Fix documentation

Signed-off-by: 世界 <i@sekai.icu>
Signed-off-by: unknowndevQwQ <unknowndevQwQ@pm.me>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,6 +1,5 @@
 name: Bug Report
 description: "Create a report to help us improve."
-labels: [ bug ]
 body:
   - type: checkboxes
     id: terms
@@ -9,9 +8,11 @@ body:
       options:
         - label: Yes, I'm using the latest major release. Only such installations are supported.
           required: true
+        - label: Yes, I'm using the latest Golang release. Only such installations are supported.
+          required: true
         - label: Yes, I've searched similar issues on GitHub and didn't find any.
           required: true
-        - label: Yes, I've included all information below (version, config, etc).
+        - label: Yes, I've included all information below (version, config, log, etc).
           required: true
 
   - type: textarea
@@ -30,7 +31,7 @@ body:
         <details>
 
         ```console
-        $ sing-box --version
+        $ sing-box version
         # Paste output here
         ```
 
@@ -51,4 +52,19 @@ body:
 
         </details>
     validations:
-      required: true
+      required: true
+
+  - type: textarea
+    id: log
+    attributes:
+      label: Server and client log file
+      value: |-
+        <details>
+
+        ```console
+        # paste log here
+        ```
+
+        </details>
+    validations:
+      required: true

.github/update_dependencies.sh

@@ -1,13 +1,5 @@
 #!/usr/bin/env bash
 
 PROJECTS=$(dirname "$0")/../..
-
-go get -x github.com/sagernet/sing@$(git -C $PROJECTS/sing rev-parse HEAD)
-go get -x github.com/sagernet/sing-dns@$(git -C $PROJECTS/sing-dns rev-parse HEAD)
-go get -x github.com/sagernet/sing-tun@$(git -C $PROJECTS/sing-tun rev-parse HEAD)
-go get -x github.com/sagernet/sing-shadowsocks@$(git -C $PROJECTS/sing-shadowsocks rev-parse HEAD)
-go get -x github.com/sagernet/sing-vmess@$(git -C $PROJECTS/sing-vmess rev-parse HEAD)
+go get -x github.com/sagernet/$1@$(git -C $PROJECTS/$1 rev-parse HEAD)
 go mod tidy
-pushd test
-go mod tidy
-popd

.github/workflows/debug.yml

@@ -3,14 +3,18 @@ name: Debug build
 on:
   push:
     branches:
+      - main
       - dev
+      - dev-next
     paths-ignore:
       - '**.md'
       - '.github/**'
       - '!.github/workflows/debug.yml'
   pull_request:
     branches:
+      - main
       - dev
+      - dev-next
 
 jobs:
   build:
@@ -47,6 +51,7 @@ jobs:
           go mod init build
           go get -v github.com/sagernet/sing-box@$version
           popd
+        continue-on-error: true
       - name: Run Test
         run: |
           go test -v ./...
@@ -160,6 +165,7 @@ jobs:
       GOARM: ${{ matrix.goarm }}
       GOMIPS: ${{ matrix.gomips }}
       CGO_ENABLED: 0
+      TAGS: with_clash_api,with_quic
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -181,18 +187,9 @@ jobs:
           key: go-${{ hashFiles('**/go.sum') }}
       - name: Build
         id: build
-        run: |
-          VERSION="$(date +%Y%m%d).$(git rev-parse --short HEAD)"
-          BUILDTIME="$(LANG=en_US.UTF-8 date -u)"
-          
-          go build -v -trimpath -ldflags '\
-            -X "github.com/sagernet/sing-box/constant.Version=$VERSION" \
-          	-X "github.com/sagernet/sing-box/constant.BuildTime=$BUILDTIME" \
-          	-s -w -buildid=' ./cmd/sing-box
-          
-          echo "::set-output name=VERSION::$VERSION"
+        run: make
       - name: Upload artifact
         uses: actions/upload-artifact@v2
         with:
-          name: sing-box-${{ matrix.name }}-${{ steps.build.outputs.VERSION }}
+          name: sing-box-${{ matrix.name }}
           path: sing-box*

.github/workflows/docker.yml

@@ -0,0 +1,43 @@
+name: Build Docker Images
+on:
+  push:
+    tags:
+      - v*
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "The tag version you want to build"
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Docker metadata
+        id: metadata
+        uses: docker/metadata-action@v3
+        with:
+          images: ghcr.io/sagernet/sing-box
+      - name: Get tag to build
+        id: tag
+        run: |
+          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
+            echo ::set-output name=tag::ghcr.io/sagernet/sing-box:${{ github.ref_name }}
+          else
+            echo ::set-output name=tag::ghcr.io/sagernet/sing-box:${{ github.event.inputs.tag }}
+          fi
+      - name: Build and release Docker images
+        uses: docker/build-push-action@v2
+        with:
+          platforms: linux/386,linux/amd64
+          target: dist
+          tags: ${{ steps.tag.outputs.tag }}
+          push: true

.github/workflows/mkdocs.yml

@@ -14,5 +14,5 @@ jobs:
       - uses: actions/setup-python@v2
         with:
           python-version: 3.x
-      - run: pip install mkdocs-material
+      - run: pip install mkdocs-material mkdocs-static-i18n
       - run: mkdocs gh-deploy -m "{sha}" --force --ignore-version --no-history

.github/workflows/stale.yml

@@ -0,0 +1,15 @@
+name: Mark stale issues and pull requests
+
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v5
+        with:
+          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
+          days-before-stale: 60
+          days-before-close: 5

.github/workflows/test.yml

@@ -0,0 +1,34 @@
+name: Test build
+
+on:
+  pull_request:
+    branches:
+      - main
+      - dev
+      - dev-next
+
+jobs:
+  build:
+    name: Debug build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Get latest go version
+        id: version
+        run: |
+          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ steps.version.outputs.go_version }}
+      - name: Cache go module
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+          key: go-${{ hashFiles('**/go.sum') }}
+      - name: Run Test
+        run: make test

.gitignore

@@ -3,4 +3,5 @@
 /*.json
 /*.db
 /site/
-/bin/
+/bin/
+/dist/

.golangci.yml

@@ -3,18 +3,19 @@ linters:
   enable:
     - gofumpt
     - govet
-    - gci
+#    - gci
     - staticcheck
     - paralleltest
 
-issues:
-  fix: true
+run:
+  skip-dirs:
+    - transport/cloudflaretls
 
 linters-settings:
-  gci:
-    sections:
-      - standard
-      - prefix(github.com/sagernet/)
-      - default
+#  gci:
+#    sections:
+#      - standard
+#      - prefix(github.com/sagernet/)
+#      - default
   staticcheck:
-    go: '1.18'
+    go: '1.19'

.goreleaser.yaml

@@ -0,0 +1,86 @@
+project_name: sing-box
+builds:
+  - main: ./cmd/sing-box
+    flags:
+      - -v
+      - -trimpath
+    asmflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    gcflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    ldflags:
+      - -s -w -buildid=
+    tags:
+      - with_gvisor
+      - with_quic
+      - with_wireguard
+      - with_clash_api
+    env:
+      - CGO_ENABLED=0
+    targets:
+      - android_arm64
+      - android_amd64
+      - android_amd64_v3
+      - linux_amd64_v1
+      - linux_amd64_v3
+      - linux_arm64
+      - linux_arm_7
+      - windows_amd64_v1
+      - windows_amd64_v3
+      - windows_386
+      - windows_arm64
+      - darwin_amd64_v1
+      - darwin_amd64_v3
+      - darwin_arm64
+    mod_timestamp: '{{ .CommitTimestamp }}'
+snapshot:
+  name_template: "{{ .Version }}.{{ .ShortCommit }}"
+archives:
+  - id: archive
+    format: tar.gz
+    format_overrides:
+      - goos: windows
+        format: zip
+    wrap_in_directory: true
+    files:
+      - LICENSE
+    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+nfpms:
+  - id: package
+    package_name: sing-box
+    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    vendor: sagernet
+    homepage: https://sing-box.sagernet.org/
+    maintainer: nekohasekai <contact-git@sekai.icu>
+    description: The universal proxy platform.
+    license: GPLv3 or later
+    formats:
+      - deb
+      - rpm
+    priority: extra
+    contents:
+      - src: release/config/config.json
+        dst: /etc/sing-box/config.json
+        type: config
+      - src: release/config/sing-box.service
+        dst: /etc/systemd/system/sing-box.service
+      - src: release/config/sing-box@.service
+        dst: /etc/systemd/system/sing-box@.service
+      - src: LICENSE
+        dst: /usr/share/licenses/sing-box/LICENSE
+source:
+  enabled: false
+  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
+  prefix_template: '{{ .ProjectName }}-{{ .Version }}/'
+checksum:
+  disable: true
+  name_template: '{{ .ProjectName }}-{{ .Version }}.checksum'
+signs:
+  - artifacts: checksum
+release:
+  github:
+    owner: SagerNet
+    name: sing-box
+  name_template: '{{ if .IsSnapshot }}{{ nightly }}{{ else }}{{ .Version }}{{ end }}'
+  draft: true
+  mode: replace

Dockerfile

@@ -0,0 +1,23 @@
+FROM golang:1.19-alpine AS builder
+LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
+COPY . /go/src/github.com/sagernet/sing-box
+WORKDIR /go/src/github.com/sagernet/sing-box
+ARG GOPROXY=""
+ENV GOPROXY ${GOPROXY}
+ENV CGO_ENABLED=0
+RUN set -ex \
+    && apk add git build-base \
+    && export COMMIT=$(git rev-parse --short HEAD) \
+    && go build -v -trimpath -tags with_quic,with_wireguard,with_acme \
+        -o /go/bin/sing-box \
+        -ldflags "-s -w -buildid=" \
+        ./cmd/sing-box
+FROM alpine AS dist
+LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
+RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
+RUN set -ex \
+    && apk upgrade \
+    && apk add bash tzdata ca-certificates \
+    && rm -rf /var/cache/apk/*
+COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
+ENTRYPOINT ["sing-box"]

Makefile

@@ -0,0 +1,81 @@
+NAME = sing-box
+COMMIT = $(shell git rev-parse --short HEAD)
+TAGS ?= with_gvisor,with_quic,with_wireguard,with_clash_api
+TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_shadowsocksr
+PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-s -w -buildid="
+MAIN = ./cmd/sing-box
+
+.PHONY: test release
+
+build:
+	go build $(PARAMS) $(MAIN)
+
+install:
+	go install $(PARAMS) $(MAIN)
+
+fmt:
+	@gofumpt -l -w .
+	@gofmt -s -w .
+	@gci write -s "standard,prefix(github.com/sagernet/),default" .
+
+fmt_install:
+	go install -v mvdan.cc/gofumpt@latest
+	go install -v github.com/daixiang0/gci@v0.4.0
+
+lint:
+	GOOS=linux golangci-lint run ./...
+	GOOS=android golangci-lint run ./...
+	GOOS=windows golangci-lint run ./...
+	GOOS=darwin golangci-lint run ./...
+	GOOS=freebsd golangci-lint run ./...
+
+lint_install:
+	go install -v github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+
+proto:
+	@go run ./cmd/internal/protogen
+	@gofumpt -l -w .
+	@gofumpt -l -w .
+
+proto_install:
+	go install -v google.golang.org/protobuf/cmd/protoc-gen-go@latest
+	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
+
+snapshot:
+	goreleaser release --rm-dist --snapshot
+	mkdir dist/release
+	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
+	ghr --delete --draft --prerelease -p 1 nightly dist/release
+	rm -r dist
+
+release:
+	goreleaser release --rm-dist --skip-publish
+	mkdir dist/release
+	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
+	ghr --delete --draft --prerelease -p 3 $(shell git describe --tags) dist/release
+	rm -r dist
+
+release_install:
+	go install -v github.com/goreleaser/goreleaser@latest
+	go install -v github.com/tcnksm/ghr@latest
+
+test:
+	@go test -v ./... && \
+	cd test && \
+	go mod tidy && \
+	go test -v -tags "$(TAGS_TEST)" .
+
+test_stdio:
+	@go test -v ./... && \
+	cd test && \
+	go mod tidy && \
+	go test -v -tags "$(TAGS_TEST),force_stdio" .
+
+clean:
+	rm -rf bin dist sing-box
+	rm -f $(shell go env GOPATH)/sing-box
+
+update:
+	git fetch
+	git reset FETCH_HEAD --hard
+	git clean -fdx

adapter/experimental.go

@@ -4,23 +4,29 @@ import (
 	"context"
 	"net"
 
+	"github.com/sagernet/sing-box/common/urltest"
 	N "github.com/sagernet/sing/common/network"
 )
 
 type ClashServer interface {
 	Service
-	TrafficController
+	Mode() string
+	StoreSelected() bool
+	CacheFile() ClashCacheFile
+	HistoryStorage() *urltest.HistoryStorage
+	RoutedConnection(ctx context.Context, conn net.Conn, metadata InboundContext, matchedRule Rule) (net.Conn, Tracker)
+	RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext, matchedRule Rule) (N.PacketConn, Tracker)
+}
+
+type ClashCacheFile interface {
+	LoadSelected(group string) string
+	StoreSelected(group string, selected string) error
 }
 
 type Tracker interface {
 	Leave()
 }
 
-type TrafficController interface {
-	RoutedConnection(ctx context.Context, conn net.Conn, metadata InboundContext, matchedRule Rule) (net.Conn, Tracker)
-	RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext, matchedRule Rule) (N.PacketConn, Tracker)
-}
-
 type OutboundGroup interface {
 	Now() string
 	All() []string

adapter/inbound.go

@@ -2,11 +2,13 @@ package adapter
 
 import (
 	"context"
+	"net"
 	"net/netip"
 
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-dns"
 	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
 )
 
 type Inbound interface {
@@ -15,9 +17,17 @@ type Inbound interface {
 	Tag() string
 }
 
+type InjectableInbound interface {
+	Inbound
+	Network() []string
+	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+}
+
 type InboundContext struct {
 	Inbound     string
 	InboundType string
+	IPVersion   int
 	Network     string
 	Source      M.Socksaddr
 	Destination M.Socksaddr
@@ -28,14 +38,16 @@ type InboundContext struct {
 
 	// cache
 
+	InboundDetour            string
+	LastInbound              string
+	OriginDestination        M.Socksaddr
 	DomainStrategy           dns.DomainStrategy
 	SniffEnabled             bool
 	SniffOverrideDestination bool
 	DestinationAddresses     []netip.Addr
-
-	SourceGeoIPCode string
-	GeoIPCode       string
-	ProcessInfo     *process.Info
+	SourceGeoIPCode          string
+	GeoIPCode                string
+	ProcessInfo              *process.Info
 }
 
 type inboundContextKey struct{}

adapter/router.go

@@ -11,7 +11,7 @@ import (
 	"github.com/sagernet/sing/common/control"
 	N "github.com/sagernet/sing/common/network"
 
-	"golang.org/x/net/dns/dnsmessage"
+	mdns "github.com/miekg/dns"
 )
 
 type Router interface {
@@ -27,18 +27,21 @@ type Router interface {
 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
 
-	Exchange(ctx context.Context, message *dnsmessage.Message) (*dnsmessage.Message, error)
+	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
 	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
 
-	InterfaceBindManager() control.BindManager
+	InterfaceFinder() control.InterfaceFinder
 	DefaultInterface() string
 	AutoDetectInterface() bool
 	DefaultMark() int
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
+	PackageManager() tun.PackageManager
 	Rules() []Rule
-	SetTrafficController(controller TrafficController)
+
+	ClashServer() ClashServer
+	SetClashServer(controller ClashServer)
 }
 
 type Rule interface {

adapter/service.go

@@ -1,12 +1,6 @@
 package adapter
 
-import "io"
-
-type Starter interface {
-	Start() error
-}
-
 type Service interface {
-	Starter
-	io.Closer
+	Start() error
+	Close() error
 }

adapter/upstream.go

@@ -38,13 +38,25 @@ type myUpstreamHandlerWrapper struct {
 }
 
 func (w *myUpstreamHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	w.metadata.Destination = metadata.Destination
-	return w.connectionHandler(ctx, conn, w.metadata)
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.connectionHandler(ctx, conn, myMetadata)
 }
 
 func (w *myUpstreamHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
-	w.metadata.Destination = metadata.Destination
-	return w.packetHandler(ctx, conn, w.metadata)
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.packetHandler(ctx, conn, myMetadata)
 }
 
 func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
@@ -78,13 +90,23 @@ func NewUpstreamContextHandler(
 
 func (w *myUpstreamContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
-	myMetadata.Destination = metadata.Destination
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
 	return w.connectionHandler(ctx, conn, *myMetadata)
 }
 
 func (w *myUpstreamContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
-	myMetadata.Destination = metadata.Destination
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
 	return w.packetHandler(ctx, conn, *myMetadata)
 }
 

adapter/v2ray.go

@@ -0,0 +1,17 @@
+package adapter
+
+import (
+	"context"
+	"net"
+)
+
+type V2RayServerTransport interface {
+	Network() []string
+	Serve(listener net.Listener) error
+	ServePacket(listener net.PacketConn) error
+	Close() error
+}
+
+type V2RayClientTransport interface {
+	DialContext(ctx context.Context) (net.Conn, error)
+}

box.go

@@ -2,8 +2,10 @@ package box
 
 import (
 	"context"
+	"fmt"
 	"io"
 	"os"
+	"runtime/debug"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -60,6 +62,7 @@ func New(ctx context.Context, options option.Options) (*Box, error) {
 			if err != nil {
 				return nil, err
 			}
+			logWriter = logFile
 		}
 		logFormatter := log.Formatter{
 			BaseTime:         createdAt,
@@ -135,7 +138,7 @@ func New(ctx context.Context, options option.Options) (*Box, error) {
 		}
 		outbounds = append(outbounds, out)
 	}
-	err = router.Initialize(outbounds, func() adapter.Outbound {
+	err = router.Initialize(inbounds, outbounds, func() adapter.Outbound {
 		out, oErr := outbound.New(ctx, router, logFactory.NewLogger("outbound/direct"), option.Outbound{Type: "direct", Tag: "default"})
 		common.Must(oErr)
 		outbounds = append(outbounds, out)
@@ -151,7 +154,7 @@ func New(ctx context.Context, options option.Options) (*Box, error) {
 		if err != nil {
 			return nil, E.Cause(err, "create clash api server")
 		}
-		router.SetTrafficController(clashServer)
+		router.SetClashServer(clashServer)
 	}
 	return &Box{
 		router:      router,
@@ -167,6 +170,37 @@ func New(ctx context.Context, options option.Options) (*Box, error) {
 }
 
