[dependencies] Update github-actions

The upstream OpenAI WebSocket endpoint requires the
OpenAI-Beta: responses_websockets=2026-02-06 header. Set it
automatically when the client doesn't provide it.

Also capture and log the response body on non-429 WebSocket
handshake failures to surface the actual error from upstream.

.fpm_systemd

@@ -4,7 +4,6 @@
 --license GPL-3.0-or-later
 --description "The universal proxy platform."
 --url "https://sing-box.sagernet.org/"
---vendor SagerNet
 --maintainer "nekohasekai <contact-git@sekai.icu>"
 --deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
 --no-deb-generate-changes

.github/detect_track.sh

@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-branches=$(git branch -r --contains HEAD)
-if echo "$branches" | grep -q 'origin/stable'; then
-  track=stable
-elif echo "$branches" | grep -q 'origin/testing'; then
-  track=testing
-elif echo "$branches" | grep -q 'origin/oldstable'; then
-  track=oldstable
-else
-  echo "ERROR: HEAD is not on any known release branch (stable/testing/oldstable)" >&2
-  exit 1
-fi
-
-if [[ "$track" == "stable" ]]; then
-  tag=$(git describe --tags --exact-match HEAD 2>/dev/null || true)
-  if [[ -n "$tag" && "$tag" == *"-"* ]]; then
-    track=beta
-  fi
-fi
-
-case "$track" in
-  stable)    name=sing-box;           docker_tag=latest ;;
-  beta)      name=sing-box-beta;      docker_tag=latest-beta ;;
-  testing)   name=sing-box-testing;   docker_tag=latest-testing ;;
-  oldstable) name=sing-box-oldstable; docker_tag=latest-oldstable ;;
-esac
-
-echo "track=${track} name=${name} docker_tag=${docker_tag}" >&2
-echo "TRACK=${track}" >> "$GITHUB_ENV"
-echo "NAME=${name}" >> "$GITHUB_ENV"
-echo "DOCKER_TAG=${docker_tag}" >> "$GITHUB_ENV"

.github/workflows/build.yml

@@ -41,13 +41,13 @@ jobs:
       version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -117,14 +117,14 @@ jobs:
           - { os: android, arch: "386", ndk: "i686-linux-android23" }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         if: ${{ ! matrix.legacy_win7 }}
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Cache Go for Windows 7
         if: matrix.legacy_win7
         id: cache-go-for-windows7
@@ -458,7 +458,7 @@ jobs:
           - { arch: amd64, legacy_osx: true, legacy_name: "macos-10.13" }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -551,7 +551,7 @@ jobs:
           - { arch: arm64, naive: true }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -634,14 +634,14 @@ jobs:
       - calculate_version
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -724,14 +724,14 @@ jobs:
       - calculate_version
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -822,7 +822,7 @@ jobs:
     steps:
       - name: Checkout
         if: matrix.if
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
@@ -830,7 +830,7 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Set tag
         if: matrix.if
         run: |-
@@ -976,7 +976,7 @@ jobs:
       - build_apple
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Cache ghr

.github/workflows/docker.yml

@@ -19,6 +19,7 @@ env:
 jobs:
   build_binary:
     name: Build binary
+    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
     runs-on: ubuntu-latest
     strategy:
       fail-fast: true
@@ -48,14 +49,14 @@ jobs:
           echo "ref=$ref"
           echo "ref=$ref" >> $GITHUB_OUTPUT
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ steps.ref.outputs.ref }}
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Clone cronet-go
         if: matrix.naive
         run: |
@@ -187,7 +188,7 @@ jobs:
           echo "ref=$ref"
           echo "ref=$ref" >> $GITHUB_OUTPUT
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ steps.ref.outputs.ref }}
           fetch-depth: 0
@@ -259,13 +260,13 @@ jobs:
           fi
           echo "ref=$ref"
           echo "ref=$ref" >> $GITHUB_OUTPUT
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          ref: ${{ steps.ref.outputs.ref }}
-          fetch-depth: 0
-      - name: Detect track
-        run: bash .github/detect_track.sh
+          if [[ $ref == *"-"* ]]; then
+            latest=latest-beta
+          else
+            latest=latest
+          fi
+          echo "latest=$latest"
+          echo "latest=$latest" >> $GITHUB_OUTPUT
       - name: Download digests
         uses: actions/download-artifact@v5
         with:
@@ -285,11 +286,11 @@ jobs:
         working-directory: /tmp/digests
         run: |
           docker buildx imagetools create \
-            -t "${{ env.REGISTRY_IMAGE }}:${{ env.DOCKER_TAG }}" \
+            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}" \
             -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
             $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
       - name: Inspect image
         if: github.event_name != 'push'
         run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ env.DOCKER_TAG }}
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
           docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}

.github/workflows/lint.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go

.github/workflows/linux.yml

@@ -11,6 +11,11 @@ on:
         description: "Version name"
         required: true
         type: string
+      forceBeta:
+        description: "Force beta"
+        required: false
+        type: boolean
+        default: false
   release:
     types:
       - published
@@ -18,18 +23,19 @@ on:
 jobs:
   calculate_version:
     name: Calculate version
+    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -66,13 +72,13 @@ jobs:
           - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.8
+          go-version: ~1.26.0
       - name: Clone cronet-go
         if: matrix.naive
         run: |
@@ -162,8 +168,14 @@ jobs:
       - name: Set mtime
         run: |-
           TZ=UTC touch -t '197001010000' dist/sing-box
-      - name: Detect track
-        run: bash .github/detect_track.sh
+      - name: Set name
+        if: (! contains(needs.calculate_version.outputs.version, '-')) && !inputs.forceBeta
+        run: |-
+          echo "NAME=sing-box" >> "$GITHUB_ENV"
+      - name: Set beta name
+        if: contains(needs.calculate_version.outputs.version, '-') || inputs.forceBeta
+        run: |-
+          echo "NAME=sing-box-beta" >> "$GITHUB_ENV"
       - name: Set version
         run: |-
           PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
@@ -224,7 +236,7 @@ jobs:
       - build
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: Set tag

adapter/certificate/adapter.go

@@ -1,21 +0,0 @@
-package certificate
-
-type Adapter struct {
-	providerType string
-	providerTag  string
-}
-
-func NewAdapter(providerType string, providerTag string) Adapter {
-	return Adapter{
-		providerType: providerType,
-		providerTag:  providerTag,
-	}
-}
-
-func (a *Adapter) Type() string {
-	return a.providerType
-}
-
-func (a *Adapter) Tag() string {
-	return a.providerTag
-}

adapter/certificate/manager.go

@@ -1,158 +0,0 @@
-package certificate
-
-import (
-	"context"
-	"os"
-	"sync"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/taskmonitor"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
-)
-
-var _ adapter.CertificateProviderManager = (*Manager)(nil)
-
-type Manager struct {
-	logger        log.ContextLogger
-	registry      adapter.CertificateProviderRegistry
-	access        sync.Mutex
-	started       bool
-	stage         adapter.StartStage
-	providers     []adapter.CertificateProviderService
-	providerByTag map[string]adapter.CertificateProviderService
-}
-
-func NewManager(logger log.ContextLogger, registry adapter.CertificateProviderRegistry) *Manager {
-	return &Manager{
-		logger:        logger,
-		registry:      registry,
-		providerByTag: make(map[string]adapter.CertificateProviderService),
-	}
-}
-
-func (m *Manager) Start(stage adapter.StartStage) error {
-	m.access.Lock()
-	if m.started && m.stage >= stage {
-		panic("already started")
-	}
-	m.started = true
-	m.stage = stage
-	providers := m.providers
-	m.access.Unlock()
-	for _, provider := range providers {
-		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
-		m.logger.Trace(stage, " ", name)
-		startTime := time.Now()
-		err := adapter.LegacyStart(provider, stage)
-		if err != nil {
-			return E.Cause(err, stage, " ", name)
-		}
-		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
-	}
-	return nil
-}
-
-func (m *Manager) Close() error {
-	m.access.Lock()
-	defer m.access.Unlock()
-	if !m.started {
-		return nil
-	}
-	m.started = false
-	providers := m.providers
-	m.providers = nil
-	monitor := taskmonitor.New(m.logger, C.StopTimeout)
-	var err error
-	for _, provider := range providers {
-		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
-		m.logger.Trace("close ", name)
-		startTime := time.Now()
-		monitor.Start("close ", name)
-		err = E.Append(err, provider.Close(), func(err error) error {
-			return E.Cause(err, "close ", name)
-		})
-		monitor.Finish()
-		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
-	}
-	return err
-}
-
-func (m *Manager) CertificateProviders() []adapter.CertificateProviderService {
-	m.access.Lock()
-	defer m.access.Unlock()
-	return m.providers
-}
-
-func (m *Manager) Get(tag string) (adapter.CertificateProviderService, bool) {
-	m.access.Lock()
-	provider, found := m.providerByTag[tag]
-	m.access.Unlock()
-	return provider, found
-}
-
-func (m *Manager) Remove(tag string) error {
-	m.access.Lock()
-	provider, found := m.providerByTag[tag]
-	if !found {
-		m.access.Unlock()
-		return os.ErrInvalid
-	}
-	delete(m.providerByTag, tag)
-	index := common.Index(m.providers, func(it adapter.CertificateProviderService) bool {
-		return it == provider
-	})
-	if index == -1 {
-		panic("invalid certificate provider index")
-	}
-	m.providers = append(m.providers[:index], m.providers[index+1:]...)
-	started := m.started
-	m.access.Unlock()
-	if started {
-		return provider.Close()
-	}
-	return nil
-}
-
-func (m *Manager) Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) error {
-	provider, err := m.registry.Create(ctx, logger, tag, providerType, options)
-	if err != nil {
-		return err
-	}
-	m.access.Lock()
-	defer m.access.Unlock()
-	if m.started {
-		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
-		for _, stage := range adapter.ListStartStages {
-			m.logger.Trace(stage, " ", name)
-			startTime := time.Now()
-			err = adapter.LegacyStart(provider, stage)
-			if err != nil {
-				return E.Cause(err, stage, " ", name)
-			}
-			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
-		}
-	}
-	if existsProvider, loaded := m.providerByTag[tag]; loaded {
-		if m.started {
-			err = existsProvider.Close()
-			if err != nil {
-				return E.Cause(err, "close certificate-provider/", existsProvider.Type(), "[", existsProvider.Tag(), "]")
-			}
-		}
-		existsIndex := common.Index(m.providers, func(it adapter.CertificateProviderService) bool {
-			return it == existsProvider
-		})
-		if existsIndex == -1 {
-			panic("invalid certificate provider index")
-		}
-		m.providers = append(m.providers[:existsIndex], m.providers[existsIndex+1:]...)
-	}
-	m.providers = append(m.providers, provider)
-	m.providerByTag[tag] = provider
-	return nil
-}

adapter/certificate/registry.go

@@ -1,72 +0,0 @@
-package certificate
-
-import (
-	"context"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type ConstructorFunc[T any] func(ctx context.Context, logger log.ContextLogger, tag string, options T) (adapter.CertificateProviderService, error)
-
-func Register[Options any](registry *Registry, providerType string, constructor ConstructorFunc[Options]) {
-	registry.register(providerType, func() any {
-		return new(Options)
-	}, func(ctx context.Context, logger log.ContextLogger, tag string, rawOptions any) (adapter.CertificateProviderService, error) {
-		var options *Options
-		if rawOptions != nil {
-			options = rawOptions.(*Options)
-		}
-		return constructor(ctx, logger, tag, common.PtrValueOrDefault(options))
-	})
-}
-
-var _ adapter.CertificateProviderRegistry = (*Registry)(nil)
-
-type (
-	optionsConstructorFunc func() any
-	constructorFunc        func(ctx context.Context, logger log.ContextLogger, tag string, options any) (adapter.CertificateProviderService, error)
-)
-
-type Registry struct {
-	access      sync.Mutex
-	optionsType map[string]optionsConstructorFunc
-	constructor map[string]constructorFunc
-}
-
-func NewRegistry() *Registry {
-	return &Registry{
-		optionsType: make(map[string]optionsConstructorFunc),
-		constructor: make(map[string]constructorFunc),
-	}
-}
-
-func (m *Registry) CreateOptions(providerType string) (any, bool) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	optionsConstructor, loaded := m.optionsType[providerType]
-	if !loaded {
-		return nil, false
-	}
-	return optionsConstructor(), true
-}
-
-func (m *Registry) Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) (adapter.CertificateProviderService, error) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	constructor, loaded := m.constructor[providerType]
-	if !loaded {
-		return nil, E.New("certificate provider type not found: " + providerType)
-	}
-	return constructor(ctx, logger, tag, options)
-}
-
-func (m *Registry) register(providerType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	m.optionsType[providerType] = optionsConstructor
-	m.constructor[providerType] = constructor
-}

adapter/certificate_provider.go

@@ -1,38 +0,0 @@
-package adapter
-
-import (
-	"context"
-	"crypto/tls"
-
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-)
-
-type CertificateProvider interface {
-	GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
-}
-
-type ACMECertificateProvider interface {
-	CertificateProvider
-	GetACMENextProtos() []string
-}
-
-type CertificateProviderService interface {
-	Lifecycle
-	Type() string
-	Tag() string
-	CertificateProvider
-}
-
-type CertificateProviderRegistry interface {
-	option.CertificateProviderOptionsRegistry
-	Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) (CertificateProviderService, error)
-}
-
-type CertificateProviderManager interface {
-	Lifecycle
-	CertificateProviders() []CertificateProviderService
-	Get(tag string) (CertificateProviderService, bool)
-	Remove(tag string) error
-	Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) error
-}

adapter/dns.go

@@ -25,8 +25,8 @@ type DNSRouter interface {
 
 type DNSClient interface {
 	Start()
-	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(response *dns.Msg) bool) (*dns.Msg, error)
-	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error)
+	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
+	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
 	ClearCache()
 }
 
@@ -72,6 +72,11 @@ type DNSTransport interface {
 	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
 }
 
+type LegacyDNSTransport interface {
+	LegacyStrategy() C.DomainStrategy
+	LegacyClientSubnet() netip.Prefix
+}
+
 type DNSTransportRegistry interface {
 	option.DNSTransportOptionsRegistry
 	CreateDNSTransport(ctx context.Context, logger log.ContextLogger, tag string, transportType string, options any) (DNSTransport, error)

adapter/inbound.go

@@ -10,8 +10,6 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
-
-	"github.com/miekg/dns"
 )
 
 type Inbound interface {
@@ -81,16 +79,14 @@ type InboundContext struct {
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration
 
-	DestinationAddresses                []netip.Addr
-	DNSResponse                         *dns.Msg
-	DestinationAddressMatchFromResponse bool
-	SourceGeoIPCode                     string
-	GeoIPCode                           string
-	ProcessInfo                         *ConnectionOwner
-	SourceMACAddress                    net.HardwareAddr
-	SourceHostname                      string
-	QueryType                           uint16
-	FakeIP                              bool
+	DestinationAddresses []netip.Addr
+	SourceGeoIPCode      string
+	GeoIPCode            string
+	ProcessInfo          *ConnectionOwner
+	SourceMACAddress     net.HardwareAddr
+	SourceHostname       string
+	QueryType            uint16
+	FakeIP               bool
 
 	// rule cache
 
@@ -108,10 +104,6 @@ type InboundContext struct {
 func (c *InboundContext) ResetRuleCache() {
 	c.IPCIDRMatchSource = false
 	c.IPCIDRAcceptEmpty = false
-	c.ResetRuleMatchCache()
-}
-
-func (c *InboundContext) ResetRuleMatchCache() {
 	c.SourceAddressMatch = false
 	c.SourcePortMatch = false
 	c.DestinationAddressMatch = false
@@ -119,46 +111,6 @@ func (c *InboundContext) ResetRuleMatchCache() {
 	c.DidMatch = false
 }
 
-func (c *InboundContext) DestinationAddressesForMatch() []netip.Addr {
-	if c.DestinationAddressMatchFromResponse {
-		return DNSResponseAddresses(c.DNSResponse)
-	}
-	return c.DestinationAddresses
-}
-
-func (c *InboundContext) DNSResponseAddressesForMatch() []netip.Addr {
-	return DNSResponseAddresses(c.DNSResponse)
-}
-
-func DNSResponseAddresses(response *dns.Msg) []netip.Addr {
-	if response == nil || response.Rcode != dns.RcodeSuccess {
-		return nil
-	}
-	addresses := make([]netip.Addr, 0, len(response.Answer))
-	for _, rawRecord := range response.Answer {
-		switch record := rawRecord.(type) {
-		case *dns.A:
-			addresses = append(addresses, M.AddrFromIP(record.A))
-		case *dns.AAAA:
-			addresses = append(addresses, M.AddrFromIP(record.AAAA))
-		case *dns.HTTPS:
-			for _, value := range record.SVCB.Value {
-				switch hint := value.(type) {
-				case *dns.SVCBIPv4Hint:
-					for _, ip := range hint.Hint {
-						addresses = append(addresses, M.AddrFromIP(ip).Unmap())
-					}
-				case *dns.SVCBIPv6Hint:
-					for _, ip := range hint.Hint {
-						addresses = append(addresses, M.AddrFromIP(ip))
-					}
-				}
-			}
-		}
-	}
-	return addresses
-}
-
 type inboundContextKey struct{}
 
 func WithContext(ctx context.Context, inboundContext *InboundContext) context.Context {

adapter/inbound_test.go

@@ -1,45 +0,0 @@
-package adapter
-
-import (
-	"net"
-	"net/netip"
-	"testing"
-
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/require"
-)
-
-func TestDNSResponseAddressesUnmapsHTTPSIPv4Hints(t *testing.T) {
-	t.Parallel()
-
-	ipv4Hint := net.ParseIP("1.1.1.1")
-	require.NotNil(t, ipv4Hint)
-
-	response := &dns.Msg{
-		MsgHdr: dns.MsgHdr{
-			Response: true,
-			Rcode:    dns.RcodeSuccess,
-		},
-		Answer: []dns.RR{
-			&dns.HTTPS{
-				SVCB: dns.SVCB{
-					Hdr: dns.RR_Header{
-						Name:   dns.Fqdn("example.com"),
-						Rrtype: dns.TypeHTTPS,
-						Class:  dns.ClassINET,
-						Ttl:    60,
-					},
-					Priority: 1,
-					Target:   ".",
-					Value: []dns.SVCBKeyValue{
-						&dns.SVCBIPv4Hint{Hint: []net.IP{ipv4Hint}},
-					},
-				},
-			},
-		},
-	}
-
-	addresses := DNSResponseAddresses(response)
-	require.Equal(t, []netip.Addr{netip.MustParseAddr("1.1.1.1")}, addresses)
-	require.True(t, addresses[0].Is4())
-}

adapter/platform.go

@@ -51,11 +51,11 @@ type FindConnectionOwnerRequest struct {
 }
 
 type ConnectionOwner struct {
-	ProcessID           uint32
-	UserId              int32
-	UserName            string
-	ProcessPath         string
-	AndroidPackageNames []string
+	ProcessID          uint32
+	UserId             int32
+	UserName           string
+	ProcessPath        string
+	AndroidPackageName string
 }
 
 type Notification struct {

adapter/router.go

@@ -66,14 +66,10 @@ type RuleSet interface {
 
 type RuleSetUpdateCallback func(it RuleSet)
 
-// Rule-set metadata only exposes headless-rule capabilities that outer routers
-// need before evaluating nested matches. Headless rules do not support
-// ip_version, so there is intentionally no ContainsIPVersionRule flag here.
 type RuleSetMetadata struct {
-	ContainsProcessRule      bool
-	ContainsWIFIRule         bool
-	ContainsIPCIDRRule       bool
-	ContainsDNSQueryTypeRule bool
+	ContainsProcessRule bool
+	ContainsWIFIRule    bool
+	ContainsIPCIDRRule  bool
 }
 type HTTPStartContext struct {
 	ctx             context.Context

adapter/rule.go

@@ -2,8 +2,6 @@ package adapter
 
 import (
 	C "github.com/sagernet/sing-box/constant"
-
-	"github.com/miekg/dns"
 )
 
 type HeadlessRule interface {
@@ -20,9 +18,8 @@ type Rule interface {
 
 type DNSRule interface {
 	Rule
-	LegacyPreMatch(metadata *InboundContext) bool
 	WithAddressLimit() bool
-	MatchAddressLimit(metadata *InboundContext, response *dns.Msg) bool
+	MatchAddressLimit(metadata *InboundContext) bool
 }
 
 type RuleAction interface {

box.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	boxCertificate "github.com/sagernet/sing-box/adapter/certificate"
 	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
@@ -38,21 +37,20 @@ import (
 var _ adapter.SimpleLifecycle = (*Box)(nil)
 
 type Box struct {
-	createdAt           time.Time
-	logFactory          log.Factory
-	logger              log.ContextLogger
-	network             *route.NetworkManager
-	endpoint            *endpoint.Manager
-	inbound             *inbound.Manager
-	outbound            *outbound.Manager
-	service             *boxService.Manager
-	certificateProvider *boxCertificate.Manager
-	dnsTransport        *dns.TransportManager
-	dnsRouter           *dns.Router
-	connection          *route.ConnectionManager
-	router              *route.Router
-	internalService     []adapter.LifecycleService
-	done                chan struct{}
+	createdAt       time.Time
+	logFactory      log.Factory
+	logger          log.ContextLogger
+	network         *route.NetworkManager
+	endpoint        *endpoint.Manager
+	inbound         *inbound.Manager
+	outbound        *outbound.Manager
+	service         *boxService.Manager
+	dnsTransport    *dns.TransportManager
+	dnsRouter       *dns.Router
+	connection      *route.ConnectionManager
+	router          *route.Router
+	internalService []adapter.LifecycleService
+	done            chan struct{}
 }
 
 type Options struct {
@@ -68,7 +66,6 @@ func Context(
 	endpointRegistry adapter.EndpointRegistry,
 	dnsTransportRegistry adapter.DNSTransportRegistry,
 	serviceRegistry adapter.ServiceRegistry,
-	certificateProviderRegistry adapter.CertificateProviderRegistry,
 ) context.Context {
 	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
 		service.FromContext[adapter.InboundRegistry](ctx) == nil {
@@ -93,10 +90,6 @@ func Context(
 		ctx = service.ContextWith[option.ServiceOptionsRegistry](ctx, serviceRegistry)
 		ctx = service.ContextWith[adapter.ServiceRegistry](ctx, serviceRegistry)
 	}
-	if service.FromContext[adapter.CertificateProviderRegistry](ctx) == nil {
-		ctx = service.ContextWith[option.CertificateProviderOptionsRegistry](ctx, certificateProviderRegistry)
-		ctx = service.ContextWith[adapter.CertificateProviderRegistry](ctx, certificateProviderRegistry)
-	}
 	return ctx
 }
 
