Fix documentation

Signed-off-by: 世界 <i@sekai.icu> Signed-off-by: unknowndevQwQ <unknowndevQwQ@pm.me>
Update documentation
2022-09-26 12:25:18 +08:00 · 2022-09-25 22:29:18 +08:00 · 2022-09-25 22:29:18 +08:00 · 2022-09-25 22:29:18 +08:00 · 2022-09-25 22:29:18 +08:00 · 2022-09-25 16:43:12 +08:00
172 changed files with 5893 additions and 936 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,34 @@
 name: Test build
 on:
  pull_request:
    branches:
      - main
      - dev
      - dev-next
 jobs:
  build:
    name: Debug build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Get latest go version
        id: version
        run: |
          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Cache go module
        uses: actions/cache@v2
        with:
          path: |
            ~/go/pkg/mod
          key: go-${{ hashFiles('**/go.sum') }}
      - name: Run Test
        run: make test
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -9,8 +9,9 @@ builds:
    gcflags:
      - all=-trimpath={{.Env.GOPATH}}
    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Commit={{ .ShortCommit }} -s -w -buildid=
+      - -s -w -buildid=
    tags:
      - with_gvisor
      - with_quic
      - with_wireguard
      - with_clash_api
--- a/4
+++ b/4
@@ -8,9 +8,9 @@ ENV CGO_ENABLED=0
 RUN set -ex \
    && apk add git build-base \
    && export COMMIT=$(git rev-parse --short HEAD) \
-    && go build -v -trimpath -tags 'no_gvisor,with_quic,with_wireguard,with_acme' \
+    && go build -v -trimpath -tags with_quic,with_wireguard,with_acme \
        -o /go/bin/sing-box \
-        -ldflags "-X github.com/sagernet/sing-box/constant.Commit=${COMMIT} -w -s -buildid=" \
+        -ldflags "-s -w -buildid=" \
        ./cmd/sing-box
 FROM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
--- a/22
+++ b/22
@@ -1,9 +1,8 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_quic,with_wireguard,with_clash_api
+TAGS ?= with_gvisor,with_quic,with_wireguard,with_clash_api
-PARAMS = -v -trimpath -tags '$(TAGS)' -ldflags \
+TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_shadowsocksr
-		'-X "github.com/sagernet/sing-box/constant.Commit=$(COMMIT)" \
+PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-s -w -buildid="
 		-w -s -buildid='
 MAIN = ./cmd/sing-box
 .PHONY: test release
@@ -61,14 +60,19 @@ release_install:
 	go install -v github.com/tcnksm/ghr@latest
 test:
-	@go test -v . && \
+	@go test -v ./... && \
-	pushd test && \
+	cd test && \
 	go mod tidy && \
-	go test -v -tags with_quic,with_wireguard,with_grpc,with_ech,with_utls . && \
+	go test -v -tags "$(TAGS_TEST)" .
-	popd
+
 test_stdio:
 	@go test -v ./... && \
 	cd test && \
 	go mod tidy && \
 	go test -v -tags "$(TAGS_TEST),force_stdio" .
 clean:
-	rm -rf bin dist
+	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box
 update:
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"github.com/sagernet/sing-box/common/urltest"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -12,6 +13,7 @@ type ClashServer interface {
 	Mode() string
 	StoreSelected() bool
 	CacheFile() ClashCacheFile
 	HistoryStorage() *urltest.HistoryStorage
 	RoutedConnection(ctx context.Context, conn net.Conn, metadata InboundContext, matchedRule Rule) (net.Conn, Tracker)
 	RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext, matchedRule Rule) (N.PacketConn, Tracker)
 }
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -11,7 +11,7 @@ import (
 	"github.com/sagernet/sing/common/control"
 	N "github.com/sagernet/sing/common/network"
-	"golang.org/x/net/dns/dnsmessage"
+	mdns "github.com/miekg/dns"
 )
 type Router interface {
@@ -27,11 +27,11 @@ type Router interface {
 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
-	Exchange(ctx context.Context, message *dnsmessage.Message) (*dnsmessage.Message, error)
+	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
 	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
-	InterfaceBindManager() control.BindManager
+	InterfaceFinder() control.InterfaceFinder
 	DefaultInterface() string
 	AutoDetectInterface() bool
 	DefaultMark() int
--- a/adapter/upstream.go
+++ b/adapter/upstream.go
@@ -38,13 +38,25 @@ type myUpstreamHandlerWrapper struct {
 }
 func (w *myUpstreamHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	w.metadata.Destination = metadata.Destination
+	myMetadata := w.metadata
-	return w.connectionHandler(ctx, conn, w.metadata)
+	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.connectionHandler(ctx, conn, myMetadata)
 }
 func (w *myUpstreamHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
-	w.metadata.Destination = metadata.Destination
+	myMetadata := w.metadata
-	return w.packetHandler(ctx, conn, w.metadata)
+	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.packetHandler(ctx, conn, myMetadata)
 }
 func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
@@ -78,13 +90,23 @@ func NewUpstreamContextHandler(
 func (w *myUpstreamContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
-	myMetadata.Destination = metadata.Destination
+	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.connectionHandler(ctx, conn, *myMetadata)
 }
 func (w *myUpstreamContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
-	myMetadata.Destination = metadata.Destination
+	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.packetHandler(ctx, conn, *myMetadata)
 }
--- a/cmd/sing-box/cmd_version.go
+++ b/cmd/sing-box/cmd_version.go
@@ -3,9 +3,9 @@ package main
 import (
 	"os"
 	"runtime"
 	"runtime/debug"
 	C "github.com/sagernet/sing-box/constant"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/spf13/cobra"
 )
@@ -25,30 +25,40 @@ func init() {
 }
 func printVersion(cmd *cobra.Command, args []string) {
-	var version string
+	if nameOnly {
-	if !nameOnly {
+		os.Stdout.WriteString(C.Version + "\n")
-		version = "sing-box "
+		return
 	}
-	version += F.ToString(C.Version)
+	version := "sing-box version " + C.Version + "\n\n"
-	if C.Commit != "" {
+	version += "Environment: " + runtime.Version() + " " + runtime.GOOS + "/" + runtime.GOARCH + "\n"
-		version += "." + C.Commit
+
-	}
+	var tags string
-	if !nameOnly {
+	var revision string
-		version += " ("
+
-		version += runtime.Version()
+	debugInfo, loaded := debug.ReadBuildInfo()
-		version += ", "
+	if loaded {
-		version += runtime.GOOS
+		for _, setting := range debugInfo.Settings {
-		version += "/"
+			switch setting.Key {
-		version += runtime.GOARCH
+			case "-tags":
-		version += ", "
+				tags = setting.Value
-		version += "CGO "
+			case "vcs.revision":
-		if C.CGO_ENABLED {
+				revision = setting.Value
-			version += "enabled"
+			}
 		} else {
 			version += "disabled"
 		}
 		version += ")"
 	}
-	version += "\n"
+
 	if tags != "" {
 		version += "Tags: " + tags + "\n"
 	}
 	if revision != "" {
 		version += "Revision: " + revision + "\n"
 	}
 	if C.CGO_ENABLED {
 		version += "CGO: enabled\n"
 	} else {
 		version += "CGO: disabled\n"
 	}
 	os.Stdout.WriteString(version)
 }
--- a/cmd/sing-box/main.go
+++ b/cmd/sing-box/main.go
@@ -3,6 +3,7 @@ package main
 import (
 	"os"
 	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/spf13/cobra"
--- a/common/baderror/baderror.go
+++ b/common/baderror/baderror.go
@@ -26,7 +26,7 @@ func WrapH2(err error) error {
 	if err == io.ErrUnexpectedEOF {
 		return io.EOF
 	}
-	if Contains(err, "client disconnected", "body closed by handler") {
+	if Contains(err, "client disconnected", "body closed by handler", "response body closed", "; CANCEL") {
 		return net.ErrClosed
 	}
 	return err
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -65,25 +65,23 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
 		warnBindInterfaceOnUnsupportedPlatform.Check()
-		bindFunc := control.BindToInterface(router.InterfaceBindManager(), options.BindInterface)
+		bindFunc := control.BindToInterface(router.InterfaceFinder(), options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	} else if router.AutoDetectInterface() {
-		if C.IsWindows {
+		const useInterfaceName = C.IsLinux
-			bindFunc := control.BindToInterfaceIndexFunc(func(network, address string) int {
+		bindFunc := control.BindToInterfaceFunc(router.InterfaceFinder(), func(network string, address string) (interfaceName string, interfaceIndex int) {
-				return router.InterfaceMonitor().DefaultInterfaceIndex(M.ParseSocksaddr(address).Addr)
+			remoteAddr := M.ParseSocksaddr(address).Addr
-			})
+			if C.IsLinux {
-			dialer.Control = control.Append(dialer.Control, bindFunc)
+				return router.InterfaceMonitor().DefaultInterfaceName(remoteAddr), -1
-			listener.Control = control.Append(listener.Control, bindFunc)
+			} else {
-		} else {
+				return "", router.InterfaceMonitor().DefaultInterfaceIndex(remoteAddr)
-			bindFunc := control.BindToInterfaceFunc(router.InterfaceBindManager(), func(network, address string) string {
+			}
-				return router.InterfaceMonitor().DefaultInterfaceName(M.ParseSocksaddr(address).Addr)
+		})
-			})
+		dialer.Control = control.Append(dialer.Control, bindFunc)
-			dialer.Control = control.Append(dialer.Control, bindFunc)
+		listener.Control = control.Append(listener.Control, bindFunc)
 			listener.Control = control.Append(listener.Control, bindFunc)
 		}
 	} else if router.DefaultInterface() != "" {
-		bindFunc := control.BindToInterface(router.InterfaceBindManager(), router.DefaultInterface())
+		bindFunc := control.BindToInterface(router.InterfaceFinder(), router.DefaultInterface(), -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
@@ -112,7 +110,13 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	if options.TCPFastOpen {
 		warnTFOOnUnsupportedPlatform.Check()
 	}
-	if !options.UDPFragment {
+	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment
 	} else {
 		udpFragment = options.UDPFragmentDefault
 	}
 	if !udpFragment {
 		dialer.Control = control.Append(dialer.Control, control.DisableUDPFragment())
 		listener.Control = control.Append(listener.Control, control.DisableUDPFragment())
 	}
@@ -142,7 +146,7 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 	case N.NetworkUDP:
 		return d.udpDialer.DialContext(ctx, network, address.String())
 	}
-	return d.dialer.DialContext(ctx, network, address.Unwrap().String())
+	return d.dialer.DialContext(ctx, network, address.String())
 }
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
--- a/common/mux/client.go
+++ b/common/mux/client.go
@@ -466,10 +466,7 @@ func (c *ClientPacketAddrConn) ReadPacket(buffer *buf.Buffer) (destination M.Soc
 	if err != nil {
 		return
 	}
-	if buffer.FreeLen() < int(length) {
+	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
 		return destination, io.ErrShortBuffer
 	}
 	_, err = io.ReadFull(c.ExtendedConn, buffer.Extend(int(length)))
 	return
 }
--- a/common/mux/service.go
+++ b/common/mux/service.go
@@ -3,7 +3,6 @@ package mux
 import (
 	"context"
 	"encoding/binary"
 	"io"
 	"net"
 	"github.com/sagernet/sing-box/adapter"
@@ -15,6 +14,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/rw"
 	"github.com/sagernet/sing/common/task"
 )
 func NewConnection(ctx context.Context, router adapter.Router, errorHandler E.Handler, logger log.ContextLogger, conn net.Conn, metadata adapter.InboundContext) error {
@@ -26,14 +26,21 @@ func NewConnection(ctx context.Context, router adapter.Router, errorHandler E.Ha
 	if err != nil {
 		return err
 	}
-	var stream net.Conn
+	var group task.Group
-	for {
+	group.Append0(func(ctx context.Context) error {
-		stream, err = session.Accept()
+		var stream net.Conn
-		if err != nil {
+		for {
-			return err
+			stream, err = session.Accept()
 			if err != nil {
 				return err
 			}
 			go newConnection(ctx, router, errorHandler, logger, stream, metadata)
 		}
-		go newConnection(ctx, router, errorHandler, logger, stream, metadata)
+	})
-	}
+	group.Cleanup(func() {
 		session.Close()
 	})
 	return group.Run(ctx)
 }
 func newConnection(ctx context.Context, router adapter.Router, errorHandler E.Handler, logger log.ContextLogger, stream net.Conn, metadata adapter.InboundContext) {
@@ -158,9 +165,6 @@ func (c *ServerPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksad
 	if err != nil {
 		return
 	}
 	if buffer.FreeLen() < int(length) {
 		return destination, io.ErrShortBuffer
 	}
 	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
 	if err != nil {
 		return
@@ -223,9 +227,6 @@ func (c *ServerPacketAddrConn) ReadPacket(buffer *buf.Buffer) (destination M.Soc
 	if err != nil {
 		return
 	}
 	if buffer.FreeLen() < int(length) {
 		return destination, io.ErrShortBuffer
 	}
 	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
 	if err != nil {
 		return
--- a/common/process/searcher.go
+++ b/common/process/searcher.go
@@ -28,11 +28,5 @@ type Info struct {
 }
 func FindProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	info, err := findProcessInfo(searcher, ctx, network, source, destination)
+	return findProcessInfo(searcher, ctx, network, source, destination)
 	if err != nil {
 		if source.Addr().Is4In6() {
 			info, err = findProcessInfo(searcher, ctx, network, netip.AddrPortFrom(netip.AddrFrom4(source.Addr().As4()), source.Port()), destination)
 		}
 	}
 	return info, err
 }
--- a/common/proxyproto/listener.go
+++ b/common/proxyproto/listener.go
@@ -36,8 +36,8 @@ func (l *Listener) Accept() (net.Conn, error) {
 	}
 	if header != nil {
 		return &bufio.AddrConn{Conn: conn, Metadata: M.Metadata{
-			Source:      M.SocksaddrFromNet(header.SourceAddr),
+			Source:      M.SocksaddrFromNet(header.SourceAddr).Unwrap(),
-			Destination: M.SocksaddrFromNet(header.DestinationAddr),
+			Destination: M.SocksaddrFromNet(header.DestinationAddr).Unwrap(),
 		}}, nil
 	}
 	return conn, nil
--- a/common/redir/tproxy_linux.go
+++ b/common/redir/tproxy_linux.go
@@ -2,14 +2,11 @@ package redir
 import (
 	"encoding/binary"
 	"net"
 	"net/netip"
 	"os"
 	"strconv"
 	"syscall"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	"golang.org/x/sys/unix"
@@ -32,6 +29,18 @@ func TProxy(fd uintptr, isIPv6 bool) error {
 	return err
 }
 func TProxyWriteBack() control.Func {
 	return func(network, address string, conn syscall.RawConn) error {
 		return control.Raw(conn, func(fd uintptr) error {
 			if M.ParseSocksaddr(address).Addr.Is6() {
 				return syscall.SetsockoptInt(int(fd), syscall.SOL_IPV6, unix.IPV6_TRANSPARENT, 1)
 			} else {
 				return syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_TRANSPARENT, 1)
 			}
 		})
 	}
 }
 func GetOriginalDestinationFromOOB(oob []byte) (netip.AddrPort, error) {
 	controlMessages, err := unix.ParseSocketControlMessage(oob)
 	if err != nil {
@@ -46,79 +55,3 @@ func GetOriginalDestinationFromOOB(oob []byte) (netip.AddrPort, error) {
 	}
 	return netip.AddrPort{}, E.New("not found")
 }
 func DialUDP(lAddr *net.UDPAddr, rAddr *net.UDPAddr) (*net.UDPConn, error) {
 	rSockAddr, err := udpAddrToSockAddr(rAddr)
 	if err != nil {
 		return nil, err
 	}
 	lSockAddr, err := udpAddrToSockAddr(lAddr)
 	if err != nil {
 		return nil, err
 	}
 	fd, err := syscall.Socket(udpAddrFamily(lAddr, rAddr), syscall.SOCK_DGRAM, 0)
 	if err != nil {
 		return nil, err
 	}
 	if err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 1); err != nil {
 		syscall.Close(fd)
 		return nil, err
 	}
 	if err = syscall.SetsockoptInt(fd, syscall.SOL_IP, syscall.IP_TRANSPARENT, 1); err != nil {
 		syscall.Close(fd)
 		return nil, err
 	}
 	if err = syscall.Bind(fd, lSockAddr); err != nil {
 		syscall.Close(fd)
 		return nil, err
 	}
 	if err = syscall.Connect(fd, rSockAddr); err != nil {
 		syscall.Close(fd)
 		return nil, err
 	}
 	fdFile := os.NewFile(uintptr(fd), F.ToString("net-udp-dial-", rAddr))
 	defer fdFile.Close()
 	c, err := net.FileConn(fdFile)
 	if err != nil {
 		syscall.Close(fd)
 		return nil, err
 	}
 	return c.(*net.UDPConn), nil
 }
 func udpAddrToSockAddr(addr *net.UDPAddr) (syscall.Sockaddr, error) {
 	switch {
 	case addr.IP.To4() != nil:
 		ip := [4]byte{}
 		copy(ip[:], addr.IP.To4())
 		return &syscall.SockaddrInet4{Addr: ip, Port: addr.Port}, nil
 	default:
 		ip := [16]byte{}
 		copy(ip[:], addr.IP.To16())
 		zoneID, err := strconv.ParseUint(addr.Zone, 10, 32)
 		if err != nil {
 			zoneID = 0
 		}
 		return &syscall.SockaddrInet6{Addr: ip, Port: addr.Port, ZoneId: uint32(zoneID)}, nil
 	}
 }
 func udpAddrFamily(lAddr, rAddr *net.UDPAddr) int {
 	if (lAddr == nil || lAddr.IP.To4() != nil) && (rAddr == nil || lAddr.IP.To4() != nil) {
 		return syscall.AF_INET
 	}
 	return syscall.AF_INET6
 }
--- a/common/redir/tproxy_other.go
+++ b/common/redir/tproxy_other.go
@@ -3,19 +3,20 @@
 package redir
 import (
 	"net"
 	"net/netip"
 	"os"
 	"github.com/sagernet/sing/common/control"
 )
 func TProxy(fd uintptr, isIPv6 bool) error {
 	return os.ErrInvalid
 }
 func TProxyWriteBack() control.Func {
 	return nil
 }
 func GetOriginalDestinationFromOOB(oob []byte) (netip.AddrPort, error) {
 	return netip.AddrPort{}, os.ErrInvalid
 }
 func DialUDP(lAddr *net.UDPAddr, rAddr *net.UDPAddr) (*net.UDPConn, error) {
 	return nil, os.ErrInvalid
 }
--- a/common/sniff/dns.go
+++ b/common/sniff/dns.go
@@ -11,9 +11,10 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/task"
-	"golang.org/x/net/dns/dnsmessage"
+	mDNS "github.com/miekg/dns"
 )
 func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
@@ -44,18 +45,13 @@ func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.
