Bump version

This change only avoids permanent hangs. We need to implement read deadlines for UDP conns in 1.10 for server inbounds.

.golangci.yml

@@ -6,14 +6,7 @@ linters:
     - gci
     - staticcheck
     - paralleltest
-
-run:
-  skip-dirs:
-    - transport/simple-obfs
-    - transport/clashssr
-    - transport/cloudflaretls
-    - transport/shadowtls/tls
-    - transport/shadowtls/tls_go119
+    - ineffassign
 
 linters-settings:
   gci:
@@ -23,4 +16,13 @@ linters-settings:
       - prefix(github.com/sagernet/)
       - default
   staticcheck:
-    go: '1.20'
+    checks:
+      - all
+      - -SA1003
+
+run:
+  go: "1.23"
+
+issues:
+  exclude-dirs:
+    - transport/simple-obfs

README.md

@@ -4,10 +4,6 @@ The universal proxy platform.
 
 [![Packaging status](https://repology.org/badge/vertical-allrepos/sing-box.svg)](https://repology.org/project/sing-box/versions)
 
-## Documentation
-
-https://sing-box.sagernet.org
-
 ## Support
 
 https://community.sagernet.org/c/sing-box/

docs/changelog.md

@@ -2,6 +2,26 @@
 icon: material/alert-decagram
 ---
 
+!!! failure "Help needed"
+
+    Due to problems with our Apple developer account, sing-box apps on Apple platforms are temporarily unavailable for download or update.
+
+    If your company or organization is willing to help us return to the App Store, please [contact us](mailto:contact@sagernet.org).
+
+### 1.9.4
+
+* Update quic-go to v0.46.0
+* Update Hysteria2 BBR congestion control
+* Filter HTTPS ipv4hint/ipv6hint with domain strategy
+* Fix crash on Android when using process rules
+* Fix non-IP queries accepted by address filter rules
+* Fix UDP server for shadowsocks AEAD multi-user inbounds
+* Fix default next protos for v2ray QUIC transport
+* Fix default end value of port range configuration options
+* Fix reset v2ray transports
+* Fix panic caused by rule-set generation of duplicate keys for `domain_suffix`
+* Fix UDP connnection leak when sniffing
+* Fixes and improvements
 
 ### 1.9.3
 

docs/clients/apple/index.md

@@ -7,6 +7,13 @@ icon: material/apple
 SFI/SFM/SFT allows users to manage and run local or remote sing-box configuration files, and provides
 platform-specific function implementation, such as TUN transparent proxy implementation.
 
+!!! failure "Unavailable"
+
+    Due to problems with our Apple developer account, sing-box apps on Apple platforms are temporarily unavailable for download or update.
+
+    If your company or organization is willing to help us return to the App Store, please [contact us](mailto:contact@sagernet.org).
+
+
 ## :material-graph: Requirements
 
 * iOS 15.0+ / macOS 13.0+ / Apple tvOS 17.0+

docs/clients/index.md

@@ -3,9 +3,9 @@
 Maintained by Project S to provide a unified experience and platform-specific functionality.
 
 | Platform                              | Client                                   |
-|---------------------------------------|------------------------------------------|
+| ------------------------------------- | ---------------------------------------- |
 | :material-android: Android            | [sing-box for Android](./android/)       |
-| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
+| :material-apple: iOS/macOS/Apple tvOS | :material-alert: [Unavailable](./apple/) |
 | :material-laptop: Desktop             | Working in progress                      |
 
 Some third-party projects that claim to use sing-box or use sing-box as a selling point are not listed here. The core

docs/clients/index.zh.md

@@ -2,11 +2,11 @@
 
 由 Project S 维护，提供统一的体验与平台特定的功能。
 
-| 平台                                    | 客户端                                     |
-|---------------------------------------|-----------------------------------------|
-| :material-android: Android            | [sing-box for Android](./android/)       |
-| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
-| :material-laptop: Desktop             | 施工中                                     |
+| 平台                                  | 客户端                              |
+| ------------------------------------- | ----------------------------------- |
+| :material-android: Android            | [sing-box for Android](./android/)  |
+| :material-apple: iOS/macOS/Apple tvOS | :material-alert: [不可用](./apple/) |
+| :material-laptop: Desktop             | 施工中                              |
 
