documentation: Update changelog

Fix v2ray HTTP/1.1 transport compatibility
dns: Fix rewrite TTL
2026-04-12 01:57:18 +10:00 · 2023-04-07 19:18:26 +08:00 · 2023-04-07 18:20:07 +08:00 · 2023-04-07 16:19:34 +08:00 · 2023-04-07 16:19:34 +08:00 · 2023-04-07 13:12:16 +08:00
132 changed files with 1933 additions and 2020 deletions
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -117,8 +117,6 @@ nfpms:
        dst: /etc/systemd/system/sing-box@.service
      - src: LICENSE
        dst: /usr/share/licenses/sing-box/LICENSE
-    scripts:
-      postremove: release/config/postremove.sh
 source:
  enabled: false
  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
--- a/2
+++ b/2
@@ -9,7 +9,7 @@ RUN set -ex \
    && apk add git build-base \
    && export COMMIT=$(git rev-parse --short HEAD) \
    && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags with_quic,with_wireguard,with_reality_server,with_acme \
+    && go build -v -trimpath -tags with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
        -o /go/bin/sing-box \
        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
        ./cmd/sing-box
--- a/5
+++ b/5
@@ -11,4 +11,7 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.

 You should have received a copy of the GNU General Public License
-along with this program. If not, see <http://www.gnu.org/licenses/>.
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+In addition, no derivative work may use the name or imply association
+with this application without prior consent.
--- a/README.md
+++ b/README.md
@@ -25,4 +25,7 @@ GNU General Public License for more details.

 You should have received a copy of the GNU General Public License
 along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+In addition, no derivative work may use the name or imply association
+with this application without prior consent.
 ```
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -27,7 +27,7 @@ type InjectableInbound interface {
 type InboundContext struct {
 	Inbound     string
 	InboundType string
-	IPVersion   uint8
+	IPVersion   int
 	Network     string
 	Source      M.Socksaddr
 	Destination M.Socksaddr
--- a/adapter/outbound.go
+++ b/adapter/outbound.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"net"

-	tun "github.com/sagernet/sing-tun"
 	N "github.com/sagernet/sing/common/network"
 )

@@ -18,8 +17,3 @@ type Outbound interface {
 	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
-
-type IPOutbound interface {
-	Outbound
-	NewIPConnection(ctx context.Context, conn tun.RouteContext, metadata InboundContext) (tun.DirectDestination, error)
-}
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -23,9 +23,6 @@ type Router interface {

 	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
-	RouteIPConnection(ctx context.Context, conn tun.RouteContext, metadata InboundContext) tun.RouteAction
-
-	NatRequired(outbound string) bool

 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
@@ -42,9 +39,7 @@ type Router interface {
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
-
 	Rules() []Rule
-	IPRules() []IPRule

 	TimeService

@@ -83,11 +78,6 @@ type DNSRule interface {
 	DisableCache() bool
 }

-type IPRule interface {
-	Rule
-	Action() tun.ActionType
-}
-
 type InterfaceUpdateListener interface {
 	InterfaceUpdated() error
 }
--- a/box.go
+++ b/box.go
@@ -9,7 +9,6 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/inbound"
@@ -31,18 +30,25 @@ type Box struct {
 	outbounds    []adapter.Outbound
 	logFactory   log.Factory
 	logger       log.ContextLogger
-	logFile      *os.File
 	preServices  map[string]adapter.Service
 	postServices map[string]adapter.Service
 	done         chan struct{}
 }

-func New(ctx context.Context, options option.Options, platformInterface platform.Interface) (*Box, error) {
-	createdAt := time.Now()
+type Options struct {
+	option.Options
+	Context           context.Context
+	PlatformInterface platform.Interface
+}

+func New(options Options) (*Box, error) {
+	ctx := options.Context
+	if ctx == nil {
+		ctx = context.Background()
+	}
+	createdAt := time.Now()
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
-
 	var needClashAPI bool
 	var needV2RayAPI bool
 	if experimentalOptions.ClashAPI != nil && experimentalOptions.ClashAPI.ExternalController != "" {
@@ -51,60 +57,20 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
 		needV2RayAPI = true
 	}
-
-	logOptions := common.PtrValueOrDefault(options.Log)
-
-	var logFactory log.Factory
-	var observableLogFactory log.ObservableFactory
-	var logFile *os.File
-	var logWriter io.Writer
-	if logOptions.Disabled {
-		observableLogFactory = log.NewNOPFactory()
-		logFactory = observableLogFactory
-	} else {
-		switch logOptions.Output {
-		case "":
-			if platformInterface != nil {
-				logWriter = io.Discard
-			} else {
-				logWriter = os.Stdout
-			}
-		case "stderr":
-			logWriter = os.Stderr
-		case "stdout":
-			logWriter = os.Stdout
-		default:
-			var err error
-			logFile, err = os.OpenFile(C.BasePath(logOptions.Output), os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
-			if err != nil {
-				return nil, err
-			}
-			logWriter = logFile
-		}
-		logFormatter := log.Formatter{
-			BaseTime:         createdAt,
-			DisableColors:    logOptions.DisableColor || logFile != nil,
-			DisableTimestamp: !logOptions.Timestamp && logFile != nil,
-			FullTimestamp:    logOptions.Timestamp,
-			TimestampFormat:  "-0700 2006-01-02 15:04:05",
-		}
-		if needClashAPI {
-			observableLogFactory = log.NewObservableFactory(logFormatter, logWriter, platformInterface)
-			logFactory = observableLogFactory
-		} else {
-			logFactory = log.NewFactory(logFormatter, logWriter, platformInterface)
-		}
-		if logOptions.Level != "" {
-			logLevel, err := log.ParseLevel(logOptions.Level)
-			if err != nil {
-				return nil, E.Cause(err, "parse log level")
-			}
-			logFactory.SetLevel(logLevel)
-		} else {
-			logFactory.SetLevel(log.LevelTrace)
-		}
+	var defaultLogWriter io.Writer
+	if options.PlatformInterface != nil {
+		defaultLogWriter = io.Discard
+	}
+	logFactory, err := log.New(log.Options{
+		Options:        common.PtrValueOrDefault(options.Log),
+		Observable:     needClashAPI,
+		DefaultWriter:  defaultLogWriter,
+		BaseTime:       createdAt,
+		PlatformWriter: options.PlatformInterface,
+	})
+	if err != nil {
+		return nil, E.Cause(err, "create log factory")
 	}
-
 	router, err := route.NewRouter(
 		ctx,
 		logFactory,
@@ -112,7 +78,7 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 		common.PtrValueOrDefault(options.DNS),
 		common.PtrValueOrDefault(options.NTP),
 		options.Inbounds,
-		platformInterface,
+		options.PlatformInterface,
 	)
 	if err != nil {
 		return nil, E.Cause(err, "parse route options")
@@ -132,7 +98,7 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
 			inboundOptions,
-			platformInterface,
+			options.PlatformInterface,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "parse inbound[", i, "]")
@@ -169,7 +135,7 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 	preServices := make(map[string]adapter.Service)
 	postServices := make(map[string]adapter.Service)
 	if needClashAPI {
-		clashServer, err := experimental.NewClashServer(router, observableLogFactory, common.PtrValueOrDefault(options.Experimental.ClashAPI))
+		clashServer, err := experimental.NewClashServer(router, logFactory.(log.ObservableFactory), common.PtrValueOrDefault(options.Experimental.ClashAPI))
 		if err != nil {
 			return nil, E.Cause(err, "create clash api server")
 		}
@@ -191,7 +157,6 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 		createdAt:    createdAt,
 		logFactory:   logFactory,
 		logger:       logFactory.Logger(),
-		logFile:      logFile,
 		preServices:  preServices,
 		postServices: postServices,
 		done:         make(chan struct{}),
@@ -238,7 +203,6 @@ func (s *Box) Start() error {

 func (s *Box) preStart() error {
 	for serviceName, service := range s.preServices {
-		s.logger.Trace("pre-starting ", serviceName)
 		err := adapter.PreStart(service)
 		if err != nil {
 			return E.Cause(err, "pre-start ", serviceName)
@@ -246,15 +210,14 @@ func (s *Box) preStart() error {
 	}
 	for i, out := range s.outbounds {
 		if starter, isStarter := out.(common.Starter); isStarter {
-			var tag string
-			if out.Tag() == "" {
-				tag = F.ToString(i)
-			} else {
-				tag = out.Tag()
-			}
-			s.logger.Trace("initializing outbound ", tag)
 			err := starter.Start()
 			if err != nil {
+				var tag string
+				if out.Tag() == "" {
+					tag = F.ToString(i)
+				} else {
+					tag = out.Tag()
+				}
 				return E.Cause(err, "initialize outbound/", out.Type(), "[", tag, "]")
 			}
 		}
@@ -268,30 +231,27 @@ func (s *Box) start() error {
 		return err
 	}
 	for serviceName, service := range s.preServices {
-		s.logger.Trace("starting ", serviceName)
 		err = service.Start()
 		if err != nil {
 			return E.Cause(err, "start ", serviceName)
 		}
 	}
 	for i, in := range s.inbounds {
-		var tag string
-		if in.Tag() == "" {
-			tag = F.ToString(i)
-		} else {
-			tag = in.Tag()
-		}
-		s.logger.Trace("initializing inbound ", tag)
 		err = in.Start()
 		if err != nil {
+			var tag string
+			if in.Tag() == "" {
+				tag = F.ToString(i)
+			} else {
+				tag = in.Tag()
+			}
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
 	for serviceName, service := range s.postServices {
-		s.logger.Trace("start ", serviceName)
 		err = service.Start()
 		if err != nil {
-			return E.Cause(err, "starting ", serviceName)
+			return E.Cause(err, "start ", serviceName)
 		}
 	}
 	return nil
@@ -307,57 +267,34 @@ func (s *Box) Close() error {
 	var errors error
 	for serviceName, service := range s.postServices {
 		errors = E.Append(errors, service.Close(), func(err error) error {
-			s.logger.Trace("closing ", serviceName)
 			return E.Cause(err, "close ", serviceName)
 		})
 	}
 	for i, in := range s.inbounds {
-		var tag string
-		if in.Tag() == "" {
-			tag = F.ToString(i)
-		} else {
-			tag = in.Tag()
-		}
-		s.logger.Trace("closing inbound ", tag)
 		errors = E.Append(errors, in.Close(), func(err error) error {
 			return E.Cause(err, "close inbound/", in.Type(), "[", i, "]")
 		})
 	}
 	for i, out := range s.outbounds {
-		var tag string
-		if out.Tag() == "" {
-			tag = F.ToString(i)
-		} else {
-			tag = out.Tag()
-		}
-		s.logger.Trace("closing outbound ", tag)
 		errors = E.Append(errors, common.Close(out), func(err error) error {
-			return E.Cause(err, "close inbound/", out.Type(), "[", i, "]")
+			return E.Cause(err, "close outbound/", out.Type(), "[", i, "]")
 		})
 	}
-	s.logger.Trace("closing router")
 	if err := common.Close(s.router); err != nil {
 		errors = E.Append(errors, err, func(err error) error {
 			return E.Cause(err, "close router")
 		})
 	}
 	for serviceName, service := range s.preServices {
-		s.logger.Trace("closing ", serviceName)
 		errors = E.Append(errors, service.Close(), func(err error) error {
 			return E.Cause(err, "close ", serviceName)
 		})
 	}
-	s.logger.Trace("closing logger")
 	if err := common.Close(s.logFactory); err != nil {
 		errors = E.Append(errors, err, func(err error) error {
 			return E.Cause(err, "close log factory")
 		})
 	}
-	if s.logFile != nil {
-		errors = E.Append(errors, s.logFile.Close(), func(err error) error {
-			return E.Cause(err, "close log file")
-		})
-	}
 	return errors
 }

--- a/cmd/sing-box/cmd_check.go
+++ b/cmd/sing-box/cmd_check.go
@@ -31,7 +31,10 @@ func check() error {
 		return err
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(ctx, options, nil)
+	instance, err := box.New(box.Options{
+		Context: ctx,
+		Options: options,
+	})
 	if err == nil {
 		instance.Close()
 	}
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@@ -127,7 +127,10 @@ func create() (*box.Box, context.CancelFunc, error) {
 		options.Log.DisableColor = true
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(ctx, options, nil)
+	instance, err := box.New(box.Options{
+		Context: ctx,
+		Options: options,
+	})
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "create service")
--- a/cmd/sing-box/cmd_tools.go
+++ b/cmd/sing-box/cmd_tools.go
@@ -1,8 +1,6 @@
 package main

 import (
-	"context"
-
 	"github.com/sagernet/sing-box"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
@@ -27,7 +25,7 @@ func createPreStartedClient() (*box.Box, error) {
 	if err != nil {
 		return nil, err
 	}
-	instance, err := box.New(context.Background(), options, nil)
+	instance, err := box.New(box.Options{Options: options})
 	if err != nil {
 		return nil, E.Cause(err, "create service")
 	}
--- a/common/canceler/instance.go
+++ b/common/canceler/instance.go
@@ -1,48 +0,0 @@
-package canceler
-
-import (
-	"context"
-	"time"
-)
-
-type Instance struct {
-	ctx        context.Context
-	cancelFunc context.CancelFunc
-	timer      *time.Timer
-	timeout    time.Duration
-}
-
-func New(ctx context.Context, cancelFunc context.CancelFunc, timeout time.Duration) *Instance {
-	instance := &Instance{
-		ctx,
-		cancelFunc,
-		time.NewTimer(timeout),
-		timeout,
-	}
-	go instance.wait()
-	return instance
-}
-
-func (i *Instance) Update() bool {
-	if !i.timer.Stop() {
-		return false
-	}
-	if !i.timer.Reset(i.timeout) {
-		return false
-	}
-	return true
-}
-
-func (i *Instance) wait() {
-	select {
-	case <-i.timer.C:
-	case <-i.ctx.Done():
-	}
-	i.Close()
-}
-
-func (i *Instance) Close() error {
-	i.timer.Stop()
-	i.cancelFunc()
-	return nil
-}
--- a/common/canceler/packet.go
+++ b/common/canceler/packet.go
@@ -1,49 +0,0 @@
-package canceler
-
-import (
-	"context"
-	"time"
-
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type PacketConn struct {
-	N.PacketConn
-	instance *Instance
-}
-
-func NewPacketConn(ctx context.Context, conn N.PacketConn, timeout time.Duration) (context.Context, N.PacketConn) {
-	ctx, cancel := context.WithCancel(ctx)
-	instance := New(ctx, cancel, timeout)
-	return ctx, &PacketConn{conn, instance}
-}
-
-func (c *PacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
-	destination, err = c.PacketConn.ReadPacket(buffer)
-	if err == nil {
-		c.instance.Update()
-	}
-	return
-}
-
-func (c *PacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	err := c.PacketConn.WritePacket(buffer, destination)
-	if err == nil {
-		c.instance.Update()
-	}
-	return err
-}
-
-func (c *PacketConn) Close() error {
-	return common.Close(
-		c.PacketConn,
-		c.instance,
-	)
-}
-
-func (c *PacketConn) Upstream() any {
-	return c.PacketConn
-}
--- a/common/dialer/conntrack/track.go
+++ b/common/dialer/conntrack/track.go
@@ -14,10 +14,16 @@ var (
 )

 func Count() int {
+	if !Enabled {
+		return 0
+	}
 	return openConnection.Len()
 }

 func List() []io.Closer {
+	if !Enabled {
+		return nil
+	}
 	connAccess.RLock()
 	defer connAccess.RUnlock()
 	connList := make([]io.Closer, 0, openConnection.Len())
@@ -28,6 +34,9 @@ func List() []io.Closer {
 }

 func Close() {
+	if !Enabled {
+		return
+	}
 	connAccess.Lock()
 	defer connAccess.Unlock()
 	for element := openConnection.Front(); element != nil; element = element.Next() {
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -154,9 +154,9 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 	switch N.NetworkName(network) {
 	case N.NetworkUDP:
 		if !address.IsIPv6() {
-			return d.udpDialer4.DialContext(ctx, network, address.String())
+			return trackConn(d.udpDialer4.DialContext(ctx, network, address.String()))
 		} else {
-			return d.udpDialer6.DialContext(ctx, network, address.String())
+			return trackConn(d.udpDialer6.DialContext(ctx, network, address.String()))
 		}
 	}
 	if !address.IsIPv6() {
--- a/common/dialer/resolve.go
+++ b/common/dialer/resolve.go
@@ -9,6 +9,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-dns"
+	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -68,11 +69,11 @@ func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if err != nil {
 		return nil, err
 	}
-	conn, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
+	conn, destinationAddress, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
 	if err != nil {
 		return nil, err
 	}
-	return NewResolvePacketConn(ctx, d.router, d.strategy, conn), nil
+	return bufio.NewNATPacketConn(bufio.NewPacketConn(conn), destination, M.SocksaddrFrom(destinationAddress, destination.Port)), nil
 }

 func (d *ResolveDialer) Upstream() any {
--- a/common/dialer/resolve_conn.go
+++ b/common/dialer/resolve_conn.go
@@ -1,84 +0,0 @@
-package dialer
-
-import (
-	"context"
-	"net"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func NewResolvePacketConn(ctx context.Context, router adapter.Router, strategy dns.DomainStrategy, conn net.PacketConn) N.NetPacketConn {
-	if udpConn, ok := conn.(*net.UDPConn); ok {
-		return &ResolveUDPConn{udpConn, ctx, router, strategy}
-	} else {
-		return &ResolvePacketConn{conn, ctx, router, strategy}
-	}
-}
-
-type ResolveUDPConn struct {
-	*net.UDPConn
-	ctx      context.Context
-	router   adapter.Router
-	strategy dns.DomainStrategy
-}
-
-func (w *ResolveUDPConn) ReadPacket(buffer *buf.Buffer) (M.Socksaddr, error) {
-	n, addr, err := w.ReadFromUDPAddrPort(buffer.FreeBytes())
-	if err != nil {
-		return M.Socksaddr{}, err
-	}
-	buffer.Truncate(n)
-	return M.SocksaddrFromNetIP(addr), nil
-}
-
-func (w *ResolveUDPConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	defer buffer.Release()
-	if destination.IsFqdn() {
-		addresses, err := w.router.Lookup(w.ctx, destination.Fqdn, w.strategy)
-		if err != nil {
-			return err
-		}
-		return common.Error(w.UDPConn.WriteToUDPAddrPort(buffer.Bytes(), M.SocksaddrFrom(addresses[0], destination.Port).AddrPort()))
-	}
-	return common.Error(w.UDPConn.WriteToUDPAddrPort(buffer.Bytes(), destination.AddrPort()))
-}
-
-func (w *ResolveUDPConn) Upstream() any {
-	return w.UDPConn
-}
-
-type ResolvePacketConn struct {
-	net.PacketConn
-	ctx      context.Context
-	router   adapter.Router
-	strategy dns.DomainStrategy
-}
-
-func (w *ResolvePacketConn) ReadPacket(buffer *buf.Buffer) (M.Socksaddr, error) {
-	_, addr, err := buffer.ReadPacketFrom(w)
-	if err != nil {
-		return M.Socksaddr{}, err
-	}
-	return M.SocksaddrFromNet(addr), err
-}
-
-func (w *ResolvePacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	defer buffer.Release()
-	if destination.IsFqdn() {
-		addresses, err := w.router.Lookup(w.ctx, destination.Fqdn, w.strategy)
-		if err != nil {
-			return err
-		}
-		return common.Error(w.WriteTo(buffer.Bytes(), M.SocksaddrFrom(addresses[0], destination.Port).UDPAddr()))
-	}
-	return common.Error(w.WriteTo(buffer.Bytes(), destination.UDPAddr()))
-}
-
-func (w *ResolvePacketConn) Upstream() any {
-	return w.PacketConn
-}
--- a/common/dialer/tfo.go
+++ b/common/dialer/tfo.go
@@ -27,12 +27,7 @@ type slowOpenConn struct {

 func DialSlowContext(dialer *tfo.Dialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	if dialer.DisableTFO || N.NetworkName(network) != N.NetworkTCP {
-		switch N.NetworkName(network) {
-		case N.NetworkTCP, N.NetworkUDP:
-			return dialer.Dialer.DialContext(ctx, network, destination.String())
-		default:
-			return dialer.Dialer.DialContext(ctx, network, destination.AddrString())
-		}
+		return dialer.DialContext(ctx, network, destination.String(), nil)
 	}
 	return &slowOpenConn{
 		dialer:      dialer,
@@ -124,6 +119,10 @@ func (c *slowOpenConn) LazyHeadroom() bool {
 	return c.conn == nil
 }

+func (c *slowOpenConn) NeedHandshake() bool {
+	return c.conn == nil
+}
+
 func (c *slowOpenConn) ReadFrom(r io.Reader) (n int64, err error) {
 	if c.conn != nil {
 		return bufio.Copy(c.conn, r)
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -124,8 +124,9 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	binary.BigEndian.PutUint64(hello.SessionId, uint64(nowTime.Unix()))

 	hello.SessionId[0] = 1
-	hello.SessionId[1] = 7
-	hello.SessionId[2] = 5
+	hello.SessionId[1] = 8
+	hello.SessionId[2] = 0
+	binary.BigEndian.PutUint32(hello.SessionId[4:], uint32(time.Now().Unix()))
 	copy(hello.SessionId[8:], e.shortID[:])

 	if debug.Enabled {
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,53 @@
+#### 1.2.3
+
+* Introducing our [new Android client application](/installation/clients/sfa)
+* Improve UDP domain destination NAT
+* Update reality protocol
+* Fix TTL calculation for DNS response
+* Fix v2ray HTTP transport compatibility
+* Fix bugs and update dependencies
+
+#### 1.2.2
+
+* Accept `any` outbound in dns rule **1**
+* Fix bugs and update dependencies
+
+*1*:
+
+Now you can use the `any` outbound rule to match server address queries instead of filling in all server domains
+to `domain` rule.
