts/)         |
 | `tcp`           | [TCP](./tcp/)             |
--- a/docs/configuration/dns/server/index.zh.md
+++ b/docs/configuration/dns/server/index.zh.md
@@ -29,7 +29,7 @@ DNS 服务器的类型。

 | 类型              | 格式                        |
 |-----------------|---------------------------|
-| empty (default) | [Legacy](./legacy/)       |
+| empty (default) | :material-note-remove: [Legacy](./legacy/) |
 | `local`         | [Local](./local/)         |
 | `hosts`         | [Hosts](./hosts/)         |
 | `tcp`           | [TCP](./tcp/)             |
--- a/docs/configuration/dns/server/legacy.md
+++ b/docs/configuration/dns/server/legacy.md
@@ -1,10 +1,10 @@
 ---
-icon: material/delete-clock
+icon: material/note-remove
 ---

-!!! failure "Deprecated in sing-box 1.12.0"
+!!! failure "Removed in sing-box 1.14.0"

-    Legacy DNS servers is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
+    Legacy DNS servers are deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-server-formats).

 !!! quote "Changes in sing-box 1.9.0"

@@ -108,6 +108,6 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q

 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.

-Can be overrides by `rules.[].client_subnet`.
+Can be overridden by `rules.[].client_subnet`.

-Will overrides `dns.client_subnet`.
+Will override `dns.client_subnet`.
--- a/docs/configuration/dns/server/legacy.zh.md
+++ b/docs/configuration/dns/server/legacy.zh.md
@@ -1,10 +1,10 @@
 ---
-icon: material/delete-clock
+icon: material/note-remove
 ---

-!!! failure "Deprecated in sing-box 1.12.0"
+!!! failure "已在 sing-box 1.14.0 移除"

-    旧的 DNS 服务器配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
+    旧的 DNS 服务器配置已在 sing-box 1.12.0 废弃且已在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。

 !!! quote "sing-box 1.9.0 中的更改"

--- a/docs/configuration/experimental/cache-file.md
+++ b/docs/configuration/experimental/cache-file.md
@@ -44,7 +44,7 @@ Store fakeip in the cache file

 Store rejected DNS response cache in the cache file

-The check results of [Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields)
+The check results of [Legacy Address Filter Fields](/configuration/dns/rule/#legacy-address-filter-fields)
 will be cached until expiration.

 #### rdrc_timeout
--- a/docs/configuration/experimental/cache-file.zh.md
+++ b/docs/configuration/experimental/cache-file.zh.md
@@ -42,7 +42,7 @@

 将拒绝的 DNS 响应缓存存储在缓存文件中。

-[地址筛选 DNS 规则项](/zh/configuration/dns/rule/#地址筛选字段) 的检查结果将被缓存至过期。
+[旧版地址筛选字段](/zh/configuration/dns/rule/#旧版地址筛选字段) 的检查结果将被缓存至过期。

 #### rdrc_timeout

--- a/docs/configuration/inbound/hysteria2.md
+++ b/docs/configuration/inbound/hysteria2.md
@@ -2,6 +2,10 @@
 icon: material/alert-decagram
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [bbr_profile](#bbr_profile)
+
 !!! quote "Changes in sing-box 1.11.0"

    :material-alert: [masquerade](#masquerade)  
@@ -31,6 +35,7 @@ icon: material/alert-decagram
  "ignore_client_bandwidth": false,
  "tls": {},
  "masquerade": "", // or {}
+  "bbr_profile": "",
  "brutal_debug": false
 }
 ```
@@ -141,6 +146,14 @@ Fixed response headers.

 Fixed response content.

+#### bbr_profile
+
+!!! question "Since sing-box 1.14.0"
+
+BBR congestion control algorithm profile, one of `conservative` `standard` `aggressive`.
+
+`standard` is used by default.
+
 #### brutal_debug

 Enable debug information logging for Hysteria Brutal CC.
--- a/docs/configuration/inbound/hysteria2.zh.md
+++ b/docs/configuration/inbound/hysteria2.zh.md
@@ -2,6 +2,10 @@
 icon: material/alert-decagram
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [bbr_profile](#bbr_profile)
+
 !!! quote "sing-box 1.11.0 中的更改"

    :material-alert: [masquerade](#masquerade)  
@@ -31,6 +35,7 @@ icon: material/alert-decagram
  "ignore_client_bandwidth": false,
  "tls": {},
  "masquerade": "", // 或 {}
+  "bbr_profile": "",
  "brutal_debug": false
 }
 ```
@@ -138,6 +143,14 @@ HTTP3 服务器认证失败时的行为 （对象配置）。

 固定响应内容。

+#### bbr_profile
+
+!!! question "自 sing-box 1.14.0 起"
+
+BBR 拥塞控制算法配置，可选 `conservative` `standard` `aggressive`。
+
+默认使用 `standard`。
+
 #### brutal_debug

 启用 Hysteria Brutal CC 的调试信息日志记录。
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -4,7 +4,7 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.14.0"

-    :material-plus: [include_mac_address](#include_mac_address)
+    :material-plus: [include_mac_address](#include_mac_address)  
    :material-plus: [exclude_mac_address](#exclude_mac_address)

 !!! quote "Changes in sing-box 1.13.3"
@@ -134,6 +134,12 @@ icon: material/new-box
  "exclude_package": [
    "com.android.captiveportallogin"
  ],
+  "include_mac_address": [
+    "00:11:22:33:44:55"
+  ],
+  "exclude_mac_address": [
+    "66:77:88:99:aa:bb"
+  ],
  "platform": {
    "http_proxy": {
      "enabled": false,
@@ -560,6 +566,30 @@ Limit android packages in route.

 Exclude android packages in route.

+#### include_mac_address
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux with `auto_route` and `auto_redirect` enabled.
+
+Limit MAC addresses in route. Not limited by default.
+
+Conflict with `exclude_mac_address`.
+
+#### exclude_mac_address
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux with `auto_route` and `auto_redirect` enabled.
+
+Exclude MAC addresses in route.
+
+Conflict with `include_mac_address`.
+
 #### platform

 Platform-specific settings, provided by client applications.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -2,6 +2,11 @@
 icon: material/new-box
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [include_mac_address](#include_mac_address)  
+    :material-plus: [exclude_mac_address](#exclude_mac_address)
+
 !!! quote "sing-box 1.13.3 中的更改"

    :material-alert: [strict_route](#strict_route)
@@ -130,6 +135,12 @@ icon: material/new-box
  "exclude_package": [
    "com.android.captiveportallogin"
  ],
+  "include_mac_address": [
+    "00:11:22:33:44:55"
+  ],
+  "exclude_mac_address": [
+    "66:77:88:99:aa:bb"
+  ],
  "platform": {
    "http_proxy": {
      "enabled": false,
@@ -543,6 +554,30 @@ TCP/IP 栈。

 排除路由的 Android 应用包名。

+#### include_mac_address
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要 `auto_route` 和 `auto_redirect` 已启用。
+
+限制被路由的 MAC 地址。默认不限制。
+
+与 `exclude_mac_address` 冲突。
+
+#### exclude_mac_address
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要 `auto_route` 和 `auto_redirect` 已启用。
+
+排除路由的 MAC 地址。
+
+与 `include_mac_address` 冲突。
+
 #### platform

 平台特定的设置，由客户端应用提供。
--- a/docs/configuration/index.md
+++ b/docs/configuration/index.md
@@ -1,7 +1,6 @@
 # Introduction

 sing-box uses JSON for configuration files.
-
 ### Structure

 ```json
@@ -10,6 +9,7 @@ sing-box uses JSON for configuration files.
  "dns": {},
  "ntp": {},
  "certificate": {},
+  "certificate_providers": [],
  "endpoints": [],
  "inbounds": [],
  "outbounds": [],
@@ -27,6 +27,7 @@ sing-box uses JSON for configuration files.
 | `dns`          | [DNS](./dns/)                   |
 | `ntp`          | [NTP](./ntp/)                   |
 | `certificate`  | [Certificate](./certificate/)   |
+| `certificate_providers` | [Certificate Provider](./shared/certificate-provider/) |
 | `endpoints`    | [Endpoint](./endpoint/)         |
 | `inbounds`     | [Inbound](./inbound/)           |
 | `outbounds`    | [Outbound](./outbound/)         |
@@ -50,4 +51,4 @@ sing-box format -w -c config.json -D config_directory

 ```bash
 sing-box merge output.json -c config.json -D config_directory
-```
+```
--- a/docs/configuration/index.zh.md
+++ b/docs/configuration/index.zh.md
@@ -1,7 +1,6 @@
 # 引言

 sing-box 使用 JSON 作为配置文件格式。
-
 ### 结构

 ```json
@@ -10,6 +9,7 @@ sing-box 使用 JSON 作为配置文件格式。
  "dns": {},
  "ntp": {},
  "certificate": {},
+  "certificate_providers": [],
  "endpoints": [],
  "inbounds": [],
  "outbounds": [],
@@ -27,6 +27,7 @@ sing-box 使用 JSON 作为配置文件格式。
 | `dns`          | [DNS](./dns/)          |
 | `ntp`          | [NTP](./ntp/)          |
 | `certificate`  | [证书](./certificate/)   |
+| `certificate_providers` | [证书提供者](./shared/certificate-provider/) |
 | `endpoints`    | [端点](./endpoint/)      |
 | `inbounds`     | [入站](./inbound/)       |
 | `outbounds`    | [出站](./outbound/)      |
@@ -50,4 +51,4 @@ sing-box format -w -c config.json -D config_directory

 ```bash
 sing-box merge output.json -c config.json -D config_directory
-```
+```
--- a/docs/configuration/outbound/hysteria2.md
+++ b/docs/configuration/outbound/hysteria2.md
@@ -1,3 +1,8 @@
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [hop_interval_max](#hop_interval_max)  
+    :material-plus: [bbr_profile](#bbr_profile)
+
 !!! quote "Changes in sing-box 1.11.0"

    :material-plus: [server_ports](#server_ports)  
@@ -9,13 +14,14 @@
 {
  "type": "hysteria2",
  "tag": "hy2-out",
-  
+
  "server": "127.0.0.1",
  "server_port": 1080,
  "server_ports": [
    "2080:3000"
  ],
  "hop_interval": "",
+  "hop_interval_max": "",
  "up_mbps": 100,
  "down_mbps": 100,
  "obfs": {
@@ -25,8 +31,9 @@
  "password": "goofy_ahh_password",
  "network": "tcp",
  "tls": {},
+  "bbr_profile": "",
  "brutal_debug": false,
-  
+
  ... // Dial Fields
 }
 ```
@@ -75,6 +82,14 @@ Port hopping interval.

 `30s` is used by default.

+#### hop_interval_max
+
+!!! question "Since sing-box 1.14.0"
+
+Maximum port hopping interval, used for randomization.
+
+If set, the actual hop interval will be randomly chosen between `hop_interval` and `hop_interval_max`.
+
 #### up_mbps, down_mbps

 Max bandwidth, in Mbps.
@@ -109,6 +124,14 @@ Both is enabled by default.

 TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

+#### bbr_profile
+
+!!! question "Since sing-box 1.14.0"
+
+BBR congestion control algorithm profile, one of `conservative` `standard` `aggressive`.
+
+`standard` is used by default.
+
 #### brutal_debug

 Enable debug information logging for Hysteria Brutal CC.
--- a/docs/configuration/outbound/hysteria2.zh.md
+++ b/docs/configuration/outbound/hysteria2.zh.md
@@ -1,3 +1,8 @@
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [hop_interval_max](#hop_interval_max)  
+    :material-plus: [bbr_profile](#bbr_profile)
+
 !!! quote "sing-box 1.11.0 中的更改"

    :material-plus: [server_ports](#server_ports)  
@@ -16,6 +21,7 @@
    "2080:3000"
  ],
  "hop_interval": "",
+  "hop_interval_max": "",
  "up_mbps": 100,
  "down_mbps": 100,
  "obfs": {
@@ -25,8 +31,9 @@
  "password": "goofy_ahh_password",
  "network": "tcp",
  "tls": {},
+  "bbr_profile": "",
  "brutal_debug": false,
-  
+
  ... // 拨号字段
 }
 ```
@@ -73,6 +80,14 @@

 默认使用 `30s`。

+#### hop_interval_max
+
+!!! question "自 sing-box 1.14.0 起"
+
+最大端口跳跃间隔，用于随机化。
+
+如果设置，实际跳跃间隔将在 `hop_interval` 和 `hop_interval_max` 之间随机选择。
+
 #### up_mbps, down_mbps

 最大带宽。
@@ -107,6 +122,14 @@ QUIC 流量混淆器密码.

 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。

+#### bbr_profile
+
+!!! question "自 sing-box 1.14.0 起"
+
+BBR 拥塞控制算法配置，可选 `conservative` `standard` `aggressive`。
+
+默认使用 `standard`。
+
 #### brutal_debug

 启用 Hysteria Brutal CC 的调试信息日志记录。
--- a/docs/configuration/route/index.md
+++ b/docs/configuration/route/index.md
@@ -4,6 +4,11 @@ icon: material/alert-decagram

 # Route

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [find_neighbor](#find_neighbor)  
+    :material-plus: [dhcp_lease_files](#dhcp_lease_files)
+
 !!! quote "Changes in sing-box 1.12.0"

    :material-plus: [default_domain_resolver](#default_domain_resolver)  
@@ -35,6 +40,9 @@ icon: material/alert-decagram
    "override_android_vpn": false,
    "default_interface": "",
    "default_mark": 0,
+    "find_process": false,
+    "find_neighbor": false,
+    "dhcp_lease_files": [],
    "default_domain_resolver": "", // or {}
    "default_network_strategy": "",
    "default_network_type": [],
@@ -107,13 +115,45 @@ Set routing mark by default.

 Takes no effect if `outbound.routing_mark` is set.

+#### find_process
+
+!!! quote ""
+
+    Only supported on Linux, Windows, and macOS.
+
+Enable process search for logging when no `process_name`, `process_path`, `package_name`, `user` or `user_id` rules exist.
+
+#### find_neighbor
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux and macOS.
+
+Enable neighbor resolution for logging when no `source_mac_address` or `source_hostname` rules exist.
+
+See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
+
+#### dhcp_lease_files
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux and macOS.
+
+Custom DHCP lease file paths for hostname and MAC address resolution.
+
+Automatically detected from common DHCP servers (dnsmasq, odhcpd, ISC dhcpd, Kea) if empty.
+
 #### default_domain_resolver

 !!! question "Since sing-box 1.12.0"

 See [Dial Fields](/configuration/shared/dial/#domain_resolver) for details.

-Can be overrides by `outbound.domain_resolver`.
+Can be overridden by `outbound.domain_resolver`.

 #### default_network_strategy

@@ -123,7 +163,7 @@ See [Dial Fields](/configuration/shared/dial/#network_strategy) for details.

 Takes no effect if `outbound.bind_interface`, `outbound.inet4_bind_address` or `outbound.inet6_bind_address` is set.

-Can be overrides by `outbound.network_strategy`.
+Can be overridden by `outbound.network_strategy`.

 Conflicts with `default_interface`.

