Improve build

2026-04-12 01:57:18 +10:00 · 2022-08-12 18:51:58 +08:00
259 changed files with 1709 additions and 14520 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -9,11 +9,9 @@ body:
      options:
        - label: Yes, I'm using the latest major release. Only such installations are supported.
          required: true
-        - label: Yes, I'm using the latest Golang release. Only such installations are supported.
-          required: true
        - label: Yes, I've searched similar issues on GitHub and didn't find any.
          required: true
-        - label: Yes, I've included all information below (version, config, log, etc).
+        - label: Yes, I've included all information below (version, config, etc).
          required: true

  - type: textarea
@@ -53,19 +51,4 @@ body:

        </details>
    validations:
-      required: true
-
-  - type: textarea
-    id: config
-    attributes:
-      label: Server and client log file
-      value: |-
-        <details>
-
-        ```console
-        # paste log here
-        ```
-
-        </details>
-    validations:
-      required: true
+      required: true
--- a/.github/update_dependencies.sh
+++ b/.github/update_dependencies.sh
@@ -8,3 +8,6 @@ go get -x github.com/sagernet/sing-tun@$(git -C $PROJECTS/sing-tun rev-parse HEA
 go get -x github.com/sagernet/sing-shadowsocks@$(git -C $PROJECTS/sing-shadowsocks rev-parse HEAD)
 go get -x github.com/sagernet/sing-vmess@$(git -C $PROJECTS/sing-vmess rev-parse HEAD)
 go mod tidy
+pushd test
+go mod tidy
+popd
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -47,7 +47,6 @@ jobs:
          go mod init build
          go get -v github.com/sagernet/sing-box@$version
          popd
-        continue-on-error: true
      - name: Run Test
        run: |
          go test -v ./...
@@ -161,7 +160,6 @@ jobs:
      GOARM: ${{ matrix.goarm }}
      GOMIPS: ${{ matrix.gomips }}
      CGO_ENABLED: 0
-      TAGS: with_clash_api,with_quic
    steps:
      - name: Checkout
        uses: actions/checkout@v2
--- a/.github/workflows/mkdocs.yml
+++ b/.github/workflows/mkdocs.yml
@@ -14,5 +14,5 @@ jobs:
      - uses: actions/setup-python@v2
        with:
          python-version: 3.x
-      - run: pip install mkdocs-material mkdocs-static-i18n
+      - run: pip install mkdocs-material
      - run: mkdocs gh-deploy -m "{sha}" --force --ignore-version --no-history
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,15 +0,0 @@
-name: Mark stale issues and pull requests
-
-on:
-  schedule:
-    - cron: "30 1 * * *"
-
-jobs:
-  stale:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/stale@v5
-        with:
-          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
-          days-before-stale: 60
-          days-before-close: 5
--- a/.gitignore
+++ b/.gitignore
@@ -3,5 +3,4 @@
 /*.json
 /*.db
 /site/
-/bin/
-/dist/
+/bin/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -3,15 +3,18 @@ linters:
  enable:
    - gofumpt
    - govet
-#    - gci
+    - gci
    - staticcheck
    - paralleltest

+issues:
+  fix: true
+
 linters-settings:
-#  gci:
-#    sections:
-#      - standard
-#      - prefix(github.com/sagernet/)
-#      - default
+  gci:
+    sections:
+      - standard
+      - prefix(github.com/sagernet/)
+      - default
  staticcheck:
    go: '1.19'
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,83 +0,0 @@
-project_name: sing-box
-builds:
-  - main: ./cmd/sing-box
-    flags:
-      - -v
-      - -trimpath
-    asmflags:
-      - all=-trimpath={{.Env.GOPATH}}
-    gcflags:
-      - all=-trimpath={{.Env.GOPATH}}
-    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Commit={{ .ShortCommit }} -s -w -buildid=
-    tags:
-      - with_quic
-      - with_wireguard
-      - with_acme
-      - with_clash_api
-    env:
-      - CGO_ENABLED=0
-    targets:
-      - linux_amd64_v1
-      - linux_amd64_v3
-      - linux_arm64
-      - linux_arm_7
-      - windows_amd64_v1
-      - windows_amd64_v3
-      - windows_386
-      - windows_arm64
-      - darwin_amd64_v1
-      - darwin_amd64_v3
-      - darwin_arm64
-    mod_timestamp: '{{ .CommitTimestamp }}'
-snapshot:
-  name_template: "{{ .Version }}.{{ .ShortCommit }}"
-archives:
-  - id: archive
-    format: tar.gz
-    format_overrides:
-      - goos: windows
-        format: zip
-    wrap_in_directory: true
-    files:
-      - LICENSE
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-nfpms:
-  - id: package
-    package_name: sing-box
-    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    vendor: sagernet
-    homepage: https://sing-box.sagernet.org/
-    maintainer: nekohasekai <contact-git@sekai.icu>
-    description: The universal proxy platform.
-    license: GPLv3 or later
-    formats:
-      - deb
-      - rpm
-    priority: extra
-    contents:
-      - src: release/config/config.json
-        dst: /etc/sing-box/config.json
-        type: config
-      - src: release/config/sing-box.service
-        dst: /etc/systemd/system/sing-box.service
-      - src: release/config/sing-box@.service
-        dst: /etc/systemd/system/sing-box@.service
-      - src: LICENSE
-        dst: /usr/share/licenses/sing-box/LICENSE
-source:
-  enabled: false
-  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
-  prefix_template: '{{ .ProjectName }}-{{ .Version }}/'
-checksum:
-  disable: true
-  name_template: '{{ .ProjectName }}-{{ .Version }}.checksum'
-signs:
-  - artifacts: checksum
-release:
-  github:
-    owner: SagerNet
-    name: sing-box
-  name_template: '{{ if .IsSnapshot }}{{ nightly }}{{ else }}{{ .Version }}{{ end }}'
-  draft: true
-  mode: replace
--- a/57
+++ b/57
@@ -1,67 +1,46 @@
-NAME = sing-box
-COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_quic,with_wireguard,with_clash_api,with_daemon
-PARAMS = -v -trimpath -tags '$(TAGS)' -ldflags \
+NAME=sing-box
+COMMIT=$(shell git rev-parse --short HEAD)
+PARAMS=-trimpath -tags '$(TAGS)' -ldflags \
 		'-X "github.com/sagernet/sing-box/constant.Commit=$(COMMIT)" \
 		-w -s -buildid='
-MAIN = ./cmd/sing-box
+MAIN=./cmd/sing-box

-.PHONY: test release
+.PHONY: test

 build:
 	go build $(PARAMS) $(MAIN)

+action_version: build
+	echo "::set-output name=VERSION::`./sing-box version -n`"
+
 install:
 	go install $(PARAMS) $(MAIN)

-fmt:
-	@gofumpt -l -w .
-	@gofmt -s -w .
-	@gci write -s "standard,prefix(github.com/sagernet/),default" .
-
 fmt_install:
 	go install -v mvdan.cc/gofumpt@latest
 	go install -v github.com/daixiang0/gci@v0.4.0

+fmt:
+	gofumpt -l -w .
+	gofmt -s -w .
+	gci write -s "standard,prefix(github.com/sagernet/),default" .
+
+lint_install:
+	go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+
 lint:
 	GOOS=linux golangci-lint run ./...
-	GOOS=android golangci-lint run ./...
 	GOOS=windows golangci-lint run ./...
 	GOOS=darwin golangci-lint run ./...
 	GOOS=freebsd golangci-lint run ./...

-lint_install:
-	go install -v github.com/golangci/golangci-lint/cmd/golangci-lint@latest
-
-proto:
-	@go run ./cmd/internal/protogen
-	@gofumpt -l -w .
-	@gofumpt -l -w .
-
-proto_install:
-	go install -v google.golang.org/protobuf/cmd/protoc-gen-go@latest
-	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
-
-snapshot:
-	goreleaser release --rm-dist --snapshot
-	mkdir dist/release
-	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
-	ghr --delete --draft --prerelease -p 1 nightly dist/release
-	rm -r dist
-
-snapshot_install:
-	go install -v github.com/goreleaser/goreleaser@latest
-	go install -v github.com/tcnksm/ghr@latest
-
 test:
-	@go test -v . && \
+	go test -v . && \
 	pushd test && \
-	go mod tidy && \
-	go test -v -tags with_quic,with_wireguard,with_grpc . && \
+	go test -v . && \
 	popd

 clean:
-	rm -rf bin dist
 	rm -f $(shell go env GOPATH)/sing-box

 update:
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -18,7 +18,6 @@ type Inbound interface {
 type InboundContext struct {
 	Inbound     string
 	InboundType string
-	IPVersion   int
 	Network     string
 	Source      M.Socksaddr
 	Destination M.Socksaddr
@@ -29,14 +28,14 @@ type InboundContext struct {

 	// cache

-	OriginDestination        M.Socksaddr
 	DomainStrategy           dns.DomainStrategy
 	SniffEnabled             bool
 	SniffOverrideDestination bool
 	DestinationAddresses     []netip.Addr
-	SourceGeoIPCode          string
-	GeoIPCode                string
-	ProcessInfo              *process.Info
+
+	SourceGeoIPCode string
+	GeoIPCode       string
+	ProcessInfo     *process.Info
 }

 type inboundContextKey struct{}
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -37,7 +37,6 @@ type Router interface {
 	DefaultMark() int
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
-	PackageManager() tun.PackageManager
 	Rules() []Rule
 	SetTrafficController(controller TrafficController)
 }
--- a/adapter/service.go
+++ b/adapter/service.go
@@ -1,6 +1,12 @@
 package adapter

-type Service interface {
+import "io"
+
+type Starter interface {
 	Start() error
-	Close() error
+}
+
+type Service interface {
+	Starter
+	io.Closer
 }
--- a/adapter/v2ray.go
+++ b/adapter/v2ray.go
@@ -1,17 +0,0 @@
-package adapter
-
-import (
-	"context"
-	"net"
-)
-
-type V2RayServerTransport interface {
-	Network() []string
-	Serve(listener net.Listener) error
-	ServePacket(listener net.PacketConn) error
-	Close() error
-}
-
-type V2RayClientTransport interface {
-	DialContext(ctx context.Context) (net.Conn, error)
-}
--- a/box.go
+++ b/box.go
@@ -2,10 +2,8 @@ package box

 import (
 	"context"
-	"fmt"
 	"io"
 	"os"
-	"runtime/debug"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@@ -62,7 +60,6 @@ func New(ctx context.Context, options option.Options) (*Box, error) {
 			if err != nil {
 				return nil, err
 			}
-			logWriter = logFile
 		}
 		logFormatter := log.Formatter{
 			BaseTime:         createdAt,
@@ -170,37 +167,6 @@ func New(ctx context.Context, options option.Options) (*Box, error) {
 }

 func (s *Box) Start() error {
-	err := s.start()
-	if err != nil {
-		// TODO: remove catch error
-		defer func() {
-			v := recover()
-			if v != nil {
-				log.Error(E.Cause(err, "origin error"))
-				debug.PrintStack()
-				panic("panic on early close: " + fmt.Sprint(v))
-			}
-		}()
-		s.Close()
-	}
-	return err
-}
-
-func (s *Box) start() error {
-	for i, out := range s.outbounds {
-		if starter, isStarter := out.(common.Starter); isStarter {
-			err := starter.Start()
-			if err != nil {
-				var tag string
-				if out.Tag() == "" {
-					tag = F.ToString(i)
-				} else {
-					tag = out.Tag()
-				}
-				return E.Cause(err, "initialize outbound/", out.Type(), "[", tag, "]")
-			}
-		}
-	}
 	err := s.router.Start()
 	if err != nil {
 		return err
@@ -208,13 +174,10 @@ func (s *Box) start() error {
 	for i, in := range s.inbounds {
 		err = in.Start()
 		if err != nil {
-			var tag string
-			if in.Tag() == "" {
-				tag = F.ToString(i)
-			} else {
-				tag = in.Tag()
+			for g := 0; g < i; g++ {
+				s.inbounds[g].Close()
 			}
-			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
+			return err
 		}
 	}
 	if s.clashServer != nil {
--- a/cmd/internal/protogen/main.go
+++ b/cmd/internal/protogen/main.go
@@ -1,218 +0,0 @@
-package main
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"go/build"
-	"io"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"runtime"
-	"strings"
-)
-
-// envFile returns the name of the Go environment configuration file.
-// Copy from https://github.com/golang/go/blob/c4f2a9788a7be04daf931ac54382fbe2cb754938/src/cmd/go/internal/cfg/cfg.go#L150-L166
-func envFile() (string, error) {
-	if file := os.Getenv("GOENV"); file != "" {
-		if file == "off" {
-			return "", fmt.Errorf("GOENV=off")
-		}
-		return file, nil
-	}
-	dir, err := os.UserConfigDir()
-	if err != nil {
-		return "", err
-	}
-	if dir == "" {
-		return "", fmt.Errorf("missing user-config dir")
-	}
-	return filepath.Join(dir, "go", "env"), nil
-}
-
-// GetRuntimeEnv returns the value of runtime environment variable,
-// that is set by running following command: `go env -w key=value`.
-func GetRuntimeEnv(key string) (string, error) {
-	file, err := envFile()
-	if err != nil {
-		return "", err
-	}
-	if file == "" {
-		return "", fmt.Errorf("missing runtime env file")
-	}
-	var data []byte
-	var runtimeEnv string
-	data, readErr := os.ReadFile(file)
-	if readErr != nil {
-		return "", readErr
-	}
-	envStrings := strings.Split(string(data), "\n")
-	for _, envItem := range envStrings {
-		envItem = strings.TrimSuffix(envItem, "\r")
-		envKeyValue := strings.Split(envItem, "=")
-		if strings.EqualFold(strings.TrimSpace(envKeyValue[0]), key) {
-			runtimeEnv = strings.TrimSpace(envKeyValue[1])
-		}
-	}
-	return runtimeEnv, nil
-}
-
-// GetGOBIN returns GOBIN environment variable as a string. It will NOT be empty.
-func GetGOBIN() string {
-	// The one set by user explicitly by `export GOBIN=/path` or `env GOBIN=/path command`
-	GOBIN := os.Getenv("GOBIN")
-	if GOBIN == "" {
-		var err error
-		// The one set by user by running `go env -w GOBIN=/path`
-		GOBIN, err = GetRuntimeEnv("GOBIN")
-		if err != nil {
-			// The default one that Golang uses
-			return filepath.Join(build.Default.GOPATH, "bin")
-		}
-		if GOBIN == "" {
-			return filepath.Join(build.Default.GOPATH, "bin")
-		}
-		return GOBIN
-	}
-	return GOBIN
-}
-
-func main() {
-	pwd, err := os.Getwd()
-	if err != nil {
-		fmt.Println("Can not get current working directory.")
-		os.Exit(1)
-	}
-
-	GOBIN := GetGOBIN()
-	binPath := os.Getenv("PATH")
-	pathSlice := []string{pwd, GOBIN, binPath}
-	binPath = strings.Join(pathSlice, string(os.PathListSeparator))
-	os.Setenv("PATH", binPath)
-
-	suffix := ""
-	if runtime.GOOS == "windows" {
-		suffix = ".exe"
-	}
-
-	protoc := "protoc"
-
-	if linkPath, err := os.Readlink(protoc); err == nil {
-		protoc = linkPath
-	}
-
-	protoFilesMap := make(map[string][]string)
-	walkErr := filepath.Walk("./", func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			fmt.Println(err)
-			return err
-		}
-
-		if info.IsDir() {
-			return nil
-		}
-
-		dir := filepath.Dir(path)
-		filename := filepath.Base(path)
-		if strings.HasSuffix(filename, ".proto") &&
-			filename != "typed_message.proto" &&
-			filename != "descriptor.proto" {
-			protoFilesMap[dir] = append(protoFilesMap[dir], path)
-		}
-
-		return nil
-	})
-	if walkErr != nil {
-		fmt.Println(walkErr)
-		os.Exit(1)
-	}
-
-	for _, files := range protoFilesMap {
-		for _, relProtoFile := range files {
-			args := []string{
-				"-I", ".",
-				"--go_out", pwd,
-				"--go_opt", "paths=source_relative",
-				"--go-grpc_out", pwd,
-				"--go-grpc_opt", "paths=source_relative",
-				"--plugin", "protoc-gen-go=" + filepath.Join(GOBIN, "protoc-gen-go"+suffix),
-				"--plugin", "protoc-gen-go-grpc=" + filepath.Join(GOBIN, "protoc-gen-go-grpc"+suffix),
-			}
-			args = append(args, relProtoFile)
-			cmd := exec.Command(protoc, args...)
-			cmd.Env = append(cmd.Env, os.Environ()...)
-			output, cmdErr := cmd.CombinedOutput()
-			if len(output) > 0 {
-				fmt.Println(string(output))
-			}
-			if cmdErr != nil {
-				fmt.Println(cmdErr)
-				os.Exit(1)
-			}
-		}
-	}
-
-	normalizeWalkErr := filepath.Walk("./", func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			fmt.Println(err)
-			return err
-		}
-
-		if info.IsDir() {
-			return nil
-		}
-
-		filename := filepath.Base(path)
-		if strings.HasSuffix(filename, ".pb.go") &&
-			path != "config.pb.go" {
-			if err := NormalizeGeneratedProtoFile(path); err != nil {
-				fmt.Println(err)
-				os.Exit(1)
-			}
-		}
-
-		return nil
-	})
-	if normalizeWalkErr != nil {
-		fmt.Println(normalizeWalkErr)
-		os.Exit(1)
-	}
-}
-
-func NormalizeGeneratedProtoFile(path string) error {
-	fd, err := os.OpenFile(path, os.O_RDWR, 0o644)
-	if err != nil {
-		return err
-	}
-
-	_, err = fd.Seek(0, io.SeekStart)
-	if err != nil {
-		return err
-	}
-	out := bytes.NewBuffer(nil)
-	scanner := bufio.NewScanner(fd)
-	valid := false
-	for scanner.Scan() {
-		if !valid && !strings.HasPrefix(scanner.Text(), "package ") {
-			continue
-		}
-		valid = true
-		out.Write(scanner.Bytes())
-		out.Write([]byte("\n"))
-	}
-	_, err = fd.Seek(0, io.SeekStart)
-	if err != nil {
-		return err
-	}
-	err = fd.Truncate(0)
-	if err != nil {
-		return err
-	}
-	_, err = io.Copy(fd, bytes.NewReader(out.Bytes()))
-	if err != nil {
-		return err
-	}
-	return nil
-}
--- a/cmd/sing-box/cmd_check.go
+++ b/cmd/sing-box/cmd_check.go
@@ -2,9 +2,12 @@ package main

 import (
 	"context"
+	"os"

