documentation: Bump version

Reference: https://gitlab.com/go-extension/tls

.github/setup_legacy_go.sh

@@ -1,27 +1,25 @@
 #!/usr/bin/env bash
 
-VERSION="1.25.4"
+VERSION="1.23.12"
 
 mkdir -p $HOME/go
 cd $HOME/go
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
-mv go go_win7
-cd go_win7
+mv go go_legacy
+cd go_legacy
 
 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-# this patch file only works on golang1.25.x
-# that means after golang1.26 release it must be changed
-# see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
+# this patch file only works on golang1.23.x
+# that means after golang1.24 release it must be changed
+# see: https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
 # revert:
 # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
 
-alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
-
-curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/69e2eed6dd0f6d815ebf15797761c13f31213dd6.diff | patch --verbose -p 1

.github/setup_musl_cross.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-set -xeuo pipefail
-
-TARGET="$1"
-
-# Download musl-cross toolchain from musl.cc
-cd "$HOME"
-wget -q "https://musl.cc/${TARGET}-cross.tgz"
-mkdir -p musl-cross
-tar -xf "${TARGET}-cross.tgz" -C musl-cross --strip-components=1
-rm "${TARGET}-cross.tgz"

.github/update_cronet.sh

@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-
-PROJECTS=$(dirname "$0")/../..
-git -C $PROJECTS/cronet-go fetch origin go
-go get -x github.com/sagernet/cronet-go/all@$(git -C $PROJECTS/cronet-go rev-parse origin/go)
-
-go mod tidy

.github/workflows/build.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.4
+          go-version: ^1.25.1
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -88,11 +88,15 @@ jobs:
           - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
 
           - { os: windows, arch: amd64 }
-          - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
+          - { os: windows, arch: amd64, legacy_go123: true, legacy_name: "windows-7" }
           - { os: windows, arch: "386" }
-          - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
+          - { os: windows, arch: "386", legacy_go123: true, legacy_name: "windows-7" }
           - { os: windows, arch: arm64 }
 
+          - { os: darwin, arch: amd64 }
+          - { os: darwin, arch: arm64 }
+          - { os: darwin, arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
+
           - { os: android, arch: arm64, ndk: "aarch64-linux-android21" }
           - { os: android, arch: arm, ndk: "armv7a-linux-androideabi21" }
           - { os: android, arch: amd64, ndk: "x86_64-linux-android21" }
@@ -103,32 +107,32 @@ jobs:
         with:
           fetch-depth: 0
       - name: Setup Go
-        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
+        if: ${{ ! (matrix.legacy_go123 || matrix.legacy_go124) }}
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.4
+          go-version: ^1.25.1
       - name: Setup Go 1.24
         if: matrix.legacy_go124
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.24.10
-      - name: Cache Go for Windows 7
-        if: matrix.legacy_win7
-        id: cache-go-for-windows7
+          go-version: ~1.24.6
+      - name: Cache Go 1.23
+        if: matrix.legacy_go123
+        id: cache-legacy-go
         uses: actions/cache@v4
         with:
           path: |
-            ~/go/go_win7
-          key: go_win7_1254
-      - name: Setup Go for Windows 7
-        if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
+            ~/go/go_legacy
+          key: go_legacy_12312
+      - name: Setup Go 1.23
+        if: matrix.legacy_go123 && steps.cache-legacy-go.outputs.cache-hit != 'true'
         run: |-
-          .github/setup_go_for_windows7.sh
-      - name: Setup Go for Windows 7
-        if: matrix.legacy_win7
+          .github/setup_legacy_go.sh
+      - name: Setup Go 1.23
+        if: matrix.legacy_go123
         run: |-
-          echo "PATH=$HOME/go/go_win7/bin:$PATH" >> $GITHUB_ENV
-          echo "GOROOT=$HOME/go/go_win7" >> $GITHUB_ENV
+          echo "PATH=$HOME/go/go_legacy/bin:$PATH" >> $GITHUB_ENV
+          echo "GOROOT=$HOME/go/go_legacy" >> $GITHUB_ENV
       - name: Setup Android NDK
         if: matrix.os == 'android'
         uses: nttld/setup-ndk@v1
@@ -142,10 +146,7 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,badlinkname,tfogo_checklinkname0'
-          if [[ "${{ matrix.os }}" == "android" ]]; then
-            TAGS="${TAGS},with_naive_outbound"
-          fi
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale'
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
       - name: Build
         if: matrix.os != 'android'
@@ -284,199 +285,6 @@ jobs:
         with:
           name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
           path: "dist"
-  build_darwin:
-    name: Build Darwin binaries
-    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
-    runs-on: macos-latest
-    needs:
-      - calculate_version
-    strategy:
-      matrix:
-        include:
-          - { arch: amd64 }
-          - { arch: arm64 }
-          - { arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        if: ${{ ! matrix.legacy_go124 }}
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.25.3
-      - name: Setup Go 1.24
-        if: matrix.legacy_go124
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.24.6
-      - name: Set tag
-        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
-      - name: Set build tags
-        run: |
-          set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_naive_outbound,badlinkname,tfogo_checklinkname0'
-          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Build
-        run: |
-          set -xeuo pipefail
-          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
-          ./cmd/sing-box
-        env:
-          CGO_ENABLED: "1"
-          GOOS: darwin
-          GOARCH: ${{ matrix.arch }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set name
-        run: |-
-          DIR_NAME="sing-box-${{ needs.calculate_version.outputs.version }}-darwin-${{ matrix.arch }}"
-          if [[ -n "${{ matrix.legacy_name }}" ]]; then
-            DIR_NAME="${DIR_NAME}-legacy-${{ matrix.legacy_name }}"
-          fi
-          echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
-      - name: Archive
-        run: |
-          set -xeuo pipefail
-          cd dist
-          mkdir -p "${DIR_NAME}"
-          cp ../LICENSE "${DIR_NAME}"
-          cp sing-box "${DIR_NAME}"
-          tar -czvf "${DIR_NAME}.tar.gz" "${DIR_NAME}"
-          rm -r "${DIR_NAME}"
-      - name: Cleanup
-        run: rm dist/sing-box
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: binary-darwin_${{ matrix.arch }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
-          path: "dist"
-  build_naive_linux:
-    name: Build Linux with naive outbound
-    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
-    runs-on: ubuntu-latest
-    needs:
-      - calculate_version
-    strategy:
-      matrix:
-        include:
-          # Linux glibc (dynamic linking with Debian Bullseye sysroot)
-          - { arch: amd64, sysroot_arch: amd64, sysroot_sha: "36a164623d03f525e3dfb783a5e9b8a00e98e1ddd2b5cff4e449bd016dd27e50", cc_target: "x86_64-linux-gnu", suffix: "-naive" }
-          - { arch: arm64, sysroot_arch: arm64, sysroot_sha: "2f915d821eec27515c0c6d21b69898e23762908d8d7ccc1aa2a8f5f25e8b7e18", cc_target: "aarch64-linux-gnu", suffix: "-naive" }
-          - { arch: "386", sysroot_arch: i386, sysroot_sha: "63f0e5128b84f7b0421956a4a40affa472be8da0e58caf27e9acbc84072daee7", cc_target: "i686-linux-gnu", suffix: "-naive" }
-          - { arch: arm, goarm: "7", sysroot_arch: armhf, sysroot_sha: "47b3a0b161ca011b2b33d4fc1ef6ef269b8208a0b7e4c900700c345acdfd1814", cc_target: "arm-linux-gnueabihf", suffix: "-naive" }
-          # Linux musl (static linking)
-          - { arch: amd64, musl: true, cc_target: "x86_64-linux-musl", suffix: "-naive-musl" }
-          - { arch: arm64, musl: true, cc_target: "aarch64-linux-musl", suffix: "-naive-musl" }
-          - { arch: "386", musl: true, cc_target: "i686-linux-musl", suffix: "-naive-musl" }
-          - { arch: arm, goarm: "7", musl: true, cc_target: "arm-linux-musleabihf", suffix: "-naive-musl" }
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.25.4
-      - name: Set tag
-        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
-      - name: Download sysroot (glibc)
-        if: ${{ ! matrix.musl }}
-        run: |
-          set -xeuo pipefail
-          wget -q "https://commondatastorage.googleapis.com/chrome-linux-sysroot/${{ matrix.sysroot_sha }}" -O sysroot.tar.xz
-          mkdir -p /tmp/sysroot
-          tar -xf sysroot.tar.xz -C /tmp/sysroot
-      - name: Install cross compiler (glibc)
-        if: ${{ ! matrix.musl }}
-        run: |
-          set -xeuo pipefail
-          sudo apt-get update
-          sudo apt-get install -y clang lld
-          if [[ "${{ matrix.arch }}" == "arm64" ]]; then
-            sudo apt-get install -y libc6-dev-arm64-cross
-          elif [[ "${{ matrix.arch }}" == "386" ]]; then
-            sudo apt-get install -y libc6-dev-i386-cross
-          elif [[ "${{ matrix.arch }}" == "arm" ]]; then
-            sudo apt-get install -y libc6-dev-armhf-cross
-          fi
-      - name: Install musl cross compiler
-        if: matrix.musl
-        run: |
-          set -xeuo pipefail
-          .github/setup_musl_cross.sh "${{ matrix.cc_target }}"
-          echo "PATH=$HOME/musl-cross/bin:$PATH" >> $GITHUB_ENV
-      - name: Set build tags
-        run: |
-          set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_naive_outbound,badlinkname,tfogo_checklinkname0'
-          if [[ "${{ matrix.musl }}" == "true" ]]; then
-            TAGS="${TAGS},with_musl"
-          fi
-          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Build (glibc)
-        if: ${{ ! matrix.musl }}
-        run: |
-          set -xeuo pipefail
-          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0 -linkmode=external -extldflags "-fuse-ld=lld --sysroot=/tmp/sysroot"' \
-          ./cmd/sing-box
-        env:
-          CGO_ENABLED: "1"
-          GOOS: linux
-          GOARCH: ${{ matrix.arch }}
-          GOARM: ${{ matrix.goarm }}
-          CC: "clang --target=${{ matrix.cc_target }} --sysroot=/tmp/sysroot"
-          CXX: "clang++ --target=${{ matrix.cc_target }} --sysroot=/tmp/sysroot"
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build (musl)
-        if: matrix.musl
-        run: |
-          set -xeuo pipefail
-          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0 -linkmode=external -extldflags "-static"' \
-          ./cmd/sing-box
-        env:
-          CGO_ENABLED: "1"
-          GOOS: linux
-          GOARCH: ${{ matrix.arch }}
-          GOARM: ${{ matrix.goarm }}
-          CC: "${{ matrix.cc_target }}-gcc"
-          CXX: "${{ matrix.cc_target }}-g++"
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set name
-        run: |-
-          DIR_NAME="sing-box-${{ needs.calculate_version.outputs.version }}-linux-${{ matrix.arch }}"
-          if [[ -n "${{ matrix.goarm }}" ]]; then
-            DIR_NAME="${DIR_NAME}v${{ matrix.goarm }}"
-          fi
-          DIR_NAME="${DIR_NAME}${{ matrix.suffix }}"
-          echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
-      - name: Archive
-        run: |
-          set -xeuo pipefail
-          cd dist
-          mkdir -p "${DIR_NAME}"
-          cp ../LICENSE "${DIR_NAME}"
-          cp sing-box "${DIR_NAME}"
-          tar -czvf "${DIR_NAME}.tar.gz" "${DIR_NAME}"
-          rm -r "${DIR_NAME}"
-      - name: Cleanup
-        run: rm dist/sing-box
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: binary-linux_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.suffix }}
-          path: "dist"
   build_android:
     name: Build Android
     if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
@@ -492,7 +300,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.4
+          go-version: ^1.25.1
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -572,7 +380,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.4
+          go-version: ^1.25.1
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -624,8 +432,7 @@ jobs:
           SERVICE_ACCOUNT_CREDENTIALS: ${{ secrets.SERVICE_ACCOUNT_CREDENTIALS }}
   build_apple:
     name: Build Apple clients
-    runs-on: macos-26
-    if: false
+    runs-on: macos-15
     needs:
       - calculate_version
     strategy:
@@ -671,7 +478,15 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.4
+          go-version: ^1.25.1
+      - name: Setup Xcode stable
+        if: matrix.if && github.ref == 'refs/heads/main-next'
+        run: |-
+          sudo xcode-select -s /Applications/Xcode_16.4.app
+      - name: Setup Xcode beta
+        if: matrix.if && github.ref == 'refs/heads/dev-next'
+        run: |-
+          sudo xcode-select -s /Applications/Xcode_16.4.app
       - name: Set tag
         if: matrix.if
         run: |-
@@ -811,8 +626,6 @@ jobs:
     needs:
       - calculate_version
       - build
-      - build_darwin
-      - build_naive_linux
       - build_android
       - build_apple
     steps:

.github/workflows/lint.yml

@@ -28,11 +28,11 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25
+          go-version: ~1.24.6
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v8
         with:
-          version: v2.4.0
+          version: latest
           args: --timeout=30m
           install-mode: binary
           verify: false

.github/workflows/linux.yml

@@ -30,7 +30,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.4
+          go-version: ^1.25.1
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -71,7 +71,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.4
+          go-version: ^1.25.1
       - name: Setup Android NDK
         if: matrix.os == 'android'
         uses: nttld/setup-ndk@v1
@@ -85,14 +85,14 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,badlinkname,tfogo_checklinkname0'
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale'
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
       - name: Build
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"

.gitignore

@@ -15,6 +15,4 @@
 .DS_Store
 /config.d/
 /venv/
-CLAUDE.md
-AGENTS.md
-/.claude/
+

.golangci.yml

@@ -1,6 +1,6 @@
 version: "2"
 run:
-  go: "1.25"
+  go: "1.24"
   build-tags:
     - with_gvisor
     - with_quic

.goreleaser.fury.yaml

@@ -0,0 +1,103 @@
+project_name: sing-box
+builds:
+  - id: main
+    main: ./cmd/sing-box
+    flags:
+      - -v
+      - -trimpath
+    ldflags:
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
+      - -s
+      - -buildid=
+    tags:
+      - with_gvisor
+      - with_quic
+      - with_dhcp
+      - with_wireguard
+      - with_utls
+      - with_acme
+      - with_clash_api
+      - with_tailscale
+    env:
+      - CGO_ENABLED=0
+    targets:
+      - linux_386
+      - linux_amd64_v1
+      - linux_arm64
+      - linux_arm_7
+      - linux_s390x
+      - linux_riscv64
+      - linux_mips64le
+    mod_timestamp: '{{ .CommitTimestamp }}'
+snapshot:
+  name_template: "{{ .Version }}.{{ .ShortCommit }}"
+nfpms:
+  - &template
+    id: package
+    package_name: sing-box
+    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    builds:
+      - main
+    homepage: https://sing-box.sagernet.org/
+    maintainer: nekohasekai <contact-git@sekai.icu>
+    description: The universal proxy platform.
+    license: GPLv3 or later
+    formats:
+      - deb
+      - rpm
+    priority: extra
+    contents:
+      - src: release/config/config.json
+        dst: /etc/sing-box/config.json
+        type: "config|noreplace"
+
+      - src: release/config/sing-box.service
+        dst: /usr/lib/systemd/system/sing-box.service
+      - src: release/config/sing-box@.service
+        dst: /usr/lib/systemd/system/sing-box@.service
+      - src: release/config/sing-box.sysusers
+        dst: /usr/lib/sysusers.d/sing-box.conf
+      - src: release/config/sing-box.rules
+        dst: /usr/share/polkit-1/rules.d/sing-box.rules
+      - src: release/config/sing-box-split-dns.xml
+        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
+
+      - src: release/completions/sing-box.bash
+        dst: /usr/share/bash-completion/completions/sing-box.bash
+      - src: release/completions/sing-box.fish
+        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
+      - src: release/completions/sing-box.zsh
+        dst: /usr/share/zsh/site-functions/_sing-box
+
+      - src: LICENSE
+        dst: /usr/share/licenses/sing-box/LICENSE
+    deb:
+      signature:
+        key_file: "{{ .Env.NFPM_KEY_PATH }}"
+      fields:
+        Bugs: https://github.com/SagerNet/sing-box/issues
+    rpm:
+      signature:
+        key_file: "{{ .Env.NFPM_KEY_PATH }}"
+    conflicts:
+      - sing-box-beta
+  - id: package_beta
+    <<: *template
+    package_name: sing-box-beta
+    file_name_template: '{{ .ProjectName }}-beta_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    formats:
+      - deb
+      - rpm
+    conflicts:
+      - sing-box
+release:
+  disable: true
+furies:
+  - account: sagernet
+    ids:
+      - package
+    disable: "{{ not (not .Prerelease) }}"
+  - account: sagernet
+    ids:
+      - package_beta
+    disable: "{{ not .Prerelease }}"

