documentation: Bump Version

documentation: Update new route address set options
auto-redirect: Add route address set support for nftables
2026-04-13 20:28:32 +10:00 · 2024-06-17 16:18:41 +08:00 · 2024-06-17 16:18:21 +08:00 · 2024-06-17 16:18:21 +08:00 · 2024-06-17 13:08:51 +08:00 · 2024-06-17 13:08:51 +08:00
47 changed files with 1615 additions and 387 deletions
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -38,7 +38,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -58,7 +58,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -188,7 +188,7 @@ jobs:
      TAGS: with_clash_api,with_quic
    steps:
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -30,7 +30,7 @@ jobs:
          echo "latest=$latest"
          echo "latest=$latest" >> $GITHUB_OUTPUT
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          ref: ${{ steps.ref.outputs.ref }}
      - name: Setup Docker Buildx
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,5 @@
 /*.xcframework/
 .DS_Store
 /config.d/
+/venv/
+
--- a/8
+++ b/8
@@ -192,13 +192,15 @@ lib_install:
 	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.3

 docs:
-	mkdocs serve
+	venv/bin/mkdocs serve

 publish_docs:
-	mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
+	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history

 docs_install:
-	pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
+	python -m venv venv
+	source ./venv/bin/active && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
+
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -10,15 +10,18 @@ import (
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"

 	mdns "github.com/miekg/dns"
+	"go4.org/netipx"
 )

 type Router interface {
 	Service
 	PreStarter
 	PostStarter
+	Cleanup() error

 	Outbounds() []Outbound
 	Outbound(tag string) (Outbound, bool)
@@ -45,7 +48,9 @@ type Router interface {
 	DefaultInterface() string
 	AutoDetectInterface() bool
 	AutoDetectInterfaceFunc() control.Func
-	DefaultMark() int
+	DefaultMark() uint32
+	RegisterAutoRedirectOutputMark(mark uint32) error
+	AutoRedirectOutputMark() uint32
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
@@ -92,12 +97,22 @@ type DNSRule interface {
 }

 type RuleSet interface {
+	Name() string
 	StartContext(ctx context.Context, startContext RuleSetStartContext) error
+	PostStart() error
 	Metadata() RuleSetMetadata
+	ExtractIPSet() []*netipx.IPSet
+	IncRef()
+	DecRef()
+	Cleanup()
+	RegisterCallback(callback RuleSetUpdateCallback) *list.Element[RuleSetUpdateCallback]
+	UnregisterCallback(element *list.Element[RuleSetUpdateCallback])
 	Close() error
 	HeadlessRule
 }

+type RuleSetUpdateCallback func(it RuleSet)
+
 type RuleSetMetadata struct {
 	ContainsProcessRule bool
 	ContainsWIFIRule    bool
--- a/box.go
+++ b/box.go
@@ -111,6 +111,7 @@ func New(options Options) (*Box, error) {
 			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
+			tag,
 			inboundOptions,
 			options.PlatformInterface,
 		)
@@ -302,7 +303,11 @@ func (s *Box) start() error {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
-	return s.postStart()
+	err = s.postStart()
+	if err != nil {
+		return err
+	}
+	return s.router.Cleanup()
 }

 func (s *Box) postStart() error {
@@ -312,16 +317,28 @@ func (s *Box) postStart() error {
 			return E.Cause(err, "start ", serviceName)
 		}
 	}
-	for _, outbound := range s.outbounds {
-		if lateOutbound, isLateOutbound := outbound.(adapter.PostStarter); isLateOutbound {
+	// TODO: reorganize ALL start order
+	for _, out := range s.outbounds {
+		if lateOutbound, isLateOutbound := out.(adapter.PostStarter); isLateOutbound {
 			err := lateOutbound.PostStart()
 			if err != nil {
-				return E.Cause(err, "post-start outbound/", outbound.Tag())
+				return E.Cause(err, "post-start outbound/", out.Tag())
 			}
 		}
 	}
-
-	return s.router.PostStart()
+	err := s.router.PostStart()
+	if err != nil {
+		return err
+	}
+	for _, in := range s.inbounds {
+		if lateInbound, isLateInbound := in.(adapter.PostStarter); isLateInbound {
+			err = lateInbound.PostStart()
+			if err != nil {
+				return E.Cause(err, "post-start inbound/", in.Tag())
+			}
+		}
+	}
+	return nil
 }

 func (s *Box) Close() error {
--- a/cmd/sing-box/cmd_tools_fetch.go
+++ b/cmd/sing-box/cmd_tools_fetch.go
@@ -9,8 +9,10 @@ import (
 	"net/url"
 	"os"

+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"

 	"github.com/spf13/cobra"
@@ -32,7 +34,10 @@ func init() {
 	commandTools.AddCommand(commandFetch)
 }

-var httpClient *http.Client
+var (
+	httpClient  *http.Client
+	http3Client *http.Client
+)

 func fetch(args []string) error {
 	instance, err := createPreStartedClient()
@@ -53,8 +58,16 @@ func fetch(args []string) error {
 		},
 	}
 	defer httpClient.CloseIdleConnections()
+	if C.WithQUIC {
+		err = initializeHTTP3Client(instance)
+		if err != nil {
+			return err
+		}
+		defer http3Client.CloseIdleConnections()
+	}
 	for _, urlString := range args {
-		parsedURL, err := url.Parse(urlString)
+		var parsedURL *url.URL
+		parsedURL, err = url.Parse(urlString)
 		if err != nil {
 			return err
 		}
@@ -63,16 +76,27 @@ func fetch(args []string) error {
 			parsedURL.Scheme = "http"
 			fallthrough
 		case "http", "https":
-			err = fetchHTTP(parsedURL)
+			err = fetchHTTP(httpClient, parsedURL)
 			if err != nil {
 				return err
 			}
+		case "http3":
+			if !C.WithQUIC {
+				return C.ErrQUICNotIncluded
+			}
+			parsedURL.Scheme = "https"
+			err = fetchHTTP(http3Client, parsedURL)
+			if err != nil {
+				return err
+			}
+		default:
+			return E.New("unsupported scheme: ", parsedURL.Scheme)
 		}
 	}
 	return nil
 }

-func fetchHTTP(parsedURL *url.URL) error {
+func fetchHTTP(httpClient *http.Client, parsedURL *url.URL) error {
 	request, err := http.NewRequest("GET", parsedURL.String(), nil)
 	if err != nil {
 		return err
--- a/cmd/sing-box/cmd_tools_fetch_http3.go
+++ b/cmd/sing-box/cmd_tools_fetch_http3.go
@@ -0,0 +1,36 @@
+//go:build with_quic
+
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"net/http"
+
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/http3"
+	box "github.com/sagernet/sing-box"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+func initializeHTTP3Client(instance *box.Box) error {
+	dialer, err := createDialer(instance, N.NetworkUDP, commandToolsFlagOutbound)
+	if err != nil {
+		return err
+	}
+	http3Client = &http.Client{
+		Transport: &http3.RoundTripper{
+			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+				destination := M.ParseSocksaddr(addr)
+				udpConn, dErr := dialer.DialContext(ctx, N.NetworkUDP, destination)
+				if dErr != nil {
+					return nil, dErr
+				}
+				return quic.DialEarly(ctx, bufio.NewUnbindPacketConn(udpConn), udpConn.RemoteAddr(), tlsCfg, cfg)
+			},
+		},
+	}
+	return nil
+}
--- a/cmd/sing-box/cmd_tools_fetch_http3_stub.go
+++ b/cmd/sing-box/cmd_tools_fetch_http3_stub.go
@@ -0,0 +1,18 @@
+//go:build !with_quic
+
+package main
+
+import (
+	"net/url"
+	"os"
+
+	box "github.com/sagernet/sing-box"
+)
+
+func initializeHTTP3Client(instance *box.Box) error {
+	return os.ErrInvalid
+}
+
+func fetchHTTP3(parsedURL *url.URL) error {
+	return os.ErrInvalid
+}
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -50,12 +50,26 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
-	if options.RoutingMark != 0 {
+	var autoRedirectOutputMark uint32
+	if router != nil {
+		autoRedirectOutputMark = router.AutoRedirectOutputMark()
+	}
+	if autoRedirectOutputMark > 0 {
+		dialer.Control = control.Append(dialer.Control, control.RoutingMark(autoRedirectOutputMark))
+		listener.Control = control.Append(listener.Control, control.RoutingMark(autoRedirectOutputMark))
+	}
+	if options.RoutingMark > 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(options.RoutingMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(options.RoutingMark))
-	} else if router != nil && router.DefaultMark() != 0 {
+		if autoRedirectOutputMark > 0 {
+			return nil, E.New("`auto_redirect` with `route_[_exclude]_address_set is conflict with `routing_mark`")
+		}
+	} else if router != nil && router.DefaultMark() > 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(router.DefaultMark()))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
+		if autoRedirectOutputMark > 0 {
+			return nil, E.New("`auto_redirect` with `route_[_exclude]_address_set is conflict with `default_mark`")
+		}
 	}
 	if options.ReuseAddr {
 		listener.Control = control.Append(listener.Control, control.ReuseAddr())
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -32,6 +32,12 @@ const (

 func ProxyDisplayName(proxyType string) string {
 	switch proxyType {
+	case TypeTun:
+		return "TUN"
+	case TypeRedirect:
+		return "Redirect"
+	case TypeTProxy:
+		return "TProxy"
 	case TypeDirect:
 		return "Direct"
 	case TypeBlock:
@@ -42,6 +48,8 @@ func ProxyDisplayName(proxyType string) string {
 		return "SOCKS"
 	case TypeHTTP:
 		return "HTTP"
+	case TypeMixed:
+		return "Mixed"
 	case TypeShadowsocks:
 		return "Shadowsocks"
 	case TypeVMess:
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,10 +2,35 @@
 icon: material/alert-decagram
 ---

-#### 1.10.0-alpha.11
+#### 1.10.0-alpha.14

 * Fixes and improvements

+#### 1.10.0-alpha.13
+
+* TUN address fields are merged **1**
+* Add route address set support for auto-redirect **2**
+
+**1**:
+
+See [Migration](/migration/#tun-address-fields-are-merged).
+
+**2**:
+
+The new feature will allow you to configure the destination IP CIDR rules
+in the specified rule-sets to the firewall automatically.
+
+Specified or unspecified destinations will bypass the sing-box routes to get better performance
+(for example, keep hardware offloading of direct traffics on the router).
+
+See [route_address_set](/configuration/inbound/tun/#route_address_set)
+and [route_exclude_address_set](/configuration/inbound/tun/#route_exclude_address_set).
+
+#### 1.10.0-alpha.12
+
+* Fix auto-redirect not configuring nftables forward chain correctly
+* Fixes and improvements
+
 ### 1.9.3

 * Fixes and improvements
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -4,7 +4,18 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.10.0"

-    :material-plus: [auto_redirect](#auto_redirect)
+    :material-plus: [address](#address)  
+    :material-delete-clock: [inet4_address](#inet4_address)  
+    :material-delete-clock: [inet6_address](#inet6_address)  
+    :material-plus: [route_address](#route_address)  
+    :material-delete-clock: [inet4_route_address](#inet4_route_address)  
+    :material-delete-clock: [inet6_route_address](#inet6_route_address)  
+    :material-plus: [route_exclude_address](#route_address)  
+    :material-delete-clock: [inet4_route_exclude_address](#inet4_route_exclude_address)  
+    :material-delete-clock: [inet6_route_exclude_address](#inet6_route_exclude_address)  
+    :material-plus: [auto_redirect](#auto_redirect)  
+    :material-plus: [route_address_set](#route_address_set)  
+    :material-plus: [route_exclude_address_set](#route_address_set)

 !!! quote "Changes in sing-box 1.9.0"

@@ -27,27 +38,57 @@ icon: material/new-box
  "type": "tun",
  "tag": "tun-in",
  "interface_name": "tun0",
-  "inet4_address": "172.19.0.1/30",
-  "inet6_address": "fdfe:dcba:9876::1/126",
+  "address": [
+    "172.18.0.1/30",
+    "fdfe:dcba:9876::1/126"
+  ],
+  // deprecated
+  "inet4_address": [
+    "172.19.0.1/30"
+  ],
+  // deprecated
+  "inet6_address": [
+    "fdfe:dcba:9876::1/126"
+  ],
  "mtu": 9000,
  "gso": false,
  "auto_route": true,
  "strict_route": true,
  "auto_redirect": false,
+  "route_address": [
+    "0.0.0.0/1",
+    "128.0.0.0/1",
+    "::/1",
+    "8000::/1"
+  ],
+  // deprecated
  "inet4_route_address": [
    "0.0.0.0/1",
    "128.0.0.0/1"
  ],
+  // deprecated
  "inet6_route_address": [
    "::/1",
    "8000::/1"
  ],
+  "route_exclude_address": [
+    "192.168.0.0/16",
+    "fc00::/7"
+  ],
+  // deprecated
  "inet4_route_exclude_address": [
    "192.168.0.0/16"
  ],
+  // deprecated
  "inet6_route_exclude_address": [
    "fc00::/7"
  ],
+  "route_address_set": [
+    "geoip-cloudflare"
+  ],
+  "route_exclude_address_set": [
+    "geoip-cn"
+  ],
  "endpoint_independent_nat": false,
  "udp_timeout": "5m",
  "stack": "system",
@@ -107,14 +148,26 @@ icon: material/new-box

 Virtual device name, automatically selected if empty.