 此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
 VPN 客户端功能， 但代码质量很差且包含广告。

docs/configuration/inbound/index.md

@@ -15,24 +15,24 @@
 
 ### Fields
 
-| Type          | Format                        | Injectable |
-|---------------|-------------------------------|------------|
-| `direct`      | [Direct](./direct/)           | X          |
-| `mixed`       | [Mixed](./mixed/)             | TCP        |
-| `socks`       | [SOCKS](./socks/)             | TCP        |
-| `http`        | [HTTP](./http/)               | TCP        |
-| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP        |
-| `vmess`       | [VMess](./vmess/)             | TCP        |
-| `trojan`      | [Trojan](./trojan/)           | TCP        |
-| `naive`       | [Naive](./naive/)             | X          |
-| `hysteria`    | [Hysteria](./hysteria/)       | X          |
-| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP        |
-| `tuic`        | [TUIC](./tuic/)               | X          |
-| `hysteria2`   | [Hysteria2](./hysteria2/)     | X          |
-| `vless`       | [VLESS](./vless/)             | TCP        |
-| `tun`         | [Tun](./tun/)                 | X          |
-| `redirect`    | [Redirect](./redirect/)       | X          |
-| `tproxy`      | [TProxy](./tproxy/)           | X          |
+| Type          | Format                        | Injectable       |
+|---------------|-------------------------------|------------------|
+| `direct`      | [Direct](./direct/)           | :material-close: |
+| `mixed`       | [Mixed](./mixed/)             | TCP              |
+| `socks`       | [SOCKS](./socks/)             | TCP              |
+| `http`        | [HTTP](./http/)               | TCP              |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP              |
+| `vmess`       | [VMess](./vmess/)             | TCP              |
+| `trojan`      | [Trojan](./trojan/)           | TCP              |
+| `naive`       | [Naive](./naive/)             | :material-close: |
+| `hysteria`    | [Hysteria](./hysteria/)       | :material-close: |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP              |
+| `tuic`        | [TUIC](./tuic/)               | :material-close: |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | :material-close: |
+| `vless`       | [VLESS](./vless/)             | TCP              |
+| `tun`         | [Tun](./tun/)                 | :material-close: |
+| `redirect`    | [Redirect](./redirect/)       | :material-close: |
+| `tproxy`      | [TProxy](./tproxy/)           | :material-close: |
 
 #### tag
 

docs/configuration/inbound/index.zh.md

@@ -15,24 +15,24 @@
 
 ### 字段
 
-| 类型            | 格式                           | 注入支持 |
-|---------------|------------------------------|------|
-| `direct`      | [Direct](./direct/)           | X    |
-| `mixed`       | [Mixed](./mixed/)             | TCP  |
-| `socks`       | [SOCKS](./socks/)             | TCP  |
-| `http`        | [HTTP](./http/)               | TCP  |
-| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP  |
-| `vmess`       | [VMess](./vmess/)             | TCP  |
-| `trojan`      | [Trojan](./trojan/)           | TCP  |
-| `naive`       | [Naive](./naive/)             | X    |
-| `hysteria`    | [Hysteria](./hysteria/)       | X    |
-| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP  |
-| `tuic`        | [TUIC](./tuic/)               | X    |
-| `hysteria2`   | [Hysteria2](./hysteria2/)     | X    |
-| `vless`       | [VLESS](./vless/)             | TCP  |
-| `tun`         | [Tun](./tun/)                 | X    |
-| `redirect`    | [Redirect](./redirect/)       | X    |
-| `tproxy`      | [TProxy](./tproxy/)           | X    |
+| 类型            | 格式                            | 注入支持             |
+|---------------|-------------------------------|------------------|
+| `direct`      | [Direct](./direct/)           | :material-close: |
+| `mixed`       | [Mixed](./mixed/)             | TCP              |
+| `socks`       | [SOCKS](./socks/)             | TCP              |
+| `http`        | [HTTP](./http/)               | TCP              |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP              |
+| `vmess`       | [VMess](./vmess/)             | TCP              |
+| `trojan`      | [Trojan](./trojan/)           | TCP              |
+| `naive`       | [Naive](./naive/)             | :material-close: |
+| `hysteria`    | [Hysteria](./hysteria/)       | :material-close: |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP              |
+| `tuic`        | [TUIC](./tuic/)               | :material-close: |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | :material-close: |
+| `vless`       | [VLESS](./vless/)             | TCP              |
+| `tun`         | [Tun](./tun/)                 | :material-close: |
+| `redirect`    | [Redirect](./redirect/)       | :material-close: |
+| `tproxy`      | [TProxy](./tproxy/)           | :material-close: |
 