.goreleaser.yaml

@@ -0,0 +1,213 @@
+version: 2
+project_name: sing-box
+builds:
+  - &template
+    id: main
+    main: ./cmd/sing-box
+    flags:
+      - -v
+      - -trimpath
+    ldflags:
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
+      - -s
+      - -buildid=
+    tags:
+      - with_gvisor
+      - with_quic
+      - with_dhcp
+      - with_wireguard
+      - with_utls
+      - with_acme
+      - with_clash_api
+      - with_tailscale
+    env:
+      - CGO_ENABLED=0
+      - GOTOOLCHAIN=local
+    targets:
+      - linux_386
+      - linux_amd64_v1
+      - linux_arm64
+      - linux_arm_6
+      - linux_arm_7
+      - linux_s390x
+      - linux_riscv64
+      - linux_mips64le
+      - windows_amd64_v1
+      - windows_386
+      - windows_arm64
+      - darwin_amd64_v1
+      - darwin_arm64
+    mod_timestamp: '{{ .CommitTimestamp }}'
+  - id: legacy
+    <<: *template
+    tags:
+      - with_gvisor
+      - with_quic
+      - with_dhcp
+      - with_wireguard
+      - with_utls
+      - with_acme
+      - with_clash_api
+      - with_tailscale
+    env:
+      - CGO_ENABLED=0
+      - GOROOT={{ .Env.GOPATH }}/go_legacy
+    tool: "{{ .Env.GOPATH }}/go_legacy/bin/go"
+    targets:
+      - windows_amd64_v1
+      - windows_386
+  - id: android
+    <<: *template
+    env:
+      - CGO_ENABLED=1
+      - GOTOOLCHAIN=local
+    overrides:
+      - goos: android
+        goarch: arm
+        goarm: 7
+        env:
+          - CC=armv7a-linux-androideabi21-clang
+          - CXX=armv7a-linux-androideabi21-clang++
+      - goos: android
+        goarch: arm64
+        env:
+          - CC=aarch64-linux-android21-clang
+          - CXX=aarch64-linux-android21-clang++
+      - goos: android
+        goarch: 386
+        env:
+          - CC=i686-linux-android21-clang
+          - CXX=i686-linux-android21-clang++
+      - goos: android
+        goarch: amd64
+        goamd64: v1
+        env:
+          - CC=x86_64-linux-android21-clang
+          - CXX=x86_64-linux-android21-clang++
+    targets:
+      - android_arm_7
+      - android_arm64
+      - android_386
+      - android_amd64
+archives:
+  - &template
+    id: archive
+    builds:
+      - main
+      - android
+    formats:
+      - tar.gz
+    format_overrides:
+      - goos: windows
+        formats:
+          - zip
+    wrap_in_directory: true
+    files:
+      - LICENSE
+    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+  - id: archive-legacy
+    <<: *template
+    builds:
+      - legacy
+    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}-legacy'
+nfpms:
+  - id: package
+    package_name: sing-box
+    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    builds:
+      - main
+    homepage: https://sing-box.sagernet.org/
+    maintainer: nekohasekai <contact-git@sekai.icu>
+    description: The universal proxy platform.
+    license: GPLv3 or later
+    formats:
+      - deb
+      - rpm
+      - archlinux
+#      - apk
+#      - ipk
+    priority: extra
+    contents:
+      - src: release/config/config.json
+        dst: /etc/sing-box/config.json
+        type: "config|noreplace"
+
+      - src: release/config/sing-box.service
+        dst: /usr/lib/systemd/system/sing-box.service
+      - src: release/config/sing-box@.service
+        dst: /usr/lib/systemd/system/sing-box@.service
+      - src: release/config/sing-box.sysusers
+        dst: /usr/lib/sysusers.d/sing-box.conf
+      - src: release/config/sing-box.rules
+        dst: /usr/share/polkit-1/rules.d/sing-box.rules
+      - src: release/config/sing-box-split-dns.xml
+        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
+
+      - src: release/completions/sing-box.bash
+        dst: /usr/share/bash-completion/completions/sing-box.bash
+      - src: release/completions/sing-box.fish
+        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
+      - src: release/completions/sing-box.zsh
+        dst: /usr/share/zsh/site-functions/_sing-box
+
+      - src: LICENSE
+        dst: /usr/share/licenses/sing-box/LICENSE
+    deb:
+      signature:
+        key_file: "{{ .Env.NFPM_KEY_PATH }}"
+      fields:
+        Bugs: https://github.com/SagerNet/sing-box/issues
+    rpm:
+      signature:
+        key_file: "{{ .Env.NFPM_KEY_PATH }}"
+    overrides:
+      apk:
+        contents:
+          - src: release/config/config.json
+            dst: /etc/sing-box/config.json
+            type: config
+
+          - src: release/config/sing-box.initd
+            dst: /etc/init.d/sing-box
+
+          - src: release/completions/sing-box.bash
+            dst: /usr/share/bash-completion/completions/sing-box.bash
+          - src: release/completions/sing-box.fish
+            dst: /usr/share/fish/vendor_completions.d/sing-box.fish
+          - src: release/completions/sing-box.zsh
+            dst: /usr/share/zsh/site-functions/_sing-box
+
+          - src: LICENSE
+            dst: /usr/share/licenses/sing-box/LICENSE
+      ipk:
+        contents:
+          - src: release/config/config.json
+            dst: /etc/sing-box/config.json
+            type: config
+
+          - src: release/config/openwrt.init
+            dst: /etc/init.d/sing-box
+          - src: release/config/openwrt.conf
+            dst: /etc/config/sing-box
+source:
+  enabled: false
+  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
+  prefix_template: '{{ .ProjectName }}-{{ .Version }}/'
+checksum:
+  disable: true
+  name_template: '{{ .ProjectName }}-{{ .Version }}.checksum'
+signs:
+  - artifacts: checksum
+release:
+  github:
+    owner: SagerNet
+    name: sing-box
+  draft: true
+  prerelease: auto
+  mode: replace
+  ids:
+    - archive
+    - package
+  skip_upload: true
+partial:
+  by: target

Dockerfile

@@ -13,13 +13,15 @@ RUN set -ex \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
     && go build -v -trimpath -tags \
-        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,badlinkname,tfogo_checklinkname0" \
+        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale" \
         -o /go/bin/sing-box \
         -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid= -checklinkname=0" \
         ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
+    && apk upgrade \
+    && apk add bash tzdata ca-certificates nftables \
+    && rm -rf /var/cache/apk/*
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]

Makefile

@@ -1,6 +1,6 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,badlinkname,tfogo_checklinkname0
+TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
@@ -17,10 +17,6 @@ build:
 	export GOTOOLCHAIN=local && \
 	go build $(MAIN_PARAMS) $(MAIN)
 
-race:
-	export GOTOOLCHAIN=local && \
-	go build -race $(MAIN_PARAMS) $(MAIN)
-
 ci_build:
 	export GOTOOLCHAIN=local && \
 	go build $(PARAMS) $(MAIN) && \
@@ -38,7 +34,7 @@ fmt:
 	@gci write --custom-order -s standard -s "prefix(github.com/sagernet/)" -s "default" .
 
 fmt_install:
-	go install -v mvdan.cc/gofumpt@v0.8.0
+	go install -v mvdan.cc/gofumpt@latest
 	go install -v github.com/daixiang0/gci@latest
 
 lint:
@@ -49,7 +45,7 @@ lint:
 	GOOS=freebsd golangci-lint run ./...
 
 lint_install:
-	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.4.0
+	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
 
 proto:
 	@go run ./cmd/internal/protogen

README.md

@@ -1,11 +1,3 @@
-> Sponsored by [Warp](https://go.warp.dev/sing-box), built for coding with multiple AI agents
-
-<a href="https://go.warp.dev/sing-box">
-<img alt="Warp sponsorship" width="400" src="https://github.com/warpdotdev/brand-assets/raw/refs/heads/main/Github/Sponsor/Warp-Github-LG-02.png">
-</a>
-
----
-
 # sing-box
 
 The universal proxy platform.

adapter/network.go

@@ -10,7 +10,6 @@ import (
 
 type NetworkManager interface {
 	Lifecycle
-	Initialize(ruleSets []RuleSet)
 	InterfaceFinder() control.InterfaceFinder
 	UpdateInterfaces() error
 	DefaultNetworkInterface() *NetworkInterface
@@ -25,10 +24,9 @@ type NetworkManager interface {
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
-	NeedWIFIState() bool
 	WIFIState() WIFIState
-	UpdateWIFIState()
 	ResetNetwork()
+	UpdateWIFIState()
 }
 
 type NetworkOptions struct {

adapter/router.go

@@ -24,6 +24,7 @@ type Router interface {
 	PreMatch(metadata InboundContext, context tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error)
 	ConnectionRouterEx
 	RuleSet(tag string) (RuleSet, bool)
+	NeedWIFIState() bool
 	Rules() []Rule
 	AppendTracker(tracker ConnectionTracker)
 	ResetNetwork()

adapter/upstream.go

@@ -73,7 +73,7 @@ func NewUpstreamContextHandlerEx(
 }
 
 func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	_, myMetadata := ExtendContext(ctx)
+	myMetadata := ContextFrom(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -84,7 +84,7 @@ func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context,
 }
 
 func (w *myUpstreamContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	_, myMetadata := ExtendContext(ctx)
+	myMetadata := ContextFrom(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -146,7 +146,7 @@ type routeContextHandlerWrapperEx struct {
 }
 
 func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	_, metadata := ExtendContext(ctx)
+	metadata := ContextFrom(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}
@@ -157,7 +157,7 @@ func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn
 }
 
 func (r *routeContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	_, metadata := ExtendContext(ctx)
+	metadata := ContextFrom(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}

box.go

@@ -184,7 +184,7 @@ func New(options Options) (*Box, error) {
 	service.MustRegister[adapter.ServiceManager](ctx, serviceManager)
 	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
 	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
-	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions, dnsOptions)
+	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions)
 	if err != nil {
 		return nil, E.Cause(err, "initialize network manager")
 	}

cmd/internal/app_store_connect/main.go

@@ -134,7 +134,6 @@ func publishTestflight(ctx context.Context) error {
 			asc.PlatformTVOS,
 		}
 	}
-	waitingForProcess := false
 	for _, platform := range platforms {
 		log.Info(string(platform), " list builds")
 		for {
@@ -146,13 +145,12 @@ func publishTestflight(ctx context.Context) error {
 				return err
 			}
 			build := builds.Data[0]
-			if !waitingForProcess && (common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 30*time.Minute) {
+			if common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 30*time.Minute {
 				log.Info(string(platform), " ", tag, " waiting for process")
 				time.Sleep(15 * time.Second)
 				continue
 			}
 			if *build.Attributes.ProcessingState != "VALID" {
-				waitingForProcess = true
 				log.Info(string(platform), " ", tag, " waiting for process: ", *build.Attributes.ProcessingState)
 				time.Sleep(15 * time.Second)
 				continue

cmd/internal/build_libbox/main.go

@@ -62,7 +62,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=  -checklinkname=0")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -checklinkname=0")
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api", "with_conntrack", "badlinkname", "tfogo_checklinkname0")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api", "with_conntrack")
 	macOSTags = append(macOSTags, "with_dhcp")
 	memcTags = append(memcTags, "with_tailscale")
 	notMemcTags = append(notMemcTags, "with_low_memory")
@@ -107,8 +107,10 @@ func buildAndroid() {
 	}
 
 	if !debugEnabled {
+		// sharedFlags[3] = sharedFlags[3] + " -checklinkname=0"
 		args = append(args, sharedFlags...)
 	} else {
+		// debugFlags[1] = debugFlags[1] + " -checklinkname=0"
 		args = append(args, debugFlags...)
 	}
 

cmd/sing-box/cmd_tools_fetch_http3.go

@@ -22,7 +22,7 @@ func initializeHTTP3Client(instance *box.Box) error {
 	}
 	http3Client = &http.Client{
 		Transport: &http3.Transport{
-			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
+			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 				destination := M.ParseSocksaddr(addr)
 				udpConn, dErr := dialer.DialContext(ctx, N.NetworkUDP, destination)
 				if dErr != nil {

common/badtls/raw_conn.go

@@ -1,4 +1,4 @@
-//go:build go1.25 && badlinkname
+//go:build go1.25 && !without_badtls
 
 package badtls
 

common/badtls/raw_half_conn.go

@@ -1,4 +1,4 @@
-//go:build go1.25 && badlinkname
+//go:build go1.25 && !without_badtls
 
 package badtls
 

common/badtls/read_wait.go

@@ -1,4 +1,4 @@
-//go:build go1.25 && badlinkname
+//go:build go1.25 && !without_badtls
 
 package badtls
 

common/badtls/read_wait_stub.go

@@ -1,4 +1,4 @@
-//go:build !go1.25 || !badlinkname
+//go:build !go1.25 || without_badtls
 
 package badtls
 

common/badtls/registry.go

@@ -1,4 +1,4 @@
-//go:build go1.25 && badlinkname
+//go:build go1.25 && !without_badtls
 
 package badtls
 

common/badtls/registry_utls.go

@@ -1,4 +1,4 @@
-//go:build go1.25 && badlinkname
+//go:build go1.25 && !without_badtls
 
 package badtls
 

common/badversion/version.go

@@ -5,8 +5,6 @@ import (
 	"strings"
 
 	F "github.com/sagernet/sing/common/format"
-
-	"golang.org/x/mod/semver"
 )
 
 type Version struct {
@@ -18,19 +16,7 @@ type Version struct {
 	PreReleaseVersion    int
 }
 
-func (v Version) LessThan(anotherVersion Version) bool {
-	return !v.GreaterThanOrEqual(anotherVersion)
-}
-
-func (v Version) LessThanOrEqual(anotherVersion Version) bool {
-	return v == anotherVersion || anotherVersion.GreaterThan(v)
-}
-
-func (v Version) GreaterThanOrEqual(anotherVersion Version) bool {
-	return v == anotherVersion || v.GreaterThan(anotherVersion)
-}
-
-func (v Version) GreaterThan(anotherVersion Version) bool {
+func (v Version) After(anotherVersion Version) bool {
 	if v.Major > anotherVersion.Major {
 		return true
 	} else if v.Major < anotherVersion.Major {
@@ -58,29 +44,19 @@ func (v Version) GreaterThan(anotherVersion Version) bool {
 			} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
 				return false
 			}
-		}
-		preReleaseIdentifier := parsePreReleaseIdentifier(v.PreReleaseIdentifier)
-		anotherPreReleaseIdentifier := parsePreReleaseIdentifier(anotherVersion.PreReleaseIdentifier)
-		if preReleaseIdentifier < anotherPreReleaseIdentifier {
+		} else if v.PreReleaseIdentifier == "rc" && anotherVersion.PreReleaseIdentifier == "beta" {
 			return true
-		} else if preReleaseIdentifier > anotherPreReleaseIdentifier {
+		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "rc" {
+			return false
+		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
+			return true
+		} else if v.PreReleaseIdentifier == "alpha" && anotherVersion.PreReleaseIdentifier == "beta" {
 			return false
 		}
 	}
 	return false
 }
 
-func parsePreReleaseIdentifier(identifier string) int {
-	if strings.HasPrefix(identifier, "rc") {
-		return 1
-	} else if strings.HasPrefix(identifier, "beta") {
-		return 2
-	} else if strings.HasPrefix(identifier, "alpha") {
-		return 3
-	}
-	return 0
-}
-
 func (v Version) VersionString() string {
 	return F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
 }
@@ -107,10 +83,6 @@ func (v Version) BadString() string {
 	return version
 }
 
-func IsValid(versionName string) bool {
-	return semver.IsValid("v" + versionName)
-}
-
 func Parse(versionName string) (version Version) {
 	if strings.HasPrefix(versionName, "v") {
 		versionName = versionName[1:]

common/badversion/version_test.go

@@ -10,9 +10,9 @@ func TestCompareVersion(t *testing.T) {
 	t.Parallel()
 	require.Equal(t, "1.3.0-beta.1", Parse("v1.3.0-beta1").String())
 	require.Equal(t, "1.3-beta1", Parse("v1.3.0-beta.1").BadString())
-	require.True(t, Parse("1.3.0").GreaterThan(Parse("1.3-beta1")))
-	require.True(t, Parse("1.3.0").GreaterThan(Parse("1.3.0-beta1")))
-	require.True(t, Parse("1.3.0-beta1").GreaterThan(Parse("1.3.0-alpha1")))
-	require.True(t, Parse("1.3.1").GreaterThan(Parse("1.3.0")))
-	require.True(t, Parse("1.4").GreaterThan(Parse("1.3")))
+	require.True(t, Parse("1.3.0").After(Parse("1.3-beta1")))
+	require.True(t, Parse("1.3.0").After(Parse("1.3.0-beta1")))
+	require.True(t, Parse("1.3.0-beta1").After(Parse("1.3.0-alpha1")))
+	require.True(t, Parse("1.3.1").After(Parse("1.3.0")))
+	require.True(t, Parse("1.4").After(Parse("1.3")))
 }

common/certificate/store.go

@@ -7,7 +7,6 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
-	"sync"
 
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
@@ -22,7 +21,6 @@ import (
 var _ adapter.CertificateStore = (*Store)(nil)
 
 type Store struct {
-	access                    sync.RWMutex
 	systemPool                *x509.CertPool
 	currentPool               *x509.CertPool
 	certificate               string
@@ -117,14 +115,10 @@ func (s *Store) Close() error {
 }
 
 func (s *Store) Pool() *x509.CertPool {
-	s.access.RLock()
-	defer s.access.RUnlock()
 	return s.currentPool
 }
 
 func (s *Store) update() error {
-	s.access.Lock()
-	defer s.access.Unlock()
 	var currentPool *x509.CertPool
 	if s.systemPool == nil {
 		currentPool = x509.NewCertPool()

common/dialer/default.go

@@ -20,8 +20,6 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
-
-	"github.com/database64128/tfo-go/v2"
 )
 
 var (
@@ -30,8 +28,8 @@ var (
 )
 
 type DefaultDialer struct {
-	dialer4                tfo.Dialer
-	dialer6                tfo.Dialer
+	dialer4                tcpDialer
+	dialer6                tcpDialer
 	udpDialer4             net.Dialer
 	udpDialer6             net.Dialer
 	udpListener            net.ListenConfig
@@ -143,18 +141,9 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 	} else {
 		dialer.Timeout = C.TCPConnectTimeout
 	}
-	if !options.DisableTCPKeepAlive {
-		keepIdle := time.Duration(options.TCPKeepAlive)
-		if keepIdle == 0 {
-			keepIdle = C.TCPKeepAliveInitial
-		}
-		keepInterval := time.Duration(options.TCPKeepAliveInterval)
-		if keepInterval == 0 {
-			keepInterval = C.TCPKeepAliveInterval
-		}
-		dialer.KeepAlive = keepIdle
-		dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(keepIdle, keepInterval))
-	}
+	// TODO: Add an option to customize the keep alive period
+	dialer.KeepAlive = C.TCPKeepAliveInitial
+	dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment
@@ -188,10 +177,19 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		udpAddr6 = M.SocksaddrFrom(bindAddr, 0).String()
 	}
 	if options.TCPMultiPath {
-		dialer4.SetMultipathTCP(true)
+		if !go121Available {
+			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
+		}
+		setMultiPathTCP(&dialer4)
+	}
+	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
+	if err != nil {
+		return nil, err
+	}
+	tcpDialer6, err := newTCPDialer(dialer6, options.TCPFastOpen)
+	if err != nil {
+		return nil, err
 	}
-	tcpDialer4 := tfo.Dialer{Dialer: dialer4, DisableTFO: !options.TCPFastOpen}
-	tcpDialer6 := tfo.Dialer{Dialer: dialer6, DisableTFO: !options.TCPFastOpen}
 	return &DefaultDialer{
 		dialer4:                tcpDialer4,
 		dialer6:                tcpDialer6,
@@ -271,7 +269,7 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	}
 	var dialer net.Dialer
 	if N.NetworkName(network) == N.NetworkTCP {
-		dialer = d.dialer4.Dialer
+		dialer = dialerFromTCPDialer(d.dialer4)
 	} else {
 		dialer = d.udpDialer4
 	}
@@ -319,9 +317,9 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 
 func (d *DefaultDialer) DialerForICMPDestination(destination netip.Addr) net.Dialer {
 	if !destination.Is6() {
-		return d.dialer6.Dialer
+		return dialerFromTCPDialer(d.dialer6)
 	} else {
-		return d.dialer4.Dialer
+		return dialerFromTCPDialer(d.dialer4)
 	}
 }
 
@@ -358,8 +356,18 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 	return trackPacketConn(packetConn, nil)
 }
 