 }
 func DomainNameQuery(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
-	var parser dnsmessage.Parser
+	var msg mDNS.Msg
-	_, err := parser.Start(packet)
+	err := msg.Unpack(packet)
 	if err != nil {
 		return nil, err
 	}
-	question, err := parser.Question()
+	if len(msg.Question) == 0 || msg.Question[0].Qclass != mDNS.ClassINET || !M.IsDomainName(msg.Question[0].Name) {
 	if err != nil {
 		return nil, os.ErrInvalid
 	}
-	domain := question.Name.String()
+	return &adapter.InboundContext{Protocol: C.ProtocolDNS}, nil
 	if question.Class == dnsmessage.ClassINET && IsDomainName(domain) {
 		return &adapter.InboundContext{Protocol: C.ProtocolDNS /*, Domain: domain*/}, nil
 	}
 	return nil, os.ErrInvalid
 }
--- a/common/sniff/domain.go
+++ b/common/sniff/domain.go
@@ -1,6 +0,0 @@
 package sniff
 import _ "unsafe" // for linkname
 //go:linkname IsDomainName net.isDomainName
 func IsDomainName(domain string) bool
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -7,11 +7,11 @@ import (
 	"crypto/tls"
 	"strings"
 	"github.com/sagernet/certmagic"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/caddyserver/certmagic"
 	"github.com/mholt/acmez/acme"
 )
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -30,7 +30,7 @@ func NewClient(router adapter.Router, serverAddress string, options option.Outbo
 	}
 }
-func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (net.Conn, error) {
+func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
 	tlsConn := config.Client(conn)
 	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
 	defer cancel()
--- a/common/tls/config.go
+++ b/common/tls/config.go
@@ -15,6 +15,8 @@ type (
 )
 type Config interface {
 	NextProtos() []string
 	SetNextProtos(nextProto []string)
 	Config() (*STDConfig, error)
 	Client(conn net.Conn) Conn
 }
@@ -28,6 +30,7 @@ type ServerConfig interface {
 type Conn interface {
 	net.Conn
 	HandshakeContext(ctx context.Context) error
 	ConnectionState() tls.ConnectionState
 }
 func ParseTLSVersion(version string) (uint16, error) {
--- a/common/tls/ech_client.go
+++ b/common/tls/ech_client.go
@@ -4,6 +4,7 @@ package tls
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"net"
@@ -12,16 +13,23 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/transport/cloudflaretls"
+	cftls "github.com/sagernet/sing-box/transport/cloudflaretls"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	mDNS "github.com/miekg/dns"
 	"golang.org/x/net/dns/dnsmessage"
 )
 type echClientConfig struct {
-	config *tls.Config
+	config *cftls.Config
 }
 func (e *echClientConfig) NextProtos() []string {
 	return e.config.NextProtos
 }
 func (e *echClientConfig) SetNextProtos(nextProto []string) {
 	e.config.NextProtos = nextProto
 }
 func (e *echClientConfig) Config() (*STDConfig, error) {
@@ -29,7 +37,29 @@ func (e *echClientConfig) Config() (*STDConfig, error) {
 }
 func (e *echClientConfig) Client(conn net.Conn) Conn {
-	return tls.Client(conn, e.config)
+	return &echConnWrapper{cftls.Client(conn, e.config)}
 }
 type echConnWrapper struct {
 	*cftls.Conn
 }
 func (c *echConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,
 		DidResume:                   state.DidResume,
 		CipherSuite:                 state.CipherSuite,
 		NegotiatedProtocol:          state.NegotiatedProtocol,
 		NegotiatedProtocolIsMutual:  state.NegotiatedProtocolIsMutual,
 		ServerName:                  state.ServerName,
 		PeerCertificates:            state.PeerCertificates,
 		VerifiedChains:              state.VerifiedChains,
 		SignedCertificateTimestamps: state.SignedCertificateTimestamps,
 		OCSPResponse:                state.OCSPResponse,
 		TLSUnique:                   state.TLSUnique,
 	}
 }
 func newECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
@@ -45,7 +75,7 @@ func newECHClient(router adapter.Router, serverAddress string, options option.Ou
 		return nil, E.New("missing server_name or insecure=true")
 	}
-	var tlsConfig tls.Config
+	var tlsConfig cftls.Config
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -55,7 +85,7 @@ func newECHClient(router adapter.Router, serverAddress string, options option.Ou
 		tlsConfig.InsecureSkipVerify = options.Insecure
 	} else if options.DisableSNI {
 		tlsConfig.InsecureSkipVerify = true
-		tlsConfig.VerifyConnection = func(state tls.ConnectionState) error {
+		tlsConfig.VerifyConnection = func(state cftls.ConnectionState) error {
 			verifyOptions := x509.VerifyOptions{
 				DNSName:       serverName,
 				Intermediates: x509.NewCertPool(),
@@ -87,7 +117,7 @@ func newECHClient(router adapter.Router, serverAddress string, options option.Ou
 	if options.CipherSuites != nil {
 	find:
 		for _, cipherSuite := range options.CipherSuites {
-			for _, tlsCipherSuite := range tls.CipherSuites() {
+			for _, tlsCipherSuite := range cftls.CipherSuites() {
 				if cipherSuite == tlsCipherSuite.Name {
 					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
 					continue find
@@ -124,7 +154,7 @@ func newECHClient(router adapter.Router, serverAddress string, options option.Ou
 		if err != nil {
 			return nil, err
 		}
-		clientConfig, err := tls.UnmarshalECHConfigs(clientConfigContent)
+		clientConfig, err := cftls.UnmarshalECHConfigs(clientConfigContent)
 		if err != nil {
 			return nil, err
 		}
@@ -135,19 +165,17 @@ func newECHClient(router adapter.Router, serverAddress string, options option.Ou
 	return &echClientConfig{&tlsConfig}, nil
 }
-const typeHTTPS = 65
+func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
-
+	return func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
-func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serverName string) ([]tls.ECHConfig, error) {
+		message := &mDNS.Msg{
-	return func(ctx context.Context, serverName string) ([]tls.ECHConfig, error) {
+			MsgHdr: mDNS.MsgHdr{
 		message := &dnsmessage.Message{
 			Header: dnsmessage.Header{
 				RecursionDesired: true,
 			},
-			Questions: []dnsmessage.Question{
+			Question: []mDNS.Question{
 				{
-					Name:  dnsmessage.MustNewName(serverName + "."),
+					Name:   serverName + ".",
-					Type:  typeHTTPS,
+					Qtype:  mDNS.TypeHTTPS,
-					Class: dnsmessage.ClassINET,
+					Qclass: mDNS.ClassINET,
 				},
 			},
 		}
@@ -155,19 +183,10 @@ func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serve
 		if err != nil {
 			return nil, err
 		}
-		if response.RCode != dnsmessage.RCodeSuccess {
+		if response.Rcode != mDNS.RcodeSuccess {
-			return nil, dns.RCodeError(response.RCode)
+			return nil, dns.RCodeError(response.Rcode)
 		}
-		content, err := response.Pack()
+		for _, rr := range response.Answer {
 		if err != nil {
 			return nil, err
 		}
 		var mMsg mDNS.Msg
 		err = mMsg.Unpack(content)
 		if err != nil {
 			return nil, err
 		}
 		for _, rr := range mMsg.Answer {
 			switch resource := rr.(type) {
 			case *mDNS.HTTPS:
 				for _, value := range resource.Value {
@@ -176,7 +195,7 @@ func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serve
 						if err != nil {
 							return nil, E.Cause(err, "decode ECH config")
 						}
-						return tls.UnmarshalECHConfigs(echConfig)
+						return cftls.UnmarshalECHConfigs(echConfig)
 					}
 				}
 			default:
--- a/common/tls/mkcert.go
+++ b/common/tls/mkcert.go
@@ -0,0 +1,50 @@
 package tls
 import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"math/big"
 	"time"
 )
 func GenerateKeyPair(serverName string) (*tls.Certificate, error) {
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, err
 	}
 	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
 	if err != nil {
 		return nil, err
 	}
 	template := &x509.Certificate{
 		SerialNumber:          serialNumber,
 		NotBefore:             time.Now().Add(time.Hour * -1),
 		NotAfter:              time.Now().Add(time.Hour),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 		Subject: pkix.Name{
 			CommonName: serverName,
 		},
 		DNSNames: []string{serverName},
 	}
 	publicDer, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
 	if err != nil {
 		return nil, err
 	}
 	privateDer, err := x509.MarshalPKCS8PrivateKey(key)
 	if err != nil {
 		return nil, err
 	}
 	publicPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicDer})
 	privPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateDer})
 	keyPair, err := tls.X509KeyPair(publicPem, privPem)
 	if err != nil {
 		return nil, err
 	}
 	return &keyPair, err
 }
--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@@ -99,6 +99,14 @@ func newStdClient(serverAddress string, options option.OutboundTLSOptions) (Conf
 	return &stdClientConfig{&tlsConfig}, nil
 }
 func (s *stdClientConfig) NextProtos() []string {
 	return s.config.NextProtos
 }
 func (s *stdClientConfig) SetNextProtos(nextProto []string) {
 	s.config.NextProtos = nextProto
 }
 func (s *stdClientConfig) Config() (*STDConfig, error) {
 	return s.config, nil
 }
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -26,6 +26,16 @@ type STDServerConfig struct {
 	watcher         *fsnotify.Watcher
 }
 func (c *STDServerConfig) NextProtos() []string {
 	return c.config.NextProtos
 }
 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }
 var errInsecureUnused = E.New("tls: insecure unused")
 func newSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
@@ -38,6 +48,9 @@ func newSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		if err != nil {
 			return nil, err
 		}
 		if options.Insecure {
 			return nil, errInsecureUnused
 		}
 	} else {
 		tlsConfig = &tls.Config{}
 	}
@@ -94,17 +107,23 @@ func newSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 			}
 			key = content
 		}
-		if certificate == nil {
+		if certificate == nil && key == nil && options.Insecure {
-			return nil, E.New("missing certificate")
+			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
 				return GenerateKeyPair(info.ServerName)
 			}
 		} else {
 			if certificate == nil {
 				return nil, E.New("missing certificate")
 			} else if key == nil {
 				return nil, E.New("missing key")
 			}
 			keyPair, err := tls.X509KeyPair(certificate, key)
 			if err != nil {
 				return nil, E.Cause(err, "parse x509 key pair")
 			}
 			tlsConfig.Certificates = []tls.Certificate{keyPair}
 		}
 		if key == nil {
 			return nil, E.New("missing key")
 		}
 		keyPair, err := tls.X509KeyPair(certificate, key)
 		if err != nil {
 			return nil, E.Cause(err, "parse x509 key pair")
 		}
 		tlsConfig.Certificates = []tls.Certificate{keyPair}
 	}
 	return &STDServerConfig{
 		config:          tlsConfig,
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -22,6 +22,14 @@ type utlsClientConfig struct {
 	id     utls.ClientHelloID
 }
 func (e *utlsClientConfig) NextProtos() []string {
 	return e.config.NextProtos
 }
 func (e *utlsClientConfig) SetNextProtos(nextProto []string) {
 	e.config.NextProtos = nextProto
 }
 func (e *utlsClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for uTLS")
 }
@@ -38,6 +46,24 @@ func (c *utlsConnWrapper) HandshakeContext(ctx context.Context) error {
 	return c.Conn.Handshake()
 }
 func (c *utlsConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,
 		DidResume:                   state.DidResume,
 		CipherSuite:                 state.CipherSuite,
 		NegotiatedProtocol:          state.NegotiatedProtocol,
 		NegotiatedProtocolIsMutual:  state.NegotiatedProtocolIsMutual,
 		ServerName:                  state.ServerName,
 		PeerCertificates:            state.PeerCertificates,
 		VerifiedChains:              state.VerifiedChains,
 		SignedCertificateTimestamps: state.SignedCertificateTimestamps,
 		OCSPResponse:                state.OCSPResponse,
 		TLSUnique:                   state.TLSUnique,
 	}
 }
 func newUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -1,26 +1,29 @@
 package constant
 const (
-	TypeTun         = "tun"
+	TypeTun          = "tun"
-	TypeRedirect    = "redirect"
+	TypeRedirect     = "redirect"
-	TypeTProxy      = "tproxy"
+	TypeTProxy       = "tproxy"
-	TypeDirect      = "direct"
+	TypeDirect       = "direct"
-	TypeBlock       = "block"
+	TypeBlock        = "block"
-	TypeDNS         = "dns"
+	TypeDNS          = "dns"
-	TypeSocks       = "socks"
+	TypeSocks        = "socks"
-	TypeHTTP        = "http"
+	TypeHTTP         = "http"
-	TypeMixed       = "mixed"
+	TypeMixed        = "mixed"
-	TypeShadowsocks = "shadowsocks"
+	TypeShadowsocks  = "shadowsocks"
-	TypeVMess       = "vmess"
+	TypeVMess        = "vmess"
-	TypeTrojan      = "trojan"
+	TypeTrojan       = "trojan"
-	TypeNaive       = "naive"
+	TypeNaive        = "naive"
-	TypeWireGuard   = "wireguard"
+	TypeWireGuard    = "wireguard"
-	TypeHysteria    = "hysteria"
+	TypeHysteria     = "hysteria"
-	TypeTor         = "tor"
+	TypeTor          = "tor"
-	TypeSSH         = "ssh"
+	TypeSSH          = "ssh"
-	TypeShadowTLS   = "shadowtls"
+	TypeShadowTLS    = "shadowtls"
 	TypeShadowsocksR = "shadowsocksr"
 	TypeVLESS        = "vless"
 )
 const (
 	TypeSelector = "selector"
 	TypeURLTest  = "urltest"
 )
--- a/constant/quic.go
+++ b/constant/quic.go
@@ -1,5 +0,0 @@
 //go:build with_quic
 package constant
 const QUIC_AVAILABLE = true
--- a/constant/quic_stub.go
+++ b/constant/quic_stub.go
@@ -1,9 +0,0 @@
 //go:build !with_quic
 package constant
 import E "github.com/sagernet/sing/common/exceptions"
 const QUIC_AVAILABLE = false
 var ErrQUICNotIncluded = E.New(`QUIC is not included in this build, rebuild with -tags with_quic`)
--- a/constant/timeout.go
+++ b/constant/timeout.go
@@ -3,10 +3,11 @@ package constant
 import "time"
 const (
-	TCPTimeout         = 5 * time.Second
+	TCPTimeout             = 5 * time.Second
-	ReadPayloadTimeout = 300 * time.Millisecond
+	ReadPayloadTimeout     = 300 * time.Millisecond
-	DNSTimeout         = 10 * time.Second
+	DNSTimeout             = 10 * time.Second
-	QUICTimeout        = 30 * time.Second
+	QUICTimeout            = 30 * time.Second
-	STUNTimeout        = 15 * time.Second
+	STUNTimeout            = 15 * time.Second
-	UDPTimeout         = 5 * time.Minute
+	UDPTimeout             = 5 * time.Minute
 	DefaultURLTestInterval = 1 * time.Minute
 )
--- a/constant/version.go
+++ b/constant/version.go
@@ -1,6 +1,3 @@
 package constant
-var (
+var Version = "1.1-beta8"
 	Version = "1.1-beta2"
 	Commit  = ""
 )
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,79 @@
 #### 1.1-beta8
 * Fix leaks on close
 * Improve websocket writer
 * Refine tproxy write back
 * Refine 4in6 processing
 * Fix shadowsocks plugins
 * Fix missing source address from transport connection
 * Fix fqdn socks5 outbound connection
 * Fix read source address from grpc-go
 #### 1.0.5
 * Fix missing source address from transport connection
 * Fix fqdn socks5 outbound connection
 * Fix read source address from grpc-go
 #### 1.1-beta7
 * Add v2ray mux and XUDP support for VMess inbound
 * Add XUDP support for VMess outbound
 * Disable DF on direct outbound by default
 * Fix bugs in 1.1-beta6
 #### 1.1-beta6
 * Add [URLTest outbound](/configuration/outbound/urltest)
 * Fix bugs in 1.1-beta5
 #### 1.1-beta5
 * Print tags in version command
 * Redirect clash hello to external ui
 * Move shadowsocksr implementation to clash
 * Make gVisor optional **1**
 * Refactor to miekg/dns
 * Refactor bind control
 * Fix build on go1.18
 * Fix clash store-selected
 * Fix close grpc conn
 * Fix port rule match logic
 * Fix clash api proxy type
 *1*:
 The build tag `no_gvisor` is replaced by `with_gvisor`.
 The default tun stack is changed to system.