 	"github.com/sagernet/sing-box"
+	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"

 	"github.com/spf13/cobra"
 )
@@ -12,26 +15,24 @@ import (
 var commandCheck = &cobra.Command{
 	Use:   "check",
 	Short: "Check configuration",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := check()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.NoArgs,
+	Run:   checkConfiguration,
+	Args:  cobra.NoArgs,
 }

-func init() {
-	mainCommand.AddCommand(commandCheck)
-}
-
-func check() error {
-	options, err := readConfig()
+func checkConfiguration(cmd *cobra.Command, args []string) {
+	configContent, err := os.ReadFile(configPath)
 	if err != nil {
-		return err
+		log.Fatal("read config: ", err)
+	}
+	var options option.Options
+	err = json.Unmarshal(configContent, &options)
+	if err != nil {
+		log.Fatal("decode config: ", err)
 	}
 	ctx, cancel := context.WithCancel(context.Background())
 	_, err = box.New(ctx, options)
+	if err != nil {
+		log.Fatal("create service: ", err)
+	}
 	cancel()
-	return err
 }
--- a/cmd/sing-box/cmd_daemon.go
+++ b/cmd/sing-box/cmd_daemon.go
@@ -1,272 +0,0 @@
-//go:build with_daemon
-
-package main
-
-import (
-	"bytes"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-
-	"github.com/sagernet/sing-box/common/json"
-	"github.com/sagernet/sing-box/experimental/daemon"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
-
-	"github.com/spf13/cobra"
-)
-
-var commandDaemon = &cobra.Command{
-	Use: "daemon",
-}
-
-func init() {
-	commandDaemon.AddCommand(commandDaemonInstall)
-	commandDaemon.AddCommand(commandDaemonUninstall)
-	commandDaemon.AddCommand(commandDaemonStart)
-	commandDaemon.AddCommand(commandDaemonStop)
-	commandDaemon.AddCommand(commandDaemonRestart)
-	commandDaemon.AddCommand(commandDaemonRun)
-	mainCommand.AddCommand(commandDaemon)
-	mainCommand.AddCommand(commandStart)
-	mainCommand.AddCommand(commandStop)
-	mainCommand.AddCommand(commandStatus)
-}
-
-var commandDaemonInstall = &cobra.Command{
-	Use:   "install",
-	Short: "Install daemon",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := installDaemon()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.NoArgs,
-}
-
-var commandDaemonUninstall = &cobra.Command{
-	Use:   "uninstall",
-	Short: "Uninstall daemon",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := uninstallDaemon()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.NoArgs,
-}
-
-var commandDaemonStart = &cobra.Command{
-	Use:   "start",
-	Short: "Start daemon",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := startDaemon()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.NoArgs,
-}
-
-var commandDaemonStop = &cobra.Command{
-	Use:   "stop",
-	Short: "Stop daemon",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := stopDaemon()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.NoArgs,
-}
-
-var commandDaemonRestart = &cobra.Command{
-	Use:   "restart",
-	Short: "Restart daemon",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := restartDaemon()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.NoArgs,
-}
-
-var commandDaemonRun = &cobra.Command{
-	Use:   "run",
-	Short: "Run daemon",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := runDaemon()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.NoArgs,
-}
-
-func installDaemon() error {
-	instance, err := daemon.New()
-	if err != nil {
-		return err
-	}
-	return instance.Install()
-}
-
-func uninstallDaemon() error {
-	instance, err := daemon.New()
-	if err != nil {
-		return err
-	}
-	return instance.Uninstall()
-}
-
-func startDaemon() error {
-	instance, err := daemon.New()
-	if err != nil {
-		return err
-	}
-	return instance.Start()
-}
-
-func stopDaemon() error {
-	instance, err := daemon.New()
-	if err != nil {
-		return err
-	}
-	return instance.Stop()
-}
-
-func restartDaemon() error {
-	instance, err := daemon.New()
-	if err != nil {
-		return err
-	}
-	return instance.Restart()
-}
-
-func runDaemon() error {
-	instance, err := daemon.New()
-	if err != nil {
-		return err
-	}
-	return instance.Run()
-}
-
-var commandStart = &cobra.Command{
-	Use:   "start",
-	Short: "Start service",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := startService()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.NoArgs,
-}
-
-var commandStop = &cobra.Command{
-	Use:   "stop",
-	Short: "Stop service",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := stopService()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.NoArgs,
-}
-
-var commandStatus = &cobra.Command{
-	Use:   "status",
-	Short: "Check service",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := checkService()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.NoArgs,
-}
-
-func doRequest(method string, path string, params url.Values, body io.ReadCloser) ([]byte, error) {
-	requestURL := url.URL{
-		Scheme: "http",
-		Path:   path,
-		Host:   net.JoinHostPort("127.0.0.1", F.ToString(daemon.DefaultDaemonPort)),
-	}
-	if params != nil {
-		requestURL.RawQuery = params.Encode()
-	}
-	request, err := http.NewRequest(method, requestURL.String(), body)
-	if err != nil {
-		return nil, err
-	}
-	response, err := http.DefaultClient.Do(request)
-	if err != nil {
-		return nil, err
-	}
-	defer response.Body.Close()
-	var content []byte
-	if response.StatusCode != http.StatusNoContent {
-		content, err = io.ReadAll(response.Body)
-		if err != nil {
-			return nil, err
-		}
-	}
-	if response.StatusCode != http.StatusOK && response.StatusCode != http.StatusNoContent {
-		return nil, E.New(string(content))
-	}
-	return content, nil
-}
-
-func ping() error {
-	response, err := doRequest("GET", "/ping", nil, nil)
-	if err != nil || string(response) != "pong" {
-		return E.New("daemon not running")
-	}
-	return nil
-}
-
-func startService() error {
-	if err := ping(); err != nil {
-		return err
-	}
-	configContent, err := os.ReadFile(configPath)
-	if err != nil {
-		return E.Cause(err, "read config")
-	}
-	return common.Error(doRequest("POST", "/run", nil, io.NopCloser(bytes.NewReader(configContent))))
-}
-
-func stopService() error {
-	if err := ping(); err != nil {
-		return err
-	}
-	return common.Error(doRequest("GET", "/stop", nil, nil))
-}
-
-func checkService() error {
-	if err := ping(); err != nil {
-		return err
-	}
-	response, err := doRequest("GET", "/status", nil, nil)
-	if err != nil {
-		return err
-	}
-	var statusResponse daemon.StatusResponse
-	err = json.Unmarshal(response, &statusResponse)
-	if err != nil {
-		return err
-	}
-	if statusResponse.Running {
-		log.Info("service running")
-	} else {
-		log.Info("service stopped")
-	}
-	return nil
-}
--- a/cmd/sing-box/cmd_format.go
+++ b/cmd/sing-box/cmd_format.go
@@ -8,7 +8,6 @@ import (
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"

 	"github.com/spf13/cobra"
 )
@@ -18,54 +17,47 @@ var commandFormatFlagWrite bool
 var commandFormat = &cobra.Command{
 	Use:   "format",
 	Short: "Format configuration",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := format()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.NoArgs,
+	Run:   formatConfiguration,
+	Args:  cobra.NoArgs,
 }

 func init() {
 	commandFormat.Flags().BoolVarP(&commandFormatFlagWrite, "write", "w", false, "write result to (source) file instead of stdout")
-	mainCommand.AddCommand(commandFormat)
 }

-func format() error {
+func formatConfiguration(cmd *cobra.Command, args []string) {
 	configContent, err := os.ReadFile(configPath)
 	if err != nil {
-		return E.Cause(err, "read config")
+		log.Fatal("read config: ", err)
 	}
 	var options option.Options
 	err = json.Unmarshal(configContent, &options)
 	if err != nil {
-		return E.Cause(err, "decode config")
+		log.Fatal("decode config: ", err)
 	}
 	buffer := new(bytes.Buffer)
 	encoder := json.NewEncoder(buffer)
 	encoder.SetIndent("", "  ")
 	err = encoder.Encode(options)
 	if err != nil {
-		return E.Cause(err, "encode config")
+		log.Fatal("encode config: ", err)
 	}
 	if !commandFormatFlagWrite {
 		os.Stdout.WriteString(buffer.String() + "\n")
-		return nil
+		return
 	}
 	if bytes.Equal(configContent, buffer.Bytes()) {
-		return nil
+		return
 	}
 	output, err := os.Create(configPath)
 	if err != nil {
-		return E.Cause(err, "open output")
+		log.Fatal("open output: ", err)
 	}
 	_, err = output.Write(buffer.Bytes())
 	output.Close()
 	if err != nil {
-		return E.Cause(err, "write output")
+		log.Fatal("write output: ", err)
 	}
 	outputPath, _ := filepath.Abs(configPath)
 	os.Stderr.WriteString(outputPath + "\n")
-	return nil
 }
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@@ -2,16 +2,16 @@ package main

 import (
 	"context"
-	"io"
+	"net/http"
 	"os"
 	"os/signal"
-	runtimeDebug "runtime/debug"
 	"syscall"

 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"

 	"github.com/spf13/cobra"
@@ -20,43 +20,25 @@ import (
 var commandRun = &cobra.Command{
 	Use:   "run",
 	Short: "Run service",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := run()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
+	Run:   run,
 }

-func init() {
-	mainCommand.AddCommand(commandRun)
-}
-
-func readConfig() (option.Options, error) {
-	var (
-		configContent []byte
-		err           error
-	)
-	if configPath == "stdin" {
-		configContent, err = io.ReadAll(os.Stdin)
-	} else {
-		configContent, err = os.ReadFile(configPath)
-	}
+func run(cmd *cobra.Command, args []string) {
+	err := run0()
 	if err != nil {
-		return option.Options{}, E.Cause(err, "read config")
+		log.Fatal(err)
+	}
+}
+
+func run0() error {
+	configContent, err := os.ReadFile(configPath)
+	if err != nil {
+		return E.Cause(err, "read config")
 	}
 	var options option.Options
 	err = json.Unmarshal(configContent, &options)
 	if err != nil {
-		return option.Options{}, E.Cause(err, "decode config")
-	}
-	return options, nil
-}
-
-func create() (*box.Box, context.CancelFunc, error) {
-	options, err := readConfig()
-	if err != nil {
-		return nil, nil, err
+		return E.Cause(err, "decode config")
 	}
 	if disableColor {
 		if options.Log == nil {
@@ -68,40 +50,23 @@ func create() (*box.Box, context.CancelFunc, error) {
 	instance, err := box.New(ctx, options)
 	if err != nil {
 		cancel()
-		return nil, nil, E.Cause(err, "create service")
+		return E.Cause(err, "create service")
 	}
 	err = instance.Start()
 	if err != nil {
 		cancel()
-		return nil, nil, E.Cause(err, "start service")
+		return E.Cause(err, "start service")
 	}
-	return instance, cancel, nil
-}
-
-func run() error {
-	osSignals := make(chan os.Signal, 1)
-	signal.Notify(osSignals, os.Interrupt, syscall.SIGTERM, syscall.SIGHUP)
-	for {
-		instance, cancel, err := create()
-		if err != nil {
-			return err
-		}
-		runtimeDebug.FreeOSMemory()
-		for {
-			osSignal := <-osSignals
-			if osSignal == syscall.SIGHUP {
-				err = check()
-				if err != nil {
-					log.Error(E.Cause(err, "reload service"))
-					continue
-				}
-			}
+	if debug.Enabled {
+		http.HandleFunc("/debug/close", func(writer http.ResponseWriter, request *http.Request) {
 			cancel()
 			instance.Close()
-			if osSignal != syscall.SIGHUP {
-				return nil
-			}
-			break
-		}
+		})
 	}
+	osSignals := make(chan os.Signal, 1)
+	signal.Notify(osSignals, os.Interrupt, syscall.SIGTERM)
+	<-osSignals
+	cancel()
+	instance.Close()
+	return nil
 }
--- a/cmd/sing-box/cmd_version.go
+++ b/cmd/sing-box/cmd_version.go
@@ -21,7 +21,6 @@ var nameOnly bool

 func init() {
 	commandVersion.Flags().BoolVarP(&nameOnly, "name", "n", false, "print version name only")
-	mainCommand.AddCommand(commandVersion)
 }

 func printVersion(cmd *cobra.Command, args []string) {
--- a/cmd/sing-box/main.go
+++ b/cmd/sing-box/main.go
@@ -23,6 +23,11 @@ func init() {
 	mainCommand.PersistentFlags().StringVarP(&configPath, "config", "c", "config.json", "set configuration file path")
 	mainCommand.PersistentFlags().StringVarP(&workingDir, "directory", "D", "", "set working directory")
 	mainCommand.PersistentFlags().BoolVarP(&disableColor, "disable-color", "", false, "disable color output")
+
+	mainCommand.AddCommand(commandRun)
+	mainCommand.AddCommand(commandCheck)
+	mainCommand.AddCommand(commandFormat)
+	mainCommand.AddCommand(commandVersion)
 }

 func main() {
--- a/common/debugio/print.go
+++ b/common/debugio/print.go
@@ -1,19 +0,0 @@
-package debugio
-
-import (
-	"fmt"
-	"reflect"
-
-	"github.com/sagernet/sing/common"
-)
-
-func PrintUpstream(obj any) {
-	for obj != nil {
-		fmt.Println(reflect.TypeOf(obj))
-		if u, ok := obj.(common.WithUpstream); !ok {
-			break
-		} else {
-			obj = u.Upstream()
-		}
-	}
-}
--- a/common/dialer/bind.go
+++ b/common/dialer/bind.go
@@ -1,19 +0,0 @@
-package dialer
-
-import (
-	"syscall"
-
-	"github.com/sagernet/sing/common/control"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func skipIfPrivate(next control.Func) control.Func {
-	return func(network, address string, conn syscall.RawConn) error {
-		destination := M.ParseSocksaddr(address)
-		if !N.IsPublicAddr(destination.Addr) {
-			return nil
-		}
-		return next(network, address, conn)
-	}
-}
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -3,7 +3,6 @@ package dialer
 import (
 	"context"
 	"net"
-	"net/netip"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@@ -53,10 +52,8 @@ var warnTFOOnUnsupportedPlatform = warning.New(
 )

 type DefaultDialer struct {
-	dialer      tfo.Dialer
-	udpDialer   net.Dialer
-	udpListener net.ListenConfig
-	bindUDPAddr string
+	tfo.Dialer
+	net.ListenConfig
 }

 func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDialer {
@@ -64,25 +61,25 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
 		warnBindInterfaceOnUnsupportedPlatform.Check()
-		bindFunc := skipIfPrivate(control.BindToInterface(router.InterfaceBindManager(), options.BindInterface))
+		bindFunc := control.BindToInterface(router.InterfaceBindManager(), options.BindInterface)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	} else if router.AutoDetectInterface() {
 		if C.IsWindows {
-			bindFunc := skipIfPrivate(control.BindToInterfaceIndexFunc(func() int {
+			bindFunc := control.BindToInterfaceIndexFunc(func() int {
 				return router.InterfaceMonitor().DefaultInterfaceIndex()
-			}))
+			})
 			dialer.Control = control.Append(dialer.Control, bindFunc)
 			listener.Control = control.Append(listener.Control, bindFunc)
 		} else {
-			bindFunc := skipIfPrivate(control.BindToInterfaceFunc(router.InterfaceBindManager(), func() string {
+			bindFunc := control.BindToInterfaceFunc(router.InterfaceBindManager(), func() string {
 				return router.InterfaceMonitor().DefaultInterfaceName()
-			}))
+			})
 			dialer.Control = control.Append(dialer.Control, bindFunc)
 			listener.Control = control.Append(listener.Control, bindFunc)
 		}
 	} else if router.DefaultInterface() != "" {
-		bindFunc := skipIfPrivate(control.BindToInterface(router.InterfaceBindManager(), router.DefaultInterface()))
+		bindFunc := control.BindToInterface(router.InterfaceBindManager(), router.DefaultInterface())
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
@@ -111,29 +108,17 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	if options.TCPFastOpen {
 		warnTFOOnUnsupportedPlatform.Check()
 	}
-	var bindUDPAddr string
-	udpDialer := dialer
-	bindAddress := netip.Addr(options.BindAddress)
-	if bindAddress.IsValid() {
-		dialer.LocalAddr = &net.TCPAddr{
-			IP: bindAddress.AsSlice(),
-		}
-		udpDialer.LocalAddr = &net.UDPAddr{
-			IP: bindAddress.AsSlice(),
-		}
-		bindUDPAddr = M.SocksaddrFrom(bindAddress, 0).String()
-	}
-	return &DefaultDialer{tfo.Dialer{Dialer: dialer, DisableTFO: !options.TCPFastOpen}, udpDialer, listener, bindUDPAddr}
+	return &DefaultDialer{tfo.Dialer{Dialer: dialer, DisableTFO: !options.TCPFastOpen}, listener}
 }

 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {
-	switch N.NetworkName(network) {
-	case N.NetworkUDP:
-		return d.udpDialer.DialContext(ctx, network, address.String())
-	}
-	return d.dialer.DialContext(ctx, network, address.Unwrap().String())
+	return d.Dialer.DialContext(ctx, network, address.Unwrap().String())
 }

 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.bindUDPAddr)
+	return d.ListenConfig.ListenPacket(ctx, N.NetworkUDP, "")
+}
+
+func (d *DefaultDialer) Upstream() any {
+	return &d.Dialer
 }
--- a/common/dialer/tls.go
+++ b/common/dialer/tls.go
@@ -20,19 +20,20 @@ type TLSDialer struct {
 	config *tls.Config
 }

-func TLSConfig(serverAddress string, options option.OutboundTLSOptions) (*tls.Config, error) {
+func NewTLS(dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
 	if !options.Enabled {
-		return nil, nil
+		return dialer, nil
 	}
+
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
 	} else if serverAddress != "" {
-		if _, err := netip.ParseAddr(serverName); err == nil {
+		if _, err := netip.ParseAddr(serverName); err != nil {
 			serverName = serverAddress
 		}
 	}
-	if serverName == "" && !options.Insecure {
+	if serverName == "" && options.Insecure {
 		return nil, E.New("missing server_name or insecure=true")
 	}

