Bump version

.fpm_systemd

@@ -4,7 +4,6 @@
 --license GPL-3.0-or-later
 --description "The universal proxy platform."
 --url "https://sing-box.sagernet.org/"
---vendor SagerNet
 --maintainer "nekohasekai <contact-git@sekai.icu>"
 --deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
 --no-deb-generate-changes

constant/proxy.go

@@ -25,7 +25,6 @@ const (
 	TypeTUIC         = "tuic"
 	TypeHysteria2    = "hysteria2"
 	TypeTailscale    = "tailscale"
-	TypeCloudflared  = "cloudflared"
 	TypeDERP         = "derp"
 	TypeResolved     = "resolved"
 	TypeSSMAPI       = "ssm-api"
@@ -89,8 +88,6 @@ func ProxyDisplayName(proxyType string) string {
 		return "AnyTLS"
 	case TypeTailscale:
 		return "Tailscale"
-	case TypeCloudflared:
-		return "Cloudflared"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:

docs/changelog.md

@@ -2,15 +2,7 @@
 icon: material/alert-decagram
 ---
 
-#### 1.13.6
-
-* Fixes and improvements
-
-#### 1.13.5
-
-* Fixes and improvements
-
-#### 1.13.4
+#### 1.13.4-beta.2
 
 * Fixes and improvements
 

docs/configuration/dns/rule.md

@@ -209,7 +209,7 @@ icon: material/alert-decagram
     (`source_port` || `source_port_range`) &&  
     `other fields`
 
-    Additionally, each branch inside an included rule-set can be considered merged into the outer rule, while different branches keep OR semantics.
+    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
 
 #### inbound
 
@@ -546,4 +546,4 @@ Match any IP with query response.
 
 #### rules
 
-Included rules.
+Included rules.

docs/configuration/dns/rule.zh.md

@@ -208,7 +208,7 @@ icon: material/alert-decagram
     (`source_port` || `source_port_range`) &&  
     `other fields`
 
-    另外，引用规则集中的每个分支都可视为与外层规则合并，不同分支之间仍保持 OR 语义。
+    另外，引用的规则集可视为被合并，而不是作为一个单独的规则子项。
 
 #### inbound
 
@@ -550,4 +550,4 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 ==必填==
 
-包括的规则。
+包括的规则。

docs/configuration/route/rule.md

@@ -199,7 +199,7 @@ icon: material/new-box
     (`source_port` || `source_port_range`) &&  
     `other fields`
 
-    Additionally, each branch inside an included rule-set can be considered merged into the outer rule, while different branches keep OR semantics.
+    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
 
 #### inbound
 

docs/configuration/route/rule.zh.md

@@ -197,7 +197,7 @@ icon: material/new-box
     (`source_port` || `source_port_range`) &&  
     `other fields`
 
-    另外，引用规则集中的每个分支都可视为与外层规则合并，不同分支之间仍保持 OR 语义。
+    另外，引用的规则集可视为被合并，而不是作为一个单独的规则子项。
 
 #### inbound
 
@@ -501,4 +501,4 @@ icon: material/new-box
 
 ==必填==
 
-包括的规则。
+包括的规则。

experimental/libbox/http.go

@@ -52,11 +52,6 @@ type HTTPRequest interface {
 type HTTPResponse interface {
 	GetContent() (*StringBox, error)
 	WriteTo(path string) error
-	WriteToWithProgress(path string, handler HTTPResponseWriteToProgressHandler) error
-}
-
-type HTTPResponseWriteToProgressHandler interface {
-	Update(progress int64, total int64)
 }
 
 var (
@@ -244,31 +239,3 @@ func (h *httpResponse) WriteTo(path string) error {
 	defer file.Close()
 	return common.Error(bufio.Copy(file, h.Body))
 }
-
-func (h *httpResponse) WriteToWithProgress(path string, handler HTTPResponseWriteToProgressHandler) error {
-	defer h.Body.Close()
-	file, err := os.Create(path)
-	if err != nil {
-		return err
-	}
-	defer file.Close()
-	return common.Error(bufio.Copy(&progressWriter{
-		writer:  file,
-		handler: handler,
-		total:   h.ContentLength,
-	}, h.Body))
-}
-
-type progressWriter struct {
-	writer  io.Writer
-	handler HTTPResponseWriteToProgressHandler
-	total   int64
-	written int64
-}
-
-func (w *progressWriter) Write(p []byte) (int, error) {
-	n, err := w.writer.Write(p)
-	w.written += int64(n)
-	w.handler.Update(w.written, w.total)
-	return n, err
-}

go.mod

@@ -33,14 +33,13 @@ require (
 	github.com/sagernet/gomobile v0.1.12
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
 	github.com/sagernet/quic-go v0.59.0-sing-box-mod.4
-	github.com/sagernet/sing v0.8.4
-	github.com/sagernet/sing-cloudflared v0.0.0-20260407120610-7715dc2523fa
+	github.com/sagernet/sing v0.8.3-0.20260315153529-ed51f65fbfde
 	github.com/sagernet/sing-mux v0.3.4
-	github.com/sagernet/sing-quic v0.6.1
+	github.com/sagernet/sing-quic v0.6.0
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.8.7-0.20260402180740-11f6e77ec6c6
+	github.com/sagernet/sing-tun v0.8.6
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.50-sing-box-mod.1
 	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.7
@@ -71,7 +70,6 @@ require (
 	github.com/caddyserver/zerossl v0.1.5 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
-	github.com/coreos/go-oidc/v3 v3.17.0 // indirect
 	github.com/database64128/netx-go v0.1.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
@@ -81,7 +79,6 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/gaissmai/bart v0.18.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
@@ -102,7 +99,6 @@ require (
 	github.com/mdlayher/netlink v1.9.0 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
-	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pires/go-proxyproto v0.8.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
@@ -169,5 +165,4 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect
-	zombiezen.com/go/capnproto2 v2.18.2+incompatible // indirect
 )