+
+#### 1.2.1
+
+* Fix missing default host in v2ray http transport`s request
+* Flush DNS cache for macOS when tun start/close
+* Fix tun's DNS hijacking compatibility with systemd-resolved
+
+#### 1.2.0
+
+* Fix bugs and update dependencies
+
+Important changes since 1.1:
+
+* Introducing our [new iOS client application](/installation/clients/sfi)
+* Introducing [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
+* Add [platform options](/configuration/inbound/tun#platform) for tun inbound
+* Add [ShadowTLS protocol v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md)
+* Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
+* Add [reality TLS](/configuration/shared/tls) support
+* Add [NTP service](/configuration/ntp)
+* Add [DHCP DNS server](/configuration/dns/server) support
+* Add SSH [host key validation](/configuration/outbound/ssh) support
+* Add [query_type](/configuration/dns/rule) DNS rule item
+* Add fallback support for v2ray transport
+* Add custom TLS server support for http based v2ray transports
+* Add health check support for http-based v2ray transports
+* Add multiple configuration support
+
+#### 1.2-rc1
+
+* Fix bugs and update dependencies
+
 #### 1.2-beta10

 * Add multiple configuration support **1**
@@ -5,9 +55,11 @@

 *1*:

-Now you can pass the parameter `--config` or `-c` multiple times, or use the new parameter `--config-directory` or `-C` to load all configuration files in a directory.
+Now you can pass the parameter `--config` or `-c` multiple times, or use the new parameter `--config-directory` or `-C`
+to load all configuration files in a directory.

-Loaded configuration files are sorted by name. If you want to control the merge order, add a numeric prefix to the file name.
+Loaded configuration files are sorted by name. If you want to control the merge order, add a numeric prefix to the file
+name.

 #### 1.1.7

--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -232,6 +232,8 @@ Invert match result.

 Match outbound.

+`any` can be used as a value to match any outbound.
+
 #### server

 ==Required==
@@ -254,18 +256,4 @@ Disable cache and save cache in this query.

 #### rules

-Included default rules.
-
-#### invert
-
-Invert match result.
-
-#### server
-
-==Required==
-
-Tag of the target dns server.
-
-#### disable_cache
-
-Disable cache and save cache in this query.
+Included default rules.
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -231,6 +231,8 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 匹配出站。

+`any` 可作为值用于匹配任意出站。
+
 #### server

 ==必填==
@@ -253,18 +255,4 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 #### rules

-包括的默认规则。
-
-#### invert
-
-反选匹配结果。
-
-#### server
-
-==必填==
-
-目标 DNS 服务器的标签。
-
-#### disable_cache
-
-在此查询中禁用缓存。
+包括的默认规则。
--- a/docs/configuration/inbound/http.md
+++ b/docs/configuration/inbound/http.md
@@ -40,4 +40,8 @@ No authentication required if empty.

    Only supported on Linux, Android, Windows, and macOS.

+!!! warning ""
+
+    To work on Android and iOS without privileges, use tun.platform.http_proxy instead.
+
 Automatically set system proxy configuration when start and clean up when stop.
--- a/docs/configuration/inbound/http.zh.md
+++ b/docs/configuration/inbound/http.zh.md
@@ -40,4 +40,8 @@ HTTP 用户

    仅支持 Linux、Android、Windows 和 macOS。

+!!! warning ""
+
+    要在无特权的 Android 和 iOS 上工作，请改用 tun.platform.http_proxy。
+
 启动时自动设置系统代理，停止时自动清理。
--- a/docs/configuration/inbound/mixed.md
+++ b/docs/configuration/inbound/mixed.md
@@ -37,4 +37,8 @@ No authentication required if empty.

    Only supported on Linux, Android, Windows, and macOS.

-Automatically set system proxy configuration when start and clean up when stop.
+!!! warning ""
+
+    To work on Android and iOS without privileges, use tun.platform.http_proxy instead.
+
+Automatically set system proxy configuration when start and clean up when stop.
--- a/docs/configuration/inbound/mixed.zh.md
+++ b/docs/configuration/inbound/mixed.zh.md
@@ -37,4 +37,8 @@ SOCKS 和 HTTP 用户

    仅支持 Linux、Android、Windows 和 macOS。

+!!! warning ""
+
+    要在无特权的 Android 和 iOS 上工作，请改用 tun.platform.http_proxy。
+
 启动时自动设置系统代理，停止时自动清理。
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -107,8 +107,7 @@ Enforce strict routing rules when `auto_route` is enabled:
 * Let unsupported network unreachable
 * Route all connections to tun

-It prevents address leaks and makes DNS hijacking work on Android and Linux with systemd-resolved, but your device will
-not be accessible by others.
+It prevents address leaks and makes DNS hijacking work on Android, but your device will not be accessible by others.

 *In Windows*:

--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -107,7 +107,7 @@ tun 接口的 IPv6 前缀。
 * 让不支持的网络无法到达
 * 将所有连接路由到 tun

-它可以防止地址泄漏，并使 DNS 劫持在 Android 和使用 systemd-resolved 的 Linux 上工作，但你的设备将无法其他设备被访问。
+它可以防止地址泄漏，并使 DNS 劫持在 Android 上工作，但你的设备将无法其他设备被访问。

 *在 Windows 中*:

--- a/docs/examples/linux-server-installation.md
+++ b/docs/examples/linux-server-installation.md
@@ -7,9 +7,9 @@
 #### Install

 ```shell
-git clone https://github.com/SagerNet/sing-box
+git clone -b main https://github.com/SagerNet/sing-box
 cd sing-box
-./release/local/install_go.sh # skip if you have go1.19 already installed
+./release/local/install_go.sh # skip if you have golang already installed
 ./release/local/install.sh
 ```

--- a/docs/examples/linux-server-installation.zh.md
+++ b/docs/examples/linux-server-installation.zh.md
@@ -7,9 +7,9 @@
 #### 安装

 ```shell
-git clone https://github.com/SagerNet/sing-box
+git clone -b main https://github.com/SagerNet/sing-box
 cd sing-box
-./release/local/install_go.sh # 如果已安装 go1.19 则跳过
+./release/local/install_go.sh # 如果已安装 golang 则跳过
 ./release/local/install.sh
 ```

--- a/docs/examples/tun.md
+++ b/docs/examples/tun.md
@@ -23,7 +23,10 @@
        "disable_cache": true
      },
      {
-        "domain": "mydomain.com",
+        "outbound": "any",
+        "server": "local"
+      },
+      {
        "geosite": "cn",
        "server": "local"
      }
--- a/docs/faq/known-issues.md
+++ b/docs/faq/known-issues.md
@@ -9,10 +9,6 @@ the public internet.

 `auto-route` cannot automatically hijack DNS requests when Android's `Private DNS` enabled or `strict_route` disabled.

-##### on Linux
-
-`auto-route` cannot automatically hijack DNS requests with `systemd-resolved` enabled and `strict_route` disabled.
-
 #### System proxy

 ##### on Linux
--- a/docs/faq/known-issues.zh.md
+++ b/docs/faq/known-issues.zh.md
@@ -8,10 +8,6 @@

 `auto-route` 无法自动劫持 DNS 请求如果 `私人 DNS` 开启或 `strict_route` 禁用。

-##### Linux
-
-`auto-route` 无法自动劫持 DNS 请求如果 `systemd-resolved` 开启且 `strict_route` 禁用。
-
 #### 系统代理

 ##### Linux
--- a/docs/index.md
+++ b/docs/index.md
@@ -25,4 +25,7 @@ GNU General Public License for more details.

 You should have received a copy of the GNU General Public License
 along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+In addition, no derivative work may use the name or imply association
+with this application without prior consent.
 ```
--- a/docs/index.zh.md
+++ b/docs/index.zh.md
@@ -25,4 +25,7 @@ GNU General Public License for more details.

 You should have received a copy of the GNU General Public License
 along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+In addition, no derivative work may use the name or imply association
+with this application without prior consent.
 ```
--- a/docs/installation/clients/sfa.md
+++ b/docs/installation/clients/sfa.md
@@ -0,0 +1,16 @@
+# SFA
+
+Experimental Android client for sing-box.
+
+#### Requirements
+
+* Android 5.0+
+
+#### Download
+
+* [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
+
+#### Note
+
+* Working directory is at `/sdcard/Android/data/io.nekohasekai.sfa/files` (External files directory)
+* User Agent is `SFA/$version ($version_code; sing-box $sing_box_version)` in the remote profile request
--- a/docs/installation/clients/sfa.zh.md
+++ b/docs/installation/clients/sfa.zh.md
@@ -0,0 +1,16 @@
+# SFA
+
+实验性的 Android sing-box 客户端。
+
+#### 要求
+
+* Android 5.0+
+
+#### 下载
+
+* [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
+
+#### 注意事项
+
+* 工作目录位于 `/sdcard/Android/data/io.nekohasekai.sfa/files` (外部文件目录)
+* 远程配置文件请求中的 User Agent 为 `SFA/$version ($version_code; sing-box $sing_box_version)`
--- a/docs/installation/clients/sfi/index.md
+++ b/docs/installation/clients/sfi/index.md
@@ -1,6 +1,6 @@
 # SFI

-Experimental official iOS client for sing-box.
+Experimental iOS client for sing-box.

 #### Requirements

@@ -11,9 +11,10 @@ Experimental official iOS client for sing-box.

 * [TestFlight](https://testflight.apple.com/join/c6ylui2j)

-#### Limit
+#### Note

-* `system` tun stack not working
+* `system` tun stack not working on iOS
+* User Agent is `SFI/$version ($version_code; sing-box $sing_box_version)` in the remote profile request

 #### Privacy policy

--- a/docs/installation/clients/sfi/index.zh.md
+++ b/docs/installation/clients/sfi/index.zh.md
@@ -1,6 +1,6 @@
 # SFI

-实验性的官方 iOS sing-box 客户端。
+实验性的 iOS sing-box 客户端。

 #### 要求

@@ -11,9 +11,10 @@

 * [TestFlight](https://testflight.apple.com/join/c6ylui2j)

-#### 限制
+#### 注意事项

-* `system` tun stack 不工作
+* `system` tun stack 在 iOS 不工作
+* 远程配置文件请求中的 User Agent 为 `SFI/$version ($version_code; sing-box $sing_box_version)`

 #### 隐私政策

--- a/experimental/libbox/command.go
+++ b/experimental/libbox/command.go
@@ -1,5 +1,3 @@
-//go:build darwin
-
 package libbox

 const (
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -1,5 +1,3 @@
-//go:build darwin
-
 package libbox

 import (
@@ -46,6 +44,7 @@ func clientConnect(sharedDirectory string) (net.Conn, error) {
 }

 func (c *CommandClient) Connect() error {
+	common.Close(c.conn)
 	conn, err := clientConnect(c.sharedDirectory)
 	if err != nil {
 		return err
--- a/experimental/libbox/command_conntrack.go
+++ b/experimental/libbox/command_conntrack.go
@@ -1,5 +1,3 @@
-//go:build darwin
-
 package libbox

 import (
--- a/experimental/libbox/command_log.go
+++ b/experimental/libbox/command_log.go
@@ -1,5 +1,3 @@
-//go:build darwin
-
 package libbox

 import (
--- a/experimental/libbox/command_reload.go
+++ b/experimental/libbox/command_reload.go
@@ -1,5 +1,3 @@
-//go:build darwin
-
 package libbox

 import (
--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@@ -1,5 +1,3 @@
-//go:build darwin
-
 package libbox

 import (
@@ -10,6 +8,7 @@ import (
 	"sync"

 	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/observable"
 	"github.com/sagernet/sing/common/x/list"
@@ -57,7 +56,10 @@ func (s *CommandServer) Start() error {
 }

 func (s *CommandServer) Close() error {
-	return s.listener.Close()
+	return common.Close(
+		s.listener,
+		s.observer,
+	)
 }

 func (s *CommandServer) loopConnection(listener net.Listener) {
--- a/experimental/libbox/command_status.go
+++ b/experimental/libbox/command_status.go
@@ -1,5 +1,3 @@
-//go:build darwin
-
 package libbox

 import (
--- a/experimental/libbox/command_stop.go
+++ b/experimental/libbox/command_stop.go
@@ -1,5 +1,3 @@
-//go:build darwin
-
 package libbox

 import (
--- a/experimental/libbox/config.go
+++ b/experimental/libbox/config.go
@@ -1,8 +1,11 @@
-//go:build linux || darwin
-
 package libbox

 import (
+	"bytes"
+	"context"
+	"encoding/json"
+
+	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
@@ -15,3 +18,36 @@ func parseConfig(configContent string) (option.Options, error) {
 	}
 	return options, nil
 }
+
+func CheckConfig(configContent string) error {
+	options, err := parseConfig(configContent)
+	if err != nil {
+		return err
+	}
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	instance, err := box.New(box.Options{
+		Context: ctx,
+		Options: options,
+	})
+	if err == nil {
+		instance.Close()
+	}
+	return err
+}
+
+func FormatConfig(configContent string) (string, error) {
+	options, err := parseConfig(configContent)
+	if err != nil {
+		return "", err
+	}
+	var buffer bytes.Buffer
+	json.NewEncoder(&buffer)
+	encoder := json.NewEncoder(&buffer)
+	encoder.SetIndent("", "  ")
+	err = encoder.Encode(options)
+	if err != nil {
+		return "", err
+	}
+	return buffer.String(), nil
+}
--- a/experimental/libbox/http.go
+++ b/experimental/libbox/http.go
@@ -0,0 +1,241 @@
+package libbox
+
+import (
+	"bytes"
+	"context"
+	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"math/rand"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"strconv"
+	"sync"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/protocol/socks"
+	"github.com/sagernet/sing/protocol/socks/socks5"
+)
+
+type HTTPClient interface {
+	RestrictedTLS()
+	ModernTLS()
+	PinnedTLS12()
+	PinnedSHA256(sumHex string)
+	TrySocks5(port int32)
+	KeepAlive()
+	NewRequest() HTTPRequest
+	Close()
+}
+
+type HTTPRequest interface {
+	SetURL(link string) error
+	SetMethod(method string)
+	SetHeader(key string, value string)
+	SetContent(content []byte)
+	SetContentString(content string)
+	RandomUserAgent()
+	SetUserAgent(userAgent string)
+	Execute() (HTTPResponse, error)
+}
+
+type HTTPResponse interface {
+	GetContent() ([]byte, error)
+	GetContentString() (string, error)
+	WriteTo(path string) error
+}
+
+var (
+	_ HTTPClient   = (*httpClient)(nil)
+	_ HTTPRequest  = (*httpRequest)(nil)
+	_ HTTPResponse = (*httpResponse)(nil)
+)
+
+type httpClient struct {
+	tls       tls.Config
+	client    http.Client
+	transport http.Transport
+}
+
+func NewHTTPClient() HTTPClient {
+	client := new(httpClient)
+	client.client.Timeout = C.TCPTimeout
+	client.client.Transport = &client.transport
+	client.transport.TLSClientConfig = &client.tls
+	client.transport.DisableKeepAlives = true
+	return client
+}
+
+func (c *httpClient) ModernTLS() {
+	c.tls.MinVersion = tls.VersionTLS12
+	c.tls.CipherSuites = common.Map(tls.CipherSuites(), func(it *tls.CipherSuite) uint16 { return it.ID })
+}
+
+func (c *httpClient) RestrictedTLS() {
+	c.tls.MinVersion = tls.VersionTLS13
+	c.tls.CipherSuites = common.Map(common.Filter(tls.CipherSuites(), func(it *tls.CipherSuite) bool {
+		return common.Contains(it.SupportedVersions, uint16(tls.VersionTLS13))
+	}), func(it *tls.CipherSuite) uint16 {
+		return it.ID
+	})
+}
+
+func (c *httpClient) PinnedTLS12() {
+	c.tls.MinVersion = tls.VersionTLS12
+	c.tls.MaxVersion = tls.VersionTLS12
+}
+
+func (c *httpClient) PinnedSHA256(sumHex string) {
+	c.tls.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+		for _, rawCert := range rawCerts {
+			certSum := sha256.Sum256(rawCert)
+			if sumHex == hex.EncodeToString(certSum[:]) {
+				return nil
+			}
+		}
+		return E.New("pinned sha256 sum mismatch")
+	}
+}
+
+func (c *httpClient) TrySocks5(port int32) {
+	dialer := new(net.Dialer)
+	c.transport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
+		for {
+			socksConn, err := dialer.DialContext(ctx, "tcp", "127.0.0.1:"+strconv.Itoa(int(port)))
+			if err != nil {
+				break
+			}
+			_, err = socks.ClientHandshake5(socksConn, socks5.CommandConnect, M.ParseSocksaddr(addr), "", "")
+			if err != nil {
+				break
+			}
+			//nolint:staticcheck
+			return socksConn, err
+		}
+		return dialer.DialContext(ctx, network, addr)
+	}
+}
+
+func (c *httpClient) KeepAlive() {
+	c.transport.ForceAttemptHTTP2 = true
+	c.transport.DisableKeepAlives = false
+}
+
+func (c *httpClient) NewRequest() HTTPRequest {
+	req := &httpRequest{httpClient: c}
+	req.request = http.Request{
+		Method: "GET",
+		Header: http.Header{},
+	}
+	return req
+}
+
+func (c *httpClient) Close() {
+	c.transport.CloseIdleConnections()
+}
+
+type httpRequest struct {
+	*httpClient
+	request http.Request
+}
+
+func (r *httpRequest) SetURL(link string) (err error) {
+	r.request.URL, err = url.Parse(link)
+	if r.request.URL.User != nil {
+		user := r.request.URL.User.Username()
+		password, _ := r.request.URL.User.Password()
+		r.request.SetBasicAuth(user, password)
+	}
+	return
+}
+
+func (r *httpRequest) SetMethod(method string) {
+	r.request.Method = method
+}
+
+func (r *httpRequest) SetHeader(key string, value string) {
+	r.request.Header.Set(key, value)
+}
+
+func (r *httpRequest) RandomUserAgent() {
+	r.request.Header.Set("User-Agent", fmt.Sprintf("curl/7.%d.%d", rand.Int()%54, rand.Int()%2))
+}
+
+func (r *httpRequest) SetUserAgent(userAgent string) {
+	r.request.Header.Set("User-Agent", userAgent)
+}
+
+func (r *httpRequest) SetContent(content []byte) {
+	buffer := bytes.Buffer{}
+	buffer.Write(content)
+	r.request.Body = io.NopCloser(bytes.NewReader(buffer.Bytes()))
+	r.request.ContentLength = int64(len(content))
+}
+
+func (r *httpRequest) SetContentString(content string) {
+	r.SetContent([]byte(content))
+}
+
+func (r *httpRequest) Execute() (HTTPResponse, error) {
+	response, err := r.client.Do(&r.request)
+	if err != nil {