@@ -104,20 +105,9 @@ func TLSConfig(serverAddress string, options option.OutboundTLSOptions) (*tls.Co
 		}
 		tlsConfig.RootCAs = certPool
 	}
-	return &tlsConfig, nil
-}
-
-func NewTLS(dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
-	if !options.Enabled {
-		return dialer, nil
-	}
-	tlsConfig, err := TLSConfig(serverAddress, options)
-	if err != nil {
-		return nil, err
-	}
 	return &TLSDialer{
 		dialer: dialer,
-		config: tlsConfig,
+		config: &tlsConfig,
 	}, nil
 }

@@ -129,17 +119,13 @@ func (d *TLSDialer) DialContext(ctx context.Context, network string, destination
 	if err != nil {
 		return nil, err
 	}
-	return TLSClient(ctx, conn, d.config)
+	tlsConn := tls.Client(conn, d.config)
+	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
+	defer cancel()
+	err = tlsConn.HandshakeContext(ctx)
+	return tlsConn, err
 }

 func (d *TLSDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	return nil, os.ErrInvalid
 }
-
-func TLSClient(ctx context.Context, conn net.Conn, tlsConfig *tls.Config) (*tls.Conn, error) {
-	tlsConn := tls.Client(conn, tlsConfig)
-	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
-	defer cancel()
-	err := tlsConn.HandshakeContext(ctx)
-	return tlsConn, err
-}
--- a/common/geosite/writer.go
+++ b/common/geosite/writer.go
@@ -20,11 +20,13 @@ func Write(writer io.Writer, domains map[string][]Item) error {
 	for _, code := range keys {
 		index[code] = content.Len()
 		for _, domain := range domains[code] {
-			content.WriteByte(domain.Type)
-			err := rw.WriteVString(content, domain.Value)
+			err := rw.WriteByte(content, domain.Type)
 			if err != nil {
 				return err
 			}
+			if err = rw.WriteVString(content, domain.Value); err != nil {
+				return err
+			}
 		}
 	}

--- a/common/process/searcher.go
+++ b/common/process/searcher.go
@@ -4,35 +4,18 @@ import (
 	"context"
 	"net/netip"

-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
 )

 type Searcher interface {
-	FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error)
+	FindProcessInfo(ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error)
 }

 var ErrNotFound = E.New("process not found")

-type Config struct {
-	Logger         log.ContextLogger
-	PackageManager tun.PackageManager
-}
-
 type Info struct {
 	ProcessPath string
 	PackageName string
 	User        string
 	UserId      int32
 }
-
-func FindProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	info, err := findProcessInfo(searcher, ctx, network, source, destination)
-	if err != nil {
-		if source.Addr().Is4In6() {
-			info, err = findProcessInfo(searcher, ctx, network, netip.AddrPortFrom(netip.AddrFrom4(source.Addr().As4()), source.Port()), destination)
-		}
-	}
-	return info, err
-}
--- a/common/process/searcher_android.go
+++ b/common/process/searcher_android.go
@@ -2,37 +2,170 @@ package process

 import (
 	"context"
+	"encoding/xml"
+	"io"
 	"net/netip"
+	"os"
+	"strconv"

-	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"github.com/fsnotify/fsnotify"
 )

 var _ Searcher = (*androidSearcher)(nil)

 type androidSearcher struct {
-	packageManager tun.PackageManager
+	logger        log.ContextLogger
+	watcher       *fsnotify.Watcher
+	userMap       map[string]int32
+	packageMap    map[int32]string
+	sharedUserMap map[int32]string
 }

-func NewSearcher(config Config) (Searcher, error) {
-	return &androidSearcher{config.PackageManager}, nil
+func NewSearcher(logger log.ContextLogger) (Searcher, error) {
+	return &androidSearcher{logger: logger}, nil
 }

-func (s *androidSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	socket, err := resolveSocketByNetlink(network, source, destination)
+func (s *androidSearcher) Start() error {
+	err := s.updatePackages()
+	if err != nil {
+		return E.Cause(err, "read packages list")
+	}
+	err = s.startWatcher()
+	if err != nil {
+		s.logger.Warn("create fsnotify watcher: ", err)
+	}
+	return nil
+}
+
+func (s *androidSearcher) startWatcher() error {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return err
+	}
+	err = watcher.Add("/data/system/packages.xml")
+	if err != nil {
+		return err
+	}
+	s.watcher = watcher
+	go s.loopUpdate()
+	return nil
+}
+
+func (s *androidSearcher) loopUpdate() {
+	for {
+		select {
+		case _, ok := <-s.watcher.Events:
+			if !ok {
+				return
+			}
+			err := s.updatePackages()
+			if err != nil {
+				s.logger.Error(E.Cause(err, "update packages list"))
+			}
+		case err, ok := <-s.watcher.Errors:
+			if !ok {
+				return
+			}
+			s.logger.Error(E.Cause(err, "fsnotify error"))
+		}
+	}
+}
+
+func (s *androidSearcher) Close() error {
+	return common.Close(common.PtrOrNil(s.watcher))
+}
+
+func (s *androidSearcher) FindProcessInfo(ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error) {
+	_, uid, err := resolveSocketByNetlink(network, srcIP, srcPort)
 	if err != nil {
 		return nil, err
 	}
-	if sharedPackage, loaded := s.packageManager.SharedPackageByID(socket.UID); loaded {
+	if sharedUser, loaded := s.sharedUserMap[uid]; loaded {
 		return &Info{
-			UserId:      int32(socket.UID),
-			PackageName: sharedPackage,
+			UserId:      uid,
+			PackageName: sharedUser,
 		}, nil
 	}
-	if packageName, loaded := s.packageManager.PackageByID(socket.UID); loaded {
+	if packageName, loaded := s.packageMap[uid]; loaded {
 		return &Info{
-			UserId:      int32(socket.UID),
+			UserId:      uid,
 			PackageName: packageName,
 		}, nil
 	}
-	return &Info{UserId: int32(socket.UID)}, nil
+	return &Info{UserId: uid}, nil
+}
+
+func (s *androidSearcher) updatePackages() error {
+	userMap := make(map[string]int32)
+	packageMap := make(map[int32]string)
+	sharedUserMap := make(map[int32]string)
+	packagesData, err := os.Open("/data/system/packages.xml")
+	if err != nil {
+		return err
+	}
+	decoder := xml.NewDecoder(packagesData)
+	var token xml.Token
+	for {
+		token, err = decoder.Token()
+		if err == io.EOF {
+			break
+		} else if err != nil {
+			return err
+		}
+
+		element, isStart := token.(xml.StartElement)
+		if !isStart {
+			continue
+		}
+
+		switch element.Name.Local {
+		case "package":
+			var name string
+			var userID int64
+			for _, attr := range element.Attr {
+				switch attr.Name.Local {
+				case "name":
+					name = attr.Value
+				case "userId", "sharedUserId":
+					userID, err = strconv.ParseInt(attr.Value, 10, 32)
+					if err != nil {
+						return err
+					}
+				}
+			}
+			if userID == 0 && name == "" {
+				continue
+			}
+			userMap[name] = int32(userID)
+			packageMap[int32(userID)] = name
+		case "shared-user":
+			var name string
+			var userID int64
+			for _, attr := range element.Attr {
+				switch attr.Name.Local {
+				case "name":
+					name = attr.Value
+				case "userId":
+					userID, err = strconv.ParseInt(attr.Value, 10, 32)
+					if err != nil {
+						return err
+					}
+					packageMap[int32(userID)] = name
+				}
+			}
+			if userID == 0 && name == "" {
+				continue
+			}
+			sharedUserMap[int32(userID)] = name
+		}
+	}
+	s.logger.Info("updated packages list: ", len(packageMap), " packages, ", len(sharedUserMap), " shared users")
+	s.userMap = userMap
+	s.packageMap = packageMap
+	s.sharedUserMap = sharedUserMap
+	return nil
 }
--- a/common/process/searcher_darwin.go
+++ b/common/process/searcher_darwin.go
@@ -8,6 +8,7 @@ import (
 	"syscall"
 	"unsafe"

+	"github.com/sagernet/sing-box/log"
 	N "github.com/sagernet/sing/common/network"

 	"golang.org/x/sys/unix"
@@ -17,12 +18,12 @@ var _ Searcher = (*darwinSearcher)(nil)

 type darwinSearcher struct{}

-func NewSearcher(_ Config) (Searcher, error) {
+func NewSearcher(logger log.ContextLogger) (Searcher, error) {
 	return &darwinSearcher{}, nil
 }

-func (d *darwinSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	processName, err := findProcessName(network, source.Addr(), int(source.Port()))
+func (d *darwinSearcher) FindProcessInfo(ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error) {
+	processName, err := findProcessName(network, srcIP, srcPort)
 	if err != nil {
 		return nil, err
 	}
--- a/common/process/searcher_linux.go
+++ b/common/process/searcher_linux.go
@@ -15,21 +15,21 @@ type linuxSearcher struct {
 	logger log.ContextLogger
 }

-func NewSearcher(config Config) (Searcher, error) {
-	return &linuxSearcher{config.Logger}, nil
+func NewSearcher(logger log.ContextLogger) (Searcher, error) {
+	return &linuxSearcher{logger}, nil
 }

-func (s *linuxSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	socket, err := resolveSocketByNetlink(network, source, destination)
+func (s *linuxSearcher) FindProcessInfo(ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error) {
+	inode, uid, err := resolveSocketByNetlink(network, srcIP, srcPort)
 	if err != nil {
 		return nil, err
 	}
-	processPath, err := resolveProcessNameByProcSearch(socket.INode, socket.UID)
+	processPath, err := resolveProcessNameByProcSearch(inode, uid)
 	if err != nil {
 		s.logger.DebugContext(ctx, "find process path: ", err)
 	}
 	return &Info{
-		UserId:      int32(socket.UID),
+		UserId:      uid,
 		ProcessPath: processPath,
 	}, nil
 }
--- a/common/process/searcher_linux_shared.go
+++ b/common/process/searcher_linux_shared.go
@@ -6,6 +6,7 @@ import (
 	"bytes"
 	"encoding/binary"
 	"fmt"
+	"net"
 	"net/netip"
 	"os"
 	"path"
@@ -14,7 +15,9 @@ import (
 	"unicode"
 	"unsafe"

-	"github.com/sagernet/netlink"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 )

@@ -34,9 +37,19 @@ const (
 	pathProc                = "/proc"
 )

-func resolveSocketByNetlink(network string, source netip.AddrPort, destination netip.AddrPort) (*netlink.Socket, error) {
-	var family uint8
-	var protocol uint8
+func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (inode int32, uid int32, err error) {
+	for attempts := 0; attempts < 3; attempts++ {
+		inode, uid, err = resolveSocketByNetlink0(network, ip, srcPort)
+		if err == nil {
+			return
+		}
+	}
+	return
+}
+
+func resolveSocketByNetlink0(network string, ip netip.Addr, srcPort int) (inode int32, uid int32, err error) {
+	var family byte
+	var protocol byte

 	switch network {
 	case N.NetworkTCP:
@@ -44,31 +57,114 @@ func resolveSocketByNetlink(network string, source netip.AddrPort, destination n
 	case N.NetworkUDP:
 		protocol = syscall.IPPROTO_UDP
 	default:
-		return nil, os.ErrInvalid
+		return 0, 0, os.ErrInvalid
 	}
-	if source.Addr().Is4() {
+
+	if ip.Is4() {
 		family = syscall.AF_INET
 	} else {
 		family = syscall.AF_INET6
 	}
-	sockets, err := netlink.SocketGet(family, protocol, source, netip.AddrPortFrom(netip.IPv6Unspecified(), 0))
-	if err == nil {
-		sockets, err = netlink.SocketGet(family, protocol, source, destination)
-	}
+
+	req := packSocketDiagRequest(family, protocol, ip, uint16(srcPort))
+
+	socket, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM, syscall.NETLINK_INET_DIAG)
 	if err != nil {
-		return nil, err
+		return 0, 0, E.Cause(err, "dial netlink")
 	}
-	if len(sockets) > 1 {
-		for _, socket := range sockets {
-			if socket.ID.DestinationPort == destination.Port() {
-				return socket, nil
-			}
-		}
+	defer syscall.Close(socket)
+
+	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, &syscall.Timeval{Usec: 100})
+	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, &syscall.Timeval{Usec: 100})
+
+	if err = syscall.Connect(socket, &syscall.SockaddrNetlink{
+		Family: syscall.AF_NETLINK,
+		Pad:    0,
+		Pid:    0,
+		Groups: 0,
+	}); err != nil {
+		return 0, 0, err
 	}
-	return sockets[0], nil
+
+	if _, err = syscall.Write(socket, req); err != nil {
+		return 0, 0, E.Cause(err, "write netlink request")
+	}
+
+	_buffer := buf.StackNew()
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
+	defer buffer.Release()
+
+	n, err := syscall.Read(socket, buffer.FreeBytes())
+	if err != nil {
+		return 0, 0, E.Cause(err, "read netlink response")
+	}
+
+	buffer.Truncate(n)
+
+	messages, err := syscall.ParseNetlinkMessage(buffer.Bytes())
+	if err != nil {
+		return 0, 0, E.Cause(err, "parse netlink message")
+	} else if len(messages) == 0 {
+		return 0, 0, E.New("unexcepted netlink response")
+	}
+
+	message := messages[0]
+	if message.Header.Type&syscall.NLMSG_ERROR != 0 {
+		return 0, 0, E.New("netlink message: NLMSG_ERROR")
+	}
+
+	inode, uid = unpackSocketDiagResponse(&messages[0])
+	if inode < 0 || uid < 0 {
+		return 0, 0, E.New("invalid inode(", inode, ") or uid(", uid, ")")
+	}
+	return
 }

-func resolveProcessNameByProcSearch(inode, uid uint32) (string, error) {
+func packSocketDiagRequest(family, protocol byte, source netip.Addr, sourcePort uint16) []byte {
+	s := make([]byte, 16)
+	copy(s, source.AsSlice())
+
+	buf := make([]byte, sizeOfSocketDiagRequest)
+
+	nativeEndian.PutUint32(buf[0:4], sizeOfSocketDiagRequest)
+	nativeEndian.PutUint16(buf[4:6], socketDiagByFamily)
+	nativeEndian.PutUint16(buf[6:8], syscall.NLM_F_REQUEST|syscall.NLM_F_DUMP)
+	nativeEndian.PutUint32(buf[8:12], 0)
+	nativeEndian.PutUint32(buf[12:16], 0)
+
+	buf[16] = family
+	buf[17] = protocol
+	buf[18] = 0
+	buf[19] = 0
+	nativeEndian.PutUint32(buf[20:24], 0xFFFFFFFF)
+
+	binary.BigEndian.PutUint16(buf[24:26], sourcePort)
+	binary.BigEndian.PutUint16(buf[26:28], 0)
+
+	copy(buf[28:44], s)
+	copy(buf[44:60], net.IPv6zero)
+
+	nativeEndian.PutUint32(buf[60:64], 0)
+	nativeEndian.PutUint64(buf[64:72], 0xFFFFFFFFFFFFFFFF)
+
+	return buf
+}
+
+func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid int32) {
+	if len(msg.Data) < 72 {
+		return 0, 0
+	}
+
+	data := msg.Data
+
+	uid = int32(nativeEndian.Uint32(data[64:68]))
+	inode = int32(nativeEndian.Uint32(data[68:72]))
+
+	return
+}
+
+func resolveProcessNameByProcSearch(inode, uid int32) (string, error) {
 	files, err := os.ReadDir(pathProc)
 	if err != nil {
 		return "", err
@@ -86,7 +182,7 @@ func resolveProcessNameByProcSearch(inode, uid uint32) (string, error) {
 		if err != nil {
 			return "", err
 		}
-		if info.Sys().(*syscall.Stat_t).Uid != uid {
+		if info.Sys().(*syscall.Stat_t).Uid != uint32(uid) {
 			continue
 		}

--- a/common/process/searcher_stub.go
+++ b/common/process/searcher_stub.go
@@ -4,8 +4,10 @@ package process

 import (
 	"os"
+
+	"github.com/sagernet/sing-box/log"
 )

-func NewSearcher(_ Config) (Searcher, error) {
+func NewSearcher(logger log.ContextLogger) (Searcher, error) {
 	return nil, os.ErrInvalid
 }
--- a/common/process/searcher_windows.go
+++ b/common/process/searcher_windows.go
@@ -8,6 +8,7 @@ import (
 	"syscall"
 	"unsafe"

+	"github.com/sagernet/sing-box/log"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"

@@ -18,7 +19,7 @@ var _ Searcher = (*windowsSearcher)(nil)

 type windowsSearcher struct{}

-func NewSearcher(_ Config) (Searcher, error) {
+func NewSearcher(logger log.ContextLogger) (Searcher, error) {
 	err := initWin32API()
 	if err != nil {
 		return nil, E.Cause(err, "init win32 api")
@@ -63,8 +64,8 @@ func initWin32API() error {
 	return nil
 }

-func (s *windowsSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	processName, err := findProcessName(network, source.Addr(), int(source.Port()))
+func (s *windowsSearcher) FindProcessInfo(ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error) {
+	processName, err := findProcessName(network, srcIP, srcPort)
 	if err != nil {
 		return nil, err
 	}
--- a/common/process/searcher_with_name.go
+++ b/common/process/searcher_with_name.go
@@ -1,4 +1,4 @@
-//go:build linux && !android
+//go:build cgo && linux && !android

 package process

@@ -10,8 +10,8 @@ import (
 	F "github.com/sagernet/sing/common/format"
 )

-func findProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	info, err := searcher.FindProcessInfo(ctx, network, source, destination)
+func FindProcessInfo(searcher Searcher, ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error) {
+	info, err := searcher.FindProcessInfo(ctx, network, srcIP, srcPort)
 	if err != nil {
 		return nil, err
 	}
--- a/common/process/searcher_without_name.go
+++ b/common/process/searcher_without_name.go
@@ -1,4 +1,4 @@
-//go:build !linux || android
+//go:build !(cgo && linux && !android)

 package process

@@ -7,6 +7,6 @@ import (
 	"net/netip"
 )

