documentation: Bump version

Co-authored-by: Hiddify <114227601+hiddify1@users.noreply.github.com>

.github/workflows/debug.yml

@@ -3,7 +3,6 @@ name: Debug build
 on:
   push:
     branches:
-      - stable-next
       - main-next
       - dev-next
     paths-ignore:
@@ -12,7 +11,6 @@ on:
       - '!.github/workflows/debug.yml'
   pull_request:
     branches:
-      - stable-next
       - main-next
       - dev-next
 
@@ -22,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -50,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -70,7 +68,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -201,7 +199,7 @@ jobs:
       TAGS: with_clash_api,with_quic
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Get latest go version

.github/workflows/docker.yml

@@ -9,20 +9,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@v3
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v2
       - name: Setup QEMU for Docker Buildx
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v2
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker metadata
         id: metadata
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v4
         with:
           images: ghcr.io/sagernet/sing-box
       - name: Get tag to build
@@ -35,7 +35,7 @@ jobs:
             echo "versioned=ghcr.io/sagernet/sing-box:${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
           fi
       - name: Build and release Docker images
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v4
         with:
           platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
           target: dist

.github/workflows/lint.yml

@@ -3,7 +3,6 @@ name: Lint
 on:
   push:
     branches:
-      - stable-next
       - main-next
       - dev-next
     paths-ignore:
@@ -12,7 +11,6 @@ on:
       - '!.github/workflows/lint.yml'
   pull_request:
     branches:
-      - stable-next
       - main-next
       - dev-next
 
@@ -22,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -36,6 +34,4 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: latest
-          args: --timeout=30m
-          install-mode: binary
+          version: latest

.goreleaser.yaml

@@ -16,7 +16,6 @@ builds:
       - with_quic
       - with_dhcp
       - with_wireguard
-      - with_ech
       - with_utls
       - with_reality_server
       - with_clash_api
@@ -36,35 +35,6 @@ builds:
       - darwin_amd64_v3
       - darwin_arm64
     mod_timestamp: '{{ .CommitTimestamp }}'
-  - id: legacy
-    main: ./cmd/sing-box
-    flags:
-      - -v
-      - -trimpath
-    asmflags:
-      - all=-trimpath={{.Env.GOPATH}}
-    gcflags:
-      - all=-trimpath={{.Env.GOPATH}}
-    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_ech
-      - with_utls
-      - with_reality_server
-      - with_clash_api
-    env:
-      - CGO_ENABLED=0
-      - GOROOT=/nix/store/5h8gjl89zx8qxgc572wa3k81zplv8v4z-go-1.20.10/share/go
-    gobinary: /nix/store/5h8gjl89zx8qxgc572wa3k81zplv8v4z-go-1.20.10/bin/go
-    targets:
-      - windows_amd64_v1
-      - windows_386
-      - darwin_amd64_v1
-    mod_timestamp: '{{ .CommitTimestamp }}'
   - id: android
     main: ./cmd/sing-box
     flags:
@@ -81,7 +51,6 @@ builds:
       - with_quic
       - with_dhcp
       - with_wireguard
-      - with_ech
       - with_utls
       - with_clash_api
     env:
@@ -119,9 +88,6 @@ snapshot:
   name_template: "{{ .Version }}.{{ .ShortCommit }}"
 archives:
   - id: archive
-    builds:
-      - main
-      - android
     format: tar.gz
     format_overrides:
       - goos: windows
@@ -130,17 +96,6 @@ archives:
     files:
       - LICENSE
     name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-  - id: archive-legacy
-    builds:
-      - legacy
-    format: tar.gz
-    format_overrides:
-      - goos: windows
-        format: zip
-    wrap_in_directory: true
-    files:
-      - LICENSE
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}-legacy'
 nfpms:
   - id: package
     package_name: sing-box

Makefile

@@ -28,7 +28,7 @@ ci_build:
 	go build $(MAIN_PARAMS) $(MAIN)
 
 install:
-	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
+	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)
 
 fmt:
 	@gofumpt -l -w .
@@ -63,7 +63,7 @@ release:
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
-	rm -r dist/release
+	rm -r dist
 
 release_install:
 	go install -v github.com/goreleaser/goreleaser@latest
@@ -73,7 +73,7 @@ update_android_version:
 	go run ./cmd/internal/update_android_version
 
 build_android:
-	cd ../sing-box-for-android && ./gradlew :app:assembleRelease && ./gradlew --stop
+	cd ../sing-box-for-android && ./gradlew :app:assembleRelease
 
 upload_android:
 	mkdir -p dist/release_android
@@ -93,7 +93,7 @@ build_ios:
 
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist
 
 release_ios: build_ios upload_ios_app_store
 
@@ -104,7 +104,7 @@ build_macos:
 
 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist
 
 release_macos: build_macos upload_macos_app_store
 
@@ -115,7 +115,7 @@ build_macos_independent:
 
 notarize_macos_independent:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist
 
 wait_notarize_macos_independent:
 	sleep 60
@@ -132,23 +132,24 @@ upload_macos_independent:
 	zip -ry "SFM-${VERSION}-universal.zip" SFM.app && \
 	ghr --replace --draft --prerelease "v${VERSION}" *.zip
 
-release_macos_independent: build_macos_independent notarize_macos_independent wait_notarize_macos_independent export_macos_independent upload_macos_independent
+release_macos_independent: build_macos_independent notarize_macos_independent export_macos_independent wait_notarize_macos_independent upload_macos_independent
 
 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
+	export DEVELOPER_DIR=/Applications/Xcode-beta.app/Contents/Developer && \
 	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive
 
 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist
 
 release_tvos: build_tvos upload_tvos_app_store
 
 update_apple_version:
 	go run ./cmd/internal/update_apple_version
 
-release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
+release_apple: update_apple_version release_ios release_macos release_tvos release_macos_independent
 	rm -rf dist
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
@@ -178,8 +179,8 @@ lib:
 
 lib_install:
 	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230915142329-c6740b6d2950
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230915142329-c6740b6d2950
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230728014906-3de089147f59
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230728014906-3de089147f59
 
 clean:
 	rm -rf bin dist sing-box

adapter/inbound.go

@@ -75,11 +75,3 @@ func AppendContext(ctx context.Context) (context.Context, *InboundContext) {
 	metadata = new(InboundContext)
 	return WithContext(ctx, metadata), metadata
 }
-
-func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
-	var newMetadata InboundContext
-	if metadata := ContextFrom(ctx); metadata != nil {
-		newMetadata = *metadata
-	}
-	return WithContext(ctx, &newMetadata), &newMetadata
-}

adapter/v2ray.go

@@ -5,6 +5,7 @@ import (
 	"net"
 
 	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -18,6 +19,7 @@ type V2RayServerTransport interface {
 type V2RayServerTransportHandler interface {
 	N.TCPConnectionHandler
 	E.Handler
+	FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error
 }
 
 type V2RayClientTransport interface {

box_outbound.go

@@ -69,7 +69,7 @@ func (s *Box) startOutbounds() error {
 			}
 			problemOutbound := outbounds[problemOutboundTag]
 			if problemOutbound == nil {
-				return E.New("dependency[", problemOutboundTag, "] not found for outbound[", outboundTags[oCurrent], "]")
+				return E.New("dependency[", problemOutbound, "] not found for outbound[", outboundTags[oCurrent], "]")
 			}
 			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
 		}

cmd/internal/build_libbox/main.go

@@ -54,7 +54,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
 	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	debugTags = append(debugTags, "debug")
 }

cmd/internal/update_apple_version/main.go

@@ -29,17 +29,11 @@ func main() {
 	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
 	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
 	if updated0 || updated1 {
-		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
-	}
-	var updated2 bool
-	if macProjectVersion := os.Getenv("MACOS_PROJECT_VERSION"); macProjectVersion != "" {
-		newContent, updated2 = findAndReplaceProjectVersion(objectsMap, newContent, []string{"SFM"}, macProjectVersion)
-		if updated2 {
-			log.Info("updated macos project version to ", macProjectVersion)
-		}
-	}
-	if updated0 || updated1 || updated2 {
+		log.Info("updated version to ", newVersion.VersionString())
+		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj.bak", []byte(projectContent), 0o644))
 		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj", []byte(newContent), 0o644))
+	} else {
+		log.Info("version not changed")
 	}
 }
 
@@ -67,30 +61,6 @@ func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDLi
 	return projectContent, updated
 }
 
-func findAndReplaceProjectVersion(objectsMap map[string]any, projectContent string, directoryList []string, newVersion string) (string, bool) {
-	objectKeyList := findObjectKeyByDirectory(objectsMap, directoryList)
-	var updated bool
-	for _, objectKey := range objectKeyList {
-		matchRegexp := common.Must1(regexp.Compile(objectKey + ".*= \\{"))
-		indexes := matchRegexp.FindStringIndex(projectContent)
-		if len(indexes) < 2 {
-			println(projectContent)
-			log.Fatal("failed to find object key ", objectKey, ": ", strings.Index(projectContent, objectKey))
-		}
-		indexStart := indexes[1]
-		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
-		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "CURRENT_PROJECT_VERSION = ") + 26
-		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
-		version := projectContent[versionStart:versionEnd]
-		if version == newVersion {
-			continue
-		}
-		updated = true
-		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
-	}
-	return projectContent, updated
-}
-
 func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
 	var objectKeyList []string
 	for objectKey, object := range objectsMap {
@@ -108,24 +78,3 @@ func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
 	}
 	return objectKeyList
 }
-
-func findObjectKeyByDirectory(objectsMap map[string]any, directoryList []string) []string {
-	var objectKeyList []string
-	for objectKey, object := range objectsMap {
-		buildSettings := object.(map[string]any)["buildSettings"]
-		if buildSettings == nil {
-			continue
-		}
-		infoPListFile := buildSettings.(map[string]any)["INFOPLIST_FILE"]
-		if infoPListFile == nil {
-			continue
-		}
-		for _, searchDirectory := range directoryList {
-			if strings.HasPrefix(infoPListFile.(string), searchDirectory+"/") {
-				objectKeyList = append(objectKeyList, objectKey)
-			}
-		}
-
-	}
-	return objectKeyList
-}

cmd/sing-box/cmd_generate.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/gofrs/uuid/v5"
 	"github.com/spf13/cobra"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
 var commandGenerate = &cobra.Command{
@@ -21,7 +22,8 @@ var commandGenerate = &cobra.Command{
 func init() {
 	commandGenerate.AddCommand(commandGenerateUUID)
 	commandGenerate.AddCommand(commandGenerateRandom)
-
+	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
+	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
 	mainCommand.AddCommand(commandGenerate)
 }
 
@@ -90,3 +92,48 @@ func generateUUID() error {
 	_, err = os.Stdout.WriteString(newUUID.String() + "\n")
 	return err
 }
+
+var commandGenerateWireGuardKeyPair = &cobra.Command{
+	Use:   "wg-keypair",
+	Short: "Generate WireGuard key pair",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateWireGuardKey()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateWireGuardKey() error {
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return err
+	}
+	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
+	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
+	return nil
+}
+
+var commandGenerateRealityKeyPair = &cobra.Command{
+	Use:   "reality-keypair",
+	Short: "Generate reality key pair",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateRealityKey()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateRealityKey() error {
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return err
+	}
+	publicKey := privateKey.PublicKey()
+	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
+	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
+	return nil
+}

cmd/sing-box/cmd_generate_tls.go

@@ -1,40 +0,0 @@
-package main
-
-import (
-	"os"
-	"time"
-
-	"github.com/sagernet/sing-box/common/tls"
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-)
-
-var flagGenerateTLSKeyPairMonths int
-
-var commandGenerateTLSKeyPair = &cobra.Command{
-	Use:   "tls-keypair <server_name>",
-	Short: "Generate TLS self sign key pair",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateTLSKeyPair(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGenerateTLSKeyPair.Flags().IntVarP(&flagGenerateTLSKeyPairMonths, "months", "m", 1, "Valid months")
-	commandGenerate.AddCommand(commandGenerateTLSKeyPair)
-}
-
-func generateTLSKeyPair(serverName string) error {
-	privateKeyPem, publicKeyPem, err := tls.GenerateKeyPair(time.Now, serverName, time.Now().AddDate(0, flagGenerateTLSKeyPairMonths, 0))
-	if err != nil {
-		return err
-	}
-	os.Stdout.WriteString(string(privateKeyPem) + "\n")
-	os.Stdout.WriteString(string(publicKeyPem) + "\n")
-	return nil
-}

cmd/sing-box/cmd_generate_vapid.go

@@ -1,40 +0,0 @@
-//go:build go1.20
-
-package main
-
-import (
-	"crypto/ecdh"
-	"crypto/rand"
-	"encoding/base64"
-	"os"
-
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-)
-
-var commandGenerateVAPIDKeyPair = &cobra.Command{
-	Use:   "vapid-keypair",
-	Short: "Generate VAPID key pair",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateVAPIDKeyPair()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGenerate.AddCommand(commandGenerateVAPIDKeyPair)
-}
-
-func generateVAPIDKeyPair() error {
-	privateKey, err := ecdh.P256().GenerateKey(rand.Reader)
-	if err != nil {
-		return err
-	}
-	publicKey := privateKey.PublicKey()
-	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey.Bytes()) + "\n")
-	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey.Bytes()) + "\n")
-	return nil
-}

cmd/sing-box/cmd_generate_wireguard.go

@@ -1,61 +0,0 @@
-package main
-
-import (
-	"encoding/base64"
-	"os"
-
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-)
-
-func init() {
-	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
-	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
-}
-
-var commandGenerateWireGuardKeyPair = &cobra.Command{
-	Use:   "wg-keypair",
-	Short: "Generate WireGuard key pair",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateWireGuardKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateWireGuardKey() error {
-	privateKey, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return err
-	}
-	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
-	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
-	return nil
-}
-
-var commandGenerateRealityKeyPair = &cobra.Command{
-	Use:   "reality-keypair",
-	Short: "Generate reality key pair",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateRealityKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateRealityKey() error {
-	privateKey, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return err
-	}
-	publicKey := privateKey.PublicKey()
-	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
-	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
-	return nil
-}