go.sum

@@ -28,8 +28,6 @@ github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9
 github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
 github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 h1:8h5+bWd7R6AYUslN6c6iuZWTKsKxUFDlpnmilO6R2n0=
 github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
-github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
-github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
@@ -112,8 +110,6 @@ github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zt
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
-github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
-github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/letsencrypt/challtestsrv v1.4.2 h1:0ON3ldMhZyWlfVNYYpFuWRTmZNnyfiL9Hh5YzC3JVwU=
 github.com/letsencrypt/challtestsrv v1.4.2/go.mod h1:GhqMqcSoeGpYd5zX5TgwA6er/1MbWzx/o7yuuVya+Wk=
 github.com/letsencrypt/pebble/v2 v2.10.0 h1:Wq6gYXlsY6ubqI3hhxsTzdyotvfdjFBxuwYqCLCnj/U=
@@ -146,8 +142,6 @@ github.com/openai/openai-go/v3 v3.26.0 h1:bRt6H/ozMNt/dDkN4gobnLqaEGrRGBzmbVs0xx
 github.com/openai/openai-go/v3 v3.26.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
 github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
-github.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=
-github.com/philhofer/fwd v1.2.0/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
 github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
@@ -242,22 +236,20 @@ github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNen
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4 h1:6qvrUW79S+CrPwWz6cMePXohgjHoKxLo3c+MDhNwc3o=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.8.4 h1:Fj+jlY3F8vhcRfz/G/P3Dwcs5wqnmyNPT7u1RVVmjFI=
-github.com/sagernet/sing v0.8.4/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
-github.com/sagernet/sing-cloudflared v0.0.0-20260407120610-7715dc2523fa h1:165HiOfgfofJIirEp1NGSmsoJAi+++WhR29IhtAu4A4=
-github.com/sagernet/sing-cloudflared v0.0.0-20260407120610-7715dc2523fa/go.mod h1:bH2NKX+NpDTY1Zkxfboxw6MXB/ZywaNLmrDJYgKMJ2Y=
+github.com/sagernet/sing v0.8.3-0.20260315153529-ed51f65fbfde h1:RNQzlpnsXIuu1HGts/fIzJ1PR7RhrzaNlU52MDyiX1c=
+github.com/sagernet/sing v0.8.3-0.20260315153529-ed51f65fbfde/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
 github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
-github.com/sagernet/sing-quic v0.6.1 h1:lx0tcm99wIA1RkyvILNzRSsMy1k7TTQYIhx71E/WBlw=
-github.com/sagernet/sing-quic v0.6.1/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
+github.com/sagernet/sing-quic v0.6.0 h1:dhrFnP45wgVKEOT1EvtsToxdzRnHIDIAgj6WHV9pLyM=
+github.com/sagernet/sing-quic v0.6.0/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
 github.com/sagernet/sing-shadowsocks v0.2.8/go.mod h1:lo7TWEMDcN5/h5B8S0ew+r78ZODn6SwVaFhvB6H+PTI=
 github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnqqs2gQ2/Qioo=
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.7-0.20260402180740-11f6e77ec6c6 h1:HV2I7DicF5Ar8v6F55f03W5FviBB7jgvLhJSDwbFvbk=
-github.com/sagernet/sing-tun v0.8.7-0.20260402180740-11f6e77ec6c6/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
+github.com/sagernet/sing-tun v0.8.6 h1:NydXFikSXhiKqhahHKtuZ90HQPZFzlOFVRONmkr4C7I=
+github.com/sagernet/sing-tun v0.8.6/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=
@@ -302,8 +294,6 @@ github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
 github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
-github.com/tinylib/msgp v1.6.3 h1:bCSxiTz386UTgyT1i0MSCvdbWjVW+8sG3PjkGsZQt4s=
-github.com/tinylib/msgp v1.6.3/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77roAqEA=
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
@@ -411,5 +401,3 @@ lukechampine.com/blake3 v1.3.0 h1:sJ3XhFINmHSrYCgl958hscfIa3bw8x4DqMP3u1YvoYE=
 lukechampine.com/blake3 v1.3.0/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
 software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
 software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
-zombiezen.com/go/capnproto2 v2.18.2+incompatible h1:v3BD1zbruvffn7zjJUU5Pn8nZAB11bhZSQC4W+YnnKo=
-zombiezen.com/go/capnproto2 v2.18.2+incompatible/go.mod h1:XO5Pr2SbXgqZwn0m0Ru54QBqpOf4K5AYBO+8LAOBQEQ=

include/cloudflared.go

@@ -1,12 +0,0 @@
-//go:build with_cloudflared
-
-package include
-
-import (
-	"github.com/sagernet/sing-box/adapter/inbound"
-	"github.com/sagernet/sing-box/protocol/cloudflare"
-)
-
-func registerCloudflaredInbound(registry *inbound.Registry) {
-	cloudflare.RegisterInbound(registry)
-}

include/cloudflared_stub.go

@@ -1,20 +0,0 @@
-//go:build !with_cloudflared
-
-package include
-
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/adapter/inbound"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-func registerCloudflaredInbound(registry *inbound.Registry) {
-	inbound.Register[option.CloudflaredInboundOptions](registry, C.TypeCloudflared, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.CloudflaredInboundOptions) (adapter.Inbound, error) {
-		return nil, E.New(`Cloudflared is not included in this build, rebuild with -tags with_cloudflared`)
-	})
-}

include/registry.go

@@ -64,7 +64,6 @@ func InboundRegistry() *inbound.Registry {
 	anytls.RegisterInbound(registry)
 
 	registerQUICInbounds(registry)
-	registerCloudflaredInbound(registry)
 	registerStubForRemovedInbounds(registry)
 
