[dependencies] Update github-actions

The upstream OpenAI WebSocket endpoint requires the
OpenAI-Beta: responses_websockets=2026-02-06 header. Set it
automatically when the client doesn't provide it.

Also capture and log the response body on non-429 WebSocket
handshake failures to surface the actual error from upstream.

.fpm_openwrt

@@ -14,6 +14,7 @@
 --depends kmod-inet-diag
 --depends kmod-tun
 --depends firewall4
+--depends kmod-nft-queue
 
 --before-remove release/config/openwrt.prerm
 

.fpm_pacman

@@ -0,0 +1,23 @@
+-s dir
+--name sing-box
+--category net
+--license GPL-3.0-or-later
+--description "The universal proxy platform."
+--url "https://sing-box.sagernet.org/"
+--maintainer "nekohasekai <contact-git@sekai.icu>"
+--config-files etc/sing-box/config.json
+--after-install release/config/sing-box.postinst
+
+release/config/config.json=/etc/sing-box/config.json
+
+release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
+release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
+release/config/sing-box.sysusers=/usr/lib/sysusers.d/sing-box.conf
+release/config/sing-box.rules=usr/share/polkit-1/rules.d/sing-box.rules
+release/config/sing-box-split-dns.xml=/usr/share/dbus-1/system.d/sing-box-split-dns.conf
+
+release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
+release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
+release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
+
+LICENSE=/usr/share/licenses/sing-box/LICENSE

.github/CRONET_GO_VERSION

@@ -0,0 +1 @@
+ea7cd33752aed62603775af3df946c1b83f4b0b3

.github/build_alpine_apk.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+ARCHITECTURE="$1"
+VERSION="$2"
+BINARY_PATH="$3"
+OUTPUT_PATH="$4"
+
+if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
+  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
+  exit 1
+fi
+
+PROJECT=$(cd "$(dirname "$0")/.."; pwd)
+
+# Convert version to APK format:
+#   1.13.0-beta.8  -> 1.13.0_beta8-r0
+#   1.13.0-rc.3    -> 1.13.0_rc3-r0
+#   1.13.0         -> 1.13.0-r0
+APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
+APK_VERSION="${APK_VERSION}-r0"
+
+ROOT_DIR=$(mktemp -d)
+trap 'rm -rf "$ROOT_DIR"' EXIT
+
+# Binary
+install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
+
+# Config files
+install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
+install -Dm755 "$PROJECT/release/config/sing-box.initd" "$ROOT_DIR/etc/init.d/sing-box"
+install -Dm644 "$PROJECT/release/config/sing-box.confd" "$ROOT_DIR/etc/conf.d/sing-box"
+
+# Service files
+install -Dm644 "$PROJECT/release/config/sing-box.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box.service"
+install -Dm644 "$PROJECT/release/config/sing-box@.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box@.service"
+
+# Completions
+install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
+install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
+install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
+
+# License
+install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
+
+# APK metadata
+PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
+mkdir -p "$PACKAGES_DIR"
+
+# .conffiles
+cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
+/etc/conf.d/sing-box
+/etc/init.d/sing-box
+/etc/sing-box/config.json
+EOF
+
+# .conffiles_static (sha256 checksums)
+while IFS= read -r conffile; do
+  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
+  echo "$conffile $sha256"
+done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
+
+# .list (all files, excluding lib/apk/packages/ metadata)
+(cd "$ROOT_DIR" && find . -type f -o -type l) \
+  | sed 's|^\./|/|' \
+  | grep -v '^/lib/apk/packages/' \
+  | sort > "$PACKAGES_DIR/.list"
+
+# Build APK
+apk mkpkg \
+  --info "name:sing-box" \
+  --info "version:${APK_VERSION}" \
+  --info "description:The universal proxy platform." \
+  --info "arch:${ARCHITECTURE}" \
+  --info "license:GPL-3.0-or-later with name use or association addition" \
+  --info "origin:sing-box" \
+  --info "url:https://sing-box.sagernet.org/" \
+  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
+  --files "$ROOT_DIR" \
+  --output "$OUTPUT_PATH"

.github/build_openwrt_apk.sh

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+ARCHITECTURE="$1"
+VERSION="$2"
+BINARY_PATH="$3"
+OUTPUT_PATH="$4"
+
+if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
+  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
+  exit 1
+fi
+
+PROJECT=$(cd "$(dirname "$0")/.."; pwd)
+
+# Convert version to APK format:
+#   1.13.0-beta.8  -> 1.13.0_beta8-r0
+#   1.13.0-rc.3    -> 1.13.0_rc3-r0
+#   1.13.0         -> 1.13.0-r0
+APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
+APK_VERSION="${APK_VERSION}-r0"
+
+ROOT_DIR=$(mktemp -d)
+trap 'rm -rf "$ROOT_DIR"' EXIT
+
+# Binary
+install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
+
+# Config files
+install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
+install -Dm644 "$PROJECT/release/config/openwrt.conf" "$ROOT_DIR/etc/config/sing-box"
+install -Dm755 "$PROJECT/release/config/openwrt.init" "$ROOT_DIR/etc/init.d/sing-box"
+install -Dm644 "$PROJECT/release/config/openwrt.keep" "$ROOT_DIR/lib/upgrade/keep.d/sing-box"
+
+# Completions
+install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
+install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
+install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
+
+# License
+install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
+
+# APK metadata
+PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
+mkdir -p "$PACKAGES_DIR"
+
+# .conffiles
+cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
+/etc/config/sing-box
+/etc/sing-box/config.json
+EOF
+
+# .conffiles_static (sha256 checksums)
+while IFS= read -r conffile; do
+  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
+  echo "$conffile $sha256"
+done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
+
+# .list (all files, excluding lib/apk/packages/ metadata)
+(cd "$ROOT_DIR" && find . -type f -o -type l) \
+  | sed 's|^\./|/|' \
+  | grep -v '^/lib/apk/packages/' \
+  | sort > "$PACKAGES_DIR/.list"
+
+# Build APK
+apk mkpkg \
+  --info "name:sing-box" \
+  --info "version:${APK_VERSION}" \
+  --info "description:The universal proxy platform." \
+  --info "arch:${ARCHITECTURE}" \
+  --info "license:GPL-3.0-or-later" \
+  --info "origin:sing-box" \
+  --info "url:https://sing-box.sagernet.org/" \
+  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
+  --info "depends:ca-bundle kmod-inet-diag kmod-tun firewall4 kmod-nft-queue" \
+  --info "provider-priority:100" \
+  --script "pre-deinstall:${PROJECT}/release/config/openwrt.prerm" \
+  --files "$ROOT_DIR" \
+  --output "$OUTPUT_PATH"

.github/renovate.json

@@ -6,7 +6,7 @@
     ":disableRateLimiting"
   ],
   "baseBranches": [
-    "dev-next"
+    "unstable"
   ],
   "golang": {
     "enabled": false

.github/setup_go_for_macos1013.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+VERSION="1.25.8"
+PATCH_COMMITS=(
+  "afe69d3cec1c6dcf0f1797b20546795730850070"
+  "1ed289b0cf87dc5aae9c6fe1aa5f200a83412938"
+)
+CURL_ARGS=(
+  -fL
+  --silent
+  --show-error
+)
+
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+fi
+
+mkdir -p "$HOME/go"
+cd "$HOME/go"
+wget "https://dl.google.com/go/go${VERSION}.darwin-arm64.tar.gz"
+tar -xzf "go${VERSION}.darwin-arm64.tar.gz"
+#cp -a go go_bootstrap
+mv go go_osx
+cd go_osx
+
+# these patch URLs only work on golang1.25.x
+# that means after golang1.26 release it must be changed
+# see: https://github.com/SagerNet/go/commits/release-branch.go1.25/
+# revert:
+# 33d3f603c1: "cmd/link/internal/ld: use 12.0.0 OS/SDK versions for macOS linking"
+# 937368f84e: "crypto/x509: change how we retrieve chains on darwin"
+
+for patch_commit in "${PATCH_COMMITS[@]}"; do
+  curl "${CURL_ARGS[@]}" "https://github.com/SagerNet/go/commit/${patch_commit}.diff" | patch --verbose -p 1
+done
+
+# Rebuild is not needed: we build with CGO_ENABLED=1, so Apple's external
+# linker handles LC_BUILD_VERSION via MACOSX_DEPLOYMENT_TARGET, and the
+# stdlib (crypto/x509) is compiled from patched src automatically.
+#cd src
+#GOROOT_BOOTSTRAP="$HOME/go/go_bootstrap" ./make.bash
+#cd ../..
+#rm -rf go_bootstrap "go${VERSION}.darwin-arm64.tar.gz"

.github/setup_go_for_windows7.sh

@@ -1,16 +1,35 @@
 #!/usr/bin/env bash
 
-VERSION="1.25.1"
+set -euo pipefail
 
-mkdir -p $HOME/go
+VERSION="1.25.8"
-cd $HOME/go
+PATCH_COMMITS=(
+  "466f6c7a29bc098b0d4c987b803c779222894a11"
+  "1bdabae205052afe1dadb2ad6f1ba612cdbc532a"
+  "a90777dcf692dd2168577853ba743b4338721b06"
+  "f6bddda4e8ff58a957462a1a09562924d5f3d05c"
+  "bed309eff415bcb3c77dd4bc3277b682b89a388d"
+  "34b899c2fb39b092db4fa67c4417e41dc046be4b"
+)
+CURL_ARGS=(
+  -fL
+  --silent
+  --show-error
+)
+
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+fi
+
+mkdir -p "$HOME/go"
+cd "$HOME/go"
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
 mv go go_win7
 cd go_win7
 
 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-# this patch file only works on golang1.25.x
+# these patch URLs only work on golang1.25.x
 # that means after golang1.26 release it must be changed
 # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
 # revert:
@@ -18,10 +37,10 @@ cd go_win7
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
+# fixes:
+# bed309eff415bcb3c77dd4bc3277b682b89a388d: "Fix os.RemoveAll not working on Windows7"
+# 34b899c2fb39b092db4fa67c4417e41dc046be4b: "Revert \"os: remove 5ms sleep on Windows in (*Process).Wait\""
 
-alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
+for patch_commit in "${PATCH_COMMITS[@]}"; do
-
+  curl "${CURL_ARGS[@]}" "https://github.com/MetaCubeX/go/commit/${patch_commit}.diff" | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
+done
-curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1

.github/update_cronet.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+SCRIPT_DIR=$(dirname "$0")
+PROJECTS=$SCRIPT_DIR/../..
+
+git -C $PROJECTS/cronet-go fetch origin main
+git -C $PROJECTS/cronet-go fetch origin go
+go get -x github.com/sagernet/cronet-go/all@$(git -C $PROJECTS/cronet-go rev-parse origin/go)
+go get -x github.com/sagernet/cronet-go@$(git -C $PROJECTS/cronet-go rev-parse origin/go)
+go mod tidy
+git -C $PROJECTS/cronet-go rev-parse origin/go > "$SCRIPT_DIR/CRONET_GO_VERSION"

.github/update_cronet_dev.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+SCRIPT_DIR=$(dirname "$0")
+PROJECTS=$SCRIPT_DIR/../..
+
+git -C $PROJECTS/cronet-go fetch origin dev
+git -C $PROJECTS/cronet-go fetch origin go_dev
+go get -x github.com/sagernet/cronet-go/all@$(git -C $PROJECTS/cronet-go rev-parse origin/go_dev)
+go get -x github.com/sagernet/cronet-go@$(git -C $PROJECTS/cronet-go rev-parse origin/go_dev)
+go mod tidy
+git -C $PROJECTS/cronet-go rev-parse origin/dev > "$SCRIPT_DIR/CRONET_GO_VERSION"

.github/workflows/build.yml

@@ -25,8 +25,9 @@ on:
           - publish-android
   push:
     branches:
-      - main-next
+      - stable
-      - dev-next
+      - testing
+      - unstable
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
@@ -40,13 +41,13 @@ jobs:
       version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
+          go-version: ~1.26.0
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -69,53 +70,61 @@ jobs:
     strategy:
       matrix:
         include:
-          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }
+          - { os: linux, arch: amd64, variant: purego, naive: true }
-          - { os: linux, arch: "386", go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }
+          - { os: linux, arch: amd64, variant: glibc, naive: true }
+          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, alpine: x86_64, openwrt: "x86_64" }
+
+          - { os: linux, arch: arm64, variant: purego, naive: true }
+          - { os: linux, arch: arm64, variant: glibc, naive: true }
+          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, alpine: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
+
+          - { os: linux, arch: "386", go386: sse2 }
+          - { os: linux, arch: "386", variant: glibc, naive: true, go386: sse2 }
+          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, alpine: x86, openwrt: "i386_pentium4" }
+
+          - { os: linux, arch: arm, goarm: "7" }
+          - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
+          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, alpine: armv7, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
+
+          - { os: linux, arch: mipsle, gomips: hardfloat, naive: true, variant: glibc }
+          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, variant: musl, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
+          - { os: linux, arch: mips64le, gomips: hardfloat, naive: true, variant: glibc, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: riscv64, naive: true, variant: glibc }
+          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, alpine: riscv64, openwrt: "riscv64_generic" }
+          - { os: linux, arch: loong64, naive: true, variant: glibc }
+          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, alpine: loongarch64, openwrt: "loongarch64_generic" }
+
           - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
-          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
           - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
           - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl, openwrt: "arm_arm1176jzf-s_vfp" }
-          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
           - { os: linux, arch: mips, gomips: softfloat, openwrt: "mips_24kc mips_4kec mips_mips32" }
-          - { os: linux, arch: mipsle, gomips: hardfloat, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc_24kf" }
+          - { os: linux, arch: mipsle, gomips: hardfloat, openwrt: "mipsel_24kc_24kf" }
-          - { os: linux, arch: mipsle, gomips: softfloat, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
+          - { os: linux, arch: mipsle, gomips: softfloat }
           - { os: linux, arch: mips64, gomips: softfloat, openwrt: "mips64_mips64r2 mips64_octeonplus" }
-          - { os: linux, arch: mips64le, gomips: hardfloat, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: mips64le, gomips: hardfloat }
           - { os: linux, arch: mips64le, gomips: softfloat, openwrt: "mips64el_mips64r2" }
           - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
           - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
+          - { os: linux, arch: riscv64 }
-          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
+          - { os: linux, arch: loong64 }
 
-          - { os: windows, arch: amd64 }
           - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
-          - { os: windows, arch: "386" }
           - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
-          - { os: windows, arch: arm64 }
 
-          - { os: darwin, arch: amd64 }
+          - { os: android, arch: arm64, ndk: "aarch64-linux-android23" }
-          - { os: darwin, arch: arm64 }
+          - { os: android, arch: arm, ndk: "armv7a-linux-androideabi23" }
-          - { os: darwin, arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
+          - { os: android, arch: amd64, ndk: "x86_64-linux-android23" }
-
+          - { os: android, arch: "386", ndk: "i686-linux-android23" }
-          - { os: android, arch: arm64, ndk: "aarch64-linux-android21" }
-          - { os: android, arch: arm, ndk: "armv7a-linux-androideabi21" }
-          - { os: android, arch: amd64, ndk: "x86_64-linux-android21" }
-          - { os: android, arch: "386", ndk: "i686-linux-android21" }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
-        if: ${{ ! (matrix.legacy_go123 || matrix.legacy_go124) }}
+        if: ${{ ! matrix.legacy_win7 }}
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
+          go-version: ~1.26.0
-      - name: Setup Go 1.24
-        if: matrix.legacy_go124
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.24.6
       - name: Cache Go for Windows 7
         if: matrix.legacy_win7
         id: cache-go-for-windows7
@@ -123,9 +132,11 @@ jobs:
         with:
           path: |
             ~/go/go_win7
-          key: go_win7_1251
+          key: go_win7_1258
       - name: Setup Go for Windows 7
         if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
         run: |-
           .github/setup_go_for_windows7.sh
       - name: Setup Go for Windows 7
@@ -139,6 +150,54 @@ jobs:
         with:
           ndk-version: r28
           local-cache: true
+      - name: Clone cronet-go
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          CRONET_GO_VERSION=$(cat .github/CRONET_GO_VERSION)
+          git init ~/cronet-go
+          git -C ~/cronet-go remote add origin https://github.com/sagernet/cronet-go.git
+          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
+          git -C ~/cronet-go checkout FETCH_HEAD
+          git -C ~/cronet-go submodule update --init --recursive --depth=1
+      - name: Regenerate Debian keyring
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
+          cd ~/cronet-go
+          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
+      - name: Cache Chromium toolchain
+        if: matrix.naive
+        id: cache-chromium-toolchain
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
+            ~/cronet-go/naiveproxy/src/gn/out/
+            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
+            ~/cronet-go/naiveproxy/src/out/sysroot-build/
+          key: chromium-toolchain-${{ matrix.arch }}-${{ matrix.variant }}-${{ hashFiles('.github/CRONET_GO_VERSION') }}
+      - name: Download Chromium toolchain
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          cd ~/cronet-go
+          if [[ "${{ matrix.variant }}" == "musl" ]]; then
+            go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl download-toolchain
+          else
+            go run ./cmd/build-naive --target=linux/${{ matrix.arch }} download-toolchain
+          fi
+      - name: Set Chromium toolchain environment
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          cd ~/cronet-go
+          if [[ "${{ matrix.variant }}" == "musl" ]]; then
+            go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl env >> $GITHUB_ENV
+          else
+            go run ./cmd/build-naive --target=linux/${{ matrix.arch }} env >> $GITHUB_ENV
+          fi
       - name: Set tag
         run: |-
           git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
@@ -146,15 +205,83 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,badlinkname,tfogo_checklinkname0'
+          if [[ "${{ matrix.naive }}" == "true" ]]; then
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
+          else
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+          fi
+          if [[ "${{ matrix.variant }}" == "purego" ]]; then
+            TAGS="${TAGS},with_purego"
+          elif [[ "${{ matrix.variant }}" == "musl" ]]; then
+            TAGS="${TAGS},with_musl"
+          fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Build
+      - name: Set shared ldflags
-        if: matrix.os != 'android'
+        run: |
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
+      - name: Build (purego)
+        if: matrix.variant == 'purego'
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "0"
+          GOOS: ${{ matrix.os }}
+          GOARCH: ${{ matrix.arch }}
+          GO386: ${{ matrix.go386 }}
+          GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
+          GOMIPS64: ${{ matrix.gomips }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract libcronet.so
+        if: matrix.variant == 'purego' && matrix.naive
+        run: |
+          cd ~/cronet-go
+          CGO_ENABLED=0 go run -v ./cmd/build-naive extract-lib --target ${{ matrix.os }}/${{ matrix.arch }} -o $GITHUB_WORKSPACE/dist
+      - name: Build (glibc)
+        if: matrix.variant == 'glibc'
+        run: |
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "1"
+          GOOS: linux
+          GOARCH: ${{ matrix.arch }}
+          GO386: ${{ matrix.go386 }}
+          GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
+          GOMIPS64: ${{ matrix.gomips }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build (musl)
+        if: matrix.variant == 'musl'
+        run: |
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "1"
+          GOOS: linux
+          GOARCH: ${{ matrix.arch }}
+          GO386: ${{ matrix.go386 }}
+          GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
+          GOMIPS64: ${{ matrix.gomips }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build (non-variant)
+        if: matrix.os != 'android' && matrix.variant == ''
+        run: |
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -174,7 +301,7 @@ jobs:
           export CXX="${CC}++"
           mkdir -p dist
           GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -193,6 +320,11 @@ jobs:
           elif [[ -n "${{ matrix.legacy_name }}" ]]; then
             DIR_NAME="${DIR_NAME}-legacy-${{ matrix.legacy_name }}"
           fi
+          if [[ "${{ matrix.variant }}" == "glibc" ]]; then
+            DIR_NAME="${DIR_NAME}-glibc"
+          elif [[ "${{ matrix.variant }}" == "musl" ]]; then
+            DIR_NAME="${DIR_NAME}-musl"
+          fi
           echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
           PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
           PKG_VERSION="${PKG_VERSION//-/\~}"
@@ -243,7 +375,7 @@ jobs:
           sudo gem install fpm
           sudo apt-get update
           sudo apt-get install -y libarchive-tools
-          cp .fpm_systemd .fpm
+          cp .fpm_pacman .fpm
           fpm -t pacman \
             -v "$PKG_VERSION" \
             -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.pacman }}.pkg.tar.zst" \
@@ -264,6 +396,30 @@ jobs:
             .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.ipk"
           done
           rm "dist/openwrt.deb"
+      - name: Install apk-tools
+        if: matrix.openwrt != '' || matrix.alpine != ''
+        run: |-
+          docker run --rm -v /usr/local/bin:/mnt alpine:edge sh -c "apk add --no-cache apk-tools-static && cp /sbin/apk.static /mnt/apk && chmod +x /mnt/apk"
+      - name: Package OpenWrt APK
+        if: matrix.openwrt != ''
+        run: |-
+          set -xeuo pipefail
+          for architecture in ${{ matrix.openwrt }}; do
+            .github/build_openwrt_apk.sh \
+              "$architecture" \
+              "${{ needs.calculate_version.outputs.version }}" \
+              "dist/sing-box" \
+              "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.apk"
+          done
+      - name: Package Alpine APK
+        if: matrix.alpine != ''
+        run: |-
+          set -xeuo pipefail
+          .github/build_alpine_apk.sh \
+            "${{ matrix.alpine }}" \
+            "${{ needs.calculate_version.outputs.version }}" \
+            "dist/sing-box" \
+            "dist/sing-box_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.alpine }}.apk"
       - name: Archive
         run: |
           set -xeuo pipefail
@@ -275,32 +431,217 @@ jobs:
             zip -r "${DIR_NAME}.zip" "${DIR_NAME}"
           else
             cp sing-box "${DIR_NAME}"
+            if [ -f libcronet.so ]; then
+              cp libcronet.so "${DIR_NAME}"
+            fi
             tar -czvf "${DIR_NAME}.tar.gz" "${DIR_NAME}"
           fi
           rm -r "${DIR_NAME}"
+      - name: Cleanup
+        run: rm -f dist/sing-box dist/libcronet.so
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}${{ matrix.variant && format('-{0}', matrix.variant) }}
+          path: "dist"
+  build_darwin:
+    name: Build Darwin binaries
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
+    runs-on: macos-latest
+    needs:
+      - calculate_version
+    strategy:
+      matrix:
+        include:
+          - { arch: amd64 }
+          - { arch: arm64 }
+          - { arch: amd64, legacy_osx: true, legacy_name: "macos-10.13" }
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        if: ${{ ! matrix.legacy_osx }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.25.3
+      - name: Cache Go for macOS 10.13
+        if: matrix.legacy_osx
+        id: cache-go-for-macos1013
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/go/go_osx
+          key: go_osx_1258
+      - name: Setup Go for macOS 10.13
+        if: matrix.legacy_osx && steps.cache-go-for-macos1013.outputs.cache-hit != 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |-
+          .github/setup_go_for_macos1013.sh
+      - name: Setup Go for macOS 10.13
+        if: matrix.legacy_osx
+        run: |-
+          echo "PATH=$HOME/go/go_osx/bin:$PATH" >> $GITHUB_ENV
+          echo "GOROOT=$HOME/go/go_osx" >> $GITHUB_ENV
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Set build tags
+        run: |
+          set -xeuo pipefail
+          if [[ "${{ matrix.legacy_osx }}" != "true" ]]; then
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
+          else
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+          fi
+          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Set shared ldflags
+        run: |
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
+      - name: Build
+        run: |
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "1"
+          GOOS: darwin
+          GOARCH: ${{ matrix.arch }}
+          MACOSX_DEPLOYMENT_TARGET: ${{ matrix.legacy_osx && '10.13' || '' }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set name
+        run: |-
+          DIR_NAME="sing-box-${{ needs.calculate_version.outputs.version }}-darwin-${{ matrix.arch }}"
+          if [[ -n "${{ matrix.legacy_name }}" ]]; then
+            DIR_NAME="${DIR_NAME}-legacy-${{ matrix.legacy_name }}"
+          fi
+          echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
+      - name: Archive
+        run: |
+          set -xeuo pipefail
+          cd dist
+          mkdir -p "${DIR_NAME}"
+          cp ../LICENSE "${DIR_NAME}"
+          cp sing-box "${DIR_NAME}"
+          tar -czvf "${DIR_NAME}.tar.gz" "${DIR_NAME}"
+          rm -r "${DIR_NAME}"
       - name: Cleanup
         run: rm dist/sing-box
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
-          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
+          name: binary-darwin_${{ matrix.arch }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
+          path: "dist"
+  build_windows:
+    name: Build Windows binaries
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
+    runs-on: windows-latest
+    needs:
+      - calculate_version
+    strategy:
+      matrix:
+        include:
+          - { arch: amd64, naive: true }
+          - { arch: "386" }
+          - { arch: arm64, naive: true }
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.25.4
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$env:GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Build
+        if: matrix.naive
+        run: |
+          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_WINDOWS
+          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "0"
+          GOOS: windows
+          GOARCH: ${{ matrix.arch }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build
+        if: ${{ !matrix.naive }}
+        run: |
+          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_OTHERS
+          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "0"
+          GOOS: windows
+          GOARCH: ${{ matrix.arch }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract libcronet.dll
+        if: matrix.naive
+        run: |
+          $CRONET_GO_VERSION = Get-Content .github/CRONET_GO_VERSION
+          $env:CGO_ENABLED = "0"
+          go run -v "github.com/sagernet/cronet-go/cmd/build-naive@$CRONET_GO_VERSION" extract-lib --target windows/${{ matrix.arch }} -o dist
+      - name: Archive
+        if: matrix.naive
+        run: |
+          $DIR_NAME = "sing-box-${{ needs.calculate_version.outputs.version }}-windows-${{ matrix.arch }}"
+          mkdir "dist/$DIR_NAME"
+          Copy-Item LICENSE "dist/$DIR_NAME"
+          Copy-Item "dist/sing-box.exe" "dist/$DIR_NAME"
+          Copy-Item "dist/libcronet.dll" "dist/$DIR_NAME"
+          Compress-Archive -Path "dist/$DIR_NAME" -DestinationPath "dist/$DIR_NAME.zip"
+          Remove-Item -Recurse "dist/$DIR_NAME"
+      - name: Archive
+        if: ${{ !matrix.naive }}
+        run: |
+          $DIR_NAME = "sing-box-${{ needs.calculate_version.outputs.version }}-windows-${{ matrix.arch }}"
+          mkdir "dist/$DIR_NAME"
+          Copy-Item LICENSE "dist/$DIR_NAME"
+          Copy-Item "dist/sing-box.exe" "dist/$DIR_NAME"
+          Compress-Archive -Path "dist/$DIR_NAME" -DestinationPath "dist/$DIR_NAME.zip"
+          Remove-Item -Recurse "dist/$DIR_NAME"
+      - name: Cleanup
+        if: matrix.naive
+        run: Remove-Item dist/sing-box.exe, dist/libcronet.dll
+      - name: Cleanup
+        if: ${{ !matrix.naive }}
+        run: Remove-Item dist/sing-box.exe
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-windows_${{ matrix.arch }}
           path: "dist"
   build_android:
     name: Build Android
-    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
+    if: (github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android') && github.ref != 'refs/heads/oldstable'
     runs-on: ubuntu-latest
     needs:
       - calculate_version
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
+          go-version: ~1.26.0
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -323,12 +664,12 @@ jobs:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
       - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/android
           git checkout main
       - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
+        if: github.ref == 'refs/heads/testing'
         run: |-
           cd clients/android
           git checkout dev
@@ -348,9 +689,9 @@ jobs:
       - name: Build
         run: |-
           mkdir clients/android/app/libs
-          cp libbox.aar clients/android/app/libs
+          cp *.aar clients/android/app/libs
           cd clients/android
-          ./gradlew :app:assemblePlayRelease :app:assembleOtherRelease
+          ./gradlew :app:assembleOtherRelease :app:assembleOtherLegacyRelease
         env:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
@@ -358,8 +699,18 @@ jobs:
       - name: Prepare upload
         run: |-
           mkdir -p dist
-          cp clients/android/app/build/outputs/apk/play/release/*.apk dist
+          #cp clients/android/app/build/outputs/apk/play/release/*.apk dist
-          cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist
+          cp clients/android/app/build/outputs/apk/other/release/*.apk dist
+          cp clients/android/app/build/outputs/apk/otherLegacy/release/*.apk dist
+          VERSION_CODE=$(grep VERSION_CODE clients/android/version.properties | cut -d= -f2)
+          VERSION_NAME=$(grep VERSION_NAME clients/android/version.properties | cut -d= -f2)
+          cat > dist/SFA-version-metadata.json << EOF
+          {
+            "version_code": ${VERSION_CODE},
+            "version_name": "${VERSION_NAME}"
+          }
+          EOF
+          cat dist/SFA-version-metadata.json
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
@@ -367,20 +718,20 @@ jobs:
           path: 'dist'
   publish_android:
     name: Publish Android
-    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
+    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android' && github.ref != 'refs/heads/oldstable'
     runs-on: ubuntu-latest
     needs:
       - calculate_version
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
+          go-version: ~1.26.0
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -403,12 +754,12 @@ jobs:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
       - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/android
           git checkout main
       - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
+        if: github.ref == 'refs/heads/testing'
         run: |-
           cd clients/android
           git checkout dev
@@ -421,7 +772,7 @@ jobs:
         run: |-
           go run -v ./cmd/internal/update_android_version --ci
           mkdir clients/android/app/libs
-          cp libbox.aar clients/android/app/libs
+          cp *.aar clients/android/app/libs
           cd clients/android
           echo -n "$SERVICE_ACCOUNT_CREDENTIALS" | base64 --decode > service-account-credentials.json
           ./gradlew :app:publishPlayReleaseBundle
@@ -433,7 +784,7 @@ jobs:
   build_apple:
     name: Build Apple clients
     runs-on: macos-26
-    if: false
+    if: false # github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store' || inputs.build == 'iOS' || inputs.build == 'macOS' || inputs.build == 'tvOS' || inputs.build == 'macOS-standalone'
     needs:
       - calculate_version
     strategy:
@@ -471,7 +822,7 @@ jobs:
     steps:
       - name: Checkout
         if: matrix.if
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
@@ -479,7 +830,7 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
+          go-version: ~1.26.0
       - name: Set tag
         if: matrix.if
         run: |-
@@ -487,12 +838,12 @@ jobs:
           git tag v${{ needs.calculate_version.outputs.version }} -f
           echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
       - name: Checkout main branch
-        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: matrix.if && github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/apple
           git checkout main
       - name: Checkout dev branch
-        if: matrix.if && github.ref == 'refs/heads/dev-next'
+        if: matrix.if && github.ref == 'refs/heads/testing'
         run: |-
           cd clients/apple
           git checkout dev
@@ -578,7 +929,7 @@ jobs:
             -authenticationKeyID $ASC_KEY_ID \
             -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
       - name: Publish to TestFlight
-        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/testing'
         run: |-
           go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
       - name: Build image
@@ -619,11 +970,13 @@ jobs:
     needs:
       - calculate_version
       - build
+      - build_darwin
+      - build_windows
       - build_android
       - build_apple
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Cache ghr

.github/workflows/docker.yml

@@ -1,6 +1,10 @@
 name: Publish Docker Images
 
 on:
+  #push:
+  #  branches:
+  #    - stable
+  #    - testing
   release:
     types:
       - published
@@ -13,20 +17,26 @@ env:
   REGISTRY_IMAGE: ghcr.io/sagernet/sing-box
 
 jobs:
-  build:
+  build_binary:
+    name: Build binary
+    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
     runs-on: ubuntu-latest
     strategy:
       fail-fast: true
       matrix:
-        platform:
+        include:
-          - linux/amd64
+          # Naive-enabled builds (musl)
-          - linux/arm/v6
+          - { arch: amd64, naive: true, docker_platform: "linux/amd64" }
-          - linux/arm/v7
+          - { arch: arm64, naive: true, docker_platform: "linux/arm64" }
-          - linux/arm64
+          - { arch: "386", naive: true, docker_platform: "linux/386" }
-          - linux/386
+          - { arch: arm, goarm: "7", naive: true, docker_platform: "linux/arm/v7" }
-          - linux/ppc64le
+          - { arch: mipsle, gomips: softfloat, naive: true, docker_platform: "linux/mipsle" }
-          - linux/riscv64
+          - { arch: riscv64, naive: true, docker_platform: "linux/riscv64" }
-          - linux/s390x
+          - { arch: loong64, naive: true, docker_platform: "linux/loong64" }
+          # Non-naive builds
+          - { arch: arm, goarm: "6", docker_platform: "linux/arm/v6" }
+          - { arch: ppc64le, docker_platform: "linux/ppc64le" }
+          - { arch: s390x, docker_platform: "linux/s390x" }
     steps:
       - name: Get commit to build
         id: ref
@@ -39,7 +49,146 @@ jobs:
           echo "ref=$ref"
           echo "ref=$ref" >> $GITHUB_OUTPUT
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          ref: ${{ steps.ref.outputs.ref }}
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ~1.26.0
+      - name: Clone cronet-go
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          CRONET_GO_VERSION=$(cat .github/CRONET_GO_VERSION)
+          git init ~/cronet-go
+          git -C ~/cronet-go remote add origin https://github.com/sagernet/cronet-go.git
+          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
+          git -C ~/cronet-go checkout FETCH_HEAD
+          git -C ~/cronet-go submodule update --init --recursive --depth=1
+      - name: Regenerate Debian keyring
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
+          cd ~/cronet-go
+          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
+      - name: Cache Chromium toolchain
+        if: matrix.naive
+        id: cache-chromium-toolchain
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
+            ~/cronet-go/naiveproxy/src/gn/out/
+            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
+            ~/cronet-go/naiveproxy/src/out/sysroot-build/
+          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
+      - name: Download Chromium toolchain
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          cd ~/cronet-go
+          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl download-toolchain
+      - name: Set version
+        run: |
+          set -xeuo pipefail
+          VERSION=$(go run ./cmd/internal/read_tag)
+          echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
+      - name: Set Chromium toolchain environment
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          cd ~/cronet-go
+          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl env >> $GITHUB_ENV
+      - name: Set build tags
+        run: |
+          set -xeuo pipefail
+          if [[ "${{ matrix.naive }}" == "true" ]]; then
+            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
+          else
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+          fi
+          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Set shared ldflags
+        run: |
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
+      - name: Build (naive)
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "1"
+          GOOS: linux
+          GOARCH: ${{ matrix.arch }}
+          GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
+      - name: Build (non-naive)
+        if: ${{ ! matrix.naive }}
+        run: |
+          set -xeuo pipefail
+          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "0"
+          GOOS: linux
+          GOARCH: ${{ matrix.arch }}
+          GOARM: ${{ matrix.goarm }}
+      - name: Prepare artifact
+        run: |
+          platform=${{ matrix.docker_platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+          # Rename binary to include arch info for Dockerfile.binary
+          BINARY_NAME="sing-box-${{ matrix.arch }}"
+          if [[ -n "${{ matrix.goarm }}" ]]; then
+            BINARY_NAME="${BINARY_NAME}v${{ matrix.goarm }}"
+          fi
+          mv sing-box "${BINARY_NAME}"
+          echo "BINARY_NAME=${BINARY_NAME}" >> $GITHUB_ENV
+      - name: Upload binary
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-${{ env.PLATFORM_PAIR }}
+          path: ${{ env.BINARY_NAME }}
+          if-no-files-found: error
+          retention-days: 1
+  build_docker:
+    name: Build Docker image
+    runs-on: ubuntu-latest
+    needs:
+      - build_binary
+    strategy:
+      fail-fast: true
+      matrix:
+        include:
+          - { platform: "linux/amd64" }
+          - { platform: "linux/arm/v6" }
+          - { platform: "linux/arm/v7" }
+          - { platform: "linux/arm64" }
+          - { platform: "linux/386" }
+          # mipsle: no base Docker image available for this platform
+          - { platform: "linux/ppc64le" }
+          - { platform: "linux/riscv64" }
+          - { platform: "linux/s390x" }
+          - { platform: "linux/loong64", base_image: "ghcr.io/loong64/alpine:edge" }
+    steps:
+      - name: Get commit to build
+        id: ref
+        run: |-
+          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
+            ref="${{ github.ref_name }}"
+          else
+            ref="${{ github.event.inputs.tag }}"
+          fi
+          echo "ref=$ref"
+          echo "ref=$ref" >> $GITHUB_OUTPUT
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ steps.ref.outputs.ref }}
           fetch-depth: 0
@@ -47,6 +196,16 @@ jobs:
         run: |
           platform=${{ matrix.platform }}
           echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+      - name: Download binary
+        uses: actions/download-artifact@v5
+        with:
+          name: binary-${{ env.PLATFORM_PAIR }}
+          path: .
+      - name: Prepare binary
+        run: |
+          # Find and make the binary executable
+          chmod +x sing-box-*
+          ls -la sing-box-*
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v3
       - name: Setup Docker Buildx
@@ -68,8 +227,9 @@ jobs:
         with:
           platforms: ${{ matrix.platform }}
           context: .
+          file: Dockerfile.binary
           build-args: |
-            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
+            BASE_IMAGE=${{ matrix.base_image || 'alpine' }}
           labels: ${{ steps.meta.outputs.labels }}
           outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
       - name: Export digest
@@ -85,9 +245,10 @@ jobs:
           if-no-files-found: error
           retention-days: 1
   merge:
+    if: github.event_name != 'push'
     runs-on: ubuntu-latest
     needs:
-      - build
+      - build_docker
     steps:
       - name: Get commit to build
         id: ref
@@ -121,6 +282,7 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Create manifest list and push
+        if: github.event_name != 'push'
         working-directory: /tmp/digests
         run: |
           docker buildx imagetools create \
@@ -128,6 +290,7 @@ jobs:
             -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
             $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
       - name: Inspect image
+        if: github.event_name != 'push'
         run: |
           docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
           docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}

.github/workflows/lint.yml

@@ -3,18 +3,20 @@ name: Lint
 on:
   push:
     branches:
-      - stable-next
+      - oldstable
-      - main-next
+      - stable
-      - dev-next
+      - testing
+      - unstable
     paths-ignore:
       - '**.md'
       - '.github/**'
       - '!.github/workflows/lint.yml'
   pull_request:
     branches:
-      - stable-next
+      - oldstable
-      - main-next
+      - stable
-      - dev-next
+      - testing
+      - unstable
 
 jobs:
   build:
@@ -22,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -32,7 +34,7 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v8
         with:
-          version: v2.4.0
+          version: latest
           args: --timeout=30m
           install-mode: binary
           verify: false