+#### address
+
+!!! question "Since sing-box 1.10.0"
+
+IPv4 and IPv6 prefix for the tun interface.
+
 #### inet4_address

-==Required==
+!!! failure "Deprecated in sing-box 1.10.0"
+
+    `inet4_address` is merged to `address` and will be removed in sing-box 1.11.0.

 IPv4 prefix for the tun interface.

 #### inet6_address

+!!! failure "Deprecated in sing-box 1.10.0"
+
+    `inet6_address` is merged to `address` and will be removed in sing-box 1.11.0.
+
 IPv6 prefix for the tun interface.

 #### mtu
@@ -168,7 +221,7 @@ It may prevent some applications (such as VirtualBox) from working properly in c

 !!! quote ""

-    Only supported on Linux.
+    Only supported on Linux with `auto_route` enabled.

 Automatically configure iptables/nftables to redirect connections.

@@ -181,22 +234,76 @@ use [VPNHotspot](https://github.com/Mygod/VPNHotspot).

 `auto_route` with `auto_redirect` now works as expected on routers **without intervention**.

+#### route_address
+
+!!! question "Since sing-box 1.10.0"
+
+Use custom routes instead of default when `auto_route` is enabled.
+
 #### inet4_route_address

+!!! failure "Deprecated in sing-box 1.10.0"
+
+   `inet4_route_address` is deprecated and will be removed in sing-box 1.11.0, please use [route_address](#route_address) instead.
+
 Use custom routes instead of default when `auto_route` is enabled.

 #### inet6_route_address

+!!! failure "Deprecated in sing-box 1.10.0"
+
+   `inet6_route_address` is deprecated and will be removed in sing-box 1.11.0, please use [route_address](#route_address) instead.
+
 Use custom routes instead of default when `auto_route` is enabled.

+#### route_exclude_address
+
+!!! question "Since sing-box 1.10.0"
+
+Exclude custom routes when `auto_route` is enabled.
+
 #### inet4_route_exclude_address

+!!! failure "Deprecated in sing-box 1.10.0"
+
+   `inet4_route_exclude_address` is deprecated and will be removed in sing-box 1.11.0, please use [route_exclude_address](#route_exclude_address) instead.
+
 Exclude custom routes when `auto_route` is enabled.

 #### inet6_route_exclude_address

+!!! failure "Deprecated in sing-box 1.10.0"
+
+   `inet6_route_exclude_address` is deprecated and will be removed in sing-box 1.11.0, please use [route_exclude_address](#route_exclude_address) instead.
+
 Exclude custom routes when `auto_route` is enabled.

+#### route_address_set
+
+!!! question "Since sing-box 1.10.0"
+
+!!! quote ""
+
+    Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
+
+Add the destination IP CIDR rules in the specified rule-sets to the firewall.
+Unmatched traffic will bypass the sing-box routes.
+
+Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
+
+#### route_exclude_address_set
+
+!!! question "Since sing-box 1.10.0"
+
+!!! quote ""
+
+    Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
+
+Add the destination IP CIDR rules in the specified rule-sets to the firewall.
+Matched traffic will bypass the sing-box routes.
+
+Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
+
 #### endpoint_independent_nat

 !!! info ""
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -2,9 +2,20 @@
 icon: material/new-box
 ---

-!!! quote "sing-box 1.10.0 中的更改"
+!!! quote "Changes in sing-box 1.10.0"

-    :material-plus: [auto_redirect](#auto_redirect)
+    :material-plus: [address](#address)  
+    :material-delete-clock: [inet4_address](#inet4_address)  
+    :material-delete-clock: [inet6_address](#inet6_address)  
+    :material-plus: [route_address](#route_address)  
+    :material-delete-clock: [inet4_route_address](#inet4_route_address)  
+    :material-delete-clock: [inet6_route_address](#inet6_route_address)  
+    :material-plus: [route_exclude_address](#route_address)  
+    :material-delete-clock: [inet4_route_exclude_address](#inet4_route_exclude_address)  
+    :material-delete-clock: [inet6_route_exclude_address](#inet6_route_exclude_address)  
+    :material-plus: [auto_redirect](#auto_redirect)  
+    :material-plus: [route_address_set](#route_address_set)  
+    :material-plus: [route_exclude_address_set](#route_address_set)

 !!! quote "sing-box 1.9.0 中的更改"

@@ -27,27 +38,57 @@ icon: material/new-box
  "type": "tun",
  "tag": "tun-in",
  "interface_name": "tun0",
-  "inet4_address": "172.19.0.1/30",
-  "inet6_address": "fdfe:dcba:9876::1/126",
+  "address": [
+    "172.18.0.1/30",
+    "fdfe:dcba:9876::1/126"
+  ],
+  // 已弃用
+  "inet4_address": [
+    "172.19.0.1/30"
+  ],
+  // 已弃用
+  "inet6_address": [
+    "fdfe:dcba:9876::1/126"
+  ],
  "mtu": 9000,
  "gso": false,
  "auto_route": true,
  "strict_route": true,
  "auto_redirect": false,
+  "route_address": [
+    "0.0.0.0/1",
+    "128.0.0.0/1",
+    "::/1",
+    "8000::/1"
+  ],
+  // 已弃用
  "inet4_route_address": [
    "0.0.0.0/1",
    "128.0.0.0/1"
  ],
+  // 已弃用
  "inet6_route_address": [
    "::/1",
    "8000::/1"
  ],
+  "route_exclude_address": [
+    "192.168.0.0/16",
+    "fc00::/7"
+  ],
+  // 已弃用
  "inet4_route_exclude_address": [
    "192.168.0.0/16"
  ],
+  // 已弃用
  "inet6_route_exclude_address": [
    "fc00::/7"
  ],
+  "route_address_set": [
+    "geoip-cloudflare"
+  ],
+  "route_exclude_address_set": [
+    "geoip-cn"
+  ],
  "endpoint_independent_nat": false,
  "udp_timeout": "5m",
  "stack": "system",
@@ -107,14 +148,30 @@ icon: material/new-box

 虚拟设备名称，默认自动选择。

+#### address
+
+!!! question "自 sing-box 1.10.0 起"
+
+==必填==
+
+tun 接口的 IPv4 和 IPv6 前缀。
+
 #### inet4_address

+!!! failure "已在 sing-box 1.10.0 废弃"
+
+    `inet4_address` 已合并到 `address` 且将在 sing-box 1.11.0 移除.
+
 ==必填==

 tun 接口的 IPv4 前缀。

 #### inet6_address

+!!! failure "已在 sing-box 1.10.0 废弃"
+
+    `inet6_address` 已合并到 `address` 且将在 sing-box 1.11.0 移除.
+
 tun 接口的 IPv6 前缀。

 #### mtu
@@ -181,22 +238,76 @@ tun 接口的 IPv6 前缀。

 带有 `auto_redirect `的 `auto_route` 现在可以在路由器上按预期工作，**无需干预**。

+#### route_address
+
+!!! question "自 sing-box 1.10.0 起"
+
+设置到 Tun 的自定义路由。
+
 #### inet4_route_address

+!!! failure "已在 sing-box 1.10.0 废弃"
+
+    `inet4_route_address` 已合并到 `route_address` 且将在 sing-box 1.11.0 移除.
+
 启用 `auto_route` 时使用自定义路由而不是默认路由。

 #### inet6_route_address

+!!! failure "已在 sing-box 1.10.0 废弃"
+
+    `inet6_route_address` 已合并到 `route_address` 且将在 sing-box 1.11.0 移除.
+
 启用 `auto_route` 时使用自定义路由而不是默认路由。

+#### route_exclude_address
+
+!!! question "自 sing-box 1.10.0 起"
+
+设置到 Tun 的排除自定义路由。
+
 #### inet4_route_exclude_address

+!!! failure "已在 sing-box 1.10.0 废弃"
+
+    `inet4_route_exclude_address` 已合并到 `route_exclude_address` 且将在 sing-box 1.11.0 移除.
+
 启用 `auto_route` 时排除自定义路由。

 #### inet6_route_exclude_address

+!!! failure "已在 sing-box 1.10.0 废弃"
+
+    `inet6_route_exclude_address` 已合并到 `route_exclude_address` 且将在 sing-box 1.11.0 移除.
+
 启用 `auto_route` 时排除自定义路由。

+#### route_address_set
+
+!!! question "自 sing-box 1.10.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
+
+将指定规则集中的目标 IP CIDR 规则添加到防火墙。
+不匹配的流量将绕过 sing-box 路由。
+
+与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
+
+#### route_exclude_address_set
+
+!!! question "自 sing-box 1.10.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。
+
+将指定规则集中的目标 IP CIDR 规则添加到防火墙。
+匹配的流量将绕过 sing-box 路由。
+
+与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
+
 #### endpoint_independent_nat

 启用独立于端点的 NAT。
@@ -312,7 +423,7 @@ TCP/IP 栈。

 !!! note ""

-  在 Apple 平台，`bypass_domain` 项匹配主机名 **后缀**.
+    在 Apple 平台，`bypass_domain` 项匹配主机名 **后缀**.

 绕过代理的主机名列表。

--- a/docs/deprecated.md
+++ b/docs/deprecated.md
@@ -6,6 +6,14 @@ icon: material/delete-alert

 ## 1.10.0

+#### TUN address fields are merged
+
+`inet4_address` and `inet6_address` are merged into `address`,
+`inet4_route_address` and `inet6_route_address` are merged into `route_address`,
+`inet4_route_exclude_address` and `inet6_route_exclude_address` are merged into `route_exclude_address`.
+
+Old fields are deprecated and will be removed in sing-box 1.11.0.
+
 #### Drop support for go1.18 and go1.19

 Due to maintenance difficulties, sing-box 1.10.0 requires at least Go 1.20 to compile.
--- a/docs/deprecated.zh.md
+++ b/docs/deprecated.zh.md
@@ -6,6 +6,14 @@ icon: material/delete-alert

 ## 1.10.0

+#### TUN 地址字段已合并
+
+`inet4_address` 和 `inet6_address` 已合并为 `address`，
+`inet4_route_address` 和 `inet6_route_address` 已合并为 `route_address`，
+`inet4_route_exclude_address` 和 `inet6_route_exclude_address` 已合并为 `route_exclude_address`。
+
+旧字段已废弃，且将在 sing-box 1.11.0 中移除。
+
 #### 移除对 go1.18 和 go1.19 的支持

 由于维护困难，sing-box 1.10.0 要求至少 Go 1.20 才能编译。
--- a/docs/migration.md
+++ b/docs/migration.md
@@ -2,6 +2,74 @@
 icon: material/arrange-bring-forward
 ---

+## 1.10.0
+
+### TUN address fields are merged
+
+`inet4_address` and `inet6_address` are merged into `address`,
+`inet4_route_address` and `inet6_route_address` are merged into `route_address`,
+`inet4_route_exclude_address` and `inet6_route_exclude_address` are merged into `route_exclude_address`.
+
+Old fields are deprecated and will be removed in sing-box 1.11.0.
+
+!!! info "References"
+
+    [TUN](/configuration/inbound/tun/)
+
+=== ":material-card-remove: Deprecated"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "tun",
+          "inet4_address": "172.19.0.1/30",
+          "inet6_address": "fdfe:dcba:9876::1/126",
+          "inet4_route_address": [
+            "0.0.0.0/1",
+            "128.0.0.0/1"
+          ],
+          "inet6_route_address": [
+            "::/1",
+            "8000::/1"
+          ],
+          "inet4_route_exclude_address": [
+            "192.168.0.0/16"
+          ],
+          "inet6_route_exclude_address": [
+            "fc00::/7"
+          ]
+        }
+      ]
+    }
+    ```
+
+=== ":material-card-multiple: New"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "tun",
+          "address": [
+            "172.19.0.1/30",
+            "fdfe:dcba:9876::1/126"
+          ],
+          "route_address": [
+            "0.0.0.0/1",
+            "128.0.0.0/1",
+            "::/1",
+            "8000::/1"
+          ],
+          "route_exclude_address": [
+            "192.168.0.0/16",
+            "fc00::/7"
+          ]
+        }
+      ]
+    }
+    ```
+
 ## 1.9.0

 ### `domain_suffix` behavior update
--- a/docs/migration.zh.md
+++ b/docs/migration.zh.md
@@ -2,6 +2,74 @@
 icon: material/arrange-bring-forward
 ---

+## 1.10.0
+
+### TUN 地址字段已合并
+
+`inet4_address` 和 `inet6_address` 已合并为 `address`，
+`inet4_route_address` 和 `inet6_route_address` 已合并为 `route_address`，
+`inet4_route_exclude_address` 和 `inet6_route_exclude_address` 已合并为 `route_exclude_address`。
+
+旧字段已废弃，且将在 sing-box 1.11.0 中移除。
+
+!!! info "参考"
+
+    [TUN](/zh/configuration/inbound/tun/)
+
+=== ":material-card-remove: 弃用的"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "tun",
+          "inet4_address": "172.19.0.1/30",
+          "inet6_address": "fdfe:dcba:9876::1/126",
+          "inet4_route_address": [
+            "0.0.0.0/1",
+            "128.0.0.0/1"
+          ],
+          "inet6_route_address": [
+            "::/1",
+            "8000::/1"
+          ],
+          "inet4_route_exclude_address": [
+            "192.168.0.0/16"
+          ],
+          "inet6_route_exclude_address": [
+            "fc00::/7"
+          ]
+        }
+      ]
+    }
+    ```
+
+=== ":material-card-multiple: 新的"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "tun",
+          "address": [
+            "172.19.0.1/30",
+            "fdfe:dcba:9876::1/126"
+          ],
+          "route_address": [
+            "0.0.0.0/1",
+            "128.0.0.0/1",
+            "::/1",
+            "8000::/1"
+          ],
+          "route_exclude_address": [
+            "192.168.0.0/16",
+            "fc00::/7"
+          ]
+        }
+      ]
+    }
+    ```
+
 ## 1.9.0

