documentation: Bump version

Signed-off-by: 气息 <qdshizh@gmail.com>

.github/workflows/docker.yml

@@ -4,35 +4,13 @@ on:
   release:
     types:
       - released
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "The tag version you want to build"
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - name: Get commit to build
-        id: ref
-        run: |-
-          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
-            ref="${{ github.ref_name }}"
-          else
-            ref="${{ github.event.inputs.tag }}"
-          fi
-          echo "ref=$ref"
-          echo "ref=$ref" >> $GITHUB_OUTPUT
-          if [[ $ref == *"-"* ]]; then
-            latest=latest-beta
-          else
-            latest=latest
-          fi
-          echo "latest=$latest"
-          echo "latest=$latest" >> $GITHUB_OUTPUT
       - name: Checkout
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
-        with:
-          ref: ${{ steps.ref.outputs.ref }}
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Setup QEMU for Docker Buildx
@@ -52,11 +30,10 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
-          context: .
           target: dist
           build-args: |
             BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
           tags: |
-            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.latest }}
-            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.ref }}
+            ghcr.io/sagernet/sing-box:latest
+            ghcr.io/sagernet/sing-box:${{ github.ref_name }}
           push: true

.github/workflows/lint.yml

@@ -30,7 +30,7 @@ jobs:
         with:
           go-version: ^1.22
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v5
         with:
           version: latest
           args: --timeout=30m

.goreleaser.fury.yaml

@@ -36,6 +36,7 @@ nfpms:
     file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
     builds:
       - main
+    vendor: sagernet
     homepage: https://sing-box.sagernet.org/
     maintainer: nekohasekai <contact-git@sekai.icu>
     description: The universal proxy platform.

.goreleaser.yaml

@@ -113,6 +113,7 @@ nfpms:
     file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
     builds:
       - main
+    vendor: sagernet
     homepage: https://sing-box.sagernet.org/
     maintainer: nekohasekai <contact-git@sekai.icu>
     description: The universal proxy platform.

adapter/router.go

@@ -86,7 +86,7 @@ type DNSRule interface {
 	Rule
 	DisableCache() bool
 	RewriteTTL() *uint32
-	ClientSubnet() *netip.Prefix
+	ClientSubnet() *netip.Addr
 	WithAddressLimit() bool
 	MatchAddressLimit(metadata *InboundContext) bool
 }

common/sniff/bittorrent.go

@@ -1,113 +0,0 @@
-package sniff
-
-import (
-	"bytes"
-	"context"
-	"encoding/binary"
-	"io"
-	"os"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-)
-
-const (
-	trackerConnectFlag = iota
-	trackerAnnounceFlag
-	trackerScrapeFlag
-
-	trackerProtocolID = 0x41727101980
-
-	trackerConnectMinSize  = 16
-	trackerAnnounceMinSize = 20
-	trackerScrapeMinSize   = 8
-)
-
-// BitTorrent detects if the stream is a BitTorrent connection.
-// For the BitTorrent protocol specification, see https://www.bittorrent.org/beps/bep_0003.html
-func BitTorrent(_ context.Context, reader io.Reader) (*adapter.InboundContext, error) {
-	var first byte
-	err := binary.Read(reader, binary.BigEndian, &first)
-	if err != nil {
-		return nil, err
-	}
-
-	if first != 19 {
-		return nil, os.ErrInvalid
-	}
-
-	var protocol [19]byte
-	_, err = reader.Read(protocol[:])
-	if err != nil {
-		return nil, err
-	}
-	if string(protocol[:]) != "BitTorrent protocol" {
-		return nil, os.ErrInvalid
-	}
-
-	return &adapter.InboundContext{
-		Protocol: C.ProtocolBitTorrent,
-	}, nil
-}
-
-// UTP detects if the packet is a uTP connection packet.
-// For the uTP protocol specification, see
-//  1. https://www.bittorrent.org/beps/bep_0029.html
-//  2. https://github.com/bittorrent/libutp/blob/2b364cbb0650bdab64a5de2abb4518f9f228ec44/utp_internal.cpp#L112
-func UTP(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
-	// A valid uTP packet must be at least 20 bytes long.
-	if len(packet) < 20 {
-		return nil, os.ErrInvalid
-	}
-
-	version := packet[0] & 0x0F
-	ty := packet[0] >> 4
-	if version != 1 || ty > 4 {
-		return nil, os.ErrInvalid
-	}
-
-	// Validate the extensions
-	extension := packet[1]
-	reader := bytes.NewReader(packet[20:])
-	for extension != 0 {
-		err := binary.Read(reader, binary.BigEndian, &extension)
-		if err != nil {
-			return nil, err
-		}
-
-		var length byte
-		err = binary.Read(reader, binary.BigEndian, &length)
-		if err != nil {
-			return nil, err
-		}
-		_, err = reader.Seek(int64(length), io.SeekCurrent)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return &adapter.InboundContext{
-		Protocol: C.ProtocolBitTorrent,
-	}, nil
-}
-
-// UDPTracker detects if the packet is a UDP Tracker Protocol packet.
-// For the UDP Tracker Protocol specification, see https://www.bittorrent.org/beps/bep_0015.html
-func UDPTracker(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
-	switch {
-	case len(packet) >= trackerConnectMinSize &&
-		binary.BigEndian.Uint64(packet[:8]) == trackerProtocolID &&
-		binary.BigEndian.Uint32(packet[8:12]) == trackerConnectFlag:
-		fallthrough
-	case len(packet) >= trackerAnnounceMinSize &&
-		binary.BigEndian.Uint32(packet[8:12]) == trackerAnnounceFlag:
-		fallthrough
-	case len(packet) >= trackerScrapeMinSize &&
-		binary.BigEndian.Uint32(packet[8:12]) == trackerScrapeFlag:
-		return &adapter.InboundContext{
-			Protocol: C.ProtocolBitTorrent,
-		}, nil
-	default:
-		return nil, os.ErrInvalid
-	}
-}

