documentation: Bump version

Co-authored-by: anytls <anytls>

.fpm_systemd

@@ -8,15 +8,11 @@
 --deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
 --no-deb-generate-changes
 --config-files /etc/sing-box/config.json
---after-install release/config/sing-box.postinst
 
 release/config/config.json=/etc/sing-box/config.json
 
 release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
 release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
-release/config/sing-box.sysusers=/usr/lib/sysusers.d/sing-box.conf
-release/config/sing-box.rules=usr/share/polkit-1/rules.d/sing-box.rules
-release/config/sing-box-split-dns.xml=/usr/share/dbus-1/system.d/sing-box-split-dns.conf
 
 release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
 release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish

.github/workflows/build.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24
+          go-version: ^1.24.2
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -109,7 +109,7 @@ jobs:
         if: ${{ ! matrix.legacy_go }}
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24
+          go-version: ^1.24.2
       - name: Cache Legacy Go
         if: matrix.require_legacy_go
         id: cache-legacy-go
@@ -140,7 +140,7 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale'
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_acme,with_clash_api,with_tailscale'
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
       - name: Build
         if: matrix.os != 'android'
@@ -294,7 +294,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24
+          go-version: ^1.24.2
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -374,7 +374,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24
+          go-version: ^1.24.2
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -472,15 +472,15 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24
+          go-version: ^1.24.2
       - name: Setup Xcode stable
         if: matrix.if && github.ref == 'refs/heads/main-next'
         run: |-
-          sudo xcode-select -s /Applications/Xcode_16.4.app
+          sudo xcode-select -s /Applications/Xcode_16.2.app
       - name: Setup Xcode beta
         if: matrix.if && github.ref == 'refs/heads/dev-next'
         run: |-
-          sudo xcode-select -s /Applications/Xcode_16.4.app
+          sudo xcode-select -s /Applications/Xcode_16.2.app
       - name: Set tag
         if: matrix.if
         run: |-
@@ -615,7 +615,7 @@ jobs:
           path: 'dist'
   upload:
     name: Upload builds
-    if: "!failure() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')"
+    if: always() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')
     runs-on: ubuntu-latest
     needs:
       - calculate_version

.github/workflows/lint.yml

@@ -28,7 +28,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24
+          go-version: ^1.24.2
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:

.github/workflows/linux.yml

@@ -25,7 +25,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24
+          go-version: ^1.24.2
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -66,7 +66,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24
+          go-version: ^1.24.2
       - name: Setup Android NDK
         if: matrix.os == 'android'
         uses: nttld/setup-ndk@v1
@@ -80,7 +80,10 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale'
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_acme,with_clash_api'
+          if [ ! '${{ matrix.legacy_go }}' = 'true' ]; then
+            TAGS="${TAGS},with_ech"
+          fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
       - name: Build
         run: |

.golangci.yml

@@ -21,13 +21,14 @@ linters-settings:
       - -SA1003
 
 run:
-  go: "1.23"
+  go: "1.24"
   build-tags:
     - with_gvisor
     - with_quic
     - with_dhcp
     - with_wireguard
     - with_utls
+    - with_reality_server
     - with_acme
     - with_clash_api
 

.goreleaser.fury.yaml

@@ -15,6 +15,7 @@ builds:
       - with_dhcp
       - with_wireguard
       - with_utls
+      - with_reality_server
       - with_acme
       - with_clash_api
       - with_tailscale
@@ -55,12 +56,6 @@ nfpms:
         dst: /usr/lib/systemd/system/sing-box.service
       - src: release/config/sing-box@.service
         dst: /usr/lib/systemd/system/sing-box@.service
-      - src: release/config/sing-box.sysusers
-        dst: /usr/lib/sysusers.d/sing-box.conf
-      - src: release/config/sing-box.rules
-        dst: /usr/share/polkit-1/rules.d/sing-box.rules
-      - src: release/config/sing-box-split-dns.xml
-        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
 
       - src: release/completions/sing-box.bash
         dst: /usr/share/bash-completion/completions/sing-box.bash

.goreleaser.yaml

@@ -17,6 +17,7 @@ builds:
       - with_dhcp
       - with_wireguard
       - with_utls
+      - with_reality_server
       - with_acme
       - with_clash_api
       - with_tailscale
@@ -46,6 +47,7 @@ builds:
       - with_dhcp
       - with_wireguard
       - with_utls
+      - with_reality_server
       - with_acme
       - with_clash_api
       - with_tailscale
@@ -136,12 +138,6 @@ nfpms:
         dst: /usr/lib/systemd/system/sing-box.service
       - src: release/config/sing-box@.service
         dst: /usr/lib/systemd/system/sing-box@.service
-      - src: release/config/sing-box.sysusers
-        dst: /usr/lib/sysusers.d/sing-box.conf
-      - src: release/config/sing-box.rules
-        dst: /usr/share/polkit-1/rules.d/sing-box.rules
-      - src: release/config/sing-box-split-dns.xml
-        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
 
       - src: release/completions/sing-box.bash
         dst: /usr/share/bash-completion/completions/sing-box.bash

Dockerfile

@@ -13,7 +13,7 @@ RUN set -ex \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
     && go build -v -trimpath -tags \
-        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale" \
+        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_acme,with_clash_api,with_tailscale" \
         -o /go/bin/sing-box \
         -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
         ./cmd/sing-box

Makefile

@@ -1,10 +1,11 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale
+TAGS ?= with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls,with_tailscale
+TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_utls,with_reality_server
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
-VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)
+VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)
 
 PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
 MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
@@ -108,16 +109,6 @@ upload_ios_app_store:
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
 
-export_ios_ipa:
-	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Export.plist -allowProvisioningUpdates -exportPath build/SFI && \
-	cp build/SFI/sing-box.ipa dist/SFI.ipa
-
-upload_ios_ipa:
-	cd dist && \
-	cp SFI.ipa "SFI-${VERSION}.ipa" && \
-	ghr --replace --draft --prerelease "v${VERSION}" "SFI-${VERSION}.ipa"
-
 release_ios: build_ios upload_ios_app_store
 
 build_macos:
@@ -185,16 +176,6 @@ upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
 
-export_tvos_ipa:
-	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Export.plist -allowProvisioningUpdates -exportPath build/SFT && \
-	cp build/SFT/sing-box.ipa dist/SFT.ipa
-
-upload_tvos_ipa:
-	cd dist && \
-	cp SFT.ipa "SFT-${VERSION}.ipa" && \
-	ghr --replace --draft --prerelease "v${VERSION}" "SFT-${VERSION}.ipa"
-
 release_tvos: build_tvos upload_tvos_app_store
 
 update_apple_version:

adapter/dns.go

@@ -3,14 +3,11 @@ package adapter
 import (
 	"context"
 	"net/netip"
-	"time"
 
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
-	"github.com/sagernet/sing/service"
 
 	"github.com/miekg/dns"
 )
@@ -34,32 +31,11 @@ type DNSClient interface {
 }
 
 type DNSQueryOptions struct {
-	Transport      DNSTransport
-	Strategy       C.DomainStrategy
-	LookupStrategy C.DomainStrategy
-	Timeout        time.Duration
-	DisableCache   bool
-	RewriteTTL     *uint32
-	ClientSubnet   netip.Prefix
-}
-
-func DNSQueryOptionsFrom(ctx context.Context, options *option.DomainResolveOptions) (*DNSQueryOptions, error) {
-	if options == nil {
-		return &DNSQueryOptions{}, nil
-	}
-	transportManager := service.FromContext[DNSTransportManager](ctx)
-	transport, loaded := transportManager.Transport(options.Server)
-	if !loaded {
-		return nil, E.New("domain resolver not found: " + options.Server)
-	}
-	return &DNSQueryOptions{
-		Transport:    transport,
-		Strategy:     C.DomainStrategy(options.Strategy),
-		Timeout:      time.Duration(options.Timeout),
-		DisableCache: options.DisableCache,
-		RewriteTTL:   options.RewriteTTL,
-		ClientSubnet: options.ClientSubnet.Build(netip.Prefix{}),
-	}, nil
+	Transport    DNSTransport
+	Strategy     C.DomainStrategy
+	DisableCache bool
+	RewriteTTL   *uint32
+	ClientSubnet netip.Prefix
 }
 
 type RDRCStore interface {
@@ -73,7 +49,6 @@ type DNSTransport interface {
 	Type() string
 	Tag() string
 	Dependencies() []string
-	HasDetour() bool
 	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
 }
 

adapter/fakeip.go

@@ -7,7 +7,7 @@ import (
 )
 
 type FakeIPStore interface {
-	SimpleLifecycle
+	Service
 	Contains(address netip.Addr) bool
 	Create(domain string, isIPv6 bool) (netip.Addr, error)
 	Lookup(address netip.Addr) (string, bool)

adapter/inbound.go

@@ -53,11 +53,11 @@ type InboundContext struct {
 
 	// sniffer
 
-	Protocol     string
-	Domain       string
-	Client       string
-	SniffContext any
-	SniffError   error
+	Protocol         string
+	Domain           string
+	Client           string
+	SniffContext     any
+	PacketSniffError error
 
 	// cache
 
@@ -74,7 +74,6 @@ type InboundContext struct {
 	UDPTimeout                time.Duration
 	TLSFragment               bool
 	TLSFragmentFallbackDelay  time.Duration
-	TLSRecordFragment         bool
 
 	NetworkStrategy     *C.NetworkStrategy
 	NetworkType         []C.InterfaceType

adapter/inbound/manager.go

@@ -37,14 +37,13 @@ func NewManager(logger log.ContextLogger, registry adapter.InboundRegistry, endp
 
 func (m *Manager) Start(stage adapter.StartStage) error {
 	m.access.Lock()
+	defer m.access.Unlock()
 	if m.started && m.stage >= stage {
 		panic("already started")
 	}
 	m.started = true
 	m.stage = stage
-	inbounds := m.inbounds
-	m.access.Unlock()
-	for _, inbound := range inbounds {
+	for _, inbound := range m.inbounds {
 		err := adapter.LegacyStart(inbound, stage)
 		if err != nil {
 			return E.Cause(err, stage, " inbound/", inbound.Type(), "[", inbound.Tag(), "]")

adapter/lifecycle.go

@@ -2,11 +2,6 @@ package adapter
 
 import E "github.com/sagernet/sing/common/exceptions"
 
-type SimpleLifecycle interface {
-	Start() error
-	Close() error
-}
-
 type StartStage uint8
 
 const (

adapter/lifecycle_legacy.go

@@ -28,14 +28,14 @@ func LegacyStart(starter any, stage StartStage) error {
 }
 
 type lifecycleServiceWrapper struct {
-	SimpleLifecycle
+	Service
 	name string
 }
 
-func NewLifecycleService(service SimpleLifecycle, name string) LifecycleService {
+func NewLifecycleService(service Service, name string) LifecycleService {
 	return &lifecycleServiceWrapper{
-		SimpleLifecycle: service,
-		name:            name,
+		Service: service,
+		name:    name,
 	}
 }
 
@@ -44,9 +44,9 @@ func (l *lifecycleServiceWrapper) Name() string {
 }
 
 func (l *lifecycleServiceWrapper) Start(stage StartStage) error {
-	return LegacyStart(l.SimpleLifecycle, stage)
+	return LegacyStart(l.Service, stage)
 }
 
 func (l *lifecycleServiceWrapper) Close() error {
-	return l.SimpleLifecycle.Close()
+	return l.Service.Close()
 }

adapter/rule.go

@@ -11,7 +11,7 @@ type HeadlessRule interface {
 
 type Rule interface {
 	HeadlessRule
-	SimpleLifecycle
+	Service
 	Type() string
 	Action() RuleAction
 }

adapter/service.go

@@ -1,27 +1,6 @@
 package adapter
 
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-)
-
 type Service interface {
-	Lifecycle
-	Type() string
-	Tag() string
-}
-
-type ServiceRegistry interface {
-	option.ServiceOptionsRegistry
-	Create(ctx context.Context, logger log.ContextLogger, tag string, serviceType string, options any) (Service, error)
-}
-
-type ServiceManager interface {
-	Lifecycle
-	Services() []Service
-	Get(tag string) (Service, bool)
-	Remove(tag string) error
-	Create(ctx context.Context, logger log.ContextLogger, tag string, serviceType string, options any) error
+	Start() error
+	Close() error
 }

adapter/service/adapter.go

@@ -1,21 +0,0 @@
-package service
-
-type Adapter struct {
-	serviceType string
-	serviceTag  string
-}
-
-func NewAdapter(serviceType string, serviceTag string) Adapter {
-	return Adapter{
-		serviceType: serviceType,
-		serviceTag:  serviceTag,
-	}
-}
-
-func (a *Adapter) Type() string {
-	return a.serviceType
-}
-
-func (a *Adapter) Tag() string {
-	return a.serviceTag
-}

adapter/service/manager.go

@@ -1,144 +0,0 @@
-package service
-
-import (
-	"context"
-	"os"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/taskmonitor"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-var _ adapter.ServiceManager = (*Manager)(nil)
-
-type Manager struct {
-	logger       log.ContextLogger
-	registry     adapter.ServiceRegistry
-	access       sync.Mutex
-	started      bool
-	stage        adapter.StartStage
-	services     []adapter.Service
-	serviceByTag map[string]adapter.Service
-}
-
-func NewManager(logger log.ContextLogger, registry adapter.ServiceRegistry) *Manager {
-	return &Manager{
-		logger:       logger,
-		registry:     registry,
-		serviceByTag: make(map[string]adapter.Service),
-	}
-}
-
-func (m *Manager) Start(stage adapter.StartStage) error {
-	m.access.Lock()
-	if m.started && m.stage >= stage {
-		panic("already started")
-	}
-	m.started = true
-	m.stage = stage
-	services := m.services
-	m.access.Unlock()
-	for _, service := range services {
-		err := adapter.LegacyStart(service, stage)
-		if err != nil {
-			return E.Cause(err, stage, " service/", service.Type(), "[", service.Tag(), "]")
-		}
-	}
-	return nil
-}
-
-func (m *Manager) Close() error {
-	m.access.Lock()
-	defer m.access.Unlock()
-	if !m.started {
-		return nil
-	}
-	m.started = false
-	services := m.services
-	m.services = nil
-	monitor := taskmonitor.New(m.logger, C.StopTimeout)
-	var err error
-	for _, service := range services {
-		monitor.Start("close service/", service.Type(), "[", service.Tag(), "]")
-		err = E.Append(err, service.Close(), func(err error) error {
-			return E.Cause(err, "close service/", service.Type(), "[", service.Tag(), "]")
-		})
-		monitor.Finish()
-	}
-	return nil
-}
-
-func (m *Manager) Services() []adapter.Service {
-	m.access.Lock()
-	defer m.access.Unlock()
-	return m.services
-}
-
-func (m *Manager) Get(tag string) (adapter.Service, bool) {
-	m.access.Lock()
-	service, found := m.serviceByTag[tag]
-	m.access.Unlock()
-	return service, found
-}
-
-func (m *Manager) Remove(tag string) error {
-	m.access.Lock()
-	service, found := m.serviceByTag[tag]
-	if !found {
-		m.access.Unlock()
-		return os.ErrInvalid
-	}
-	delete(m.serviceByTag, tag)
-	index := common.Index(m.services, func(it adapter.Service) bool {
-		return it == service
-	})
-	if index == -1 {
-		panic("invalid service index")
-	}
-	m.services = append(m.services[:index], m.services[index+1:]...)
-	started := m.started
-	m.access.Unlock()
-	if started {
-		return service.Close()
-	}
-	return nil
-}
-
-func (m *Manager) Create(ctx context.Context, logger log.ContextLogger, tag string, serviceType string, options any) error {
-	service, err := m.registry.Create(ctx, logger, tag, serviceType, options)
-	if err != nil {
-		return err
-	}
-	m.access.Lock()
-	defer m.access.Unlock()
-	if m.started {
-		for _, stage := range adapter.ListStartStages {
-			err = adapter.LegacyStart(service, stage)
-			if err != nil {
-				return E.Cause(err, stage, " service/", service.Type(), "[", service.Tag(), "]")
-			}
-		}
-	}
-	if existsService, loaded := m.serviceByTag[tag]; loaded {
-		if m.started {
-			err = existsService.Close()
-			if err != nil {
-				return E.Cause(err, "close service/", existsService.Type(), "[", existsService.Tag(), "]")
-			}
-		}
-		existsIndex := common.Index(m.services, func(it adapter.Service) bool {
-			return it == existsService
-		})
-		if existsIndex == -1 {
-			panic("invalid service index")
-		}
-		m.services = append(m.services[:existsIndex], m.services[existsIndex+1:]...)
-	}
-	m.services = append(m.services, service)
-	m.serviceByTag[tag] = service
-	return nil
-}

adapter/service/registry.go

@@ -1,72 +0,0 @@
-package service
-
-import (
-	"context"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type ConstructorFunc[T any] func(ctx context.Context, logger log.ContextLogger, tag string, options T) (adapter.Service, error)
-
-func Register[Options any](registry *Registry, outboundType string, constructor ConstructorFunc[Options]) {
-	registry.register(outboundType, func() any {
-		return new(Options)
-	}, func(ctx context.Context, logger log.ContextLogger, tag string, rawOptions any) (adapter.Service, error) {
-		var options *Options
-		if rawOptions != nil {
-			options = rawOptions.(*Options)
-		}
-		return constructor(ctx, logger, tag, common.PtrValueOrDefault(options))
-	})
-}
-
-var _ adapter.ServiceRegistry = (*Registry)(nil)
-
-type (
-	optionsConstructorFunc func() any
-	constructorFunc        func(ctx context.Context, logger log.ContextLogger, tag string, options any) (adapter.Service, error)
-)
-
-type Registry struct {
-	access      sync.Mutex
-	optionsType map[string]optionsConstructorFunc
-	constructor map[string]constructorFunc
-}
-
-func NewRegistry() *Registry {
-	return &Registry{
-		optionsType: make(map[string]optionsConstructorFunc),
-		constructor: make(map[string]constructorFunc),
-	}
-}
-
-func (m *Registry) CreateOptions(outboundType string) (any, bool) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	optionsConstructor, loaded := m.optionsType[outboundType]
-	if !loaded {
-		return nil, false
-	}
-	return optionsConstructor(), true
-}
-
-func (m *Registry) Create(ctx context.Context, logger log.ContextLogger, tag string, outboundType string, options any) (adapter.Service, error) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	constructor, loaded := m.constructor[outboundType]
-	if !loaded {
-		return nil, E.New("outbound type not found: " + outboundType)
-	}
-	return constructor(ctx, logger, tag, options)
-}
-
-func (m *Registry) register(outboundType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	m.optionsType[outboundType] = optionsConstructor
-	m.constructor[outboundType] = constructor
-}

adapter/ssm.go

@@ -1,18 +0,0 @@
-package adapter
-
-import (
-	"net"
-
-	N "github.com/sagernet/sing/common/network"
-)
-
-type ManagedSSMServer interface {
-	Inbound
-	SetTracker(tracker SSMTracker)
-	UpdateUsers(users []string, uPSKs []string) error
-}
-
-type SSMTracker interface {
-	TrackConnection(conn net.Conn, metadata InboundContext) net.Conn
-	TrackPacketConnection(conn N.PacketConn, metadata InboundContext) N.PacketConn
-}

adapter/time.go

@@ -3,6 +3,6 @@ package adapter
 import "time"
 
 type TimeService interface {
-	SimpleLifecycle
+	Service
 	TimeFunc() func() time.Time
 }

box.go

@@ -12,7 +12,6 @@ import (
 	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
-	boxService "github.com/sagernet/sing-box/adapter/service"
 	"github.com/sagernet/sing-box/common/certificate"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -35,23 +34,22 @@ import (
 	"github.com/sagernet/sing/service/pause"
 )
 
