documentation: Bump version

.github/workflows/build.yml

@@ -1,629 +0,0 @@
-name: Build
-
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        description: "Version name"
-        required: true
-        type: string
-      build:
-        description: "Build type"
-        required: true
-        type: choice
-        default: "All"
-        options:
-          - All
-          - Binary
-          - Android
-          - Apple
-          - app-store
-          - iOS
-          - macOS
-          - tvOS
-          - macOS-standalone
-          - publish-android
-  push:
-    branches:
-      - main-next
-      - dev-next
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
-  cancel-in-progress: true
-
-jobs:
-  calculate_version:
-    name: Calculate version
-    runs-on: ubuntu-latest
-    outputs:
-      version: ${{ steps.outputs.outputs.version }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.23
-      - name: Check input version
-        if: github.event_name == 'workflow_dispatch'
-        run: |-
-          echo "version=${{ inputs.version }}" 
-          echo "version=${{ inputs.version }}" >> "$GITHUB_ENV"
-      - name: Calculate version
-        if: github.event_name != 'workflow_dispatch'
-        run: |-
-          go run -v ./cmd/internal/read_tag --nightly
-      - name: Set outputs
-        id: outputs
-        run: |-
-          echo "version=$version" >> "$GITHUB_OUTPUT"
-  build:
-    name: Build binary
-    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
-    runs-on: ubuntu-latest
-    needs:
-      - calculate_version
-    strategy:
-      matrix:
-        include:
-          - name: linux_386
-            goos: linux
-            goarch: 386
-          - name: linux_amd64
-            goos: linux
-            goarch: amd64
-          - name: linux_arm64
-            goos: linux
-            goarch: arm64
-          - name: linux_arm
-            goos: linux
-            goarch: arm
-            goarm: 6
-          - name: linux_arm_v7
-            goos: linux
-            goarch: arm
-            goarm: 7
-          - name: linux_s390x
-            goos: linux
-            goarch: s390x
-          - name: linux_riscv64
-            goos: linux
-            goarch: riscv64
-          - name: linux_mips64le
-            goos: linux
-            goarch: mips64le
-          - name: windows_amd64
-            goos: windows
-            goarch: amd64
-            require_legacy_go: true
-          - name: windows_386
-            goos: windows
-            goarch: 386
-            require_legacy_go: true
-          - name: windows_arm64
-            goos: windows
-            goarch: arm64
-          - name: darwin_arm64
-            goos: darwin
-            goarch: arm64
-          - name: darwin_amd64
-            goos: darwin
-            goarch: amd64
-            require_legacy_go: true
-          - name: android_arm64
-            goos: android
-            goarch: arm64
-          - name: android_arm
-            goos: android
-            goarch: arm
-            goarm: 7
-          - name: android_amd64
-            goos: android
-            goarch: amd64
-          - name: android_386
-            goos: android
-            goarch: 386
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.23
-      - name: Cache legacy Go
-        if: matrix.require_legacy_go
-        id: cache-legacy-go
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/go1.20.14
-          key: go120
-      - name: Setup legacy Go
-        if: matrix.require_legacy_go == 'true' && steps.cache-legacy-go.outputs.cache-hit != 'true'
-        run: |-
-          wget https://dl.google.com/go/go1.20.14.linux-amd64.tar.gz
-          tar -xzf go1.20.14.linux-amd64.tar.gz
-          mv go $HOME/go/go1.20.14
-      - name: Setup Android NDK
-        if: matrix.goos == 'android'
-        uses: nttld/setup-ndk@v1
-        with:
-          ndk-version: r28-beta2
-          local-cache: true
-      - name: Setup Goreleaser
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          distribution: goreleaser-pro
-          version: latest
-          install-only: true
-      - name: Extract signing key
-        run: |-
-          mkdir -p $HOME/.gnupg
-          cat > $HOME/.gnupg/sagernet.key <<EOF
-          ${{ secrets.GPG_KEY }}
-          EOF
-          echo "HOME=$HOME" >> "$GITHUB_ENV"
-      - name: Set tag
-        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
-      - name: Build
-        if: matrix.goos != 'android'
-        run: |-
-          goreleaser release --clean --split
-        env:
-          GOOS: ${{ matrix.goos }}
-          GOARCH: ${{ matrix.goarch }}
-          GOPATH: ${{ env.HOME }}/go
-          GOARM: ${{ matrix.goarm }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
-          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-      - name: Build Android
-        if: matrix.goos == 'android'
-        run: |-
-          go install -v ./cmd/internal/build
-          GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build goreleaser release --clean --split
-        env:
-          BUILD_GOOS: ${{ matrix.goos }}
-          BUILD_GOARCH: ${{ matrix.goarch }}
-          GOARM: ${{ matrix.goarm }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
-          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-      - name: Upload artifact
-        if: github.event_name == 'workflow_dispatch'
-        uses: actions/upload-artifact@v4
-        with:
-          name: binary-${{ matrix.name }}
-          path: 'dist'
-  build_android:
-    name: Build Android
-    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
-    runs-on: ubuntu-latest
-    needs:
-      - calculate_version
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-          submodules: 'recursive'
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.23
-      - name: Setup Android NDK
-        id: setup-ndk
-        uses: nttld/setup-ndk@v1
-        with:
-          ndk-version: r28-beta2
-      - name: Setup OpenJDK
-        run: |-
-          sudo apt update && sudo apt install -y openjdk-17-jdk-headless
-          /usr/lib/jvm/java-17-openjdk-amd64/bin/java --version
-      - name: Set tag
-        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
-      - name: Build library
-        run: |-
-          make lib_install
-          export PATH="$PATH:$(go env GOPATH)/bin"
-          make lib_android
-        env:
-          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
-          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
-      - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
-        run: |-
-          cd clients/android
-          git checkout main
-      - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
-        run: |-
-          cd clients/android
-          git checkout dev
-      - name: Gradle cache
-        uses: actions/cache@v4
-        with:
-          path: ~/.gradle
-          key: gradle-${{ hashFiles('**/*.gradle') }}
-      - name: Build release
-        if: github.event_name == 'workflow_dispatch'
-        run: |-
-          go run -v ./cmd/internal/update_android_version --ci
-          mkdir clients/android/app/libs
-          cp libbox.aar clients/android/app/libs
-          cd clients/android
-          ./gradlew :app:assemblePlayRelease :app:assembleOtherRelease
-        env:
-          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
-          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
-          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
-      - name: Build debug
-        if: github.event_name != 'workflow_dispatch'
-        run: |-
-          go run -v ./cmd/internal/update_android_version --ci
-          mkdir clients/android/app/libs
-          cp libbox.aar clients/android/app/libs
-          cd clients/android
-          ./gradlew :app:assemblePlayRelease
-        env:
-          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
-          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
-          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
-      - name: Prepare release upload
-        if: github.event_name == 'workflow_dispatch'
-        run: |-
-          mkdir -p dist/release
-          cp clients/android/app/build/outputs/apk/play/release/*.apk dist/release
-          cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist/release
-      - name: Prepare debug upload
-        if: github.event_name != 'workflow_dispatch'
-        run: |-
-          mkdir -p dist/release
-          cp clients/android/app/build/outputs/apk/play/release/*.apk dist/release
-      - name: Upload artifact
-        if: github.event_name == 'workflow_dispatch'
-        uses: actions/upload-artifact@v4
-        with:
-          name: binary-android-apks
-          path: 'dist'
-      - name: Upload debug apk (arm64-v8a)
-        if: github.event_name != 'workflow_dispatch'
-        uses: actions/upload-artifact@v4
-        with:
-          name: "SFA-${{ needs.calculate_version.outputs.version }}-arm64-v8a.apk"
-          path: 'dist/release/*-arm64-v8a.apk'
-      - name: Upload debug apk (universal)
-        if: github.event_name != 'workflow_dispatch'
-        uses: actions/upload-artifact@v4
-        with:
-          name: "SFA-${{ needs.calculate_version.outputs.version }}-universal.apk"
-          path: 'dist/release/*-universal.apk'
-  publish_android:
-    name: Publish Android
-    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
-    runs-on: ubuntu-latest
-    needs:
-      - calculate_version
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-          submodules: 'recursive'
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.23
-      - name: Setup Android NDK
-        id: setup-ndk
-        uses: nttld/setup-ndk@v1
-        with:
-          ndk-version: r28-beta2
-      - name: Setup OpenJDK
-        run: |-
-          sudo apt update && sudo apt install -y openjdk-17-jdk-headless
-          /usr/lib/jvm/java-17-openjdk-amd64/bin/java --version
-      - name: Set tag
-        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
-      - name: Build library
-        run: |-
-          make lib_install
-          export PATH="$PATH:$(go env GOPATH)/bin"
-          make lib_android
-        env:
-          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
-          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
-      - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
-        run: |-
-          cd clients/android
-          git checkout main
-      - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
-        run: |-
-          cd clients/android
-          git checkout dev
-      - name: Gradle cache
-        uses: actions/cache@v4
-        with:
-          path: ~/.gradle
-          key: gradle-${{ hashFiles('**/*.gradle') }}
-      - name: Build
-        run: |-
-          go run -v ./cmd/internal/update_android_version --ci
-          mkdir clients/android/app/libs
-          cp libbox.aar clients/android/app/libs
-          cd clients/android
-          echo -n "$SERVICE_ACCOUNT_CREDENTIALS" | base64 --decode > service-account-credentials.json
-          ./gradlew :app:publishPlayReleaseBundle
-        env:
-          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
-          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
-          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
-          SERVICE_ACCOUNT_CREDENTIALS: ${{ secrets.SERVICE_ACCOUNT_CREDENTIALS }}
-  build_apple:
-    name: Build Apple clients
-    runs-on: macos-15
-    needs:
-      - calculate_version
-    strategy:
-      matrix:
-        include:
-          - name: iOS
-            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'iOS' }}
-            platform: ios
-            scheme: SFI
-            destination: 'generic/platform=iOS'
-            archive: build/SFI.xcarchive
-            upload: SFI/Upload.plist
-          - name: macOS
-            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'macOS' }}
-            platform: macos
-            scheme: SFM
-            destination: 'generic/platform=macOS'
-            archive: build/SFM.xcarchive
-            upload: SFI/Upload.plist
-          - name: tvOS
-            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'tvOS' }}
-            platform: tvos
-            scheme: SFT
-            destination: 'generic/platform=tvOS'
-            archive: build/SFT.xcarchive
-            upload: SFI/Upload.plist
-          - name: macOS-standalone
-            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone' }}
-            platform: macos
-            scheme: SFM.System
-            destination: 'generic/platform=macOS'
-            archive: build/SFM.System.xcarchive
-            export: SFM.System/Export.plist
-            export_path: build/SFM.System
-    steps:
-      - name: Checkout
-        if: matrix.if
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-          submodules: 'recursive'
-      - name: Setup Go
-        if: matrix.if
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.23
-      - name: Setup Xcode stable
-        if: matrix.if && github.ref == 'refs/heads/main-next'
-        run: |-
-          sudo xcode-select -s /Applications/Xcode_16.2.app
-      - name: Setup Xcode beta
-        if: matrix.if && github.ref == 'refs/heads/dev-next'
-        run: |-
-          sudo xcode-select -s /Applications/Xcode_16.2.app
-      - name: Set tag
-        if: matrix.if
-        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
-          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
-      - name: Checkout main branch
-        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
-        run: |-
-          cd clients/apple
-          git checkout main
-      - name: Checkout dev branch
-        if: matrix.if && github.ref == 'refs/heads/dev-next'
-        run: |-
-          cd clients/apple
-          git checkout dev
-      - name: Setup certificates
-        if: matrix.if
-        run: |-
-          CERTIFICATE_PATH=$RUNNER_TEMP/Certificates.p12
-          KEYCHAIN_PATH=$RUNNER_TEMP/certificates.keychain-db
-          echo -n "$CERTIFICATES_P12" | base64 --decode -o $CERTIFICATE_PATH
-          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
-          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
-          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
-          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
-          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
-          security list-keychain -d user -s $KEYCHAIN_PATH
-
-          PROFILES_ZIP_PATH=$RUNNER_TEMP/Profiles.zip
-          echo -n "$PROVISIONING_PROFILES" | base64 --decode -o $PROFILES_ZIP_PATH
-          
-          PROFILES_PATH="$HOME/Library/MobileDevice/Provisioning Profiles"
-          mkdir -p "$PROFILES_PATH"
-          unzip $PROFILES_ZIP_PATH -d "$PROFILES_PATH"
-          
-          ASC_KEY_PATH=$RUNNER_TEMP/Key.p12
-          echo -n "$ASC_KEY" | base64 --decode -o $ASC_KEY_PATH
-          
-          xcrun notarytool store-credentials "notarytool-password" \
-            --key $ASC_KEY_PATH \
-            --key-id $ASC_KEY_ID \
-            --issuer $ASC_KEY_ISSUER_ID
-          
-          echo "ASC_KEY_PATH=$ASC_KEY_PATH" >> "$GITHUB_ENV"
-          echo "ASC_KEY_ID=$ASC_KEY_ID" >> "$GITHUB_ENV"
-          echo "ASC_KEY_ISSUER_ID=$ASC_KEY_ISSUER_ID" >> "$GITHUB_ENV"
-        env:
-          CERTIFICATES_P12: ${{ secrets.CERTIFICATES_P12 }}
-          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
-          KEYCHAIN_PASSWORD: ${{ secrets.P12_PASSWORD }}
-          PROVISIONING_PROFILES: ${{ secrets.PROVISIONING_PROFILES }}
-          ASC_KEY: ${{ secrets.ASC_KEY }}
-          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
-          ASC_KEY_ISSUER_ID: ${{ secrets.ASC_KEY_ISSUER_ID }}
-      - name: Build library
-        if: matrix.if
-        run: |-
-          make lib_install
-          export PATH="$PATH:$(go env GOPATH)/bin"
-          go run ./cmd/internal/build_libbox -target apple -platform ${{ matrix.platform }}
-          mv Libbox.xcframework clients/apple
-      - name: Update macOS version
-        if: matrix.if && matrix.name == 'macOS' && github.event_name == 'workflow_dispatch'
-        run: |-
-          MACOS_PROJECT_VERSION=$(go run -v ./cmd/internal/app_store_connect next_macos_project_version)
-          echo "MACOS_PROJECT_VERSION=$MACOS_PROJECT_VERSION"
-          echo "MACOS_PROJECT_VERSION=$MACOS_PROJECT_VERSION" >> "$GITHUB_ENV"
-      - name: Build
-        if: matrix.if
-        run: |-
-          go run -v ./cmd/internal/update_apple_version --ci
-          cd clients/apple
-          xcodebuild archive \
-            -scheme "${{ matrix.scheme }}" \
-            -configuration Release \
-            -destination "${{ matrix.destination }}" \
-            -archivePath "${{ matrix.archive }}" \
-            -allowProvisioningUpdates \
-            -authenticationKeyPath $ASC_KEY_PATH \
-            -authenticationKeyID $ASC_KEY_ID \
-            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
-      - name: Upload to App Store Connect
-        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch'
-        run: |-
-          go run -v ./cmd/internal/app_store_connect cancel_app_store ${{ matrix.platform }}
-          cd clients/apple
-          xcodebuild -exportArchive \
-            -archivePath "${{ matrix.archive }}" \
-            -exportOptionsPlist ${{ matrix.upload }} \
-            -allowProvisioningUpdates \
-            -authenticationKeyPath $ASC_KEY_PATH \
-            -authenticationKeyID $ASC_KEY_ID \
-            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
-      - name: Publish to TestFlight
-        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
-        run: |-
-          go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
-      - name: Build image
-        if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
-        run: |-
-          pushd clients/apple
-          xcodebuild -exportArchive \
-          	-archivePath "${{ matrix.archive }}" \
-          	-exportOptionsPlist ${{ matrix.export }} \
-          	-exportPath "${{ matrix.export_path }}"
-          brew install create-dmg
-          create-dmg \
-          	--volname "sing-box" \
-          	--volicon "${{ matrix.export_path }}/SFM.app/Contents/Resources/AppIcon.icns" \
-          	--icon "SFM.app" 0 0 \
-          		--hide-extension "SFM.app" \
-          		--app-drop-link 0 0 \
-          		--skip-jenkins \
-          	SFM.dmg "${{ matrix.export_path }}/SFM.app"
-          xcrun notarytool submit "SFM.dmg" --wait --keychain-profile "notarytool-password"          
-          cd "${{ matrix.archive }}"
-          zip -r SFM.dSYMs.zip dSYMs
-          popd
-          
-          mkdir -p dist/release
-          cp clients/apple/SFM.dmg "dist/release/SFM-${VERSION}-universal.dmg"
-          cp "clients/apple/${{ matrix.archive }}/SFM.dSYMs.zip" "dist/release/SFM-${VERSION}-universal.dSYMs.zip"
-      - name: Upload image
-        if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
-        uses: actions/upload-artifact@v4
-        with:
-          name: binary-macos-dmg
-          path: 'dist'
-  upload:
-    name: Upload builds
-    if: always() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')
-    runs-on: ubuntu-latest
-    needs:
-      - calculate_version
-      - build
-      - build_android
-      - build_apple
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Goreleaser
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          distribution: goreleaser-pro
-          version: latest
-          install-only: true
-      - name: Cache ghr
-        uses: actions/cache@v4
-        id: cache-ghr
-        with:
-          path: |
-            ~/go/bin/ghr
-          key: ghr
-      - name: Setup ghr
-        if: steps.cache-ghr.outputs.cache-hit != 'true'
-        run: |-
-          cd $HOME
-          git clone https://github.com/nekohasekai/ghr ghr
-          cd ghr
-          go install -v .
-      - name: Set tag
-        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
-          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
-      - name: Download builds
-        uses: actions/download-artifact@v4
-        with:
-          path: dist
-          merge-multiple: true
-      - name: Merge builds
-        if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
-        run: |-
-          goreleaser continue --merge --skip publish
-          mkdir -p dist/release
-          mv dist/*/sing-box*{tar.gz,zip,deb,rpm,_amd64.pkg.tar.zst,_arm64.pkg.tar.zst} dist/release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-      - name: Upload builds
-        if: ${{ env.PUBLISHED == 'false' }}
-        run: |-
-          export PATH="$PATH:$HOME/go/bin"
-          ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Replace builds
-        if: ${{ env.PUBLISHED != 'false' }}
-        run: |-
-          export PATH="$PATH:$HOME/go/bin"
-          ghr --replace -p 5 "v${VERSION}" dist/release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/debug.yml

@@ -0,0 +1,219 @@
+name: Debug build
+
+on:
+  push:
+    branches:
+      - stable-next
+      - main-next
+      - dev-next
+    paths-ignore:
+      - '**.md'
+      - '.github/**'
+      - '!.github/workflows/debug.yml'
+  pull_request:
+    branches:
+      - stable-next
+      - main-next
+      - dev-next
+
+jobs:
+  build:
+    name: Debug build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.23
+      - name: Run Test
+        run: |
+          go test -v ./...
+  build_go120:
+    name: Debug build (Go 1.20)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ~1.20
+      - name: Cache go module
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/go/pkg/mod
+          key: go120-${{ hashFiles('**/go.sum') }}
+      - name: Run Test
+        run: make ci_build_go120
+  build_go121:
+    name: Debug build (Go 1.21)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ~1.21
+      - name: Cache go module
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/go/pkg/mod
+          key: go121-${{ hashFiles('**/go.sum') }}
+      - name: Run Test
+        run: make ci_build
+  build_go122:
+    name: Debug build (Go 1.22)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ~1.22
+      - name: Cache go module
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/go/pkg/mod
+          key: go122-${{ hashFiles('**/go.sum') }}
+      - name: Run Test
+        run: make ci_build
+  cross:
+    strategy:
+      matrix:
+        include:
+          # windows
+          - name: windows-amd64
+            goos: windows
+            goarch: amd64
+            goamd64: v1
+          - name: windows-amd64-v3
+            goos: windows
+            goarch: amd64
+            goamd64: v3
+          - name: windows-386
+            goos: windows
+            goarch: 386
+          - name: windows-arm64
+            goos: windows
+            goarch: arm64
+          - name: windows-arm32v7
+            goos: windows
+            goarch: arm
+            goarm: 7
+          
+          # linux
+          - name: linux-amd64
+            goos: linux
+            goarch: amd64
+            goamd64: v1
+          - name: linux-amd64-v3
+            goos: linux
+            goarch: amd64
+            goamd64: v3
+          - name: linux-386
+            goos: linux
+            goarch: 386
+          - name: linux-arm64
+            goos: linux
+            goarch: arm64
+          - name: linux-armv5
+            goos: linux
+            goarch: arm
+            goarm: 5
+          - name: linux-armv6
+            goos: linux
+            goarch: arm
+            goarm: 6
+          - name: linux-armv7
+            goos: linux
+            goarch: arm
+            goarm: 7
+          - name: linux-mips-softfloat
+            goos: linux
+            goarch: mips
+            gomips: softfloat
+          - name: linux-mips-hardfloat
+            goos: linux
+            goarch: mips
+            gomips: hardfloat
+          - name: linux-mipsel-softfloat
+            goos: linux
+            goarch: mipsle
+            gomips: softfloat
+          - name: linux-mipsel-hardfloat
+            goos: linux
+            goarch: mipsle
+            gomips: hardfloat
+          - name: linux-mips64
+            goos: linux
+            goarch: mips64
+          - name: linux-mips64el
+            goos: linux
+            goarch: mips64le
+          - name: linux-s390x
+            goos: linux
+            goarch: s390x
+          # darwin
+          - name: darwin-amd64
+            goos: darwin
+            goarch: amd64
+            goamd64: v1
+          - name: darwin-amd64-v3
+            goos: darwin
+            goarch: amd64
+            goamd64: v3
+          - name: darwin-arm64
+            goos: darwin
+            goarch: arm64
+          # freebsd
+          - name: freebsd-amd64
+            goos: freebsd
+            goarch: amd64
+            goamd64: v1
+          - name: freebsd-amd64-v3
+            goos: freebsd
+            goarch: amd64
+            goamd64: v3
+          - name: freebsd-386
+            goos: freebsd
+            goarch: 386
+          - name: freebsd-arm64
+            goos: freebsd
+            goarch: arm64
+      fail-fast: true
+    runs-on: ubuntu-latest
+    env:
+      GOOS: ${{ matrix.goos }}
+      GOARCH: ${{ matrix.goarch }}
+      GOAMD64: ${{ matrix.goamd64 }}
+      GOARM: ${{ matrix.goarm }}
+      GOMIPS: ${{ matrix.gomips }}
+      CGO_ENABLED: 0
+      TAGS: with_gvisor,with_dhcp,with_wireguard,with_clash_api,with_quic,with_utls,with_ech
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.21
+      - name: Build
+        id: build
+        run: make

.github/workflows/linux.yml

@@ -22,6 +22,7 @@ jobs:
           mkdir -p $HOME/.gnupg
           cat > $HOME/.gnupg/sagernet.key <<EOF
           ${{ secrets.GPG_KEY }}
+          echo "HOME=$HOME" >> "$GITHUB_ENV"
           EOF
           echo "HOME=$HOME" >> "$GITHUB_ENV"
       - name: Publish release

.golangci.yml

@@ -22,16 +22,6 @@ linters-settings:
 
 run:
   go: "1.23"
-  build-tags:
-    - with_gvisor
-    - with_quic
-    - with_dhcp
-    - with_wireguard
-    - with_ech
-    - with_utls
-    - with_reality_server
-    - with_acme
-    - with_clash_api
 
 issues:
   exclude-dirs:

.goreleaser.yaml

@@ -201,5 +201,3 @@ release:
     - archive
     - package
   skip_upload: true
-partial:
-  by: target

Makefile

@@ -28,7 +28,7 @@ ci_build:
 	go build $(MAIN_PARAMS) $(MAIN)
 
 generate_completions:
-	go run -v --tags $(TAGS),generate,generate_completions $(MAIN)
+	go run -v --tags generate,generate_completions $(MAIN)
 
 install:
 	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
@@ -71,7 +71,7 @@ release:
 		dist/*_amd64.pkg.tar.zst \
 		dist/*_arm64.pkg.tar.zst \
 		dist/release
-	ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release
+	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
 	rm -r dist/release
 
 release_repo:
@@ -90,7 +90,7 @@ upload_android:
 	mkdir -p dist/release_android
 	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
 	cp ../sing-box-for-android/app/build/outputs/apk/other/release/*-universal.apk dist/release_android
-	ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release_android
+	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 
 release_android: lib_android update_android_version build_android upload_android
@@ -182,22 +182,10 @@ release_tvos: build_tvos upload_tvos_app_store
 update_apple_version:
 	go run ./cmd/internal/update_apple_version
 