common/sniff/bittorrent_test.go

@@ -1,81 +0,0 @@
-package sniff_test
-
-import (
-	"bytes"
-	"context"
-	"encoding/hex"
-	"testing"
-
-	"github.com/sagernet/sing-box/common/sniff"
-	C "github.com/sagernet/sing-box/constant"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestSniffBittorrent(t *testing.T) {
-	t.Parallel()
-
-	packets := []string{
-		"13426974546f7272656e742070726f746f636f6c0000000000100000e21ea9569b69bab33c97851d0298bdfa89bc90922d5554313631302dea812fcd6a3563e3be40c1d1",
-		"13426974546f7272656e742070726f746f636f6c00000000001000052aa4f5a7e209e54b32803d43670971c4c8caaa052d5452333030302d653369733079647675763638",
-		"13426974546f7272656e742070726f746f636f6c00000000001000052aa4f5a7e209e54b32803d43670971c4c8caaa052d5452343035302d6f7a316c6e79377931716130",
-	}
-
-	for _, pkt := range packets {
-		pkt, err := hex.DecodeString(pkt)
-		require.NoError(t, err)
-		metadata, err := sniff.BitTorrent(context.TODO(), bytes.NewReader(pkt))
-		require.NoError(t, err)
-		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
-	}
-}
-
-func TestSniffUTP(t *testing.T) {
-	t.Parallel()
-
-	packets := []string{
-		"010041a282d7ee7b583afb160004000006d8318da776968f92d666f7963f32dae23ba0d2c810d8b8209cc4939f54fde9eeaa521c2c20c9ba7f43f4fb0375f28de06643b5e3ca4685ab7ac76adca99783be72ef05ed59ef4234f5712b75b4c7c0d7bee8fe2ca20ad626ba5bb0ffcc16bf06790896f888048cf72716419a07db1a3dca4550fbcea75b53e97235168a221cf3e553dfbb723961bd719fab038d86e0ecb74747f5a2cd669de1c4b9ad375f3a492d09d98cdfad745435625401315bbba98d35d32086299801377b93495a63a9efddb8d05f5b37a5c5b1c0a25e917f12007bb5e05013ada8aff544fab8cadf61d80ddb0b60f12741e44515a109d144fd53ef845acb4b5ccf0d6fc302d7003d76df3fc3423bb0237301c9e88f900c2d392a8e0fdb36d143cf7527a93fd0a2638b746e72f6699fffcd4fd15348fce780d4caa04382fd9faf1ca0ae377ca805da7536662b84f5ee18dd3ae38fcb095a7543e55f9069ae92c8cf54ae44e97b558d35e2545c66601ed2149cbc32bd6df199a2be7cf0da8b2ff137e0d23e776bc87248425013876d3a3cc31a83b424b752bd0346437f24b532978005d8f5b1b0be1a37a2489c32a18a9ad3118e3f9d30eb299bffae18e1f0677c2a5c185e62519093fe6bc2b7339299ea50a587989f726ca6443a75dd5bb936f6367c6355d80fae53ff529d740b2e5576e3eefdf1fdbfc69c3c8d8ac750512635de63e054bee1d3b689bc1b2bc3d2601e42a00b5c89066d173d4ae7ffedfd2274e5cf6d868fbe640aedb69b8246142f00b32d459974287537ddd5373460dcbc92f5cfdd7a3ed6020822ae922d947893752ca1983d0d32977374c384ac8f5ab566859019b7351526b9f13e932037a55bb052d9deb3b3c23317e0784fdc51a64f2159bfea3b069cf5caf02ee2c3c1a6b6b427bb16165713e8802d95b5c8ed77953690e994bd38c9ae113fedaf6ee7fc2b96c032ceafc2a530ad0422e84546b9c6ad8ef6ea02fa508abddd1805c38a7b42e9b7c971b1b636865ebec06ed754bb404cd6b4e6cc8cb77bd4a0c43410d5cd5ef8fe853a66d49b3b9e06cb141236cdbfdd5761601dc54d1250b86c660e0f898fe62526fdd9acf0eab60a3bbbb2151970461f28f10b31689594bea646c4b03ee197d63bdef4e5a7c22716b3bb9494a83b78ecd81b338b80ac6c09c43485b1b09ba41c74343832c78f0520c1d659ac9eb1502094141e82fb9e5e620970ebc0655514c43c294a7714cbf9a499d277daf089f556398a01589a77494bec8bfb60a108f3813b55368672b88c1af40f6b3c8b513f7c70c3e0efce85228b8b9ec67ba0393f9f7305024d8e2da6a26cf85613d14f249170ce1000089df4c9c260df7f8292aa2ecb5d5bac97656d59aa248caedea2d198e51ce87baece338716d114b458de02d65c9ff808ca5b5b73723b4d1e962d9ac2d98176544dc9984cf8554d07820ef3dd0861cfe57b478328046380de589adad94ee44743ffac73bb7361feca5d56f07cf8ce75080e261282ae30350d7882679b15cab9e7e53ddf93310b33f7390ae5d318bb53f387e6af5d0ef4f947fc9cb8e7e38b52c7f8d772ece6156b38d88796ea19df02c53723b44df7c76315a0de9462f27287e682d2b4cda1a68fe00d7e48c51ee981be44e1ca940fb5190c12655edb4a83c3a4f33e48a015692df4f0b3d61656e362aca657b5ae8c12db5a0db3db1e45135ee918b66918f40e53c4f83e9da0cddfe63f736ae751ab3837a30ae3220d8e8e311487093a7b90c7e7e40dd54ca750e19452f9193aa892aa6a6229ab493dadae988b1724f7898ee69c36d3eb7364c4adbeca811cfe2065873e78c2b6dfdf1595f7a7831c07e03cda82e4f86f76438dfb2b07c13638ce7b509cfa71b88b5102b39a203b423202088e1c2103319cb32c13c1e546ff8612fa194c95a7808ab767c265a1bd5fa0efed5c8ec1701876a00ec8",
-		"01001ecb68176f215d04326300100000dbcf30292d14b54e9ee2d115ee5b8ebc7fad3e882d4fcdd0c14c6b917c11cb4c6a9f410b52a33ae97c2ac77c7a2b122b8955e09af3c5c595f1b2e79ca57cfe44c44e069610773b9bc9ba223d7f6b383e3adddd03fb88a8476028e30979c2ef321ffc97c5c132bcf9ac5b410bbb5ec6cefca3c7209202a14c5ae922b6b157b0a80249d13ffe5b996af0bc8e54ba576d148372494303e7ead0602b05b9c8fc97d48508a028a04d63a1fd28b0edfcd5c51715f63188b53eefede98a76912dca98518551a8856567307a56a702cbfcc115ea0c755b418bc2c7b57721239b82f09fb24328a4b0ce0f109bcb2a64e04b8aadb1f8487585425acdf8fc4ec8ea93cfcec5ac098bb29d42ddef6e46b03f34a5de28316726699b7cb5195c33e5c48abe87d591d63f9991c84c30819d186d6e0e95fd83c8dff07aa669c4430989bcaccfeacb9bcadbdb4d8f1964dbeb9687745656edd30b21c66cc0a1d742a78717d134a19a7f02d285a4973b1a198c00cfdff4676608dc4f3e817e3463c3b4e2c80d3e8d4fbac541a58a2fb7ad6939f607f8144eff6c8b0adc28ee5609ea158987519892fb",
-		"21001ecb6817f2805d044fd700100000dbd03029",
-		"410277ef0b1fb1f60000000000040000c233000000080000000000000000",
-	}
-
-	for _, pkt := range packets {
-		pkt, err := hex.DecodeString(pkt)
-		require.NoError(t, err)
-
-		metadata, err := sniff.UTP(context.TODO(), pkt)
-		require.NoError(t, err)
-		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
-	}
-}
-
-func TestSniffUDPTracker(t *testing.T) {
-	t.Parallel()
-
-	connectPackets := []string{
-		// connect packets
-		"00000417271019800000000078e90560",
-		"00000417271019800000000022c5d64d",
-		"000004172710198000000000b3863541",
-
-		// announce packets
-		"3d7592ead4b8c9e300000001b871a3820000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
-		"3d7592ead4b8c9e30000000188deed1c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
-		"3d7592ead4b8c9e300000001ceb948ad0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a3362cdb7020ff920e5aa642c3d4066950dd1f01f4d00000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
-
-		// scrape packets
-		"3d7592ead4b8c9e300000002d2f4bba5a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
-		"3d7592ead4b8c9e300000002441243292aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
-		"3d7592ead4b8c9e300000002b2aa461b1ad1fa9661cf3fe45fb2504ad52ec6c67758e294",
-	}
-
-	for _, pkt := range connectPackets {
-		pkt, err := hex.DecodeString(pkt)
-		require.NoError(t, err)
-
-		metadata, err := sniff.UDPTracker(context.TODO(), pkt)
-		require.NoError(t, err)
-		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
-	}
-}

constant/protocol.go

@@ -1,10 +1,9 @@
 package constant
 
 const (
-	ProtocolTLS        = "tls"
-	ProtocolHTTP       = "http"
-	ProtocolQUIC       = "quic"
-	ProtocolDNS        = "dns"
-	ProtocolSTUN       = "stun"
-	ProtocolBitTorrent = "bittorrent"
+	ProtocolTLS  = "tls"
+	ProtocolHTTP = "http"
+	ProtocolQUIC = "quic"
+	ProtocolDNS  = "dns"
+	ProtocolSTUN = "stun"
 )

