Bump version

Network Extension was observed to stop for unknown reasons

.github/workflows/build.yml

@@ -144,7 +144,7 @@ jobs:
             ~/go/go1.20.14
           key: go120
       - name: Setup legacy Go
-        if: matrix.require_legacy_go == 'true' && steps.cache-legacy-go.outputs.cache-hit != 'true'
+        if: matrix.require_legacy_go && steps.cache-legacy-go.outputs.cache-hit != 'true'
         run: |-
           wget https://dl.google.com/go/go1.20.14.linux-amd64.tar.gz
           tar -xzf go1.20.14.linux-amd64.tar.gz
@@ -159,7 +159,7 @@ jobs:
         uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser-pro
-          version: latest
+          version: 2.5.1
           install-only: true
       - name: Extract signing key
         run: |-
@@ -224,7 +224,7 @@ jobs:
         id: setup-ndk
         uses: nttld/setup-ndk@v1
         with:
-          ndk-version: r28-beta2
+          ndk-version: r28-beta3
       - name: Setup OpenJDK
         run: |-
           sudo apt update && sudo apt install -y openjdk-17-jdk-headless
@@ -299,7 +299,7 @@ jobs:
         id: setup-ndk
         uses: nttld/setup-ndk@v1
         with:
-          ndk-version: r28-beta2
+          ndk-version: r28-beta3
       - name: Setup OpenJDK
         run: |-
           sudo apt update && sudo apt install -y openjdk-17-jdk-headless
@@ -548,7 +548,7 @@ jobs:
         uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser-pro
-          version: latest
+          version: 2.5.1
           install-only: true
       - name: Cache ghr
         uses: actions/cache@v4

.goreleaser.yaml

@@ -52,7 +52,7 @@ builds:
     env:
       - CGO_ENABLED=0
       - GOROOT={{ .Env.GOPATH }}/go1.20.14
-    gobinary: "{{ .Env.GOPATH }}/go1.20.14/bin/go"
+    tool: "{{ .Env.GOPATH }}/go1.20.14/bin/go"
     targets:
       - windows_amd64_v1
       - windows_386

adapter/experimental.go

@@ -39,17 +39,17 @@ type CacheFile interface {
 	StoreSelected(group string, selected string) error
 	LoadGroupExpand(group string) (isExpand bool, loaded bool)
 	StoreGroupExpand(group string, expand bool) error
-	LoadRuleSet(tag string) *SavedRuleSet
-	SaveRuleSet(tag string, set *SavedRuleSet) error
+	LoadRuleSet(tag string) *SavedBinary
+	SaveRuleSet(tag string, set *SavedBinary) error
 }
 
-type SavedRuleSet struct {
+type SavedBinary struct {
 	Content     []byte
 	LastUpdated time.Time
 	LastEtag    string
 }
 
-func (s *SavedRuleSet) MarshalBinary() ([]byte, error) {
+func (s *SavedBinary) MarshalBinary() ([]byte, error) {
 	var buffer bytes.Buffer
 	err := binary.Write(&buffer, binary.BigEndian, uint8(1))
 	if err != nil {
@@ -70,7 +70,7 @@ func (s *SavedRuleSet) MarshalBinary() ([]byte, error) {
 	return buffer.Bytes(), nil
 }
 
-func (s *SavedRuleSet) UnmarshalBinary(data []byte) error {
+func (s *SavedBinary) UnmarshalBinary(data []byte) error {
 	reader := bytes.NewReader(data)
 	var version uint8
 	err := binary.Read(reader, binary.BigEndian, &version)

box.go

@@ -399,7 +399,7 @@ func (s *Box) Close() error {
 		close(s.done)
 	}
 	err := common.Close(
-		s.inbound, s.outbound, s.router, s.connection, s.network,
+		s.inbound, s.outbound, s.endpoint, s.router, s.connection, s.network,
 	)
 	for _, lifecycleService := range s.services {
 		err = E.Append(err, lifecycleService.Close(), func(err error) error {

cmd/internal/build_shared/sdk.go

@@ -48,7 +48,7 @@ func FindSDK() {
 }
 
 func findNDK() bool {
-	const fixedVersion = "28.0.12674087"
+	const fixedVersion = "28.0.12916984"
 	const versionFile = "source.properties"
 	if fixedPath := filepath.Join(androidSDKPath, "ndk", fixedVersion); rw.IsFile(filepath.Join(fixedPath, versionFile)) {
 		androidNDKPath = fixedPath

cmd/sing-box/cmd_generate_tls.go

@@ -30,7 +30,7 @@ func init() {
 }
 
 func generateTLSKeyPair(serverName string) error {
-	privateKeyPem, publicKeyPem, err := tls.GenerateKeyPair(time.Now, serverName, time.Now().AddDate(0, flagGenerateTLSKeyPairMonths, 0))
+	privateKeyPem, publicKeyPem, err := tls.GenerateCertificate(nil, nil, time.Now, serverName, time.Now().AddDate(0, flagGenerateTLSKeyPairMonths, 0))
 	if err != nil {
 		return err
 	}

cmd/sing-box/cmd_rule_set_upgrade.go

@@ -61,14 +61,15 @@ func upgradeRuleSet(sourcePath string) error {
 		log.Info("already up-to-date")
 		return nil
 	}
-	plainRuleSet, err := plainRuleSetCompat.Upgrade()
+	plainRuleSetCompat.Options, err = plainRuleSetCompat.Upgrade()
 	if err != nil {
 		return err
 	}
+	plainRuleSetCompat.Version = C.RuleSetVersionCurrent
 	buffer := new(bytes.Buffer)
 	encoder := json.NewEncoder(buffer)
 	encoder.SetIndent("", "  ")
-	err = encoder.Encode(plainRuleSet)
+	err = encoder.Encode(plainRuleSetCompat)
 	if err != nil {
 		return E.Cause(err, "encode config")
 	}

common/tls/mkcert.go

@@ -11,8 +11,8 @@ import (
 	"time"
 )
 
