documentation: Bump version

Refactor Authenticator interface to struct &
Update smux &
Update gVisor to 20231204.0 &
Update quic-go to v0.40.1 &
Update wireguard-go &
Add GSO support for TUN/WireGuard &
Fix router pre-start &
Fix bind forwarder to interface for systems stack

.github/FUNDING.yml

@@ -1 +0,0 @@
-github: nekohasekai

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -65,12 +65,6 @@ body:
         For Apple platform clients, please check `Settings - View Service Log` for crash logs.
         For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
       render: shell
-  - type: checkboxes
-    id: supporter
-    attributes:
-      label: Supporter
-      options:
-        - label: I am a [sponsor](https://github.com/sponsors/nekohasekai/)
   - type: checkboxes
     attributes:
       label: Integrity requirements

.github/ISSUE_TEMPLATE/bug_report_zh.yml

@@ -65,12 +65,6 @@ body:
         对于 Apple 平台图形客户端程序，请检查 `Settings - View Service Log` 以导出崩溃日志。
         对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
       render: shell
-  - type: checkboxes
-    id: supporter
-    attributes:
-      label: 支持我们
-      options:
-        - label: 我已经 [赞助](https://github.com/sponsors/nekohasekai/)
   - type: checkboxes
     attributes:
       label: 完整性要求

.github/update_clients.sh

@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-
-PROJECTS=$(dirname "$0")/../..
-
-function updateClient() {
-  pushd clients/$1
-  git fetch
-  git reset FETCH_HEAD --hard
-  popd
-  git add clients/$1
-}
-
-updateClient "apple"
-updateClient "android"

.github/workflows/debug.yml

@@ -22,55 +22,67 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          fetch-depth: 0
+      - name: Get latest go version
+        id: version
+        run: |
+          echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.version.outputs.go_version }}
+      - name: Add cache to Go proxy
+        run: |
+          version=`git rev-parse HEAD`
+          mkdir build
+          pushd build
+          go mod init build
+          go get -v github.com/sagernet/sing-box@$version
+          popd
+        continue-on-error: true
+      - name: Run Test
+        run: |
+          go test -v ./...
+  build_go118:
+    name: Debug build (Go 1.18)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.22
-        continue-on-error: true
+          go-version: 1.18.10
+      - name: Cache go module
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+          key: go118-${{ hashFiles('**/go.sum') }}
       - name: Run Test
-        run: |
-          go test -v ./...
+        run: make ci_build_go118
   build_go120:
     name: Debug build (Go 1.20)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.20
+          go-version: 1.20.7
       - name: Cache go module
-        uses: actions/cache@v4
+        uses: actions/cache@v3
         with:
           path: |
             ~/go/pkg/mod
-          key: go120-${{ hashFiles('**/go.sum') }}
-      - name: Run Test
-        run: make ci_build_go120
-  build_go121:
-    name: Debug build (Go 1.21)
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.21
-      - name: Cache go module
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go121-${{ hashFiles('**/go.sum') }}
+          key: go118-${{ hashFiles('**/go.sum') }}
       - name: Run Test
         run: make ci_build
   cross:
@@ -176,7 +188,8 @@ jobs:
           - name: freebsd-arm64
             goos: freebsd
             goarch: arm64
-      fail-fast: true
+
+      fail-fast: false
     runs-on: ubuntu-latest
     env:
       GOOS: ${{ matrix.goos }}
@@ -188,13 +201,22 @@ jobs:
       TAGS: with_clash_api,with_quic
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
+      - name: Get latest go version
+        id: version
+        run: |
+          echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.21
+          go-version: ${{ steps.version.outputs.go_version }}
       - name: Build
         id: build
-        run: make
+        run: make
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sing-box-${{ matrix.name }}
+          path: sing-box*

.github/workflows/docker.yml

@@ -1,9 +1,5 @@
 name: Build Docker Images
-
 on:
-  release:
-    types:
-      - released
   workflow_dispatch:
     inputs:
       tag:
@@ -12,27 +8,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - name: Get commit to build
-        id: ref
-        run: |-
-          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
-            ref="${{ github.ref_name }}"
-          else
-            ref="${{ github.event.inputs.tag }}"
-          fi
-          echo "ref=$ref"
-          echo "ref=$ref" >> $GITHUB_OUTPUT
-          if [[ $ref == *"-"* ]]; then
-            latest=latest-beta
-          else
-            latest=latest
-          fi
-          echo "latest=$latest"
-          echo "latest=$latest" >> $GITHUB_OUTPUT
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
-        with:
-          ref: ${{ steps.ref.outputs.ref }}
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Setup QEMU for Docker Buildx
@@ -48,15 +25,23 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: ghcr.io/sagernet/sing-box
+      - name: Get tag to build
+        id: tag
+        run: |
+          echo "latest=ghcr.io/sagernet/sing-box:latest" >> $GITHUB_OUTPUT
+          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
+            echo "versioned=ghcr.io/sagernet/sing-box:${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          else
+            echo "versioned=ghcr.io/sagernet/sing-box:${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
+          fi
       - name: Build and release Docker images
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
         with:
           platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
-          context: .
           target: dist
           build-args: |
             BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
           tags: |
-            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.latest }}
-            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.ref }}
+            ${{ steps.tag.outputs.latest }}
+            ${{ steps.tag.outputs.versioned }}
           push: true

.github/workflows/lint.yml

@@ -22,15 +22,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
+      - name: Get latest go version
+        id: version
+        run: |
+          echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.22
+          go-version: ${{ steps.version.outputs.go_version }}
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v3
         with:
           version: latest
           args: --timeout=30m

.github/workflows/linux.yml

@@ -1,39 +0,0 @@
-name: Release to Linux repository
-
-on:
-  release:
-    types:
-      - published
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.22
-      - name: Extract signing key
-        run: |-
-          mkdir -p $HOME/.gnupg
-          cat > $HOME/.gnupg/sagernet.key <<EOF
-          ${{ secrets.GPG_KEY }}
-          echo "HOME=$HOME" >> "$GITHUB_ENV"
-          EOF
-          echo "HOME=$HOME" >> "$GITHUB_ENV"
-      - name: Publish release
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          distribution: goreleaser-pro
-          version: latest
-          args: release -f .goreleaser.fury.yaml --clean
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-          FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
-          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
-          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

.gitignore

@@ -14,5 +14,3 @@
 /*.xcframework/
 .DS_Store
 /config.d/
-/venv/
-

.gitmodules

@@ -1,6 +0,0 @@
-[submodule "clients/apple"]
-	path = clients/apple
-	url = https://github.com/SagerNet/sing-box-for-apple.git
-[submodule "clients/android"]
-	path = clients/android
-	url = https://github.com/SagerNet/sing-box-for-android.git

.goreleaser.fury.yaml

@@ -1,86 +0,0 @@
-project_name: sing-box
-builds:
-  - id: main
-    main: ./cmd/sing-box
-    flags:
-      - -v
-      - -trimpath
-    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_ech
-      - with_utls
-      - with_reality_server
-      - with_acme
-      - with_clash_api
-    env:
-      - CGO_ENABLED=0
-    targets:
-      - linux_386
-      - linux_amd64_v1
-      - linux_arm64
-      - linux_arm_7
-      - linux_s390x
-      - linux_riscv64
-    mod_timestamp: '{{ .CommitTimestamp }}'
-snapshot:
-  name_template: "{{ .Version }}.{{ .ShortCommit }}"
-nfpms:
-  - &template
-    id: package
-    package_name: sing-box
-    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    builds:
-      - main
-    homepage: https://sing-box.sagernet.org/
-    maintainer: nekohasekai <contact-git@sekai.icu>
-    description: The universal proxy platform.
-    license: GPLv3 or later
-    formats:
-      - deb
-      - rpm
-    priority: extra
-    contents:
-      - src: release/config/config.json
-        dst: /etc/sing-box/config.json
-        type: config
-      - src: release/config/sing-box.service
-        dst: /usr/lib/systemd/system/sing-box.service
-      - src: release/config/sing-box@.service
-        dst: /usr/lib/systemd/system/sing-box@.service
-      - src: LICENSE
-        dst: /usr/share/licenses/sing-box/LICENSE
-    deb:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-      fields:
-        Bugs: https://github.com/SagerNet/sing-box/issues
-    rpm:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-    conflicts:
-      - sing-box-beta
-  - id: package_beta
-    <<: *template
-    package_name: sing-box-beta
-    file_name_template: '{{ .ProjectName }}-beta_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    formats:
-      - deb
-      - rpm
-    conflicts:
-      - sing-box
-release:
-  disable: true
-furies:
-  - account: sagernet
-    ids:
-      - package
-    disable: "{{ not (not .Prerelease) }}"
-  - account: sagernet
-    ids:
-      - package_beta
-    disable: "{{ not .Prerelease }}"

.goreleaser.yaml

@@ -1,11 +1,14 @@
 project_name: sing-box
 builds:
-  - &template
-    id: main
+  - id: main
     main: ./cmd/sing-box
     flags:
       - -v
       - -trimpath
+    asmflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    gcflags:
+      - all=-trimpath={{.Env.GOPATH}}
     ldflags:
       - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
     tags:
@@ -27,35 +30,65 @@ builds:
       - linux_arm64
       - linux_arm_7
       - linux_s390x
-      - linux_riscv64
       - windows_amd64_v1
       - windows_amd64_v3
       - windows_386
       - windows_arm64
       - darwin_amd64_v1
+      - darwin_amd64_v3
       - darwin_arm64
     mod_timestamp: '{{ .CommitTimestamp }}'
   - id: legacy
-    <<: *template
+    main: ./cmd/sing-box
+    flags:
+      - -v
+      - -trimpath
+    asmflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    gcflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    ldflags:
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
     tags:
       - with_gvisor
       - with_quic
       - with_dhcp
       - with_wireguard
+      - with_ech
       - with_utls
       - with_reality_server
       - with_acme
       - with_clash_api
     env:
       - CGO_ENABLED=0
-      - GOROOT={{ .Env.GOPATH }}/go1.20.14
-    gobinary: "{{ .Env.GOPATH }}/go1.20.14/bin/go"
+      - GOROOT=/nix/store/kg6i737jjqs923jcijnm003h68c1dghj-go-1.20.11/share/go
+    gobinary: /nix/store/kg6i737jjqs923jcijnm003h68c1dghj-go-1.20.11/bin/go
     targets:
       - windows_amd64_v1
       - windows_386
       - darwin_amd64_v1
+    mod_timestamp: '{{ .CommitTimestamp }}'
   - id: android
-    <<: *template
+    main: ./cmd/sing-box
+    flags:
+      - -v
+      - -trimpath
+    asmflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    gcflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    ldflags:
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
+    tags:
+      - with_gvisor
+      - with_quic
+      - with_dhcp
+      - with_wireguard
+      - with_ech
+      - with_utls
+      - with_reality_server
+      - with_acme
+      - with_clash_api
     env:
       - CGO_ENABLED=1
     overrides:
@@ -63,8 +96,8 @@ builds:
         goarch: arm
         goarm: 7
         env:
-          - CC=armv7a-linux-androideabi21-clang
-          - CXX=armv7a-linux-androideabi21-clang++
+          - CC=armv7a-linux-androideabi19-clang
+          - CXX=armv7a-linux-androideabi19-clang++
       - goos: android
         goarch: arm64
         env:
@@ -73,8 +106,8 @@ builds:
       - goos: android
         goarch: 386
         env:
-          - CC=i686-linux-android21-clang
-          - CXX=i686-linux-android21-clang++
+          - CC=i686-linux-android19-clang
+          - CXX=i686-linux-android19-clang++
       - goos: android
         goarch: amd64
         goamd64: v1
@@ -86,11 +119,11 @@ builds:
       - android_arm64
       - android_386
       - android_amd64
+    mod_timestamp: '{{ .CommitTimestamp }}'
 snapshot:
   name_template: "{{ .Version }}.{{ .ShortCommit }}"
 archives:
-  - &template
-    id: archive
+  - id: archive
     builds:
       - main
       - android
@@ -103,16 +136,21 @@ archives:
       - LICENSE
     name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
   - id: archive-legacy
-    <<: *template
     builds:
       - legacy
+    format: tar.gz
+    format_overrides:
+      - goos: windows
+        format: zip
+    wrap_in_directory: true
+    files:
+      - LICENSE
     name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}-legacy'
 nfpms:
   - id: package
     package_name: sing-box
     file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    builds:
-      - main
+    vendor: sagernet
     homepage: https://sing-box.sagernet.org/
     maintainer: nekohasekai <contact-git@sekai.icu>
     description: The universal proxy platform.
@@ -127,27 +165,11 @@ nfpms:
         dst: /etc/sing-box/config.json
         type: config
       - src: release/config/sing-box.service
-        dst: /usr/lib/systemd/system/sing-box.service
+        dst: /etc/systemd/system/sing-box.service
       - src: release/config/sing-box@.service
-        dst: /usr/lib/systemd/system/sing-box@.service
+        dst: /etc/systemd/system/sing-box@.service
       - src: LICENSE
         dst: /usr/share/licenses/sing-box/LICENSE
-    deb:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-      fields:
-        Bugs: https://github.com/SagerNet/sing-box/issues
-    rpm:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-    overrides:
-      deb:
-        conflicts:
-          - sing-box-beta
-      rpm:
-        conflicts:
-          - sing-box-beta
-
 source:
   enabled: false
   name_template: '{{ .ProjectName }}-{{ .Version }}.source'
@@ -161,10 +183,6 @@ release:
   github:
     owner: SagerNet
     name: sing-box
+  name_template: '{{ if .IsSnapshot }}{{ nightly }}{{ else }}{{ .Version }}{{ end }}'
   draft: true
-  prerelease: auto
-  mode: replace
-  ids:
-    - archive
-    - package
-  skip_upload: true
+  mode: replace

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.22-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.21-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box

Makefile

@@ -1,8 +1,8 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS_GO120 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls
-TAGS_GO121 = with_ech
-TAGS ?= $(TAGS_GO118),$(TAGS_GO120),$(TAGS_GO121)
+TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api
+TAGS_GO120 = with_quic,with_ech,with_utls
+TAGS ?= $(TAGS_GO118),$(TAGS_GO120)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server
 
 GOHOSTOS = $(shell go env GOHOSTOS)
@@ -14,14 +14,14 @@ MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
 
-.PHONY: test release docs build
+.PHONY: test release docs
 
 build:
 	go build $(MAIN_PARAMS) $(MAIN)
 
-ci_build_go120:
+ci_build_go118:
 	go build $(PARAMS) $(MAIN)
-	go build $(PARAMS) -tags "$(TAGS_GO120)" $(MAIN)
+	go build $(PARAMS) -tags "$(TAGS_GO118)" $(MAIN)
 
 ci_build:
 	go build $(PARAMS) $(MAIN)
@@ -59,35 +59,25 @@ proto_install:
 	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
 
 release:
-	go run ./cmd/internal/build goreleaser release --clean --skip publish
+	go run ./cmd/internal/build goreleaser release --clean --skip-publish || exit 1
 	mkdir dist/release
-	mv dist/*.tar.gz \
-		dist/*.zip \
-		dist/*.deb \
-		dist/*.rpm \
-		dist/*_amd64.pkg.tar.zst \
-		dist/*_amd64v3.pkg.tar.zst \
-		dist/*_arm64.pkg.tar.zst \
-		dist/release
+	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/*.pkg.tar.zst dist/release
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
 	rm -r dist/release
 
-release_repo:
-	go run ./cmd/internal/build goreleaser release -f .goreleaser.fury.yaml --clean
-
 release_install:
+	go install -v github.com/goreleaser/goreleaser@latest
 	go install -v github.com/tcnksm/ghr@latest
 
 update_android_version:
 	go run ./cmd/internal/update_android_version
 
 build_android:
-	cd ../sing-box-for-android && ./gradlew :app:clean :app:assemblePlayRelease :app:assembleOtherRelease && ./gradlew --stop
+	cd ../sing-box-for-android && ./gradlew :app:assemblePlayRelease && ./gradlew --stop
 
 upload_android:
 	mkdir -p dist/release_android
 	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
-	cp ../sing-box-for-android/app/build/outputs/apk/other/release/*-universal.apk dist/release_android
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 
@@ -188,19 +178,17 @@ lib:
 	go run ./cmd/internal/build_libbox -target ios
 
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.3
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.3
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.1
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.1
 
 docs:
-	venv/bin/mkdocs serve
+	mkdocs serve
 
 publish_docs:
-	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
+	mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
 
 docs_install:
-	python -m venv venv
-	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
-
+	pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box

adapter/experimental.go

@@ -4,13 +4,13 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
+	"io"
 	"net"
 	"time"
 
 	"github.com/sagernet/sing-box/common/urltest"
-	"github.com/sagernet/sing-dns"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/varbin"
+	"github.com/sagernet/sing/common/rw"
 )
 
 type ClashServer interface {
@@ -30,9 +30,6 @@ type CacheFile interface {
 	StoreFakeIP() bool
 	FakeIPStorage
 
-	StoreRDRC() bool
-	dns.RDRCStore
-
 	LoadMode() string
 	StoreMode(mode string) error
 	LoadSelected(group string) string
@@ -55,15 +52,16 @@ func (s *SavedRuleSet) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	err = varbin.Write(&buffer, binary.BigEndian, s.Content)
+	err = rw.WriteUVariant(&buffer, uint64(len(s.Content)))
 	if err != nil {
 		return nil, err
 	}
+	buffer.Write(s.Content)
 	err = binary.Write(&buffer, binary.BigEndian, s.LastUpdated.Unix())
 	if err != nil {
 		return nil, err
 	}
-	err = varbin.Write(&buffer, binary.BigEndian, s.LastEtag)
+	err = rw.WriteVString(&buffer, s.LastEtag)
 	if err != nil {
 		return nil, err
 	}
@@ -77,7 +75,12 @@ func (s *SavedRuleSet) UnmarshalBinary(data []byte) error {
 	if err != nil {
 		return err
 	}
-	err = varbin.Read(reader, binary.BigEndian, &s.Content)
+	contentLen, err := rw.ReadUVariant(reader)
+	if err != nil {
+		return err
+	}
+	s.Content = make([]byte, contentLen)
+	_, err = io.ReadFull(reader, s.Content)
 	if err != nil {
 		return err
 	}
@@ -87,7 +90,7 @@ func (s *SavedRuleSet) UnmarshalBinary(data []byte) error {
 		return err
 	}
 	s.LastUpdated = time.Unix(lastUpdated, 0)
-	err = varbin.Read(reader, binary.BigEndian, &s.LastEtag)
+	s.LastEtag, err = rw.ReadVString(reader)
 	if err != nil {
 		return err
 	}

adapter/inbound.go

@@ -51,25 +51,19 @@ type InboundContext struct {
 
 	// rule cache
 
-	IPCIDRMatchSource bool
-	IPCIDRAcceptEmpty bool
-
-	SourceAddressMatch           bool
-	SourcePortMatch              bool
-	DestinationAddressMatch      bool
-	DestinationPortMatch         bool
-	DidMatch                     bool
-	IgnoreDestinationIPCIDRMatch bool
+	IPCIDRMatchSource       bool
+	SourceAddressMatch      bool
+	SourcePortMatch         bool
+	DestinationAddressMatch bool
+	DestinationPortMatch    bool
 }
 
 func (c *InboundContext) ResetRuleCache() {
 	c.IPCIDRMatchSource = false
-	c.IPCIDRAcceptEmpty = false
 	c.SourceAddressMatch = false
 	c.SourcePortMatch = false
 	c.DestinationAddressMatch = false
 	c.DestinationPortMatch = false
-	c.DidMatch = false
 }
 
 type inboundContextKey struct{}
@@ -102,12 +96,3 @@ func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
 	}
 	return WithContext(ctx, &newMetadata), &newMetadata
 }
-
-func OverrideContext(ctx context.Context) context.Context {
-	if metadata := ContextFrom(ctx); metadata != nil {
-		var newMetadata InboundContext
-		newMetadata = *metadata
-		return WithContext(ctx, &newMetadata)
-	}
-	return ctx
-}

adapter/router.go

@@ -10,18 +10,15 @@ import (
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
 
 	mdns "github.com/miekg/dns"
-	"go4.org/netipx"
 )
 
 type Router interface {
 	Service
 	PreStarter
 	PostStarter
-	Cleanup() error
 
 	Outbounds() []Outbound
 	Outbound(tag string) (Outbound, bool)
@@ -36,8 +33,6 @@ type Router interface {
 
 	RuleSet(tag string) (RuleSet, bool)
 
-	NeedWIFIState() bool
-
 	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
 	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
@@ -48,9 +43,7 @@ type Router interface {
 	DefaultInterface() string
 	AutoDetectInterface() bool
 	AutoDetectInterfaceFunc() control.Func
-	DefaultMark() uint32
-	RegisterAutoRedirectOutputMark(mark uint32) error
-	AutoRedirectOutputMark() uint32
+	DefaultMark() int
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
@@ -76,7 +69,6 @@ func RouterFromContext(ctx context.Context) Router {
 
 type HeadlessRule interface {
 	Match(metadata *InboundContext) bool
-	String() string
 }
 
 type Rule interface {
@@ -85,38 +77,26 @@ type Rule interface {
 	Type() string
 	UpdateGeosite() error
 	Outbound() string
+	String() string
 }
 
 type DNSRule interface {
 	Rule
 	DisableCache() bool
 	RewriteTTL() *uint32
-	ClientSubnet() *netip.Prefix
-	WithAddressLimit() bool
-	MatchAddressLimit(metadata *InboundContext) bool
 }
 
 type RuleSet interface {
-	Name() string
 	StartContext(ctx context.Context, startContext RuleSetStartContext) error
 	PostStart() error
 	Metadata() RuleSetMetadata
-	ExtractIPSet() []*netipx.IPSet
-	IncRef()
-	DecRef()
-	Cleanup()
-	RegisterCallback(callback RuleSetUpdateCallback) *list.Element[RuleSetUpdateCallback]
-	UnregisterCallback(element *list.Element[RuleSetUpdateCallback])
 	Close() error
 	HeadlessRule
 }
 