 #### 1.0.4
 * Fix close grpc conn
 * Fix port rule match logic
 * Fix clash api proxy type
 #### 1.1-beta4
 * Add internal simple-obfs and v2ray-plugin [Shadowsocks plugins](/configuration/outbound/shadowsocks#plugin)
 * Add [ShadowsocksR outbound](/configuration/outbound/shadowsocksr)
 * Add [VLESS outbound and XUDP](/configuration/outbound/vless)
 * Skip wait for hysteria tcp handshake response
 * Fix socks4 client
 * Fix hysteria inbound
 * Fix concurrent write
 #### 1.0.3
 * Fix socks4 client
 * Fix hysteria inbound
 * Fix concurrent write
 #### 1.1-beta3
 * Fix using custom TLS client in http2 client
 * Fix bugs in 1.1-beta2
 #### 1.1-beta2
 * Add Clash mode and persistence support **1**
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -104,8 +104,10 @@
    The default rule uses the following matching logic:  
    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite`) &&  
    (`port` || `port_range`) &&  
    (`source_geoip` || `source_ip_cidr`) &&  
-    `other fields`  
+    (`source_port` || `source_port_range`) &&  
    `other fields`
 #### inbound
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -103,8 +103,10 @@
    默认规则使用以下匹配逻辑:  
    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite`) &&  
    (`port` || `port_range`) &&  
    (`source_geoip` || `source_ip_cidr`) &&  
-    `other fields`  
+    (`source_port` || `source_port_range`) &&  
    `other fields`
 #### inbound
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -16,7 +16,7 @@
  "auto_route": true,
  "strict_route": true,
  "endpoint_independent_nat": false,
-  "stack": "gvisor",
+  "stack": "system",
  "include_uid": [
    0
  ],
@@ -112,15 +112,15 @@ UDP NAT expiration time in seconds, default is 300 (5 minutes).
 TCP/IP stack.
-| Stack            | Description                                                                    | Status            |
+| Stack            | Description                                                                      | Status            |
-|------------------|--------------------------------------------------------------------------------|-------------------|
+|------------------|----------------------------------------------------------------------------------|-------------------|
-| gVisor (default) | Based on [google/gvisor](https://github.com/google/gvisor)                     | recommended       |
+| system (default) | Sometimes better performance                                                     | recommended       |
- | system           | Less compatibility and sometimes better performance.                           | recommended       |
+| gVisor           | Better compatibility, based on [google/gvisor](https://github.com/google/gvisor) | recommended       |
-| LWIP             | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | upstream archived |
+| LWIP             | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks)   | upstream archived |
 !!! warning ""
-    The LWIP stack is not included by default, see [Installation](/#installation).
+    gVisor and LWIP stacks is not included by default, see [Installation](/#installation).
 #### include_uid
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -16,7 +16,7 @@
  "auto_route": true,
  "strict_route": true,
  "endpoint_independent_nat": false,
-  "stack": "gvisor",
+  "stack": "system",
  "include_uid": [
    0
  ],
@@ -107,15 +107,15 @@ UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。
 TCP/IP 栈。
-| 栈                | 描述                                                                       | 状态    |
+| 栈           | 描述                                                                       | 状态    |
-|------------------|--------------------------------------------------------------------------|-------|
+|-------------|--------------------------------------------------------------------------|-------|
-| gVisor (default) | 基于 [google/gvisor](https://github.com/google/gvisor)                     | 推荐    |
+| system （默认） | 有时性能更好                                                                   | 推荐    |
-| system           | 兼容性较差，有时性能更好。                                                            | 推荐    |
+| gVisor      | 兼容性较好，基于 [google/gvisor](https://github.com/google/gvisor)               | 推荐    |
-| LWIP             | 基于 [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | 上游已存档 |
+| LWIP        | 基于 [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | 上游已存档 |
 !!! warning ""
-    默认安装不包含 LWIP 栈，请参阅 [安装](/zh/#_2)。
+    默认安装不包含 gVisor 和 LWIP 栈，请参阅 [安装](/zh/#_2)。
 #### include_uid
@@ -145,10 +145,10 @@ TCP/IP 栈。
 限制被路由的 Android 用户。
-| 常用用户 | ID  |
+| 常用用户 | ID |
 |--|-----|
-| 您 | 0   |
+| 您 | 0 |
-| 工作资料 | 10  |
+| 工作资料 | 10 |
 #### include_package
--- a/docs/configuration/outbound/index.md
+++ b/docs/configuration/outbound/index.md
@@ -15,21 +15,24 @@
 ### Fields
-| Type          | Format                       |
+| Type           | Format                         |
-|---------------|------------------------------|
+|----------------|--------------------------------|
-| `direct`      | [Direct](./direct)           |
+| `direct`       | [Direct](./direct)             |
-| `block`       | [Block](./block)             |
+| `block`        | [Block](./block)               |
-| `socks`       | [SOCKS](./socks)             |
+| `socks`        | [SOCKS](./socks)               |
-| `http`        | [HTTP](./http)               |
+| `http`         | [HTTP](./http)                 |
-| `shadowsocks` | [Shadowsocks](./shadowsocks) |
+| `shadowsocks`  | [Shadowsocks](./shadowsocks)   |
-| `vmess`       | [VMess](./vmess)             |
+| `vmess`        | [VMess](./vmess)               |
-| `trojan`      | [Trojan](./trojan)           |
+| `trojan`       | [Trojan](./trojan)             |
-| `wireguard`   | [Wireguard](./wireguard)     |
+| `wireguard`    | [Wireguard](./wireguard)       |
-| `hysteria`    | [Hysteria](./hysteria)       |
+| `hysteria`     | [Hysteria](./hysteria)         |
-| `tor`         | [Tor](./tor)                 |
+| `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
-| `ssh`         | [SSH](./ssh)                 |
+| `vless`        | [VLESS](./vless)               |
-| `dns`         | [DNS](./dns)                 |
+| `tor`          | [Tor](./tor)                   |
-| `selector`    | [Selector](./selector)       |
+| `ssh`          | [SSH](./ssh)                   |
 | `dns`          | [DNS](./dns)                   |
 | `selector`     | [Selector](./selector)         |
 | `urltest`      | [URLTest](./urltest)           |
 #### tag
--- a/docs/configuration/outbound/index.zh.md
+++ b/docs/configuration/outbound/index.zh.md
@@ -15,21 +15,24 @@
 ### 字段
-| 类型            | 格式                           |
+| 类型             | 格式                             |
-|---------------|------------------------------|
+|----------------|--------------------------------|
-| `direct`      | [Direct](./direct)           |
+| `direct`       | [Direct](./direct)             |
-| `block`       | [Block](./block)             |
+| `block`        | [Block](./block)               |
-| `socks`       | [SOCKS](./socks)             |
+| `socks`        | [SOCKS](./socks)               |
-| `http`        | [HTTP](./http)               |
+| `http`         | [HTTP](./http)                 |
-| `shadowsocks` | [Shadowsocks](./shadowsocks) |
+| `shadowsocks`  | [Shadowsocks](./shadowsocks)   |
-| `vmess`       | [VMess](./vmess)             |
+| `vmess`        | [VMess](./vmess)               |
-| `trojan`      | [Trojan](./trojan)           |
+| `trojan`       | [Trojan](./trojan)             |
-| `wireguard`   | [Wireguard](./wireguard)     |
+| `wireguard`    | [Wireguard](./wireguard)       |
-| `hysteria`    | [Hysteria](./hysteria)       |
+| `hysteria`     | [Hysteria](./hysteria)         |
-| `tor`         | [Tor](./tor)                 |
+| `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
-| `ssh`         | [SSH](./ssh)                 |
+| `vless`        | [VLESS](./vless)               |
-| `dns`         | [DNS](./dns)                 |
+| `tor`          | [Tor](./tor)                   |
-| `selector`    | [Selector](./selector)       |
+| `ssh`          | [SSH](./ssh)                   |
 | `dns`          | [DNS](./dns)                   |
 | `selector`     | [Selector](./selector)         |
 | `urltest`      | [URLTest](./urltest)           |
 #### tag
--- a/docs/configuration/outbound/shadowsocks.md
+++ b/docs/configuration/outbound/shadowsocks.md
@@ -9,6 +9,8 @@
  "server_port": 1080,
  "method": "2022-blake3-aes-128-gcm",
  "password": "8JCsPssfgS8tiRwiMlhARg==",
  "plugin": "",
  "plugin_opts": "",
  "network": "udp",
  "udp_over_tcp": false,
  "multiplex": {},
@@ -65,6 +67,16 @@ Legacy encryption methods:
 The shadowsocks password.
 #### plugin
 Shadowsocks SIP003 plugin, implemented in internal.
 Only `obfs-local` and `v2ray-plugin` are supported.
 #### plugin_opts
 Shadowsocks SIP003 plugin options.
 #### network
 Enabled network
--- a/docs/configuration/outbound/shadowsocks.zh.md
+++ b/docs/configuration/outbound/shadowsocks.zh.md
@@ -9,6 +9,8 @@
  "server_port": 1080,
  "method": "2022-blake3-aes-128-gcm",
  "password": "8JCsPssfgS8tiRwiMlhARg==",
  "plugin": "",
  "plugin_opts": "",
  "network": "udp",
  "udp_over_tcp": false,
  "multiplex": {},
@@ -65,6 +67,16 @@
 Shadowsocks 密码。
 #### plugin
 Shadowsocks SIP003 插件，由内部实现。
 仅支持 `obfs-local` 和 `v2ray-plugin`。
 #### plugin_opts
 Shadowsocks SIP003 插件参数。
 #### network
 启用的网络协议
--- a/docs/configuration/outbound/shadowsocksr.md
+++ b/docs/configuration/outbound/shadowsocksr.md
@@ -0,0 +1,106 @@
 ### Structure
 ```json
 {
  "type": "shadowsocksr",
  "tag": "ssr-out",
  "server": "127.0.0.1",
  "server_port": 1080,
  "method": "aes-128-cfb",
  "password": "8JCsPssfgS8tiRwiMlhARg==",
  "obfs": "plain",
  "obfs_param": "",
  "protocol": "origin",
  "protocol_param": "",
  "network": "udp",
  ... // Dial Fields
 }
 ```
 !!! warning ""
    The ShadowsocksR protocol is obsolete and unmaintained. This outbound is provided for compatibility only.
 !!! warning ""
    ShadowsocksR is not included by default, see [Installation](/#installation).
 ### Fields
 #### server
 ==Required==
 The server address.
 #### server_port
 ==Required==
 The server port.
 #### method
 ==Required==
 Encryption methods:
 * `aes-128-ctr`
 * `aes-192-ctr`
 * `aes-256-ctr`
 * `aes-128-cfb`
 * `aes-192-cfb`
 * `aes-256-cfb`
 * `rc4-md5`
 * `chacha20-ietf`
 * `xchacha20`
 #### password
 ==Required==
 The shadowsocks password.
 #### obfs
 The ShadowsocksR obfuscate.
 * plain
 * http_simple
 * http_post
 * random_head
 * tls1.2_ticket_auth
 #### obfs_param
 The ShadowsocksR obfuscate parameter.
 #### protocol
 The ShadowsocksR protocol.
 * origin
 * verify_sha1
 * auth_sha1_v4
 * auth_aes128_md5
 * auth_aes128_sha1
 * auth_chain_a
 * auth_chain_b
 #### protocol_param
 The ShadowsocksR protocol parameter.
 #### network
 Enabled network
 One of `tcp` `udp`.
 Both is enabled by default.
 ### Dial Fields
 See [Dial Fields](/configuration/shared/dial) for details.
--- a/docs/configuration/outbound/shadowsocksr.zh.md
+++ b/docs/configuration/outbound/shadowsocksr.zh.md
@@ -0,0 +1,106 @@
 ### 结构
 ```json
 {
  "type": "shadowsocksr",
  "tag": "ssr-out",
  "server": "127.0.0.1",
  "server_port": 1080,
  "method": "aes-128-cfb",
  "password": "8JCsPssfgS8tiRwiMlhARg==",
  "obfs": "plain",
  "obfs_param": "",
  "protocol": "origin",
  "protocol_param": "",
  "network": "udp",
  ... // 拨号字段
 }
 ```
 !!! warning ""
    ShadowsocksR 协议已过时且无人维护。 提供此出站仅出于兼容性目的。
 !!! warning ""
    默认安装不包含被 ShadowsocksR，参阅 [安装](/zh/#_2)。
 ### 字段
 #### server
 ==必填==
 服务器地址。
 #### server_port
 ==必填==
 服务器端口。
 #### method
 ==必填==
 加密方法：
 * `aes-128-ctr`
 * `aes-192-ctr`
 * `aes-256-ctr`
 * `aes-128-cfb`
 * `aes-192-cfb`
 * `aes-256-cfb`
 * `rc4-md5`
 * `chacha20-ietf`
 * `xchacha20`
 #### password
 ==必填==
 Shadowsocks 密码。
 #### obfs
 ShadowsocksR 混淆。
 * plain
 * http_simple
 * http_post
 * random_head
 * tls1.2_ticket_auth
 #### obfs_param
 ShadowsocksR 混淆参数。
 #### protocol
 ShadowsocksR 协议。
 * origin
 * verify_sha1
 * auth_sha1_v4
 * auth_aes128_md5
 * auth_aes128_sha1
 * auth_chain_a
 * auth_chain_b
 #### protocol_param
 ShadowsocksR 协议参数。
 #### network
 启用的网络协议
 `tcp` 或 `udp`。
 默认所有。
 ### 拨号字段
 参阅 [拨号字段](/zh/configuration/shared/dial/)。
--- a/docs/configuration/outbound/urltest.md
+++ b/docs/configuration/outbound/urltest.md
@@ -0,0 +1,37 @@
 ### Structure
 ```json
 {
  "type": "urltest",
  "tag": "auto",
  "outbounds": [
    "proxy-a",
    "proxy-b",
    "proxy-c"
  ],
  "url": "http://www.gstatic.com/generate_204",
  "interval": "1m",
  "tolerance": 50
 }
 ```
 ### Fields
 #### outbounds
 ==Required==
 List of outbound tags to test.
 #### url
 The URL to test. `http://www.gstatic.com/generate_204` will be used if empty.
 #### interval
 The test interval. `1m` will be used if empty.
 #### tolerance
 The test tolerance in milliseconds. `50` will be used if empty.
--- a/docs/configuration/outbound/urltest.zh.md
+++ b/docs/configuration/outbound/urltest.zh.md
@@ -0,0 +1,37 @@
 ### 结构
 ```json
 {
  "type": "urltest",
  "tag": "auto",
  "outbounds": [
    "proxy-a",
    "proxy-b",
    "proxy-c"
  ],
  "url": "http://www.gstatic.com/generate_204",
  "interval": "1m",
  "tolerance": 50
 }
 ```
 ### 字段
 #### outbounds
 ==必填==
 用于测试的出站标签列表。
 #### url
 用于测试的链接。默认使用 `http://www.gstatic.com/generate_204`。
 #### interval
 测试间隔。 默认使用 `1m`。
 #### tolerance
 以毫秒为单位的测试容差。 默认使用 `50`。
--- a/docs/configuration/outbound/vless.md
+++ b/docs/configuration/outbound/vless.md
@@ -0,0 +1,70 @@
 ### Structure
 ```json
 {
  "type": "vless",
  "tag": "vless-out",
  "server": "127.0.0.1",
  "server_port": 1080,
  "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
  "network": "tcp",
  "tls": {},
  "packet_encoding": "",
  "transport": {},
  ... // Dial Fields
 }
 ```
 !!! warning ""
    The VLESS protocol is architecturally coupled to v2ray and is unmaintained. This outbound is provided for compatibility purposes only.
 ### Fields
 #### server
 ==Required==
 The server address.
 #### server_port
 ==Required==
 The server port.
 #### uuid
 ==Required==
 The VLESS user id.
 #### network
 Enabled network
 One of `tcp` `udp`.
 Both is enabled by default.
 #### tls
 TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
 #### packet_encoding
 | Encoding   | Description           |
 |------------|-----------------------|
 | (none)     | Disabled              |
 | packetaddr | Supported by v2ray 5+ |
 | xudp       | Supported by xray     |
 #### transport
 V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
 ### Dial Fields
 See [Dial Fields](/configuration/shared/dial) for details.
--- a/docs/configuration/outbound/vless.zh.md
+++ b/docs/configuration/outbound/vless.zh.md
@@ -0,0 +1,70 @@
 ### 结构
 ```json
 {
  "type": "vless",
  "tag": "vless-out",
  "server": "127.0.0.1",
  "server_port": 1080,
  "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
  "network": "tcp",
  "tls": {},
  "packet_encoding": "",
  "transport": {},
  ... // 拨号字段
 }
 ```
 !!! warning ""
    VLESS 协议与 v2ray 架构耦合且无人维护。 提供此出站仅出于兼容性目的。
 ### 字段
 #### server
 ==必填==
 服务器地址。
 #### server_port
 ==必填==
 服务器端口。
 #### uuid
 ==必填==
 VLESS 用户 ID。
 #### network
 启用的网络协议。
 `tcp` 或 `udp`。
 默认所有。
 #### tls
 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 #### packet_encoding
 | 编码         | 描述            |
 |------------|---------------|
 | (空)        | 禁用            |
 | packetaddr | 由 v2ray 5+ 支持 |
 | xudp       | 由 xray 支持     |
 #### transport
 V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
 ### 拨号字段
 参阅 [拨号字段](/zh/configuration/shared/dial/)。
--- a/docs/configuration/outbound/vmess.md
+++ b/docs/configuration/outbound/vmess.md
@@ -14,7 +14,7 @@
  "authenticated_length": true,
  "network": "tcp",
  "tls": {},
-  "packet_addr": false,
+  "packet_encoding": "",
  "multiplex": {},
  "transport": {},
@@ -84,9 +84,13 @@ Both is enabled by default.
 TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
-#### packet_addr
+#### packet_encoding
-Enable packetaddr support.