docs/changelog.md

@@ -2,119 +2,6 @@
 icon: material/alert-decagram
 ---
 
-#### 1.10.0-alpha.1
-
-* Add tailing comma support in JSON configuration
-* Add simple auto redirect for Android **1**
-* Add BitTorrent sniffer **2**
-
-**1**:
-
-It allows you to use redirect inbound in the sing-box Android client
-and automatically configures IPv4 TCP redirection via su.
-
-This may alleviate the symptoms of some OCD patients who think that
-redirect can effectively save power compared to the system HTTP Proxy.
-
-See [Redirect](/configuration/inbound/redirect/).
-
-**2**:
-
-See [Protocol Sniff](/configuration/route/sniff/).
-
-### 1.9.0
-
-* Fixes and improvements
-
-Important changes since 1.8:
-
-* `domain_suffix` behavior update **1**
-* `process_path` format update on Windows **2**
-* Add address filter DNS rule items **3**
-* Add support for `client-subnet` DNS options **4**
-* Add rejected DNS response cache support **5**
-* Add `bypass_domain` and `search_domain` platform HTTP proxy options **6**
-* Fix missing `rule_set_ipcidr_match_source` item in DNS rules **7**
-* Handle Windows power events
-* Always disable cache for fake-ip DNS transport if `dns.independent_cache` disabled
-* Improve DNS truncate behavior
-* Update Hysteria protocol
-* Update quic-go to v0.43.1
-* Update gVisor to 20240422.0
-* Mitigating TunnelVision attacks **8**
-
-**1**:
-
-See [Migration](/migration/#domain_suffix-behavior-update).
-
-**2**:
-
-See [Migration](/migration/#process_path-format-update-on-windows).
-
-**3**:
-
-The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
-if using this method.
-
-See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
-
-[Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.
-
-**4**:
-
-See [DNS](/configuration/dns), [DNS Server](/configuration/dns/server) and [DNS Rules](/configuration/dns/rule).
-
-Since this feature makes the scenario mentioned in `alpha.1` no longer leak DNS requests,
-the [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) has been updated.
-
-**5**:
-
-The new feature allows you to cache the check results of
-[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
-
-**6**:
-
-See [TUN](/configuration/inbound/tun) inbound.
-
-**7**:
-
-See [DNS Rule](/configuration/dns/rule/).
-
-**8**:
-
-See [TunnelVision](/manual/misc/tunnelvision).
-
-#### 1.9.0-rc.22
-
-* Fixes and improvements
-
-#### 1.9.0-rc.20
-
-* Prioritize `*_route_address` in linux auto-route
-* Fix `*_route_address` in darwin auto-route
-
-#### 1.8.14
-
-* Fix hysteria2 panic
-* Fixes and improvements
-
-#### 1.9.0-rc.18
-
-* Add custom prefix support in EDNS0 client subnet options
-* Fix hysteria2 crash
-* Fix `store_rdrc` corrupted
-* Update quic-go to v0.43.1
-* Fixes and improvements
-
-#### 1.9.0-rc.16
-
-* Mitigating TunnelVision attacks **1**
-* Fixes and improvements
-
-**1**:
-
-See [TunnelVision](/manual/misc/tunnelvision).
-
 #### 1.9.0-rc.15
 
 * Fixes and improvements
@@ -318,7 +205,7 @@ See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
 
 * Fixes and improvements
 
-### 1.8.0
+#### 1.8.0
 
 * Fixes and improvements
 
@@ -609,7 +496,7 @@ New commands manage GeoIP, Geosite and rule set resources, and help you migrate
 
 Logical rules in route rules, DNS rules, and the new headless rule now allow nesting of logical rules.
 
-### 1.7.0
+#### 1.7.0
 
 * Fixes and improvements
 
@@ -769,7 +656,7 @@ Introduced in V2Ray 5.10.0.
 
 The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.
 
-### 1.6.0
+#### 1.6.0
 
 * Fixes and improvements
 
@@ -948,7 +835,7 @@ introduce new issues.
 None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
 This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
 
-### 1.5.0
+#### 1.5.0
 
 * Fixes and improvements
 
@@ -1142,7 +1029,7 @@ All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria`, `T
 
 * Fixes and improvements
 
-### 1.4.0
+#### 1.4.0
 
 * Fix bugs and update dependencies
 
@@ -1284,7 +1171,7 @@ The old testflight link and app are no longer valid.
 
 * Fixes and improvements
 
-### 1.3.0
+#### 1.3.0
 
 * Fix bugs and update dependencies
 
@@ -1476,7 +1363,7 @@ to `domain` rule.
 * Flush DNS cache for macOS when tun start/close
 * Fix tun's DNS hijacking compatibility with systemd-resolved
 
-### 1.2.0
+#### 1.2.0
 
 * Fix bugs and update dependencies
 

docs/configuration/dns/index.md

@@ -73,8 +73,6 @@ problematic in environments such as macOS, where DNS is proxied and cached by th
 
 !!! question "Since sing-box 1.9.0"
 
-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.
 
 Can be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.

docs/configuration/dns/index.zh.md

@@ -71,10 +71,8 @@ icon: material/new-box
 
 !!! question "自 sing-box 1.9.0 起"
 
-默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
-
-如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
-
+默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
+ 
 可以被 `servers.[].client_subnet` 或 `rules.[].client_subnet` 覆盖。
 
 #### fakeip

docs/configuration/dns/rule.md

@@ -125,7 +125,7 @@ icon: material/new-box
         "server": "local",
         "disable_cache": false,
         "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1/24"
+        "client_subnet": "127.0.0.1"
       },
       {
         "type": "logical",
@@ -134,7 +134,7 @@ icon: material/new-box
         "server": "local",
         "disable_cache": false,
         "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1/24"
+        "client_subnet": "127.0.0.1"
       }
     ]
   }
@@ -339,9 +339,7 @@ Rewrite TTL in DNS responses.
 
 !!! question "Since sing-box 1.9.0"
 
-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.
 
 Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
 

docs/configuration/dns/rule.zh.md

@@ -124,7 +124,7 @@ icon: material/new-box
         ],
         "server": "local",
         "disable_cache": false,
-        "client_subnet": "127.0.0.1/24"
+        "client_subnet": "127.0.0.1"
       },
       {
         "type": "logical",
@@ -132,7 +132,7 @@ icon: material/new-box
         "rules": [],
         "server": "local",
         "disable_cache": false,
-        "client_subnet": "127.0.0.1/24"
+        "client_subnet": "127.0.0.1"
       }
     ]
   }
@@ -337,9 +337,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! question "自 sing-box 1.9.0 起"
 
-默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
-
-如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
 
 将覆盖 `dns.client_subnet` 与 `servers.[].client_subnet`。
 

docs/configuration/dns/server.md

@@ -100,9 +100,7 @@ Default outbound will be used if empty.
 
 !!! question "Since sing-box 1.9.0"
 
-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.
 
 Can be overrides by `rules.[].client_subnet`.
 

docs/configuration/dns/server.zh.md

@@ -100,9 +100,7 @@ DNS 服务器的地址。
 
 !!! question "自 sing-box 1.9.0 起"
 
-默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
-
-如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
 
 可以被 `rules.[].client_subnet` 覆盖。
 

docs/configuration/inbound/redirect.md

@@ -1,11 +1,3 @@
----
-icon: material/new-box
----
-
-!!! quote "Changes in sing-box 1.9.0"
-
-    :material-plus: [auto_redirect](#auto_redirect)
-
 !!! quote ""
 
     Only supported on Linux and macOS.
@@ -17,11 +9,6 @@ icon: material/new-box
   "type": "redirect",
   "tag": "redirect-in",
 
-  "auto_redirect": {
-    "enabled": false,
-    "continue_on_no_permission": false
-  },
-
   ... // Listen Fields
 }
 ```
@@ -29,23 +16,3 @@ icon: material/new-box
 ### Listen Fields
 
 See [Listen Fields](/configuration/shared/listen/) for details.
-
-### Fields
-
-#### `auto_redirect`
-
-!!! question "Since sing-box 1.10.0"
-
-!!! quote ""
-
-    Only supported on Android.
-
-Automatically add iptables nat rules to hijack **IPv4 TCP** connections.
-
-It is expected to run with the Android graphical client (it will attempt to su at runtime).
-
-#### `auto_redirect.continue_on_no_permission`
-
-!!! question "Since sing-box 1.10.0"
-
-Ignore errors when the Android device is not rooted or is denied root access.

docs/configuration/inbound/redirect.zh.md

@@ -1,11 +1,3 @@
----
-icon: material/new-box
----
-
-!!! quote "sing-box 1.10.0 中的更改"
-
-    :material-plus: [auto_redirect](#auto_redirect)
-
 !!! quote ""
 
     仅支持 Linux 和 macOS。
@@ -17,35 +9,9 @@ icon: material/new-box
   "type": "redirect",
   "tag": "redirect-in",
 
-  "auto_redirect": {
-    "enabled": false,
-    "continue_on_no_permission": false
-  },
-  
   ... // 监听字段
 }
 ```
-
 ### 监听字段
 