--- a/docs/configuration/route/index.zh.md
+++ b/docs/configuration/route/index.zh.md
@@ -4,6 +4,11 @@ icon: material/alert-decagram

 # 路由

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [find_neighbor](#find_neighbor)  
+    :material-plus: [dhcp_lease_files](#dhcp_lease_files)
+
 !!! quote "sing-box 1.12.0 中的更改"

    :material-plus: [default_domain_resolver](#default_domain_resolver)  
@@ -37,6 +42,9 @@ icon: material/alert-decagram
    "override_android_vpn": false,
    "default_interface": "",
    "default_mark": 0,
+    "find_process": false,
+    "find_neighbor": false,
+    "dhcp_lease_files": [],
    "default_network_strategy": "",
    "default_fallback_delay": ""
  }
@@ -106,6 +114,38 @@ icon: material/alert-decagram

 如果设置了 `outbound.routing_mark` 设置，则不生效。

+#### find_process
+
+!!! quote ""
+
+    仅支持 Linux、Windows 和 macOS。
+
+在没有 `process_name`、`process_path`、`package_name`、`user` 或 `user_id` 规则时启用进程搜索以输出日志。
+
+#### find_neighbor
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux 和 macOS。
+
+在没有 `source_mac_address` 或 `source_hostname` 规则时启用邻居解析以输出日志。
+
+参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
+
+#### dhcp_lease_files
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux 和 macOS。
+
+用于主机名和 MAC 地址解析的自定义 DHCP 租约文件路径。
+
+为空时自动从常见 DHCP 服务器（dnsmasq、odhcpd、ISC dhcpd、Kea）检测。
+
 #### default_domain_resolver

 !!! question "自 sing-box 1.12.0 起"
--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@@ -2,6 +2,11 @@
 icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [source_mac_address](#source_mac_address)  
+    :material-plus: [source_hostname](#source_hostname)
+
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [interface_address](#interface_address)  
@@ -159,6 +164,12 @@ icon: material/new-box
          "tailscale",
          "wireguard"
        ],
+        "source_mac_address": [
+          "00:11:22:33:44:55"
+        ],
+        "source_hostname": [
+          "my-device"
+        ],
        "rule_set": [
          "geoip-cn",
          "geosite-cn"
@@ -449,6 +460,26 @@ Match specified outbounds' preferred routes.
 | `tailscale` | Match MagicDNS domains and peers' allowed IPs |
 | `wireguard` | Match peers's allowed IPs                     |

+#### source_mac_address
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
+
+Match source device MAC address.
+
+#### source_hostname
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
+
+Match source device hostname from DHCP leases.
+
 #### rule_set

 !!! question "Since sing-box 1.8.0"
--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@@ -2,6 +2,11 @@
 icon: material/new-box
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [source_mac_address](#source_mac_address)  
+    :material-plus: [source_hostname](#source_hostname)
+
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [interface_address](#interface_address)  
@@ -157,6 +162,12 @@ icon: material/new-box
          "tailscale",
          "wireguard"
        ],
+        "source_mac_address": [
+          "00:11:22:33:44:55"
+        ],
+        "source_hostname": [
+          "my-device"
+        ],
        "rule_set": [
          "geoip-cn",
          "geosite-cn"
@@ -447,6 +458,26 @@ icon: material/new-box
 | `tailscale` | 匹配 MagicDNS 域名和对端的 allowed IPs |
 | `wireguard` | 匹配对端的 allowed IPs              |

+#### source_mac_address
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
+
+匹配源设备 MAC 地址。
+
+#### source_hostname
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
+
+匹配源设备从 DHCP 租约获取的主机名。
+
 #### rule_set

 !!! question "自 sing-box 1.8.0 起"
--- a/docs/configuration/route/rule_action.md
+++ b/docs/configuration/route/rule_action.md
@@ -316,4 +316,4 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q

 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.

-Will overrides `dns.client_subnet`.
+Will override `dns.client_subnet`.
--- a/docs/configuration/shared/certificate-provider/acme.md
+++ b/docs/configuration/shared/certificate-provider/acme.md
@@ -0,0 +1,150 @@
+---
+icon: material/new-box
+---
+
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [account_key](#account_key)  
+    :material-plus: [key_type](#key_type)  
+    :material-plus: [detour](#detour)
+
+# ACME
+
+!!! quote ""
+
+    `with_acme` build tag required.
+
+### Structure
+
+```json
+{
+  "type": "acme",
+  "tag": "",
+
+  "domain": [],
+  "data_directory": "",
+  "default_server_name": "",
+  "email": "",
+  "provider": "",
+  "account_key": "",
+  "disable_http_challenge": false,
+  "disable_tls_alpn_challenge": false,
+  "alternative_http_port": 0,
+  "alternative_tls_port": 0,
+  "external_account": {
+    "key_id": "",
+    "mac_key": ""
+  },
+  "dns01_challenge": {},
+  "key_type": "",
+  "detour": ""
+}
+```
+
+### Fields
+
+#### domain
+
+==Required==
+
+List of domains.
+
+#### data_directory
+
+The directory to store ACME data.
+
+`$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic` will be used if empty.
+
+#### default_server_name
+
+Server name to use when choosing a certificate if the ClientHello's ServerName field is empty.
+
+#### email
+
+The email address to use when creating or selecting an existing ACME server account.
+
+#### provider
+
+The ACME CA provider to use.
+
+| Value                   | Provider      |
+|-------------------------|---------------|
+| `letsencrypt (default)` | Let's Encrypt |
+| `zerossl`               | ZeroSSL       |
+| `https://...`           | Custom        |
+
+When `provider` is `zerossl`, sing-box will automatically request ZeroSSL EAB credentials if `email` is set and
+`external_account` is empty.
+
+When `provider` is `zerossl`, at least one of `external_account`, `email`, or `account_key` is required.
+
+#### account_key
+
+!!! question "Since sing-box 1.14.0"
+
+The PEM-encoded private key of an existing ACME account.
+
+#### disable_http_challenge
+
+Disable all HTTP challenges.
+
+#### disable_tls_alpn_challenge
+
+Disable all TLS-ALPN challenges
+
+#### alternative_http_port
+
+The alternate port to use for the ACME HTTP challenge; if non-empty, this port will be used instead of 80 to spin up a
+listener for the HTTP challenge.
+
+#### alternative_tls_port
+
+The alternate port to use for the ACME TLS-ALPN challenge; the system must forward 443 to this port for challenge to
+succeed.
+
+#### external_account
+
+EAB (External Account Binding) contains information necessary to bind or map an ACME account to some other account known
+by the CA.
+
+External account bindings are used to associate an ACME account with an existing account in a non-ACME system, such as
+a CA customer database.
+
+To enable ACME account binding, the CA operating the ACME server needs to provide the ACME client with a MAC key and a
+key identifier, using some mechanism outside of ACME. §7.3.4
+
+#### external_account.key_id
+
+The key identifier.
+
+#### external_account.mac_key
+
+The MAC key.
+
+#### dns01_challenge
+
+ACME DNS01 challenge field. If configured, other challenge methods will be disabled.
+
+See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/) for details.
+
+#### key_type
+
+!!! question "Since sing-box 1.14.0"
+
+The private key type to generate for new certificates.
+
+| Value      | Type    |
+|------------|---------|
+| `ed25519`  | Ed25519 |
+| `p256`     | P-256   |
+| `p384`     | P-384   |
+| `rsa2048`  | RSA     |
+| `rsa4096`  | RSA     |
+
+#### detour
+
+!!! question "Since sing-box 1.14.0"
+
+The tag of the upstream outbound.
+
+All provider HTTP requests will use this outbound.
--- a/docs/configuration/shared/certificate-provider/acme.zh.md
+++ b/docs/configuration/shared/certificate-provider/acme.zh.md
@@ -0,0 +1,145 @@
+---
+icon: material/new-box
+---
+
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [account_key](#account_key)  
+    :material-plus: [key_type](#key_type)  
+    :material-plus: [detour](#detour)
+
+# ACME
+
+!!! quote ""
+
+    需要 `with_acme` 构建标签。
+
+### 结构
+
+```json
+{
+  "type": "acme",
+  "tag": "",
+
+  "domain": [],
+  "data_directory": "",
+  "default_server_name": "",
+  "email": "",
+  "provider": "",
+  "account_key": "",
+  "disable_http_challenge": false,
+  "disable_tls_alpn_challenge": false,
+  "alternative_http_port": 0,
+  "alternative_tls_port": 0,
+  "external_account": {
+    "key_id": "",
+    "mac_key": ""
+  },
+  "dns01_challenge": {},
+  "key_type": "",
+  "detour": ""
+}
+```
+
+### 字段
+
+#### domain
+
+==必填==
+
+域名列表。
+
+#### data_directory
+
+ACME 数据存储目录。
+
+如果为空则使用 `$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic`。
+
+#### default_server_name
+
+如果 ClientHello 的 ServerName 字段为空，则选择证书时要使用的服务器名称。
+
+#### email
+
+创建或选择现有 ACME 服务器帐户时使用的电子邮件地址。
+
+#### provider
+
+要使用的 ACME CA 提供商。
+
+| 值                  | 提供商           |
+|--------------------|---------------|
+| `letsencrypt (默认)` | Let's Encrypt |
+| `zerossl`          | ZeroSSL       |
+| `https://...`      | 自定义           |
+
+当 `provider` 为 `zerossl` 时，如果设置了 `email` 且未设置 `external_account`，
+sing-box 会自动向 ZeroSSL 请求 EAB 凭据。
+
+当 `provider` 为 `zerossl` 时，必须至少设置 `external_account`、`email` 或 `account_key` 之一。
+
+#### account_key
+
+!!! question "自 sing-box 1.14.0 起"
+
+现有 ACME 帐户的 PEM 编码私钥。
+
+#### disable_http_challenge
+
+禁用所有 HTTP 质询。
+
+#### disable_tls_alpn_challenge
+
+禁用所有 TLS-ALPN 质询。
+
+#### alternative_http_port
+
+用于 ACME HTTP 质询的备用端口；如果非空，将使用此端口而不是 80 来启动 HTTP 质询的侦听器。
+
+#### alternative_tls_port
+
+用于 ACME TLS-ALPN 质询的备用端口； 系统必须将 443 转发到此端口以使质询成功。
+
+#### external_account
+
+EAB（外部帐户绑定）包含将 ACME 帐户绑定或映射到 CA 已知的其他帐户所需的信息。
+
+外部帐户绑定用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联，例如 CA 客户数据库。
+
+为了启用 ACME 帐户绑定，运行 ACME 服务器的 CA 需要使用 ACME 之外的某种机制向 ACME 客户端提供 MAC 密钥和密钥标识符。§7.3.4
+
+#### external_account.key_id
+
+密钥标识符。
+
+#### external_account.mac_key
+
+MAC 密钥。
+
+#### dns01_challenge
+
+ACME DNS01 质询字段。如果配置，将禁用其他质询方法。
+
+参阅 [DNS01 质询字段](/zh/configuration/shared/dns01_challenge/)。
+
+#### key_type
+
+!!! question "自 sing-box 1.14.0 起"
+
+为新证书生成的私钥类型。
+
+| 值         | 类型      |
+|-----------|----------|
+| `ed25519` | Ed25519 |
+| `p256`    | P-256   |
+| `p384`    | P-384   |
+| `rsa2048` | RSA     |
+| `rsa4096` | RSA     |
+
+#### detour
+
+!!! question "自 sing-box 1.14.0 起"
+
+上游出站的标签。
+
+所有提供者 HTTP 请求将使用此出站。
--- a/docs/configuration/shared/certificate-provider/cloudflare-origin-ca.md
+++ b/docs/configuration/shared/certificate-provider/cloudflare-origin-ca.md
@@ -0,0 +1,82 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.14.0"
+
+# Cloudflare Origin CA
+
+### Structure
+
+```json
+{
+  "type": "cloudflare-origin-ca",
+  "tag": "",
+
+  "domain": [],
+  "data_directory": "",
+  "api_token": "",
+  "origin_ca_key": "",
+  "request_type": "",
+  "requested_validity": 0,
+  "detour": ""
+}
+```
+
+### Fields
+
+#### domain
+
+==Required==
+
+List of domain names or wildcard domain names to include in the certificate.
+
+#### data_directory
+
+Root directory used to store the issued certificate, private key, and metadata.
+
+If empty, sing-box uses the same default data directory as the ACME certificate provider:
+`$XDG_DATA_HOME/certmagic` or `$HOME/.local/share/certmagic`.
+
+#### api_token
+
+Cloudflare API token used to create the certificate.
+
+Get or create one in [Cloudflare Dashboard > My Profile > API Tokens](https://dash.cloudflare.com/profile/api-tokens).
+
+Requires the `Zone / SSL and Certificates / Edit` permission.
+
+Conflict with `origin_ca_key`.
+
+#### origin_ca_key
+
+Cloudflare Origin CA Key.
+
+Get it in [Cloudflare Dashboard > My Profile > API Tokens > API Keys > Origin CA Key](https://dash.cloudflare.com/profile/api-tokens).
+
+Conflict with `api_token`.
+
+#### request_type
+
+The signature type to request from Cloudflare.
+
+| Value                | Type        |
+|----------------------|-------------|
+| `origin-rsa`         | RSA         |
+| `origin-ecc`         | ECDSA P-256 |
+
+`origin-rsa` is used if empty.
+
+#### requested_validity
+
+The requested certificate validity in days.
+
+Available values: `7`, `30`, `90`, `365`, `730`, `1095`, `5475`.
+
+`5475` days (15 years) is used if empty.
+
+#### detour
+
+The tag of the upstream outbound.
+
+All provider HTTP requests will use this outbound.
--- a/docs/configuration/shared/certificate-provider/cloudflare-origin-ca.zh.md
+++ b/docs/configuration/shared/certificate-provider/cloudflare-origin-ca.zh.md
@@ -0,0 +1,82 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.14.0 起"
+
+# Cloudflare Origin CA
+
+### 结构
+
+```json
+{
+  "type": "cloudflare-origin-ca",
+  "tag": "",
+
+  "domain": [],
+  "data_directory": "",
+  "api_token": "",
+  "origin_ca_key": "",
+  "request_type": "",
+  "requested_validity": 0,
+  "detour": ""
+}
+```
+
+### 字段
+
+#### domain
+
+==必填==
+
+要写入证书的域名或通配符域名列表。
+
+#### data_directory
+
+保存签发证书、私钥和元数据的根目录。
+
+如果为空，sing-box 会使用与 ACME 证书提供者相同的默认数据目录：
+`$XDG_DATA_HOME/certmagic` 或 `$HOME/.local/share/certmagic`。
+
+#### api_token
+
+用于创建证书的 Cloudflare API Token。
+
+可在 [Cloudflare Dashboard > My Profile > API Tokens](https://dash.cloudflare.com/profile/api-tokens) 获取或创建。
+
+需要 `Zone / SSL and Certificates / Edit` 权限。
+
+与 `origin_ca_key` 冲突。
+
+#### origin_ca_key
+
+Cloudflare Origin CA Key。
+
+可在 [Cloudflare Dashboard > My Profile > API Tokens > API Keys > Origin CA Key](https://dash.cloudflare.com/profile/api-tokens) 获取。
+
+与 `api_token` 冲突。
+
+#### request_type
+
+向 Cloudflare 请求的签名类型。
+
+| 值                   | 类型        |
+|----------------------|-------------|
+| `origin-rsa`         | RSA         |
+| `origin-ecc`         | ECDSA P-256 |
+
+如果为空，使用 `origin-rsa`。
+
+#### requested_validity
+
+请求的证书有效期，单位为天。
+
+可用值：`7`、`30`、`90`、`365`、`730`、`1095`、`5475`。
+
+如果为空，使用 `5475` 天（15 年）。
+
+#### detour
+
+上游出站的标签。
+
+所有提供者 HTTP 请求将使用此出站。
--- a/docs/configuration/shared/certificate-provider/index.md
+++ b/docs/configuration/shared/certificate-provider/index.md
@@ -0,0 +1,32 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.14.0"
+
+# Certificate Provider
+
+### Structure
+
+```json
+{
+  "certificate_providers": [
+    {
+      "type": "",
+      "tag": ""
+    }
+  ]
+}
+```
+
+### Fields
+
+| Type   | Format           |
+|--------|------------------|
+| `acme` | [ACME](/configuration/shared/certificate-provider/acme)   |
+| `tailscale` | [Tailscale](/configuration/shared/certificate-provider/tailscale) |
+| `cloudflare-origin-ca` | [Cloudflare Origin CA](/configuration/shared/certificate-provider/cloudflare-origin-ca) |
+
+#### tag
+
+The tag of the certificate provider.
--- a/docs/configuration/shared/certificate-provider/index.zh.md
+++ b/docs/configuration/shared/certificate-provider/index.zh.md
@@ -0,0 +1,32 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.14.0 起"
+
+# 证书提供者
+
+### 结构
+
+```json
+{
+  "certificate_providers": [
+    {
+      "type": "",
+      "tag": ""
+    }
+  ]
+}
+```
+
+### 字段
+
+| 类型   | 格式             |
+|--------|------------------|
+| `acme` | [ACME](/zh/configuration/shared/certificate-provider/acme)   |
+| `tailscale` | [Tailscale](/zh/configuration/shared/certificate-provider/tailscale) |
+| `cloudflare-origin-ca` | [Cloudflare Origin CA](/zh/configuration/shared/certificate-provider/cloudflare-origin-ca) |
+
+#### tag
+
+证书提供者的标签。
--- a/docs/configuration/shared/certificate-provider/tailscale.md
+++ b/docs/configuration/shared/certificate-provider/tailscale.md
@@ -0,0 +1,27 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.14.0"
+
+# Tailscale
+
+### Structure
+
+```json
+{
+  "type": "tailscale",
+  "tag": "ts-cert",
+  "endpoint": "ts-ep"
+}
+```
+
+### Fields
+
+#### endpoint
+
+==Required==
+
+The tag of the [Tailscale endpoint](/configuration/endpoint/tailscale/) to reuse.
+
+[MagicDNS and HTTPS](https://tailscale.com/kb/1153/enabling-https) must be enabled in the Tailscale admin console.
--- a/docs/configuration/shared/certificate-provider/tailscale.zh.md
+++ b/docs/configuration/shared/certificate-provider/tailscale.zh.md
@@ -0,0 +1,27 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.14.0 起"
+
+# Tailscale
+
+### 结构
+
+```json
+{
+  "type": "tailscale",
+  "tag": "ts-cert",
+  "endpoint": "ts-ep"
+}
+```
+
+### 字段
+
+#### endpoint
+
+==必填==
+
+要复用的 [Tailscale 端点](/zh/configuration/endpoint/tailscale/) 的标签。
+
+必须在 Tailscale 管理控制台中启用 [MagicDNS 和 HTTPS](https://tailscale.com/kb/1153/enabling-https)。
--- a/docs/configuration/shared/dns01_challenge.md
+++ b/docs/configuration/shared/dns01_challenge.md
@@ -2,6 +2,14 @@
 icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [ttl](#ttl)  
+    :material-plus: [propagation_delay](#propagation_delay)  
+    :material-plus: [propagation_timeout](#propagation_timeout)  
+    :material-plus: [resolvers](#resolvers)  
+    :material-plus: [override_domain](#override_domain)
+
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [alidns.security_token](#security_token)  
@@ -12,12 +20,57 @@ icon: material/new-box

 ```json
 {
+  "ttl": "",
+  "propagation_delay": "",
+  "propagation_timeout": "",
+  "resolvers": [],
+  "override_domain": "",
  "provider": "",

  ... // Provider Fields
 }
 ```