+		return nil, err
+	}
+	httpResp := &httpResponse{Response: response}
+	if response.StatusCode != http.StatusOK {
+		return nil, errors.New(httpResp.errorString())
+	}
+	return httpResp, nil
+}
+
+type httpResponse struct {
+	*http.Response
+
+	getContentOnce sync.Once
+	content        []byte
+	contentError   error
+}
+
+func (h *httpResponse) errorString() string {
+	content, err := h.GetContentString()
+	if err != nil {
+		return fmt.Sprint("HTTP ", h.Status)
+	}
+	return fmt.Sprint("HTTP ", h.Status, ": ", content)
+}
+
+func (h *httpResponse) GetContent() ([]byte, error) {
+	h.getContentOnce.Do(func() {
+		defer h.Body.Close()
+		h.content, h.contentError = io.ReadAll(h.Body)
+	})
+	return h.content, h.contentError
+}
+
+func (h *httpResponse) GetContentString() (string, error) {
+	content, err := h.GetContent()
+	if err != nil {
+		return "", err
+	}
+	return string(content), nil
+}
+
+func (h *httpResponse) WriteTo(path string) error {
+	defer h.Body.Close()
+	file, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	return common.Error(bufio.Copy(file, h.Body))
+}
--- a/experimental/libbox/iterator.go
+++ b/experimental/libbox/iterator.go
@@ -1,5 +1,3 @@
-//go:build linux || darwin
-
 package libbox

 import "github.com/sagernet/sing/common"
--- a/experimental/libbox/platform.go
+++ b/experimental/libbox/platform.go
@@ -1,5 +1,3 @@
-//go:build linux || darwin
-
 package libbox

 import "github.com/sagernet/sing-box/option"
--- a/experimental/libbox/pprof.go
+++ b/experimental/libbox/pprof.go
@@ -1,5 +1,3 @@
-//go:build linux || darwin
-
 package libbox

 import (
--- a/experimental/libbox/service.go
+++ b/experimental/libbox/service.go
@@ -1,5 +1,3 @@
-//go:build linux || darwin
-
 package libbox

 import (
@@ -30,7 +28,11 @@ func NewService(configContent string, platformInterface PlatformInterface) (*Box
 		return nil, err
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(ctx, options, &platformInterfaceWrapper{platformInterface, platformInterface.UseProcFS()})
+	instance, err := box.New(box.Options{
+		Context:           ctx,
+		Options:           options,
+		PlatformInterface: &platformInterfaceWrapper{platformInterface, platformInterface.UseProcFS()},
+	})
 	if err != nil {
 		cancel()
 		return nil, E.Cause(err, "create service")
--- a/experimental/libbox/setup.go
+++ b/experimental/libbox/setup.go
@@ -1,5 +1,3 @@
-//go:build linux || darwin
-
 package libbox

 import (
--- a/experimental/libbox/tun.go
+++ b/experimental/libbox/tun.go
@@ -1,5 +1,3 @@
-//go:build linux || darwin
-
 package libbox

 import (
--- a/go.mod
+++ b/go.mod
@@ -14,40 +14,40 @@ require (
 	github.com/go-chi/render v1.0.2
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/hashicorp/yamux v0.1.1
-	github.com/insomniacslk/dhcp v0.0.0-20230307103557-e252950ab961
+	github.com/insomniacslk/dhcp v0.0.0-20230327135226-74ae03f2425e
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/mholt/acmez v1.1.0
-	github.com/miekg/dns v1.1.52
+	github.com/miekg/dns v1.1.53
 	github.com/ooni/go-libtor v1.1.7
 	github.com/oschwald/maxminddb-golang v1.10.0
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0
 	github.com/sagernet/gomobile v0.0.0-20221130124640-349ebaa752ca
 	github.com/sagernet/quic-go v0.0.0-20230202071646-a8c8afb18b32
-	github.com/sagernet/reality v0.0.0-20230312150606-35ea9af0e0b8
-	github.com/sagernet/sing v0.2.1-0.20230321172705-3e60222a1a7d
-	github.com/sagernet/sing-dns v0.1.4
+	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
+	github.com/sagernet/sing v0.2.2-0.20230407053809-308e421e33c2
+	github.com/sagernet/sing-dns v0.1.5-0.20230407055526-2a27418e7855
 	github.com/sagernet/sing-shadowsocks v0.2.0
 	github.com/sagernet/sing-shadowtls v0.1.0
-	github.com/sagernet/sing-tun v0.1.3-0.20230321172818-56bedd2f0558
+	github.com/sagernet/sing-tun v0.1.4-0.20230326080954-8848c0e4cbab
 	github.com/sagernet/sing-vmess v0.1.3
 	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37
 	github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9
 	github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2
 	github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e
 	github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c
-	github.com/spf13/cobra v1.6.1
+	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.2
 	go.etcd.io/bbolt v1.3.7
 	go.uber.org/atomic v1.10.0
 	go.uber.org/zap v1.24.0
 	go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35
 	golang.org/x/crypto v0.7.0
-	golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0
-	golang.org/x/net v0.8.0
-	golang.org/x/sys v0.6.0
+	golang.org/x/exp v0.0.0-20230321023759-10a507213a29
+	golang.org/x/net v0.9.0
+	golang.org/x/sys v0.7.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde
-	google.golang.org/grpc v1.53.0
+	google.golang.org/grpc v1.54.0
 	google.golang.org/protobuf v1.30.0
 	gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c
 )
@@ -64,7 +64,7 @@ require (
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/native v1.1.0 // indirect
 	github.com/klauspost/compress v1.15.15 // indirect
 	github.com/klauspost/cpuid/v2 v2.1.1 // indirect
@@ -84,7 +84,7 @@ require (
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/text v0.8.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 	golang.org/x/tools v0.6.0 // indirect
 	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
--- a/go.sum
+++ b/go.sum
@@ -49,10 +49,10 @@ github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLe
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
-github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20230307103557-e252950ab961 h1:x/YtdDlmypenG1te/FfH6LVM+3krhXk5CFV8VYNNX5M=
-github.com/insomniacslk/dhcp v0.0.0-20230307103557-e252950ab961/go.mod h1:IKrnDWs3/Mqq5n0lI+RxA2sB7MvN/vbMBP3ehXg65UI=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/insomniacslk/dhcp v0.0.0-20230327135226-74ae03f2425e h1:8ChxkWKTVYg7LKBvYNLNRnlobgbPrzzossZUoST2T7o=
+github.com/insomniacslk/dhcp v0.0.0-20230327135226-74ae03f2425e/go.mod h1:IKrnDWs3/Mqq5n0lI+RxA2sB7MvN/vbMBP3ehXg65UI=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
@@ -70,8 +70,8 @@ github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczG
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/mholt/acmez v1.1.0 h1:IQ9CGHKOHokorxnffsqDvmmE30mDenO1lptYZ1AYkHY=
 github.com/mholt/acmez v1.1.0/go.mod h1:zwo5+fbLLTowAX8o8ETfQzbDtwGEXnPhkmGdKIP+bgs=
-github.com/miekg/dns v1.1.52 h1:Bmlc/qsNNULOe6bpXcUTsuOajd0DzRHwup6D9k1An0c=
-github.com/miekg/dns v1.1.52/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
+github.com/miekg/dns v1.1.53 h1:ZBkuHr5dxHtB1caEOlZTLPo7D3L3TWckgUUs/RHfDxw=
+github.com/miekg/dns v1.1.53/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI=
@@ -107,20 +107,20 @@ github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6E
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/quic-go v0.0.0-20230202071646-a8c8afb18b32 h1:tztuJB+giOWNRKQEBVY2oI3PsheTooMdh+/yxemYQYY=
 github.com/sagernet/quic-go v0.0.0-20230202071646-a8c8afb18b32/go.mod h1:QMCkxXAC3CvBgDZVIJp43NWTuwGBScCzMLVLynjERL8=
-github.com/sagernet/reality v0.0.0-20230312150606-35ea9af0e0b8 h1:4M3+0/kqvJuTsimEORH0/vUYTpMDUETBH2zNUU38SUw=
-github.com/sagernet/reality v0.0.0-20230312150606-35ea9af0e0b8/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
+github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
+github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
-github.com/sagernet/sing v0.2.1-0.20230321172705-3e60222a1a7d h1:ktk03rtgPqTDyUd2dWg1uzyr5RnptX8grSMvIzedJlQ=
-github.com/sagernet/sing v0.2.1-0.20230321172705-3e60222a1a7d/go.mod h1:9uHswk2hITw8leDbiLS/xn0t9nzBcbePxzm9PJhwdlw=
-github.com/sagernet/sing-dns v0.1.4 h1:7VxgeoSCiiazDSaXXQVcvrTBxFpOePPq/4XdgnUDN+0=
-github.com/sagernet/sing-dns v0.1.4/go.mod h1:1+6pCa48B1AI78lD+/i/dLgpw4MwfnsSpZo0Ds8wzzk=
+github.com/sagernet/sing v0.2.2-0.20230407053809-308e421e33c2 h1:VjeHDxEgpB2fqK5G16yBvtLacibvg3h2MsIjal0UXH0=
+github.com/sagernet/sing v0.2.2-0.20230407053809-308e421e33c2/go.mod h1:9uHswk2hITw8leDbiLS/xn0t9nzBcbePxzm9PJhwdlw=
+github.com/sagernet/sing-dns v0.1.5-0.20230407055526-2a27418e7855 h1:a3W2X1n5C/oYGp/Dd26eoymME3iXN8TJq7LZtO2MSUY=
+github.com/sagernet/sing-dns v0.1.5-0.20230407055526-2a27418e7855/go.mod h1:69PNSHyEmXdjf6C+bXBOdr2GQnPeEyWjIzo/MV8gmz8=
 github.com/sagernet/sing-shadowsocks v0.2.0 h1:ILDWL7pwWfkPLEbviE/MyCgfjaBmJY/JVVY+5jhSb58=
 github.com/sagernet/sing-shadowsocks v0.2.0/go.mod h1:ysYzszRLpNzJSorvlWRMuzU6Vchsp7sd52q+JNY4axw=
 github.com/sagernet/sing-shadowtls v0.1.0 h1:05MYce8aR5xfKIn+y7xRFsdKhKt44QZTSEQW+lG5IWQ=
 github.com/sagernet/sing-shadowtls v0.1.0/go.mod h1:Kn1VUIprdkwCgkS6SXYaLmIpKzQbqBIKJBMY+RvBhYc=
-github.com/sagernet/sing-tun v0.1.3-0.20230321172818-56bedd2f0558 h1:c5Rm6BTOclEeayS6G9+1rI1kTeilCsn0ALSFbOdlgRE=
-github.com/sagernet/sing-tun v0.1.3-0.20230321172818-56bedd2f0558/go.mod h1:cqnZEm+2ArgP4Gq1NcQfVFm9CZaeGw21mG9AcnYOTiU=
+github.com/sagernet/sing-tun v0.1.4-0.20230326080954-8848c0e4cbab h1:a9oeWuPBuIZ70qMhIIH6RrYhp886xN9jJIwsuu4ZFUo=
+github.com/sagernet/sing-tun v0.1.4-0.20230326080954-8848c0e4cbab/go.mod h1:4YxIDEkkCjGXDOTMPw1SXpLmCQUFAWuaQN250oo+928=
 github.com/sagernet/sing-vmess v0.1.3 h1:q/+tsF46dvvapL6CpQBgPHJ6nQrDUZqEtLHCbsjO7iM=
 github.com/sagernet/sing-vmess v0.1.3/go.mod h1:GVXqAHwe9U21uS+Voh4YBIrADQyE4F9v0ayGSixSQAE=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as=
@@ -133,8 +133,8 @@ github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e h1:7uw2njHFGE+V
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e/go.mod h1:45TUl8+gH4SIKr4ykREbxKWTxkDlSzFENzctB1dVRRY=
 github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c h1:vK2wyt9aWYHHvNLWniwijBu/n4pySypiKRhN32u/JGo=
 github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
-github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
-github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -170,8 +170,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0 h1:pVgRXcIictcr+lBQIFeiwuwtDIs4eL21OuM9nyAADmo=
-golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
+golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -180,8 +180,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
+golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
@@ -199,15 +199,15 @@ golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
+golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
+golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -223,8 +223,8 @@ golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde h1:ybF7AMzI
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde/go.mod h1:mQqgjkW8GQQcJQsbBvK890TKqUK1DfKWkuBGbOkuMHQ=
 google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w=
 google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/grpc v1.53.0 h1:LAv2ds7cmFV/XTS3XG1NneeENYrXGmorPxsBbptIjNc=
-google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
+google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag=
+google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
--- a/inbound/tun.go
+++ b/inbound/tun.go
@@ -5,10 +5,8 @@ import (
 	"net"
 	"strconv"
 	"strings"
-	"time"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/canceler"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/log"
@@ -21,10 +19,7 @@ import (
 	"github.com/sagernet/sing/common/ranges"
 )

-var (
-	_ adapter.Inbound = (*Tun)(nil)
-	_ tun.Router      = (*Tun)(nil)
-)
+var _ adapter.Inbound = (*Tun)(nil)

 type Tun struct {
 	tag                    string
@@ -43,6 +38,10 @@ type Tun struct {
 }

 func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunInboundOptions, platformInterface platform.Interface) (*Tun, error) {
+	tunName := options.InterfaceName
+	if tunName == "" {
+		tunName = tun.CalculateInterfaceName("")
+	}
 	tunMTU := options.MTU
 	if tunMTU == 0 {
 		tunMTU = 9000
@@ -76,7 +75,7 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		logger:         logger,
 		inboundOptions: options.InboundOptions,
 		tunOptions: tun.Options{
-			Name:               options.InterfaceName,
+			Name:               tunName,
 			MTU:                tunMTU,
 			Inet4Address:       common.Map(options.Inet4Address, option.ListenPrefix.Build),
 			Inet6Address:       common.Map(options.Inet6Address, option.ListenPrefix.Build),
@@ -142,17 +141,12 @@ func (t *Tun) Tag() string {

 func (t *Tun) Start() error {
 	if C.IsAndroid && t.platformInterface == nil {
-		t.logger.Trace("building android rules")
 		t.tunOptions.BuildAndroidRules(t.router.PackageManager(), t)
 	}
-	if t.tunOptions.Name == "" {
-		t.tunOptions.Name = tun.CalculateInterfaceName("")
-	}
 	var (
 		tunInterface tun.Tun
 		err          error
 	)
-	t.logger.Trace("opening interface")
 	if t.platformInterface != nil {
 		tunInterface, err = t.platformInterface.OpenTun(t.tunOptions, t.platformOptions)
 	} else {
@@ -161,12 +155,7 @@ func (t *Tun) Start() error {
 	if err != nil {
 		return E.Cause(err, "configure tun interface")
 	}
-	t.logger.Trace("creating stack")
 	t.tunIf = tunInterface
-	var tunRouter tun.Router
-	if len(t.router.IPRules()) > 0 {
-		tunRouter = t
-	}
 	t.tunStack, err = tun.NewStack(t.stack, tun.StackOptions{
 		Context:                t.ctx,
 		Tun:                    tunInterface,
@@ -176,7 +165,6 @@ func (t *Tun) Start() error {
 		Inet6Address:           t.tunOptions.Inet6Address,
 		EndpointIndependentNat: t.endpointIndependentNat,
 		UDPTimeout:             t.udpTimeout,
-		Router:                 tunRouter,
 		Handler:                t,
 		Logger:                 t.logger,
 		UnderPlatform:          t.platformInterface != nil,
@@ -184,7 +172,6 @@ func (t *Tun) Start() error {
 	if err != nil {
 		return err
 	}
-	t.logger.Trace("starting stack")
 	err = t.tunStack.Start()
 	if err != nil {
 		return err
@@ -200,21 +187,6 @@ func (t *Tun) Close() error {
 	)
 }

-func (t *Tun) RouteConnection(session tun.RouteSession, conn tun.RouteContext) tun.RouteAction {
-	ctx := log.ContextWithNewID(t.ctx)
-	var metadata adapter.InboundContext
-	metadata.Inbound = t.tag
-	metadata.InboundType = C.TypeTun
-	metadata.IPVersion = session.IPVersion
-	metadata.Network = tun.NetworkName(session.Network)
-	metadata.Source = M.SocksaddrFromNetIP(session.Source)
-	metadata.Destination = M.SocksaddrFromNetIP(session.Destination)
-	metadata.InboundOptions = t.inboundOptions
-	t.logger.DebugContext(ctx, "incoming connection from ", metadata.Source)
-	t.logger.DebugContext(ctx, "incoming connection to ", metadata.Destination)
-	return t.router.RouteIPConnection(ctx, conn, metadata)
-}
-
 func (t *Tun) NewConnection(ctx context.Context, conn net.Conn, upstreamMetadata M.Metadata) error {
 	ctx = log.ContextWithNewID(ctx)
 	var metadata adapter.InboundContext
@@ -234,9 +206,6 @@ func (t *Tun) NewConnection(ctx context.Context, conn net.Conn, upstreamMetadata

 func (t *Tun) NewPacketConnection(ctx context.Context, conn N.PacketConn, upstreamMetadata M.Metadata) error {
 	ctx = log.ContextWithNewID(ctx)
-	if tun.NeedTimeoutFromContext(ctx) {
-		ctx, conn = canceler.NewPacketConn(ctx, conn, time.Duration(t.udpTimeout)*time.Second)
-	}
 	var metadata adapter.InboundContext
 	metadata.Inbound = t.tag
 	metadata.InboundType = C.TypeTun
--- a/log/default.go
+++ b/log/default.go
@@ -49,6 +49,10 @@ func (f *simpleFactory) NewLogger(tag string) ContextLogger {
 	return &simpleLogger{f, tag}
 }

+func (f *simpleFactory) Close() error {
+	return nil
+}
+
 var _ ContextLogger = (*simpleLogger)(nil)

 type simpleLogger struct {
--- a/log/factory.go
+++ b/log/factory.go
@@ -15,6 +15,7 @@ type Factory interface {
 	SetLevel(level Level)
 	Logger() ContextLogger
 	NewLogger(tag string) ContextLogger
+	Close() error
 }

 type ObservableFactory interface {
--- a/log/format.go
+++ b/log/format.go
@@ -36,15 +36,16 @@ func (f Formatter) Format(ctx context.Context, level Level, tag string, message
 	if tag != "" {
 		message = tag + ": " + message
 	}
-	var id uint32
+	var id ID
 	var hasId bool
 	if ctx != nil {
 		id, hasId = IDFromContext(ctx)
 	}
 	if hasId {
+		activeDuration := formatDuration(time.Since(id.CreatedAt))
 		if !f.DisableColors {
 			var color aurora.Color
-			color = aurora.Color(uint8(id))
+			color = aurora.Color(uint8(id.ID))
 			color %= 215
 			row := uint(color / 36)
 			column := uint(color % 36)
@@ -62,9 +63,9 @@ func (f Formatter) Format(ctx context.Context, level Level, tag string, message
 			color += 16
 			color = color << 16
 			color |= 1 << 14
-			message = F.ToString("[", aurora.Colorize(id, color).String(), "] ", message)
+			message = F.ToString("[", aurora.Colorize(id.ID, color).String(), " ", activeDuration, "] ", message)
 		} else {
-			message = F.ToString("[", id, "] ", message)