-type RuleSetUpdateCallback func(it RuleSet)
-
 type RuleSetMetadata struct {
 	ContainsProcessRule bool
 	ContainsWIFIRule    bool
-	ContainsIPCIDRRule  bool
 }
 
 type RuleSetStartContext interface {

box.go

@@ -111,7 +111,6 @@ func New(options Options) (*Box, error) {
 			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
-			tag,
 			inboundOptions,
 			options.PlatformInterface,
 		)
@@ -204,7 +203,7 @@ func (s *Box) PreStart() error {
 		defer func() {
 			v := recover()
 			if v != nil {
-				println(err.Error())
+				log.Error(E.Cause(err, "origin error"))
 				debug.PrintStack()
 				panic("panic on early close: " + fmt.Sprint(v))
 			}
@@ -223,9 +222,9 @@ func (s *Box) Start() error {
 		defer func() {
 			v := recover()
 			if v != nil {
-				println(err.Error())
+				log.Error(E.Cause(err, "origin error"))
 				debug.PrintStack()
-				println("panic on early start: " + fmt.Sprint(v))
+				panic("panic on early close: " + fmt.Sprint(v))
 			}
 		}()
 		s.Close()
@@ -236,7 +235,7 @@ func (s *Box) Start() error {
 }
 
 func (s *Box) preStart() error {
-	monitor := taskmonitor.New(s.logger, C.StartTimeout)
+	monitor := taskmonitor.New(s.logger, C.DefaultStartTimeout)
 	monitor.Start("start logger")
 	err := s.logFactory.Start()
 	monitor.Finish()
@@ -303,11 +302,7 @@ func (s *Box) start() error {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
-	err = s.postStart()
-	if err != nil {
-		return err
-	}
-	return s.router.Cleanup()
+	return s.postStart()
 }
 
 func (s *Box) postStart() error {
@@ -317,28 +312,16 @@ func (s *Box) postStart() error {
 			return E.Cause(err, "start ", serviceName)
 		}
 	}
-	// TODO: reorganize ALL start order
-	for _, out := range s.outbounds {
-		if lateOutbound, isLateOutbound := out.(adapter.PostStarter); isLateOutbound {
+	for _, outbound := range s.outbounds {
+		if lateOutbound, isLateOutbound := outbound.(adapter.PostStarter); isLateOutbound {
 			err := lateOutbound.PostStart()
 			if err != nil {
-				return E.Cause(err, "post-start outbound/", out.Tag())
+				return E.Cause(err, "post-start outbound/", outbound.Tag())
 			}
 		}
 	}
-	err := s.router.PostStart()
-	if err != nil {
-		return err
-	}
-	for _, in := range s.inbounds {
-		if lateInbound, isLateInbound := in.(adapter.PostStarter); isLateInbound {
-			err = lateInbound.PostStart()
-			if err != nil {
-				return E.Cause(err, "post-start inbound/", in.Tag())
-			}
-		}
-	}
-	return nil
+
+	return s.router.PostStart()
 }
 
 func (s *Box) Close() error {
@@ -348,7 +331,7 @@ func (s *Box) Close() error {
 	default:
 		close(s.done)
 	}
-	monitor := taskmonitor.New(s.logger, C.StopTimeout)
+	monitor := taskmonitor.New(s.logger, C.DefaultStopTimeout)
 	var errors error
 	for serviceName, service := range s.postServices {
 		monitor.Start("close ", serviceName)

box_outbound.go

@@ -12,7 +12,7 @@ import (
 )
 
 func (s *Box) startOutbounds() error {
-	monitor := taskmonitor.New(s.logger, C.StartTimeout)
+	monitor := taskmonitor.New(s.logger, C.DefaultStartTimeout)
 	outboundTags := make(map[adapter.Outbound]string)
 	outbounds := make(map[string]adapter.Outbound)
 	for i, outboundToStart := range s.outbounds {
@@ -45,9 +45,7 @@ func (s *Box) startOutbounds() error {
 			}
 			started[outboundTag] = true
 			canContinue = true
-			if starter, isStarter := outboundToStart.(interface {
-				Start() error
-			}); isStarter {
+			if starter, isStarter := outboundToStart.(common.Starter); isStarter {
 				monitor.Start("initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				err := starter.Start()
 				monitor.Finish()

cmd/internal/build_libbox/main.go

@@ -46,13 +46,13 @@ var (
 
 func init() {
 	sharedFlags = append(sharedFlags, "-trimpath")
-	sharedFlags = append(sharedFlags, "-buildvcs=false")
+	sharedFlags = append(sharedFlags, "-ldflags")
 	currentTag, err := build_shared.ReadTag()
 	if err != nil {
 		currentTag = "unknown"
 	}
-	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
-	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
+	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
+	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
 
 	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api")
 	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
@@ -93,7 +93,7 @@ func buildAndroid() {
 
 	const name = "libbox.aar"
 	copyPath := filepath.Join("..", "sing-box-for-android", "app", "libs")
-	if rw.IsDir(copyPath) {
+	if rw.FileExists(copyPath) {
 		copyPath, _ = filepath.Abs(copyPath)
 		err = rw.CopyFile(name, filepath.Join(copyPath, name))
 		if err != nil {
@@ -134,7 +134,7 @@ func buildiOS() {
 	}
 
 	copyPath := filepath.Join("..", "sing-box-for-apple")
-	if rw.IsDir(copyPath) {
+	if rw.FileExists(copyPath) {
 		targetDir := filepath.Join(copyPath, "Libbox.xcframework")
 		targetDir, _ = filepath.Abs(targetDir)
 		os.RemoveAll(targetDir)

cmd/internal/build_shared/sdk.go

@@ -11,9 +11,7 @@ import (
 
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
-	"github.com/sagernet/sing/common/shell"
 )
 
 var (
@@ -30,7 +28,7 @@ func FindSDK() {
 	}
 	for _, path := range searchPath {
 		path = os.ExpandEnv(path)
-		if rw.IsFile(filepath.Join(path, "licenses", "android-sdk-license")) {
+		if rw.FileExists(path + "/licenses/android-sdk-license") {
 			androidSDKPath = path
 			break
 		}
@@ -42,14 +40,6 @@ func FindSDK() {
 		log.Fatal("android NDK not found")
 	}
 
-	javaVersion, err := shell.Exec("java", "--version").ReadOutput()
-	if err != nil {
-		log.Fatal(E.Cause(err, "check java version"))
-	}
-	if !strings.Contains(javaVersion, "openjdk 17") {
-		log.Fatal("java version should be openjdk 17")
-	}
-
 	os.Setenv("ANDROID_HOME", androidSDKPath)
 	os.Setenv("ANDROID_SDK_HOME", androidSDKPath)
 	os.Setenv("ANDROID_NDK_HOME", androidNDKPath)
@@ -58,13 +48,11 @@ func FindSDK() {
 }
 
 func findNDK() bool {
-	const fixedVersion = "26.2.11394342"
-	const versionFile = "source.properties"
-	if fixedPath := filepath.Join(androidSDKPath, "ndk", fixedVersion); rw.IsFile(filepath.Join(fixedPath, versionFile)) {
-		androidNDKPath = fixedPath
+	if rw.FileExists(androidSDKPath + "/ndk/25.1.8937393") {
+		androidNDKPath = androidSDKPath + "/ndk/25.1.8937393"
 		return true
 	}
-	ndkVersions, err := os.ReadDir(filepath.Join(androidSDKPath, "ndk"))
+	ndkVersions, err := os.ReadDir(androidSDKPath + "/ndk")
 	if err != nil {
 		return false
 	}
@@ -85,10 +73,8 @@ func findNDK() bool {
 		return true
 	})
 	for _, versionName := range versionNames {
-		currentNDKPath := filepath.Join(androidSDKPath, "ndk", versionName)
-		if rw.IsFile(filepath.Join(androidSDKPath, versionFile)) {
-			androidNDKPath = currentNDKPath
-			log.Warn("reproducibility warning: using NDK version " + versionName + " instead of " + fixedVersion)
+		if rw.FileExists(androidSDKPath + "/ndk/" + versionName) {
+			androidNDKPath = androidSDKPath + "/ndk/" + versionName
 			return true
 		}
 	}
@@ -99,14 +85,8 @@ var GoBinPath string
 
 func FindMobile() {
 	goBin := filepath.Join(build.Default.GOPATH, "bin")
-	if runtime.GOOS == "windows" {
-		if !rw.IsFile(filepath.Join(goBin, "gobind.exe")) {
-			log.Fatal("missing gomobile installation")
-		}
-	} else {
-		if !rw.IsFile(filepath.Join(goBin, "gobind")) {
-			log.Fatal("missing gomobile installation")
-		}
+	if !rw.FileExists(goBin + "/" + "gobind") {
+		log.Fatal("missing gomobile installation")
 	}
 	GoBinPath = goBin
 }

cmd/internal/update_android_version/main.go

@@ -3,7 +3,6 @@ package main
 import (
 	"os"
 	"path/filepath"
-	"runtime"
 	"strconv"
 	"strings"
 
@@ -19,46 +18,34 @@ func main() {
 		log.Fatal(err)
 	}
 	common.Must(os.Chdir(androidPath))
-	localProps := common.Must1(os.ReadFile("version.properties"))
+	localProps := common.Must1(os.ReadFile("local.properties"))
 	var propsList [][]string
 	for _, propLine := range strings.Split(string(localProps), "\n") {
 		propsList = append(propsList, strings.Split(propLine, "="))
 	}
-	var (
-		versionUpdated   bool
-		goVersionUpdated bool
-	)
 	for _, propPair := range propsList {
-		switch propPair[0] {
-		case "VERSION_NAME":
-			if propPair[1] != newVersion.String() {
-				versionUpdated = true
-				propPair[1] = newVersion.String()
-				log.Info("updated version to ", newVersion.String())
-			}
-		case "GO_VERSION":
-			if propPair[1] != runtime.Version() {
-				goVersionUpdated = true
-				propPair[1] = runtime.Version()
-				log.Info("updated Go version to ", runtime.Version())
+		if propPair[0] == "VERSION_NAME" {
+			if propPair[1] == newVersion.String() {
+				log.Info("version not changed")
+				return
 			}
+			propPair[1] = newVersion.String()
+			log.Info("updated version to ", newVersion.String())
 		}
 	}
-	if !(versionUpdated || goVersionUpdated) {
-		log.Info("version not changed")
-		return
-	}
 	for _, propPair := range propsList {
 		switch propPair[0] {
 		case "VERSION_CODE":
 			versionCode := common.Must1(strconv.ParseInt(propPair[1], 10, 64))
 			propPair[1] = strconv.Itoa(int(versionCode + 1))
 			log.Info("updated version code to ", propPair[1])
+		case "RELEASE_NOTES":
+			propPair[1] = "sing-box " + newVersion.String()
 		}
 	}
 	var newProps []string
 	for _, propPair := range propsList {
 		newProps = append(newProps, strings.Join(propPair, "="))
 	}
-	common.Must(os.WriteFile("version.properties", []byte(strings.Join(newProps, "\n")), 0o644))
+	common.Must(os.WriteFile("local.properties", []byte(strings.Join(newProps, "\n")), 0o644))
 }

cmd/sing-box/cmd_merge.go

@@ -54,11 +54,7 @@ func merge(outputPath string) error {
 			return nil
 		}
 	}
-	err = rw.MkdirParent(outputPath)
-	if err != nil {
-		return err
-	}
-	err = os.WriteFile(outputPath, buffer.Bytes(), 0o644)
+	err = rw.WriteFile(outputPath, buffer.Bytes())
 	if err != nil {
 		return err
 	}

cmd/sing-box/cmd_rule_set.go

@@ -6,7 +6,7 @@ import (
 
 var commandRuleSet = &cobra.Command{
 	Use:   "rule-set",
-	Short: "Manage rule-sets",
+	Short: "Manage rule sets",
 }
 
 func init() {

cmd/sing-box/cmd_rule_set_compile.go

@@ -55,10 +55,10 @@ func compileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
-	ruleSet, err := plainRuleSet.Upgrade()
 	if err != nil {
 		return err
 	}
+	ruleSet := plainRuleSet.Upgrade()
 	var outputPath string
 	if flagRuleSetCompileOutput == flagRuleSetCompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".json") {

cmd/sing-box/cmd_rule_set_match.go

@@ -1,90 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"io"
-	"os"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/srs"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/route"
-	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
-	"github.com/sagernet/sing/common/json"
-
-	"github.com/spf13/cobra"
-)
-
-var flagRuleSetMatchFormat string
-
-var commandRuleSetMatch = &cobra.Command{
-	Use:   "match <rule-set path> <domain>",
-	Short: "Check if a domain matches the rule-set",
-	Args:  cobra.ExactArgs(2),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := ruleSetMatch(args[0], args[1])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandRuleSetMatch.Flags().StringVarP(&flagRuleSetMatchFormat, "format", "f", "source", "rule-set format")
-	commandRuleSet.AddCommand(commandRuleSetMatch)
-}
-
-func ruleSetMatch(sourcePath string, domain string) error {
-	var (
-		reader io.Reader
-		err    error
-	)
-	if sourcePath == "stdin" {
-		reader = os.Stdin
-	} else {
-		reader, err = os.Open(sourcePath)
-		if err != nil {
-			return E.Cause(err, "read rule-set")
-		}
-	}
-	content, err := io.ReadAll(reader)
-	if err != nil {
-		return E.Cause(err, "read rule-set")
-	}
-	var plainRuleSet option.PlainRuleSet
-	switch flagRuleSetMatchFormat {
-	case C.RuleSetFormatSource:
-		var compat option.PlainRuleSetCompat
-		compat, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
-		if err != nil {
-			return err
-		}
-		plainRuleSet, err = compat.Upgrade()
-		if err != nil {
-			return err
-		}
-	case C.RuleSetFormatBinary:
-		plainRuleSet, err = srs.Read(bytes.NewReader(content), false)
-		if err != nil {
-			return err
-		}
-	default:
-		return E.New("unknown rule-set format: ", flagRuleSetMatchFormat)
-	}
-	for i, ruleOptions := range plainRuleSet.Rules {
-		var currentRule adapter.HeadlessRule
-		currentRule, err = route.NewHeadlessRule(nil, ruleOptions)
-		if err != nil {
-			return E.Cause(err, "parse rule_set.rules.[", i, "]")
-		}
-		if currentRule.Match(&adapter.InboundContext{
-			Domain: domain,
-		}) {
-			println(F.ToString("match rules.[", i, "]: ", currentRule))
-		}
-	}
-	return nil
-}

cmd/sing-box/cmd_run.go

@@ -109,7 +109,7 @@ func readConfigAndMerge() (option.Options, error) {
 	}
 	var mergedMessage json.RawMessage
 	for _, options := range optionsList {
-		mergedMessage, err = badjson.MergeJSON(options.options.RawMessage, mergedMessage, false)
+		mergedMessage, err = badjson.MergeJSON(options.options.RawMessage, mergedMessage)
 		if err != nil {
 			return option.Options{}, E.Cause(err, "merge config at ", options.path)
 		}
@@ -199,7 +199,7 @@ func run() error {
 }
 
 func closeMonitor(ctx context.Context) {
-	time.Sleep(C.FatalStopTimeout)
+	time.Sleep(C.DefaultStopFatalTimeout)
 	select {
 	case <-ctx.Done():
 		return

cmd/sing-box/cmd_tools_fetch.go

@@ -9,10 +9,8 @@ import (
 	"net/url"
 	"os"
 
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 
 	"github.com/spf13/cobra"
@@ -34,10 +32,7 @@ func init() {
 	commandTools.AddCommand(commandFetch)
 }
 
-var (
-	httpClient  *http.Client
-	http3Client *http.Client
-)
+var httpClient *http.Client
 
 func fetch(args []string) error {
 	instance, err := createPreStartedClient()
@@ -58,16 +53,8 @@ func fetch(args []string) error {
 		},
 	}
 	defer httpClient.CloseIdleConnections()
-	if C.WithQUIC {
-		err = initializeHTTP3Client(instance)
-		if err != nil {
-			return err
-		}
-		defer http3Client.CloseIdleConnections()
-	}
 	for _, urlString := range args {
-		var parsedURL *url.URL
-		parsedURL, err = url.Parse(urlString)
+		parsedURL, err := url.Parse(urlString)
 		if err != nil {
 			return err
 		}
@@ -76,27 +63,16 @@ func fetch(args []string) error {
 			parsedURL.Scheme = "http"
 			fallthrough
 		case "http", "https":
-			err = fetchHTTP(httpClient, parsedURL)
+			err = fetchHTTP(parsedURL)
 			if err != nil {
 				return err
 			}
-		case "http3":
-			if !C.WithQUIC {
-				return C.ErrQUICNotIncluded
-			}
-			parsedURL.Scheme = "https"
-			err = fetchHTTP(http3Client, parsedURL)
-			if err != nil {
-				return err
-			}
-		default:
-			return E.New("unsupported scheme: ", parsedURL.Scheme)
 		}
 	}
 	return nil
 }
 
-func fetchHTTP(httpClient *http.Client, parsedURL *url.URL) error {
+func fetchHTTP(parsedURL *url.URL) error {
 	request, err := http.NewRequest("GET", parsedURL.String(), nil)
 	if err != nil {
 		return err

cmd/sing-box/cmd_tools_fetch_http3.go

@@ -1,36 +0,0 @@
-//go:build with_quic
-
-package main
-
-import (
-	"context"
-	"crypto/tls"
-	"net/http"
-
-	"github.com/sagernet/quic-go"
-	"github.com/sagernet/quic-go/http3"
-	box "github.com/sagernet/sing-box"
-	"github.com/sagernet/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func initializeHTTP3Client(instance *box.Box) error {
-	dialer, err := createDialer(instance, N.NetworkUDP, commandToolsFlagOutbound)
-	if err != nil {
-		return err
-	}
-	http3Client = &http.Client{
-		Transport: &http3.RoundTripper{
-			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
-				destination := M.ParseSocksaddr(addr)
-				udpConn, dErr := dialer.DialContext(ctx, N.NetworkUDP, destination)
-				if dErr != nil {
-					return nil, dErr
-				}
-				return quic.DialEarly(ctx, bufio.NewUnbindPacketConn(udpConn), udpConn.RemoteAddr(), tlsCfg, cfg)
-			},
-		},
-	}
-	return nil
-}

cmd/sing-box/cmd_tools_fetch_http3_stub.go

@@ -1,18 +0,0 @@
-//go:build !with_quic
-
-package main
-
-import (
-	"net/url"
-	"os"
-
-	box "github.com/sagernet/sing-box"
-)
-
-func initializeHTTP3Client(instance *box.Box) error {
-	return os.ErrInvalid
-}
-
-func fetchHTTP3(parsedURL *url.URL) error {
-	return os.ErrInvalid
-}

common/badtls/read_wait.go

@@ -4,8 +4,6 @@ package badtls
 
 import (
 	"bytes"
-	"context"
-	"net"
 	"os"
 	"reflect"
 	"sync"
@@ -20,32 +18,20 @@ import (
 var _ N.ReadWaiter = (*ReadWaitConn)(nil)
 
 type ReadWaitConn struct {
-	tls.Conn
-	halfAccess                    *sync.Mutex
-	rawInput                      *bytes.Buffer
-	input                         *bytes.Reader
-	hand                          *bytes.Buffer
-	readWaitOptions               N.ReadWaitOptions
-	tlsReadRecord                 func() error
-	tlsHandlePostHandshakeMessage func() error
+	*tls.STDConn
+	halfAccess      *sync.Mutex
+	rawInput        *bytes.Buffer
+	input           *bytes.Reader
+	hand            *bytes.Buffer
+	readWaitOptions N.ReadWaitOptions
 }
 
 func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
-	var (
-		loaded                        bool
-		tlsReadRecord                 func() error
-		tlsHandlePostHandshakeMessage func() error
-	)
-	for _, tlsCreator := range tlsRegistry {
-		loaded, tlsReadRecord, tlsHandlePostHandshakeMessage = tlsCreator(conn)
-		if loaded {
-			break
-		}
-	}
-	if !loaded {
+	stdConn, isSTDConn := conn.(*tls.STDConn)
+	if !isSTDConn {
 		return nil, os.ErrInvalid
 	}
-	rawConn := reflect.Indirect(reflect.ValueOf(conn))
+	rawConn := reflect.Indirect(reflect.ValueOf(stdConn))
 	rawHalfConn := rawConn.FieldByName("in")
 	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
 		return nil, E.New("badtls: invalid half conn")
@@ -71,13 +57,11 @@ func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
 	}
 	hand := (*bytes.Buffer)(unsafe.Pointer(rawHand.UnsafeAddr()))
 	return &ReadWaitConn{
-		Conn:                          conn,
-		halfAccess:                    halfAccess,
-		rawInput:                      rawInput,
-		input:                         input,
-		hand:                          hand,
-		tlsReadRecord:                 tlsReadRecord,
-		tlsHandlePostHandshakeMessage: tlsHandlePostHandshakeMessage,
+		STDConn:    stdConn,
+		halfAccess: halfAccess,
+		rawInput:   rawInput,
+		input:      input,
+		hand:       hand,
 	}, nil
 }
 
@@ -87,19 +71,19 @@ func (c *ReadWaitConn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy
 }
 
 func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
-	err = c.HandshakeContext(context.Background())
+	err = c.Handshake()
 	if err != nil {
 		return
 	}
 	c.halfAccess.Lock()
 	defer c.halfAccess.Unlock()
 	for c.input.Len() == 0 {
-		err = c.tlsReadRecord()
+		err = tlsReadRecord(c.STDConn)
 		if err != nil {
 			return
 		}
 		for c.hand.Len() > 0 {
-			err = c.tlsHandlePostHandshakeMessage()
+			err = tlsHandlePostHandshakeMessage(c.STDConn)
 			if err != nil {
 				return
 			}
@@ -116,7 +100,7 @@ func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
 	if n != 0 && c.input.Len() == 0 && c.rawInput.Len() > 0 &&
 		// recordType(c.rawInput.Bytes()[0]) == recordTypeAlert {
 		c.rawInput.Bytes()[0] == 21 {
-		_ = c.tlsReadRecord()
+		_ = tlsReadRecord(c.STDConn)
 		// return n, err // will be io.EOF on closeNotify
 	}
 
@@ -124,28 +108,8 @@ func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
 	return
 }
 
-func (c *ReadWaitConn) Upstream() any {
-	return c.Conn
-}
+//go:linkname tlsReadRecord crypto/tls.(*Conn).readRecord
+func tlsReadRecord(c *tls.STDConn) error
 
-var tlsRegistry []func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error)
-
-func init() {
-	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
-		tlsConn, loaded := conn.(*tls.STDConn)
-		if !loaded {
-			return
-		}
-		return true, func() error {
-				return stdTLSReadRecord(tlsConn)
-			}, func() error {
-				return stdTLSHandlePostHandshakeMessage(tlsConn)
-			}
-	})
-}
-
-//go:linkname stdTLSReadRecord crypto/tls.(*Conn).readRecord
-func stdTLSReadRecord(c *tls.STDConn) error
-
-//go:linkname stdTLSHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
-func stdTLSHandlePostHandshakeMessage(c *tls.STDConn) error
+//go:linkname tlsHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
+func tlsHandlePostHandshakeMessage(c *tls.STDConn) error

common/badtls/read_wait_ech.go

@@ -1,31 +0,0 @@
-//go:build go1.21 && !without_badtls && with_ech
-
-package badtls
-
-import (
-	"net"
-	_ "unsafe"
-
-	"github.com/sagernet/cloudflare-tls"
-	"github.com/sagernet/sing/common"
-)
-
-func init() {
-	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
-		tlsConn, loaded := common.Cast[*tls.Conn](conn)
-		if !loaded {
-			return
-		}
-		return true, func() error {
-				return echReadRecord(tlsConn)
-			}, func() error {
-				return echHandlePostHandshakeMessage(tlsConn)
-			}
-	})
-}
-
-//go:linkname echReadRecord github.com/sagernet/cloudflare-tls.(*Conn).readRecord
-func echReadRecord(c *tls.Conn) error
-
-//go:linkname echHandlePostHandshakeMessage github.com/sagernet/cloudflare-tls.(*Conn).handlePostHandshakeMessage
-func echHandlePostHandshakeMessage(c *tls.Conn) error

common/badtls/read_wait_utls.go

@@ -1,31 +0,0 @@
-//go:build go1.21 && !without_badtls && with_utls
-
-package badtls
-
-import (
-	"net"
-	_ "unsafe"
-
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/utls"
-)
-
-func init() {
-	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
-		tlsConn, loaded := common.Cast[*tls.UConn](conn)
-		if !loaded {
-			return
-		}
-		return true, func() error {
-				return utlsReadRecord(tlsConn.Conn)
-			}, func() error {
-				return utlsHandlePostHandshakeMessage(tlsConn.Conn)
-			}
-	})
-}
-
-//go:linkname utlsReadRecord github.com/sagernet/utls.(*Conn).readRecord
-func utlsReadRecord(c *tls.Conn) error
-
-//go:linkname utlsHandlePostHandshakeMessage github.com/sagernet/utls.(*Conn).handlePostHandshakeMessage
-func utlsHandlePostHandshakeMessage(c *tls.Conn) error

common/dialer/default.go

@@ -32,44 +32,24 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
-		var interfaceFinder control.InterfaceFinder
-		if router != nil {
-			interfaceFinder = router.InterfaceFinder()
-		} else {
-			interfaceFinder = control.NewDefaultInterfaceFinder()
-		}
-		bindFunc := control.BindToInterface(interfaceFinder, options.BindInterface, -1)
+		bindFunc := control.BindToInterface(router.InterfaceFinder(), options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
-	} else if router != nil && router.AutoDetectInterface() {
+	} else if router.AutoDetectInterface() {
 		bindFunc := router.AutoDetectInterfaceFunc()
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
-	} else if router != nil && router.DefaultInterface() != "" {
+	} else if router.DefaultInterface() != "" {
 		bindFunc := control.BindToInterface(router.InterfaceFinder(), router.DefaultInterface(), -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
-	var autoRedirectOutputMark uint32
-	if router != nil {
-		autoRedirectOutputMark = router.AutoRedirectOutputMark()
-	}
-	if autoRedirectOutputMark > 0 {
-		dialer.Control = control.Append(dialer.Control, control.RoutingMark(autoRedirectOutputMark))
-		listener.Control = control.Append(listener.Control, control.RoutingMark(autoRedirectOutputMark))
-	}
-	if options.RoutingMark > 0 {
+	if options.RoutingMark != 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(options.RoutingMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(options.RoutingMark))
-		if autoRedirectOutputMark > 0 {
-			return nil, E.New("`auto_redirect` with `route_[_exclude]_address_set is conflict with `routing_mark`")
-		}
-	} else if router != nil && router.DefaultMark() > 0 {
+	} else if router.DefaultMark() != 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(router.DefaultMark()))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
-		if autoRedirectOutputMark > 0 {
-			return nil, E.New("`auto_redirect` with `route_[_exclude]_address_set is conflict with `default_mark`")
-		}
 	}
 	if options.ReuseAddr {
 		listener.Control = control.Append(listener.Control, control.ReuseAddr())
@@ -83,9 +63,6 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	} else {
 		dialer.Timeout = C.TCPTimeout
 	}
-	// TODO: Add an option to customize the keep alive period
-	dialer.KeepAlive = C.TCPKeepAliveInitial
-	dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment

common/dialer/dialer.go

@@ -13,9 +13,6 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	if options.IsWireGuardListener {
 		return NewDefault(router, options)
 	}
-	if router == nil {
-		return NewDefault(nil, options)
-	}
 	var (
 		dialer N.Dialer
 		err    error

common/dialer/tfo.go

@@ -80,7 +80,6 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 		c.conn = nil
 		c.err = E.Cause(err, "dial tcp fast open")
 	}
-	n = len(b)
 	close(c.create)
 	return
 }

common/geoip/reader.go

@@ -32,7 +32,3 @@ func (r *Reader) Lookup(addr netip.Addr) string {
 	}
 	return "unknown"
 }
-
-func (r *Reader) Close() error {
-	return r.reader.Close()
-}

common/geosite/reader.go

@@ -1,15 +1,11 @@
 package geosite
 
 import (
-	"bufio"
-	"encoding/binary"
 	"io"
 	"os"
-	"sync/atomic"
 