 func (s *Box) Start() error {
+	err := s.start()
+	if err != nil {
+		// TODO: remove catch error
+		defer func() {
+			v := recover()
+			if v != nil {
+				log.Error(E.Cause(err, "origin error"))
+				debug.PrintStack()
+				panic("panic on early close: " + fmt.Sprint(v))
+			}
+		}()
+		s.Close()
+	}
+	return err
+}
+
+func (s *Box) start() error {
+	for i, out := range s.outbounds {
+		if starter, isStarter := out.(common.Starter); isStarter {
+			err := starter.Start()
+			if err != nil {
+				var tag string
+				if out.Tag() == "" {
+					tag = F.ToString(i)
+				} else {
+					tag = out.Tag()
+				}
+				return E.Cause(err, "initialize outbound/", out.Type(), "[", tag, "]")
+			}
+		}
+	}
 	err := s.router.Start()
 	if err != nil {
 		return err
@@ -174,10 +208,13 @@ func (s *Box) Start() error {
 	for i, in := range s.inbounds {
 		err = in.Start()
 		if err != nil {
-			for g := 0; g < i; g++ {
-				s.inbounds[g].Close()
+			var tag string
+			if in.Tag() == "" {
+				tag = F.ToString(i)
+			} else {
+				tag = in.Tag()
 			}
-			return err
+			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
 	if s.clashServer != nil {

cmd/internal/protogen/main.go

@@ -0,0 +1,218 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"go/build"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+)
+
+// envFile returns the name of the Go environment configuration file.
+// Copy from https://github.com/golang/go/blob/c4f2a9788a7be04daf931ac54382fbe2cb754938/src/cmd/go/internal/cfg/cfg.go#L150-L166
+func envFile() (string, error) {
+	if file := os.Getenv("GOENV"); file != "" {
+		if file == "off" {
+			return "", fmt.Errorf("GOENV=off")
+		}
+		return file, nil
+	}
+	dir, err := os.UserConfigDir()
+	if err != nil {
+		return "", err
+	}
+	if dir == "" {
+		return "", fmt.Errorf("missing user-config dir")
+	}
+	return filepath.Join(dir, "go", "env"), nil
+}
+
+// GetRuntimeEnv returns the value of runtime environment variable,
+// that is set by running following command: `go env -w key=value`.
+func GetRuntimeEnv(key string) (string, error) {
+	file, err := envFile()
+	if err != nil {
+		return "", err
+	}
+	if file == "" {
+		return "", fmt.Errorf("missing runtime env file")
+	}
+	var data []byte
+	var runtimeEnv string
+	data, readErr := os.ReadFile(file)
+	if readErr != nil {
+		return "", readErr
+	}
+	envStrings := strings.Split(string(data), "\n")
+	for _, envItem := range envStrings {
+		envItem = strings.TrimSuffix(envItem, "\r")
+		envKeyValue := strings.Split(envItem, "=")
+		if strings.EqualFold(strings.TrimSpace(envKeyValue[0]), key) {
+			runtimeEnv = strings.TrimSpace(envKeyValue[1])
+		}
+	}
+	return runtimeEnv, nil
+}
+
+// GetGOBIN returns GOBIN environment variable as a string. It will NOT be empty.
+func GetGOBIN() string {
+	// The one set by user explicitly by `export GOBIN=/path` or `env GOBIN=/path command`
+	GOBIN := os.Getenv("GOBIN")
+	if GOBIN == "" {
+		var err error
+		// The one set by user by running `go env -w GOBIN=/path`
+		GOBIN, err = GetRuntimeEnv("GOBIN")
+		if err != nil {
+			// The default one that Golang uses
+			return filepath.Join(build.Default.GOPATH, "bin")
+		}
+		if GOBIN == "" {
+			return filepath.Join(build.Default.GOPATH, "bin")
+		}
+		return GOBIN
+	}
+	return GOBIN
+}
+
+func main() {
+	pwd, err := os.Getwd()
+	if err != nil {
+		fmt.Println("Can not get current working directory.")
+		os.Exit(1)
+	}
+
+	GOBIN := GetGOBIN()
+	binPath := os.Getenv("PATH")
+	pathSlice := []string{pwd, GOBIN, binPath}
+	binPath = strings.Join(pathSlice, string(os.PathListSeparator))
+	os.Setenv("PATH", binPath)
+
+	suffix := ""
+	if runtime.GOOS == "windows" {
+		suffix = ".exe"
+	}
+
+	protoc := "protoc"
+
+	if linkPath, err := os.Readlink(protoc); err == nil {
+		protoc = linkPath
+	}
+
+	protoFilesMap := make(map[string][]string)
+	walkErr := filepath.Walk("./", func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			fmt.Println(err)
+			return err
+		}
+
+		if info.IsDir() {
+			return nil
+		}
+
+		dir := filepath.Dir(path)
+		filename := filepath.Base(path)
+		if strings.HasSuffix(filename, ".proto") &&
+			filename != "typed_message.proto" &&
+			filename != "descriptor.proto" {
+			protoFilesMap[dir] = append(protoFilesMap[dir], path)
+		}
+
+		return nil
+	})
+	if walkErr != nil {
+		fmt.Println(walkErr)
+		os.Exit(1)
+	}
+
+	for _, files := range protoFilesMap {
+		for _, relProtoFile := range files {
+			args := []string{
+				"-I", ".",
+				"--go_out", pwd,
+				"--go_opt", "paths=source_relative",
+				"--go-grpc_out", pwd,
+				"--go-grpc_opt", "paths=source_relative",
+				"--plugin", "protoc-gen-go=" + filepath.Join(GOBIN, "protoc-gen-go"+suffix),
+				"--plugin", "protoc-gen-go-grpc=" + filepath.Join(GOBIN, "protoc-gen-go-grpc"+suffix),
+			}
+			args = append(args, relProtoFile)
+			cmd := exec.Command(protoc, args...)
+			cmd.Env = append(cmd.Env, os.Environ()...)
+			output, cmdErr := cmd.CombinedOutput()
+			if len(output) > 0 {
+				fmt.Println(string(output))
+			}
+			if cmdErr != nil {
+				fmt.Println(cmdErr)
+				os.Exit(1)
+			}
+		}
+	}
+
+	normalizeWalkErr := filepath.Walk("./", func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			fmt.Println(err)
+			return err
+		}
+
+		if info.IsDir() {
+			return nil
+		}
+
+		filename := filepath.Base(path)
+		if strings.HasSuffix(filename, ".pb.go") &&
+			path != "config.pb.go" {
+			if err := NormalizeGeneratedProtoFile(path); err != nil {
+				fmt.Println(err)
+				os.Exit(1)
+			}
+		}
+
+		return nil
+	})
+	if normalizeWalkErr != nil {
+		fmt.Println(normalizeWalkErr)
+		os.Exit(1)
+	}
+}
+
+func NormalizeGeneratedProtoFile(path string) error {
+	fd, err := os.OpenFile(path, os.O_RDWR, 0o644)
+	if err != nil {
+		return err
+	}
+
+	_, err = fd.Seek(0, io.SeekStart)
+	if err != nil {
+		return err
+	}
+	out := bytes.NewBuffer(nil)
+	scanner := bufio.NewScanner(fd)
+	valid := false
+	for scanner.Scan() {
+		if !valid && !strings.HasPrefix(scanner.Text(), "package ") {
+			continue
+		}
+		valid = true
+		out.Write(scanner.Bytes())
+		out.Write([]byte("\n"))
+	}
+	_, err = fd.Seek(0, io.SeekStart)
+	if err != nil {
+		return err
+	}
+	err = fd.Truncate(0)
+	if err != nil {
+		return err
+	}
+	_, err = io.Copy(fd, bytes.NewReader(out.Bytes()))
+	if err != nil {
+		return err
+	}
+	return nil
+}

cmd/sing-box/cmd_check.go

@@ -2,12 +2,9 @@ package main
 
 import (
 	"context"
-	"os"
 
 	"github.com/sagernet/sing-box"
-	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
 
 	"github.com/spf13/cobra"
 )
@@ -15,24 +12,26 @@ import (
 var commandCheck = &cobra.Command{
 	Use:   "check",
 	Short: "Check configuration",
-	Run:   checkConfiguration,
-	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := check()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+	Args: cobra.NoArgs,
 }
 
-func checkConfiguration(cmd *cobra.Command, args []string) {
-	configContent, err := os.ReadFile(configPath)
+func init() {
+	mainCommand.AddCommand(commandCheck)
+}
+
+func check() error {
+	options, err := readConfig()
 	if err != nil {
-		log.Fatal("read config: ", err)
-	}
-	var options option.Options
-	err = json.Unmarshal(configContent, &options)
-	if err != nil {
-		log.Fatal("decode config: ", err)
+		return err
 	}
 	ctx, cancel := context.WithCancel(context.Background())
 	_, err = box.New(ctx, options)
-	if err != nil {
-		log.Fatal("create service: ", err)
-	}
 	cancel()
+	return err
 }

cmd/sing-box/cmd_format.go

@@ -8,6 +8,7 @@ import (
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
 
 	"github.com/spf13/cobra"
 )
@@ -17,47 +18,54 @@ var commandFormatFlagWrite bool
 var commandFormat = &cobra.Command{
 	Use:   "format",
 	Short: "Format configuration",
-	Run:   formatConfiguration,
-	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := format()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+	Args: cobra.NoArgs,
 }
 
 func init() {
 	commandFormat.Flags().BoolVarP(&commandFormatFlagWrite, "write", "w", false, "write result to (source) file instead of stdout")
+	mainCommand.AddCommand(commandFormat)
 }
 
-func formatConfiguration(cmd *cobra.Command, args []string) {
+func format() error {
 	configContent, err := os.ReadFile(configPath)
 	if err != nil {
-		log.Fatal("read config: ", err)
+		return E.Cause(err, "read config")
 	}
 	var options option.Options
-	err = json.Unmarshal(configContent, &options)
+	err = options.UnmarshalJSON(configContent)
 	if err != nil {
-		log.Fatal("decode config: ", err)
+		return E.Cause(err, "decode config")
 	}
 	buffer := new(bytes.Buffer)
 	encoder := json.NewEncoder(buffer)
 	encoder.SetIndent("", "  ")
 	err = encoder.Encode(options)
 	if err != nil {
-		log.Fatal("encode config: ", err)
+		return E.Cause(err, "encode config")
 	}
 	if !commandFormatFlagWrite {
 		os.Stdout.WriteString(buffer.String() + "\n")
-		return
+		return nil
 	}
 	if bytes.Equal(configContent, buffer.Bytes()) {
-		return
+		return nil
 	}
 	output, err := os.Create(configPath)
 	if err != nil {
-		log.Fatal("open output: ", err)
+		return E.Cause(err, "open output")
 	}
 	_, err = output.Write(buffer.Bytes())
 	output.Close()
 	if err != nil {
-		log.Fatal("write output: ", err)
+		return E.Cause(err, "write output")
 	}
 	outputPath, _ := filepath.Abs(configPath)
 	os.Stderr.WriteString(outputPath + "\n")
+	return nil
 }

cmd/sing-box/cmd_run.go

@@ -2,16 +2,15 @@ package main
 
 import (
 	"context"
-	"net/http"
+	"io"
 	"os"
 	"os/signal"
+	runtimeDebug "runtime/debug"
 	"syscall"
 
 	"github.com/sagernet/sing-box"
-	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
 
 	"github.com/spf13/cobra"
@@ -20,25 +19,43 @@ import (
 var commandRun = &cobra.Command{
 	Use:   "run",
 	Short: "Run service",
-	Run:   run,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := run()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
 }
 
-func run(cmd *cobra.Command, args []string) {
-	err := run0()
-	if err != nil {
-		log.Fatal(err)
+func init() {
+	mainCommand.AddCommand(commandRun)
+}
+
+func readConfig() (option.Options, error) {
+	var (
+		configContent []byte
+		err           error
+	)
+	if configPath == "stdin" {
+		configContent, err = io.ReadAll(os.Stdin)
+	} else {
+		configContent, err = os.ReadFile(configPath)
 	}
-}
-
-func run0() error {
-	configContent, err := os.ReadFile(configPath)
 	if err != nil {
-		return E.Cause(err, "read config")
+		return option.Options{}, E.Cause(err, "read config")
 	}
 	var options option.Options
-	err = json.Unmarshal(configContent, &options)
+	err = options.UnmarshalJSON(configContent)
 	if err != nil {
-		return E.Cause(err, "decode config")
+		return option.Options{}, E.Cause(err, "decode config")
+	}
+	return options, nil
+}
+
+func create() (*box.Box, context.CancelFunc, error) {
+	options, err := readConfig()
+	if err != nil {
+		return nil, nil, err
 	}
 	if disableColor {
 		if options.Log == nil {
@@ -50,23 +67,40 @@ func run0() error {
 	instance, err := box.New(ctx, options)
 	if err != nil {
 		cancel()
-		return E.Cause(err, "create service")
+		return nil, nil, E.Cause(err, "create service")
 	}
 	err = instance.Start()
 	if err != nil {
 		cancel()
-		return E.Cause(err, "start service")
+		return nil, nil, E.Cause(err, "start service")
 	}
-	if debug.Enabled {
-		http.HandleFunc("/debug/close", func(writer http.ResponseWriter, request *http.Request) {
+	return instance, cancel, nil
+}
+
+func run() error {
+	osSignals := make(chan os.Signal, 1)
+	signal.Notify(osSignals, os.Interrupt, syscall.SIGTERM, syscall.SIGHUP)
+	for {
+		instance, cancel, err := create()
+		if err != nil {
+			return err
+		}
+		runtimeDebug.FreeOSMemory()
+		for {
+			osSignal := <-osSignals
+			if osSignal == syscall.SIGHUP {
+				err = check()
+				if err != nil {
+					log.Error(E.Cause(err, "reload service"))
+					continue
+				}
+			}
 			cancel()
 			instance.Close()
-		})
+			if osSignal != syscall.SIGHUP {
+				return nil
+			}
+			break
+		}
 	}
-	osSignals := make(chan os.Signal, 1)
-	signal.Notify(osSignals, os.Interrupt, syscall.SIGTERM)
-	<-osSignals
-	cancel()
-	instance.Close()
-	return nil
 }

cmd/sing-box/cmd_version.go

@@ -3,9 +3,9 @@ package main
 import (
 	"os"
 	"runtime"
+	"runtime/debug"
 
 	C "github.com/sagernet/sing-box/constant"
-	F "github.com/sagernet/sing/common/format"
 
 	"github.com/spf13/cobra"
 )
@@ -17,11 +17,48 @@ var commandVersion = &cobra.Command{
 	Args:  cobra.NoArgs,
 }
 
-func printVersion(cmd *cobra.Command, args []string) {
-	os.Stderr.WriteString(F.ToString("sing-box version ", C.Version, " (", runtime.Version(), ", ", runtime.GOOS, "/", runtime.GOARCH, ", CGO "))
-	if C.CGO_ENABLED {
-		os.Stderr.WriteString("enabled)\n")
-	} else {
-		os.Stderr.WriteString("disabled)\n")
-	}
+var nameOnly bool
+
+func init() {
+	commandVersion.Flags().BoolVarP(&nameOnly, "name", "n", false, "print version name only")
+	mainCommand.AddCommand(commandVersion)
+}
+
+func printVersion(cmd *cobra.Command, args []string) {
+	if nameOnly {
+		os.Stdout.WriteString(C.Version + "\n")
+		return
+	}
+	version := "sing-box version " + C.Version + "\n\n"
+	version += "Environment: " + runtime.Version() + " " + runtime.GOOS + "/" + runtime.GOARCH + "\n"
+
+	var tags string
+	var revision string
+
+	debugInfo, loaded := debug.ReadBuildInfo()
+	if loaded {
+		for _, setting := range debugInfo.Settings {
+			switch setting.Key {
+			case "-tags":
+				tags = setting.Value
+			case "vcs.revision":
+				revision = setting.Value
+			}
+		}
+	}
+
+	if tags != "" {
+		version += "Tags: " + tags + "\n"
+	}
+	if revision != "" {
+		version += "Revision: " + revision + "\n"
+	}
+
+	if C.CGO_ENABLED {
+		version += "CGO: enabled\n"
+	} else {
+		version += "CGO: disabled\n"
+	}
+
+	os.Stdout.WriteString(version)
 }

cmd/sing-box/main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"os"
 
+	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 
 	"github.com/spf13/cobra"
@@ -23,11 +24,6 @@ func init() {
 	mainCommand.PersistentFlags().StringVarP(&configPath, "config", "c", "config.json", "set configuration file path")
 	mainCommand.PersistentFlags().StringVarP(&workingDir, "directory", "D", "", "set working directory")
 	mainCommand.PersistentFlags().BoolVarP(&disableColor, "disable-color", "", false, "disable color output")
-
-	mainCommand.AddCommand(commandRun)
-	mainCommand.AddCommand(commandCheck)
-	mainCommand.AddCommand(commandFormat)
-	mainCommand.AddCommand(commandVersion)
 }
 
 func main() {

common/baderror/baderror.go

@@ -0,0 +1,62 @@
+package baderror
+
+import (
+	"context"
+	"io"
+	"net"
+	"strings"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func Contains(err error, msgList ...string) bool {
+	for _, msg := range msgList {
+		if strings.Contains(err.Error(), msg) {
+			return true
+		}
+	}
+	return false
+}
+
+func WrapH2(err error) error {
+	if err == nil {
+		return nil
+	}
+	err = E.Unwrap(err)
+	if err == io.ErrUnexpectedEOF {
+		return io.EOF
+	}
+	if Contains(err, "client disconnected", "body closed by handler", "response body closed", "; CANCEL") {
+		return net.ErrClosed
+	}
+	return err
+}
+
+func WrapGRPC(err error) error {
+	// grpc uses stupid internal error types
+	if err == nil {
+		return nil
+	}
+	if Contains(err, "EOF") {
+		return io.EOF
+	}
+	if Contains(err, "Canceled") {
+		return context.Canceled
+	}
+	if Contains(err,
+		"the client connection is closing",
+		"server closed the stream without sending trailers") {
+		return net.ErrClosed
+	}
+	return err
+}
+
+func WrapQUIC(err error) error {
+	if err == nil {
+		return nil
+	}
+	if Contains(err, "canceled with error code 0") {
+		return net.ErrClosed
+	}
+	return err
+}

common/debugio/print.go

@@ -0,0 +1,19 @@
+package debugio
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/sagernet/sing/common"
+)
+
+func PrintUpstream(obj any) {
+	for obj != nil {
+		fmt.Println(reflect.TypeOf(obj))
+		if u, ok := obj.(common.WithUpstream); !ok {
+			break
+		} else {
+			obj = u.Upstream()
+		}
+	}
+}

common/dialer/default.go

@@ -3,6 +3,7 @@ package dialer
 import (
 	"context"
 	"net"
+	"net/netip"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -10,6 +11,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/control"
+	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 
@@ -52,8 +54,10 @@ var warnTFOOnUnsupportedPlatform = warning.New(
 )
 
 type DefaultDialer struct {
-	tfo.Dialer
-	net.ListenConfig
+	dialer      tfo.Dialer
+	udpDialer   net.Dialer
+	udpListener net.ListenConfig
+	bindUDPAddr string
 }
 