-func (d *DefaultDialer) WireGuardControl() control.Func {
-	return d.udpListener.Control
+func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
+	udpListener := d.udpListener
+	udpListener.Control = control.Append(udpListener.Control, func(network, address string, conn syscall.RawConn) error {
+		for _, wgControlFn := range WgControlFns {
+			err := wgControlFn(network, address, conn)
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	return udpListener.ListenPacket(context.Background(), network, address)
 }
 
 func trackConn(conn net.Conn, err error) (net.Conn, error) {

common/dialer/default_go1.20.go

@@ -0,0 +1,19 @@
+//go:build go1.20
+
+package dialer
+
+import (
+	"net"
+
+	"github.com/metacubex/tfo-go"
+)
+
+type tcpDialer = tfo.Dialer
+
+func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
+	return tfo.Dialer{Dialer: dialer, DisableTFO: !tfoEnabled}, nil
+}
+
+func dialerFromTCPDialer(dialer tcpDialer) net.Dialer {
+	return dialer.Dialer
+}

common/dialer/default_go1.21.go

@@ -0,0 +1,11 @@
+//go:build go1.21
+
+package dialer
+
+import "net"
+
+const go121Available = true
+
+func setMultiPathTCP(dialer *net.Dialer) {
+	dialer.SetMultipathTCP(true)
+}

common/dialer/default_nongo1.20.go

@@ -0,0 +1,22 @@
+//go:build !go1.20
+
+package dialer
+
+import (
+	"net"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type tcpDialer = net.Dialer
+
+func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
+	if tfoEnabled {
+		return dialer, E.New("TCP Fast Open requires go1.20, please recompile your binary.")
+	}
+	return dialer, nil
+}
+
+func dialerFromTCPDialer(dialer tcpDialer) net.Dialer {
+	return dialer
+}

common/dialer/default_nongo1.21.go

@@ -0,0 +1,12 @@
+//go:build !go1.21
+
+package dialer
+
+import (
+	"net"
+)
+
+const go121Available = false
+
+func setMultiPathTCP(dialer *net.Dialer) {
+}

common/dialer/tfo.go

@@ -1,3 +1,5 @@
+//go:build go1.20
+
 package dialer
 
 import (
@@ -14,7 +16,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 
-	"github.com/database64128/tfo-go/v2"
+	"github.com/metacubex/tfo-go"
 )
 
 type slowOpenConn struct {
@@ -30,7 +32,7 @@ type slowOpenConn struct {
 	err         error
 }
 
-func DialSlowContext(dialer *tfo.Dialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	if dialer.DisableTFO || N.NetworkName(network) != N.NetworkTCP {
 		switch N.NetworkName(network) {
 		case N.NetworkTCP, N.NetworkUDP:

common/dialer/tfo_stub.go

@@ -0,0 +1,20 @@
+//go:build !go1.20
+
+package dialer
+
+import (
+	"context"
+	"net"
+
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	switch N.NetworkName(network) {
+	case N.NetworkTCP, N.NetworkUDP:
+		return dialer.DialContext(ctx, network, destination.String())
+	default:
+		return dialer.DialContext(ctx, network, destination.AddrString())
+	}
+}

common/dialer/wireguard.go

@@ -1,9 +1,13 @@
 package dialer
 
 import (
+	"net"
+
 	"github.com/sagernet/sing/common/control"
 )
 
 type WireGuardListener interface {
-	WireGuardControl() control.Func
+	ListenPacketCompat(network, address string) (net.PacketConn, error)
 }
+
+var WgControlFns []control.Func

common/ktls/ktls.go

@@ -1,12 +1,10 @@
-//go:build linux && go1.25 && badlinkname
+//go:build linux && go1.25 && !without_badtls
 
 package ktls
 
 import (
-	"bytes"
 	"context"
 	"crypto/tls"
-	"errors"
 	"io"
 	"net"
 	"os"
@@ -17,8 +15,6 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 	aTLS "github.com/sagernet/sing/common/tls"
-
-	"golang.org/x/sys/unix"
 )
 
 type Conn struct {
@@ -32,7 +28,6 @@ type Conn struct {
 	readWaitOptions N.ReadWaitOptions
 	kernelTx        bool
 	kernelRx        bool
-	pendingRxSplice bool
 }
 
 func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
@@ -66,7 +61,7 @@ func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, t
 		for rawConn.Hand.Len() > 0 {
 			err = rawConn.HandlePostHandshakeMessage()
 			if err != nil {
-				return nil, E.Cause(err, "handle post-handshake messages")
+				return nil, E.Cause(err, "ktls: failed to handle post-handshake messages")
 			}
 		}
 	}
@@ -90,7 +85,7 @@ func (c *Conn) Upstream() any {
 	return c.Conn
 }
 
-func (c *Conn) SyscallConnForRead() syscall.RawConn {
+func (c *Conn) SyscallConnForRead() syscall.Conn {
 	if !c.kernelRx {
 		return nil
 	}
@@ -99,35 +94,13 @@ func (c *Conn) SyscallConnForRead() syscall.RawConn {
 		return nil
 	}
 	c.logger.DebugContext(c.ctx, "ktls: RX splice requested")
-	return c.rawSyscallConn
+	return c.syscallConn
 }
 
-func (c *Conn) HandleSyscallReadError(inputErr error) ([]byte, error) {
-	if errors.Is(inputErr, unix.EINVAL) {
-		c.pendingRxSplice = true
-		err := c.readRecord()
-		if err != nil {
-			return nil, E.Cause(err, "ktls: handle non-application-data record")
-		}
-		var input bytes.Buffer
-		if c.rawConn.Input.Len() > 0 {
-			_, err = c.rawConn.Input.WriteTo(&input)
-			if err != nil {
-				return nil, err
-			}
-		}
-		return input.Bytes(), nil
-	} else if errors.Is(inputErr, unix.EBADMSG) {
-		return nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertBadRecordMAC))
-	} else {
-		return nil, E.Cause(inputErr, "ktls: unexpected errno")
-	}
-}
-
-func (c *Conn) SyscallConnForWrite() syscall.RawConn {
+func (c *Conn) SyscallConnForWrite() syscall.Conn {
 	if !c.kernelTx {
 		return nil
 	}
 	c.logger.DebugContext(c.ctx, "ktls: TX splice requested")
-	return c.rawSyscallConn
+	return c.syscallConn
 }

common/ktls/ktls_alert.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && badlinkname
+//go:build linux && go1.25 && !without_badtls
 
 package ktls
 

common/ktls/ktls_cipher_suites_linux.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && badlinkname
+//go:build linux && go1.25 && !without_badtls
 
 package ktls
 

common/ktls/ktls_close.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && badlinkname
+//go:build linux && go1.25 && !without_badtls
 
 package ktls
 

common/ktls/ktls_const.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && badlinkname
+//go:build linux && go1.25 && !without_badtls
 
 package ktls
 

common/ktls/ktls_handshake_messages.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && badlinkname
+//go:build linux && go1.25 && !without_badtls
 
 package ktls
 

common/ktls/ktls_key_update.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && badlinkname
+//go:build linux && go1.25 && !without_badtls
 
 package ktls
 

common/ktls/ktls_linux.go

@@ -1,4 +1,4 @@
-//go:build linux && go1.25 && badlinkname
+//go:build linux && go1.25 && !without_badtls
 
 package ktls
 
@@ -12,11 +12,11 @@ import (
 	"syscall"
 	"unsafe"
 
-	"github.com/sagernet/sing-box/common/badversion"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/shell"
 
+	"github.com/blang/semver/v4"
 	"golang.org/x/sys/unix"
 )
 
@@ -55,42 +55,46 @@ var KernelSupport = sync.OnceValues(func() (*Support, error) {
 		return nil, err
 	}
 
-	kernelVersion := badversion.Parse(strings.Trim(string(uname.Release[:]), "\x00"))
+	kernelVersion, err := semver.Parse(strings.Trim(string(uname.Release[:]), "\x00"))
 	if err != nil {
 		return nil, err
 	}
+	kernelVersion.Pre = nil
+	kernelVersion.Build = nil
+
 	var support Support
+
 	switch {
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 6, Minor: 14}):
+	case kernelVersion.GTE(semver.Version{Major: 6, Minor: 14}):
 		support.TLS_Version13_KeyUpdate = true
 		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 6, Minor: 1}):
+	case kernelVersion.GTE(semver.Version{Major: 6, Minor: 1}):
 		support.TLS_ARIA_GCM = true
 		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 6}):
+	case kernelVersion.GTE(semver.Version{Major: 6}):
 		support.TLS_Version13_RX = true
 		support.TLS_RX_NOPADDING = true
 		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 19}):
+	case kernelVersion.GTE(semver.Version{Major: 5, Minor: 19}):
 		support.TLS_TX_ZEROCOPY = true
 		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 16}):
+	case kernelVersion.GTE(semver.Version{Major: 5, Minor: 16}):
 		support.TLS_SM4 = true
 		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 11}):
+	case kernelVersion.GTE(semver.Version{Major: 5, Minor: 11}):
 		support.TLS_CHACHA20_POLY1305 = true
 		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 2}):
+	case kernelVersion.GTE(semver.Version{Major: 5, Minor: 2}):
 		support.TLS_AES_128_CCM = true
 		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 1}):
+	case kernelVersion.GTE(semver.Version{Major: 5, Minor: 1}):
 		support.TLS_AES_256_GCM = true
 		support.TLS_Version13 = true
 		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 4, Minor: 17}):
+	case kernelVersion.GTE(semver.Version{Major: 4, Minor: 17}):
 		support.TLS_RX = true
 		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 4, Minor: 13}):
+	case kernelVersion.GTE(semver.Version{Major: 4, Minor: 13}):
 		support.TLS = true
 	}
 
@@ -114,7 +118,7 @@ var KernelSupport = sync.OnceValues(func() (*Support, error) {
 func Load() error {
 	support, err := KernelSupport()
 	if err != nil {
-		return E.Cause(err, "ktls: check availability")
+		return err
 	}
 	if !support.TLS || !support.TLS_Version13 {
 		return E.New("ktls: kernel does not support TLS 1.3")
@@ -128,10 +132,10 @@ func (c *Conn) setupKernel(txOffload, rxOffload bool) error {
 	}
 	support, err := KernelSupport()
 	if err != nil {
-		return E.Cause(err, "check availability")
+		return err
 	}
 	if !support.TLS || !support.TLS_Version13 {
-		return E.New("kernel does not support TLS 1.3")
+		return E.New("ktls: kernel does not support TLS 1.3")
 	}
 	c.rawConn.Out.Lock()
 	defer c.rawConn.Out.Unlock()
@@ -139,13 +143,13 @@ func (c *Conn) setupKernel(txOffload, rxOffload bool) error {
 		return syscall.SetsockoptString(int(fd), unix.SOL_TCP, unix.TCP_ULP, "tls")
 	})
 	if err != nil {
-		return os.NewSyscallError("setsockopt", err)
+		return E.Cause(err, "initialize kernel TLS")
 	}
 
 	if txOffload {
 		txCrypto := kernelCipher(support, c.rawConn.Out, *c.rawConn.CipherSuite, false)
 		if txCrypto == nil {
-			return E.New("unsupported cipher suite")
+			return E.New("kTLS: unsupported cipher suite")
 		}
 		err = control.Raw(c.rawSyscallConn, func(fd uintptr) error {
 			return syscall.SetsockoptString(int(fd), unix.SOL_TLS, TLS_TX, txCrypto.String())
@@ -168,7 +172,7 @@ func (c *Conn) setupKernel(txOffload, rxOffload bool) error {
 	if rxOffload {
 		rxCrypto := kernelCipher(support, c.rawConn.In, *c.rawConn.CipherSuite, true)
 		if rxCrypto == nil {
-			return E.New("unsupported cipher suite")
+			return E.New("kTLS: unsupported cipher suite")
 		}
 		err = control.Raw(c.rawSyscallConn, func(fd uintptr) error {
 			return syscall.SetsockoptString(int(fd), unix.SOL_TLS, TLS_RX, rxCrypto.String())
@@ -258,14 +262,14 @@ func (c *Conn) readKernelRecord() (uint8, []byte, error) {
 	var err error
 	er := c.rawSyscallConn.Read(func(fd uintptr) bool {
 		n, err = recvmsg(int(fd), &msg, 0)
-		return err != unix.EAGAIN || c.pendingRxSplice
+		return err != unix.EAGAIN
 	})
 	if er != nil {
 		return 0, nil, er
 	}
 	switch err {
 	case nil:
-	case syscall.EINVAL, syscall.EAGAIN:
+	case syscall.EINVAL:
 		return 0, nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertProtocolVersion))
 	case syscall.EMSGSIZE:
 		return 0, nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertRecordOverflow))
@@ -276,7 +280,7 @@ func (c *Conn) readKernelRecord() (uint8, []byte, error) {
 	}
 
 	if n <= 0 {
-		return 0, nil, c.rawConn.In.SetErrorLocked(io.EOF)
+		return 0, nil, io.EOF
 	}
 
 	if cmsg.Level == unix.SOL_TLS && cmsg.Type == TLS_GET_RECORD_TYPE {

common/ktls/ktls_prf.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && badlinkname
+//go:build linux && go1.25 && !without_badtls
 
 package ktls
 

common/ktls/ktls_read.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && badlinkname
+//go:build linux && go1.25 && !without_badtls
 
 package ktls
 

common/ktls/ktls_read_wait.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && badlinkname
+//go:build linux && go1.25 && !without_badtls
 
 package ktls
 

common/ktls/ktls_stub.go

@@ -1,15 +1,15 @@
-//go:build !linux
+//go:build !linux || !go1.25 || without_badtls
 
 package ktls
 
 import (
 	"context"
+	"os"
 
-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
 func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
-	return nil, E.New("kTLS is only supported on Linux")
+	return nil, os.ErrInvalid
 }

common/ktls/ktls_stub_nolinkname.go

@@ -1,15 +0,0 @@
-//go:build linux && go1.25 && !badlinkname
-
-package ktls
-
-import (
-	"context"
-
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	aTLS "github.com/sagernet/sing/common/tls"
-)
-
-func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
-	return nil, E.New("kTLS requires build flags `badlinkname` and `-ldflags=-checklinkname=0`, please recompile your binary")
-}

common/ktls/ktls_stub_oldgo.go

@@ -1,15 +0,0 @@
-//go:build linux && !go1.25
-
-package ktls
-
-import (
-	"context"
-
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	aTLS "github.com/sagernet/sing/common/tls"
-)
-
-func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
-	return nil, E.New("kTLS requires Go 1.25 or later, please recompile your binary")
-}

common/ktls/ktls_write.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && badlinkname
+//go:build linux && go1.25 && !without_badtls
 
 package ktls
 

common/listener/listener_go121.go

@@ -0,0 +1,11 @@
+//go:build go1.21
+
+package listener
+
+import "net"
+
+const go121Available = true
+
+func setMultiPathTCP(listenConfig *net.ListenConfig) {
+	listenConfig.SetMultipathTCP(true)
+}

common/listener/listener_go123.go

@@ -0,0 +1,16 @@
+//go:build go1.23
+
+package listener
+
+import (
+	"net"
+	"time"
+)
+
+func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
+	listener.KeepAliveConfig = net.KeepAliveConfig{
+		Enable:   true,
+		Idle:     idle,
+		Interval: interval,
+	}
+}

common/listener/listener_nongo121.go

@@ -0,0 +1,10 @@
+//go:build !go1.21
+
+package listener
+
+import "net"
+
+const go121Available = false
+
+func setMultiPathTCP(listenConfig *net.ListenConfig) {
+}

common/listener/listener_nongo123.go

@@ -0,0 +1,15 @@
+//go:build !go1.23
+
+package listener
+
+import (
+	"net"
+	"time"
+
+	"github.com/sagernet/sing/common/control"
+)
+
+func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
+	listener.KeepAlive = idle
+	listener.Control = control.Append(listener.Control, control.SetKeepAlivePeriod(idle, interval))
+}

common/listener/listener_tcp.go

@@ -3,7 +3,6 @@ package listener
 import (
 	"net"
 	"net/netip"
-	"strings"
 	"syscall"
 	"time"
 
@@ -17,7 +16,7 @@ import (
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 
-	"github.com/database64128/tfo-go/v2"
+	"github.com/metacubex/tfo-go"
 )
 
 func (l *Listener) ListenTCP() (net.Listener, error) {
@@ -37,7 +36,7 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 	if l.listenOptions.ReuseAddr {
 		listenConfig.Control = control.Append(listenConfig.Control, control.ReuseAddr())
 	}
-	if !l.listenOptions.DisableTCPKeepAlive {
+	if l.listenOptions.TCPKeepAlive >= 0 {
 		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
 		if keepIdle == 0 {
 			keepIdle = C.TCPKeepAliveInitial
@@ -46,19 +45,18 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 		if keepInterval == 0 {
 			keepInterval = C.TCPKeepAliveInterval
 		}
-		listenConfig.KeepAliveConfig = net.KeepAliveConfig{
-			Enable:   true,
-			Idle:     keepIdle,
-			Interval: keepInterval,
-		}
+		setKeepAliveConfig(&listenConfig, keepIdle, keepInterval)
 	}
 	if l.listenOptions.TCPMultiPath {
-		listenConfig.SetMultipathTCP(true)
+		if !go121Available {
+			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
+		}
+		setMultiPathTCP(&listenConfig)
 	}
 	if l.tproxy {
 		listenConfig.Control = control.Append(listenConfig.Control, func(network, address string, conn syscall.RawConn) error {
 			return control.Raw(conn, func(fd uintptr) error {
-				return redir.TProxy(fd, !strings.HasSuffix(network, "4"), false)
+				return redir.TProxy(fd, !M.ParseSocksaddr(address).IsIPv4(), false)
 			})
 		})
 	}

common/listener/listener_udp.go

@@ -5,7 +5,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strings"
 	"syscall"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -42,7 +41,7 @@ func (l *Listener) ListenUDP() (net.PacketConn, error) {
 	if l.tproxy {
 		listenConfig.Control = control.Append(listenConfig.Control, func(network, address string, conn syscall.RawConn) error {
 			return control.Raw(conn, func(fd uintptr) error {
-				return redir.TProxy(fd, !strings.HasSuffix(network, "4"), true)
+				return redir.TProxy(fd, !M.ParseSocksaddr(address).IsIPv4(), true)
 			})
 		})
 	}

common/settings/wifi.go

@@ -1,9 +0,0 @@
-package settings
-
-import "github.com/sagernet/sing-box/adapter"
-
-type WIFIMonitor interface {
-	ReadWIFIState() adapter.WIFIState
-	Start() error
-	Close() error
-}

common/settings/wifi_linux.go

@@ -1,46 +0,0 @@
-package settings
-
-import (
-	"github.com/sagernet/sing-box/adapter"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type LinuxWIFIMonitor struct {
-	monitor WIFIMonitor
-}
-
-func NewWIFIMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
-	monitors := []func(func(adapter.WIFIState)) (WIFIMonitor, error){
-		newNetworkManagerMonitor,
-		newIWDMonitor,
-		newWpaSupplicantMonitor,
-		newConnManMonitor,
-	}
-	var errors []error
-	for _, factory := range monitors {
-		monitor, err := factory(callback)
-		if err == nil {
-			return &LinuxWIFIMonitor{monitor: monitor}, nil
-		}
-		errors = append(errors, err)
-	}
-	return nil, E.Cause(E.Errors(errors...), "no supported WIFI manager found")
-}
-
-func (m *LinuxWIFIMonitor) ReadWIFIState() adapter.WIFIState {
-	return m.monitor.ReadWIFIState()
-}
-
-func (m *LinuxWIFIMonitor) Start() error {
-	if m.monitor != nil {
-		return m.monitor.Start()
-	}
-	return nil
-}
-
-func (m *LinuxWIFIMonitor) Close() error {
-	if m.monitor != nil {
-		return m.monitor.Close()
-	}
-	return nil
-}