 参阅 [监听字段](/zh/configuration/shared/listen/)。
-
-### 字段
-
-#### `auto_redirect`
-
-!!! question "自 sing-box 1.10.0 起"
-
-!!! quote ""
-
-    仅支持 Android。
-
-自动添加 iptables nat 规则以劫持 **IPv4 TCP** 连接。
-
-它预计与 Android 图形客户端一起运行（将在运行时尝试 su）。
-
-#### `auto_redirect.continue_on_no_permission`
-
-!!! question "自 sing-box 1.10.0 起"
-
-当 Android 设备未获得 root 权限或 root 访问权限被拒绝时，忽略错误。

docs/configuration/route/sniff.md

@@ -2,11 +2,10 @@ If enabled in the inbound, the protocol and domain name (if present) of by the c
 
 #### Supported Protocols
 
-| Network |  Protocol   | Domain Name |
-|:-------:|:-----------:|:-----------:|
-|   TCP   |    HTTP     |    Host     |
-|   TCP   |     TLS     | Server Name |
-|   UDP   |    QUIC     | Server Name |
-|   UDP   |    STUN     |      /      |
-| TCP/UDP |     DNS     |      /      |
-| TCP/UDP | BitTorrent  |      /      |
+| Network | Protocol | Domain Name |
+|:-------:|:--------:|:-----------:|
+|   TCP   |   HTTP   |    Host     |
+|   TCP   |   TLS    | Server Name |
+|   UDP   |   QUIC   | Server Name |
+|   UDP   |   STUN   |      /      |
+| TCP/UDP |   DNS    |      /      |

docs/configuration/route/sniff.zh.md

@@ -2,11 +2,10 @@
 
 #### 支持的协议
 
-|   网络    |     协议      |     域名      |
-|:-------:|:-----------:|:-----------:|
-|   TCP   |    HTTP     |    Host     |
-|   TCP   |     TLS     | Server Name |
-|   UDP   |    QUIC     | Server Name |
-|   UDP   |    STUN     |      /      |
-| TCP/UDP |     DNS     |      /      |
-| TCP/UDP | BitTorrent  |      /      |
+|   网络    |  协议  |     域名      |
+|:-------:|:----:|:-----------:|
+|   TCP   | HTTP |    Host     |
+|   TCP   | TLS  | Server Name |
+|   UDP   | QUIC | Server Name |
+|   UDP   | STUN |      /      |
+| TCP/UDP | DNS  |      /      |

docs/manual/misc/tunnelvision.md

@@ -1,38 +0,0 @@
----
-icon: material/book-lock-open
----
-
-# TunnelVision
-
-TunnelVision is an attack that uses DHCP option 121 to set higher priority routes
-so that traffic does not go through the VPN.
-
-Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3661
-
-## Status
-
-### Android
-
-Android does not handle DHCP option 121 and is not affected.
-
-### Apple platforms
-
-Update [sing-box graphical client](/clients/apple/#download) to `1.9.0-rc.16` or newer,
-then enable `includeAllNetworks` in `Settings` — `Packet Tunnel` and you will be unaffected.
-
-Note: when `includeAllNetworks` is enabled, the default TUN stack is changed to `gvisor`,
-and the `system` and `mixed` stacks are not available.
-
-### Linux
-
-Update sing-box to `1.9.0-rc.16` or newer, rules generated by `auto-route` are unaffected.
-
-### Windows
-
-No solution yet.
-
-## Workarounds
-
-* Don't connect to untrusted networks
-* Relay untrusted network through another device
-* Just ignore it

docs/manual/proxy-protocol/tuic.md

@@ -0,0 +1,208 @@
+---
+icon: material/alpha-t-box
+---
+
+# TUIC
+
+A recently popular Chinese-made simple protocol based on QUIC, the selling point is the BBR congestion control algorithm.
+
+!!! warning
+
+    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more characteristics than TCP based proxies.
+
+| Specification                                             | Binary Characteristics | Active Detect Hiddenness |
+|-----------------------------------------------------------|------------------------|--------------------------|
+| [GitHub](https://github.com/EAimTY/tuic/blob/dev/SPEC.md) | :material-alert:       | :material-check:         | 
+
+## Password Generator
+
+| Generated UUID         | Generated  Password        | Action                                                          |
+|------------------------|----------------------------|-----------------------------------------------------------------|
+| <code id="uuid"><code> | <code id="password"><code> | <button class="md-button" onclick="generate()">Refresh</button> |
+
+<script>
+    function generateUUID() {
+        const uuid = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
+            let r = Math.random() * 16 | 0,
+            v = c === 'x' ? r : (r & 0x3 | 0x8);
+            return v.toString(16);
+        });
+        document.getElementById("uuid").textContent = uuid;
+    }
+    function generatePassword() {
+        const array = new Uint8Array(16);
+        window.crypto.getRandomValues(array);
+        document.getElementById("password").textContent = btoa(String.fromCharCode.apply(null, array));
+    }
+    function generate() {
+        generateUUID();
+        generatePassword();
+    }
+    generate();
+</script>
+
+## :material-server: Server Example
+
+=== ":material-harddisk: With local certificate"
+
+    ```json
+     {
+      "inbounds": [
+        {
+          "type": "tuic",
+          "listen": "::",
+          "listen_port": 8080,
+          "users": [
+            {
+              "name": "sekai",
+              "uuid": "<uuid>",
+              "password": "<password>"
+            }
+          ],
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "key_path": "/path/to/key.pem",
+            "certificate_path": "/path/to/certificate.pem"
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-auto-fix: With ACME"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "tuic",
+          "listen": "::",
+          "listen_port": 8080,
+          "users": [
+            {
+              "name": "sekai",
+              "uuid": "<uuid>",
+              "password": "<password>"
+            }
+          ],
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "acme": {
+              "domain": "example.org",
+              "email": "admin@example.org"
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-cloud: With ACME and Cloudflare API"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "tuic",
+          "listen": "::",
+          "listen_port": 8080,
+          "users": [
+            {
+              "name": "sekai",
+              "uuid": "<uuid>",
+              "password": "<password>"
+            }
+          ],
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "acme": {
+              "domain": "example.org",
+              "email": "admin@example.org",
+              "dns01_challenge": {
+                "provider": "cloudflare",
+                "api_token": "my_token"
+              }
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+## :material-cellphone-link: Client Example
+
+=== ":material-web-check: With valid certificate"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "tuic",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "uuid": "<uuid>",
+          "password": "<password>",
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org"
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-check: With self-sign certificate"
+
+    !!! info "Tip"
+        
+        Use `sing-box merge` command to merge configuration and certificate into one file.
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "tuic",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "uuid": "<uuid>",
+          "password": "<password>",
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "certificate_path": "/path/to/certificate.pem"
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-alert: Ignore certificate verification"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "tuic",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "uuid": "<uuid>",
+          "password": "<password>",
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "insecure": true
+          }
+        }
+      ]
+    }
+    ```
+

docs/manual/proxy/client.md

@@ -471,7 +471,7 @@ flowchart TB
                   }
                 ],
                 "server": "google",
-                "client_subnet": "114.114.114.114/24" // Any China client IP address
+                "client_subnet": "114.114.114.114" // Any China client IP address
               }
             ]
           },

experimental/cachefile/cache.go

@@ -57,7 +57,6 @@ type CacheFile struct {
 type saveRDRCCacheKey struct {
 	TransportName string
 	QuestionName  string
-	QType         uint16
 }
 
 func New(ctx context.Context, options option.CacheFileOptions) *CacheFile {

experimental/cachefile/rdrc.go

@@ -9,7 +9,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 )
 
-var bucketRDRC = []byte("rdrc2")
+var bucketRDRC = []byte("rdrc")
 
 func (c *CacheFile) StoreRDRC() bool {
 	return c.storeRDRC
@@ -19,17 +19,13 @@ func (c *CacheFile) RDRCTimeout() time.Duration {
 	return c.rdrcTimeout
 }
 