-func findProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	return searcher.FindProcessInfo(ctx, network, source, destination)
+func FindProcessInfo(searcher Searcher, ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error) {
+	return searcher.FindProcessInfo(ctx, network, srcIP, srcPort)
 }
--- a/common/proxyproto/dialer.go
+++ b/common/proxyproto/dialer.go
@@ -1,50 +0,0 @@
-package proxyproto
-
-import (
-	"context"
-	"net"
-	"net/netip"
-
-	"github.com/sagernet/sing-box/adapter"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	"github.com/pires/go-proxyproto"
-)
-
-var _ N.Dialer = (*Dialer)(nil)
-
-type Dialer struct {
-	N.Dialer
-}
-
-func (d *Dialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	switch N.NetworkName(network) {
-	case N.NetworkTCP:
-		conn, err := d.Dialer.DialContext(ctx, network, destination)
-		if err != nil {
-			return nil, err
-		}
-		var source M.Socksaddr
-		metadata := adapter.ContextFrom(ctx)
-		if metadata != nil {
-			source = metadata.Source
-		}
-		if !source.IsValid() {
-			source = M.SocksaddrFromNet(conn.LocalAddr())
-		}
-		if destination.Addr.Is6() {
-			source = M.SocksaddrFrom(netip.AddrFrom16(source.Addr.As16()), source.Port)
-		}
-		h := proxyproto.HeaderProxyFromAddrs(1, source.TCPAddr(), destination.TCPAddr())
-		_, err = h.WriteTo(conn)
-		if err != nil {
-			conn.Close()
-			return nil, E.Cause(err, "write proxy protocol header")
-		}
-		return conn, nil
-	default:
-		return d.Dialer.DialContext(ctx, network, destination)
-	}
-}
--- a/common/proxyproto/listener.go
+++ b/common/proxyproto/listener.go
@@ -1,40 +0,0 @@
-package proxyproto
-
-import (
-	std_bufio "bufio"
-	"net"
-
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
-
-	"github.com/pires/go-proxyproto"
-)
-
-type Listener struct {
-	net.Listener
-}
-
-func (l *Listener) Accept() (net.Conn, error) {
-	conn, err := l.Listener.Accept()
-	if err != nil {
-		return nil, err
-	}
-	bufReader := std_bufio.NewReader(conn)
-	header, err := proxyproto.Read(bufReader)
-	if err != nil {
-		return nil, err
-	}
-	if bufReader.Buffered() > 0 {
-		cache := buf.NewSize(bufReader.Buffered())
-		_, err = cache.ReadFullFrom(bufReader, cache.FreeLen())
-		if err != nil {
-			return nil, err
-		}
-		conn = bufio.NewCachedConn(conn, cache)
-	}
-	return &bufio.AddrConn{Conn: conn, Metadata: M.Metadata{
-		Source:      M.SocksaddrFromNet(header.SourceAddr),
-		Destination: M.SocksaddrFromNet(header.DestinationAddr),
-	}}, nil
-}
--- a/common/redir/redir_linux.go
+++ b/common/redir/redir_linux.go
@@ -3,35 +3,35 @@ package redir
 import (
 	"net"
 	"net/netip"
-	"os"
 	"syscall"

-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/control"
 	M "github.com/sagernet/sing/common/metadata"
 )

 func GetOriginalDestination(conn net.Conn) (destination netip.AddrPort, err error) {
-	syscallConn, ok := common.Cast[syscall.Conn](conn)
-	if !ok {
-		return netip.AddrPort{}, os.ErrInvalid
+	rawConn, err := conn.(syscall.Conn).SyscallConn()
+	if err != nil {
+		return
 	}
-	err = control.Conn(syscallConn, func(fd uintptr) error {
-		const SO_ORIGINAL_DST = 80
-		if conn.RemoteAddr().(*net.TCPAddr).IP.To4() != nil {
-			raw, err := syscall.GetsockoptIPv6Mreq(int(fd), syscall.IPPROTO_IP, SO_ORIGINAL_DST)
-			if err != nil {
-				return err
-			}
-			destination = netip.AddrPortFrom(M.AddrFromIP(raw.Multiaddr[4:8]), uint16(raw.Multiaddr[2])<<8+uint16(raw.Multiaddr[3]))
-		} else {
-			raw, err := syscall.GetsockoptIPv6MTUInfo(int(fd), syscall.IPPROTO_IPV6, SO_ORIGINAL_DST)
-			if err != nil {
-				return err
-			}
-			destination = netip.AddrPortFrom(M.AddrFromIP(raw.Addr.Addr[:]), raw.Addr.Port)
-		}
-		return nil
+	var rawFd uintptr
+	err = rawConn.Control(func(fd uintptr) {
+		rawFd = fd
 	})
-	return
+	if err != nil {
+		return
+	}
+	const SO_ORIGINAL_DST = 80
+	if conn.RemoteAddr().(*net.TCPAddr).IP.To4() != nil {
+		raw, err := syscall.GetsockoptIPv6Mreq(int(rawFd), syscall.IPPROTO_IP, SO_ORIGINAL_DST)
+		if err != nil {
+			return netip.AddrPort{}, err
+		}
+		return netip.AddrPortFrom(M.AddrFromIP(raw.Multiaddr[4:8]), uint16(raw.Multiaddr[2])<<8+uint16(raw.Multiaddr[3])), nil
+	} else {
+		raw, err := syscall.GetsockoptIPv6MTUInfo(int(rawFd), syscall.IPPROTO_IPV6, SO_ORIGINAL_DST)
+		if err != nil {
+			return netip.AddrPort{}, err
+		}
+		return netip.AddrPortFrom(M.AddrFromIP(raw.Addr.Addr[:]), raw.Addr.Port), nil
+	}
 }
--- a/common/settings/command.go
+++ b/common/settings/command.go
@@ -0,0 +1,21 @@
+package settings
+
+import (
+	"os"
+	"os/exec"
+)
+
+func runCommand(name string, args ...string) error {
+	command := exec.Command(name, args...)
+	command.Env = os.Environ()
+	command.Stdin = os.Stdin
+	command.Stdout = os.Stderr
+	command.Stderr = os.Stderr
+	return command.Run()
+}
+
+func readCommand(name string, args ...string) ([]byte, error) {
+	command := exec.Command(name, args...)
+	command.Env = os.Environ()
+	return command.CombinedOutput()
+}
--- a/common/settings/proxy_android.go
+++ b/common/settings/proxy_android.go
@@ -6,7 +6,6 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
 	F "github.com/sagernet/sing/common/format"
 )

@@ -26,9 +25,9 @@ func init() {

 func runAndroidShell(name string, args ...string) error {
 	if !useRish {
-		return common.Exec(name, args...).Attach().Run()
+		return runCommand(name, args...)
 	} else {
-		return common.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return runCommand("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " ")))
 	}
 }

--- a/common/settings/proxy_darwin.go
+++ b/common/settings/proxy_darwin.go
@@ -5,7 +5,6 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/x/list"
@@ -33,13 +32,13 @@ func (p *systemProxy) update() error {
 		return err
 	}
 	if p.isMixed {
-		err = common.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = runCommand("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port))
 	}
 	if err == nil {
-		err = common.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = runCommand("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port))
 	}
 	if err == nil {
-		err = common.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = runCommand("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port))
 	}
 	return err
 }
@@ -50,19 +49,19 @@ func (p *systemProxy) unset() error {
 		return err
 	}
 	if p.isMixed {
-		err = common.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
+		err = runCommand("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off")
 	}
 	if err == nil {
-		err = common.Exec("networksetup", "-setwebproxystate", interfaceDisplayName, "off").Attach().Run()
+		err = runCommand("networksetup", "-setwebproxystate", interfaceDisplayName, "off")
 	}
 	if err == nil {
-		err = common.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
+		err = runCommand("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off")
 	}
 	return err
 }

 func getInterfaceDisplayName(name string) (string, error) {
-	content, err := common.Exec("networksetup", "-listallhardwareports").Read()
+	content, err := readCommand("networksetup", "-listallhardwareports")
 	if err != nil {
 		return "", err
 	}
--- a/common/settings/proxy_linux.go
+++ b/common/settings/proxy_linux.go
@@ -27,9 +27,9 @@ func init() {

 func runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
-		return common.Exec(name, args...).Attach().Run()
+		return runCommand(name, args...)
 	} else if sudoUser != "" {
-		return common.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return runCommand("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " ")))
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}
--- a/constant/dns.go
+++ b/constant/dns.go
@@ -0,0 +1,11 @@
+package constant
+
+type DomainStrategy = uint8
+
+const (
+	DomainStrategyAsIS DomainStrategy = iota
+	DomainStrategyPreferIPv4
+	DomainStrategyPreferIPv6
+	DomainStrategyUseIPv4
+	DomainStrategyUseIPv6
+)
--- a/constant/err.go
+++ b/constant/err.go
@@ -1,5 +0,0 @@
-package constant
-
-import E "github.com/sagernet/sing/common/exceptions"
-
-var ErrTLSRequired = E.New("TLS required")
--- a/constant/os.go
+++ b/constant/os.go
@@ -20,7 +20,7 @@ const IsIos = goos.IsIos == 1

 const IsJs = goos.IsJs == 1

-const IsLinux = goos.IsLinux == 1 || goos.IsAndroid == 1
+const IsLinux = goos.IsLinux == 1

 const IsNacl = goos.IsNacl == 1

--- a/constant/path_unix.go
+++ b/constant/path_unix.go
@@ -1,4 +1,4 @@
-//go:build unix || linux
+//go:build unix

 package constant

@@ -7,9 +7,9 @@ import (
 )

 func init() {
-	resourcePaths = append(resourcePaths, "/etc")
+	resourcePaths = append(resourcePaths, "/etc/config")
 	resourcePaths = append(resourcePaths, "/usr/share")
-	resourcePaths = append(resourcePaths, "/usr/local/etc")
+	resourcePaths = append(resourcePaths, "/usr/local/etc/config")
 	resourcePaths = append(resourcePaths, "/usr/local/share")
 	if homeDir := os.Getenv("HOME"); homeDir != "" {
 		resourcePaths = append(resourcePaths, homeDir+"/.local/share")
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -14,10 +14,6 @@ const (
 	TypeVMess       = "vmess"
 	TypeTrojan      = "trojan"
 	TypeNaive       = "naive"
-	TypeWireGuard   = "wireguard"
-	TypeHysteria    = "hysteria"
-	TypeTor         = "tor"
-	TypeSSH         = "ssh"
 )

 const (
--- a/constant/quic_stub.go
+++ b/constant/quic_stub.go
@@ -2,8 +2,4 @@

 package constant

-import E "github.com/sagernet/sing/common/exceptions"
-
 const QUIC_AVAILABLE = false
-
-var ErrQUICNotIncluded = E.New(`QUIC is not included in this build, rebuild with -tags with_quic`)
--- a/constant/v2ray.go
+++ b/constant/v2ray.go
@@ -1,8 +0,0 @@
-package constant
-
-const (
-	V2RayTransportTypeHTTP      = "http"
-	V2RayTransportTypeWebsocket = "ws"
-	V2RayTransportTypeQUIC      = "quic"
-	V2RayTransportTypeGRPC      = "grpc"
-)
--- a/constant/version.go
+++ b/constant/version.go
@@ -1,6 +1,6 @@
 package constant

 var (
-	Version = "1.0"
+	Version = "20220812"
 	Commit  = ""
 )
--- a/docs/benchmark.md
+++ b/docs/benchmark.md
@@ -0,0 +1,9 @@
+# Benchmark
+
+## Shadowsocks
+
+| /                                  |    none     | aes-128-gcm | 2022-blake3-aes-128-gcm |
+|------------------------------------|:-----------:|:-----------:|:-----------------------:|
+| v2ray-core (5.0.7)                 |  13.0 Gbps  |  5.02 Gbps  |            /            |
+| shadowsocks-rust (v1.15.0-alpha.5) |  10.7 Gbps  |      /      |        9.36 Gbps        |
+| sing-box                           |  29.0 Gbps  |      /      |        11.8 Gbps        |
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,76 +1,7 @@
-#### 2022/08/24
-
-* Fix naive padding
-* Fix unix search path
-* Fix close non-duplex connections
-* Add ACME EAB support
-* Fix early close on windows and catch any
-* Initial zh-CN document translation
-
-#### 2022/08/23
-
-* Add [V2Ray Transport](/configuration/shared/v2ray-transport) support for VMess and Trojan
-* Allow plain http request in Naive inbound (It can now be used with nginx)
-* Add proxy protocol support
-* Free memory after start
-* Parse X-Forward-For in HTTP requests
-* Handle SIGHUP signal
-
-#### 2022/08/22
-
-* Add strategy setting for each [DNS server](/configuration/dns/server)
-* Add bind address to outbound options
-
-#### 2022/08/21
-
-* Add [Tor outbound](/configuration/outbound/tor)
-* Add [SSH outbound](/configuration/outbound/ssh)
-
-#### 2022/08/20
-
-* Attempt to unwrap ip-in-fqdn socksaddr
-* Fix read packages in android 12
-* Fix route on some android devices
-* Improve linux process searcher
-* Fix write socks5 username password auth request
-* Skip bind connection with private destination to interface
-* Add [Trojan connection fallback](/configuration/inbound/trojan#fallback)
-
-#### 2022/08/19
-
-* Add Hysteria [Inbound](/configuration/inbound/hysteria) and [Outbund](/configuration/outbound/hysteria)
-* Add [ACME TLS certificate issuer](/configuration/shared/tls)
-* Allow read config from stdin (-c stdin)
-* Update gVisor to 20220815.0
-
-#### 2022/08/18
-
-* Fix find process with lwip stack
-* Fix crash on shadowsocks server
-* Fix crash on darwin tun
-* Fix write log to file
-
-#### 2022/08/17
-
-* Improve async dns transports
-
-#### 2022/08/16
-
-* Add ip_version (route/dns) rule item
-* Add [WireGuard](/configuration/outbound/wireguard) outbound
-
-#### 2022/08/15
-
-* Add uid, android user and package rules support in [Tun](/configuration/inbound/tun) routing.
-
-#### 2022/08/13
-
-* Fix dns concurrent write
-
 #### 2022/08/12

 * Performance improvements
-* Add UoT option for [SOCKS](/configuration/outbound/socks) outbound
+* Add UoT option for [Socks](/configuration/outbound/socks) outbound

 #### 2022/08/11

--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@@ -33,8 +33,6 @@ Default domain strategy for resolving the domain names.

 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.

-Take no effect if `server.strategy` is set.
-
 #### disable_cache

 Disable dns cache.
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@@ -1,46 +0,0 @@
-# DNS
-
-### 结构
-
-```json
-{
-  "dns": {
-    "servers": [],
-    "rules": [],
-    "final": "",
-    "strategy": "",
-    "disable_cache": false,
-    "disable_expire": false
-  }
-}
-
-```
-
-### 字段
-
-| 键        | 格式                     |
-|----------|------------------------|
-| `server` | 一组 [DNS 服务器](./server) |
-| `rules`  | 一组 [DNS 规则](./rule)    |
-
-#### final
-
-默认 DNS 服务器的标签。
-
-默认使用第一个服务器。
-
-#### strategy
-
-默认解析域名策略。
-
-可选值: `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置了 `server.strategy`，则不生效。
-
-#### disable_cache
-
-禁用 DNS 缓存。
-
-#### disable_expire
-
-禁用 DNS 缓存过期。
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -8,7 +8,6 @@
        "inbound": [
          "mixed-in"
        ],
-        "ip_version": 6,
        "network": "tcp",
        "auth_user": [
          "usera",
@@ -104,19 +103,13 @@

 #### inbound

-Tags of [Inbound](/configuration/inbound).
-
-#### ip_version
-
-4 (A DNS query) or 6 (AAAA DNS query).
-
-Not limited if empty.
+Tags of [inbound](../inbound).

 #### network

 `tcp` or `udp`.

-#### auth_user
+#### user

 Username, see each inbound for details.

--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -1,243 +0,0 @@
-### 结构
-
-```json
-{
-  "dns": {
-    "rules": [
-      {
-        "inbound": [
-          "mixed-in"
-        ],
-        "ip_version": 6,
-        "network": "tcp",
-        "auth_user": [
-          "usera",
-          "userb"
-        ],
-        "protocol": [
-          "tls",
-          "http",
-          "quic"
-        ],
-        "domain": [
-          "test.com"
-        ],
-        "domain_suffix": [
-          ".cn"
-        ],
-        "domain_keyword": [
-          "test"
-        ],
-        "domain_regex": [
-          "^stun\\..+"
-        ],
-        "geosite": [
-          "cn"
-        ],
-        "source_geoip": [
-          "private"
-        ],
-        "source_ip_cidr": [
-          "10.0.0.0/24"
-        ],
-        "source_port": [
-          12345
-        ],
-        "source_port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "port": [
-          80,
-          443
-        ],
-        "port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "process_name": [
-          "curl"
-        ],
-        "package_name": [
-          "com.termux"
-        ],
-        "user": [
-          "sekai"
-        ],
-        "user_id": [
-          1000
-        ],
-        "invert": false,
-        "outbound": [
-          "direct"
-        ],
-        "server": "local",
-        "disable_cache": false
-      },
-      {
-        "type": "logical",
-        "mode": "and",
-        "rules": [],
-        "server": "local",
-        "disable_cache": false
-      }
-    ]
-  }
-}
-
-```
-
-!!! note ""
-
-    当内容只有一项时，可以忽略 JSON 数组 [] 标签
-
-### 默认字段
-
-!!! note ""
-
-    默认规则使用以下匹配逻辑:  
-    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite`) &&  
-    (`source_geoip` || `source_ip_cidr`) &&  
-    `other fields`  
-
-#### inbound
-
-[入站](/zh/configuration/inbound) 标签.
-
-#### ip_version
-
-4 (A DNS 查询) 或 6 (AAAA DNS 查询)。
-
-默认不限制。
-
-#### network
-
-`tcp` 或 `udp`。
-
-#### auth_user
-
-认证用户名，参阅入站设置。
-
-#### protocol
-
-探测到的协议, 参阅 [协议探测](/zh/configuration/route/sniff/)。
-
-#### domain
-
-匹配完整域名。
-
-#### domain_suffix
-
-匹配域名后缀。
-
-#### domain_keyword
-
-匹配域名关键字。
-
-#### domain_regex
-
-匹配域名正则表达式。
-
-#### geosite
-
-匹配 GeoSite。
-
-#### source_geoip
-
-匹配源 GeoIP。
-
-#### source_ip_cidr
-
-匹配源 IP CIDR。
-
-#### source_port
-
-匹配源端口。
-
-#### source_port_range
-
-匹配源端口范围。
-
-#### port
-
-匹配端口。
-
-#### port_range
-
-匹配端口范围。
-
-#### process_name
-
-!!! error ""
-
-    仅支持 Linux、Windows 和 macOS.
-
-匹配进程名称。
-
-#### package_name
-
-匹配 Android 应用包名。
-
-#### user
-
-!!! error ""
-
-    仅支持 Linux。
-
-匹配用户名。
-
-#### user_id
-
-!!! error ""
-
-    仅支持 Linux。
-
-匹配用户 ID。
-
-#### invert
-
-反选匹配结果。
-
-#### outbound
-
-匹配出站。
-
-#### server
-
-==必填==
-
-目标 DNS 服务器的标签。
-
-#### disable_cache
-
-在此查询中禁用缓存。
-
-### 逻辑字段
-
-#### type
-
-`logical`
-
-#### mode
-
-`and` 或 `or`
-
-#### rules
-
-包括的默认规则。
-
-#### invert
-
-反选匹配结果。
-
-#### server
-
-==必填==
-
-目标 DNS 服务器的标签。
-
-#### disable_cache
-
-在此查询中禁用缓存。
--- a/docs/configuration/dns/server.md
+++ b/docs/configuration/dns/server.md
@@ -9,7 +9,6 @@
        "address": "tls://dns.google",
        "address_resolver": "local",
        "address_strategy": "prefer_ipv4",
-        "strategy": "ipv4_only",
        "detour": "direct"
      }
    ]
@@ -43,11 +42,11 @@ The address of the dns server.