-func GenerateCertificate(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
-	privateKeyPem, publicKeyPem, err := GenerateKeyPair(timeFunc, serverName, timeFunc().Add(time.Hour))
+func GenerateKeyPair(parent *x509.Certificate, parentKey any, timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
+	privateKeyPem, publicKeyPem, err := GenerateCertificate(parent, parentKey, timeFunc, serverName, timeFunc().Add(time.Hour))
 	if err != nil {
 		return nil, err
 	}
@@ -23,7 +23,7 @@ func GenerateCertificate(timeFunc func() time.Time, serverName string) (*tls.Cer
 	return &certificate, err
 }
 
-func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.Time) (privateKeyPem []byte, publicKeyPem []byte, err error) {
+func GenerateCertificate(parent *x509.Certificate, parentKey any, timeFunc func() time.Time, serverName string, expire time.Time) (privateKeyPem []byte, publicKeyPem []byte, err error) {
 	if timeFunc == nil {
 		timeFunc = time.Now
 	}
@@ -47,7 +47,11 @@ func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.T
 		},
 		DNSNames: []string{serverName},
 	}
-	publicDer, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
+	if parent == nil {
+		parent = template
+		parentKey = key
+	}
+	publicDer, err := x509.CreateCertificate(rand.Reader, template, parent, key.Public(), parentKey)
 	if err != nil {
 		return
 	}

common/tls/std_server.go

@@ -222,7 +222,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		}
 		if certificate == nil && key == nil && options.Insecure {
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateCertificate(ntp.TimeFuncFromContext(ctx), info.ServerName)
+				return GenerateKeyPair(nil, nil, ntp.TimeFuncFromContext(ctx), info.ServerName)
 			}
 		} else {
 			if certificate == nil {

docs/changelog.md

@@ -2,16 +2,362 @@
 icon: material/alert-decagram
 ---
 
+### 1.11.1
+
+* Fixes and improvements
+
+### 1.11.0
+
+Important changes since 1.10:
+
+* Introducing rule actions **1**
+* Improve tun compatibility **3**
+* Merge route options to route actions **4**
+* Add `network_type`, `network_is_expensive` and `network_is_constrainted` rule items **5**
+* Add multi network dialing **6**
+* Add `cache_capacity` DNS option **7**
+* Add `override_address` and `override_port` route options **8**
+* Upgrade WireGuard outbound to endpoint **9**
+* Add UDP GSO support for WireGuard
+* Make GSO adaptive **10**
+* Add UDP timeout route option **11**
+* Add more masquerade options for hysteria2 **12**
+* Add `rule-set merge` command
+* Add port hopping support for Hysteria2 **13**
+* Hysteria2 `ignore_client_bandwidth` behavior update **14**
+
+**1**:
+
+New rule actions replace legacy inbound fields and special outbound fields,
+and can be used for pre-matching **2**.
+
+See [Rule](/configuration/route/rule/),
+[Rule Action](/configuration/route/rule_action/),
+[DNS Rule](/configuration/dns/rule/) and
+[DNS Rule Action](/configuration/dns/rule_action/).
+
+For migration, see
+[Migrate legacy special outbounds to rule actions](/migration/#migrate-legacy-special-outbounds-to-rule-actions),
+[Migrate legacy inbound fields to rule actions](/migration/#migrate-legacy-inbound-fields-to-rule-actions)
+and [Migrate legacy DNS route options to rule actions](/migration/#migrate-legacy-dns-route-options-to-rule-actions).
+
+**2**:
+
+Similar to Surge's pre-matching.
+
+Specifically, new rule actions allow you to reject connections with
+TCP RST (for TCP connections) and ICMP port unreachable (for UDP packets)
+before connection established to improve tun's compatibility.
+
+See [Rule Action](/configuration/route/rule_action/).
+
+**3**:
+
+When `gvisor` tun stack is enabled, even if the request passes routing,
+if the outbound connection establishment fails,
+the connection still does not need to be established and a TCP RST is replied.
+
+**4**:
+
+Route options in DNS route actions will no longer be considered deprecated,
+see [DNS Route Action](/configuration/dns/rule_action/).
+
+Also, now `udp_disable_domain_unmapping` and `udp_connect` can also be configured in route action,
+see [Route Action](/configuration/route/rule_action/).
+
+**5**:
+
+When using in graphical clients, new routing rule items allow you to match on
+network type (WIFI, cellular, etc.), whether the network is expensive, and whether Low Data Mode is enabled.
+
+See [Route Rule](/configuration/route/rule/), [DNS Route Rule](/configuration/dns/rule/)
+and [Headless Rule](/configuration/rule-set/headless-rule/).
+
+**6**:
+
+Similar to Surge's strategy.
+
+New options allow you to connect using multiple network interfaces,
+prefer or only use one type of interface,
+and configure a timeout to fallback to other interfaces.
+
+See [Dial Fields](/configuration/shared/dial/#network_strategy),
+[Rule Action](/configuration/route/rule_action/#network_strategy)
+and [Route](/configuration/route/#default_network_strategy).
+
+**7**:
+
+See [DNS](/configuration/dns/#cache_capacity).
+
+**8**:
+
+See [Rule Action](/configuration/route/#override_address) and
+[Migrate destination override fields to route options](/migration/#migrate-destination-override-fields-to-route-options).
+
+**9**:
+
+The new WireGuard endpoint combines inbound and outbound capabilities,
+and the old outbound will be removed in sing-box 1.13.0.
+
+See [Endpoint](/configuration/endpoint/), [WireGuard Endpoint](/configuration/endpoint/wireguard/)
+and [Migrate WireGuard outbound fields to route options](/migration/#migrate-wireguard-outbound-to-endpoint).
+
+**10**:
+
+For WireGuard outbound and endpoint, GSO will be automatically enabled when available,
+see [WireGuard Outbound](/configuration/outbound/wireguard/#gso).
+
+For TUN, GSO has been removed,
+see [Deprecated](/deprecated/#gso-option-in-tun).
+
+**11**:
+
+See [Rule Action](/configuration/route/rule_action/#udp_timeout).
+
+**12**:
+
+See [Hysteria2](/configuration/inbound/hysteria2/#masquerade).
+
+**13**:
+
+See [Hysteria2](/configuration/outbound/hysteria2/).
+
+**14**:
+
+When `up_mbps` and `down_mbps` are set, `ignore_client_bandwidth` instead denies clients from using BBR CC.
+
 ### 1.10.7
 