+### Fields
+
+#### ttl
+
+!!! question "Since sing-box 1.14.0"
+
+The TTL of the temporary TXT record used for the DNS challenge.
+
+#### propagation_delay
+
+!!! question "Since sing-box 1.14.0"
+
+How long to wait after creating the challenge record before starting propagation checks.
+
+#### propagation_timeout
+
+!!! question "Since sing-box 1.14.0"
+
+The maximum time to wait for the challenge record to propagate.
+
+Set to `-1` to disable propagation checks.
+
+#### resolvers
+
+!!! question "Since sing-box 1.14.0"
+
+Preferred DNS resolvers to use for DNS propagation checks.
+
+#### override_domain
+
+!!! question "Since sing-box 1.14.0"
+
+Override the domain name used for the DNS challenge record.
+
+Useful when `_acme-challenge` is delegated to a different zone.
+
+#### provider
+
+The DNS provider. See below for provider-specific fields.
+
 ### Provider Fields

 #### Alibaba Cloud DNS
--- a/docs/configuration/shared/dns01_challenge.zh.md
+++ b/docs/configuration/shared/dns01_challenge.zh.md
@@ -2,6 +2,14 @@
 icon: material/new-box
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [ttl](#ttl)  
+    :material-plus: [propagation_delay](#propagation_delay)  
+    :material-plus: [propagation_timeout](#propagation_timeout)  
+    :material-plus: [resolvers](#resolvers)  
+    :material-plus: [override_domain](#override_domain)
+
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [alidns.security_token](#security_token)  
@@ -12,12 +20,57 @@ icon: material/new-box

 ```json
 {
+  "ttl": "",
+  "propagation_delay": "",
+  "propagation_timeout": "",
+  "resolvers": [],
+  "override_domain": "",
  "provider": "",

  ... // 提供商字段
 }
 ```

+### 字段
+
+#### ttl
+
+!!! question "自 sing-box 1.14.0 起"
+
+DNS 质询临时 TXT 记录的 TTL。
+
+#### propagation_delay
+
+!!! question "自 sing-box 1.14.0 起"
+
+创建质询记录后，在开始传播检查前要等待的时间。
+
+#### propagation_timeout
+
+!!! question "自 sing-box 1.14.0 起"
+
+等待质询记录传播完成的最长时间。
+
+设为 `-1` 可禁用传播检查。
+
+#### resolvers
+
+!!! question "自 sing-box 1.14.0 起"
+
+进行 DNS 传播检查时优先使用的 DNS 解析器。
+
+#### override_domain
+
+!!! question "自 sing-box 1.14.0 起"
+
+覆盖 DNS 质询记录使用的域名。
+
+适用于将 `_acme-challenge` 委托到其他 zone 的场景。
+
+#### provider
+
+DNS 提供商。提供商专有字段见下文。
+
 ### 提供商字段

 #### Alibaba Cloud DNS
--- a/docs/configuration/shared/neighbor.md
+++ b/docs/configuration/shared/neighbor.md
@@ -0,0 +1,49 @@
+---
+icon: material/lan
+---
+
+# Neighbor Resolution
+
+Match LAN devices by MAC address and hostname using
+[`source_mac_address`](/configuration/route/rule/#source_mac_address) and
+[`source_hostname`](/configuration/route/rule/#source_hostname) rule items.
+
+Neighbor resolution is automatically enabled when these rule items exist.
+Use [`route.find_neighbor`](/configuration/route/#find_neighbor) to force enable it for logging without rules.
+
+## Linux
+
+Works natively. No special setup required.
+
+Hostname resolution requires DHCP lease files,
+automatically detected from common DHCP servers (dnsmasq, odhcpd, ISC dhcpd, Kea).
+Custom paths can be set via [`route.dhcp_lease_files`](/configuration/route/#dhcp_lease_files).
+
+## Android
+
+!!! quote ""
+
+    Only supported in graphical clients.
+
+Requires Android 11 or above and ROOT.
+
+Must use [VPNHotspot](https://github.com/Mygod/VPNHotspot) to share the VPN connection.
+ROM built-in features like "Use VPN for connected devices" can share VPN
+but cannot provide MAC address or hostname information.
+
+Set **IP Masquerade Mode** to **None** in VPNHotspot settings.
+
+Only route/DNS rules are supported. TUN include/exclude routes are not supported.
+
+### Hostname Visibility
+
+Hostname is only visible in sing-box if it is visible in VPNHotspot.
+For Apple devices, change **Private Wi-Fi Address** from **Rotating** to **Fixed** in the Wi-Fi settings
+of the connected network. Non-Apple devices are always visible.
+
+## macOS
+
+Requires the standalone version (macOS system extension).
+The App Store version can share the VPN as a hotspot but does not support MAC address or hostname reading.
+
+See [VPN Hotspot](/manual/misc/vpn-hotspot/#macos) for Internet Sharing setup.
--- a/docs/configuration/shared/neighbor.zh.md
+++ b/docs/configuration/shared/neighbor.zh.md
@@ -0,0 +1,49 @@
+---
+icon: material/lan
+---
+
+# 邻居解析
+
+通过
+[`source_mac_address`](/configuration/route/rule/#source_mac_address) 和
+[`source_hostname`](/configuration/route/rule/#source_hostname) 规则项匹配局域网设备的 MAC 地址和主机名。
+
+当这些规则项存在时，邻居解析自动启用。
+使用 [`route.find_neighbor`](/configuration/route/#find_neighbor) 可在没有规则时强制启用以输出日志。
+
+## Linux
+
+原生支持，无需特殊设置。
+
+主机名解析需要 DHCP 租约文件，
+自动从常见 DHCP 服务器（dnsmasq、odhcpd、ISC dhcpd、Kea）检测。
+可通过 [`route.dhcp_lease_files`](/configuration/route/#dhcp_lease_files) 设置自定义路径。
+
+## Android
+
+!!! quote ""
+
+    仅在图形客户端中支持。
+
+需要 Android 11 或以上版本和 ROOT。
+
+必须使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot) 共享 VPN 连接。
+ROM 自带的「通过 VPN 共享连接」等功能可以共享 VPN，
+但无法提供 MAC 地址或主机名信息。
+
+在 VPNHotspot 设置中将 **IP 遮掩模式** 设为 **无**。
+
+仅支持路由/DNS 规则。不支持 TUN 的 include/exclude 路由。
+
+### 设备可见性
+
+MAC 地址和主机名仅在 VPNHotspot 中可见时 sing-box 才能读取。
+对于 Apple 设备，需要在所连接网络的 Wi-Fi 设置中将**私有无线局域网地址**从**轮替**改为**固定**。
+非 Apple 设备始终可见。
+
+## macOS
+
+需要独立版本（macOS 系统扩展）。
+App Store 版本可以共享 VPN 热点但不支持 MAC 地址或主机名读取。
+
+参阅 [VPN 热点](/manual/misc/vpn-hotspot/#macos) 了解互联网共享设置。
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -2,6 +2,11 @@
 icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [certificate_provider](#certificate_provider)  
+    :material-delete-clock: [acme](#acme-fields)
+
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [kernel_tx](#kernel_tx)  
@@ -49,6 +54,10 @@ icon: material/new-box
  "key_path": "",
  "kernel_tx": false,
  "kernel_rx": false,
+  "certificate_provider": "",
+
+  // Deprecated
+
  "acme": {
    "domain": [],
    "data_directory": "",
@@ -408,6 +417,18 @@ Enable kernel TLS transmit support.

 Enable kernel TLS receive support.

+#### certificate_provider
+
+!!! question "Since sing-box 1.14.0"
+
+==Server only==
+
+A string or an object.
+
+When string, the tag of a shared [Certificate Provider](/configuration/shared/certificate-provider/).
+
+When object, an inline certificate provider. See [Certificate Provider](/configuration/shared/certificate-provider/) for available types and fields.
+
 ## Custom TLS support

 !!! info "QUIC support"
@@ -469,7 +490,7 @@ The ECH key and configuration can be generated by `sing-box generate ech-keypair

 !!! failure "Deprecated in sing-box 1.12.0"

-    ECH support has been migrated to use stdlib in sing-box 1.12.0, which does not come with support for PQ signature schemes, so `pq_signature_schemes_enabled` has been deprecated and no longer works.
+    `pq_signature_schemes_enabled` is deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0.

 Enable support for post-quantum peer certificate signature schemes.

@@ -477,7 +498,7 @@ Enable support for post-quantum peer certificate signature schemes.

 !!! failure "Deprecated in sing-box 1.12.0"

-    `dynamic_record_sizing_disabled` has nothing to do with ECH, was added by mistake, has been deprecated and no longer works.
+    `dynamic_record_sizing_disabled` is deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0.

 Disables adaptive sizing of TLS records.

@@ -566,6 +587,10 @@ Fragment TLS handshake into multiple TLS records to bypass firewalls.

 ### ACME Fields

+!!! failure "Deprecated in sing-box 1.14.0"
+
+    Inline ACME options are deprecated in sing-box 1.14.0 and will be removed in sing-box 1.16.0, check [Migration](/migration/#migrate-inline-acme-to-certificate-provider).
+
 #### domain

 List of domain.
@@ -677,4 +702,4 @@ A hexadecimal string with zero to eight digits.

 The maximum time difference between the server and the client.

-Check disabled if empty.
+Check disabled if empty.
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -2,6 +2,11 @@
 icon: material/new-box
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [certificate_provider](#certificate_provider)  
+    :material-delete-clock: [acme](#acme-字段)
+
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [kernel_tx](#kernel_tx)  
@@ -49,6 +54,10 @@ icon: material/new-box
  "key_path": "",
  "kernel_tx": false,
  "kernel_rx": false,
+  "certificate_provider": "",
+
+  // 废弃的
+
  "acme": {
    "domain": [],
    "data_directory": "",
@@ -407,6 +416,18 @@ echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/

 启用内核 TLS 接收支持。

+#### certificate_provider
+
+!!! question "自 sing-box 1.14.0 起"
+
+==仅服务器==
+
+字符串或对象。
+
+为字符串时，共享[证书提供者](/zh/configuration/shared/certificate-provider/)的标签。
+
+为对象时，内联的证书提供者。可用类型和字段参阅[证书提供者](/zh/configuration/shared/certificate-provider/)。
+
 ## 自定义 TLS 支持

 !!! info "QUIC 支持"
@@ -465,7 +486,7 @@ ECH 密钥和配置可以通过 `sing-box generate ech-keypair` 生成。

 !!! failure "已在 sing-box 1.12.0 废弃"

-    ECH 支持已在 sing-box 1.12.0 迁移至使用标准库，但标准库不支持后量子对等证书签名方案，因此 `pq_signature_schemes_enabled` 已被弃用且不再工作。
+    `pq_signature_schemes_enabled` 已在 sing-box 1.12.0 废弃且已在 sing-box 1.13.0 中被移除。

 启用对后量子对等证书签名方案的支持。

@@ -473,7 +494,7 @@ ECH 密钥和配置可以通过 `sing-box generate ech-keypair` 生成。

 !!! failure "已在 sing-box 1.12.0 废弃"

-    `dynamic_record_sizing_disabled` 与 ECH 无关，是错误添加的，现已弃用且不再工作。
+    `dynamic_record_sizing_disabled` 已在 sing-box 1.12.0 废弃且已在 sing-box 1.13.0 中被移除。

 禁用 TLS 记录的自适应大小调整。

@@ -561,6 +582,10 @@ ECH 配置路径，PEM 格式。

 ### ACME 字段

+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    内联 ACME 选项已在 sing-box 1.14.0 废弃且将在 sing-box 1.16.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移内联-acme-到证书提供者)。
+
 #### domain

 域名列表。
--- a/docs/deprecated.md
+++ b/docs/deprecated.md
@@ -4,14 +4,53 @@ icon: material/delete-alert

 # Deprecated Feature List

+## 1.14.0
+
+#### Inline ACME options in TLS
+
+Inline ACME options (`tls.acme`) are deprecated
+and can be replaced by the ACME certificate provider,
+check [Migration](../migration/#migrate-inline-acme-to-certificate-provider).
+
+Old fields will be removed in sing-box 1.16.0.
+
+#### Legacy `strategy` DNS rule action option
+
+Legacy `strategy` DNS rule action option is deprecated,
+check [Migration](../migration/#migrate-dns-rule-action-strategy-to-rule-items).
+
+Old fields will be removed in sing-box 1.16.0.
+
+#### Legacy `ip_accept_any` DNS rule item
+
+Legacy `ip_accept_any` DNS rule item is deprecated,
+check [Migration](../migration/#migrate-address-filter-fields-to-response-matching).
+
+Old fields will be removed in sing-box 1.16.0.
+
+#### Legacy `rule_set_ip_cidr_accept_empty` DNS rule item
+
+Legacy `rule_set_ip_cidr_accept_empty` DNS rule item is deprecated,
+check [Migration](../migration/#migrate-address-filter-fields-to-response-matching).
+
+Old fields will be removed in sing-box 1.16.0.
+
+#### Legacy Address Filter Fields in DNS rules
+
+Legacy Address Filter Fields (`ip_cidr`, `ip_is_private` without `match_response`)
+in DNS rules are deprecated,
+check [Migration](../migration/#migrate-address-filter-fields-to-response-matching).
+
+Old behavior will be removed in sing-box 1.16.0.
+
 ## 1.12.0

 #### Legacy DNS server formats

 DNS servers are refactored,
-check [Migration](../migration/#migrate-to-new-dns-servers).
+check [Migration](../migration/#migrate-to-new-dns-server-formats).