-var _ adapter.SimpleLifecycle = (*Box)(nil)
+var _ adapter.Service = (*Box)(nil)
 
 type Box struct {
-	createdAt       time.Time
-	logFactory      log.Factory
-	logger          log.ContextLogger
-	network         *route.NetworkManager
-	endpoint        *endpoint.Manager
-	inbound         *inbound.Manager
-	outbound        *outbound.Manager
-	service         *boxService.Manager
-	dnsTransport    *dns.TransportManager
-	dnsRouter       *dns.Router
-	connection      *route.ConnectionManager
-	router          *route.Router
-	internalService []adapter.LifecycleService
-	done            chan struct{}
+	createdAt    time.Time
+	logFactory   log.Factory
+	logger       log.ContextLogger
+	network      *route.NetworkManager
+	endpoint     *endpoint.Manager
+	inbound      *inbound.Manager
+	outbound     *outbound.Manager
+	dnsTransport *dns.TransportManager
+	dnsRouter    *dns.Router
+	connection   *route.ConnectionManager
+	router       *route.Router
+	services     []adapter.LifecycleService
+	done         chan struct{}
 }
 
 type Options struct {
@@ -66,7 +64,6 @@ func Context(
 	outboundRegistry adapter.OutboundRegistry,
 	endpointRegistry adapter.EndpointRegistry,
 	dnsTransportRegistry adapter.DNSTransportRegistry,
-	serviceRegistry adapter.ServiceRegistry,
 ) context.Context {
 	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
 		service.FromContext[adapter.InboundRegistry](ctx) == nil {
@@ -87,10 +84,6 @@ func Context(
 		ctx = service.ContextWith[option.DNSTransportOptionsRegistry](ctx, dnsTransportRegistry)
 		ctx = service.ContextWith[adapter.DNSTransportRegistry](ctx, dnsTransportRegistry)
 	}
-	if service.FromContext[adapter.ServiceRegistry](ctx) == nil {
-		ctx = service.ContextWith[option.ServiceOptionsRegistry](ctx, serviceRegistry)
-		ctx = service.ContextWith[adapter.ServiceRegistry](ctx, serviceRegistry)
-	}
 	return ctx
 }
 
@@ -106,7 +99,6 @@ func New(options Options) (*Box, error) {
 	inboundRegistry := service.FromContext[adapter.InboundRegistry](ctx)
 	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
 	dnsTransportRegistry := service.FromContext[adapter.DNSTransportRegistry](ctx)
-	serviceRegistry := service.FromContext[adapter.ServiceRegistry](ctx)
 
 	if endpointRegistry == nil {
 		return nil, E.New("missing endpoint registry in context")
@@ -117,12 +109,6 @@ func New(options Options) (*Box, error) {
 	if outboundRegistry == nil {
 		return nil, E.New("missing outbound registry in context")
 	}
-	if dnsTransportRegistry == nil {
-		return nil, E.New("missing DNS transport registry in context")
-	}
-	if serviceRegistry == nil {
-		return nil, E.New("missing service registry in context")
-	}
 
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
@@ -156,7 +142,7 @@ func New(options Options) (*Box, error) {
 		return nil, E.Cause(err, "create log factory")
 	}
 
-	var internalServices []adapter.LifecycleService
+	var services []adapter.LifecycleService
 	certificateOptions := common.PtrValueOrDefault(options.Certificate)
 	if C.IsAndroid || certificateOptions.Store != "" && certificateOptions.Store != C.CertificateStoreSystem ||
 		len(certificateOptions.Certificate) > 0 ||
@@ -167,7 +153,7 @@ func New(options Options) (*Box, error) {
 			return nil, err
 		}
 		service.MustRegister[adapter.CertificateStore](ctx, certificateStore)
-		internalServices = append(internalServices, certificateStore)
+		services = append(services, certificateStore)
 	}
 
 	routeOptions := common.PtrValueOrDefault(options.Route)
@@ -176,12 +162,10 @@ func New(options Options) (*Box, error) {
 	inboundManager := inbound.NewManager(logFactory.NewLogger("inbound"), inboundRegistry, endpointManager)
 	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, endpointManager, routeOptions.Final)
 	dnsTransportManager := dns.NewTransportManager(logFactory.NewLogger("dns/transport"), dnsTransportRegistry, outboundManager, dnsOptions.Final)
-	serviceManager := boxService.NewManager(logFactory.NewLogger("service"), serviceRegistry)
 	service.MustRegister[adapter.EndpointManager](ctx, endpointManager)
 	service.MustRegister[adapter.InboundManager](ctx, inboundManager)
 	service.MustRegister[adapter.OutboundManager](ctx, outboundManager)
 	service.MustRegister[adapter.DNSTransportManager](ctx, dnsTransportManager)
-	service.MustRegister[adapter.ServiceManager](ctx, serviceManager)
 	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
 	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
 	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions)
@@ -296,24 +280,6 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize outbound[", i, "]")
 		}
 	}
-	for i, serviceOptions := range options.Services {
-		var tag string
-		if serviceOptions.Tag != "" {
-			tag = serviceOptions.Tag
-		} else {
-			tag = F.ToString(i)
-		}
-		err = serviceManager.Create(
-			ctx,
-			logFactory.NewLogger(F.ToString("service/", serviceOptions.Type, "[", tag, "]")),
-			tag,
-			serviceOptions.Type,
-			serviceOptions.Options,
-		)
-		if err != nil {
-			return nil, E.Cause(err, "initialize service[", i, "]")
-		}
-	}
 	outboundManager.Initialize(common.Must1(
 		direct.NewOutbound(
 			ctx,
@@ -339,7 +305,7 @@ func New(options Options) (*Box, error) {
 	if needCacheFile {
 		cacheFile := cachefile.New(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
 		service.MustRegister[adapter.CacheFile](ctx, cacheFile)
-		internalServices = append(internalServices, cacheFile)
+		services = append(services, cacheFile)
 	}
 	if needClashAPI {
 		clashAPIOptions := common.PtrValueOrDefault(experimentalOptions.ClashAPI)
@@ -350,7 +316,7 @@ func New(options Options) (*Box, error) {
 		}
 		router.AppendTracker(clashServer)
 		service.MustRegister[adapter.ClashServer](ctx, clashServer)
-		internalServices = append(internalServices, clashServer)
+		services = append(services, clashServer)
 	}
 	if needV2RayAPI {
 		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(experimentalOptions.V2RayAPI))
@@ -359,7 +325,7 @@ func New(options Options) (*Box, error) {
 		}
 		if v2rayServer.StatsService() != nil {
 			router.AppendTracker(v2rayServer.StatsService())
-			internalServices = append(internalServices, v2rayServer)
+			services = append(services, v2rayServer)
 			service.MustRegister[adapter.V2RayServer](ctx, v2rayServer)
 		}
 	}
@@ -377,23 +343,22 @@ func New(options Options) (*Box, error) {
 			WriteToSystem: ntpOptions.WriteToSystem,
 		})
 		timeService.TimeService = ntpService
-		internalServices = append(internalServices, adapter.NewLifecycleService(ntpService, "ntp service"))
+		services = append(services, adapter.NewLifecycleService(ntpService, "ntp service"))
 	}
 	return &Box{
-		network:         networkManager,
-		endpoint:        endpointManager,
-		inbound:         inboundManager,
-		outbound:        outboundManager,
-		dnsTransport:    dnsTransportManager,
-		service:         serviceManager,
-		dnsRouter:       dnsRouter,
-		connection:      connectionManager,
-		router:          router,
-		createdAt:       createdAt,
-		logFactory:      logFactory,
-		logger:          logFactory.Logger(),
-		internalService: internalServices,
-		done:            make(chan struct{}),
+		network:      networkManager,
+		endpoint:     endpointManager,
+		inbound:      inboundManager,
+		outbound:     outboundManager,
+		dnsTransport: dnsTransportManager,
+		dnsRouter:    dnsRouter,
+		connection:   connectionManager,
+		router:       router,
+		createdAt:    createdAt,
+		logFactory:   logFactory,
+		logger:       logFactory.Logger(),
+		services:     services,
+		done:         make(chan struct{}),
 	}, nil
 }
 
@@ -443,11 +408,11 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return E.Cause(err, "start logger")
 	}
-	err = adapter.StartNamed(adapter.StartStateInitialize, s.internalService) // cache-file clash-api v2ray-api
+	err = adapter.StartNamed(adapter.StartStateInitialize, s.services) // cache-file clash-api v2ray-api
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
@@ -463,27 +428,31 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(adapter.StartStateStart, s.internalService)
+	err = adapter.StartNamed(adapter.StartStateStart, s.services)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStart, s.inbound, s.endpoint, s.service)
+	err = s.inbound.Start(adapter.StartStateStart)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(adapter.StartStateStart, s.endpoint)
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(adapter.StartStatePostStart, s.internalService)
+	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.StartNamed(adapter.StartStatePostStart, s.services)
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(adapter.StartStateStarted, s.internalService)
+	err = adapter.Start(adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
+	if err != nil {
+		return err
+	}
+	err = adapter.StartNamed(adapter.StartStateStarted, s.services)
 	if err != nil {
 		return err
 	}
@@ -498,9 +467,9 @@ func (s *Box) Close() error {
 		close(s.done)
 	}
 	err := common.Close(
-		s.service, s.endpoint, s.inbound, s.outbound, s.router, s.connection, s.dnsRouter, s.dnsTransport, s.network,
+		s.inbound, s.outbound, s.endpoint, s.router, s.connection, s.dnsRouter, s.dnsTransport, s.network,
 	)
-	for _, lifecycleService := range s.internalService {
+	for _, lifecycleService := range s.services {
 		err = E.Append(err, lifecycleService.Close(), func(err error) error {
 			return E.Cause(err, "close ", lifecycleService.Name())
 		})

cmd/internal/app_store_connect/main.go

@@ -105,7 +105,7 @@ func publishTestflight(ctx context.Context) error {
 		return err
 	}
 	tag := tagVersion.VersionString()
-	client := createClient(20 * time.Minute)
+	client := createClient(10 * time.Minute)
 
 	log.Info(tag, " list build IDs")
 	buildIDsResponse, _, err := client.TestFlight.ListBuildIDsForBetaGroup(ctx, groupID, nil)
@@ -145,7 +145,7 @@ func publishTestflight(ctx context.Context) error {
 				return err
 			}
 			build := builds.Data[0]
-			if common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 30*time.Minute {
+			if common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 5*time.Minute {
 				log.Info(string(platform), " ", tag, " waiting for process")
 				time.Sleep(15 * time.Second)
 				continue

cmd/internal/build_libbox/main.go

@@ -16,17 +16,15 @@ import (
 )
 
 var (
-	debugEnabled  bool
-	target        string
-	platform      string
-	withTailscale bool
+	debugEnabled bool
+	target       string
+	platform     string
 )
 
 func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
 	flag.StringVar(&platform, "platform", "", "specify platform")
-	flag.BoolVar(&withTailscale, "with-tailscale", false, "build tailscale for iOS and tvOS")
 }
 
 func main() {
@@ -61,8 +59,8 @@ func init() {
 	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api", "with_conntrack")
-	iosTags = append(iosTags, "with_dhcp", "with_low_memory")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
+	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	memcTags = append(memcTags, "with_tailscale")
 	debugTags = append(debugTags, "debug")
 }
@@ -153,9 +151,7 @@ func buildApple() {
 		"-v",
 		"-target", bindTarget,
 		"-libname=box",
-	}
-	if !withTailscale {
-		args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
+		"-tags-macos=" + strings.Join(memcTags, ","),
 	}
 
 	if !debugEnabled {
@@ -165,9 +161,6 @@ func buildApple() {
 	}
 
 	tags := append(sharedTags, iosTags...)
-	if withTailscale {
-		tags = append(tags, memcTags...)
-	}
 	if debugEnabled {
 		tags = append(tags, debugTags...)
 	}

cmd/sing-box/cmd.go

@@ -7,6 +7,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
@@ -67,5 +68,6 @@ func preRun(cmd *cobra.Command, args []string) {
 	if len(configPaths) == 0 && len(configDirectories) == 0 {
 		configPaths = append(configPaths, "config.json")
 	}
-	globalCtx = include.Context(service.ContextWith(globalCtx, deprecated.NewStderrManager(log.StdLogger())))
+	globalCtx = service.ContextWith(globalCtx, deprecated.NewStderrManager(log.StdLogger()))
+	globalCtx = box.Context(globalCtx, include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), include.DNSTransportRegistry())
 }

cmd/sing-box/cmd_rule_set_convert.go

@@ -5,7 +5,7 @@ import (
 	"os"
 	"strings"
 
-	"github.com/sagernet/sing-box/common/convertor/adguard"
+	"github.com/sagernet/sing-box/cmd/sing-box/internal/convertor/adguard"
 	"github.com/sagernet/sing-box/common/srs"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
@@ -54,7 +54,7 @@ func convertRuleSet(sourcePath string) error {
 	var rules []option.HeadlessRule
 	switch flagRuleSetConvertType {
 	case "adguard":
-		rules, err = adguard.ToOptions(reader, log.StdLogger())
+		rules, err = adguard.Convert(reader)
 	case "":
 		return E.New("source type is required")
 	default:

cmd/sing-box/cmd_rule_set_decompile.go

@@ -6,10 +6,7 @@ import (
 	"strings"
 
 	"github.com/sagernet/sing-box/common/srs"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 
 	"github.com/spf13/cobra"
@@ -53,11 +50,6 @@ func decompileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
-	if hasRule(ruleSet.Options.Rules, func(rule option.DefaultHeadlessRule) bool {
-		return len(rule.AdGuardDomain) > 0
-	}) {
-		return E.New("unable to decompile binary AdGuard rules to rule-set.")
-	}
 	var outputPath string
 	if flagRuleSetDecompileOutput == flagRuleSetDecompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".srs") {
@@ -83,19 +75,3 @@ func decompileRuleSet(sourcePath string) error {
 	outputFile.Close()
 	return nil
 }
-
-func hasRule(rules []option.HeadlessRule, cond func(rule option.DefaultHeadlessRule) bool) bool {
-	for _, rule := range rules {
-		switch rule.Type {
-		case C.RuleTypeDefault:
-			if cond(rule.DefaultOptions) {
-				return true
-			}
-		case C.RuleTypeLogical:
-			if hasRule(rule.LogicalOptions.Rules, cond) {
-				return true
-			}
-		}
-	}
-	return false
-}

cmd/sing-box/cmd_rule_set_match.go

@@ -5,7 +5,6 @@ import (
 	"context"
 	"io"
 	"os"
-	"path/filepath"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/srs"
@@ -57,14 +56,6 @@ func ruleSetMatch(sourcePath string, domain string) error {
 	if err != nil {
 		return E.Cause(err, "read rule-set")
 	}
-	if flagRuleSetMatchFormat == "" {
-		switch filepath.Ext(sourcePath) {
-		case ".json":
-			flagRuleSetMatchFormat = C.RuleSetFormatSource
-		case ".srs":
-			flagRuleSetMatchFormat = C.RuleSetFormatBinary
-		}
-	}
 	var ruleSet option.PlainRuleSetCompat
 	switch flagRuleSetMatchFormat {
 	case C.RuleSetFormatSource:

cmd/sing-box/internal/convertor/adguard/convertor.go

@@ -2,7 +2,6 @@ package adguard
 
 import (
 	"bufio"
-	"bytes"
 	"io"
 	"net/netip"
 	"os"
@@ -10,10 +9,10 @@ import (
 	"strings"
 