 * Fixes and improvements
 
+#### 1.11.0-beta.20
+
+* Hysteria2 `ignore_client_bandwidth` behavior update **1**
+* Fixes and improvements
+
+**1**:
+
+When `up_mbps` and `down_mbps` are set, `ignore_client_bandwidth` instead denies clients from using BBR CC.
+
+See [Hysteria2](/configuration/inbound/hysteria2/#ignore_client_bandwidth).
+
+#### 1.11.0-beta.17
+
+* Add port hopping support for Hysteria2 **1**
+* Fixes and improvements
+
+**1**:
+
+See [Hysteria2](/configuration/outbound/hysteria2/).
+
+#### 1.11.0-beta.14
+
+* Allow adding route (exclude) address sets to routes **1**
+* Fixes and improvements
+
+**1**:
+
+When `auto_redirect` is not enabled, directly add `route[_exclude]_address_set`
+to tun routes (equivalent to `route[_exclude]_address`).
+
+Note that it **doesn't work on the Android graphical client** due to
+the Android VpnService not being able to handle a large number of routes (DeadSystemException),
+but otherwise it works fine on all command line clients and Apple platforms.
+
+See [route_address_set](/configuration/inbound/tun/#route_address_set) and
+[route_exclude_address_set](/configuration/inbound/tun/#route_exclude_address_set).
+
+#### 1.11.0-beta.12
+
+* Add `rule-set merge` command
+* Fixes and improvements
+
+#### 1.11.0-beta.3
+
+* Add more masquerade options for hysteria2 **1**
+* Fixes and improvements
+
+**1**:
+
+See [Hysteria2](/configuration/inbound/hysteria2/#masquerade).
+
+#### 1.11.0-alpha.25
+
+* Update quic-go to v0.48.2
+* Fixes and improvements
+
+#### 1.11.0-alpha.22
+
+* Add UDP timeout route option **1**
+* Fixes and improvements
+
+**1**:
+
+See [Rule Action](/configuration/route/rule_action/#udp_timeout).
+
+#### 1.11.0-alpha.20
+
+* Add UDP GSO support for WireGuard
+* Make GSO adaptive **1**
+
+**1**:
+
+For WireGuard outbound and endpoint, GSO will be automatically enabled when available,
+see [WireGuard Outbound](/configuration/outbound/wireguard/#gso).
+
+For TUN, GSO has been removed,
+see [Deprecated](/deprecated/#gso-option-in-tun).
+
+#### 1.11.0-alpha.19
+
+* Upgrade WireGuard outbound to endpoint **1**
+* Fixes and improvements
+
+**1**:
+
+The new WireGuard endpoint combines inbound and outbound capabilities,
+and the old outbound will be removed in sing-box 1.13.0.
+
+See [Endpoint](/configuration/endpoint/), [WireGuard Endpoint](/configuration/endpoint/wireguard/)
+and [Migrate WireGuard outbound fields to route options](/migration/#migrate-wireguard-outbound-to-endpoint).
+
 ### 1.10.2
 
 * Add deprecated warnings
 * Fix proxying websocket connections in HTTP/mixed inbounds
 * Fixes and improvements
 