 func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDialer {
@@ -61,25 +65,23 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
 		warnBindInterfaceOnUnsupportedPlatform.Check()
-		bindFunc := control.BindToInterface(router.InterfaceBindManager(), options.BindInterface)
+		bindFunc := control.BindToInterface(router.InterfaceFinder(), options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	} else if router.AutoDetectInterface() {
-		if C.IsWindows {
-			bindFunc := control.BindToInterfaceIndexFunc(func() int {
-				return router.InterfaceMonitor().DefaultInterfaceIndex()
-			})
-			dialer.Control = control.Append(dialer.Control, bindFunc)
-			listener.Control = control.Append(listener.Control, bindFunc)
-		} else {
-			bindFunc := control.BindToInterfaceFunc(router.InterfaceBindManager(), func() string {
-				return router.InterfaceMonitor().DefaultInterfaceName()
-			})
-			dialer.Control = control.Append(dialer.Control, bindFunc)
-			listener.Control = control.Append(listener.Control, bindFunc)
-		}
+		const useInterfaceName = C.IsLinux
+		bindFunc := control.BindToInterfaceFunc(router.InterfaceFinder(), func(network string, address string) (interfaceName string, interfaceIndex int) {
+			remoteAddr := M.ParseSocksaddr(address).Addr
+			if C.IsLinux {
+				return router.InterfaceMonitor().DefaultInterfaceName(remoteAddr), -1
+			} else {
+				return "", router.InterfaceMonitor().DefaultInterfaceIndex(remoteAddr)
+			}
+		})
+		dialer.Control = control.Append(dialer.Control, bindFunc)
+		listener.Control = control.Append(listener.Control, bindFunc)
 	} else if router.DefaultInterface() != "" {
-		bindFunc := control.BindToInterface(router.InterfaceBindManager(), router.DefaultInterface())
+		bindFunc := control.BindToInterface(router.InterfaceFinder(), router.DefaultInterface(), -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
@@ -108,17 +110,45 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	if options.TCPFastOpen {
 		warnTFOOnUnsupportedPlatform.Check()
 	}
-	return &DefaultDialer{tfo.Dialer{Dialer: dialer, DisableTFO: !options.TCPFastOpen}, listener}
+	var udpFragment bool
+	if options.UDPFragment != nil {
+		udpFragment = *options.UDPFragment
+	} else {
+		udpFragment = options.UDPFragmentDefault
+	}
+	if !udpFragment {
+		dialer.Control = control.Append(dialer.Control, control.DisableUDPFragment())
+		listener.Control = control.Append(listener.Control, control.DisableUDPFragment())
+	}
+	var bindUDPAddr string
+	udpDialer := dialer
+	var bindAddress netip.Addr
+	if options.BindAddress != nil {
+		bindAddress = options.BindAddress.Build()
+	}
+	if bindAddress.IsValid() {
+		dialer.LocalAddr = &net.TCPAddr{
+			IP: bindAddress.AsSlice(),
+		}
+		udpDialer.LocalAddr = &net.UDPAddr{
+			IP: bindAddress.AsSlice(),
+		}
+		bindUDPAddr = M.SocksaddrFrom(bindAddress, 0).String()
+	}
+	return &DefaultDialer{tfo.Dialer{Dialer: dialer, DisableTFO: !options.TCPFastOpen}, udpDialer, listener, bindUDPAddr}
 }
 
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {
-	return d.Dialer.DialContext(ctx, network, address.Unwrap().String())
+	if !address.IsValid() {
+		return nil, E.New("invalid address")
+	}
+	switch N.NetworkName(network) {
+	case N.NetworkUDP:
+		return d.udpDialer.DialContext(ctx, network, address.String())
+	}
+	return d.dialer.DialContext(ctx, network, address.String())
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return d.ListenConfig.ListenPacket(ctx, N.NetworkUDP, "")
-}
-
-func (d *DefaultDialer) Upstream() any {
-	return &d.Dialer
+	return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.bindUDPAddr)
 }

common/dialer/dialer.go

@@ -10,15 +10,12 @@ import (
 )
 
 func New(router adapter.Router, options option.DialerOptions) N.Dialer {
+	var dialer N.Dialer
 	if options.Detour == "" {
-		return NewDefault(router, options)
+		dialer = NewDefault(router, options)
 	} else {
-		return NewDetour(router, options.Detour)
+		dialer = NewDetour(router, options.Detour)
 	}
-}
-
-func NewOutbound(router adapter.Router, options option.OutboundDialerOptions) N.Dialer {
-	dialer := New(router, options.DialerOptions)
 	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
 		dialer = NewResolveDialer(router, dialer, domainStrategy, time.Duration(options.FallbackDelay))

common/dialer/resolve.go

@@ -51,7 +51,7 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 }
 
 func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if !destination.IsFqdn() || destination.Fqdn == "" {
+	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx, metadata := adapter.AppendContext(ctx)

common/geosite/writer.go

@@ -20,13 +20,11 @@ func Write(writer io.Writer, domains map[string][]Item) error {
 	for _, code := range keys {
 		index[code] = content.Len()
 		for _, domain := range domains[code] {
-			err := rw.WriteByte(content, domain.Type)
+			content.WriteByte(domain.Type)
+			err := rw.WriteVString(content, domain.Value)
 			if err != nil {
 				return err
 			}
-			if err = rw.WriteVString(content, domain.Value); err != nil {
-				return err
-			}
 		}
 	}
 

common/json/comment.go

@@ -0,0 +1,128 @@
+package json
+
+import (
+	"bufio"
+	"io"
+)
+
+// kanged from v2ray
+
+type commentFilterState = byte
+
+const (
+	commentFilterStateContent commentFilterState = iota
+	commentFilterStateEscape
+	commentFilterStateDoubleQuote
+	commentFilterStateDoubleQuoteEscape
+	commentFilterStateSingleQuote
+	commentFilterStateSingleQuoteEscape
+	commentFilterStateComment
+	commentFilterStateSlash
+	commentFilterStateMultilineComment
+	commentFilterStateMultilineCommentStar
+)
+
+type CommentFilter struct {
+	br    *bufio.Reader
+	state commentFilterState
+}
+
+func NewCommentFilter(reader io.Reader) io.Reader {
+	return &CommentFilter{br: bufio.NewReader(reader)}
+}
+
+func (v *CommentFilter) Read(b []byte) (int, error) {
+	p := b[:0]
+	for len(p) < len(b)-2 {
+		x, err := v.br.ReadByte()
+		if err != nil {
+			if len(p) == 0 {
+				return 0, err
+			}
+			return len(p), nil
+		}
+		switch v.state {
+		case commentFilterStateContent:
+			switch x {
+			case '"':
+				v.state = commentFilterStateDoubleQuote
+				p = append(p, x)
+			case '\'':
+				v.state = commentFilterStateSingleQuote
+				p = append(p, x)
+			case '\\':
+				v.state = commentFilterStateEscape
+			case '#':
+				v.state = commentFilterStateComment
+			case '/':
+				v.state = commentFilterStateSlash
+			default:
+				p = append(p, x)
+			}
+		case commentFilterStateEscape:
+			p = append(p, '\\', x)
+			v.state = commentFilterStateContent
+		case commentFilterStateDoubleQuote:
+			switch x {
+			case '"':
+				v.state = commentFilterStateContent
+				p = append(p, x)
+			case '\\':
+				v.state = commentFilterStateDoubleQuoteEscape
+			default:
+				p = append(p, x)
+			}
+		case commentFilterStateDoubleQuoteEscape:
+			p = append(p, '\\', x)
+			v.state = commentFilterStateDoubleQuote
+		case commentFilterStateSingleQuote:
+			switch x {
+			case '\'':
+				v.state = commentFilterStateContent
+				p = append(p, x)
+			case '\\':
+				v.state = commentFilterStateSingleQuoteEscape
+			default:
+				p = append(p, x)
+			}
+		case commentFilterStateSingleQuoteEscape:
+			p = append(p, '\\', x)
+			v.state = commentFilterStateSingleQuote
+		case commentFilterStateComment:
+			if x == '\n' {
+				v.state = commentFilterStateContent
+				p = append(p, '\n')
+			}
+		case commentFilterStateSlash:
+			switch x {
+			case '/':
+				v.state = commentFilterStateComment
+			case '*':
+				v.state = commentFilterStateMultilineComment
+			default:
+				p = append(p, '/', x)
+			}
+		case commentFilterStateMultilineComment:
+			switch x {
+			case '*':
+				v.state = commentFilterStateMultilineCommentStar
+			case '\n':
+				p = append(p, '\n')
+			}
+		case commentFilterStateMultilineCommentStar:
+			switch x {
+			case '/':
+				v.state = commentFilterStateContent
+			case '*':
+				// Stay
+			case '\n':
+				p = append(p, '\n')
+			default:
+				v.state = commentFilterStateMultilineComment
+			}
+		default:
+			panic("Unknown state.")
+		}
+	}
+	return len(p), nil
+}

common/mux/client.go

@@ -466,10 +466,7 @@ func (c *ClientPacketAddrConn) ReadPacket(buffer *buf.Buffer) (destination M.Soc
 	if err != nil {
 		return
 	}
-	if buffer.FreeLen() < int(length) {
-		return destination, io.ErrShortBuffer
-	}
-	_, err = io.ReadFull(c.ExtendedConn, buffer.Extend(int(length)))
+	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
 	return
 }
 

common/mux/service.go

@@ -3,7 +3,6 @@ package mux
 import (
 	"context"
 	"encoding/binary"
-	"io"
 	"net"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -15,6 +14,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/sing/common/task"
 )
 
 func NewConnection(ctx context.Context, router adapter.Router, errorHandler E.Handler, logger log.ContextLogger, conn net.Conn, metadata adapter.InboundContext) error {
@@ -26,14 +26,21 @@ func NewConnection(ctx context.Context, router adapter.Router, errorHandler E.Ha
 	if err != nil {
 		return err
 	}
-	var stream net.Conn
-	for {
-		stream, err = session.Accept()
-		if err != nil {
-			return err
+	var group task.Group
+	group.Append0(func(ctx context.Context) error {
+		var stream net.Conn
+		for {
+			stream, err = session.Accept()
+			if err != nil {
+				return err
+			}
+			go newConnection(ctx, router, errorHandler, logger, stream, metadata)
 		}
-		go newConnection(ctx, router, errorHandler, logger, stream, metadata)
-	}
+	})
+	group.Cleanup(func() {
+		session.Close()
+	})
+	return group.Run(ctx)
 }
 
 func newConnection(ctx context.Context, router adapter.Router, errorHandler E.Handler, logger log.ContextLogger, stream net.Conn, metadata adapter.InboundContext) {
@@ -158,9 +165,6 @@ func (c *ServerPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksad
 	if err != nil {
 		return
 	}
-	if buffer.FreeLen() < int(length) {
-		return destination, io.ErrShortBuffer
-	}
 	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
 	if err != nil {
 		return
@@ -223,9 +227,6 @@ func (c *ServerPacketAddrConn) ReadPacket(buffer *buf.Buffer) (destination M.Soc
 	if err != nil {
 		return
 	}
-	if buffer.FreeLen() < int(length) {
-		return destination, io.ErrShortBuffer
-	}
 	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
 	if err != nil {
 		return

common/process/searcher.go

@@ -4,18 +4,29 @@ import (
 	"context"
 	"net/netip"
 
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
 type Searcher interface {
-	FindProcessInfo(ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error)
+	FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error)
 }
 
 var ErrNotFound = E.New("process not found")
 
+type Config struct {
+	Logger         log.ContextLogger
+	PackageManager tun.PackageManager
+}
+
 type Info struct {
 	ProcessPath string
 	PackageName string
 	User        string
 	UserId      int32
 }
+
+func FindProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+	return findProcessInfo(searcher, ctx, network, source, destination)
+}

common/process/searcher_android.go

@@ -2,170 +2,37 @@ package process
 
 import (
 	"context"
-	"encoding/xml"
-	"io"
 	"net/netip"
-	"os"
-	"strconv"
 
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	"github.com/fsnotify/fsnotify"
+	"github.com/sagernet/sing-tun"
 )
 
 var _ Searcher = (*androidSearcher)(nil)
 
 type androidSearcher struct {
-	logger        log.ContextLogger
-	watcher       *fsnotify.Watcher
-	userMap       map[string]int32
-	packageMap    map[int32]string
-	sharedUserMap map[int32]string
+	packageManager tun.PackageManager
 }
 
-func NewSearcher(logger log.ContextLogger) (Searcher, error) {
-	return &androidSearcher{logger: logger}, nil
+func NewSearcher(config Config) (Searcher, error) {
+	return &androidSearcher{config.PackageManager}, nil
 }
 
-func (s *androidSearcher) Start() error {
-	err := s.updatePackages()
-	if err != nil {
-		return E.Cause(err, "read packages list")
-	}
-	err = s.startWatcher()
-	if err != nil {
-		s.logger.Warn("create fsnotify watcher: ", err)
-	}
-	return nil
-}
-
-func (s *androidSearcher) startWatcher() error {
-	watcher, err := fsnotify.NewWatcher()
-	if err != nil {
-		return err
-	}
-	err = watcher.Add("/data/system/packages.xml")
-	if err != nil {
-		return err
-	}
-	s.watcher = watcher
-	go s.loopUpdate()
-	return nil
-}
-
-func (s *androidSearcher) loopUpdate() {
-	for {
-		select {
-		case _, ok := <-s.watcher.Events:
-			if !ok {
-				return
-			}
-			err := s.updatePackages()
-			if err != nil {
-				s.logger.Error(E.Cause(err, "update packages list"))
-			}
-		case err, ok := <-s.watcher.Errors:
-			if !ok {
-				return
-			}
-			s.logger.Error(E.Cause(err, "fsnotify error"))
-		}
-	}
-}
-
-func (s *androidSearcher) Close() error {
-	return common.Close(common.PtrOrNil(s.watcher))
-}
-
-func (s *androidSearcher) FindProcessInfo(ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error) {
-	_, uid, err := resolveSocketByNetlink(network, srcIP, srcPort)
+func (s *androidSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+	_, uid, err := resolveSocketByNetlink(network, source, destination)
 	if err != nil {
 		return nil, err
 	}
-	if sharedUser, loaded := s.sharedUserMap[uid]; loaded {
+	if sharedPackage, loaded := s.packageManager.SharedPackageByID(uid % 100000); loaded {
 		return &Info{
-			UserId:      uid,
-			PackageName: sharedUser,
+			UserId:      int32(uid),
+			PackageName: sharedPackage,
 		}, nil
 	}
-	if packageName, loaded := s.packageMap[uid]; loaded {
+	if packageName, loaded := s.packageManager.PackageByID(uid % 100000); loaded {
 		return &Info{
-			UserId:      uid,
+			UserId:      int32(uid),
 			PackageName: packageName,
 		}, nil
 	}
-	return &Info{UserId: uid}, nil
-}
-
-func (s *androidSearcher) updatePackages() error {
-	userMap := make(map[string]int32)
-	packageMap := make(map[int32]string)
-	sharedUserMap := make(map[int32]string)
-	packagesData, err := os.Open("/data/system/packages.xml")
-	if err != nil {
-		return err
-	}
-	decoder := xml.NewDecoder(packagesData)
-	var token xml.Token
-	for {
-		token, err = decoder.Token()
-		if err == io.EOF {
-			break
-		} else if err != nil {
-			return err
-		}
-
-		element, isStart := token.(xml.StartElement)
-		if !isStart {
-			continue
-		}
-
-		switch element.Name.Local {
-		case "package":
-			var name string
-			var userID int64
-			for _, attr := range element.Attr {
-				switch attr.Name.Local {
-				case "name":
-					name = attr.Value
-				case "userId", "sharedUserId":
-					userID, err = strconv.ParseInt(attr.Value, 10, 32)
-					if err != nil {
-						return err
-					}
-				}
-			}
-			if userID == 0 && name == "" {
-				continue
-			}
-			userMap[name] = int32(userID)
-			packageMap[int32(userID)] = name
-		case "shared-user":
-			var name string
-			var userID int64
-			for _, attr := range element.Attr {
-				switch attr.Name.Local {
-				case "name":
-					name = attr.Value
-				case "userId":
-					userID, err = strconv.ParseInt(attr.Value, 10, 32)
-					if err != nil {
-						return err
-					}
-					packageMap[int32(userID)] = name
-				}
-			}
-			if userID == 0 && name == "" {
-				continue
-			}
-			sharedUserMap[int32(userID)] = name
-		}
-	}
-	s.logger.Info("updated packages list: ", len(packageMap), " packages, ", len(sharedUserMap), " shared users")
-	s.userMap = userMap
-	s.packageMap = packageMap
-	s.sharedUserMap = sharedUserMap
-	return nil
+	return &Info{UserId: int32(uid)}, nil
 }

common/process/searcher_darwin.go

@@ -8,7 +8,6 @@ import (
 	"syscall"
 	"unsafe"
 
-	"github.com/sagernet/sing-box/log"
 	N "github.com/sagernet/sing/common/network"
 
 	"golang.org/x/sys/unix"
@@ -18,12 +17,12 @@ var _ Searcher = (*darwinSearcher)(nil)
 
 type darwinSearcher struct{}
 
-func NewSearcher(logger log.ContextLogger) (Searcher, error) {
+func NewSearcher(_ Config) (Searcher, error) {
 	return &darwinSearcher{}, nil
 }
 
-func (d *darwinSearcher) FindProcessInfo(ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error) {
-	processName, err := findProcessName(network, srcIP, srcPort)
+func (d *darwinSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+	processName, err := findProcessName(network, source.Addr(), int(source.Port()))
 	if err != nil {
 		return nil, err
 	}

common/process/searcher_linux.go

@@ -15,12 +15,12 @@ type linuxSearcher struct {
 	logger log.ContextLogger
 }
 
-func NewSearcher(logger log.ContextLogger) (Searcher, error) {
-	return &linuxSearcher{logger}, nil
+func NewSearcher(config Config) (Searcher, error) {
+	return &linuxSearcher{config.Logger}, nil
 }
 
-func (s *linuxSearcher) FindProcessInfo(ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error) {
-	inode, uid, err := resolveSocketByNetlink(network, srcIP, srcPort)
+func (s *linuxSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+	inode, uid, err := resolveSocketByNetlink(network, source, destination)
 	if err != nil {
 		return nil, err
 	}
@@ -29,7 +29,7 @@ func (s *linuxSearcher) FindProcessInfo(ctx context.Context, network string, src
 		s.logger.DebugContext(ctx, "find process path: ", err)
 	}
 	return &Info{
-		UserId:      uid,
+		UserId:      int32(uid),
 		ProcessPath: processPath,
 	}, nil
 }

common/process/searcher_linux_shared.go

@@ -37,19 +37,9 @@ const (
 	pathProc                = "/proc"
 )
 