cmd/sing-box/cmd_merge.go

@@ -1,174 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/sagernet/sing-box/common/json"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/rw"
-
-	"github.com/spf13/cobra"
-)
-
-var commandMerge = &cobra.Command{
-	Use:   "merge [output]",
-	Short: "Merge configurations",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := merge(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.ExactArgs(1),
-}
-
-func init() {
-	mainCommand.AddCommand(commandMerge)
-}
-
-func merge(outputPath string) error {
-	mergedOptions, err := readConfigAndMerge()
-	if err != nil {
-		return err
-	}
-	err = mergePathResources(&mergedOptions)
-	if err != nil {
-		return err
-	}
-	buffer := new(bytes.Buffer)
-	encoder := json.NewEncoder(buffer)
-	encoder.SetIndent("", "  ")
-	err = encoder.Encode(mergedOptions)
-	if err != nil {
-		return E.Cause(err, "encode config")
-	}
-	if existsContent, err := os.ReadFile(outputPath); err != nil {
-		if string(existsContent) == buffer.String() {
-			return nil
-		}
-	}
-	err = rw.WriteFile(outputPath, buffer.Bytes())
-	if err != nil {
-		return err
-	}
-	outputPath, _ = filepath.Abs(outputPath)
-	os.Stderr.WriteString(outputPath + "\n")
-	return nil
-}
-
-func mergePathResources(options *option.Options) error {
-	for index, inbound := range options.Inbounds {
-		switch inbound.Type {
-		case C.TypeHTTP:
-			inbound.HTTPOptions.TLS = mergeTLSInboundOptions(inbound.HTTPOptions.TLS)
-		case C.TypeMixed:
-			inbound.MixedOptions.TLS = mergeTLSInboundOptions(inbound.MixedOptions.TLS)
-		case C.TypeVMess:
-			inbound.VMessOptions.TLS = mergeTLSInboundOptions(inbound.VMessOptions.TLS)
-		case C.TypeTrojan:
-			inbound.TrojanOptions.TLS = mergeTLSInboundOptions(inbound.TrojanOptions.TLS)
-		case C.TypeNaive:
-			inbound.NaiveOptions.TLS = mergeTLSInboundOptions(inbound.NaiveOptions.TLS)
-		case C.TypeHysteria:
-			inbound.HysteriaOptions.TLS = mergeTLSInboundOptions(inbound.HysteriaOptions.TLS)
-		case C.TypeVLESS:
-			inbound.VLESSOptions.TLS = mergeTLSInboundOptions(inbound.VLESSOptions.TLS)
-		case C.TypeTUIC:
-			inbound.TUICOptions.TLS = mergeTLSInboundOptions(inbound.TUICOptions.TLS)
-		case C.TypeHysteria2:
-			inbound.Hysteria2Options.TLS = mergeTLSInboundOptions(inbound.Hysteria2Options.TLS)
-		default:
-			continue
-		}
-		options.Inbounds[index] = inbound
-	}
-	for index, outbound := range options.Outbounds {
-		switch outbound.Type {
-		case C.TypeHTTP:
-			outbound.HTTPOptions.TLS = mergeTLSOutboundOptions(outbound.HTTPOptions.TLS)
-		case C.TypeVMess:
-			outbound.VMessOptions.TLS = mergeTLSOutboundOptions(outbound.VMessOptions.TLS)
-		case C.TypeTrojan:
-			outbound.TrojanOptions.TLS = mergeTLSOutboundOptions(outbound.TrojanOptions.TLS)
-		case C.TypeHysteria:
-			outbound.HysteriaOptions.TLS = mergeTLSOutboundOptions(outbound.HysteriaOptions.TLS)
-		case C.TypeSSH:
-			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
-		case C.TypeVLESS:
-			outbound.VLESSOptions.TLS = mergeTLSOutboundOptions(outbound.VLESSOptions.TLS)
-		case C.TypeTUIC:
-			outbound.TUICOptions.TLS = mergeTLSOutboundOptions(outbound.TUICOptions.TLS)
-		case C.TypeHysteria2:
-			outbound.Hysteria2Options.TLS = mergeTLSOutboundOptions(outbound.Hysteria2Options.TLS)
-		default:
-			continue
-		}
-		options.Outbounds[index] = outbound
-	}
-	return nil
-}
-
-func mergeTLSInboundOptions(options *option.InboundTLSOptions) *option.InboundTLSOptions {
-	if options == nil {
-		return nil
-	}
-	if options.CertificatePath != "" {
-		if content, err := os.ReadFile(options.CertificatePath); err == nil {
-			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	if options.KeyPath != "" {
-		if content, err := os.ReadFile(options.KeyPath); err == nil {
-			options.Key = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	if options.ECH != nil {
-		if options.ECH.KeyPath != "" {
-			if content, err := os.ReadFile(options.ECH.KeyPath); err == nil {
-				options.ECH.Key = trimStringArray(strings.Split(string(content), "\n"))
-			}
-		}
-	}
-	return options
-}
-
-func mergeTLSOutboundOptions(options *option.OutboundTLSOptions) *option.OutboundTLSOptions {
-	if options == nil {
-		return nil
-	}
-	if options.CertificatePath != "" {
-		if content, err := os.ReadFile(options.CertificatePath); err == nil {
-			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	if options.ECH != nil {
-		if options.ECH.ConfigPath != "" {
-			if content, err := os.ReadFile(options.ECH.ConfigPath); err == nil {
-				options.ECH.Config = trimStringArray(strings.Split(string(content), "\n"))
-			}
-		}
-	}
-	return options
-}
-
-func mergeSSHOutboundOptions(options option.SSHOutboundOptions) option.SSHOutboundOptions {
-	if options.PrivateKeyPath != "" {
-		if content, err := os.ReadFile(os.ExpandEnv(options.PrivateKeyPath)); err == nil {
-			options.PrivateKey = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	return options
-}
-
-func trimStringArray(array []string) []string {
-	return common.Filter(array, func(it string) bool {
-		return strings.TrimSpace(it) != ""
-	})
-}

cmd/sing-box/cmd_run.go

@@ -143,16 +143,14 @@ func create() (*box.Box, context.CancelFunc, error) {
 		signal.Stop(osSignals)
 		close(osSignals)
 	}()
-	startCtx, finishStart := context.WithCancel(context.Background())
+
 	go func() {
 		_, loaded := <-osSignals
 		if loaded {
 			cancel()
-			closeMonitor(startCtx)
 		}
 	}()
 	err = instance.Start()
-	finishStart()
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "start service")

cmd/sing-box/main.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"github.com/getsentry/sentry-go"
 	"os"
 	"time"
 
@@ -16,7 +15,6 @@ var (
 	configDirectories []string
 	workingDir        string
 	disableColor      bool
-	enableDebug       bool
 )
 
 var mainCommand = &cobra.Command{
@@ -29,25 +27,12 @@ func init() {
 	mainCommand.PersistentFlags().StringArrayVarP(&configDirectories, "config-directory", "C", nil, "set configuration directory path")
 	mainCommand.PersistentFlags().StringVarP(&workingDir, "directory", "D", "", "set working directory")
 	mainCommand.PersistentFlags().BoolVarP(&disableColor, "disable-color", "", false, "disable color output")
-	mainCommand.PersistentFlags().BoolVarP(&enableDebug, "debug", "", false, "enable sentry debug mode")
 }
 
 func main() {
 	if err := mainCommand.Execute(); err != nil {
 		log.Fatal(err)
 	}
-
-	if enableDebug {
-		err := sentry.Init(sentry.ClientOptions{
-			Dsn: "",
-		})
-
-		if err != nil {
-			log.Fatal("sentry.Init: %s", err)
-		}
-
-		defer sentry.Flush(2 * time.Second)
-	}
 }
 
 func preRun(cmd *cobra.Command, args []string) {

common/baderror/baderror.go

@@ -0,0 +1,62 @@
+package baderror
+
+import (
+	"context"
+	"io"
+	"net"
+	"strings"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func Contains(err error, msgList ...string) bool {
+	for _, msg := range msgList {
+		if strings.Contains(err.Error(), msg) {
+			return true
+		}
+	}
+	return false
+}
+
+func WrapH2(err error) error {
+	if err == nil {
+		return nil
+	}
+	err = E.Unwrap(err)
+	if err == io.ErrUnexpectedEOF {
+		return io.EOF
+	}
+	if Contains(err, "client disconnected", "body closed by handler", "response body closed", "; CANCEL") {
+		return net.ErrClosed
+	}
+	return err
+}
+
+func WrapGRPC(err error) error {
+	// grpc uses stupid internal error types
+	if err == nil {
+		return nil
+	}
+	if Contains(err, "EOF") {
+		return io.EOF
+	}
+	if Contains(err, "Canceled") {
+		return context.Canceled
+	}
+	if Contains(err,
+		"the client connection is closing",
+		"server closed the stream without sending trailers") {
+		return net.ErrClosed
+	}
+	return err
+}
+
+func WrapQUIC(err error) error {
+	if err == nil {
+		return nil
+	}
+	if Contains(err, "canceled by local with error code 0") {
+		return net.ErrClosed
+	}
+	return err
+}

common/dialer/conntrack/conn.go

@@ -17,7 +17,7 @@ func NewConn(conn net.Conn) (net.Conn, error) {
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := KillerCheck()
+		err := killerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err

common/dialer/conntrack/killer.go

@@ -1,20 +1,20 @@
 package conntrack
 
 import (
+	"runtime"
 	runtimeDebug "runtime/debug"
 	"time"
 
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/memory"
 )
 
 var (
 	KillerEnabled   bool
-	MemoryLimit     uint64
+	MemoryLimit     int64
 	killerLastCheck time.Time
 )
 
-func KillerCheck() error {
+func killerCheck() error {
 	if !KillerEnabled {
 		return nil
 	}
@@ -23,7 +23,10 @@ func KillerCheck() error {
 		return nil
 	}
 	killerLastCheck = nowTime
-	if memory.Total() > MemoryLimit {
+	var memStats runtime.MemStats
+	runtime.ReadMemStats(&memStats)
+	inuseMemory := int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
+	if inuseMemory > MemoryLimit {
 		Close()
 		go func() {
 			time.Sleep(time.Second)

common/dialer/conntrack/packet_conn.go

@@ -18,7 +18,7 @@ func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := KillerCheck()
+		err := killerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err

common/dialer/default.go

@@ -6,7 +6,7 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/control"
@@ -137,12 +137,10 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if destination.IsIPv6() {
-		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
-	} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
-		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP+"4", d.udpAddr4))
-	} else {
+	if !destination.IsIPv6() {
 		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
+	} else {
+		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
 	}
 }
 

common/dialer/dialer.go

@@ -29,12 +29,7 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	}
 	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
-		dialer = NewResolveDialer(
-			router,
-			dialer,
-			options.Detour == "" && !options.TCPFastOpen,
-			domainStrategy,
-			time.Duration(options.FallbackDelay))
+		dialer = NewResolveDialer(router, dialer, domainStrategy, time.Duration(options.FallbackDelay))
 	}
 	return dialer, nil
 }

common/dialer/resolve.go

@@ -16,16 +16,14 @@ import (
 
 type ResolveDialer struct {
 	dialer        N.Dialer
-	parallel      bool
 	router        adapter.Router
 	strategy      dns.DomainStrategy
 	fallbackDelay time.Duration
 }
 
-func NewResolveDialer(router adapter.Router, dialer N.Dialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
+func NewResolveDialer(router adapter.Router, dialer N.Dialer, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
 	return &ResolveDialer{
 		dialer,
-		parallel,
 		router,
 		strategy,
 		fallbackDelay,
@@ -36,7 +34,7 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
 	metadata.Destination = destination
 	metadata.Domain = ""
@@ -50,18 +48,14 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if err != nil {
 		return nil, err
 	}
-	if d.parallel {
-		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
-	} else {
-		return N.DialSerial(ctx, d.dialer, network, destination, addresses)
-	}
+	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
 }
 
 func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
 	metadata.Destination = destination
 	metadata.Domain = ""

common/dialer/tfo.go

@@ -7,7 +7,6 @@ import (
 	"io"
 	"net"
 	"os"
-	"sync"
 	"time"
 
 	"github.com/sagernet/sing/common"
@@ -25,7 +24,6 @@ type slowOpenConn struct {
 	destination M.Socksaddr
 	conn        net.Conn
 	create      chan struct{}
-	access      sync.Mutex
 	err         error
 }
 
@@ -62,26 +60,16 @@ func (c *slowOpenConn) Read(b []byte) (n int, err error) {
 }
 
 func (c *slowOpenConn) Write(b []byte) (n int, err error) {
-	if c.conn != nil {
-		return c.conn.Write(b)
-	}
-	c.access.Lock()
-	defer c.access.Unlock()
-	select {
-	case <-c.create:
-		if c.err != nil {
-			return 0, c.err
+	if c.conn == nil {
+		c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
+		if err != nil {
+			c.conn = nil
+			c.err = E.Cause(err, "dial tcp fast open")
 		}
-		return c.conn.Write(b)
-	default:
+		close(c.create)
+		return
 	}
-	c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
-	if err != nil {
-		c.conn = nil
-		c.err = E.Cause(err, "dial tcp fast open")
-	}
-	close(c.create)
-	return
+	return c.conn.Write(b)
 }
 
 func (c *slowOpenConn) Close() error {

common/humanize/bytes.go

@@ -1,158 +0,0 @@
-package humanize
-
-import (
-	"fmt"
-	"math"
-	"strconv"
-	"strings"
-	"unicode"
-)
-
-// IEC Sizes.
-// kibis of bits
-const (
-	Byte = 1 << (iota * 10)
-	KiByte
-	MiByte
-	GiByte
-	TiByte
-	PiByte
-	EiByte
-)
-
-// SI Sizes.
-const (
-	IByte = 1
-	KByte = IByte * 1000
-	MByte = KByte * 1000
-	GByte = MByte * 1000
-	TByte = GByte * 1000
-	PByte = TByte * 1000
-	EByte = PByte * 1000
-)
-
-var defaultSizeTable = map[string]uint64{
-	"b":   Byte,
-	"kib": KiByte,
-	"kb":  KByte,
-	"mib": MiByte,
-	"mb":  MByte,
-	"gib": GiByte,
-	"gb":  GByte,
-	"tib": TiByte,
-	"tb":  TByte,
-	"pib": PiByte,
-	"pb":  PByte,
-	"eib": EiByte,
-	"eb":  EByte,
-	// Without suffix
-	"":   Byte,
-	"ki": KiByte,
-	"k":  KByte,
-	"mi": MiByte,
-	"m":  MByte,
-	"gi": GiByte,
-	"g":  GByte,
-	"ti": TiByte,
-	"t":  TByte,
-	"pi": PiByte,
-	"p":  PByte,
-	"ei": EiByte,
-	"e":  EByte,
-}
-
-var memorysSizeTable = map[string]uint64{
-	"b":  Byte,
-	"kb": KiByte,
-	"mb": MiByte,
-	"gb": GiByte,
-	"tb": TiByte,
-	"pb": PiByte,
-	"eb": EiByte,
-	"":   Byte,
-	"k":  KiByte,
-	"m":  MiByte,
-	"g":  GiByte,
-	"t":  TiByte,
-	"p":  PiByte,
-	"e":  EiByte,
-}
-
-var (
-	defaultSizes = []string{"B", "kB", "MB", "GB", "TB", "PB", "EB"}
-	iSizes       = []string{"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"}
-)
-
-func Bytes(s uint64) string {
-	return humanateBytes(s, 1000, defaultSizes)
-}
-
-func MemoryBytes(s uint64) string {
-	return humanateBytes(s, 1024, defaultSizes)
-}
-
-func IBytes(s uint64) string {
-	return humanateBytes(s, 1024, iSizes)
-}
-
-func logn(n, b float64) float64 {
-	return math.Log(n) / math.Log(b)
-}
-
-func humanateBytes(s uint64, base float64, sizes []string) string {
-	if s < 10 {
-		return fmt.Sprintf("%d B", s)
-	}
-	e := math.Floor(logn(float64(s), base))
-	suffix := sizes[int(e)]
-	val := math.Floor(float64(s)/math.Pow(base, e)*10+0.5) / 10
-	f := "%.0f %s"
-	if val < 10 {
-		f = "%.1f %s"
-	}
-
-	return fmt.Sprintf(f, val, suffix)
-}
-
-func ParseBytes(s string) (uint64, error) {
-	return parseBytes0(s, defaultSizeTable)
-}
-
-func ParseMemoryBytes(s string) (uint64, error) {
-	return parseBytes0(s, memorysSizeTable)
-}
-
-func parseBytes0(s string, sizeTable map[string]uint64) (uint64, error) {
-	lastDigit := 0
-	hasComma := false
-	for _, r := range s {
-		if !(unicode.IsDigit(r) || r == '.' || r == ',') {
-			break
-		}
-		if r == ',' {
-			hasComma = true
-		}
-		lastDigit++
-	}
-
-	num := s[:lastDigit]
-	if hasComma {
-		num = strings.Replace(num, ",", "", -1)
-	}
-
-	f, err := strconv.ParseFloat(num, 64)
-	if err != nil {
-		return 0, err
-	}
-
-	extra := strings.ToLower(strings.TrimSpace(s[lastDigit:]))
-	if m, ok := sizeTable[extra]; ok {
-		f *= float64(m)
-		if f >= math.MaxUint64 {
-			return 0, fmt.Errorf("too large: %v", s)
-		}
-		return uint64(f), nil
-	}
-
-	return 0, fmt.Errorf("unhandled size name: %v", extra)
-}