 !!! warning ""

-    To ensure that system DNS is in effect, rather than Go's built-in default resolver, enable CGO at compile time.
+    To ensure that system DNS is in effect, rather than go's built-in default resolver, enable CGO at compile time.

 !!! warning ""

-    QUIC and HTTP3 transport is not included by default, see [Installation](/#installation).
+    QUIC and HTTP3 transport is not included by default, see [Installation](/#Installation).

 !!! info ""

@@ -60,7 +59,6 @@ The address of the dns server.
 | `server_failure`  | `Server failure`      |
 | `name_error`      | `Non-existent domain` |
 | `not_implemented` | `Not implemented`     |
-| `refused`         | `Query refused`       |

 #### address_resolver

@@ -76,14 +74,6 @@ One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.

 `dns.strategy` will be used if empty.

-#### strategy
-
-Default domain strategy for resolving the domain names.
-
-One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
-
-Take no effect if override by other settings.
-
 #### detour

 Tag of an outbound for connecting to the dns server.
--- a/docs/configuration/dns/server.zh.md
+++ b/docs/configuration/dns/server.zh.md
@@ -1,91 +0,0 @@
-### 结构
-
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://dns.google",
-        "address_resolver": "local",
-        "address_strategy": "prefer_ipv4",
-        "strategy": "ipv4_only",
-        "detour": "direct"
-      }
-    ]
-  }
-}
-
-```
-
-### 字段
-
-#### tag
-
-DNS 服务器的标签。
-
-#### address
-
-==必填==
-
-DNS 服务器的地址。
-
-| 协议       | 格式                          |
-|----------|-----------------------------|
-| `System` | `local`                     |
-| `TCP`    | `tcp://1.0.0.1`             |
-| `UDP`    | `8.8.8.8` `udp://8.8.4.4`   |
-| `TLS`    | `tls://dns.google`          |
-| `HTTPS`  | `https://1.1.1.1/dns-query` |
-| `QUIC`   | `quic://dns.adguard.com`    |
-| `HTTP3`  | `h3://8.8.8.8/dns-query`    |
-| `RCode`  | `rcode://refused`           |
-
-!!! warning ""
-
-    为了确保系统 DNS 生效，而不是 Go 的内置默认解析器，请在编译时启用 CGO。
-
-!!! warning ""
-
-    默认安装不包含 QUIC 和 HTTP3 传输层，请参阅 [安装](/zh/#installation)。
-
-!!! info ""
-
-    RCode 传输层传输层常用于屏蔽请求. 与 DNS 规则和 `disable_cache` 规则选项一起使用。
-
-| RCode             | 描述       | 
-|-------------------|----------|
-| `success`         | `无错误`    |
-| `format_error`    | `请求格式错误` |
-| `server_failure`  | `服务器出错`  |
-| `name_error`      | `域名不存在`  |
-| `not_implemented` | `功能未实现`  |
-| `refused`         | `请求被拒绝`  |
-
-#### address_resolver
-
-==如果服务器地址包括域名则必须==
-
-用于解析本 DNS 服务器的域名的另一个 DNS 服务器的标签。
-
-#### address_strategy
-
-用于解析本 DNS 服务器的域名的策略。
-
-可选项：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-默认使用 `dns.strategy`。
-
-#### strategy
-
-默认解析策略。
-
-可选项：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果被其他设置覆盖则不生效。
-
-#### detour
-
-用于连接到 DNS 服务器的出站的标签。
-
-如果为空，将使用默认出站。
--- a/docs/configuration/experimental/index.md
+++ b/docs/configuration/experimental/index.md
@@ -16,7 +16,7 @@

 !!! error ""

-    Clash API is not included by default, see [Installation](/#installation).
+    Clash API is not included by default, see [Installation](/#Installation).

 !!! note ""

@@ -29,7 +29,7 @@ RESTful web API listening address. Disabled if empty.
 #### external_ui

 A relative path to the configuration directory or an absolute path to a
-directory in which you put some static web resource. sing-box will then
+directory in which you put some static web resource. Clash core will then
 serve it at `http://{{external-controller}}/ui`.

 #### secret
--- a/docs/configuration/experimental/index.zh.md
+++ b/docs/configuration/experimental/index.zh.md
@@ -1,39 +0,0 @@
-# 实验性
-
-### 结构
-
-```json
-{
-  "experimental": {
-    "clash_api": {
-      "external_controller": "127.0.0.1:9090",
-      "external_ui": "folder",
-      "secret": ""
-    }
-  }
-}
-```
-
-### Clash API 字段
-
-!!! error ""
-
-    默认安装不包含 Clash API，参阅 [安装](/zh/#installation)。
-
-!!! note ""
-
-    流量统计和连接管理将禁用 Linux 中的 TCP splice 并降低性能，使用风险自负。
-
-#### external_controller
-
-RESTful web API 监听地址。
-
-#### external_ui
-
-到静态网页资源目录的相对路径或绝对路径。sing-box 会在 `http://{{external-controller}}/ui` 下提供它。
-
-#### secret
-
-RESTful API 的密钥（可选）
-通过指定 HTTP 标头 `Authorization: Bearer ${secret}` 进行身份验证
-如果 RESTful API 正在监听 0.0.0.0，请始终设置一个密钥。
--- a/docs/configuration/inbound/direct.md
+++ b/docs/configuration/inbound/direct.md
@@ -16,8 +16,7 @@
      "sniff_override_destination": false,
      "domain_strategy": "prefer_ipv6",
      "udp_timeout": 300,
-      "proxy_protocol": false,
-
+      
      "network": "udp",
      "override_address": "1.0.0.1",
      "override_port": 53
@@ -26,22 +25,6 @@
 }
 ```

-### Direct Fields
-
-#### network
-
-Listen network, one of `tcp` `udp`.
-
-Both if empty.
-
-#### override_address
-
-Override the connection destination address.
-
-#### override_port
-
-Override the connection destination port.
-
 ### Listen Fields

 #### listen
@@ -64,7 +47,7 @@ Enable tcp fast open for listener.

 Enable sniffing.

-See [Protocol Sniff](/configuration/route/sniff/) for details.
+See [Sniff](/configuration/route/sniff/) for details.

 #### sniff_override_destination

@@ -84,6 +67,18 @@ If `sniff_override_destination` is in effect, its value will be taken as a fallb

 UDP NAT expiration time in seconds, default is 300 (5 minutes).

-#### proxy_protocol
+### Direct Fields

-Parse [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header.
+#### network
+
+Listen network, one of `tcp` `udp`.
+
+Both if empty.
+
+#### override_address
+
+Override the connection destination address.
+
+#### override_port
+
+Override the connection destination port.
--- a/docs/configuration/inbound/direct.zh.md
+++ b/docs/configuration/inbound/direct.zh.md
@@ -1,89 +0,0 @@
-`direct` 入站是一个隧道服务器。
-
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "direct",
-      "tag": "direct-in",
-
-      "listen": "::",
-      "listen_port": 5353,
-      "tcp_fast_open": false,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      "udp_timeout": 300,
-      
-      "network": "udp",
-      "proxy_protocol": false,
-      "override_address": "1.0.0.1",
-      "override_port": 53
-    }
-  ]
-}
-```
-
-### Direct 字段
-
-#### network
-
-监听的网络协议，`tcp` `udp` 之一。
-
-默认所有。
-
-#### override_address
-
-覆盖连接目标地址。
-
-#### override_port
-
-覆盖连接目标端口。
-
-### 监听字段
-
-#### listen
-
-==必填==
-
-监听地址。
-
-#### listen_port
-
-==必填==
-
-监听端口。
-
-#### tcp_fast_open
-
-为监听器启用 TCP 快速打开。
-
-#### sniff
-
-启用协议探测。
-
-参阅 [协议探测](/zh/configuration/route/sniff/)
-
-#### sniff_override_destination
-
-用探测出的域名覆盖连接目标地址。
-
-如果域名无效（如 Tor），将不生效。
-
-#### domain_strategy
-
-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，请求的域名将在路由之前解析为 IP。
-
-如果 `sniff_override_destination` 生效，它的值将作为后备。
-
-#### udp_timeout
-
-UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。
-
-#### proxy_protocol
-
-解析连接头中的 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
--- a/docs/configuration/inbound/http.md
+++ b/docs/configuration/inbound/http.md
@@ -1,3 +1,5 @@
+`socks` inbound is a http server.
+
 ### Structure

 ```json
@@ -13,8 +15,7 @@
      "sniff": false,
      "sniff_override_destination": false,
      "domain_strategy": "prefer_ipv6",
-      "proxy_protocol": false,
-      
+
      "users": [
        {
          "username": "admin",
@@ -28,26 +29,6 @@
 }
 ```

-### HTTP Fields
-
-#### tls
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
-
-#### users
-
-HTTP users.
-
-No authentication required if empty.
-
-#### set_system_proxy
-
-!!! error ""
-
-    Only supported on Linux, Android, Windows, and macOS.
-
-Automatically set system proxy configuration when start and clean up when stop.
-
 ### Listen Fields

 #### listen
@@ -70,7 +51,7 @@ Enable tcp fast open for listener.

 Enable sniffing.

-See [Protocol Sniff](/configuration/route/sniff/) for details.
+See [Sniff](/configuration/route/sniff/) for details.

 #### sniff_override_destination

@@ -86,6 +67,22 @@ If set, the requested domain name will be resolved to IP before routing.

 If `sniff_override_destination` is in effect, its value will be taken as a fallback.

-#### proxy_protocol
+#### set_system_proxy

-Parse [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header.
+!!! error ""
+
+    Only supported on Linux, Android, Windows, and macOS.
+
+Automatically set system proxy configuration when start and clean up when stop.
+
+### HTTP Fields
+
+#### tls
+
+TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure).
+
+#### users
+
+HTTP users.
+
+No authentication required if empty.
--- a/docs/configuration/inbound/http.zh.md
+++ b/docs/configuration/inbound/http.zh.md
@@ -1,91 +0,0 @@
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "http",
-      "tag": "http-in",
-      
-      "listen": "::",
-      "listen_port": 2080,
-      "tcp_fast_open": false,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      "proxy_protocol": false,
-      
-      "users": [
-        {
-          "username": "admin",
-          "password": "admin"
-        }
-      ],
-      "tls": {},
-      "set_system_proxy": false
-    }
-  ]
-}
-```
-
-### HTTP 字段
-
-#### tls
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
-
-#### users
-
-HTTP 用户
-
-默认不需要验证。
-
-#### set_system_proxy
-
-!!! error ""
-
-    仅支持 Linux、Android、Windows 和 macOS。
-
-启动时自动设置系统代理，停止时自动清理。
-
-### 监听字段
-
-#### listen
-
-==必填==
-
-监听地址。
-
-#### listen_port
-
-==必填==
-
-监听端口。
-
-#### tcp_fast_open
-
-为监听器启用 TCP 快速打开。
-
-#### sniff
-
-启用协议探测。
-
-参阅 [协议探测](/zh/configuration/route/sniff/)
-
-#### sniff_override_destination
-
-用探测出的域名覆盖连接目标地址。
-
-如果域名无效（如 Tor），将不生效。
-
-#### domain_strategy
-
-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，请求的域名将在路由之前解析为 IP。
-
-如果 `sniff_override_destination` 生效，它的值将作为后备。
-
-#### proxy_protocol
-
-解析连接头中的 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
--- a/docs/configuration/inbound/hysteria.md
+++ b/docs/configuration/inbound/hysteria.md
@@ -1,138 +0,0 @@
-### Structure
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "hysteria",
-      "tag": "hysteria-in",
-      
-      "listen": "::",
-      "listen_port": 443,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      
-      "up": "100 Mbps",
-      "up_mbps": 100,
-      "down": "100 Mbps",
-      "down_mbps": 100,
-      "obfs": "fuck me till the daylight",
-      "auth": "",
-      "auth_str": "password",
-      "recv_window_conn": 0,
-      "recv_window_client": 0,
-      "max_conn_client": 0,
-      "disable_mtu_discovery": false,
-      "tls": {}
-    }
-  ]
-}
-```
-
-!!! warning ""
-
-    QUIC, which is required by hysteria is not included by default, see [Installation](/#installation).
-
-### Hysteria Fields
-
-#### up, down
-
-==Required==
-
-Format: `[Integer] [Unit]` e.g. `100 Mbps, 640 KBps, 2 Gbps`
-
-Supported units (case sensitive, b = bits, B = bytes, 8b=1B):
-
-    bps (bits per second)
-    Bps (bytes per second)
-    Kbps (kilobits per second)
-    KBps (kilobytes per second)
-    Mbps (megabits per second)
-    MBps (megabytes per second)
-    Gbps (gigabits per second)
-    GBps (gigabytes per second)
-    Tbps (terabits per second)
-    TBps (terabytes per second)
-
-#### up_mbps, down_mbps
-
-==Required==
-
-`up, down` in Mbps.
-
-#### obfs
-
-Obfuscated password.
-
-#### auth
-
-Authentication password, in base64.
-
-#### auth_str
-
-Authentication password.
-
-#### recv_window_conn
-
-The QUIC stream-level flow control window for receiving data.
-
-`15728640 (15 MB/s)` will be used if empty.
-
-#### recv_window_client
-
-The QUIC connection-level flow control window for receiving data.
-
-`67108864 (64 MB/s)` will be used if empty.
-
-#### max_conn_client
-
-The maximum number of QUIC concurrent bidirectional streams that a peer is allowed to open.
-
-`1024` will be used if empty.
-
-#### disable_mtu_discovery
-
-Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
-
-Force enabled on for systems other than Linux and Windows (according to upstream).
-
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
-
-### Listen Fields
-
-#### listen
-
-==Required==
-
-Listen address.
-
-#### listen_port
-
-==Required==
-
-Listen port.
-
-#### sniff
-
-Enable sniffing.
-
-See [Protocol Sniff](/configuration/route/sniff/) for details.
-
-#### sniff_override_destination
-
-Override the connection destination address with the sniffed domain.
-
-If the domain name is invalid (like tor), this will not work.
-
-#### domain_strategy
-
-One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
-
-If set, the requested domain name will be resolved to IP before routing.
-
-If `sniff_override_destination` is in effect, its value will be taken as a fallback.
--- a/docs/configuration/inbound/hysteria.zh.md
+++ b/docs/configuration/inbound/hysteria.zh.md
@@ -1,138 +0,0 @@
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "hysteria",
-      "tag": "hysteria-in",
-      
-      "listen": "::",
-      "listen_port": 443,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      
-      "up": "100 Mbps",
-      "up_mbps": 100,
-      "down": "100 Mbps",
-      "down_mbps": 100,
-      "obfs": "fuck me till the daylight",
-      "auth": "",
-      "auth_str": "password",
-      "recv_window_conn": 0,
-      "recv_window_client": 0,
-      "max_conn_client": 0,
-      "disable_mtu_discovery": false,
-      "tls": {}
-    }
-  ]
-}
-```
-
-!!! warning ""
-
-    默认安装不包含被 Hysteria 依赖的 QUIC，参阅 [安装](/zh/#installation)。
-
-### Hysteria 字段
-
-#### up, down
-
-==必填==
-
-格式: `[Integer] [Unit]` 例如： `100 Mbps, 640 KBps, 2 Gbps`
-
-支持的单位 (大小写敏感, b = bits, B = bytes, 8b=1B)：
-
-    bps (bits per second)
-    Bps (bytes per second)
-    Kbps (kilobits per second)
-    KBps (kilobytes per second)
-    Mbps (megabits per second)
-    MBps (megabytes per second)
-    Gbps (gigabits per second)
-    GBps (gigabytes per second)
-    Tbps (terabits per second)
-    TBps (terabytes per second)
-
-#### up_mbps, down_mbps
-
-==必填==
-
-以 Mbps 为单位的 `up, down`。
-
-#### obfs
-
-混淆密码。
-
-#### auth
-
-base64 编码的认证密码。
-
-#### auth_str
-
-认证密码。
-
-#### recv_window_conn
-
-用于接收数据的 QUIC 流级流控制窗口。
-
-默认 `15728640 (15 MB/s)`。
-
-#### recv_window_client
-
-用于接收数据的 QUIC 连接级流控制窗口。
-
-默认 `67108864 (64 MB/s)`。
-
-#### max_conn_client
-
-允许对等点打开的 QUIC 并发双向流的最大数量。
-
-默认 `1024`。
-
-#### disable_mtu_discovery
-
-禁用路径 MTU 发现 (RFC 8899)。 数据包的大小最多为 1252 (IPv4) / 1232 (IPv6) 字节。
-
-强制为 Linux 和 Windows 以外的系统启用（根据上游）。
-
-#### tls
-
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
-
-### 监听字段
-
-#### listen
-
-==必填==
-
-监听地址。
-
-#### listen_port
-
-==必填==
-
-监听端口。
-
-#### sniff
-
-启用协议探测。
-
-参阅 [协议探测](/zh/configuration/route/sniff/)。
-
-#### sniff_override_destination
-
-用探测出的域名覆盖连接目标地址。
-
-如果域名无效（如 Tor），将不生效。
-
-#### domain_strategy
-
-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，请求的域名将在路由之前解析为 IP。
-
-如果 `sniff_override_destination` 生效，它的值将作为后备。
--- a/docs/configuration/inbound/index.md
+++ b/docs/configuration/inbound/index.md
@@ -17,13 +17,12 @@
 |---------------|------------------------------|
 | `direct`      | [Direct](./direct)           |
 | `mixed`       | [Mixed](./mixed)             |
-| `socks`       | [SOCKS](./socks)             |
+| `socks`       | [Socks](./socks)             |
 | `http`        | [HTTP](./http)               |
 | `shadowsocks` | [Shadowsocks](./shadowsocks) |
 | `vmess`       | [VMess](./vmess)             |
 | `trojan`      | [Trojan](./trojan)           |
 | `naive`       | [Naive](./naive)             |
-| `hysteria`    | [Hysteria](./hysteria)       |
 | `tun`         | [Tun](./tun)                 |
 | `redirect`    | [Redirect](./redirect)       |
 | `tproxy`      | [TProxy](./tproxy)           |
--- a/docs/configuration/inbound/index.zh.md
+++ b/docs/configuration/inbound/index.zh.md
@@ -1,35 +0,0 @@
-# 入站
-
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "",
-      "tag": ""
-    }
-  ]
-}
-```
-
-### 字段
-
-| 类型            | 格式                           |
-|---------------|------------------------------|
-| `direct`      | [Direct](./direct)           |
-| `mixed`       | [Mixed](./mixed)             |
-| `socks`       | [SOCKS](./socks)             |
-| `http`        | [HTTP](./http)               |
-| `shadowsocks` | [Shadowsocks](./shadowsocks) |
-| `vmess`       | [VMess](./vmess)             |
-| `trojan`      | [Trojan](./trojan)           |
-| `naive`       | [Naive](./naive)             |
-| `hysteria`    | [Hysteria](./hysteria)       |
-| `tun`         | [Tun](./tun)                 |
-| `redirect`    | [Redirect](./redirect)       |
-| `tproxy`      | [TProxy](./tproxy)           |
-
-#### tag
-
-入站的标签。
--- a/docs/configuration/inbound/mixed.md
+++ b/docs/configuration/inbound/mixed.md
@@ -15,7 +15,6 @@
      "sniff": false,
      "sniff_override_destination": false,
      "domain_strategy": "prefer_ipv6",
-      "proxy_protocol": false,
      
      "users": [
        {
@@ -23,28 +22,13 @@
          "password": "admin"
        }
      ],
+      
      "set_system_proxy": false
    }
  ]
 }
 ```