-update_macos_version:
-	MACOS_PROJECT_VERSION=$(shell go run -v ./cmd/internal/app_store_connect next_macos_project_version) go run ./cmd/internal/update_apple_version
-
 release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_standalone
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
 
-publish_testflight:
-	go run -v ./cmd/internal/app_store_connect publish_testflight
-
-prepare_app_store:
-	go run -v ./cmd/internal/app_store_connect prepare_app_store
-
-publish_app_store:
-	go run -v ./cmd/internal/app_store_connect publish_app_store
-
 test:
 	@go test -v ./... && \
 	cd test && \
@@ -213,14 +201,8 @@ test_stdio:
 lib_android:
 	go run ./cmd/internal/build_libbox -target android
 
-lib_android_debug:
-	go run ./cmd/internal/build_libbox -target android -debug
-
-lib_apple:
-	go run ./cmd/internal/build_libbox -target apple
-
 lib_ios:
-	go run ./cmd/internal/build_libbox -target apple -platform ios -debug
+	go run ./cmd/internal/build_libbox -target ios
 
 lib:
 	go run ./cmd/internal/build_libbox -target android

adapter/inbound.go

@@ -72,7 +72,7 @@ type InboundContext struct {
 	UDPConnect                bool
 	UDPTimeout                time.Duration
 
-	NetworkStrategy     *C.NetworkStrategy
+	NetworkStrategy     C.NetworkStrategy
 	NetworkType         []C.InterfaceType
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration

adapter/network.go

@@ -28,7 +28,7 @@ type NetworkManager interface {
 }
 
 type NetworkOptions struct {
-	NetworkStrategy     *C.NetworkStrategy
+	NetworkStrategy     C.NetworkStrategy
 	NetworkType         []C.InterfaceType
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration

box.go

@@ -12,10 +12,8 @@ import (
 	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/taskmonitor"
-	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
@@ -85,6 +83,7 @@ func New(options Options) (*Box, error) {
 		ctx = context.Background()
 	}
 	ctx = service.ContextWithDefaultRegistry(ctx)
+
 	endpointRegistry := service.FromContext[adapter.EndpointRegistry](ctx)
 	inboundRegistry := service.FromContext[adapter.InboundRegistry](ctx)
 	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
@@ -101,10 +100,7 @@ func New(options Options) (*Box, error) {
 
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
-	debugOptions := common.PtrValueOrDefault(experimentalOptions.Debug)
+	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
-	applyDebugOptions(debugOptions)
-	ctx = conntrack.ContextWithDefaultTracker(ctx, debugOptions.OOMKiller, uint64(debugOptions.MemoryLimit))
-
 	var needCacheFile bool
 	var needClashAPI bool
 	var needV2RayAPI bool
@@ -153,14 +149,6 @@ func New(options Options) (*Box, error) {
 	if err != nil {
 		return nil, E.Cause(err, "initialize router")
 	}
-
-	ntpOptions := common.PtrValueOrDefault(options.NTP)
-	var timeService *tls.TimeServiceWrapper
-	if ntpOptions.Enabled {
-		timeService = new(tls.TimeServiceWrapper)
-		service.MustRegister[ntp.TimeService](ctx, timeService)
-	}
-
 	for i, endpointOptions := range options.Endpoints {
 		var tag string
 		if endpointOptions.Tag != "" {
@@ -266,12 +254,13 @@ func New(options Options) (*Box, error) {
 			service.MustRegister[adapter.V2RayServer](ctx, v2rayServer)
 		}
 	}
+	ntpOptions := common.PtrValueOrDefault(options.NTP)
 	if ntpOptions.Enabled {
 		ntpDialer, err := dialer.New(ctx, ntpOptions.DialerOptions)
 		if err != nil {
 			return nil, E.Cause(err, "create NTP service")
 		}
-		ntpService := ntp.NewService(ntp.Options{
+		timeService := ntp.NewService(ntp.Options{
 			Context:       ctx,
 			Dialer:        ntpDialer,
 			Logger:        logFactory.NewLogger("ntp"),
@@ -279,8 +268,8 @@ func New(options Options) (*Box, error) {
 			Interval:      time.Duration(ntpOptions.Interval),
 			WriteToSystem: ntpOptions.WriteToSystem,
 		})
-		timeService.TimeService = ntpService
+		service.MustRegister[ntp.TimeService](ctx, timeService)
-		services = append(services, adapter.NewLifecycleService(ntpService, "ntp service"))
+		services = append(services, adapter.NewLifecycleService(timeService, "ntp service"))
 	}
 	return &Box{
 		network:    networkManager,

cmd/internal/app_store_connect/main.go

@@ -1,445 +0,0 @@
-package main
-
-import (
-	"context"
-	"net/http"
-	"os"
-	"strconv"
-	"time"
-
-	"github.com/sagernet/asc-go/asc"
-	"github.com/sagernet/sing-box/cmd/internal/build_shared"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
-)
-
-func main() {
-	ctx := context.Background()
-	switch os.Args[1] {
-	case "next_macos_project_version":
-		err := fetchMacOSVersion(ctx)
-		if err != nil {
-			log.Fatal(err)
-		}
-	case "publish_testflight":
-		err := publishTestflight(ctx)
-		if err != nil {
-			log.Fatal(err)
-		}
-	case "cancel_app_store":
-		err := cancelAppStore(ctx, os.Args[2])
-		if err != nil {
-			log.Fatal(err)
-		}
-	case "prepare_app_store":
-		err := prepareAppStore(ctx)
-		if err != nil {
-			log.Fatal(err)
-		}
-	case "publish_app_store":
-		err := publishAppStore(ctx)
-		if err != nil {
-			log.Fatal(err)
-		}
-	default:
-		log.Fatal("unknown action: ", os.Args[1])
-	}
-}
-
-const (
-	appID   = "6673731168"
-	groupID = "5c5f3b78-b7a0-40c0-bcad-e6ef87bbefda"
-)
-
-func createClient(expireDuration time.Duration) *asc.Client {
-	privateKey, err := os.ReadFile(os.Getenv("ASC_KEY_PATH"))
-	if err != nil {
-		log.Fatal(err)
-	}
-	tokenConfig, err := asc.NewTokenConfig(os.Getenv("ASC_KEY_ID"), os.Getenv("ASC_KEY_ISSUER_ID"), expireDuration, privateKey)
-	if err != nil {
-		log.Fatal(err)
-	}
-	return asc.NewClient(tokenConfig.Client())
-}
-
-func fetchMacOSVersion(ctx context.Context) error {
-	client := createClient(time.Minute)
-	versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
-		FilterPlatform: []string{"MAC_OS"},
-	})
-	if err != nil {
-		return err
-	}
-	var versionID string
-findVersion:
-	for _, version := range versions.Data {
-		switch *version.Attributes.AppStoreState {
-		case asc.AppStoreVersionStateReadyForSale,
-			asc.AppStoreVersionStatePendingDeveloperRelease:
-			versionID = version.ID
-			break findVersion
-		}
-	}
-	if versionID == "" {
-		return E.New("no version found")
-	}
-	latestBuild, _, err := client.Builds.GetBuildForAppStoreVersion(ctx, versionID, &asc.GetBuildForAppStoreVersionQuery{})
-	if err != nil {
-		return err
-	}
-	versionInt, err := strconv.Atoi(*latestBuild.Data.Attributes.Version)
-	if err != nil {
-		return E.Cause(err, "parse version code")
-	}
-	os.Stdout.WriteString(F.ToString(versionInt+1, "\n"))
-	return nil
-}
-
-func publishTestflight(ctx context.Context) error {
-	tagVersion, err := build_shared.ReadTagVersion()
-	if err != nil {
-		return err
-	}
-	tag := tagVersion.VersionString()
-	client := createClient(10 * time.Minute)
-
-	log.Info(tag, " list build IDs")
-	buildIDsResponse, _, err := client.TestFlight.ListBuildIDsForBetaGroup(ctx, groupID, nil)
-	if err != nil {
-		return err
-	}
-	buildIDs := common.Map(buildIDsResponse.Data, func(it asc.RelationshipData) string {
-		return it.ID
-	})
-	var platforms []asc.Platform
-	if len(os.Args) == 3 {
-		switch os.Args[2] {
-		case "ios":
-			platforms = []asc.Platform{asc.PlatformIOS}
-		case "macos":
-			platforms = []asc.Platform{asc.PlatformMACOS}
-		case "tvos":
-			platforms = []asc.Platform{asc.PlatformTVOS}
-		default:
-			return E.New("unknown platform: ", os.Args[2])
-		}
-	} else {
-		platforms = []asc.Platform{
-			asc.PlatformIOS,
-			asc.PlatformMACOS,
-			asc.PlatformTVOS,
-		}
-	}
-	for _, platform := range platforms {
-		log.Info(string(platform), " list builds")
-		for {
-			builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
-				FilterApp:                       []string{appID},
-				FilterPreReleaseVersionPlatform: []string{string(platform)},
-			})
-			if err != nil {
-				return err
-			}
-			build := builds.Data[0]
-			if common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 5*time.Minute {
-				log.Info(string(platform), " ", tag, " waiting for process")
-				time.Sleep(15 * time.Second)
-				continue
-			}
-			if *build.Attributes.ProcessingState != "VALID" {
-				log.Info(string(platform), " ", tag, " waiting for process: ", *build.Attributes.ProcessingState)
-				time.Sleep(15 * time.Second)
-				continue
-			}
-			log.Info(string(platform), " ", tag, " list localizations")
-			localizations, _, err := client.TestFlight.ListBetaBuildLocalizationsForBuild(ctx, build.ID, nil)
-			if err != nil {
-				return err
-			}
-			localization := common.Find(localizations.Data, func(it asc.BetaBuildLocalization) bool {
-				return *it.Attributes.Locale == "en-US"
-			})
-			if localization.ID == "" {
-				log.Fatal(string(platform), " ", tag, " no en-US localization found")
-			}
-			if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
-				log.Info(string(platform), " ", tag, " update localization")
-				_, _, err = client.TestFlight.UpdateBetaBuildLocalization(ctx, localization.ID, common.Ptr(
-					F.ToString("sing-box ", tagVersion.String()),
-				))
-				if err != nil {
-					return err
-				}
-			}
-			log.Info(string(platform), " ", tag, " publish")
-			response, err := client.TestFlight.AddBuildsToBetaGroup(ctx, groupID, []string{build.ID})
-			if response != nil && response.StatusCode == http.StatusUnprocessableEntity {
-				log.Info("waiting for process")
-				time.Sleep(15 * time.Second)
-				continue
-			} else if err != nil {
-				return err
-			}
-			log.Info(string(platform), " ", tag, " list submissions")
-			betaSubmissions, _, err := client.TestFlight.ListBetaAppReviewSubmissions(ctx, &asc.ListBetaAppReviewSubmissionsQuery{
-				FilterBuild: []string{build.ID},
-			})
-			if err != nil {
-				return err
-			}
-			if len(betaSubmissions.Data) == 0 {
-				log.Info(string(platform), " ", tag, " create submission")
-				_, _, err = client.TestFlight.CreateBetaAppReviewSubmission(ctx, build.ID)
-				if err != nil {
-					return err
-				}
-			}
-			break
-		}
-	}
-	return nil
-}
-
-func cancelAppStore(ctx context.Context, platform string) error {
-	switch platform {
-	case "ios":
-		platform = string(asc.PlatformIOS)
-	case "macos":
-		platform = string(asc.PlatformMACOS)
-	case "tvos":
-		platform = string(asc.PlatformTVOS)
-	}
-	tag, err := build_shared.ReadTag()
-	if err != nil {
-		return err
-	}
-	client := createClient(time.Minute)
-	for {
-		log.Info(platform, " list versions")
-		versions, response, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
-			FilterPlatform: []string{string(platform)},
-		})
-		if isRetryable(response) {
-			continue
-		} else if err != nil {
-			return err
-		}
-		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
-			return *it.Attributes.VersionString == tag
-		})
-		if version.ID == "" {
-			return nil
-		}
-		log.Info(platform, " ", tag, " get submission")
-		submission, response, err := client.Submission.GetAppStoreVersionSubmissionForAppStoreVersion(ctx, version.ID, nil)
-		if response != nil && response.StatusCode == http.StatusNotFound {
-			return nil
-		}
-		if isRetryable(response) {
-			continue
-		} else if err != nil {
-			return err
-		}
-		log.Info(platform, " ", tag, " delete submission")
-		_, err = client.Submission.DeleteSubmission(ctx, submission.Data.ID)
-		if err != nil {
-			return err
-		}
-		return nil
-	}
-}
-
-func prepareAppStore(ctx context.Context) error {
-	tag, err := build_shared.ReadTag()
-	if err != nil {
-		return err
-	}
-	client := createClient(time.Minute)
-	for _, platform := range []asc.Platform{
-		asc.PlatformIOS,
-		asc.PlatformMACOS,
-		asc.PlatformTVOS,
-	} {
-		log.Info(string(platform), " list versions")
-		versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
-			FilterPlatform: []string{string(platform)},
-		})
-		if err != nil {
-			return err
-		}
-		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
-			return *it.Attributes.VersionString == tag
-		})
-		log.Info(string(platform), " ", tag, " list builds")
-		builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
-			FilterApp:                       []string{appID},
-			FilterPreReleaseVersionPlatform: []string{string(platform)},
-		})
-		if err != nil {
-			return err
-		}
-		if len(builds.Data) == 0 {
-			log.Fatal(platform, " ", tag, " no build found")
-		}
-		buildID := common.Ptr(builds.Data[0].ID)
-		if version.ID == "" {
-			log.Info(string(platform), " ", tag, " create version")
-			newVersion, _, err := client.Apps.CreateAppStoreVersion(ctx, asc.AppStoreVersionCreateRequestAttributes{
-				Platform:      platform,
-				VersionString: tag,
-			}, appID, buildID)
-			if err != nil {
-				return err
-			}
-			version = newVersion.Data
-
-		} else {
-			log.Info(string(platform), " ", tag, " check build")
-			currentBuild, response, err := client.Apps.GetBuildIDForAppStoreVersion(ctx, version.ID)
-			if err != nil {
-				return err
-			}
-			if response.StatusCode != http.StatusOK || currentBuild.Data.ID != *buildID {
-				switch *version.Attributes.AppStoreState {
-				case asc.AppStoreVersionStatePrepareForSubmission,
-					asc.AppStoreVersionStateRejected,
-					asc.AppStoreVersionStateDeveloperRejected:
-				case asc.AppStoreVersionStateWaitingForReview,
-					asc.AppStoreVersionStateInReview,
-					asc.AppStoreVersionStatePendingDeveloperRelease:
-					submission, _, err := client.Submission.GetAppStoreVersionSubmissionForAppStoreVersion(ctx, version.ID, nil)
-					if err != nil {
-						return err
-					}
-					if submission != nil {
-						log.Info(string(platform), " ", tag, " delete submission")
-						_, err = client.Submission.DeleteSubmission(ctx, submission.Data.ID)
-						if err != nil {
-							return err
-						}
-						time.Sleep(5 * time.Second)
-					}
-				default:
-					log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
-				}
-				log.Info(string(platform), " ", tag, " update build")
-				response, err = client.Apps.UpdateBuildForAppStoreVersion(ctx, version.ID, buildID)
-				if err != nil {
-					return err
-				}
-				if response.StatusCode != http.StatusNoContent {
-					response.Write(os.Stderr)
-					log.Fatal(string(platform), " ", tag, " unexpected response: ", response.Status)
-				}
-			} else {
-				switch *version.Attributes.AppStoreState {
-				case asc.AppStoreVersionStatePrepareForSubmission,
-					asc.AppStoreVersionStateRejected,
-					asc.AppStoreVersionStateDeveloperRejected:
-				case asc.AppStoreVersionStateWaitingForReview,
-					asc.AppStoreVersionStateInReview,
-					asc.AppStoreVersionStatePendingDeveloperRelease:
-					continue
-				default:
-					log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
-				}
-			}
-		}
-		log.Info(string(platform), " ", tag, " list localization")
-		localizations, _, err := client.Apps.ListLocalizationsForAppStoreVersion(ctx, version.ID, nil)
-		if err != nil {
-			return err
-		}
-		localization := common.Find(localizations.Data, func(it asc.AppStoreVersionLocalization) bool {
-			return *it.Attributes.Locale == "en-US"
-		})
-		if localization.ID == "" {
-			log.Info(string(platform), " ", tag, " no en-US localization found")
-		}
-		if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
-			log.Info(string(platform), " ", tag, " update localization")
-			_, _, err = client.Apps.UpdateAppStoreVersionLocalization(ctx, localization.ID, &asc.AppStoreVersionLocalizationUpdateRequestAttributes{
-				PromotionalText: common.Ptr("Yet another distribution for sing-box, the universal proxy platform."),
-				WhatsNew:        common.Ptr(F.ToString("sing-box ", tag, ": Fixes and improvements.")),
-			})
-			if err != nil {
-				return err
-			}
-		}
-		log.Info(string(platform), " ", tag, " create submission")
-	fixSubmit:
-		for {
-			_, response, err := client.Submission.CreateSubmission(ctx, version.ID)
-			if err != nil {
-				switch response.StatusCode {
-				case http.StatusInternalServerError:
-					continue
-				default:
-					return err
-				}
-			}
-			switch response.StatusCode {
-			case http.StatusCreated:
-				break fixSubmit
-			default:
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func publishAppStore(ctx context.Context) error {
-	tag, err := build_shared.ReadTag()
-	if err != nil {
-		return err
-	}
-	client := createClient(time.Minute)
-	for _, platform := range []asc.Platform{
-		asc.PlatformIOS,
-		asc.PlatformMACOS,
-		asc.PlatformTVOS,
-	} {
-		log.Info(string(platform), " list versions")
-		versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
-			FilterPlatform: []string{string(platform)},
-		})
-		if err != nil {
-			return err
-		}
-		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
-			return *it.Attributes.VersionString == tag
-		})
-		switch *version.Attributes.AppStoreState {
-		case asc.AppStoreVersionStatePrepareForSubmission, asc.AppStoreVersionStateDeveloperRejected:
-			log.Fatal(string(platform), " ", tag, " not submitted")
-		case asc.AppStoreVersionStateWaitingForReview,
-			asc.AppStoreVersionStateInReview:
-			log.Warn(string(platform), " ", tag, " waiting for review")
-			continue
-		case asc.AppStoreVersionStatePendingDeveloperRelease:
-		default:
-			log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
-		}
-		_, _, err = client.Publishing.CreatePhasedRelease(ctx, common.Ptr(asc.PhasedReleaseStateComplete), version.ID)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func isRetryable(response *asc.Response) bool {
-	if response == nil {
-		return false
-	}
-	switch response.StatusCode {
-	case http.StatusInternalServerError, http.StatusUnprocessableEntity:
-		return true
-	default:
-		return false
-	}
-}

cmd/internal/build_libbox/main.go

@@ -10,21 +10,17 @@ import (
 	_ "github.com/sagernet/gomobile"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
-	"github.com/sagernet/sing/common/shell"
 )
 
 var (
 	debugEnabled bool
 	target       string
-	platform     string
 )
 
 func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
-	flag.StringVar(&platform, "platform", "", "specify platform")
 }
 
 func main() {
@@ -35,8 +31,8 @@ func main() {
 	switch target {
 	case "android":
 		buildAndroid()
-	case "apple":
+	case "ios":
-		buildApple()
+		buildiOS()
 	}
 }
 
@@ -66,35 +62,9 @@ func init() {
 func buildAndroid() {
 	build_shared.FindSDK()
 
-	var javaPath string
-	javaHome := os.Getenv("JAVA_HOME")
-	if javaHome == "" {
-		javaPath = "java"
-	} else {
-		javaPath = filepath.Join(javaHome, "bin", "java")
-	}
-
-	javaVersion, err := shell.Exec(javaPath, "--version").ReadOutput()
-	if err != nil {
-		log.Fatal(E.Cause(err, "check java version"))
-	}
-	if !strings.Contains(javaVersion, "openjdk 17") {
-		log.Fatal("java version should be openjdk 17")
-	}
-
-	var bindTarget string
-	if platform != "" {
-		bindTarget = platform
-	} else if debugEnabled {
-		bindTarget = "android/arm64"
-	} else {
-		bindTarget = "android"
-	}
-
 	args := []string{
 		"bind",
 		"-v",
-		"-target", bindTarget,
 		"-androidapi", "21",
 		"-javapkg=io.nekohasekai",
 		"-libname=box",
@@ -116,7 +86,7 @@ func buildAndroid() {
 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr
-	err = command.Run()
+	err := command.Run()
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -133,20 +103,11 @@ func buildAndroid() {
 	}
 }
 
-func buildApple() {
+func buildiOS() {
-	var bindTarget string
-	if platform != "" {
-		bindTarget = platform
-	} else if debugEnabled {
-		bindTarget = "ios"
-	} else {
-		bindTarget = "ios,tvos,macos"
-	}
-
 	args := []string{
 		"bind",
 		"-v",
-		"-target", bindTarget,
+		"-target", "ios,iossimulator,tvos,tvossimulator,macos",
 		"-libname=box",
 	}
 	if !debugEnabled {

cmd/internal/build_shared/sdk.go

@@ -11,7 +11,9 @@ import (
 
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/sing/common/shell"
 )
 
 var (
@@ -40,6 +42,14 @@ func FindSDK() {
 		log.Fatal("android NDK not found")
 	}
 
+	javaVersion, err := shell.Exec("java", "--version").ReadOutput()
+	if err != nil {
+		log.Fatal(E.Cause(err, "check java version"))
+	}
+	if !strings.Contains(javaVersion, "openjdk 17") {
+		log.Fatal("java version should be openjdk 17")
+	}
+
 	os.Setenv("ANDROID_HOME", androidSDKPath)
 	os.Setenv("ANDROID_SDK_HOME", androidSDKPath)
 	os.Setenv("ANDROID_NDK_HOME", androidNDKPath)
@@ -48,16 +58,12 @@ func FindSDK() {
 }
 
 func findNDK() bool {
-	const fixedVersion = "28.0.12674087"
+	const fixedVersion = "26.2.11394342"
 	const versionFile = "source.properties"
 	if fixedPath := filepath.Join(androidSDKPath, "ndk", fixedVersion); rw.IsFile(filepath.Join(fixedPath, versionFile)) {
 		androidNDKPath = fixedPath
 		return true
 	}
-	if ndkHomeEnv := os.Getenv("ANDROID_NDK_HOME"); rw.IsFile(filepath.Join(ndkHomeEnv, versionFile)) {
-		androidNDKPath = ndkHomeEnv
-		return true
-	}
 	ndkVersions, err := os.ReadDir(filepath.Join(androidSDKPath, "ndk"))
 	if err != nil {
 		return false

cmd/internal/build_shared/tag.go

@@ -20,11 +20,6 @@ func ReadTag() (string, error) {
 	return version.String() + "-" + shortCommit, nil
 }
 
-func ReadTagVersionRev() (badversion.Version, error) {
-	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())
-	return badversion.Parse(currentTagRev[1:]), nil
-}
-
 func ReadTagVersion() (badversion.Version, error) {
 	currentTag := common.Must1(shell.Exec("git", "describe", "--tags").ReadOutput())
 	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())

cmd/internal/read_tag/main.go

@@ -1,62 +1,21 @@
 package main
 
 import (
-	"flag"
 	"os"
 
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 )
 
-var nightly bool
-
-func init() {
-	flag.BoolVar(&nightly, "nightly", false, "Print nightly tag")
-}
-
 func main() {
-	flag.Parse()
+	currentTag, err := build_shared.ReadTag()
-	if nightly {
+	if err != nil {
-		version, err := build_shared.ReadTagVersionRev()
+		log.Error(err)
-		if err != nil {
+		_, err = os.Stdout.WriteString("unknown\n")
-			log.Fatal(err)
-		}
-		var versionStr string
-		if version.PreReleaseIdentifier != "" {
-			versionStr = version.VersionString() + "-nightly"
-		} else {
-			version.Patch++
-			versionStr = version.VersionString() + "-nightly"
-		}
-		err = setGitHubEnv("version", versionStr)
-		if err != nil {
-			log.Fatal(err)
-		}
 	} else {
-		tag, err := build_shared.ReadTag()
+		_, err = os.Stdout.WriteString(currentTag + "\n")
-		if err != nil {
+	}
-			log.Error(err)
+	if err != nil {
-			os.Stdout.WriteString("unknown\n")
+		log.Error(err)
-		} else {
-			os.Stdout.WriteString(tag + "\n")
-		}
 	}
 }
-
-func setGitHubEnv(name string, value string) error {
-	outputFile, err := os.OpenFile(os.Getenv("GITHUB_ENV"), os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o644)
-	if err != nil {
-		return err
-	}
-	_, err = outputFile.WriteString(name + "=" + value + "\n")
-	if err != nil {
-		outputFile.Close()
-		return err
-	}
-	err = outputFile.Close()
-	if err != nil {
-		return err
-	}
-	os.Stderr.WriteString(name + "=" + value + "\n")
-	return nil
-}

cmd/internal/update_android_version/main.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"flag"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -13,22 +12,9 @@ import (
 	"github.com/sagernet/sing/common"
 )
 