-func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (inode int32, uid int32, err error) {
-	for attempts := 0; attempts < 3; attempts++ {
-		inode, uid, err = resolveSocketByNetlink0(network, ip, srcPort)
-		if err == nil {
-			return
-		}
-	}
-	return
-}
-
-func resolveSocketByNetlink0(network string, ip netip.Addr, srcPort int) (inode int32, uid int32, err error) {
-	var family byte
-	var protocol byte
+func resolveSocketByNetlink(network string, source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
+	var family uint8
+	var protocol uint8
 
 	switch network {
 	case N.NetworkTCP:
@@ -60,13 +50,13 @@ func resolveSocketByNetlink0(network string, ip netip.Addr, srcPort int) (inode
 		return 0, 0, os.ErrInvalid
 	}
 
-	if ip.Is4() {
+	if source.Addr().Is4() {
 		family = syscall.AF_INET
 	} else {
 		family = syscall.AF_INET6
 	}
 
-	req := packSocketDiagRequest(family, protocol, ip, uint16(srcPort))
+	req := packSocketDiagRequest(family, protocol, source)
 
 	socket, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM, syscall.NETLINK_INET_DIAG)
 	if err != nil {
@@ -77,16 +67,18 @@ func resolveSocketByNetlink0(network string, ip netip.Addr, srcPort int) (inode
 	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, &syscall.Timeval{Usec: 100})
 	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, &syscall.Timeval{Usec: 100})
 
-	if err = syscall.Connect(socket, &syscall.SockaddrNetlink{
+	err = syscall.Connect(socket, &syscall.SockaddrNetlink{
 		Family: syscall.AF_NETLINK,
 		Pad:    0,
 		Pid:    0,
 		Groups: 0,
-	}); err != nil {
-		return 0, 0, err
+	})
+	if err != nil {
+		return
 	}
 
-	if _, err = syscall.Write(socket, req); err != nil {
+	_, err = syscall.Write(socket, req)
+	if err != nil {
 		return 0, 0, E.Cause(err, "write netlink request")
 	}
 
@@ -115,15 +107,12 @@ func resolveSocketByNetlink0(network string, ip netip.Addr, srcPort int) (inode
 	}
 
 	inode, uid = unpackSocketDiagResponse(&messages[0])
-	if inode < 0 || uid < 0 {
-		return 0, 0, E.New("invalid inode(", inode, ") or uid(", uid, ")")
-	}
 	return
 }
 
-func packSocketDiagRequest(family, protocol byte, source netip.Addr, sourcePort uint16) []byte {
+func packSocketDiagRequest(family, protocol byte, source netip.AddrPort) []byte {
 	s := make([]byte, 16)
-	copy(s, source.AsSlice())
+	copy(s, source.Addr().AsSlice())
 
 	buf := make([]byte, sizeOfSocketDiagRequest)
 
@@ -139,7 +128,7 @@ func packSocketDiagRequest(family, protocol byte, source netip.Addr, sourcePort
 	buf[19] = 0
 	nativeEndian.PutUint32(buf[20:24], 0xFFFFFFFF)
 
-	binary.BigEndian.PutUint16(buf[24:26], sourcePort)
+	binary.BigEndian.PutUint16(buf[24:26], source.Port())
 	binary.BigEndian.PutUint16(buf[26:28], 0)
 
 	copy(buf[28:44], s)
@@ -151,20 +140,20 @@ func packSocketDiagRequest(family, protocol byte, source netip.Addr, sourcePort
 	return buf
 }
 
-func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid int32) {
+func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid uint32) {
 	if len(msg.Data) < 72 {
 		return 0, 0
 	}
 
 	data := msg.Data
 
-	uid = int32(nativeEndian.Uint32(data[64:68]))
-	inode = int32(nativeEndian.Uint32(data[68:72]))
+	uid = nativeEndian.Uint32(data[64:68])
+	inode = nativeEndian.Uint32(data[68:72])
 
 	return
 }
 
-func resolveProcessNameByProcSearch(inode, uid int32) (string, error) {
+func resolveProcessNameByProcSearch(inode, uid uint32) (string, error) {
 	files, err := os.ReadDir(pathProc)
 	if err != nil {
 		return "", err
@@ -182,7 +171,7 @@ func resolveProcessNameByProcSearch(inode, uid int32) (string, error) {
 		if err != nil {
 			return "", err
 		}
-		if info.Sys().(*syscall.Stat_t).Uid != uint32(uid) {
+		if info.Sys().(*syscall.Stat_t).Uid != uid {
 			continue
 		}
 

common/process/searcher_stub.go

@@ -4,10 +4,8 @@ package process
 
 import (
 	"os"
-
-	"github.com/sagernet/sing-box/log"
 )
 
-func NewSearcher(logger log.ContextLogger) (Searcher, error) {
+func NewSearcher(_ Config) (Searcher, error) {
 	return nil, os.ErrInvalid
 }

common/process/searcher_windows.go

@@ -8,7 +8,6 @@ import (
 	"syscall"
 	"unsafe"
 
-	"github.com/sagernet/sing-box/log"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 
@@ -19,7 +18,7 @@ var _ Searcher = (*windowsSearcher)(nil)
 
 type windowsSearcher struct{}
 
-func NewSearcher(logger log.ContextLogger) (Searcher, error) {
+func NewSearcher(_ Config) (Searcher, error) {
 	err := initWin32API()
 	if err != nil {
 		return nil, E.Cause(err, "init win32 api")
@@ -64,8 +63,8 @@ func initWin32API() error {
 	return nil
 }
 
-func (s *windowsSearcher) FindProcessInfo(ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error) {
-	processName, err := findProcessName(network, srcIP, srcPort)
+func (s *windowsSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+	processName, err := findProcessName(network, source.Addr(), int(source.Port()))
 	if err != nil {
 		return nil, err
 	}

common/process/searcher_with_name.go

@@ -1,4 +1,4 @@
-//go:build cgo && linux && !android
+//go:build linux && !android
 
 package process
 
@@ -10,8 +10,8 @@ import (
 	F "github.com/sagernet/sing/common/format"
 )
 
-func FindProcessInfo(searcher Searcher, ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error) {
-	info, err := searcher.FindProcessInfo(ctx, network, srcIP, srcPort)
+func findProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+	info, err := searcher.FindProcessInfo(ctx, network, source, destination)
 	if err != nil {
 		return nil, err
 	}

common/process/searcher_without_name.go

@@ -1,4 +1,4 @@
-//go:build !(cgo && linux && !android)
+//go:build !linux || android
 
 package process
 
@@ -7,6 +7,6 @@ import (
 	"net/netip"
 )
 
-func FindProcessInfo(searcher Searcher, ctx context.Context, network string, srcIP netip.Addr, srcPort int) (*Info, error) {
-	return searcher.FindProcessInfo(ctx, network, srcIP, srcPort)
+func findProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+	return searcher.FindProcessInfo(ctx, network, source, destination)
 }

common/proxyproto/dialer.go

@@ -0,0 +1,50 @@
+package proxyproto
+
+import (
+	"context"
+	"net"
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	"github.com/pires/go-proxyproto"
+)
+
+var _ N.Dialer = (*Dialer)(nil)
+
+type Dialer struct {
+	N.Dialer
+}
+
+func (d *Dialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	switch N.NetworkName(network) {
+	case N.NetworkTCP:
+		conn, err := d.Dialer.DialContext(ctx, network, destination)
+		if err != nil {
+			return nil, err
+		}
+		var source M.Socksaddr
+		metadata := adapter.ContextFrom(ctx)
+		if metadata != nil {
+			source = metadata.Source
+		}
+		if !source.IsValid() {
+			source = M.SocksaddrFromNet(conn.LocalAddr())
+		}
+		if destination.Addr.Is6() {
+			source = M.SocksaddrFrom(netip.AddrFrom16(source.Addr.As16()), source.Port)
+		}
+		h := proxyproto.HeaderProxyFromAddrs(1, source.TCPAddr(), destination.TCPAddr())
+		_, err = h.WriteTo(conn)
+		if err != nil {
+			conn.Close()
+			return nil, E.Cause(err, "write proxy protocol header")
+		}
+		return conn, nil
+	default:
+		return d.Dialer.DialContext(ctx, network, destination)
+	}
+}

common/proxyproto/listener.go

@@ -0,0 +1,44 @@
+package proxyproto
+
+import (
+	std_bufio "bufio"
+	"net"
+
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
+
+	"github.com/pires/go-proxyproto"
+)
+
+type Listener struct {
+	net.Listener
+	AcceptNoHeader bool
+}
+
+func (l *Listener) Accept() (net.Conn, error) {
+	conn, err := l.Listener.Accept()
+	if err != nil {
+		return nil, err
+	}
+	bufReader := std_bufio.NewReader(conn)
+	header, err := proxyproto.Read(bufReader)
+	if err != nil && !(l.AcceptNoHeader && err == proxyproto.ErrNoProxyProtocol) {
+		return nil, err
+	}
+	if bufReader.Buffered() > 0 {
+		cache := buf.NewSize(bufReader.Buffered())
+		_, err = cache.ReadFullFrom(bufReader, cache.FreeLen())
+		if err != nil {
+			return nil, err
+		}
+		conn = bufio.NewCachedConn(conn, cache)
+	}
+	if header != nil {
+		return &bufio.AddrConn{Conn: conn, Metadata: M.Metadata{
+			Source:      M.SocksaddrFromNet(header.SourceAddr).Unwrap(),
+			Destination: M.SocksaddrFromNet(header.DestinationAddr).Unwrap(),
+		}}, nil
+	}
+	return conn, nil
+}

common/redir/redir_darwin.go

@@ -0,0 +1,64 @@
+package redir
+
+import (
+	"net"
+	"net/netip"
+	"syscall"
+	"unsafe"
+
+	M "github.com/sagernet/sing/common/metadata"
+)
+
+const (
+	PF_OUT      = 0x2
+	DIOCNATLOOK = 0xc0544417
+)
+
+func GetOriginalDestination(conn net.Conn) (destination netip.AddrPort, err error) {
+	fd, err := syscall.Open("/dev/pf", 0, syscall.O_RDONLY)
+	if err != nil {
+		return netip.AddrPort{}, err
+	}
+	defer syscall.Close(fd)
+	nl := struct {
+		saddr, daddr, rsaddr, rdaddr       [16]byte
+		sxport, dxport, rsxport, rdxport   [4]byte
+		af, proto, protoVariant, direction uint8
+	}{
+		af:        syscall.AF_INET,
+		proto:     syscall.IPPROTO_TCP,
+		direction: PF_OUT,
+	}
+	la := conn.LocalAddr().(*net.TCPAddr)
+	ra := conn.RemoteAddr().(*net.TCPAddr)
+	raIP, laIP := ra.IP, la.IP
+	raPort, laPort := ra.Port, la.Port
+	switch {
+	case raIP.To4() != nil:
+		copy(nl.saddr[:net.IPv4len], raIP.To4())
+		copy(nl.daddr[:net.IPv4len], laIP.To4())
+		nl.af = syscall.AF_INET
+	default:
+		copy(nl.saddr[:], raIP.To16())
+		copy(nl.daddr[:], laIP.To16())
+		nl.af = syscall.AF_INET6
+	}
+	nl.sxport[0], nl.sxport[1] = byte(raPort>>8), byte(raPort)
+	nl.dxport[0], nl.dxport[1] = byte(laPort>>8), byte(laPort)
+	if _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), DIOCNATLOOK, uintptr(unsafe.Pointer(&nl))); errno != 0 {
+		return netip.AddrPort{}, errno
+	}
+
+	var ip net.IP
+	switch nl.af {
+	case syscall.AF_INET:
+		ip = make(net.IP, net.IPv4len)
+		copy(ip, nl.rdaddr[:net.IPv4len])
+	case syscall.AF_INET6:
+		ip = make(net.IP, net.IPv6len)
+		copy(ip, nl.rdaddr[:])
+	}
+	port := uint16(nl.rdxport[0])<<8 | uint16(nl.rdxport[1])
+	destination = netip.AddrPortFrom(M.AddrFromIP(ip), port)
+	return
+}

common/redir/redir_linux.go

@@ -3,35 +3,35 @@ package redir
 import (
 	"net"
 	"net/netip"
+	"os"
 	"syscall"
 
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/control"
 	M "github.com/sagernet/sing/common/metadata"
 )
 
 func GetOriginalDestination(conn net.Conn) (destination netip.AddrPort, err error) {
-	rawConn, err := conn.(syscall.Conn).SyscallConn()
-	if err != nil {
-		return
+	syscallConn, ok := common.Cast[syscall.Conn](conn)
+	if !ok {
+		return netip.AddrPort{}, os.ErrInvalid
 	}
-	var rawFd uintptr
-	err = rawConn.Control(func(fd uintptr) {
-		rawFd = fd
+	err = control.Conn(syscallConn, func(fd uintptr) error {
+		const SO_ORIGINAL_DST = 80
+		if conn.RemoteAddr().(*net.TCPAddr).IP.To4() != nil {
+			raw, err := syscall.GetsockoptIPv6Mreq(int(fd), syscall.IPPROTO_IP, SO_ORIGINAL_DST)
+			if err != nil {
+				return err
+			}
+			destination = netip.AddrPortFrom(M.AddrFromIP(raw.Multiaddr[4:8]), uint16(raw.Multiaddr[2])<<8+uint16(raw.Multiaddr[3]))
+		} else {
+			raw, err := syscall.GetsockoptIPv6MTUInfo(int(fd), syscall.IPPROTO_IPV6, SO_ORIGINAL_DST)
+			if err != nil {
+				return err
+			}
+			destination = netip.AddrPortFrom(M.AddrFromIP(raw.Addr.Addr[:]), raw.Addr.Port)
+		}
+		return nil
 	})
-	if err != nil {
-		return
-	}
-	const SO_ORIGINAL_DST = 80
-	if conn.RemoteAddr().(*net.TCPAddr).IP.To4() != nil {
-		raw, err := syscall.GetsockoptIPv6Mreq(int(rawFd), syscall.IPPROTO_IP, SO_ORIGINAL_DST)
-		if err != nil {
-			return netip.AddrPort{}, err
-		}
-		return netip.AddrPortFrom(M.AddrFromIP(raw.Multiaddr[4:8]), uint16(raw.Multiaddr[2])<<8+uint16(raw.Multiaddr[3])), nil
-	} else {
-		raw, err := syscall.GetsockoptIPv6MTUInfo(int(rawFd), syscall.IPPROTO_IPV6, SO_ORIGINAL_DST)
-		if err != nil {
-			return netip.AddrPort{}, err
-		}
-		return netip.AddrPortFrom(M.AddrFromIP(raw.Addr.Addr[:]), raw.Addr.Port), nil
-	}
+	return
 }

common/redir/redir_other.go

@@ -1,4 +1,4 @@
-//go:build !linux
+//go:build !linux && !darwin
 
 package redir
 

common/redir/tproxy_linux.go

@@ -2,14 +2,11 @@ package redir
 
 import (
 	"encoding/binary"
-	"net"
 	"net/netip"
-	"os"
-	"strconv"
 	"syscall"
 
+	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 
 	"golang.org/x/sys/unix"
@@ -32,6 +29,18 @@ func TProxy(fd uintptr, isIPv6 bool) error {
 	return err
 }
 
+func TProxyWriteBack() control.Func {
+	return func(network, address string, conn syscall.RawConn) error {
+		return control.Raw(conn, func(fd uintptr) error {
+			if M.ParseSocksaddr(address).Addr.Is6() {
+				return syscall.SetsockoptInt(int(fd), syscall.SOL_IPV6, unix.IPV6_TRANSPARENT, 1)
+			} else {
+				return syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_TRANSPARENT, 1)
+			}
+		})
+	}
+}
+
 func GetOriginalDestinationFromOOB(oob []byte) (netip.AddrPort, error) {
 	controlMessages, err := unix.ParseSocketControlMessage(oob)
 	if err != nil {
@@ -46,79 +55,3 @@ func GetOriginalDestinationFromOOB(oob []byte) (netip.AddrPort, error) {
 	}
 	return netip.AddrPort{}, E.New("not found")
 }
-
-func DialUDP(lAddr *net.UDPAddr, rAddr *net.UDPAddr) (*net.UDPConn, error) {
-	rSockAddr, err := udpAddrToSockAddr(rAddr)
-	if err != nil {
-		return nil, err
-	}
-
-	lSockAddr, err := udpAddrToSockAddr(lAddr)
-	if err != nil {
-		return nil, err
-	}
-
-	fd, err := syscall.Socket(udpAddrFamily(lAddr, rAddr), syscall.SOCK_DGRAM, 0)
-	if err != nil {
-		return nil, err
-	}
-
-	if err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 1); err != nil {
-		syscall.Close(fd)
-		return nil, err
-	}
-
-	if err = syscall.SetsockoptInt(fd, syscall.SOL_IP, syscall.IP_TRANSPARENT, 1); err != nil {
-		syscall.Close(fd)
-		return nil, err
-	}
-
-	if err = syscall.Bind(fd, lSockAddr); err != nil {
-		syscall.Close(fd)
-		return nil, err
-	}
-
-	if err = syscall.Connect(fd, rSockAddr); err != nil {
-		syscall.Close(fd)
-		return nil, err
-	}
-
-	fdFile := os.NewFile(uintptr(fd), F.ToString("net-udp-dial-", rAddr))
-	defer fdFile.Close()
-
-	c, err := net.FileConn(fdFile)
-	if err != nil {
-		syscall.Close(fd)
-		return nil, err
-	}
-
-	return c.(*net.UDPConn), nil
-}
-
-func udpAddrToSockAddr(addr *net.UDPAddr) (syscall.Sockaddr, error) {
-	switch {
-	case addr.IP.To4() != nil:
-		ip := [4]byte{}
-		copy(ip[:], addr.IP.To4())
-
-		return &syscall.SockaddrInet4{Addr: ip, Port: addr.Port}, nil
-
-	default:
-		ip := [16]byte{}
-		copy(ip[:], addr.IP.To16())
-
-		zoneID, err := strconv.ParseUint(addr.Zone, 10, 32)
-		if err != nil {
-			zoneID = 0
-		}
-
-		return &syscall.SockaddrInet6{Addr: ip, Port: addr.Port, ZoneId: uint32(zoneID)}, nil
-	}
-}
-
-func udpAddrFamily(lAddr, rAddr *net.UDPAddr) int {
-	if (lAddr == nil || lAddr.IP.To4() != nil) && (rAddr == nil || lAddr.IP.To4() != nil) {
-		return syscall.AF_INET
-	}
-	return syscall.AF_INET6
-}

common/redir/tproxy_other.go

@@ -3,19 +3,20 @@
 package redir
 
 import (
-	"net"
 	"net/netip"
 	"os"
+
+	"github.com/sagernet/sing/common/control"
 )
 
 func TProxy(fd uintptr, isIPv6 bool) error {
 	return os.ErrInvalid
 }
 
+func TProxyWriteBack() control.Func {
+	return nil
+}
+
 func GetOriginalDestinationFromOOB(oob []byte) (netip.AddrPort, error) {
 	return netip.AddrPort{}, os.ErrInvalid
 }
-
-func DialUDP(lAddr *net.UDPAddr, rAddr *net.UDPAddr) (*net.UDPConn, error) {
-	return nil, os.ErrInvalid
-}

common/settings/command.go

@@ -1,21 +0,0 @@
-package settings
-
-import (
-	"os"
-	"os/exec"
-)
-
-func runCommand(name string, args ...string) error {
-	command := exec.Command(name, args...)
-	command.Env = os.Environ()
-	command.Stdin = os.Stdin
-	command.Stdout = os.Stderr
-	command.Stderr = os.Stderr
-	return command.Run()
-}
-
-func readCommand(name string, args ...string) ([]byte, error) {
-	command := exec.Command(name, args...)
-	command.Env = os.Environ()
-	return command.CombinedOutput()
-}

common/settings/proxy_android.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
 	F "github.com/sagernet/sing/common/format"
 )
 