-func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (rejected bool) {
+func (c *CacheFile) LoadRDRC(transportName string, qName string) (rejected bool) {
 	c.saveRDRCAccess.RLock()
-	rejected, cached := c.saveRDRC[saveRDRCCacheKey{transportName, qName, qType}]
+	rejected, cached := c.saveRDRC[saveRDRCCacheKey{transportName, qName}]
 	c.saveRDRCAccess.RUnlock()
 	if cached {
 		return
 	}
-	key := buf.Get(2 + len(qName))
-	binary.BigEndian.PutUint16(key, qType)
-	copy(key[2:], qName)
-	defer buf.Put(key)
 	var deleteCache bool
 	err := c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := c.bucket(tx, bucketRDRC)
@@ -40,7 +36,7 @@ func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (
 		if bucket == nil {
 			return nil
 		}
-		content := bucket.Get(key)
+		content := bucket.Get([]byte(qName))
 		if content == nil {
 			return nil
 		}
@@ -65,13 +61,13 @@ func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (
 			if bucket == nil {
 				return nil
 			}
-			return bucket.Delete(key)
+			return bucket.Delete([]byte(qName))
 		})
 	}
 	return
 }
 
-func (c *CacheFile) SaveRDRC(transportName string, qName string, qType uint16) error {
+func (c *CacheFile) SaveRDRC(transportName string, qName string) error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket, err := c.createBucket(tx, bucketRDRC)
 		if err != nil {
@@ -81,24 +77,20 @@ func (c *CacheFile) SaveRDRC(transportName string, qName string, qType uint16) e
 		if err != nil {
 			return err
 		}
-		key := buf.Get(2 + len(qName))
-		binary.BigEndian.PutUint16(key, qType)
-		copy(key[2:], qName)
-		defer buf.Put(key)
 		expiresAt := buf.Get(8)
 		defer buf.Put(expiresAt)
 		binary.BigEndian.PutUint64(expiresAt, uint64(time.Now().Add(c.rdrcTimeout).Unix()))
-		return bucket.Put(key, expiresAt)
+		return bucket.Put([]byte(qName), expiresAt)
 	})
 }
 
-func (c *CacheFile) SaveRDRCAsync(transportName string, qName string, qType uint16, logger logger.Logger) {
-	saveKey := saveRDRCCacheKey{transportName, qName, qType}
+func (c *CacheFile) SaveRDRCAsync(transportName string, qName string, logger logger.Logger) {
+	saveKey := saveRDRCCacheKey{transportName, qName}
 	c.saveRDRCAccess.Lock()
 	c.saveRDRC[saveKey] = true
 	c.saveRDRCAccess.Unlock()
 	go func() {
-		err := c.SaveRDRC(transportName, qName, qType)
+		err := c.SaveRDRC(transportName, qName)
 		if err != nil {
 			logger.Warn("save RDRC: ", err)
 		}

experimental/libbox/config.go

@@ -9,7 +9,6 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/process"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
@@ -83,10 +82,6 @@ func (s *platformInterfaceStub) UnderNetworkExtension() bool {
 	return false
 }
 
-func (s *platformInterfaceStub) IncludeAllNetworks() bool {
-	return false
-}
-
 func (s *platformInterfaceStub) ClearDNSCache() {
 }
 
@@ -98,14 +93,6 @@ func (s *platformInterfaceStub) FindProcessInfo(ctx context.Context, network str
 	return nil, os.ErrInvalid
 }
 
-func (s *platformInterfaceStub) PerAppProxyList() ([]uint32, error) {
-	return nil, os.ErrInvalid
-}
-
-func (s *platformInterfaceStub) PerAppProxyMode() int32 {
-	return platform.PerAppProxyModeDisabled
-}
-
 type interfaceMonitorStub struct{}
 
 func (s *interfaceMonitorStub) Start() error {

experimental/libbox/platform.go

@@ -19,11 +19,8 @@ type PlatformInterface interface {
 	UsePlatformInterfaceGetter() bool
 	GetInterfaces() (NetworkInterfaceIterator, error)
 	UnderNetworkExtension() bool
-	IncludeAllNetworks() bool
 	ReadWIFIState() *WIFIState
 	ClearDNSCache()
-	PerAppProxyList() (IntegerIterator, error)
-	PerAppProxyMode() int32
 }
 
 type TunInterface interface {
@@ -56,11 +53,6 @@ type NetworkInterfaceIterator interface {
 	HasNext() bool
 }
 
-type IntegerIterator interface {
-	Next() int32
-	HasNext() bool
-}
-
 type OnDemandRule interface {
 	Target() int32
 	DNSSearchDomainMatch() StringIterator

experimental/libbox/platform/interface.go

@@ -11,12 +11,6 @@ import (
 	"github.com/sagernet/sing/common/logger"
 )
 
-const (
-	PerAppProxyModeDisabled int32 = iota
-	PerAppProxyModeExclude
-	PerAppProxyModeInclude
-)
-
 type Interface interface {
 	Initialize(ctx context.Context, router adapter.Router) error
 	UsePlatformAutoDetectInterfaceControl() bool
@@ -27,10 +21,7 @@ type Interface interface {
 	UsePlatformInterfaceGetter() bool
 	Interfaces() ([]control.Interface, error)
 	UnderNetworkExtension() bool
-	IncludeAllNetworks() bool
 	ClearDNSCache()
 	ReadWIFIState() adapter.WIFIState
-	PerAppProxyList() ([]uint32, error)
-	PerAppProxyMode() int32
 	process.Searcher
 }

experimental/libbox/service.go

@@ -213,10 +213,6 @@ func (w *platformInterfaceWrapper) UnderNetworkExtension() bool {
 	return w.iif.UnderNetworkExtension()
 }
 
-func (w *platformInterfaceWrapper) IncludeAllNetworks() bool {
-	return w.iif.IncludeAllNetworks()
-}
-
 func (w *platformInterfaceWrapper) ClearDNSCache() {
 	w.iif.ClearDNSCache()
 }
@@ -229,18 +225,6 @@ func (w *platformInterfaceWrapper) ReadWIFIState() adapter.WIFIState {
 	return (adapter.WIFIState)(*wifiState)
 }
 
-func (w *platformInterfaceWrapper) PerAppProxyList() ([]uint32, error) {
-	uidIterator, err := w.iif.PerAppProxyList()
-	if err != nil {
-		return nil, err
-	}
-	return common.Map(iteratorToArray[int32](uidIterator), func(it int32) uint32 { return uint32(it) }), nil
-}
-
-func (w *platformInterfaceWrapper) PerAppProxyMode() int32 {
-	return w.iif.PerAppProxyMode()
-}
-
 func (w *platformInterfaceWrapper) DisableColors() bool {
 	return runtime.GOOS != "android"
 }