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 )
 
@@ -28,7 +27,7 @@ type agdguardRuleLine struct {
 	isImportant bool
 }
 
-func ToOptions(reader io.Reader, logger logger.Logger) ([]option.HeadlessRule, error) {
+func Convert(reader io.Reader) ([]option.HeadlessRule, error) {
 	scanner := bufio.NewScanner(reader)
 	var (
 		ruleLines    []agdguardRuleLine
@@ -37,10 +36,7 @@ func ToOptions(reader io.Reader, logger logger.Logger) ([]option.HeadlessRule, e
 parseLine:
 	for scanner.Scan() {
 		ruleLine := scanner.Text()
-		if ruleLine == "" {
-			continue
-		}
-		if strings.HasPrefix(ruleLine, "!") || strings.HasPrefix(ruleLine, "#") {
+		if ruleLine == "" || ruleLine[0] == '!' || ruleLine[0] == '#' {
 			continue
 		}
 		originRuleLine := ruleLine
@@ -96,7 +92,7 @@ parseLine:
 				}
 				if !ignored {
 					ignoredLines++
-					logger.Debug("ignored unsupported rule with modifier: ", paramParts[0], ": ", originRuleLine)
+					log.Debug("ignored unsupported rule with modifier: ", paramParts[0], ": ", ruleLine)
 					continue parseLine
 				}
 			}
@@ -124,35 +120,27 @@ parseLine:
 			ruleLine = ruleLine[1 : len(ruleLine)-1]
 			if ignoreIPCIDRRegexp(ruleLine) {
 				ignoredLines++
-				logger.Debug("ignored unsupported rule with IPCIDR regexp: ", originRuleLine)
+				log.Debug("ignored unsupported rule with IPCIDR regexp: ", ruleLine)
 				continue
 			}
 			isRegexp = true
 		} else {
 			if strings.Contains(ruleLine, "://") {
 				ruleLine = common.SubstringAfter(ruleLine, "://")
-				isSuffix = true
 			}
 			if strings.Contains(ruleLine, "/") {
 				ignoredLines++
-				logger.Debug("ignored unsupported rule with path: ", originRuleLine)
+				log.Debug("ignored unsupported rule with path: ", ruleLine)
 				continue
 			}
-			if strings.Contains(ruleLine, "?") || strings.Contains(ruleLine, "&") {
+			if strings.Contains(ruleLine, "##") {
 				ignoredLines++
-				logger.Debug("ignored unsupported rule with query: ", originRuleLine)
+				log.Debug("ignored unsupported rule with element hiding: ", ruleLine)
 				continue
 			}
-			if strings.Contains(ruleLine, "[") || strings.Contains(ruleLine, "]") ||
-				strings.Contains(ruleLine, "(") || strings.Contains(ruleLine, ")") ||
-				strings.Contains(ruleLine, "!") || strings.Contains(ruleLine, "#") {
+			if strings.Contains(ruleLine, "#$#") {
 				ignoredLines++
-				logger.Debug("ignored unsupported cosmetic filter: ", originRuleLine)
-				continue
-			}
-			if strings.Contains(ruleLine, "~") {
-				ignoredLines++
-				logger.Debug("ignored unsupported rule modifier: ", originRuleLine)
+				log.Debug("ignored unsupported rule with element hiding: ", ruleLine)
 				continue
 			}
 			var domainCheck string
@@ -163,7 +151,7 @@ parseLine:
 			}
 			if ruleLine == "" {
 				ignoredLines++
-				logger.Debug("ignored unsupported rule with empty domain", originRuleLine)
+				log.Debug("ignored unsupported rule with empty domain", originRuleLine)
 				continue
 			} else {
 				domainCheck = strings.ReplaceAll(domainCheck, "*", "x")
@@ -171,13 +159,13 @@ parseLine:
 					_, ipErr := parseADGuardIPCIDRLine(ruleLine)
 					if ipErr == nil {
 						ignoredLines++
-						logger.Debug("ignored unsupported rule with IPCIDR: ", originRuleLine)
+						log.Debug("ignored unsupported rule with IPCIDR: ", ruleLine)
 						continue
 					}
 					if M.ParseSocksaddr(domainCheck).Port != 0 {
-						logger.Debug("ignored unsupported rule with port: ", originRuleLine)
+						log.Debug("ignored unsupported rule with port: ", ruleLine)
 					} else {
-						logger.Debug("ignored unsupported rule with invalid domain: ", originRuleLine)
+						log.Debug("ignored unsupported rule with invalid domain: ", ruleLine)
 					}
 					ignoredLines++
 					continue
@@ -295,112 +283,10 @@ parseLine:
 			},
 		}
 	}
-	if ignoredLines > 0 {
-		logger.Info("parsed rules: ", len(ruleLines), "/", len(ruleLines)+ignoredLines)
-	}
+	log.Info("parsed rules: ", len(ruleLines), "/", len(ruleLines)+ignoredLines)
 	return []option.HeadlessRule{currentRule}, nil
 }
 
-var ErrInvalid = E.New("invalid binary AdGuard rule-set")
-
-func FromOptions(rules []option.HeadlessRule) ([]byte, error) {
-	if len(rules) != 1 {
-		return nil, ErrInvalid
-	}
-	rule := rules[0]
-	var (
-		importantDomain             []string
-		importantDomainRegex        []string
-		importantExcludeDomain      []string
-		importantExcludeDomainRegex []string
-		domain                      []string
-		domainRegex                 []string
-		excludeDomain               []string
-		excludeDomainRegex          []string
-	)
-parse:
-	for {
-		switch rule.Type {
-		case C.RuleTypeLogical:
-			if !(len(rule.LogicalOptions.Rules) == 2 && rule.LogicalOptions.Rules[0].Type == C.RuleTypeDefault) {
-				return nil, ErrInvalid
-			}
-			if rule.LogicalOptions.Mode == C.LogicalTypeAnd && rule.LogicalOptions.Rules[0].DefaultOptions.Invert {
-				if len(importantExcludeDomain) == 0 && len(importantExcludeDomainRegex) == 0 {
-					importantExcludeDomain = rule.LogicalOptions.Rules[0].DefaultOptions.AdGuardDomain
-					importantExcludeDomainRegex = rule.LogicalOptions.Rules[0].DefaultOptions.DomainRegex
-					if len(importantExcludeDomain)+len(importantExcludeDomainRegex) == 0 {
-						return nil, ErrInvalid
-					}
-				} else {
-					excludeDomain = rule.LogicalOptions.Rules[0].DefaultOptions.AdGuardDomain
-					excludeDomainRegex = rule.LogicalOptions.Rules[0].DefaultOptions.DomainRegex
-					if len(excludeDomain)+len(excludeDomainRegex) == 0 {
-						return nil, ErrInvalid
-					}
-				}
-			} else if rule.LogicalOptions.Mode == C.LogicalTypeOr && !rule.LogicalOptions.Rules[0].DefaultOptions.Invert {
-				importantDomain = rule.LogicalOptions.Rules[0].DefaultOptions.AdGuardDomain
-				importantDomainRegex = rule.LogicalOptions.Rules[0].DefaultOptions.DomainRegex
-				if len(importantDomain)+len(importantDomainRegex) == 0 {
-					return nil, ErrInvalid
-				}
-			} else {
-				return nil, ErrInvalid
-			}
-			rule = rule.LogicalOptions.Rules[1]
-		case C.RuleTypeDefault:
-			domain = rule.DefaultOptions.AdGuardDomain
-			domainRegex = rule.DefaultOptions.DomainRegex
-			if len(domain)+len(domainRegex) == 0 {
-				return nil, ErrInvalid
-			}
-			break parse
-		}
-	}
-	var output bytes.Buffer
-	for _, ruleLine := range importantDomain {
-		output.WriteString(ruleLine)
-		output.WriteString("$important\n")
-	}
-	for _, ruleLine := range importantDomainRegex {
-		output.WriteString("/")
-		output.WriteString(ruleLine)
-		output.WriteString("/$important\n")
-
-	}
-	for _, ruleLine := range importantExcludeDomain {
-		output.WriteString("@@")
-		output.WriteString(ruleLine)
-		output.WriteString("$important\n")
-	}
-	for _, ruleLine := range importantExcludeDomainRegex {
-		output.WriteString("@@/")
-		output.WriteString(ruleLine)
-		output.WriteString("/$important\n")
-	}
-	for _, ruleLine := range domain {
-		output.WriteString(ruleLine)
-		output.WriteString("\n")
-	}
-	for _, ruleLine := range domainRegex {
-		output.WriteString("/")
-		output.WriteString(ruleLine)
-		output.WriteString("/\n")
-	}
-	for _, ruleLine := range excludeDomain {
-		output.WriteString("@@")
-		output.WriteString(ruleLine)
-		output.WriteString("\n")
-	}
-	for _, ruleLine := range excludeDomainRegex {
-		output.WriteString("@@/")
-		output.WriteString(ruleLine)
-		output.WriteString("/\n")
-	}
-	return output.Bytes(), nil
-}
-
 func ignoreIPCIDRRegexp(ruleLine string) bool {
 	if strings.HasPrefix(ruleLine, "(http?:\\/\\/)") {
 		ruleLine = ruleLine[12:]
@@ -408,9 +294,11 @@ func ignoreIPCIDRRegexp(ruleLine string) bool {
 		ruleLine = ruleLine[13:]
 	} else if strings.HasPrefix(ruleLine, "^") {
 		ruleLine = ruleLine[1:]
+	} else {
+		return false
 	}
-	return common.Error(strconv.ParseUint(common.SubstringBefore(ruleLine, "\\."), 10, 8)) == nil ||
-		common.Error(strconv.ParseUint(common.SubstringBefore(ruleLine, "."), 10, 8)) == nil
+	_, parseErr := strconv.ParseUint(common.SubstringBefore(ruleLine, "\\."), 10, 8)
+	return parseErr == nil
 }
 
 func parseAdGuardHostLine(ruleLine string) (string, error) {

cmd/sing-box/internal/convertor/adguard/convertor_test.go

@@ -7,15 +7,13 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/route/rule"
-	"github.com/sagernet/sing/common/logger"
 
 	"github.com/stretchr/testify/require"
 )
 
 func TestConverter(t *testing.T) {
 	t.Parallel()
-	ruleString := `||sagernet.org^$important
-@@|sing-box.sagernet.org^$important
+	rules, err := Convert(strings.NewReader(`
 ||example.org^
 |example.com^
 example.net^
@@ -23,9 +21,10 @@ example.net^
 ||example.edu.tw^
 |example.gov
 example.arpa
-@@|sagernet.example.org^
-`
-	rules, err := ToOptions(strings.NewReader(ruleString), logger.NOP())
+@@|sagernet.example.org|
+||sagernet.org^$important
+@@|sing-box.sagernet.org^$important
+`))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
 	rule, err := rule.NewHeadlessRule(context.Background(), rules[0])
@@ -76,18 +75,15 @@ example.arpa
 			Domain: domain,
 		}), domain)
 	}
-	ruleFromOptions, err := FromOptions(rules)
-	require.NoError(t, err)
-	require.Equal(t, ruleString, string(ruleFromOptions))
 }
 
 func TestHosts(t *testing.T) {
 	t.Parallel()
-	rules, err := ToOptions(strings.NewReader(`
+	rules, err := Convert(strings.NewReader(`
 127.0.0.1 localhost
 ::1 localhost #[IPv6]
 0.0.0.0 google.com
-`), logger.NOP())
+`))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
 	rule, err := rule.NewHeadlessRule(context.Background(), rules[0])
@@ -114,10 +110,10 @@ func TestHosts(t *testing.T) {
 
 func TestSimpleHosts(t *testing.T) {
 	t.Parallel()
-	rules, err := ToOptions(strings.NewReader(`
+	rules, err := Convert(strings.NewReader(`
 example.com
 www.example.org
-`), logger.NOP())
+`))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
 	rule, err := rule.NewHeadlessRule(context.Background(), rules[0])

common/badtls/read_wait_utls.go

@@ -7,8 +7,7 @@ import (
 	_ "unsafe"
 
 	"github.com/sagernet/sing/common"
-
-	"github.com/metacubex/utls"
+	"github.com/sagernet/utls"
 )
 
 func init() {
@@ -25,8 +24,8 @@ func init() {
 	})
 }
 
-//go:linkname utlsReadRecord github.com/metacubex/utls.(*Conn).readRecord
+//go:linkname utlsReadRecord github.com/sagernet/utls.(*Conn).readRecord
 func utlsReadRecord(c *tls.Conn) error
 
-//go:linkname utlsHandlePostHandshakeMessage github.com/metacubex/utls.(*Conn).handlePostHandshakeMessage
+//go:linkname utlsHandlePostHandshakeMessage github.com/sagernet/utls.(*Conn).handlePostHandshakeMessage
 func utlsHandlePostHandshakeMessage(c *tls.Conn) error

common/dialer/default.go

@@ -66,17 +66,11 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		interfaceFinder = control.NewDefaultInterfaceFinder()
 	}
 	if options.BindInterface != "" {
-		if !(C.IsLinux || C.IsDarwin || C.IsWindows) {
-			return nil, E.New("`bind_interface` is only supported on Linux, macOS and Windows")
-		}
 		bindFunc := control.BindToInterface(interfaceFinder, options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
 	if options.RoutingMark > 0 {
-		if !C.IsLinux {
-			return nil, E.New("`routing_mark` is only supported on Linux")
-		}
 		dialer.Control = control.Append(dialer.Control, setMarkWrapper(networkManager, uint32(options.RoutingMark), false))
 		listener.Control = control.Append(listener.Control, setMarkWrapper(networkManager, uint32(options.RoutingMark), false))
 	}
@@ -97,6 +91,10 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 			} else if networkManager.AutoDetectInterface() {
 				if platformInterface != nil {
 					networkStrategy = (*C.NetworkStrategy)(options.NetworkStrategy)
+					if networkStrategy == nil {
+						networkStrategy = common.Ptr(C.NetworkStrategyDefault)
+						defaultNetworkStrategy = true
+					}
 					networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
 					fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
 					if networkStrategy == nil && len(networkType) == 0 && len(fallbackNetworkType) == 0 {
@@ -108,10 +106,6 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 					if networkFallbackDelay == 0 && defaultOptions.FallbackDelay != 0 {
 						networkFallbackDelay = defaultOptions.FallbackDelay
 					}
-					if networkStrategy == nil {
-						networkStrategy = common.Ptr(C.NetworkStrategyDefault)
-						defaultNetworkStrategy = true
-					}
 					bindFunc := networkManager.ProtectFunc()
 					dialer.Control = control.Append(dialer.Control, bindFunc)
 					listener.Control = control.Append(listener.Control, bindFunc)

common/dialer/dialer.go

@@ -89,7 +89,6 @@ func NewWithOptions(options Options) (N.Dialer, error) {
 			dnsQueryOptions = adapter.DNSQueryOptions{
 				Transport:    transport,
 				Strategy:     strategy,
-				Timeout:      time.Duration(dialOptions.DomainResolver.Timeout),
 				DisableCache: dialOptions.DomainResolver.DisableCache,
 				RewriteTTL:   dialOptions.DomainResolver.RewriteTTL,
 				ClientSubnet: dialOptions.DomainResolver.ClientSubnet.Build(netip.Prefix{}),

common/dialer/tfo.go

@@ -10,7 +10,9 @@ import (
 	"sync"
 	"time"
 
+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 
@@ -24,9 +26,7 @@ type slowOpenConn struct {
 	destination M.Socksaddr
 	conn        net.Conn
 	create      chan struct{}
-	done        chan struct{}
 	access      sync.Mutex
-	closeOnce   sync.Once
 	err         error
 }
 
@@ -45,7 +45,6 @@ func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, des
 		network:     network,
 		destination: destination,
 		create:      make(chan struct{}),
-		done:        make(chan struct{}),
 	}, nil
 }
 