 	return registry

option/cloudflared.go

@@ -1,16 +0,0 @@
-package option
-
-import "github.com/sagernet/sing/common/json/badoption"
-
-type CloudflaredInboundOptions struct {
-	Token           string              `json:"token,omitempty"`
-	HAConnections   int                 `json:"ha_connections,omitempty"`
-	Protocol        string              `json:"protocol,omitempty"`
-	PostQuantum     bool                `json:"post_quantum,omitempty"`
-	ControlDialer   DialerOptions       `json:"control_dialer,omitempty"`
-	TunnelDialer    DialerOptions       `json:"tunnel_dialer,omitempty"`
-	EdgeIPVersion   int                 `json:"edge_ip_version,omitempty"`
-	DatagramVersion string              `json:"datagram_version,omitempty"`
-	GracePeriod     *badoption.Duration `json:"grace_period,omitempty"`
-	Region          string              `json:"region,omitempty"`
-}

protocol/cloudflare/inbound.go

@@ -1,176 +0,0 @@
-//go:build with_cloudflared
-
-package cloudflare
-
-import (
-	"context"
-	"net"
-	"sync"
-	"time"
-
-	cloudflared "github.com/sagernet/sing-cloudflared"
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/adapter/inbound"
-	boxDialer "github.com/sagernet/sing-box/common/dialer"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json/badoption"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/pipe"
-	tun "github.com/sagernet/sing-tun"
-)
-
-func RegisterInbound(registry *inbound.Registry) {
-	inbound.Register[option.CloudflaredInboundOptions](registry, C.TypeCloudflared, NewInbound)
-}
-
-func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.CloudflaredInboundOptions) (adapter.Inbound, error) {
-	controlDialer, err := boxDialer.NewWithOptions(boxDialer.Options{
-		Context:        ctx,
-		Options:        options.ControlDialer,
-		RemoteIsDomain: true,
-	})
-	if err != nil {
-		return nil, E.Cause(err, "build cloudflared control dialer")
-	}
-	tunnelDialer, err := boxDialer.NewWithOptions(boxDialer.Options{
-		Context: ctx,
-		Options: options.TunnelDialer,
-	})
-	if err != nil {
-		return nil, E.Cause(err, "build cloudflared tunnel dialer")
-	}
-
-	service, err := cloudflared.NewService(cloudflared.ServiceOptions{
-		Logger:           logger,
-		ConnectionDialer: &routerDialer{router: router, tag: tag},
-		ControlDialer:    controlDialer,
-		TunnelDialer:     tunnelDialer,
-		ICMPHandler:      &icmpRouterHandler{router: router, tag: tag},
-		ConnContext: func(ctx context.Context) context.Context {
-			return adapter.WithContext(ctx, &adapter.InboundContext{
-				Inbound:     tag,
-				InboundType: C.TypeCloudflared,
-			})
-		},
-		Token:           options.Token,
-		HAConnections:   options.HAConnections,
-		Protocol:        options.Protocol,
-		PostQuantum:     options.PostQuantum,
-		EdgeIPVersion:   options.EdgeIPVersion,
-		DatagramVersion: options.DatagramVersion,
-		GracePeriod:     resolveGracePeriod(options.GracePeriod),
-		Region:          options.Region,
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	return &Inbound{
-		Adapter: inbound.NewAdapter(C.TypeCloudflared, tag),
-		service: service,
-	}, nil
-}
-
-type Inbound struct {
-	inbound.Adapter
-	service *cloudflared.Service
-}
-
-func (i *Inbound) Start(stage adapter.StartStage) error {
-	if stage != adapter.StartStateStart {
-		return nil
-	}
-	return i.service.Start()
-}
-
-func (i *Inbound) Close() error {
-	return i.service.Close()
-}
-
-func resolveGracePeriod(value *badoption.Duration) time.Duration {
-	if value == nil {
-		return 0
-	}
-	return time.Duration(*value)
-}
-
-// routerDialer bridges N.Dialer to the sing-box router for origin connections.
-type routerDialer struct {
-	router adapter.Router
-	tag    string
-}
-
-func (d *routerDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	input, output := pipe.Pipe()
-	done := make(chan struct{})
-	metadata := adapter.InboundContext{
-		Inbound:     d.tag,
-		InboundType: C.TypeCloudflared,
-		Network:     N.NetworkTCP,
-		Destination: destination,
-	}
-	var closeOnce sync.Once
-	closePipe := func() {
-		closeOnce.Do(func() {
-			common.Close(input, output)
-		})
-	}
-	go d.router.RouteConnectionEx(ctx, output, metadata, N.OnceClose(func(it error) {
-		closePipe()
-		close(done)
-	}))
-	return input, nil
-}
-
-func (d *routerDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	originDialer, ok := d.router.(routedOriginPacketDialer)
-	if !ok {
-		return nil, E.New("router does not support cloudflare routed packet dialing")
-	}
-	packetConn, err := originDialer.DialRoutePacketConnection(ctx, adapter.InboundContext{
-		Inbound:     d.tag,
-		InboundType: C.TypeCloudflared,
-		Network:     N.NetworkUDP,
-		Destination: destination,
-		UDPConnect:  true,
-	})
-	if err != nil {
-		return nil, err
-	}
-	return bufio.NewNetPacketConn(packetConn), nil
-}
-
-type routedOriginPacketDialer interface {
-	DialRoutePacketConnection(ctx context.Context, metadata adapter.InboundContext) (N.PacketConn, error)
-}
-
-// icmpRouterHandler bridges cloudflared.ICMPHandler to router.PreMatch.
-type icmpRouterHandler struct {
-	router adapter.Router
-	tag    string
-}
-
-func (h *icmpRouterHandler) RouteICMPConnection(ctx context.Context, session tun.DirectRouteSession, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
-	var ipVersion uint8
-	if session.Source.Is4() {
-		ipVersion = 4
-	} else {
-		ipVersion = 6
-	}
-	metadata := adapter.InboundContext{
-		Inbound:           h.tag,
-		InboundType:       C.TypeCloudflared,
-		IPVersion:         ipVersion,
-		Network:           N.NetworkICMP,
-		Source:            M.SocksaddrFrom(session.Source, 0),
-		Destination:       M.SocksaddrFrom(session.Destination, 0),
-		OriginDestination: M.SocksaddrFrom(session.Destination, 0),
-	}
-	return h.router.PreMatch(metadata, routeContext, timeout, false)
-}

protocol/naive/inbound.go

@@ -29,10 +29,7 @@ import (
 	"golang.org/x/net/http2/h2c"
 )
 