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/go-chi/chi/v5 v5.0.12
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
-	github.com/gofrs/uuid/v5 v5.2.0
+	github.com/gofrs/uuid/v5 v5.1.0
 	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
 	github.com/libdns/alidns v1.0.3
 	github.com/libdns/cloudflare v0.1.1
@@ -24,16 +24,16 @@ require (
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
 	github.com/sagernet/gomobile v0.1.3
 	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f
-	github.com/sagernet/quic-go v0.43.1-beta.1
+	github.com/sagernet/quic-go v0.43.0-beta.3
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.5.0-alpha.4
-	github.com/sagernet/sing-dns v0.2.0-beta.18
+	github.com/sagernet/sing v0.4.0-beta.18
+	github.com/sagernet/sing-dns v0.2.0-beta.16
 	github.com/sagernet/sing-mux v0.2.0
-	github.com/sagernet/sing-quic v0.2.0-beta.5
+	github.com/sagernet/sing-quic v0.2.0-beta.1
 	github.com/sagernet/sing-shadowsocks v0.2.6
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/sing-tun v0.3.0-beta.6
+	github.com/sagernet/sing-tun v0.2.8-beta.1
 	github.com/sagernet/sing-vmess v0.1.8
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6
@@ -44,9 +44,9 @@ require (
 	github.com/stretchr/testify v1.9.0
 	go.uber.org/zap v1.27.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.23.0
-	golang.org/x/net v0.25.0
-	golang.org/x/sys v0.20.0
+	golang.org/x/crypto v0.22.0
+	golang.org/x/net v0.24.0
+	golang.org/x/sys v0.19.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	google.golang.org/grpc v1.63.2
 	google.golang.org/protobuf v1.33.0
@@ -78,18 +78,18 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
-	github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba // indirect
+	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
+	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
 	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.21.0 // indirect
+	golang.org/x/tools v0.20.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -34,8 +34,8 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM=
-github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gofrs/uuid/v5 v5.1.0 h1:S5rqVKIigghZTCBKPCw0Y+bXkn26K3TB5mvQq2Ix8dk=
+github.com/gofrs/uuid/v5 v5.1.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
@@ -99,29 +99,29 @@ github.com/sagernet/gomobile v0.1.3 h1:ohjIb1Ou2+1558PnZour3od69suSuvkdSVOlO1tC4
 github.com/sagernet/gomobile v0.1.3/go.mod h1:Pqq2+ZVvs10U7xK+UwJgwYWUykewi8H6vlslAO73n9E=
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y/6ZHJWrnNLoiNnSJaow6DPb8VW2I=
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
-github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba h1:EY5AS7CCtfmARNv2zXUOrsEMPFDGYxaw65JzA2p51Vk=
-github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.43.1-beta.1 h1:alizUjpvWYcz08dBCQsULOd+1xu0o7UtlyYf6SLbRNg=
-github.com/sagernet/quic-go v0.43.1-beta.1/go.mod h1:BkrQYeop7Jx3hN3TW8/76CXcdhYiNPyYEBL/BVJ1ifc=
+github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
+github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
+github.com/sagernet/quic-go v0.43.0-beta.3 h1:qclJbbpgZe76EH62Bdu3LfDSC2zmuxj7zXCpdQBbe7c=
+github.com/sagernet/quic-go v0.43.0-beta.3/go.mod h1:3EtxR1Yaa1FZu6jFPiBHpOAdhOxL4A3EPxmiVgjJvVM=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.5.0-alpha.4 h1:8ljxrEq1BMcDuGe8FxoeUGasPUXQsIywpUusGrlGkQ0=
-github.com/sagernet/sing v0.5.0-alpha.4/go.mod h1:Xh4KO9nGdvm4K/LVg9Xn9jSxJdqe9KcXbAzNC1S2qfw=
-github.com/sagernet/sing-dns v0.2.0-beta.18 h1:6vzXZThRdA7YUzBOpSbUT48XRumtl/KIpIHFSOP0za8=
-github.com/sagernet/sing-dns v0.2.0-beta.18/go.mod h1:k/dmFcQpg6+m08gC1yQBy+13+QkuLqpKr4bIreq4U24=
+github.com/sagernet/sing v0.4.0-beta.18 h1:oK+pvyXnFwxwvQkeUqgxIeATiMHcrH5doLKKDGNmQkU=
+github.com/sagernet/sing v0.4.0-beta.18/go.mod h1:PFQKbElc2Pke7faBLv8oEba5ehtKO21Ho+TkYemTI3Y=
+github.com/sagernet/sing-dns v0.2.0-beta.16 h1:bzd4B8eHD7/WO3HrYknvgE8A56/R3n5oXBjNF97iPzQ=
+github.com/sagernet/sing-dns v0.2.0-beta.16/go.mod h1:XU6Vqr6aHcMz/34Fcv8jmXpRCEuShzW+B7Qg1Xe1nxY=
 github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
 github.com/sagernet/sing-mux v0.2.0/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
-github.com/sagernet/sing-quic v0.2.0-beta.5 h1:ceKFLd1iS5AtM+pScKmcDp5k7R6WgYIe8vl6nB0aVsE=
-github.com/sagernet/sing-quic v0.2.0-beta.5/go.mod h1:lfad61lScAZhAxZ0DHZWvEIcAaT38O6zPTR4vLsHeP0=
+github.com/sagernet/sing-quic v0.2.0-beta.1 h1:XR8KPYs50MNcFMR2/lh4eOonYeV15eJolAAWCQZpStI=
+github.com/sagernet/sing-quic v0.2.0-beta.1/go.mod h1:tVUFk5lcW22Bl0ChWlt4Lo93jw0qir3X1fk2ZSypaA4=
 github.com/sagernet/sing-shadowsocks v0.2.6 h1:xr7ylAS/q1cQYS8oxKKajhuQcchd5VJJ4K4UZrrpp0s=
 github.com/sagernet/sing-shadowsocks v0.2.6/go.mod h1:j2YZBIpWIuElPFL/5sJAj470bcn/3QQ5lxZUNKLDNAM=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.3.0-beta.6 h1:L11kMrM7UfUW0pzQiU66Fffh4o86KZc1SFGbkYi8Ma8=
-github.com/sagernet/sing-tun v0.3.0-beta.6/go.mod h1:DxLIyhjWU/HwGYoX0vNGg2c5QgTQIakphU1MuERR5tQ=
+github.com/sagernet/sing-tun v0.2.8-beta.1 h1:9loO5/Jqa+54NDi5mKh/CS6LlKsROCSnNQ+jgMcnI+I=
+github.com/sagernet/sing-tun v0.2.8-beta.1/go.mod h1:xPaOkQhngPMILx+/9DMLCFl4vSxUU2tMnCPSlf05HLo=
 github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
 github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
@@ -163,16 +163,16 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
+golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
+golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
 golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
+golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -184,19 +184,19 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
+golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
-golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY=
+golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=

inbound/builder.go

@@ -19,7 +19,7 @@ func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, o
 	case C.TypeTun:
 		return NewTun(ctx, router, logger, options.Tag, options.TunOptions, platformInterface)
 	case C.TypeRedirect:
-		return NewRedirect(ctx, router, logger, options.Tag, options.RedirectOptions, platformInterface)
+		return NewRedirect(ctx, router, logger, options.Tag, options.RedirectOptions), nil
 	case C.TypeTProxy:
 		return NewTProxy(ctx, router, logger, options.Tag, options.TProxyOptions), nil
 	case C.TypeDirect:

inbound/redirect.go

@@ -2,39 +2,25 @@ package inbound
 
 import (
 	"context"
-	"errors"
 	"net"
-	"net/netip"
-	"os"
-	"os/exec"
-	"sort"
-	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/redir"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
 type Redirect struct {
 	myInboundAdapter
-	platformInterface platform.Interface
-	autoRedirect      option.AutoRedirectOptions
-	needSu            bool
-	suPath            string
 }
 
-func NewRedirect(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.RedirectInboundOptions, platformInterface platform.Interface) (*Redirect, error) {
+func NewRedirect(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.RedirectInboundOptions) *Redirect {
 	redirect := &Redirect{
-		myInboundAdapter: myInboundAdapter{
+		myInboundAdapter{
 			protocol:      C.TypeRedirect,
 			network:       []string{N.NetworkTCP},
 			ctx:           ctx,
@@ -43,28 +29,9 @@ func NewRedirect(ctx context.Context, router adapter.Router, logger log.ContextL
 			tag:           tag,
 			listenOptions: options.ListenOptions,
 		},
-		platformInterface: platformInterface,
-		autoRedirect:      common.PtrValueOrDefault(options.AutoRedirect),
-	}
-	if redirect.autoRedirect.Enabled {
-		if !C.IsAndroid {
-			return nil, E.New("auto redirect is only supported on Android")
-		}
-		userId := os.Getuid()
-		if userId != 0 {
-			suPath, err := exec.LookPath("/bin/su")
-			if err == nil {
-				redirect.needSu = true
-				redirect.suPath = suPath
-			} else if redirect.autoRedirect.ContinueOnNoPermission {
-				redirect.autoRedirect.Enabled = false
-			} else {
-				return nil, E.Extend(E.Cause(err, "root permission is required for auto redirect"), os.Getenv("PATH"))
-			}
-		}
 	}
 	redirect.connHandler = redirect
-	return redirect, nil
+	return redirect
 }
 