common/settings/wifi_linux_connman.go

@@ -1,166 +0,0 @@
-package settings
-
-import (
-	"context"
-	"strings"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-
-	"github.com/godbus/dbus/v5"
-)
-
-type connmanMonitor struct {
-	conn       *dbus.Conn
-	callback   func(adapter.WIFIState)
-	cancel     context.CancelFunc
-	signalChan chan *dbus.Signal
-}
-
-func newConnManMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
-	conn, err := dbus.ConnectSystemBus()
-	if err != nil {
-		return nil, err
-	}
-	cmObj := conn.Object("net.connman", "/")
-	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
-	defer cancel()
-	call := cmObj.CallWithContext(ctx, "net.connman.Manager.GetServices", 0)
-	if call.Err != nil {
-		conn.Close()
-		return nil, call.Err
-	}
-	return &connmanMonitor{conn: conn, callback: callback}, nil
-}
-
-func (m *connmanMonitor) ReadWIFIState() adapter.WIFIState {
-	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
-	defer cancel()
-
-	cmObj := m.conn.Object("net.connman", "/")
-	var services []interface{}
-	err := cmObj.CallWithContext(ctx, "net.connman.Manager.GetServices", 0).Store(&services)
-	if err != nil {
-		return adapter.WIFIState{}
-	}
-
-	for _, service := range services {
-		servicePair, ok := service.([]interface{})
-		if !ok || len(servicePair) != 2 {
-			continue
-		}
-
-		serviceProps, ok := servicePair[1].(map[string]dbus.Variant)
-		if !ok {
-			continue
-		}
-
-		typeVariant, hasType := serviceProps["Type"]
-		if !hasType {
-			continue
-		}
-		serviceType, ok := typeVariant.Value().(string)
-		if !ok || serviceType != "wifi" {
-			continue
-		}
-
-		stateVariant, hasState := serviceProps["State"]
-		if !hasState {
-			continue
-		}
-		state, ok := stateVariant.Value().(string)
-		if !ok || (state != "online" && state != "ready") {
-			continue
-		}
-
-		nameVariant, hasName := serviceProps["Name"]
-		if !hasName {
-			continue
-		}
-		ssid, ok := nameVariant.Value().(string)
-		if !ok || ssid == "" {
-			continue
-		}
-
-		bssidVariant, hasBSSID := serviceProps["BSSID"]
-		if !hasBSSID {
-			return adapter.WIFIState{SSID: ssid}
-		}
-		bssid, ok := bssidVariant.Value().(string)
-		if !ok {
-			return adapter.WIFIState{SSID: ssid}
-		}
-
-		return adapter.WIFIState{
-			SSID:  ssid,
-			BSSID: strings.ToUpper(strings.ReplaceAll(bssid, ":", "")),
-		}
-	}
-
-	return adapter.WIFIState{}
-}
-
-func (m *connmanMonitor) Start() error {
-	if m.callback == nil {
-		return nil
-	}
-	ctx, cancel := context.WithCancel(context.Background())
-	m.cancel = cancel
-
-	m.signalChan = make(chan *dbus.Signal, 10)
-	m.conn.Signal(m.signalChan)
-
-	err := m.conn.AddMatchSignal(
-		dbus.WithMatchInterface("net.connman.Service"),
-		dbus.WithMatchSender("net.connman"),
-	)
-	if err != nil {
-		return err
-	}
-
-	state := m.ReadWIFIState()
-	go m.monitorSignals(ctx, m.signalChan, state)
-	m.callback(state)
-
-	return nil
-}
-
-func (m *connmanMonitor) monitorSignals(ctx context.Context, signalChan chan *dbus.Signal, lastState adapter.WIFIState) {
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case signal, ok := <-signalChan:
-			if !ok {
-				return
-			}
-			// godbus Signal.Name uses "interface.member" format (e.g. "net.connman.Service.PropertyChanged"),
-			// not just the member name. This differs from the D-Bus signal member in the match rule.
-			if signal.Name == "net.connman.Service.PropertyChanged" {
-				state := m.ReadWIFIState()
-				if state != lastState {
-					lastState = state
-					m.callback(state)
-				}
-			}
-		}
-	}
-}
-
-func (m *connmanMonitor) Close() error {
-	if m.cancel != nil {
-		m.cancel()
-	}
-	if m.signalChan != nil {
-		m.conn.RemoveSignal(m.signalChan)
-		close(m.signalChan)
-	}
-	if m.conn != nil {
-		m.conn.RemoveMatchSignal(
-			dbus.WithMatchInterface("net.connman.Service"),
-			dbus.WithMatchSender("net.connman"),
-		)
-		return m.conn.Close()
-	}
-	return nil
-}

common/settings/wifi_linux_iwd.go

@@ -1,188 +0,0 @@
-package settings
-
-import (
-	"context"
-	"strings"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-
-	"github.com/godbus/dbus/v5"
-)
-
-type iwdMonitor struct {
-	conn       *dbus.Conn
-	callback   func(adapter.WIFIState)
-	cancel     context.CancelFunc
-	signalChan chan *dbus.Signal
-}
-
-func newIWDMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
-	conn, err := dbus.ConnectSystemBus()
-	if err != nil {
-		return nil, err
-	}
-	iwdObj := conn.Object("net.connman.iwd", "/")
-	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
-	defer cancel()
-	call := iwdObj.CallWithContext(ctx, "org.freedesktop.DBus.ObjectManager.GetManagedObjects", 0)
-	if call.Err != nil {
-		conn.Close()
-		return nil, call.Err
-	}
-	return &iwdMonitor{conn: conn, callback: callback}, nil
-}
-
-func (m *iwdMonitor) ReadWIFIState() adapter.WIFIState {
-	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
-	defer cancel()
-
-	iwdObj := m.conn.Object("net.connman.iwd", "/")
-	var objects map[dbus.ObjectPath]map[string]map[string]dbus.Variant
-	err := iwdObj.CallWithContext(ctx, "org.freedesktop.DBus.ObjectManager.GetManagedObjects", 0).Store(&objects)
-	if err != nil {
-		return adapter.WIFIState{}
-	}
-
-	for _, interfaces := range objects {
-		stationProps, hasStation := interfaces["net.connman.iwd.Station"]
-		if !hasStation {
-			continue
-		}
-
-		stateVariant, hasState := stationProps["State"]
-		if !hasState {
-			continue
-		}
-		state, ok := stateVariant.Value().(string)
-		if !ok || state != "connected" {
-			continue
-		}
-
-		connectedNetworkVariant, hasNetwork := stationProps["ConnectedNetwork"]
-		if !hasNetwork {
-			continue
-		}
-		networkPath, ok := connectedNetworkVariant.Value().(dbus.ObjectPath)
-		if !ok || networkPath == "/" {
-			continue
-		}
-
-		networkInterfaces, hasNetworkPath := objects[networkPath]
-		if !hasNetworkPath {
-			continue
-		}
-
-		networkProps, hasNetworkInterface := networkInterfaces["net.connman.iwd.Network"]
-		if !hasNetworkInterface {
-			continue
-		}
-
-		nameVariant, hasName := networkProps["Name"]
-		if !hasName {
-			continue
-		}
-		ssid, ok := nameVariant.Value().(string)
-		if !ok {
-			continue
-		}
-
-		connectedBSSVariant, hasBSS := stationProps["ConnectedAccessPoint"]
-		if !hasBSS {
-			return adapter.WIFIState{SSID: ssid}
-		}
-		bssPath, ok := connectedBSSVariant.Value().(dbus.ObjectPath)
-		if !ok || bssPath == "/" {
-			return adapter.WIFIState{SSID: ssid}
-		}
-
-		bssInterfaces, hasBSSPath := objects[bssPath]
-		if !hasBSSPath {
-			return adapter.WIFIState{SSID: ssid}
-		}
-
-		bssProps, hasBSSInterface := bssInterfaces["net.connman.iwd.BasicServiceSet"]
-		if !hasBSSInterface {
-			return adapter.WIFIState{SSID: ssid}
-		}
-
-		addressVariant, hasAddress := bssProps["Address"]
-		if !hasAddress {
-			return adapter.WIFIState{SSID: ssid}
-		}
-		bssid, ok := addressVariant.Value().(string)
-		if !ok {
-			return adapter.WIFIState{SSID: ssid}
-		}
-
-		return adapter.WIFIState{
-			SSID:  ssid,
-			BSSID: strings.ToUpper(strings.ReplaceAll(bssid, ":", "")),
-		}
-	}
-
-	return adapter.WIFIState{}
-}
-
-func (m *iwdMonitor) Start() error {
-	if m.callback == nil {
-		return nil
-	}
-	ctx, cancel := context.WithCancel(context.Background())
-	m.cancel = cancel
-
-	m.signalChan = make(chan *dbus.Signal, 10)
-	m.conn.Signal(m.signalChan)
-
-	err := m.conn.AddMatchSignal(
-		dbus.WithMatchInterface("org.freedesktop.DBus.Properties"),
-		dbus.WithMatchSender("net.connman.iwd"),
-	)
-	if err != nil {
-		return err
-	}
-
-	state := m.ReadWIFIState()
-	go m.monitorSignals(ctx, m.signalChan, state)
-	m.callback(state)
-
-	return nil
-}
-
-func (m *iwdMonitor) monitorSignals(ctx context.Context, signalChan chan *dbus.Signal, lastState adapter.WIFIState) {
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case signal, ok := <-signalChan:
-			if !ok {
-				return
-			}
-			if signal.Name == "org.freedesktop.DBus.Properties.PropertiesChanged" {
-				state := m.ReadWIFIState()
-				if state != lastState {
-					lastState = state
-					m.callback(state)
-				}
-			}
-		}
-	}
-}
-
-func (m *iwdMonitor) Close() error {
-	if m.cancel != nil {
-		m.cancel()
-	}
-	if m.signalChan != nil {
-		m.conn.RemoveSignal(m.signalChan)
-		close(m.signalChan)
-	}
-	if m.conn != nil {
-		m.conn.RemoveMatchSignal(
-			dbus.WithMatchInterface("org.freedesktop.DBus.Properties"),
-			dbus.WithMatchSender("net.connman.iwd"),
-		)
-		return m.conn.Close()
-	}
-	return nil
-}

common/settings/wifi_linux_nm.go

@@ -1,163 +0,0 @@
-package settings
-
-import (
-	"context"
-	"strings"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-
-	"github.com/godbus/dbus/v5"
-)
-
-type networkManagerMonitor struct {
-	conn       *dbus.Conn
-	callback   func(adapter.WIFIState)
-	cancel     context.CancelFunc
-	signalChan chan *dbus.Signal
-}
-
-func newNetworkManagerMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
-	conn, err := dbus.ConnectSystemBus()
-	if err != nil {
-		return nil, err
-	}
-	nmObj := conn.Object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager")
-	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
-	defer cancel()
-	var state uint32
-	err = nmObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager", "State").Store(&state)
-	if err != nil {
-		conn.Close()
-		return nil, err
-	}
-	return &networkManagerMonitor{conn: conn, callback: callback}, nil
-}
-
-func (m *networkManagerMonitor) ReadWIFIState() adapter.WIFIState {
-	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
-	defer cancel()
-
-	nmObj := m.conn.Object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager")
-
-	var activeConnectionPaths []dbus.ObjectPath
-	err := nmObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager", "ActiveConnections").Store(&activeConnectionPaths)
-	if err != nil || len(activeConnectionPaths) == 0 {
-		return adapter.WIFIState{}
-	}
-
-	for _, connectionPath := range activeConnectionPaths {
-		connObj := m.conn.Object("org.freedesktop.NetworkManager", connectionPath)
-
-		var devicePaths []dbus.ObjectPath
-		err = connObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Connection.Active", "Devices").Store(&devicePaths)
-		if err != nil || len(devicePaths) == 0 {
-			continue
-		}
-
-		for _, devicePath := range devicePaths {
-			deviceObj := m.conn.Object("org.freedesktop.NetworkManager", devicePath)
-
-			var deviceType uint32
-			err = deviceObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Device", "DeviceType").Store(&deviceType)
-			if err != nil || deviceType != 2 {
-				continue
-			}
-
-			var accessPointPath dbus.ObjectPath
-			err = deviceObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Device.Wireless", "ActiveAccessPoint").Store(&accessPointPath)
-			if err != nil || accessPointPath == "/" {
-				continue
-			}
-
-			apObj := m.conn.Object("org.freedesktop.NetworkManager", accessPointPath)
-
-			var ssidBytes []byte
-			err = apObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.AccessPoint", "Ssid").Store(&ssidBytes)
-			if err != nil {
-				continue
-			}
-
-			var hwAddress string
-			err = apObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.AccessPoint", "HwAddress").Store(&hwAddress)
-			if err != nil {
-				continue
-			}
-
-			ssid := strings.TrimSpace(string(ssidBytes))
-			if ssid == "" {
-				continue
-			}
-
-			return adapter.WIFIState{
-				SSID:  ssid,
-				BSSID: strings.ToUpper(strings.ReplaceAll(hwAddress, ":", "")),
-			}
-		}
-	}
-
-	return adapter.WIFIState{}
-}
-
-func (m *networkManagerMonitor) Start() error {
-	if m.callback == nil {
-		return nil
-	}
-	ctx, cancel := context.WithCancel(context.Background())
-	m.cancel = cancel
-
-	m.signalChan = make(chan *dbus.Signal, 10)
-	m.conn.Signal(m.signalChan)
-
-	err := m.conn.AddMatchSignal(
-		dbus.WithMatchSender("org.freedesktop.NetworkManager"),
-		dbus.WithMatchInterface("org.freedesktop.DBus.Properties"),
-	)
-	if err != nil {
-		return err
-	}
-
-	state := m.ReadWIFIState()
-	go m.monitorSignals(ctx, m.signalChan, state)
-	m.callback(state)
-
-	return nil
-}
-
-func (m *networkManagerMonitor) monitorSignals(ctx context.Context, signalChan chan *dbus.Signal, lastState adapter.WIFIState) {
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case signal, ok := <-signalChan:
-			if !ok {
-				return
-			}
-			if signal.Name == "org.freedesktop.DBus.Properties.PropertiesChanged" {
-				state := m.ReadWIFIState()
-				if state != lastState {
-					lastState = state
-					m.callback(state)
-				}
-			}
-		}
-	}
-}
-
-func (m *networkManagerMonitor) Close() error {
-	if m.cancel != nil {
-		m.cancel()
-	}
-	if m.signalChan != nil {
-		m.conn.RemoveSignal(m.signalChan)
-		close(m.signalChan)
-	}
-	if m.conn != nil {
-		m.conn.RemoveMatchSignal(
-			dbus.WithMatchSender("org.freedesktop.NetworkManager"),
-			dbus.WithMatchInterface("org.freedesktop.DBus.Properties"),
-		)
-		return m.conn.Close()
-	}
-	return nil
-}

common/settings/wifi_linux_wpa.go

@@ -1,225 +0,0 @@
-package settings
-
-import (
-	"bufio"
-	"context"
-	"fmt"
-	"net"
-	"os"
-	"path/filepath"
-	"strings"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-)
-
-var wpaSocketCounter atomic.Uint64
-
-type wpaSupplicantMonitor struct {
-	socketPath  string
-	callback    func(adapter.WIFIState)
-	cancel      context.CancelFunc
-	monitorConn *net.UnixConn
-	connMutex   sync.Mutex
-}
-
-func newWpaSupplicantMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
-	socketDirs := []string{"/var/run/wpa_supplicant", "/run/wpa_supplicant"}
-	for _, socketDir := range socketDirs {
-		entries, err := os.ReadDir(socketDir)
-		if err != nil {
-			continue
-		}
-		for _, entry := range entries {
-			if entry.IsDir() || entry.Name() == "." || entry.Name() == ".." {
-				continue
-			}
-			socketPath := filepath.Join(socketDir, entry.Name())
-			id := wpaSocketCounter.Add(1)
-			localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-%d-%d", os.Getpid(), id), Net: "unixgram"}
-			remoteAddr := &net.UnixAddr{Name: socketPath, Net: "unixgram"}
-			conn, err := net.DialUnix("unixgram", localAddr, remoteAddr)
-			if err != nil {
-				continue
-			}
-			conn.Close()
-			return &wpaSupplicantMonitor{socketPath: socketPath, callback: callback}, nil
-		}
-	}
-	return nil, os.ErrNotExist
-}
-
-func (m *wpaSupplicantMonitor) ReadWIFIState() adapter.WIFIState {
-	id := wpaSocketCounter.Add(1)
-	localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-%d-%d", os.Getpid(), id), Net: "unixgram"}
-	remoteAddr := &net.UnixAddr{Name: m.socketPath, Net: "unixgram"}
-	conn, err := net.DialUnix("unixgram", localAddr, remoteAddr)
-	if err != nil {
-		return adapter.WIFIState{}
-	}
-	defer conn.Close()
-
-	conn.SetDeadline(time.Now().Add(3 * time.Second))
-
-	status, err := m.sendCommand(conn, "STATUS")
-	if err != nil {
-		return adapter.WIFIState{}
-	}
-
-	var ssid, bssid string
-	var connected bool
-	scanner := bufio.NewScanner(strings.NewReader(status))
-	for scanner.Scan() {
-		line := scanner.Text()
-		if strings.HasPrefix(line, "wpa_state=") {
-			state := strings.TrimPrefix(line, "wpa_state=")
-			connected = state == "COMPLETED"
-		} else if strings.HasPrefix(line, "ssid=") {
-			ssid = strings.TrimPrefix(line, "ssid=")
-		} else if strings.HasPrefix(line, "bssid=") {
-			bssid = strings.TrimPrefix(line, "bssid=")
-		}
-	}
-
-	if !connected || ssid == "" {
-		return adapter.WIFIState{}
-	}
-
-	return adapter.WIFIState{
-		SSID:  ssid,
-		BSSID: strings.ToUpper(strings.ReplaceAll(bssid, ":", "")),
-	}
-}
-
-// sendCommand sends a command to wpa_supplicant and returns the response.
-// Commands are sent without trailing newlines per the wpa_supplicant control
-// interface protocol - the official wpa_ctrl.c sends raw command strings.
-func (m *wpaSupplicantMonitor) sendCommand(conn *net.UnixConn, command string) (string, error) {
-	_, err := conn.Write([]byte(command))
-	if err != nil {
-		return "", err
-	}
-
-	buf := make([]byte, 4096)
-	n, err := conn.Read(buf)
-	if err != nil {
-		return "", err
-	}
-
-	response := string(buf[:n])
-	if strings.HasPrefix(response, "FAIL") {
-		return "", os.ErrInvalid
-	}
-
-	return strings.TrimSpace(response), nil
-}
-
-func (m *wpaSupplicantMonitor) Start() error {
-	if m.callback == nil {
-		return nil
-	}
-	ctx, cancel := context.WithCancel(context.Background())
-	m.cancel = cancel
-
-	state := m.ReadWIFIState()
-	go m.monitorEvents(ctx, state)
-	m.callback(state)
-
-	return nil
-}
-
-func (m *wpaSupplicantMonitor) monitorEvents(ctx context.Context, lastState adapter.WIFIState) {
-	var consecutiveErrors int
-	var debounceTimer *time.Timer
-	var debounceMutex sync.Mutex
-
-	localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-mon-%d", os.Getpid()), Net: "unixgram"}
-	remoteAddr := &net.UnixAddr{Name: m.socketPath, Net: "unixgram"}
-	conn, err := net.DialUnix("unixgram", localAddr, remoteAddr)
-	if err != nil {
-		return
-	}
-	defer conn.Close()
-
-	m.connMutex.Lock()
-	m.monitorConn = conn
-	m.connMutex.Unlock()
-
-	// ATTACH/DETACH commands use os_strcmp() for exact matching in wpa_supplicant,
-	// so they must be sent without trailing newlines.
-	// See: https://w1.fi/cgit/hostap/tree/wpa_supplicant/ctrl_iface_unix.c
-	_, err = conn.Write([]byte("ATTACH"))
-	if err != nil {
-		return
-	}
-
-	buf := make([]byte, 4096)
-	n, err := conn.Read(buf)
-	if err != nil || !strings.HasPrefix(string(buf[:n]), "OK") {
-		return
-	}
-
-	for {
-		select {
-		case <-ctx.Done():
-			debounceMutex.Lock()
-			if debounceTimer != nil {
-				debounceTimer.Stop()
-			}
-			debounceMutex.Unlock()
-			conn.Write([]byte("DETACH"))
-			return
-		default:
-		}
-
-		conn.SetReadDeadline(time.Now().Add(30 * time.Second))
-		n, err := conn.Read(buf)
-		if err != nil {
-			if netErr, ok := err.(net.Error); ok && netErr.Timeout() {
-				continue
-			}
-			select {
-			case <-ctx.Done():
-				return
-			default:
-			}
-			consecutiveErrors++
-			if consecutiveErrors > 10 {
-				return
-			}
-			time.Sleep(time.Second)
-			continue
-		}
-		consecutiveErrors = 0
-
-		msg := string(buf[:n])
-		if strings.Contains(msg, "CTRL-EVENT-CONNECTED") || strings.Contains(msg, "CTRL-EVENT-DISCONNECTED") {
-			debounceMutex.Lock()
-			if debounceTimer != nil {
-				debounceTimer.Stop()
-			}
-			debounceTimer = time.AfterFunc(500*time.Millisecond, func() {
-				state := m.ReadWIFIState()
-				if state != lastState {
-					lastState = state
-					m.callback(state)
-				}
-			})
-			debounceMutex.Unlock()
-		}
-	}
-}
-
-func (m *wpaSupplicantMonitor) Close() error {
-	if m.cancel != nil {
-		m.cancel()
-	}
-	m.connMutex.Lock()
-	if m.monitorConn != nil {
-		m.monitorConn.Close()
-	}
-	m.connMutex.Unlock()
-	return nil
-}