common/interrupt/conn.go

@@ -1,75 +0,0 @@
-package interrupt
-
-import (
-	"net"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-/*type GroupedConn interface {
-	MarkAsInternal()
-}
-
-func MarkAsInternal(conn any) {
-	if groupedConn, isGroupConn := common.Cast[GroupedConn](conn); isGroupConn {
-		groupedConn.MarkAsInternal()
-	}
-}*/
-
-type Conn struct {
-	net.Conn
-	group   *Group
-	element *list.Element[*groupConnItem]
-}
-
-/*func (c *Conn) MarkAsInternal() {
-	c.element.Value.internal = true
-}*/
-
-func (c *Conn) Close() error {
-	c.group.access.Lock()
-	defer c.group.access.Unlock()
-	c.group.connections.Remove(c.element)
-	return c.Conn.Close()
-}
-
-func (c *Conn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *Conn) WriterReplaceable() bool {
-	return true
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-type PacketConn struct {
-	net.PacketConn
-	group   *Group
-	element *list.Element[*groupConnItem]
-}
-
-/*func (c *PacketConn) MarkAsInternal() {
-	c.element.Value.internal = true
-}*/
-
-func (c *PacketConn) Close() error {
-	c.group.access.Lock()
-	defer c.group.access.Unlock()
-	c.group.connections.Remove(c.element)
-	return c.PacketConn.Close()
-}
-
-func (c *PacketConn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) WriterReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) Upstream() any {
-	return c.PacketConn
-}

common/interrupt/context.go

@@ -1,13 +0,0 @@
-package interrupt
-
-import "context"
-
-type contextKeyIsExternalConnection struct{}
-
-func ContextWithIsExternalConnection(ctx context.Context) context.Context {
-	return context.WithValue(ctx, contextKeyIsExternalConnection{}, true)
-}
-
-func IsExternalConnectionFromContext(ctx context.Context) bool {
-	return ctx.Value(contextKeyIsExternalConnection{}) != nil
-}

common/interrupt/group.go

@@ -1,52 +0,0 @@
-package interrupt
-
-import (
-	"io"
-	"net"
-	"sync"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type Group struct {
-	access      sync.Mutex
-	connections list.List[*groupConnItem]
-}
-
-type groupConnItem struct {
-	conn       io.Closer
-	isExternal bool
-}
-
-func NewGroup() *Group {
-	return &Group{}
-}
-
-func (g *Group) NewConn(conn net.Conn, isExternal bool) net.Conn {
-	g.access.Lock()
-	defer g.access.Unlock()
-	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
-	return &Conn{Conn: conn, group: g, element: item}
-}
-
-func (g *Group) NewPacketConn(conn net.PacketConn, isExternal bool) net.PacketConn {
-	g.access.Lock()
-	defer g.access.Unlock()
-	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
-	return &PacketConn{PacketConn: conn, group: g, element: item}
-}
-
-func (g *Group) Interrupt(interruptExternalConnections bool) {
-	g.access.Lock()
-	defer g.access.Unlock()
-	var toDelete []*list.Element[*groupConnItem]
-	for element := g.connections.Front(); element != nil; element = element.Next() {
-		if !element.Value.isExternal || interruptExternalConnections {
-			element.Value.conn.Close()
-			toDelete = append(toDelete, element)
-		}
-	}
-	for _, element := range toDelete {
-		g.connections.Remove(element)
-	}
-}

common/proxyproto/dialer.go

@@ -0,0 +1,50 @@
+package proxyproto
+
+import (
+	"context"
+	"net"
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	"github.com/pires/go-proxyproto"
+)
+
+var _ N.Dialer = (*Dialer)(nil)
+
+type Dialer struct {
+	N.Dialer
+}
+
+func (d *Dialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	switch N.NetworkName(network) {
+	case N.NetworkTCP:
+		conn, err := d.Dialer.DialContext(ctx, network, destination)
+		if err != nil {
+			return nil, err
+		}
+		var source M.Socksaddr
+		metadata := adapter.ContextFrom(ctx)
+		if metadata != nil {
+			source = metadata.Source
+		}
+		if !source.IsValid() {
+			source = M.SocksaddrFromNet(conn.LocalAddr())
+		}
+		if destination.Addr.Is6() {
+			source = M.SocksaddrFrom(netip.AddrFrom16(source.Addr.As16()), source.Port)
+		}
+		h := proxyproto.HeaderProxyFromAddrs(1, source.TCPAddr(), destination.TCPAddr())
+		_, err = h.WriteTo(conn)
+		if err != nil {
+			conn.Close()
+			return nil, E.Cause(err, "write proxy protocol header")
+		}
+		return conn, nil
+	default:
+		return d.Dialer.DialContext(ctx, network, destination)
+	}
+}

common/proxyproto/listener.go

@@ -0,0 +1,62 @@
+package proxyproto
+
+import (
+	std_bufio "bufio"
+	"net"
+
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
+
+	"github.com/pires/go-proxyproto"
+)
+
+type Listener struct {
+	net.Listener
+	AcceptNoHeader bool
+}
+
+func (l *Listener) Accept() (net.Conn, error) {
+	conn, err := l.Listener.Accept()
+	if err != nil {
+		return nil, err
+	}
+	bufReader := std_bufio.NewReader(conn)
+	header, err := proxyproto.Read(bufReader)
+	if err != nil && !(l.AcceptNoHeader && err == proxyproto.ErrNoProxyProtocol) {
+		return nil, &Error{err}
+	}
+	if bufReader.Buffered() > 0 {
+		cache := buf.NewSize(bufReader.Buffered())
+		_, err = cache.ReadFullFrom(bufReader, cache.FreeLen())
+		if err != nil {
+			return nil, &Error{err}
+		}
+		conn = bufio.NewCachedConn(conn, cache)
+	}
+	if header != nil {
+		return &bufio.AddrConn{Conn: conn, Metadata: M.Metadata{
+			Source:      M.SocksaddrFromNet(header.SourceAddr).Unwrap(),
+			Destination: M.SocksaddrFromNet(header.DestinationAddr).Unwrap(),
+		}}, nil
+	}
+	return conn, nil
+}
+
+var _ net.Error = (*Error)(nil)
+
+type Error struct {
+	error
+}
+
+func (e *Error) Unwrap() error {
+	return e.error
+}
+
+func (e *Error) Timeout() bool {
+	return false
+}
+
+func (e *Error) Temporary() bool {
+	return true
+}

common/qtls/wrapper.go

@@ -0,0 +1,120 @@
+package qtls
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"net/http"
+
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/http3"
+	M "github.com/sagernet/sing/common/metadata"
+	aTLS "github.com/sagernet/sing/common/tls"
+)
+
+type QUICConfig interface {
+	Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.Connection, error)
+	DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.EarlyConnection, error)
+	CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config, enableDatagrams bool) http.RoundTripper
+}
+
+type QUICServerConfig interface {
+	Listen(conn net.PacketConn, config *quic.Config) (QUICListener, error)
+	ListenEarly(conn net.PacketConn, config *quic.Config) (QUICEarlyListener, error)
+	ConfigureHTTP3()
+}
+
+type QUICListener interface {
+	Accept(ctx context.Context) (quic.Connection, error)
+	Close() error
+	Addr() net.Addr
+}
+
+type QUICEarlyListener interface {
+	Accept(ctx context.Context) (quic.EarlyConnection, error)
+	Close() error
+	Addr() net.Addr
+}
+
+func Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config aTLS.Config, quicConfig *quic.Config) (quic.Connection, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICConfig); isQUICConfig {
+		return quicTLSConfig.Dial(ctx, conn, addr, quicConfig)
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return quic.Dial(ctx, conn, addr, tlsConfig, quicConfig)
+}
+
+func DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config aTLS.Config, quicConfig *quic.Config) (quic.EarlyConnection, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICConfig); isQUICConfig {
+		return quicTLSConfig.DialEarly(ctx, conn, addr, quicConfig)
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return quic.DialEarly(ctx, conn, addr, tlsConfig, quicConfig)
+}
+
+func CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, config aTLS.Config, quicConfig *quic.Config, enableDatagrams bool) (http.RoundTripper, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICConfig); isQUICConfig {
+		return quicTLSConfig.CreateTransport(conn, quicConnPtr, serverAddr, quicConfig, enableDatagrams), nil
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return &http3.RoundTripper{
+		TLSClientConfig: tlsConfig,
+		QuicConfig:      quicConfig,
+		EnableDatagrams: enableDatagrams,
+		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
+			if err != nil {
+				return nil, err
+			}
+			*quicConnPtr = quicConn
+			return quicConn, nil
+		},
+	}, nil
+}
+
+func Listen(conn net.PacketConn, config aTLS.ServerConfig, quicConfig *quic.Config) (QUICListener, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICServerConfig); isQUICConfig {
+		return quicTLSConfig.Listen(conn, quicConfig)
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return quic.Listen(conn, tlsConfig, quicConfig)
+}
+
+func ListenEarly(conn net.PacketConn, config aTLS.ServerConfig, quicConfig *quic.Config) (QUICEarlyListener, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICServerConfig); isQUICConfig {
+		return quicTLSConfig.ListenEarly(conn, quicConfig)
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return quic.ListenEarly(conn, tlsConfig, quicConfig)
+}
+
+func ConfigureHTTP3(config aTLS.ServerConfig) error {
+	if len(config.NextProtos()) == 0 {
+		config.SetNextProtos([]string{http3.NextProtoH3})
+	}
+	if quicTLSConfig, isQUICConfig := config.(QUICServerConfig); isQUICConfig {
+		quicTLSConfig.ConfigureHTTP3()
+		return nil
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return err
+	}
+	http3.ConfigureTLSConfig(tlsConfig)
+	return nil
+}

common/settings/proxy_android.go

@@ -1,73 +1,43 @@
 package settings
 
 import (
-	"context"
 	"os"
 	"strings"
 
+	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )
 
-type AndroidSystemProxy struct {
-	useRish      bool
-	rishPath     string
-	serverAddr   M.Socksaddr
-	supportSOCKS bool
-	isEnabled    bool
-}
+var (
+	useRish  bool
+	rishPath string
+)
 
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*AndroidSystemProxy, error) {
+func init() {
 	userId := os.Getuid()
-	var (
-		useRish  bool
-		rishPath string
-	)
 	if userId == 0 || userId == 1000 || userId == 2000 {
 		useRish = false
 	} else {
 		rishPath, useRish = C.FindPath("rish")
-		if !useRish {
-			return nil, E.Cause(os.ErrPermission, "root or system (adb) permission is required for set system proxy")
-		}
 	}
-	return &AndroidSystemProxy{
-		useRish:      useRish,
-		rishPath:     rishPath,
-		serverAddr:   serverAddr,
-		supportSOCKS: supportSOCKS,
-	}, nil
 }
 
-func (p *AndroidSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *AndroidSystemProxy) Enable() error {
-	err := p.runAndroidShell("settings", "put", "global", "http_proxy", p.serverAddr.String())
-	if err != nil {
-		return err
-	}
-	p.isEnabled = true
-	return nil
-}
-
-func (p *AndroidSystemProxy) Disable() error {
-	err := p.runAndroidShell("settings", "put", "global", "http_proxy", ":0")
-	if err != nil {
-		return err
-	}
-	p.isEnabled = false
-	return nil
-}
-
-func (p *AndroidSystemProxy) runAndroidShell(name string, args ...string) error {
-	if !p.useRish {
+func runAndroidShell(name string, args ...string) error {
+	if !useRish {
 		return shell.Exec(name, args...).Attach().Run()
 	} else {
-		return shell.Exec("sh", p.rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return shell.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	}
 }
+
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	err := runAndroidShell("settings", "put", "global", "http_proxy", F.ToString("127.0.0.1:", port))
+	if err != nil {
+		return nil, err
+	}
+	return func() error {
+		return runAndroidShell("settings", "put", "global", "http_proxy", ":0")
+	}, nil
+}

common/settings/proxy_darwin.go

@@ -1,56 +1,56 @@
 package settings
 
 import (
-	"context"
 	"net/netip"
-	"strconv"
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
 )
 
-type DarwinSystemProxy struct {
+type systemProxy struct {
 	monitor       tun.DefaultInterfaceMonitor
 	interfaceName string
 	element       *list.Element[tun.DefaultInterfaceUpdateCallback]
-	serverAddr    M.Socksaddr
-	supportSOCKS  bool
-	isEnabled     bool
+	port          uint16
+	isMixed       bool
 }
 
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*DarwinSystemProxy, error) {
-	interfaceMonitor := adapter.RouterFromContext(ctx).InterfaceMonitor()
-	if interfaceMonitor == nil {
-		return nil, E.New("missing interface monitor")
+func (p *systemProxy) update(event int) {
+	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
+	if p.interfaceName == newInterfaceName {
+		return
 	}
-	proxy := &DarwinSystemProxy{
-		monitor:      interfaceMonitor,
-		serverAddr:   serverAddr,
-		supportSOCKS: supportSOCKS,
+	if p.interfaceName != "" {
+		_ = p.unset()
 	}
-	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
-	return proxy, nil
+	p.interfaceName = newInterfaceName
+	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
+	if err != nil {
+		return
+	}
+	if p.isMixed {
+		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+	}
+	if err == nil {
+		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+	}
+	if err == nil {
+		_ = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+	}
+	return
 }
 
-func (p *DarwinSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *DarwinSystemProxy) Enable() error {
-	return p.update0()
-}
-
-func (p *DarwinSystemProxy) Disable() error {
+func (p *systemProxy) unset() error {
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
 		return err
 	}
-	if p.supportSOCKS {
+	if p.isMixed {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
@@ -59,53 +59,9 @@ func (p *DarwinSystemProxy) Disable() error {
 	if err == nil {
 		err = shell.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
-	if err == nil {
-		p.isEnabled = false
-	}
 	return err
 }
 
