Update documentation

Fix shadowtls in go versiojns below 1.20
Update QUIC v2 version number and initial salt
2026-04-12 01:57:18 +10:00 · 2023-02-19 17:49:05 +08:00 · 2023-02-19 12:02:11 +08:00 · 2023-02-18 23:51:55 +08:00 · 2023-02-18 21:14:17 +08:00 · 2023-02-18 19:33:35 +08:00
175 changed files with 25595 additions and 1064 deletions
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -0,0 +1,28 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "commitMessagePrefix": "[dependencies]",
+  "extends": [
+    "config:base",
+    ":disableRateLimiting"
+  ],
+  "baseBranches": [
+    "dev-next"
+  ],
+  "golang": {
+    "enabled": false
+  },
+  "packageRules": [
+    {
+      "matchManagers": [
+        "github-actions"
+      ],
+      "groupName": "github-actions"
+    },
+    {
+      "matchManagers": [
+        "dockerfile"
+      ],
+      "groupName": "Dockerfile"
+    }
+  ]
+}
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -3,8 +3,7 @@ name: Debug build
 on:
  push:
    branches:
-      - main
-      - dev
+      - main-next
      - dev-next
    paths-ignore:
      - '**.md'
@@ -12,8 +11,7 @@ on:
      - '!.github/workflows/debug.yml'
  pull_request:
    branches:
-      - main
-      - dev
+      - main-next
      - dev-next

 jobs:
@@ -21,24 +19,20 @@ jobs:
    name: Debug build
    runs-on: ubuntu-latest
    steps:
-      - name: Cancel previous
-        uses: styfle/cancel-workflow-action@0.7.0
-        with:
-          access_token: ${{ github.token }}
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Get latest go version
        id: version
        run: |
-          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
+          echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Cache go module
-        uses: actions/cache@v2
+        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
@@ -60,22 +54,21 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
-          go-version: 1.18.7
+          go-version: 1.18.10
      - name: Cache go module
-        uses: actions/cache@v2
+        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
          key: go118-${{ hashFiles('**/go.sum') }}
      - name: Run Test
-        run: |
-          go test -v ./...
+        run: make
  cross:
    strategy:
      matrix:
@@ -192,19 +185,19 @@ jobs:
      TAGS: with_clash_api,with_quic
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Get latest go version
        id: version
        run: |
-          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
+          echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Cache go module
-        uses: actions/cache@v2
+        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
@@ -213,7 +206,7 @@ jobs:
        id: build
        run: make
      - name: Upload artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
        with:
          name: sing-box-${{ matrix.name }}
          path: sing-box*
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,8 +1,5 @@
 name: Build Docker Images
 on:
-  push:
-    tags:
-      - v*
  workflow_dispatch:
    inputs:
      tag:
@@ -12,20 +9,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
      - name: Setup QEMU for Docker Buildx
        uses: docker/setup-qemu-action@v2
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker metadata
        id: metadata
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
        with:
          images: ghcr.io/sagernet/sing-box
      - name: Get tag to build
@@ -38,7 +35,7 @@ jobs:
            echo "versioned=ghcr.io/sagernet/sing-box:${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
          fi
      - name: Build and release Docker images
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v4
        with:
          platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
          target: dist
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -3,45 +3,40 @@ name: Lint
 on:
  push:
    branches:
-      - dev
+      - main-next
+      - dev-next
    paths-ignore:
      - '**.md'
      - '.github/**'
-      - '!.github/workflows/debug.yml'
+      - '!.github/workflows/lint.yml'
  pull_request:
    branches:
-      - dev
+      - main-next
+      - dev-next

 jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
-      - name: Cancel previous
-        uses: styfle/cancel-workflow-action@0.7.0
-        with:
-          access_token: ${{ github.token }}
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Get latest go version
        id: version
        run: |
-          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
+          echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Cache go module
-        uses: actions/cache@v2
+        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
          key: go-${{ hashFiles('**/go.sum') }}
-      - name: Get dependencies
-        run: |
-          go mod download -x
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
--- a/.github/workflows/mkdocs.yml
+++ b/.github/workflows/mkdocs.yml
@@ -10,9 +10,11 @@ jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
        with:
          python-version: 3.x
-      - run: pip install mkdocs-material mkdocs-static-i18n
-      - run: mkdocs gh-deploy -m "{sha}" --force --ignore-version --no-history
+      - run: |
+          pip install mkdocs-material=="9.*" mkdocs-static-i18n=="0.53"
+      - run: |
+          mkdocs gh-deploy -m "{sha}" --force --ignore-version --no-history
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,7 +8,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v5
+      - uses: actions/stale@v7
        with:
          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
          days-before-stale: 60
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,34 +0,0 @@
-name: Test build
-
-on:
-  pull_request:
-    branches:
-      - main
-      - dev
-      - dev-next
-
-jobs:
-  build:
-    name: Debug build
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Get latest go version
-        id: version
-        run: |
-          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
-      - name: Setup Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ steps.version.outputs.go_version }}
-      - name: Cache go module
-        uses: actions/cache@v2
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go-${{ hashFiles('**/go.sum') }}
-      - name: Run Test
-        run: make test
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -3,19 +3,24 @@ linters:
  enable:
    - gofumpt
    - govet
-#    - gci
+    - gci
    - staticcheck
    - paralleltest

 run:
  skip-dirs:
+    - transport/simple-obfs
+    - transport/clashssr
    - transport/cloudflaretls
+    - transport/shadowtls/tls
+    - transport/shadowtls/tls_go119

 linters-settings:
-#  gci:
-#    sections:
-#      - standard
-#      - prefix(github.com/sagernet/)
-#      - default
+  gci:
+    custom-order: true
+    sections:
+      - standard
+      - prefix(github.com/sagernet/)
+      - default
  staticcheck:
-    go: '1.19'
+    go: '1.20'
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,6 +1,7 @@
 project_name: sing-box
 builds:
-  - main: ./cmd/sing-box
+  - id: main
+    main: ./cmd/sing-box
    flags:
      - -v
      - -trimpath
@@ -14,13 +15,11 @@ builds:
      - with_gvisor
      - with_quic
      - with_wireguard
+      - with_utls
      - with_clash_api
    env:
      - CGO_ENABLED=0
    targets:
-      - android_arm64
-      - android_amd64
-      - android_amd64_v3
      - linux_amd64_v1
      - linux_amd64_v3
      - linux_arm64
@@ -34,6 +33,54 @@ builds:
      - darwin_amd64_v3
      - darwin_arm64
    mod_timestamp: '{{ .CommitTimestamp }}'
+  - id: android
+    main: ./cmd/sing-box
+    flags:
+      - -v
+      - -trimpath
+    asmflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    gcflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    ldflags:
+      - -s -w -buildid=
+    tags:
+      - with_gvisor
+      - with_quic
+      - with_wireguard
+      - with_utls
+      - with_clash_api
+    env:
+      - CGO_ENABLED=1
+    overrides:
+      - goos: android
+        goarch: arm
+        goarm: 7
+        env:
+          - CC=armv7a-linux-androideabi19-clang
+          - CXX=armv7a-linux-androideabi19-clang++
+      - goos: android
+        goarch: arm64
+        env:
+          - CC=aarch64-linux-android21-clang
+          - CXX=aarch64-linux-android21-clang++
+      - goos: android
+        goarch: 386
+        env:
+          - CC=i686-linux-android19-clang
+          - CXX=i686-linux-android19-clang++
+      - goos: android
+        goarch: amd64
+        goamd64: v1
+        env:
+          - CC=x86_64-linux-android21-clang
+          - CXX=x86_64-linux-android21-clang++
+    targets:
+      - android_arm_7
+      - android_arm64
+      - android_386
+      - android_amd64
+    mod_timestamp: '{{ .CommitTimestamp }}'
 snapshot:
  name_template: "{{ .Version }}.{{ .ShortCommit }}"
 archives:
@@ -69,6 +116,9 @@ nfpms:
        dst: /etc/systemd/system/sing-box@.service
      - src: LICENSE
        dst: /usr/share/licenses/sing-box/LICENSE
+    scripts:
+      postinstall: release/config/postinstall.sh
+      postremove: release/config/postremove.sh
 source:
  enabled: false
  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
--- a/3
+++ b/3
@@ -1,4 +1,4 @@
-FROM golang:1.19-alpine AS builder
+FROM golang:1.20-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
@@ -14,7 +14,6 @@ RUN set -ex \
        ./cmd/sing-box
 FROM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
-RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
 RUN set -ex \
    && apk upgrade \
    && apk add bash tzdata ca-certificates \
--- a/10
+++ b/10
@@ -1,6 +1,6 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_wireguard,with_clash_api
+TAGS ?= with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_shadowsocksr
 PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-s -w -buildid="
 MAIN = ./cmd/sing-box
@@ -16,11 +16,11 @@ install:
 fmt:
 	@gofumpt -l -w .
 	@gofmt -s -w .
-	@gci write -s "standard,prefix(github.com/sagernet/),default" .
+	@gci write --custom-order -s "standard,prefix(github.com/sagernet/),default" .

 fmt_install:
 	go install -v mvdan.cc/gofumpt@latest
-	go install -v github.com/daixiang0/gci@v0.4.0
+	go install -v github.com/daixiang0/gci@latest

 lint:
 	GOOS=linux golangci-lint run ./...
@@ -42,14 +42,14 @@ proto_install:
 	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest

 snapshot:
-	goreleaser release --rm-dist --snapshot
+	go run ./cmd/internal/build goreleaser release --rm-dist --snapshot || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
 	ghr --delete --draft --prerelease -p 1 nightly dist/release
 	rm -r dist

 release:
-	goreleaser release --rm-dist --skip-publish
+	go run ./cmd/internal/build goreleaser release --rm-dist --skip-publish || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
 	ghr --delete --draft --prerelease -p 3 $(shell git describe --tags) dist/release
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -45,6 +45,6 @@ type V2RayServer interface {
 }

 type V2RayStatsService interface {
-	RoutedConnection(inbound string, outbound string, conn net.Conn) net.Conn
-	RoutedPacketConnection(inbound string, outbound string, conn N.PacketConn) N.PacketConn
+	RoutedConnection(inbound string, outbound string, user string, conn net.Conn) net.Conn
+	RoutedPacketConnection(inbound string, outbound string, user string, conn N.PacketConn) N.PacketConn
 }
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -46,6 +46,10 @@ type InboundContext struct {
 	SourceGeoIPCode      string
 	GeoIPCode            string
 	ProcessInfo          *process.Info
+
+	// dns cache
+
+	QueryType uint16
 }

 type inboundContextKey struct{}
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -47,6 +47,20 @@ type Router interface {
 	SetV2RayServer(server V2RayServer)
 }

+type routerContextKey struct{}
+
+func ContextWithRouter(ctx context.Context, router Router) context.Context {
+	return context.WithValue(ctx, (*routerContextKey)(nil), router)
+}
+
+func RouterFromContext(ctx context.Context) Router {
+	metadata := ctx.Value((*routerContextKey)(nil))
+	if metadata == nil {
+		return nil
+	}
+	return metadata.(Router)
+}
+
 type Rule interface {
 	Service
 	Type() string
--- a/adapter/v2ray.go
+++ b/adapter/v2ray.go
@@ -3,6 +3,10 @@ package adapter
 import (
 	"context"
 	"net"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
 )

 type V2RayServerTransport interface {
@@ -12,6 +16,12 @@ type V2RayServerTransport interface {
 	Close() error
 }

+type V2RayServerTransportHandler interface {
+	N.TCPConnectionHandler
+	E.Handler
+	FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error
+}
+
 type V2RayClientTransport interface {
 	DialContext(ctx context.Context) (net.Conn, error)
 }
--- a/box.go
+++ b/box.go
@@ -97,8 +97,7 @@ func New(ctx context.Context, options option.Options) (*Box, error) {

 	router, err := route.NewRouter(
 		ctx,
-		logFactory.NewLogger("router"),
-		logFactory.NewLogger("dns"),
+		logFactory,
 		common.PtrValueOrDefault(options.Route),
 		common.PtrValueOrDefault(options.DNS),
 		options.Inbounds,
--- a/cmd/internal/build/main.go
+++ b/cmd/internal/build/main.go
@@ -0,0 +1,20 @@
+package main
+
+import (
+	"os"
+	"os/exec"
+
+	"github.com/sagernet/sing-box/log"
+)
+
+func main() {
+	findSDK()
+
+	command := exec.Command(os.Args[1], os.Args[2:]...)
+	command.Stdout = os.Stdout
+	command.Stderr = os.Stderr
+	err := command.Run()
+	if err != nil {
+		log.Fatal(err)
+	}
+}
--- a/cmd/internal/build/sdk.go
+++ b/cmd/internal/build/sdk.go
@@ -0,0 +1,81 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/rw"
+)
+
+var (
+	androidSDKPath string
+	androidNDKPath string
+)
+
+func findSDK() {
+	searchPath := []string{
+		"$ANDROID_HOME",
+		"$HOME/Android/Sdk",
+		"$HOME/.local/lib/android/sdk",
+		"$HOME/Library/Android/sdk",
+	}
+	for _, path := range searchPath {
+		path = os.ExpandEnv(path)
+		if rw.FileExists(path + "/licenses/android-sdk-license") {
+			androidSDKPath = path
+			break
+		}
+	}
+	if androidSDKPath == "" {
+		log.Fatal("android SDK not found")
+	}
+	if !findNDK() {
+		log.Fatal("android NDK not found")
+	}
+
+	os.Setenv("ANDROID_HOME", androidSDKPath)
+	os.Setenv("ANDROID_SDK_HOME", androidSDKPath)
+	os.Setenv("ANDROID_NDK_HOME", androidNDKPath)
+	os.Setenv("NDK", androidNDKPath)
+	os.Setenv("PATH", os.Getenv("PATH")+":"+filepath.Join(androidNDKPath, "toolchains", "llvm", "prebuilt", runtime.GOOS+"-x86_64", "bin"))
+}
+
+func findNDK() bool {
+	if rw.FileExists(androidSDKPath + "/ndk/25.1.8937393") {
+		androidNDKPath = androidSDKPath + "/ndk/25.1.8937393"
+		return true
+	}
+	ndkVersions, err := os.ReadDir(androidSDKPath + "/ndk")
+	if err != nil {
+		return false
+	}
+	versionNames := common.Map(ndkVersions, os.DirEntry.Name)
+	if len(versionNames) == 0 {
+		return false
+	}
+	sort.Slice(versionNames, func(i, j int) bool {
+		iVersions := strings.Split(versionNames[i], ".")
+		jVersions := strings.Split(versionNames[j], ".")
+		for k := 0; k < len(iVersions) && k < len(jVersions); k++ {
+			iVersion, _ := strconv.Atoi(iVersions[k])
+			jVersion, _ := strconv.Atoi(jVersions[k])
+			if iVersion != jVersion {
+				return iVersion > jVersion
+			}
+		}
+		return true
+	})
+	for _, versionName := range versionNames {
+		if rw.FileExists(androidSDKPath + "/ndk/" + versionName) {
+			androidNDKPath = androidSDKPath + "/ndk/" + versionName
+			return true
+		}
+	}
+	return false
+}
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@@ -69,6 +69,20 @@ func create() (*box.Box, context.CancelFunc, error) {
 		cancel()
 		return nil, nil, E.Cause(err, "create service")
 	}
+
+	osSignals := make(chan os.Signal, 1)
+	signal.Notify(osSignals, os.Interrupt, syscall.SIGTERM, syscall.SIGHUP)
+	defer func() {
+		signal.Stop(osSignals)
+		close(osSignals)
+	}()
+
+	go func() {
+		_, loaded := <-osSignals
+		if loaded {
+			cancel()
+		}
+	}()
 	err = instance.Start()
 	if err != nil {
 		cancel()
@@ -80,6 +94,7 @@ func create() (*box.Box, context.CancelFunc, error) {
 func run() error {
 	osSignals := make(chan os.Signal, 1)
 	signal.Notify(osSignals, os.Interrupt, syscall.SIGTERM, syscall.SIGHUP)
+	defer signal.Stop(osSignals)
 	for {
 		instance, cancel, err := create()
 		if err != nil {
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -13,8 +13,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-
-	"github.com/database64128/tfo-go/v2"
+	"github.com/sagernet/tfo-go"
 )

 var warnBindInterfaceOnUnsupportedPlatform = warning.New(
--- a/common/dialer/tfo.go
+++ b/common/dialer/tfo.go
@@ -12,8 +12,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-
-	"github.com/database64128/tfo-go/v2"
+	"github.com/sagernet/tfo-go"
 )

 type slowOpenConn struct {
--- a/common/geoip/reader.go
+++ b/common/geoip/reader.go
@@ -4,7 +4,6 @@ import (
 	"net/netip"

 	E "github.com/sagernet/sing/common/exceptions"
-	N "github.com/sagernet/sing/common/network"