 #### tag
 

docs/index.md

@@ -4,6 +4,12 @@ description: Welcome to the wiki page for the sing-box project.
 
 # :material-home: Home
 
+!!! failure "Help needed"
+
+    Due to problems with our Apple developer account, sing-box apps on Apple platforms are temporarily unavailable for download or update.
+
+    If your company or organization is willing to help us return to the App Store, please [contact us](mailto:contact@sagernet.org).
+
 Welcome to the wiki page for the sing-box project.
 
 The universal proxy platform.

docs/migration.md

@@ -4,10 +4,6 @@ icon: material/arrange-bring-forward
 
 ## 1.9.0
 
-!!! warning "Unstable"
-
-    This version is still under development, and the following migration guide may be changed in the future.
-
 ### `domain_suffix` behavior update
 
 For historical reasons, sing-box's `domain_suffix` rule matches literal prefixes instead of the same as other projects.

docs/migration.zh.md

@@ -4,10 +4,6 @@ icon: material/arrange-bring-forward
 
 ## 1.9.0
 
-!!! warning "不稳定的"
-
-    该版本仍在开发中，迁移指南可能将在未来更改。
-
 ### `domain_suffix` 行为更新
 
 由于历史原因，sing-box 的 `domain_suffix` 规则匹配字面前缀，而不与其他项目相同。

docs/support.md

@@ -5,8 +5,7 @@ icon: material/forum
 # Support
 
 | Channel                       | Link                                        |
-|:------------------------------|:--------------------------------------------|
-| Community                     | https://community.sagernet.org              |
+| :---------------------------- | :------------------------------------------ |
 | GitHub Issues                 | https://github.com/SagerNet/sing-box/issues |
 | Telegram notification channel | https://t.me/yapnc                          |
 | Telegram user group           | https://t.me/yapug                          |

docs/support.zh.md

@@ -4,11 +4,10 @@ icon: material/forum
 
 # 支持
 
-| 通道            | 链接                                          |
-|:--------------|:--------------------------------------------|
-| 社区            | https://community.sagernet.org              |
-| GitHub Issues | https://github.com/SagerNet/sing-box/issues |
+| 通道              | 链接                                        |
+| :---------------- | :------------------------------------------ |
+| GitHub Issues     | https://github.com/SagerNet/sing-box/issues |
 | Telegram 通知频道 | https://t.me/yapnc                          |
-| Telegram 用户组  | https://t.me/yapug                          |
-| 邮件            | contact@sagernet.org                        |
+| Telegram 用户组   | https://t.me/yapug                          |
+| 邮件              | contact@sagernet.org                        |
 

go.mod

@@ -24,12 +24,12 @@ require (
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
 	github.com/sagernet/gomobile v0.1.3
 	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f
-	github.com/sagernet/quic-go v0.45.1-beta.2
+	github.com/sagernet/quic-go v0.46.0-beta.4
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
 	github.com/sagernet/sing v0.4.2
 	github.com/sagernet/sing-dns v0.2.3
 	github.com/sagernet/sing-mux v0.2.0
-	github.com/sagernet/sing-quic v0.2.0-beta.12
+	github.com/sagernet/sing-quic v0.2.2
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.1.4