-Compatibility for old formats will be removed in sing-box 1.14.0.
+Old formats were removed in sing-box 1.14.0.

 #### `outbound` DNS rule item

@@ -28,7 +67,7 @@ so `pq_signature_schemes_enabled` has been deprecated and no longer works.
 Also, `dynamic_record_sizing_disabled` has nothing to do with ECH,
 was added by mistake, has been deprecated and no longer works.

-These fields will be removed in sing-box 1.13.0.
+These fields were removed in sing-box 1.13.0.

 ## 1.11.0

@@ -38,7 +77,7 @@ Legacy special outbounds (`block` / `dns`) are deprecated
 and can be replaced by rule actions,
 check [Migration](../migration/#migrate-legacy-special-outbounds-to-rule-actions).

-Old fields will be removed in sing-box 1.13.0.
+Old fields were removed in sing-box 1.13.0.

 #### Legacy inbound fields

@@ -46,7 +85,7 @@ Legacy inbound fields （`inbound.<sniff/domain_strategy/...>` are deprecated
 and can be replaced by rule actions,
 check [Migration](../migration/#migrate-legacy-inbound-fields-to-rule-actions).

-Old fields will be removed in sing-box 1.13.0.
+Old fields were removed in sing-box 1.13.0.

 #### Destination override fields in direct outbound

@@ -54,18 +93,20 @@ Destination override fields (`override_address` / `override_port`) in direct out
 and can be replaced by rule actions,
 check [Migration](../migration/#migrate-destination-override-fields-to-route-options).

+Old fields were removed in sing-box 1.13.0.
+
 #### WireGuard outbound

 WireGuard outbound is deprecated and can be replaced by endpoint,
 check [Migration](../migration/#migrate-wireguard-outbound-to-endpoint).

-Old outbound will be removed in sing-box 1.13.0.
+Old outbound was removed in sing-box 1.13.0.

 #### GSO option in TUN

 GSO has no advantages for transparent proxy scenarios, is deprecated and no longer works in TUN.

-Old fields will be removed in sing-box 1.13.0.
+Old fields were removed in sing-box 1.13.0.

 ## 1.10.0

@@ -75,12 +116,12 @@ Old fields will be removed in sing-box 1.13.0.
 `inet4_route_address` and `inet6_route_address` are merged into `route_address`,
 `inet4_route_exclude_address` and `inet6_route_exclude_address` are merged into `route_exclude_address`.

-Old fields will be removed in sing-box 1.12.0.
+Old fields were removed in sing-box 1.12.0.

 #### Match source rule items are renamed

 `rule_set_ipcidr_match_source` route and DNS rule items are renamed to
-`rule_set_ip_cidr_match_source` and will be remove in sing-box 1.11.0.
+`rule_set_ip_cidr_match_source` and were removed in sing-box 1.11.0.

 #### Drop support for go1.18 and go1.19

@@ -95,7 +136,7 @@ check [Migration](/migration/#migrate-cache-file-from-clash-api-to-independent-o

 #### GeoIP

-GeoIP is deprecated and will be removed in sing-box 1.12.0.
+GeoIP is deprecated and was removed in sing-box 1.12.0.

 The maxmind GeoIP National Database, as an IP classification database,
 is not entirely suitable for traffic bypassing,
@@ -106,7 +147,7 @@ check [Migration](/migration/#migrate-geoip-to-rule-sets).

 #### Geosite

-Geosite is deprecated and will be removed in sing-box 1.12.0.
+Geosite is deprecated and was removed in sing-box 1.12.0.

 Geosite, the `domain-list-community` project maintained by V2Ray as an early traffic bypassing solution,
 suffers from a number of problems, including lack of maintenance, inaccurate rules, and difficult management.
--- a/docs/deprecated.zh.md
+++ b/docs/deprecated.zh.md
@@ -4,12 +4,52 @@ icon: material/delete-alert

 # 废弃功能列表

+## 1.14.0
+
+#### TLS 中的内联 ACME 选项
+
+TLS 中的内联 ACME 选项（`tls.acme`）已废弃，
+且可以通过 ACME 证书提供者替代，
+参阅 [迁移指南](/zh/migration/#迁移内联-acme-到证书提供者)。
+
+旧字段将在 sing-box 1.16.0 中被移除。
+
+#### 旧版 DNS 规则动作 `strategy` 选项
+
+旧版 DNS 规则动作 `strategy` 选项已废弃，
+参阅[迁移指南](/zh/migration/#迁移-dns-规则动作-strategy-到规则项)。
+
+旧字段将在 sing-box 1.16.0 中被移除。
+
+#### 旧版 `ip_accept_any` DNS 规则项
+
+旧版 `ip_accept_any` DNS 规则项已废弃，
+参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+
+旧字段将在 sing-box 1.16.0 中被移除。
+
+#### 旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项
+
+旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项已废弃，
+参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+
+旧字段将在 sing-box 1.16.0 中被移除。
+
+#### 旧版地址筛选字段 (DNS 规则)
+
+旧版地址筛选字段（不使用 `match_response` 的 `ip_cidr`、`ip_is_private`）已废弃，
+参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+
+旧行为将在 sing-box 1.16.0 中被移除。
+
+## 1.12.0
+
 #### 旧的 DNS 服务器格式

 DNS 服务器已重构，
 参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式).

-对旧格式的兼容性将在 sing-box 1.14.0 中被移除。
+旧格式已在 sing-box 1.14.0 中被移除。

 #### `outbound` DNS 规则项

@@ -24,7 +64,7 @@ ECH 支持已在 sing-box 1.12.0 迁移至使用标准库，但标准库不支

 另外，`dynamic_record_sizing_disabled` 与 ECH 无关，是错误添加的，现已弃用且不再工作。

-相关字段将在 sing-box 1.13.0 中被移除。
+相关字段已在 sing-box 1.13.0 中被移除。

 ## 1.11.0

@@ -33,41 +73,41 @@ ECH 支持已在 sing-box 1.12.0 迁移至使用标准库，但标准库不支
 旧的特殊出站（`block` / `dns`）已废弃且可以通过规则动作替代，
 参阅 [迁移指南](/zh/migration/#迁移旧的特殊出站到规则动作)。

-旧字段将在 sing-box 1.13.0 中被移除。
+旧字段已在 sing-box 1.13.0 中被移除。

 #### 旧的入站字段

 旧的入站字段（`inbound.<sniff/domain_strategy/...>`）已废弃且可以通过规则动作替代，
 参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作)。

-旧字段将在 sing-box 1.13.0 中被移除。
+旧字段已在 sing-box 1.13.0 中被移除。

 #### direct 出站中的目标地址覆盖字段

 direct 出站中的目标地址覆盖字段（`override_address` / `override_port`）已废弃且可以通过规则动作替代，
 参阅 [迁移指南](/zh/migration/#迁移-direct-出站中的目标地址覆盖字段到路由字段)。

-旧字段将在 sing-box 1.13.0 中被移除。
+旧字段已在 sing-box 1.13.0 中被移除。

 #### WireGuard 出站

 WireGuard 出站已废弃且可以通过端点替代，
 参阅 [迁移指南](/zh/migration/#迁移-wireguard-出站到端点)。

-旧出站将在 sing-box 1.13.0 中被移除。
+旧出站已在 sing-box 1.13.0 中被移除。

 #### TUN 的 GSO 字段

 GSO 对透明代理场景没有优势，已废弃且在 TUN 中不再起作用。

-旧字段将在 sing-box 1.13.0 中被移除。
+旧字段已在 sing-box 1.13.0 中被移除。

 ## 1.10.0

 #### Match source 规则项已重命名

 `rule_set_ipcidr_match_source` 路由和 DNS 规则项已被重命名为
-`rule_set_ip_cidr_match_source` 且将在 sing-box 1.11.0 中被移除。
+`rule_set_ip_cidr_match_source` 且已在 sing-box 1.11.0 中被移除。

 #### TUN 地址字段已合并

@@ -75,7 +115,7 @@ GSO 对透明代理场景没有优势，已废弃且在 TUN 中不再起作用
 `inet4_route_address` 和 `inet6_route_address` 已合并为 `route_address`，
 `inet4_route_exclude_address` 和 `inet6_route_exclude_address` 已合并为 `route_exclude_address`。

-旧字段将在 sing-box 1.11.0 中被移除。
+旧字段已在 sing-box 1.12.0 中被移除。

 #### 移除对 go1.18 和 go1.19 的支持

@@ -90,7 +130,7 @@ Clash API 中的 `cache_file` 及相关功能已废弃且已迁移到独立的 `

 #### GeoIP

-GeoIP 已废弃且将在 sing-box 1.12.0 中被移除。
+GeoIP 已废弃且已在 sing-box 1.12.0 中被移除。

 maxmind GeoIP 国家数据库作为 IP 分类数据库，不完全适合流量绕过，
 且现有的实现均存在内存使用大与管理困难的问题。
@@ -100,7 +140,7 @@ sing-box 1.8.0 引入了[规则集](/zh/configuration/rule-set/)，

 #### Geosite

-Geosite 已废弃且将在 sing-box 1.12.0 中被移除。
+Geosite 已废弃且已在 sing-box 1.12.0 中被移除。

 Geosite，即由 V2Ray 维护的 domain-list-community 项目，作为早期流量绕过解决方案，
 存在着包括缺少维护、规则不准确和管理困难内的大量问题。
--- a/docs/migration.md
+++ b/docs/migration.md
@@ -2,6 +2,188 @@
 icon: material/arrange-bring-forward
 ---

+## 1.14.0
+
+### Migrate inline ACME to certificate provider
+
+Inline ACME options in TLS are deprecated and can be replaced by certificate providers.
+
+Most `tls.acme` fields can be moved into the ACME certificate provider unchanged.
+See [ACME](/configuration/shared/certificate-provider/acme/) for fields newly added in sing-box 1.14.0.
+
+!!! info "References"
+
+    [TLS](/configuration/shared/tls/#certificate_provider) /
+    [Certificate Provider](/configuration/shared/certificate-provider/)
+
+=== ":material-card-remove: Deprecated"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "trojan",
+          "tls": {
+            "enabled": true,
+            "acme": {
+              "domain": ["example.com"],
+              "email": "admin@example.com"
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-card-multiple: Inline"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "trojan",
+          "tls": {
+            "enabled": true,
+            "certificate_provider": {
+              "type": "acme",
+              "domain": ["example.com"],
+              "email": "admin@example.com"
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-card-multiple: Shared"
+
+    ```json
+    {
+      "certificate_providers": [
+        {
+          "type": "acme",
+          "tag": "my-cert",
+          "domain": ["example.com"],
+          "email": "admin@example.com"
+        }
+      ],
+      "inbounds": [
+        {
+          "type": "trojan",
+          "tls": {
+            "enabled": true,
+            "certificate_provider": "my-cert"
+          }
+        }
+      ]
+    }
+    ```
+
+### Migrate DNS rule action strategy to rule items
+
+Legacy `strategy` DNS rule action option is deprecated.
+
+In sing-box 1.14.0, internal domain resolution (Lookup) now splits A and AAAA queries
+at the rule level, so each query type is evaluated independently through the full rule chain.
+Use `ip_version` or `query_type` rule items to control which query types a rule matches.
+
+!!! info "References"
+
+    [DNS Rule](/configuration/dns/rule/) /
+    [DNS Rule Action](/configuration/dns/rule_action/)
+
+=== ":material-card-remove: Deprecated"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            "domain_suffix": ".cn",
+            "action": "route",
+            "server": "local",
+            "strategy": "ipv4_only"
+          }
+        ]
+      }
+    }
+    ```
+
+=== ":material-card-multiple: New"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            "domain_suffix": ".cn",
+            "ip_version": 4,
+            "action": "route",
+            "server": "local"
+          }
+        ]
+      }
+    }
+    ```
+
+### Migrate address filter fields to response matching
+
+Legacy Address Filter Fields (`ip_cidr`, `ip_is_private` without `match_response`) in DNS rules are deprecated,
+along with Legacy `ip_accept_any` and Legacy `rule_set_ip_cidr_accept_empty` DNS rule items.
+
+In sing-box 1.14.0, use the [`evaluate`](/configuration/dns/rule_action/#evaluate) action
+to fetch a DNS response, then match against it explicitly with `match_response`.
+
+!!! info "References"
+
+    [DNS Rule](/configuration/dns/rule/) /
+    [DNS Rule Action](/configuration/dns/rule_action/#evaluate)
+
+=== ":material-card-remove: Deprecated"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            "rule_set": "geoip-cn",
+            "action": "route",
+            "server": "local"
+          },
+          {
+            "action": "route",
+            "server": "remote"
+          }
+        ]
+      }
+    }
+    ```
+
+=== ":material-card-multiple: New"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            "action": "evaluate",
+            "server": "remote"
+          },
+          {
+            "match_response": true,
+            "rule_set": "geoip-cn",
+            "action": "route",
+            "server": "local"
+          },
+          {
+            "action": "route",
+            "server": "remote"
+          }
+        ]
+      }
+    }
+    ```
+
 ## 1.12.0

 ### Migrate to new DNS server formats
--- a/docs/migration.zh.md
+++ b/docs/migration.zh.md
@@ -2,6 +2,188 @@
 icon: material/arrange-bring-forward
 ---

+## 1.14.0
+
+### 迁移内联 ACME 到证书提供者
+
+TLS 中的内联 ACME 选项已废弃，且可以被证书提供者替代。
+
+`tls.acme` 的大多数字段都可以原样迁移到 ACME 证书提供者中。
+sing-box 1.14.0 新增字段参阅 [ACME](/zh/configuration/shared/certificate-provider/acme/) 页面。
+
+!!! info "参考"
+
+    [TLS](/zh/configuration/shared/tls/#certificate_provider) /
+    [证书提供者](/zh/configuration/shared/certificate-provider/)
+
+=== ":material-card-remove: 弃用的"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "trojan",
+          "tls": {
+            "enabled": true,
+            "acme": {
+              "domain": ["example.com"],
+              "email": "admin@example.com"
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-card-multiple: 内联"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "trojan",
+          "tls": {
+            "enabled": true,
+            "certificate_provider": {
+              "type": "acme",
+              "domain": ["example.com"],
+              "email": "admin@example.com"
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-card-multiple: 共享"
+
+    ```json
+    {
+      "certificate_providers": [
+        {
+          "type": "acme",
+          "tag": "my-cert",
+          "domain": ["example.com"],
+          "email": "admin@example.com"
+        }
+      ],
+      "inbounds": [
+        {
+          "type": "trojan",
+          "tls": {
+            "enabled": true,
+            "certificate_provider": "my-cert"
+          }
+        }
+      ]
+    }
+    ```
+
+### 迁移 DNS 规则动作 strategy 到规则项
+
+旧版 DNS 规则动作 `strategy` 选项已废弃。
+
+在 sing-box 1.14.0 中，内部域名解析（Lookup）现在在规则层拆分 A 和 AAAA 查询，
+每种查询类型独立通过完整的规则链评估。
+请使用 `ip_version` 或 `query_type` 规则项来控制规则匹配的查询类型。
+
+!!! info "参考"
+
+    [DNS 规则](/zh/configuration/dns/rule/) /
+    [DNS 规则动作](/zh/configuration/dns/rule_action/)
+
+=== ":material-card-remove: 弃用的"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            "domain_suffix": ".cn",
+            "action": "route",
+            "server": "local",
+            "strategy": "ipv4_only"
+          }
+        ]
+      }
+    }
+    ```
+
+=== ":material-card-multiple: 新的"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            "domain_suffix": ".cn",
+            "ip_version": 4,
+            "action": "route",
+            "server": "local"
+          }
+        ]
+      }
+    }
+    ```
+
+### 迁移地址筛选字段到响应匹配
+
+旧版地址筛选字段（不使用 `match_response` 的 `ip_cidr`、`ip_is_private`）已废弃，
+旧版 `ip_accept_any` 和旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项也已废弃。
+
+在 sing-box 1.14.0 中，请使用 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作
+获取 DNS 响应，然后通过 `match_response` 显式匹配。
+
+!!! info "参考"
+
+    [DNS 规则](/zh/configuration/dns/rule/) /
+    [DNS 规则动作](/zh/configuration/dns/rule_action/#evaluate)
+
+=== ":material-card-remove: 弃用的"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            "rule_set": "geoip-cn",
+            "action": "route",
+            "server": "local"
+          },
+          {
+            "action": "route",
+            "server": "remote"
+          }
+        ]
+      }
+    }
+    ```
+
+=== ":material-card-multiple: 新的"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            "action": "evaluate",
+            "server": "remote"
+          },
+          {
+            "match_response": true,
+            "rule_set": "geoip-cn",
+            "action": "route",
+            "server": "local"
+          },
+          {
+            "action": "route",
+            "server": "remote"
+          }
+        ]
+      }
+    }
+    ```
+
 ## 1.12.0

