documentation: Bump version

documentation: Update DNS manual
dialer: Allow nil router
2026-04-13 20:28:32 +10:00 · 2024-05-03 17:41:59 +08:00 · 2024-05-03 17:41:27 +08:00 · 2024-05-03 17:41:27 +08:00 · 2024-05-03 17:41:27 +08:00 · 2024-05-03 17:41:27 +08:00
56 changed files with 564 additions and 978 deletions
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -33,12 +33,32 @@ jobs:
      - name: Run Test
        run: |
          go test -v ./...
+  build_go118:
+    name: Debug build (Go 1.18)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ~1.18
+      - name: Cache go module
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/go/pkg/mod
+          key: go118-${{ hashFiles('**/go.sum') }}
+      - name: Run Test
+        run: make ci_build_go118
  build_go120:
    name: Debug build (Go 1.20)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -58,7 +78,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -188,7 +208,7 @@ jobs:
      TAGS: with_clash_api,with_quic
    steps:
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -4,35 +4,13 @@ on:
  release:
    types:
      - released
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "The tag version you want to build"
+
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - name: Get commit to build
-        id: ref
-        run: |-
-          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
-            ref="${{ github.ref_name }}"
-          else
-            ref="${{ github.event.inputs.tag }}"
-          fi
-          echo "ref=$ref"
-          echo "ref=$ref" >> $GITHUB_OUTPUT
-          if [[ $ref == *"-"* ]]; then
-            latest=latest-beta
-          else
-            latest=latest
-          fi
-          echo "latest=$latest"
-          echo "latest=$latest" >> $GITHUB_OUTPUT
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
-        with:
-          ref: ${{ steps.ref.outputs.ref }}
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Setup QEMU for Docker Buildx
@@ -52,11 +30,10 @@ jobs:
        uses: docker/build-push-action@v5
        with:
          platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
-          context: .
          target: dist
          build-args: |
            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
          tags: |
-            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.latest }}
-            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.ref }}
+            ghcr.io/sagernet/sing-box:latest
+            ghcr.io/sagernet/sing-box:${{ github.ref_name }}
          push: true
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -30,7 +30,7 @@ jobs:
        with:
          go-version: ^1.22
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v5
        with:
          version: latest
          args: --timeout=30m
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -26,7 +26,7 @@ jobs:
          EOF
          echo "HOME=$HOME" >> "$GITHUB_ENV"
      - name: Publish release
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v5
        with:
          distribution: goreleaser-pro
          version: latest
--- a/.goreleaser.fury.yaml
+++ b/.goreleaser.fury.yaml
@@ -36,6 +36,7 @@ nfpms:
    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
    builds:
      - main
+    vendor: sagernet
    homepage: https://sing-box.sagernet.org/
    maintainer: nekohasekai <contact-git@sekai.icu>
    description: The universal proxy platform.
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -113,6 +113,7 @@ nfpms:
    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
    builds:
      - main
+    vendor: sagernet
    homepage: https://sing-box.sagernet.org/
    maintainer: nekohasekai <contact-git@sekai.icu>
    description: The universal proxy platform.
--- a/9
+++ b/9
@@ -1,6 +1,7 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS_GO120 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls
+TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api
+TAGS_GO120 = with_quic,with_utls
 TAGS_GO121 = with_ech
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120),$(TAGS_GO121)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server
@@ -19,9 +20,13 @@ PREFIX ?= $(shell go env GOPATH)
 build:
 	go build $(MAIN_PARAMS) $(MAIN)

+ci_build_go118:
+	go build $(PARAMS) $(MAIN)
+	go build $(PARAMS) -tags "$(TAGS_GO118)" $(MAIN)
+
 ci_build_go120:
 	go build $(PARAMS) $(MAIN)
-	go build $(PARAMS) -tags "$(TAGS_GO120)" $(MAIN)
+	go build $(PARAMS) -tags "$(TAGS_GO118),$(TAGS_GO120)" $(MAIN)

 ci_build:
 	go build $(PARAMS) $(MAIN)
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -86,13 +86,14 @@ type DNSRule interface {
 	Rule
 	DisableCache() bool
 	RewriteTTL() *uint32
-	ClientSubnet() *netip.Prefix
+	ClientSubnet() *netip.Addr
 	WithAddressLimit() bool
 	MatchAddressLimit(metadata *InboundContext) bool
 }

 type RuleSet interface {
 	StartContext(ctx context.Context, startContext RuleSetStartContext) error
+	PostStart() error
 	Metadata() RuleSetMetadata
 	Close() error
 	HeadlessRule
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/common/settings/proxy_linux.go
+++ b/common/settings/proxy_linux.go
@@ -16,40 +16,30 @@ import (
 )

 type LinuxSystemProxy struct {
-	hasGSettings    bool
-	kWriteConfigCmd string
-	sudoUser        string
-	serverAddr      M.Socksaddr
-	supportSOCKS    bool
-	isEnabled       bool
+	hasGSettings     bool
+	hasKWriteConfig5 bool
+	sudoUser         string
+	serverAddr       M.Socksaddr
+	supportSOCKS     bool
+	isEnabled        bool
 }

 func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*LinuxSystemProxy, error) {
 	hasGSettings := common.Error(exec.LookPath("gsettings")) == nil
-	kWriteConfigCmds := []string{
-		"kwriteconfig5",
-		"kwriteconfig6",
-	}
-	var kWriteConfigCmd string
-	for _, cmd := range kWriteConfigCmds {
-		if common.Error(exec.LookPath(cmd)) == nil {
-			kWriteConfigCmd = cmd
-			break
-		}
-	}
+	hasKWriteConfig5 := common.Error(exec.LookPath("kwriteconfig5")) == nil
 	var sudoUser string
 	if os.Getuid() == 0 {
 		sudoUser = os.Getenv("SUDO_USER")
 	}
-	if !hasGSettings && kWriteConfigCmd == "" {
+	if !hasGSettings && !hasKWriteConfig5 {
 		return nil, E.New("unsupported desktop environment")
 	}
 	return &LinuxSystemProxy{
-		hasGSettings:    hasGSettings,
-		kWriteConfigCmd: kWriteConfigCmd,
-		sudoUser:        sudoUser,
-		serverAddr:      serverAddr,
-		supportSOCKS:    supportSOCKS,
+		hasGSettings:     hasGSettings,
+		hasKWriteConfig5: hasKWriteConfig5,
+		sudoUser:         sudoUser,
+		serverAddr:       serverAddr,
+		supportSOCKS:     supportSOCKS,
 	}, nil
 }