+| Encoding   | Description           |
 |------------|-----------------------|
 | (none)     | Disabled              |
 | packetaddr | Supported by v2ray 5+ |
 | xudp       | Supported by xray     |
 #### multiplex
--- a/docs/configuration/outbound/vmess.zh.md
+++ b/docs/configuration/outbound/vmess.zh.md
@@ -14,7 +14,7 @@
  "authenticated_length": true,
  "network": "tcp",
  "tls": {},
-  "packet_addr": false,
+  "packet_encoding": "",
  "multiplex": {},
  "transport": {},
@@ -84,9 +84,13 @@ VMess 用户 ID。
 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
-#### packet_addr
+#### packet_encoding
-启用 packetaddr 支持。
+| 编码         | 描述            |
 |------------|---------------|
 | (空)        | 禁用            |
 | packetaddr | 由 v2ray 5+ 支持 |
 | xudp       | 由 xray 支持     |
 #### multiplex
--- a/docs/configuration/outbound/wireguard.md
+++ b/docs/configuration/outbound/wireguard.md
@@ -26,6 +26,10 @@
    WireGuard is not included by default, see [Installation](/#installation).
 !!! warning ""
    gVisor, which is required by the unprivileged WireGuard is not included by default, see [Installation](/#installation).
 ### Fields
 #### server
@@ -44,7 +48,9 @@ The server port.
 Use system tun support.
-Requires privileges and cannot conflict with system interfaces.
+Requires privilege and cannot conflict with system interfaces.
 Forced if gVisor not included in the build.
 #### interface_name
--- a/docs/configuration/outbound/wireguard.zh.md
+++ b/docs/configuration/outbound/wireguard.zh.md
@@ -26,6 +26,10 @@
    默认安装不包含 WireGuard, 参阅 [安装](/zh/#_2)。
 !!! warning ""
    默认安装不包含被非特权 WireGuard 需要的 gVisor, 参阅 [安装](/zh/#_2)。
 ### 字段
 #### server
@@ -46,6 +50,8 @@
 需要特权且不能与系统接口冲突。
 如果 gVisor 未包含在构建中，则强制执行。
 #### interface_name
 启用 `system_interface` 时的自定义设备名称。
--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@@ -107,8 +107,10 @@
    The default rule uses the following matching logic:  
    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
    (`port` || `port_range`) &&  
    (`source_geoip` || `source_ip_cidr`) &&  
-    `other fields`  
+    (`source_port` || `source_port_range`) &&  
    `other fields`
 #### inbound
--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@@ -105,8 +105,10 @@
    默认规则使用以下匹配逻辑:  
    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
    (`port` || `port_range`) &&  
    (`source_geoip` || `source_ip_cidr`) &&  
-    `other fields`  
+    (`source_port` || `source_port_range`) &&  
    `other fields`
 #### inbound
--- a/docs/contributing/sub-projects.md
+++ b/docs/contributing/sub-projects.md
@@ -53,17 +53,6 @@ we need to do this.
 The library needs to be updated with the upstream.
 #### certmagic
 Link: [GitHub repository](https://github.com/SagerNet/certmagic)
 Fork of `caddyserver/certmagic`
 Since upstream uses `miekg/dns` and we use `x/net/dnsmessage`, we need to replace its DNS part with our own
 implementation.
 The library needs to be updated with the upstream.
 #### smux
 Link: [GitHub repository](https://github.com/SagerNet/smux)
--- a/docs/features.md
+++ b/docs/features.md
@@ -95,7 +95,9 @@
 | cn                | 17.8M    | 140.3M     |
 | cn (Loyalsoldier) | 74.3M    | 246.7M     |
-#### Shadowsocks benchmark
+#### Benchmark
 ##### Shadowsocks
 | /                                  |   none    | aes-128-gcm | 2022-blake3-aes-128-gcm |
 |------------------------------------|:---------:|:-----------:|:-----------------------:|
@@ -103,6 +105,13 @@
 | shadowsocks-rust (v1.15.0-alpha.5) | 10.7 Gbps |      /      |        9.36 Gbps        |
 | sing-box                           | 29.0 Gbps |      /      |        11.8 Gbps        |
 ##### VMess
 | /                  |    TCP    |   HTTP    |  H2 TLS   | WebSocket TLS | gRPC TLS  |
 |--------------------|:---------:|:---------:|:---------:|:-------------:|:---------:|
 | v2ray-core (5.1.0) | 7.86 GBps | 2.86 Gbps | 1.83 Gbps |   2.36 Gbps   | 2.43 Gbps |
 | sing-box           | 7.96 Gbps | 8.09 Gbps | 6.11 Gbps |   8.02 Gbps   | 6.35 Gbps |
 #### License
 | /          | License                           |
--- a/docs/index.md
+++ b/docs/index.md
@@ -27,11 +27,12 @@ go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@lat
 | `with_quic`                        | Build with QUIC support, see [QUIC and HTTP3 dns transports](./configuration/dns/server), [Naive inbound](./configuration/inbound/naive), [Hysteria Inbound](./configuration/inbound/hysteria), [Hysteria Outbound](./configuration/outbound/hysteria) and [V2Ray Transport#QUIC](./configuration/shared/v2ray-transport#quic). |
 | `with_grpc`                        | Build with standard gRPC support, see [V2Ray Transport#gRPC](./configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
 | `with_wireguard`                   | Build with WireGuard support, see [WireGuard outbound](./configuration/outbound/wireguard).                                                                                                                                                                                                                                     |
 | `with_shadowsocksr`                | Build with ShadowsocksR support, see [ShadowsocksR outbound](./configuration/outbound/shadowsocksr).                                                                                                                                                                                                                            |
 | `with_ech`                         | Build with TLS ECH extension support for TLS outbound, see [TLS](./configuration/shared/tls#ech).                                                                                                                                                                                                                               |
 | `with_utls`                        | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](./configuration/shared/tls#utls).                                                                                                                                                                                          |
 | `with_acme`                        | Build with ACME TLS certificate issuer support, see [TLS](./configuration/shared/tls).                                                                                                                                                                                                                                          |
 | `with_clash_api`                   | Build with Clash API support, see [Experimental](./configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
-| `no_gvisor`                        | Build without gVisor Tun stack support, see [Tun inbound](./configuration/inbound/tun#stack).                                                                                                                                                                                                                                   |
+| `with_gvisor`                      | Build with gVisor support, see [Tun inbound](./configuration/inbound/tun#stack) and [WireGuard outbound](./configuration/outbound/wireguard#system_interface).                                                                                                                                                                  |
 | `with_embedded_tor` (CGO required) | Build with embedded Tor support, see [Tor outbound](./configuration/outbound/tor).                                                                                                                                                                                                                                              |
 | `with_lwip` (CGO required)         | Build with LWIP Tun stack support, see [Tun inbound](./configuration/inbound/tun#stack).                                                                                                                                                                                                                                        |
@@ -44,10 +45,6 @@ sing-box version
 It is also recommended to use systemd to manage sing-box service,
 see [Linux server installation example](./examples/linux-server-installation).
 ## Contributors
 [![](https://opencollective.com/sagernet/contributors.svg?width=740&button=false)](https://github.com/sagernet/sing-box/graphs/contributors)
 ## License
 ```
--- a/docs/index.zh.md
+++ b/docs/index.zh.md
@@ -27,11 +27,12 @@ go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@lat
 | `with_quic`                  | 启用 QUIC 支持，参阅 [QUIC 和 HTTP3 DNS 传输层](./configuration/dns/server)，[Naive 入站](./configuration/inbound/naive)，[Hysteria 入站](./configuration/inbound/hysteria)，[Hysteria 出站](./configuration/outbound/hysteria) 和 [V2Ray 传输层#QUIC](./configuration/shared/v2ray-transport#quic)。 |
 | `with_grpc`                  | 启用标准 gRPC 支持，参阅 [V2Ray 传输层#gRPC](./configuration/shared/v2ray-transport#grpc)。                                                                                                                                                                                               |
 | `with_wireguard`             | 启用 WireGuard 支持，参阅 [WireGuard 出站](./configuration/outbound/wireguard)。                                                                                                                                                                                                       |
 | `with_shadowsocksr`          | 启用 ShadowsocksR 支持，参阅 [ShadowsocksR 出站](./configuration/outbound/shadowsocksr)。                                                                                                                                                                                              |
 | `with_ech`                   | 启用 TLS ECH 扩展支持，参阅 [TLS](./configuration/shared/tls#ech)。                                                                                                                                                                                                                    |
-| `with_utls`                  | 启用 [uTLS](https://github.com/refraction-networking/utls) 支持， 参阅 [TLS](./configuration/shared/tls#utls)。                                                                                                                                                                      |
+| `with_utls`                  | 启用 uTLS 支持，参阅 [实验性](./configuration/experimental#clash-api-fields)。                                                                                                                                                                                                          |
 | `with_acme`                  | 启用 ACME TLS 证书签发支持，参阅 [TLS](./configuration/shared/tls)。                                                                                                                                                                                                                     |
-| `with_clash_api`             | 启用 Clash api 支持，参阅 [实验性](./configuration/experimental#clash-api-fields)。                                                                                                                                                                                                     |
+| `with_clash_api`             | 启用 Clash API 支持，参阅 [实验性](./configuration/experimental#clash-api-fields)。                                                                                                                                                                                                     |
-| `no_gvisor`                  | 禁用 gVisor Tun 栈支持，参阅 [Tun 入站](./configuration/inbound/tun#stack)。                                                                                                                                                                                                            |
+| `with_gvisor`                | 启用 gVisor 支持，参阅 [Tun 入站](./configuration/inbound/tun#stack) 和 [WireGuard 出站](./configuration/outbound/wireguard#system_interface)。                                                                                                                                           |
 | `with_embedded_tor` (需要 CGO) | 启用 嵌入式 Tor 支持，参阅 [Tor 出站](./configuration/outbound/tor)。                                                                                                                                                                                                                     |
 | `with_lwip` (需要 CGO)         | 启用 LWIP Tun 栈支持，参阅 [Tun 入站](./configuration/inbound/tun#stack)。                                                                                                                                                                                                              |
@@ -41,13 +42,9 @@ go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@lat
 sing-box version
 ```
-同时推荐使用 Systemd 来管理 sing-box 服务器实例。
+同时推荐使用 systemd 来管理 sing-box 服务器实例。
 参阅 [Linux 服务器安装示例](./examples/linux-server-installation)。
 ## 贡献者
 [![](https://opencollective.com/sagernet/contributors.svg?width=740&button=false)](https://github.com/sagernet/sing-box/graphs/contributors)
 ## 授权
 ```
--- a/experimental/clashapi/connections.go
+++ b/experimental/clashapi/connections.go
@@ -8,10 +8,10 @@ import (
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
 	"github.com/sagernet/websocket"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/render"
 	"github.com/gorilla/websocket"
 )
 func connectionRouter(trafficManager *trafficontrol.Manager) http.Handler {
--- a/experimental/clashapi/proxies.go
+++ b/experimental/clashapi/proxies.go
@@ -61,7 +61,6 @@ func findProxyByName(router adapter.Router) func(next http.Handler) http.Handler
 func proxyInfo(server *Server, detour adapter.Outbound) *badjson.JSONObject {
 	var info badjson.JSONObject
 	var clashType string
 	var isGroup bool
 	switch detour.Type() {
 	case C.TypeDirect:
 		clashType = "Direct"
@@ -70,18 +69,31 @@ func proxyInfo(server *Server, detour adapter.Outbound) *badjson.JSONObject {
 	case C.TypeSocks:
 		clashType = "Socks"
 	case C.TypeHTTP:
-		clashType = "Http"
+		clashType = "HTTP"
 	case C.TypeShadowsocks:
 		clashType = "Shadowsocks"
 	case C.TypeVMess:
-		clashType = "Vmess"
+		clashType = "VMess"
 	case C.TypeTrojan:
 		clashType = "Trojan"
 	case C.TypeHysteria:
 		clashType = "Hysteria"
 	case C.TypeWireGuard:
 		clashType = "WireGuard"
 	case C.TypeShadowsocksR:
 		clashType = "ShadowsocksR"
 	case C.TypeVLESS:
 		clashType = "VLESS"
 	case C.TypeTor:
 		clashType = "Tor"
 	case C.TypeSSH:
 		clashType = "SSH"
 	case C.TypeSelector:
 		clashType = "Selector"
-		isGroup = true
+	case C.TypeURLTest:
 		clashType = "URLTest"
 	default:
-		clashType = "Socks"
+		clashType = "Direct"
 	}
 	info.Put("type", clashType)
 	info.Put("name", detour.Tag())
@@ -92,10 +104,9 @@ func proxyInfo(server *Server, detour adapter.Outbound) *badjson.JSONObject {
 	} else {
 		info.Put("history", []*urltest.History{})
 	}
-	if isGroup {
+	if group, isGroup := detour.(adapter.OutboundGroup); isGroup {
-		selector := detour.(adapter.OutboundGroup)
+		info.Put("now", group.Now())
-		info.Put("now", selector.Now())
+		info.Put("all", group.All())
 		info.Put("all", selector.All())
 	}
 	return &info
 }
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -22,11 +22,11 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/websocket"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/cors"
 	"github.com/go-chi/render"
 	"github.com/gorilla/websocket"
 )
 var _ adapter.ClashServer = (*Server)(nil)
@@ -61,6 +61,7 @@ func NewServer(router adapter.Router, logFactory log.ObservableFactory, options
 		server.mode = "rule"
 	}
 	if options.StoreSelected {
 		server.storeSelected = true
 		cachePath := os.ExpandEnv(options.CacheFile)
 		if cachePath == "" {
 			cachePath = "cache.db"