-var flagRunInCI bool
-
-func init() {
-	flag.BoolVar(&flagRunInCI, "ci", false, "Run in CI")
-}
-
 func main() {
-	flag.Parse()
+	newVersion := common.Must1(build_shared.ReadTagVersion())
-	newVersion := common.Must1(build_shared.ReadTag())
+	androidPath, err := filepath.Abs("../sing-box-for-android")
-	var androidPath string
-	if flagRunInCI {
-		androidPath = "clients/android"
-	} else {
-		androidPath = "../sing-box-for-android"
-	}
-	androidPath, err := filepath.Abs(androidPath)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -45,10 +31,10 @@ func main() {
 	for _, propPair := range propsList {
 		switch propPair[0] {
 		case "VERSION_NAME":
-			if propPair[1] != newVersion {
+			if propPair[1] != newVersion.String() {
 				versionUpdated = true
-				propPair[1] = newVersion
+				propPair[1] = newVersion.String()
-				log.Info("updated version to ", newVersion)
+				log.Info("updated version to ", newVersion.String())
 			}
 		case "GO_VERSION":
 			if propPair[1] != runtime.Version() {

cmd/internal/update_apple_version/main.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"flag"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -14,22 +13,9 @@ import (
 	"howett.net/plist"
 )
 
-var flagRunInCI bool
-
-func init() {
-	flag.BoolVar(&flagRunInCI, "ci", false, "Run in CI")
-}
-
 func main() {
-	flag.Parse()
 	newVersion := common.Must1(build_shared.ReadTagVersion())
-	var applePath string
+	applePath, err := filepath.Abs("../sing-box-for-apple")
-	if flagRunInCI {
-		applePath = "clients/apple"
-	} else {
-		applePath = "../sing-box-for-apple"
-	}
-	applePath, err := filepath.Abs(applePath)
 	if err != nil {
 		log.Fatal(err)
 	}

cmd/sing-box/cmd_merge.go

@@ -18,7 +18,7 @@ import (
 )
 
 var commandMerge = &cobra.Command{
-	Use:   "merge <output-path>",
+	Use:   "merge <output>",
 	Short: "Merge configurations",
 	Run: func(cmd *cobra.Command, args []string) {
 		err := merge(args[0])

cmd/sing-box/cmd_rule_set_merge.go

@@ -1,162 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"io"
-	"os"
-	"path/filepath"
-	"sort"
-	"strings"
-
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json"
-	"github.com/sagernet/sing/common/json/badjson"
-	"github.com/sagernet/sing/common/rw"
-
-	"github.com/spf13/cobra"
-)
-
-var (
-	ruleSetPaths       []string
-	ruleSetDirectories []string
-)
-
-var commandRuleSetMerge = &cobra.Command{
-	Use:   "merge <output-path>",
-	Short: "Merge rule-set source files",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := mergeRuleSet(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.ExactArgs(1),
-}
-
-func init() {
-	commandRuleSetMerge.Flags().StringArrayVarP(&ruleSetPaths, "config", "c", nil, "set input rule-set file path")
-	commandRuleSetMerge.Flags().StringArrayVarP(&ruleSetDirectories, "config-directory", "C", nil, "set input rule-set directory path")
-	commandRuleSet.AddCommand(commandRuleSetMerge)
-}
-
-type RuleSetEntry struct {
-	content []byte
-	path    string
-	options option.PlainRuleSetCompat
-}
-
-func readRuleSetAt(path string) (*RuleSetEntry, error) {
-	var (
-		configContent []byte
-		err           error
-	)
-	if path == "stdin" {
-		configContent, err = io.ReadAll(os.Stdin)
-	} else {
-		configContent, err = os.ReadFile(path)
-	}
-	if err != nil {
-		return nil, E.Cause(err, "read config at ", path)
-	}
-	options, err := json.UnmarshalExtendedContext[option.PlainRuleSetCompat](globalCtx, configContent)
-	if err != nil {
-		return nil, E.Cause(err, "decode config at ", path)
-	}
-	return &RuleSetEntry{
-		content: configContent,
-		path:    path,
-		options: options,
-	}, nil
-}
-
-func readRuleSet() ([]*RuleSetEntry, error) {
-	var optionsList []*RuleSetEntry
-	for _, path := range ruleSetPaths {
-		optionsEntry, err := readRuleSetAt(path)
-		if err != nil {
-			return nil, err
-		}
-		optionsList = append(optionsList, optionsEntry)
-	}
-	for _, directory := range ruleSetDirectories {
-		entries, err := os.ReadDir(directory)
-		if err != nil {
-			return nil, E.Cause(err, "read rule-set directory at ", directory)
-		}
-		for _, entry := range entries {
-			if !strings.HasSuffix(entry.Name(), ".json") || entry.IsDir() {
-				continue
-			}
-			optionsEntry, err := readRuleSetAt(filepath.Join(directory, entry.Name()))
-			if err != nil {
-				return nil, err
-			}
-			optionsList = append(optionsList, optionsEntry)
-		}
-	}
-	sort.Slice(optionsList, func(i, j int) bool {
-		return optionsList[i].path < optionsList[j].path
-	})
-	return optionsList, nil
-}
-
-func readRuleSetAndMerge() (option.PlainRuleSetCompat, error) {
-	optionsList, err := readRuleSet()
-	if err != nil {
-		return option.PlainRuleSetCompat{}, err
-	}
-	if len(optionsList) == 1 {
-		return optionsList[0].options, nil
-	}
-	var optionVersion uint8
-	for _, options := range optionsList {
-		if optionVersion < options.options.Version {
-			optionVersion = options.options.Version
-		}
-	}
-	var mergedMessage json.RawMessage
-	for _, options := range optionsList {
-		mergedMessage, err = badjson.MergeJSON(globalCtx, options.options.RawMessage, mergedMessage, false)
-		if err != nil {
-			return option.PlainRuleSetCompat{}, E.Cause(err, "merge config at ", options.path)
-		}
-	}
-	mergedOptions, err := json.UnmarshalExtendedContext[option.PlainRuleSetCompat](globalCtx, mergedMessage)
-	if err != nil {
-		return option.PlainRuleSetCompat{}, E.Cause(err, "unmarshal merged config")
-	}
-	mergedOptions.Version = optionVersion
-	return mergedOptions, nil
-}
-
-func mergeRuleSet(outputPath string) error {
-	mergedOptions, err := readRuleSetAndMerge()
-	if err != nil {
-		return err
-	}
-	buffer := new(bytes.Buffer)
-	encoder := json.NewEncoder(buffer)
-	encoder.SetIndent("", "  ")
-	err = encoder.Encode(mergedOptions)
-	if err != nil {
-		return E.Cause(err, "encode config")
-	}
-	if existsContent, err := os.ReadFile(outputPath); err != nil {
-		if string(existsContent) == buffer.String() {
-			return nil
-		}
-	}
-	err = rw.MkdirParent(outputPath)
-	if err != nil {
-		return err
-	}
-	err = os.WriteFile(outputPath, buffer.Bytes(), 0o644)
-	if err != nil {
-		return err
-	}
-	outputPath, _ = filepath.Abs(outputPath)
-	os.Stderr.WriteString(outputPath + "\n")
-	return nil
-}

cmd/sing-box/cmd_tools.go

@@ -30,7 +30,7 @@ func createPreStartedClient() (*box.Box, error) {
 			return nil, err
 		}
 	}
-	instance, err := box.New(box.Options{Context: globalCtx, Options: options})
+	instance, err := box.New(box.Options{Options: options})
 	if err != nil {
 		return nil, E.Cause(err, "create service")
 	}

cmd/sing-box/cmd_tools_fetch_http3.go

@@ -21,7 +21,7 @@ func initializeHTTP3Client(instance *box.Box) error {
 		return err
 	}
 	http3Client = &http.Client{
-		Transport: &http3.Transport{
+		Transport: &http3.RoundTripper{
 			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 				destination := M.ParseSocksaddr(addr)
 				udpConn, dErr := dialer.DialContext(ctx, N.NetworkUDP, destination)

common/conntrack/conn.go

@@ -0,0 +1,54 @@
+package conntrack
+
+import (
+	"io"
+	"net"
+
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type Conn struct {
+	net.Conn
+	element *list.Element[io.Closer]
+}
+
+func NewConn(conn net.Conn) (net.Conn, error) {
+	connAccess.Lock()
+	element := openConnection.PushBack(conn)
+	connAccess.Unlock()
+	if KillerEnabled {
+		err := KillerCheck()
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
+	return &Conn{
+		Conn:    conn,
+		element: element,
+	}, nil
+}
+
+func (c *Conn) Close() error {
+	if c.element.Value != nil {
+		connAccess.Lock()
+		if c.element.Value != nil {
+			openConnection.Remove(c.element)
+			c.element.Value = nil
+		}
+		connAccess.Unlock()
+	}
+	return c.Conn.Close()
+}
+
+func (c *Conn) Upstream() any {
+	return c.Conn
+}
+
+func (c *Conn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *Conn) WriterReplaceable() bool {
+	return true
+}

common/conntrack/context.go

@@ -1,14 +0,0 @@
-package conntrack
-
-import (
-	"context"
-
-	"github.com/sagernet/sing/service"
-)
-
-func ContextWithDefaultTracker(ctx context.Context, killerEnabled bool, memoryLimit uint64) context.Context {
-	if service.FromContext[Tracker](ctx) != nil {
-		return ctx
-	}
-	return service.ContextWith[Tracker](ctx, NewDefaultTracker(killerEnabled, memoryLimit))
-}

common/conntrack/default.go

@@ -1,245 +0,0 @@
-package conntrack
-
-import (
-	"net"
-	"net/netip"
-	runtimeDebug "runtime/debug"
-	"sync"
-	"time"
-
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/memory"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/x/list"
-)
-
-var _ Tracker = (*DefaultTracker)(nil)
-
-type DefaultTracker struct {
-	connAccess  sync.RWMutex
-	connList    list.List[net.Conn]
-	connAddress map[netip.AddrPort]netip.AddrPort
-
-	packetConnAccess  sync.RWMutex
-	packetConnList    list.List[AbstractPacketConn]
-	packetConnAddress map[netip.AddrPort]bool
-
-	pendingAccess sync.RWMutex
-	pendingList   list.List[netip.AddrPort]
-
-	killerEnabled   bool
-	memoryLimit     uint64
-	killerLastCheck time.Time
-}
-
-func NewDefaultTracker(killerEnabled bool, memoryLimit uint64) *DefaultTracker {
-	return &DefaultTracker{
-		connAddress:       make(map[netip.AddrPort]netip.AddrPort),
-		packetConnAddress: make(map[netip.AddrPort]bool),
-		killerEnabled:     killerEnabled,
-		memoryLimit:       memoryLimit,
-	}
-}
-
-func (t *DefaultTracker) NewConn(conn net.Conn) (net.Conn, error) {
-	err := t.KillerCheck()
-	if err != nil {
-		conn.Close()
-		return nil, err
-	}
-	t.connAccess.Lock()
-	element := t.connList.PushBack(conn)
-	t.connAddress[M.AddrPortFromNet(conn.LocalAddr())] = M.AddrPortFromNet(conn.RemoteAddr())
-	t.connAccess.Unlock()
-	return &Conn{
-		Conn: conn,
-		closeFunc: common.OnceFunc(func() {
-			t.removeConn(element)
-		}),
-	}, nil
-}
-
-func (t *DefaultTracker) NewConnEx(conn net.Conn) (N.CloseHandlerFunc, error) {
-	err := t.KillerCheck()
-	if err != nil {
-		conn.Close()
-		return nil, err
-	}
-	t.connAccess.Lock()
-	element := t.connList.PushBack(conn)
-	t.connAddress[M.AddrPortFromNet(conn.LocalAddr())] = M.AddrPortFromNet(conn.RemoteAddr())
-	t.connAccess.Unlock()
-	return N.OnceClose(func(it error) {
-		t.removeConn(element)
-	}), nil
-}
-
-func (t *DefaultTracker) NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
-	err := t.KillerCheck()
-	if err != nil {
-		conn.Close()
-		return nil, err
-	}
-	t.packetConnAccess.Lock()
-	element := t.packetConnList.PushBack(conn)
-	t.packetConnAddress[M.AddrPortFromNet(conn.LocalAddr())] = true
-	t.packetConnAccess.Unlock()
-	return &PacketConn{
-		PacketConn: conn,
-		closeFunc: common.OnceFunc(func() {
-			t.removePacketConn(element)
-		}),
-	}, nil
-}
-
-func (t *DefaultTracker) NewPacketConnEx(conn AbstractPacketConn) (N.CloseHandlerFunc, error) {
-	err := t.KillerCheck()
-	if err != nil {
-		conn.Close()
-		return nil, err
-	}
-	t.packetConnAccess.Lock()
-	element := t.packetConnList.PushBack(conn)
-	t.packetConnAddress[M.AddrPortFromNet(conn.LocalAddr())] = true
-	t.packetConnAccess.Unlock()
-	return N.OnceClose(func(it error) {
-		t.removePacketConn(element)
-	}), nil
-}
-
-func (t *DefaultTracker) CheckConn(source netip.AddrPort, destination netip.AddrPort) bool {
-	t.connAccess.RLock()
-	defer t.connAccess.RUnlock()
-	return t.connAddress[source] == destination
-}
-
-func (t *DefaultTracker) CheckPacketConn(source netip.AddrPort) bool {
-	t.packetConnAccess.RLock()
-	defer t.packetConnAccess.RUnlock()
-	return t.packetConnAddress[source]
-}
-
-func (t *DefaultTracker) AddPendingDestination(destination netip.AddrPort) func() {
-	t.pendingAccess.Lock()
-	defer t.pendingAccess.Unlock()
-	element := t.pendingList.PushBack(destination)
-	return func() {
-		t.pendingAccess.Lock()
-		defer t.pendingAccess.Unlock()
-		t.pendingList.Remove(element)
-	}
-}
-
-func (t *DefaultTracker) CheckDestination(destination netip.AddrPort) bool {
-	t.pendingAccess.RLock()
-	defer t.pendingAccess.RUnlock()
-	for element := t.pendingList.Front(); element != nil; element = element.Next() {
-		if element.Value == destination {
-			return true
-		}
-	}
-	return false
-}
-
-func (t *DefaultTracker) KillerCheck() error {
-	if !t.killerEnabled {
-		return nil
-	}
-	nowTime := time.Now()
-	if nowTime.Sub(t.killerLastCheck) < 3*time.Second {
-		return nil
-	}
-	t.killerLastCheck = nowTime
-	if memory.Total() > t.memoryLimit {
-		t.Close()
-		go func() {
-			time.Sleep(time.Second)
-			runtimeDebug.FreeOSMemory()
-		}()
-		return E.New("out of memory")
-	}
-	return nil
-}
-
-func (t *DefaultTracker) Count() int {
-	t.connAccess.RLock()
-	defer t.connAccess.RUnlock()
-	t.packetConnAccess.RLock()
-	defer t.packetConnAccess.RUnlock()
-	return t.connList.Len() + t.packetConnList.Len()
-}
-
-func (t *DefaultTracker) Close() {
-	t.connAccess.Lock()
-	for element := t.connList.Front(); element != nil; element = element.Next() {
-		element.Value.Close()
-	}
-	t.connList.Init()
-	t.connAccess.Unlock()
-	t.packetConnAccess.Lock()
-	for element := t.packetConnList.Front(); element != nil; element = element.Next() {
-		element.Value.Close()
-	}
-	t.packetConnList.Init()
-	t.packetConnAccess.Unlock()
-}
-
-func (t *DefaultTracker) removeConn(element *list.Element[net.Conn]) {
-	t.connAccess.Lock()
-	defer t.connAccess.Unlock()
-	delete(t.connAddress, M.AddrPortFromNet(element.Value.LocalAddr()))
-	t.connList.Remove(element)
-}
-
-func (t *DefaultTracker) removePacketConn(element *list.Element[AbstractPacketConn]) {
-	t.packetConnAccess.Lock()
-	defer t.packetConnAccess.Unlock()
-	delete(t.packetConnAddress, M.AddrPortFromNet(element.Value.LocalAddr()))
-	t.packetConnList.Remove(element)
-}
-
-type Conn struct {
-	net.Conn
-	closeFunc func()
-}
-
-func (c *Conn) Close() error {
-	c.closeFunc()
-	return c.Conn.Close()
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-func (c *Conn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *Conn) WriterReplaceable() bool {
-	return true
-}
-
-type PacketConn struct {
-	net.PacketConn
-	closeFunc func()
-}
-
-func (c *PacketConn) Close() error {
-	c.closeFunc()
-	return c.PacketConn.Close()
-}
-
-func (c *PacketConn) Upstream() any {
-	return c.PacketConn
-}
-
-func (c *PacketConn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) WriterReplaceable() bool {
-	return true
-}

common/conntrack/killer.go

@@ -0,0 +1,35 @@
+package conntrack
+
+import (
+	runtimeDebug "runtime/debug"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/memory"
+)
+
+var (
+	KillerEnabled   bool
+	MemoryLimit     uint64
+	killerLastCheck time.Time
+)
+
+func KillerCheck() error {
+	if !KillerEnabled {
+		return nil
+	}
+	nowTime := time.Now()
+	if nowTime.Sub(killerLastCheck) < 3*time.Second {
+		return nil
+	}
+	killerLastCheck = nowTime
+	if memory.Total() > MemoryLimit {
+		Close()
+		go func() {
+			time.Sleep(time.Second)
+			runtimeDebug.FreeOSMemory()
+		}()
+		return E.New("out of memory")
+	}
+	return nil
+}

common/conntrack/packet_conn.go

@@ -0,0 +1,55 @@
+package conntrack
+
+import (
+	"io"
+	"net"
+
+	"github.com/sagernet/sing/common/bufio"
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type PacketConn struct {
+	net.PacketConn
+	element *list.Element[io.Closer]
+}
+
+func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
+	connAccess.Lock()
+	element := openConnection.PushBack(conn)
+	connAccess.Unlock()
+	if KillerEnabled {
+		err := KillerCheck()
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
+	return &PacketConn{
+		PacketConn: conn,
+		element:    element,
+	}, nil
+}
+
+func (c *PacketConn) Close() error {
+	if c.element.Value != nil {
+		connAccess.Lock()
+		if c.element.Value != nil {
+			openConnection.Remove(c.element)
+			c.element.Value = nil
+		}
+		connAccess.Unlock()
+	}
+	return c.PacketConn.Close()
+}
+
+func (c *PacketConn) Upstream() any {
+	return bufio.NewPacketConn(c.PacketConn)
+}
+
+func (c *PacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *PacketConn) WriterReplaceable() bool {
+	return true
+}

common/conntrack/track.go

@@ -0,0 +1,47 @@
+package conntrack
+
+import (
+	"io"
+	"sync"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/x/list"
+)
+
+var (
+	connAccess     sync.RWMutex
+	openConnection list.List[io.Closer]
+)
+
+func Count() int {
+	if !Enabled {
+		return 0
+	}
+	return openConnection.Len()
+}
+
+func List() []io.Closer {
+	if !Enabled {
+		return nil
+	}
+	connAccess.RLock()
+	defer connAccess.RUnlock()
+	connList := make([]io.Closer, 0, openConnection.Len())
+	for element := openConnection.Front(); element != nil; element = element.Next() {
+		connList = append(connList, element.Value)
+	}
+	return connList
+}
+
+func Close() {
+	if !Enabled {
+		return
+	}
+	connAccess.Lock()
+	defer connAccess.Unlock()
+	for element := openConnection.Front(); element != nil; element = element.Next() {
+		common.Close(element.Value)
+		element.Value = nil
+	}
+	openConnection.Init()
+}

common/conntrack/track_disable.go

@@ -0,0 +1,5 @@
+//go:build !with_conntrack
+
+package conntrack
+
+const Enabled = false

common/conntrack/track_enable.go

@@ -0,0 +1,5 @@
+//go:build with_conntrack
+
+package conntrack
+
+const Enabled = true

common/conntrack/tracker.go

@@ -1,32 +0,0 @@
-package conntrack
-
-import (
-	"net"
-	"net/netip"
-	"time"
-
-	N "github.com/sagernet/sing/common/network"
-)
-
-// TODO: add to N
-type AbstractPacketConn interface {
-	Close() error
-	LocalAddr() net.Addr
-	SetDeadline(t time.Time) error
-	SetReadDeadline(t time.Time) error
-	SetWriteDeadline(t time.Time) error
-}
-
-type Tracker interface {
-	NewConn(conn net.Conn) (net.Conn, error)
-	NewPacketConn(conn net.PacketConn) (net.PacketConn, error)
-	NewConnEx(conn net.Conn) (N.CloseHandlerFunc, error)
-	NewPacketConnEx(conn AbstractPacketConn) (N.CloseHandlerFunc, error)
-	CheckConn(source netip.AddrPort, destination netip.AddrPort) bool
-	CheckPacketConn(source netip.AddrPort) bool
-	AddPendingDestination(destination netip.AddrPort) func()
-	CheckDestination(destination netip.AddrPort) bool
-	KillerCheck() error
-	Count() int
-	Close()
-}

common/dialer/default.go

@@ -2,16 +2,13 @@ package dialer
 
 import (
 	"context"
-	"errors"
 	"net"
 	"net/netip"
-	"syscall"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/conntrack"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/atomic"
@@ -19,7 +16,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 )
 
 var (
@@ -28,38 +24,31 @@ var (
 )
 
 type DefaultDialer struct {
-	tracker                conntrack.Tracker
+	dialer4              tcpDialer
-	dialer4                tcpDialer
+	dialer6              tcpDialer
-	dialer6                tcpDialer
+	udpDialer4           net.Dialer
-	udpDialer4             net.Dialer
+	udpDialer6           net.Dialer
-	udpDialer6             net.Dialer
+	udpListener          net.ListenConfig
-	udpListener            net.ListenConfig
+	udpAddr4             string
-	udpAddr4               string
+	udpAddr6             string
-	udpAddr6               string
+	isWireGuardListener  bool
-	isWireGuardListener    bool
+	networkManager       adapter.NetworkManager
-	networkManager         adapter.NetworkManager
+	networkStrategy      C.NetworkStrategy
-	networkStrategy        *C.NetworkStrategy
+	networkType          []C.InterfaceType
-	defaultNetworkStrategy bool
+	fallbackNetworkType  []C.InterfaceType
-	networkType            []C.InterfaceType
+	networkFallbackDelay time.Duration
-	fallbackNetworkType    []C.InterfaceType
+	networkLastFallback  atomic.TypedValue[time.Time]
-	networkFallbackDelay   time.Duration
-	networkLastFallback    atomic.TypedValue[time.Time]
 }
 