-	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/varbin"
+	"github.com/sagernet/sing/common/rw"
 )
 
 type Reader struct {
@@ -38,36 +34,45 @@ func Open(path string) (*Reader, []string, error) {
 	return reader, codes, nil
 }
 
-type geositeMetadata struct {
-	Code   string
-	Index  uint64
-	Length uint64
-}
-
 func (r *Reader) readMetadata() error {
-	reader := bufio.NewReader(r.reader)
-	version, err := reader.ReadByte()
+	version, err := rw.ReadByte(r.reader)
 	if err != nil {
 		return err
 	}
 	if version != 0 {
 		return E.New("unknown version")
 	}
-	metadataEntries, err := varbin.ReadValue[[]geositeMetadata](reader, binary.BigEndian)
+	entryLength, err := rw.ReadUVariant(r.reader)
 	if err != nil {
 		return err
 	}
+	keys := make([]string, entryLength)
 	domainIndex := make(map[string]int)
 	domainLength := make(map[string]int)
-	for _, entry := range metadataEntries {
-		domainIndex[entry.Code] = int(entry.Index)
-		domainLength[entry.Code] = int(entry.Length)
+	for i := 0; i < int(entryLength); i++ {
+		var (
+			code       string
+			codeIndex  uint64
+			codeLength uint64
+		)
+		code, err = rw.ReadVString(r.reader)
+		if err != nil {
+			return err
+		}
+		keys[i] = code
+		codeIndex, err = rw.ReadUVariant(r.reader)
+		if err != nil {
+			return err
+		}
+		codeLength, err = rw.ReadUVariant(r.reader)
+		if err != nil {
+			return err
+		}
+		domainIndex[code] = int(codeIndex)
+		domainLength[code] = int(codeLength)
 	}
 	r.domainIndex = domainIndex
 	r.domainLength = domainLength
-	if reader.Buffered() > 0 {
-		return common.Error(r.reader.Seek(int64(-reader.Buffered()), io.SeekCurrent))
-	}
 	return nil
 }
 
@@ -80,28 +85,27 @@ func (r *Reader) Read(code string) ([]Item, error) {
 	if err != nil {
 		return nil, err
 	}
-	counter := &readCounter{Reader: r.reader}
-	domain, err := varbin.ReadValue[[]Item](bufio.NewReader(counter), binary.BigEndian)
-	if err != nil {
-		return nil, err
+	counter := &rw.ReadCounter{Reader: r.reader}
+	domain := make([]Item, r.domainLength[code])
+	for i := range domain {
+		var (
+			item Item
+			err  error
+		)
+		item.Type, err = rw.ReadByte(counter)
+		if err != nil {
+			return nil, err
+		}
+		item.Value, err = rw.ReadVString(counter)
+		if err != nil {
+			return nil, err
+		}
+		domain[i] = item
 	}
-	_, err = r.reader.Seek(int64(-index)-counter.count, io.SeekCurrent)
+	_, err = r.reader.Seek(int64(-index)-counter.Count(), io.SeekCurrent)
 	return domain, err
 }
 
 func (r *Reader) Upstream() any {
 	return r.reader
 }
-
-type readCounter struct {
-	io.Reader
-	count int64
-}
-
-func (r *readCounter) Read(p []byte) (n int, err error) {
-	n, err = r.Reader.Read(p)
-	if n > 0 {
-		atomic.AddInt64(&r.count, int64(n))
-	}
-	return
-}

common/geosite/writer.go

@@ -2,14 +2,13 @@ package geosite
 
 import (
 	"bytes"
-	"encoding/binary"
+	"io"
 	"sort"
 
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/varbin"
+	"github.com/sagernet/sing/common/rw"
 )
 
-func Write(writer varbin.Writer, domains map[string][]Item) error {
+func Write(writer io.Writer, domains map[string][]Item) error {
 	keys := make([]string, 0, len(domains))
 	for code := range domains {
 		keys = append(keys, code)
@@ -20,26 +19,38 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 	index := make(map[string]int)
 	for _, code := range keys {
 		index[code] = content.Len()
-		err := varbin.Write(content, binary.BigEndian, domains[code])
+		for _, domain := range domains[code] {
+			content.WriteByte(domain.Type)
+			err := rw.WriteVString(content, domain.Value)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	err := rw.WriteByte(writer, 0)
+	if err != nil {
+		return err
+	}
+
+	err = rw.WriteUVariant(writer, uint64(len(keys)))
+	if err != nil {
+		return err
+	}
+
+	for _, code := range keys {
+		err = rw.WriteVString(writer, code)
 		if err != nil {
 			return err
 		}
-	}
-
-	err := writer.WriteByte(0)
-	if err != nil {
-		return err
-	}
-
-	err = varbin.Write(writer, binary.BigEndian, common.Map(keys, func(it string) *geositeMetadata {
-		return &geositeMetadata{
-			Code:   it,
-			Index:  uint64(index[it]),
-			Length: uint64(len(domains[it])),
+		err = rw.WriteUVariant(writer, uint64(index[code]))
+		if err != nil {
+			return err
+		}
+		err = rw.WriteUVariant(writer, uint64(len(domains[code])))
+		if err != nil {
+			return err
 		}
-	}))
-	if err != nil {
-		return err
 	}
 
 	_, err = writer.Write(content.Bytes())

common/mux/client.go

@@ -1,16 +1,11 @@
 package mux
 
 import (
-	"context"
-	"net"
-
-	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-mux"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -35,7 +30,7 @@ func NewClientWithOptions(dialer N.Dialer, logger logger.Logger, options option.
 		}
 	}
 	return mux.NewClient(mux.Options{
-		Dialer:         &clientDialer{dialer},
+		Dialer:         dialer,
 		Logger:         logger,
 		Protocol:       options.Protocol,
 		MaxConnections: options.MaxConnections,
@@ -45,15 +40,3 @@ func NewClientWithOptions(dialer N.Dialer, logger logger.Logger, options option.
 		Brutal:         brutalOptions,
 	})
 }
-
-type clientDialer struct {
-	N.Dialer
-}
-
-func (d *clientDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	return d.Dialer.DialContext(adapter.OverrideContext(ctx), network, destination)
-}
-
-func (d *clientDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return d.Dialer.ListenPacket(adapter.OverrideContext(ctx), destination)
-}

common/process/searcher_windows.go

@@ -223,7 +223,7 @@ func getExecPathFromPID(pid uint32) (string, error) {
 	r1, _, err := syscall.SyscallN(
 		procQueryFullProcessImageNameW.Addr(),
 		uintptr(h),
-		uintptr(0),
+		uintptr(1),
 		uintptr(unsafe.Pointer(&buf[0])),
 		uintptr(unsafe.Pointer(&size)),
 	)

common/settings/proxy_linux.go

@@ -16,40 +16,30 @@ import (
 )
 
 type LinuxSystemProxy struct {
-	hasGSettings    bool
-	kWriteConfigCmd string
-	sudoUser        string
-	serverAddr      M.Socksaddr
-	supportSOCKS    bool
-	isEnabled       bool
+	hasGSettings     bool
+	hasKWriteConfig5 bool
+	sudoUser         string
+	serverAddr       M.Socksaddr
+	supportSOCKS     bool
+	isEnabled        bool
 }
 
 func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*LinuxSystemProxy, error) {
 	hasGSettings := common.Error(exec.LookPath("gsettings")) == nil
-	kWriteConfigCmds := []string{
-		"kwriteconfig5",
-		"kwriteconfig6",
-	}
-	var kWriteConfigCmd string
-	for _, cmd := range kWriteConfigCmds {
-		if common.Error(exec.LookPath(cmd)) == nil {
-			kWriteConfigCmd = cmd
-			break
-		}
-	}
+	hasKWriteConfig5 := common.Error(exec.LookPath("kwriteconfig5")) == nil
 	var sudoUser string
 	if os.Getuid() == 0 {
 		sudoUser = os.Getenv("SUDO_USER")
 	}
-	if !hasGSettings && kWriteConfigCmd == "" {
+	if !hasGSettings && !hasKWriteConfig5 {
 		return nil, E.New("unsupported desktop environment")
 	}
 	return &LinuxSystemProxy{
-		hasGSettings:    hasGSettings,
-		kWriteConfigCmd: kWriteConfigCmd,
-		sudoUser:        sudoUser,
-		serverAddr:      serverAddr,
-		supportSOCKS:    supportSOCKS,
+		hasGSettings:     hasGSettings,
+		hasKWriteConfig5: hasKWriteConfig5,
+		sudoUser:         sudoUser,
+		serverAddr:       serverAddr,
+		supportSOCKS:     supportSOCKS,
 	}, nil
 }
 
@@ -80,8 +70,8 @@ func (p *LinuxSystemProxy) Enable() error {
 			return err
 		}
 	}
-	if p.kWriteConfigCmd != "" {
-		err := p.runAsUser(p.kWriteConfigCmd, "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "1")
+	if p.hasKWriteConfig5 {
+		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "1")
 		if err != nil {
 			return err
 		}
@@ -93,7 +83,7 @@ func (p *LinuxSystemProxy) Enable() error {
 		if err != nil {
 			return err
 		}
-		err = p.runAsUser(p.kWriteConfigCmd, "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "Authmode", "0")
+		err = p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "Authmode", "0")
 		if err != nil {
 			return err
 		}
@@ -113,8 +103,8 @@ func (p *LinuxSystemProxy) Disable() error {
 			return err
 		}
 	}
-	if p.kWriteConfigCmd != "" {
-		err := p.runAsUser(p.kWriteConfigCmd, "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "0")
+	if p.hasKWriteConfig5 {
+		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "0")
 		if err != nil {
 			return err
 		}
@@ -160,7 +150,7 @@ func (p *LinuxSystemProxy) setKDEProxy(proxyTypes ...string) error {
 			proxyUrl = "http://" + p.serverAddr.String()
 		}
 		err := p.runAsUser(
-			p.kWriteConfigCmd,
+			"kwriteconfig5",
 			"--file",
 			"kioslaverc",
 			"--group",

common/sniff/bittorrent.go

@@ -1,113 +0,0 @@
-package sniff
-
-import (
-	"bytes"
-	"context"
-	"encoding/binary"
-	"io"
-	"os"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-)
-
-const (
-	trackerConnectFlag = iota
-	trackerAnnounceFlag
-	trackerScrapeFlag
-
-	trackerProtocolID = 0x41727101980
-
-	trackerConnectMinSize  = 16
-	trackerAnnounceMinSize = 20
-	trackerScrapeMinSize   = 8
-)
-
-// BitTorrent detects if the stream is a BitTorrent connection.
-// For the BitTorrent protocol specification, see https://www.bittorrent.org/beps/bep_0003.html
-func BitTorrent(_ context.Context, reader io.Reader) (*adapter.InboundContext, error) {
-	var first byte
-	err := binary.Read(reader, binary.BigEndian, &first)
-	if err != nil {
-		return nil, err
-	}
-
-	if first != 19 {
-		return nil, os.ErrInvalid
-	}
-
-	var protocol [19]byte
-	_, err = reader.Read(protocol[:])
-	if err != nil {
-		return nil, err
-	}
-	if string(protocol[:]) != "BitTorrent protocol" {
-		return nil, os.ErrInvalid
-	}
-
-	return &adapter.InboundContext{
-		Protocol: C.ProtocolBitTorrent,
-	}, nil
-}
-
-// UTP detects if the packet is a uTP connection packet.
-// For the uTP protocol specification, see
-//  1. https://www.bittorrent.org/beps/bep_0029.html
-//  2. https://github.com/bittorrent/libutp/blob/2b364cbb0650bdab64a5de2abb4518f9f228ec44/utp_internal.cpp#L112
-func UTP(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
-	// A valid uTP packet must be at least 20 bytes long.
-	if len(packet) < 20 {
-		return nil, os.ErrInvalid
-	}
-
-	version := packet[0] & 0x0F
-	ty := packet[0] >> 4
-	if version != 1 || ty > 4 {
-		return nil, os.ErrInvalid
-	}
-
-	// Validate the extensions
-	extension := packet[1]
-	reader := bytes.NewReader(packet[20:])
-	for extension != 0 {
-		err := binary.Read(reader, binary.BigEndian, &extension)
-		if err != nil {
-			return nil, err
-		}
-
-		var length byte
-		err = binary.Read(reader, binary.BigEndian, &length)
-		if err != nil {
-			return nil, err
-		}
-		_, err = reader.Seek(int64(length), io.SeekCurrent)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return &adapter.InboundContext{
-		Protocol: C.ProtocolBitTorrent,
-	}, nil
-}
-
-// UDPTracker detects if the packet is a UDP Tracker Protocol packet.
-// For the UDP Tracker Protocol specification, see https://www.bittorrent.org/beps/bep_0015.html
-func UDPTracker(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
-	switch {
-	case len(packet) >= trackerConnectMinSize &&
-		binary.BigEndian.Uint64(packet[:8]) == trackerProtocolID &&
-		binary.BigEndian.Uint32(packet[8:12]) == trackerConnectFlag:
-		fallthrough
-	case len(packet) >= trackerAnnounceMinSize &&
-		binary.BigEndian.Uint32(packet[8:12]) == trackerAnnounceFlag:
-		fallthrough
-	case len(packet) >= trackerScrapeMinSize &&
-		binary.BigEndian.Uint32(packet[8:12]) == trackerScrapeFlag:
-		return &adapter.InboundContext{
-			Protocol: C.ProtocolBitTorrent,
-		}, nil
-	default:
-		return nil, os.ErrInvalid
-	}
-}

common/sniff/bittorrent_test.go

@@ -1,81 +0,0 @@
-package sniff_test
-
-import (
-	"bytes"
-	"context"
-	"encoding/hex"
-	"testing"
-
-	"github.com/sagernet/sing-box/common/sniff"
-	C "github.com/sagernet/sing-box/constant"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestSniffBittorrent(t *testing.T) {
-	t.Parallel()
-
-	packets := []string{
-		"13426974546f7272656e742070726f746f636f6c0000000000100000e21ea9569b69bab33c97851d0298bdfa89bc90922d5554313631302dea812fcd6a3563e3be40c1d1",
-		"13426974546f7272656e742070726f746f636f6c00000000001000052aa4f5a7e209e54b32803d43670971c4c8caaa052d5452333030302d653369733079647675763638",
-		"13426974546f7272656e742070726f746f636f6c00000000001000052aa4f5a7e209e54b32803d43670971c4c8caaa052d5452343035302d6f7a316c6e79377931716130",
-	}
-
-	for _, pkt := range packets {
-		pkt, err := hex.DecodeString(pkt)
-		require.NoError(t, err)
-		metadata, err := sniff.BitTorrent(context.TODO(), bytes.NewReader(pkt))
-		require.NoError(t, err)
-		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
-	}
-}
-
-func TestSniffUTP(t *testing.T) {
-	t.Parallel()
-
-	packets := []string{
-		"010041a282d7ee7b583afb160004000006d8318da776968f92d666f7963f32dae23ba0d2c810d8b8209cc4939f54fde9eeaa521c2c20c9ba7f43f4fb0375f28de06643b5e3ca4685ab7ac76adca99783be72ef05ed59ef4234f5712b75b4c7c0d7bee8fe2ca20ad626ba5bb0ffcc16bf06790896f888048cf72716419a07db1a3dca4550fbcea75b53e97235168a221cf3e553dfbb723961bd719fab038d86e0ecb74747f5a2cd669de1c4b9ad375f3a492d09d98cdfad745435625401315bbba98d35d32086299801377b93495a63a9efddb8d05f5b37a5c5b1c0a25e917f12007bb5e05013ada8aff544fab8cadf61d80ddb0b60f12741e44515a109d144fd53ef845acb4b5ccf0d6fc302d7003d76df3fc3423bb0237301c9e88f900c2d392a8e0fdb36d143cf7527a93fd0a2638b746e72f6699fffcd4fd15348fce780d4caa04382fd9faf1ca0ae377ca805da7536662b84f5ee18dd3ae38fcb095a7543e55f9069ae92c8cf54ae44e97b558d35e2545c66601ed2149cbc32bd6df199a2be7cf0da8b2ff137e0d23e776bc87248425013876d3a3cc31a83b424b752bd0346437f24b532978005d8f5b1b0be1a37a2489c32a18a9ad3118e3f9d30eb299bffae18e1f0677c2a5c185e62519093fe6bc2b7339299ea50a587989f726ca6443a75dd5bb936f6367c6355d80fae53ff529d740b2e5576e3eefdf1fdbfc69c3c8d8ac750512635de63e054bee1d3b689bc1b2bc3d2601e42a00b5c89066d173d4ae7ffedfd2274e5cf6d868fbe640aedb69b8246142f00b32d459974287537ddd5373460dcbc92f5cfdd7a3ed6020822ae922d947893752ca1983d0d32977374c384ac8f5ab566859019b7351526b9f13e932037a55bb052d9deb3b3c23317e0784fdc51a64f2159bfea3b069cf5caf02ee2c3c1a6b6b427bb16165713e8802d95b5c8ed77953690e994bd38c9ae113fedaf6ee7fc2b96c032ceafc2a530ad0422e84546b9c6ad8ef6ea02fa508abddd1805c38a7b42e9b7c971b1b636865ebec06ed754bb404cd6b4e6cc8cb77bd4a0c43410d5cd5ef8fe853a66d49b3b9e06cb141236cdbfdd5761601dc54d1250b86c660e0f898fe62526fdd9acf0eab60a3bbbb2151970461f28f10b31689594bea646c4b03ee197d63bdef4e5a7c22716b3bb9494a83b78ecd81b338b80ac6c09c43485b1b09ba41c74343832c78f0520c1d659ac9eb1502094141e82fb9e5e620970ebc0655514c43c294a7714cbf9a499d277daf089f556398a01589a77494bec8bfb60a108f3813b55368672b88c1af40f6b3c8b513f7c70c3e0efce85228b8b9ec67ba0393f9f7305024d8e2da6a26cf85613d14f249170ce1000089df4c9c260df7f8292aa2ecb5d5bac97656d59aa248caedea2d198e51ce87baece338716d114b458de02d65c9ff808ca5b5b73723b4d1e962d9ac2d98176544dc9984cf8554d07820ef3dd0861cfe57b478328046380de589adad94ee44743ffac73bb7361feca5d56f07cf8ce75080e261282ae30350d7882679b15cab9e7e53ddf93310b33f7390ae5d318bb53f387e6af5d0ef4f947fc9cb8e7e38b52c7f8d772ece6156b38d88796ea19df02c53723b44df7c76315a0de9462f27287e682d2b4cda1a68fe00d7e48c51ee981be44e1ca940fb5190c12655edb4a83c3a4f33e48a015692df4f0b3d61656e362aca657b5ae8c12db5a0db3db1e45135ee918b66918f40e53c4f83e9da0cddfe63f736ae751ab3837a30ae3220d8e8e311487093a7b90c7e7e40dd54ca750e19452f9193aa892aa6a6229ab493dadae988b1724f7898ee69c36d3eb7364c4adbeca811cfe2065873e78c2b6dfdf1595f7a7831c07e03cda82e4f86f76438dfb2b07c13638ce7b509cfa71b88b5102b39a203b423202088e1c2103319cb32c13c1e546ff8612fa194c95a7808ab767c265a1bd5fa0efed5c8ec1701876a00ec8",
-		"01001ecb68176f215d04326300100000dbcf30292d14b54e9ee2d115ee5b8ebc7fad3e882d4fcdd0c14c6b917c11cb4c6a9f410b52a33ae97c2ac77c7a2b122b8955e09af3c5c595f1b2e79ca57cfe44c44e069610773b9bc9ba223d7f6b383e3adddd03fb88a8476028e30979c2ef321ffc97c5c132bcf9ac5b410bbb5ec6cefca3c7209202a14c5ae922b6b157b0a80249d13ffe5b996af0bc8e54ba576d148372494303e7ead0602b05b9c8fc97d48508a028a04d63a1fd28b0edfcd5c51715f63188b53eefede98a76912dca98518551a8856567307a56a702cbfcc115ea0c755b418bc2c7b57721239b82f09fb24328a4b0ce0f109bcb2a64e04b8aadb1f8487585425acdf8fc4ec8ea93cfcec5ac098bb29d42ddef6e46b03f34a5de28316726699b7cb5195c33e5c48abe87d591d63f9991c84c30819d186d6e0e95fd83c8dff07aa669c4430989bcaccfeacb9bcadbdb4d8f1964dbeb9687745656edd30b21c66cc0a1d742a78717d134a19a7f02d285a4973b1a198c00cfdff4676608dc4f3e817e3463c3b4e2c80d3e8d4fbac541a58a2fb7ad6939f607f8144eff6c8b0adc28ee5609ea158987519892fb",
-		"21001ecb6817f2805d044fd700100000dbd03029",
-		"410277ef0b1fb1f60000000000040000c233000000080000000000000000",
-	}
-
-	for _, pkt := range packets {
-		pkt, err := hex.DecodeString(pkt)
-		require.NoError(t, err)
-
-		metadata, err := sniff.UTP(context.TODO(), pkt)
-		require.NoError(t, err)
-		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
-	}
-}
-
-func TestSniffUDPTracker(t *testing.T) {
-	t.Parallel()
-
-	connectPackets := []string{
-		// connect packets
-		"00000417271019800000000078e90560",
-		"00000417271019800000000022c5d64d",
-		"000004172710198000000000b3863541",
-
-		// announce packets
-		"3d7592ead4b8c9e300000001b871a3820000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
-		"3d7592ead4b8c9e30000000188deed1c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
-		"3d7592ead4b8c9e300000001ceb948ad0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a3362cdb7020ff920e5aa642c3d4066950dd1f01f4d00000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
-
-		// scrape packets
-		"3d7592ead4b8c9e300000002d2f4bba5a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
-		"3d7592ead4b8c9e300000002441243292aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
-		"3d7592ead4b8c9e300000002b2aa461b1ad1fa9661cf3fe45fb2504ad52ec6c67758e294",
-	}
-
-	for _, pkt := range connectPackets {
-		pkt, err := hex.DecodeString(pkt)
-		require.NoError(t, err)
-
-		metadata, err := sniff.UDPTracker(context.TODO(), pkt)
-		require.NoError(t, err)
-		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
-	}
-}

common/srs/binary.go

@@ -1,7 +1,6 @@
 package srs
 
 import (
-	"bufio"
 	"compress/zlib"
 	"encoding/binary"
 	"io"
@@ -12,7 +11,7 @@ import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/domain"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/varbin"
+	"github.com/sagernet/sing/common/rw"
 