@@ -80,7 +81,7 @@ func NewServer(router adapter.Router, logFactory log.ObservableFactory, options
 	chiRouter.Use(cors.Handler)
 	chiRouter.Group(func(r chi.Router) {
 		r.Use(authentication(options.Secret))
-		r.Get("/", hello)
+		r.Get("/", hello(options.ExternalUI != ""))
 		r.Get("/logs", getLogs(logFactory))
 		r.Get("/traffic", traffic(trafficManager))
 		r.Get("/version", version)
@@ -143,6 +144,10 @@ func (s *Server) CacheFile() adapter.ClashCacheFile {
 	return s.cacheFile
 }
 func (s *Server) HistoryStorage() *urltest.HistoryStorage {
 	return s.urlTestHistory
 }
 func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule) (net.Conn, adapter.Tracker) {
 	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, castMetadata(metadata), s.router, matchedRule)
 	return tracker, tracker
@@ -232,8 +237,14 @@ func authentication(serverSecret string) func(next http.Handler) http.Handler {
 	}
 }
-func hello(w http.ResponseWriter, r *http.Request) {
+func hello(redirect bool) func(w http.ResponseWriter, r *http.Request) {
-	render.JSON(w, r, render.M{"hello": "clash"})
+	return func(w http.ResponseWriter, r *http.Request) {
 		if redirect {
 			http.Redirect(w, r, "/ui/", http.StatusTemporaryRedirect)
 		} else {
 			render.JSON(w, r, render.M{"hello": "clash"})
 		}
 	}
 }
 var upgrader = websocket.Upgrader{
--- a/go.mod
+++ b/go.mod
@@ -4,6 +4,8 @@ go 1.18
 require (
 	berty.tech/go-libtor v1.0.385
 	github.com/Dreamacro/clash v1.11.8
 	github.com/caddyserver/certmagic v0.17.1
 	github.com/cloudflare/circl v1.2.1-0.20220831060716-4cf0150356fc
 	github.com/cretz/bine v0.2.0
 	github.com/database64128/tfo-go v1.1.2
@@ -13,7 +15,6 @@ require (
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.2
 	github.com/gofrs/uuid v4.3.0+incompatible
 	github.com/gorilla/websocket v1.5.0
 	github.com/hashicorp/yamux v0.1.1
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/mholt/acmez v1.0.4
@@ -21,23 +22,23 @@ require (
 	github.com/oschwald/maxminddb-golang v1.10.0
 	github.com/pires/go-proxyproto v0.6.2
 	github.com/refraction-networking/utls v1.1.2
 	github.com/sagernet/certmagic v0.0.0-20220819042630-4a57f8b6853a
 	github.com/sagernet/quic-go v0.0.0-20220818150011-de611ab3e2bb
-	github.com/sagernet/sing v0.0.0-20220910144724-62c4ebdbcb3f
+	github.com/sagernet/sing v0.0.0-20220925112014-b12b8b7fd220
-	github.com/sagernet/sing-dns v0.0.0-20220822023312-3e086b06d666
+	github.com/sagernet/sing-dns v0.0.0-20220915084601-812e0864b45b
 	github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6
-	github.com/sagernet/sing-tun v0.0.0-20220909114108-a6b5a9289ecb
+	github.com/sagernet/sing-tun v0.0.0-20220925112147-6bad0c2380ca
-	github.com/sagernet/sing-vmess v0.0.0-20220907073918-72d7fdf6825f
+	github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685
-	github.com/sagernet/smux v0.0.0-20220907034654-1acb8471c15a
+	github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195
 	github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e
 	github.com/spf13/cobra v1.5.0
 	github.com/stretchr/testify v1.8.0
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/atomic v1.10.0
-	go4.org/netipx v0.0.0-20220812043211-3cc044ffd68d
+	go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab
-	golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90
+	golang.org/x/crypto v0.0.0-20220924013350-4ba4fb4dd9e7
-	golang.org/x/net v0.0.0-20220909164309-bea034e7d591
+	golang.org/x/net v0.0.0-20220923203811-8be639271d50
-	golang.org/x/sys v0.0.0-20220909162455-aba9fc2a8ff2
+	golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8
-	golang.zx2c4.com/wireguard v0.0.0-20220904105730-b51010ba13f0
+	golang.zx2c4.com/wireguard v0.0.0-20220829161405-d1d08426b27b
 	google.golang.org/grpc v1.49.0
 	google.golang.org/protobuf v1.28.1
 	gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c
--- a/go.sum
+++ b/go.sum
@@ -3,6 +3,8 @@ berty.tech/go-libtor v1.0.385/go.mod h1:9swOOQVb+kmvuAlsgWUK/4c52pm69AdbJsxLzk+f
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Dreamacro/clash v1.11.8 h1:t/sy3/tiihRlvV3SsliYFjj8rKpbLw5IJ2PymiHcwS8=
 github.com/Dreamacro/clash v1.11.8/go.mod h1:LsWCcJFoKuL1C5F2c0m/1690wihTHYSU3J+im09yTwQ=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
@@ -10,6 +12,8 @@ github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHG
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/caddyserver/certmagic v0.17.1 h1:VrWANhQAj3brK7jAUKyN6XBHg56WsyorI/84Ilq1tCQ=
 github.com/caddyserver/certmagic v0.17.1/go.mod h1:pSS2aZcdKlrTZrb2DKuRafckx20o5Fz1EdDKEB8KOQM=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudflare/circl v1.2.1-0.20220831060716-4cf0150356fc h1:307gdRLiZ08dwOIKwc5lAQ19DRFaQQvdhHalyB4Asx8=
@@ -77,8 +81,6 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
@@ -93,8 +95,8 @@ github.com/klauspost/cpuid/v2 v2.1.0/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8t
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
 github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
@@ -135,8 +137,6 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e h1:5CFRo8FJbCuf5s/eTBdZpmMbn8Fe2eSMLNAYfKanA34=
 github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e/go.mod h1:qbt0dWObotCfcjAJJ9AxtFPNSDUfZF+6dCpgKEOBn/g=
 github.com/sagernet/certmagic v0.0.0-20220819042630-4a57f8b6853a h1:SE3Xn4GOQ+kxbgGa2Xp0H2CCsx1o2pVTt0f+hmfuHH4=
 github.com/sagernet/certmagic v0.0.0-20220819042630-4a57f8b6853a/go.mod h1:Q+ZXyesnkjV5B70B1ixk65ecKrlJ2jz0atv3fPKsVVo=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
@@ -145,18 +145,20 @@ github.com/sagernet/quic-go v0.0.0-20220818150011-de611ab3e2bb h1:wc0yQ+SBn4TaTY
 github.com/sagernet/quic-go v0.0.0-20220818150011-de611ab3e2bb/go.mod h1:MIccjRKnPTjWwAOpl+AUGWOkzyTd9tERytudxu+1ra4=
 github.com/sagernet/sing v0.0.0-20220812082120-05f9836bff8f/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
-github.com/sagernet/sing v0.0.0-20220910144724-62c4ebdbcb3f h1:w1TJq7Lw3It35tDyMsZLtYz4T2msf1UK9JxC85L5+sk=
+github.com/sagernet/sing v0.0.0-20220925112014-b12b8b7fd220 h1:fQk/BHOeHw5murjeNTdmkXmDy9cMlbubRINRH7GDuu4=
-github.com/sagernet/sing v0.0.0-20220910144724-62c4ebdbcb3f/go.mod h1:kZvzh1VDa/Dg/Bt5WaYKU0jl5ept8KKDpl3Ay4gRtRQ=
+github.com/sagernet/sing v0.0.0-20220925112014-b12b8b7fd220/go.mod h1:5/u6RMDMoGIkSNtrZb41kJvyIFg3Ysn69P3WiAu8m0c=
-github.com/sagernet/sing-dns v0.0.0-20220822023312-3e086b06d666 h1:XUTocA/Ek0dFxUX+xJCWMPPFZCn2GC/uLrBjTSr1vHY=
+github.com/sagernet/sing-dns v0.0.0-20220915084601-812e0864b45b h1:cXCMNJ9heZ+c6l+qUcku60x9KyXo4SOAaJfg/6spOmU=
-github.com/sagernet/sing-dns v0.0.0-20220822023312-3e086b06d666/go.mod h1:eDyH7AJmqBGjZQdQmpZIzlbTREudZuWDExMuGKgjRVM=
+github.com/sagernet/sing-dns v0.0.0-20220915084601-812e0864b45b/go.mod h1:SrvWLfOSlnFmH32CWXicfilAGgIXR0VjrH6yRbuXYww=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6 h1:JJfDeYYhWunvtxsU/mOVNTmFQmnzGx9dY034qG6G3g4=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6/go.mod h1:EX3RbZvrwAkPI2nuGa78T2iQXmrkT+/VQtskjou42xM=
-github.com/sagernet/sing-tun v0.0.0-20220909114108-a6b5a9289ecb h1:/swVU2mgwDwZ9l67v1Sim1ias/ZmriGTxQLnMakPhtQ=
+github.com/sagernet/sing-tun v0.0.0-20220925112147-6bad0c2380ca h1:Owgx9izFNYyMyUZ61td+mL3vumBhJz4zNismYlCyQbw=
-github.com/sagernet/sing-tun v0.0.0-20220909114108-a6b5a9289ecb/go.mod h1:5AhPUv9jWDQ3pv3Mj78SL/1TSjhoaj6WNASxRKLqXqM=
+github.com/sagernet/sing-tun v0.0.0-20220925112147-6bad0c2380ca/go.mod h1:ftP5VXlp3RJO5+WS3mPFk7jB9B/K/QrPEZX3BUORGQY=
-github.com/sagernet/sing-vmess v0.0.0-20220907073918-72d7fdf6825f h1:6l9aXZqAl1JqXJWi89KHpWnM/moQUPGG+XiwMc+yD0A=
+github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685 h1:AZzFNRR/ZwMTceUQ1b/mxx6oyKqmFymdMn/yleJmoVM=
-github.com/sagernet/sing-vmess v0.0.0-20220907073918-72d7fdf6825f/go.mod h1:u66Vv7NHXJWfeAmhh7JuJp/cwxmuQlM56QoZ7B7Mmd0=
+github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685/go.mod h1:bwhAdSNET1X+j9DOXGj9NIQR39xgcWIk1rOQ9lLD+gM=
-github.com/sagernet/smux v0.0.0-20220907034654-1acb8471c15a h1:GCNwsN8MEckpjGJjK3qjQBQ9qHsoXB9B/KHUWBvE1V4=
+github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 h1:5VBIbVw9q7aKbrFdT83mjkyvQ+VaRsQ6yflTepfln38=
-github.com/sagernet/smux v0.0.0-20220907034654-1acb8471c15a/go.mod h1:yedWtra8nyGJ+SyI+ziwuaGMzBatbB10P1IOOZbbSK8=
+github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195/go.mod h1:yedWtra8nyGJ+SyI+ziwuaGMzBatbB10P1IOOZbbSK8=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e h1:7uw2njHFGE+VpWamge6o56j2RWk4omF6uLKKxMmcWvs=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e/go.mod h1:45TUl8+gH4SIKr4ykREbxKWTxkDlSzFENzctB1dVRRY=
 github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU=
 github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -186,16 +188,16 @@ go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9i
 go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
 go.uber.org/zap v1.22.0 h1:Zcye5DUgBloQ9BaT4qc9BnjOFog5TvBSAGkJ3Nf70c0=
 go.uber.org/zap v1.22.0/go.mod h1:H4siCOZOrAolnUPJEkfaSjDqyP+BDS0DdDWzwcgt3+U=
-go4.org/netipx v0.0.0-20220812043211-3cc044ffd68d h1:ggxwEf5eu0l8v+87VhX1czFh8zJul3hK16Gmruxn7hw=
+go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab h1:+yW1yrZ09EYNu1spCUOHBBNRbrLnfmutwyhbhCv3b6Q=
-go4.org/netipx v0.0.0-20220812043211-3cc044ffd68d/go.mod h1:tgPU4N2u9RByaTN3NC2p9xOzyFpte4jYwsIIRF7XlSc=
+go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab/go.mod h1:tgPU4N2u9RByaTN3NC2p9xOzyFpte4jYwsIIRF7XlSc=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 h1:Y/gsMcFOcR+6S6f3YeMKl5g+dZMEWqcz5Czj/GWYbkM=
+golang.org/x/crypto v0.0.0-20220924013350-4ba4fb4dd9e7 h1:WJywXQVIb56P2kAvXeMGTIgQ1ZHQxR60+F9dLsodECc=
-golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220924013350-4ba4fb4dd9e7/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA=
 golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA=
@@ -227,8 +229,8 @@ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211111160137-58aab5ef257a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI=
+golang.org/x/net v0.0.0-20220923203811-8be639271d50 h1:vKyz8L3zkd+xrMeIaBsQ/MNVPVFSffdaU3ZyYlBGFnI=
-golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.0.0-20220923203811-8be639271d50/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -236,8 +238,8 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde h1:ejfdSekXMDxDLbRrJMwUk6KnSLZ2McaUCVcIKM+N6jc=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -262,8 +264,8 @@ golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220909162455-aba9fc2a8ff2 h1:wM1k/lXfpc5HdkJJyW9GELpd8ERGdnh8sMGL6Gzq3Ho=
+golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8 h1:h+EGohizhe9XlX18rfpa8k8RAc5XyaeamM+0VHRd4lc=
-golang.org/x/sys v0.0.0-20220909162455-aba9fc2a8ff2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -295,8 +297,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20220904105730-b51010ba13f0 h1:5ZkdpbduT/g+9OtbSDvbF3KvfQG45CtH/ppO8FUmvCQ=
+golang.zx2c4.com/wireguard v0.0.0-20220829161405-d1d08426b27b h1:qgrKnOfe1zyURRNdmDlGbN32i38Zjmw0B1+TMdHcOvg=
-golang.zx2c4.com/wireguard v0.0.0-20220904105730-b51010ba13f0/go.mod h1:enML0deDxY1ux+B6ANGiwtg0yAJi1rctkTpcHNAVPyg=
+golang.zx2c4.com/wireguard v0.0.0-20220829161405-d1d08426b27b/go.mod h1:6y4CqPAy54NwiN4nC8K+R1eMpQDB1P2d25qmunh2RSA=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
--- a/inbound/default.go
+++ b/inbound/default.go
@@ -3,7 +3,6 @@ package inbound
 import (
 	"context"
 	"net"
 	"sync"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/settings"
@@ -42,7 +41,6 @@ type myInboundAdapter struct {
 	tcpListener          net.Listener
 	udpConn              *net.UDPConn
 	udpAddr              M.Socksaddr
 	packetAccess         sync.RWMutex
 	packetOutboundClosed chan struct{}
 	packetOutbound       chan *myInboundPacket
 }
@@ -143,13 +141,13 @@ func (a *myInboundAdapter) createMetadata(conn net.Conn, metadata adapter.Inboun
 	metadata.SniffOverrideDestination = a.listenOptions.SniffOverrideDestination
 	metadata.DomainStrategy = dns.DomainStrategy(a.listenOptions.DomainStrategy)
 	if !metadata.Source.IsValid() {
-		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr())
+		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
 	}
 	if !metadata.Destination.IsValid() {
-		metadata.Destination = M.SocksaddrFromNet(conn.LocalAddr())
+		metadata.Destination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
 	}
 	if tcpConn, isTCP := common.Cast[*net.TCPConn](conn); isTCP {
-		metadata.OriginDestination = M.SocksaddrFromNet(tcpConn.LocalAddr())
+		metadata.OriginDestination = M.SocksaddrFromNet(tcpConn.LocalAddr()).Unwrap()
 	}
 	return metadata
 }
--- a/inbound/default_udp.go
+++ b/inbound/default_udp.go
@@ -54,7 +54,7 @@ func (a *myInboundAdapter) loopUDPIn() {
 		metadata.SniffEnabled = a.listenOptions.SniffEnabled
 		metadata.SniffOverrideDestination = a.listenOptions.SniffOverrideDestination
 		metadata.DomainStrategy = dns.DomainStrategy(a.listenOptions.DomainStrategy)
-		metadata.Source = M.SocksaddrFromNetIP(addr)
+		metadata.Source = M.SocksaddrFromNetIP(addr).Unwrap()
 		metadata.OriginDestination = a.udpAddr
 		err = a.packetHandler.NewPacket(a.ctx, packetService, buffer, metadata)
 		if err != nil {
@@ -86,7 +86,7 @@ func (a *myInboundAdapter) loopUDPOOBIn() {
 		metadata.SniffEnabled = a.listenOptions.SniffEnabled
 		metadata.SniffOverrideDestination = a.listenOptions.SniffOverrideDestination
 		metadata.DomainStrategy = dns.DomainStrategy(a.listenOptions.DomainStrategy)
-		metadata.Source = M.SocksaddrFromNetIP(addr)
+		metadata.Source = M.SocksaddrFromNetIP(addr).Unwrap()
 		metadata.OriginDestination = a.udpAddr
 		err = a.oobPacketHandler.NewPacket(a.ctx, packetService, buffer, oob[:oobN], metadata)
 		if err != nil {
@@ -112,7 +112,7 @@ func (a *myInboundAdapter) loopUDPInThreadSafe() {
 		metadata.SniffEnabled = a.listenOptions.SniffEnabled
 		metadata.SniffOverrideDestination = a.listenOptions.SniffOverrideDestination
 		metadata.DomainStrategy = dns.DomainStrategy(a.listenOptions.DomainStrategy)
-		metadata.Source = M.SocksaddrFromNetIP(addr)
+		metadata.Source = M.SocksaddrFromNetIP(addr).Unwrap()
 		metadata.OriginDestination = a.udpAddr
 		err = a.packetHandler.NewPacket(a.ctx, packetService, buffer, metadata)
 		if err != nil {
@@ -140,7 +140,7 @@ func (a *myInboundAdapter) loopUDPOOBInThreadSafe() {
 		metadata.SniffEnabled = a.listenOptions.SniffEnabled
 		metadata.SniffOverrideDestination = a.listenOptions.SniffOverrideDestination
 		metadata.DomainStrategy = dns.DomainStrategy(a.listenOptions.DomainStrategy)
-		metadata.Source = M.SocksaddrFromNetIP(addr)
+		metadata.Source = M.SocksaddrFromNetIP(addr).Unwrap()
 		metadata.OriginDestination = a.udpAddr
 		err = a.oobPacketHandler.NewPacket(a.ctx, packetService, buffer, oob[:oobN], metadata)
 		if err != nil {
@@ -208,17 +208,12 @@ func (s *myInboundPacketAdapter) Upstream() any {
 }
 func (s *myInboundPacketAdapter) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	s.packetAccess.RLock()
 	defer s.packetAccess.RUnlock()
 	select {
 	case s.packetOutbound <- &myInboundPacket{buffer, destination}:
 		return nil
 	case <-s.packetOutboundClosed:
 		return os.ErrClosed
 	default:
 	}
 	s.packetOutbound <- &myInboundPacket{buffer, destination}
 	return nil
 }
 func (s *myInboundPacketAdapter) Close() error {
--- a/inbound/hysteria.go
+++ b/inbound/hysteria.go
@@ -255,24 +255,25 @@ func (h *Hysteria) acceptStream(ctx context.Context, conn quic.Connection, strea
 	if err != nil {
 		return err
 	}
 	err = hysteria.WriteServerResponse(stream, hysteria.ServerResponse{
 		OK: true,
 	})
 	if err != nil {
 		return err
 	}
 	var metadata adapter.InboundContext
 	metadata.Inbound = h.tag
 	metadata.InboundType = C.TypeHysteria
 	metadata.SniffEnabled = h.listenOptions.SniffEnabled
 	metadata.SniffOverrideDestination = h.listenOptions.SniffOverrideDestination
 	metadata.DomainStrategy = dns.DomainStrategy(h.listenOptions.DomainStrategy)
-	metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr())
+	metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