@@ -56,8 +55,8 @@ func (c *slowOpenConn) Read(b []byte) (n int, err error) {
 			if c.err != nil {
 				return 0, c.err
 			}
-		case <-c.done:
-			return 0, os.ErrClosed
+		case <-c.ctx.Done():
+			return 0, c.ctx.Err()
 		}
 	}
 	return c.conn.Read(b)
@@ -75,15 +74,12 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 			return 0, c.err
 		}
 		return c.conn.Write(b)
-	case <-c.done:
-		return 0, os.ErrClosed
 	default:
 	}
-	conn, err := c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
+	c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
 	if err != nil {
-		c.err = err
-	} else {
-		c.conn = conn
+		c.conn = nil
+		c.err = E.Cause(err, "dial tcp fast open")
 	}
 	n = len(b)
 	close(c.create)
@@ -91,13 +87,7 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 }
 
 func (c *slowOpenConn) Close() error {
-	c.closeOnce.Do(func() {
-		close(c.done)
-		if c.conn != nil {
-			c.conn.Close()
-		}
-	})
-	return nil
+	return common.Close(c.conn)
 }
 
 func (c *slowOpenConn) LocalAddr() net.Addr {
@@ -162,8 +152,8 @@ func (c *slowOpenConn) WriteTo(w io.Writer) (n int64, err error) {
 			if c.err != nil {
 				return 0, c.err
 			}
-		case <-c.done:
-			return 0, c.err
+		case <-c.ctx.Done():
+			return 0, c.ctx.Err()
 		}
 	}
 	return bufio.Copy(w, c.conn)

common/humanize/bytes.go

@@ -0,0 +1,158 @@
+package humanize
+
+import (
+	"fmt"
+	"math"
+	"strconv"
+	"strings"
+	"unicode"
+)
+
+// IEC Sizes.
+// kibis of bits
+const (
+	Byte = 1 << (iota * 10)
+	KiByte
+	MiByte
+	GiByte
+	TiByte
+	PiByte
+	EiByte
+)
+
+// SI Sizes.
+const (
+	IByte = 1
+	KByte = IByte * 1000
+	MByte = KByte * 1000
+	GByte = MByte * 1000
+	TByte = GByte * 1000
+	PByte = TByte * 1000
+	EByte = PByte * 1000
+)
+
+var defaultSizeTable = map[string]uint64{
+	"b":   Byte,
+	"kib": KiByte,
+	"kb":  KByte,
+	"mib": MiByte,
+	"mb":  MByte,
+	"gib": GiByte,
+	"gb":  GByte,
+	"tib": TiByte,
+	"tb":  TByte,
+	"pib": PiByte,
+	"pb":  PByte,
+	"eib": EiByte,
+	"eb":  EByte,
+	// Without suffix
+	"":   Byte,
+	"ki": KiByte,
+	"k":  KByte,
+	"mi": MiByte,
+	"m":  MByte,
+	"gi": GiByte,
+	"g":  GByte,
+	"ti": TiByte,
+	"t":  TByte,
+	"pi": PiByte,
+	"p":  PByte,
+	"ei": EiByte,
+	"e":  EByte,
+}
+
+var memorysSizeTable = map[string]uint64{
+	"b":  Byte,
+	"kb": KiByte,
+	"mb": MiByte,
+	"gb": GiByte,
+	"tb": TiByte,
+	"pb": PiByte,
+	"eb": EiByte,
+	"":   Byte,
+	"k":  KiByte,
+	"m":  MiByte,
+	"g":  GiByte,
+	"t":  TiByte,
+	"p":  PiByte,
+	"e":  EiByte,
+}
+
+var (
+	defaultSizes = []string{"B", "kB", "MB", "GB", "TB", "PB", "EB"}
+	iSizes       = []string{"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"}
+)
+
+func Bytes(s uint64) string {
+	return humanateBytes(s, 1000, defaultSizes)
+}
+
+func MemoryBytes(s uint64) string {
+	return humanateBytes(s, 1024, defaultSizes)
+}
+
+func IBytes(s uint64) string {
+	return humanateBytes(s, 1024, iSizes)
+}
+
+func logn(n, b float64) float64 {
+	return math.Log(n) / math.Log(b)
+}
+
+func humanateBytes(s uint64, base float64, sizes []string) string {
+	if s < 10 {
+		return fmt.Sprintf("%d B", s)
+	}
+	e := math.Floor(logn(float64(s), base))
+	suffix := sizes[int(e)]
+	val := math.Floor(float64(s)/math.Pow(base, e)*10+0.5) / 10
+	f := "%.0f %s"
+	if val < 10 {
+		f = "%.1f %s"
+	}
+
+	return fmt.Sprintf(f, val, suffix)
+}
+
+func ParseBytes(s string) (uint64, error) {
+	return parseBytes0(s, defaultSizeTable)
+}
+
+func ParseMemoryBytes(s string) (uint64, error) {
+	return parseBytes0(s, memorysSizeTable)
+}
+
+func parseBytes0(s string, sizeTable map[string]uint64) (uint64, error) {
+	lastDigit := 0
+	hasComma := false
+	for _, r := range s {
+		if !(unicode.IsDigit(r) || r == '.' || r == ',') {
+			break
+		}
+		if r == ',' {
+			hasComma = true
+		}
+		lastDigit++
+	}
+
+	num := s[:lastDigit]
+	if hasComma {
+		num = strings.Replace(num, ",", "", -1)
+	}
+
+	f, err := strconv.ParseFloat(num, 64)
+	if err != nil {
+		return 0, err
+	}
+
+	extra := strings.ToLower(strings.TrimSpace(s[lastDigit:]))
+	if m, ok := sizeTable[extra]; ok {
+		f *= float64(m)
+		if f >= math.MaxUint64 {
+			return 0, fmt.Errorf("too large: %v", s)
+		}
+		return uint64(f), nil
+	}
+
+	return 0, fmt.Errorf("unhandled size name: %v", extra)
+}

common/listener/listener.go

@@ -32,7 +32,6 @@ type Listener struct {
 	disablePacketOutput      bool
 	setSystemProxy           bool
 	systemProxySOCKS         bool
-	tproxy                   bool
 
 	tcpListener          net.Listener
 	systemProxy          settings.SystemProxy
@@ -55,7 +54,6 @@ type Options struct {
 	DisablePacketOutput      bool
 	SetSystemProxy           bool
 	SystemProxySOCKS         bool
-	TProxy                   bool
 }
 
 func New(
@@ -73,7 +71,6 @@ func New(
 		disablePacketOutput:      options.DisablePacketOutput,
 		setSystemProxy:           options.SetSystemProxy,
 		systemProxySOCKS:         options.SystemProxySOCKS,
-		tproxy:                   options.TProxy,
 	}
 }
 

common/listener/listener_tcp.go

@@ -3,18 +3,14 @@ package listener
 import (
 	"net"
 	"net/netip"
-	"syscall"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/redir"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 
 	"github.com/metacubex/tfo-go"
 )
@@ -27,15 +23,6 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 	var err error
 	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(netip.AddrFrom4([4]byte{127, 0, 0, 1})), l.listenOptions.ListenPort)
 	var listenConfig net.ListenConfig
-	if l.listenOptions.BindInterface != "" {
-		listenConfig.Control = control.Append(listenConfig.Control, control.BindToInterface(service.FromContext[adapter.NetworkManager](l.ctx).InterfaceFinder(), l.listenOptions.BindInterface, -1))
-	}
-	if l.listenOptions.RoutingMark != 0 {
-		listenConfig.Control = control.Append(listenConfig.Control, control.RoutingMark(uint32(l.listenOptions.RoutingMark)))
-	}
-	if l.listenOptions.ReuseAddr {
-		listenConfig.Control = control.Append(listenConfig.Control, control.ReuseAddr())
-	}
 	if l.listenOptions.TCPKeepAlive >= 0 {
 		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
 		if keepIdle == 0 {
@@ -53,13 +40,6 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 		}
 		setMultiPathTCP(&listenConfig)
 	}
-	if l.tproxy {
-		listenConfig.Control = control.Append(listenConfig.Control, func(network, address string, conn syscall.RawConn) error {
-			return control.Raw(conn, func(fd uintptr) error {
-				return redir.TProxy(fd, !M.ParseSocksaddr(address).IsIPv4(), false)
-			})
-		})
-	}
 	tcpListener, err := ListenNetworkNamespace[net.Listener](l.listenOptions.NetNs, func() (net.Listener, error) {
 		if l.listenOptions.TCPFastOpen {
 			var tfoConfig tfo.ListenConfig

common/listener/listener_udp.go

@@ -5,30 +5,17 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"syscall"
 
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/redir"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 )
 
 func (l *Listener) ListenUDP() (net.PacketConn, error) {
 	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(netip.AddrFrom4([4]byte{127, 0, 0, 1})), l.listenOptions.ListenPort)
-	var listenConfig net.ListenConfig
-	if l.listenOptions.BindInterface != "" {
-		listenConfig.Control = control.Append(listenConfig.Control, control.BindToInterface(service.FromContext[adapter.NetworkManager](l.ctx).InterfaceFinder(), l.listenOptions.BindInterface, -1))
-	}
-	if l.listenOptions.RoutingMark != 0 {
-		listenConfig.Control = control.Append(listenConfig.Control, control.RoutingMark(uint32(l.listenOptions.RoutingMark)))
-	}
-	if l.listenOptions.ReuseAddr {
-		listenConfig.Control = control.Append(listenConfig.Control, control.ReuseAddr())
-	}
+	var lc net.ListenConfig
 	var udpFragment bool
 	if l.listenOptions.UDPFragment != nil {
 		udpFragment = *l.listenOptions.UDPFragment
@@ -36,17 +23,10 @@ func (l *Listener) ListenUDP() (net.PacketConn, error) {
 		udpFragment = l.listenOptions.UDPFragmentDefault
 	}
 	if !udpFragment {
-		listenConfig.Control = control.Append(listenConfig.Control, control.DisableUDPFragment())
-	}
-	if l.tproxy {
-		listenConfig.Control = control.Append(listenConfig.Control, func(network, address string, conn syscall.RawConn) error {
-			return control.Raw(conn, func(fd uintptr) error {
-				return redir.TProxy(fd, !M.ParseSocksaddr(address).IsIPv4(), true)
-			})
-		})
+		lc.Control = control.Append(lc.Control, control.DisableUDPFragment())
 	}
 	udpConn, err := ListenNetworkNamespace[net.PacketConn](l.listenOptions.NetNs, func() (net.PacketConn, error) {
-		return listenConfig.ListenPacket(l.ctx, M.NetworkFromNetAddr(N.NetworkUDP, bindAddr.Addr), bindAddr.String())
+		return lc.ListenPacket(l.ctx, M.NetworkFromNetAddr(N.NetworkUDP, bindAddr.Addr), bindAddr.String())
 	})
 	if err != nil {
 		return nil, err
@@ -57,32 +37,8 @@ func (l *Listener) ListenUDP() (net.PacketConn, error) {
 	return udpConn, err
 }
 
-func (l *Listener) DialContext(dialer net.Dialer, ctx context.Context, network string, address string) (net.Conn, error) {
-	return ListenNetworkNamespace[net.Conn](l.listenOptions.NetNs, func() (net.Conn, error) {
-		if l.listenOptions.BindInterface != "" {
-			dialer.Control = control.Append(dialer.Control, control.BindToInterface(service.FromContext[adapter.NetworkManager](l.ctx).InterfaceFinder(), l.listenOptions.BindInterface, -1))
-		}
-		if l.listenOptions.RoutingMark != 0 {
-			dialer.Control = control.Append(dialer.Control, control.RoutingMark(uint32(l.listenOptions.RoutingMark)))
-		}
-		if l.listenOptions.ReuseAddr {
-			dialer.Control = control.Append(dialer.Control, control.ReuseAddr())
-		}
-		return dialer.DialContext(ctx, network, address)
-	})
-}
-
 func (l *Listener) ListenPacket(listenConfig net.ListenConfig, ctx context.Context, network string, address string) (net.PacketConn, error) {
 	return ListenNetworkNamespace[net.PacketConn](l.listenOptions.NetNs, func() (net.PacketConn, error) {
-		if l.listenOptions.BindInterface != "" {
-			listenConfig.Control = control.Append(listenConfig.Control, control.BindToInterface(service.FromContext[adapter.NetworkManager](l.ctx).InterfaceFinder(), l.listenOptions.BindInterface, -1))
-		}
-		if l.listenOptions.RoutingMark != 0 {
-			listenConfig.Control = control.Append(listenConfig.Control, control.RoutingMark(uint32(l.listenOptions.RoutingMark)))
-		}
-		if l.listenOptions.ReuseAddr {
-			listenConfig.Control = control.Append(listenConfig.Control, control.ReuseAddr())
-		}
 		return listenConfig.ListenPacket(ctx, network, address)
 	})
 }

common/process/searcher_darwin.go

@@ -76,8 +76,6 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 		// rup8(sizeof(xtcpcb_n))
 		itemSize += 208
 	}
-
-	var fallbackUDPProcess string
 	// skip the first xinpgen(24 bytes) block
 	for i := 24; i+itemSize <= len(buf); i += itemSize {
 		// offset of xinpcb_n and xsocket_n
@@ -92,12 +90,10 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 		flag := buf[inp+44]
 
 		var srcIP netip.Addr
-		srcIsIPv4 := false
 		switch {
 		case flag&0x1 > 0 && isIPv4:
 			// ipv4
 			srcIP = netip.AddrFrom4(*(*[4]byte)(buf[inp+76 : inp+80]))
-			srcIsIPv4 = true
 		case flag&0x2 > 0 && !isIPv4:
 			// ipv6
 			srcIP = netip.AddrFrom16(*(*[16]byte)(buf[inp+64 : inp+80]))
@@ -105,21 +101,13 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 			continue
 		}
 
-		if ip == srcIP {
-			// xsocket_n.so_last_pid
-			pid := readNativeUint32(buf[so+68 : so+72])
-			return getExecPathFromPID(pid)
+		if ip != srcIP {
+			continue
 		}
 
-		// udp packet connection may be not equal with srcIP
-		if network == N.NetworkUDP && srcIP.IsUnspecified() && isIPv4 == srcIsIPv4 {
-			pid := readNativeUint32(buf[so+68 : so+72])
-			fallbackUDPProcess, _ = getExecPathFromPID(pid)
-		}
-	}
-
-	if network == N.NetworkUDP && len(fallbackUDPProcess) > 0 {
-		return fallbackUDPProcess, nil
+		// xsocket_n.so_last_pid
+		pid := readNativeUint32(buf[so+68 : so+72])
+		return getExecPathFromPID(pid)
 	}
 
 	return "", ErrNotFound

common/redir/tproxy_linux.go

@@ -12,7 +12,7 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-func TProxy(fd uintptr, isIPv6 bool, isUDP bool) error {
+func TProxy(fd uintptr, isIPv6 bool) error {
 	err := syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 1)
 	if err == nil {
 		err = syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_TRANSPARENT, 1)
@@ -20,13 +20,11 @@ func TProxy(fd uintptr, isIPv6 bool, isUDP bool) error {
 	if err == nil && isIPv6 {
 		err = syscall.SetsockoptInt(int(fd), syscall.SOL_IPV6, unix.IPV6_TRANSPARENT, 1)
 	}
-	if isUDP {
-		if err == nil {
-			err = syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_RECVORIGDSTADDR, 1)
-		}
-		if err == nil && isIPv6 {
-			err = syscall.SetsockoptInt(int(fd), syscall.SOL_IPV6, unix.IPV6_RECVORIGDSTADDR, 1)
-		}
+	if err == nil {
+		err = syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_RECVORIGDSTADDR, 1)
+	}
+	if err == nil && isIPv6 {
+		err = syscall.SetsockoptInt(int(fd), syscall.SOL_IPV6, unix.IPV6_RECVORIGDSTADDR, 1)
 	}
 	return err
 }

common/redir/tproxy_other.go

@@ -9,7 +9,7 @@ import (
 	"github.com/sagernet/sing/common/control"
 )
 
-func TProxy(fd uintptr, isIPv6 bool, isUDP bool) error {
+func TProxy(fd uintptr, isIPv6 bool) error {
 	return os.ErrInvalid
 }
 

common/srs/binary.go

@@ -215,15 +215,16 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 		case ruleItemWIFIBSSID:
 			rule.WIFIBSSID, err = readRuleItemString(reader)
 		case ruleItemAdGuardDomain:
+			if recover {
+				err = E.New("unable to decompile binary AdGuard rules to rule-set")
+				return
+			}
 			var matcher *domain.AdGuardMatcher
 			matcher, err = domain.ReadAdGuardMatcher(reader)
 			if err != nil {
 				return
 			}
 			rule.AdGuardDomainMatcher = matcher
-			if recover {
-				rule.AdGuardDomain = matcher.Dump()
-			}
 		case ruleItemNetworkType:
 			rule.NetworkType, err = readRuleItemUint8[option.InterfaceType](reader)
 		case ruleItemNetworkIsExpensive:

common/tls/acme.go

@@ -5,13 +5,13 @@ package tls
 import (
 	"context"
 	"crypto/tls"
+	"os"
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/alidns"
@@ -37,38 +37,7 @@ func (w *acmeWrapper) Close() error {
 	return nil
 }
 
-type acmeLogWriter struct {
-	logger logger.Logger
-}
-
-func (w *acmeLogWriter) Write(p []byte) (n int, err error) {
-	logLine := strings.ReplaceAll(string(p), "	", ": ")
-	switch {
-	case strings.HasPrefix(logLine, "error: "):
-		w.logger.Error(logLine[7:])
-	case strings.HasPrefix(logLine, "warn: "):
-		w.logger.Warn(logLine[6:])
-	case strings.HasPrefix(logLine, "info: "):
-		w.logger.Info(logLine[6:])
-	case strings.HasPrefix(logLine, "debug: "):
-		w.logger.Debug(logLine[7:])
-	default:
-		w.logger.Debug(logLine)
-	}
-	return len(p), nil
-}
-
-func (w *acmeLogWriter) Sync() error {
-	return nil
-}
-
-func encoderConfig() zapcore.EncoderConfig {
-	config := zap.NewProductionEncoderConfig()
-	config.TimeKey = zapcore.OmitKey
-	return config
-}
-
-func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
+func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
 	var acmeServer string
 	switch options.Provider {
 	case "", "letsencrypt":
@@ -89,15 +58,14 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 	} else {
 		storage = certmagic.Default.Storage
 	}
-	zapLogger := zap.New(zapcore.NewCore(
-		zapcore.NewConsoleEncoder(encoderConfig()),
-		&acmeLogWriter{logger: logger},
-		zap.DebugLevel,
-	))
 	config := &certmagic.Config{
 		DefaultServerName: options.DefaultServerName,
 		Storage:           storage,
-		Logger:            zapLogger,
+		Logger: zap.New(zapcore.NewCore(
+			zapcore.NewConsoleEncoder(zap.NewProductionEncoderConfig()),
+			os.Stderr,
+			zap.InfoLevel,
+		)),
 	}
 	acmeConfig := certmagic.ACMEIssuer{
 		CA:                      acmeServer,
@@ -107,7 +75,7 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		DisableTLSALPNChallenge: options.DisableTLSALPNChallenge,
 		AltHTTPPort:             int(options.AlternativeHTTPPort),
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
-		Logger:                  zapLogger,
+		Logger:                  config.Logger,
 	}
 	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
 		var solver certmagic.DNS01Solver
@@ -135,7 +103,6 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {
 			return config, nil
 		},
-		Logger: zapLogger,
 	})
 	config = certmagic.New(cache, *config)
 	var tlsConfig *tls.Config

common/tls/acme_stub.go

@@ -9,9 +9,8 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 )
 