-func (p *DarwinSystemProxy) update(event int) {
-	if event&tun.EventInterfaceUpdate == 0 {
-		return
-	}
-	if !p.isEnabled {
-		return
-	}
-	_ = p.update0()
-}
-
-func (p *DarwinSystemProxy) update0() error {
-	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
-	if p.interfaceName == newInterfaceName {
-		return nil
-	}
-	if p.interfaceName != "" {
-		_ = p.Disable()
-	}
-	p.interfaceName = newInterfaceName
-	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
-	if err != nil {
-		return err
-	}
-	if p.supportSOCKS {
-		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
-	}
-	if err != nil {
-		return err
-	}
-	err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
-	if err != nil {
-		return err
-	}
-	err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
-	if err != nil {
-		return err
-	}
-	p.isEnabled = true
-	return nil
-}
-
 func getInterfaceDisplayName(name string) (string, error) {
 	content, err := shell.Exec("networksetup", "-listallhardwareports").ReadOutput()
 	if err != nil {
@@ -121,3 +77,21 @@ func getInterfaceDisplayName(name string) (string, error) {
 	}
 	return "", E.New(name, " not found in networksetup -listallhardwareports")
 }
+
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	interfaceMonitor := router.InterfaceMonitor()
+	if interfaceMonitor == nil {
+		return nil, E.New("missing interface monitor")
+	}
+	proxy := &systemProxy{
+		monitor: interfaceMonitor,
+		port:    port,
+		isMixed: isMixed,
+	}
+	proxy.update(tun.EventInterfaceUpdate)
+	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
+	return func() error {
+		interfaceMonitor.UnregisterCallback(proxy.element)
+		return proxy.unset()
+	}, nil
+}

common/settings/proxy_linux.go

@@ -3,137 +3,106 @@
 package settings
 
 import (
-	"context"
 	"os"
 	"os/exec"
 	"strings"
 
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )
 
-type LinuxSystemProxy struct {
-	hasGSettings     bool
-	hasKWriteConfig5 bool
-	sudoUser         string
-	serverAddr       M.Socksaddr
-	supportSOCKS     bool
-	isEnabled        bool
-}
+var (
+	hasGSettings bool
+	isKDE5       bool
+	sudoUser     string
+)
 
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*LinuxSystemProxy, error) {
-	hasGSettings := common.Error(exec.LookPath("gsettings")) == nil
-	hasKWriteConfig5 := common.Error(exec.LookPath("kwriteconfig5")) == nil
-	var sudoUser string
+func init() {
+	isKDE5 = common.Error(exec.LookPath("kwriteconfig5")) == nil
+	hasGSettings = common.Error(exec.LookPath("gsettings")) == nil
 	if os.Getuid() == 0 {
 		sudoUser = os.Getenv("SUDO_USER")
 	}
-	if !hasGSettings && !hasKWriteConfig5 {
-		return nil, E.New("unsupported desktop environment")
-	}
-	return &LinuxSystemProxy{
-		hasGSettings:     hasGSettings,
-		hasKWriteConfig5: hasKWriteConfig5,
-		sudoUser:         sudoUser,
-		serverAddr:       serverAddr,
-		supportSOCKS:     supportSOCKS,
-	}, nil
 }
 
-func (p *LinuxSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *LinuxSystemProxy) Enable() error {
-	if p.hasGSettings {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
-		if err != nil {
-			return err
-		}
-		if p.supportSOCKS {
-			err = p.setGnomeProxy("ftp", "http", "https", "socks")
-		} else {
-			err = p.setGnomeProxy("http", "https")
-		}
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(p.supportSOCKS))
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
-		if err != nil {
-			return err
-		}
-	}
-	if p.hasKWriteConfig5 {
-		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "1")
-		if err != nil {
-			return err
-		}
-		if p.supportSOCKS {
-			err = p.setKDEProxy("ftp", "http", "https", "socks")
-		} else {
-			err = p.setKDEProxy("http", "https")
-		}
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "Authmode", "0")
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
-		if err != nil {
-			return err
-		}
-	}
-	p.isEnabled = true
-	return nil
-}
-
-func (p *LinuxSystemProxy) Disable() error {
-	if p.hasGSettings {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
-		if err != nil {
-			return err
-		}
-	}
-	if p.hasKWriteConfig5 {
-		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "0")
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
-		if err != nil {
-			return err
-		}
-	}
-	p.isEnabled = false
-	return nil
-}
-
-func (p *LinuxSystemProxy) runAsUser(name string, args ...string) error {
+func runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
 		return shell.Exec(name, args...).Attach().Run()
-	} else if p.sudoUser != "" {
-		return shell.Exec("su", "-", p.sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+	} else if sudoUser != "" {
+		return shell.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}
 }
 
-func (p *LinuxSystemProxy) setGnomeProxy(proxyTypes ...string) error {
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	if hasGSettings {
+		err := runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
+		if err != nil {
+			return nil, err
+		}
+		if isMixed {
+			err = setGnomeProxy(port, "ftp", "http", "https", "socks")
+		} else {
+			err = setGnomeProxy(port, "http", "https")
+		}
+		if err != nil {
+			return nil, err
+		}
+		err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(isMixed))
+		if err != nil {
+			return nil, err
+		}
+		err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
+		if err != nil {
+			return nil, err
+		}
+		return func() error {
+			return runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
+		}, nil
+	}
+	if isKDE5 {
+		err := runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "ProxyType", "1")
+		if err != nil {
+			return nil, err
+		}
+		if isMixed {
+			err = setKDEProxy(port, "ftp", "http", "https", "socks")
+		} else {
+			err = setKDEProxy(port, "http", "https")
+		}
+		if err != nil {
+			return nil, err
+		}
+		err = runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "Authmode", "0")
+		if err != nil {
+			return nil, err
+		}
+		err = runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
+		if err != nil {
+			return nil, err
+		}
+		return func() error {
+			err = runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "ProxyType", "0")
+			if err != nil {
+				return err
+			}
+			return runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
+		}, nil
+	}
+	return nil, E.New("unsupported desktop environment")
+}
+
+func setGnomeProxy(port uint16, proxyTypes ...string) error {
 	for _, proxyType := range proxyTypes {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", p.serverAddr.AddrString())
+		err := runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", "127.0.0.1")
 		if err != nil {
 			return err
 		}
-		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(p.serverAddr.Port))
+		err = runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(port))
 		if err != nil {
 			return err
 		}
@@ -141,20 +110,20 @@ func (p *LinuxSystemProxy) setGnomeProxy(proxyTypes ...string) error {
 	return nil
 }
 
-func (p *LinuxSystemProxy) setKDEProxy(proxyTypes ...string) error {
+func setKDEProxy(port uint16, proxyTypes ...string) error {
 	for _, proxyType := range proxyTypes {
 		var proxyUrl string
 		if proxyType == "socks" {
-			proxyUrl = "socks://" + p.serverAddr.String()
+			proxyUrl = "socks://127.0.0.1:" + F.ToString(port)
 		} else {
-			proxyUrl = "http://" + p.serverAddr.String()
+			proxyUrl = "http://127.0.0.1:" + F.ToString(port)
 		}
-		err := p.runAsUser(
+		err := runAsUser(
 			"kwriteconfig5",
 			"--file",
 			"kioslaverc",
 			"--group",
-			"Proxy Settings",
+			"'Proxy Settings'",
 			"--key", proxyType+"Proxy",
 			proxyUrl,
 		)

common/settings/proxy_stub.go

@@ -3,12 +3,11 @@
 package settings
 
 import (
-	"context"
 	"os"
 
-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing-box/adapter"
 )
 
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (SystemProxy, error) {
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
 	return nil, os.ErrInvalid
 }

common/settings/proxy_windows.go

@@ -1,43 +1,17 @@
 package settings
 
 import (
-	"context"
-
-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/wininet"
 )
 
-type WindowsSystemProxy struct {
-	serverAddr   M.Socksaddr
-	supportSOCKS bool
-	isEnabled    bool
-}
-
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*WindowsSystemProxy, error) {
-	return &WindowsSystemProxy{
-		serverAddr:   serverAddr,
-		supportSOCKS: supportSOCKS,
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	err := wininet.SetSystemProxy(F.ToString("http://127.0.0.1:", port), "")
+	if err != nil {
+		return nil, err
+	}
+	return func() error {
+		return wininet.ClearSystemProxy()
 	}, nil
 }
-
-func (p *WindowsSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *WindowsSystemProxy) Enable() error {
-	err := wininet.SetSystemProxy("http://"+p.serverAddr.String(), "")
-	if err != nil {
-		return err
-	}
-	p.isEnabled = true
-	return nil
-}
-
-func (p *WindowsSystemProxy) Disable() error {
-	err := wininet.ClearSystemProxy()
-	if err != nil {
-		return err
-	}
-	p.isEnabled = false
-	return nil
-}

common/settings/system_proxy.go

@@ -1,7 +0,0 @@
-package settings
-
-type SystemProxy interface {
-	IsEnabled() bool
-	Enable() error
-	Disable() error
-}

common/tls/acme.go

@@ -9,13 +9,10 @@ import (
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 
 	"github.com/caddyserver/certmagic"
-	"github.com/libdns/alidns"
-	"github.com/libdns/cloudflare"
 	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -77,24 +74,6 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
 		Logger:                  config.Logger,
 	}
-	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
-		var solver certmagic.DNS01Solver
-		switch dnsOptions.Provider {
-		case C.DNSProviderAliDNS:
-			solver.DNSProvider = &alidns.Provider{
-				AccKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
-				AccKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
-				RegionID:     dnsOptions.AliDNSOptions.RegionID,
-			}
-		case C.DNSProviderCloudflare:
-			solver.DNSProvider = &cloudflare.Provider{
-				APIToken: dnsOptions.CloudflareOptions.APIToken,
-			}
-		default:
-			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)
-		}
-		acmeConfig.DNS01Solver = &solver
-	}
 	if options.ExternalAccount != nil && options.ExternalAccount.KeyID != "" {
 		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
 	}

common/tls/ech_client.go

@@ -149,8 +149,8 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {
@@ -171,20 +171,8 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 	tlsConfig.ECHEnabled = true
 	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
 	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
-
-	var echConfig []byte
 	if len(options.ECH.Config) > 0 {
-		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
-	} else if options.ECH.ConfigPath != "" {
-		content, err := os.ReadFile(options.ECH.ConfigPath)
-		if err != nil {
-			return nil, E.Cause(err, "read ECH config")
-		}
-		echConfig = content
-	}
-
-	if len(echConfig) > 0 {
-		block, rest := pem.Decode(echConfig)
+		block, rest := pem.Decode([]byte(strings.Join(options.ECH.Config, "\n")))
 		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
 			return nil, E.New("invalid ECH configs pem")
 		}

common/tls/ech_quic.go

@@ -10,13 +10,13 @@ import (
 	"github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/quic-go/ech"
 	"github.com/sagernet/quic-go/http3_ech"
-	"github.com/sagernet/sing-quic"
+	"github.com/sagernet/sing-box/common/qtls"
 	M "github.com/sagernet/sing/common/metadata"
 )
 
 var (
-	_ qtls.Config       = (*echClientConfig)(nil)
-	_ qtls.ServerConfig = (*echServerConfig)(nil)
+	_ qtls.QUICConfig       = (*echClientConfig)(nil)
+	_ qtls.QUICServerConfig = (*echServerConfig)(nil)
 )
 
 func (c *echClientConfig) Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.Connection, error) {
@@ -43,11 +43,11 @@ func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic
 	}
 }
 
-func (c *echServerConfig) Listen(conn net.PacketConn, config *quic.Config) (qtls.Listener, error) {
+func (c *echServerConfig) Listen(conn net.PacketConn, config *quic.Config) (qtls.QUICListener, error) {
 	return quic.Listen(conn, c.config, config)
 }
 
-func (c *echServerConfig) ListenEarly(conn net.PacketConn, config *quic.Config) (qtls.EarlyListener, error) {
+func (c *echServerConfig) ListenEarly(conn net.PacketConn, config *quic.Config) (qtls.QUICEarlyListener, error) {
 	return quic.ListenEarly(conn, c.config, config)
 }
 

common/tls/ech_server.go

@@ -159,7 +159,7 @@ func (c *echServerConfig) startECHWatcher() error {
 	if err != nil {
 		return err
 	}
-	c.echWatcher = watcher
+	c.watcher = watcher
 	go c.loopECHUpdate()
 	return nil
 }
@@ -178,7 +178,7 @@ func (c *echServerConfig) loopECHUpdate() {
 			if err != nil {
 				c.logger.Error(E.Cause(err, "reload ECH key"))
 			}
-		case err, ok := <-c.echWatcher.Errors:
+		case err, ok := <-c.watcher.Errors:
 			if !ok {
 				return
 			}
@@ -277,7 +277,7 @@ func NewECHServer(ctx context.Context, logger log.Logger, options option.Inbound
 		certificate = content
 	}
 	if len(options.Key) > 0 {
-		key = []byte(strings.Join(options.Key, "\n"))
+		key = []byte(strings.Join(options.Key, ""))
 	} else if options.KeyPath != "" {
 		content, err := os.ReadFile(options.KeyPath)
 		if err != nil {
@@ -298,20 +298,7 @@ func NewECHServer(ctx context.Context, logger log.Logger, options option.Inbound
 	}
 	tlsConfig.Certificates = []cftls.Certificate{keyPair}
 
-	var echKey []byte
-	if len(options.ECH.Key) > 0 {
-		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
-	} else if options.KeyPath != "" {
-		content, err := os.ReadFile(options.ECH.KeyPath)
-		if err != nil {
-			return nil, E.Cause(err, "read ECH key")
-		}
-		echKey = content
-	} else {
-		return nil, E.New("missing ECH key")
-	}
-
-	block, rest := pem.Decode(echKey)
+	block, rest := pem.Decode([]byte(strings.Join(options.ECH.Key, "\n")))
 	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
 		return nil, E.New("invalid ECH keys pem")
 	}

common/tls/mkcert.go

@@ -11,34 +11,22 @@ import (
 	"time"
 )
 
-func GenerateCertificate(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
-	privateKeyPem, publicKeyPem, err := GenerateKeyPair(timeFunc, serverName, timeFunc().Add(time.Hour))
-	if err != nil {
-		return nil, err
-	}
-	certificate, err := tls.X509KeyPair(publicKeyPem, privateKeyPem)
-	if err != nil {
-		return nil, err
-	}
-	return &certificate, err
-}
-
-func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.Time) (privateKeyPem []byte, publicKeyPem []byte, err error) {
+func GenerateKeyPair(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
 	if timeFunc == nil {
 		timeFunc = time.Now
 	}
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
-		return
+		return nil, err
 	}
 	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
 	if err != nil {
-		return
+		return nil, err
 	}
 	template := &x509.Certificate{
 		SerialNumber:          serialNumber,
 		NotBefore:             timeFunc().Add(time.Hour * -1),
-		NotAfter:              expire,
+		NotAfter:              timeFunc().Add(time.Hour),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
@@ -49,13 +37,17 @@ func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.T
 	}
 	publicDer, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
 	if err != nil {
-		return
+		return nil, err
 	}
 	privateDer, err := x509.MarshalPKCS8PrivateKey(key)
 	if err != nil {
-		return
+		return nil, err
 	}
-	publicKeyPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicDer})
-	privateKeyPem = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateDer})
-	return
+	publicPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicDer})
+	privPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateDer})
+	keyPair, err := tls.X509KeyPair(publicPem, privPem)
+	if err != nil {
+		return nil, err
+	}
+	return &keyPair, err
 }

common/tls/std_client.go

@@ -7,7 +7,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strings"
 
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -112,8 +111,8 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {

common/tls/std_server.go

@@ -233,7 +233,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		}
 		if certificate == nil && key == nil && options.Insecure {
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateCertificate(ntp.TimeFuncFromContext(ctx), info.ServerName)
+				return GenerateKeyPair(ntp.TimeFuncFromContext(ctx), info.ServerName)
 			}
 		} else {
 			if certificate == nil {

common/tls/utls_client.go

@@ -10,7 +10,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strings"
 