.github/workflows/linux.yml

@@ -1,6 +1,10 @@
 name: Build Linux Packages
 
 on:
+  #push:
+  #  branches:
+  #    - stable
+  #    - testing
   workflow_dispatch:
     inputs:
       version:
@@ -19,18 +23,19 @@ on:
 jobs:
   calculate_version:
     name: Calculate version
+    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
+          go-version: ~1.26.0
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -52,32 +57,68 @@ jobs:
     strategy:
       matrix:
         include:
-          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64 }
+          # Naive-enabled builds (musl)
-          - { os: linux, arch: "386", debian: i386, rpm: i386 }
+          - { os: linux, arch: amd64, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64 }
+          - { os: linux, arch: arm64, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64 }
+          - { os: linux, arch: "386", naive: true, debian: i386, rpm: i386 }
+          - { os: linux, arch: arm, goarm: "7", naive: true, debian: armhf, rpm: armv7hl, pacman: armv7hl }
+          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, debian: mipsel, rpm: mipsel }
+          - { os: linux, arch: riscv64, naive: true, debian: riscv64, rpm: riscv64 }
+          - { os: linux, arch: loong64, naive: true, debian: loongarch64, rpm: loongarch64 }
+          # Non-naive builds (unsupported architectures)
           - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
-          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl }
-          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64 }
           - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
-          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
           - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
           - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
-          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
+          go-version: ~1.26.0
-      - name: Setup Android NDK
+      - name: Clone cronet-go
-        if: matrix.os == 'android'
+        if: matrix.naive
-        uses: nttld/setup-ndk@v1
+        run: |
+          set -xeuo pipefail
+          CRONET_GO_VERSION=$(cat .github/CRONET_GO_VERSION)
+          git init ~/cronet-go
+          git -C ~/cronet-go remote add origin https://github.com/sagernet/cronet-go.git
+          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
+          git -C ~/cronet-go checkout FETCH_HEAD
+          git -C ~/cronet-go submodule update --init --recursive --depth=1
+      - name: Regenerate Debian keyring
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
+          cd ~/cronet-go
+          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
+      - name: Cache Chromium toolchain
+        if: matrix.naive
+        id: cache-chromium-toolchain
+        uses: actions/cache@v4
         with:
-          ndk-version: r28
+          path: |
-          local-cache: true
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
+            ~/cronet-go/naiveproxy/src/gn/out/
+            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
+            ~/cronet-go/naiveproxy/src/out/sysroot-build/
+          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
+      - name: Download Chromium toolchain
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          cd ~/cronet-go
+          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl download-toolchain
+      - name: Set Chromium toolchain environment
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          cd ~/cronet-go
+          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl env >> $GITHUB_ENV
       - name: Set tag
         run: |-
           git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
@@ -85,14 +126,38 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,badlinkname,tfogo_checklinkname0'
+          if [[ "${{ matrix.naive }}" == "true" ]]; then
+            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
+          else
+            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+          fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Build
+      - name: Set shared ldflags
+        run: |
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
+      - name: Build (naive)
+        if: matrix.naive
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "1"
+          GOOS: linux
+          GOARCH: ${{ matrix.arch }}
+          GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
+          GOMIPS64: ${{ matrix.gomips }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build (non-naive)
+        if: ${{ ! matrix.naive }}
+        run: |
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -171,7 +236,7 @@ jobs:
       - build
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Set tag
@@ -185,5 +250,6 @@ jobs:
           path: dist
           merge-multiple: true
       - name: Publish packages
+        if: github.event_name != 'push'
         run: |-
           ls dist | xargs -I {} curl -F "package=@dist/{}" https://${{ secrets.FURY_TOKEN }}@push.fury.io/sagernet/

.gitignore

@@ -12,6 +12,9 @@
 /*.jar
 /*.aar
 /*.xcframework/
+/experimental/libbox/*.aar
+/experimental/libbox/*.xcframework/
+/experimental/libbox/*.nupkg
 .DS_Store
 /config.d/
 /venv/

.golangci.yml

@@ -9,6 +9,11 @@ run:
     - with_utls
     - with_acme
     - with_clash_api
+    - with_tailscale
+    - with_ccm
+    - with_ocm
+    - badlinkname
+    - tfogo_checklinkname0
 linters:
   default: none
   enable:

.goreleaser.fury.yaml

@@ -1,103 +0,0 @@
-project_name: sing-box
-builds:
-  - id: main
-    main: ./cmd/sing-box
-    flags:
-      - -v
-      - -trimpath
-    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
-      - -s
-      - -buildid=
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_utls
-      - with_acme
-      - with_clash_api
-      - with_tailscale
-    env:
-      - CGO_ENABLED=0
-    targets:
-      - linux_386
-      - linux_amd64_v1
-      - linux_arm64
-      - linux_arm_7
-      - linux_s390x
-      - linux_riscv64
-      - linux_mips64le
-    mod_timestamp: '{{ .CommitTimestamp }}'
-snapshot:
-  name_template: "{{ .Version }}.{{ .ShortCommit }}"
-nfpms:
-  - &template
-    id: package
-    package_name: sing-box
-    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    builds:
-      - main
-    homepage: https://sing-box.sagernet.org/
-    maintainer: nekohasekai <contact-git@sekai.icu>
-    description: The universal proxy platform.
-    license: GPLv3 or later
-    formats:
-      - deb
-      - rpm
-    priority: extra
-    contents:
-      - src: release/config/config.json
-        dst: /etc/sing-box/config.json
-        type: "config|noreplace"
-
-      - src: release/config/sing-box.service
-        dst: /usr/lib/systemd/system/sing-box.service
-      - src: release/config/sing-box@.service
-        dst: /usr/lib/systemd/system/sing-box@.service
-      - src: release/config/sing-box.sysusers
-        dst: /usr/lib/sysusers.d/sing-box.conf
-      - src: release/config/sing-box.rules
-        dst: /usr/share/polkit-1/rules.d/sing-box.rules
-      - src: release/config/sing-box-split-dns.xml
-        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
-
-      - src: release/completions/sing-box.bash
-        dst: /usr/share/bash-completion/completions/sing-box.bash
-      - src: release/completions/sing-box.fish
-        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
-      - src: release/completions/sing-box.zsh
-        dst: /usr/share/zsh/site-functions/_sing-box
-
-      - src: LICENSE
-        dst: /usr/share/licenses/sing-box/LICENSE
-    deb:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-      fields:
-        Bugs: https://github.com/SagerNet/sing-box/issues
-    rpm:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-    conflicts:
-      - sing-box-beta
-  - id: package_beta
-    <<: *template
-    package_name: sing-box-beta
-    file_name_template: '{{ .ProjectName }}-beta_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    formats:
-      - deb
-      - rpm
-    conflicts:
-      - sing-box
-release:
-  disable: true
-furies:
-  - account: sagernet
-    ids:
-      - package
-    disable: "{{ not (not .Prerelease) }}"
-  - account: sagernet
-    ids:
-      - package_beta
-    disable: "{{ not .Prerelease }}"

.goreleaser.yaml

@@ -1,213 +0,0 @@
-version: 2
-project_name: sing-box
-builds:
-  - &template
-    id: main
-    main: ./cmd/sing-box
-    flags:
-      - -v
-      - -trimpath
-    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
-      - -s
-      - -buildid=
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_utls
-      - with_acme
-      - with_clash_api
-      - with_tailscale
-    env:
-      - CGO_ENABLED=0
-      - GOTOOLCHAIN=local
-    targets:
-      - linux_386
-      - linux_amd64_v1
-      - linux_arm64
-      - linux_arm_6
-      - linux_arm_7
-      - linux_s390x
-      - linux_riscv64
-      - linux_mips64le
-      - windows_amd64_v1
-      - windows_386
-      - windows_arm64
-      - darwin_amd64_v1
-      - darwin_arm64
-    mod_timestamp: '{{ .CommitTimestamp }}'
-  - id: legacy
-    <<: *template
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_utls
-      - with_acme
-      - with_clash_api
-      - with_tailscale
-    env:
-      - CGO_ENABLED=0
-      - GOROOT={{ .Env.GOPATH }}/go_legacy
-    tool: "{{ .Env.GOPATH }}/go_legacy/bin/go"
-    targets:
-      - windows_amd64_v1
-      - windows_386
-  - id: android
-    <<: *template
-    env:
-      - CGO_ENABLED=1
-      - GOTOOLCHAIN=local
-    overrides:
-      - goos: android
-        goarch: arm
-        goarm: 7
-        env:
-          - CC=armv7a-linux-androideabi21-clang
-          - CXX=armv7a-linux-androideabi21-clang++
-      - goos: android
-        goarch: arm64
-        env:
-          - CC=aarch64-linux-android21-clang
-          - CXX=aarch64-linux-android21-clang++
-      - goos: android
-        goarch: 386
-        env:
-          - CC=i686-linux-android21-clang
-          - CXX=i686-linux-android21-clang++
-      - goos: android
-        goarch: amd64
-        goamd64: v1
-        env:
-          - CC=x86_64-linux-android21-clang
-          - CXX=x86_64-linux-android21-clang++
-    targets:
-      - android_arm_7
-      - android_arm64
-      - android_386
-      - android_amd64
-archives:
-  - &template
-    id: archive
-    builds:
-      - main
-      - android
-    formats:
-      - tar.gz
-    format_overrides:
-      - goos: windows
-        formats:
-          - zip
-    wrap_in_directory: true
-    files:
-      - LICENSE
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-  - id: archive-legacy
-    <<: *template
-    builds:
-      - legacy
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}-legacy'
-nfpms:
-  - id: package
-    package_name: sing-box
-    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    builds:
-      - main
-    homepage: https://sing-box.sagernet.org/
-    maintainer: nekohasekai <contact-git@sekai.icu>
-    description: The universal proxy platform.
-    license: GPLv3 or later
-    formats:
-      - deb
-      - rpm
-      - archlinux
-#      - apk
-#      - ipk
-    priority: extra
-    contents:
-      - src: release/config/config.json
-        dst: /etc/sing-box/config.json
-        type: "config|noreplace"
-
-      - src: release/config/sing-box.service
-        dst: /usr/lib/systemd/system/sing-box.service
-      - src: release/config/sing-box@.service
-        dst: /usr/lib/systemd/system/sing-box@.service
-      - src: release/config/sing-box.sysusers
-        dst: /usr/lib/sysusers.d/sing-box.conf
-      - src: release/config/sing-box.rules
-        dst: /usr/share/polkit-1/rules.d/sing-box.rules
-      - src: release/config/sing-box-split-dns.xml
-        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
-
-      - src: release/completions/sing-box.bash
-        dst: /usr/share/bash-completion/completions/sing-box.bash
-      - src: release/completions/sing-box.fish
-        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
-      - src: release/completions/sing-box.zsh
-        dst: /usr/share/zsh/site-functions/_sing-box
-
-      - src: LICENSE
-        dst: /usr/share/licenses/sing-box/LICENSE
-    deb:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-      fields:
-        Bugs: https://github.com/SagerNet/sing-box/issues
-    rpm:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-    overrides:
-      apk:
-        contents:
-          - src: release/config/config.json
-            dst: /etc/sing-box/config.json
-            type: config
-
-          - src: release/config/sing-box.initd
-            dst: /etc/init.d/sing-box
-
-          - src: release/completions/sing-box.bash
-            dst: /usr/share/bash-completion/completions/sing-box.bash
-          - src: release/completions/sing-box.fish
-            dst: /usr/share/fish/vendor_completions.d/sing-box.fish
-          - src: release/completions/sing-box.zsh
-            dst: /usr/share/zsh/site-functions/_sing-box
-
-          - src: LICENSE
-            dst: /usr/share/licenses/sing-box/LICENSE
-      ipk:
-        contents:
-          - src: release/config/config.json
-            dst: /etc/sing-box/config.json
-            type: config
-
-          - src: release/config/openwrt.init
-            dst: /etc/init.d/sing-box
-          - src: release/config/openwrt.conf
-            dst: /etc/config/sing-box
-source:
-  enabled: false
-  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
-  prefix_template: '{{ .ProjectName }}-{{ .Version }}/'
-checksum:
-  disable: true
-  name_template: '{{ .ProjectName }}-{{ .Version }}.checksum'
-signs:
-  - artifacts: checksum
-release:
-  github:
-    owner: SagerNet
-    name: sing-box
-  draft: true
-  prerelease: auto
-  mode: replace
-  ids:
-    - archive
-    - package
-  skip_upload: true
-partial:
-  by: target

Dockerfile

@@ -12,16 +12,15 @@ RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags \
+    && export TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS) \
-        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,badlinkname,tfogo_checklinkname0" \
+    && export LDFLAGS_SHARED=$(cat release/LDFLAGS) \
+    && go build -v -trimpath -tags "$TAGS" \
         -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid= -checklinkname=0" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" $LDFLAGS_SHARED -s -w -buildid=" \
         ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && apk upgrade \
+    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
-    && apk add bash tzdata ca-certificates nftables \
-    && rm -rf /var/cache/apk/*
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]

Dockerfile.binary

@@ -0,0 +1,14 @@
+ARG BASE_IMAGE=alpine
+FROM ${BASE_IMAGE}
+ARG TARGETARCH
+ARG TARGETVARIANT
+LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
+RUN set -ex \
+    && if command -v apk > /dev/null; then \
+        apk add --no-cache --upgrade bash tzdata ca-certificates nftables; \
+    else \
+        apt-get update && apt-get install -y --no-install-recommends bash tzdata ca-certificates nftables \
+        && rm -rf /var/lib/apt/lists/*; \
+    fi
+COPY sing-box-${TARGETARCH}${TARGETVARIANT} /usr/local/bin/sing-box
+ENTRYPOINT ["sing-box"]

Makefile

@@ -1,15 +1,18 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,badlinkname,tfogo_checklinkname0
+TAGS ?= $(shell cat release/DEFAULT_BUILD_TAGS_OTHERS)
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)
 
-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid= -checklinkname=0"
+LDFLAGS_SHARED = $(shell cat release/LDFLAGS)
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' $(LDFLAGS_SHARED) -s -w -buildid="
 MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
+SING_FFI ?= sing-ffi
+LIBBOX_FFI_CONFIG ?= ./experimental/libbox/ffi.json
 
 .PHONY: test release docs build
 
@@ -37,8 +40,11 @@ fmt:
 	@gofmt -s -w .
 	@gci write --custom-order -s standard -s "prefix(github.com/sagernet/)" -s "default" .
 
+fmt_docs:
+	go run ./cmd/internal/format_docs
+
 fmt_install:
-	go install -v mvdan.cc/gofumpt@v0.8.0
+	go install -v mvdan.cc/gofumpt@latest
 	go install -v github.com/daixiang0/gci@latest
 
 lint:
@@ -49,7 +55,7 @@ lint:
 	GOOS=freebsd golangci-lint run ./...
 
 lint_install:
-	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.4.0
+	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
 
 proto:
 	@go run ./cmd/internal/protogen
@@ -86,12 +92,12 @@ update_android_version:
 	go run ./cmd/internal/update_android_version
 
 build_android:
-	cd ../sing-box-for-android && ./gradlew :app:clean :app:assemblePlayRelease :app:assembleOtherRelease && ./gradlew --stop
+	cd ../sing-box-for-android && ./gradlew :app:clean :app:assembleOtherRelease :app:assembleOtherLegacyRelease && ./gradlew --stop
 
 upload_android:
 	mkdir -p dist/release_android
-	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/other/release/*.apk dist/release_android
-	cp ../sing-box-for-android/app/build/outputs/apk/other/release/*-universal.apk dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/otherLegacy/release/*.apk dist/release_android
 	ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 
@@ -106,7 +112,7 @@ build_ios:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFI.xcarchive && \
 	xcodebuild clean -scheme SFI && \
-	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates
+	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates | xcbeautify | grep -A 10 -e "Archive Succeeded" -e "ARCHIVE FAILED" -e "❌"
 
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
@@ -127,7 +133,7 @@ release_ios: build_ios upload_ios_app_store
 build_macos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFM.xcarchive && \
-	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive -allowProvisioningUpdates
+	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive -allowProvisioningUpdates | xcbeautify | grep -A 10 -e "Archive Succeeded" -e "ARCHIVE FAILED" -e "❌"
 
 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
@@ -136,54 +142,50 @@ upload_macos_app_store:
 release_macos: build_macos upload_macos_app_store
 
 build_macos_standalone:
-	cd ../sing-box-for-apple && \
+	$(MAKE) -C ../sing-box-for-apple archive_macos_standalone
-	rm -rf build/SFM.System.xcarchive && \
-	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive -allowProvisioningUpdates
 
 build_macos_dmg:
-	rm -rf dist/SFM
+	$(MAKE) -C ../sing-box-for-apple build_macos_dmg
-	mkdir -p dist/SFM
+
-	cd ../sing-box-for-apple && \
+build_macos_pkg:
-	rm -rf build/SFM.System && \
+	$(MAKE) -C ../sing-box-for-apple build_macos_pkg
-	rm -rf build/SFM.dmg && \
-	xcodebuild -exportArchive \
-		-archivePath "build/SFM.System.xcarchive" \
-		-exportOptionsPlist SFM.System/Export.plist -allowProvisioningUpdates \
-		-exportPath "build/SFM.System" && \
-	create-dmg \
-		--volname "sing-box" \
-		--volicon "build/SFM.System/SFM.app/Contents/Resources/AppIcon.icns" \
-		--icon "SFM.app" 0 0 \
- 		--hide-extension "SFM.app" \
- 		--app-drop-link 0 0 \
- 		--skip-jenkins \
-		"../sing-box/dist/SFM/SFM.dmg" "build/SFM.System/SFM.app"
 
 notarize_macos_dmg:
-	xcrun notarytool submit "dist/SFM/SFM.dmg" --wait \
+	$(MAKE) -C ../sing-box-for-apple notarize_macos_dmg
-	  --keychain-profile "notarytool-password" \
+
-  	  --no-s3-acceleration
+notarize_macos_pkg:
+	$(MAKE) -C ../sing-box-for-apple notarize_macos_pkg
 
 upload_macos_dmg:
-	cd dist/SFM && \
+	mkdir -p dist/SFM
-	cp SFM.dmg "SFM-${VERSION}-universal.dmg" && \
+	cp ../sing-box-for-apple/build/SFM-Apple.dmg "dist/SFM/SFM-${VERSION}-Apple.dmg"
-	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dmg"
+	cp ../sing-box-for-apple/build/SFM-Intel.dmg "dist/SFM/SFM-${VERSION}-Intel.dmg"
+	cp ../sing-box-for-apple/build/SFM-Universal.dmg "dist/SFM/SFM-${VERSION}-Universal.dmg"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Apple.dmg"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Intel.dmg"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Universal.dmg"
+
+upload_macos_pkg:
+	mkdir -p dist/SFM
+	cp ../sing-box-for-apple/build/SFM-Apple.pkg "dist/SFM/SFM-${VERSION}-Apple.pkg"
+	cp ../sing-box-for-apple/build/SFM-Intel.pkg "dist/SFM/SFM-${VERSION}-Intel.pkg"
+	cp ../sing-box-for-apple/build/SFM-Universal.pkg "dist/SFM/SFM-${VERSION}-Universal.pkg"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Apple.pkg"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Intel.pkg"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Universal.pkg"
 
 upload_macos_dsyms:
-	pushd ../sing-box-for-apple/build/SFM.System.xcarchive && \
+	mkdir -p dist/SFM
-	zip -r SFM.dSYMs.zip dSYMs && \
+	cd ../sing-box-for-apple/build/SFM.System-universal.xcarchive && zip -r SFM.dSYMs.zip dSYMs
-	mv SFM.dSYMs.zip ../../../sing-box/dist/SFM && \
+	cp ../sing-box-for-apple/build/SFM.System-universal.xcarchive/SFM.dSYMs.zip "dist/SFM/SFM-${VERSION}.dSYMs.zip"
-	popd && \
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}.dSYMs.zip"
-	cd dist/SFM && \
-	cp SFM.dSYMs.zip "SFM-${VERSION}-universal.dSYMs.zip" && \
-	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dSYMs.zip"
 
-release_macos_standalone: build_macos_standalone build_macos_dmg notarize_macos_dmg upload_macos_dmg upload_macos_dsyms
+release_macos_standalone: build_macos_pkg notarize_macos_pkg upload_macos_pkg upload_macos_dsyms
 
 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
-	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive -allowProvisioningUpdates
+	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive -allowProvisioningUpdates | xcbeautify | grep -A 10 -e "Archive Succeeded" -e "ARCHIVE FAILED" -e "❌"
 
 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
@@ -207,12 +209,12 @@ update_apple_version:
 update_macos_version:
 	MACOS_PROJECT_VERSION=$(shell go run -v ./cmd/internal/app_store_connect next_macos_project_version) go run ./cmd/internal/update_apple_version
 
-release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_standalone
+release_apple: lib_apple update_apple_version release_ios release_macos release_tvos release_macos_standalone
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
 
 publish_testflight:
-	go run -v ./cmd/internal/app_store_connect publish_testflight
+	go run -v ./cmd/internal/app_store_connect publish_testflight $(filter-out $@,$(MAKECMDGOALS))
 
 prepare_app_store:
 	go run -v ./cmd/internal/app_store_connect prepare_app_store
@@ -235,22 +237,21 @@ test_stdio:
 lib_android:
 	go run ./cmd/internal/build_libbox -target android
 
-lib_android_debug:
-	go run ./cmd/internal/build_libbox -target android -debug
-
 lib_apple:
 	go run ./cmd/internal/build_libbox -target apple
 
-lib_ios:
+lib_windows:
-	go run ./cmd/internal/build_libbox -target apple -platform ios -debug
+	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type csharp
 
-lib:
+lib_android_new:
-	go run ./cmd/internal/build_libbox -target android
+	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type android
-	go run ./cmd/internal/build_libbox -target ios
+
+lib_apple_new:
+	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type apple
 
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.8
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.12
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.8
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.12
 
 docs:
 	venv/bin/mkdocs serve
@@ -259,8 +260,8 @@ publish_docs:
 	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
 
 docs_install:
-	python -m venv venv
+	python3 -m venv venv
-	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
+	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.7.2" mkdocs-static-i18n=="1.2.*"
 
 clean:
 	rm -rf bin dist sing-box
@@ -270,3 +271,6 @@ update:
 	git fetch
 	git reset FETCH_HEAD --hard
 	git clean -fdx
+
+%:
+	@:

README.md

@@ -1,3 +1,11 @@
+> Sponsored by [Warp](https://go.warp.dev/sing-box), built for coding with multiple AI agents
+
+<a href="https://go.warp.dev/sing-box">
+<img alt="Warp sponsorship" width="400" src="https://github.com/warpdotdev/brand-assets/raw/refs/heads/main/Github/Sponsor/Warp-Github-LG-02.png">
+</a>
+
+---
+
 # sing-box
 
 The universal proxy platform.

adapter/connections.go

@@ -9,6 +9,10 @@ import (
 
 type ConnectionManager interface {
 	Lifecycle
+	Count() int
+	CloseAll()
+	TrackConn(conn net.Conn) net.Conn
+	TrackPacketConn(conn net.PacketConn) net.PacketConn
 	NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
 	NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 }

adapter/dns.go

@@ -27,8 +27,6 @@ type DNSClient interface {
 	Start()
 	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
 	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
-	LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool)
-	ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool)
 	ClearCache()
 }
 
@@ -70,6 +68,7 @@ type DNSTransport interface {
 	Type() string
 	Tag() string
 	Dependencies() []string
+	Reset()
 	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
 }
 

adapter/endpoint/manager.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"os"
 	"sync"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -11,6 +12,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 )
 
 var _ adapter.EndpointManager = (*Manager)(nil)
@@ -46,10 +48,14 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 		return nil
 	}
 	for _, endpoint := range m.endpoints {
+		name := "endpoint/" + endpoint.Type() + "[" + endpoint.Tag() + "]"
+		m.logger.Trace(stage, " ", name)
+		startTime := time.Now()
 		err := adapter.LegacyStart(endpoint, stage)
 		if err != nil {
-			return E.Cause(err, stage, " endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
+			return E.Cause(err, stage, " ", name)
 		}
+		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -66,11 +72,15 @@ func (m *Manager) Close() error {
 	monitor := taskmonitor.New(m.logger, C.StopTimeout)
 	var err error
 	for _, endpoint := range endpoints {
-		monitor.Start("close endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
+		name := "endpoint/" + endpoint.Type() + "[" + endpoint.Tag() + "]"
+		m.logger.Trace("close ", name)
+		startTime := time.Now()
+		monitor.Start("close ", name)
 		err = E.Append(err, endpoint.Close(), func(err error) error {
-			return E.Cause(err, "close endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
+			return E.Cause(err, "close ", name)
 		})
 		monitor.Finish()
+		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -119,11 +129,15 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 	m.access.Lock()
 	defer m.access.Unlock()
 	if m.started {
+		name := "endpoint/" + endpoint.Type() + "[" + endpoint.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
+			m.logger.Trace(stage, " ", name)
+			startTime := time.Now()
 			err = adapter.LegacyStart(endpoint, stage)
 			if err != nil {
-				return E.Cause(err, stage, " endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
+				return E.Cause(err, stage, " ", name)
 			}
+			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	if existsEndpoint, loaded := m.endpointByTag[tag]; loaded {

adapter/experimental.go

@@ -4,8 +4,10 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
+	"io"
 	"time"
 
+	"github.com/sagernet/sing/common/observable"
 	"github.com/sagernet/sing/common/varbin"
 )
 
@@ -14,6 +16,7 @@ type ClashServer interface {
 	ConnectionTracker
 	Mode() string
 	ModeList() []string
+	SetModeUpdateHook(hook *observable.Subscriber[struct{}])
 	HistoryStorage() URLTestHistoryStorage
 }
 
@@ -23,7 +26,7 @@ type URLTestHistory struct {
 }
 
 type URLTestHistoryStorage interface {
-	SetHook(hook chan<- struct{})
+	SetHook(hook *observable.Subscriber[struct{}])
 	LoadURLTestHistory(tag string) *URLTestHistory
 	DeleteURLTestHistory(tag string)
 	StoreURLTestHistory(tag string, history *URLTestHistory)
@@ -66,7 +69,11 @@ func (s *SavedBinary) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	err = varbin.Write(&buffer, binary.BigEndian, s.Content)
+	_, err = varbin.WriteUvarint(&buffer, uint64(len(s.Content)))
+	if err != nil {
+		return nil, err
+	}
+	_, err = buffer.Write(s.Content)
 	if err != nil {
 		return nil, err
 	}
@@ -74,7 +81,11 @@ func (s *SavedBinary) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	err = varbin.Write(&buffer, binary.BigEndian, s.LastEtag)
+	_, err = varbin.WriteUvarint(&buffer, uint64(len(s.LastEtag)))
+	if err != nil {
+		return nil, err
+	}
+	_, err = buffer.WriteString(s.LastEtag)
 	if err != nil {
 		return nil, err
 	}
@@ -88,7 +99,12 @@ func (s *SavedBinary) UnmarshalBinary(data []byte) error {
 	if err != nil {
 		return err
 	}
-	err = varbin.Read(reader, binary.BigEndian, &s.Content)
+	contentLength, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return err
+	}
+	s.Content = make([]byte, contentLength)
+	_, err = io.ReadFull(reader, s.Content)
 	if err != nil {
 		return err
 	}
@@ -98,10 +114,16 @@ func (s *SavedBinary) UnmarshalBinary(data []byte) error {
 		return err
 	}
 	s.LastUpdated = time.Unix(lastUpdated, 0)
-	err = varbin.Read(reader, binary.BigEndian, &s.LastEtag)
+	etagLength, err := binary.ReadUvarint(reader)
 	if err != nil {
 		return err
 	}
+	etagBytes := make([]byte, etagLength)
+	_, err = io.ReadFull(reader, etagBytes)
+	if err != nil {
+		return err
+	}
+	s.LastEtag = string(etagBytes)
 	return nil
 }
 

adapter/inbound.go

@@ -2,6 +2,7 @@ package adapter
 
 import (
 	"context"
+	"net"
 	"net/netip"
 	"time"
 
@@ -66,9 +67,6 @@ type InboundContext struct {
 	LastInbound               string
 	OriginDestination         M.Socksaddr
 	RouteOriginalDestination  M.Socksaddr
-	// Deprecated: to be removed
-	//nolint:staticcheck
-	InboundOptions            option.InboundOptions
 	UDPDisableDomainUnmapping bool
 	UDPConnect                bool
 	UDPTimeout                time.Duration
@@ -85,6 +83,8 @@ type InboundContext struct {
 	SourceGeoIPCode      string
 	GeoIPCode            string
 	ProcessInfo          *ConnectionOwner
+	SourceMACAddress     net.HardwareAddr
+	SourceHostname       string
 	QueryType            uint16
 	FakeIP               bool
 

adapter/inbound/manager.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"os"
 	"sync"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -11,6 +12,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 )
 
 var _ adapter.InboundManager = (*Manager)(nil)
@@ -45,10 +47,14 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 	inbounds := m.inbounds
 	m.access.Unlock()
 	for _, inbound := range inbounds {
+		name := "inbound/" + inbound.Type() + "[" + inbound.Tag() + "]"
+		m.logger.Trace(stage, " ", name)
+		startTime := time.Now()
 		err := adapter.LegacyStart(inbound, stage)
 		if err != nil {
-			return E.Cause(err, stage, " inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+			return E.Cause(err, stage, " ", name)
 		}
+		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -65,11 +71,15 @@ func (m *Manager) Close() error {
 	monitor := taskmonitor.New(m.logger, C.StopTimeout)
 	var err error
 	for _, inbound := range inbounds {
-		monitor.Start("close inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+		name := "inbound/" + inbound.Type() + "[" + inbound.Tag() + "]"
+		m.logger.Trace("close ", name)
+		startTime := time.Now()
+		monitor.Start("close ", name)
 		err = E.Append(err, inbound.Close(), func(err error) error {
-			return E.Cause(err, "close inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+			return E.Cause(err, "close ", name)
 		})
 		monitor.Finish()
+		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -121,11 +131,15 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 	m.access.Lock()
 	defer m.access.Unlock()
 	if m.started {
+		name := "inbound/" + inbound.Type() + "[" + inbound.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
+			m.logger.Trace(stage, " ", name)
+			startTime := time.Now()
 			err = adapter.LegacyStart(inbound, stage)
 			if err != nil {
-				return E.Cause(err, stage, " inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+				return E.Cause(err, stage, " ", name)
 			}
+			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	if existsInbound, loaded := m.inboundByTag[tag]; loaded {

adapter/lifecycle.go

@@ -1,6 +1,14 @@
 package adapter
 
-import E "github.com/sagernet/sing/common/exceptions"
+import (
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+)
 
 type SimpleLifecycle interface {
 	Start() error
@@ -48,22 +56,47 @@ type LifecycleService interface {
 	Lifecycle
 }
 
-func Start(stage StartStage, services ...Lifecycle) error {
+func getServiceName(service any) string {
+	if named, ok := service.(interface {
+		Type() string
+		Tag() string
+	}); ok {
+		tag := named.Tag()
+		if tag != "" {
+			return named.Type() + "[" + tag + "]"
+		}
+		return named.Type()
+	}
+	t := reflect.TypeOf(service)
+	if t.Kind() == reflect.Ptr {
+		t = t.Elem()
+	}
+	return strings.ToLower(t.Name())
+}
+
+func Start(logger log.ContextLogger, stage StartStage, services ...Lifecycle) error {
 	for _, service := range services {
+		name := getServiceName(service)
+		logger.Trace(stage, " ", name)
+		startTime := time.Now()
 		err := service.Start(stage)
 		if err != nil {
 			return err
 		}
+		logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
 
-func StartNamed(stage StartStage, services []LifecycleService) error {
+func StartNamed(logger log.ContextLogger, stage StartStage, services []LifecycleService) error {
 	for _, service := range services {
+		logger.Trace(stage, " ", service.Name())
+		startTime := time.Now()
 		err := service.Start(stage)
 		if err != nil {
 			return E.Cause(err, stage.String(), " ", service.Name())
 		}
+		logger.Trace(stage, " ", service.Name(), " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }

adapter/neighbor.go

@@ -0,0 +1,23 @@
+package adapter
+
+import (
+	"net"
+	"net/netip"
+)
+
+type NeighborEntry struct {
+	Address    netip.Addr
+	MACAddress net.HardwareAddr
+	Hostname   string
+}
+
+type NeighborResolver interface {
+	LookupMAC(address netip.Addr) (net.HardwareAddr, bool)
+	LookupHostname(address netip.Addr) (string, bool)
+	Start() error
+	Close() error
+}
+
+type NeighborUpdateListener interface {
+	UpdateNeighborTable(entries []NeighborEntry)
+}

adapter/outbound/manager.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -13,6 +14,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/logger"
 )
 
@@ -81,10 +83,14 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 		outbounds := m.outbounds
 		m.access.Unlock()
 		for _, outbound := range outbounds {
+			name := "outbound/" + outbound.Type() + "[" + outbound.Tag() + "]"
+			m.logger.Trace(stage, " ", name)
+			startTime := time.Now()
 			err := adapter.LegacyStart(outbound, stage)
 			if err != nil {
-				return E.Cause(err, stage, " outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+				return E.Cause(err, stage, " ", name)
 			}
+			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	return nil
@@ -109,22 +115,29 @@ func (m *Manager) startOutbounds(outbounds []adapter.Outbound) error {
 			}
 			started[outboundTag] = true
 			canContinue = true
+			name := "outbound/" + outboundToStart.Type() + "[" + outboundTag + "]"
 			if starter, isStarter := outboundToStart.(adapter.Lifecycle); isStarter {
-				monitor.Start("start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+				m.logger.Trace("start ", name)
+				startTime := time.Now()
+				monitor.Start("start ", name)
 				err := starter.Start(adapter.StartStateStart)
 				monitor.Finish()
 				if err != nil {
-					return E.Cause(err, "start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+					return E.Cause(err, "start ", name)
 				}
+				m.logger.Trace("start ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 			} else if starter, isStarter := outboundToStart.(interface {
 				Start() error
 			}); isStarter {
-				monitor.Start("start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+				m.logger.Trace("start ", name)
+				startTime := time.Now()
+				monitor.Start("start ", name)
 				err := starter.Start()
 				monitor.Finish()
 				if err != nil {
-					return E.Cause(err, "start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+					return E.Cause(err, "start ", name)
 				}
+				m.logger.Trace("start ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 			}
 		}
 		if len(started) == len(outbounds) {
@@ -171,11 +184,15 @@ func (m *Manager) Close() error {
 	var err error
 	for _, outbound := range outbounds {
 		if closer, isCloser := outbound.(io.Closer); isCloser {
-			monitor.Start("close outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+			name := "outbound/" + outbound.Type() + "[" + outbound.Tag() + "]"
+			m.logger.Trace("close ", name)
+			startTime := time.Now()
+			monitor.Start("close ", name)
 			err = E.Append(err, closer.Close(), func(err error) error {
-				return E.Cause(err, "close outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+				return E.Cause(err, "close ", name)
 			})
 			monitor.Finish()
+			m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	return nil
@@ -256,11 +273,15 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 		return err
 	}
 	if m.started {
+		name := "outbound/" + outbound.Type() + "[" + outbound.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
+			m.logger.Trace(stage, " ", name)
+			startTime := time.Now()
 			err = adapter.LegacyStart(outbound, stage)
 			if err != nil {
-				return E.Cause(err, stage, " outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+				return E.Cause(err, stage, " ", name)
 			}
+			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	m.access.Lock()

adapter/platform.go

@@ -36,6 +36,10 @@ type PlatformInterface interface {
 
 	UsePlatformNotification() bool
 	SendNotification(notification *Notification) error
+
+	UsePlatformNeighborResolver() bool
+	StartNeighborMonitor(listener NeighborUpdateListener) error
+	CloseNeighborMonitor(listener NeighborUpdateListener) error
 }
 
 type FindConnectionOwnerRequest struct {

adapter/router.go

@@ -21,10 +21,13 @@ import (
 type Router interface {
 	Lifecycle
 	ConnectionRouter
-	PreMatch(metadata InboundContext, context tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error)
+	PreMatch(metadata InboundContext, context tun.DirectRouteContext, timeout time.Duration, supportBypass bool) (tun.DirectRouteDestination, error)
 	ConnectionRouterEx
 	RuleSet(tag string) (RuleSet, bool)
 	Rules() []Rule
+	NeedFindProcess() bool
+	NeedFindNeighbor() bool
+	NeighborResolver() NeighborResolver
 	AppendTracker(tracker ConnectionTracker)
 	ResetNetwork()
 }

adapter/service/manager.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"os"
 	"sync"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -11,6 +12,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 )
 
 var _ adapter.ServiceManager = (*Manager)(nil)
@@ -43,10 +45,14 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 	services := m.services
 	m.access.Unlock()
 	for _, service := range services {
+		name := "service/" + service.Type() + "[" + service.Tag() + "]"
+		m.logger.Trace(stage, " ", name)
+		startTime := time.Now()
 		err := adapter.LegacyStart(service, stage)
 		if err != nil {
-			return E.Cause(err, stage, " service/", service.Type(), "[", service.Tag(), "]")
+			return E.Cause(err, stage, " ", name)
 		}
+		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -63,11 +69,15 @@ func (m *Manager) Close() error {
 	monitor := taskmonitor.New(m.logger, C.StopTimeout)
 	var err error
 	for _, service := range services {
-		monitor.Start("close service/", service.Type(), "[", service.Tag(), "]")
+		name := "service/" + service.Type() + "[" + service.Tag() + "]"
+		m.logger.Trace("close ", name)
+		startTime := time.Now()
+		monitor.Start("close ", name)
 		err = E.Append(err, service.Close(), func(err error) error {
-			return E.Cause(err, "close service/", service.Type(), "[", service.Tag(), "]")
+			return E.Cause(err, "close ", name)
 		})
 		monitor.Finish()
+		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -116,11 +126,15 @@ func (m *Manager) Create(ctx context.Context, logger log.ContextLogger, tag stri
 	m.access.Lock()
 	defer m.access.Unlock()
 	if m.started {
+		name := "service/" + service.Type() + "[" + service.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
+			m.logger.Trace(stage, " ", name)
+			startTime := time.Now()
 			err = adapter.LegacyStart(service, stage)
 			if err != nil {
-				return E.Cause(err, stage, " service/", service.Type(), "[", service.Tag(), "]")
+				return E.Cause(err, stage, " ", name)
 			}
+			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	if existsService, loaded := m.serviceByTag[tag]; loaded {

adapter/upstream.go

@@ -73,7 +73,7 @@ func NewUpstreamContextHandlerEx(
 }
 
 func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	myMetadata := ContextFrom(ctx)
+	_, myMetadata := ExtendContext(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -84,7 +84,7 @@ func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context,
 }
 
 func (w *myUpstreamContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	myMetadata := ContextFrom(ctx)
+	_, myMetadata := ExtendContext(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -146,7 +146,7 @@ type routeContextHandlerWrapperEx struct {
 }
 
 func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	metadata := ContextFrom(ctx)
+	_, metadata := ExtendContext(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}
@@ -157,7 +157,7 @@ func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn
 }
 
 func (r *routeContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	metadata := ContextFrom(ctx)
+	_, metadata := ExtendContext(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}

box.go

@@ -125,7 +125,10 @@ func New(options Options) (*Box, error) {
 
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
-	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
+	err := applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
+	if err != nil {
+		return nil, err
+	}
 	var needCacheFile bool
 	var needClashAPI bool
 	var needV2RayAPI bool
@@ -443,15 +446,15 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return E.Cause(err, "start logger")
 	}
-	err = adapter.StartNamed(adapter.StartStateInitialize, s.internalService) // cache-file clash-api v2ray-api
+	err = adapter.StartNamed(s.logger, adapter.StartStateInitialize, s.internalService) // cache-file clash-api v2ray-api
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
 	if err != nil {
 		return err
 	}
@@ -463,27 +466,27 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(adapter.StartStateStart, s.internalService)
+	err = adapter.StartNamed(s.logger, adapter.StartStateStart, s.internalService)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStart, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(adapter.StartStatePostStart, s.internalService)
+	err = adapter.StartNamed(s.logger, adapter.StartStatePostStart, s.internalService)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(adapter.StartStateStarted, s.internalService)
+	err = adapter.StartNamed(s.logger, adapter.StartStateStarted, s.internalService)
 	if err != nil {
 		return err
 	}
@@ -497,17 +500,42 @@ func (s *Box) Close() error {
 	default:
 		close(s.done)
 	}
-	err := common.Close(
+	var err error
-		s.service, s.endpoint, s.inbound, s.outbound, s.router, s.connection, s.dnsRouter, s.dnsTransport, s.network,
+	for _, closeItem := range []struct {
-	)
+		name    string
+		service adapter.Lifecycle
+	}{
+		{"service", s.service},
+		{"endpoint", s.endpoint},
+		{"inbound", s.inbound},
+		{"outbound", s.outbound},
+		{"router", s.router},
+		{"connection", s.connection},
+		{"dns-router", s.dnsRouter},
+		{"dns-transport", s.dnsTransport},
+		{"network", s.network},
+	} {
+		s.logger.Trace("close ", closeItem.name)
+		startTime := time.Now()
+		err = E.Append(err, closeItem.service.Close(), func(err error) error {
+			return E.Cause(err, "close ", closeItem.name)
+		})
+		s.logger.Trace("close ", closeItem.name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
+	}
 	for _, lifecycleService := range s.internalService {
+		s.logger.Trace("close ", lifecycleService.Name())
+		startTime := time.Now()
 		err = E.Append(err, lifecycleService.Close(), func(err error) error {
 			return E.Cause(err, "close ", lifecycleService.Name())
 		})
+		s.logger.Trace("close ", lifecycleService.Name(), " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
+	s.logger.Trace("close logger")
+	startTime := time.Now()
 	err = E.Append(err, s.logFactory.Close(), func(err error) error {
 		return E.Cause(err, "close logger")
 	})
+	s.logger.Trace("close logger completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	return err
 }
 

cmd/internal/app_store_connect/main.go

@@ -100,11 +100,32 @@ findVersion:
 }
 
 func publishTestflight(ctx context.Context) error {
+	if len(os.Args) < 3 {
+		return E.New("platform required: ios, macos, or tvos")
+	}
+	var platform asc.Platform
+	switch os.Args[2] {
+	case "ios":
+		platform = asc.PlatformIOS
+	case "macos":
+		platform = asc.PlatformMACOS
+	case "tvos":
+		platform = asc.PlatformTVOS
+	default:
+		return E.New("unknown platform: ", os.Args[2])
+	}
+
 	tagVersion, err := build_shared.ReadTagVersion()
 	if err != nil {
 		return err
 	}
 	tag := tagVersion.VersionString()
+
+	releaseNotes := F.ToString("sing-box ", tagVersion.String())
+	if len(os.Args) >= 4 {
+		releaseNotes = strings.Join(os.Args[3:], " ")
+	}
+
 	client := createClient(20 * time.Minute)
 
 	log.Info(tag, " list build IDs")
@@ -115,27 +136,8 @@ func publishTestflight(ctx context.Context) error {
 	buildIDs := common.Map(buildIDsResponse.Data, func(it asc.RelationshipData) string {
 		return it.ID
 	})
-	var platforms []asc.Platform
+
-	if len(os.Args) == 3 {
-		switch os.Args[2] {
-		case "ios":
-			platforms = []asc.Platform{asc.PlatformIOS}
-		case "macos":
-			platforms = []asc.Platform{asc.PlatformMACOS}
-		case "tvos":
-			platforms = []asc.Platform{asc.PlatformTVOS}
-		default:
-			return E.New("unknown platform: ", os.Args[2])
-		}
-	} else {
-		platforms = []asc.Platform{
-			asc.PlatformIOS,
-			asc.PlatformMACOS,
-			asc.PlatformTVOS,
-		}
-	}
 	waitingForProcess := false
-	for _, platform := range platforms {
 	log.Info(string(platform), " list builds")
 	for {
 		builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
@@ -146,6 +148,7 @@ func publishTestflight(ctx context.Context) error {
 			return err
 		}
 		build := builds.Data[0]
+		log.Info(string(platform), " ", tag, " found build: ", build.ID, " (", *build.Attributes.Version, ")")
 		if !waitingForProcess && (common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 30*time.Minute) {
 			log.Info(string(platform), " ", tag, " waiting for process")
 			time.Sleep(15 * time.Second)
@@ -170,9 +173,7 @@ func publishTestflight(ctx context.Context) error {
 		}
 		if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
 			log.Info(string(platform), " ", tag, " update localization")
-				_, _, err = client.TestFlight.UpdateBetaBuildLocalization(ctx, localization.ID, common.Ptr(
+			_, _, err = client.TestFlight.UpdateBetaBuildLocalization(ctx, localization.ID, common.Ptr(releaseNotes))
-					F.ToString("sing-box ", tagVersion.String()),
-				))
 			if err != nil {
 				return err
 			}
@@ -206,7 +207,6 @@ func publishTestflight(ctx context.Context) error {
 		}
 		break
 	}
-	}
 	return nil
 }
 

cmd/internal/build_libbox/main.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 
 	_ "github.com/sagernet/gomobile"
@@ -19,14 +20,14 @@ var (
 	debugEnabled bool
 	target       string
 	platform     string
-	withTailscale bool
+	// withTailscale bool
 )
 
 func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
 	flag.StringVar(&platform, "platform", "", "specify platform")
-	flag.BoolVar(&withTailscale, "with-tailscale", false, "build tailscale for iOS and tvOS")
+	// flag.BoolVar(&withTailscale, "with-tailscale", false, "build tailscale for iOS and tvOS")
 }
 
 func main() {
@@ -46,8 +47,8 @@ var (
 	sharedFlags []string
 	debugFlags  []string
 	sharedTags  []string
-	macOSTags   []string
+	darwinTags  []string
-	memcTags    []string
+	// memcTags    []string
 	notMemcTags []string
 	debugTags   []string
 )
@@ -59,19 +60,38 @@ func init() {
 	if err != nil {
 		currentTag = "unknown"
 	}
-	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=  -checklinkname=0")
+	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid=  -checklinkname=0")
-	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -checklinkname=0")
+	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0")
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api", "with_conntrack", "badlinkname", "tfogo_checklinkname0")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "badlinkname", "tfogo_checklinkname0")
-	macOSTags = append(macOSTags, "with_dhcp")
+	darwinTags = append(darwinTags, "with_dhcp", "grpcnotrace")
-	memcTags = append(memcTags, "with_tailscale")
+	// memcTags = append(memcTags, "with_tailscale")
+	sharedTags = append(sharedTags, "with_tailscale", "ts_omit_logtail", "ts_omit_ssh", "ts_omit_drive", "ts_omit_taildrop", "ts_omit_webclient", "ts_omit_doctor", "ts_omit_capture", "ts_omit_kube", "ts_omit_aws", "ts_omit_synology", "ts_omit_bird")
 	notMemcTags = append(notMemcTags, "with_low_memory")
 	debugTags = append(debugTags, "debug")
 }
 