go.sum

@@ -101,8 +101,8 @@ github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
 github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba h1:EY5AS7CCtfmARNv2zXUOrsEMPFDGYxaw65JzA2p51Vk=
 github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.45.1-beta.2 h1:zkEeCbhdFFkrxKcuIRBtXNKci/1t2J/39QSG/sPvlmc=
-github.com/sagernet/quic-go v0.45.1-beta.2/go.mod h1:+N3FqM9DAzOWfe64uxXuBejVJwX7DeW7BslzLO6N/xI=
+github.com/sagernet/quic-go v0.46.0-beta.4 h1:k9f7VSKaM47AY6MPND0Qf1KRN7HwimPg9zdOFTXTiCk=
+github.com/sagernet/quic-go v0.46.0-beta.4/go.mod h1:zJmVdJUNqEDXfubf4KtIOUHHerggjBduiGRLNzJspcM=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
@@ -112,8 +112,8 @@ github.com/sagernet/sing-dns v0.2.3 h1:YzeBUn2tR38F7HtvGEQ0kLRLmZWMEgi/+7wqa4Twb
 github.com/sagernet/sing-dns v0.2.3/go.mod h1:BJpJv6XLnrUbSyIntOT6DG9FW0f4fETmPAHvNjOprLg=
 github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
 github.com/sagernet/sing-mux v0.2.0/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
-github.com/sagernet/sing-quic v0.2.0-beta.12 h1:BhvA5mmrDFEyDUQB5eeu+9UhF+ieyuNJ5Rsb0dAG3QY=
-github.com/sagernet/sing-quic v0.2.0-beta.12/go.mod h1:YVpLfVi8BvYM7NMrjmnvcRm3E8iMETf1gFQmTQDN9jI=
+github.com/sagernet/sing-quic v0.2.2 h1:Ryp02zMhHh/ZDrG7MdLsmhuBU8+BEpOdJonFQiqIopo=
+github.com/sagernet/sing-quic v0.2.2/go.mod h1:YLV1dUDv8Eyp/8e55O/EvfsrwxOgEDVgDCIoPqmDREE=
 github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegEZaKMv9ipx8=
 github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=

route/router.go

@@ -131,7 +131,7 @@ func NewRouter(
 		pauseManager:          service.FromContext[pause.Manager](ctx),
 		platformInterface:     platformInterface,
 		needWIFIState:         hasRule(options.Rules, isWIFIRule) || hasDNSRule(dnsOptions.Rules, isWIFIDNSRule),
-		needPackageManager: C.IsAndroid && platformInterface == nil && common.Any(inbounds, func(inbound option.Inbound) bool {
+		needPackageManager: common.Any(inbounds, func(inbound option.Inbound) bool {
 			return len(inbound.TunOptions.IncludePackage) > 0 || len(inbound.TunOptions.ExcludePackage) > 0
 		}),
 	}
@@ -531,18 +531,20 @@ func (r *Router) Start() error {
 	r.dnsClient.Start()
 	monitor.Finish()
 
-	if r.needPackageManager && r.platformInterface == nil {
+	if C.IsAndroid && r.platformInterface == nil {
 		monitor.Start("initialize package manager")
 		packageManager, err := tun.NewPackageManager(r)
 		monitor.Finish()
 		if err != nil {
 			return E.Cause(err, "create package manager")
 		}
-		monitor.Start("start package manager")
-		err = packageManager.Start()
-		monitor.Finish()
-		if err != nil {
-			return E.Cause(err, "start package manager")
+		if r.needPackageManager {
+			monitor.Start("start package manager")
+			err = packageManager.Start()
+			monitor.Finish()
+			if err != nil {
+				return E.Cause(err, "start package manager")
+			}
 		}
 		r.packageManager = packageManager
 	}
@@ -675,20 +677,30 @@ func (r *Router) PostStart() error {
 		}
 		ruleSetStartContext.Close()
 	}
-	var (
-		needProcessFromRuleSet   bool
-		needWIFIStateFromRuleSet bool
-	)
+	needFindProcess := r.needFindProcess
+	needWIFIState := r.needWIFIState
 	for _, ruleSet := range r.ruleSets {
 		metadata := ruleSet.Metadata()
 		if metadata.ContainsProcessRule {
-			needProcessFromRuleSet = true
+			needFindProcess = true
 		}
 		if metadata.ContainsWIFIRule {
-			needWIFIStateFromRuleSet = true
+			needWIFIState = true
 		}
 	}
-	if needProcessFromRuleSet || r.needFindProcess {
+	if C.IsAndroid && r.platformInterface == nil && !r.needPackageManager {
+		if needFindProcess {
+			monitor.Start("start package manager")
+			err := r.packageManager.Start()
+			monitor.Finish()
+			if err != nil {
+				return E.Cause(err, "start package manager")
+			}
+		} else {
+			r.packageManager = nil
+		}
+	}
+	if needFindProcess {
 		if r.platformInterface != nil {
 			r.processSearcher = r.platformInterface
 		} else {
@@ -707,7 +719,7 @@ func (r *Router) PostStart() error {
 			}
 		}
 	}
-	if (needWIFIStateFromRuleSet || r.needWIFIState) && r.platformInterface != nil {
+	if needWIFIState && r.platformInterface != nil {
 		monitor.Start("initialize WIFI state")
 		r.needWIFIState = true
 		r.interfaceMonitor.RegisterCallback(func(_ int) {
@@ -939,34 +951,57 @@ func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, m
 	}*/
 