@@ -113,7 +106,6 @@ func New(options Options) (*Box, error) {
 	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
 	dnsTransportRegistry := service.FromContext[adapter.DNSTransportRegistry](ctx)
 	serviceRegistry := service.FromContext[adapter.ServiceRegistry](ctx)
-	certificateProviderRegistry := service.FromContext[adapter.CertificateProviderRegistry](ctx)
 
 	if endpointRegistry == nil {
 		return nil, E.New("missing endpoint registry in context")
@@ -130,9 +122,6 @@ func New(options Options) (*Box, error) {
 	if serviceRegistry == nil {
 		return nil, E.New("missing service registry in context")
 	}
-	if certificateProviderRegistry == nil {
-		return nil, E.New("missing certificate provider registry in context")
-	}
 
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
@@ -190,13 +179,11 @@ func New(options Options) (*Box, error) {
 	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, endpointManager, routeOptions.Final)
 	dnsTransportManager := dns.NewTransportManager(logFactory.NewLogger("dns/transport"), dnsTransportRegistry, outboundManager, dnsOptions.Final)
 	serviceManager := boxService.NewManager(logFactory.NewLogger("service"), serviceRegistry)
-	certificateProviderManager := boxCertificate.NewManager(logFactory.NewLogger("certificate-provider"), certificateProviderRegistry)
 	service.MustRegister[adapter.EndpointManager](ctx, endpointManager)
 	service.MustRegister[adapter.InboundManager](ctx, inboundManager)
 	service.MustRegister[adapter.OutboundManager](ctx, outboundManager)
 	service.MustRegister[adapter.DNSTransportManager](ctx, dnsTransportManager)
 	service.MustRegister[adapter.ServiceManager](ctx, serviceManager)
-	service.MustRegister[adapter.CertificateProviderManager](ctx, certificateProviderManager)
 	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
 	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
 	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions, dnsOptions)
@@ -285,24 +272,6 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize inbound[", i, "]")
 		}
 	}
-	for i, serviceOptions := range options.Services {
-		var tag string
-		if serviceOptions.Tag != "" {
-			tag = serviceOptions.Tag
-		} else {
-			tag = F.ToString(i)
-		}
-		err = serviceManager.Create(
-			ctx,
-			logFactory.NewLogger(F.ToString("service/", serviceOptions.Type, "[", tag, "]")),
-			tag,
-			serviceOptions.Type,
-			serviceOptions.Options,
-		)
-		if err != nil {
-			return nil, E.Cause(err, "initialize service[", i, "]")
-		}
-	}
 	for i, outboundOptions := range options.Outbounds {
 		var tag string
 		if outboundOptions.Tag != "" {
@@ -329,22 +298,22 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize outbound[", i, "]")
 		}
 	}
-	for i, certificateProviderOptions := range options.CertificateProviders {
+	for i, serviceOptions := range options.Services {
 		var tag string
-		if certificateProviderOptions.Tag != "" {
-			tag = certificateProviderOptions.Tag
+		if serviceOptions.Tag != "" {
+			tag = serviceOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
-		err = certificateProviderManager.Create(
+		err = serviceManager.Create(
 			ctx,
-			logFactory.NewLogger(F.ToString("certificate-provider/", certificateProviderOptions.Type, "[", tag, "]")),
+			logFactory.NewLogger(F.ToString("service/", serviceOptions.Type, "[", tag, "]")),
 			tag,
-			certificateProviderOptions.Type,
-			certificateProviderOptions.Options,
+			serviceOptions.Type,
+			serviceOptions.Options,
 		)
 		if err != nil {
-			return nil, E.Cause(err, "initialize certificate provider[", i, "]")
+			return nil, E.Cause(err, "initialize service[", i, "]")
 		}
 	}
 	outboundManager.Initialize(func() (adapter.Outbound, error) {
@@ -414,21 +383,20 @@ func New(options Options) (*Box, error) {
 		internalServices = append(internalServices, adapter.NewLifecycleService(ntpService, "ntp service"))
 	}
 	return &Box{
-		network:             networkManager,
-		endpoint:            endpointManager,
-		inbound:             inboundManager,
-		outbound:            outboundManager,
-		dnsTransport:        dnsTransportManager,
-		service:             serviceManager,
-		certificateProvider: certificateProviderManager,
-		dnsRouter:           dnsRouter,
-		connection:          connectionManager,
-		router:              router,
-		createdAt:           createdAt,
-		logFactory:          logFactory,
-		logger:              logFactory.Logger(),
-		internalService:     internalServices,
-		done:                make(chan struct{}),
+		network:         networkManager,
+		endpoint:        endpointManager,
+		inbound:         inboundManager,
+		outbound:        outboundManager,
+		dnsTransport:    dnsTransportManager,
+		service:         serviceManager,
+		dnsRouter:       dnsRouter,
+		connection:      connectionManager,
+		router:          router,
+		createdAt:       createdAt,
+		logFactory:      logFactory,
+		logger:          logFactory.Logger(),
+		internalService: internalServices,
+		done:            make(chan struct{}),
 	}, nil
 }
 
@@ -482,11 +450,11 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service, s.certificateProvider)
+	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.network, s.connection, s.router, s.dnsRouter)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
 	if err != nil {
 		return err
 	}
@@ -502,19 +470,11 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.endpoint)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.certificateProvider)
-	if err != nil {
-		return err
-	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.service)
-	if err != nil {
-		return err
-	}
-	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.endpoint, s.certificateProvider, s.inbound, s.service)
+	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
@@ -522,7 +482,7 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.endpoint, s.certificateProvider, s.inbound, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
@@ -546,9 +506,8 @@ func (s *Box) Close() error {
 		service adapter.Lifecycle
 	}{
 		{"service", s.service},
-		{"inbound", s.inbound},
-		{"certificate-provider", s.certificateProvider},
 		{"endpoint", s.endpoint},
+		{"inbound", s.inbound},
 		{"outbound", s.outbound},
 		{"router", s.router},
 		{"connection", s.connection},

common/dialer/default.go

@@ -239,7 +239,7 @@ func setMarkWrapper(networkManager adapter.NetworkManager, mark uint32, isDefaul
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {
 	if !address.IsValid() {
 		return nil, E.New("invalid address")
-	} else if address.IsDomain() {
+	} else if address.IsFqdn() {
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
@@ -329,9 +329,9 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 
 func (d *DefaultDialer) DialerForICMPDestination(destination netip.Addr) net.Dialer {
 	if !destination.Is6() {
-		return d.dialer4.Dialer
-	} else {
 		return d.dialer6.Dialer
+	} else {
+		return d.dialer4.Dialer
 	}
 }
 

common/dialer/resolve.go

@@ -96,7 +96,7 @@ func (d *resolveDialer) DialContext(ctx context.Context, network string, destina
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsDomain() {
+	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -116,7 +116,7 @@ func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsDomain() {
+	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -144,7 +144,7 @@ func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsDomain() {
+	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -167,7 +167,7 @@ func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.C
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsDomain() {
+	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)

common/ktls/ktls_read.go

@@ -12,7 +12,6 @@ import (
 	"fmt"
 	"io"
 	"net"
-	"unsafe"
 )
 
 func (c *Conn) Read(b []byte) (int, error) {
@@ -230,7 +229,7 @@ func (c *Conn) readRawRecord() (typ uint8, data []byte, err error) {
 	record := c.rawConn.RawInput.Next(recordHeaderLen + n)
 	data, typ, err = c.rawConn.In.Decrypt(record)
 	if err != nil {
-		err = c.rawConn.In.SetErrorLocked(c.sendAlert(*(*uint8)((*[2]unsafe.Pointer)(unsafe.Pointer(&err))[1])))
+		err = c.rawConn.In.SetErrorLocked(c.sendAlert(uint8(err.(tls.AlertError))))
 		return
 	}
 	return

common/process/searcher.go

@@ -14,7 +14,6 @@ import (
 
 type Searcher interface {
 	FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error)
-	Close() error
 }
 
 var ErrNotFound = E.New("process not found")
@@ -29,7 +28,7 @@ func FindProcessInfo(searcher Searcher, ctx context.Context, network string, sou
 	if err != nil {
 		return nil, err
 	}
-	if info.UserId != -1 && info.UserName == "" {
+	if info.UserId != -1 {
 		osUser, _ := user.LookupId(F.ToString(info.UserId))
 		if osUser != nil {
 			info.UserName = osUser.Username

common/process/searcher_android.go

@@ -6,7 +6,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
 )
 
 var _ Searcher = (*androidSearcher)(nil)
@@ -19,30 +18,22 @@ func NewSearcher(config Config) (Searcher, error) {
 	return &androidSearcher{config.PackageManager}, nil
 }
 
-func (s *androidSearcher) Close() error {
-	return nil
-}
-
 func (s *androidSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	family, protocol, err := socketDiagSettings(network, source)
+	_, uid, err := resolveSocketByNetlink(network, source, destination)
 	if err != nil {
 		return nil, err
 	}
-	_, uid, err := querySocketDiagOnce(family, protocol, source)
-	if err != nil {
-		return nil, err
+	if sharedPackage, loaded := s.packageManager.SharedPackageByID(uid % 100000); loaded {
+		return &adapter.ConnectionOwner{
+			UserId:             int32(uid),
+			AndroidPackageName: sharedPackage,
+		}, nil
 	}
-	appID := uid % 100000
-	var packageNames []string
-	if sharedPackage, loaded := s.packageManager.SharedPackageByID(appID); loaded {
-		packageNames = append(packageNames, sharedPackage)
+	if packageName, loaded := s.packageManager.PackageByID(uid % 100000); loaded {
+		return &adapter.ConnectionOwner{
+			UserId:             int32(uid),
+			AndroidPackageName: packageName,
+		}, nil
 	}
-	if packages, loaded := s.packageManager.PackagesByID(appID); loaded {
-		packageNames = append(packageNames, packages...)
-	}
-	packageNames = common.Uniq(packageNames)
-	return &adapter.ConnectionOwner{
-		UserId:              int32(uid),
-		AndroidPackageNames: packageNames,
-	}, nil
+	return &adapter.ConnectionOwner{UserId: int32(uid)}, nil
 }

common/process/searcher_darwin.go

@@ -1,15 +1,19 @@
-//go:build darwin
-
 package process
 
 import (
 	"context"
+	"encoding/binary"
 	"net/netip"
+	"os"
 	"strconv"
 	"strings"
 	"syscall"
+	"unsafe"
 
 	"github.com/sagernet/sing-box/adapter"
+	N "github.com/sagernet/sing/common/network"
+
+	"golang.org/x/sys/unix"
 )
 
 var _ Searcher = (*darwinSearcher)(nil)
@@ -20,12 +24,12 @@ func NewSearcher(_ Config) (Searcher, error) {
 	return &darwinSearcher{}, nil
 }
 
-func (d *darwinSearcher) Close() error {
-	return nil
-}
-
 func (d *darwinSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	return FindDarwinConnectionOwner(network, source, destination)
+	processName, err := findProcessName(network, source.Addr(), int(source.Port()))
+	if err != nil {
+		return nil, err
+	}
+	return &adapter.ConnectionOwner{ProcessPath: processName, UserId: -1}, nil
 }
 
 var structSize = func() int {
@@ -43,3 +47,107 @@ var structSize = func() int {
 		return 384
 	}
 }()
+
+func findProcessName(network string, ip netip.Addr, port int) (string, error) {
+	var spath string
+	switch network {
+	case N.NetworkTCP:
+		spath = "net.inet.tcp.pcblist_n"
+	case N.NetworkUDP:
+		spath = "net.inet.udp.pcblist_n"
+	default:
+		return "", os.ErrInvalid
+	}
+
+	isIPv4 := ip.Is4()
+
+	value, err := unix.SysctlRaw(spath)
+	if err != nil {
+		return "", err
+	}
+
+	buf := value
+
+	// from darwin-xnu/bsd/netinet/in_pcblist.c:get_pcblist_n
+	// size/offset are round up (aligned) to 8 bytes in darwin
+	// rup8(sizeof(xinpcb_n)) + rup8(sizeof(xsocket_n)) +
+	// 2 * rup8(sizeof(xsockbuf_n)) + rup8(sizeof(xsockstat_n))
+	itemSize := structSize
+	if network == N.NetworkTCP {
+		// rup8(sizeof(xtcpcb_n))
+		itemSize += 208
+	}
+
+	var fallbackUDPProcess string
+	// skip the first xinpgen(24 bytes) block
+	for i := 24; i+itemSize <= len(buf); i += itemSize {
+		// offset of xinpcb_n and xsocket_n
+		inp, so := i, i+104
+
+		srcPort := binary.BigEndian.Uint16(buf[inp+18 : inp+20])
+		if uint16(port) != srcPort {
+			continue
+		}
+
+		// xinpcb_n.inp_vflag
+		flag := buf[inp+44]
+
+		var srcIP netip.Addr
+		srcIsIPv4 := false
+		switch {
+		case flag&0x1 > 0 && isIPv4:
+			// ipv4
+			srcIP = netip.AddrFrom4([4]byte(buf[inp+76 : inp+80]))
+			srcIsIPv4 = true
+		case flag&0x2 > 0 && !isIPv4:
+			// ipv6
+			srcIP = netip.AddrFrom16([16]byte(buf[inp+64 : inp+80]))
+		default:
+			continue
+		}
+
+		if ip == srcIP {
+			// xsocket_n.so_last_pid
+			pid := readNativeUint32(buf[so+68 : so+72])
+			return getExecPathFromPID(pid)
+		}
+
+		// udp packet connection may be not equal with srcIP
+		if network == N.NetworkUDP && srcIP.IsUnspecified() && isIPv4 == srcIsIPv4 {
+			pid := readNativeUint32(buf[so+68 : so+72])
+			fallbackUDPProcess, _ = getExecPathFromPID(pid)
+		}
+	}
+
+	if network == N.NetworkUDP && len(fallbackUDPProcess) > 0 {
+		return fallbackUDPProcess, nil
+	}
+
+	return "", ErrNotFound
+}
+
+func getExecPathFromPID(pid uint32) (string, error) {
+	const (
+		procpidpathinfo     = 0xb
+		procpidpathinfosize = 1024
+		proccallnumpidinfo  = 0x2
+	)
+	buf := make([]byte, procpidpathinfosize)
+	_, _, errno := syscall.Syscall6(
+		syscall.SYS_PROC_INFO,
+		proccallnumpidinfo,
+		uintptr(pid),
+		procpidpathinfo,
+		0,
+		uintptr(unsafe.Pointer(&buf[0])),
+		procpidpathinfosize)
+	if errno != 0 {
+		return "", errno
+	}
+
+	return unix.ByteSliceToString(buf), nil
+}
+
+func readNativeUint32(b []byte) uint32 {
+	return *(*uint32)(unsafe.Pointer(&b[0]))
+}

common/process/searcher_darwin_shared.go

@@ -1,269 +0,0 @@
-//go:build darwin
-
-package process
-
-import (
-	"encoding/binary"
-	"net/netip"
-	"os"
-	"sync"
-	"syscall"
-	"time"
-	"unsafe"
-
-	"github.com/sagernet/sing-box/adapter"
-	N "github.com/sagernet/sing/common/network"
-
-	"golang.org/x/sys/unix"
-)
-
-const (
-	darwinSnapshotTTL = 200 * time.Millisecond
-
-	darwinXinpgenSize        = 24
-	darwinXsocketOffset      = 104
-	darwinXinpcbForeignPort  = 16
-	darwinXinpcbLocalPort    = 18
-	darwinXinpcbVFlag        = 44
-	darwinXinpcbForeignAddr  = 48
-	darwinXinpcbLocalAddr    = 64
-	darwinXinpcbIPv4Addr     = 12
-	darwinXsocketUID         = 64
-	darwinXsocketLastPID     = 68
-	darwinTCPExtraStructSize = 208
-)
-
-type darwinConnectionEntry struct {
-	localAddr  netip.Addr
-	remoteAddr netip.Addr
-	localPort  uint16
-	remotePort uint16
-	pid        uint32
-	uid        int32
-}
-
-type darwinConnectionMatchKind uint8
-
-const (
-	darwinConnectionMatchExact darwinConnectionMatchKind = iota
-	darwinConnectionMatchLocalFallback
-	darwinConnectionMatchWildcardFallback
-)
-
-type darwinSnapshot struct {
-	createdAt time.Time
-	entries   []darwinConnectionEntry
-}
-
-type darwinConnectionFinder struct {
-	access    sync.Mutex
-	ttl       time.Duration
-	snapshots map[string]darwinSnapshot
-	builder   func(string) (darwinSnapshot, error)
-}
-
-var sharedDarwinConnectionFinder = newDarwinConnectionFinder(darwinSnapshotTTL)
-
-func newDarwinConnectionFinder(ttl time.Duration) *darwinConnectionFinder {
-	return &darwinConnectionFinder{
-		ttl:       ttl,
-		snapshots: make(map[string]darwinSnapshot),
-		builder:   buildDarwinSnapshot,
-	}
-}
-
-func FindDarwinConnectionOwner(network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	return sharedDarwinConnectionFinder.find(network, source, destination)
-}
-
-func (f *darwinConnectionFinder) find(network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	networkName := N.NetworkName(network)
-	source = normalizeDarwinAddrPort(source)
-	destination = normalizeDarwinAddrPort(destination)
-	var lastOwner *adapter.ConnectionOwner
-	for attempt := 0; attempt < 2; attempt++ {
-		snapshot, fromCache, err := f.loadSnapshot(networkName, attempt > 0)
-		if err != nil {
-			return nil, err
-		}
-		entry, matchKind, err := matchDarwinConnectionEntry(snapshot.entries, networkName, source, destination)
-		if err != nil {
-			if err == ErrNotFound && fromCache {
-				continue
-			}
-			return nil, err
-		}
-		if fromCache && matchKind != darwinConnectionMatchExact {
-			continue
-		}
-		owner := &adapter.ConnectionOwner{
-			UserId: entry.uid,
-		}
-		lastOwner = owner
-		if entry.pid == 0 {
-			return owner, nil
-		}
-		processPath, err := getExecPathFromPID(entry.pid)
-		if err == nil {
-			owner.ProcessPath = processPath
-			return owner, nil
-		}
-		if fromCache {
-			continue
-		}
-		return owner, nil
-	}
-	if lastOwner != nil {
-		return lastOwner, nil
-	}
-	return nil, ErrNotFound
-}
-
-func (f *darwinConnectionFinder) loadSnapshot(network string, forceRefresh bool) (darwinSnapshot, bool, error) {
-	f.access.Lock()
-	defer f.access.Unlock()
-	if !forceRefresh {
-		if snapshot, loaded := f.snapshots[network]; loaded && time.Since(snapshot.createdAt) < f.ttl {
-			return snapshot, true, nil
-		}
-	}
-	snapshot, err := f.builder(network)
-	if err != nil {
-		return darwinSnapshot{}, false, err
-	}
-	f.snapshots[network] = snapshot
-	return snapshot, false, nil
-}
-
-func buildDarwinSnapshot(network string) (darwinSnapshot, error) {
-	spath, itemSize, err := darwinSnapshotSettings(network)
-	if err != nil {
-		return darwinSnapshot{}, err
-	}
-	value, err := unix.SysctlRaw(spath)
-	if err != nil {
-		return darwinSnapshot{}, err
-	}
-	return darwinSnapshot{
-		createdAt: time.Now(),
-		entries:   parseDarwinSnapshot(value, itemSize),
-	}, nil
-}
-
-func darwinSnapshotSettings(network string) (string, int, error) {
-	itemSize := structSize
-	switch network {
-	case N.NetworkTCP:
-		return "net.inet.tcp.pcblist_n", itemSize + darwinTCPExtraStructSize, nil
-	case N.NetworkUDP:
-		return "net.inet.udp.pcblist_n", itemSize, nil
-	default:
-		return "", 0, os.ErrInvalid
-	}
-}
-
-func parseDarwinSnapshot(buf []byte, itemSize int) []darwinConnectionEntry {
-	entries := make([]darwinConnectionEntry, 0, (len(buf)-darwinXinpgenSize)/itemSize)
-	for i := darwinXinpgenSize; i+itemSize <= len(buf); i += itemSize {
-		inp := i
-		so := i + darwinXsocketOffset
-		entry, ok := parseDarwinConnectionEntry(buf[inp:so], buf[so:so+structSize-darwinXsocketOffset])
-		if ok {
-			entries = append(entries, entry)
-		}
-	}
-	return entries
-}
-
-func parseDarwinConnectionEntry(inp []byte, so []byte) (darwinConnectionEntry, bool) {
-	if len(inp) < darwinXsocketOffset || len(so) < structSize-darwinXsocketOffset {
-		return darwinConnectionEntry{}, false
-	}
-	entry := darwinConnectionEntry{
-		remotePort: binary.BigEndian.Uint16(inp[darwinXinpcbForeignPort : darwinXinpcbForeignPort+2]),
-		localPort:  binary.BigEndian.Uint16(inp[darwinXinpcbLocalPort : darwinXinpcbLocalPort+2]),
-		pid:        binary.NativeEndian.Uint32(so[darwinXsocketLastPID : darwinXsocketLastPID+4]),
-		uid:        int32(binary.NativeEndian.Uint32(so[darwinXsocketUID : darwinXsocketUID+4])),
-	}
-	flag := inp[darwinXinpcbVFlag]
-	switch {
-	case flag&0x1 != 0:
-		entry.remoteAddr = netip.AddrFrom4([4]byte(inp[darwinXinpcbForeignAddr+darwinXinpcbIPv4Addr : darwinXinpcbForeignAddr+darwinXinpcbIPv4Addr+4]))
-		entry.localAddr = netip.AddrFrom4([4]byte(inp[darwinXinpcbLocalAddr+darwinXinpcbIPv4Addr : darwinXinpcbLocalAddr+darwinXinpcbIPv4Addr+4]))
-		return entry, true
-	case flag&0x2 != 0:
-		entry.remoteAddr = netip.AddrFrom16([16]byte(inp[darwinXinpcbForeignAddr : darwinXinpcbForeignAddr+16]))
-		entry.localAddr = netip.AddrFrom16([16]byte(inp[darwinXinpcbLocalAddr : darwinXinpcbLocalAddr+16]))
-		return entry, true
-	default:
-		return darwinConnectionEntry{}, false
-	}
-}
-
-func matchDarwinConnectionEntry(entries []darwinConnectionEntry, network string, source netip.AddrPort, destination netip.AddrPort) (darwinConnectionEntry, darwinConnectionMatchKind, error) {
-	sourceAddr := source.Addr()
-	if !sourceAddr.IsValid() {
-		return darwinConnectionEntry{}, darwinConnectionMatchExact, os.ErrInvalid
-	}
-	var localFallback darwinConnectionEntry
-	var hasLocalFallback bool
-	var wildcardFallback darwinConnectionEntry
-	var hasWildcardFallback bool
-	for _, entry := range entries {
-		if entry.localPort != source.Port() || sourceAddr.BitLen() != entry.localAddr.BitLen() {
-			continue
-		}
-		if entry.localAddr == sourceAddr && destination.IsValid() && entry.remotePort == destination.Port() && entry.remoteAddr == destination.Addr() {
-			return entry, darwinConnectionMatchExact, nil
-		}
-		if !destination.IsValid() && entry.localAddr == sourceAddr {
-			return entry, darwinConnectionMatchExact, nil
-		}
-		if network != N.NetworkUDP {
-			continue
-		}
-		if !hasLocalFallback && entry.localAddr == sourceAddr {
-			hasLocalFallback = true
-			localFallback = entry
-		}
-		if !hasWildcardFallback && entry.localAddr.IsUnspecified() {
-			hasWildcardFallback = true
-			wildcardFallback = entry
-		}
-	}
-	if hasLocalFallback {
-		return localFallback, darwinConnectionMatchLocalFallback, nil
-	}
-	if hasWildcardFallback {
-		return wildcardFallback, darwinConnectionMatchWildcardFallback, nil
-	}
-	return darwinConnectionEntry{}, darwinConnectionMatchExact, ErrNotFound
-}
-
-func normalizeDarwinAddrPort(addrPort netip.AddrPort) netip.AddrPort {
-	if !addrPort.IsValid() {
-		return addrPort
-	}
-	return netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port())
-}
-
-func getExecPathFromPID(pid uint32) (string, error) {
-	const (
-		procpidpathinfo     = 0xb
-		procpidpathinfosize = 1024
-		proccallnumpidinfo  = 0x2
-	)
-	buf := make([]byte, procpidpathinfosize)
-	_, _, errno := syscall.Syscall6(
-		syscall.SYS_PROC_INFO,
-		proccallnumpidinfo,
-		uintptr(pid),
-		procpidpathinfo,
-		0,
-		uintptr(unsafe.Pointer(&buf[0])),
-		procpidpathinfosize)
-	if errno != 0 {
-		return "", errno
-	}
-	return unix.ByteSliceToString(buf), nil
-}