@@ -80,8 +70,8 @@ func (p *LinuxSystemProxy) Enable() error {
 			return err
 		}
 	}
-	if p.kWriteConfigCmd != "" {
-		err := p.runAsUser(p.kWriteConfigCmd, "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "1")
+	if p.hasKWriteConfig5 {
+		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "1")
 		if err != nil {
 			return err
 		}
@@ -93,7 +83,7 @@ func (p *LinuxSystemProxy) Enable() error {
 		if err != nil {
 			return err
 		}
-		err = p.runAsUser(p.kWriteConfigCmd, "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "Authmode", "0")
+		err = p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "Authmode", "0")
 		if err != nil {
 			return err
 		}
@@ -113,8 +103,8 @@ func (p *LinuxSystemProxy) Disable() error {
 			return err
 		}
 	}
-	if p.kWriteConfigCmd != "" {
-		err := p.runAsUser(p.kWriteConfigCmd, "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "0")
+	if p.hasKWriteConfig5 {
+		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "0")
 		if err != nil {
 			return err
 		}
@@ -160,7 +150,7 @@ func (p *LinuxSystemProxy) setKDEProxy(proxyTypes ...string) error {
 			proxyUrl = "http://" + p.serverAddr.String()
 		}
 		err := p.runAsUser(
-			p.kWriteConfigCmd,
+			"kwriteconfig5",
 			"--file",
 			"kioslaverc",
 			"--group",
--- a/common/sniff/bittorrent.go
+++ b/common/sniff/bittorrent.go
@@ -1,113 +0,0 @@
-package sniff
-
-import (
-	"bytes"
-	"context"
-	"encoding/binary"
-	"io"
-	"os"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-)
-
-const (
-	trackerConnectFlag = iota
-	trackerAnnounceFlag
-	trackerScrapeFlag
-
-	trackerProtocolID = 0x41727101980
-
-	trackerConnectMinSize  = 16
-	trackerAnnounceMinSize = 20
-	trackerScrapeMinSize   = 8
-)
-
-// BitTorrent detects if the stream is a BitTorrent connection.
-// For the BitTorrent protocol specification, see https://www.bittorrent.org/beps/bep_0003.html
-func BitTorrent(_ context.Context, reader io.Reader) (*adapter.InboundContext, error) {
-	var first byte
-	err := binary.Read(reader, binary.BigEndian, &first)
-	if err != nil {
-		return nil, err
-	}
-
-	if first != 19 {
-		return nil, os.ErrInvalid
-	}
-
-	var protocol [19]byte
-	_, err = reader.Read(protocol[:])
-	if err != nil {
-		return nil, err
-	}
-	if string(protocol[:]) != "BitTorrent protocol" {
-		return nil, os.ErrInvalid
-	}
-
-	return &adapter.InboundContext{
-		Protocol: C.ProtocolBitTorrent,
-	}, nil
-}
-
-// UTP detects if the packet is a uTP connection packet.
-// For the uTP protocol specification, see
-//  1. https://www.bittorrent.org/beps/bep_0029.html
-//  2. https://github.com/bittorrent/libutp/blob/2b364cbb0650bdab64a5de2abb4518f9f228ec44/utp_internal.cpp#L112
-func UTP(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
-	// A valid uTP packet must be at least 20 bytes long.
-	if len(packet) < 20 {
-		return nil, os.ErrInvalid
-	}
-
-	version := packet[0] & 0x0F
-	ty := packet[0] >> 4
-	if version != 1 || ty > 4 {
-		return nil, os.ErrInvalid
-	}
-
-	// Validate the extensions
-	extension := packet[1]
-	reader := bytes.NewReader(packet[20:])
-	for extension != 0 {
-		err := binary.Read(reader, binary.BigEndian, &extension)
-		if err != nil {
-			return nil, err
-		}
-
-		var length byte
-		err = binary.Read(reader, binary.BigEndian, &length)
-		if err != nil {
-			return nil, err
-		}
-		_, err = reader.Seek(int64(length), io.SeekCurrent)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return &adapter.InboundContext{
-		Protocol: C.ProtocolBitTorrent,
-	}, nil
-}
-
-// UDPTracker detects if the packet is a UDP Tracker Protocol packet.
-// For the UDP Tracker Protocol specification, see https://www.bittorrent.org/beps/bep_0015.html
-func UDPTracker(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
-	switch {
-	case len(packet) >= trackerConnectMinSize &&
-		binary.BigEndian.Uint64(packet[:8]) == trackerProtocolID &&
-		binary.BigEndian.Uint32(packet[8:12]) == trackerConnectFlag:
-		fallthrough
-	case len(packet) >= trackerAnnounceMinSize &&
-		binary.BigEndian.Uint32(packet[8:12]) == trackerAnnounceFlag:
-		fallthrough
-	case len(packet) >= trackerScrapeMinSize &&
-		binary.BigEndian.Uint32(packet[8:12]) == trackerScrapeFlag:
-		return &adapter.InboundContext{
-			Protocol: C.ProtocolBitTorrent,
-		}, nil
-	default:
-		return nil, os.ErrInvalid
-	}
-}
--- a/common/sniff/bittorrent_test.go
+++ b/common/sniff/bittorrent_test.go
@@ -1,81 +0,0 @@
-package sniff_test
-
-import (
-	"bytes"
-	"context"
-	"encoding/hex"
-	"testing"
-
-	"github.com/sagernet/sing-box/common/sniff"
-	C "github.com/sagernet/sing-box/constant"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestSniffBittorrent(t *testing.T) {
-	t.Parallel()
-
-	packets := []string{
-		"13426974546f7272656e742070726f746f636f6c0000000000100000e21ea9569b69bab33c97851d0298bdfa89bc90922d5554313631302dea812fcd6a3563e3be40c1d1",
-		"13426974546f7272656e742070726f746f636f6c00000000001000052aa4f5a7e209e54b32803d43670971c4c8caaa052d5452333030302d653369733079647675763638",
-		"13426974546f7272656e742070726f746f636f6c00000000001000052aa4f5a7e209e54b32803d43670971c4c8caaa052d5452343035302d6f7a316c6e79377931716130",
-	}
-
-	for _, pkt := range packets {
-		pkt, err := hex.DecodeString(pkt)
-		require.NoError(t, err)
-		metadata, err := sniff.BitTorrent(context.TODO(), bytes.NewReader(pkt))
-		require.NoError(t, err)
-		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
-	}
-}
-
-func TestSniffUTP(t *testing.T) {
-	t.Parallel()
-
-	packets := []string{
-		"010041a282d7ee7b583afb160004000006d8318da776968f92d666f7963f32dae23ba0d2c810d8b8209cc4939f54fde9eeaa521c2c20c9ba7f43f4fb0375f28de06643b5e3ca4685ab7ac76adca99783be72ef05ed59ef4234f5712b75b4c7c0d7bee8fe2ca20ad626ba5bb0ffcc16bf06790896f888048cf72716419a07db1a3dca4550fbcea75b53e97235168a221cf3e553dfbb723961bd719fab038d86e0ecb74747f5a2cd669de1c4b9ad375f3a492d09d98cdfad745435625401315bbba98d35d32086299801377b93495a63a9efddb8d05f5b37a5c5b1c0a25e917f12007bb5e05013ada8aff544fab8cadf61d80ddb0b60f12741e44515a109d144fd53ef845acb4b5ccf0d6fc302d7003d76df3fc3423bb0237301c9e88f900c2d392a8e0fdb36d143cf7527a93fd0a2638b746e72f6699fffcd4fd15348fce780d4caa04382fd9faf1ca0ae377ca805da7536662b84f5ee18dd3ae38fcb095a7543e55f9069ae92c8cf54ae44e97b558d35e2545c66601ed2149cbc32bd6df199a2be7cf0da8b2ff137e0d23e776bc87248425013876d3a3cc31a83b424b752bd0346437f24b532978005d8f5b1b0be1a37a2489c32a18a9ad3118e3f9d30eb299bffae18e1f0677c2a5c185e62519093fe6bc2b7339299ea50a587989f726ca6443a75dd5bb936f6367c6355d80fae53ff529d740b2e5576e3eefdf1fdbfc69c3c8d8ac750512635de63e054bee1d3b689bc1b2bc3d2601e42a00b5c89066d173d4ae7ffedfd2274e5cf6d868fbe640aedb69b8246142f00b32d459974287537ddd5373460dcbc92f5cfdd7a3ed6020822ae922d947893752ca1983d0d32977374c384ac8f5ab566859019b7351526b9f13e932037a55bb052d9deb3b3c23317e0784fdc51a64f2159bfea3b069cf5caf02ee2c3c1a6b6b427bb16165713e8802d95b5c8ed77953690e994bd38c9ae113fedaf6ee7fc2b96c032ceafc2a530ad0422e84546b9c6ad8ef6ea02fa508abddd1805c38a7b42e9b7c971b1b636865ebec06ed754bb404cd6b4e6cc8cb77bd4a0c43410d5cd5ef8fe853a66d49b3b9e06cb141236cdbfdd5761601dc54d1250b86c660e0f898fe62526fdd9acf0eab60a3bbbb2151970461f28f10b31689594bea646c4b03ee197d63bdef4e5a7c22716b3bb9494a83b78ecd81b338b80ac6c09c43485b1b09ba41c74343832c78f0520c1d659ac9eb1502094141e82fb9e5e620970ebc0655514c43c294a7714cbf9a499d277daf089f556398a01589a77494bec8bfb60a108f3813b55368672b88c1af40f6b3c8b513f7c70c3e0efce85228b8b9ec67ba0393f9f7305024d8e2da6a26cf85613d14f249170ce1000089df4c9c260df7f8292aa2ecb5d5bac97656d59aa248caedea2d198e51ce87baece338716d114b458de02d65c9ff808ca5b5b73723b4d1e962d9ac2d98176544dc9984cf8554d07820ef3dd0861cfe57b478328046380de589adad94ee44743ffac73bb7361feca5d56f07cf8ce75080e261282ae30350d7882679b15cab9e7e53ddf93310b33f7390ae5d318bb53f387e6af5d0ef4f947fc9cb8e7e38b52c7f8d772ece6156b38d88796ea19df02c53723b44df7c76315a0de9462f27287e682d2b4cda1a68fe00d7e48c51ee981be44e1ca940fb5190c12655edb4a83c3a4f33e48a015692df4f0b3d61656e362aca657b5ae8c12db5a0db3db1e45135ee918b66918f40e53c4f83e9da0cddfe63f736ae751ab3837a30ae3220d8e8e311487093a7b90c7e7e40dd54ca750e19452f9193aa892aa6a6229ab493dadae988b1724f7898ee69c36d3eb7364c4adbeca811cfe2065873e78c2b6dfdf1595f7a7831c07e03cda82e4f86f76438dfb2b07c13638ce7b509cfa71b88b5102b39a203b423202088e1c2103319cb32c13c1e546ff8612fa194c95a7808ab767c265a1bd5fa0efed5c8ec1701876a00ec8",
-		"01001ecb68176f215d04326300100000dbcf30292d14b54e9ee2d115ee5b8ebc7fad3e882d4fcdd0c14c6b917c11cb4c6a9f410b52a33ae97c2ac77c7a2b122b8955e09af3c5c595f1b2e79ca57cfe44c44e069610773b9bc9ba223d7f6b383e3adddd03fb88a8476028e30979c2ef321ffc97c5c132bcf9ac5b410bbb5ec6cefca3c7209202a14c5ae922b6b157b0a80249d13ffe5b996af0bc8e54ba576d148372494303e7ead0602b05b9c8fc97d48508a028a04d63a1fd28b0edfcd5c51715f63188b53eefede98a76912dca98518551a8856567307a56a702cbfcc115ea0c755b418bc2c7b57721239b82f09fb24328a4b0ce0f109bcb2a64e04b8aadb1f8487585425acdf8fc4ec8ea93cfcec5ac098bb29d42ddef6e46b03f34a5de28316726699b7cb5195c33e5c48abe87d591d63f9991c84c30819d186d6e0e95fd83c8dff07aa669c4430989bcaccfeacb9bcadbdb4d8f1964dbeb9687745656edd30b21c66cc0a1d742a78717d134a19a7f02d285a4973b1a198c00cfdff4676608dc4f3e817e3463c3b4e2c80d3e8d4fbac541a58a2fb7ad6939f607f8144eff6c8b0adc28ee5609ea158987519892fb",
-		"21001ecb6817f2805d044fd700100000dbd03029",
-		"410277ef0b1fb1f60000000000040000c233000000080000000000000000",
-	}
-
-	for _, pkt := range packets {
-		pkt, err := hex.DecodeString(pkt)
-		require.NoError(t, err)
-
-		metadata, err := sniff.UTP(context.TODO(), pkt)
-		require.NoError(t, err)
-		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
-	}
-}
-
-func TestSniffUDPTracker(t *testing.T) {
-	t.Parallel()
-
-	connectPackets := []string{
-		// connect packets
-		"00000417271019800000000078e90560",
-		"00000417271019800000000022c5d64d",
-		"000004172710198000000000b3863541",
-
-		// announce packets
-		"3d7592ead4b8c9e300000001b871a3820000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
-		"3d7592ead4b8c9e30000000188deed1c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
-		"3d7592ead4b8c9e300000001ceb948ad0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a3362cdb7020ff920e5aa642c3d4066950dd1f01f4d00000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
-
-		// scrape packets
-		"3d7592ead4b8c9e300000002d2f4bba5a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
-		"3d7592ead4b8c9e300000002441243292aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
-		"3d7592ead4b8c9e300000002b2aa461b1ad1fa9661cf3fe45fb2504ad52ec6c67758e294",
-	}
-
-	for _, pkt := range connectPackets {
-		pkt, err := hex.DecodeString(pkt)
-		require.NoError(t, err)
-
-		metadata, err := sniff.UDPTracker(context.TODO(), pkt)
-		require.NoError(t, err)
-		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
-	}
-}
--- a/constant/protocol.go
+++ b/constant/protocol.go
@@ -1,10 +1,9 @@
 package constant

 const (
-	ProtocolTLS        = "tls"
-	ProtocolHTTP       = "http"
-	ProtocolQUIC       = "quic"
-	ProtocolDNS        = "dns"
-	ProtocolSTUN       = "stun"
-	ProtocolBitTorrent = "bittorrent"
+	ProtocolTLS  = "tls"
+	ProtocolHTTP = "http"
+	ProtocolQUIC = "quic"
+	ProtocolDNS  = "dns"
+	ProtocolSTUN = "stun"
 )
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,189 +2,6 @@
 icon: material/alert-decagram
 ---

-#### 1.10.0-alpha.11
-
-* Fixes and improvements
-
-### 1.9.3
-
-* Fixes and improvements
-
-#### 1.10.0-alpha.10
-
-* Fixes and improvements
-
-### 1.9.2
-
-* Fixes and improvements
-
-#### 1.10.0-alpha.8
-
-* Drop support for go1.18 and go1.19 **1**
-* Update quic-go to v0.45.0
-* Update Hysteria2 BBR congestion control
-* Fixes and improvements
-
-**1**:
-
-Due to maintenance difficulties, sing-box 1.10.0 requires at least Go 1.20 to compile.
-
-### 1.9.1
-
-* Fixes and improvements
-
-#### 1.10.0-alpha.7
-
-* Fixes and improvements
-
-#### 1.10.0-alpha.5
-
-* Improve auto-redirect **1**
-
-**1**:
-
-nftables support and DNS hijacking has been added.
-
-Tun inbounds with `auto_route` and `auto_redirect` now works as expected on routers **without intervention**.
-
-#### 1.10.0-alpha.4
-
-* Fix auto-redirect **1**
-* Improve auto-route on linux **2**
-
-**1**:
-
-Tun inbounds with `auto_route` and `auto_redirect` now works as expected on routers.
-
-**2**:
-
-Tun inbounds with `auto_route` and `strict_route` now works as expected on routers and servers,
-but the usages of [exclude_interface](/configuration/inbound/tun/#exclude_interface) need to be updated.
-
-#### 1.10.0-alpha.2
-
-* Move auto-redirect to Tun **1**
-* Fixes and improvements
-
-**1**:
-
-Linux support are added.
-
-See [Tun](/configuration/inbound/tun/#auto_redirect).
-
-#### 1.10.0-alpha.1
-
-* Add tailing comma support in JSON configuration
-* Add simple auto-redirect for Android **1**
-* Add BitTorrent sniffer **2**
-
-**1**:
-
-It allows you to use redirect inbound in the sing-box Android client
-and automatically configures IPv4 TCP redirection via su.
-
-This may alleviate the symptoms of some OCD patients who think that
-redirect can effectively save power compared to the system HTTP Proxy.
-
-See [Redirect](/configuration/inbound/redirect/).
-
-**2**:
-
-See [Protocol Sniff](/configuration/route/sniff/).
-
-### 1.9.0
-
-* Fixes and improvements
-
-Important changes since 1.8:
-
-* `domain_suffix` behavior update **1**
-* `process_path` format update on Windows **2**
-* Add address filter DNS rule items **3**
-* Add support for `client-subnet` DNS options **4**
-* Add rejected DNS response cache support **5**
-* Add `bypass_domain` and `search_domain` platform HTTP proxy options **6**
-* Fix missing `rule_set_ipcidr_match_source` item in DNS rules **7**
-* Handle Windows power events
-* Always disable cache for fake-ip DNS transport if `dns.independent_cache` disabled
-* Improve DNS truncate behavior
-* Update Hysteria protocol
-* Update quic-go to v0.43.1
-* Update gVisor to 20240422.0
-* Mitigating TunnelVision attacks **8**
-
-**1**:
-
-See [Migration](/migration/#domain_suffix-behavior-update).
-
-**2**:
-
-See [Migration](/migration/#process_path-format-update-on-windows).
-
-**3**:
-
-The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
-if using this method.
-
-See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
-
-[Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.
-
-**4**:
-
-See [DNS](/configuration/dns), [DNS Server](/configuration/dns/server) and [DNS Rules](/configuration/dns/rule).
-
-Since this feature makes the scenario mentioned in `alpha.1` no longer leak DNS requests,
-the [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) has been updated.
-
-**5**:
-
-The new feature allows you to cache the check results of
-[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
-
-**6**:
-
-See [TUN](/configuration/inbound/tun) inbound.
-
-**7**:
-
-See [DNS Rule](/configuration/dns/rule/).
-
-**8**:
-
-See [TunnelVision](/manual/misc/tunnelvision).
-
-#### 1.9.0-rc.22
-
-* Fixes and improvements
-
-#### 1.9.0-rc.20
-
-* Prioritize `*_route_address` in linux auto-route
-* Fix `*_route_address` in darwin auto-route
-
-#### 1.8.14
-
-* Fix hysteria2 panic
-* Fixes and improvements
-
-#### 1.9.0-rc.18
-
-* Add custom prefix support in EDNS0 client subnet options
-* Fix hysteria2 crash
-* Fix `store_rdrc` corrupted
-* Update quic-go to v0.43.1
-* Fixes and improvements
-
-#### 1.9.0-rc.16
-
-* Mitigating TunnelVision attacks **1**
-* Fixes and improvements
-
-**1**:
-
-See [TunnelVision](/manual/misc/tunnelvision).
-
 #### 1.9.0-rc.15