 ### `domain_suffix` 行为更新
--- a/experimental/clashapi/connections.go
+++ b/experimental/clashapi/connections.go
@@ -14,6 +14,7 @@ import (

 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/render"
+	"github.com/gofrs/uuid/v5"
 )

 func connectionRouter(router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
@@ -76,10 +77,10 @@ func getConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseW

 func closeConnection(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		id := chi.URLParam(r, "id")
+		id := uuid.FromStringOrNil(chi.URLParam(r, "id"))
 		snapshot := trafficManager.Snapshot()
 		for _, c := range snapshot.Connections {
-			if id == c.ID() {
+			if id == c.Metadata().ID {
 				c.Close()
 				break
 			}
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -19,7 +19,6 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
@@ -218,58 +217,15 @@ func (s *Server) TrafficManager() *trafficontrol.Manager {
 }

 func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule) (net.Conn, adapter.Tracker) {
-	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, castMetadata(metadata), s.router, matchedRule)
+	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, metadata, s.router, matchedRule)
 	return tracker, tracker
 }

 func (s *Server) RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, matchedRule adapter.Rule) (N.PacketConn, adapter.Tracker) {
-	tracker := trafficontrol.NewUDPTracker(conn, s.trafficManager, castMetadata(metadata), s.router, matchedRule)
+	tracker := trafficontrol.NewUDPTracker(conn, s.trafficManager, metadata, s.router, matchedRule)
 	return tracker, tracker
 }

-func castMetadata(metadata adapter.InboundContext) trafficontrol.Metadata {
-	var inbound string
-	if metadata.Inbound != "" {
-		inbound = metadata.InboundType + "/" + metadata.Inbound
-	} else {
-		inbound = metadata.InboundType
-	}
-	var domain string
-	if metadata.Domain != "" {
-		domain = metadata.Domain
-	} else {
-		domain = metadata.Destination.Fqdn
-	}
-	var processPath string
-	if metadata.ProcessInfo != nil {
-		if metadata.ProcessInfo.ProcessPath != "" {
-			processPath = metadata.ProcessInfo.ProcessPath
-		} else if metadata.ProcessInfo.PackageName != "" {
-			processPath = metadata.ProcessInfo.PackageName
-		}
-		if processPath == "" {
-			if metadata.ProcessInfo.UserId != -1 {
-				processPath = F.ToString(metadata.ProcessInfo.UserId)
-			}
-		} else if metadata.ProcessInfo.User != "" {
-			processPath = F.ToString(processPath, " (", metadata.ProcessInfo.User, ")")
-		} else if metadata.ProcessInfo.UserId != -1 {
-			processPath = F.ToString(processPath, " (", metadata.ProcessInfo.UserId, ")")
-		}
-	}
-	return trafficontrol.Metadata{
-		NetWork:     metadata.Network,
-		Type:        inbound,
-		SrcIP:       metadata.Source.Addr,
-		DstIP:       metadata.Destination.Addr,
-		SrcPort:     F.ToString(metadata.Source.Port),
-		DstPort:     F.ToString(metadata.Destination.Port),
-		Host:        domain,
-		DNSMode:     "normal",
-		ProcessPath: processPath,
-	}
-}
-
 func authentication(serverSecret string) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
--- a/experimental/clashapi/trafficontrol/manager.go
+++ b/experimental/clashapi/trafficontrol/manager.go
@@ -2,10 +2,17 @@ package trafficontrol

 import (
 	"runtime"
+	"sync"
 	"time"

+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/clashapi/compatible"
+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/atomic"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/x/list"
+
+	"github.com/gofrs/uuid/v5"
 )

 type Manager struct {
@@ -16,9 +23,11 @@ type Manager struct {
 	uploadTotal   atomic.Int64
 	downloadTotal atomic.Int64

-	connections compatible.Map[string, tracker]
-	ticker      *time.Ticker
-	done        chan struct{}
+	connections             compatible.Map[uuid.UUID, Tracker]
+	closedConnectionsAccess sync.Mutex
+	closedConnections       list.List[TrackerMetadata]
+	ticker                  *time.Ticker
+	done                    chan struct{}
 	// process     *process.Process
 	memory uint64
 }
@@ -33,12 +42,22 @@ func NewManager() *Manager {
 	return manager
 }

-func (m *Manager) Join(c tracker) {
-	m.connections.Store(c.ID(), c)
+func (m *Manager) Join(c Tracker) {
+	m.connections.Store(c.Metadata().ID, c)
 }

-func (m *Manager) Leave(c tracker) {
-	m.connections.Delete(c.ID())
+func (m *Manager) Leave(c Tracker) {
+	metadata := c.Metadata()
+	_, loaded := m.connections.LoadAndDelete(metadata.ID)
+	if loaded {
+		metadata.ClosedAt = time.Now()
+		m.closedConnectionsAccess.Lock()
+		defer m.closedConnectionsAccess.Unlock()
+		if m.closedConnections.Len() >= 1000 {
+			m.closedConnections.PopFront()
+		}
+		m.closedConnections.PushBack(metadata)
+	}
 }

 func (m *Manager) PushUploaded(size int64) {
@@ -59,14 +78,39 @@ func (m *Manager) Total() (up int64, down int64) {
 	return m.uploadTotal.Load(), m.downloadTotal.Load()
 }

-func (m *Manager) Connections() int {
+func (m *Manager) ConnectionsLen() int {
 	return m.connections.Len()
 }

+func (m *Manager) Connections() []TrackerMetadata {
+	var connections []TrackerMetadata
+	m.connections.Range(func(_ uuid.UUID, value Tracker) bool {
+		connections = append(connections, value.Metadata())
+		return true
+	})
+	return connections
+}
+
+func (m *Manager) ClosedConnections() []TrackerMetadata {
+	m.closedConnectionsAccess.Lock()
+	defer m.closedConnectionsAccess.Unlock()
+	return m.closedConnections.Array()
+}
+
+func (m *Manager) Connection(id uuid.UUID) Tracker {
+	connection, loaded := m.connections.Load(id)
+	if !loaded {
+		return nil
+	}
+	return connection
+}
+
 func (m *Manager) Snapshot() *Snapshot {
-	var connections []tracker
-	m.connections.Range(func(_ string, value tracker) bool {
-		connections = append(connections, value)
+	var connections []Tracker
+	m.connections.Range(func(_ uuid.UUID, value Tracker) bool {
+		if value.Metadata().OutboundType != C.TypeDNS {
+			connections = append(connections, value)
+		}
 		return true
 	})

@@ -75,10 +119,10 @@ func (m *Manager) Snapshot() *Snapshot {
 	m.memory = memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased

 	return &Snapshot{
-		UploadTotal:   m.uploadTotal.Load(),
-		DownloadTotal: m.downloadTotal.Load(),
-		Connections:   connections,
-		Memory:        m.memory,
+		Upload:      m.uploadTotal.Load(),
+		Download:    m.downloadTotal.Load(),
+		Connections: connections,
+		Memory:      m.memory,
 	}
 }

@@ -114,8 +158,17 @@ func (m *Manager) Close() error {
 }

 type Snapshot struct {
-	DownloadTotal int64     `json:"downloadTotal"`
-	UploadTotal   int64     `json:"uploadTotal"`
-	Connections   []tracker `json:"connections"`
-	Memory        uint64    `json:"memory"`
+	Download    int64
+	Upload      int64
+	Connections []Tracker
+	Memory      uint64
+}
+
+func (s *Snapshot) MarshalJSON() ([]byte, error) {
+	return json.Marshal(map[string]any{
+		"downloadTotal": s.Download,
+		"uploadTotal":   s.Upload,
+		"connections":   common.Map(s.Connections, func(t Tracker) TrackerMetadata { return t.Metadata() }),
+		"memory":        s.Memory,
+	})
 }
--- a/experimental/clashapi/trafficontrol/tracker.go
+++ b/experimental/clashapi/trafficontrol/tracker.go
@@ -2,97 +2,135 @@ package trafficontrol

 import (
 	"net"
-	"net/netip"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/atomic"
 	"github.com/sagernet/sing/common/bufio"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 	N "github.com/sagernet/sing/common/network"

 	"github.com/gofrs/uuid/v5"
 )

-type Metadata struct {
-	NetWork     string     `json:"network"`
-	Type        string     `json:"type"`
-	SrcIP       netip.Addr `json:"sourceIP"`
-	DstIP       netip.Addr `json:"destinationIP"`
-	SrcPort     string     `json:"sourcePort"`
-	DstPort     string     `json:"destinationPort"`
-	Host        string     `json:"host"`
-	DNSMode     string     `json:"dnsMode"`
-	ProcessPath string     `json:"processPath"`
+type TrackerMetadata struct {
+	ID           uuid.UUID
+	Metadata     adapter.InboundContext
+	CreatedAt    time.Time
+	ClosedAt     time.Time
+	Upload       *atomic.Int64
+	Download     *atomic.Int64
+	Chain        []string
+	Rule         adapter.Rule
+	Outbound     string
+	OutboundType string
 }

-type tracker interface {
-	ID() string
-	Close() error
-	Leave()
-}
-
-type trackerInfo struct {
-	UUID          uuid.UUID     `json:"id"`
-	Metadata      Metadata      `json:"metadata"`
-	UploadTotal   *atomic.Int64 `json:"upload"`
-	DownloadTotal *atomic.Int64 `json:"download"`
-	Start         time.Time     `json:"start"`
-	Chain         []string      `json:"chains"`
-	Rule          string        `json:"rule"`
-	RulePayload   string        `json:"rulePayload"`
-}
-
-func (t trackerInfo) MarshalJSON() ([]byte, error) {
+func (t TrackerMetadata) MarshalJSON() ([]byte, error) {
+	var inbound string
+	if t.Metadata.Inbound != "" {
+		inbound = t.Metadata.InboundType + "/" + t.Metadata.Inbound
+	} else {
+		inbound = t.Metadata.InboundType
+	}
+	var domain string
+	if t.Metadata.Domain != "" {
+		domain = t.Metadata.Domain
+	} else {
+		domain = t.Metadata.Destination.Fqdn
+	}
+	var processPath string
+	if t.Metadata.ProcessInfo != nil {
+		if t.Metadata.ProcessInfo.ProcessPath != "" {
+			processPath = t.Metadata.ProcessInfo.ProcessPath
+		} else if t.Metadata.ProcessInfo.PackageName != "" {
+			processPath = t.Metadata.ProcessInfo.PackageName
+		}
+		if processPath == "" {
+			if t.Metadata.ProcessInfo.UserId != -1 {
+				processPath = F.ToString(t.Metadata.ProcessInfo.UserId)
+			}
+		} else if t.Metadata.ProcessInfo.User != "" {
+			processPath = F.ToString(processPath, " (", t.Metadata.ProcessInfo.User, ")")
+		} else if t.Metadata.ProcessInfo.UserId != -1 {
+			processPath = F.ToString(processPath, " (", t.Metadata.ProcessInfo.UserId, ")")
+		}
+	}
+	var rule string
+	if t.Rule != nil {
+		rule = F.ToString(t.Rule, " => ", t.Rule.Outbound())
+	} else {
+		rule = "final"
+	}
 	return json.Marshal(map[string]any{
-		"id":          t.UUID.String(),
-		"metadata":    t.Metadata,
-		"upload":      t.UploadTotal.Load(),
-		"download":    t.DownloadTotal.Load(),
-		"start":       t.Start,
+		"id": t.ID,
+		"metadata": map[string]any{
+			"network":         t.Metadata.Network,
+			"type":            inbound,
+			"sourceIP":        t.Metadata.Source.Addr,
+			"destinationIP":   t.Metadata.Destination.Addr,
+			"sourcePort":      t.Metadata.Source.Port,
+			"destinationPort": t.Metadata.Destination.Port,
+			"host":            domain,
+			"dnsMode":         "normal",
+			"processPath":     processPath,
+		},
+		"upload":      t.Upload.Load(),
+		"download":    t.Download.Load(),
+		"start":       t.CreatedAt,
 		"chains":      t.Chain,
-		"rule":        t.Rule,
-		"rulePayload": t.RulePayload,
+		"rule":        rule,
+		"rulePayload": "",
 	})
 }

-type tcpTracker struct {
-	N.ExtendedConn `json:"-"`
-	*trackerInfo
-	manager *Manager
+type Tracker interface {
+	adapter.Tracker
+	Metadata() TrackerMetadata
+	Close() error
 }

-func (tt *tcpTracker) ID() string {
-	return tt.UUID.String()
+type TCPConn struct {
+	N.ExtendedConn
+	metadata TrackerMetadata
+	manager  *Manager
 }

-func (tt *tcpTracker) Close() error {
+func (tt *TCPConn) Metadata() TrackerMetadata {
+	return tt.metadata
+}
+
+func (tt *TCPConn) Close() error {
 	tt.manager.Leave(tt)
 	return tt.ExtendedConn.Close()
 }

-func (tt *tcpTracker) Leave() {
+func (tt *TCPConn) Leave() {
 	tt.manager.Leave(tt)
 }