-func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
+func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
 	return nil, nil, E.New(`ACME is not included in this build, rebuild with -tags with_acme`)
 }

common/tls/config.go

@@ -18,7 +18,6 @@ type (
 	STDConfig       = tls.Config
 	STDConn         = tls.Conn
 	ConnectionState = tls.ConnectionState
-	CurveID         = tls.CurveID
 )
 
 func ParseTLSVersion(version string) (uint16, error) {

common/tls/ech.go

@@ -25,7 +25,7 @@ import (
 	"golang.org/x/crypto/cryptobyte"
 )
 
-func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, options option.OutboundTLSOptions) (Config, error) {
+func parseECHClientConfig(ctx context.Context, options option.OutboundTLSOptions, tlsConfig *tls.Config) (Config, error) {
 	var echConfig []byte
 	if len(options.ECH.Config) > 0 {
 		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
@@ -45,12 +45,12 @@ func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, op
 		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
 			return nil, E.New("invalid ECH configs pem")
 		}
-		clientConfig.SetECHConfigList(block.Bytes)
-		return clientConfig, nil
+		tlsConfig.EncryptedClientHelloConfigList = block.Bytes
+		return &STDClientConfig{tlsConfig}, nil
 	} else {
-		return &ECHClientConfig{
-			ECHCapableConfig: clientConfig,
-			dnsRouter:        service.FromContext[adapter.DNSRouter](ctx),
+		return &STDECHClientConfig{
+			STDClientConfig: STDClientConfig{tlsConfig},
+			dnsRouter:       service.FromContext[adapter.DNSRouter](ctx),
 		}, nil
 	}
 }
@@ -102,15 +102,15 @@ func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
 	return nil
 }
 
-type ECHClientConfig struct {
-	ECHCapableConfig
+type STDECHClientConfig struct {
+	STDClientConfig
 	access     sync.Mutex
 	dnsRouter  adapter.DNSRouter
 	lastTTL    time.Duration
 	lastUpdate time.Time
 }
 
-func (s *ECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
+func (s *STDECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
 	tlsConn, err := s.fetchAndHandshake(ctx, conn)
 	if err != nil {
 		return nil, err
@@ -122,17 +122,17 @@ func (s *ECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (a
 	return tlsConn, nil
 }
 
-func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
+func (s *STDECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
 	s.access.Lock()
 	defer s.access.Unlock()
-	if len(s.ECHConfigList()) == 0 || s.lastTTL == 0 || time.Now().Sub(s.lastUpdate) > s.lastTTL {
+	if len(s.config.EncryptedClientHelloConfigList) == 0 || s.lastTTL == 0 || time.Now().Sub(s.lastUpdate) > s.lastTTL {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
 			},
 			Question: []mDNS.Question{
 				{
-					Name:   mDNS.Fqdn(s.ServerName()),
+					Name:   mDNS.Fqdn(s.config.ServerName),
 					Qtype:  mDNS.TypeHTTPS,
 					Qclass: mDNS.ClassINET,
 				},
@@ -157,21 +157,21 @@ func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn)
 						}
 						s.lastTTL = time.Duration(rr.Header().Ttl) * time.Second
 						s.lastUpdate = time.Now()
-						s.SetECHConfigList(echConfigList)
+						s.config.EncryptedClientHelloConfigList = echConfigList
 						break match
 					}
 				}
 			}
 		}
-		if len(s.ECHConfigList()) == 0 {
+		if len(s.config.EncryptedClientHelloConfigList) == 0 {
 			return nil, E.New("no ECH config found in DNS records")
 		}
 	}
 	return s.Client(conn)
 }
 
-func (s *ECHClientConfig) Clone() Config {
-	return &ECHClientConfig{ECHCapableConfig: s.ECHCapableConfig.Clone().(ECHCapableConfig), dnsRouter: s.dnsRouter, lastUpdate: s.lastUpdate}
+func (s *STDECHClientConfig) Clone() Config {
+	return &STDECHClientConfig{STDClientConfig: STDClientConfig{s.config.Clone()}, dnsRouter: s.dnsRouter, lastUpdate: s.lastUpdate}
 }
 
 func UnmarshalECHKeys(raw []byte) ([]tls.EncryptedClientHelloKey, error) {

common/tls/ech_keygen.go

@@ -11,12 +11,6 @@ import (
 	"github.com/cloudflare/circl/kem"
 )
 
-type ECHCapableConfig interface {
-	Config
-	ECHConfigList() []byte
-	SetECHConfigList([]byte)
-}
-
 func ECHKeygenDefault(serverName string) (configPem string, keyPem string, err error) {
 	cipherSuites := []echCipherSuite{
 		{

common/tls/ech_stub.go

@@ -10,7 +10,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, options option.OutboundTLSOptions) (Config, error) {
+func parseECHClientConfig(ctx context.Context, options option.OutboundTLSOptions, tlsConfig *tls.Config) (Config, error) {
 	return nil, E.New("ECH requires go1.24, please recompile your binary.")
 }
 

common/tls/ech_tag_stub.go

@@ -1,5 +0,0 @@
-//go:build with_ech
-
-package tls
-
-var _ int = "Due to the migration to stdlib, the separate `with_ech` build tag has been deprecated and is no longer needed, please update your build configuration."

common/tls/reality_client.go

@@ -29,13 +29,12 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 	aTLS "github.com/sagernet/sing/common/tls"
+	utls "github.com/sagernet/utls"
 
-	utls "github.com/metacubex/utls"
 	"golang.org/x/crypto/hkdf"
 	"golang.org/x/net/http2"
 )
@@ -74,7 +73,7 @@ func NewRealityClient(ctx context.Context, serverAddress string, options option.
 	if decodedLen > 8 {
 		return nil, E.New("invalid short_id")
 	}
-	return &RealityClientConfig{ctx, uClient.(*UTLSClientConfig), publicKey, shortID}, nil
+	return &RealityClientConfig{ctx, uClient, publicKey, shortID}, nil
 }
 
 func (e *RealityClientConfig) ServerName() string {
@@ -115,22 +114,6 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	if err != nil {
 		return nil, err
 	}
-	for _, extension := range uConn.Extensions {
-		if ce, ok := extension.(*utls.SupportedCurvesExtension); ok {
-			ce.Curves = common.Filter(ce.Curves, func(curveID utls.CurveID) bool {
-				return curveID != utls.X25519MLKEM768
-			})
-		}
-		if ks, ok := extension.(*utls.KeyShareExtension); ok {
-			ks.KeyShares = common.Filter(ks.KeyShares, func(share utls.KeyShare) bool {
-				return share.Group != utls.X25519MLKEM768
-			})
-		}
-	}
-	err = uConn.BuildHandshakeState()
-	if err != nil {
-		return nil, err
-	}
 
 	if len(uConfig.NextProtos) > 0 {
 		for _, extension := range uConn.Extensions {
@@ -165,13 +148,9 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	if err != nil {
 		return nil, err
 	}
-	keyShareKeys := uConn.HandshakeState.State13.KeyShareKeys
-	if keyShareKeys == nil {
-		return nil, E.New("nil KeyShareKeys")
-	}
-	ecdheKey := keyShareKeys.Ecdhe
+	ecdheKey := uConn.HandshakeState.State13.EcdheKey
 	if ecdheKey == nil {
-		return nil, E.New("nil ecdheKey")
+		return nil, E.New("nil ecdhe_key")
 	}
 	authKey, err := ecdheKey.ECDH(publicKey)
 	if err != nil {
@@ -235,6 +214,10 @@ func realityClientFallback(ctx context.Context, uConn net.Conn, serverName strin
 	response.Body.Close()
 }
 
+func (e *RealityClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
+	e.uClient.config.SessionIDGenerator = generator
+}
+
 func (e *RealityClientConfig) Clone() Config {
 	return &RealityClientConfig{
 		e.ctx,

common/tls/reality_server.go

@@ -1,4 +1,4 @@
-//go:build with_utls
+//go:build with_reality_server
 
 package tls
 
@@ -7,29 +7,28 @@ import (
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/hex"
-	"fmt"
 	"net"
 	"time"
 
+	"github.com/sagernet/reality"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
-
-	utls "github.com/metacubex/utls"
 )
 
 var _ ServerConfigCompat = (*RealityServerConfig)(nil)
 
 type RealityServerConfig struct {
-	config *utls.RealityConfig
+	config *reality.Config
 }
 
 func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
-	var tlsConfig utls.RealityConfig
+	var tlsConfig reality.Config
 
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in reality")
@@ -75,11 +74,6 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 	}
 
 	tlsConfig.SessionTicketsDisabled = true
-	tlsConfig.Log = func(format string, v ...any) {
-		if logger != nil {
-			logger.Trace(fmt.Sprintf(format, v...))
-		}
-	}
 	tlsConfig.Type = N.NetworkTCP
 	tlsConfig.Dest = options.Reality.Handshake.ServerOptions.Build().String()
 
@@ -119,6 +113,10 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 		return handshakeDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 	}
 
+	if debug.Enabled {
+		tlsConfig.Show = true
+	}
+
 	return &RealityServerConfig{&tlsConfig}, nil
 }
 
@@ -159,7 +157,7 @@ func (c *RealityServerConfig) Server(conn net.Conn) (Conn, error) {
 }
 
 func (c *RealityServerConfig) ServerHandshake(ctx context.Context, conn net.Conn) (Conn, error) {
-	tlsConn, err := utls.RealityServer(ctx, conn, c.config)
+	tlsConn, err := reality.Server(ctx, conn, c.config)
 	if err != nil {
 		return nil, err
 	}
@@ -175,7 +173,7 @@ func (c *RealityServerConfig) Clone() Config {
 var _ Conn = (*realityConnWrapper)(nil)
 
 type realityConnWrapper struct {
-	*utls.Conn
+	*reality.Conn
 }
 
 func (c *realityConnWrapper) ConnectionState() ConnectionState {

common/tls/reality_stub.go

@@ -1,5 +1,15 @@
-//go:build with_reality_server
+//go:build !with_reality_server
 
 package tls
 
-var _ int = "The separate `with_reality_server` build tag has been merged into `with_utls` and is no longer needed, please update your build configuration."
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+	return nil, E.New(`reality server is not included in this build, rebuild with -tags with_reality_server`)
+}

common/tls/std_client.go

@@ -7,60 +7,43 @@ import (
 	"net"
 	"os"
 	"strings"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tlsfragment"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 )
 
 type STDClientConfig struct {
-	ctx                   context.Context
-	config                *tls.Config
-	fragment              bool
-	fragmentFallbackDelay time.Duration
-	recordFragment        bool
+	config *tls.Config
 }
 
-func (c *STDClientConfig) ServerName() string {
-	return c.config.ServerName
+func (s *STDClientConfig) ServerName() string {
+	return s.config.ServerName
 }
 
-func (c *STDClientConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
+func (s *STDClientConfig) SetServerName(serverName string) {
+	s.config.ServerName = serverName
 }
 
-func (c *STDClientConfig) NextProtos() []string {
-	return c.config.NextProtos
+func (s *STDClientConfig) NextProtos() []string {
+	return s.config.NextProtos
 }
 
-func (c *STDClientConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
+func (s *STDClientConfig) SetNextProtos(nextProto []string) {
+	s.config.NextProtos = nextProto
 }
 
-func (c *STDClientConfig) Config() (*STDConfig, error) {
-	return c.config, nil
+func (s *STDClientConfig) Config() (*STDConfig, error) {
+	return s.config, nil
 }
 
-func (c *STDClientConfig) Client(conn net.Conn) (Conn, error) {
-	if c.recordFragment {
-		conn = tf.NewConn(conn, c.ctx, c.fragment, c.recordFragment, c.fragmentFallbackDelay)
-	}
-	return tls.Client(conn, c.config), nil
+func (s *STDClientConfig) Client(conn net.Conn) (Conn, error) {
+	return tls.Client(conn, s.config), nil
 }
 
-func (c *STDClientConfig) Clone() Config {
-	return &STDClientConfig{c.ctx, c.config.Clone(), c.fragment, c.fragmentFallbackDelay, c.recordFragment}
-}
-
-func (c *STDClientConfig) ECHConfigList() []byte {
-	return c.config.EncryptedClientHelloConfigList
-}
-
-func (c *STDClientConfig) SetECHConfigList(EncryptedClientHelloConfigList []byte) {
-	c.config.EncryptedClientHelloConfigList = EncryptedClientHelloConfigList
+func (s *STDClientConfig) Clone() Config {
+	return &STDClientConfig{s.config.Clone()}
 }
 
 func NewSTDClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
@@ -77,7 +60,9 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 	var tlsConfig tls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
-	if !options.DisableSNI {
+	if options.DisableSNI {
+		tlsConfig.ServerName = "127.0.0.1"
+	} else {
 		tlsConfig.ServerName = serverName
 	}
 	if options.Insecure {
@@ -142,10 +127,8 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 		tlsConfig.RootCAs = certPool
 	}
-	stdConfig := &STDClientConfig{ctx, &tlsConfig, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
-		return parseECHClientConfig(ctx, stdConfig, options)
-	} else {
-		return stdConfig, nil
+		return parseECHClientConfig(ctx, options, &tlsConfig)
 	}
+	return &STDClientConfig{&tlsConfig}, nil
 }

common/tls/std_server.go

@@ -22,7 +22,7 @@ var errInsecureUnused = E.New("tls: insecure unused")
 type STDServerConfig struct {
 	config          *tls.Config
 	logger          log.Logger
-	acmeService     adapter.SimpleLifecycle
+	acmeService     adapter.Service
 	certificate     []byte
 	key             []byte
 	certificatePath string
@@ -165,11 +165,11 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		return nil, nil
 	}
 	var tlsConfig *tls.Config
-	var acmeService adapter.SimpleLifecycle
+	var acmeService adapter.Service
 	var err error
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		//nolint:staticcheck
-		tlsConfig, acmeService, err = startACME(ctx, logger, common.PtrValueOrDefault(options.ACME))
+		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
 			return nil, err
 		}

common/tls/utls_client.go

@@ -8,77 +8,62 @@ import (
 	"crypto/x509"
 	"math/rand"
 	"net"
+	"net/netip"
 	"os"
 	"strings"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tlsfragment"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
+	utls "github.com/sagernet/utls"
 
-	utls "github.com/metacubex/utls"
 	"golang.org/x/net/http2"
 )
 
 type UTLSClientConfig struct {
-	ctx                   context.Context
-	config                *utls.Config
-	id                    utls.ClientHelloID
-	fragment              bool
-	fragmentFallbackDelay time.Duration
-	recordFragment        bool
+	config *utls.Config
+	id     utls.ClientHelloID
 }
 
-func (c *UTLSClientConfig) ServerName() string {
-	return c.config.ServerName
+func (e *UTLSClientConfig) ServerName() string {
+	return e.config.ServerName
 }
 
-func (c *UTLSClientConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
+func (e *UTLSClientConfig) SetServerName(serverName string) {
+	e.config.ServerName = serverName
 }
 
-func (c *UTLSClientConfig) NextProtos() []string {
-	return c.config.NextProtos
+func (e *UTLSClientConfig) NextProtos() []string {
+	return e.config.NextProtos
 }
 
-func (c *UTLSClientConfig) SetNextProtos(nextProto []string) {
+func (e *UTLSClientConfig) SetNextProtos(nextProto []string) {
 	if len(nextProto) == 1 && nextProto[0] == http2.NextProtoTLS {
 		nextProto = append(nextProto, "http/1.1")
 	}
-	c.config.NextProtos = nextProto
+	e.config.NextProtos = nextProto
 }
 
-func (c *UTLSClientConfig) Config() (*STDConfig, error) {
+func (e *UTLSClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for uTLS")
 }
 
-func (c *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
-	if c.recordFragment {
-		conn = tf.NewConn(conn, c.ctx, c.fragment, c.recordFragment, c.fragmentFallbackDelay)
-	}
-	return &utlsALPNWrapper{utlsConnWrapper{utls.UClient(conn, c.config.Clone(), c.id)}, c.config.NextProtos}, nil
+func (e *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
+	return &utlsALPNWrapper{utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}, e.config.NextProtos}, nil
 }
 
-func (c *UTLSClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
-	c.config.SessionIDGenerator = generator
+func (e *UTLSClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
+	e.config.SessionIDGenerator = generator
 }
 
-func (c *UTLSClientConfig) Clone() Config {
+func (e *UTLSClientConfig) Clone() Config {
 	return &UTLSClientConfig{
-		c.ctx, c.config.Clone(), c.id, c.fragment, c.fragmentFallbackDelay, c.recordFragment,
+		config: e.config.Clone(),
+		id:     e.id,
 	}
 }
 