common/process/searcher_linux.go

@@ -4,82 +4,33 @@ package process
 
 import (
 	"context"
-	"errors"
 	"net/netip"
-	"syscall"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
-	E "github.com/sagernet/sing/common/exceptions"
 )
 
 var _ Searcher = (*linuxSearcher)(nil)
 
 type linuxSearcher struct {
-	logger           log.ContextLogger
-	diagConns        [4]*socketDiagConn
-	processPathCache *uidProcessPathCache
+	logger log.ContextLogger
 }
 
 func NewSearcher(config Config) (Searcher, error) {
-	searcher := &linuxSearcher{
-		logger:           config.Logger,
-		processPathCache: newUIDProcessPathCache(time.Second),
-	}
-	for _, family := range []uint8{syscall.AF_INET, syscall.AF_INET6} {
-		for _, protocol := range []uint8{syscall.IPPROTO_TCP, syscall.IPPROTO_UDP} {
-			searcher.diagConns[socketDiagConnIndex(family, protocol)] = newSocketDiagConn(family, protocol)
-		}
-	}
-	return searcher, nil
-}
-
-func (s *linuxSearcher) Close() error {
-	var errs []error
-	for _, conn := range s.diagConns {
-		if conn == nil {
-			continue
-		}
-		errs = append(errs, conn.Close())
-	}
-	return E.Errors(errs...)
+	return &linuxSearcher{config.Logger}, nil
 }
 
 func (s *linuxSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	inode, uid, err := s.resolveSocketByNetlink(network, source, destination)
+	inode, uid, err := resolveSocketByNetlink(network, source, destination)
 	if err != nil {
 		return nil, err
 	}
-	processInfo := &adapter.ConnectionOwner{
-		UserId: int32(uid),
-	}
-	processPath, err := s.processPathCache.findProcessPath(inode, uid)
+	processPath, err := resolveProcessNameByProcSearch(inode, uid)
 	if err != nil {
 		s.logger.DebugContext(ctx, "find process path: ", err)
-	} else {
-		processInfo.ProcessPath = processPath
 	}
-	return processInfo, nil
-}
-
-func (s *linuxSearcher) resolveSocketByNetlink(network string, source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
-	family, protocol, err := socketDiagSettings(network, source)
-	if err != nil {
-		return 0, 0, err
-	}
-	conn := s.diagConns[socketDiagConnIndex(family, protocol)]
-	if conn == nil {
-		return 0, 0, E.New("missing socket diag connection for family=", family, " protocol=", protocol)
-	}
-	if destination.IsValid() && source.Addr().BitLen() == destination.Addr().BitLen() {
-		inode, uid, err = conn.query(source, destination)
-		if err == nil {
-			return inode, uid, nil
-		}
-		if !errors.Is(err, ErrNotFound) {
-			return 0, 0, err
-		}
-	}
-	return querySocketDiagOnce(family, protocol, source)
+	return &adapter.ConnectionOwner{
+		UserId:      int32(uid),
+		ProcessPath: processPath,
+	}, nil
 }

common/process/searcher_linux_shared.go

@@ -3,67 +3,43 @@
 package process
 
 import (
+	"bytes"
 	"encoding/binary"
-	"errors"
+	"fmt"
+	"net"
 	"net/netip"
 	"os"
-	"path/filepath"
+	"path"
 	"strings"
-	"sync"
 	"syscall"
-	"time"
 	"unicode"
+	"unsafe"
 
-	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/contrab/freelru"
-	"github.com/sagernet/sing/contrab/maphash"
 )
 
+// from https://github.com/vishvananda/netlink/blob/bca67dfc8220b44ef582c9da4e9172bf1c9ec973/nl/nl_linux.go#L52-L62
+var nativeEndian = func() binary.ByteOrder {
+	var x uint32 = 0x01020304
+	if *(*byte)(unsafe.Pointer(&x)) == 0x01 {
+		return binary.BigEndian
+	}
+
+	return binary.LittleEndian
+}()
+
 const (
-	sizeOfSocketDiagRequestData = 56
-	sizeOfSocketDiagRequest     = syscall.SizeofNlMsghdr + sizeOfSocketDiagRequestData
-	socketDiagResponseMinSize   = 72
-	socketDiagByFamily          = 20
-	pathProc                    = "/proc"
+	sizeOfSocketDiagRequest = syscall.SizeofNlMsghdr + 8 + 48
+	socketDiagByFamily      = 20
+	pathProc                = "/proc"
 )
 
-type socketDiagConn struct {
-	access   sync.Mutex
-	family   uint8
-	protocol uint8
-	fd       int
-}
+func resolveSocketByNetlink(network string, source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
+	var family uint8
+	var protocol uint8
 
-type uidProcessPathCache struct {
-	cache freelru.Cache[uint32, *uidProcessPaths]
-}
-
-type uidProcessPaths struct {
-	entries map[uint32]string
-}
-
-func newSocketDiagConn(family, protocol uint8) *socketDiagConn {
-	return &socketDiagConn{
-		family:   family,
-		protocol: protocol,
-		fd:       -1,
-	}
-}
-
-func socketDiagConnIndex(family, protocol uint8) int {
-	index := 0
-	if protocol == syscall.IPPROTO_UDP {
-		index += 2
-	}
-	if family == syscall.AF_INET6 {
-		index++
-	}
-	return index
-}
-
-func socketDiagSettings(network string, source netip.AddrPort) (family, protocol uint8, err error) {
 	switch network {
 	case N.NetworkTCP:
 		protocol = syscall.IPPROTO_TCP
@@ -72,308 +48,151 @@ func socketDiagSettings(network string, source netip.AddrPort) (family, protocol
 	default:
 		return 0, 0, os.ErrInvalid
 	}
-	switch {
-	case source.Addr().Is4():
+
+	if source.Addr().Is4() {
 		family = syscall.AF_INET
-	case source.Addr().Is6():
+	} else {
 		family = syscall.AF_INET6
-	default:
-		return 0, 0, os.ErrInvalid
 	}
-	return family, protocol, nil
-}
 
-func newUIDProcessPathCache(ttl time.Duration) *uidProcessPathCache {
-	cache := common.Must1(freelru.NewSharded[uint32, *uidProcessPaths](64, maphash.NewHasher[uint32]().Hash32))
-	cache.SetLifetime(ttl)
-	return &uidProcessPathCache{cache: cache}
-}
+	req := packSocketDiagRequest(family, protocol, source)
 
-func (c *uidProcessPathCache) findProcessPath(targetInode, uid uint32) (string, error) {
-	if cached, ok := c.cache.Get(uid); ok {
-		if processPath, found := cached.entries[targetInode]; found {
-			return processPath, nil
-		}
-	}
-	processPaths, err := buildProcessPathByUIDCache(uid)
-	if err != nil {
-		return "", err
-	}
-	c.cache.Add(uid, &uidProcessPaths{entries: processPaths})
-	processPath, found := processPaths[targetInode]
-	if !found {
-		return "", E.New("process of uid(", uid, "), inode(", targetInode, ") not found")
-	}
-	return processPath, nil
-}
-
-func (c *socketDiagConn) Close() error {
-	c.access.Lock()
-	defer c.access.Unlock()
-	return c.closeLocked()
-}
-
-func (c *socketDiagConn) query(source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
-	c.access.Lock()
-	defer c.access.Unlock()
-	request := packSocketDiagRequest(c.family, c.protocol, source, destination, false)
-	for attempt := 0; attempt < 2; attempt++ {
-		err = c.ensureOpenLocked()
-		if err != nil {
-			return 0, 0, E.Cause(err, "dial netlink")
-		}
-		inode, uid, err = querySocketDiag(c.fd, request)
-		if err == nil || errors.Is(err, ErrNotFound) {
-			return inode, uid, err
-		}
-		if !shouldRetrySocketDiag(err) {
-			return 0, 0, err
-		}
-		_ = c.closeLocked()
-	}
-	return 0, 0, err
-}
-
-func querySocketDiagOnce(family, protocol uint8, source netip.AddrPort) (inode, uid uint32, err error) {
-	fd, err := openSocketDiag()
+	socket, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM, syscall.NETLINK_INET_DIAG)
 	if err != nil {
 		return 0, 0, E.Cause(err, "dial netlink")
 	}
-	defer syscall.Close(fd)
-	return querySocketDiag(fd, packSocketDiagRequest(family, protocol, source, netip.AddrPort{}, true))
-}
+	defer syscall.Close(socket)
 
-func (c *socketDiagConn) ensureOpenLocked() error {
-	if c.fd != -1 {
-		return nil
-	}
-	fd, err := openSocketDiag()
-	if err != nil {
-		return err
-	}
-	c.fd = fd
-	return nil
-}
+	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, &syscall.Timeval{Usec: 100})
+	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, &syscall.Timeval{Usec: 100})
 
-func openSocketDiag() (int, error) {
-	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM|syscall.SOCK_CLOEXEC, syscall.NETLINK_INET_DIAG)
-	if err != nil {
-		return -1, err
-	}
-	timeout := &syscall.Timeval{Usec: 100}
-	if err = syscall.SetsockoptTimeval(fd, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, timeout); err != nil {
-		syscall.Close(fd)
-		return -1, err
-	}
-	if err = syscall.SetsockoptTimeval(fd, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, timeout); err != nil {
-		syscall.Close(fd)
-		return -1, err
-	}
-	if err = syscall.Connect(fd, &syscall.SockaddrNetlink{
+	err = syscall.Connect(socket, &syscall.SockaddrNetlink{
 		Family: syscall.AF_NETLINK,
+		Pad:    0,
 		Pid:    0,
 		Groups: 0,
-	}); err != nil {
-		syscall.Close(fd)
-		return -1, err
+	})
+	if err != nil {
+		return
 	}
-	return fd, nil
-}
 
-func (c *socketDiagConn) closeLocked() error {
-	if c.fd == -1 {
-		return nil
-	}
-	err := syscall.Close(c.fd)
-	c.fd = -1
-	return err
-}
-
-func packSocketDiagRequest(family, protocol byte, source netip.AddrPort, destination netip.AddrPort, dump bool) []byte {
-	request := make([]byte, sizeOfSocketDiagRequest)
-
-	binary.NativeEndian.PutUint32(request[0:4], sizeOfSocketDiagRequest)
-	binary.NativeEndian.PutUint16(request[4:6], socketDiagByFamily)
-	flags := uint16(syscall.NLM_F_REQUEST)
-	if dump {
-		flags |= syscall.NLM_F_DUMP
-	}
-	binary.NativeEndian.PutUint16(request[6:8], flags)
-	binary.NativeEndian.PutUint32(request[8:12], 0)
-	binary.NativeEndian.PutUint32(request[12:16], 0)
-
-	request[16] = family
-	request[17] = protocol
-	request[18] = 0
-	request[19] = 0
-	if dump {
-		binary.NativeEndian.PutUint32(request[20:24], 0xFFFFFFFF)
-	}
-	requestSource := source
-	requestDestination := destination
-	if protocol == syscall.IPPROTO_UDP && !dump && destination.IsValid() {
-		// udp_dump_one expects the exact-match endpoints reversed for historical reasons.
-		requestSource, requestDestination = destination, source
-	}
-	binary.BigEndian.PutUint16(request[24:26], requestSource.Port())
-	binary.BigEndian.PutUint16(request[26:28], requestDestination.Port())
-	if family == syscall.AF_INET6 {
-		copy(request[28:44], requestSource.Addr().AsSlice())
-		if requestDestination.IsValid() {
-			copy(request[44:60], requestDestination.Addr().AsSlice())
-		}
-	} else {
-		copy(request[28:32], requestSource.Addr().AsSlice())
-		if requestDestination.IsValid() {
-			copy(request[44:48], requestDestination.Addr().AsSlice())
-		}
-	}
-	binary.NativeEndian.PutUint32(request[60:64], 0)
-	binary.NativeEndian.PutUint64(request[64:72], 0xFFFFFFFFFFFFFFFF)
-	return request
-}
-
-func querySocketDiag(fd int, request []byte) (inode, uid uint32, err error) {
-	_, err = syscall.Write(fd, request)
+	_, err = syscall.Write(socket, req)
 	if err != nil {
 		return 0, 0, E.Cause(err, "write netlink request")
 	}
-	buffer := make([]byte, 64<<10)
-	n, err := syscall.Read(fd, buffer)
+
+	buffer := buf.New()
+	defer buffer.Release()
+
+	n, err := syscall.Read(socket, buffer.FreeBytes())
 	if err != nil {
 		return 0, 0, E.Cause(err, "read netlink response")
 	}
-	messages, err := syscall.ParseNetlinkMessage(buffer[:n])
+
+	buffer.Truncate(n)
+
+	messages, err := syscall.ParseNetlinkMessage(buffer.Bytes())
 	if err != nil {
 		return 0, 0, E.Cause(err, "parse netlink message")
+	} else if len(messages) == 0 {
+		return 0, 0, E.New("unexcepted netlink response")
 	}
-	return unpackSocketDiagMessages(messages)
+
+	message := messages[0]
+	if message.Header.Type&syscall.NLMSG_ERROR != 0 {
+		return 0, 0, E.New("netlink message: NLMSG_ERROR")
+	}
+
+	inode, uid = unpackSocketDiagResponse(&messages[0])
+	return
 }
 
-func unpackSocketDiagMessages(messages []syscall.NetlinkMessage) (inode, uid uint32, err error) {
-	for _, message := range messages {
-		switch message.Header.Type {
-		case syscall.NLMSG_DONE:
-			continue
-		case syscall.NLMSG_ERROR:
-			err = unpackSocketDiagError(&message)
-			if err != nil {
-				return 0, 0, err
-			}
-		case socketDiagByFamily:
-			inode, uid = unpackSocketDiagResponse(&message)
-			if inode != 0 || uid != 0 {
-				return inode, uid, nil
-			}
-		}
-	}
-	return 0, 0, ErrNotFound
+func packSocketDiagRequest(family, protocol byte, source netip.AddrPort) []byte {
+	s := make([]byte, 16)
+	copy(s, source.Addr().AsSlice())
+
+	buf := make([]byte, sizeOfSocketDiagRequest)
+
+	nativeEndian.PutUint32(buf[0:4], sizeOfSocketDiagRequest)
+	nativeEndian.PutUint16(buf[4:6], socketDiagByFamily)
+	nativeEndian.PutUint16(buf[6:8], syscall.NLM_F_REQUEST|syscall.NLM_F_DUMP)
+	nativeEndian.PutUint32(buf[8:12], 0)
+	nativeEndian.PutUint32(buf[12:16], 0)
+
+	buf[16] = family
+	buf[17] = protocol
+	buf[18] = 0
+	buf[19] = 0
+	nativeEndian.PutUint32(buf[20:24], 0xFFFFFFFF)
+
+	binary.BigEndian.PutUint16(buf[24:26], source.Port())
+	binary.BigEndian.PutUint16(buf[26:28], 0)
+
+	copy(buf[28:44], s)
+	copy(buf[44:60], net.IPv6zero)
+
+	nativeEndian.PutUint32(buf[60:64], 0)
+	nativeEndian.PutUint64(buf[64:72], 0xFFFFFFFFFFFFFFFF)
+
+	return buf
 }
 
 func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid uint32) {
-	if len(msg.Data) < socketDiagResponseMinSize {
+	if len(msg.Data) < 72 {
 		return 0, 0
 	}
-	uid = binary.NativeEndian.Uint32(msg.Data[64:68])
-	inode = binary.NativeEndian.Uint32(msg.Data[68:72])
-	return inode, uid
+
+	data := msg.Data
+
+	uid = nativeEndian.Uint32(data[64:68])
+	inode = nativeEndian.Uint32(data[68:72])
+
+	return
 }
 
-func unpackSocketDiagError(msg *syscall.NetlinkMessage) error {
-	if len(msg.Data) < 4 {
-		return E.New("netlink message: NLMSG_ERROR")
-	}
-	errno := int32(binary.NativeEndian.Uint32(msg.Data[:4]))
-	if errno == 0 {
-		return nil
-	}
-	if errno < 0 {
-		errno = -errno
-	}
-	sysErr := syscall.Errno(errno)
-	switch sysErr {
-	case syscall.ENOENT, syscall.ESRCH:
-		return ErrNotFound
-	default:
-		return E.New("netlink message: ", sysErr)
-	}
-}
-
-func shouldRetrySocketDiag(err error) bool {
-	return err != nil && !errors.Is(err, ErrNotFound)
-}
-
-func buildProcessPathByUIDCache(uid uint32) (map[uint32]string, error) {
+func resolveProcessNameByProcSearch(inode, uid uint32) (string, error) {
 	files, err := os.ReadDir(pathProc)
 	if err != nil {
-		return nil, err
+		return "", err
 	}
+
 	buffer := make([]byte, syscall.PathMax)
-	processPaths := make(map[uint32]string)
-	for _, file := range files {
-		if !file.IsDir() || !isPid(file.Name()) {
+	socket := []byte(fmt.Sprintf("socket:[%d]", inode))
+
+	for _, f := range files {
+		if !f.IsDir() || !isPid(f.Name()) {
 			continue
 		}
-		info, err := file.Info()
+
+		info, err := f.Info()
 		if err != nil {
-			if isIgnorableProcError(err) {
-				continue
-			}
-			return nil, err
+			return "", err
 		}
 		if info.Sys().(*syscall.Stat_t).Uid != uid {
 			continue
 		}
-		processPath := filepath.Join(pathProc, file.Name())
-		fdPath := filepath.Join(processPath, "fd")
-		exePath, err := os.Readlink(filepath.Join(processPath, "exe"))
-		if err != nil {
-			if isIgnorableProcError(err) {
-				continue
-			}
-			return nil, err
-		}
+
+		processPath := path.Join(pathProc, f.Name())
+		fdPath := path.Join(processPath, "fd")
+
 		fds, err := os.ReadDir(fdPath)
 		if err != nil {
 			continue
 		}
+
 		for _, fd := range fds {
-			n, err := syscall.Readlink(filepath.Join(fdPath, fd.Name()), buffer)
+			n, err := syscall.Readlink(path.Join(fdPath, fd.Name()), buffer)
 			if err != nil {
 				continue
 			}
-			inode, ok := parseSocketInode(buffer[:n])
-			if !ok {
-				continue
-			}
-			if _, loaded := processPaths[inode]; !loaded {
-				processPaths[inode] = exePath
+
+			if bytes.Equal(buffer[:n], socket) {
+				return os.Readlink(path.Join(processPath, "exe"))
 			}
 		}
 	}
-	return processPaths, nil
-}
 
-func isIgnorableProcError(err error) bool {
-	return os.IsNotExist(err) || os.IsPermission(err)
-}
-
-func parseSocketInode(link []byte) (uint32, bool) {
-	const socketPrefix = "socket:["
-	if len(link) <= len(socketPrefix) || string(link[:len(socketPrefix)]) != socketPrefix || link[len(link)-1] != ']' {
-		return 0, false
-	}
-	var inode uint64
-	for _, char := range link[len(socketPrefix) : len(link)-1] {
-		if char < '0' || char > '9' {
-			return 0, false
-		}
-		inode = inode*10 + uint64(char-'0')
-		if inode > uint64(^uint32(0)) {
-			return 0, false
-		}
-	}
-	return uint32(inode), true
+	return "", fmt.Errorf("process of uid(%d),inode(%d) not found", uid, inode)
 }
 
 func isPid(s string) bool {

common/process/searcher_linux_shared_test.go

@@ -1,60 +0,0 @@
-//go:build linux
-
-package process
-
-import (
-	"net"
-	"net/netip"
-	"os"
-	"syscall"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestQuerySocketDiagUDPExact(t *testing.T) {
-	t.Parallel()
-	server, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
-	require.NoError(t, err)
-	defer server.Close()
-
-	client, err := net.DialUDP("udp4", nil, server.LocalAddr().(*net.UDPAddr))
-	require.NoError(t, err)
-	defer client.Close()
-
-	err = client.SetDeadline(time.Now().Add(time.Second))
-	require.NoError(t, err)
-	_, err = client.Write([]byte{0})
-	require.NoError(t, err)
-
-	err = server.SetReadDeadline(time.Now().Add(time.Second))
-	require.NoError(t, err)
-	buffer := make([]byte, 1)
-	_, _, err = server.ReadFromUDP(buffer)
-	require.NoError(t, err)
-
-	source := addrPortFromUDPAddr(t, client.LocalAddr())
-	destination := addrPortFromUDPAddr(t, client.RemoteAddr())
-
-	fd, err := openSocketDiag()
-	require.NoError(t, err)
-	defer syscall.Close(fd)
-
-	inode, uid, err := querySocketDiag(fd, packSocketDiagRequest(syscall.AF_INET, syscall.IPPROTO_UDP, source, destination, false))
-	require.NoError(t, err)
-	require.NotZero(t, inode)
-	require.EqualValues(t, os.Getuid(), uid)
-}
-
-func addrPortFromUDPAddr(t *testing.T, addr net.Addr) netip.AddrPort {
-	t.Helper()
-
-	udpAddr, ok := addr.(*net.UDPAddr)
-	require.True(t, ok)
-
-	ip, ok := netip.AddrFromSlice(udpAddr.IP)
-	require.True(t, ok)
-
-	return netip.AddrPortFrom(ip.Unmap(), uint16(udpAddr.Port))
-}

common/process/searcher_windows.go

@@ -28,10 +28,6 @@ func initWin32API() error {
 	return winiphlpapi.LoadExtendedTable()
 }
 