@@ -25,9 +26,9 @@ func init() {
 
 func runAndroidShell(name string, args ...string) error {
 	if !useRish {
-		return runCommand(name, args...)
+		return common.Exec(name, args...).Attach().Run()
 	} else {
-		return runCommand("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " ")))
+		return common.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	}
 }
 

common/settings/proxy_darwin.go

@@ -1,10 +1,12 @@
 package settings
 
 import (
+	"net/netip"
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/x/list"
@@ -18,8 +20,8 @@ type systemProxy struct {
 	isMixed       bool
 }
 
-func (p *systemProxy) update() error {
-	newInterfaceName := p.monitor.DefaultInterfaceName()
+func (p *systemProxy) update(event int) error {
+	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
 	if p.interfaceName == newInterfaceName {
 		return nil
 	}
@@ -32,13 +34,13 @@ func (p *systemProxy) update() error {
 		return err
 	}
 	if p.isMixed {
-		err = runCommand("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port))
+		err = common.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
-		err = runCommand("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port))
+		err = common.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
-		err = runCommand("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port))
+		err = common.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	return err
 }
@@ -49,19 +51,19 @@ func (p *systemProxy) unset() error {
 		return err
 	}
 	if p.isMixed {
-		err = runCommand("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off")
+		err = common.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
-		err = runCommand("networksetup", "-setwebproxystate", interfaceDisplayName, "off")
+		err = common.Exec("networksetup", "-setwebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
-		err = runCommand("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off")
+		err = common.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	return err
 }
 
 func getInterfaceDisplayName(name string) (string, error) {
-	content, err := readCommand("networksetup", "-listallhardwareports")
+	content, err := common.Exec("networksetup", "-listallhardwareports").Read()
 	if err != nil {
 		return "", err
 	}
@@ -86,7 +88,7 @@ func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() er
 		port:    port,
 		isMixed: isMixed,
 	}
-	err := proxy.update()
+	err := proxy.update(tun.EventInterfaceUpdate)
 	if err != nil {
 		return nil, err
 	}

common/settings/proxy_linux.go

@@ -27,9 +27,9 @@ func init() {
 
 func runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
-		return runCommand(name, args...)
+		return common.Exec(name, args...).Attach().Run()
 	} else if sudoUser != "" {
-		return runCommand("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " ")))
+		return common.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}

common/sniff/dns.go

@@ -11,9 +11,10 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/task"
 
-	"golang.org/x/net/dns/dnsmessage"
+	mDNS "github.com/miekg/dns"
 )
 
 func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
@@ -22,7 +23,7 @@ func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.
 	if err != nil {
 		return nil, err
 	}
-	if length > 512 {
+	if length == 0 {
 		return nil, os.ErrInvalid
 	}
 	_buffer := buf.StackNewSize(int(length))
@@ -44,18 +45,13 @@ func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.
 }
 
 func DomainNameQuery(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
-	var parser dnsmessage.Parser
-	_, err := parser.Start(packet)
+	var msg mDNS.Msg
+	err := msg.Unpack(packet)
 	if err != nil {
 		return nil, err
 	}
-	question, err := parser.Question()
-	if err != nil {
+	if len(msg.Question) == 0 || msg.Question[0].Qclass != mDNS.ClassINET || !M.IsDomainName(msg.Question[0].Name) {
 		return nil, os.ErrInvalid
 	}
-	domain := question.Name.String()
-	if question.Class == dnsmessage.ClassINET && IsDomainName(domain) {
-		return &adapter.InboundContext{Protocol: C.ProtocolDNS /*, Domain: domain*/}, nil
-	}
-	return nil, os.ErrInvalid
+	return &adapter.InboundContext{Protocol: C.ProtocolDNS}, nil
 }

common/sniff/domain.go

@@ -1,6 +0,0 @@
-package sniff
-
-import _ "unsafe" // for linkname
-
-//go:linkname IsDomainName net.isDomainName
-func IsDomainName(domain string) bool

common/tls/acme.go

@@ -0,0 +1,77 @@
+//go:build with_acme
+
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"github.com/caddyserver/certmagic"
+	"github.com/mholt/acmez/acme"
+)
+
+type acmeWrapper struct {
+	ctx    context.Context
+	cfg    *certmagic.Config
+	domain []string
+}
+
+func (w *acmeWrapper) Start() error {
+	return w.cfg.ManageSync(w.ctx, w.domain)
+}
+
+func (w *acmeWrapper) Close() error {
+	w.cfg.Unmanage(w.domain)
+	return nil
+}
+
+func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
+	var acmeServer string
+	switch options.Provider {
+	case "", "letsencrypt":
+		acmeServer = certmagic.LetsEncryptProductionCA
+	case "zerossl":
+		acmeServer = certmagic.ZeroSSLProductionCA
+	default:
+		if !strings.HasPrefix(options.Provider, "https://") {
+			return nil, nil, E.New("unsupported acme provider: " + options.Provider)
+		}
+		acmeServer = options.Provider
+	}
+	var storage certmagic.Storage
+	if options.DataDirectory != "" {
+		storage = &certmagic.FileStorage{
+			Path: options.DataDirectory,
+		}
+	} else {
+		storage = certmagic.Default.Storage
+	}
+	config := &certmagic.Config{
+		DefaultServerName: options.DefaultServerName,
+		Storage:           storage,
+	}
+	acmeConfig := certmagic.ACMEIssuer{
+		CA:                      acmeServer,
+		Email:                   options.Email,
+		Agreed:                  true,
+		DisableHTTPChallenge:    options.DisableHTTPChallenge,
+		DisableTLSALPNChallenge: options.DisableTLSALPNChallenge,
+		AltHTTPPort:             int(options.AlternativeHTTPPort),
+		AltTLSALPNPort:          int(options.AlternativeTLSPort),
+	}
+	if options.ExternalAccount != nil {
+		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
+	}
+	config.Issuers = []certmagic.Issuer{certmagic.NewACMEIssuer(config, acmeConfig)}
+	config = certmagic.New(certmagic.NewCache(certmagic.CacheOptions{
+		GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {
+			return config, nil
+		},
+	}), *config)
+	return config.TLSConfig(), &acmeWrapper{ctx, config, options.Domain}, nil
+}

common/tls/acme_stub.go

@@ -0,0 +1,16 @@
+//go:build !with_acme
+
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
+	return nil, nil, E.New(`ACME is not included in this build, rebuild with -tags with_acme`)
+}

common/tls/client.go

@@ -0,0 +1,63 @@
+package tls
+
+import (
+	"context"
+	"net"
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+func NewDialerFromOptions(router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
+	config, err := NewClient(router, serverAddress, options)
+	if err != nil {
+		return nil, err
+	}
+	return NewDialer(dialer, config), nil
+}
+
+func NewClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	if options.ECH != nil && options.ECH.Enabled {
+		return newECHClient(router, serverAddress, options)
+	} else if options.UTLS != nil && options.UTLS.Enabled {
+		return newUTLSClient(router, serverAddress, options)
+	} else {
+		return newStdClient(serverAddress, options)
+	}
+}
+
+func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
+	tlsConn := config.Client(conn)
+	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
+	defer cancel()
+	err := tlsConn.HandshakeContext(ctx)
+	return tlsConn, err
+}
+
+type Dialer struct {
+	dialer N.Dialer
+	config Config
+}
+
+func NewDialer(dialer N.Dialer, config Config) N.Dialer {
+	return &Dialer{dialer, config}
+}
+
+func (d *Dialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	if network != N.NetworkTCP {
+		return nil, os.ErrInvalid
+	}
+	conn, err := d.dialer.DialContext(ctx, network, destination)
+	if err != nil {
+		return nil, err
+	}
+	return ClientHandshake(ctx, conn, d.config)
+}
+
+func (d *Dialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	return nil, os.ErrInvalid
+}

common/tls/common.go

@@ -0,0 +1,12 @@
+package tls
+
+const (
+	VersionTLS10 = 0x0301
+	VersionTLS11 = 0x0302
+	VersionTLS12 = 0x0303
+	VersionTLS13 = 0x0304
+
+	// Deprecated: SSLv3 is cryptographically broken, and is no longer
+	// supported by this package. See golang.org/issue/32716.
+	VersionSSL30 = 0x0300
+)

common/tls/config.go

@@ -0,0 +1,49 @@
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type (
+	STDConfig = tls.Config
+	STDConn   = tls.Conn
+)
+
+type Config interface {
+	NextProtos() []string
+	SetNextProtos(nextProto []string)
+	Config() (*STDConfig, error)
+	Client(conn net.Conn) Conn
+}
+
+type ServerConfig interface {
+	Config
+	adapter.Service
+	Server(conn net.Conn) Conn
+}
+
+type Conn interface {
+	net.Conn
+	HandshakeContext(ctx context.Context) error
+	ConnectionState() tls.ConnectionState
+}
+
+func ParseTLSVersion(version string) (uint16, error) {
+	switch version {
+	case "1.0":
+		return tls.VersionTLS10, nil
+	case "1.1":
+		return tls.VersionTLS11, nil
+	case "1.2":
+		return tls.VersionTLS12, nil
+	case "1.3":
+		return tls.VersionTLS13, nil
+	default:
+		return 0, E.New("unknown tls version:", version)
+	}
+}

common/tls/ech_client.go

@@ -0,0 +1,207 @@
+//go:build with_ech
+
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"net"
+	"net/netip"
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+	cftls "github.com/sagernet/sing-box/transport/cloudflaretls"
+	"github.com/sagernet/sing-dns"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	mDNS "github.com/miekg/dns"
+)
+
+type echClientConfig struct {
+	config *cftls.Config
+}
+
+func (e *echClientConfig) NextProtos() []string {
+	return e.config.NextProtos
+}
+
+func (e *echClientConfig) SetNextProtos(nextProto []string) {
+	e.config.NextProtos = nextProto
+}
+
+func (e *echClientConfig) Config() (*STDConfig, error) {
+	return nil, E.New("unsupported usage for ECH")
+}
+
+func (e *echClientConfig) Client(conn net.Conn) Conn {
+	return &echConnWrapper{cftls.Client(conn, e.config)}
+}
+
+type echConnWrapper struct {
+	*cftls.Conn
+}
+
+func (c *echConnWrapper) ConnectionState() tls.ConnectionState {
+	state := c.Conn.ConnectionState()
+	return tls.ConnectionState{
+		Version:                     state.Version,
+		HandshakeComplete:           state.HandshakeComplete,
+		DidResume:                   state.DidResume,
+		CipherSuite:                 state.CipherSuite,
+		NegotiatedProtocol:          state.NegotiatedProtocol,
+		NegotiatedProtocolIsMutual:  state.NegotiatedProtocolIsMutual,
+		ServerName:                  state.ServerName,
+		PeerCertificates:            state.PeerCertificates,
+		VerifiedChains:              state.VerifiedChains,
+		SignedCertificateTimestamps: state.SignedCertificateTimestamps,
+		OCSPResponse:                state.OCSPResponse,
+		TLSUnique:                   state.TLSUnique,
+	}
+}
+
+func newECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	var serverName string
+	if options.ServerName != "" {
+		serverName = options.ServerName
+	} else if serverAddress != "" {
+		if _, err := netip.ParseAddr(serverName); err != nil {
+			serverName = serverAddress
+		}
+	}
+	if serverName == "" && !options.Insecure {
+		return nil, E.New("missing server_name or insecure=true")
+	}
+
+	var tlsConfig cftls.Config
+	if options.DisableSNI {
+		tlsConfig.ServerName = "127.0.0.1"
+	} else {
+		tlsConfig.ServerName = serverName
+	}
+	if options.Insecure {
+		tlsConfig.InsecureSkipVerify = options.Insecure
+	} else if options.DisableSNI {
+		tlsConfig.InsecureSkipVerify = true
+		tlsConfig.VerifyConnection = func(state cftls.ConnectionState) error {
+			verifyOptions := x509.VerifyOptions{
+				DNSName:       serverName,
+				Intermediates: x509.NewCertPool(),
+			}
+			for _, cert := range state.PeerCertificates[1:] {
+				verifyOptions.Intermediates.AddCert(cert)
+			}
+			_, err := state.PeerCertificates[0].Verify(verifyOptions)
+			return err
+		}
+	}
+	if len(options.ALPN) > 0 {
+		tlsConfig.NextProtos = options.ALPN
+	}
+	if options.MinVersion != "" {
+		minVersion, err := ParseTLSVersion(options.MinVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse min_version")
+		}
+		tlsConfig.MinVersion = minVersion
+	}
+	if options.MaxVersion != "" {
+		maxVersion, err := ParseTLSVersion(options.MaxVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse max_version")
+		}
+		tlsConfig.MaxVersion = maxVersion
+	}
+	if options.CipherSuites != nil {
+	find:
+		for _, cipherSuite := range options.CipherSuites {
+			for _, tlsCipherSuite := range cftls.CipherSuites() {
+				if cipherSuite == tlsCipherSuite.Name {
+					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
+					continue find
+				}
+			}
+			return nil, E.New("unknown cipher_suite: ", cipherSuite)
+		}
+	}
+	var certificate []byte
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
+	} else if options.CertificatePath != "" {
+		content, err := os.ReadFile(options.CertificatePath)
+		if err != nil {
+			return nil, E.Cause(err, "read certificate")
+		}
+		certificate = content
+	}
+	if len(certificate) > 0 {
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(certificate) {
+			return nil, E.New("failed to parse certificate:\n\n", certificate)
+		}
+		tlsConfig.RootCAs = certPool
+	}
+
+	// ECH Config
+
+	tlsConfig.ECHEnabled = true
+	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
+	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
+	if options.ECH.Config != "" {
+		clientConfigContent, err := base64.StdEncoding.DecodeString(options.ECH.Config)
+		if err != nil {
+			return nil, err
+		}
+		clientConfig, err := cftls.UnmarshalECHConfigs(clientConfigContent)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig.ClientECHConfigs = clientConfig
+	} else {
+		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(router)
+	}
+	return &echClientConfig{&tlsConfig}, nil
+}
+
+func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
+	return func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
+		message := &mDNS.Msg{
+			MsgHdr: mDNS.MsgHdr{
+				RecursionDesired: true,
+			},
+			Question: []mDNS.Question{
+				{
+					Name:   serverName + ".",
+					Qtype:  mDNS.TypeHTTPS,
+					Qclass: mDNS.ClassINET,
+				},
+			},
+		}
+		response, err := router.Exchange(ctx, message)
+		if err != nil {
+			return nil, err
+		}
+		if response.Rcode != mDNS.RcodeSuccess {
+			return nil, dns.RCodeError(response.Rcode)
+		}
+		for _, rr := range response.Answer {
+			switch resource := rr.(type) {
+			case *mDNS.HTTPS:
+				for _, value := range resource.Value {
+					if value.Key().String() == "ech" {
+						echConfig, err := base64.StdEncoding.DecodeString(value.String())
+						if err != nil {
+							return nil, E.Cause(err, "decode ECH config")
+						}
+						return cftls.UnmarshalECHConfigs(echConfig)
+					}
+				}
+			default:
+				return nil, E.New("unknown resource record type: ", resource.Header().Rrtype)
+			}
+		}
+		return nil, E.New("no ECH config found")
+	}
+}

common/tls/ech_stub.go

@@ -0,0 +1,13 @@
+//go:build !with_ech
+
+package tls
+
+import (
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func newECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	return nil, E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
+}

common/tls/mkcert.go

@@ -0,0 +1,50 @@
+package tls
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"time"
+)
+
+func GenerateKeyPair(serverName string) (*tls.Certificate, error) {
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return nil, err
+	}
+	template := &x509.Certificate{
+		SerialNumber:          serialNumber,
+		NotBefore:             time.Now().Add(time.Hour * -1),
+		NotAfter:              time.Now().Add(time.Hour),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		Subject: pkix.Name{
+			CommonName: serverName,
+		},
+		DNSNames: []string{serverName},
+	}
+	publicDer, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
+	if err != nil {
+		return nil, err
+	}
+	privateDer, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return nil, err
+	}
+	publicPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicDer})
+	privPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateDer})
+	keyPair, err := tls.X509KeyPair(publicPem, privPem)
+	if err != nil {
+		return nil, err
+	}
+	return &keyPair, err
+}

common/tls/server.go

@@ -0,0 +1,12 @@
+package tls
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+)
+
+func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+	return newSTDServer(ctx, logger, options)
+}

common/tls/std_client.go

@@ -1,30 +1,21 @@
-package dialer
+package tls
 
 import (
-	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"net"
 	"net/netip"
 	"os"
 
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 )
 
-type TLSDialer struct {
-	dialer N.Dialer
+type stdClientConfig struct {
 	config *tls.Config
 }
 
-func NewTLS(dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
-	if !options.Enabled {
-		return dialer, nil
-	}
-
+func newStdClient(serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -33,7 +24,7 @@ func NewTLS(dialer N.Dialer, serverAddress string, options option.OutboundTLSOpt
 			serverName = serverAddress
 		}
 	}
-	if serverName == "" && options.Insecure {
+	if serverName == "" && !options.Insecure {
 		return nil, E.New("missing server_name or insecure=true")
 	}
 
@@ -63,14 +54,14 @@ func NewTLS(dialer N.Dialer, serverAddress string, options option.OutboundTLSOpt
 		tlsConfig.NextProtos = options.ALPN
 	}
 	if options.MinVersion != "" {
-		minVersion, err := option.ParseTLSVersion(options.MinVersion)
+		minVersion, err := ParseTLSVersion(options.MinVersion)
 		if err != nil {
 			return nil, E.Cause(err, "parse min_version")
 		}
 		tlsConfig.MinVersion = minVersion
 	}
 	if options.MaxVersion != "" {
-		maxVersion, err := option.ParseTLSVersion(options.MaxVersion)
+		maxVersion, err := ParseTLSVersion(options.MaxVersion)
 		if err != nil {
 			return nil, E.Cause(err, "parse max_version")
 		}
@@ -105,27 +96,21 @@ func NewTLS(dialer N.Dialer, serverAddress string, options option.OutboundTLSOpt
 		}
 		tlsConfig.RootCAs = certPool
 	}
-	return &TLSDialer{
-		dialer: dialer,
-		config: &tlsConfig,
-	}, nil
+	return &stdClientConfig{&tlsConfig}, nil
 }
 