-func (tt *tcpTracker) Upstream() any {
+func (tt *TCPConn) Upstream() any {
 	return tt.ExtendedConn
 }

-func (tt *tcpTracker) ReaderReplaceable() bool {
+func (tt *TCPConn) ReaderReplaceable() bool {
 	return true
 }

-func (tt *tcpTracker) WriterReplaceable() bool {
+func (tt *TCPConn) WriterReplaceable() bool {
 	return true
 }

-func NewTCPTracker(conn net.Conn, manager *Manager, metadata Metadata, router adapter.Router, rule adapter.Rule) *tcpTracker {
-	uuid, _ := uuid.NewV4()
-
-	var chain []string
-	var next string
+func NewTCPTracker(conn net.Conn, manager *Manager, metadata adapter.InboundContext, router adapter.Router, rule adapter.Rule) *TCPConn {
+	id, _ := uuid.NewV4()
+	var (
+		chain        []string
+		next         string
+		outbound     string
+		outboundType string
+	)
 	if rule == nil {
 		if defaultOutbound, err := router.DefaultOutbound(N.NetworkTCP); err == nil {
 			next = defaultOutbound.Tag()
@@ -106,17 +144,17 @@ func NewTCPTracker(conn net.Conn, manager *Manager, metadata Metadata, router ad
 		if !loaded {
 			break
 		}
+		outbound = detour.Tag()
+		outboundType = detour.Type()
 		group, isGroup := detour.(adapter.OutboundGroup)
 		if !isGroup {
 			break
 		}
 		next = group.Now()
 	}
-
 	upload := new(atomic.Int64)
 	download := new(atomic.Int64)
-
-	t := &tcpTracker{
+	tracker := &TCPConn{
 		ExtendedConn: bufio.NewCounterConn(conn, []N.CountFunc{func(n int64) {
 			upload.Add(n)
 			manager.PushUploaded(n)
@@ -124,64 +162,62 @@ func NewTCPTracker(conn net.Conn, manager *Manager, metadata Metadata, router ad
 			download.Add(n)
 			manager.PushDownloaded(n)
 		}}),
-		manager: manager,
-		trackerInfo: &trackerInfo{
-			UUID:          uuid,
-			Start:         time.Now(),
-			Metadata:      metadata,
-			Chain:         common.Reverse(chain),
-			Rule:          "",
-			UploadTotal:   upload,
-			DownloadTotal: download,
+		metadata: TrackerMetadata{
+			ID:           id,
+			Metadata:     metadata,
+			CreatedAt:    time.Now(),
+			Upload:       upload,
+			Download:     download,
+			Chain:        common.Reverse(chain),
+			Rule:         rule,
+			Outbound:     outbound,
+			OutboundType: outboundType,
 		},
+		manager: manager,
 	}
-
-	if rule != nil {
-		t.trackerInfo.Rule = rule.String() + " => " + rule.Outbound()
-	} else {
-		t.trackerInfo.Rule = "final"
-	}
-
-	manager.Join(t)
-	return t
+	manager.Join(tracker)
+	return tracker
 }

-type udpTracker struct {
+type UDPConn struct {
 	N.PacketConn `json:"-"`
-	*trackerInfo
-	manager *Manager
+	metadata     TrackerMetadata
+	manager      *Manager
 }

-func (ut *udpTracker) ID() string {
-	return ut.UUID.String()
+func (ut *UDPConn) Metadata() TrackerMetadata {
+	return ut.metadata
 }

-func (ut *udpTracker) Close() error {
+func (ut *UDPConn) Close() error {
 	ut.manager.Leave(ut)
 	return ut.PacketConn.Close()
 }

-func (ut *udpTracker) Leave() {
+func (ut *UDPConn) Leave() {
 	ut.manager.Leave(ut)
 }

-func (ut *udpTracker) Upstream() any {
+func (ut *UDPConn) Upstream() any {
 	return ut.PacketConn
 }

-func (ut *udpTracker) ReaderReplaceable() bool {
+func (ut *UDPConn) ReaderReplaceable() bool {
 	return true
 }

-func (ut *udpTracker) WriterReplaceable() bool {
+func (ut *UDPConn) WriterReplaceable() bool {
 	return true
 }

-func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata Metadata, router adapter.Router, rule adapter.Rule) *udpTracker {
-	uuid, _ := uuid.NewV4()
-
-	var chain []string
-	var next string
+func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata adapter.InboundContext, router adapter.Router, rule adapter.Rule) *UDPConn {
+	id, _ := uuid.NewV4()
+	var (
+		chain        []string
+		next         string
+		outbound     string
+		outboundType string
+	)
 	if rule == nil {
 		if defaultOutbound, err := router.DefaultOutbound(N.NetworkUDP); err == nil {
 			next = defaultOutbound.Tag()
@@ -195,17 +231,17 @@ func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata Metadata, route
 		if !loaded {
 			break
 		}
+		outbound = detour.Tag()
+		outboundType = detour.Type()
 		group, isGroup := detour.(adapter.OutboundGroup)
 		if !isGroup {
 			break
 		}
 		next = group.Now()
 	}
-
 	upload := new(atomic.Int64)
 	download := new(atomic.Int64)
-
-	ut := &udpTracker{
+	trackerConn := &UDPConn{
 		PacketConn: bufio.NewCounterPacketConn(conn, []N.CountFunc{func(n int64) {
 			upload.Add(n)
 			manager.PushUploaded(n)
@@ -213,24 +249,19 @@ func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata Metadata, route
 			download.Add(n)
 			manager.PushDownloaded(n)
 		}}),
-		manager: manager,
-		trackerInfo: &trackerInfo{
-			UUID:          uuid,
-			Start:         time.Now(),
-			Metadata:      metadata,
-			Chain:         common.Reverse(chain),
-			Rule:          "",
-			UploadTotal:   upload,
-			DownloadTotal: download,
+		metadata: TrackerMetadata{
+			ID:           id,
+			Metadata:     metadata,
+			CreatedAt:    time.Now(),
+			Upload:       upload,
+			Download:     download,
+			Chain:        common.Reverse(chain),
+			Rule:         rule,
+			Outbound:     outbound,
+			OutboundType: outboundType,
 		},
+		manager: manager,
 	}
-
-	if rule != nil {
-		ut.trackerInfo.Rule = rule.String() + " => " + rule.Outbound()
-	} else {
-		ut.trackerInfo.Rule = "final"
-	}
-
-	manager.Join(ut)
-	return ut
+	manager.Join(trackerConn)
+	return trackerConn
 }
--- a/experimental/libbox/command.go
+++ b/experimental/libbox/command.go
@@ -14,4 +14,6 @@ const (
 	CommandSetClashMode
 	CommandGetSystemProxyStatus
 	CommandSetSystemProxyEnabled
+	CommandConnections
+	CommandCloseConnection
 )
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -31,6 +31,7 @@ type CommandClientHandler interface {
 	WriteGroups(message OutboundGroupIterator)
 	InitializeClashMode(modeList StringIterator, currentMode string)
 	UpdateClashMode(newMode string)
+	WriteConnections(message *Connections)
 }

 func NewStandaloneCommandClient() *CommandClient {
@@ -116,6 +117,13 @@ func (c *CommandClient) Connect() error {
 			return nil
 		}
 		go c.handleModeConn(conn)
+	case CommandConnections:
+		err = binary.Write(conn, binary.BigEndian, c.options.StatusInterval)
+		if err != nil {
+			return E.Cause(err, "write interval")
+		}
+		c.handler.Connected()
+		go c.handleConnectionsConn(conn)
 	}
 	return nil
 }
--- a/experimental/libbox/command_close_connection.go
+++ b/experimental/libbox/command_close_connection.go
@@ -0,0 +1,53 @@
+package libbox
+
+import (
+	"bufio"
+	"net"
+
+	"github.com/sagernet/sing-box/experimental/clashapi"
+	"github.com/sagernet/sing/common/binary"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"github.com/gofrs/uuid/v5"
+)
+
+func (c *CommandClient) CloseConnection(connId string) error {
+	conn, err := c.directConnect()
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	writer := bufio.NewWriter(conn)
+	err = binary.WriteData(writer, binary.BigEndian, connId)
+	if err != nil {
+		return err
+	}
+	err = writer.Flush()
+	if err != nil {
+		return err
+	}
+	return readError(conn)
+}
+
+func (s *CommandServer) handleCloseConnection(conn net.Conn) error {
+	reader := bufio.NewReader(conn)
+	var connId string
+	err := binary.ReadData(reader, binary.BigEndian, &connId)
+	if err != nil {
+		return E.Cause(err, "read connection id")
+	}
+	service := s.service
+	if service == nil {
+		return writeError(conn, E.New("service not ready"))
+	}
+	clashServer := service.instance.Router().ClashServer()
+	if clashServer == nil {
+		return writeError(conn, E.New("Clash API disabled"))
+	}
+	targetConn := clashServer.(*clashapi.Server).TrafficManager().Connection(uuid.FromStringOrNil(connId))
+	if targetConn == nil {
+		return writeError(conn, E.New("connection already closed"))
+	}
+	targetConn.Close()
+	return writeError(conn, nil)
+}
--- a/experimental/libbox/command_connections.go
+++ b/experimental/libbox/command_connections.go
@@ -0,0 +1,268 @@
+package libbox
+
+import (
+	"bufio"
+	"net"
+	"slices"
+	"strings"
+	"time"
+
+	"github.com/sagernet/sing-box/experimental/clashapi"
+	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
+	"github.com/sagernet/sing/common/binary"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+
+	"github.com/gofrs/uuid/v5"
+)
+
+func (c *CommandClient) handleConnectionsConn(conn net.Conn) {
+	defer conn.Close()
+	reader := bufio.NewReader(conn)
+	var connections Connections
+	for {
+		err := binary.ReadData(reader, binary.BigEndian, &connections.connections)
+		if err != nil {
+			c.handler.Disconnected(err.Error())
+			return
+		}
+		c.handler.WriteConnections(&connections)
+	}
+}
+
+func (s *CommandServer) handleConnectionsConn(conn net.Conn) error {
+	var interval int64
+	err := binary.Read(conn, binary.BigEndian, &interval)
+	if err != nil {
+		return E.Cause(err, "read interval")
+	}
+	ticker := time.NewTicker(time.Duration(interval))
+	defer ticker.Stop()
+	ctx := connKeepAlive(conn)
+	var trafficManager *trafficontrol.Manager
+	for {
+		service := s.service
+		if service != nil {
+			clashServer := service.instance.Router().ClashServer()
+			if clashServer == nil {
+				return E.New("Clash API disabled")
+			}
+			trafficManager = clashServer.(*clashapi.Server).TrafficManager()
+			break
+		}
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+		}
+	}
+	var (
+		connections    = make(map[uuid.UUID]*Connection)
+		outConnections []Connection
+	)
+	writer := bufio.NewWriter(conn)
+	for {
+		outConnections = outConnections[:0]
+		for _, connection := range trafficManager.Connections() {
+			outConnections = append(outConnections, newConnection(connections, connection, false))
+		}
+		for _, connection := range trafficManager.ClosedConnections() {
+			outConnections = append(outConnections, newConnection(connections, connection, true))
+		}
+		err = binary.WriteData(writer, binary.BigEndian, outConnections)
+		if err != nil {
+			return err
+		}
+		err = writer.Flush()
+		if err != nil {
+			return err
+		}
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+		}
+	}
+}
+
+const (
+	ConnectionStateAll = iota
+	ConnectionStateActive
+	ConnectionStateClosed
+)
+
+type Connections struct {
+	connections         []Connection
+	filteredConnections []Connection
+	outConnections      *[]Connection
+}
+
+func (c *Connections) FilterState(state int32) {
+	c.filteredConnections = c.filteredConnections[:0]
+	switch state {
+	case ConnectionStateAll:
+		c.filteredConnections = append(c.filteredConnections, c.connections...)
+	case ConnectionStateActive:
+		for _, connection := range c.connections {
+			if connection.ClosedAt == 0 {
+				c.filteredConnections = append(c.filteredConnections, connection)
+			}
+		}
+	case ConnectionStateClosed:
+		for _, connection := range c.connections {
+			if connection.ClosedAt != 0 {
+				c.filteredConnections = append(c.filteredConnections, connection)
+			}
+		}
+	}
+}
+
+func (c *Connections) SortByDate() {
+	slices.SortStableFunc(c.filteredConnections, func(x, y Connection) int {
+		if x.CreatedAt < y.CreatedAt {
+			return 1
+		} else if x.CreatedAt > y.CreatedAt {
+			return -1
+		} else {
+			return strings.Compare(y.ID, x.ID)
+		}
+	})
+}
+
+func (c *Connections) SortByTraffic() {
+	slices.SortStableFunc(c.filteredConnections, func(x, y Connection) int {
+		xTraffic := x.Uplink + x.Downlink
+		yTraffic := y.Uplink + y.Downlink
+		if xTraffic < yTraffic {
+			return 1
+		} else if xTraffic > yTraffic {
+			return -1
+		} else {
+			return strings.Compare(y.ID, x.ID)
+		}
+	})
+}
+
+func (c *Connections) SortByTrafficTotal() {
+	slices.SortStableFunc(c.filteredConnections, func(x, y Connection) int {
+		xTraffic := x.UplinkTotal + x.DownlinkTotal
+		yTraffic := y.UplinkTotal + y.DownlinkTotal
+		if xTraffic < yTraffic {
+			return 1
+		} else if xTraffic > yTraffic {
+			return -1
+		} else {
+			return strings.Compare(y.ID, x.ID)
+		}
+	})
+}
+
+func (c *Connections) Iterator() ConnectionIterator {
+	return newPtrIterator(c.filteredConnections)
+}
+
+type Connection struct {
+	ID            string
+	Inbound       string
+	InboundType   string
+	IPVersion     int32
+	Network       string
+	Source        string
+	Destination   string
+	Domain        string
+	Protocol      string
+	User          string
+	FromOutbound  string
+	CreatedAt     int64
+	ClosedAt      int64
+	Uplink        int64
+	Downlink      int64
+	UplinkTotal   int64
+	DownlinkTotal int64
+	Rule          string
+	Outbound      string
+	OutboundType  string
+	ChainList     []string
+}
+
+func (c *Connection) Chain() StringIterator {
+	return newIterator(c.ChainList)
+}
+
+func (c *Connection) DisplayDestination() string {
+	destination := M.ParseSocksaddr(c.Destination)
+	if destination.IsIP() && c.Domain != "" {
+		destination = M.Socksaddr{
+			Fqdn: c.Domain,
+			Port: destination.Port,
+		}
+		return destination.String()
+	}
+	return c.Destination
+}
+
+type ConnectionIterator interface {
+	Next() *Connection
+	HasNext() bool
+}
+
+func newConnection(connections map[uuid.UUID]*Connection, metadata trafficontrol.TrackerMetadata, isClosed bool) Connection {
+	if oldConnection, loaded := connections[metadata.ID]; loaded {
+		if isClosed {
+			if oldConnection.ClosedAt == 0 {
+				oldConnection.Uplink = 0
+				oldConnection.Downlink = 0
+				oldConnection.ClosedAt = metadata.ClosedAt.UnixMilli()
+			}
+			return *oldConnection
+		}
+		lastUplink := oldConnection.UplinkTotal
+		lastDownlink := oldConnection.DownlinkTotal
+		uplinkTotal := metadata.Upload.Load()
+		downlinkTotal := metadata.Download.Load()
+		oldConnection.Uplink = uplinkTotal - lastUplink
+		oldConnection.Downlink = downlinkTotal - lastDownlink
+		oldConnection.UplinkTotal = uplinkTotal
+		oldConnection.DownlinkTotal = downlinkTotal
+		return *oldConnection
+	}
+	var rule string
+	if metadata.Rule != nil {
+		rule = metadata.Rule.String()
+	}
+	uplinkTotal := metadata.Upload.Load()
+	downlinkTotal := metadata.Download.Load()
+	uplink := uplinkTotal
+	downlink := downlinkTotal
+	var closedAt int64
+	if !metadata.ClosedAt.IsZero() {
+		closedAt = metadata.ClosedAt.UnixMilli()
+		uplink = 0
+		downlink = 0
+	}
+	connection := Connection{
+		ID:            metadata.ID.String(),
+		Inbound:       metadata.Metadata.Inbound,
+		InboundType:   metadata.Metadata.InboundType,
+		IPVersion:     int32(metadata.Metadata.IPVersion),
+		Network:       metadata.Metadata.Network,
+		Source:        metadata.Metadata.Source.String(),
+		Destination:   metadata.Metadata.Destination.String(),
+		Domain:        metadata.Metadata.Domain,
+		Protocol:      metadata.Metadata.Protocol,
+		User:          metadata.Metadata.User,
+		FromOutbound:  metadata.Metadata.Outbound,
+		CreatedAt:     metadata.CreatedAt.UnixMilli(),
+		ClosedAt:      closedAt,
+		Uplink:        uplink,
+		Downlink:      downlink,
+		UplinkTotal:   uplinkTotal,
+		DownlinkTotal: downlinkTotal,
+		Rule:          rule,
+		Outbound:      metadata.Outbound,
+		OutboundType:  metadata.OutboundType,
+		ChainList:     metadata.Chain,
+	}
+	connections[metadata.ID] = &connection
+	return connection
+}
--- a/experimental/libbox/command_group.go
+++ b/experimental/libbox/command_group.go
@@ -14,36 +14,6 @@ import (
 	"github.com/sagernet/sing/service"
 )