 	if metadata.InboundOptions.SniffEnabled || metadata.Destination.Addr.IsUnspecified() {
-		buffer := buf.NewPacket()
-		destination, err := conn.ReadPacket(buffer)
+		var (
+			buffer      = buf.NewPacket()
+			destination M.Socksaddr
+			done        = make(chan struct{})
+			err         error
+		)
+		go func() {
+			sniffTimeout := C.ReadPayloadTimeout
+			if metadata.InboundOptions.SniffTimeout > 0 {
+				sniffTimeout = time.Duration(metadata.InboundOptions.SniffTimeout)
+			}
+			conn.SetReadDeadline(time.Now().Add(sniffTimeout))
+			destination, err = conn.ReadPacket(buffer)
+			conn.SetReadDeadline(time.Time{})
+			close(done)
+		}()
+		select {
+		case <-done:
+		case <-ctx.Done():
+			conn.Close()
+			return ctx.Err()
+		}
 		if err != nil {
 			buffer.Release()
-			return err
-		}
-		if metadata.Destination.Addr.IsUnspecified() {
-			metadata.Destination = destination
-		}
-		if metadata.InboundOptions.SniffEnabled {
-			sniffMetadata, _ := sniff.PeekPacket(ctx, buffer.Bytes(), sniff.DomainNameQuery, sniff.QUICClientHello, sniff.STUNMessage)
-			if sniffMetadata != nil {
-				metadata.Protocol = sniffMetadata.Protocol
-				metadata.Domain = sniffMetadata.Domain
-				if metadata.InboundOptions.SniffOverrideDestination && M.IsDomainName(metadata.Domain) {
-					metadata.Destination = M.Socksaddr{
-						Fqdn: metadata.Domain,
-						Port: metadata.Destination.Port,
+			if !errors.Is(err, os.ErrDeadlineExceeded) {
+				return err
+			}
+		} else {
+			if metadata.Destination.Addr.IsUnspecified() {
+				metadata.Destination = destination
+			}
+			if metadata.InboundOptions.SniffEnabled {
+				sniffMetadata, _ := sniff.PeekPacket(ctx, buffer.Bytes(), sniff.DomainNameQuery, sniff.QUICClientHello, sniff.STUNMessage)
+				if sniffMetadata != nil {
+					metadata.Protocol = sniffMetadata.Protocol
+					metadata.Domain = sniffMetadata.Domain
+					if metadata.InboundOptions.SniffOverrideDestination && M.IsDomainName(metadata.Domain) {
+						metadata.Destination = M.Socksaddr{
+							Fqdn: metadata.Domain,
+							Port: metadata.Destination.Port,
+						}
+					}
+					if metadata.Domain != "" {
+						r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol, ", domain: ", metadata.Domain)
+					} else {
+						r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol)
 					}
 				}
-				if metadata.Domain != "" {
-					r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol, ", domain: ", metadata.Domain)
-				} else {
-					r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol)
-				}
 			}
+			conn = bufio.NewCachedPacketConn(conn, buffer, destination)
 		}
-		conn = bufio.NewCachedPacketConn(conn, buffer, destination)
 	}
 	if r.dnsReverseMapping != nil && metadata.Domain == "" {
 		domain, loaded := r.dnsReverseMapping.Query(metadata.Destination.Addr)