-var (
-	ConfigureHTTP3ListenerFunc func(ctx context.Context, logger logger.Logger, listener *listener.Listener, handler http.Handler, tlsConfig tls.ServerConfig, options option.NaiveInboundOptions) (io.Closer, error)
-	WrapError                  func(error) error
-)
+var ConfigureHTTP3ListenerFunc func(ctx context.Context, logger logger.Logger, listener *listener.Listener, handler http.Handler, tlsConfig tls.ServerConfig, options option.NaiveInboundOptions) (io.Closer, error)
 
 func RegisterInbound(registry *inbound.Registry) {
 	inbound.Register[option.NaiveInboundOptions](registry, C.TypeNaive, NewInbound)

protocol/naive/inbound_conn.go

@@ -95,7 +95,7 @@ func (p *paddingConn) writeWithPadding(writer io.Writer, data []byte) (n int, er
 		binary.BigEndian.PutUint16(header, uint16(len(data)))
 		header[2] = byte(paddingSize)
 		common.Must1(buffer.Write(data))
-		common.Must(buffer.WriteZeroN(paddingSize))
+		buffer.Extend(paddingSize)
 		_, err = writer.Write(buffer.Bytes())
 		if err == nil {
 			n = len(data)
@@ -117,7 +117,7 @@ func (p *paddingConn) writeBufferWithPadding(writer io.Writer, buffer *buf.Buffe
 		header := buffer.ExtendHeader(3)
 		binary.BigEndian.PutUint16(header, uint16(bufferLen))
 		header[2] = byte(paddingSize)
-		common.Must(buffer.WriteZeroN(paddingSize))
+		buffer.Extend(paddingSize)
 		p.writePadding++
 	}
 	return common.Error(writer.Write(buffer.Bytes()))
@@ -179,18 +179,18 @@ type naiveConn struct {
 
 func (c *naiveConn) Read(p []byte) (n int, err error) {
 	n, err = c.readWithPadding(c.Conn, p)
-	return n, wrapError(err)
+	return n, baderror.WrapH2(err)
 }
 
 func (c *naiveConn) Write(p []byte) (n int, err error) {
 	n, err = c.writeChunked(c.Conn, p)
-	return n, wrapError(err)
+	return n, baderror.WrapH2(err)
 }
 
 func (c *naiveConn) WriteBuffer(buffer *buf.Buffer) error {
 	defer buffer.Release()
 	err := c.writeBufferWithPadding(c.Conn, buffer)
-	return wrapError(err)
+	return baderror.WrapH2(err)
 }
 
 func (c *naiveConn) FrontHeadroom() int      { return c.frontHeadroom() }
@@ -210,7 +210,7 @@ type naiveH2Conn struct {
 
 func (c *naiveH2Conn) Read(p []byte) (n int, err error) {
 	n, err = c.readWithPadding(c.reader, p)
-	return n, wrapError(err)
+	return n, baderror.WrapH2(err)
 }
 
 func (c *naiveH2Conn) Write(p []byte) (n int, err error) {
@@ -218,7 +218,7 @@ func (c *naiveH2Conn) Write(p []byte) (n int, err error) {
 	if err == nil {
 		c.flusher.Flush()
 	}
-	return n, wrapError(err)
+	return n, baderror.WrapH2(err)
 }
 
 func (c *naiveH2Conn) WriteBuffer(buffer *buf.Buffer) error {
@@ -227,15 +227,7 @@ func (c *naiveH2Conn) WriteBuffer(buffer *buf.Buffer) error {
 	if err == nil {
 		c.flusher.Flush()
 	}
-	return wrapError(err)
-}
-
-func wrapError(err error) error {
-	err = baderror.WrapH2(err)
-	if WrapError != nil {
-		err = WrapError(err)
-	}
-	return err
+	return baderror.WrapH2(err)
 }
 
 func (c *naiveH2Conn) Close() error {

protocol/naive/quic/inbound_init.go

@@ -124,5 +124,4 @@ func init() {
 
 		return quicListener, nil
 	}
-	naive.WrapError = qtls.WrapError
 }

release/DEFAULT_BUILD_TAGS

@@ -1 +1 @@
-with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_cloudflared,with_naive_outbound,badlinkname,tfogo_checklinkname0
+with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,badlinkname,tfogo_checklinkname0

release/DEFAULT_BUILD_TAGS_OTHERS

@@ -1 +1 @@
-with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_cloudflared,badlinkname,tfogo_checklinkname0
+with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0

release/DEFAULT_BUILD_TAGS_WINDOWS

@@ -1 +1 @@
-with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_cloudflared,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0
+with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0