 * Fixes and improvements
@@ -388,7 +205,7 @@ See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).

 * Fixes and improvements

-### 1.8.0
+#### 1.8.0

 * Fixes and improvements

@@ -679,7 +496,7 @@ New commands manage GeoIP, Geosite and rule set resources, and help you migrate

 Logical rules in route rules, DNS rules, and the new headless rule now allow nesting of logical rules.

-### 1.7.0
+#### 1.7.0

 * Fixes and improvements

@@ -839,7 +656,7 @@ Introduced in V2Ray 5.10.0.

 The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.

-### 1.6.0
+#### 1.6.0

 * Fixes and improvements

@@ -1018,7 +835,7 @@ introduce new issues.
 None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
 This update is intended to address the multi-send defects of the old implementation and may introduce new issues.

-### 1.5.0
+#### 1.5.0

 * Fixes and improvements

@@ -1212,7 +1029,7 @@ All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria`, `T

 * Fixes and improvements

-### 1.4.0
+#### 1.4.0

 * Fix bugs and update dependencies

@@ -1354,7 +1171,7 @@ The old testflight link and app are no longer valid.

 * Fixes and improvements

-### 1.3.0
+#### 1.3.0

 * Fix bugs and update dependencies

@@ -1546,7 +1363,7 @@ to `domain` rule.
 * Flush DNS cache for macOS when tun start/close
 * Fix tun's DNS hijacking compatibility with systemd-resolved

-### 1.2.0
+#### 1.2.0

 * Fix bugs and update dependencies

--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@@ -73,8 +73,6 @@ problematic in environments such as macOS, where DNS is proxied and cached by th

 !!! question "Since sing-box 1.9.0"

-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.

 Can be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@@ -71,10 +71,8 @@ icon: material/new-box

 !!! question "自 sing-box 1.9.0 起"

-默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
-
-如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
-
+默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
+ 
 可以被 `servers.[].client_subnet` 或 `rules.[].client_subnet` 覆盖。

 #### fakeip
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -125,7 +125,7 @@ icon: material/new-box
        "server": "local",
        "disable_cache": false,
        "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1/24"
+        "client_subnet": "127.0.0.1"
      },
      {
        "type": "logical",
@@ -134,7 +134,7 @@ icon: material/new-box
        "server": "local",
        "disable_cache": false,
        "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1/24"
+        "client_subnet": "127.0.0.1"
      }
    ]
  }
@@ -339,9 +339,7 @@ Rewrite TTL in DNS responses.

 !!! question "Since sing-box 1.9.0"

-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.

 Will overrides `dns.client_subnet` and `servers.[].client_subnet`.

--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -124,7 +124,7 @@ icon: material/new-box
        ],
        "server": "local",
        "disable_cache": false,
-        "client_subnet": "127.0.0.1/24"
+        "client_subnet": "127.0.0.1"
      },
      {
        "type": "logical",
@@ -132,7 +132,7 @@ icon: material/new-box
        "rules": [],
        "server": "local",
        "disable_cache": false,
-        "client_subnet": "127.0.0.1/24"
+        "client_subnet": "127.0.0.1"
      }
    ]
  }
@@ -337,9 +337,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 !!! question "自 sing-box 1.9.0 起"

-默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
-
-如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。

 将覆盖 `dns.client_subnet` 与 `servers.[].client_subnet`。

--- a/docs/configuration/dns/server.md
+++ b/docs/configuration/dns/server.md
@@ -100,9 +100,7 @@ Default outbound will be used if empty.

 !!! question "Since sing-box 1.9.0"

-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.

 Can be overrides by `rules.[].client_subnet`.

--- a/docs/configuration/dns/server.zh.md
+++ b/docs/configuration/dns/server.zh.md
@@ -100,9 +100,7 @@ DNS 服务器的地址。

 !!! question "自 sing-box 1.9.0 起"

-默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
-
-如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。

 可以被 `rules.[].client_subnet` 覆盖。

--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -2,10 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "Changes in sing-box 1.10.0"
-
-    :material-plus: [auto_redirect](#auto_redirect)
-
 !!! quote "Changes in sing-box 1.9.0"

    :material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)  
@@ -33,7 +29,6 @@ icon: material/new-box
  "gso": false,
  "auto_route": true,
  "strict_route": true,
-  "auto_redirect": false,
  "inet4_route_address": [
    "0.0.0.0/1",
    "128.0.0.0/1"
@@ -150,10 +145,9 @@ Enforce strict routing rules when `auto_route` is enabled:
 *In Linux*:

 * Let unsupported network unreachable
-* Make ICMP traffic route to tun instead of upstream interfaces
 * Route all connections to tun

-It prevents IP address leaks and makes DNS hijacking work on Android.
+It prevents address leaks and makes DNS hijacking work on Android.

 *In Windows*:

@@ -162,25 +156,6 @@ It prevents IP address leaks and makes DNS hijacking work on Android.

 It may prevent some applications (such as VirtualBox) from working properly in certain situations.

-#### auto_redirect
-
-!!! question "Since sing-box 1.10.0"
-
-!!! quote ""
-
-    Only supported on Linux.
-
-Automatically configure iptables/nftables to redirect connections.
-
-*In Android*：
-
-Only local connections are forwarded. To share your VPN connection over hotspot or repeater,
-use [VPNHotspot](https://github.com/Mygod/VPNHotspot).
-
-*In Linux*:
-
-`auto_route` with `auto_redirect` now works as expected on routers **without intervention**.
-
 #### inet4_route_address

 Use custom routes instead of default when `auto_route` is enabled.
@@ -239,10 +214,6 @@ Conflict with `exclude_interface`.

 #### exclude_interface

-!!! warning ""
-
-    When `strict_route` enabled, return traffic to excluded interfaces will not be automatically excluded, so add them as well (example: `br-lan` and `pppoe-wan`).
-
 Exclude interfaces in route.

 Conflict with `include_interface`.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -2,10 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "sing-box 1.10.0 中的更改"
-
-    :material-plus: [auto_redirect](#auto_redirect)
-
 !!! quote "sing-box 1.9.0 中的更改"

    :material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)  
@@ -33,7 +29,6 @@ icon: material/new-box
  "gso": false,
  "auto_route": true,
  "strict_route": true,
-  "auto_redirect": false,
  "inet4_route_address": [
    "0.0.0.0/1",
    "128.0.0.0/1"
@@ -150,10 +145,9 @@ tun 接口的 IPv6 前缀。
 *在 Linux 中*:

 * 让不支持的网络无法到达
-* 使 ICMP 流量路由到 tun 而不是上游接口
 * 将所有连接路由到 tun

-它可以防止 IP 地址泄漏，并使 DNS 劫持在 Android 上工作。
+它可以防止地址泄漏，并使 DNS 劫持在 Android 上工作。

 *在 Windows 中*:

@@ -163,24 +157,6 @@ tun 接口的 IPv6 前缀。

 它可能会使某些应用程序（如 VirtualBox）在某些情况下无法正常工作。

-#### auto_redirect
-
-!!! question "自 sing-box 1.10.0 起"
-
-!!! quote ""
-
-    仅支持 Linux。
-
-自动配置 iptables 以重定向 TCP 连接。
-
-*在 Android 中*：
-
-仅转发本地 IPv4 连接。 要通过热点或中继共享您的 VPN 连接，请使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot)。
-
-*在 Linux 中*:
-
-带有 `auto_redirect `的 `auto_route` 现在可以在路由器上按预期工作，**无需干预**。
-
 #### inet4_route_address

 启用 `auto_route` 时使用自定义路由而不是默认路由。
@@ -235,10 +211,6 @@ TCP/IP 栈。

 #### exclude_interface

-!!! warning ""
-
-    当 `strict_route` 启用，到被排除接口的回程流量将不会被自动排除，因此也要添加它们（例：`br-lan` 与 `pppoe-wan`）。
-
 排除路由的接口。

 与 `include_interface` 冲突。
--- a/docs/configuration/route/sniff.md
+++ b/docs/configuration/route/sniff.md
@@ -2,11 +2,10 @@ If enabled in the inbound, the protocol and domain name (if present) of by the c

 #### Supported Protocols

-| Network |  Protocol   | Domain Name |
-|:-------:|:-----------:|:-----------:|
-|   TCP   |    HTTP     |    Host     |
-|   TCP   |     TLS     | Server Name |
-|   UDP   |    QUIC     | Server Name |
-|   UDP   |    STUN     |      /      |
-| TCP/UDP |     DNS     |      /      |
-| TCP/UDP | BitTorrent  |      /      |
+| Network | Protocol | Domain Name |
+|:-------:|:--------:|:-----------:|
+|   TCP   |   HTTP   |    Host     |
+|   TCP   |   TLS    | Server Name |
+|   UDP   |   QUIC   | Server Name |
+|   UDP   |   STUN   |      /      |
+| TCP/UDP |   DNS    |      /      |
--- a/docs/configuration/route/sniff.zh.md
+++ b/docs/configuration/route/sniff.zh.md
@@ -2,11 +2,10 @@

 #### 支持的协议

-|   网络    |     协议      |     域名      |
-|:-------:|:-----------:|:-----------:|
-|   TCP   |    HTTP     |    Host     |
-|   TCP   |     TLS     | Server Name |
-|   UDP   |    QUIC     | Server Name |
-|   UDP   |    STUN     |      /      |
-| TCP/UDP |     DNS     |      /      |
-| TCP/UDP | BitTorrent  |      /      |
+|   网络    |  协议  |     域名      |
+|:-------:|:----:|:-----------:|
+|   TCP   | HTTP |    Host     |
+|   TCP   | TLS  | Server Name |
+|   UDP   | QUIC | Server Name |
+|   UDP   | STUN |      /      |
+| TCP/UDP | DNS  |      /      |
--- a/docs/deprecated.md
+++ b/docs/deprecated.md
@@ -4,12 +4,6 @@ icon: material/delete-alert

 # Deprecated Feature List

-## 1.10.0
-
-#### Drop support for go1.18 and go1.19
-
-Due to maintenance difficulties, sing-box 1.10.0 requires at least Go 1.20 to compile.
-
 ## 1.8.0

 #### Cache file and related features in Clash API
--- a/docs/deprecated.zh.md
+++ b/docs/deprecated.zh.md
@@ -4,12 +4,6 @@ icon: material/delete-alert