-func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
+func NewDefault(networkManager adapter.NetworkManager, options option.DialerOptions) (*DefaultDialer, error) {
-	tracker := service.FromContext[conntrack.Tracker](ctx)
-	networkManager := service.FromContext[adapter.NetworkManager](ctx)
-	platformInterface := service.FromContext[platform.Interface](ctx)
-
 	var (
-		dialer                 net.Dialer
+		dialer               net.Dialer
-		listener               net.ListenConfig
+		listener             net.ListenConfig
-		interfaceFinder        control.InterfaceFinder
+		interfaceFinder      control.InterfaceFinder
-		networkStrategy        *C.NetworkStrategy
+		networkStrategy      C.NetworkStrategy
-		defaultNetworkStrategy bool
+		networkType          []C.InterfaceType
-		networkType            []C.InterfaceType
+		fallbackNetworkType  []C.InterfaceType
-		fallbackNetworkType    []C.InterfaceType
+		networkFallbackDelay time.Duration
-		networkFallbackDelay   time.Duration
 	)
 	if networkManager != nil {
 		interfaceFinder = networkManager.InterfaceFinder()
@@ -85,52 +74,39 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 			listener.Control = control.Append(listener.Control, control.RoutingMark(autoRedirectOutputMark))
 		}
 	}
-	disableDefaultBind := options.BindInterface != "" || options.Inet4BindAddress != nil || options.Inet6BindAddress != nil
+	if C.NetworkStrategy(options.NetworkStrategy) != C.NetworkStrategyDefault {
-	if disableDefaultBind || options.TCPFastOpen {
+		if options.BindInterface != "" || options.Inet4BindAddress != nil || options.Inet6BindAddress != nil {
-		if options.NetworkStrategy != nil || len(options.NetworkType) > 0 && options.FallbackNetworkType == nil && options.FallbackDelay == 0 {
+			return nil, E.New("`network_strategy` is conflict with `bind_interface`, `inet4_bind_address` and `inet6_bind_address`")
-			return nil, E.New("`network_strategy` is conflict with `bind_interface`, `inet4_bind_address`, `inet6_bind_address` and `tcp_fast_open`")
+		}
+		networkStrategy = C.NetworkStrategy(options.NetworkStrategy)
+		networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
+		fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
+		networkFallbackDelay = time.Duration(options.NetworkFallbackDelay)
+		if networkManager == nil || !networkManager.AutoDetectInterface() {
+			return nil, E.New("`route.auto_detect_interface` is require by `network_strategy`")
 		}
 	}
-
+	if networkManager != nil && options.BindInterface == "" && options.Inet4BindAddress == nil && options.Inet6BindAddress == nil {
-	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if !disableDefaultBind {
+		if defaultOptions.BindInterface != "" {
-			if defaultOptions.BindInterface != "" {
+			bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
-				bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
+			dialer.Control = control.Append(dialer.Control, bindFunc)
+			listener.Control = control.Append(listener.Control, bindFunc)
+		} else if networkManager.AutoDetectInterface() {
+			if defaultOptions.NetworkStrategy != C.NetworkStrategyDefault && C.NetworkStrategy(options.NetworkStrategy) == C.NetworkStrategyDefault {
+				networkStrategy = defaultOptions.NetworkStrategy
+				networkType = defaultOptions.NetworkType
+				fallbackNetworkType = defaultOptions.FallbackNetworkType
+				networkFallbackDelay = defaultOptions.FallbackDelay
+				bindFunc := networkManager.ProtectFunc()
+				dialer.Control = control.Append(dialer.Control, bindFunc)
+				listener.Control = control.Append(listener.Control, bindFunc)
+			} else {
+				bindFunc := networkManager.AutoDetectInterfaceFunc()
 				dialer.Control = control.Append(dialer.Control, bindFunc)
 				listener.Control = control.Append(listener.Control, bindFunc)
-			} else if networkManager.AutoDetectInterface() {
-				if platformInterface != nil {
-					networkStrategy = (*C.NetworkStrategy)(options.NetworkStrategy)
-					if networkStrategy == nil {
-						networkStrategy = common.Ptr(C.NetworkStrategyDefault)
-						defaultNetworkStrategy = true
-					}
-					networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
-					fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
-					if networkStrategy == nil && len(networkType) == 0 && len(fallbackNetworkType) == 0 {
-						networkStrategy = defaultOptions.NetworkStrategy
-						networkType = defaultOptions.NetworkType
-						fallbackNetworkType = defaultOptions.FallbackNetworkType
-					}
-					networkFallbackDelay = time.Duration(options.FallbackDelay)
-					if networkFallbackDelay == 0 && defaultOptions.FallbackDelay != 0 {
-						networkFallbackDelay = defaultOptions.FallbackDelay
-					}
-					bindFunc := networkManager.ProtectFunc()
-					dialer.Control = control.Append(dialer.Control, bindFunc)
-					listener.Control = control.Append(listener.Control, bindFunc)
-				} else {
-					bindFunc := networkManager.AutoDetectInterfaceFunc()
-					dialer.Control = control.Append(dialer.Control, bindFunc)
-					listener.Control = control.Append(listener.Control, bindFunc)
-				}
 			}
 		}
-		if options.RoutingMark == 0 && defaultOptions.RoutingMark != 0 {
-			dialer.Control = control.Append(dialer.Control, control.RoutingMark(defaultOptions.RoutingMark))
-			listener.Control = control.Append(listener.Control, control.RoutingMark(defaultOptions.RoutingMark))
-		}
 	}
 	if options.ReuseAddr {
 		listener.Control = control.Append(listener.Control, control.ReuseAddr())
@@ -190,6 +166,9 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 			listener.Control = control.Append(listener.Control, controlFn)
 		}
 	}
+	if networkStrategy != C.NetworkStrategyDefault && options.TCPFastOpen {
+		return nil, E.New("`tcp_fast_open` is conflict with `network_strategy` or `route.default_network_strategy`")
+	}
 	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
 	if err != nil {
 		return nil, err
@@ -199,21 +178,19 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		return nil, err
 	}
 	return &DefaultDialer{
-		tracker:                tracker,
+		dialer4:              tcpDialer4,
-		dialer4:                tcpDialer4,
+		dialer6:              tcpDialer6,
-		dialer6:                tcpDialer6,
+		udpDialer4:           udpDialer4,
-		udpDialer4:             udpDialer4,
+		udpDialer6:           udpDialer6,
-		udpDialer6:             udpDialer6,
+		udpListener:          listener,
-		udpListener:            listener,
+		udpAddr4:             udpAddr4,
-		udpAddr4:               udpAddr4,
+		udpAddr6:             udpAddr6,
-		udpAddr6:               udpAddr6,
+		isWireGuardListener:  options.IsWireGuardListener,
-		isWireGuardListener:    options.IsWireGuardListener,
+		networkManager:       networkManager,
-		networkManager:         networkManager,
+		networkStrategy:      networkStrategy,
-		networkStrategy:        networkStrategy,
+		networkType:          networkType,
-		defaultNetworkStrategy: defaultNetworkStrategy,
+		fallbackNetworkType:  fallbackNetworkType,
-		networkType:            networkType,
+		networkFallbackDelay: networkFallbackDelay,
-		fallbackNetworkType:    fallbackNetworkType,
-		networkFallbackDelay:   networkFallbackDelay,
 	}, nil
 }
 
@@ -221,48 +198,31 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 	if !address.IsValid() {
 		return nil, E.New("invalid address")
 	}
-	if d.networkStrategy == nil {
+	if d.networkStrategy == C.NetworkStrategyDefault {
-		if address.IsFqdn() {
-			return nil, E.New("unexpected domain destination")
-		}
-		// Since pending check is only used by ndis, it is not performed for non-windows connections which are only supported on platform clients
-		if d.tracker != nil {
-			done := d.tracker.AddPendingDestination(address.AddrPort())
-			defer done()
-		}
 		switch N.NetworkName(network) {
 		case N.NetworkUDP:
 			if !address.IsIPv6() {
-				return d.trackConn(d.udpDialer4.DialContext(ctx, network, address.String()))
+				return trackConn(d.udpDialer4.DialContext(ctx, network, address.String()))
 			} else {
-				return d.trackConn(d.udpDialer6.DialContext(ctx, network, address.String()))
+				return trackConn(d.udpDialer6.DialContext(ctx, network, address.String()))
 			}
 		}
 		if !address.IsIPv6() {
-			return d.trackConn(DialSlowContext(&d.dialer4, ctx, network, address))
+			return trackConn(DialSlowContext(&d.dialer4, ctx, network, address))
 		} else {
-			return d.trackConn(DialSlowContext(&d.dialer6, ctx, network, address))
+			return trackConn(DialSlowContext(&d.dialer6, ctx, network, address))
 		}
 	} else {
 		return d.DialParallelInterface(ctx, network, address, d.networkStrategy, d.networkType, d.fallbackNetworkType, d.networkFallbackDelay)
 	}
 }
 
-func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network string, address M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network string, address M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
-	if strategy == nil {
+	if strategy == C.NetworkStrategyDefault {
-		strategy = d.networkStrategy
-	}
-	if strategy == nil {
 		return d.DialContext(ctx, network, address)
 	}
-	if len(interfaceType) == 0 {
+	if !d.networkManager.AutoDetectInterface() {
-		interfaceType = d.networkType
+		return nil, E.New("`route.auto_detect_interface` is require by `network_strategy`")
-	}
-	if len(fallbackInterfaceType) == 0 {
-		fallbackInterfaceType = d.fallbackNetworkType
-	}
-	if fallbackDelay == 0 {
-		fallbackDelay = d.networkFallbackDelay
 	}
 	var dialer net.Dialer
 	if N.NetworkName(network) == N.NetworkTCP {
@@ -277,86 +237,61 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 		err       error
 	)
 	if !fastFallback {
-		conn, isPrimary, err = d.dialParallelInterface(ctx, dialer, network, address.String(), *strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
+		conn, isPrimary, err = d.dialParallelInterface(ctx, dialer, network, address.String(), strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	} else {
-		conn, isPrimary, err = d.dialParallelInterfaceFastFallback(ctx, dialer, network, address.String(), *strategy, interfaceType, fallbackInterfaceType, fallbackDelay, d.networkLastFallback.Store)
+		conn, isPrimary, err = d.dialParallelInterfaceFastFallback(ctx, dialer, network, address.String(), strategy, interfaceType, fallbackInterfaceType, fallbackDelay, d.networkLastFallback.Store)
 	}
 	if err != nil {
-		// bind interface failed on legacy xiaomi systems
+		return nil, err
-		if d.defaultNetworkStrategy && errors.Is(err, syscall.EPERM) {
-			d.networkStrategy = nil
-			return d.DialContext(ctx, network, address)
-		} else {
-			return nil, err
-		}
 	}
 	if !fastFallback && !isPrimary {
 		d.networkLastFallback.Store(time.Now())
 	}
-	return d.trackConn(conn, nil)
+	return trackConn(conn, nil)
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if d.networkStrategy == nil {
+	if d.networkStrategy == C.NetworkStrategyDefault {
 		if destination.IsIPv6() {
-			return d.trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
+			return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
 		} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
-			return d.trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP+"4", d.udpAddr4))
+			return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP+"4", d.udpAddr4))
 		} else {
-			return d.trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
+			return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
 		}
 	} else {
 		return d.ListenSerialInterfacePacket(ctx, destination, d.networkStrategy, d.networkType, d.fallbackNetworkType, d.networkFallbackDelay)
 	}
 }
 
-func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
+func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
-	if strategy == nil {
+	if strategy == C.NetworkStrategyDefault {
-		strategy = d.networkStrategy
-	}
-	if strategy == nil {
 		return d.ListenPacket(ctx, destination)
 	}
-	if len(interfaceType) == 0 {
+	if !d.networkManager.AutoDetectInterface() {
-		interfaceType = d.networkType
+		return nil, E.New("`route.auto_detect_interface` is require by `network_strategy`")
-	}
-	if len(fallbackInterfaceType) == 0 {
-		fallbackInterfaceType = d.fallbackNetworkType
-	}
-	if fallbackDelay == 0 {
-		fallbackDelay = d.networkFallbackDelay
 	}
 	network := N.NetworkUDP
 	if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
 		network += "4"
 	}
-	packetConn, err := d.listenSerialInterfacePacket(ctx, d.udpListener, network, "", *strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
+	return trackPacketConn(d.listenSerialInterfacePacket(ctx, d.udpListener, network, "", strategy, interfaceType, fallbackInterfaceType, fallbackDelay))
-	if err != nil {
-		// bind interface failed on legacy xiaomi systems
-		if d.defaultNetworkStrategy && errors.Is(err, syscall.EPERM) {
-			d.networkStrategy = nil
-			return d.ListenPacket(ctx, destination)
-		} else {
-			return nil, err
-		}
-	}
-	return d.trackPacketConn(packetConn, nil)
 }
 
 func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
-	return d.udpListener.ListenPacket(context.Background(), network, address)
+	return trackPacketConn(d.udpListener.ListenPacket(context.Background(), network, address))
 }
 
-func (d *DefaultDialer) trackConn(conn net.Conn, err error) (net.Conn, error) {
+func trackConn(conn net.Conn, err error) (net.Conn, error) {
-	if d.tracker == nil || err != nil {
+	if !conntrack.Enabled || err != nil {
 		return conn, err
 	}
-	return d.tracker.NewConn(conn)
+	return conntrack.NewConn(conn)
 }
 
-func (d *DefaultDialer) trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
+func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
-	if err != nil {
+	if !conntrack.Enabled || err != nil {
 		return conn, err
 	}
-	return d.tracker.NewPacketConn(conn)
+	return conntrack.NewPacketConn(conn)
 }

common/dialer/default_parallel_interface.go

@@ -35,12 +35,12 @@ func (d *DefaultDialer) dialParallelInterface(ctx context.Context, dialer net.Di
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
-			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Index, ")"), primary: primary}:
+			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Name, ")"), primary: primary}:
 			case <-returned:
 			}
 		} else {
 			select {
-			case results <- dialResult{Conn: conn, primary: primary}:
+			case results <- dialResult{Conn: conn}:
 			case <-returned:
 				conn.Close()
 			}
@@ -107,12 +107,12 @@ func (d *DefaultDialer) dialParallelInterfaceFastFallback(ctx context.Context, d
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
-			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Index, ")"), primary: primary}:
+			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Name, ")"), primary: primary}:
 			case <-returned:
 			}
 		} else {
 			select {
-			case results <- dialResult{Conn: conn, primary: primary}:
+			case results <- dialResult{Conn: conn}:
 			case <-returned:
 				if primary && time.Since(startAt) <= fallbackDelay {
 					resetFastFallback(time.Time{})
@@ -157,7 +157,7 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 		if err == nil {
 			return conn, nil
 		}
-		errors = append(errors, E.Cause(err, "listen ", primaryInterface.Name, " (", primaryInterface.Index, ")"))
+		errors = append(errors, E.Cause(err, "listen ", primaryInterface.Name, " (", primaryInterface.Name, ")"))
 	}
 	for _, fallbackInterface := range fallbackInterfaces {
 		perNetListener := listener
@@ -166,7 +166,7 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 		if err == nil {
 			return conn, nil
 		}
-		errors = append(errors, E.Cause(err, "listen ", fallbackInterface.Name, " (", fallbackInterface.Index, ")"))
+		errors = append(errors, E.Cause(err, "listen ", fallbackInterface.Name, " (", fallbackInterface.Name, ")"))
 	}
 	return nil, E.Errors(errors...)
 }
@@ -177,57 +177,44 @@ func selectInterfaces(networkManager adapter.NetworkManager, strategy C.NetworkS
 	case C.NetworkStrategyDefault:
 		if len(interfaceType) == 0 {
 			defaultIf := networkManager.InterfaceMonitor().DefaultInterface()
-			if defaultIf != nil {
+			for _, iif := range interfaces {
-				for _, iif := range interfaces {
+				if iif.Index == defaultIf.Index {
-					if iif.Index == defaultIf.Index {
+					primaryInterfaces = append(primaryInterfaces, iif)
-						primaryInterfaces = append(primaryInterfaces, iif)
+				} else {
-					}
+					fallbackInterfaces = append(fallbackInterfaces, iif)
 				}
-			} else {
-				primaryInterfaces = interfaces
 			}
 		} else {
-			primaryInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
+			primaryInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
-				return common.Contains(interfaceType, it.Type)
+				return common.Contains(interfaceType, iif.Type)
 			})
 		}
 	case C.NetworkStrategyHybrid:
 		if len(interfaceType) == 0 {
 			primaryInterfaces = interfaces
 		} else {
-			primaryInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
+			primaryInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
-				return common.Contains(interfaceType, it.Type)
+				return common.Contains(interfaceType, iif.Type)
 			})
 		}
 	case C.NetworkStrategyFallback:
 		if len(interfaceType) == 0 {
 			defaultIf := networkManager.InterfaceMonitor().DefaultInterface()
-			if defaultIf != nil {
+			for _, iif := range interfaces {
-				for _, iif := range interfaces {
+				if iif.Index == defaultIf.Index {
-					if iif.Index == defaultIf.Index {
+					primaryInterfaces = append(primaryInterfaces, iif)
-						primaryInterfaces = append(primaryInterfaces, iif)
+				} else {
-						break
+					fallbackInterfaces = append(fallbackInterfaces, iif)
-					}
 				}
-			} else {
-				primaryInterfaces = interfaces
 			}
 		} else {
-			primaryInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
+			primaryInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
-				return common.Contains(interfaceType, it.Type)
+				return common.Contains(interfaceType, iif.Type)
-			})
-		}
-		if len(fallbackInterfaceType) == 0 {
-			fallbackInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
-				return !common.Any(primaryInterfaces, func(iif adapter.NetworkInterface) bool {
-					return it.Index == iif.Index
-				})
-			})
-		} else {
-			fallbackInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
-				return common.Contains(fallbackInterfaceType, iif.Type)
 			})
 		}
+		fallbackInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+			return common.Contains(fallbackInterfaceType, iif.Type)
+		})
 	}
 	return primaryInterfaces, fallbackInterfaces
 }

common/dialer/default_parallel_network.go

@@ -13,13 +13,7 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )
 
-func DialSerialNetwork(ctx context.Context, dialer N.Dialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func DialSerialNetwork(ctx context.Context, dialer N.Dialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
-	if len(destinationAddresses) == 0 {
-		if !destination.IsIP() {
-			panic("invalid usage")
-		}
-		destinationAddresses = []netip.Addr{destination.Addr}
-	}
 	if parallelDialer, isParallel := dialer.(ParallelNetworkDialer); isParallel {
 		return parallelDialer.DialParallelNetwork(ctx, network, destination, destinationAddresses, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	}
@@ -44,14 +38,7 @@ func DialSerialNetwork(ctx context.Context, dialer N.Dialer, network string, des
 	return nil, E.Errors(errors...)
 }
 
-func DialParallelNetwork(ctx context.Context, dialer ParallelInterfaceDialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, preferIPv6 bool, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func DialParallelNetwork(ctx context.Context, dialer ParallelInterfaceDialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, preferIPv6 bool, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
-	if len(destinationAddresses) == 0 {
-		if !destination.IsIP() {
-			panic("invalid usage")
-		}
-		destinationAddresses = []netip.Addr{destination.Addr}
-	}
-
 	if fallbackDelay == 0 {
 		fallbackDelay = N.DefaultFallbackDelay
 	}
@@ -129,13 +116,7 @@ func DialParallelNetwork(ctx context.Context, dialer ParallelInterfaceDialer, ne
 	}
 }
 
-func ListenSerialNetworkPacket(ctx context.Context, dialer N.Dialer, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
+func ListenSerialNetworkPacket(ctx context.Context, dialer N.Dialer, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
-	if len(destinationAddresses) == 0 {
-		if !destination.IsIP() {
-			panic("invalid usage")
-		}
-		destinationAddresses = []netip.Addr{destination.Addr}
-	}
 	if parallelDialer, isParallel := dialer.(ParallelNetworkDialer); isParallel {
 		return parallelDialer.ListenSerialNetworkPacket(ctx, destination, destinationAddresses, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	}

common/dialer/dialer.go

@@ -17,15 +17,16 @@ import (
 )
 
 func New(ctx context.Context, options option.DialerOptions) (N.Dialer, error) {
+	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	if options.IsWireGuardListener {
-		return NewDefault(ctx, options)
+		return NewDefault(networkManager, options)
 	}
 	var (
 		dialer N.Dialer
 		err    error
 	)
 	if options.Detour == "" {
-		dialer, err = NewDefault(ctx, options)
+		dialer, err = NewDefault(networkManager, options)
 		if err != nil {
 			return nil, err
 		}
@@ -36,6 +37,9 @@ func New(ctx context.Context, options option.DialerOptions) (N.Dialer, error) {
 		}
 		dialer = NewDetour(outboundManager, options.Detour)
 	}
+	if networkManager == nil {
+		return NewDefault(networkManager, options)
+	}
 	if options.Detour == "" {
 		router := service.FromContext[adapter.Router](ctx)
 		if router != nil {
@@ -54,10 +58,11 @@ func NewDirect(ctx context.Context, options option.DialerOptions) (ParallelInter
 	if options.Detour != "" {
 		return nil, E.New("`detour` is not supported in direct context")
 	}
+	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	if options.IsWireGuardListener {
-		return NewDefault(ctx, options)
+		return NewDefault(networkManager, options)
 	}
-	dialer, err := NewDefault(ctx, options)
+	dialer, err := NewDefault(networkManager, options)
 	if err != nil {
 		return nil, err
 	}
@@ -72,11 +77,11 @@ func NewDirect(ctx context.Context, options option.DialerOptions) (ParallelInter
 
 type ParallelInterfaceDialer interface {
 	N.Dialer
-	DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
+	DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
-	ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error)
+	ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error)
 }
 
 type ParallelNetworkDialer interface {
-	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
+	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
-	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
+	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }

common/dialer/resolve.go

@@ -106,7 +106,7 @@ func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	return bufio.NewNATPacketConn(bufio.NewPacketConn(conn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
 }
 
-func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
@@ -134,7 +134,7 @@ func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context
 	}
 }
 
-func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
+func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}

common/tls/ech_client.go

@@ -64,7 +64,6 @@ type echConnWrapper struct {
 
 func (c *echConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
-	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,

common/tls/ech_keygen.go

@@ -147,9 +147,6 @@ func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite [
 		pair.rawConf = b
 
 		secBuf, err := sec.MarshalBinary()
-		if err != nil {
-			return nil, E.Cause(err, "serialize ECH private key")
-		}
 		sk := []byte{}
 		sk = be.AppendUint16(sk, uint16(len(secBuf)))
 		sk = append(sk, secBuf...)

common/tls/ech_quic.go

@@ -28,7 +28,7 @@ func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, ad
 }
 
 func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config) http.RoundTripper {
-	return &http3.Transport{
+	return &http3.RoundTripper{
 		TLSClientConfig: c.config,
 		QUICConfig:      quicConfig,
 		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {

common/tls/reality_server.go

@@ -174,7 +174,6 @@ type realityConnWrapper struct {
 
 func (c *realityConnWrapper) ConnectionState() ConnectionState {
 	state := c.Conn.ConnectionState()
-	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,

common/tls/time_wrapper.go

@@ -1,22 +0,0 @@
-package tls
-
-import (
-	"time"
-
-	"github.com/sagernet/sing/common/ntp"
-)
-
-type TimeServiceWrapper struct {
-	ntp.TimeService
-}
-
-func (w *TimeServiceWrapper) TimeFunc() func() time.Time {
-	if w.TimeService == nil {
-		return nil
-	}
-	return w.TimeService.TimeFunc()
-}
-
-func (w *TimeServiceWrapper) Upstream() any {
-	return w.TimeService
-}

common/tls/utls_client.go

@@ -69,7 +69,6 @@ type utlsConnWrapper struct {
 
 func (c *utlsConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
-	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,

constant/hysteria2.go

@@ -1,7 +0,0 @@
-package constant
-
-const (
-	Hysterai2MasqueradeTypeFile   = "file"
-	Hysterai2MasqueradeTypeProxy  = "proxy"
-	Hysterai2MasqueradeTypeString = "string"
-)

constant/proxy.go

@@ -23,7 +23,6 @@ const (
 	TypeVLESS        = "vless"
 	TypeTUIC         = "tuic"
 	TypeHysteria2    = "hysteria2"
-	TypeNDIS         = "ndis"
 )
 
 const (
@@ -81,8 +80,6 @@ func ProxyDisplayName(proxyType string) string {
 		return "Selector"
 	case TypeURLTest:
 		return "URLTest"
-	case TypeNDIS:
-		return "NDIS"
 	default:
 		return "Unknown"
 	}

debug.go

@@ -3,6 +3,7 @@ package box
 import (
 	"runtime/debug"
 
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -25,5 +26,9 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit != 0 {
 		debug.SetMemoryLimit(int64(float64(options.MemoryLimit) / 1.5))
+		conntrack.MemoryLimit = uint64(options.MemoryLimit)
+	}
+	if options.OOMKiller != nil {
+		conntrack.KillerEnabled = *options.OOMKiller
 	}
 }

docs/changelog.md

@@ -2,57 +2,14 @@
 icon: material/alert-decagram
 ---
 
-#### 1.11.0-beta.20
+#### 1.11.0-beta.2
 
-* Hysteria2 `ignore_client_bandwidth` behavior update **1**
 * Fixes and improvements
 
-**1**:
+### 1.10.3
 
-When `up_mbps` and `down_mbps` are set, `ignore_client_bandwidth` instead denies clients from using BBR CC.
-
-See [Hysteria2](/configuration/inbound/hysteria2/#ignore_client_bandwidth).
-
-#### 1.11.0-beta.17
-
-* Add port hopping support for Hysteria2 **1**
 * Fixes and improvements
 
-**1**:
-
-See [Hysteria2](/configuration/outbound/hysteria2/).
-
-#### 1.11.0-beta.14
-
-* Allow adding route (exclude) address sets to routes **1**
-* Fixes and improvements
-
-**1**:
-
-When `auto_redirect` is not enabled, directly add `route[_exclude]_address_set`
-to tun routes (equivalent to `route[_exclude]_address`).
-
-Note that it **doesn't work on the Android graphical client** due to
-the Android VpnService not being able to handle a large number of routes (DeadSystemException),
-but otherwise it works fine on all command line clients and Apple platforms.
-
-See [route_address_set](/configuration/inbound/tun/#route_address_set) and
-[route_exclude_address_set](/configuration/inbound/tun/#route_exclude_address_set).
-
-#### 1.11.0-beta.12
-
-* Add `rule-set merge` command
-* Fixes and improvements
-
-#### 1.11.0-beta.3
-
-* Add more masquerade options for hysteria2 **1**
-* Fixes and improvements
-
-**1**:
-
-See [Hysteria2](/configuration/inbound/hysteria2/#masquerade).
-
 #### 1.11.0-alpha.25
 
 * Update quic-go to v0.48.2

docs/configuration/inbound/hysteria2.md

@@ -1,20 +1,11 @@
----
-icon: material/alert-decagram
----
-
-!!! quote "Changes in sing-box 1.11.0"
-
-    :material-alert: [masquerade](#masquerade)  
-    :material-alert: [ignore_client_bandwidth](#ignore_client_bandwidth)
-
 ### Structure
 
 ```json
 {
   "type": "hysteria2",
   "tag": "hy2-in",
-  
+  ...
-  ... // Listen Fields
+  // Listen Fields
 
   "up_mbps": 100,
   "down_mbps": 100,
@@ -30,7 +21,7 @@ icon: material/alert-decagram
   ],
   "ignore_client_bandwidth": false,
   "tls": {},
-  "masquerade": "", // or {}
+  "masquerade": "",
   "brutal_debug": false
 }
 ```
@@ -76,13 +67,9 @@ Authentication password
 
 #### ignore_client_bandwidth
 
-*When `up_mbps` and `down_mbps` are not set*:
+Commands the client to use the BBR flow control algorithm instead of Hysteria CC.
 