common/settings/wifi_stub.go

@@ -1,27 +0,0 @@
-//go:build !linux && !windows
-
-package settings
-
-import (
-	"os"
-
-	"github.com/sagernet/sing-box/adapter"
-)
-
-type stubWIFIMonitor struct{}
-
-func NewWIFIMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
-	return nil, os.ErrInvalid
-}
-
-func (m *stubWIFIMonitor) ReadWIFIState() adapter.WIFIState {
-	return adapter.WIFIState{}
-}
-
-func (m *stubWIFIMonitor) Start() error {
-	return nil
-}
-
-func (m *stubWIFIMonitor) Close() error {
-	return nil
-}

common/settings/wifi_windows.go

@@ -1,144 +0,0 @@
-//go:build windows
-
-package settings
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"sync"
-	"syscall"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing/common/winwlanapi"
-
-	"golang.org/x/sys/windows"
-)
-
-type windowsWIFIMonitor struct {
-	handle    windows.Handle
-	callback  func(adapter.WIFIState)
-	cancel    context.CancelFunc
-	lastState adapter.WIFIState
-	mutex     sync.Mutex
-}
-
-func NewWIFIMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
-	handle, err := winwlanapi.OpenHandle()
-	if err != nil {
-		return nil, err
-	}
-
-	interfaces, err := winwlanapi.EnumInterfaces(handle)
-	if err != nil {
-		winwlanapi.CloseHandle(handle)
-		return nil, err
-	}
-	if len(interfaces) == 0 {
-		winwlanapi.CloseHandle(handle)
-		return nil, fmt.Errorf("no wireless interfaces found")
-	}
-
-	return &windowsWIFIMonitor{
-		handle:   handle,
-		callback: callback,
-	}, nil
-}
-
-func (m *windowsWIFIMonitor) ReadWIFIState() adapter.WIFIState {
-	interfaces, err := winwlanapi.EnumInterfaces(m.handle)
-	if err != nil || len(interfaces) == 0 {
-		return adapter.WIFIState{}
-	}
-
-	for _, iface := range interfaces {
-		if iface.InterfaceState != winwlanapi.InterfaceStateConnected {
-			continue
-		}
-
-		guid := iface.InterfaceGUID
-		attrs, err := winwlanapi.QueryCurrentConnection(m.handle, &guid)
-		if err != nil {
-			continue
-		}
-
-		ssidLength := attrs.AssociationAttributes.SSID.Length
-		if ssidLength == 0 || ssidLength > winwlanapi.Dot11SSIDMaxLength {
-			continue
-		}
-
-		ssid := string(attrs.AssociationAttributes.SSID.SSID[:ssidLength])
-		bssid := formatBSSID(attrs.AssociationAttributes.BSSID)
-
-		return adapter.WIFIState{
-			SSID:  strings.TrimSpace(ssid),
-			BSSID: bssid,
-		}
-	}
-
-	return adapter.WIFIState{}
-}
-
-func formatBSSID(mac winwlanapi.Dot11MacAddress) string {
-	return fmt.Sprintf("%02X%02X%02X%02X%02X%02X",
-		mac[0], mac[1], mac[2], mac[3], mac[4], mac[5])
-}
-
-func (m *windowsWIFIMonitor) Start() error {
-	if m.callback == nil {
-		return nil
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	m.cancel = cancel
-
-	m.lastState = m.ReadWIFIState()
-
-	callbackFunc := func(data *winwlanapi.NotificationData, callbackContext uintptr) uintptr {
-		if data.NotificationSource != winwlanapi.NotificationSourceACM {
-			return 0
-		}
-		switch data.NotificationCode {
-		case winwlanapi.NotificationACMConnectionComplete,
-			winwlanapi.NotificationACMDisconnected:
-			m.checkAndNotify()
-		}
-		return 0
-	}
-
-	callbackPointer := syscall.NewCallback(callbackFunc)
-
-	err := winwlanapi.RegisterNotification(m.handle, winwlanapi.NotificationSourceACM, callbackPointer, 0)
-	if err != nil {
-		cancel()
-		return err
-	}
-
-	go func() {
-		<-ctx.Done()
-	}()
-
-	m.callback(m.lastState)
-	return nil
-}
-
-func (m *windowsWIFIMonitor) checkAndNotify() {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	state := m.ReadWIFIState()
-	if state != m.lastState {
-		m.lastState = state
-		if m.callback != nil {
-			m.callback(state)
-		}
-	}
-}
-
-func (m *windowsWIFIMonitor) Close() error {
-	if m.cancel != nil {
-		m.cancel()
-	}
-	winwlanapi.UnregisterNotification(m.handle)
-	return winwlanapi.CloseHandle(m.handle)
-}

common/tls/client.go

@@ -20,12 +20,7 @@ func NewDialerFromOptions(ctx context.Context, logger logger.ContextLogger, dial
 	if !options.Enabled {
 		return dialer, nil
 	}
-	config, err := NewClientWithOptions(ClientOptions{
-		Context:       ctx,
-		Logger:        logger,
-		ServerAddress: serverAddress,
-		Options:       options,
-	})
+	config, err := NewClient(ctx, logger, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
@@ -33,40 +28,15 @@ func NewDialerFromOptions(ctx context.Context, logger logger.ContextLogger, dial
 }
 
 func NewClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return NewClientWithOptions(ClientOptions{
-		Context:       ctx,
-		Logger:        logger,
-		ServerAddress: serverAddress,
-		Options:       options,
-	})
-}
-
-type ClientOptions struct {
-	Context        context.Context
-	Logger         logger.ContextLogger
-	ServerAddress  string
-	Options        option.OutboundTLSOptions
-	KTLSCompatible bool
-}
-
-func NewClientWithOptions(options ClientOptions) (Config, error) {
-	if !options.Options.Enabled {
+	if !options.Enabled {
 		return nil, nil
 	}
-	if !options.KTLSCompatible {
-		if options.Options.KernelTx {
-			options.Logger.Warn("enabling kTLS TX in current scenarios will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_tx")
-		}
+	if options.Reality != nil && options.Reality.Enabled {
+		return NewRealityClient(ctx, logger, serverAddress, options)
+	} else if options.UTLS != nil && options.UTLS.Enabled {
+		return NewUTLSClient(ctx, logger, serverAddress, options)
 	}
-	if options.Options.KernelRx {
-		options.Logger.Warn("enabling kTLS RX will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_rx")
-	}
-	if options.Options.Reality != nil && options.Options.Reality.Enabled {
-		return NewRealityClient(options.Context, options.Logger, options.ServerAddress, options.Options)
-	} else if options.Options.UTLS != nil && options.Options.UTLS.Enabled {
-		return NewUTLSClient(options.Context, options.Logger, options.ServerAddress, options.Options)
-	}
-	return NewSTDClient(options.Context, options.Logger, options.ServerAddress, options.Options)
+	return NewSTDClient(ctx, logger, serverAddress, options)
 }
 
 func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
@@ -119,19 +89,21 @@ func (d *defaultDialer) dialContext(ctx context.Context, destination M.Socksaddr
 	if err != nil {
 		return nil, err
 	}
-	tlsConn, err := aTLS.ClientHandshake(ctx, conn, d.config)
-	if err != nil {
-		conn.Close()
+	tlsConn, err := ClientHandshake(ctx, conn, d.config)
+	if err == nil {
+		return tlsConn, nil
+	}
+	conn.Close()
+	if echRetry {
 		var echErr *tls.ECHRejectionError
-		if echRetry && errors.As(err, &echErr) && len(echErr.RetryConfigList) > 0 {
+		if errors.As(err, &echErr) && len(echErr.RetryConfigList) > 0 {
 			if echConfig, isECH := d.config.(ECHCapableConfig); isECH {
 				echConfig.SetECHConfigList(echErr.RetryConfigList)
-				return d.dialContext(ctx, destination, false)
 			}
 		}
-		return nil, err
+		return d.dialContext(ctx, destination, false)
 	}
-	return tlsConn, nil
+	return nil, err
 }
 
 func (d *defaultDialer) Upstream() any {

common/tls/ech.go

@@ -69,7 +69,11 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	} else {
 		return E.New("missing ECH keys")
 	}
-	echKeys, err := parseECHKeys(echKey)
+	block, rest := pem.Decode(echKey)
+	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
+		return E.New("invalid ECH keys pem")
+	}
+	echKeys, err := UnmarshalECHKeys(block.Bytes)
 	if err != nil {
 		return E.Cause(err, "parse ECH keys")
 	}
@@ -81,29 +85,21 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	return nil
 }
 
-func (c *STDServerConfig) setECHServerConfig(echKey []byte) error {
-	echKeys, err := parseECHKeys(echKey)
+func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
+	echKey, err := os.ReadFile(echKeyPath)
 	if err != nil {
-		return err
+		return E.Cause(err, "reload ECH keys from ", echKeyPath)
 	}
-	c.access.Lock()
-	config := c.config.Clone()
-	config.EncryptedClientHelloKeys = echKeys
-	c.config = config
-	c.access.Unlock()
-	return nil
-}
-
-func parseECHKeys(echKey []byte) ([]tls.EncryptedClientHelloKey, error) {
 	block, _ := pem.Decode(echKey)
 	if block == nil || block.Type != "ECH KEYS" {
-		return nil, E.New("invalid ECH keys pem")
+		return E.New("invalid ECH keys pem")
 	}
 	echKeys, err := UnmarshalECHKeys(block.Bytes)
 	if err != nil {
-		return nil, E.Cause(err, "parse ECH keys")
+		return E.Cause(err, "parse ECH keys")
 	}
-	return echKeys, nil
+	tlsConfig.EncryptedClientHelloKeys = echKeys
+	return nil
 }
 
 type ECHClientConfig struct {

common/tls/ech_stub.go

@@ -0,0 +1,23 @@
+//go:build !go1.24
+
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, options option.OutboundTLSOptions) (Config, error) {
+	return nil, E.New("ECH requires go1.24, please recompile your binary.")
+}
+
+func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions, tlsConfig *tls.Config, echKeyPath *string) error {
+	return E.New("ECH requires go1.24, please recompile your binary.")
+}
+
+func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
+	return E.New("ECH requires go1.24, please recompile your binary.")
+}

common/tls/ktls.go

@@ -5,7 +5,6 @@ import (
 	"net"
 
 	"github.com/sagernet/sing-box/common/ktls"
-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	aTLS "github.com/sagernet/sing/common/tls"
 )
@@ -21,12 +20,7 @@ func (w *KTLSClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (
 	if err != nil {
 		return nil, err
 	}
-	kConn, err := ktls.NewConn(ctx, w.logger, tlsConn, w.kernelTx, w.kernelRx)
-	if err != nil {
-		tlsConn.Close()
-		return nil, E.Cause(err, "initialize kernel TLS")
-	}
-	return kConn, nil
+	return ktls.NewConn(ctx, w.logger, tlsConn, w.kernelTx, w.kernelRx)
 }
 
 func (w *KTLSClientConfig) Clone() Config {
@@ -49,12 +43,7 @@ func (w *KTlSServerConfig) ServerHandshake(ctx context.Context, conn net.Conn) (
 	if err != nil {
 		return nil, err
 	}
-	kConn, err := ktls.NewConn(ctx, w.logger, tlsConn, w.kernelTx, w.kernelRx)
-	if err != nil {
-		tlsConn.Close()
-		return nil, E.Cause(err, "initialize kernel TLS")
-	}
-	return kConn, nil
+	return ktls.NewConn(ctx, w.logger, tlsConn, w.kernelTx, w.kernelRx)
 }
 
 func (w *KTlSServerConfig) Clone() Config {

common/tls/reality_client.go

@@ -28,7 +28,6 @@ import (
 	"unsafe"
 
 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/debug"
@@ -51,7 +50,7 @@ type RealityClientConfig struct {
 	shortID   [8]byte
 }
 
-func NewRealityClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewRealityClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
 	if options.UTLS == nil || !options.UTLS.Enabled {
 		return nil, E.New("uTLS is required by reality client")
 	}
@@ -76,20 +75,7 @@ func NewRealityClient(ctx context.Context, logger logger.ContextLogger, serverAd
 	if decodedLen > 8 {
 		return nil, E.New("invalid short_id")
 	}
-
-	var config Config = &RealityClientConfig{ctx, uClient.(*UTLSClientConfig), publicKey, shortID}
-	if options.KernelRx || options.KernelTx {
-		if !C.IsLinux {
-			return nil, E.New("kTLS is only supported on Linux")
-		}
-		config = &KTLSClientConfig{
-			Config:   config,
-			logger:   logger,
-			kernelTx: options.KernelTx,
-			kernelRx: options.KernelRx,
-		}
-	}
-	return config, nil
+	return &RealityClientConfig{ctx, uClient.(*UTLSClientConfig), publicKey, shortID}, nil
 }
 
 func (e *RealityClientConfig) ServerName() string {

common/tls/reality_server.go

@@ -12,7 +12,6 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/common/dialer"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -29,7 +28,7 @@ type RealityServerConfig struct {
 	config *utls.RealityConfig
 }
 
-func NewRealityServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
 	var tlsConfig utls.RealityConfig
 
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
@@ -68,10 +67,7 @@ func NewRealityServer(ctx context.Context, logger log.ContextLogger, options opt
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
-	if len(options.CurvePreferences) > 0 {
-		return nil, E.New("curve preferences is unavailable in reality")
-	}
-	if len(options.Certificate) > 0 || options.CertificatePath != "" || len(options.ClientCertificatePublicKeySHA256) > 0 {
+	if len(options.Certificate) > 0 || options.CertificatePath != "" {
 		return nil, E.New("certificate is unavailable in reality")
 	}
 	if len(options.Key) > 0 || options.KeyPath != "" {
@@ -126,19 +122,11 @@ func NewRealityServer(ctx context.Context, logger log.ContextLogger, options opt
 	if options.ECH != nil && options.ECH.Enabled {
 		return nil, E.New("Reality is conflict with ECH")
 	}
-	var config ServerConfig = &RealityServerConfig{&tlsConfig}
-	if options.KernelTx || options.KernelRx {
-		if !C.IsLinux {
-			return nil, E.New("kTLS is only supported on Linux")
-		}
-		config = &KTlSServerConfig{
-			ServerConfig: config,
-			logger:       logger,
-			kernelTx:     options.KernelTx,
-			kernelRx:     options.KernelRx,
-		}
+	if options.KernelRx || options.KernelTx {
+		return nil, E.New("Reality is conflict with kTLS")
 	}
-	return config, nil
+
+	return &RealityServerConfig{&tlsConfig}, nil
 }
 
 func (c *RealityServerConfig) ServerName() string {

common/tls/server.go

@@ -12,37 +12,14 @@ import (
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-type ServerOptions struct {
-	Context        context.Context
-	Logger         log.ContextLogger
-	Options        option.InboundTLSOptions
-	KTLSCompatible bool
-}
-
 func NewServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
-	return NewServerWithOptions(ServerOptions{
-		Context: ctx,
-		Logger:  logger,
-		Options: options,
-	})
-}
-
-func NewServerWithOptions(options ServerOptions) (ServerConfig, error) {
-	if !options.Options.Enabled {
+	if !options.Enabled {
 		return nil, nil
 	}
-	if !options.KTLSCompatible {
-		if options.Options.KernelTx {
-			options.Logger.Warn("enabling kTLS TX in current scenarios will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_tx")
-		}
+	if options.Reality != nil && options.Reality.Enabled {
+		return NewRealityServer(ctx, logger, options)
 	}
-	if options.Options.KernelRx {
-		options.Logger.Warn("enabling kTLS RX will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_rx")
-	}
-	if options.Options.Reality != nil && options.Options.Reality.Enabled {
-		return NewRealityServer(options.Context, options.Logger, options.Options)
-	}
-	return NewSTDServer(options.Context, options.Logger, options.Options)
+	return NewSTDServer(ctx, logger, options)
 }
 