-func (s *windowsSearcher) Close() error {
-	return nil
-}
-
 func (s *windowsSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
 	pid, err := winiphlpapi.FindPid(network, source)
 	if err != nil {

common/tls/acme.go

@@ -38,6 +38,37 @@ func (w *acmeWrapper) Close() error {
 	return nil
 }
 
+type acmeLogWriter struct {
+	logger logger.Logger
+}
+
+func (w *acmeLogWriter) Write(p []byte) (n int, err error) {
+	logLine := strings.ReplaceAll(string(p), "	", ": ")
+	switch {
+	case strings.HasPrefix(logLine, "error: "):
+		w.logger.Error(logLine[7:])
+	case strings.HasPrefix(logLine, "warn: "):
+		w.logger.Warn(logLine[6:])
+	case strings.HasPrefix(logLine, "info: "):
+		w.logger.Info(logLine[6:])
+	case strings.HasPrefix(logLine, "debug: "):
+		w.logger.Debug(logLine[7:])
+	default:
+		w.logger.Debug(logLine)
+	}
+	return len(p), nil
+}
+
+func (w *acmeLogWriter) Sync() error {
+	return nil
+}
+
+func encoderConfig() zapcore.EncoderConfig {
+	config := zap.NewProductionEncoderConfig()
+	config.TimeKey = zapcore.OmitKey
+	return config
+}
+
 func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
 	var acmeServer string
 	switch options.Provider {
@@ -60,8 +91,8 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		storage = certmagic.Default.Storage
 	}
 	zapLogger := zap.New(zapcore.NewCore(
-		zapcore.NewConsoleEncoder(ACMEEncoderConfig()),
-		&ACMELogWriter{Logger: logger},
+		zapcore.NewConsoleEncoder(encoderConfig()),
+		&acmeLogWriter{logger: logger},
 		zap.DebugLevel,
 	))
 	config := &certmagic.Config{
@@ -127,7 +158,7 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 	} else {
 		tlsConfig = &tls.Config{
 			GetCertificate: config.GetCertificate,
-			NextProtos:     []string{C.ACMETLS1Protocol},
+			NextProtos:     []string{ACMETLS1Protocol},
 		}
 	}
 	return tlsConfig, &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil

common/tls/acme_contstant.go

@@ -1,3 +1,3 @@
-package constant
+package tls
 
 const ACMETLS1Protocol = "acme-tls/1"

common/tls/acme_logger.go

@@ -1,41 +0,0 @@
-package tls
-
-import (
-	"strings"
-
-	"github.com/sagernet/sing/common/logger"
-
-	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
-)
-
-type ACMELogWriter struct {
-	Logger logger.Logger
-}
-
-func (w *ACMELogWriter) Write(p []byte) (n int, err error) {
-	logLine := strings.ReplaceAll(string(p), "	", ": ")
-	switch {
-	case strings.HasPrefix(logLine, "error: "):
-		w.Logger.Error(logLine[7:])
-	case strings.HasPrefix(logLine, "warn: "):
-		w.Logger.Warn(logLine[6:])
-	case strings.HasPrefix(logLine, "info: "):
-		w.Logger.Info(logLine[6:])
-	case strings.HasPrefix(logLine, "debug: "):
-		w.Logger.Debug(logLine[7:])
-	default:
-		w.Logger.Debug(logLine)
-	}
-	return len(p), nil
-}
-
-func (w *ACMELogWriter) Sync() error {
-	return nil
-}
-
-func ACMEEncoderConfig() zapcore.EncoderConfig {
-	config := zap.NewProductionEncoderConfig()
-	config.TimeKey = zapcore.OmitKey
-	return config
-}

common/tls/reality_server.go

@@ -32,10 +32,6 @@ type RealityServerConfig struct {
 func NewRealityServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
 	var tlsConfig utls.RealityConfig
 
-	if options.CertificateProvider != nil {
-		return nil, E.New("certificate_provider is unavailable in reality")
-	}
-	//nolint:staticcheck
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in reality")
 	}

common/tls/std_server.go

@@ -13,87 +13,19 @@ import (
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
-	"github.com/sagernet/sing/service"
 )
 
 var errInsecureUnused = E.New("tls: insecure unused")
 
-type managedCertificateProvider interface {
-	adapter.CertificateProvider
-	adapter.SimpleLifecycle
-}
-
-type sharedCertificateProvider struct {
-	tag      string
-	manager  adapter.CertificateProviderManager
-	provider adapter.CertificateProviderService
-}
-
-func (p *sharedCertificateProvider) Start() error {
-	provider, found := p.manager.Get(p.tag)
-	if !found {
-		return E.New("certificate provider not found: ", p.tag)
-	}
-	p.provider = provider
-	return nil
-}
-
-func (p *sharedCertificateProvider) Close() error {
-	return nil
-}
-
-func (p *sharedCertificateProvider) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	return p.provider.GetCertificate(hello)
-}
-
-func (p *sharedCertificateProvider) GetACMENextProtos() []string {
-	return getACMENextProtos(p.provider)
-}
-
-type inlineCertificateProvider struct {
-	provider adapter.CertificateProviderService
-}
-
-func (p *inlineCertificateProvider) Start() error {
-	for _, stage := range adapter.ListStartStages {
-		err := adapter.LegacyStart(p.provider, stage)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (p *inlineCertificateProvider) Close() error {
-	return p.provider.Close()
-}
-
-func (p *inlineCertificateProvider) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	return p.provider.GetCertificate(hello)
-}
-
-func (p *inlineCertificateProvider) GetACMENextProtos() []string {
-	return getACMENextProtos(p.provider)
-}
-
-func getACMENextProtos(provider adapter.CertificateProvider) []string {
-	if acmeProvider, isACME := provider.(adapter.ACMECertificateProvider); isACME {
-		return acmeProvider.GetACMENextProtos()
-	}
-	return nil
-}
-
 type STDServerConfig struct {
 	access                sync.RWMutex
 	config                *tls.Config
 	logger                log.Logger
-	certificateProvider   managedCertificateProvider
 	acmeService           adapter.SimpleLifecycle
 	certificate           []byte
 	key                   []byte
@@ -121,17 +53,18 @@ func (c *STDServerConfig) SetServerName(serverName string) {
 func (c *STDServerConfig) NextProtos() []string {
 	c.access.RLock()
 	defer c.access.RUnlock()
-	if c.hasACMEALPN() && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == C.ACMETLS1Protocol {
+	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
 		return c.config.NextProtos[1:]
+	} else {
+		return c.config.NextProtos
 	}
-	return c.config.NextProtos
 }
 
 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.access.Lock()
 	defer c.access.Unlock()
 	config := c.config.Clone()
-	if c.hasACMEALPN() && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == C.ACMETLS1Protocol {
+	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
 		config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
 	} else {
 		config.NextProtos = nextProto
@@ -139,18 +72,6 @@ func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.config = config
 }
 
-func (c *STDServerConfig) hasACMEALPN() bool {
-	if c.acmeService != nil {
-		return true
-	}
-	if c.certificateProvider != nil {
-		if acmeProvider, isACME := c.certificateProvider.(adapter.ACMECertificateProvider); isACME {
-			return len(acmeProvider.GetACMENextProtos()) > 0
-		}
-	}
-	return false
-}
-
 func (c *STDServerConfig) STDConfig() (*STDConfig, error) {
 	return c.config, nil
 }
@@ -170,39 +91,15 @@ func (c *STDServerConfig) Clone() Config {
 }
 
 func (c *STDServerConfig) Start() error {
-	if c.certificateProvider != nil {
-		err := c.certificateProvider.Start()
-		if err != nil {
-			return err
-		}
-		if acmeProvider, isACME := c.certificateProvider.(adapter.ACMECertificateProvider); isACME {
-			nextProtos := acmeProvider.GetACMENextProtos()
-			if len(nextProtos) > 0 {
-				c.access.Lock()
-				config := c.config.Clone()
-				mergedNextProtos := append([]string{}, nextProtos...)
-				for _, nextProto := range config.NextProtos {
-					if !common.Contains(mergedNextProtos, nextProto) {
-						mergedNextProtos = append(mergedNextProtos, nextProto)
-					}
-				}
-				config.NextProtos = mergedNextProtos
-				c.config = config
-				c.access.Unlock()
-			}
-		}
-	}
 	if c.acmeService != nil {
-		err := c.acmeService.Start()
+		return c.acmeService.Start()
+	} else {
+		err := c.startWatcher()
 		if err != nil {
-			return err
+			c.logger.Warn("create fsnotify watcher: ", err)
 		}
+		return nil
 	}
-	err := c.startWatcher()
-	if err != nil {
-		c.logger.Warn("create fsnotify watcher: ", err)
-	}
-	return nil
 }
 
 func (c *STDServerConfig) startWatcher() error {
@@ -306,34 +203,23 @@ func (c *STDServerConfig) certificateUpdated(path string) error {
 }
 
 func (c *STDServerConfig) Close() error {
-	return common.Close(c.certificateProvider, c.acmeService, c.watcher)
+	if c.acmeService != nil {
+		return c.acmeService.Close()
+	}
+	if c.watcher != nil {
+		return c.watcher.Close()
+	}
+	return nil
 }
 
 func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
-	//nolint:staticcheck
-	if options.CertificateProvider != nil && options.ACME != nil {
-		return nil, E.New("certificate_provider and acme are mutually exclusive")
-	}
 	var tlsConfig *tls.Config
-	var certificateProvider managedCertificateProvider
 	var acmeService adapter.SimpleLifecycle
 	var err error
-	if options.CertificateProvider != nil {
-		certificateProvider, err = newCertificateProvider(ctx, logger, options.CertificateProvider)
-		if err != nil {
-			return nil, err
-		}
-		tlsConfig = &tls.Config{
-			GetCertificate: certificateProvider.GetCertificate,
-		}
-		if options.Insecure {
-			return nil, errInsecureUnused
-		}
-	} else if options.ACME != nil && len(options.ACME.Domain) > 0 { //nolint:staticcheck
-		deprecated.Report(ctx, deprecated.OptionInlineACME)
+	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		//nolint:staticcheck
 		tlsConfig, acmeService, err = startACME(ctx, logger, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
@@ -386,7 +272,7 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 		certificate []byte
 		key         []byte
 	)
-	if certificateProvider == nil && acmeService == nil {
+	if acmeService == nil {
 		if len(options.Certificate) > 0 {
 			certificate = []byte(strings.Join(options.Certificate, "\n"))
 		} else if options.CertificatePath != "" {
@@ -474,7 +360,6 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 	serverConfig := &STDServerConfig{
 		config:                tlsConfig,
 		logger:                logger,
-		certificateProvider:   certificateProvider,
 		acmeService:           acmeService,
 		certificate:           certificate,
 		key:                   key,
@@ -484,8 +369,8 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 		echKeyPath:            echKeyPath,
 	}
 	serverConfig.config.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
-		serverConfig.access.RLock()
-		defer serverConfig.access.RUnlock()
+		serverConfig.access.Lock()
+		defer serverConfig.access.Unlock()
 		return serverConfig.config, nil
 	}
 	var config ServerConfig = serverConfig
@@ -502,27 +387,3 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 	}
 	return config, nil
 }
-
-func newCertificateProvider(ctx context.Context, logger log.ContextLogger, options *option.CertificateProviderOptions) (managedCertificateProvider, error) {
-	if options.IsShared() {
-		manager := service.FromContext[adapter.CertificateProviderManager](ctx)
-		if manager == nil {
-			return nil, E.New("missing certificate provider manager in context")
-		}
-		return &sharedCertificateProvider{
-			tag:     options.Tag,
-			manager: manager,
-		}, nil
-	}
-	registry := service.FromContext[adapter.CertificateProviderRegistry](ctx)
-	if registry == nil {
-		return nil, E.New("missing certificate provider registry in context")
-	}
-	provider, err := registry.Create(ctx, logger, "", options.Type, options.Options)
-	if err != nil {
-		return nil, E.Cause(err, "create inline certificate provider")
-	}
-	return &inlineCertificateProvider{
-		provider: provider,
-	}, nil
-}

constant/dns.go

@@ -15,18 +15,19 @@ const (
 )
 
 const (
-	DNSTypeLegacy    = "legacy"
-	DNSTypeUDP       = "udp"
-	DNSTypeTCP       = "tcp"
-	DNSTypeTLS       = "tls"
-	DNSTypeHTTPS     = "https"
-	DNSTypeQUIC      = "quic"
-	DNSTypeHTTP3     = "h3"
-	DNSTypeLocal     = "local"
-	DNSTypeHosts     = "hosts"
-	DNSTypeFakeIP    = "fakeip"
-	DNSTypeDHCP      = "dhcp"
-	DNSTypeTailscale = "tailscale"
+	DNSTypeLegacy      = "legacy"
+	DNSTypeLegacyRcode = "legacy_rcode"
+	DNSTypeUDP         = "udp"
+	DNSTypeTCP         = "tcp"
+	DNSTypeTLS         = "tls"
+	DNSTypeHTTPS       = "https"
+	DNSTypeQUIC        = "quic"
+	DNSTypeHTTP3       = "h3"
+	DNSTypeLocal       = "local"
+	DNSTypeHosts       = "hosts"
+	DNSTypeFakeIP      = "fakeip"
+	DNSTypeDHCP        = "dhcp"
+	DNSTypeTailscale   = "tailscale"
 )
 
 const (

constant/proxy.go

@@ -1,38 +1,36 @@
 package constant
 
 const (
-	TypeTun                = "tun"
-	TypeRedirect           = "redirect"
-	TypeTProxy             = "tproxy"
-	TypeDirect             = "direct"
-	TypeBlock              = "block"
-	TypeDNS                = "dns"
-	TypeSOCKS              = "socks"
-	TypeHTTP               = "http"
-	TypeMixed              = "mixed"
-	TypeShadowsocks        = "shadowsocks"
-	TypeVMess              = "vmess"
-	TypeTrojan             = "trojan"
-	TypeNaive              = "naive"
-	TypeWireGuard          = "wireguard"
-	TypeHysteria           = "hysteria"
-	TypeTor                = "tor"
-	TypeSSH                = "ssh"
-	TypeShadowTLS          = "shadowtls"
-	TypeAnyTLS             = "anytls"
-	TypeShadowsocksR       = "shadowsocksr"
-	TypeVLESS              = "vless"
-	TypeTUIC               = "tuic"
-	TypeHysteria2          = "hysteria2"
-	TypeTailscale          = "tailscale"
-	TypeDERP               = "derp"
-	TypeResolved           = "resolved"
-	TypeSSMAPI             = "ssm-api"
-	TypeCCM                = "ccm"
-	TypeOCM                = "ocm"
-	TypeOOMKiller          = "oom-killer"
-	TypeACME               = "acme"
-	TypeCloudflareOriginCA = "cloudflare-origin-ca"
+	TypeTun          = "tun"
+	TypeRedirect     = "redirect"
+	TypeTProxy       = "tproxy"
+	TypeDirect       = "direct"
+	TypeBlock        = "block"
+	TypeDNS          = "dns"
+	TypeSOCKS        = "socks"
+	TypeHTTP         = "http"
+	TypeMixed        = "mixed"
+	TypeShadowsocks  = "shadowsocks"
+	TypeVMess        = "vmess"
+	TypeTrojan       = "trojan"
+	TypeNaive        = "naive"
+	TypeWireGuard    = "wireguard"
+	TypeHysteria     = "hysteria"
+	TypeTor          = "tor"
+	TypeSSH          = "ssh"
+	TypeShadowTLS    = "shadowtls"
+	TypeAnyTLS       = "anytls"
+	TypeShadowsocksR = "shadowsocksr"
+	TypeVLESS        = "vless"
+	TypeTUIC         = "tuic"
+	TypeHysteria2    = "hysteria2"
+	TypeTailscale    = "tailscale"
+	TypeDERP         = "derp"
+	TypeResolved     = "resolved"
+	TypeSSMAPI       = "ssm-api"
+	TypeCCM          = "ccm"
+	TypeOCM          = "ocm"
+	TypeOOMKiller    = "oom-killer"
 )
 
 const (

constant/rule.go

@@ -29,7 +29,6 @@ const (
 const (
 	RuleActionTypeRoute        = "route"
 	RuleActionTypeRouteOptions = "route-options"
-	RuleActionTypeEvaluate     = "evaluate"
 	RuleActionTypeDirect       = "direct"
 	RuleActionTypeBypass       = "bypass"
 	RuleActionTypeReject       = "reject"

daemon/started_service.go

@@ -168,7 +168,7 @@ func (s *StartedService) waitForStarted(ctx context.Context) error {
 func (s *StartedService) StartOrReloadService(profileContent string, options *OverrideOptions) error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
-	case ServiceStatus_IDLE, ServiceStatus_STARTED, ServiceStatus_STARTING, ServiceStatus_FATAL:
+	case ServiceStatus_IDLE, ServiceStatus_STARTED, ServiceStatus_STARTING:
 	default:
 		s.serviceAccess.Unlock()
 		return os.ErrInvalid
@@ -226,14 +226,13 @@ func (s *StartedService) CloseService() error {
 		return os.ErrInvalid
 	}
 	s.updateStatus(ServiceStatus_STOPPING)
-	instance := s.instance
-	s.instance = nil
-	if instance != nil {
-		err := instance.Close()
+	if s.instance != nil {
+		err := s.instance.Close()
 		if err != nil {
 			return s.updateStatusError(err)
 		}
 	}
+	s.instance = nil
 	s.startedAt = time.Time{}
 	s.updateStatus(ServiceStatus_IDLE)
 	s.serviceAccess.Unlock()
@@ -950,11 +949,11 @@ func buildConnectionProto(metadata *trafficontrol.TrackerMetadata) *Connection {
 	var processInfo *ProcessInfo
 	if metadata.Metadata.ProcessInfo != nil {
 		processInfo = &ProcessInfo{
-			ProcessId:    metadata.Metadata.ProcessInfo.ProcessID,
-			UserId:       metadata.Metadata.ProcessInfo.UserId,
-			UserName:     metadata.Metadata.ProcessInfo.UserName,
-			ProcessPath:  metadata.Metadata.ProcessInfo.ProcessPath,
-			PackageNames: metadata.Metadata.ProcessInfo.AndroidPackageNames,
+			ProcessId:   metadata.Metadata.ProcessInfo.ProcessID,
+			UserId:      metadata.Metadata.ProcessInfo.UserId,
+			UserName:    metadata.Metadata.ProcessInfo.UserName,
+			ProcessPath: metadata.Metadata.ProcessInfo.ProcessPath,
+			PackageName: metadata.Metadata.ProcessInfo.AndroidPackageName,
 		}
 	}
 	return &Connection{

daemon/started_service.pb.go

@@ -1460,7 +1460,7 @@ type ProcessInfo struct {
 	UserId        int32                  `protobuf:"varint,2,opt,name=userId,proto3" json:"userId,omitempty"`
 	UserName      string                 `protobuf:"bytes,3,opt,name=userName,proto3" json:"userName,omitempty"`
 	ProcessPath   string                 `protobuf:"bytes,4,opt,name=processPath,proto3" json:"processPath,omitempty"`
-	PackageNames  []string               `protobuf:"bytes,5,rep,name=packageNames,proto3" json:"packageNames,omitempty"`
+	PackageName   string                 `protobuf:"bytes,5,opt,name=packageName,proto3" json:"packageName,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -1523,11 +1523,11 @@ func (x *ProcessInfo) GetProcessPath() string {
 	return ""
 }
 
-func (x *ProcessInfo) GetPackageNames() []string {
+func (x *ProcessInfo) GetPackageName() string {
 	if x != nil {
-		return x.PackageNames
+		return x.PackageName
 	}
-	return nil
+	return ""
 }
 
 type CloseConnectionRequest struct {
@@ -1884,13 +1884,13 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\boutbound\x18\x13 \x01(\tR\boutbound\x12\"\n" +
 	"\foutboundType\x18\x14 \x01(\tR\foutboundType\x12\x1c\n" +
 	"\tchainList\x18\x15 \x03(\tR\tchainList\x125\n" +
-	"\vprocessInfo\x18\x16 \x01(\v2\x13.daemon.ProcessInfoR\vprocessInfo\"\xa5\x01\n" +
+	"\vprocessInfo\x18\x16 \x01(\v2\x13.daemon.ProcessInfoR\vprocessInfo\"\xa3\x01\n" +
 	"\vProcessInfo\x12\x1c\n" +
 	"\tprocessId\x18\x01 \x01(\rR\tprocessId\x12\x16\n" +
 	"\x06userId\x18\x02 \x01(\x05R\x06userId\x12\x1a\n" +
 	"\buserName\x18\x03 \x01(\tR\buserName\x12 \n" +
-	"\vprocessPath\x18\x04 \x01(\tR\vprocessPath\x12\"\n" +
-	"\fpackageNames\x18\x05 \x03(\tR\fpackageNames\"(\n" +
+	"\vprocessPath\x18\x04 \x01(\tR\vprocessPath\x12 \n" +
+	"\vpackageName\x18\x05 \x01(\tR\vpackageName\"(\n" +
 	"\x16CloseConnectionRequest\x12\x0e\n" +
 	"\x02id\x18\x01 \x01(\tR\x02id\"K\n" +
 	"\x12DeprecatedWarnings\x125\n" +

daemon/started_service.proto

@@ -195,7 +195,7 @@ message ProcessInfo {
   int32 userId = 2;
   string userName = 3;
   string processPath = 4;
-  repeated string packageNames = 5;
+  string packageName = 5;
 }
 
 message CloseConnectionRequest {

dns/client.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"net"
 	"net/netip"
+	"strings"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -13,6 +14,7 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
@@ -107,7 +109,7 @@ func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
 	return 0, false
 }
 