+			message = F.ToString("[", id.ID, " ", activeDuration, "] ", message)
 		}
 	}
 	switch {
@@ -99,15 +100,16 @@ func (f Formatter) FormatWithSimple(ctx context.Context, level Level, tag string
 		message = tag + ": " + message
 	}
 	messageSimple := message
-	var id uint32
+	var id ID
 	var hasId bool
 	if ctx != nil {
 		id, hasId = IDFromContext(ctx)
 	}
 	if hasId {
+		activeDuration := formatDuration(time.Since(id.CreatedAt))
 		if !f.DisableColors {
 			var color aurora.Color
-			color = aurora.Color(uint8(id))
+			color = aurora.Color(uint8(id.ID))
 			color %= 215
 			row := uint(color / 36)
 			column := uint(color % 36)
@@ -125,11 +127,11 @@ func (f Formatter) FormatWithSimple(ctx context.Context, level Level, tag string
 			color += 16
 			color = color << 16
 			color |= 1 << 14
-			message = F.ToString("[", aurora.Colorize(id, color).String(), "] ", message)
+			message = F.ToString("[", aurora.Colorize(id.ID, color).String(), " ", activeDuration, "] ", message)
 		} else {
-			message = F.ToString("[", id, "] ", message)
+			message = F.ToString("[", id.ID, " ", activeDuration, "] ", message)
 		}
-		messageSimple = F.ToString("[", id, "] ", messageSimple)
+		messageSimple = F.ToString("[", id.ID, " ", activeDuration, "] ", messageSimple)

 	}
 	switch {
@@ -153,3 +155,13 @@ func xd(value int, x int) string {
 	}
 	return message
 }
+
+func formatDuration(duration time.Duration) string {
+	if duration < time.Second {
+		return F.ToString(duration.Milliseconds(), "ms")
+	} else if duration < time.Minute {
+		return F.ToString(int64(duration.Seconds()), ".", int64(duration.Seconds()*100)%100, "s")
+	} else {
+		return F.ToString(int64(duration.Minutes()), "m", int64(duration.Seconds())%60, "s")
+	}
+}
--- a/log/id.go
+++ b/log/id.go
@@ -3,6 +3,7 @@ package log
 import (
 	"context"
 	"math/rand"
+	"time"

 	"github.com/sagernet/sing/common/random"
 )
@@ -13,11 +14,19 @@ func init() {

 type idKey struct{}

-func ContextWithNewID(ctx context.Context) context.Context {
-	return context.WithValue(ctx, (*idKey)(nil), rand.Uint32())
+type ID struct {
+	ID        uint32
+	CreatedAt time.Time
 }

-func IDFromContext(ctx context.Context) (uint32, bool) {
-	id, loaded := ctx.Value((*idKey)(nil)).(uint32)
+func ContextWithNewID(ctx context.Context) context.Context {
+	return context.WithValue(ctx, (*idKey)(nil), ID{
+		ID:        rand.Uint32(),
+		CreatedAt: time.Now(),
+	})
+}
+
+func IDFromContext(ctx context.Context) (ID, bool) {
+	id, loaded := ctx.Value((*idKey)(nil)).(ID)
 	return id, loaded
 }
--- a/log/log.go
+++ b/log/log.go
@@ -0,0 +1,110 @@
+package log
+
+import (
+	"io"
+	"os"
+	"time"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type factoryWithFile struct {
+	Factory
+	file *os.File
+}
+
+func (f *factoryWithFile) Close() error {
+	return common.Close(
+		f.Factory,
+		common.PtrOrNil(f.file),
+	)
+}
+
+type observableFactoryWithFile struct {
+	ObservableFactory
+	file *os.File
+}
+
+func (f *observableFactoryWithFile) Close() error {
+	return common.Close(
+		f.ObservableFactory,
+		common.PtrOrNil(f.file),
+	)
+}
+
+type Options struct {
+	Options        option.LogOptions
+	Observable     bool
+	DefaultWriter  io.Writer
+	BaseTime       time.Time
+	PlatformWriter io.Writer
+}
+
+func New(options Options) (Factory, error) {
+	logOptions := options.Options
+
+	if logOptions.Disabled {
+		return NewNOPFactory(), nil
+	}
+
+	var logFile *os.File
+	var logWriter io.Writer
+
+	switch logOptions.Output {
+	case "":
+		logWriter = options.DefaultWriter
+		if logWriter == nil {
+			logWriter = os.Stderr
+		}
+	case "stderr":
+		logWriter = os.Stderr
+	case "stdout":
+		logWriter = os.Stdout
+	default:
+		var err error
+		logFile, err = os.OpenFile(C.BasePath(logOptions.Output), os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
+		if err != nil {
+			return nil, err
+		}
+		logWriter = logFile
+	}
+	logFormatter := Formatter{
+		BaseTime:         options.BaseTime,
+		DisableColors:    logOptions.DisableColor || logFile != nil,
+		DisableTimestamp: !logOptions.Timestamp && logFile != nil,
+		FullTimestamp:    logOptions.Timestamp,
+		TimestampFormat:  "-0700 2006-01-02 15:04:05",
+	}
+	var factory Factory
+	if options.Observable {
+		factory = NewObservableFactory(logFormatter, logWriter, options.PlatformWriter)
+	} else {
+		factory = NewFactory(logFormatter, logWriter, options.PlatformWriter)
+	}
+	if logOptions.Level != "" {
+		logLevel, err := ParseLevel(logOptions.Level)
+		if err != nil {
+			return nil, E.Cause(err, "parse log level")
+		}
+		factory.SetLevel(logLevel)
+	} else {
+		factory.SetLevel(LevelTrace)
+	}
+	if logFile != nil {
+		if options.Observable {
+			factory = &observableFactoryWithFile{
+				ObservableFactory: factory.(ObservableFactory),
+				file:              logFile,
+			}
+		} else {
+			factory = &factoryWithFile{
+				Factory: factory,
+				file:    logFile,
+			}
+		}
+	}
+	return factory, nil
+}
--- a/log/nop.go
+++ b/log/nop.go
@@ -72,6 +72,10 @@ func (f *nopFactory) FatalContext(ctx context.Context, args ...any) {
 func (f *nopFactory) PanicContext(ctx context.Context, args ...any) {
 }

+func (f *nopFactory) Close() error {
+	return nil
+}
+
 func (f *nopFactory) Subscribe() (subscription observable.Subscription[Entry], done <-chan struct{}, err error) {
 	return nil, nil, os.ErrInvalid
 }
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -38,8 +38,8 @@ nav:
  - Installation:
      - From source: installation/from-source.md
      - Clients:
-          - SFI:
-            - installation/clients/sfi/index.md
+          - iOS: installation/clients/sfi.md
+          - Android: installation/clients/sfa.md
  - Configuration:
      - configuration/index.md
      - Log:
--- a/option/dns.go
+++ b/option/dns.go
@@ -1,5 +1,14 @@
 package option

+import (
+	"reflect"
+
+	"github.com/sagernet/sing-box/common/json"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
 type DNSOptions struct {
 	Servers []DNSServerOptions `json:"servers,omitempty"`
 	Rules   []DNSRule          `json:"rules,omitempty"`
@@ -22,3 +31,97 @@ type DNSServerOptions struct {
 	Strategy             DomainStrategy `json:"strategy,omitempty"`
 	Detour               string         `json:"detour,omitempty"`
 }
+
+type _DNSRule struct {
+	Type           string         `json:"type,omitempty"`
+	DefaultOptions DefaultDNSRule `json:"-"`
+	LogicalOptions LogicalDNSRule `json:"-"`
+}
+
+type DNSRule _DNSRule
+
+func (r DNSRule) MarshalJSON() ([]byte, error) {
+	var v any
+	switch r.Type {
+	case C.RuleTypeDefault:
+		r.Type = ""
+		v = r.DefaultOptions
+	case C.RuleTypeLogical:
+		v = r.LogicalOptions
+	default:
+		return nil, E.New("unknown rule type: " + r.Type)
+	}
+	return MarshallObjects((_DNSRule)(r), v)
+}
+
+func (r *DNSRule) UnmarshalJSON(bytes []byte) error {
+	err := json.Unmarshal(bytes, (*_DNSRule)(r))
+	if err != nil {
+		return err
+	}
+	var v any
+	switch r.Type {
+	case "", C.RuleTypeDefault:
+		r.Type = C.RuleTypeDefault
+		v = &r.DefaultOptions
+	case C.RuleTypeLogical:
+		v = &r.LogicalOptions
+	default:
+		return E.New("unknown rule type: " + r.Type)
+	}
+	err = UnmarshallExcluded(bytes, (*_DNSRule)(r), v)
+	if err != nil {
+		return E.Cause(err, "dns route rule")
+	}
+	return nil
+}
+
+type DefaultDNSRule struct {
+	Inbound         Listable[string]       `json:"inbound,omitempty"`
+	IPVersion       int                    `json:"ip_version,omitempty"`
+	QueryType       Listable[DNSQueryType] `json:"query_type,omitempty"`
+	Network         string                 `json:"network,omitempty"`
+	AuthUser        Listable[string]       `json:"auth_user,omitempty"`
+	Protocol        Listable[string]       `json:"protocol,omitempty"`
+	Domain          Listable[string]       `json:"domain,omitempty"`
+	DomainSuffix    Listable[string]       `json:"domain_suffix,omitempty"`
+	DomainKeyword   Listable[string]       `json:"domain_keyword,omitempty"`
+	DomainRegex     Listable[string]       `json:"domain_regex,omitempty"`
+	Geosite         Listable[string]       `json:"geosite,omitempty"`
+	SourceGeoIP     Listable[string]       `json:"source_geoip,omitempty"`
+	SourceIPCIDR    Listable[string]       `json:"source_ip_cidr,omitempty"`
+	SourcePort      Listable[uint16]       `json:"source_port,omitempty"`
+	SourcePortRange Listable[string]       `json:"source_port_range,omitempty"`
+	Port            Listable[uint16]       `json:"port,omitempty"`
+	PortRange       Listable[string]       `json:"port_range,omitempty"`
+	ProcessName     Listable[string]       `json:"process_name,omitempty"`
+	ProcessPath     Listable[string]       `json:"process_path,omitempty"`
+	PackageName     Listable[string]       `json:"package_name,omitempty"`
+	User            Listable[string]       `json:"user,omitempty"`
+	UserID          Listable[int32]        `json:"user_id,omitempty"`
+	Outbound        Listable[string]       `json:"outbound,omitempty"`
+	ClashMode       string                 `json:"clash_mode,omitempty"`
+	Invert          bool                   `json:"invert,omitempty"`
+	Server          string                 `json:"server,omitempty"`
+	DisableCache    bool                   `json:"disable_cache,omitempty"`
+}
+
+func (r DefaultDNSRule) IsValid() bool {
+	var defaultValue DefaultDNSRule
+	defaultValue.Invert = r.Invert
+	defaultValue.Server = r.Server
+	defaultValue.DisableCache = r.DisableCache
+	return !reflect.DeepEqual(r, defaultValue)
+}
+
+type LogicalDNSRule struct {
+	Mode         string           `json:"mode"`
+	Rules        []DefaultDNSRule `json:"rules,omitempty"`
+	Invert       bool             `json:"invert,omitempty"`
+	Server       string           `json:"server,omitempty"`
+	DisableCache bool             `json:"disable_cache,omitempty"`
+}
+
+func (r LogicalDNSRule) IsValid() bool {
+	return len(r.Rules) > 0 && common.All(r.Rules, DefaultDNSRule.IsValid)
+}
--- a/option/route.go
+++ b/option/route.go
@@ -1,9 +1,17 @@
 package option

+import (
+	"reflect"
+
+	"github.com/sagernet/sing-box/common/json"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
 type RouteOptions struct {
 	GeoIP               *GeoIPOptions   `json:"geoip,omitempty"`
 	Geosite             *GeositeOptions `json:"geosite,omitempty"`
-	IPRules             []IPRule        `json:"ip_rules,omitempty"`
 	Rules               []Rule          `json:"rules,omitempty"`
 	Final               string          `json:"final,omitempty"`
 	FindProcess         bool            `json:"find_process,omitempty"`
@@ -24,3 +32,94 @@ type GeositeOptions struct {
 	DownloadURL    string `json:"download_url,omitempty"`
 	DownloadDetour string `json:"download_detour,omitempty"`
 }
+
+type _Rule struct {
+	Type           string      `json:"type,omitempty"`
+	DefaultOptions DefaultRule `json:"-"`
+	LogicalOptions LogicalRule `json:"-"`
+}
+
+type Rule _Rule
+
+func (r Rule) MarshalJSON() ([]byte, error) {
+	var v any
+	switch r.Type {
+	case C.RuleTypeDefault:
+		r.Type = ""
+		v = r.DefaultOptions
+	case C.RuleTypeLogical:
+		v = r.LogicalOptions
+	default:
+		return nil, E.New("unknown rule type: " + r.Type)
+	}
+	return MarshallObjects((_Rule)(r), v)
+}
+
+func (r *Rule) UnmarshalJSON(bytes []byte) error {
+	err := json.Unmarshal(bytes, (*_Rule)(r))
+	if err != nil {
+		return err
+	}
+	var v any
+	switch r.Type {
+	case "", C.RuleTypeDefault:
+		r.Type = C.RuleTypeDefault
+		v = &r.DefaultOptions
+	case C.RuleTypeLogical:
+		v = &r.LogicalOptions
+	default:
+		return E.New("unknown rule type: " + r.Type)
+	}
+	err = UnmarshallExcluded(bytes, (*_Rule)(r), v)
+	if err != nil {
+		return E.Cause(err, "route rule")
+	}
+	return nil
+}
+
+type DefaultRule struct {
+	Inbound         Listable[string] `json:"inbound,omitempty"`
+	IPVersion       int              `json:"ip_version,omitempty"`
+	Network         string           `json:"network,omitempty"`
+	AuthUser        Listable[string] `json:"auth_user,omitempty"`
+	Protocol        Listable[string] `json:"protocol,omitempty"`
+	Domain          Listable[string] `json:"domain,omitempty"`
+	DomainSuffix    Listable[string] `json:"domain_suffix,omitempty"`
+	DomainKeyword   Listable[string] `json:"domain_keyword,omitempty"`
+	DomainRegex     Listable[string] `json:"domain_regex,omitempty"`
+	Geosite         Listable[string] `json:"geosite,omitempty"`
+	SourceGeoIP     Listable[string] `json:"source_geoip,omitempty"`
+	GeoIP           Listable[string] `json:"geoip,omitempty"`
+	SourceIPCIDR    Listable[string] `json:"source_ip_cidr,omitempty"`
+	IPCIDR          Listable[string] `json:"ip_cidr,omitempty"`
+	SourcePort      Listable[uint16] `json:"source_port,omitempty"`
+	SourcePortRange Listable[string] `json:"source_port_range,omitempty"`
+	Port            Listable[uint16] `json:"port,omitempty"`
+	PortRange       Listable[string] `json:"port_range,omitempty"`
+	ProcessName     Listable[string] `json:"process_name,omitempty"`
+	ProcessPath     Listable[string] `json:"process_path,omitempty"`
+	PackageName     Listable[string] `json:"package_name,omitempty"`
+	User            Listable[string] `json:"user,omitempty"`
+	UserID          Listable[int32]  `json:"user_id,omitempty"`
+	ClashMode       string           `json:"clash_mode,omitempty"`
+	Invert          bool             `json:"invert,omitempty"`
+	Outbound        string           `json:"outbound,omitempty"`
+}
+
+func (r DefaultRule) IsValid() bool {
+	var defaultValue DefaultRule
+	defaultValue.Invert = r.Invert
+	defaultValue.Outbound = r.Outbound
+	return !reflect.DeepEqual(r, defaultValue)
+}
+
+type LogicalRule struct {
+	Mode     string        `json:"mode"`
+	Rules    []DefaultRule `json:"rules,omitempty"`
+	Invert   bool          `json:"invert,omitempty"`
+	Outbound string        `json:"outbound,omitempty"`
+}
+
+func (r LogicalRule) IsValid() bool {
+	return len(r.Rules) > 0 && common.All(r.Rules, DefaultRule.IsValid)
+}
--- a/option/rule.go
+++ b/option/rule.go
@@ -1,101 +0,0 @@
-package option
-
-import (
-	"reflect"
-
-	"github.com/sagernet/sing-box/common/json"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type _Rule struct {
-	Type           string      `json:"type,omitempty"`
-	DefaultOptions DefaultRule `json:"-"`
-	LogicalOptions LogicalRule `json:"-"`
-}
-
-type Rule _Rule
-
-func (r Rule) MarshalJSON() ([]byte, error) {
-	var v any
-	switch r.Type {
-	case C.RuleTypeDefault:
-		r.Type = ""
-		v = r.DefaultOptions
-	case C.RuleTypeLogical:
-		v = r.LogicalOptions
-	default:
-		return nil, E.New("unknown rule type: " + r.Type)
-	}
-	return MarshallObjects((_Rule)(r), v)
-}
-
-func (r *Rule) UnmarshalJSON(bytes []byte) error {
-	err := json.Unmarshal(bytes, (*_Rule)(r))
-	if err != nil {
-		return err
-	}
-	var v any
-	switch r.Type {
-	case "", C.RuleTypeDefault:
-		r.Type = C.RuleTypeDefault
-		v = &r.DefaultOptions
-	case C.RuleTypeLogical:
-		v = &r.LogicalOptions
-	default:
-		return E.New("unknown rule type: " + r.Type)
-	}
-	err = UnmarshallExcluded(bytes, (*_Rule)(r), v)
-	if err != nil {
-		return E.Cause(err, "route rule")
-	}
-	return nil
-}
-
-type DefaultRule struct {
-	Inbound         Listable[string] `json:"inbound,omitempty"`
-	IPVersion       int              `json:"ip_version,omitempty"`
-	Network         Listable[string] `json:"network,omitempty"`
-	AuthUser        Listable[string] `json:"auth_user,omitempty"`
-	Protocol        Listable[string] `json:"protocol,omitempty"`
-	Domain          Listable[string] `json:"domain,omitempty"`
-	DomainSuffix    Listable[string] `json:"domain_suffix,omitempty"`
-	DomainKeyword   Listable[string] `json:"domain_keyword,omitempty"`
-	DomainRegex     Listable[string] `json:"domain_regex,omitempty"`
-	Geosite         Listable[string] `json:"geosite,omitempty"`
-	SourceGeoIP     Listable[string] `json:"source_geoip,omitempty"`
-	GeoIP           Listable[string] `json:"geoip,omitempty"`
-	SourceIPCIDR    Listable[string] `json:"source_ip_cidr,omitempty"`
-	IPCIDR          Listable[string] `json:"ip_cidr,omitempty"`
-	SourcePort      Listable[uint16] `json:"source_port,omitempty"`
-	SourcePortRange Listable[string] `json:"source_port_range,omitempty"`
-	Port            Listable[uint16] `json:"port,omitempty"`
-	PortRange       Listable[string] `json:"port_range,omitempty"`
-	ProcessName     Listable[string] `json:"process_name,omitempty"`
-	ProcessPath     Listable[string] `json:"process_path,omitempty"`
-	PackageName     Listable[string] `json:"package_name,omitempty"`
-	User            Listable[string] `json:"user,omitempty"`
-	UserID          Listable[int32]  `json:"user_id,omitempty"`
-	ClashMode       string           `json:"clash_mode,omitempty"`
-	Invert          bool             `json:"invert,omitempty"`