 ### 迁移到新的 DNS 服务器格式
--- a/experimental/deprecated/constants.go
+++ b/experimental/deprecated/constants.go
@@ -57,24 +57,6 @@ func (n Note) MessageWithLink() string {
 	}
 }

-var OptionLegacyDNSTransport = Note{
-	Name:              "legacy-dns-transport",
-	Description:       "legacy DNS servers",
-	DeprecatedVersion: "1.12.0",
-	ScheduledVersion:  "1.14.0",
-	EnvName:           "LEGACY_DNS_SERVERS",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-to-new-dns-server-formats",
-}
-
-var OptionLegacyDNSFakeIPOptions = Note{
-	Name:              "legacy-dns-fakeip-options",
-	Description:       "legacy DNS fakeip options",
-	DeprecatedVersion: "1.12.0",
-	ScheduledVersion:  "1.14.0",
-	EnvName:           "LEGACY_DNS_FAKEIP_OPTIONS",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-to-new-dns-server-formats",
-}
-
 var OptionOutboundDNSRuleItem = Note{
 	Name:              "outbound-dns-rule-item",
 	Description:       "outbound DNS rule item",
@@ -102,10 +84,58 @@ var OptionLegacyDomainStrategyOptions = Note{
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-domain-strategy-options",
 }

+var OptionInlineACME = Note{
+	Name:              "inline-acme-options",
+	Description:       "inline ACME options in TLS",
+	DeprecatedVersion: "1.14.0",
+	ScheduledVersion:  "1.16.0",
+	EnvName:           "INLINE_ACME_OPTIONS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-inline-acme-to-certificate-provider",
+}
+
+var OptionIPAcceptAny = Note{
+	Name:              "dns-rule-ip-accept-any",
+	Description:       "Legacy `ip_accept_any` DNS rule item",
+	DeprecatedVersion: "1.14.0",
+	ScheduledVersion:  "1.16.0",
+	EnvName:           "DNS_RULE_IP_ACCEPT_ANY",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-address-filter-fields-to-response-matching",
+}
+
+var OptionRuleSetIPCIDRAcceptEmpty = Note{
+	Name:              "dns-rule-rule-set-ip-cidr-accept-empty",
+	Description:       "Legacy `rule_set_ip_cidr_accept_empty` DNS rule item",
+	DeprecatedVersion: "1.14.0",
+	ScheduledVersion:  "1.16.0",
+	EnvName:           "DNS_RULE_RULE_SET_IP_CIDR_ACCEPT_EMPTY",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-address-filter-fields-to-response-matching",
+}
+
+var OptionLegacyDNSAddressFilter = Note{
+	Name:              "legacy-dns-address-filter",
+	Description:       "Legacy Address Filter Fields in DNS rules",
+	DeprecatedVersion: "1.14.0",
+	ScheduledVersion:  "1.16.0",
+	EnvName:           "LEGACY_DNS_ADDRESS_FILTER",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-address-filter-fields-to-response-matching",
+}
+
+var OptionLegacyDNSRuleStrategy = Note{
+	Name:              "legacy-dns-rule-strategy",
+	Description:       "Legacy `strategy` DNS rule action option",
+	DeprecatedVersion: "1.14.0",
+	ScheduledVersion:  "1.16.0",
+	EnvName:           "LEGACY_DNS_RULE_STRATEGY",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-dns-rule-action-strategy-to-rule-items",
+}
+
 var Options = []Note{
-	OptionLegacyDNSTransport,
-	OptionLegacyDNSFakeIPOptions,
 	OptionOutboundDNSRuleItem,
 	OptionMissingDomainResolver,
 	OptionLegacyDomainStrategyOptions,
+	OptionInlineACME,
+	OptionIPAcceptAny,
+	OptionRuleSetIPCIDRAcceptEmpty,
+	OptionLegacyDNSAddressFilter,
+	OptionLegacyDNSRuleStrategy,
 }
--- a/experimental/libbox/command.go
+++ b/experimental/libbox/command.go
@@ -6,4 +6,5 @@ const (
 	CommandGroup
 	CommandClashMode
 	CommandConnections
+	CommandOutbounds
 )
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -47,6 +47,7 @@ type CommandClientHandler interface {
 	WriteLogs(messageList LogIterator)
 	WriteStatus(message *StatusMessage)
 	WriteGroups(message OutboundGroupIterator)
+	WriteOutbounds(message OutboundGroupItemIterator)
 	InitializeClashMode(modeList StringIterator, currentMode string)
 	UpdateClashMode(newMode string)
 	WriteConnectionEvents(events *ConnectionEvents)
@@ -243,6 +244,8 @@ func (c *CommandClient) dispatchCommands() error {
 			go c.handleClashModeStream()
 		case CommandConnections:
 			go c.handleConnectionsStream()
+		case CommandOutbounds:
+			go c.handleOutboundsStream()
 		default:
 			return E.New("unknown command: ", command)
 		}
@@ -456,6 +459,25 @@ func (c *CommandClient) handleConnectionsStream() {
 	}
 }

+func (c *CommandClient) handleOutboundsStream() {
+	client, ctx := c.getStreamContext()
+
+	stream, err := client.SubscribeOutbounds(ctx, &emptypb.Empty{})
+	if err != nil {
+		c.handler.Disconnected(err.Error())
+		return
+	}
+
+	for {
+		list, err := stream.Recv()
+		if err != nil {
+			c.handler.Disconnected(err.Error())
+			return
+		}
+		c.handler.WriteOutbounds(outboundGroupItemListFromGRPC(list))
+	}
+}
+
 func (c *CommandClient) SelectOutbound(groupTag string, outboundTag string) error {
 	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
 		return client.SelectOutbound(context.Background(), &daemon.SelectOutboundRequest{
@@ -540,6 +562,31 @@ func (c *CommandClient) SetSystemProxyEnabled(isEnabled bool) error {
 	return err
 }

+func (c *CommandClient) TriggerGoCrash() error {
+	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
+		return client.TriggerDebugCrash(context.Background(), &daemon.DebugCrashRequest{
+			Type: daemon.DebugCrashRequest_GO,
+		})
+	})
+	return err
+}
+
+func (c *CommandClient) TriggerNativeCrash() error {
+	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
+		return client.TriggerDebugCrash(context.Background(), &daemon.DebugCrashRequest{
+			Type: daemon.DebugCrashRequest_NATIVE,
+		})
+	})
+	return err
+}
+
+func (c *CommandClient) TriggerOOMReport() error {
+	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
+		return client.TriggerOOMReport(context.Background(), &emptypb.Empty{})
+	})
+	return err
+}
+
 func (c *CommandClient) GetDeprecatedNotes() (DeprecatedNoteIterator, error) {
 	return callWithResult(c, func(client daemon.StartedServiceClient) (DeprecatedNoteIterator, error) {
 		warnings, err := client.GetDeprecatedWarnings(context.Background(), &emptypb.Empty{})
@@ -549,8 +596,10 @@ func (c *CommandClient) GetDeprecatedNotes() (DeprecatedNoteIterator, error) {
 		var notes []*DeprecatedNote
 		for _, warning := range warnings.Warnings {
 			notes = append(notes, &DeprecatedNote{
-				Description:   warning.Message,
-				MigrationLink: warning.MigrationLink,
+				Description:       warning.Description,
+				DeprecatedVersion: warning.DeprecatedVersion,
+				ScheduledVersion:  warning.ScheduledVersion,
+				MigrationLink:     warning.MigrationLink,
 			})
 		}
 		return newIterator(notes), nil
@@ -576,3 +625,78 @@ func (c *CommandClient) SetGroupExpand(groupTag string, isExpand bool) error {
 	})
 	return err
 }
+
+func (c *CommandClient) ListOutbounds() (OutboundGroupItemIterator, error) {
+	return callWithResult(c, func(client daemon.StartedServiceClient) (OutboundGroupItemIterator, error) {
+		list, err := client.ListOutbounds(context.Background(), &emptypb.Empty{})
+		if err != nil {
+			return nil, err
+		}
+		return outboundGroupItemListFromGRPC(list), nil
+	})
+}
+
+func (c *CommandClient) StartNetworkQualityTest(configURL string, outboundTag string, handler NetworkQualityTestHandler) error {
+	return c.StartNetworkQualityTestWithSerialAndRuntime(
+		configURL,
+		outboundTag,
+		false,
+		NetworkQualityDefaultMaxRuntimeSeconds,
+		handler,
+	)
+}
+
+func (c *CommandClient) StartNetworkQualityTestWithSerial(configURL string, outboundTag string, serial bool, handler NetworkQualityTestHandler) error {
+	return c.StartNetworkQualityTestWithSerialAndRuntime(
+		configURL,
+		outboundTag,
+		serial,
+		NetworkQualityDefaultMaxRuntimeSeconds,
+		handler,
+	)
+}
+
+func (c *CommandClient) StartNetworkQualityTestWithSerialAndRuntime(configURL string, outboundTag string, serial bool, maxRuntimeSeconds int32, handler NetworkQualityTestHandler) error {
+	client, err := c.getClientForCall()
+	if err != nil {
+		return err
+	}
+	if c.standalone {
+		defer c.closeConnection()
+	}
+	stream, err := client.StartNetworkQualityTest(context.Background(), &daemon.NetworkQualityTestRequest{
+		ConfigURL:         configURL,
+		OutboundTag:       outboundTag,
+		Serial:            serial,
+		MaxRuntimeSeconds: maxRuntimeSeconds,
+	})
+	if err != nil {
+		return err
+	}
+	for {
+		event, recvErr := stream.Recv()
+		if recvErr != nil {
+			handler.OnError(recvErr.Error())
+			return recvErr
+		}
+		if event.IsFinal {
+			if event.Error != "" {
+				handler.OnError(event.Error)
+			} else {
+				handler.OnResult(&NetworkQualityResult{
+					DownloadCapacity:         event.DownloadCapacity,
+					UploadCapacity:           event.UploadCapacity,
+					DownloadRPM:              event.DownloadRPM,
+					UploadRPM:                event.UploadRPM,
+					IdleLatencyMs:            event.IdleLatencyMs,
+					DownloadCapacityAccuracy: event.DownloadCapacityAccuracy,
+					UploadCapacityAccuracy:   event.UploadCapacityAccuracy,
+					DownloadRPMAccuracy:      event.DownloadRPMAccuracy,
+					UploadRPMAccuracy:        event.UploadRPMAccuracy,
+				})
+			}
+			return nil
+		}
+		handler.OnProgress(networkQualityProgressFromGRPC(event))
+	}
+}
--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@@ -39,6 +39,7 @@ type CommandServerHandler interface {
 	ServiceReload() error
 	GetSystemProxyStatus() (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(enabled bool) error
+	TriggerNativeCrash() error
 	WriteDebugMessage(message string)
 }

@@ -57,10 +58,12 @@ func NewCommandServer(handler CommandServerHandler, platformInterface PlatformIn
 	server.StartedService = daemon.NewStartedService(daemon.ServiceOptions{
 		Context: ctx,
 		// Platform:         platformWrapper,
-		Handler:     (*platformHandler)(server),
-		Debug:       sDebug,
-		LogMaxLines: sLogMaxLines,
-		OOMKiller:   memoryLimitEnabled,
+		Handler:           (*platformHandler)(server),
+		Debug:             sDebug,
+		LogMaxLines:       sLogMaxLines,
+		OOMKillerEnabled:  sOOMKillerEnabled,
+		OOMKillerDisabled: sOOMKillerDisabled,
+		OOMMemoryLimit:    uint64(sOOMMemoryLimit),
 		// WorkingDirectory: sWorkingPath,
 		// TempDirectory:    sTempPath,
 		// UserID:           sUserID,
@@ -170,11 +173,16 @@ type OverrideOptions struct {
 }

 func (s *CommandServer) StartOrReloadService(configContent string, options *OverrideOptions) error {
-	return s.StartedService.StartOrReloadService(configContent, &daemon.OverrideOptions{
+	saveConfigSnapshot(configContent)
+	err := s.StartedService.StartOrReloadService(configContent, &daemon.OverrideOptions{
 		AutoRedirect:   options.AutoRedirect,
 		IncludePackage: iteratorToArray(options.IncludePackage),
 		ExcludePackage: iteratorToArray(options.ExcludePackage),
 	})
+	if err != nil {
+		return err
+	}
+	return nil
 }

 func (s *CommandServer) CloseService() error {
@@ -271,6 +279,10 @@ func (h *platformHandler) SetSystemProxyEnabled(enabled bool) error {
 	return (*CommandServer)(h).handler.SetSystemProxyEnabled(enabled)
 }

+func (h *platformHandler) TriggerNativeCrash() error {
+	return (*CommandServer)(h).handler.TriggerNativeCrash()
+}
+
 func (h *platformHandler) WriteDebugMessage(message string) {
 	(*CommandServer)(h).handler.WriteDebugMessage(message)
 }
--- a/experimental/libbox/command_types_nq.go
+++ b/experimental/libbox/command_types_nq.go
@@ -0,0 +1,71 @@
+package libbox
+
+import "github.com/sagernet/sing-box/daemon"
+
+type NetworkQualityProgress struct {
+	Phase                    int32
+	DownloadCapacity         int64
+	UploadCapacity           int64
+	DownloadRPM              int32
+	UploadRPM                int32
+	IdleLatencyMs            int32
+	ElapsedMs                int64
+	IsFinal                  bool
+	Error                    string
+	DownloadCapacityAccuracy int32
+	UploadCapacityAccuracy   int32
+	DownloadRPMAccuracy      int32
+	UploadRPMAccuracy        int32
+}
+
+type NetworkQualityResult struct {
+	DownloadCapacity         int64
+	UploadCapacity           int64
+	DownloadRPM              int32
+	UploadRPM                int32
+	IdleLatencyMs            int32
+	DownloadCapacityAccuracy int32
+	UploadCapacityAccuracy   int32
+	DownloadRPMAccuracy      int32
+	UploadRPMAccuracy        int32
+}
+
+type NetworkQualityTestHandler interface {
+	OnProgress(progress *NetworkQualityProgress)
+	OnResult(result *NetworkQualityResult)
+	OnError(message string)
+}
+
+func outboundGroupItemListFromGRPC(list *daemon.OutboundList) OutboundGroupItemIterator {
+	if list == nil || len(list.Outbounds) == 0 {
+		return newIterator([]*OutboundGroupItem{})
+	}
+	var items []*OutboundGroupItem
+	for _, ob := range list.Outbounds {
+		items = append(items, &OutboundGroupItem{
+			Tag:          ob.Tag,
+			Type:         ob.Type,
+			URLTestTime:  ob.UrlTestTime,
+			URLTestDelay: ob.UrlTestDelay,
+		})
+	}
+	return newIterator(items)
+}
+
+func networkQualityProgressFromGRPC(event *daemon.NetworkQualityTestProgress) *NetworkQualityProgress {
+	return &NetworkQualityProgress{
+		Phase:                    event.Phase,
+		DownloadCapacity:         event.DownloadCapacity,
+		UploadCapacity:           event.UploadCapacity,
+		DownloadRPM:              event.DownloadRPM,
+		UploadRPM:                event.UploadRPM,
+		IdleLatencyMs:            event.IdleLatencyMs,
+		ElapsedMs:                event.ElapsedMs,
+		IsFinal:                  event.IsFinal,
+		Error:                    event.Error,
+		DownloadCapacityAccuracy: event.DownloadCapacityAccuracy,
+		UploadCapacityAccuracy:   event.UploadCapacityAccuracy,
+		DownloadRPMAccuracy:      event.DownloadRPMAccuracy,
+		UploadRPMAccuracy:        event.UploadRPMAccuracy,
+	}
+}
--- a/experimental/libbox/config.go
+++ b/experimental/libbox/config.go
@@ -12,6 +12,7 @@ import (
 	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/service/oomkiller"
 	tun "github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -22,6 +23,8 @@ import (
 	"github.com/sagernet/sing/service/filemanager"
 )