 # 废弃功能列表

-## 1.10.0
-
-#### 移除对 go1.18 和 go1.19 的支持
-
-由于维护困难，sing-box 1.10.0 要求至少 Go 1.20 才能编译。
-
 ## 1.8.0

 #### Clash API 中的 Cache file 及相关功能
--- a/docs/manual/misc/tunnelvision.md
+++ b/docs/manual/misc/tunnelvision.md
@@ -1,38 +0,0 @@
---
-icon: material/book-lock-open
---
-
-# TunnelVision
-
-TunnelVision is an attack that uses DHCP option 121 to set higher priority routes
-so that traffic does not go through the VPN.
-
-Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3661
-
-## Status
-
-### Android
-
-Android does not handle DHCP option 121 and is not affected.
-
-### Apple platforms
-
-Update [sing-box graphical client](/clients/apple/#download) to `1.9.0-rc.16` or newer,
-then enable `includeAllNetworks` in `Settings` — `Packet Tunnel` and you will be unaffected.
-
-Note: when `includeAllNetworks` is enabled, the default TUN stack is changed to `gvisor`,
-and the `system` and `mixed` stacks are not available.
-
-### Linux
-
-Update sing-box to `1.9.0-rc.16` or newer, rules generated by `auto-route` are unaffected.
-
-### Windows
-
-No solution yet.
-
-## Workarounds
-
-* Don't connect to untrusted networks
-* Relay untrusted network through another device
-* Just ignore it
--- a/docs/manual/proxy-protocol/tuic.md
+++ b/docs/manual/proxy-protocol/tuic.md
@@ -0,0 +1,208 @@
+---
+icon: material/alpha-t-box
+---
+
+# TUIC
+
+A recently popular Chinese-made simple protocol based on QUIC, the selling point is the BBR congestion control algorithm.
+
+!!! warning
+
+    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more characteristics than TCP based proxies.
+
+| Specification                                             | Binary Characteristics | Active Detect Hiddenness |
+|-----------------------------------------------------------|------------------------|--------------------------|
+| [GitHub](https://github.com/EAimTY/tuic/blob/dev/SPEC.md) | :material-alert:       | :material-check:         | 
+
+## Password Generator
+
+| Generated UUID         | Generated  Password        | Action                                                          |
+|------------------------|----------------------------|-----------------------------------------------------------------|
+| <code id="uuid"><code> | <code id="password"><code> | <button class="md-button" onclick="generate()">Refresh</button> |
+
+<script>
+    function generateUUID() {
+        const uuid = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
+            let r = Math.random() * 16 | 0,
+            v = c === 'x' ? r : (r & 0x3 | 0x8);
+            return v.toString(16);
+        });
+        document.getElementById("uuid").textContent = uuid;
+    }
+    function generatePassword() {
+        const array = new Uint8Array(16);
+        window.crypto.getRandomValues(array);
+        document.getElementById("password").textContent = btoa(String.fromCharCode.apply(null, array));
+    }
+    function generate() {
+        generateUUID();
+        generatePassword();
+    }
+    generate();
+</script>
+
+## :material-server: Server Example
+
+=== ":material-harddisk: With local certificate"
+
+    ```json
+     {
+      "inbounds": [
+        {
+          "type": "tuic",
+          "listen": "::",
+          "listen_port": 8080,
+          "users": [
+            {
+              "name": "sekai",
+              "uuid": "<uuid>",
+              "password": "<password>"
+            }
+          ],
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "key_path": "/path/to/key.pem",
+            "certificate_path": "/path/to/certificate.pem"
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-auto-fix: With ACME"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "tuic",
+          "listen": "::",
+          "listen_port": 8080,
+          "users": [
+            {
+              "name": "sekai",
+              "uuid": "<uuid>",
+              "password": "<password>"
+            }
+          ],
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "acme": {
+              "domain": "example.org",
+              "email": "admin@example.org"
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-cloud: With ACME and Cloudflare API"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "tuic",
+          "listen": "::",
+          "listen_port": 8080,
+          "users": [
+            {
+              "name": "sekai",
+              "uuid": "<uuid>",
+              "password": "<password>"
+            }
+          ],
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "acme": {
+              "domain": "example.org",
+              "email": "admin@example.org",
+              "dns01_challenge": {
+                "provider": "cloudflare",
+                "api_token": "my_token"
+              }
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+## :material-cellphone-link: Client Example
+
+=== ":material-web-check: With valid certificate"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "tuic",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "uuid": "<uuid>",
+          "password": "<password>",
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org"
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-check: With self-sign certificate"
+
+    !!! info "Tip"
+        
+        Use `sing-box merge` command to merge configuration and certificate into one file.
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "tuic",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "uuid": "<uuid>",
+          "password": "<password>",
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "certificate_path": "/path/to/certificate.pem"
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-alert: Ignore certificate verification"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "tuic",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "uuid": "<uuid>",
+          "password": "<password>",
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "insecure": true
+          }
+        }
+      ]
+    }
+    ```
+
--- a/docs/manual/proxy/client.md
+++ b/docs/manual/proxy/client.md
@@ -471,7 +471,7 @@ flowchart TB
                  }
                ],
                "server": "google",
-                "client_subnet": "114.114.114.114/24" // Any China client IP address
+                "client_subnet": "114.114.114.114" // Any China client IP address
              }
            ]
          },
--- a/docs/migration.md
+++ b/docs/migration.md
@@ -4,6 +4,10 @@ icon: material/arrange-bring-forward

 ## 1.9.0

+!!! warning "Unstable"
+
+    This version is still under development, and the following migration guide may be changed in the future.
+
 ### `domain_suffix` behavior update

 For historical reasons, sing-box's `domain_suffix` rule matches literal prefixes instead of the same as other projects.
--- a/docs/migration.zh.md
+++ b/docs/migration.zh.md
@@ -4,6 +4,10 @@ icon: material/arrange-bring-forward

 ## 1.9.0

+!!! warning "不稳定的"
+
+    该版本仍在开发中，迁移指南可能将在未来更改。
+
 ### `domain_suffix` 行为更新

 由于历史原因，sing-box 的 `domain_suffix` 规则匹配字面前缀，而不与其他项目相同。
--- a/experimental/cachefile/cache.go
+++ b/experimental/cachefile/cache.go
@@ -57,7 +57,6 @@ type CacheFile struct {
 type saveRDRCCacheKey struct {
 	TransportName string
 	QuestionName  string
-	QType         uint16
 }

 func New(ctx context.Context, options option.CacheFileOptions) *CacheFile {
--- a/experimental/cachefile/rdrc.go
+++ b/experimental/cachefile/rdrc.go
@@ -9,7 +9,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 )

-var bucketRDRC = []byte("rdrc2")
+var bucketRDRC = []byte("rdrc")

 func (c *CacheFile) StoreRDRC() bool {
 	return c.storeRDRC
@@ -19,17 +19,13 @@ func (c *CacheFile) RDRCTimeout() time.Duration {
 	return c.rdrcTimeout
 }

-func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (rejected bool) {
+func (c *CacheFile) LoadRDRC(transportName string, qName string) (rejected bool) {
 	c.saveRDRCAccess.RLock()
-	rejected, cached := c.saveRDRC[saveRDRCCacheKey{transportName, qName, qType}]
+	rejected, cached := c.saveRDRC[saveRDRCCacheKey{transportName, qName}]
 	c.saveRDRCAccess.RUnlock()
 	if cached {
 		return
 	}
-	key := buf.Get(2 + len(qName))
-	binary.BigEndian.PutUint16(key, qType)
-	copy(key[2:], qName)
-	defer buf.Put(key)
 	var deleteCache bool
 	err := c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := c.bucket(tx, bucketRDRC)
@@ -40,7 +36,7 @@ func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (
 		if bucket == nil {
 			return nil
 		}
-		content := bucket.Get(key)
+		content := bucket.Get([]byte(qName))
 		if content == nil {
 			return nil
 		}
@@ -65,13 +61,13 @@ func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (
 			if bucket == nil {
 				return nil
 			}
-			return bucket.Delete(key)
+			return bucket.Delete([]byte(qName))
 		})
 	}
 	return
 }

-func (c *CacheFile) SaveRDRC(transportName string, qName string, qType uint16) error {
+func (c *CacheFile) SaveRDRC(transportName string, qName string) error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket, err := c.createBucket(tx, bucketRDRC)
 		if err != nil {
@@ -81,24 +77,20 @@ func (c *CacheFile) SaveRDRC(transportName string, qName string, qType uint16) e
 		if err != nil {
 			return err
 		}
-		key := buf.Get(2 + len(qName))
-		binary.BigEndian.PutUint16(key, qType)
-		copy(key[2:], qName)
-		defer buf.Put(key)
 		expiresAt := buf.Get(8)
 		defer buf.Put(expiresAt)
 		binary.BigEndian.PutUint64(expiresAt, uint64(time.Now().Add(c.rdrcTimeout).Unix()))
-		return bucket.Put(key, expiresAt)
+		return bucket.Put([]byte(qName), expiresAt)
 	})
 }

-func (c *CacheFile) SaveRDRCAsync(transportName string, qName string, qType uint16, logger logger.Logger) {
-	saveKey := saveRDRCCacheKey{transportName, qName, qType}
+func (c *CacheFile) SaveRDRCAsync(transportName string, qName string, logger logger.Logger) {
+	saveKey := saveRDRCCacheKey{transportName, qName}
 	c.saveRDRCAccess.Lock()
 	c.saveRDRC[saveKey] = true
 	c.saveRDRCAccess.Unlock()
 	go func() {
-		err := c.SaveRDRC(transportName, qName, qType)
+		err := c.SaveRDRC(transportName, qName)
 		if err != nil {
 			logger.Warn("save RDRC: ", err)
 		}
--- a/experimental/libbox/config.go
+++ b/experimental/libbox/config.go
@@ -82,10 +82,6 @@ func (s *platformInterfaceStub) UnderNetworkExtension() bool {
 	return false
 }

-func (s *platformInterfaceStub) IncludeAllNetworks() bool {
-	return false
-}
-
 func (s *platformInterfaceStub) ClearDNSCache() {
 }

--- a/experimental/libbox/platform.go
+++ b/experimental/libbox/platform.go
@@ -19,7 +19,6 @@ type PlatformInterface interface {
 	UsePlatformInterfaceGetter() bool
 	GetInterfaces() (NetworkInterfaceIterator, error)
 	UnderNetworkExtension() bool
-	IncludeAllNetworks() bool
 	ReadWIFIState() *WIFIState
 	ClearDNSCache()
 }
--- a/experimental/libbox/platform/interface.go
+++ b/experimental/libbox/platform/interface.go
@@ -21,7 +21,6 @@ type Interface interface {
 	UsePlatformInterfaceGetter() bool
 	Interfaces() ([]control.Interface, error)
 	UnderNetworkExtension() bool
-	IncludeAllNetworks() bool
 	ClearDNSCache()
 	ReadWIFIState() adapter.WIFIState
 	process.Searcher
--- a/experimental/libbox/service.go
+++ b/experimental/libbox/service.go
@@ -213,10 +213,6 @@ func (w *platformInterfaceWrapper) UnderNetworkExtension() bool {
 	return w.iif.UnderNetworkExtension()
 }