-	Outbound        string           `json:"outbound,omitempty"`
-}
-
-func (r DefaultRule) IsValid() bool {
-	var defaultValue DefaultRule
-	defaultValue.Invert = r.Invert
-	defaultValue.Outbound = r.Outbound
-	return !reflect.DeepEqual(r, defaultValue)
-}
-
-type LogicalRule struct {
-	Mode     string        `json:"mode"`
-	Rules    []DefaultRule `json:"rules,omitempty"`
-	Invert   bool          `json:"invert,omitempty"`
-	Outbound string        `json:"outbound,omitempty"`
-}
-
-func (r LogicalRule) IsValid() bool {
-	return len(r.Rules) > 0 && common.All(r.Rules, DefaultRule.IsValid)
-}
--- a/option/rule_dns.go
+++ b/option/rule_dns.go
@@ -1,104 +0,0 @@
-package option
-
-import (
-	"reflect"
-
-	"github.com/sagernet/sing-box/common/json"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type _DNSRule struct {
-	Type           string         `json:"type,omitempty"`
-	DefaultOptions DefaultDNSRule `json:"-"`
-	LogicalOptions LogicalDNSRule `json:"-"`
-}
-
-type DNSRule _DNSRule
-
-func (r DNSRule) MarshalJSON() ([]byte, error) {
-	var v any
-	switch r.Type {
-	case C.RuleTypeDefault:
-		r.Type = ""
-		v = r.DefaultOptions
-	case C.RuleTypeLogical:
-		v = r.LogicalOptions
-	default:
-		return nil, E.New("unknown rule type: " + r.Type)
-	}
-	return MarshallObjects((_DNSRule)(r), v)
-}
-
-func (r *DNSRule) UnmarshalJSON(bytes []byte) error {
-	err := json.Unmarshal(bytes, (*_DNSRule)(r))
-	if err != nil {
-		return err
-	}
-	var v any
-	switch r.Type {
-	case "", C.RuleTypeDefault:
-		r.Type = C.RuleTypeDefault
-		v = &r.DefaultOptions
-	case C.RuleTypeLogical:
-		v = &r.LogicalOptions
-	default:
-		return E.New("unknown rule type: " + r.Type)
-	}
-	err = UnmarshallExcluded(bytes, (*_DNSRule)(r), v)
-	if err != nil {
-		return E.Cause(err, "dns route rule")
-	}
-	return nil
-}
-
-type DefaultDNSRule struct {
-	Inbound         Listable[string]       `json:"inbound,omitempty"`
-	IPVersion       int                    `json:"ip_version,omitempty"`
-	QueryType       Listable[DNSQueryType] `json:"query_type,omitempty"`
-	Network         Listable[string]       `json:"network,omitempty"`
-	AuthUser        Listable[string]       `json:"auth_user,omitempty"`
-	Protocol        Listable[string]       `json:"protocol,omitempty"`
-	Domain          Listable[string]       `json:"domain,omitempty"`
-	DomainSuffix    Listable[string]       `json:"domain_suffix,omitempty"`
-	DomainKeyword   Listable[string]       `json:"domain_keyword,omitempty"`
-	DomainRegex     Listable[string]       `json:"domain_regex,omitempty"`
-	Geosite         Listable[string]       `json:"geosite,omitempty"`
-	SourceGeoIP     Listable[string]       `json:"source_geoip,omitempty"`
-	SourceIPCIDR    Listable[string]       `json:"source_ip_cidr,omitempty"`
-	SourcePort      Listable[uint16]       `json:"source_port,omitempty"`
-	SourcePortRange Listable[string]       `json:"source_port_range,omitempty"`
-	Port            Listable[uint16]       `json:"port,omitempty"`
-	PortRange       Listable[string]       `json:"port_range,omitempty"`
-	ProcessName     Listable[string]       `json:"process_name,omitempty"`
-	ProcessPath     Listable[string]       `json:"process_path,omitempty"`
-	PackageName     Listable[string]       `json:"package_name,omitempty"`
-	User            Listable[string]       `json:"user,omitempty"`
-	UserID          Listable[int32]        `json:"user_id,omitempty"`
-	Outbound        Listable[string]       `json:"outbound,omitempty"`
-	ClashMode       string                 `json:"clash_mode,omitempty"`
-	Invert          bool                   `json:"invert,omitempty"`
-	Server          string                 `json:"server,omitempty"`
-	DisableCache    bool                   `json:"disable_cache,omitempty"`
-}
-
-func (r DefaultDNSRule) IsValid() bool {
-	var defaultValue DefaultDNSRule
-	defaultValue.Invert = r.Invert
-	defaultValue.Server = r.Server
-	defaultValue.DisableCache = r.DisableCache
-	return !reflect.DeepEqual(r, defaultValue)
-}
-
-type LogicalDNSRule struct {
-	Mode         string           `json:"mode"`
-	Rules        []DefaultDNSRule `json:"rules,omitempty"`
-	Invert       bool             `json:"invert,omitempty"`
-	Server       string           `json:"server,omitempty"`
-	DisableCache bool             `json:"disable_cache,omitempty"`
-}
-
-func (r LogicalDNSRule) IsValid() bool {
-	return len(r.Rules) > 0 && common.All(r.Rules, DefaultDNSRule.IsValid)
-}
--- a/option/rule_ip.go
+++ b/option/rule_ip.go
@@ -1,125 +0,0 @@
-package option
-
-import (
-	"reflect"
-
-	"github.com/sagernet/sing-box/common/json"
-	C "github.com/sagernet/sing-box/constant"
-	tun "github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type _IPRule struct {
-	Type           string        `json:"type,omitempty"`
-	DefaultOptions DefaultIPRule `json:"-"`
-	LogicalOptions LogicalIPRule `json:"-"`
-}
-
-type IPRule _IPRule
-
-func (r IPRule) MarshalJSON() ([]byte, error) {
-	var v any
-	switch r.Type {
-	case C.RuleTypeDefault:
-		r.Type = ""
-		v = r.DefaultOptions
-	case C.RuleTypeLogical:
-		v = r.LogicalOptions
-	default:
-		return nil, E.New("unknown rule type: " + r.Type)
-	}
-	return MarshallObjects((_IPRule)(r), v)
-}
-
-func (r *IPRule) UnmarshalJSON(bytes []byte) error {
-	err := json.Unmarshal(bytes, (*_IPRule)(r))
-	if err != nil {
-		return err
-	}
-	var v any
-	switch r.Type {
-	case "", C.RuleTypeDefault:
-		r.Type = C.RuleTypeDefault
-		v = &r.DefaultOptions
-	case C.RuleTypeLogical:
-		v = &r.LogicalOptions
-	default:
-		return E.New("unknown rule type: " + r.Type)
-	}
-	err = UnmarshallExcluded(bytes, (*_IPRule)(r), v)
-	if err != nil {
-		return E.Cause(err, "ip route rule")
-	}
-	return nil
-}
-
-type DefaultIPRule struct {
-	Inbound         Listable[string] `json:"inbound,omitempty"`
-	IPVersion       int              `json:"ip_version,omitempty"`
-	Network         Listable[string] `json:"network,omitempty"`
-	Domain          Listable[string] `json:"domain,omitempty"`
-	DomainSuffix    Listable[string] `json:"domain_suffix,omitempty"`
-	DomainKeyword   Listable[string] `json:"domain_keyword,omitempty"`
-	DomainRegex     Listable[string] `json:"domain_regex,omitempty"`
-	Geosite         Listable[string] `json:"geosite,omitempty"`
-	SourceGeoIP     Listable[string] `json:"source_geoip,omitempty"`
-	SourceIPCIDR    Listable[string] `json:"source_ip_cidr,omitempty"`
-	SourcePort      Listable[uint16] `json:"source_port,omitempty"`
-	SourcePortRange Listable[string] `json:"source_port_range,omitempty"`
-	Port            Listable[uint16] `json:"port,omitempty"`
-	PortRange       Listable[string] `json:"port_range,omitempty"`
-	Invert          bool             `json:"invert,omitempty"`
-	Action          RouteAction      `json:"action,omitempty"`
-	Outbound        string           `json:"outbound,omitempty"`
-}
-
-type RouteAction tun.ActionType
-
-func (a RouteAction) MarshalJSON() ([]byte, error) {
-	switch tun.ActionType(a) {
-	case tun.ActionTypeReject, tun.ActionTypeDirect:
-	default:
-		return nil, E.New("unknown action: ", a)
-	}
-	return json.Marshal(tun.ActionTypeName(tun.ActionType(a)))
-}
-
-func (a *RouteAction) UnmarshalJSON(bytes []byte) error {
-	var value string
-	err := json.Unmarshal(bytes, &value)
-	if err != nil {
-		return err
-	}
-	actionType, err := tun.ParseActionType(value)
-	if err != nil {
-		return err
-	}
-	switch actionType {
-	case tun.ActionTypeReject, tun.ActionTypeDirect:
-	default:
-		return E.New("unknown action: ", a)
-	}
-	*a = RouteAction(actionType)
-	return nil
-}
-
-func (r DefaultIPRule) IsValid() bool {
-	var defaultValue DefaultIPRule
-	defaultValue.Invert = r.Invert
-	defaultValue.Action = r.Action
-	defaultValue.Outbound = r.Outbound
-	return !reflect.DeepEqual(r, defaultValue)
-}
-
-type LogicalIPRule struct {
-	Mode     string          `json:"mode"`
-	Rules    []DefaultIPRule `json:"rules,omitempty"`
-	Invert   bool            `json:"invert,omitempty"`
-	Action   RouteAction     `json:"action,omitempty"`
-	Outbound string          `json:"outbound,omitempty"`
-}
-
-func (r LogicalIPRule) IsValid() bool {
-	return len(r.Rules) > 0 && common.All(r.Rules, DefaultIPRule.IsValid)
-}
--- a/option/v2ray_transport.go
+++ b/option/v2ray_transport.go
@@ -61,19 +61,19 @@ func (o *V2RayTransportOptions) UnmarshalJSON(bytes []byte) error {
 }

 type V2RayHTTPOptions struct {
-	Host        Listable[string]  `json:"host,omitempty"`
-	Path        string            `json:"path,omitempty"`
-	Method      string            `json:"method,omitempty"`
-	Headers     map[string]string `json:"headers,omitempty"`
-	IdleTimeout Duration          `json:"idle_timeout,omitempty"`
-	PingTimeout Duration          `json:"ping_timeout,omitempty"`
+	Host        Listable[string]            `json:"host,omitempty"`
+	Path        string                      `json:"path,omitempty"`
+	Method      string                      `json:"method,omitempty"`
+	Headers     map[string]Listable[string] `json:"headers,omitempty"`
+	IdleTimeout Duration                    `json:"idle_timeout,omitempty"`
+	PingTimeout Duration                    `json:"ping_timeout,omitempty"`
 }

 type V2RayWebsocketOptions struct {
-	Path                string            `json:"path,omitempty"`
-	Headers             map[string]string `json:"headers,omitempty"`
-	MaxEarlyData        uint32            `json:"max_early_data,omitempty"`
-	EarlyDataHeaderName string            `json:"early_data_header_name,omitempty"`
+	Path                string                      `json:"path,omitempty"`
+	Headers             map[string]Listable[string] `json:"headers,omitempty"`
+	MaxEarlyData        uint32                      `json:"max_early_data,omitempty"`
+	EarlyDataHeaderName string                      `json:"early_data_header_name,omitempty"`
 }

 type V2RayQUICOptions struct{}
--- a/option/wireguard.go
+++ b/option/wireguard.go
@@ -13,5 +13,4 @@ type WireGuardOutboundOptions struct {
 	Workers         int                    `json:"workers,omitempty"`
 	MTU             uint32                 `json:"mtu,omitempty"`
 	Network         NetworkList            `json:"network,omitempty"`
-	IPRewrite       bool                   `json:"ip_rewrite,omitempty"`
 }
--- a/outbound/builder.go
+++ b/outbound/builder.go
@@ -11,6 +11,11 @@ import (
 )

 func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.Outbound) (adapter.Outbound, error) {
+	var metadata *adapter.InboundContext
+	if options.Tag != "" {
+		ctx, metadata = adapter.AppendContext(ctx)
+		metadata.Outbound = options.Tag
+	}
 	if options.Type == "" {
 		return nil, E.New("missing outbound type")
 	}
--- a/outbound/default.go
+++ b/outbound/default.go
@@ -3,17 +3,18 @@ package outbound
 import (
 	"context"
 	"net"
+	"net/netip"
 	"os"
 	"runtime"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/canceler"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
+	"github.com/sagernet/sing/common/canceler"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -56,15 +57,21 @@ func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata a
 func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata adapter.InboundContext) error {
 	ctx = adapter.WithContext(ctx, &metadata)
 	var outConn net.PacketConn
+	var destinationAddress netip.Addr
 	var err error
 	if len(metadata.DestinationAddresses) > 0 {
-		outConn, err = N.ListenSerial(ctx, this, metadata.Destination, metadata.DestinationAddresses)
+		outConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, metadata.DestinationAddresses)
 	} else {
 		outConn, err = this.ListenPacket(ctx, metadata.Destination)
 	}
 	if err != nil {
 		return N.HandshakeFailure(conn, err)
 	}
+	if destinationAddress.IsValid() {
+		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
+			natConn.UpdateDestination(destinationAddress)
+		}
+	}
 	switch metadata.Protocol {
 	case C.ProtocolSTUN:
 		ctx, conn = canceler.NewPacketConn(ctx, conn, C.STUNTimeout)
--- a/outbound/dns.go
+++ b/outbound/dns.go
@@ -7,11 +7,11 @@ import (
 	"os"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/canceler"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/canceler"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/task"
--- a/outbound/http.go
+++ b/outbound/http.go
@@ -37,7 +37,7 @@ func NewHTTP(router adapter.Router, logger log.ContextLogger, tag string, option
 			logger:   logger,
 			tag:      tag,
 		},
-		http.NewClient(detour, options.ServerOptions.Build(), options.Username, options.Password),
+		http.NewClient(detour, options.ServerOptions.Build(), options.Username, options.Password, nil),
 	}, nil
 }

--- a/outbound/shadowsocks.go
+++ b/outbound/shadowsocks.go
@@ -136,6 +136,9 @@ var _ N.Dialer = (*shadowsocksDialer)(nil)
 type shadowsocksDialer Shadowsocks

 func (h *shadowsocksDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	ctx, metadata := adapter.AppendContext(ctx)
+	metadata.Outbound = h.tag
+	metadata.Destination = destination
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
 		var outConn net.Conn
@@ -161,6 +164,9 @@ func (h *shadowsocksDialer) DialContext(ctx context.Context, network string, des
 }

 func (h *shadowsocksDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	ctx, metadata := adapter.AppendContext(ctx)
+	metadata.Outbound = h.tag
+	metadata.Destination = destination
 	outConn, err := h.dialer.DialContext(ctx, N.NetworkUDP, h.serverAddr)
 	if err != nil {
 		return nil, err
--- a/outbound/shadowsocksr.go
+++ b/outbound/shadowsocksr.go
@@ -99,6 +99,9 @@ func NewShadowsocksR(ctx context.Context, router adapter.Router, logger log.Cont
 }

 func (h *ShadowsocksR) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	ctx, metadata := adapter.AppendContext(ctx)
+	metadata.Outbound = h.tag
+	metadata.Destination = destination
 	switch network {
 	case N.NetworkTCP:
 		h.logger.InfoContext(ctx, "outbound connection to ", destination)
@@ -131,6 +134,9 @@ func (h *ShadowsocksR) DialContext(ctx context.Context, network string, destinat
 }

 func (h *ShadowsocksR) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	ctx, metadata := adapter.AppendContext(ctx)
+	metadata.Outbound = h.tag
+	metadata.Destination = destination
 	h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	outConn, err := h.dialer.DialContext(ctx, N.NetworkUDP, h.serverAddr)
 	if err != nil {
--- a/outbound/shadowtls.go
+++ b/outbound/shadowtls.go
@@ -86,23 +86,26 @@ func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.Context
 	return outbound, nil
 }

-func (s *ShadowTLS) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+func (h *ShadowTLS) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	ctx, metadata := adapter.AppendContext(ctx)
+	metadata.Outbound = h.tag
+	metadata.Destination = destination
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
-		return s.client.DialContext(ctx)
+		return h.client.DialContext(ctx)
 	default:
 		return nil, os.ErrInvalid
 	}
 }

-func (s *ShadowTLS) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+func (h *ShadowTLS) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	return nil, os.ErrInvalid
 }

-func (s *ShadowTLS) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	return NewConnection(ctx, s, conn, metadata)
+func (h *ShadowTLS) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	return NewConnection(ctx, h, conn, metadata)
 }

-func (s *ShadowTLS) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+func (h *ShadowTLS) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return os.ErrInvalid
 }
--- a/outbound/vless.go
+++ b/outbound/vless.go
@@ -12,7 +12,6 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/v2ray"
 	"github.com/sagernet/sing-box/transport/vless"
-	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-vmess/packetaddr"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
@@ -105,11 +104,14 @@ func (h *VLESS) DialContext(ctx context.Context, network string, destination M.S
 		if h.xudp {
 			return h.client.DialEarlyXUDPPacketConn(conn, destination)
 		} else if h.packetAddr {
+			if destination.IsFqdn() {
+				return nil, E.New("packetaddr: domain destination is not supported")
+			}
 			packetConn, err := h.client.DialEarlyPacketConn(conn, M.Socksaddr{Fqdn: packetaddr.SeqPacketMagicAddress})
 			if err != nil {
 				return nil, err
 			}
-			return &bufio.BindPacketConn{PacketConn: dialer.NewResolvePacketConn(ctx, h.router, dns.DomainStrategyAsIS, packetaddr.NewConn(packetConn, destination)), Addr: destination}, nil
+			return &bufio.BindPacketConn{PacketConn: packetaddr.NewConn(packetConn, destination), Addr: destination}, nil
 		} else {
 			return h.client.DialEarlyPacketConn(conn, destination)
 		}
@@ -140,11 +142,14 @@ func (h *VLESS) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.