 	"github.com/oschwald/maxminddb-golang"
 )
@@ -31,8 +30,5 @@ func (r *Reader) Lookup(addr netip.Addr) string {
 	if code != "" {
 		return code
 	}
-	if !N.IsPublicAddr(addr) {
-		return "private"
-	}
 	return "unknown"
 }
--- a/common/redir/redir_linux.go
+++ b/common/redir/redir_linux.go
@@ -1,6 +1,7 @@
 package redir

 import (
+	"encoding/binary"
 	"net"
 	"net/netip"
 	"os"
@@ -29,7 +30,9 @@ func GetOriginalDestination(conn net.Conn) (destination netip.AddrPort, err erro
 			if err != nil {
 				return err
 			}
-			destination = netip.AddrPortFrom(M.AddrFromIP(raw.Addr.Addr[:]), raw.Addr.Port)
+			var port [2]byte
+			binary.BigEndian.PutUint16(port[:], raw.Addr.Port)
+			destination = netip.AddrPortFrom(M.AddrFromIP(raw.Addr.Addr[:]), binary.LittleEndian.Uint16(port[:]))
 		}
 		return nil
 	})
--- a/common/settings/proxy_windows.go
+++ b/common/settings/proxy_windows.go
@@ -7,7 +7,7 @@ import (
 )

 func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	err := wininet.SetSystemProxy(F.ToString("http://127.0.0.1:", port), "<local>")
+	err := wininet.SetSystemProxy(F.ToString("http://127.0.0.1:", port), "")
 	if err != nil {
 		return nil, err
 	}
--- a/common/sniff/internal/qtls/qtls.go
+++ b/common/sniff/internal/qtls/qtls.go
@@ -13,13 +13,13 @@ import (
 const (
 	VersionDraft29 = 0xff00001d
 	Version1       = 0x1
-	Version2       = 0x709a50c4
+	Version2       = 0x6b3343cf
 )

 var (
 	SaltOld = []byte{0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c, 0x9e, 0x97, 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0, 0x43, 0x90, 0xa8, 0x99}
 	SaltV1  = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a}
-	SaltV2  = []byte{0xa7, 0x07, 0xc2, 0x03, 0xa5, 0x9b, 0x47, 0x18, 0x4a, 0x1d, 0x62, 0xca, 0x57, 0x04, 0x06, 0xea, 0x7a, 0xe3, 0xe5, 0xd3}
+	SaltV2  = []byte{0x0d, 0xed, 0xe3, 0xde, 0xf7, 0x00, 0xa6, 0xdb, 0x81, 0x93, 0x81, 0xbe, 0x6e, 0x26, 0x9d, 0xcb, 0xf9, 0xbd, 0x2e, 0xd9}
 )

 const (
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -5,6 +5,7 @@ package tls
 import (
 	"context"
 	"crypto/tls"
+	"os"
 	"strings"

 	"github.com/sagernet/sing-box/adapter"
@@ -13,6 +14,8 @@ import (

 	"github.com/caddyserver/certmagic"
 	"github.com/mholt/acmez/acme"
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
 )

 type acmeWrapper struct {
@@ -54,6 +57,11 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 	config := &certmagic.Config{
 		DefaultServerName: options.DefaultServerName,
 		Storage:           storage,
+		Logger: zap.New(zapcore.NewCore(
+			zapcore.NewConsoleEncoder(zap.NewProductionEncoderConfig()),
+			os.Stderr,
+			zap.InfoLevel,
+		)),
 	}
 	acmeConfig := certmagic.ACMEIssuer{
 		CA:                      acmeServer,
@@ -63,8 +71,9 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		DisableTLSALPNChallenge: options.DisableTLSALPNChallenge,
 		AltHTTPPort:             int(options.AlternativeHTTPPort),
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
+		Logger:                  config.Logger,
 	}
-	if options.ExternalAccount != nil {
+	if options.ExternalAccount != nil && options.ExternalAccount.KeyID != "" {
 		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
 	}
 	config.Issuers = []certmagic.Issuer{certmagic.NewACMEIssuer(config, acmeConfig)}
--- a/common/tls/config.go
+++ b/common/tls/config.go
@@ -10,8 +10,9 @@ import (
 )

 type (
-	STDConfig = tls.Config
-	STDConn   = tls.Conn
+	STDConfig       = tls.Config
+	STDConn         = tls.Conn
+	ConnectionState = tls.ConnectionState
 )

 type Config interface {
@@ -33,7 +34,7 @@ type ServerConfig interface {
 type Conn interface {
 	net.Conn
 	HandshakeContext(ctx context.Context) error
-	ConnectionState() tls.ConnectionState
+	ConnectionState() ConnectionState
 }

 func ParseTLSVersion(version string) (uint16, error) {
--- a/constant/dhcp.go
+++ b/constant/dhcp.go
@@ -0,0 +1,8 @@
+package constant
+
+import "time"
+
+const (
+	DHCPTTL     = time.Hour
+	DHCPTimeout = time.Minute
+)
--- a/constant/version.go
+++ b/constant/version.go
@@ -1,3 +1,3 @@
 package constant

-var Version = "1.1-beta15"
+var Version = "1.2-beta3"
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,10 +1,134 @@
+#### 1.2-beta3
+
+* Update QUIC v2 version number and initial salt
+* Fix shadowtls v3 implementation
+
+#### 1.2-beta2
+
+* Add [ShadowTLS protocol v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md)
+* Add fallback support for v2ray transport
+* Fix parse hysteria UDP message
+* Fix socks connect response
+* Disable vmess header protection if transport enabled
+
+#### 1.2-beta1
+
+* Add [DHCP DNS server](/configuration/dns/server) support
+* Add SSH [host key validation](/configuration/outbound/ssh) support
+* Add [query_type](/configuration/dns/rule) DNS rule item
+* Add v2ray [user stats](/configuration/experimental#statsusers) api
+* Add new clash DNS query api
+* Improve vmess request
+* Fix ipv6 redirect on Linux
+* Fix match geoip private
+
+#### 1.1.5
+
+* Add Go 1.20 support
+* Fix inbound default DF value
+* Fix auth_user route for naive inbound
+* Fix gRPC lite header
+* Ignore domain case in route rules
+
+#### 1.1.4
+
+* Fix DNS log
+* Fix write to h2 conn after closed
+* Fix create UDP DNS transport from plain IPv6 address
+
+#### 1.1.2
+
+* Fix http proxy auth
+* Fix user from stream packet conn
+* Fix DNS response TTL
+* Fix override packet conn
+* Skip override system proxy bypass list
+* Improve DNS log
+
+#### 1.1.1
+
+* Fix acme config
+* Fix vmess packet conn
+* Suppress quic-go set DF error
+
+#### 1.1
+
+* Fix close clash cache
+
+Important changes since 1.0:
+
+* Add support for use with android VPNService
+* Add tun support for WireGuard outbound
+* Add system tun stack
+* Add comment filter for config
+* Add option for allow optional proxy protocol header
+* Add Clash mode and persistence support
+* Add TLS ECH and uTLS support for outbound TLS options
+* Add internal simple-obfs and v2ray-plugin
+* Add ShadowsocksR outbound
+* Add VLESS outbound and XUDP
+* Skip wait for hysteria tcp handshake response
+* Add v2ray mux support for all inbound
+* Add XUDP support for VMess 
+* Improve websocket writer
+* Refine tproxy write back
+* Fix DNS leak caused by
+  Windows' ordinary multihomed DNS resolution behavior
+* Add sniff_timeout listen option
+* Add custom route support for tun
+* Add option for custom wireguard reserved bytes
+* Split bind_address into ipv4 and ipv6
+* Add ShadowTLS v1 and v2 support
+
+#### 1.1-rc1
+
+* Fix TLS config for h2 server
+* Fix crash when input bad method in shadowsocks multi-user inbound
+* Fix listen UDP
+* Fix check invalid packet on macOS
+
+#### 1.1-beta18
+
+* Enhance defense against active probe for shadowtls server **1**
+
+**1**:
+
+The `fallback_after` option has been removed.
+
+#### 1.1-beta17
+
+* Fix shadowtls server **1**
+
+*1*:
+
+Added [fallback_after](/configuration/inbound/shadowtls#fallback_after) option.
+
+#### 1.0.7
+
+* Add support for new x/h2 deadline
+* Fix copy pipe
+* Fix decrypt xplus packet
+* Fix macOS Ventura process name match
+* Fix smux keepalive
+* Fix vmess request buffer
+* Fix h2c transport
+* Fix tor geoip
+* Fix udp connect for mux client
+* Fix default dns transport strategy
+
+#### 1.1-beta16
+
+* Improve shadowtls server
+* Fix default dns transport strategy
+* Update uTLS to v1.2.0
+
 #### 1.1-beta15

 * Add support for new x/h2 deadline
 * Fix udp connect for mux client
 * Fix dns buffer
 * Fix quic dns retry
-* Fix create TLS Config
+* Fix create TLS config
 * Fix websocket alpn
 * Fix tor geoip

--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -9,6 +9,11 @@
          "mixed-in"
        ],
        "ip_version": 6,
+        "query_type": [
+          "A",
+          "HTTPS",
+          32768
+        ],
        "network": "tcp",
        "auth_user": [
          "usera",
@@ -119,6 +124,10 @@ Tags of [Inbound](/configuration/inbound).

 Not limited if empty.

+#### query_type
+
+DNS query type. Values can be integers or type name strings.
+
 #### network

 `tcp` or `udp`.
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -9,6 +9,11 @@
          "mixed-in"
        ],
        "ip_version": 6,
+        "query_type": [
+          "A",
+          "HTTPS",
+          32768
+        ],
        "network": "tcp",
        "auth_user": [
          "usera",
@@ -118,6 +123,10 @@

 默认不限制。

+#### query_type
+
+DNS 查询类型。值可以为整数或者类型名称字符串。
+
 #### network

 `tcp` 或 `udp`。
--- a/docs/configuration/dns/server.md
+++ b/docs/configuration/dns/server.md
@@ -30,16 +30,17 @@ The tag of the dns server.

 The address of the dns server.

-| Protocol | Format                      |
-|----------|-----------------------------|
-| `System` | `local`                     |
-| `TCP`    | `tcp://1.0.0.1`             |
-| `UDP`    | `8.8.8.8` `udp://8.8.4.4`   |
-| `TLS`    | `tls://dns.google`          |
-| `HTTPS`  | `https://1.1.1.1/dns-query` |
-| `QUIC`   | `quic://dns.adguard.com`    |
-| `HTTP3`  | `h3://8.8.8.8/dns-query`    |
-| `RCode`  | `rcode://refused`           |
+| Protocol | Format                        |
+|----------|-------------------------------|
+| `System` | `local`                       |
+| `TCP`    | `tcp://1.0.0.1`               |
+| `UDP`    | `8.8.8.8` `udp://8.8.4.4`     |
+| `TLS`    | `tls://dns.google`            |
+| `HTTPS`  | `https://1.1.1.1/dns-query`   |
+| `QUIC`   | `quic://dns.adguard.com`      |
+| `HTTP3`  | `h3://8.8.8.8/dns-query`      |
+| `RCode`  | `rcode://refused`             |
+| `DHCP`   | `dhcp://auto` or `dhcp://en0` |

 !!! warning ""

@@ -53,6 +54,10 @@ The address of the dns server.

    the RCode transport is often used to block queries. Use with rules and the `disable_cache` rule option.

+!!! warning ""
+
+    DHCP transport is not included by default, see [Installation](/#installation).
+
 | RCode             | Description           | 
 |-------------------|-----------------------|
 | `success`         | `No error`            |
--- a/docs/configuration/dns/server.zh.md
+++ b/docs/configuration/dns/server.zh.md
@@ -30,16 +30,17 @@ DNS 服务器的标签。

 DNS 服务器的地址。

-| 协议       | 格式                          |
-|----------|-----------------------------|
-| `System` | `local`                     |
-| `TCP`    | `tcp://1.0.0.1`             |
-| `UDP`    | `8.8.8.8` `udp://8.8.4.4`   |
-| `TLS`    | `tls://dns.google`          |
-| `HTTPS`  | `https://1.1.1.1/dns-query` |
-| `QUIC`   | `quic://dns.adguard.com`    |
-| `HTTP3`  | `h3://8.8.8.8/dns-query`    |
-| `RCode`  | `rcode://refused`           |
+| 协议       | 格式                           |
+|----------|------------------------------|
+| `System` | `local`                      |
+| `TCP`    | `tcp://1.0.0.1`              |
+| `UDP`    | `8.8.8.8` `udp://8.8.4.4`    |
+| `TLS`    | `tls://dns.google`           |
+| `HTTPS`  | `https://1.1.1.1/dns-query`  |
+| `QUIC`   | `quic://dns.adguard.com`     |
+| `HTTP3`  | `h3://8.8.8.8/dns-query`     |
+| `RCode`  | `rcode://refused`            |
+| `DHCP`   | `dhcp://auto` 或 `dhcp://en0` |

 !!! warning ""

@@ -53,6 +54,10 @@ DNS 服务器的地址。

    RCode 传输层传输层常用于屏蔽请求. 与 DNS 规则和 `disable_cache` 规则选项一起使用。

+!!! warning ""
+
+    默认安装不包含 DHCP 传输层，请参阅 [安装](/zh/#_2)。
+
 | RCode             | 描述       | 
 |-------------------|----------|
 | `success`         | `无错误`    |
--- a/docs/configuration/experimental/index.md
+++ b/docs/configuration/experimental/index.md
@@ -9,7 +9,6 @@
      "external_controller": "127.0.0.1:9090",
      "external_ui": "folder",
      "secret": "",
-      "direct_io": false,
      "default_mode": "rule",
      "store_selected": false,
      "cache_file": "cache.db"
@@ -18,13 +17,15 @@
      "listen": "127.0.0.1:8080",
      "stats": {
        "enabled": true,
-        "direct_io": false,
        "inbounds": [
          "socks-in"
        ],
        "outbounds": [
          "proxy",
          "direct"
+        ],
+        "users": [
+          "sekai"
        ]
      }
    }
@@ -58,10 +59,6 @@ Secret for the RESTful API (optional)
 Authenticate by spedifying HTTP header `Authorization: Bearer ${secret}`
 ALWAYS set a secret if RESTful API is listening on 0.0.0.0

-#### direct_io
-
-Allows lossless relays like splice without real-time traffic reporting.
-
 #### default_mode

 Default mode in clash, `rule` will be used if empty.
@@ -98,10 +95,6 @@ Traffic statistics service settings.

 Enable statistics service.

-#### stats.direct_io
-
-Allows lossless relays like splice without real-time traffic reporting.
-
 #### stats.inbounds

 Inbound list to count traffic.
@@ -109,3 +102,7 @@ Inbound list to count traffic.
 #### stats.outbounds

 Outbound list to count traffic.
+
+#### stats.users
+
+User list to count traffic.
--- a/docs/configuration/experimental/index.zh.md
+++ b/docs/configuration/experimental/index.zh.md
@@ -9,7 +9,6 @@
      "external_controller": "127.0.0.1:9090",
      "external_ui": "folder",
      "secret": "",
-      "direct_io": false,
      "default_mode": "rule",
      "store_selected": false,
      "cache_file": "cache.db"
@@ -18,13 +17,15 @@
      "listen": "127.0.0.1:8080",
      "stats": {
        "enabled": true,
-        "direct_io": false,
        "inbounds": [
          "socks-in"
        ],
        "outbounds": [
          "proxy",
          "direct"
+        ],
+        "users": [
+          "sekai"
        ]
      }
    }
@@ -56,10 +57,6 @@ RESTful API 的密钥（可选）
 通过指定 HTTP 标头 `Authorization: Bearer ${secret}` 进行身份验证
 如果 RESTful API 正在监听 0.0.0.0，请始终设置一个密钥。

-#### direct_io
-
-允许像 splice 这样的没有实时流量报告的无损中继。
-
 #### default_mode

 Clash 中的默认模式，默认使用 `rule`。
@@ -96,10 +93,6 @@ gRPC API 监听地址。如果为空，则禁用 V2Ray API。

 启用统计服务。

-#### stats.direct_io
-
-允许像 splice 这样的没有实时流量报告的无损中继。
-
 #### stats.inbounds

 统计流量的入站列表。
@@ -107,3 +100,7 @@ gRPC API 监听地址。如果为空，则禁用 V2Ray API。
 #### stats.outbounds

 统计流量的出站列表。
+
+#### stats.users
+
+统计流量的用户列表。
--- a/docs/configuration/inbound/shadowtls.md
+++ b/docs/configuration/inbound/shadowtls.md
@@ -7,7 +7,7 @@

  ... // Listen Fields

-  "version": 2,
+  "version": 3,
  "password": "fuck me till the daylight",
  "handshake": {
    "server": "google.com",
@@ -32,12 +32,13 @@ ShadowTLS protocol version.
 |---------------|-----------------------------------------------------------------------------------------|
 | `1` (default) | [ShadowTLS v1](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v1) |
 | `2`           | [ShadowTLS v2](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v2) |
+| `3`           | [ShadowTLS v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md) |

 #### password

 Set password.

-Only available in the ShadowTLS v2 protocol.
+Only available in the ShadowTLS v2/v3 protocol.

 #### handshake

--- a/docs/configuration/inbound/shadowtls.zh.md
+++ b/docs/configuration/inbound/shadowtls.zh.md
@@ -7,7 +7,7 @@

  ... // 监听字段

-  "version": 2,
+  "version": 3,
  "password": "fuck me till the daylight",
  "handshake": {
    "server": "google.com",
@@ -32,12 +32,13 @@ ShadowTLS 协议版本。
 |---------------|-----------------------------------------------------------------------------------------|
 | `1` (default) | [ShadowTLS v1](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v1) |
 | `2`           | [ShadowTLS v2](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v2) |
+| `3`           | [ShadowTLS v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md) |

 #### password

 设置密码。

-仅在 ShadowTLS v2 协议中可用。
+仅在 ShadowTLS v2/v3 协议中可用。

 #### handshake

--- a/docs/configuration/outbound/shadowtls.md
+++ b/docs/configuration/outbound/shadowtls.md
@@ -7,7 +7,7 @@
  
  "server": "127.0.0.1",
  "server_port": 1080,
-  "version": 2,
+  "version": 3,
  "password": "fuck me till the daylight",
  "tls": {},

@@ -37,12 +37,13 @@ ShadowTLS protocol version.
 |---------------|-----------------------------------------------------------------------------------------|
 | `1` (default) | [ShadowTLS v1](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v1) |
 | `2`           | [ShadowTLS v2](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v2) |
+| `3`           | [ShadowTLS v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md) |

 #### password

 Set password.

-Only available in the ShadowTLS v2 protocol.
+Only available in the ShadowTLS v2/v3 protocol.