-Commands clients to use the BBR CC instead of Hysteria CC.
+Conflict with `up_mbps` and `down_mbps`.
-
-*When `up_mbps` and `down_mbps` are set*:
-
-Deny clients to use the BBR CC.
 
 #### tls
 
@@ -92,54 +79,14 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 
 #### masquerade
 
-HTTP3 server behavior (URL string configuration) when authentication fails.
+HTTP3 server behavior when authentication fails.
 
 | Scheme       | Example                 | Description        |
 |--------------|-------------------------|--------------------|
 | `file`       | `file:///var/www`       | As a file server   |
 | `http/https` | `http://127.0.0.1:8080` | As a reverse proxy |
 
-Conflict with `masquerade.type`.
+A 404 page will be returned if empty.
-
-A 404 page will be returned if masquerade is not configured.
-
-#### masquerade.type
-
-HTTP3 server behavior (Object configuration) when authentication fails.
-
-| Type     | Description                 | Fields                              |
-|----------|-----------------------------|-------------------------------------|
-| `file`   | As a file server            | `directory`                         |
-| `proxy`  | As a reverse proxy          | `url`, `rewrite_host`               |
-| `string` | Reply with a fixed response | `status_code`, `headers`, `content` |
-
-Conflict with `masquerade`.
-
-A 404 page will be returned if masquerade is not configured.
-
-#### masquerade.directory
-
-File server root directory.
-
-#### masquerade.url
-
-Reverse proxy target URL.
-
-#### masquerade.rewrite_host
-
-Rewrite the `Host` header to the target URL.
-
-#### masquerade.status_code
-
-Fixed response status code.
-
-#### masquerade.headers
-
-Fixed response headers.
-
-#### masquerade.content
-
-Fixed response content.
 
 #### brutal_debug
 

docs/configuration/inbound/hysteria2.zh.md

@@ -1,20 +1,11 @@
----
-icon: material/alert-decagram
----
-
-!!! quote "sing-box 1.11.0 中的更改"
-
-    :material-alert: [masquerade](#masquerade)  
-    :material-alert: [ignore_client_bandwidth](#ignore_client_bandwidth)
-
 ### 结构
 
 ```json
 {
   "type": "hysteria2",
   "tag": "hy2-in",
-  
+  ...
-  ... // 监听字段
+  // 监听字段
 
   "up_mbps": 100,
   "down_mbps": 100,
@@ -30,7 +21,7 @@ icon: material/alert-decagram
   ],
   "ignore_client_bandwidth": false,
   "tls": {},
-  "masquerade": "", // 或 {}
+  "masquerade": "",
   "brutal_debug": false
 }
 ```
@@ -73,13 +64,9 @@ Hysteria 用户
 
 #### ignore_client_bandwidth
 
-*当 `up_mbps` 和 `down_mbps` 未设定时*:
-
 命令客户端使用 BBR 拥塞控制算法而不是 Hysteria CC。
 
-*当 `up_mbps` 和 `down_mbps` 已设定时*:
+与 `up_mbps` 和 `down_mbps` 冲突。
-
-禁止客户端使用 BBR 拥塞控制算法。
 
 #### tls
 
@@ -89,54 +76,14 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### masquerade
 
-HTTP3 服务器认证失败时的行为 （URL 字符串配置）。
+HTTP3 服务器认证失败时的行为。
 
 | Scheme       | 示例                      | 描述      |
 |--------------|-------------------------|---------|
 | `file`       | `file:///var/www`       | 作为文件服务器 |
 | `http/https` | `http://127.0.0.1:8080` | 作为反向代理  |
 
-如果 masquerade 未配置，则返回 404 页。
+如果为空，则返回 404 页。
-
-与 `masquerade.type` 冲突。
-
-#### masquerade.type
-
-HTTP3 服务器认证失败时的行为 （对象配置）。
-
-| Type     | 描述      | 字段                                  |
-|----------|---------|-------------------------------------|
-| `file`   | 作为文件服务器 | `directory`                         |
-| `proxy`  | 作为反向代理  | `url`, `rewrite_host`               |
-| `string` | 返回固定响应  | `status_code`, `headers`, `content` |
-
-如果 masquerade 未配置，则返回 404 页。
-
-与 `masquerade` 冲突。
-
-#### masquerade.directory
-
-文件服务器根目录。
-
-#### masquerade.url
-
-反向代理目标 URL。
-
-#### masquerade.rewrite_host
-
-重写请求头中的 Host 字段到目标 URL。
-
-#### masquerade.status_code
-
-固定响应状态码。
-
-#### masquerade.headers
-
-固定响应头。
-
-#### masquerade.content
-
-固定响应内容。
 
 #### brutal_debug
 

docs/configuration/inbound/tun.md

@@ -5,8 +5,6 @@ icon: material/alert-decagram
 !!! quote "Changes in sing-box 1.11.0"
 
     :material-delete-alert: [gso](#gso)
-    :material-alert-decagram: [route_address_set](#stack)  
-    :material-alert-decagram: [route_exclude_address_set](#stack)
 
 !!! quote "Changes in sing-box 1.10.0"
 
@@ -90,13 +88,13 @@ icon: material/alert-decagram
     0
   ],
   "include_uid_range": [
-    "1000:99999"
+    "1000-99999"
   ],
   "exclude_uid": [
     1000
   ],
   "exclude_uid_range": [
-    "1000:99999"
+    "1000-99999"
   ],
   "include_android_user": [
     0,
@@ -250,7 +248,7 @@ use [VPNHotspot](https://github.com/Mygod/VPNHotspot).
 
 !!! question "Since sing-box 1.10.0"
 
-Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.
+Connection input mark used by `route_address_set` and `route_exclude_address_set`.
 
 `0x2023` is used by default.
 
@@ -258,7 +256,7 @@ Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`
 
 !!! question "Since sing-box 1.10.0"
 
-Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.
+Connection output mark used by `route_address_set` and `route_exclude_address_set`.
 
 `0x2024` is used by default.
 
@@ -331,55 +329,29 @@ Exclude custom routes when `auto_route` is enabled.
 
 #### route_address_set
 
-=== "With `auto_redirect` enabled"
+!!! question "Since sing-box 1.10.0"
 
-    !!! question "Since sing-box 1.10.0"
+!!! quote ""
-
-    !!! quote ""
-    
-        Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
-    
-    Add the destination IP CIDR rules in the specified rule-sets to the firewall.
-    Unmatched traffic will bypass the sing-box routes.
-    
-    Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
-
-=== "Without `auto_redirect` enabled"
-
-    !!! question "Since sing-box 1.11.0"
-    
-    Add the destination IP CIDR rules in the specified rule-sets to routes, equivalent to adding to `route_address`.
-    Unmatched traffic will bypass the sing-box routes.
-
-    Note that it **doesn't work on the Android graphical client** due to
-    the Android VpnService not being able to handle a large number of routes (DeadSystemException),
-    but otherwise it works fine on all command line clients and Apple platforms.
-
-#### route_exclude_address_set
-
-=== "With `auto_redirect` enabled"
-
-    !!! question "Since sing-box 1.10.0"
-
-    !!! quote ""
 
     Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
 
-    Add the destination IP CIDR rules in the specified rule-sets to the firewall.
+Add the destination IP CIDR rules in the specified rule-sets to the firewall.
-    Matched traffic will bypass the sing-box routes.
+Unmatched traffic will bypass the sing-box routes.
 
-    Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
+Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
 
-=== "Without `auto_redirect` enabled"
+#### route_exclude_address_set
 
-    !!! question "Since sing-box 1.11.0"
+!!! question "Since sing-box 1.10.0"
 
-    Add the destination IP CIDR rules in the specified rule-sets to routes, equivalent to adding to `route_exclude_address`.
+!!! quote ""
-    Matched traffic will bypass the sing-box routes.
 
-    Note that it **doesn't work on the Android graphical client** due to
+    Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
-    the Android VpnService not being able to handle a large number of routes (DeadSystemException),
+
-    but otherwise it works fine on all command line clients and Apple platforms.
+Add the destination IP CIDR rules in the specified rule-sets to the firewall.
+Matched traffic will bypass the sing-box routes.
+
+Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
 
 #### endpoint_independent_nat
 

docs/configuration/inbound/tun.zh.md

@@ -5,8 +5,6 @@ icon: material/alert-decagram
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-delete-alert: [gso](#gso)
-    :material-alert-decagram: [route_address_set](#stack)  
-    :material-alert-decagram: [route_exclude_address_set](#stack)
 
 !!! quote "sing-box 1.10.0 中的更改"
 
@@ -90,13 +88,13 @@ icon: material/alert-decagram
     0
   ],
   "include_uid_range": [
-    "1000:99999"
+    "1000-99999"
   ],
   "exclude_uid": [
     1000
   ],
   "exclude_uid_range": [
-    "1000:99999"
+    "1000-99999"
   ],
   "include_android_user": [
     0,
@@ -331,53 +329,29 @@ tun 接口的 IPv6 前缀。
 
 #### route_address_set
 
-=== "`auto_redirect` 已启用"
+!!! question "自 sing-box 1.10.0 起"
 
-    !!! question "自 sing-box 1.10.0 起"
+!!! quote ""
 
-    !!! quote ""
+    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
 
-        仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
+将指定规则集中的目标 IP CIDR 规则添加到防火墙。
+不匹配的流量将绕过 sing-box 路由。
 
-    将指定规则集中的目标 IP CIDR 规则添加到防火墙。
+与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
-    不匹配的流量将绕过 sing-box 路由。
-    
-    与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
-
-=== "`auto_redirect` 未启用"
-
-    !!! question "自 sing-box 1.11.0 起"
-
-    将指定规则集中的目标 IP CIDR 规则添加到路由，相当于添加到 `route_address`。
-    不匹配的流量将绕过 sing-box 路由。
-
-    请注意，由于 Android VpnService 无法处理大量路由（DeadSystemException），
-    因此它**在 Android 图形客户端上不起作用**，但除此之外，它在所有命令行客户端和 Apple 平台上都可以正常工作。
 
 #### route_exclude_address_set
 
-=== "`auto_redirect` 已启用"
+!!! question "自 sing-box 1.10.0 起"
 
-    !!! question "自 sing-box 1.10.0 起"
+!!! quote ""
 
-    !!! quote ""
+    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。
 
-        仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
+将指定规则集中的目标 IP CIDR 规则添加到防火墙。
+匹配的流量将绕过 sing-box 路由。
 
-    将指定规则集中的目标 IP CIDR 规则添加到防火墙。
+与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
-    匹配的流量将绕过 sing-box 路由。
-
-    与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
-
-=== "`auto_redirect` 未启用"
-
-    !!! question "自 sing-box 1.11.0 起"
-
-    将指定规则集中的目标 IP CIDR 规则添加到路由，相当于添加到 `route_exclude_address`。
-    匹配的流量将绕过 sing-box 路由。
-
-    请注意，由于 Android VpnService 无法处理大量路由（DeadSystemException），
-    因此它**在 Android 图形客户端上不起作用**，但除此之外，它在所有命令行客户端和 Apple 平台上都可以正常工作。
 
 #### endpoint_independent_nat
 

docs/configuration/outbound/direct.md

@@ -4,8 +4,8 @@ icon: material/alert-decagram
 
 !!! quote "Changes in sing-box 1.11.0"
 
-    :material-delete-clock: [override_address](#override_address)  
+    :material-alert-decagram: [override_address](#override_address)  
-    :material-delete-clock: [override_port](#override_port)
+    :material-alert-decagram: [override_port](#override_port)
 
 `direct` outbound send requests directly.
 

docs/configuration/outbound/hysteria2.md

@@ -1,12 +1,3 @@
----
-icon: material/new-box
----
-
-!!! quote "Changes in sing-box 1.11.0"
-
-    :material-plus: [server_ports](#server_ports)  
-    :material-plus: [hop_interval](#hop_interval)
-
 ### Structure
 
 ```json
@@ -16,10 +7,6 @@ icon: material/new-box
   
   "server": "127.0.0.1",
   "server_port": 1080,
-  "server_ports": [
-    "2080:3000"
-  ],
-  "hop_interval": "",
   "up_mbps": 100,
   "down_mbps": 100,
   "obfs": {
@@ -35,10 +22,6 @@ icon: material/new-box
 }
 ```
 
-!!! note ""
-
-    You can ignore the JSON Array [] tag when the content is only one item
-
 !!! warning "Difference from official Hysteria2"
 
     The official Hysteria2 supports an authentication method called **userpass**,
@@ -61,24 +44,6 @@ The server address.
 
 The server port.
 
-Ignored if `server_ports` is set.
-
-#### server_ports
-
-!!! question "Since sing-box 1.11.0"
-
-Server port range list.
-
-Conflicts with `server_port`.
-
-#### hop_interval
-
-!!! question "Since sing-box 1.11.0"
-
-Port hopping interval.
-
-`30s` is used by default.
-
 #### up_mbps, down_mbps
 
 Max bandwidth, in Mbps.

docs/configuration/outbound/hysteria2.zh.md

@@ -1,12 +1,3 @@
----
-icon: material/new-box
----
-
-!!! quote "sing-box 1.11.0 中的更改"
-
-    :material-plus: [server_ports](#server_ports)  
-    :material-plus: [hop_interval](#hop_interval)
-
 ### 结构
 
 ```json
@@ -16,10 +7,6 @@ icon: material/new-box
 
   "server": "127.0.0.1",
   "server_port": 1080,
-  "server_ports": [
-    "2080:3000"
-  ],
-  "hop_interval": "",
   "up_mbps": 100,
   "down_mbps": 100,
   "obfs": {
@@ -35,10 +22,6 @@ icon: material/new-box
 }
 ```
 
-!!! note ""
-
-    当内容只有一项时，可以忽略 JSON 数组 [] 标签
-
 !!! warning "与官方 Hysteria2 的区别"
 
     官方程序支持一种名为 **userpass** 的验证方式，
@@ -59,24 +42,6 @@ icon: material/new-box
 
 服务器端口。
 
-如果设置了 `server_ports`，则忽略此项。
-
-#### server_ports
-
-!!! question "自 sing-box 1.11.0 起"
-
-服务器端口范围列表。
-
-与 `server_port` 冲突。
-
-#### hop_interval
-
-!!! question "自 sing-box 1.11.0 起"
-
-端口跳跃间隔。
-
-默认使用 `30s`。
-
 #### up_mbps, down_mbps
 
 最大带宽。

experimental/clashapi/api_meta_group.go

@@ -32,7 +32,7 @@ func groupRouter(server *Server) http.Handler {
 
 func getGroups(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		groups := common.Map(common.Filter(server.outbound.Outbounds(), func(it adapter.Outbound) bool {
+		groups := common.Map(common.Filter(server.outboundManager.Outbounds(), func(it adapter.Outbound) bool {
 			_, isGroup := it.(adapter.OutboundGroup)
 			return isGroup
 		}), func(it adapter.Outbound) *badjson.JSONObject {
@@ -86,7 +86,7 @@ func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 			result, err = urlTestGroup.URLTest(ctx)
 		} else {
 			outbounds := common.FilterNotNil(common.Map(outboundGroup.All(), func(it string) adapter.Outbound {
-				itOutbound, _ := server.outbound.Outbound(it)
+				itOutbound, _ := server.outboundManager.Outbound(it)
 				return itOutbound
 			}))
 			b, _ := batch.New(ctx, batch.WithConcurrencyNum[any](10))
@@ -100,7 +100,7 @@ func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 					continue
 				}
 				checked[realTag] = true
-				p, loaded := server.outbound.Outbound(realTag)
+				p, loaded := server.outboundManager.Outbound(realTag)
 				if !loaded {
 					continue
 				}

experimental/clashapi/proxies.go

@@ -46,7 +46,7 @@ func findProxyByName(server *Server) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			name := r.Context().Value(CtxKeyProxyName).(string)
-			proxy, exist := server.outbound.Outbound(name)
+			proxy, exist := server.outboundManager.Outbound(name)
 			if !exist {
 				render.Status(r, http.StatusNotFound)
 				render.JSON(w, r, ErrNotFound)
@@ -86,14 +86,9 @@ func proxyInfo(server *Server, detour adapter.Outbound) *badjson.JSONObject {
 func getProxies(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var proxyMap badjson.JSONObject
-		outbounds := common.Filter(server.outbound.Outbounds(), func(detour adapter.Outbound) bool {
+		outbounds := common.Filter(server.outboundManager.Outbounds(), func(detour adapter.Outbound) bool {
 			return detour.Tag() != ""
 		})
-		outbounds = append(outbounds, common.Map(common.Filter(server.endpoint.Endpoints(), func(detour adapter.Endpoint) bool {
-			return detour.Tag() != ""
-		}), func(it adapter.Endpoint) adapter.Outbound {
-			return it
-		})...)
 
 		allProxies := make([]string, 0, len(outbounds))
 
@@ -105,7 +100,7 @@ func getProxies(server *Server) func(w http.ResponseWriter, r *http.Request) {
 			allProxies = append(allProxies, detour.Tag())
 		}
 
-		defaultTag := server.outbound.Default().Tag()
+		defaultTag := server.outboundManager.Default().Tag()
 
 		sort.SliceStable(allProxies, func(i, j int) bool {
 			return allProxies[i] == defaultTag

experimental/clashapi/server.go

@@ -40,17 +40,16 @@ func init() {
 var _ adapter.ClashServer = (*Server)(nil)
 
 type Server struct {
-	ctx            context.Context
+	ctx             context.Context
-	router         adapter.Router
+	router          adapter.Router
-	outbound       adapter.OutboundManager
+	outboundManager adapter.OutboundManager
-	endpoint       adapter.EndpointManager
+	logger          log.Logger
-	logger         log.Logger
+	httpServer      *http.Server
-	httpServer     *http.Server
+	trafficManager  *trafficontrol.Manager
-	trafficManager *trafficontrol.Manager
+	urlTestHistory  *urltest.HistoryStorage
-	urlTestHistory *urltest.HistoryStorage
+	mode            string
-	mode           string
+	modeList        []string
-	modeList       []string
+	modeUpdateHook  chan<- struct{}
-	modeUpdateHook chan<- struct{}
 
 	externalController       bool
 	externalUI               string
@@ -62,11 +61,10 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 	trafficManager := trafficontrol.NewManager()
 	chiRouter := chi.NewRouter()
 	s := &Server{
-		ctx:      ctx,
+		ctx:             ctx,
-		router:   service.FromContext[adapter.Router](ctx),
+		router:          service.FromContext[adapter.Router](ctx),
-		outbound: service.FromContext[adapter.OutboundManager](ctx),
+		outboundManager: service.FromContext[adapter.OutboundManager](ctx),
-		endpoint: service.FromContext[adapter.EndpointManager](ctx),
+		logger:          logFactory.NewLogger("clash-api"),
-		logger:   logFactory.NewLogger("clash-api"),
 		httpServer: &http.Server{
 			Addr:    options.ExternalController,
 			Handler: chiRouter,
@@ -128,8 +126,11 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 	if options.ExternalUI != "" {
 		s.externalUI = filemanager.BasePath(ctx, os.ExpandEnv(options.ExternalUI))
 		chiRouter.Group(func(r chi.Router) {
-			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusMovedPermanently).ServeHTTP)
+			fs := http.StripPrefix("/ui", http.FileServer(http.Dir(s.externalUI)))
-			r.Handle("/ui/*", http.StripPrefix("/ui/", http.FileServer(http.Dir(s.externalUI))))
+			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusTemporaryRedirect).ServeHTTP)
+			r.Get("/ui/*", func(w http.ResponseWriter, r *http.Request) {
+				fs.ServeHTTP(w, r)
+			})
 		})
 	}
 	return s, nil
@@ -241,11 +242,11 @@ func (s *Server) TrafficManager() *trafficontrol.Manager {
 }
 
 func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule, matchOutbound adapter.Outbound) net.Conn {
-	return trafficontrol.NewTCPTracker(conn, s.trafficManager, metadata, s.outbound, matchedRule, matchOutbound)
+	return trafficontrol.NewTCPTracker(conn, s.trafficManager, metadata, s.outboundManager, matchedRule, matchOutbound)
 }
 
 func (s *Server) RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, matchedRule adapter.Rule, matchOutbound adapter.Outbound) N.PacketConn {
-	return trafficontrol.NewUDPTracker(conn, s.trafficManager, metadata, s.outbound, matchedRule, matchOutbound)
+	return trafficontrol.NewUDPTracker(conn, s.trafficManager, metadata, s.outboundManager, matchedRule, matchOutbound)
 }
 
 func authentication(serverSecret string) func(next http.Handler) http.Handler {
@@ -320,15 +321,18 @@ func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter,
 		tick := time.NewTicker(time.Second)
 		defer tick.Stop()
 		buf := &bytes.Buffer{}
-		uploadTotal, downloadTotal := trafficManager.Total()
+		var (
+			uploadTotal   int64
+			doanloadTotal int64
+			err           error
+		)
 		for range tick.C {
 			buf.Reset()
 			uploadTotalNew, downloadTotalNew := trafficManager.Total()
-			err := json.NewEncoder(buf).Encode(Traffic{
+			if err := json.NewEncoder(buf).Encode(Traffic{
 				Up:   uploadTotalNew - uploadTotal,
-				Down: downloadTotalNew - downloadTotal,
+				Down: downloadTotalNew - doanloadTotal,
-			})
+			}); err != nil {
-			if err != nil {
 				break
 			}
 			if conn == nil {
@@ -340,9 +344,8 @@ func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter,
 			if err != nil {
 				break
 			}
-
 			uploadTotal = uploadTotalNew
-			downloadTotal = downloadTotalNew
+			doanloadTotal = downloadTotalNew
 		}
 	}
 }

experimental/clashapi/server_resources.go

@@ -44,13 +44,13 @@ func (s *Server) downloadExternalUI() error {
 	s.logger.Info("downloading external ui")
 	var detour adapter.Outbound
 	if s.externalUIDownloadDetour != "" {
-		outbound, loaded := s.outbound.Outbound(s.externalUIDownloadDetour)
+		outbound, loaded := s.outboundManager.Outbound(s.externalUIDownloadDetour)
 		if !loaded {
 			return E.New("detour outbound not found: ", s.externalUIDownloadDetour)
 		}
 		detour = outbound
 	} else {
-		outbound := s.outbound.Default()
+		outbound := s.outboundManager.Default()
 		detour = outbound
 	}
 	httpClient := &http.Client{

experimental/deprecated/constants.go

@@ -1,11 +1,8 @@
 package deprecated
 
 import (
-	"fmt"
-
 	"github.com/sagernet/sing-box/common/badversion"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/locale"
 	F "github.com/sagernet/sing/common/format"
 