-func (d *TLSDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	if network != N.NetworkTCP {
-		return nil, os.ErrInvalid
-	}
-	conn, err := d.dialer.DialContext(ctx, network, destination)
-	if err != nil {
-		return nil, err
-	}
-	tlsConn := tls.Client(conn, d.config)
-	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
-	defer cancel()
-	err = tlsConn.HandshakeContext(ctx)
-	return tlsConn, err
+func (s *stdClientConfig) NextProtos() []string {
+	return s.config.NextProtos
 }
 
-func (d *TLSDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return nil, os.ErrInvalid
+func (s *stdClientConfig) SetNextProtos(nextProto []string) {
+	s.config.NextProtos = nextProto
+}
+
+func (s *stdClientConfig) Config() (*STDConfig, error) {
+	return s.config, nil
+}
+
+func (s *stdClientConfig) Client(conn net.Conn) Conn {
+	return tls.Client(conn, s.config)
 }

common/tls/std_server.go

@@ -0,0 +1,243 @@
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"github.com/fsnotify/fsnotify"
+)
+
+type STDServerConfig struct {
+	config          *tls.Config
+	logger          log.Logger
+	acmeService     adapter.Service
+	certificate     []byte
+	key             []byte
+	certificatePath string
+	keyPath         string
+	watcher         *fsnotify.Watcher
+}
+
+func (c *STDServerConfig) NextProtos() []string {
+	return c.config.NextProtos
+}
+
+func (c *STDServerConfig) SetNextProtos(nextProto []string) {
+	c.config.NextProtos = nextProto
+}
+
+var errInsecureUnused = E.New("tls: insecure unused")
+
+func newSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+	if !options.Enabled {
+		return nil, nil
+	}
+	var tlsConfig *tls.Config
+	var acmeService adapter.Service
+	var err error
+	if options.ACME != nil && len(options.ACME.Domain) > 0 {
+		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
+		if err != nil {
+			return nil, err
+		}
+		if options.Insecure {
+			return nil, errInsecureUnused
+		}
+	} else {
+		tlsConfig = &tls.Config{}
+	}
+	if options.ServerName != "" {
+		tlsConfig.ServerName = options.ServerName
+	}
+	if len(options.ALPN) > 0 {
+		tlsConfig.NextProtos = append(tlsConfig.NextProtos, options.ALPN...)
+	}
+	if options.MinVersion != "" {
+		minVersion, err := ParseTLSVersion(options.MinVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse min_version")
+		}
+		tlsConfig.MinVersion = minVersion
+	}
+	if options.MaxVersion != "" {
+		maxVersion, err := ParseTLSVersion(options.MaxVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse max_version")
+		}
+		tlsConfig.MaxVersion = maxVersion
+	}
+	if options.CipherSuites != nil {
+	find:
+		for _, cipherSuite := range options.CipherSuites {
+			for _, tlsCipherSuite := range tls.CipherSuites() {
+				if cipherSuite == tlsCipherSuite.Name {
+					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
+					continue find
+				}
+			}
+			return nil, E.New("unknown cipher_suite: ", cipherSuite)
+		}
+	}
+	var certificate []byte
+	var key []byte
+	if acmeService == nil {
+		if options.Certificate != "" {
+			certificate = []byte(options.Certificate)
+		} else if options.CertificatePath != "" {
+			content, err := os.ReadFile(options.CertificatePath)
+			if err != nil {
+				return nil, E.Cause(err, "read certificate")
+			}
+			certificate = content
+		}
+		if options.Key != "" {
+			key = []byte(options.Key)
+		} else if options.KeyPath != "" {
+			content, err := os.ReadFile(options.KeyPath)
+			if err != nil {
+				return nil, E.Cause(err, "read key")
+			}
+			key = content
+		}
+		if certificate == nil && key == nil && options.Insecure {
+			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+				return GenerateKeyPair(info.ServerName)
+			}
+		} else {
+			if certificate == nil {
+				return nil, E.New("missing certificate")
+			} else if key == nil {
+				return nil, E.New("missing key")
+			}
+
+			keyPair, err := tls.X509KeyPair(certificate, key)
+			if err != nil {
+				return nil, E.Cause(err, "parse x509 key pair")
+			}
+			tlsConfig.Certificates = []tls.Certificate{keyPair}
+		}
+	}
+	return &STDServerConfig{
+		config:          tlsConfig,
+		logger:          logger,
+		acmeService:     acmeService,
+		certificate:     certificate,
+		key:             key,
+		certificatePath: options.CertificatePath,
+		keyPath:         options.KeyPath,
+	}, nil
+}
+
+func (c *STDServerConfig) Config() (*STDConfig, error) {
+	return c.config, nil
+}
+
+func (c *STDServerConfig) Client(conn net.Conn) Conn {
+	return tls.Client(conn, c.config)
+}
+
+func (c *STDServerConfig) Server(conn net.Conn) Conn {
+	return tls.Server(conn, c.config)
+}
+
+func (c *STDServerConfig) Start() error {
+	if c.acmeService != nil {
+		return c.acmeService.Start()
+	} else {
+		if c.certificatePath == "" && c.keyPath == "" {
+			return nil
+		}
+		err := c.startWatcher()
+		if err != nil {
+			c.logger.Warn("create fsnotify watcher: ", err)
+		}
+		return nil
+	}
+}
+
+func (c *STDServerConfig) startWatcher() error {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return err
+	}
+	if c.certificatePath != "" {
+		err = watcher.Add(c.certificatePath)
+		if err != nil {
+			return err
+		}
+	}
+	if c.keyPath != "" {
+		err = watcher.Add(c.keyPath)
+		if err != nil {
+			return err
+		}
+	}
+	c.watcher = watcher
+	go c.loopUpdate()
+	return nil
+}
+
+func (c *STDServerConfig) loopUpdate() {
+	for {
+		select {
+		case event, ok := <-c.watcher.Events:
+			if !ok {
+				return
+			}
+			if event.Op&fsnotify.Write != fsnotify.Write {
+				continue
+			}
+			err := c.reloadKeyPair()
+			if err != nil {
+				c.logger.Error(E.Cause(err, "reload TLS key pair"))
+			}
+		case err, ok := <-c.watcher.Errors:
+			if !ok {
+				return
+			}
+			c.logger.Error(E.Cause(err, "fsnotify error"))
+		}
+	}
+}
+
+func (c *STDServerConfig) reloadKeyPair() error {
+	if c.certificatePath != "" {
+		certificate, err := os.ReadFile(c.certificatePath)
+		if err != nil {
+			return E.Cause(err, "reload certificate from ", c.certificatePath)
+		}
+		c.certificate = certificate
+	}
+	if c.keyPath != "" {
+		key, err := os.ReadFile(c.keyPath)
+		if err != nil {
+			return E.Cause(err, "reload key from ", c.keyPath)
+		}
+		c.key = key
+	}
+	keyPair, err := tls.X509KeyPair(c.certificate, c.key)
+	if err != nil {
+		return E.Cause(err, "reload key pair")
+	}
+	c.config.Certificates = []tls.Certificate{keyPair}
+	c.logger.Info("reloaded TLS certificate")
+	return nil
+}
+
+func (c *STDServerConfig) Close() error {
+	if c.acmeService != nil {
+		return c.acmeService.Close()
+	}
+	if c.watcher != nil {
+		return c.watcher.Close()
+	}
+	return nil
+}

common/tls/utls_client.go

@@ -0,0 +1,151 @@
+//go:build with_utls
+
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"net"
+	"net/netip"
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	utls "github.com/refraction-networking/utls"
+)
+
+type utlsClientConfig struct {
+	config *utls.Config
+	id     utls.ClientHelloID
+}
+
+func (e *utlsClientConfig) NextProtos() []string {
+	return e.config.NextProtos
+}
+
+func (e *utlsClientConfig) SetNextProtos(nextProto []string) {
+	e.config.NextProtos = nextProto
+}
+
+func (e *utlsClientConfig) Config() (*STDConfig, error) {
+	return nil, E.New("unsupported usage for uTLS")
+}
+
+func (e *utlsClientConfig) Client(conn net.Conn) Conn {
+	return &utlsConnWrapper{utls.UClient(conn, e.config, e.id)}
+}
+
+type utlsConnWrapper struct {
+	*utls.UConn
+}
+
+func (c *utlsConnWrapper) HandshakeContext(ctx context.Context) error {
+	return c.Conn.Handshake()
+}
+
+func (c *utlsConnWrapper) ConnectionState() tls.ConnectionState {
+	state := c.Conn.ConnectionState()
+	return tls.ConnectionState{
+		Version:                     state.Version,
+		HandshakeComplete:           state.HandshakeComplete,
+		DidResume:                   state.DidResume,
+		CipherSuite:                 state.CipherSuite,
+		NegotiatedProtocol:          state.NegotiatedProtocol,
+		NegotiatedProtocolIsMutual:  state.NegotiatedProtocolIsMutual,
+		ServerName:                  state.ServerName,
+		PeerCertificates:            state.PeerCertificates,
+		VerifiedChains:              state.VerifiedChains,
+		SignedCertificateTimestamps: state.SignedCertificateTimestamps,
+		OCSPResponse:                state.OCSPResponse,
+		TLSUnique:                   state.TLSUnique,
+	}
+}
+
+func newUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	var serverName string
+	if options.ServerName != "" {
+		serverName = options.ServerName
+	} else if serverAddress != "" {
+		if _, err := netip.ParseAddr(serverName); err != nil {
+			serverName = serverAddress
+		}
+	}
+	if serverName == "" && !options.Insecure {
+		return nil, E.New("missing server_name or insecure=true")
+	}
+
+	var tlsConfig utls.Config
+	if options.DisableSNI {
+		tlsConfig.ServerName = "127.0.0.1"
+	} else {
+		tlsConfig.ServerName = serverName
+	}
+	if options.Insecure {
+		tlsConfig.InsecureSkipVerify = options.Insecure
+	} else if options.DisableSNI {
+		return nil, E.New("disable_sni is unsupported in uTLS")
+	}
+	if len(options.ALPN) > 0 {
+		tlsConfig.NextProtos = options.ALPN
+	}
+	if options.MinVersion != "" {
+		minVersion, err := ParseTLSVersion(options.MinVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse min_version")
+		}
+		tlsConfig.MinVersion = minVersion
+	}
+	if options.MaxVersion != "" {
+		maxVersion, err := ParseTLSVersion(options.MaxVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse max_version")
+		}
+		tlsConfig.MaxVersion = maxVersion
+	}
+	if options.CipherSuites != nil {
+	find:
+		for _, cipherSuite := range options.CipherSuites {
+			for _, tlsCipherSuite := range tls.CipherSuites() {
+				if cipherSuite == tlsCipherSuite.Name {
+					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
+					continue find
+				}
+			}
+			return nil, E.New("unknown cipher_suite: ", cipherSuite)
+		}
+	}
+	var certificate []byte
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
+	} else if options.CertificatePath != "" {
+		content, err := os.ReadFile(options.CertificatePath)
+		if err != nil {
+			return nil, E.Cause(err, "read certificate")
+		}
+		certificate = content
+	}
+	if len(certificate) > 0 {
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(certificate) {
+			return nil, E.New("failed to parse certificate:\n\n", certificate)
+		}
+		tlsConfig.RootCAs = certPool
+	}
+	var id utls.ClientHelloID
+	switch options.UTLS.Fingerprint {
+	case "chrome", "":
+		id = utls.HelloChrome_Auto
+	case "firefox":
+		id = utls.HelloFirefox_Auto
+	case "ios":
+		id = utls.HelloIOS_Auto
+	case "android":
+		id = utls.HelloAndroid_11_OkHttp
+	case "random":
+		id = utls.HelloRandomized
+	}
+	return &utlsClientConfig{&tlsConfig, id}, nil
+}

common/tls/utls_stub.go

@@ -0,0 +1,13 @@
+//go:build !with_utls
+
+package tls
+
+import (
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func newUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	return nil, E.New(`uTLS is not included in this build, rebuild with -tags with_utls`)
+}

constant/dns.go

@@ -1,11 +0,0 @@
-package constant
-
-type DomainStrategy = uint8
-
-const (
-	DomainStrategyAsIS DomainStrategy = iota
-	DomainStrategyPreferIPv4
-	DomainStrategyPreferIPv6
-	DomainStrategyUseIPv4
-	DomainStrategyUseIPv6
-)

constant/err.go

@@ -0,0 +1,5 @@
+package constant
+
+import E "github.com/sagernet/sing/common/exceptions"
+
+var ErrTLSRequired = E.New("TLS required")

constant/os.go

@@ -20,7 +20,7 @@ const IsIos = goos.IsIos == 1
 
 const IsJs = goos.IsJs == 1
 
-const IsLinux = goos.IsLinux == 1
+const IsLinux = goos.IsLinux == 1 || goos.IsAndroid == 1
 
 const IsNacl = goos.IsNacl == 1
 

constant/path_unix.go

@@ -1,4 +1,4 @@
-//go:build unix
+//go:build unix || linux
 
 package constant
 
@@ -7,9 +7,9 @@ import (
 )
 
 func init() {
-	resourcePaths = append(resourcePaths, "/etc/config")
+	resourcePaths = append(resourcePaths, "/etc")
 	resourcePaths = append(resourcePaths, "/usr/share")
-	resourcePaths = append(resourcePaths, "/usr/local/etc/config")
+	resourcePaths = append(resourcePaths, "/usr/local/etc")
 	resourcePaths = append(resourcePaths, "/usr/local/share")
 	if homeDir := os.Getenv("HOME"); homeDir != "" {
 		resourcePaths = append(resourcePaths, homeDir+"/.local/share")

constant/proxy.go

@@ -1,21 +1,29 @@
 package constant
 
 const (
-	TypeTun         = "tun"
-	TypeRedirect    = "redirect"
-	TypeTProxy      = "tproxy"
-	TypeDirect      = "direct"
-	TypeBlock       = "block"
-	TypeDNS         = "dns"
-	TypeSocks       = "socks"
-	TypeHTTP        = "http"
-	TypeMixed       = "mixed"
-	TypeShadowsocks = "shadowsocks"
-	TypeVMess       = "vmess"
-	TypeTrojan      = "trojan"
-	TypeNaive       = "naive"
+	TypeTun          = "tun"
+	TypeRedirect     = "redirect"
+	TypeTProxy       = "tproxy"
+	TypeDirect       = "direct"
+	TypeBlock        = "block"
+	TypeDNS          = "dns"
+	TypeSocks        = "socks"
+	TypeHTTP         = "http"
+	TypeMixed        = "mixed"
+	TypeShadowsocks  = "shadowsocks"
+	TypeVMess        = "vmess"
+	TypeTrojan       = "trojan"
+	TypeNaive        = "naive"
+	TypeWireGuard    = "wireguard"
+	TypeHysteria     = "hysteria"
+	TypeTor          = "tor"
+	TypeSSH          = "ssh"
+	TypeShadowTLS    = "shadowtls"
+	TypeShadowsocksR = "shadowsocksr"
+	TypeVLESS        = "vless"
 )
 
 const (
 	TypeSelector = "selector"
+	TypeURLTest  = "urltest"
 )

constant/quic.go

@@ -1,5 +0,0 @@
-//go:build with_quic
-
-package constant
-
-const QUIC_AVAILABLE = true

constant/quic_stub.go

@@ -1,5 +0,0 @@
-//go:build !with_quic
-
-package constant
-
-const QUIC_AVAILABLE = false

constant/timeout.go

@@ -3,10 +3,11 @@ package constant
 import "time"
 
 const (
-	TCPTimeout         = 5 * time.Second
-	ReadPayloadTimeout = 300 * time.Millisecond
-	DNSTimeout         = 10 * time.Second
-	QUICTimeout        = 30 * time.Second
-	STUNTimeout        = 15 * time.Second
-	UDPTimeout         = 5 * time.Minute
+	TCPTimeout             = 5 * time.Second
+	ReadPayloadTimeout     = 300 * time.Millisecond
+	DNSTimeout             = 10 * time.Second
+	QUICTimeout            = 30 * time.Second
+	STUNTimeout            = 15 * time.Second
+	UDPTimeout             = 5 * time.Minute
+	DefaultURLTestInterval = 1 * time.Minute
 )

constant/v2ray.go

@@ -0,0 +1,8 @@
+package constant
+
+const (
+	V2RayTransportTypeHTTP      = "http"
+	V2RayTransportTypeWebsocket = "ws"
+	V2RayTransportTypeQUIC      = "quic"
+	V2RayTransportTypeGRPC      = "grpc"
+)

constant/version.go

@@ -1,6 +1,3 @@
 package constant
 
-var (
-	Version   = "nightly"
-	BuildTime = "unknown"
-)
+var Version = "1.1-beta8"

docs/benchmark.md

@@ -1,9 +0,0 @@
-# Benchmark
-
-## Shadowsocks
-
-| /                                  |    none     | aes-128-gcm | 2022-blake3-aes-128-gcm |
-|------------------------------------|:-----------:|:-----------:|:-----------------------:|
-| v2ray-core (5.0.7)                 |  13.0 Gbps  |  5.02 Gbps  |            /            |
-| shadowsocks-rust (v1.15.0-alpha.5) |  10.7 Gbps  |      /      |        9.36 Gbps        |
-| sing-box                           |  29.0 Gbps  |      /      |        11.8 Gbps        |