 #### tls

--- a/docs/configuration/outbound/shadowtls.zh.md
+++ b/docs/configuration/outbound/shadowtls.zh.md
@@ -7,7 +7,7 @@
  
  "server": "127.0.0.1",
  "server_port": 1080,
-  "version": 2,
+  "version": 3,
  "password": "fuck me till the daylight",
  "tls": {},

@@ -37,12 +37,13 @@ ShadowTLS 协议版本。
 |---------------|-----------------------------------------------------------------------------------------|
 | `1` (default) | [ShadowTLS v1](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v1) |
 | `2`           | [ShadowTLS v2](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v2) |
+| `3`           | [ShadowTLS v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md) |

 #### password

 设置密码。

-仅在 ShadowTLS v2 协议中可用。
+仅在 ShadowTLS v2/v3 协议中可用。

 #### tls

--- a/docs/configuration/outbound/ssh.md
+++ b/docs/configuration/outbound/ssh.md
@@ -12,6 +12,9 @@
  "private_key": "",
  "private_key_path": "$HOME/.ssh/id_rsa",
  "private_key_passphrase": "",
+  "host_key": [
+    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH..."
+  ],
  "host_key_algorithms": [],
  "client_version": "SSH-2.0-OpenSSH_7.4p1",

@@ -51,6 +54,10 @@ Private key path.

 Private key passphrase.

+#### host_key
+
+Host key. Accept any if empty.
+
 #### host_key_algorithms

 Host key algorithms.
--- a/docs/configuration/outbound/ssh.zh.md
+++ b/docs/configuration/outbound/ssh.zh.md
@@ -12,6 +12,9 @@
  "private_key": "",
  "private_key_path": "$HOME/.ssh/id_rsa",
  "private_key_passphrase": "",
+  "host_key": [
+    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH..."
+  ],
  "host_key_algorithms": [],
  "client_version": "SSH-2.0-OpenSSH_7.4p1",

@@ -51,6 +54,10 @@ SSH 用户, 默认使用 root。

 密钥密码。

+#### host_key
+
+主机密钥，留空接受所有。
+
 #### host_key_algorithms

 主机密钥算法。
--- a/docs/examples/clash-api.md
+++ b/docs/examples/clash-api.md
@@ -0,0 +1,52 @@
+```json
+{
+  "dns": {
+    "rules": [
+      {
+        "domain": [
+          "clash.razord.top",
+          "yacd.haishan.me"
+        ],
+        "server": "local"
+      },
+      {
+        "clash_mode": "direct",
+        "server": "local"
+      }
+    ]
+  },
+  "outbounds": [
+    {
+      "type": "selector",
+      "tag": "default",
+      "outbounds": [
+        "proxy-a",
+        "proxy-b"
+      ]
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "clash_mode": "direct",
+        "outbound": "direct"
+      },
+      {
+        "domain": [
+          "clash.razord.top",
+          "yacd.haishan.me"
+        ],
+        "outbound": "direct"
+      }
+    ],
+    "final": "default"
+  },
+  "experimental": {
+    "clash_api": {
+      "external_controller": "127.0.0.1:9090",
+      "store_selected": true
+    }
+  }
+}
+
+```
--- a/docs/examples/index.md
+++ b/docs/examples/index.md
@@ -3,7 +3,8 @@
 Configuration examples for sing-box.

 * [Linux Server Installation](./linux-server-installation)
-* [Shadowsocks Server](./ss-server)
-* [Shadowsocks Client](./ss-client)
-* [Shadowsocks Tun](./ss-tun)
-* [DNS Hijack](./dns-hijack.md)
+* [Tun](./tun)
+* [DNS Hijack](./dns-hijack.md)
+* [Shadowsocks](./shadowsocks)
+* [ShadowTLS](./shadowtls)
+* [Clash API](./clash-api)
--- a/docs/examples/index.zh.md
+++ b/docs/examples/index.zh.md
@@ -3,7 +3,8 @@
 sing-box 的配置示例。

 * [Linux 服务器安装](./linux-server-installation)
-* [Shadowsocks 服务器](./ss-server)
-* [Shadowsocks 客户端](./ss-client)
-* [Shadowsocks Tun](./ss-tun)
-* [DNS 劫持](./dns-hijack.md)
+* [Tun](./tun)
+* [DNS 劫持](./dns-hijack.md)
+* [Shadowsocks](./shadowsocks)
+* [ShadowTLS](./shadowtls)
+* [Clash API](./clash-api)
--- a/docs/examples/shadowsocks.md
+++ b/docs/examples/shadowsocks.md
@@ -0,0 +1,157 @@
+# Shadowsocks
+
+## Single User
+
+#### Server
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "shadowsocks",
+      "listen": "::",
+      "listen_port": 8080,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg=="
+    }
+  ]
+}
+```
+
+#### Client
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "mixed",
+      "listen": "::",
+      "listen_port": 2080
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "shadowsocks",
+      "server": "127.0.0.1",
+      "server_port": 8080,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg=="
+    }
+  ]
+}
+
+```
+
+## Multiple Users
+
+#### Server
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "shadowsocks",
+      "listen": "::",
+      "listen_port": 8080,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg==",
+      "users": [
+        {
+          "name": "sekai",
+          "password": "BXYxVUXJ9NgF7c7KPLQjkg=="
+        }
+      ]
+    }
+  ]
+}
+```
+
+#### Client
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "mixed",
+      "listen": "::",
+      "listen_port": 2080
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "shadowsocks",
+      "server": "127.0.0.1",
+      "server_port": 8080,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg==:BXYxVUXJ9NgF7c7KPLQjkg=="
+    }
+  ]
+}
+
+```
+
+## Relay
+
+#### Server
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "shadowsocks",
+      "listen": "::",
+      "listen_port": 8080,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg=="
+    }
+  ]
+}
+```
+
+#### Relay
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "shadowsocks",
+      "listen": "::",
+      "listen_port": 8081,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "BXYxVUXJ9NgF7c7KPLQjkg==",
+      "destinations": [
+        {
+          "name": "my_server",
+          "password": "8JCsPssfgS8tiRwiMlhARg==",
+          "server": "127.0.0.1",
+          "server_port": 8080
+        }
+      ]
+    }
+  ]
+}
+```
+
+#### Client
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "mixed",
+      "listen": "::",
+      "listen_port": 2080
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "shadowsocks",
+      "server": "127.0.0.1",
+      "server_port": 8081,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg==:BXYxVUXJ9NgF7c7KPLQjkg=="
+    }
+  ]
+}
+
+```
--- a/docs/examples/shadowtls.md
+++ b/docs/examples/shadowtls.md
@@ -7,6 +7,8 @@
      "type": "shadowtls",
      "listen": "::",
      "listen_port": 4443,
+      "version": 3,
+      "password": "fuck me till the daylight",
      "handshake": {
        "server": "google.com",
        "server_port": 443
@@ -45,6 +47,8 @@
      "tag": "shadowtls-out",
      "server": "127.0.0.1",
      "server_port": 4443,
+      "version": 3,
+      "password": "fuck me till the daylight",
      "tls": {
        "enabled": true,
        "server_name": "google.com"
--- a/docs/examples/ss-client.md
+++ b/docs/examples/ss-client.md
@@ -1,21 +0,0 @@
-```json
-{
-  "inbounds": [
-    {
-      "type": "mixed",
-      "listen": "::",
-      "listen_port": 2080
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "server": "::",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ]
-}
-
-```
--- a/docs/examples/ss-server.md
+++ b/docs/examples/ss-server.md
@@ -1,13 +0,0 @@
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "listen": "::",
-      "listen_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ]
-}
-```
--- a/docs/examples/ss-tun.md
+++ b/docs/examples/ss-tun.md
@@ -10,9 +10,18 @@
        "tag": "local",
        "address": "223.5.5.5",
        "detour": "direct"
+      },
+      {
+        "tag": "block",
+        "address": "rcode://success"
      }
    ],
    "rules": [
+      {
+        "geosite": "category-ads-all",
+        "server": "block",
+        "disable_cache": true
+      },
      {
        "domain": "mydomain.com",
        "geosite": "cn",
@@ -26,6 +35,7 @@
      "type": "tun",
      "inet4_address": "172.19.0.1/30",
      "auto_route": true,
+      "strict_route": false,
      "sniff": true
    }
  ],
@@ -58,13 +68,16 @@
        "outbound": "dns-out"
      },
      {
-        "geosite": "category-ads-all",
-        "outbound": "block"
+        "geosite": "cn",
+        "geoip": [
+          "private",
+          "cn"
+        ],
+        "outbound": "direct"
      },
      {
-        "geosite": "cn",
-        "geoip": "cn",
-        "outbound": "direct"
+        "geosite": "category-ads-all",
+        "outbound": "block"
      }
    ],
    "auto_detect_interface": true
--- a/docs/faq/known-issues.md
+++ b/docs/faq/known-issues.md
@@ -7,11 +7,11 @@ the public internet.

 ##### on Android

-`auto-route` cannot automatically hijack DNS requests when Android's `Private DNS` is enabled.
+`auto-route` cannot automatically hijack DNS requests when Android's `Private DNS` enabled or `strict_route` disabled.

 ##### on Linux

-`auto-route` cannot automatically hijack DNS requests with `systemd-resolved` enabled, you can switch to NetworkManager.
+`auto-route` cannot automatically hijack DNS requests with `systemd-resolved` enabled and `strict_route` disabled.

 #### System proxy

--- a/docs/faq/known-issues.zh.md
+++ b/docs/faq/known-issues.zh.md
@@ -6,11 +6,11 @@

 ##### Android

-`auto-route` 无法自动劫持 DNS 请求如果 `私人 DNS` 开启.
+`auto-route` 无法自动劫持 DNS 请求如果 `私人 DNS` 开启或 `strict_route` 禁用。

 ##### Linux

-`auto-route` 无法自动劫持 DNS 请求如果 `systemd-resolved` 开启, 您可以切换到 NetworkManager.
+`auto-route` 无法自动劫持 DNS 请求如果 `systemd-resolved` 开启且 `strict_route` 禁用。

 #### 系统代理

--- a/docs/index.md
+++ b/docs/index.md
@@ -24,8 +24,9 @@ go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@lat

 | Build Tag                          | Description                                                                                                                                                                                                                                                                                                                     |
 |------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `with_quic`                        | Build with QUIC support, see [QUIC and HTTP3 dns transports](./configuration/dns/server), [Naive inbound](./configuration/inbound/naive), [Hysteria Inbound](./configuration/inbound/hysteria), [Hysteria Outbound](./configuration/outbound/hysteria) and [V2Ray Transport#QUIC](./configuration/shared/v2ray-transport#quic). |
+| `with_quic`                        | Build with QUIC support, see [QUIC and HTTP3 DNS transports](./configuration/dns/server), [Naive inbound](./configuration/inbound/naive), [Hysteria Inbound](./configuration/inbound/hysteria), [Hysteria Outbound](./configuration/outbound/hysteria) and [V2Ray Transport#QUIC](./configuration/shared/v2ray-transport#quic). |
 | `with_grpc`                        | Build with standard gRPC support, see [V2Ray Transport#gRPC](./configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
+| `with_dhcp`                        | Build with DHCP support, see [DHCP DNS transport](./configuration/dns/server).                                                                                                                                                                                                                                                  |
 | `with_wireguard`                   | Build with WireGuard support, see [WireGuard outbound](./configuration/outbound/wireguard).                                                                                                                                                                                                                                     |
 | `with_shadowsocksr`                | Build with ShadowsocksR support, see [ShadowsocksR outbound](./configuration/outbound/shadowsocksr).                                                                                                                                                                                                                            |
 | `with_ech`                         | Build with TLS ECH extension support for TLS outbound, see [TLS](./configuration/shared/tls#ech).                                                                                                                                                                                                                               |
--- a/docs/index.zh.md
+++ b/docs/index.zh.md
@@ -26,6 +26,7 @@ go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@lat
 |------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `with_quic`                  | 启用 QUIC 支持，参阅 [QUIC 和 HTTP3 DNS 传输层](./configuration/dns/server)，[Naive 入站](./configuration/inbound/naive)，[Hysteria 入站](./configuration/inbound/hysteria)，[Hysteria 出站](./configuration/outbound/hysteria) 和 [V2Ray 传输层#QUIC](./configuration/shared/v2ray-transport#quic)。 |
 | `with_grpc`                  | 启用标准 gRPC 支持，参阅 [V2Ray 传输层#gRPC](./configuration/shared/v2ray-transport#grpc)。                                                                                                                                                                                               |
+| `with_dhcp`                  | 启用 DHCP 支持，参阅 [DHCP DNS 传输层](./configuration/dns/server)。                                                                                                                                                                                                                    |
 | `with_wireguard`             | 启用 WireGuard 支持，参阅 [WireGuard 出站](./configuration/outbound/wireguard)。                                                                                                                                                                                                       |
 | `with_shadowsocksr`          | 启用 ShadowsocksR 支持，参阅 [ShadowsocksR 出站](./configuration/outbound/shadowsocksr)。                                                                                                                                                                                              |
 | `with_ech`                   | 启用 TLS ECH 扩展支持，参阅 [TLS](./configuration/shared/tls#ech)。                                                                                                                                                                                                                    |
--- a/experimental/clashapi/cachefile/cache.go
+++ b/experimental/clashapi/cachefile/cache.go
@@ -59,3 +59,7 @@ func (c *CacheFile) StoreSelected(group, selected string) error {
 		return bucket.Put([]byte(group), []byte(selected))
 	})
 }
+
+func (c *CacheFile) Close() error {
+	return c.DB.Close()
+}
--- a/experimental/clashapi/dns.go
+++ b/experimental/clashapi/dns.go
@@ -0,0 +1,82 @@
+package clashapi
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/render"
+	"github.com/miekg/dns"
+)
+
+func dnsRouter(router adapter.Router) http.Handler {
+	r := chi.NewRouter()
+	r.Get("/query", queryDNS(router))
+	return r
+}
+
+func queryDNS(router adapter.Router) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		name := r.URL.Query().Get("name")
+		qTypeStr := r.URL.Query().Get("type")
+		if qTypeStr == "" {
+			qTypeStr = "A"
+		}
+
+		qType, exist := dns.StringToType[qTypeStr]
+		if !exist {
+			render.Status(r, http.StatusBadRequest)
+			render.JSON(w, r, newError("invalid query type"))
+			return
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), C.DNSTimeout)
+		defer cancel()
+
+		msg := dns.Msg{}
+		msg.SetQuestion(dns.Fqdn(name), qType)
+		resp, err := router.Exchange(ctx, &msg)
+		if err != nil {
+			render.Status(r, http.StatusInternalServerError)
+			render.JSON(w, r, newError(err.Error()))
+			return
+		}
+
+		responseData := render.M{
+			"Status":   resp.Rcode,
+			"Question": resp.Question,
+			"Server":   "internal",
+			"TC":       resp.Truncated,
+			"RD":       resp.RecursionDesired,
+			"RA":       resp.RecursionAvailable,
+			"AD":       resp.AuthenticatedData,
+			"CD":       resp.CheckingDisabled,
+		}
+
+		rr2Json := func(rr dns.RR) render.M {
+			header := rr.Header()
+			return render.M{
+				"name": header.Name,
+				"type": header.Rrtype,
+				"TTL":  header.Ttl,
+				"data": rr.String()[len(header.String()):],
+			}
+		}
+
+		if len(resp.Answer) > 0 {
+			responseData["Answer"] = common.Map(resp.Answer, rr2Json)
+		}
+		if len(resp.Ns) > 0 {
+			responseData["Authority"] = common.Map(resp.Ns, rr2Json)
+		}
+		if len(resp.Extra) > 0 {
+			responseData["Additional"] = common.Map(resp.Extra, rr2Json)
+		}
+
+		render.JSON(w, r, responseData)
+	}
+}
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -43,7 +43,6 @@ type Server struct {
 	trafficManager *trafficontrol.Manager
 	urlTestHistory *urltest.HistoryStorage
 	tcpListener    net.Listener
-	directIO       bool
 	mode           string
 	storeSelected  bool
 	cacheFile      adapter.ClashCacheFile
@@ -61,7 +60,6 @@ func NewServer(router adapter.Router, logFactory log.ObservableFactory, options
 		},
 		trafficManager: trafficManager,
 		urlTestHistory: urltest.NewHistoryStorage(),
-		directIO:       options.DirectIO,
 		mode:           strings.ToLower(options.DefaultMode),
 	}
 	if server.mode == "" {
@@ -101,6 +99,7 @@ func NewServer(router adapter.Router, logFactory log.ObservableFactory, options
 		r.Mount("/script", scriptRouter())
 		r.Mount("/profile", profileRouter())
 		r.Mount("/cache", cacheRouter())
+		r.Mount("/dns", dnsRouter(router))
 	})
 	if options.ExternalUI != "" {
 		chiRouter.Group(func(r chi.Router) {
@@ -156,7 +155,7 @@ func (s *Server) HistoryStorage() *urltest.HistoryStorage {
 }

 func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule) (net.Conn, adapter.Tracker) {
-	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, castMetadata(metadata), s.router, matchedRule, s.directIO)
+	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, castMetadata(metadata), s.router, matchedRule)
 	return tracker, tracker
 }

--- a/experimental/clashapi/trafficontrol/tracker.go
+++ b/experimental/clashapi/trafficontrol/tracker.go
@@ -74,7 +74,7 @@ func (tt *tcpTracker) WriterReplaceable() bool {
 	return true
 }