 func (r *Redirect) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
@@ -75,124 +42,3 @@ func (r *Redirect) NewConnection(ctx context.Context, conn net.Conn, metadata ad
 	metadata.Destination = M.SocksaddrFromNetIP(destination)
 	return r.newConnection(ctx, conn, metadata)
 }
-
-func (r *Redirect) Start() error {
-	err := r.myInboundAdapter.Start()
-	if err != nil {
-		return err
-	}
-	if r.autoRedirect.Enabled {
-		r.cleanupRedirect()
-		err = r.setupRedirect()
-		if err != nil {
-			var exitError *exec.ExitError
-			if errors.As(err, &exitError) && exitError.ExitCode() == 13 && r.autoRedirect.ContinueOnNoPermission {
-				r.logger.Error(E.Cause(err, "setup auto redirect"))
-				return nil
-			}
-			r.cleanupRedirect()
-			return E.Cause(err, "setup auto redirect")
-		}
-	}
-	return nil
-}
-
-func (r *Redirect) Close() error {
-	if r.autoRedirect.Enabled {
-		r.cleanupRedirect()
-	}
-	return r.myInboundAdapter.Close()
-}
-
-func (r *Redirect) setupRedirect() error {
-	tableName := "sing-box"
-	rules := `
-set -e -o pipefail
-iptables -t nat -N sing-box
-`
-	rules += strings.Join(common.FlatMap(r.router.(adapter.Router).InterfaceFinder().Interfaces(), func(it control.Interface) []string {
-		return common.Map(common.Filter(it.Addresses, func(it netip.Prefix) bool { return it.Addr().Is4() }), func(it netip.Prefix) string {
-			return "iptables -t nat -A " + tableName + " -p tcp -j RETURN -d " + it.String()
-		})
-	}), "\n")
-	var (
-		myUid           = uint32(os.Getuid())
-		perAppProxyList []uint32
-		perAppProxyMap  = make(map[uint32]bool)
-		perAppProxyMode int32
-		err             error
-	)
-	if r.platformInterface != nil {
-		perAppProxyMode = r.platformInterface.PerAppProxyMode()
-		if perAppProxyMode != platform.PerAppProxyModeDisabled {
-			perAppProxyList, err = r.platformInterface.PerAppProxyList()
-			if err != nil {
-				return E.Cause(err, "read per app proxy configuration")
-			}
-		}
-		for _, proxyUID := range perAppProxyList {
-			perAppProxyMap[proxyUID] = true
-		}
-	}
-	excludeUser := func(userID uint32) {
-		if perAppProxyMode != platform.PerAppProxyModeInclude {
-			perAppProxyMap[userID] = false
-		} else {
-			delete(perAppProxyMap, userID)
-		}
-	}
-	excludeUser(myUid)
-	if myUid != 0 && myUid != 2000 {
-		excludeUser(0)
-	}
-	perAppProxyList = perAppProxyList[:0]
-	for uid := range perAppProxyMap {
-		perAppProxyList = append(perAppProxyList, uid)
-	}
-	sort.SliceStable(perAppProxyList, func(i, j int) bool {
-		return perAppProxyList[i] < perAppProxyList[j]
-	})
-	redirectPortStr := F.ToString(M.AddrPortFromNet(r.tcpListener.Addr()).Port())
-	if perAppProxyMode != platform.PerAppProxyModeInclude {
-		rules += "\n" + strings.Join(common.Map(perAppProxyList, func(it uint32) string {
-			return "iptables -t nat -A " + tableName + " -j RETURN -m owner --uid-owner " + F.ToString(it)
-		}), "\n")
-		rules += "\niptables -t nat -A " + tableName + " -p tcp -j REDIRECT --to-ports " + redirectPortStr
-	} else {
-		rules += "\n" + strings.Join(common.Map(perAppProxyList, func(it uint32) string {
-			return "iptables -t nat -A " + tableName + " -p tcp -j REDIRECT --to-ports " + redirectPortStr + " -m owner --uid-owner " + F.ToString(it)
-		}), "\n")
-	}
-	rules += "\niptables -t nat -A OUTPUT -p tcp -j " + tableName
-	for _, ruleLine := range strings.Split(rules, "\n") {
-		ruleLine = strings.TrimSpace(ruleLine)
-		if ruleLine == "" {
-			continue
-		}
-		r.logger.Debug("# ", ruleLine)
-	}
-	return r.runAndroidShell(rules)
-}
-
-func (r *Redirect) cleanupRedirect() {
-	_ = r.runAndroidShell(`
-iptables -t nat -D OUTPUT -p tcp -j sing-box
-iptables -t nat -F sing-box
-iptables -t nat -X sing-box
-`)
-}
-
-func (r *Redirect) runAndroidShell(content string) error {
-	var command *exec.Cmd
-	if r.needSu {
-		command = exec.Command(r.suPath, "-c", "sh")
-	} else {
-		command = exec.Command("sh")
-	}
-	command.Stdin = strings.NewReader(content)
-	combinedOutput, err := command.CombinedOutput()
-	if err != nil {
-		return E.Extend(err, string(combinedOutput))
-	}
-	return nil
-}

inbound/tun.go

@@ -166,14 +166,6 @@ func (t *Tun) Start() error {
 	}
 	t.logger.Trace("creating stack")
 	t.tunIf = tunInterface
-	var (
-		forwarderBindInterface bool
-		includeAllNetworks     bool
-	)
-	if t.platformInterface != nil {
-		forwarderBindInterface = true
-		includeAllNetworks = t.platformInterface.IncludeAllNetworks()
-	}
 	t.tunStack, err = tun.NewStack(t.stack, tun.StackOptions{
 		Context:                t.ctx,
 		Tun:                    tunInterface,
@@ -182,9 +174,8 @@ func (t *Tun) Start() error {
 		UDPTimeout:             t.udpTimeout,
 		Handler:                t,
 		Logger:                 t.logger,
-		ForwarderBindInterface: forwarderBindInterface,
+		ForwarderBindInterface: t.platformInterface != nil,
 		InterfaceFinder:        t.router.InterfaceFinder(),
-		IncludeAllNetworks:     includeAllNetworks,
 	})
 	if err != nil {
 		return err

mkdocs.yml

@@ -66,9 +66,8 @@ nav:
       - Proxy Protocol:
           - Shadowsocks: manual/proxy-protocol/shadowsocks.md
           - Trojan: manual/proxy-protocol/trojan.md
+          - TUIC: manual/proxy-protocol/tuic.md
           - Hysteria 2: manual/proxy-protocol/hysteria2.md
-      - Misc:
-          - TunnelVision: manual/misc/tunnelvision.md
   - Configuration:
       - configuration/index.md
       - Log:

option/dns.go

@@ -19,7 +19,7 @@ type DNSServerOptions struct {
 	AddressFallbackDelay Duration       `json:"address_fallback_delay,omitempty"`
 	Strategy             DomainStrategy `json:"strategy,omitempty"`
 	Detour               string         `json:"detour,omitempty"`
-	ClientSubnet         *AddrPrefix    `json:"client_subnet,omitempty"`
+	ClientSubnet         *ListenAddress `json:"client_subnet,omitempty"`
 }
 
 type DNSClientOptions struct {
@@ -27,7 +27,7 @@ type DNSClientOptions struct {
 	DisableCache     bool           `json:"disable_cache,omitempty"`
 	DisableExpire    bool           `json:"disable_expire,omitempty"`
 	IndependentCache bool           `json:"independent_cache,omitempty"`
-	ClientSubnet     *AddrPrefix    `json:"client_subnet,omitempty"`
+	ClientSubnet     *ListenAddress `json:"client_subnet,omitempty"`
 }
 
 type DNSFakeIPOptions struct {

option/redir.go

@@ -2,12 +2,6 @@ package option
 
 type RedirectInboundOptions struct {
 	ListenOptions
-	AutoRedirect *AutoRedirectOptions `json:"auto_redirect,omitempty"`
-}
-
-type AutoRedirectOptions struct {
-	Enabled                bool `json:"enabled,omitempty"`
-	ContinueOnNoPermission bool `json:"continue_on_no_permission,omitempty"`
 }
 
 type TProxyInboundOptions struct {

option/rule_dns.go

@@ -101,7 +101,7 @@ type DefaultDNSRule struct {
 	Server                   string                 `json:"server,omitempty"`
 	DisableCache             bool                   `json:"disable_cache,omitempty"`
 	RewriteTTL               *uint32                `json:"rewrite_ttl,omitempty"`
-	ClientSubnet             *AddrPrefix            `json:"client_subnet,omitempty"`
+	ClientSubnet             *ListenAddress         `json:"client_subnet,omitempty"`
 }
 
 func (r DefaultDNSRule) IsValid() bool {
@@ -115,13 +115,13 @@ func (r DefaultDNSRule) IsValid() bool {
 }
 
 type LogicalDNSRule struct {
-	Mode         string      `json:"mode"`
-	Rules        []DNSRule   `json:"rules,omitempty"`
-	Invert       bool        `json:"invert,omitempty"`
-	Server       string      `json:"server,omitempty"`
-	DisableCache bool        `json:"disable_cache,omitempty"`
-	RewriteTTL   *uint32     `json:"rewrite_ttl,omitempty"`
-	ClientSubnet *AddrPrefix `json:"client_subnet,omitempty"`
+	Mode         string         `json:"mode"`
+	Rules        []DNSRule      `json:"rules,omitempty"`
+	Invert       bool           `json:"invert,omitempty"`
+	Server       string         `json:"server,omitempty"`
+	DisableCache bool           `json:"disable_cache,omitempty"`
+	RewriteTTL   *uint32        `json:"rewrite_ttl,omitempty"`
+	ClientSubnet *ListenAddress `json:"client_subnet,omitempty"`
 }
 
 func (r LogicalDNSRule) IsValid() bool {

option/types.go

@@ -51,40 +51,6 @@ func (a *ListenAddress) Build() netip.Addr {
 	return (netip.Addr)(*a)
 }
 