-func buildAndroid() {
+type AndroidBuildConfig struct {
-	build_shared.FindSDK()
+	AndroidAPI int
+	OutputName string
+	Tags       []string
+}
 
+func filterTags(tags []string, exclude ...string) []string {
+	excludeMap := make(map[string]bool)
+	for _, tag := range exclude {
+		excludeMap[tag] = true
+	}
+	var result []string
+	for _, tag := range tags {
+		if !excludeMap[tag] {
+			result = append(result, tag)
+		}
+	}
+	return result
+}
+
+func checkJavaVersion() {
 	var javaPath string
 	javaHome := os.Getenv("JAVA_HOME")
 	if javaHome == "" {
@@ -87,21 +107,24 @@ func buildAndroid() {
 	if !strings.Contains(javaVersion, "openjdk 17") {
 		log.Fatal("java version should be openjdk 17")
 	}
+}
 
-	var bindTarget string
+func getAndroidBindTarget() string {
 	if platform != "" {
-		bindTarget = platform
+		return platform
 	} else if debugEnabled {
-		bindTarget = "android/arm64"
+		return "android/arm64"
-	} else {
-		bindTarget = "android"
 	}
+	return "android"
+}
 
+func buildAndroidVariant(config AndroidBuildConfig, bindTarget string) {
 	args := []string{
 		"bind",
 		"-v",
+		"-o", config.OutputName,
 		"-target", bindTarget,
-		"-androidapi", "21",
+		"-androidapi", strconv.Itoa(config.AndroidAPI),
 		"-javapkg=io.nekohasekai",
 		"-libname=box",
 	}
@@ -112,34 +135,59 @@ func buildAndroid() {
 		args = append(args, debugFlags...)
 	}
 
-	tags := append(sharedTags, memcTags...)
+	args = append(args, "-tags", strings.Join(config.Tags, ","))
-	if debugEnabled {
-		tags = append(tags, debugTags...)
-	}
-
-	args = append(args, "-tags", strings.Join(tags, ","))
 	args = append(args, "./experimental/libbox")
 
 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr
-	err = command.Run()
+	err := command.Run()
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	const name = "libbox.aar"
 	copyPath := filepath.Join("..", "sing-box-for-android", "app", "libs")
 	if rw.IsDir(copyPath) {
 		copyPath, _ = filepath.Abs(copyPath)
-		err = rw.CopyFile(name, filepath.Join(copyPath, name))
+		err = rw.CopyFile(config.OutputName, filepath.Join(copyPath, config.OutputName))
 		if err != nil {
 			log.Fatal(err)
 		}
-		log.Info("copied to ", copyPath)
+		log.Info("copied ", config.OutputName, " to ", copyPath)
 	}
 }
 
+func buildAndroid() {
+	build_shared.FindSDK()
+	checkJavaVersion()
+
+	bindTarget := getAndroidBindTarget()
+
+	// Build main variant (SDK 23)
+	mainTags := append([]string{}, sharedTags...)
+	// mainTags = append(mainTags, memcTags...)
+	if debugEnabled {
+		mainTags = append(mainTags, debugTags...)
+	}
+	buildAndroidVariant(AndroidBuildConfig{
+		AndroidAPI: 23,
+		OutputName: "libbox.aar",
+		Tags:       mainTags,
+	}, bindTarget)
+
+	// Build legacy variant (SDK 21, no naive outbound)
+	legacyTags := filterTags(sharedTags, "with_naive_outbound")
+	// legacyTags = append(legacyTags, memcTags...)
+	if debugEnabled {
+		legacyTags = append(legacyTags, debugTags...)
+	}
+	buildAndroidVariant(AndroidBuildConfig{
+		AndroidAPI: 21,
+		OutputName: "libbox-legacy.aar",
+		Tags:       legacyTags,
+	}, bindTarget)
+}
+
 func buildApple() {
 	var bindTarget string
 	if platform != "" {
@@ -147,7 +195,7 @@ func buildApple() {
 	} else if debugEnabled {
 		bindTarget = "ios"
 	} else {
-		bindTarget = "ios,tvos,macos"
+		bindTarget = "ios,iossimulator,tvos,tvossimulator,macos"
 	}
 
 	args := []string{
@@ -157,11 +205,9 @@ func buildApple() {
 		"-libname=box",
 		"-tags-not-macos=with_low_memory",
 	}
-	if !withTailscale {
+	//if !withTailscale {
-		args = append(args, "-tags-macos="+strings.Join(append(macOSTags, memcTags...), ","))
+	//	args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
-	} else {
+	//}
-		args = append(args, "-tags-macos="+strings.Join(macOSTags, ","))
-	}
 
 	if !debugEnabled {
 		args = append(args, sharedFlags...)
@@ -169,10 +215,10 @@ func buildApple() {
 		args = append(args, debugFlags...)
 	}
 
-	tags := sharedTags
+	tags := append(sharedTags, darwinTags...)
-	if withTailscale {
+	//if withTailscale {
-		tags = append(tags, memcTags...)
+	//	tags = append(tags, memcTags...)
-	}
+	//}
 	if debugEnabled {
 		tags = append(tags, debugTags...)
 	}

cmd/internal/format_docs/main.go

@@ -0,0 +1,117 @@
+package main
+
+import (
+	"bytes"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/sagernet/sing-box/log"
+)
+
+func main() {
+	err := filepath.Walk("docs", func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.IsDir() {
+			return nil
+		}
+		if !strings.HasSuffix(path, ".md") {
+			return nil
+		}
+		return processFile(path)
+	})
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+func processFile(path string) error {
+	content, err := os.ReadFile(path)
+	if err != nil {
+		return err
+	}
+
+	lines := strings.Split(string(content), "\n")
+	modified := false
+	result := make([]string, 0, len(lines))
+
+	inQuoteBlock := false
+	materialLines := []int{} // indices of :material- lines in the block
+
+	for _, line := range lines {
+		// Check for quote block start
+		if strings.HasPrefix(line, "!!! quote \"") && strings.Contains(line, "sing-box") {
+			inQuoteBlock = true
+			materialLines = nil
+			result = append(result, line)
+			continue
+		}
+
+		// Inside a quote block
+		if inQuoteBlock {
+			trimmed := strings.TrimPrefix(line, "    ")
+			isMaterialLine := strings.HasPrefix(trimmed, ":material-")
+			isEmpty := strings.TrimSpace(line) == ""
+			isIndented := strings.HasPrefix(line, "    ")
+
+			if isMaterialLine {
+				materialLines = append(materialLines, len(result))
+				result = append(result, line)
+				continue
+			}
+
+			// Block ends when:
+			// - Empty line AFTER we've seen material lines, OR
+			// - Non-indented, non-empty line
+			blockEnds := (isEmpty && len(materialLines) > 0) || (!isEmpty && !isIndented)
+			if blockEnds {
+				// Process collected material lines
+				if len(materialLines) > 0 {
+					for j, idx := range materialLines {
+						isLast := j == len(materialLines)-1
+						resultLine := strings.TrimRight(result[idx], " ")
+						if !isLast {
+							// Add trailing two spaces for non-last lines
+							resultLine += "  "
+						}
+						if result[idx] != resultLine {
+							modified = true
+							result[idx] = resultLine
+						}
+					}
+				}
+				inQuoteBlock = false
+				materialLines = nil
+			}
+		}
+
+		result = append(result, line)
+	}
+
+	// Handle case where file ends while still in a block
+	if inQuoteBlock && len(materialLines) > 0 {
+		for j, idx := range materialLines {
+			isLast := j == len(materialLines)-1
+			resultLine := strings.TrimRight(result[idx], " ")
+			if !isLast {
+				resultLine += "  "
+			}
+			if result[idx] != resultLine {
+				modified = true
+				result[idx] = resultLine
+			}
+		}
+	}
+
+	if modified {
+		newContent := strings.Join(result, "\n")
+		if !bytes.Equal(content, []byte(newContent)) {
+			log.Info("formatted: ", path)
+			return os.WriteFile(path, []byte(newContent), 0o644)
+		}
+	}
+
+	return nil
+}

cmd/internal/update_apple_version/main.go

@@ -71,12 +71,12 @@ func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDLi
 		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
 		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "MARKETING_VERSION = ") + 20
 		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
-		version := projectContent[versionStart:versionEnd]
+		version := strings.Trim(projectContent[versionStart:versionEnd], "\"")
 		if version == newVersion {
 			continue
 		}
 		updated = true
-		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
+		projectContent = projectContent[:versionStart] + "\"" + newVersion + "\"" + projectContent[versionEnd:]
 	}
 	return projectContent, updated
 }

cmd/internal/update_certificates/main.go

@@ -17,6 +17,10 @@ func main() {
 	if err != nil {
 		log.Error(err)
 	}
+	err = updateChromeIncludedRootCAs()
+	if err != nil {
+		log.Error(err)
+	}
 }
 
 func updateMozillaIncludedRootCAs() error {
@@ -69,3 +73,94 @@ func init() {
 	generated.WriteString("}\n")
 	return os.WriteFile("common/certificate/mozilla.go", []byte(generated.String()), 0o644)
 }
+
+func fetchChinaFingerprints() (map[string]bool, error) {
+	response, err := http.Get("https://ccadb.my.salesforce-sites.com/ccadb/AllCertificateRecordsCSVFormatv4")
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+	reader := csv.NewReader(response.Body)
+	header, err := reader.Read()
+	if err != nil {
+		return nil, err
+	}
+	countryIndex := slices.Index(header, "Country")
+	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")
+
+	chinaFingerprints := make(map[string]bool)
+	for {
+		record, err := reader.Read()
+		if err == io.EOF {
+			break
+		} else if err != nil {
+			return nil, err
+		}
+		if record[countryIndex] == "China" {
+			chinaFingerprints[record[fingerprintIndex]] = true
+		}
+	}
+	return chinaFingerprints, nil
+}
+
+func updateChromeIncludedRootCAs() error {
+	chinaFingerprints, err := fetchChinaFingerprints()
+	if err != nil {
+		return err
+	}
+
+	response, err := http.Get("https://ccadb.my.salesforce-sites.com/ccadb/RootCACertificatesIncludedByRSReportCSV")
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+	reader := csv.NewReader(response.Body)
+	header, err := reader.Read()
+	if err != nil {
+		return err
+	}
+	subjectIndex := slices.Index(header, "Subject")
+	statusIndex := slices.Index(header, "Google Chrome Status")
+	certIndex := slices.Index(header, "X.509 Certificate (PEM)")
+	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")
+
+	generated := strings.Builder{}
+	generated.WriteString(`// Code generated by 'make update_certificates'. DO NOT EDIT.
+
+package certificate
+
+import "crypto/x509"
+
+var chromeIncluded *x509.CertPool
+
+func init() {
+	chromeIncluded = x509.NewCertPool()
+`)
+	for {
+		record, err := reader.Read()
+		if err == io.EOF {
+			break
+		} else if err != nil {
+			return err
+		}
+		if record[statusIndex] != "Included" {
+			continue
+		}
+		if chinaFingerprints[record[fingerprintIndex]] {
+			continue
+		}
+		generated.WriteString("\n	// ")
+		generated.WriteString(record[subjectIndex])
+		generated.WriteString("\n")
+		generated.WriteString("	chromeIncluded.AppendCertsFromPEM([]byte(`")
+		cert := record[certIndex]
+		// Remove single quotes if present
+		if len(cert) > 0 && cert[0] == '\'' {
+			cert = cert[1 : len(cert)-1]
+		}
+		generated.WriteString(cert)
+		generated.WriteString("`))\n")
+	}
+	generated.WriteString("}\n")
+	return os.WriteFile("common/certificate/chrome.go", []byte(generated.String()), 0o644)
+}

common/certificate/store.go

@@ -53,6 +53,8 @@ func NewStore(ctx context.Context, logger logger.Logger, options option.Certific
 		}
 	case C.CertificateStoreMozilla:
 		systemPool = mozillaIncluded
+	case C.CertificateStoreChrome:
+		systemPool = chromeIncluded
 	case C.CertificateStoreNone:
 		systemPool = nil
 	default:

common/conntrack/conn.go

@@ -1,54 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"net"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type Conn struct {
-	net.Conn
-	element *list.Element[io.Closer]
-}
-
-func NewConn(conn net.Conn) (net.Conn, error) {
-	connAccess.Lock()
-	element := openConnection.PushBack(conn)
-	connAccess.Unlock()
-	if KillerEnabled {
-		err := KillerCheck()
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-	}
-	return &Conn{
-		Conn:    conn,
-		element: element,
-	}, nil
-}
-
-func (c *Conn) Close() error {
-	if c.element.Value != nil {
-		connAccess.Lock()
-		if c.element.Value != nil {
-			openConnection.Remove(c.element)
-			c.element.Value = nil
-		}
-		connAccess.Unlock()
-	}
-	return c.Conn.Close()
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-func (c *Conn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *Conn) WriterReplaceable() bool {
-	return true
-}

common/conntrack/killer.go

@@ -1,35 +0,0 @@
-package conntrack
-
-import (
-	runtimeDebug "runtime/debug"
-	"time"
-
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/memory"
-)
-
-var (
-	KillerEnabled   bool
-	MemoryLimit     uint64
-	killerLastCheck time.Time
-)
-
-func KillerCheck() error {
-	if !KillerEnabled {
-		return nil
-	}
-	nowTime := time.Now()
-	if nowTime.Sub(killerLastCheck) < 3*time.Second {
-		return nil
-	}
-	killerLastCheck = nowTime
-	if memory.Total() > MemoryLimit {
-		Close()
-		go func() {
-			time.Sleep(time.Second)
-			runtimeDebug.FreeOSMemory()
-		}()
-		return E.New("out of memory")
-	}
-	return nil
-}

common/conntrack/packet_conn.go

@@ -1,55 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"net"
-
-	"github.com/sagernet/sing/common/bufio"
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type PacketConn struct {
-	net.PacketConn
-	element *list.Element[io.Closer]
-}
-
-func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
-	connAccess.Lock()
-	element := openConnection.PushBack(conn)
-	connAccess.Unlock()
-	if KillerEnabled {
-		err := KillerCheck()
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-	}
-	return &PacketConn{
-		PacketConn: conn,
-		element:    element,
-	}, nil
-}
-
-func (c *PacketConn) Close() error {
-	if c.element.Value != nil {
-		connAccess.Lock()
-		if c.element.Value != nil {
-			openConnection.Remove(c.element)
-			c.element.Value = nil
-		}
-		connAccess.Unlock()
-	}
-	return c.PacketConn.Close()
-}
-
-func (c *PacketConn) Upstream() any {
-	return bufio.NewPacketConn(c.PacketConn)
-}
-
-func (c *PacketConn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) WriterReplaceable() bool {
-	return true
-}

common/conntrack/track.go

@@ -1,47 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"sync"
-
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/x/list"
-)
-
-var (
-	connAccess     sync.RWMutex
-	openConnection list.List[io.Closer]
-)
-
-func Count() int {
-	if !Enabled {
-		return 0
-	}
-	return openConnection.Len()
-}
-
-func List() []io.Closer {
-	if !Enabled {
-		return nil
-	}
-	connAccess.RLock()
-	defer connAccess.RUnlock()
-	connList := make([]io.Closer, 0, openConnection.Len())
-	for element := openConnection.Front(); element != nil; element = element.Next() {
-		connList = append(connList, element.Value)
-	}
-	return connList
-}
-
-func Close() {
-	if !Enabled {
-		return
-	}
-	connAccess.Lock()
-	defer connAccess.Unlock()
-	for element := openConnection.Front(); element != nil; element = element.Next() {
-		common.Close(element.Value)
-		element.Value = nil
-	}
-	openConnection.Init()
-}

common/conntrack/track_disable.go

@@ -1,5 +0,0 @@
-//go:build !with_conntrack
-
-package conntrack
-
-const Enabled = false

common/conntrack/track_enable.go

@@ -1,5 +0,0 @@
-//go:build with_conntrack
-
-package conntrack
-
-const Enabled = true

common/dialer/default.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/listener"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -37,6 +36,7 @@ type DefaultDialer struct {
 	udpAddr4               string
 	udpAddr6               string
 	netns                  string
+	connectionManager      adapter.ConnectionManager
 	networkManager         adapter.NetworkManager
 	networkStrategy        *C.NetworkStrategy
 	defaultNetworkStrategy bool
@@ -47,6 +47,7 @@ type DefaultDialer struct {
 }
 
 func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
+	connectionManager := service.FromContext[adapter.ConnectionManager](ctx)
 	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	platformInterface := service.FromContext[adapter.PlatformInterface](ctx)
 
@@ -89,7 +90,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 
 	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if defaultOptions.BindInterface != "" {
+		if defaultOptions.BindInterface != "" && !disableDefaultBind {
 			bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
 			dialer.Control = control.Append(dialer.Control, bindFunc)
 			listener.Control = control.Append(listener.Control, bindFunc)
@@ -137,14 +138,32 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		dialer.Control = control.Append(dialer.Control, control.ProtectPath(options.ProtectPath))
 		listener.Control = control.Append(listener.Control, control.ProtectPath(options.ProtectPath))
 	}
+	if options.BindAddressNoPort {
+		if !C.IsLinux {
+			return nil, E.New("`bind_address_no_port` is only supported on Linux")
+		}
+		dialer.Control = control.Append(dialer.Control, control.BindAddressNoPort())
+	}
 	if options.ConnectTimeout != 0 {
 		dialer.Timeout = time.Duration(options.ConnectTimeout)
 	} else {
 		dialer.Timeout = C.TCPConnectTimeout
 	}
-	// TODO: Add an option to customize the keep alive period
+	if !options.DisableTCPKeepAlive {
-	dialer.KeepAlive = C.TCPKeepAliveInitial
+		keepIdle := time.Duration(options.TCPKeepAlive)
-	dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
+		if keepIdle == 0 {
+			keepIdle = C.TCPKeepAliveInitial
+		}
+		keepInterval := time.Duration(options.TCPKeepAliveInterval)
+		if keepInterval == 0 {
+			keepInterval = C.TCPKeepAliveInterval
+		}
+		dialer.KeepAliveConfig = net.KeepAliveConfig{
+			Enable:   true,
+			Idle:     keepIdle,
+			Interval: keepInterval,
+		}
+	}
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment
@@ -191,6 +210,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		udpAddr4:               udpAddr4,
 		udpAddr6:               udpAddr6,
 		netns:                  options.NetNs,
+		connectionManager:      connectionManager,
 		networkManager:         networkManager,
 		networkStrategy:        networkStrategy,
 		defaultNetworkStrategy: defaultNetworkStrategy,
@@ -223,7 +243,7 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
-		return trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
+		return d.trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
 			switch N.NetworkName(network) {
 			case N.NetworkUDP:
 				if !address.IsIPv6() {
@@ -288,12 +308,12 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	if !fastFallback && !isPrimary {
 		d.networkLastFallback.Store(time.Now())
 	}
-	return trackConn(conn, nil)
+	return d.trackConn(conn, nil)
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if d.networkStrategy == nil {
-		return trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
+		return d.trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
 			if destination.IsIPv6() {
 				return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6)
 			} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
@@ -345,23 +365,23 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 			return nil, err
 		}
 	}
-	return trackPacketConn(packetConn, nil)
+	return d.trackPacketConn(packetConn, nil)
 }
 
 func (d *DefaultDialer) WireGuardControl() control.Func {
 	return d.udpListener.Control
 }
 
-func trackConn(conn net.Conn, err error) (net.Conn, error) {
+func (d *DefaultDialer) trackConn(conn net.Conn, err error) (net.Conn, error) {
-	if !conntrack.Enabled || err != nil {
+	if d.connectionManager == nil || err != nil {
 		return conn, err
 	}
-	return conntrack.NewConn(conn)
+	return d.connectionManager.TrackConn(conn), nil
 }
 
-func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
+func (d *DefaultDialer) trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
-	if !conntrack.Enabled || err != nil {
+	if d.connectionManager == nil || err != nil {
 		return conn, err
 	}
-	return conntrack.NewPacketConn(conn)
+	return d.connectionManager.TrackPacketConn(conn), nil
 }

common/dialer/dialer.go

@@ -145,3 +145,7 @@ type ParallelNetworkDialer interface {
 	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
 	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }
+
+type PacketDialerWithDestination interface {
+	ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error)
+}

common/geosite/compat_test.go

@@ -0,0 +1,234 @@
+package geosite
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/binary"
+	"strings"
+	"testing"
+
+	"github.com/sagernet/sing/common/varbin"
+
+	"github.com/stretchr/testify/require"
+)
+
+// Old implementation using varbin reflection-based serialization
+
+func oldWriteString(writer varbin.Writer, value string) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, value)
+}
+
+func oldWriteItem(writer varbin.Writer, item Item) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, item)
+}
+
+func oldReadString(reader varbin.Reader) (string, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[string](reader, binary.BigEndian)
+}
+
+func oldReadItem(reader varbin.Reader) (Item, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[Item](reader, binary.BigEndian)
+}
+
+func TestStringCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input string
+	}{
+		{"empty", ""},
+		{"single_char", "a"},
+		{"ascii", "example.com"},
+		{"utf8", "测试域名.中国"},
+		{"special_chars", "\x00\xff\n\t"},
+		{"127_bytes", strings.Repeat("x", 127)},
+		{"128_bytes", strings.Repeat("x", 128)},
+		{"16383_bytes", strings.Repeat("x", 16383)},
+		{"16384_bytes", strings.Repeat("x", 16384)},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWriteString(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = writeString(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> old read
+			readBack, err := oldReadString(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readString(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestItemCompat(t *testing.T) {
+	t.Parallel()
+
+	// Note: varbin.Write has a bug where struct values (not pointers) don't write their fields
+	// because field.CanSet() returns false for non-addressable values.
+	// The old geosite code passed Item values to varbin.Write, which silently wrote nothing.
+	// The new code correctly writes Type + Value using manual serialization.
+	// This test verifies the new serialization format and round-trip correctness.
+
+	cases := []struct {
+		name  string
+		input Item
+	}{
+		{"domain_empty", Item{Type: RuleTypeDomain, Value: ""}},
+		{"domain_normal", Item{Type: RuleTypeDomain, Value: "example.com"}},
+		{"domain_suffix", Item{Type: RuleTypeDomainSuffix, Value: ".example.com"}},
+		{"domain_keyword", Item{Type: RuleTypeDomainKeyword, Value: "google"}},
+		{"domain_regex", Item{Type: RuleTypeDomainRegex, Value: `^.*\.example\.com$`}},
+		{"utf8_domain", Item{Type: RuleTypeDomain, Value: "测试.com"}},
+		{"long_domain", Item{Type: RuleTypeDomainSuffix, Value: strings.Repeat("a", 200) + ".com"}},
+		{"128_bytes_value", Item{Type: RuleTypeDomain, Value: strings.Repeat("x", 128)}},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// New write
+			var newBuf bytes.Buffer
+			err := newBuf.WriteByte(byte(tc.input.Type))
+			require.NoError(t, err)
+			err = writeString(&newBuf, tc.input.Value)
+			require.NoError(t, err)
+
+			// Verify format: Type (1 byte) + Value (uvarint len + bytes)
+			require.True(t, len(newBuf.Bytes()) >= 1, "output too short")
+			require.Equal(t, byte(tc.input.Type), newBuf.Bytes()[0], "type byte mismatch")
+
+			// New write -> old read (varbin can read correctly when given addressable target)
+			readBack, err := oldReadItem(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack)
+
+			// New write -> new read
+			reader := bufio.NewReader(bytes.NewReader(newBuf.Bytes()))
+			typeByte, err := reader.ReadByte()
+			require.NoError(t, err)
+			value, err := readString(reader)
+			require.NoError(t, err)
+			require.Equal(t, tc.input, Item{Type: ItemType(typeByte), Value: value})
+		})
+	}
+}
+
+func TestGeositeWriteReadCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input map[string][]Item
+	}{
+		{
+			"empty_map",
+			map[string][]Item{},
+		},
+		{
+			"single_code_empty_items",
+			map[string][]Item{"test": {}},
+		},
+		{
+			"single_code_single_item",
+			map[string][]Item{"test": {{Type: RuleTypeDomain, Value: "a.com"}}},
+		},
+		{
+			"single_code_multi_items",
+			map[string][]Item{
+				"test": {
+					{Type: RuleTypeDomain, Value: "a.com"},
+					{Type: RuleTypeDomainSuffix, Value: ".b.com"},
+					{Type: RuleTypeDomainKeyword, Value: "keyword"},
+					{Type: RuleTypeDomainRegex, Value: `^.*$`},
+				},
+			},
+		},
+		{
+			"multi_code",
+			map[string][]Item{
+				"cn": {{Type: RuleTypeDomain, Value: "baidu.com"}, {Type: RuleTypeDomainSuffix, Value: ".cn"}},
+				"us": {{Type: RuleTypeDomain, Value: "google.com"}},
+				"jp": {{Type: RuleTypeDomainSuffix, Value: ".jp"}},
+			},
+		},
+		{
+			"utf8_values",
+			map[string][]Item{
+				"test": {
+					{Type: RuleTypeDomain, Value: "测试.中国"},
+					{Type: RuleTypeDomainSuffix, Value: ".テスト"},
+				},
+			},
+		},
+		{
+			"large_items",
+			generateLargeItems(1000),
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Write using new implementation
+			var buf bytes.Buffer
+			err := Write(&buf, tc.input)
+			require.NoError(t, err)
+
+			// Read back and verify
+			reader, codes, err := NewReader(bytes.NewReader(buf.Bytes()))
+			require.NoError(t, err)
+
+			// Verify all codes exist
+			codeSet := make(map[string]bool)
+			for _, code := range codes {
+				codeSet[code] = true
+			}
+			for code := range tc.input {
+				require.True(t, codeSet[code], "missing code: %s", code)
+			}
+
+			// Verify items match
+			for code, expectedItems := range tc.input {
+				items, err := reader.Read(code)
+				require.NoError(t, err)
+				require.Equal(t, expectedItems, items, "items mismatch for code: %s", code)
+			}
+		})
+	}
+}
+
+func generateLargeItems(count int) map[string][]Item {
+	items := make([]Item, count)
+	for i := 0; i < count; i++ {
+		items[i] = Item{
+			Type:  ItemType(i % 4),
+			Value: strings.Repeat("x", i%200) + ".com",
+		}
+	}
+	return map[string][]Item{"large": items}
+}

common/geosite/reader.go

@@ -9,7 +9,6 @@ import (
 	"sync/atomic"
 
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/varbin"
 )
 
 type Reader struct {
@@ -78,7 +77,7 @@ func (r *Reader) readMetadata() error {
 			codeIndex  uint64
 			codeLength uint64
 		)
-		code, err = varbin.ReadValue[string](reader, binary.BigEndian)
+		code, err = readString(reader)
 		if err != nil {
 			return err
 		}
@@ -112,10 +111,17 @@ func (r *Reader) Read(code string) ([]Item, error) {
 	}
 	r.bufferedReader.Reset(r.reader)
 	itemList := make([]Item, r.domainLength[code])
-	err = varbin.Read(r.bufferedReader, binary.BigEndian, &itemList)
+	for i := range itemList {
+		typeByte, err := r.bufferedReader.ReadByte()
 		if err != nil {
 			return nil, err
 		}
+		itemList[i].Type = ItemType(typeByte)
+		itemList[i].Value, err = readString(r.bufferedReader)
+		if err != nil {
+			return nil, err
+		}
+	}
 	return itemList, nil
 }
 
@@ -135,3 +141,18 @@ func (r *readCounter) Read(p []byte) (n int, err error) {
 	}
 	return
 }
+
+func readString(reader io.ByteReader) (string, error) {
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return "", err
+	}
+	bytes := make([]byte, length)
+	for i := range bytes {
+		bytes[i], err = reader.ReadByte()
+		if err != nil {
+			return "", err
+		}
+	}
+	return string(bytes), nil
+}

common/geosite/writer.go

@@ -2,7 +2,6 @@ package geosite
 
 import (
 	"bytes"
-	"encoding/binary"
 	"sort"
 
 	"github.com/sagernet/sing/common/varbin"
@@ -20,7 +19,11 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 	for _, code := range keys {
 		index[code] = content.Len()
 		for _, item := range domains[code] {
-			err := varbin.Write(content, binary.BigEndian, item)
+			err := content.WriteByte(byte(item.Type))
+			if err != nil {
+				return err
+			}
+			err = writeString(content, item.Value)
 			if err != nil {
 				return err
 			}
@@ -38,7 +41,7 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 	}
 
 	for _, code := range keys {
-		err = varbin.Write(writer, binary.BigEndian, code)
+		err = writeString(writer, code)
 		if err != nil {
 			return err
 		}
@@ -59,3 +62,12 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 
 	return nil
 }
+
+func writeString(writer varbin.Writer, value string) error {
+	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write([]byte(value))
+	return err
+}

common/listener/listener.go

@@ -151,6 +151,7 @@ func ListenNetworkNamespace[T any](nameOrPath string, block func() (T, error)) (
 		if err != nil {
 			return common.DefaultValue[T](), E.Cause(err, "get current netns")
 		}
+		defer currentNs.Close()
 		defer netns.Set(currentNs)
 		var targetNs netns.NsHandle
 		if strings.HasPrefix(nameOrPath, "/") {

common/listener/listener_tcp.go

@@ -37,7 +37,7 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 	if l.listenOptions.ReuseAddr {
 		listenConfig.Control = control.Append(listenConfig.Control, control.ReuseAddr())
 	}
-	if l.listenOptions.TCPKeepAlive >= 0 {
+	if !l.listenOptions.DisableTCPKeepAlive {
 		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
 		if keepIdle == 0 {
 			keepIdle = C.TCPKeepAliveInitial
@@ -99,8 +99,6 @@ func (l *Listener) loopTCPIn() {
 		}
 		//nolint:staticcheck
 		metadata.InboundDetour = l.listenOptions.Detour
-		//nolint:staticcheck
-		metadata.InboundOptions = l.listenOptions.InboundOptions
 		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
 		metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
 		ctx := log.ContextWithNewID(l.ctx)

common/settings/wifi_linux_connman.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package settings
 
 import (
@@ -134,7 +136,9 @@ func (m *connmanMonitor) monitorSignals(ctx context.Context, signalChan chan *db
 			if !ok {
 				return
 			}
-			if signal.Name == "PropertyChanged" {
+			// godbus Signal.Name uses "interface.member" format (e.g. "net.connman.Service.PropertyChanged"),
+			// not just the member name. This differs from the D-Bus signal member in the match rule.
+			if signal.Name == "net.connman.Service.PropertyChanged" {
 				state := m.ReadWIFIState()
 				if state != lastState {
 					lastState = state
@@ -154,6 +158,10 @@ func (m *connmanMonitor) Close() error {
 		close(m.signalChan)
 	}
 	if m.conn != nil {
+		m.conn.RemoveMatchSignal(
+			dbus.WithMatchInterface("net.connman.Service"),
+			dbus.WithMatchSender("net.connman"),
+		)
 		return m.conn.Close()
 	}
 	return nil

common/settings/wifi_linux_iwd.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package settings
 
 import (
@@ -178,6 +180,10 @@ func (m *iwdMonitor) Close() error {
 		close(m.signalChan)
 	}
 	if m.conn != nil {
+		m.conn.RemoveMatchSignal(
+			dbus.WithMatchInterface("org.freedesktop.DBus.Properties"),
+			dbus.WithMatchSender("net.connman.iwd"),
+		)
 		return m.conn.Close()
 	}
 	return nil

common/settings/wifi_linux_nm.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package settings
 
 import (
@@ -40,18 +42,19 @@ func (m *networkManagerMonitor) ReadWIFIState() adapter.WIFIState {
 
 	nmObj := m.conn.Object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager")
 
-	var primaryConnectionPath dbus.ObjectPath
+	var activeConnectionPaths []dbus.ObjectPath
-	err := nmObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager", "PrimaryConnection").Store(&primaryConnectionPath)
+	err := nmObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager", "ActiveConnections").Store(&activeConnectionPaths)
-	if err != nil || primaryConnectionPath == "/" {
+	if err != nil || len(activeConnectionPaths) == 0 {
 		return adapter.WIFIState{}
 	}
 
-	connObj := m.conn.Object("org.freedesktop.NetworkManager", primaryConnectionPath)
+	for _, connectionPath := range activeConnectionPaths {
+		connObj := m.conn.Object("org.freedesktop.NetworkManager", connectionPath)
 
 		var devicePaths []dbus.ObjectPath
 		err = connObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Connection.Active", "Devices").Store(&devicePaths)
 		if err != nil || len(devicePaths) == 0 {
-		return adapter.WIFIState{}
+			continue
 		}
 
 		for _, devicePath := range devicePaths {
@@ -93,6 +96,7 @@ func (m *networkManagerMonitor) ReadWIFIState() adapter.WIFIState {
 				BSSID: strings.ToUpper(strings.ReplaceAll(hwAddress, ":", "")),
 			}
 		}
+	}
 
 	return adapter.WIFIState{}
 }
@@ -151,6 +155,10 @@ func (m *networkManagerMonitor) Close() error {
 		close(m.signalChan)
 	}
 	if m.conn != nil {
+		m.conn.RemoveMatchSignal(
+			dbus.WithMatchSender("org.freedesktop.NetworkManager"),
+			dbus.WithMatchInterface("org.freedesktop.DBus.Properties"),
+		)
 		return m.conn.Close()
 	}
 	return nil

common/settings/wifi_linux_wpa.go

@@ -8,15 +8,21 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
+	"sync/atomic"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 )
 
+var wpaSocketCounter atomic.Uint64
+
 type wpaSupplicantMonitor struct {
 	socketPath  string
 	callback    func(adapter.WIFIState)
 	cancel      context.CancelFunc
+	monitorConn *net.UnixConn
+	connMutex   sync.Mutex
 }
 
 func newWpaSupplicantMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
@@ -31,7 +37,8 @@ func newWpaSupplicantMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, err
 				continue
 			}
 			socketPath := filepath.Join(socketDir, entry.Name())
-			localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-%d", os.Getpid()), Net: "unixgram"}
+			id := wpaSocketCounter.Add(1)
+			localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-%d-%d", os.Getpid(), id), Net: "unixgram"}
 			remoteAddr := &net.UnixAddr{Name: socketPath, Net: "unixgram"}
 			conn, err := net.DialUnix("unixgram", localAddr, remoteAddr)
 			if err != nil {
@@ -45,7 +52,8 @@ func newWpaSupplicantMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, err
 }
 
 func (m *wpaSupplicantMonitor) ReadWIFIState() adapter.WIFIState {
-	localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-%d", os.Getpid()), Net: "unixgram"}
+	id := wpaSocketCounter.Add(1)
+	localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-%d-%d", os.Getpid(), id), Net: "unixgram"}
 	remoteAddr := &net.UnixAddr{Name: m.socketPath, Net: "unixgram"}
 	conn, err := net.DialUnix("unixgram", localAddr, remoteAddr)
 	if err != nil {
@@ -85,8 +93,11 @@ func (m *wpaSupplicantMonitor) ReadWIFIState() adapter.WIFIState {
 	}
 }
 