-func (w *platformInterfaceWrapper) IncludeAllNetworks() bool {
-	return w.iif.IncludeAllNetworks()
-}
-
 func (w *platformInterfaceWrapper) ClearDNSCache() {
 	w.iif.ClearDNSCache()
 }
--- a/experimental/libbox/service_pause.go
+++ b/experimental/libbox/service_pause.go
@@ -16,18 +16,25 @@ func (s *BoxService) Pause() {
 	if s.pauseTimer != nil {
 		s.pauseTimer.Stop()
 	}
-	s.pauseTimer = time.AfterFunc(3*time.Second, s.ResetNetwork)
+	s.pauseTimer = time.AfterFunc(time.Minute, s.pause)
+}
+
+func (s *BoxService) pause() {
+	s.pauseAccess.Lock()
+	defer s.pauseAccess.Unlock()
+	s.pauseManager.DevicePause()
+	_ = s.instance.Router().ResetNetwork()
+	s.pauseTimer = nil
 }

 func (s *BoxService) Wake() {
+	_ = s.instance.Router().ResetNetwork()
 	s.pauseAccess.Lock()
 	defer s.pauseAccess.Unlock()
 	if s.pauseTimer != nil {
 		s.pauseTimer.Stop()
+		s.pauseTimer = nil
+		return
 	}
-	s.pauseTimer = time.AfterFunc(3*time.Minute, s.ResetNetwork)
-}
-
-func (s *BoxService) ResetNetwork() {
-	_ = s.instance.Router().ResetNetwork()
+	s.pauseManager.DeviceWake()
 }
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/go-chi/chi/v5 v5.0.12
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
-	github.com/gofrs/uuid/v5 v5.2.0
+	github.com/gofrs/uuid/v5 v5.1.0
 	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
 	github.com/libdns/alidns v1.0.3
 	github.com/libdns/cloudflare v0.1.1
@@ -24,16 +24,16 @@ require (
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
 	github.com/sagernet/gomobile v0.1.3
 	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f
-	github.com/sagernet/quic-go v0.45.0-beta.2
+	github.com/sagernet/quic-go v0.43.0-beta.3
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.5.0-alpha.9
-	github.com/sagernet/sing-dns v0.3.0-beta.5
+	github.com/sagernet/sing v0.4.0-beta.18
+	github.com/sagernet/sing-dns v0.2.0-beta.16
 	github.com/sagernet/sing-mux v0.2.0
-	github.com/sagernet/sing-quic v0.2.0-beta.9
+	github.com/sagernet/sing-quic v0.2.0-beta.1
 	github.com/sagernet/sing-shadowsocks v0.2.6
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/sing-tun v0.4.0-beta.8
+	github.com/sagernet/sing-tun v0.2.8-beta.1
 	github.com/sagernet/sing-vmess v0.1.8
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6
@@ -44,9 +44,9 @@ require (
 	github.com/stretchr/testify v1.9.0
 	go.uber.org/zap v1.27.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.24.0
-	golang.org/x/net v0.26.0
-	golang.org/x/sys v0.21.0
+	golang.org/x/crypto v0.22.0
+	golang.org/x/net v0.24.0
+	golang.org/x/sys v0.19.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	google.golang.org/grpc v1.63.2
 	google.golang.org/protobuf v1.33.0
@@ -65,7 +65,6 @@ require (
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -73,27 +72,24 @@ require (
 	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
-	github.com/mdlayher/netlink v1.7.2 // indirect
-	github.com/mdlayher/socket v0.4.1 // indirect
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/onsi/ginkgo/v2 v2.9.7 // indirect
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
-	github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba // indirect
-	github.com/sagernet/nftables v0.3.0-beta.2 // indirect
+	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
-	github.com/vishvananda/netns v0.0.4 // indirect
+	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 // indirect
-	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
+	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.22.0 // indirect
+	golang.org/x/tools v0.20.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -34,13 +34,12 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM=
-github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gofrs/uuid/v5 v5.1.0 h1:S5rqVKIigghZTCBKPCw0Y+bXkn26K3TB5mvQq2Ix8dk=
+github.com/gofrs/uuid/v5 v5.1.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
@@ -70,10 +69,6 @@ github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
 github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
-github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
-github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
-github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
-github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
 github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
 github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
 github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
@@ -104,31 +99,29 @@ github.com/sagernet/gomobile v0.1.3 h1:ohjIb1Ou2+1558PnZour3od69suSuvkdSVOlO1tC4
 github.com/sagernet/gomobile v0.1.3/go.mod h1:Pqq2+ZVvs10U7xK+UwJgwYWUykewi8H6vlslAO73n9E=
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y/6ZHJWrnNLoiNnSJaow6DPb8VW2I=
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
-github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba h1:EY5AS7CCtfmARNv2zXUOrsEMPFDGYxaw65JzA2p51Vk=
-github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/nftables v0.3.0-beta.2 h1:yKqMl4Dpb6nKxAmlE6fXjJRlLO2c1f2wyNFBg4hBr8w=
-github.com/sagernet/nftables v0.3.0-beta.2/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
-github.com/sagernet/quic-go v0.45.0-beta.2 h1:nWq9KJTR+cGU8UU4E20XNjdM6QgbLkBgpq+NCExg5RY=
-github.com/sagernet/quic-go v0.45.0-beta.2/go.mod h1:rs3XCo3SQ2sB96NtaKnEyq+ZkyaKWL51BvIW3veaiWw=
+github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
+github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
+github.com/sagernet/quic-go v0.43.0-beta.3 h1:qclJbbpgZe76EH62Bdu3LfDSC2zmuxj7zXCpdQBbe7c=
+github.com/sagernet/quic-go v0.43.0-beta.3/go.mod h1:3EtxR1Yaa1FZu6jFPiBHpOAdhOxL4A3EPxmiVgjJvVM=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.5.0-alpha.9 h1:Mmg+LCbaKXBeQD/ttzi0/MQa3NcUyfadIgkGzhQW7o0=
-github.com/sagernet/sing v0.5.0-alpha.9/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
-github.com/sagernet/sing-dns v0.3.0-beta.5 h1:lX+wfnBVaOlSd7+GBgb431Tt/gmYwJXSHvS1HutfnD4=
-github.com/sagernet/sing-dns v0.3.0-beta.5/go.mod h1:qeO/lOUK/c3Zczp5a1VO13fbmolaM8xGKCUXtaX0/NQ=
+github.com/sagernet/sing v0.4.0-beta.18 h1:oK+pvyXnFwxwvQkeUqgxIeATiMHcrH5doLKKDGNmQkU=
+github.com/sagernet/sing v0.4.0-beta.18/go.mod h1:PFQKbElc2Pke7faBLv8oEba5ehtKO21Ho+TkYemTI3Y=
+github.com/sagernet/sing-dns v0.2.0-beta.16 h1:bzd4B8eHD7/WO3HrYknvgE8A56/R3n5oXBjNF97iPzQ=
+github.com/sagernet/sing-dns v0.2.0-beta.16/go.mod h1:XU6Vqr6aHcMz/34Fcv8jmXpRCEuShzW+B7Qg1Xe1nxY=
 github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
 github.com/sagernet/sing-mux v0.2.0/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
-github.com/sagernet/sing-quic v0.2.0-beta.9 h1:gfqUwVgKA6APwFOPhwge9VrPZ0XQtmuXF8hbbIVZML8=
-github.com/sagernet/sing-quic v0.2.0-beta.9/go.mod h1:hb6RwYy9Js0gZi80zlTBWABMOIvJDv46K5yak/pbZ4w=
+github.com/sagernet/sing-quic v0.2.0-beta.1 h1:XR8KPYs50MNcFMR2/lh4eOonYeV15eJolAAWCQZpStI=
+github.com/sagernet/sing-quic v0.2.0-beta.1/go.mod h1:tVUFk5lcW22Bl0ChWlt4Lo93jw0qir3X1fk2ZSypaA4=
 github.com/sagernet/sing-shadowsocks v0.2.6 h1:xr7ylAS/q1cQYS8oxKKajhuQcchd5VJJ4K4UZrrpp0s=
 github.com/sagernet/sing-shadowsocks v0.2.6/go.mod h1:j2YZBIpWIuElPFL/5sJAj470bcn/3QQ5lxZUNKLDNAM=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.4.0-beta.8 h1:3FM7KpE3kmTj7aA9LYtn82pBAFHIrk2O1b84lpx/5ns=
-github.com/sagernet/sing-tun v0.4.0-beta.8/go.mod h1:uoRiCzWHzHLw/angVqXDzUNiQcMRl/ZrElJryQLJFhY=
+github.com/sagernet/sing-tun v0.2.8-beta.1 h1:9loO5/Jqa+54NDi5mKh/CS6LlKsROCSnNQ+jgMcnI+I=
+github.com/sagernet/sing-tun v0.2.8-beta.1/go.mod h1:xPaOkQhngPMILx+/9DMLCFl4vSxUU2tMnCPSlf05HLo=
 github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
 github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
@@ -153,8 +146,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gVBKXc2MVSZ4G/NnWLtzw4gNA=
 github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
-github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
-github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
+github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
 github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
@@ -170,19 +163,20 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
-golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
-golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 h1:LoYXNGAShUG3m/ehNk4iFctuhGX/+R1ZpfJ4/ia80JM=
-golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI=
-golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
-golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
+golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
+golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -190,19 +184,19 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
+golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
-golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
+golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY=
+golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=
--- a/inbound/tun.go
+++ b/inbound/tun.go
@@ -3,7 +3,6 @@ package inbound
 import (
 	"context"
 	"net"
-	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -38,7 +37,6 @@ type Tun struct {
 	tunStack               tun.Stack
 	platformInterface      platform.Interface
 	platformOptions        option.TunPlatformOptions
-	autoRedirect           tun.AutoRedirect
 }

 func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunInboundOptions, platformInterface platform.Interface) (*Tun, error) {
@@ -52,9 +50,9 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 	} else {
 		udpTimeout = C.UDPTimeout
 	}
-	var err error
 	includeUID := uidToRange(options.IncludeUID)
 	if len(options.IncludeUIDRange) > 0 {
+		var err error
 		includeUID, err = parseRange(includeUID, options.IncludeUIDRange)
 		if err != nil {
 			return nil, E.Cause(err, "parse include_uid_range")
@@ -62,13 +60,13 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 	}
 	excludeUID := uidToRange(options.ExcludeUID)
 	if len(options.ExcludeUIDRange) > 0 {
+		var err error
 		excludeUID, err = parseRange(excludeUID, options.ExcludeUIDRange)
 		if err != nil {
 			return nil, E.Cause(err, "parse exclude_uid_range")
 		}
 	}
-
-	inbound := &Tun{
+	return &Tun{
 		tag:            tag,
 		ctx:            ctx,
 		router:         router,
@@ -101,25 +99,7 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		stack:                  options.Stack,
 		platformInterface:      platformInterface,
 		platformOptions:        common.PtrValueOrDefault(options.Platform),
-	}
-	if options.AutoRedirect {
-		if !options.AutoRoute {
-			return nil, E.New("`auto_route` is required by `auto_redirect`")
-		}
-		disableNFTables, dErr := strconv.ParseBool(os.Getenv("DISABLE_NFTABLES"))
-		inbound.autoRedirect, err = tun.NewAutoRedirect(tun.AutoRedirectOptions{
-			TunOptions:      &inbound.tunOptions,
-			Context:         ctx,
-			Handler:         inbound,
-			Logger:          logger,
-			TableName:       "sing-box",
-			DisableNFTables: dErr == nil && disableNFTables,
-		})
-		if err != nil {
-			return nil, E.Cause(err, "initialize auto redirect")
-		}
-	}
-	return inbound, nil
+	}, nil
 }

 func uidToRange(uidList option.Listable[uint32]) []ranges.Range[uint32] {
@@ -186,14 +166,6 @@ func (t *Tun) Start() error {
 	}
 	t.logger.Trace("creating stack")
 	t.tunIf = tunInterface
-	var (
-		forwarderBindInterface bool
-		includeAllNetworks     bool
-	)
-	if t.platformInterface != nil {
-		forwarderBindInterface = true
-		includeAllNetworks = t.platformInterface.IncludeAllNetworks()
-	}
 	t.tunStack, err = tun.NewStack(t.stack, tun.StackOptions{
 		Context:                t.ctx,
 		Tun:                    tunInterface,
@@ -202,9 +174,8 @@ func (t *Tun) Start() error {
 		UDPTimeout:             t.udpTimeout,
 		Handler:                t,
 		Logger:                 t.logger,
-		ForwarderBindInterface: forwarderBindInterface,
+		ForwarderBindInterface: t.platformInterface != nil,
 		InterfaceFinder:        t.router.InterfaceFinder(),
-		IncludeAllNetworks:     includeAllNetworks,
 	})
 	if err != nil {
 		return err
@@ -215,14 +186,6 @@ func (t *Tun) Start() error {
 	if err != nil {
 		return err
 	}
-	if t.autoRedirect != nil {
-		monitor.Start("initiating auto redirect")
-		err = t.autoRedirect.Start()
-		monitor.Finish()
-		if err != nil {
-			return E.Cause(err, "auto redirect")
-		}
-	}
 	t.logger.Info("started at ", t.tunOptions.Name)
 	return nil
 }
@@ -231,7 +194,6 @@ func (t *Tun) Close() error {
 	return common.Close(
 		t.tunStack,
 		t.tunIf,
-		t.autoRedirect,
 	)
 }