-func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) (*dns.Msg, error) {
+func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
 			c.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
@@ -237,10 +239,13 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	disableCache = disableCache || (response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError)
 	if responseChecker != nil {
 		var rejected bool
+		// TODO: add accept_any rule and support to check response instead of addresses
 		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 			rejected = true
+		} else if len(response.Answer) == 0 {
+			rejected = !responseChecker(nil)
 		} else {
-			rejected = !responseChecker(response)
+			rejected = !responseChecker(MessageToAddresses(response))
 		}
 		if rejected {
 			if !disableCache && c.rdrc != nil {
@@ -310,7 +315,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	return response, nil
 }
 
-func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error) {
+func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
 	domain = FqdnToDomain(domain)
 	dnsName := dns.Fqdn(domain)
 	var strategy C.DomainStrategy
@@ -395,7 +400,7 @@ func (c *Client) storeCache(transport adapter.DNSTransport, question dns.Questio
 	}
 }
 
-func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error) {
+func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
 	question := dns.Question{
 		Name:   name,
 		Qtype:  qType,
@@ -510,7 +515,25 @@ func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransp
 }
 
 func MessageToAddresses(response *dns.Msg) []netip.Addr {
-	return adapter.DNSResponseAddresses(response)
+	if response == nil || response.Rcode != dns.RcodeSuccess {
+		return nil
+	}
+	addresses := make([]netip.Addr, 0, len(response.Answer))
+	for _, rawAnswer := range response.Answer {
+		switch answer := rawAnswer.(type) {
+		case *dns.A:
+			addresses = append(addresses, M.AddrFromIP(answer.A))
+		case *dns.AAAA:
+			addresses = append(addresses, M.AddrFromIP(answer.AAAA))
+		case *dns.HTTPS:
+			for _, value := range answer.SVCB.Value {
+				if value.Key() == dns.SVCB_IPV4HINT || value.Key() == dns.SVCB_IPV6HINT {
+					addresses = append(addresses, common.Map(strings.Split(value.String(), ","), M.ParseAddr)...)
+				}
+			}
+		}
+	}
+	return addresses
 }
 
 func wrapError(err error) error {

dns/repro_test.go

@@ -1,111 +0,0 @@
-package dns
-
-import (
-	"context"
-	"errors"
-	"net/netip"
-	"testing"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/json/badoption"
-
-	mDNS "github.com/miekg/dns"
-	"github.com/stretchr/testify/require"
-)
-
-func TestReproLookupWithRulesUsesRequestStrategy(t *testing.T) {
-	t.Parallel()
-
-	defaultTransport := &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP}
-	var qTypes []uint16
-	router := newTestRouter(t, nil, &fakeDNSTransportManager{
-		defaultTransport: defaultTransport,
-		transports: map[string]adapter.DNSTransport{
-			"default": defaultTransport,
-		},
-	}, &fakeDNSClient{
-		exchange: func(transport adapter.DNSTransport, message *mDNS.Msg) (*mDNS.Msg, error) {
-			qTypes = append(qTypes, message.Question[0].Qtype)
-			if message.Question[0].Qtype == mDNS.TypeA {
-				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("2.2.2.2")}, 60), nil
-			}
-			return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("2001:db8::1")}, 60), nil
-		},
-	})
-
-	addrs, err := router.Lookup(context.Background(), "example.com", adapter.DNSQueryOptions{
-		Strategy: C.DomainStrategyIPv4Only,
-	})
-	require.NoError(t, err)
-	require.Equal(t, []uint16{mDNS.TypeA}, qTypes)
-	require.Equal(t, []netip.Addr{netip.MustParseAddr("2.2.2.2")}, addrs)
-}
-
-func TestReproLogicalMatchResponseIPCIDR(t *testing.T) {
-	t.Parallel()
-
-	transportManager := &fakeDNSTransportManager{
-		defaultTransport: &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP},
-		transports: map[string]adapter.DNSTransport{
-			"upstream": &fakeDNSTransport{tag: "upstream", transportType: C.DNSTypeUDP},
-			"selected": &fakeDNSTransport{tag: "selected", transportType: C.DNSTypeUDP},
-			"default":  &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP},
-		},
-	}
-	client := &fakeDNSClient{
-		exchange: func(transport adapter.DNSTransport, message *mDNS.Msg) (*mDNS.Msg, error) {
-			switch transport.Tag() {
-			case "upstream":
-				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("1.1.1.1")}, 60), nil
-			case "selected":
-				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("8.8.8.8")}, 60), nil
-			default:
-				return nil, errors.New("unexpected transport")
-			}
-		},
-	}
-	rules := []option.DNSRule{
-		{
-			Type: C.RuleTypeDefault,
-			DefaultOptions: option.DefaultDNSRule{
-				RawDefaultDNSRule: option.RawDefaultDNSRule{
-					Domain: badoption.Listable[string]{"example.com"},
-				},
-				DNSRuleAction: option.DNSRuleAction{
-					Action:       C.RuleActionTypeEvaluate,
-					RouteOptions: option.DNSRouteActionOptions{Server: "upstream"},
-				},
-			},
-		},
-		{
-			Type: C.RuleTypeLogical,
-			LogicalOptions: option.LogicalDNSRule{
-				RawLogicalDNSRule: option.RawLogicalDNSRule{
-					Mode: C.LogicalTypeOr,
-					Rules: []option.DNSRule{{
-						Type: C.RuleTypeDefault,
-						DefaultOptions: option.DefaultDNSRule{
-							RawDefaultDNSRule: option.RawDefaultDNSRule{
-								MatchResponse: true,
-								IPCIDR:        badoption.Listable[string]{"1.1.1.0/24"},
-							},
-						},
-					}},
-				},
-				DNSRuleAction: option.DNSRuleAction{
-					Action:       C.RuleActionTypeRoute,
-					RouteOptions: option.DNSRouteActionOptions{Server: "selected"},
-				},
-			},
-		},
-	}
-	router := newTestRouter(t, rules, transportManager, client)
-
-	response, err := router.Exchange(context.Background(), &mDNS.Msg{
-		Question: []mDNS.Question{fixedQuestion("example.com", mDNS.TypeA)},
-	}, adapter.DNSQueryOptions{})
-	require.NoError(t, err)
-	require.Equal(t, []netip.Addr{netip.MustParseAddr("8.8.8.8")}, MessageToAddresses(response))
-}

dns/router.go

@@ -5,13 +5,11 @@ import (
 	"errors"
 	"net/netip"
 	"strings"
-	"sync"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	R "github.com/sagernet/sing-box/route/rule"
@@ -21,8 +19,6 @@ import (
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/common/task"
-	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
 	"github.com/sagernet/sing/service"
@@ -32,29 +28,16 @@ import (
 
 var _ adapter.DNSRouter = (*Router)(nil)
 
-type dnsRuleSetCallback struct {
-	ruleSet adapter.RuleSet
-	element *list.Element[adapter.RuleSetUpdateCallback]
-}
-
 type Router struct {
-	ctx                             context.Context
-	logger                          logger.ContextLogger
-	transport                       adapter.DNSTransportManager
-	outbound                        adapter.OutboundManager
-	client                          adapter.DNSClient
-	rawRules                        []option.DNSRule
-	rules                           []adapter.DNSRule
-	defaultDomainStrategy           C.DomainStrategy
-	dnsReverseMapping               freelru.Cache[netip.Addr, string]
-	platformInterface               adapter.PlatformInterface
-	legacyDNSMode                   bool
-	rulesAccess                     sync.RWMutex
-	rebuildAccess                   sync.Mutex
-	closing                         bool
-	ruleSetCallbacks                []dnsRuleSetCallback
-	addressFilterDeprecatedReported bool
-	ruleStrategyDeprecatedReported  bool
+	ctx                   context.Context
+	logger                logger.ContextLogger
+	transport             adapter.DNSTransportManager
+	outbound              adapter.OutboundManager
+	client                adapter.DNSClient
+	rules                 []adapter.DNSRule
+	defaultDomainStrategy C.DomainStrategy
+	dnsReverseMapping     freelru.Cache[netip.Addr, string]
+	platformInterface     adapter.PlatformInterface
 }
 
 func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOptions) *Router {
@@ -63,7 +46,6 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOp
 		logger:                logFactory.NewLogger("dns"),
 		transport:             service.FromContext[adapter.DNSTransportManager](ctx),
 		outbound:              service.FromContext[adapter.OutboundManager](ctx),
-		rawRules:              make([]option.DNSRule, 0, len(options.Rules)),
 		rules:                 make([]adapter.DNSRule, 0, len(options.Rules)),
 		defaultDomainStrategy: C.DomainStrategy(options.Strategy),
 	}
@@ -92,12 +74,13 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOp
 }
 
 func (r *Router) Initialize(rules []option.DNSRule) error {
-	r.rawRules = append(r.rawRules[:0], rules...)
-	newRules, _, err := r.buildRules(false)
-	if err != nil {
-		return err
+	for i, ruleOptions := range rules {
+		dnsRule, err := R.NewDNSRule(r.ctx, r.logger, ruleOptions, true)
+		if err != nil {
+			return E.Cause(err, "parse dns rule[", i, "]")
+		}
+		r.rules = append(r.rules, dnsRule)
 	}
-	closeRules(newRules)
 	return nil
 }
 
@@ -109,24 +92,12 @@ func (r *Router) Start(stage adapter.StartStage) error {
 		r.client.Start()
 		monitor.Finish()
 
-		monitor.Start("initialize DNS rules")
-		err := r.rebuildRules(true)
-		monitor.Finish()
-		if err != nil {
-			return err
-		}
-		monitor.Start("register DNS rule-set callbacks")
-		needsRulesRefresh, err := r.registerRuleSetCallbacks()
-		monitor.Finish()
-		if err != nil {
-			return err
-		}
-		if needsRulesRefresh {
-			monitor.Start("refresh DNS rules after callback registration")
-			err = r.rebuildRules(true)
+		for i, rule := range r.rules {
+			monitor.Start("initialize DNS rule[", i, "]")
+			err := rule.Start()
 			monitor.Finish()
 			if err != nil {
-				r.logger.Error(E.Cause(err, "refresh DNS rules after callback registration"))
+				return E.Cause(err, "initialize DNS rule[", i, "]")
 			}
 		}
 	}
@@ -135,18 +106,8 @@ func (r *Router) Start(stage adapter.StartStage) error {
 
 func (r *Router) Close() error {
 	monitor := taskmonitor.New(r.logger, C.StopTimeout)
-	r.rulesAccess.Lock()
-	r.closing = true
-	callbacks := r.ruleSetCallbacks
-	r.ruleSetCallbacks = nil
-	runtimeRules := r.rules
-	r.rules = nil
-	for _, callback := range callbacks {
-		callback.ruleSet.UnregisterCallback(callback.element)
-	}
-	r.rulesAccess.Unlock()
 	var err error
-	for i, rule := range runtimeRules {
+	for i, rule := range r.rules {
 		monitor.Start("close dns rule[", i, "]")
 		err = E.Append(err, rule.Close(), func(err error) error {
 			return E.Cause(err, "close dns rule[", i, "]")
@@ -156,151 +117,6 @@ func (r *Router) Close() error {
 	return err
 }
 
-func (r *Router) rebuildRules(startRules bool) error {
-	r.rebuildAccess.Lock()
-	defer r.rebuildAccess.Unlock()
-	if r.isClosing() {
-		return nil
-	}
-	newRules, legacyDNSMode, err := r.buildRules(startRules)
-	if err != nil {
-		if r.isClosing() {
-			return nil
-		}
-		return err
-	}
-	shouldReportAddressFilterDeprecated := startRules &&
-		legacyDNSMode &&
-		!r.addressFilterDeprecatedReported &&
-		common.Any(newRules, func(rule adapter.DNSRule) bool { return rule.WithAddressLimit() })
-	shouldReportRuleStrategyDeprecated := startRules &&
-		legacyDNSMode &&
-		!r.ruleStrategyDeprecatedReported &&
-		hasDNSRuleActionStrategy(r.rawRules)
-	r.rulesAccess.Lock()
-	if r.closing {
-		r.rulesAccess.Unlock()
-		closeRules(newRules)
-		return nil
-	}
-	oldRules := r.rules
-	r.rules = newRules
-	r.legacyDNSMode = legacyDNSMode
-	if shouldReportAddressFilterDeprecated {
-		r.addressFilterDeprecatedReported = true
-	}
-	if shouldReportRuleStrategyDeprecated {
-		r.ruleStrategyDeprecatedReported = true
-	}
-	r.rulesAccess.Unlock()
-	closeRules(oldRules)
-	if shouldReportAddressFilterDeprecated {
-		deprecated.Report(r.ctx, deprecated.OptionLegacyDNSAddressFilter)
-	}
-	if shouldReportRuleStrategyDeprecated {
-		deprecated.Report(r.ctx, deprecated.OptionLegacyDNSRuleStrategy)
-	}
-	return nil
-}
-
-func (r *Router) isClosing() bool {
-	r.rulesAccess.RLock()
-	defer r.rulesAccess.RUnlock()
-	return r.closing
-}
-
-func (r *Router) buildRules(startRules bool) ([]adapter.DNSRule, bool, error) {
-	for i, ruleOptions := range r.rawRules {
-		err := R.ValidateNoNestedDNSRuleActions(ruleOptions)
-		if err != nil {
-			return nil, false, E.Cause(err, "parse dns rule[", i, "]")
-		}
-	}
-	router := service.FromContext[adapter.Router](r.ctx)
-	legacyDNSMode, err := resolveLegacyDNSMode(router, r.rawRules)
-	if err != nil {
-		return nil, false, err
-	}
-	if !legacyDNSMode {
-		err = validateLegacyDNSModeDisabledRules(r.rawRules)
-		if err != nil {
-			return nil, false, err
-		}
-	}
-	newRules := make([]adapter.DNSRule, 0, len(r.rawRules))
-	for i, ruleOptions := range r.rawRules {
-		dnsRule, err := R.NewDNSRule(r.ctx, r.logger, ruleOptions, true, legacyDNSMode)
-		if err != nil {
-			closeRules(newRules)
-			return nil, false, E.Cause(err, "parse dns rule[", i, "]")
-		}
-		newRules = append(newRules, dnsRule)
-	}
-	if startRules {
-		for i, rule := range newRules {
-			err := rule.Start()
-			if err != nil {
-				closeRules(newRules)
-				return nil, false, E.Cause(err, "initialize DNS rule[", i, "]")
-			}
-		}
-	}
-	return newRules, legacyDNSMode, nil
-}
-
-func closeRules(rules []adapter.DNSRule) {
-	for _, rule := range rules {
-		_ = rule.Close()
-	}
-}
-
-func (r *Router) registerRuleSetCallbacks() (bool, error) {
-	tags := referencedDNSRuleSetTags(r.rawRules)
-	if len(tags) == 0 {
-		return false, nil
-	}
-	r.rulesAccess.RLock()
-	if len(r.ruleSetCallbacks) > 0 {
-		r.rulesAccess.RUnlock()
-		return true, nil
-	}
-	r.rulesAccess.RUnlock()
-	router := service.FromContext[adapter.Router](r.ctx)
-	if router == nil {
-		return false, E.New("router service not found")
-	}
-	callbacks := make([]dnsRuleSetCallback, 0, len(tags))
-	for _, tag := range tags {
-		ruleSet, loaded := router.RuleSet(tag)
-		if !loaded {
-			for _, callback := range callbacks {
-				callback.ruleSet.UnregisterCallback(callback.element)
-			}
-			return false, E.New("rule-set not found: ", tag)
-		}
-		element := ruleSet.RegisterCallback(func(adapter.RuleSet) {
-			err := r.rebuildRules(true)
-			if err != nil {
-				r.logger.Error(E.Cause(err, "rebuild DNS rules after rule-set update"))
-			}
-		})
-		callbacks = append(callbacks, dnsRuleSetCallback{
-			ruleSet: ruleSet,
-			element: element,
-		})
-	}
-	r.rulesAccess.Lock()
-	if len(r.ruleSetCallbacks) == 0 {
-		r.ruleSetCallbacks = callbacks
-		callbacks = nil
-	}
-	r.rulesAccess.Unlock()
-	for _, callback := range callbacks {
-		callback.ruleSet.UnregisterCallback(callback.element)
-	}
-	return true, nil
-}
-
 func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int, isAddressQuery bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, adapter.DNSRule, int) {
 	metadata := adapter.ContextFrom(ctx)
 	if metadata == nil {
@@ -316,12 +132,16 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 			continue
 		}
 		metadata.ResetRuleCache()
-		metadata.DestinationAddressMatchFromResponse = false
-		if currentRule.LegacyPreMatch(metadata) {
-			if ruleDescription := currentRule.String(); ruleDescription != "" {
-				r.logger.DebugContext(ctx, "match[", currentRuleIndex, "] ", currentRule, " => ", currentRule.Action())
+		if currentRule.Match(metadata) {
+			displayRuleIndex := currentRuleIndex
+			if displayRuleIndex != -1 {
+				displayRuleIndex += displayRuleIndex + 1
+			}
+			ruleDescription := currentRule.String()
+			if ruleDescription != "" {
+				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] ", currentRule, " => ", currentRule.Action())
 			} else {
-				r.logger.DebugContext(ctx, "match[", currentRuleIndex, "] => ", currentRule.Action())
+				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
 			}
 			switch action := currentRule.Action().(type) {
 			case *R.RuleActionDNSRoute:
@@ -346,6 +166,14 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 				if action.ClientSubnet.IsValid() {
 					options.ClientSubnet = action.ClientSubnet
 				}
+				if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+					if options.Strategy == C.DomainStrategyAsIS {
+						options.Strategy = legacyTransport.LegacyStrategy()
+					}
+					if !options.ClientSubnet.IsValid() {
+						options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+					}
+				}
 				return transport, currentRule, currentRuleIndex
 			case *R.RuleActionDNSRouteOptions:
 				if action.Strategy != C.DomainStrategyAsIS {
@@ -368,281 +196,17 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 		}
 	}
 	transport := r.transport.Default()
+	if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+		if options.Strategy == C.DomainStrategyAsIS {
+			options.Strategy = legacyTransport.LegacyStrategy()
+		}
+		if !options.ClientSubnet.IsValid() {
+			options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+		}
+	}
 	return transport, nil, -1
 }
 