 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {

common/tls/std_client.go

@@ -1,12 +1,9 @@
 package tls
 
 import (
-	"bytes"
 	"context"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/base64"
 	"net"
 	"os"
 	"strings"
@@ -111,15 +108,6 @@ func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 			return err
 		}
 	}
-	if len(options.CertificatePublicKeySHA256) > 0 {
-		if len(options.Certificate) > 0 || options.CertificatePath != "" {
-			return nil, E.New("certificate_public_key_sha256 is conflict with certificate or certificate_path")
-		}
-		tlsConfig.InsecureSkipVerify = true
-		tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-			return verifyPublicKeySHA256(options.CertificatePublicKeySHA256, rawCerts, tlsConfig.Time)
-		}
-	}
 	if len(options.ALPN) > 0 {
 		tlsConfig.NextProtos = options.ALPN
 	}
@@ -149,9 +137,6 @@ func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
-	for _, curve := range options.CurvePreferences {
-		tlsConfig.CurvePreferences = append(tlsConfig.CurvePreferences, tls.CurveID(curve))
-	}
 	var certificate []byte
 	if len(options.Certificate) > 0 {
 		certificate = []byte(strings.Join(options.Certificate, "\n"))
@@ -169,35 +154,6 @@ func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 		}
 		tlsConfig.RootCAs = certPool
 	}
-	var clientCertificate []byte
-	if len(options.ClientCertificate) > 0 {
-		clientCertificate = []byte(strings.Join(options.ClientCertificate, "\n"))
-	} else if options.ClientCertificatePath != "" {
-		content, err := os.ReadFile(options.ClientCertificatePath)
-		if err != nil {
-			return nil, E.Cause(err, "read client certificate")
-		}
-		clientCertificate = content
-	}
-	var clientKey []byte
-	if len(options.ClientKey) > 0 {
-		clientKey = []byte(strings.Join(options.ClientKey, "\n"))
-	} else if options.ClientKeyPath != "" {
-		content, err := os.ReadFile(options.ClientKeyPath)
-		if err != nil {
-			return nil, E.Cause(err, "read client key")
-		}
-		clientKey = content
-	}
-	if len(clientCertificate) > 0 && len(clientKey) > 0 {
-		keyPair, err := tls.X509KeyPair(clientCertificate, clientKey)
-		if err != nil {
-			return nil, E.Cause(err, "parse client x509 key pair")
-		}
-		tlsConfig.Certificates = []tls.Certificate{keyPair}
-	} else if len(clientCertificate) > 0 || len(clientKey) > 0 {
-		return nil, E.New("client certificate and client key must be provided together")
-	}
 	var config Config = &STDClientConfig{ctx, &tlsConfig, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
 		var err error
@@ -219,22 +175,3 @@ func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 	}
 	return config, nil
 }
-
-func verifyPublicKeySHA256(knownHashValues [][]byte, rawCerts [][]byte, timeFunc func() time.Time) error {
-	leafCertificate, err := x509.ParseCertificate(rawCerts[0])
-	if err != nil {
-		return E.Cause(err, "failed to parse leaf certificate")
-	}
-
-	pubKeyBytes, err := x509.MarshalPKIXPublicKey(leafCertificate.PublicKey)
-	if err != nil {
-		return E.Cause(err, "failed to marshal public key")
-	}
-	hashValue := sha256.Sum256(pubKeyBytes)
-	for _, value := range knownHashValues {
-		if bytes.Equal(value, hashValue[:]) {
-			return nil
-		}
-	}
-	return E.New("unrecognized remote public key: ", base64.StdEncoding.EncodeToString(hashValue[:]))
-}

common/tls/std_server.go

@@ -3,16 +3,13 @@ package tls
 import (
 	"context"
 	"crypto/tls"
-	"crypto/x509"
 	"net"
 	"os"
 	"strings"
-	"sync"
 	"time"
 
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@@ -23,36 +20,26 @@ import (
 var errInsecureUnused = E.New("tls: insecure unused")
 
 type STDServerConfig struct {
-	access                sync.RWMutex
-	config                *tls.Config
-	logger                log.Logger
-	acmeService           adapter.SimpleLifecycle
-	certificate           []byte
-	key                   []byte
-	certificatePath       string
-	keyPath               string
-	clientCertificatePath []string
-	echKeyPath            string
-	watcher               *fswatch.Watcher
+	config          *tls.Config
+	logger          log.Logger
+	acmeService     adapter.SimpleLifecycle
+	certificate     []byte
+	key             []byte
+	certificatePath string
+	keyPath         string
+	echKeyPath      string
+	watcher         *fswatch.Watcher
 }
 
 func (c *STDServerConfig) ServerName() string {
-	c.access.RLock()
-	defer c.access.RUnlock()
 	return c.config.ServerName
 }
 
 func (c *STDServerConfig) SetServerName(serverName string) {
-	c.access.Lock()
-	defer c.access.Unlock()
-	config := c.config.Clone()
-	config.ServerName = serverName
-	c.config = config
+	c.config.ServerName = serverName
 }
 
 func (c *STDServerConfig) NextProtos() []string {
-	c.access.RLock()
-	defer c.access.RUnlock()
 	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
 		return c.config.NextProtos[1:]
 	} else {
@@ -61,15 +48,11 @@ func (c *STDServerConfig) NextProtos() []string {
 }
 
 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
-	c.access.Lock()
-	defer c.access.Unlock()
-	config := c.config.Clone()
 	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
-		config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
+		c.config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
 	} else {
-		config.NextProtos = nextProto
+		c.config.NextProtos = nextProto
 	}
-	c.config = config
 }
 
 func (c *STDServerConfig) STDConfig() (*STDConfig, error) {
@@ -94,6 +77,9 @@ func (c *STDServerConfig) Start() error {
 	if c.acmeService != nil {
 		return c.acmeService.Start()
 	} else {
+		if c.certificatePath == "" && c.keyPath == "" {
+			return nil
+		}
 		err := c.startWatcher()
 		if err != nil {
 			c.logger.Warn("create fsnotify watcher: ", err)
@@ -113,12 +99,6 @@ func (c *STDServerConfig) startWatcher() error {
 	if c.echKeyPath != "" {
 		watchPath = append(watchPath, c.echKeyPath)
 	}
-	if len(c.clientCertificatePath) > 0 {
-		watchPath = append(watchPath, c.clientCertificatePath...)
-	}
-	if len(watchPath) == 0 {
-		return nil
-	}
 	watcher, err := fswatch.NewWatcher(fswatch.Options{
 		Path: watchPath,
 		Callback: func(path string) {
@@ -158,42 +138,10 @@ func (c *STDServerConfig) certificateUpdated(path string) error {
 		if err != nil {
 			return E.Cause(err, "reload key pair")
 		}
-		c.access.Lock()
-		config := c.config.Clone()
-		config.Certificates = []tls.Certificate{keyPair}
-		c.config = config
-		c.access.Unlock()
+		c.config.Certificates = []tls.Certificate{keyPair}
 		c.logger.Info("reloaded TLS certificate")
-	} else if common.Contains(c.clientCertificatePath, path) {
-		clientCertificateCA := x509.NewCertPool()
-		var reloaded bool
-		for _, certPath := range c.clientCertificatePath {
-			content, err := os.ReadFile(certPath)
-			if err != nil {
-				c.logger.Error(E.Cause(err, "reload certificate from ", c.clientCertificatePath))
-				continue
-			}
-			if !clientCertificateCA.AppendCertsFromPEM(content) {
-				c.logger.Error(E.New("invalid client certificate file: ", certPath))
-				continue
-			}
-			reloaded = true
-		}
-		if !reloaded {
-			return E.New("client certificates is empty")
-		}
-		c.access.Lock()
-		config := c.config.Clone()
-		config.ClientCAs = clientCertificateCA
-		c.config = config
-		c.access.Unlock()
-		c.logger.Info("reloaded client certificates")
 	} else if path == c.echKeyPath {
-		echKey, err := os.ReadFile(c.echKeyPath)
-		if err != nil {
-			return E.Cause(err, "reload ECH keys from ", c.echKeyPath)
-		}
-		err = c.setECHServerConfig(echKey)
+		err := reloadECHKeys(c.echKeyPath, c.config)
 		if err != nil {
 			return err
 		}
@@ -264,14 +212,8 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
-	for _, curveID := range options.CurvePreferences {
-		tlsConfig.CurvePreferences = append(tlsConfig.CurvePreferences, tls.CurveID(curveID))
-	}
-	tlsConfig.ClientAuth = tls.ClientAuthType(options.ClientAuthentication)
-	var (
-		certificate []byte
-		key         []byte
-	)
+	var certificate []byte
+	var key []byte
 	if acmeService == nil {
 		if len(options.Certificate) > 0 {
 			certificate = []byte(strings.Join(options.Certificate, "\n"))
@@ -313,43 +255,6 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 			tlsConfig.Certificates = []tls.Certificate{keyPair}
 		}
 	}
-	if len(options.ClientCertificate) > 0 || len(options.ClientCertificatePath) > 0 {
-		if tlsConfig.ClientAuth == tls.NoClientCert {
-			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
-		}
-	}
-	if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert {
-		if len(options.ClientCertificate) > 0 {
-			clientCertificateCA := x509.NewCertPool()
-			if !clientCertificateCA.AppendCertsFromPEM([]byte(strings.Join(options.ClientCertificate, "\n"))) {
-				return nil, E.New("invalid client certificate strings")
-			}
-			tlsConfig.ClientCAs = clientCertificateCA
-		} else if len(options.ClientCertificatePath) > 0 {
-			clientCertificateCA := x509.NewCertPool()
-			for _, path := range options.ClientCertificatePath {
-				content, err := os.ReadFile(path)
-				if err != nil {
-					return nil, E.Cause(err, "read client certificate from ", path)
-				}
-				if !clientCertificateCA.AppendCertsFromPEM(content) {
-					return nil, E.New("invalid client certificate file: ", path)
-				}
-			}
-			tlsConfig.ClientCAs = clientCertificateCA
-		} else if len(options.ClientCertificatePublicKeySHA256) > 0 {
-			if tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert {
-				tlsConfig.ClientAuth = tls.RequireAnyClientCert
-			} else if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven {
-				tlsConfig.ClientAuth = tls.RequestClientCert
-			}
-			tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-				return verifyPublicKeySHA256(options.ClientCertificatePublicKeySHA256, rawCerts, tlsConfig.Time)
-			}
-		} else {
-			return nil, E.New("missing client_certificate, client_certificate_path or client_certificate_public_key_sha256 for client authentication")
-		}
-	}
 	var echKeyPath string
 	if options.ECH != nil && options.ECH.Enabled {
 		err = parseECHServerConfig(ctx, options, tlsConfig, &echKeyPath)
@@ -357,27 +262,17 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 			return nil, err
 		}
 	}
-	serverConfig := &STDServerConfig{
-		config:                tlsConfig,
-		logger:                logger,
-		acmeService:           acmeService,
-		certificate:           certificate,
-		key:                   key,
-		certificatePath:       options.CertificatePath,
-		clientCertificatePath: options.ClientCertificatePath,
-		keyPath:               options.KeyPath,
-		echKeyPath:            echKeyPath,
+	var config ServerConfig = &STDServerConfig{
+		config:          tlsConfig,
+		logger:          logger,
+		acmeService:     acmeService,
+		certificate:     certificate,
+		key:             key,
+		certificatePath: options.CertificatePath,
+		keyPath:         options.KeyPath,
+		echKeyPath:      echKeyPath,
 	}
-	serverConfig.config.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
-		serverConfig.access.Lock()
-		defer serverConfig.access.Unlock()
-		return serverConfig.config, nil
-	}
-	var config ServerConfig = serverConfig
 	if options.KernelTx || options.KernelRx {
-		if !C.IsLinux {
-			return nil, E.New("kTLS is only supported on Linux")
-		}
 		config = &KTlSServerConfig{
 			ServerConfig: config,
 			logger:       logger,

common/tls/utls_client.go

@@ -16,7 +16,6 @@ import (
 	"github.com/sagernet/sing-box/common/tlsfragment"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/common/ntp"
@@ -167,15 +166,6 @@ func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre
 		}
 		tlsConfig.InsecureServerNameToVerify = serverName
 	}
-	if len(options.CertificatePublicKeySHA256) > 0 {
-		if len(options.Certificate) > 0 || options.CertificatePath != "" {
-			return nil, E.New("certificate_public_key_sha256 is conflict with certificate or certificate_path")
-		}
-		tlsConfig.InsecureSkipVerify = true
-		tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-			return verifyPublicKeySHA256(options.CertificatePublicKeySHA256, rawCerts, tlsConfig.Time)
-		}
-	}
 	if len(options.ALPN) > 0 {
 		tlsConfig.NextProtos = options.ALPN
 	}
@@ -222,35 +212,6 @@ func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre
 		}
 		tlsConfig.RootCAs = certPool
 	}
-	var clientCertificate []byte
-	if len(options.ClientCertificate) > 0 {
-		clientCertificate = []byte(strings.Join(options.ClientCertificate, "\n"))
-	} else if options.ClientCertificatePath != "" {
-		content, err := os.ReadFile(options.ClientCertificatePath)
-		if err != nil {
-			return nil, E.Cause(err, "read client certificate")
-		}
-		clientCertificate = content
-	}
-	var clientKey []byte
-	if len(options.ClientKey) > 0 {
-		clientKey = []byte(strings.Join(options.ClientKey, "\n"))
-	} else if options.ClientKeyPath != "" {
-		content, err := os.ReadFile(options.ClientKeyPath)
-		if err != nil {
-			return nil, E.Cause(err, "read client key")
-		}
-		clientKey = content
-	}
-	if len(clientCertificate) > 0 && len(clientKey) > 0 {
-		keyPair, err := utls.X509KeyPair(clientCertificate, clientKey)
-		if err != nil {
-			return nil, E.Cause(err, "parse client x509 key pair")
-		}
-		tlsConfig.Certificates = []utls.Certificate{keyPair}
-	} else if len(clientCertificate) > 0 || len(clientKey) > 0 {
-		return nil, E.New("client certificate and client key must be provided together")
-	}
 	id, err := uTLSClientHelloID(options.UTLS.Fingerprint)
 	if err != nil {
 		return nil, err
@@ -265,7 +226,10 @@ func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre
 			return nil, err
 		}
 	}
-	if (options.KernelRx || options.KernelTx) && !common.PtrValueOrDefault(options.Reality).Enabled {
+	if options.KernelRx || options.KernelTx {
+		if options.Reality != nil && options.Reality.Enabled {
+			return nil, E.New("Reality is conflict with kTLS")
+		}
 		if !C.IsLinux {
 			return nil, E.New("kTLS is only supported on Linux")
 		}

common/tls/utls_stub.go

@@ -8,14 +8,13 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 )
 
-func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS is not included in this build, rebuild with -tags with_utls`)
 }
 
-func NewRealityClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS, which is required by reality is not included in this build, rebuild with -tags with_utls`)
 }
 

common/urltest/urltest.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
@@ -46,15 +47,15 @@ func (s *HistoryStorage) LoadURLTestHistory(tag string) *adapter.URLTestHistory
 func (s *HistoryStorage) DeleteURLTestHistory(tag string) {
 	s.access.Lock()
 	delete(s.delayHistory, tag)
-	s.notifyUpdated()
 	s.access.Unlock()
+	s.notifyUpdated()
 }
 
 func (s *HistoryStorage) StoreURLTestHistory(tag string, history *adapter.URLTestHistory) {
 	s.access.Lock()
 	s.delayHistory[tag] = history
-	s.notifyUpdated()
 	s.access.Unlock()
+	s.notifyUpdated()
 }
 
 func (s *HistoryStorage) notifyUpdated() {
@@ -68,8 +69,6 @@ func (s *HistoryStorage) notifyUpdated() {
 }
 
 func (s *HistoryStorage) Close() error {
-	s.access.Lock()
-	defer s.access.Unlock()
 	s.updateHook = nil
 	return nil
 }
@@ -99,7 +98,7 @@ func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err e
 		return
 	}
 	defer instance.Close()
-	if N.NeedHandshakeForWrite(instance) {
+	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](instance); isEarlyConn && earlyConn.NeedHandshake() {
 		start = time.Now()
 	}
 	req, err := http.NewRequest(http.MethodHead, link, nil)

constant/proxy.go

@@ -28,7 +28,6 @@ const (
 	TypeDERP         = "derp"
 	TypeResolved     = "resolved"
 	TypeSSMAPI       = "ssm-api"
-	TypeCCM          = "ccm"
 )
 
 const (

constant/timeout.go

@@ -3,7 +3,7 @@ package constant
 import "time"
 
 const (
-	TCPKeepAliveInitial        = 5 * time.Minute
+	TCPKeepAliveInitial        = 10 * time.Minute
 	TCPKeepAliveInterval       = 75 * time.Second
 	TCPConnectTimeout          = 5 * time.Second
 	TCPTimeout                 = 15 * time.Second

dns/client.go

@@ -95,20 +95,6 @@ func (c *Client) Start() {
 	}
 }
 
-func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
-	for _, record := range response.Ns {
-		if soa, isSOA := record.(*dns.SOA); isSOA {
-			soaTTL := soa.Header().Ttl
-			soaMinimum := soa.Minttl
-			if soaTTL < soaMinimum {
-				return soaTTL, true
-			}
-			return soaMinimum, true
-		}
-	}
-	return 0, false
-}
-
 func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
@@ -228,7 +214,6 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			response.Answer = append(response.Answer, validResponse.Answer...)
 		}
 	}*/
-	disableCache = disableCache || (response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError)
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
@@ -265,17 +250,10 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		}
 	}
 	var timeToLive uint32
-	if len(response.Answer) == 0 {
-		if soaTTL, hasSOA := extractNegativeTTL(response); hasSOA {
-			timeToLive = soaTTL
-		}
-	}
-	if timeToLive == 0 {
-		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-			for _, record := range recordList {
-				if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
-					timeToLive = record.Header().Ttl
-				}
+	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+		for _, record := range recordList {
+			if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
+				timeToLive = record.Header().Ttl
 			}
 		}
 	}
@@ -302,7 +280,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		}
 	}
 	logExchangedResponse(c.logger, ctx, response, timeToLive)
-	return response, nil
+	return response, err
 }
 
 func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
@@ -385,18 +363,14 @@ func (c *Client) LookupCache(domain string, strategy C.DomainStrategy) ([]netip.
 			Qtype:  dns.TypeA,
 			Qclass: dns.ClassINET,
 		}, nil)
-		if response4 == nil {
-			return nil, false
-		}
 		response6, _ := c.loadResponse(dns.Question{
 			Name:   dnsName,
 			Qtype:  dns.TypeAAAA,
 			Qclass: dns.ClassINET,
 		}, nil)
-		if response6 == nil {
-			return nil, false
+		if response4 != nil || response6 != nil {
+			return sortAddresses(MessageToAddresses(response4), MessageToAddresses(response6), strategy), true
 		}
-		return sortAddresses(MessageToAddresses(response4), MessageToAddresses(response6), strategy), true
 	}
 	return nil, false
 }

dns/client_truncate.go

@@ -15,7 +15,8 @@ func TruncateDNSMessage(request *dns.Msg, response *dns.Msg, headroom int) (*buf
 	}
 	responseLen := response.Len()
 	if responseLen > maxLen {
-		response = response.Copy()
+		copyResponse := *response
+		response = &copyResponse
 		response.Truncate(maxLen)
 	}
 	buffer := buf.NewSize(headroom*2 + 1 + responseLen)

dns/rcode.go

@@ -5,7 +5,6 @@ import (
 )
 
 const (
-	RcodeSuccess     RcodeError = mDNS.RcodeSuccess
 	RcodeFormatError RcodeError = mDNS.RcodeFormatError
 	RcodeNameError   RcodeError = mDNS.RcodeNameError
 	RcodeRefused     RcodeError = mDNS.RcodeRefused

dns/router.go

@@ -386,7 +386,12 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 			if rule != nil {
 				switch action := rule.Action().(type) {
 				case *R.RuleActionReject:
-					return nil, &R.RejectedError{Cause: action.Error(ctx)}
+					switch action.Method {
+					case C.RuleActionRejectMethodDefault:
+						return nil, nil
+					case C.RuleActionRejectMethodDrop:
+						return nil, tun.ErrDrop
+					}
 				case *R.RuleActionPredefined:
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)

dns/transport/dhcp/dhcp.go

@@ -2,13 +2,10 @@ package dhcp
 
 import (
 	"context"
-	"errors"
-	"io"
 	"net"
 	"runtime"
 	"strings"
 	"sync"
-	"syscall"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -198,17 +195,7 @@ func (t *Transport) fetchServers0(ctx context.Context, iface *control.Interface)
 	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
 		listenAddr = "255.255.255.255:68"
 	}
-	var (
-		packetConn net.PacketConn
-		err        error
-	)
-	for i := 0; i < 5; i++ {
-		packetConn, err = listener.ListenPacket(t.ctx, "udp4", listenAddr)
-		if err == nil || !errors.Is(err, syscall.EADDRINUSE) {
-			break
-		}
-		time.Sleep(time.Second)
-	}
+	packetConn, err := listener.ListenPacket(t.ctx, "udp4", listenAddr)
 	if err != nil {
 		return err
 	}
@@ -245,9 +232,6 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 	for {
 		_, _, err := buffer.ReadPacketFrom(packetConn)
 		if err != nil {
-			if errors.Is(err, io.ErrShortBuffer) {
-				continue
-			}
 			return err
 		}
 

dns/transport/dhcp/dhcp_shared.go

@@ -2,13 +2,12 @@ package dhcp
 
 import (
 	"context"
-	"errors"
 	"math/rand"
 	"strings"
-	"syscall"
+	"time"
 