 	if h.xudp {
 		return h.client.DialEarlyXUDPPacketConn(conn, destination)
 	} else if h.packetAddr {
+		if destination.IsFqdn() {
+			return nil, E.New("packetaddr: domain destination is not supported")
+		}
 		conn, err := h.client.DialEarlyPacketConn(conn, M.Socksaddr{Fqdn: packetaddr.SeqPacketMagicAddress})
 		if err != nil {
 			return nil, err
 		}
-		return dialer.NewResolvePacketConn(ctx, h.router, dns.DomainStrategyAsIS, packetaddr.NewConn(conn, destination)), nil
+		return packetaddr.NewConn(conn, destination), nil
 	} else {
 		return h.client.DialEarlyPacketConn(conn, destination)
 	}
--- a/outbound/vmess.go
+++ b/outbound/vmess.go
@@ -12,7 +12,6 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/v2ray"
-	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing-vmess/packetaddr"
 	"github.com/sagernet/sing/common"
@@ -188,7 +187,10 @@ func (h *vmessDialer) ListenPacket(ctx context.Context, destination M.Socksaddr)
 		return nil, err
 	}
 	if h.packetAddr {
-		return dialer.NewResolvePacketConn(ctx, h.router, dns.DomainStrategyAsIS, packetaddr.NewConn(h.client.DialEarlyPacketConn(conn, M.Socksaddr{Fqdn: packetaddr.SeqPacketMagicAddress}), destination)), nil
+		if destination.IsFqdn() {
+			return nil, E.New("packetaddr: domain destination is not supported")
+		}
+		return packetaddr.NewConn(h.client.DialEarlyPacketConn(conn, M.Socksaddr{Fqdn: packetaddr.SeqPacketMagicAddress}), destination), nil
 	} else if h.xudp {
 		return h.client.DialEarlyXUDPPacketConn(conn, destination), nil
 	} else {
--- a/outbound/wireguard.go
+++ b/outbound/wireguard.go
@@ -8,9 +8,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"net"
-	"os"
 	"strings"
-	"syscall"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
@@ -28,7 +26,7 @@ import (
 )

 var (
-	_ adapter.IPOutbound              = (*WireGuard)(nil)
+	_ adapter.Outbound                = (*WireGuard)(nil)
 	_ adapter.InterfaceUpdateListener = (*WireGuard)(nil)
 )

@@ -36,7 +34,6 @@ type WireGuard struct {
 	myOutboundAdapter
 	bind      *wireguard.ClientBind
 	device    *device.Device
-	natDevice wireguard.NatDevice
 	tunDevice wireguard.Device
 }

@@ -109,25 +106,17 @@ func NewWireGuard(ctx context.Context, router adapter.Router, logger log.Context
 	if mtu == 0 {
 		mtu = 1408
 	}
-	var tunDevice wireguard.Device
+	var wireTunDevice wireguard.Device
 	var err error
 	if !options.SystemInterface && tun.WithGVisor {
-		tunDevice, err = wireguard.NewStackDevice(localPrefixes, mtu, options.IPRewrite)
+		wireTunDevice, err = wireguard.NewStackDevice(localPrefixes, mtu)
 	} else {
-		tunDevice, err = wireguard.NewSystemDevice(router, options.InterfaceName, localPrefixes, mtu)
+		wireTunDevice, err = wireguard.NewSystemDevice(router, options.InterfaceName, localPrefixes, mtu)
 	}
 	if err != nil {
 		return nil, E.Cause(err, "create WireGuard device")
 	}
-	natDevice, isNatDevice := tunDevice.(wireguard.NatDevice)
-	if !isNatDevice && router.NatRequired(tag) {
-		natDevice = wireguard.NewNATDevice(tunDevice, options.IPRewrite)
-	}
-	deviceInput := tunDevice
-	if natDevice != nil {
-		deviceInput = natDevice
-	}
-	wgDevice := device.NewDevice(deviceInput, outbound.bind, &device.Logger{
+	wgDevice := device.NewDevice(wireTunDevice, outbound.bind, &device.Logger{
 		Verbosef: func(format string, args ...interface{}) {
 			logger.Debug(fmt.Sprintf(strings.ToLower(format), args...))
 		},
@@ -143,8 +132,7 @@ func NewWireGuard(ctx context.Context, router adapter.Router, logger log.Context
 		return nil, E.Cause(err, "setup wireguard")
 	}
 	outbound.device = wgDevice
-	outbound.natDevice = natDevice
-	outbound.tunDevice = tunDevice
+	outbound.tunDevice = wireTunDevice
 	return outbound, nil
 }

@@ -183,27 +171,6 @@ func (w *WireGuard) NewPacketConnection(ctx context.Context, conn N.PacketConn,
 	return NewPacketConnection(ctx, w, conn, metadata)
 }

-func (w *WireGuard) NewIPConnection(ctx context.Context, conn tun.RouteContext, metadata adapter.InboundContext) (tun.DirectDestination, error) {
-	if w.natDevice == nil {
-		return nil, os.ErrInvalid
-	}
-	session := tun.RouteSession{
-		IPVersion:   metadata.IPVersion,
-		Network:     tun.NetworkFromName(metadata.Network),
-		Source:      metadata.Source.AddrPort(),
-		Destination: metadata.Destination.AddrPort(),
-	}
-	switch session.Network {
-	case syscall.IPPROTO_TCP:
-		w.logger.InfoContext(ctx, "linked connection to ", metadata.Destination)
-	case syscall.IPPROTO_UDP:
-		w.logger.InfoContext(ctx, "linked packet connection to ", metadata.Destination)
-	default:
-		w.logger.InfoContext(ctx, "linked ", metadata.Network, " connection to ", metadata.Destination.AddrString())
-	}
-	return w.natDevice.CreateDestination(session, conn), nil
-}
-
 func (w *WireGuard) Start() error {
 	return w.tunDevice.Start()
 }
@@ -212,5 +179,6 @@ func (w *WireGuard) Close() error {
 	if w.device != nil {
 		w.device.Close()
 	}
-	return common.Close(w.tunDevice)
+	w.tunDevice.Close()
+	return nil
 }
--- a/release/config/postremove.sh
+++ b/release/config/postremove.sh
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-rm -rf /var/lib/sing-box
--- a/release/config/sing-box.service
+++ b/release/config/sing-box.service
@@ -4,10 +4,9 @@ Documentation=https://sing-box.sagernet.org
 After=network.target nss-lookup.target

 [Service]
-WorkingDirectory=/var/lib/sing-box
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-ExecStart=/usr/bin/sing-box run -c /etc/sing-box/config.json
+ExecStart=/usr/bin/sing-box -D /var/lib/sing-box -C /etc/sing-box run
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure
 RestartSec=10s
--- a/release/config/sing-box@.service
+++ b/release/config/sing-box@.service
@@ -4,10 +4,9 @@ Documentation=https://sing-box.sagernet.org
 After=network.target nss-lookup.target

 [Service]
-WorkingDirectory=/var/lib/sing-box-%i
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-ExecStart=/usr/bin/sing-box run -c /etc/sing-box/%i.json
+ExecStart=/usr/bin/sing-box -D /var/lib/sing-box-%i -c /etc/sing-box/%i.json run
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure
 RestartSec=10s
--- a/release/local/install_go.sh
+++ b/release/local/install_go.sh
@@ -1,7 +1,9 @@
 #!/usr/bin/env bash

 set -e -o pipefail
-curl -Lo go.tar.gz https://go.dev/dl/go1.20.1.linux-amd64.tar.gz
+
+go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
+curl -Lo go.tar.gz "https://go.dev/dl/go$go_version.linux-amd64.tar.gz"
 sudo rm -rf /usr/local/go
 sudo tar -C /usr/local -xzf go.tar.gz
 rm go.tar.gz
--- a/release/local/sing-box.service
+++ b/release/local/sing-box.service
@@ -4,10 +4,9 @@ Documentation=https://sing-box.sagernet.org
 After=network.target nss-lookup.target

 [Service]
-WorkingDirectory=/var/lib/sing-box
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-ExecStart=/usr/local/bin/sing-box run -c /usr/local/etc/sing-box/config.json
+ExecStart=/usr/local/bin/sing-box -D /var/lib/sing-box -C /usr/local/etc/sing-box run
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure
 RestartSec=10s
--- a/route/router.go
+++ b/route/router.go
@@ -2,11 +2,14 @@ package route

 import (
 	"context"
+	"io"
 	"net"
+	"net/http"
 	"net/netip"
 	"net/url"
 	"os"
 	"os/user"
+	"path/filepath"
 	"strings"
 	"time"

@@ -34,6 +37,7 @@ import (
 	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/rw"
 	"github.com/sagernet/sing/common/uot"
 )

@@ -68,7 +72,6 @@ type Router struct {
 	outbounds                          []adapter.Outbound
 	outboundByTag                      map[string]adapter.Outbound
 	rules                              []adapter.Rule
-	ipRules                            []adapter.IPRule
 	defaultDetour                      string
 	defaultOutboundForConnection       adapter.Outbound
 	defaultOutboundForPacketConnection adapter.Outbound
@@ -125,7 +128,6 @@ func NewRouter(
 		dnsLogger:             logFactory.NewLogger("dns"),
 		outboundByTag:         make(map[string]adapter.Outbound),
 		rules:                 make([]adapter.Rule, 0, len(options.Rules)),
-		ipRules:               make([]adapter.IPRule, 0, len(options.IPRules)),
 		dnsRules:              make([]adapter.DNSRule, 0, len(dnsOptions.Rules)),
 		needGeoIPDatabase:     hasRule(options.Rules, isGeoIPRule) || hasDNSRule(dnsOptions.Rules, isGeoIPDNSRule),
 		needGeositeDatabase:   hasRule(options.Rules, isGeositeRule) || hasDNSRule(dnsOptions.Rules, isGeositeDNSRule),
@@ -147,13 +149,6 @@ func NewRouter(
 		}
 		router.rules = append(router.rules, routeRule)
 	}
-	for i, ipRuleOptions := range options.IPRules {
-		ipRule, err := NewIPRule(router, router.logger, ipRuleOptions)
-		if err != nil {
-			return nil, E.Cause(err, "parse ip rule[", i, "]")
-		}
-		router.ipRules = append(router.ipRules, ipRule)
-	}
 	for i, dnsRuleOptions := range dnsOptions.Rules {
 		dnsRule, err := NewDNSRule(router, router.logger, dnsRuleOptions)
 		if err != nil {
@@ -161,7 +156,6 @@ func NewRouter(
 		}
 		router.dnsRules = append(router.dnsRules, dnsRule)
 	}
-
 	transports := make([]dns.Transport, len(dnsOptions.Servers))
 	dummyTransportMap := make(map[string]dns.Transport)
 	transportMap := make(map[string]dns.Transport)
@@ -522,6 +516,27 @@ func (r *Router) Close() error {
 	)
 }

+func (r *Router) GeoIPReader() *geoip.Reader {
+	return r.geoIPReader
+}
+
+func (r *Router) LoadGeosite(code string) (adapter.Rule, error) {
+	rule, cached := r.geositeCache[code]
+	if cached {
+		return rule, nil
+	}
+	items, err := r.geositeReader.Read(code)
+	if err != nil {
+		return nil, err
+	}
+	rule, err = NewDefaultRule(r, nil, geosite.Compile(items))
+	if err != nil {
+		return nil, err
+	}
+	r.geositeCache[code] = rule
+	return rule, nil
+}
+
 func (r *Router) Outbound(tag string) (adapter.Outbound, bool) {
 	outbound, loaded := r.outboundByTag[tag]
 	return outbound, loaded
@@ -796,10 +811,6 @@ func (r *Router) Rules() []adapter.Rule {
 	return r.rules
 }

-func (r *Router) IPRules() []adapter.IPRule {
-	return r.ipRules
-}
-
 func (r *Router) NetworkMonitor() tun.NetworkUpdateMonitor {
 	return r.networkMonitor
 }
@@ -835,6 +846,239 @@ func (r *Router) SetV2RayServer(server adapter.V2RayServer) {
 	r.v2rayServer = server
 }

+func hasRule(rules []option.Rule, cond func(rule option.DefaultRule) bool) bool {
+	for _, rule := range rules {
+		switch rule.Type {
+		case C.RuleTypeDefault:
+			if cond(rule.DefaultOptions) {
+				return true
+			}
+		case C.RuleTypeLogical:
+			for _, subRule := range rule.LogicalOptions.Rules {
+				if cond(subRule) {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
+func hasDNSRule(rules []option.DNSRule, cond func(rule option.DefaultDNSRule) bool) bool {
+	for _, rule := range rules {
+		switch rule.Type {
+		case C.RuleTypeDefault:
+			if cond(rule.DefaultOptions) {
+				return true
+			}
+		case C.RuleTypeLogical:
+			for _, subRule := range rule.LogicalOptions.Rules {
+				if cond(subRule) {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
+func isGeoIPRule(rule option.DefaultRule) bool {
+	return len(rule.SourceGeoIP) > 0 && common.Any(rule.SourceGeoIP, notPrivateNode) || len(rule.GeoIP) > 0 && common.Any(rule.GeoIP, notPrivateNode)
+}
+
+func isGeoIPDNSRule(rule option.DefaultDNSRule) bool {
+	return len(rule.SourceGeoIP) > 0 && common.Any(rule.SourceGeoIP, notPrivateNode)
+}
+
+func isGeositeRule(rule option.DefaultRule) bool {
+	return len(rule.Geosite) > 0
+}
+
+func isGeositeDNSRule(rule option.DefaultDNSRule) bool {
+	return len(rule.Geosite) > 0
+}
+
+func isProcessRule(rule option.DefaultRule) bool {
+	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
+}
+
+func isProcessDNSRule(rule option.DefaultDNSRule) bool {
+	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
+}
+
+func notPrivateNode(code string) bool {
+	return code != "private"
+}
+
+func (r *Router) prepareGeoIPDatabase() error {
+	var geoPath string
+	if r.geoIPOptions.Path != "" {
+		geoPath = r.geoIPOptions.Path
+	} else {
+		geoPath = "geoip.db"
+		if foundPath, loaded := C.FindPath(geoPath); loaded {
+			geoPath = foundPath
+		}
+	}
+	geoPath = C.BasePath(geoPath)
+	if !rw.FileExists(geoPath) {
+		r.logger.Warn("geoip database not exists: ", geoPath)
+		var err error
+		for attempts := 0; attempts < 3; attempts++ {
+			err = r.downloadGeoIPDatabase(geoPath)
+			if err == nil {
+				break
+			}
+			r.logger.Error("download geoip database: ", err)
+			os.Remove(geoPath)
+			// time.Sleep(10 * time.Second)
+		}
+		if err != nil {
+			return err
+		}
+	}
+	geoReader, codes, err := geoip.Open(geoPath)
+	if err != nil {
+		return E.Cause(err, "open geoip database")
+	}
+	r.logger.Info("loaded geoip database: ", len(codes), " codes")
+	r.geoIPReader = geoReader
+	return nil
+}
+
+func (r *Router) prepareGeositeDatabase() error {
+	var geoPath string
+	if r.geositeOptions.Path != "" {
+		geoPath = r.geositeOptions.Path
+	} else {
+		geoPath = "geosite.db"
+		if foundPath, loaded := C.FindPath(geoPath); loaded {
+			geoPath = foundPath
+		}
+	}
+	geoPath = C.BasePath(geoPath)
+	if !rw.FileExists(geoPath) {
+		r.logger.Warn("geosite database not exists: ", geoPath)
+		var err error
+		for attempts := 0; attempts < 3; attempts++ {
+			err = r.downloadGeositeDatabase(geoPath)
+			if err == nil {
+				break
+			}
+			r.logger.Error("download geosite database: ", err)
+			os.Remove(geoPath)
+			// time.Sleep(10 * time.Second)
+		}
+		if err != nil {
+			return err
+		}
+	}
+	geoReader, codes, err := geosite.Open(geoPath)
+	if err == nil {
+		r.logger.Info("loaded geosite database: ", len(codes), " codes")
+		r.geositeReader = geoReader
+	} else {
+		return E.Cause(err, "open geosite database")
+	}
+	return nil
+}
+
+func (r *Router) downloadGeoIPDatabase(savePath string) error {
+	var downloadURL string
+	if r.geoIPOptions.DownloadURL != "" {
+		downloadURL = r.geoIPOptions.DownloadURL
+	} else {
+		downloadURL = "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db"
+	}
+	r.logger.Info("downloading geoip database")
+	var detour adapter.Outbound
+	if r.geoIPOptions.DownloadDetour != "" {
+		outbound, loaded := r.Outbound(r.geoIPOptions.DownloadDetour)
+		if !loaded {
+			return E.New("detour outbound not found: ", r.geoIPOptions.DownloadDetour)
+		}
+		detour = outbound
+	} else {
+		detour = r.defaultOutboundForConnection
+	}
+
+	if parentDir := filepath.Dir(savePath); parentDir != "" {
+		os.MkdirAll(parentDir, 0o755)
+	}
+
+	saveFile, err := os.OpenFile(savePath, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return E.Cause(err, "open output file: ", downloadURL)
+	}
+	defer saveFile.Close()
+
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			ForceAttemptHTTP2:   true,
+			TLSHandshakeTimeout: 5 * time.Second,
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return detour.DialContext(ctx, network, M.ParseSocksaddr(addr))
+			},
+		},
+	}
+	defer httpClient.CloseIdleConnections()