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -169,8 +168,8 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {

common/urltest/urltest.go

@@ -8,7 +8,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -97,25 +96,33 @@ func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err e
 		return
 	}
 	defer instance.Close()
-	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](instance); isEarlyConn && earlyConn.NeedHandshake() {
-		start = time.Now()
-	}
+
 	req, err := http.NewRequest(http.MethodHead, link, nil)
 	if err != nil {
 		return
 	}
-	client := http.Client{
-		Transport: &http.Transport{
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return instance, nil
-			},
+	req = req.WithContext(ctx)
+
+	transport := &http.Transport{
+		Dial: func(string, string) (net.Conn, error) {
+			return instance, nil
 		},
+		// from http.DefaultTransport
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+
+	client := http.Client{
+		Transport: transport,
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
 	}
 	defer client.CloseIdleConnections()
-	resp, err := client.Do(req.WithContext(ctx))
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return
 	}

constant/dns.go

@@ -1,6 +0,0 @@
-package constant
-
-const (
-	DNSProviderAliDNS     = "alidns"
-	DNSProviderCloudflare = "cloudflare"
-)

constant/proxy.go

@@ -22,7 +22,6 @@ const (
 	TypeShadowsocksR = "shadowsocksr"
 	TypeVLESS        = "vless"
 	TypeTUIC         = "tuic"
-	TypeHysteria2    = "hysteria2"
 )
 
 const (
@@ -66,8 +65,6 @@ func ProxyDisplayName(proxyType string) string {
 		return "VLESS"
 	case TypeTUIC:
 		return "TUIC"
-	case TypeHysteria2:
-		return "Hysteria2"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:

debug_go118.go

@@ -5,7 +5,7 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -28,7 +28,7 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit != 0 {
 		// debug.SetMemoryLimit(int64(options.MemoryLimit))
-		conntrack.MemoryLimit = uint64(options.MemoryLimit)
+		conntrack.MemoryLimit = int64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_go119.go

@@ -5,7 +5,7 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -27,8 +27,8 @@ func applyDebugOptions(options option.DebugOptions) {
 		debug.SetTraceback(options.TraceBack)
 	}
 	if options.MemoryLimit != 0 {
-		debug.SetMemoryLimit(int64(float64(options.MemoryLimit) / 1.5))
-		conntrack.MemoryLimit = uint64(options.MemoryLimit)
+		debug.SetMemoryLimit(int64(options.MemoryLimit))
+		conntrack.MemoryLimit = int64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_http.go

@@ -7,12 +7,12 @@ import (
 	"runtime/debug"
 
 	"github.com/sagernet/sing-box/common/badjson"
-	"github.com/sagernet/sing-box/common/humanize"
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 
+	"github.com/dustin/go-humanize"
 	"github.com/go-chi/chi/v5"
 )
 
@@ -37,9 +37,9 @@ func applyDebugListenOption(options option.DebugOptions) {
 			runtime.ReadMemStats(&memStats)
 
 			var memObject badjson.JSONObject
-			memObject.Put("heap", humanize.MemoryBytes(memStats.HeapInuse))
-			memObject.Put("stack", humanize.MemoryBytes(memStats.StackInuse))
-			memObject.Put("idle", humanize.MemoryBytes(memStats.HeapIdle-memStats.HeapReleased))
+			memObject.Put("heap", humanize.IBytes(memStats.HeapInuse))
+			memObject.Put("stack", humanize.IBytes(memStats.StackInuse))
+			memObject.Put("idle", humanize.IBytes(memStats.HeapIdle-memStats.HeapReleased))
 			memObject.Put("goroutines", runtime.NumGoroutine())
 			memObject.Put("rss", rusageMaxRSS())
 

docs/changelog.md

@@ -1,318 +1,3 @@
-#### 1.6.0
-
-* Fixes and improvements
-
-Important changes since 1.5:
-
-* Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
-* Update BBR congestion control for TUIC and Hysteria2 **1**
-* Update brutal congestion control for Hysteria2
-* Add `brutal_debug` option for Hysteria2
-* Update legacy Hysteria protocol **2**
-* Add TLS self sign key pair generate command
-* Remove [Deprecated Features](/deprecated) by agreement
-
-**1**:
-
-None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
-This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
-
-**2**
-
-Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
-the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
-
-
-#### 1.5.5
-
-* Fix IPv6 `auto_route` for Linux **1**
-* Add legacy builds for old Windows and macOS systems **2**
-* Fixes and improvements
-
-**1**:
-
-When `auto_route` is enabled and `strict_route` is disabled, the device can now be reached from external IPv6 addresses.
-
-**2**:
-
-Built using Go 1.20, the last version that will run on Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High Sierra, 10.14 Mojave.
-
-
-#### 1.6.0-rc.4
-
-* Fixes and improvements
-
-#### 1.6.0-rc.1
-
-* Add legacy builds for old Windows and macOS systems **1**
-* Fixes and improvements
-
-**1**:
-
-Built using Go 1.20, the last version that will run on Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High Sierra, 10.14 Mojave.
-
-#### 1.6.0-beta.4
-
-* Fix IPv6 `auto_route` for Linux **1**
-* Fixes and improvements
-
-**1**:
-
-When `auto_route` is enabled and `strict_route` is disabled, the device can now be reached from external IPv6 addresses.
-
-#### 1.5.4
-
-* Fix Clash cache crash on arm32 devices
-* Fixes and improvements
-
-#### 1.6.0-beta.3
-
-* Update the legacy Hysteria protocol **1**
-* Fixes and improvements
-
-**1**
-
-Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
-the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
-
-#### 1.6.0-beta.2
-
-* Add TLS self sign key pair generate command
-* Update brutal congestion control for Hysteria2
-* Fix Clash cache crash on arm32 devices
-* Update golang.org/x/net to v0.17.0
-* Fixes and improvements
-
-#### 1.5.3
-
-* Fix compatibility with Android 14
-* Fixes and improvements
-
-#### 1.6.0-beta.1
-
-* Fixes and improvements
-
-#### 1.6.0-alpha.5
-
-* Fix compatibility with Android 14
-* Update BBR congestion control for TUIC and Hysteria2 **1**
-* Fixes and improvements
-
-**1**:
-
-None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
-This update is intended to fix a memory leak flaw in the new implementation introduced in 1.6.0-alpha.1 and may
-introduce new issues.
-
-#### 1.6.0-alpha.4
-
-* Add `brutal_debug` option for Hysteria2
-* Fixes and improvements
-
-#### 1.5.2
-
-* Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
-* Fixes and improvements
-
-#### 1.6.0-alpha.3
-
-* Fixes and improvements
-
-#### 1.6.0-alpha.2
-
-* Fixes and improvements
-
-#### 1.5.1
-
-* Fixes and improvements
-
-#### 1.6.0-alpha.1
-
-* Update BBR congestion control for TUIC and Hysteria2 **1**
-* Update quic-go to v0.39.0
-* Update gVisor to 20230814.0
-* Remove [Deprecated Features](/deprecated) by agreement
-* Fixes and improvements
-
-**1**:
-
-None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
-This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
-
-#### 1.5.0
-
-* Fixes and improvements
-
-Important changes since 1.4:
-
-* Add TLS [ECH server](/configuration/shared/tls) support
-* Improve TLS TCH client configuration
-* Add TLS ECH key pair generator **1**
-* Add TLS ECH support for QUIC based protocols **2**
-* Add KDE support for the `set_system_proxy` option in HTTP inbound
-* Add Hysteria2 protocol support **3**
-* Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **4**
-* Add DNS01 challenge support for ACME TLS certificate issuer **5**
-* Add `merge` command **6**
-* Mark [Deprecated Features](/deprecated)
-
-**1**:
-
-Command: `sing-box generate ech-keypair <plain_server_name> [--pq-signature-schemes-enabled]`
-
-**2**:
-
-All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria[/2]`, `TUIC` and `V2ray QUIC transport`.
-
-**3**:
-
-See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
-
-For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)
-
-**4**:
-
-Interrupt existing connections when the selected outbound has changed.
-
-Only inbound connections are affected by this setting, internal connections will always be interrupted.
-
-**5**:
-
-Only `Alibaba Cloud DNS` and `Cloudflare` are supported, see [ACME Fields](/configuration/shared/tls#acme-fields)
-and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
-
-**6**:
-
-This command also parses path resources that appear in the configuration file and replaces them with embedded
-configuration, such as TLS certificates or SSH private keys.
-
-#### 1.5.0-rc.6
-
-* Fixes and improvements
-
-#### 1.4.6
-
-* Fixes and improvements
-
-#### 1.5.0-rc.5
-
-* Fixed an improper authentication vulnerability in the SOCKS5 inbound
-* Fixes and improvements
-
-**Security Advisory**
-
-This update fixes an improper authentication vulnerability in the sing-box SOCKS inbound. This vulnerability allows an
-attacker to craft special requests to bypass user authentication. All users exposing SOCKS servers with user
-authentication in an insecure environment are advised to update immediately.
-
-此更新修复了 sing-box SOCKS 入站中的一个不正确身份验证漏洞。 该漏洞允许攻击者制作特殊请求来绕过用户身份验证。建议所有将使用用户认证的
-SOCKS 服务器暴露在不安全环境下的用户立更新。
-
-#### 1.4.5
-
-* Fixed an improper authentication vulnerability in the SOCKS5 inbound
-* Fixes and improvements
-
-**Security Advisory**
-
-This update fixes an improper authentication vulnerability in the sing-box SOCKS inbound. This vulnerability allows an
-attacker to craft special requests to bypass user authentication. All users exposing SOCKS servers with user
-authentication in an insecure environment are advised to update immediately.
-
-此更新修复了 sing-box SOCKS 入站中的一个不正确身份验证漏洞。 该漏洞允许攻击者制作特殊请求来绕过用户身份验证。建议所有将使用用户认证的
-SOCKS 服务器暴露在不安全环境下的用户立更新。
-
-#### 1.5.0-rc.3
-
-* Fixes and improvements
-
-#### 1.5.0-beta.12
-
-* Add `merge` command **1**
-* Fixes and improvements
-
-**1**:
-
-This command also parses path resources that appear in the configuration file and replaces them with embedded
-configuration, such as TLS certificates or SSH private keys.
-
-```
-Merge configurations
-
-Usage:
-  sing-box merge [output] [flags]
-
-Flags:
-  -h, --help   help for merge
-
-Global Flags:
-  -c, --config stringArray             set configuration file path
-  -C, --config-directory stringArray   set configuration directory path
-  -D, --directory string               set working directory
-      --disable-color                  disable color output
-```
-
-#### 1.5.0-beta.11
-
-* Add DNS01 challenge support for ACME TLS certificate issuer **1**
-* Fixes and improvements
-
-**1**:
-
-Only `Alibaba Cloud DNS` and `Cloudflare` are supported,
-see [ACME Fields](/configuration/shared/tls#acme-fields)
-and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
-
-#### 1.5.0-beta.10
-
-* Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **1**
-* Fixes and improvements
-
-**1**:
-
-Interrupt existing connections when the selected outbound has changed.
-
-Only inbound connections are affected by this setting, internal connections will always be interrupted.
-
-#### 1.4.3
-
-* Fixes and improvements
-
-#### 1.5.0-beta.8
-
-* Fixes and improvements
-
-#### 1.4.2
-
-* Fixes and improvements
-
-#### 1.5.0-beta.6
-
-* Fix compatibility issues with official Hysteria2 server and client
-* Fixes and improvements
-* Mark [deprecated features](/deprecated)
-
-#### 1.5.0-beta.3
-
-* Fixes and improvements
-* Updated Hysteria2 documentation **1**
-
-**1**:
-
-Added notes indicating compatibility issues with the official
-Hysteria2 server and client when using `fastOpen=false` or UDP MTU >= 1200.
-
-#### 1.5.0-beta.2
-
-* Add hysteria2 protocol support **1**
-* Fixes and improvements
-
-**1**:
-
-See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
-
-For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)
-
 #### 1.5.0-beta.1
 
 * Add TLS [ECH server](/configuration/shared/tls) support
@@ -323,7 +8,7 @@ For protocol description, please refer to [https://v2.hysteria.network](https://
 
 **1**:
 
-Command: `sing-box generate ech-keypair <plain_server_name> [--pq-signature-schemes-enabled]`
+Command: `sing-box generate ech-keypair <plain_server_name> [-pq-signature-schemes-enabled]`
 
 **2**:
 

docs/configuration/experimental/index.md

@@ -78,7 +78,7 @@ ALWAYS set a secret if RESTful API is listening on 0.0.0.0
 
 #### default_mode
 
-Default mode in clash, `Rule` will be used if empty.
+Default mode in clash, `rule` will be used if empty.
 
 This setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.
 

docs/configuration/experimental/index.zh.md

@@ -76,7 +76,7 @@ RESTful API 的密钥（可选）
 
 #### default_mode
 
-Clash 中的默认模式，默认使用 `Rule`。
+Clash 中的默认模式，默认使用 `rule`。
 
 此设置没有直接影响，但可以通过 `clash_mode` 规则项在路由和 DNS 规则中使用。
 

docs/configuration/inbound/hysteria2.md

@@ -1,90 +0,0 @@
-### Structure
-
-```json
-{
-  "type": "hysteria2",
-  "tag": "hy2-in",
-  
-  ... // Listen Fields
-
-  "up_mbps": 100,
-  "down_mbps": 100,
-  "obfs": {
-    "type": "salamander",
-    "password": "cry_me_a_r1ver"
-  },
-  "users": [
-    {
-      "name": "tobyxdd",
-      "password": "goofy_ahh_password"
-    }
-  ],
-  "ignore_client_bandwidth": false,
-  "tls": {},
-  "masquerade": "",
-  "brutal_debug": false
-}
-```
-
-!!! warning ""
-
-    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
-
-### Listen Fields
-
-See [Listen Fields](/configuration/shared/listen) for details.
-
-### Fields
-
-#### up_mbps, down_mbps
-
-Max bandwidth, in Mbps.
-
-Not limited if empty.
-
-Conflict with `ignore_client_bandwidth`.
-
-#### obfs.type
-
-QUIC traffic obfuscator type, only available with `salamander`.
-
-Disabled if empty.
-
-#### obfs.password
-
-QUIC traffic obfuscator password.
-
-#### users
-
-Hysteria2 users
-
-#### users.password
-
-Authentication password
-
-#### ignore_client_bandwidth
-
-Commands the client to use the BBR flow control algorithm instead of Hysteria CC.
-
-Conflict with `up_mbps` and `down_mbps`.
-
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
-
-#### masquerade
-
-HTTP3 server behavior when authentication fails.
-
-| Scheme       | Example                 | Description        |
-|--------------|-------------------------|--------------------|
-| `file`       | `file:///var/www`       | As a file server   |
-| `http/https` | `http://127.0.0.1:8080` | As a reverse proxy |
-
-A 404 page will be returned if empty.
-
-#### brutal_debug
-
-Enable debug information logging for Hysteria Brutal CC.