+var sOOMReporter oomkiller.OOMReporter
+
 func baseContext(platformInterface PlatformInterface) context.Context {
 	dnsRegistry := include.DNSTransportRegistry()
 	if platformInterface != nil {
@@ -33,7 +36,10 @@ func baseContext(platformInterface PlatformInterface) context.Context {
 	}
 	ctx := context.Background()
 	ctx = filemanager.WithDefault(ctx, sWorkingPath, sTempPath, sUserID, sGroupID)
-	return box.Context(ctx, include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), dnsRegistry, include.ServiceRegistry())
+	if sOOMReporter != nil {
+		ctx = service.ContextWith[oomkiller.OOMReporter](ctx, sOOMReporter)
+	}
+	return box.Context(ctx, include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), dnsRegistry, include.ServiceRegistry(), include.CertificateProviderRegistry())
 }

 func parseConfig(ctx context.Context, configContent string) (option.Options, error) {
@@ -144,6 +150,18 @@ func (s *platformInterfaceStub) SendNotification(notification *adapter.Notificat
 	return nil
 }

+func (s *platformInterfaceStub) UsePlatformNeighborResolver() bool {
+	return false
+}
+
+func (s *platformInterfaceStub) StartNeighborMonitor(listener adapter.NeighborUpdateListener) error {
+	return os.ErrInvalid
+}
+
+func (s *platformInterfaceStub) CloseNeighborMonitor(listener adapter.NeighborUpdateListener) error {
+	return nil
+}
+
 func (s *platformInterfaceStub) UsePlatformLocalDNSTransport() bool {
 	return false
 }
--- a/experimental/libbox/debug.go
+++ b/experimental/libbox/debug.go
@@ -0,0 +1,9 @@
+package libbox
+
+import "time"
+
+func TriggerGoPanic() {
+	time.AfterFunc(200*time.Millisecond, func() {
+		panic("debug go crash")
+	})
+}
--- a/experimental/libbox/internal/oomprofile/builder.go
+++ b/experimental/libbox/internal/oomprofile/builder.go
@@ -0,0 +1,390 @@
+//go:build darwin || linux || windows
+
+package oomprofile
+
+import (
+	"fmt"
+	"io"
+	"runtime"
+	"time"
+)
+
+const (
+	tagProfile_SampleType        = 1
+	tagProfile_Sample            = 2
+	tagProfile_Mapping           = 3
+	tagProfile_Location          = 4
+	tagProfile_Function          = 5
+	tagProfile_StringTable       = 6
+	tagProfile_TimeNanos         = 9
+	tagProfile_PeriodType        = 11
+	tagProfile_Period            = 12
+	tagProfile_DefaultSampleType = 14
+
+	tagValueType_Type = 1
+	tagValueType_Unit = 2
+
+	tagSample_Location = 1
+	tagSample_Value    = 2
+	tagSample_Label    = 3
+
+	tagLabel_Key = 1
+	tagLabel_Str = 2
+	tagLabel_Num = 3
+
+	tagMapping_ID              = 1
+	tagMapping_Start           = 2
+	tagMapping_Limit           = 3
+	tagMapping_Offset          = 4
+	tagMapping_Filename        = 5
+	tagMapping_BuildID         = 6
+	tagMapping_HasFunctions    = 7
+	tagMapping_HasFilenames    = 8
+	tagMapping_HasLineNumbers  = 9
+	tagMapping_HasInlineFrames = 10
+
+	tagLocation_ID        = 1
+	tagLocation_MappingID = 2
+	tagLocation_Address   = 3
+	tagLocation_Line      = 4
+
+	tagLine_FunctionID = 1
+	tagLine_Line       = 2
+
+	tagFunction_ID         = 1
+	tagFunction_Name       = 2
+	tagFunction_SystemName = 3
+	tagFunction_Filename   = 4
+	tagFunction_StartLine  = 5
+)
+
+type memMap struct {
+	start   uintptr
+	end     uintptr
+	offset  uint64
+	file    string
+	buildID string
+	funcs   symbolizeFlag
+	fake    bool
+}
+
+type symbolizeFlag uint8
+
+const (
+	lookupTried symbolizeFlag = 1 << iota
+	lookupFailed
+)
+
+func newProfileBuilder(w io.Writer) *profileBuilder {
+	builder := &profileBuilder{
+		start:     time.Now(),
+		w:         w,
+		strings:   []string{""},
+		stringMap: map[string]int{"": 0},
+		locs:      map[uintptr]locInfo{},
+		funcs:     map[string]int{},
+	}
+	builder.readMapping()
+	return builder
+}
+
+func (b *profileBuilder) stringIndex(s string) int64 {
+	id, ok := b.stringMap[s]
+	if !ok {
+		id = len(b.strings)
+		b.strings = append(b.strings, s)
+		b.stringMap[s] = id
+	}
+	return int64(id)
+}
+
+func (b *profileBuilder) flush() {
+	const dataFlush = 4096
+	if b.err != nil || b.pb.nest != 0 || len(b.pb.data) <= dataFlush {
+		return
+	}
+
+	_, b.err = b.w.Write(b.pb.data)
+	b.pb.data = b.pb.data[:0]
+}
+
+func (b *profileBuilder) pbValueType(tag int, typ string, unit string) {
+	start := b.pb.startMessage()
+	b.pb.int64(tagValueType_Type, b.stringIndex(typ))
+	b.pb.int64(tagValueType_Unit, b.stringIndex(unit))
+	b.pb.endMessage(tag, start)
+}
+
+func (b *profileBuilder) pbSample(values []int64, locs []uint64, labels func()) {
+	start := b.pb.startMessage()
+	b.pb.int64s(tagSample_Value, values)
+	b.pb.uint64s(tagSample_Location, locs)
+	if labels != nil {
+		labels()
+	}
+	b.pb.endMessage(tagProfile_Sample, start)
+	b.flush()
+}
+
+func (b *profileBuilder) pbLabel(tag int, key string, str string, num int64) {
+	start := b.pb.startMessage()
+	b.pb.int64Opt(tagLabel_Key, b.stringIndex(key))
+	b.pb.int64Opt(tagLabel_Str, b.stringIndex(str))
+	b.pb.int64Opt(tagLabel_Num, num)
+	b.pb.endMessage(tag, start)
+}
+
+func (b *profileBuilder) pbLine(tag int, funcID uint64, line int64) {
+	start := b.pb.startMessage()
+	b.pb.uint64Opt(tagLine_FunctionID, funcID)
+	b.pb.int64Opt(tagLine_Line, line)
+	b.pb.endMessage(tag, start)
+}
+
+func (b *profileBuilder) pbMapping(tag int, id uint64, base uint64, limit uint64, offset uint64, file string, buildID string, hasFuncs bool) {
+	start := b.pb.startMessage()
+	b.pb.uint64Opt(tagMapping_ID, id)
+	b.pb.uint64Opt(tagMapping_Start, base)
+	b.pb.uint64Opt(tagMapping_Limit, limit)
+	b.pb.uint64Opt(tagMapping_Offset, offset)
+	b.pb.int64Opt(tagMapping_Filename, b.stringIndex(file))
+	b.pb.int64Opt(tagMapping_BuildID, b.stringIndex(buildID))
+	if hasFuncs {
+		b.pb.bool(tagMapping_HasFunctions, true)
+	}
+	b.pb.endMessage(tag, start)
+}
+
+func (b *profileBuilder) build() error {
+	if b.err != nil {
+		return b.err
+	}
+
+	b.pb.int64Opt(tagProfile_TimeNanos, b.start.UnixNano())
+	for i, mapping := range b.mem {
+		hasFunctions := mapping.funcs == lookupTried
+		b.pbMapping(tagProfile_Mapping, uint64(i+1), uint64(mapping.start), uint64(mapping.end), mapping.offset, mapping.file, mapping.buildID, hasFunctions)
+	}
+	b.pb.strings(tagProfile_StringTable, b.strings)
+	if b.err != nil {
+		return b.err
+	}
+	_, err := b.w.Write(b.pb.data)
+	return err
+}
+
+func allFrames(addr uintptr) ([]runtime.Frame, symbolizeFlag) {
+	frames := runtime.CallersFrames([]uintptr{addr})
+	frame, more := frames.Next()
+	if frame.Function == "runtime.goexit" {
+		return nil, 0
+	}
+
+	result := lookupTried
+	if frame.PC == 0 || frame.Function == "" || frame.File == "" || frame.Line == 0 {
+		result |= lookupFailed
+	}
+	if frame.PC == 0 {
+		frame.PC = addr - 1
+	}
+
+	ret := []runtime.Frame{frame}
+	for frame.Function != "runtime.goexit" && more {
+		frame, more = frames.Next()
+		ret = append(ret, frame)
+	}
+	return ret, result
+}
+
+type locInfo struct {
+	id uint64
+
+	pcs []uintptr
+
+	firstPCFrames          []runtime.Frame
+	firstPCSymbolizeResult symbolizeFlag
+}
+
+func (b *profileBuilder) appendLocsForStack(locs []uint64, stk []uintptr) []uint64 {
+	b.deck.reset()
+	origStk := stk
+	stk = runtimeExpandFinalInlineFrame(stk)
+
+	for len(stk) > 0 {
+		addr := stk[0]
+		if loc, ok := b.locs[addr]; ok {
+			if len(b.deck.pcs) > 0 {
+				if b.deck.tryAdd(addr, loc.firstPCFrames, loc.firstPCSymbolizeResult) {
+					stk = stk[1:]
+					continue
+				}
+			}
+			if id := b.emitLocation(); id > 0 {
+				locs = append(locs, id)
+			}
+			locs = append(locs, loc.id)
+			if len(loc.pcs) > len(stk) {
+				panic(fmt.Sprintf("stack too short to match cached location; stk = %#x, loc.pcs = %#x, original stk = %#x", stk, loc.pcs, origStk))
+			}
+			stk = stk[len(loc.pcs):]
+			continue
+		}
+
+		frames, symbolizeResult := allFrames(addr)
+		if len(frames) == 0 {
+			if id := b.emitLocation(); id > 0 {
+				locs = append(locs, id)
+			}
+			stk = stk[1:]
+			continue
+		}
+
+		if b.deck.tryAdd(addr, frames, symbolizeResult) {
+			stk = stk[1:]
+			continue
+		}
+		if id := b.emitLocation(); id > 0 {
+			locs = append(locs, id)
+		}
+
+		if loc, ok := b.locs[addr]; ok {
+			locs = append(locs, loc.id)
+			stk = stk[len(loc.pcs):]
+		} else {
+			b.deck.tryAdd(addr, frames, symbolizeResult)
+			stk = stk[1:]
+		}
+	}
+	if id := b.emitLocation(); id > 0 {
+		locs = append(locs, id)
+	}
+	return locs
+}
+
+type pcDeck struct {
+	pcs             []uintptr
+	frames          []runtime.Frame
+	symbolizeResult symbolizeFlag
+
+	firstPCFrames          int
+	firstPCSymbolizeResult symbolizeFlag
+}
+
+func (d *pcDeck) reset() {
+	d.pcs = d.pcs[:0]
+	d.frames = d.frames[:0]
+	d.symbolizeResult = 0
+	d.firstPCFrames = 0
+	d.firstPCSymbolizeResult = 0
+}
+
+func (d *pcDeck) tryAdd(pc uintptr, frames []runtime.Frame, symbolizeResult symbolizeFlag) bool {
+	if existing := len(d.frames); existing > 0 {
+		newFrame := frames[0]
+		last := d.frames[existing-1]
+		if last.Func != nil {
+			return false
+		}
+		if last.Entry == 0 || newFrame.Entry == 0 {
+			return false
+		}
+		if last.Entry != newFrame.Entry {
+			return false
+		}
+		if runtimeFrameSymbolName(&last) == runtimeFrameSymbolName(&newFrame) {
+			return false
+		}
+	}
+
+	d.pcs = append(d.pcs, pc)
+	d.frames = append(d.frames, frames...)
+	d.symbolizeResult |= symbolizeResult
+	if len(d.pcs) == 1 {
+		d.firstPCFrames = len(d.frames)
+		d.firstPCSymbolizeResult = symbolizeResult
+	}
+	return true
+}
+
+func (b *profileBuilder) emitLocation() uint64 {
+	if len(b.deck.pcs) == 0 {
+		return 0
+	}
+	defer b.deck.reset()
+
+	addr := b.deck.pcs[0]
+	firstFrame := b.deck.frames[0]
+
+	type newFunc struct {
+		id        uint64
+		name      string
+		file      string
+		startLine int64
+	}
+
+	newFuncs := make([]newFunc, 0, 8)
+	id := uint64(len(b.locs)) + 1
+	b.locs[addr] = locInfo{
+		id:                     id,
+		pcs:                    append([]uintptr{}, b.deck.pcs...),
+		firstPCFrames:          append([]runtime.Frame{}, b.deck.frames[:b.deck.firstPCFrames]...),
+		firstPCSymbolizeResult: b.deck.firstPCSymbolizeResult,
+	}
+
+	start := b.pb.startMessage()
+	b.pb.uint64Opt(tagLocation_ID, id)
+	b.pb.uint64Opt(tagLocation_Address, uint64(firstFrame.PC))
+	for _, frame := range b.deck.frames {
+		funcName := runtimeFrameSymbolName(&frame)
+		funcID := uint64(b.funcs[funcName])
+		if funcID == 0 {
+			funcID = uint64(len(b.funcs)) + 1
+			b.funcs[funcName] = int(funcID)
+			newFuncs = append(newFuncs, newFunc{
+				id:        funcID,
+				name:      funcName,
+				file:      frame.File,
+				startLine: int64(runtimeFrameStartLine(&frame)),
+			})
+		}
+		b.pbLine(tagLocation_Line, funcID, int64(frame.Line))
+	}
+	for i := range b.mem {
+		if (b.mem[i].start <= addr && addr < b.mem[i].end) || b.mem[i].fake {
+			b.pb.uint64Opt(tagLocation_MappingID, uint64(i+1))
+			mapping := b.mem[i]
+			mapping.funcs |= b.deck.symbolizeResult
+			b.mem[i] = mapping
+			break
+		}
+	}
+	b.pb.endMessage(tagProfile_Location, start)
+
+	for _, fn := range newFuncs {
+		start := b.pb.startMessage()
+		b.pb.uint64Opt(tagFunction_ID, fn.id)
+		b.pb.int64Opt(tagFunction_Name, b.stringIndex(fn.name))
+		b.pb.int64Opt(tagFunction_SystemName, b.stringIndex(fn.name))
+		b.pb.int64Opt(tagFunction_Filename, b.stringIndex(fn.file))
+		b.pb.int64Opt(tagFunction_StartLine, fn.startLine)
+		b.pb.endMessage(tagProfile_Function, start)
+	}
+
+	b.flush()
+	return id
+}
+
+func (b *profileBuilder) addMapping(lo uint64, hi uint64, offset uint64, file string, buildID string) {
+	b.addMappingEntry(lo, hi, offset, file, buildID, false)
+}
+
+func (b *profileBuilder) addMappingEntry(lo uint64, hi uint64, offset uint64, file string, buildID string, fake bool) {
+	b.mem = append(b.mem, memMap{
+		start:   uintptr(lo),
+		end:     uintptr(hi),
+		offset:  offset,
+		file:    file,
+		buildID: buildID,
+		fake:    fake,
+	})
+}
--- a/experimental/libbox/internal/oomprofile/defs_darwin_amd64.go
+++ b/experimental/libbox/internal/oomprofile/defs_darwin_amd64.go
@@ -0,0 +1,24 @@
+//go:build darwin && amd64
+
+package oomprofile
+
+type machVMRegionBasicInfoData struct {
+	Protection     int32
+	MaxProtection  int32
+	Inheritance    uint32
+	Shared         uint32
+	Reserved       uint32
+	Offset         [8]byte
+	Behavior       int32
+	UserWiredCount uint16
+	PadCgo1        [2]byte
+}
+
+const (
+	_VM_PROT_READ    = 0x1
+	_VM_PROT_EXECUTE = 0x4
+
+	_MACH_SEND_INVALID_DEST = 0x10000003
+
+	_MAXPATHLEN = 0x400
+)
--- a/experimental/libbox/internal/oomprofile/defs_darwin_arm64.go
+++ b/experimental/libbox/internal/oomprofile/defs_darwin_arm64.go
@@ -0,0 +1,24 @@
+//go:build darwin && arm64
+
+package oomprofile
+
+type machVMRegionBasicInfoData struct {
+	Protection     int32
+	MaxProtection  int32
+	Inheritance    uint32
+	Shared         int32
+	Reserved       int32
+	Offset         [8]byte
+	Behavior       int32
+	UserWiredCount uint16
+	PadCgo1        [2]byte
+}
+
+const (
+	_VM_PROT_READ    = 0x1
+	_VM_PROT_EXECUTE = 0x4
+
+	_MACH_SEND_INVALID_DEST = 0x10000003
+
+	_MAXPATHLEN = 0x400
+)
--- a/experimental/libbox/internal/oomprofile/linkname.go
+++ b/experimental/libbox/internal/oomprofile/linkname.go
@@ -0,0 +1,46 @@
+//go:build darwin || linux || windows
+
+package oomprofile
+
+import (
+	"runtime"
+	_ "runtime/pprof"
+	"unsafe"
+	_ "unsafe"
+)
+
+//go:linkname runtimeMemProfileInternal runtime.pprof_memProfileInternal
+func runtimeMemProfileInternal(p []memProfileRecord, inuseZero bool) (n int, ok bool)
+
+//go:linkname runtimeBlockProfileInternal runtime.pprof_blockProfileInternal
+func runtimeBlockProfileInternal(p []blockProfileRecord) (n int, ok bool)
+
+//go:linkname runtimeMutexProfileInternal runtime.pprof_mutexProfileInternal
+func runtimeMutexProfileInternal(p []blockProfileRecord) (n int, ok bool)
+
+//go:linkname runtimeThreadCreateInternal runtime.pprof_threadCreateInternal
+func runtimeThreadCreateInternal(p []stackRecord) (n int, ok bool)
+
+//go:linkname runtimeGoroutineProfileWithLabels runtime.pprof_goroutineProfileWithLabels
+func runtimeGoroutineProfileWithLabels(p []stackRecord, labels []unsafe.Pointer) (n int, ok bool)
+
+//go:linkname runtimeCyclesPerSecond runtime/pprof.runtime_cyclesPerSecond
+func runtimeCyclesPerSecond() int64
+
+//go:linkname runtimeMakeProfStack runtime.pprof_makeProfStack
+func runtimeMakeProfStack() []uintptr
+
+//go:linkname runtimeFrameStartLine runtime/pprof.runtime_FrameStartLine
+func runtimeFrameStartLine(f *runtime.Frame) int
+
+//go:linkname runtimeFrameSymbolName runtime/pprof.runtime_FrameSymbolName
+func runtimeFrameSymbolName(f *runtime.Frame) string
+
+//go:linkname runtimeExpandFinalInlineFrame runtime/pprof.runtime_expandFinalInlineFrame
+func runtimeExpandFinalInlineFrame(stk []uintptr) []uintptr
+
+//go:linkname stdParseProcSelfMaps runtime/pprof.parseProcSelfMaps
+func stdParseProcSelfMaps(data []byte, addMapping func(lo uint64, hi uint64, offset uint64, file string, buildID string))
+
+//go:linkname stdELFBuildID runtime/pprof.elfBuildID
+func stdELFBuildID(file string) (string, error)
--- a/experimental/libbox/internal/oomprofile/mapping_darwin.go
+++ b/experimental/libbox/internal/oomprofile/mapping_darwin.go
@@ -0,0 +1,56 @@
+//go:build darwin
+
+package oomprofile
+
+import (
+	"encoding/binary"
+	"os"
+	"unsafe"