+#### 1.11.0-alpha.18
+
+* Fixes and improvements
+
+#### 1.11.0-alpha.16
+
+* Add `cache_capacity` DNS option **1**
+* Add `override_address` and `override_port` route options **2**
+* Fixes and improvements
+
+**1**:
+
+See [DNS](/configuration/dns/#cache_capacity).
+
+**2**:
+
+See [Rule Action](/configuration/route/#override_address) and
+[Migrate destination override fields to route options](/migration/#migrate-destination-override-fields-to-route-options).
+
+#### 1.11.0-alpha.15
+
+* Improve multi network dialing **1**
+* Fixes and improvements
+
+**1**:
+
+New options allow you to configure the network strategy flexibly.
+
+See [Dial Fields](/configuration/shared/dial/#network_strategy),
+[Rule Action](/configuration/route/rule_action/#network_strategy)
+and [Route](/configuration/route/#default_network_strategy).
+
+#### 1.11.0-alpha.14
+
+* Add multi network dialing **1**
+* Fixes and improvements
+
+**1**:
+
+Similar to Surge's strategy.
+
+New options allow you to connect using multiple network interfaces,
+prefer or only use one type of interface,
+and configure a timeout to fallback to other interfaces.
+
+See [Dial Fields](/configuration/shared/dial/#network_strategy),
+[Rule Action](/configuration/route/rule_action/#network_strategy)
+and [Route](/configuration/route/#default_network_strategy).
+
+#### 1.11.0-alpha.13
+
+* Fixes and improvements
+
+#### 1.11.0-alpha.12
+
+* Merge route options to route actions **1**
+* Add `network_type`, `network_is_expensive` and `network_is_constrainted` rule items **2**
+* Fixes and improvements
+
+**1**:
+
+Route options in DNS route actions will no longer be considered deprecated,
+see [DNS Route Action](/configuration/dns/rule_action/).
+
+Also, now `udp_disable_domain_unmapping` and `udp_connect` can also be configured in route action,
+see [Route Action](/configuration/route/rule_action/).
+
+**2**:
+
+When using in graphical clients, new routing rule items allow you to match on
+network type (WIFI, cellular, etc.), whether the network is expensive, and whether Low Data Mode is enabled.
+
+See [Route Rule](/configuration/route/rule/), [DNS Route Rule](/configuration/dns/rule/)
+and [Headless Rule](/configuration/rule-set/headless-rule/).
+
+#### 1.11.0-alpha.9
+
+* Improve tun compatibility **1**
+* Fixes and improvements
+
+**1**:
+
+When `gvisor` tun stack is enabled, even if the request passes routing,
+if the outbound connection establishment fails,
+the connection still does not need to be established and a TCP RST is replied.
+
+#### 1.11.0-alpha.7
+
+* Introducing rule actions **1**
+
+**1**:
+
+New rule actions replace legacy inbound fields and special outbound fields,
+and can be used for pre-matching **2**.
+
+See [Rule](/configuration/route/rule/),
+[Rule Action](/configuration/route/rule_action/),
+[DNS Rule](/configuration/dns/rule/) and
+[DNS Rule Action](/configuration/dns/rule_action/).
+
+For migration, see
+[Migrate legacy special outbounds to rule actions](/migration/#migrate-legacy-special-outbounds-to-rule-actions),
+[Migrate legacy inbound fields to rule actions](/migration/#migrate-legacy-inbound-fields-to-rule-actions)
+and [Migrate legacy DNS route options to rule actions](/migration/#migrate-legacy-dns-route-options-to-rule-actions).
+
+**2**:
+
+Similar to Surge's pre-matching.
+
+Specifically, new rule actions allow you to reject connections with
+TCP RST (for TCP connections) and ICMP port unreachable (for UDP packets)
+before connection established to improve tun's compatibility.
+
+See [Rule Action](/configuration/route/rule_action/).
+
+#### 1.11.0-alpha.6
+
+* Update quic-go to v0.48.1
+* Set gateway for tun correctly
+* Fixes and improvements
+
+#### 1.11.0-alpha.2
+
+* Add warnings for usage of deprecated features
+* Fixes and improvements
+
+#### 1.11.0-alpha.1
+
+* Update quic-go to v0.48.0
+* Fixes and improvements
+
 ### 1.10.1
 
 * Fixes and improvements
@@ -87,7 +433,7 @@ allows you to write headless rules directly without creating a rule-set file.
 
 **8**:
 
-With the new access control options, not only can you allow Clash dashboards
+With new access control options, not only can you allow Clash dashboards
 to access the Clash API on your local network,
 you can also manually limit the websites that can access the API instead of allowing everyone.
 

docs/configuration/outbound/wireguard.zh.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "已在 sing-box 1.11.0 废弃"
 
-    WireGuard 出站已被启用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-wireguard-outbound-to-endpoint)。
+    WireGuard 出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-wireguard-outbound-to-endpoint)。
 
 !!! quote "sing-box 1.11.0 中的更改"
 

docs/configuration/route/rule_action.md

@@ -31,6 +31,45 @@ Tag of target outbound.
 
 See `route-options` fields below.
 