-type OutboundGroup struct {
-	Tag        string
-	Type       string
-	Selectable bool
-	Selected   string
-	IsExpand   bool
-	items      []*OutboundGroupItem
-}
-
-func (g *OutboundGroup) GetItems() OutboundGroupItemIterator {
-	return newIterator(g.items)
-}
-
-type OutboundGroupIterator interface {
-	Next() *OutboundGroup
-	HasNext() bool
-}
-
-type OutboundGroupItem struct {
-	Tag          string
-	Type         string
-	URLTestTime  int64
-	URLTestDelay int32
-}
-
-type OutboundGroupItemIterator interface {
-	Next() *OutboundGroupItem
-	HasNext() bool
-}
-
 func (c *CommandClient) handleGroupConn(conn net.Conn) {
 	defer conn.Close()

@@ -92,6 +62,36 @@ func (s *CommandServer) handleGroupConn(conn net.Conn) error {
 	}
 }

+type OutboundGroup struct {
+	Tag        string
+	Type       string
+	Selectable bool
+	Selected   string
+	IsExpand   bool
+	items      []*OutboundGroupItem
+}
+
+func (g *OutboundGroup) GetItems() OutboundGroupItemIterator {
+	return newIterator(g.items)
+}
+
+type OutboundGroupIterator interface {
+	Next() *OutboundGroup
+	HasNext() bool
+}
+
+type OutboundGroupItem struct {
+	Tag          string
+	Type         string
+	URLTestTime  int64
+	URLTestDelay int32
+}
+
+type OutboundGroupItemIterator interface {
+	Next() *OutboundGroupItem
+	HasNext() bool
+}
+
 func readGroups(reader io.Reader) (OutboundGroupIterator, error) {
 	var groupLength uint16
 	err := binary.Read(reader, binary.BigEndian, &groupLength)
--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@@ -33,6 +33,8 @@ type CommandServer struct {
 	urlTestUpdate chan struct{}
 	modeUpdate    chan struct{}
 	logReset      chan struct{}
+
+	closedConnections []Connection
 }

 type CommandServerHandler interface {
@@ -176,6 +178,10 @@ func (s *CommandServer) handleConnection(conn net.Conn) error {
 		return s.handleGetSystemProxyStatus(conn)
 	case CommandSetSystemProxyEnabled:
 		return s.handleSetSystemProxyEnabled(conn)
+	case CommandConnections:
+		return s.handleConnectionsConn(conn)
+	case CommandCloseConnection:
+		return s.handleCloseConnection(conn)
 	default:
 		return E.New("unknown command: ", command)
 	}
--- a/experimental/libbox/command_status.go
+++ b/experimental/libbox/command_status.go
@@ -36,7 +36,7 @@ func (s *CommandServer) readStatus() StatusMessage {
 			trafficManager := clashServer.(*clashapi.Server).TrafficManager()
 			message.Uplink, message.Downlink = trafficManager.Now()
 			message.UplinkTotal, message.DownlinkTotal = trafficManager.Total()
-			message.ConnectionsIn = int32(trafficManager.Connections())
+			message.ConnectionsIn = int32(trafficManager.ConnectionsLen())
 		}
 	}

--- a/experimental/libbox/iterator.go
+++ b/experimental/libbox/iterator.go
@@ -17,6 +17,10 @@ func newIterator[T any](values []T) *iterator[T] {
 	return &iterator[T]{values}
 }

+func newPtrIterator[T any](values []T) *iterator[*T] {
+	return &iterator[*T]{common.Map(values, func(value T) *T { return &value })}
+}
+
 func (i *iterator[T]) Next() T {
 	if len(i.values) == 0 {
 		return common.DefaultValue[T]()
--- a/experimental/libbox/service.go
+++ b/experimental/libbox/service.go
@@ -149,33 +149,6 @@ func (w *platformInterfaceWrapper) OpenTun(options *tun.Options, platformOptions
 	return tun.New(*options)
 }

-func (w *platformInterfaceWrapper) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*process.Info, error) {
-	var uid int32
-	if w.useProcFS {
-		uid = procfs.ResolveSocketByProcSearch(network, source, destination)
-		if uid == -1 {
-			return nil, E.New("procfs: not found")
-		}
-	} else {
-		var ipProtocol int32
-		switch N.NetworkName(network) {
-		case N.NetworkTCP:
-			ipProtocol = syscall.IPPROTO_TCP
-		case N.NetworkUDP:
-			ipProtocol = syscall.IPPROTO_UDP
-		default:
-			return nil, E.New("unknown network: ", network)
-		}
-		var err error
-		uid, err = w.iif.FindConnectionOwner(ipProtocol, source.Addr().String(), int32(source.Port()), destination.Addr().String(), int32(destination.Port()))
-		if err != nil {
-			return nil, err
-		}
-	}
-	packageName, _ := w.iif.PackageNameByUid(uid)
-	return &process.Info{UserId: uid, PackageName: packageName}, nil
-}
-
 func (w *platformInterfaceWrapper) UsePlatformDefaultInterfaceMonitor() bool {
 	return w.iif.UsePlatformDefaultInterfaceMonitor()
 }
@@ -229,6 +202,33 @@ func (w *platformInterfaceWrapper) ReadWIFIState() adapter.WIFIState {
 	return (adapter.WIFIState)(*wifiState)
 }

+func (w *platformInterfaceWrapper) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*process.Info, error) {
+	var uid int32
+	if w.useProcFS {
+		uid = procfs.ResolveSocketByProcSearch(network, source, destination)
+		if uid == -1 {
+			return nil, E.New("procfs: not found")
+		}
+	} else {
+		var ipProtocol int32
+		switch N.NetworkName(network) {
+		case N.NetworkTCP:
+			ipProtocol = syscall.IPPROTO_TCP
+		case N.NetworkUDP:
+			ipProtocol = syscall.IPPROTO_UDP
+		default:
+			return nil, E.New("unknown network: ", network)
+		}
+		var err error
+		uid, err = w.iif.FindConnectionOwner(ipProtocol, source.Addr().String(), int32(source.Port()), destination.Addr().String(), int32(destination.Port()))
+		if err != nil {
+			return nil, err
+		}
+	}
+	packageName, _ := w.iif.PackageNameByUid(uid)
+	return &process.Info{UserId: uid, PackageName: packageName}, nil
+}
+
 func (w *platformInterfaceWrapper) DisableColors() bool {
 	return runtime.GOOS != "android"
 }
--- a/experimental/libbox/setup.go
+++ b/experimental/libbox/setup.go
@@ -4,10 +4,12 @@ import (
 	"os"
 	"os/user"
 	"strconv"
+	"time"

 	"github.com/sagernet/sing-box/common/humanize"
 	C "github.com/sagernet/sing-box/constant"
 	_ "github.com/sagernet/sing-box/include"
+	"github.com/sagernet/sing-box/log"
 )

 var (
@@ -59,6 +61,10 @@ func FormatMemoryBytes(length int64) string {
 	return humanize.MemoryBytes(uint64(length))
 }

+func FormatDuration(duration int64) string {
+	return log.FormatDuration(time.Duration(duration) * time.Millisecond)
+}
+
 func ProxyDisplayType(proxyType string) string {
 	return C.ProxyDisplayName(proxyType)
 }
--- a/go.mod
+++ b/go.mod
@@ -26,14 +26,14 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f
 	github.com/sagernet/quic-go v0.45.0-beta.2
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.5.0-alpha.9
+	github.com/sagernet/sing v0.5.0-alpha.11
 	github.com/sagernet/sing-dns v0.3.0-beta.5
 	github.com/sagernet/sing-mux v0.2.0
 	github.com/sagernet/sing-quic v0.2.0-beta.9
 	github.com/sagernet/sing-shadowsocks v0.2.6
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/sing-tun v0.4.0-beta.8
+	github.com/sagernet/sing-tun v0.4.0-beta.9.0.20240616073727-85f5f2dd587d
 	github.com/sagernet/sing-vmess v0.1.8
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6
@@ -81,14 +81,14 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
-	github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba // indirect
-	github.com/sagernet/nftables v0.3.0-beta.2 // indirect
+	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a // indirect
+	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 // indirect
+	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect
 	golang.org/x/mod v0.18.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
 	golang.org/x/text v0.16.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -104,17 +104,17 @@ github.com/sagernet/gomobile v0.1.3 h1:ohjIb1Ou2+1558PnZour3od69suSuvkdSVOlO1tC4
 github.com/sagernet/gomobile v0.1.3/go.mod h1:Pqq2+ZVvs10U7xK+UwJgwYWUykewi8H6vlslAO73n9E=
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y/6ZHJWrnNLoiNnSJaow6DPb8VW2I=
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
-github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba h1:EY5AS7CCtfmARNv2zXUOrsEMPFDGYxaw65JzA2p51Vk=
-github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/nftables v0.3.0-beta.2 h1:yKqMl4Dpb6nKxAmlE6fXjJRlLO2c1f2wyNFBg4hBr8w=
-github.com/sagernet/nftables v0.3.0-beta.2/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
+github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZNjr6sGeT00J8uU7JF4cNUdb44/Duis=
+github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
+github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I=
+github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
 github.com/sagernet/quic-go v0.45.0-beta.2 h1:nWq9KJTR+cGU8UU4E20XNjdM6QgbLkBgpq+NCExg5RY=
 github.com/sagernet/quic-go v0.45.0-beta.2/go.mod h1:rs3XCo3SQ2sB96NtaKnEyq+ZkyaKWL51BvIW3veaiWw=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.5.0-alpha.9 h1:Mmg+LCbaKXBeQD/ttzi0/MQa3NcUyfadIgkGzhQW7o0=
-github.com/sagernet/sing v0.5.0-alpha.9/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.5.0-alpha.11 h1:4nR9hv3Thxb16tdMY8eQ3xNqyvqGV2gLCwiTht6TkD8=
+github.com/sagernet/sing v0.5.0-alpha.11/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-dns v0.3.0-beta.5 h1:lX+wfnBVaOlSd7+GBgb431Tt/gmYwJXSHvS1HutfnD4=
 github.com/sagernet/sing-dns v0.3.0-beta.5/go.mod h1:qeO/lOUK/c3Zczp5a1VO13fbmolaM8xGKCUXtaX0/NQ=
 github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
@@ -127,8 +127,8 @@ github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wK
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.4.0-beta.8 h1:3FM7KpE3kmTj7aA9LYtn82pBAFHIrk2O1b84lpx/5ns=
-github.com/sagernet/sing-tun v0.4.0-beta.8/go.mod h1:uoRiCzWHzHLw/angVqXDzUNiQcMRl/ZrElJryQLJFhY=
+github.com/sagernet/sing-tun v0.4.0-beta.9.0.20240616073727-85f5f2dd587d h1:ppBKR8H4x64nbtselcGdGOrIMJUIXQL135s5tNUcQMQ=
+github.com/sagernet/sing-tun v0.4.0-beta.9.0.20240616073727-85f5f2dd587d/go.mod h1:YgaSM4cm+YIn6erBZN/eF+sW7I27BfBt91EWGo53MME=
 github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
 github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
@@ -172,8 +172,8 @@ golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaE
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
-golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 h1:LoYXNGAShUG3m/ehNk4iFctuhGX/+R1ZpfJ4/ia80JM=
-golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI=
+golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY=
+golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI=
 golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
 golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
--- a/inbound/builder.go
+++ b/inbound/builder.go
@@ -11,43 +11,43 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 )