+// sendCommand sends a command to wpa_supplicant and returns the response.
+// Commands are sent without trailing newlines per the wpa_supplicant control
+// interface protocol - the official wpa_ctrl.c sends raw command strings.
 func (m *wpaSupplicantMonitor) sendCommand(conn *net.UnixConn, command string) (string, error) {
-	_, err := conn.Write([]byte(command + "\n"))
+	_, err := conn.Write([]byte(command))
 	if err != nil {
 		return "", err
 	}
@@ -121,6 +132,8 @@ func (m *wpaSupplicantMonitor) Start() error {
 
 func (m *wpaSupplicantMonitor) monitorEvents(ctx context.Context, lastState adapter.WIFIState) {
 	var consecutiveErrors int
+	var debounceTimer *time.Timer
+	var debounceMutex sync.Mutex
 
 	localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-mon-%d", os.Getpid()), Net: "unixgram"}
 	remoteAddr := &net.UnixAddr{Name: m.socketPath, Net: "unixgram"}
@@ -130,7 +143,14 @@ func (m *wpaSupplicantMonitor) monitorEvents(ctx context.Context, lastState adap
 	}
 	defer conn.Close()
 
-	_, err = conn.Write([]byte("ATTACH\n"))
+	m.connMutex.Lock()
+	m.monitorConn = conn
+	m.connMutex.Unlock()
+
+	// ATTACH/DETACH commands use os_strcmp() for exact matching in wpa_supplicant,
+	// so they must be sent without trailing newlines.
+	// See: https://w1.fi/cgit/hostap/tree/wpa_supplicant/ctrl_iface_unix.c
+	_, err = conn.Write([]byte("ATTACH"))
 	if err != nil {
 		return
 	}
@@ -144,6 +164,12 @@ func (m *wpaSupplicantMonitor) monitorEvents(ctx context.Context, lastState adap
 	for {
 		select {
 		case <-ctx.Done():
+			debounceMutex.Lock()
+			if debounceTimer != nil {
+				debounceTimer.Stop()
+			}
+			debounceMutex.Unlock()
+			conn.Write([]byte("DETACH"))
 			return
 		default:
 		}
@@ -151,6 +177,14 @@ func (m *wpaSupplicantMonitor) monitorEvents(ctx context.Context, lastState adap
 		conn.SetReadDeadline(time.Now().Add(30 * time.Second))
 		n, err := conn.Read(buf)
 		if err != nil {
+			if netErr, ok := err.(net.Error); ok && netErr.Timeout() {
+				continue
+			}
+			select {
+			case <-ctx.Done():
+				return
+			default:
+			}
 			consecutiveErrors++
 			if consecutiveErrors > 10 {
 				return
@@ -162,11 +196,18 @@ func (m *wpaSupplicantMonitor) monitorEvents(ctx context.Context, lastState adap
 
 		msg := string(buf[:n])
 		if strings.Contains(msg, "CTRL-EVENT-CONNECTED") || strings.Contains(msg, "CTRL-EVENT-DISCONNECTED") {
+			debounceMutex.Lock()
+			if debounceTimer != nil {
+				debounceTimer.Stop()
+			}
+			debounceTimer = time.AfterFunc(500*time.Millisecond, func() {
 				state := m.ReadWIFIState()
 				if state != lastState {
 					lastState = state
 					m.callback(state)
 				}
+			})
+			debounceMutex.Unlock()
 		}
 	}
 }
@@ -175,5 +216,10 @@ func (m *wpaSupplicantMonitor) Close() error {
 	if m.cancel != nil {
 		m.cancel()
 	}
+	m.connMutex.Lock()
+	if m.monitorConn != nil {
+		m.monitorConn.Close()
+	}
+	m.connMutex.Unlock()
 	return nil
 }

common/settings/wifi_stub.go

@@ -1,4 +1,4 @@
-//go:build !linux
+//go:build !linux && !windows
 
 package settings
 

common/settings/wifi_windows.go

@@ -0,0 +1,144 @@
+//go:build windows
+
+package settings
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"sync"
+	"syscall"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common/winwlanapi"
+
+	"golang.org/x/sys/windows"
+)
+
+type windowsWIFIMonitor struct {
+	handle    windows.Handle
+	callback  func(adapter.WIFIState)
+	cancel    context.CancelFunc
+	lastState adapter.WIFIState
+	mutex     sync.Mutex
+}
+
+func NewWIFIMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
+	handle, err := winwlanapi.OpenHandle()
+	if err != nil {
+		return nil, err
+	}
+
+	interfaces, err := winwlanapi.EnumInterfaces(handle)
+	if err != nil {
+		winwlanapi.CloseHandle(handle)
+		return nil, err
+	}
+	if len(interfaces) == 0 {
+		winwlanapi.CloseHandle(handle)
+		return nil, fmt.Errorf("no wireless interfaces found")
+	}
+
+	return &windowsWIFIMonitor{
+		handle:   handle,
+		callback: callback,
+	}, nil
+}
+
+func (m *windowsWIFIMonitor) ReadWIFIState() adapter.WIFIState {
+	interfaces, err := winwlanapi.EnumInterfaces(m.handle)
+	if err != nil || len(interfaces) == 0 {
+		return adapter.WIFIState{}
+	}
+
+	for _, iface := range interfaces {
+		if iface.InterfaceState != winwlanapi.InterfaceStateConnected {
+			continue
+		}
+
+		guid := iface.InterfaceGUID
+		attrs, err := winwlanapi.QueryCurrentConnection(m.handle, &guid)
+		if err != nil {
+			continue
+		}
+
+		ssidLength := attrs.AssociationAttributes.SSID.Length
+		if ssidLength == 0 || ssidLength > winwlanapi.Dot11SSIDMaxLength {
+			continue
+		}
+
+		ssid := string(attrs.AssociationAttributes.SSID.SSID[:ssidLength])
+		bssid := formatBSSID(attrs.AssociationAttributes.BSSID)
+
+		return adapter.WIFIState{
+			SSID:  strings.TrimSpace(ssid),
+			BSSID: bssid,
+		}
+	}
+
+	return adapter.WIFIState{}
+}
+
+func formatBSSID(mac winwlanapi.Dot11MacAddress) string {
+	return fmt.Sprintf("%02X%02X%02X%02X%02X%02X",
+		mac[0], mac[1], mac[2], mac[3], mac[4], mac[5])
+}
+
+func (m *windowsWIFIMonitor) Start() error {
+	if m.callback == nil {
+		return nil
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	m.cancel = cancel
+
+	m.lastState = m.ReadWIFIState()
+
+	callbackFunc := func(data *winwlanapi.NotificationData, callbackContext uintptr) uintptr {
+		if data.NotificationSource != winwlanapi.NotificationSourceACM {
+			return 0
+		}
+		switch data.NotificationCode {
+		case winwlanapi.NotificationACMConnectionComplete,
+			winwlanapi.NotificationACMDisconnected:
+			m.checkAndNotify()
+		}
+		return 0
+	}
+
+	callbackPointer := syscall.NewCallback(callbackFunc)
+
+	err := winwlanapi.RegisterNotification(m.handle, winwlanapi.NotificationSourceACM, callbackPointer, 0)
+	if err != nil {
+		cancel()
+		return err
+	}
+
+	go func() {
+		<-ctx.Done()
+	}()
+
+	m.callback(m.lastState)
+	return nil
+}
+
+func (m *windowsWIFIMonitor) checkAndNotify() {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	state := m.ReadWIFIState()
+	if state != m.lastState {
+		m.lastState = state
+		if m.callback != nil {
+			m.callback(state)
+		}
+	}
+}
+
+func (m *windowsWIFIMonitor) Close() error {
+	if m.cancel != nil {
+		m.cancel()
+	}
+	winwlanapi.UnregisterNotification(m.handle)
+	return winwlanapi.CloseHandle(m.handle)
+}

common/sniff/quic.go

@@ -303,8 +303,6 @@ find:
 	metadata.Protocol = C.ProtocolQUIC
 	fingerprint, err := ja3.Compute(buffer.Bytes())
 	if err != nil {
-		metadata.Protocol = C.ProtocolQUIC
-		metadata.Client = C.ClientChromium
 		metadata.SniffContext = fragments
 		return E.Cause1(ErrNeedMoreData, err)
 	}
@@ -334,7 +332,7 @@ find:
 		}
 
 		if count(frameTypeList, frameTypeCrypto) > 1 || count(frameTypeList, frameTypePing) > 0 {
-			if maybeUQUIC(fingerprint) {
+			if isQUICGo(fingerprint) {
 				metadata.Client = C.ClientQUICGo
 			} else {
 				metadata.Client = C.ClientChromium

common/sniff/quic_blacklist.go

@@ -1,21 +1,29 @@
 package sniff
 
 import (
-	"crypto/tls"
-
 	"github.com/sagernet/sing-box/common/ja3"
 )
 
-// Chromium sends separate client hello packets, but UQUIC has not yet implemented this behavior
+const (
-// The cronet without this behavior does not have version 115
+	// X25519Kyber768Draft00 - post-quantum curve used by Go crypto/tls
-var uQUICChrome115 = &ja3.ClientHello{
+	x25519Kyber768Draft00 uint16 = 0x11EC // 4588
-	Version:             tls.VersionTLS12,
+	// renegotiation_info extension used by Go crypto/tls
-	CipherSuites:        []uint16{4865, 4866, 4867},
+	extensionRenegotiationInfo uint16 = 0xFF01 // 65281
-	Extensions:          []uint16{0, 10, 13, 16, 27, 43, 45, 51, 57, 17513},
+)
-	EllipticCurves:      []uint16{29, 23, 24},
-	SignatureAlgorithms: []uint16{1027, 2052, 1025, 1283, 2053, 1281, 2054, 1537, 513},
-}
 
-func maybeUQUIC(fingerprint *ja3.ClientHello) bool {
+// isQUICGo detects native quic-go by checking for Go crypto/tls specific features.
-	return !uQUICChrome115.Equals(fingerprint, true)
+// Note: uQUIC with Chromium mimicry cannot be reliably distinguished from real Chromium
+// since it uses the same TLS fingerprint, so it will be identified as Chromium.
+func isQUICGo(fingerprint *ja3.ClientHello) bool {
+	for _, curve := range fingerprint.EllipticCurves {
+		if curve == x25519Kyber768Draft00 {
+			return true
+		}
+	}
+	for _, ext := range fingerprint.Extensions {
+		if ext == extensionRenegotiationInfo {
+			return true
+		}
+	}
+	return false
 }

common/sniff/quic_capture_test.go

@@ -0,0 +1,188 @@
+package sniff_test
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/hex"
+	"errors"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/sniff"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSniffQUICQuicGoFingerprint(t *testing.T) {
+	t.Parallel()
+	const testSNI = "test.example.com"
+
+	udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer udpConn.Close()
+
+	serverAddr := udpConn.LocalAddr().(*net.UDPAddr)
+	packetsChan := make(chan [][]byte, 1)
+
+	go func() {
+		var packets [][]byte
+		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
+		for i := 0; i < 10; i++ {
+			buf := make([]byte, 2048)
+			n, _, err := udpConn.ReadFromUDP(buf)
+			if err != nil {
+				break
+			}
+			packets = append(packets, buf[:n])
+		}
+		packetsChan <- packets
+	}()
+
+	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer clientConn.Close()
+
+	tlsConfig := &tls.Config{
+		ServerName:         testSNI,
+		InsecureSkipVerify: true,
+		NextProtos:         []string{"h3"},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	_, _ = quic.Dial(ctx, clientConn, serverAddr, tlsConfig, &quic.Config{})
+
+	select {
+	case packets := <-packetsChan:
+		t.Logf("Captured %d packets", len(packets))
+
+		var metadata adapter.InboundContext
+		for i, pkt := range packets {
+			err := sniff.QUICClientHello(context.Background(), &metadata, pkt)
+			t.Logf("Packet %d: err=%v, domain=%s, client=%s", i, err, metadata.Domain, metadata.Client)
+			if metadata.Domain != "" {
+				break
+			}
+		}
+
+		t.Logf("\n=== quic-go TLS Fingerprint Analysis ===")
+		t.Logf("Domain: %s", metadata.Domain)
+		t.Logf("Client: %s", metadata.Client)
+		t.Logf("Protocol: %s", metadata.Protocol)
+
+		// The client should be identified as quic-go, not chromium
+		// Current issue: it's being identified as chromium
+		if metadata.Client == "chromium" {
+			t.Log("WARNING: quic-go is being misidentified as chromium!")
+		}
+
+	case <-time.After(5 * time.Second):
+		t.Fatal("Timeout")
+	}
+}
+
+func TestSniffQUICInitialFromQuicGo(t *testing.T) {
+	t.Parallel()
+
+	const testSNI = "test.example.com"
+
+	// Create UDP listener to capture ALL initial packets
+	udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer udpConn.Close()
+
+	serverAddr := udpConn.LocalAddr().(*net.UDPAddr)
+
+	// Channel to receive captured packets
+	packetsChan := make(chan [][]byte, 1)
+
+	// Start goroutine to capture packets
+	go func() {
+		var packets [][]byte
+		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
+		for i := 0; i < 5; i++ { // Capture up to 5 packets
+			buf := make([]byte, 2048)
+			n, _, err := udpConn.ReadFromUDP(buf)
+			if err != nil {
+				break
+			}
+			packets = append(packets, buf[:n])
+		}
+		packetsChan <- packets
+	}()
+
+	// Create QUIC client connection (will fail but we capture the initial packet)
+	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer clientConn.Close()
+
+	tlsConfig := &tls.Config{
+		ServerName:         testSNI,
+		InsecureSkipVerify: true,
+		NextProtos:         []string{"h3"},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	// This will fail (no server) but sends initial packet
+	_, _ = quic.Dial(ctx, clientConn, serverAddr, tlsConfig, &quic.Config{})
+
+	// Wait for captured packets
+	select {
+	case packets := <-packetsChan:
+		t.Logf("Captured %d QUIC packets", len(packets))
+
+		for i, packet := range packets {
+			t.Logf("Packet %d: length=%d, first 30 bytes: %x", i, len(packet), packet[:min(30, len(packet))])
+		}
+
+		// Test sniffer with first packet
+		if len(packets) > 0 {
+			var metadata adapter.InboundContext
+			err := sniff.QUICClientHello(context.Background(), &metadata, packets[0])
+
+			t.Logf("First packet sniff error: %v", err)
+			t.Logf("Protocol: %s", metadata.Protocol)
+			t.Logf("Domain: %s", metadata.Domain)
+			t.Logf("Client: %s", metadata.Client)
+
+			// If first packet needs more data, try with subsequent packets
+			// IMPORTANT: reuse metadata to accumulate CRYPTO fragments via SniffContext
+			if errors.Is(err, sniff.ErrNeedMoreData) && len(packets) > 1 {
+				t.Log("First packet needs more data, trying subsequent packets with shared context...")
+				for i := 1; i < len(packets); i++ {
+					// Reuse same metadata to accumulate fragments
+					err = sniff.QUICClientHello(context.Background(), &metadata, packets[i])
+					t.Logf("Packet %d sniff result: err=%v, domain=%s, sniffCtx=%v", i, err, metadata.Domain, metadata.SniffContext != nil)
+					if metadata.Domain != "" || (err != nil && !errors.Is(err, sniff.ErrNeedMoreData)) {
+						break
+					}
+				}
+			}
+
+			// Print hex dump for debugging
+			t.Logf("First packet hex:\n%s", hex.Dump(packets[0][:min(256, len(packets[0]))]))
+
+			// Log final results
+			t.Logf("Final: Protocol=%s, Domain=%s, Client=%s", metadata.Protocol, metadata.Domain, metadata.Client)
+
+			// Verify SNI extraction
+			if metadata.Domain == "" {
+				t.Errorf("Failed to extract SNI, expected: %s", testSNI)
+			} else {
+				require.Equal(t, testSNI, metadata.Domain, "SNI should match")
+			}
+
+			// Check client identification - quic-go should be identified as quic-go, not chromium
+			t.Logf("Client identified as: %s (expected: quic-go)", metadata.Client)
+		}
+
+	case <-time.After(5 * time.Second):
+		t.Fatal("Timeout waiting for QUIC packets")
+	}
+}

common/sniff/quic_test.go

@@ -19,7 +19,7 @@ func TestSniffQUICChromeNew(t *testing.T) {
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientChromium)
+	require.Empty(t, metadata.Client)
 	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
 	pkt, err = hex.DecodeString("cc0000000108e241a0c601413b4f004046006d8f15dae9999edf39d58df6762822b9a2ab996d7f6a10044338af3b51b1814bc4ac0fa5a87c34c6ae604af8cabc5957c5240174deefc8e378719ffdab2ae4e15bf4514bea44894b626c685cd5d5c965f7e97b3a1bdc520b75813e747f37a3ae83ad38b9ca2acb0de4fc9424839a50c8fb815a62b498609fbbc59145698860e0509cc08a04d1b119daef844ba2f09c16e2665e5cc0b47624b71f7b950c54fd56b4a1fbb826cba44eeeee3949ced8f5de60d4c81b19ee59f75aa1abb33f22c6b13c27095eb1e99cff01fdc93e6e88da2622ee18c08a79f508befd7e33e99bca60e64bef9a47b764384bd93823daeeb6fcb4d7cfbc4ab53eff59b3636f6dcaaf229b5a94941b5712807166b9bd5e82cb4a9708a71451c4cd6f6e33fb2fe40c8c70dd51a30b37ff9c5e35783debde0093fde19ce074b4887b3c90980b107b9c0f32cf61a66f37c251b789abc4d27fc421207966846c8cc7faa42d9af6ad355a6bc94cb78223b612be8b3e2a4df61fee83a674a0ceb8b7c3a29b97102cda22fecdf6a4628e5b612bc17eab64d6f75feedd0b106c0419e484e66725759964cb5935ac5125e5ae920cd280bd40df57c1d7ae1845700bd4eb7b7ab12bc0850950bfe6e69edd6ac1daa5db2c2b07484327196e561c513462d72872dc6771c39f6b60d46a1f2c92343b7338450a0ef8e39f97fa70652b3a12cd04043698951627aaaa82cc95e76df92021d30e8014c984f12eea0143de8b17e5e4a36ec07bf4814251b391f168a59ef75afcd2319249aaba930f06bb7a11b9491e6f71b3d5774a6503a965e94edd0a67737282fc9cb0271779ff14151b7aa9267bb8f7d643185512515aeea513c0c98bfae782381a3317064195d8825cf8b25c17cdab5fced02612a3f2870e40df57e6ca3f08228a2b04e8de1425eb4b970118f9bbdc212223ff86a5d6b648cdf2366722f21de4b14a1014879eadb69215cdb1aa2a9f4f310ecfe3116214fe3ab0a23f4775a0a54b48d7dfd8f7283ed687b3ac7e1a7e42a0bdc3478aba8651c03e1e9cc9df17d106b8130afe854269b0103b7a696f452721887b19d8181830073c9f10684c65f96d3a6c6efbae044eec03d6399e001fa44d54635dc72f9b8ea6b87d0f452cad1e1e32273e2b47c40f2730235adcae8523b8282f86b8cf1ab63ae54aaa06130df3bbf6ecac7d7d1d43d2a87aea837267ff8ccfaa4b7e47b7ded909e6603d0b928a304f8915c839153598adc4178eb48bc0e98ad7793d7980275e1e491ba4847a4a04ae30fe7f5cc7d4b6f4f63a525e9964d72245860ca76a668a4654adb6619f16e9db79131e5675b93cafb96c92f1da8464d4fef2a22e7f9db695965fe2cc27ea30974629c8fe17cfa2f860179e1eb9faaa88a91ec9ce6da28c1a2894c3b932b5e1c807146718cc77ca13c61eaae00c7c99e019f599772064b198c5c2c5e863336367673630b417ac845ddb7c93b0856317e5d64bab208c5730abc2c63536784fbeaaec139dffc917e775715f1e42164ddef5138d4d163609ab3fbdcab968f8738385c0e7e34ff3cf7771a1dc5ba25a8850fdf96dabafa21f9065f307457ce9af4b7a73450c9d20a3b46fa8d3a1163d22bd01a7d17f0ec274181bf9640fa941427694bfeb1346089f7a851efe0fbb7a2041fa6bb6541ccbad77dd3e1a97999fc05f1fef070e7b5c4b385b8b2a8cc32483fdeba6a373970de2fa4139ba18e5916f949aab0aab2894")
 	require.NoError(t, err)
@@ -39,7 +39,7 @@ func TestSniffQUICChromium(t *testing.T) {
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientChromium)
+	require.Empty(t, metadata.Client)
 	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
 	pkt, err = hex.DecodeString("c90000000108f40d654cc09b27f5000044d073eb38807026d4088455e650e7ccf750d01a72f15f9bfc8ff40d223499db1a485cff14dbd45b9be118172834dc35dca3cf62f61a1266f40b92faf3d28d67a466cfdca678ddced15cd606d31959cf441828467857b226d1a241847c82c57312cefe68ba5042d929919bcd4403b39e5699fe87dda05df1b3801e048edee792458e9b1a9b1d4039df05847bcee3be567494b5876e3bd4c3220fe9dfdb2c07d77410f907f744251ef15536cc03b267d3668d5b75bc1ad2fe735cd3bb73519dd9f1625a49e17ad27bdeccf706c83b5ea339a0a05dd0072f4a8f162bd29926b4997f05613c6e4b0270b0c02805ca0543f27c1ff8505a5750bdd33529ee73c491050a10c6903f53c1121dbe0380e84c007c8df74a1b02443ed80ba7766aef5549e618d4fd249844ee28565142005369869299e8c3035ecef3d799f6cada8549e75b4ce4cbf4c85ef071fd7ff067b1ca9b5968dc41d13d011f6d7843823bac97acb1eb8ee45883f0f254b5f9bd4c763b67e2d8c70a7618a0ef0de304cf597a485126e09f8b2fd795b394c0b4bc4cd2634c2057970da2c798c5e8af7aed4f76f5e25d04e3f8c9c5a5b150d17e0d4c74229898c69b8dc7b8bcc9d359eb441de75c68fbdebec62fb669dcccfb1aad03e3fa073adb2ccf7bb14cbaf99e307d2c903ee71a8f028102eb510caee7e7397512086a78d1f95635c7d06845b5a708652dc4e5cd61245aae5b3c05b84815d84d367bce9b9e3f6d6b90701ac3679233c14d5ce2a1eff26469c966266dc6284bdb95c9c6158934c413a872ce22101e4163e3293d236b301592ca4ccacc1fd4c37066e79c2d9857c8a2560dcf0b33b19163c4240c471b19907476e7e25c65f7eb37276594a0f6b4c33c340cc3284178f17ac5e34dbe7509db890e4ddfd0540fbf9deb32a0101d24fe58b26c5f81c627db9d6ae59d7a111a3d5d1f6109f4eec0d0234e6d73c73a44f50999462724b51ce0fd8283535d70d9e83872c79c59897407a0736741011ae5c64862eb0712f9e7b07aa1d5418ca3fde8626257c6fe418f3c5479055bb2b0ab4c25f649923fc2a41c79aaa7d0f3af6d8b8cf06f61f0230d09bbb60bb49b9e49cc5973748a6cf7ffdee7804d424f9423c63e7ff22f4bd24e4867636ef9fe8dd37f59941a8a47c27765caa8e875a30b62834f17c569227e5e6ed15d58e05d36e76332befad065a2cd4079e66d5af189b0337624c89b1560c3b1b0befd5c1f20e6de8e3d664b3ac06b3d154b488983e14aa93266f5f8b621d2a9bb7ccce509eb26e025c9c45f7cccc09ce85b3103af0c93ce9822f82ecb168ca3177829afb2ea0da2c380e7b1728add55a5d42632e2290363d4cbe432b67e13691648e1acfab22cf0d551eee857709b428bb78e27a45aff6eca301c02e4d13cf36cc2494fdd1aef8dede6e18febd79dca4c6964d09b91c25a08f0947c76ab5104de9404459c2edf5f4adb9dfd771be83656f77fbbafb1ad3281717066010be8778952495383c9f2cf0a38527228c662a35171c5981731f1af09bab842fe6c3162ad4152a4221f560eb6f9bea66b294ffbd3643da2fe34096da13c246505452540177a2a0a1a69106e5cfc279a4890fc3be2952f26be245f930e6c2d9e7e26ee960481e72b99594a1185b46b94b6436d00ba6c70ffe135d43907c92c6f1c09fb9453f103730714f5700fa4347f9715c774cb04a7218dacc66d9c2fade18b14e684aa7fc9ebda0a28")
 	require.NoError(t, err)

common/srs/binary.go

@@ -6,6 +6,7 @@ import (
 	"encoding/binary"
 	"io"
 	"net/netip"
+	"unsafe"
 
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -505,7 +506,24 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 }
 
 func readRuleItemString(reader varbin.Reader) ([]string, error) {
-	return varbin.ReadValue[[]string](reader, binary.BigEndian)
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return nil, err
+	}
+	result := make([]string, length)
+	for i := range result {
+		strLen, err := binary.ReadUvarint(reader)
+		if err != nil {
+			return nil, err
+		}
+		buf := make([]byte, strLen)
+		_, err = io.ReadFull(reader, buf)
+		if err != nil {
+			return nil, err
+		}
+		result[i] = string(buf)
+	}
+	return result, nil
 }
 
 func writeRuleItemString(writer varbin.Writer, itemType uint8, value []string) error {
@@ -513,11 +531,34 @@ func writeRuleItemString(writer varbin.Writer, itemType uint8, value []string) e
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
+	_, err = varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	for _, s := range value {
+		_, err = varbin.WriteUvarint(writer, uint64(len(s)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write([]byte(s))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 func readRuleItemUint8[E ~uint8](reader varbin.Reader) ([]E, error) {
-	return varbin.ReadValue[[]E](reader, binary.BigEndian)
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return nil, err
+	}
+	result := make([]E, length)
+	_, err = io.ReadFull(reader, *(*[]byte)(unsafe.Pointer(&result)))
+	if err != nil {
+		return nil, err
+	}
+	return result, nil
 }
 
 func writeRuleItemUint8[E ~uint8](writer varbin.Writer, itemType uint8, value []E) error {
@@ -525,11 +566,25 @@ func writeRuleItemUint8[E ~uint8](writer varbin.Writer, itemType uint8, value []
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
+	_, err = varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write(*(*[]byte)(unsafe.Pointer(&value)))
+	return err
 }
 
 func readRuleItemUint16(reader varbin.Reader) ([]uint16, error) {
-	return varbin.ReadValue[[]uint16](reader, binary.BigEndian)
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return nil, err
+	}
+	result := make([]uint16, length)
+	err = binary.Read(reader, binary.BigEndian, result)
+	if err != nil {
+		return nil, err
+	}
+	return result, nil
 }
 
 func writeRuleItemUint16(writer varbin.Writer, itemType uint8, value []uint16) error {
@@ -537,7 +592,11 @@ func writeRuleItemUint16(writer varbin.Writer, itemType uint8, value []uint16) e
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
+	_, err = varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	return binary.Write(writer, binary.BigEndian, value)
 }
 
 func writeRuleItemCIDR(writer varbin.Writer, itemType uint8, value []string) error {

common/srs/compat_test.go

@@ -0,0 +1,494 @@
+package srs
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/binary"
+	"net/netip"
+	"strings"
+	"testing"
+	"unsafe"
+
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/varbin"
+
+	"github.com/stretchr/testify/require"
+	"go4.org/netipx"
+)
+
+// Old implementations using varbin reflection-based serialization
+
+func oldWriteStringSlice(writer varbin.Writer, value []string) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, value)
+}
+
+func oldReadStringSlice(reader varbin.Reader) ([]string, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[[]string](reader, binary.BigEndian)
+}
+
+func oldWriteUint8Slice[E ~uint8](writer varbin.Writer, value []E) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, value)
+}
+
+func oldReadUint8Slice[E ~uint8](reader varbin.Reader) ([]E, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[[]E](reader, binary.BigEndian)
+}
+
+func oldWriteUint16Slice(writer varbin.Writer, value []uint16) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, value)
+}
+
+func oldReadUint16Slice(reader varbin.Reader) ([]uint16, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[[]uint16](reader, binary.BigEndian)
+}
+
+func oldWritePrefix(writer varbin.Writer, prefix netip.Prefix) error {
+	//nolint:staticcheck
+	err := varbin.Write(writer, binary.BigEndian, prefix.Addr().AsSlice())
+	if err != nil {
+		return err
+	}
+	return binary.Write(writer, binary.BigEndian, uint8(prefix.Bits()))
+}
+
+type oldIPRangeData struct {
+	From []byte
+	To   []byte
+}
+
+// Note: The old writeIPSet had a bug where varbin.Write(writer, binary.BigEndian, data)
+// with a struct VALUE (not pointer) silently wrote nothing because field.CanSet() returned false.
+// This caused IP range data to be missing from the output.
+// The new implementation correctly writes all range data.
+//
+// The old readIPSet used varbin.Read with a pre-allocated slice, which worked because
+// slice elements are addressable and CanSet() returns true for them.
+//
+// For compatibility testing, we verify:
+// 1. New write produces correct output with range data
+// 2. New read can parse the new format correctly
+// 3. Round-trip works correctly
+
+func oldReadIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
+	version, err := reader.ReadByte()
+	if err != nil {
+		return nil, err
+	}
+	if version != 1 {
+		return nil, err
+	}
+	var length uint64
+	err = binary.Read(reader, binary.BigEndian, &length)
+	if err != nil {
+		return nil, err
+	}
+	ranges := make([]oldIPRangeData, length)
+	//nolint:staticcheck
+	err = varbin.Read(reader, binary.BigEndian, &ranges)
+	if err != nil {
+		return nil, err
+	}
+	mySet := &myIPSet{
+		rr: make([]myIPRange, len(ranges)),
+	}
+	for i, rangeData := range ranges {
+		mySet.rr[i].from = M.AddrFromIP(rangeData.From)
+		mySet.rr[i].to = M.AddrFromIP(rangeData.To)
+	}
+	return (*netipx.IPSet)(unsafe.Pointer(mySet)), nil
+}
+
+// New write functions (without itemType prefix for testing)
+
+func newWriteStringSlice(writer varbin.Writer, value []string) error {
+	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	for _, s := range value {
+		_, err = varbin.WriteUvarint(writer, uint64(len(s)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write([]byte(s))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func newWriteUint8Slice[E ~uint8](writer varbin.Writer, value []E) error {
+	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write(*(*[]byte)(unsafe.Pointer(&value)))
+	return err
+}
+
+func newWriteUint16Slice(writer varbin.Writer, value []uint16) error {
+	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	return binary.Write(writer, binary.BigEndian, value)
+}
+
+func newWritePrefix(writer varbin.Writer, prefix netip.Prefix) error {
+	addrSlice := prefix.Addr().AsSlice()
+	_, err := varbin.WriteUvarint(writer, uint64(len(addrSlice)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write(addrSlice)
+	if err != nil {
+		return err
+	}
+	return writer.WriteByte(uint8(prefix.Bits()))
+}
+
+// Tests
+
+func TestStringSliceCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input []string
+	}{
+		{"nil", nil},
+		{"empty", []string{}},
+		{"single_empty", []string{""}},
+		{"single", []string{"test"}},
+		{"multi", []string{"a", "b", "c"}},
+		{"with_empty", []string{"a", "", "c"}},
+		{"utf8", []string{"测试", "テスト", "тест"}},
+		{"long_string", []string{strings.Repeat("x", 128)}},
+		{"many_elements", generateStrings(128)},
+		{"many_elements_256", generateStrings(256)},
+		{"127_byte_string", []string{strings.Repeat("x", 127)}},
+		{"128_byte_string", []string{strings.Repeat("x", 128)}},
+		{"mixed_lengths", []string{"a", strings.Repeat("b", 100), "", strings.Repeat("c", 200)}},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWriteStringSlice(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = newWriteStringSlice(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> old read
+			readBack, err := oldReadStringSlice(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireStringSliceEqual(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readRuleItemString(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			requireStringSliceEqual(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestUint8SliceCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input []uint8
+	}{
+		{"nil", nil},
+		{"empty", []uint8{}},
+		{"single_zero", []uint8{0}},
+		{"single_max", []uint8{255}},
+		{"multi", []uint8{0, 1, 127, 128, 255}},
+		{"boundary", []uint8{0x00, 0x7f, 0x80, 0xff}},
+		{"sequential", generateUint8Slice(256)},
+		{"127_elements", generateUint8Slice(127)},
+		{"128_elements", generateUint8Slice(128)},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWriteUint8Slice(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = newWriteUint8Slice(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> old read
+			readBack, err := oldReadUint8Slice[uint8](bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireUint8SliceEqual(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readRuleItemUint8[uint8](bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			requireUint8SliceEqual(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestUint16SliceCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input []uint16
+	}{
+		{"nil", nil},
+		{"empty", []uint16{}},
+		{"single_zero", []uint16{0}},
+		{"single_max", []uint16{65535}},
+		{"multi", []uint16{0, 255, 256, 32767, 32768, 65535}},
+		{"ports", []uint16{80, 443, 8080, 8443}},
+		{"127_elements", generateUint16Slice(127)},
+		{"128_elements", generateUint16Slice(128)},
+		{"256_elements", generateUint16Slice(256)},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWriteUint16Slice(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = newWriteUint16Slice(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> old read
+			readBack, err := oldReadUint16Slice(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireUint16SliceEqual(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readRuleItemUint16(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			requireUint16SliceEqual(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestPrefixCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input netip.Prefix
+	}{
+		{"ipv4_0", netip.MustParsePrefix("0.0.0.0/0")},
+		{"ipv4_8", netip.MustParsePrefix("10.0.0.0/8")},
+		{"ipv4_16", netip.MustParsePrefix("192.168.0.0/16")},
+		{"ipv4_24", netip.MustParsePrefix("192.168.1.0/24")},
+		{"ipv4_32", netip.MustParsePrefix("1.2.3.4/32")},
+		{"ipv6_0", netip.MustParsePrefix("::/0")},
+		{"ipv6_64", netip.MustParsePrefix("2001:db8::/64")},
+		{"ipv6_128", netip.MustParsePrefix("::1/128")},
+		{"ipv6_full", netip.MustParsePrefix("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")},
+		{"ipv4_private", netip.MustParsePrefix("172.16.0.0/12")},
+		{"ipv6_link_local", netip.MustParsePrefix("fe80::/10")},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWritePrefix(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = newWritePrefix(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> new read (no old read for prefix)
+			readBack, err := readPrefix(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readPrefix(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestIPSetCompat(t *testing.T) {
+	t.Parallel()
+
+	// Note: The old writeIPSet was buggy (varbin.Write with struct values wrote nothing).
+	// This test verifies the new implementation writes correct data and round-trips correctly.
+
+	cases := []struct {
+		name  string
+		input *netipx.IPSet
+	}{
+		{"single_ipv4", buildIPSet("1.2.3.4")},
+		{"ipv4_range", buildIPSet("192.168.0.0/16")},
+		{"multi_ipv4", buildIPSet("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")},
+		{"single_ipv6", buildIPSet("::1")},
+		{"ipv6_range", buildIPSet("2001:db8::/32")},
+		{"mixed", buildIPSet("10.0.0.0/8", "::1", "2001:db8::/32")},
+		{"large", buildLargeIPSet(100)},
+		{"adjacent_ranges", buildIPSet("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// New write
+			var newBuf bytes.Buffer
+			err := writeIPSet(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Verify format starts with version byte (1) + uint64 count
+			require.True(t, len(newBuf.Bytes()) >= 9, "output too short")
+			require.Equal(t, byte(1), newBuf.Bytes()[0], "version byte mismatch")
+
+			// New write -> old read (varbin.Read with pre-allocated slice works correctly)
+			readBack, err := oldReadIPSet(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireIPSetEqual(t, tc.input, readBack)
+
+			// New write -> new read
+			readBack2, err := readIPSet(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireIPSetEqual(t, tc.input, readBack2)
+		})
+	}
+}
+
+// Helper functions
+
+func generateStrings(count int) []string {
+	result := make([]string, count)
+	for i := range result {
+		result[i] = strings.Repeat("x", i%50)
+	}
+	return result
+}
+
+func generateUint8Slice(count int) []uint8 {
+	result := make([]uint8, count)
+	for i := range result {
+		result[i] = uint8(i % 256)
+	}
+	return result
+}
+
+func generateUint16Slice(count int) []uint16 {
+	result := make([]uint16, count)
+	for i := range result {
+		result[i] = uint16(i * 257)
+	}
+	return result
+}
+
+func buildIPSet(cidrs ...string) *netipx.IPSet {
+	var builder netipx.IPSetBuilder
+	for _, cidr := range cidrs {
+		prefix, err := netip.ParsePrefix(cidr)
+		if err != nil {
+			addr, err := netip.ParseAddr(cidr)
+			if err != nil {
+				panic(err)
+			}
+			builder.Add(addr)
+		} else {
+			builder.AddPrefix(prefix)
+		}
+	}
+	set, _ := builder.IPSet()
+	return set
+}
+
+func buildLargeIPSet(count int) *netipx.IPSet {
+	var builder netipx.IPSetBuilder
+	for i := 0; i < count; i++ {
+		prefix := netip.PrefixFrom(netip.AddrFrom4([4]byte{10, byte(i / 256), byte(i % 256), 0}), 24)
+		builder.AddPrefix(prefix)
+	}
+	set, _ := builder.IPSet()
+	return set
+}
+
+func requireStringSliceEqual(t *testing.T, expected, actual []string) {
+	t.Helper()
+	if len(expected) == 0 && len(actual) == 0 {
+		return
+	}
+	require.Equal(t, expected, actual)
+}
+
+func requireUint8SliceEqual(t *testing.T, expected, actual []uint8) {
+	t.Helper()
+	if len(expected) == 0 && len(actual) == 0 {
+		return
+	}
+	require.Equal(t, expected, actual)
+}
+
+func requireUint16SliceEqual(t *testing.T, expected, actual []uint16) {
+	t.Helper()
+	if len(expected) == 0 && len(actual) == 0 {
+		return
+	}
+	require.Equal(t, expected, actual)
+}
+
+func requireIPSetEqual(t *testing.T, expected, actual *netipx.IPSet) {
+	t.Helper()
+	expectedRanges := expected.Ranges()
+	actualRanges := actual.Ranges()
+	require.Equal(t, len(expectedRanges), len(actualRanges), "range count mismatch")
+	for i := range expectedRanges {
+		require.Equal(t, expectedRanges[i].From(), actualRanges[i].From(), "range[%d].from mismatch", i)
+		require.Equal(t, expectedRanges[i].To(), actualRanges[i].To(), "range[%d].to mismatch", i)
+	}
+}

common/srs/ip_cidr.go

@@ -2,6 +2,7 @@ package srs
 
 import (
 	"encoding/binary"
+	"io"
 	"net/netip"
 
 	M "github.com/sagernet/sing/common/metadata"
@@ -9,11 +10,16 @@ import (
 )
 
 func readPrefix(reader varbin.Reader) (netip.Prefix, error) {
-	addrSlice, err := varbin.ReadValue[[]byte](reader, binary.BigEndian)
+	addrLen, err := binary.ReadUvarint(reader)
 	if err != nil {
 		return netip.Prefix{}, err
 	}
-	prefixBits, err := varbin.ReadValue[uint8](reader, binary.BigEndian)
+	addrSlice := make([]byte, addrLen)
+	_, err = io.ReadFull(reader, addrSlice)
+	if err != nil {
+		return netip.Prefix{}, err
+	}
+	prefixBits, err := reader.ReadByte()
 	if err != nil {
 		return netip.Prefix{}, err
 	}
@@ -21,11 +27,16 @@ func readPrefix(reader varbin.Reader) (netip.Prefix, error) {
 }
 
 func writePrefix(writer varbin.Writer, prefix netip.Prefix) error {
-	err := varbin.Write(writer, binary.BigEndian, prefix.Addr().AsSlice())
+	addrSlice := prefix.Addr().AsSlice()
+	_, err := varbin.WriteUvarint(writer, uint64(len(addrSlice)))
 	if err != nil {
 		return err
 	}
-	err = binary.Write(writer, binary.BigEndian, uint8(prefix.Bits()))
+	_, err = writer.Write(addrSlice)
+	if err != nil {
+		return err
+	}
+	err = writer.WriteByte(uint8(prefix.Bits()))
 	if err != nil {
 		return err
 	}

common/srs/ip_set.go

@@ -2,11 +2,11 @@ package srs
 
 import (
 	"encoding/binary"
+	"io"
 	"net/netip"
 	"os"
 	"unsafe"
 