-	metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr())
+	metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
-	metadata.Destination = M.ParseSocksaddrHostPort(request.Host, request.Port)
+	metadata.Destination = M.ParseSocksaddrHostPort(request.Host, request.Port).Unwrap()
 	if !request.UDP {
 		err = hysteria.WriteServerResponse(stream, hysteria.ServerResponse{
 			OK: true,
 		})
 		if err != nil {
 			return err
 		}
 		h.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
-		return h.router.RouteConnection(ctx, hysteria.NewConn(stream, metadata.Destination), metadata)
+		return h.router.RouteConnection(ctx, hysteria.NewConn(stream, metadata.Destination, false), metadata)
 	} else {
 		h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
 		var id uint32
@@ -282,6 +283,13 @@ func (h *Hysteria) acceptStream(ctx context.Context, conn quic.Connection, strea
 		h.udpSessions[id] = nCh
 		h.udpSessionId += 1
 		h.udpAccess.Unlock()
 		err = hysteria.WriteServerResponse(stream, hysteria.ServerResponse{
 			OK:           true,
 			UDPSessionID: id,
 		})
 		if err != nil {
 			return err
 		}
 		packetConn := hysteria.NewPacketConn(conn, stream, id, metadata.Destination, nCh, common.Closer(func() error {
 			h.udpAccess.Lock()
 			if ch, ok := h.udpSessions[id]; ok {
--- a/inbound/hysteria_stub.go
+++ b/inbound/hysteria_stub.go
@@ -6,11 +6,11 @@ import (
 	"context"
 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
+	I "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 )
 func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HysteriaInboundOptions) (adapter.Inbound, error) {
-	return nil, C.ErrQUICNotIncluded
+	return nil, I.ErrQUICNotIncluded
 }
--- a/inbound/naive.go
+++ b/inbound/naive.go
@@ -15,6 +15,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@@ -105,7 +106,7 @@ func (n *Naive) Start() error {
 	if common.Contains(n.network, N.NetworkUDP) {
 		err := n.configureHTTP3Listener()
-		if !C.QUIC_AVAILABLE && len(n.network) > 1 {
+		if !include.WithQUIC && len(n.network) > 1 {
 			log.Warn(E.Cause(err, "naive http3 disabled"))
 		} else if err != nil {
 			return err
--- a/inbound/naive_quic_stub.go
+++ b/inbound/naive_quic_stub.go
@@ -3,9 +3,9 @@
 package inbound
 import (
-	C "github.com/sagernet/sing-box/constant"
+	I "github.com/sagernet/sing-box/include"
 )
 func (n *Naive) configureHTTP3Listener() error {
-	return C.ErrQUICNotIncluded
+	return I.ErrQUICNotIncluded
 }
--- a/inbound/tproxy.go
+++ b/inbound/tproxy.go
@@ -75,7 +75,7 @@ func (t *TProxy) Start() error {
 }
 func (t *TProxy) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	metadata.Destination = M.SocksaddrFromNet(conn.LocalAddr())
+	metadata.Destination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
 	return t.newConnection(ctx, conn, metadata)
 }
@@ -84,14 +84,15 @@ func (t *TProxy) NewPacket(ctx context.Context, conn N.PacketConn, buffer *buf.B
 	if err != nil {
 		return E.Cause(err, "get tproxy destination")
 	}
-	metadata.Destination = M.SocksaddrFromNetIP(destination)
+	metadata.Destination = M.SocksaddrFromNetIP(destination).Unwrap()
 	t.udpNat.NewContextPacket(ctx, metadata.Source.AddrPort(), buffer, adapter.UpstreamMetadata(metadata), func(natConn N.PacketConn) (context.Context, N.PacketWriter) {
-		return adapter.WithContext(log.ContextWithNewID(ctx), &metadata), &tproxyPacketWriter{source: natConn}
+		return adapter.WithContext(log.ContextWithNewID(ctx), &metadata), &tproxyPacketWriter{ctx: ctx, source: natConn, destination: metadata.Destination}
 	})
 	return nil
 }
 type tproxyPacketWriter struct {
 	ctx         context.Context
 	source      N.PacketConn
 	destination M.Socksaddr
 	conn        *net.UDPConn
@@ -99,25 +100,27 @@ type tproxyPacketWriter struct {
 func (w *tproxyPacketWriter) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	defer buffer.Release()
-	var udpConn *net.UDPConn
+	if w.destination == destination && w.conn != nil {
 		_, err := w.conn.WriteToUDPAddrPort(buffer.Bytes(), M.AddrPortFromNet(w.source.LocalAddr()))
 		if err == nil {
 			w.conn = nil
 		}
 		return err
 	}
 	var listener net.ListenConfig
 	listener.Control = control.Append(listener.Control, control.ReuseAddr())
 	listener.Control = control.Append(listener.Control, redir.TProxyWriteBack())
 	packetConn, err := listener.ListenPacket(w.ctx, "udp", destination.String())
 	if err != nil {
 		return err
 	}
 	udpConn := packetConn.(*net.UDPConn)
 	if w.destination == destination {
-		if w.conn != nil {
+		w.conn = udpConn
-			udpConn = w.conn
+	} else {
-		}
+		defer udpConn.Close()
 	}
-	if udpConn == nil {
+	return common.Error(udpConn.WriteToUDPAddrPort(buffer.Bytes(), M.AddrPortFromNet(w.source.LocalAddr())))
 		var err error
 		udpConn, err = redir.DialUDP(destination.UDPAddr(), M.SocksaddrFromNet(w.source.LocalAddr()).UDPAddr())
 		if err != nil {
 			return E.Cause(err, "tproxy udp write back")
 		}
 		if w.destination == destination {
 			w.conn = udpConn
 		} else {
 			defer udpConn.Close()
 		}
 	}
 	return common.Error(udpConn.Write(buffer.Bytes()))
 }
 func (w *tproxyPacketWriter) Close() error {
--- a/inbound/tun.go
+++ b/inbound/tun.go
@@ -190,7 +190,7 @@ func (t *Tun) NewConnection(ctx context.Context, conn net.Conn, upstreamMetadata
 	if err != nil {
 		t.NewError(ctx, err)
 	}
-	return err
+	return nil
 }
 func (t *Tun) NewPacketConnection(ctx context.Context, conn N.PacketConn, upstreamMetadata M.Metadata) error {
@@ -212,7 +212,7 @@ func (t *Tun) NewPacketConnection(ctx context.Context, conn N.PacketConn, upstre
 	if err != nil {
 		t.NewError(ctx, err)
 	}
-	return err
+	return nil
 }
 func (t *Tun) NewError(ctx context.Context, err error) {
--- a/include/quic.go
+++ b/include/quic.go
@@ -0,0 +1,7 @@
 //go:build with_quic
 package include
 import _ "github.com/sagernet/sing-dns/quic"
 const WithQUIC = true
--- a/include/quic_stub.go
+++ b/include/quic_stub.go
@@ -0,0 +1,21 @@
 //go:build !with_quic
 package include
 import (
 	"context"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 )
 const WithQUIC = false
 var ErrQUICNotIncluded = E.New(`QUIC is not included in this build, rebuild with -tags with_quic`)
 func init() {
 	dns.RegisterTransport([]string{"quic", "h3"}, func(ctx context.Context, dialer N.Dialer, link string) (dns.Transport, error) {
 		return nil, ErrQUICNotIncluded
 	})
 }
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -84,10 +84,13 @@ nav:
          - WireGuard: configuration/outbound/wireguard.md
          - Hysteria: configuration/outbound/hysteria.md
          - ShadowTLS: configuration/outbound/shadowtls.md
          - ShadowsocksR: configuration/outbound/shadowsocksr.md
          - VLESS: configuration/outbound/vless.md
          - Tor: configuration/outbound/tor.md
          - SSH: configuration/outbound/ssh.md
          - DNS: configuration/outbound/dns.md
          - Selector: configuration/outbound/selector.md
          - URLTest: configuration/outbound/urltest.md
  - FAQ:
      - faq/index.md
      - Known Issues: faq/known-issues.md
--- a/option/clash.go
+++ b/option/clash.go
@@ -14,3 +14,10 @@ type SelectorOutboundOptions struct {
 	Outbounds []string `json:"outbounds"`
 	Default   string   `json:"default,omitempty"`
 }
 type URLTestOutboundOptions struct {
 	Outbounds []string `json:"outbounds"`
 	URL       string   `json:"url,omitempty"`
 	Interval  Duration `json:"interval,omitempty"`
 	Tolerance uint16   `json:"tolerance,omitempty"`
 }
--- a/option/outbound.go
+++ b/option/outbound.go
@@ -8,20 +8,23 @@ import (
 )
 type _Outbound struct {
-	Type               string                     `json:"type"`
+	Type                string                      `json:"type"`
-	Tag                string                     `json:"tag,omitempty"`
+	Tag                 string                      `json:"tag,omitempty"`
-	DirectOptions      DirectOutboundOptions      `json:"-"`
+	DirectOptions       DirectOutboundOptions       `json:"-"`
-	SocksOptions       SocksOutboundOptions       `json:"-"`
+	SocksOptions        SocksOutboundOptions        `json:"-"`
-	HTTPOptions        HTTPOutboundOptions        `json:"-"`
+	HTTPOptions         HTTPOutboundOptions         `json:"-"`
-	ShadowsocksOptions ShadowsocksOutboundOptions `json:"-"`
+	ShadowsocksOptions  ShadowsocksOutboundOptions  `json:"-"`
-	VMessOptions       VMessOutboundOptions       `json:"-"`
+	VMessOptions        VMessOutboundOptions        `json:"-"`
-	TrojanOptions      TrojanOutboundOptions      `json:"-"`
+	TrojanOptions       TrojanOutboundOptions       `json:"-"`
-	WireGuardOptions   WireGuardOutboundOptions   `json:"-"`
+	WireGuardOptions    WireGuardOutboundOptions    `json:"-"`
-	HysteriaOptions    HysteriaOutboundOptions    `json:"-"`
+	HysteriaOptions     HysteriaOutboundOptions     `json:"-"`
-	TorOptions         TorOutboundOptions         `json:"-"`
+	TorOptions          TorOutboundOptions          `json:"-"`
-	SSHOptions         SSHOutboundOptions         `json:"-"`
+	SSHOptions          SSHOutboundOptions          `json:"-"`
-	ShadowTLSOptions   ShadowTLSOutboundOptions   `json:"-"`
+	ShadowTLSOptions    ShadowTLSOutboundOptions    `json:"-"`
-	SelectorOptions    SelectorOutboundOptions    `json:"-"`
+	ShadowsocksROptions ShadowsocksROutboundOptions `json:"-"`
 	VLESSOptions        VLESSOutboundOptions        `json:"-"`
 	SelectorOptions     SelectorOutboundOptions     `json:"-"`
 	URLTestOptions      URLTestOutboundOptions      `json:"-"`
 }
 type Outbound _Outbound
@@ -53,8 +56,14 @@ func (h Outbound) MarshalJSON() ([]byte, error) {
 		v = h.SSHOptions
 	case C.TypeShadowTLS:
 		v = h.ShadowTLSOptions
 	case C.TypeShadowsocksR:
 		v = h.ShadowsocksROptions
 	case C.TypeVLESS:
 		v = h.VLESSOptions
 	case C.TypeSelector:
 		v = h.SelectorOptions
 	case C.TypeURLTest:
 		v = h.URLTestOptions
 	default:
 		return nil, E.New("unknown outbound type: ", h.Type)
 	}
@@ -92,8 +101,14 @@ func (h *Outbound) UnmarshalJSON(bytes []byte) error {
 		v = &h.SSHOptions
 	case C.TypeShadowTLS:
 		v = &h.ShadowTLSOptions
 	case C.TypeShadowsocksR:
 		v = &h.ShadowsocksROptions
 	case C.TypeVLESS:
 		v = &h.VLESSOptions
 	case C.TypeSelector:
 		v = &h.SelectorOptions
 	case C.TypeURLTest:
 		v = &h.URLTestOptions
 	default:
 		return E.New("unknown outbound type: ", h.Type)
 	}
@@ -105,17 +120,18 @@ func (h *Outbound) UnmarshalJSON(bytes []byte) error {
 }
 type DialerOptions struct {
-	Detour         string         `json:"detour,omitempty"`
+	Detour             string         `json:"detour,omitempty"`
-	BindInterface  string         `json:"bind_interface,omitempty"`
+	BindInterface      string         `json:"bind_interface,omitempty"`
-	BindAddress    *ListenAddress `json:"bind_address,omitempty"`
+	BindAddress        *ListenAddress `json:"bind_address,omitempty"`
-	ProtectPath    string         `json:"protect_path,omitempty"`
+	ProtectPath        string         `json:"protect_path,omitempty"`
-	RoutingMark    int            `json:"routing_mark,omitempty"`
+	RoutingMark        int            `json:"routing_mark,omitempty"`
-	ReuseAddr      bool           `json:"reuse_addr,omitempty"`
+	ReuseAddr          bool           `json:"reuse_addr,omitempty"`
-	ConnectTimeout Duration       `json:"connect_timeout,omitempty"`
+	ConnectTimeout     Duration       `json:"connect_timeout,omitempty"`
-	TCPFastOpen    bool           `json:"tcp_fast_open,omitempty"`
+	TCPFastOpen        bool           `json:"tcp_fast_open,omitempty"`
-	UDPFragment    bool           `json:"udp_fragment,omitempty"`
+	UDPFragment        *bool          `json:"udp_fragment,omitempty"`
-	DomainStrategy DomainStrategy `json:"domain_strategy,omitempty"`
+	UDPFragmentDefault bool           `json:"-"`
-	FallbackDelay  Duration       `json:"fallback_delay,omitempty"`
+	DomainStrategy     DomainStrategy `json:"domain_strategy,omitempty"`
 	FallbackDelay      Duration       `json:"fallback_delay,omitempty"`
 }
 type ServerOptions struct {
--- a/option/shadowsocks.go
+++ b/option/shadowsocks.go
@@ -26,6 +26,8 @@ type ShadowsocksOutboundOptions struct {
 	ServerOptions
 	Method           string            `json:"method"`
 	Password         string            `json:"password"`
 	Plugin           string            `json:"plugin,omitempty"`
 	PluginOptions    string            `json:"plugin_opts,omitempty"`
 	Network          NetworkList       `json:"network,omitempty"`
 	UoT              bool              `json:"udp_over_tcp,omitempty"`
 	MultiplexOptions *MultiplexOptions `json:"multiplex,omitempty"`
--- a/option/shadowsocksr.go
+++ b/option/shadowsocksr.go
@@ -0,0 +1,13 @@
 package option
 type ShadowsocksROutboundOptions struct {
 	DialerOptions
 	ServerOptions
 	Method        string      `json:"method"`
 	Password      string      `json:"password"`
 	Obfs          string      `json:"obfs,omitempty"`
 	ObfsParam     string      `json:"obfs_param,omitempty"`
 	Protocol      string      `json:"protocol,omitempty"`
 	ProtocolParam string      `json:"protocol_param,omitempty"`
 	Network       NetworkList `json:"network,omitempty"`
 }
--- a/option/tls.go
+++ b/option/tls.go
@@ -3,6 +3,7 @@ package option
 type InboundTLSOptions struct {
 	Enabled         bool                `json:"enabled,omitempty"`
 	ServerName      string              `json:"server_name,omitempty"`
 	Insecure        bool                `json:"insecure,omitempty"`
 	ALPN            Listable[string]    `json:"alpn,omitempty"`
 	MinVersion      string              `json:"min_version,omitempty"`
 	MaxVersion      string              `json:"max_version,omitempty"`
--- a/option/vless.go
+++ b/option/vless.go
@@ -0,0 +1,11 @@
 package option
 type VLESSOutboundOptions struct {
 	DialerOptions
 	ServerOptions
 	UUID           string                 `json:"uuid"`
 	Network        NetworkList            `json:"network,omitempty"`
 	TLS            *OutboundTLSOptions    `json:"tls,omitempty"`
 	Transport      *V2RayTransportOptions `json:"transport,omitempty"`
 	PacketEncoding string                 `json:"packet_encoding,omitempty"`
 }
--- a/option/vmess.go
+++ b/option/vmess.go
@@ -23,7 +23,7 @@ type VMessOutboundOptions struct {
 	AuthenticatedLength bool                   `json:"authenticated_length,omitempty"`
 	Network             NetworkList            `json:"network,omitempty"`
 	TLS                 *OutboundTLSOptions    `json:"tls,omitempty"`
-	PacketAddr          bool                   `json:"packet_addr,omitempty"`
+	PacketEncoding      string                 `json:"packet_encoding,omitempty"`
 	Multiplex           *MultiplexOptions      `json:"multiplex,omitempty"`
 	Transport           *V2RayTransportOptions `json:"transport,omitempty"`
 }
--- a/outbound/builder.go
+++ b/outbound/builder.go
@@ -41,8 +41,14 @@ func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, o
 		return NewSSH(ctx, router, logger, options.Tag, options.SSHOptions)
 	case C.TypeShadowTLS:
 		return NewShadowTLS(ctx, router, logger, options.Tag, options.ShadowTLSOptions)
 	case C.TypeShadowsocksR:
 		return NewShadowsocksR(ctx, router, logger, options.Tag, options.ShadowsocksROptions)
 	case C.TypeVLESS:
 		return NewVLESS(ctx, router, logger, options.Tag, options.VLESSOptions)
 	case C.TypeSelector:
 		return NewSelector(router, logger, options.Tag, options.SelectorOptions)
 	case C.TypeURLTest:
 		return NewURLTest(router, logger, options.Tag, options.URLTestOptions)
 	default:
 		return nil, E.New("unknown outbound type: ", options.Type)
 	}
--- a/outbound/direct.go
+++ b/outbound/direct.go
@@ -35,6 +35,7 @@ type Direct struct {
 }
 func NewDirect(router adapter.Router, logger log.ContextLogger, tag string, options option.DirectOutboundOptions) (*Direct, error) {
 	options.UDPFragmentDefault = true
 	outbound := &Direct{
 		myOutboundAdapter: myOutboundAdapter{
 			protocol: C.TypeDirect,
--- a/outbound/dns.go
+++ b/outbound/dns.go
@@ -16,7 +16,7 @@ import (
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/task"
-	"golang.org/x/net/dns/dnsmessage"