-func (c *UTLSClientConfig) ECHConfigList() []byte {
-	return c.config.EncryptedClientHelloConfigList
-}
-
-func (c *UTLSClientConfig) SetECHConfigList(EncryptedClientHelloConfigList []byte) {
-	c.config.EncryptedClientHelloConfigList = EncryptedClientHelloConfigList
-}
-
 type utlsConnWrapper struct {
 	*utls.UConn
 }
@@ -131,12 +116,14 @@ func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
 	return c.UConn.HandshakeContext(ctx)
 }
 
-func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
 	} else if serverAddress != "" {
-		serverName = serverAddress
+		if _, err := netip.ParseAddr(serverName); err != nil {
+			serverName = serverAddress
+		}
 	}
 	if serverName == "" && !options.Insecure {
 		return nil, E.New("missing server_name or insecure=true")
@@ -145,7 +132,11 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 	var tlsConfig utls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
-	tlsConfig.ServerName = serverName
+	if options.DisableSNI {
+		tlsConfig.ServerName = "127.0.0.1"
+	} else {
+		tlsConfig.ServerName = serverName
+	}
 	if options.Insecure {
 		tlsConfig.InsecureSkipVerify = options.Insecure
 	} else if options.DisableSNI {
@@ -201,15 +192,7 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 	if err != nil {
 		return nil, err
 	}
-	uConfig := &UTLSClientConfig{ctx, &tlsConfig, id, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
-	if options.ECH != nil && options.ECH.Enabled {
-		if options.Reality != nil && options.Reality.Enabled {
-			return nil, E.New("Reality is conflict with ECH")
-		}
-		return parseECHClientConfig(ctx, uConfig, options)
-	} else {
-		return uConfig, nil
-	}
+	return &UTLSClientConfig{&tlsConfig, id}, nil
 }
 
 var (
@@ -237,7 +220,7 @@ func init() {
 
 func uTLSClientHelloID(name string) (utls.ClientHelloID, error) {
 	switch name {
-	case "chrome_psk", "chrome_psk_shuffle", "chrome_padding_psk_shuffle", "chrome_pq", "chrome_pq_psk":
+	case "chrome_psk", "chrome_psk_shuffle", "chrome_padding_psk_shuffle", "chrome_pq":
 		fallthrough
 	case "chrome", "":
 		return utls.HelloChrome_Auto, nil

common/tls/utls_stub.go

@@ -5,7 +5,6 @@ package tls
 import (
 	"context"
 
-	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
@@ -15,9 +14,5 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 }
 
 func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return nil, E.New(`uTLS, which is required by reality is not included in this build, rebuild with -tags with_utls`)
-}
-
-func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
-	return nil, E.New(`uTLS, which is required by reality is not included in this build, rebuild with -tags with_utls`)
+	return nil, E.New(`uTLS, which is required by reality client is not included in this build, rebuild with -tags with_utls`)
 }

common/tlsfragment/conn.go

@@ -1,15 +1,12 @@
 package tf
 
 import (
-	"bytes"
 	"context"
-	"encoding/binary"
 	"math/rand"
 	"net"
 	"strings"
 	"time"
 
-	C "github.com/sagernet/sing-box/constant"
 	N "github.com/sagernet/sing/common/network"
 
 	"golang.org/x/net/publicsuffix"
@@ -20,24 +17,17 @@ type Conn struct {
 	tcpConn            *net.TCPConn
 	ctx                context.Context
 	firstPacketWritten bool
-	splitPacket        bool
-	splitRecord        bool
 	fallbackDelay      time.Duration
 }
 
-func NewConn(conn net.Conn, ctx context.Context, splitPacket bool, splitRecord bool, fallbackDelay time.Duration) *Conn {
-	if fallbackDelay == 0 {
-		fallbackDelay = C.TLSFragmentFallbackDelay
-	}
+func NewConn(conn net.Conn, ctx context.Context, fallbackDelay time.Duration) (*Conn, error) {
 	tcpConn, _ := N.UnwrapReader(conn).(*net.TCPConn)
 	return &Conn{
 		Conn:          conn,
 		tcpConn:       tcpConn,
 		ctx:           ctx,
-		splitPacket:   splitPacket,
-		splitRecord:   splitRecord,
 		fallbackDelay: fallbackDelay,
-	}
+	}, nil
 }
 
 func (c *Conn) Write(b []byte) (n int, err error) {
@@ -47,12 +37,10 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 		}()
 		serverName := indexTLSServerName(b)
 		if serverName != nil {
-			if c.splitPacket {
-				if c.tcpConn != nil {
-					err = c.tcpConn.SetNoDelay(true)
-					if err != nil {
-						return
-					}
+			if c.tcpConn != nil {
+				err = c.tcpConn.SetNoDelay(true)
+				if err != nil {
+					return
 				}
 			}
 			splits := strings.Split(serverName.ServerName, ".")
@@ -73,50 +61,26 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 					currentIndex++
 				}
 			}
-			var buffer bytes.Buffer
 			for i := 0; i <= len(splitIndexes); i++ {
 				var payload []byte
 				if i == 0 {
 					payload = b[:splitIndexes[i]]
-					if c.splitRecord {
-						payload = payload[recordLayerHeaderLen:]
-					}
 				} else if i == len(splitIndexes) {
 					payload = b[splitIndexes[i-1]:]
 				} else {
 					payload = b[splitIndexes[i-1]:splitIndexes[i]]
 				}
-				if c.splitRecord {
-					if c.splitPacket {
-						buffer.Reset()
+				if c.tcpConn != nil && i != len(splitIndexes) {
+					err = writeAndWaitAck(c.ctx, c.tcpConn, payload, c.fallbackDelay)
+					if err != nil {
+						return
 					}
-					payloadLen := uint16(len(payload))
-					buffer.Write(b[:3])
-					binary.Write(&buffer, binary.BigEndian, payloadLen)
-					buffer.Write(payload)
-					if c.splitPacket {
-						payload = buffer.Bytes()
+				} else {
+					_, err = c.Conn.Write(payload)
+					if err != nil {
+						return
 					}
 				}
-				if c.splitPacket {
-					if c.tcpConn != nil && i != len(splitIndexes) {
-						err = writeAndWaitAck(c.ctx, c.tcpConn, payload, c.fallbackDelay)
-						if err != nil {
-							return
-						}
-					} else {
-						_, err = c.Conn.Write(payload)
-						if err != nil {
-							return
-						}
-					}
-				}
-			}
-			if c.splitRecord && !c.splitPacket {
-				_, err = c.Conn.Write(buffer.Bytes())
-				if err != nil {
-					return
-				}
 			}
 			if c.tcpConn != nil {
 				err = c.tcpConn.SetNoDelay(false)

common/tlsfragment/conn_test.go

@@ -1,42 +0,0 @@
-package tf_test
-
-import (
-	"context"
-	"crypto/tls"
-	"net"
-	"testing"
-
-	tf "github.com/sagernet/sing-box/common/tlsfragment"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestTLSFragment(t *testing.T) {
-	t.Parallel()
-	tcpConn, err := net.Dial("tcp", "1.1.1.1:443")
-	require.NoError(t, err)
-	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), true, false, 0), &tls.Config{
-		ServerName: "www.cloudflare.com",
-	})
-	require.NoError(t, tlsConn.Handshake())
-}
-
-func TestTLSRecordFragment(t *testing.T) {
-	t.Parallel()
-	tcpConn, err := net.Dial("tcp", "1.1.1.1:443")
-	require.NoError(t, err)
-	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), false, true, 0), &tls.Config{
-		ServerName: "www.cloudflare.com",
-	})
-	require.NoError(t, tlsConn.Handshake())
-}
-
-func TestTLS2Fragment(t *testing.T) {
-	t.Parallel()
-	tcpConn, err := net.Dial("tcp", "1.1.1.1:443")
-	require.NoError(t, err)
-	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), true, true, 0), &tls.Config{
-		ServerName: "www.cloudflare.com",
-	})
-	require.NoError(t, tlsConn.Handshake())
-}

constant/proxy.go

@@ -25,9 +25,6 @@ const (
 	TypeTUIC         = "tuic"
 	TypeHysteria2    = "hysteria2"
 	TypeTailscale    = "tailscale"
-	TypeDERP         = "derp"
-	TypeResolved     = "resolved"
-	TypeSSMAPI       = "ssm-api"
 )
 
 const (

constant/timeout.go

@@ -9,7 +9,6 @@ const (
 	TCPTimeout                 = 15 * time.Second
 	ReadPayloadTimeout         = 300 * time.Millisecond
 	DNSTimeout                 = 10 * time.Second
-	DirectDNSTimeout           = 5 * time.Second
 	UDPTimeout                 = 5 * time.Minute
 	DefaultURLTestInterval     = 3 * time.Minute
 	DefaultURLTestIdleTimeout  = 30 * time.Minute

debug.go

@@ -24,9 +24,9 @@ func applyDebugOptions(options option.DebugOptions) {
 	if options.TraceBack != "" {
 		debug.SetTraceback(options.TraceBack)
 	}
-	if options.MemoryLimit.Value() != 0 {
-		debug.SetMemoryLimit(int64(float64(options.MemoryLimit.Value()) / 1.5))
-		conntrack.MemoryLimit = options.MemoryLimit.Value()
+	if options.MemoryLimit != 0 {
+		debug.SetMemoryLimit(int64(float64(options.MemoryLimit) / 1.5))
+		conntrack.MemoryLimit = uint64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_http.go

@@ -7,9 +7,9 @@ import (
 	"runtime/debug"
 	"strings"
 
+	"github.com/sagernet/sing-box/common/humanize"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/byteformats"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/json/badjson"
@@ -38,9 +38,9 @@ func applyDebugListenOption(options option.DebugOptions) {
 			runtime.ReadMemStats(&memStats)
 
 			var memObject badjson.JSONObject
-			memObject.Put("heap", byteformats.FormatMemoryBytes(memStats.HeapInuse))
-			memObject.Put("stack", byteformats.FormatMemoryBytes(memStats.StackInuse))
-			memObject.Put("idle", byteformats.FormatMemoryBytes(memStats.HeapIdle-memStats.HeapReleased))
+			memObject.Put("heap", humanize.MemoryBytes(memStats.HeapInuse))
+			memObject.Put("stack", humanize.MemoryBytes(memStats.StackInuse))
+			memObject.Put("idle", humanize.MemoryBytes(memStats.HeapIdle-memStats.HeapReleased))
 			memObject.Put("goroutines", runtime.NumGoroutine())
 			memObject.Put("rss", rusageMaxRSS())
 

dns/client.go

@@ -30,10 +30,10 @@ var (
 var _ adapter.DNSClient = (*Client)(nil)
 
 type Client struct {
+	timeout          time.Duration
 	disableCache     bool
 	disableExpire    bool
 	independentCache bool
-	clientSubnet     netip.Prefix
 	rdrc             adapter.RDRCStore
 	initRDRCFunc     func() adapter.RDRCStore
 	logger           logger.ContextLogger
@@ -42,24 +42,27 @@ type Client struct {
 }
 
 type ClientOptions struct {
+	Timeout          time.Duration
 	DisableCache     bool
 	DisableExpire    bool
 	IndependentCache bool
 	CacheCapacity    uint32
-	ClientSubnet     netip.Prefix
 	RDRC             func() adapter.RDRCStore
 	Logger           logger.ContextLogger
 }
 
 func NewClient(options ClientOptions) *Client {
 	client := &Client{
+		timeout:          options.Timeout,
 		disableCache:     options.DisableCache,
 		disableExpire:    options.DisableExpire,
 		independentCache: options.IndependentCache,
-		clientSubnet:     options.ClientSubnet,
 		initRDRCFunc:     options.RDRC,
 		logger:           options.Logger,
 	}
+	if client.timeout == 0 {
+		client.timeout = C.DNSTimeout
+	}
 	cacheCapacity := options.CacheCapacity
 	if cacheCapacity < 1024 {
 		cacheCapacity = 1024
@@ -101,12 +104,8 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		return &responseMessage, nil
 	}
 	question := message.Question[0]
-	clientSubnet := options.ClientSubnet
-	if !clientSubnet.IsValid() {
-		clientSubnet = c.clientSubnet
-	}
-	if clientSubnet.IsValid() {
-		message = SetClientSubnet(message, clientSubnet)
+	if options.ClientSubnet.IsValid() {
+		message = SetClientSubnet(message, options.ClientSubnet, true)
 	}
 	isSimpleRequest := len(message.Question) == 1 &&
 		len(message.Ns) == 0 &&
@@ -147,15 +146,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			return nil, ErrResponseRejectedCached
 		}
 	}
-	timeout := options.Timeout
-	if timeout == 0 {
-		if transport.HasDetour() {
-			timeout = C.DNSTimeout
-		} else {
-			timeout = C.DirectDNSTimeout
-		}
-	}
-	ctx, cancel := context.WithTimeout(ctx, timeout)
+	ctx, cancel := context.WithTimeout(ctx, c.timeout)
 	response, err := transport.Exchange(ctx, message)
 	cancel()
 	if err != nil {
@@ -241,20 +232,10 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			record.Header().Ttl = timeToLive
 		}
 	}
+	response.Id = messageId
 	if !disableCache {
 		c.storeCache(transport, question, response, timeToLive)
 	}
-	response.Id = messageId
-	requestEDNSOpt := message.IsEdns0()
-	responseEDNSOpt := response.IsEdns0()
-	if responseEDNSOpt != nil && (requestEDNSOpt == nil || requestEDNSOpt.Version() < responseEDNSOpt.Version()) {
-		response.Extra = common.Filter(response.Extra, func(it dns.RR) bool {
-			return it.Header().Rrtype != dns.TypeOPT
-		})
-		if requestEDNSOpt != nil {
-			response.SetEdns0(responseEDNSOpt.UDPSize(), responseEDNSOpt.Do())
-		}
-	}
 	logExchangedResponse(c.logger, ctx, response, timeToLive)
 	return response, err
 }
@@ -262,15 +243,9 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
 	domain = FqdnToDomain(domain)
 	dnsName := dns.Fqdn(domain)
-	var strategy C.DomainStrategy
-	if options.LookupStrategy != C.DomainStrategyAsIS {
-		strategy = options.LookupStrategy
-	} else {
-		strategy = options.Strategy
-	}
-	if strategy == C.DomainStrategyIPv4Only {
+	if options.Strategy == C.DomainStrategyIPv4Only {
 		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
-	} else if strategy == C.DomainStrategyIPv6Only {
+	} else if options.Strategy == C.DomainStrategyIPv6Only {
 		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
 	}
 	var response4 []netip.Addr
@@ -296,7 +271,7 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 	if len(response4) == 0 && len(response6) == 0 {
 		return nil, err
 	}
-	return sortAddresses(response4, response6, strategy), nil
+	return sortAddresses(response4, response6, options.Strategy), nil
 }
 
 func (c *Client) ClearCache() {
@@ -552,26 +527,12 @@ func transportTagFromContext(ctx context.Context) (string, bool) {
 	return value, loaded
 }
 
-func FixedResponseStatus(message *dns.Msg, rcode int) *dns.Msg {
-	return &dns.Msg{
-		MsgHdr: dns.MsgHdr{
-			Id:       message.Id,
-			Rcode:    rcode,
-			Response: true,
-		},
-		Question: message.Question,
-	}
-}
-
 func FixedResponse(id uint16, question dns.Question, addresses []netip.Addr, timeToLive uint32) *dns.Msg {
 	response := dns.Msg{
 		MsgHdr: dns.MsgHdr{
-			Id:                 id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              dns.RcodeSuccess,
+			Id:       id,
+			Rcode:    dns.RcodeSuccess,
+			Response: true,
 		},
 		Question: []dns.Question{question},
 	}
@@ -604,12 +565,9 @@ func FixedResponse(id uint16, question dns.Question, addresses []netip.Addr, tim
 func FixedResponseCNAME(id uint16, question dns.Question, record string, timeToLive uint32) *dns.Msg {
 	response := dns.Msg{
 		MsgHdr: dns.MsgHdr{
-			Id:                 id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              dns.RcodeSuccess,
+			Id:       id,
+			Rcode:    dns.RcodeSuccess,
+			Response: true,
 		},
 		Question: []dns.Question{question},
 		Answer: []dns.RR{
@@ -630,12 +588,9 @@ func FixedResponseCNAME(id uint16, question dns.Question, record string, timeToL
 func FixedResponseTXT(id uint16, question dns.Question, records []string, timeToLive uint32) *dns.Msg {
 	response := dns.Msg{
 		MsgHdr: dns.MsgHdr{
-			Id:                 id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              dns.RcodeSuccess,
+			Id:       id,
+			Rcode:    dns.RcodeSuccess,
+			Response: true,
 		},
 		Question: []dns.Question{question},
 		Answer: []dns.RR{
@@ -656,12 +611,9 @@ func FixedResponseTXT(id uint16, question dns.Question, records []string, timeTo
 func FixedResponseMX(id uint16, question dns.Question, records []*net.MX, timeToLive uint32) *dns.Msg {
 	response := dns.Msg{
 		MsgHdr: dns.MsgHdr{
-			Id:                 id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              dns.RcodeSuccess,
+			Id:       id,
+			Rcode:    dns.RcodeSuccess,
+			Response: true,
 		},
 		Question: []dns.Question{question},
 	}

dns/extension_edns0_subnet.go

@@ -6,11 +6,7 @@ import (
 	"github.com/miekg/dns"
 )
 