route/dial.go

@@ -1,109 +0,0 @@
-package route
-
-import (
-	"context"
-	"net"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer"
-	C "github.com/sagernet/sing-box/constant"
-	R "github.com/sagernet/sing-box/route/rule"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	N "github.com/sagernet/sing/common/network"
-)
-
-// DialRoutePacketConnection dials a routed connected UDP packet connection for metadata.
-func (r *Router) DialRoutePacketConnection(ctx context.Context, metadata adapter.InboundContext) (N.PacketConn, error) {
-	metadata.Network = N.NetworkUDP
-	metadata.UDPConnect = true
-	ctx = adapter.WithContext(ctx, &metadata)
-
-	selectedRule, selectedOutbound, err := r.selectRoutedOutbound(ctx, &metadata, N.NetworkUDP)
-	if err != nil {
-		return nil, err
-	}
-
-	var remoteConn net.Conn
-	if len(metadata.DestinationAddresses) > 0 || metadata.Destination.IsIP() {
-		remoteConn, err = dialer.DialSerialNetwork(
-			ctx,
-			selectedOutbound,
-			N.NetworkUDP,
-			metadata.Destination,
-			metadata.DestinationAddresses,
-			metadata.NetworkStrategy,
-			metadata.NetworkType,
-			metadata.FallbackNetworkType,
-			metadata.FallbackDelay,
-		)
-	} else {
-		remoteConn, err = selectedOutbound.DialContext(ctx, N.NetworkUDP, metadata.Destination)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	var packetConn N.PacketConn = bufio.NewUnbindPacketConn(remoteConn)
-	for _, tracker := range r.trackers {
-		packetConn = tracker.RoutedPacketConnection(ctx, packetConn, metadata, selectedRule, selectedOutbound)
-	}
-	if metadata.FakeIP {
-		packetConn = bufio.NewNATPacketConn(bufio.NewNetPacketConn(packetConn), metadata.OriginDestination, metadata.Destination)
-	}
-	return packetConn, nil
-}
-
-func (r *Router) selectRoutedOutbound(
-	ctx context.Context,
-	metadata *adapter.InboundContext,
-	network string,
-) (adapter.Rule, adapter.Outbound, error) {
-	selectedRule, _, buffers, packetBuffers, err := r.matchRule(ctx, metadata, false, false, nil, nil)
-	if len(buffers) > 0 {
-		buf.ReleaseMulti(buffers)
-	}
-	if len(packetBuffers) > 0 {
-		N.ReleaseMultiPacketBuffer(packetBuffers)
-	}
-	if err != nil {
-		return nil, nil, err
-	}
-
-	var selectedOutbound adapter.Outbound
-	if selectedRule != nil {
-		switch action := selectedRule.Action().(type) {
-		case *R.RuleActionRoute:
-			var loaded bool
-			selectedOutbound, loaded = r.outbound.Outbound(action.Outbound)
-			if !loaded {
-				return nil, nil, E.New("outbound not found: ", action.Outbound)
-			}
-		case *R.RuleActionBypass:
-			if action.Outbound != "" {
-				var loaded bool
-				selectedOutbound, loaded = r.outbound.Outbound(action.Outbound)
-				if !loaded {
-					return nil, nil, E.New("outbound not found: ", action.Outbound)
-				}
-			}
-		case *R.RuleActionReject:
-			if action.Method == C.RuleActionRejectMethodReply {
-				return nil, nil, E.New("reject method `reply` is not supported for dialed connections")
-			}
-			return nil, nil, action.Error(ctx)
-		case *R.RuleActionHijackDNS:
-			return nil, nil, E.New("DNS hijack is not supported for dialed connections")
-		}
-	}
-
-	if selectedOutbound == nil {
-		selectedOutbound = r.outbound.Default()
-	}
-	if !common.Contains(selectedOutbound.Network(), network) {
-		return nil, nil, E.New(network, " is not supported by outbound: ", selectedOutbound.Tag())
-	}
-	return selectedRule, selectedOutbound, nil
-}

route/rule/match_state.go

@@ -87,40 +87,22 @@ type ruleStateMatcher interface {
 	matchStates(metadata *adapter.InboundContext) ruleMatchStateSet
 }
 
-type ruleStateMatcherWithBase interface {
-	matchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet
-}
-
 func matchHeadlessRuleStates(rule adapter.HeadlessRule, metadata *adapter.InboundContext) ruleMatchStateSet {
-	return matchHeadlessRuleStatesWithBase(rule, metadata, 0)
-}
-
-func matchHeadlessRuleStatesWithBase(rule adapter.HeadlessRule, metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
-	if matcher, isStateMatcher := rule.(ruleStateMatcherWithBase); isStateMatcher {
-		return matcher.matchStatesWithBase(metadata, base)
-	}
 	if matcher, isStateMatcher := rule.(ruleStateMatcher); isStateMatcher {
-		return matcher.matchStates(metadata).withBase(base)
+		return matcher.matchStates(metadata)
 	}
 	if rule.Match(metadata) {
-		return emptyRuleMatchState().withBase(base)
+		return emptyRuleMatchState()
 	}
 	return 0
 }
 
 func matchRuleItemStates(item RuleItem, metadata *adapter.InboundContext) ruleMatchStateSet {
-	return matchRuleItemStatesWithBase(item, metadata, 0)
-}
-
-func matchRuleItemStatesWithBase(item RuleItem, metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
-	if matcher, isStateMatcher := item.(ruleStateMatcherWithBase); isStateMatcher {
-		return matcher.matchStatesWithBase(metadata, base)
-	}
 	if matcher, isStateMatcher := item.(ruleStateMatcher); isStateMatcher {
-		return matcher.matchStates(metadata).withBase(base)
+		return matcher.matchStates(metadata)
 	}
 	if item.Match(metadata) {
-		return emptyRuleMatchState().withBase(base)
+		return emptyRuleMatchState()
 	}
 	return 0
 }

route/rule/rule_abstract.go

@@ -72,18 +72,10 @@ func (r *abstractDefaultRule) requiresDestinationAddressMatch(metadata *adapter.
 }
 