 	"golang.org/x/mod/semver"
@@ -37,9 +34,15 @@ func (n Note) Impending() bool {
 
 func (n Note) Message() string {
 	if n.MigrationLink != "" {
-		return fmt.Sprintf(locale.Current().DeprecatedMessage, n.Description, n.DeprecatedVersion, n.ScheduledVersion)
+		return F.ToString(
+			n.Description, " is deprecated in sing-box ", n.DeprecatedVersion,
+			" and will be removed in sing-box ", n.ScheduledVersion, ", please checkout documentation for migration.",
+		)
 	} else {
-		return fmt.Sprintf(locale.Current().DeprecatedMessageNoLink, n.Description, n.DeprecatedVersion, n.ScheduledVersion)
+		return F.ToString(
+			n.Description, " is deprecated in sing-box ", n.DeprecatedVersion,
+			" and will be removed in sing-box ", n.ScheduledVersion, ".",
+		)
 	}
 }
 

experimental/libbox/command_client.go

@@ -113,24 +113,11 @@ func (c *CommandClient) Connect() error {
 		if err != nil {
 			return err
 		}
-		if sFixAndroidStack {
+		c.handler.Connected()
-			go func() {
+		c.handler.InitializeClashMode(newIterator(modeList), currentMode)
-				c.handler.Connected()
-				c.handler.InitializeClashMode(newIterator(modeList), currentMode)
-				if len(modeList) == 0 {
-					conn.Close()
-					c.handler.Disconnected(os.ErrInvalid.Error())
-				}
-			}()
-		} else {
-			c.handler.Connected()
-			c.handler.InitializeClashMode(newIterator(modeList), currentMode)
-			if len(modeList) == 0 {
-				conn.Close()
-				c.handler.Disconnected(os.ErrInvalid.Error())
-			}
-		}
 		if len(modeList) == 0 {
+			conn.Close()
+			c.handler.Disconnected(os.ErrInvalid.Error())
 			return nil
 		}
 		go c.handleModeConn(conn)

experimental/libbox/command_conntrack.go

@@ -5,6 +5,8 @@ import (
 	"net"
 	runtimeDebug "runtime/debug"
 	"time"
+
+	"github.com/sagernet/sing-box/common/conntrack"
 )
 
 func (c *CommandClient) CloseConnections() error {
@@ -17,7 +19,7 @@ func (c *CommandClient) CloseConnections() error {
 }
 
 func (s *CommandServer) handleCloseConnections(conn net.Conn) error {
-	tracker.Close()
+	conntrack.Close()
 	go func() {
 		time.Sleep(time.Second)
 		runtimeDebug.FreeOSMemory()

experimental/libbox/command_status.go

@@ -6,6 +6,7 @@ import (
 	"runtime"
 	"time"
 
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/memory"
@@ -27,7 +28,7 @@ func (s *CommandServer) readStatus() StatusMessage {
 	var message StatusMessage
 	message.Memory = int64(memory.Inuse())
 	message.Goroutines = int32(runtime.NumGoroutine())
-	message.ConnectionsOut = int32(tracker.Count())
+	message.ConnectionsOut = int32(conntrack.Count())
 
 	if s.service != nil {
 		message.TrafficAvailable = true
@@ -48,10 +49,19 @@ func (s *CommandServer) handleStatusConn(conn net.Conn) error {
 	ticker := time.NewTicker(time.Duration(interval))
 	defer ticker.Stop()
 	ctx := connKeepAlive(conn)
-	status := s.readStatus()
+	var (
-	uploadTotal := status.UplinkTotal
+		status        StatusMessage
-	downloadTotal := status.DownlinkTotal
+		uploadTotal   int64
+		downloadTotal int64
+	)
 	for {
+		status = s.readStatus()
+		upload := status.UplinkTotal - uploadTotal
+		download := status.DownlinkTotal - downloadTotal
+		uploadTotal = status.UplinkTotal
+		downloadTotal = status.DownlinkTotal
+		status.Uplink = upload
+		status.Downlink = download
 		err = binary.Write(conn, binary.BigEndian, status)
 		if err != nil {
 			return err
@@ -61,13 +71,6 @@ func (s *CommandServer) handleStatusConn(conn net.Conn) error {
 			return ctx.Err()
 		case <-ticker.C:
 		}
-		status = s.readStatus()
-		upload := status.UplinkTotal - uploadTotal
-		download := status.DownlinkTotal - downloadTotal
-		uploadTotal = status.UplinkTotal
-		downloadTotal = status.DownlinkTotal
-		status.Uplink = upload
-		status.Downlink = download
 	}
 }
 

experimental/libbox/config.go

@@ -66,10 +66,6 @@ func (s *platformInterfaceStub) OpenTun(options *tun.Options, platformOptions op
 	return nil, os.ErrInvalid
 }
 
-func (s *platformInterfaceStub) UpdateRouteOptions(options *tun.Options, platformInterface option.TunPlatformOptions) error {
-	return os.ErrInvalid
-}
-
 func (s *platformInterfaceStub) UsePlatformDefaultInterfaceMonitor() bool {
 	return true
 }
@@ -134,17 +130,17 @@ func (s *platformInterfaceStub) SendNotification(notification *platform.Notifica
 	return nil
 }
 
-func FormatConfig(configContent string) (*StringBox, error) {
+func FormatConfig(configContent string) (string, error) {
 	options, err := parseConfig(box.Context(context.Background(), include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry()), configContent)
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 	var buffer bytes.Buffer
 	encoder := json.NewEncoder(&buffer)
 	encoder.SetIndent("", "  ")
 	err = encoder.Encode(options)
 	if err != nil {
-		return nil, err
+		return "", err
 	}
-	return wrapString(buffer.String()), nil
+	return buffer.String(), nil
 }

experimental/libbox/http.go

@@ -50,7 +50,8 @@ type HTTPRequest interface {
 }
 
 type HTTPResponse interface {
-	GetContent() (*StringBox, error)
+	GetContent() ([]byte, error)
+	GetContentString() (string, error)
 	WriteTo(path string) error
 }
 
@@ -209,22 +210,27 @@ type httpResponse struct {
 }
 
 func (h *httpResponse) errorString() string {
-	content, err := h.GetContent()
+	content, err := h.GetContentString()
 	if err != nil {
 		return fmt.Sprint("HTTP ", h.Status)
 	}
 	return fmt.Sprint("HTTP ", h.Status, ": ", content)
 }
 
-func (h *httpResponse) GetContent() (*StringBox, error) {
+func (h *httpResponse) GetContent() ([]byte, error) {
 	h.getContentOnce.Do(func() {
 		defer h.Body.Close()
 		h.content, h.contentError = io.ReadAll(h.Body)
 	})
-	if h.contentError != nil {
+	return h.content, h.contentError
-		return nil, h.contentError
+}
+
+func (h *httpResponse) GetContentString() (string, error) {
+	content, err := h.GetContent()
+	if err != nil {
+		return "", err
 	}
-	return wrapString(string(h.content)), nil
+	return string(content), nil
 }
 
 func (h *httpResponse) WriteTo(path string) error {

experimental/libbox/memory.go

@@ -7,21 +7,17 @@ import (
 	"github.com/sagernet/sing-box/common/conntrack"
 )
 
-var tracker *conntrack.DefaultTracker
-
 func SetMemoryLimit(enabled bool) {
-	if tracker != nil {
-		tracker.Close()
-	}
 	const memoryLimit = 45 * 1024 * 1024
 	const memoryLimitGo = memoryLimit / 1.5
 	if enabled {
 		runtimeDebug.SetGCPercent(10)
 		runtimeDebug.SetMemoryLimit(memoryLimitGo)
-		tracker = conntrack.NewDefaultTracker(true, memoryLimit)
+		conntrack.KillerEnabled = true
+		conntrack.MemoryLimit = memoryLimit
 	} else {
 		runtimeDebug.SetGCPercent(100)
 		runtimeDebug.SetMemoryLimit(math.MaxInt64)
-		tracker = conntrack.NewDefaultTracker(false, 0)
+		conntrack.KillerEnabled = false
 	}
 }

experimental/libbox/monitor.go

@@ -55,14 +55,6 @@ func (m *platformDefaultInterfaceMonitor) UnregisterCallback(element *list.Eleme
 }
 
 func (m *platformDefaultInterfaceMonitor) UpdateDefaultInterface(interfaceName string, interfaceIndex32 int32, isExpensive bool, isConstrained bool) {
-	if sFixAndroidStack {
-		go m.updateDefaultInterface(interfaceName, interfaceIndex32, isExpensive, isConstrained)
-	} else {
-		m.updateDefaultInterface(interfaceName, interfaceIndex32, isExpensive, isConstrained)
-	}
-}
-
-func (m *platformDefaultInterfaceMonitor) updateDefaultInterface(interfaceName string, interfaceIndex32 int32, isExpensive bool, isConstrained bool) {
 	m.isExpensive = isExpensive
 	m.isConstrained = isConstrained
 	err := m.networkManager.UpdateInterfaces()

experimental/libbox/panic.go

@@ -1,12 +0,0 @@
-package libbox
-
-// https://github.com/golang/go/issues/46893
-// TODO: remove after `bulkBarrierPreWrite: unaligned arguments` fixed
-
-type StringBox struct {
-	Value string
-}
-
-func wrapString(value string) *StringBox {
-	return &StringBox{Value: value}
-}

experimental/libbox/platform.go

@@ -9,7 +9,6 @@ type PlatformInterface interface {
 	UsePlatformAutoDetectInterfaceControl() bool
 	AutoDetectInterfaceControl(fd int32) error
 	OpenTun(options TunOptions) (int32, error)
-	UpdateRouteOptions(options TunOptions) error
 	WriteLog(message string)
 	UseProcFS() bool
 	FindConnectionOwner(ipProtocol int32, sourceAddress string, sourcePort int32, destinationAddress string, destinationPort int32) (int32, error)

experimental/libbox/platform/interface.go

@@ -13,7 +13,6 @@ type Interface interface {
 	UsePlatformAutoDetectInterfaceControl() bool
 	AutoDetectInterfaceControl(fd int) error
 	OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error)
-	UpdateRouteOptions(options *tun.Options, platformOptions option.TunPlatformOptions) error
 	CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor
 	Interfaces() ([]adapter.NetworkInterface, error)
 	UnderNetworkExtension() bool

experimental/libbox/service.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-box/common/urltest"
 	C "github.com/sagernet/sing-box/constant"
@@ -61,7 +60,6 @@ func NewService(configContent string, platformInterface PlatformInterface) (*Box
 		useProcFS: platformInterface.UseProcFS(),
 	}
 	service.MustRegister[platform.Interface](ctx, platformWrapper)
-	service.MustRegister[conntrack.Tracker](ctx, tracker)
 	instance, err := box.New(box.Options{
 		Context:           ctx,
 		Options:           options,
@@ -83,36 +81,23 @@ func NewService(configContent string, platformInterface PlatformInterface) (*Box
 }
 
 func (s *BoxService) Start() error {
-	if sFixAndroidStack {
+	return s.instance.Start()
-		var err error
-		done := make(chan struct{})
-		go func() {
-			err = s.instance.Start()
-			close(done)
-		}()
-		<-done
-		return err
-	} else {
-		return s.instance.Start()
-	}
 }
 
 func (s *BoxService) Close() error {
+	done := make(chan struct{})
+	defer close(done)
+	go func() {
+		select {
+		case <-done:
+			return
+		case <-time.After(C.FatalStopTimeout):
+			os.Exit(1)
+		}
+	}()
 	s.cancel()
 	s.urlTestHistoryStorage.Close()
-	var err error
+	return s.instance.Close()
-	done := make(chan struct{})
-	go func() {
-		err = s.instance.Close()
-		close(done)
-	}()
-	select {
-	case <-done:
-		return err
-	case <-time.After(C.FatalStopTimeout):
-		os.Exit(1)
-		return nil
-	}
 }
 
 func (s *BoxService) NeedWIFIState() bool {
@@ -150,10 +135,10 @@ func (w *platformInterfaceWrapper) AutoDetectInterfaceControl(fd int) error {
 
 func (w *platformInterfaceWrapper) OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error) {
 	if len(options.IncludeUID) > 0 || len(options.ExcludeUID) > 0 {
-		return nil, E.New("platform: unsupported uid options")
+		return nil, E.New("android: unsupported uid options")
 	}
 	if len(options.IncludeAndroidUser) > 0 {
-		return nil, E.New("platform: unsupported android_user option")
+		return nil, E.New("android: unsupported android_user option")
 	}
 	routeRanges, err := options.BuildAutoRouteRanges(true)
 	if err != nil {
@@ -176,20 +161,6 @@ func (w *platformInterfaceWrapper) OpenTun(options *tun.Options, platformOptions
 	return tun.New(*options)
 }
 
-func (w *platformInterfaceWrapper) UpdateRouteOptions(options *tun.Options, platformOptions option.TunPlatformOptions) error {
-	if len(options.IncludeUID) > 0 || len(options.ExcludeUID) > 0 {
-		return E.New("android: unsupported uid options")
-	}
-	if len(options.IncludeAndroidUser) > 0 {
-		return E.New("android: unsupported android_user option")
-	}
-	routeRanges, err := options.BuildAutoRouteRanges(true)
-	if err != nil {
-		return err
-	}
-	return w.iif.UpdateRouteOptions(&tunOptions{options, routeRanges, platformOptions})
-}
-
 func (w *platformInterfaceWrapper) CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor {
 	return &platformDefaultInterfaceMonitor{
 		platformInterfaceWrapper: w,

experimental/libbox/service_error.go

@@ -13,12 +13,12 @@ func ClearServiceError() {
 	os.Remove(serviceErrorPath())
 }
 
-func ReadServiceError() (*StringBox, error) {
+func ReadServiceError() (string, error) {
 	data, err := os.ReadFile(serviceErrorPath())
 	if err == nil {
 		os.Remove(serviceErrorPath())
 	}
-	return wrapString(string(data)), err
+	return string(data), err
 }
 
 func WriteServiceError(message string) error {

experimental/libbox/setup.go

@@ -9,65 +9,48 @@ import (
 
 	"github.com/sagernet/sing-box/common/humanize"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/locale"
 	"github.com/sagernet/sing-box/log"
 )
 
 var (
-	sBasePath        string
+	sBasePath    string
-	sWorkingPath     string
+	sWorkingPath string
-	sTempPath        string
+	sTempPath    string
-	sUserID          int
+	sUserID      int
-	sGroupID         int
+	sGroupID     int
-	sTVOS            bool
+	sTVOS        bool
-	sFixAndroidStack bool
 )
 
 func init() {
 	debug.SetPanicOnFault(true)
 }
 
-type SetupOptions struct {
+func Setup(basePath string, workingPath string, tempPath string, isTVOS bool) {
-	BasePath        string
+	sBasePath = basePath
-	WorkingPath     string
+	sWorkingPath = workingPath
-	TempPath        string
+	sTempPath = tempPath
-	Username        string
+	sUserID = os.Getuid()
-	IsTVOS          bool
+	sGroupID = os.Getgid()
-	FixAndroidStack bool
+	sTVOS = isTVOS
-}
-
-func Setup(options *SetupOptions) error {
-	sBasePath = options.BasePath
-	sWorkingPath = options.WorkingPath
-	sTempPath = options.TempPath
-	if options.Username != "" {
-		sUser, err := user.Lookup(options.Username)
-		if err != nil {
-			return err
-		}
-		sUserID, _ = strconv.Atoi(sUser.Uid)
-		sGroupID, _ = strconv.Atoi(sUser.Gid)
-	} else {
-		sUserID = os.Getuid()
-		sGroupID = os.Getgid()
-	}
-	sTVOS = options.IsTVOS
-
-	// TODO: remove after fixed
-	// https://github.com/golang/go/issues/68760
-	sFixAndroidStack = options.FixAndroidStack
-
 	os.MkdirAll(sWorkingPath, 0o777)
 	os.MkdirAll(sTempPath, 0o777)
-	if options.Username != "" {
-		os.Chown(sWorkingPath, sUserID, sGroupID)
-		os.Chown(sTempPath, sUserID, sGroupID)
-	}
-	return nil
 }
 
-func SetLocale(localeId string) {
+func SetupWithUsername(basePath string, workingPath string, tempPath string, username string) error {
-	locale.Set(localeId)
+	sBasePath = basePath
+	sWorkingPath = workingPath
+	sTempPath = tempPath
+	sUser, err := user.Lookup(username)
+	if err != nil {
+		return err
+	}
+	sUserID, _ = strconv.Atoi(sUser.Uid)
+	sGroupID, _ = strconv.Atoi(sUser.Gid)
+	os.MkdirAll(sWorkingPath, 0o777)
+	os.MkdirAll(sTempPath, 0o777)
+	os.Chown(sWorkingPath, sUserID, sGroupID)
+	os.Chown(sTempPath, sUserID, sGroupID)
+	return nil
 }
 
 func Version() string {

experimental/libbox/tun.go

@@ -13,7 +13,7 @@ import (
 type TunOptions interface {
 	GetInet4Address() RoutePrefixIterator
 	GetInet6Address() RoutePrefixIterator
-	GetDNSServerAddress() (*StringBox, error)
+	GetDNSServerAddress() (string, error)
 	GetMTU() int32
 	GetAutoRoute() bool
 	GetStrictRoute() bool
@@ -89,11 +89,11 @@ func (o *tunOptions) GetInet6Address() RoutePrefixIterator {
 	return mapRoutePrefix(o.Inet6Address)
 }
 
-func (o *tunOptions) GetDNSServerAddress() (*StringBox, error) {
+func (o *tunOptions) GetDNSServerAddress() (string, error) {
 	if len(o.Inet4Address) == 0 || o.Inet4Address[0].Bits() == 32 {
-		return nil, E.New("need one more IPv4 address for DNS hijacking")
+		return "", E.New("need one more IPv4 address for DNS hijacking")
 	}
-	return wrapString(o.Inet4Address[0].Addr().Next().String()), nil
+	return o.Inet4Address[0].Addr().Next().String(), nil
 }
 
 func (o *tunOptions) GetMTU() int32 {

experimental/locale/locale.go

@@ -1,30 +0,0 @@
-package locale
-
-var (
-	localeRegistry = make(map[string]*Locale)
-	current        = defaultLocal
-)
-
-type Locale struct {
-	// deprecated messages for graphical clients
-	DeprecatedMessage       string
-	DeprecatedMessageNoLink string
-}
-
-var defaultLocal = &Locale{
-	DeprecatedMessage:       "%s is deprecated in sing-box %s and will be removed in sing-box %s please checkout documentation for migration.",
-	DeprecatedMessageNoLink: "%s is deprecated in sing-box %s and will be removed in sing-box %s.",
-}
-
-func Current() *Locale {
-	return current
-}
-
-func Set(localeId string) bool {
-	locale, loaded := localeRegistry[localeId]
-	if !loaded {
-		return false
-	}
-	current = locale
-	return true
-}

experimental/locale/locale_zh_CN.go

@@ -1,10 +0,0 @@
-package locale
-
-var warningMessageForEndUsers = "\n\n如果您不明白此消息意味着什么：您的配置文件已过时，且将很快不可用。请联系您的配置提供者以更新配置。"
-
-func init() {
-	localeRegistry["zh_CN"] = &Locale{
-		DeprecatedMessage:       "%s 已在 sing-box %s 中被弃用，且将在 sing-box %s 中被移除，请参阅迁移指南。" + warningMessageForEndUsers,
-		DeprecatedMessageNoLink: "%s 已在 sing-box %s 中被弃用，且将在 sing-box %s 中被移除。" + warningMessageForEndUsers,
-	}
-}

go.mod

@@ -17,7 +17,6 @@ require (
 	github.com/mholt/acmez v1.2.0
 	github.com/miekg/dns v1.1.62
 	github.com/oschwald/maxminddb-golang v1.12.0
-	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
 	github.com/sagernet/cors v1.2.1
@@ -26,29 +25,28 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20241123041152-536d05261cff
 	github.com/sagernet/quic-go v0.48.2-beta.1
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.6.0-beta.9
+	github.com/sagernet/sing v0.6.0-beta.2
 	github.com/sagernet/sing-dns v0.4.0-beta.1
 	github.com/sagernet/sing-mux v0.3.0-alpha.1
-	github.com/sagernet/sing-quic v0.4.0-beta.3
+	github.com/sagernet/sing-quic v0.4.0-alpha.4
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.2.0-alpha.2
-	github.com/sagernet/sing-tun v0.6.0-beta.7
+	github.com/sagernet/sing-tun v0.6.0-beta.1
-	github.com/sagernet/sing-vmess v0.2.0-beta.2
+	github.com/sagernet/sing-vmess v0.2.0-beta.1
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/utls v1.6.7
-	github.com/sagernet/wireguard-go v0.0.1-beta.5
+	github.com/sagernet/wireguard-go v0.0.1-beta.4
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
-	github.com/wiresock/ndisapi-go v0.0.0-20241230094942-3299a7566e08
 	go.uber.org/zap v1.27.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.31.0
+	golang.org/x/crypto v0.29.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 	golang.org/x/mod v0.20.0
 	golang.org/x/net v0.31.0
-	golang.org/x/sys v0.28.0
+	golang.org/x/sys v0.27.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	google.golang.org/grpc v1.63.2
 	google.golang.org/protobuf v1.33.0
@@ -60,9 +58,7 @@ require (
 require (
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.6 // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
@@ -70,7 +66,6 @@ require (
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -93,8 +88,8 @@ require (
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sync v0.9.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/text v0.20.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect

go.sum

@@ -4,8 +4,6 @@ github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sx
 github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/caddyserver/certmagic v0.20.0 h1:bTw7LcEZAh9ucYCRXyCpIrSAGplplI0vGYJ4BpCQ/Fc=
 github.com/caddyserver/certmagic v0.20.0/go.mod h1:N4sXgpICQUskEWpj7zVzvWD41p3NYacrNoZYiRM2jTg=
-github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
-github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -14,8 +12,6 @@ github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbe
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbYd8tQGRWacE9kU=
-github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
@@ -36,11 +32,8 @@ github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
@@ -96,8 +89,6 @@ github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1
 github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs=
 github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1 h1:qi+ijeREa0yfAaO+NOcZ81gv4uzOfALUIdhkiIFvmG4=
-github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1/go.mod h1:JULDuzTMn2gyZFcjpTVZP4/UuwAdbHJ0bum2RdjXojU=
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkkD2QgdTuzQG263YZ+2emfpeyGqW0=
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1 h1:YbmpqPQEMdlk9oFSKYWRqVuu9qzNiOayIonKmv1gCXY=
@@ -119,30 +110,30 @@ github.com/sagernet/quic-go v0.48.2-beta.1/go.mod h1:1WgdDIVD1Gybp40JTWketeSfKA/
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.6.0-beta.9 h1:P8lKa5hN53fRNAVCIKy5cWd6/kLO5c4slhdsfehSmHs=
+github.com/sagernet/sing v0.6.0-beta.2 h1:Dcutp3kxrsZes9q3oTiHQhYYjQvDn5rwp1OI9fDLYwQ=
-github.com/sagernet/sing v0.6.0-beta.9/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.6.0-beta.2/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-dns v0.4.0-beta.1 h1:W1XkdhigwxDOMgMDVB+9kdomCpb7ExsZfB4acPcTZFY=
 github.com/sagernet/sing-dns v0.4.0-beta.1/go.mod h1:8wuFcoFkWM4vJuQyg8e97LyvDwe0/Vl7G839WLcKDs8=
 github.com/sagernet/sing-mux v0.3.0-alpha.1 h1:IgNX5bJBpL41gGbp05pdDOvh/b5eUQ6cv9240+Ngipg=
 github.com/sagernet/sing-mux v0.3.0-alpha.1/go.mod h1:FTcImmdfW38Lz7b+HQ+mxxOth1lz4ao8uEnz+MwIJQE=
-github.com/sagernet/sing-quic v0.4.0-beta.3 h1:cOBjlhVdRZmBm6hIw1GleERpnTSFdBB2htgx5kQ5uqg=
+github.com/sagernet/sing-quic v0.4.0-alpha.4 h1:P9xAx3nIfcqb9M8jfgs0uLm+VxCcaY++FCqaBfHY3dQ=
-github.com/sagernet/sing-quic v0.4.0-beta.3/go.mod h1:1UNObFodd8CnS3aCT53x9cigjPSCl3P//8dfBMCwBDM=
+github.com/sagernet/sing-quic v0.4.0-alpha.4/go.mod h1:h5RkKTmUhudJKzK7c87FPXD5w1bJjVyxMN9+opZcctA=
 github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegEZaKMv9ipx8=
 github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.0-alpha.2 h1:RPrpgAdkP5td0vLfS5ldvYosFjSsZtRPxiyLV6jyKg0=
 github.com/sagernet/sing-shadowtls v0.2.0-alpha.2/go.mod h1:0j5XlzKxaWRIEjc1uiSKmVoWb0k+L9QgZVb876+thZA=
-github.com/sagernet/sing-tun v0.6.0-beta.7 h1:FCSX8oGBqb0H57AAvfGeeH/jMGYWCOg6XWkN/oeES+0=
+github.com/sagernet/sing-tun v0.6.0-beta.1 h1:oiliCesdz+Ewu6uwrUIRT6fjpm7+PZwjchpLYQDX9Pk=
-github.com/sagernet/sing-tun v0.6.0-beta.7/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
+github.com/sagernet/sing-tun v0.6.0-beta.1/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
-github.com/sagernet/sing-vmess v0.2.0-beta.2 h1:obAkAL35X7ql4RnGzDg4dBYIRpGXRKqcN4LyLZpZGSs=
+github.com/sagernet/sing-vmess v0.2.0-beta.1 h1:5sXQ23uwNlZuDvygzi0dFtnG0Csm/SNqTjAHXJkpuj4=
-github.com/sagernet/sing-vmess v0.2.0-beta.2/go.mod h1:HGhf9XUdeE2iOWrX0hQNFgXPbKyGlzpeYFyX0c/pykk=
+github.com/sagernet/sing-vmess v0.2.0-beta.1/go.mod h1:fLyE1emIcvQ5DV8reFWnufquZ7MkCSYM5ThodsR9NrQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
 github.com/sagernet/utls v1.6.7 h1:Ep3+aJ8FUGGta+II2IEVNUc3EDhaRCZINWkj/LloIA8=
 github.com/sagernet/utls v1.6.7/go.mod h1:Uua1TKO/FFuAhLr9rkaVnnrTmmiItzDjv1BUb2+ERwM=
-github.com/sagernet/wireguard-go v0.0.1-beta.5 h1:aBEsxJUMEONwOZqKPIkuAcv4zJV5p6XlzEN04CF0FXc=
+github.com/sagernet/wireguard-go v0.0.1-beta.4 h1:8uyM5fxfEXdu4RH05uOK+v25i3lTNdCYMPSAUJ14FnI=
-github.com/sagernet/wireguard-go v0.0.1-beta.5/go.mod h1:jGXij2Gn2wbrWuYNUmmNhf1dwcZtvyAvQoe8Xd8MbUo=
+github.com/sagernet/wireguard-go v0.0.1-beta.4/go.mod h1:jGXij2Gn2wbrWuYNUmmNhf1dwcZtvyAvQoe8Xd8MbUo=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854/go.mod h1:LtfoSK3+NG57tvnVEHgcuBW9ujgE8enPSgzgwStwCAA=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
@@ -158,8 +149,6 @@ github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gV
 github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-github.com/wiresock/ndisapi-go v0.0.0-20241230094942-3299a7566e08 h1:is+7xN6CAKtgxt3mDSl9OQNvjfi6LggugSP07QhDtws=
-github.com/wiresock/ndisapi-go v0.0.0-20241230094942-3299a7566e08/go.mod h1:lFE7JYt3LC2UYJ31mRDwl/K35pbtxDnkSDlXrYzgyqg=
 github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
 github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
@@ -174,8 +163,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
@@ -184,8 +173,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
 golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -193,22 +182,19 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
 golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
 golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=