+### reject
+
+```json
+{
+  "action": "reject",
+  "method": "default", // default
+  "no_drop": false
+}
+```
+
+`reject` reject connections
+
+The specified method is used for reject tun connections if `sniff` action has not been performed yet.
+
+For non-tun connections and already established connections, will just be closed.
+
+#### method
+
+- `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.
+- `drop`: Drop packets.
+
+#### no_drop
+
+If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
+
+Not available when `method` is set to drop.
+
+### hijack-dns
+
+```json
+{
+  "action": "hijack-dns"
+}
+```
+
+`hijack-dns` hijack DNS requests to the sing-box DNS module.
+
+## Non-final actions
+
 ### route-options
 
 ```json
@@ -109,45 +148,6 @@ If no protocol is sniffed, the following ports will be recognized as protocols b
 | 443  | `quic`   |
 | 3478 | `stun`   |
 
-### reject
-
-```json
-{
-  "action": "reject",
-  "method": "default", // default
-  "no_drop": false
-}
-```
-
-`reject` reject connections
-
-The specified method is used for reject tun connections if `sniff` action has not been performed yet.
-
-For non-tun connections and already established connections, will just be closed.
-
-#### method
-
-- `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.
-- `drop`: Drop packets.
-
-#### no_drop
-
-If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
-
-Not available when `method` is set to drop.
-
-### hijack-dns
-
-```json
-{
-  "action": "hijack-dns"
-}
-```
-
-`hijack-dns` hijack DNS requests to the sing-box DNS module.
-
-## Non-final actions
-
 ### sniff
 
 ```json

docs/configuration/route/rule_action.zh.md

@@ -27,6 +27,45 @@ icon: material/new-box
 
 参阅下方的 `route-options` 字段。
 
+### reject
+
+```json
+{
+  "action": "reject",
+  "method": "default",  // 默认
+  "no_drop": false
+}
+```
+
+`reject` 拒绝连接。
+
+如果尚未执行 `sniff` 操作，则将使用指定方法拒绝 tun 连接。
+
+对于非 tun 连接和已建立的连接，将直接关闭。
+
+#### method
+
+- `default`: 对于 TCP 连接回复 RST，对于 UDP 包回复 ICMP 端口不可达。
+- `drop`: 丢弃数据包。
+
+#### no_drop
+
+如果未启用，则 30 秒内触发 50 次后，`method` 将被暂时覆盖为 `drop`。
+
+当 `method` 设为 `drop` 时不可用。
+
+### hijack-dns
+
+```json
+{
+  "action": "hijack-dns"
+}
+```
+
+`hijack-dns` 劫持 DNS 请求至 sing-box DNS 模块。
+
+## 非最终动作
+
 ### route-options
 
 ```json
@@ -107,45 +146,6 @@ UDP 连接超时时间。
 | 443  | `quic` |
 | 3478 | `stun` |
 
-### reject
-
-```json
-{
-  "action": "reject",
-  "method": "default",  // 默认
-  "no_drop": false
-}
-```
-
-`reject` 拒绝连接。
-
-如果尚未执行 `sniff` 操作，则将使用指定方法拒绝 tun 连接。
-
-对于非 tun 连接和已建立的连接，将直接关闭。
-
-#### method
-
-- `default`: 对于 TCP 连接回复 RST，对于 UDP 包回复 ICMP 端口不可达。
-- `drop`: 丢弃数据包。
-
-#### no_drop
-
-如果未启用，则 30 秒内触发 50 次后，`method` 将被暂时覆盖为 `drop`。
-
-当 `method` 设为 `drop` 时不可用。
-
-### hijack-dns
-
-```json
-{
-  "action": "hijack-dns"
-}
-```
-
-`hijack-dns` 劫持 DNS 请求至 sing-box DNS 模块。
-
-## 非最终动作
-
 ### sniff
 
 ```json

experimental/cachefile/cache.go

@@ -284,8 +284,8 @@ func (c *CacheFile) StoreGroupExpand(group string, isExpand bool) error {
 	})
 }
 
-func (c *CacheFile) LoadRuleSet(tag string) *adapter.SavedRuleSet {
-	var savedSet adapter.SavedRuleSet
+func (c *CacheFile) LoadRuleSet(tag string) *adapter.SavedBinary {
+	var savedSet adapter.SavedBinary
 	err := c.DB.View(func(t *bbolt.Tx) error {
 		bucket := c.bucket(t, bucketRuleSet)
 		if bucket == nil {
@@ -303,7 +303,7 @@ func (c *CacheFile) LoadRuleSet(tag string) *adapter.SavedRuleSet {
 	return &savedSet
 }
 
-func (c *CacheFile) SaveRuleSet(tag string, set *adapter.SavedRuleSet) error {
+func (c *CacheFile) SaveRuleSet(tag string, set *adapter.SavedBinary) error {
 	return c.DB.Batch(func(t *bbolt.Tx) error {
 		bucket, err := c.createBucket(t, bucketRuleSet)
 		if err != nil {

experimental/libbox/config.go

@@ -66,10 +66,6 @@ func (s *platformInterfaceStub) OpenTun(options *tun.Options, platformOptions op
 	return nil, os.ErrInvalid
 }
 