 	"go4.org/netipx"
 )
@@ -46,7 +45,7 @@ func Read(reader io.Reader, recovery bool) (ruleSet option.PlainRuleSet, err err
 		return
 	}
 	if magicBytes != MagicBytes {
-		err = E.New("invalid sing-box rule-set file")
+		err = E.New("invalid sing-box rule set file")
 		return
 	}
 	var version uint8
@@ -61,14 +60,13 @@ func Read(reader io.Reader, recovery bool) (ruleSet option.PlainRuleSet, err err
 	if err != nil {
 		return
 	}
-	bReader := bufio.NewReader(zReader)
-	length, err := binary.ReadUvarint(bReader)
+	length, err := rw.ReadUVariant(zReader)
 	if err != nil {
 		return
 	}
 	ruleSet.Rules = make([]option.HeadlessRule, length)
 	for i := uint64(0); i < length; i++ {
-		ruleSet.Rules[i], err = readRule(bReader, recovery)
+		ruleSet.Rules[i], err = readRule(zReader, recovery)
 		if err != nil {
 			err = E.Cause(err, "read rule[", i, "]")
 			return
@@ -90,13 +88,12 @@ func Write(writer io.Writer, ruleSet option.PlainRuleSet) error {
 	if err != nil {
 		return err
 	}
-	bWriter := bufio.NewWriter(zWriter)
-	_, err = varbin.WriteUvarint(bWriter, uint64(len(ruleSet.Rules)))
+	err = rw.WriteUVariant(zWriter, uint64(len(ruleSet.Rules)))
 	if err != nil {
 		return err
 	}
 	for _, rule := range ruleSet.Rules {
-		err = writeRule(bWriter, rule)
+		err = writeRule(zWriter, rule)
 		if err != nil {
 			return err
 		}
@@ -104,7 +101,7 @@ func Write(writer io.Writer, ruleSet option.PlainRuleSet) error {
 	return zWriter.Close()
 }
 
-func readRule(reader varbin.Reader, recovery bool) (rule option.HeadlessRule, err error) {
+func readRule(reader io.Reader, recovery bool) (rule option.HeadlessRule, err error) {
 	var ruleType uint8
 	err = binary.Read(reader, binary.BigEndian, &ruleType)
 	if err != nil {
@@ -123,7 +120,7 @@ func readRule(reader varbin.Reader, recovery bool) (rule option.HeadlessRule, er
 	return
 }
 
-func writeRule(writer varbin.Writer, rule option.HeadlessRule) error {
+func writeRule(writer io.Writer, rule option.HeadlessRule) error {
 	switch rule.Type {
 	case C.RuleTypeDefault:
 		return writeDefaultRule(writer, rule.DefaultOptions)
@@ -134,7 +131,7 @@ func writeRule(writer varbin.Writer, rule option.HeadlessRule) error {
 	}
 }
 
-func readDefaultRule(reader varbin.Reader, recovery bool) (rule option.DefaultHeadlessRule, err error) {
+func readDefaultRule(reader io.Reader, recovery bool) (rule option.DefaultHeadlessRule, err error) {
 	var lastItemType uint8
 	for {
 		var itemType uint8
@@ -212,7 +209,7 @@ func readDefaultRule(reader varbin.Reader, recovery bool) (rule option.DefaultHe
 	}
 }
 
-func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule) error {
+func writeDefaultRule(writer io.Writer, rule option.DefaultHeadlessRule) error {
 	err := binary.Write(writer, binary.BigEndian, uint8(0))
 	if err != nil {
 		return err
@@ -256,7 +253,7 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule) err
 	if len(rule.SourceIPCIDR) > 0 {
 		err = writeRuleItemCIDR(writer, ruleItemSourceIPCIDR, rule.SourceIPCIDR)
 		if err != nil {
-			return E.Cause(err, "source_ip_cidr")
+			return E.Cause(err, "source_ipcidr")
 		}
 	}
 	if len(rule.IPCIDR) > 0 {
@@ -330,31 +327,73 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule) err
 	return nil
 }
 
-func readRuleItemString(reader varbin.Reader) ([]string, error) {
-	return varbin.ReadValue[[]string](reader, binary.BigEndian)
+func readRuleItemString(reader io.Reader) ([]string, error) {
+	length, err := rw.ReadUVariant(reader)
+	if err != nil {
+		return nil, err
+	}
+	value := make([]string, length)
+	for i := uint64(0); i < length; i++ {
+		value[i], err = rw.ReadVString(reader)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return value, nil
 }
 
-func writeRuleItemString(writer varbin.Writer, itemType uint8, value []string) error {
-	err := writer.WriteByte(itemType)
+func writeRuleItemString(writer io.Writer, itemType uint8, value []string) error {
+	err := binary.Write(writer, binary.BigEndian, itemType)
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
-}
-
-func readRuleItemUint16(reader varbin.Reader) ([]uint16, error) {
-	return varbin.ReadValue[[]uint16](reader, binary.BigEndian)
-}
-
-func writeRuleItemUint16(writer varbin.Writer, itemType uint8, value []uint16) error {
-	err := writer.WriteByte(itemType)
+	err = rw.WriteUVariant(writer, uint64(len(value)))
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
+	for _, item := range value {
+		err = rw.WriteVString(writer, item)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
-func writeRuleItemCIDR(writer varbin.Writer, itemType uint8, value []string) error {
+func readRuleItemUint16(reader io.Reader) ([]uint16, error) {
+	length, err := rw.ReadUVariant(reader)
+	if err != nil {
+		return nil, err
+	}
+	value := make([]uint16, length)
+	for i := uint64(0); i < length; i++ {
+		err = binary.Read(reader, binary.BigEndian, &value[i])
+		if err != nil {
+			return nil, err
+		}
+	}
+	return value, nil
+}
+
+func writeRuleItemUint16(writer io.Writer, itemType uint8, value []uint16) error {
+	err := binary.Write(writer, binary.BigEndian, itemType)
+	if err != nil {
+		return err
+	}
+	err = rw.WriteUVariant(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	for _, item := range value {
+		err = binary.Write(writer, binary.BigEndian, item)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func writeRuleItemCIDR(writer io.Writer, itemType uint8, value []string) error {
 	var builder netipx.IPSetBuilder
 	for i, prefixString := range value {
 		prefix, err := netip.ParsePrefix(prefixString)
@@ -380,8 +419,9 @@ func writeRuleItemCIDR(writer varbin.Writer, itemType uint8, value []string) err
 	return writeIPSet(writer, ipSet)
 }
 
-func readLogicalRule(reader varbin.Reader, recovery bool) (logicalRule option.LogicalHeadlessRule, err error) {
-	mode, err := reader.ReadByte()
+func readLogicalRule(reader io.Reader, recovery bool) (logicalRule option.LogicalHeadlessRule, err error) {
+	var mode uint8
+	err = binary.Read(reader, binary.BigEndian, &mode)
 	if err != nil {
 		return
 	}
@@ -394,7 +434,7 @@ func readLogicalRule(reader varbin.Reader, recovery bool) (logicalRule option.Lo
 		err = E.New("unknown logical mode: ", mode)
 		return
 	}
-	length, err := binary.ReadUvarint(reader)
+	length, err := rw.ReadUVariant(reader)
 	if err != nil {
 		return
 	}
@@ -413,7 +453,7 @@ func readLogicalRule(reader varbin.Reader, recovery bool) (logicalRule option.Lo
 	return
 }
 
-func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRule) error {
+func writeLogicalRule(writer io.Writer, logicalRule option.LogicalHeadlessRule) error {
 	err := binary.Write(writer, binary.BigEndian, uint8(1))
 	if err != nil {
 		return err
@@ -429,7 +469,7 @@ func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRu
 	if err != nil {
 		return err
 	}
-	_, err = varbin.WriteUvarint(writer, uint64(len(logicalRule.Rules)))
+	err = rw.WriteUVariant(writer, uint64(len(logicalRule.Rules)))
 	if err != nil {
 		return err
 	}

common/srs/ip_set.go

@@ -2,13 +2,11 @@ package srs
 
 import (
 	"encoding/binary"
+	"io"
 	"net/netip"
-	"os"
 	"unsafe"
 
-	"github.com/sagernet/sing/common"
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/common/varbin"
+	"github.com/sagernet/sing/common/rw"
 
 	"go4.org/netipx"
 )
@@ -22,57 +20,94 @@ type myIPRange struct {
 	to   netip.Addr
 }
 
-type myIPRangeData struct {
-	From []byte
-	To   []byte
-}
-
-func readIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
-	version, err := reader.ReadByte()
+func readIPSet(reader io.Reader) (*netipx.IPSet, error) {
+	var version uint8
+	err := binary.Read(reader, binary.BigEndian, &version)
 	if err != nil {
 		return nil, err
 	}
-	if version != 1 {
-		return nil, os.ErrInvalid
-	}
-	// WTF why using uint64 here
 	var length uint64
 	err = binary.Read(reader, binary.BigEndian, &length)
 	if err != nil {
 		return nil, err
 	}
-	ranges := make([]myIPRangeData, length)
-	err = varbin.Read(reader, binary.BigEndian, &ranges)
-	if err != nil {
-		return nil, err
-	}
 	mySet := &myIPSet{
-		rr: make([]myIPRange, len(ranges)),
+		rr: make([]myIPRange, length),
 	}
-	for i, rangeData := range ranges {
-		mySet.rr[i].from = M.AddrFromIP(rangeData.From)
-		mySet.rr[i].to = M.AddrFromIP(rangeData.To)
+	for i := uint64(0); i < length; i++ {
+		var (
+			fromLen  uint64
+			toLen    uint64
+			fromAddr netip.Addr
+			toAddr   netip.Addr
+		)
+		fromLen, err = rw.ReadUVariant(reader)
+		if err != nil {
+			return nil, err
+		}
+		fromBytes := make([]byte, fromLen)
+		_, err = io.ReadFull(reader, fromBytes)
+		if err != nil {
+			return nil, err
+		}
+		err = fromAddr.UnmarshalBinary(fromBytes)
+		if err != nil {
+			return nil, err
+		}
+		toLen, err = rw.ReadUVariant(reader)
+		if err != nil {
+			return nil, err
+		}
+		toBytes := make([]byte, toLen)
+		_, err = io.ReadFull(reader, toBytes)
+		if err != nil {
+			return nil, err
+		}
+		err = toAddr.UnmarshalBinary(toBytes)
+		if err != nil {
+			return nil, err
+		}
+		mySet.rr[i] = myIPRange{fromAddr, toAddr}
 	}
 	return (*netipx.IPSet)(unsafe.Pointer(mySet)), nil
 }
 
-func writeIPSet(writer varbin.Writer, set *netipx.IPSet) error {
-	err := writer.WriteByte(1)
+func writeIPSet(writer io.Writer, set *netipx.IPSet) error {
+	err := binary.Write(writer, binary.BigEndian, uint8(1))
 	if err != nil {
 		return err
 	}
-	dataList := common.Map((*myIPSet)(unsafe.Pointer(set)).rr, func(rr myIPRange) myIPRangeData {
-		return myIPRangeData{
-			From: rr.from.AsSlice(),
-			To:   rr.to.AsSlice(),
+	mySet := (*myIPSet)(unsafe.Pointer(set))
+	err = binary.Write(writer, binary.BigEndian, uint64(len(mySet.rr)))
+	if err != nil {
+		return err
+	}
+	for _, rr := range mySet.rr {
+		var (
+			fromBinary []byte
+			toBinary   []byte
+		)
+		fromBinary, err = rr.from.MarshalBinary()
+		if err != nil {
+			return err
 		}
-	})
-	err = binary.Write(writer, binary.BigEndian, uint64(len(dataList)))
-	if err != nil {
-		return err
-	}
-	for _, data := range dataList {
-		err = varbin.Write(writer, binary.BigEndian, data)
+		err = rw.WriteUVariant(writer, uint64(len(fromBinary)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write(fromBinary)
+		if err != nil {
+			return err
+		}
+		toBinary, err = rr.to.MarshalBinary()
+		if err != nil {
+			return err
+		}
+		err = rw.WriteUVariant(writer, uint64(len(toBinary)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write(toBinary)
 		if err != nil {
 			return err
 		}

common/tls/ech_quic.go

@@ -27,10 +27,11 @@ func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, ad
 	return quic.DialEarly(ctx, conn, addr, c.config, config)
 }
 
-func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config) http.RoundTripper {
+func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config, enableDatagrams bool) http.RoundTripper {
 	return &http3.RoundTripper{
 		TLSClientConfig: c.config,
-		QUICConfig:      quicConfig,
+		QuicConfig:      quicConfig,
+		EnableDatagrams: enableDatagrams,
 		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
 			if err != nil {

common/tls/ech_server.go

@@ -11,11 +11,12 @@ import (
 	"strings"
 
 	cftls "github.com/sagernet/cloudflare-tls"
-	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
+
+	"github.com/fsnotify/fsnotify"
 )
 
 type echServerConfig struct {
@@ -25,8 +26,9 @@ type echServerConfig struct {
 	key             []byte
 	certificatePath string
 	keyPath         string
+	watcher         *fsnotify.Watcher
 	echKeyPath      string
-	watcher         *fswatch.Watcher
+	echWatcher      *fsnotify.Watcher
 }
 
 func (c *echServerConfig) ServerName() string {
@@ -64,84 +66,146 @@ func (c *echServerConfig) Clone() Config {
 }
 
 func (c *echServerConfig) Start() error {
-	err := c.startWatcher()
-	if err != nil {
-		c.logger.Warn("create credentials watcher: ", err)
+	if c.certificatePath != "" && c.keyPath != "" {
+		err := c.startWatcher()
+		if err != nil {
+			c.logger.Warn("create fsnotify watcher: ", err)
+		}
+	}
+	if c.echKeyPath != "" {
+		err := c.startECHWatcher()
+		if err != nil {
+			c.logger.Warn("create fsnotify watcher: ", err)
+		}
 	}
 	return nil
 }
 
 func (c *echServerConfig) startWatcher() error {
-	var watchPath []string
-	if c.certificatePath != "" {
-		watchPath = append(watchPath, c.certificatePath)
-	}
-	if c.keyPath != "" {
-		watchPath = append(watchPath, c.keyPath)
-	}
-	if c.echKeyPath != "" {
-		watchPath = append(watchPath, c.echKeyPath)
-	}
-	if len(watchPath) == 0 {
-		return nil
-	}
-	watcher, err := fswatch.NewWatcher(fswatch.Options{
-		Path: watchPath,
-		Callback: func(path string) {
-			err := c.credentialsUpdated(path)
-			if err != nil {
-				c.logger.Error(E.Cause(err, "reload credentials from ", path))
-			}
-		},
-	})
+	watcher, err := fsnotify.NewWatcher()
 	if err != nil {
 		return err
 	}
-	c.watcher = watcher
-	return nil
-}
-
-func (c *echServerConfig) credentialsUpdated(path string) error {
-	if path == c.certificatePath || path == c.keyPath {
-		if path == c.certificatePath {
-			certificate, err := os.ReadFile(c.certificatePath)
-			if err != nil {
-				return err
-			}
-			c.certificate = certificate
-		} else {
-			key, err := os.ReadFile(c.keyPath)
-			if err != nil {
-				return err
-			}
-			c.key = key
-		}
-		keyPair, err := cftls.X509KeyPair(c.certificate, c.key)
-		if err != nil {
-			return E.Cause(err, "parse key pair")
-		}
-		c.config.Certificates = []cftls.Certificate{keyPair}
-		c.logger.Info("reloaded TLS certificate")
-	} else {
-		echKeyContent, err := os.ReadFile(c.echKeyPath)
+	if c.certificatePath != "" {
+		err = watcher.Add(c.certificatePath)
 		if err != nil {
 			return err
 		}
-		block, rest := pem.Decode(echKeyContent)
-		if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
-			return E.New("invalid ECH keys pem")
-		}
-		echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
-		if err != nil {
-			return E.Cause(err, "parse ECH keys")
-		}
-		echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
-		if err != nil {
-			return E.Cause(err, "create ECH key set")
-		}
-		c.config.ServerECHProvider = echKeySet
-		c.logger.Info("reloaded ECH keys")
 	}
+	if c.keyPath != "" {
+		err = watcher.Add(c.keyPath)
+		if err != nil {
+			return err
+		}
+	}
+	c.watcher = watcher
+	go c.loopUpdate()
+	return nil
+}
+
+func (c *echServerConfig) loopUpdate() {
+	for {
+		select {
+		case event, ok := <-c.watcher.Events:
+			if !ok {
+				return
+			}
+			if event.Op&fsnotify.Write != fsnotify.Write {
+				continue
+			}
+			err := c.reloadKeyPair()
+			if err != nil {
+				c.logger.Error(E.Cause(err, "reload TLS key pair"))
+			}
+		case err, ok := <-c.watcher.Errors:
+			if !ok {
+				return
+			}
+			c.logger.Error(E.Cause(err, "fsnotify error"))
+		}
+	}
+}
+
+func (c *echServerConfig) reloadKeyPair() error {
+	if c.certificatePath != "" {
+		certificate, err := os.ReadFile(c.certificatePath)
+		if err != nil {
+			return E.Cause(err, "reload certificate from ", c.certificatePath)
+		}
+		c.certificate = certificate
+	}
+	if c.keyPath != "" {
+		key, err := os.ReadFile(c.keyPath)
+		if err != nil {
+			return E.Cause(err, "reload key from ", c.keyPath)
+		}
+		c.key = key
+	}
+	keyPair, err := cftls.X509KeyPair(c.certificate, c.key)
+	if err != nil {
+		return E.Cause(err, "reload key pair")
+	}
+	c.config.Certificates = []cftls.Certificate{keyPair}
+	c.logger.Info("reloaded TLS certificate")
+	return nil
+}
+
+func (c *echServerConfig) startECHWatcher() error {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return err
+	}
+	err = watcher.Add(c.echKeyPath)
+	if err != nil {
+		return err
+	}
+	c.echWatcher = watcher
+	go c.loopECHUpdate()
+	return nil
+}
+
+func (c *echServerConfig) loopECHUpdate() {
+	for {
+		select {
+		case event, ok := <-c.echWatcher.Events:
+			if !ok {
+				return
+			}
+			if event.Op&fsnotify.Write != fsnotify.Write {
+				continue
+			}
+			err := c.reloadECHKey()
+			if err != nil {
+				c.logger.Error(E.Cause(err, "reload ECH key"))
+			}
+		case err, ok := <-c.echWatcher.Errors:
+			if !ok {
+				return
+			}
+			c.logger.Error(E.Cause(err, "fsnotify error"))
+		}
+	}
+}
+
+func (c *echServerConfig) reloadECHKey() error {
+	echKeyContent, err := os.ReadFile(c.echKeyPath)
+	if err != nil {
+		return err
+	}
+	block, rest := pem.Decode(echKeyContent)
+	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
+		return E.New("invalid ECH keys pem")
+	}
+	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
+	if err != nil {
+		return E.Cause(err, "parse ECH keys")
+	}
+	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
+	if err != nil {
+		return E.Cause(err, "create ECH key set")
+	}
+	c.config.ServerECHProvider = echKeySet
+	c.logger.Info("reloaded ECH keys")
 	return nil
 }
 
@@ -149,7 +213,12 @@ func (c *echServerConfig) Close() error {
 	var err error
 	if c.watcher != nil {
 		err = E.Append(err, c.watcher.Close(), func(err error) error {
-			return E.Cause(err, "close credentials watcher")
+			return E.Cause(err, "close certificate watcher")
+		})
+	}
+	if c.echWatcher != nil {
+		err = E.Append(err, c.echWatcher.Close(), func(err error) error {
+			return E.Cause(err, "close ECH key watcher")
 		})
 	}
 	return err

common/tls/std_server.go

@@ -7,13 +7,14 @@ import (
 	"os"
 	"strings"
 
-	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
+
+	"github.com/fsnotify/fsnotify"
 )
 
 var errInsecureUnused = E.New("tls: insecure unused")
@@ -26,7 +27,7 @@ type STDServerConfig struct {
 	key             []byte
 	certificatePath string
 	keyPath         string
-	watcher         *fswatch.Watcher
+	watcher         *fsnotify.Watcher
 }
 
 func (c *STDServerConfig) ServerName() string {
@@ -87,37 +88,59 @@ func (c *STDServerConfig) Start() error {
 }
 
 func (c *STDServerConfig) startWatcher() error {
-	var watchPath []string
-	if c.certificatePath != "" {
-		watchPath = append(watchPath, c.certificatePath)
-	}
-	if c.keyPath != "" {
-		watchPath = append(watchPath, c.keyPath)
-	}
-	watcher, err := fswatch.NewWatcher(fswatch.Options{
-		Path: watchPath,
-		Callback: func(path string) {
-			err := c.certificateUpdated(path)
-			if err != nil {
-				c.logger.Error(err)
-			}
-		},
-	})
+	watcher, err := fsnotify.NewWatcher()
 	if err != nil {
 		return err
 	}
+	if c.certificatePath != "" {
+		err = watcher.Add(c.certificatePath)
+		if err != nil {
+			return err
+		}
+	}
+	if c.keyPath != "" {
+		err = watcher.Add(c.keyPath)
+		if err != nil {
+			return err
+		}
+	}
 	c.watcher = watcher
+	go c.loopUpdate()
 	return nil
 }
 