docs/configuration/inbound/hysteria2.zh.md

@@ -1,88 +0,0 @@
-### 结构
-
-```json
-{
-  "type": "hysteria2",
-  "tag": "hy2-in",
-  
-  ... // 监听字段
-
-  "up_mbps": 100,
-  "down_mbps": 100,
-  "obfs": {
-    "type": "salamander",
-    "password": "cry_me_a_r1ver"
-  },
-  "users": [
-    {
-      "name": "tobyxdd",
-      "password": "goofy_ahh_password"
-    }
-  ],
-  "ignore_client_bandwidth": false,
-  "tls": {},
-  "masquerade": "",
-  "brutal_debug": false
-}
-```
-
-!!! warning ""
-
-    默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
-
-### 监听字段
-
-参阅 [监听字段](/zh/configuration/shared/listen/)。
-
-### 字段
-
-#### up_mbps, down_mbps
-
-支持的速率，默认不限制。
-
-与 `ignore_client_bandwidth` 冲突。
-
-#### obfs.type
-
-QUIC 流量混淆器类型，仅可设为 `salamander`。
-
-如果为空则禁用。
-
-#### obfs.password
-
-QUIC 流量混淆器密码.
-
-#### users
-
-Hysteria 用户
-
-#### users.password
-
-认证密码。
-
-#### ignore_client_bandwidth
-
-命令客户端使用 BBR 流量控制算法而不是 Hysteria CC。
-
-与 `up_mbps` 和 `down_mbps` 冲突。
-
-#### tls
-
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
-
-#### masquerade
-
-HTTP3 服务器认证失败时的行为。
-
-| Scheme       | 示例                      | 描述      |
-|--------------|-------------------------|---------|
-| `file`       | `file:///var/www`       | 作为文件服务器 |
-| `http/https` | `http://127.0.0.1:8080` | 作为反向代理  |
-
-如果为空，则返回 404 页。
-
-#### brutal_debug
-
-启用 Hysteria Brutal CC 的调试信息日志记录。

docs/configuration/inbound/index.md

@@ -27,8 +27,6 @@
 | `naive`       | [Naive](./naive)             | X          |
 | `hysteria`    | [Hysteria](./hysteria)       | X          |
 | `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP        |
-| `tuic`        | [TUIC](./tuic)               | X          |
-| `hysteria2`   | [Hysteria2](./hysteria2)     | X          |
 | `vless`       | [VLESS](./vless)             | TCP        |
 | `tun`         | [Tun](./tun)                 | X          |
 | `redirect`    | [Redirect](./redirect)       | X          |

docs/configuration/inbound/index.zh.md

@@ -26,10 +26,6 @@
 | `trojan`      | [Trojan](./trojan)           | TCP  |
 | `naive`       | [Naive](./naive)             | X    |
 | `hysteria`    | [Hysteria](./hysteria)       | X    |
-| `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP  |
-| `tuic`        | [TUIC](./tuic)               | X    |
-| `hysteria2`   | [Hysteria2](./hysteria2)     | X    |
-| `vless`       | [VLESS](./vless)             | TCP  |
 | `tun`         | [Tun](./tun)                 | X    |
 | `redirect`    | [Redirect](./redirect)       | X    |
 | `tproxy`      | [TProxy](./tproxy)           | X    |

docs/configuration/inbound/shadowsocks.md

@@ -82,3 +82,49 @@ Both if empty.
 | none          | /                                              |
 | 2022 methods  | `sing-box generate rand --base64 <Key Length>` |
 | other methods | any string                                     |
+
+### Listen Fields
+
+#### listen
+
+==Required==
+
+Listen address.
+
+#### listen_port
+
+==Required==
+
+Listen port.
+
+#### tcp_fast_open
+
+Enable tcp fast open for listener.
+
+#### sniff
+
+Enable sniffing.
+
+See [Protocol Sniff](/configuration/route/sniff/) for details.
+
+#### sniff_override_destination
+
+Override the connection destination address with the sniffed domain.
+
+If the domain name is invalid (like tor), this will not work.
+
+#### domain_strategy
+
+One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
+
+If set, the requested domain name will be resolved to IP before routing.
+
+If `sniff_override_destination` is in effect, its value will be taken as a fallback.
+
+#### udp_timeout
+
+UDP NAT expiration time in seconds, default is 300 (5 minutes).
+
+#### proxy_protocol
+
+Parse [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header.

docs/configuration/index.md

@@ -31,17 +31,11 @@ sing-box uses JSON for configuration files.
 ### Check
 
 ```bash
-sing-box check
+$ sing-box check
 ```
 
 ### Format
 
 ```bash
-sing-box format -w -c config.json -D config_directory
-```
-
-### Merge
-
-```bash
-sing-box merge output.json -c config.json -D config_directory
+$ sing-box format -w
 ```

docs/configuration/index.zh.md

@@ -29,17 +29,11 @@ sing-box 使用 JSON 作为配置文件格式。
 ### 检查
 
 ```bash
-sing-box check
+$ sing-box check
 ```
 
 ### 格式化
 
 ```bash
-sing-box format -w -c config.json -D config_directory
-```
-
-### 合并
-
-```bash
-sing-box merge output.json -c config.json -D config_directory
+$ sing-box format -w
 ```

docs/configuration/outbound/hysteria2.md

@@ -1,83 +0,0 @@
-### Structure
-
-```json
-{
-  "type": "hysteria2",
-  "tag": "hy2-out",
-  
-  "server": "127.0.0.1",
-  "server_port": 1080,
-  "up_mbps": 100,
-  "down_mbps": 100,
-  "obfs": {
-    "type": "salamander",
-    "password": "cry_me_a_r1ver"
-  },
-  "password": "goofy_ahh_password",
-  "network": "tcp",
-  "tls": {},
-  "brutal_debug": false,
-  
-  ... // Dial Fields
-}
-```
-
-!!! warning ""
-
-    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
-
-### Fields
-
-#### server
-
-==Required==
-
-The server address.
-
-#### server_port
-
-==Required==
-
-The server port.
-
-#### up_mbps, down_mbps
-
-Max bandwidth, in Mbps.
-
-If empty, the BBR congestion control algorithm will be used instead of Hysteria CC.
-
-#### obfs.type
-
-QUIC traffic obfuscator type, only available with `salamander`.
-
-Disabled if empty.
-
-#### obfs.password
-
-QUIC traffic obfuscator password.
-
-#### password
-
-Authentication password.
-
-#### network
-
-Enabled network
-
-One of `tcp` `udp`.
-
-Both is enabled by default.
-
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
-
-#### brutal_debug
-
-Enable debug information logging for Hysteria Brutal CC.
-
-### Dial Fields
-
-See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/hysteria2.zh.md

@@ -1,83 +0,0 @@
-### 结构
-
-```json
-{
-  "type": "hysteria2",
-  "tag": "hy2-out",
-
-  "server": "127.0.0.1",
-  "server_port": 1080,
-  "up_mbps": 100,
-  "down_mbps": 100,
-  "obfs": {
-    "type": "salamander",
-    "password": "cry_me_a_r1ver"
-  },
-  "password": "goofy_ahh_password",
-  "network": "tcp",
-  "tls": {},
-  "brutal_debug": false,
-  
-  ... // 拨号字段
-}
-```
-
-!!! warning ""
-
-    默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
-
-### 字段
-
-#### server
-
-==必填==
-
-服务器地址。
-
-#### server_port
-
-==必填==
-
-服务器端口。
-
-#### up_mbps, down_mbps
-
-最大带宽。
-
-如果为空，将使用 BBR 流量控制算法而不是 Hysteria CC。
-
-#### obfs.type
-
-QUIC 流量混淆器类型，仅可设为 `salamander`。
-
-如果为空则禁用。
-
-#### obfs.password
-
-QUIC 流量混淆器密码.
-
-#### password
-
-认证密码。
-
-#### network
-
-启用的网络协议。
-
-`tcp` 或 `udp`。
-
-默认所有。
-
-#### tls
-
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
-
-#### brutal_debug
-
-启用 Hysteria Brutal CC 的调试信息日志记录。
-
-### 拨号字段
-
-参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/outbound/index.md

@@ -29,8 +29,6 @@
 | `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
 | `vless`        | [VLESS](./vless)               |
 | `shadowtls`    | [ShadowTLS](./shadowtls)       |
-| `tuic`         | [TUIC](./tuic)                 |
-| `hysteria2`    | [Hysteria2](./hysteria2)       |
 | `tor`          | [Tor](./tor)                   |
 | `ssh`          | [SSH](./ssh)                   |
 | `dns`          | [DNS](./dns)                   |

docs/configuration/outbound/index.zh.md

@@ -28,9 +28,6 @@
 | `hysteria`     | [Hysteria](./hysteria)         |
 | `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
 | `vless`        | [VLESS](./vless)               |
-| `shadowtls`    | [ShadowTLS](./shadowtls)       |
-| `tuic`         | [TUIC](./tuic)                 |
-| `hysteria2`    | [Hysteria2](./hysteria2)       |
 | `tor`          | [Tor](./tor)                   |
 | `ssh`          | [SSH](./ssh)                   |
 | `dns`          | [DNS](./dns)                   |

docs/configuration/outbound/selector.md

@@ -10,8 +10,7 @@
     "proxy-b",
     "proxy-c"
   ],
-  "default": "proxy-c",
-  "interrupt_exist_connections": false
+  "default": "proxy-c"
 }
 ```
 
@@ -29,10 +28,4 @@ List of outbound tags to select.
 
 #### default
 
-The default outbound tag. The first outbound will be used if empty.
-
-#### interrupt_exist_connections
-
-Interrupt existing connections when the selected outbound has changed.
-
-Only inbound connections are affected by this setting, internal connections will always be interrupted.
+The default outbound tag. The first outbound will be used if empty.

docs/configuration/outbound/selector.zh.md

@@ -10,8 +10,7 @@
     "proxy-b",
     "proxy-c"
   ],
-  "default": "proxy-c",
-  "interrupt_exist_connections": false
+  "default": "proxy-c"
 }
 ```
 
@@ -30,9 +29,3 @@
 #### default
 
 默认的出站标签。默认使用第一个出站。
-
-#### interrupt_exist_connections
-
-当选定的出站发生更改时，中断现有连接。
-
-仅入站连接受此设置影响，内部连接将始终被中断。

docs/configuration/outbound/urltest.md

@@ -12,8 +12,7 @@
   ],
   "url": "https://www.gstatic.com/generate_204",
   "interval": "1m",
-  "tolerance": 50,
-  "interrupt_exist_connections": false
+  "tolerance": 50
 }
 ```
 
@@ -36,9 +35,3 @@ The test interval. `1m` will be used if empty.
 #### tolerance
 
 The test tolerance in milliseconds. `50` will be used if empty.
-
-#### interrupt_exist_connections
-
-Interrupt existing connections when the selected outbound has changed.
-
-Only inbound connections are affected by this setting, internal connections will always be interrupted.

docs/configuration/outbound/urltest.zh.md

@@ -12,8 +12,7 @@
   ],
   "url": "https://www.gstatic.com/generate_204",
   "interval": "1m",
-  "tolerance": 50,
-  "interrupt_exist_connections": false
+  "tolerance": 50
 }
 ```
 
@@ -36,9 +35,3 @@
 #### tolerance
 
 以毫秒为单位的测试容差。 默认使用 `50`。
-
-#### interrupt_exist_connections
-
-当选定的出站发生更改时，中断现有连接。
-
-仅入站连接受此设置影响，内部连接将始终被中断。

docs/configuration/shared/dns01_challenge.md

@@ -1,31 +0,0 @@
-### Structure
-
-```json
-{
-  "provider": "",
-  
-  ... // Provider Fields
-}
-```
-
-### Provider Fields
-
-#### Alibaba Cloud DNS
-
-```json
-{
-  "provider": "alidns",
-  "access_key_id": "",
-  "access_key_secret": "",
-  "region_id": ""
-}
-```
-
-#### Cloudflare
-
-```json
-{
-  "provider": "cloudflare",
-  "api_token": ""
-}
-```

docs/configuration/shared/dns01_challenge.zh.md

@@ -1,31 +0,0 @@
-### 结构
-
-```json
-{
-  "provider": "",
-  
-  ... // 提供商字段
-}
-```
-
-### 提供商字段
-
-#### Alibaba Cloud DNS
-
-```json
-{
-  "provider": "alidns",
-  "access_key_id": "",
-  "access_key_secret": "",
-  "region_id": ""
-}
-```
-
-#### Cloudflare
-
-```json
-{
-  "provider": "cloudflare",
-  "api_token": ""
-}
-```

docs/configuration/shared/tls.md

@@ -25,8 +25,7 @@
     "external_account": {
       "key_id": "",
       "mac_key": ""
-    },
-    "dns01_challenge": {}
+    }
   },
   "ech": {
     "enabled": false,
@@ -233,7 +232,7 @@ Chrome fingerprint will be used if empty.
 ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
 message.
 
-The ECH key and configuration can be generated by `sing-box generate ech-keypair [--pq-signature-schemes-enabled]`.
+The ECH key and configuration can be generated by `sing-box generate ech-keypair [-pq-signature-schemes-enabled]`.
 
 #### pq_signature_schemes_enabled
 
@@ -349,12 +348,6 @@ The key identifier.
 
 The MAC key.
 
-#### dns01_challenge
-
-ACME DNS01 challenge field. If configured, other challenge methods will be disabled.
-
-See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge) for details.
-
 ### Reality Fields
 
 !!! warning ""

docs/configuration/shared/tls.zh.md

@@ -25,8 +25,7 @@
     "external_account": {
       "key_id": "",
       "mac_key": ""
-    },
-    "dns01_challenge": {}
+    }
   },
   "ech": {
     "enabled": false,
@@ -228,13 +227,13 @@ ECH (Encrypted Client Hello) 是一个 TLS 扩展，它允许客户端加密其
 信息。
 
 
-ECH 配置和密钥可以通过 `sing-box generate ech-keypair [--pq-signature-schemes-enabled]` 生成。
+ECH 配置和密钥可以通过 `sing-box generated ech-keypair [-pq-signature-schemes-enabled]` 生成。
 
 #### pq_signature_schemes_enabled
 
 启用对后量子对等证书签名方案的支持。
 
-建议匹配 `sing-box generate ech-keypair` 的参数。
+建议匹配 `sing-box generated ech-keypair` 的参数。
 
 #### dynamic_record_sizing_disabled
 
@@ -340,12 +339,6 @@ EAB（外部帐户绑定）包含将 ACME 帐户绑定或映射到其他已知
 
 MAC 密钥。
 
-#### dns01_challenge
-
-ACME DNS01 验证字段。如果配置，将禁用其他验证方法。
-
-参阅 [DNS01 验证字段](/configuration/shared/dns01_challenge)。
-
 ### Reality 字段
 
 !!! warning ""

docs/deprecated.md

@@ -1,13 +0,0 @@
-# Deprecated Feature List
-
-The following features will be marked deprecated in 1.5.0 and removed entirely in 1.6.0.
-
-#### ShadowsocksR
-
-ShadowsocksR support has never been enabled by default, since the most commonly used proxy sales panel in the
-illegal industry stopped using this protocol, it does not make sense to continue to maintain it.
-
-#### Proxy Protocol
-
-Proxy Protocol is added by Pull Request, has problems, is only used by the backend of HTTP multiplexers such as nginx,
-is intrusive, and is meaningless for proxy purposes.

docs/installation/clients/sfi.zh.md

@@ -15,7 +15,7 @@
 #### 注意事项
 
 * 远程配置文件请求中的 User Agent 为 `SFI/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `Settings` -> `View Service Log`
+* 崩溃日志位于 `设置` -> `查看服务日志`
 
 #### 隐私政策
 

docs/installation/clients/sfm.zh.md

@@ -21,7 +21,7 @@
 #### 注意事项
 
 * 远程配置文件请求中的 User Agent 为 `SFM/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `Settings` -> `View Service Log`
+* 崩溃日志位于 `设置` -> `查看服务日志`
 
 #### 隐私政策
 

docs/installation/clients/sft.md

@@ -8,7 +8,6 @@ Experimental Apple tvOS client for sing-box.
 