+	_ "unsafe"
+)
+
+func isExecutable(protection int32) bool {
+	return (protection&_VM_PROT_EXECUTE) != 0 && (protection&_VM_PROT_READ) != 0
+}
+
+func (b *profileBuilder) readMapping() {
+	if !machVMInfo(b.addMapping) {
+		b.addMappingEntry(0, 0, 0, "", "", true)
+	}
+}
+
+func machVMInfo(addMapping func(lo uint64, hi uint64, off uint64, file string, buildID string)) bool {
+	added := false
+	addr := uint64(0x1)
+	for {
+		var regionSize uint64
+		var info machVMRegionBasicInfoData
+		kr := machVMRegion(&addr, &regionSize, unsafe.Pointer(&info))
+		if kr != 0 {
+			if kr == _MACH_SEND_INVALID_DEST {
+				return true
+			}
+			return added
+		}
+		if isExecutable(info.Protection) {
+			addMapping(addr, addr+regionSize, binary.LittleEndian.Uint64(info.Offset[:]), regionFilename(addr), "")
+			added = true
+		}
+		addr += regionSize
+	}
+}
+
+func regionFilename(address uint64) string {
+	buf := make([]byte, _MAXPATHLEN)
+	n := procRegionFilename(os.Getpid(), address, unsafe.SliceData(buf), int64(cap(buf)))
+	if n == 0 {
+		return ""
+	}
+	return string(buf[:n])
+}
+
+//go:linkname machVMRegion runtime/pprof.mach_vm_region
+func machVMRegion(address *uint64, regionSize *uint64, info unsafe.Pointer) int32
+
+//go:linkname procRegionFilename runtime/pprof.proc_regionfilename
+func procRegionFilename(pid int, address uint64, buf *byte, buflen int64) int32
--- a/experimental/libbox/internal/oomprofile/mapping_linux.go
+++ b/experimental/libbox/internal/oomprofile/mapping_linux.go
@@ -0,0 +1,13 @@
+//go:build linux
+
+package oomprofile
+
+import "os"
+
+func (b *profileBuilder) readMapping() {
+	data, _ := os.ReadFile("/proc/self/maps")
+	stdParseProcSelfMaps(data, b.addMapping)
+	if len(b.mem) == 0 {
+		b.addMappingEntry(0, 0, 0, "", "", true)
+	}
+}
--- a/experimental/libbox/internal/oomprofile/mapping_windows.go
+++ b/experimental/libbox/internal/oomprofile/mapping_windows.go
@@ -0,0 +1,58 @@
+//go:build windows
+
+package oomprofile
+
+import (
+	"errors"
+	"os"
+
+	"golang.org/x/sys/windows"
+)
+
+func (b *profileBuilder) readMapping() {
+	snapshot, err := createModuleSnapshot()
+	if err != nil {
+		b.addMappingEntry(0, 0, 0, "", "", true)
+		return
+	}
+	defer windows.CloseHandle(snapshot)
+
+	var module windows.ModuleEntry32
+	module.Size = uint32(windows.SizeofModuleEntry32)
+	err = windows.Module32First(snapshot, &module)
+	if err != nil {
+		b.addMappingEntry(0, 0, 0, "", "", true)
+		return
+	}
+	for err == nil {
+		exe := windows.UTF16ToString(module.ExePath[:])
+		b.addMappingEntry(
+			uint64(module.ModBaseAddr),
+			uint64(module.ModBaseAddr)+uint64(module.ModBaseSize),
+			0,
+			exe,
+			peBuildID(exe),
+			false,
+		)
+		err = windows.Module32Next(snapshot, &module)
+	}
+}
+
+func createModuleSnapshot() (windows.Handle, error) {
+	for {
+		snapshot, err := windows.CreateToolhelp32Snapshot(windows.TH32CS_SNAPMODULE|windows.TH32CS_SNAPMODULE32, uint32(windows.GetCurrentProcessId()))
+		var errno windows.Errno
+		if err != nil && errors.As(err, &errno) && errno == windows.ERROR_BAD_LENGTH {
+			continue
+		}
+		return snapshot, err
+	}
+}
+
+func peBuildID(file string) string {
+	info, err := os.Stat(file)
+	if err != nil {
+		return file
+	}
+	return file + info.ModTime().String()
+}
--- a/experimental/libbox/internal/oomprofile/oomprofile.go
+++ b/experimental/libbox/internal/oomprofile/oomprofile.go
@@ -0,0 +1,380 @@
+//go:build darwin || linux || windows
+
+package oomprofile
+
+import (
+	"fmt"
+	"io"
+	"math"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sort"
+	"strings"
+	"time"
+	"unsafe"
+)
+
+type stackRecord struct {
+	Stack []uintptr
+}
+
+type memProfileRecord struct {
+	AllocBytes, FreeBytes     int64
+	AllocObjects, FreeObjects int64
+	Stack                     []uintptr
+}
+
+func (r *memProfileRecord) InUseBytes() int64 {
+	return r.AllocBytes - r.FreeBytes
+}
+
+func (r *memProfileRecord) InUseObjects() int64 {
+	return r.AllocObjects - r.FreeObjects
+}
+
+type blockProfileRecord struct {
+	Count  int64
+	Cycles int64
+	Stack  []uintptr
+}
+
+type label struct {
+	key   string
+	value string
+}
+
+type labelSet struct {
+	list []label
+}
+
+type labelMap struct {
+	labelSet
+}
+
+func WriteFile(destPath string, name string) (string, error) {
+	writer, ok := profileWriters[name]
+	if !ok {
+		return "", fmt.Errorf("unsupported profile %q", name)
+	}
+
+	filePath := filepath.Join(destPath, name+".pb")
+	file, err := os.Create(filePath)
+	if err != nil {
+		return "", err
+	}
+	defer file.Close()
+
+	if err := writer(file); err != nil {
+		_ = os.Remove(filePath)
+		return "", err
+	}
+	if err := file.Close(); err != nil {
+		_ = os.Remove(filePath)
+		return "", err
+	}
+	return filePath, nil
+}
+
+var profileWriters = map[string]func(io.Writer) error{
+	"allocs":       writeAlloc,
+	"block":        writeBlock,
+	"goroutine":    writeGoroutine,
+	"heap":         writeHeap,
+	"mutex":        writeMutex,
+	"threadcreate": writeThreadCreate,
+}
+
+func writeHeap(w io.Writer) error {
+	return writeHeapInternal(w, "")
+}
+
+func writeAlloc(w io.Writer) error {
+	return writeHeapInternal(w, "alloc_space")
+}
+
+func writeHeapInternal(w io.Writer, defaultSampleType string) error {
+	var profile []memProfileRecord
+	n, ok := runtimeMemProfileInternal(nil, true)
+	for {
+		profile = make([]memProfileRecord, n+50)
+		n, ok = runtimeMemProfileInternal(profile, true)
+		if ok {
+			profile = profile[:n]
+			break
+		}
+	}
+	return writeHeapProto(w, profile, int64(runtime.MemProfileRate), defaultSampleType)
+}
+
+func writeGoroutine(w io.Writer) error {
+	return writeRuntimeProfile(w, "goroutine", runtimeGoroutineProfileWithLabels)
+}
+
+func writeThreadCreate(w io.Writer) error {
+	return writeRuntimeProfile(w, "threadcreate", func(p []stackRecord, _ []unsafe.Pointer) (int, bool) {
+		return runtimeThreadCreateInternal(p)
+	})
+}
+
+func writeRuntimeProfile(w io.Writer, name string, fetch func([]stackRecord, []unsafe.Pointer) (int, bool)) error {
+	var profile []stackRecord
+	var labels []unsafe.Pointer
+
+	n, ok := fetch(nil, nil)
+	for {
+		profile = make([]stackRecord, n+10)
+		labels = make([]unsafe.Pointer, n+10)
+		n, ok = fetch(profile, labels)
+		if ok {
+			profile = profile[:n]
+			labels = labels[:n]
+			break
+		}
+	}
+
+	return writeCountProfile(w, name, &runtimeProfile{profile, labels})
+}
+
+func writeBlock(w io.Writer) error {
+	return writeCycleProfile(w, "contentions", "delay", runtimeBlockProfileInternal)
+}
+
+func writeMutex(w io.Writer) error {
+	return writeCycleProfile(w, "contentions", "delay", runtimeMutexProfileInternal)
+}
+
+func writeCycleProfile(w io.Writer, countName string, cycleName string, fetch func([]blockProfileRecord) (int, bool)) error {
+	var profile []blockProfileRecord
+	n, ok := fetch(nil)
+	for {
+		profile = make([]blockProfileRecord, n+50)
+		n, ok = fetch(profile)
+		if ok {
+			profile = profile[:n]
+			break
+		}
+	}
+
+	sort.Slice(profile, func(i, j int) bool {
+		return profile[i].Cycles > profile[j].Cycles
+	})
+
+	builder := newProfileBuilder(w)
+	builder.pbValueType(tagProfile_PeriodType, countName, "count")
+	builder.pb.int64Opt(tagProfile_Period, 1)
+	builder.pbValueType(tagProfile_SampleType, countName, "count")
+	builder.pbValueType(tagProfile_SampleType, cycleName, "nanoseconds")
+
+	cpuGHz := float64(runtimeCyclesPerSecond()) / 1e9
+	values := []int64{0, 0}
+	var locs []uint64
+	expandedStack := runtimeMakeProfStack()
+	for _, record := range profile {
+		values[0] = record.Count
+		if cpuGHz > 0 {
+			values[1] = int64(float64(record.Cycles) / cpuGHz)
+		} else {
+			values[1] = 0
+		}
+		n := expandInlinedFrames(expandedStack, record.Stack)
+		locs = builder.appendLocsForStack(locs[:0], expandedStack[:n])
+		builder.pbSample(values, locs, nil)
+	}
+
+	return builder.build()
+}
+
+type countProfile interface {
+	Len() int
+	Stack(i int) []uintptr
+	Label(i int) *labelMap
+}
+
+type runtimeProfile struct {
+	stk    []stackRecord
+	labels []unsafe.Pointer
+}
+
+func (p *runtimeProfile) Len() int {
+	return len(p.stk)
+}
+
+func (p *runtimeProfile) Stack(i int) []uintptr {
+	return p.stk[i].Stack
+}
+
+func (p *runtimeProfile) Label(i int) *labelMap {
+	return (*labelMap)(p.labels[i])
+}
+
+func writeCountProfile(w io.Writer, name string, profile countProfile) error {
+	var buf strings.Builder
+	key := func(stk []uintptr, labels *labelMap) string {
+		buf.Reset()
+		buf.WriteByte('@')
+		for _, pc := range stk {
+			fmt.Fprintf(&buf, " %#x", pc)
+		}
+		if labels != nil {
+			buf.WriteString("\n# labels:")
+			for _, label := range labels.list {
+				fmt.Fprintf(&buf, " %q:%q", label.key, label.value)
+			}
+		}
+		return buf.String()
+	}
+
+	counts := make(map[string]int)
+	index := make(map[string]int)
+	var keys []string
+	for i := 0; i < profile.Len(); i++ {
+		k := key(profile.Stack(i), profile.Label(i))
+		if counts[k] == 0 {
+			index[k] = i
+			keys = append(keys, k)
+		}
+		counts[k]++
+	}
+
+	sort.Sort(&keysByCount{keys: keys, count: counts})
+
+	builder := newProfileBuilder(w)
+	builder.pbValueType(tagProfile_PeriodType, name, "count")
+	builder.pb.int64Opt(tagProfile_Period, 1)
+	builder.pbValueType(tagProfile_SampleType, name, "count")
+
+	values := []int64{0}
+	var locs []uint64
+	for _, k := range keys {
+		values[0] = int64(counts[k])
+		idx := index[k]
+		locs = builder.appendLocsForStack(locs[:0], profile.Stack(idx))
+
+		var labels func()
+		if profile.Label(idx) != nil {
+			labels = func() {
+				for _, label := range profile.Label(idx).list {
+					builder.pbLabel(tagSample_Label, label.key, label.value, 0)
+				}
+			}
+		}
+		builder.pbSample(values, locs, labels)
+	}
+
+	return builder.build()
+}
+
+type keysByCount struct {
+	keys  []string
+	count map[string]int
+}
+
+func (x *keysByCount) Len() int {
+	return len(x.keys)
+}
+
+func (x *keysByCount) Swap(i int, j int) {
+	x.keys[i], x.keys[j] = x.keys[j], x.keys[i]
+}
+
+func (x *keysByCount) Less(i int, j int) bool {
+	ki, kj := x.keys[i], x.keys[j]
+	ci, cj := x.count[ki], x.count[kj]
+	if ci != cj {
+		return ci > cj
+	}
+	return ki < kj
+}
+
+func expandInlinedFrames(dst []uintptr, pcs []uintptr) int {
+	frames := runtime.CallersFrames(pcs)
+	var n int
+	for n < len(dst) {
+		frame, more := frames.Next()
+		dst[n] = frame.PC + 1
+		n++
+		if !more {
+			break
+		}
+	}
+	return n
+}
+
+func writeHeapProto(w io.Writer, profile []memProfileRecord, rate int64, defaultSampleType string) error {
+	builder := newProfileBuilder(w)
+	builder.pbValueType(tagProfile_PeriodType, "space", "bytes")
+	builder.pb.int64Opt(tagProfile_Period, rate)
+	builder.pbValueType(tagProfile_SampleType, "alloc_objects", "count")
+	builder.pbValueType(tagProfile_SampleType, "alloc_space", "bytes")
+	builder.pbValueType(tagProfile_SampleType, "inuse_objects", "count")
+	builder.pbValueType(tagProfile_SampleType, "inuse_space", "bytes")
+	if defaultSampleType != "" {
+		builder.pb.int64Opt(tagProfile_DefaultSampleType, builder.stringIndex(defaultSampleType))
+	}
+
+	values := []int64{0, 0, 0, 0}
+	var locs []uint64
+	for _, record := range profile {
+		hideRuntime := true
+		for tries := 0; tries < 2; tries++ {
+			stk := record.Stack
+			if hideRuntime {
+				for i, addr := range stk {
+					if f := runtime.FuncForPC(addr); f != nil && (strings.HasPrefix(f.Name(), "runtime.") || strings.HasPrefix(f.Name(), "internal/runtime/")) {
+						continue
+					}
+					stk = stk[i:]
+					break
+				}
+			}
+			locs = builder.appendLocsForStack(locs[:0], stk)
+			if len(locs) > 0 {
+				break
+			}
+			hideRuntime = false
+		}
+
+		values[0], values[1] = scaleHeapSample(record.AllocObjects, record.AllocBytes, rate)
+		values[2], values[3] = scaleHeapSample(record.InUseObjects(), record.InUseBytes(), rate)
+
+		var blockSize int64
+		if record.AllocObjects > 0 {
+			blockSize = record.AllocBytes / record.AllocObjects
+		}
+		builder.pbSample(values, locs, func() {
+			if blockSize != 0 {
+				builder.pbLabel(tagSample_Label, "bytes", "", blockSize)
+			}
+		})
+	}
+
+	return builder.build()
+}
+
+func scaleHeapSample(count int64, size int64, rate int64) (int64, int64) {
+	if count == 0 || size == 0 {
+		return 0, 0
+	}
+	if rate <= 1 {
+		return count, size
+	}
+
+	avgSize := float64(size) / float64(count)
+	scale := 1 / (1 - math.Exp(-avgSize/float64(rate)))
+	return int64(float64(count) * scale), int64(float64(size) * scale)
+}
+
+type profileBuilder struct {
+	start time.Time
+	w     io.Writer
+	err   error
+
+	pb        protobuf
+	strings   []string
+	stringMap map[string]int
+	locs      map[uintptr]locInfo
+	funcs     map[string]int
+	mem       []memMap
+	deck      pcDeck
+}
--- a/experimental/libbox/internal/oomprofile/protobuf.go
+++ b/experimental/libbox/internal/oomprofile/protobuf.go
@@ -0,0 +1,120 @@
+//go:build darwin || linux || windows
+
+package oomprofile
+
+type protobuf struct {
+	data []byte
+	tmp  [16]byte
+	nest int
+}
+
+func (b *protobuf) varint(x uint64) {
+	for x >= 128 {
+		b.data = append(b.data, byte(x)|0x80)
+		x >>= 7
+	}
+	b.data = append(b.data, byte(x))
+}
+
+func (b *protobuf) length(tag int, length int) {
+	b.varint(uint64(tag)<<3 | 2)
+	b.varint(uint64(length))
+}
+
+func (b *protobuf) uint64(tag int, x uint64) {
+	b.varint(uint64(tag)<<3 | 0)
+	b.varint(x)
+}
+
+func (b *protobuf) uint64s(tag int, x []uint64) {
+	if len(x) > 2 {
+		n1 := len(b.data)
+		for _, u := range x {
+			b.varint(u)
+		}
+		n2 := len(b.data)
+		b.length(tag, n2-n1)
+		n3 := len(b.data)
+		copy(b.tmp[:], b.data[n2:n3])
+		copy(b.data[n1+(n3-n2):], b.data[n1:n2])
+		copy(b.data[n1:], b.tmp[:n3-n2])
+		return
+	}
+	for _, u := range x {
+		b.uint64(tag, u)
+	}
+}
+
+func (b *protobuf) uint64Opt(tag int, x uint64) {
+	if x == 0 {
+		return
+	}
+	b.uint64(tag, x)
+}
+
+func (b *protobuf) int64(tag int, x int64) {
+	b.uint64(tag, uint64(x))
+}
+
+func (b *protobuf) int64Opt(tag int, x int64) {
+	if x == 0 {
+		return
+	}
+	b.int64(tag, x)
+}
+
+func (b *protobuf) int64s(tag int, x []int64) {
+	if len(x) > 2 {
+		n1 := len(b.data)
+		for _, u := range x {
+			b.varint(uint64(u))
+		}
+		n2 := len(b.data)
+		b.length(tag, n2-n1)
+		n3 := len(b.data)
+		copy(b.tmp[:], b.data[n2:n3])
+		copy(b.data[n1+(n3-n2):], b.data[n1:n2])
+		copy(b.data[n1:], b.tmp[:n3-n2])
+		return
+	}
+	for _, u := range x {
+		b.int64(tag, u)
+	}
+}
+
+func (b *protobuf) bool(tag int, x bool) {
+	if x {
+		b.uint64(tag, 1)
+	} else {
+		b.uint64(tag, 0)
+	}
+}
+
+func (b *protobuf) string(tag int, x string) {
+	b.length(tag, len(x))
+	b.data = append(b.data, x...)
+}
+
+func (b *protobuf) strings(tag int, x []string) {
+	for _, s := range x {
+		b.string(tag, s)
+	}
+}
+
+type msgOffset int
+
+func (b *protobuf) startMessage() msgOffset {
+	b.nest++
+	return msgOffset(len(b.data))
+}
+
+func (b *protobuf) endMessage(tag int, start msgOffset) {
+	n1 := int(start)
+	n2 := len(b.data)
+	b.length(tag, n2-n1)
+	n3 := len(b.data)
+	copy(b.tmp[:], b.data[n2:n3])
+	copy(b.data[n1+(n3-n2):], b.data[n1:n2])
+	copy(b.data[n1:], b.tmp[:n3-n2])
+	b.nest--
+}
--- a/experimental/libbox/log.go
+++ b/experimental/libbox/log.go
@@ -1,24 +1,76 @@
-//go:build darwin || linux
+//go:build darwin || linux || windows