 func (r *abstractDefaultRule) matchStates(metadata *adapter.InboundContext) ruleMatchStateSet {
-	return r.matchStatesWithBase(metadata, 0)
-}
-
-func (r *abstractDefaultRule) matchStatesWithBase(metadata *adapter.InboundContext, inheritedBase ruleMatchState) ruleMatchStateSet {
 	if len(r.allItems) == 0 {
-		return emptyRuleMatchState().withBase(inheritedBase)
+		return emptyRuleMatchState()
 	}
-	evaluationBase := inheritedBase
-	if r.invert {
-		evaluationBase = 0
-	}
-	baseState := evaluationBase
+	var baseState ruleMatchState
 	if len(r.sourceAddressItems) > 0 {
 		metadata.DidMatch = true
 		if matchAnyItem(r.sourceAddressItems, metadata) {
@@ -127,15 +119,17 @@ func (r *abstractDefaultRule) matchStatesWithBase(metadata *adapter.InboundConte
 	for _, item := range r.items {
 		metadata.DidMatch = true
 		if !item.Match(metadata) {
-			return r.invertedFailure(inheritedBase)
+			return r.invertedFailure()
 		}
 	}
-	var stateSet ruleMatchStateSet
+	stateSet := singleRuleMatchState(baseState)
 	if r.ruleSetItem != nil {
 		metadata.DidMatch = true
-		stateSet = matchRuleItemStatesWithBase(r.ruleSetItem, metadata, baseState)
-	} else {
-		stateSet = singleRuleMatchState(baseState)
+		ruleSetStates := matchRuleItemStates(r.ruleSetItem, metadata)
+		if ruleSetStates.isEmpty() {
+			return r.invertedFailure()
+		}
+		stateSet = ruleSetStates.withBase(baseState)
 	}
 	stateSet = stateSet.filter(func(state ruleMatchState) bool {
 		if r.requiresSourceAddressMatch(metadata) && !state.has(ruleMatchSourceAddress) {
@@ -153,21 +147,21 @@ func (r *abstractDefaultRule) matchStatesWithBase(metadata *adapter.InboundConte
 		return true
 	})
 	if stateSet.isEmpty() {
-		return r.invertedFailure(inheritedBase)
+		return r.invertedFailure()
 	}
 	if r.invert {
 		// DNS pre-lookup defers destination address-limit checks until the response phase.
 		if metadata.IgnoreDestinationIPCIDRMatch && stateSet == emptyRuleMatchState() && !metadata.DidMatch && len(r.destinationIPCIDRItems) > 0 {
-			return emptyRuleMatchState().withBase(inheritedBase)
+			return emptyRuleMatchState()
 		}
 		return 0
 	}
 	return stateSet
 }
 
-func (r *abstractDefaultRule) invertedFailure(base ruleMatchState) ruleMatchStateSet {
+func (r *abstractDefaultRule) invertedFailure() ruleMatchStateSet {
 	if r.invert {
-		return emptyRuleMatchState().withBase(base)
+		return emptyRuleMatchState()
 	}
 	return 0
 }
@@ -231,24 +225,16 @@ func (r *abstractLogicalRule) Match(metadata *adapter.InboundContext) bool {
 }
 
 func (r *abstractLogicalRule) matchStates(metadata *adapter.InboundContext) ruleMatchStateSet {
-	return r.matchStatesWithBase(metadata, 0)
-}
-
-func (r *abstractLogicalRule) matchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
-	evaluationBase := base
-	if r.invert {
-		evaluationBase = 0
-	}
 	var stateSet ruleMatchStateSet
 	if r.mode == C.LogicalTypeAnd {
-		stateSet = emptyRuleMatchState().withBase(evaluationBase)
+		stateSet = emptyRuleMatchState()
 		for _, rule := range r.rules {
 			nestedMetadata := *metadata
 			nestedMetadata.ResetRuleCache()
-			nestedStateSet := matchHeadlessRuleStatesWithBase(rule, &nestedMetadata, evaluationBase)
+			nestedStateSet := matchHeadlessRuleStates(rule, &nestedMetadata)
 			if nestedStateSet.isEmpty() {
 				if r.invert {
-					return emptyRuleMatchState().withBase(base)
+					return emptyRuleMatchState()
 				}
 				return 0
 			}
@@ -258,11 +244,11 @@ func (r *abstractLogicalRule) matchStatesWithBase(metadata *adapter.InboundConte
 		for _, rule := range r.rules {
 			nestedMetadata := *metadata
 			nestedMetadata.ResetRuleCache()
-			stateSet = stateSet.merge(matchHeadlessRuleStatesWithBase(rule, &nestedMetadata, evaluationBase))
+			stateSet = stateSet.merge(matchHeadlessRuleStates(rule, &nestedMetadata))
 		}
 		if stateSet.isEmpty() {
 			if r.invert {
-				return emptyRuleMatchState().withBase(base)
+				return emptyRuleMatchState()
 			}
 			return 0
 		}

route/rule/rule_headless.go

@@ -45,11 +45,6 @@ func NewDefaultHeadlessRule(ctx context.Context, options option.DefaultHeadlessR
 			invert: options.Invert,
 		},
 	}
-	if len(options.QueryType) > 0 {
-		item := NewQueryTypeItem(options.QueryType)
-		rule.items = append(rule.items, item)
-		rule.allItems = append(rule.allItems, item)
-	}
 	if len(options.Network) > 0 {
 		item := NewNetworkItem(options.Network)
 		rule.items = append(rule.items, item)

route/rule/rule_item_rule_set.go

@@ -45,17 +45,13 @@ func (r *RuleSetItem) Match(metadata *adapter.InboundContext) bool {
 }
 
 func (r *RuleSetItem) matchStates(metadata *adapter.InboundContext) ruleMatchStateSet {
-	return r.matchStatesWithBase(metadata, 0)
-}
-
-func (r *RuleSetItem) matchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
 	var stateSet ruleMatchStateSet
 	for _, ruleSet := range r.setList {
 		nestedMetadata := *metadata
 		nestedMetadata.ResetRuleMatchCache()
 		nestedMetadata.IPCIDRMatchSource = r.ipCidrMatchSource
 		nestedMetadata.IPCIDRAcceptEmpty = r.ipCidrAcceptEmpty
-		stateSet = stateSet.merge(matchHeadlessRuleStatesWithBase(ruleSet, &nestedMetadata, base))
+		stateSet = stateSet.merge(matchHeadlessRuleStates(ruleSet, &nestedMetadata))
 	}
 	return stateSet
 }

route/rule/rule_set_local.go

@@ -206,15 +206,11 @@ func (s *LocalRuleSet) Match(metadata *adapter.InboundContext) bool {
 }
 
 func (s *LocalRuleSet) matchStates(metadata *adapter.InboundContext) ruleMatchStateSet {
-	return s.matchStatesWithBase(metadata, 0)
-}
-
-func (s *LocalRuleSet) matchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
 	var stateSet ruleMatchStateSet
 	for _, rule := range s.rules {
 		nestedMetadata := *metadata
 		nestedMetadata.ResetRuleMatchCache()
-		stateSet = stateSet.merge(matchHeadlessRuleStatesWithBase(rule, &nestedMetadata, base))
+		stateSet = stateSet.merge(matchHeadlessRuleStates(rule, &nestedMetadata))
 	}
 	return stateSet
 }