-### Mixed Fields
-
-#### users
-
-SOCKS and HTTP users.
-
-No authentication required if empty.
-
-#### set_system_proxy
-
-!!! error ""
-
-    Only supported on Linux, Android, Windows, and macOS.
-
-Automatically set system proxy configuration when start and clean up when stop.
-
 ### Listen Fields

 #### listen
@@ -67,7 +51,7 @@ Enable tcp fast open for listener.

 Enable sniffing.

-See [Protocol Sniff](/configuration/route/sniff/) for details.
+See [Sniff](/configuration/route/sniff/) for details.

 #### sniff_override_destination

@@ -89,4 +73,12 @@ If `sniff_override_destination` is in effect, its value will be taken as a fallb

    Only supported on Linux, Android, Windows, and macOS.

-Automatically set system proxy configuration when start and clean up when stop.
+Automatically set system proxy configuration when start and clean up when stop.
+
+### Mixed Fields
+
+#### users
+
+Socks and HTTP users.
+
+No authentication required if empty.
--- a/docs/configuration/inbound/mixed.zh.md
+++ b/docs/configuration/inbound/mixed.zh.md
@@ -1,88 +0,0 @@
-`mixed` 入站是一个 socks4, socks4a, socks5 和 http 服务器.
-
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "mixed",
-      "tag": "mixed-in",
-      
-      "listen": "::",
-      "listen_port": 2080,
-      "tcp_fast_open": false,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      "proxy_protocol": false,
-      
-      "users": [
-        {
-          "username": "admin",
-          "password": "admin"
-        }
-      ],
-      "set_system_proxy": false
-    }
-  ]
-}
-```
-
-### Mixed 字段
-
-#### users
-
-SOCKS 和 HTTP 用户
-
-默认不需要验证。
-
-#### set_system_proxy
-
-!!! error ""
-
-    仅支持 Linux、Android、Windows 和 macOS。
-
-启动时自动设置系统代理，停止时自动清理。
-
-### 监听字段
-
-#### listen
-
-==必填==
-
-监听地址。
-
-#### listen_port
-
-==必填==
-
-监听端口。
-
-#### tcp_fast_open
-
-为监听器启用 TCP 快速打开。
-
-#### sniff
-
-启用协议探测。
-
-参阅 [协议探测](/zh/configuration/route/sniff/)。
-
-#### sniff_override_destination
-
-用探测出的域名覆盖连接目标地址。
-
-如果域名无效（如 Tor），将不生效。
-
-#### domain_strategy
-
-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，请求的域名将在路由之前解析为 IP。
-
-如果 `sniff_override_destination` 生效，它的值将作为后备。
-
-#### proxy_protocol
-
-解析连接头中的 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
--- a/docs/configuration/inbound/naive.md
+++ b/docs/configuration/inbound/naive.md
@@ -13,8 +13,7 @@
      "sniff": false,
      "sniff_override_destination": false,
      "domain_strategy": "prefer_ipv6",
-      "proxy_protocol": false,
-      
+
      "network": "udp",
      "users": [
        {
@@ -30,25 +29,7 @@

 !!! warning ""

-    HTTP3 transport is not included by default, see [Installation](/#installation).
-
-### Naive Fields
-
-#### network
-
-Listen network, one of `tcp` `udp`.
-
-Both if empty.
-
-#### users
-
-==Required==
-
-Naive users.
-
-#### tls
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
+    HTTP3 transport is not included by default, see [Installation](/#Installation).

 ### Listen Fields

@@ -72,7 +53,7 @@ Enable tcp fast open for listener.

 Enable sniffing.

-See [Protocol Sniff](/configuration/route/sniff/) for details.
+See [Sniff](/configuration/route/sniff/) for details.

 #### sniff_override_destination

@@ -88,6 +69,22 @@ If set, the requested domain name will be resolved to IP before routing.

 If `sniff_override_destination` is in effect, its value will be taken as a fallback.

-#### proxy_protocol
+### Naive Fields

-Parse [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header.
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure).
+
+#### users
+
+==Required==
+
+Naive users.
+
+#### network
+
+Listen network, one of `tcp` `udp`.
+
+Both if empty.
--- a/docs/configuration/inbound/naive.zh.md
+++ b/docs/configuration/inbound/naive.zh.md
@@ -1,93 +0,0 @@
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "naive",
-      "tag": "naive-in",
-      
-      "listen": "::",
-      "listen_port": 443,
-      "tcp_fast_open": false,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      "proxy_protocol": false,
-
-      "network": "udp",
-      "users": [
-        {
-          "username": "sekai",
-          "password": "password"
-        }
-      ],
-      "tls": {}
-    }
-  ]
-}
-```
-
-!!! warning ""
-
-    默认安装不包含 HTTP3 传输层, 参阅 [安装](/zh/#installation)。
-
-### Naive 字段
-
-#### network
-
-监听的网络协议，`tcp` `udp` 之一。
-
-默认所有。
-
-#### users
-
-==必填==
-
-Naive 用户。
-
-#### tls
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
-
-### 监听字段
-
-#### listen
-
-==必填==
-
-监听地址。
-
-#### listen_port
-
-==必填==
-
-监听端口。
-
-#### tcp_fast_open
-
-为监听器启用 TCP 快速打开。
-
-#### sniff
-
-启用协议探测。
-
-参阅 [协议探测](/zh/configuration/route/sniff/)。
-
-#### sniff_override_destination
-
-用探测出的域名覆盖连接目标地址。
-
-如果域名无效（如 Tor），将不生效。
-
-#### domain_strategy
-
-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，请求的域名将在路由之前解析为 IP。
-
-如果 `sniff_override_destination` 生效，它的值将作为后备。
-
-#### proxy_protocol
-
-解析连接头中的 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
--- a/docs/configuration/inbound/redirect.md
+++ b/docs/configuration/inbound/redirect.md
@@ -1,3 +1,5 @@
+`redirect` inbound is a linux redirect server.
+
 ### Structure

 ```json
@@ -35,7 +37,7 @@ Listen port.

 Enable sniffing.

-See [Protocol Sniff](/configuration/route/sniff/) for details.
+See [Sniff](/configuration/route/sniff/) for details.

 #### sniff_override_destination

--- a/docs/configuration/inbound/redirect.zh.md
+++ b/docs/configuration/inbound/redirect.zh.md
@@ -1,52 +0,0 @@
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "redirect",
-      "tag": "redirect-in",
-      
-      "listen": "::",
-      "listen_port": 5353,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6"
-    }
-  ]
-}
-```
-
-### 监听字段
-
-#### listen
-
-==必填==
-
-监听地址。
-
-#### listen_port
-
-==必填==
-
-监听端口。
-
-#### sniff
-
-启用协议探测。
-
-参阅 [协议探测](/zh/configuration/route/sniff/)。
-
-#### sniff_override_destination
-
-用探测出的域名覆盖连接目标地址。
-
-如果域名无效（如 Tor），将不生效。
-
-#### domain_strategy
-
-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，请求的域名将在路由之前解析为 IP。
-
-如果 `sniff_override_destination` 生效，它的值将作为后备。
--- a/docs/configuration/inbound/shadowsocks.md
+++ b/docs/configuration/inbound/shadowsocks.md
@@ -15,7 +15,6 @@
      "domain_strategy": "prefer_ipv6",
      "udp_timeout": 300,
      "network": "udp",
-      "proxy_protocol": false,
      
      "method": "2022-blake3-aes-128-gcm",
      "password": "8JCsPssfgS8tiRwiMlhARg=="
@@ -24,6 +23,82 @@
 }
 ```

+### Listen Fields
+
+#### listen
+
+==Required==
+
+Listen address.
+
+#### listen_port
+
+==Required==
+
+Listen port.
+
+#### tcp_fast_open
+
+Enable tcp fast open for listener.
+
+#### sniff
+
+Enable sniffing.
+
+See [Sniff](/configuration/route/sniff/) for details.
+
+#### sniff_override_destination
+
+Override the connection destination address with the sniffed domain.
+
+If the domain name is invalid (like tor), this will not work.
+
+#### domain_strategy
+
+One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
+
+If set, the requested domain name will be resolved to IP before routing.
+
+If `sniff_override_destination` is in effect, its value will be taken as a fallback.
+
+#### udp_timeout
+
+UDP NAT expiration time in seconds, default is 300 (5 minutes).
+
+### Shadowsocks Fields
+
+#### network
+
+Listen network, one of `tcp` `udp`.
+
+Both if empty.
+
+#### method
+
+==Required==
+
+| Method                        | Key Length |
+|-------------------------------|------------|
+| 2022-blake3-aes-128-gcm       | 16         |
+| 2022-blake3-aes-256-gcm       | 32         |
+| 2022-blake3-chacha20-poly1305 | 32         |
+| none                          | /          |
+| aes-128-gcm                   | /          |
+| aes-192-gcm                   | /          |
+| aes-256-gcm                   | /          |
+| chacha20-ietf-poly1305        | /          |
+| xchacha20-ietf-poly1305       | /          |
+
+#### password
+
+==Required==
+
+| Method        | Password Format                     |
+|---------------|-------------------------------------|
+| none          | /                                   |
+| 2022 methods  | `openssl rand -base64 <Key Length>` |
+| other methods | any string                          |
+
 ### Multi-User Structure

 ```json
@@ -64,84 +139,4 @@
    }
  ]
 }
-```
-
-### Shadowsocks Fields
-
-#### network
-
-Listen network, one of `tcp` `udp`.
-
-Both if empty.
-
-#### method
-
-==Required==
-
-| Method                        | Key Length |
-|-------------------------------|------------|
-| 2022-blake3-aes-128-gcm       | 16         |
-| 2022-blake3-aes-256-gcm       | 32         |
-| 2022-blake3-chacha20-poly1305 | 32         |
-| none                          | /          |
-| aes-128-gcm                   | /          |
-| aes-192-gcm                   | /          |
-| aes-256-gcm                   | /          |
-| chacha20-ietf-poly1305        | /          |
-| xchacha20-ietf-poly1305       | /          |
-
-#### password
-
-==Required==
-
-| Method        | Password Format                     |
-|---------------|-------------------------------------|
-| none          | /                                   |
-| 2022 methods  | `openssl rand -base64 <Key Length>` |
-| other methods | any string                          |
-
-### Listen Fields
-
-#### listen
-
-==Required==
-
-Listen address.
-
-#### listen_port
-
-==Required==
-
-Listen port.
-
-#### tcp_fast_open
-
-Enable tcp fast open for listener.
-
-#### sniff
-
-Enable sniffing.
-
-See [Protocol Sniff](/configuration/route/sniff/) for details.
-
-#### sniff_override_destination
-
-Override the connection destination address with the sniffed domain.
-
-If the domain name is invalid (like tor), this will not work.
-
-#### domain_strategy
-
-One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
-
-If set, the requested domain name will be resolved to IP before routing.
-
-If `sniff_override_destination` is in effect, its value will be taken as a fallback.
-
-#### udp_timeout
-
-UDP NAT expiration time in seconds, default is 300 (5 minutes).
-
-#### proxy_protocol
-
-Parse [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header.
+```
--- a/docs/configuration/inbound/shadowsocks.zh.md
+++ b/docs/configuration/inbound/shadowsocks.zh.md
@@ -1,147 +0,0 @@
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "tag": "ss-in",
-      
-      "listen": "::",
-      "listen_port": 5353,
-      "tcp_fast_open": false,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      "udp_timeout": 300,
-      "network": "udp",
-      "proxy_protocol": false,
-      
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ]
-}
-```
-
-### 多用户结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==",
-      "users": [
-        {
-          "name": "sekai",
-          "password": "PCD2Z4o12bKUoFa3cC97Hw=="
-        }
-      ]
-    }
-  ]
-}
-```
-
-### 中转结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==",
-      "destinations": [
-        {
-          "name": "test",
-          "server": "example.com",
-          "server_port": 8080,
-          "password": "PCD2Z4o12bKUoFa3cC97Hw=="
-        }
-      ]
-    }
-  ]
-}
-```
-
-### Shadowsocks 字段
-
-#### network
-
-监听的网络协议，`tcp` `udp` 之一。
-
-默认所有。
-
-#### method
-
-==必填==
-
-| 方法                            | 密钥长度 |
-|-------------------------------|------|
-| 2022-blake3-aes-128-gcm       | 16   |
-| 2022-blake3-aes-256-gcm       | 32   |
-| 2022-blake3-chacha20-poly1305 | 32   |
-| none                          | /    |
-| aes-128-gcm                   | /    |
-| aes-192-gcm                   | /    |
-| aes-256-gcm                   | /    |
-| chacha20-ietf-poly1305        | /    |
-| xchacha20-ietf-poly1305       | /    |
-
-#### password
-
-==必填==
-
-| 方法            | 密码格式                          |
-|---------------|-------------------------------|
-| none          | /                             |
-| 2022 methods  | `openssl rand -base64 <密钥长度>` |
-| other methods | 任意字符串                         |
-
-### 监听字段
-
-#### listen
-
-==必填==
-
-监听地址。
-
-#### listen_port
-
-==必填==
-
-监听端口。
-
-#### tcp_fast_open
-
-为监听器启用 TCP 快速打开。
-
-#### sniff
-
-启用协议探测。
-
-参阅 [协议探测](/zh/configuration/route/sniff/)。
-
-#### sniff_override_destination
-
-用探测出的域名覆盖连接目标地址。
-
-如果域名无效（如 Tor），将不生效。
-
-#### domain_strategy
-
-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，请求的域名将在路由之前解析为 IP。
-
-如果 `sniff_override_destination` 生效，它的值将作为后备。
-
-#### udp_timeout
-
-UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。
-
-#### proxy_protocol
-
-解析连接头中的 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
--- a/docs/configuration/inbound/socks.md
+++ b/docs/configuration/inbound/socks.md
@@ -15,8 +15,7 @@
      "sniff": false,
      "sniff_override_destination": false,
      "domain_strategy": "prefer_ipv6",
-      "proxy_protocol": false,
-
+      
      "users": [
        {
          "username": "admin",
@@ -28,52 +27,48 @@
 }
 ```

-### SOCKS Fields
-
-#### users
-
-SOCKS users.
-
-No authentication required if empty.
-
-### 监听字段
+### Listen Fields

 #### listen

-==必填==
+==Required==

-监听地址
+Listen address.

 #### listen_port

-==必填==
+==Required==

-监听端口
+Listen port.

 #### tcp_fast_open

-为监听器启用 TCP 快速打开
+Enable tcp fast open for listener.

 #### sniff

-启用协议探测。
+Enable sniffing.

-参阅 [协议探测](/zh/configuration/route/sniff/)
+See [Sniff](/configuration/route/sniff/) for details.

 #### sniff_override_destination

-用探测出的域名覆盖连接目标地址。
+Override the connection destination address with the sniffed domain.

-如果域名无效（如 Tor），将不生效。
+If the domain name is invalid (like tor), this will not work.

 #### domain_strategy

-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
+One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.

-如果设置，请求的域名将在路由之前解析为 IP。
+If set, the requested domain name will be resolved to IP before routing.