-func NewTCPTracker(conn net.Conn, manager *Manager, metadata Metadata, router adapter.Router, rule adapter.Rule, directIO bool) *tcpTracker {
+func NewTCPTracker(conn net.Conn, manager *Manager, metadata Metadata, router adapter.Router, rule adapter.Rule) *tcpTracker {
 	uuid, _ := uuid.NewV4()

 	var chain []string
@@ -107,7 +107,7 @@ func NewTCPTracker(conn net.Conn, manager *Manager, metadata Metadata, router ad
 		}, func(n int64) {
 			download.Add(n)
 			manager.PushDownloaded(n)
-		}, directIO),
+		}),
 		manager: manager,
 		trackerInfo: &trackerInfo{
 			UUID:          uuid,
--- a/experimental/trackerconn/conn.go
+++ b/experimental/trackerconn/conn.go
@@ -10,11 +10,11 @@ import (
 	"go.uber.org/atomic"
 )

-func New(conn net.Conn, readCounter []*atomic.Int64, writeCounter []*atomic.Int64, direct bool) *Conn {
+func New(conn net.Conn, readCounter []*atomic.Int64, writeCounter []*atomic.Int64) *Conn {
 	return &Conn{bufio.NewExtendedConn(conn), readCounter, writeCounter}
 }

-func NewHook(conn net.Conn, readCounter func(n int64), writeCounter func(n int64), direct bool) *HookConn {
+func NewHook(conn net.Conn, readCounter func(n int64), writeCounter func(n int64)) *HookConn {
 	return &HookConn{bufio.NewExtendedConn(conn), readCounter, writeCounter}
 }

--- a/experimental/v2rayapi/stats.go
+++ b/experimental/v2rayapi/stats.go
@@ -29,9 +29,9 @@ var (

 type StatsService struct {
 	createdAt time.Time
-	directIO  bool
 	inbounds  map[string]bool
 	outbounds map[string]bool
+	users     map[string]bool
 	access    sync.Mutex
 	counters  map[string]*atomic.Int64
 }
@@ -42,27 +42,32 @@ func NewStatsService(options option.V2RayStatsServiceOptions) *StatsService {
 	}
 	inbounds := make(map[string]bool)
 	outbounds := make(map[string]bool)
+	users := make(map[string]bool)
 	for _, inbound := range options.Inbounds {
 		inbounds[inbound] = true
 	}
 	for _, outbound := range options.Outbounds {
 		outbounds[outbound] = true
 	}
+	for _, user := range options.Users {
+		users[user] = true
+	}
 	return &StatsService{
 		createdAt: time.Now(),
-		directIO:  options.DirectIO,
 		inbounds:  inbounds,
 		outbounds: outbounds,
+		users:     users,
 		counters:  make(map[string]*atomic.Int64),
 	}
 }

-func (s *StatsService) RoutedConnection(inbound string, outbound string, conn net.Conn) net.Conn {
+func (s *StatsService) RoutedConnection(inbound string, outbound string, user string, conn net.Conn) net.Conn {
 	var readCounter []*atomic.Int64
 	var writeCounter []*atomic.Int64
 	countInbound := inbound != "" && s.inbounds[inbound]
 	countOutbound := outbound != "" && s.outbounds[outbound]
-	if !countInbound && !countOutbound {
+	countUser := user != "" && s.users[user]
+	if !countInbound && !countOutbound && !countUser {
 		return conn
 	}
 	s.access.Lock()
@@ -74,16 +79,21 @@ func (s *StatsService) RoutedConnection(inbound string, outbound string, conn ne
 		readCounter = append(readCounter, s.loadOrCreateCounter("outbound>>>"+outbound+">>>traffic>>>uplink"))
 		writeCounter = append(writeCounter, s.loadOrCreateCounter("outbound>>>"+outbound+">>>traffic>>>downlink"))
 	}
+	if countUser {
+		readCounter = append(readCounter, s.loadOrCreateCounter("user>>>"+user+">>>traffic>>>uplink"))
+		writeCounter = append(writeCounter, s.loadOrCreateCounter("user>>>"+user+">>>traffic>>>downlink"))
+	}
 	s.access.Unlock()
-	return trackerconn.New(conn, readCounter, writeCounter, s.directIO)
+	return trackerconn.New(conn, readCounter, writeCounter)
 }

-func (s *StatsService) RoutedPacketConnection(inbound string, outbound string, conn N.PacketConn) N.PacketConn {
+func (s *StatsService) RoutedPacketConnection(inbound string, outbound string, user string, conn N.PacketConn) N.PacketConn {
 	var readCounter []*atomic.Int64
 	var writeCounter []*atomic.Int64
 	countInbound := inbound != "" && s.inbounds[inbound]
 	countOutbound := outbound != "" && s.outbounds[outbound]
-	if !countInbound && !countOutbound {
+	countUser := user != "" && s.users[user]
+	if !countInbound && !countOutbound && !countUser {
 		return conn
 	}
 	s.access.Lock()
@@ -95,6 +105,10 @@ func (s *StatsService) RoutedPacketConnection(inbound string, outbound string, c
 		readCounter = append(readCounter, s.loadOrCreateCounter("outbound>>>"+outbound+">>>traffic>>>uplink"))
 		writeCounter = append(writeCounter, s.loadOrCreateCounter("outbound>>>"+outbound+">>>traffic>>>downlink"))
 	}
+	if countUser {
+		readCounter = append(readCounter, s.loadOrCreateCounter("user>>>"+user+">>>traffic>>>uplink"))
+		writeCounter = append(writeCounter, s.loadOrCreateCounter("user>>>"+user+">>>traffic>>>downlink"))
+	}
 	s.access.Unlock()
 	return trackerconn.NewPacket(conn, readCounter, writeCounter)
 }
--- a/go.mod
+++ b/go.mod
@@ -4,43 +4,45 @@ go 1.18

 require (
 	berty.tech/go-libtor v1.0.385
-	github.com/Dreamacro/clash v1.11.12
+	github.com/Dreamacro/clash v1.13.0
 	github.com/caddyserver/certmagic v0.17.2
 	github.com/cretz/bine v0.2.0
-	github.com/database64128/tfo-go/v2 v2.0.2
-	github.com/dustin/go-humanize v1.0.0
+	github.com/dustin/go-humanize v1.0.1
 	github.com/fsnotify/fsnotify v1.6.0
-	github.com/go-chi/chi/v5 v5.0.7
+	github.com/go-chi/chi/v5 v5.0.8
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.2
-	github.com/gofrs/uuid v4.3.1+incompatible
+	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/hashicorp/yamux v0.1.1
+	github.com/insomniacslk/dhcp v0.0.0-20221215072855-de60144f33f8
 	github.com/logrusorgru/aurora v2.0.3+incompatible
-	github.com/mholt/acmez v1.0.4
+	github.com/mholt/acmez v1.1.0
 	github.com/miekg/dns v1.1.50
 	github.com/oschwald/maxminddb-golang v1.10.0
 	github.com/pires/go-proxyproto v0.6.2
-	github.com/refraction-networking/utls v1.1.5
+	github.com/refraction-networking/utls v1.2.2
 	github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0
-	github.com/sagernet/quic-go v0.0.0-20221108053023-645bcc4f9b15
-	github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4
-	github.com/sagernet/sing-dns v0.0.0-20221113031420-c6aaf2ea4b10
-	github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6
-	github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f
-	github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0
+	github.com/sagernet/quic-go v0.0.0-20230202071646-a8c8afb18b32
+	github.com/sagernet/sing v0.1.7-0.20230209132010-5f1ef3441c13
+	github.com/sagernet/sing-dns v0.1.2-0.20230209132355-3c2e2957b455
+	github.com/sagernet/sing-shadowsocks v0.1.1-0.20230202035033-e3123545f2f7
+	github.com/sagernet/sing-tun v0.1.1
+	github.com/sagernet/sing-vmess v0.1.1-0.20230212211128-cb4e47dd0acb
 	github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195
+	github.com/sagernet/tfo-go v0.0.0-20230207095944-549363a7327d
 	github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e
-	github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c
+	github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c
 	github.com/spf13/cobra v1.6.1
 	github.com/stretchr/testify v1.8.1
-	go.etcd.io/bbolt v1.3.6
+	go.etcd.io/bbolt v1.3.7
 	go.uber.org/atomic v1.10.0
-	go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab
-	golang.org/x/crypto v0.2.0
-	golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f
-	golang.org/x/net v0.2.0
-	golang.org/x/sys v0.2.0
-	google.golang.org/grpc v1.50.1
+	go.uber.org/zap v1.24.0
+	go4.org/netipx v0.0.0-20230125063823-8449b0a6169f
+	golang.org/x/crypto v0.6.0
+	golang.org/x/exp v0.0.0-20230213192124-5e25df0256eb
+	golang.org/x/net v0.7.0
+	golang.org/x/sys v0.5.0
+	google.golang.org/grpc v1.53.0
 	google.golang.org/protobuf v1.28.1
 	gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c
 )
@@ -52,28 +54,35 @@ require (
 	github.com/andybalholm/brotli v1.0.4 // indirect
 	github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
+	github.com/golang/mock v1.6.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/btree v1.0.1 // indirect
+	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
-	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/josharian/native v1.1.0 // indirect
+	github.com/klauspost/compress v1.15.15 // indirect
 	github.com/klauspost/cpuid/v2 v2.1.1 // indirect
 	github.com/libdns/libdns v0.2.1 // indirect
-	github.com/marten-seemann/qpack v0.3.0 // indirect
-	github.com/marten-seemann/qtls-go1-18 v0.1.3 // indirect
-	github.com/marten-seemann/qtls-go1-19 v0.1.1 // indirect
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/onsi/ginkgo/v2 v2.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e // indirect
+	github.com/quic-go/qpack v0.4.0 // indirect
+	github.com/quic-go/qtls-go1-18 v0.2.0 // indirect
+	github.com/quic-go/qtls-go1-19 v0.2.0 // indirect
+	github.com/quic-go/qtls-go1-20 v0.1.0 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/u-root/uio v0.0.0-20221213070652-c3537552635f // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	go.uber.org/zap v1.23.0 // indirect
 	golang.org/x/mod v0.6.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 	golang.org/x/tools v0.2.0 // indirect
-	google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f // indirect
+	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.1.7 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,68 +1,43 @@
 berty.tech/go-libtor v1.0.385 h1:RWK94C3hZj6Z2GdvePpHJLnWYobFr3bY/OdUJ5aoEXw=
 berty.tech/go-libtor v1.0.385/go.mod h1:9swOOQVb+kmvuAlsgWUK/4c52pm69AdbJsxLzk+fJEw=
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/Dreamacro/clash v1.11.12 h1:zJ+FUWPHWxhfNl5MK64oezFAPPyGth+SDhjuWEJ/jwM=
-github.com/Dreamacro/clash v1.11.12/go.mod h1:WiRGFHBrOUYP89GXJ9k4KCyZq5i485LWzc4FPsEPlMI=
+github.com/Dreamacro/clash v1.13.0 h1:gF0E0TluE1LCmuhhg0/bjqABYDmSnXkUjXjRhZxyrm8=
+github.com/Dreamacro/clash v1.13.0/go.mod h1:hf0RkWPsQ0e8oS8WVJBIRocY/1ILYzQQg9zeMwd8LsM=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
 github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
-github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
-github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/caddyserver/certmagic v0.17.2 h1:o30seC1T/dBqBCNNGNHWwj2i5/I/FMjBbTAhjADP3nE=
 github.com/caddyserver/certmagic v0.17.2/go.mod h1:ouWUuC490GOLJzkyN35eXfV8bSbwMwSf4bdhkIxtdQE=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c h1:K1VdSnBZiGapczwcUKnE1qcsMBclA84DUOD2NG/78VY=
 github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cretz/bine v0.1.0/go.mod h1:6PF6fWAvYtwjRGkAuDEJeWNOv3a2hUouSP/yRYXmvHw=
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
-github.com/database64128/tfo-go/v2 v2.0.2 h1:5rGgkJeLEKlNaqredfrPQNLnctn1b+1fq/8tdKdOzJg=
-github.com/database64128/tfo-go/v2 v2.0.2/go.mod h1:FDdt4JaAsRU66wsYHxSVytYimPkKIHupVsxM+5DhvjY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
-github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/fanliao/go-promise v0.0.0-20141029170127-1890db352a72/go.mod h1:PjfxuH4FZdUyfMdtBio2lsRr1AKEaVPwelzuHuh8Lqc=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-chi/chi/v5 v5.0.7 h1:rDTPXLDHGATaeHvVlLcR4Qe0zftYethFucbjVQ1PxU8=
-github.com/go-chi/chi/v5 v5.0.7/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.0.8 h1:lD+NLqFcAi1ovnVZpsnObHGW4xb4J8lNmoYVfECH1Y0=
+github.com/go-chi/chi/v5 v5.0.8/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-chi/render v1.0.2 h1:4ER/udB0+fMWB2Jlf15RV3F4A2FDuYi/9f+lFttR/Lg=
 github.com/go-chi/render v1.0.2/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
-github.com/gofrs/uuid v4.3.1+incompatible h1:0/KbAdpx3UXAx1kEOWHJeOkpbgRFGHVgv+CFIY7dBJI=
-github.com/gofrs/uuid v4.3.1+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
+github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
+github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
@@ -72,22 +47,33 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
+github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
+github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
+github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/klauspost/compress v1.15.9 h1:wKRjX6JRtDdrE9qwa4b/Cip7ACOshUI4smpCQanqjSY=
-github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
+github.com/insomniacslk/dhcp v0.0.0-20221215072855-de60144f33f8 h1:Z72DOke2yOK0Ms4Z2LK1E1OrRJXOxSj5DllTz2FYTRg=
+github.com/insomniacslk/dhcp v0.0.0-20221215072855-de60144f33f8/go.mod h1:m5WMe03WCvWcXjRnhvaAbAAXdCnu20J5P+mmH44ZzpE=
+github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
+github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
+github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
+github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok=
+github.com/jsimonetti/rtnetlink v0.0.0-20201110080708-d2c240429e6c/go.mod h1:huN4d1phzjhlOsNIjFsw2SVRbwIHj3fJDMEU2SDPTmg=
+github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/klauspost/compress v1.15.15 h1:EF27CXIuDsYJ6mmvtBRlEuB2UVOqHG1tAXgZ7yIO+lw=
+github.com/klauspost/compress v1.15.15/go.mod h1:ZcK2JAFqKOpnBlxcLsJzYfrS9X1akm9fHZNnD9+Vo/4=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.1.1 h1:t0wUqjowdm8ezddV5k0tLWVklVuvLJpoHeb4WBdydm0=
 github.com/klauspost/cpuid/v2 v2.1.1/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -95,59 +81,70 @@ github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
 github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
-github.com/marten-seemann/qpack v0.3.0 h1:UiWstOgT8+znlkDPOg2+3rIuYXJ2CnGDkGUXN6ki6hE=
-github.com/marten-seemann/qpack v0.3.0/go.mod h1:cGfKPBiP4a9EQdxCwEwI/GEeWAsjSekBvx/X8mh58+g=
-github.com/marten-seemann/qtls-go1-18 v0.1.3 h1:R4H2Ks8P6pAtUagjFty2p7BVHn3XiwDAl7TTQf5h7TI=
-github.com/marten-seemann/qtls-go1-18 v0.1.3/go.mod h1:mJttiymBAByA49mhlNZZGrH5u1uXYZJ+RW28Py7f4m4=
-github.com/marten-seemann/qtls-go1-19 v0.1.1 h1:mnbxeq3oEyQxQXwI4ReCgW9DPoPR94sNlqWoDZnjRIE=
-github.com/marten-seemann/qtls-go1-19 v0.1.1/go.mod h1:5HTDWtVudo/WFsHKRNuOhWlbdjrfs5JHrYb0wIJqGpI=
-github.com/mholt/acmez v1.0.4 h1:N3cE4Pek+dSolbsofIkAYz6H1d3pE+2G0os7QHslf80=
-github.com/mholt/acmez v1.0.4/go.mod h1:qFGLZ4u+ehWINeJZjzPlsnjJBCPAADWTcIqE/7DAYQY=
+github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7/go.mod h1:U6ZQobyTjI/tJyq2HG+i/dfSoFUt8/aZCM+GKtmFk/Y=
+github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA=
+github.com/mdlayher/netlink v1.0.0/go.mod h1:KxeJAFOFLG6AjpyDkQ/iIhxygIUKD+vcwqcnu43w/+M=
+github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcKp9uZHgmY=
+github.com/mdlayher/netlink v1.1.1/go.mod h1:WTYpFb/WTvlRJAyKhZL5/uy69TDDpHHu2VZmb2XgV7o=
+github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
+github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
+github.com/mholt/acmez v1.1.0 h1:IQ9CGHKOHokorxnffsqDvmmE30mDenO1lptYZ1AYkHY=
+github.com/mholt/acmez v1.1.0/go.mod h1:zwo5+fbLLTowAX8o8ETfQzbDtwGEXnPhkmGdKIP+bgs=
 github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
 github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
-github.com/onsi/ginkgo/v2 v2.3.0 h1:kUMoxMoQG3ogk/QWyKh3zibV7BKZ+xBpWil1cTylVqc=
-github.com/onsi/gomega v1.22.1 h1:pY8O4lBfsHKZHM/6nrxkhVPUznOlIu3quZcKP/M20KI=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI=
+github.com/onsi/ginkgo/v2 v2.2.0/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk=
+github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
 github.com/oschwald/maxminddb-golang v1.10.0 h1:Xp1u0ZhqkSuopaKmk1WwHtjF0H9Hd9181uj2MQ5Vndg=
 github.com/oschwald/maxminddb-golang v1.10.0/go.mod h1:Y2ELenReaLAZ0b400URyGwvYxHV1dLIxBuyOsyYjHK0=
 github.com/pires/go-proxyproto v0.6.2 h1:KAZ7UteSOt6urjme6ZldyFm4wDe/z0ZUP0Yv0Dos0d8=
 github.com/pires/go-proxyproto v0.6.2/go.mod h1:Odh9VFOZJCf9G8cLW5o435Xf1J95Jw9Gw5rnCjcwzAY=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/refraction-networking/utls v1.1.5 h1:JtrojoNhbUQkBqEg05sP3gDgDj6hIEAAVKbI9lx4n6w=
-github.com/refraction-networking/utls v1.1.5/go.mod h1:jRQxtYi7nkq1p28HF2lwOH5zQm9aC8rpK0O9lIIzGh8=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
+github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
+github.com/quic-go/qtls-go1-18 v0.2.0 h1:5ViXqBZ90wpUcZS0ge79rf029yx0dYB0McyPJwqqj7U=
+github.com/quic-go/qtls-go1-18 v0.2.0/go.mod h1:moGulGHK7o6O8lSPSZNoOwcLvJKJ85vVNc7oJFD65bc=
+github.com/quic-go/qtls-go1-19 v0.2.0 h1:Cvn2WdhyViFUHoOqK52i51k4nDX8EwIh5VJiVM4nttk=
+github.com/quic-go/qtls-go1-19 v0.2.0/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
+github.com/quic-go/qtls-go1-20 v0.1.0 h1:d1PK3ErFy9t7zxKsG3NXBJXZjp/kMLoIb3y/kV54oAI=
+github.com/quic-go/qtls-go1-20 v0.1.0/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
+github.com/refraction-networking/utls v1.2.2 h1:uBE6V173CwG8MQrSBpNZHAix1fxOvuLKYyjFAu3uqo0=
+github.com/refraction-networking/utls v1.2.2/go.mod h1:L1goe44KvhnTfctUffM2isnJpSjPlYShrhXDeZaoYKw=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e h1:5CFRo8FJbCuf5s/eTBdZpmMbn8Fe2eSMLNAYfKanA34=
-github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e/go.mod h1:qbt0dWObotCfcjAJJ9AxtFPNSDUfZF+6dCpgKEOBn/g=
 github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0 h1:KyhtFFt1Jtp5vW2ohNvstvQffTOQ/s5vENuGXzdA+TM=
 github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0/go.mod h1:D4SFEOkJK+4W1v86ZhX0jPM0rAL498fyQAChqMtes/I=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.0.0-20221108053023-645bcc4f9b15 h1:l8RQTjz5LlGEFOc49dXAr14ORbj8mTW7nX88Rbm+FiY=
-github.com/sagernet/quic-go v0.0.0-20221108053023-645bcc4f9b15/go.mod h1:oWFbojDMm85/Jbm/fyWoo8Pux6dIssxGi3q1r+5642A=
+github.com/sagernet/quic-go v0.0.0-20230202071646-a8c8afb18b32 h1:tztuJB+giOWNRKQEBVY2oI3PsheTooMdh+/yxemYQYY=
+github.com/sagernet/quic-go v0.0.0-20230202071646-a8c8afb18b32/go.mod h1:QMCkxXAC3CvBgDZVIJp43NWTuwGBScCzMLVLynjERL8=
 github.com/sagernet/sing v0.0.0-20220812082120-05f9836bff8f/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
-github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4 h1:LO7xMvMGhYmjQg2vjhTzsODyzs9/WLYu5Per+/8jIeo=
-github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4/go.mod h1:zvgDYKI+vCAW9RyfyrKTgleI+DOa8lzHMPC7VZo3OL4=
-github.com/sagernet/sing-dns v0.0.0-20221113031420-c6aaf2ea4b10 h1:K84AY2TxNX37ePYXVO6QTD/kgn9kDo4oGpTIn9PF5bo=
-github.com/sagernet/sing-dns v0.0.0-20221113031420-c6aaf2ea4b10/go.mod h1:VAvOT1pyryBIthTGRryFLXAsR1VRQZ05wolMYeQrr/E=
-github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6 h1:JJfDeYYhWunvtxsU/mOVNTmFQmnzGx9dY034qG6G3g4=
-github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6/go.mod h1:EX3RbZvrwAkPI2nuGa78T2iQXmrkT+/VQtskjou42xM=
-github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f h1:CXF+nErOb9f7qiHingSgTa2/lJAgmEFtAQ47oVwdRGU=
-github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f/go.mod h1:1u3pjXA9HmH7kRiBJqM3C/zPxrxnCLd3svmqtub/RFU=
-github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0 h1:z3kuD3hPNdEq7/wVy5lwE21f+8ZTazBtR81qswxJoCc=
-github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0/go.mod h1:bwhAdSNET1X+j9DOXGj9NIQR39xgcWIk1rOQ9lLD+gM=
+github.com/sagernet/sing v0.1.7-0.20230209132010-5f1ef3441c13 h1:S/+YvJCEChwnckGhzqSrE/Q2m6aVWhkt1I4Pv2yCMVw=
+github.com/sagernet/sing v0.1.7-0.20230209132010-5f1ef3441c13/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
+github.com/sagernet/sing-dns v0.1.2-0.20230209132355-3c2e2957b455 h1:VA/j2Jg+JURgKw2C1Dw2tpjfOZwbLXRy8PJRbJS/HEU=
+github.com/sagernet/sing-dns v0.1.2-0.20230209132355-3c2e2957b455/go.mod h1:nonvn66ja+UNrQl3jzJy0EFRn15QUaCFAVXTXf6TgJ4=
+github.com/sagernet/sing-shadowsocks v0.1.1-0.20230202035033-e3123545f2f7 h1:Plup6oEiyLzY3HDqQ+QsUBzgBGdVmcsgf3t8h940z9U=
+github.com/sagernet/sing-shadowsocks v0.1.1-0.20230202035033-e3123545f2f7/go.mod h1:O5LtOs8Ivw686FqLpO0Zu+A0ROVE15VeqEK3yDRRAms=
+github.com/sagernet/sing-tun v0.1.1 h1:2Hg3GAyJWzQ7Ua1j74dE+mI06vaqSBO9yD4tkTjggn4=
+github.com/sagernet/sing-tun v0.1.1/go.mod h1:WzW/SkT+Nh9uJn/FIYUE2YJHYuPwfbh8sATOzU9QDGw=
+github.com/sagernet/sing-vmess v0.1.1-0.20230212211128-cb4e47dd0acb h1:oyd3w17fXNmWVYFUe17YVHJW5CLW9X2mxJFDP/IWrAM=
+github.com/sagernet/sing-vmess v0.1.1-0.20230212211128-cb4e47dd0acb/go.mod h1:9KkmnQzTL4Gvv8U2TRAH2BOITCGsGPpHtUPP5sxn5sY=
 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 h1:5VBIbVw9q7aKbrFdT83mjkyvQ+VaRsQ6yflTepfln38=
 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195/go.mod h1:yedWtra8nyGJ+SyI+ziwuaGMzBatbB10P1IOOZbbSK8=
+github.com/sagernet/tfo-go v0.0.0-20230207095944-549363a7327d h1:trP/l6ZPWvQ/5Gv99Z7/t/v8iYy06akDMejxW1sznUk=
+github.com/sagernet/tfo-go v0.0.0-20230207095944-549363a7327d/go.mod h1:jk6Ii8Y3En+j2KQDLgdgQGwb3M6y7EL567jFnGYhN9g=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e h1:7uw2njHFGE+VpWamge6o56j2RWk4omF6uLKKxMmcWvs=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e/go.mod h1:45TUl8+gH4SIKr4ykREbxKWTxkDlSzFENzctB1dVRRY=
-github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c h1:qP3ZOHnjZalvqbjundbXiv/YrNlo3HOgrKc+S1QGs0U=
-github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
+github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c h1:vK2wyt9aWYHHvNLWniwijBu/n4pySypiKRhN32u/JGo=
+github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
+github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
 github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -157,114 +154,99 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/u-root/uio v0.0.0-20221213070652-c3537552635f h1:dpx1PHxYqAnXzbryJrWP1NQLzEjwcVgFLhkknuFQ7ww=
+github.com/u-root/uio v0.0.0-20221213070652-c3537552635f/go.mod h1:IogEAUBXDEwX7oR/BMmCctShYs80ql4hF0ySdzGxf7E=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
-go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
-go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
+go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
 go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
-go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
-go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY=
-go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY=
-go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab h1:+yW1yrZ09EYNu1spCUOHBBNRbrLnfmutwyhbhCv3b6Q=
-go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab/go.mod h1:tgPU4N2u9RByaTN3NC2p9xOzyFpte4jYwsIIRF7XlSc=
+go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
+go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
+go4.org/netipx v0.0.0-20230125063823-8449b0a6169f h1:ketMxHg+vWm3yccyYiq+uK8D3fRmna2Fcj+awpQp84s=
+go4.org/netipx v0.0.0-20230125063823-8449b0a6169f/go.mod h1:tgPU4N2u9RByaTN3NC2p9xOzyFpte4jYwsIIRF7XlSc=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.2.0 h1:BRXPfhNivWL5Yq0BGQ39a2sW6t44aODpfxkWjYdzewE=
-golang.org/x/crypto v0.2.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f h1:Al51T6tzvuh3oiwX11vex3QgJ2XTedFPGmbEVh8cdoc=
-golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/exp v0.0.0-20230213192124-5e25df0256eb h1:PaBZQdo+iSDyHT053FjUCgZQ/9uqVwPOcl7KSWhKn6w=
+golang.org/x/exp v0.0.0-20230213192124-5e25df0256eb/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I=
 golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190419010253-1f3472d942ba/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190418153312-f0ce4c0180be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606122018-79a91cf218c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
+golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE=
 golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
@@ -272,50 +254,22 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f h1:YORWxaStkWBnWgELOHTmDrqNlFXuVGEbhwbB5iK94bQ=
-google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY=
-google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w=
+google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/grpc v1.53.0 h1:LAv2ds7cmFV/XTS3XG1NneeENYrXGmorPxsBbptIjNc=
+google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c h1:m5lcgWnL3OElQNVyp3qcncItJ2c0sQlSGjYK2+nJTA4=
 gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 lukechampine.com/blake3 v1.1.7 h1:GgRMhmdsuK8+ii6UZFDL8Nb+VyMwadAgcJyfYHxG6n0=
 lukechampine.com/blake3 v1.1.7/go.mod h1:tkKEOtDkNtklkXtLNEOGNq5tcV90tJiA1vAA12R78LA=
--- a/inbound/default_tcp.go
+++ b/inbound/default_tcp.go
@@ -11,8 +11,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-
-	"github.com/database64128/tfo-go/v2"
+	"github.com/sagernet/tfo-go"
 )