-	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/varbin"
 
@@ -22,11 +22,6 @@ type myIPRange struct {
 	to   netip.Addr
 }
 
-type myIPRangeData struct {
-	From []byte
-	To   []byte
-}
-
 func readIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
 	version, err := reader.ReadByte()
 	if err != nil {
@@ -41,17 +36,30 @@ func readIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
 	if err != nil {
 		return nil, err
 	}
-	ranges := make([]myIPRangeData, length)
+	mySet := &myIPSet{
-	err = varbin.Read(reader, binary.BigEndian, &ranges)
+		rr: make([]myIPRange, length),
+	}
+	for i := range mySet.rr {
+		fromLen, err := binary.ReadUvarint(reader)
 		if err != nil {
 			return nil, err
 		}
-	mySet := &myIPSet{
+		fromBytes := make([]byte, fromLen)
-		rr: make([]myIPRange, len(ranges)),
+		_, err = io.ReadFull(reader, fromBytes)
+		if err != nil {
+			return nil, err
 		}
-	for i, rangeData := range ranges {
+		toLen, err := binary.ReadUvarint(reader)
-		mySet.rr[i].from = M.AddrFromIP(rangeData.From)
+		if err != nil {
-		mySet.rr[i].to = M.AddrFromIP(rangeData.To)
+			return nil, err
+		}
+		toBytes := make([]byte, toLen)
+		_, err = io.ReadFull(reader, toBytes)
+		if err != nil {
+			return nil, err
+		}
+		mySet.rr[i].from = M.AddrFromIP(fromBytes)
+		mySet.rr[i].to = M.AddrFromIP(toBytes)
 	}
 	return (*netipx.IPSet)(unsafe.Pointer(mySet)), nil
 }
@@ -61,18 +69,27 @@ func writeIPSet(writer varbin.Writer, set *netipx.IPSet) error {
 	if err != nil {
 		return err
 	}
-	dataList := common.Map((*myIPSet)(unsafe.Pointer(set)).rr, func(rr myIPRange) myIPRangeData {
+	mySet := (*myIPSet)(unsafe.Pointer(set))
-		return myIPRangeData{
+	err = binary.Write(writer, binary.BigEndian, uint64(len(mySet.rr)))
-			From: rr.from.AsSlice(),
-			To:   rr.to.AsSlice(),
-		}
-	})
-	err = binary.Write(writer, binary.BigEndian, uint64(len(dataList)))
 	if err != nil {
 		return err
 	}
-	for _, data := range dataList {
+	for _, rr := range mySet.rr {
-		err = varbin.Write(writer, binary.BigEndian, data)
+		fromBytes := rr.from.AsSlice()
+		_, err = varbin.WriteUvarint(writer, uint64(len(fromBytes)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write(fromBytes)
+		if err != nil {
+			return err
+		}
+		toBytes := rr.to.AsSlice()
+		_, err = varbin.WriteUvarint(writer, uint64(len(toBytes)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write(toBytes)
 		if err != nil {
 			return err
 		}

common/tls/acme.go

@@ -14,6 +14,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 
 	"github.com/caddyserver/certmagic"
+	"github.com/libdns/acmedns"
 	"github.com/libdns/alidns"
 	"github.com/libdns/cloudflare"
 	"github.com/mholt/acmez/v3/acme"
@@ -114,13 +115,24 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		switch dnsOptions.Provider {
 		case C.DNSProviderAliDNS:
 			solver.DNSProvider = &alidns.Provider{
-				AccKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
+				CredentialInfo: alidns.CredentialInfo{
-				AccKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
+					AccessKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
+					AccessKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
 					RegionID:        dnsOptions.AliDNSOptions.RegionID,
+					SecurityToken:   dnsOptions.AliDNSOptions.SecurityToken,
+				},
 			}
 		case C.DNSProviderCloudflare:
 			solver.DNSProvider = &cloudflare.Provider{
 				APIToken:  dnsOptions.CloudflareOptions.APIToken,
+				ZoneToken: dnsOptions.CloudflareOptions.ZoneToken,
+			}
+		case C.DNSProviderACMEDNS:
+			solver.DNSProvider = &acmedns.Provider{
+				Username:  dnsOptions.ACMEDNSOptions.Username,
+				Password:  dnsOptions.ACMEDNSOptions.Password,
+				Subdomain: dnsOptions.ACMEDNSOptions.Subdomain,
+				ServerURL: dnsOptions.ACMEDNSOptions.ServerURL,
 			}
 		default:
 			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)

common/tls/ech.go

@@ -15,7 +15,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	aTLS "github.com/sagernet/sing/common/tls"
@@ -38,7 +37,7 @@ func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, op
 	}
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
+		return nil, E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
 	}
 	if len(echConfig) > 0 {
 		block, rest := pem.Decode(echConfig)
@@ -51,6 +50,7 @@ func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, op
 		return &ECHClientConfig{
 			ECHCapableConfig: clientConfig,
 			dnsRouter:        service.FromContext[adapter.DNSRouter](ctx),
+			queryServerName:  options.ECH.QueryServerName,
 		}, nil
 	}
 }
@@ -76,7 +76,7 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	tlsConfig.EncryptedClientHelloKeys = echKeys
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
+		return E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
 	}
 	return nil
 }
@@ -110,6 +110,7 @@ type ECHClientConfig struct {
 	ECHCapableConfig
 	access          sync.Mutex
 	dnsRouter       adapter.DNSRouter
+	queryServerName string
 	lastTTL         time.Duration
 	lastUpdate      time.Time
 }
@@ -130,13 +131,17 @@ func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn)
 	s.access.Lock()
 	defer s.access.Unlock()
 	if len(s.ECHConfigList()) == 0 || s.lastTTL == 0 || time.Since(s.lastUpdate) > s.lastTTL {
+		queryServerName := s.queryServerName
+		if queryServerName == "" {
+			queryServerName = s.ServerName()
+		}
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
 			},
 			Question: []mDNS.Question{
 				{
-					Name:   mDNS.Fqdn(s.ServerName()),
+					Name:   mDNS.Fqdn(queryServerName),
 					Qtype:  mDNS.TypeHTTPS,
 					Qclass: mDNS.ClassINET,
 				},
@@ -175,7 +180,12 @@ func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn)
 }
 
 func (s *ECHClientConfig) Clone() Config {
-	return &ECHClientConfig{ECHCapableConfig: s.ECHCapableConfig.Clone().(ECHCapableConfig), dnsRouter: s.dnsRouter, lastUpdate: s.lastUpdate}
+	return &ECHClientConfig{
+		ECHCapableConfig: s.ECHCapableConfig.Clone().(ECHCapableConfig),
+		dnsRouter:        s.dnsRouter,
+		queryServerName:  s.queryServerName,
+		lastUpdate:       s.lastUpdate,
+	}
 }
 
 func UnmarshalECHKeys(raw []byte) ([]tls.EncryptedClientHelloKey, error) {

common/tls/std_client.go

@@ -169,6 +169,35 @@ func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 		}
 		tlsConfig.RootCAs = certPool
 	}
+	var clientCertificate []byte
+	if len(options.ClientCertificate) > 0 {
+		clientCertificate = []byte(strings.Join(options.ClientCertificate, "\n"))
+	} else if options.ClientCertificatePath != "" {
+		content, err := os.ReadFile(options.ClientCertificatePath)
+		if err != nil {
+			return nil, E.Cause(err, "read client certificate")
+		}
+		clientCertificate = content
+	}
+	var clientKey []byte
+	if len(options.ClientKey) > 0 {
+		clientKey = []byte(strings.Join(options.ClientKey, "\n"))
+	} else if options.ClientKeyPath != "" {
+		content, err := os.ReadFile(options.ClientKeyPath)
+		if err != nil {
+			return nil, E.Cause(err, "read client key")
+		}
+		clientKey = content
+	}
+	if len(clientCertificate) > 0 && len(clientKey) > 0 {
+		keyPair, err := tls.X509KeyPair(clientCertificate, clientKey)
+		if err != nil {
+			return nil, E.Cause(err, "parse client x509 key pair")
+		}
+		tlsConfig.Certificates = []tls.Certificate{keyPair}
+	} else if len(clientCertificate) > 0 || len(clientKey) > 0 {
+		return nil, E.New("client certificate and client key must be provided together")
+	}
 	var config Config = &STDClientConfig{ctx, &tlsConfig, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
 		var err error

common/tls/utls_client.go

@@ -222,6 +222,35 @@ func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre
 		}
 		tlsConfig.RootCAs = certPool
 	}
+	var clientCertificate []byte
+	if len(options.ClientCertificate) > 0 {
+		clientCertificate = []byte(strings.Join(options.ClientCertificate, "\n"))
+	} else if options.ClientCertificatePath != "" {
+		content, err := os.ReadFile(options.ClientCertificatePath)
+		if err != nil {
+			return nil, E.Cause(err, "read client certificate")
+		}
+		clientCertificate = content
+	}
+	var clientKey []byte
+	if len(options.ClientKey) > 0 {
+		clientKey = []byte(strings.Join(options.ClientKey, "\n"))
+	} else if options.ClientKeyPath != "" {
+		content, err := os.ReadFile(options.ClientKeyPath)
+		if err != nil {
+			return nil, E.Cause(err, "read client key")
+		}
+		clientKey = content
+	}
+	if len(clientCertificate) > 0 && len(clientKey) > 0 {
+		keyPair, err := utls.X509KeyPair(clientCertificate, clientKey)
+		if err != nil {
+			return nil, E.Cause(err, "parse client x509 key pair")
+		}
+		tlsConfig.Certificates = []utls.Certificate{keyPair}
+	} else if len(clientCertificate) > 0 || len(clientKey) > 0 {
+		return nil, E.New("client certificate and client key must be provided together")
+	}
 	id, err := uTLSClientHelloID(options.UTLS.Fingerprint)
 	if err != nil {
 		return nil, err

common/urltest/urltest.go

@@ -14,6 +14,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
+	"github.com/sagernet/sing/common/observable"
 )
 
 var _ adapter.URLTestHistoryStorage = (*HistoryStorage)(nil)
@@ -21,7 +22,7 @@ var _ adapter.URLTestHistoryStorage = (*HistoryStorage)(nil)
 type HistoryStorage struct {
 	access       sync.RWMutex
 	delayHistory map[string]*adapter.URLTestHistory
-	updateHook   chan<- struct{}
+	updateHook   *observable.Subscriber[struct{}]
 }
 
 func NewHistoryStorage() *HistoryStorage {
@@ -30,7 +31,7 @@ func NewHistoryStorage() *HistoryStorage {
 	}
 }
 
-func (s *HistoryStorage) SetHook(hook chan<- struct{}) {
+func (s *HistoryStorage) SetHook(hook *observable.Subscriber[struct{}]) {
 	s.updateHook = hook
 }
 
@@ -60,10 +61,7 @@ func (s *HistoryStorage) StoreURLTestHistory(tag string, history *adapter.URLTes
 func (s *HistoryStorage) notifyUpdated() {
 	updateHook := s.updateHook
 	if updateHook != nil {
-		select {
+		updateHook.Emit(struct{}{})
-		case updateHook <- struct{}{}:
-		default:
-		}
 	}
 }
 

constant/certificate.go

@@ -3,5 +3,6 @@ package constant
 const (
 	CertificateStoreSystem  = "system"
 	CertificateStoreMozilla = "mozilla"
+	CertificateStoreChrome  = "chrome"
 	CertificateStoreNone    = "none"
 )

constant/dhcp.go

@@ -4,5 +4,5 @@ import "time"
 
 const (
 	DHCPTTL     = time.Hour
-	DHCPTimeout = time.Minute
+	DHCPTimeout = 5 * time.Second
 )

constant/dns.go

@@ -33,4 +33,5 @@ const (
 const (
 	DNSProviderAliDNS     = "alidns"
 	DNSProviderCloudflare = "cloudflare"
+	DNSProviderACMEDNS    = "acmedns"
 )

constant/proxy.go

@@ -28,6 +28,9 @@ const (
 	TypeDERP         = "derp"
 	TypeResolved     = "resolved"
 	TypeSSMAPI       = "ssm-api"
+	TypeCCM          = "ccm"
+	TypeOCM          = "ocm"
+	TypeOOMKiller    = "oom-killer"
 )
 
 const (
@@ -83,6 +86,8 @@ func ProxyDisplayName(proxyType string) string {
 		return "Hysteria2"
 	case TypeAnyTLS:
 		return "AnyTLS"
+	case TypeTailscale:
+		return "Tailscale"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:

constant/rule.go

@@ -30,6 +30,7 @@ const (
 	RuleActionTypeRoute        = "route"
 	RuleActionTypeRouteOptions = "route-options"
 	RuleActionTypeDirect       = "direct"
+	RuleActionTypeBypass       = "bypass"
 	RuleActionTypeReject       = "reject"
 	RuleActionTypeHijackDNS    = "hijack-dns"
 	RuleActionTypeSniff        = "sniff"

constant/timeout.go

@@ -3,7 +3,7 @@ package constant
 import "time"
 
 const (
-	TCPKeepAliveInitial        = 10 * time.Minute
+	TCPKeepAliveInitial        = 5 * time.Minute
 	TCPKeepAliveInterval       = 75 * time.Second
 	TCPConnectTimeout          = 5 * time.Second
 	TCPTimeout                 = 15 * time.Second

daemon/helper.pb.go

@@ -1,702 +0,0 @@
-package daemon
-
-import (
-	reflect "reflect"
-	sync "sync"
-	unsafe "unsafe"
-
-	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
-	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
-	emptypb "google.golang.org/protobuf/types/known/emptypb"
-)
-
-const (
-	// Verify that this generated code is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
-	// Verify that runtime/protoimpl is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
-)
-
-type SubscribeHelperRequestRequest struct {
-	state                             protoimpl.MessageState `protogen:"open.v1"`
-	AcceptGetWIFIStateRequests        bool                   `protobuf:"varint,1,opt,name=acceptGetWIFIStateRequests,proto3" json:"acceptGetWIFIStateRequests,omitempty"`
-	AcceptFindConnectionOwnerRequests bool                   `protobuf:"varint,2,opt,name=acceptFindConnectionOwnerRequests,proto3" json:"acceptFindConnectionOwnerRequests,omitempty"`
-	AcceptSendNotificationRequests    bool                   `protobuf:"varint,3,opt,name=acceptSendNotificationRequests,proto3" json:"acceptSendNotificationRequests,omitempty"`
-	unknownFields                     protoimpl.UnknownFields
-	sizeCache                         protoimpl.SizeCache
-}
-
-func (x *SubscribeHelperRequestRequest) Reset() {
-	*x = SubscribeHelperRequestRequest{}
-	mi := &file_daemon_helper_proto_msgTypes[0]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *SubscribeHelperRequestRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*SubscribeHelperRequestRequest) ProtoMessage() {}
-
-func (x *SubscribeHelperRequestRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_helper_proto_msgTypes[0]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use SubscribeHelperRequestRequest.ProtoReflect.Descriptor instead.
-func (*SubscribeHelperRequestRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_helper_proto_rawDescGZIP(), []int{0}
-}
-
-func (x *SubscribeHelperRequestRequest) GetAcceptGetWIFIStateRequests() bool {
-	if x != nil {
-		return x.AcceptGetWIFIStateRequests
-	}
-	return false
-}
-
-func (x *SubscribeHelperRequestRequest) GetAcceptFindConnectionOwnerRequests() bool {
-	if x != nil {
-		return x.AcceptFindConnectionOwnerRequests
-	}
-	return false
-}
-
-func (x *SubscribeHelperRequestRequest) GetAcceptSendNotificationRequests() bool {
-	if x != nil {
-		return x.AcceptSendNotificationRequests
-	}
-	return false
-}
-
-type HelperRequest struct {
-	state protoimpl.MessageState `protogen:"open.v1"`
-	Id    int64                  `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
-	// Types that are valid to be assigned to Request:
-	//
-	//	*HelperRequest_GetWIFIState
-	//	*HelperRequest_FindConnectionOwner
-	//	*HelperRequest_SendNotification
-	Request       isHelperRequest_Request `protobuf_oneof:"request"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *HelperRequest) Reset() {
-	*x = HelperRequest{}
-	mi := &file_daemon_helper_proto_msgTypes[1]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *HelperRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*HelperRequest) ProtoMessage() {}
-
-func (x *HelperRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_helper_proto_msgTypes[1]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use HelperRequest.ProtoReflect.Descriptor instead.
-func (*HelperRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_helper_proto_rawDescGZIP(), []int{1}
-}
-
-func (x *HelperRequest) GetId() int64 {
-	if x != nil {
-		return x.Id
-	}
-	return 0
-}
-
-func (x *HelperRequest) GetRequest() isHelperRequest_Request {
-	if x != nil {
-		return x.Request
-	}
-	return nil
-}
-
-func (x *HelperRequest) GetGetWIFIState() *emptypb.Empty {
-	if x != nil {
-		if x, ok := x.Request.(*HelperRequest_GetWIFIState); ok {
-			return x.GetWIFIState
-		}
-	}
-	return nil
-}
-
-func (x *HelperRequest) GetFindConnectionOwner() *FindConnectionOwnerRequest {
-	if x != nil {
-		if x, ok := x.Request.(*HelperRequest_FindConnectionOwner); ok {
-			return x.FindConnectionOwner
-		}
-	}
-	return nil
-}
-
-func (x *HelperRequest) GetSendNotification() *Notification {
-	if x != nil {
-		if x, ok := x.Request.(*HelperRequest_SendNotification); ok {
-			return x.SendNotification
-		}
-	}
-	return nil
-}
-
-type isHelperRequest_Request interface {
-	isHelperRequest_Request()
-}
-
-type HelperRequest_GetWIFIState struct {
-	GetWIFIState *emptypb.Empty `protobuf:"bytes,2,opt,name=getWIFIState,proto3,oneof"`
-}
-
-type HelperRequest_FindConnectionOwner struct {
-	FindConnectionOwner *FindConnectionOwnerRequest `protobuf:"bytes,3,opt,name=findConnectionOwner,proto3,oneof"`
-}
-
-type HelperRequest_SendNotification struct {
-	SendNotification *Notification `protobuf:"bytes,4,opt,name=sendNotification,proto3,oneof"`
-}
-
-func (*HelperRequest_GetWIFIState) isHelperRequest_Request() {}
-
-func (*HelperRequest_FindConnectionOwner) isHelperRequest_Request() {}
-
-func (*HelperRequest_SendNotification) isHelperRequest_Request() {}
-
-type FindConnectionOwnerRequest struct {
-	state              protoimpl.MessageState `protogen:"open.v1"`
-	IpProtocol         int32                  `protobuf:"varint,1,opt,name=ipProtocol,proto3" json:"ipProtocol,omitempty"`
-	SourceAddress      string                 `protobuf:"bytes,2,opt,name=sourceAddress,proto3" json:"sourceAddress,omitempty"`
-	SourcePort         int32                  `protobuf:"varint,3,opt,name=sourcePort,proto3" json:"sourcePort,omitempty"`
-	DestinationAddress string                 `protobuf:"bytes,4,opt,name=destinationAddress,proto3" json:"destinationAddress,omitempty"`
-	DestinationPort    int32                  `protobuf:"varint,5,opt,name=destinationPort,proto3" json:"destinationPort,omitempty"`
-	unknownFields      protoimpl.UnknownFields
-	sizeCache          protoimpl.SizeCache
-}
-
-func (x *FindConnectionOwnerRequest) Reset() {
-	*x = FindConnectionOwnerRequest{}
-	mi := &file_daemon_helper_proto_msgTypes[2]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *FindConnectionOwnerRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*FindConnectionOwnerRequest) ProtoMessage() {}
-
-func (x *FindConnectionOwnerRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_helper_proto_msgTypes[2]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use FindConnectionOwnerRequest.ProtoReflect.Descriptor instead.
-func (*FindConnectionOwnerRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_helper_proto_rawDescGZIP(), []int{2}
-}
-
-func (x *FindConnectionOwnerRequest) GetIpProtocol() int32 {
-	if x != nil {
-		return x.IpProtocol
-	}
-	return 0
-}
-
-func (x *FindConnectionOwnerRequest) GetSourceAddress() string {
-	if x != nil {
-		return x.SourceAddress
-	}
-	return ""
-}
-
-func (x *FindConnectionOwnerRequest) GetSourcePort() int32 {
-	if x != nil {
-		return x.SourcePort
-	}
-	return 0
-}
-
-func (x *FindConnectionOwnerRequest) GetDestinationAddress() string {
-	if x != nil {
-		return x.DestinationAddress
-	}
-	return ""
-}
-
-func (x *FindConnectionOwnerRequest) GetDestinationPort() int32 {
-	if x != nil {
-		return x.DestinationPort
-	}
-	return 0
-}
-
-type Notification struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Identifier    string                 `protobuf:"bytes,1,opt,name=identifier,proto3" json:"identifier,omitempty"`
-	TypeName      string                 `protobuf:"bytes,2,opt,name=typeName,proto3" json:"typeName,omitempty"`
-	TypeId        int32                  `protobuf:"varint,3,opt,name=typeId,proto3" json:"typeId,omitempty"`
-	Title         string                 `protobuf:"bytes,4,opt,name=title,proto3" json:"title,omitempty"`
-	Subtitle      string                 `protobuf:"bytes,5,opt,name=subtitle,proto3" json:"subtitle,omitempty"`
-	Body          string                 `protobuf:"bytes,6,opt,name=body,proto3" json:"body,omitempty"`
-	OpenURL       string                 `protobuf:"bytes,7,opt,name=openURL,proto3" json:"openURL,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *Notification) Reset() {
-	*x = Notification{}
-	mi := &file_daemon_helper_proto_msgTypes[3]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *Notification) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*Notification) ProtoMessage() {}
-
-func (x *Notification) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_helper_proto_msgTypes[3]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use Notification.ProtoReflect.Descriptor instead.
-func (*Notification) Descriptor() ([]byte, []int) {
-	return file_daemon_helper_proto_rawDescGZIP(), []int{3}
-}
-
-func (x *Notification) GetIdentifier() string {
-	if x != nil {
-		return x.Identifier
-	}
-	return ""
-}
-
-func (x *Notification) GetTypeName() string {
-	if x != nil {
-		return x.TypeName
-	}
-	return ""
-}
-
-func (x *Notification) GetTypeId() int32 {
-	if x != nil {
-		return x.TypeId
-	}
-	return 0
-}
-
-func (x *Notification) GetTitle() string {
-	if x != nil {
-		return x.Title
-	}
-	return ""
-}
-
-func (x *Notification) GetSubtitle() string {
-	if x != nil {
-		return x.Subtitle
-	}
-	return ""
-}
-
-func (x *Notification) GetBody() string {
-	if x != nil {
-		return x.Body
-	}
-	return ""
-}
-
-func (x *Notification) GetOpenURL() string {
-	if x != nil {
-		return x.OpenURL
-	}
-	return ""
-}
-
-type HelperResponse struct {
-	state protoimpl.MessageState `protogen:"open.v1"`
-	Id    int64                  `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
-	// Types that are valid to be assigned to Response:
-	//
-	//	*HelperResponse_WifiState
-	//	*HelperResponse_Error
-	//	*HelperResponse_ConnectionOwner
-	Response      isHelperResponse_Response `protobuf_oneof:"response"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *HelperResponse) Reset() {
-	*x = HelperResponse{}
-	mi := &file_daemon_helper_proto_msgTypes[4]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *HelperResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*HelperResponse) ProtoMessage() {}
-
-func (x *HelperResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_helper_proto_msgTypes[4]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use HelperResponse.ProtoReflect.Descriptor instead.
-func (*HelperResponse) Descriptor() ([]byte, []int) {
-	return file_daemon_helper_proto_rawDescGZIP(), []int{4}
-}
-
-func (x *HelperResponse) GetId() int64 {
-	if x != nil {
-		return x.Id
-	}
-	return 0
-}
-
-func (x *HelperResponse) GetResponse() isHelperResponse_Response {
-	if x != nil {
-		return x.Response
-	}
-	return nil
-}
-
-func (x *HelperResponse) GetWifiState() *WIFIState {
-	if x != nil {
-		if x, ok := x.Response.(*HelperResponse_WifiState); ok {
-			return x.WifiState
-		}
-	}
-	return nil
-}
-
-func (x *HelperResponse) GetError() string {
-	if x != nil {
-		if x, ok := x.Response.(*HelperResponse_Error); ok {
-			return x.Error
-		}
-	}
-	return ""
-}
-
-func (x *HelperResponse) GetConnectionOwner() *ConnectionOwner {
-	if x != nil {
-		if x, ok := x.Response.(*HelperResponse_ConnectionOwner); ok {
-			return x.ConnectionOwner
-		}
-	}
-	return nil
-}
-
-type isHelperResponse_Response interface {
-	isHelperResponse_Response()
-}
-
-type HelperResponse_WifiState struct {
-	WifiState *WIFIState `protobuf:"bytes,2,opt,name=wifiState,proto3,oneof"`
-}
-
-type HelperResponse_Error struct {
-	Error string `protobuf:"bytes,3,opt,name=error,proto3,oneof"`
-}
-
-type HelperResponse_ConnectionOwner struct {
-	ConnectionOwner *ConnectionOwner `protobuf:"bytes,4,opt,name=connectionOwner,proto3,oneof"`
-}
-
-func (*HelperResponse_WifiState) isHelperResponse_Response() {}
-
-func (*HelperResponse_Error) isHelperResponse_Response() {}
-
-func (*HelperResponse_ConnectionOwner) isHelperResponse_Response() {}
-
-type ConnectionOwner struct {
-	state              protoimpl.MessageState `protogen:"open.v1"`
-	UserId             int32                  `protobuf:"varint,1,opt,name=userId,proto3" json:"userId,omitempty"`
-	UserName           string                 `protobuf:"bytes,2,opt,name=userName,proto3" json:"userName,omitempty"`
-	ProcessPath        string                 `protobuf:"bytes,3,opt,name=processPath,proto3" json:"processPath,omitempty"`
-	AndroidPackageName string                 `protobuf:"bytes,4,opt,name=androidPackageName,proto3" json:"androidPackageName,omitempty"`
-	unknownFields      protoimpl.UnknownFields
-	sizeCache          protoimpl.SizeCache
-}
-
-func (x *ConnectionOwner) Reset() {
-	*x = ConnectionOwner{}
-	mi := &file_daemon_helper_proto_msgTypes[5]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *ConnectionOwner) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*ConnectionOwner) ProtoMessage() {}
-
-func (x *ConnectionOwner) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_helper_proto_msgTypes[5]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use ConnectionOwner.ProtoReflect.Descriptor instead.
-func (*ConnectionOwner) Descriptor() ([]byte, []int) {
-	return file_daemon_helper_proto_rawDescGZIP(), []int{5}
-}
-
-func (x *ConnectionOwner) GetUserId() int32 {
-	if x != nil {
-		return x.UserId
-	}
-	return 0
-}
-
-func (x *ConnectionOwner) GetUserName() string {
-	if x != nil {
-		return x.UserName
-	}
-	return ""
-}
-
-func (x *ConnectionOwner) GetProcessPath() string {
-	if x != nil {
-		return x.ProcessPath
-	}
-	return ""
-}
-
-func (x *ConnectionOwner) GetAndroidPackageName() string {
-	if x != nil {
-		return x.AndroidPackageName
-	}
-	return ""
-}
-
-type WIFIState struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Ssid          string                 `protobuf:"bytes,1,opt,name=ssid,proto3" json:"ssid,omitempty"`
-	Bssid         string                 `protobuf:"bytes,2,opt,name=bssid,proto3" json:"bssid,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *WIFIState) Reset() {
-	*x = WIFIState{}
-	mi := &file_daemon_helper_proto_msgTypes[6]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *WIFIState) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*WIFIState) ProtoMessage() {}
-
-func (x *WIFIState) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_helper_proto_msgTypes[6]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use WIFIState.ProtoReflect.Descriptor instead.
-func (*WIFIState) Descriptor() ([]byte, []int) {
-	return file_daemon_helper_proto_rawDescGZIP(), []int{6}
-}
-
-func (x *WIFIState) GetSsid() string {
-	if x != nil {
-		return x.Ssid
-	}
-	return ""
-}
-
-func (x *WIFIState) GetBssid() string {
-	if x != nil {
-		return x.Bssid
-	}
-	return ""
-}
-
-var File_daemon_helper_proto protoreflect.FileDescriptor
-
-const file_daemon_helper_proto_rawDesc = "" +
-	"\n" +
-	"\x13daemon/helper.proto\x12\x06daemon\x1a\x1bgoogle/protobuf/empty.proto\"\xf5\x01\n" +
-	"\x1dSubscribeHelperRequestRequest\x12>\n" +
-	"\x1aacceptGetWIFIStateRequests\x18\x01 \x01(\bR\x1aacceptGetWIFIStateRequests\x12L\n" +
-	"!acceptFindConnectionOwnerRequests\x18\x02 \x01(\bR!acceptFindConnectionOwnerRequests\x12F\n" +
-	"\x1eacceptSendNotificationRequests\x18\x03 \x01(\bR\x1eacceptSendNotificationRequests\"\x84\x02\n" +
-	"\rHelperRequest\x12\x0e\n" +
-	"\x02id\x18\x01 \x01(\x03R\x02id\x12<\n" +
-	"\fgetWIFIState\x18\x02 \x01(\v2\x16.google.protobuf.EmptyH\x00R\fgetWIFIState\x12V\n" +
-	"\x13findConnectionOwner\x18\x03 \x01(\v2\".daemon.FindConnectionOwnerRequestH\x00R\x13findConnectionOwner\x12B\n" +
-	"\x10sendNotification\x18\x04 \x01(\v2\x14.daemon.NotificationH\x00R\x10sendNotificationB\t\n" +
-	"\arequest\"\xdc\x01\n" +
-	"\x1aFindConnectionOwnerRequest\x12\x1e\n" +
-	"\n" +
-	"ipProtocol\x18\x01 \x01(\x05R\n" +
-	"ipProtocol\x12$\n" +
-	"\rsourceAddress\x18\x02 \x01(\tR\rsourceAddress\x12\x1e\n" +
-	"\n" +
-	"sourcePort\x18\x03 \x01(\x05R\n" +
-	"sourcePort\x12.\n" +
-	"\x12destinationAddress\x18\x04 \x01(\tR\x12destinationAddress\x12(\n" +
-	"\x0fdestinationPort\x18\x05 \x01(\x05R\x0fdestinationPort\"\xc2\x01\n" +
-	"\fNotification\x12\x1e\n" +
-	"\n" +
-	"identifier\x18\x01 \x01(\tR\n" +
-	"identifier\x12\x1a\n" +
-	"\btypeName\x18\x02 \x01(\tR\btypeName\x12\x16\n" +
-	"\x06typeId\x18\x03 \x01(\x05R\x06typeId\x12\x14\n" +
-	"\x05title\x18\x04 \x01(\tR\x05title\x12\x1a\n" +
-	"\bsubtitle\x18\x05 \x01(\tR\bsubtitle\x12\x12\n" +
-	"\x04body\x18\x06 \x01(\tR\x04body\x12\x18\n" +
-	"\aopenURL\x18\a \x01(\tR\aopenURL\"\xbc\x01\n" +
-	"\x0eHelperResponse\x12\x0e\n" +
-	"\x02id\x18\x01 \x01(\x03R\x02id\x121\n" +
-	"\twifiState\x18\x02 \x01(\v2\x11.daemon.WIFIStateH\x00R\twifiState\x12\x16\n" +
-	"\x05error\x18\x03 \x01(\tH\x00R\x05error\x12C\n" +
-	"\x0fconnectionOwner\x18\x04 \x01(\v2\x17.daemon.ConnectionOwnerH\x00R\x0fconnectionOwnerB\n" +
-	"\n" +
-	"\bresponse\"\x97\x01\n" +
-	"\x0fConnectionOwner\x12\x16\n" +
-	"\x06userId\x18\x01 \x01(\x05R\x06userId\x12\x1a\n" +
-	"\buserName\x18\x02 \x01(\tR\buserName\x12 \n" +
-	"\vprocessPath\x18\x03 \x01(\tR\vprocessPath\x12.\n" +
-	"\x12androidPackageName\x18\x04 \x01(\tR\x12androidPackageName\"5\n" +
-	"\tWIFIState\x12\x12\n" +
-	"\x04ssid\x18\x01 \x01(\tR\x04ssid\x12\x14\n" +
-	"\x05bssid\x18\x02 \x01(\tR\x05bssidB%Z#github.com/sagernet/sing-box/daemonb\x06proto3"
-
-var (
-	file_daemon_helper_proto_rawDescOnce sync.Once
-	file_daemon_helper_proto_rawDescData []byte
-)
-
-func file_daemon_helper_proto_rawDescGZIP() []byte {
-	file_daemon_helper_proto_rawDescOnce.Do(func() {
-		file_daemon_helper_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_daemon_helper_proto_rawDesc), len(file_daemon_helper_proto_rawDesc)))
-	})
-	return file_daemon_helper_proto_rawDescData
-}
-
-var (
-	file_daemon_helper_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
-	file_daemon_helper_proto_goTypes  = []any{
-		(*SubscribeHelperRequestRequest)(nil), // 0: daemon.SubscribeHelperRequestRequest
-		(*HelperRequest)(nil),                 // 1: daemon.HelperRequest
-		(*FindConnectionOwnerRequest)(nil),    // 2: daemon.FindConnectionOwnerRequest
-		(*Notification)(nil),                  // 3: daemon.Notification
-		(*HelperResponse)(nil),                // 4: daemon.HelperResponse
-		(*ConnectionOwner)(nil),               // 5: daemon.ConnectionOwner
-		(*WIFIState)(nil),                     // 6: daemon.WIFIState
-		(*emptypb.Empty)(nil),                 // 7: google.protobuf.Empty
-	}
-)
-
-var file_daemon_helper_proto_depIdxs = []int32{
-	7, // 0: daemon.HelperRequest.getWIFIState:type_name -> google.protobuf.Empty
-	2, // 1: daemon.HelperRequest.findConnectionOwner:type_name -> daemon.FindConnectionOwnerRequest
-	3, // 2: daemon.HelperRequest.sendNotification:type_name -> daemon.Notification
-	6, // 3: daemon.HelperResponse.wifiState:type_name -> daemon.WIFIState
-	5, // 4: daemon.HelperResponse.connectionOwner:type_name -> daemon.ConnectionOwner
-	5, // [5:5] is the sub-list for method output_type
-	5, // [5:5] is the sub-list for method input_type
-	5, // [5:5] is the sub-list for extension type_name
-	5, // [5:5] is the sub-list for extension extendee
-	0, // [0:5] is the sub-list for field type_name
-}
-
-func init() { file_daemon_helper_proto_init() }
-func file_daemon_helper_proto_init() {
-	if File_daemon_helper_proto != nil {
-		return
-	}
-	file_daemon_helper_proto_msgTypes[1].OneofWrappers = []any{
-		(*HelperRequest_GetWIFIState)(nil),
-		(*HelperRequest_FindConnectionOwner)(nil),
-		(*HelperRequest_SendNotification)(nil),
-	}
-	file_daemon_helper_proto_msgTypes[4].OneofWrappers = []any{
-		(*HelperResponse_WifiState)(nil),
-		(*HelperResponse_Error)(nil),
-		(*HelperResponse_ConnectionOwner)(nil),
-	}
-	type x struct{}
-	out := protoimpl.TypeBuilder{
-		File: protoimpl.DescBuilder{
-			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_helper_proto_rawDesc), len(file_daemon_helper_proto_rawDesc)),
-			NumEnums:      0,
-			NumMessages:   7,
-			NumExtensions: 0,
-			NumServices:   0,
-		},
-		GoTypes:           file_daemon_helper_proto_goTypes,
-		DependencyIndexes: file_daemon_helper_proto_depIdxs,
-		MessageInfos:      file_daemon_helper_proto_msgTypes,
-	}.Build()
-	File_daemon_helper_proto = out.File
-	file_daemon_helper_proto_goTypes = nil
-	file_daemon_helper_proto_depIdxs = nil
-}

daemon/helper.proto

@@ -1,61 +0,0 @@
-syntax = "proto3";
-
-package daemon;
-option go_package = "github.com/sagernet/sing-box/daemon";
-
-import "google/protobuf/empty.proto";
-
-message SubscribeHelperRequestRequest {
-  bool acceptGetWIFIStateRequests = 1;
-  bool acceptFindConnectionOwnerRequests = 2;
-  bool acceptSendNotificationRequests = 3;
-}
-
-message HelperRequest {
-  int64 id = 1;
-  oneof request {
-    google.protobuf.Empty getWIFIState = 2;
-    FindConnectionOwnerRequest findConnectionOwner = 3;
-    Notification sendNotification = 4;
-  }
-}
-
-message FindConnectionOwnerRequest {
-  int32 ipProtocol = 1;
-  string sourceAddress = 2;
-  int32 sourcePort = 3;
-  string destinationAddress = 4;
-  int32 destinationPort = 5;
-}
-
-message Notification {
-  string identifier = 1;
-  string typeName = 2;
-  int32 typeId = 3;
-  string title = 4;
-  string subtitle = 5;
-  string body = 6;
-  string openURL = 7;
-}
-
-message HelperResponse {
-  int64 id = 1;
-  oneof response {
-    WIFIState wifiState = 2;
-    string error = 3;
-    ConnectionOwner connectionOwner = 4;
-  }
-}
-
-message ConnectionOwner {
-  int32 userId = 1;
-  string userName = 2;
-  string processPath = 3;
-  string androidPackageName = 4;
-}
-
-message WIFIState {
-  string ssid = 1;
-  string bssid = 2;
-}
-

daemon/instance.go

@@ -8,14 +8,14 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/include"
+	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/service"
-	"github.com/sagernet/sing/service/filemanager"
 	"github.com/sagernet/sing/service/pause"
 )
 
@@ -23,29 +23,19 @@ type Instance struct {
 	ctx                   context.Context
 	cancel                context.CancelFunc
 	instance              *box.Box
+	connectionManager     adapter.ConnectionManager
 	clashServer           adapter.ClashServer
 	cacheFile             adapter.CacheFile
 	pauseManager          pause.Manager
 	urlTestHistoryStorage *urltest.HistoryStorage
 }
 