@@ -243,11 +205,7 @@ func (t *Tun) NewConnection(ctx context.Context, conn net.Conn, upstreamMetadata
 	metadata.Source = upstreamMetadata.Source
 	metadata.Destination = upstreamMetadata.Destination
 	metadata.InboundOptions = t.inboundOptions
-	if upstreamMetadata.Protocol != "" {
-		t.logger.InfoContext(ctx, "inbound ", upstreamMetadata.Protocol, " connection from ", metadata.Source)
-	} else {
-		t.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
-	}
+	t.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	t.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
 	err := t.router.RouteConnection(ctx, conn, metadata)
 	if err != nil {
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -66,9 +66,8 @@ nav:
      - Proxy Protocol:
          - Shadowsocks: manual/proxy-protocol/shadowsocks.md
          - Trojan: manual/proxy-protocol/trojan.md
+          - TUIC: manual/proxy-protocol/tuic.md
          - Hysteria 2: manual/proxy-protocol/hysteria2.md
-      - Misc:
-          - TunnelVision: manual/misc/tunnelvision.md
  - Configuration:
      - configuration/index.md
      - Log:
--- a/option/dns.go
+++ b/option/dns.go
@@ -19,7 +19,7 @@ type DNSServerOptions struct {
 	AddressFallbackDelay Duration       `json:"address_fallback_delay,omitempty"`
 	Strategy             DomainStrategy `json:"strategy,omitempty"`
 	Detour               string         `json:"detour,omitempty"`
-	ClientSubnet         *AddrPrefix    `json:"client_subnet,omitempty"`
+	ClientSubnet         *ListenAddress `json:"client_subnet,omitempty"`
 }

 type DNSClientOptions struct {
@@ -27,7 +27,7 @@ type DNSClientOptions struct {
 	DisableCache     bool           `json:"disable_cache,omitempty"`
 	DisableExpire    bool           `json:"disable_expire,omitempty"`
 	IndependentCache bool           `json:"independent_cache,omitempty"`
-	ClientSubnet     *AddrPrefix    `json:"client_subnet,omitempty"`
+	ClientSubnet     *ListenAddress `json:"client_subnet,omitempty"`
 }

 type DNSFakeIPOptions struct {
--- a/option/rule_dns.go
+++ b/option/rule_dns.go
@@ -101,7 +101,7 @@ type DefaultDNSRule struct {
 	Server                   string                 `json:"server,omitempty"`
 	DisableCache             bool                   `json:"disable_cache,omitempty"`
 	RewriteTTL               *uint32                `json:"rewrite_ttl,omitempty"`
-	ClientSubnet             *AddrPrefix            `json:"client_subnet,omitempty"`
+	ClientSubnet             *ListenAddress         `json:"client_subnet,omitempty"`
 }

 func (r DefaultDNSRule) IsValid() bool {
@@ -115,13 +115,13 @@ func (r DefaultDNSRule) IsValid() bool {
 }

 type LogicalDNSRule struct {
-	Mode         string      `json:"mode"`
-	Rules        []DNSRule   `json:"rules,omitempty"`
-	Invert       bool        `json:"invert,omitempty"`
-	Server       string      `json:"server,omitempty"`
-	DisableCache bool        `json:"disable_cache,omitempty"`
-	RewriteTTL   *uint32     `json:"rewrite_ttl,omitempty"`
-	ClientSubnet *AddrPrefix `json:"client_subnet,omitempty"`
+	Mode         string         `json:"mode"`
+	Rules        []DNSRule      `json:"rules,omitempty"`
+	Invert       bool           `json:"invert,omitempty"`
+	Server       string         `json:"server,omitempty"`
+	DisableCache bool           `json:"disable_cache,omitempty"`
+	RewriteTTL   *uint32        `json:"rewrite_ttl,omitempty"`
+	ClientSubnet *ListenAddress `json:"client_subnet,omitempty"`
 }

 func (r LogicalDNSRule) IsValid() bool {
--- a/option/tun.go
+++ b/option/tun.go
@@ -9,7 +9,6 @@ type TunInboundOptions struct {
 	Inet4Address             Listable[netip.Prefix] `json:"inet4_address,omitempty"`
 	Inet6Address             Listable[netip.Prefix] `json:"inet6_address,omitempty"`
 	AutoRoute                bool                   `json:"auto_route,omitempty"`
-	AutoRedirect             bool                   `json:"auto_redirect,omitempty"`
 	StrictRoute              bool                   `json:"strict_route,omitempty"`
 	Inet4RouteAddress        Listable[netip.Prefix] `json:"inet4_route_address,omitempty"`
 	Inet6RouteAddress        Listable[netip.Prefix] `json:"inet6_route_address,omitempty"`
--- a/option/types.go
+++ b/option/types.go
@@ -51,40 +51,6 @@ func (a *ListenAddress) Build() netip.Addr {
 	return (netip.Addr)(*a)
 }

-type AddrPrefix netip.Prefix
-
-func (a AddrPrefix) MarshalJSON() ([]byte, error) {
-	prefix := netip.Prefix(a)
-	if prefix.Bits() == prefix.Addr().BitLen() {
-		return json.Marshal(prefix.Addr().String())
-	} else {
-		return json.Marshal(prefix.String())
-	}
-}
-
-func (a *AddrPrefix) UnmarshalJSON(content []byte) error {
-	var value string
-	err := json.Unmarshal(content, &value)
-	if err != nil {
-		return err
-	}
-	prefix, prefixErr := netip.ParsePrefix(value)
-	if prefixErr == nil {
-		*a = AddrPrefix(prefix)
-		return nil
-	}
-	addr, addrErr := netip.ParseAddr(value)
-	if addrErr == nil {
-		*a = AddrPrefix(netip.PrefixFrom(addr, addr.BitLen()))
-		return nil
-	}
-	return prefixErr
-}
-
-func (a AddrPrefix) Build() netip.Prefix {
-	return netip.Prefix(a)
-}
-
 type NetworkList string

 func (v *NetworkList) UnmarshalJSON(content []byte) error {
--- a/outbound/urltest.go
+++ b/outbound/urltest.go
@@ -287,23 +287,8 @@ func (g *URLTestGroup) Close() error {

 func (g *URLTestGroup) Select(network string) (adapter.Outbound, bool) {
 	var minDelay uint16
+	var minTime time.Time
 	var minOutbound adapter.Outbound
-	switch network {
-	case N.NetworkTCP:
-		if g.selectedOutboundTCP != nil {
-			if history := g.history.LoadURLTestHistory(RealTag(g.selectedOutboundTCP)); history != nil {
-				minOutbound = g.selectedOutboundTCP
-				minDelay = history.Delay
-			}
-		}
-	case N.NetworkUDP:
-		if g.selectedOutboundUDP != nil {
-			if history := g.history.LoadURLTestHistory(RealTag(g.selectedOutboundUDP)); history != nil {
-				minOutbound = g.selectedOutboundUDP
-				minDelay = history.Delay
-			}
-		}
-	}
 	for _, detour := range g.outbounds {
 		if !common.Contains(detour.Network(), network) {
 			continue
@@ -312,8 +297,9 @@ func (g *URLTestGroup) Select(network string) (adapter.Outbound, bool) {
 		if history == nil {
 			continue
 		}
-		if minDelay == 0 || minDelay > history.Delay+g.tolerance {
+		if minDelay == 0 || minDelay > history.Delay+g.tolerance || minDelay > history.Delay-g.tolerance && minTime.Before(history.Time) {
 			minDelay = history.Delay
+			minTime = history.Time
 			minOutbound = detour
 		}
 	}
--- a/outbound/wireguard.go
+++ b/outbound/wireguard.go
@@ -19,7 +19,6 @@ import (
 	"github.com/sagernet/sing-box/transport/wireguard"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -112,25 +111,6 @@ func NewWireGuard(ctx context.Context, router adapter.Router, logger log.Context
 }

 func (w *WireGuard) Start() error {
-	if common.Any(w.peers, func(peer wireguard.PeerConfig) bool {
-		return !peer.Endpoint.IsValid()
-	}) {
-		// wait for all outbounds to be started and continue in PortStart
-		return nil
-	}
-	return w.start()
-}
-
-func (w *WireGuard) PostStart() error {
-	if common.All(w.peers, func(peer wireguard.PeerConfig) bool {
-		return peer.Endpoint.IsValid()
-	}) {
-		return nil
-	}
-	return w.start()
-}
-
-func (w *WireGuard) start() error {
 	err := wireguard.ResolvePeers(w.ctx, w.router, w.peers)
 	if err != nil {
 		return err
--- a/route/router.go
+++ b/route/router.go
@@ -27,7 +27,7 @@ import (
 	"github.com/sagernet/sing-box/outbound"
 	"github.com/sagernet/sing-box/transport/fakeip"
 	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing-mux"
+	mux "github.com/sagernet/sing-mux"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing/common"
@@ -221,7 +221,7 @@ func NewRouter(
 				if serverAddress == "" {
 					serverAddress = server.Address
 				}
-				notIpAddress := !M.ParseSocksaddr(serverAddress).Addr.IsValid()
+				_, notIpAddress := netip.ParseAddr(serverAddress)
 				if server.AddressResolver != "" {
 					if !transportTagMap[server.AddressResolver] {
 						return nil, E.New("parse dns server[", tag, "]: address resolver not found: ", server.AddressResolver)
@@ -231,11 +231,11 @@ func NewRouter(
 					} else {
 						continue
 					}
-				} else if notIpAddress && strings.Contains(server.Address, ".") {
+				} else if notIpAddress != nil && strings.Contains(server.Address, ".") {
 					return nil, E.New("parse dns server[", tag, "]: missing address_resolver")
 				}
 			}
-			var clientSubnet netip.Prefix
+			var clientSubnet netip.Addr
 			if server.ClientSubnet != nil {
 				clientSubnet = server.ClientSubnet.Build()
 			} else if dnsOptions.ClientSubnet != nil {
@@ -352,6 +352,14 @@ func NewRouter(
 		router.interfaceMonitor = interfaceMonitor
 	}

+	if runtime.GOOS == "windows" {
+		powerListener, err := winpowrprof.NewEventListener(router.notifyWindowsPowerEvent)
+		if err != nil {
+			return nil, E.Cause(err, "initialize power listener")
+		}
+		router.powerListener = powerListener
+	}
+
 	if ntpOptions.Enabled {
 		ntpDialer, err := dialer.New(router, ntpOptions.DialerOptions)
 		if err != nil {
@@ -394,17 +402,20 @@ func (r *Router) Initialize(inbounds []adapter.Inbound, outbounds []adapter.Outb
 			defaultOutboundForPacketConnection = detour
 		}
 	}
+	var index, packetIndex int
 	if defaultOutboundForConnection == nil {
-		for _, detour := range outbounds {
+		for i, detour := range outbounds {
 			if common.Contains(detour.Network(), N.NetworkTCP) {
+				index = i
 				defaultOutboundForConnection = detour
 				break
 			}
 		}
 	}
 	if defaultOutboundForPacketConnection == nil {
-		for _, detour := range outbounds {
+		for i, detour := range outbounds {
 			if common.Contains(detour.Network(), N.NetworkUDP) {
+				packetIndex = i
 				defaultOutboundForPacketConnection = detour
 				break
 			}
@@ -421,6 +432,22 @@ func (r *Router) Initialize(inbounds []adapter.Inbound, outbounds []adapter.Outb
 		outbounds = append(outbounds, detour)
 		outboundByTag[detour.Tag()] = detour
 	}
+	if defaultOutboundForConnection != defaultOutboundForPacketConnection {
+		var description string
+		if defaultOutboundForConnection.Tag() != "" {
+			description = defaultOutboundForConnection.Tag()
+		} else {
+			description = F.ToString(index)
+		}
+		var packetDescription string
+		if defaultOutboundForPacketConnection.Tag() != "" {
+			packetDescription = defaultOutboundForPacketConnection.Tag()
+		} else {
+			packetDescription = F.ToString(packetIndex)
+		}
+		r.logger.Info("using ", defaultOutboundForConnection.Type(), "[", description, "] as default outbound for connection")
+		r.logger.Info("using ", defaultOutboundForPacketConnection.Type(), "[", packetDescription, "] as default outbound for packet connection")
+	}
 	r.inboundByTag = inboundByTag
 	r.outbounds = outbounds
 	r.defaultOutboundForConnection = defaultOutboundForConnection
@@ -509,12 +536,75 @@ func (r *Router) Start() error {
 		r.geositeReader = nil
 	}