-func (r *Router) applyDNSRouteOptions(options *adapter.DNSQueryOptions, routeOptions R.RuleActionDNSRouteOptions) {
-	if routeOptions.DisableCache {
-		options.DisableCache = true
-	}
-	if routeOptions.RewriteTTL != nil {
-		options.RewriteTTL = routeOptions.RewriteTTL
-	}
-	if routeOptions.ClientSubnet.IsValid() {
-		options.ClientSubnet = routeOptions.ClientSubnet
-	}
-}
-
-type dnsRouteStatus uint8
-
-const (
-	dnsRouteStatusMissing dnsRouteStatus = iota
-	dnsRouteStatusSkipped
-	dnsRouteStatusResolved
-)
-
-func (r *Router) resolveDNSRoute(action *R.RuleActionDNSRoute, allowFakeIP bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, dnsRouteStatus) {
-	transport, loaded := r.transport.Transport(action.Server)
-	if !loaded {
-		return nil, dnsRouteStatusMissing
-	}
-	isFakeIP := transport.Type() == C.DNSTypeFakeIP
-	if isFakeIP && !allowFakeIP {
-		return transport, dnsRouteStatusSkipped
-	}
-	r.applyDNSRouteOptions(options, action.RuleActionDNSRouteOptions)
-	if isFakeIP {
-		options.DisableCache = true
-	}
-	return transport, dnsRouteStatusResolved
-}
-
-func (r *Router) logRuleMatch(ctx context.Context, ruleIndex int, currentRule adapter.DNSRule) {
-	if ruleDescription := currentRule.String(); ruleDescription != "" {
-		r.logger.DebugContext(ctx, "match[", ruleIndex, "] ", currentRule, " => ", currentRule.Action())
-	} else {
-		r.logger.DebugContext(ctx, "match[", ruleIndex, "] => ", currentRule.Action())
-	}
-}
-
-type exchangeWithRulesResult struct {
-	response     *mDNS.Msg
-	transport    adapter.DNSTransport
-	rejectAction *R.RuleActionReject
-	err          error
-}
-
-func (r *Router) exchangeWithRules(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions, allowFakeIP bool) exchangeWithRulesResult {
-	metadata := adapter.ContextFrom(ctx)
-	if metadata == nil {
-		panic("no context")
-	}
-	effectiveOptions := options
-	var savedResponse *mDNS.Msg
-	for currentRuleIndex, currentRule := range r.rules {
-		metadata.ResetRuleCache()
-		metadata.DNSResponse = savedResponse
-		metadata.DestinationAddressMatchFromResponse = false
-		if !currentRule.Match(metadata) {
-			continue
-		}
-		r.logRuleMatch(ctx, currentRuleIndex, currentRule)
-		switch action := currentRule.Action().(type) {
-		case *R.RuleActionDNSRouteOptions:
-			r.applyDNSRouteOptions(&effectiveOptions, *action)
-		case *R.RuleActionEvaluate:
-			queryOptions := effectiveOptions
-			transport, status := r.resolveDNSRoute(&R.RuleActionDNSRoute{
-				Server:                    action.Server,
-				RuleActionDNSRouteOptions: action.RuleActionDNSRouteOptions,
-			}, allowFakeIP, &queryOptions)
-			switch status {
-			case dnsRouteStatusMissing:
-				r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
-				savedResponse = nil
-				continue
-			case dnsRouteStatusSkipped:
-				continue
-			}
-			exchangeOptions := queryOptions
-			if exchangeOptions.Strategy == C.DomainStrategyAsIS {
-				exchangeOptions.Strategy = r.defaultDomainStrategy
-			}
-			response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
-			if err != nil {
-				r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
-				savedResponse = nil
-				continue
-			}
-			savedResponse = response
-		case *R.RuleActionDNSRoute:
-			queryOptions := effectiveOptions
-			transport, status := r.resolveDNSRoute(action, allowFakeIP, &queryOptions)
-			switch status {
-			case dnsRouteStatusMissing:
-				r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
-				continue
-			case dnsRouteStatusSkipped:
-				continue
-			}
-			exchangeOptions := queryOptions
-			if exchangeOptions.Strategy == C.DomainStrategyAsIS {
-				exchangeOptions.Strategy = r.defaultDomainStrategy
-			}
-			response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
-			return exchangeWithRulesResult{
-				response:  response,
-				transport: transport,
-				err:       err,
-			}
-		case *R.RuleActionReject:
-			switch action.Method {
-			case C.RuleActionRejectMethodDefault:
-				return exchangeWithRulesResult{
-					response: &mDNS.Msg{
-						MsgHdr: mDNS.MsgHdr{
-							Id:       message.Id,
-							Rcode:    mDNS.RcodeRefused,
-							Response: true,
-						},
-						Question: []mDNS.Question{message.Question[0]},
-					},
-					rejectAction: action,
-				}
-			case C.RuleActionRejectMethodDrop:
-				return exchangeWithRulesResult{
-					rejectAction: action,
-					err:          tun.ErrDrop,
-				}
-			}
-		case *R.RuleActionPredefined:
-			return exchangeWithRulesResult{
-				response: action.Response(message),
-			}
-		}
-	}
-	queryOptions := effectiveOptions
-	transport := r.transport.Default()
-	exchangeOptions := queryOptions
-	if exchangeOptions.Strategy == C.DomainStrategyAsIS {
-		exchangeOptions.Strategy = r.defaultDomainStrategy
-	}
-	response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
-	return exchangeWithRulesResult{
-		response:  response,
-		transport: transport,
-		err:       err,
-	}
-}
-
-type lookupWithRulesResponse struct {
-	addresses []netip.Addr
-}
-
-func (r *Router) resolveLookupStrategy(options adapter.DNSQueryOptions) C.DomainStrategy {
-	if options.LookupStrategy != C.DomainStrategyAsIS {
-		return options.LookupStrategy
-	}
-	if options.Strategy != C.DomainStrategyAsIS {
-		return options.Strategy
-	}
-	return r.defaultDomainStrategy
-}
-
-func lookupStrategyAllowsQueryType(strategy C.DomainStrategy, qType uint16) bool {
-	switch strategy {
-	case C.DomainStrategyIPv4Only:
-		return qType == mDNS.TypeA
-	case C.DomainStrategyIPv6Only:
-		return qType == mDNS.TypeAAAA
-	default:
-		return true
-	}
-}
-
-func withLookupQueryMetadata(ctx context.Context, qType uint16) context.Context {
-	ctx, metadata := adapter.ExtendContext(ctx)
-	metadata.QueryType = qType
-	metadata.IPVersion = 0
-	switch qType {
-	case mDNS.TypeA:
-		metadata.IPVersion = 4
-	case mDNS.TypeAAAA:
-		metadata.IPVersion = 6
-	}
-	return ctx
-}
-
-func filterAddressesByQueryType(addresses []netip.Addr, qType uint16) []netip.Addr {
-	switch qType {
-	case mDNS.TypeA:
-		return common.Filter(addresses, func(address netip.Addr) bool {
-			return address.Is4()
-		})
-	case mDNS.TypeAAAA:
-		return common.Filter(addresses, func(address netip.Addr) bool {
-			return address.Is6()
-		})
-	default:
-		return addresses
-	}
-}
-
-func (r *Router) lookupWithRules(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
-	strategy := r.resolveLookupStrategy(options)
-	lookupOptions := options
-	if strategy != C.DomainStrategyAsIS {
-		lookupOptions.Strategy = strategy
-	}
-	if strategy == C.DomainStrategyIPv4Only {
-		response, err := r.lookupWithRulesType(ctx, domain, mDNS.TypeA, lookupOptions)
-		return response.addresses, err
-	}
-	if strategy == C.DomainStrategyIPv6Only {
-		response, err := r.lookupWithRulesType(ctx, domain, mDNS.TypeAAAA, lookupOptions)
-		return response.addresses, err
-	}
-	var (
-		response4 lookupWithRulesResponse
-		response6 lookupWithRulesResponse
-	)
-	var group task.Group
-	group.Append("exchange4", func(ctx context.Context) error {
-		result, err := r.lookupWithRulesType(ctx, domain, mDNS.TypeA, lookupOptions)
-		response4 = result
-		return err
-	})
-	group.Append("exchange6", func(ctx context.Context) error {
-		result, err := r.lookupWithRulesType(ctx, domain, mDNS.TypeAAAA, lookupOptions)
-		response6 = result
-		return err
-	})
-	err := group.Run(ctx)
-	if len(response4.addresses) == 0 && len(response6.addresses) == 0 {
-		return nil, err
-	}
-	return sortAddresses(response4.addresses, response6.addresses, strategy), nil
-}
-
-func (r *Router) lookupWithRulesType(ctx context.Context, domain string, qType uint16, options adapter.DNSQueryOptions) (lookupWithRulesResponse, error) {
-	request := &mDNS.Msg{
-		MsgHdr: mDNS.MsgHdr{
-			RecursionDesired: true,
-		},
-		Question: []mDNS.Question{{
-			Name:   mDNS.Fqdn(FqdnToDomain(domain)),
-			Qtype:  qType,
-			Qclass: mDNS.ClassINET,
-		}},
-	}
-	exchangeResult := r.exchangeWithRules(withLookupQueryMetadata(ctx, qType), request, options, false)
-	result := lookupWithRulesResponse{}
-	if exchangeResult.rejectAction != nil {
-		return result, exchangeResult.rejectAction.Error(ctx)
-	}
-	if exchangeResult.err != nil {
-		return result, exchangeResult.err
-	}
-	if exchangeResult.response.Rcode != mDNS.RcodeSuccess {
-		return result, RcodeError(exchangeResult.response.Rcode)
-	}
-	if !lookupStrategyAllowsQueryType(r.resolveLookupStrategy(options), qType) {
-		return result, nil
-	}
-	result.addresses = filterAddressesByQueryType(MessageToAddresses(exchangeResult.response), qType)
-	return result, nil
-}
-
 func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
 	if len(message.Question) != 1 {
 		r.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
@@ -656,8 +220,6 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 		}
 		return &responseMessage, nil
 	}
-	r.rulesAccess.RLock()
-	defer r.rulesAccess.RUnlock()
 	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
 	var (
 		response  *mDNS.Msg
@@ -668,8 +230,6 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	ctx, metadata = adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
 	metadata.QueryType = message.Question[0].Qtype
-	metadata.DNSResponse = nil
-	metadata.DestinationAddressMatchFromResponse = false
 	switch metadata.QueryType {
 	case mDNS.TypeA:
 		metadata.IPVersion = 4
@@ -679,13 +239,18 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	metadata.Domain = FqdnToDomain(message.Question[0].Name)
 	if options.Transport != nil {
 		transport = options.Transport
+		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+			if options.Strategy == C.DomainStrategyAsIS {
+				options.Strategy = legacyTransport.LegacyStrategy()
+			}
+			if !options.ClientSubnet.IsValid() {
+				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+			}
+		}
 		if options.Strategy == C.DomainStrategyAsIS {
 			options.Strategy = r.defaultDomainStrategy
 		}
 		response, err = r.client.Exchange(ctx, transport, message, options, nil)
-	} else if !r.legacyDNSMode {
-		exchangeResult := r.exchangeWithRules(ctx, message, options, true)
-		response, transport, err = exchangeResult.response, exchangeResult.transport, exchangeResult.err
 	} else {
 		var (
 			rule      adapter.DNSRule
@@ -760,8 +325,6 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 }
 
 func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
-	r.rulesAccess.RLock()
-	defer r.rulesAccess.RUnlock()
 	var (
 		responseAddrs []netip.Addr
 		err           error
@@ -775,8 +338,6 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 				r.logger.DebugContext(ctx, "response rejected for ", domain, " (cached)")
 			} else if errors.Is(err, ErrResponseRejected) {
 				r.logger.DebugContext(ctx, "response rejected for ", domain)
-			} else if R.IsRejected(err) {
-				r.logger.DebugContext(ctx, "lookup rejected for ", domain)
 			} else {
 				r.logger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
 			}
@@ -789,16 +350,20 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
 	metadata.Domain = FqdnToDomain(domain)
-	metadata.DNSResponse = nil
-	metadata.DestinationAddressMatchFromResponse = false
 	if options.Transport != nil {
 		transport := options.Transport
+		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+			if options.Strategy == C.DomainStrategyAsIS {
+				options.Strategy = legacyTransport.LegacyStrategy()
+			}
+			if !options.ClientSubnet.IsValid() {
+				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+			}
+		}
 		if options.Strategy == C.DomainStrategyAsIS {
 			options.Strategy = r.defaultDomainStrategy
 		}
 		responseAddrs, err = r.client.Lookup(ctx, transport, domain, options, nil)
-	} else if !r.legacyDNSMode {
-		responseAddrs, err = r.lookupWithRules(ctx, domain, options)
 	} else {
 		var (
 			transport adapter.DNSTransport
@@ -860,15 +425,15 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }
 
-func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(response *mDNS.Msg) bool {
+func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
 	if rule == nil || !rule.WithAddressLimit() {
 		return nil
 	}
 	responseMetadata := *metadata
-	return func(response *mDNS.Msg) bool {
+	return func(responseAddrs []netip.Addr) bool {
 		checkMetadata := responseMetadata
-		checkMetadata.DNSResponse = response
-		return rule.MatchAddressLimit(&checkMetadata, response)
+		checkMetadata.DestinationAddresses = responseAddrs
+		return rule.MatchAddressLimit(&checkMetadata)
 	}
 }
 
@@ -893,238 +458,3 @@ func (r *Router) ResetNetwork() {
 		transport.Reset()
 	}
 }
-
-func defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule option.DefaultDNSRule) bool {
-	if rule.IPAcceptAny || rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
-		return true
-	}
-	return !rule.MatchResponse && (len(rule.IPCIDR) > 0 || rule.IPIsPrivate)
-}
-
-func hasResponseMatchFields(rule option.DefaultDNSRule) bool {
-	return rule.ResponseRcode != nil ||
-		len(rule.ResponseAnswer) > 0 ||
-		len(rule.ResponseNs) > 0 ||
-		len(rule.ResponseExtra) > 0
-}
-
-func defaultRuleDisablesLegacyDNSMode(rule option.DefaultDNSRule) bool {
-	return rule.MatchResponse ||
-		hasResponseMatchFields(rule) ||
-		rule.Action == C.RuleActionTypeEvaluate ||
-		rule.IPVersion > 0 ||
-		len(rule.QueryType) > 0
-}
-
-func resolveLegacyDNSMode(router adapter.Router, rules []option.DNSRule) (bool, error) {
-	legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, err := dnsRuleModeRequirements(router, rules)
-	if err != nil {
-		return false, err
-	}
-	if legacyDNSModeDisabled && needsLegacyDNSModeFromStrategy {
-		return false, E.New("DNS rule action strategy is only supported in legacyDNSMode")
-	}
-	if legacyDNSModeDisabled {
-		return false, nil
-	}
-	return needsLegacyDNSMode, nil
-}
-
-func dnsRuleModeRequirements(router adapter.Router, rules []option.DNSRule) (bool, bool, bool, error) {
-	var legacyDNSModeDisabled bool
-	var needsLegacyDNSMode bool
-	var needsLegacyDNSModeFromStrategy bool
-	for i, rule := range rules {
-		ruleLegacyDNSModeDisabled, ruleNeedsLegacyDNSMode, ruleNeedsLegacyDNSModeFromStrategy, err := dnsRuleModeRequirementsInRule(router, rule)
-		if err != nil {
-			return false, false, false, E.Cause(err, "dns rule[", i, "]")
-		}
-		legacyDNSModeDisabled = legacyDNSModeDisabled || ruleLegacyDNSModeDisabled
-		needsLegacyDNSMode = needsLegacyDNSMode || ruleNeedsLegacyDNSMode
-		needsLegacyDNSModeFromStrategy = needsLegacyDNSModeFromStrategy || ruleNeedsLegacyDNSModeFromStrategy
-	}
-	return legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, nil
-}
-
-func dnsRuleModeRequirementsInRule(router adapter.Router, rule option.DNSRule) (bool, bool, bool, error) {
-	switch rule.Type {
-	case "", C.RuleTypeDefault:
-		return dnsRuleModeRequirementsInDefaultRule(router, rule.DefaultOptions)
-	case C.RuleTypeLogical:
-		legacyDNSModeDisabled := dnsRuleActionType(rule) == C.RuleActionTypeEvaluate
-		needsLegacyDNSModeFromStrategy := dnsRuleActionHasStrategy(rule.LogicalOptions.DNSRuleAction)
-		needsLegacyDNSMode := needsLegacyDNSModeFromStrategy
-		for i, subRule := range rule.LogicalOptions.Rules {
-			subLegacyDNSModeDisabled, subNeedsLegacyDNSMode, subNeedsLegacyDNSModeFromStrategy, err := dnsRuleModeRequirementsInRule(router, subRule)
-			if err != nil {
-				return false, false, false, E.Cause(err, "sub rule[", i, "]")
-			}
-			legacyDNSModeDisabled = legacyDNSModeDisabled || subLegacyDNSModeDisabled
-			needsLegacyDNSMode = needsLegacyDNSMode || subNeedsLegacyDNSMode
-			needsLegacyDNSModeFromStrategy = needsLegacyDNSModeFromStrategy || subNeedsLegacyDNSModeFromStrategy
-		}
-		return legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, nil
-	default:
-		return false, false, false, nil
-	}
-}
-
-func dnsRuleModeRequirementsInDefaultRule(router adapter.Router, rule option.DefaultDNSRule) (bool, bool, bool, error) {
-	legacyDNSModeDisabled := defaultRuleDisablesLegacyDNSMode(rule)
-	needsLegacyDNSModeFromStrategy := dnsRuleActionHasStrategy(rule.DNSRuleAction)
-	needsLegacyDNSMode := defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule) || needsLegacyDNSModeFromStrategy
-	if len(rule.RuleSet) == 0 {
-		return legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, nil
-	}
-	if router == nil {
-		return false, false, false, E.New("router service not found")
-	}
-	for _, tag := range rule.RuleSet {
-		ruleSet, loaded := router.RuleSet(tag)
-		if !loaded {
-			return false, false, false, E.New("rule-set not found: ", tag)
-		}
-		metadata := ruleSet.Metadata()
-		// Rule sets are built from headless rules, so query_type is the only
-		// per-query DNS predicate they can contribute here. ip_version is not a
-		// headless-rule item and is therefore intentionally absent from metadata.
-		legacyDNSModeDisabled = legacyDNSModeDisabled || metadata.ContainsDNSQueryTypeRule
-		if !rule.RuleSetIPCIDRMatchSource && metadata.ContainsIPCIDRRule {
-			needsLegacyDNSMode = true
-		}
-	}
-	return legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, nil
-}
-
-func referencedDNSRuleSetTags(rules []option.DNSRule) []string {
-	tagMap := make(map[string]bool)
-	var walkRule func(rule option.DNSRule)
-	walkRule = func(rule option.DNSRule) {
-		switch rule.Type {
-		case "", C.RuleTypeDefault:
-			for _, tag := range rule.DefaultOptions.RuleSet {
-				tagMap[tag] = true
-			}
-		case C.RuleTypeLogical:
-			for _, subRule := range rule.LogicalOptions.Rules {
-				walkRule(subRule)
-			}
-		}
-	}
-	for _, rule := range rules {
-		walkRule(rule)
-	}
-	tags := make([]string, 0, len(tagMap))
-	for tag := range tagMap {
-		if tag != "" {
-			tags = append(tags, tag)
-		}
-	}
-	return tags
-}
-
-func validateLegacyDNSModeDisabledRules(rules []option.DNSRule) error {
-	for i, rule := range rules {
-		consumesResponse, err := validateLegacyDNSModeDisabledRuleTree(rule)
-		if err != nil {
-			return E.Cause(err, "validate dns rule[", i, "]")
-		}
-		action := dnsRuleActionType(rule)
-		if action == C.RuleActionTypeEvaluate && consumesResponse {
-			return E.New("dns rule[", i, "]: evaluate rule cannot consume response state")
-		}
-	}
-	return nil
-}
-
-func validateLegacyDNSModeDisabledRuleTree(rule option.DNSRule) (bool, error) {
-	switch rule.Type {
-	case "", C.RuleTypeDefault:
-		return validateLegacyDNSModeDisabledDefaultRule(rule.DefaultOptions)
-	case C.RuleTypeLogical:
-		var consumesResponse bool
-		for i, subRule := range rule.LogicalOptions.Rules {
-			subConsumesResponse, err := validateLegacyDNSModeDisabledRuleTree(subRule)
-			if err != nil {
-				return false, E.Cause(err, "sub rule[", i, "]")
-			}
-			consumesResponse = consumesResponse || subConsumesResponse
-		}
-		return consumesResponse, nil
-	default:
-		return false, nil
-	}
-}
-
-func validateLegacyDNSModeDisabledDefaultRule(rule option.DefaultDNSRule) (bool, error) {
-	hasResponseRecords := hasResponseMatchFields(rule)
-	if hasResponseRecords && !rule.MatchResponse {
-		return false, E.New("response_* items require match_response")
-	}
-	if (len(rule.IPCIDR) > 0 || rule.IPIsPrivate) && !rule.MatchResponse {
-		return false, E.New("ip_cidr and ip_is_private require match_response when legacyDNSMode is disabled")
-	}
-	// Intentionally do not reject rule_set here. A referenced rule set may mix
-	// destination-IP predicates with pre-response predicates such as domain items.
-	// When match_response is false, those destination-IP branches fail closed during
-	// pre-response evaluation instead of consuming DNS response state, while sibling
-	// non-response branches remain matchable.
-	if rule.IPAcceptAny { //nolint:staticcheck
-		return false, E.New("ip_accept_any is removed when legacyDNSMode is disabled, use ip_cidr with match_response")
-	}
-	if rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
-		return false, E.New("rule_set_ip_cidr_accept_empty is removed when legacyDNSMode is disabled")
-	}
-	return rule.MatchResponse, nil
-}
-
-func hasDNSRuleActionStrategy(rules []option.DNSRule) bool {
-	for _, rule := range rules {
-		if dnsRuleHasActionStrategy(rule) {
-			return true
-		}
-	}
-	return false
-}
-
-func dnsRuleHasActionStrategy(rule option.DNSRule) bool {
-	switch rule.Type {
-	case "", C.RuleTypeDefault:
-		return dnsRuleActionHasStrategy(rule.DefaultOptions.DNSRuleAction)
-	case C.RuleTypeLogical:
-		if dnsRuleActionHasStrategy(rule.LogicalOptions.DNSRuleAction) {
-			return true
-		}
-		return hasDNSRuleActionStrategy(rule.LogicalOptions.Rules)
-	default:
-		return false
-	}
-}
-
-func dnsRuleActionHasStrategy(action option.DNSRuleAction) bool {
-	switch action.Action {
-	case "", C.RuleActionTypeRoute, C.RuleActionTypeEvaluate:
-		return C.DomainStrategy(action.RouteOptions.Strategy) != C.DomainStrategyAsIS
-	case C.RuleActionTypeRouteOptions:
-		return C.DomainStrategy(action.RouteOptionsOptions.Strategy) != C.DomainStrategyAsIS
-	default:
-		return false
-	}
-}
-
-func dnsRuleActionType(rule option.DNSRule) string {
-	switch rule.Type {
-	case "", C.RuleTypeDefault:
-		if rule.DefaultOptions.Action == "" {
-			return C.RuleActionTypeRoute
-		}
-		return rule.DefaultOptions.Action
-	case C.RuleTypeLogical:
-		if rule.LogicalOptions.Action == "" {
-			return C.RuleActionTypeRoute
-		}
-		return rule.LogicalOptions.Action
-	default:
-		return ""
-	}
-}

dns/transport/connector.go

@@ -55,12 +55,6 @@ type contextKeyConnecting struct{}
 
 var errRecursiveConnectorDial = E.New("recursive connector dial")
 
-type connectorDialResult[T any] struct {
-	connection T
-	cancel     context.CancelFunc
-	err        error
-}
-
 func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 	var zero T
 	for {
@@ -106,37 +100,41 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 			return zero, err
 		}
 
-		connecting := make(chan struct{})
-		c.connecting = connecting
-		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
-		dialResult := make(chan connectorDialResult[T], 1)
+		c.connecting = make(chan struct{})
 		c.access.Unlock()
 
-		go func() {
-			connection, cancel, err := c.dialWithCancellation(dialContext)
-			dialResult <- connectorDialResult[T]{
-				connection: connection,
-				cancel:     cancel,
-				err:        err,
-			}
-		}()
+		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
+		connection, cancel, err := c.dialWithCancellation(dialContext)
 
-		select {
-		case result := <-dialResult:
-			return c.completeDial(ctx, connecting, result)
-		case <-ctx.Done():
-			go func() {
-				result := <-dialResult
-				_, _ = c.completeDial(ctx, connecting, result)
-			}()
-			return zero, ctx.Err()
-		case <-c.closeCtx.Done():
-			go func() {
-				result := <-dialResult
-				_, _ = c.completeDial(ctx, connecting, result)
-			}()
+		c.access.Lock()
+		close(c.connecting)
+		c.connecting = nil
+
+		if err != nil {
+			c.access.Unlock()
+			return zero, err
+		}
+
+		if c.closed {
+			cancel()
+			c.callbacks.Close(connection)
+			c.access.Unlock()
 			return zero, ErrTransportClosed
 		}
+		if err = ctx.Err(); err != nil {
+			cancel()
+			c.callbacks.Close(connection)
+			c.access.Unlock()
+			return zero, err
+		}
+
+		c.connection = connection
+		c.hasConnection = true
+		c.connectionCancel = cancel
+		result := c.connection
+		c.access.Unlock()
+
+		return result, nil
 	}
 }
 
@@ -145,38 +143,6 @@ func isRecursiveConnectorDial[T any](ctx context.Context, connector *Connector[T
 	return loaded && dialConnector == connector
 }
 
-func (c *Connector[T]) completeDial(ctx context.Context, connecting chan struct{}, result connectorDialResult[T]) (T, error) {
-	var zero T
-
-	c.access.Lock()
-	defer c.access.Unlock()
-	defer func() {
-		if c.connecting == connecting {
-			c.connecting = nil
-		}
-		close(connecting)
-	}()
-
-	if result.err != nil {
-		return zero, result.err
-	}
-	if c.closed || c.closeCtx.Err() != nil {
-		result.cancel()
-		c.callbacks.Close(result.connection)
-		return zero, ErrTransportClosed
-	}
-	if err := ctx.Err(); err != nil {
-		result.cancel()
-		c.callbacks.Close(result.connection)
-		return zero, err
-	}
-
-	c.connection = result.connection
-	c.hasConnection = true
-	c.connectionCancel = result.cancel
-	return c.connection, nil
-}
-
 func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, context.CancelFunc, error) {
 	var zero T
 	if err := ctx.Err(); err != nil {

dns/transport/connector_test.go

@@ -188,157 +188,13 @@ func TestConnectorCanceledRequestDoesNotCacheConnection(t *testing.T) {
 	err := <-result
 	require.ErrorIs(t, err, context.Canceled)
 	require.EqualValues(t, 1, dialCount.Load())
-	require.Eventually(t, func() bool {
-		return closeCount.Load() == 1
-	}, time.Second, 10*time.Millisecond)
+	require.EqualValues(t, 1, closeCount.Load())
 