-func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.Inbound, platformInterface platform.Interface) (adapter.Inbound, error) {
+func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.Inbound, platformInterface platform.Interface) (adapter.Inbound, error) {
 	if options.Type == "" {
 		return nil, E.New("missing inbound type")
 	}
 	switch options.Type {
 	case C.TypeTun:
-		return NewTun(ctx, router, logger, options.Tag, options.TunOptions, platformInterface)
+		return NewTun(ctx, router, logger, tag, options.TunOptions, platformInterface)
 	case C.TypeRedirect:
-		return NewRedirect(ctx, router, logger, options.Tag, options.RedirectOptions), nil
+		return NewRedirect(ctx, router, logger, tag, options.RedirectOptions), nil
 	case C.TypeTProxy:
-		return NewTProxy(ctx, router, logger, options.Tag, options.TProxyOptions), nil
+		return NewTProxy(ctx, router, logger, tag, options.TProxyOptions), nil
 	case C.TypeDirect:
-		return NewDirect(ctx, router, logger, options.Tag, options.DirectOptions), nil
+		return NewDirect(ctx, router, logger, tag, options.DirectOptions), nil
 	case C.TypeSOCKS:
-		return NewSocks(ctx, router, logger, options.Tag, options.SocksOptions), nil
+		return NewSocks(ctx, router, logger, tag, options.SocksOptions), nil
 	case C.TypeHTTP:
-		return NewHTTP(ctx, router, logger, options.Tag, options.HTTPOptions)
+		return NewHTTP(ctx, router, logger, tag, options.HTTPOptions)
 	case C.TypeMixed:
-		return NewMixed(ctx, router, logger, options.Tag, options.MixedOptions), nil
+		return NewMixed(ctx, router, logger, tag, options.MixedOptions), nil
 	case C.TypeShadowsocks:
-		return NewShadowsocks(ctx, router, logger, options.Tag, options.ShadowsocksOptions)
+		return NewShadowsocks(ctx, router, logger, tag, options.ShadowsocksOptions)
 	case C.TypeVMess:
-		return NewVMess(ctx, router, logger, options.Tag, options.VMessOptions)
+		return NewVMess(ctx, router, logger, tag, options.VMessOptions)
 	case C.TypeTrojan:
-		return NewTrojan(ctx, router, logger, options.Tag, options.TrojanOptions)
+		return NewTrojan(ctx, router, logger, tag, options.TrojanOptions)
 	case C.TypeNaive:
-		return NewNaive(ctx, router, logger, options.Tag, options.NaiveOptions)
+		return NewNaive(ctx, router, logger, tag, options.NaiveOptions)
 	case C.TypeHysteria:
-		return NewHysteria(ctx, router, logger, options.Tag, options.HysteriaOptions)
+		return NewHysteria(ctx, router, logger, tag, options.HysteriaOptions)
 	case C.TypeShadowTLS:
-		return NewShadowTLS(ctx, router, logger, options.Tag, options.ShadowTLSOptions)
+		return NewShadowTLS(ctx, router, logger, tag, options.ShadowTLSOptions)
 	case C.TypeVLESS:
-		return NewVLESS(ctx, router, logger, options.Tag, options.VLESSOptions)
+		return NewVLESS(ctx, router, logger, tag, options.VLESSOptions)
 	case C.TypeTUIC:
-		return NewTUIC(ctx, router, logger, options.Tag, options.TUICOptions)
+		return NewTUIC(ctx, router, logger, tag, options.TUICOptions)
 	case C.TypeHysteria2:
-		return NewHysteria2(ctx, router, logger, options.Tag, options.Hysteria2Options)
+		return NewHysteria2(ctx, router, logger, tag, options.Hysteria2Options)
 	default:
 		return nil, E.New("unknown inbound type: ", options.Type)
 	}
--- a/inbound/tun.go
+++ b/inbound/tun.go
@@ -3,6 +3,7 @@ package inbound
 import (
 	"context"
 	"net"
+	"net/netip"
 	"os"
 	"strconv"
 	"strings"
@@ -20,28 +21,91 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ranges"
+	"github.com/sagernet/sing/common/x/list"
+
+	"go4.org/netipx"
 )

 var _ adapter.Inbound = (*Tun)(nil)

 type Tun struct {
-	tag                    string
-	ctx                    context.Context
-	router                 adapter.Router
-	logger                 log.ContextLogger
-	inboundOptions         option.InboundOptions
-	tunOptions             tun.Options
-	endpointIndependentNat bool
-	udpTimeout             int64
-	stack                  string
-	tunIf                  tun.Tun
-	tunStack               tun.Stack
-	platformInterface      platform.Interface
-	platformOptions        option.TunPlatformOptions
-	autoRedirect           tun.AutoRedirect
+	tag                         string
+	ctx                         context.Context
+	router                      adapter.Router
+	logger                      log.ContextLogger
+	inboundOptions              option.InboundOptions
+	tunOptions                  tun.Options
+	endpointIndependentNat      bool
+	udpTimeout                  int64
+	stack                       string
+	tunIf                       tun.Tun
+	tunStack                    tun.Stack
+	platformInterface           platform.Interface
+	platformOptions             option.TunPlatformOptions
+	autoRedirect                tun.AutoRedirect
+	routeRuleSet                []adapter.RuleSet
+	routeRuleSetCallback        []*list.Element[adapter.RuleSetUpdateCallback]
+	routeExcludeRuleSet         []adapter.RuleSet
+	routeExcludeRuleSetCallback []*list.Element[adapter.RuleSetUpdateCallback]
+	routeAddressSet             []*netipx.IPSet
+	routeExcludeAddressSet      []*netipx.IPSet
 }

 func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunInboundOptions, platformInterface platform.Interface) (*Tun, error) {
+	address := options.Address
+	//nolint:staticcheck
+	//goland:noinspection GoDeprecation
+	if len(options.Inet4Address) > 0 {
+		address = append(address, options.Inet4Address...)
+	}
+	//nolint:staticcheck
+	//goland:noinspection GoDeprecation
+	if len(options.Inet6Address) > 0 {
+		address = append(address, options.Inet6Address...)
+	}
+	inet4Address := common.Filter(address, func(it netip.Prefix) bool {
+		return it.Addr().Is4()
+	})
+	inet6Address := common.Filter(address, func(it netip.Prefix) bool {
+		return it.Addr().Is6()
+	})
+
+	routeAddress := options.RouteAddress
+	//nolint:staticcheck
+	//goland:noinspection GoDeprecation
+	if len(options.Inet4RouteAddress) > 0 {
+		routeAddress = append(routeAddress, options.Inet4RouteAddress...)
+	}
+	//nolint:staticcheck
+	//goland:noinspection GoDeprecation
+	if len(options.Inet6RouteAddress) > 0 {
+		routeAddress = append(routeAddress, options.Inet6RouteAddress...)
+	}
+	inet4RouteAddress := common.Filter(routeAddress, func(it netip.Prefix) bool {
+		return it.Addr().Is4()
+	})
+	inet6RouteAddress := common.Filter(routeAddress, func(it netip.Prefix) bool {
+		return it.Addr().Is6()
+	})
+
+	routeExcludeAddress := options.RouteExcludeAddress
+	//nolint:staticcheck
+	//goland:noinspection GoDeprecation
+	if len(options.Inet4RouteExcludeAddress) > 0 {
+		routeExcludeAddress = append(routeExcludeAddress, options.Inet4RouteExcludeAddress...)
+	}
+	//nolint:staticcheck
+	//goland:noinspection GoDeprecation
+	if len(options.Inet6RouteExcludeAddress) > 0 {
+		routeExcludeAddress = append(routeExcludeAddress, options.Inet6RouteExcludeAddress...)
+	}
+	inet4RouteExcludeAddress := common.Filter(routeExcludeAddress, func(it netip.Prefix) bool {
+		return it.Addr().Is4()
+	})
+	inet6RouteExcludeAddress := common.Filter(routeExcludeAddress, func(it netip.Prefix) bool {
+		return it.Addr().Is6()
+	})
+
 	tunMTU := options.MTU
 	if tunMTU == 0 {
 		tunMTU = 9000
@@ -68,6 +132,23 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		}
 	}

+	tableIndex := options.IPRoute2TableIndex
+	if tableIndex == 0 {
+		tableIndex = tun.DefaultIPRoute2TableIndex
+	}
+	ruleIndex := options.IPRoute2RuleIndex
+	if ruleIndex == 0 {
+		ruleIndex = tun.DefaultIPRoute2RuleIndex
+	}
+	inputMark := options.AutoRedirectInputMark
+	if inputMark == 0 {
+		inputMark = tun.DefaultAutoRedirectInputMark
+	}
+	outputMark := options.AutoRedirectOutputMark
+	if outputMark == 0 {
+		outputMark = tun.DefaultAutoRedirectOutputMark
+	}
+
 	inbound := &Tun{
 		tag:            tag,
 		ctx:            ctx,
@@ -78,23 +159,26 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 			Name:                     options.InterfaceName,
 			MTU:                      tunMTU,
 			GSO:                      options.GSO,
-			Inet4Address:             options.Inet4Address,
-			Inet6Address:             options.Inet6Address,
+			Inet4Address:             inet4Address,
+			Inet6Address:             inet6Address,
 			AutoRoute:                options.AutoRoute,
+			IPRoute2TableIndex:       tableIndex,
+			IPRoute2RuleIndex:        ruleIndex,
+			AutoRedirectInputMark:    inputMark,
+			AutoRedirectOutputMark:   outputMark,
 			StrictRoute:              options.StrictRoute,
 			IncludeInterface:         options.IncludeInterface,
 			ExcludeInterface:         options.ExcludeInterface,
-			Inet4RouteAddress:        options.Inet4RouteAddress,
-			Inet6RouteAddress:        options.Inet6RouteAddress,
-			Inet4RouteExcludeAddress: options.Inet4RouteExcludeAddress,
-			Inet6RouteExcludeAddress: options.Inet6RouteExcludeAddress,
+			Inet4RouteAddress:        inet4RouteAddress,
+			Inet6RouteAddress:        inet6RouteAddress,
+			Inet4RouteExcludeAddress: inet4RouteExcludeAddress,
+			Inet6RouteExcludeAddress: inet6RouteExcludeAddress,
 			IncludeUID:               includeUID,
 			ExcludeUID:               excludeUID,
 			IncludeAndroidUser:       options.IncludeAndroidUser,
 			IncludePackage:           options.IncludePackage,
 			ExcludePackage:           options.ExcludePackage,
 			InterfaceMonitor:         router.InterfaceMonitor(),
-			TableIndex:               2022,
 		},
 		endpointIndependentNat: options.EndpointIndependentNat,
 		udpTimeout:             int64(udpTimeout.Seconds()),
@@ -108,15 +192,45 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		}
 		disableNFTables, dErr := strconv.ParseBool(os.Getenv("DISABLE_NFTABLES"))
 		inbound.autoRedirect, err = tun.NewAutoRedirect(tun.AutoRedirectOptions{
-			TunOptions:      &inbound.tunOptions,
-			Context:         ctx,
-			Handler:         inbound,
-			Logger:          logger,
-			TableName:       "sing-box",
-			DisableNFTables: dErr == nil && disableNFTables,
+			TunOptions:             &inbound.tunOptions,
+			Context:                ctx,
+			Handler:                inbound,
+			Logger:                 logger,
+			NetworkMonitor:         router.NetworkMonitor(),
+			InterfaceFinder:        router.InterfaceFinder(),
+			TableName:              "sing-box",
+			DisableNFTables:        dErr == nil && disableNFTables,
+			RouteAddressSet:        &inbound.routeAddressSet,
+			RouteExcludeAddressSet: &inbound.routeExcludeAddressSet,
 		})
 		if err != nil {
-			return nil, E.Cause(err, "initialize auto redirect")
+			return nil, E.Cause(err, "initialize auto-redirect")
+		}
+		var markMode bool
+		for _, routeAddressSet := range options.RouteAddressSet {
+			ruleSet, loaded := router.RuleSet(routeAddressSet)
+			if !loaded {
+				return nil, E.New("parse route_address_set: rule-set not found: ", routeAddressSet)
+			}
+			ruleSet.IncRef()
+			inbound.routeRuleSet = append(inbound.routeRuleSet, ruleSet)
+			markMode = true
+		}
+		for _, routeExcludeAddressSet := range options.RouteExcludeAddressSet {
+			ruleSet, loaded := router.RuleSet(routeExcludeAddressSet)
+			if !loaded {
+				return nil, E.New("parse route_exclude_address_set: rule-set not found: ", routeExcludeAddressSet)
+			}
+			ruleSet.IncRef()
+			inbound.routeExcludeRuleSet = append(inbound.routeExcludeRuleSet, ruleSet)
+			markMode = true
+		}
+		if markMode {
+			inbound.tunOptions.AutoRedirectMarkMode = true
+			err = router.RegisterAutoRedirectOutputMark(inbound.tunOptions.AutoRedirectOutputMark)
+			if err != nil {
+				return nil, err
+			}
 		}
 	}
 	return inbound, nil
@@ -141,11 +255,11 @@ func parseRange(uidRanges []ranges.Range[uint32], rangeList []string) ([]ranges.
 		}
 		var start, end uint64
 		var err error
-		start, err = strconv.ParseUint(uidRange[:subIndex], 10, 32)
+		start, err = strconv.ParseUint(uidRange[:subIndex], 0, 32)
 		if err != nil {
 			return nil, E.Cause(err, "parse range start")
 		}
-		end, err = strconv.ParseUint(uidRange[subIndex+1:], 10, 32)
+		end, err = strconv.ParseUint(uidRange[subIndex+1:], 0, 32)
 		if err != nil {
 			return nil, E.Cause(err, "parse range end")
 		}
@@ -215,18 +329,43 @@ func (t *Tun) Start() error {
 	if err != nil {
 		return err
 	}
-	if t.autoRedirect != nil {
-		monitor.Start("initiating auto redirect")
-		err = t.autoRedirect.Start()
-		monitor.Finish()
-		if err != nil {
-			return E.Cause(err, "auto redirect")
-		}
-	}
 	t.logger.Info("started at ", t.tunOptions.Name)
 	return nil
 }