+	mDNS "github.com/miekg/dns"
 )
 var _ adapter.Outbound = (*DNS)(nil)
@@ -72,7 +72,7 @@ func (d *DNS) handleConnection(ctx context.Context, conn net.Conn, metadata adap
 	if err != nil {
 		return err
 	}
-	var message dnsmessage.Message
+	var message mDNS.Msg
 	err = message.Unpack(buffer.Bytes())
 	if err != nil {
 		return err
@@ -88,7 +88,7 @@ func (d *DNS) handleConnection(ctx context.Context, conn net.Conn, metadata adap
 		responseBuffer := common.Dup(_responseBuffer)
 		defer responseBuffer.Release()
 		responseBuffer.Resize(2, 0)
-		n, err := response.AppendPack(responseBuffer.Index(0))
+		n, err := response.PackBuffer(responseBuffer.FreeBytes())
 		if err != nil {
 			return err
 		}
@@ -117,7 +117,7 @@ func (d *DNS) NewPacketConnection(ctx context.Context, conn N.PacketConn, metada
 			if err != nil {
 				return err
 			}
-			var message dnsmessage.Message
+			var message mDNS.Msg
 			err = message.Unpack(buffer.Bytes())
 			if err != nil {
 				return err
@@ -131,7 +131,7 @@ func (d *DNS) NewPacketConnection(ctx context.Context, conn N.PacketConn, metada
 				}
 				timeout.Update()
 				responseBuffer := buf.NewPacket()
-				n, err := response.AppendPack(responseBuffer.Index(0))
+				n, err := response.PackBuffer(responseBuffer.FreeBytes())
 				if err != nil {
 					responseBuffer.Release()
 					return err
--- a/outbound/hysteria.go
+++ b/outbound/hysteria.go
@@ -38,6 +38,7 @@ type Hysteria struct {
 	recvBPS      uint64
 	connAccess   sync.Mutex
 	conn         quic.Connection
 	rawConn      net.Conn
 	udpAccess    sync.RWMutex
 	udpSessions  map[uint32]chan *hysteria.UDPMessage
 	udpDefragger hysteria.Defragger
@@ -149,7 +150,6 @@ func (h *Hysteria) offer(ctx context.Context) (quic.Connection, error) {
 	if err != nil {
 		return nil, err
 	}
 	h.conn = conn
 	if common.Contains(h.network, N.NetworkUDP) {
 		for _, session := range h.udpSessions {
 			close(session)
@@ -201,6 +201,8 @@ func (h *Hysteria) offerNew(ctx context.Context) (quic.Connection, error) {
 		return nil, E.New("remote error: ", serverHello.Message)
 	}
 	quicConn.SetCongestionControl(hysteria.NewBrutalSender(congestion.ByteCount(serverHello.RecvBPS)))
 	h.conn = quicConn
 	h.rawConn = udpConn
 	return quicConn, nil
 }
@@ -240,6 +242,7 @@ func (h *Hysteria) Close() error {
 	defer h.udpAccess.Unlock()
 	if h.conn != nil {
 		h.conn.CloseWithError(0, "")
 		h.rawConn.Close()
 	}
 	for _, session := range h.udpSessions {
 		close(session)
@@ -276,16 +279,7 @@ func (h *Hysteria) DialContext(ctx context.Context, network string, destination
 			stream.Close()
 			return nil, err
 		}
-		response, err := hysteria.ReadServerResponse(stream)
+		return hysteria.NewConn(stream, destination, true), nil
 		if err != nil {
 			stream.Close()
 			return nil, err
 		}
 		if !response.OK {
 			stream.Close()
 			return nil, E.New("remote error: ", response.Message)
 		}
 		return hysteria.NewConn(stream, destination), nil
 	case N.NetworkUDP:
 		conn, err := h.ListenPacket(ctx, destination)
 		if err != nil {
--- a/outbound/hysteria_stub.go
+++ b/outbound/hysteria_stub.go
@@ -6,11 +6,11 @@ import (
 	"context"
 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
+	I "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 )
 func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HysteriaOutboundOptions) (adapter.Outbound, error) {
-	return nil, C.ErrQUICNotIncluded
+	return nil, I.ErrQUICNotIncluded
 }
--- a/outbound/shadowsocks.go
+++ b/outbound/shadowsocks.go
@@ -10,6 +10,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/sip003"
 	"github.com/sagernet/sing-shadowsocks"
 	"github.com/sagernet/sing-shadowsocks/shadowimpl"
 	"github.com/sagernet/sing/common"
@@ -27,6 +28,7 @@ type Shadowsocks struct {
 	dialer          N.Dialer
 	method          shadowsocks.Method
 	serverAddr      M.Socksaddr
 	plugin          sip003.Plugin
 	uot             bool
 	multiplexDialer N.Dialer
 }
@@ -49,6 +51,12 @@ func NewShadowsocks(ctx context.Context, router adapter.Router, logger log.Conte
 		serverAddr: options.ServerOptions.Build(),
 		uot:        options.UoT,
 	}
 	if options.Plugin != "" {
 		outbound.plugin, err = sip003.CreatePlugin(options.Plugin, options.PluginOptions, router, outbound.dialer, outbound.serverAddr)
 		if err != nil {
 			return nil, err
 		}
 	}
 	if !options.UoT {
 		outbound.multiplexDialer, err = mux.NewClientWithOptions(ctx, (*shadowsocksDialer)(outbound), common.PtrValueOrDefault(options.MultiplexOptions))
 		if err != nil {
@@ -135,7 +143,13 @@ type shadowsocksDialer Shadowsocks
 func (h *shadowsocksDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
-		outConn, err := h.dialer.DialContext(ctx, N.NetworkTCP, h.serverAddr)
+		var outConn net.Conn
 		var err error
 		if h.plugin != nil {
 			outConn, err = h.plugin.DialContext(ctx)
 		} else {
 			outConn, err = h.dialer.DialContext(ctx, N.NetworkTCP, h.serverAddr)
 		}
 		if err != nil {
 			return nil, err
 		}
--- a/outbound/shadowsocksr.go
+++ b/outbound/shadowsocksr.go
@@ -0,0 +1,182 @@
 //go:build with_shadowsocksr
 package outbound
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/clashssr/obfs"
 	"github.com/sagernet/sing-box/transport/clashssr/protocol"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/Dreamacro/clash/transport/shadowsocks/core"
 	"github.com/Dreamacro/clash/transport/shadowsocks/shadowstream"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
 var _ adapter.Outbound = (*ShadowsocksR)(nil)
 type ShadowsocksR struct {
 	myOutboundAdapter
 	dialer     N.Dialer
 	serverAddr M.Socksaddr
 	cipher     core.Cipher
 	obfs       obfs.Obfs
 	protocol   protocol.Protocol
 }
 func NewShadowsocksR(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowsocksROutboundOptions) (*ShadowsocksR, error) {
 	outbound := &ShadowsocksR{
 		myOutboundAdapter: myOutboundAdapter{
 			protocol: C.TypeShadowsocksR,
 			network:  options.Network.Build(),
 			router:   router,
 			logger:   logger,
 			tag:      tag,
 		},
 		dialer:     dialer.New(router, options.DialerOptions),
 		serverAddr: options.ServerOptions.Build(),
 	}
 	var cipher string
 	var err error
 	switch options.Method {
 	case "none":
 		cipher = "dummy"
 	default:
 		cipher = options.Method
 	}
 	outbound.cipher, err = core.PickCipher(cipher, nil, options.Password)
 	if err != nil {
 		return nil, err
 	}
 	var (
 		ivSize int
 		key    []byte
 	)
 	if cipher == "dummy" {
 		ivSize = 0
 		key = core.Kdf(options.Password, 16)
 	} else {
 		streamCipher, ok := outbound.cipher.(*core.StreamCipher)
 		if !ok {
 			return nil, fmt.Errorf("%s is not none or a supported stream cipher in ssr", cipher)
 		}
 		ivSize = streamCipher.IVSize()
 		key = streamCipher.Key
 	}
 	obfs, obfsOverhead, err := obfs.PickObfs(options.Obfs, &obfs.Base{
 		Host:   options.Server,
 		Port:   int(options.ServerPort),
 		Key:    key,
 		IVSize: ivSize,
 		Param:  options.ObfsParam,
 	})
 	if err != nil {
 		return nil, E.Cause(err, "initialize obfs")
 	}
 	protocol, err := protocol.PickProtocol(options.Protocol, &protocol.Base{
 		Key:      key,
 		Overhead: obfsOverhead,
 		Param:    options.ProtocolParam,
 	})
 	if err != nil {
 		return nil, E.Cause(err, "initialize protocol")
 	}
 	outbound.obfs = obfs
 	outbound.protocol = protocol
 	return outbound, nil
 }
 func (h *ShadowsocksR) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	switch network {
 	case N.NetworkTCP:
 		h.logger.InfoContext(ctx, "outbound connection to ", destination)
 		conn, err := h.dialer.DialContext(ctx, network, h.serverAddr)
 		if err != nil {
 			return nil, err
 		}
 		conn = h.cipher.StreamConn(h.obfs.StreamConn(conn))
 		writeIv, err := conn.(*shadowstream.Conn).ObtainWriteIV()
 		if err != nil {
 			return nil, err
 		}
 		conn = h.protocol.StreamConn(conn, writeIv)
 		err = M.SocksaddrSerializer.WriteAddrPort(conn, destination)
 		if err != nil {
 			return nil, E.Cause(err, "write request")
 		}
 		return conn, nil
 	case N.NetworkUDP:
 		conn, err := h.ListenPacket(ctx, destination)
 		if err != nil {
 			return nil, err
 		}
 		return &bufio.BindPacketConn{PacketConn: conn, Addr: destination}, nil
 	default:
 		return nil, E.Extend(N.ErrUnknownNetwork, network)
 	}
 }
 func (h *ShadowsocksR) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	outConn, err := h.dialer.DialContext(ctx, N.NetworkUDP, h.serverAddr)
 	if err != nil {
 		return nil, err
 	}
 	packetConn := h.cipher.PacketConn(bufio.NewUnbindPacketConn(outConn))
 	packetConn = h.protocol.PacketConn(packetConn)
 	packetConn = &ssPacketConn{packetConn, outConn.RemoteAddr()}
 	return packetConn, nil
 }
 func (h *ShadowsocksR) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	return NewConnection(ctx, h, conn, metadata)
 }
 func (h *ShadowsocksR) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return NewPacketConnection(ctx, h, conn, metadata)
 }
 type ssPacketConn struct {
 	net.PacketConn
 	rAddr net.Addr
 }
 func (spc *ssPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
 	packet, err := socks5.EncodeUDPPacket(socks5.ParseAddrToSocksAddr(addr), b)
 	if err != nil {
 		return
 	}
 	return spc.PacketConn.WriteTo(packet[3:], spc.rAddr)
 }
 func (spc *ssPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
 	n, _, e := spc.PacketConn.ReadFrom(b)
 	if e != nil {
 		return 0, nil, e
 	}
 	addr := socks5.SplitAddr(b[:n])
 	if addr == nil {
 		return 0, nil, errors.New("parse addr error")
 	}
 	udpAddr := addr.UDPAddr()
 	if udpAddr == nil {
 		return 0, nil, errors.New("parse addr error")
 	}
 	copy(b, b[len(addr):])
 	return n - len(addr), udpAddr, e
 }
--- a/outbound/shadowsocksr_stub.go
+++ b/outbound/shadowsocksr_stub.go
@@ -0,0 +1,16 @@
 //go:build !with_shadowsocksr
 package outbound
 import (
 	"context"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 func NewShadowsocksR(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowsocksROutboundOptions) (adapter.Outbound, error) {
 	return nil, E.New(`ShadowsocksR is not included in this build, rebuild with -tags with_shadowsocksr`)
 }
--- a/outbound/shadowtls.go
+++ b/outbound/shadowtls.go
@@ -60,7 +60,11 @@ func (s *ShadowTLS) DialContext(ctx context.Context, network string, destination
 	if err != nil {
 		return nil, err
 	}
-	return tls.ClientHandshake(ctx, conn, s.tlsConfig)
+	_, err = tls.ClientHandshake(ctx, conn, s.tlsConfig)
 	if err != nil {
 		return nil, err
 	}
 	return conn, nil
 }
 func (s *ShadowTLS) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
--- a/outbound/socks.go
+++ b/outbound/socks.go
@@ -20,8 +20,9 @@ var _ adapter.Outbound = (*Socks)(nil)
 type Socks struct {
 	myOutboundAdapter
-	client *socks.Client
+	client  *socks.Client
-	uot    bool
+	resolve bool
 	uot     bool
 }
 func NewSocks(router adapter.Router, logger log.ContextLogger, tag string, options option.SocksOutboundOptions) (*Socks, error) {
@@ -45,6 +46,7 @@ func NewSocks(router adapter.Router, logger log.ContextLogger, tag string, optio
 			tag:      tag,
 		},
 		socks.NewClient(detour, options.ServerOptions.Build(), version, options.Username, options.Password),
 		version == socks.Version4,
 		options.UoT,
 	}, nil
 }
@@ -72,6 +74,13 @@ func (h *Socks) DialContext(ctx context.Context, network string, destination M.S
 	default:
 		return nil, E.Extend(N.ErrUnknownNetwork, network)
 	}
 	if h.resolve && destination.IsFqdn() {
 		addrs, err := h.router.LookupDefault(ctx, destination.Fqdn)
 		if err != nil {
 			return nil, err
 		}
 		return N.DialSerial(ctx, h.client, network, destination, addrs)
 	}
 	return h.client.DialContext(ctx, network, destination)
 }
--- a/outbound/trojan.go
+++ b/outbound/trojan.go
@@ -103,6 +103,10 @@ func (h *Trojan) NewPacketConnection(ctx context.Context, conn N.PacketConn, met
 	return NewPacketConnection(ctx, h, conn, metadata)
 }
 func (h *Trojan) Close() error {
 	return common.Close(h.multiplexDialer, h.transport)
 }
 type trojanDialer Trojan
 func (h *trojanDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
--- a/outbound/urltest.go
+++ b/outbound/urltest.go
@@ -0,0 +1,287 @@
 package outbound
 import (
 	"context"
 	"net"
 	"sort"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/batch"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 var (
 	_ adapter.Outbound      = (*URLTest)(nil)
 	_ adapter.OutboundGroup = (*URLTest)(nil)
 )
 type URLTest struct {
 	myOutboundAdapter
 	tags      []string
 	link      string
 	interval  time.Duration
 	tolerance uint16
 	group     *URLTestGroup
 }
 func NewURLTest(router adapter.Router, logger log.ContextLogger, tag string, options option.URLTestOutboundOptions) (*URLTest, error) {
 	outbound := &URLTest{
 		myOutboundAdapter: myOutboundAdapter{
 			protocol: C.TypeURLTest,
 			router:   router,
 			logger:   logger,
 			tag:      tag,
 		},
 		tags:      options.Outbounds,
 		link:      options.URL,
 		interval:  time.Duration(options.Interval),
 		tolerance: options.Tolerance,
 	}
 	if len(outbound.tags) == 0 {
 		return nil, E.New("missing tags")
 	}
 	return outbound, nil
 }
 func (s *URLTest) Network() []string {
 	if s.group == nil {
 		return []string{N.NetworkTCP, N.NetworkUDP}
 	}
 	return s.group.Select(N.NetworkTCP).Network()
 }
 func (s *URLTest) Start() error {
 	outbounds := make([]adapter.Outbound, 0, len(s.tags))
 	for i, tag := range s.tags {
 		detour, loaded := s.router.Outbound(tag)
 		if !loaded {
 			return E.New("outbound ", i, " not found: ", tag)
 		}
 		outbounds = append(outbounds, detour)
 	}
 	s.group = NewURLTestGroup(s.router, s.logger, outbounds, s.link, s.interval, s.tolerance)
 	return s.group.Start()
 }
 func (s URLTest) Close() error {
 	return common.Close(
 		common.PtrOrNil(s.group),
 	)
 }
 func (s *URLTest) Now() string {
 	return s.group.Select(N.NetworkTCP).Tag()
 }
 func (s *URLTest) All() []string {
 	return s.tags
 }
 func (s *URLTest) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	outbound := s.group.Select(network)
 	conn, err := outbound.DialContext(ctx, network, destination)
 	if err == nil {
 		return conn, nil
 	}
 	s.logger.ErrorContext(ctx, err)
 	go s.group.checkOutbounds()
 	outbounds := s.group.Fallback(outbound)
 	for _, fallback := range outbounds {
 		conn, err = fallback.DialContext(ctx, network, destination)
 		if err == nil {
 			return conn, nil
 		}
 	}
 	return nil, err
 }
 func (s *URLTest) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	outbound := s.group.Select(N.NetworkUDP)
 	conn, err := outbound.ListenPacket(ctx, destination)
 	if err == nil {
 		return conn, nil
 	}
 	s.logger.ErrorContext(ctx, err)
 	go s.group.checkOutbounds()
 	outbounds := s.group.Fallback(outbound)
 	for _, fallback := range outbounds {
 		conn, err = fallback.ListenPacket(ctx, destination)
 		if err == nil {
 			return conn, nil
 		}
 	}
 	return nil, err
 }
 func (s *URLTest) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	return NewConnection(ctx, s, conn, metadata)
 }
 func (s *URLTest) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return NewPacketConnection(ctx, s, conn, metadata)
 }
 type URLTestGroup struct {
 	router    adapter.Router
 	logger    log.Logger
 	outbounds []adapter.Outbound
 	link      string
 	interval  time.Duration
 	tolerance uint16
 	history   *urltest.HistoryStorage
 	ticker *time.Ticker
 	close  chan struct{}
 }
 func NewURLTestGroup(router adapter.Router, logger log.Logger, outbounds []adapter.Outbound, link string, interval time.Duration, tolerance uint16) *URLTestGroup {
 	if link == "" {
 		//goland:noinspection HttpUrlsUsage
 		link = "http://www.gstatic.com/generate_204"
 	}
 	if interval == 0 {
 		interval = C.DefaultURLTestInterval
 	}
 	if tolerance == 0 {
 		tolerance = 50
 	}
 	var history *urltest.HistoryStorage
 	if clashServer := router.ClashServer(); clashServer != nil {
 		history = clashServer.HistoryStorage()
 	} else {
 		history = urltest.NewHistoryStorage()
 	}
 	return &URLTestGroup{
 		router:    router,
 		logger:    logger,
 		outbounds: outbounds,