 	_, err = connector.Get(context.Background())
 	require.NoError(t, err)
 	require.EqualValues(t, 2, dialCount.Load())
 }
 
-func TestConnectorCanceledRequestReturnsBeforeIgnoredDialCompletes(t *testing.T) {
-	t.Parallel()
-
-	var (
-		dialCount  atomic.Int32
-		closeCount atomic.Int32
-	)
-	dialStarted := make(chan struct{}, 1)
-	releaseDial := make(chan struct{})
-
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialCount.Add(1)
-		select {
-		case dialStarted <- struct{}{}:
-		default:
-		}
-		<-releaseDial
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	result := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(requestContext)
-		result <- err
-	}()
-
-	<-dialStarted
-	cancel()
-
-	select {
-	case err := <-result:
-		require.ErrorIs(t, err, context.Canceled)
-	case <-time.After(time.Second):
-		t.Fatal("Get did not return after request cancel")
-	}
-
-	require.EqualValues(t, 1, dialCount.Load())
-	require.EqualValues(t, 0, closeCount.Load())
-
-	close(releaseDial)
-
-	require.Eventually(t, func() bool {
-		return closeCount.Load() == 1
-	}, time.Second, 10*time.Millisecond)
-
-	_, err := connector.Get(context.Background())
-	require.NoError(t, err)
-	require.EqualValues(t, 2, dialCount.Load())
-}
-
-func TestConnectorWaiterDoesNotStartNewDialBeforeCanceledDialCompletes(t *testing.T) {
-	t.Parallel()
-
-	var (
-		dialCount  atomic.Int32
-		closeCount atomic.Int32
-	)
-	firstDialStarted := make(chan struct{}, 1)
-	secondDialStarted := make(chan struct{}, 1)
-	releaseFirstDial := make(chan struct{})
-
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		attempt := dialCount.Add(1)
-		switch attempt {
-		case 1:
-			select {
-			case firstDialStarted <- struct{}{}:
-			default:
-			}
-			<-releaseFirstDial
-		case 2:
-			select {
-			case secondDialStarted <- struct{}{}:
-			default:
-			}
-		}
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	firstResult := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(requestContext)
-		firstResult <- err
-	}()
-
-	<-firstDialStarted
-	cancel()
-
-	secondResult := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(context.Background())
-		secondResult <- err
-	}()
-
-	select {
-	case <-secondDialStarted:
-		t.Fatal("second dial started before first dial completed")
-	case <-time.After(100 * time.Millisecond):
-	}
-
-	select {
-	case err := <-firstResult:
-		require.ErrorIs(t, err, context.Canceled)
-	case <-time.After(time.Second):
-		t.Fatal("first Get did not return after request cancel")
-	}
-
-	close(releaseFirstDial)
-
-	require.Eventually(t, func() bool {
-		return closeCount.Load() == 1
-	}, time.Second, 10*time.Millisecond)
-
-	select {
-	case <-secondDialStarted:
-	case <-time.After(time.Second):
-		t.Fatal("second dial did not start after first dial completed")
-	}
-
-	err := <-secondResult
-	require.NoError(t, err)
-	require.EqualValues(t, 2, dialCount.Load())
-}
-
 func TestConnectorDialContextNotCanceledByRequestContextAfterDial(t *testing.T) {
 	t.Parallel()
 

dns/transport/dhcp/dhcp_shared.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 	"syscall"
 
+	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -39,6 +40,13 @@ func (t *Transport) exchangeParallel(ctx context.Context, servers []M.Socksaddr,
 	results := make(chan queryResult)
 	startRacer := func(ctx context.Context, fqdn string) {
 		response, err := t.tryOneName(ctx, servers, fqdn, message)
+		if err == nil {
+			if response.Rcode != mDNS.RcodeSuccess {
+				err = dns.RcodeError(response.Rcode)
+			} else if len(dns.MessageToAddresses(response)) == 0 {
+				err = dns.RcodeSuccess
+			}
+		}
 		select {
 		case results <- queryResult{response, err}:
 		case <-returned:

dns/transport/local/local_shared.go

@@ -7,6 +7,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -48,6 +49,13 @@ func (t *Transport) exchangeParallel(ctx context.Context, systemConfig *dnsConfi
 	results := make(chan queryResult)
 	startRacer := func(ctx context.Context, fqdn string) {
 		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
+		if err == nil {
+			if response.Rcode != mDNS.RcodeSuccess {
+				err = dns.RcodeError(response.Rcode)
+			} else if len(dns.MessageToAddresses(response)) == 0 {
+				err = E.New(fqdn, ": empty result")
+			}
+		}
 		select {
 		case results <- queryResult{response, err}:
 		case <-returned:

dns/transport_adapter.go

@@ -1,13 +1,21 @@
 package dns
 
 import (
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 )
 
+var _ adapter.LegacyDNSTransport = (*TransportAdapter)(nil)
+
 type TransportAdapter struct {
 	transportType string
 	transportTag  string
 	dependencies  []string
+	strategy      C.DomainStrategy
+	clientSubnet  netip.Prefix
 }
 
 func NewTransportAdapter(transportType string, transportTag string, dependencies []string) TransportAdapter {
@@ -27,6 +35,8 @@ func NewTransportAdapterWithLocalOptions(transportType string, transportTag stri
 		transportType: transportType,
 		transportTag:  transportTag,
 		dependencies:  dependencies,
+		strategy:      C.DomainStrategy(localOptions.LegacyStrategy),
+		clientSubnet:  localOptions.LegacyClientSubnet,
 	}
 }
 
@@ -35,10 +45,15 @@ func NewTransportAdapterWithRemoteOptions(transportType string, transportTag str
 	if remoteOptions.DomainResolver != nil && remoteOptions.DomainResolver.Server != "" {
 		dependencies = append(dependencies, remoteOptions.DomainResolver.Server)
 	}
+	if remoteOptions.LegacyAddressResolver != "" {
+		dependencies = append(dependencies, remoteOptions.LegacyAddressResolver)
+	}
 	return TransportAdapter{
 		transportType: transportType,
 		transportTag:  transportTag,
 		dependencies:  dependencies,
+		strategy:      C.DomainStrategy(remoteOptions.LegacyStrategy),
+		clientSubnet:  remoteOptions.LegacyClientSubnet,
 	}
 }
 
@@ -53,3 +68,11 @@ func (a *TransportAdapter) Tag() string {
 func (a *TransportAdapter) Dependencies() []string {
 	return a.dependencies
 }
+
+func (a *TransportAdapter) LegacyStrategy() C.DomainStrategy {
+	return a.strategy
+}
+
+func (a *TransportAdapter) LegacyClientSubnet() netip.Prefix {
+	return a.clientSubnet
+}

dns/transport_dialer.go

@@ -2,25 +2,104 @@ package dns
 
 import (
 	"context"
+	"net"
+	"time"
 
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
 )
 
 func NewLocalDialer(ctx context.Context, options option.LocalDNSServerOptions) (N.Dialer, error) {
-	return dialer.NewWithOptions(dialer.Options{
-		Context:        ctx,
-		Options:        options.DialerOptions,
-		DirectResolver: true,
-	})
+	if options.LegacyDefaultDialer {
+		return dialer.NewDefaultOutbound(ctx), nil
+	} else {
+		return dialer.NewWithOptions(dialer.Options{
+			Context:         ctx,
+			Options:         options.DialerOptions,
+			DirectResolver:  true,
+			LegacyDNSDialer: options.Legacy,
+		})
+	}
 }
 
 func NewRemoteDialer(ctx context.Context, options option.RemoteDNSServerOptions) (N.Dialer, error) {
-	return dialer.NewWithOptions(dialer.Options{
-		Context:        ctx,
-		Options:        options.DialerOptions,
-		RemoteIsDomain: options.ServerIsDomain(),
-		DirectResolver: true,
-	})
+	if options.LegacyDefaultDialer {
+		transportDialer := dialer.NewDefaultOutbound(ctx)
+		if options.LegacyAddressResolver != "" {
+			transport := service.FromContext[adapter.DNSTransportManager](ctx)
+			resolverTransport, loaded := transport.Transport(options.LegacyAddressResolver)
+			if !loaded {
+				return nil, E.New("address resolver not found: ", options.LegacyAddressResolver)
+			}
+			transportDialer = newTransportDialer(transportDialer, service.FromContext[adapter.DNSRouter](ctx), resolverTransport, C.DomainStrategy(options.LegacyAddressStrategy), time.Duration(options.LegacyAddressFallbackDelay))
+		} else if options.ServerIsDomain() {
+			return nil, E.New("missing address resolver for server: ", options.Server)
+		}
+		return transportDialer, nil
+	} else {
+		return dialer.NewWithOptions(dialer.Options{
+			Context:         ctx,
+			Options:         options.DialerOptions,
+			RemoteIsDomain:  options.ServerIsDomain(),
+			DirectResolver:  true,
+			LegacyDNSDialer: options.Legacy,
+		})
+	}
+}
+
+type legacyTransportDialer struct {
+	dialer        N.Dialer
+	dnsRouter     adapter.DNSRouter
+	transport     adapter.DNSTransport
+	strategy      C.DomainStrategy
+	fallbackDelay time.Duration
+}
+
+func newTransportDialer(dialer N.Dialer, dnsRouter adapter.DNSRouter, transport adapter.DNSTransport, strategy C.DomainStrategy, fallbackDelay time.Duration) *legacyTransportDialer {
+	return &legacyTransportDialer{
+		dialer,
+		dnsRouter,
+		transport,
+		strategy,
+		fallbackDelay,
+	}
+}
+
+func (d *legacyTransportDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	if destination.IsIP() {
+		return d.dialer.DialContext(ctx, network, destination)
+	}
+	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
+		Transport: d.transport,
+		Strategy:  d.strategy,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == C.DomainStrategyPreferIPv6, d.fallbackDelay)
+}
+
+func (d *legacyTransportDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	if destination.IsIP() {
+		return d.dialer.ListenPacket(ctx, destination)
+	}
+	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
+		Transport: d.transport,
+		Strategy:  d.strategy,
+	})
+	if err != nil {
+		return nil, err
+	}
+	conn, _, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
+	return conn, err
+}
+
+func (d *legacyTransportDialer) Upstream() any {
+	return d.dialer
 }

docs/changelog.md

@@ -2,51 +2,7 @@
 icon: material/alert-decagram
 ---
 
-#### 1.14.0-alpha.8
-
-* Add BBR profile and hop interval randomization for Hysteria2 **1**
-* Fixes and improvements
-
-**1**:
-
-See [Hysteria2 Inbound](/configuration/inbound/hysteria2/#bbr_profile) and [Hysteria2 Outbound](/configuration/outbound/hysteria2/#bbr_profile).
-
-#### 1.14.0-alpha.8
-
-* Fixes and improvements
-
-#### 1.13.5
-
-* Fixes and improvements
-
-#### 1.14.0-alpha.7
-
-* Fixes and improvements
-
-#### 1.13.4
-
-* Fixes and improvements
-
-#### 1.14.0-alpha.4
-
-* Refactor ACME support to certificate provider system **1**
-* Add Cloudflare Origin CA certificate provider **2**
-* Add Tailscale certificate provider **3**
-* Fixes and improvements
-
-**1**:
-
-See [Certificate Provider](/configuration/shared/certificate-provider/) and [Migration](/migration/#migrate-inline-acme-to-certificate-provider).
-
-**2**:
-
-See [Cloudflare Origin CA](/configuration/shared/certificate-provider/cloudflare-origin-ca).
-
-**3**:
-
-See [Tailscale](/configuration/shared/certificate-provider/tailscale).
-
-#### 1.13.3
+#### 1.14.0-alpha.2
 
 * Add OpenWrt and Alpine APK packages to release **1**
 * Backport to macOS 10.13 High Sierra **2**
@@ -70,11 +26,7 @@ from [SagerNet/go](https://github.com/SagerNet/go).
 
 See [OCM](/configuration/service/ocm).
 
-#### 1.12.24
-
-* Fixes and improvements
-
-#### 1.14.0-alpha.2
+#### 1.13.3-beta.1
 
 * Add OpenWrt and Alpine APK packages to release **1**
 * Backport to macOS 10.13 High Sierra **2**

docs/configuration/dns/fakeip.md

@@ -1,10 +1,10 @@
 ---
-icon: material/note-remove
+icon: material/delete-clock
 ---
 
-!!! failure "Removed in sing-box 1.14.0"
+!!! failure "Deprecated in sing-box 1.12.0"
 
-    Legacy fake-ip configuration is deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
+    Legacy fake-ip configuration is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
 
 ### Structure
 

docs/configuration/dns/fakeip.zh.md

@@ -1,10 +1,10 @@
 ---
-icon: material/note-remove
+icon: material/delete-clock
 ---
 
-!!! failure "已在 sing-box 1.14.0 移除"
+!!! failure "已在 sing-box 1.12.0 废弃"
 
-    旧的 fake-ip 配置已在 sing-box 1.12.0 废弃且已在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
+    旧的 fake-ip 配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-to-new-dns-servers)。
 
 ### 结构
 

docs/configuration/dns/index.md

@@ -39,7 +39,7 @@ icon: material/alert-decagram
 |----------|---------------------------------|
 | `server` | List of [DNS Server](./server/) |
 | `rules`  | List of [DNS Rule](./rule/)     |
-| `fakeip` | :material-note-remove: [FakeIP](./fakeip/) |
+| `fakeip` | [FakeIP](./fakeip/)             |
 
 #### final
 
@@ -88,4 +88,4 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q
 
 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
-Can be overridden by `servers.[].client_subnet` or `rules.[].client_subnet`.
+Can be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.

docs/configuration/dns/index.zh.md

@@ -88,6 +88,6 @@ LRU 缓存容量。
 
 可以被 `servers.[].client_subnet` 或 `rules.[].client_subnet` 覆盖。
 
-#### fakeip :material-note-remove:
+#### fakeip
 
 [FakeIP](./fakeip/) 设置。

docs/configuration/dns/rule.md

@@ -4,15 +4,8 @@ icon: material/alert-decagram
 
 !!! quote "Changes in sing-box 1.14.0"
 
-    :material-plus: [match_response](#match_response)  
-    :material-plus: [response_rcode](#response_rcode)  
-    :material-plus: [response_answer](#response_answer)  
-    :material-plus: [response_ns](#response_ns)  
-    :material-plus: [response_extra](#response_extra)  
     :material-plus: [source_mac_address](#source_mac_address)  
-    :material-plus: [source_hostname](#source_hostname)  
-    :material-delete-clock: [ip_accept_any](#ip_accept_any)  
-    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)
+    :material-plus: [source_hostname](#source_hostname)
 
 !!! quote "Changes in sing-box 1.13.0"
 
@@ -101,6 +94,12 @@ icon: material/alert-decagram
           "192.168.0.1"
         ],
         "source_ip_is_private": false,
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_is_private": false,
+        "ip_accept_any": false,
         "source_port": [
           12345
         ],
@@ -172,16 +171,7 @@ icon: material/alert-decagram
           "geosite-cn"
         ],
         "rule_set_ip_cidr_match_source": false,
-        "match_response": false,
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_is_private": false,
-        "response_rcode": "",
-        "response_answer": [],
-        "response_ns": [],
-        "response_extra": [],
+        "rule_set_ip_cidr_accept_empty": false,
         "invert": false,
         "outbound": [
           "direct"
@@ -190,9 +180,7 @@ icon: material/alert-decagram
         "server": "local",
 
         // Deprecated
-
-        "ip_accept_any": false,
-        "rule_set_ip_cidr_accept_empty": false,
+        
         "rule_set_ipcidr_match_source": false,
         "geosite": [
           "cn"
@@ -232,7 +220,7 @@ icon: material/alert-decagram
     (`source_port` || `source_port_range`) &&  
     `other fields`
 
-    Additionally, each branch inside an included rule-set can be considered merged into the outer rule, while different branches keep OR semantics.
+    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
 
 #### inbound
 
@@ -489,17 +477,6 @@ Make `ip_cidr` rule items in rule-sets match the source IP.
 
 Make `ip_cidr` rule items in rule-sets match the source IP.
 
-#### match_response
-
-!!! question "Since sing-box 1.14.0"
-
-Enable response-based matching. When enabled, this rule matches against DNS response data
-(set by a preceding [`evaluate`](/configuration/dns/rule_action/#evaluate) action)
-instead of only matching the original query.
-
-Required for `response_rcode`, `response_answer`, `response_ns`, `response_extra` fields.
-Also required for `ip_cidr` and `ip_is_private` when `legacyDNSMode` is disabled.
-
 #### invert
 
 Invert match result.
@@ -570,69 +547,24 @@ Match GeoIP with query response.
 
 Match IP CIDR with query response.
 
-When `legacyDNSMode` is disabled, `match_response` must be set to `true`.
-
 #### ip_is_private
 
 !!! question "Since sing-box 1.9.0"
 
 Match private IP with query response.
 
-When `legacyDNSMode` is disabled, `match_response` must be set to `true`.
-
 #### rule_set_ip_cidr_accept_empty
 
 !!! question "Since sing-box 1.10.0"
 
-!!! failure "Deprecated in sing-box 1.14.0"
-
-    `rule_set_ip_cidr_accept_empty` is deprecated and will be removed in sing-box 1.16.0.
-    Only supported in `legacyDNSMode`.
-
 Make `ip_cidr` rules in rule-sets accept empty query response.
 
 #### ip_accept_any
 
 !!! question "Since sing-box 1.12.0"
 
-!!! failure "Deprecated in sing-box 1.14.0"
-
-    `ip_accept_any` is deprecated and will be removed in sing-box 1.16.0.
-    Only supported in `legacyDNSMode`. Use `match_response` with response items instead.
-
 Match any IP with query response.
 
-### Response Fields
-
-!!! question "Since sing-box 1.14.0"
-
-Match fields for DNS response data. Require `match_response` to be set to `true`
-and a preceding rule with [`evaluate`](/configuration/dns/rule_action/#evaluate) action to populate the response.
-
-#### response_rcode
-
-Match DNS response code.
-
-Accepted values are the same as in the [predefined action rcode](/configuration/dns/rule_action/#rcode).
-
-#### response_answer
-
-Match DNS answer records.
-
-Record format is the same as in [predefined action answer](/configuration/dns/rule_action/#answer).
-
-#### response_ns
-
-Match DNS name server records.
-
-Record format is the same as in [predefined action ns](/configuration/dns/rule_action/#ns).
-
-#### response_extra
-
-Match DNS extra records.
-
-Record format is the same as in [predefined action extra](/configuration/dns/rule_action/#extra).
-
 ### Logical Fields
 
 #### type
@@ -645,4 +577,4 @@ Record format is the same as in [predefined action extra](/configuration/dns/rul
 
 #### rules
 
-Included rules.
+Included rules.

docs/configuration/dns/rule.zh.md

@@ -4,15 +4,8 @@ icon: material/alert-decagram
 
 !!! quote "sing-box 1.14.0 中的更改"
 
-    :material-plus: [match_response](#match_response)  
-    :material-plus: [response_rcode](#response_rcode)  
-    :material-plus: [response_answer](#response_answer)  
-    :material-plus: [response_ns](#response_ns)  
-    :material-plus: [response_extra](#response_extra)  
     :material-plus: [source_mac_address](#source_mac_address)  
-    :material-plus: [source_hostname](#source_hostname)  
-    :material-delete-clock: [ip_accept_any](#ip_accept_any)  
-    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)
+    :material-plus: [source_hostname](#source_hostname)
 
 !!! quote "sing-box 1.13.0 中的更改"
 
@@ -101,6 +94,12 @@ icon: material/alert-decagram
           "192.168.0.1"
         ],
         "source_ip_is_private": false,
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_is_private": false,
+        "ip_accept_any": false,
         "source_port": [
           12345
         ],
@@ -172,16 +171,7 @@ icon: material/alert-decagram
           "geosite-cn"
         ],
         "rule_set_ip_cidr_match_source": false,
-        "match_response": false,
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_is_private": false,
-        "response_rcode": "",
-        "response_answer": [],
-        "response_ns": [],
-        "response_extra": [],
+        "rule_set_ip_cidr_accept_empty": false,
         "invert": false,
         "outbound": [
           "direct"
@@ -190,9 +180,6 @@ icon: material/alert-decagram
         "server": "local",
 
         // 已弃用
-
-        "ip_accept_any": false,
-        "rule_set_ip_cidr_accept_empty": false,
         "rule_set_ipcidr_match_source": false,
         "geosite": [
           "cn"
@@ -232,7 +219,7 @@ icon: material/alert-decagram
     (`source_port` || `source_port_range`) &&  
     `other fields`
 
-    另外，引用规则集中的每个分支都可视为与外层规则合并，不同分支之间仍保持 OR 语义。
+    另外，引用的规则集可视为被合并，而不是作为一个单独的规则子项。
 
 #### inbound
 
@@ -280,7 +267,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! failure "已在 sing-box 1.12.0 中被移除"
 
-    GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。
+    GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geosite)。
 
 匹配 Geosite。
 
@@ -288,7 +275,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! failure "已在 sing-box 1.12.0 中被移除"
 
-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
 
 匹配源 GeoIP。
 
@@ -489,15 +476,6 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 使规则集中的 `ip_cidr` 规则匹配源 IP。
 
-#### match_response
-
-!!! question "自 sing-box 1.14.0 起"
-
-启用响应匹配。启用后，此规则将匹配 DNS 响应数据（由前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作设置），而不仅是匹配原始查询。
-
-`response_rcode`、`response_answer`、`response_ns`、`response_extra` 字段需要此选项。
-当 `legacyDNSMode` 未启用时，`ip_cidr` 和 `ip_is_private` 也需要此选项。
-
 #### invert
 
 反选匹配结果。
@@ -506,7 +484,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 !!! failure "已在 sing-box 1.12.0 废弃"
 
-    `outbound` 规则项已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-outbound-dns-规则项到域解析选项)。
+    `outbound` 规则项已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver)。
 
 匹配出站。
 
@@ -558,7 +536,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 !!! failure "已在 sing-box 1.12.0 中被移除"
 
-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
 
 
 与查询响应匹配 GeoIP。
@@ -569,69 +547,24 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 与查询响应匹配 IP CIDR。
 
-当 `legacyDNSMode` 未启用时，`match_response` 必须设为 `true`。
-
 #### ip_is_private
 
 !!! question "自 sing-box 1.9.0 起"
 
 与查询响应匹配非公开 IP。
 
-当 `legacyDNSMode` 未启用时，`match_response` 必须设为 `true`。
-
 #### ip_accept_any
 
 !!! question "自 sing-box 1.12.0 起"
 
-!!! failure "已在 sing-box 1.14.0 废弃"
-
-    `ip_accept_any` 已废弃且将在 sing-box 1.16.0 中被移除。
-    仅在 `legacyDNSMode` 中可用。请使用 `match_response` 和响应项替代。
-
 匹配任意 IP。
 
 #### rule_set_ip_cidr_accept_empty
 
 !!! question "自 sing-box 1.10.0 起"
 
-!!! failure "已在 sing-box 1.14.0 废弃"
-
-    `rule_set_ip_cidr_accept_empty` 已废弃且将在 sing-box 1.16.0 中被移除。
-    仅在 `legacyDNSMode` 中可用。
-
 使规则集中的 `ip_cidr` 规则接受空查询响应。
 
-### 响应字段
-
-!!! question "自 sing-box 1.14.0 起"
-
-DNS 响应数据的匹配字段。需要将 `match_response` 设为 `true`，
-且需要前序规则使用 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作来填充响应。
-
-#### response_rcode
-
-匹配 DNS 响应码。
-
-接受的值与 [predefined 动作 rcode](/zh/configuration/dns/rule_action/#rcode) 中相同。
-
-#### response_answer
-
-匹配 DNS 应答记录。
-
-记录格式与 [predefined 动作 answer](/zh/configuration/dns/rule_action/#answer) 中相同。
-
-#### response_ns
-
-匹配 DNS 名称服务器记录。
-
-记录格式与 [predefined 动作 ns](/zh/configuration/dns/rule_action/#ns) 中相同。
-
-#### response_extra
-
-匹配 DNS 额外记录。
-
-记录格式与 [predefined 动作 extra](/zh/configuration/dns/rule_action/#extra) 中相同。
-
 ### 逻辑字段
 
 #### type
@@ -648,4 +581,4 @@ DNS 响应数据的匹配字段。需要将 `match_response` 设为 `true`，
 
 ==必填==
 
-包括的规则。
+包括的规则。

docs/configuration/dns/rule_action.md

@@ -2,11 +2,6 @@
 icon: material/new-box
 ---
 
-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-plus: [evaluate](#evaluate)  
-    :material-delete-clock: [strategy](#strategy)
-
 !!! quote "Changes in sing-box 1.12.0"
 
     :material-plus: [strategy](#strategy)  
@@ -39,11 +34,7 @@ Tag of target server.
 