+	response, err := httpClient.Get(downloadURL)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+	_, err = io.Copy(saveFile, response.Body)
+	return err
+}
+
+func (r *Router) downloadGeositeDatabase(savePath string) error {
+	var downloadURL string
+	if r.geositeOptions.DownloadURL != "" {
+		downloadURL = r.geositeOptions.DownloadURL
+	} else {
+		downloadURL = "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db"
+	}
+	r.logger.Info("downloading geosite database")
+	var detour adapter.Outbound
+	if r.geositeOptions.DownloadDetour != "" {
+		outbound, loaded := r.Outbound(r.geositeOptions.DownloadDetour)
+		if !loaded {
+			return E.New("detour outbound not found: ", r.geositeOptions.DownloadDetour)
+		}
+		detour = outbound
+	} else {
+		detour = r.defaultOutboundForConnection
+	}
+
+	if parentDir := filepath.Dir(savePath); parentDir != "" {
+		os.MkdirAll(parentDir, 0o755)
+	}
+
+	saveFile, err := os.OpenFile(savePath, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return E.Cause(err, "open output file: ", downloadURL)
+	}
+	defer saveFile.Close()
+
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			ForceAttemptHTTP2:   true,
+			TLSHandshakeTimeout: 5 * time.Second,
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return detour.DialContext(ctx, network, M.ParseSocksaddr(addr))
+			},
+		},
+	}
+	defer httpClient.CloseIdleConnections()
+	response, err := httpClient.Get(downloadURL)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+	_, err = io.Copy(saveFile, response.Body)
+	return err
+}
+
 func (r *Router) OnPackagesUpdated(packages int, sharedUsers int) {
 	r.logger.Info("updated packages list: ", packages, " packages, ", sharedUsers, " shared users")
 }
--- a/route/router_geo_resources.go
+++ b/route/router_geo_resources.go
@@ -1,283 +0,0 @@
-package route
-
-import (
-	"context"
-	"io"
-	"net"
-	"net/http"
-	"os"
-	"path/filepath"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/geoip"
-	"github.com/sagernet/sing-box/common/geosite"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/common/rw"
-)
-
-func (r *Router) GeoIPReader() *geoip.Reader {
-	return r.geoIPReader
-}
-
-func (r *Router) LoadGeosite(code string) (adapter.Rule, error) {
-	rule, cached := r.geositeCache[code]
-	if cached {
-		return rule, nil
-	}
-	items, err := r.geositeReader.Read(code)
-	if err != nil {
-		return nil, err
-	}
-	rule, err = NewDefaultRule(r, nil, geosite.Compile(items))
-	if err != nil {
-		return nil, err
-	}
-	r.geositeCache[code] = rule
-	return rule, nil
-}
-
-func (r *Router) prepareGeoIPDatabase() error {
-	var geoPath string
-	if r.geoIPOptions.Path != "" {
-		geoPath = r.geoIPOptions.Path
-	} else {
-		geoPath = "geoip.db"
-		if foundPath, loaded := C.FindPath(geoPath); loaded {
-			geoPath = foundPath
-		}
-	}
-	geoPath = C.BasePath(geoPath)
-	if rw.FileExists(geoPath) {
-		geoReader, codes, err := geoip.Open(geoPath)
-		if err == nil {
-			r.logger.Info("loaded geoip database: ", len(codes), " codes")
-			r.geoIPReader = geoReader
-			return nil
-		}
-	}
-	if !rw.FileExists(geoPath) {
-		r.logger.Warn("geoip database not exists: ", geoPath)
-		var err error
-		for attempts := 0; attempts < 3; attempts++ {
-			err = r.downloadGeoIPDatabase(geoPath)
-			if err == nil {
-				break
-			}
-			r.logger.Error("download geoip database: ", err)
-			os.Remove(geoPath)
-			// time.Sleep(10 * time.Second)
-		}
-		if err != nil {
-			return err
-		}
-	}
-	geoReader, codes, err := geoip.Open(geoPath)
-	if err != nil {
-		return E.Cause(err, "open geoip database")
-	}
-	r.logger.Info("loaded geoip database: ", len(codes), " codes")
-	r.geoIPReader = geoReader
-	return nil
-}
-
-func (r *Router) prepareGeositeDatabase() error {
-	var geoPath string
-	if r.geositeOptions.Path != "" {
-		geoPath = r.geositeOptions.Path
-	} else {
-		geoPath = "geosite.db"
-		if foundPath, loaded := C.FindPath(geoPath); loaded {
-			geoPath = foundPath
-		}
-	}
-	geoPath = C.BasePath(geoPath)
-	if !rw.FileExists(geoPath) {
-		r.logger.Warn("geosite database not exists: ", geoPath)
-		var err error
-		for attempts := 0; attempts < 3; attempts++ {
-			err = r.downloadGeositeDatabase(geoPath)
-			if err == nil {
-				break
-			}
-			r.logger.Error("download geosite database: ", err)
-			os.Remove(geoPath)
-			// time.Sleep(10 * time.Second)
-		}
-		if err != nil {
-			return err
-		}
-	}
-	geoReader, codes, err := geosite.Open(geoPath)
-	if err == nil {
-		r.logger.Info("loaded geosite database: ", len(codes), " codes")
-		r.geositeReader = geoReader
-	} else {
-		return E.Cause(err, "open geosite database")
-	}
-	return nil
-}
-
-func (r *Router) downloadGeoIPDatabase(savePath string) error {
-	var downloadURL string
-	if r.geoIPOptions.DownloadURL != "" {
-		downloadURL = r.geoIPOptions.DownloadURL
-	} else {
-		downloadURL = "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db"
-	}
-	r.logger.Info("downloading geoip database")
-	var detour adapter.Outbound
-	if r.geoIPOptions.DownloadDetour != "" {
-		outbound, loaded := r.Outbound(r.geoIPOptions.DownloadDetour)
-		if !loaded {
-			return E.New("detour outbound not found: ", r.geoIPOptions.DownloadDetour)
-		}
-		detour = outbound
-	} else {
-		detour = r.defaultOutboundForConnection
-	}
-
-	if parentDir := filepath.Dir(savePath); parentDir != "" {
-		os.MkdirAll(parentDir, 0o755)
-	}
-
-	saveFile, err := os.OpenFile(savePath, os.O_CREATE|os.O_WRONLY, 0o644)
-	if err != nil {
-		return E.Cause(err, "open output file: ", downloadURL)
-	}
-	defer saveFile.Close()
-
-	httpClient := &http.Client{
-		Transport: &http.Transport{
-			ForceAttemptHTTP2:   true,
-			TLSHandshakeTimeout: 5 * time.Second,
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return detour.DialContext(ctx, network, M.ParseSocksaddr(addr))
-			},
-		},
-	}
-	defer httpClient.CloseIdleConnections()
-	response, err := httpClient.Get(downloadURL)
-	if err != nil {
-		return err
-	}
-	defer response.Body.Close()
-	_, err = io.Copy(saveFile, response.Body)
-	return err
-}
-
-func (r *Router) downloadGeositeDatabase(savePath string) error {
-	var downloadURL string
-	if r.geositeOptions.DownloadURL != "" {
-		downloadURL = r.geositeOptions.DownloadURL
-	} else {
-		downloadURL = "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db"
-	}
-	r.logger.Info("downloading geosite database")
-	var detour adapter.Outbound
-	if r.geositeOptions.DownloadDetour != "" {
-		outbound, loaded := r.Outbound(r.geositeOptions.DownloadDetour)
-		if !loaded {
-			return E.New("detour outbound not found: ", r.geositeOptions.DownloadDetour)
-		}
-		detour = outbound
-	} else {
-		detour = r.defaultOutboundForConnection
-	}
-
-	if parentDir := filepath.Dir(savePath); parentDir != "" {
-		os.MkdirAll(parentDir, 0o755)
-	}
-
-	saveFile, err := os.OpenFile(savePath, os.O_CREATE|os.O_WRONLY, 0o644)
-	if err != nil {
-		return E.Cause(err, "open output file: ", downloadURL)
-	}
-	defer saveFile.Close()
-
-	httpClient := &http.Client{
-		Transport: &http.Transport{
-			ForceAttemptHTTP2:   true,
-			TLSHandshakeTimeout: 5 * time.Second,
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return detour.DialContext(ctx, network, M.ParseSocksaddr(addr))
-			},
-		},
-	}
-	defer httpClient.CloseIdleConnections()
-	response, err := httpClient.Get(downloadURL)
-	if err != nil {
-		return err
-	}
-	defer response.Body.Close()
-	_, err = io.Copy(saveFile, response.Body)
-	return err
-}
-
-func hasRule(rules []option.Rule, cond func(rule option.DefaultRule) bool) bool {
-	for _, rule := range rules {
-		switch rule.Type {
-		case C.RuleTypeDefault:
-			if cond(rule.DefaultOptions) {
-				return true
-			}
-		case C.RuleTypeLogical:
-			for _, subRule := range rule.LogicalOptions.Rules {
-				if cond(subRule) {
-					return true
-				}
-			}
-		}
-	}
-	return false
-}
-
-func hasDNSRule(rules []option.DNSRule, cond func(rule option.DefaultDNSRule) bool) bool {
-	for _, rule := range rules {
-		switch rule.Type {
-		case C.RuleTypeDefault:
-			if cond(rule.DefaultOptions) {
-				return true
-			}
-		case C.RuleTypeLogical:
-			for _, subRule := range rule.LogicalOptions.Rules {
-				if cond(subRule) {
-					return true
-				}
-			}
-		}
-	}
-	return false
-}
-
-func isGeoIPRule(rule option.DefaultRule) bool {
-	return len(rule.SourceGeoIP) > 0 && common.Any(rule.SourceGeoIP, notPrivateNode) || len(rule.GeoIP) > 0 && common.Any(rule.GeoIP, notPrivateNode)
-}
-
-func isGeoIPDNSRule(rule option.DefaultDNSRule) bool {
-	return len(rule.SourceGeoIP) > 0 && common.Any(rule.SourceGeoIP, notPrivateNode)
-}
-
-func isGeositeRule(rule option.DefaultRule) bool {
-	return len(rule.Geosite) > 0
-}
-
-func isGeositeDNSRule(rule option.DefaultDNSRule) bool {
-	return len(rule.Geosite) > 0
-}
-
-func isProcessRule(rule option.DefaultRule) bool {
-	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
-}
-
-func isProcessDNSRule(rule option.DefaultDNSRule) bool {
-	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
-}
-
-func notPrivateNode(code string) bool {
-	return code != "private"
-}
--- a/route/router_ip.go
+++ b/route/router_ip.go
@@ -1,47 +0,0 @@
-package route
-
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-tun"
-)
-
-func (r *Router) RouteIPConnection(ctx context.Context, conn tun.RouteContext, metadata adapter.InboundContext) tun.RouteAction {
-	for i, rule := range r.ipRules {
-		if rule.Match(&metadata) {
-			if rule.Action() == tun.ActionTypeReject {
-				r.logger.InfoContext(ctx, "match[", i, "] ", rule.String(), " => reject")
-				return (*tun.ActionReject)(nil)
-			}
-			detour := rule.Outbound()
-			r.logger.InfoContext(ctx, "match[", i, "] ", rule.String(), " => ", detour)
-			outbound, loaded := r.Outbound(detour)
-			if !loaded {
-				r.logger.ErrorContext(ctx, "outbound not found: ", detour)
-				break
-			}
-			ipOutbound, loaded := outbound.(adapter.IPOutbound)
-			if !loaded {
-				r.logger.ErrorContext(ctx, "outbound have no ip connection support: ", detour)
-				break
-			}
-			destination, err := ipOutbound.NewIPConnection(ctx, conn, metadata)
-			if err != nil {
-				r.logger.ErrorContext(ctx, err)
-				break
-			}
-			return &tun.ActionDirect{DirectDestination: destination}
-		}
-	}
-	return (*tun.ActionReturn)(nil)
-}
-
-func (r *Router) NatRequired(outbound string) bool {
-	for _, ipRule := range r.ipRules {
-		if ipRule.Outbound() == outbound {
-			return true
-		}
-	}
-	return false
-}
--- a/route/rule_default.go
+++ b/route/rule_default.go
@@ -1,11 +1,16 @@
 package route

 import (
+	"strings"
+
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+	N "github.com/sagernet/sing/common/network"
 )

 func NewRule(router adapter.Router, logger log.ContextLogger, options option.Rule) (adapter.Rule, error) {
@@ -34,7 +39,14 @@ func NewRule(router adapter.Router, logger log.ContextLogger, options option.Rul
 var _ adapter.Rule = (*DefaultRule)(nil)

 type DefaultRule struct {
-	abstractDefaultRule
+	items                   []RuleItem
+	sourceAddressItems      []RuleItem
+	sourcePortItems         []RuleItem
+	destinationAddressItems []RuleItem
+	destinationPortItems    []RuleItem
+	allItems                []RuleItem
+	invert                  bool
+	outbound                string
 }

 type RuleItem interface {
@@ -44,10 +56,8 @@ type RuleItem interface {

 func NewDefaultRule(router adapter.Router, logger log.ContextLogger, options option.DefaultRule) (*DefaultRule, error) {
 	rule := &DefaultRule{
-		abstractDefaultRule{
-			invert:   options.Invert,
-			outbound: options.Outbound,
-		},
+		invert:   options.Invert,
+		outbound: options.Outbound,
 	}
 	if len(options.Inbound) > 0 {
 		item := NewInboundRule(options.Inbound)
@@ -64,10 +74,15 @@ func NewDefaultRule(router adapter.Router, logger log.ContextLogger, options opt
 			return nil, E.New("invalid ip version: ", options.IPVersion)
 		}
 	}
-	if len(options.Network) > 0 {
-		item := NewNetworkItem(options.Network)
-		rule.items = append(rule.items, item)
-		rule.allItems = append(rule.allItems, item)
+	if options.Network != "" {
+		switch options.Network {
+		case N.NetworkTCP, N.NetworkUDP:
+			item := NewNetworkItem(options.Network)
+			rule.items = append(rule.items, item)
+			rule.allItems = append(rule.allItems, item)
+		default:
+			return nil, E.New("invalid network: ", options.Network)
+		}
 	}
 	if len(options.AuthUser) > 0 {
 		item := NewAuthUserItem(options.AuthUser)
@@ -187,19 +202,130 @@ func NewDefaultRule(router adapter.Router, logger log.ContextLogger, options opt
 	return rule, nil
 }

+func (r *DefaultRule) Type() string {
+	return C.RuleTypeDefault
+}
+
+func (r *DefaultRule) Start() error {
+	for _, item := range r.allItems {
+		err := common.Start(item)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *DefaultRule) Close() error {
+	for _, item := range r.allItems {
+		err := common.Close(item)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *DefaultRule) UpdateGeosite() error {
+	for _, item := range r.allItems {
+		if geositeItem, isSite := item.(*GeositeItem); isSite {
+			err := geositeItem.Update()
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (r *DefaultRule) Match(metadata *adapter.InboundContext) bool {
+	for _, item := range r.items {
+		if !item.Match(metadata) {
+			return r.invert
+		}
+	}
+
+	if len(r.sourceAddressItems) > 0 {
+		var sourceAddressMatch bool
+		for _, item := range r.sourceAddressItems {
+			if item.Match(metadata) {
+				sourceAddressMatch = true
+				break
+			}
+		}
+		if !sourceAddressMatch {
+			return r.invert
+		}
+	}
+
+	if len(r.sourcePortItems) > 0 {
+		var sourcePortMatch bool
+		for _, item := range r.sourcePortItems {
+			if item.Match(metadata) {
+				sourcePortMatch = true
+				break
+			}
+		}
+		if !sourcePortMatch {
+			return r.invert
+		}
+	}
+
+	if len(r.destinationAddressItems) > 0 {
+		var destinationAddressMatch bool
+		for _, item := range r.destinationAddressItems {
+			if item.Match(metadata) {
+				destinationAddressMatch = true
+				break
+			}
+		}
+		if !destinationAddressMatch {
+			return r.invert
+		}
+	}
+
+	if len(r.destinationPortItems) > 0 {
+		var destinationPortMatch bool
+		for _, item := range r.destinationPortItems {
+			if item.Match(metadata) {
+				destinationPortMatch = true
+				break
+			}
+		}
+		if !destinationPortMatch {
+			return r.invert
+		}
+	}
+
+	return !r.invert
+}
+
+func (r *DefaultRule) Outbound() string {
+	return r.outbound
+}
+
+func (r *DefaultRule) String() string {
+	if !r.invert {
+		return strings.Join(F.MapToString(r.allItems), " ")
+	} else {
+		return "!(" + strings.Join(F.MapToString(r.allItems), " ") + ")"
+	}
+}
+
 var _ adapter.Rule = (*LogicalRule)(nil)

 type LogicalRule struct {
-	abstractLogicalRule
+	mode     string
+	rules    []*DefaultRule
+	invert   bool
+	outbound string
 }

 func NewLogicalRule(router adapter.Router, logger log.ContextLogger, options option.LogicalRule) (*LogicalRule, error) {
 	r := &LogicalRule{
-		abstractLogicalRule{