-func (s *StartedService) baseContext() context.Context {
-	dnsRegistry := include.DNSTransportRegistry()
-	if s.platform != nil && s.platform.UsePlatformLocalDNSTransport() {
-		dns.RegisterTransport[option.LocalDNSServerOptions](dnsRegistry, C.DNSTypeLocal, s.platform.LocalDNSTransport())
-	}
-	ctx := box.Context(s.ctx, include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), dnsRegistry, include.ServiceRegistry())
-	ctx = filemanager.WithDefault(ctx, s.workingDirectory, s.tempDirectory, s.userID, s.groupID)
-	return ctx
-}
-
 func (s *StartedService) CheckConfig(configContent string) error {
-	ctx := s.baseContext()
+	options, err := parseConfig(s.ctx, configContent)
-	options, err := parseConfig(ctx, configContent)
 	if err != nil {
 		return err
 	}
-	ctx, cancel := context.WithCancel(ctx)
+	ctx, cancel := context.WithCancel(s.ctx)
 	defer cancel()
 	instance, err := box.New(box.Options{
 		Context: ctx,
@@ -58,7 +48,7 @@ func (s *StartedService) CheckConfig(configContent string) error {
 }
 
 func (s *StartedService) FormatConfig(configContent string) (string, error) {
-	options, err := parseConfig(s.baseContext(), configContent)
+	options, err := parseConfig(s.ctx, configContent)
 	if err != nil {
 		return "", err
 	}
@@ -79,7 +69,7 @@ type OverrideOptions struct {
 }
 
 func (s *StartedService) newInstance(profileContent string, overrideOptions *OverrideOptions) (*Instance, error) {
-	ctx := s.baseContext()
+	ctx := s.ctx
 	service.MustRegister[deprecated.Manager](ctx, new(deprecatedManager))
 	ctx, cancel := context.WithCancel(include.Context(ctx))
 	options, err := parseConfig(ctx, profileContent)
@@ -97,6 +87,15 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 			}
 		}
 	}
+	if s.oomKiller && C.IsIos {
+		if !common.Any(options.Services, func(it option.Service) bool {
+			return it.Type == C.TypeOOMKiller
+		}) {
+			options.Services = append(options.Services, option.Service{
+				Type: C.TypeOOMKiller,
+			})
+		}
+	}
 	urlTestHistoryStorage := urltest.NewHistoryStorage()
 	ctx = service.ContextWithPtr(ctx, urlTestHistoryStorage)
 	i := &Instance{
@@ -114,9 +113,11 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 		return nil, err
 	}
 	i.instance = boxInstance
+	i.connectionManager = service.FromContext[adapter.ConnectionManager](ctx)
 	i.clashServer = service.FromContext[adapter.ClashServer](ctx)
 	i.pauseManager = service.FromContext[pause.Manager](ctx)
 	i.cacheFile = service.FromContext[adapter.CacheFile](ctx)
+	log.SetStdLogger(boxInstance.LogFactory().Logger())
 	return i, nil
 }
 

daemon/platform.go

@@ -1,11 +1,5 @@
 package daemon
 
-import (
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/option"
-)
-
 type PlatformHandler interface {
 	ServiceStop() error
 	ServiceReload() error
@@ -13,10 +7,3 @@ type PlatformHandler interface {
 	SetSystemProxyEnabled(enabled bool) error
 	WriteDebugMessage(message string)
 }
-
-type PlatformInterface interface {
-	adapter.PlatformInterface
-
-	UsePlatformLocalDNSTransport() bool
-	LocalDNSTransport() dns.TransportConstructorFunc[option.LocalDNSServerOptions]
-}

daemon/started_service.go

@@ -8,7 +8,6 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
@@ -32,15 +31,16 @@ var _ StartedServiceServer = (*StartedService)(nil)
 
 type StartedService struct {
 	ctx context.Context
-	platform                PlatformInterface
+	// platform adapter.PlatformInterface
-	platformHandler         PlatformHandler
+	handler     PlatformHandler
 	debug       bool
 	logMaxLines int
-	workingDirectory        string
+	oomKiller   bool
-	tempDirectory           string
+	// workingDirectory string
-	userID                  int
+	// tempDirectory    string
-	groupID                 int
+	// userID           int
-	systemProxyEnabled      bool
+	// groupID          int
+	// systemProxyEnabled      bool
 	serviceAccess           sync.RWMutex
 	serviceStatus           *ServiceStatus
 	serviceStatusSubscriber *observable.Subscriber[*ServiceStatus]
@@ -50,49 +50,57 @@ type StartedService struct {
 	logSubscriber           *observable.Subscriber[*log.Entry]
 	logObserver             *observable.Observer[*log.Entry]
 	instance                *Instance
+	startedAt               time.Time
 	urlTestSubscriber       *observable.Subscriber[struct{}]
 	urlTestObserver         *observable.Observer[struct{}]
 	urlTestHistoryStorage   *urltest.HistoryStorage
 	clashModeSubscriber     *observable.Subscriber[struct{}]
 	clashModeObserver       *observable.Observer[struct{}]
+
+	connectionEventSubscriber *observable.Subscriber[trafficontrol.ConnectionEvent]
+	connectionEventObserver   *observable.Observer[trafficontrol.ConnectionEvent]
 }
 
 type ServiceOptions struct {
 	Context context.Context
-	Platform           PlatformInterface
+	// Platform           adapter.PlatformInterface
-	PlatformHandler    PlatformHandler
+	Handler     PlatformHandler
 	Debug       bool
 	LogMaxLines int
-	WorkingDirectory   string
+	OOMKiller   bool
-	TempDirectory      string
+	// WorkingDirectory   string
-	UserID             int
+	// TempDirectory      string
-	GroupID            int
+	// UserID             int
-	SystemProxyEnabled bool
+	// GroupID            int
+	// SystemProxyEnabled bool
 }
 
 func NewStartedService(options ServiceOptions) *StartedService {
 	s := &StartedService{
 		ctx: options.Context,
-		platform:                options.Platform,
+		// platform:                options.Platform,
-		platformHandler:         options.PlatformHandler,
+		handler:     options.Handler,
 		debug:       options.Debug,
 		logMaxLines: options.LogMaxLines,
-		workingDirectory:        options.WorkingDirectory,
+		oomKiller:   options.OOMKiller,
-		tempDirectory:           options.TempDirectory,
+		// workingDirectory: options.WorkingDirectory,
-		userID:                  options.UserID,
+		// tempDirectory:    options.TempDirectory,
-		groupID:                 options.GroupID,
+		// userID:           options.UserID,
-		systemProxyEnabled:      options.SystemProxyEnabled,
+		// groupID:          options.GroupID,
+		// systemProxyEnabled:      options.SystemProxyEnabled,
 		serviceStatus:             &ServiceStatus{Status: ServiceStatus_IDLE},
 		serviceStatusSubscriber:   observable.NewSubscriber[*ServiceStatus](4),
 		logSubscriber:             observable.NewSubscriber[*log.Entry](128),
 		urlTestSubscriber:         observable.NewSubscriber[struct{}](1),
 		urlTestHistoryStorage:     urltest.NewHistoryStorage(),
 		clashModeSubscriber:       observable.NewSubscriber[struct{}](1),
+		connectionEventSubscriber: observable.NewSubscriber[trafficontrol.ConnectionEvent](256),
 	}
 	s.serviceStatusObserver = observable.NewObserver(s.serviceStatusSubscriber, 2)
 	s.logObserver = observable.NewObserver(s.logSubscriber, 64)
 	s.urlTestObserver = observable.NewObserver(s.urlTestSubscriber, 1)
 	s.clashModeObserver = observable.NewObserver(s.clashModeSubscriber, 1)
+	s.connectionEventObserver = observable.NewObserver(s.connectionEventSubscriber, 64)
 	return s
 }
 
@@ -117,6 +125,46 @@ func (s *StartedService) updateStatusError(err error) error {
 	return err
 }
 
+func (s *StartedService) waitForStarted(ctx context.Context) error {
+	s.serviceAccess.RLock()
+	currentStatus := s.serviceStatus.Status
+	s.serviceAccess.RUnlock()
+
+	switch currentStatus {
+	case ServiceStatus_STARTED:
+		return nil
+	case ServiceStatus_STARTING:
+	default:
+		return os.ErrInvalid
+	}
+
+	subscription, done, err := s.serviceStatusObserver.Subscribe()
+	if err != nil {
+		return err
+	}
+	defer s.serviceStatusObserver.UnSubscribe(subscription)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-s.ctx.Done():
+			return s.ctx.Err()
+		case status := <-subscription:
+			switch status.Status {
+			case ServiceStatus_STARTED:
+				return nil
+			case ServiceStatus_FATAL:
+				return E.New(status.ErrorMessage)
+			case ServiceStatus_IDLE, ServiceStatus_STOPPING:
+				return os.ErrInvalid
+			}
+		case <-done:
+			return os.ErrClosed
+		}
+	}
+}
+
 func (s *StartedService) StartOrReloadService(profileContent string, options *OverrideOptions) error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
@@ -125,6 +173,13 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 		s.serviceAccess.Unlock()
 		return os.ErrInvalid
 	}
+	oldInstance := s.instance
+	if oldInstance != nil {
+		s.updateStatus(ServiceStatus_STOPPING)
+		s.serviceAccess.Unlock()
+		_ = oldInstance.Close()
+		s.serviceAccess.Lock()
+	}
 	s.updateStatus(ServiceStatus_STARTING)
 	s.resetLogs()
 	instance, err := s.newInstance(profileContent, options)
@@ -132,6 +187,11 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 		return s.updateStatusError(err)
 	}
 	s.instance = instance
+	instance.urlTestHistoryStorage.SetHook(s.urlTestSubscriber)
+	if instance.clashServer != nil {
+		instance.clashServer.SetModeUpdateHook(s.clashModeSubscriber)
+		instance.clashServer.(*clashapi.Server).TrafficManager().SetEventHook(s.connectionEventSubscriber)
+	}
 	s.serviceAccess.Unlock()
 	err = instance.Start()
 	s.serviceAccess.Lock()
@@ -142,12 +202,21 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 	if err != nil {
 		return s.updateStatusError(err)
 	}
+	s.startedAt = time.Now()
 	s.updateStatus(ServiceStatus_STARTED)
 	s.serviceAccess.Unlock()
 	runtime.GC()
 	return nil
 }
 
+func (s *StartedService) Close() {
+	s.serviceStatusSubscriber.Close()
+	s.logSubscriber.Close()
+	s.urlTestSubscriber.Close()
+	s.clashModeSubscriber.Close()
+	s.connectionEventSubscriber.Close()
+}
+
 func (s *StartedService) CloseService() error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
@@ -164,6 +233,7 @@ func (s *StartedService) CloseService() error {
 		}
 	}
 	s.instance = nil
+	s.startedAt = time.Time{}
 	s.updateStatus(ServiceStatus_IDLE)
 	s.serviceAccess.Unlock()
 	runtime.GC()
@@ -173,12 +243,11 @@ func (s *StartedService) CloseService() error {
 func (s *StartedService) SetError(err error) {
 	s.serviceAccess.Lock()
 	s.updateStatusError(err)
-	s.serviceAccess.Unlock()
 	s.WriteMessage(log.LevelError, err.Error())
 }
 
 func (s *StartedService) StopService(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
-	err := s.platformHandler.ServiceStop()
+	err := s.handler.ServiceStop()
 	if err != nil {
 		return nil, err
 	}
@@ -186,7 +255,7 @@ func (s *StartedService) StopService(ctx context.Context, empty *emptypb.Empty)
 }
 
 func (s *StartedService) ReloadService(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
-	err := s.platformHandler.ServiceReload()
+	err := s.handler.ServiceReload()
 	if err != nil {
 		return nil, err
 	}
@@ -227,8 +296,8 @@ func (s *StartedService) SubscribeLog(empty *emptypb.Empty, server grpc.ServerSt
 	for element := s.logLines.Front(); element != nil; element = element.Next() {
 		savedLines = append(savedLines, element.Value)
 	}
-	s.logAccess.Unlock()
 	subscription, done, err := s.logObserver.Subscribe()
+	s.logAccess.Unlock()
 	if err != nil {
 		return err
 	}
@@ -252,30 +321,33 @@ func (s *StartedService) SubscribeLog(empty *emptypb.Empty, server grpc.ServerSt
 		case <-server.Context().Done():
 			return server.Context().Err()
 		case message := <-subscription:
+			var rawMessage Log
 			if message == nil {
-				err = server.Send(&Log{Reset_: true})
+				rawMessage.Reset_ = true
-				if err != nil {
+			} else {
-					return err
+				rawMessage.Messages = append(rawMessage.Messages, &Log_Message{
-				}
-				continue
-			}
-			messages := []*Log_Message{{
 					Level:   LogLevel(message.Level),
 					Message: message.Message,
-			}}
+				})
+			}
 		fetch:
 			for {
 				select {
 				case message = <-subscription:
-					messages = append(messages, &Log_Message{
+					if message == nil {
+						rawMessage.Messages = nil
+						rawMessage.Reset_ = true
+					} else {
+						rawMessage.Messages = append(rawMessage.Messages, &Log_Message{
 							Level:   LogLevel(message.Level),
 							Message: message.Message,
 						})
+					}
 				default:
 					break fetch
 				}
 			}
-			err = server.Send(&Log{Messages: messages})
+			err = server.Send(&rawMessage)
 			if err != nil {
 				return err
 			}
@@ -298,6 +370,11 @@ func (s *StartedService) GetDefaultLogLevel(ctx context.Context, empty *emptypb.
 	return &DefaultLogLevel{Level: LogLevel(logLevel)}, nil
 }
 
+func (s *StartedService) ClearLogs(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
+	s.resetLogs()
+	return &emptypb.Empty{}, nil
+}
+
 func (s *StartedService) SubscribeStatus(request *SubscribeStatusRequest, server grpc.ServerStreamingServer[Status]) error {
 	interval := time.Duration(request.Interval)
 	if interval <= 0 {
@@ -332,10 +409,14 @@ func (s *StartedService) SubscribeStatus(request *SubscribeStatusRequest, server
 
 func (s *StartedService) readStatus() *Status {
 	var status Status
-	status.Memory = memory.Inuse()
+	status.Memory = memory.Total()
 	status.Goroutines = int32(runtime.NumGoroutine())
-	status.ConnectionsOut = int32(conntrack.Count())
+	s.serviceAccess.RLock()
 	nowService := s.instance
+	s.serviceAccess.RUnlock()
+	if nowService != nil && nowService.connectionManager != nil {
+		status.ConnectionsOut = int32(nowService.connectionManager.Count())
+	}
 	if nowService != nil {
 		if clashServer := nowService.clashServer; clashServer != nil {
 			status.TrafficAvailable = true
@@ -348,6 +429,10 @@ func (s *StartedService) readStatus() *Status {
 }
 
 func (s *StartedService) SubscribeGroups(empty *emptypb.Empty, server grpc.ServerStreamingServer[Groups]) error {
+	err := s.waitForStarted(server.Context())
+	if err != nil {
+		return err
+	}
 	subscription, done, err := s.urlTestObserver.Subscribe()
 	if err != nil {
 		return err
@@ -355,18 +440,16 @@ func (s *StartedService) SubscribeGroups(empty *emptypb.Empty, server grpc.Serve
 	defer s.urlTestObserver.UnSubscribe(subscription)
 	for {
 		s.serviceAccess.RLock()
-		switch s.serviceStatus.Status {
+		if s.serviceStatus.Status != ServiceStatus_STARTED {
-		case ServiceStatus_STARTING, ServiceStatus_STARTED:
+			s.serviceAccess.RUnlock()
+			return os.ErrInvalid
+		}
 		groups := s.readGroups()
 		s.serviceAccess.RUnlock()
 		err = server.Send(groups)
 		if err != nil {
 			return err
 		}
-		default:
-			s.serviceAccess.RUnlock()
-			return os.ErrInvalid
-		}
 		select {
 		case <-subscription:
 		case <-s.ctx.Done():
@@ -443,12 +526,27 @@ func (s *StartedService) GetClashModeStatus(ctx context.Context, empty *emptypb.
 }
 
 func (s *StartedService) SubscribeClashMode(empty *emptypb.Empty, server grpc.ServerStreamingServer[ClashMode]) error {
+	err := s.waitForStarted(server.Context())
+	if err != nil {
+		return err
+	}
 	subscription, done, err := s.clashModeObserver.Subscribe()
 	if err != nil {
 		return err
 	}
 	defer s.clashModeObserver.UnSubscribe(subscription)
 	for {
+		s.serviceAccess.RLock()
+		if s.serviceStatus.Status != ServiceStatus_STARTED {
+			s.serviceAccess.RUnlock()
+			return os.ErrInvalid
+		}
+		message := &ClashMode{Mode: s.instance.clashServer.Mode()}
+		s.serviceAccess.RUnlock()
+		err = server.Send(message)
+		if err != nil {
+			return err
+		}
 		select {
 		case <-subscription:
 		case <-s.ctx.Done():
@@ -458,16 +556,6 @@ func (s *StartedService) SubscribeClashMode(empty *emptypb.Empty, server grpc.Se
 		case <-done:
 			return nil
 		}
-		s.serviceAccess.RLock()
-		if s.serviceStatus.Status != ServiceStatus_STARTED {
-			return nil
-		}
-		message := &ClashMode{Mode: s.instance.clashServer.Mode()}
-		s.serviceAccess.RUnlock()
-		err = server.Send(message)
-		if err != nil {
-			return err
-		}
 	}
 }
 
@@ -504,12 +592,7 @@ func (s *StartedService) URLTest(ctx context.Context, request *URLTestRequest) (
 	if isURLTest {
 		go urlTest.CheckOutbounds()
 	} else {
-		var historyStorage adapter.URLTestHistoryStorage
+		historyStorage := boxService.urlTestHistoryStorage
-		if s.instance.clashServer != nil {
-			historyStorage = s.instance.clashServer.HistoryStorage()
-		} else {
-			return nil, E.New("Clash API is required for URLTest on non-URLTest group")
-		}
 
 		outbounds := common.Filter(common.Map(outboundGroup.All(), func(it string) adapter.Outbound {
 			itOutbound, _ := boxService.instance.Outbound().Outbound(it)
@@ -566,6 +649,7 @@ func (s *StartedService) SelectOutbound(ctx context.Context, request *SelectOutb
 	if !selector.SelectOutbound(request.OutboundTag) {
 		return nil, E.New("outbound not found in selector: ", request.OutboundTag)
 	}
+	s.urlTestObserver.Emit(struct{}{})
 	return &emptypb.Empty{}, nil
 }
 
@@ -589,91 +673,290 @@ func (s *StartedService) SetGroupExpand(ctx context.Context, request *SetGroupEx
 }
 
 func (s *StartedService) GetSystemProxyStatus(ctx context.Context, empty *emptypb.Empty) (*SystemProxyStatus, error) {
-	return s.platformHandler.SystemProxyStatus()
+	return s.handler.SystemProxyStatus()
 }
 
 func (s *StartedService) SetSystemProxyEnabled(ctx context.Context, request *SetSystemProxyEnabledRequest) (*emptypb.Empty, error) {
-	err := s.platformHandler.SetSystemProxyEnabled(request.Enabled)
+	err := s.handler.SetSystemProxyEnabled(request.Enabled)
 	if err != nil {
 		return nil, err
 	}
 	return nil, err
 }
 
-func (s *StartedService) SubscribeConnections(request *SubscribeConnectionsRequest, server grpc.ServerStreamingServer[Connections]) error {
+func (s *StartedService) SubscribeConnections(request *SubscribeConnectionsRequest, server grpc.ServerStreamingServer[ConnectionEvents]) error {
-	s.serviceAccess.RLock()
+	err := s.waitForStarted(server.Context())
-	switch s.serviceStatus.Status {
-	case ServiceStatus_STARTING, ServiceStatus_STARTED:
-	default:
-		s.serviceAccess.RUnlock()
-		return os.ErrInvalid
-	}
-	boxService := s.instance
-	s.serviceAccess.RUnlock()
-	ticker := time.NewTicker(time.Duration(request.Interval))
-	defer ticker.Stop()
-	trafficManager := boxService.clashServer.(*clashapi.Server).TrafficManager()
-	var (
-		connections    = make(map[uuid.UUID]*Connection)
-		outConnections []*Connection
-	)
-	for {
-		outConnections = outConnections[:0]
-		for _, connection := range trafficManager.Connections() {
-			outConnections = append(outConnections, newConnection(connections, connection, false))
-		}
-		for _, connection := range trafficManager.ClosedConnections() {
-			outConnections = append(outConnections, newConnection(connections, connection, true))
-		}
-		err := server.Send(&Connections{Connections: outConnections})
 	if err != nil {
 		return err
 	}
+	s.serviceAccess.RLock()
+	boxService := s.instance
+	s.serviceAccess.RUnlock()
+
+	if boxService.clashServer == nil {
+		return E.New("clash server not available")
+	}
+
+	trafficManager := boxService.clashServer.(*clashapi.Server).TrafficManager()
+
+	subscription, done, err := s.connectionEventObserver.Subscribe()
+	if err != nil {
+		return err
+	}
+	defer s.connectionEventObserver.UnSubscribe(subscription)
+
+	connectionSnapshots := make(map[uuid.UUID]connectionSnapshot)
+	initialEvents := s.buildInitialConnectionState(trafficManager, connectionSnapshots)
+	err = server.Send(&ConnectionEvents{
+		Events: initialEvents,
+		Reset_: true,
+	})
+	if err != nil {
+		return err
+	}
+
+	interval := time.Duration(request.Interval)
+	if interval <= 0 {
+		interval = time.Second
+	}
+	ticker := time.NewTicker(interval)
+	defer ticker.Stop()
+
+	for {
 		select {
 		case <-s.ctx.Done():
 			return s.ctx.Err()
 		case <-server.Context().Done():
 			return server.Context().Err()
+		case <-done:
+			return nil
+
+		case event := <-subscription:
+			var pendingEvents []*ConnectionEvent
+			if protoEvent := s.applyConnectionEvent(event, connectionSnapshots); protoEvent != nil {
+				pendingEvents = append(pendingEvents, protoEvent)
+			}
+		drain:
+			for {
+				select {
+				case event = <-subscription:
+					if protoEvent := s.applyConnectionEvent(event, connectionSnapshots); protoEvent != nil {
+						pendingEvents = append(pendingEvents, protoEvent)
+					}
+				default:
+					break drain
+				}
+			}
+			if len(pendingEvents) > 0 {
+				err = server.Send(&ConnectionEvents{Events: pendingEvents})
+				if err != nil {
+					return err
+				}
+			}
+
 		case <-ticker.C:
+			protoEvents := s.buildTrafficUpdates(trafficManager, connectionSnapshots)
+			if len(protoEvents) == 0 {
+				continue
+			}
+			err = server.Send(&ConnectionEvents{Events: protoEvents})
+			if err != nil {
+				return err
+			}
 		}
 	}
 }
 
-func newConnection(connections map[uuid.UUID]*Connection, metadata trafficontrol.TrackerMetadata, isClosed bool) *Connection {
+type connectionSnapshot struct {
-	if oldConnection, loaded := connections[metadata.ID]; loaded {
+	uplink     int64
-		if isClosed {
+	downlink   int64
-			if oldConnection.ClosedAt == 0 {
+	hadTraffic bool
-				oldConnection.Uplink = 0
+}
-				oldConnection.Downlink = 0
+
-				oldConnection.ClosedAt = metadata.ClosedAt.UnixMilli()
+func (s *StartedService) buildInitialConnectionState(manager *trafficontrol.Manager, snapshots map[uuid.UUID]connectionSnapshot) []*ConnectionEvent {
+	var events []*ConnectionEvent
+
+	for _, metadata := range manager.Connections() {
+		events = append(events, &ConnectionEvent{
+			Type:       ConnectionEventType_CONNECTION_EVENT_NEW,
+			Id:         metadata.ID.String(),
+			Connection: buildConnectionProto(metadata),
+		})
+		snapshots[metadata.ID] = connectionSnapshot{
+			uplink:   metadata.Upload.Load(),
+			downlink: metadata.Download.Load(),
 		}
-			return oldConnection
 	}
-		lastUplink := oldConnection.UplinkTotal
+
-		lastDownlink := oldConnection.DownlinkTotal
+	for _, metadata := range manager.ClosedConnections() {
-		uplinkTotal := metadata.Upload.Load()
+		conn := buildConnectionProto(metadata)
-		downlinkTotal := metadata.Download.Load()
+		conn.ClosedAt = metadata.ClosedAt.UnixMilli()
-		oldConnection.Uplink = uplinkTotal - lastUplink
+		events = append(events, &ConnectionEvent{
-		oldConnection.Downlink = downlinkTotal - lastDownlink
+			Type:       ConnectionEventType_CONNECTION_EVENT_NEW,
-		oldConnection.UplinkTotal = uplinkTotal
+			Id:         metadata.ID.String(),
-		oldConnection.DownlinkTotal = downlinkTotal
+			Connection: conn,
-		return oldConnection
+		})
 	}
+
+	return events
+}
+
+func (s *StartedService) applyConnectionEvent(event trafficontrol.ConnectionEvent, snapshots map[uuid.UUID]connectionSnapshot) *ConnectionEvent {
+	switch event.Type {
+	case trafficontrol.ConnectionEventNew:
+		if _, exists := snapshots[event.ID]; exists {
+			return nil
+		}
+		snapshots[event.ID] = connectionSnapshot{
+			uplink:   event.Metadata.Upload.Load(),
+			downlink: event.Metadata.Download.Load(),
+		}
+		return &ConnectionEvent{
+			Type:       ConnectionEventType_CONNECTION_EVENT_NEW,
+			Id:         event.ID.String(),
+			Connection: buildConnectionProto(event.Metadata),
+		}
+	case trafficontrol.ConnectionEventClosed:
+		delete(snapshots, event.ID)
+		protoEvent := &ConnectionEvent{
+			Type: ConnectionEventType_CONNECTION_EVENT_CLOSED,
+			Id:   event.ID.String(),
+		}
+		closedAt := event.ClosedAt
+		if closedAt.IsZero() && !event.Metadata.ClosedAt.IsZero() {
+			closedAt = event.Metadata.ClosedAt
+		}
+		if closedAt.IsZero() {
+			closedAt = time.Now()
+		}
+		protoEvent.ClosedAt = closedAt.UnixMilli()
+		if event.Metadata.ID != uuid.Nil {
+			conn := buildConnectionProto(event.Metadata)
+			conn.ClosedAt = protoEvent.ClosedAt
+			protoEvent.Connection = conn
+		}
+		return protoEvent
+	default:
+		return nil
+	}
+}
+
+func (s *StartedService) buildTrafficUpdates(manager *trafficontrol.Manager, snapshots map[uuid.UUID]connectionSnapshot) []*ConnectionEvent {
+	activeConnections := manager.Connections()
+	activeIndex := make(map[uuid.UUID]*trafficontrol.TrackerMetadata, len(activeConnections))
+	var events []*ConnectionEvent
+
+	for _, metadata := range activeConnections {
+		activeIndex[metadata.ID] = metadata
+		currentUpload := metadata.Upload.Load()
+		currentDownload := metadata.Download.Load()
+		snapshot, exists := snapshots[metadata.ID]
+		if !exists {
+			snapshots[metadata.ID] = connectionSnapshot{
+				uplink:   currentUpload,
+				downlink: currentDownload,
+			}
+			events = append(events, &ConnectionEvent{
+				Type:       ConnectionEventType_CONNECTION_EVENT_NEW,
+				Id:         metadata.ID.String(),
+				Connection: buildConnectionProto(metadata),
+			})
+			continue
+		}
+		uplinkDelta := currentUpload - snapshot.uplink
+		downlinkDelta := currentDownload - snapshot.downlink
+		if uplinkDelta < 0 || downlinkDelta < 0 {
+			if snapshot.hadTraffic {
+				events = append(events, &ConnectionEvent{
+					Type:          ConnectionEventType_CONNECTION_EVENT_UPDATE,
+					Id:            metadata.ID.String(),
+					UplinkDelta:   0,
+					DownlinkDelta: 0,
+				})
+			}
+			snapshot.uplink = currentUpload
+			snapshot.downlink = currentDownload
+			snapshot.hadTraffic = false
+			snapshots[metadata.ID] = snapshot
+			continue
+		}
+		if uplinkDelta > 0 || downlinkDelta > 0 {
+			snapshot.uplink = currentUpload
+			snapshot.downlink = currentDownload
+			snapshot.hadTraffic = true
+			snapshots[metadata.ID] = snapshot
+			events = append(events, &ConnectionEvent{
+				Type:          ConnectionEventType_CONNECTION_EVENT_UPDATE,
+				Id:            metadata.ID.String(),
+				UplinkDelta:   uplinkDelta,
+				DownlinkDelta: downlinkDelta,
+			})
+			continue
+		}
+		if snapshot.hadTraffic {
+			snapshot.uplink = currentUpload
+			snapshot.downlink = currentDownload
+			snapshot.hadTraffic = false
+			snapshots[metadata.ID] = snapshot
+			events = append(events, &ConnectionEvent{
+				Type:          ConnectionEventType_CONNECTION_EVENT_UPDATE,
+				Id:            metadata.ID.String(),
+				UplinkDelta:   0,
+				DownlinkDelta: 0,
+			})
+		}
+	}
+
+	var closedIndex map[uuid.UUID]*trafficontrol.TrackerMetadata
+	for id := range snapshots {
+		if _, exists := activeIndex[id]; exists {
+			continue
+		}
+		if closedIndex == nil {
+			closedIndex = make(map[uuid.UUID]*trafficontrol.TrackerMetadata)
+			for _, metadata := range manager.ClosedConnections() {
+				closedIndex[metadata.ID] = metadata
+			}
+		}
+		closedAt := time.Now()
+		var conn *Connection
+		if metadata, ok := closedIndex[id]; ok {
+			if !metadata.ClosedAt.IsZero() {
+				closedAt = metadata.ClosedAt
+			}
+			conn = buildConnectionProto(metadata)
+			conn.ClosedAt = closedAt.UnixMilli()
+		}
+		events = append(events, &ConnectionEvent{
+			Type:       ConnectionEventType_CONNECTION_EVENT_CLOSED,
+			Id:         id.String(),
+			ClosedAt:   closedAt.UnixMilli(),
+			Connection: conn,
+		})
+		delete(snapshots, id)
+	}
+
+	return events
+}
+
+func buildConnectionProto(metadata *trafficontrol.TrackerMetadata) *Connection {
 	var rule string
 	if metadata.Rule != nil {
 		rule = metadata.Rule.String()
 	}
 	uplinkTotal := metadata.Upload.Load()
 	downlinkTotal := metadata.Download.Load()
-	uplink := uplinkTotal
+	var processInfo *ProcessInfo
-	downlink := downlinkTotal
+	if metadata.Metadata.ProcessInfo != nil {
-	var closedAt int64
+		processInfo = &ProcessInfo{
-	if !metadata.ClosedAt.IsZero() {
+			ProcessId:   metadata.Metadata.ProcessInfo.ProcessID,
-		closedAt = metadata.ClosedAt.UnixMilli()
+			UserId:      metadata.Metadata.ProcessInfo.UserId,
-		uplink = 0
+			UserName:    metadata.Metadata.ProcessInfo.UserName,
-		downlink = 0
+			ProcessPath: metadata.Metadata.ProcessInfo.ProcessPath,
+			PackageName: metadata.Metadata.ProcessInfo.AndroidPackageName,
 		}
-	connection := &Connection{
+	}
+	return &Connection{
 		Id:            metadata.ID.String(),
 		Inbound:       metadata.Metadata.Inbound,
 		InboundType:   metadata.Metadata.InboundType,
@@ -686,18 +969,14 @@ func newConnection(connections map[uuid.UUID]*Connection, metadata trafficontrol
 		User:          metadata.Metadata.User,
 		FromOutbound:  metadata.Metadata.Outbound,
 		CreatedAt:     metadata.CreatedAt.UnixMilli(),
-		ClosedAt:      closedAt,
-		Uplink:        uplink,
-		Downlink:      downlink,
 		UplinkTotal:   uplinkTotal,
 		DownlinkTotal: downlinkTotal,
 		Rule:          rule,
 		Outbound:      metadata.Outbound,
 		OutboundType:  metadata.OutboundType,
 		ChainList:     metadata.Chain,
+		ProcessInfo:   processInfo,
 	}
-	connections[metadata.ID] = connection
-	return connection
 }
 
 func (s *StartedService) CloseConnection(ctx context.Context, request *CloseConnectionRequest) (*emptypb.Empty, error) {
@@ -718,7 +997,12 @@ func (s *StartedService) CloseConnection(ctx context.Context, request *CloseConn
 }
 
 func (s *StartedService) CloseAllConnections(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
-	conntrack.Close()
+	s.serviceAccess.RLock()
+	nowService := s.instance
+	s.serviceAccess.RUnlock()
+	if nowService != nil && nowService.connectionManager != nil {
+		nowService.connectionManager.CloseAll()
+	}
 	return &emptypb.Empty{}, nil
 }
 
@@ -742,12 +1026,10 @@ func (s *StartedService) GetDeprecatedWarnings(ctx context.Context, empty *empty
 	}, nil
 }
 
-func (s *StartedService) SubscribeHelperEvents(empty *emptypb.Empty, server grpc.ServerStreamingServer[HelperRequest]) error {
+func (s *StartedService) GetStartedAt(ctx context.Context, empty *emptypb.Empty) (*StartedAt, error) {
-	return os.ErrInvalid
+	s.serviceAccess.RLock()
-}
+	defer s.serviceAccess.RUnlock()
-
+	return &StartedAt{StartedAt: s.startedAt.UnixMilli()}, nil
-func (s *StartedService) SendHelperResponse(ctx context.Context, response *HelperResponse) (*emptypb.Empty, error) {
-	return nil, os.ErrInvalid
 }
 
 func (s *StartedService) mustEmbedUnimplementedStartedServiceServer() {
@@ -755,15 +1037,15 @@ func (s *StartedService) mustEmbedUnimplementedStartedServiceServer() {
 
 func (s *StartedService) WriteMessage(level log.Level, message string) {
 	item := &log.Entry{Level: level, Message: message}
-	s.logSubscriber.Emit(item)
 	s.logAccess.Lock()
 	s.logLines.PushBack(item)
 	if s.logLines.Len() > s.logMaxLines {
 		s.logLines.Remove(s.logLines.Front())
 	}
 	s.logAccess.Unlock()
+	s.logSubscriber.Emit(item)
 	if s.debug {
-		s.platformHandler.WriteDebugMessage(message)
+		s.handler.WriteDebugMessage(message)
 	}
 }
 

daemon/started_service.pb.go

@@ -78,104 +78,55 @@ func (LogLevel) EnumDescriptor() ([]byte, []int) {
 	return file_daemon_started_service_proto_rawDescGZIP(), []int{0}
 }
 
-type ConnectionFilter int32
+type ConnectionEventType int32
 
 const (
-	ConnectionFilter_ALL    ConnectionFilter = 0
+	ConnectionEventType_CONNECTION_EVENT_NEW    ConnectionEventType = 0
-	ConnectionFilter_ACTIVE ConnectionFilter = 1
+	ConnectionEventType_CONNECTION_EVENT_UPDATE ConnectionEventType = 1
-	ConnectionFilter_CLOSED ConnectionFilter = 2
+	ConnectionEventType_CONNECTION_EVENT_CLOSED ConnectionEventType = 2
 )
 
-// Enum value maps for ConnectionFilter.
+// Enum value maps for ConnectionEventType.
 var (
-	ConnectionFilter_name = map[int32]string{
+	ConnectionEventType_name = map[int32]string{
-		0: "ALL",
+		0: "CONNECTION_EVENT_NEW",
-		1: "ACTIVE",
+		1: "CONNECTION_EVENT_UPDATE",
-		2: "CLOSED",
+		2: "CONNECTION_EVENT_CLOSED",
 	}
-	ConnectionFilter_value = map[string]int32{
+	ConnectionEventType_value = map[string]int32{
-		"ALL":    0,
+		"CONNECTION_EVENT_NEW":    0,
-		"ACTIVE": 1,
+		"CONNECTION_EVENT_UPDATE": 1,
-		"CLOSED": 2,
+		"CONNECTION_EVENT_CLOSED": 2,
 	}
 )
 
-func (x ConnectionFilter) Enum() *ConnectionFilter {
+func (x ConnectionEventType) Enum() *ConnectionEventType {
-	p := new(ConnectionFilter)
+	p := new(ConnectionEventType)
 	*p = x
 	return p
 }
 
-func (x ConnectionFilter) String() string {
+func (x ConnectionEventType) String() string {
 	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
 }
 
-func (ConnectionFilter) Descriptor() protoreflect.EnumDescriptor {
+func (ConnectionEventType) Descriptor() protoreflect.EnumDescriptor {
 	return file_daemon_started_service_proto_enumTypes[1].Descriptor()
 }
 
-func (ConnectionFilter) Type() protoreflect.EnumType {
+func (ConnectionEventType) Type() protoreflect.EnumType {
 	return &file_daemon_started_service_proto_enumTypes[1]
 }
 
-func (x ConnectionFilter) Number() protoreflect.EnumNumber {
+func (x ConnectionEventType) Number() protoreflect.EnumNumber {
 	return protoreflect.EnumNumber(x)
 }
 
-// Deprecated: Use ConnectionFilter.Descriptor instead.
+// Deprecated: Use ConnectionEventType.Descriptor instead.
-func (ConnectionFilter) EnumDescriptor() ([]byte, []int) {
+func (ConnectionEventType) EnumDescriptor() ([]byte, []int) {
 	return file_daemon_started_service_proto_rawDescGZIP(), []int{1}
 }
 
-type ConnectionSortBy int32
-
-const (
-	ConnectionSortBy_DATE          ConnectionSortBy = 0
-	ConnectionSortBy_TRAFFIC       ConnectionSortBy = 1
-	ConnectionSortBy_TOTAL_TRAFFIC ConnectionSortBy = 2
-)
-
-// Enum value maps for ConnectionSortBy.
-var (
-	ConnectionSortBy_name = map[int32]string{
-		0: "DATE",
-		1: "TRAFFIC",
-		2: "TOTAL_TRAFFIC",
-	}
-	ConnectionSortBy_value = map[string]int32{
-		"DATE":          0,
-		"TRAFFIC":       1,
-		"TOTAL_TRAFFIC": 2,
-	}
-)
-
-func (x ConnectionSortBy) Enum() *ConnectionSortBy {
-	p := new(ConnectionSortBy)
-	*p = x
-	return p
-}
-
-func (x ConnectionSortBy) String() string {
-	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
-}
-
-func (ConnectionSortBy) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_started_service_proto_enumTypes[2].Descriptor()
-}
-
-func (ConnectionSortBy) Type() protoreflect.EnumType {
-	return &file_daemon_started_service_proto_enumTypes[2]
-}
-
-func (x ConnectionSortBy) Number() protoreflect.EnumNumber {
-	return protoreflect.EnumNumber(x)
-}
-
-// Deprecated: Use ConnectionSortBy.Descriptor instead.
-func (ConnectionSortBy) EnumDescriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{2}
-}
-
 type ServiceStatus_Type int32
 
 const (
@@ -215,11 +166,11 @@ func (x ServiceStatus_Type) String() string {
 }
 
 func (ServiceStatus_Type) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_started_service_proto_enumTypes[3].Descriptor()
+	return file_daemon_started_service_proto_enumTypes[2].Descriptor()
 }
 
 func (ServiceStatus_Type) Type() protoreflect.EnumType {
-	return &file_daemon_started_service_proto_enumTypes[3]
+	return &file_daemon_started_service_proto_enumTypes[2]
 }
 
 func (x ServiceStatus_Type) Number() protoreflect.EnumNumber {
@@ -1114,8 +1065,6 @@ func (x *SetSystemProxyEnabledRequest) GetEnabled() bool {
 type SubscribeConnectionsRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Interval      int64                  `protobuf:"varint,1,opt,name=interval,proto3" json:"interval,omitempty"`
-	Filter        ConnectionFilter       `protobuf:"varint,2,opt,name=filter,proto3,enum=daemon.ConnectionFilter" json:"filter,omitempty"`
-	SortBy        ConnectionSortBy       `protobuf:"varint,3,opt,name=sortBy,proto3,enum=daemon.ConnectionSortBy" json:"sortBy,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -1157,41 +1106,32 @@ func (x *SubscribeConnectionsRequest) GetInterval() int64 {
 	return 0
 }
 
-func (x *SubscribeConnectionsRequest) GetFilter() ConnectionFilter {
+type ConnectionEvent struct {
-	if x != nil {
-		return x.Filter
-	}
-	return ConnectionFilter_ALL
-}
-
-func (x *SubscribeConnectionsRequest) GetSortBy() ConnectionSortBy {
-	if x != nil {
-		return x.SortBy
-	}
-	return ConnectionSortBy_DATE
-}
-
-type Connections struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
-	Connections   []*Connection          `protobuf:"bytes,1,rep,name=connections,proto3" json:"connections,omitempty"`
+	Type          ConnectionEventType    `protobuf:"varint,1,opt,name=type,proto3,enum=daemon.ConnectionEventType" json:"type,omitempty"`
+	Id            string                 `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
+	Connection    *Connection            `protobuf:"bytes,3,opt,name=connection,proto3" json:"connection,omitempty"`
+	UplinkDelta   int64                  `protobuf:"varint,4,opt,name=uplinkDelta,proto3" json:"uplinkDelta,omitempty"`
+	DownlinkDelta int64                  `protobuf:"varint,5,opt,name=downlinkDelta,proto3" json:"downlinkDelta,omitempty"`
+	ClosedAt      int64                  `protobuf:"varint,6,opt,name=closedAt,proto3" json:"closedAt,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 
-func (x *Connections) Reset() {
+func (x *ConnectionEvent) Reset() {
-	*x = Connections{}
+	*x = ConnectionEvent{}
 	mi := &file_daemon_started_service_proto_msgTypes[17]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 
-func (x *Connections) String() string {
+func (x *ConnectionEvent) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 
-func (*Connections) ProtoMessage() {}
+func (*ConnectionEvent) ProtoMessage() {}
 