 func (a *myInboundAdapter) ListenTCP() (net.Listener, error) {
--- a/inbound/default_udp.go
+++ b/inbound/default_udp.go
@@ -18,7 +18,13 @@ import (
 func (a *myInboundAdapter) ListenUDP() (net.PacketConn, error) {
 	bindAddr := M.SocksaddrFrom(netip.Addr(a.listenOptions.Listen), a.listenOptions.ListenPort)
 	var lc net.ListenConfig
-	if !a.listenOptions.UDPFragment {
+	var udpFragment bool
+	if a.listenOptions.UDPFragment != nil {
+		udpFragment = *a.listenOptions.UDPFragment
+	} else {
+		udpFragment = a.listenOptions.UDPFragmentDefault
+	}
+	if !udpFragment {
 		lc.Control = control.Append(lc.Control, control.DisableUDPFragment())
 	}
 	udpConn, err := lc.ListenPacket(a.ctx, M.NetworkFromNetAddr(N.NetworkUDP, bindAddr.Addr), bindAddr.String())
--- a/inbound/direct.go
+++ b/inbound/direct.go
@@ -25,6 +25,7 @@ type Direct struct {
 }

 func NewDirect(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.DirectInboundOptions) *Direct {
+	options.UDPFragmentDefault = true
 	inbound := &Direct{
 		myInboundAdapter: myInboundAdapter{
 			protocol:      C.TypeDirect,
--- a/inbound/http.go
+++ b/inbound/http.go
@@ -102,6 +102,12 @@ func (a *myInboundAdapter) newUserConnection(ctx context.Context, conn net.Conn,
 }

 func (a *myInboundAdapter) streamUserPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	a.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
+	user, loaded := auth.UserFromContext[string](ctx)
+	if !loaded {
+		a.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
+		return a.router.RoutePacketConnection(ctx, conn, metadata)
+	}
+	metadata.User = user
+	a.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
 	return a.router.RoutePacketConnection(ctx, conn, metadata)
 }
--- a/inbound/hysteria.go
+++ b/inbound/hysteria.go
@@ -43,6 +43,7 @@ type Hysteria struct {
 }

 func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HysteriaInboundOptions) (*Hysteria, error) {
+	options.UDPFragmentDefault = true
 	quicConfig := &quic.Config{
 		InitialStreamReceiveWindow:     options.ReceiveWindowConn,
 		MaxStreamReceiveWindow:         options.ReceiveWindowConn,
--- a/inbound/naive.go
+++ b/inbound/naive.go
@@ -137,14 +137,13 @@ func (n *Naive) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 		return
 	}
 	var authOk bool
+	var userName string
 	authorization := request.Header.Get("Proxy-Authorization")
 	if strings.HasPrefix(authorization, "BASIC ") || strings.HasPrefix(authorization, "Basic ") {
 		userPassword, _ := base64.URLEncoding.DecodeString(authorization[6:])
 		userPswdArr := strings.SplitN(string(userPassword), ":", 2)
+		userName = userPswdArr[0]
 		authOk = n.authenticator.Verify(userPswdArr[0], userPswdArr[1])
-		if authOk {
-			ctx = auth.ContextWithUser(ctx, userPswdArr[0])
-		}
 	}
 	if !authOk {
 		rejectHTTP(writer, http.StatusProxyAuthRequired)
@@ -168,17 +167,29 @@ func (n *Naive) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 			n.badRequest(ctx, request, E.New("hijack failed"))
 			return
 		}
-		n.newConnection(ctx, &naiveH1Conn{Conn: conn}, source, destination)
+		n.newConnection(ctx, &naiveH1Conn{Conn: conn}, userName, source, destination)
 	} else {
-		n.newConnection(ctx, &naiveH2Conn{reader: request.Body, writer: writer, flusher: writer.(http.Flusher)}, source, destination)
+		n.newConnection(ctx, &naiveH2Conn{reader: request.Body, writer: writer, flusher: writer.(http.Flusher)}, userName, source, destination)
 	}
 }

-func (n *Naive) newConnection(ctx context.Context, conn net.Conn, source, destination M.Socksaddr) {
-	n.routeTCP(ctx, conn, n.createMetadata(conn, adapter.InboundContext{
+func (n *Naive) newConnection(ctx context.Context, conn net.Conn, userName string, source, destination M.Socksaddr) {
+	if userName != "" {
+		n.logger.InfoContext(ctx, "[", userName, "] inbound connection from ", source)
+		n.logger.InfoContext(ctx, "[", userName, "] inbound connection to ", destination)
+	} else {
+		n.logger.InfoContext(ctx, "inbound connection from ", source)
+		n.logger.InfoContext(ctx, "inbound connection to ", destination)
+	}
+	hErr := n.router.RouteConnection(ctx, conn, n.createMetadata(conn, adapter.InboundContext{
 		Source:      source,
 		Destination: destination,
+		User:        userName,
 	}))
+	if hErr != nil {
+		conn.Close()
+		n.NewError(ctx, E.Cause(hErr, "process connection from ", source))
+	}
 }

 func (n *Naive) badRequest(ctx context.Context, request *http.Request, err error) {
--- a/inbound/shadowsocks.go
+++ b/inbound/shadowsocks.go
@@ -70,7 +70,7 @@ func newShadowsocks(ctx context.Context, router adapter.Router, logger log.Conte
 	case common.Contains(shadowaead_2022.List, options.Method):
 		inbound.service, err = shadowaead_2022.NewServiceWithPassword(options.Method, options.Password, udpTimeout, inbound.upstreamContextHandler())
 	default:
-		err = E.New("shadowsocks: unsupported method: ", options.Method)
+		err = E.New("unsupported method: ", options.Method)
 	}
 	inbound.packetUpstream = inbound.service
 	return inbound, err
--- a/inbound/shadowsocks_multi.go
+++ b/inbound/shadowsocks_multi.go
@@ -13,6 +13,7 @@ import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/auth"
 	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -48,12 +49,18 @@ func newShadowsocksMulti(ctx context.Context, router adapter.Router, logger log.
 	} else {
 		udpTimeout = int64(C.UDPTimeout.Seconds())
 	}
+	if !common.Contains(shadowaead_2022.List, options.Method) {
+		return nil, E.New("unsupported method: " + options.Method)
+	}
 	service, err := shadowaead_2022.NewMultiServiceWithPassword[int](
 		options.Method,
 		options.Password,
 		udpTimeout,
 		adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound),
 	)
+	if err != nil {
+		return nil, err
+	}
 	err = service.UpdateUsersWithPasswords(common.MapIndexed(options.Users, func(index int, user option.ShadowsocksUser) int {
 		return index
 	}), common.Map(options.Users, func(user option.ShadowsocksUser) string {
--- a/inbound/shadowtls.go
+++ b/inbound/shadowtls.go
@@ -3,7 +3,10 @@ package inbound
 import (
 	"bytes"
 	"context"
+	"crypto/hmac"
+	"crypto/sha1"
 	"encoding/binary"
+	"encoding/hex"
 	"io"
 	"net"
 	"os"
@@ -27,8 +30,9 @@ type ShadowTLS struct {
 	myInboundAdapter
 	handshakeDialer N.Dialer
 	handshakeAddr   M.Socksaddr
-	v2              bool
+	version         int
 	password        string
+	fallbackAfter   int
 }