-	if runtime.GOOS == "windows" {
-		powerListener, err := winpowrprof.NewEventListener(r.notifyWindowsPowerEvent)
-		if err == nil {
-			r.powerListener = powerListener
+	if len(r.ruleSets) > 0 {
+		monitor.Start("initialize rule-set")
+		ruleSetStartContext := NewRuleSetStartContext()
+		var ruleSetStartGroup task.Group
+		for i, ruleSet := range r.ruleSets {
+			ruleSetInPlace := ruleSet
+			ruleSetStartGroup.Append0(func(ctx context.Context) error {
+				err := ruleSetInPlace.StartContext(ctx, ruleSetStartContext)
+				if err != nil {
+					return E.Cause(err, "initialize rule-set[", i, "]")
+				}
+				return nil
+			})
+		}
+		ruleSetStartGroup.Concurrency(5)
+		ruleSetStartGroup.FastFail()
+		err := ruleSetStartGroup.Run(r.ctx)
+		monitor.Finish()
+		if err != nil {
+			return err
+		}
+		ruleSetStartContext.Close()
+	}
+	var (
+		needProcessFromRuleSet   bool
+		needWIFIStateFromRuleSet bool
+	)
+	for _, ruleSet := range r.ruleSets {
+		metadata := ruleSet.Metadata()
+		if metadata.ContainsProcessRule {
+			needProcessFromRuleSet = true
+		}
+		if metadata.ContainsWIFIRule {
+			needWIFIStateFromRuleSet = true
+		}
+	}
+	if needProcessFromRuleSet || r.needFindProcess || r.needPackageManager {
+		if C.IsAndroid && r.platformInterface == nil {
+			monitor.Start("initialize package manager")
+			packageManager, err := tun.NewPackageManager(r)
+			monitor.Finish()
+			if err != nil {
+				return E.Cause(err, "create package manager")
+			}
+			monitor.Start("start package manager")
+			err = packageManager.Start()
+			monitor.Finish()
+			if err != nil {
+				return E.Cause(err, "start package manager")
+			}
+			r.packageManager = packageManager
+		}
+
+		if r.platformInterface != nil {
+			r.processSearcher = r.platformInterface
 		} else {
-			r.logger.Warn("initialize power listener: ", err)
+			monitor.Start("initialize process searcher")
+			searcher, err := process.NewSearcher(process.Config{
+				Logger:         r.logger,
+				PackageManager: r.packageManager,
+			})
+			monitor.Finish()
+			if err != nil {
+				if err != os.ErrInvalid {
+					r.logger.Warn(E.Cause(err, "create process searcher"))
+				}
+			} else {
+				r.processSearcher = searcher
+			}
 		}
 	}

@@ -527,26 +617,29 @@ func (r *Router) Start() error {
 		}
 	}

+	if (needWIFIStateFromRuleSet || r.needWIFIState) && r.platformInterface != nil {
+		monitor.Start("initialize WIFI state")
+		r.needWIFIState = true
+		r.interfaceMonitor.RegisterCallback(func(_ int) {
+			r.updateWIFIState()
+		})
+		r.updateWIFIState()
+		monitor.Finish()
+	}
+
+	for i, rule := range r.rules {
+		monitor.Start("initialize rule[", i, "]")
+		err := rule.Start()
+		monitor.Finish()
+		if err != nil {
+			return E.Cause(err, "initialize rule[", i, "]")
+		}
+	}
+
 	monitor.Start("initialize DNS client")
 	r.dnsClient.Start()
 	monitor.Finish()

-	if C.IsAndroid && r.platformInterface == nil {
-		monitor.Start("initialize package manager")
-		packageManager, err := tun.NewPackageManager(r)
-		monitor.Finish()
-		if err != nil {
-			return E.Cause(err, "create package manager")
-		}
-		monitor.Start("start package manager")
-		err = packageManager.Start()
-		monitor.Finish()
-		if err != nil {
-			return E.Cause(err, "start package manager")
-		}
-		r.packageManager = packageManager
-	}
-
 	for i, rule := range r.dnsRules {
 		monitor.Start("initialize DNS rule[", i, "]")
 		err := rule.Start()
@@ -651,79 +744,14 @@ func (r *Router) Close() error {
 }

 func (r *Router) PostStart() error {
-	monitor := taskmonitor.New(r.logger, C.StopTimeout)
 	if len(r.ruleSets) > 0 {
-		monitor.Start("initialize rule-set")
-		ruleSetStartContext := NewRuleSetStartContext()
-		var ruleSetStartGroup task.Group
 		for i, ruleSet := range r.ruleSets {
-			ruleSetInPlace := ruleSet
-			ruleSetStartGroup.Append0(func(ctx context.Context) error {
-				err := ruleSetInPlace.StartContext(ctx, ruleSetStartContext)
-				if err != nil {
-					return E.Cause(err, "initialize rule-set[", i, "]")
-				}
-				return nil
-			})
-		}
-		ruleSetStartGroup.Concurrency(5)
-		ruleSetStartGroup.FastFail()
-		err := ruleSetStartGroup.Run(r.ctx)
-		monitor.Finish()
-		if err != nil {
-			return err
-		}
-		ruleSetStartContext.Close()
-	}
-	var (
-		needProcessFromRuleSet   bool
-		needWIFIStateFromRuleSet bool
-	)
-	for _, ruleSet := range r.ruleSets {
-		metadata := ruleSet.Metadata()
-		if metadata.ContainsProcessRule {
-			needProcessFromRuleSet = true
-		}
-		if metadata.ContainsWIFIRule {
-			needWIFIStateFromRuleSet = true
-		}
-	}
-	if needProcessFromRuleSet || r.needFindProcess {
-		if r.platformInterface != nil {
-			r.processSearcher = r.platformInterface
-		} else {
-			monitor.Start("initialize process searcher")
-			searcher, err := process.NewSearcher(process.Config{
-				Logger:         r.logger,
-				PackageManager: r.packageManager,
-			})
-			monitor.Finish()
+			err := ruleSet.PostStart()
 			if err != nil {
-				if err != os.ErrInvalid {
-					r.logger.Warn(E.Cause(err, "create process searcher"))
-				}
-			} else {
-				r.processSearcher = searcher
+				return E.Cause(err, "post start rule-set[", i, "]")
 			}
 		}
 	}
-	if (needWIFIStateFromRuleSet || r.needWIFIState) && r.platformInterface != nil {
-		monitor.Start("initialize WIFI state")
-		r.needWIFIState = true
-		r.interfaceMonitor.RegisterCallback(func(_ int) {
-			r.updateWIFIState()
-		})
-		r.updateWIFIState()
-		monitor.Finish()
-	}
-	for i, rule := range r.rules {
-		monitor.Start("initialize rule[", i, "]")
-		err := rule.Start()
-		monitor.Finish()
-		if err != nil {
-			return E.Cause(err, "initialize rule[", i, "]")
-		}
-	}
 	r.started = true
 	return nil
 }
@@ -822,16 +850,7 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad

 	if metadata.InboundOptions.SniffEnabled {
 		buffer := buf.NewPacket()
-		sniffMetadata, err := sniff.PeekStream(
-			ctx,
-			conn,
-			buffer,
-			time.Duration(metadata.InboundOptions.SniffTimeout),
-			sniff.StreamDomainNameQuery,
-			sniff.TLSClientHello,
-			sniff.HTTPHost,
-			sniff.BitTorrent,
-		)
+		sniffMetadata, err := sniff.PeekStream(ctx, conn, buffer, time.Duration(metadata.InboundOptions.SniffTimeout), sniff.StreamDomainNameQuery, sniff.TLSClientHello, sniff.HTTPHost)
 		if sniffMetadata != nil {
 			metadata.Protocol = sniffMetadata.Protocol
 			metadata.Domain = sniffMetadata.Domain
@@ -958,15 +977,7 @@ func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, m
 			metadata.Destination = destination
 		}
 		if metadata.InboundOptions.SniffEnabled {
-			sniffMetadata, _ := sniff.PeekPacket(
-				ctx,
-				buffer.Bytes(),
-				sniff.DomainNameQuery,
-				sniff.QUICClientHello,
-				sniff.STUNMessage,
-				sniff.UTP,
-				sniff.UDPTracker,
-			)
+			sniffMetadata, _ := sniff.PeekPacket(ctx, buffer.Bytes(), sniff.DomainNameQuery, sniff.QUICClientHello, sniff.STUNMessage)
 			if sniffMetadata != nil {
 				metadata.Protocol = sniffMetadata.Protocol
 				metadata.Domain = sniffMetadata.Domain
@@ -1110,9 +1121,6 @@ func (r *Router) AutoDetectInterfaceFunc() control.Func {
 	if r.platformInterface != nil && r.platformInterface.UsePlatformAutoDetectInterfaceControl() {
 		return r.platformInterface.AutoDetectInterfaceControl()
 	} else {
-		if r.interfaceMonitor == nil {
-			return nil
-		}
 		return control.BindToInterfaceFunc(r.InterfaceFinder(), func(network string, address string) (interfaceName string, interfaceIndex int, err error) {
 			remoteAddr := M.ParseSocksaddr(address).Addr
 			if C.IsLinux {
--- a/route/router_dns.go
+++ b/route/router_dns.go
@@ -8,6 +8,7 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/cache"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -121,10 +122,12 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, er
 		for {
 			var (
 				dnsCtx       context.Context
+				cancel       context.CancelFunc
 				addressLimit bool
 			)

 			dnsCtx, transport, strategy, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex)
+			dnsCtx, cancel = context.WithTimeout(dnsCtx, C.DNSTimeout)
 			if rule != nil && rule.WithAddressLimit() && isAddressQuery(message) {
 				addressLimit = true
 				response, err = r.dnsClient.ExchangeWithResponseCheck(dnsCtx, transport, message, strategy, func(response *mDNS.Msg) bool {
@@ -135,6 +138,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, er
 				addressLimit = false
 				response, err = r.dnsClient.Exchange(dnsCtx, transport, message, strategy)
 			}
+			cancel()
 			var rejected bool
 			if err != nil {
 				if errors.Is(err, dns.ErrResponseRejectedCached) {
@@ -196,6 +200,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, strategy dns.DomainS
 	for {
 		var (
 			dnsCtx       context.Context
+			cancel       context.CancelFunc
 			addressLimit bool
 		)
 		metadata.ResetRuleCache()
@@ -204,6 +209,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, strategy dns.DomainS
 		if strategy == dns.DomainStrategyAsIS {
 			strategy = transportStrategy
 		}
+		dnsCtx, cancel = context.WithTimeout(dnsCtx, C.DNSTimeout)
 		if rule != nil && rule.WithAddressLimit() {
 			addressLimit = true
 			responseAddrs, err = r.dnsClient.LookupWithResponseCheck(dnsCtx, transport, domain, strategy, func(responseAddrs []netip.Addr) bool {
@@ -214,6 +220,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, strategy dns.DomainS
 			addressLimit = false
 			responseAddrs, err = r.dnsClient.Lookup(dnsCtx, transport, domain, strategy)
 		}
+		cancel()
 		if err != nil {
 			if errors.Is(err, dns.ErrResponseRejectedCached) {
 				r.dnsLogger.DebugContext(ctx, "response rejected for ", domain, " (cached)")
--- a/route/rule_dns.go
+++ b/route/rule_dns.go
@@ -40,7 +40,7 @@ type DefaultDNSRule struct {
 	abstractDefaultRule
 	disableCache bool
 	rewriteTTL   *uint32
-	clientSubnet *netip.Prefix
+	clientSubnet *netip.Addr
 }

 func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options option.DefaultDNSRule) (*DefaultDNSRule, error) {
@@ -51,7 +51,7 @@ func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options
 		},
 		disableCache: options.DisableCache,
 		rewriteTTL:   options.RewriteTTL,
-		clientSubnet: (*netip.Prefix)(options.ClientSubnet),
+		clientSubnet: (*netip.Addr)(options.ClientSubnet),
 	}
 	if len(options.Inbound) > 0 {
 		item := NewInboundRule(options.Inbound)
@@ -234,7 +234,7 @@ func (r *DefaultDNSRule) RewriteTTL() *uint32 {
 	return r.rewriteTTL
 }