route/rule/rule_set_remote.go

@@ -326,15 +326,11 @@ func (s *RemoteRuleSet) Match(metadata *adapter.InboundContext) bool {
 }
 
 func (s *RemoteRuleSet) matchStates(metadata *adapter.InboundContext) ruleMatchStateSet {
-	return s.matchStatesWithBase(metadata, 0)
-}
-
-func (s *RemoteRuleSet) matchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
 	var stateSet ruleMatchStateSet
 	for _, rule := range s.rules {
 		nestedMetadata := *metadata
 		nestedMetadata.ResetRuleMatchCache()
-		stateSet = stateSet.merge(matchHeadlessRuleStatesWithBase(rule, &nestedMetadata, base))
+		stateSet = stateSet.merge(matchHeadlessRuleStates(rule, &nestedMetadata))
 	}
 	return stateSet
 }

route/rule/rule_set_semantics_test.go

@@ -149,95 +149,6 @@ func TestRouteRuleSetMergeSourceAndPortGroups(t *testing.T) {
 	})
 }
 
-func TestRouteRuleSetOuterGroupedStateMergesIntoSameGroup(t *testing.T) {
-	t.Parallel()
-	testCases := []struct {
-		name       string
-		metadata   adapter.InboundContext
-		buildOuter func(*testing.T, *abstractDefaultRule)
-		buildInner func(*testing.T, *abstractDefaultRule)
-	}{
-		{
-			name:     "destination address",
-			metadata: testMetadata("www.example.com"),
-			buildOuter: func(t *testing.T, rule *abstractDefaultRule) {
-				t.Helper()
-				addDestinationAddressItem(t, rule, nil, []string{"example.com"})
-			},
-			buildInner: func(t *testing.T, rule *abstractDefaultRule) {
-				t.Helper()
-				addDestinationAddressItem(t, rule, nil, []string{"google.com"})
-			},
-		},
-		{
-			name:     "source address",
-			metadata: testMetadata("www.example.com"),
-			buildOuter: func(t *testing.T, rule *abstractDefaultRule) {
-				t.Helper()
-				addSourceAddressItem(t, rule, []string{"10.0.0.0/8"})
-			},
-			buildInner: func(t *testing.T, rule *abstractDefaultRule) {
-				t.Helper()
-				addSourceAddressItem(t, rule, []string{"198.51.100.0/24"})
-			},
-		},
-		{
-			name:     "source port",
-			metadata: testMetadata("www.example.com"),
-			buildOuter: func(t *testing.T, rule *abstractDefaultRule) {
-				t.Helper()
-				addSourcePortItem(rule, []uint16{1000})
-			},
-			buildInner: func(t *testing.T, rule *abstractDefaultRule) {
-				t.Helper()
-				addSourcePortItem(rule, []uint16{2000})
-			},
-		},
-		{
-			name:     "destination port",
-			metadata: testMetadata("www.example.com"),
-			buildOuter: func(t *testing.T, rule *abstractDefaultRule) {
-				t.Helper()
-				addDestinationPortItem(rule, []uint16{443})
-			},
-			buildInner: func(t *testing.T, rule *abstractDefaultRule) {
-				t.Helper()
-				addDestinationPortItem(rule, []uint16{8443})
-			},
-		},
-		{
-			name: "destination ip cidr",
-			metadata: func() adapter.InboundContext {
-				metadata := testMetadata("lookup.example")
-				metadata.DestinationAddresses = []netip.Addr{netip.MustParseAddr("203.0.113.1")}
-				return metadata
-			}(),
-			buildOuter: func(t *testing.T, rule *abstractDefaultRule) {
-				t.Helper()
-				addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
-			},
-			buildInner: func(t *testing.T, rule *abstractDefaultRule) {
-				t.Helper()
-				addDestinationIPCIDRItem(t, rule, []string{"198.51.100.0/24"})
-			},
-		},
-	}
-	for _, testCase := range testCases {
-		testCase := testCase
-		t.Run(testCase.name, func(t *testing.T) {
-			t.Parallel()
-			ruleSet := newLocalRuleSetForTest("outer-merge-"+testCase.name, headlessDefaultRule(t, func(rule *abstractDefaultRule) {
-				testCase.buildInner(t, rule)
-			}))
-			rule := routeRuleForTest(func(rule *abstractDefaultRule) {
-				testCase.buildOuter(t, rule)
-				addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
-			})
-			require.True(t, rule.Match(&testCase.metadata))
-		})
-	}
-}
-
 func TestRouteRuleSetOtherFieldsStayAnd(t *testing.T) {
 	t.Parallel()
 	metadata := testMetadata("www.example.com")
@@ -251,34 +162,6 @@ func TestRouteRuleSetOtherFieldsStayAnd(t *testing.T) {
 	require.False(t, rule.Match(&metadata))
 }
 
-func TestRouteRuleSetMergedBranchKeepsAndConstraints(t *testing.T) {
-	t.Parallel()
-	t.Run("outer group does not bypass inner non grouped condition", func(t *testing.T) {
-		t.Parallel()
-		metadata := testMetadata("www.example.com")
-		ruleSet := newLocalRuleSetForTest("network-and", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
-			addOtherItem(rule, NewNetworkItem([]string{N.NetworkUDP}))
-		}))
-		rule := routeRuleForTest(func(rule *abstractDefaultRule) {
-			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
-			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
-		})
-		require.False(t, rule.Match(&metadata))
-	})
-	t.Run("outer group does not satisfy different grouped branch", func(t *testing.T) {
-		t.Parallel()
-		metadata := testMetadata("www.example.com")
-		ruleSet := newLocalRuleSetForTest("different-group", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
-			addDestinationAddressItem(t, rule, nil, []string{"google.com"})
-		}))
-		rule := routeRuleForTest(func(rule *abstractDefaultRule) {
-			addSourcePortItem(rule, []uint16{1000})
-			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
-		})
-		require.False(t, rule.Match(&metadata))
-	})
-}
-
 func TestRouteRuleSetOrSemantics(t *testing.T) {
 	t.Parallel()
 	t.Run("later ruleset can satisfy outer group", func(t *testing.T) {
@@ -388,68 +271,6 @@ func TestRouteRuleSetLogicalSemantics(t *testing.T) {
 	})
 }
 