-func (c *STDServerConfig) certificateUpdated(path string) error {
-	if path == c.certificatePath {
+func (c *STDServerConfig) loopUpdate() {
+	for {
+		select {
+		case event, ok := <-c.watcher.Events:
+			if !ok {
+				return
+			}
+			if event.Op&fsnotify.Write != fsnotify.Write {
+				continue
+			}
+			err := c.reloadKeyPair()
+			if err != nil {
+				c.logger.Error(E.Cause(err, "reload TLS key pair"))
+			}
+		case err, ok := <-c.watcher.Errors:
+			if !ok {
+				return
+			}
+			c.logger.Error(E.Cause(err, "fsnotify error"))
+		}
+	}
+}
+
+func (c *STDServerConfig) reloadKeyPair() error {
+	if c.certificatePath != "" {
 		certificate, err := os.ReadFile(c.certificatePath)
 		if err != nil {
 			return E.Cause(err, "reload certificate from ", c.certificatePath)
 		}
 		c.certificate = certificate
-	} else if path == c.keyPath {
+	}
+	if c.keyPath != "" {
 		key, err := os.ReadFile(c.keyPath)
 		if err != nil {
 			return E.Cause(err, "reload key from ", c.keyPath)

constant/path.go

@@ -13,14 +13,14 @@ var resourcePaths []string
 
 func FindPath(name string) (string, bool) {
 	name = os.ExpandEnv(name)
-	if rw.IsFile(name) {
+	if rw.FileExists(name) {
 		return name, true
 	}
 	for _, dir := range resourcePaths {
-		if path := filepath.Join(dir, dirName, name); rw.IsFile(path) {
+		if path := filepath.Join(dir, dirName, name); rw.FileExists(path) {
 			return path, true
 		}
-		if path := filepath.Join(dir, name); rw.IsFile(path) {
+		if path := filepath.Join(dir, name); rw.FileExists(path) {
 			return path, true
 		}
 	}

constant/protocol.go

@@ -1,10 +1,9 @@
 package constant
 
 const (
-	ProtocolTLS        = "tls"
-	ProtocolHTTP       = "http"
-	ProtocolQUIC       = "quic"
-	ProtocolDNS        = "dns"
-	ProtocolSTUN       = "stun"
-	ProtocolBitTorrent = "bittorrent"
+	ProtocolTLS  = "tls"
+	ProtocolHTTP = "http"
+	ProtocolQUIC = "quic"
+	ProtocolDNS  = "dns"
+	ProtocolSTUN = "stun"
 )

constant/proxy.go

@@ -32,12 +32,6 @@ const (
 
 func ProxyDisplayName(proxyType string) string {
 	switch proxyType {
-	case TypeTun:
-		return "TUN"
-	case TypeRedirect:
-		return "Redirect"
-	case TypeTProxy:
-		return "TProxy"
 	case TypeDirect:
 		return "Direct"
 	case TypeBlock:
@@ -48,8 +42,6 @@ func ProxyDisplayName(proxyType string) string {
 		return "SOCKS"
 	case TypeHTTP:
 		return "HTTP"
-	case TypeMixed:
-		return "Mixed"
 	case TypeShadowsocks:
 		return "Shadowsocks"
 	case TypeVMess:

constant/quic.go

@@ -1,5 +0,0 @@
-//go:build with_quic
-
-package constant
-
-const WithQUIC = true

constant/quic_stub.go

@@ -1,5 +0,0 @@
-//go:build !with_quic
-
-package constant
-
-const WithQUIC = false

constant/rule.go

@@ -11,7 +11,6 @@ const (
 )
 
 const (
-	RuleSetTypeInline   = "inline"
 	RuleSetTypeLocal    = "local"
 	RuleSetTypeRemote   = "remote"
 	RuleSetVersion1     = 1

constant/timeout.go

@@ -3,18 +3,15 @@ package constant
 import "time"
 
 const (
-	TCPKeepAliveInitial        = 10 * time.Minute
-	TCPKeepAliveInterval       = 75 * time.Second
-	TCPTimeout                 = 5 * time.Second
-	ReadPayloadTimeout         = 300 * time.Millisecond
-	DNSTimeout                 = 10 * time.Second
-	QUICTimeout                = 30 * time.Second
-	STUNTimeout                = 15 * time.Second
-	UDPTimeout                 = 5 * time.Minute
-	DefaultURLTestInterval     = 3 * time.Minute
-	DefaultURLTestIdleTimeout  = 30 * time.Minute
-	StartTimeout               = 10 * time.Second
-	StopTimeout                = 5 * time.Second
-	FatalStopTimeout           = 10 * time.Second
-	FakeIPMetadataSaveInterval = 10 * time.Second
+	TCPTimeout                = 5 * time.Second
+	ReadPayloadTimeout        = 300 * time.Millisecond
+	DNSTimeout                = 10 * time.Second
+	QUICTimeout               = 30 * time.Second
+	STUNTimeout               = 15 * time.Second
+	UDPTimeout                = 5 * time.Minute
+	DefaultURLTestInterval    = 3 * time.Minute
+	DefaultURLTestIdleTimeout = 30 * time.Minute
+	DefaultStartTimeout       = 10 * time.Second
+	DefaultStopTimeout        = 5 * time.Second
+	DefaultStopFatalTimeout   = 10 * time.Second
 )

docs/changelog.md

@@ -2,561 +2,6 @@
 icon: material/alert-decagram
 ---
 
-#### 1.10.0-alpha.18
-
-* Add new `inline` rule-set type **1**
-* Add auto reload support for local rule-set
-* Improve fsnotify usages **2**
-* Fixes and improvements
-
-**1**:
-
-The new [rule-set] type inline (which also becomes the default type)
-allows you to write headless rules directly without creating a rule-set file.
-
-[rule-set]: /configuration/rule-set/
-
-**2**:
-
-sing-box now uses fsnotify correctly and will not cancel watching
-if the target file is deleted or recreated via rename (e.g. `mv`).
-
-This affects all path options that support reload, including
-`tls.certificate_path`, `tls.key_path`, `tls.ech.key_path` and `rule_set.path`.
-
-#### 1.10.0-alpha.17
-
-* Some chaotic changes **1**
-* `rule_set_ipcidr_match_source` rule items are renamed **2**
-* Add `rule_set_ip_cidr_accept_empty` DNS address filter rule item **3**
-* Update quic-go to v0.45.1
-* Fixes and improvements
-
-**1**:
-
-Something may be broken, please actively report problems with this version.
-
-**2**:
-
-`rule_set_ipcidr_match_source` route and DNS rule items are renamed to
-`rule_set_ip_cidr_match_source` and will be remove in sing-box 1.11.0.
-
-**3**:
-
-See [DNS Rule](/configuration/dns/rule/#rule_set_ip_cidr_accept_empty).
-
-#### 1.10.0-alpha.16
-
-* Add custom options for `auto-route` and `auto-redirect` **1**
-* Fixes and improvements
-
-**1**:
-
-See [iproute2_table_index](/configuration/inbound/tun/#iproute2_table_index),
-[iproute2_rule_index](/configuration/inbound/tun/#iproute2_rule_index),
-[auto_redirect_input_mark](/configuration/inbound/tun/#auto_redirect_input_mark) and
-[auto_redirect_output_mark](/configuration/inbound/tun/#auto_redirect_output_mark).
-
-#### 1.10.0-alpha.13
-
-* TUN address fields are merged **1**
-* Add route address set support for auto-redirect **2**
-
-**1**:
-
-See [Migration](/migration/#tun-address-fields-are-merged).
-
-**2**:
-
-The new feature will allow you to configure the destination IP CIDR rules
-in the specified rule-sets to the firewall automatically.
-
-Specified or unspecified destinations will bypass the sing-box routes to get better performance
-(for example, keep hardware offloading of direct traffics on the router).
-
-See [route_address_set](/configuration/inbound/tun/#route_address_set)
-and [route_exclude_address_set](/configuration/inbound/tun/#route_exclude_address_set).
-
-#### 1.10.0-alpha.12
-
-* Fix auto-redirect not configuring nftables forward chain correctly
-* Fixes and improvements
-
-### 1.9.3
-
-* Fixes and improvements
-
-#### 1.10.0-alpha.10
-
-* Fixes and improvements
-
-### 1.9.2
-
-* Fixes and improvements
-
-#### 1.10.0-alpha.8
-
-* Drop support for go1.18 and go1.19 **1**
-* Update quic-go to v0.45.0
-* Update Hysteria2 BBR congestion control
-* Fixes and improvements
-
-**1**:
-
-Due to maintenance difficulties, sing-box 1.10.0 requires at least Go 1.20 to compile.
-
-### 1.9.1
-
-* Fixes and improvements
-
-#### 1.10.0-alpha.7
-
-* Fixes and improvements
-
-#### 1.10.0-alpha.5
-
-* Improve auto-redirect **1**
-
-**1**:
-
-nftables support and DNS hijacking has been added.
-
-Tun inbounds with `auto_route` and `auto_redirect` now works as expected on routers **without intervention**.
-
-#### 1.10.0-alpha.4
-
-* Fix auto-redirect **1**
-* Improve auto-route on linux **2**
-
-**1**:
-
-Tun inbounds with `auto_route` and `auto_redirect` now works as expected on routers.
-
-**2**:
-
-Tun inbounds with `auto_route` and `strict_route` now works as expected on routers and servers,
-but the usages of [exclude_interface](/configuration/inbound/tun/#exclude_interface) need to be updated.
-
-#### 1.10.0-alpha.2
-
-* Move auto-redirect to Tun **1**
-* Fixes and improvements
-
-**1**:
-
-Linux support are added.
-
-See [Tun](/configuration/inbound/tun/#auto_redirect).
-
-#### 1.10.0-alpha.1
-
-* Add tailing comma support in JSON configuration
-* Add simple auto-redirect for Android **1**
-* Add BitTorrent sniffer **2**
-
-**1**:
-
-It allows you to use redirect inbound in the sing-box Android client
-and automatically configures IPv4 TCP redirection via su.
-
-This may alleviate the symptoms of some OCD patients who think that
-redirect can effectively save power compared to the system HTTP Proxy.
-
-See [Redirect](/configuration/inbound/redirect/).
-
-**2**:
-
-See [Protocol Sniff](/configuration/route/sniff/).
-
-### 1.9.0
-
-* Fixes and improvements
-
-Important changes since 1.8:
-
-* `domain_suffix` behavior update **1**
-* `process_path` format update on Windows **2**
-* Add address filter DNS rule items **3**
-* Add support for `client-subnet` DNS options **4**
-* Add rejected DNS response cache support **5**
-* Add `bypass_domain` and `search_domain` platform HTTP proxy options **6**
-* Fix missing `rule_set_ipcidr_match_source` item in DNS rules **7**
-* Handle Windows power events
-* Always disable cache for fake-ip DNS transport if `dns.independent_cache` disabled
-* Improve DNS truncate behavior
-* Update Hysteria protocol
-* Update quic-go to v0.43.1
-* Update gVisor to 20240422.0
-* Mitigating TunnelVision attacks **8**
-
-**1**:
-
-See [Migration](/migration/#domain_suffix-behavior-update).
-
-**2**:
-
-See [Migration](/migration/#process_path-format-update-on-windows).
-
-**3**:
-
-The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
-if using this method.
-
-See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
-
-[Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.
-
-**4**:
-
-See [DNS](/configuration/dns), [DNS Server](/configuration/dns/server) and [DNS Rules](/configuration/dns/rule).
-
-Since this feature makes the scenario mentioned in `alpha.1` no longer leak DNS requests,
-the [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) has been updated.
-
-**5**:
-
-The new feature allows you to cache the check results of
-[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
-
-**6**:
-
-See [TUN](/configuration/inbound/tun) inbound.
-
-**7**:
-
-See [DNS Rule](/configuration/dns/rule/).
-
-**8**:
-
-See [TunnelVision](/manual/misc/tunnelvision).
-
-#### 1.9.0-rc.22
-
-* Fixes and improvements
-
-#### 1.9.0-rc.20
-
-* Prioritize `*_route_address` in linux auto-route
-* Fix `*_route_address` in darwin auto-route
-
-#### 1.8.14
-
-* Fix hysteria2 panic
-* Fixes and improvements
-
-#### 1.9.0-rc.18
-
-* Add custom prefix support in EDNS0 client subnet options
-* Fix hysteria2 crash
-* Fix `store_rdrc` corrupted
-* Update quic-go to v0.43.1
-* Fixes and improvements
-
-#### 1.9.0-rc.16
-
-* Mitigating TunnelVision attacks **1**
-* Fixes and improvements
-
-**1**:
-
-See [TunnelVision](/manual/misc/tunnelvision).
-
-#### 1.9.0-rc.15
-
-* Fixes and improvements
-
-#### 1.8.13
-
-* Fix fake-ip mapping
-* Fixes and improvements
-
-#### 1.9.0-rc.14
-
-* Fixes and improvements
-
-#### 1.9.0-rc.13
-
-* Update Hysteria protocol
-* Update quic-go to v0.43.0
-* Update gVisor to 20240422.0
-* Fixes and improvements
-
-#### 1.8.12
-
-* Now we have official APT and DNF repositories **1**
-* Fix packet MTU for QUIC protocols
-* Fixes and improvements
-
-**1**:
-
-Including stable and beta versions, see https://sing-box.sagernet.org/installation/package-manager/
-
-#### 1.9.0-rc.11
-
-* Fixes and improvements
-
-#### 1.8.11
-
-* Fixes and improvements
-
-#### 1.8.10
-
-* Fixes and improvements
-
-#### 1.9.0-beta.17
-
-* Update `quic-go` to v0.42.0
-* Fixes and improvements
-
-#### 1.9.0-beta.16
-
-* Fixes and improvements
-
-_Our Testflight distribution has been temporarily blocked by Apple (possibly due to too many beta versions)
-and you cannot join the test, install or update the sing-box beta app right now.
-Please wait patiently for processing._
-
-#### 1.9.0-beta.14
-
-* Update gVisor to 20240212.0-65-g71212d503
-* Fixes and improvements
-
-#### 1.8.9
-
-* Fixes and improvements
-
-#### 1.8.8
-
-* Fixes and improvements
-
-#### 1.9.0-beta.7
-
-* Fixes and improvements
-
-#### 1.9.0-beta.6
-
-* Fix address filter DNS rule items **1**
-* Fix DNS outbound responding with wrong data
-* Fixes and improvements
-
-**1**:
-
-Fixed an issue where address filter DNS rule was incorrectly rejected under certain circumstances.
-If you have enabled `store_rdrc` to save results, consider clearing the cache file.
-
-#### 1.8.7
-
-* Fixes and improvements
-
-#### 1.9.0-alpha.15
-
-* Fixes and improvements
-
-#### 1.9.0-alpha.14
-
-* Improve DNS truncate behavior
-* Fixes and improvements
-
-#### 1.9.0-alpha.13
-
-* Fixes and improvements
-
-#### 1.8.6
-
-* Fixes and improvements
-
-#### 1.9.0-alpha.12
-
-* Handle Windows power events
-* Always disable cache for fake-ip DNS transport if `dns.independent_cache` disabled
-* Fixes and improvements
-
-#### 1.9.0-alpha.11
-
-* Fix missing `rule_set_ipcidr_match_source` item in DNS rules **1**
-* Fixes and improvements
-
-**1**:
-
-See [DNS Rule](/configuration/dns/rule/).
-
-#### 1.9.0-alpha.10
-
-* Add `bypass_domain` and `search_domain` platform HTTP proxy options **1**
-* Fixes and improvements
-
-**1**:
-
-See [TUN](/configuration/inbound/tun) inbound.
-
-#### 1.9.0-alpha.8
-
-* Add rejected DNS response cache support **1**
-* Fixes and improvements
-
-**1**:
-
-The new feature allows you to cache the check results of
-[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
-
-#### 1.9.0-alpha.7
-
-* Update gVisor to 20240206.0
-* Fixes and improvements
-
-#### 1.9.0-alpha.6
-
-* Fixes and improvements
-
-#### 1.9.0-alpha.3
-
-* Update `quic-go` to v0.41.0
-* Fixes and improvements
-
-#### 1.9.0-alpha.2
-
-* Add support for `client-subnet` DNS options **1**
-* Fixes and improvements
-
-**1**:
-
-See [DNS](/configuration/dns), [DNS Server](/configuration/dns/server) and [DNS Rules](/configuration/dns/rule).
-
-Since this feature makes the scenario mentioned in `alpha.1` no longer leak DNS requests,
-the [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) has been updated.
-
-#### 1.9.0-alpha.1
-
-* `domain_suffix` behavior update **1**
-* `process_path` format update on Windows **2**
-* Add address filter DNS rule items **3**
-
-**1**:
-
-See [Migration](/migration/#domain_suffix-behavior-update).
-
-**2**:
-
-See [Migration](/migration/#process_path-format-update-on-windows).
-
-**3**:
-
-The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
-if using this method.
-
-See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
-
-[Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.
-
-#### 1.8.5
-
-* Fixes and improvements
-
-#### 1.8.4
-
-* Fixes and improvements
-
-#### 1.8.2
-
-* Fixes and improvements
-
-#### 1.8.1
-
-* Fixes and improvements
-
-### 1.8.0
-
-* Fixes and improvements
-
-Important changes since 1.7:
-
-* Migrate cache file from Clash API to independent options **1**
-* Introducing [rule-set](/configuration/rule-set/) **2**
-* Add `sing-box geoip`, `sing-box geosite` and `sing-box rule-set` commands **3**
-* Allow nested logical rules **4**
-* Independent `source_ip_is_private` and `ip_is_private` rules **5**
-* Add context to JSON decode error message **6**
-* Reject internal fake-ip queries **7**
-* Add GSO support for TUN and WireGuard system interface **8**
-* Add `idle_timeout` for URLTest outbound **9**
-* Add simple loopback detect
-* Optimize memory usage of idle connections
-* Update uTLS to 1.5.4 **10**
-* Update dependencies **11**
-
-**1**:
-
-See [Cache File](/configuration/experimental/cache-file/) and
-[Migration](/migration/#migrate-cache-file-from-clash-api-to-independent-options).
-
-**2**:
-
-rule-set is independent collections of rules that can be compiled into binaries to improve performance.
-Compared to legacy GeoIP and Geosite resources,
-it can include more types of rules, load faster,
-use less memory, and update automatically.
-
-See [Route#rule_set](/configuration/route/#rule_set),
-[Route Rule](/configuration/route/rule/),
-[DNS Rule](/configuration/dns/rule/),
-[rule-set](/configuration/rule-set/),
-[Source Format](/configuration/rule-set/source-format/) and
-[Headless Rule](/configuration/rule-set/headless-rule/).
-
-For GEO resources migration, see [Migrate GeoIP to rule-sets](/migration/#migrate-geoip-to-rule-sets) and
-[Migrate Geosite to rule-sets](/migration/#migrate-geosite-to-rule-sets).
-
-**3**:
-
-New commands manage GeoIP, Geosite and rule-set resources, and help you migrate GEO resources to rule-sets.
-
-**4**:
-
-Logical rules in route rules, DNS rules, and the new headless rule now allow nesting of logical rules.
-
-**5**:
-
-The `private` GeoIP country never existed and was actually implemented inside V2Ray.
-Since GeoIP was deprecated, we made this rule independent, see [Migration](/migration/#migrate-geoip-to-rule-sets).
-
-**6**:
-
-JSON parse errors will now include the current key path.
-Only takes effect when compiled with Go 1.21+.
-
-**7**:
-
-All internal DNS queries now skip DNS rules with `server` type `fakeip`,
-and the default DNS server can no longer be `fakeip`.
-
-This change is intended to break incorrect usage and essentially requires no action.
-
-**8**:
-
-See [TUN](/configuration/inbound/tun/) inbound and [WireGuard](/configuration/outbound/wireguard/) outbound.
-
-**9**:
-
-When URLTest is idle for a certain period of time, the scheduled delay test will be paused.
-
-**10**:
-
-Added some new [fingerprints](/configuration/shared/tls#utls).
-Also, starting with this release, uTLS requires at least Go 1.20.
-
-**11**:
-
-Updated `cloudflare-tls`, `gomobile`, `smux`, `tfo-go` and `wireguard-go` to latest, `quic-go` to `0.40.1` and  `gvisor`
-to `20231204.0`
-
-#### 1.8.0-rc.11
-
-* Fixes and improvements
-
-#### 1.7.8
-
-* Fixes and improvements
-
 #### 1.8.0-rc.10
 
 * Fixes and improvements
@@ -705,7 +150,7 @@ This change is intended to break incorrect usage and essentially requires no act
 
 **1**:
 
-Now the rules in the `rule_set` rule item can be logically considered to be merged into the rule using rule-sets,
+Now the rules in the `rule_set` rule item can be logically considered to be merged into the rule using rule sets,
 rather than completely following the AND logic.
 
 #### 1.8.0-alpha.5
@@ -721,7 +166,7 @@ Since GeoIP was deprecated, we made this rule independent, see [Migration](/migr
 #### 1.8.0-alpha.1
 
 * Migrate cache file from Clash API to independent options **1**
-* Introducing [rule-set](/configuration/rule-set/) **2**
+* Introducing [Rule Set](/configuration/rule-set/) **2**
 * Add `sing-box geoip`, `sing-box geosite` and `sing-box rule-set` commands **3**
 * Allow nested logical rules **4**
 
@@ -732,7 +177,7 @@ See [Cache File](/configuration/experimental/cache-file/) and
 
 **2**:
 
-rule-set is independent collections of rules that can be compiled into binaries to improve performance.
+Rule set is independent collections of rules that can be compiled into binaries to improve performance.
 Compared to legacy GeoIP and Geosite resources,
 it can include more types of rules, load faster,
 use less memory, and update automatically.
@@ -740,22 +185,22 @@ use less memory, and update automatically.
 See [Route#rule_set](/configuration/route/#rule_set),
 [Route Rule](/configuration/route/rule/),
 [DNS Rule](/configuration/dns/rule/),
-[rule-set](/configuration/rule-set/),
+[Rule Set](/configuration/rule-set/),
 [Source Format](/configuration/rule-set/source-format/) and
 [Headless Rule](/configuration/rule-set/headless-rule/).
 
-For GEO resources migration, see [Migrate GeoIP to rule-sets](/migration/#migrate-geoip-to-rule-sets) and
-[Migrate Geosite to rule-sets](/migration/#migrate-geosite-to-rule-sets).
+For GEO resources migration, see [Migrate GeoIP to rule sets](/migration/#migrate-geoip-to-rule-sets) and
+[Migrate Geosite to rule sets](/migration/#migrate-geosite-to-rule-sets).
 
 **3**:
 
-New commands manage GeoIP, Geosite and rule-set resources, and help you migrate GEO resources to rule-sets.
+New commands manage GeoIP, Geosite and rule set resources, and help you migrate GEO resources to rule sets.
 
 **4**:
 
 Logical rules in route rules, DNS rules, and the new headless rule now allow nesting of logical rules.
 
-### 1.7.0
+#### 1.7.0
 
 * Fixes and improvements
 
@@ -797,7 +242,7 @@ see [TCP Brutal](/configuration/shared/tcp-brutal/) for details.
 
 **5**:
 
-Only supported in graphical clients on Android and Apple platforms.
+Only supported in graphical clients on Android and iOS.
 
 #### 1.7.0-rc.3
 
@@ -834,7 +279,7 @@ Only supported in graphical clients on Android and Apple platforms.
 
 **1**:
 
-Only supported in graphical clients on Android and Apple platforms.
+Only supported in graphical clients on Android and iOS.
 
 #### 1.7.0-beta.3
 
@@ -915,7 +360,7 @@ Introduced in V2Ray 5.10.0.
 
 The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.
 
-### 1.6.0
+#### 1.6.0
 
 * Fixes and improvements
 
@@ -1094,7 +539,7 @@ introduce new issues.
 None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
 This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
 
-### 1.5.0
+#### 1.5.0
 
 * Fixes and improvements
 
@@ -1288,7 +733,7 @@ All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria`, `T
 
 * Fixes and improvements
 
-### 1.4.0
+#### 1.4.0
 
 * Fix bugs and update dependencies
 
@@ -1430,7 +875,7 @@ The old testflight link and app are no longer valid.
 