 #### Download
 
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
 * [TestFlight](https://testflight.apple.com/join/AcqO44FH)
 
 #### Features
@@ -16,7 +15,7 @@ Experimental Apple tvOS client for sing-box.
 Full functionality, except for:
 
 * Only remote configuration files can be created manually
-* You need to update SFI to the latest version to import profiles from iPhone/iPad
+* You need to update SFI to the latest beta version to import profiles from iPhone/iPad
 * No iCloud profile support
 
 #### Note

docs/installation/clients/sft.zh.md

@@ -1,31 +0,0 @@
-# SFI
-
-实验性的 Apple tvOS sing-box 客户端。
-
-#### 要求
-
-* tvOS 17.0+
-* 一个非中国大陆地区的 Apple 账号
-
-#### 下载
-
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### 特性
-
-完整的功能，除了：
-
-* 只能手动创建远程配置文件
-* 您需要将 SFI 更新到最新版本才能从 iPhone/iPad 导入配置文件
-* 没有 iCloud 配置文件支持
-
-#### 注意事项
-
-* 远程配置文件请求中的 User Agent 为 `SFT/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `Settings` -> `View Service Log`
-
-#### 隐私政策
-
-* SFT 不收集或共享个人数据。
-* 软件生成的数据始终在您的设备上。

experimental/clashapi/cachefile/cache.go

@@ -1,18 +1,16 @@
 package cachefile
 
 import (
-	"errors"
 	"net/netip"
 	"os"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/sagernet/bbolt"
-	bboltErrors "github.com/sagernet/bbolt/errors"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
+
+	"go.etcd.io/bbolt"
 )
 
 var (
@@ -44,25 +42,13 @@ type CacheFile struct {
 func Open(path string, cacheID string) (*CacheFile, error) {
 	const fileMode = 0o666
 	options := bbolt.Options{Timeout: time.Second}
-	var (
-		db  *bbolt.DB
-		err error
-	)
-	for i := 0; i < 10; i++ {
-		db, err = bbolt.Open(path, fileMode, &options)
-		if err == nil {
+	db, err := bbolt.Open(path, fileMode, &options)
+	switch err {
+	case bbolt.ErrInvalid, bbolt.ErrChecksum, bbolt.ErrVersionMismatch:
+		if err = os.Remove(path); err != nil {
 			break
 		}
-		if errors.Is(err, bboltErrors.ErrTimeout) {
-			continue
-		}
-		if E.IsMulti(err, bboltErrors.ErrInvalid, bboltErrors.ErrChecksum, bboltErrors.ErrVersionMismatch) {
-			rmErr := os.Remove(path)
-			if rmErr != nil {
-				return nil, err
-			}
-		}
-		time.Sleep(100 * time.Millisecond)
+		db, err = bbolt.Open(path, 0o666, &options)
 	}
 	if err != nil {
 		return nil, err

experimental/clashapi/cachefile/fakeip.go

@@ -5,10 +5,11 @@ import (
 	"os"
 	"time"
 
-	"github.com/sagernet/bbolt"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
+
+	"go.etcd.io/bbolt"
 )
 
 const fakeipBucketPrefix = "fakeip_"

experimental/clashapi/server.go

@@ -90,7 +90,7 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 		defaultMode = options.DefaultMode
 	}
 	if !common.Contains(server.modeList, defaultMode) {
-		server.modeList = append([]string{defaultMode}, server.modeList...)
+		server.modeList = append(server.modeList, defaultMode)
 	}
 	server.mode = defaultMode
 	if options.StoreMode || options.StoreSelected || options.StoreFakeIP || options.ExternalController == "" {

experimental/libbox/build_info.go

@@ -1,234 +0,0 @@
-//go:build android
-
-package libbox
-
-import (
-	"archive/zip"
-	"bytes"
-	"debug/buildinfo"
-	"io"
-	"runtime/debug"
-	"strings"
-
-	"github.com/sagernet/sing/common"
-)
-
-const (
-	androidVPNCoreTypeOpenVPN     = "OpenVPN"
-	androidVPNCoreTypeShadowsocks = "Shadowsocks"
-	androidVPNCoreTypeClash       = "Clash"
-	androidVPNCoreTypeV2Ray       = "V2Ray"
-	androidVPNCoreTypeWireGuard   = "WireGuard"
-	androidVPNCoreTypeSingBox     = "sing-box"
-	androidVPNCoreTypeUnknown     = "Unknown"
-)
-
-type AndroidVPNType struct {
-	CoreType  string
-	CorePath  string
-	GoVersion string
-}
-
-func ReadAndroidVPNType(publicSourceDirList StringIterator) (*AndroidVPNType, error) {
-	apkPathList := iteratorToArray[string](publicSourceDirList)
-	var lastError error
-	for _, apkPath := range apkPathList {
-		androidVPNType, err := readAndroidVPNType(apkPath)
-		if androidVPNType == nil {
-			if err != nil {
-				lastError = err
-			}
-			continue
-		}
-		return androidVPNType, nil
-	}
-	return nil, lastError
-}
-
-func readAndroidVPNType(publicSourceDir string) (*AndroidVPNType, error) {
-	reader, err := zip.OpenReader(publicSourceDir)
-	if err != nil {
-		return nil, err
-	}
-	defer reader.Close()
-	var lastError error
-	for _, file := range reader.File {
-		if !strings.HasPrefix(file.Name, "lib/") {
-			continue
-		}
-		vpnType, err := readAndroidVPNTypeEntry(file)
-		if err != nil {
-			lastError = err
-			continue
-		}
-		return vpnType, nil
-	}
-	for _, file := range reader.File {
-		if !strings.HasPrefix(file.Name, "lib/") {
-			continue
-		}
-		if strings.Contains(file.Name, androidVPNCoreTypeOpenVPN) || strings.Contains(file.Name, "ovpn") {
-			return &AndroidVPNType{CoreType: androidVPNCoreTypeOpenVPN}, nil
-		}
-		if strings.Contains(file.Name, androidVPNCoreTypeShadowsocks) {
-			return &AndroidVPNType{CoreType: androidVPNCoreTypeShadowsocks}, nil
-		}
-	}
-	return nil, lastError
-}
-
-func readAndroidVPNTypeEntry(zipFile *zip.File) (*AndroidVPNType, error) {
-	readCloser, err := zipFile.Open()
-	if err != nil {
-		return nil, err
-	}
-	libContent := make([]byte, zipFile.UncompressedSize64)
-	_, err = io.ReadFull(readCloser, libContent)
-	readCloser.Close()
-	if err != nil {
-		return nil, err
-	}
-	buildInfo, err := buildinfo.Read(bytes.NewReader(libContent))
-	if err != nil {
-		return nil, err
-	}
-	var vpnType AndroidVPNType
-	vpnType.GoVersion = buildInfo.GoVersion
-	if !strings.HasPrefix(vpnType.GoVersion, "go") {
-		vpnType.GoVersion = "obfuscated"
-	} else {
-		vpnType.GoVersion = vpnType.GoVersion[2:]
-	}
-	vpnType.CoreType = androidVPNCoreTypeUnknown
-	if len(buildInfo.Deps) == 0 {
-		vpnType.CoreType = "obfuscated"
-		return &vpnType, nil
-	}
-
-	dependencies := make(map[string]bool)
-	dependencies[buildInfo.Path] = true
-	for _, module := range buildInfo.Deps {
-		dependencies[module.Path] = true
-		if module.Replace != nil {
-			dependencies[module.Replace.Path] = true
-		}
-	}
-	for dependency := range dependencies {
-		pkgType, loaded := determinePkgType(dependency)
-		if loaded {
-			vpnType.CoreType = pkgType
-		}
-	}
-	if vpnType.CoreType == androidVPNCoreTypeUnknown {
-		for dependency := range dependencies {
-			pkgType, loaded := determinePkgTypeSecondary(dependency)
-			if loaded {
-				vpnType.CoreType = pkgType
-				return &vpnType, nil
-			}
-		}
-	}
-	if vpnType.CoreType != androidVPNCoreTypeUnknown {
-		vpnType.CorePath, _ = determineCorePath(buildInfo, vpnType.CoreType)
-		return &vpnType, nil
-	}
-	if dependencies["github.com/golang/protobuf"] && dependencies["github.com/v2fly/ss-bloomring"] {
-		vpnType.CoreType = androidVPNCoreTypeV2Ray
-		return &vpnType, nil
-	}
-	return &vpnType, nil
-}
-
-func determinePkgType(pkgName string) (string, bool) {
-	pkgNameLower := strings.ToLower(pkgName)
-	if strings.Contains(pkgNameLower, "clash") {
-		return androidVPNCoreTypeClash, true
-	}
-	if strings.Contains(pkgNameLower, "v2ray") || strings.Contains(pkgNameLower, "xray") {
-		return androidVPNCoreTypeV2Ray, true
-	}
-
-	if strings.Contains(pkgNameLower, "sing-box") {
-		return androidVPNCoreTypeSingBox, true
-	}
-	return "", false
-}
-
-func determinePkgTypeSecondary(pkgName string) (string, bool) {
-	pkgNameLower := strings.ToLower(pkgName)
-	if strings.Contains(pkgNameLower, "wireguard") {
-		return androidVPNCoreTypeWireGuard, true
-	}
-	return "", false
-}
-
-func determineCorePath(pkgInfo *buildinfo.BuildInfo, pkgType string) (string, bool) {
-	switch pkgType {
-	case androidVPNCoreTypeClash:
-		return determineCorePathForPkgs(pkgInfo, []string{"github.com/Dreamacro/clash"}, []string{"clash"})
-	case androidVPNCoreTypeV2Ray:
-		if v2rayVersion, loaded := determineCorePathForPkgs(pkgInfo, []string{
-			"github.com/v2fly/v2ray-core",
-			"github.com/v2fly/v2ray-core/v4",
-			"github.com/v2fly/v2ray-core/v5",
-		}, []string{
-			"v2ray",
-		}); loaded {
-			return v2rayVersion, true
-		}
-		if xrayVersion, loaded := determineCorePathForPkgs(pkgInfo, []string{
-			"github.com/xtls/xray-core",
-		}, []string{
-			"xray",
-		}); loaded {
-			return xrayVersion, true
-		}
-		return "", false
-	case androidVPNCoreTypeSingBox:
-		return determineCorePathForPkgs(pkgInfo, []string{"github.com/sagernet/sing-box"}, []string{"sing-box"})
-	case androidVPNCoreTypeWireGuard:
-		return determineCorePathForPkgs(pkgInfo, []string{"golang.zx2c4.com/wireguard"}, []string{"wireguard"})
-	default:
-		return "", false
-	}
-}
-
-func determineCorePathForPkgs(pkgInfo *buildinfo.BuildInfo, pkgs []string, names []string) (string, bool) {
-	for _, pkg := range pkgs {
-		if pkgInfo.Path == pkg {
-			return pkg, true
-		}
-		strictDependency := common.Find(pkgInfo.Deps, func(module *debug.Module) bool {
-			return module.Path == pkg
-		})
-		if strictDependency != nil {
-			if isValidVersion(strictDependency.Version) {
-				return strictDependency.Path + " " + strictDependency.Version, true
-			} else {
-				return strictDependency.Path, true
-			}
-		}
-	}
-	for _, name := range names {
-		if strings.Contains(pkgInfo.Path, name) {
-			return pkgInfo.Path, true
-		}
-		looseDependency := common.Find(pkgInfo.Deps, func(module *debug.Module) bool {
-			return strings.Contains(module.Path, name) || (module.Replace != nil && strings.Contains(module.Replace.Path, name))
-		})
-		if looseDependency != nil {
-			return looseDependency.Path, true
-		}
-	}
-	return "", false
-}
-
-func isValidVersion(version string) bool {
-	if version == "(devel)" {
-		return false
-	}
-	if strings.Contains(version, "v0.0.0") {
-		return false
-	}
-	return true
-}

experimental/libbox/command.go

@@ -11,6 +11,4 @@ const (
 	CommandGroupExpand
 	CommandClashMode
 	CommandSetClashMode
-	CommandGetSystemProxyStatus
-	CommandSetSystemProxyEnabled
 )

experimental/libbox/command_client.go

@@ -5,7 +5,6 @@ import (
 	"net"
 	"os"
 	"path/filepath"
-	"time"
 
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -25,7 +24,6 @@ type CommandClientOptions struct {
 type CommandClientHandler interface {
 	Connected()
 	Disconnected(message string)
-	ClearLog()
 	WriteLog(message string)
 	WriteStatus(message *StatusMessage)
 	WriteGroups(message OutboundGroupIterator)
@@ -55,24 +53,9 @@ func (c *CommandClient) directConnect() (net.Conn, error) {
 	}
 }
 
-func (c *CommandClient) directConnectWithRetry() (net.Conn, error) {
-	var (
-		conn net.Conn
-		err  error
-	)
-	for i := 0; i < 10; i++ {
-		conn, err = c.directConnect()
-		if err == nil {
-			return conn, nil
-		}
-		time.Sleep(time.Duration(100+i*50) * time.Millisecond)
-	}
-	return nil, err
-}
-
 func (c *CommandClient) Connect() error {
 	common.Close(c.conn)
-	conn, err := c.directConnectWithRetry()
+	conn, err := c.directConnect()
 	if err != nil {
 		return err
 	}

experimental/libbox/command_conntrack.go

@@ -6,7 +6,7 @@ import (
 	runtimeDebug "runtime/debug"
 	"time"
 
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 )
 
 func (c *CommandClient) CloseConnections() error {

experimental/libbox/command_log.go

@@ -23,9 +23,6 @@ func readLog(reader io.Reader) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	if messageLength == 0 {
-		return nil, nil
-	}
 	data := make([]byte, messageLength)
 	_, err = io.ReadFull(reader, data)
 	if err != nil {
@@ -35,24 +32,14 @@ func readLog(reader io.Reader) ([]byte, error) {
 }
 
 func writeLog(writer io.Writer, message []byte) error {
-	err := binary.Write(writer, binary.BigEndian, uint8(0))
+	err := binary.Write(writer, binary.BigEndian, uint16(len(message)))
 	if err != nil {
 		return err
 	}
-	err = binary.Write(writer, binary.BigEndian, uint16(len(message)))
-	if err != nil {
-		return err
-	}
-	if len(message) > 0 {
-		_, err = writer.Write(message)
-	}
+	_, err = writer.Write(message)
 	return err
 }
 
-func writeClearLog(writer io.Writer) error {
-	return binary.Write(writer, binary.BigEndian, uint8(1))
-}
-
 func (s *CommandServer) handleLogConn(conn net.Conn) error {
 	var savedLines []string
 	s.access.Lock()
@@ -82,11 +69,6 @@ func (s *CommandServer) handleLogConn(conn net.Conn) error {
 			if err != nil {
 				return err
 			}
-		case <-s.logReset:
-			err = writeClearLog(conn)
-			if err != nil {
-				return err
-			}
 		case <-done:
 			return nil
 		}
@@ -95,24 +77,12 @@ func (s *CommandServer) handleLogConn(conn net.Conn) error {
 
 func (c *CommandClient) handleLogConn(conn net.Conn) {
 	for {
-		var messageType uint8
-		err := binary.Read(conn, binary.BigEndian, &messageType)
+		message, err := readLog(conn)
 		if err != nil {
 			c.handler.Disconnected(err.Error())
 			return
 		}
-		var message []byte
-		switch messageType {
-		case 0:
-			message, err = readLog(conn)
-			if err != nil {
-				c.handler.Disconnected(err.Error())
-				return
-			}
-			c.handler.WriteLog(string(message))
-		case 1:
-			c.handler.ClearLog()
-		}
+		c.handler.WriteLog(string(message))
 	}
 }
 

experimental/libbox/command_server.go

@@ -23,32 +23,28 @@ type CommandServer struct {
 	handler  CommandServerHandler
 
 	access     sync.Mutex
-	savedLines list.List[string]
+	savedLines *list.List[string]
 	maxLines   int
 	subscriber *observable.Subscriber[string]
 	observer   *observable.Observer[string]
 	service    *BoxService
 