 !!! question "Since sing-box 1.12.0"
 
-!!! warning
-
-    `strategy` is deprecated and only supported in `legacyDNSMode`.
-
-Set domain strategy for this query in `legacyDNSMode`.
+Set domain strategy for this query.
 
 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
 
@@ -61,49 +52,7 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q
 
 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
-Will override `dns.client_subnet`.
-
-### evaluate
-
-!!! question "Since sing-box 1.14.0"
-
-```json
-{
-  "action": "evaluate",
-  "server": "",
-  "disable_cache": false,
-  "rewrite_ttl": null,
-  "client_subnet": null
-}
-```
-
-`evaluate` sends a DNS query to the specified server and saves the response for subsequent rules
-to match against using [`match_response`](/configuration/dns/rule/#match_response) and response fields.
-Unlike `route`, it does **not** terminate rule evaluation.
-
-Only allowed on top-level DNS rules (not inside logical sub-rules).
-
-#### server
-
-==Required==
-
-Tag of target server.
-
-#### disable_cache
-
-Disable cache and save cache in this query.
-
-#### rewrite_ttl
-
-Rewrite TTL in DNS responses.
-
-#### client_subnet
-
-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
-
-Will override `dns.client_subnet`.
+Will overrides `dns.client_subnet`.
 
 ### route-options
 

docs/configuration/dns/rule_action.zh.md

@@ -2,11 +2,6 @@
 icon: material/new-box
 ---
 
-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-plus: [evaluate](#evaluate)  
-    :material-delete-clock: [strategy](#strategy)
-
 !!! quote "sing-box 1.12.0 中的更改"
 
     :material-plus: [strategy](#strategy)  
@@ -39,11 +34,7 @@ icon: material/new-box
 
 !!! question "自 sing-box 1.12.0 起"
 
-!!! warning
-
-    `strategy` 已废弃，且仅在 `legacyDNSMode` 中可用。
-
-在 `legacyDNSMode` 中为此查询设置域名策略。
+为此查询设置域名策略。
 
 可选项：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
 
@@ -63,46 +54,6 @@ icon: material/new-box
 
 将覆盖 `dns.client_subnet`.
 
-### evaluate
-
-!!! question "自 sing-box 1.14.0 起"
-
-```json
-{
-  "action": "evaluate",
-  "server": "",
-  "disable_cache": false,
-  "rewrite_ttl": null,
-  "client_subnet": null
-}
-```
-
-`evaluate` 向指定服务器发送 DNS 查询并保存响应，供后续规则通过 [`match_response`](/zh/configuration/dns/rule/#match_response) 和响应字段进行匹配。与 `route` 不同，它**不会**终止规则评估。
-
-仅允许在顶层 DNS 规则中使用（不可在逻辑子规则内部使用）。
-
-#### server
-
-==必填==
-
-目标 DNS 服务器的标签。
-
-#### disable_cache
-
-在此查询中禁用缓存。
-
-#### rewrite_ttl
-
-重写 DNS 回应中的 TTL。
-
-#### client_subnet
-
-默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
-
-如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
-
-将覆盖 `dns.client_subnet`.
-
 ### route-options
 
 ```json
@@ -133,7 +84,7 @@ icon: material/new-box
 - `default`: 返回 REFUSED。
 - `drop`: 丢弃请求。
 
-默认使用 `default`。
+默认使用 `defualt`。
 
 #### no_drop
 

docs/configuration/dns/server/http3.zh.md

@@ -64,7 +64,7 @@ DNS 服务器的路径。
 
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/dns/server/https.zh.md

@@ -64,7 +64,7 @@ DNS 服务器的路径。
 
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/dns/server/index.md

@@ -29,7 +29,7 @@ The type of the DNS server.
 
 | Type            | Format                    |
 |-----------------|---------------------------|
-| empty (default) | :material-note-remove: [Legacy](./legacy/) |
+| empty (default) | [Legacy](./legacy/)       |
 | `local`         | [Local](./local/)         |
 | `hosts`         | [Hosts](./hosts/)         |
 | `tcp`           | [TCP](./tcp/)             |

docs/configuration/dns/server/index.zh.md

@@ -29,7 +29,7 @@ DNS 服务器的类型。
 
 | 类型              | 格式                        |
 |-----------------|---------------------------|
-| empty (default) | :material-note-remove: [Legacy](./legacy/) |
+| empty (default) | [Legacy](./legacy/)       |
 | `local`         | [Local](./local/)         |
 | `hosts`         | [Hosts](./hosts/)         |
 | `tcp`           | [TCP](./tcp/)             |

docs/configuration/dns/server/legacy.md

@@ -1,10 +1,10 @@
 ---
-icon: material/note-remove
+icon: material/delete-clock
 ---
 
-!!! failure "Removed in sing-box 1.14.0"
+!!! failure "Deprecated in sing-box 1.12.0"
 
-    Legacy DNS servers are deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
+    Legacy DNS servers is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
 
 !!! quote "Changes in sing-box 1.9.0"
 
@@ -108,6 +108,6 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q
 
 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
-Can be overridden by `rules.[].client_subnet`.
+Can be overrides by `rules.[].client_subnet`.
 
-Will override `dns.client_subnet`.
+Will overrides `dns.client_subnet`.

docs/configuration/dns/server/legacy.zh.md

@@ -1,10 +1,10 @@
 ---
-icon: material/note-remove
+icon: material/delete-clock
 ---
 
-!!! failure "已在 sing-box 1.14.0 移除"
+!!! failure "Deprecated in sing-box 1.12.0"
 
-    旧的 DNS 服务器配置已在 sing-box 1.12.0 废弃且已在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
+    旧的 DNS 服务器配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-to-new-dns-servers)。
 
 !!! quote "sing-box 1.9.0 中的更改"
 

docs/configuration/dns/server/quic.zh.md

@@ -51,7 +51,7 @@ DNS 服务器的端口。
 
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/dns/server/tls.zh.md

@@ -51,7 +51,7 @@ DNS 服务器的端口。
 
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/experimental/cache-file.zh.md

@@ -42,7 +42,7 @@
 
 将拒绝的 DNS 响应缓存存储在缓存文件中。
 
-[地址筛选 DNS 规则项](/zh/configuration/dns/rule/#地址筛选字段) 的检查结果将被缓存至过期。
+[地址筛选 DNS 规则项](/zh/configuration/dns/rule/#_3) 的检查结果将被缓存至过期。
 
 #### rdrc_timeout
 

docs/configuration/experimental/v2ray-api.zh.md

@@ -1,6 +1,6 @@
 !!! quote ""
 
-    默认安装不包含 V2Ray API，参阅 [安装](/zh/installation/build-from-source/#构建标记)。
+    默认安装不包含 V2Ray API，参阅 [安装](/zh/installation/build-from-source/#_5)。
 
 ### 结构
 

docs/configuration/inbound/anytls.zh.md

@@ -58,4 +58,4 @@ AnyTLS 填充方案行数组。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/http.zh.md

@@ -26,7 +26,7 @@
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### users
 

docs/configuration/inbound/hysteria.zh.md

@@ -104,4 +104,4 @@ base64 编码的认证密码。
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/hysteria2.md

@@ -2,10 +2,6 @@
 icon: material/alert-decagram
 ---
 
-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-plus: [bbr_profile](#bbr_profile)
-
 !!! quote "Changes in sing-box 1.11.0"
 
     :material-alert: [masquerade](#masquerade)  
@@ -35,7 +31,6 @@ icon: material/alert-decagram
   "ignore_client_bandwidth": false,
   "tls": {},
   "masquerade": "", // or {}
-  "bbr_profile": "",
   "brutal_debug": false
 }
 ```
@@ -146,14 +141,6 @@ Fixed response headers.
 
 Fixed response content.
 
-#### bbr_profile
-
-!!! question "Since sing-box 1.14.0"
-
-BBR congestion control algorithm profile, one of `conservative` `standard` `aggressive`.
-
-`standard` is used by default.
-
 #### brutal_debug
 
 Enable debug information logging for Hysteria Brutal CC.

docs/configuration/inbound/hysteria2.zh.md

@@ -2,10 +2,6 @@
 icon: material/alert-decagram
 ---
 
-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-plus: [bbr_profile](#bbr_profile)
-
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-alert: [masquerade](#masquerade)  
@@ -35,7 +31,6 @@ icon: material/alert-decagram
   "ignore_client_bandwidth": false,
   "tls": {},
   "masquerade": "", // 或 {}
-  "bbr_profile": "",
   "brutal_debug": false
 }
 ```
@@ -43,7 +38,7 @@ icon: material/alert-decagram
 !!! warning "与官方 Hysteria2 的区别"
 
     官方程序支持一种名为 **userpass** 的验证方式，
-    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
     要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。
 
 ### 监听字段
@@ -90,7 +85,7 @@ Hysteria 用户
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### masquerade
 
@@ -143,14 +138,6 @@ HTTP3 服务器认证失败时的行为 （对象配置）。
 
 固定响应内容。
 
-#### bbr_profile
-
-!!! question "自 sing-box 1.14.0 起"
-
-BBR 拥塞控制算法配置，可选 `conservative` `standard` `aggressive`。
-
-默认使用 `standard`。
-
 #### brutal_debug
 
 启用 Hysteria Brutal CC 的调试信息日志记录。

docs/configuration/inbound/naive.zh.md

@@ -60,4 +60,4 @@ QUIC 拥塞控制算法。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/shadowsocks.zh.md

@@ -93,4 +93,4 @@
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。

docs/configuration/inbound/trojan.zh.md

@@ -43,7 +43,7 @@ Trojan 用户。
 
 #### tls
 
-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### fallback
 
@@ -61,7 +61,7 @@ TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
 
 #### transport
 

docs/configuration/inbound/tuic.zh.md

@@ -75,4 +75,4 @@ QUIC 拥塞控制算法
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/tun.md

@@ -4,8 +4,8 @@ icon: material/new-box
 
 !!! quote "Changes in sing-box 1.14.0"
 
-    :material-plus: [include_mac_address](#include_mac_address)  
-    :material-plus: [exclude_mac_address](#exclude_mac_address)
+:material-plus: [include_mac_address](#include_mac_address)
+:material-plus: [exclude_mac_address](#exclude_mac_address)
 
 !!! quote "Changes in sing-box 1.13.3"
 

docs/configuration/inbound/tun.zh.md

@@ -4,7 +4,7 @@ icon: material/new-box
 
 !!! quote "sing-box 1.14.0 中的更改"
 
-    :material-plus: [include_mac_address](#include_mac_address)  
+    :material-plus: [include_mac_address](#include_mac_address)
     :material-plus: [exclude_mac_address](#exclude_mac_address)
 
 !!! quote "sing-box 1.13.3 中的更改"

docs/configuration/inbound/vless.zh.md

@@ -48,11 +48,11 @@ VLESS 子协议。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
 
 #### transport
 

docs/configuration/inbound/vmess.zh.md

@@ -43,11 +43,11 @@ VMess 用户。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
 
 #### transport
 

docs/configuration/index.md

@@ -1,6 +1,7 @@
 # Introduction
 
 sing-box uses JSON for configuration files.
+
 ### Structure
 
 ```json
@@ -9,7 +10,6 @@ sing-box uses JSON for configuration files.
   "dns": {},
   "ntp": {},
   "certificate": {},
-  "certificate_providers": [],
   "endpoints": [],
   "inbounds": [],
   "outbounds": [],
@@ -27,7 +27,6 @@ sing-box uses JSON for configuration files.
 | `dns`          | [DNS](./dns/)                   |
 | `ntp`          | [NTP](./ntp/)                   |
 | `certificate`  | [Certificate](./certificate/)   |
-| `certificate_providers` | [Certificate Provider](./shared/certificate-provider/) |
 | `endpoints`    | [Endpoint](./endpoint/)         |
 | `inbounds`     | [Inbound](./inbound/)           |
 | `outbounds`    | [Outbound](./outbound/)         |
@@ -51,4 +50,4 @@ sing-box format -w -c config.json -D config_directory
 
 ```bash
 sing-box merge output.json -c config.json -D config_directory
-```
+```

docs/configuration/index.zh.md

@@ -1,6 +1,7 @@
 # 引言
 
 sing-box 使用 JSON 作为配置文件格式。
+
 ### 结构
 
 ```json
@@ -9,7 +10,6 @@ sing-box 使用 JSON 作为配置文件格式。
   "dns": {},
   "ntp": {},
   "certificate": {},
-  "certificate_providers": [],
   "endpoints": [],
   "inbounds": [],
   "outbounds": [],
@@ -27,7 +27,6 @@ sing-box 使用 JSON 作为配置文件格式。
 | `dns`          | [DNS](./dns/)          |
 | `ntp`          | [NTP](./ntp/)          |
 | `certificate`  | [证书](./certificate/)   |
-| `certificate_providers` | [证书提供者](./shared/certificate-provider/) |
 | `endpoints`    | [端点](./endpoint/)      |
 | `inbounds`     | [入站](./inbound/)       |
 | `outbounds`    | [出站](./outbound/)      |
@@ -51,4 +50,4 @@ sing-box format -w -c config.json -D config_directory
 
 ```bash
 sing-box merge output.json -c config.json -D config_directory
-```
+```

docs/configuration/outbound/anytls.zh.md

@@ -59,7 +59,7 @@ AnyTLS 密码。
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/outbound/direct.zh.md

@@ -4,8 +4,8 @@ icon: material/alert-decagram
 
 !!! quote "sing-box 1.11.0 中的更改"
 
-    :material-delete-clock: [override_address](#override_address)  
-    :material-delete-clock: [override_port](#override_port)
+    :material-alert-decagram: [override_address](#override_address)  
+    :material-alert-decagram: [override_port](#override_port)
 
 `direct` 出站直接发送请求。
 
@@ -29,7 +29,7 @@ icon: material/alert-decagram
 
 !!! failure "已在 sing-box 1.11.0 废弃"
 
-    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-direct-出站中的目标地址覆盖字段到路由字段)。
+    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-destination-override-fields-to-route-options)。
 
 覆盖连接目标地址。
 
@@ -37,7 +37,7 @@ icon: material/alert-decagram
 
 !!! failure "已在 sing-box 1.11.0 废弃"
 
-    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-direct-出站中的目标地址覆盖字段到路由字段)。
+    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-destination-override-fields-to-route-options)。
 
 覆盖连接目标端口。
 

docs/configuration/outbound/dns.zh.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "已在 sing-box 1.11.0 废弃"
 
-    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除, 参阅 [迁移指南](/zh/migration/#迁移旧的特殊出站到规则动作). 
+    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除, 参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
 
 `dns` 出站是一个内部 DNS 服务器。
 

docs/configuration/outbound/http.zh.md

@@ -51,7 +51,7 @@ HTTP 请求的额外标头。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/outbound/hysteria.zh.md

@@ -134,7 +134,7 @@ base64 编码的认证密码。
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 
 ### 拨号字段

docs/configuration/outbound/hysteria2.md

@@ -1,8 +1,3 @@
-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-plus: [hop_interval_max](#hop_interval_max)  
-    :material-plus: [bbr_profile](#bbr_profile)
-
 !!! quote "Changes in sing-box 1.11.0"
 
     :material-plus: [server_ports](#server_ports)  
@@ -14,14 +9,13 @@
 {
   "type": "hysteria2",
   "tag": "hy2-out",
-
+  
   "server": "127.0.0.1",
   "server_port": 1080,
   "server_ports": [
     "2080:3000"
   ],
   "hop_interval": "",
-  "hop_interval_max": "",
   "up_mbps": 100,
   "down_mbps": 100,
   "obfs": {
@@ -31,9 +25,8 @@
   "password": "goofy_ahh_password",
   "network": "tcp",
   "tls": {},
-  "bbr_profile": "",
   "brutal_debug": false,
-
+  
   ... // Dial Fields
 }
 ```
@@ -82,14 +75,6 @@ Port hopping interval.
 
 `30s` is used by default.
 
-#### hop_interval_max
-
-!!! question "Since sing-box 1.14.0"
-
-Maximum port hopping interval, used for randomization.
-
-If set, the actual hop interval will be randomly chosen between `hop_interval` and `hop_interval_max`.
-
 #### up_mbps, down_mbps
 
 Max bandwidth, in Mbps.
@@ -124,14 +109,6 @@ Both is enabled by default.
 
 TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
 
-#### bbr_profile
-
-!!! question "Since sing-box 1.14.0"
-
-BBR congestion control algorithm profile, one of `conservative` `standard` `aggressive`.
-
-`standard` is used by default.
-
 #### brutal_debug
 
 Enable debug information logging for Hysteria Brutal CC.

docs/configuration/outbound/hysteria2.zh.md

@@ -1,8 +1,3 @@
-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-plus: [hop_interval_max](#hop_interval_max)  
-    :material-plus: [bbr_profile](#bbr_profile)
-
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-plus: [server_ports](#server_ports)  
@@ -21,7 +16,6 @@
     "2080:3000"
   ],
   "hop_interval": "",
-  "hop_interval_max": "",
   "up_mbps": 100,
   "down_mbps": 100,
   "obfs": {
@@ -31,9 +25,8 @@
   "password": "goofy_ahh_password",
   "network": "tcp",
   "tls": {},
-  "bbr_profile": "",
   "brutal_debug": false,
-
+  
   ... // 拨号字段
 }
 ```
@@ -45,7 +38,7 @@
 !!! warning "与官方 Hysteria2 的区别"
 
     官方程序支持一种名为 **userpass** 的验证方式，
-    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
     要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。
 
 ### 字段
@@ -80,14 +73,6 @@
 
 默认使用 `30s`。
 
-#### hop_interval_max
-
-!!! question "自 sing-box 1.14.0 起"
-
-最大端口跳跃间隔，用于随机化。
-
-如果设置，实际跳跃间隔将在 `hop_interval` 和 `hop_interval_max` 之间随机选择。
-
 #### up_mbps, down_mbps
 
 最大带宽。
@@ -120,15 +105,7 @@ QUIC 流量混淆器密码.
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
-
-#### bbr_profile
-
-!!! question "自 sing-box 1.14.0 起"
-
-BBR 拥塞控制算法配置，可选 `conservative` `standard` `aggressive`。
-
-默认使用 `standard`。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 #### brutal_debug
 

docs/configuration/outbound/naive.zh.md

@@ -105,7 +105,7 @@ QUIC 拥塞控制算法。
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 只有 `server_name`、`certificate`、`certificate_path` 和 `ech` 是被支持的。
 

docs/configuration/outbound/selector.zh.md

@@ -17,7 +17,7 @@
 
 !!! quote ""
 
-    选择器目前只能通过 [Clash API](/zh/configuration/experimental/clash-api/) 来控制。
+    选择器目前只能通过 [Clash API](/zh/configuration/experimental#clash-api) 来控制。
 
 ### 字段
 

docs/configuration/outbound/shadowsocks.zh.md

@@ -95,7 +95,7 @@ UDP over TCP 配置。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
 
 ### 拨号字段
 

docs/configuration/outbound/shadowtls.zh.md

@@ -49,7 +49,7 @@ ShadowTLS 协议版本。
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/outbound/tor.zh.md

@@ -18,7 +18,7 @@
 
 !!! info ""
 
-    默认安装不包含嵌入式 Tor, 参阅 [安装](/zh/installation/build-from-source/#构建标记)。
+    默认安装不包含嵌入式 Tor, 参阅 [安装](/zh/installation/build-from-source/#_5)。
 
 ### 字段
 

docs/configuration/outbound/trojan.zh.md

@@ -47,11 +47,11 @@ Trojan 密码。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
 
 #### transport
 

docs/configuration/outbound/tuic.zh.md

@@ -97,7 +97,7 @@ UDP 包中继模式
 
 ==必填==
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 ### 拨号字段
 

docs/configuration/outbound/vless.zh.md

@@ -57,7 +57,7 @@ VLESS 子协议。
 
 #### tls
 
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 #### packet_encoding
 
@@ -71,7 +71,7 @@ UDP 包编码，默认使用 xudp。
 
 #### multiplex
 
-参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
 
 #### transport