docs/changelog.md

@@ -1,19 +1,296 @@
-#### 2022/08/12
+#### 1.1-beta8
+
+* Fix leaks on close
+* Improve websocket writer
+* Refine tproxy write back
+* Refine 4in6 processing
+* Fix shadowsocks plugins
+* Fix missing source address from transport connection
+* Fix fqdn socks5 outbound connection
+* Fix read source address from grpc-go
+
+#### 1.0.5
+
+* Fix missing source address from transport connection
+* Fix fqdn socks5 outbound connection
+* Fix read source address from grpc-go
+
+#### 1.1-beta7
+
+* Add v2ray mux and XUDP support for VMess inbound
+* Add XUDP support for VMess outbound
+* Disable DF on direct outbound by default
+* Fix bugs in 1.1-beta6
+
+#### 1.1-beta6
+
+* Add [URLTest outbound](/configuration/outbound/urltest)
+* Fix bugs in 1.1-beta5
+
+#### 1.1-beta5
+
+* Print tags in version command
+* Redirect clash hello to external ui
+* Move shadowsocksr implementation to clash
+* Make gVisor optional **1**
+* Refactor to miekg/dns
+* Refactor bind control
+* Fix build on go1.18
+* Fix clash store-selected
+* Fix close grpc conn
+* Fix port rule match logic
+* Fix clash api proxy type
+
+*1*:
+
+The build tag `no_gvisor` is replaced by `with_gvisor`.
+
+The default tun stack is changed to system.
+
+#### 1.0.4
+
+* Fix close grpc conn
+* Fix port rule match logic
+* Fix clash api proxy type
+
+#### 1.1-beta4
+
+* Add internal simple-obfs and v2ray-plugin [Shadowsocks plugins](/configuration/outbound/shadowsocks#plugin)
+* Add [ShadowsocksR outbound](/configuration/outbound/shadowsocksr)
+* Add [VLESS outbound and XUDP](/configuration/outbound/vless)
+* Skip wait for hysteria tcp handshake response
+* Fix socks4 client
+* Fix hysteria inbound
+* Fix concurrent write
+
+#### 1.0.3
+
+* Fix socks4 client
+* Fix hysteria inbound
+* Fix concurrent write
+
+#### 1.1-beta3
+
+* Fix using custom TLS client in http2 client
+* Fix bugs in 1.1-beta2
+
+#### 1.1-beta2
+
+* Add Clash mode and persistence support **1**
+* Add TLS ECH and uTLS support for outbound TLS options **2**
+* Fix socks4 request
+* Fix processing empty dns result
+
+*1*:
+
+Switching modes using the Clash API, and `store-selected` are now supported,
+see [Experimental](/configuration/experimental).
+
+*2*:
+
+ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
+message, see [TLS#ECH](/configuration/shared/tls#ech).
+
+uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance,
+see [TLS#uTLS](/configuration/shared/tls#utls).
+
+#### 1.0.2
+
+* Fix socks4 request
+* Fix processing empty dns result
+
+#### 1.1-beta1
+
+* Add support for use with android VPNService **1**
+* Add tun support for WireGuard outbound **2**
+* Add system tun stack **3**
+* Add comment filter for config **4**
+* Add option for allow optional proxy protocol header
+* Add half close for smux
+* Set UDP DF by default **5**
+* Set default tun mtu to 9000
+* Update gVisor to 20220905.0
+
+*1*:
+
+In previous versions, Android VPN would not work with tun enabled.
+
+The usage of tun over VPN and VPN over tun is now supported, see [Tun Inbound](/configuration/inbound/tun#auto_route).
+
+*2*:
+
+In previous releases, WireGuard outbound support was backed by the lower performance gVisor virtual interface.
+
+It achieves the same performance as wireguard-go by providing automatic system interface support.
+
+*3*:
+
+It does not depend on gVisor and has better performance in some cases.
+
+It is less compatible and may not be available in some environments.
+
+*4*:
+
+Annotated json configuration files are now supported.
+
+*5*:
+
+UDP fragmentation is now blocked by default.
+
+Including shadowsocks-libev, shadowsocks-rust and quic-go all disable segmentation by default.
+
+See [Dial Fields](/configuration/shared/dial#udp_fragment)
+and [Listen Fields](/configuration/shared/listen#udp_fragment).
+
+#### 1.0.1
+
+* Fix match 4in6 address in ip_cidr
+* Fix clash api log level format error
+* Fix clash api unknown proxy type
+
+#### 1.0
+
+* Fix wireguard reconnect
+* Fix naive inbound
+* Fix json format error message
+* Fix processing vmess termination signal
+* Fix hysteria stream error
+* Fix listener close when proxyproto failed
+
+#### 1.0-rc1
+
+* Fix write log timestamp
+* Fix write zero
+* Fix dial parallel in direct outbound
+* Fix write trojan udp
+* Fix DNS routing
+* Add attribute support for geosite
+* Update documentation for [Dial Fields](/configuration/shared/dial)
+
+#### 1.0-beta3
+
+* Add [chained inbound](/configuration/shared/listen#detour) support
+* Add process_path rule item
+* Add macOS redirect support
+* Add ShadowTLS [Inbound](/configuration/inbound/shadowtls), [Outbound](/configuration/outbound/shadowtls)
+  and [Examples](/examples/shadowtls)
+* Fix search android package in non-owner users
+* Fix socksaddr type condition
+* Fix smux session status
+* Refactor inbound and outbound documentation
+* Minor fixes
+
+#### 1.0-beta2
+
+* Add strict_route option for [Tun inbound](/configuration/inbound/tun#strict_route)
+* Add packetaddr support for [VMess outbound](/configuration/outbound/vmess#packet_addr)
+* Add better performing alternative gRPC implementation
+* Add [docker image](https://github.com/SagerNet/sing-box/pkgs/container/sing-box)
+* Fix sniff override destination
+
+#### 1.0-beta1
+
+* Initial release
+
+##### 2022/08/26
+
+* Fix ipv6 route on linux
+* Fix read DNS message
+
+##### 2022/08/25
+
+* Let vmess use zero instead of auto if TLS enabled
+* Add trojan fallback for ALPN
+* Improve ip_cidr rule
+* Fix format bind_address
+* Fix http proxy with compressed response
+* Fix route connections
+
+##### 2022/08/24
+
+* Fix naive padding
+* Fix unix search path
+* Fix close non-duplex connections
+* Add ACME EAB support
+* Fix early close on windows and catch any
+* Initial zh-CN document translation
+
+##### 2022/08/23
+
+* Add [V2Ray Transport](/configuration/shared/v2ray-transport) support for VMess and Trojan
+* Allow plain http request in Naive inbound (It can now be used with nginx)
+* Add proxy protocol support
+* Free memory after start
+* Parse X-Forward-For in HTTP requests
+* Handle SIGHUP signal
+
+##### 2022/08/22
+
+* Add strategy setting for each [DNS server](/configuration/dns/server)
+* Add bind address to outbound options
+
+##### 2022/08/21
+
+* Add [Tor outbound](/configuration/outbound/tor)
+* Add [SSH outbound](/configuration/outbound/ssh)
+
+##### 2022/08/20
+
+* Attempt to unwrap ip-in-fqdn socksaddr
+* Fix read packages in android 12
+* Fix route on some android devices
+* Improve linux process searcher
+* Fix write socks5 username password auth request
+* Skip bind connection with private destination to interface
+* Add [Trojan connection fallback](/configuration/inbound/trojan#fallback)
+
+##### 2022/08/19
+
+* Add Hysteria [Inbound](/configuration/inbound/hysteria) and [Outbund](/configuration/outbound/hysteria)
+* Add [ACME TLS certificate issuer](/configuration/shared/tls)
+* Allow read config from stdin (-c stdin)
+* Update gVisor to 20220815.0
+
+##### 2022/08/18
+
+* Fix find process with lwip stack
+* Fix crash on shadowsocks server
+* Fix crash on darwin tun
+* Fix write log to file
+
+##### 2022/08/17
+
+* Improve async dns transports
+
+##### 2022/08/16
+
+* Add ip_version (route/dns) rule item
+* Add [WireGuard](/configuration/outbound/wireguard) outbound
+
+##### 2022/08/15
+
+* Add uid, android user and package rules support in [Tun](/configuration/inbound/tun) routing.
+
+##### 2022/08/13
+
+* Fix dns concurrent write
+
+##### 2022/08/12
 
 * Performance improvements
-* Add UoT option for [Socks](/configuration/outbound/socks) outbound
+* Add UoT option for [SOCKS](/configuration/outbound/socks) outbound
 
-#### 2022/08/11
+##### 2022/08/11
 
 * Add UoT option for [Shadowsocks](/configuration/outbound/shadowsocks) outbound, UoT support for all inbounds
 
-#### 2022/08/10
+##### 2022/08/10
 
 * Add full-featured [Naive](/configuration/inbound/naive) inbound
 * Fix default dns server option [#9] by iKirby
 
-#### 2022/08/09
+##### 2022/08/09
 
 No changelog before.
 
-[#9]: https://github.com/SagerNet/sing-box/pull/9
+[#9]: https://github.com/SagerNet/sing-box/pull/9

docs/configuration/dns/index.md

@@ -1,3 +1,5 @@
+# DNS
+
 ### Structure
 
 ```json
@@ -33,6 +35,8 @@ Default domain strategy for resolving the domain names.
 
 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
 
+Take no effect if `server.strategy` is set.
+
 #### disable_cache
 
 Disable dns cache.

docs/configuration/dns/index.zh.md

@@ -0,0 +1,46 @@
+# DNS
+
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [],
+    "rules": [],
+    "final": "",
+    "strategy": "",
+    "disable_cache": false,
+    "disable_expire": false
+  }
+}
+
+```
+
+### 字段
+
+| 键        | 格式                     |
+|----------|------------------------|
+| `server` | 一组 [DNS 服务器](./server) |
+| `rules`  | 一组 [DNS 规则](./rule)    |
+
+#### final
+
+默认 DNS 服务器的标签。
+
+默认使用第一个服务器。
+
+#### strategy
+
+默认解析域名策略。
+
+可选值: `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
+
+如果设置了 `server.strategy`，则不生效。
+
+#### disable_cache
+
+禁用 DNS 缓存。
+
+#### disable_expire
+
+禁用 DNS 缓存过期。

docs/configuration/dns/rule.md

@@ -8,6 +8,7 @@
         "inbound": [
           "mixed-in"
         ],
+        "ip_version": 6,
         "network": "tcp",
         "auth_user": [
           "usera",
@@ -37,7 +38,8 @@
           "private"
         ],
         "source_ip_cidr": [
-          "10.0.0.0/24"
+          "10.0.0.0/24",
+          "192.168.0.1"
         ],
         "source_port": [
           12345
@@ -59,6 +61,9 @@
         "process_name": [
           "curl"
         ],
+        "process_path": [
+          "/usr/bin/curl"
+        ],
         "package_name": [
           "com.termux"
         ],
@@ -68,6 +73,7 @@
         "user_id": [
           1000
         ],
+        "clash_mode": "direct",
         "invert": false,
         "outbound": [
           "direct"
@@ -98,18 +104,26 @@
 
     The default rule uses the following matching logic:  
     (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite`) &&  
+    (`port` || `port_range`) &&  
     (`source_geoip` || `source_ip_cidr`) &&  
-    `other fields`  
+    (`source_port` || `source_port_range`) &&  
+    `other fields`
 
 #### inbound
 
-Tags of [inbound](../inbound).
+Tags of [Inbound](/configuration/inbound).
+
+#### ip_version
+
+4 (A DNS query) or 6 (AAAA DNS query).
+
+Not limited if empty.
 
 #### network
 
 `tcp` or `udp`.
 
-#### user
+#### auth_user
 
 Username, see each inbound for details.
 
@@ -169,6 +183,14 @@ Match port range.
 
 Match process name.
 
+#### process_path
+
+!!! error ""
+
+    Only supported on Linux, Windows, and macOS.
+
+Match process path.
+
 #### package_name
 
 Match android package name.
@@ -189,6 +211,10 @@ Match user name.
 
 Match user id.
 
+#### clash_mode
+
+Match Clash mode.
+
 #### invert
 
 Invert match result.

docs/configuration/dns/rule.zh.md

@@ -0,0 +1,261 @@
+### 结构
+
+```json
+{
+  "dns": {
+    "rules": [
+      {
+        "inbound": [
+          "mixed-in"
+        ],
+        "ip_version": 6,
+        "network": "tcp",
+        "auth_user": [
+          "usera",
+          "userb"
+        ],
+        "protocol": [
+          "tls",
+          "http",
+          "quic"
+        ],
+        "domain": [
+          "test.com"
+        ],
+        "domain_suffix": [
+          ".cn"
+        ],
+        "domain_keyword": [
+          "test"
+        ],
+        "domain_regex": [
+          "^stun\\..+"
+        ],
+        "geosite": [
+          "cn"
+        ],
+        "source_geoip": [
+          "private"
+        ],
+        "source_ip_cidr": [
+          "10.0.0.0/24"
+        ],
+        "source_port": [
+          12345
+        ],
+        "source_port_range": [
+          "1000:2000",
+          ":3000",
+          "4000:"
+        ],
+        "port": [
+          80,
+          443
+        ],
+        "port_range": [
+          "1000:2000",
+          ":3000",
+          "4000:"
+        ],
+        "process_name": [
+          "curl"
+        ],
+        "process_path": [
+          "/usr/bin/curl"
+        ],
+        "package_name": [
+          "com.termux"
+        ],
+        "user": [
+          "sekai"
+        ],
+        "user_id": [
+          1000
+        ],
+        "clash_mode": "direct",
+        "invert": false,
+        "outbound": [
+          "direct"
+        ],
+        "server": "local",
+        "disable_cache": false
+      },
+      {
+        "type": "logical",
+        "mode": "and",
+        "rules": [],
+        "server": "local",
+        "disable_cache": false
+      }
+    ]
+  }
+}
+
+```
+
+!!! note ""
+
+    当内容只有一项时，可以忽略 JSON 数组 [] 标签
+
+### 默认字段
+
+!!! note ""
+
+    默认规则使用以下匹配逻辑:  
+    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite`) &&  
+    (`port` || `port_range`) &&  
+    (`source_geoip` || `source_ip_cidr`) &&  
+    (`source_port` || `source_port_range`) &&  
+    `other fields`
+
+#### inbound
+
+[入站](/zh/configuration/inbound) 标签.
+
+#### ip_version
+
+4 (A DNS 查询) 或 6 (AAAA DNS 查询)。
+
+默认不限制。
+
+#### network
+
+`tcp` 或 `udp`。
+
+#### auth_user
+
+认证用户名，参阅入站设置。
+
+#### protocol
+
+探测到的协议, 参阅 [协议探测](/zh/configuration/route/sniff/)。
+
+#### domain
+
+匹配完整域名。
+
+#### domain_suffix
+
+匹配域名后缀。
+
+#### domain_keyword
+
+匹配域名关键字。
+
+#### domain_regex
+
+匹配域名正则表达式。
+
+#### geosite
+
+匹配 GeoSite。
+
+#### source_geoip
+
+匹配源 GeoIP。
+
+#### source_ip_cidr
+
+匹配源 IP CIDR。
+
+#### source_port
+
+匹配源端口。
+
+#### source_port_range
+
+匹配源端口范围。
+
+#### port
+
+匹配端口。
+
+#### port_range
+
+匹配端口范围。
+
+#### process_name
+
+!!! error ""
+
+    仅支持 Linux、Windows 和 macOS.
+
+匹配进程名称。
+
+#### process_path
+
+!!! error ""
+
+    仅支持 Linux、Windows 和 macOS.
+
+匹配进程路径。
+
+#### package_name
+
+匹配 Android 应用包名。
+
+#### user
+
+!!! error ""
+
+    仅支持 Linux。
+
+匹配用户名。
+
+#### user_id
+
+!!! error ""
+
+    仅支持 Linux。
+
+匹配用户 ID。
+
+#### clash_mode
+
+匹配 Clash 模式。
+
+#### invert
+
+反选匹配结果。
+
+#### outbound
+
+匹配出站。
+
+#### server
+
+==必填==
+
+目标 DNS 服务器的标签。
+
+#### disable_cache
+
+在此查询中禁用缓存。
+
+### 逻辑字段
+
+#### type
+
+`logical`
+
+#### mode
+
+`and` 或 `or`
+
+#### rules
+
+包括的默认规则。
+
+#### invert
+
+反选匹配结果。
+
+#### server
+
+==必填==
+
+目标 DNS 服务器的标签。
+
+#### disable_cache
+
+在此查询中禁用缓存。

docs/configuration/dns/server.md

@@ -9,6 +9,7 @@
         "address": "tls://dns.google",
         "address_resolver": "local",
         "address_strategy": "prefer_ipv4",
+        "strategy": "ipv4_only",
         "detour": "direct"
       }
     ]
@@ -42,11 +43,11 @@ The address of the dns server.
 
 !!! warning ""
 
-    To ensure that system DNS is in effect, rather than go's built-in default resolver, enable CGO at compile time.
+    To ensure that system DNS is in effect, rather than Go's built-in default resolver, enable CGO at compile time.
 
 !!! warning ""
 
-    QUIC and HTTP3 transport is not included by default, see [Installation](/#Installation).
+    QUIC and HTTP3 transport is not included by default, see [Installation](/#installation).
 
 !!! info ""
 
@@ -59,6 +60,7 @@ The address of the dns server.
 | `server_failure`  | `Server failure`      |
 | `name_error`      | `Non-existent domain` |
 | `not_implemented` | `Not implemented`     |
+| `refused`         | `Query refused`       |
 
 #### address_resolver
 
@@ -74,6 +76,14 @@ One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
 
 `dns.strategy` will be used if empty.
 
+#### strategy
+
+Default domain strategy for resolving the domain names.
+
+One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
+
+Take no effect if override by other settings.
+
 #### detour
 
 Tag of an outbound for connecting to the dns server.

docs/configuration/dns/server.zh.md

@@ -0,0 +1,91 @@
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "tag": "google",
+        "address": "tls://dns.google",
+        "address_resolver": "local",
+        "address_strategy": "prefer_ipv4",
+        "strategy": "ipv4_only",
+        "detour": "direct"
+      }
+    ]
+  }
+}
+
+```
+
+### 字段
+
+#### tag
+
+DNS 服务器的标签。
+
+#### address
+
+==必填==
+
+DNS 服务器的地址。
+
+| 协议       | 格式                          |
+|----------|-----------------------------|
+| `System` | `local`                     |
+| `TCP`    | `tcp://1.0.0.1`             |
+| `UDP`    | `8.8.8.8` `udp://8.8.4.4`   |
+| `TLS`    | `tls://dns.google`          |
+| `HTTPS`  | `https://1.1.1.1/dns-query` |
+| `QUIC`   | `quic://dns.adguard.com`    |
+| `HTTP3`  | `h3://8.8.8.8/dns-query`    |
+| `RCode`  | `rcode://refused`           |
+
+!!! warning ""
+
+    为了确保系统 DNS 生效，而不是 Go 的内置默认解析器，请在编译时启用 CGO。
+
+!!! warning ""
+
+    默认安装不包含 QUIC 和 HTTP3 传输层，请参阅 [安装](/zh/#_2)。
+
+!!! info ""
+
+    RCode 传输层传输层常用于屏蔽请求. 与 DNS 规则和 `disable_cache` 规则选项一起使用。
+
+| RCode             | 描述       | 
+|-------------------|----------|
+| `success`         | `无错误`    |
+| `format_error`    | `请求格式错误` |
+| `server_failure`  | `服务器出错`  |
+| `name_error`      | `域名不存在`  |
+| `not_implemented` | `功能未实现`  |
+| `refused`         | `请求被拒绝`  |
+
+#### address_resolver
+
+==如果服务器地址包括域名则必须==
+
+用于解析本 DNS 服务器的域名的另一个 DNS 服务器的标签。
+
+#### address_strategy
+
+用于解析本 DNS 服务器的域名的策略。
+
+可选项：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
+
+默认使用 `dns.strategy`。
+
+#### strategy
+
+默认解析策略。
+
+可选项：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
+
+如果被其他设置覆盖则不生效。
+
+#### detour
+
+用于连接到 DNS 服务器的出站的标签。
+
+如果为空，将使用默认出站。

docs/configuration/experimental.md

@@ -1,39 +0,0 @@
-### Structure
-
-```json
-{
-  "experimental": {
-    "clash_api": {
-      "external_controller": "127.0.0.1:9090",
-      "external_ui": "folder",
-      "secret": ""
-    }
-  }
-}
-```
-
-### Clash API Fields
-
-!!! error ""
-
-    Clash API is not included by default, see [Installation](/#Installation).
-
-!!! note ""
-
-    Traffic statistics and connection management will disable TCP splice in linux and reduce performance, use at your own risk.
-
-#### external_controller
-
-RESTful web API listening address. Disabled if empty.
-
-#### external_ui
-
-A relative path to the configuration directory or an absolute path to a
-directory in which you put some static web resource. Clash core will then
-serve it at `http://{{external-controller}}/ui`.
-
-#### secret
-
-Secret for the RESTful API (optional)
-Authenticate by spedifying HTTP header `Authorization: Bearer ${secret}`
-ALWAYS set a secret if RESTful API is listening on 0.0.0.0

docs/configuration/experimental/index.md

@@ -0,0 +1,62 @@
+# Experimental
+
+### Structure
+
+```json
+{
+  "experimental": {
+    "clash_api": {
+      "external_controller": "127.0.0.1:9090",
+      "external_ui": "folder",
+      "secret": "",
+      "default_mode": "rule",
+      "store_selected": false,
+      "cache_file": "cache.db"
+    }
+  }
+}
+```
+
+### Clash API Fields
+
+!!! error ""
+
+    Clash API is not included by default, see [Installation](/#installation).
+
+!!! note ""
+
+    Traffic statistics and connection management will disable TCP splice in linux and reduce performance, use at your own risk.
+
+#### external_controller
+
+RESTful web API listening address. Clash API will be disabled if empty.
+
+#### external_ui
+
+A relative path to the configuration directory or an absolute path to a
+directory in which you put some static web resource. sing-box will then
+serve it at `http://{{external-controller}}/ui`.
+
+#### secret
+
+Secret for the RESTful API (optional)
+Authenticate by spedifying HTTP header `Authorization: Bearer ${secret}`
+ALWAYS set a secret if RESTful API is listening on 0.0.0.0
+
+#### default_mode
+
+Default mode in clash, `rule` will be used if empty.
+
+This setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.
+
+#### store_selected
+
+!!! note ""
+
+    The tag must be set for target outbounds.
+
+Store selected outbound for the `Selector` outbound in cache file.
+
+#### cache_file
+
+Cache file path, `cache.db` will be used if empty.

docs/configuration/experimental/index.zh.md

@@ -0,0 +1,60 @@
+# 实验性
+
+### 结构
+
+```json
+{
+  "experimental": {
+    "clash_api": {
+      "external_controller": "127.0.0.1:9090",
+      "external_ui": "folder",
+      "secret": "",
+      "default_mode": "rule",
+      "store_selected": false,
+      "cache_file": "cache.db"
+    }
+  }
+}
+```
+
+### Clash API 字段
+
+!!! error ""
+
+    默认安装不包含 Clash API，参阅 [安装](/zh/#_2)。
+
+!!! note ""
+
+    流量统计和连接管理将禁用 Linux 中的 TCP splice 并降低性能，使用风险自负。
+
+#### external_controller
+
+RESTful web API 监听地址。如果为空，则禁用 Clash API。
+
+#### external_ui
+
+到静态网页资源目录的相对路径或绝对路径。sing-box 会在 `http://{{external-controller}}/ui` 下提供它。
+
+#### secret
+
+RESTful API 的密钥（可选）
+通过指定 HTTP 标头 `Authorization: Bearer ${secret}` 进行身份验证
+如果 RESTful API 正在监听 0.0.0.0，请始终设置一个密钥。
+
+#### default_mode
+
+Clash 中的默认模式，默认使用 `rule`。
+
+此设置没有直接影响，但可以通过 `clash_mode` 规则项在路由和 DNS 规则中使用。
+
+#### store_selected
+
+!!! note ""
+
+    必须为目标出站设置标签。
+
+将 `Selector` 中出站的选定的目标出站存储在缓存文件中。
+
+#### cache_file
+
+缓存文件路径，默认使用`cache.db`。

docs/configuration/inbound/direct.md

@@ -4,70 +4,22 @@
 