 func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowTLSInboundOptions) (*ShadowTLS, error) {
@@ -46,12 +50,18 @@ func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.Context
 		handshakeAddr:   options.Handshake.ServerOptions.Build(),
 		password:        options.Password,
 	}
+	inbound.version = options.Version
 	switch options.Version {
 	case 0:
 		fallthrough
 	case 1:
 	case 2:
-		inbound.v2 = true
+		if options.FallbackAfter == nil {
+			inbound.fallbackAfter = 2
+		} else {
+			inbound.fallbackAfter = *options.FallbackAfter
+		}
+	case 3:
 	default:
 		return nil, E.New("unknown shadowtls protocol version: ", options.Version)
 	}
@@ -64,7 +74,8 @@ func (s *ShadowTLS) NewConnection(ctx context.Context, conn net.Conn, metadata a
 	if err != nil {
 		return err
 	}
-	if !s.v2 {
+	switch s.version {
+	case 1:
 		var handshake task.Group
 		handshake.Append("client handshake", func(ctx context.Context) error {
 			return s.copyUntilHandshakeFinished(handshakeConn, conn)
@@ -81,11 +92,11 @@ func (s *ShadowTLS) NewConnection(ctx context.Context, conn net.Conn, metadata a
 			return err
 		}
 		return s.newConnection(ctx, conn, metadata)
-	} else {
+	case 2:
 		hashConn := shadowtls.NewHashWriteConn(conn, s.password)
 		go bufio.Copy(hashConn, handshakeConn)
 		var request *buf.Buffer
-		request, err = s.copyUntilHandshakeFinishedV2(handshakeConn, conn, hashConn)
+		request, err = s.copyUntilHandshakeFinishedV2(ctx, handshakeConn, conn, hashConn, s.fallbackAfter)
 		if err == nil {
 			handshakeConn.Close()
 			return s.newConnection(ctx, bufio.NewCachedConn(shadowtls.NewConn(conn), request), metadata)
@@ -96,6 +107,97 @@ func (s *ShadowTLS) NewConnection(ctx context.Context, conn net.Conn, metadata a
 		} else {
 			return err
 		}
+	default:
+		fallthrough
+	case 3:
+		var clientHelloFrame *buf.Buffer
+		clientHelloFrame, err = shadowtls.ExtractFrame(conn)
+		if err != nil {
+			return E.Cause(err, "read client handshake")
+		}
+		_, err = handshakeConn.Write(clientHelloFrame.Bytes())
+		if err != nil {
+			clientHelloFrame.Release()
+			return E.Cause(err, "write client handshake")
+		}
+		err = shadowtls.VerifyClientHello(clientHelloFrame.Bytes(), s.password)
+		if err != nil {
+			s.logger.WarnContext(ctx, E.Cause(err, "client hello verify failed"))
+			return bufio.CopyConn(ctx, conn, handshakeConn)
+		}
+		s.logger.TraceContext(ctx, "client hello verify success")
+		clientHelloFrame.Release()
+
+		var serverHelloFrame *buf.Buffer
+		serverHelloFrame, err = shadowtls.ExtractFrame(handshakeConn)
+		if err != nil {
+			return E.Cause(err, "read server handshake")
+		}
+
+		_, err = conn.Write(serverHelloFrame.Bytes())
+		if err != nil {
+			serverHelloFrame.Release()
+			return E.Cause(err, "write server handshake")
+		}
+
+		serverRandom := shadowtls.ExtractServerRandom(serverHelloFrame.Bytes())
+
+		if serverRandom == nil {
+			s.logger.WarnContext(ctx, "server random extract failed, will copy bidirectional")
+			return bufio.CopyConn(ctx, conn, handshakeConn)
+		}
+
+		if !shadowtls.IsServerHelloSupportTLS13(serverHelloFrame.Bytes()) {
+			s.logger.WarnContext(ctx, "TLS 1.3 is not supported, will copy bidirectional")
+			return bufio.CopyConn(ctx, conn, handshakeConn)
+		}
+
+		serverHelloFrame.Release()
+		s.logger.TraceContext(ctx, "client authenticated. server random extracted: ", hex.EncodeToString(serverRandom))
+
+		hmacWrite := hmac.New(sha1.New, []byte(s.password))
+		hmacWrite.Write(serverRandom)
+
+		hmacAdd := hmac.New(sha1.New, []byte(s.password))
+		hmacAdd.Write(serverRandom)
+		hmacAdd.Write([]byte("S"))
+
+		hmacVerify := hmac.New(sha1.New, []byte(s.password))
+		hmacVerifyReset := func() {
+			hmacVerify.Reset()
+			hmacVerify.Write(serverRandom)
+			hmacVerify.Write([]byte("C"))
+		}
+
+		var clientFirstFrame *buf.Buffer
+		var group task.Group
+		var handshakeFinished bool
+		group.Append("client handshake relay", func(ctx context.Context) error {
+			clientFrame, cErr := shadowtls.CopyByFrameUntilHMACMatches(conn, handshakeConn, hmacVerify, hmacVerifyReset)
+			if cErr == nil {
+				clientFirstFrame = clientFrame
+				handshakeFinished = true
+				handshakeConn.Close()
+			}
+			return cErr
+		})
+		group.Append("server handshake relay", func(ctx context.Context) error {
+			cErr := shadowtls.CopyByFrameWithModification(handshakeConn, conn, s.password, serverRandom, hmacWrite)
+			if E.IsClosedOrCanceled(cErr) && handshakeFinished {
+				return nil
+			}
+			return cErr
+		})
+		group.Cleanup(func() {
+			handshakeConn.Close()
+		})
+		err = group.Run(ctx)
+		if err != nil {
+			return E.Cause(err, "handshake relay")
+		}
+
+		s.logger.TraceContext(ctx, "handshake relay finished")
+		return s.newConnection(ctx, bufio.NewCachedConn(shadowtls.NewVerifiedConn(conn, hmacAdd, hmacVerify, nil), clientFirstFrame), metadata)
 	}
 }

@@ -129,7 +231,7 @@ func (s *ShadowTLS) copyUntilHandshakeFinished(dst io.Writer, src io.Reader) err
 	}
 }

-func (s *ShadowTLS) copyUntilHandshakeFinishedV2(dst net.Conn, src io.Reader, hash *shadowtls.HashWriteConn) (*buf.Buffer, error) {
+func (s *ShadowTLS) copyUntilHandshakeFinishedV2(ctx context.Context, dst net.Conn, src io.Reader, hash *shadowtls.HashWriteConn, fallbackAfter int) (*buf.Buffer, error) {
 	const applicationData = 0x17
 	var tlsHdr [5]byte
 	var applicationDataCount int
@@ -146,9 +248,17 @@ func (s *ShadowTLS) copyUntilHandshakeFinishedV2(dst net.Conn, src io.Reader, ha
 				data.Release()
 				return nil, err
 			}
-			if length >= 8 && bytes.Equal(data.To(8), hash.Sum()) {
-				data.Advance(8)
-				return data, nil
+			if hash.HasContent() && length >= 8 {
+				checksum := hash.Sum()
+				if bytes.Equal(data.To(8), checksum) {
+					s.logger.TraceContext(ctx, "match current hashcode")
+					data.Advance(8)
+					return data, nil
+				} else if hash.LastSum() != nil && bytes.Equal(data.To(8), hash.LastSum()) {
+					s.logger.TraceContext(ctx, "match last hashcode")
+					data.Advance(8)
+					return data, nil
+				}
 			}
 			_, err = io.Copy(dst, io.MultiReader(bytes.NewReader(tlsHdr[:]), data))
 			data.Release()
@@ -159,7 +269,7 @@ func (s *ShadowTLS) copyUntilHandshakeFinishedV2(dst net.Conn, src io.Reader, ha
 		if err != nil {
 			return nil, err
 		}
-		if applicationDataCount > 3 {
+		if applicationDataCount > fallbackAfter {
 			return nil, os.ErrPermission
 		}
 	}
--- a/inbound/trojan.go
+++ b/inbound/trojan.go
@@ -10,6 +10,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/transport/trojan"
 	"github.com/sagernet/sing-box/transport/v2ray"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/auth"
@@ -17,7 +18,6 @@ import (
 	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/protocol/trojan"
 )

 var (
@@ -89,7 +89,7 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog
 		return nil, err
 	}
 	if options.Transport != nil {
-		inbound.transport, err = v2ray.NewServerTransport(ctx, common.PtrValueOrDefault(options.Transport), inbound.tlsConfig, adapter.NewUpstreamHandler(adapter.InboundContext{}, inbound.newTransportConnection, nil, nil), inbound)
+		inbound.transport, err = v2ray.NewServerTransport(ctx, common.PtrValueOrDefault(options.Transport), inbound.tlsConfig, (*trojanTransportHandler)(inbound))
 		if err != nil {
 			return nil, E.Cause(err, "create server transport: ", options.Transport.Type)
 		}
@@ -157,7 +157,7 @@ func (h *Trojan) NewConnection(ctx context.Context, conn net.Conn, metadata adap
 			return err
 		}
 	}
-	return h.service.NewConnection(adapter.WithContext(log.ContextWithNewID(ctx), &metadata), conn, adapter.UpstreamMetadata(metadata))
+	return h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, adapter.UpstreamMetadata(metadata))
 }

 func (h *Trojan) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
@@ -216,3 +216,21 @@ func (h *Trojan) newPacketConnection(ctx context.Context, conn N.PacketConn, met
 	h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
 	return h.router.RoutePacketConnection(ctx, conn, metadata)
 }
+
+var _ adapter.V2RayServerTransportHandler = (*trojanTransportHandler)(nil)
+
+type trojanTransportHandler Trojan
+
+func (t *trojanTransportHandler) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	return (*Trojan)(t).newTransportConnection(ctx, conn, adapter.InboundContext{
+		Source:      metadata.Source,
+		Destination: metadata.Destination,
+	})
+}
+
+func (t *trojanTransportHandler) FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	return (*Trojan)(t).fallbackConnection(ctx, conn, adapter.InboundContext{
+		Source:      metadata.Source,
+		Destination: metadata.Destination,
+	})
+}
--- a/inbound/vmess.go
+++ b/inbound/vmess.go
@@ -49,7 +49,11 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		ctx:   ctx,
 		users: options.Users,
 	}
-	service := vmess.NewService[int](adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound))
+	var serviceOptions []vmess.ServiceOption
+	if options.Transport != nil && options.Transport.Type != "" {
+		serviceOptions = append(serviceOptions, vmess.ServiceWithDisableHeaderProtection())
+	}
+	service := vmess.NewService[int](adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound), serviceOptions...)
 	inbound.service = service
 	err := service.UpdateUsers(common.MapIndexed(options.Users, func(index int, it option.VMessUser) int {
 		return index
@@ -68,7 +72,7 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		}
 	}
 	if options.Transport != nil {
-		inbound.transport, err = v2ray.NewServerTransport(ctx, common.PtrValueOrDefault(options.Transport), inbound.tlsConfig, adapter.NewUpstreamHandler(adapter.InboundContext{}, inbound.newTransportConnection, nil, nil), inbound)
+		inbound.transport, err = v2ray.NewServerTransport(ctx, common.PtrValueOrDefault(options.Transport), inbound.tlsConfig, (*vmessTransportHandler)(inbound))
 		if err != nil {
 			return nil, E.Cause(err, "create server transport: ", options.Transport.Type)
 		}
@@ -179,3 +183,18 @@ func (h *VMess) newPacketConnection(ctx context.Context, conn N.PacketConn, meta
 	}
 	return h.router.RoutePacketConnection(ctx, conn, metadata)
 }
+
+var _ adapter.V2RayServerTransportHandler = (*vmessTransportHandler)(nil)
+
+type vmessTransportHandler VMess
+
+func (t *vmessTransportHandler) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	return (*VMess)(t).newTransportConnection(ctx, conn, adapter.InboundContext{
+		Source:      metadata.Source,
+		Destination: metadata.Destination,
+	})
+}
+
+func (t *vmessTransportHandler) FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	return os.ErrInvalid
+}
--- a/include/dhcp.go
+++ b/include/dhcp.go
@@ -0,0 +1,5 @@
+//go:build with_dhcp
+
+package include
+
+import _ "github.com/sagernet/sing-box/transport/dhcp"
--- a/include/dhcp_stub.go
+++ b/include/dhcp_stub.go
@@ -0,0 +1,18 @@
+//go:build !with_dhcp
+
+package include
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-dns"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	N "github.com/sagernet/sing/common/network"
+)
+
+func init() {
+	dns.RegisterTransport([]string{"dhcp"}, func(ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
+		return nil, E.New(`DHCP is not included in this build, rebuild with -tags with_dhcp`)
+	})
+}
--- a/include/quic_stub.go
+++ b/include/quic_stub.go
@@ -11,7 +11,7 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/v2ray"
 	"github.com/sagernet/sing-dns"
-	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -19,11 +19,11 @@ import (
 const WithQUIC = false

 func init() {
-	dns.RegisterTransport([]string{"quic", "h3"}, func(ctx context.Context, dialer N.Dialer, link string) (dns.Transport, error) {
+	dns.RegisterTransport([]string{"quic", "h3"}, func(ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
 		return nil, C.ErrQUICNotIncluded
 	})
 	v2ray.RegisterQUICConstructor(
-		func(ctx context.Context, options option.V2RayQUICOptions, tlsConfig tls.ServerConfig, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
+		func(ctx context.Context, options option.V2RayQUICOptions, tlsConfig tls.ServerConfig, handler adapter.V2RayServerTransportHandler) (adapter.V2RayServerTransport, error) {
 			return nil, C.ErrQUICNotIncluded
 		},
 		func(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, options option.V2RayQUICOptions, tlsConfig tls.Config) (adapter.V2RayClientTransport, error) {
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -97,11 +97,11 @@ nav:
  - Examples:
      - examples/index.md
      - Linux Server Installation: examples/linux-server-installation.md
-      - Shadowsocks Server: examples/ss-server.md
-      - Shadowsocks Client: examples/ss-client.md
-      - Shadowsocks Tun: examples/ss-tun.md
-      - ShadowTLS: examples/shadowtls.md
+      - Tun: examples/tun.md
      - DNS Hijack: examples/dns-hijack.md
+      - Shadowsocks: examples/shadowsocks.md
+      - ShadowTLS: examples/shadowtls.md
+      - Clash API: examples/clash-api.md
  - Contributing:
      - contributing/index.md
      - Developing:
@@ -168,7 +168,4 @@ plugins:
          Known Issues: 已知问题
          Examples: 示例
          Linux Server Installation: Linux 服务器安装
-          Shadowsocks Server: Shadowsocks 服务器
-          Shadowsocks Client: Shadowsocks 客户端
-          Shadowsocks Tun: Shadowsocks Tun
          DNS Hijack: DNS 劫持
--- a/option/clash.go
+++ b/option/clash.go
@@ -4,7 +4,6 @@ type ClashAPIOptions struct {
 	ExternalController string `json:"external_controller,omitempty"`
 	ExternalUI         string `json:"external_ui,omitempty"`
 	Secret             string `json:"secret,omitempty"`
-	DirectIO           bool   `json:"direct_io,omitempty"`
 	DefaultMode        string `json:"default_mode,omitempty"`
 	StoreSelected      bool   `json:"store_selected,omitempty"`
 	CacheFile          string `json:"cache_file,omitempty"`
--- a/option/dns.go
+++ b/option/dns.go
@@ -77,32 +77,33 @@ func (r *DNSRule) UnmarshalJSON(bytes []byte) error {
 }

 type DefaultDNSRule struct {
-	Inbound         Listable[string] `json:"inbound,omitempty"`
-	IPVersion       int              `json:"ip_version,omitempty"`
-	Network         string           `json:"network,omitempty"`
-	AuthUser        Listable[string] `json:"auth_user,omitempty"`
-	Protocol        Listable[string] `json:"protocol,omitempty"`
-	Domain          Listable[string] `json:"domain,omitempty"`
-	DomainSuffix    Listable[string] `json:"domain_suffix,omitempty"`
-	DomainKeyword   Listable[string] `json:"domain_keyword,omitempty"`
-	DomainRegex     Listable[string] `json:"domain_regex,omitempty"`
-	Geosite         Listable[string] `json:"geosite,omitempty"`
-	SourceGeoIP     Listable[string] `json:"source_geoip,omitempty"`
-	SourceIPCIDR    Listable[string] `json:"source_ip_cidr,omitempty"`
-	SourcePort      Listable[uint16] `json:"source_port,omitempty"`
-	SourcePortRange Listable[string] `json:"source_port_range,omitempty"`
-	Port            Listable[uint16] `json:"port,omitempty"`
-	PortRange       Listable[string] `json:"port_range,omitempty"`
-	ProcessName     Listable[string] `json:"process_name,omitempty"`
-	ProcessPath     Listable[string] `json:"process_path,omitempty"`
-	PackageName     Listable[string] `json:"package_name,omitempty"`
-	User            Listable[string] `json:"user,omitempty"`
-	UserID          Listable[int32]  `json:"user_id,omitempty"`
-	Outbound        Listable[string] `json:"outbound,omitempty"`
-	ClashMode       string           `json:"clash_mode,omitempty"`
-	Invert          bool             `json:"invert,omitempty"`
-	Server          string           `json:"server,omitempty"`
-	DisableCache    bool             `json:"disable_cache,omitempty"`
+	Inbound         Listable[string]       `json:"inbound,omitempty"`
+	IPVersion       int                    `json:"ip_version,omitempty"`
+	QueryType       Listable[DNSQueryType] `json:"query_type,omitempty"`
+	Network         string                 `json:"network,omitempty"`
+	AuthUser        Listable[string]       `json:"auth_user,omitempty"`
+	Protocol        Listable[string]       `json:"protocol,omitempty"`
+	Domain          Listable[string]       `json:"domain,omitempty"`
+	DomainSuffix    Listable[string]       `json:"domain_suffix,omitempty"`
+	DomainKeyword   Listable[string]       `json:"domain_keyword,omitempty"`
+	DomainRegex     Listable[string]       `json:"domain_regex,omitempty"`
+	Geosite         Listable[string]       `json:"geosite,omitempty"`
+	SourceGeoIP     Listable[string]       `json:"source_geoip,omitempty"`
+	SourceIPCIDR    Listable[string]       `json:"source_ip_cidr,omitempty"`
+	SourcePort      Listable[uint16]       `json:"source_port,omitempty"`
+	SourcePortRange Listable[string]       `json:"source_port_range,omitempty"`
+	Port            Listable[uint16]       `json:"port,omitempty"`
+	PortRange       Listable[string]       `json:"port_range,omitempty"`
+	ProcessName     Listable[string]       `json:"process_name,omitempty"`
+	ProcessPath     Listable[string]       `json:"process_path,omitempty"`
+	PackageName     Listable[string]       `json:"package_name,omitempty"`
+	User            Listable[string]       `json:"user,omitempty"`
+	UserID          Listable[int32]        `json:"user_id,omitempty"`
+	Outbound        Listable[string]       `json:"outbound,omitempty"`
+	ClashMode       string                 `json:"clash_mode,omitempty"`
+	Invert          bool                   `json:"invert,omitempty"`
+	Server          string                 `json:"server,omitempty"`
+	DisableCache    bool                   `json:"disable_cache,omitempty"`
 }