-如果 `sniff_override_destination` 生效，它的值将作为后备。
+If `sniff_override_destination` is in effect, its value will be taken as a fallback.

-#### proxy_protocol
+### Socks Fields

-解析连接头中的 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
+#### users
+
+Socks users.
+
+No authentication required if empty.
--- a/docs/configuration/inbound/socks.zh.md
+++ b/docs/configuration/inbound/socks.zh.md
@@ -1,79 +0,0 @@
-`socks` 入站是一个 socks4, socks4a 和 socks5 服务器.
-
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "socks",
-      "tag": "socks-in",
-      
-      "listen": "::",
-      "listen_port": 2080,
-      "tcp_fast_open": false,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      "proxy_protocol": false,
-
-      "users": [
-        {
-          "username": "admin",
-          "password": "admin"
-        }
-      ]
-    }
-  ]
-}
-```
-
-### SOCKS 字段
-
-#### users
-
-SOCKS 用户
-
-默认不需要验证。
-
-### Listen Fields
-
-#### listen
-
-==必填==
-
-监听地址。
-
-#### listen_port
-
-==必填==
-
-监听端口。
-
-#### tcp_fast_open
-
-为监听器启用 TCP 快速打开。
-
-#### sniff
-
-启用协议探测。
-
-参阅 [协议探测](/zh/configuration/route/sniff/)。
-
-#### sniff_override_destination
-
-用探测出的域名覆盖连接目标地址。
-
-如果域名无效（如 Tor），将不生效。
-
-#### domain_strategy
-
-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，请求的域名将在路由之前解析为 IP。
-
-如果 `sniff_override_destination` 生效，它的值将作为后备。
-
-#### proxy_protocol
-
-解析连接头中的 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
--- a/docs/configuration/inbound/tproxy.md
+++ b/docs/configuration/inbound/tproxy.md
@@ -20,14 +20,6 @@
 }
 ```

-### TProxy Fields
-
-#### network
-
-Listen network, one of `tcp` `udp`.
-
-Both if empty.
-
 ### Listen Fields

 #### listen
@@ -46,7 +38,7 @@ Listen port.

 Enable sniffing.

-See [Protocol Sniff](/configuration/route/sniff/) for details.
+See [Sniff](/configuration/route/sniff/) for details.

 #### sniff_override_destination

@@ -65,3 +57,11 @@ If `sniff_override_destination` is in effect, its value will be taken as a fallb
 #### udp_timeout

 UDP NAT expiration time in seconds, default is 300 (5 minutes).
+
+### TProxy Fields
+
+#### network
+
+Listen network, one of `tcp` `udp`.
+
+Both if empty.
--- a/docs/configuration/inbound/tproxy.zh.md
+++ b/docs/configuration/inbound/tproxy.zh.md
@@ -1,67 +0,0 @@
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "tproxy",
-      "tag": "tproxy-in",
-      
-      "listen": "::",
-      "listen_port": 5353,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      "udp_timeout": 300,
-      
-      "network": "udp"
-    }
-  ]
-}
-```
-
-### TProxy 字段
-
-#### network
-
-监听的网络协议，`tcp` `udp` 之一。
-
-默认所有。
-
-### 监听字段
-
-#### listen
-
-==必填==
-
-监听地址。
-
-#### listen_port
-
-==必填==
-
-监听端口。
-
-#### sniff
-
-启用协议探测。
-
-参阅 [协议探测](/zh/configuration/route/sniff/)。
-
-#### sniff_override_destination
-
-用探测出的域名覆盖连接目标地址。
-
-如果域名无效（如 Tor），将不生效。
-
-#### domain_strategy
-
-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，请求的域名将在路由之前解析为 IP。
-
-如果 `sniff_override_destination` 生效，它的值将作为后备。
-
-#### udp_timeout
-
-UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。
--- a/docs/configuration/inbound/trojan.md
+++ b/docs/configuration/inbound/trojan.md
@@ -13,49 +13,19 @@
      "sniff": false,
      "sniff_override_destination": false,
      "domain_strategy": "prefer_ipv6",
-      "proxy_protocol": false,
-
+      
      "users": [
        {
          "name": "sekai",
          "password": "8JCsPssfgS8tiRwiMlhARg=="
        }
      ],
-      "tls": {},
-      "fallback": {
-        "server": "127.0.0.0.1",
-        "server_port": 8080
-      },
-      "transport": {}
+      "tls": {}
    }
  ]
 }
 ```

-### Trojan Fields
-
-#### users
-
-==Required==
-
-Trojan users.
-
-#### tls
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
-
-#### fallback
-
-!!! error ""
-
-    There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature.
-
-Fallback server configuration. Disabled if empty.
-
-#### transport
-
-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
-
 ### Listen Fields

 #### listen
@@ -78,7 +48,7 @@ Enable tcp fast open for listener.

 Enable sniffing.

-See [Protocol Sniff](/configuration/route/sniff/) for details.
+See [Sniff](/configuration/route/sniff/) for details.

 #### sniff_override_destination

@@ -94,6 +64,12 @@ If set, the requested domain name will be resolved to IP before routing.

 If `sniff_override_destination` is in effect, its value will be taken as a fallback.

-#### proxy_protocol
+### Trojan Fields

-Parse [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header.
+#### users
+
+Trojan users.
+
+#### tls
+
+TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure).
--- a/docs/configuration/inbound/trojan.zh.md
+++ b/docs/configuration/inbound/trojan.zh.md
@@ -1,101 +0,0 @@
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "trojan",
-      "tag": "trojan-in",
-      
-      "listen": "::",
-      "listen_port": 2080,
-      "tcp_fast_open": false,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      "proxy_protocol": false,
-
-      "users": [
-        {
-          "name": "sekai",
-          "password": "8JCsPssfgS8tiRwiMlhARg=="
-        }
-      ],
-      "tls": {},
-      "fallback": {
-        "server": "127.0.0.0.1",
-        "server_port": 8080
-      },
-      "transport": {}
-    }
-  ]
-}
-```
-
-### Trojan 字段
-
-#### users
-
-==必填==
-
-Trojan 用户。
-
-#### tls
-
-==如果启用 HTTP3 则必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
-
-#### fallback
-
-!!! error ""
-
-    没有证据表明 GFW 基于 HTTP 响应检测并阻止木马服务器，并且在服务器上打开标准 http/s 端口是一个更大的特征。
-
-备用服务器配置。默认禁用。
-
-#### transport
-
-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
-
-### 监听字段
-
-#### listen
-
-==必填==
-
-监听地址。
-
-#### listen_port
-
-==必填==
-
-监听端口。
-
-#### tcp_fast_open
-
-为监听器启用 TCP 快速打开。
-
-#### sniff
-
-启用协议探测。
-
-参阅 [协议探测](/zh/configuration/route/sniff/)。
-
-#### sniff_override_destination
-
-用探测出的域名覆盖连接目标地址。
-
-如果域名无效（如 Tor），将不生效。
-
-#### domain_strategy
-
-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，请求的域名将在路由之前解析为 IP。
-
-如果 `sniff_override_destination` 生效，它的值将作为后备。
-
-#### proxy_protocol
-
-解析连接头中的 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -10,6 +10,7 @@
    {
      "type": "tun",
      "tag": "tun-in",
+      
      "interface_name": "tun0",
      "inet4_address": "172.19.0.1/30",
      "inet6_address": "fdfe:dcba:9876::1/128",
@@ -18,30 +19,7 @@
      "endpoint_independent_nat": false,
      "udp_timeout": 300,
      "stack": "gvisor",
-      "include_uid": [
-        0
-      ],
-      "include_uid_range": [
-        [
-          "1000-99999"
-        ]
-      ],
-      "exclude_uid": [
-        1000
-      ],
-      "exclude_uid_range": [
-        "1000-99999"
-      ],
-      "include_android_user": [
-        0,
-        10
-      ],
-      "include_package": [
-        "com.android.chrome"
-      ],
-      "exclude_package": [
-        "com.android.captiveportallogin"
-      ],
+      
      "sniff": true,
      "sniff_override_destination": false,
      "domain_strategy": "prefer_ipv4"
@@ -50,13 +28,9 @@
 }
 ```

-!!! note ""
-
-    You can ignore the JSON Array [] tag when the content is only one item
-
 !!! warning ""

-    If tun is running in non-privileged mode, addresses and MTU will not be configured automatically, please make sure the settings are accurate.
+    If tun is running in non-privileged mode, the address and MTU will not be configured automatically, please make sure the settings are accurate.

 ### Tun Fields

@@ -107,48 +81,7 @@ TCP/IP stack.

 !!! warning ""

-    The LWIP stack is not included by default, see [Installation](/#installation).
-
-#### include_uid
-
-!!! error ""
-
-    UID rules are only supported on Linux and require auto_route.
-
-Limit users in route. Not limited by default.
-
-#### include_uid_range
-
-Limit users in route, but in range.
-
-#### exclude_uid
-
-Exclude users in route.
-
-#### exclude_uid_range
-
-Exclude users in route, but in range.
-
-#### include_android_user
-
-!!! error ""
-
-    Android user and package rules are only supported on Android and require auto_route.
-
-Limit android users in route.
-
-| Common user  | ID  |
-|--------------|-----|
-| Main         | 0   |
-| Work Profile | 10  |
-
-#### include_package
-
-Limit android packages in route.
-
-#### exclude_package
-
-Exclude android packages in route.
+    The LWIP stack is not included by default, see [Installation](/#Installation).

 ### Listen Fields

@@ -156,7 +89,7 @@ Exclude android packages in route.

 Enable sniffing.

-See [Protocol Sniff](/configuration/route/sniff/) for details.
+See [Sniff](/configuration/route/sniff/) for details.

 #### sniff_override_destination

--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -1,173 +0,0 @@
-!!! error ""
-
-    仅支持 Linux、Windows 和 macOS。
-
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "tun",
-      "tag": "tun-in",
-      "interface_name": "tun0",
-      "inet4_address": "172.19.0.1/30",
-      "inet6_address": "fdfe:dcba:9876::1/128",
-      "mtu": 1500,
-      "auto_route": true,
-      "endpoint_independent_nat": false,
-      "udp_timeout": 300,
-      "stack": "gvisor",
-      "include_uid": [
-        0
-      ],
-      "include_uid_range": [
-        [
-          "1000-99999"
-        ]
-      ],
-      "exclude_uid": [
-        1000
-      ],
-      "exclude_uid_range": [
-        "1000-99999"
-      ],
-      "include_android_user": [
-        0,
-        10
-      ],
-      "include_package": [
-        "com.android.chrome"
-      ],
-      "exclude_package": [
-        "com.android.captiveportallogin"
-      ],
-      "sniff": true,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv4"
-    }
-  ]
-}
-```
-
-!!! note ""
-
-    当内容只有一项时，可以忽略 JSON 数组 [] 标签。
-
-!!! warning ""
-
-    如果 tun 在非特权模式下运行，地址和 MTU 将不会自动配置，请确保设置正确。
-
-### Tun 字段
-
-#### interface_name
-
-虚拟设备名称，默认自动选择。
-
-#### inet4_address
-
-==必填==
-
-tun 接口的 IPv4 前缀。
-
-#### inet6_address
-
-tun 接口的 IPv6 前缀。
-
-#### mtu
-
-最大传输单元。
-
-#### auto_route
-
-设置到 Tun 的默认路由。
-
-!!! error ""
-
-    为避免流量环回，请设置 `route.auto_detect_interface` 或 `route.default_interface` 或 `outbound.bind_interface`。
-
-#### endpoint_independent_nat
-
-启用独立于端点的 NAT。
-
-性能可能会略有下降，所以不建议在不需要的时候开启。
-
-#### udp_timeout
-
-UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。
-
-#### stack
-
-TCP/IP 栈。
-
-| 栈                | 上游                                                                    | 状态    |
-|------------------|-----------------------------------------------------------------------|-------|
-| gVisor (default) | [google/gvisor](https://github.com/google/gvisor)                     | 推荐    |
-| LWIP             | [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | 上游已存档 |
-
-!!! warning ""
-
-    默认安装不包含 LWIP 栈，请参阅 [安装](/zh/#installation)。
-
-#### include_uid
-
-!!! error ""
-
-    UID 规则仅在 Linux 下被支持，并且需要 `auto_route`。
-
-限制被路由的的用户。默认不限制。
-
-#### include_uid_range
-
-限制被路由的的用户范围。
-
-#### exclude_uid
-
-排除路由的的用户。
-
-#### exclude_uid_range
-
-排除路由的的用户范围。
-
-#### include_android_user
-
-!!! error ""
-
-    Android 用户和应用规则仅在 Android 下被支持，并且需要 `auto_route`。
-
-限制被路由的 Android 用户。
-
-| 常用用户 | ID  |
-|--|-----|
-| 您 | 0   |
-| 工作资料 | 10  |
-
-#### include_package
-
-限制被路由的 Android 应用包名。
-
-#### exclude_package
-
-排除路由的 Android 应用包名。
-
-### 监听字段
-
-#### sniff
-
-启用协议探测。
-
-参阅 [协议探测](/zh/configuration/route/sniff/)。
-
-#### sniff_override_destination
-
-用探测出的域名覆盖连接目标地址。
-
-如果域名无效（如 Tor），将不生效。
-
-#### domain_strategy
-
-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，请求的域名将在路由之前解析为 IP。
-
-如果 `sniff_override_destination` 生效，它的值将作为后备。
--- a/docs/configuration/inbound/vmess.md
+++ b/docs/configuration/inbound/vmess.md
@@ -13,8 +13,7 @@
      "sniff": false,
      "sniff_override_destination": false,
      "domain_strategy": "prefer_ipv6",
-      "proxy_protocol": false,
-
+      
      "users": [
        {
          "name": "sekai",
@@ -22,38 +21,12 @@
          "alterId": 0
        }
      ],
-      "tls": {},
-      "transport": {}
+      "tls": {}
    }
  ]
 }
 ```

-### VMess Fields
-
-#### users
-
-==Required==
-
-VMess users.
-
-| Alter ID | Description             |
-|----------|-------------------------|
-| 0        | Disable legacy protocol |
-| > 0      | Enable legacy protocol  |
-
-!!! warning ""
-
-    Legacy protocol support (VMess MD5 Authentication) is provided for compatibility purposes only, use of alterId > 1 is not recommended.
-
-#### tls
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
-
-#### transport
-
-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
-
 ### Listen Fields

 #### listen
@@ -76,7 +49,7 @@ Enable tcp fast open for listener.

 Enable sniffing.

-See [Protocol Sniff](/configuration/route/sniff/) for details.
+See [Sniff](/configuration/route/sniff/) for details.

 #### sniff_override_destination

@@ -92,6 +65,21 @@ If set, the requested domain name will be resolved to IP before routing.

 If `sniff_override_destination` is in effect, its value will be taken as a fallback.

-#### proxy_protocol
+### VMess Fields

-Parse [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header.
+#### users
+
+VMess users.
+
+| Alter ID | Description             |
+|----------|-------------------------|
+| 0        | Disable legacy protocol |
+| > 0      | Enable legacy protocol  |
+
+!!! warning ""
+
+    Legacy protocol support (VMess MD5 Authentication) is provided for compatibility purposes only, use of alterId > 1 is not recommended.
+
+#### tls
+
+TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure).
--- a/docs/configuration/inbound/vmess.zh.md
+++ b/docs/configuration/inbound/vmess.zh.md
@@ -1,97 +0,0 @@
-### 结构
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "vmess",
-      "tag": "vmess-in",
-      
-      "listen": "::",
-      "listen_port": 2080,
-      "tcp_fast_open": false,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      "proxy_protocol": false,
-
-      "users": [
-        {
-          "name": "sekai",
-          "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
-          "alterId": 0
-        }
-      ],
-      "tls": {},
-      "transport": {}
-    }
-  ]
-}
-```
-
-### VMess 字段
-
-#### users
-
-==必填==
-
-VMess 用户。
-
-| Alter ID | 描述    |
-|----------|-------|
-| 0        | 禁用旧协议 |
-| > 0      | 启用旧协议 |
-
-!!! warning ""
-
-    提供旧协议支持（VMess MD5 身份验证）仅出于兼容性目的，不建议使用 alterId > 1。
-
-#### tls
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
-
-#### transport
-
-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
-
-### 监听字段
-
-#### listen
-
-==必填==
-
-监听地址。
-
-#### listen_port
-
-==必填==
-
-监听端口。
-
-#### tcp_fast_open
-
-为监听器启用 TCP 快速打开。
-
-#### sniff
-
-启用协议探测。
-
-参阅 [协议探测](/zh/configuration/route/sniff/)。
-
-#### sniff_override_destination
-
-用探测出的域名覆盖连接目标地址。
-
-如果域名无效（如 Tor），将不生效。
-
-#### domain_strategy
-
-可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，请求的域名将在路由之前解析为 IP。
-
-如果 `sniff_override_destination` 生效，它的值将作为后备。
-
-#### proxy_protocol
-
-解析连接头中的 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
--- a/docs/configuration/index.zh.md
+++ b/docs/configuration/index.zh.md
@@ -1,39 +0,0 @@
-# 引言
-
-sing-box 使用 JSON 作为配置文件格式。
-
-### 结构
-
-```json
-{
-  "log": {},
-  "dns": {},
-  "inbounds": {},
-  "outbounds": {},
-  "route": {},
-  "experimental": {}
-}
-```
-
-### 字段
-
-| Key            | Format                |
-|----------------|-----------------------|
-| `log`          | [日志](./log)           |
-| `dns`          | [DNS](./dns)          |
-| `inbounds`     | [入站](./inbound)       |
-| `outbounds`    | [出站](./outbound)      |
-| `route`        | [路由](./route)         |
-| `experimental` | [实验性](./experimental) |
-
-### 检查
-
-```bash
-$ sing-box check
-```
-
-### 格式化
-
-```bash
-$ sing-box format -w
-```
--- a/docs/configuration/log.md
+++ b/docs/configuration/log.md
@@ -1,3 +1,5 @@
+# Log
+
 ### Structure

 ```json
--- a/docs/configuration/log.zh.md
+++ b/docs/configuration/log.zh.md
@@ -1,31 +0,0 @@
-### 结构
-
-```json
-{
-  "log": {
-    "disabled": false,
-    "level": "info",
-    "output": "box.log",
-    "timestamp": true
-  }
-}
-
-```
-
-### 字段
-
-#### disabled
-
-禁用日志，启动后不输出日志。
-
-#### level
-
-日志等级，可选值：`trace` `debug` `info` `warn` `error` `fatal` `panic`。
-
-#### output
-
-输出文件路径，启动后将不输出到控制台。
-
-#### timestamp
-
-添加时间到每行。
--- a/docs/configuration/outbound/block.md
+++ b/docs/configuration/outbound/block.md
@@ -13,6 +13,6 @@
 }
 ```

-### 字段
+### Fields

 No fields.
--- a/docs/configuration/outbound/block.zh.md
+++ b/docs/configuration/outbound/block.zh.md
@@ -1,18 +0,0 @@
-`block` 出站关闭所有传入请求。
-
-### 结构
-
-```json
-{
-  "outbounds": [
-    {
-      "type": "block",
-      "tag": "block"
-    }
-  ]
-}
-```
-
-### 字段
-
-无字段。
--- a/docs/configuration/outbound/direct.md
+++ b/docs/configuration/outbound/direct.md
@@ -11,11 +11,9 @@
      
      "override_address": "1.0.0.1",
      "override_port": 53,
-      "proxy_protocol": 0,
-      
+
      "detour": "upstream-out",
      "bind_interface": "en0",
-      "bind_address": "0.0.0.0",
      "routing_mark": 1234,
      "reuse_addr": false,
      "connect_timeout": "5s",
@@ -37,12 +35,6 @@ Override the connection destination address.