 * Fixes and improvements
 
-### 1.3.0
+#### 1.3.0
 
 * Fix bugs and update dependencies
 
@@ -1622,7 +1067,7 @@ to `domain` rule.
 * Flush DNS cache for macOS when tun start/close
 * Fix tun's DNS hijacking compatibility with systemd-resolved
 
-### 1.2.0
+#### 1.2.0
 
 * Fix bugs and update dependencies
 

docs/clients/android/index.md

@@ -16,7 +16,6 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 * [Play Store](https://play.google.com/store/apps/details?id=io.nekohasekai.sfa)
 * [Play Store (Beta)](https://play.google.com/apps/testing/io.nekohasekai.sfa)
 * [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
-* [F-Droid](https://f-droid.org/packages/io.nekohasekai.sfa/) (Unified signature via reproducible builds)
 
 ## :material-source-repository: Source code
 

docs/clients/apple/index.md

@@ -15,12 +15,7 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 ## :material-download: Download
 
 * [App Store](https://apps.apple.com/us/app/sing-box/id6451272673)
-* ~~TestFlight (Beta)~~
-
-TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
-(one-time sponsorships are accepted).
-Once you donate, you can get an invitation by sending us your Apple ID [via email](mailto:contact@sagernet.org),
-or join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot).
+* [TestFlight (Beta)](https://testflight.apple.com/join/AcqO44FH)
 
 ## :material-file-download: Download (macOS standalone version)
 

docs/clients/privacy.md

@@ -6,9 +6,3 @@ icon: material/security
 
 sing-box and official graphics clients do not collect or share personal data,
 and the data generated by the software is always on your device.
-
-## Android
-
-If your configuration contains `wifi_ssid` or `wifi_bssid` routing rules,
-sing-box uses the location permission in the background
-to get information about the connected Wi-Fi network to make them work.

docs/configuration/dns/index.md

@@ -1,11 +1,3 @@
----
-icon: material/new-box
----
-
-!!! quote "Changes in sing-box 1.9.0"
-
-    :material-plus: [client_subnet](#client_subnet)
-
 # DNS
 
 ### Structure
@@ -21,7 +13,6 @@ icon: material/new-box
     "disable_expire": false,
     "independent_cache": false,
     "reverse_mapping": false,
-    "client_subnet": "",
     "fakeip": {}
   }
 }
@@ -30,8 +21,8 @@ icon: material/new-box
 
 ### Fields
 
-| Key      | Format                          |
-|----------|---------------------------------|
+| Key      | Format                         |
+|----------|--------------------------------|
 | `server` | List of [DNS Server](./server/) |
 | `rules`  | List of [DNS Rule](./rule/)     |
 | `fakeip` | [FakeIP](./fakeip/)             |
@@ -69,12 +60,6 @@ Stores a reverse mapping of IP addresses after responding to a DNS query in orde
 Since this process relies on the act of resolving domain names by an application before making a request, it can be
 problematic in environments such as macOS, where DNS is proxied and cached by the system.
 
-#### client_subnet
+#### fakeip
 
-!!! question "Since sing-box 1.9.0"
-
-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
-
-Can be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.
+[FakeIP](./fakeip/) settings.

docs/configuration/dns/index.zh.md

@@ -1,11 +1,3 @@
----
-icon: material/new-box
----
-
-!!! quote "sing-box 1.9.0 中的更改"
-
-    :material-plus: [client_subnet](#client_subnet)
-
 # DNS
 
 ### 结构
@@ -21,7 +13,6 @@ icon: material/new-box
     "disable_expire": false,
     "independent_cache": false,
     "reverse_mapping": false,
-    "client_subnet": "",
     "fakeip": {}
   }
 }
@@ -67,16 +58,6 @@ icon: material/new-box
 
 由于此过程依赖于应用程序在发出请求之前解析域名的行为，因此在 macOS 等 DNS 由系统代理和缓存的环境中可能会出现问题。
 
-#### client_subnet
-
-!!! question "自 sing-box 1.9.0 起"
-
-默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
-
-如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
-
-可以被 `servers.[].client_subnet` 或 `rules.[].client_subnet` 覆盖。
-
 #### fakeip
 
 [FakeIP](./fakeip/) 设置。

docs/configuration/dns/rule.md

@@ -1,21 +1,7 @@
 ---
-icon: material/new-box
+icon: material/alert-decagram
 ---
 
-!!! quote "Changes in sing-box 1.10.0"
-
-    :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
-    :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)  
-    :material-plus: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)
-
-!!! quote "Changes in sing-box 1.9.0"
-
-    :material-plus: [geoip](#geoip)  
-    :material-plus: [ip_cidr](#ip_cidr)  
-    :material-plus: [ip_is_private](#ip_is_private)  
-    :material-plus: [client_subnet](#client_subnet)
-    :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
-
 !!! quote "Changes in sing-box 1.8.0"
 
     :material-plus: [rule_set](#rule_set)  
@@ -67,19 +53,11 @@ icon: material/new-box
         "source_geoip": [
           "private"
         ],
-        "geoip": [
-          "cn"
-        ],
         "source_ip_cidr": [
           "10.0.0.0/24",
           "192.168.0.1"
         ],
         "source_ip_is_private": false,
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_is_private": false,
         "source_port": [
           12345
         ],
@@ -123,18 +101,13 @@ icon: material/new-box
           "geoip-cn",
           "geosite-cn"
         ],
-        // deprecated
-        "rule_set_ipcidr_match_source": false,
-        "rule_set_ip_cidr_match_source": false,
-        "rule_set_ip_cidr_accept_empty": false,
         "invert": false,
         "outbound": [
           "direct"
         ],
         "server": "local",
         "disable_cache": false,
-        "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1/24"
+        "rewrite_ttl": 100
       },
       {
         "type": "logical",
@@ -142,8 +115,7 @@ icon: material/new-box
         "rules": [],
         "server": "local",
         "disable_cache": false,
-        "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1/24"
+        "rewrite_ttl": 100
       }
     ]
   }
@@ -166,7 +138,7 @@ icon: material/new-box
     (`source_port` || `source_port_range`) &&  
     `other fields`
 
-    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
+    Additionally, included rule sets can be considered merged rather than as a single rule sub-item.
 
 #### inbound
 
@@ -294,9 +266,11 @@ Match Clash mode.
 
 #### wifi_ssid
 
+<!-- md:version 1.7.0-beta.4 -->
+
 !!! quote ""
 
-    Only supported in graphical clients on Android and Apple platforms.
+    Only supported in graphical clients on Android and iOS.
 
 Match WiFi SSID.
 
@@ -304,7 +278,7 @@ Match WiFi SSID.
 
 !!! quote ""
 
-    Only supported in graphical clients on Android and Apple platforms.
+    Only supported in graphical clients on Android and iOS.
 
 Match WiFi BSSID.
 
@@ -312,23 +286,7 @@ Match WiFi BSSID.
 
 !!! question "Since sing-box 1.8.0"
 
-Match [rule-set](/configuration/route/#rule_set).
-
-#### rule_set_ipcidr_match_source
-
-!!! question "Since sing-box 1.9.0"
-
-!!! failure "Deprecated in sing-box 1.10.0"
-    
-    `rule_set_ipcidr_match_source` is renamed to `rule_set_ip_cidr_match_source` and will be remove in sing-box 1.11.0.
-
-Make `ip_cidr` rule items in rule-sets match the source IP.
-
-#### rule_set_ip_cidr_match_source
-
-!!! question "Since sing-box 1.10.0"
-
-Make `ip_cidr` rule items in rule-sets match the source IP.
+Match [Rule Set](/configuration/route/#rule_set).
 
 #### invert
 
@@ -354,52 +312,6 @@ Disable cache and save cache in this query.
 
 Rewrite TTL in DNS responses.
 
-#### client_subnet
-
-!!! question "Since sing-box 1.9.0"
-
-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
-
-Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
-
-### Address Filter Fields
-
-Only takes effect for address requests (A/AAAA/HTTPS). When the query results do not match the address filtering rule items, the current rule will be skipped.
-
-!!! info ""
-
-    `ip_cidr` items in included rule-sets also takes effect as an address filtering field.
-
-!!! note ""
-
-    Enable `experimental.cache_file.store_rdrc` to cache results.
-
-#### geoip
-
-!!! question "Since sing-box 1.9.0"
-
-Match GeoIP with query response.
-
-#### ip_cidr
-
-!!! question "Since sing-box 1.9.0"
-
-Match IP CIDR with query response.
-
-#### ip_is_private
-
-!!! question "Since sing-box 1.9.0"
-
-Match private IP with query response.
-
-#### rule_set_ip_cidr_accept_empty
-
-!!! question "Since sing-box 1.10.0"
-
-Make `ip_cidr` rules in rule-sets accept empty query response.
-
 ### Logical Fields
 
 #### type

docs/configuration/dns/rule.zh.md

@@ -1,21 +1,7 @@
 ---
-icon: material/new-box
+icon: material/alert-decagram
 ---
 
-!!! quote "sing-box 1.10.0 中的更改"
-
-    :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
-    :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)  
-    :material-plus: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)
-
-!!! quote "sing-box 1.9.0 中的更改"
-
-    :material-plus: [geoip](#geoip)  
-    :material-plus: [ip_cidr](#ip_cidr)  
-    :material-plus: [ip_is_private](#ip_is_private)  
-    :material-plus: [client_subnet](#client_subnet)
-    :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
-
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-plus: [rule_set](#rule_set)  
@@ -67,19 +53,10 @@ icon: material/new-box
         "source_geoip": [
           "private"
         ],
-        "geoip": [
-          "cn"
-        ],
         "source_ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
+          "10.0.0.0/24"
         ],
         "source_ip_is_private": false,
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_is_private": false,
         "source_port": [
           12345
         ],
@@ -123,25 +100,19 @@ icon: material/new-box
           "geoip-cn",
           "geosite-cn"
         ],
-        // 已弃用
-        "rule_set_ipcidr_match_source": false,
-        "rule_set_ip_cidr_match_source": false,
-        "rule_set_ip_cidr_accept_empty": false,
         "invert": false,
         "outbound": [
           "direct"
         ],
         "server": "local",
-        "disable_cache": false,
-        "client_subnet": "127.0.0.1/24"
+        "disable_cache": false
       },
       {
         "type": "logical",
         "mode": "and",
         "rules": [],
         "server": "local",
-        "disable_cache": false,
-        "client_subnet": "127.0.0.1/24"
+        "disable_cache": false
       }
     ]
   }
@@ -294,7 +265,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! quote ""
 
-    仅在 Android 与 Apple 平台图形客户端中支持。
+    仅在 Android 与 iOS 的图形客户端中支持。
 
 匹配 WiFi SSID。
 
@@ -302,7 +273,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! quote ""
 
-    仅在 Android 与 Apple 平台图形客户端中支持。
+    仅在 Android 与 iOS 的图形客户端中支持。
 
 匹配 WiFi BSSID。
 
@@ -312,22 +283,6 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 匹配[规则集](/zh/configuration/route/#rule_set)。
 
-#### rule_set_ipcidr_match_source
-
-!!! question "自 sing-box 1.9.0 起"
-
-!!! failure "已在 sing-box 1.10.0 废弃"
-
-    `rule_set_ipcidr_match_source` 已重命名为 `rule_set_ip_cidr_match_source` 且将在 sing-box 1.11.0 移除。
-
-使规则集中的 `ip_cidr` 规则匹配源 IP。
-
-#### rule_set_ip_cidr_match_source
-
-!!! question "自 sing-box 1.10.0 起"
-
-使规则集中的 `ip_cidr` 规则匹配源 IP。
-
 #### invert
 
 反选匹配结果。
@@ -352,52 +307,6 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 重写 DNS 回应中的 TTL。
 
-#### client_subnet
-
-!!! question "自 sing-box 1.9.0 起"
-
-默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
-
-如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
-
-将覆盖 `dns.client_subnet` 与 `servers.[].client_subnet`。
-
-### 地址筛选字段
-
-仅对地址请求 (A/AAAA/HTTPS) 生效。 当查询结果与地址筛选规则项不匹配时，将跳过当前规则。
-
-!!! info ""
-
-    引用的规则集中的 `ip_cidr` 项也作为地址筛选字段生效。
-
-!!! note ""
-
-    启用 `experimental.cache_file.store_rdrc` 以缓存结果。
-
-#### geoip
-
-!!! question "自 sing-box 1.9.0 起"
-
-与查询响应匹配 GeoIP。
-
-#### ip_cidr
-
-!!! question "自 sing-box 1.9.0 起"
-
-与查询响应匹配 IP CIDR。
-
-#### ip_is_private
-
-!!! question "自 sing-box 1.9.0 起"
-
-与查询响应匹配非公开 IP。
-
-#### rule_set_ip_cidr_accept_empty
-
-!!! question "自 sing-box 1.10.0 起"
-
-使规则集中的 `ip_cidr` 规则接受空查询响应。
-
 ### 逻辑字段
 
 #### type
@@ -410,4 +319,4 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### rules
 
-包括的规则。
+包括的规则。

docs/configuration/dns/server.md

@@ -1,11 +1,3 @@
----
-icon: material/new-box
----
-
-!!! quote "Changes in sing-box 1.9.0"
-
-    :material-plus: [client_subnet](#client_subnet)
-
 ### Structure
 
 ```json
@@ -13,17 +5,17 @@ icon: material/new-box
   "dns": {
     "servers": [
       {
-        "tag": "",
-        "address": "",
-        "address_resolver": "",
-        "address_strategy": "",
-        "strategy": "",
-        "detour": "",
-        "client_subnet": ""
+        "tag": "google",
+        "address": "tls://dns.google",
+        "address_resolver": "local",
+        "address_strategy": "prefer_ipv4",
+        "strategy": "ipv4_only",
+        "detour": "direct"
       }
     ]
   }
 }
+
 ```
 
 ### Fields
@@ -88,22 +80,10 @@ Default domain strategy for resolving the domain names.
 
 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
 
-Take no effect if overridden by other settings.
+Take no effect if override by other settings.
 
 #### detour
 
 Tag of an outbound for connecting to the dns server.
 
 Default outbound will be used if empty.
-
-#### client_subnet
-
-!!! question "Since sing-box 1.9.0"
-
-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
-
-Can be overrides by `rules.[].client_subnet`.
-
-Will overrides `dns.client_subnet`.

docs/configuration/dns/server.zh.md

@@ -1,11 +1,3 @@
----
-icon: material/new-box
----
-
-!!! quote "sing-box 1.9.0 中的更改"
-
-    :material-plus: [client_subnet](#client_subnet)
-
 ### 结构
 
 ```json
@@ -13,17 +5,17 @@ icon: material/new-box
   "dns": {
     "servers": [
       {
-        "tag": "",
-        "address": "",
-        "address_resolver": "",
-        "address_strategy": "",
-        "strategy": "",
-        "detour": "",
-        "client_subnet": ""
+        "tag": "google",
+        "address": "tls://dns.google",
+        "address_resolver": "local",
+        "address_strategy": "prefer_ipv4",
+        "strategy": "ipv4_only",
+        "detour": "direct"
       }
     ]
   }
 }
+
 ```
 
 ### 字段
@@ -95,15 +87,3 @@ DNS 服务器的地址。
 用于连接到 DNS 服务器的出站的标签。
 
 如果为空，将使用默认出站。
-
-#### client_subnet
-
-!!! question "自 sing-box 1.9.0 起"
-
-默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
-
-如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
-
-可以被 `rules.[].client_subnet` 覆盖。
-
-将覆盖 `dns.client_subnet`。

docs/configuration/experimental/cache-file.md

@@ -4,11 +4,6 @@ icon: material/new-box
 
 !!! question "Since sing-box 1.8.0"
 
-!!! quote "Changes in sing-box 1.9.0"
-
-    :material-plus: [store_rdrc](#store_rdrc)  
-    :material-plus: [rdrc_timeout](#rdrc_timeout)  
-
 ### Structure
 
 ```json
@@ -16,9 +11,7 @@ icon: material/new-box
   "enabled": true,
   "path": "",
   "cache_id": "",
-  "store_fakeip": false,
-  "store_rdrc": false,
-  "rdrc_timeout": ""
+  "store_fakeip": false
 }
 ```
 
@@ -36,23 +29,6 @@ Path to the cache file.
 
 #### cache_id
 
-Identifier in the cache file
+Identifier in cache file.
 
 If not empty, configuration specified data will use a separate store keyed by it.
-
-#### store_fakeip
-
-Store fakeip in the cache file
-
-#### store_rdrc
-
-Store rejected DNS response cache in the cache file
-
-The check results of [Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields)
-will be cached until expiration.
-
-#### rdrc_timeout
-
-Timeout of rejected DNS response cache.
-
-`7d` is used by default.

docs/configuration/experimental/cache-file.zh.md

@@ -4,11 +4,6 @@ icon: material/new-box
 
 !!! question "自 sing-box 1.8.0 起"
 
-!!! quote "sing-box 1.9.0 中的更改"
-
-    :material-plus: [store_rdrc](#store_rdrc)  
-    :material-plus: [rdrc_timeout](#rdrc_timeout)  
-
 ### 结构
 
 ```json
@@ -16,9 +11,7 @@ icon: material/new-box
   "enabled": true,
   "path": "",
   "cache_id": "",
-  "store_fakeip": false,
-  "store_rdrc": false,
-  "rdrc_timeout": ""
+  "store_fakeip": false
 }
 ```
 
@@ -37,19 +30,3 @@ icon: material/new-box
 缓存文件中的标识符。
 
 如果不为空，配置特定的数据将使用由其键控的单独存储。
-
-#### store_fakeip
-
-将 fakeip 存储在缓存文件中。
-
-#### store_rdrc
-
-将拒绝的 DNS 响应缓存存储在缓存文件中。
-
-[地址筛选 DNS 规则项](/zh/configuration/dns/rule/#_3) 的检查结果将被缓存至过期。
-
-#### rdrc_timeout
-
-拒绝的 DNS 响应缓存超时。
-
-默认使用 `7d`。

docs/configuration/experimental/clash-api.md

@@ -1,3 +1,7 @@
+---
+icon: material/alert-decagram
+---
+
 !!! quote "Changes in sing-box 1.8.0"
 
     :material-delete-alert: [store_mode](#store_mode)  

docs/configuration/experimental/clash-api.zh.md

@@ -1,3 +1,7 @@
+---
+icon: material/alert-decagram
+---
+
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-delete-alert: [store_mode](#store_mode)  

docs/configuration/experimental/index.md

@@ -1,3 +1,7 @@
+---
+icon: material/alert-decagram
+---
+
 # Experimental
 
 !!! quote "Changes in sing-box 1.8.0"

docs/configuration/experimental/index.zh.md

@@ -1,3 +1,7 @@
+---
+icon: material/alert-decagram
+---
+
 # 实验性
 
 !!! quote "sing-box 1.8.0 中的更改"

docs/configuration/inbound/http.md

@@ -42,6 +42,6 @@ No authentication required if empty.
 
 !!! warning ""
 
-    To work on Android and Apple platforms without privileges, use tun.platform.http_proxy instead.
+    To work on Android and iOS without privileges, use tun.platform.http_proxy instead.
 
 Automatically set system proxy configuration when start and clean up when stop.

docs/configuration/inbound/mixed.md

@@ -39,6 +39,6 @@ No authentication required if empty.
 
 !!! warning ""
 
-    To work on Android and Apple platforms without privileges, use tun.platform.http_proxy instead.
+    To work on Android and iOS without privileges, use tun.platform.http_proxy instead.
 
 Automatically set system proxy configuration when start and clean up when stop.

docs/configuration/inbound/tun.md

@@ -1,31 +1,7 @@
 ---
-icon: material/new-box
+icon: material/alert-decagram
 ---
 
-!!! quote "Changes in sing-box 1.10.0"
-
-    :material-plus: [address](#address)  
-    :material-delete-clock: [inet4_address](#inet4_address)  
-    :material-delete-clock: [inet6_address](#inet6_address)  
-    :material-plus: [route_address](#route_address)  
-    :material-delete-clock: [inet4_route_address](#inet4_route_address)  
-    :material-delete-clock: [inet6_route_address](#inet6_route_address)  
-    :material-plus: [route_exclude_address](#route_address)  
-    :material-delete-clock: [inet4_route_exclude_address](#inet4_route_exclude_address)  
-    :material-delete-clock: [inet6_route_exclude_address](#inet6_route_exclude_address)  
-    :material-plus: [iproute2_table_index](#iproute2_table_index)  
-    :material-plus: [iproute2_rule_index](#iproute2_table_index)  
-    :material-plus: [auto_redirect](#auto_redirect)  
-    :material-plus: [auto_redirect_input_mark](#auto_redirect_input_mark)  
-    :material-plus: [auto_redirect_output_mark](#auto_redirect_output_mark)  
-    :material-plus: [route_address_set](#route_address_set)  
-    :material-plus: [route_exclude_address_set](#route_address_set)
-
-!!! quote "Changes in sing-box 1.9.0"
-
-    :material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)  
-    :material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)  
-
 !!! quote "Changes in sing-box 1.8.0"
 