-func (s *platformInterfaceStub) UpdateRouteOptions(options *tun.Options, platformInterface option.TunPlatformOptions) error {
-	return os.ErrInvalid
-}
-
 func (s *platformInterfaceStub) UsePlatformDefaultInterfaceMonitor() bool {
 	return true
 }

experimental/libbox/platform.go

@@ -9,7 +9,6 @@ type PlatformInterface interface {
 	UsePlatformAutoDetectInterfaceControl() bool
 	AutoDetectInterfaceControl(fd int32) error
 	OpenTun(options TunOptions) (int32, error)
-	UpdateRouteOptions(options TunOptions) error
 	WriteLog(message string)
 	UseProcFS() bool
 	FindConnectionOwner(ipProtocol int32, sourceAddress string, sourcePort int32, destinationAddress string, destinationPort int32) (int32, error)

experimental/libbox/platform/interface.go

@@ -13,7 +13,6 @@ type Interface interface {
 	UsePlatformAutoDetectInterfaceControl() bool
 	AutoDetectInterfaceControl(fd int) error
 	OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error)
-	UpdateRouteOptions(options *tun.Options, platformOptions option.TunPlatformOptions) error
 	CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor
 	Interfaces() ([]adapter.NetworkInterface, error)
 	UnderNetworkExtension() bool

experimental/libbox/service.go

@@ -174,20 +174,6 @@ func (w *platformInterfaceWrapper) OpenTun(options *tun.Options, platformOptions
 	return tun.New(*options)
 }
 
-func (w *platformInterfaceWrapper) UpdateRouteOptions(options *tun.Options, platformOptions option.TunPlatformOptions) error {
-	if len(options.IncludeUID) > 0 || len(options.ExcludeUID) > 0 {
-		return E.New("android: unsupported uid options")
-	}
-	if len(options.IncludeAndroidUser) > 0 {
-		return E.New("android: unsupported android_user option")
-	}
-	routeRanges, err := options.BuildAutoRouteRanges(true)
-	if err != nil {
-		return err
-	}
-	return w.iif.UpdateRouteOptions(&tunOptions{options, routeRanges, platformOptions})
-}
-
 func (w *platformInterfaceWrapper) CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor {
 	return &platformDefaultInterfaceMonitor{
 		platformInterfaceWrapper: w,

experimental/locale/locale.go

@@ -7,11 +7,13 @@ var (
 
 type Locale struct {
 	// deprecated messages for graphical clients
+	Locale                  string
 	DeprecatedMessage       string
 	DeprecatedMessageNoLink string
 }
 
 var defaultLocal = &Locale{
+	Locale:                  "en_US",
 	DeprecatedMessage:       "%s is deprecated in sing-box %s and will be removed in sing-box %s please checkout documentation for migration.",
 	DeprecatedMessageNoLink: "%s is deprecated in sing-box %s and will be removed in sing-box %s.",
 }

experimental/locale/locale_zh_CN.go

@@ -4,6 +4,7 @@ var warningMessageForEndUsers = "\n\n如果您不明白此消息意味着什么
 
 func init() {
 	localeRegistry["zh_CN"] = &Locale{
+		Locale:                  "zh_CN",
 		DeprecatedMessage:       "%s 已在 sing-box %s 中被弃用，且将在 sing-box %s 中被移除，请参阅迁移指南。" + warningMessageForEndUsers,
 		DeprecatedMessageNoLink: "%s 已在 sing-box %s 中被弃用，且将在 sing-box %s 中被移除。" + warningMessageForEndUsers,
 	}

protocol/tun/inbound.go

@@ -305,7 +305,7 @@ func (t *Inbound) Start(stage adapter.StartStage) error {
 		if t.tunOptions.Name == "" {
 			t.tunOptions.Name = tun.CalculateInterfaceName("")
 		}
-		if t.platformInterface == nil || runtime.GOOS != "android" {
+		if t.platformInterface == nil {
 			t.routeAddressSet = common.FlatMap(t.routeRuleSet, adapter.RuleSet.ExtractIPSet)
 			for _, routeRuleSet := range t.routeRuleSet {
 				ipSets := routeRuleSet.ExtractIPSet()
@@ -421,41 +421,7 @@ func (t *Inbound) Start(stage adapter.StartStage) error {
 func (t *Inbound) updateRouteAddressSet(it adapter.RuleSet) {
 	t.routeAddressSet = common.FlatMap(t.routeRuleSet, adapter.RuleSet.ExtractIPSet)
 	t.routeExcludeAddressSet = common.FlatMap(t.routeExcludeRuleSet, adapter.RuleSet.ExtractIPSet)
-	if t.autoRedirect != nil {
-		t.autoRedirect.UpdateRouteAddressSet()
-	} else {
-		tunOptions := t.tunOptions
-		for _, ipSet := range t.routeAddressSet {
-			for _, prefix := range ipSet.Prefixes() {
-				if prefix.Addr().Is4() {
-					tunOptions.Inet4RouteAddress = append(tunOptions.Inet4RouteAddress, prefix)
-				} else {
-					tunOptions.Inet6RouteAddress = append(tunOptions.Inet6RouteAddress, prefix)
-				}
-			}
-		}
-		for _, ipSet := range t.routeExcludeAddressSet {
-			for _, prefix := range ipSet.Prefixes() {
-				if prefix.Addr().Is4() {
-					tunOptions.Inet4RouteExcludeAddress = append(tunOptions.Inet4RouteExcludeAddress, prefix)
-				} else {
-					tunOptions.Inet6RouteExcludeAddress = append(tunOptions.Inet6RouteExcludeAddress, prefix)
-				}
-			}
-		}
-		if t.platformInterface != nil {
-			err := t.platformInterface.UpdateRouteOptions(&tunOptions, t.platformOptions)
-			if err != nil {
-				t.logger.Error("update route addresses: ", err)
-			}
-		} else {
-			err := t.tunIf.UpdateRouteOptions(tunOptions)
-			if err != nil {
-				t.logger.Error("update route addresses: ", err)
-			}
-		}
-		t.logger.Info("updated route addresses")
-	}
+	t.autoRedirect.UpdateRouteAddressSet()
 	t.routeAddressSet = nil
 	t.routeExcludeAddressSet = nil
 }