-func (r *DefaultDNSRule) ClientSubnet() *netip.Prefix {
+func (r *DefaultDNSRule) ClientSubnet() *netip.Addr {
 	return r.clientSubnet
 }

@@ -272,7 +272,7 @@ type LogicalDNSRule struct {
 	abstractLogicalRule
 	disableCache bool
 	rewriteTTL   *uint32
-	clientSubnet *netip.Prefix
+	clientSubnet *netip.Addr
 }

 func NewLogicalDNSRule(router adapter.Router, logger log.ContextLogger, options option.LogicalDNSRule) (*LogicalDNSRule, error) {
@@ -284,7 +284,6 @@ func NewLogicalDNSRule(router adapter.Router, logger log.ContextLogger, options
 		},
 		disableCache: options.DisableCache,
 		rewriteTTL:   options.RewriteTTL,
-		clientSubnet: (*netip.Prefix)(options.ClientSubnet),
 	}
 	switch options.Mode {
 	case C.LogicalTypeAnd:
@@ -312,7 +311,7 @@ func (r *LogicalDNSRule) RewriteTTL() *uint32 {
 	return r.rewriteTTL
 }

-func (r *LogicalDNSRule) ClientSubnet() *netip.Prefix {
+func (r *LogicalDNSRule) ClientSubnet() *netip.Addr {
 	return r.clientSubnet
 }

--- a/route/rule_set_local.go
+++ b/route/rule_set_local.go
@@ -78,6 +78,10 @@ func (s *LocalRuleSet) StartContext(ctx context.Context, startContext adapter.Ru
 	return nil
 }

+func (s *LocalRuleSet) PostStart() error {
+	return nil
+}
+
 func (s *LocalRuleSet) Metadata() adapter.RuleSetMetadata {
 	return s.metadata
 }
--- a/route/rule_set_remote.go
+++ b/route/rule_set_remote.go
@@ -112,6 +112,16 @@ func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext adapter.R
 	return nil
 }

+func (s *RemoteRuleSet) PostStart() error {
+	if s.lastUpdated.IsZero() {
+		err := s.fetchOnce(s.ctx, nil)
+		if err != nil {
+			s.logger.Error("fetch rule-set ", s.options.Tag, ": ", err)
+		}
+	}
+	return nil
+}
+
 func (s *RemoteRuleSet) Metadata() adapter.RuleSetMetadata {
 	return s.metadata
 }
--- a/test/box_test.go
+++ b/test/box_test.go
@@ -113,7 +113,7 @@ func testSuitLargeUDP(t *testing.T, clientPort uint16, testPort uint16) {
 	require.NoError(t, testPingPongWithPacketConn(t, testPort, dialUDP))
 	require.NoError(t, testLargeDataWithConn(t, testPort, dialTCP))
 	require.NoError(t, testLargeDataWithPacketConn(t, testPort, dialUDP))
-	require.NoError(t, testLargeDataWithPacketConnSize(t, testPort, 4096, dialUDP))
+	require.NoError(t, testLargeDataWithPacketConnSize(t, testPort, 5000, dialUDP))
 }

 func testTCP(t *testing.T, clientPort uint16, testPort uint16) {
--- a/transport/wireguard/client_bind.go
+++ b/transport/wireguard/client_bind.go
@@ -12,8 +12,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
-	"github.com/sagernet/sing/service/pause"
 	"github.com/sagernet/wireguard-go/conn"
 )

@@ -21,9 +19,6 @@ var _ conn.Bind = (*ClientBind)(nil)

 type ClientBind struct {
 	ctx                 context.Context
-	pauseManager        pause.Manager
-	bindCtx             context.Context
-	bindDone            context.CancelFunc
 	errorHandler        E.Handler
 	dialer              N.Dialer
 	reservedForEndpoint map[netip.AddrPort][3]uint8
@@ -38,7 +33,6 @@ type ClientBind struct {
 func NewClientBind(ctx context.Context, errorHandler E.Handler, dialer N.Dialer, isConnect bool, connectAddr netip.AddrPort, reserved [3]uint8) *ClientBind {
 	return &ClientBind{
 		ctx:                 ctx,
-		pauseManager:        service.FromContext[pause.Manager](ctx),
 		errorHandler:        errorHandler,
 		dialer:              dialer,
 		reservedForEndpoint: make(map[netip.AddrPort][3]uint8),
@@ -61,11 +55,6 @@ func (c *ClientBind) connect() (*wireConn, error) {
 	}
 	c.connAccess.Lock()
 	defer c.connAccess.Unlock()
-	select {
-	case <-c.done:
-		return nil, net.ErrClosed
-	default:
-	}
 	serverConn = c.conn
 	if serverConn != nil {
 		select {
@@ -76,7 +65,7 @@ func (c *ClientBind) connect() (*wireConn, error) {
 		}
 	}
 	if c.isConnect {
-		udpConn, err := c.dialer.DialContext(c.bindCtx, N.NetworkUDP, M.SocksaddrFromNetIP(c.connectAddr))
+		udpConn, err := c.dialer.DialContext(c.ctx, N.NetworkUDP, M.SocksaddrFromNetIP(c.connectAddr))
 		if err != nil {
 			return nil, err
 		}
@@ -85,7 +74,7 @@ func (c *ClientBind) connect() (*wireConn, error) {
 			done:       make(chan struct{}),
 		}
 	} else {
-		udpConn, err := c.dialer.ListenPacket(c.bindCtx, M.Socksaddr{Addr: netip.IPv4Unspecified()})
+		udpConn, err := c.dialer.ListenPacket(c.ctx, M.Socksaddr{Addr: netip.IPv4Unspecified()})
 		if err != nil {
 			return nil, err
 		}
@@ -103,7 +92,6 @@ func (c *ClientBind) Open(port uint16) (fns []conn.ReceiveFunc, actualPort uint1
 		c.done = make(chan struct{})
 	default:
 	}
-	c.bindCtx, c.bindDone = context.WithCancel(c.ctx)
 	return []conn.ReceiveFunc{c.receive}, 0, nil
 }

@@ -117,7 +105,6 @@ func (c *ClientBind) receive(packets [][]byte, sizes []int, eps []conn.Endpoint)
 		}
 		c.errorHandler.NewError(context.Background(), E.Cause(err, "connect to server"))
 		err = nil
-		c.pauseManager.WaitActive()
 		time.Sleep(time.Second)
 		return
 	}
@@ -143,17 +130,12 @@ func (c *ClientBind) receive(packets [][]byte, sizes []int, eps []conn.Endpoint)
 }

 func (c *ClientBind) Close() error {
+	common.Close(common.PtrOrNil(c.conn))
 	select {
 	case <-c.done:
 	default:
 		close(c.done)
 	}
-	if c.bindDone != nil {
-		c.bindDone()
-	}
-	c.connAccess.Lock()
-	defer c.connAccess.Unlock()
-	common.Close(common.PtrOrNil(c.conn))
 	return nil
 }

@@ -164,8 +146,6 @@ func (c *ClientBind) SetMark(mark uint32) error {
 func (c *ClientBind) Send(bufs [][]byte, ep conn.Endpoint) error {
 	udpConn, err := c.connect()
 	if err != nil {
-		c.pauseManager.WaitActive()
-		time.Sleep(time.Second)
 		return err
 	}
 	destination := netip.AddrPort(ep.(Endpoint))
Author	SHA1	Message	Date
世界	3fb98f6549	documentation: Bump version	2024-05-03 17:41:59 +08:00
世界	3f48b1bcb2	documentation: Update DNS manual	2024-05-03 17:41:27 +08:00
世界	3e055fae5d	dialer: Allow nil router	2024-05-03 17:41:27 +08:00
世界	79e3e7de7f	Add `rule-set match` command	2024-05-03 17:41:27 +08:00
世界	db85b4b4dc	Add `bypass_domain` and `search_domain` platform HTTP proxy options	2024-05-03 17:41:27 +08:00
世界	014e7fa657	Update gVisor to 20240422.0	2024-05-03 17:41:20 +08:00
世界	12fab046f0	Update quic-go to v0.43.0	2024-05-03 17:38:51 +08:00
世界	d432552614	Fixed order for Clash modes	2024-05-03 17:38:51 +08:00
气息	6a17c756ba	Fix DNS exchange index Signed-off-by: 气息 <qdshizh@gmail.com>	2024-05-03 17:38:50 +08:00
dyhkwong	1ef68d9ec6	Always disable cache for fake-ip servers	2024-05-03 17:38:50 +08:00
PuerNya	e823a2f202	Always disable cache for fake-ip DNS transport if `independent_cache` disabled	2024-05-03 17:38:50 +08:00
世界	229b30aa3d	Fix missing `rule_set_ipcidr_match_source` item in DNS rules	2024-05-03 17:38:50 +08:00
世界	fbdac078dc	Improve DNS truncate behavior	2024-05-03 17:38:50 +08:00
世界	d5713fd44e	Fix DNS fallthrough incorrectly	2024-05-03 17:38:50 +08:00
世界	8c7b71f582	Add rejected DNS response cache support	2024-05-03 17:38:50 +08:00
世界	2e731f9011	Add support for `client-subnet` DNS options	2024-05-03 17:38:49 +08:00
世界	4d43dc38fb	Add address filter support for DNS rules	2024-05-03 17:38:49 +08:00
世界	ac7cf6fb72	Fix timezone for Android and iOS	2024-05-03 17:38:49 +08:00
世界	0f54e7525f	Improve loopback detector	2024-05-03 17:38:49 +08:00
世界	1e1b41d45a	Remove unused fakeip packet conn	2024-05-03 17:38:49 +08:00
世界	e916b38237	Set the default TCP keep alive period	2024-05-03 17:38:48 +08:00
世界	3fe486b40b	Migrate ntp service to library	2024-05-03 17:38:48 +08:00
世界	d703e843e5	Handle Windows power events	2024-05-03 17:38:48 +08:00
世界	cfe9ef4caf	Improve domain suffix match behavior For historical reasons, sing-box's `domain_suffix` rule matches literal prefixes instead of the same as other projects. This change modifies the behavior of `domain_suffix`: If the rule value is prefixed with `.`, the behavior is unchanged, otherwise it matches `(domain\|.+\.domain)` instead.	2024-05-03 17:38:48 +08:00
世界	a889c2cae7	Remove `PROCESS_NAME_NATIVE` dwFlag in process query output The `process_path` rule of sing-box is inherited from Clash, the original code uses the local system's path format (e.g. `\Device\HarddiskVolume1\folder\program.exe`), but when the device has multiple disks, the HarddiskVolume serial number is not stable. This change make QueryFullProcessImageNameW output a Win32 path (such as `C:\folder\program.exe`), which will disrupt the existing `process_path` use cases in Windows.	2024-05-03 17:38:48 +08:00
世界	205106167d	badtls: Support uTLS and TLS ECH for read waiter	2024-05-03 17:38:48 +08:00