+func (t *Tun) PostStart() error {
+	monitor := taskmonitor.New(t.logger, C.StartTimeout)
+	if t.autoRedirect != nil {
+		t.routeAddressSet = common.FlatMap(t.routeRuleSet, adapter.RuleSet.ExtractIPSet)
+		t.routeExcludeAddressSet = common.FlatMap(t.routeExcludeRuleSet, adapter.RuleSet.ExtractIPSet)
+		monitor.Start("initiating auto-redirect")
+		err := t.autoRedirect.Start()
+		monitor.Finish()
+		if err != nil {
+			return E.Cause(err, "auto-redirect")
+		}
+		for _, routeRuleSet := range t.routeRuleSet {
+			t.routeRuleSetCallback = append(t.routeRuleSetCallback, routeRuleSet.RegisterCallback(t.updateRouteAddressSet))
+			routeRuleSet.DecRef()
+		}
+		for _, routeExcludeRuleSet := range t.routeExcludeRuleSet {
+			t.routeExcludeRuleSetCallback = append(t.routeExcludeRuleSetCallback, routeExcludeRuleSet.RegisterCallback(t.updateRouteAddressSet))
+			routeExcludeRuleSet.DecRef()
+		}
+		t.routeAddressSet = nil
+		t.routeExcludeAddressSet = nil
+	}
+	return nil
+}
+
+func (t *Tun) updateRouteAddressSet(it adapter.RuleSet) {
+	t.routeAddressSet = common.FlatMap(t.routeRuleSet, adapter.RuleSet.ExtractIPSet)
+	t.routeExcludeAddressSet = common.FlatMap(t.routeExcludeRuleSet, adapter.RuleSet.ExtractIPSet)
+	t.autoRedirect.UpdateRouteAddressSet()
+	t.routeAddressSet = nil
+	t.routeExcludeAddressSet = nil
+}
+
 func (t *Tun) Close() error {
 	return common.Close(
 		t.tunStack,
--- a/log/format.go
+++ b/log/format.go
@@ -43,7 +43,7 @@ func (f Formatter) Format(ctx context.Context, level Level, tag string, message
 		id, hasId = IDFromContext(ctx)
 	}
 	if hasId {
-		activeDuration := formatDuration(time.Since(id.CreatedAt))
+		activeDuration := FormatDuration(time.Since(id.CreatedAt))
 		if !f.DisableColors {
 			var color aurora.Color
 			color = aurora.Color(uint8(id.ID))
@@ -113,7 +113,7 @@ func (f Formatter) FormatWithSimple(ctx context.Context, level Level, tag string
 		id, hasId = IDFromContext(ctx)
 	}
 	if hasId {
-		activeDuration := formatDuration(time.Since(id.CreatedAt))
+		activeDuration := FormatDuration(time.Since(id.CreatedAt))
 		if !f.DisableColors {
 			var color aurora.Color
 			color = aurora.Color(uint8(id.ID))
@@ -163,7 +163,7 @@ func xd(value int, x int) string {
 	return message
 }

-func formatDuration(duration time.Duration) string {
+func FormatDuration(duration time.Duration) string {
 	if duration < time.Second {
 		return F.ToString(duration.Milliseconds(), "ms")
 	} else if duration < time.Minute {
--- a/option/outbound.go
+++ b/option/outbound.go
@@ -113,7 +113,7 @@ type DialerOptions struct {
 	Inet4BindAddress    *ListenAddress `json:"inet4_bind_address,omitempty"`
 	Inet6BindAddress    *ListenAddress `json:"inet6_bind_address,omitempty"`
 	ProtectPath         string         `json:"protect_path,omitempty"`
-	RoutingMark         int            `json:"routing_mark,omitempty"`
+	RoutingMark         uint32         `json:"routing_mark,omitempty"`
 	ReuseAddr           bool           `json:"reuse_addr,omitempty"`
 	ConnectTimeout      Duration       `json:"connect_timeout,omitempty"`
 	TCPFastOpen         bool           `json:"tcp_fast_open,omitempty"`
--- a/option/route.go
+++ b/option/route.go
@@ -10,7 +10,7 @@ type RouteOptions struct {
 	AutoDetectInterface bool            `json:"auto_detect_interface,omitempty"`
 	OverrideAndroidVPN  bool            `json:"override_android_vpn,omitempty"`
 	DefaultInterface    string          `json:"default_interface,omitempty"`
-	DefaultMark         int             `json:"default_mark,omitempty"`
+	DefaultMark         uint32          `json:"default_mark,omitempty"`
 }

 type GeoIPOptions struct {
--- a/option/tun.go
+++ b/option/tun.go
@@ -3,30 +3,46 @@ package option
 import "net/netip"

 type TunInboundOptions struct {
-	InterfaceName            string                 `json:"interface_name,omitempty"`
-	MTU                      uint32                 `json:"mtu,omitempty"`
-	GSO                      bool                   `json:"gso,omitempty"`
-	Inet4Address             Listable[netip.Prefix] `json:"inet4_address,omitempty"`
-	Inet6Address             Listable[netip.Prefix] `json:"inet6_address,omitempty"`
-	AutoRoute                bool                   `json:"auto_route,omitempty"`
-	AutoRedirect             bool                   `json:"auto_redirect,omitempty"`
-	StrictRoute              bool                   `json:"strict_route,omitempty"`
-	Inet4RouteAddress        Listable[netip.Prefix] `json:"inet4_route_address,omitempty"`
-	Inet6RouteAddress        Listable[netip.Prefix] `json:"inet6_route_address,omitempty"`
-	Inet4RouteExcludeAddress Listable[netip.Prefix] `json:"inet4_route_exclude_address,omitempty"`
-	Inet6RouteExcludeAddress Listable[netip.Prefix] `json:"inet6_route_exclude_address,omitempty"`
-	IncludeInterface         Listable[string]       `json:"include_interface,omitempty"`
-	ExcludeInterface         Listable[string]       `json:"exclude_interface,omitempty"`
-	IncludeUID               Listable[uint32]       `json:"include_uid,omitempty"`
-	IncludeUIDRange          Listable[string]       `json:"include_uid_range,omitempty"`
-	ExcludeUID               Listable[uint32]       `json:"exclude_uid,omitempty"`
-	ExcludeUIDRange          Listable[string]       `json:"exclude_uid_range,omitempty"`
-	IncludeAndroidUser       Listable[int]          `json:"include_android_user,omitempty"`
-	IncludePackage           Listable[string]       `json:"include_package,omitempty"`
-	ExcludePackage           Listable[string]       `json:"exclude_package,omitempty"`
-	EndpointIndependentNat   bool                   `json:"endpoint_independent_nat,omitempty"`
-	UDPTimeout               UDPTimeoutCompat       `json:"udp_timeout,omitempty"`
-	Stack                    string                 `json:"stack,omitempty"`
-	Platform                 *TunPlatformOptions    `json:"platform,omitempty"`
+	InterfaceName          string                 `json:"interface_name,omitempty"`
+	MTU                    uint32                 `json:"mtu,omitempty"`
+	GSO                    bool                   `json:"gso,omitempty"`
+	Address                Listable[netip.Prefix] `json:"address,omitempty"`
+	AutoRoute              bool                   `json:"auto_route,omitempty"`
+	IPRoute2TableIndex     int                    `json:"iproute2_table_index,omitempty"`
+	IPRoute2RuleIndex      int                    `json:"iproute2_rule_index,omitempty"`
+	AutoRedirect           bool                   `json:"auto_redirect,omitempty"`
+	AutoRedirectInputMark  uint32                 `json:"auto_redirect_input_mark,omitempty"`
+	AutoRedirectOutputMark uint32                 `json:"auto_redirect_output_mark,omitempty"`
+	StrictRoute            bool                   `json:"strict_route,omitempty"`
+	RouteAddress           Listable[netip.Prefix] `json:"route_address,omitempty"`
+	RouteAddressSet        Listable[string]       `json:"route_address_set,omitempty"`
+	RouteExcludeAddress    Listable[netip.Prefix] `json:"route_exclude_address,omitempty"`
+	RouteExcludeAddressSet Listable[string]       `json:"route_exclude_address_set,omitempty"`
+	IncludeInterface       Listable[string]       `json:"include_interface,omitempty"`
+	ExcludeInterface       Listable[string]       `json:"exclude_interface,omitempty"`
+	IncludeUID             Listable[uint32]       `json:"include_uid,omitempty"`
+	IncludeUIDRange        Listable[string]       `json:"include_uid_range,omitempty"`
+	ExcludeUID             Listable[uint32]       `json:"exclude_uid,omitempty"`
+	ExcludeUIDRange        Listable[string]       `json:"exclude_uid_range,omitempty"`
+	IncludeAndroidUser     Listable[int]          `json:"include_android_user,omitempty"`
+	IncludePackage         Listable[string]       `json:"include_package,omitempty"`
+	ExcludePackage         Listable[string]       `json:"exclude_package,omitempty"`
+	EndpointIndependentNat bool                   `json:"endpoint_independent_nat,omitempty"`
+	UDPTimeout             UDPTimeoutCompat       `json:"udp_timeout,omitempty"`
+	Stack                  string                 `json:"stack,omitempty"`
+	Platform               *TunPlatformOptions    `json:"platform,omitempty"`
 	InboundOptions
+
+	// Deprecated: merged to Address
+	Inet4Address Listable[netip.Prefix] `json:"inet4_address,omitempty"`
+	// Deprecated: merged to Address
+	Inet6Address Listable[netip.Prefix] `json:"inet6_address,omitempty"`
+	// Deprecated: merged to RouteAddress
+	Inet4RouteAddress Listable[netip.Prefix] `json:"inet4_route_address,omitempty"`
+	// Deprecated: merged to RouteAddress
+	Inet6RouteAddress Listable[netip.Prefix] `json:"inet6_route_address,omitempty"`
+	// Deprecated: merged to RouteExcludeAddress
+	Inet4RouteExcludeAddress Listable[netip.Prefix] `json:"inet4_route_exclude_address,omitempty"`
+	// Deprecated: merged to RouteExcludeAddress
+	Inet6RouteExcludeAddress Listable[netip.Prefix] `json:"inet6_route_exclude_address,omitempty"`
 }
--- a/route/router.go
+++ b/route/router.go
@@ -82,7 +82,8 @@ type Router struct {
 	interfaceFinder                    *control.DefaultInterfaceFinder
 	autoDetectInterface                bool
 	defaultInterface                   string
-	defaultMark                        int
+	defaultMark                        uint32
+	autoRedirectOutputMark             uint32
 	networkMonitor                     tun.NetworkUpdateMonitor
 	interfaceMonitor                   tun.DefaultInterfaceMonitor
 	packageManager                     tun.PackageManager
@@ -531,7 +532,7 @@ func (r *Router) Start() error {
 	r.dnsClient.Start()
 	monitor.Finish()