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
@@ -44,7 +43,7 @@ func (t *Transport) exchangeParallel(ctx context.Context, servers []M.Socksaddr,
 			if response.Rcode != mDNS.RcodeSuccess {
 				err = dns.RcodeError(response.Rcode)
 			} else if len(dns.MessageToAddresses(response)) == 0 {
-				err = dns.RcodeSuccess
+				err = E.New(fqdn, ": empty result")
 			}
 		}
 		select {
@@ -84,7 +83,7 @@ func (t *Transport) tryOneName(ctx context.Context, servers []M.Socksaddr, fqdn
 			server := servers[j]
 			question := message.Question[0]
 			question.Name = fqdn
-			response, err := t.exchangeOne(ctx, server, question)
+			response, err := t.exchangeOne(ctx, server, question, C.DNSTimeout, false, true)
 			if err != nil {
 				lastErr = err
 				continue
@@ -95,77 +94,62 @@ func (t *Transport) tryOneName(ctx context.Context, servers []M.Socksaddr, fqdn
 	return nil, E.Cause(lastErr, fqdn)
 }
 
-func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question) (*mDNS.Msg, error) {
+func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question, timeout time.Duration, useTCP, ad bool) (*mDNS.Msg, error) {
 	if server.Port == 0 {
 		server.Port = 53
 	}
+	var networks []string
+	if useTCP {
+		networks = []string{N.NetworkTCP}
+	} else {
+		networks = []string{N.NetworkUDP, N.NetworkTCP}
+	}
 	request := &mDNS.Msg{
 		MsgHdr: mDNS.MsgHdr{
 			Id:                uint16(rand.Uint32()),
 			RecursionDesired:  true,
-			AuthenticatedData: true,
+			AuthenticatedData: ad,
 		},
 		Question: []mDNS.Question{question},
 		Compress: true,
 	}
 	request.SetEdns0(buf.UDPBufferSize, false)
-	return t.exchangeUDP(ctx, server, request)
-}
-
-func (t *Transport) exchangeUDP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg) (*mDNS.Msg, error) {
-	conn, err := t.dialer.DialContext(ctx, N.NetworkUDP, server)
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-		conn.SetDeadline(deadline)
-	}
 	buffer := buf.Get(buf.UDPBufferSize)
 	defer buf.Put(buffer)
-	rawMessage, err := request.PackBuffer(buffer)
-	if err != nil {
-		return nil, E.Cause(err, "pack request")
-	}
-	_, err = conn.Write(rawMessage)
-	if err != nil {
-		if errors.Is(err, syscall.EMSGSIZE) {
-			return t.exchangeTCP(ctx, server, request)
+	for _, network := range networks {
+		ctx, cancel := context.WithDeadline(ctx, time.Now().Add(timeout))
+		defer cancel()
+		conn, err := t.dialer.DialContext(ctx, network, server)
+		if err != nil {
+			return nil, err
 		}
-		return nil, E.Cause(err, "write request")
-	}
-	n, err := conn.Read(buffer)
-	if err != nil {
-		if errors.Is(err, syscall.EMSGSIZE) {
-			return t.exchangeTCP(ctx, server, request)
+		defer conn.Close()
+		if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
+			conn.SetDeadline(deadline)
 		}
-		return nil, E.Cause(err, "read response")
+		rawMessage, err := request.PackBuffer(buffer)
+		if err != nil {
+			return nil, E.Cause(err, "pack request")
+		}
+		_, err = conn.Write(rawMessage)
+		if err != nil {
+			return nil, E.Cause(err, "write request")
+		}
+		n, err := conn.Read(buffer)
+		if err != nil {
+			return nil, E.Cause(err, "read response")
+		}
+		var response mDNS.Msg
+		err = response.Unpack(buffer[:n])
+		if err != nil {
+			return nil, E.Cause(err, "unpack response")
+		}
+		if response.Truncated && network == N.NetworkUDP {
+			continue
+		}
+		return &response, nil
 	}
-	var response mDNS.Msg
-	err = response.Unpack(buffer[:n])
-	if err != nil {
-		return nil, E.Cause(err, "unpack response")
-	}
-	if response.Truncated {
-		return t.exchangeTCP(ctx, server, request)
-	}
-	return &response, nil
-}
-
-func (t *Transport) exchangeTCP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg) (*mDNS.Msg, error) {
-	conn, err := t.dialer.DialContext(ctx, N.NetworkTCP, server)
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-		conn.SetDeadline(deadline)
-	}
-	err = transport.WriteMessage(conn, 0, request)
-	if err != nil {
-		return nil, err
-	}
-	return transport.ReadMessage(conn)
+	panic("unexpected")
 }
 
 func (t *Transport) nameList(name string) []string {

dns/transport/https.go

@@ -8,6 +8,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"os"
 	"strconv"
 	"sync"
 	"time"
@@ -25,6 +26,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	aTLS "github.com/sagernet/sing/common/tls"
 	sHTTP "github.com/sagernet/sing/protocol/http"
 
 	mDNS "github.com/miekg/dns"
@@ -46,7 +48,7 @@ type HTTPSTransport struct {
 	destination      *url.URL
 	headers          http.Header
 	transportAccess  sync.Mutex
-	transport        *HTTPSTransportWrapper
+	transport        *http.Transport
 	transportResetAt time.Time
 }
 
@@ -61,8 +63,11 @@ func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options
 	if err != nil {
 		return nil, err
 	}
-	if len(tlsConfig.NextProtos()) == 0 {
-		tlsConfig.SetNextProtos([]string{http2.NextProtoTLS, "http/1.1"})
+	if common.Error(tlsConfig.STDConfig()) == nil && !common.Contains(tlsConfig.NextProtos(), http2.NextProtoTLS) {
+		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), http2.NextProtoTLS))
+	}
+	if !common.Contains(tlsConfig.NextProtos(), "http/1.1") {
+		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), "http/1.1"))
 	}
 	headers := options.Headers.Build()
 	host := headers.Get("Host")
@@ -120,13 +125,37 @@ func NewHTTPSRaw(
 	serverAddr M.Socksaddr,
 	tlsConfig tls.Config,
 ) *HTTPSTransport {
+	var transport *http.Transport
+	if tlsConfig != nil {
+		transport = &http.Transport{
+			ForceAttemptHTTP2: true,
+			DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				tcpConn, hErr := dialer.DialContext(ctx, network, serverAddr)
+				if hErr != nil {
+					return nil, hErr
+				}
+				tlsConn, hErr := aTLS.ClientHandshake(ctx, tcpConn, tlsConfig)
+				if hErr != nil {
+					tcpConn.Close()
+					return nil, hErr
+				}
+				return tlsConn, nil
+			},
+		}
+	} else {
+		transport = &http.Transport{
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return dialer.DialContext(ctx, network, serverAddr)
+			},
+		}
+	}
 	return &HTTPSTransport{
 		TransportAdapter: adapter,
 		logger:           logger,
 		dialer:           dialer,
 		destination:      destination,
 		headers:          headers,
-		transport:        NewHTTPSTransportWrapper(tls.NewDialer(dialer, tlsConfig), serverAddr),
+		transport:        transport,
 	}
 }
 
@@ -149,7 +178,7 @@ func (t *HTTPSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS
 	startAt := time.Now()
 	response, err := t.exchange(ctx, message)
 	if err != nil {
-		if errors.Is(err, context.DeadlineExceeded) {
+		if errors.Is(err, os.ErrDeadlineExceeded) {
 			t.transportAccess.Lock()
 			defer t.transportAccess.Unlock()
 			if t.transportResetAt.After(startAt) {

dns/transport/https_transport.go

@@ -1,80 +0,0 @@
-package transport
-
-import (
-	"context"
-	"errors"
-	"net"
-	"net/http"
-	"sync/atomic"
-
-	"github.com/sagernet/sing-box/common/tls"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-
-	"golang.org/x/net/http2"
-)
-
-var errFallback = E.New("fallback to HTTP/1.1")
-
-type HTTPSTransportWrapper struct {
-	http2Transport *http2.Transport
-	httpTransport  *http.Transport
-	fallback       *atomic.Bool
-}
-
-func NewHTTPSTransportWrapper(dialer tls.Dialer, serverAddr M.Socksaddr) *HTTPSTransportWrapper {
-	var fallback atomic.Bool
-	return &HTTPSTransportWrapper{
-		http2Transport: &http2.Transport{
-			DialTLSContext: func(ctx context.Context, _, _ string, _ *tls.STDConfig) (net.Conn, error) {
-				tlsConn, err := dialer.DialTLSContext(ctx, serverAddr)
-				if err != nil {
-					return nil, err
-				}
-				state := tlsConn.ConnectionState()
-				if state.NegotiatedProtocol == http2.NextProtoTLS {
-					return tlsConn, nil
-				}
-				tlsConn.Close()
-				fallback.Store(true)
-				return nil, errFallback
-			},
-		},
-		httpTransport: &http.Transport{
-			DialTLSContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
-				return dialer.DialTLSContext(ctx, serverAddr)
-			},
-		},
-		fallback: &fallback,
-	}
-}
-
-func (h *HTTPSTransportWrapper) RoundTrip(request *http.Request) (*http.Response, error) {
-	if h.fallback.Load() {
-		return h.httpTransport.RoundTrip(request)
-	} else {
-		response, err := h.http2Transport.RoundTrip(request)
-		if err != nil {
-			if errors.Is(err, errFallback) {
-				return h.httpTransport.RoundTrip(request)
-			}
-			return nil, err
-		}
-		return response, nil
-	}
-}
-
-func (h *HTTPSTransportWrapper) CloseIdleConnections() {
-	h.http2Transport.CloseIdleConnections()
-	h.httpTransport.CloseIdleConnections()
-}
-
-func (h *HTTPSTransportWrapper) Clone() *HTTPSTransportWrapper {
-	return &HTTPSTransportWrapper{
-		httpTransport: h.httpTransport,
-		http2Transport: &http2.Transport{
-			DialTLSContext: h.http2Transport.DialTLSContext,
-		},
-		fallback: h.fallback,
-	}
-}

dns/transport/local/local.go

@@ -53,15 +53,13 @@ func (t *Transport) Start(stage adapter.StartStage) error {
 	switch stage {
 	case adapter.StartStateInitialize:
 		if !t.preferGo {
-			if isSystemdResolvedManaged() {
-				resolvedResolver, err := NewResolvedResolver(t.ctx, t.logger)
+			resolvedResolver, err := NewResolvedResolver(t.ctx, t.logger)
+			if err == nil {
+				err = resolvedResolver.Start()
 				if err == nil {
-					err = resolvedResolver.Start()
-					if err == nil {
-						t.resolved = resolvedResolver
-					} else {
-						t.logger.Warn(E.Cause(err, "initialize resolved resolver"))
-					}
+					t.resolved = resolvedResolver
+				} else {
+					t.logger.Warn(E.Cause(err, "initialize resolved resolver"))
 				}
 			}
 		}
@@ -84,11 +82,12 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 		}
 	}
 	question := message.Question[0]
+	domain := dns.FqdnToDomain(question.Name)
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		addresses := t.hosts.Lookup(dns.FqdnToDomain(question.Name))
+		addresses := t.hosts.Lookup(domain)
 		if len(addresses) > 0 {
 			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 		}
 	}
-	return t.exchange(ctx, message, question.Name)
+	return t.exchange(ctx, message, domain)
 }

dns/transport/local/local_darwin.go

@@ -96,14 +96,15 @@ func (t *Transport) Close() error {
 
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	question := message.Question[0]
+	domain := dns.FqdnToDomain(question.Name)
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		addresses := t.hosts.Lookup(dns.FqdnToDomain(question.Name))
+		addresses := t.hosts.Lookup(domain)
 		if len(addresses) > 0 {
 			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 		}
 	}
 	if !t.fallback {
-		return t.exchange(ctx, message, question.Name)
+		return t.exchange(ctx, message, domain)
 	}
 	if !C.IsIos {
 		if t.dhcpTransport != nil {
@@ -115,7 +116,7 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 	}
 	if t.preferGo {
 		// Assuming the user knows what they are doing, we still execute the query which will fail.
-		return t.exchange(ctx, message, question.Name)
+		return t.exchange(ctx, message, domain)
 	}
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
 		var network string
@@ -124,7 +125,7 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 		} else {
 			network = "ip6"
 		}
-		addresses, err := t.resolver.LookupNetIP(ctx, network, question.Name)
+		addresses, err := t.resolver.LookupNetIP(ctx, network, domain)
 		if err != nil {
 			var dnsError *net.DNSError
 			if errors.As(err, &dnsError) && dnsError.IsNotFound {

dns/transport/local/local_resolved_linux.go

@@ -1,11 +1,9 @@
 package local
 
 import (
-	"bufio"
 	"context"
 	"errors"
 	"os"
-	"strings"
 	"sync"
 	"sync/atomic"
 
@@ -24,25 +22,6 @@ import (
 	mDNS "github.com/miekg/dns"
 )
 
-func isSystemdResolvedManaged() bool {
-	resolvContent, err := os.Open("/etc/resolv.conf")
-	if err != nil {
-		return false
-	}
-	defer resolvContent.Close()
-	scanner := bufio.NewScanner(resolvContent)
-	for scanner.Scan() {
-		line := strings.TrimSpace(scanner.Text())
-		if line == "" || line[0] != '#' {
-			return false
-		}
-		if strings.Contains(line, "systemd-resolved") {
-			return true
-		}
-	}
-	return false
-}
-
 type DBusResolvedResolver struct {
 	ctx               context.Context
 	logger            logger.ContextLogger
@@ -209,7 +188,7 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 		int32(defaultInterface.Index),
 	)
 	if call.Err != nil {
-		return nil, call.Err
+		return nil, err
 	}
 	var linkPath dbus.ObjectPath
 	err = call.Store(&linkPath)
@@ -235,12 +214,15 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 				return nil, E.New("No appropriate name servers or networks for name found")
 			}
 		}
-		return nil, E.New("link has no DNS servers configured")
+		return &ResolvedObject{
+			BusObject: dbusObject,
+		}, nil
+	} else {
+		return &ResolvedObject{
+			BusObject:      dbusObject,
+			InterfaceIndex: int32(defaultInterface.Index),
+		}, nil
 	}
-	return &ResolvedObject{
-		BusObject:      dbusObject,
-		InterfaceIndex: int32(defaultInterface.Index),
-	}, nil
 }
 
 func (t *DBusResolvedResolver) updateDefaultInterface(defaultInterface *control.Interface, flags int) {

dns/transport/local/local_resolved_stub.go

@@ -9,10 +9,6 @@ import (
 	"github.com/sagernet/sing/common/logger"
 )
 
-func isSystemdResolvedManaged() bool {
-	return false
-}
-
 func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
 	return nil, os.ErrInvalid
 }

dns/transport/local/local_shared.go

@@ -2,13 +2,10 @@ package local
 
 import (
 	"context"
-	"errors"
 	"math/rand"
-	"syscall"
 	"time"
 