-func (x *Connections) ProtoReflect() protoreflect.Message {
+func (x *ConnectionEvent) ProtoReflect() protoreflect.Message {
 	mi := &file_daemon_started_service_proto_msgTypes[17]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -1203,18 +1143,105 @@ func (x *Connections) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }
 
-// Deprecated: Use Connections.ProtoReflect.Descriptor instead.
+// Deprecated: Use ConnectionEvent.ProtoReflect.Descriptor instead.
-func (*Connections) Descriptor() ([]byte, []int) {
+func (*ConnectionEvent) Descriptor() ([]byte, []int) {
 	return file_daemon_started_service_proto_rawDescGZIP(), []int{17}
 }
 
-func (x *Connections) GetConnections() []*Connection {
+func (x *ConnectionEvent) GetType() ConnectionEventType {
 	if x != nil {
-		return x.Connections
+		return x.Type
+	}
+	return ConnectionEventType_CONNECTION_EVENT_NEW
+}
+
+func (x *ConnectionEvent) GetId() string {
+	if x != nil {
+		return x.Id
+	}
+	return ""
+}
+
+func (x *ConnectionEvent) GetConnection() *Connection {
+	if x != nil {
+		return x.Connection
 	}
 	return nil
 }
 
+func (x *ConnectionEvent) GetUplinkDelta() int64 {
+	if x != nil {
+		return x.UplinkDelta
+	}
+	return 0
+}
+
+func (x *ConnectionEvent) GetDownlinkDelta() int64 {
+	if x != nil {
+		return x.DownlinkDelta
+	}
+	return 0
+}
+
+func (x *ConnectionEvent) GetClosedAt() int64 {
+	if x != nil {
+		return x.ClosedAt
+	}
+	return 0
+}
+
+type ConnectionEvents struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Events        []*ConnectionEvent     `protobuf:"bytes,1,rep,name=events,proto3" json:"events,omitempty"`
+	Reset_        bool                   `protobuf:"varint,2,opt,name=reset,proto3" json:"reset,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ConnectionEvents) Reset() {
+	*x = ConnectionEvents{}
+	mi := &file_daemon_started_service_proto_msgTypes[18]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ConnectionEvents) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ConnectionEvents) ProtoMessage() {}
+
+func (x *ConnectionEvents) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[18]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ConnectionEvents.ProtoReflect.Descriptor instead.
+func (*ConnectionEvents) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{18}
+}
+
+func (x *ConnectionEvents) GetEvents() []*ConnectionEvent {
+	if x != nil {
+		return x.Events
+	}
+	return nil
+}
+
+func (x *ConnectionEvents) GetReset_() bool {
+	if x != nil {
+		return x.Reset_
+	}
+	return false
+}
+
 type Connection struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Id            string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
@@ -1238,13 +1265,14 @@ type Connection struct {
 	Outbound      string                 `protobuf:"bytes,19,opt,name=outbound,proto3" json:"outbound,omitempty"`
 	OutboundType  string                 `protobuf:"bytes,20,opt,name=outboundType,proto3" json:"outboundType,omitempty"`
 	ChainList     []string               `protobuf:"bytes,21,rep,name=chainList,proto3" json:"chainList,omitempty"`
+	ProcessInfo   *ProcessInfo           `protobuf:"bytes,22,opt,name=processInfo,proto3" json:"processInfo,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 
 func (x *Connection) Reset() {
 	*x = Connection{}
-	mi := &file_daemon_started_service_proto_msgTypes[18]
+	mi := &file_daemon_started_service_proto_msgTypes[19]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1256,7 +1284,7 @@ func (x *Connection) String() string {
 func (*Connection) ProtoMessage() {}
 
 func (x *Connection) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[18]
+	mi := &file_daemon_started_service_proto_msgTypes[19]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1269,7 +1297,7 @@ func (x *Connection) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use Connection.ProtoReflect.Descriptor instead.
 func (*Connection) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{18}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{19}
 }
 
 func (x *Connection) GetId() string {
@@ -1419,6 +1447,89 @@ func (x *Connection) GetChainList() []string {
 	return nil
 }
 
+func (x *Connection) GetProcessInfo() *ProcessInfo {
+	if x != nil {
+		return x.ProcessInfo
+	}
+	return nil
+}
+
+type ProcessInfo struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	ProcessId     uint32                 `protobuf:"varint,1,opt,name=processId,proto3" json:"processId,omitempty"`
+	UserId        int32                  `protobuf:"varint,2,opt,name=userId,proto3" json:"userId,omitempty"`
+	UserName      string                 `protobuf:"bytes,3,opt,name=userName,proto3" json:"userName,omitempty"`
+	ProcessPath   string                 `protobuf:"bytes,4,opt,name=processPath,proto3" json:"processPath,omitempty"`
+	PackageName   string                 `protobuf:"bytes,5,opt,name=packageName,proto3" json:"packageName,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ProcessInfo) Reset() {
+	*x = ProcessInfo{}
+	mi := &file_daemon_started_service_proto_msgTypes[20]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ProcessInfo) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ProcessInfo) ProtoMessage() {}
+
+func (x *ProcessInfo) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[20]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ProcessInfo.ProtoReflect.Descriptor instead.
+func (*ProcessInfo) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{20}
+}
+
+func (x *ProcessInfo) GetProcessId() uint32 {
+	if x != nil {
+		return x.ProcessId
+	}
+	return 0
+}
+
+func (x *ProcessInfo) GetUserId() int32 {
+	if x != nil {
+		return x.UserId
+	}
+	return 0
+}
+
+func (x *ProcessInfo) GetUserName() string {
+	if x != nil {
+		return x.UserName
+	}
+	return ""
+}
+
+func (x *ProcessInfo) GetProcessPath() string {
+	if x != nil {
+		return x.ProcessPath
+	}
+	return ""
+}
+
+func (x *ProcessInfo) GetPackageName() string {
+	if x != nil {
+		return x.PackageName
+	}
+	return ""
+}
+
 type CloseConnectionRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Id            string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
@@ -1428,7 +1539,7 @@ type CloseConnectionRequest struct {
 
 func (x *CloseConnectionRequest) Reset() {
 	*x = CloseConnectionRequest{}
-	mi := &file_daemon_started_service_proto_msgTypes[19]
+	mi := &file_daemon_started_service_proto_msgTypes[21]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1440,7 +1551,7 @@ func (x *CloseConnectionRequest) String() string {
 func (*CloseConnectionRequest) ProtoMessage() {}
 
 func (x *CloseConnectionRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[19]
+	mi := &file_daemon_started_service_proto_msgTypes[21]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1453,7 +1564,7 @@ func (x *CloseConnectionRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use CloseConnectionRequest.ProtoReflect.Descriptor instead.
 func (*CloseConnectionRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{19}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{21}
 }
 
 func (x *CloseConnectionRequest) GetId() string {
@@ -1472,7 +1583,7 @@ type DeprecatedWarnings struct {
 
 func (x *DeprecatedWarnings) Reset() {
 	*x = DeprecatedWarnings{}
-	mi := &file_daemon_started_service_proto_msgTypes[20]
+	mi := &file_daemon_started_service_proto_msgTypes[22]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1484,7 +1595,7 @@ func (x *DeprecatedWarnings) String() string {
 func (*DeprecatedWarnings) ProtoMessage() {}
 
 func (x *DeprecatedWarnings) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[20]
+	mi := &file_daemon_started_service_proto_msgTypes[22]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1497,7 +1608,7 @@ func (x *DeprecatedWarnings) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use DeprecatedWarnings.ProtoReflect.Descriptor instead.
 func (*DeprecatedWarnings) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{20}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{22}
 }
 
 func (x *DeprecatedWarnings) GetWarnings() []*DeprecatedWarning {
@@ -1518,7 +1629,7 @@ type DeprecatedWarning struct {
 
 func (x *DeprecatedWarning) Reset() {
 	*x = DeprecatedWarning{}
-	mi := &file_daemon_started_service_proto_msgTypes[21]
+	mi := &file_daemon_started_service_proto_msgTypes[23]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1530,7 +1641,7 @@ func (x *DeprecatedWarning) String() string {
 func (*DeprecatedWarning) ProtoMessage() {}
 
 func (x *DeprecatedWarning) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[21]
+	mi := &file_daemon_started_service_proto_msgTypes[23]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1543,7 +1654,7 @@ func (x *DeprecatedWarning) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use DeprecatedWarning.ProtoReflect.Descriptor instead.
 func (*DeprecatedWarning) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{21}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{23}
 }
 
 func (x *DeprecatedWarning) GetMessage() string {
@@ -1567,6 +1678,50 @@ func (x *DeprecatedWarning) GetMigrationLink() string {
 	return ""
 }
 
+type StartedAt struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	StartedAt     int64                  `protobuf:"varint,1,opt,name=startedAt,proto3" json:"startedAt,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *StartedAt) Reset() {
+	*x = StartedAt{}
+	mi := &file_daemon_started_service_proto_msgTypes[24]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *StartedAt) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StartedAt) ProtoMessage() {}
+
+func (x *StartedAt) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[24]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StartedAt.ProtoReflect.Descriptor instead.
+func (*StartedAt) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{24}
+}
+
+func (x *StartedAt) GetStartedAt() int64 {
+	if x != nil {
+		return x.StartedAt
+	}
+	return 0
+}
+
 type Log_Message struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Level         LogLevel               `protobuf:"varint,1,opt,name=level,proto3,enum=daemon.LogLevel" json:"level,omitempty"`
@@ -1577,7 +1732,7 @@ type Log_Message struct {
 
 func (x *Log_Message) Reset() {
 	*x = Log_Message{}
-	mi := &file_daemon_started_service_proto_msgTypes[22]
+	mi := &file_daemon_started_service_proto_msgTypes[25]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1589,7 +1744,7 @@ func (x *Log_Message) String() string {
 func (*Log_Message) ProtoMessage() {}
 
 func (x *Log_Message) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[22]
+	mi := &file_daemon_started_service_proto_msgTypes[25]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1623,7 +1778,7 @@ var File_daemon_started_service_proto protoreflect.FileDescriptor
 
 const file_daemon_started_service_proto_rawDesc = "" +
 	"\n" +
-	"\x1cdaemon/started_service.proto\x12\x06daemon\x1a\x1bgoogle/protobuf/empty.proto\x1a\x13daemon/helper.proto\"\xad\x01\n" +
+	"\x1cdaemon/started_service.proto\x12\x06daemon\x1a\x1bgoogle/protobuf/empty.proto\"\xad\x01\n" +
 	"\rServiceStatus\x122\n" +
 	"\x06status\x18\x01 \x01(\x0e2\x1a.daemon.ServiceStatus.TypeR\x06status\x12\"\n" +
 	"\ferrorMessage\x18\x02 \x01(\tR\ferrorMessage\"D\n" +
@@ -1690,13 +1845,21 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\tavailable\x18\x01 \x01(\bR\tavailable\x12\x18\n" +
 	"\aenabled\x18\x02 \x01(\bR\aenabled\"8\n" +
 	"\x1cSetSystemProxyEnabledRequest\x12\x18\n" +
-	"\aenabled\x18\x01 \x01(\bR\aenabled\"\x9d\x01\n" +
+	"\aenabled\x18\x01 \x01(\bR\aenabled\"9\n" +
 	"\x1bSubscribeConnectionsRequest\x12\x1a\n" +
-	"\binterval\x18\x01 \x01(\x03R\binterval\x120\n" +
+	"\binterval\x18\x01 \x01(\x03R\binterval\"\xea\x01\n" +
-	"\x06filter\x18\x02 \x01(\x0e2\x18.daemon.ConnectionFilterR\x06filter\x120\n" +
+	"\x0fConnectionEvent\x12/\n" +
-	"\x06sortBy\x18\x03 \x01(\x0e2\x18.daemon.ConnectionSortByR\x06sortBy\"C\n" +
+	"\x04type\x18\x01 \x01(\x0e2\x1b.daemon.ConnectionEventTypeR\x04type\x12\x0e\n" +
-	"\vConnections\x124\n" +
+	"\x02id\x18\x02 \x01(\tR\x02id\x122\n" +
-	"\vconnections\x18\x01 \x03(\v2\x12.daemon.ConnectionR\vconnections\"\xde\x04\n" +
+	"\n" +
+	"connection\x18\x03 \x01(\v2\x12.daemon.ConnectionR\n" +
+	"connection\x12 \n" +
+	"\vuplinkDelta\x18\x04 \x01(\x03R\vuplinkDelta\x12$\n" +
+	"\rdownlinkDelta\x18\x05 \x01(\x03R\rdownlinkDelta\x12\x1a\n" +
+	"\bclosedAt\x18\x06 \x01(\x03R\bclosedAt\"Y\n" +
+	"\x10ConnectionEvents\x12/\n" +
+	"\x06events\x18\x01 \x03(\v2\x17.daemon.ConnectionEventR\x06events\x12\x14\n" +
+	"\x05reset\x18\x02 \x01(\bR\x05reset\"\x95\x05\n" +
 	"\n" +
 	"Connection\x12\x0e\n" +
 	"\x02id\x18\x01 \x01(\tR\x02id\x12\x18\n" +
@@ -1720,7 +1883,14 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x04rule\x18\x12 \x01(\tR\x04rule\x12\x1a\n" +
 	"\boutbound\x18\x13 \x01(\tR\boutbound\x12\"\n" +
 	"\foutboundType\x18\x14 \x01(\tR\foutboundType\x12\x1c\n" +
-	"\tchainList\x18\x15 \x03(\tR\tchainList\"(\n" +
+	"\tchainList\x18\x15 \x03(\tR\tchainList\x125\n" +
+	"\vprocessInfo\x18\x16 \x01(\v2\x13.daemon.ProcessInfoR\vprocessInfo\"\xa3\x01\n" +
+	"\vProcessInfo\x12\x1c\n" +
+	"\tprocessId\x18\x01 \x01(\rR\tprocessId\x12\x16\n" +
+	"\x06userId\x18\x02 \x01(\x05R\x06userId\x12\x1a\n" +
+	"\buserName\x18\x03 \x01(\tR\buserName\x12 \n" +
+	"\vprocessPath\x18\x04 \x01(\tR\vprocessPath\x12 \n" +
+	"\vpackageName\x18\x05 \x01(\tR\vpackageName\"(\n" +
 	"\x16CloseConnectionRequest\x12\x0e\n" +
 	"\x02id\x18\x01 \x01(\tR\x02id\"K\n" +
 	"\x12DeprecatedWarnings\x125\n" +
@@ -1728,7 +1898,9 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x11DeprecatedWarning\x12\x18\n" +
 	"\amessage\x18\x01 \x01(\tR\amessage\x12\x1c\n" +
 	"\timpending\x18\x02 \x01(\bR\timpending\x12$\n" +
-	"\rmigrationLink\x18\x03 \x01(\tR\rmigrationLink*U\n" +
+	"\rmigrationLink\x18\x03 \x01(\tR\rmigrationLink\")\n" +
+	"\tStartedAt\x12\x1c\n" +
+	"\tstartedAt\x18\x01 \x01(\x03R\tstartedAt*U\n" +
 	"\bLogLevel\x12\t\n" +
 	"\x05PANIC\x10\x00\x12\t\n" +
 	"\x05FATAL\x10\x01\x12\t\n" +
@@ -1736,23 +1908,18 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x04WARN\x10\x03\x12\b\n" +
 	"\x04INFO\x10\x04\x12\t\n" +
 	"\x05DEBUG\x10\x05\x12\t\n" +
-	"\x05TRACE\x10\x06*3\n" +
+	"\x05TRACE\x10\x06*i\n" +
-	"\x10ConnectionFilter\x12\a\n" +
+	"\x13ConnectionEventType\x12\x18\n" +
-	"\x03ALL\x10\x00\x12\n" +
+	"\x14CONNECTION_EVENT_NEW\x10\x00\x12\x1b\n" +
-	"\n" +
+	"\x17CONNECTION_EVENT_UPDATE\x10\x01\x12\x1b\n" +
-	"\x06ACTIVE\x10\x01\x12\n" +
+	"\x17CONNECTION_EVENT_CLOSED\x10\x022\xe5\v\n" +
-	"\n" +
-	"\x06CLOSED\x10\x02*<\n" +
-	"\x10ConnectionSortBy\x12\b\n" +
-	"\x04DATE\x10\x00\x12\v\n" +
-	"\aTRAFFIC\x10\x01\x12\x11\n" +
-	"\rTOTAL_TRAFFIC\x10\x022\xf8\v\n" +
 	"\x0eStartedService\x12=\n" +
 	"\vStopService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12?\n" +
 	"\rReloadService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12K\n" +
 	"\x16SubscribeServiceStatus\x12\x16.google.protobuf.Empty\x1a\x15.daemon.ServiceStatus\"\x000\x01\x127\n" +
 	"\fSubscribeLog\x12\x16.google.protobuf.Empty\x1a\v.daemon.Log\"\x000\x01\x12G\n" +
-	"\x12GetDefaultLogLevel\x12\x16.google.protobuf.Empty\x1a\x17.daemon.DefaultLogLevel\"\x00\x12E\n" +
+	"\x12GetDefaultLogLevel\x12\x16.google.protobuf.Empty\x1a\x17.daemon.DefaultLogLevel\"\x00\x12=\n" +
+	"\tClearLogs\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\"\x00\x12E\n" +
 	"\x0fSubscribeStatus\x12\x1e.daemon.SubscribeStatusRequest\x1a\x0e.daemon.Status\"\x000\x01\x12=\n" +
 	"\x0fSubscribeGroups\x12\x16.google.protobuf.Empty\x1a\x0e.daemon.Groups\"\x000\x01\x12G\n" +
 	"\x12GetClashModeStatus\x12\x16.google.protobuf.Empty\x1a\x17.daemon.ClashModeStatus\"\x00\x12C\n" +
@@ -1762,13 +1929,12 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x0eSelectOutbound\x12\x1d.daemon.SelectOutboundRequest\x1a\x16.google.protobuf.Empty\"\x00\x12I\n" +
 	"\x0eSetGroupExpand\x12\x1d.daemon.SetGroupExpandRequest\x1a\x16.google.protobuf.Empty\"\x00\x12K\n" +
 	"\x14GetSystemProxyStatus\x12\x16.google.protobuf.Empty\x1a\x19.daemon.SystemProxyStatus\"\x00\x12W\n" +
-	"\x15SetSystemProxyEnabled\x12$.daemon.SetSystemProxyEnabledRequest\x1a\x16.google.protobuf.Empty\"\x00\x12T\n" +
+	"\x15SetSystemProxyEnabled\x12$.daemon.SetSystemProxyEnabledRequest\x1a\x16.google.protobuf.Empty\"\x00\x12Y\n" +
-	"\x14SubscribeConnections\x12#.daemon.SubscribeConnectionsRequest\x1a\x13.daemon.Connections\"\x000\x01\x12K\n" +
+	"\x14SubscribeConnections\x12#.daemon.SubscribeConnectionsRequest\x1a\x18.daemon.ConnectionEvents\"\x000\x01\x12K\n" +
 	"\x0fCloseConnection\x12\x1e.daemon.CloseConnectionRequest\x1a\x16.google.protobuf.Empty\"\x00\x12G\n" +
 	"\x13CloseAllConnections\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\"\x00\x12M\n" +
-	"\x15GetDeprecatedWarnings\x12\x16.google.protobuf.Empty\x1a\x1a.daemon.DeprecatedWarnings\"\x00\x12J\n" +
+	"\x15GetDeprecatedWarnings\x12\x16.google.protobuf.Empty\x1a\x1a.daemon.DeprecatedWarnings\"\x00\x12;\n" +
-	"\x15SubscribeHelperEvents\x12\x16.google.protobuf.Empty\x1a\x15.daemon.HelperRequest\"\x000\x01\x12F\n" +
+	"\fGetStartedAt\x12\x16.google.protobuf.Empty\x1a\x11.daemon.StartedAt\"\x00B%Z#github.com/sagernet/sing-box/daemonb\x06proto3"
-	"\x12SendHelperResponse\x12\x16.daemon.HelperResponse\x1a\x16.google.protobuf.Empty\"\x00B%Z#github.com/sagernet/sing-box/daemonb\x06proto3"
 
 var (
 	file_daemon_started_service_proto_rawDescOnce sync.Once
@@ -1783,100 +1949,101 @@ func file_daemon_started_service_proto_rawDescGZIP() []byte {
 }
 
 var (
-	file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
+	file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 23)
+	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 26)
 	file_daemon_started_service_proto_goTypes   = []any{
 		(LogLevel)(0),                        // 0: daemon.LogLevel
-		(ConnectionFilter)(0),                // 1: daemon.ConnectionFilter
+		(ConnectionEventType)(0),             // 1: daemon.ConnectionEventType
-		(ConnectionSortBy)(0),                // 2: daemon.ConnectionSortBy
+		(ServiceStatus_Type)(0),              // 2: daemon.ServiceStatus.Type
-		(ServiceStatus_Type)(0),              // 3: daemon.ServiceStatus.Type
+		(*ServiceStatus)(nil),                // 3: daemon.ServiceStatus
-		(*ServiceStatus)(nil),                // 4: daemon.ServiceStatus
+		(*ReloadServiceRequest)(nil),         // 4: daemon.ReloadServiceRequest
-		(*ReloadServiceRequest)(nil),         // 5: daemon.ReloadServiceRequest
+		(*SubscribeStatusRequest)(nil),       // 5: daemon.SubscribeStatusRequest
-		(*SubscribeStatusRequest)(nil),       // 6: daemon.SubscribeStatusRequest
+		(*Log)(nil),                          // 6: daemon.Log
-		(*Log)(nil),                          // 7: daemon.Log
+		(*DefaultLogLevel)(nil),              // 7: daemon.DefaultLogLevel
-		(*DefaultLogLevel)(nil),              // 8: daemon.DefaultLogLevel
+		(*Status)(nil),                       // 8: daemon.Status
-		(*Status)(nil),                       // 9: daemon.Status
+		(*Groups)(nil),                       // 9: daemon.Groups
-		(*Groups)(nil),                       // 10: daemon.Groups
+		(*Group)(nil),                        // 10: daemon.Group
-		(*Group)(nil),                        // 11: daemon.Group
+		(*GroupItem)(nil),                    // 11: daemon.GroupItem
-		(*GroupItem)(nil),                    // 12: daemon.GroupItem
+		(*URLTestRequest)(nil),               // 12: daemon.URLTestRequest
-		(*URLTestRequest)(nil),               // 13: daemon.URLTestRequest
+		(*SelectOutboundRequest)(nil),        // 13: daemon.SelectOutboundRequest
-		(*SelectOutboundRequest)(nil),        // 14: daemon.SelectOutboundRequest
+		(*SetGroupExpandRequest)(nil),        // 14: daemon.SetGroupExpandRequest
-		(*SetGroupExpandRequest)(nil),        // 15: daemon.SetGroupExpandRequest
+		(*ClashMode)(nil),                    // 15: daemon.ClashMode
-		(*ClashMode)(nil),                    // 16: daemon.ClashMode
+		(*ClashModeStatus)(nil),              // 16: daemon.ClashModeStatus
-		(*ClashModeStatus)(nil),              // 17: daemon.ClashModeStatus
+		(*SystemProxyStatus)(nil),            // 17: daemon.SystemProxyStatus
-		(*SystemProxyStatus)(nil),            // 18: daemon.SystemProxyStatus
+		(*SetSystemProxyEnabledRequest)(nil), // 18: daemon.SetSystemProxyEnabledRequest
-		(*SetSystemProxyEnabledRequest)(nil), // 19: daemon.SetSystemProxyEnabledRequest
+		(*SubscribeConnectionsRequest)(nil),  // 19: daemon.SubscribeConnectionsRequest
-		(*SubscribeConnectionsRequest)(nil),  // 20: daemon.SubscribeConnectionsRequest
+		(*ConnectionEvent)(nil),              // 20: daemon.ConnectionEvent
-		(*Connections)(nil),                  // 21: daemon.Connections
+		(*ConnectionEvents)(nil),             // 21: daemon.ConnectionEvents
 		(*Connection)(nil),                   // 22: daemon.Connection
-		(*CloseConnectionRequest)(nil),       // 23: daemon.CloseConnectionRequest
+		(*ProcessInfo)(nil),                  // 23: daemon.ProcessInfo
-		(*DeprecatedWarnings)(nil),           // 24: daemon.DeprecatedWarnings
+		(*CloseConnectionRequest)(nil),       // 24: daemon.CloseConnectionRequest
-		(*DeprecatedWarning)(nil),            // 25: daemon.DeprecatedWarning
+		(*DeprecatedWarnings)(nil),           // 25: daemon.DeprecatedWarnings
-		(*Log_Message)(nil),                  // 26: daemon.Log.Message
+		(*DeprecatedWarning)(nil),            // 26: daemon.DeprecatedWarning
-		(*emptypb.Empty)(nil),                // 27: google.protobuf.Empty
+		(*StartedAt)(nil),                    // 27: daemon.StartedAt
-		(*HelperResponse)(nil),               // 28: daemon.HelperResponse
+		(*Log_Message)(nil),                  // 28: daemon.Log.Message
-		(*HelperRequest)(nil),                // 29: daemon.HelperRequest
+		(*emptypb.Empty)(nil),                // 29: google.protobuf.Empty
 	}
 )
 
 var file_daemon_started_service_proto_depIdxs = []int32{
-	3,  // 0: daemon.ServiceStatus.status:type_name -> daemon.ServiceStatus.Type
+	2,  // 0: daemon.ServiceStatus.status:type_name -> daemon.ServiceStatus.Type
-	26, // 1: daemon.Log.messages:type_name -> daemon.Log.Message
+	28, // 1: daemon.Log.messages:type_name -> daemon.Log.Message
 	0,  // 2: daemon.DefaultLogLevel.level:type_name -> daemon.LogLevel
-	11, // 3: daemon.Groups.group:type_name -> daemon.Group
+	10, // 3: daemon.Groups.group:type_name -> daemon.Group
-	12, // 4: daemon.Group.items:type_name -> daemon.GroupItem
+	11, // 4: daemon.Group.items:type_name -> daemon.GroupItem
-	1,  // 5: daemon.SubscribeConnectionsRequest.filter:type_name -> daemon.ConnectionFilter
+	1,  // 5: daemon.ConnectionEvent.type:type_name -> daemon.ConnectionEventType
-	2,  // 6: daemon.SubscribeConnectionsRequest.sortBy:type_name -> daemon.ConnectionSortBy
+	22, // 6: daemon.ConnectionEvent.connection:type_name -> daemon.Connection
-	22, // 7: daemon.Connections.connections:type_name -> daemon.Connection
+	20, // 7: daemon.ConnectionEvents.events:type_name -> daemon.ConnectionEvent
-	25, // 8: daemon.DeprecatedWarnings.warnings:type_name -> daemon.DeprecatedWarning
+	23, // 8: daemon.Connection.processInfo:type_name -> daemon.ProcessInfo
-	0,  // 9: daemon.Log.Message.level:type_name -> daemon.LogLevel
+	26, // 9: daemon.DeprecatedWarnings.warnings:type_name -> daemon.DeprecatedWarning
-	27, // 10: daemon.StartedService.StopService:input_type -> google.protobuf.Empty
+	0,  // 10: daemon.Log.Message.level:type_name -> daemon.LogLevel
-	27, // 11: daemon.StartedService.ReloadService:input_type -> google.protobuf.Empty
+	29, // 11: daemon.StartedService.StopService:input_type -> google.protobuf.Empty
-	27, // 12: daemon.StartedService.SubscribeServiceStatus:input_type -> google.protobuf.Empty
+	29, // 12: daemon.StartedService.ReloadService:input_type -> google.protobuf.Empty
-	27, // 13: daemon.StartedService.SubscribeLog:input_type -> google.protobuf.Empty
+	29, // 13: daemon.StartedService.SubscribeServiceStatus:input_type -> google.protobuf.Empty
-	27, // 14: daemon.StartedService.GetDefaultLogLevel:input_type -> google.protobuf.Empty
+	29, // 14: daemon.StartedService.SubscribeLog:input_type -> google.protobuf.Empty
-	6,  // 15: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
+	29, // 15: daemon.StartedService.GetDefaultLogLevel:input_type -> google.protobuf.Empty
-	27, // 16: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
+	29, // 16: daemon.StartedService.ClearLogs:input_type -> google.protobuf.Empty
-	27, // 17: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
+	5,  // 17: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
-	27, // 18: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
+	29, // 18: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
-	16, // 19: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
+	29, // 19: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
-	13, // 20: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
+	29, // 20: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
-	14, // 21: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
+	15, // 21: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
-	15, // 22: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
+	12, // 22: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
-	27, // 23: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
+	13, // 23: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
-	19, // 24: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
+	14, // 24: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
-	20, // 25: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
+	29, // 25: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
-	23, // 26: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
+	18, // 26: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
-	27, // 27: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
+	19, // 27: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
-	27, // 28: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
+	24, // 28: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
-	27, // 29: daemon.StartedService.SubscribeHelperEvents:input_type -> google.protobuf.Empty
+	29, // 29: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
-	28, // 30: daemon.StartedService.SendHelperResponse:input_type -> daemon.HelperResponse
+	29, // 30: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
-	27, // 31: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
+	29, // 31: daemon.StartedService.GetStartedAt:input_type -> google.protobuf.Empty
-	27, // 32: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
+	29, // 32: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
-	4,  // 33: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
+	29, // 33: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
-	7,  // 34: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
+	3,  // 34: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
-	8,  // 35: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
+	6,  // 35: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
-	9,  // 36: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
+	7,  // 36: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
-	10, // 37: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
+	29, // 37: daemon.StartedService.ClearLogs:output_type -> google.protobuf.Empty
-	17, // 38: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
+	8,  // 38: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
-	16, // 39: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
+	9,  // 39: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
-	27, // 40: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
+	16, // 40: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
-	27, // 41: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
+	15, // 41: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
-	27, // 42: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
+	29, // 42: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
-	27, // 43: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
+	29, // 43: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
-	18, // 44: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
+	29, // 44: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
-	27, // 45: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
+	29, // 45: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
-	21, // 46: daemon.StartedService.SubscribeConnections:output_type -> daemon.Connections
+	17, // 46: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
-	27, // 47: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
+	29, // 47: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
-	27, // 48: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
+	21, // 48: daemon.StartedService.SubscribeConnections:output_type -> daemon.ConnectionEvents
-	24, // 49: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
+	29, // 49: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
-	29, // 50: daemon.StartedService.SubscribeHelperEvents:output_type -> daemon.HelperRequest
+	29, // 50: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
-	27, // 51: daemon.StartedService.SendHelperResponse:output_type -> google.protobuf.Empty
+	25, // 51: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
-	31, // [31:52] is the sub-list for method output_type
+	27, // 52: daemon.StartedService.GetStartedAt:output_type -> daemon.StartedAt
-	10, // [10:31] is the sub-list for method input_type
+	32, // [32:53] is the sub-list for method output_type
-	10, // [10:10] is the sub-list for extension type_name
+	11, // [11:32] is the sub-list for method input_type
-	10, // [10:10] is the sub-list for extension extendee
+	11, // [11:11] is the sub-list for extension type_name
-	0,  // [0:10] is the sub-list for field type_name
+	11, // [11:11] is the sub-list for extension extendee
+	0,  // [0:11] is the sub-list for field type_name
 }
 
 func init() { file_daemon_started_service_proto_init() }
@@ -1884,14 +2051,13 @@ func file_daemon_started_service_proto_init() {
 	if File_daemon_started_service_proto != nil {
 		return
 	}
-	file_daemon_helper_proto_init()
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_started_service_proto_rawDesc), len(file_daemon_started_service_proto_rawDesc)),
-			NumEnums:      4,
+			NumEnums:      3,
-			NumMessages:   23,
+			NumMessages:   26,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

daemon/started_service.proto

@@ -4,7 +4,6 @@ package daemon;
 option go_package = "github.com/sagernet/sing-box/daemon";
 
 import "google/protobuf/empty.proto";
-import "daemon/helper.proto";
 
 service StartedService {
   rpc StopService(google.protobuf.Empty) returns (google.protobuf.Empty);
@@ -13,6 +12,7 @@ service StartedService {
   rpc SubscribeServiceStatus(google.protobuf.Empty) returns(stream ServiceStatus) {}
   rpc SubscribeLog(google.protobuf.Empty) returns(stream Log) {}
   rpc GetDefaultLogLevel(google.protobuf.Empty) returns(DefaultLogLevel) {}
+  rpc ClearLogs(google.protobuf.Empty) returns(google.protobuf.Empty) {}
   rpc SubscribeStatus(SubscribeStatusRequest) returns(stream Status) {}
   rpc SubscribeGroups(google.protobuf.Empty) returns(stream Groups) {}
 
@@ -27,13 +27,11 @@ service StartedService {
   rpc GetSystemProxyStatus(google.protobuf.Empty) returns(SystemProxyStatus) {}
   rpc SetSystemProxyEnabled(SetSystemProxyEnabledRequest) returns(google.protobuf.Empty) {}
 
-  rpc SubscribeConnections(SubscribeConnectionsRequest) returns(stream Connections) {}
+  rpc SubscribeConnections(SubscribeConnectionsRequest) returns(stream ConnectionEvents) {}
   rpc CloseConnection(CloseConnectionRequest) returns(google.protobuf.Empty) {}
   rpc CloseAllConnections(google.protobuf.Empty) returns(google.protobuf.Empty) {}
   rpc GetDeprecatedWarnings(google.protobuf.Empty) returns(DeprecatedWarnings) {}
-
+  rpc GetStartedAt(google.protobuf.Empty) returns(StartedAt) {}
-  rpc SubscribeHelperEvents(google.protobuf.Empty) returns(stream HelperRequest) {}
-  rpc SendHelperResponse(HelperResponse) returns(google.protobuf.Empty) {}
 }
 
 message ServiceStatus {
@@ -145,24 +143,26 @@ message SetSystemProxyEnabledRequest {
 
 message SubscribeConnectionsRequest {
   int64 interval = 1;
-  ConnectionFilter filter = 2;
-  ConnectionSortBy sortBy = 3;
 }
 
-enum ConnectionFilter {
+enum ConnectionEventType {
-  ALL = 0;
+  CONNECTION_EVENT_NEW = 0;
-  ACTIVE = 1;
+  CONNECTION_EVENT_UPDATE = 1;
-  CLOSED = 2;
+  CONNECTION_EVENT_CLOSED = 2;
 }
 
-enum ConnectionSortBy {
+message ConnectionEvent {
-  DATE = 0;
+  ConnectionEventType type = 1;
-  TRAFFIC = 1;
+  string id = 2;
-  TOTAL_TRAFFIC = 2;
+  Connection connection = 3;
+  int64 uplinkDelta = 4;
+  int64 downlinkDelta = 5;
+  int64 closedAt = 6;
 }
 
-message Connections {
+message ConnectionEvents {
-  repeated Connection connections = 1;
+  repeated ConnectionEvent events = 1;
+  bool reset = 2;
 }
 
 message Connection {
@@ -187,6 +187,15 @@ message Connection {
   string outbound = 19;
   string outboundType = 20;
   repeated string chainList = 21;
+  ProcessInfo processInfo = 22;
+}
+
+message ProcessInfo {
+  uint32 processId = 1;
+  int32 userId = 2;
+  string userName = 3;
+  string processPath = 4;
+  string packageName = 5;
 }
 
 message CloseConnectionRequest {
@@ -202,3 +211,7 @@ message DeprecatedWarning {
   bool impending = 2;
   string migrationLink = 3;
 }
+
+message StartedAt {
+  int64 startedAt = 1;
+}

daemon/started_service_grpc.pb.go

@@ -20,6 +20,7 @@ const (
 	StartedService_SubscribeServiceStatus_FullMethodName = "/daemon.StartedService/SubscribeServiceStatus"
 	StartedService_SubscribeLog_FullMethodName           = "/daemon.StartedService/SubscribeLog"
 	StartedService_GetDefaultLogLevel_FullMethodName     = "/daemon.StartedService/GetDefaultLogLevel"
+	StartedService_ClearLogs_FullMethodName              = "/daemon.StartedService/ClearLogs"
 	StartedService_SubscribeStatus_FullMethodName        = "/daemon.StartedService/SubscribeStatus"
 	StartedService_SubscribeGroups_FullMethodName        = "/daemon.StartedService/SubscribeGroups"
 	StartedService_GetClashModeStatus_FullMethodName     = "/daemon.StartedService/GetClashModeStatus"
@@ -34,8 +35,7 @@ const (
 	StartedService_CloseConnection_FullMethodName        = "/daemon.StartedService/CloseConnection"
 	StartedService_CloseAllConnections_FullMethodName    = "/daemon.StartedService/CloseAllConnections"
 	StartedService_GetDeprecatedWarnings_FullMethodName  = "/daemon.StartedService/GetDeprecatedWarnings"
-	StartedService_SubscribeHelperEvents_FullMethodName  = "/daemon.StartedService/SubscribeHelperEvents"
+	StartedService_GetStartedAt_FullMethodName           = "/daemon.StartedService/GetStartedAt"
-	StartedService_SendHelperResponse_FullMethodName     = "/daemon.StartedService/SendHelperResponse"
 )
 
 // StartedServiceClient is the client API for StartedService service.
@@ -47,6 +47,7 @@ type StartedServiceClient interface {
 	SubscribeServiceStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ServiceStatus], error)
 	SubscribeLog(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[Log], error)
 	GetDefaultLogLevel(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*DefaultLogLevel, error)
+	ClearLogs(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	SubscribeStatus(ctx context.Context, in *SubscribeStatusRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[Status], error)
 	SubscribeGroups(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[Groups], error)
 	GetClashModeStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*ClashModeStatus, error)
@@ -57,12 +58,11 @@ type StartedServiceClient interface {
 	SetGroupExpand(ctx context.Context, in *SetGroupExpandRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetSystemProxyStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(ctx context.Context, in *SetSystemProxyEnabledRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
-	SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[Connections], error)
+	SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error)
 	CloseConnection(ctx context.Context, in *CloseConnectionRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	CloseAllConnections(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*DeprecatedWarnings, error)
-	SubscribeHelperEvents(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[HelperRequest], error)
+	GetStartedAt(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*StartedAt, error)
-	SendHelperResponse(ctx context.Context, in *HelperResponse, opts ...grpc.CallOption) (*emptypb.Empty, error)
 }
 
 type startedServiceClient struct {
@@ -141,6 +141,16 @@ func (c *startedServiceClient) GetDefaultLogLevel(ctx context.Context, in *empty
 	return out, nil
 }
 
+func (c *startedServiceClient) ClearLogs(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(emptypb.Empty)
+	err := c.cc.Invoke(ctx, StartedService_ClearLogs_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *startedServiceClient) SubscribeStatus(ctx context.Context, in *SubscribeStatusRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[Status], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[2], StartedService_SubscribeStatus_FullMethodName, cOpts...)
@@ -268,13 +278,13 @@ func (c *startedServiceClient) SetSystemProxyEnabled(ctx context.Context, in *Se
 	return out, nil
 }
 
-func (c *startedServiceClient) SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[Connections], error) {
+func (c *startedServiceClient) SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[5], StartedService_SubscribeConnections_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
-	x := &grpc.GenericClientStream[SubscribeConnectionsRequest, Connections]{ClientStream: stream}
+	x := &grpc.GenericClientStream[SubscribeConnectionsRequest, ConnectionEvents]{ClientStream: stream}
 	if err := x.ClientStream.SendMsg(in); err != nil {
 		return nil, err
 	}
@@ -285,7 +295,7 @@ func (c *startedServiceClient) SubscribeConnections(ctx context.Context, in *Sub
 }
 
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_SubscribeConnectionsClient = grpc.ServerStreamingClient[Connections]
+type StartedService_SubscribeConnectionsClient = grpc.ServerStreamingClient[ConnectionEvents]
 
 func (c *startedServiceClient) CloseConnection(ctx context.Context, in *CloseConnectionRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
@@ -317,29 +327,10 @@ func (c *startedServiceClient) GetDeprecatedWarnings(ctx context.Context, in *em
 	return out, nil
 }
 