-	// These channels only work with a single client. if multi-client support is needed, replace with Subscriber/Observer
 	urlTestUpdate chan struct{}
 	modeUpdate    chan struct{}
-	logReset      chan struct{}
 }
 
 type CommandServerHandler interface {
 	ServiceReload() error
-	GetSystemProxyStatus() *SystemProxyStatus
-	SetSystemProxyEnabled(isEnabled bool) error
 }
 
 func NewCommandServer(handler CommandServerHandler, maxLines int32) *CommandServer {
 	server := &CommandServer{
 		handler:       handler,
+		savedLines:    new(list.List[string]),
 		maxLines:      int(maxLines),
 		subscriber:    observable.NewSubscriber[string](128),
 		urlTestUpdate: make(chan struct{}, 1),
 		modeUpdate:    make(chan struct{}, 1),
-		logReset:      make(chan struct{}, 1),
 	}
 	server.observer = observable.NewObserver[string](server.subscriber, 64)
 	return server
@@ -58,11 +54,6 @@ func (s *CommandServer) SetService(newService *BoxService) {
 	if newService != nil {
 		service.PtrFromContext[urltest.HistoryStorage](newService.ctx).SetHook(s.urlTestUpdate)
 		newService.instance.Router().ClashServer().(*clashapi.Server).SetModeUpdateHook(s.modeUpdate)
-		s.savedLines.Init()
-		select {
-		case s.logReset <- struct{}{}:
-		default:
-		}
 	}
 	s.service = newService
 	s.notifyURLTestUpdate()
@@ -168,10 +159,6 @@ func (s *CommandServer) handleConnection(conn net.Conn) error {
 		return s.handleModeConn(conn)
 	case CommandSetClashMode:
 		return s.handleSetClashMode(conn)
-	case CommandGetSystemProxyStatus:
-		return s.handleGetSystemProxyStatus(conn)
-	case CommandSetSystemProxyEnabled:
-		return s.handleSetSystemProxyEnabled(conn)
 	default:
 		return E.New("unknown command: ", command)
 	}

experimental/libbox/command_status.go

@@ -6,15 +6,13 @@ import (
 	"runtime"
 	"time"
 
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/memory"
 )
 
 type StatusMessage struct {
 	Memory           int64
-	MemoryInuse      int64
 	Goroutines       int32
 	ConnectionsIn    int32
 	ConnectionsOut   int32
@@ -26,8 +24,10 @@ type StatusMessage struct {
 }
 
 func (s *CommandServer) readStatus() StatusMessage {
+	var memStats runtime.MemStats
+	runtime.ReadMemStats(&memStats)
 	var message StatusMessage
-	message.Memory = int64(memory.Inuse())
+	message.Memory = int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
 	message.Goroutines = int32(runtime.NumGoroutine())
 	message.ConnectionsOut = int32(conntrack.Count())
 

experimental/libbox/command_system_proxy.go

@@ -1,82 +0,0 @@
-package libbox
-
-import (
-	"encoding/binary"
-	"net"
-)
-
-type SystemProxyStatus struct {
-	Available bool
-	Enabled   bool
-}
-
-func (c *CommandClient) GetSystemProxyStatus() (*SystemProxyStatus, error) {
-	conn, err := c.directConnectWithRetry()
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	err = binary.Write(conn, binary.BigEndian, uint8(CommandGetSystemProxyStatus))
-	if err != nil {
-		return nil, err
-	}
-	var status SystemProxyStatus
-	err = binary.Read(conn, binary.BigEndian, &status.Available)
-	if err != nil {
-		return nil, err
-	}
-	if status.Available {
-		err = binary.Read(conn, binary.BigEndian, &status.Enabled)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return &status, nil
-}
-
-func (s *CommandServer) handleGetSystemProxyStatus(conn net.Conn) error {
-	defer conn.Close()
-	status := s.handler.GetSystemProxyStatus()
-	err := binary.Write(conn, binary.BigEndian, status.Available)
-	if err != nil {
-		return err
-	}
-	if status.Available {
-		err = binary.Write(conn, binary.BigEndian, status.Enabled)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (c *CommandClient) SetSystemProxyEnabled(isEnabled bool) error {
-	conn, err := c.directConnect()
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-	err = binary.Write(conn, binary.BigEndian, uint8(CommandSetSystemProxyEnabled))
-	if err != nil {
-		return err
-	}
-	err = binary.Write(conn, binary.BigEndian, isEnabled)
-	if err != nil {
-		return err
-	}
-	return readError(conn)
-}
-
-func (s *CommandServer) handleSetSystemProxyEnabled(conn net.Conn) error {
-	defer conn.Close()
-	var isEnabled bool
-	err := binary.Read(conn, binary.BigEndian, &isEnabled)
-	if err != nil {
-		return err
-	}
-	err = s.handler.SetSystemProxyEnabled(isEnabled)
-	if err != nil {
-		return writeError(conn, err)
-	}
-	return writeError(conn, nil)
-}

experimental/libbox/log.go

@@ -4,7 +4,6 @@ package libbox
 
 import (
 	"os"
-	"runtime"
 
 	"golang.org/x/sys/unix"
 )
@@ -19,14 +18,12 @@ func RedirectStderr(path string) error {
 	if err != nil {
 		return err
 	}
-	if runtime.GOOS != "android" {
-		if sUserID > 0 {
-			err = outputFile.Chown(sUserID, sGroupID)
-			if err != nil {
-				outputFile.Close()
-				os.Remove(outputFile.Name())
-				return err
-			}
+	if sUserID > 0 {
+		err = outputFile.Chown(sUserID, sGroupID)
+		if err != nil {
+			outputFile.Close()
+			os.Remove(outputFile.Name())
+			return err
 		}
 	}
 	err = unix.Dup2(int(outputFile.Fd()), int(os.Stderr.Fd()))

experimental/libbox/memory.go

@@ -4,15 +4,14 @@ import (
 	"math"
 	runtimeDebug "runtime/debug"
 
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 )
 
 func SetMemoryLimit(enabled bool) {
-	const memoryLimit = 45 * 1024 * 1024
-	const memoryLimitGo = memoryLimit / 1.5
+	const memoryLimit = 30 * 1024 * 1024
 	if enabled {
 		runtimeDebug.SetGCPercent(10)
-		runtimeDebug.SetMemoryLimit(memoryLimitGo)
+		runtimeDebug.SetMemoryLimit(memoryLimit)
 		conntrack.KillerEnabled = true
 		conntrack.MemoryLimit = memoryLimit
 	} else {

experimental/libbox/monitor.go

@@ -65,17 +65,6 @@ func (m *platformDefaultInterfaceMonitor) DefaultInterfaceIndex(destination neti
 	return m.defaultInterfaceIndex
 }
 
-func (m *platformDefaultInterfaceMonitor) DefaultInterface(destination netip.Addr) (string, int) {
-	for _, address := range m.networkAddresses {
-		for _, prefix := range address.addresses {
-			if prefix.Contains(destination) {
-				return address.interfaceName, address.interfaceIndex
-			}
-		}
-	}
-	return m.defaultInterfaceName, m.defaultInterfaceIndex
-}
-
 func (m *platformDefaultInterfaceMonitor) OverrideAndroidVPN() bool {
 	return false
 }

experimental/libbox/profile_import.go

@@ -163,29 +163,25 @@ func DecodeProfileContentRequest(data []byte) (*ProfileContentRequest, error) {
 }
 
 type ProfileContent struct {
-	Name               string
-	Type               int32
-	Config             string
-	RemotePath         string
-	AutoUpdate         bool
-	AutoUpdateInterval int32
-	LastUpdated        int64
+	Name        string
+	Type        int32
+	Config      string
+	RemotePath  string
+	AutoUpdate  bool
+	LastUpdated int64
 }
 
 func (c *ProfileContent) Encode() []byte {
 	buffer := new(bytes.Buffer)
 	buffer.WriteByte(MessageTypeProfileContent)
-	buffer.WriteByte(1)
+	buffer.WriteByte(0)
 	writer := gzip.NewWriter(buffer)
 	rw.WriteVString(writer, c.Name)
 	binary.Write(writer, binary.BigEndian, c.Type)
 	rw.WriteVString(writer, c.Config)
 	if c.Type != ProfileTypeLocal {
 		rw.WriteVString(writer, c.RemotePath)
-	}
-	if c.Type == ProfileTypeRemote {
 		binary.Write(writer, binary.BigEndian, c.AutoUpdate)
-		binary.Write(writer, binary.BigEndian, c.AutoUpdateInterval)
 		binary.Write(writer, binary.BigEndian, c.LastUpdated)
 	}
 	writer.Flush()
@@ -206,8 +202,12 @@ func DecodeProfileContent(data []byte) (*ProfileContent, error) {
 	if err != nil {
 		return nil, err
 	}
-	reader, err = gzip.NewReader(reader)
-	if err != nil {
+	if version == 0 {
+		reader, err = gzip.NewReader(reader)
+		if err != nil {
+			return nil, E.Cause(err, "unsupported profile")
+		}
+	} else {
 		return nil, E.Cause(err, "unsupported profile")
 	}
 	var content ProfileContent
@@ -228,18 +228,10 @@ func DecodeProfileContent(data []byte) (*ProfileContent, error) {
 		if err != nil {
 			return nil, err
 		}
-	}
-	if content.Type == ProfileTypeRemote || (version == 0 && content.Type != ProfileTypeLocal) {
 		err = binary.Read(reader, binary.BigEndian, &content.AutoUpdate)
 		if err != nil {
 			return nil, err
 		}
-		if version >= 1 {
-			err = binary.Read(reader, binary.BigEndian, &content.AutoUpdateInterval)
-			if err != nil {
-				return nil, err
-			}
-		}
 		err = binary.Read(reader, binary.BigEndian, &content.LastUpdated)
 		if err != nil {
 			return nil, err

experimental/libbox/service.go

@@ -80,7 +80,6 @@ func (s *BoxService) Sleep() {
 
 func (s *BoxService) Wake() {
 	s.pauseManager.DeviceWake()
-	_ = s.instance.Router().ResetNetwork()
 }
 
 var _ platform.Interface = (*platformInterfaceWrapper)(nil)

experimental/libbox/setup.go

@@ -5,8 +5,9 @@ import (
 	"os/user"
 	"strconv"
 
-	"github.com/sagernet/sing-box/common/humanize"
 	C "github.com/sagernet/sing-box/constant"
+
+	"github.com/dustin/go-humanize"
 )
 
 var (
@@ -45,11 +46,7 @@ func Version() string {
 }
 
 func FormatBytes(length int64) string {
-	return humanize.Bytes(uint64(length))
-}
-
-func FormatMemoryBytes(length int64) string {
-	return humanize.MemoryBytes(uint64(length))
+	return humanize.IBytes(uint64(length))
 }
 
 func ProxyDisplayType(proxyType string) string {

go.mod

@@ -4,37 +4,36 @@ go 1.20
 
 require (
 	berty.tech/go-libtor v1.0.385
+	github.com/Dreamacro/clash v1.17.0
 	github.com/caddyserver/certmagic v0.19.2
-	github.com/cloudflare/circl v1.3.5
+	github.com/cloudflare/circl v1.3.3
 	github.com/cretz/bine v0.2.0
-	github.com/fsnotify/fsnotify v1.7.0
+	github.com/dustin/go-humanize v1.0.1
+	github.com/fsnotify/fsnotify v1.6.0
 	github.com/go-chi/chi/v5 v5.0.10
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
 	github.com/gofrs/uuid/v5 v5.0.0
-	github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c
-	github.com/libdns/alidns v1.0.3
-	github.com/libdns/cloudflare v0.1.0
+	github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/mholt/acmez v1.2.0
-	github.com/miekg/dns v1.1.56
+	github.com/miekg/dns v1.1.55
 	github.com/ooni/go-libtor v1.1.8
 	github.com/oschwald/maxminddb-golang v1.12.0
-	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
+	github.com/pires/go-proxyproto v0.7.0
 	github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a
-	github.com/sagernet/gomobile v0.0.0-20230915142329-c6740b6d2950
-	github.com/sagernet/gvisor v0.0.0-20230930141345-5fef6f2e17ab
-	github.com/sagernet/quic-go v0.0.0-20231008035953-32727fef9460
+	github.com/sagernet/gomobile v0.0.0-20230728014906-3de089147f59
+	github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2
+	github.com/sagernet/quic-go v0.0.0-20230831052420-45809eee2e86
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.2.16-0.20231021090846-8002db54c028
-	github.com/sagernet/sing-dns v0.1.10
-	github.com/sagernet/sing-mux v0.1.3
-	github.com/sagernet/sing-quic v0.1.3-0.20231026034240-fa3d997246b6
-	github.com/sagernet/sing-shadowsocks v0.2.5
-	github.com/sagernet/sing-shadowsocks2 v0.1.4
+	github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c
+	github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1
+	github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8
+	github.com/sagernet/sing-shadowsocks v0.2.4
+	github.com/sagernet/sing-shadowsocks2 v0.1.3
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/sing-tun v0.1.17-0.20231026060825-efd9884154a6
-	github.com/sagernet/sing-vmess v0.1.8
+	github.com/sagernet/sing-tun v0.1.12-0.20230821065522-7545dc2d5641
+	github.com/sagernet/sing-vmess v0.1.7
 	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37
 	github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6
 	github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2
@@ -42,13 +41,15 @@ require (
 	github.com/sagernet/wireguard-go v0.0.0-20230807125731-5d4a7ef2dc5f
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
-	go.uber.org/zap v1.26.0
+	go.etcd.io/bbolt v1.3.7
+	go.uber.org/zap v1.25.0
 	go4.org/netipx v0.0.0-20230824141953-6213f710f925
-	golang.org/x/crypto v0.14.0
-	golang.org/x/net v0.17.0
-	golang.org/x/sys v0.13.0
+	golang.org/x/crypto v0.12.0
+	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
+	golang.org/x/net v0.14.0
+	golang.org/x/sys v0.11.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
-	google.golang.org/grpc v1.59.0
+	google.golang.org/grpc v1.57.0
 	google.golang.org/protobuf v1.31.0
 	howett.net/plist v1.0.0
 )
@@ -56,10 +57,10 @@ require (
 //replace github.com/sagernet/sing => ../sing
 
 require (
+	github.com/Dreamacro/protobytes v0.0.0-20230617041236-6500a9f4f158 // indirect
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/getsentry/sentry-go v0.25.0 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
@@ -68,7 +69,7 @@ require (
 	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/native v1.1.0 // indirect
-	github.com/klauspost/compress v1.16.0 // indirect
+	github.com/klauspost/compress v1.15.15 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
@@ -76,7 +77,7 @@ require (
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.3.4 // indirect
+	github.com/quic-go/qtls-go1-20 v0.3.3 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
 	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect
@@ -85,12 +86,11 @@ require (
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
-	golang.org/x/mod v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/text v0.12.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.14.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
+	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.2.1 // indirect