 func (r DefaultDNSRule) IsValid() bool {
--- a/option/inbound.go
+++ b/option/inbound.go
@@ -115,7 +115,8 @@ type ListenOptions struct {
 	Listen                      ListenAddress `json:"listen"`
 	ListenPort                  uint16        `json:"listen_port,omitempty"`
 	TCPFastOpen                 bool          `json:"tcp_fast_open,omitempty"`
-	UDPFragment                 bool          `json:"udp_fragment,omitempty"`
+	UDPFragment                 *bool         `json:"udp_fragment,omitempty"`
+	UDPFragmentDefault          bool          `json:"-"`
 	UDPTimeout                  int64         `json:"udp_timeout,omitempty"`
 	ProxyProtocol               bool          `json:"proxy_protocol,omitempty"`
 	ProxyProtocolAcceptNoHeader bool          `json:"proxy_protocol_accept_no_header,omitempty"`
--- a/option/shadowsocks.go
+++ b/option/shadowsocks.go
@@ -2,12 +2,11 @@ package option

 type ShadowsocksInboundOptions struct {
 	ListenOptions
-	Network         NetworkList              `json:"network,omitempty"`
-	Method          string                   `json:"method"`
-	Password        string                   `json:"password"`
-	ControlPassword string                   `json:"control_password,omitempty"`
-	Users           []ShadowsocksUser        `json:"users,omitempty"`
-	Destinations    []ShadowsocksDestination `json:"destinations,omitempty"`
+	Network      NetworkList              `json:"network,omitempty"`
+	Method       string                   `json:"method"`
+	Password     string                   `json:"password"`
+	Users        []ShadowsocksUser        `json:"users,omitempty"`
+	Destinations []ShadowsocksDestination `json:"destinations,omitempty"`
 }

 type ShadowsocksUser struct {
--- a/option/shadowtls.go
+++ b/option/shadowtls.go
@@ -2,9 +2,10 @@ package option

 type ShadowTLSInboundOptions struct {
 	ListenOptions
-	Version   int                       `json:"version,omitempty"`
-	Password  string                    `json:"password,omitempty"`
-	Handshake ShadowTLSHandshakeOptions `json:"handshake"`
+	Version       int                       `json:"version,omitempty"`
+	Password      string                    `json:"password,omitempty"`
+	FallbackAfter *int                      `json:"fallback_after,omitempty"`
+	Handshake     ShadowTLSHandshakeOptions `json:"handshake"`
 }

 type ShadowTLSHandshakeOptions struct {
--- a/option/ssh.go
+++ b/option/ssh.go
@@ -8,6 +8,7 @@ type SSHOutboundOptions struct {
 	PrivateKey           string           `json:"private_key,omitempty"`
 	PrivateKeyPath       string           `json:"private_key_path,omitempty"`
 	PrivateKeyPassphrase string           `json:"private_key_passphrase,omitempty"`
+	HostKey              Listable[string] `json:"host_key,omitempty"`
 	HostKeyAlgorithms    Listable[string] `json:"host_key_algorithms,omitempty"`
 	ClientVersion        string           `json:"client_version,omitempty"`
 }
--- a/option/types.go
+++ b/option/types.go
@@ -8,7 +8,10 @@ import (
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 	N "github.com/sagernet/sing/common/network"
+
+	mDNS "github.com/miekg/dns"
 )

 type ListenAddress netip.Addr
@@ -124,7 +127,7 @@ func (s *DomainStrategy) UnmarshalJSON(bytes []byte) error {
 		return err
 	}
 	switch value {
-	case "", "AsIS":
+	case "", "as_is":
 		*s = DomainStrategy(dns.DomainStrategyAsIS)
 	case "prefer_ipv4":
 		*s = DomainStrategy(dns.DomainStrategyPreferIPv4)
@@ -187,3 +190,40 @@ func (p *ListenPrefix) UnmarshalJSON(bytes []byte) error {
 func (p ListenPrefix) Build() netip.Prefix {
 	return netip.Prefix(p)
 }
+
+type DNSQueryType uint16
+
+func (t DNSQueryType) MarshalJSON() ([]byte, error) {
+	typeName, loaded := mDNS.TypeToString[uint16(t)]
+	if loaded {
+		return json.Marshal(typeName)
+	}
+	return json.Marshal(uint16(t))
+}
+
+func (t *DNSQueryType) UnmarshalJSON(bytes []byte) error {
+	var valueNumber uint16
+	err := json.Unmarshal(bytes, &valueNumber)
+	if err == nil {
+		*t = DNSQueryType(valueNumber)
+		return nil
+	}
+	var valueString string
+	err = json.Unmarshal(bytes, &valueString)
+	if err == nil {
+		queryType, loaded := mDNS.StringToType[valueString]
+		if loaded {
+			*t = DNSQueryType(queryType)
+			return nil
+		}
+	}
+	return E.New("unknown DNS query type: ", string(bytes))
+}
+
+func DNSQueryTypeToString(queryType uint16) string {
+	typeName, loaded := mDNS.TypeToString[queryType]
+	if loaded {
+		return typeName
+	}
+	return F.ToString(queryType)
+}
--- a/option/v2ray.go
+++ b/option/v2ray.go
@@ -7,7 +7,7 @@ type V2RayAPIOptions struct {

 type V2RayStatsServiceOptions struct {
 	Enabled   bool     `json:"enabled,omitempty"`
-	DirectIO  bool     `json:"direct_io,omitempty"`
 	Inbounds  []string `json:"inbounds,omitempty"`
 	Outbounds []string `json:"outbounds,omitempty"`
+	Users     []string `json:"users,omitempty"`
 }
--- a/outbound/default.go
+++ b/outbound/default.go
@@ -78,12 +78,6 @@ func NewEarlyConnection(ctx context.Context, this N.Dialer, conn net.Conn, metad
 }

 func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata adapter.InboundContext) error {
-	switch metadata.Protocol {
-	case C.ProtocolQUIC, C.ProtocolDNS:
-		if !metadata.Destination.Addr.IsUnspecified() {
-			return connectPacketConnection(ctx, this, conn, metadata)
-		}
-	}
 	ctx = adapter.WithContext(ctx, &metadata)
 	var outConn net.PacketConn
 	var err error
@@ -98,29 +92,12 @@ func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn,
 	switch metadata.Protocol {
 	case C.ProtocolSTUN:
 		ctx, conn = canceler.NewPacketConn(ctx, conn, C.STUNTimeout)
-	}
-	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outConn))
-}
-
-func connectPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata adapter.InboundContext) error {
-	ctx = adapter.WithContext(ctx, &metadata)
-	var outConn net.Conn
-	var err error
-	if len(metadata.DestinationAddresses) > 0 {
-		outConn, err = N.DialSerial(ctx, this, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses)
-	} else {
-		outConn, err = this.DialContext(ctx, N.NetworkUDP, metadata.Destination)
-	}
-	if err != nil {
-		return N.HandshakeFailure(conn, err)
-	}
-	switch metadata.Protocol {
 	case C.ProtocolQUIC:
 		ctx, conn = canceler.NewPacketConn(ctx, conn, C.QUICTimeout)
 	case C.ProtocolDNS:
 		ctx, conn = canceler.NewPacketConn(ctx, conn, C.DNSTimeout)
 	}
-	return bufio.CopyPacketConn(ctx, conn, bufio.NewUnbindPacketConn(outConn))
+	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outConn))
 }

 func CopyEarlyConn(ctx context.Context, conn net.Conn, serverConn net.Conn) error {
--- a/outbound/direct.go
+++ b/outbound/direct.go
@@ -12,6 +12,8 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -160,8 +162,30 @@ func (h *Direct) ListenPacket(ctx context.Context, destination M.Socksaddr) (net
 	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
-	h.logger.InfoContext(ctx, "outbound packet connection")
-	return h.dialer.ListenPacket(ctx, destination)
+	switch h.overrideOption {
+	case 1:
+		destination = h.overrideDestination
+	case 2:
+		newDestination := h.overrideDestination
+		newDestination.Port = destination.Port
+		destination = newDestination
+	case 3:
+		destination.Port = h.overrideDestination.Port
+	}
+	if h.overrideOption == 0 {
+		h.logger.InfoContext(ctx, "outbound packet connection")
+	} else {
+		h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
+	}
+	conn, err := h.dialer.ListenPacket(ctx, destination)
+	if err != nil {
+		return nil, err
+	}
+	if h.overrideOption == 0 {
+		return conn, nil
+	} else {
+		return &overridePacketConn{bufio.NewPacketConn(conn), destination}, nil
+	}
 }

 func (h *Direct) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
@@ -171,3 +195,20 @@ func (h *Direct) NewConnection(ctx context.Context, conn net.Conn, metadata adap
 func (h *Direct) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return NewPacketConnection(ctx, h, conn, metadata)
 }
+
+type overridePacketConn struct {
+	N.NetPacketConn
+	overrideDestination M.Socksaddr
+}
+
+func (c *overridePacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	return c.NetPacketConn.WritePacket(buffer, c.overrideDestination)
+}
+
+func (c *overridePacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	return c.NetPacketConn.WriteTo(p, c.overrideDestination.UDPAddr())
+}
+
+func (c *overridePacketConn) Upstream() any {
+	return c.NetPacketConn
+}
--- a/outbound/proxy.go
+++ b/outbound/proxy.go
@@ -3,8 +3,8 @@ package outbound
 import (
 	std_bufio "bufio"
 	"context"
+	"crypto/rand"
 	"encoding/hex"
-	"math/rand"
 	"net"

 	"github.com/sagernet/sing-box/adapter"
--- a/outbound/shadowtls.go
+++ b/outbound/shadowtls.go
@@ -2,6 +2,8 @@ package outbound

 import (
 	"context"
+	"crypto/hmac"
+	"crypto/sha1"
 	"net"
 	"os"

@@ -25,7 +27,7 @@ type ShadowTLS struct {
 	dialer     N.Dialer
 	serverAddr M.Socksaddr
 	tlsConfig  tls.Config
-	v2         bool
+	version    int
 	password   string
 }

@@ -45,6 +47,7 @@ func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.Context
 	if options.TLS == nil || !options.TLS.Enabled {
 		return nil, C.ErrTLSRequired
 	}
+	outbound.version = options.Version
 	switch options.Version {
 	case 0:
 		fallthrough
@@ -52,12 +55,16 @@ func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.Context
 		options.TLS.MinVersion = "1.2"
 		options.TLS.MaxVersion = "1.2"
 	case 2:
-		outbound.v2 = true
+	case 3:
 	default:
 		return nil, E.New("unknown shadowtls protocol version: ", options.Version)
 	}
 	var err error
-	outbound.tlsConfig, err = tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
+	if options.Version != 3 {
+		outbound.tlsConfig, err = tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
+	} else {
+		outbound.tlsConfig, err = shadowtls.NewClientTLSConfig(options.Server, common.PtrValueOrDefault(options.TLS), options.Password)
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -74,19 +81,42 @@ func (s *ShadowTLS) DialContext(ctx context.Context, network string, destination
 	if err != nil {
 		return nil, err
 	}
-	if !s.v2 {
+	switch s.version {
+	default:
+		fallthrough
+	case 1:
 		_, err = tls.ClientHandshake(ctx, conn, s.tlsConfig)
 		if err != nil {
 			return nil, err
 		}
 		return conn, nil
-	} else {
+	case 2:
 		hashConn := shadowtls.NewHashReadConn(conn, s.password)
 		_, err = tls.ClientHandshake(ctx, hashConn, s.tlsConfig)
 		if err != nil {
 			return nil, err
 		}
 		return shadowtls.NewClientConn(hashConn), nil
+	case 3:
+		streamWrapper := shadowtls.NewStreamWrapper(conn, s.password)
+		_, err = tls.ClientHandshake(ctx, streamWrapper, s.tlsConfig)
+		if err != nil {
+			return nil, err
+		}
+		authorized, serverRandom, readHMAC := streamWrapper.Authorized()
+		if !authorized {
+			return nil, E.New("traffic hijacked or TLS1.3 is not supported")
+		}
+
+		hmacAdd := hmac.New(sha1.New, []byte(s.password))
+		hmacAdd.Write(serverRandom)
+		hmacAdd.Write([]byte("C"))
+
+		hmacVerify := hmac.New(sha1.New, []byte(s.password))
+		hmacVerify.Write(serverRandom)
+		hmacVerify.Write([]byte("S"))
+
+		return shadowtls.NewVerifiedConn(conn, hmacAdd, hmacVerify, readHMAC), nil
 	}
 }

--- a/outbound/ssh.go
+++ b/outbound/ssh.go
@@ -1,7 +1,9 @@
 package outbound

 import (
+	"bytes"
 	"context"
+	"encoding/base64"
 	"math/rand"
 	"net"
 	"os"
@@ -32,6 +34,7 @@ type SSH struct {
 	dialer            N.Dialer
 	serverAddr        M.Socksaddr
 	user              string
+	hostKey           []ssh.PublicKey
 	hostKeyAlgorithms []string
 	clientVersion     string
 	authMethod        []ssh.AuthMethod
@@ -91,6 +94,15 @@ func NewSSH(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		}
 		outbound.authMethod = append(outbound.authMethod, ssh.PublicKeys(signer))
 	}
+	if len(options.HostKey) > 0 {
+		for _, hostKey := range options.HostKey {
+			key, _, _, _, err := ssh.ParseAuthorizedKey([]byte(hostKey))
+			if err != nil {
+				return nil, E.New("parse host key ", key)
+			}
+			outbound.hostKey = append(outbound.hostKey, key)
+		}
+	}
 	return outbound, nil
 }

@@ -126,7 +138,16 @@ func (s *SSH) connect() (*ssh.Client, error) {
 		ClientVersion:     s.clientVersion,
 		HostKeyAlgorithms: s.hostKeyAlgorithms,
 		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
-			return nil
+			if len(s.hostKey) == 0 {
+				return nil
+			}
+			serverKey := key.Marshal()
+			for _, hostKey := range s.hostKey {
+				if bytes.Equal(serverKey, hostKey.Marshal()) {
+					return nil
+				}
+			}
+			return E.New("host key mismatch, server send ", key.Type(), " ", base64.StdEncoding.EncodeToString(serverKey))
 		},
 	}
 	clientConn, chans, reqs, err := ssh.NewClientConn(conn, s.serverAddr.Addr.String(), config)
--- a/outbound/trojan.go
+++ b/outbound/trojan.go
@@ -11,13 +11,13 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/transport/trojan"
 	"github.com/sagernet/sing-box/transport/v2ray"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/protocol/trojan"
 )

 var _ adapter.Outbound = (*Trojan)(nil)
--- a/release/config/postinstall.sh
+++ b/release/config/postinstall.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+mkdir -p /var/lib/sing-box
--- a/release/config/postremove.sh
+++ b/release/config/postremove.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+rm -rf /var/lib/sing-box
--- a/release/config/sing-box.service
+++ b/release/config/sing-box.service
@@ -4,8 +4,9 @@ Documentation=https://sing-box.sagernet.org
 After=network.target nss-lookup.target

 [Service]
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+WorkingDirectory=/var/lib/sing-box
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 ExecStart=/usr/bin/sing-box run -c /etc/sing-box/config.json
 Restart=on-failure
 RestartSec=10s
--- a/release/config/sing-box@.service
+++ b/release/config/sing-box@.service
@@ -4,8 +4,9 @@ Documentation=https://sing-box.sagernet.org
 After=network.target nss-lookup.target

 [Service]
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+WorkingDirectory=/var/lib/sing-box-%i
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 ExecStart=/usr/bin/sing-box run -c /etc/sing-box/%i.json
 Restart=on-failure
 RestartSec=10s
--- a/release/local/install.sh
+++ b/release/local/install.sh
@@ -14,6 +14,7 @@ go install -v -trimpath -ldflags "-s -w -buildid=" -tags with_quic,with_wireguar
 popd

 sudo cp $(go env GOPATH)/bin/sing-box /usr/local/bin/
+sudo mkdir -p /var/lib/sing-box
 sudo mkdir -p /usr/local/etc/sing-box
 sudo cp $PROJECT/release/config/config.json /usr/local/etc/sing-box/config.json
 sudo cp $DIR/sing-box.service /etc/systemd/system
--- a/release/local/install_go.sh
+++ b/release/local/install_go.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash

 set -e -o pipefail
-curl -Lo go.tar.gz https://go.dev/dl/go1.19.3.linux-amd64.tar.gz
+curl -Lo go.tar.gz https://go.dev/dl/go1.20.1.linux-amd64.tar.gz
 sudo rm -rf /usr/local/go
 sudo tar -C /usr/local -xzf go.tar.gz
-rm go.tar.gz
+rm go.tar.gz
--- a/release/local/sing-box.service
+++ b/release/local/sing-box.service
@@ -4,8 +4,9 @@ Documentation=https://sing-box.sagernet.org
 After=network.target nss-lookup.target