include/ndis.go

@@ -1,12 +0,0 @@
-//go:build windows && with_gvisor
-
-package include
-
-import (
-	"github.com/sagernet/sing-box/adapter/inbound"
-	"github.com/sagernet/sing-box/protocol/ndis"
-)
-
-func registerNDISInbound(registry *inbound.Registry) {
-	ndis.RegisterInbound(registry)
-}

include/ndis_nongvisor_stub.go

@@ -1,20 +0,0 @@
-//go:build windows && !with_gvisor
-
-package include
-
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/adapter/inbound"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-tun"
-)
-
-func registerNDISInbound(registry *inbound.Registry) {
-	inbound.Register[option.NDISInboundOptions](registry, C.TypeNDIS, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.NDISInboundOptions) (adapter.Inbound, error) {
-		return nil, tun.ErrGVisorNotIncluded
-	})
-}

include/ndis_nonwindows_stub.go

@@ -1,20 +0,0 @@
-//go:build !windows
-
-package include
-
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/adapter/inbound"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-func registerNDISInbound(registry *inbound.Registry) {
-	inbound.Register[option.NDISInboundOptions](registry, C.TypeNDIS, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.NDISInboundOptions) (adapter.Inbound, error) {
-		return nil, E.New("NDIS is only supported in windows")
-	})
-}

include/registry.go

@@ -51,7 +51,6 @@ func InboundRegistry() *inbound.Registry {
 
 	registerQUICInbounds(registry)
 	registerStubForRemovedInbounds(registry)
-	registerNDISInbound(registry)
 
 	return registry
 }

option/debug.go

@@ -13,7 +13,7 @@ type DebugOptions struct {
 	PanicOnFault *bool       `json:"panic_on_fault,omitempty"`
 	TraceBack    string      `json:"trace_back,omitempty"`
 	MemoryLimit  MemoryBytes `json:"memory_limit,omitempty"`
-	OOMKiller    bool        `json:"oom_killer,omitempty"`
+	OOMKiller    *bool       `json:"oom_killer,omitempty"`
 }
 
 type MemoryBytes uint64

option/hysteria2.go

@@ -1,15 +1,5 @@
 package option
 
-import (
-	"net/url"
-
-	C "github.com/sagernet/sing-box/constant"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json"
-	"github.com/sagernet/sing/common/json/badjson"
-	"github.com/sagernet/sing/common/json/badoption"
-)
-
 type Hysteria2InboundOptions struct {
 	ListenOptions
 	UpMbps                int             `json:"up_mbps,omitempty"`
@@ -18,8 +8,8 @@ type Hysteria2InboundOptions struct {
 	Users                 []Hysteria2User `json:"users,omitempty"`
 	IgnoreClientBandwidth bool            `json:"ignore_client_bandwidth,omitempty"`
 	InboundTLSOptionsContainer
-	Masquerade  *Hysteria2Masquerade `json:"masquerade,omitempty"`
+	Masquerade  string `json:"masquerade,omitempty"`
-	BrutalDebug bool                 `json:"brutal_debug,omitempty"`
+	BrutalDebug bool   `json:"brutal_debug,omitempty"`
 }
 
 type Hysteria2Obfs struct {
@@ -32,92 +22,14 @@ type Hysteria2User struct {
 	Password string `json:"password,omitempty"`
 }
 
-type _Hysteria2Masquerade struct {
-	Type          string                    `json:"type,omitempty"`
-	FileOptions   Hysteria2MasqueradeFile   `json:"-"`
-	ProxyOptions  Hysteria2MasqueradeProxy  `json:"-"`
-	StringOptions Hysteria2MasqueradeString `json:"-"`
-}
-
-type Hysteria2Masquerade _Hysteria2Masquerade
-
-func (m Hysteria2Masquerade) MarshalJSON() ([]byte, error) {
-	var v any
-	switch m.Type {
-	case C.Hysterai2MasqueradeTypeFile:
-		v = m.FileOptions
-	case C.Hysterai2MasqueradeTypeProxy:
-		v = m.ProxyOptions
-	case C.Hysterai2MasqueradeTypeString:
-		v = m.StringOptions
-	default:
-		return nil, E.New("unknown masquerade type: ", m.Type)
-	}
-	return badjson.MarshallObjects((_Hysteria2Masquerade)(m), v)
-}
-
-func (m *Hysteria2Masquerade) UnmarshalJSON(bytes []byte) error {
-	var urlString string
-	err := json.Unmarshal(bytes, &urlString)
-	if err == nil {
-		masqueradeURL, err := url.Parse(urlString)
-		if err != nil {
-			return E.Cause(err, "invalid masquerade URL")
-		}
-		switch masqueradeURL.Scheme {
-		case "file":
-			m.Type = C.Hysterai2MasqueradeTypeFile
-			m.FileOptions.Directory = masqueradeURL.Path
-		case "http", "https":
-			m.Type = C.Hysterai2MasqueradeTypeProxy
-			m.ProxyOptions.URL = urlString
-		default:
-			return E.New("unknown masquerade URL scheme: ", masqueradeURL.Scheme)
-		}
-	}
-	err = json.Unmarshal(bytes, (*_Hysteria2Masquerade)(m))
-	if err != nil {
-		return err
-	}
-	var v any
-	switch m.Type {
-	case C.Hysterai2MasqueradeTypeFile:
-		v = &m.FileOptions
-	case C.Hysterai2MasqueradeTypeProxy:
-		v = &m.ProxyOptions
-	case C.Hysterai2MasqueradeTypeString:
-		v = &m.StringOptions
-	default:
-		return E.New("unknown masquerade type: ", m.Type)
-	}
-	return badjson.UnmarshallExcluded(bytes, (*_Hysteria2Masquerade)(m), v)
-}
-
-type Hysteria2MasqueradeFile struct {
-	Directory string `json:"directory"`
-}
-
-type Hysteria2MasqueradeProxy struct {
-	URL         string `json:"url"`
-	RewriteHost bool   `json:"rewrite_host,omitempty"`
-}
-
-type Hysteria2MasqueradeString struct {
-	StatusCode int                  `json:"status_code,omitempty"`
-	Headers    badoption.HTTPHeader `json:"headers,omitempty"`
-	Content    string               `json:"content"`
-}
-
 type Hysteria2OutboundOptions struct {
 	DialerOptions
 	ServerOptions
-	ServerPorts badoption.Listable[string] `json:"server_ports,omitempty"`
+	UpMbps   int            `json:"up_mbps,omitempty"`
-	HopInterval badoption.Duration         `json:"hop_interval,omitempty"`
+	DownMbps int            `json:"down_mbps,omitempty"`
-	UpMbps      int                        `json:"up_mbps,omitempty"`
+	Obfs     *Hysteria2Obfs `json:"obfs,omitempty"`
-	DownMbps    int                        `json:"down_mbps,omitempty"`
+	Password string         `json:"password,omitempty"`
-	Obfs        *Hysteria2Obfs             `json:"obfs,omitempty"`
+	Network  NetworkList    `json:"network,omitempty"`
-	Password    string                     `json:"password,omitempty"`
-	Network     NetworkList                `json:"network,omitempty"`
 	OutboundTLSOptionsContainer
 	BrutalDebug bool `json:"brutal_debug,omitempty"`
 }

option/ndis.go

@@ -1,17 +0,0 @@
-package option
-
-import (
-	"net/netip"
-
-	"github.com/sagernet/sing/common/json/badoption"
-)
-
-type NDISInboundOptions struct {
-	Network                NetworkList                      `json:"network,omitempty"`
-	RouteAddress           badoption.Listable[netip.Prefix] `json:"route_address,omitempty"`
-	RouteAddressSet        badoption.Listable[string]       `json:"route_address_set,omitempty"`
-	RouteExcludeAddress    badoption.Listable[netip.Prefix] `json:"route_exclude_address,omitempty"`
-	RouteExcludeAddressSet badoption.Listable[string]       `json:"route_exclude_address_set,omitempty"`
-	InterfaceName          string                           `json:"interface_name,omitempty"`
-	UDPTimeout             UDPTimeoutCompat                 `json:"udp_timeout,omitempty"`
-}

option/outbound.go

@@ -65,24 +65,25 @@ type DialerOptionsWrapper interface {
 }
 
 type DialerOptions struct {
-	Detour              string                            `json:"detour,omitempty"`
+	Detour               string                            `json:"detour,omitempty"`
-	BindInterface       string                            `json:"bind_interface,omitempty"`
+	BindInterface        string                            `json:"bind_interface,omitempty"`
-	Inet4BindAddress    *badoption.Addr                   `json:"inet4_bind_address,omitempty"`
+	Inet4BindAddress     *badoption.Addr                   `json:"inet4_bind_address,omitempty"`
-	Inet6BindAddress    *badoption.Addr                   `json:"inet6_bind_address,omitempty"`
+	Inet6BindAddress     *badoption.Addr                   `json:"inet6_bind_address,omitempty"`
-	ProtectPath         string                            `json:"protect_path,omitempty"`
+	ProtectPath          string                            `json:"protect_path,omitempty"`
-	RoutingMark         FwMark                            `json:"routing_mark,omitempty"`
+	RoutingMark          FwMark                            `json:"routing_mark,omitempty"`
-	ReuseAddr           bool                              `json:"reuse_addr,omitempty"`
+	ReuseAddr            bool                              `json:"reuse_addr,omitempty"`
-	ConnectTimeout      badoption.Duration                `json:"connect_timeout,omitempty"`
+	ConnectTimeout       badoption.Duration                `json:"connect_timeout,omitempty"`
-	TCPFastOpen         bool                              `json:"tcp_fast_open,omitempty"`
+	TCPFastOpen          bool                              `json:"tcp_fast_open,omitempty"`
-	TCPMultiPath        bool                              `json:"tcp_multi_path,omitempty"`
+	TCPMultiPath         bool                              `json:"tcp_multi_path,omitempty"`
-	UDPFragment         *bool                             `json:"udp_fragment,omitempty"`
+	UDPFragment          *bool                             `json:"udp_fragment,omitempty"`
-	UDPFragmentDefault  bool                              `json:"-"`
+	UDPFragmentDefault   bool                              `json:"-"`
-	DomainStrategy      DomainStrategy                    `json:"domain_strategy,omitempty"`
+	DomainStrategy       DomainStrategy                    `json:"domain_strategy,omitempty"`
-	NetworkStrategy     *NetworkStrategy                  `json:"network_strategy,omitempty"`
+	NetworkStrategy      NetworkStrategy                   `json:"network_strategy,omitempty"`
-	NetworkType         badoption.Listable[InterfaceType] `json:"network_type,omitempty"`
+	NetworkType          badoption.Listable[InterfaceType] `json:"network_type,omitempty"`
-	FallbackNetworkType badoption.Listable[InterfaceType] `json:"fallback_network_type,omitempty"`
+	FallbackNetworkType  badoption.Listable[InterfaceType] `json:"fallback_network_type,omitempty"`
-	FallbackDelay       badoption.Duration                `json:"fallback_delay,omitempty"`
+	FallbackDelay        badoption.Duration                `json:"fallback_delay,omitempty"`
-	IsWireGuardListener bool                              `json:"-"`
+	NetworkFallbackDelay badoption.Duration                `json:"network_fallback_delay,omitempty"`
+	IsWireGuardListener  bool                              `json:"-"`
 }
 
 func (o *DialerOptions) TakeDialerOptions() DialerOptions {

option/route.go

@@ -12,8 +12,8 @@ type RouteOptions struct {
 	AutoDetectInterface        bool                              `json:"auto_detect_interface,omitempty"`
 	OverrideAndroidVPN         bool                              `json:"override_android_vpn,omitempty"`
 	DefaultInterface           string                            `json:"default_interface,omitempty"`
-	DefaultMark                FwMark                            `json:"default_mark,omitempty"`
+	DefaultMark                uint32                            `json:"default_mark,omitempty"`
-	DefaultNetworkStrategy     *NetworkStrategy                  `json:"default_network_strategy,omitempty"`
+	DefaultNetworkStrategy     NetworkStrategy                   `json:"default_network_strategy,omitempty"`
 	DefaultNetworkType         badoption.Listable[InterfaceType] `json:"default_network_type,omitempty"`
 	DefaultFallbackNetworkType badoption.Listable[InterfaceType] `json:"default_fallback_network_type,omitempty"`
 	DefaultFallbackDelay       badoption.Duration                `json:"default_fallback_delay,omitempty"`

option/rule_action.go

@@ -145,8 +145,8 @@ type RawRouteOptionsActionOptions struct {
 	OverrideAddress string `json:"override_address,omitempty"`
 	OverridePort    uint16 `json:"override_port,omitempty"`
 
-	NetworkStrategy *NetworkStrategy `json:"network_strategy,omitempty"`
+	NetworkStrategy NetworkStrategy `json:"network_strategy,omitempty"`
-	FallbackDelay   uint32           `json:"fallback_delay,omitempty"`
+	FallbackDelay   uint32          `json:"fallback_delay,omitempty"`
 
 	UDPDisableDomainUnmapping bool               `json:"udp_disable_domain_unmapping,omitempty"`
 	UDPConnect                bool               `json:"udp_connect,omitempty"`

option/rule_set.go

@@ -194,9 +194,8 @@ func (r LogicalHeadlessRule) IsValid() bool {
 }
 
 type _PlainRuleSetCompat struct {
-	Version    uint8           `json:"version"`
+	Version uint8        `json:"version"`
-	Options    PlainRuleSet    `json:"-"`
+	Options PlainRuleSet `json:"-"`
-	RawMessage json.RawMessage `json:"-"`
 }
 
 type PlainRuleSetCompat _PlainRuleSetCompat
@@ -230,7 +229,6 @@ func (r *PlainRuleSetCompat) UnmarshalJSON(bytes []byte) error {
 	if err != nil {
 		return err
 	}
-	r.RawMessage = bytes
 	return nil
 }
 

protocol/direct/inbound.go

@@ -97,7 +97,6 @@ func (i *Inbound) NewPacketEx(buffer *buf.Buffer, source M.Socksaddr) {
 func (i *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
 	metadata.Inbound = i.Tag()
 	metadata.InboundType = i.Type()
-	metadata.Destination = M.SocksaddrFromNet(conn.LocalAddr())
 	switch i.overrideOption {
 	case 1:
 		metadata.Destination = i.overrideDestination
@@ -108,9 +107,7 @@ func (i *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata a
 	case 3:
 		metadata.Destination.Port = i.overrideDestination.Port
 	}
-	if i.overrideOption != 0 {
+	i.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
-		i.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
-	}
 	i.router.RouteConnectionEx(ctx, conn, metadata, onClose)
 }
 

protocol/direct/outbound.go

@@ -32,12 +32,16 @@ var (
 
 type Outbound struct {
 	outbound.Adapter
-	logger              logger.ContextLogger
+	logger               logger.ContextLogger
-	dialer              dialer.ParallelInterfaceDialer
+	dialer               dialer.ParallelInterfaceDialer
-	domainStrategy      dns.DomainStrategy
+	domainStrategy       dns.DomainStrategy
-	fallbackDelay       time.Duration
+	fallbackDelay        time.Duration
-	overrideOption      int
+	networkStrategy      C.NetworkStrategy
-	overrideDestination M.Socksaddr
+	networkType          []C.InterfaceType
+	fallbackNetworkType  []C.InterfaceType
+	networkFallbackDelay time.Duration
+	overrideOption       int
+	overrideDestination  M.Socksaddr
 	// loopBack *loopBackDetector
 }
 
@@ -48,11 +52,15 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		return nil, err
 	}
 	outbound := &Outbound{
-		Adapter:        outbound.NewAdapterWithDialerOptions(C.TypeDirect, tag, []string{N.NetworkTCP, N.NetworkUDP}, options.DialerOptions),
+		Adapter:              outbound.NewAdapterWithDialerOptions(C.TypeDirect, tag, []string{N.NetworkTCP, N.NetworkUDP}, options.DialerOptions),
-		logger:         logger,
+		logger:               logger,
-		domainStrategy: dns.DomainStrategy(options.DomainStrategy),
+		domainStrategy:       dns.DomainStrategy(options.DomainStrategy),
-		fallbackDelay:  time.Duration(options.FallbackDelay),
+		fallbackDelay:        time.Duration(options.FallbackDelay),
-		dialer:         outboundDialer,
+		networkStrategy:      C.NetworkStrategy(options.NetworkStrategy),
+		networkType:          common.Map(options.NetworkType, option.InterfaceType.Build),
+		fallbackNetworkType:  common.Map(options.FallbackNetworkType, option.InterfaceType.Build),
+		networkFallbackDelay: time.Duration(options.NetworkFallbackDelay),
+		dialer:               outboundDialer,
 		// loopBack:       newLoopBackDetector(router),
 	}
 	//nolint:staticcheck
@@ -170,10 +178,10 @@ func (h *Outbound) DialParallel(ctx context.Context, network string, destination
 			return nil, E.New("no IPv6 address available for ", destination)
 		}
 	}
-	return dialer.DialParallelNetwork(ctx, h.dialer, network, destination, destinationAddresses, domainStrategy == dns.DomainStrategyPreferIPv6, nil, nil, nil, h.fallbackDelay)
+	return dialer.DialParallelNetwork(ctx, h.dialer, network, destination, destinationAddresses, domainStrategy == dns.DomainStrategyPreferIPv6, h.networkStrategy, h.networkType, h.fallbackNetworkType, h.fallbackDelay)
 }
 
-func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, networkStrategy *C.NetworkStrategy, networkType []C.InterfaceType, fallbackNetworkType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, networkStrategy C.NetworkStrategy, networkType []C.InterfaceType, fallbackNetworkType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
@@ -213,7 +221,7 @@ func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, dest
 	return dialer.DialParallelNetwork(ctx, h.dialer, network, destination, destinationAddresses, domainStrategy == dns.DomainStrategyPreferIPv6, networkStrategy, networkType, fallbackNetworkType, fallbackDelay)
 }
 
-func (h *Outbound) ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, networkStrategy *C.NetworkStrategy, networkType []C.InterfaceType, fallbackNetworkType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
+func (h *Outbound) ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, networkStrategy C.NetworkStrategy, networkType []C.InterfaceType, fallbackNetworkType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination

protocol/dns/outbound.go

@@ -42,21 +42,20 @@ func (d *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	return nil, os.ErrInvalid
 }
 
-func (d *Outbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+// Deprecated
+func (d *Outbound) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	metadata.Destination = M.Socksaddr{}
+	defer conn.Close()
 	for {
 		conn.SetReadDeadline(time.Now().Add(C.DNSTimeout))
 		err := HandleStreamDNSRequest(ctx, d.router, conn, metadata)
 		if err != nil {
-			conn.Close()
+			return err
-			if onClose != nil {
-				onClose(err)
-			}
-			return
 		}
 	}
 }
 
-func (d *Outbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+// Deprecated
-	NewDNSPacketConnection(ctx, d.router, conn, nil, metadata)
+func (d *Outbound) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return NewDNSPacketConnection(ctx, d.router, conn, nil, metadata)
 }

protocol/http/inbound.go

@@ -82,16 +82,16 @@ func (h *Inbound) Close() error {
 }
 
 func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	var err error
 	if h.tlsConfig != nil {
-		tlsConn, err := tls.ServerHandshake(ctx, conn, h.tlsConfig)
+		conn, err = tls.ServerHandshake(ctx, conn, h.tlsConfig)
 		if err != nil {
 			N.CloseOnHandshakeFailure(conn, onClose, err)
 			h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source, ": TLS handshake"))
 			return
 		}
-		conn = tlsConn
 	}
-	err := http.HandleConnectionEx(ctx, conn, std_bufio.NewReader(conn), h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, onClose)
+	err = http.HandleConnectionEx(ctx, conn, std_bufio.NewReader(conn), h.authenticator, nil, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
 		h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source))

protocol/hysteria/inbound.go

@@ -67,7 +67,7 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 	if len(options.Down) > 0 {
 		receiveBps, err = humanize.ParseBytes(options.Down)
 		if err != nil {
-			return nil, E.Cause(err, "invalid down speed format: ", options.Down)
+			return nil, E.New("invalid down speed format: ", options.Down)
 		}
 	} else {
 		receiveBps = uint64(options.DownMbps) * hysteria.MbpsToBps

protocol/hysteria2/inbound.go

@@ -60,40 +60,26 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		}
 	}
 	var masqueradeHandler http.Handler
-	if options.Masquerade != nil && options.Masquerade.Type != "" {
+	if options.Masquerade != "" {
-		switch options.Masquerade.Type {
+		masqueradeURL, err := url.Parse(options.Masquerade)
-		case C.Hysterai2MasqueradeTypeFile:
+		if err != nil {
-			masqueradeHandler = http.FileServer(http.Dir(options.Masquerade.FileOptions.Directory))
+			return nil, E.Cause(err, "parse masquerade URL")
-		case C.Hysterai2MasqueradeTypeProxy:
+		}
-			masqueradeURL, err := url.Parse(options.Masquerade.ProxyOptions.URL)
+		switch masqueradeURL.Scheme {
-			if err != nil {
+		case "file":
-				return nil, E.Cause(err, "parse masquerade URL")
+			masqueradeHandler = http.FileServer(http.Dir(masqueradeURL.Path))
-			}
+		case "http", "https":
 			masqueradeHandler = &httputil.ReverseProxy{
 				Rewrite: func(r *httputil.ProxyRequest) {
 					r.SetURL(masqueradeURL)
-					if !options.Masquerade.ProxyOptions.RewriteHost {
+					r.Out.Host = r.In.Host
-						r.Out.Host = r.In.Host
-					}
 				},
 				ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) {
 					w.WriteHeader(http.StatusBadGateway)
 				},
 			}
-		case C.Hysterai2MasqueradeTypeString:
-			masqueradeHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				if options.Masquerade.StringOptions.StatusCode != 0 {
-					w.WriteHeader(options.Masquerade.StringOptions.StatusCode)
-				}
-				for key, values := range options.Masquerade.StringOptions.Headers {
-					for _, value := range values {
-						w.Header().Add(key, value)
-					}
-				}
-				w.Write([]byte(options.Masquerade.StringOptions.Content))
-			})
 		default:
-			return nil, E.New("unknown masquerade type: ", options.Masquerade.Type)
+			return nil, E.New("unknown masquerade URL scheme: ", masqueradeURL.Scheme)
 		}
 	}
 	inbound := &Inbound{

protocol/hysteria2/outbound.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"net"
 	"os"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/adapter/outbound"
@@ -71,8 +70,6 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		Logger:             logger,
 		BrutalDebug:        options.BrutalDebug,
 		ServerAddress:      options.ServerOptions.Build(),
-		ServerPorts:        options.ServerPorts,
-		HopInterval:        time.Duration(options.HopInterval),
 		SendBPS:            uint64(options.UpMbps * hysteria.MbpsToBps),
 		ReceiveBPS:         uint64(options.DownMbps * hysteria.MbpsToBps),
 		SalamanderPassword: salamanderPassword,

protocol/mixed/inbound.go

@@ -85,9 +85,9 @@ func (h *Inbound) newConnection(ctx context.Context, conn net.Conn, metadata ada
 	}
 	switch headerBytes[0] {
 	case socks4.Version, socks5.Version:
-		return socks.HandleConnectionEx(ctx, conn, reader, h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, onClose)
+		return socks.HandleConnectionEx(ctx, conn, reader, h.authenticator, nil, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, metadata.Destination, onClose)
 	default:
-		return http.HandleConnectionEx(ctx, conn, reader, h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, onClose)
+		return http.HandleConnectionEx(ctx, conn, reader, h.authenticator, nil, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, onClose)
 	}
 }
 