-func SetClientSubnet(message *dns.Msg, clientSubnet netip.Prefix) *dns.Msg {
-	return setClientSubnet(message, clientSubnet, true)
-}
-
-func setClientSubnet(message *dns.Msg, clientSubnet netip.Prefix, clone bool) *dns.Msg {
+func SetClientSubnet(message *dns.Msg, clientSubnet netip.Prefix, override bool) *dns.Msg {
 	var (
 		optRecord    *dns.OPT
 		subnetOption *dns.EDNS0_SUBNET
@@ -23,6 +19,9 @@ findExists:
 				var isEDNS0Subnet bool
 				subnetOption, isEDNS0Subnet = option.(*dns.EDNS0_SUBNET)
 				if isEDNS0Subnet {
+					if !override {
+						return message
+					}
 					break findExists
 				}
 			}
@@ -38,14 +37,14 @@ findExists:
 			},
 		}
 		message.Extra = append(message.Extra, optRecord)
-	} else if clone {
-		return setClientSubnet(message.Copy(), clientSubnet, false)
+	} else {
+		message = message.Copy()
 	}
 	if subnetOption == nil {
 		subnetOption = new(dns.EDNS0_SUBNET)
-		subnetOption.Code = dns.EDNS0SUBNET
 		optRecord.Option = append(optRecord.Option, subnetOption)
 	}
+	subnetOption.Code = dns.EDNS0SUBNET
 	if clientSubnet.Addr().Is4() {
 		subnetOption.Family = 1
 	} else {

dns/router.go

@@ -55,7 +55,6 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOp
 		DisableExpire:    options.DNSClientOptions.DisableExpire,
 		IndependentCache: options.DNSClientOptions.IndependentCache,
 		CacheCapacity:    options.DNSClientOptions.CacheCapacity,
-		ClientSubnet:     options.DNSClientOptions.ClientSubnet.Build(netip.Prefix{}),
 		RDRC: func() adapter.RDRCStore {
 			cacheFile := service.FromContext[adapter.CacheFile](ctx)
 			if cacheFile == nil {
@@ -158,9 +157,6 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 				if action.Strategy != C.DomainStrategyAsIS {
 					options.Strategy = action.Strategy
 				}
-				if action.Timeout > 0 {
-					options.Timeout = action.Timeout
-				}
 				if isFakeIP || action.DisableCache {
 					options.DisableCache = true
 				}
@@ -183,9 +179,6 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 				if action.Strategy != C.DomainStrategyAsIS {
 					options.Strategy = action.Strategy
 				}
-				if action.Timeout > 0 {
-					options.Timeout = action.Timeout
-				}
 				if action.DisableCache {
 					options.DisableCache = true
 				}
@@ -265,14 +258,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					case *R.RuleActionReject:
 						switch action.Method {
 						case C.RuleActionRejectMethodDefault:
-							return &mDNS.Msg{
-								MsgHdr: mDNS.MsgHdr{
-									Id:       message.Id,
-									Rcode:    mDNS.RcodeRefused,
-									Response: true,
-								},
-								Question: []mDNS.Question{message.Question[0]},
-							}, nil
+							return FixedResponse(message.Id, message.Question[0], nil, 0), nil
 						case C.RuleActionRejectMethodDrop:
 							return nil, tun.ErrDrop
 						}
@@ -299,12 +285,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					} else if errors.Is(err, ErrResponseRejected) {
 						rejected = true
 						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
-						/*} else if responseCheck!= nil && errors.Is(err, RcodeError(mDNS.RcodeNameError)) {
-						rejected = true
-						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
-						*/
 					} else if len(message.Question) > 0 {
-						rejected = true
 						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
 					} else {
 						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))

dns/transport/dhcp/dhcp.go

@@ -41,7 +41,6 @@ type Transport struct {
 	dns.TransportAdapter
 	ctx               context.Context
 	dialer            N.Dialer
-	hasDetour         bool
 	logger            logger.ContextLogger
 	networkManager    adapter.NetworkManager
 	interfaceName     string
@@ -60,7 +59,6 @@ func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, opt
 		TransportAdapter: dns.NewTransportAdapterWithLocalOptions(C.DNSTypeDHCP, tag, options.LocalDNSServerOptions),
 		ctx:              ctx,
 		dialer:           transportDialer,
-		hasDetour:        options.Detour != "",
 		logger:           logger,
 		networkManager:   service.FromContext[adapter.NetworkManager](ctx),
 		interfaceName:    options.Interface,
@@ -91,10 +89,6 @@ func (t *Transport) Close() error {
 	return nil
 }
 
-func (t *Transport) HasDetour() bool {
-	return t.hasDetour
-}
-
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	err := t.fetchServers()
 	if err != nil {

dns/transport/https.go

@@ -3,15 +3,11 @@ package transport
 import (
 	"bytes"
 	"context"
-	"errors"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
-	"os"
 	"strconv"
-	"sync"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
@@ -43,13 +39,11 @@ func RegisterHTTPS(registry *dns.TransportRegistry) {
 
 type HTTPSTransport struct {
 	dns.TransportAdapter
-	logger           logger.ContextLogger
-	dialer           N.Dialer
-	destination      *url.URL
-	headers          http.Header
-	transportAccess  sync.Mutex
-	transport        *http.Transport
-	transportResetAt time.Time
+	logger      logger.ContextLogger
+	dialer      N.Dialer
+	destination *url.URL
+	headers     http.Header
+	transport   *http.Transport
 }
 
 func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteHTTPSDNSServerOptions) (adapter.DNSTransport, error) {
@@ -99,11 +93,10 @@ func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options
 		return nil, err
 	}
 	serverAddr := options.DNSServerAddressOptions.Build()
-	if serverAddr.Port == 0 {
-		serverAddr.Port = 443
-	}
-	if !serverAddr.IsValid() {
+	if !serverAddr.Addr.IsValid() {
 		return nil, E.New("invalid server address: ", serverAddr)
+	} else if serverAddr.Port == 0 {
+		serverAddr.Port = 443
 	}
 	return NewHTTPSRaw(
 		dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTPS, tag, options.RemoteDNSServerOptions),
@@ -167,33 +160,12 @@ func (t *HTTPSTransport) Start(stage adapter.StartStage) error {
 }
 
 func (t *HTTPSTransport) Close() error {
-	t.transportAccess.Lock()
-	defer t.transportAccess.Unlock()
 	t.transport.CloseIdleConnections()
 	t.transport = t.transport.Clone()
 	return nil
 }
 
 func (t *HTTPSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	startAt := time.Now()
-	response, err := t.exchange(ctx, message)
-	if err != nil {
-		if errors.Is(err, os.ErrDeadlineExceeded) {
-			t.transportAccess.Lock()
-			defer t.transportAccess.Unlock()
-			if t.transportResetAt.After(startAt) {
-				return nil, err
-			}
-			t.transport.CloseIdleConnections()
-			t.transport = t.transport.Clone()
-			t.transportResetAt = time.Now()
-		}
-		return nil, err
-	}
-	return response, nil
-}
-
-func (t *HTTPSTransport) exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	exMessage := *message
 	exMessage.Id = 0
 	exMessage.Compress = true

dns/transport/local/resolv_darwin_cgo.go

@@ -20,8 +20,7 @@ import (
 )
 
 func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
-	var state C.res_state
-	if C.res_ninit(state) != 0 {
+	if C.res_init() != 0 {
 		return &dnsConfig{
 			servers:  defaultNS,
 			search:   dnsDefaultSearch(),
@@ -34,10 +33,10 @@ func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
 	conf := &dnsConfig{
 		ndots:    1,
 		timeout:  5 * time.Second,
-		attempts: int(state.retry),
+		attempts: int(C._res.retry),
 	}
-	for i := 0; i < int(state.nscount); i++ {
-		ns := state.nsaddr_list[i]
+	for i := 0; i < int(C._res.nscount); i++ {
+		ns := C._res.nsaddr_list[i]
 		addr := C.inet_ntoa(ns.sin_addr)
 		if addr == nil {
 			continue
@@ -45,7 +44,7 @@ func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
 		conf.servers = append(conf.servers, C.GoString(addr))
 	}
 	for i := 0; ; i++ {
-		search := state.dnsrch[i]
+		search := C._res.dnsrch[i]
 		if search == nil {
 			break
 		}

dns/transport/quic/http3.go

@@ -89,11 +89,10 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 		return nil, err
 	}
 	serverAddr := options.DNSServerAddressOptions.Build()
-	if serverAddr.Port == 0 {
-		serverAddr.Port = 443
-	}
-	if !serverAddr.IsValid() {
+	if !serverAddr.Addr.IsValid() {
 		return nil, E.New("invalid server address: ", serverAddr)
+	} else if serverAddr.Port == 0 {
+		serverAddr.Port = 443
 	}
 	return &HTTP3Transport{
 		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTP3, tag, options.RemoteDNSServerOptions),

dns/transport/quic/quic.go

@@ -56,11 +56,10 @@ func NewQUIC(ctx context.Context, logger log.ContextLogger, tag string, options
 		tlsConfig.SetNextProtos([]string{"doq"})
 	}
 	serverAddr := options.DNSServerAddressOptions.Build()
-	if serverAddr.Port == 0 {
-		serverAddr.Port = 853
-	}
-	if !serverAddr.IsValid() {
+	if !serverAddr.Addr.IsValid() {
 		return nil, E.New("invalid server address: ", serverAddr)
+	} else if serverAddr.Port == 0 {
+		serverAddr.Port = 853
 	}
 	return &Transport{
 		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeQUIC, tag, options.RemoteDNSServerOptions),

dns/transport/tcp.go

@@ -38,11 +38,10 @@ func NewTCP(ctx context.Context, logger log.ContextLogger, tag string, options o
 		return nil, err
 	}
 	serverAddr := options.DNSServerAddressOptions.Build()
-	if serverAddr.Port == 0 {
-		serverAddr.Port = 53
-	}
-	if !serverAddr.IsValid() {
+	if !serverAddr.Addr.IsValid() {
 		return nil, E.New("invalid server address: ", serverAddr)
+	} else if serverAddr.Port == 0 {
+		serverAddr.Port = 53
 	}
 	return &TCPTransport{
 		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeTCP, tag, options),

dns/transport/tls.go

@@ -54,23 +54,18 @@ func NewTLS(ctx context.Context, logger log.ContextLogger, tag string, options o
 		return nil, err
 	}
 	serverAddr := options.DNSServerAddressOptions.Build()
-	if serverAddr.Port == 0 {
+	if !serverAddr.Addr.IsValid() {
+		return nil, E.New("invalid server address: ", serverAddr)
+	} else if serverAddr.Port == 0 {
 		serverAddr.Port = 853
 	}
-	if !serverAddr.IsValid() {
-		return nil, E.New("invalid server address: ", serverAddr)
-	}
-	return NewTLSRaw(logger, dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeTLS, tag, options.RemoteDNSServerOptions), transportDialer, serverAddr, tlsConfig), nil
-}
-
-func NewTLSRaw(logger logger.ContextLogger, adapter dns.TransportAdapter, dialer N.Dialer, serverAddr M.Socksaddr, tlsConfig tls.Config) *TLSTransport {
 	return &TLSTransport{
-		TransportAdapter: adapter,
+		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeTLS, tag, options.RemoteDNSServerOptions),
 		logger:           logger,
-		dialer:           dialer,
+		dialer:           transportDialer,
 		serverAddr:       serverAddr,
 		tlsConfig:        tlsConfig,
-	}
+	}, nil
 }
 
 func (t *TLSTransport) Start(stage adapter.StartStage) error {

dns/transport/udp.go

@@ -45,11 +45,10 @@ func NewUDP(ctx context.Context, logger log.ContextLogger, tag string, options o
 		return nil, err
 	}
 	serverAddr := options.DNSServerAddressOptions.Build()
-	if serverAddr.Port == 0 {
-		serverAddr.Port = 53
-	}
-	if !serverAddr.IsValid() {
+	if !serverAddr.Addr.IsValid() {
 		return nil, E.New("invalid server address: ", serverAddr)
+	} else if serverAddr.Port == 0 {
+		serverAddr.Port = 53
 	}
 	return NewUDPRaw(logger, dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeUDP, tag, options), transportDialer, serverAddr), nil
 }

dns/transport_adapter.go

@@ -14,7 +14,6 @@ type TransportAdapter struct {
 	transportType string
 	transportTag  string
 	dependencies  []string
-	hasDetour     bool
 	strategy      C.DomainStrategy
 	clientSubnet  netip.Prefix
 }
@@ -36,7 +35,6 @@ func NewTransportAdapterWithLocalOptions(transportType string, transportTag stri
 		transportType: transportType,
 		transportTag:  transportTag,
 		dependencies:  dependencies,
-		hasDetour:     localOptions.Detour != "",
 		strategy:      C.DomainStrategy(localOptions.LegacyStrategy),
 		clientSubnet:  localOptions.LegacyClientSubnet,
 	}
@@ -71,10 +69,6 @@ func (a *TransportAdapter) Dependencies() []string {
 	return a.dependencies
 }
 
-func (a *TransportAdapter) HasDetour() bool {
-	return a.hasDetour
-}
-
 func (a *TransportAdapter) LegacyStrategy() C.DomainStrategy {
 	return a.strategy
 }

docs/changelog.md

@@ -2,154 +2,15 @@
 icon: material/alert-decagram
 ---
 
-#### 1.12.0-beta.30
+#### 1.12.0-beta.6
 
 * Fixes and improvements
 
-### 1.11.14
-
-* Fixes and improvements
-
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
-
-#### 1.12.0-beta.24
-
-* Allow `tls_fragment` and `tls_record_fragment` to be enabled together **1**
-* Also add fragment options for TLS client configuration **2**
-* Fixes and improvements
-
-**1**:
-
-For debugging only, it is recommended to disable if record fragmentation works.
-
-See [Route Action](/configuration/route/rule_action/#tls_fragment).
-
-**2**:
-
-See [TLS](/configuration/shared/tls/).
-
-#### 1.12.0-beta.23
-
-* Add loopback address support for tun **1**
-* Add cache support for ssm-api **2**
-* Fixes and improvements
-
-**1**:
-
-TUN now implements SideStore's StosVPN.
-
-See [Tun](/configuration/inbound/tun/#loopback_address).
-
-**2**:
-
-See [SSM API Service](/configuration/service/ssm-api/#cache_path).
-
-#### 1.12.0-beta.21
-
-* Fix missing `home` option for DERP service **1**
-* Fixes and improvements
-
-**1**:
-
-You can now choose what the DERP home page shows, just like with derper's `-home` flag.
-
-See [DERP](/configuration/service/derp/#home).
-
-### 1.11.13
-
-* Fixes and improvements
-
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
-
-#### 1.12.0-beta.17
-
-* Update quic-go to v0.52.0
-* Fixes and improvements
-
-#### 1.12.0-beta.15
-
-* Add DERP service **1**
-* Add Resolved service and DNS server **2**
-* Add SSM API service **3**
-* Fixes and improvements
-
-**1**:
-
-DERP service is a Tailscale DERP server, similar to [derper](https://pkg.go.dev/tailscale.com/cmd/derper).
-
-See [DERP Service](/configuration/service/derp/).
-
-**2**:
-
-Resolved service is a fake systemd-resolved DBUS service to receive DNS settings from other programs
-(e.g. NetworkManager) and provide DNS resolution.
-
-See [Resolved Service](/configuration/service/resolved/) and [Resolved DNS Server](/configuration/dns/server/resolved/).
-
-**3**:
-
-SSM API service is a RESTful API server for managing Shadowsocks servers.
-
-See [SSM API Service](/configuration/service/ssm-api/).
-
-### 1.11.11
-
-* Fixes and improvements
-
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
-
-#### 1.12.0-beta.13
-
-* Add TLS record fragment route options **1**
-* Add missing `accept_routes` option for Tailscale **2**
-* Fixes and improvements
-
-**1**:
-
-See [Route Action](/configuration/route/rule_action/#tls_record_fragment).
-
-**2**:
-
-See [Tailscale](/configuration/endpoint/tailscale/#accept_routes).
-
-#### 1.12.0-beta.10
-
-* Add control options for listeners **1**
-* Fixes and improvements
-
-**1**:
-
-You can now set `bind_interface`, `routing_mark` and `reuse_addr` in Listen Fields.
-
-See [Listen Fields](/configuration/shared/listen/).
-
-### 1.11.10
-
-* Undeprecate the `block` outbound **1**
-* Fixes and improvements
-
-**1**:
-
-Since we don’t have a replacement for using the `block` outbound in selectors yet,
-we decided to temporarily undeprecate the `block` outbound until a replacement is available in the future.
-
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
-
-#### 1.12.0-beta.9
-
-* Update quic-go to v0.51.0
-* Fixes and improvements
-
 ### 1.11.9
 
 * Fixes and improvements
 
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
 
 #### 1.12.0-beta.5
 
@@ -165,8 +26,7 @@ violated the rules (TestFlight users are not affected)._
 Now `auto_redirect` fixes compatibility issues between TUN and Docker bridge networks,
 see [Tun](/configuration/inbound/tun/#auto_redirect).
 
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
 
 #### 1.12.0-beta.3
 
@@ -176,8 +36,7 @@ violated the rules (TestFlight users are not affected)._
 
 * Fixes and improvements
 
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
 
 #### 1.12.0-beta.1
 
@@ -192,8 +51,7 @@ see [Tun](/configuration/inbound/tun/#auto_redirect).
 
 * Fixes and improvements
 
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
 
 #### 1.12.0-alpha.19
 
@@ -233,8 +91,7 @@ See [Dial Fields](/configuration/shared/dial/#domain_resolver).
 