 [Service]
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+WorkingDirectory=/var/lib/sing-box
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 ExecStart=/usr/local/bin/sing-box run -c /usr/local/etc/sing-box/config.json
 Restart=on-failure
 RestartSec=10s
--- a/release/local/uninstall.sh
+++ b/release/local/uninstall.sh
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash

 sudo systemctl stop sing-box
+sudo rm -rf /var/lib/sing-box
 sudo rm -rf /usr/local/bin/sing-box
 sudo rm -rf /usr/local/etc/sing-box
 sudo rm -rf /etc/systemd/system/sing-box.service
--- a/route/router.go
+++ b/route/router.go
@@ -99,7 +99,7 @@ type Router struct {
 	v2rayServer                        adapter.V2RayServer
 }

-func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.ContextLogger, options option.RouteOptions, dnsOptions option.DNSOptions, inbounds []option.Inbound) (*Router, error) {
+func NewRouter(ctx context.Context, logFactory log.Factory, options option.RouteOptions, dnsOptions option.DNSOptions, inbounds []option.Inbound) (*Router, error) {
 	if options.DefaultInterface != "" {
 		warnDefaultInterfaceOnUnsupportedPlatform.Check()
 	}
@@ -112,8 +112,8 @@ func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.Cont

 	router := &Router{
 		ctx:                   ctx,
-		logger:                logger,
-		dnsLogger:             dnsLogger,
+		logger:                logFactory.NewLogger("router"),
+		dnsLogger:             logFactory.NewLogger("dns"),
 		outboundByTag:         make(map[string]adapter.Outbound),
 		rules:                 make([]adapter.Rule, 0, len(options.Rules)),
 		dnsRules:              make([]adapter.DNSRule, 0, len(dnsOptions.Rules)),
@@ -123,21 +123,21 @@ func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.Cont
 		geositeOptions:        common.PtrValueOrDefault(options.Geosite),
 		geositeCache:          make(map[string]adapter.Rule),
 		defaultDetour:         options.Final,
-		dnsClient:             dns.NewClient(dnsOptions.DNSClientOptions.DisableCache, dnsOptions.DNSClientOptions.DisableExpire),
 		defaultDomainStrategy: dns.DomainStrategy(dnsOptions.Strategy),
 		autoDetectInterface:   options.AutoDetectInterface,
 		defaultInterface:      options.DefaultInterface,
 		defaultMark:           options.DefaultMark,
 	}
+	router.dnsClient = dns.NewClient(dnsOptions.DNSClientOptions.DisableCache, dnsOptions.DNSClientOptions.DisableExpire, router.dnsLogger)
 	for i, ruleOptions := range options.Rules {
-		routeRule, err := NewRule(router, logger, ruleOptions)
+		routeRule, err := NewRule(router, router.logger, ruleOptions)
 		if err != nil {
 			return nil, E.Cause(err, "parse rule[", i, "]")
 		}
 		router.rules = append(router.rules, routeRule)
 	}
 	for i, dnsRuleOptions := range dnsOptions.Rules {
-		dnsRule, err := NewDNSRule(router, logger, dnsRuleOptions)
+		dnsRule, err := NewDNSRule(router, router.logger, dnsRuleOptions)
 		if err != nil {
 			return nil, E.Cause(err, "parse dns rule[", i, "]")
 		}
@@ -159,6 +159,7 @@ func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.Cont
 		transportTags[i] = tag
 		transportTagMap[tag] = true
 	}
+	ctx = adapter.ContextWithRouter(ctx, router)
 	for {
 		lastLen := len(dummyTransportMap)
 		for i, server := range dnsOptions.Servers {
@@ -173,13 +174,13 @@ func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.Cont
 				detour = dialer.NewDetour(router, server.Detour)
 			}
 			switch server.Address {
-			case "local", "rcode":
+			case "local":
 			default:
-				serverURL, err := url.Parse(server.Address)
-				if err != nil {
-					return nil, err
+				serverURL, _ := url.Parse(server.Address)
+				var serverAddress string
+				if serverURL != nil {
+					serverAddress = serverURL.Hostname()
 				}
-				serverAddress := serverURL.Hostname()
 				if serverAddress == "" {
 					serverAddress = server.Address
 				}
@@ -193,11 +194,15 @@ func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.Cont
 					} else {
 						continue
 					}
-				} else if notIpAddress != nil && (serverURL == nil || serverURL.Scheme != "rcode") {
-					return nil, E.New("parse dns server[", tag, "]: missing address_resolver")
+				} else if notIpAddress != nil {
+					switch serverURL.Scheme {
+					case "rcode", "dhcp":
+					default:
+						return nil, E.New("parse dns server[", tag, "]: missing address_resolver")
+					}
 				}
 			}
-			transport, err := dns.CreateTransport(ctx, detour, server.Address)
+			transport, err := dns.CreateTransport(ctx, logFactory.NewLogger(F.ToString("dns/transport[", tag, "]")), detour, server.Address)
 			if err != nil {
 				return nil, E.Cause(err, "parse dns server[", tag, "]")
 			}
@@ -279,12 +284,12 @@ func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.Cont
 	}
 	if needFindProcess {
 		searcher, err := process.NewSearcher(process.Config{
-			Logger:         logger,
+			Logger:         logFactory.NewLogger("router/process"),
 			PackageManager: router.packageManager,
 		})
 		if err != nil {
 			if err != os.ErrInvalid {
-				logger.Warn(E.Cause(err, "create process searcher"))
+				router.logger.Warn(E.Cause(err, "create process searcher"))
 			}
 		} else {
 			router.processSearcher = searcher
@@ -392,14 +397,20 @@ func (r *Router) Start() error {
 			return err
 		}
 	}
-	for _, rule := range r.rules {
-		err := rule.Start()
+	if r.interfaceMonitor != nil {
+		err := r.interfaceMonitor.Start()
 		if err != nil {
 			return err
 		}
 	}
-	for _, rule := range r.dnsRules {
-		err := rule.Start()
+	if r.networkMonitor != nil {
+		err := r.networkMonitor.Start()
+		if err != nil {
+			return err
+		}
+	}
+	if r.packageManager != nil {
+		err := r.packageManager.Start()
 		if err != nil {
 			return err
 		}
@@ -424,22 +435,22 @@ func (r *Router) Start() error {
 		r.geositeCache = nil
 		r.geositeReader = nil
 	}
-	if r.interfaceMonitor != nil {
-		err := r.interfaceMonitor.Start()
+	for i, rule := range r.rules {
+		err := rule.Start()
 		if err != nil {
-			return err
+			return E.Cause(err, "initialize rule[", i, "]")
 		}
 	}
-	if r.networkMonitor != nil {
-		err := r.networkMonitor.Start()
+	for i, rule := range r.dnsRules {
+		err := rule.Start()
 		if err != nil {
-			return err
+			return E.Cause(err, "initialize DNS rule[", i, "]")
 		}
 	}
-	if r.packageManager != nil {
-		err := r.packageManager.Start()
+	for i, transport := range r.transports {
+		err := transport.Start()
 		if err != nil {
-			return err
+			return E.Cause(err, "initialize DNS server[", i, "]")
 		}
 	}
 	return nil
@@ -458,6 +469,12 @@ func (r *Router) Close() error {
 			return err
 		}
 	}
+	for _, transport := range r.transports {
+		err := transport.Close()
+		if err != nil {
+			return err
+		}
+	}
 	return common.Close(
 		common.PtrOrNil(r.geoIPReader),
 		r.interfaceMonitor,
@@ -583,7 +600,7 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 	}
 	if r.v2rayServer != nil {
 		if statsService := r.v2rayServer.StatsService(); statsService != nil {
-			conn = statsService.RoutedConnection(metadata.Inbound, detour.Tag(), conn)
+			conn = statsService.RoutedConnection(metadata.Inbound, detour.Tag(), metadata.User, conn)
 		}
 	}
 	return detour.NewConnection(ctx, conn, metadata)
@@ -661,7 +678,7 @@ func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, m
 	}
 	if r.v2rayServer != nil {
 		if statsService := r.v2rayServer.StatsService(); statsService != nil {
-			conn = statsService.RoutedPacketConnection(metadata.Inbound, detour.Tag(), conn)
+			conn = statsService.RoutedPacketConnection(metadata.Inbound, detour.Tag(), metadata.User, conn)
 		}
 	}
 	return detour.NewPacketConnection(ctx, conn, metadata)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	73c068b96f	Update documentation	2023-02-19 17:49:05 +08:00
世界	f516026540	Fix shadowtls in go versiojns below 1.20	2023-02-19 12:02:11 +08:00
dyhkwong	3c5bc842ed	Update QUIC v2 version number and initial salt	2023-02-18 23:51:55 +08:00
世界	d8270a66f4	Update release script	2023-02-18 21:14:17 +08:00
世界	123c383eae	Fix documentation	2023-02-18 19:33:35 +08:00
世界	67814faf92	Remove TLS min version for shadowtls v3	2023-02-18 19:26:05 +08:00
世界	ec4a0c8497	Update documentation	2023-02-18 15:02:27 +08:00
世界	21cb227bc2	Add ShadowTLS protocol v3	2023-02-18 14:55:47 +08:00
世界	1610bdc5dd	Update workflow	2023-02-18 14:28:21 +08:00
世界	3296a2f7b2	Update dependencies	2023-02-18 14:28:21 +08:00
世界	2bd91baad0	Add fallback support for v2ray transport	2023-02-18 14:28:21 +08:00
世界	a624cd9b49	Disable vmess header protection if transport enabled	2023-02-13 05:15:26 +08:00
Tim Xylon	02afba132f	Replace deprecated 'set-output'	2023-02-09 22:07:00 +08:00
世界	99890a1af0	Fix socks connect response	2023-02-09 21:25:00 +08:00
世界	437f1f819c	Fix lint	2023-02-09 21:01:48 +08:00
世界	92a79e6158	Remove cancel-workflow-action	2023-02-09 18:04:49 +08:00
renovate[bot]	c9efd0a74f	[dependencies] Update golang Docker tag to v1.20 Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-02-09 18:04:16 +08:00
renovate[bot]	9da349748a	[dependencies] Update github-actions Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-02-09 17:42:06 +08:00
世界	2423cbbbfe	Add renovate config	2023-02-09 17:39:15 +08:00
Gavin Luo	4833f6d5db	Fix systemd service caps for process sniffing	2023-02-09 13:32:31 +08:00
世界	9db3cb5cb7	Update scripts	2023-02-09 13:27:05 +08:00
shadow750d6	c14b353a29	Fix parse hysteria UDP message	2023-02-09 13:20:16 +08:00
世界	19d08b55c8	Update documentation	2023-02-08 17:35:50 +08:00
世界	39514b3ca0	Add v2ray user stats api	2023-02-08 16:50:15 +08:00
世界	7ea9d48987	Add DHCP DNS server support	2023-02-08 16:43:29 +08:00
lyc8503	df3a982141	Add SSH outbound host key validation	2023-02-08 16:20:48 +08:00
世界	687b4509df	Add query_type DNS rule item	2023-02-08 16:18:40 +08:00
世界	41ec2e7944	Add support for clash DNS query API	2023-02-08 14:13:33 +08:00
世界	1bd3a9144d	Upgrade tfo-go	2023-02-08 14:13:33 +08:00
世界	6e852cc99b	Update dependencies	2023-02-08 14:13:15 +08:00
世界	8320dd0b51	Improve vmess request	2023-02-07 14:53:08 +08:00
世界	960d04d172	Fix match geoip	2023-02-07 12:21:00 +08:00
世界	86ea035bdd	Fix ipv6 redir port	2023-02-05 14:48:02 +08:00
世界	9b6449dcf4	Fix find NDK on macOS	2023-02-02 16:30:50 +08:00
世界	4e22ac1a35	Update documentation	2023-02-02 16:11:29 +08:00
世界	8a779f6e94	Update dependencies	2023-02-02 15:38:48 +08:00
世界	d461768ffb	Fix build with go1.20	2023-02-02 15:25:34 +08:00
Dmitry R	5d41e328d4	ignore domain case in route rules	2023-02-02 15:25:34 +08:00
世界	fe492904e9	Fix auth_user route for naive inbound	2023-01-19 10:47:22 +08:00
世界	168253b851	Fix inbound default DF	2023-01-19 10:36:25 +08:00
Hellojack	05620a369e	Fix gRPC lite header Manually set the first byte to 0x00 (No Compression) since we can not ensure that the buffer is not polluted before.	2023-01-16 16:23:06 +08:00
世界	8e0fe55363	Fix wireguard events	2023-01-15 19:48:50 +08:00
世界	59e521c1db	Fix convert netaddr	2023-01-14 20:04:15 +08:00
世界	f32c149738	Bump version	2023-01-14 16:01:07 +08:00
世界	23a35b3c06	Fix create UDP DNS transport from plain IPv6 address	2023-01-13 11:51:20 +08:00
世界	044f9c5d4f	Fix write to h2 conn after closed	2023-01-08 15:43:12 +08:00
世界	54f9625bdc	Fix DNS log	2023-01-03 17:04:10 +08:00
世界	ff0693be32	Bump version	2023-01-03 10:53:38 +08:00
世界	53d9ad93e3	Improve DNS log	2023-01-03 10:36:18 +08:00
世界	f5c5570bec	Skip set windows system proxy bypass list	2022-12-26 12:33:08 +08:00
世界	53f19a6ead	Fix override packet conn	2022-12-21 21:58:03 +08:00
世界	cfaf15f429	Fix DNS response TTL	2022-12-19 13:10:57 +08:00
世界	9e67f3b4a5	Fix user from stream packet conn	2022-12-18 16:08:49 +08:00
isnowly	4d2185a2d4	Fix http proxy auth	2022-12-18 16:08:49 +08:00
世界	33f22263ca	Update dependencies	2022-12-18 15:40:19 +08:00
世界	d09aa07d21	Fix android i686 compiler	2022-12-11 15:01:54 +08:00
世界	8afb8ca7eb	Update documentation	2022-12-11 14:40:03 +08:00
世界	80ed5bf8fb	Fix android package	2022-12-11 14:38:01 +08:00
世界	81e7b0b320	Fix linux package	2022-12-11 11:51:25 +08:00
世界	a828c3b5da	Fix acme config	2022-12-06 13:36:42 +08:00
世界	c95e4a13a1	Fix vmess packet conn	2022-12-06 13:02:28 +08:00
世界	726a7e19eb	Suppress quic-go set DF error	2022-12-06 12:51:52 +08:00
世界	8953ddc6e0	Update workflow	2022-12-03 17:03:04 +08:00
世界	7ebbd58b00	Update documentation	2022-12-03 14:38:52 +08:00
世界	d0095fd0f4	Fix close clash cache	2022-12-03 13:29:37 +08:00
世界	66d8d563eb	Add WorkingDirectory for systemd service	2022-11-28 18:30:50 +08:00
世界	4bf96c7eb5	Fix quic stub	2022-11-28 16:06:54 +08:00
世界	f687c25fa9	Update documentation	2022-11-28 13:11:07 +08:00
世界	a92412ecac	Fix router	2022-11-28 13:11:07 +08:00
世界	8dcafa5b33	Add trojan-go multiplex support for trojan inbound	2022-11-28 12:51:23 +08:00
世界	7a02cb83a7	Revert "Fix listen packet on address" This reverts commit `d1fe17a4db`.	2022-11-28 12:51:23 +08:00
世界	51ce672076	Fix crash when input bad method in shadowsocks multi-user inbound	2022-11-28 12:51:23 +08:00
世界	7734afc40c	Update dependencies	2022-11-28 12:51:23 +08:00
世界	ee3cd49aa5	Fix tls config for h2 server	2022-11-26 14:55:51 +08:00
世界	bf20ff84b5	Fix lint	2022-11-26 11:21:24 +08:00
世界	c58302554c	Fix documentation	2022-11-26 11:06:57 +08:00
世界	05ed88aba8	Update documentation	2022-11-25 22:59:30 +08:00
世界	9f5cc0442b	Fix dockerfile	2022-11-25 22:59:30 +08:00
世界	2641a43ad8	Remove test on pull request	2022-11-25 21:12:45 +08:00
世界	4a6ab5e9fd	Fix cancel on start	2022-11-25 21:12:45 +08:00
世界	d1fe17a4db	Fix listen packet on address	2022-11-25 21:12:45 +08:00
世界	7c910165ef	Cleanup code	2022-11-24 12:37:29 +08:00
世界	8c1fddcf8d	Remove connect packet conn	2022-11-24 12:01:25 +08:00
Hellojack	01b4769852	Cleanup gun conn code	2022-11-23 14:56:31 +08:00
世界	a401828ed5	Fix shadowtls server detection	2022-11-22 22:15:38 +08:00
世界	ffd54eef6c	Update documentation	2022-11-21 21:20:44 +08:00
世界	c16e4316d6	Fix shadowtls server	2022-11-21 21:20:44 +08:00
世界	8b7fe20b7f	Include uTLS in release	2022-11-21 15:25:49 +08:00
世界	696c1065b6	Update stable documentation	2022-11-21 14:57:22 +08:00
世界	5d690f4147	Update documentation	2022-11-21 13:18:04 +08:00
世界	f906641a82	Add uTLS to makefile default tags	2022-11-21 13:18:04 +08:00
世界	89913dfa8c	Improve shadowtls server	2022-11-21 13:18:04 +08:00
世界	468778f67f	Update dependencies	2022-11-21 13:18:04 +08:00
世界	22a22aebe2	Fix default dns transport strategy	2022-11-21 13:18:04 +08:00