 		link:      link,
 		interval:  interval,
 		tolerance: tolerance,
 		history:   history,
 		close:     make(chan struct{}),
 	}
 }
 func (g *URLTestGroup) Start() error {
 	g.ticker = time.NewTicker(g.interval)
 	go g.loopCheck()
 	return nil
 }
 func (g *URLTestGroup) Close() error {
 	g.ticker.Stop()
 	close(g.close)
 	return nil
 }
 func (g *URLTestGroup) Select(network string) adapter.Outbound {
 	var minDelay uint16
 	var minTime time.Time
 	var minOutbound adapter.Outbound
 	for _, detour := range g.outbounds {
 		if !common.Contains(detour.Network(), network) {
 			continue
 		}
 		history := g.history.LoadURLTestHistory(RealTag(detour))
 		if history == nil {
 			continue
 		}
 		if minDelay == 0 || minDelay > history.Delay+g.tolerance || minDelay > history.Delay-g.tolerance && minTime.Before(history.Time) {
 			minDelay = history.Delay
 			minTime = history.Time
 			minOutbound = detour
 		}
 	}
 	if minOutbound == nil {
 		for _, detour := range g.outbounds {
 			if !common.Contains(detour.Network(), network) {
 				continue
 			}
 			minOutbound = detour
 			break
 		}
 	}
 	return minOutbound
 }
 func (g *URLTestGroup) Fallback(used adapter.Outbound) []adapter.Outbound {
 	outbounds := make([]adapter.Outbound, 0, len(g.outbounds)-1)
 	for _, detour := range g.outbounds {
 		if detour != used {
 			outbounds = append(outbounds, detour)
 		}
 	}
 	sort.Slice(outbounds, func(i, j int) bool {
 		oi := outbounds[i]
 		oj := outbounds[j]
 		hi := g.history.LoadURLTestHistory(RealTag(oi))
 		if hi == nil {
 			return false
 		}
 		hj := g.history.LoadURLTestHistory(RealTag(oj))
 		if hj == nil {
 			return false
 		}
 		return hi.Delay < hj.Delay
 	})
 	return outbounds
 }
 func (g *URLTestGroup) loopCheck() {
 	go g.checkOutbounds()
 	for {
 		select {
 		case <-g.close:
 			return
 		case <-g.ticker.C:
 			g.checkOutbounds()
 		}
 	}
 }
 func (g *URLTestGroup) checkOutbounds() {
 	b, _ := batch.New(context.Background(), batch.WithConcurrencyNum[any](10))
 	checked := make(map[string]bool)
 	for _, detour := range g.outbounds {
 		tag := detour.Tag()
 		realTag := RealTag(detour)
 		if checked[realTag] {
 			continue
 		}
 		history := g.history.LoadURLTestHistory(realTag)
 		if history != nil && time.Now().Sub(history.Time) < g.interval {
 			continue
 		}
 		checked[realTag] = true
 		p, loaded := g.router.Outbound(realTag)
 		if !loaded {
 			continue
 		}
 		b.Go(realTag, func() (any, error) {
 			ctx, cancel := context.WithTimeout(context.Background(), C.TCPTimeout)
 			defer cancel()
 			t, err := urltest.URLTest(ctx, g.link, p)
 			if err != nil {
 				g.logger.Debug("outbound ", tag, " unavailable: ", err)
 				g.history.DeleteURLTestHistory(realTag)
 			} else {
 				g.logger.Debug("outbound ", tag, " available: ", t, "ms")
 				g.history.StoreURLTestHistory(realTag, &urltest.History{
 					Time:  time.Now(),
 					Delay: t,
 				})
 			}
 			return nil, nil
 		})
 	}
 	b.Wait()
 }
--- a/outbound/vless.go
+++ b/outbound/vless.go
@@ -0,0 +1,147 @@
 package outbound
 import (
 	"context"
 	"net"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/v2ray"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-vmess/packetaddr"
 	"github.com/sagernet/sing-vmess/vless"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 var _ adapter.Outbound = (*VLESS)(nil)
 type VLESS struct {
 	myOutboundAdapter
 	dialer     N.Dialer
 	client     *vless.Client
 	serverAddr M.Socksaddr
 	tlsConfig  tls.Config
 	transport  adapter.V2RayClientTransport
 	packetAddr bool
 	xudp       bool
 }
 func NewVLESS(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.VLESSOutboundOptions) (*VLESS, error) {
 	outbound := &VLESS{
 		myOutboundAdapter: myOutboundAdapter{
 			protocol: C.TypeVLESS,
 			network:  options.Network.Build(),
 			router:   router,
 			logger:   logger,
 			tag:      tag,
 		},
 		dialer:     dialer.New(router, options.DialerOptions),
 		serverAddr: options.ServerOptions.Build(),
 	}
 	var err error
 	if options.TLS != nil {
 		outbound.tlsConfig, err = tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}
 	}
 	if options.Transport != nil {
 		outbound.transport, err = v2ray.NewClientTransport(ctx, outbound.dialer, outbound.serverAddr, common.PtrValueOrDefault(options.Transport), outbound.tlsConfig)
 		if err != nil {
 			return nil, E.Cause(err, "create client transport: ", options.Transport.Type)
 		}
 	}
 	switch options.PacketEncoding {
 	case "":
 	case "packetaddr":
 		outbound.packetAddr = true
 	case "xudp":
 		outbound.xudp = true
 	default:
 		return nil, E.New("unknown packet encoding: ", options.PacketEncoding)
 	}
 	outbound.client, err = vless.NewClient(options.UUID)
 	if err != nil {
 		return nil, err
 	}
 	return outbound, nil
 }
 func (h *VLESS) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	var conn net.Conn
 	var err error
 	if h.transport != nil {
 		conn, err = h.transport.DialContext(ctx)
 	} else {
 		conn, err = h.dialer.DialContext(ctx, N.NetworkTCP, h.serverAddr)
 		if err == nil && h.tlsConfig != nil {
 			conn, err = tls.ClientHandshake(ctx, conn, h.tlsConfig)
 		}
 	}
 	if err != nil {
 		return nil, err
 	}
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
 	case N.NetworkUDP:
 	}
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
 		h.logger.InfoContext(ctx, "outbound connection to ", destination)
 		return h.client.DialEarlyConn(conn, destination), nil
 	case N.NetworkUDP:
 		h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 		return h.client.DialEarlyPacketConn(conn, destination), nil
 	default:
 		return nil, E.Extend(N.ErrUnknownNetwork, network)
 	}
 }
 func (h *VLESS) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	var conn net.Conn
 	var err error
 	if h.transport != nil {
 		conn, err = h.transport.DialContext(ctx)
 	} else {
 		conn, err = h.dialer.DialContext(ctx, N.NetworkTCP, h.serverAddr)
 		if err == nil && h.tlsConfig != nil {
 			conn, err = tls.ClientHandshake(ctx, conn, h.tlsConfig)
 		}
 	}
 	if err != nil {
 		return nil, err
 	}
 	if h.xudp {
 		return h.client.DialEarlyXUDPPacketConn(conn, destination), nil
 	} else if h.packetAddr {
 		return dialer.NewResolvePacketConn(ctx, h.router, dns.DomainStrategyAsIS, packetaddr.NewConn(h.client.DialEarlyPacketConn(conn, M.Socksaddr{Fqdn: packetaddr.SeqPacketMagicAddress}), destination)), nil
 	} else {
 		return h.client.DialEarlyPacketConn(conn, destination), nil
 	}
 }
 func (h *VLESS) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	return NewEarlyConnection(ctx, h, conn, metadata)
 }
 func (h *VLESS) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return NewPacketConnection(ctx, h, conn, metadata)
 }
 func (h *VLESS) Close() error {
 	return common.Close(h.transport)
 }
--- a/outbound/vmess.go
+++ b/outbound/vmess.go
@@ -12,6 +12,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/v2ray"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing-vmess/packetaddr"
 	"github.com/sagernet/sing/common"
@@ -31,6 +32,7 @@ type VMess struct {
 	tlsConfig       tls.Config
 	transport       adapter.V2RayClientTransport
 	packetAddr      bool
 	xudp            bool
 }
 func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.VMessOutboundOptions) (*VMess, error) {
@@ -62,8 +64,14 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 	if err != nil {
 		return nil, err
 	}
-	if outbound.multiplexDialer == nil && options.PacketAddr {
+	switch options.PacketEncoding {
 	case "":
 	case "packetaddr":
 		outbound.packetAddr = true
 	case "xudp":
 		outbound.xudp = true
 	default:
 		return nil, E.New("unknown packet encoding: ", options.PacketEncoding)
 	}
 	var clientOptions []vmess.ClientOption
 	if options.GlobalPadding {
@@ -88,7 +96,7 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 }
 func (h *VMess) Close() error {
-	return common.Close(h.transport)
+	return common.Close(h.multiplexDialer, h.transport)
 }
 func (h *VMess) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
@@ -176,7 +184,9 @@ func (h *vmessDialer) ListenPacket(ctx context.Context, destination M.Socksaddr)
 		return nil, err
 	}
 	if h.packetAddr {
-		return packetaddr.NewConn(h.client.DialEarlyPacketConn(conn, M.Socksaddr{Fqdn: packetaddr.SeqPacketMagicAddress}), destination), nil
+		return dialer.NewResolvePacketConn(ctx, h.router, dns.DomainStrategyAsIS, packetaddr.NewConn(h.client.DialEarlyPacketConn(conn, M.Socksaddr{Fqdn: packetaddr.SeqPacketMagicAddress}), destination)), nil
 	} else if h.xudp {
 		return h.client.DialEarlyXUDPPacketConn(conn, destination), nil
 	} else {
 		return h.client.DialEarlyPacketConn(conn, destination), nil
 	}
--- a/outbound/wireguard.go
+++ b/outbound/wireguard.go
@@ -16,6 +16,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/wireguard"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -98,7 +99,7 @@ func NewWireGuard(ctx context.Context, router adapter.Router, logger log.Context
 	}
 	var wireTunDevice wireguard.Device
 	var err error
-	if !options.SystemInterface {
+	if !options.SystemInterface && tun.WithGVisor {
 		wireTunDevice, err = wireguard.NewStackDevice(localPrefixes, mtu)
 	} else {
 		wireTunDevice, err = wireguard.NewSystemDevice(router, options.InterfaceName, localPrefixes, mtu)
@@ -161,9 +162,8 @@ func (w *WireGuard) Start() error {
 }
 func (w *WireGuard) Close() error {
-	return common.Close(
+	if w.device != nil {
-		w.tunDevice,
+		w.device.Close()
-		common.PtrOrNil(w.device),
+	}
-		common.PtrOrNil(w.bind),
+	return common.Close(w.tunDevice)
 	)
 }
--- a/release/local/debug.sh
+++ b/release/local/debug.sh
@@ -13,7 +13,7 @@ pushd $PROJECT
 git fetch
 git reset FETCH_HEAD --hard
 git clean -fdx
-go install -v -trimpath -ldflags "-s -w -buildid=" -tags no_gvisor,with_quic,with_acme,debug ./cmd/sing-box
+go install -v -trimpath -ldflags "-s -w -buildid=" -tags with_quic,with_acme,debug ./cmd/sing-box
 popd
 sudo systemctl stop sing-box
--- a/release/local/install.sh
+++ b/release/local/install.sh
@@ -10,7 +10,7 @@ DIR=$(dirname "$0")
 PROJECT=$DIR/../..
 pushd $PROJECT
-go install -v -trimpath -ldflags "-s -w -buildid=" -tags no_gvisor,with_quic,with_wireguard,with_acme ./cmd/sing-box
+go install -v -trimpath -ldflags "-s -w -buildid=" -tags with_quic,with_wireguard,with_acme ./cmd/sing-box
 popd
 sudo cp $(go env GOPATH)/bin/sing-box /usr/local/bin/
--- a/release/local/install_go.sh
+++ b/release/local/install_go.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -e -o pipefail
-curl -Lo go.tar.gz https://go.dev/dl/go1.19.linux-amd64.tar.gz
+curl -Lo go.tar.gz https://go.dev/dl/go1.19.1.linux-amd64.tar.gz
 sudo rm -rf /usr/local/go
 sudo tar -C /usr/local -xzf go.tar.gz
 rm go.tar.gz
--- a/release/local/reinstall.sh
+++ b/release/local/reinstall.sh
@@ -10,7 +10,7 @@ DIR=$(dirname "$0")
 PROJECT=$DIR/../..
 pushd $PROJECT
-go install -v -trimpath -ldflags "-s -w -buildid=" -tags no_gvisor,with_quic,with_wireguard,with_acme ./cmd/sing-box
+go install -v -trimpath -ldflags "-s -w -buildid=" -tags with_quic,with_wireguard,with_acme ./cmd/sing-box
 popd
 sudo systemctl stop sing-box
--- a/route/interface_finder.go
+++ b/route/interface_finder.go
@@ -0,0 +1,50 @@
 package route
 import (
 	"net"
 	"github.com/sagernet/sing/common/control"
 )
 var _ control.InterfaceFinder = (*myInterfaceFinder)(nil)
 type myInterfaceFinder struct {
 	ifs []net.Interface
 }
 func (f *myInterfaceFinder) update() error {
 	ifs, err := net.Interfaces()
 	if err != nil {
 		return err
 	}
 	f.ifs = ifs
 	return nil
 }
 func (f *myInterfaceFinder) InterfaceIndexByName(name string) (interfaceIndex int, err error) {
 	for _, netInterface := range f.ifs {
 		if netInterface.Name == name {
 			return netInterface.Index, nil
 		}
 	}
 	netInterface, err := net.InterfaceByName(name)
 	if err != nil {
 		return
 	}
 	f.update()
 	return netInterface.Index, nil
 }
 func (f *myInterfaceFinder) InterfaceNameByIndex(index int) (interfaceName string, err error) {
 	for _, netInterface := range f.ifs {
 		if netInterface.Index == index {
 			return netInterface.Name, nil
 		}
 	}
 	netInterface, err := net.InterfaceByIndex(index)
 	if err != nil {
 		return
 	}
 	f.update()
 	return netInterface.Name, nil
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	8ce244dd04	Fix documentation Signed-off-by: 世界 <i@sekai.icu> Signed-off-by: unknowndevQwQ <unknowndevQwQ@pm.me>	2022-09-26 12:25:18 +08:00
世界	0f57b93925	Update documentation	2022-09-25 22:29:18 +08:00
世界	c90a77a185	Refine 4in6 processing	2022-09-25 22:29:18 +08:00
世界	c6586f19fa	Fix read source address from grpc-go	2022-09-25 22:29:18 +08:00
世界	cbab86ae38	Refine tproxy write back	2022-09-25 22:29:18 +08:00
世界	17b5f031f1	Fix shadowsocks plugins	2022-09-25 16:43:12 +08:00
世界	b00b6b9e25	Fix fqdn socks5 outbound connection	2022-09-25 14:42:39 +08:00
世界	fb6b3b0401	Fix missing source address from transport connection	2022-09-23 18:55:28 +08:00
世界	22ea878fe9	Improve websocket writer	2022-09-23 18:55:07 +08:00
世界	abe3dc6039	Add self sign cert support	2022-09-23 17:13:18 +08:00
世界	852829b9dc	Add VMess benchmark result	2022-09-23 16:13:29 +08:00
世界	407509c985	Fix leaks and add test	2022-09-23 13:14:31 +08:00
世界	9856b73cb5	Update documentation	2022-09-23 10:30:07 +08:00
世界	f42356fbcb	Fix system stack ipv4 overflow	2022-09-23 10:29:15 +08:00
世界	d0b467671a	Merge VLESS to library	2022-09-23 10:28:51 +08:00
世界	c18c545798	Add stdio test	2022-09-23 10:28:24 +08:00
世界	693ef293ac	Update buffer usage	2022-09-23 10:27:48 +08:00
世界	a006627795	Disable DF on direct outbound by default	2022-09-23 10:27:46 +08:00
世界	0738b184e4	Fix url test interval	2022-09-23 10:27:42 +08:00
世界	42524ba04e	Fix dns sniffer	2022-09-17 16:59:28 +08:00
世界	63fc95b96d	Add mux server and XUDP client for VMess	2022-09-17 11:54:04 +08:00
世界	ab436fc137	Update documentation	2022-09-16 15:48:31 +08:00
世界	1546770bfd	Skip bind on local addr	2022-09-16 15:35:29 +08:00
世界	f4b2099488	Fix tun log	2022-09-16 15:32:50 +08:00
世界	a2c4d68031	Fix create UDP transport	2022-09-15 16:46:53 +08:00
世界	cfe14f2817	Suppress bad http2 error	2022-09-15 15:34:52 +08:00
世界	a5402ffb69	Add back urltest outbound	2022-09-15 15:22:08 +08:00
世界	4d24cf5ec4	Update documentation	2022-09-15 13:25:51 +08:00
世界	668d354771	Make gVisor optional	2022-09-15 12:24:08 +08:00
世界	ad14719b14	Fix clash api proxy type	2022-09-14 23:02:11 +08:00
世界	d9aa0a67d6	Fix port rule match logic	2022-09-14 22:03:26 +08:00
世界	92bf784f4f	Move shadowsocksr implementation to clash	2022-09-14 21:57:40 +08:00
世界	395b13103a	Fix test	2022-09-14 18:02:51 +08:00
世界	628cf56d3c	Fix close grpc conn	2022-09-14 18:02:37 +08:00
世界	ac5582537f	Add back test workflow	2022-09-14 18:02:37 +08:00
世界	9aa7a20d96	Print tags in version command	2022-09-14 18:02:37 +08:00
世界	189f02c802	Refactor bind control	2022-09-14 18:02:37 +08:00
世界	2373281c41	Fix clash store-selected	2022-09-13 17:34:37 +08:00
世界	e8f4c2d36f	Redirect clash hello to external ui	2022-09-13 17:29:57 +08:00
世界	07b6db23c1	Update install go script	2022-09-13 16:24:44 +08:00
世界	9a3360e5d0	Fix build on go1.18	2022-09-13 16:23:20 +08:00
世界	007a278ac8	Refactor to miekg/dns	2022-09-13 16:18:39 +08:00
世界	1db7f45370	Update documentation	2022-09-13 11:24:33 +08:00
世界	b271e19a23	Fix concurrent write	2022-09-13 10:41:10 +08:00
世界	79b6bdfda1	Skip wait for hysteria tcp handshake response Co-authored-by: arm64v8a <48624112+arm64v8a@users.noreply.github.com>	2022-09-13 10:40:26 +08:00
世界	38088f28b0	Add vless outbound and xudp	2022-09-12 21:59:27 +08:00
世界	dfb8b5f2fa	Fix hysteria inbound	2022-09-12 18:35:36 +08:00
世界	9913e0e025	Add shadowsocksr outbound	2022-09-12 18:35:36 +08:00
世界	ce567ffdde	Add obfs-local and v2ray-plugin support for shadowsocks outbound	2022-09-12 14:55:00 +08:00
世界	5a9913eca5	Fix socks4 client	2022-09-12 11:33:38 +08:00
世界	eaf1ace681	Update documentation	2022-09-11 22:48:42 +08:00
世界	a2d1f89922	Add custom tls client support for v2ray h2/grpclite transports	2022-09-11 22:44:35 +08:00
世界	7e09beb0c3	Minor fixes	2022-09-11 22:44:35 +08:00