route/conn.go

@@ -225,6 +225,17 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source io.Reader
 		}
 		break
 	}
+	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](destination); isEarlyConn && earlyConn.NeedHandshake() {
+		_, err := destination.Write(nil)
+		if err != nil {
+			if !direction {
+				m.logger.ErrorContext(ctx, "connection upload handshake: ", err)
+			} else {
+				m.logger.ErrorContext(ctx, "connection download handshake: ", err)
+			}
+			return
+		}
+	}
 	_, err := bufio.CopyWithCounters(destination, source, originSource, readCounters, writeCounters)
 	if err != nil {
 		common.Close(originDestination)

route/route.go

@@ -33,7 +33,18 @@ import (
 
 // Deprecated: use RouteConnectionEx instead.
 func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	return r.routeConnection(ctx, conn, metadata, nil)
+	done := make(chan interface{})
+	err := r.routeConnection(ctx, conn, metadata, N.OnceClose(func(it error) {
+		close(done)
+	}))
+	if err != nil {
+		return err
+	}
+	select {
+	case <-done:
+	case <-r.ctx.Done():
+	}
+	return nil
 }
 
 func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
@@ -141,7 +152,10 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 }
 
 func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	err := r.routePacketConnection(ctx, conn, metadata, nil)
+	done := make(chan interface{})
+	err := r.routePacketConnection(ctx, conn, metadata, N.OnceClose(func(it error) {
+		close(done)
+	}))
 	if err != nil {
 		conn.Close()
 		if E.IsClosedOrCanceled(err) {
@@ -150,6 +164,10 @@ func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, m
 			r.logger.ErrorContext(ctx, err)
 		}
 	}
+	select {
+	case <-done:
+	case <-r.ctx.Done():
+	}
 	return nil
 }
 

route/router.go

@@ -484,6 +484,13 @@ func (r *Router) Close() error {
 		})
 		monitor.Finish()
 	}
+	for i, ruleSet := range r.ruleSets {
+		monitor.Start("close rule-set[", i, "]")
+		err = E.Append(err, ruleSet.Close(), func(err error) error {
+			return E.Cause(err, "close rule-set[", i, "]")
+		})
+		monitor.Finish()
+	}
 	return err
 }
 

route/rule/rule_set_local.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
@@ -26,14 +27,16 @@ import (
 var _ adapter.RuleSet = (*LocalRuleSet)(nil)
 
 type LocalRuleSet struct {
-	ctx        context.Context
-	logger     logger.Logger
-	tag        string
-	rules      []adapter.HeadlessRule
-	metadata   adapter.RuleSetMetadata
-	fileFormat string
-	watcher    *fswatch.Watcher
-	refs       atomic.Int32
+	ctx            context.Context
+	logger         logger.Logger
+	tag            string
+	rules          []adapter.HeadlessRule
+	metadata       adapter.RuleSetMetadata
+	fileFormat     string
+	watcher        *fswatch.Watcher
+	callbackAccess sync.Mutex
+	callbacks      list.List[adapter.RuleSetUpdateCallback]
+	refs           atomic.Int32
 }
 
 func NewLocalRuleSet(ctx context.Context, logger logger.Logger, options option.RuleSet) (*LocalRuleSet, error) {
@@ -52,13 +55,12 @@ func NewLocalRuleSet(ctx context.Context, logger logger.Logger, options option.R
 			return nil, err
 		}
 	} else {
-		err := ruleSet.reloadFile(filemanager.BasePath(ctx, options.LocalOptions.Path))
+		filePath := filemanager.BasePath(ctx, options.LocalOptions.Path)
+		filePath, _ = filepath.Abs(filePath)
+		err := ruleSet.reloadFile(filePath)
 		if err != nil {
 			return nil, err
 		}
-	}
-	if options.Type == C.RuleSetTypeLocal {
-		filePath, _ := filepath.Abs(options.LocalOptions.Path)
 		watcher, err := fswatch.NewWatcher(fswatch.Options{
 			Path: []string{filePath},
 			Callback: func(path string) {
@@ -141,6 +143,12 @@ func (s *LocalRuleSet) reloadRules(headlessRules []option.HeadlessRule) error {
 	metadata.ContainsIPCIDRRule = hasHeadlessRule(headlessRules, isIPCIDRHeadlessRule)
 	s.rules = rules
 	s.metadata = metadata
+	s.callbackAccess.Lock()
+	callbacks := s.callbacks.Array()
+	s.callbackAccess.Unlock()
+	for _, callback := range callbacks {
+		callback(s)
+	}
 	return nil
 }
 