@@ -110,19 +110,11 @@ func (h *Inbound) streamUserPacketConnection(ctx context.Context, conn N.PacketC
 	metadata.InboundType = h.Type()
 	user, loaded := auth.UserFromContext[string](ctx)
 	if !loaded {
-		if !metadata.Destination.IsValid() {
+		h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
-			h.logger.InfoContext(ctx, "inbound packet connection")
-		} else {
-			h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
-		}
 		h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 		return
 	}
 	metadata.User = user
-	if !metadata.Destination.IsValid() {
+	h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
-		h.logger.InfoContext(ctx, "[", user, "] inbound packet connection")
-	} else {
-		h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
-	}
 	h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 }

protocol/ndis/endpoint.go

@@ -1,110 +0,0 @@
-//go:build windows
-
-package ndis
-
-import (
-	"sync"
-
-	"github.com/sagernet/gvisor/pkg/buffer"
-	"github.com/sagernet/gvisor/pkg/tcpip"
-	"github.com/sagernet/gvisor/pkg/tcpip/header"
-	"github.com/sagernet/gvisor/pkg/tcpip/stack"
-
-	"github.com/wiresock/ndisapi-go"
-	"github.com/wiresock/ndisapi-go/driver"
-)
-
-var _ stack.LinkEndpoint = (*ndisEndpoint)(nil)
-
-type ndisEndpoint struct {
-	filter     *driver.QueuedPacketFilter
-	mtu        uint32
-	address    tcpip.LinkAddress
-	dispatcher stack.NetworkDispatcher
-}
-
-func (e *ndisEndpoint) MTU() uint32 {
-	return e.mtu
-}
-
-func (e *ndisEndpoint) SetMTU(mtu uint32) {
-}
-
-func (e *ndisEndpoint) MaxHeaderLength() uint16 {
-	return header.EthernetMinimumSize
-}
-
-func (e *ndisEndpoint) LinkAddress() tcpip.LinkAddress {
-	return e.address
-}
-
-func (e *ndisEndpoint) SetLinkAddress(addr tcpip.LinkAddress) {
-}
-
-func (e *ndisEndpoint) Capabilities() stack.LinkEndpointCapabilities {
-	return 0
-}
-
-func (e *ndisEndpoint) Attach(dispatcher stack.NetworkDispatcher) {
-	e.dispatcher = dispatcher
-}
-
-func (e *ndisEndpoint) IsAttached() bool {
-	return e.dispatcher != nil
-}
-
-func (e *ndisEndpoint) Wait() {
-}
-
-func (e *ndisEndpoint) ARPHardwareType() header.ARPHardwareType {
-	return header.ARPHardwareEther
-}
-
-func (e *ndisEndpoint) AddHeader(pkt *stack.PacketBuffer) {
-	eth := header.Ethernet(pkt.LinkHeader().Push(header.EthernetMinimumSize))
-	fields := header.EthernetFields{
-		SrcAddr: pkt.EgressRoute.LocalLinkAddress,
-		DstAddr: pkt.EgressRoute.RemoteLinkAddress,
-		Type:    pkt.NetworkProtocolNumber,
-	}
-	eth.Encode(&fields)
-}
-
-func (e *ndisEndpoint) ParseHeader(pkt *stack.PacketBuffer) bool {
-	_, ok := pkt.LinkHeader().Consume(header.EthernetMinimumSize)
-	return ok
-}
-
-func (e *ndisEndpoint) Close() {
-}
-
-func (e *ndisEndpoint) SetOnCloseAction(f func()) {
-}
-
-var bufferPool = sync.Pool{
-	New: func() any {
-		return new(ndisapi.IntermediateBuffer)
-	},
-}
-
-func (e *ndisEndpoint) WritePackets(list stack.PacketBufferList) (int, tcpip.Error) {
-	for _, packetBuffer := range list.AsSlice() {
-		ndisBuf := bufferPool.Get().(*ndisapi.IntermediateBuffer)
-		viewList, offset := packetBuffer.AsViewList()
-		var view *buffer.View
-		for view = viewList.Front(); view != nil && offset >= view.Size(); view = view.Next() {
-			offset -= view.Size()
-		}
-		index := copy(ndisBuf.Buffer[:], view.AsSlice()[offset:])
-		for view = view.Next(); view != nil; view = view.Next() {
-			index += copy(ndisBuf.Buffer[index:], view.AsSlice())
-		}
-		ndisBuf.Length = uint32(index)
-		err := e.filter.InsertPacketToMstcp(ndisBuf)
-		bufferPool.Put(ndisBuf)
-		if err != nil {
-			return 0, &tcpip.ErrAborted{}
-		}
-	}
-	return list.Len(), nil
-}

protocol/ndis/inbound.go

@@ -1,203 +0,0 @@
-//go:build windows
-
-package ndis
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/adapter/inbound"
-	"github.com/sagernet/sing-box/common/conntrack"
-	"github.com/sagernet/sing-box/common/taskmonitor"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/x/list"
-	"github.com/sagernet/sing/service"
-
-	"github.com/wiresock/ndisapi-go"
-	"go4.org/netipx"
-)
-
-func RegisterInbound(registry *inbound.Registry) {
-	inbound.Register[option.NDISInboundOptions](registry, C.TypeNDIS, NewInbound)
-}
-
-type Inbound struct {
-	inbound.Adapter
-	ctx                         context.Context
-	router                      adapter.Router
-	logger                      log.ContextLogger
-	api                         *ndisapi.NdisApi
-	tracker                     conntrack.Tracker
-	routeAddress                []netip.Prefix
-	routeExcludeAddress         []netip.Prefix
-	routeRuleSet                []adapter.RuleSet
-	routeRuleSetCallback        []*list.Element[adapter.RuleSetUpdateCallback]
-	routeExcludeRuleSet         []adapter.RuleSet
-	routeExcludeRuleSetCallback []*list.Element[adapter.RuleSetUpdateCallback]
-	stack                       *Stack
-}
-
-func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.NDISInboundOptions) (adapter.Inbound, error) {
-	api, err := ndisapi.NewNdisApi()
-	if err != nil {
-		return nil, E.Cause(err, "create NDIS API")
-	}
-	//if !api.IsDriverLoaded() {
-	//	return nil, E.New("missing NDIS driver")
-	//}
-	networkManager := service.FromContext[adapter.NetworkManager](ctx)
-	trackerOut := service.FromContext[conntrack.Tracker](ctx)
-	var udpTimeout time.Duration
-	if options.UDPTimeout != 0 {
-		udpTimeout = time.Duration(options.UDPTimeout)
-	} else {
-		udpTimeout = C.UDPTimeout
-	}
-	var (
-		routeRuleSet        []adapter.RuleSet
-		routeExcludeRuleSet []adapter.RuleSet
-	)
-	for _, routeAddressSet := range options.RouteAddressSet {
-		ruleSet, loaded := router.RuleSet(routeAddressSet)
-		if !loaded {
-			return nil, E.New("parse route_address_set: rule-set not found: ", routeAddressSet)
-		}
-		ruleSet.IncRef()
-		routeRuleSet = append(routeRuleSet, ruleSet)
-	}
-	for _, routeExcludeAddressSet := range options.RouteExcludeAddressSet {
-		ruleSet, loaded := router.RuleSet(routeExcludeAddressSet)
-		if !loaded {
-			return nil, E.New("parse route_exclude_address_set: rule-set not found: ", routeExcludeAddressSet)
-		}
-		ruleSet.IncRef()
-		routeExcludeRuleSet = append(routeExcludeRuleSet, ruleSet)
-	}
-	trackerIn := conntrack.NewDefaultTracker(false, 0)
-	return &Inbound{
-		Adapter:             inbound.NewAdapter(C.TypeNDIS, tag),
-		ctx:                 ctx,
-		router:              router,
-		logger:              logger,
-		api:                 api,
-		tracker:             trackerIn,
-		routeRuleSet:        routeRuleSet,
-		routeExcludeRuleSet: routeExcludeRuleSet,
-		stack: &Stack{
-			ctx:                 ctx,
-			logger:              logger,
-			network:             networkManager,
-			trackerIn:           trackerIn,
-			trackerOut:          trackerOut,
-			api:                 api,
-			udpTimeout:          udpTimeout,
-			routeAddress:        options.RouteAddress,
-			routeExcludeAddress: options.RouteExcludeAddress,
-		},
-	}, nil
-}
-
-func (t *Inbound) Start(stage adapter.StartStage) error {
-	switch stage {
-	case adapter.StartStateStart:
-		monitor := taskmonitor.New(t.logger, C.StartTimeout)
-		var (
-			routeAddressSet        []*netipx.IPSet
-			routeExcludeAddressSet []*netipx.IPSet
-		)
-		for _, routeRuleSet := range t.routeRuleSet {
-			ipSets := routeRuleSet.ExtractIPSet()
-			if len(ipSets) == 0 {
-				t.logger.Warn("route_address_set: no destination IP CIDR rules found in rule-set: ", routeRuleSet.Name())
-			}
-			t.routeRuleSetCallback = append(t.routeRuleSetCallback, routeRuleSet.RegisterCallback(t.updateRouteAddressSet))
-			routeRuleSet.DecRef()
-			routeAddressSet = append(routeAddressSet, ipSets...)
-		}
-		for _, routeExcludeRuleSet := range t.routeExcludeRuleSet {
-			ipSets := routeExcludeRuleSet.ExtractIPSet()
-			if len(ipSets) == 0 {
-				t.logger.Warn("route_exclude_address_set: no destination IP CIDR rules found in rule-set: ", routeExcludeRuleSet.Name())
-			}
-			t.routeExcludeRuleSetCallback = append(t.routeExcludeRuleSetCallback, routeExcludeRuleSet.RegisterCallback(t.updateRouteAddressSet))
-			routeExcludeRuleSet.DecRef()
-			routeExcludeAddressSet = append(routeExcludeAddressSet, ipSets...)
-		}
-		t.stack.routeAddressSet = routeAddressSet
-		t.stack.routeExcludeAddressSet = routeExcludeAddressSet
-		monitor.Start("starting NDIS stack")
-		t.stack.handler = t
-		err := t.stack.Start()
-		monitor.Finish()
-		if err != nil {
-			return E.Cause(err, "starting NDIS stack")
-		}
-	}
-	return nil
-}
-
-func (t *Inbound) Close() error {
-	if t.api != nil {
-		t.stack.Close()
-		t.api.Close()
-	}
-	return nil
-}
-
-func (t *Inbound) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr) error {
-	return t.router.PreMatch(adapter.InboundContext{
-		Inbound:     t.Tag(),
-		InboundType: C.TypeNDIS,
-		Network:     network,
-		Source:      source,
-		Destination: destination,
-	})
-}
-
-func (t *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	ctx = log.ContextWithNewID(ctx)
-	var metadata adapter.InboundContext
-	metadata.Inbound = t.Tag()
-	metadata.InboundType = C.TypeNDIS
-	metadata.Source = source
-	metadata.Destination = destination
-	t.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
-	t.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
-	done, err := t.tracker.NewConnEx(conn)
-	if err != nil {
-		t.logger.ErrorContext(ctx, E.Cause(err, "track inbound connection"))
-		return
-	}
-	t.router.RouteConnectionEx(ctx, conn, metadata, N.AppendClose(onClose, done))
-}
-
-func (t *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	ctx = log.ContextWithNewID(ctx)
-	var metadata adapter.InboundContext
-	metadata.Inbound = t.Tag()
-	metadata.InboundType = C.TypeNDIS
-	metadata.Source = source
-	metadata.Destination = destination
-	t.logger.InfoContext(ctx, "inbound packet connection from ", metadata.Source)
-	t.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
-	done, err := t.tracker.NewPacketConnEx(conn)
-	if err != nil {
-		t.logger.ErrorContext(ctx, E.Cause(err, "track inbound connection"))
-		return
-	}
-	t.router.RoutePacketConnectionEx(ctx, conn, metadata, N.AppendClose(onClose, done))
-}
-
-func (t *Inbound) updateRouteAddressSet(it adapter.RuleSet) {
-	t.stack.routeAddressSet = common.FlatMap(t.routeRuleSet, adapter.RuleSet.ExtractIPSet)
-	t.stack.routeExcludeAddressSet = common.FlatMap(t.routeExcludeRuleSet, adapter.RuleSet.ExtractIPSet)
-}

protocol/ndis/stack.go

@@ -1,267 +0,0 @@
-//go:build windows
-
-package ndis
-
-import (
-	"context"
-	"net/netip"
-	"time"
-
-	"github.com/sagernet/gvisor/pkg/buffer"
-	"github.com/sagernet/gvisor/pkg/tcpip"
-	"github.com/sagernet/gvisor/pkg/tcpip/header"
-	"github.com/sagernet/gvisor/pkg/tcpip/stack"
-	"github.com/sagernet/gvisor/pkg/tcpip/transport/tcp"
-	"github.com/sagernet/gvisor/pkg/tcpip/transport/udp"
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
-	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common/control"
-	"github.com/sagernet/sing/common/debug"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-
-	"github.com/wiresock/ndisapi-go"
-	"github.com/wiresock/ndisapi-go/driver"
-	"go4.org/netipx"
-	"golang.org/x/net/ipv4"
-	"golang.org/x/net/ipv6"
-)
-
-type Stack struct {
-	ctx                    context.Context
-	logger                 logger.ContextLogger
-	network                adapter.NetworkManager
-	trackerIn              conntrack.Tracker
-	trackerOut             conntrack.Tracker
-	api                    *ndisapi.NdisApi
-	handler                tun.Handler
-	udpTimeout             time.Duration
-	filter                 *driver.QueuedPacketFilter
-	stack                  *stack.Stack
-	endpoint               *ndisEndpoint
-	routeAddress           []netip.Prefix
-	routeExcludeAddress    []netip.Prefix
-	routeAddressSet        []*netipx.IPSet
-	routeExcludeAddressSet []*netipx.IPSet
-	currentInterface       *control.Interface
-}
-
-func (s *Stack) Start() error {
-	err := s.start(s.network.InterfaceMonitor().DefaultInterface())
-	if err != nil {
-		return err
-	}
-	s.network.InterfaceMonitor().RegisterCallback(s.updateDefaultInterface)
-	return nil
-}
-
-func (s *Stack) updateDefaultInterface(defaultInterface *control.Interface, flags int) {
-	if s.currentInterface.Equals(*defaultInterface) {
-		return
-	}
-	err := s.start(defaultInterface)
-	if err != nil {
-		s.logger.Error(E.Cause(err, "reconfigure NDIS at: ", defaultInterface.Name))
-	}
-}
-
-func (s *Stack) start(defaultInterface *control.Interface) error {
-	_ = s.Close()
-	adapters, err := s.api.GetTcpipBoundAdaptersInfo()
-	if err != nil {
-		return err
-	}
-	if defaultInterface != nil {
-		for index := 0; index < int(adapters.AdapterCount); index++ {
-			name := s.api.ConvertWindows2000AdapterName(string(adapters.AdapterNameList[index][:]))
-			if name != defaultInterface.Name {
-				continue
-			}
-			s.filter, err = driver.NewQueuedPacketFilter(s.api, adapters, nil, s.processOut)
-			if err != nil {
-				return err
-			}
-			address := tcpip.LinkAddress(adapters.CurrentAddress[index][:])
-			mtu := uint32(adapters.MTU[index])
-			endpoint := &ndisEndpoint{
-				filter:  s.filter,
-				mtu:     mtu,
-				address: address,
-			}
-			s.stack, err = tun.NewGVisorStack(endpoint)
-			if err != nil {
-				s.filter = nil
-				return err
-			}
-			s.stack.SetTransportProtocolHandler(tcp.ProtocolNumber, tun.NewTCPForwarder(s.ctx, s.stack, s.handler).HandlePacket)
-			s.stack.SetTransportProtocolHandler(udp.ProtocolNumber, tun.NewUDPForwarder(s.ctx, s.stack, s.handler, s.udpTimeout).HandlePacket)
-			err = s.filter.StartFilter(index)
-			if err != nil {
-				s.filter = nil
-				s.stack.Close()
-				s.stack = nil
-				return err
-			}
-			s.endpoint = endpoint
-			s.logger.Info("started at ", defaultInterface.Name)
-			break
-		}
-	}
-	s.currentInterface = defaultInterface
-	return nil
-}
-
-func (s *Stack) Close() error {
-	if s.filter != nil {
-		s.filter.StopFilter()
-		s.filter.Close()
-		s.filter = nil
-	}
-	if s.stack != nil {
-		s.stack.Close()
-		for _, endpoint := range s.stack.CleanupEndpoints() {
-			endpoint.Abort()
-		}
-		s.stack = nil
-	}
-	return nil
-}
-
-func (s *Stack) processOut(handle ndisapi.Handle, packet *ndisapi.IntermediateBuffer) ndisapi.FilterAction {
-	if packet.Length < header.EthernetMinimumSize {
-		return ndisapi.FilterActionPass
-	}
-	if s.endpoint.dispatcher == nil || s.filterPacket(packet.Buffer[:packet.Length]) {
-		return ndisapi.FilterActionPass
-	}
-	packetBuffer := stack.NewPacketBuffer(stack.PacketBufferOptions{
-		Payload: buffer.MakeWithData(packet.Buffer[:packet.Length]),
-	})
-	_, ok := packetBuffer.LinkHeader().Consume(header.EthernetMinimumSize)
-	if !ok {
-		packetBuffer.DecRef()
-		return ndisapi.FilterActionPass
-	}
-	ethHdr := header.Ethernet(packetBuffer.LinkHeader().Slice())
-	destinationAddress := ethHdr.DestinationAddress()
-	if destinationAddress == header.EthernetBroadcastAddress {
-		packetBuffer.PktType = tcpip.PacketBroadcast
-	} else if header.IsMulticastEthernetAddress(destinationAddress) {
-		packetBuffer.PktType = tcpip.PacketMulticast
-	} else if destinationAddress == s.endpoint.address {
-		packetBuffer.PktType = tcpip.PacketHost
-	} else {
-		packetBuffer.PktType = tcpip.PacketOtherHost
-	}
-	s.endpoint.dispatcher.DeliverNetworkPacket(ethHdr.Type(), packetBuffer)
-	packetBuffer.DecRef()
-	return ndisapi.FilterActionDrop
-}
-
-func (s *Stack) filterPacket(packet []byte) bool {
-	var ipHdr header.Network
-	switch header.IPVersion(packet[header.EthernetMinimumSize:]) {
-	case ipv4.Version:
-		ipHdr = header.IPv4(packet[header.EthernetMinimumSize:])
-	case ipv6.Version:
-		ipHdr = header.IPv6(packet[header.EthernetMinimumSize:])
-	default:
-		return true
-	}
-	sourceAddr := tun.AddrFromAddress(ipHdr.SourceAddress())
-	destinationAddr := tun.AddrFromAddress(ipHdr.DestinationAddress())
-	if !destinationAddr.IsGlobalUnicast() {
-		return true
-	}
-	var (
-		transportProtocol tcpip.TransportProtocolNumber
-		transportHdr      header.Transport
-	)
-	switch ipHdr.TransportProtocol() {
-	case tcp.ProtocolNumber:
-		transportProtocol = header.TCPProtocolNumber
-		transportHdr = header.TCP(ipHdr.Payload())
-	case udp.ProtocolNumber:
-		transportProtocol = header.UDPProtocolNumber
-		transportHdr = header.UDP(ipHdr.Payload())
-	default:
-		return false
-	}
-	source := netip.AddrPortFrom(sourceAddr, transportHdr.SourcePort())
-	destination := netip.AddrPortFrom(destinationAddr, transportHdr.DestinationPort())
-	if transportProtocol == header.TCPProtocolNumber {
-		if s.trackerIn.CheckConn(source, destination) {
-			if debug.Enabled {
-				s.logger.Trace("fall exists TCP ", source, " ", destination)
-			}
-			return false
-		}
-	} else {
-		if s.trackerIn.CheckPacketConn(source) {
-			if debug.Enabled {
-				s.logger.Trace("fall exists UDP ", source, " ", destination)
-			}
-		}
-	}
-	if len(s.routeAddress) > 0 {
-		var match bool
-		for _, route := range s.routeAddress {
-			if route.Contains(destinationAddr) {
-				match = true
-			}
-		}
-		if !match {
-			return true
-		}
-	}
-	if len(s.routeAddressSet) > 0 {
-		var match bool
-		for _, ipSet := range s.routeAddressSet {
-			if ipSet.Contains(destinationAddr) {
-				match = true
-			}
-		}
-		if !match {
-			return true
-		}
-	}
-	if len(s.routeExcludeAddress) > 0 {
-		for _, address := range s.routeExcludeAddress {
-			if address.Contains(destinationAddr) {
-				return true
-			}
-		}
-	}
-	if len(s.routeExcludeAddressSet) > 0 {
-		for _, ipSet := range s.routeAddressSet {
-			if ipSet.Contains(destinationAddr) {
-				return true
-			}
-		}
-	}
-	if s.trackerOut.CheckDestination(destination) {
-		if debug.Enabled {
-			s.logger.Trace("passing pending ", source, " ", destination)
-		}
-		return true
-	}
-	if transportProtocol == header.TCPProtocolNumber {
-		if s.trackerOut.CheckConn(source, destination) {
-			if debug.Enabled {
-				s.logger.Trace("passing TCP ", source, " ", destination)
-			}
-			return true
-		}
-	} else {
-		if s.trackerOut.CheckPacketConn(source) {
-			if debug.Enabled {
-				s.logger.Trace("passing UDP ", source, " ", destination)
-			}
-		}
-	}
-	if debug.Enabled {
-		s.logger.Trace("fall ", source, " ", destination)
-	}
-	return false
-}

protocol/redirect/tproxy.go

@@ -93,8 +93,6 @@ func (t *TProxy) Close() error {
 }
 
 func (t *TProxy) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
-	metadata.Inbound = t.Tag()
-	metadata.InboundType = t.Type()
 	metadata.Destination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
 	t.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
 	t.router.RouteConnectionEx(ctx, conn, metadata, onClose)

protocol/socks/inbound.go

@@ -62,7 +62,7 @@ func (h *Inbound) Close() error {
 }
 
 func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
-	err := socks.HandleConnectionEx(ctx, conn, std_bufio.NewReader(conn), h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, onClose)
+	err := socks.HandleConnectionEx(ctx, conn, std_bufio.NewReader(conn), h.authenticator, nil, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, metadata.Destination, onClose)
 	N.CloseOnHandshakeFailure(conn, onClose, err)
 	if err != nil {
 		if E.IsClosedOrCanceled(err) {
@@ -92,19 +92,11 @@ func (h *Inbound) streamUserPacketConnection(ctx context.Context, conn N.PacketC
 	metadata.InboundType = h.Type()
 	user, loaded := auth.UserFromContext[string](ctx)
 	if !loaded {
-		if !metadata.Destination.IsValid() {
+		h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
-			h.logger.InfoContext(ctx, "inbound packet connection")
-		} else {
-			h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
-		}
 		h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 		return
 	}
 	metadata.User = user
-	if !metadata.Destination.IsValid() {
+	h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
-		h.logger.InfoContext(ctx, "[", user, "] inbound packet connection")
-	} else {
-		h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
-	}
 	h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 }