 	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
@@ -109,6 +106,12 @@ func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, questio
 	if server.Port == 0 {
 		server.Port = 53
 	}
+	var networks []string
+	if useTCP {
+		networks = []string{N.NetworkTCP}
+	} else {
+		networks = []string{N.NetworkUDP, N.NetworkTCP}
+	}
 	request := &mDNS.Msg{
 		MsgHdr: mDNS.MsgHdr{
 			Id:                uint16(rand.Uint32()),
@@ -119,73 +122,40 @@ func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, questio
 		Compress: true,
 	}
 	request.SetEdns0(buf.UDPBufferSize, false)
-	if !useTCP {
-		return t.exchangeUDP(ctx, server, request, timeout)
-	} else {
-		return t.exchangeTCP(ctx, server, request, timeout)
-	}
-}
-
-func (t *Transport) exchangeUDP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg, timeout time.Duration) (*mDNS.Msg, error) {
-	conn, err := t.dialer.DialContext(ctx, N.NetworkUDP, server)
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-		newDeadline := time.Now().Add(timeout)
-		if deadline.After(newDeadline) {
-			deadline = newDeadline
-		}
-		conn.SetDeadline(deadline)
-	}
 	buffer := buf.Get(buf.UDPBufferSize)
 	defer buf.Put(buffer)
-	rawMessage, err := request.PackBuffer(buffer)
-	if err != nil {
-		return nil, E.Cause(err, "pack request")
-	}
-	_, err = conn.Write(rawMessage)
-	if err != nil {
-		if errors.Is(err, syscall.EMSGSIZE) {
-			return t.exchangeTCP(ctx, server, request, timeout)
+	for _, network := range networks {
+		ctx, cancel := context.WithDeadline(ctx, time.Now().Add(timeout))
+		defer cancel()
+		conn, err := t.dialer.DialContext(ctx, network, server)
+		if err != nil {
+			return nil, err
 		}
-		return nil, E.Cause(err, "write request")
-	}
-	n, err := conn.Read(buffer)
-	if err != nil {
-		if errors.Is(err, syscall.EMSGSIZE) {
-			return t.exchangeTCP(ctx, server, request, timeout)
+		defer conn.Close()
+		if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
+			conn.SetDeadline(deadline)
 		}
-		return nil, E.Cause(err, "read response")
+		rawMessage, err := request.PackBuffer(buffer)
+		if err != nil {
+			return nil, E.Cause(err, "pack request")
+		}
+		_, err = conn.Write(rawMessage)
+		if err != nil {
+			return nil, E.Cause(err, "write request")
+		}
+		n, err := conn.Read(buffer)
+		if err != nil {
+			return nil, E.Cause(err, "read response")
+		}
+		var response mDNS.Msg
+		err = response.Unpack(buffer[:n])
+		if err != nil {
+			return nil, E.Cause(err, "unpack response")
+		}
+		if response.Truncated && network == N.NetworkUDP {
+			continue
+		}
+		return &response, nil
 	}
-	var response mDNS.Msg
-	err = response.Unpack(buffer[:n])
-	if err != nil {
-		return nil, E.Cause(err, "unpack response")
-	}
-	if response.Truncated {
-		return t.exchangeTCP(ctx, server, request, timeout)
-	}
-	return &response, nil
-}
-
-func (t *Transport) exchangeTCP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg, timeout time.Duration) (*mDNS.Msg, error) {
-	conn, err := t.dialer.DialContext(ctx, N.NetworkTCP, server)
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-		newDeadline := time.Now().Add(timeout)
-		if deadline.After(newDeadline) {
-			deadline = newDeadline
-		}
-		conn.SetDeadline(deadline)
-	}
-	err = transport.WriteMessage(conn, 0, request)
-	if err != nil {
-		return nil, err
-	}
-	return transport.ReadMessage(conn)
+	panic("unexpected")
 }

dns/transport/quic/http3.go

@@ -102,7 +102,7 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 		destination:      &destinationURL,
 		headers:          headers,
 		transport: &http3.Transport{
-			Dial: func(ctx context.Context, addr string, tlsCfg *tls.STDConfig, cfg *quic.Config) (*quic.Conn, error) {
+			Dial: func(ctx context.Context, addr string, tlsCfg *tls.STDConfig, cfg *quic.Config) (quic.EarlyConnection, error) {
 				conn, dialErr := transportDialer.DialContext(ctx, N.NetworkUDP, serverAddr)
 				if dialErr != nil {
 					return nil, dialErr

dns/transport/quic/quic.go

@@ -38,7 +38,7 @@ type Transport struct {
 	serverAddr M.Socksaddr
 	tlsConfig  tls.Config
 	access     sync.Mutex
-	connection *quic.Conn
+	connection quic.EarlyConnection
 }
 
 func NewQUIC(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteTLSDNSServerOptions) (adapter.DNSTransport, error) {
@@ -88,7 +88,7 @@ func (t *Transport) Close() error {
 
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	var (
-		conn     *quic.Conn
+		conn     quic.Connection
 		err      error
 		response *mDNS.Msg
 	)
@@ -110,7 +110,7 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 	return nil, err
 }
 
-func (t *Transport) openConnection() (*quic.Conn, error) {
+func (t *Transport) openConnection() (quic.EarlyConnection, error) {
 	connection := t.connection
 	if connection != nil && !common.Done(connection.Context()) {
 		return connection, nil
@@ -139,7 +139,7 @@ func (t *Transport) openConnection() (*quic.Conn, error) {
 	return earlyConnection, nil
 }
 
-func (t *Transport) exchange(ctx context.Context, message *mDNS.Msg, conn *quic.Conn) (*mDNS.Msg, error) {
+func (t *Transport) exchange(ctx context.Context, message *mDNS.Msg, conn quic.Connection) (*mDNS.Msg, error) {
 	stream, err := conn.OpenStreamSync(ctx)
 	if err != nil {
 		return nil, err

docs/changelog.md

@@ -2,153 +2,96 @@
 icon: material/alert-decagram
 ---
 
-#### 1.13.0-alpha.28
+#### 1.13.0-alpha.9
 
-* Update quic-go to v0.57.1
-* Add `disable_tcp_keep_alive`, `tcp_keep_alive` and `tcp_keep_alive_interval` options for dial fields **1**
-* Update default TCP keep-alive initial period from 10 minutes to 5 minutes
+* Add kTLS support **1**
 * Fixes and improvements
 
 **1**:
 
-See [Dial Fields](/configuration/shared/dial/#tcp_keep_alive).
-
-__Unfortunately, for non-technical reasons, we are currently unable to notarize the standalone version of the macOS client:
-because system extensions require signatures to function, we have had to temporarily halt its release.__
-
-__We plan to fix the App Store release issue and launch a new standalone desktop client, but until then,
-only clients on TestFlight will be available (unless you have an Apple Developer Program and compile from source code).__
-
-#### 1.12.13
-
-* Fixes and improvements
-
-__Unfortunately, for non-technical reasons, we are currently unable to notarize the standalone version of the macOS client:
-because system extensions require signatures to function, we have had to temporarily halt its release.__
-
-__We plan to fix the App Store release issue and launch a new standalone desktop client, but until then,
-only clients on TestFlight will be available (unless you have an Apple Developer Program and compile from source code).__
-
-#### 1.12.12
-
-* Fixes and improvements
-
-#### 1.13.0-alpha.26
-
-* Update quic-go to v0.55.0
-* Fix memory leak in hysteria2
-* Fixes and improvements
-
-#### 1.12.11
-
-* Fixes and improvements
-
-#### 1.13.0-alpha.24
-
-* Add Claude Code Multiplexer service **1**
-* Fixes and improvements
-
-**1**:
-
-CCM (Claude Code Multiplexer) service allows you to access your local Claude Code subscription remotely through custom tokens, eliminating the need for OAuth authentication on remote clients.
-
-See [CCM](/configuration/service/ccm).
-
-#### 1.13.0-alpha.23
-
-* Fix compatibility with MPTCP **1**
-* Fixes and improvements
-
-**1**:
-
-`auto_redirect` now rejects MPTCP connections by default to fix compatibility issues,
-but you can change it to bypass the sing-box via the new `exclude_mptcp` option.
-
-See [TUN](/configuration/inbound/tun/#exclude_mptcp).
-
-#### 1.13.0-alpha.22
-
-* Update uTLS to v1.8.1 **1**
-* Fixes and improvements
-
-**1**:
-
-This update fixes an critical issue that could cause simulated Chrome fingerprints to be detected,
-see https://github.com/refraction-networking/utls/pull/375.
-
-#### 1.12.10
-
-* Update uTLS to v1.8.1 **1**
-* Fixes and improvements
-
-**1**:
-
-This update fixes an critical issue that could cause simulated Chrome fingerprints to be detected,
-see https://github.com/refraction-networking/utls/pull/375.
-
-#### 1.13.0-alpha.21
-
-* Fix missing mTLS support in client options **1**
-* Fixes and improvements
-
 See [TLS](/configuration/shared/tls/).
 
-#### 1.12.9
-
-* Fixes and improvements
-
-#### 1.13.0-alpha.16
-
-* Add curve preferences, pinned public key SHA256 and mTLS for TLS options **1**
-* Fixes and improvements
-
-See [TLS](/configuration/shared/tls/).
-
-#### 1.13.0-alpha.15
-
-* Update quic-go to v0.54.0
-* Update gVisor to v20250811
-* Update Tailscale to v1.86.5
-* Fixes and improvements
-
-#### 1.12.8
-
-* Fixes and improvements
-
-#### 1.13.0-alpha.11
-
-* Fixes and improvements
-
-#### 1.12.5
-
-* Fixes and improvements
-
-#### 1.13.0-alpha.10
-
-* Improve kTLS support **1**
-* Fixes and improvements
-
-**1**:
-
-kTLS is now compatible with custom TLS implementations other than uTLS.
-
 #### 1.12.4
 
 * Fixes and improvements
 
+#### 1.13.0-alpha.7
+
+* Add reject support for ICMP echo supports **1**
+* Fixes and improvements
+
+**1**:
+
+You can now reject, drop, or directly reply to ICMP echo (ping) requests using `reject` Route Action.
+
+See [Route Action](/configuration/route/rule_action/#reject).
+
+#### 1.13.0-alpha.6
+
+* Add proxy support for ICMP echo requests **1**
+* Fixes and improvements
+
+**1**:
+
+You can now match ICMP echo (ping) requests using the new `icmp` network in routing rules.
+
+Such traffic originates from `TUN`, `WireGuard`, and `Tailscale` inbounds and can be routed to `Direct`, `WireGuard`, and `Tailscale` outbounds.
+
+See [Route Rule](/configuration/route/rule/#network).
+
 #### 1.12.3
 
 * Fixes and improvements
 
+#### 1.13.0-alpha.4
+
+* Fixes and improvements
+
 #### 1.12.2
 
 * Fixes and improvements
 
+#### 1.13.0-alpha.3
+
+* Improve `local` DNS server **1**
+* Fixes and improvements
+
+**1**:
+
+On Apple platforms, Windows, and Linux (when using systemd-resolved), 
+`local` DNS server now works with Tun inbound which overrides system DNS servers.
+
+See [Local DNS Server](/configuration/dns/server/local/).
+
+#### 1.13.0-alpha.2
+
+* Add `preferred_by` rule item **1**
+* Fixes and improvements
+
+**1**:
+
+The new `preferred_by` routing rule item allows you to
+match preferred domains and addresses for specific outbounds.
+
+See [Route Rule](/configuration/route/rule/#preferred_by).
+
+#### 1.13.0-alpha.1
+
+* Add interface address rule items **1**
+* Fixes and improvements
+
+**1**:
+
+New interface address rules allow you to dynamically adjust rules based on your network environment.
+
+See [Route Rule](/configuration/route/rule/), [DNS Route Rule](/configuration/dns/rule/)
+and [Headless Rule](/configuration/rule-set/headless-rule/).
+
 #### 1.12.1
 
 * Fixes and improvements
 
-#### 1.12.0
+### 1.12.0
 
 * Refactor DNS servers **1**
 * Add domain resolver options**2**
@@ -214,8 +157,7 @@ See [Tailscale](/configuration/endpoint/tailscale/).
 
 Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.
 
-For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches
-from [MetaCubeX/go](https://github.com/MetaCubeX/go).
+For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
 
 **7**:
 
@@ -277,8 +219,7 @@ See [Tun](/configuration/inbound/tun/#loopback_address).
 
 We have significantly improved the performance of tun inbound on Apple platforms, especially in the gVisor stack.
 
-The following data was tested
-using [tun_bench](https://github.com/SagerNet/sing-box/blob/dev-next/cmd/internal/tun_bench/main.go) on M4 MacBook pro.
+The following data was tested using [tun_bench](https://github.com/SagerNet/sing-box/blob/dev-next/cmd/internal/tun_bench/main.go) on M4 MacBook pro.
 
 | Version     | Stack  | MTU   | Upload | Download |
 |-------------|--------|-------|--------|----------|
@@ -297,11 +238,11 @@ using [tun_bench](https://github.com/SagerNet/sing-box/blob/dev-next/cmd/interna
 
 **18**:
 
-We continue to experience issues updating our sing-box apps on the App Store and Play Store.
-Until we rewrite and resubmit the apps, they are considered irrecoverable.
+We continue to experience issues updating our sing-box apps on the App Store and Play Store. 
+Until we rewrite and resubmit the apps, they are considered irrecoverable. 
 Therefore, after this release, we will not be repeating this notice unless there is new information.
 
-### 1.11.15
+#### 1.11.15
 
 * Fixes and improvements
 
@@ -317,7 +258,7 @@ violated the rules (TestFlight users are not affected)._
 
 We have significantly improved the performance of tun inbound on Apple platforms, especially in the gVisor stack.
 
-### 1.11.14
+#### 1.11.14
 
 * Fixes and improvements
 
@@ -367,7 +308,7 @@ You can now choose what the DERP home page shows, just like with derper's `-home
 
 See [DERP](/configuration/service/derp/#home).
 
-### 1.11.13
+#### 1.11.13
 
 * Fixes and improvements
 
@@ -405,7 +346,7 @@ SSM API service is a RESTful API server for managing Shadowsocks servers.
 
 See [SSM API Service](/configuration/service/ssm-api/).
 
-### 1.11.11
+#### 1.11.11
 
 * Fixes and improvements
 
@@ -437,7 +378,7 @@ You can now set `bind_interface`, `routing_mark` and `reuse_addr` in Listen Fiel
 
 See [Listen Fields](/configuration/shared/listen/).
 
-### 1.11.10
+#### 1.11.10
 
 * Undeprecate the `block` outbound **1**
 * Fixes and improvements
@@ -455,7 +396,7 @@ violated the rules (TestFlight users are not affected)._
 * Update quic-go to v0.51.0
 * Fixes and improvements
 
-### 1.11.9
+#### 1.11.9
 
 * Fixes and improvements
 
@@ -466,7 +407,7 @@ violated the rules (TestFlight users are not affected)._
 
 * Fixes and improvements
 
-### 1.11.8
+#### 1.11.8
 
 * Improve `auto_redirect` **1**
 * Fixes and improvements
@@ -483,7 +424,7 @@ violated the rules (TestFlight users are not affected)._
 
 * Fixes and improvements
 
-### 1.11.7
+#### 1.11.7
 
 * Fixes and improvements
 
@@ -499,7 +440,7 @@ violated the rules (TestFlight users are not affected)._
 Now `auto_redirect` fixes compatibility issues between tun and Docker bridge networks,
 see [Tun](/configuration/inbound/tun/#auto_redirect).
 
-### 1.11.6
+#### 1.11.6
 
 * Fixes and improvements
 
@@ -540,7 +481,7 @@ See [Protocol Sniff](/configuration/route/sniff/).
 
 See [Dial Fields](/configuration/shared/dial/#domain_resolver).
 
-### 1.11.5
+#### 1.11.5
 
 * Fixes and improvements
 
@@ -556,7 +497,7 @@ violated the rules (TestFlight users are not affected)._
 
 See [DNS Rule Action](/configuration/dns/rule_action/#predefined).
 
-### 1.11.4
+#### 1.11.4
 
 * Fixes and improvements
 
@@ -579,8 +520,7 @@ See [AnyTLS Inbound](/configuration/inbound/anytls/) and [AnyTLS Outbound](/conf
 
 **2**:
 
-`resolve` route action now accepts `disable_cache` and other options like in DNS route actions,
-see [Route Action](/configuration/route/rule_action).
+`resolve` route action now accepts `disable_cache` and other options like in DNS route actions, see [Route Action](/configuration/route/rule_action).
 
 **3**:
 
@@ -611,10 +551,9 @@ See [Tailscale](/configuration/endpoint/tailscale/).
 
 Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.
 
-For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches
-from [MetaCubeX/go](https://github.com/MetaCubeX/go).
+For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
 
-### 1.11.3
+#### 1.11.3
 
 * Fixes and improvements
 
@@ -625,7 +564,7 @@ process._
 
 * Fixes and improvements
 
-### 1.11.1
+#### 1.11.1
 
 * Fixes and improvements
 
@@ -804,7 +743,7 @@ See [Hysteria2](/configuration/outbound/hysteria2/).
 
 When `up_mbps` and `down_mbps` are set, `ignore_client_bandwidth` instead denies clients from using BBR CC.
 
-### 1.10.7
+#### 1.10.7
 
 * Fixes and improvements
 
@@ -899,7 +838,7 @@ and the old outbound will be removed in sing-box 1.13.0.
 See [Endpoint](/configuration/endpoint/), [WireGuard Endpoint](/configuration/endpoint/wireguard/)
 and [Migrate WireGuard outbound fields to route options](/migration/#migrate-wireguard-outbound-to-endpoint).
 
-### 1.10.2
+#### 1.10.2
 
 * Add deprecated warnings
 * Fix proxying websocket connections in HTTP/mixed inbounds
@@ -1036,7 +975,7 @@ See [Rule Action](/configuration/route/rule_action/).
 * Update quic-go to v0.48.0
 * Fixes and improvements
 
-### 1.10.1
+#### 1.10.1
 
 * Fixes and improvements
 

docs/clients/apple/index.md

@@ -9,7 +9,7 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 
 !!! failure ""
 
-    Due to non-technical reasons, we are temporarily unable to update the sing-box app on the App Store and release the standalone version of the macOS client (TestFlight users are not affected)
+    We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected).
 
 ## :material-graph: Requirements
 
@@ -18,7 +18,7 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 
 ## :material-download: Download
 
-* ~~[App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)~~
+* [App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)
 * TestFlight (Beta)
 
 TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
@@ -26,15 +26,15 @@ TestFlight quota is only available to [sponsors](https://github.com/sponsors/nek
 Once you donate, you can get an invitation by join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot)
 or sending us your Apple ID [via email](mailto:contact@sagernet.org).
 
-## ~~:material-file-download: Download (macOS standalone version)~~
+## :material-file-download: Download (macOS standalone version)
 
-* ~~[Homebrew Cask](https://formulae.brew.sh/cask/sfm)~~
+* [Homebrew Cask](https://formulae.brew.sh/cask/sfm)
 
 ```bash
-# brew install sfm
+brew install sfm
 ```
 
-* ~~[GitHub Releases](https://github.com/SagerNet/sing-box/releases)~~
+* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
 
 ## :material-source-repository: Source code
 

docs/configuration/certificate/index.zh.md

@@ -1,54 +0,0 @@
----
-icon: material/new-box
----
-
-!!! question "自 sing-box 1.12.0 起"
-
-# 证书
-
-### 结构
-
-```json
-{
-  "store": "",
-  "certificate": [],
-  "certificate_path": [],
-  "certificate_directory_path": []
-}
-```
-
-!!! note ""
-
-    当内容只有一项时，可以忽略 JSON 数组 [] 标签
-
-### 字段
-
-#### store
-
-默认的 X509 受信任 CA 证书列表。
-
-| 类型                | 描述                                                                                       |
-|--------------------|--------------------------------------------------------------------------------------------|
-| `system`（默认）    | 系统受信任的 CA 证书                                                                        |
-| `mozilla`          | [Mozilla 包含列表](https://wiki.mozilla.org/CA/Included_Certificates)（已移除中国 CA 证书） |
-| `none`             | 空列表                                                                                     |
-
-#### certificate
-
-要信任的证书行数组，PEM 格式。
-
-#### certificate_path
-
-!!! note ""
-
-    文件修改时将自动重新加载。
-
-要信任的证书路径，PEM 格式。
-
-#### certificate_directory_path
-
-!!! note ""
-
-    文件修改时将自动重新加载。
-
-搜索要信任的证书的目录路径，PEM 格式。