-			rules:    make([]adapter.Rule, len(options.Rules)),
-			invert:   options.Invert,
-			outbound: options.Outbound,
-		},
+		rules:    make([]*DefaultRule, len(options.Rules)),
+		invert:   options.Invert,
+		outbound: options.Outbound,
 	}
 	switch options.Mode {
 	case C.LogicalTypeAnd:
@@ -218,3 +344,68 @@ func NewLogicalRule(router adapter.Router, logger log.ContextLogger, options opt
 	}
 	return r, nil
 }
+
+func (r *LogicalRule) Type() string {
+	return C.RuleTypeLogical
+}
+
+func (r *LogicalRule) UpdateGeosite() error {
+	for _, rule := range r.rules {
+		err := rule.UpdateGeosite()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *LogicalRule) Start() error {
+	for _, rule := range r.rules {
+		err := rule.Start()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *LogicalRule) Close() error {
+	for _, rule := range r.rules {
+		err := rule.Close()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *LogicalRule) Match(metadata *adapter.InboundContext) bool {
+	if r.mode == C.LogicalTypeAnd {
+		return common.All(r.rules, func(it *DefaultRule) bool {
+			return it.Match(metadata)
+		}) != r.invert
+	} else {
+		return common.Any(r.rules, func(it *DefaultRule) bool {
+			return it.Match(metadata)
+		}) != r.invert
+	}
+}
+
+func (r *LogicalRule) Outbound() string {
+	return r.outbound
+}
+
+func (r *LogicalRule) String() string {
+	var op string
+	switch r.mode {
+	case C.LogicalTypeAnd:
+		op = "&&"
+	case C.LogicalTypeOr:
+		op = "||"
+	}
+	if !r.invert {
+		return strings.Join(F.MapToString(r.rules), " "+op+" ")
+	} else {
+		return "!(" + strings.Join(F.MapToString(r.rules), " "+op+" ") + ")"
+	}
+}
--- a/route/rule_abstract.go
+++ b/route/rule_abstract.go
@@ -1,199 +0,0 @@
-package route
-
-import (
-	"strings"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
-	F "github.com/sagernet/sing/common/format"
-)
-
-type abstractDefaultRule struct {
-	items                   []RuleItem
-	sourceAddressItems      []RuleItem
-	sourcePortItems         []RuleItem
-	destinationAddressItems []RuleItem
-	destinationPortItems    []RuleItem
-	allItems                []RuleItem
-	invert                  bool
-	outbound                string
-}
-
-func (r *abstractDefaultRule) Type() string {
-	return C.RuleTypeDefault
-}
-
-func (r *abstractDefaultRule) Start() error {
-	for _, item := range r.allItems {
-		err := common.Start(item)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (r *abstractDefaultRule) Close() error {
-	for _, item := range r.allItems {
-		err := common.Close(item)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (r *abstractDefaultRule) UpdateGeosite() error {
-	for _, item := range r.allItems {
-		if geositeItem, isSite := item.(*GeositeItem); isSite {
-			err := geositeItem.Update()
-			if err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
-	for _, item := range r.items {
-		if !item.Match(metadata) {
-			return r.invert
-		}
-	}
-
-	if len(r.sourceAddressItems) > 0 {
-		var sourceAddressMatch bool
-		for _, item := range r.sourceAddressItems {
-			if item.Match(metadata) {
-				sourceAddressMatch = true
-				break
-			}
-		}
-		if !sourceAddressMatch {
-			return r.invert
-		}
-	}
-
-	if len(r.sourcePortItems) > 0 {
-		var sourcePortMatch bool
-		for _, item := range r.sourcePortItems {
-			if item.Match(metadata) {
-				sourcePortMatch = true
-				break
-			}
-		}
-		if !sourcePortMatch {
-			return r.invert
-		}
-	}
-
-	if len(r.destinationAddressItems) > 0 {
-		var destinationAddressMatch bool
-		for _, item := range r.destinationAddressItems {
-			if item.Match(metadata) {
-				destinationAddressMatch = true
-				break
-			}
-		}
-		if !destinationAddressMatch {
-			return r.invert
-		}
-	}
-
-	if len(r.destinationPortItems) > 0 {
-		var destinationPortMatch bool
-		for _, item := range r.destinationPortItems {
-			if item.Match(metadata) {
-				destinationPortMatch = true
-				break
-			}
-		}
-		if !destinationPortMatch {
-			return r.invert
-		}
-	}
-
-	return !r.invert
-}
-
-func (r *abstractDefaultRule) Outbound() string {
-	return r.outbound
-}
-
-func (r *abstractDefaultRule) String() string {
-	return strings.Join(F.MapToString(r.allItems), " ")
-}
-
-type abstractLogicalRule struct {
-	rules    []adapter.Rule
-	mode     string
-	invert   bool
-	outbound string
-}
-
-func (r *abstractLogicalRule) Type() string {
-	return C.RuleTypeLogical
-}
-
-func (r *abstractLogicalRule) UpdateGeosite() error {
-	for _, rule := range r.rules {
-		err := rule.UpdateGeosite()
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (r *abstractLogicalRule) Start() error {
-	for _, rule := range r.rules {
-		err := rule.Start()
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (r *abstractLogicalRule) Close() error {
-	for _, rule := range r.rules {
-		err := rule.Close()
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (r *abstractLogicalRule) Match(metadata *adapter.InboundContext) bool {
-	if r.mode == C.LogicalTypeAnd {
-		return common.All(r.rules, func(it adapter.Rule) bool {
-			return it.Match(metadata)
-		}) != r.invert
-	} else {
-		return common.Any(r.rules, func(it adapter.Rule) bool {
-			return it.Match(metadata)
-		}) != r.invert
-	}
-}
-
-func (r *abstractLogicalRule) Outbound() string {
-	return r.outbound
-}
-
-func (r *abstractLogicalRule) String() string {
-	var op string
-	switch r.mode {
-	case C.LogicalTypeAnd:
-		op = "&&"
-	case C.LogicalTypeOr:
-		op = "||"
-	}
-	if !r.invert {
-		return strings.Join(F.MapToString(r.rules), " "+op+" ")
-	} else {
-		return "!(" + strings.Join(F.MapToString(r.rules), " "+op+" ") + ")"
-	}
-}
--- a/route/rule_item_auth_user.go
+++ b/route/rule_item_auth_user.go
--- a/route/rule_item_cidr.go
+++ b/route/rule_item_cidr.go
--- a/route/rule_item_clash_mode.go
+++ b/route/rule_item_clash_mode.go
--- a/route/rule_dns.go
+++ b/route/rule_dns.go
@@ -1,11 +1,16 @@
 package route

 import (
+	"strings"
+
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+	N "github.com/sagernet/sing/common/network"
 )

 func NewDNSRule(router adapter.Router, logger log.ContextLogger, options option.DNSRule) (adapter.DNSRule, error) {
@@ -34,16 +39,21 @@ func NewDNSRule(router adapter.Router, logger log.ContextLogger, options option.
 var _ adapter.DNSRule = (*DefaultDNSRule)(nil)

 type DefaultDNSRule struct {
-	abstractDefaultRule
-	disableCache bool
+	items                   []RuleItem
+	sourceAddressItems      []RuleItem
+	sourcePortItems         []RuleItem
+	destinationAddressItems []RuleItem
+	destinationPortItems    []RuleItem
+	allItems                []RuleItem
+	invert                  bool
+	outbound                string
+	disableCache            bool
 }

 func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options option.DefaultDNSRule) (*DefaultDNSRule, error) {
 	rule := &DefaultDNSRule{
-		abstractDefaultRule: abstractDefaultRule{
-			invert:   options.Invert,
-			outbound: options.Server,
-		},
+		invert:       options.Invert,
+		outbound:     options.Server,
 		disableCache: options.DisableCache,
 	}
 	if len(options.Inbound) > 0 {
@@ -66,10 +76,15 @@ func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options
 		rule.items = append(rule.items, item)
 		rule.allItems = append(rule.allItems, item)
 	}
-	if len(options.Network) > 0 {
-		item := NewNetworkItem(options.Network)
-		rule.items = append(rule.items, item)
-		rule.allItems = append(rule.allItems, item)
+	if options.Network != "" {
+		switch options.Network {
+		case N.NetworkTCP, N.NetworkUDP:
+			item := NewNetworkItem(options.Network)
+			rule.items = append(rule.items, item)
+			rule.allItems = append(rule.allItems, item)
+		default:
+			return nil, E.New("invalid network: ", options.Network)
+		}
 	}
 	if len(options.AuthUser) > 0 {
 		item := NewAuthUserItem(options.AuthUser)
@@ -181,24 +196,131 @@ func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options
 	return rule, nil
 }

+func (r *DefaultDNSRule) Type() string {
+	return C.RuleTypeDefault
+}
+
+func (r *DefaultDNSRule) Start() error {
+	for _, item := range r.allItems {
+		err := common.Start(item)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *DefaultDNSRule) Close() error {
+	for _, item := range r.allItems {
+		err := common.Close(item)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *DefaultDNSRule) UpdateGeosite() error {
+	for _, item := range r.allItems {
+		if geositeItem, isSite := item.(*GeositeItem); isSite {
+			err := geositeItem.Update()
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (r *DefaultDNSRule) Match(metadata *adapter.InboundContext) bool {
+	for _, item := range r.items {
+		if !item.Match(metadata) {
+			return r.invert
+		}
+	}
+
+	if len(r.sourceAddressItems) > 0 {
+		var sourceAddressMatch bool
+		for _, item := range r.sourceAddressItems {
+			if item.Match(metadata) {
+				sourceAddressMatch = true
+				break
+			}
+		}
+		if !sourceAddressMatch {
+			return r.invert
+		}
+	}
+
+	if len(r.sourcePortItems) > 0 {
+		var sourcePortMatch bool
+		for _, item := range r.sourcePortItems {
+			if item.Match(metadata) {
+				sourcePortMatch = true
+				break
+			}
+		}
+		if !sourcePortMatch {
+			return r.invert
+		}
+	}
+
+	if len(r.destinationAddressItems) > 0 {
+		var destinationAddressMatch bool
+		for _, item := range r.destinationAddressItems {
+			if item.Match(metadata) {
+				destinationAddressMatch = true
+				break
+			}
+		}
+		if !destinationAddressMatch {
+			return r.invert
+		}
+	}
+
+	if len(r.destinationPortItems) > 0 {
+		var destinationPortMatch bool
+		for _, item := range r.destinationPortItems {
+			if item.Match(metadata) {
+				destinationPortMatch = true
+				break
+			}
+		}
+		if !destinationPortMatch {
+			return r.invert
+		}
+	}
+
+	return !r.invert
+}
+
+func (r *DefaultDNSRule) Outbound() string {
+	return r.outbound
+}
+
 func (r *DefaultDNSRule) DisableCache() bool {
 	return r.disableCache
 }

+func (r *DefaultDNSRule) String() string {
+	return strings.Join(F.MapToString(r.allItems), " ")
+}
+
 var _ adapter.DNSRule = (*LogicalDNSRule)(nil)

 type LogicalDNSRule struct {
-	abstractLogicalRule
+	mode         string
+	rules        []*DefaultDNSRule
+	invert       bool
+	outbound     string
 	disableCache bool
 }

 func NewLogicalDNSRule(router adapter.Router, logger log.ContextLogger, options option.LogicalDNSRule) (*LogicalDNSRule, error) {
 	r := &LogicalDNSRule{
-		abstractLogicalRule: abstractLogicalRule{
-			rules:    make([]adapter.Rule, len(options.Rules)),
-			invert:   options.Invert,
-			outbound: options.Server,
-		},
+		rules:        make([]*DefaultDNSRule, len(options.Rules)),
+		invert:       options.Invert,
+		outbound:     options.Server,
 		disableCache: options.DisableCache,
 	}
 	switch options.Mode {
@@ -219,6 +341,71 @@ func NewLogicalDNSRule(router adapter.Router, logger log.ContextLogger, options
 	return r, nil
 }

+func (r *LogicalDNSRule) Type() string {
+	return C.RuleTypeLogical
+}
+
+func (r *LogicalDNSRule) UpdateGeosite() error {
+	for _, rule := range r.rules {
+		err := rule.UpdateGeosite()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *LogicalDNSRule) Start() error {
+	for _, rule := range r.rules {
+		err := rule.Start()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *LogicalDNSRule) Close() error {
+	for _, rule := range r.rules {
+		err := rule.Close()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *LogicalDNSRule) Match(metadata *adapter.InboundContext) bool {
+	if r.mode == C.LogicalTypeAnd {
+		return common.All(r.rules, func(it *DefaultDNSRule) bool {
+			return it.Match(metadata)
+		}) != r.invert
+	} else {
+		return common.Any(r.rules, func(it *DefaultDNSRule) bool {
+			return it.Match(metadata)
+		}) != r.invert
+	}
+}
+
+func (r *LogicalDNSRule) Outbound() string {
+	return r.outbound
+}
+
 func (r *LogicalDNSRule) DisableCache() bool {
 	return r.disableCache
 }
+
+func (r *LogicalDNSRule) String() string {
+	var op string
+	switch r.mode {
+	case C.LogicalTypeAnd:
+		op = "&&"
+	case C.LogicalTypeOr:
+		op = "||"
+	}
+	if !r.invert {
+		return strings.Join(F.MapToString(r.rules), " "+op+" ")
+	} else {
+		return "!(" + strings.Join(F.MapToString(r.rules), " "+op+" ") + ")"
+	}
+}
--- a/route/rule_item_domain.go
+++ b/route/rule_item_domain.go
--- a/route/rule_item_domain_keyword.go
+++ b/route/rule_item_domain_keyword.go
--- a/route/rule_item_domain_regex.go
+++ b/route/rule_item_domain_regex.go
--- a/route/rule_item_geoip.go
+++ b/route/rule_item_geoip.go
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	72dbf2e2b4	documentation: Update changelog	2023-04-07 19:18:26 +08:00
世界	46c318c6fe	Fix v2ray HTTP/1.1 transport compatibility	2023-04-07 18:20:07 +08:00
世界	05bb1b88c3	dns: Fix rewrite TTL	2023-04-07 16:19:34 +08:00
世界	5176ea9fe0	Update dependencies	2023-04-07 16:19:34 +08:00
世界	36d349acd2	dns: Fix calculate TTL	2023-04-07 13:12:16 +08:00
世界	4feee983b5	Update reality protocol	2023-04-06 19:05:05 +08:00
世界	9b12e3e389	Update client documentation	2023-04-06 12:51:26 +08:00
世界	afd3464216	Minor fixes	2023-04-05 21:41:06 +08:00
世界	8b64446274	platform: Fixes and improvements	2023-04-05 19:54:20 +08:00
世界	28aa4c4d1f	Refactor log factory constructor	2023-04-03 20:24:13 +08:00
世界	0be3cdc8fb	platform: Add http client	2023-04-03 15:12:44 +08:00
armv9	f8be484019	conntrack: Fix missing tracking for udp conn	2023-04-02 12:06:03 +08:00
世界	35f03f092d	Improve UDP domain destination NAT	2023-04-02 12:05:59 +08:00
世界	c3d7401ead	platform: Add check config func	2023-04-02 10:35:03 +08:00
世界	4db7eb9d9e	documentation: Update changelog	2023-03-31 16:29:08 +08:00
世界	fd4efd6104	Fix dns transport read	2023-03-31 14:31:35 +08:00
世界	19a35ec6a4	Fix http2 transport close	2023-03-31 14:31:35 +08:00
世界	2012c0ca1e	Update release scripts	2023-03-31 14:31:35 +08:00
世界	187421c754	Append time to session log	2023-03-31 14:31:35 +08:00
世界	b3fb86d415	Accept "any" outbound in dns rule	2023-03-31 14:31:35 +08:00
世界	88fafd4e30	Fix dns routing context	2023-03-31 09:14:04 +08:00
世界	8056932f9c	Update documentation	2023-03-27 08:23:01 +08:00
世界	c8af003bfc	Update dependencies	2023-03-27 08:22:56 +08:00
世界	4999441a85	Fix missing default host in v2ray http transport`s request	2023-03-27 08:20:59 +08:00
世界	09b001e795	Revert remove install shell	2023-03-27 08:20:55 +08:00
世界	3b3a251008	Update LICENSE	2023-03-27 08:20:51 +08:00
世界	2e4eb9aa39	Update dockerfile	2023-03-24 08:29:11 +08:00
世界	77fd284703	documentation: Update changelog	2023-03-24 08:04:36 +08:00
世界	0a4517f4b7	Update dependencies	2023-03-24 07:06:45 +08:00
世界	4395db3206	documentation: Update set_system_proxy usage	2023-03-23 21:27:50 +08:00
世界	dd5b0abc67	Fix slow open	2023-03-23 17:14:38 +08:00
世界	466800aa3a	Fix wireguard mutex	2023-03-23 15:43:17 +08:00
世界	4328c535a9	Improve timeout canceler	2023-03-23 15:39:12 +08:00
世界	f9516709da	Update documentation	2023-03-23 07:54:24 +08:00
世界	5dce722879	Update dependencies	2023-03-23 07:49:14 +08:00