 ```json
 {
-  "inbounds": [
-    {
-      "type": "direct",
-      "tag": "direct-in",
-      
-      "listen": "::",
-      "listen_port": 5353,
-      "tcp_fast_open": false,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      "udp_timeout": 300,
-      
-      "network": "udp",
-      "override_address": "1.0.0.1",
-      "override_port": 53
-    }
-  ]
+  "type": "direct",
+  "tag": "direct-in",
+  
+  ... // Listen Fields
+
+  "network": "udp",
+  "override_address": "1.0.0.1",
+  "override_port": 53
 }
 ```
 
 ### Listen Fields
 
-#### listen
+See [Listen Fields](/configuration/shared/listen) for details.
 
-==Required==
-
-Listen address.
-
-#### listen_port
-
-==Required==
-
-Listen port.
-
-#### tcp_fast_open
-
-Enable tcp fast open for listener.
-
-#### sniff
-
-Enable sniffing.
-
-See [Sniff](/configuration/route/sniff/) for details.
-
-#### sniff_override_destination
-
-Override the connection destination address with the sniffed domain.
-
-If the domain name is invalid (like tor), this will not work.
-
-#### domain_strategy
-
-One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
-
-If set, the requested domain name will be resolved to IP before routing.
-
-If `sniff_override_destination` is in effect, its value will be taken as a fallback.
-
-#### udp_timeout
-
-UDP NAT expiration time in seconds, default is 300 (5 minutes).
-
-### Direct Fields
+### Fields
 
 #### network
 

docs/configuration/inbound/direct.zh.md

@@ -0,0 +1,37 @@
+`direct` 入站是一个隧道服务器。
+
+### 结构
+
+```json
+{
+  "type": "direct",
+  "tag": "direct-in",
+
+  ... // 监听字段
+
+  "network": "udp",
+  "override_address": "1.0.0.1",
+  "override_port": 53
+}
+```
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/)。
+
+### 字段
+
+#### network
+
+监听的网络协议，`tcp` `udp` 之一。
+
+默认所有。
+
+#### override_address
+
+覆盖连接目标地址。
+
+#### override_port
+
+覆盖连接目标端口。
+

docs/configuration/inbound/http.md

@@ -1,71 +1,38 @@
-`socks` inbound is a http server.
-
 ### Structure
 
 ```json
 {
-  "inbounds": [
+  "type": "http",
+  "tag": "http-in",
+  
+  ... // Listen Fields
+  
+  "users": [
     {
-      "type": "http",
-      "tag": "http-in",
-      
-      "listen": "::",
-      "listen_port": 2080,
-      "tcp_fast_open": false,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-
-      "users": [
-        {
-          "username": "admin",
-          "password": "admin"
-        }
-      ],
-      "tls": {},
-      "set_system_proxy": false
+      "username": "admin",
+      "password": "admin"
     }
-  ]
+  ],
+  "tls": {},
+  "set_system_proxy": false
 }
 ```
 
 ### Listen Fields
 
-#### listen
+See [Listen Fields](/configuration/shared/listen) for details.
 
-==Required==
+### Fields
 
-Listen address.
+#### tls
 
-#### listen_port
+TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 
-==Required==
+#### users
 
-Listen port.
+HTTP users.
 
-#### tcp_fast_open
-
-Enable tcp fast open for listener.
-
-#### sniff
-
-Enable sniffing.
-
-See [Sniff](/configuration/route/sniff/) for details.
-
-#### sniff_override_destination
-
-Override the connection destination address with the sniffed domain.
-
-If the domain name is invalid (like tor), this will not work.
-
-#### domain_strategy
-
-One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
-
-If set, the requested domain name will be resolved to IP before routing.
-
-If `sniff_override_destination` is in effect, its value will be taken as a fallback.
+No authentication required if empty.
 
 #### set_system_proxy
 
@@ -74,15 +41,3 @@ If `sniff_override_destination` is in effect, its value will be taken as a fallb
     Only supported on Linux, Android, Windows, and macOS.
 
 Automatically set system proxy configuration when start and clean up when stop.
-
-### HTTP Fields
-
-#### tls
-
-TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure).
-
-#### users
-
-HTTP users.
-
-No authentication required if empty.

docs/configuration/inbound/http.zh.md

@@ -0,0 +1,43 @@
+### 结构
+
+```json
+{
+  "type": "http",
+  "tag": "http-in",
+
+  ... // 监听字段
+
+  "users": [
+    {
+      "username": "admin",
+      "password": "admin"
+    }
+  ],
+  "tls": {},
+  "set_system_proxy": false
+}
+```
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/)。
+
+### 字段
+
+#### tls
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+
+#### users
+
+HTTP 用户
+
+如果为空则不需要验证。
+
+#### set_system_proxy
+
+!!! error ""
+
+    仅支持 Linux、Android、Windows 和 macOS。
+
+启动时自动设置系统代理，停止时自动清理。

docs/configuration/inbound/hysteria.md

@@ -0,0 +1,100 @@
+### Structure
+
+```json
+{
+  "type": "hysteria",
+  "tag": "hysteria-in",
+  
+  ... // Listen Fields
+
+  "up": "100 Mbps",
+  "up_mbps": 100,
+  "down": "100 Mbps",
+  "down_mbps": 100,
+  "obfs": "fuck me till the daylight",
+  "auth": "",
+  "auth_str": "password",
+  "recv_window_conn": 0,
+  "recv_window_client": 0,
+  "max_conn_client": 0,
+  "disable_mtu_discovery": false,
+  "tls": {}
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by hysteria is not included by default, see [Installation](/#installation).
+
+### Listen Fields
+
+See [Listen Fields](/configuration/shared/listen) for details.
+
+### Fields
+
+#### up, down
+
+==Required==
+
+Format: `[Integer] [Unit]` e.g. `100 Mbps, 640 KBps, 2 Gbps`
+
+Supported units (case sensitive, b = bits, B = bytes, 8b=1B):
+
+    bps (bits per second)
+    Bps (bytes per second)
+    Kbps (kilobits per second)
+    KBps (kilobytes per second)
+    Mbps (megabits per second)
+    MBps (megabytes per second)
+    Gbps (gigabits per second)
+    GBps (gigabytes per second)
+    Tbps (terabits per second)
+    TBps (terabytes per second)
+
+#### up_mbps, down_mbps
+
+==Required==
+
+`up, down` in Mbps.
+
+#### obfs
+
+Obfuscated password.
+
+#### auth
+
+Authentication password, in base64.
+
+#### auth_str
+
+Authentication password.
+
+#### recv_window_conn
+
+The QUIC stream-level flow control window for receiving data.
+
+`15728640 (15 MB/s)` will be used if empty.
+
+#### recv_window_client
+
+The QUIC connection-level flow control window for receiving data.
+
+`67108864 (64 MB/s)` will be used if empty.
+
+#### max_conn_client
+
+The maximum number of QUIC concurrent bidirectional streams that a peer is allowed to open.
+
+`1024` will be used if empty.
+
+#### disable_mtu_discovery
+
+Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
+
+Force enabled on for systems other than Linux and Windows (according to upstream).
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/inbound/hysteria.zh.md

@@ -0,0 +1,100 @@
+### 结构
+
+```json
+{
+  "type": "hysteria",
+  "tag": "hysteria-in",
+  
+  ... // 监听字段
+
+  "up": "100 Mbps",
+  "up_mbps": 100,
+  "down": "100 Mbps",
+  "down_mbps": 100,
+  "obfs": "fuck me till the daylight",
+  "auth": "",
+  "auth_str": "password",
+  "recv_window_conn": 0,
+  "recv_window_client": 0,
+  "max_conn_client": 0,
+  "disable_mtu_discovery": false,
+  "tls": {}
+}
+```
+
+!!! warning ""
+
+    默认安装不包含被 Hysteria 依赖的 QUIC，参阅 [安装](/zh/#_2)。
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/)。
+
+### 字段
+
+#### up, down
+
+==必填==
+
+格式: `[Integer] [Unit]` 例如： `100 Mbps, 640 KBps, 2 Gbps`
+
+支持的单位 (大小写敏感, b = bits, B = bytes, 8b=1B)：
+
+    bps (bits per second)
+    Bps (bytes per second)
+    Kbps (kilobits per second)
+    KBps (kilobytes per second)
+    Mbps (megabits per second)
+    MBps (megabytes per second)
+    Gbps (gigabits per second)
+    GBps (gigabytes per second)
+    Tbps (terabits per second)
+    TBps (terabytes per second)
+
+#### up_mbps, down_mbps
+
+==必填==
+
+以 Mbps 为单位的 `up, down`。
+
+#### obfs
+
+混淆密码。
+
+#### auth
+
+base64 编码的认证密码。
+
+#### auth_str
+
+认证密码。
+
+#### recv_window_conn
+
+用于接收数据的 QUIC 流级流控制窗口。
+
+默认 `15728640 (15 MB/s)`。
+
+#### recv_window_client
+
+用于接收数据的 QUIC 连接级流控制窗口。
+
+默认 `67108864 (64 MB/s)`。
+
+#### max_conn_client
+
+允许对等点打开的 QUIC 并发双向流的最大数量。
+
+默认 `1024`。
+
+#### disable_mtu_discovery
+
+禁用路径 MTU 发现 (RFC 8899)。 数据包的大小最多为 1252 (IPv4) / 1232 (IPv6) 字节。
+
+强制为 Linux 和 Windows 以外的系统启用（根据上游）。
+
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/index.md

@@ -1,3 +1,5 @@
+# Inbound
+
 ### Structure
 
 ```json
@@ -13,19 +15,20 @@
 
 ### Fields
 
-| Type          | Format                       |
-|---------------|------------------------------|
-| `direct`      | [Direct](./direct)           |
-| `mixed`       | [Mixed](./mixed)             |
-| `socks`       | [Socks](./socks)             |
-| `http`        | [HTTP](./http)               |
-| `shadowsocks` | [Shadowsocks](./shadowsocks) |
-| `vmess`       | [VMess](./vmess)             |
-| `trojan`      | [Trojan](./trojan)           |
-| `naive`       | [Naive](./naive)             |
-| `tun`         | [Tun](./tun)                 |
-| `redirect`    | [Redirect](./redirect)       |
-| `tproxy`      | [TProxy](./tproxy)           |
+| Type          | Format                       | Injectable |
+|---------------|------------------------------|------------|
+| `direct`      | [Direct](./direct)           | X          |
+| `mixed`       | [Mixed](./mixed)             | TCP        |
+| `socks`       | [SOCKS](./socks)             | TCP        |
+| `http`        | [HTTP](./http)               | TCP        |
+| `shadowsocks` | [Shadowsocks](./shadowsocks) | TCP        |
+| `vmess`       | [VMess](./vmess)             | TCP        |
+| `trojan`      | [Trojan](./trojan)           | TCP        |
+| `naive`       | [Naive](./naive)             | X          |
+| `hysteria`    | [Hysteria](./hysteria)       | X          |
+| `tun`         | [Tun](./tun)                 | X          |
+| `redirect`    | [Redirect](./redirect)       | X          |
+| `tproxy`      | [TProxy](./tproxy)           | X          |
 
 #### tag
 

docs/configuration/inbound/index.zh.md

@@ -0,0 +1,35 @@
+# 入站
+
+### 结构
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "",
+      "tag": ""
+    }
+  ]
+}
+```
+
+### 字段
+
+| 类型            | 格式                           | 注入支持 |
+|---------------|------------------------------|------|
+| `direct`      | [Direct](./direct)           | X    |
+| `mixed`       | [Mixed](./mixed)             | TCP  |
+| `socks`       | [SOCKS](./socks)             | TCP  |
+| `http`        | [HTTP](./http)               | TCP  |
+| `shadowsocks` | [Shadowsocks](./shadowsocks) | TCP  |
+| `vmess`       | [VMess](./vmess)             | TCP  |
+| `trojan`      | [Trojan](./trojan)           | TCP  |
+| `naive`       | [Naive](./naive)             | X    |
+| `hysteria`    | [Hysteria](./hysteria)       | X    |
+| `tun`         | [Tun](./tun)                 | X    |
+| `redirect`    | [Redirect](./redirect)       | X    |
+| `tproxy`      | [TProxy](./tproxy)           | X    |
+
+#### tag
+
+入站的标签。

docs/configuration/inbound/mixed.md

@@ -4,68 +4,32 @@
 
 ```json
 {
-  "inbounds": [
+  "type": "mixed",
+  "tag": "mixed-in",
+
+  ... // Listen Fields
+
+  "users": [
     {
-      "type": "mixed",
-      "tag": "mixed-in",
-      
-      "listen": "::",
-      "listen_port": 2080,
-      "tcp_fast_open": false,
-      "sniff": false,
-      "sniff_override_destination": false,
-      "domain_strategy": "prefer_ipv6",
-      
-      "users": [
-        {
-          "username": "admin",
-          "password": "admin"
-        }
-      ],
-      
-      "set_system_proxy": false
+      "username": "admin",
+      "password": "admin"
     }
-  ]
+  ],
+  "set_system_proxy": false
 }
 ```
 
 ### Listen Fields
 
-#### listen
+See [Listen Fields](/configuration/shared/listen) for details.
 
-==Required==
+### Fields
 
-Listen address.
+#### users
 
-#### listen_port
+SOCKS and HTTP users.
 
-==Required==
-
-Listen port.
-
-#### tcp_fast_open
-
-Enable tcp fast open for listener.
-
-#### sniff
-
-Enable sniffing.
-
-See [Sniff](/configuration/route/sniff/) for details.
-
-#### sniff_override_destination
-
-Override the connection destination address with the sniffed domain.
-
-If the domain name is invalid (like tor), this will not work.
-
-#### domain_strategy
-
-One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
-
-If set, the requested domain name will be resolved to IP before routing.
-
-If `sniff_override_destination` is in effect, its value will be taken as a fallback.
+No authentication required if empty.
 
 #### set_system_proxy
 
@@ -73,12 +37,4 @@ If `sniff_override_destination` is in effect, its value will be taken as a fallb
 
     Only supported on Linux, Android, Windows, and macOS.
 
-Automatically set system proxy configuration when start and clean up when stop.
-
-### Mixed Fields
-
-#### users
-
-Socks and HTTP users.
-
-No authentication required if empty.
+Automatically set system proxy configuration when start and clean up when stop.

docs/configuration/inbound/mixed.zh.md

@@ -0,0 +1,40 @@
+`mixed` 入站是一个 socks4, socks4a, socks5 和 http 服务器.
+
+### 结构
+
+```json
+{
+  "type": "mixed",
+  "tag": "mixed-in",
+
+  ... // 监听字段
+
+  "users": [
+    {
+      "username": "admin",
+      "password": "admin"
+    }
+  ],
+  "set_system_proxy": false
+}
+```
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/)。
+
+### 字段
+
+#### users
+
+SOCKS 和 HTTP 用户
+
+如果为空则不需要验证。
+
+#### set_system_proxy
+
+!!! error ""
+
+    仅支持 Linux、Android、Windows 和 macOS。
+
+启动时自动设置系统代理，停止时自动清理。