 package libbox

 import (
+	"archive/zip"
+	"io"
+	"io/fs"
 	"os"
+	"path/filepath"
 	"runtime"
 	"runtime/debug"
+	"time"
 )

-var crashOutputFile *os.File
+type crashReportMetadata struct {
+	reportMetadata
+	CrashedAt       string `json:"crashedAt,omitempty"`
+	SignalName      string `json:"signalName,omitempty"`
+	SignalCode      string `json:"signalCode,omitempty"`
+	ExceptionName   string `json:"exceptionName,omitempty"`
+	ExceptionReason string `json:"exceptionReason,omitempty"`
+}

-func RedirectStderr(path string) error {
-	if stats, err := os.Stat(path); err == nil && stats.Size() > 0 {
-		_ = os.Rename(path, path+".old")
+func archiveCrashReport(path string, crashReportsDir string) {
+	content, err := os.ReadFile(path)
+	if err != nil || len(content) == 0 {
+		return
 	}
+
+	info, _ := os.Stat(path)
+	crashTime := time.Now().UTC()
+	if info != nil {
+		crashTime = info.ModTime().UTC()
+	}
+
+	initReportDir(crashReportsDir)
+	destPath, err := nextAvailableReportPath(crashReportsDir, crashTime)
+	if err != nil {
+		return
+	}
+	initReportDir(destPath)
+
+	writeReportFile(destPath, "go.log", content)
+	metadata := crashReportMetadata{
+		reportMetadata: baseReportMetadata(),
+		CrashedAt:      crashTime.Format(time.RFC3339),
+	}
+	writeReportMetadata(destPath, metadata)
+	os.Remove(path)
+	copyConfigSnapshot(destPath)
+}
+
+func configSnapshotPath() string {
+	return filepath.Join(sBasePath, "configuration.json")
+}
+
+func saveConfigSnapshot(configContent string) {
+	snapshotPath := configSnapshotPath()
+	os.WriteFile(snapshotPath, []byte(configContent), 0o666)
+	chownReport(snapshotPath)
+}
+
+func redirectStderr(path string) error {
+	crashReportsDir := filepath.Join(sWorkingPath, "crash_reports")
+	archiveCrashReport(path, crashReportsDir)
+	archiveCrashReport(path+".old", crashReportsDir)
+
 	outputFile, err := os.Create(path)
 	if err != nil {
 		return err
 	}
-	if runtime.GOOS != "android" {
+	if runtime.GOOS != "android" && runtime.GOOS != "windows" {
 		err = outputFile.Chown(sUserID, sGroupID)
 		if err != nil {
 			outputFile.Close()
@@ -26,12 +78,88 @@ func RedirectStderr(path string) error {
 			return err
 		}
 	}
+
 	err = debug.SetCrashOutput(outputFile, debug.CrashOptions{})
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputFile.Name())
 		return err
 	}
-	crashOutputFile = outputFile
+	_ = outputFile.Close()
 	return nil
 }
+
+func CreateZipArchive(sourcePath string, destinationPath string) error {
+	sourceInfo, err := os.Stat(sourcePath)
+	if err != nil {
+		return err
+	}
+	if !sourceInfo.IsDir() {
+		return os.ErrInvalid
+	}
+
+	destinationFile, err := os.Create(destinationPath)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		_ = destinationFile.Close()
+	}()
+
+	zipWriter := zip.NewWriter(destinationFile)
+
+	rootName := filepath.Base(sourcePath)
+	err = filepath.WalkDir(sourcePath, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+
+		relativePath, err := filepath.Rel(sourcePath, path)
+		if err != nil {
+			return err
+		}
+		if relativePath == "." {
+			return nil
+		}
+
+		archivePath := filepath.ToSlash(filepath.Join(rootName, relativePath))
+		if d.IsDir() {
+			_, err = zipWriter.Create(archivePath + "/")
+			return err
+		}
+
+		fileInfo, err := d.Info()
+		if err != nil {
+			return err
+		}
+		header, err := zip.FileInfoHeader(fileInfo)
+		if err != nil {
+			return err
+		}
+		header.Name = archivePath
+		header.Method = zip.Deflate
+
+		writer, err := zipWriter.CreateHeader(header)
+		if err != nil {
+			return err
+		}
+
+		sourceFile, err := os.Open(path)
+		if err != nil {
+			return err
+		}
+
+		_, err = io.Copy(writer, sourceFile)
+		closeErr := sourceFile.Close()
+		if err != nil {
+			return err
+		}
+		return closeErr
+	})
+	if err != nil {
+		_ = zipWriter.Close()
+		return err
+	}
+
+	return zipWriter.Close()
+}
--- a/experimental/libbox/memory.go
+++ b/experimental/libbox/memory.go
@@ -1,26 +0,0 @@
-package libbox
-
-import (
-	"math"
-	runtimeDebug "runtime/debug"
-
-	C "github.com/sagernet/sing-box/constant"
-)
-
-var memoryLimitEnabled bool
-
-func SetMemoryLimit(enabled bool) {
-	memoryLimitEnabled = enabled
-	const memoryLimitGo = 45 * 1024 * 1024
-	if enabled {
-		runtimeDebug.SetGCPercent(10)
-		if C.IsIos {
-			runtimeDebug.SetMemoryLimit(memoryLimitGo)
-		}
-	} else {
-		runtimeDebug.SetGCPercent(100)
-		if C.IsIos {
-			runtimeDebug.SetMemoryLimit(math.MaxInt64)
-		}
-	}
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
dependabot[bot]	440c3b947e	build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go) from 1.31.0 to 1.43.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.31.0...v1.43.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp dependency-version: 1.43.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-08 19:46:34 +00:00
世界	f4de7d622a	tools: Network Quality	2026-04-08 14:44:14 +08:00
世界	fcd2b90852	tun: Fixes	2026-04-07 23:39:49 +08:00
世界	0d772e6893	oom-killer: Free memory on pressure notification and use gradual interval backoff	2026-04-07 23:38:44 +08:00
世界	4806d5e588	Fix deprecated warning double-formatting on localized clients	2026-04-07 23:37:48 +08:00
世界	2df43e4d1b	platform: Fix set local	2026-04-07 23:37:48 +08:00
世界	5cbd7974df	Reformat code	2026-04-07 23:37:41 +08:00
nekohasekai	63b79b3087	Add evaluate DNS rule action and related rule items	2026-04-07 20:02:32 +08:00
世界	a8feb5aa21	tun: Reduce iOS TCP buffers	2026-04-07 14:17:18 +08:00
世界	62cb06c02f	Also enable certificate store by default on Apple platforms `SecTrustEvaluateWithError` is serial	2026-04-07 13:43:10 +08:00
世界	00ec31142f	Bump version	2026-04-06 23:39:52 +08:00
世界	83a0b44659	platform: Add OOM Report & Crash Rerport	2026-04-06 23:36:06 +08:00
世界	95fd74a9f9	Add BBR profile and hop interval randomization for Hysteria2	2026-04-06 23:36:06 +08:00
nekohasekai	d98ab6f1b8	Refactor ACME support to certificate provider	2026-04-06 23:36:05 +08:00
世界	b1379a23a5	cronet-go: Update chromium to 145.0.7632.159	2026-04-06 23:36:05 +08:00
世界	c79a3a81e7	documentation: Update descriptions for neighbor rules	2026-04-06 23:36:05 +08:00
世界	18e64323ef	Add macOS support for MAC and hostname rule items	2026-04-06 23:36:05 +08:00
世界	594932a226	Add Android support for MAC and hostname rule items	2026-04-06 23:36:05 +08:00
世界	793ad6ffc5	Add MAC and hostname rule items	2026-04-06 23:36:05 +08:00