 * Fixes and improvements
 
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
 
 #### 1.12.0-alpha.13
 
@@ -305,8 +162,7 @@ For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and pa
 
 * Fixes and improvements
 
-_This version overwrites 1.11.2, as incorrect binaries were released due to a bug in the continuous integration
-process._
+_This version overwrites 1.11.2, as incorrect binaries were released due to a bug in the continuous integration process._
 
 #### 1.12.0-alpha.5
 

docs/configuration/dns/index.md

@@ -1,11 +1,7 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 
-!!! quote "Changes in sing-box 1.12.0"
-
-    :material-decagram: [servers](#servers)
-
 !!! quote "Changes in sing-box 1.11.0"
 
     :material-plus: [cache_capacity](#cache_capacity)

docs/configuration/dns/index.zh.md

@@ -1,11 +1,7 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 
-!!! quote "sing-box 1.12.0 中的更改"
-
-    :material-decagram: [servers](#servers)
-
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-plus: [cache_capacity](#cache_capacity)

docs/configuration/dns/rule_action.md

@@ -81,7 +81,7 @@ Will overrides `dns.client_subnet`.
 
 #### method
 
-- `default`: Reply with REFUSED.
+- `default`: Reply with NXDOMAIN.
 - `drop`: Drop the request.
 
 `default` will be used by default.

docs/configuration/dns/rule_action.zh.md

@@ -81,7 +81,7 @@ icon: material/new-box
 
 #### method
 
-- `default`: 返回 REFUSED。
+- `default`: 返回 NXDOMAIN。
 - `drop`: 丢弃请求。
 
 默认使用 `defualt`。

docs/configuration/dns/server/index.md

@@ -41,7 +41,6 @@ The type of the DNS server.
 | `dhcp`          | [DHCP](./dhcp/)           |
 | `fakeip`        | [Fake IP](./fakeip/)      |
 | `tailscale`     | [Tailscale](./tailscale/) |
-| `resolved`      | [Resolved](./resolved/)   |
 
 #### tag
 

docs/configuration/dns/server/index.zh.md

@@ -41,7 +41,6 @@ DNS 服务器的类型。
 | `dhcp`          | [DHCP](./dhcp/)           |
 | `fakeip`        | [Fake IP](./fakeip/)      |
 | `tailscale`     | [Tailscale](./tailscale/) |
-| `resolved`      | [Resolved](./resolved/)   |
 
 #### tag
 

docs/configuration/dns/server/resolved.md

@@ -1,84 +0,0 @@
----
-icon: material/new-box
----
-
-!!! question "Since sing-box 1.12.0"
-
-# Resolved
-
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "type": "resolved",
-        "tag": "",
-
-        "service": "resolved",
-        "accept_default_resolvers": false
-      }
-    ]
-  }
-}
-```
-
-
-### Fields
-
-#### service
-
-==Required==
-
-The tag of the [Resolved Service](/configuration/service/resolved).
-
-#### accept_default_resolvers
-
-Indicates whether the default DNS resolvers should be accepted for fallback queries in addition to matching domains.
-
-Specifically, default DNS resolvers are DNS servers that have `SetLinkDefaultRoute` or `SetLinkDomains ~.` set.
-
-If not enabled, `NXDOMAIN` will be returned for requests that do not match search or match domains.
-
-### Examples
-
-=== "Split DNS only"
-
-    ```json
-    {
-      "dns": {
-        "servers": [
-          {
-            "type": "local",
-            "tag": "local"
-          },
-          {
-            "type": "resolved",
-            "tag": "resolved",
-            "service": "resolved"
-          }
-        ],
-        "rules": [
-          {
-            "ip_accept_any": true,
-            "server": "resolved"
-          }
-        ]
-      }
-    }
-    ```
-
-=== "Use as global DNS"
-
-    ```json
-    {
-      "dns": {
-        "servers": [
-          {
-            "type": "resolved",
-            "service": "resolved",
-            "accept_default_resolvers": true
-          }
-        ]
-      }
-    }
-    ```

docs/configuration/dns/server/tailscale.md

@@ -30,13 +30,13 @@ icon: material/new-box
 
 ==Required==
 
-The tag of the [Tailscale Endpoint](/configuration/endpoint/tailscale).
+The tag of the Tailscale endpoint.
 
 #### accept_default_resolvers
 
 Indicates whether default DNS resolvers should be accepted for fallback queries in addition to MagicDNS。
 
-if not enabled, `NXDOMAIN` will be returned for non-Tailscale domain queries.
+if not enabled, NXDOMAIN will be returned for non-Tailscale domain queries.
 
 ### Examples
 
@@ -80,4 +80,4 @@ if not enabled, `NXDOMAIN` will be returned for non-Tailscale domain queries.
         ]
       }
     }
-    ```
+    ```

docs/configuration/endpoint/index.md

@@ -6,7 +6,7 @@ icon: material/new-box
 
 # Endpoint
 
-An endpoint is a protocol with inbound and outbound behavior.
+Endpoint is protocols that has both inbound and outbound behavior.
 
 ### Structure
 

docs/configuration/endpoint/index.zh.md

@@ -25,7 +25,7 @@ icon: material/new-box
 
 | 类型          | 格式                        |
 |-------------|---------------------------|
-| `wireguard` | [WireGuard](./wireguard/) |
+| `wireguard` | [WireGuard](./wiregaurd/) |
 | `tailscale` | [Tailscale](./tailscale/) |
 
 #### tag

docs/configuration/endpoint/tailscale.md

@@ -15,7 +15,6 @@ icon: material/new-box
   "control_url": "",
   "ephemeral": false,
   "hostname": "",
-  "accept_routes": false,
   "exit_node": "",
   "exit_node_allow_lan_access": false,
   "advertise_routes": [],
@@ -63,10 +62,6 @@ System hostname is used by default.
 
 Example: `localhost`
 
-#### accept_routes
-
-Indicates whether the node should accept routes advertised by other nodes.
-
 #### exit_node
 
 The exit node name or IP address to use.

docs/configuration/experimental/clash-api.md

@@ -59,7 +59,7 @@
     {
       "external_controller": "0.0.0.0:9090",
       "external_ui": "dashboard"
-      // "external_ui_download_detour": "direct"
+      // external_ui_download_detour: "direct"
     }
     ```
 

docs/configuration/experimental/clash-api.zh.md

@@ -59,7 +59,7 @@
     {
       "external_controller": "0.0.0.0:9090",
       "external_ui": "dashboard"
-      // "external_ui_download_detour": "direct"
+      // external_ui_download_detour: "direct"
     }
     ```
 

docs/configuration/inbound/anytls.md

@@ -42,18 +42,16 @@ AnyTLS padding scheme line array.
 
 Default padding scheme:
 
-```json
-[
-  "stop=8",
-  "0=30-30",
-  "1=100-400",
-  "2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000",
-  "3=9-9,500-1000",
-  "4=500-1000",
-  "5=500-1000",
-  "6=500-1000",
-  "7=500-1000"
-]
+```
+stop=8
+0=30-30
+1=100-400
+2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000
+3=9-9,500-1000
+4=500-1000
+5=500-1000
+6=500-1000
+7=500-1000
 ```
 
 #### tls

docs/configuration/inbound/anytls.zh.md

@@ -42,18 +42,16 @@ AnyTLS 填充方案行数组。
 
 默认填充方案:
 
-```json
-[
-  "stop=8",
-  "0=30-30",
-  "1=100-400",
-  "2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000",
-  "3=9-9,500-1000",
-  "4=500-1000",
-  "5=500-1000",
-  "6=500-1000",
-  "7=500-1000"
-]
+```
+stop=8
+0=30-30
+1=100-400
+2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000
+3=9-9,500-1000
+4=500-1000
+5=500-1000
+6=500-1000
+7=500-1000
 ```
 
 #### tls

docs/configuration/inbound/tun.md

@@ -1,11 +1,7 @@
 ---
-icon: material/new-box
+icon: material/alert-decagram
 ---
 
-!!! quote "Changes in sing-box 1.12.0"
-
-    :material-plus: [loopback_address](#loopback_address)
-
 !!! quote "Changes in sing-box 1.11.0"
 
     :material-delete-alert: [gso](#gso)  
@@ -60,12 +56,9 @@ icon: material/new-box
   "auto_route": true,
   "iproute2_table_index": 2022,
   "iproute2_rule_index": 9000,
-  "auto_redirect": true,
+  "auto_redirect": false,
   "auto_redirect_input_mark": "0x2023",
   "auto_redirect_output_mark": "0x2024",
-  "loopback_address": [
-    "10.7.0.1"
-  ],
   "strict_route": true,
   "route_address": [
     "0.0.0.0/1",
@@ -73,6 +66,7 @@ icon: material/new-box
     "::/1",
     "8000::/1"
   ],
+  
   "route_exclude_address": [
     "192.168.0.0/16",
     "fc00::/7"
@@ -123,6 +117,7 @@ icon: material/new-box
       "match_domain": []
     }
   },
+
   // Deprecated
   "gso": false,
   "inet4_address": [
@@ -145,8 +140,8 @@ icon: material/new-box
   "inet6_route_exclude_address": [
     "fc00::/7"
   ],
-  ...
-  // Listen Fields
+  
+  ... // Listen Fields
 }
 ```
 
@@ -278,16 +273,6 @@ Connection output mark used by `auto_redirect`.
 
 `0x2024` is used by default.
 
-#### loopback_address
-
-!!! question "Since sing-box 1.12.0"
-
-Loopback addresses make TCP connections to the specified address connect to the source address.
-
-Setting option value to `10.7.0.1` achieves the same behavior as SideStore/StosVPN.
-
-When `auto_redirect` is enabled, the same behavior can be achieved for LAN devices (not just local) as a gateway.
-
 #### strict_route
 
 Enforce strict routing rules when `auto_route` is enabled:

docs/configuration/inbound/tun.zh.md

@@ -1,11 +1,7 @@
 ---
-icon: material/new-box
+icon: material/alert-decagram
 ---
 
-!!! quote "sing-box 1.12.0 中的更改"
-
-    :material-plus: [loopback_address](#loopback_address)
-
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-delete-alert: [gso](#gso)  
@@ -60,12 +56,9 @@ icon: material/new-box
   "auto_route": true,
   "iproute2_table_index": 2022,
   "iproute2_rule_index": 9000,
-  "auto_redirect": true,
+  "auto_redirect": false,
   "auto_redirect_input_mark": "0x2023",
   "auto_redirect_output_mark": "0x2024",
-  "loopback_address": [
-    "10.7.0.1"
-  ],
   "strict_route": true,
   "route_address": [
     "0.0.0.0/1",
@@ -277,16 +270,6 @@ tun 接口的 IPv6 前缀。
 
 默认使用 `0x2024`。
 
-#### loopback_address
-
-!!! question "自 sing-box 1.12.0 起"
-
-环回地址是用于使指向指定地址的 TCP 连接连接到来源地址的。
-
-将选项值设置为 `10.7.0.1` 可实现与 SideStore/StosVPN 相同的行为。
-
-当启用 `auto_redirect` 时，可以作为网关为局域网设备（而不仅仅是本地）实现相同的行为。
-
 #### strict_route
 
 当启用 `auto_route` 时，强制执行严格的路由规则：
@@ -415,11 +398,11 @@ UDP NAT 过期时间。
 
 TCP/IP 栈。
 
-| 栈       | 描述                                                                                                  | 
-|----------|-------------------------------------------------------------------------------------------------------|
-| `system` | 基于系统网络栈执行 L3 到 L4 转换                                                                        |
-| `gvisor` | 基于 [gVisor](https://github.com/google/gvisor) 虚拟网络栈执行 L3 到 L4 转换                            |
-| `mixed`  | 混合 `system` TCP 栈与 `gvisor` UDP 栈                                                                 |
+| 栈      | 描述                                                               |
+|--------|------------------------------------------------------------------|
+| system | 基于系统网络栈执行 L3 到 L4 转换                                             |
+| gVisor | 基于 [gVisor](https://github.com/google/gvisor) 虚拟网络栈执行 L3 到 L4 转换 |
+| mixed  | 混合 `system` TCP 栈与 `gvisor` UDP 栈                                |
 
 默认使用 `mixed` 栈如果 gVisor 构建标记已启用，否则默认使用 `system` 栈。
 

docs/configuration/index.md

@@ -14,7 +14,6 @@ sing-box uses JSON for configuration files.
   "inbounds": [],
   "outbounds": [],
   "route": {},
-  "services": [],
   "experimental": {}
 }
 ```
@@ -31,7 +30,6 @@ sing-box uses JSON for configuration files.
 | `inbounds`     | [Inbound](./inbound/)           |
 | `outbounds`    | [Outbound](./outbound/)         |
 | `route`        | [Route](./route/)               |
-| `services`     | [Service](./service/)           |
 | `experimental` | [Experimental](./experimental/) |
 
 ### Check

docs/configuration/index.zh.md

@@ -14,7 +14,6 @@ sing-box 使用 JSON 作为配置文件格式。
   "inbounds": [],
   "outbounds": [],
   "route": {},
-  "services": [],
   "experimental": {}
 }
 ```
@@ -31,7 +30,6 @@ sing-box 使用 JSON 作为配置文件格式。
 | `inbounds`     | [入站](./inbound/)       |
 | `outbounds`    | [出站](./outbound/)      |
 | `route`        | [路由](./route/)         |
-| `services`     | [服务](./service/)       |
 | `experimental` | [实验性](./experimental/) |
 
 ### 检查

docs/configuration/outbound/block.md

@@ -2,6 +2,10 @@
 icon: material/delete-clock
 ---
 
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Legacy special outbounds are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
+
 ### Structure
 
 ```json

docs/configuration/outbound/block.zh.md

@@ -2,6 +2,10 @@
 icon: material/delete-clock
 ---
 
+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
+
 `block` 出站关闭所有传入请求。
 
 ### 结构

docs/configuration/route/rule_action.md

@@ -6,7 +6,6 @@ icon: material/new-box
 
     :material-plus: [tls_fragment](#tls_fragment)  
     :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)  
-    :material-plus: [tls_record_fragment](#tls_record_fragment)  
     :material-plus: [resolve.disable_cache](#disable_cache)  
     :material-plus: [resolve.rewrite_ttl](#rewrite_ttl)  
     :material-plus: [resolve.client_subnet](#client_subnet)
@@ -92,8 +91,7 @@ Not available when `method` is set to drop.
   "udp_connect": false,
   "udp_timeout": "",
   "tls_fragment": false,
-  "tls_fragment_fallback_delay": "",
-  "tls_record_fragment": ""
+  "tls_fragment_fallback_delay": ""
 }
 ```
 
@@ -166,17 +164,13 @@ If no protocol is sniffed, the following ports will be recognized as protocols b
 
 Fragment TLS handshakes to bypass firewalls.
 
-This feature is intended to circumvent simple firewalls based on **plaintext packet matching**,
-and should not be used to circumvent real censorship.
+This feature is intended to circumvent simple firewalls based on **plaintext packet matching**, and should not be used to circumvent real censorship.
 
-Due to poor performance, try `tls_record_fragment` first, and only apply to server names known to be blocked.
+Since it is not designed for performance, it should not be applied to all connections, but only to server names that are known to be blocked.
 
-On Linux, Apple platforms, (administrator privileges required) Windows,
-the wait time can be automatically detected. Otherwise, it will fall back to
-waiting for a fixed time specified by `tls_fragment_fallback_delay`.
+On Linux, Apple platforms, (administrator privileges required) Windows, the wait time can be automatically detected, otherwise it will fall back to waiting for a fixed time specified by `tls_fragment_fallback_delay`.
 
-In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,
-because the target is considered to be local or behind a transparent proxy.
+In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time, because the target is considered to be local or behind a transparent proxy.
 
 #### tls_fragment_fallback_delay
 
@@ -186,12 +180,6 @@ The fallback value used when TLS segmentation cannot automatically determine the
 
 `500ms` is used by default.
 
-#### tls_record_fragment
-
-!!! question "Since sing-box 1.12.0"
-
-Fragment TLS handshake into multiple TLS records to bypass firewalls.
-
 ### sniff
 
 ```json

docs/configuration/route/rule_action.zh.md

@@ -5,11 +5,7 @@ icon: material/new-box
 !!! quote "sing-box 1.12.0 中的更改"
 
     :material-plus: [tls_fragment](#tls_fragment)  
-    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)  
-    :material-plus: [tls_record_fragment](#tls_record_fragment)  
-    :material-plus: [resolve.disable_cache](#disable_cache)  
-    :material-plus: [resolve.rewrite_ttl](#rewrite_ttl)  
-    :material-plus: [resolve.client_subnet](#client_subnet)
+    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)
 
 ## 最终动作
 
@@ -163,10 +159,9 @@ UDP 连接超时时间。
 
 此功能旨在规避基于**明文数据包匹配**的简单防火墙，不应该用于规避真的审查。
 
-由于性能不佳，请首先尝试 `tls_record_fragment`，且仅应用于已知被阻止的服务器名称。
+由于它不是为性能设计的，不应被应用于所有连接，而仅应用于已知被阻止的服务器名称。
 
-在 Linux、Apple 平台和需要管理员权限的 Windows 系统上，可自动检测等待时间。
-若无法自动检测，将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。
+在 Linux、Apple 平台和需要管理员权限的 Windows 系统上，可自动检测等待时间。若无法自动检测，将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。
 
 此外，若实际等待时间小于 20 毫秒，同样会回退至固定等待时间模式，因为此时判定目标处于本地或透明代理之后。
 
@@ -178,12 +173,6 @@ UDP 连接超时时间。
 
 默认使用 `500ms`。
 
-#### tls_record_fragment
-
-!!! question "自 sing-box 1.12.0 起"
-
-通过分段 TLS 握手数据包到多个 TLS 记录来绕过防火墙检测。
-
 ### sniff
 
 ```json