     :material-plus: [gso](#gso)  
@@ -42,61 +18,26 @@ icon: material/new-box
   "type": "tun",
   "tag": "tun-in",
   "interface_name": "tun0",
-  "address": [
-    "172.18.0.1/30",
-    "fdfe:dcba:9876::1/126"
-  ],
-  // deprecated
-  "inet4_address": [
-    "172.19.0.1/30"
-  ],
-  // deprecated
-  "inet6_address": [
-    "fdfe:dcba:9876::1/126"
-  ],
+  "inet4_address": "172.19.0.1/30",
+  "inet6_address": "fdfe:dcba:9876::1/126",
   "mtu": 9000,
   "gso": false,
   "auto_route": true,
-  "iproute2_table_index": 2022,
-  "iproute2_rule_index": 9000,
-  "auto_redirect": false,
-  "auto_redirect_input_mark": "0x2023",
-  "auto_redirect_output_mark": "0x2024",
   "strict_route": true,
-  "route_address": [
-    "0.0.0.0/1",
-    "128.0.0.0/1",
-    "::/1",
-    "8000::/1"
-  ],
-  // deprecated
   "inet4_route_address": [
     "0.0.0.0/1",
     "128.0.0.0/1"
   ],
-  // deprecated
   "inet6_route_address": [
     "::/1",
     "8000::/1"
   ],
-  "route_exclude_address": [
-    "192.168.0.0/16",
-    "fc00::/7"
-  ],
-  // deprecated
   "inet4_route_exclude_address": [
     "192.168.0.0/16"
   ],
-  // deprecated
   "inet6_route_exclude_address": [
     "fc00::/7"
   ],
-  "route_address_set": [
-    "geoip-cloudflare"
-  ],
-  "route_exclude_address_set": [
-    "geoip-cn"
-  ],
   "endpoint_independent_nat": false,
   "udp_timeout": "5m",
   "stack": "system",
@@ -132,13 +73,11 @@ icon: material/new-box
     "http_proxy": {
       "enabled": false,
       "server": "127.0.0.1",
-      "server_port": 8080,
-      "bypass_domain": [],
-      "match_domain": []
+      "server_port": 8080
     }
   },
-  ...
-  // Listen Fields
+  
+  ... // Listen Fields
 }
 ```
 
@@ -156,26 +95,14 @@ icon: material/new-box
 
 Virtual device name, automatically selected if empty.
 
-#### address
-
-!!! question "Since sing-box 1.10.0"
-
-IPv4 and IPv6 prefix for the tun interface.
-
 #### inet4_address
 
-!!! failure "Deprecated in sing-box 1.10.0"
-
-    `inet4_address` is merged to `address` and will be removed in sing-box 1.11.0.
+==Required==
 
 IPv4 prefix for the tun interface.
 
 #### inet6_address
 
-!!! failure "Deprecated in sing-box 1.10.0"
-
-    `inet6_address` is merged to `address` and will be removed in sing-box 1.11.0.
-
 IPv6 prefix for the tun interface.
 
 #### mtu
@@ -188,7 +115,7 @@ The maximum transmission unit.
 
 !!! quote ""
 
-    Only supported on Linux with `auto_route` enabled.
+    Only supported on Linux.
 
 Enable generic segmentation offload.
 
@@ -204,57 +131,6 @@ Set the default route to the Tun.
 
     By default, VPN takes precedence over tun. To make tun go through VPN, enable `route.override_android_vpn`.
 
-#### iproute2_table_index
-
-!!! question "Since sing-box 1.10.0"
-
-Linux iproute2 table index generated by `auto_route`.
-
-`2022` is used by default.
-
-#### iproute2_rule_index
-
-!!! question "Since sing-box 1.10.0"
-
-Linux iproute2 rule start index generated by `auto_route`.
-
-`9000` is used by default.
-
-#### auto_redirect
-
-!!! question "Since sing-box 1.10.0"
-
-!!! quote ""
-
-    Only supported on Linux with `auto_route` enabled.
-
-Automatically configure iptables/nftables to redirect connections.
-
-*In Android*：
-
-Only local connections are forwarded. To share your VPN connection over hotspot or repeater,
-use [VPNHotspot](https://github.com/Mygod/VPNHotspot).
-
-*In Linux*:
-
-`auto_route` with `auto_redirect` now works as expected on routers **without intervention**.
-
-#### auto_redirect_input_mark
-
-!!! question "Since sing-box 1.10.0"
-
-Connection input mark used by `route_address_set` and `route_exclude_address_set`.
-
-`0x2023` is used by default.
-
-#### auto_redirect_output_mark
-
-!!! question "Since sing-box 1.10.0"
-
-Connection output mark used by `route_address_set` and `route_exclude_address_set`.
-
-`0x2024` is used by default.
-
 #### strict_route
 
 Enforce strict routing rules when `auto_route` is enabled:
@@ -262,10 +138,9 @@ Enforce strict routing rules when `auto_route` is enabled:
 *In Linux*:
 
 * Let unsupported network unreachable
-* Make ICMP traffic route to tun instead of upstream interfaces
 * Route all connections to tun
 
-It prevents IP address leaks and makes DNS hijacking work on Android.
+It prevents address leaks and makes DNS hijacking work on Android, but your device will not be accessible by others.
 
 *In Windows*:
 
@@ -274,80 +149,22 @@ It prevents IP address leaks and makes DNS hijacking work on Android.
 
 It may prevent some applications (such as VirtualBox) from working properly in certain situations.
 
-#### route_address
-
-!!! question "Since sing-box 1.10.0"
-
-Use custom routes instead of default when `auto_route` is enabled.
-
 #### inet4_route_address
 
-!!! failure "Deprecated in sing-box 1.10.0"
-
-`inet4_route_address` is deprecated and will be removed in sing-box 1.11.0, please use [route_address](#route_address)
-instead.
-
 Use custom routes instead of default when `auto_route` is enabled.
 
 #### inet6_route_address
 
-!!! failure "Deprecated in sing-box 1.10.0"
-
-`inet6_route_address` is deprecated and will be removed in sing-box 1.11.0, please use [route_address](#route_address)
-instead.
-
 Use custom routes instead of default when `auto_route` is enabled.
 
-#### route_exclude_address
-
-!!! question "Since sing-box 1.10.0"
-
-Exclude custom routes when `auto_route` is enabled.
-
 #### inet4_route_exclude_address
 
-!!! failure "Deprecated in sing-box 1.10.0"
-
-`inet4_route_exclude_address` is deprecated and will be removed in sing-box 1.11.0, please
-use [route_exclude_address](#route_exclude_address) instead.
-
 Exclude custom routes when `auto_route` is enabled.
 
 #### inet6_route_exclude_address
 
-!!! failure "Deprecated in sing-box 1.10.0"
-
-`inet6_route_exclude_address` is deprecated and will be removed in sing-box 1.11.0, please
-use [route_exclude_address](#route_exclude_address) instead.
-
 Exclude custom routes when `auto_route` is enabled.
 
-#### route_address_set
-
-!!! question "Since sing-box 1.10.0"
-
-!!! quote ""
-
-    Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
-
-Add the destination IP CIDR rules in the specified rule-sets to the firewall.
-Unmatched traffic will bypass the sing-box routes.
-
-Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
-
-#### route_exclude_address_set
-
-!!! question "Since sing-box 1.10.0"
-
-!!! quote ""
-
-    Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
-
-Add the destination IP CIDR rules in the specified rule-sets to the firewall.
-Matched traffic will bypass the sing-box routes.
-
-Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
-
 #### endpoint_independent_nat
 
 !!! info ""
@@ -390,10 +207,6 @@ Conflict with `exclude_interface`.
 
 #### exclude_interface
 
-!!! warning ""
-
-    When `strict_route` enabled, return traffic to excluded interfaces will not be automatically excluded, so add them as well (example: `br-lan` and `pppoe-wan`).
-
 Exclude interfaces in route.
 
 Conflict with `include_interface`.
@@ -447,38 +260,6 @@ Platform-specific settings, provided by client applications.
 
 System HTTP proxy settings.
 
-#### platform.http_proxy.enabled
-
-Enable system HTTP proxy.
-
-#### platform.http_proxy.server
-
-==Required==
-
-HTTP proxy server address.
-
-#### platform.http_proxy.server_port
-
-==Required==
-
-HTTP proxy server port.
-
-#### platform.http_proxy.bypass_domain
-
-!!! note ""
-
-    On Apple platforms, `bypass_domain` items matches hostname **suffixes**.
-
-Hostnames that bypass the HTTP proxy.
-
-#### platform.http_proxy.match_domain
-
-!!! quote ""
-
-    Only supported in graphical clients on Apple platforms.
-
-Hostnames that use the HTTP proxy.
-
 ### Listen Fields
 
 See [Listen Fields](/configuration/shared/listen/) for details.

docs/configuration/inbound/tun.zh.md

@@ -1,31 +1,7 @@
 ---
-icon: material/new-box
+icon: material/alert-decagram
 ---
 
-!!! quote "Changes in sing-box 1.10.0"
-
-    :material-plus: [address](#address)  
-    :material-delete-clock: [inet4_address](#inet4_address)  
-    :material-delete-clock: [inet6_address](#inet6_address)  
-    :material-plus: [route_address](#route_address)  
-    :material-delete-clock: [inet4_route_address](#inet4_route_address)  
-    :material-delete-clock: [inet6_route_address](#inet6_route_address)  
-    :material-plus: [route_exclude_address](#route_address)  
-    :material-delete-clock: [inet4_route_exclude_address](#inet4_route_exclude_address)  
-    :material-delete-clock: [inet6_route_exclude_address](#inet6_route_exclude_address)   
-    :material-plus: [iproute2_table_index](#iproute2_table_index)  
-    :material-plus: [iproute2_rule_index](#iproute2_table_index)  
-    :material-plus: [auto_redirect](#auto_redirect)  
-    :material-plus: [auto_redirect_input_mark](#auto_redirect_input_mark)  
-    :material-plus: [auto_redirect_output_mark](#auto_redirect_output_mark)  
-    :material-plus: [route_address_set](#route_address_set)  
-    :material-plus: [route_exclude_address_set](#route_address_set)
-
-!!! quote "sing-box 1.9.0 中的更改"
-
-    :material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)  
-    :material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)  
-
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-plus: [gso](#gso)  
@@ -42,61 +18,26 @@ icon: material/new-box
   "type": "tun",
   "tag": "tun-in",
   "interface_name": "tun0",
-  "address": [
-    "172.18.0.1/30",
-    "fdfe:dcba:9876::1/126"
-  ],
-  // 已弃用
-  "inet4_address": [
-    "172.19.0.1/30"
-  ],
-  // 已弃用
-  "inet6_address": [
-    "fdfe:dcba:9876::1/126"
-  ],
+  "inet4_address": "172.19.0.1/30",
+  "inet6_address": "fdfe:dcba:9876::1/126",
   "mtu": 9000,
   "gso": false,
   "auto_route": true,
-  "iproute2_table_index": 2022,
-  "iproute2_rule_index": 9000,
-  "auto_redirect": false,
-  "auto_redirect_input_mark": "0x2023",
-  "auto_redirect_output_mark": "0x2024",
   "strict_route": true,
-  "route_address": [
-    "0.0.0.0/1",
-    "128.0.0.0/1",
-    "::/1",
-    "8000::/1"
-  ],
-  // 已弃用
   "inet4_route_address": [
     "0.0.0.0/1",
     "128.0.0.0/1"
   ],
-  // 已弃用
   "inet6_route_address": [
     "::/1",
     "8000::/1"
   ],
-  "route_exclude_address": [
-    "192.168.0.0/16",
-    "fc00::/7"
-  ],
-  // 已弃用
   "inet4_route_exclude_address": [
     "192.168.0.0/16"
   ],
-  // 已弃用
   "inet6_route_exclude_address": [
     "fc00::/7"
   ],
-  "route_address_set": [
-    "geoip-cloudflare"
-  ],
-  "route_exclude_address_set": [
-    "geoip-cn"
-  ],
   "endpoint_independent_nat": false,
   "udp_timeout": "5m",
   "stack": "system",
@@ -132,9 +73,7 @@ icon: material/new-box
     "http_proxy": {
       "enabled": false,
       "server": "127.0.0.1",
-      "server_port": 8080,
-      "bypass_domain": [],
-      "match_domain": []
+      "server_port": 8080
     }
   },
   
@@ -156,30 +95,14 @@ icon: material/new-box
 
 虚拟设备名称，默认自动选择。
 
-#### address
-
-!!! question "自 sing-box 1.10.0 起"
-
-==必填==
-
-tun 接口的 IPv4 和 IPv6 前缀。
-
 #### inet4_address
 
-!!! failure "已在 sing-box 1.10.0 废弃"
-
-    `inet4_address` 已合并到 `address` 且将在 sing-box 1.11.0 移除。
-
 ==必填==
 
 tun 接口的 IPv4 前缀。
 
 #### inet6_address
 
-!!! failure "已在 sing-box 1.10.0 废弃"
-
-    `inet6_address` 已合并到 `address` 且将在 sing-box 1.11.0 移除。
-
 tun 接口的 IPv6 前缀。
 
 #### mtu
@@ -208,56 +131,6 @@ tun 接口的 IPv6 前缀。
 
     VPN 默认优先于 tun。要使 tun 经过 VPN，启用 `route.override_android_vpn`。
 
-#### iproute2_table_index
-
-!!! question "自 sing-box 1.10.0 起"
-
-`auto_route` 生成的 iproute2 路由表索引。
-
-默认使用 `2022`。
-
-#### iproute2_rule_index
-
-!!! question "自 sing-box 1.10.0 起"
-
-`auto_route` 生成的 iproute2 规则起始索引。
-
-默认使用 `9000`。
-
-#### auto_redirect
-
-!!! question "自 sing-box 1.10.0 起"
-
-!!! quote ""
-
-    仅支持 Linux，且需要 `auto_route` 已启用。 
-
-自动配置 iptables 以重定向 TCP 连接。
-
-*在 Android 中*：
-
-仅转发本地 IPv4 连接。 要通过热点或中继共享您的 VPN 连接，请使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot)。
-
-*在 Linux 中*:
-
-带有 `auto_redirect `的 `auto_route` 现在可以在路由器上按预期工作，**无需干预**。
-
-#### auto_redirect_input_mark
-
-!!! question "自 sing-box 1.10.0 起"
-
-`route_address_set` 和 `route_exclude_address_set` 使用的连接输入标记。
-
-默认使用 `0x2023`。
-
-#### auto_redirect_output_mark
-
-!!! question "自 sing-box 1.10.0 起"
-
-`route_address_set` 和 `route_exclude_address_set` 使用的连接输出标记。
-
-默认使用 `0x2024`。
-
 #### strict_route
 
 启用 `auto_route` 时执行严格的路由规则。
@@ -265,10 +138,9 @@ tun 接口的 IPv6 前缀。
 *在 Linux 中*:
 
 * 让不支持的网络无法到达
-* 使 ICMP 流量路由到 tun 而不是上游接口
 * 将所有连接路由到 tun
 
-它可以防止 IP 地址泄漏，并使 DNS 劫持在 Android 上工作。
+它可以防止地址泄漏，并使 DNS 劫持在 Android 上工作，但你的设备将无法其他设备被访问。
 
 *在 Windows 中*:
 
@@ -278,76 +150,22 @@ tun 接口的 IPv6 前缀。
 
 它可能会使某些应用程序（如 VirtualBox）在某些情况下无法正常工作。
 
-#### route_address
-
-!!! question "自 sing-box 1.10.0 起"
-
-设置到 Tun 的自定义路由。
-
 #### inet4_route_address
 
-!!! failure "已在 sing-box 1.10.0 废弃"
-
-    `inet4_route_address` 已合并到 `route_address` 且将在 sing-box 1.11.0 移除。
-
 启用 `auto_route` 时使用自定义路由而不是默认路由。
 
 #### inet6_route_address
 
-!!! failure "已在 sing-box 1.10.0 废弃"
-
-    `inet6_route_address` 已合并到 `route_address` 且将在 sing-box 1.11.0 移除。
-
 启用 `auto_route` 时使用自定义路由而不是默认路由。
 
-#### route_exclude_address
-
-!!! question "自 sing-box 1.10.0 起"
-
-设置到 Tun 的排除自定义路由。
-
 #### inet4_route_exclude_address
 
-!!! failure "已在 sing-box 1.10.0 废弃"
-
-    `inet4_route_exclude_address` 已合并到 `route_exclude_address` 且将在 sing-box 1.11.0 移除。
-
 启用 `auto_route` 时排除自定义路由。
 
 #### inet6_route_exclude_address
 
-!!! failure "已在 sing-box 1.10.0 废弃"
-
-    `inet6_route_exclude_address` 已合并到 `route_exclude_address` 且将在 sing-box 1.11.0 移除。
-
 启用 `auto_route` 时排除自定义路由。
 
-#### route_address_set
-
-!!! question "自 sing-box 1.10.0 起"
-
-!!! quote ""
-
-    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
-
-将指定规则集中的目标 IP CIDR 规则添加到防火墙。
-不匹配的流量将绕过 sing-box 路由。
-
-与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
-
-#### route_exclude_address_set
-
-!!! question "自 sing-box 1.10.0 起"
-
-!!! quote ""
-
-    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。
-
-将指定规则集中的目标 IP CIDR 规则添加到防火墙。
-匹配的流量将绕过 sing-box 路由。
-
-与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
-
 #### endpoint_independent_nat
 
 启用独立于端点的 NAT。
@@ -386,10 +204,6 @@ TCP/IP 栈。
 
 #### exclude_interface
 
-!!! warning ""
-
-    当 `strict_route` 启用，到被排除接口的回程流量将不会被自动排除，因此也要添加它们（例：`br-lan` 与 `pppoe-wan`）。
-
 排除路由的接口。
 
 与 `include_interface` 冲突。
@@ -443,38 +257,6 @@ TCP/IP 栈。
 
 系统 HTTP 代理设置。
 
-##### platform.http_proxy.enabled
-
-启用系统 HTTP 代理。
-
-##### platform.http_proxy.server
-
-==必填==
-
-系统 HTTP 代理服务器地址。
-
-##### platform.http_proxy.server_port
-
-==必填==
-
-系统 HTTP 代理服务器端口。
-
-##### platform.http_proxy.bypass_domain
-
-!!! note ""
-
-    在 Apple 平台，`bypass_domain` 项匹配主机名 **后缀**.
-
-绕过代理的主机名列表。
-
-##### platform.http_proxy.match_domain
-
-!!! quote ""
-
-    仅在 Apple 平台图形客户端中支持。
-
-代理的主机名列表。
-
 ### 监听字段
 
 参阅 [监听字段](/zh/configuration/shared/listen/)。

docs/configuration/outbound/wireguard.md

@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 !!! quote "Changes in sing-box 1.8.0"
     
     :material-plus: [gso](#gso)  

docs/configuration/outbound/wireguard.zh.md

@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-plus: [gso](#gso)  

docs/configuration/route/index.md

@@ -1,3 +1,7 @@
+---
+icon: material/alert-decagram
+---
+
 # Route
 
 !!! quote "Changes in sing-box 1.8.0"
@@ -39,7 +43,7 @@ List of [Route Rule](./rule/)
 
 !!! question "Since sing-box 1.8.0"
 
-List of [rule-set](/configuration/rule-set/)
+List of [Rule Set](/configuration/rule-set/)
 
 #### final
 

docs/configuration/route/index.zh.md

@@ -1,3 +1,7 @@
+---
+icon: material/alert-decagram
+---
+
 # 路由
 
 !!! quote "sing-box 1.8.0 中的更改"

docs/configuration/route/rule.md

@@ -2,11 +2,6 @@
 icon: material/alert-decagram
 ---
 
-!!! quote "Changes in sing-box 1.10.0"
-
-    :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
-    :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)  
-
 !!! quote "Changes in sing-box 1.8.0"
 
     :material-plus: [rule_set](#rule_set)  
@@ -114,9 +109,6 @@ icon: material/alert-decagram
           "geoip-cn",
           "geosite-cn"
         ],
-        // deprecated
-        "rule_set_ipcidr_match_source": false,
-        "rule_set_ip_cidr_match_source": false,
         "invert": false,
         "outbound": "direct"
       },
@@ -148,7 +140,7 @@ icon: material/alert-decagram
     (`source_port` || `source_port_range`) &&  
     `other fields`
 
-    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
+    Additionally, included rule sets can be considered merged rather than as a single rule sub-item.
 
 #### inbound
 
@@ -292,7 +284,7 @@ Match Clash mode.
 
 !!! quote ""
 
-    Only supported in graphical clients on Android and Apple platforms.
+    Only supported in graphical clients on Android and iOS.
 
 Match WiFi SSID.
 
@@ -300,7 +292,7 @@ Match WiFi SSID.
 
 !!! quote ""
 
-    Only supported in graphical clients on Android and Apple platforms.
+    Only supported in graphical clients on Android and iOS.
 
 Match WiFi BSSID.
 
@@ -308,23 +300,13 @@ Match WiFi BSSID.
 
 !!! question "Since sing-box 1.8.0"
 
-Match [rule-set](/configuration/route/#rule_set).
+Match [Rule Set](/configuration/route/#rule_set).
 
 #### rule_set_ipcidr_match_source
 
 !!! question "Since sing-box 1.8.0"
 
-!!! failure "Deprecated in sing-box 1.10.0"
-
-    `rule_set_ipcidr_match_source` is renamed to `rule_set_ip_cidr_match_source` and will be remove in sing-box 1.11.0.
-
-Make `ip_cidr` in rule-sets match the source IP.
-
-#### rule_set_ip_cidr_match_source
-
-!!! question "Since sing-box 1.10.0"
-
-Make `ip_cidr` in rule-sets match the source IP.
+Make `ipcidr` in rule sets match the source IP.
 
 #### invert
 

docs/configuration/route/rule.zh.md

@@ -2,11 +2,6 @@
 icon: material/alert-decagram
 ---
 
-!!! quote "sing-box 1.10.0 中的更改"
-
-    :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
-    :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)  
-
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-plus: [rule_set](#rule_set)  
@@ -112,9 +107,6 @@ icon: material/alert-decagram
           "geoip-cn",
           "geosite-cn"
         ],
-        // 已弃用
-        "rule_set_ipcidr_match_source": false,
-        "rule_set_ip_cidr_match_source": false,
         "invert": false,
         "outbound": "direct"
       },
@@ -290,7 +282,7 @@ icon: material/alert-decagram
 
 !!! quote ""
 
-    仅在 Android 与 Apple 平台图形客户端中支持。
+    仅在 Android 与 iOS 的图形客户端中支持。
 
 匹配 WiFi SSID。
 
@@ -298,7 +290,7 @@ icon: material/alert-decagram
 
 !!! quote ""
 
-    仅在 Android 与 Apple 平台图形客户端中支持。
+    仅在 Android 与 iOS 的图形客户端中支持。
 
 匹配 WiFi BSSID。
 
@@ -312,17 +304,7 @@ icon: material/alert-decagram
 
 !!! question "自 sing-box 1.8.0 起"
 
-!!! failure "已在 sing-box 1.10.0 废弃"
-
-    `rule_set_ipcidr_match_source` 已重命名为 `rule_set_ip_cidr_match_source` 且将在 sing-box 1.11.0 移除。
-
-使规则集中的 `ip_cidr` 规则匹配源 IP。
-
-#### rule_set_ip_cidr_match_source
-
-!!! question "自 sing-box 1.10.0 起"
-
-使规则集中的 `ip_cidr` 规则匹配源 IP。
+使规则集中的 `ipcidr` 规则匹配源 IP。
 
 #### invert
 

docs/configuration/route/sniff.md

@@ -2,11 +2,10 @@ If enabled in the inbound, the protocol and domain name (if present) of by the c
 
 #### Supported Protocols
 
-| Network |  Protocol   | Domain Name |
-|:-------:|:-----------:|:-----------:|
-|   TCP   |    HTTP     |    Host     |
-|   TCP   |     TLS     | Server Name |
-|   UDP   |    QUIC     | Server Name |
-|   UDP   |    STUN     |      /      |
-| TCP/UDP |     DNS     |      /      |
-| TCP/UDP | BitTorrent  |      /      |
+| Network | Protocol | Domain Name |
+|:-------:|:--------:|:-----------:|
+|   TCP   |   HTTP   |    Host     |
+|   TCP   |   TLS    | Server Name |
+|   UDP   |   QUIC   | Server Name |
+|   UDP   |   STUN   |      /      |
+| TCP/UDP |   DNS    |      /      |

docs/configuration/route/sniff.zh.md

@@ -2,11 +2,10 @@
 
 #### 支持的协议
 
-|   网络    |     协议      |     域名      |
-|:-------:|:-----------:|:-----------:|
-|   TCP   |    HTTP     |    Host     |
-|   TCP   |     TLS     | Server Name |
-|   UDP   |    QUIC     | Server Name |
-|   UDP   |    STUN     |      /      |
-| TCP/UDP |     DNS     |      /      |
-| TCP/UDP | BitTorrent  |      /      |
+|   网络    |  协议  |     域名      |
+|:-------:|:----:|:-----------:|
+|   TCP   | HTTP |    Host     |
+|   TCP   | TLS  | Server Name |
+|   UDP   | QUIC | Server Name |
+|   UDP   | STUN |      /      |
+| TCP/UDP | DNS  |      /      |

docs/configuration/rule-set/headless-rule.md

@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 ### Structure
 
 !!! question "Since sing-box 1.8.0"
@@ -124,7 +128,7 @@ Match source IP CIDR.
 
 !!! info ""
 
-    `ip_cidr` is an alias for `source_ip_cidr` when `rule_set_ipcidr_match_source` enabled in route/DNS rules.
+    `ip_cidr` is an alias for `source_ip_cidr` when the Rule Set is used in DNS rules or `rule_set_ipcidr_match_source` enabled in route rules.
 
 Match IP CIDR.
 
@@ -168,7 +172,7 @@ Match android package name.
 
 !!! quote ""
 
-    Only supported in graphical clients on Android and Apple platforms.
+    Only supported in graphical clients on Android and iOS.
 
 Match WiFi SSID.
 
@@ -176,7 +180,7 @@ Match WiFi SSID.
 
 !!! quote ""
 
-    Only supported in graphical clients on Android and Apple platforms.
+    Only supported in graphical clients on Android and iOS.
 
 Match WiFi BSSID.
 

docs/configuration/rule-set/index.md

@@ -2,55 +2,51 @@
 icon: material/new-box
 ---
 
-!!! quote "Changes in sing-box 1.10.0"
-
-    :material-plus: `type: inline`
-
-# rule-set
+# Rule Set
 
 !!! question "Since sing-box 1.8.0"
 
 ### Structure
 
-=== "Inline"
+```json
+{
+  "type": "",
+  "tag": "",
+  "format": "",
+  
+  ... // Typed Fields
+}
+```
 
-    !!! question "Since sing-box 1.10.0"
+#### Local Structure
 
-    ```json
-    {
-      "type": "inline", // optional
-      "tag": "",
-      "rules": []
-    }
-    ```
+```json
+{
+  "type": "local",
+  
+  ...
+  
+  "path": ""
+}
+```
 
-=== "Local File"
+#### Remote Structure
 