-	if C.IsAndroid && r.platformInterface == nil {
+	if r.needPackageManager && r.platformInterface == nil {
 		monitor.Start("initialize package manager")
 		packageManager, err := tun.NewPackageManager(r)
 		monitor.Finish()
@@ -724,10 +725,26 @@ func (r *Router) PostStart() error {
 			return E.Cause(err, "initialize rule[", i, "]")
 		}
 	}
+	for _, ruleSet := range r.ruleSets {
+		monitor.Start("post start rule_set[", ruleSet.Name(), "]")
+		err := ruleSet.PostStart()
+		monitor.Finish()
+		if err != nil {
+			return E.Cause(err, "post start rule_set[", ruleSet.Name(), "]")
+		}
+	}
 	r.started = true
 	return nil
 }

+func (r *Router) Cleanup() error {
+	for _, ruleSet := range r.ruleSetMap {
+		ruleSet.Cleanup()
+	}
+	runtime.GC()
+	return nil
+}
+
 func (r *Router) Outbound(tag string) (adapter.Outbound, bool) {
 	outbound, loaded := r.outboundByTag[tag]
 	return outbound, loaded
@@ -1131,11 +1148,23 @@ func (r *Router) AutoDetectInterfaceFunc() control.Func {
 	}
 }

+func (r *Router) RegisterAutoRedirectOutputMark(mark uint32) error {
+	if r.autoRedirectOutputMark > 0 {
+		return E.New("only one auto-redirect can be configured")
+	}
+	r.autoRedirectOutputMark = mark
+	return nil
+}
+
+func (r *Router) AutoRedirectOutputMark() uint32 {
+	return r.autoRedirectOutputMark
+}
+
 func (r *Router) DefaultInterface() string {
 	return r.defaultInterface
 }

-func (r *Router) DefaultMark() int {
+func (r *Router) DefaultMark() uint32 {
 	return r.defaultMark
 }

--- a/route/rule_item_rule_set.go
+++ b/route/rule_item_rule_set.go
@@ -32,6 +32,7 @@ func (r *RuleSetItem) Start() error {
 		if !loaded {
 			return E.New("rule-set not found: ", tag)
 		}
+		ruleSet.IncRef()
 		r.setList = append(r.setList, ruleSet)
 	}
 	return nil
--- a/route/rule_set.go
+++ b/route/rule_set.go
@@ -9,10 +9,13 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+
+	"go4.org/netipx"
 )

 func NewRuleSet(ctx context.Context, router adapter.Router, logger logger.ContextLogger, options option.RuleSet) (adapter.RuleSet, error) {
@@ -26,6 +29,24 @@ func NewRuleSet(ctx context.Context, router adapter.Router, logger logger.Contex
 	}
 }

+func extractIPSetFromRule(rawRule adapter.HeadlessRule) []*netipx.IPSet {
+	switch rule := rawRule.(type) {
+	case *DefaultHeadlessRule:
+		return common.FlatMap(rule.destinationIPCIDRItems, func(rawItem RuleItem) []*netipx.IPSet {
+			switch item := rawItem.(type) {
+			case *IPCIDRItem:
+				return []*netipx.IPSet{item.ipSet}
+			default:
+				return nil
+			}
+		})
+	case *LogicalHeadlessRule:
+		return common.FlatMap(rule.rules, extractIPSetFromRule)
+	default:
+		panic("unexpected rule type")
+	}
+}
+
 var _ adapter.RuleSetStartContext = (*RuleSetStartContext)(nil)

 type RuleSetStartContext struct {
--- a/route/rule_set_local.go
+++ b/route/rule_set_local.go
@@ -9,16 +9,23 @@ import (
 	"github.com/sagernet/sing-box/common/srs"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/atomic"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/x/list"
+
+	"go4.org/netipx"
 )

 var _ adapter.RuleSet = (*LocalRuleSet)(nil)

 type LocalRuleSet struct {
+	tag      string
 	rules    []adapter.HeadlessRule
 	metadata adapter.RuleSetMetadata
+	refs     atomic.Int32
 }

 func NewLocalRuleSet(router adapter.Router, options option.RuleSet) (*LocalRuleSet, error) {
@@ -58,16 +65,11 @@ func NewLocalRuleSet(router adapter.Router, options option.RuleSet) (*LocalRuleS
 	metadata.ContainsProcessRule = hasHeadlessRule(plainRuleSet.Rules, isProcessHeadlessRule)
 	metadata.ContainsWIFIRule = hasHeadlessRule(plainRuleSet.Rules, isWIFIHeadlessRule)
 	metadata.ContainsIPCIDRRule = hasHeadlessRule(plainRuleSet.Rules, isIPCIDRHeadlessRule)
-	return &LocalRuleSet{rules, metadata}, nil
+	return &LocalRuleSet{tag: options.Tag, rules: rules, metadata: metadata}, nil
 }

-func (s *LocalRuleSet) Match(metadata *adapter.InboundContext) bool {
-	for _, rule := range s.rules {
-		if rule.Match(metadata) {
-			return true
-		}
-	}
-	return false
+func (s *LocalRuleSet) Name() string {
+	return s.tag
 }

 func (s *LocalRuleSet) String() string {
@@ -78,10 +80,51 @@ func (s *LocalRuleSet) StartContext(ctx context.Context, startContext adapter.Ru
 	return nil
 }

+func (s *LocalRuleSet) PostStart() error {
+	return nil
+}
+
 func (s *LocalRuleSet) Metadata() adapter.RuleSetMetadata {
 	return s.metadata
 }

-func (s *LocalRuleSet) Close() error {
+func (s *LocalRuleSet) ExtractIPSet() []*netipx.IPSet {
+	return common.FlatMap(s.rules, extractIPSetFromRule)
+}
+
+func (s *LocalRuleSet) IncRef() {
+	s.refs.Add(1)
+}
+
+func (s *LocalRuleSet) DecRef() {
+	if s.refs.Add(-1) < 0 {
+		panic("rule-set: negative refs")
+	}
+}
+
+func (s *LocalRuleSet) Cleanup() {
+	if s.refs.Load() == 0 {
+		s.rules = nil
+	}
+}
+
+func (s *LocalRuleSet) RegisterCallback(callback adapter.RuleSetUpdateCallback) *list.Element[adapter.RuleSetUpdateCallback] {
 	return nil
 }
+
+func (s *LocalRuleSet) UnregisterCallback(element *list.Element[adapter.RuleSetUpdateCallback]) {
+}
+
+func (s *LocalRuleSet) Close() error {
+	s.rules = nil
+	return nil
+}
+
+func (s *LocalRuleSet) Match(metadata *adapter.InboundContext) bool {
+	for _, rule := range s.rules {
+		if rule.Match(metadata) {
+			return true
+		}
+	}
+	return false
+}
--- a/route/rule_set_remote.go
+++ b/route/rule_set_remote.go
@@ -8,20 +8,26 @@ import (
 	"net/http"
 	"runtime"
 	"strings"
+	"sync"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/srs"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/atomic"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
+
+	"go4.org/netipx"
 )

 var _ adapter.RuleSet = (*RemoteRuleSet)(nil)
@@ -40,6 +46,9 @@ type RemoteRuleSet struct {
 	lastEtag       string
 	updateTicker   *time.Ticker
 	pauseManager   pause.Manager
+	callbackAccess sync.Mutex
+	callbacks      list.List[adapter.RuleSetUpdateCallback]
+	refs           atomic.Int32
 }

 func NewRemoteRuleSet(ctx context.Context, router adapter.Router, logger logger.ContextLogger, options option.RuleSet) *RemoteRuleSet {
@@ -61,13 +70,8 @@ func NewRemoteRuleSet(ctx context.Context, router adapter.Router, logger logger.
 	}
 }

-func (s *RemoteRuleSet) Match(metadata *adapter.InboundContext) bool {
-	for _, rule := range s.rules {
-		if rule.Match(metadata) {
-			return true
-		}
-	}
-	return false
+func (s *RemoteRuleSet) Name() string {
+	return s.options.Tag
 }

 func (s *RemoteRuleSet) String() string {
@@ -108,6 +112,10 @@ func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext adapter.R
 		}
 	}
 	s.updateTicker = time.NewTicker(s.updateInterval)
+	return nil
+}
+
+func (s *RemoteRuleSet) PostStart() error {
 	go s.loopUpdate()
 	return nil
 }
@@ -116,6 +124,38 @@ func (s *RemoteRuleSet) Metadata() adapter.RuleSetMetadata {
 	return s.metadata
 }

+func (s *RemoteRuleSet) ExtractIPSet() []*netipx.IPSet {
+	return common.FlatMap(s.rules, extractIPSetFromRule)
+}
+
+func (s *RemoteRuleSet) IncRef() {
+	s.refs.Add(1)
+}
+
+func (s *RemoteRuleSet) DecRef() {
+	if s.refs.Add(-1) < 0 {
+		panic("rule-set: negative refs")
+	}
+}
+
+func (s *RemoteRuleSet) Cleanup() {
+	if s.refs.Load() == 0 {
+		s.rules = nil
+	}
+}
+
+func (s *RemoteRuleSet) RegisterCallback(callback adapter.RuleSetUpdateCallback) *list.Element[adapter.RuleSetUpdateCallback] {
+	s.callbackAccess.Lock()
+	defer s.callbackAccess.Unlock()
+	return s.callbacks.PushBack(callback)
+}
+
+func (s *RemoteRuleSet) UnregisterCallback(element *list.Element[adapter.RuleSetUpdateCallback]) {
+	s.callbackAccess.Lock()
+	defer s.callbackAccess.Unlock()
+	s.callbacks.Remove(element)
+}
+
 func (s *RemoteRuleSet) loadBytes(content []byte) error {
 	var (
 		plainRuleSet option.PlainRuleSet
@@ -148,6 +188,12 @@ func (s *RemoteRuleSet) loadBytes(content []byte) error {
 	s.metadata.ContainsWIFIRule = hasHeadlessRule(plainRuleSet.Rules, isWIFIHeadlessRule)
 	s.metadata.ContainsIPCIDRRule = hasHeadlessRule(plainRuleSet.Rules, isIPCIDRHeadlessRule)
 	s.rules = rules
+	s.callbackAccess.Lock()
+	callbacks := s.callbacks.Array()
+	s.callbackAccess.Unlock()
+	for _, callback := range callbacks {
+		callback(s)
+	}
 	return nil
 }

@@ -156,6 +202,8 @@ func (s *RemoteRuleSet) loopUpdate() {
 		err := s.fetchOnce(s.ctx, nil)
 		if err != nil {
 			s.logger.Error("fetch rule-set ", s.options.Tag, ": ", err)
+		} else if s.refs.Load() == 0 {
+			s.rules = nil
 		}
 	}
 	for {
@@ -168,6 +216,8 @@ func (s *RemoteRuleSet) loopUpdate() {
 			err := s.fetchOnce(s.ctx, nil)
 			if err != nil {
 				s.logger.Error("fetch rule-set ", s.options.Tag, ": ", err)
+			} else if s.refs.Load() == 0 {
+				s.rules = nil
 			}
 		}
 	}
@@ -253,7 +303,17 @@ func (s *RemoteRuleSet) fetchOnce(ctx context.Context, startContext adapter.Rule
 }

 func (s *RemoteRuleSet) Close() error {
+	s.rules = nil
 	s.updateTicker.Stop()
 	s.cancel()
 	return nil
 }
+
+func (s *RemoteRuleSet) Match(metadata *adapter.InboundContext) bool {
+	for _, rule := range s.rules {
+		if rule.Match(metadata) {
+			return true
+		}
+	}
+	return false
+}
Author	SHA1	Message	Date
世界	3ae595dc12	documentation: Bump Version	2024-06-17 16:18:41 +08:00
世界	8e14ae421e	documentation: Update new route address set options	2024-06-17 16:18:21 +08:00
世界	2710e2955d	auto-redirect: Add route address set support for nftables	2024-06-17 16:18:21 +08:00
世界	f827c9882c	Fix hysteria2 test	2024-06-17 13:08:51 +08:00
世界	9ab7b34c21	Update quic-go to v0.44.0	2024-06-17 13:08:51 +08:00
世界	1fb214b4fb	Drop support for go1.18 and go1.19	2024-06-17 13:08:51 +08:00
世界	ab7398db0d	Improve base DNS transports	2024-06-17 13:08:51 +08:00
世界	9e8d2122e6	Add auto-redirect & Improve auto-route	2024-06-17 13:08:35 +08:00
世界	d22c355cfd	platform: Prepare connections list	2024-06-17 13:08:32 +08:00
世界	5d6f138260	Add support for tailing comma in json decoder	2024-06-17 13:08:09 +08:00
iosmanthus	8d8aa9d8e3	Introduce bittorrent related protocol sniffers * Introduce bittorrent related protocol sniffers including, sniffers of 1. BitTorrent Protocol (TCP) 2. uTorrent Transport Protocol (UDP) Signed-off-by: iosmanthus <myosmanthustree@gmail.com> Co-authored-by: 世界 <i@sekai.icu>	2024-06-17 13:06:46 +08:00
renovate[bot]	142ff1b455	[dependencies] Update actions/checkout digest to 692973e	2024-06-17 13:05:54 +08:00
世界	74d662f7a3	Fix always create package manager	2024-06-11 21:16:57 +08:00