-func TestRouteRuleSetInvertMergedBranchSemantics(t *testing.T) {
-	t.Parallel()
-	t.Run("default invert keeps inherited group outside grouped predicate", func(t *testing.T) {
-		t.Parallel()
-		metadata := testMetadata("www.example.com")
-		ruleSet := newLocalRuleSetForTest("invert-grouped", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
-			rule.invert = true
-			addDestinationAddressItem(t, rule, nil, []string{"google.com"})
-		}))
-		rule := routeRuleForTest(func(rule *abstractDefaultRule) {
-			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
-			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
-		})
-		require.True(t, rule.Match(&metadata))
-	})
-	t.Run("default invert keeps inherited group after negation succeeds", func(t *testing.T) {
-		t.Parallel()
-		metadata := testMetadata("www.example.com")
-		ruleSet := newLocalRuleSetForTest("invert-network", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
-			rule.invert = true
-			addOtherItem(rule, NewNetworkItem([]string{N.NetworkUDP}))
-		}))
-		rule := routeRuleForTest(func(rule *abstractDefaultRule) {
-			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
-			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
-		})
-		require.True(t, rule.Match(&metadata))
-	})
-	t.Run("logical invert keeps inherited group outside grouped predicate", func(t *testing.T) {
-		t.Parallel()
-		metadata := testMetadata("www.example.com")
-		ruleSet := newLocalRuleSetForTest("logical-invert-grouped", headlessLogicalRule(
-			C.LogicalTypeOr,
-			true,
-			headlessDefaultRule(t, func(rule *abstractDefaultRule) {
-				addDestinationAddressItem(t, rule, nil, []string{"google.com"})
-			}),
-		))
-		rule := routeRuleForTest(func(rule *abstractDefaultRule) {
-			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
-			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
-		})
-		require.True(t, rule.Match(&metadata))
-	})
-	t.Run("logical invert keeps inherited group after negation succeeds", func(t *testing.T) {
-		t.Parallel()
-		metadata := testMetadata("www.example.com")
-		ruleSet := newLocalRuleSetForTest("logical-invert-network", headlessLogicalRule(
-			C.LogicalTypeOr,
-			true,
-			headlessDefaultRule(t, func(rule *abstractDefaultRule) {
-				addOtherItem(rule, NewNetworkItem([]string{N.NetworkUDP}))
-			}),
-		))
-		rule := routeRuleForTest(func(rule *abstractDefaultRule) {
-			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
-			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
-		})
-		require.True(t, rule.Match(&metadata))
-	})
-}
-
 func TestRouteRuleSetNoLeakageRegressions(t *testing.T) {
 	t.Parallel()
 	t.Run("same ruleset failed branch does not leak", func(t *testing.T) {
@@ -518,59 +339,6 @@ func TestRouteRuleSetRemoteUsesSameSemantics(t *testing.T) {
 
 func TestDNSRuleSetSemantics(t *testing.T) {
 	t.Parallel()
-	t.Run("outer destination group merges into matching ruleset branch", func(t *testing.T) {
-		t.Parallel()
-		metadata := testMetadata("www.baidu.com")
-		ruleSet := newLocalRuleSetForTest("dns-merged-branch", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
-			addDestinationAddressItem(t, rule, nil, []string{"google.com"})
-		}))
-		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
-			addDestinationAddressItem(t, rule, nil, []string{"baidu.com"})
-			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
-		})
-		require.True(t, rule.Match(&metadata))
-	})
-	t.Run("outer destination group does not bypass ruleset non grouped condition", func(t *testing.T) {
-		t.Parallel()
-		metadata := testMetadata("www.example.com")
-		ruleSet := newLocalRuleSetForTest("dns-network-and", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
-			addOtherItem(rule, NewNetworkItem([]string{N.NetworkUDP}))
-		}))
-		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
-			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
-			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
-		})
-		require.False(t, rule.Match(&metadata))
-	})
-	t.Run("outer destination group stays outside inverted grouped branch", func(t *testing.T) {
-		t.Parallel()
-		metadata := testMetadata("www.baidu.com")
-		ruleSet := newLocalRuleSetForTest("dns-invert-grouped", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
-			rule.invert = true
-			addDestinationAddressItem(t, rule, nil, []string{"google.com"})
-		}))
-		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
-			addDestinationAddressItem(t, rule, nil, []string{"baidu.com"})
-			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
-		})
-		require.True(t, rule.Match(&metadata))
-	})
-	t.Run("outer destination group stays outside inverted logical branch", func(t *testing.T) {
-		t.Parallel()
-		metadata := testMetadata("www.example.com")
-		ruleSet := newLocalRuleSetForTest("dns-logical-invert-network", headlessLogicalRule(
-			C.LogicalTypeOr,
-			true,
-			headlessDefaultRule(t, func(rule *abstractDefaultRule) {
-				addOtherItem(rule, NewNetworkItem([]string{N.NetworkUDP}))
-			}),
-		))
-		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
-			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
-			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
-		})
-		require.True(t, rule.Match(&metadata))
-	})
 	t.Run("match address limit merges destination group", func(t *testing.T) {
 		t.Parallel()
 		metadata := testMetadata("www.example.com")

transport/wireguard/endpoint.go

@@ -229,13 +229,12 @@ func (e *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 }
 
 func (e *Endpoint) Close() error {
+	if e.device != nil {
+		e.device.Close()
+	}
 	if e.pauseCallback != nil {
 		e.pause.UnregisterCallback(e.pauseCallback)
 	}
-	if e.device != nil {
-		e.device.Down()
-		e.device.Close()
-	}
 	return nil
 }