 Override the connection destination port.

-#### proxy_protocol
-
-Write [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header.
-
-Protocol value can be `1` or `2`.
-
 ### Dial Fields

 #### detour
@@ -55,17 +47,13 @@ Other dial fields will be ignored when enabled.

 The network interface to bind to.

-#### bind_address
-
-The address to bind to.
-
 #### routing_mark

 !!! error ""

-    Only supported on Linux.
+    Linux only

-Set netfilter routing mark.
+The iptables routing mark.

 #### reuse_addr

@@ -84,7 +72,7 @@ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.

-If set, the requested domain name will be resolved to IP before connect.
+If set, the requested domain name will be resolved to IP before routing.

 `dns.strategy` will be used if empty.

--- a/docs/configuration/outbound/direct.zh.md
+++ b/docs/configuration/outbound/direct.zh.md
@@ -1,95 +0,0 @@
-`direct` 出站直接发送请求。
-
-### 结构
-
-```json
-{
-  "outbounds": [
-    {
-      "type": "direct",
-      "tag": "direct-out",
-      
-      "override_address": "1.0.0.1",
-      "override_port": 53,
-      "proxy_protocol": 0,
-      
-      "detour": "upstream-out",
-      "bind_interface": "en0",
-      "bind_address": "0.0.0.0",
-      "routing_mark": 1234,
-      "reuse_addr": false,
-      "connect_timeout": "5s",
-      "tcp_fast_open": false,
-      "domain_strategy": "prefer_ipv6",
-      "fallback_delay": "300ms"
-    }
-  ]
-}
-```
-
-### Direct 字段
-
-#### override_address
-
-覆盖连接目标地址。
-
-#### override_port
-
-覆盖连接目标端口。
-
-#### proxy_protocol
-
-写出 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) 到连接头。
-
-可用协议版本值：`1` 或 `2`。
-
-### 拨号字段
-
-#### detour
-
-上游出站的标签。
-
-启用时，其他拨号字段将被忽略。
-
-#### bind_interface
-
-要绑定到的网络接口。
-
-#### bind_address
-
-要绑定的地址。
-
-#### routing_mark
-
-!!! error ""
-
-    仅支持 Linux。
-
-设置 netfilter 路由标记。
-
-#### reuse_addr
-
-重用监听地址。
-
-#### connect_timeout
-
-连接超时，采用 golang 的 Duration 格式。
-
-持续时间字符串是一个可能有符号的序列十进制数，每个都有可选的分数和单位后缀， 例如 "300ms"、"-1.5h" 或 "2h45m"。
-有效时间单位为 "ns"、"us"（或 "µs"）、"ms"、"s"、"m"、"h"。
-
-#### domain_strategy
-
-可选值：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，域名将在请求发出之前解析为 IP。
-
-默认使用 `dns.strategy`。
-
-#### fallback_delay
-
-在生成 RFC 6555 快速回退连接之前等待的时间长度。
-也就是说，是在假设之前等待 IPv6 成功的时间量如果设置了 "prefer_ipv4"，则 IPv6 配置错误并回退到 IPv4。
-如果为零，则使用 300 毫秒的默认延迟。
-
-仅当 `domain_strategy` 为 `prefer_ipv4` 或 `prefer_ipv6` 时生效。
--- a/docs/configuration/outbound/dns.md
+++ b/docs/configuration/outbound/dns.md
@@ -1,4 +1,4 @@
-`dns` outbound is a internal DNS server.
+`dns` outbound is a DNS server.

 ### Structure

--- a/docs/configuration/outbound/dns.zh.md
+++ b/docs/configuration/outbound/dns.zh.md
@@ -1,22 +0,0 @@
-`dns` 出站是一个内部 DNS 服务器。
-
-### 结构
-
-```json
-{
-  "outbounds": [
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ]
-}
-```
-
-!!! note ""
-
-    DNS 出站没有出站连接，所有请求均在内部处理。
-
-### 字段
-
-无字段。
--- a/docs/configuration/outbound/http.md
+++ b/docs/configuration/outbound/http.md
@@ -1,4 +1,4 @@
-`http` outbound is a HTTP CONNECT proxy client.
+`http` outbound is a HTTP Connect client.

 ### Structure

@@ -17,7 +17,6 @@
      
      "detour": "upstream-out",
      "bind_interface": "en0",
-      "bind_address": "0.0.0.0",
      "routing_mark": 1234,
      "reuse_addr": false,
      "connect_timeout": "5s",
@@ -53,7 +52,7 @@ Basic authorization password.

 #### tls

-TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
+TLS configuration, see [TLS outbound structure](/configuration/shared/tls/#outbound-structure).

 ### Dial Fields

@@ -67,17 +66,13 @@ Other dial fields will be ignored when enabled.

 The network interface to bind to.

-#### bind_address
-
-The address to bind to.
-
 #### routing_mark

 !!! error ""

-    Only supported on Linux.
+    Linux only

-Set netfilter routing mark.
+The iptables routing mark.

 #### reuse_addr

--- a/docs/configuration/outbound/http.zh.md
+++ b/docs/configuration/outbound/http.zh.md
@@ -1,107 +0,0 @@
-`http` 出站是一个 HTTP CONNECT 代理客户端
-
-### 结构
-
-```json
-{
-  "outbounds": [
-    {
-      "type": "http",
-      "tag": "http-out",
-      
-      "server": "127.0.0.1",
-      "server_port": 1080,
-      "username": "sekai",
-      "password": "admin",
-      "tls": {},
-      
-      "detour": "upstream-out",
-      "bind_interface": "en0",
-      "bind_address": "0.0.0.0",
-      "routing_mark": 1234,
-      "reuse_addr": false,
-      "connect_timeout": "5s",
-      "tcp_fast_open": false,
-      "domain_strategy": "prefer_ipv6",
-      "fallback_delay": "300ms"
-    }
-  ]
-}
-```
-
-### HTTP 字段
-
-#### server
-
-==必填==
-
-服务器地址。
-
-#### server_port
-
-==必填==
-
-服务器端口。
-
-#### username
-
-Basic 认证用户名。
-
-#### password
-
-Basic 认证密码。
-
-#### tls
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
-
-### 拨号字段
-
-#### detour
-
-上游出站的标签。
-
-启用时，其他拨号字段将被忽略。
-
-#### bind_interface
-
-要绑定到的网络接口。
-
-#### bind_address
-
-要绑定的地址。
-
-#### routing_mark
-
-!!! error ""
-
-    仅支持 Linux。
-
-设置 netfilter 路由标记。
-
-#### reuse_addr
-
-重用监听地址。
-
-#### connect_timeout
-
-连接超时，采用 golang 的 Duration 格式。
-
-持续时间字符串是一个可能有符号的序列十进制数，每个都有可选的分数和单位后缀， 例如 "300ms"、"-1.5h" 或 "2h45m"。
-有效时间单位为 "ns"、"us"（或 "µs"）、"ms"、"s"、"m"、"h"。
-
-#### domain_strategy
-
-可选值：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，服务器域名将在连接前解析为 IP。
-
-默认使用 `dns.strategy`。
-
-#### fallback_delay
-
-在生成 RFC 6555 快速回退连接之前等待的时间长度。
-也就是说，是在假设之前等待 IPv6 成功的时间量如果设置了 "prefer_ipv4"，则 IPv6 配置错误并回退到 IPv4。
-如果为零，则使用 300 毫秒的默认延迟。
-
-仅当 `domain_strategy` 为 `prefer_ipv4` 或 `prefer_ipv6` 时生效。
--- a/docs/configuration/outbound/hysteria.md
+++ b/docs/configuration/outbound/hysteria.md
@@ -1,178 +0,0 @@
-### Structure
-
-```json
-{
-  "outbounds": [
-    {
-      "type": "hysteria",
-      "tag": "hysteria-out",
-      
-      "server": "127.0.0.1",
-      "server_port": 1080,
-
-      "up": "100 Mbps",
-      "up_mbps": 100,
-      "down": "100 Mbps",
-      "down_mbps": 100,
-      "obfs": "fuck me till the daylight",
-      "auth": "",
-      "auth_str": "password",
-      "recv_window_conn": 0,
-      "recv_window": 0,
-      "disable_mtu_discovery": false,
-      "network": "tcp",
-      "tls": {},
-      
-      "detour": "upstream-out",
-      "bind_interface": "en0",
-      "bind_address": "0.0.0.0",
-      "routing_mark": 1234,
-      "reuse_addr": false,
-      "connect_timeout": "5s",
-      "domain_strategy": "prefer_ipv6",
-      "fallback_delay": "300ms"
-    }
-  ]
-}
-```
-
-!!! warning ""
-
-    QUIC, which is required by hysteria is not included by default, see [Installation](/#installation).
-
-### Hysteria Fields
-
-#### server
-
-==Required==
-
-The server address.
-
-#### server_port
-
-==Required==
-
-The server port.
-
-#### up, down
-
-==Required==
-
-Format: `[Integer] [Unit]` e.g. `100 Mbps, 640 KBps, 2 Gbps`
-
-Supported units (case sensitive, b = bits, B = bytes, 8b=1B):
-
-    bps (bits per second)
-    Bps (bytes per second)
-    Kbps (kilobits per second)
-    KBps (kilobytes per second)
-    Mbps (megabits per second)
-    MBps (megabytes per second)
-    Gbps (gigabits per second)
-    GBps (gigabytes per second)
-    Tbps (terabits per second)
-    TBps (terabytes per second)
-
-#### up_mbps, down_mbps
-
-==Required==
-
-`up, down` in Mbps.
-
-#### obfs
-
-Obfuscated password.
-
-#### auth
-
-Authentication password, in base64.
-
-#### auth_str
-
-Authentication password.
-
-#### recv_window_conn
-
-The QUIC stream-level flow control window for receiving data.
-
-`15728640 (15 MB/s)` will be used if empty.
-
-#### recv_window
-
-The QUIC connection-level flow control window for receiving data.
-
-`67108864 (64 MB/s)` will be used if empty.
-
-#### disable_mtu_discovery
-
-Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
-
-Force enabled on for systems other than Linux and Windows (according to upstream).
-
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
-
-#### network
-
-Enabled network
-
-One of `tcp` `udp`.
-
-Both is enabled by default.
-
-### Dial Fields
-
-#### detour
-
-The tag of the upstream outbound.
-
-Other dial fields will be ignored when enabled.
-
-#### bind_interface
-
-The network interface to bind to.
-
-#### bind_address
-
-The address to bind to.
-
-#### routing_mark
-
-!!! error ""
-
-    Only supported on Linux.
-
-Set netfilter routing mark.
-
-#### reuse_addr
-
-Reuse listener address.
-
-#### connect_timeout
-
-Connect timeout, in golang's Duration format.
-
-A duration string is a possibly signed sequence of
-decimal numbers, each with optional fraction and a unit suffix,
-such as "300ms", "-1.5h" or "2h45m".
-Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-
-#### domain_strategy
-
-One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
-
-If set, the server domain name will be resolved to IP before connecting.
-
-`dns.strategy` will be used if empty.
-
-#### fallback_delay
-
-The length of time to wait before spawning a RFC 6555 Fast Fallback connection.
-That is, is the amount of time to wait for IPv6 to succeed before assuming
-that IPv6 is misconfigured and falling back to IPv4 if `prefer_ipv4` is set.
-If zero, a default delay of 300ms is used.
-
-Only take effect when `domain_strategy` is `prefer_ipv4` or `prefer_ipv6`.
--- a/docs/configuration/outbound/hysteria.zh.md
+++ b/docs/configuration/outbound/hysteria.zh.md
@@ -1,173 +0,0 @@
-### 结构
-
-```json
-{
-  "outbounds": [
-    {
-      "type": "hysteria",
-      "tag": "hysteria-out",
-      
-      "server": "127.0.0.1",
-      "server_port": 1080,
-
-      "up": "100 Mbps",
-      "up_mbps": 100,
-      "down": "100 Mbps",
-      "down_mbps": 100,
-      "obfs": "fuck me till the daylight",
-      "auth": "",
-      "auth_str": "password",
-      "recv_window_conn": 0,
-      "recv_window": 0,
-      "disable_mtu_discovery": false,
-      "network": "tcp",
-      "tls": {},
-      
-      "detour": "upstream-out",
-      "bind_interface": "en0",
-      "bind_address": "0.0.0.0",
-      "routing_mark": 1234,
-      "reuse_addr": false,
-      "connect_timeout": "5s",
-      "domain_strategy": "prefer_ipv6",
-      "fallback_delay": "300ms"
-    }
-  ]
-}
-```
-
-!!! warning ""
-
-    默认安装不包含被 Hysteria 依赖的 QUIC，参阅 [安装](/zh/#installation)。
-
-### Hysteria 字段
-
-#### server
-
-==必填==
-
-服务器地址。
-
-#### server_port
-
-==必填==
-
-服务器端口。
-
-#### up, down
-
-==必填==
-
-格式： `[Integer] [Unit]` 例如： `100 Mbps, 640 KBps, 2 Gbps`
-
-支持的单位 (大小写敏感, b = bits, B = bytes, 8b=1B)：
-
-    bps (bits per second)
-    Bps (bytes per second)
-    Kbps (kilobits per second)
-    KBps (kilobytes per second)
-    Mbps (megabits per second)
-    MBps (megabytes per second)
-    Gbps (gigabits per second)
-    GBps (gigabytes per second)
-    Tbps (terabits per second)
-    TBps (terabytes per second)
-
-#### up_mbps, down_mbps
-
-==必填==
-
-以 Mbps 为单位的 `up, down`。
-
-#### obfs
-
-混淆密码。
-
-#### auth
-
-base64 编码的认证密码。
-
-#### auth_str
-
-认证密码。
-
-#### recv_window_conn
-
-用于接收数据的 QUIC 流级流控制窗口。
-
-默认 `15728640 (15 MB/s)`。
-
-#### recv_window
-
-用于接收数据的 QUIC 连接级流控制窗口。
-
-默认 `67108864 (64 MB/s)`。
-
-#### disable_mtu_discovery
-
-禁用路径 MTU 发现 (RFC 8899)。 数据包的大小最多为 1252 (IPv4) / 1232 (IPv6) 字节。
-
-强制为 Linux 和 Windows 以外的系统启用（根据上游）。
-
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
-
-#### network
-
-启用的网络协议。
-
-`tcp` 或 `udp`。
-
-默认所有。
-
-### 拨号字段
-
-#### detour
-
-上游出站的标签。
-
-启用时，其他拨号字段将被忽略。
-
-#### bind_interface
-
-要绑定到的网络接口。
-
-#### bind_address
-
-要绑定的地址。
-
-#### routing_mark
-
-!!! error ""
-
-    仅支持 Linux。
-
-设置 netfilter 路由标记。
-
-#### reuse_addr
-
-重用监听地址
-
-#### connect_timeout
-
-连接超时，采用 golang 的 Duration 格式。
-
-持续时间字符串是一个可能有符号的序列十进制数，每个都有可选的分数和单位后缀， 例如 "300ms"、"-1.5h" 或 "2h45m"。
-有效时间单位为 "ns"、"us"（或 "µs"）、"ms"、"s"、"m"、"h"。
-
-#### domain_strategy
-
-可选值：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
-
-如果设置，服务器域名将在连接前解析为 IP。
-
-默认使用 `dns.strategy`。
-
-#### fallback_delay
-
-在生成 RFC 6555 快速回退连接之前等待的时间长度。
-也就是说，是在假设之前等待 IPv6 成功的时间量如果设置了 "prefer_ipv4"，则 IPv6 配置错误并回退到 IPv4。
-如果为零，则使用 300 毫秒的默认延迟。
-
-仅当 `domain_strategy` 为 `prefer_ipv4` 或 `prefer_ipv6` 时生效。
--- a/docs/configuration/outbound/index.md
+++ b/docs/configuration/outbound/index.md
@@ -17,15 +17,11 @@
 |---------------|------------------------------|
 | `direct`      | [Direct](./direct)           |
 | `block`       | [Block](./block)             |
-| `socks`       | [SOCKS](./socks)             |
+| `socks`       | [Socks](./socks)             |
 | `http`        | [HTTP](./http)               |
 | `shadowsocks` | [Shadowsocks](./shadowsocks) |
-| `vmess`       | [VMess](./vmess)             |
-| `trojan`      | [Trojan](./trojan)           |
-| `wireguard`   | [Wireguard](./wireguard)     |
-| `hysteria`    | [Hysteria](./hysteria)       |
-| `tor`         | [Tor](./tor)                 |
-| `ssh`         | [SSH](./ssh)                 |
+ | `vmess`       | [VMess](./vmess)             |
+  | `trojan`      | [Trojan](./trojan)           |
 | `dns`         | [DNS](./dns)                 |
 | `selector`    | [Selector](./selector)       |

--- a/Show More
+++ b/Show More