-type AddrPrefix netip.Prefix
-
-func (a AddrPrefix) MarshalJSON() ([]byte, error) {
-	prefix := netip.Prefix(a)
-	if prefix.Bits() == prefix.Addr().BitLen() {
-		return json.Marshal(prefix.Addr().String())
-	} else {
-		return json.Marshal(prefix.String())
-	}
-}
-
-func (a *AddrPrefix) UnmarshalJSON(content []byte) error {
-	var value string
-	err := json.Unmarshal(content, &value)
-	if err != nil {
-		return err
-	}
-	prefix, prefixErr := netip.ParsePrefix(value)
-	if prefixErr == nil {
-		*a = AddrPrefix(prefix)
-		return nil
-	}
-	addr, addrErr := netip.ParseAddr(value)
-	if addrErr == nil {
-		*a = AddrPrefix(netip.PrefixFrom(addr, addr.BitLen()))
-		return nil
-	}
-	return prefixErr
-}
-
-func (a AddrPrefix) Build() netip.Prefix {
-	return netip.Prefix(a)
-}
-
 type NetworkList string
 
 func (v *NetworkList) UnmarshalJSON(content []byte) error {

outbound/urltest.go

@@ -287,23 +287,8 @@ func (g *URLTestGroup) Close() error {
 
 func (g *URLTestGroup) Select(network string) (adapter.Outbound, bool) {
 	var minDelay uint16
+	var minTime time.Time
 	var minOutbound adapter.Outbound
-	switch network {
-	case N.NetworkTCP:
-		if g.selectedOutboundTCP != nil {
-			if history := g.history.LoadURLTestHistory(RealTag(g.selectedOutboundTCP)); history != nil {
-				minOutbound = g.selectedOutboundTCP
-				minDelay = history.Delay
-			}
-		}
-	case N.NetworkUDP:
-		if g.selectedOutboundUDP != nil {
-			if history := g.history.LoadURLTestHistory(RealTag(g.selectedOutboundUDP)); history != nil {
-				minOutbound = g.selectedOutboundUDP
-				minDelay = history.Delay
-			}
-		}
-	}
 	for _, detour := range g.outbounds {
 		if !common.Contains(detour.Network(), network) {
 			continue
@@ -312,8 +297,9 @@ func (g *URLTestGroup) Select(network string) (adapter.Outbound, bool) {
 		if history == nil {
 			continue
 		}
-		if minDelay == 0 || minDelay > history.Delay+g.tolerance {
+		if minDelay == 0 || minDelay > history.Delay+g.tolerance || minDelay > history.Delay-g.tolerance && minTime.Before(history.Time) {
 			minDelay = history.Delay
+			minTime = history.Time
 			minOutbound = detour
 		}
 	}

route/router.go

@@ -27,7 +27,7 @@ import (
 	"github.com/sagernet/sing-box/outbound"
 	"github.com/sagernet/sing-box/transport/fakeip"
 	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing-mux"
+	mux "github.com/sagernet/sing-mux"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing/common"
@@ -235,7 +235,7 @@ func NewRouter(
 					return nil, E.New("parse dns server[", tag, "]: missing address_resolver")
 				}
 			}
-			var clientSubnet netip.Prefix
+			var clientSubnet netip.Addr
 			if server.ClientSubnet != nil {
 				clientSubnet = server.ClientSubnet.Build()
 			} else if dnsOptions.ClientSubnet != nil {
@@ -850,16 +850,7 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 
 	if metadata.InboundOptions.SniffEnabled {
 		buffer := buf.NewPacket()
-		sniffMetadata, err := sniff.PeekStream(
-			ctx,
-			conn,
-			buffer,
-			time.Duration(metadata.InboundOptions.SniffTimeout),
-			sniff.StreamDomainNameQuery,
-			sniff.TLSClientHello,
-			sniff.HTTPHost,
-			sniff.BitTorrent,
-		)
+		sniffMetadata, err := sniff.PeekStream(ctx, conn, buffer, time.Duration(metadata.InboundOptions.SniffTimeout), sniff.StreamDomainNameQuery, sniff.TLSClientHello, sniff.HTTPHost)
 		if sniffMetadata != nil {
 			metadata.Protocol = sniffMetadata.Protocol
 			metadata.Domain = sniffMetadata.Domain
@@ -986,15 +977,7 @@ func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, m
 			metadata.Destination = destination
 		}
 		if metadata.InboundOptions.SniffEnabled {
-			sniffMetadata, _ := sniff.PeekPacket(
-				ctx,
-				buffer.Bytes(),
-				sniff.DomainNameQuery,
-				sniff.QUICClientHello,
-				sniff.STUNMessage,
-				sniff.UTP,
-				sniff.UDPTracker,
-			)
+			sniffMetadata, _ := sniff.PeekPacket(ctx, buffer.Bytes(), sniff.DomainNameQuery, sniff.QUICClientHello, sniff.STUNMessage)
 			if sniffMetadata != nil {
 				metadata.Protocol = sniffMetadata.Protocol
 				metadata.Domain = sniffMetadata.Domain

route/rule_dns.go

@@ -40,7 +40,7 @@ type DefaultDNSRule struct {
 	abstractDefaultRule
 	disableCache bool
 	rewriteTTL   *uint32
-	clientSubnet *netip.Prefix
+	clientSubnet *netip.Addr
 }
 
 func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options option.DefaultDNSRule) (*DefaultDNSRule, error) {
@@ -51,7 +51,7 @@ func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options
 		},
 		disableCache: options.DisableCache,
 		rewriteTTL:   options.RewriteTTL,
-		clientSubnet: (*netip.Prefix)(options.ClientSubnet),
+		clientSubnet: (*netip.Addr)(options.ClientSubnet),
 	}
 	if len(options.Inbound) > 0 {
 		item := NewInboundRule(options.Inbound)
@@ -234,7 +234,7 @@ func (r *DefaultDNSRule) RewriteTTL() *uint32 {
 	return r.rewriteTTL
 }
 
-func (r *DefaultDNSRule) ClientSubnet() *netip.Prefix {
+func (r *DefaultDNSRule) ClientSubnet() *netip.Addr {
 	return r.clientSubnet
 }
 
@@ -272,7 +272,7 @@ type LogicalDNSRule struct {
 	abstractLogicalRule
 	disableCache bool
 	rewriteTTL   *uint32
-	clientSubnet *netip.Prefix
+	clientSubnet *netip.Addr
 }
 
 func NewLogicalDNSRule(router adapter.Router, logger log.ContextLogger, options option.LogicalDNSRule) (*LogicalDNSRule, error) {
@@ -284,7 +284,6 @@ func NewLogicalDNSRule(router adapter.Router, logger log.ContextLogger, options
 		},
 		disableCache: options.DisableCache,
 		rewriteTTL:   options.RewriteTTL,
-		clientSubnet: (*netip.Prefix)(options.ClientSubnet),
 	}
 	switch options.Mode {
 	case C.LogicalTypeAnd:
@@ -312,7 +311,7 @@ func (r *LogicalDNSRule) RewriteTTL() *uint32 {
 	return r.rewriteTTL
 }
 
-func (r *LogicalDNSRule) ClientSubnet() *netip.Prefix {
+func (r *LogicalDNSRule) ClientSubnet() *netip.Addr {
 	return r.clientSubnet
 }