-func (c *startedServiceClient) SubscribeHelperEvents(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[HelperRequest], error) {
+func (c *startedServiceClient) GetStartedAt(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*StartedAt, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[6], StartedService_SubscribeHelperEvents_FullMethodName, cOpts...)
+	out := new(StartedAt)
-	if err != nil {
+	err := c.cc.Invoke(ctx, StartedService_GetStartedAt_FullMethodName, in, out, cOpts...)
-		return nil, err
-	}
-	x := &grpc.GenericClientStream[emptypb.Empty, HelperRequest]{ClientStream: stream}
-	if err := x.ClientStream.SendMsg(in); err != nil {
-		return nil, err
-	}
-	if err := x.ClientStream.CloseSend(); err != nil {
-		return nil, err
-	}
-	return x, nil
-}
-
-// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_SubscribeHelperEventsClient = grpc.ServerStreamingClient[HelperRequest]
-
-func (c *startedServiceClient) SendHelperResponse(ctx context.Context, in *HelperResponse, opts ...grpc.CallOption) (*emptypb.Empty, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(emptypb.Empty)
-	err := c.cc.Invoke(ctx, StartedService_SendHelperResponse_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -355,6 +346,7 @@ type StartedServiceServer interface {
 	SubscribeServiceStatus(*emptypb.Empty, grpc.ServerStreamingServer[ServiceStatus]) error
 	SubscribeLog(*emptypb.Empty, grpc.ServerStreamingServer[Log]) error
 	GetDefaultLogLevel(context.Context, *emptypb.Empty) (*DefaultLogLevel, error)
+	ClearLogs(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	SubscribeStatus(*SubscribeStatusRequest, grpc.ServerStreamingServer[Status]) error
 	SubscribeGroups(*emptypb.Empty, grpc.ServerStreamingServer[Groups]) error
 	GetClashModeStatus(context.Context, *emptypb.Empty) (*ClashModeStatus, error)
@@ -365,12 +357,11 @@ type StartedServiceServer interface {
 	SetGroupExpand(context.Context, *SetGroupExpandRequest) (*emptypb.Empty, error)
 	GetSystemProxyStatus(context.Context, *emptypb.Empty) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(context.Context, *SetSystemProxyEnabledRequest) (*emptypb.Empty, error)
-	SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[Connections]) error
+	SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error
 	CloseConnection(context.Context, *CloseConnectionRequest) (*emptypb.Empty, error)
 	CloseAllConnections(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(context.Context, *emptypb.Empty) (*DeprecatedWarnings, error)
-	SubscribeHelperEvents(*emptypb.Empty, grpc.ServerStreamingServer[HelperRequest]) error
+	GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error)
-	SendHelperResponse(context.Context, *HelperResponse) (*emptypb.Empty, error)
 	mustEmbedUnimplementedStartedServiceServer()
 }
 
@@ -382,87 +373,87 @@ type StartedServiceServer interface {
 type UnimplementedStartedServiceServer struct{}
 
 func (UnimplementedStartedServiceServer) StopService(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method StopService not implemented")
+	return nil, status.Error(codes.Unimplemented, "method StopService not implemented")
 }
 
 func (UnimplementedStartedServiceServer) ReloadService(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method ReloadService not implemented")
+	return nil, status.Error(codes.Unimplemented, "method ReloadService not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SubscribeServiceStatus(*emptypb.Empty, grpc.ServerStreamingServer[ServiceStatus]) error {
-	return status.Errorf(codes.Unimplemented, "method SubscribeServiceStatus not implemented")
+	return status.Error(codes.Unimplemented, "method SubscribeServiceStatus not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SubscribeLog(*emptypb.Empty, grpc.ServerStreamingServer[Log]) error {
-	return status.Errorf(codes.Unimplemented, "method SubscribeLog not implemented")
+	return status.Error(codes.Unimplemented, "method SubscribeLog not implemented")
 }
 
 func (UnimplementedStartedServiceServer) GetDefaultLogLevel(context.Context, *emptypb.Empty) (*DefaultLogLevel, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method GetDefaultLogLevel not implemented")
+	return nil, status.Error(codes.Unimplemented, "method GetDefaultLogLevel not implemented")
+}
+
+func (UnimplementedStartedServiceServer) ClearLogs(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
+	return nil, status.Error(codes.Unimplemented, "method ClearLogs not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SubscribeStatus(*SubscribeStatusRequest, grpc.ServerStreamingServer[Status]) error {
-	return status.Errorf(codes.Unimplemented, "method SubscribeStatus not implemented")
+	return status.Error(codes.Unimplemented, "method SubscribeStatus not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SubscribeGroups(*emptypb.Empty, grpc.ServerStreamingServer[Groups]) error {
-	return status.Errorf(codes.Unimplemented, "method SubscribeGroups not implemented")
+	return status.Error(codes.Unimplemented, "method SubscribeGroups not implemented")
 }
 
 func (UnimplementedStartedServiceServer) GetClashModeStatus(context.Context, *emptypb.Empty) (*ClashModeStatus, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method GetClashModeStatus not implemented")
+	return nil, status.Error(codes.Unimplemented, "method GetClashModeStatus not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SubscribeClashMode(*emptypb.Empty, grpc.ServerStreamingServer[ClashMode]) error {
-	return status.Errorf(codes.Unimplemented, "method SubscribeClashMode not implemented")
+	return status.Error(codes.Unimplemented, "method SubscribeClashMode not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SetClashMode(context.Context, *ClashMode) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method SetClashMode not implemented")
+	return nil, status.Error(codes.Unimplemented, "method SetClashMode not implemented")
 }
 
 func (UnimplementedStartedServiceServer) URLTest(context.Context, *URLTestRequest) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method URLTest not implemented")
+	return nil, status.Error(codes.Unimplemented, "method URLTest not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SelectOutbound(context.Context, *SelectOutboundRequest) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method SelectOutbound not implemented")
+	return nil, status.Error(codes.Unimplemented, "method SelectOutbound not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SetGroupExpand(context.Context, *SetGroupExpandRequest) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method SetGroupExpand not implemented")
+	return nil, status.Error(codes.Unimplemented, "method SetGroupExpand not implemented")
 }
 
 func (UnimplementedStartedServiceServer) GetSystemProxyStatus(context.Context, *emptypb.Empty) (*SystemProxyStatus, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method GetSystemProxyStatus not implemented")
+	return nil, status.Error(codes.Unimplemented, "method GetSystemProxyStatus not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SetSystemProxyEnabled(context.Context, *SetSystemProxyEnabledRequest) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method SetSystemProxyEnabled not implemented")
+	return nil, status.Error(codes.Unimplemented, "method SetSystemProxyEnabled not implemented")
 }
 
-func (UnimplementedStartedServiceServer) SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[Connections]) error {
+func (UnimplementedStartedServiceServer) SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error {
-	return status.Errorf(codes.Unimplemented, "method SubscribeConnections not implemented")
+	return status.Error(codes.Unimplemented, "method SubscribeConnections not implemented")
 }
 
 func (UnimplementedStartedServiceServer) CloseConnection(context.Context, *CloseConnectionRequest) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method CloseConnection not implemented")
+	return nil, status.Error(codes.Unimplemented, "method CloseConnection not implemented")
 }
 
 func (UnimplementedStartedServiceServer) CloseAllConnections(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method CloseAllConnections not implemented")
+	return nil, status.Error(codes.Unimplemented, "method CloseAllConnections not implemented")
 }
 
 func (UnimplementedStartedServiceServer) GetDeprecatedWarnings(context.Context, *emptypb.Empty) (*DeprecatedWarnings, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method GetDeprecatedWarnings not implemented")
+	return nil, status.Error(codes.Unimplemented, "method GetDeprecatedWarnings not implemented")
 }
 
-func (UnimplementedStartedServiceServer) SubscribeHelperEvents(*emptypb.Empty, grpc.ServerStreamingServer[HelperRequest]) error {
+func (UnimplementedStartedServiceServer) GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error) {
-	return status.Errorf(codes.Unimplemented, "method SubscribeHelperEvents not implemented")
+	return nil, status.Error(codes.Unimplemented, "method GetStartedAt not implemented")
-}
-
-func (UnimplementedStartedServiceServer) SendHelperResponse(context.Context, *HelperResponse) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method SendHelperResponse not implemented")
 }
 func (UnimplementedStartedServiceServer) mustEmbedUnimplementedStartedServiceServer() {}
 func (UnimplementedStartedServiceServer) testEmbeddedByValue()                        {}
@@ -475,7 +466,7 @@ type UnsafeStartedServiceServer interface {
 }
 
 func RegisterStartedServiceServer(s grpc.ServiceRegistrar, srv StartedServiceServer) {
-	// If the following call pancis, it indicates UnimplementedStartedServiceServer was
+	// If the following call panics, it indicates UnimplementedStartedServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -561,6 +552,24 @@ func _StartedService_GetDefaultLogLevel_Handler(srv interface{}, ctx context.Con
 	return interceptor(ctx, in, info, handler)
 }
 
+func _StartedService_ClearLogs_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(emptypb.Empty)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(StartedServiceServer).ClearLogs(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: StartedService_ClearLogs_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(StartedServiceServer).ClearLogs(ctx, req.(*emptypb.Empty))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _StartedService_SubscribeStatus_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(SubscribeStatusRequest)
 	if err := stream.RecvMsg(m); err != nil {
@@ -725,11 +734,11 @@ func _StartedService_SubscribeConnections_Handler(srv interface{}, stream grpc.S
 	if err := stream.RecvMsg(m); err != nil {
 		return err
 	}
-	return srv.(StartedServiceServer).SubscribeConnections(m, &grpc.GenericServerStream[SubscribeConnectionsRequest, Connections]{ServerStream: stream})
+	return srv.(StartedServiceServer).SubscribeConnections(m, &grpc.GenericServerStream[SubscribeConnectionsRequest, ConnectionEvents]{ServerStream: stream})
 }
 
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_SubscribeConnectionsServer = grpc.ServerStreamingServer[Connections]
+type StartedService_SubscribeConnectionsServer = grpc.ServerStreamingServer[ConnectionEvents]
 
 func _StartedService_CloseConnection_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(CloseConnectionRequest)
@@ -785,31 +794,20 @@ func _StartedService_GetDeprecatedWarnings_Handler(srv interface{}, ctx context.
 	return interceptor(ctx, in, info, handler)
 }
 
-func _StartedService_SubscribeHelperEvents_Handler(srv interface{}, stream grpc.ServerStream) error {
+func _StartedService_GetStartedAt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	m := new(emptypb.Empty)
+	in := new(emptypb.Empty)
-	if err := stream.RecvMsg(m); err != nil {
-		return err
-	}
-	return srv.(StartedServiceServer).SubscribeHelperEvents(m, &grpc.GenericServerStream[emptypb.Empty, HelperRequest]{ServerStream: stream})
-}
-
-// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_SubscribeHelperEventsServer = grpc.ServerStreamingServer[HelperRequest]
-
-func _StartedService_SendHelperResponse_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(HelperResponse)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(StartedServiceServer).SendHelperResponse(ctx, in)
+		return srv.(StartedServiceServer).GetStartedAt(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: StartedService_SendHelperResponse_FullMethodName,
+		FullMethod: StartedService_GetStartedAt_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(StartedServiceServer).SendHelperResponse(ctx, req.(*HelperResponse))
+		return srv.(StartedServiceServer).GetStartedAt(ctx, req.(*emptypb.Empty))
 	}
 	return interceptor(ctx, in, info, handler)
 }
@@ -833,6 +831,10 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetDefaultLogLevel",
 			Handler:    _StartedService_GetDefaultLogLevel_Handler,
 		},
+		{
+			MethodName: "ClearLogs",
+			Handler:    _StartedService_ClearLogs_Handler,
+		},
 		{
 			MethodName: "GetClashModeStatus",
 			Handler:    _StartedService_GetClashModeStatus_Handler,
@@ -874,8 +876,8 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			Handler:    _StartedService_GetDeprecatedWarnings_Handler,
 		},
 		{
-			MethodName: "SendHelperResponse",
+			MethodName: "GetStartedAt",
-			Handler:    _StartedService_SendHelperResponse_Handler,
+			Handler:    _StartedService_GetStartedAt_Handler,
 		},
 	},
 	Streams: []grpc.StreamDesc{
@@ -909,11 +911,6 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			Handler:       _StartedService_SubscribeConnections_Handler,
 			ServerStreams: true,
 		},
-		{
-			StreamName:    "SubscribeHelperEvents",
-			Handler:       _StartedService_SubscribeHelperEvents_Handler,
-			ServerStreams: true,
-		},
 	},
 	Metadata: "daemon/started_service.proto",
 }

debug.go

@@ -3,11 +3,11 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func applyDebugOptions(options option.DebugOptions) {
+func applyDebugOptions(options option.DebugOptions) error {
 	applyDebugListenOption(options)
 	if options.GCPercent != nil {
 		debug.SetGCPercent(*options.GCPercent)
@@ -26,9 +26,9 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit.Value() != 0 {
 		debug.SetMemoryLimit(int64(float64(options.MemoryLimit.Value()) / 1.5))
-		conntrack.MemoryLimit = options.MemoryLimit.Value()
 	}
 	if options.OOMKiller != nil {
-		conntrack.KillerEnabled = *options.OOMKiller
+		return E.New("legacy oom_killer in debug options is removed, use oom-killer service instead")
 	}
+	return nil
 }

dns/client.go

@@ -95,6 +95,20 @@ func (c *Client) Start() {
 	}
 }
 
+func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
+	for _, record := range response.Ns {
+		if soa, isSOA := record.(*dns.SOA); isSOA {
+			soaTTL := soa.Header().Ttl
+			soaMinimum := soa.Minttl
+			if soaTTL < soaMinimum {
+				return soaTTL, true
+			}
+			return soaMinimum, true
+		}
+	}
+	return 0, false
+}
+
 func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
@@ -130,7 +144,11 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		if c.cache != nil {
 			cond, loaded := c.cacheLock.LoadOrStore(question, make(chan struct{}))
 			if loaded {
-				<-cond
+				select {
+				case <-cond:
+				case <-ctx.Done():
+					return nil, ctx.Err()
+				}
 			} else {
 				defer func() {
 					c.cacheLock.Delete(question)
@@ -140,7 +158,11 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		} else if c.transportCache != nil {
 			cond, loaded := c.transportCacheLock.LoadOrStore(question, make(chan struct{}))
 			if loaded {
-				<-cond
+				select {
+				case <-cond:
+				case <-ctx.Done():
+					return nil, ctx.Err()
+				}
 			} else {
 				defer func() {
 					c.transportCacheLock.Delete(question)
@@ -214,12 +236,14 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			response.Answer = append(response.Answer, validResponse.Answer...)
 		}
 	}*/
-	disableCache = disableCache || response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0
+	disableCache = disableCache || (response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError)
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
-		if response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0 {
+		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 			rejected = true
+		} else if len(response.Answer) == 0 {
+			rejected = !responseChecker(nil)
 		} else {
 			rejected = !responseChecker(MessageToAddresses(response))
 		}
@@ -251,6 +275,12 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		}
 	}
 	var timeToLive uint32
+	if len(response.Answer) == 0 {
+		if soaTTL, hasSOA := extractNegativeTTL(response); hasSOA {
+			timeToLive = soaTTL
+		}
+	}
+	if timeToLive == 0 {
 		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 			for _, record := range recordList {
 				if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
@@ -258,6 +288,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 				}
 			}
 		}
+	}
 	if options.RewriteTTL != nil {
 		timeToLive = *options.RewriteTTL
 	}
@@ -293,16 +324,20 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 	} else {
 		strategy = options.Strategy
 	}
+	lookupOptions := options
+	if options.LookupStrategy != C.DomainStrategyAsIS {
+		lookupOptions.Strategy = strategy
+	}
 	if strategy == C.DomainStrategyIPv4Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
 	} else if strategy == C.DomainStrategyIPv6Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
 	}
 	var response4 []netip.Addr
 	var response6 []netip.Addr
 	var group task.Group
 	group.Append("exchange4", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
 		if err != nil {
 			return err
 		}
@@ -310,7 +345,7 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 		return nil
 	})
 	group.Append("exchange6", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
 		if err != nil {
 			return err
 		}
@@ -332,64 +367,6 @@ func (c *Client) ClearCache() {
 	}
 }
 
-func (c *Client) LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool) {
-	if c.disableCache || c.independentCache {
-		return nil, false
-	}
-	if dns.IsFqdn(domain) {
-		domain = domain[:len(domain)-1]
-	}
-	dnsName := dns.Fqdn(domain)
-	if strategy == C.DomainStrategyIPv4Only {
-		addresses, err := c.questionCache(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if err != ErrNotCached {
-			return addresses, true
-		}
-	} else if strategy == C.DomainStrategyIPv6Only {
-		addresses, err := c.questionCache(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeAAAA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if err != ErrNotCached {
-			return addresses, true
-		}
-	} else {
-		response4, _ := c.loadResponse(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		response6, _ := c.loadResponse(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeAAAA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if response4 != nil || response6 != nil {
-			return sortAddresses(MessageToAddresses(response4), MessageToAddresses(response6), strategy), true
-		}
-	}
-	return nil, false
-}
-
-func (c *Client) ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool) {
-	if c.disableCache || c.independentCache || len(message.Question) != 1 {
-		return nil, false
-	}
-	question := message.Question[0]
-	response, ttl := c.loadResponse(question, nil)
-	if response == nil {
-		return nil, false
-	}
-	logCachedResponse(c.logger, ctx, response, ttl)
-	response.Id = message.Id
-	return response, true
-}
-
 func sortAddresses(response4 []netip.Addr, response6 []netip.Addr, strategy C.DomainStrategy) []netip.Addr {
 	if strategy == C.DomainStrategyPreferIPv6 {
 		return append(response6, response4...)

dns/router.go

@@ -195,7 +195,16 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 			}
 		}
 	}
-	return r.transport.Default(), nil, -1
+	transport := r.transport.Default()
+	if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+		if options.Strategy == C.DomainStrategyAsIS {
+			options.Strategy = legacyTransport.LegacyStrategy()
+		}
+		if !options.ClientSubnet.IsValid() {
+			options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+		}
+	}
+	return transport, nil, -1
 }
 
 func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
@@ -213,11 +222,10 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	}
 	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
 	var (
+		response  *mDNS.Msg
 		transport adapter.DNSTransport
 		err       error
 	)
-	response, cached := r.client.ExchangeCache(ctx, message)
-	if !cached {
 	var metadata *adapter.InboundContext
 	ctx, metadata = adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
@@ -273,13 +281,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					return action.Response(message), nil
 				}
 			}
-				var responseCheck func(responseAddrs []netip.Addr) bool
+			responseCheck := addressLimitResponseCheck(rule, metadata)
-				if rule != nil && rule.WithAddressLimit() {
-					responseCheck = func(responseAddrs []netip.Addr) bool {
-						metadata.DestinationAddresses = responseAddrs
-						return rule.MatchAddressLimit(metadata)
-					}
-				}
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -304,7 +306,6 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 			break
 		}
 	}
-	}
 	if err != nil {
 		return nil, err
 	}
@@ -326,7 +327,6 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
 	var (
 		responseAddrs []netip.Addr
-		cached        bool
 		err           error
 	)
 	printResult := func() {
@@ -346,13 +346,6 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 			err = E.Cause(err, "lookup ", domain)
 		}
 	}
-	responseAddrs, cached = r.client.LookupCache(domain, options.Strategy)
-	if cached {
-		if len(responseAddrs) == 0 {
-			return nil, E.New("lookup ", domain, ": empty result (cached)")
-		}
-		return responseAddrs, nil
-	}
 	r.logger.DebugContext(ctx, "lookup domain ", domain)
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
@@ -361,7 +354,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 		transport := options.Transport
 		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
 			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = r.defaultDomainStrategy
+				options.Strategy = legacyTransport.LegacyStrategy()
 			}
 			if !options.ClientSubnet.IsValid() {
 				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
@@ -385,16 +378,13 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 			if rule != nil {
 				switch action := rule.Action().(type) {
 				case *R.RuleActionReject:
-					switch action.Method {
+					return nil, &R.RejectedError{Cause: action.Error(ctx)}
-					case C.RuleActionRejectMethodDefault:
-						return nil, nil
-					case C.RuleActionRejectMethodDrop:
-						return nil, tun.ErrDrop
-					}
 				case *R.RuleActionPredefined:
+					responseAddrs = nil
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)
 					} else {
+						err = nil
 						for _, answer := range action.Answer {
 							switch record := answer.(type) {
 							case *mDNS.A:
@@ -407,13 +397,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 					goto response
 				}
 			}
-			var responseCheck func(responseAddrs []netip.Addr) bool
+			responseCheck := addressLimitResponseCheck(rule, metadata)
-			if rule != nil && rule.WithAddressLimit() {
-				responseCheck = func(responseAddrs []netip.Addr) bool {
-					metadata.DestinationAddresses = responseAddrs
-					return rule.MatchAddressLimit(metadata)
-				}
-			}
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -441,6 +425,18 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }
 
+func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
+	if rule == nil || !rule.WithAddressLimit() {
+		return nil
+	}
+	responseMetadata := *metadata
+	return func(responseAddrs []netip.Addr) bool {
+		checkMetadata := responseMetadata
+		checkMetadata.DestinationAddresses = responseAddrs
+		return rule.MatchAddressLimit(&checkMetadata)
+	}
+}
+
 func (r *Router) ClearCache() {
 	r.client.ClearCache()
 	if r.platformInterface != nil {
@@ -459,6 +455,6 @@ func (r *Router) LookupReverseMapping(ip netip.Addr) (string, bool) {
 func (r *Router) ResetNetwork() {
 	r.ClearCache()
 	for _, transport := range r.transport.Transports() {
-		transport.Close()
+		transport.Reset()
 	}
 }

dns/transport/base.go

@@ -0,0 +1,145 @@
+package transport
+
+import (
+	"context"
+	"os"
+	"sync"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+)
+
+type TransportState int
+
+const (
+	StateNew TransportState = iota
+	StateStarted
+	StateClosing
+	StateClosed
+)
+
+var (
+	ErrTransportClosed = os.ErrClosed
+	ErrConnectionReset = E.New("connection reset")
+)
+
+type BaseTransport struct {
+	dns.TransportAdapter
+	Logger logger.ContextLogger
+
+	mutex           sync.Mutex
+	state           TransportState
+	inFlight        int32
+	queriesComplete chan struct{}
+	closeCtx        context.Context
+	closeCancel     context.CancelFunc
+}
+
+func NewBaseTransport(adapter dns.TransportAdapter, logger logger.ContextLogger) *BaseTransport {
+	ctx, cancel := context.WithCancel(context.Background())
+	return &BaseTransport{
+		TransportAdapter: adapter,
+		Logger:           logger,
+		state:            StateNew,
+		closeCtx:         ctx,
+		closeCancel:      cancel,
+	}
+}
+
+func (t *BaseTransport) State() TransportState {
+	t.mutex.Lock()
+	defer t.mutex.Unlock()
+	return t.state
+}
+
+func (t *BaseTransport) SetStarted() error {
+	t.mutex.Lock()
+	defer t.mutex.Unlock()
+	switch t.state {
+	case StateNew:
+		t.state = StateStarted
+		return nil
+	case StateStarted:
+		return nil
+	default:
+		return ErrTransportClosed
+	}
+}
+
+func (t *BaseTransport) BeginQuery() bool {
+	t.mutex.Lock()
+	defer t.mutex.Unlock()
+	if t.state != StateStarted {
+		return false
+	}
+	t.inFlight++
+	return true
+}
+
+func (t *BaseTransport) EndQuery() {
+	t.mutex.Lock()
+	if t.inFlight > 0 {
+		t.inFlight--
+	}
+	if t.inFlight == 0 && t.queriesComplete != nil {
+		close(t.queriesComplete)
+		t.queriesComplete = nil
+	}
+	t.mutex.Unlock()
+}
+
+func (t *BaseTransport) CloseContext() context.Context {
+	return t.closeCtx
+}
+
+func (t *BaseTransport) Shutdown(ctx context.Context) error {
+	t.mutex.Lock()
+
+	if t.state >= StateClosing {
+		t.mutex.Unlock()
+		return nil
+	}
+
+	if t.state == StateNew {
+		t.state = StateClosed
+		t.mutex.Unlock()
+		t.closeCancel()
+		return nil
+	}
+
+	t.state = StateClosing
+
+	if t.inFlight == 0 {
+		t.state = StateClosed
+		t.mutex.Unlock()
+		t.closeCancel()
+		return nil
+	}
+
+	t.queriesComplete = make(chan struct{})
+	queriesComplete := t.queriesComplete
+	t.mutex.Unlock()
+
+	t.closeCancel()
+
+	select {
+	case <-queriesComplete:
+		t.mutex.Lock()
+		t.state = StateClosed
+		t.mutex.Unlock()
+		return nil
+	case <-ctx.Done():
+		t.mutex.Lock()
+		t.state = StateClosed
+		t.mutex.Unlock()
+		return ctx.Err()
+	}
+}
+
+func (t *BaseTransport) Close() error {
+	ctx, cancel := context.WithTimeout(context.Background(), C.TCPTimeout)
+	defer cancel()
+	return t.Shutdown(ctx)
+}

dns/transport/connector.go

@@ -0,0 +1,287 @@
+package transport
+
+import (
+	"context"
+	"net"
+	"sync"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type ConnectorCallbacks[T any] struct {
+	IsClosed func(connection T) bool
+	Close    func(connection T)
+	Reset    func(connection T)
+}
+
+type Connector[T any] struct {
+	dial      func(ctx context.Context) (T, error)
+	callbacks ConnectorCallbacks[T]
+
+	access           sync.Mutex
+	connection       T
+	hasConnection    bool
+	connectionCancel context.CancelFunc
+	connecting       chan struct{}
+
+	closeCtx context.Context
+	closed   bool
+}
+
+func NewConnector[T any](closeCtx context.Context, dial func(context.Context) (T, error), callbacks ConnectorCallbacks[T]) *Connector[T] {
+	return &Connector[T]{
+		dial:      dial,
+		callbacks: callbacks,
+		closeCtx:  closeCtx,
+	}
+}
+
+func NewSingleflightConnector(closeCtx context.Context, dial func(context.Context) (*Connection, error)) *Connector[*Connection] {
+	return NewConnector(closeCtx, dial, ConnectorCallbacks[*Connection]{
+		IsClosed: func(connection *Connection) bool {
+			return connection.IsClosed()
+		},
+		Close: func(connection *Connection) {
+			connection.CloseWithError(ErrTransportClosed)
+		},
+		Reset: func(connection *Connection) {
+			connection.CloseWithError(ErrConnectionReset)
+		},
+	})
+}
+
+type contextKeyConnecting struct{}
+
+var errRecursiveConnectorDial = E.New("recursive connector dial")
+
+func (c *Connector[T]) Get(ctx context.Context) (T, error) {
+	var zero T
+	for {
+		c.access.Lock()
+
+		if c.closed {
+			c.access.Unlock()
+			return zero, ErrTransportClosed
+		}
+
+		if c.hasConnection && !c.callbacks.IsClosed(c.connection) {
+			connection := c.connection
+			c.access.Unlock()
+			return connection, nil
+		}
+
+		c.hasConnection = false
+		if c.connectionCancel != nil {
+			c.connectionCancel()
+			c.connectionCancel = nil
+		}
+		if isRecursiveConnectorDial(ctx, c) {
+			c.access.Unlock()
+			return zero, errRecursiveConnectorDial
+		}
+
+		if c.connecting != nil {
+			connecting := c.connecting
+			c.access.Unlock()
+
+			select {
+			case <-connecting:
+				continue
+			case <-ctx.Done():
+				return zero, ctx.Err()
+			case <-c.closeCtx.Done():
+				return zero, ErrTransportClosed
+			}
+		}
+
+		if err := ctx.Err(); err != nil {
+			c.access.Unlock()
+			return zero, err
+		}
+
+		c.connecting = make(chan struct{})
+		c.access.Unlock()
+
+		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
+		connection, cancel, err := c.dialWithCancellation(dialContext)
+
+		c.access.Lock()
+		close(c.connecting)
+		c.connecting = nil
+
+		if err != nil {
+			c.access.Unlock()
+			return zero, err
+		}
+
+		if c.closed {
+			cancel()
+			c.callbacks.Close(connection)
+			c.access.Unlock()
+			return zero, ErrTransportClosed
+		}
+		if err = ctx.Err(); err != nil {
+			cancel()
+			c.callbacks.Close(connection)
+			c.access.Unlock()
+			return zero, err
+		}
+
+		c.connection = connection
+		c.hasConnection = true
+		c.connectionCancel = cancel
+		result := c.connection
+		c.access.Unlock()
+
+		return result, nil
+	}
+}
+
+func isRecursiveConnectorDial[T any](ctx context.Context, connector *Connector[T]) bool {
+	dialConnector, loaded := ctx.Value(contextKeyConnecting{}).(*Connector[T])
+	return loaded && dialConnector == connector
+}
+
+func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, context.CancelFunc, error) {
+	var zero T
+	if err := ctx.Err(); err != nil {
+		return zero, nil, err
+	}
+	connCtx, cancel := context.WithCancel(c.closeCtx)
+
+	var (
+		stateAccess  sync.Mutex
+		dialComplete bool
+	)
+	stopCancel := context.AfterFunc(ctx, func() {
+		stateAccess.Lock()
+		if !dialComplete {
+			cancel()
+		}
+		stateAccess.Unlock()
+	})
+	select {
+	case <-ctx.Done():
+		stateAccess.Lock()
+		dialComplete = true
+		stateAccess.Unlock()
+		stopCancel()
+		cancel()
+		return zero, nil, ctx.Err()
+	default:
+	}
+
+	connection, err := c.dial(valueContext{connCtx, ctx})
+	stateAccess.Lock()
+	dialComplete = true
+	stateAccess.Unlock()
+	stopCancel()
+	if err != nil {
+		cancel()
+		return zero, nil, err
+	}
+	return connection, cancel, nil
+}
+
+type valueContext struct {
+	context.Context
+	parent context.Context
+}
+
+func (v valueContext) Value(key any) any {
+	return v.parent.Value(key)
+}
+
+func (v valueContext) Deadline() (time.Time, bool) {
+	return v.parent.Deadline()
+}
+
+func (c *Connector[T]) Close() error {
+	c.access.Lock()
+	defer c.access.Unlock()
+
+	if c.closed {
+		return nil
+	}
+	c.closed = true
+
+	if c.connectionCancel != nil {
+		c.connectionCancel()
+		c.connectionCancel = nil
+	}
+	if c.hasConnection {
+		c.callbacks.Close(c.connection)
+		c.hasConnection = false
+	}
+
+	return nil
+}
+
+func (c *Connector[T]) Reset() {
+	c.access.Lock()
+	defer c.access.Unlock()
+
+	if c.connectionCancel != nil {
+		c.connectionCancel()
+		c.connectionCancel = nil
+	}
+	if c.hasConnection {
+		c.callbacks.Reset(c.connection)
+		c.hasConnection = false
+	}
+}
+
+type Connection struct {
+	net.Conn
+
+	closeOnce  sync.Once
+	done       chan struct{}
+	closeError error
+}
+
+func WrapConnection(conn net.Conn) *Connection {
+	return &Connection{
+		Conn: conn,
+		done: make(chan struct{}),
+	}
+}
+
+func (c *Connection) Done() <-chan struct{} {
+	return c.done
+}
+
+func (c *Connection) IsClosed() bool {
+	select {
+	case <-c.done:
+		return true
+	default:
+		return false
+	}
+}
+
+func (c *Connection) CloseError() error {
+	select {
+	case <-c.done:
+		if c.closeError != nil {
+			return c.closeError
+		}
+		return ErrTransportClosed
+	default:
+		return nil
+	}
+}
+
+func (c *Connection) Close() error {
+	return c.CloseWithError(ErrTransportClosed)
+}
+
+func (c *Connection) CloseWithError(err error) error {
+	var returnError error
+	c.closeOnce.Do(func() {
+		c.closeError = err
+		returnError = c.Conn.Close()
+		close(c.done)
+	})
+	return returnError
+}

dns/transport/connector_test.go

@@ -0,0 +1,263 @@
+package transport
+
+import (
+	"context"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+type testConnectorConnection struct{}
+
+func TestConnectorRecursiveGetFailsFast(t *testing.T) {
+	t.Parallel()
+
+	var (
+		dialCount  atomic.Int32
+		closeCount atomic.Int32
+		connector  *Connector[*testConnectorConnection]
+	)
+
+	dial := func(ctx context.Context) (*testConnectorConnection, error) {
+		dialCount.Add(1)
+		_, err := connector.Get(ctx)
+		if err != nil {
+			return nil, err
+		}
+		return &testConnectorConnection{}, nil
+	}
+
+	connector = NewConnector(context.Background(), dial, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+		Reset: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+	})
+
+	_, err := connector.Get(context.Background())
+	require.ErrorIs(t, err, errRecursiveConnectorDial)
+	require.EqualValues(t, 1, dialCount.Load())
+	require.EqualValues(t, 0, closeCount.Load())
+}
+
+func TestConnectorRecursiveGetAcrossConnectorsAllowed(t *testing.T) {
+	t.Parallel()
+
+	var (
+		outerDialCount atomic.Int32
+		innerDialCount atomic.Int32
+		outerConnector *Connector[*testConnectorConnection]
+		innerConnector *Connector[*testConnectorConnection]
+	)
+
+	innerConnector = NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		innerDialCount.Add(1)
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	outerConnector = NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		outerDialCount.Add(1)
+		_, err := innerConnector.Get(ctx)
+		if err != nil {
+			return nil, err
+		}
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	_, err := outerConnector.Get(context.Background())
+	require.NoError(t, err)
+	require.EqualValues(t, 1, outerDialCount.Load())
+	require.EqualValues(t, 1, innerDialCount.Load())
+}
+
+func TestConnectorDialContextPreservesValueAndDeadline(t *testing.T) {
+	t.Parallel()
+
+	type contextKey struct{}
+
+	var (
+		dialValue       any
+		dialDeadline    time.Time
+		dialHasDeadline bool
+	)
+
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialValue = ctx.Value(contextKey{})
+		dialDeadline, dialHasDeadline = ctx.Deadline()
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	deadline := time.Now().Add(time.Minute)
+	requestContext, cancel := context.WithDeadline(context.WithValue(context.Background(), contextKey{}, "test-value"), deadline)
+	defer cancel()
+
+	_, err := connector.Get(requestContext)
+	require.NoError(t, err)
+	require.Equal(t, "test-value", dialValue)
+	require.True(t, dialHasDeadline)
+	require.WithinDuration(t, deadline, dialDeadline, time.Second)
+}
+
+func TestConnectorDialSkipsCanceledRequest(t *testing.T) {
+	t.Parallel()
+
+	var dialCount atomic.Int32
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialCount.Add(1)
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	_, err := connector.Get(requestContext)
+	require.ErrorIs(t, err, context.Canceled)
+	require.EqualValues(t, 0, dialCount.Load())
+}
+
+func TestConnectorCanceledRequestDoesNotCacheConnection(t *testing.T) {
+	t.Parallel()
+
+	var (
+		dialCount  atomic.Int32
+		closeCount atomic.Int32
+	)
+	dialStarted := make(chan struct{}, 1)
+	releaseDial := make(chan struct{})
+
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialCount.Add(1)
+		select {
+		case dialStarted <- struct{}{}:
+		default:
+		}
+		<-releaseDial
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	result := make(chan error, 1)
+	go func() {
+		_, err := connector.Get(requestContext)
+		result <- err
+	}()
+
+	<-dialStarted
+	cancel()
+	close(releaseDial)
+
+	err := <-result
+	require.ErrorIs(t, err, context.Canceled)
+	require.EqualValues(t, 1, dialCount.Load())
+	require.EqualValues(t, 1, closeCount.Load())
+
+	_, err = connector.Get(context.Background())
+	require.NoError(t, err)
+	require.EqualValues(t, 2, dialCount.Load())
+}
+
+func TestConnectorDialContextNotCanceledByRequestContextAfterDial(t *testing.T) {
+	t.Parallel()
+
+	var dialContext context.Context
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialContext = ctx
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	_, err := connector.Get(requestContext)
+	require.NoError(t, err)
+	require.NotNil(t, dialContext)
+
+	cancel()
+
+	select {
+	case <-dialContext.Done():
+		t.Fatal("dial context canceled by request context after successful dial")
+	case <-time.After(100 * time.Millisecond):
+	}
+
+	err = connector.Close()
+	require.NoError(t, err)
+}
+
+func TestConnectorDialContextCanceledOnClose(t *testing.T) {
+	t.Parallel()
+
+	var dialContext context.Context
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialContext = ctx
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	_, err := connector.Get(context.Background())
+	require.NoError(t, err)
+	require.NotNil(t, dialContext)
+
+	select {
+	case <-dialContext.Done():
+		t.Fatal("dial context canceled before connector close")
+	default:
+	}
+
+	err = connector.Close()
+	require.NoError(t, err)
+
+	select {
+	case <-dialContext.Done():
+	case <-time.After(time.Second):
+		t.Fatal("dial context not canceled after connector close")
+	}
+}

dns/transport/dhcp/dhcp.go

@@ -49,6 +49,7 @@ type Transport struct {
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
 	transportLock     sync.RWMutex
 	updatedAt         time.Time
+	lastError         error
 	servers           []M.Socksaddr
 	search            []string
 	ndots             int
@@ -92,7 +93,7 @@ func (t *Transport) Start(stage adapter.StartStage) error {
 		t.interfaceCallback = t.networkManager.InterfaceMonitor().RegisterCallback(t.interfaceUpdated)
 	}
 	go func() {
-		_, err := t.Fetch()
+		_, err := t.fetch()
 		if err != nil {
 			t.logger.Error(E.Cause(err, "fetch DNS servers"))
 		}
@@ -107,8 +108,15 @@ func (t *Transport) Close() error {
 	return nil
 }
 
+func (t *Transport) Reset() {
+	t.transportLock.Lock()
+	t.updatedAt = time.Time{}
+	t.servers = nil
+	t.transportLock.Unlock()
+}
+
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	servers, err := t.Fetch()
+	servers, err := t.fetch()
 	if err != nil {
 		return nil, err
 	}
@@ -128,11 +136,20 @@ func (t *Transport) Exchange0(ctx context.Context, message *mDNS.Msg, servers []
 	}
 }
 
-func (t *Transport) Fetch() ([]M.Socksaddr, error) {
+func (t *Transport) Fetch() []M.Socksaddr {
+	servers, _ := t.fetch()
+	return servers
+}
+
+func (t *Transport) fetch() ([]M.Socksaddr, error) {
 	t.transportLock.RLock()
 	updatedAt := t.updatedAt
+	lastError := t.lastError
 	servers := t.servers
 	t.transportLock.RUnlock()
+	if lastError != nil {
+		return nil, lastError
+	}
 	if time.Since(updatedAt) < C.DHCPTTL {
 		return servers, nil
 	}
@@ -143,7 +160,7 @@ func (t *Transport) Fetch() ([]M.Socksaddr, error) {
 	}
 	err := t.updateServers()
 	if err != nil {
-		return nil, err
+		return servers, err
 	}
 	return t.servers, nil
 }
@@ -173,12 +190,15 @@ func (t *Transport) updateServers() error {
 	fetchCtx, cancel := context.WithTimeout(t.ctx, C.DHCPTimeout)
 	err = t.fetchServers0(fetchCtx, iface)
 	cancel()
+	t.updatedAt = time.Now()
 	if err != nil {
+		t.lastError = err
 		return err
 	} else if len(t.servers) == 0 {
-		return E.New("dhcp: empty DNS servers response")
+		t.lastError = E.New("dhcp: empty DNS servers response")
+		return t.lastError
 	} else {
-		t.updatedAt = time.Now()
+		t.lastError = nil
 		return nil
 	}
 }
@@ -243,6 +263,7 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 	defer buffer.Release()
 
 	for {
+		buffer.Reset()
 		_, _, err := buffer.ReadPacketFrom(packetConn)
 		if err != nil {
 			if errors.Is(err, io.ErrShortBuffer) {

dns/transport/fakeip/memory.go

@@ -82,8 +82,12 @@ func (s *MemoryStorage) FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr
 }
 
 func (s *MemoryStorage) FakeIPReset() error {
+	s.addressAccess.Lock()
+	s.domainAccess.Lock()
 	s.addressCache = make(map[netip.Addr]string)
 	s.domainCache4 = make(map[string]netip.Addr)
 	s.domainCache6 = make(map[string]netip.Addr)
+	s.domainAccess.Unlock()
+	s.addressAccess.Unlock()
 	return nil
 }