-    ```json
-    {
-      "type": "local",
-      "tag": "",
-      "format": "source", // or binary
-      "path": ""
-    }
-    ```
+!!! info ""
 
-=== "Remote File"
+    Remote rule-set will be cached if `experimental.cache_file.enabled`.
 
-    !!! info ""
-    
-        Remote rule-set will be cached if `experimental.cache_file.enabled`.
-
-    ```json
-    {
-      "type": "remote",
-      "tag": "",
-      "format": "source", // or binary
-      "url": "",
-      "download_detour": "", // optional
-      "update_interval": "" // optional
-    }
-    ```
+```json
+{
+  "type": "remote",
+  
+  ...,
+  
+  "url": "",
+  "download_detour": "",
+  "update_interval": ""
+}
+```
 
 ### Fields
 
@@ -58,31 +54,19 @@ icon: material/new-box
 
 ==Required==
 
-Type of rule-set, `local` or `remote`.
+Type of Rule Set, `local` or `remote`.
 
 #### tag
 
 ==Required==
 
-Tag of rule-set.
-
-### Inline Fields
-
-!!! question "Since sing-box 1.10.0"
-
-#### rules
-
-==Required==
-
-List of [Headless Rule](./headless-rule.md/).
-
-### Local or Remote Fields
+Tag of Rule Set.
 
 #### format
 
 ==Required==
 
-Format of rule-set file, `source` or `binary`.
+Format of Rule Set, `source` or `binary`.
 
 ### Local Fields
 
@@ -90,11 +74,7 @@ Format of rule-set file, `source` or `binary`.
 
 ==Required==
 
-!!! note ""
-
-    Will be automatically reloaded if file modified since sing-box 1.10.0.
-
-File path of rule-set.
+File path of Rule Set.
 
 ### Remote Fields
 
@@ -102,7 +82,7 @@ File path of rule-set.
 
 ==Required==
 
-Download URL of rule-set.
+Download URL of Rule Set.
 
 #### download_detour
 
@@ -112,6 +92,6 @@ Default outbound will be used if empty.
 
 #### update_interval
 
-Update interval of rule-set.
+Update interval of Rule Set.
 
 `1d` will be used if empty.

docs/configuration/rule-set/source-format.md

@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 # Source Format
 
 !!! question "Since sing-box 1.8.0"
@@ -21,7 +25,7 @@ Use `sing-box rule-set compile [--output <file-name>.srs] <file-name>.json` to c
 
 ==Required==
 
-Version of rule-set, must be `1`.
+Version of Rule Set, must be `1`.
 
 #### rules
 

docs/configuration/shared/tls.md

@@ -1,3 +1,8 @@
+---
+icon: material/alert-decagram
+---
+
+
 !!! quote "Changes in sing-box 1.8.0"
 
     :material-alert-decagram: [utls](#utls)  
@@ -178,10 +183,6 @@ The server certificate line array, in PEM format.
 
 #### certificate_path
 
-!!! note ""
-
-    Will be automatically reloaded if file modified.
-
 The path to the server certificate, in PEM format.
 
 #### key
@@ -194,10 +195,6 @@ The server private key line array, in PEM format.
 
 ==Server only==
 
-!!! note ""
-
-    Will be automatically reloaded if file modified.
-
 The path to the server private key, in PEM format.
 
 ## Custom TLS support
@@ -274,10 +271,6 @@ ECH key line array, in PEM format.
 
 ==Server only==
 
-!!! note ""
-
-    Will be automatically reloaded if file modified.
-
 The path to ECH key, in PEM format.
 
 #### config
@@ -409,4 +402,8 @@ A hexadecimal string with zero to eight digits.
 
 The maximum time difference between the server and the client.
 
-Check disabled if empty.
+Check disabled if empty.
+
+### Reload
+
+For server configuration, certificate, key and ECH key will be automatically reloaded if modified.

docs/configuration/shared/tls.zh.md

@@ -1,3 +1,7 @@
+---
+icon: material/alert-decagram
+---
+
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-alert-decagram: [utls](#utls)  
@@ -176,20 +180,12 @@ TLS 版本值：
 
 #### certificate_path
 
-!!! note ""
-
-    文件更改时将自动重新加载。
-
 服务器 PEM 证书路径。
 
 #### key
 
 ==仅服务器==
 
-!!! note ""
-
-    文件更改时将自动重新加载。
-
 服务器 PEM 私钥行数组。
 
 #### key_path
@@ -266,10 +262,6 @@ ECH PEM 密钥行数组
 
 ==仅服务器==
 
-!!! note ""
-
-    文件更改时将自动重新加载。
-
 ECH PEM 密钥路径
 
 #### config
@@ -396,3 +388,7 @@ ACME DNS01 验证字段。如果配置，将禁用其他验证方法。
 服务器与和客户端之间允许的最大时间差。
 
 默认禁用检查。
+
+### 重载
+
+对于服务器配置，如果修改，证书和密钥将自动重新加载。

docs/deprecated.md

@@ -4,20 +4,6 @@ icon: material/delete-alert
 
 # Deprecated Feature List
 
-## 1.10.0
-
-#### TUN address fields are merged
-
-`inet4_address` and `inet6_address` are merged into `address`,
-`inet4_route_address` and `inet6_route_address` are merged into `route_address`,
-`inet4_route_exclude_address` and `inet6_route_exclude_address` are merged into `route_exclude_address`.
-
-Old fields are deprecated and will be removed in sing-box 1.11.0.
-
-#### Drop support for go1.18 and go1.19
-
-Due to maintenance difficulties, sing-box 1.10.0 requires at least Go 1.20 to compile.
-
 ## 1.8.0
 
 #### Cache file and related features in Clash API
@@ -33,7 +19,7 @@ The maxmind GeoIP National Database, as an IP classification database,
 is not entirely suitable for traffic bypassing,
 and all existing implementations suffer from high memory usage and difficult management.
 
-sing-box 1.8.0 introduces [rule-set](/configuration/rule-set/), which can completely replace GeoIP,
+sing-box 1.8.0 introduces [Rule Set](/configuration/rule_set/), which can completely replace GeoIP,
 check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 #### Geosite
@@ -43,9 +29,11 @@ Geosite is deprecated and may be removed in the future.
 Geosite, the `domain-list-community` project maintained by V2Ray as an early traffic bypassing solution,
 suffers from a number of problems, including lack of maintenance, inaccurate rules, and difficult management.
 
-sing-box 1.8.0 introduces [rule-set](/configuration/rule-set/), which can completely replace Geosite,
+sing-box 1.8.0 introduces [Rule Set](/configuration/rule_set/), which can completely replace Geosite,
 check [Migration](/migration/#migrate-geosite-to-rule-sets).
 
+Geosite，即由 V2Ray 维护的 domain-list-community 项目，作为早期流量绕过解决方案，存在着大量问题，包括缺少维护、规则不准确、管理困难。
+
 ## 1.6.0
 
 The following features will be marked deprecated in 1.5.0 and removed entirely in 1.6.0.

docs/deprecated.zh.md

@@ -4,20 +4,6 @@ icon: material/delete-alert
 
 # 废弃功能列表
 
-## 1.10.0
-
-#### TUN 地址字段已合并
-
-`inet4_address` 和 `inet6_address` 已合并为 `address`，
-`inet4_route_address` 和 `inet6_route_address` 已合并为 `route_address`，
-`inet4_route_exclude_address` 和 `inet6_route_exclude_address` 已合并为 `route_exclude_address`。
-
-旧字段已废弃，且将在 sing-box 1.11.0 中移除。
-
-#### 移除对 go1.18 和 go1.19 的支持
-
-由于维护困难，sing-box 1.10.0 要求至少 Go 1.20 才能编译。
-
 ## 1.8.0
 
 #### Clash API 中的 Cache file 及相关功能
@@ -32,7 +18,7 @@ GeoIP 已废弃且可能在不久的将来移除。
 maxmind GeoIP 国家数据库作为 IP 分类数据库，不完全适合流量绕过，
 且现有的实现均存在内存使用大与管理困难的问题。
 
-sing-box 1.8.0 引入了[规则集](/configuration/rule-set/)，
+sing-box 1.8.0 引入了[规则集](/configuration/rule_set/)，
 可以完全替代 GeoIP， 参阅 [迁移指南](/zh/migration/#geoip)。
 
 #### Geosite
@@ -42,7 +28,7 @@ Geosite 已废弃且可能在不久的将来移除。
 Geosite，即由 V2Ray 维护的 domain-list-community 项目，作为早期流量绕过解决方案，
 存在着包括缺少维护、规则不准确和管理困难内的大量问题。
 
-sing-box 1.8.0 引入了[规则集](/configuration/rule-set/)，
+sing-box 1.8.0 引入了[规则集](/configuration/rule_set/)，
 可以完全替代 Geosite，参阅 [迁移指南](/zh/migration/#geosite)。
 
 ## 1.6.0

docs/installation/build-from-source.md

@@ -23,8 +23,7 @@ Since sing-box 1.5.0:
 Since sing-box 1.8.0:
 
 * Go 1.18.5 - ~
-* Go 1.20.0 - ~ with tag `with_quic`, or `with_utls` enabled
-* Go 1.21.0 - ~ with tag `with_ech` enabled
+* Go 1.20.0 - ~ with tag `with_quic`, `with_ech`, or `with_utls` enabled
 
 You can download and install Go from: https://go.dev/doc/install, latest version is recommended.
 
@@ -57,16 +56,16 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | Build Tag                          | Enabled by default | Description                                                                                                                                                                                                                                                                                                                    |
 |------------------------------------|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `with_quic`                        | :material-check:   | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server/), [Naive inbound](/configuration/inbound/naive/), [Hysteria Inbound](/configuration/inbound/hysteria/), [Hysteria Outbound](/configuration/outbound/hysteria/) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
-| `with_grpc`                        | :material-close:️  | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
+| `with_grpc`                        | :material-close:️                 | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
 | `with_dhcp`                        | :material-check:   | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/).                                                                                                                                                                                                                                                 |
 | `with_wireguard`                   | :material-check:   | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/).                                                                                                                                                                                                                                    |
-| `with_ech`                         | :material-check:   | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                               |
-| `with_utls`                        | :material-check:   | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                          |
+| `with_ech`                         | :material-check:                  | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                               |
+| `with_utls`                        | :material-check:                  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                          |
 | `with_reality_server`              | :material-check:   | Build with reality TLS server support,  see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                                 |
 | `with_acme`                        | :material-check:   | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                         |
-| `with_clash_api`                   | :material-check:   | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
-| `with_v2ray_api`                   | :material-close:️  | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
-| `with_gvisor`                      | :material-check:   | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
+| `with_clash_api`                   | :material-check:                  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
+| `with_v2ray_api`                   | :material-close:️                 | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
+| `with_gvisor`                      | :material-check:                  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️  | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
 
 It is not recommended to change the default build tag list unless you really know what you are adding.

docs/installation/build-from-source.zh.md

@@ -23,8 +23,7 @@ sing-box 1.4.0 前:
 从 sing-box 1.8.0:
 
 * Go 1.18.5 - ~
-* Go 1.20.0 - ~ 如果启用构建标记 `with_quic` 或 `with_utls`
-* Go 1.20.1 - ~ 如果启用构建标记 `with_ech`
+* Go 1.20.0 - ~ 如果启用构建标记 `with_quic`、`with_ech` 或 `with_utls`
 
 您可以从 https://go.dev/doc/install 下载并安装 Go，推荐使用最新版本。
 
@@ -54,19 +53,19 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 
 ## :material-folder-settings: 构建标记
 
-| 构建标记                               | 默认启动              | 说明                                                                                                                                                                                                                                                                                                                             |
-|------------------------------------|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 构建标记                               | 默认启动              | 说明                                                                                                                                                                                                                                                                                                                         |
+|------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `with_quic`                        | :material-check:  | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server/), [Naive inbound](/configuration/inbound/naive/), [Hysteria Inbound](/configuration/inbound/hysteria/), [Hysteria Outbound](/configuration/outbound/hysteria/) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
-| `with_grpc`                        | :material-close:️ | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
-| `with_dhcp`                        | :material-check:  | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/).                                                                                                                                                                                                                                                 |
-| `with_wireguard`                   | :material-check:  | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/).                                                                                                                                                                                                                                    |
-| `with_ech`                         | :material-check:  | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                               |
-| `with_utls`                        | :material-check:  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                          |
-| `with_reality_server`              | :material-check:  | Build with reality TLS server support,  see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                                 |
-| `with_acme`                        | :material-check:  | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                         |
-| `with_clash_api`                   | :material-check:  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
-| `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
-| `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
-| `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
+| `with_grpc`                        | :material-close:️ | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                  |
+| `with_dhcp`                        | :material-check:  | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/).                                                                                                                                                                                                                                              |
+| `with_wireguard`                   | :material-check:  | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/).                                                                                                                                                                                                                                 |
+| `with_ech`                         | :material-check:  | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                           |
+| `with_utls`                        | :material-check:  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                      |
+| `with_reality_server`              | :material-check:  | Build with reality TLS server support,  see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                              |
+| `with_acme`                        | :material-check:  | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                      |
+| `with_clash_api`                   | :material-check:  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                            |
+| `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                            |
+| `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                               |
+| `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                          |
 
 除非您确实知道您正在启用什么，否则不建议更改默认构建标签列表。

docs/installation/package-manager.md

@@ -4,35 +4,6 @@ icon: material/package
 
 # Package Manager
 
-## :material-tram: Repository Installation
-
-=== ":material-debian: Debian / APT"
-
-    ```bash
-    sudo curl -fsSL https://sing-box.app/gpg.key -o /etc/apt/keyrings/sagernet.asc
-    sudo chmod a+r /etc/apt/keyrings/sagernet.asc
-    echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/sagernet.asc] https://deb.sagernet.org/ * *" | \
-      sudo tee /etc/apt/sources.list.d/sagernet.list > /dev/null
-    sudo apt-get update
-    sudo apt-get install sing-box # or sing-box-beta
-    ```
-
-=== ":material-redhat: Redhat / DNF"
-
-    ```bash
-    sudo dnf -y install dnf-plugins-core
-    sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo
-    sudo dnf install sing-box # or sing-box-beta
-    ```
-
-=== ":material-redhat: CentOS / YUM"
-
-    ```bash
-    sudo yum install -y yum-utils
-    sudo yum-config-manager --add-repo https://sing-box.app/sing-box.repo
-    sudo yum install sing-box # or sing-box-beta
-    ```
-
 ## :material-download-box: Manual Installation
 
 === ":material-debian: Debian / DEB"
@@ -57,38 +28,38 @@ icon: material/package
 
 === ":material-linux: Linux"
 
-    | Type     | Platform      | Command                      | Link                                                                                                          |
-    |----------|---------------|------------------------------|---------------------------------------------------------------------------------------------------------------|
-    | AUR      | Arch Linux    | `? -S sing-box`              | [![AUR package](https://repology.org/badge/version-for-repo/aur/sing-box.svg)][aur]                           |
-    | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
-    | Homebrew | macOS / Linux | `brew install sing-box`      | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew]                |
-    | APK      | Alpine        | `apk add sing-box`           | [![Alpine Linux Edge package](https://repology.org/badge/version-for-repo/alpine_edge/sing-box.svg)][alpine]  |
+    | Type     | Platform      | Link                    | Command                      | Actively maintained |
+    |----------|---------------|-------------------------|------------------------------|---------------------|
+    | APK      | Alpine        | [sing-box][alpine]      | `apk add sing-box`           | :material-check:    |
+    | AUR      | Arch Linux    | [sing-box][aur] ᴬᵁᴿ     | `? -S sing-box`              | :material-check:    |
+    | nixpkgs  | NixOS         | [sing-box][nixpkgs]     | `nix-env -iA nixos.sing-box` | :material-check:    |
+    | Homebrew | macOS / Linux | [sing-box][brew]        | `brew install sing-box`      | :material-check:    |
 
 === ":material-apple: macOS"
 
-    | Type     | Platform | Command                 | Link                                                                                           |
-    |----------|----------|-------------------------|------------------------------------------------------------------------------------------------|
-    | Homebrew | macOS    | `brew install sing-box` | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew] |
+    | Type     | Platform | Link             | Command                 | Actively maintained |
+    |----------|----------|------------------|-------------------------|---------------------|
+    | Homebrew | macOS    | [sing-box][brew] | `brew install sing-box` | :material-check:    |
 
 === ":material-microsoft-windows: Windows"
 
-    | Type       | Platform | Command                   | Link                                                                                                |
-    |------------|----------|---------------------------|-----------------------------------------------------------------------------------------------------|
-    | Scoop      | Windows  | `scoop install sing-box`  | [![Scoop package](https://repology.org/badge/version-for-repo/scoop/sing-box.svg)][scoop]           |
-    | Chocolatey | Windows  | `choco install sing-box`  | [![Chocolatey package](https://repology.org/badge/version-for-repo/chocolatey/sing-box.svg)][choco] |
-    | winget     | Windows  | `winget install sing-box` | [![winget package](https://repology.org/badge/version-for-repo/winget/sing-box.svg)][winget]        |
+    | Type       | Platform           | Link                | Command                      | Actively maintained |
+    |------------|--------------------|---------------------|------------------------------|---------------------|
+    | Scoop      | Windows            | [sing-box][scoop]   | `scoop install sing-box`     | :material-check:    |
+    | Chocolatey | Windows            | [sing-box][choco]   | `choco install sing-box`     | :material-check:    |
+    | winget     | Windows            | [sing-box][winget]  | `winget install sing-box`    | :material-alert:    |
 
 === ":material-android: Android"
 
-    | Type   | Platform | Command            | Link                                                                                         |
-    |--------|----------|--------------------|----------------------------------------------------------------------------------------------|
-    | Termux | Android  | `pkg add sing-box` | [![Termux package](https://repology.org/badge/version-for-repo/termux/sing-box.svg)][termux] |
+    | Type       | Platform           | Link                | Command                      | Actively maintained |
+    |------------|--------------------|---------------------|------------------------------|---------------------|
+    | Termux     | Android            | [sing-box][termux]  | `pkg add sing-box`           | :material-check:    |
 
 === ":material-freebsd: FreeBSD"
 
-    | Type       | Platform | Command                | Link                                                                                       |
-    |------------|----------|------------------------|--------------------------------------------------------------------------------------------|
-    | FreshPorts | FreeBSD  | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |
+    | Type       | Platform | Link              | Command                | Actively maintained |
+    |------------|----------|-------------------|------------------------|---------------------|
+    | FreshPorts | FreeBSD  | [sing-box][ports] | `pkg install sing-box` | :material-alert:    |
 
 ## :material-book-multiple: Service Management
 

docs/installation/package-manager.zh.md

@@ -4,35 +4,6 @@ icon: material/package
 
 # 包管理器
 
-## :material-tram: 仓库安装
-
-=== ":material-debian: Debian / APT"
-
-    ```bash
-    sudo curl -fsSL https://sing-box.app/gpg.key -o /etc/apt/keyrings/sagernet.asc
-    sudo chmod a+r /etc/apt/keyrings/sagernet.asc
-    echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/sagernet.asc] https://deb.sagernet.org/ * *" | \
-      sudo tee /etc/apt/sources.list.d/sagernet.list > /dev/null
-    sudo apt-get update
-    sudo apt-get install sing-box # or sing-box-beta
-    ```
-
-=== ":material-redhat: Redhat / DNF"
-
-    ```bash
-    sudo dnf -y install dnf-plugins-core
-    sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo
-    sudo dnf install sing-box # or sing-box-beta
-    ```
-
-=== ":material-redhat: CentOS / YUM"
-
-    ```bash
-    sudo yum install -y yum-utils
-    sudo yum-config-manager --add-repo https://sing-box.app/sing-box.repo
-    sudo yum install sing-box # or sing-box-beta
-    ```
-
 ## :material-download-box: 手动安装
 
 === ":material-debian: Debian / DEB"
@@ -57,38 +28,38 @@ icon: material/package
 
 === ":material-linux: Linux"
 
-    | 类型       | 平台            | 链接                           | 命令                                                                                                            |
-    |----------|---------------|------------------------------|---------------------------------------------------------------------------------------------------------------|
-    | AUR      | Arch Linux    | `? -S sing-box`              | [![AUR package](https://repology.org/badge/version-for-repo/aur/sing-box.svg)][aur]                           |
-    | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
-    | Homebrew | macOS / Linux | `brew install sing-box`      | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew]                |
-    | APK      | Alpine        | `apk add sing-box`           | [![Alpine Linux Edge package](https://repology.org/badge/version-for-repo/alpine_edge/sing-box.svg)][alpine]  |
+    | 类型       | 平台         | 链接                  | 命令                           | 活跃维护             |
+    |----------|------------|---------------------|------------------------------|------------------|
+    | Alpine   | Alpine     | [sing-box][alpine]  | `apk add sing-box`           | :material-check: |
+    | AUR      | Arch Linux | [sing-box][aur] ᴬᵁᴿ | `? -S sing-box`              | :material-check: |
+    | nixpkgs  | NixOS      | [sing-box][nixpkgs] | `nix-env -iA nixos.sing-box` | :material-check: |
+    | Homebrew | Linux      | [sing-box][brew]    | `brew install sing-box`      | :material-check: |
 
 === ":material-apple: macOS"
 
-    | 类型       | 平台    | 链接                      | 命令                                                                                             |
-    |----------|-------|-------------------------|------------------------------------------------------------------------------------------------|
-    | Homebrew | macOS | `brew install sing-box` | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew] |
+    | 类型       | 平台    | 链接               | 命令                      | 活跃维护             |
+    |----------|-------|------------------|-------------------------|------------------|
+    | Homebrew | macOS | [sing-box][brew] | `brew install sing-box` | :material-check: |
 
 === ":material-microsoft-windows: Windows"
 
-    | 类型         | 平台      | 链接                        | 命令                                                                                                  |
-    |------------|---------|---------------------------|-----------------------------------------------------------------------------------------------------|
-    | Scoop      | Windows | `scoop install sing-box`  | [![Scoop package](https://repology.org/badge/version-for-repo/scoop/sing-box.svg)][scoop]           |
-    | Chocolatey | Windows | `choco install sing-box`  | [![Chocolatey package](https://repology.org/badge/version-for-repo/chocolatey/sing-box.svg)][choco] |
-    | winget     | Windows | `winget install sing-box` | [![winget package](https://repology.org/badge/version-for-repo/winget/sing-box.svg)][winget]        |
+    | 类型         | 平台      | 链接                 | 命令                        | 活跃维护             |
+    |------------|---------|--------------------|---------------------------|------------------|
+    | Scoop      | Windows | [sing-box][scoop]  | `scoop install sing-box`  | :material-check: |
+    | Chocolatey | Windows | [sing-box][choco]  | `choco install sing-box`  | :material-check: |
+    | winget     | Windows | [sing-box][winget] | `winget install sing-box` | :material-alert: |
 
 === ":material-android: Android"
 
-    | 类型     | 平台      | 链接                 | 命令                                                                                           |
-    |--------|---------|--------------------|----------------------------------------------------------------------------------------------|
-    | Termux | Android | `pkg add sing-box` | [![Termux package](https://repology.org/badge/version-for-repo/termux/sing-box.svg)][termux] |
+    | 类型     | 平台      | 链接                 | 命令                 | 活跃维护             |
+    |--------|---------|--------------------|--------------------|------------------|
+    | Termux | Android | [sing-box][termux] | `pkg add sing-box` | :material-check: |
 
 === ":material-freebsd: FreeBSD"
 
-    | 类型         | 平台      | 链接                     | 命令                                                                                         |
-    |------------|---------|------------------------|--------------------------------------------------------------------------------------------|
-    | FreshPorts | FreeBSD | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |
+    | 类型         | 平台      | 链接                | 命令                     | 活跃维护             |
+    |------------|---------|-------------------|------------------------|------------------|
+    | FreshPorts | FreeBSD | [sing-box][ports] | `pkg install sing-box` | :material-alert: |
 
 ## :material-book-multiple: 服务管理