@@ -173,10 +181,15 @@ func (s *LocalRuleSet) Cleanup() {
 }
 
 func (s *LocalRuleSet) RegisterCallback(callback adapter.RuleSetUpdateCallback) *list.Element[adapter.RuleSetUpdateCallback] {
-	return nil
+	s.callbackAccess.Lock()
+	defer s.callbackAccess.Unlock()
+	return s.callbacks.PushBack(callback)
 }
 
 func (s *LocalRuleSet) UnregisterCallback(element *list.Element[adapter.RuleSetUpdateCallback]) {
+	s.callbackAccess.Lock()
+	defer s.callbackAccess.Unlock()
+	s.callbacks.Remove(element)
 }
 
 func (s *LocalRuleSet) Close() error {

route/rule/rule_set_remote.go

@@ -33,23 +33,23 @@ import (
 var _ adapter.RuleSet = (*RemoteRuleSet)(nil)
 
 type RemoteRuleSet struct {
-	ctx             context.Context
-	cancel          context.CancelFunc
-	outboundManager adapter.OutboundManager
-	logger          logger.ContextLogger
-	options         option.RuleSet
-	metadata        adapter.RuleSetMetadata
-	updateInterval  time.Duration
-	dialer          N.Dialer
-	rules           []adapter.HeadlessRule
-	lastUpdated     time.Time
-	lastEtag        string
-	updateTicker    *time.Ticker
-	cacheFile       adapter.CacheFile
-	pauseManager    pause.Manager
-	callbackAccess  sync.Mutex
-	callbacks       list.List[adapter.RuleSetUpdateCallback]
-	refs            atomic.Int32
+	ctx            context.Context
+	cancel         context.CancelFunc
+	logger         logger.ContextLogger
+	outbound       adapter.OutboundManager
+	options        option.RuleSet
+	metadata       adapter.RuleSetMetadata
+	updateInterval time.Duration
+	dialer         N.Dialer
+	rules          []adapter.HeadlessRule
+	lastUpdated    time.Time
+	lastEtag       string
+	updateTicker   *time.Ticker
+	cacheFile      adapter.CacheFile
+	pauseManager   pause.Manager
+	callbackAccess sync.Mutex
+	callbacks      list.List[adapter.RuleSetUpdateCallback]
+	refs           atomic.Int32
 }
 
 func NewRemoteRuleSet(ctx context.Context, logger logger.ContextLogger, options option.RuleSet) *RemoteRuleSet {
@@ -61,13 +61,13 @@ func NewRemoteRuleSet(ctx context.Context, logger logger.ContextLogger, options
 		updateInterval = 24 * time.Hour
 	}
 	return &RemoteRuleSet{
-		ctx:             ctx,
-		cancel:          cancel,
-		outboundManager: service.FromContext[adapter.OutboundManager](ctx),
-		logger:          logger,
-		options:         options,
-		updateInterval:  updateInterval,
-		pauseManager:    service.FromContext[pause.Manager](ctx),
+		ctx:            ctx,
+		cancel:         cancel,
+		outbound:       service.FromContext[adapter.OutboundManager](ctx),
+		logger:         logger,
+		options:        options,
+		updateInterval: updateInterval,
+		pauseManager:   service.FromContext[pause.Manager](ctx),
 	}
 }
 
@@ -83,13 +83,13 @@ func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext *adapter.
 	s.cacheFile = service.FromContext[adapter.CacheFile](s.ctx)
 	var dialer N.Dialer
 	if s.options.RemoteOptions.DownloadDetour != "" {
-		outbound, loaded := s.outboundManager.Outbound(s.options.RemoteOptions.DownloadDetour)
+		outbound, loaded := s.outbound.Outbound(s.options.RemoteOptions.DownloadDetour)
 		if !loaded {
-			return E.New("download_detour not found: ", s.options.RemoteOptions.DownloadDetour)
+			return E.New("download detour not found: ", s.options.RemoteOptions.DownloadDetour)
 		}
 		dialer = outbound
 	} else {
-		dialer = s.outboundManager.Default()
+		dialer = s.outbound.Default()
 	}
 	s.dialer = dialer
 	if s.cacheFile != nil {
@@ -286,7 +286,7 @@ func (s *RemoteRuleSet) fetchOnce(ctx context.Context, startContext *adapter.HTT
 	}
 	s.lastUpdated = time.Now()
 	if s.cacheFile != nil {
-		err = s.cacheFile.SaveRuleSet(s.options.Tag, &adapter.SavedRuleSet{
+		err = s.cacheFile.SaveRuleSet(s.options.Tag, &adapter.SavedBinary{
 			LastUpdated: s.lastUpdated,
 			Content:     content,
 			LastEtag:    s.lastEtag,
@@ -301,8 +301,10 @@ func (s *RemoteRuleSet) fetchOnce(ctx context.Context, startContext *adapter.HTT
 
 func (s *RemoteRuleSet) Close() error {
 	s.rules = nil
-	s.updateTicker.Stop()
 	s.cancel()
+	if s.updateTicker != nil {
+		s.updateTicker.Stop()
+	}
 	return nil
 }